  1. Red Hat build of Keycloak
  2. RHBK-2901

Keycloak email message ID contains the local host name or IP address [GHI#38353]

      Before reporting an issue

      [x] I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

      Area

      core

      Describe the bug

      Keycloak shouldn't reveal information about the local host name or IP in the email's message ID.

      Version

      main

      Regression

      [ ] The issue is a regression

      Expected behavior

      The message ID should be derived from the email domain of the realm

      Actual behavior

      Date: Sat, 22 Mar 2025 20:29:14 +0000 (GMT)
      From: Keycloak <keycloak@example.com>
      Reply-To: Keycloak <keycloak@example.com>
      To: me@example.com
      Message-ID: <514684305.15.1742675354390@[192.168.1.78]>
      Subject: [KEYCLOAK] - SMTP test message
      MIME-Version: 1.0
      

      How to Reproduce?

      Send a test email from Keycloak

      Anything else?

      This has been discussed with the Keycloak security mailing list to be a hardening issue. I'll prepare a PR.
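
One way to check outgoing mail for the leak described in this report, as an added example (not Keycloak code and not written by the reporter): it classifies the host part of `Message-ID` against the `From` domain. The sample message is constructed from the headers quoted above, and the function names and result labels are assumptions of this example.

```python
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed sample, modelled on the headers quoted in the report.
SAMPLE = """\
Date: Sat, 22 Mar 2025 20:29:14 +0000 (GMT)
From: Keycloak <keycloak@example.com>
To: me@example.com
Message-ID: <514684305.15.1742675354390@[192.168.1.78]>
Subject: [KEYCLOAK] - SMTP test message
MIME-Version: 1.0

test
"""

def message_id_host(raw):
    """Return (id_right, from_domain) for a raw RFC 5322 message."""
    msg = message_from_string(raw)
    mid = (msg.get("Message-ID") or "").strip().strip("<>")
    id_right = mid.rpartition("@")[2].lower()
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return id_right, from_domain

def check_message_id(raw):
    """Classify the Message-ID host part (labels are this example's own)."""
    id_right, from_domain = message_id_host(raw)
    if not id_right:
        return "missing"
    # An address literal such as [192.168.1.78] or [IPv6:...] exposes the sender's IP.
    literal = id_right.strip("[]").removeprefix("ipv6:")
    try:
        ipaddress.ip_address(literal)
        return "ip-literal"
    except ValueError:
        pass
    # Expected behaviour per the report: host part derived from the email domain.
    if from_domain and (id_right == from_domain or id_right.endswith("." + from_domain)):
        return "ok"
    # A single-label name is typically the machine's local host name.
    if "." not in id_right:
        return "bare-host"
    return "foreign-host"

if __name__ == "__main__":
    print(message_id_host(SAMPLE), check_message_id(SAMPLE))
```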

              Unassigned Unassigned
              pvlha Pavel Vlha
              Keycloak Core (shared)