Opened 5 years ago

Closed 3 years ago

#1485128 closed Feature Requests (wontfix)

Add X-Orig-Sender for identifying which userlogin sent a mail

Reported by: HammerFall
Owned by:
Priority: 5
Milestone: later
Component: SMTP connection
Version: 0.2-alpha
Severity: minor
Keywords:
Cc: contact@…

Description

If you are using multiple identities with Roundcube, you only see the identity's email address chosen at the sending page in the email header. For debugging purposes and identifying spammy users in your system it would be more useful to have an (optional) header like this

$headers['X-Orig-Sender'] = $_SESSION['username']

in

steps/mail/sendmail.inc

to see which login has been used to send a mail via Roundcube.

Change History (7)

comment:1 Changed 5 years ago by thomasb

  • Milestone changed from 0.2-stable to later
  • Type changed from Bugs to Feature Requests

It's not a bug but a feature request

comment:2 Changed 5 years ago by dan

Webmail like Gmail and Yahoo add an X-Originating-IP: 66.70.73.150 header. Would be a worthwhile addition to Roundcube to trace back where an account hijacks.

comment:3 follow-up: Changed 5 years ago by dan

Workaround is to enforce an SMTP authentication using RC %u and %p and let the SMTP server add the username.

Ignore prev about X-Orig... I see the $_SERVER['HTTP_X_FORWARDED_FOR'] and $_SERVER['REMOTE_ADDR'] added to the received headers which is pretty nice

comment:4 in reply to: ↑ 3 Changed 4 years ago by etilem

  • Cc contact@… added
  • Severity changed from normal to major

Replying to dan:

Workaround is to enforce an SMTP authentication using RC %u and %p and let the SMTP server add the username.

Ignore prev about X-Orig... I see the $_SERVER['HTTP_X_FORWARDED_FOR'] and $_SERVER['REMOTE_ADDR'] added to the received headers which is pretty nice

Sure, but there's no HTTP_X_FORWARDED_FOR header when RC is used on an SSL connection!

IMHO,

RC needs to collect the session's real IP over HTTP before switching to HTTPS

OR

like Gmail, use SSL just for the login process, and switch back to HTTP after access is granted, but I don't like this solution 'cause I would like all my work done on an SSL connection.

comment:5 follow-up: Changed 4 years ago by thomasb

  • Severity changed from major to minor

To identify spam users you can enable smtp_log and see username, IP and recipient listed in logs/sendmail

comment:6 in reply to: ↑ 5 Changed 4 years ago by etilem

Replying to thomasb:

To identify spam users you can enable smtp_log and see username, IP and recipient listed in logs/sendmail

Well, this is still the proxy IP found in logs/sendmail (tested with svn trunk), see this reply on Squid list for more info,

there's no way to set X-Originating-IP or the like while using an SSL connection, I think RC needs to be redesigned on this point, 'cause this feature is misleading :)

comment:7 Changed 3 years ago by thomasb

  • Resolution set to wontfix
  • Status changed from new to closed

Since not all users/sysadmins want to expose the username in the message headers we'll not add this functionality. You can still achieve this by using the additional_message_headers plugin which is shipped with the Roundcube package.
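The smtp_log suggestion from comment 5, worked through as an added example (not part of the ticket and not Roundcube code): a small parser that groups logs/sendmail entries by login and flags logins that reach an unusually large number of distinct recipients. The line layout, the sample entries, the function names and the threshold are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines. The layout is an assumption about logs/sendmail;
# adjust LINE_RE to match what your installation actually writes.
SAMPLE_LOG = """\
[12-Mar-2010 09:14:02 +0100]: User alice [192.0.2.10]; Message for bob@example.org; 250: OK
[12-Mar-2010 09:15:40 +0100]: User mallory [198.51.100.7]; Message for a@example.net, b@example.net, c@example.net; 250: OK
[12-Mar-2010 09:15:41 +0100]: User mallory [198.51.100.7]; Message for d@example.net, e@example.net, f@example.net; 250: OK
[12-Mar-2010 09:15:43 +0100]: User mallory [203.0.113.5]; Message for g@example.net, A@example.net; 250: OK
this line does not match the assumed layout and is skipped
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]:\s+User (?P<user>\S+) \[(?P<ip>[^\]]+)\];\s+"
    r"Message for (?P<rcpts>[^;]*);"
)

def summarize(log_text):
    """Aggregate message count, distinct recipients and source IPs per login."""
    stats = defaultdict(lambda: {"messages": 0, "recipients": set(), "ips": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        entry = stats[m["user"]]
        entry["messages"] += 1
        # Behind a proxy this is the proxy's address (see comment 6), so it is
        # recorded for context but not used as the grouping key.
        entry["ips"].add(m["ip"])
        entry["recipients"].update(
            r.strip().lower() for r in m["rcpts"].split(",") if r.strip()
        )
    return dict(stats)

def flag_senders(stats, max_recipients=5):
    """Return (login, distinct recipient count) above the threshold, worst first."""
    hits = [(u, len(s["recipients"])) for u, s in stats.items()
            if len(s["recipients"]) > max_recipients]
    return sorted(hits, key=lambda h: h[1], reverse=True)

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for login, count in flag_senders(summary):
        ips = ", ".join(sorted(summary[login]["ips"]))
        print(f"{login}: {count} distinct recipients, seen from {ips}")
```

Grouping by login rather than by address keeps the report usable when every request arrives from the same proxy IP.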
