Trying to undertand correct settings for $TARGET_EMAIL

[postman]

1) If I make the minimum changes to formmail.php and set '$TARGET_EMAIL = array(EMAIL_NAME."@mydomain\.com$");' and
2) on the form set '<input type="hidden" name="recipients" value="myname@hotmail.com" />',
I get 'Error=The form has an internal error - no valid recipients were specified.' in the message sent to my DEF_ALERT email address. I presume this is because 'hotmail' is not defined in the $TARGET_EMAIL array. This is what I might expect from the documentation.

However, with no changes to $TARGET_EMAIL described in (1) above
a) if I have a formmail.ini with "me=myname@hotmail.com" NOT DEFINED in it, then I get the "no valid recipients" message sent to my DEF_ALERT email address, as before, but
b) if I have a formmail.ini with "me=myname@hotmail.com" DEFINED in it, then the message goes through fine.

There are warnings in the documentation on setting $TARGET_EMAIL very carefully to avoid "relaying", but in this case, the presence of the "myname@hotmail.com" address in the .ini file seems to allow mail to be sent to that address without any further chanfes to $TARGET_EMAIL, i.e, formmail.php appears to scan the .ini file to see if the address is present there, and send the message if the address is found.

Is this a correct interpretation of how things work?

[russellr]

Hi,

That's exactly right.

Some versions ago, if you had an email address in the INI file, you would also have to allow that email address in $TARGET_EMAIL.

However, that was extra redundant work. Since the INI file is on the server, it's just as secure from the web as FormMail itself.

Therefore, recent versions of FormMail automatically accept email addresses in the INI file as being safe to send to.

[russellr]

Hi again,

BTW, this is mentioned in the HOW TO guide for INI files:
http://www.tectite.com/fmhowto/inifile.php

See the section titled "Email addresses".

[postman]

Thanks for the confirmation, and the pointer to the relevant section in the page on .ini files. I would suggest it would be appropriate to include a note in the documentation page on $TARGET_EMAIL saying that the presence of email addresses in a .ini file removes the requirement to include them in the $TARGET_EMAIL setting. The link you gave me above could be added also.
Formmail looks to be a very nice piece of software.