[Top] [All Lists]

Re: Security review of SIEVE vacation

2005-09-15 13:35:02

On Thursday, September 15, 2005 10:44:48 AM -0700 Ned Freed <ned(_dot_)freed(_at_)mrochek(_dot_)com> wrote:

On Wed, Sep 14, 2005 at 10:00:04AM -0400, Sam Hartman wrote:
> Jeff's concern is that may well know nothing
> about CMU's addressing plan.  If is affiliated with
> Jeff and not with CMU it is unreasonable for them to have out of band
> configuration.

Now I see where the comparator comes in: To describe remote subaddressing

That is not going to work, because subaddressing schemes can not be
covered by Sieve without adding a powerful string expression language.
A comparator may suffice to describe the user-separator-detail scheme,
but without regular expressions it already requires a couple patterns.
More elaborate subaddressing schemes may leave regular languages.

Bingo. Over the years I've seen numerous different subaddressing schemes.
Only a couple of days ago I ran into one that was positional - no
separator - and I believe the subaddress came first.

Things might have been different had the IETF published some suggestions
in this area, but the IETF elected not to do so some years back.

I think you can do a lot with multiple patterns using the pattern matching we have now. And certainly a "powerful string expression language" is not out of the question -- we have a draft on the table for adding regular expression matching to SIEVE (I have some reservations about that, but nothing insurmountable).

Still, ading a match operator and comparator would be a significant change, and I can understand not wanting to do it.

> That said, the WG may choose not to solve that use case.
I am afraid that's the only sensible way, but the vacation extension
should probably document this in section 6, security considerations.

  If mail is forwarded from a site that uses subaddressing, it may
  be impossible to list all recipient addresses with ":addresses".

Seems reasonable. I'll add it unless someone objects.

This seems fine.  Is "subaddressing" a well-defined term?