Opened 5 years ago
Closed 3 years ago
#1485128 closed Feature Requests (wontfix)
Add X-Orig-Sender for identifying which userlogin sent a mail
| Reported by: | HammerFall | Owned by: | |
|---|---|---|---|
| Priority: | 5 | Milestone: | later |
| Component: | SMTP connection | Version: | 0.2-alpha |
| Severity: | minor | Keywords: | |
| Cc: | contact@… |
Description
If you are using multiple identities with roundcube, you only see the identity's email address chosen at the sending page in the email header. For debugging purposes and identifying spammy users in your system it would be more useful to have an (optional) header like this
$headers['X-Orig-Sender'] = $_SESSION['username']
in
steps/mail/sendmail.inc
to see which login has been used to send a mail via roundcube.
Change History (7)
comment:1 Changed 5 years ago by thomasb
- Milestone changed from 0.2-stable to later
- Type changed from Bugs to Feature Requests
comment:2 Changed 5 years ago by dan
Webmail like Gmail and Yahoo add an X-Originating-IP: 66.70.73.150 header. Would be a worthwhile addition to Roundcube to trace back where an account hijacks.
comment:3 follow-up: ↓ 4 Changed 5 years ago by dan
Workaround is to enforce SMTP authentication using RC %u and %p and let the SMTP server add the username.
Ignore prev about X-Orig... I see the $_SERVER['HTTP_X_FORWARDED_FOR'] and $_SERVER['REMOTE_ADDR'] added to the received headers which is pretty nice
comment:4 in reply to: ↑ 3 Changed 4 years ago by etilem
- Cc contact@… added
- Severity changed from normal to major
Replying to dan:
Workaround is to enforce SMTP authentication using RC %u and %p and let the SMTP server add the username.
Ignore prev about X-Orig... I see the $_SERVER['HTTP_X_FORWARDED_FOR'] and $_SERVER['REMOTE_ADDR'] added to the received headers which is pretty nice
Sure, but there's no HTTP_X_FORWARDED_FOR header when RC is used on an SSL connection!
IMHO,
RC needs to collect the session's real IP over HTTP before switching to HTTPS
OR
like Gmail, use SSL just for the login process, and switch back to HTTP after access is granted, but I don't like this solution 'cause I would like all my work done on an SSL connection.
comment:5 follow-up: ↓ 6 Changed 4 years ago by thomasb
- Severity changed from major to minor
To identify spam users you can enable smtp_log and see username, IP and recipient listed in logs/sendmail
comment:6 in reply to: ↑ 5 Changed 4 years ago by etilem
Replying to thomasb:
To identify spam users you can enable smtp_log and see username, IP and recipient listed in logs/sendmail
Well, this is still the proxy IP found in logs/sendmail (tested with svn trunk), see this reply on Squid list for more info,
there's no way to set X-Originating-IP or the like while using an SSL connection, I think RC needs to be redesigned on this point, 'cause this feature is misleading :)
comment:7 Changed 3 years ago by thomasb
- Resolution set to wontfix
- Status changed from new to closed
Since not all users/sysadmins want to expose the username in the message headers we'll not add this functionality. You can still achieve this by using the additional_message_headers plugin which is shipped with the Roundcube package.

It's not a bug but a feature request
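
An added example, not Roundcube code and not from any participant in this ticket: one way to produce the X-Orig-Sender value requested in the description while addressing the objection in comment 7, by optionally sending a keyed hash of the login instead of the clear-text username, and by rejecting logins that could inject extra header lines. It goes beyond the ticket in adding the keyed-hash variant; the function names, the key handling and the sample logins are assumptions.

```php
<?php
// Added illustration. Function names, key handling and sample data are
// assumptions; none of this is part of Roundcube.

/**
 * Build the value for an X-Orig-Sender header from the login name.
 *
 * @param string      $username login name, e.g. $_SESSION['username']
 * @param string|null $hmacKey  server-side secret; when set, the header carries
 *                              a keyed hash instead of the clear-text login
 * @return string|null header value, or null when no safe value can be produced
 */
function orig_sender_header_value(string $username, ?string $hmacKey = null): ?string
{
    // A login containing CR, LF or NUL could inject extra header lines: refuse it
    if ($username === '' || preg_match('/[\r\n\0]/', $username)) {
        return null;
    }
    if ($hmacKey !== null) {
        // Pseudonymous token: stable per login, meaningless without the key
        return substr(hash_hmac('sha256', $username, $hmacKey), 0, 32);
    }
    // Clear-text variant: printable ASCII only, capped to fit one header line
    return substr(preg_replace('/[^\x21-\x7e]/', '?', $username), 0, 128);
}

/** Admin side: find which known login produced a token seen in a reported mail. */
function resolve_orig_sender(string $token, array $knownLogins, string $hmacKey): ?string
{
    foreach ($knownLogins as $login) {
        if (hash_equals(orig_sender_header_value($login, $hmacKey) ?? '', $token)) {
            return $login;
        }
    }
    return null;
}

// Constructed sample data
$key    = 'replace-with-a-long-random-secret';
$logins = ['alice', 'bob@example.org'];

$headers = [];
$headers['X-Orig-Sender'] = orig_sender_header_value('bob@example.org', $key);
echo 'X-Orig-Sender: ', $headers['X-Orig-Sender'], "\n";
echo 'resolved to: ', resolve_orig_sender($headers['X-Orig-Sender'], $logins, $key), "\n";

// Constructed header-injection attempt: the function returns null, so no header is set
var_dump(orig_sender_header_value("mallory\r\nX-Injected: 1"));
```

With the key kept on the server, recipients see only an opaque token, while an administrator can map a token from a reported message back to a login.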