Defect #19599 (open)
Redmine does not honor RFC822 4.4.3 reply-to field in incoming emails
Description
Many modern (or just well-configured) SMTP servers will block a user from impersonating another email address by re-writing the 'from' header into the 'reply-to' header and setting 'from' as the actual sending account name. This caused a problem for me when creating tickets from the email issued by a website contact form. The notifications would go to the wrong address and the user account would not be created.
I'm not clear on whether the responsibility for this should lie with Redmine or Mail::Message but I've patched my Redmine installation with the following code at the start of the receive(email) method in app/models/mail_handler.rb.
If I knew more about Redmine I'd try to make a plugin that solved the issue, perhaps someone else can.
I've verified this problem exists in trunk and 2.6.3.stable.
This is my fix:
# Processes incoming emails
# Returns the created object (eg. an issue, a message) or false
def receive(email)
  @email = email
  sender_email = email.from.to_a.first.to_s.strip
  # RFC822 Sections 4.4.3 and 4.4.4 say that if the reply-to field exists, mail should not be sent to the address in the 'from' field.
  # Correct handling of 'reply-to' is required for SMTP servers that do not allow senders to fake the 'from' field.
  # Website contact forms transmitted through a gmail SMTP server are a good example.
  # Read the parsed address list (as done for 'from' above) rather than the raw field string,
  # so a display name such as "Jane <jane@example.org>" does not end up in sender_email.
  if email.reply_to.present?
    replyto_email = email.reply_to.to_a.first.to_s.strip
    logger.info "Email contains a reply-to field. Will attempt to use '#{replyto_email}' instead of '#{sender_email}'"
    sender_email = replyto_email
  end
  # ... the rest of Redmine's original receive method continues unchanged from here
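The sender-selection rule the patch applies, shown as an added example in plain Ruby that is not the Redmine code from this report and does not use the Mail gem: a minimal header parser (folded lines included), a mailbox-to-address extractor, and a resolver that prefers Reply-To over From. The two messages are constructed; the first mimics a contact-form mail whose From was rewritten by the relaying SMTP server.

```ruby
# Added example: resolve the address a mail handler should treat as the sender,
# preferring Reply-To over From per RFC 822 section 4.4.3. No external gems.

# Parse the header block of a raw message into a hash keyed by lower-cased
# field name. Folded continuation lines are joined; parsing stops at the
# first blank line (the header/body separator).
def parse_headers(raw)
  headers = {}
  last = nil
  raw.each_line do |line|
    line = line.chomp
    break if line.empty?
    if line =~ /\A[ \t]/ && last
      headers[last] += " " + line.strip
    elsif (m = line.match(/\A([\w-]+):\s*(.*)\z/))
      last = m[1].downcase
      headers[last] = m[2].strip
    end
  end
  headers
end

# Extract the bare address from a mailbox such as 'Jane Doe <jane@example.org>'
# or 'jane@example.org'; takes the first mailbox if several are listed.
# Returns nil for a missing or empty field.
def first_address(field)
  return nil if field.nil? || field.strip.empty?
  mailbox = field.split(",").first.strip
  if (m = mailbox.match(/<([^>]+)>/))
    m[1].strip
  else
    mailbox
  end
end

# Apply the RFC 822 rule: use Reply-To when present, otherwise fall back to From.
# Returns [address, name_of_header_used].
def resolve_sender(raw)
  headers = parse_headers(raw)
  reply_to = first_address(headers["reply-to"])
  return [reply_to, "reply-to"] if reply_to
  [first_address(headers["from"]), "from"]
end

# Constructed sample: a website contact form relayed through an SMTP server
# that rewrote From to the sending account and moved the visitor to Reply-To.
# The Reply-To value is folded across two lines to exercise continuation handling.
REWRITTEN_MAIL = <<~MAIL
  From: Website Forms <forms@example.com>
  Reply-To: Visitor Name
   <visitor@example.org>
  To: support@example.com
  Subject: Question about ticket handling

  Hello, ...
MAIL

# Constructed sample with no Reply-To: From is used as before.
PLAIN_MAIL = <<~MAIL
  From: alice@example.org
  To: support@example.com
  Subject: Another question

  Hi, ...
MAIL

if __FILE__ == $0
  p resolve_sender(REWRITTEN_MAIL)   # => ["visitor@example.org", "reply-to"]
  p resolve_sender(PLAIN_MAIL)       # => ["alice@example.org", "from"]
end
```

Reply-To is written by the remote sender just as From is, so whatever check a handler applies to the sender address (for example an allowed-senders list) should be applied to the resolved address, not only to From. In a real handler built on the Mail gem, `email.reply_to` already returns the parsed address list, so the hand-written parsing above is only needed for a dependency-free illustration.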