[RCD] Message-ID issues

duchamp at redpin.com duchamp at redpin.com
Tue Aug 10 00:59:00 CEST 2010


I have identified what appears to be a long-standing issue with the way
Roundcube generated message IDs.

Recent versions, at least, use the code

'Message-ID' => sprintf('<%s@%s>', md5(uniqid('rcmail'.rand(),true)),

in program/steps/mail/func.inc to generate the Message-ID string.

In probably 99% of installations, this results in a message ID in the form
nnnnnnnnnnnnnnnn at localhost . This *may* technically be RFC2822-compliant,
depending on how you interpret the RFC. Compliance is a moot point,
however, because several anti-spam applications - including SpamAssassin
and ASSP - do not view nnnnnnnnnnnnnnnn at localhost as a valid, legitimate
message ID, and will score such messages as spam as a result.

This is not particularly desirable.

My suggestion would be to change program/steps/mail/func.inc to not
include the imap_host setting, but to either:

1, use the canonical hostname of the server, i.e. hostname.domain.tld, as
the right-hand side of the Message-ID (most desirable option);

2, use the FQDN that Roundcube was loaded under, i.e. webmail.domain.tld,
and use that as the right-hand side of the Message-ID (less desirable
option, but still very strictly RFC compliant); or

3, query and use the PTR record for the IP the server is running on (which
may be something non-unique such as customer.noc.tld) and use that as the
right-hand side of the Message-ID (least desirable, as would incur at
least one DNS lookup, and probably other annoying overhead).

Hopefully this shouldn't be too difficult to amend.

-Mike Gilday

List info: http://lists.roundcube.net/dev/

More information about the Dev mailing list