ietf-smtp

Re: Mailing Lists v. BATV

2008-05-22 13:28:25
On 2008-05-22 15:34:10 -0400, John Leslie wrote:
Peter J. Holzer <hjp-ietf-smtp(_at_)hjp(_dot_)at> wrote:
I think most people these days use a web interface to subscribe to
mailing-lists. People probably don't know their current BATV address, so
a user will enter 'john(_dot_)doe(_at_)example(_dot_)com' into the web form.
He will get the confirmation mail to this address, click on the
confirmation url, and get all the mails delivered to this address.

   Note that the opt-in confirmation presumably _will_ contain a BATV-
coded MailFrom.

The user may not ever send a confirmation mail. For example,
confirmation requests sent by mailman look like this:

| We have received a request from 192.0.2.7 for subscription of your
| email address, "hjp-example(_at_)hjp(_dot_)at", to the community(_at_)example(_dot_)net
| mailing list.  To confirm that you want to be added to this mailing
| list, simply reply to this message, keeping the Subject: header
| intact.  Or visit this web page:
| 
|     http://example.net/mailman/confirm/community/59cf758b185b8c0dc5487b58321fc83fbe042ede
| 
[...]

I am sure many users will confirm by clicking on the URL and not by
replying to the message. So the mailing list software will not see the
BATV-coded MailFrom.


So it appears to work fine. Until he actually tries to send mail to the
list - the mail comes from prv=53638f9=john(_dot_)doe(_at_)example(_dot_)com,
which doesn't match the address he's subscribed with, so it will be rejected.

   To tell truth, that's broken.

   Requiring a MailFrom you've never seen isn't nearly as reasonable as
requiring a 2822-From you have seen.

Actually, you haven't seen either a 2821-MailFrom or a 2822-From yet.
What you have seen is a 2821-RcptTo (You know that this works because
the user was able to click on the link in the message).


   Nonetheless, if we observe such behavior in the wild,

ezmlm is the canonical example. Ned tells us that his mailing lists use
the envelope, too. I don't know if either uses a web-based subscription
mechanism like mailman, but I suspect they do.

we should at the very least warn about it; and IMHO we should design
in a workaround.

That's why I mentioned it.

        hp

-- 
   _  | Peter J. Holzer    | It took a genius to create [TeX],
|_|_) | Sysadmin WSR       | and it takes a genius to maintain it.
| |   | hjp(_at_)hjp(_dot_)at         | That's not engineering, that's art.
__/   | http://www.hjp.at/ |    -- David Kastrup in comp.text.tex
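
Added example, not part of the original message and not code from mailman, ezmlm or any BATV implementation: the envelope-sender mismatch described above, and one possible list-side workaround that strips the BATV tag before the subscriber lookup. The function names, the tag pattern and the subscriber list are assumptions made for illustration.

```python
import re

# BATV tag in the local part, in the spelling used in this thread
# ("prv=53638f9=john.doe"); "prvs=" is accepted too. The tag value is
# treated as opaque: only the sender's own domain can verify it.
BATV_LOCAL = re.compile(r"^prvs?=([0-9A-Za-z]+)=(.+)$")


def split_addr(addr):
    """Split an envelope address into (local part, lower-cased domain)."""
    local, sep, domain = addr.strip().strip("<>").rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not a usable mailbox: %r" % addr)
    return local, domain.lower()


def strip_batv(addr):
    """Return (address without BATV tag, tag or None)."""
    local, domain = split_addr(addr)
    m = BATV_LOCAL.match(local)
    if m:
        return "%s@%s" % (m.group(2), domain), m.group(1)
    return "%s@%s" % (local, domain), None


def may_post(mail_from, subscribers, batv_aware):
    """Posting check keyed on the envelope sender (MailFrom)."""
    try:
        if batv_aware:
            candidate, _tag = strip_batv(mail_from)
        else:
            candidate = "%s@%s" % split_addr(mail_from)
    except ValueError:
        return False  # null reverse-path or malformed address
    # Assumption: the list compares addresses case-insensitively.
    return candidate.lower() in {s.lower() for s in subscribers}


# Constructed sample data, using the addresses from the message above.
SUBSCRIBERS = ["john.doe@example.com"]       # as typed into the web form
TAGGED = "prv=53638f9=john.doe@example.com"  # MailFrom of his first post

if __name__ == "__main__":
    print(may_post(TAGGED, SUBSCRIBERS, batv_aware=False))
    print(may_post(TAGGED, SUBSCRIBERS, batv_aware=True))
```

Stripping the tag does not authenticate anything: the list cannot verify the tag, so this only restores the match against the subscribed address.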
