We have been struggling with getting our emails to send correctly using Netcore (formerly Pepipost). To summarize, the emails we are generating with their service place the reply-to address in the from address.
When bringing this to their attention, this is the response we get. If anyone can confirm the accuracy of this statement, we would appreciate it.
—————
We’ve conducted multiple rounds of testing, and here are the observations:
Problem Statement
When Discourse establishes an SMTP connection with an external ESP (e.g., Netcore, Mailgun, or others), it sends the reply address (e.g., reply+reply_id@reply.mamapedia.com) in the From field of the email during injection.
This configuration is not controlled by Netcore, as shown in the logs we shared earlier. Notably, Discourse uses this same configuration when connecting to other platforms.
Findings
- Domain Validation by Netcore:
  - Netcore validates whether the From domain is active in your Netcore portal.
- Testing With Non-Existing Domains:
  - We tested sending emails using non-existing domains like messages1.mamapedia.com and messagestest.test.com through Mailgun. These emails were delivered even though the domains were not added to the Mailgun account. The test emails are attached for reference. This can be a serious security issue.
  - In contrast, Netcore includes an added layer of security to prevent fraud. If an inactive domain (not validated in your Netcore account) sends a request, the request is rejected.
This added security helps prevent scenarios where a malicious actor could use your SMTP credentials to send emails from unauthorized domains (e.g., apple.com, [gmail.com](http://gmail.com/) or anything else).
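
One way to check the statement above against a captured message, as an added example that is not part of the original post and is not Discourse or Netcore code: it reports which sender field carries the reply address and whether each field's domain would pass a verified-domain check like the one described. The verified-domain list, the envelope sender, the recipient and the exact-versus-subdomain matching rule are assumptions; the sample message is constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains marked active in the ESP account (hypothetical list).
VERIFIED_DOMAINS = {"mamapedia.com"}

# Constructed sample modelled on the symptom in the post: the reply address
# shows up in From. Replace with a message captured from your own SMTP logs.
REPLY_ADDRESS = "reply+reply_id@reply.mamapedia.com"
ENVELOPE_FROM = "bounce@mamapedia.com"  # constructed MAIL FROM value
RAW_MESSAGE = """\
From: Mamapedia <reply+reply_id@reply.mamapedia.com>
Reply-To: reply+reply_id@reply.mamapedia.com
To: member@example.org
Subject: New reply

Body text.
"""

def sender_fields(raw, envelope_from):
    """Return the bare address found in each sender-related field."""
    msg = message_from_string(raw)
    fields = {"envelope MAIL FROM": envelope_from,
              "header From": msg["From"],
              "header Reply-To": msg["Reply-To"]}
    return {name: parseaddr(value or "")[1].lower()
            for name, value in fields.items()}

def locate(fields, address):
    """List the fields whose address equals the one we are looking for."""
    return [name for name, addr in fields.items() if addr == address.lower()]

def domain_check(fields, verified, allow_subdomains=False):
    """Map each field to True if its domain is in the verified set.

    allow_subdomains is an assumption: the post does not say whether the
    ESP matches exactly or also accepts subdomains of a verified domain.
    """
    result = {}
    for name, addr in fields.items():
        domain = addr.rpartition("@")[2]
        ok = domain in verified or (allow_subdomains and any(
            domain.endswith("." + v) for v in verified))
        result[name] = bool(domain) and ok
    return result

if __name__ == "__main__":
    f = sender_fields(RAW_MESSAGE, ENVELOPE_FROM)
    print(locate(f, REPLY_ADDRESS))
    print(domain_check(f, VERIFIED_DOMAINS))
```
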