Ticket #4366 (closed Bug: fixed)

Opened 7 years ago

Last modified 3 years ago

Email "From:" is same as the envelope-sender

Reported by: bitranch
Owned by:
Priority: minor
Milestone: 2.1
Component: Templates/CSS
Version:
Severity:
Keywords:
Cc:

Description

Plone 2.1 with SecureMailHost assumes that an email's envelope-sender is the same as the From: header in the email. This creates problems with bounced email sent via "Send this page" and the contact-info page because the message appears to be a spoof. The incorrectly set envelope-sender can also generate backscatter to innocent parties.

The problem is that the "From:" email ID is entered on the site, yet the mail server used to send the message is almost never the server for that email ID. For email servers implementing SPF (or other spoof detection) this results in the message being bounced as a spoof. The envelope sender should be set to the webmaster or postmaster of the site -- assuming those are valid sending IDs for the MailHost mail server.

Backscatter can be generated by entering another person's email ID in the "From" field and an invalid "To" ID (or possibly an ID that goes to an SPF checking email server). The resulting bounce is directed to the innocent "From" party if the receiving server doesn't reject the message during the transaction. An envelope sender of the site's webmaster/postmaster would at least send the bounces to someone who'd have a clue of where those bounces are originating. Since the site is sending the message on behalf of the (unverified!) "From" ID, setting the envelope-sender to a site admin ID is a sensible precaution at the very least.
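The mechanism the ticket describes, as an added illustration that is not code from the ticket, from Plone or from SecureMailHost: a message is built with the user-entered address in the "From:" header, the SMTP envelope sender (MAIL FROM) is either left equal to that address (the reported behaviour) or set to a site address (the proposed fix), and a toy receiving MTA decides whether to reject during the transaction, deliver, or accept and then mail a bounce. The domain names, IP addresses, the SPF table, the address `webmaster@site.example`, and every function name here are constructed assumptions; the SPF and MTA logic is a deliberately simplified model, not a real implementation of either.

```python
"""Envelope sender vs. "From:" header for mail a site sends on a user's behalf.

Illustrative code for this ticket page; not Plone/SecureMailHost code.
All names, addresses and the SPF/MTA behaviour below are constructed.
"""
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed SPF data: which hosts each domain's SPF record authorises.
SPF_AUTHORISED = {
    "site.example": {"192.0.2.10"},      # the Plone site's MailHost
    "victim.example": {"198.51.100.5"},  # the real mail server of the "From" user
}
SITE_MAILHOST_IP = "192.0.2.10"          # everything the site sends leaves from here
SITE_SENDER = "webmaster@site.example"   # assumed to be a valid sender for the MailHost


def build_message(user_from, recipient, subject, body, envelope_sender=None):
    """Return (envelope_sender, msg) for a message sent on behalf of a user.

    The "From:" header always carries the unverified user-entered address.
    envelope_sender is what goes into SMTP MAIL FROM, i.e. where bounces go.
    With envelope_sender=None the old behaviour (envelope == From) is used.
    """
    _, from_addr = parseaddr(user_from)
    if "@" not in from_addr:
        raise ValueError("not an e-mail address: %r" % (user_from,))
    msg = EmailMessage()
    msg["From"] = user_from
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    return (envelope_sender or from_addr), msg


def spf_pass(envelope_sender, client_ip):
    """Toy SPF check: may client_ip send mail whose MAIL FROM uses this domain?"""
    domain = envelope_sender.rsplit("@", 1)[-1].lower()
    return client_ip in SPF_AUTHORISED.get(domain, set())


def receiving_mta(envelope_sender, msg, client_ip, mailboxes,
                  check_spf=True, reject_at_rcpt=False):
    """Toy receiving MTA.  Returns one of:
       ("rejected", reason)  - refused inside the SMTP transaction, no bounce mail
       ("delivered", rcpt)   - accepted and delivered
       ("bounced", address)  - accepted, then a DSN is mailed to `address`
    reject_at_rcpt models whether unknown recipients are refused at RCPT TO
    (no backscatter) or accepted first and bounced later (backscatter).
    """
    if check_spf and not spf_pass(envelope_sender, client_ip):
        return ("rejected", "SPF fail for MAIL FROM:<%s>" % envelope_sender)
    rcpt = parseaddr(str(msg["To"]))[1]
    if rcpt in mailboxes:
        return ("delivered", rcpt)
    if reject_at_rcpt:
        return ("rejected", "unknown recipient %s" % rcpt)
    # Accepted, then bounced: the DSN goes to the envelope sender, whoever that is.
    return ("bounced", envelope_sender)


def send_feedback(user_from, recipient, mailboxes, fix_envelope,
                  check_spf=True, reject_at_rcpt=False):
    """Simulate one contact-form submission arriving at the recipient's MTA."""
    env, msg = build_message(user_from, recipient, "Feedback", "hello",
                             envelope_sender=SITE_SENDER if fix_envelope else None)
    return receiving_mta(env, msg, SITE_MAILHOST_IP, mailboxes,
                         check_spf=check_spf, reject_at_rcpt=reject_at_rcpt)


if __name__ == "__main__":
    boxes = {"owner@target.example"}
    # Old behaviour at an SPF-checking MX: legitimate feedback is refused as a spoof.
    print(send_feedback("alice@victim.example", "owner@target.example", boxes, False))
    # Old behaviour, no SPF, bad "To": the bounce lands on the innocent "From" user.
    print(send_feedback("alice@victim.example", "nobody@target.example", boxes,
                        False, check_spf=False))
    # Fixed envelope: delivered, and any bounce goes to the site's webmaster.
    print(send_feedback("alice@victim.example", "owner@target.example", boxes, True))
    print(send_feedback("alice@victim.example", "nobody@target.example", boxes, True))
```

The `reject_at_rcpt` switch is there because the ticket's last paragraph hinges on it: an MTA that refuses unknown recipients inside the transaction produces no bounce mail at all, while one that accepts first and bounces afterwards mails a DSN to whatever address was in MAIL FROM, which is exactly the backscatter the fixed envelope sender redirects to the site's own administrators.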

Change History

comment:1 Changed 6 years ago by bitranch

I've fixed this in send_feedback and send_feedback_site. Fixing "send page to" still remains. (Coming as soon as I unravel the twisty-turny path the send-to message takes through the code.)

comment:2 Changed 6 years ago by limi

  • Status changed from new to closed
  • Resolution set to fixed

Last part of the fix now in SVN.

comment:3 Changed 3 years ago by hannosch

  • Component changed from Visual and templates to Templates/CSS