Spam released to wrong recipients
Posted: 26 Jun 2015 11:31
If a user gets a spam notification and clicks the release link, the message is released using the original 'to' field in the headers.
This is a problem when the 'to' address was a mailing list.
In that case, the headers will be like this:
Received: from scs-012.scs.be (unknown [91.183.189.25])
(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
(No client certificate requested)
by efa.dekimo.com (Postfix) with ESMTPS id 4BDCF120431
for <myrecipient@mydomain.com>; Thu, 25 Jun 2015 13:09:20 +0200 (CEST)
To: <mailinglist@somedomain.com>
This email is released to 'mailinglist@somedomain.com' instead of <myrecipient@mydomain.com>.
The user never receives this email.
The mail is released using the release-msg.cgi Perl script, which executes:
open(MAIL, "|$sendmail -t <$msgtorelease") or die "Cannot open $sendmail: $!";
If I release the mail using the web interface, going to the message, checking the 'release' checkbox and pressing submit, the message is released correctly.
In this case, the release is done by PHP, which retrieves the original recipient (<myrecipient@mydomain.com>) from the database instead of from the email headers.
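Added example, not part of the original post and not EFA's own code: sendmail's -t option takes the recipients from the To:/Cc:/Bcc: headers, so one way to avoid the misdelivery described above is to drop -t and pass the envelope recipient as an explicit argument. The sketch below reads that recipient from the "for <...>" clause of the topmost Received: header and falls back to an error when the clause is absent (the database lookup used by the PHP path is the more reliable source). The function names, the sendmail path and the conservative address pattern are assumptions made for this example.

```perl
#!/usr/bin/perl
# Added example, not EFA's code: release to the envelope recipient, not To:.
use strict;
use warnings;

# Header block with folded continuation lines joined onto one line each.
sub unfolded_headers {
    my ($head) = split /\r?\n\r?\n/, $_[0], 2;
    $head =~ s/\r?\n[ \t]+/ /g;
    return $head;
}

# Envelope recipient from the "for <addr>" clause of the topmost Received:
# header. Postfix writes that clause only for single-recipient deliveries.
sub received_for {
    my ($first) = unfolded_headers($_[0]) =~ /^(Received:.*)$/mi;
    return unless defined $first;
    return $first =~ /\bfor\s+<([^<>\s]+)>/i ? $1 : undef;
}

# argv without -t, so sendmail never reads recipients from To:/Cc:/Bcc:.
sub release_argv {
    my ($sendmail, $rcpt) = @_;
    die "refusing recipient '$rcpt'\n"
        unless $rcpt =~ /\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\z/;
    return ($sendmail, '-i', '--', $rcpt);
}

# List-form pipe open: no shell, the recipient is passed as one argument.
sub release {
    my ($sendmail, $rcpt, $file) = @_;
    my @argv = release_argv($sendmail, $rcpt);
    open(my $in, '<', $file) or die "Cannot read $file: $!";
    open(my $mail, '|-', @argv) or die "Cannot run $sendmail: $!";
    print {$mail} $_ while <$in>;
    close($mail) or die "$sendmail exited with status $?\n";
}

my $msg = <<'EOM';    # constructed from the headers quoted in the post
Received: from scs-012.scs.be (unknown [91.183.189.25])
    by efa.dekimo.com (Postfix) with ESMTPS id 4BDCF120431
    for <myrecipient@mydomain.com>; Thu, 25 Jun 2015 13:09:20 +0200 (CEST)
To: <mailinglist@somedomain.com>

constructed body
EOM
my ($to) = unfolded_headers($msg) =~ /^To:\s*<?([^<>\s]+)>?/mi;
my $rcpt = received_for($msg) // die "no 'for' clause; use the stored recipient\n";
print "To: header: $to\nenvelope:   $rcpt\n";
print join(' ', release_argv('/usr/sbin/sendmail', $rcpt)), "\n";
```

The demo only prints the command it would run; release() is the part that would stand in for the piped open, and it never hands the recipient or file name to a shell.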