Email Bug -- Help needed to validate

ss88us

Hey guys,

I need your help validating what I would call a serious email bug. I'm on the latest version of Enhance. I did report this to Adam in Feb 2023 but for me it's still present after the email overhaul.

TL;DR: Customers can send as any email account (via PHP), and it's received by the recipient as a valid email (just as if the customer sent it via an authenticated SMTP transaction via the email client). "Valid email" = DKIM, SPF, DMARC = Passed

My Setup

Smart Host enabled via Amazon SES
Added domain.com as a valid identity to SES
Latest version of Enhance
Customer 1 account has an email customer1@domain.com and Email is assigned as Server1
Customer 2 has no emails but has assigned Email as Server1

To reproduce

Login to Enhance and impersonate Customer 2
Add a file named email_test.php to public_html with the following content:

<?php

$to = "ANY_EMAIL_I_USED@GMAIL.COM";
$subject = "Password Change";
$txt = "Change your password by visiting here";
$headers = "From: customer1@domain.com";

mail($to, $subject, $txt, $headers);

?>

Make sure the $headers variable is using the same email as Customer 1 (customer1@domain.com)
Execute the script in your browser
Look at the headers of the received email at the recipients email

In the end, I was expecting Gmail is block it, mark it as spam, or whatever, but the fake email is routing through Amazon SES as a legitimate email. I think I was even expecting the Customer 2 to be blocked immediately as they do not have permission to send an email from Customer 1 however, I'm well aware that it should have come from Customer 2's "system email account" instead.

Questions

Does this happen to you?
I see mailbaby integrations a lot; does this happen with mailbaby?
I do not have the facility to test without a smart host; but if anyone is not using a smart host; does this happen to you?

Thanks,
Sully

mendozal

ss88us I have disabled the MTA on the application server so websites can't send emails manually or Wordpress automatically.

For this test I enabled postfix and tested.

Without Smarthost

Email was not delivered

(host gmail-smtp-in.l.google.com[142.251.163.26] said: 550-5.7.26 Your email has been blocked because the sender is unauthenticated. 550-5.7.26 Gmail requires all senders to authenticate with either SPF or DKIM. 550-5.7.26 550-5.7.26 Authentication results: 550-5.7.26 DKIM = did not pass 550-5.7.26 SPF [hostname here] with ip: [IP here] = did not pass

With Smarthost (mailbaby)

Email was delivered.
Spam Status=Clean 0.89

The FROM address was the website's default address though, not the customer 1 forged email address.

ss88us

Thank you @mendozal, that's what I would expect for a 'valid' setup. I will wait to see if anyone else can replicate this or perhaps they're using Amazon SES too.

ss88us

bump

Martin

Hi,

I believe it is also an issue. I added the Email role to an existing server and have the two domains set up.

I sent an email from sender@domain1 using webmail and received as expected.

I created your script but had to add a fifth variable with '-f sender@domain1' because it was sending out as user@server.localdomain and getting rejected by my email servers, this might be a problem at my end though, I don't generally send this way yet.

After I had added the sender variable to your script the email got delivered to my mailbox and I wouldn't know known that it wasn't sent by sender@domain1.

I am using a smarthost, but with the smarthost disabled I can still pretend to be sender@domain1 and the email gets delivered.

There doesn't appear to be any validation of the sender when sending an email.

I hope this helps, I can do further testing if needed.

ss88us

Martin Morning Martin,

Thank you for performing your own testing. It really helps validate there is an issue within the system. I would still like others to test as well.

What smart host provider were you using?

Martin

ss88us the smarthost is a cluster of our own servers, it didn't seem to matter whether I used it or not though.

Not currently using DKIM to test Nickske00 theory, but the DKIM failing to sign if the domain isn't yours sounds like a step in the right direction.

Nickske00

I just tested this with the local email and when another user tries to send an email there is no dkim signature.

I first tested this with another website of myself, and then there is a dkim signature. So probably there is a check the sending user has the domain before signing the email.

So;
Scenario 1
Customer1 (both in their own container, so totally separated from each other, only same customer):

Website 1 a.com
Website 2 b.com

Result: a.com can send emails as b.com and they will be signed with a valid dkim signature

Scenario 2
Customer 1:

Website 1 a.com

Customer 2:

Website 1 b.com

Result: When a.com sends an email as b.com there is no dkim signature.

As I don't use smarthost myself I can't test a setup like that.