View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000436 | Main CAcert Website | GPG/PGP | public | 2007-05-08 09:14 | 2013-01-14 21:39 |
Reporter | homer | Assigned To | Sourcerer | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Platform | Main CAcert Website | OS | N/A | OS Version | stable |
Fixed in Version | 2007 | ||||
Summary | 0000436: Any live SMTP call stage of domain email before domain email checking | ||||
Description | > Is the live SMTP call stage of domain email verification necessary, if > you require a response to the subsequent confirmation email anyway? I > only ask because it threw errors about the temporary failure response > (451) that my mail server gave -- I use greylisting to filter spam. If > you'd just dropped the message into your own outbound mail server's > queue, it would have got to me just the same, but I wouldn't have had to > mess around repeating the probe manually five minutes later. My choice > to greylist, I know, I'm just wondering what utility there is in the > live probe followed by a confirmation email. I am not sure what has been done. I understand it is not very convenient because there is not always a mail server associated to a domain. | ||||
Tags | No tags attached. | ||||
Reviewed by | |||||
Test Instructions | |||||
related to | 0000592 | confirmed | The domain name checking have to be improved to be auditable |
|
After I was asked where I wanted my confirmation email sent to, your script then tried to either VRFY the address or make an SMTP call to the MTA published for that address and begin a session with an appropriate MAIL and RCPT command. It's a sure-fire way to verify that the email address I've told you to send the message to is valid, and in one sense it's entirely correct of your script to expect there to be an MTA willing to take mail where I've told you to send it. But it doesn't play well with greylisting, and it's kind of redundant, given that the very next thing you're going to do is send a message anyway. Perhaps your script could just be a little less rigorous, and maybe just verify that there's an A, AAAA or MX for the domain part of the address? Or maybe it could be lenient and ignore temporary errors and only fail on permanent 500-series errors? |
|
The reason why we do this is the following: The problem we had was that there were a lot of people who entered their email address incorrectly, then obviously didn't receive any email, and then contacted support to research the problem. The problem then was that our support staff had to start intensive investigations to search for the problem, and often finding that greylisting was in place and the users were too nervous, or that the users made mistakes in the email address, or that their mailservers or DNS servers were broken. So we decided to add a second connection, which just verifies the email address, and shows the user all the results of that verification, to save our support-team a lot of research work. One thing we could change there is that we could add a detection for greylisting, and then inform the user that we have detected greylisting on his server, and ask him whether we should continue sending the email through our MTA. If you find a developer to actually implement it, we will apply that change to the system. Best regards, Philipp Gühring |
|
In order to get rid of most problems with greylisting, you should use an empty envelope sender for the validity check. See http://projects.puremagic.com/greylisting/whitepaper.html (third paragraph in the section 'Issues Affecting The Proposed Implementation'). |
2007-07-17 14:20
|
cacert-nomailfrom.patch (490 bytes)
diff -rU3 cacert.orig/includes/general.php cacert/includes/general.php --- cacert.orig/includes/general.php 2007-07-13 19:39:57.000000000 +0200 +++ cacert/includes/general.php 2007-07-17 14:10:33.000000000 +0200 @@ -644,7 +644,7 @@ $line = fgets($fp, 4096); if(substr($line, 0, 3) != "250") continue; - fputs($fp, "MAIL FROM: <returns@cacert.org>\r\n"); + fputs($fp, "MAIL FROM: <>\r\n"); $line = fgets($fp, 4096); if(substr($line, 0, 3) != "250") |
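Review bot: the new `MAIL FROM: <>` line keeps the space after the colon that the old line had; RFC 5321 does not permit a space on either side of that colon, and a strict server may reject the command as a syntax error, which the `!= "250"` check that follows would not accept. Since the line is being changed anyway, suggest `MAIL FROM:<>`. A short comment stating that the null sender is deliberate (to get along with greylisting) would also keep someone from restoring `returns@cacert.org` later.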
|
I have created another patch that outputs different error messages for temporary failures. In particular, it advises the user to try again later. |
2007-07-17 14:21
|
cacert-tmpfail.patch (2,755 bytes)
diff -rU3 cacert.orig/includes/account.php cacert/includes/account.php --- cacert.orig/includes/account.php 2007-07-13 19:39:57.000000000 +0200 +++ cacert/includes/account.php 2007-07-17 14:05:42.000000000 +0200 @@ -57,7 +57,11 @@ if($checkemail != "OK") { showheader(_("My CAcert.org Account!")); - echo "<p>"._("Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid")."</p>\n"; + if (substr($checkemail, 0, 1) == "4") { + echo "<p>"._("The mail server responsible for your domain indicated a temporary failure. This may be due to anti-SPAM measures, such as \"greylisting\". Please try again in a few minutes.")."</p>\n"; + } else { + echo "<p>"._("Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid")."</p>\n"; + } echo "<p>$checkemail</p>\n"; showfooter(); exit; @@ -475,7 +479,11 @@ if($checkemail != "OK") { showheader(_("My CAcert.org Account!")); - echo "<p>"._("Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid")."</p>\n"; + if (substr($checkemail, 0, 1) == "4") { + echo "<p>"._("The mail server responsible for your domain indicated a temporary failure. This may be due to anti-SPAM measures, such as \"greylisting\". Please try again in a few minutes.")."</p>\n"; + } else { + echo "<p>"._("Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid")."</p>\n"; + } echo "<p>$checkemail</p>\n"; showfooter(); exit; diff -rU3 cacert.orig/www/index.php cacert/www/index.php --- cacert.orig/www/index.php 2007-02-23 22:42:21.000000000 +0100 +++ cacert/www/index.php 2007-07-17 13:54:47.000000000 +0200 
@@ -484,7 +484,12 @@ if($checkemail != "OK") { $id = 1; - $_SESSION['_config']['errmsg'] .= _("Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid")."<br>\n$checkemail<br>\n"; + if (substr($checkemail, 0, 1) == "4") { + $_SESSION['_config']['errmsg'] .= _("The mail server responsible for your domain indicated a temporary failure. This may be due to anti-SPAM measures, such as \"greylisting\". Please try again in a few minutes."); + } else { + $_SESSION['_config']['errmsg'] .= _("Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid"); + } + $_SESSION['_config']['errmsg'] .= "<br>\n$checkemail<br>\n"; } } |
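Review bot: `substr($checkemail, 0, 1) == "4"` in all three hunks treats any string that starts with "4" as a temporary failure, so it depends on `$checkemail` always beginning with the SMTP reply code; matching a full three-digit code, for example `preg_match('/^4\d\d/', $checkemail)`, states the intent and fails safe. The same if/else with the same two messages now appears twice in includes/account.php and once in www/index.php; a small helper that returns the message would keep the three copies in step. Separately, `$checkemail` is placed into the page unescaped (`echo "<p>$checkemail</p>\n";` and the `errmsg` concatenation); if it carries text from the remote server's reply, as the check on its first character suggests, it should go through `htmlspecialchars()` before output.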
|
Oh, I didn't notice the patches. Thanks a lot, they are applied now. Please test and close the bug then. |
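The distinction the notes above draw between temporary (4xx) and permanent (5xx) answers to the probe, as an added example that is not part of this issue or of CAcert's code. It parses the complete reply, multi-line form included, rather than testing only its first character; the function names and the sample replies are constructed for illustration.

```php
<?php
// Added example (not CAcert code); function names and replies are constructed.

// Parse one complete SMTP reply, which may span several lines
// ("250-..." continues, "250 ..." ends). Returns the code, or null if malformed.
function smtp_reply_code(array $lines): ?int
{
    $code = null;
    $last = count($lines) - 1;
    foreach (array_values($lines) as $i => $line) {
        if (!preg_match('/^([2-5]\d\d)(?:([ -]).*)?$/', rtrim($line, "\r\n"), $m)) {
            return null;                       // not "NNN", "NNN text" or "NNN-text"
        }
        $sep = $m[2] ?? ' ';                   // a bare "NNN" counts as a final line
        if ($code !== null && (int)$m[1] !== $code) {
            return null;                       // code changed inside one reply
        }
        if (($i < $last) !== ($sep === '-')) {
            return null;                       // '-' on every line except the last
        }
        $code = (int)$m[1];
    }
    return $code;                              // null for an empty reply
}

// Map a reply to the outcome the probe should report to the user.
function classify_probe_reply(array $lines): string
{
    $code = smtp_reply_code($lines);
    if ($code === null) return 'malformed';
    if ($code < 300)    return 'ok';
    if ($code >= 500)   return 'permanent';    // server rejects the address or the mail
    if ($code >= 400)   return 'temporary';    // e.g. greylisting: retry later or just queue
    return 'unexpected';                       // 3xx is not a valid answer to MAIL/RCPT
}

// Constructed replies to RCPT TO from four hypothetical servers.
$samples = [
    'accepted'   => ["250 2.1.5 Ok\r\n"],
    'greylisted' => ["451-4.7.1 Greylisted,\r\n", "451 4.7.1 try again in 5 minutes\r\n"],
    'no mailbox' => ["550 5.1.1 User unknown\r\n"],
    'garbage'    => ["4 servers busy\r\n"],
];
foreach ($samples as $name => $reply) {
    printf("%-10s => %s\n", $name, classify_probe_reply($reply));
}
```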
Date Modified | Username | Field | Change |
---|---|---|---|
2007-05-08 09:14 | homer | New Issue | |
2007-05-08 10:19 | homer | Note Added: 0000842 | |
2007-05-08 10:59 | homer | Note Added: 0000843 | |
2007-06-25 07:16 | evaldo | Status | new => confirmed |
2007-07-17 14:19 | pc | Note Added: 0000879 | |
2007-07-17 14:20 | pc | File Added: cacert-nomailfrom.patch | |
2007-07-17 14:21 | pc | Note Added: 0000880 | |
2007-07-17 14:21 | pc | File Added: cacert-tmpfail.patch | |
2007-07-30 20:55 | Sourcerer | Status | confirmed => solved? |
2007-07-30 20:55 | Sourcerer | Fixed in Version | => production |
2007-07-30 20:55 | Sourcerer | Resolution | open => fixed |
2007-07-30 20:55 | Sourcerer | Assigned To | => Sourcerer |
2007-07-30 20:55 | Sourcerer | Note Added: 0000881 | |
2007-10-24 05:49 | evaldo | Status | solved? => closed |
2008-08-12 15:09 | homer | Relationship added | related to 0000592 |
2013-01-14 21:39 | Werner Dworak | Fixed in Version | => 2007 |