Merge pull request #107 from simple-login/fix-sender

Fix sender

CHANGELOG

@@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 Support PGP
+Take into account Sender header
 
 ## [1.1.0] - 2020-03-13
 Support multiple Mailboxes

app/dashboard/views/mailbox_detail.py

@@ -54,9 +54,7 @@ def mailbox_detail_route(mailbox_id):
                 ):
                     flash(f"Email {new_email} already used", "error")
                 elif not can_be_used_as_personal_email(new_email):
-                    flash(
+                    flash("You cannot use this email address as your mailbox", "error")
-                        "You cannot use this email address as your mailbox", "error",
-                    )
                 else:
                     mailbox.new_email = new_email
                     db.session.commit()

email_handler.py

@@ -313,8 +313,9 @@ def handle_forward(envelope, smtp: SMTP, msg: Message, rcpt_to: str) -> str:
         # add custom header
         add_or_replace_header(msg, "X-SimpleLogin-Type", "Forward")
 
-        # remove reply-to header if present
+        # remove reply-to & sender header if present
         delete_header(msg, "Reply-To")
+        delete_header(msg, "Sender")
 
         # change the from header so the sender comes from @SL
         # so it can pass DMARC check
@@ -405,9 +406,7 @@ def handle_reply(envelope, smtp: SMTP, msg: Message, rcpt_to: str) -> str:
     # in this case Postfix will try to send a bounce report to original sender, which is
     # the "reply email"
     if envelope.mail_from == "<>":
-        LOG.error(
+        LOG.error("Bounce when sending to alias %s, user %s", alias, gen_email.user)
-            "Bounce when sending to alias %s, user %s", alias, gen_email.user,
-        )
 
         handle_bounce(
             alias, envelope, forward_email, gen_email, msg, smtp, user, mailbox_email
@@ -467,6 +466,9 @@ def handle_reply(envelope, smtp: SMTP, msg: Message, rcpt_to: str) -> str:
     # make sure to delete it
     delete_header(msg, "Reply-To")
 
+    # remove sender header if present as this could reveal user real email
+    delete_header(msg, "Sender")
+
     add_or_replace_header(msg, "To", forward_email.website_email)
 
     # add List-Unsubscribe header

tests/api/test_new_custom_alias.py

@@ -50,7 +50,7 @@ def test_create_custom_alias_without_note(flask_client):
     r = flask_client.post(
         url_for("api.new_custom_alias", hostname="www.test.com"),
         headers={"Authentication": api_key.code},
-        json={"alias_prefix": "prefix", "alias_suffix": f".{word}@{EMAIL_DOMAIN}",},
+        json={"alias_prefix": "prefix", "alias_suffix": f".{word}@{EMAIL_DOMAIN}"},
     )
 
     assert r.status_code == 201

tests/api/test_new_random_alias.py

@@ -52,7 +52,7 @@ def test_custom_mode(flask_client):
     r = flask_client.post(
         url_for("api.new_random_alias", hostname="www.test.com", mode="uuid"),
         headers={"Authentication": api_key.code},
-        json={"note": "test note",},
+        json={"note": "test note"},
     )
 
     assert r.status_code == 201