peterr Posted February 25, 2004

Hi,

The "contact us" link and other email functions use the "tep_mail" function. I have looked into the code that 'tep_mail' uses, and notice the final 'send' is the PHP mail() function.

We need to be able to change some email headers. At present, the ones we would like to change are:

    From username@mailservername.net Mon Feb 23 23:54:46 2004
    Return-path: <username@mailservername.net>
    Received: from username by mailservername.net with local (Exim 4.24) id 1AvUak-00053g-3Y for [email protected]; Mon, 23 Feb 2004 23:54:46 -0500

The email header value, shown in blue is of course, the username, and currently defaults to the "root/shell" username. We would prefer to protect this username (obviously), and would like the username to be localhost instead.

Under admin, the email transport method is 'sendmail'. I have been able to use different Perl modules on the same web hosts and send emails with value 'localhost', and I'm sure PHP can do it as well.

Does anyone know what parameters, or header values to parse to the PHP mail() function, which is called by the osC tep_mail() function please.

Thanks, :)

Peter
peterr (Author) Posted February 25, 2004

Hi,

I was hoping to edit the first post, but I think the 'edit' button only stays there for 5 mins. :(

Looking at function tep_mail(), in line 975 of /catalog/includes/functions/general.php, it calls a function called send() and passes 5 parameters. The send() function is in /catalog/includes/classes/email.php, and allows for 6 parameters, the 6th one being the variable $headers.

So, ... it seems if I can just work out what headers to pass, then all that needs changing is the call to the send() function, to pass 6 parameters. Does that sound right ??

Peter
♥ecartz Posted February 27, 2004

Not exactly. The headers that you indicate will actually get set automatically by sendmail (if that is what you are using). What you actually want to do is change the sendmail command line (sendmail_path setting in php.ini -- you can change it in .htaccess or with ini_set) to include [email protected]

If you were using SMTP, you would change the sendmail_from instead.

Hth,
Matt

Always back up before making changes.
peterr (Author) Posted February 27, 2004

Hi Matt,

> Not exactly. The headers that you indicate will actually get set automatically by sendmail (if that is what you are using). What you actually want to do is change the sendmail command line (sendmail_path setting in php.ini -- you can change it in .htaccess or with ini_set) to include [email protected]

We can use our own PHP.INI, but I have found if I want to use one, LOTS of PHP settings get changed back to defaults, so it's a bit of a bother really, doing that method. I looked up the function ini_set(), and there are two 'sendmail' parms you can pass:

    sendmail_from
    sendmail_path

and I'm guessing I need the 'sendmail_from' one, so the code would be something like:

    ini_set('sendmail_from','[email protected]');

That's a much better method, this way you are suggesting will mean I don't have to change any part of the 'tep_mail()' function, or any other functions that 'tep_mail()' calls.

> If you were using SMTP, you would change the sendmail_from instead

We use sendmail, actually it is a sendmail 'pipe' to Exim. Just ran a phpinfo(), and the sendmail settings are:

    sendmail_from    no value                    no value
    sendmail_path    /usr/sbin/sendmail -t -i    /usr/sbin/sendmail -t -i

Thanks for your help,

Peter
♥ecartz Posted February 27, 2004

It's confusing in that there are two kinds of mail settings: SMTP and sendmail. You need to change the sendmail setting: sendmail_path. Despite the name, sendmail_from is an SMTP setting. I would try

    ini_set('sendmail_path', '/usr/sbin/sendmail -t -i [email protected]');

Hth,
Matt
peterr (Author) Posted February 27, 2004

Hi Matt,

Good you were so quick, thanks, because I had just made the mods and was about to upload the new file. :D

Thanks a lot,

Peter
peterr (Author) Posted February 29, 2004

Hi Matt,

The "ini_set" function didn't work. I don't know what the scope of this function is, as I remember I used it recently to set the "messages to browser" to "off/false", but it wouldn't override the PHP.INI settings that our setup on the website.

I wrote a small script, did a phpinfo(), used the 'ini_set' function as you explained, then ran the phpinfo() again, and the settings remained unchanged:

    sendmail_from    no value                    no value
    sendmail_path    /usr/sbin/sendmail -t -i    /usr/sbin/sendmail -t -i
    SMTP             localhost                   localhost

I think I may have to just try to code a small script with the mail() function, and get it working with a different username first, as the function tep_mail() calls other functions and is not real easy to follow. Passing username appears to be in the 'additional headers' of the mail() function.

Peter
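Added example, not part of the thread: PHP registers `sendmail_path` as a PHP_INI_SYSTEM directive, so a script cannot change it with ini_set(), which matches the unchanged phpinfo() output reported above. The sketch below lists where each mail directive may be set and whether ini_set() is accepted; `access_label()` and `mail_directive_report()` are hypothetical helper names.

```php
<?php
// Added example: report where PHP's mail directives may be changed.
// Helper names are hypothetical; the directive names are PHP's own.

function access_label(int $access): string
{
    // 'access' is a bitmask of the INI_* constants.
    $places = [];
    if ($access & INI_USER) {
        $places[] = 'script (ini_set)';
    }
    if ($access & INI_PERDIR) {
        $places[] = 'per-directory config';
    }
    if ($access & INI_SYSTEM) {
        $places[] = 'php.ini / server config';
    }
    return implode(', ', $places);
}

function mail_directive_report(): array
{
    $all = ini_get_all(null, true);   // details include the 'access' level
    $report = [];
    foreach (['sendmail_path', 'sendmail_from', 'SMTP', 'smtp_port'] as $name) {
        if (!isset($all[$name])) {
            continue;
        }
        $current = (string) ini_get($name);
        // ini_set() returns false when the script is not allowed to change
        // the directive; re-setting the current value changes nothing.
        $accepted = ini_set($name, $current) !== false;
        $report[$name] = [
            'value'    => $current,
            'where'    => access_label($all[$name]['access']),
            'accepted' => $accepted,
        ];
    }
    return $report;
}

foreach (mail_directive_report() as $name => $row) {
    printf(
        "%-14s ini_set accepted: %-3s settable in: %s\n",
        $name,
        $row['accepted'] ? 'yes' : 'no',
        $row['where']
    );
}
```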
♥ecartz Posted March 1, 2004

You may actually want to do it in the additional_parameters parameter (the fifth one) of the mail function. There are times when you don't want to do it in additional_headers (the fourth parameter), as some mailers will rewrite this.

Hth,
Matt
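Added example, not code from the thread or from osCommerce: one way to pass an envelope sender through the fifth parameter of mail() with sendmail's `-f` option. Because that parameter is appended to the sendmail command line, the address is validated first, and CR/LF is stripped from header values. The function names and addresses are hypothetical, and whether `-f` is honoured is still decided by the MTA.

```php
<?php
// Added example: envelope sender via mail()'s additional_parameters.
// Function names and sample addresses are hypothetical.

function clean_header_value(string $value): string
{
    // Remove CR/LF so a supplied value cannot start a new header line.
    return trim(str_replace(["\r", "\n"], '', $value));
}

function envelope_sender_param(string $address): string
{
    // Accept only a syntactically valid address made of a conservative
    // character set, so nothing else reaches the sendmail command line.
    $valid = filter_var($address, FILTER_VALIDATE_EMAIL) !== false
        && preg_match('/\A[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\z/', $address) === 1;
    if (!$valid) {
        throw new InvalidArgumentException('Unsafe envelope sender');
    }
    return '-f' . $address;
}

function send_with_envelope_sender(
    string $to,
    string $subject,
    string $body,
    string $from
): bool {
    // Fourth parameter: visible From header. Fifth: envelope sender (-f).
    $param   = envelope_sender_param($from);
    $headers = 'From: ' . clean_header_value($from);
    return mail($to, clean_header_value($subject), $body, $headers, $param);
}

// Demo on constructed values: builds the parameter only, sends nothing.
foreach (['sales@shop.example', 'sales@shop.example extra'] as $candidate) {
    try {
        echo envelope_sender_param($candidate), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', var_export($candidate, true), "\n";
    }
}
```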
peterr (Author) Posted March 1, 2004

Hi Matt,

Thanks, I'll try that out. I think in the testing I may have been parsing the fourth parameter only, and not the fifth, so I'll try that one.

Thanks,

Peter
peterr (Author) Posted March 25, 2004

Hi,

Tried everything with PHP and mail() function, and also PHP and piping the sendmail command, and even changing PHP.INI, it absolutely refused to work, so I'm convinced the _only_ way to change the username on the server and PHP, is to use SMTP and 'authenticate', well at the least, supply a hostname.

The code below:

    <?php
    // PEAR Mail package
    include('Mail.php');
    $recipients = '[email protected]';
    $headers = array();
    $headers['From'] = '[email protected]';
    $headers['To'] = '[email protected]';
    $headers['Subject'] = 'Test message 1';
    $body = 'Test message 2 with the body.';
    // Hand the message to the SMTP listener on this host instead of mail()
    $params['host'] = 'localhost';
    // Create the mail object using the Mail::factory method
    $mail_object = Mail::factory('smtp', $params);
    // send() returns true or a PEAR_Error, so report success only when it worked
    $result = $mail_object->send($recipients, $headers, $body);
    if (PEAR::isError($result)) {
      print 'Mail failed: ' . $result->getMessage();
    } else {
      print "Sent Mail message to $recipients";
    }
    ?>

.. modified the "Return-Path:" email header and also the "Received: from ....." details, exactly what I needed.

I did have a quick look at 'PHPmailer', and looking at the classes and 'how' it sends the email, no doubt that product would also work just fine, because it used SMTP / host to send it. There was also an osCommerce contribution smtp through the authentication smtp server, that may also do the trick.

Peter
peterr (Author) Posted March 30, 2004

Hi,

Finally after doing some more testing over the last week or so, I have now realised that I cannot use the osC "tep_mail()" function to send any emails. I have found some suitable code replacement (see previous post), but I would like to be sure of a few things please, if someone can advise.

1. I have looked at the function tep_mail(), and it always does a "build_message" function, then a "send()" function, which then eventually executes this code:

    if (EMAIL_TRANSPORT == 'smtp') {
      return mail($to_addr, $subject, $this->output, 'From: ' . $from . $this->lf . 'To: ' . $to . $this->lf . implode($this->lf, $this->headers) . $this->lf . implode($this->lf, $xtra_headers));
    } else {
      return mail($to, $subject, $this->output, 'From: '.$from.$this->lf.implode($this->lf, $this->headers).$this->lf.implode($this->lf, $xtra_headers));
    }

I will have to replace the PHP mail() function above with the replacement code. Unfortunately, the send() function is not in one file, but five. :( Here are the files where I found it:

    /catalog/admin/includes/classes/email.php
    /catalog/admin/includes/modules/newsletters/newsletter.php
    /catalog/admin/includes/modules/newsletters/product_notification.php
    /catalog/includes/classes/email.php
    /catalog/includes/classes/http_client.php

but, the "send" in some is not the same function as the "send" in others.

2. The actual PHP mail() function appears to be only in 2 files:

    /catalog/admin/includes/classes/email.php
    /catalog/includes/classes/email.php

but, it is the other 3 files that I would need to check also. :D

The _real_ problem with all these mods I need to make is:

* I do not know all the functions where email is used in osC, simply because I have reason to believe some of the emails are not even working (like advising us when there is an order).
* For this reason, I cannot know which files to modify, only search for the send() function, the PHP mail() function, and "hope" that they are the only places where email is used.

Surely there is a definitive list somewhere (Wiki ??) of "when" an email is sent from osCommerce, and "where" (what PHP file) to find the code that sends the email. I'm at a loss to know if the modifications I make will cover all emails sent from osCommerce.

Do I need to use something like "Beyond Compare" or similar ? At present, the tools I'm using are (Win) 'find' feature. Does "Beyond Compare", or similar tools show a "where used" or cross-reference list ?

Hoping someone can advise, :D

Peter
♥ecartz Posted March 30, 2004

Peter,

The mail() function is only called from includes/classes/email.php

You should be able to make the changes you need directly in the same function as calls mail(). That's the way the SMTP w/ Authentication contribution works...it replaces the call to mail() with its own function.

Btw, I have recently found that RHEL3/Plesk uses qmail in such a way that one needs to add in some environment variable code (lines 2-5:)

    } else {
      $email_address_parts = explode('@', STORE_OWNER_EMAIL_ADDRESS, 2);
      putenv('MAILHOST=' . $email_address_parts[1]);
      putenv('MAILUSER=' . $email_address_parts[0]);
      putenv('MAILNAME=' . STORE_OWNER);
      return mail($to, $subject, $this->output, 'From: '.$from.$this->lf.implode($this->lf, $this->headers).$this->lf.implode($this->lf, $xtra_headers));
    }

right before the call to mail() in the non-SMTP case. I don't know if this has anything to do with your problem or not.

Hth,
Matt
peterr (Author) Posted March 30, 2004

Hi Matt,

> The mail() function is only called from includes/classes/email.php

Yes, I have done several 'finds', using "mail(" and "return mail(" as the string to search on, and the mail() function is definitely only in:

    /catalog/admin/includes/classes/email.php
    /catalog/includes/classes/email.php

which is within the "send()" function; why there needs to be duplicate code in 2 files, I don't know, it doesn't make sense to me, anyway it's only in email.php, as you say.

> You should be able to make the changes you need directly in the same function as calls mail(). That's the way the SMTP w/ Authentication contribution works...it replaces the call to mail() with its own function.

Ok, I hear what you are saying. The things that concern me are 'missing something', like I'd like all my bases covered, so to speak. If I look in /newsletters.php, this code:

    function send($newsletter_id) {
      $mail_query = tep_db_query("select customers_firstname, customers_lastname, customers_email_address from " . TABLE_CUSTOMERS . " where customers_newsletter = '1'");

      $mimemessage = new email(array('X-Mailer: osCommerce bulk mailer'));
      $mimemessage->add_text($this->content);
      $mimemessage->build_message();
      while ($mail = tep_db_fetch_array($mail_query)) {
        $mimemessage->send($mail['customers_firstname'] . ' ' . $mail['customers_lastname'], $mail['customers_email_address'], '', EMAIL_FROM, $this->title);
      }

      $newsletter_id = tep_db_prepare_input($newsletter_id);
      tep_db_query("update " . TABLE_NEWSLETTERS . " set date_sent = now(), status = '1' where newsletters_id = '" . tep_db_input($newsletter_id) . "'");
    }
    }

means I might have to change something there also, and in product_notification.php, there is also a send() function (much bigger), that uses similar code as above. It's a case of nailing _all_ the email functions within osC, that concerns me.
> Btw, I have recently found that RHEL3/Plesk uses qmail in such a way that one needs to add in some environment variable code (lines 2-5:)
>
>     } else {
>       $email_address_parts = explode('@', STORE_OWNER_EMAIL_ADDRESS, 2);
>       putenv('MAILHOST=' . $email_address_parts[1]);
>       putenv('MAILUSER=' . $email_address_parts[0]);
>       putenv('MAILNAME=' . STORE_OWNER);
>       return mail($to, $subject, $this->output, 'From: '.$from.$this->lf.implode($this->lf, $this->headers).$this->lf.implode($this->lf, $xtra_headers));
>     }
>
> right before the call to mail() in the non-SMTP case. I don't know if this has anything to do with your problem or not.

Thanks for supplying that code. The site uses Exim, and any use of either sendmail or any other flavours (SMTP), still eventually 'invoke' Exim. But as 'authentication' seems to be the only way past this problem, I could at least try the code above, in isolation, a small test, and see what happens.

Many thanks, :D

Peter
Anna Posted August 12, 2004

Hi Peter,

I'd be interested in the solution to your problem as we also use exim (apache/linux).

I've just spent 2 days trying to stop shopper emails appearing as from "Apache [[email protected]] on behalf of Nice Shop Name [[email protected]]". This was caused by exim adding a "Sender: [email protected]" header which is fixed by adding "trusted_users = <webserver username>" to the exim config file.

I don't know if you have had the same issue, but this at least keeps the webserver info in the headers and out of the visible "From".

all the best
Anna
peterr (Author) Posted August 13, 2004

Hi Anna,

> I'd be interested in the solution to your problem as we also use exim (apache/linux).

Looking by the date of my last post in this thread, I have since moved web hosts, and one of the reasons (albeit minor) was because of this email issue, passing 'confidential' information in the email headers. The new host said they have the user "nobody", so that sealed my decision to go with them.

I'm a web host reseller myself, and it is important for me to ensure any emails that go out from any of the domains I support, don't have the username, especially the website login username, in the email headers. It simply compromises website security, plain and simple.

So, my solution was fixed by changing hosts, even though later on we did have one small 'hiccup', as the latest CPanel mod placed additional email headers from the MTA (Exim). Guess what was in the headers, yep, the website login username. However, after a period of "persuasion", the CPanel developers were very co-operative, and now, place the domain name instead of the username. All this was done by CPanel/Exim, to track down spammers, because these extra email hdrs are added AFTER the email is sent, that is the MTA runs a Perl script to add them in.

Now, none of this really helps you does it !! :D My memory isn't good, but I'm sure I was able to get around the problem by using, .... hmm, I'd better check, yep here it is ...........
    <?php
    // PEAR Mail package
    include('Mail.php');
    $recipients = '[email protected]';
    $headers = array();
    $headers['From'] = '[email protected]';
    $headers['To'] = '[email protected]';
    $headers['Subject'] = 'Test message 1';
    $body = 'Test message 2 with the body.';
    // Hand the message to the SMTP listener on this host instead of mail()
    $params['host'] = 'localhost';
    // Create the mail object using the Mail::factory method
    $mail_object = Mail::factory('smtp', $params);
    // send() returns true or a PEAR_Error, so report success only when it worked
    $result = $mail_object->send($recipients, $headers, $body);
    if (PEAR::isError($result)) {
      print 'Mail failed: ' . $result->getMessage();
    } else {
      print "Sent Mail message to $recipients";
    }
    ?>

For osC, you will have to find out where the tep_mail() function (I probably have the name wrong, it's been many mths ?? ) is used, and replace the PHP mail() function with code like I have supplied above. There are a few other places where osC sends email though, so make sure you cover all the places.

The best test is run a small script like the example above, then see what the headers are. Run the PHP script from your osCommerce site of course, and even add in application_top.php, just to throw in some additional variables and settings, so 'simulate' an osC email send.

> I've just spent 2 days trying to stop shopper emails appearing as from "Apache [[email protected]] on behalf of Nice Shop Name [[email protected]]". This was caused by exim adding a "Sender: [email protected]" header which is fixed by adding "trusted_users = <webserver username>" to the exim config file.

If the name apache or other info is not used anywhere as a login or username for something, that is, no confidential info given out, then it's okay, isn't it ?? Yes, the trusted users thing, I tried to get the previous hosts to change the list, but they wouldn't. The new hosts simply have 'nobody' and that is the user in the email headers, I like that. :)

> I don't know if you have had the same issue, but this at least keeps the webserver info in the headers and out of the visible "From".
If it is in the headers, and considered something that could compromise your website security, then being 'invisible' doesn't really help I think, because it is still there, and open to abuse. Better for you, if it isn't there. Hope that helps, Peter
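Added example, not code from the thread: the "see what the headers are" test above can be automated by parsing the headers of a received test message and listing every header that contains a local account name. The function names, the account list and the sample message (built on the header layout quoted in the first post) are constructed for illustration.

```php
<?php
// Added example: audit a received message for headers that expose a local
// account name. Names, accounts and the sample message are constructed.

function parse_headers(string $raw): array
{
    // Headers end at the first blank line; folded lines start with whitespace.
    $block = preg_split('/\r?\n\r?\n/', $raw, 2)[0];
    $block = preg_replace('/\r?\n[ \t]+/', ' ', $block);
    $headers = [];
    foreach (preg_split('/\r?\n/', $block) as $line) {
        if (strncmp($line, 'From ', 5) === 0) {
            // mbox separator line: carries the envelope sender
            $headers[] = ['From_ (envelope)', substr($line, 5)];
        } elseif (preg_match('/^([^\s:]+):\s*(.*)$/', $line, $m)) {
            $headers[] = [$m[1], $m[2]];
        }
    }
    return $headers;
}

function find_account_leaks(string $raw, array $accountNames): array
{
    $leaks = [];
    foreach (parse_headers($raw) as [$name, $value]) {
        foreach ($accountNames as $account) {
            // Whole-token match, e.g. "shopuser@..." or "from shopuser by".
            $pattern = '/(?<![A-Za-z0-9._-])' . preg_quote($account, '/')
                . '(?![A-Za-z0-9._-])/i';
            if (preg_match($pattern, $value) === 1) {
                $leaks[] = [
                    'header'  => $name,
                    'account' => $account,
                    'value'   => $value,
                ];
            }
        }
    }
    return $leaks;
}

// Constructed sample message; "shopuser" stands in for the hosting login.
$sample = <<<'EOT'
From shopuser@mail.example.net Mon Feb 23 23:54:46 2004
Return-path: <shopuser@mail.example.net>
Received: from shopuser by mail.example.net with local (Exim 4.24)
    for customer@example.org; Mon, 23 Feb 2004 23:54:46 -0500
From: Nice Shop Name <sales@shop.example>
Subject: Order confirmation

Thank you for your order.
EOT;

foreach (find_account_leaks($sample, ['shopuser', 'root']) as $leak) {
    printf("%s exposes '%s': %s\n", $leak['header'], $leak['account'], $leak['value']);
}
```

Run it against the raw source of a message delivered to an external mailbox, since the MTA adds or rewrites these headers after PHP has handed the message over.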
Anna Posted August 13, 2004

Hi Peter

Thanks for the reply and useful info and I'm glad you're happy with the new host & setup! :D

I don't pretend to understand mail/webserver configuration that much (I'm *just* the programmer...) but I'm told our headers don't reveal enough to compromise us. 'apache' was the only username revealed by our headers and it's not possible to log in to our servers using it. I'm sure 'nobody' is your apache username but likewise it shouldn't be possible to log in as it. So while they're real accounts they shouldn't be a problem as far as I understand it!

So you're right 'From Apache on behalf of...' isn't a real risk, but it really didn't look nice to shoppers and might worry them that the mail might not actually be from the store.

It'd still be nice to clean up the headers a bit - add the Reply To and Return-Path, and perhaps Priority - but it's now clear I'd need to find out more about what exim does/adds before I mess with the osCommerce side of it. When I find the time I'll definitely bear your code in mind thanks!

We also resell hosting on dedicated servers so security is a big interest. Luckily I don't deal with the config side, just the programming! ;) Unfortunately the dividing line is well blurred <_< This email config has been a real learning experience!

All the best
Anna
peterr (Author) Posted August 13, 2004

Hi,

There are some good examples of how to modify the email headers here:

http://au.php.net/manual/en/function.mail.php
http://au.php.net/manual/en/ref.mail.php

The second URL has an example of using Exim.

My experience with changing email headers was one in where some headers I modified did not end up the same when the mail was received, in the end, the MTA has the final say. :)

Peter
Anna Posted August 13, 2004

Brilliant! Will certainly follow up the exim example & as I said look further into exim anyway (which was only just installed on our latest not-yet-live server so the config clearly needed some tweaking! ).

Thanks
Anna
This topic is now archived and is closed to further replies.