Make WordPress Core

Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#53048 closed defect (bug) (invalid)

PHPMailer uses hardcoded default sender mail address, preventing mail to be sent

Reported by: vinc17's profile vinc17 Owned by:
Milestone: Priority: normal
Severity: normal Version: 2.2
Component: Mail Keywords:
Focuses: Cc:

Description

The retrieve_password() function of wp-login.php fails with the error message "The email could not be sent. Your site may not be correctly configured to send emails." when sending the mail because the default sender used by wp_mail() is blocked as non-existing (well, I assume that this is the cause, because I am not the admin of the local mail server). According to the wp_mail() code:

                /*
                 * If we don't have an email from the input headers, default to wordpress@$sitename
                 * Some hosts will block outgoing mail from this address if it doesn't exist,
                 * but there's no easy alternative. Defaulting to admin_email might appear to be
                 * another option, but some hosts may refuse to relay mail from an unknown domain.
                 * See https://core.trac.wordpress.org/ticket/5007.
                 */
                if ( ! isset( $from_email ) ) {
                        // Get the site domain and get rid of www.
                        $sitename = wp_parse_url( network_home_url(), PHP_URL_HOST );
                        if ( 'www.' === substr( $sitename, 0, 4 ) ) {
                                $sitename = substr( $sitename, 4 );
                        }

                        $from_email = 'wordpress@' . $sitename;
                }

so that the local part of the sender is hardcoded to "wordpress". Even though a wordpress e-mail address could be created at my site, sharing the same sender address among all the WordPress instances at the site may be a bad idea. So this should be configurable.

Change History (7)

#1 @desrosj
3 years ago

  • Component changed from External Libraries to Mail

#2 @knutsp
3 years ago

  • Keywords close added
  • Version changed from 5.6.2 to 2.2

You may want this code at line 378:

    /**
     * Filters the email address to send from.
     *
     * @since 2.2.0
     *
     * @param string $from_email Email address to send from.
     */
    $from_email = apply_filters( 'wp_mail_from', $from_email );

You may then apply this filter and set whatever from address you want. There is also a filter wp_mail_from_name just below. Se docs at https://developer.wordpress.org/reference/functions/wp_mail/#usage

#3 @vinc17
3 years ago

OK, thanks. I confirm that this works (filter added in a MU Plugin). But perhaps this should be documented at https://wordpress.org/support/article/how-to-install-wordpress/ since ensuring that the right sender address is used is something that should typically be done at installation time (so that the "Lost your password?" feature works).

#4 @knutsp
3 years ago

  • Keywords close removed
  • Resolution set to invalid
  • Status changed from new to closed

Nice to hear you were able to make it work on your installation.

There are multiple reasons why outgoing mail doesn't work, depending on hosting server config and the mail server (MX) for the domain. Some need to set up SMTP. Hosting providers and server admins should ensure sending emails through phpmailer just work, even from non-existing addresses, at least wordpress@ or provide instructions and alternatives, IMO.

Th WordPress community could provide better instructions and troubleshooting tips for sending emails on https://wordpress.org/support/ even if there are plenty using Google.

This ticket was mentioned in Slack in #docs by knutsp. View the logs.


3 years ago

#6 @peterwilsoncc
3 years ago

  • Milestone Awaiting Review deleted

#7 @vinc17
3 years ago

Note that the admin of the website is not necessarily the same as the admin in charge of e-mail. So it is important to get instructions at WordPress installation time or at least technical information. I thought that the WordPress installation was complete after following the instructions, but this actually wasn't the case, and I wasn't aware of that. In the WordPress general settings, there is an admin e-mail address, but it is not used as the default From address, so that this is surprising. One could also expect that the (Unix) login be used for the e-mail address, as this is the default for various tools (so that it should have worked). So, since WordPress uses something specific, it should have documented it.

Note also that there are good reasons to reject non-existing e-mail addresses, e.g. to limit phishing attempts or to detect MUA misconfigurations. Moreover, using wordpress@ is a bad idea because there may be multiple WordPress installations (with different admins) at this domain, and they shouldn't share the same address. Troubleshooting tips available on the web are not satisfactory in general (at least those I've found); they do not replace instructions.

Last edited 3 years ago by vinc17 (previous) (diff)
Note: See TracTickets for help on using tickets.