Textpattern CMS support forum
Re: Emailing passwords
Gocom wrote:
Edit txpMail function (on line 929) in textpattern/lib/txplib_misc.php. Change line 988 to use that required flag. In example from $sep to $sep,'-f'.$email (or use address directly instead variable).
Note that the user that the webserver runs as should be added as a trusted user to the sendmail configuration to prevent a ‘X-Warning’ header from being added to the message when the envelope sender (-f) is set using this method. For sendmail users, this file is /etc/mail/trusted-users.
Great! I knew that there would be a more elegant way to do this :-). Most users don’t have access to the /etc/mail/trusted-users file though and that seems as though it could be problematical. That’s why we opted for the content of the ‘blog_mail_uid’ field from the txp_prefs table to get a bona fide email address.
Offline
Re: Emailing passwords
OK, so which one should I be using?
I am struggling to understand what you mean:
“Note that the user that the webserver runs as should be added as a trusted user to the sendmail configuration to prevent a ‘X-Warning’ header from being added to the message when the envelope sender (-f) is set using this method. For sendmail users, this file is /etc/mail/trusted-users.”
Hope to hear from you soon
Regards
Chris
Offline
Re: Emailing passwords
I said
I will find someplace to lodge copies of the hacked txplib_misc.php file and the ign_password_protect plug_in so that they can be downloaded for convenience sake. I’ll post details later on today but …
Here are copies of the two hacked files for download. The ign_password_protect hack and the hacked txplib_misc.php file
Offline
Re: Emailing passwords
Joe and others who’ve experimented with this, I have a few questions:
- Can the ‘-f<email address>’ be any valid email address or does it have to be an email address with the same domain as where TXP is installed?
- Must the ‘-f<email address>’ be the same as the ‘From: <email>’ address?
Offline
Re: Emailing passwords
Ruud,
I can only speak for certain about the way it works on the Hosting Company we use with the ‘-f<email address>’ requirement (Mosso). Nora and Chris each use a different host. I will ask those companies too but we suspect that the same will hold true.
The ‘-f<email address>’ does not have to be an email address from the same domain as where TXP is installed and can be any valid email address.
From what we have researched, here for instance, the ‘-f<email address>’ does not have to be the same as the ‘From: <email>’ address. However in our hack and in the more elegant one suggested by Gocom above too, the ‘-f<email address>’ is the same as the ‘From: <email>’ address and so we haven’t tested that conclusion.
As an illustration, this is the relevant section of a TXP generated email header with our hack applied to textpattern/lib/txplib_misc.php. The first part of the email names have been changed to protect the innocent civilians but they were valid names. Neither comcast.net nor blairfolk.com is hosted by Mosso.
From: jayblo@comcast.net
Subject: [My Sendmail Site] Your login info
Date: August 22, 2008 12:54:56 PM EDT
To: weejim@blairfolk.com
Reply-To: jayblo@comcast.net
Return-Path: <jayblo@comcast.net>
Envelope-To: weejim@blairfolk.com
Delivery-Date: Fri, 22 Aug 2008 09:54:58 -0700
Received: from [64.49.221.236] (port=61800 helo=mx2.wc1.sat1.stabletransit.com) by n12.c03.server-system.net with esmtp (Exim 4.63) (envelope-from <jayblo@comcast.net>) id 1KWZub-00010i-3s for weejim@blairfolk.com; Fri, 22 Aug 2008 09:54:58 -0700
Received: by mx2.wc1.sat1.stabletransit.com (Postfix, from userid 99) id DC8E4C7225B; Fri, 22 Aug 2008 11:54:56 -0500 (CDT)
Received: from lblin5-118.wc1.stabletransit.com (lblin5-118 [172.16.11.208]) by mx2.wc1.sat1.stabletransit.com (Postfix) with ESMTP id B1745C7225B for <weejim@blairfolk.com>; Fri, 22 Aug 2008 11:54:56 -0500 (CDT)
Received: by lblin5-118.wc1.stabletransit.com (Postfix, from userid 33) id 9BE7E11100A9; Fri, 22 Aug 2008 11:54:56 -0500 (CDT)
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on mx2.wc1.sat1.stabletransit.com
X-Spam-Level:
X-Spam-Level: *
X-Spam-Status: No, score=-2.6 required=6.0 tests=BAYES_00 autolearn=disabled version=3.2.4
X-Spam-Status: "score=0.0 tests=none version=3.1.7 cmae=v=1.0 c=1 a=rITDv7nW5hcA:10 a=cweTzfaNA5G0HvDmRwNm5Q==:17 a=la5IYv9AAAAA:8 a=m5i_P22apacobXg7pzAA:9 a=ocTgPvstXRVZRWPO7rwA:7 a=MWXTzWo3fpshw9CyqA5Nt2PEKMoA:4 a=M5NflSamuk0A:10 xcat=Undefined/Undefined"
Thank you for your interest.
Offline
Re: Emailing passwords
Hmm. I did some testing to see what exactly that -f switch does. It overrides the default email address used in the SMTP envelope FROM header. With some people using SPF DNS records, this means one can’t simply use any valid email address. It has to be an address that the IPnr hosting the website is allowed to use (or rather: not prohibited from using due to an SPF DNS record).
Using the blog_mail_uid is not an option. That’s not a changeable preference.
Using the FROM address in the -f option doesn’t always work due to SPF.
So, to solve this, we’d need an extra preference, I think, that allows you to enter an email address (or leave empty if not needed).
Offline
Re: Emailing passwords
Good point, Ruud. I had forgotten about the impact of SPF on this. The domain we used to test the hacks does have a SPF record in play but it is currently sufficiently lax to allow the use of domains not hosted locally (‘~all’ SoftFail clause).
I wonder though if adding an extra TXP preference to cope with a non SPF qualified email address by replacing it via the ‘-f switch’ is the best course of action? Taking a step back and looking at the wider requirement, to prevent SPAM, wouldn’t it be more logical to expect/require the TXP user to amend the SPF record to enable a domain he/she wished to use as the ‘TXP Sender’ if it was not already qualified? How would you ensure that the email address that the user entered in the new TXP preference was ‘domain SPF record’ qualified anyway?
Offline
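The SPF point raised in the two posts above, as an added example that is not from any participant in this thread: a receiving server evaluates the SPF record of the envelope-sender domain (the address given with -f) against the IP of the connecting server. This sketch handles only the ip4 and all mechanisms; the records and addresses are constructed, and `spf_check()` and `ip4_in_cidr()` are hypothetical names.

```php
<?php
// Added example. Records and IP addresses are constructed for illustration.
// Simplification: only "ip4" and "all" are evaluated; other mechanisms
// (a, mx, include, ...) need DNS lookups and are treated as "no match".
// Assumes 64-bit PHP integers.

function ip4_in_cidr($ip, $cidr)
{
    $parts = explode('/', $cidr, 2);
    $bits  = isset($parts[1]) ? (int) $parts[1] : 32;
    $net   = ip2long($parts[0]);
    $addr  = ip2long($ip);
    if ($net === false || $addr === false || $bits < 0 || $bits > 32) {
        return false;
    }
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($addr & $mask) === ($net & $mask);
}

function spf_check($record, $sending_ip)
{
    $results = array('+' => 'pass', '-' => 'fail', '~' => 'softfail', '?' => 'neutral');
    $terms = preg_split('/\s+/', trim($record));
    if (strtolower(array_shift($terms)) !== 'v=spf1') {
        return 'none';                       // not an SPF record
    }
    foreach ($terms as $term) {
        $qualifier = '+';                    // default qualifier is "pass"
        if (isset($results[$term[0]])) {
            $qualifier = $term[0];
            $term = substr($term, 1);
        }
        $term = strtolower($term);
        if ($term === 'all') {
            return $results[$qualifier];     // catch-all: first match wins
        }
        if (strpos($term, 'ip4:') === 0 && ip4_in_cidr($sending_ip, substr($term, 4))) {
            return $results[$qualifier];
        }
    }
    return 'neutral';                        // nothing matched, no "all" term
}

$web_host_ip = '198.51.100.25';              // constructed: server that calls mail()
$lax    = 'v=spf1 ip4:192.0.2.0/24 ~all';    // constructed: lax sender domain
$strict = 'v=spf1 ip4:192.0.2.0/24 -all';    // constructed: strict sender domain

echo spf_check($lax, $web_host_ip), "\n";    // web host not listed, "~all" applies
echo spf_check($strict, $web_host_ip), "\n"; // web host not listed, "-all" applies
echo spf_check($strict, '192.0.2.10'), "\n"; // sender's own mail server, listed
```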
Re: Emailing passwords
For your information -
My problem was identified when I set up textpattern on the domain when my password (as the first user) wasn’t received in my email account.
Offline
Re: Emailing passwords
Chris,
My problem was identified when I set up textpattern on the domain when my password (as the first user) wasn’t received in my email account.
It was clear from what you said initially, that this was how the problem had first manifested itself with you. It will be exactly the same for anyone installing TXP on a Host with this restriction on php mail().
As to the question you posed in a previous post about whether to use Gocom’s or our solution to fix it for now, the answer is ‘either of them; you choose!’.
Gocom’s method is straightforward and requires an amendment to a single line in textpattern/lib/txplib_misc.php (TXP 4.0.6). It uses the variable $email that is already at play in the script and takes the value of the email field of the first user in the table txp_users. As you know, that field is editable in TXP’s Admin at ‘Admin/Users’. This same amendment can be applied to the ign_password_protect plugin; the line is identical to the one in the TXP core script.
Our method does essentially the same thing as Gocom’s except that it uses a line or two more code to take the value of the field blog_mail_uid from the table txp_prefs. This field takes the same email address value from the first user on set up but can’t be changed via TXP Admin. It keeps its original value even if one subsequently changes the email address of the first user (i.e. the TXP Publisher). As you will have seen in my earlier post, I have made hacked versions of textpattern/lib/txplib_misc.php (TXP 4.0.6) and the plugin ign_password_protect available for download.
If it helps you decide, we will use Gocom’s method on future TXP 4.0.6 installations :-).
As Ruud points out, anyone adopting either of these hacks to get around the ‘fifth parameter’ requirement for php mail() needs to be mindful of the interplay with the Sender Policy Framework (SPF) record in the DNS Zone file for their TXP installation’s domain, if indeed such a record exists. This is more important if $mail or blog_mail_uid belong to a domain other than the one used by the TXP installation. One would need to ensure that the SPF record permits (or doesn’t prohibit) its use on the host’s email server. It is the kind of thing one would turn to one’s host for help, if indeed help were required.
Offline
Re: Emailing passwords
- Gocom’s solution uses a varying sender email address if you have multiple users in your TXP install, so you’d have to deal with SPF records for all of them.
- The “-f” solution breaks if safe_mode is enabled.
- Neither solution works on Windows servers, from what I’ve read (ini_set sendmail_from does appear to work there).
I’ll probably go for a user-changeable preference and auto-detect safe_mode and windows servers to make it work across as many systems as possible. By default this will not be enabled. The user has to fill out an email address if needed.
Offline
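One way the plan in the post above could look, as an added example that is not Textpattern's code and not written by anyone in this thread: an optional envelope-sender preference, with Windows and safe_mode detected automatically. All function names are hypothetical. Because the preference ends up in mail()'s fifth parameter, which is handed to the sendmail command line, the sketch validates it against a conservative allow-list first.

```php
<?php
// Added example, not Textpattern's code; all function names are hypothetical.

// Return the address if it is safe to append to "-f", otherwise null.
function safe_envelope_sender($address)
{
    $address = trim((string) $address);
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Allow-list on top of the syntax check: no spaces, quotes or shell
    // metacharacters, so the value cannot be read as extra sendmail options.
    if (!preg_match('/^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+$/D', $address)) {
        return null;
    }
    return $address;
}

// Decide how to set the envelope sender: 'param', 'ini' or 'none'.
function envelope_mechanism($sender, $os, $safe_mode)
{
    if ($sender === null) {
        return 'none';   // preference empty or rejected: plain mail()
    }
    if (stripos($os, 'WIN') === 0) {
        return 'ini';    // Windows: use the sendmail_from ini setting
    }
    // Assumption: under safe_mode fall back to plain mail(), because the
    // fifth parameter is disabled there.
    return $safe_mode ? 'none' : 'param';
}

function send_with_envelope_sender($to, $subject, $body, $headers, $pref)
{
    $sender = safe_envelope_sender($pref);
    $safe_mode = (bool) ini_get('safe_mode');   // always false on PHP >= 5.4
    switch (envelope_mechanism($sender, PHP_OS, $safe_mode)) {
        case 'param':
            // mail() applies escapeshellcmd() to this argument itself.
            return mail($to, $subject, $body, $headers, '-f' . $sender);
        case 'ini':
            ini_set('sendmail_from', $sender);
            return mail($to, $subject, $body, $headers);
        default:
            return mail($to, $subject, $body, $headers);
    }
}
```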
Re: Emailing passwords
Thanks Ruud. That is good to hear.
Offline
Re: Emailing passwords
For an alternative hack for adding the ‘-f ‘ switch to sem_contact_reborn see Igor’s post here.
Offline
Re: Emailing passwords
Ruud,
I checked out the latest version of 4.0.7 a few moments ago on another mission, but noted that it appeared to be now ‘-f switch’ compliant. I applied the build to a site hosted on Mosso, added a valid email name to the new Adv Preference, and it worked beautifully. Thank you very much indeed.
Offline
Re: Emailing passwords
Thanks for confirming that it works :)
Offline