ietf-mta-filters
[Top] [All Lists]

Re: Security review of SIEVE vacation

2005-09-15 11:07:36


On Wed, Sep 14, 2005 at 10:00:04AM -0400, Sam Hartman wrote:
Jeff's concern is that imap.outsourcemail.com may well know nothing
about CMU's addressing plan.  If outsourcemail.com is affiliated with
Jeff and not with CMU it is unreasonable for them to have out of band
configuration.

Now I see where the comparator comes in: To describe remote subaddressing
schemes.

That is not going to work, because subaddressing schemes can not be
covered by Sieve without adding a powerful string expression language.
A comparator may suffice to describe the user-separator-detail scheme,
but without regular expressions it already requires a couple patterns.
More elaborate subaddressing schemes may leave regular languages.

Bingo. Over the years I've seen numerous different subaddressing schemes. Only
a couple of days ago I ran into one that was positional - no separator - and I
believe the subaddress came first.

Things might have been different had the IETF published some suggestions
in this area, but the IETF elected not to do so some years back.

That said, the WG may choose not to solve that use case.
I am afraid that's the only sensible way, but the vacation extension
should probably document this in section 6, security considerations.
Like:

  If mail is forwarded from a site that uses subaddressing, it may
  be impossible to list all recipient addresses with ":addresses".

Seems reasonable. I'll add it unless someone objects.

                                Ned