groupoffice icon indicating copy to clipboard operation
groupoffice copied to clipboard
verified publisher icon Intermesh

Calendar event invite mail From address

Open polarismail opened this issue 3 years ago • 3 comments

When you invite a user from outside GO to an event, and that user has to accept the invitation, a confirmation e-mail gets generated. This happens here:

In modules/calendar/model/Event.php function replyToOrganizer

there is a problem in the way the e-mail gets generated:

            $message = \GO\Base\Mail\Message::newInstance($subject)
                                                    ->setFrom($sendingParticipant->email, $sendingParticipant->name)
                                                    ->addTo($organizer->email, $organizer->name);

GO is using internal SMTP service but it's generating an e-mail message with the setFrom of the participant. So for example, if the participant is [email protected] , the code above will basically generate a message with a From of [email protected] which is not correct, since we shouldn't originate e-mails as @gmail , or anyone else for that matter.

The correct solution is to either set the from to the system e-mail, organizer e-mail or some other address for which we have authority.

The even better solution would be to be able to set separate envelope / header from ( although that may break DKIM / DMARC ). In any case, at least the envelope sender should not be hard set to addresses we can't control.

We are using a temporary workaround:

            $message = \GO\Base\Mail\Message::newInstance($subject)
                                                    ->setFrom($organizer->email, $sendingParticipant->name)
                                                    ->addTo($organizer->email, $organizer->name);

not sure if you have a better way of handling this

polarismail avatar Dec 02 '22 16:12 polarismail

Found a better solution.

The problem lies in the fact that an event can have a participant or an organizer that's either local to GO, or external.

if you try setting that participant or the organizer as the From, you will have issues in certain cases because you shouldn't be allowed to setFrom to @gmail.com in the envelope.

You should always have an envelope From of an address you control. As mentioned above, the solution is either to set the From to always be the System E-mail, or you can set the Envelope From to always be the user that's acting on the event.

We chose this latter option, via this code, in: modules/calendar/model/Event.php line 2641:

                $message->setHtmlAlternateBody($body);

                 // Force Envelope From to be the user's e-mail address
                if(Module::isInstalled('legacy', 'email')) {
                        $account = GO\Email\Model\Account::model()->findByEmail($this->user->email);
                        if($account) {
                                $message->setSender($this->user->email);
                        }
                }

                $this->getUserMailer()->send($message);

polarismail avatar Dec 06 '22 18:12 polarismail

Will the Sender header make a difference here? Won't SPF fail anyway because it will check the return path?

https://mxtoolbox.com/dmarc/spf/setup/spf-return-path

mschering avatar Dec 08 '22 08:12 mschering

On the contrary.

The original code sets From to be $sendingParticipant->email . $sendingParticipant can be either a local GO user ( when GO user initiates ) or a remote user ( when remote user initiates ).

By setting Sender ( envelope From value ) to GO user, you ensure to always send using the proper e-mail address.

I will send you an e-mail to better show you the bug

polarismail avatar Dec 08 '22 14:12 polarismail

This one was fixed some time ago

mschering avatar Jun 17 '24 10:06 mschering