From: <de...@de...> - 2012-03-13 09:28:45
Author: PeterThoeny Date: 2012-03-13 04:28:34 -0500 (Tue, 13 Mar 2012) New Revision: 22701 Trac url: http://develop.twiki.org/trac/changeset/22701 Modified: twiki/trunk/SendMailPlugin/data/TWiki/SendMailPlugin.txt Log: Item6848: Initial version of SendMailPlugin - add documentation on open mail relay protection Modified: twiki/trunk/SendMailPlugin/data/TWiki/SendMailPlugin.txt =================================================================== --- twiki/trunk/SendMailPlugin/data/TWiki/SendMailPlugin.txt 2012-03-13 09:06:12 UTC (rev 22700) +++ twiki/trunk/SendMailPlugin/data/TWiki/SendMailPlugin.txt 2012-03-13 09:28:34 UTC (rev 22701) @@ -1,4 +1,4 @@ -%META:TOPICINFO{author="TWikiContributor" date="1331629205" format="1.1" version="$Rev$"}% +%META:TOPICINFO{author="TWikiContributor" date="1331630882" format="1.1" version="$Rev$"}% ---+!! !SendMailPlugin <!-- Contributions to this plugin are appreciated. Please update the plugin page at 
@@ -21,7 +21,7 @@ | *Parameter* | *Explanation* | *Default* | | =action=""= | Only =action="send"= is supported, it will send an e-mail | =""= (no action) | -| =from="ad...@ex..."= | E-mail address of sender. Supported tokens: %BB% =$webmastername= - name of TWiki administrator. %BB% =$webmasteremail= - e-mail of TWiki administrator. %BB% =$username= - %SYSTEMWEB%.WikiName of logged in user. %BB% =$useremail= - e-mail address of the logged in user. %BR% Defaults to TWiki administrator. | ="$webmastername <$webmasteremail>"= | +| =from="ad...@ex..."= | E-mail address of sender. Supported tokens: %BB% =$webmastername= - name of TWiki administrator. %BB% =$webmasteremail= - e-mail of TWiki administrator. %BB% =$username= - %SYSTEMWEB%.WikiName of logged in user. %BB% =$useremail= - e-mail address of the logged in user. %BR% Defaults to TWiki administrator. See note on [[#OpenMailRelay][open mail relay]]. | ="$webmastername <$webmasteremail>"= | | =to="jo...@ex..."= | To list: Comma-space delimited list of e-mail addresses of adressees. Same tokens supported as in =from=""=. Defaults to TWiki administrator. | ="$webmastername <$webmasteremail>"= | | =cc="ji...@ex..."= | CC list: Comma-space delimited list of e-mail addresses. Same tokens supported as in =from=""=. | =""= | | =bcc="bo...@ex..."= | BCC list: Comma-space delimited list of e-mail addresses. Same tokens supported as in =from=""=. | =""= | 
@@ -30,6 +30,18 @@ | =onsuccess="..."= | Text shown in place of the SENDMAIL variable on success, default is empty. Text may include %SYSTEMWEB%.TWikiVariables and [[%SYSTEMWEB%.FormatTokens][format tokens]]. | =""= | | =onerror="| $error ||"= | Error message shown in place of the SENDMAIL variable on error, if any. Text may include %SYSTEMWEB%.TWikiVariables and [[%SYSTEMWEB%.FormatTokens][format tokens]]. Token =$error= expands to the error message. | ="$error"= | +#OpenMailRelay +---++ Security Note on Open Mail Relay + +Public TWiki sites can potentially be abused as an open mail relay if this plugin is installed and enabled. The plugin can be secured as follows on public sites: + + * Set the ={Plugins}{SendMailPlugin}{From}= configure setting to a token such as =$webmasteremail=, or to a fixed addess. + * Set the ={Plugins}{SendMailPlugin}{To}= configure setting to a token such as =$useremail=, or to a fixed addess. + * Set the ={Plugins}{SendMailPlugin}{CC}= configure setting to =disable= (to disable), a token such as =$useremail=, or to a fixed addess. + * Set the ={Plugins}{SendMailPlugin}{BCC}= configure setting to =disable=, a token, or to a fixed addess. + +Setting these configure settings will disable the four corresponding =%<nop>SENDMAIL{"..."}%= parameters. That is, TWiki cannot be abused as an open mail relay. + ---++ Examples FIXME |
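Review bot: In the parameter table hunk (@@ -21,7 +21,7 @@), the pointer to #OpenMailRelay is added only to the =from= row, although the new security note also covers the To, CC and BCC settings, and the recipient parameters are the ones that decide where the mail is delivered. Suggest appending the same "See note on [[#OpenMailRelay][open mail relay]]." sentence to the =to=, =cc= and =bcc= rows so a reader of any of the four address parameters is led to the note. While this table is being touched, "adressees" in the =to= row could be corrected to "addressees".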
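Review bot: In the added "Security Note on Open Mail Relay" section (@@ -30,6 +30,18 @@), the closing sentence "That is, TWiki cannot be abused as an open mail relay" is stated unconditionally, but the text only supports it when the listed configure settings have actually been set. The section does not say what the four settings are by default, or what remains open if only some of them are set. Suggest documenting the default state of each setting and rewording the conclusion to something like "With all four settings in place, the corresponding =%<nop>SENDMAIL{"..."}%= parameters are ignored". The bullets are also inconsistent about =disable=: it is offered for CC and BCC but not mentioned for From or To, so it would help to say explicitly whether it is accepted there. Finally, "addess" appears in all four bullets and should read "address".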