Supabase uses user email instead of sender email for custom smtp in some circumstances
- [X] I confirm I have searched the Docs, GitHub Discussions, and Discord.
- [X] I confirm this is a bug with Supabase, not with my own application.
Describe the bug
When one changes from the built-in Supabase email to using a Custom SMTP provider, Supabase may (under circumstances not determined) use the app user's email (e.g. [email protected]) as the from address rather than using the specified "from" under Custom SMTP (e.g. [email protected]).
The event message for the error in Auth looks like this:
{"auth_event":{"action":"user_recovery_requested","actor_id":"f1f5ecf2-573d-497d-baef-6a8b1117ab71","actor_username":"[email protected]","actor_via_sso":false,"log_type":"user"},"component":"api","error":"gomail: could not send email 1: 554 Message rejected: Email address is not verified. The following identities failed the check in region US-EAST-2: [email protected]","level":"error","method":"POST","msg":"500: Error sending recovery email","path":"/recover","referer":"https://some-address.netlify.app/reset-password","remote_addr":"151.211.27.38","request_id":"91e4000b41d2bf77-ATL","time":"2025-03-10T15:56:06Z"}
The metadata looks like:
```json
[
  {
    "host": "db-afimbptvoogkfkosrisw",
    "component": "api",
    "_SYSTEMD_CGROUP": null,
    "request_id": "91e4000b41d2bf77-ATL",
    "mail_from": null,
    "message": null,
    "_SOURCE_REALTIME_TIMESTAMP": null,
    "PRIORITY": null,
    "_AUDIT_LOGINUID": null,
    "panic": null,
    "metering": null,
    "UNIT": null,
    "event": null,
    "SYSLOG_FACILITY": null,
    "msg": "500: Error sending recovery email",
    "mail_type": null,
    "EXECUTABLE": null,
    "user_id": null,
    "_CMDLINE": null,
    "action": null,
    "auth_event": [
      {
        "action": "user_recovery_requested",
        "actor_id": "f1f5ecf2-573d-497d-baef-6a8b1117ab71",
        "actor_name": null,
        "actor_username": "[email protected]",
        "actor_via_sso": false,
        "log_type": "user",
        "traits": []
      }
    ],
    "level": "error",
    "_PID": null,
    "path": "/recover",
    "duration": null,
    "_COMM": null,
    "header": null,
    "_MACHINE_ID": null,
    "login_method": null,
    "_STREAM_ID": null,
    "source_type": null,
    "_LINE_BREAK": null,
    "_EXE": null,
    "_AUDIT_SESSION": null,
    "_TRANSPORT": null,
    "x_forwarded_proto": null,
    "time": null,
    "mail_to": null,
    "_GID": null,
    "stack": null,
    "x_forwarded_host": null,
    "status": null,
    "_UID": null,
    "method": "POST",
    "CODE_FILE": null,
    "remote_addr": "151.210.97.34",
    "provider": null,
    "_SYSTEMD_UNIT": null,
    "issuer": null,
    "error": "gomail: could not send email 1: 554 Message rejected: Email address is not verified. The following identities failed the check in region US-EAST-2: [email protected]",
    "client_id": null,
    "MESSAGE_ID": null,
    "referer": "https://some-address.netlify.app/reset-password",
    "_SYSTEMD_INVOCATION_ID": null,
    "CODE_FUNC": null,
    "_BOOT_ID": null,
    "INVOCATION_ID": null,
    "__MONOTONIC_TIMESTAMP": null,
    "timestamp": null,
    "__REALTIME_TIMESTAMP": null,
    "CODE_LINE": null,
    "_SYSTEMD_SLICE": null,
    "instance_id": null,
    "args": [],
    "SYSLOG_IDENTIFIER": null,
    "metadata": [],
    "_CAP_EFFECTIVE": null,
    "factor_id": null,
    "_SELINUX_CONTEXT": null,
    "project": null
  }
]
```
To Reproduce
Steps to reproduce the behavior, please provide code snippets or a repository:
- Go to Authentication -> Emails -> SMTP Settings
- Enable Custom SMTP
- Enter sender email (e.g. [email protected]) and sender name (e.g. Admin Person)
- Enter SMTP provider settings (in this case I'm using SES)
- Click Save Changes.
- Go to your app and click on the forgot password link
- Enter your email
- An error message will likely display saying it failed to send the message
- Go to Logs -> Auth and you'll find an `ERROR /recover | 500: Error sending recovery email` message; it contains the info I shared above.
Expected behavior
After setting up Custom SMTP, all emails sent via Supabase should use the Custom SMTP, including the sender email and sender name configured under Custom SMTP.
System information
- OS: Windows 11
- Browser (if applies): Edge
- Version of supabase-js: 2.39.? and 2.49.1
- Version of Node.js: netlify's default
To the best of my understanding, the issue is that the headers are overwriting the From defined under Custom SMTP. A patch to mailme.go like this:
```go
// Apply headers first
for k, v := range headers {
	if v != nil && k != "From" { // Skip From header from headers
		mail.SetHeader(k, v...)
	}
}
// Set From, To, Subject headers after other headers
// This ensures From from configuration takes precedence
mail.SetHeader("From", m.From)
mail.SetHeader("To", to)
mail.SetHeader("Subject", subject.String())
```
Or perhaps:
mail.SetHeader("From", m.From)
mail.SetHeader("To", to)
mail.SetHeader("Subject", subject.String())
for k, v := range headers {
if v != nil && k != "From" { // Skip From header from headers
mail.SetHeader(k, v...)
}
}
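
The header-ordering behaviour suspected in this report, as an added example that is not part of the original issue or Supabase's own code: it uses only the Go standard library, with a hypothetical `Message` map standing in for the mail library's message. The function names and addresses are constructed, and the case-insensitive key match goes beyond the `k != "From"` check in the snippets above.

```go
package main

import (
	"fmt"
	"net/textproto"
)

// Message is a hypothetical stand-in for a mail message's header set:
// SetHeader replaces any earlier value stored under the same key.
type Message map[string][]string

func (m Message) SetHeader(k string, v ...string) { m[k] = v }

// buildOverridable models the order the report suspects: the configured From
// is set first, then extra headers are applied, so an extra "From" wins.
func buildOverridable(from, to, subject string, extra map[string][]string) Message {
	m := Message{}
	m.SetHeader("From", from)
	m.SetHeader("To", to)
	m.SetHeader("Subject", subject)
	for k, v := range extra {
		if v != nil {
			m.SetHeader(k, v...)
		}
	}
	return m
}

// buildPinned never lets extra headers touch From. Keys are canonicalized
// first, so "from" and "FROM" are rejected as well as "From".
func buildPinned(from, to, subject string, extra map[string][]string) Message {
	m := Message{}
	for k, v := range extra {
		ck := textproto.CanonicalMIMEHeaderKey(k)
		if v == nil || ck == "From" {
			continue
		}
		m.SetHeader(ck, v...)
	}
	m.SetHeader("From", from)
	m.SetHeader("To", to)
	m.SetHeader("Subject", subject)
	return m
}

func main() {
	extra := map[string][]string{"From": {"user@example.org"}} // constructed sample
	fmt.Println(buildOverridable("admin@example.com", "user@example.org", "Reset", extra)["From"])
	fmt.Println(buildPinned("admin@example.com", "user@example.org", "Reset", extra)["From"])
}
```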