Setting the "Return-Path" header doesn't follow RFC 5321

Created on 17 May 2019, over 5 years ago
Updated 2 February 2024, 11 months ago

Problem/Motivation

Drupal's mail command sets the Return-Path header directly. This is in violation of the relevant RFCs.

https://tools.ietf.org/html/rfc2821#section-4.4

A message-originating SMTP system SHOULD NOT send a message that
already contains a Return-path header. SMTP servers performing a
relay function MUST NOT inspect the message data, and especially not
to the extent needed to determine if Return-path headers are present.
SMTP servers making final delivery MAY remove Return-path headers
before adding their own.

More recent RFCs:

The Return-Path header is set by the SMTP server to the value of the envelope sender (MAIL FROM: SMTP command). When using sendmail or other local MTA this can often be set using the "-f" option.

When Drupal sets the Return-Path header the recipient mail server may reject the email or ignore the header. If the email gets through, it results in 2 headers which can be different and which the recipient might flag as spam.

External mail services, such as Mailgun or Sendgrid, set their own envelope sender (therefore Return-Path header) to capture any bounces. Drupal should not try to influence the header at all.

External SMTP services may use Variable Envelope Return Path.

Proposed resolution

Do not set the "Return-Path" header within Drupal and provide more detailed documentation on Drupal's mail system.

That is, remove Return-Path altogether and set the envelope sender to $message['from']. See https://api.drupal.org/api/drupal/core!core.api.php/function/hook_mail_a...

PHPMailer has resolved the issue:

πŸ› Bug report
Status

Needs work

Version

11.0 πŸ”₯

Component
MailΒ  β†’

Last updated 5 days ago

No maintainer
Created by

πŸ‡¦πŸ‡ΊAustralia imclean Tasmania

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • The Needs Review Queue Bot β†’ tested this issue. It either no longer applies to Drupal core, or fails the Drupal core commit checks. Therefore, this issue status is now "Needs work".

    Apart from a re-roll or rebase, this issue may need more work to address feedback in the issue or MR comments. To progress an issue, incorporate this feedback as part of the process of updating the issue. This helps other contributors to know what is outstanding.

    Consult the Drupal Contributor Guide β†’ to find step-by-step guides for working with issues.

  • First commit to issue fork.
  • Status changed to RTBC 11 months ago
  • πŸ‡¨πŸ‡¦Canada joelpittet Vancouver

    I agree with @iamclean's assessments and answers to @alexpott from #32.

    I love this patch because it removes complexity and clears up misconceptions of how this Return-path works and conflated with From (in my case for bounces) and still does the same thing it used to.

    I'm using mimemail which makes the -f flag not work because the Return-path is in the <from@example.org> format and never matches the site_mail.

    Moved this to a reroll MR, for the bot

  • Merge request !6417Setting envelope sender to From header β†’ (Open) created by joelpittet
  • πŸ‡¨πŸ‡¦Canada joelpittet Vancouver

    I did a really rough draft CR https://www.drupal.org/node/3418522 β†’ , please edit at a will. I'm not sure how to describe it as "envelope sender" but that is the correct term it sounds strange.

  • Status changed to Needs work 11 months ago
  • πŸ‡¬πŸ‡§United Kingdom alexpott πŸ‡ͺπŸ‡ΊπŸŒ

    Tests have failed due to the changes.

  • πŸ‡¨πŸ‡¦Canada joelpittet Vancouver

    Thanks @alexpott, usually the test failures would kick it back to needs work, probably a transition to gitlab thing...
    Anyways, this patch makes this problem with RFC 2822 Return-Path more problematic
    πŸ› RfcComplianceException: RFC 2822 Needs work

    Because prior to this, we stripped the return-path out, so it didn't validate it through Symfony. With this patch it's still there, so gets validate and makes that issue a problem for my case as well... (I haven't applied the patch in that one because I'd rather not rely on multiple patches to solve a problem if I can help it).

    I still like the solution here, just need to find a way to make everybody happy... and the testbot

Production build 0.71.5 2024