Textpattern CMS support forum
You are not logged in. Register | Login | Help
- Topics: Active | Unanswered
Re: Emailing passwords
i have spoken to the hosters and they have forwarded me an artice on how to edit the send mail script:
endmail Functions
What is the path to Sendmail?
/usr/sbin/sendmail
How do I use Sendmail in a script?
When using sendmail you will need to ensure that you use an active POP3 mailbox on your domain in either the to or from field in the mail script.
An example of how to use this is displayed below:
mail($to, $sub, $mess, “From: root@yourdomain.co.uk”, “-froot@yourdomain.co.uk”);
Please can someone identify which file i need to add this script into etc.
Regards
Chris
Offline
Re: Emailing passwords
Please can someone identify which file i need to add this script into etc.
Edit txpMail function (on line 929) in textpattern/lib/txplib_misc.php. Change line 988 to use that required flag.
In example from $sep to $sep,'-f'.$email (or use address directly instead variable).
Note that the user that the webserver runs as should be added as a trusted user to the sendmail configuration to prevent a ‘X-Warning’ header from being added to the message when the envelope sender (-f) is set using this method. For sendmail users, this file is /etc/mail/trusted-users.
Last edited by Gocom (2008-08-19 12:08:05)
Offline
Re: Emailing passwords
Hello Chris,
It’s an absolute b****r isn’t it! As far as we can tell, it isn’t possible to append code to one’s .htaccess file or to Textpattern’s config.php file to make the necessary changes to email headers generated by php mail(), which would be relatively painless. The php snippet:
php_value mail.force_extra_parameters -fsender@domain.com where sender@domain.com is a valid email address, used to be the way to achieve this but updates to PHP5.2.5 last year ensure that the “mail.force_extra_parameters” php.ini directive is no longer to be modifiable in .htaccess due to the security implications.
We aren’t programmers and will only dabble in PHP in life threatening situations. Nevertheless, this is what we we had to do to get ourselves out of the bind that you now find yourself in when our host introduced the same measures a month or two ago, effectively crippling a clutch of our sites. We hacked at one of the TXP core files and a handful of key TXP plug-ins to make them work under the amended requirements.
To deal with TXP’s password/username email system by adding the -f switch along with the user email address stored in the txp_prefs mySQL table, we amended the PHP module in textpattern/lib/txplib_misc.php (TXP 4.0.6) as follows:
CHANGE:
981 return mail($to_address, $subject, $body,
982
983 "From: $RealName <$email>".
984 $sep.'Reply-To: '.( isset($reply_to) ? $reply_to : "$RealName <$email>" ).
985 $sep.'X-Mailer: Textpattern'.
986 $sep.'Content-Transfer-Encoding: 8bit'.
987 $sep.'Content-Type: text/plain; charset="'.$charset.'"'.
988 $sep
989 );
990 }TO:
981 $sender_email = safe_field("val",'txp_prefs',"name = 'blog_mail_uid'");
982 $sender_email = strip_rn($sender_email);
983
984 return mail($to_address, $subject, $body,
985 "From: $RealName <$sender_email>".
986 $sep.'Reply-To: '.( isset($reply_to) ? $reply_to : "$RealName <$sender_email>" ).
987 $sep.'X-Mailer: Textpattern'.
988 $sep.'Content-Transfer-Encoding: 8bit'.
989 $sep.'Content-Type: text/plain; charset="'.$charset.'"'.
990 $sep,
991 "-f<$sender_email>"
992 );
993 }This seems to work well but we readily admit that it’s an amateurish hack and that there are likely better and more elegant ways to achieve the same result. It would be good if the devs would take this up sooner than later, I feel, because there is something of a tidal surge as more hosting companies adopt this requirement. We tested our hack with TXP installations on some hosting companies that don’t have the requirement (yet) and it worked fine on those too, so it seems that “-froot@yourdomain.co.uk” is backwards compatible as a concept and probably something to be considered for adding to the TXP core.
As for the key plug-ins:- ign_password_protect responds to a hack that is almost identical to the one above.
- for zem_contact_reborn, see Nora Brown’s post. We find that it works well, except that we have a question about whether the amendment covers the copy of the email generated by the form that is destined for the email’s originator. We have had some instances of it behaving differently but haven’t been able to diagnose why yet.
I will find someplace to lodge copies of the hacked txplib_misc.php file and the ign_password_protect plug_in so that they can be downloaded for convenience sake. I’ll post details later on today but need to go and feed some hungry and insistent dogs for now.
Apologies if I have banged on too much here but it’s an issue, along with the need for a SMTP alternative to PHP mail() that seems as if it won’t go away.
I hope this gets you out of your current difficulty for now.
Last edited by joebaich (2008-08-19 12:09:49)
Offline
Re: Emailing passwords
Gocom wrote:
Edit
txpMailfunction (on line 929) intextpattern/lib/txplib_misc.php. Change line 988 to use that required flag.In example from
$septo$sep,'-f'.$email(or use address directly instead variable).Note that the user that the webserver runs as should be added as a trusted user to the sendmail configuration to prevent a ‘X-Warning’ header from being added to the message when the envelope sender (-f) is set using this method. For sendmail users, this file is /etc/mail/trusted-users.
Great! I knew that there would be a more elegant way to do this :-). Most users don’t have access to the /etc/mail/trusted-users file though and that seems as though it could be problematical. That’s why we opted for the content of the ‘blog_mail_uid’ field from the txp_prefs table to get a bone fide email address.
Offline
Re: Emailing passwords
Ok so which one should i be using?
I am struggling to understand what you mean:
“Note that the user that the webserver runs as should be added as a trusted user to the sendmail configuration to prevent a ‘X-Warning’ header from being added to the message when the envelope sender (-f) is set using this method. For sendmail users, this file is /etc/mail/trusted-users.”
Hope to hear from you soon
Regards
Chris
Offline
Re: Emailing passwords
I said
I will find someplace to lodge copies of the hacked txplib_misc.php file and the ign_password_protect plug_in so that they can be downloaded for convenience sake. I’ll post details later on today but …
Here are copies of the two hacked files for download. The ign_password_protect hack and the hacked txplib_misc.php file
Offline
Re: Emailing passwords
Joe and others who’ve experimented with this, I have a few questions:
- Can the ‘-f<email address’ be any valid email address or does it have to be an email address with the same domain as where TXP is installed?
- Must the ‘-f<email address>’ be the same as the ‘From: <email>’ address?
Offline
Re: Emailing passwords
Ruud,
I can only speak for certain about the way it works on the Hosting Company we use with the ‘-f<email address>’ requirement (Mosso). Nora and Chris each use a different host. I will ask those companies too but we suspect that the same will hold true.
The ‘-f<email address>’ does not have be an email address from the same domain as where TXP is installed and can be any valid email address.
From what we have researched, here for instance, the ‘-f<email address>’ does not have to be the same as the ‘From: <email>’ address. However in our hack and in the more elegant one suggested by Gocom above too, the ‘-f<email address>’ is the same as the ‘From: <email>’ address and so we haven’t tested that conclusion.
As an illustration, this is the relevant section of a TXP generated email header with our hack applied to textpattern/lib/txplib_misc.php. The first part of the email names have been changed to protect the innocent civilians but they were valid names. comcast.net nor blairfolk.com is hosted by Mosso.
From: jayblo@comcast.net
Subject: [My Sendmail Site] Your login info
Date: August 22, 2008 12:54:56 PM EDT
To: weejim@blairfolk.com
Reply-To: jayblo@comcast.net
Return-Path: <jayblo@comcast.net>
Envelope-To: weejim@blairfolk.com
Delivery-Date: Fri, 22 Aug 2008 09:54:58 -0700
Received: from [64.49.221.236] (port=61800 helo=mx2.wc1.sat1.stabletransit.com) by n12.c03.server-system.net with esmtp (Exim 4.63) (envelope-from <jayblo@comcast.net>) id 1KWZub-00010i-3s for weejim@blairfolk.com; Fri, 22 Aug 2008 09:54:58 -0700
Received: by mx2.wc1.sat1.stabletransit.com (Postfix, from userid 99) id DC8E4C7225B; Fri, 22 Aug 2008 11:54:56 -0500 (CDT)
Received: from lblin5-118.wc1.stabletransit.com (lblin5-118 [172.16.11.208]) by mx2.wc1.sat1.stabletransit.com (Postfix) with ESMTP id B1745C7225B for <weejim@blairfolk.com>; Fri, 22 Aug 2008 11:54:56 -0500 (CDT)
Received: by lblin5-118.wc1.stabletransit.com (Postfix, from userid 33) id 9BE7E11100A9; Fri, 22 Aug 2008 11:54:56 -0500 (CDT)
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on mx2.wc1.sat1.stabletransit.com
X-Spam-Level:
X-Spam-Level: *
X-Spam-Status: No, score=-2.6 required=6.0 tests=BAYES_00 autolearn=disabled version=3.2.4
X-Spam-Status: "score=0.0 tests=none version=3.1.7 cmae=v=1.0 c=1 a=rITDv7nW5hcA:10 a=cweTzfaNA5G0HvDmRwNm5Q==:17 a=la5IYv9AAAAA:8 a=m5i_P22apacobXg7pzAA:9 a=ocTgPvstXRVZRWPO7rwA:7 a=MWXTzWo3fpshw9CyqA5Nt2PEKMoA:4 a=M5NflSamuk0A:10 xcat=Undefined/Undefined"Thank you for your interest.
Offline
Re: Emailing passwords
Hmm. I did some testing to see what exactly that -f switch does. It overrides the default email address used in the SMTP envelope FROM header. With some people using SPF DNS records, this means one can’t simply use any valid email address. It has to an address that the IPnr hosting the website is allowed to use (or rather: not prohibited from using due to an SPF DNS record).
Using the blog_mail_uid is not an option. That’s not a changeable preference.
Using the FROM address in the -f option doesn’t always work due to SPF.
So, to solve this, we’d need an extra preference, I think, that allows you to enter an email address (or leave empty if not needed).
Offline
Re: Emailing passwords
Good point, Ruud. I had forgotten about the impact of SPF on this. The domain we used to test the hacks does have a SPF record in play but it is currently sufficiently lax to allow the use of domains not hosted locally (‘~all’ SoftFail clause).
I wonder though if adding an extra TXP preference to cope with a non SPF qualified email address by replacing it via the ‘-f switch’ is the best course of action? Taking a step back and looking at the wider requirement, to prevent SPAM, wouldn’t it be more logical to expect/require the TXP user to amend the SPF record to enable a domain he/she wished to use as the ‘TXP Sender’ if it was not already qualified? How would you ensure that the email address that the user entered in the new TXP preference was ‘domain SPF record’ qualified anyway?
Offline
Re: Emailing passwords
For your information -
My problem was identifed when i set up textpattern on the domain when my password (as the first user) wasn’t received in my email account.
Offline
Re: Emailing passwords
Chris,
My problem was identifed when i set up textpattern on the domain when my password (as the first user) wasn’t received in my email account.
It was clear from what you said initially, that this was how the problem had first manifested itself with you. It will be exactly the same for anyone installing TXP on a Host with this restriction on php mail().
As to the question you posed in a previous post about whether to use Gocom’s or our solution to fix it for now, the answer is ‘either of them; you choose!’.
Gocom’s method is straightforward and requires an amendment to a single line in textpattern/lib/txplib_misc.php (TXP 4.0.6). It uses the variable $email that is already at play in the script and takes the value of the email field of the first user in the table txp_users. As you know, that field is editable in TXP’s Admin at ‘Admin/Users’. This same amendment can be applied to the ign_password_protect plugin; the line is identical to the one in the TXP core script.
Our method does the essentially the same thing as Gocom’s except that it uses a line or two more code to take the value of the field blog_mail_uid from the table txp_prefs. This field takes the same email address value from the first user on set up but can’t be changed via TXP Admin. It keeps its original value even if one subsequently changes the email address of the first user (i.e. the TXP Publisher). As you will have seen in my earlier post, I have made hacked versions of textpattern/lib/txplib_misc.php (TXP 4.0.6) and the plugin ign_password_protect available for download.
If it helps you decide, we will use Gocom’s method on future TXP 4.0.6 installations :-).
As Ruud points out, anyone adopting either of these hacks to get around the ‘fifth parameter’ requirement for php() mail needs to be mindful of the interplay with the Sender Policy Framework (SPF) record in the DNS Zone file for their TXP installation’s domain, if indeed such a record exists. This is more important if $mail or blog_mail_uid belong to a domain other than the one used by the TXP installation. One would need to ensure that the SPF record permits (or doesn’t prohibit) its use on the host’s email server. It is the kind of thing one would turn to one’s host for help, if indeed help were required.
Offline