An Issue and a Question

Started by Arnox_S, May 13, 2014, 04:39:05 PM

Arnox_S

First, the important stuff.

Your registration is partly broken, guys. The forum is not sending emails to some email providers. I had to use Guerilla Mail, one of the few email providers that SMF will send an email to (funny how it works just fine for temporary email and not normal email), to register here.

Luckily though, I found out how to fix this as well because I had the exact same problem. In the forum Admin CP, Configuration > Server Settings > General, we're looking for the Webmaster Email Address box. For some reason, it will need to be:

[email protected]

For you guys. Because it needs to follow this pattern:

noreply@<yoursiteurlhere>

Tested and working on my forum. I would give you the link to it but apparently I don't have permission to post external links yet.

-

The second thing I wanted to bring up is a question. I heard that images being allowed in signatures are a security risk. Is this true for SMF?

Thanks in advance for the help.

EDIT: Oh yes, and I'm running SMF v.2.0.7 currently on my site.

Arantor

It's not broken per se - because it's sending it out just fine. The fact your mail provider chooses not to accept it is not actually this site's problem. Most of the automated email I get (even the legitimate stuff) doesn't use a [email protected] email, meaning that you're going to have a lot of problems with that provider if you're not careful. Outbound email from here works just fine - I get email from here regularly without any problems.

As for the webmaster email setting, don't use that to try and change things because it will crash and burn quite badly if you're not careful. You see, there are times SMF will try to send you an email in the event of major failures - and that's the address it's going to use.

If you want to use an alternative address for outbound email, there's a hidden setting in the code, which IIRC at least one mod makes available.


Images being allowed in signatures... that's a very good question. Depends mostly on how you define security risk.

The image will be, of course, automatically loaded. Any links to the site itself, where the image URL contains index.php?action= will be neutered to limit damage (e.g. if you try to link to action=logout to force someone to logout). But that won't stop people if they put such links inside link shorteners (e.g. Bitly or TinyURL) and use *that* as the image link. SMF in itself should not be seriously vulnerable because any data changing actions require either a form submission (not a link) or if they are accessible by link, the session id will be required - for example if you were to look at the logout link, you would see something like ;abcdabcd=12341231231231231233 after it, which must be present for the link to work.
Holder of controversial views, all of which my own.


Arnox_S

Quote from: Arantor on May 13, 2014, 04:54:47 PM
It's not broken per se - because it's sending it out just fine.
Are you sure? My email is not the only one that I've noticed that is having this problem by far. Most of my members have also all reported the same thing. They can't get their emails at all, with a few seemingly random exceptions, and they're using well-known providers too like Hotmail and Yahoo. (I use Yahoo personally.) Further, I've tested this problem on a new GMail account with the same result. If it is the email providers rejecting it then there's something wrong with the email being sent. Either way, there is a problem and it's on the forum's end.

And if the forum has a major failure, I won't know about it until I actually go on my computer. And every time I use my computer, I check my site for any updates anyway, so that's no loss.

As to the images, OK, so you're saying that they can exploit it but it's pretty much inconsequential in terms of damage potential, right? Thanks again for the help!

Arantor

I've had three emails (PM notifications) from the mail servers this evening alone. Make that four, I just sent myself a PM to prove it's working (and got an email less than a minute later).

It sounds to me as though you're predominantly having issues because of your hosting - and some hosts have all kinds of weird configurations with outbound email. For your host, you may well have to have [email protected] to get it out the door. You should probably check with your host about what their requirements are, as they may have other requirements, including limits on how many can be sent at once. They may also prefer you to use SMTP instead of PHP's own sendmail support, but again that's a question for them.

Oh, Yahoo, you say? Yes, Yahoo is one of those providers that's ridiculously finicky and seems to change its mind on a regular basis as to what it will and won't accept. But both Hotmail and Yahoo have been unreliable for some time and frequently block SMF mails because they think they're spam (since all installations send basically the same email).

I've asked them for details in the past as to what should be done to mitigate this, but no answer has been forthcoming yet.


Arnox_S

Wait a tick. Maybe it is just me. I got my registration email for the original account I registered here (finally).

Huh. Well, never mind then.

I guess that just leaves the images in sigs question. You're probably right, Arantor, but I'd like to see what the forum team has to say about this. I really want to make sure just in case.

Arantor

It's kind of interesting to not be taken seriously considering that I have the highest post count on this forum, and I have been one of the major contributors in recent years ;)

Honestly, it's as safe as it's going to get at this point. The steps that could possibly be taken have been taken, and were taken even before link shorteners began to appear. Such security measures are limited in the event of Pretty URLs type mods being used, but the underlying protection (session id in links being a requirement for data changing URLs) hasn't changed, since it's also used in similar CSRF protection elsewhere, not just for images.

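The two defences Arantor describes (an [img] source that points back at the forum's own index.php?action= is neutered, and a data-changing link only works when it carries the session's own name=value pair, the ;abcdabcd=1234... part of a logout link) in runnable form. This is an added example written for this thread, not SMF's own code: the forum host name, the list of state-changing actions, and the choice to refuse an offending image URL rather than rewrite it are assumptions.

```python
# Added example (not SMF code). Models two defences from the thread:
#   1. neuter_image_url(): an auto-loaded <img> must not be allowed to point
#      at the forum's own index.php?action=..., because every viewer's
#      browser would issue that request without a click.
#   2. Session.authorizes() / handle_get(): a state-changing GET link must
#      carry the session's own random name=value pair, so a link planted by
#      someone else (directly or behind a URL shortener) cannot act as the
#      viewer. This server-side check is what actually limits the damage.
# FORUM_HOST, STATE_CHANGING and the refuse-instead-of-rewrite behaviour are
# assumptions made for the example.
import hmac
import secrets
from urllib.parse import parse_qsl, urlsplit

FORUM_HOST = "forum.example.test"  # assumed forum host, constructed for the example
STATE_CHANGING = {"logout", "deletemsg", "markasread"}  # assumed action list


def _query_params(url: str) -> dict:
    """Parse ?a=b;c=d or ?a=b&c=d into a dict (SMF-style ';' separators)."""
    query = urlsplit(url).query.replace(";", "&")
    return dict(parse_qsl(query))


def neuter_image_url(src: str, forum_host: str = FORUM_HOST):
    """Return src if it is safe to auto-load as an image, else None.

    Only http(s) is accepted as an image source; a URL on the forum's own
    host that carries an action= parameter is refused outright.
    """
    parts = urlsplit(src.strip())
    if parts.scheme not in ("http", "https"):
        return None  # no javascript:, data:, etc. in an image source
    if (parts.hostname or "").lower() != forum_host:
        return src  # foreign host: cannot trigger a forum action by itself
    if "action" in _query_params(src):
        return None  # would make every viewer's browser hit that action
    return src


class Session:
    """A logged-in session. Both the token's name and its value are random,
    which is why an SMF link ends in something like ;abcdabcd=12341231231231231233."""

    def __init__(self):
        self.var = secrets.token_hex(4)     # the random parameter name
        self.value = secrets.token_hex(16)  # the random session id

    def link(self, action: str) -> str:
        """Build a link the way the forum itself would render it for this session."""
        return f"https://{FORUM_HOST}/index.php?action={action};{self.var}={self.value}"

    def authorizes(self, url: str) -> bool:
        """True only if the URL carries this session's own name=value pair."""
        supplied = _query_params(url).get(self.var, "")
        return hmac.compare_digest(supplied, self.value)


def handle_get(session: Session, url: str) -> str:
    """Dispatch a GET request; data-changing actions require the session token."""
    action = _query_params(url).get("action", "")
    if action in STATE_CHANGING and not session.authorizes(url):
        return "refused: session token missing or wrong"
    return f"ok: {action or 'index'}"


if __name__ == "__main__":
    me = Session()
    planted = f"https://{FORUM_HOST}/index.php?action=logout"  # link someone else made
    print(neuter_image_url(planted))        # None: not allowed as an [img] source
    print(handle_get(me, planted))          # refused even if it reaches the server
    print(handle_get(me, me.link("logout")))  # ok: the forum's own link works
```

The image filter is deliberately the weaker of the two layers: as the thread notes, a shortener hides the real target from it. The token check is the layer that holds, because a forged link cannot know the viewer's random parameter name and value, and the same check protects form submissions elsewhere in the forum.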

Kindred

As he says, Arantor can be considered an authority on the SMF system and coding.

But, if you need it... I fully endorse everything that he has already said.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Arantor

It's funny, actually, I was looking over that protection code only last night and looking at tweaking it to make it run slightly faster and with less memory use ;)


Arnox_S

Quote from: Arantor on May 13, 2014, 06:14:19 PM
It's kind of interesting to not be taken seriously considering that I have the highest post count on this forum, and hxxp:github.com/SimpleMachines/SMF2.1/graphs/contributors in recent years ;)

Honestly, it's as safe as it's going to get at this point. The steps that could possibly be taken have been taken, and were taken even before link shorteners began to appear. Such security measures are limited in the event of Pretty URLs type mods being used, but the underlying protection (session id in links being a requirement for data changing URLs) hasn't changed, since it's also used in similar CSRF protection elsewhere, not just for images.

Quote from: Kindred on May 13, 2014, 06:45:47 PM
As he says, Arantor can be considered an authority on the SMF system and coding.

but, if you need it...    I fully endorse everything that he has already said.

My apologies, Aran. Don't get me wrong, you had the look of a gentleman and a scholar and that's why I said you were probably right. However, your profile only says you're a friend and not actually part of the official team, so I didn't know exactly how much you knew or were included in the dev process. But now, seeing your level of involvement, I don't know why you're NOT listed as part of the team.

Well, that settles it then. I'll turn on images in sigs on my next visit to the forum. And I guess it didn't matter in the first place anyway because I think we all know that the best security comes from regular backups.

Arantor

Well, you generally only get to be a friend because of having been on the team ;) As for being on the team, it is my choice not to be officially present, since these days I'm more of an active observer than an active contributor, if that makes sense :)
