Re: Comments on draft-moonesamy-smtp-vrfy-ddds-00

2009-05-27 03:32:12

Hi Ray,
At 04:27 26-05-2009, Ray(_dot_)Bellis(_at_)nominet(_dot_)org(_dot_)uk wrote:
1.  AFAIK, the only "security problem" with SMTP VRFY was information
leakage, i.e. that it provides a simple means to check which local parts
are valid without actually sending an e-mail.  Your proposal does the
same, and makes it even easier.  Is my understanding correct, and if so,
what's your intent?

Section 7.3 of RFC 5321 discusses the "security problem" with SMTP VRFY. As mentioned in the last paragraph of that section, "in many cases, RCPT commands can be used to obtain the same information about address validity". The mechanism proposed has less overhead and it makes it easier to distribute the information about valid local-parts. There is more risk of information leakage. Access to the DDDS database could be restricted by distributing the data on a private basis or by private tree arrangement.

2.  There is no reference to the need to treat a '.' in the local part as
part of the label, and not a label separator.  DNS guys know this, e-mail
implementers may not...

Yes. From a DNS perspective, there are also some other issues that have to be covered. DNS guys will likely point out that DNS is generally referred to as public DNS for a reason. :-)
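The label point raised in item 2 can be made concrete. The following is an added example, not code from the draft or from either correspondent: it encodes a local-part as a single wire-format DNS label, renders it in master-file syntax with the RFC 1035 / RFC 4343 backslash escapes, and shows how naive string concatenation silently turns "john.doe" into two labels. The owner-name shape `<local-part>.<domain>` is an assumption for illustration; this message does not say which tree the draft actually uses.

```python
# Added example (not from draft-moonesamy-smtp-vrfy-ddds-00).
# Assumption: the owner name is built as <local-part> followed by the domain's labels.

def local_part_to_label(local_part: str) -> bytes:
    """Encode a local-part as ONE wire-format DNS label (length octet + data).
    A '.' inside the local-part is data and stays inside the label."""
    raw = local_part.encode("utf-8")  # RFC 1035 labels are octet strings
    if not 1 <= len(raw) <= 63:
        raise ValueError("a DNS label must be 1..63 octets")
    return bytes([len(raw)]) + raw

def label_to_presentation(label: bytes) -> str:
    """Render a wire label in master-file presentation form (RFC 1035 s5.1, RFC 4343):
    '.' and '\\' are backslash-escaped, non-printable octets become \\DDD (decimal)."""
    length = label[0]
    out = []
    for b in label[1:1 + length]:
        c = chr(b)
        if c in ".\\":
            out.append("\\" + c)
        elif 0x21 <= b <= 0x7E:      # printable ASCII, no space
            out.append(c)
        else:
            out.append("\\%03d" % b)
    return "".join(out)

def owner_name_wire(local_part: str, domain: str) -> bytes:
    """Wire-format owner name: the local-part as a single label, then the domain labels."""
    wire = local_part_to_label(local_part)
    for lab in domain.rstrip(".").split("."):
        wire += bytes([len(lab)]) + lab.encode("ascii")
    return wire + b"\x00"             # root label terminates the name

def count_labels(wire: bytes) -> int:
    """Walk a wire-format name and count its labels (excluding the root)."""
    n, i = 0, 0
    while wire[i]:
        n += 1
        i += 1 + wire[i]
    return n

def naive_owner_name(local_part: str, domain: str) -> str:
    """The mistake item 2 warns about: plain concatenation makes '.' a separator."""
    return local_part + "." + domain

if __name__ == "__main__":
    lp, dom = "john.doe", "example.com"   # constructed sample values
    print(local_part_to_label(lp))                     # b'\x08john.doe'
    print(label_to_presentation(local_part_to_label(lp)))  # john\.doe
    print(count_labels(owner_name_wire(lp, dom)))      # 3 labels
    print(len(naive_owner_name(lp, dom).split(".")))   # 4 labels: wrong owner name
```

A zone file or lookup routine that emits `john\.doe.example.com` queries the intended three-label name; one that emits `john.doe.example.com` asks for a different, four-label name, so a resolver-side check like `count_labels` is a cheap way to catch the bug before it ships.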

