Does not allow binding to a specific IP

  • Resolved Roy Orbitson

    (@lev0)


    10 months, 4 weeks ago

    I’m sure SendLayer is aware of the importance of sending from known IPs to match SPF records, rDNS records, and that sending to relays may be restricted to known IPs. This plugin has no setting to bind to a specific address, so if the site’s server has multiple addresses assigned, there’s no guarantee mail will be sent from the right one.

    It could be set with other custom plugin code, but given the scope of your plugin, I think this should be included. The relevant lines look like this (from here):

    $mail->SMTPOptions = array(
    	'socket' => array(
    		'bindto' => "$specificIP:0",
    	),
    );

    In your plugin, the only options set via that method are relevant to your allow_smtp_insecure_ssl pref.

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Support Shawon Chowdhury

    (@shawon001)

    10 months, 3 weeks ago

    Hi @lev0 ,

    Thanks for sharing and for the implementation suggestions.

    I’ve passed this along to the dev team for consideration and will keep you informed of any updates.

    In the meantime, if you have any further questions, please don’t hesitate to share.

    Plugin Support Shawon Chowdhury

    (@shawon001)

    10 months, 3 weeks ago

    Hi @lev0 ,

    Thanks for being patient.

    I want to thank you one more time for this awesome suggestion.

    Ideally, it’s not fully relevant for email providers like SendLayer, Mailgun, etc. When sending emails via an email provider’s SMTP server, only the provider’s IP address (i.e., the SMTP server’s IP) typically matters in terms of email delivery reputation, SPF/DKIM/DMARC compliance, and spam filtering.

    In case it helps to share, here are some reasons why bindto is not there for the Easy WP SMTP plugin:

    • Most users use external SMTP providers (e.g., Gmail, SendLayer, SendGrid), and these providers don’t care which IP your server uses to initiate the connection.
    • PHPMailer acts as a client connecting to the SMTP server — the actual email is sent out from the provider’s trusted infrastructure, not your server.

    But we really appreciate your suggestion, and we will keep this in our roadmap for future improvements.

    Thanks 🙂

    Thread Starter Roy Orbitson

    (@lev0)

    10 months, 3 weeks ago

    it’s not fully relevant for email providers like SendLayer, Mailgun, etc

    But it is for other SMTP relays, and restricting by IP is a great additional measure as it prevents processing authentication when the origin is disallowed.

    only the provider’s IP address (i.e., the SMTP server’s IP) typically matters in terms of email delivery reputation, SPF/DKIM/DMARC compliance, and spam filtering.

    I have seen mail sent via a relay, which doesn’t scrub Received: headers, be rejected because it contained IPs that weren’t in SPF, though the relay’s IP was. Adding the origin IP to SPF only works if it can reliably send from the correct IP.

    Most users use external SMTP providers (e.g., Gmail, SendLayer, SendGrid), and these providers don’t care which IP your server uses to initiate the connection.

    Gmail, when used with Google Workspace, has a specific config area that allows restrictions based on IPs, so it most definitely does care. Putting those restrictions on websites that need to send mail shouldn’t be the only measure, but is just good security. It is also explicitly recommended in Google’s help articles that these restrictions be placed on devices that are unable to use OAuth. They wouldn’t make such recommendations if they didn’t care.

    PHPMailer acts as a client connecting to the SMTP server — the actual email is sent out from the provider’s trusted infrastructure, not your server.

    As I wrote above, some relays preserve the origin, so it must be correct. It’s more relevant to relays restricting incoming mail, and for that it can be critical.

    I understand that SendLayer authors this plugin primarily to promote its own service, but it also presents the pluigin as being general purpose, and not being able to bind to an IP can make it a poor choice for that.

    Plugin Support Shawon Chowdhury

    (@shawon001)

    10 months, 1 week ago

    Hi @lev0 ,

    We really appreciate the follow up with the details.

    I’ll pass this along to the devs and will update you if there’s any possible workarounds.

    Thanks!

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘Does not allow binding to a specific IP’ is closed to new replies.