On 2007-07-16 10:56:13 -0700, SM wrote:
> At 01:15 16-07-2007, Peter J. Holzer wrote:
> > Speaking of local mailboxes and user names, I think it is extremely
> > inadvisable to let VRFY return a list of real addresses on a partial
> > match. If "VRFY john" returns a list of all addresses of users whose
> > first or last name is John, it is simple to harvest addresses.
>
> That would only be a problem if VRFY is not restricted. Section
> 3.5.2 states that VRFY is not required to work across
> relays. Section 3.5 is about commands for debugging
> addresses. There is already a warning about disabling these commands
> for security reasons.

I know. My intent is that security considerations should guide
implementors toward an implementation which does not need to be
restricted.

If I, as an admin, have an implementation of VRFY which returns a list of
valid addresses in a 553 response, I have to turn it off. However, if I
have an implementation which returns a 250 response only on an *exact*
match of a valid email address and returns a 550 response in all other
cases, I have no qualms about leaving it enabled. If someone wants to test
the validity of an address I'd prefer they use VRFY rather than RCPT.

Now, if the implementation lets me configure something like "exact
matches for everyone, search by full name for authenticated users and
arbitrary wildcard search for the admin" that's nice. But the baseline
should be an implementation of VRFY which can be safely enabled on the
internet and reveal no more information than RCPT does on a
well-configured system.

    "In many cases, RCPT commands can be used to obtain the same
    information about address validity."

Yes. This is how it should be.

hp
--
   _  | Peter J. Holzer           | I know I'd be respectful of a pirate
|_|_) | Sysadmin WSR              | with an emu on his shoulder.
| |   | hjp(_at_)hjp(_dot_)at     |
__/   | http://www.hjp.at/        |    -- Sam in "Freefall"
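The three VRFY behaviours discussed in this message, side by side, as an added example (not code from the thread or from any MTA): the leaky substring search that returns a 553 list of candidates, the baseline that answers 250 only on an exact match of a complete valid address and 550 otherwise, and the optional tiered policy (exact match for everyone, full-name search for authenticated users, wildcard search for the admin). The mailbox table, the role names and the multi-line 553 layout are assumptions made for the example.

```python
import fnmatch

# Constructed sample local-delivery table (address -> full name); not real users.
MAILBOXES = {
    "john.smith@example.org": "John Smith",
    "jdoe@example.org": "John Doe",
    "alice@example.org": "Alice Liddell",
}

# Assumed role labels for the VRFY client; "anonymous" is any unauthenticated session.
ROLE_ANONYMOUS = "anonymous"
ROLE_AUTHENTICATED = "authenticated"
ROLE_ADMIN = "admin"


def _normalise(query: str) -> str:
    """Strip whitespace and optional angle brackets, fold case."""
    return query.strip().strip("<>").lower()


def _reply(hits: list) -> str:
    """Format the SMTP reply for a list of matching addresses."""
    if not hits:
        return "550 No such user here"
    if len(hits) == 1:
        addr = hits[0]
        return f"250 {MAILBOXES[addr]} <{addr}>"
    # Assumed multi-line 553 layout listing every candidate (the leak).
    body = "\r\n".join(f"553-<{a}>" for a in hits[:-1])
    return f"553-User ambiguous\r\n{body}\r\n553 <{hits[-1]}>"


def vrfy_leaky(query: str) -> str:
    """The behaviour the message objects to: any substring of a name or
    address is enough to get every candidate listed in a 553 reply."""
    q = _normalise(query)
    hits = [a for a, n in MAILBOXES.items() if q in n.lower() or q in a]
    return _reply(hits)


def vrfy_baseline(query: str) -> str:
    """The baseline: 250 only on an exact match of a complete, valid
    address; 550 in every other case.  This reveals nothing that RCPT TO
    would not reveal on a well-configured system, so it can stay enabled."""
    q = _normalise(query)
    return f"250 <{q}>" if q in MAILBOXES else "550 No such user here"


def vrfy_tiered(query: str, role: str) -> str:
    """The optional policy from the message: exact match for everyone,
    full-name search for authenticated users, wildcard search for the admin."""
    q = _normalise(query)
    if role == ROLE_ANONYMOUS:
        return vrfy_baseline(q)
    if role == ROLE_AUTHENTICATED:
        hits = [a for a, n in MAILBOXES.items() if a == q or n.lower() == q]
        return _reply(hits)
    if role == ROLE_ADMIN:
        hits = [a for a, n in MAILBOXES.items()
                if fnmatch.fnmatchcase(a, q) or fnmatch.fnmatchcase(n.lower(), q)]
        return _reply(hits)
    return "502 Command not implemented"


if __name__ == "__main__":
    for q in ("john", "john.smith@example.org", "<JDoe@example.org>"):
        print(f"VRFY {q:24} leaky={vrfy_leaky(q)!r}")
        print(f"{'':29} baseline={vrfy_baseline(q)!r}")
```

Running the block shows the contrast the message draws: "VRFY john" yields two real addresses from the leaky handler and a plain 550 from the baseline, while a complete valid address gets 250 from both. The baseline is the only mode that an unauthenticated peer ever reaches in `vrfy_tiered`, so enabling VRFY with this policy exposes exactly what RCPT already exposes.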