--On Thursday, 29 March, 2007 08:28 -0700
As yet, there has been no discussion on this issue.
First, a comment about the security considerations relevant to
the use of 251/551 responses. Section 7.6 discusses the
(moved to separate note and assigned Issue 10)
Now, as for 3.5.3, the VRFY/EXPN situation is another case
where things vary depending on whether you're operating insde
an administrative domain versus between administrative
domains. The main use I've seen VRFY and EXPN used for of late
is to perform internal audits of how email gets routed to
check and make sure nobody is autoforwarding sensitive mail
outside the organization. To this end I've actually seen
requirements that VRFY/EXPN not be disabled and disabling them
is considered to be a serious violation of the rules that could
get somebody fired. But the situation reverses when you talk
about them being enabled for use outside the domain - their
use can expose sensitivie information so the same places that
require they be enabled internally may also require disabling
all external access.
I don't insist on describing this sort of usage in the
document but I don't think it would hurt. The last
recommendation of the section - that VRFY should "try harder"
than RCPT TO - makes a heck of a lot more sense when you
consider it in the light of this usage.
Suggested text would be very welcome, at least by me.