How to use msmtp with DKIM to send as other organisation - php

I have an off-the-shelf PHP app that uses msmtp to do its mail sending. Some of my users are part of another external_organisation, and they need to send email from my PHP app as their external_organisation.com email address. And some need to send as mycompany.com.
For the most part this has been working all ok, until now...
external_organisation has recently set up DKIM, and has told me I need to give them a key and sign emails being sent as them or they will stop working soon. I have searched ALL of the internet three times, but I can't work out how to make this happen.
Can I please get some pointers?
I assume I need to configure msmtp, and not PHPMailer? I really am not sure about this.

This question would be better suited to ServerFault as it's a server config question, not a programming question.
It's definitely better and faster to configure your mail server to do the signing rather than PHPMailer, but you need some way of specifying the selector to sign with (assuming you want to use more than one). Most mail servers that support DKIM allow you to do this via a specially-named header, but you'll need to refer to their docs on it.
The simplest way to configure things is to sign with your own private key and get the external org to put your public key in their DNS in a TXT record under your selector, for example in yourservice._domainkey.external-org.example.com
Alternatively, they can set up a CNAME for your service in their DNS, and you then have control over the public key in your DNS. Something like external-org.yourservice.example.com.
Either way, wherever the signing happens needs access to the private key, and the domain and selector need to point at a public key in DNS.
Minor tip: saying things like "I have searched ALL of the internet three times" is unlikely to make a good impression. There are a zillion articles on how to use DKIM and they will all say basically the same thing, because it is the same thing.
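Added example (not part of the original answer, and not msmtp or PHPMailer code): a small Python check that reads a message's DKIM-Signature header and reports which DNS name a receiver will query for the public key, and whether the signing domain (d=) is the From domain. The sample message, the selector "yourservice" and the placeholder bh=/b= values are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: sent as external-org.example.com, signed with the
# sending service's own selector "yourservice" (all values are placeholders).
SAMPLE = (
    "From: Alice <alice@external-org.example.com>\n"
    "To: bob@example.net\n"
    "Subject: test\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;\n"
    " d=external-org.example.com; s=yourservice;\n"
    " h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    "\n"
    "body\n"
)

def parse_tags(value):
    """Split a DKIM tag list ("k=v; k=v") into a dict, dropping folding whitespace."""
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def signature_report(raw_message):
    """Per DKIM-Signature: the DNS name a verifier queries and how d= relates to From."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    report = []
    for header in msg.get_all("DKIM-Signature", []):
        tags = parse_tags(header)
        domain, selector = tags.get("d", "").lower(), tags.get("s", "")
        report.append({
            "dns_name": f"{selector}._domainkey.{domain}",
            "signed_as_from_domain": domain == from_domain,
            "from_header_signed": "from" in tags.get("h", "").lower().split(":"),
        })
    return report

def key_record_usable(txt_value):
    """A key record needs a non-empty p= tag; an empty p= means the key was revoked."""
    tags = parse_tags(txt_value)
    return tags.get("v", "DKIM1") == "DKIM1" and bool(tags.get("p"))

if __name__ == "__main__":
    for row in signature_report(SAMPLE):
        print(row)
```

If signed_as_from_domain is false, the message is signed as your own domain rather than as the external organisation, which is the case they have asked you to fix.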

Related

How to track an ID on an email when the user replies?

I'm using Laravel 5.5. In my app, users can write something and send it through email to someone. The thing they wrote gets recorded as a "message" in my DB. I need to, somehow, send the ID of this message in the e-mail, so when the receiver replies through e-mail, I know which message he's replying to.
What's the easiest way to do this? I know there are APIS, but I need to implement a custom solution.
Thanks for any light on this.
Use extended addressing on your mail server - replies+specialcode@example.com ... although a lot of bad "email validation" methods think it isn't valid, so I changed the extension character to a hyphen instead of the + on my postfix setup.
All mail is delivered to replies@example.com but the to: and other headers keep the specialcode part which you can then use to route into a ticketing system, etc.
This feature is supported by Postfix (recipient_delimiter in main.cf), QMail, and several other SMTP servers. Note that you need the support for this on the incoming-to-you SMTP side, nowhere else, especially if you use a character that isn't typically declared as "wrong" by various filters. May be worth splitting off a subdomain so you can easily set up separate MX servers, etc. since I'm sure you don't want your regular corporate mail running through the same filters and processing (at least, I would...)

How can I make sure that I don't send any email to customers from testing site in php

I have to make the copy of my existing site for testing purposes at home. I have got the permission from the company.
But in the database I have more than 10,000 customer records with email.
I don't want to accidentally send any emails to them while I make some mess with the site during various tests.
What's the best way to avoid that?
I do need the email functionality for testing other stuff
The most idiot-proof method you can use is often the best for these things as we all have those days where anything that can go wrong will. It's best to be careful, even borderline paranoid, when a mistake could really ruin your day.
Here's a few methods that might work:
Impotent Configuration by Default
The absolutely safest system is to keep the SMTP server configuration for the production server on the production server and only on the production server. Your development copy would have some other SMTP configuration, like to a testing GMail SMTP account. Usually GMail limits you to 500 emails per day on ordinary accounts so you'll quickly hit this limit if you really screw things up somehow.
Replace Customer Emails in Database
Another thing to consider is scrubbing all of the customer emails in your database, removing them and replacing them with mytestaccount+0000@gmail.com and mytestaccount0001@gmail.com if you care to actually receive and inspect them, taking advantage of the fact that the + and subsequent content is ignored for delivery to GMail, effectively giving you unlimited potential email addresses.
As an example:
UPDATE customers SET email=CONCAT('mytestaccount+', customers.id, '@gmail.com');
You'll have to customize this to be whatever email address you want. One advantage to doing this is that you won't have a valuable list of customer email addresses sitting on your development drive and any associated back-ups of it. To be thorough you should probably scramble the hashed passwords as well just so the database is basically worthless to potential hackers. Too many times passwords get scraped from backups that aren't secured properly.
Render Customer Emails Undeliverable
The next best approach is to add ".test" to the end of every email in the system you don't want to send so that it will hard bounce instead of going to someone's inbox.
This is basically a one-liner:
UPDATE customers SET email=CONCAT(email, '.test');
Over-Ride Email at Delivery Time
You can always include some conditional logic like where you will deliberately substitute the recipient of the email message. This can be risky because there's a chance that you might disable that switch by accident, though, so as always, be careful.
In practice this looks something like:
if ($i_should_not_spam_customer_accounts_accidentally)
{
    // Replace the real recipient with a harmless address
    $mail->to = "nobody@nowhere";
}
Use an API Driven Service
Some Mail Service Providers have an API that can help you when testing email messages. I'm a co-founder at PostageApp and the service was designed so you can send messages using an API key that's specifically configured to receive but not deliver emails. Other services like MailGun can be used in a similar fashion.
No Single Point of Failure
It isn't a good feeling being one logical test away from tragedy, though. You should make sure there's several things that have to go wrong before you have a fiasco.
If you don't want to change your code or the data in the database, and if you are using postfix on your local machine, you can rewrite all the outgoing mail to your address. More info: http://www.postfix.org/ADDRESS_REWRITING_README.html
Change all the email addresses, for example email@domain.com to email#domain.com. After the test completes you can replace # with @.

Confusion about mail in CakePHP

I'm confused about how mail works in PHP and CakePHP.
1.) What is the difference between sending an email either using the PHP mail function / CakePHP email helper or SMTP as shown here: http://book.cakephp.org/1.3/en/view/1290/Sending-A-Message-Using-SMTP as the outcome looks the same?
2.) To specify who the email is coming from, you pass in the email in the header, but you can put whatever you want, so what is stopping you from just putting in anything? like yourbank.com? mail('you@gmail.com', "Subject", "Message", "From: <dave@yourbank.com>"); I just tried it and it worked fine and I couldn't find any way in Gmail to see if it didn't come from dave at yourbank.com...
Hopefully I can get some light on these two questions. Thanks.
1). CakePHP has a bunch of helpers & functionality implemented to make life easier when developing applications. As you've discovered, Cake has mail functionality. I suggest reading this whole page http://book.cakephp.org/2.0/en/core-utility-libraries/email.html (It's 2.0 not 1.3, so please note there have been some big alterations between the two versions). The article covers in depth why you may configure something in a particular manner.
CakePHP is using the default mail function with PHP. It just allows you to incorporate views into the content and configure the outgoing mail in a much easier manner.
2) As for putting in potentially any email address within the From Header.... this can potentially fall under the category of Email Spoofing, essentially sending an email when it's not authorized from the source (From Header). Again this links back to configuring specific mail servers.
By default mail clients are generally set up to prevent spam and junk; this is done by taking a large number of steps. Some may be:
Keyword checking (checking the contents of an email for any keywords classified as spam).
Header checking. <--- This is the one that answers your question.
Essentially... headers are examined and checked to see if the server that the mail was sent from has the authority to use the given from address.
As I don't have enough technical knowledge, I'll throw a few pages your way which discuss setting up records against your DNS/Domain so emails are validated correctly and not put within spam folders.
http://www.ipswitch.com/support/imail/guide/imailgsv8.1/Appendix%20A%20dns4.html
http://help.postageapp.com/kb/application-features/dkim-and-spf-setup-and-validation
How to properly set up DNS SPF records?
I hope my jumbled ramblings make some sort of sense.
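Added example (not from the original answer): with SPF, the check of whether the sending server has authority for the sender's domain is a comparison of the connecting IP against a TXT record that domain publishes. The Python sketch below evaluates only the ip4, ip6 and all mechanisms offline; the record and the documentation-range addresses are constructed, and mechanisms that need DNS lookups are reported as "unknown".

```python
import ipaddress

# SPF qualifier prefix -> result when the mechanism matches
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed record for a hypothetical sender domain (not a real domain's record)
RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

def evaluate_spf(record, sender_ip):
    """Evaluate an SPF record left to right against the connecting server's IP.

    Handles ip4, ip6 and all. Mechanisms that require DNS lookups (a, mx,
    include, ...) cannot be decided offline, so the result is "unknown".
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").lower().partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        else:
            return "unknown"
    return "neutral"  # no mechanism matched and there was no "all"

if __name__ == "__main__":
    # A web server outside the published ranges sending mail for the domain
    print(evaluate_spf(RECORD, "203.0.113.10"))
    # A server inside the authorised range
    print(evaluate_spf(RECORD, "192.0.2.25"))
```

A "fail" or "softfail" result is one of the signals a receiving server can use to reject or junk mail like the mail() call in the question; a domain that publishes no record gives receivers nothing to check.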
Question 1: PHP mail function uses your own server's built in email functionality to send email. If you use SMTP, you're connecting to another server (eg. Google's mail servers) and using that server to send the email.
CakePHP's email component can use either PHP mail, or SMTP, depending on how you configure it.
The outcome is basically the same in many respects. Which way is best for you will depend on your set up, the volume of email you're sending, whether your own server has any restrictions with regards to sending mail, etc. If you Google "PHP mail versus SMTP" or similar, then you'll get some info to help you decide which is best for you.
If you're not sending much email, eg. if you're just wanting to send the results of an enquiry form that gets submitted a few times each day, then just use PHP mail and don't worry about it.
Question 2: Although email programs put various measures in place to make sure mail is legitimate, basically nothing stops fake emails completely. You can send Fake email. Check out this site: http://deadfake.com/Send.aspx and in particular, their FAQ section: http://deadfake.com/FAQ.aspx
Spam filters do their best to catch fake emails, but ultimately it's up to the end user to keep their wits about them, especially with banking emails!

Sendgrid - SMTP or CURL?

We are setting up a bulk mailing system using sendgrid as our core.
We are managing the lists ourselves and sendgrid is simply our transport and are using code igniter to build the system.
We are wondering what you would recommend we use, sendgrid as an smtp server, or use its curl API.
We are sending emails out to x00,000 people every day, the emails all have the same content.
We have found SendGrid's integration documentation for code igniter which only has smtp examples, so possibly that is the way to go?
The other part of the question is, if we were to go with the SMTP api, how does code igniter's bcc_batch_mode work?
I currently work at SendGrid. Our web API actually works faster than SMTP, as you only need to make a single cURL request to us to send a message, whereas with SMTP there's a lot of back-and-forth TCP chatter for connection, HELO, and such.
We recently published a new PHP library, you can find it on our github account: http://github.com/sendgrid/
Don't hesitate to contact us if you have questions.
Reading the documentation at http://sendgrid.com/documentation/map/version/v2#api
there is little to choose between them. All functionality is available either way. For PHP, I recommend smtp server with their SMTP API to take advantage of existing libraries that correctly format, mime encode, and send the email. Notably, example PHP code is given only for the SMTP API.
Edited for additions to question
The sendgrid documentation says to encode multiple recipients with their API in a custom mail header -- X-SMTPAPI -- not using CC and BCC. See http://sendgrid.com/documentation/display/api/SMTPDevelopersGuide
http://sendgrid.com/documentation/display/api/SMTP best practices section for issue with multiple recipients in the regular mail headers.
Ok, so simply as a reference for anyone I am going to paste my support chat. Note that this chat covers a wide range of things so could be useful to have it stored here
me: Sending to multiple recipients using code igniter?
Hi there, I am a php developer using code igniter, we are using sendgrid as our email sending platform,
Support: Hello.
me: Hi,
Support: Let me see if I can find a reference in our docs.
me: I believe you are going to reference: http://bit.ly/jL1Pde
Support: That was the one I was looking for.
me: Yes, I have seen that, But I also saw http://bit.ly/jvowuk which says you should use the X-SMTPAPI header, so I am a bit confused as to which I should use?
Support: Use the Codeigniter example from the previous link. You could use X-SMTPAPI, but is not needed in this case. The reason is for better portability with other languages.
me: Oh I see, Thank you very much, I have one other query.
Support: Ok.
me: When sending emails is there any header we can send to associate extra information with an email (for example a id from our system) to help with the lookup?
Support: You can set a custom category if needed. setCategory(cat) Sets a category for an e-mail to be logged as. You can use any category name you like. This is from http://bit.ly/iYjq2G
me: Oh I see, thank you, and sorry to be a pain but I have one more question,
Support: Ok.
me: We wish to provide our users with the ability to unsubscribe from receiving emails, All emails sent through in a specific batch (e.g. 100,000 emails) will have the exact same content, with the exception that we want to append an unsubscribe message to the bottom, We want to be able to track the unsubscribe back to a specific message sent from our system, so we will want to have the url look something like http://example.com/unsubscribe/1234, 1234 being the unique id for the message sent, does sendgrid provide an easy way to complete this, or must we do an individual request for every message?
Support: Ok, so you can do this using: addFilterSetting(filter, setting, val) Adds/changes a setting for a filter. Settings specified in the header will override configured settings. Here is an example of the parameter being enabled in PHP: $hdr->addFilterSetting('subscriptiontrack', 'enable', 1);
me: ok so looking at http://bit.ly/k49a57 it says about your custom name to appear in the link, what exactly does this mean? as we do not wish the user to be sent to sendgrid to unsubscribe.
Support: So, it allows you to make the link say something different other than what we provide such as 'Remove myself from this company' for example.
me: Oh I see, So if we wish the url to be something personal we must manage this ourselves, this is fine, I can't remember where, but I noticed somewhere there was something about substitutions for the email content, would this allow us to send through a list of ids and in our email body we could have *example.com/unsubscribe/--email_id--* and have it replace the *--email_id--* with the passed id?
me: Ah, http://bit.ly/jvowuk point 2 is what I was referring to, could I use that?
Support: Yes you could do that.
me: ah, here is a better example, http://bit.ly/lK6ltE
Support: Yes, that shows the e-mail with substitution. So, it can be modified for each.
me: So, I can use *$this->email->_set_header('Custom-Header', 'value');* in code igniter to set a custom header, if I was sending out say 3000 emails, I have an array that looks like array(5,6,7,8...) with the ids, 3000 of them How would I send these through? (if it is not a quick answer I can work it out by looking in the SmtpApiHeader class)
Support: The SmtpApiHeader is the best way. Adding them as parameters for the substitution. Each indexed ID.
session disconnected.

Setting up an anonymous email system that logs IPs

I'm looking to set up a whistleblowing/anonymous tip website, but I've run into some problems. The basic idea is that you navigate to a splash page, fill in a few fields (name and location optionally, and then the message), then fire it off. At that point the message gets sent to a specific email inbox so that our team can look at it.
I've done a bit of research and PHP seems like my best bet, but I would also like to be able to log IP addresses for every message (or, more ideally, append them to the email before it is sent) so that I can be sure I'm not getting trolled or spammed. Can anyone point me in the right direction with this? I'm kind of a PHP noob, but willing to learn.
Thanks!
The remote IP address will be available within your php script using the super global $_SERVER['REMOTE_ADDR']. You can append that to your mail.
Just to mention: If you log the ip address of the sender, you kind of miss something important if you want the sender to be ANONYMOUS. Because if you log the ip, then this is not really the case anymore.
Problem
Spambots most of the time have a network of computers (hacked!), so blocking IP addresses most of the time does not work. Also I would like to point out that probably some legitimate user who is not aware of the malware on his PC can't use your service because you are blocking his IP address. Otherwise CAPTCHAs were NOT necessary at all and Google, Yahoo! would not be using them at all because as you most likely know these images are hard to read sometimes.
Solution
You should just have a good spam filter (GMail's works very well) in place and use Akismet to detect spam messages instead. They have very decent libraries in place so that you don't have to do any coding at all, and it is going to work a lot better than what you were about to implement.
