The Community Forums

Interact with an entire community of cPanel & WHM users!
  1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

thread closed by cpanel but no update on status of problem?

Discussion in 'General Discussion' started by cyberspirit, Aug 21, 2004.

  1. cyberspirit

    cyberspirit BANNED

    Joined:
    Jun 27, 2003
    Messages:
    293
    Likes Received:
    0
    Trophy Points:
    0
    This thread was just closed by cpanel:
    "latest cpanel version (9.7.1. C2) adds wrong email header!"
    to "prevent a flame war". It seems the cpanel guys are quick to close a thread but why does nobody from their team respond to the issue at hand??
     
  2. brentp

    brentp Well-Known Member

    Joined:
    Mar 11, 2004
    Messages:
    324
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Ayr, North Queensland, Australia
    Bugzilla

    dont you ever wonder what http://bugzilla.cpanel.net is? WELL GO AND REPORT THE BUG INSTEAD OF BITCHING ABOUT IT HERE!

    Regards,
    Brent
     
  3. haze

    haze Well-Known Member

    Joined:
    Dec 21, 2001
    Messages:
    1,550
    Likes Received:
    3
    Trophy Points:
    38
    .. and change your update prefs to stable please! :)
     
  4. cyberspirit

    cyberspirit BANNED

    Joined:
    Jun 27, 2003
    Messages:
    293
    Likes Received:
    0
    Trophy Points:
    0
    Thaphantom, as you very well know the update was done after I reported it!
    I am also glad you no longer call people "dumbass" in the forum......
    And to the others, nobody bitched. And a bugtraq report was filed right away. But instead I did post a major problem so others could make an informed decision whether to update to the latest "current" version. And it looks like this post was needed as a problem really do exist otherwise it would not have been fixed, right?
    It always helps if people stay on the subject instead of venting other useless stuff that is mostly just targeted at posters personally (like the last 2 posts did).
     
  5. SarcNBit

    SarcNBit Well-Known Member

    Joined:
    Oct 14, 2003
    Messages:
    1,010
    Likes Received:
    3
    Trophy Points:
    38
    Please consider posting the URL or ID# next time around :)
     
  6. cPanelBilly

    cPanelBilly Guest

    cyberspirit,
    If you notice the change was made before your 2nd post. Next time if a post is closed, DO NOT open another one to ask why it was. Per user input another option was put in to turn it off, however it is still in the distributions in order to track spammers.
     
  7. monsterhosting

    monsterhosting Active Member

    Joined:
    Feb 12, 2004
    Messages:
    39
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Vancouver, BC
    I was about to open another post on the same subject because it wasn't really answered. Even here it's not really well explained for the new users out there.
     
  8. cPanelBilly

    cPanelBilly Guest

    There is an option to either have it added or not added. You are more than welcome to take it out, however it will make it so that there is a wide open way for hackers to send email though your server.

    I will not post any code here how they can do it, however it allows any user on your server to forge the from headers. The reason that sender is used is because that is set by the MTA and cannot be overwritten by the user.
     
  9. monsterhosting

    monsterhosting Active Member

    Joined:
    Feb 12, 2004
    Messages:
    39
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Vancouver, BC
  10. cPanelNick

    cPanelNick Administrator
    Staff Member

    Joined:
    Mar 9, 2015
    Messages:
    3,426
    Likes Received:
    2
    Trophy Points:
    38
    cPanel Access Level:
    DataCenter Provider

    The problem is resolved in edge/current. If you wish to have exim set the sender header when the sender is changed by the user/app, you can check it off in the exim configuration editor in whm. Turning on setting the sender: header will make it easier to track spammer at the cost of making outlook display those funky "on behalf of messages"
     
  11. cyberspirit

    cyberspirit BANNED

    Joined:
    Jun 27, 2003
    Messages:
    293
    Likes Received:
    0
    Trophy Points:
    0
    By choosing the new option in WHM to have cpanel/exim set the username/host combination as the value for the sender field, cpanel makes the system noncompliant with RFC 822. I have copied the relevant fields here in case someone is interested.
    As you can see, RFC 822 makes clear that the Sender field "...contains the authenticated identity of the AGENT (person, system or process) that sends the message."
    But if I send an email from test@yahoo.com to my account test@domain.com and it gets a Sender field of testuser@host.domain.com everyone can see that this is against RFC 822.
    To prevent spammers forging from or sender fields it is very easy to use a syntax within exim to make sure these fields are correct without being non-compliant with RFC 822.
    I am open to discuss this offline due to the nature of this issue.

    excerpt from RFC 822


    ...4.4.1. FROM / RESENT-FROM

    This field contains the identity of the person(s) who wished
    this message to be sent. The message-creation process should
    default this field to be a single, authenticated machine
    address, indicating the AGENT (person, system or process)
    entering the message. If this is not done, the "Sender" field
    MUST be present. If the "From" field IS defaulted this way,
    the "Sender" field is optional and is redundant with the
    "From" field. In all cases, addresses in the "From" field
    must be machine-usable (addr-specs) and may not contain named
    lists (groups).

    4.4.2. SENDER / RESENT-SENDER

    This field contains the authenticated identity of the AGENT
    (person, system or process) that sends the message. It is
    intended for use when the sender is not the author of the mes-
    sage, or to indicate who among a group of authors actually
    sent the message. If the contents of the "Sender" field would
    be completely redundant with the "From" field, then the
    "Sender" field need not be present and its use is discouraged
    (though still legal). In particular, the "Sender" field MUST
    be present if it is NOT the same as the "From" Field.

    The Sender mailbox specification includes a word sequence
    which must correspond to a specific agent (i.e., a human user
    or a computer program) rather than a standard address. This
    indicates the expectation that the field will identify the
    single AGENT (person, system, or process) responsible for
    sending the mail and not simply include the name of a mailbox
    from which the mail was sent. For example in the case of a
    shared login name, the name, by itself, would not be adequate.
    The local-part address unit, which refers to this agent, is
    expected to be a computer system term, and not (for example) a
    generalized person reference which can be used outside the
    network text message context.

    August 13, 1982 - 21 - RFC #822

    Standard for ARPA Internet Text Messages

    Since the critical function served by the "Sender" field is
    identification of the agent responsible for sending mail and
    since computer programs cannot be held accountable for their
    behavior, it is strongly recommended that when a computer pro-
    gram generates a message, the HUMAN who is responsible for
    that program be referenced as part of the "Sender" field mail-
    box specification.
    ....

    http://www.faqs.org/rfcs/rfc822.html
     
  12. cPanelBilly

    cPanelBilly Guest

    cyberspirit,
    Actually this is making cpanel use RFC 822. The user that is sending the email is actually not the email user, it is the system user. That is shown as user@host.server.com.
    The headers are then being changed by the program that is running them. The headers are not sent when the email is sent via SMTP, only when it is sent via sendmail (as webmail and other programs do). So the user that actually owns this process is the account user and not the email address that is requesting it be sent, hence why you get the sent on behalf of.
     
  13. cyberspirit

    cyberspirit BANNED

    Joined:
    Jun 27, 2003
    Messages:
    293
    Likes Received:
    0
    Trophy Points:
    0
    CpanelBilly,
    I would agree with you in terms of outgoing emails but if you look carefully in my example, the email was sent by a user on Yahoo.com
    So what cpanel does is actually changing the sender header from the originator to the user of the local system. This should only be done if the message is relayed. But since the email address of the recipient is local and the user account is in this case just the administrative owner of this address it is incorrect to change the sender address to user@host.domain.com for incoming messages.
    Outlook's behaviour is correct as it shows "on behalf of" only if envelope from and sender headers differ. And this is mostly only the case with mailing lists and relayed emails.
    So to come back to your writing, you are correct in terms of outgoing emails but you are incorrect in terms of incoming messages. In fact cpanel is spoofing the headers by injecting a false Sender field misrepresenting the email to originate from a local account whereas it actually comes from yahoo.com!
     
  14. cPanelBilly

    cPanelBilly Guest

    so you are saying that you sent an email from a yahoo account to an account on your server that was then forwarded to another account and it showed the on behalf of?
    If so this is not the intention of what is happening, it should only happen as I stated before.
     
  15. cyberspirit

    cyberspirit BANNED

    Joined:
    Jun 27, 2003
    Messages:
    293
    Likes Received:
    0
    Trophy Points:
    0
    CpanelBilly,
    Here is what happened and what should not happen:

    Lets assume a couple of conditions first.
    I have an email account at yahoo.com, lets say it is testuser@yahoo.com
    And I have a cpanel account on a server, lets name it zeus.cpanel.net
    My username on this server is acme so my account is then acme@zeus.cpanel.net
    The domain I use on this account is acme.com
    I have set up an email account on zeus under my username acme that is billy@acme.com

    Now I am sending an email from testuser@yahoo.com to billy@acme.com
    cpanel/exim will then change the header and inject a Sender header with the value of acme@zeus.cpanel.net
    This would mean that the email that originated from testuser@yahoo.com and carries the From header of testuser@yahoo.com is spoofed by cpanel on arrival by getting a Sender header of acme@zeus.cpanel.net
    This actually would mean that acme@zeus.cpanel.net did relay the message to billy@acme.com which is incorrect since acme@zeus.cpanel.net is only the owner of the account billy@acme.com
    This renders the email spoofed by cpanels action.
    Can you follow my thought here Billy? For incoming emails that clearly come from a well defined destination and are for a local account there should be no injection or rewriting of the Sender header. Now, with outgoing messages that is a different story even though RFC says that the Sender header is not needed if the message has a clear and human origination. In any case, having From and Sender headers show different values means the message was relayed which is not the case in a clear user-to-user email.
    Hope this makes it more clear?
     
  16. cyberspirit

    cyberspirit BANNED

    Joined:
    Jun 27, 2003
    Messages:
    293
    Likes Received:
    0
    Trophy Points:
    0
    cpanelbilly, any update or news on this? I also have not seen a reply to the bug report I sent in. The fix seems to be to only add Sender headers for outgoing emails and leave incoming ones untouched.
     
  17. masood

    masood Well-Known Member

    Joined:
    Jun 14, 2002
    Messages:
    78
    Likes Received:
    0
    Trophy Points:
    6
    any update on this? on behalf of is pretty annoying...
     
  18. livewebcs

    livewebcs Member

    Joined:
    Jun 11, 2004
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    1
    So will disabling the exim check box solve the problem until they fix it?

    So can I confirm with everyone who has done it, will disabling the exim check box solve the problem until they fix it? I too have had major user problems from users with Outlook. Some of their users are so confused that they email the wrong people back, some can't use their spam settings anymore. Eudora doesn't seem to be affected in any way btw at least for now.

    PS...I do think closing the old ticket was a bit pre-mature. This is a "OPEN PROBLEM". People are upset because this is not a minor situation. Email flow is major to businesses. I could understand if we're talking about something minor or something that can wait, but this simply can't wait.

    FLAMING and getting upset are two different things. Do not shut down a post with important knowledge just because one-two people are off the handle. Just delete those posts. This is critical info.

    thanks, Will :eek:
     
  19. positive

    positive Member

    Joined:
    Mar 29, 2003
    Messages:
    15
    Likes Received:
    0
    Trophy Points:
    1
    any update on this?
     
  20. atnetsolutions

    atnetsolutions Registered

    Joined:
    Oct 26, 2004
    Messages:
    1
    Likes Received:
    0
    Trophy Points:
    1
    I just tried the checkbox and it didnt work...I hope they fix it soon!!!
     
Loading...

Share This Page