Hi Ray,
At 04:27 26-05-2009, Ray(_dot_)Bellis(_at_)nominet(_dot_)org(_dot_)uk wrote:
> 1. AFAIK, the only "security problem" with SMTP VRFY was information
> leakage, i.e. that it provides a simple means to check which local parts
> are valid without actually sending an e-mail. Your proposal does the
> same, and makes it even easier. Is my understanding correct, and if so,
> what's your intent?
Section 7.3 of RFC 5321 discusses the "security problem" with
SMTP VRFY. As mentioned in the last paragraph of that section, "in
many cases, RCPT commands can be used to obtain the same information
about address validity". The mechanism proposed has less overhead and
it makes it easier to distribute the information about valid
local-parts. There is more risk of information leakage. Access to the
DDDS database could be restricted by distributing the data on a
private basis or by private tree arrangement.
> 2. There is no reference to the need to treat a '.' in the local part as
> part of the label, and not a label separator. DNS guys know this, e-mail
> implementers may not...
Yes. From a DNS perspective, there are also some other issues that
have to be covered. DNS guys will likely point out that DNS is
generally referred to as public DNS for a reason. :-)
Regards,
-sm
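The second point in the exchange above (a '.' inside an e-mail local-part must stay inside one DNS label rather than being read as a label separator) is easy to get wrong when a local-part is mapped to a DNS owner name. The following is an added illustration, not code from the thread or from any draft it discusses: it builds a name in which the whole local-part is a single label, escapes it for presentation format, encodes it in wire format, and contrasts that with a naive split on '.'. The owner-name layout `<local-part>.<suffix>.<domain>` and the suffix `_example-suffix` are assumptions made only for this example.

```python
# Added example: keeping '.' inside an e-mail local-part as part of a single
# DNS label. The name layout and suffix below are hypothetical, chosen only to
# show the encoding; they are not taken from the thread or any draft.

HYPOTHETICAL_SUFFIX = "_example-suffix"  # placeholder label, not a registered name


def escape_label(label: str) -> str:
    """Presentation-format escaping in the RFC 1035 style: a '\\' or '.' that
    belongs inside one label is written as '\\\\' or '\\.' so a zone-file
    parser keeps it in that label instead of starting a new one."""
    return label.replace("\\", "\\\\").replace(".", "\\.")


def owner_name_labels(local_part: str, domain: str) -> list:
    """Correct layout: the entire local-part is ONE label (dots included),
    followed by the hypothetical suffix and the real labels of the domain."""
    return [local_part, HYPOTHETICAL_SUFFIX] + domain.split(".")


def presentation_name(local_part: str, domain: str) -> str:
    """Fully qualified presentation-format name with the local-part escaped."""
    labels = owner_name_labels(local_part, domain)
    return ".".join(escape_label(label) for label in labels) + "."


def to_wire(labels: list) -> bytes:
    """Wire-format name: each label is length-prefixed, terminated by a zero
    octet. Dots carry no meaning here; only the length prefix delimits labels."""
    out = bytearray()
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length must be 1..63 octets: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)
    if len(out) > 255:
        raise ValueError("wire-format name exceeds 255 octets")
    return bytes(out)


def from_wire(wire: bytes) -> list:
    """Decode a wire-format name back into its labels (no compression pointers)."""
    labels, i = [], 0
    while True:
        n = wire[i]
        i += 1
        if n == 0:
            return labels
        labels.append(wire[i:i + n].decode("ascii"))
        i += n


def naive_labels(local_part: str, domain: str) -> list:
    """The mistake the thread warns about: joining the pieces into one dotted
    string and splitting on '.' turns 'john.doe' into two labels."""
    return (local_part + "." + HYPOTHETICAL_SUFFIX + "." + domain).split(".")


if __name__ == "__main__":
    # Constructed sample address for illustration only.
    lp, dom = "john.doe", "example.com"
    print("correct labels:", owner_name_labels(lp, dom))
    print("presentation  :", presentation_name(lp, dom))
    print("wire          :", to_wire(owner_name_labels(lp, dom)))
    print("naive labels  :", naive_labels(lp, dom))
```

Running it shows that the correct encoding yields four labels with the first label eight octets long (`john.doe`), while the naive split yields five labels and an owner name that no longer corresponds to the local-part.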