View Issue Details

ID: 0000436
Project: Main CAcert Website
Category: GPG/PGP
View Status: public
Last Update: 2013-01-14 21:39
Reporter: homer
Assigned To: Sourcerer
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform: Main CAcert Website
OS: N/A
OS Version: stable
Fixed in Version: 2007
Summary: 0000436: Any live SMTP call stage of domain email before domain email checking
Description:
> Is the live SMTP call stage of domain email verification necessary, if
> you require a response to the subsequent confirmation email anyway? I
> only ask because it threw errors about the temporary failure response
> (451) that my mail server gave -- I use greylisting to filter spam. If
> you'd just dropped the message into your own outbound mail server's
> queue, it would have got to me just the same, but I wouldn't have had to
> mess around repeating the probe manually five minutes later. My choice
> to greylist, I know, I'm just wondering what utility there is in the
> live probe followed by a confirmation email.

I am not sure what has been done. I understand it is not very convenient because there is not always a mail server associated with a domain.
Tags: No tags attached.

Relationships

related to 0000592 confirmed The domain name checking have to be improved to be auditable 

Activities

homer

2007-05-08 10:19

reporter   ~0000842

After I was asked where I wanted my confirmation email sent to, your script then tried to either VRFY the address or make an SMTP call to the MTA published for that address and begin a session with an appropriate MAIL and RCPT command. It's a sure-fire way to verify that the email address I've told you to send the message to is valid, and in one sense it's entirely correct of your script to expect there to be an MTA willing to take mail where I've told you to send it. But it doesn't play well with greylisting, and it's kind of redundant, given that the very next thing you're going to do is send a message anyway. Perhaps your script could just be a little less rigorous, and maybe just verify that there's an A, AAAA or MX for the domain part of the address? Or maybe it could be lenient and ignore temporary errors and only fail on permanent 500-series errors?
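
The lenient behaviour suggested in this note (tolerate temporary replies, fail only on permanent 500-series ones) requires the probe to read whole SMTP replies and sort them by code class. The following is an added example, not CAcert's code and not part of the original note; the function names and the replayed server replies are constructed for illustration.

```php
<?php
// Added example, not CAcert code; function names are hypothetical.

// Read one SMTP reply. A reply may span several lines ("250-a", "250 b");
// only a line with a space (or nothing) after the code ends it.
// Returns [code, text], or [0, ''] on EOF or a malformed line.
function smtp_read_reply($fp): array
{
    $text = [];
    while (($line = fgets($fp, 4096)) !== false) {
        $line = rtrim($line, "\r\n");
        if (!preg_match('/^([2-5]\d\d)(?:([ -])(.*))?$/', $line, $m)) {
            return [0, ''];
        }
        $text[] = $m[3] ?? '';
        if (($m[2] ?? ' ') === ' ') {
            return [(int)$m[1], implode("\n", $text)];
        }
    }
    return [0, ''];
}

// Sort a reply code into the classes the probe should act on.
function smtp_classify(int $code): string
{
    switch (intdiv($code, 100)) {
        case 2:
        case 3:  return 'ok';
        case 4:  return 'temporary';  // e.g. 451 from a greylisting server
        case 5:  return 'permanent';  // address or domain really rejected
        default: return 'invalid';    // no parseable reply
    }
}

// Constructed server side of a probe session, replayed from memory.
$fp = fopen('php://memory', 'r+');
fwrite($fp, "220 mx.example.org ESMTP\r\n"
          . "250-mx.example.org\r\n250-PIPELINING\r\n250 8BITMIME\r\n"
          . "250 2.1.0 Ok\r\n"
          . "451 4.7.1 Greylisted, please try again later\r\n");
rewind($fp);
foreach (['greeting', 'EHLO', 'MAIL FROM', 'RCPT TO'] as $step) {
    [$code, $text] = smtp_read_reply($fp);
    // Reply text comes from the remote server: escape it before display.
    printf("%-10s %d %-9s %s\n", $step, $code, smtp_classify($code),
           htmlspecialchars(str_replace("\n", ' | ', $text)));
}
fclose($fp);
```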

homer

2007-05-08 10:59

reporter   ~0000843

The reason why we do this is the following:
The problem we had was that there were a lot of people who
entered their email address incorrectly, then obviously didn't receive any
email, and then contacted support to research the problem. The problem then
was that our support staff had to start intensive investigations to search
for the problem, and often finding that greylisting was in place and the
users were too nervous, or that the users made mistakes in the email address,
or that their mailservers or DNS servers were broken.
So we decided to add a second connection, which just verifies the email
address, and shows the user all the results of that verification, to save our
support-team a lot of research work.

One thing we could change there is that we could add a detection for
greylisting, and then inform the user that we have detected greylisting on
his server, and ask him whether we should continue sending the email through
our MTA. If you find a developer to actually implement it, we will apply that
change to the system.

Best regards,
Philipp Gühring

pc

2007-07-17 14:19

reporter   ~0000879

In order to get rid of most problems with greylisting, you should use an empty envelope sender for the validity check. See http://projects.puremagic.com/greylisting/whitepaper.html (third paragraph in the section 'Issues Affecting The Proposed Implementation').

2007-07-17 14:20

 

cacert-nomailfrom.patch (490 bytes)   
diff -rU3 cacert.orig/includes/general.php cacert/includes/general.php
--- cacert.orig/includes/general.php	2007-07-13 19:39:57.000000000 +0200
+++ cacert/includes/general.php	2007-07-17 14:10:33.000000000 +0200
@@ -644,7 +644,7 @@
 						$line = fgets($fp, 4096);
 					if(substr($line, 0, 3) != "250")
 						continue;
-					fputs($fp, "MAIL FROM: <returns@cacert.org>\r\n");
+					fputs($fp, "MAIL FROM: <>\r\n");
 					$line = fgets($fp, 4096);
 
 					if(substr($line, 0, 3) != "250")
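
Review bot: The new `MAIL FROM: <>` line keeps the space between the colon and the reverse-path. RFC 5321 does not permit a space on either side of that colon, so a strict MTA may answer with a syntax error and the `!= "250"` check that follows will not see a 250. Suggest `MAIL FROM:<>`. A one-line comment saying that the empty envelope sender is deliberate (to get past greylisting, per the whitepaper linked in the note) would also keep a later editor from restoring an address here.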

pc

2007-07-17 14:21

reporter   ~0000880

I have created another patch that outputs different error messages for temporary failures. In particular, it advises the user to try again later.

2007-07-17 14:21

 

cacert-tmpfail.patch (2,755 bytes)   
diff -rU3 cacert.orig/includes/account.php cacert/includes/account.php
--- cacert.orig/includes/account.php	2007-07-13 19:39:57.000000000 +0200
+++ cacert/includes/account.php	2007-07-17 14:05:42.000000000 +0200
@@ -57,7 +57,11 @@
 		if($checkemail != "OK")
 		{
 			showheader(_("My CAcert.org Account!"));
-			echo "<p>"._("Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid")."</p>\n";
+			if (substr($checkemail, 0, 1) == "4") {
+				echo "<p>"._("The mail server responsible for your domain indicated a temporary failure. This may be due to anti-SPAM measures, such as \"greylisting\". Please try again in a few minutes.")."</p>\n";
+			} else {
+				echo "<p>"._("Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid")."</p>\n";
+			}
 			echo "<p>$checkemail</p>\n";
 			showfooter();
 			exit;
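
Review bot: The test `substr($checkemail, 0, 1) == "4"` treats any value of `$checkemail` that happens to begin with the character 4 as a temporary SMTP failure, and it only works if `$checkemail` always starts with the server's reply code, which this hunk does not show. Matching a full three-digit 4xx code followed by a space or hyphen would be more robust, or the check function could return the reply class separately from the display text.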
@@ -475,7 +479,11 @@
 		if($checkemail != "OK")
 		{
 			showheader(_("My CAcert.org Account!"));
-			echo "<p>"._("Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid")."</p>\n";
+			if (substr($checkemail, 0, 1) == "4") {
+				echo "<p>"._("The mail server responsible for your domain indicated a temporary failure. This may be due to anti-SPAM measures, such as \"greylisting\". Please try again in a few minutes.")."</p>\n";
+			} else {
+				echo "<p>"._("Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid")."</p>\n";
+			}
 			echo "<p>$checkemail</p>\n";
 			showfooter();
 			exit;
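
Review bot: These five added lines are an exact copy of the block added at line 57 of the same file, and a third variant follows in www/index.php. Moving the temporary/permanent message selection into one helper that takes `$checkemail` and returns the translated text would keep the wording and the 4xx test from drifting apart across the three call sites.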
diff -rU3 cacert.orig/www/index.php cacert/www/index.php
--- cacert.orig/www/index.php	2007-02-23 22:42:21.000000000 +0100
+++ cacert/www/index.php	2007-07-17 13:54:47.000000000 +0200
@@ -484,7 +484,12 @@
 			if($checkemail != "OK")
 			{
 				$id = 1;
-				$_SESSION['_config']['errmsg'] .= _("Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid")."<br>\n$checkemail<br>\n";
+				if (substr($checkemail, 0, 1) == "4") {
+					$_SESSION['_config']['errmsg'] .= _("The mail server responsible for your domain indicated a temporary failure. This may be due to anti-SPAM measures, such as \"greylisting\". Please try again in a few minutes.");
+				} else {
+					$_SESSION['_config']['errmsg'] .= _("Email Address given was invalid, or a test connection couldn't be made to your server, or the server rejected the email address as invalid");
+				}
+				$_SESSION['_config']['errmsg'] .= "<br>\n$checkemail<br>\n";
 			}
 		}
 
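
Review bot: `$checkemail` is appended to `$_SESSION['_config']['errmsg']` between `<br>` tags without escaping, and the account.php hunks likewise echo it inside `<p>` tags. Since the new code inspects its first character for an SMTP reply class, the value appears to carry text from the remote mail server, which the owner of the probed domain controls. Suggest passing it through `htmlspecialchars()` before it is added to the HTML output.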

Sourcerer

2007-07-30 20:55

administrator   ~0000881

Oh, I didn't notice the patches. Thanks a lot, they are applied now. Please test and close the bug then.

Issue History

Date Modified Username Field Change
2007-05-08 09:14 homer New Issue
2007-05-08 10:19 homer Note Added: 0000842
2007-05-08 10:59 homer Note Added: 0000843
2007-06-25 07:16 evaldo Status new => confirmed
2007-07-17 14:19 pc Note Added: 0000879
2007-07-17 14:20 pc File Added: cacert-nomailfrom.patch
2007-07-17 14:21 pc Note Added: 0000880
2007-07-17 14:21 pc File Added: cacert-tmpfail.patch
2007-07-30 20:55 Sourcerer Status confirmed => solved?
2007-07-30 20:55 Sourcerer Fixed in Version => production
2007-07-30 20:55 Sourcerer Resolution open => fixed
2007-07-30 20:55 Sourcerer Assigned To => Sourcerer
2007-07-30 20:55 Sourcerer Note Added: 0000881
2007-10-24 05:49 evaldo Status solved? => closed
2008-08-12 15:09 homer Relationship added related to 0000592
2013-01-14 21:39 Werner Dworak Fixed in Version => 2007