Email Server Impersonation

Asked by Starbeamrainbowlabs on 2018-06-20

Hello,

I've received a few DMARC reports telling me that emails have been sent in the name of my email server by launchpad. While this is probably related to my activity (though there's no real way to tell), my question is this:

Why is launchpad sending emails in my server's name?

Best Regards,
Starbeamrainbowlabs

Question information

Language:
English Edit question
Status:
Solved
For:
Launchpad itself Edit question
Assignee:
No assignee Edit question
Solved by:
Starbeamrainbowlabs
Solved:
2018-06-22
Last query:
2018-06-22
Last reply:
2018-06-21
Colin Watson (cjwatson) said : #1

The original reasoning was, I believe, that it's the user performing whatever action resulted in Launchpad sending email, and so it's perfectly reasonable to send out email with that user's configured preferred email address as the From: header; note that the envelope sender of emails we send is under @canonical.com. After all, Launchpad is not making up messages out of whole cloth to send on behalf of our users; at some level it's basically just being a fancy mail user agent, and the From: header was originally merely supposed to identify the author of the message, not the server it came from. However, DMARC changed the rules here.

I've linked bug 1589693, which is about this; we don't really need to track this in the answer tracker too.

Starbeamrainbowlabs (sbrl) said : #2

Ah, thanks. Glad to get some reassurance on this!

Thanks for that bug - I'll go check that out.