Mail leaks server information in Message-ID

Description

The current Java.Mail exposes system information in the Message-Id. See for example
https://stackoverflow.com/questions/29647529/override-message-id-by-configuration
and
https://ossindex.sonatype.org/vuln/7d80f106-0f98-4639-ab9e-12e00211dcb0

Furthermore when using a local system account on a Windows environment, the message-id does not comply with the intenet standard (RFC 2822), leading to a high SPAM score. See
https://stackoverflow.com/questions/62213439/lucee-cfmail-message-id (question entered by myself).

Environment

Lucee Version 5.3.5.92
Tomcat 9.0.31
Java 11.0.6
Windows Server 2016 (10) 64 BIT

Activity

Show:
Zac Spitzer
August 5, 2020, 10:22 PM

Lucee also doesn’t allow overriding the message-id LDEV-2473

Pothys - MitrahSoft
October 9, 2020, 2:06 AM

I've checked this ticket and confirmed the issue happened on lucee latest version 5,3,8,76-SNAPSHOT also. I've already mentioned in the ticket comment. Lucee leaks the system information in message_id.

Zac Spitzer
October 20, 2020, 7:47 PM
Edited

this was fixed in 5.3.8.84 by

Fixed

Assignee

Michael Offner

Reporter

Roeland Verbeek

Priority

Blocker

Labels

Fix versions