@matheusbsilva137
Contributor

Proposed changes (including videos or screenshots)

  • Add a new setting ("Add Reply-To header") in the Email settings' page to control when the Reply-To header is used in e-mail notifications;
  • The new setting is turned off (false value) by default.

Issue(s)

Fixes issue #15767

Steps to test or reproduce

The new setting is displayed in the Direct Reply section of the Email settings' page (Administration > Email > Direct Reply).

Further comments


// If direct reply enabled, email content with headers
if (settings.get('Direct_Reply_Enable')) {
if (settings.get('Direct_Reply_Enable') && settings.get('Direct_Reply_ReplyTo_Enable')) {
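Review bot: The added `&& settings.get('Direct_Reply_ReplyTo_Enable')` on the last line makes the whole direct-reply header block depend on a setting that is registered with a default of `false`, so an instance that already has `Direct_Reply_Enable` on would skip this block after upgrading until an admin turns the new setting on. Keep the original `Direct_Reply_Enable` condition for this block and apply the new setting only where Reply-To is set to the sender's own address.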
Member

In case Direct Reply is enabled, the Reply-To header should always be set, since that is the only way we can make sure to receive a reply from the notification email. This new setting should only be applied to regular email notifications (when Direct Reply is turned off 😉)

placeholder: 'email@domain',
secret: true,
});
this.add('Direct_Reply_ReplyTo_Enable', false, {
Member

As I mentioned in the previous comment, this setting should control the Reply-To header of regular notifications, so the name of the setting is currently misleading.

I'd recommend moving the setting to the Privacy section and changing its name:

Suggested change
this.add('Direct_Reply_ReplyTo_Enable', false, {
this.add('Add_Sender_To_ReplyTo', false, {

this.add('Direct_Reply_ReplyTo_Enable', false, {
type: 'boolean',
env: true,
i18nLabel: 'Add_ReplyTo_Header',
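Review bot: The registration shows only `type`, `env` and `i18nLabel` in these lines, with no `i18nDescription`, so the admin page would offer a bare "Add Reply-To header" toggle with nothing explaining its effect. Since the header is filled from the sending user's account address, add a description stating that enabling the setting makes that address visible to everyone who receives the notification e-mail.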
Contributor Author

Following the changes on the setting's name, would you recommend changing its label too? @sampaiodiego

Member

oh, I didn't notice the setting name I suggested is actually very close to the i18nLabel 😅

I'd say you can remove the i18nLabel as the _id of the setting will be used if the label is missing.. 😉

also, I just realized it's missing an i18n key.. =)

Contributor Author

Ok, thanks for the suggestion! 🙂
Is i18nDescription the missing key that you think must be added here?

Member

no, sry 🙈

what I meant was you should create a new i18n key at least in the English translation file (https://github.com/RocketChat/Rocket.Chat/blob/develop/packages/rocketchat-i18n/i18n/en.i18n.json), and if possible, add the same key to the Portuguese (pt-BR.i18n.json) file as well.. this translation will be used as the label of the setting on the Admin UI.

the key you'll add to the translation files should be the value of the i18nDescription property (if it exists), otherwise it can be the setting _id.. (I'd recommend adding an i18nDescription property only if the setting _id is not similar to the label that setting should have)..

hopefully it makes more sense now, I'm sorry for the confusion.

const [senderEmail] = sender.emails;
email.headers['Reply-To'] = generateNameEmail(username, senderEmail.address);

if (settings.get('Direct_Reply_ReplyTo_Enable')) {
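Review bot: The assignment `email.headers['Reply-To'] = generateNameEmail(username, senderEmail.address);` puts the sender's account address into a header that every recipient of the notification can read, and in the lines shown it sits outside the `Direct_Reply_ReplyTo_Enable` check that follows. Make sure the assignment ends up inside that `if` (or the merged parent condition) so that no sender address leaves the server while the setting is off. Unless the parent condition already guarantees a non-empty `sender.emails`, also guard `senderEmail` before reading `.address`, which throws when the array is empty.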
Member

This if can be merged with the parent if.

@sampaiodiego sampaiodiego merged commit 0bd7b50 into develop Feb 19, 2021
@sampaiodiego sampaiodiego deleted the fix-email-reply-to branch February 19, 2021 18:39
gabrieleiro pushed a commit that referenced this pull request Feb 19, 2021
nmagedman added a commit to seekingalpha/Rocket.Chat that referenced this pull request Feb 22, 2021
RC v3.4.0 adds a Reply-To header containing the user’s email address.
Previously, there was no Reply-To header at all.  The From header was
(and still is) the commenter's real name and a site-wide configured
email address, “[email protected]”.

The new feature was intended to **prevent** a privacy issue – if a user
would reply to an email thinking it would go to the commenter, he might
send a confidential message to the [email protected] mailbox.
So with the Reply-To, email would go to the intended recipient.

However, AFAICT, the user's email address is not displayed to any other
(non-admin) users anywhere within the RC UI, so we've always considered
the email address to be a private field.  However, the Reply-To exposes
this private email address.

Solution:
Remove the Reply-To header.

In the future, we may also change the From/Reply-To address to "no-reply@"

https://seekingalpha.atlassian.net/browse/MP-931

NOTE:
  I am currently patching this onto 3.11.1, however I notice that
  3.12.0-rc.0 is planning a change to this feature which may obviate
  the need for this patch.
    RocketChat#20744
@sampaiodiego sampaiodiego mentioned this pull request Feb 28, 2021