barco57:
Directly addressing the php, sendmail versus smtp,smtpauth issue.
I've never considered this to be an issue. They are simply different methods used to achieve a certain outcome.
barco57:
Depending on server setup (partly because I am not sure in all cases) php, sendmail will show the email as being sent from (NOT the FROM: field) user@servername instead of [email protected] as smtp,smtpauth does,
The question here is do you know *why* it is this way? (hint: The Email transport method descriptions in the ZenCart settings actually contains the clues/answer(s) to this).
Knowing how/why something does what it does can take a LOT of 'guesswork' in knowing what is best to use for any given situation/circumstance.
barco57:
which could lead to delivery issues.
Entering an invalid email address, using an invalid port#, and a zillion other things could also "lead to delivery issues".
barco57:
The visible FROM: field will still be filled out with what you set in the store admin, but if you were to view the headers of the email you would likely see [email protected] buried in there.
Errr, the 'visible FROM: field' will be the most 'recent' FROM field contained in the message. There can be several/many FROM fields in any given message. What ends up in the 'final' message received by the recipient is controlled by many factors that are dependent on the path that the message travels and the configuration of the software doing the processing.
To state that PHP will add 'this header' or sendmail will add 'that header' or SMTP will add another, or the fact that any of these processes can also *remove* these headers (and even change them) at any point in the processing (even up to the final delivery into the recipients mailbox) actually negates any claims any one method could lead to delivery issues not experienced with with one of the other methods.
The message headers are little more than a diagnostic tool (that can be *also* used to control various aspects of delivery (or to reject delivery), and really shouldn't be considered as anything more than that.
Whether the inclusion or exclusion of a particular header has any effect on the final delivery is actually a function of the receiving server, not the transport method used to send them.
barco57:
As someone who works in hosting I would say it's always preferable to use smtpauth, when possible.
As someone that also 'works in hosting' (since 1997) I'm inclined to disagree with this (up to a point). One could argue that PHP is the best method (from a hosting perspective) because it adds a 'wrapper' to the sendmail function, and this wrapper can more easily be used to prevent unwanted messages reaching the sendmail server than feeding the mail directly to sendmail (or qmail, or whatever). The use of 'wrappers' for this purpose is nothing new or unusual, in fact most hosts/servers use 'TCP Wrappers' to help protect many server services (SSH being a classic example.
As a sidenote, sendmail *is* an SMTP server, so if/when it is argued that SMTP/SMTPAuth is somehow better or more secure than sendmail, it is just like arguing that SMTP is better or more secure than SMTP, which clearly makes no sense at all.
Then try to argue that SMTP 'direct' is better or more secure than a PHP wrapper around the sendmail/SMTP process, you are actually saying that removing this protection wrapper somehow *increases* security - Which makes even less sense than arguing that SMTP is better than SMTP.
By 'you' I am referring to anyone that also sees things the way you (apparently) are, I'm NOT specifically targeting you (or any other individual).
As is my way, I'm merely trying to explain things as they really are, which more often than not is a lot different than what many people think.
This is also why people get so easily confused as to what transport method they *should* be using because there isn't really a 'best' method. If that was the case zencart wouldn't have a need for so many options/alternatives. It would simply be hard coded to use this 'best method' and everyone would be happy and a discussion such as this would never eventuate.
Am I being pedantic/picky about this? Perhaps I am, but if it wasn't for people such as myself trying to separate fact from hearsay then the world will slowly sink into blissful ignorance with the impression that computers are little more than magic boxes that no one really understands. Will my attempts to educate make any difference? Probably not, but that doesn't mean I shouldn't at least *try*, otherwise I'd just be part of the problem rather than part of the solution.
Does anyone actually need to know this information? Probably not, well, not unless you happen to work in 'the hosting business', in which case I'd suggest that it is all essential knowledge, because unless you know how such things work, how can you possibly hope to keep things secure?
Again, nothing personal intended.
Cheers
RodG