Opened 14 years ago
Last modified 4 days ago
#10579 new enhancement
Do not use "anonymous" updater's email in ticket notification From
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | next-major-releases |
| Component: | notification | Version: | |
| Severity: | normal | Keywords: | updater notification from |
| Cc: | | Branch: | |
| Release Notes: | | | |
| API Changes: | | | |
| Internal Changes: | | | |
Description
Originally an additional suggestion to #8360 in comment:11:
With the "improvement" mentioned in comment:9, it would be possible for a malefactor to use a Trac system to send emails (new tickets or comments) that would appear to come from someone else.
Suggestion: The new smtp_from_author feature should only use email addresses from authenticated users.
Attachments (0)
Change History (3)
comment:1 by , 14 years ago
| Milestone: | → next-major-0.1X |
|---|
comment:2 by , 4 days ago
Thank you for reporting
Is this specific to tickets?
Such a feature should only be offered with trusted addresses. And as tracked in ticket #4286, even addresses of registered users cannot be trusted.
This comment is from Philippe "Chealer" Cloutier. All of my comments and contributions in this ticket are offered under the terms of CC0 1.0 (unless otherwise noted).
comment:3 by , 4 days ago
Even if the email address is trusted, it is difficult to enable the smtp_from_author feature on the Internet with SPF, DKIM, and DMARC. This feature will only be useful if all users belong to a single domain.
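
An added illustration, not Trac's code and not written by anyone in this thread: a sender-selection policy that combines the points raised above, using the updater's address in From only when the update is authenticated, the account address is verified, and its domain is one the mail server is authorized to send for. The names `ACCOUNTS`, `OWN_DOMAINS`, `DEFAULT_FROM`, `from_header` and the `verified` flag are assumptions made for the example.

```python
from email.utils import formataddr, parseaddr

# Constructed sample configuration (assumptions, not Trac options).
DEFAULT_FROM = ("Trac", "trac@example.org")  # fallback sender
OWN_DOMAINS = {"example.org"}  # domains covered by this server's SPF/DKIM setup

# Constructed account store: username -> (email, verified)
ACCOUNTS = {
    "alice": ("alice@example.org", True),    # verified, own domain
    "bob": ("bob@elsewhere.test", True),     # verified, foreign domain
    "carol": ("carol@example.org", False),   # own domain, never verified
}


def from_header(username, authenticated, claimed_email=None):
    """Return the From header value for a notification about one update.

    claimed_email is whatever was typed into the ticket form. It is
    deliberately never used as the sender: only the stored account address
    of an authenticated user is considered.
    """
    fallback = formataddr(DEFAULT_FROM)

    # Anonymous updates: the typed-in address is unverified input.
    if not authenticated:
        return fallback

    record = ACCOUNTS.get(username)
    if record is None:
        return fallback
    email, verified = record

    # Registered is not the same as trusted: require a verified address,
    # and refuse anything that could break out of the header line.
    if not verified or "\r" in email or "\n" in email:
        return fallback

    _, addr = parseaddr(email)
    if "@" not in addr:
        return fallback

    # A From domain this server cannot sign or send for will fail DMARC
    # alignment at the recipient, so only own domains are used.
    domain = addr.rsplit("@", 1)[1].lower()
    if domain not in OWN_DOMAINS:
        return fallback

    return formataddr((username, addr))
```
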