What is the security risk? Maybe a privacy issue if you don’t want passbolt to know your email address? Someone else will have to answer about the no-reply email account.
The command is supposed to include a --recipient=address parameter if you want it to go to a particular address. The from only sets where it will say it’s from. I do think it’s misleading (prone to misunderstanding) if the response language is suggesting the user should receive the email when it was actually sent to the no-reply at passbolt account. That could be changed for clarification.
However, the connection worked so it has value in that regard.
I’m not following this part, can you explain more:
The command requires root/webserver user to run if file permissions are set properly.
The security risk would be the leaking of public IPs to the no-reply email. In each email sent the mail headers contain all the information of the client → server → recipient and it can be viewed by the recipient.
It’s a security/privacy risk for the user end if the no-reply emails are viewed and mail headers are checked. In that way passbolt could locate private server ips that have passbolt installations.
I have tried sending to the no-reply email, that’s how I noticed this. I was messing around with the cli interface and sent a test email. I saw the success response but I never received the email. Then I did the second try with --verbose enabled.
That’s when I saw a private IP of mine (mail headers) and had to make a few switches lol. Never leaked an IP like that before, which was funny and concerning at the same time.
No harm, no foul as you did say that the email does not exist and simply bounces.
I think personally that changing it for both the webInstaller and cli interface to require a recipient would be a good idea for the client side end.
I only noticed it from testing the cli send_test_email, there should not be a risk to passbolt due to this. In my case I leaked my server IP running the test command without the recipient. Privacy/security risk on the client’s end, not passbolt itself, although Remy has noted that the no-reply email does not exist and just bounces. So that’s a plus.
Maybe a notification would have stopped me from sending the test email.
Personally, I have not looked for security flaws, since passbolt has had a security audit in 2021 (if I’m not mistaken).
If I do find actual security flaws etc, that will be sent directly to passbolt team (email@example.com) in order to avoid passbolt in the wild attacks. Don’t think it would be wise to post on the forum. This was a minor issue that does not lead to a security breach so it’s acceptable.
In my case, I need the IP in order to determine who sent mail from where etc.
Public IPs can’t really be leaked because they are public, but this helps with the local ones. The recipient’s mail server would still have the public IP of your mail server to run verifications so it won’t cause any problems there.
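The leak discussed in this thread is the Received: trail that every relay appends to a message. As an added example (not part of passbolt or of any post above), the following script scans a message's Received: headers and reports any RFC 1918, link-local or loopback addresses a recipient could read; the sample message and its addresses are constructed, with 192.168.1.20 standing in for a passbolt host's LAN IP.

```python
"""Flag local (RFC 1918 / link-local / loopback) addresses recorded in Received: headers."""
import ipaddress
import re
from email import message_from_string

# Constructed sample message, not a real capture. The inner relay recorded the
# sending host's LAN address, which is what a test email sent without
# --recipient would expose to whoever reads the bounced message.
SAMPLE_RAW = """\
Received: from mx.example.net (mx.example.net [203.0.113.7])
\tby inbound.example.org with ESMTPS; Tue, 01 Jan 2030 12:00:01 +0000
Received: from passbolt.lan (passbolt.lan [192.168.1.20])
\tby mx.example.net with ESMTP; Tue, 01 Jan 2030 12:00:00 +0000
From: Passbolt <no-reply@example.com>
To: test@example.org
Subject: Passbolt test email

Hello
"""

# Explicit list instead of ipaddress.is_private, which also flags the
# documentation ranges (e.g. 203.0.113.0/24) used for the public relay here.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "169.254.0.0/16", "127.0.0.0/8",                     # link-local, loopback
    "fc00::/7", "fe80::/10", "::1/128",                  # IPv6 equivalents
)]

# Loose tokenizer: anything that could be an IPv4/IPv6 literal; ip_address()
# rejects the false positives (timestamps, hex-looking words) below.
TOKEN_RE = re.compile(r"[0-9A-Fa-f.:]+")


def received_ips(raw):
    """Return every IP literal in the Received: headers, in header (newest-first) order."""
    msg = message_from_string(raw)
    found = []
    for hdr in msg.get_all("Received", []):
        for token in TOKEN_RE.findall(hdr):
            try:
                found.append(ipaddress.ip_address(token))
            except ValueError:
                continue  # token was not an address
    return found


def is_local(ip):
    """True if the address belongs to a non-routable range a recipient should not be seeing."""
    return any(ip in net for net in LOCAL_NETS)


def leaked_local_ips(raw):
    """Distinct local addresses exposed by the message's Received: trail, as strings."""
    seen = []
    for ip in received_ips(raw):
        if is_local(ip) and ip not in seen:
            seen.append(ip)
    return [str(ip) for ip in seen]
```

Run it against a bounced test email (e.g. a message saved as .eml) to see exactly which internal addresses the relays recorded before the message left your network.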