Re: Security review of SIEVE vacation
2005-09-13 13:37:50
Jeff:
I'm not real wild about the mechanisms defined in sections 3.5 and 3.6
to try to avoid sending vacation messages to places they shouldn't go.
They seem a bit too inflexible for my taste. I won't object on these
grounds, though.
Just as one example, any address with a mailbox name beginning 'jhutz+'
or 'jhutz=' and a domain ending in 'cmu.edu' is probably mine, and if
I used vacation, I'd certainly want it to treat mail sent to any such
address as belonging to me, regardless of the specific host the mail
went to or what, if anything, occurs after the plus. I'd want that even
if the mail server weren't also at CMU, if I ever decided to forward my
CMU mail off-site. One way to deal with this sort of problem would be
to allow a match type and comparator to be specified for the addresses.
Not unsurprisingly, I thought about this when writing the ancient
ancestral versions of the draft. I assume the first paragraph of
section 3.5 is sufficient to allow CMU mailers to deduce that
jhutz+anything(_at_)cmu(_dot_)edu is "yours" for the purpose of autoresponses. At
this point, it becomes a matter of policy.
Tim