RFC2821bis-01 Issue 10: 251/551 in Security Considerations (was: Re: RFC2821bis-01 Issue 2: VRFY/EXPN)

2007-03-29 09:18:48

--On Thursday, 29 March, 2007 08:28 -0700
ned+ietf-smtp(_at_)mrochek(_dot_)com wrote:

First, a comment about the security considerations relevant to
the use of 251/551 responses. Section 7.6 discusses the
potential for such codes to disclose potentially sensitive
information. However, the section does not mention the issue
that arises when a client actually does use 251/551 "address
update" information to affect future behavior. When this is
done a MITM attack can be used to force a bogus update that
redirects all future mail to a given address to wherever the
attacker wants it to go. As such, 251/551 auto-updating by
clients should only be used in circumstances where the
server's authenticity can somehow be verified. This probably
should be mentioned in section 3.4 as well as 7.6.

Speaking as an individual, I agree. Text would be welcome,
please. Issue 10 assigned to this so I don't lose it.
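The following is an added illustration of the point raised above, not code from the message or from the RFC 2821bis draft. It parses the two reply forms that carry a forward-path (the 251 and 551 formats from RFC 2821 section 3.4) and applies the policy the comment asks for: a client remembers a redirect only when it obtained it over a channel whose server identity it verified. The `Session.authenticated` flag, the `AddressBook` table, the host names and the two reply lines in `run_scenario()` are constructed for the example; what "verified" means in practice (TLS with a validated certificate chain, DANE, or similar) is outside the snippet.

```python
"""251/551 forward-path handling with an authenticated-channel policy.

Added example, not part of the original mailing-list message. The reply
formats are the ones in RFC 2821 section 3.4; the session model, the
AddressBook and the sample exchange are assumptions made for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Real reply forms from RFC 2821 section 3.4:
#   251 User not local; will forward to <forward-path>
#   551 User not local; please try <forward-path>
# The forward-path is the angle-bracketed mailbox that ends the reply text.
_FORWARD_RE = re.compile(r"^(251|551) .*<([^<>\s@]+@[^<>\s@]+)>\s*$")


def parse_forward_reply(line: str) -> Optional[Tuple[int, str]]:
    """Return (code, forward_address) for a 251/551 reply line, else None."""
    m = _FORWARD_RE.match(line)
    if m is None:
        return None
    return int(m.group(1)), m.group(2)


@dataclass
class Session:
    """What the client knows about the connection a reply arrived on.

    'authenticated' is an assumption of this example: True means the
    server's identity was verified out of band of the SMTP dialogue
    (validated TLS certificate, DANE, etc.); plaintext SMTP or TLS with an
    unverified certificate gives False.
    """
    peer: str
    authenticated: bool


@dataclass
class AddressBook:
    """Client-side forwarding table that 251/551 replies could update."""
    routes: dict = field(default_factory=dict)

    def resolve(self, address: str) -> str:
        return self.routes.get(address, address)


def handle_rcpt_reply(book: AddressBook, session: Session,
                      rcpt: str, reply_line: str) -> str:
    """Process the reply to RCPT TO:<rcpt> and report what was done.

    Policy: a 251/551 forward-path is stored for future deliveries only if
    the channel was authenticated. Over an unverified channel the address
    given in the reply is never remembered, because an on-path attacker
    could have written that line.
    """
    parsed = parse_forward_reply(reply_line)
    if parsed is None:
        return "ok" if reply_line.startswith("2") else "error"
    _code, forward = parsed
    if not session.authenticated:
        # The MITM case from the thread: refuse to let an unverified reply
        # redirect all future mail for this recipient.
        return "redirect-ignored-unauthenticated"
    book.routes[rcpt] = forward
    return "redirect-learned"


def run_scenario() -> Tuple[str, str, AddressBook]:
    """Constructed exchange: one genuine redirect, one forged redirect."""
    book = AddressBook()
    victim = "alice@example.org"
    # Verified server: its forwarding information is accepted and stored.
    real = Session(peer="mx.example.org", authenticated=True)
    r1 = handle_rcpt_reply(
        book, real, victim,
        "551 User not local; please try <alice@mail.example.org>")
    # Same reply shape injected by an on-path attacker on a plaintext session.
    mitm = Session(peer="mx.example.org", authenticated=False)
    r2 = handle_rcpt_reply(
        book, mitm, victim,
        "551 User not local; please try <attacker@evil.example>")
    return r1, r2, book


if __name__ == "__main__":
    first, second, table = run_scenario()
    print(first, second, table.resolve("alice@example.org"))
```

Note that refusing to remember the redirect does not by itself change how the current message is handled: a 251 means the server has accepted it and will forward it regardless, and a 551 is still a failure for this attempt. The policy only governs what the client carries forward into later sessions, which is the behaviour the comment is concerned with.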


