[Imap-uw] dmail doesn't create mailboxes
Mark Crispin
mrc at CAC.Washington.EDU
Thu Apr 12 11:48:36 PDT 2007
On Thu, 12 Apr 2007, Fred Seaton wrote:
> We're getting ready to put imap-2006 into production and in testing I
> noticed that dmail doesn't work transparently in our .procmailrc files
> because it doesn't create a mailbox if it doesn't already exist (and
> procmail does).

Yes, it's intentional. Otherwise, a bad guy can create arbitrary
mailboxes in a victim's account by mailing to user+newname. There's some
rather "amusing" (ahem) things that can be done with that capability.

You may have other safeguards in place to prevent that problem. However,
the distribution version can't assume that it is alright to have a
security hole (big enough to drive a truck through!) based upon a belief
that all sites would be smart/clever enough to block the hole through
other means.

-- Mark --
http://panda.com/mrc
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.
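
The policy described in the reply above (a user+name delivery goes to that mailbox only if it already exists, and nothing is created on the sender's say-so), sketched as an added shell example; it is not dmail's code and not part of the original message. The function name `resolve_mailbox`, the fallback to INBOX and the one-file-per-mailbox layout under a mail directory are assumptions.

```shell
#!/bin/sh
# Added example, not dmail's implementation. Picks the mailbox for a
# user+detail delivery without ever creating a new one.
# Assumed layout: one regular file per mailbox directly under MAILROOT.

# resolve_mailbox MAILROOT DETAIL -> prints the mailbox name to deliver to
resolve_mailbox() {
    root=$1
    detail=$2
    # No +detail part: ordinary delivery.
    if [ -z "$detail" ]; then
        echo INBOX
        return 0
    fi
    # The detail is sender-controlled. Accept only a conservative
    # character set, and no leading dot or dash, so it can never be
    # read as a path component or as a command-line option.
    case $detail in
        *[!A-Za-z0-9._-]*|.*|-*) echo INBOX; return 0 ;;
    esac
    # Honour the name only if the account owner already created that
    # mailbox as a regular file (symlinks and directories do not count).
    if [ -f "$root/$detail" ] && [ ! -L "$root/$detail" ]; then
        echo "$detail"
    else
        echo INBOX
    fi
}

# Constructed demo: only "lists" exists, so only "lists" is honoured.
demo_root=$(mktemp -d)
: > "$demo_root/lists"
for d in lists newname ../../etc/passwd ""; do
    printf '%s -> %s\n' "${d:-<none>}" "$(resolve_mailbox "$demo_root" "$d")"
done
rm -rf "$demo_root"
```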