1343: forging a user's 'From:' address in email notifications is incompatible with DKIM/mail filtering/review list moderation

volut******@gmai***** (Google Code) (Is this you? Claim this profile.)
chipx86
 chipx86
Jan. 30, 2011
1646 
What version are you running?
1.0 (user of kde's reviewboard)

What steps will reproduce the problem?
1. make comment on bug
2. email gets sent to mailing list and user with a 'From:' address of the
registered user
3. as the email didn't travel through the user's gateway there was no DKIM
signature on the email. If the user deployed Author Domain Signing
Practices ADSP checking then the email would have failed verification. 

Also there are some organisation gateways that don't allow their own email
addresses to come in from the outside as a anti{spoofing/spam/social
engineering} mechanism. These users are excluded from freely using reviewboard.

What is the expected output? What do you see instead?

An email with a from address like "Daniel via reviewboard <rb@example.org>"
would be DKIM compatible and gateway compatible. This is what RT does quite
successfully.

It also doesn't have the problem that every unsubscribed user doesn't get
moderated on the email list where notifications are sent.

Please provide any additional information below.

A paper compatibility between email list and DKIM on this here:
https://community.cacert.org/dkim. Some bits are relevant to reviewboard as
its potentially delivering email differently from the author's (aka user's)
Author Domain Signing Practices (ADSP - RFC5617).

Happy to answer further questions.
chipx86
#1 chipx86 
I know very little about DKIM, but am reading up on it now. So to solve this, would I
instead be able to have RB set the From address as "Author's Name
<nobody@servername.com>" and then change Sender: and Reply-to: to be the value we
previously were setting as the From: address?

Signing happens on the mail server, but not at all on our end, right?

As for the From: address we choose, will we have the same problem if we were to
generate a dummy e-mail address, and send it through a server with DKIM support? In
other words, it's important to allow for specifying the e-mail address, right?
  • +NeedInfo
#2 volut******@gmai***** (Google Code) (Is this you? Claim this profile.) 
> So to solve this, would I instead be able to have RB set the From address as
> "Author's Name <nobody@servername.com>"
yes. Anything except a domain where ADSP is deployed works. The severname.com is good
for reasons described below.

> change Sender: and Reply-to: to be the value we previously were setting as the
> From: address?
Good idea with Reply-to:. ADSP only checks the From address. Sender according to
RFC5322 is for the party responsible for sending (RFC talks about the secretary
sending on behalf of the boss). Email lists set this to an address like
*-bounces@lists.*, same as the envelope address, to handle bounced email handling. I
don't think setting Sender to the original From address is a good idea.

> Signing happens on the mail server, but not at all on our end, right?
right. it happens at the sender end. By putting a From address in you're jumping in
the middle of a potential ADSP validation argument between recipient and domain owner
you had no idea existed.

> As for the From: address we choose, will we have the same problem if we were to
> generate a dummy e-mail address, and send it through a server with DKIM support?
Choosing a domain associated with the server install is good. That way the domain
owners can choose to deploy DKIM signing (or not) on RB's emails. The only way it can
break in this situation is the domain owners deploy a ADSP dkim=all/discard policy on
the server and forget to turn signing on (in which case its their own stupid fault).

> In other words, it's important to allow for specifying the e-mail address, right?
Allowing the user to set the address would be a small luxury for the site admin. It
would allow them to make sure nobody@servername.com at least validates to address
verification (dummy messages to check the existence of an account before accepting
emails).
david
#3 david
  • -NeedInfo
    +New
  • -Type-Defect
    +Type-Enhancement
    +Component-EMail
#4 berna******@gmai***** (Google Code) (Is this you? Claim this profile.) 
Whatever you do here -- make it an option. 

For us, it works well (Microsoft Exchange Server). I prefer to "fake" that the email
really came from me (because, in reality, it is almost true, I wrote almost all of
it). In Outlook, it looks weird when you use the From:/Sender: field stuff:  The
wording "on behalf of" appears in the user's list, a bit annoying.
david
#5 david
chipx86
#6 chipx86 
This has been implemented for 1.6.

It's not an option. Maybe it can be made eventually, but for now we're going forward with it. I know it's annoying, but I know in your case you'll be using Zimbra before long ;) Hopefully they don't do it or can change it.
  • -New
    +Fixed
  • +Milestone-Release1.6
  • +chipx86
#7 volut******@gmai***** (Google Code) (Is this you? Claim this profile.) 
thankyou
#8 truan*****@gmai***** (Google Code) (Is this you? Claim this profile.) 
I had hoped this would fix an issue we have whereby emails don't get sent because Exchange will only accept emails with a From field that matches the account you log into it as.
I thought the setting would allow the override of the From field, however it seems to still use the ReviewBoard user as the From field and use the override as the Sender ( I thought it would be the other way round).
Have I misunderstood, or is it broken?
#9 sour*****@gmai***** (Google Code) (Is this you? Claim this profile.) 
I have now sent a patch to the mailing list which fixes SPF compliance, and thus comment #8's issue. Please find it attached here as well.
  • +
    fix-reviewboard-spf-compliance.patch 
    diff --git a/reviewboard/notifications/email.py b/reviewboard/notifications/email.py
    index 69b7fdc..b748643 100644
    --- a/reviewboard/notifications/email.py
    +++ b/reviewboard/notifications/email.py
    @@ -127,9 +127,10 @@ class SpiffyEmailMessage(EmailMultiAlternatives):
             # Mark the mail as 'auto-generated' (according to RFC 3834) to
             # hopefully avoid auto replies.
             headers['Auto-Submitted'] = 'auto-generated'
    +        headers['From'] = from_email
     
             super(SpiffyEmailMessage, self).__init__(subject, text_body,
    -                                                 from_email, to,
    +                                                 settings.DEFAULT_FROM_EMAIL, to,
                                                      headers=headers)
     
             self.cc = cc or []
#10 chris.a.********@gmai***** (Google Code) (Is this you? Claim this profile.) 
I'm still having issues with this on ReviewBoard 1.6.5. Our company uses a hosted MS Outlook service. Here's the trace from the logfile (with subject and email addresses changed):

Error sending e-mail notification with subject 'Re: Review Request: Subject' on behalf of '"John Doe" <jdoe@example.com>' to '"Joe Blow" <jblow@example.com>': (550, '5.7.1 Client does not have permissions to send on behalf of the from address')
Traceback (most recent call last):
  File "/usr/lib/python2.5/site-packages/ReviewBoard-1.6.5-py2.5.egg/reviewboard/notifications/email.py", line 231, in send_review_mail
    message.send()
  File "/usr/lib/python2.5/site-packages/Django-1.3.1-py2.5.egg/django/core/mail/message.py", line 251, in send
    return self.get_connection(fail_silently).send_messages([self])
  File "/usr/lib/python2.5/site-packages/Django-1.3.1-py2.5.egg/django/core/mail/backends/smtp.py", line 86, in send_messages
    sent = self._send(message)
  File "/usr/lib/python2.5/site-packages/Django-1.3.1-py2.5.egg/django/core/mail/backends/smtp.py", line 104, in _send
    email_message.message().as_string())
  File "/usr/lib/python2.5/smtplib.py", line 707, in sendmail
    raise SMTPDataError(code, resp)
SMTPDataError: (550, '5.7.1 Client does not have permissions to send on behalf of the from address')

The "Sender e-mail address" in the admin settings is reviewboard@example.com. In the past I've had to "get around" this by setting every user's email address to match that, and just tell everyone to make sure they include the group mailing list on their reviews, but obviously that sucks. Is there a way to configure reviewboard such that it just does a standard From using that value and does not use "sender" headers to make it "on behalf of" the users? Setting up the mail servers to allow sending on behalf of other accounts is beyond my control.