View Issue Details

IDProjectCategoryView StatusLast Update
0000436Main CAcert WebsiteGPG/PGPpublic2013-01-14 21:39
Reporterhomer Assigned ToSourcerer  
PrioritynormalSeverityminorReproducibilityalways
Status closedResolutionfixed 
PlatformMain CAcert WebsiteOSN/A 
Fixed in Version2007 
Summary0000436: Any live SMTP call stage of domain email before domain email checking
Description> Is the live SMTP call stage of domain email verification necessary, if
> you require a response to the subsequent confirmation email anyway? I
> only ask because it threw errors about the temporary failure response
> (451) that my mail server gave -- I use greylisting to filter spam. If
> you'd just dropped the message into your own outbound mail server's
> queue, it would have got to me just the same, but I wouldn't have had to
> mess around repeating the probe manually five minutes later. My choice
> to greylist, I know, I'm just wondering what utility there is in the
> live probe followed by a confirmation email.

I am not sure what has been done. I understand it is not very convenient because there is not always a mail server associated to a domain.
TagsNo tags attached.
Reviewed by
Test Instructions

Relationships

related to 0000592 confirmed The domain name checking have to be improved to be auditable 

Activities

homer

2007-05-08 10:19

reporter   ~0000842

After I was asked where I wanted my confirmation email sent to, your script then tried to either VRFY the address or make an SMTP call to the MTA published for that address and begin a session with an appropriate MAIL and RCPT command. It's a sure-fire way to verify that the email address I've told you to send the message to is valid, and in one sense it's entirely correct of your script to expect there to be an MTA willing to take mail where I've told you to send it. But it doesn't play well with greylisting, and it's kind of redundant, given that the very next thing you're going to do is send a message anyway. Perhaps your script could just be little less rigorous, and maybe just verify that there's an A, AAAA or MX for the domain part of the address? Or maybe it could be lenient and ignore temporary errors and only fail on permanent 500-series errors?

homer

2007-05-08 10:59

reporter   ~0000843

The reason why we do this is the following:
The problem we had was that there were a lot of people who were not able to
entered their email address incorrectly, then obviously didn´t received any
email, and then contacted support to research the problem. The problem then
was that our support staff had to start intensive investigations to search
for the problem, and often finding that greylisting was in place and the
users were too nervous, or that the users made mistakes in the email address,
or that their mailservers or DNS servers were broken.
So we decided to add a second connection, which just verifies the email
address, and shows the user all the results of that verification, to save our
support-team a lot of research work.

One thing we could change there is that we could add a detection for
greylisting, and then inform the user that we have detected greylisting on
his server, and ask him, whether we shoud continue sending the email through
our MTA. If you find a developer to actually implement it, we will apply that
change to the system.

Best regards,
Philipp Gühring

pc

2007-07-17 14:19

reporter   ~0000879

In order to get rid of most problems with greylisting, you should use an empty envelope sender for the validity check. See http://projects.puremagic.com/greylisting/whitepaper.html (third paragraph in the section 'Issues Affecting The Proposed Implementation').

2007-07-17 14:20

 

cacert-nomailfrom.patch (490 bytes)   
diff -rU3 cacert.orig/includes/general.php cacert/includes/general.php
--- cacert.orig/includes/general.php	2007-07-13 19:39:57.000000000 +0200
+++ cacert/includes/general.php	2007-07-17 14:10:33.000000000 +0200
@@ -644,7 +644,7 @@
 						$line = fgets($fp, 4096);
 					if(substr($line, 0, 3) != "250")
 						continue;
-					fputs($fp, "MAIL FROM: <returns@cacert.org>\r\n");
+					fputs($fp, "MAIL FROM: <>\r\n");
 					$line = fgets($fp, 4096);
 
 					if(substr($line, 0, 3) != "250")
cacert-nomailfrom.patch (490 bytes)   

pc

2007-07-17 14:21

reporter   ~0000880

I have created another patch that outputs different error messages for temporary failures. In particular, it advises the user to try again later.

2007-07-17 14:21

 

cacert-tmpfail.patch (2,755 bytes)   
diff -rU3 cacert.orig/includes/account.php cacert/includes/account.php
--- cacert.orig/includes/account.php	2007-07-13 19:39:57.000000000 +0200
+++ cacert/includes/account.php	2007-07-17 14:05:42.000000000 +0200
@@ -57,7 +57,11 @@
 		if($checkemail != "OK")
 		{
 			showheader(_("My CAcert.org Account!"));
-			echo "<p>"._("Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid")."</p>\n";
+			if (substr($checkemail, 0, 1) == "4") {
+				echo "<p>"._("The mail server responsible for your domain indicated a temporary failure. This may be due to anti-SPAM measures, such as \"greylisting\". Please try again in a few minutes.")."</p>\n";
+			} else {
+				echo "<p>"._("Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid")."</p>\n";
+			}
 			echo "<p>$checkemail</p>\n";
 			showfooter();
 			exit;
@@ -475,7 +479,11 @@
 		if($checkemail != "OK")
 		{
 			showheader(_("My CAcert.org Account!"));
-			echo "<p>"._("Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid")."</p>\n";
+			if (substr($checkemail, 0, 1) == "4") {
+				echo "<p>"._("The mail server responsible for your domain indicated a temporary failure. This may be due to anti-SPAM measures, such as \"greylisting\". Please try again in a few minutes.")."</p>\n";
+			} else {
+				echo "<p>"._("Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid")."</p>\n";
+			}
 			echo "<p>$checkemail</p>\n";
 			showfooter();
 			exit;
diff -rU3 cacert.orig/www/index.php cacert/www/index.php
--- cacert.orig/www/index.php	2007-02-23 22:42:21.000000000 +0100
+++ cacert/www/index.php	2007-07-17 13:54:47.000000000 +0200
@@ -484,7 +484,12 @@
 			if($checkemail != "OK")
 			{
 				$id = 1;
-				$_SESSION['_config']['errmsg'] .= _("Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid")."<br>\n$checkemail<br>\n";
+				if (substr($checkemail, 0, 1) == "4") {
+					$_SESSION['_config']['errmsg'] .= _("The mail server responsible for your domain indicated a temporary failure. This may be due to anti-SPAM measures, such as \"greylisting\". Please try again in a few minutes.");
+				} else {
+					$_SESSION['_config']['errmsg'] .= _("Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid");
+				}
+				$_SESSION['_config']['errmsg'] .= "<br>\n$checkemail<br>\n";
 			}
 		}
 
cacert-tmpfail.patch (2,755 bytes)   

Sourcerer

2007-07-30 20:55

administrator   ~0000881

Oh, I didn´t noticed the patches. Thanks a lot, they are applied now. Please test and close the bug then.

Issue History

Date Modified Username Field Change
2007-05-08 09:14 homer New Issue
2007-05-08 10:19 homer Note Added: 0000842
2007-05-08 10:59 homer Note Added: 0000843
2007-06-25 07:16 evaldo Status new => confirmed
2007-07-17 14:19 pc Note Added: 0000879
2007-07-17 14:20 pc File Added: cacert-nomailfrom.patch
2007-07-17 14:21 pc Note Added: 0000880
2007-07-17 14:21 pc File Added: cacert-tmpfail.patch
2007-07-30 20:55 Sourcerer Status confirmed => solved?
2007-07-30 20:55 Sourcerer Fixed in Version => production
2007-07-30 20:55 Sourcerer Resolution open => fixed
2007-07-30 20:55 Sourcerer Assigned To => Sourcerer
2007-07-30 20:55 Sourcerer Note Added: 0000881
2007-10-24 05:49 evaldo Status solved? => closed
2008-08-12 15:09 homer Relationship added related to 0000592
2013-01-14 21:39 Werner Dworak Fixed in Version => 2007