Defect #19599

Updated by Toshi MARUYAMA about 9 years ago

Many modern (or just well-configured) SMTP servers will block a user from impersonating another email address by re-writing the 'from' header into the 'reply-to' header and setting 'from' as the actual sending account name. This caused a problem for me when creating tickets from the email issued by a website contact form. The notifications would go to the wrong address and the user account would not be created. 

I'm not clear on whether the responsibility for this should lie with Redmine or Mail::Message, but I've patched my Redmine installation with the following code at the start of the receive(email) method in app/models/mail_handler.rb.

 If I knew more about Redmine I'd try to make a plugin that solved the issue, perhaps someone else can. 

 I've verified this problem exists in trunk and 2.6.3.stable. 

 This is my fix: 
<pre><code class="ruby">
  # Processes incoming emails
  # Returns the created object (eg. an issue, a message) or false
  def receive(email)
    @email = email
    sender_email = email.from.to_a.first.to_s.strip

    # RFC822 Sections 4.4.3 and 4.4.4 say that if the reply-to field exists, mail should not be sent to the address in the 'from' field.
    # Correct handling of 'reply-to' is required for SMTP servers that do not allow senders to fake the 'from' field.
    # Website contact forms transmitted through a gmail SMTP server are a good example.
    if email['reply-to'].present?
      # Take the bare address, as done for 'from' above; the raw header value may also carry a display name
      replyto_email = email.reply_to.to_a.first.to_s.strip
      logger.info "Email contains a reply-to field. Will attempt to use '" + replyto_email + "' instead of '" + sender_email + "'" if logger
      sender_email = replyto_email
    end
    # ... the rest of the original receive method continues here unchanged
  end
</code></pre>
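The sender-selection rule the patch above applies, as an added stand-alone example that is not Redmine's code and does not use the Mail gem: it parses only the header block of a constructed raw message and prefers Reply-To over From, unfolding continuation lines and stripping display names. Function and constant names are assumed for illustration.

```ruby
# Added example, not part of Redmine: chooses the effective sender of a
# received message the way the patched MailHandler#receive intends.
# Parses only the header block of a raw RFC 822 message (constructed sample below).

# Extracts the bare address from a header value such as 'Jane Doe <jane@example.org>'.
def extract_address(value)
  return nil if value.nil?
  value = value.strip
  return nil if value.empty?
  m = value.match(/<([^>]+)>/)
  (m ? m[1] : value).strip.downcase
end

# Returns the header block as a Hash of lowercased field name => unfolded value.
def parse_headers(raw)
  headers = {}
  last = nil
  raw.split(/\r?\n\r?\n/, 2).first.each_line do |line|
    line = line.chomp
    if line =~ /\A[ \t]/ && last            # folded continuation line (RFC 822 3.1.1)
      headers[last] += ' ' + line.strip
    elsif (m = line.match(/\A([\w-]+):\s*(.*)\z/))
      last = m[1].downcase
      headers[last] = m[2]
    end
  end
  headers
end

# Prefer Reply-To over From: a relaying SMTP server (gmail in the report above)
# may have moved the real sender into Reply-To and put its own account in From.
def effective_sender(raw)
  headers = parse_headers(raw)
  extract_address(headers['reply-to']) || extract_address(headers['from'])
end

# Constructed sample: a contact-form submission relayed through an SMTP account,
# with a folded Reply-To header carrying the actual submitter.
SAMPLE_MAIL = <<~MAIL
  From: Website Contact Form <contact-relay@example.com>
  Reply-To: Jane Doe
   <jane@example.org>
  To: tracker@example.com
  Subject: Broken link on pricing page

  The link to the enterprise plan returns a 404.
MAIL

puts effective_sender(SAMPLE_MAIL) if __FILE__ == $0   # jane@example.org
```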