AWS: WordPress password reset emails are not getting sent

Description

To reproduce:

Oddly, Omeka's password reset emails are working properly.

Activity

Show:
Mark Breedlove
October 29, 2014, 8:25 AM

Further note: it's using a class called PHPMailer, so maybe that has some bearing. I think that calls PHP's mail() but it may be doing something funny in the meantime.

Mark Breedlove
October 29, 2014, 12:25 PM

More information to chew on tomorrow. I did a password reset on Rackspace production, and the headers included the following:

<pre>
Delivered-To: MY ADDRESS @ dp.la
Received: by 10.96.33.200 with SMTP id t8csp16898qdi;
Tue, 28 Oct 2014 17:40:57 -0700 (PDT)
X-Received: by 10.107.155.9 with SMTP id d9mr8068030ioe.12.1414543256977;
Tue, 28 Oct 2014 17:40:56 -0700 (PDT)
Return-Path: <dpla-drop AT THE DOMAIN cyber.law.harvard.edu>
Received: from mail.rs.dp.la (mail.rs.dp.la. [166.78.243.28])
by mx.google.com with ESMTP id y8si4783956icl.32.2014.10.28.17.40.56
for <MY ADDRESS @ dp.la>;
Tue, 28 Oct 2014 17:40:56 -0700 (PDT)
Received-SPF: none (google.com: dpla-drop AT THE DOMAIN cyber.law.harvard.edu does not designate permitted sender hosts) client-ip=166.78.243.28;
Authentication-Results: mx.google.com;
spf=neutral (google.com: dpla-drop AT THE DOMAIN cyber.law.harvard.edu does not designate permitted sender hosts) smtp.mail=dpla-drop AT THE DOMAIN cyber.law.harvard.edu
To: MY ADDRESS @ dp.la
Subject: [Digital Public Library of America] Password Reset
X-PHP-Originating-Script: 1000:class-phpmailer.php
Date: Wed, 29 Oct 2014 00:40:55 +0000
From: WordPress <wordpress@default>
Message-ID: <61b29d4d98575b29675899e5e3e06627@default>
X-Priority: 3
X-Mailer: PHPMailer 5.2.7 (https://github.com/PHPMailer/PHPMailer/)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
</pre>

Note the From address of — wordpress@default, which has not been rewritten. The mail relay is sending this straight to Google, after it comes from the origin server, without rewriting the From header. From what I can see in the mail log, — wordpress@default is the address set at the source.

This whole thing is broken to begin with because this message ended up in my spam folder for good reason: wordpress@default is a bogus mail address. I'm not sure where Return-Path (which contains the dpla-drop address) is being assigned. The header is not being rewritten from root to that address; I think this header is being inserted, rather than being rewritten. My guess is that wordpress@default is coming from Wordpress itself, because — @default isn't any kind of mail / networking convention that I'm aware of. Why it's different between our AWS and Rackspace environments is still a mystery.

Anyhow, I'll keep looking at it tomorrow. I hope it's as easy as setting some Wordpress plugin setting that makes PHPMailer put in a From header that we can rewrite correctly.

Mark Breedlove
October 29, 2014, 1:25 PM

So, I'm obviously not looking at this tomorrow ...

The string — wordpress@default comes from here: https://github.com/dpla/frontend-wp/blob/develop/wp-includes/pluggable.php#L346-L354
I think that the "default" probably comes from the webserver's virtual host configuration. The PHP SERVER_NAME superglobal is the name of the virtual host, which people sometimes don't realize.

Furthermore, I do not see Wordpress's lost-password function setting any headers for the reset mail, which would include any From headers:
https://github.com/dpla/frontend-wp/blob/develop/wp-login.php#L392
... which would mean that these messages go out as — wordpress@ [ the virtual host from the webserver ]
... yes, that is a flaw in Wordpress At least the version we're using. We told it the admin email to use for user notices, but it's not using it.

I still wonder why the Postfix log contains lines indicating a different "from" value than this, but that may be due to the fact that it's reporting on the Return-Path, not the From.

Aaaanyyywaaay.... this is not ideal, but the solution is to add — wordpress@default to Postfix's generic maps file (/etc/postfix/generic). I've just done that and I can now receive a password reset email, which has had its From address rewritten to info @ the domain dp.la.

Can someone else try the password reset again? (Feel free to pass this ticket around or bump back to me.)

Kenny Whitebloom
October 29, 2014, 11:06 PM

just reset my password and received a note from <info@dp.la> (in
particular, info@dp.la via amazonses.com). hope that helps!

best,
kenny

On Tue, Oct 28, 2014 at 10:25 PM, <issues@dp.la> wrote:

> Issue #7729 has been updated by Mark Breedlove.
>
> - Status changed from In Progress to Feedback
> - Assignee changed from Mark Breedlove to Kenny Whitebloom
>
> So, I'm obviously not looking at this tomorrow ...
>
> The string wordpress@default comes from here:
> https://github.com/dpla/frontend-wp/blob/develop/wp-includes/pluggable.php#L346-L354
> I think that the "default" probably comes from the webserver's virtual
> host configuration. The PHP SERVER_NAME superglobal is the name of the
> virtual host, which people sometimes don't realize.
>
> Furthermore, I do not see Wordpress's lost-password function setting any
> headers for the reset mail, which would include any From headers:
> https://github.com/dpla/frontend-wp/blob/develop/wp-login.php#L392
> ... which would mean that these messages go out as wordpress@ [ the
> virtual host from the webserver ]
> ... yes, that is a flaw in Wordpress At least the version we're using.
> We told it the admin email to use for user notices, but it's not using it.
>
> I still wonder why the Postfix log contains lines indicating a different
> "from" value than this, but that may be due to the fact that it's reporting
> on the Return-Path, not the From.
>
> Aaaanyyywaaay.... this is not ideal, but the solution is to add
> wordpress@default to Postfix's generic maps file (/etc/postfix/generic).
> I've just done that and I can now receive a password reset email, which has
> had its From address rewritten to info @ the domain dp.la.
>
> Can someone else try the password reset again? (Feel free to pass this
> ticket around or bump back to me.)
> ------------------------------ > Task #7729: AWS: WordPress password reset emails are not getting sent
> <https://issues.dp.la/issues/7729#change-28924>
>
> - Author: Mark Matienzo
> - Status: Feedback
> - Priority: Medium
> - Assignee: Kenny Whitebloom
> - Category: Infrastructure
> - Target version: Iteration ZZ
>
> To reproduce:
>
> - Go to http://aws.dp.la/info/wp-login.php?action=lostpassword
> - Put in the username or email address for a valid account
> - Notice that you don't get an email
>
> Oddly, Omeka's password reset emails are working properly.
> ------------------------------ >
> You have received this notification because you have either subscribed to
> it, or are involved in it.
> To change your notification preferences, please click here:
> https://issues.dp.la/my/account
>

Mark Breedlove
October 30, 2014, 4:29 AM

Thanks!

Closing this.

Done

Assignee

Kenny Whitebloom

Reporter

Mark Matienzo

Labels

None

Priority

Medium