Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Refactoring email sending #6196

Open
pierreozoux opened this issue Feb 28, 2017 · 5 comments
Open

Refactoring email sending #6196

pierreozoux opened this issue Feb 28, 2017 · 5 comments
Assignees
@rodrigok @sampaiodiego
Labels
feat: email stat: triaged Issue reviewed and properly tagged type: improvement
Milestone
Short-term

Comments

@pierreozoux
Copy link
Contributor

I investigated a bit for #6192 and #6195 and the way Rocket.Chat is sending email is... I'd say a bit messy, let me detail

  • various methods are used in the wild: ( Mailer.sendMail, Email.send, Accounts.sendResetPasswordEmail )
  • these methods are used sometimes differently

And here I can see a potential security issue:

Rocket.Chat/packages/rocketchat-mailer/client/views/mailer.coffee

Line 9 in 07efe5a

from = $(t.find('[name=from]')).val()

Looks like you let the user define the from field.
Which means, as an email provider, my reputation can get lowered by a spammer using my rocket.chat instance.

IMHO, we need to refactor these, to make it easier to understand what is going on.

I guess we need:

  • make all emails going though: Mailer.sendMail
  • make sure this method is working well
  • make sure this method is reading everything from MAIL_URL
  • Maybe add a FROM_EMAIL env var that this method would understand, this would allow unattended rocket.chat full configuration
  • make accounts emails, also use this method, this way, they would get styled also (footer - header)
  • log things to allow to run in debug mode to understand better what is going on

What is the normal way to proceed? Should we open an issue for each item? What is your general opinion on that matter?
@graywolf336
Copy link
Contributor

@engelgabriel @rodrigok

@rasos rasos mentioned this issue Mar 2, 2017
Closed
@pkgodara pkgodara mentioned this issue Mar 21, 2017
Closed
@marceloschmidt
Copy link
Member

The Mailer.sendMail function is supposed to be used only by admins through the administration panel. I don't think having the From field there is a problem, unless you don't trust your administrators.

image

@RocketChat/core thoughts?

@pierreozoux
Copy link
Contributor Author

@marceloschmidt yes sorry about the security issue, you are right, it is not.

I was confused at first because, I'm a meteor user, and I expect MAIL_URL to work. But as explained in #6192 and the documentation, SMTP settings need also to be specified for a proper working Rocket.Chat instance.

I still think that sending emails should be refactored for 2 reasons:

  • clarity of the code, one function to perform always the same action: send a mail to the user
  • email styling with footer and header defined by the admin (currently meteor-account emails are not styled)

@engelgabriel engelgabriel added this to the 0.55.0 milestone Mar 27, 2017
@pierreozoux pierreozoux mentioned this issue Apr 1, 2017
Closed
@engelgabriel engelgabriel modified the milestones: 0.55.0, 0.56.0 Apr 13, 2017
@engelgabriel engelgabriel modified the milestones: 0.56.0, 0.57.0 May 9, 2017
@engelgabriel engelgabriel modified the milestones: 0.57.0, 0.58.0 Jun 19, 2017
@rodrigok rodrigok modified the milestones: 0.58.0, 0.59.0 Aug 1, 2017
@engelgabriel engelgabriel modified the milestones: 0.59.0, 0.60.0 Aug 25, 2017
@engelgabriel engelgabriel removed this from the 0.59.0 milestone Aug 25, 2017
@rodrigok rodrigok modified the milestones: 0.60.0, 0.61.0 Dec 21, 2017
@rodrigok rodrigok modified the milestones: 0.61.0, 0.61.1 Jan 22, 2018
@rodrigok rodrigok modified the milestones: 0.61.1, Short-term Feb 13, 2018
@marceloschmidt
Copy link
Member

I believe the problem of using multiple methods has been fixed. @ggazzo can you please confirm and if so close the issue?

@geekgonecrazy
Copy link
Contributor

@ggazzo you are last mentioned, do you know if we can close this?

@tassoevan tassoevan added stat: triaged Issue reviewed and properly tagged and removed Triaged labels Oct 27, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rodrigok rodrigok

@sampaiodiego sampaiodiego

Labels
feat: email stat: triaged Issue reviewed and properly tagged type: improvement
Projects
None yet
Milestone
Short-term
Development

No branches or pull requests
9 participants
@geekgonecrazy @rodrigok @graywolf336 @engelgabriel @pierreozoux @marceloschmidt @tassoevan @sampaiodiego @MartinSchoeler