additional_message_headers.php: support CALLABLE/callback via config #9755
base: master
…ack via config

The purpose of this patch is to have Roundcube execute a callback function during runtime, as defined in config.inc.php for more complex tasks.

For example, one could configure something like this:

```php
$config['additional_message_headers']['X-Sender'] = null;
$config['additional_message_headers']['X-RC-USR'] = (function() {
    $d = json_encode([
        'u' => rcube::get_instance()->get_user_name(),
        'r' => $_SERVER['REMOTE_ADDR'],
        'a' => empty($_SERVER['HTTP_USER_AGENT']) ? '-' : $_SERVER['HTTP_USER_AGENT'],
        't' => $_SERVER['REQUEST_TIME']
    ]);
    return base64_encode($d); # should also be encrypted ;)
});
```

In this example,
a) disables the cleartext X-Sender header;
b) adds a dynamic header X-RC-USR in base64-JSON-encoded form, which could later be used for compliance purposes. If this header is automatically processed by the mail gateway, further analysis could aid in detecting abuse patterns, while not directly exposing this sensitive information as human-readable text; if properly encrypted (out of this scope), this could eliminate privacy concerns.

One of the ideas behind this is that using Roundcube (or any other webmailer) usually masquerades the original user's IP address by the webmailer's server IP address to the SMTP server; this is not the case when a user talks to the SMTP server directly.

With tight integration into your setup, you will never again have to sift through different logs/correlate IP address information just to find the guy who sent this message which the person behind the user's login denies having sent.

This patch also reduces two arrays ($search, $replace) into one ($map) for maintainability.
Missed something while creating initial patch
3 times' a charm
Thanks. Please, fix the coding style issue. Also, it would be good to add some note to the config.inc.php.dist file, with some simple example.
Thanks for considering this. Fixed the whitespace issue as requested and updated the config.inc.php.sample, hoping it's not too verbose (and not too opinionated 😬)
… wording for $config['skin'] (roundcube#9755)
$config['skin'] = 'elastic'; | ||
|
||
// Optional config of the additional_message_headers plugin (Issue #9755; Feb 2025) |
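Review bot: the comment line shown after `$config['skin'] = 'elastic';` embeds a ticket reference and a date ("Issue #9755; Feb 2025") in the sample config. That provenance belongs in the commit message or changelog, so the shipped sample does not carry text that goes stale. Suggest keeping only the description of the option. The rest of the added sample is not visible in this excerpt and cannot be assessed from it.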
The sample should be in plugins/additional_message_headers/config.inc.php.dist
Good day all,
The purpose of this patch is to have Roundcube execute a callback function during runtime, as defined in config.inc.php, for more complex tasks going beyond static strings or their replacements.
For example, one could configure something like this:
In this example,
a) disables the cleartext X-Sender header;
b) adds a dynamic header X-RC-USR in base64-JSON-encoded form, which could later be used for compliance purposes. If this header is automatically processed by the mail gateway, further analysis could aid in detecting abuse patterns, while not directly exposing this sensitive information as human-readable text; if properly encrypted (out of this scope), this could eliminate privacy concerns.
One of the ideas behind this is that using Roundcube (or any other webmailer) usually masquerades the original user's IP address by the webmailer's server IP address to the SMTP server; this is not the case when a user talks to the SMTP server directly.
With tight integration into your setup, you will never again have to sift through different logs/correlate IP address information just to find the guy who sent this message which the person behind the user's login denies having sent.
This patch also reduces two arrays ($search, $replace) into one ($map) for maintainability.
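The gateway-side processing the description mentions could look like the following. This is an added example, not code from the pull request or from Roundcube. It assumes the header is the unencrypted base64-JSON form shown in the example config; `from_webmail_host` is a hypothetical flag the gateway sets itself, and the sample message is constructed.

```python
import base64
import ipaddress
import json
from email import message_from_string

HEADER = "X-RC-USR"  # header name taken from the PR's example config


def decode_rc_usr(msg, from_webmail_host):
    """Return the decoded record, or None if the header is absent or unusable."""
    # The header is plain base64 with no authentication, so only evaluate it for
    # mail the gateway knows was submitted by the webmail server (assumed flag).
    if not from_webmail_host:
        return None
    values = msg.get_all(HEADER) or []
    if len(values) != 1:  # missing or duplicated header
        return None
    unfolded = "".join(values[0].split())  # undo header folding of long values
    try:
        data = json.loads(base64.b64decode(unfolded, validate=True))
        if not isinstance(data, dict) or not isinstance(data["r"], str):
            return None
        return {
            "user": str(data["u"]),
            "remote_addr": str(ipaddress.ip_address(data["r"])),
            "user_agent": str(data["a"]),
            "request_time": int(data["t"]),
        }
    except (ValueError, KeyError, TypeError):  # bad base64, JSON, IP or fields
        return None


def build_sample():
    """Constructed message carrying the header as the example callback would emit it."""
    payload = {"u": "alice@example.org", "r": "203.0.113.7",
               "a": "Mozilla/5.0 (X11; Linux x86_64)", "t": 1739000000}
    b64 = base64.b64encode(json.dumps(payload).encode()).decode()
    folded = "\n ".join(b64[i:i + 60] for i in range(0, len(b64), 60))
    return message_from_string(
        f"From: alice@example.org\nSubject: test\n{HEADER}: {folded}\n\nbody\n"
    )


if __name__ == "__main__":
    print(decode_rc_usr(build_sample(), from_webmail_host=True))
```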