Discourse setting Reply-To value in `From` header field when using reply by eMail feature

I’m running hMailServer on my own domain and it’s working perfectly as per the RFCs, and www.mail-tester.com (the official spam test server for Discourse) has verified it as a safe and compliant server, everything including SPF, DKIM and DMARC. No issues here.

Nope, and I’m not the only one who reported it, see my links above. The reason you probably don’t see it from your enterprise customers is because they’re using their own domain for a reply-to address. This bug only affects Discourse when it’s set up to use a reply-to address on a different domain.

If one is to follow the guidelines as outlined in this guide to use gMail as a reply-to inbox: Set up reply by email with POP3 polling, then the emails sent by Discourse are in violation of the RFC standards.

As per the standard:

Only the recipient’s mail server is supposed to add a Return-Path header to the top of the email

In fact even the comment in the code says it’s violating the RFC standard as a “hack” because of the oddity of the way Ruby works:

```ruby
# WARNING: RFC claims you can not set the Return Path header, this is 100% correct
# however Rails has special handling for this header and ends up using this value
# as the Envelope From address so stuff works as expected
```

From the Ruby docs:

When a :return_path is specified as header, that value will be used as the ‘envelope from’ address for the Mail message. Setting this is useful when you want delivery notifications sent to a different address than the one in :from . Mail will actually use the :return_path in preference to the :sender in preference to the :from field for the ‘envelope from’ value.

I mean it’s pretty clear that the code is violating the RFC standard and because of which the From header is being set incorrectly under certain conditions. The From header domain should NEVER be different from the senders domain. That by the very definition is how spammers/phishing servers work.

If Discourse is going to have a reply-to from a different domain, that should NEVER be set in the from address, and as per the Ruby docs and code comments above, that’s what it’s doing.

The issue here is that there’s no sanity check being done while trying to use the Ruby “hack” for the Return-Path:

  • The VERP bounce handling address should be set in the Reply-To header, which is being done correctly and this should be enough
  • If Discourse also wants to set this in the From header, which is acceptable if it’s the same domain, it needs to first verify that the sender’s domain is the same as the reply-to domain. Otherwise the guide published above on how to use GMail as an inbox for Discourse is violating the essence of spam management and no compliant SMTP server will DKIM sign the message.

EDIT: FYI, I have verified this by setting the Reply-To email as one from my own domain, and then the SMTP server DKIM signs the message and even www.mail-tester.com verifies that the message is compliant and not spam. This is because even with the VERP bounce address handling, the From domain matches the sender’s domain and hence it’s a verifiable message with a clean chain of command. So the SMTP configuration is correct. You can also refer to the SMTP server logs showing that Discourse is sending a from address which doesn’t match the sender’s domain; why would a server DKIM sign such a message?

1 Like
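The sanity check the post asks for, as an added example that is not Discourse’s or Rails’ own code: before a reply-to (VERP bounce) address is allowed to become the envelope from / Return-Path, confirm that its domain aligns with the domain of the `From` header, in the same relaxed sense DMARC uses for SPF alignment. The header parser, the two-label organizational-domain rule and the sample header blocks are all assumptions made for this example; it uses only the Ruby standard library.

```ruby
# Added example, not Discourse code: check that a reply-to / Return-Path address
# is on the same organizational domain as the From header before it is used as
# the envelope from. Only the Ruby standard library is used.

# Extract the addr-spec domain from a header value such as
# 'Forum <noreply@example.com>' or 'bounce+token@example.com'.
def address_domain(header_value)
  return nil if header_value.nil?
  addr = header_value[/<([^>]+)>/, 1] || header_value.strip
  return nil unless addr.include?("@")
  addr.split("@").last.downcase
end

# Relaxed alignment: compare the registered part (assumed here to be the last
# two labels), so mail.example.com aligns with example.com. Assumption: a real
# implementation would consult the public suffix list for cases like example.co.uk.
def organizational_domain(domain)
  return nil if domain.nil?
  domain.split(".").last(2).join(".")
end

# Parse a raw RFC 5322 header block into a Hash keyed by lower-cased field name;
# folded continuation lines (leading whitespace) are unfolded onto the previous field.
def parse_headers(raw)
  headers = {}
  last = nil
  raw.each_line do |line|
    line = line.chomp
    if line =~ /\A[ \t]/ && last
      headers[last] += " " + line.strip
    elsif (m = line.match(/\A([!-9;-~]+):[ \t]*(.*)\z/))
      last = m[1].downcase
      headers[last] = m[2]
    end
  end
  headers
end

# Decide whether the Return-Path (falling back to Reply-To) may be used as the
# envelope from for this message. Returns the decision plus both domains so the
# caller can log why a mismatch was refused.
def return_path_alignment(raw_headers)
  h = parse_headers(raw_headers)
  from_dom = organizational_domain(address_domain(h["from"]))
  rp_dom   = organizational_domain(address_domain(h["return-path"] || h["reply-to"]))
  {
    aligned: !from_dom.nil? && from_dom == rp_dom,
    from_domain: from_dom,
    return_path_domain: rp_dom
  }
end

# Constructed sample header blocks (not real messages).
ALIGNED_HEADERS = "From: Forum <noreply@example.com>\r\n" \
                  "Reply-To: bounce+verp-token@mail.example.com\r\n" \
                  "Subject: test\r\n"

MISMATCHED_HEADERS = "From: Forum\r\n" \
                     " <noreply@example.com>\r\n" \
                     "Reply-To: reply+verp-token@gmail.com\r\n" \
                     "Subject: test\r\n"

if __FILE__ == $PROGRAM_NAME
  [ALIGNED_HEADERS, MISMATCHED_HEADERS].each do |raw|
    result = return_path_alignment(raw)
    verdict = result[:aligned] ? "OK: set Return-Path" : "REFUSE: domain mismatch"
    puts "#{verdict} (From=#{result[:from_domain]}, Return-Path=#{result[:return_path_domain]})"
  end
end
```

With the aligned block the check passes and the bounce address may be used as the envelope from; with the Gmail reply-to it is refused, which is the point at which the post argues Discourse should fall back to keeping the reply-to address in `Reply-To` only.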