Now that the LIST command works for #Public and #Users, we're seeing that some clients send commands that look like this:

    LIST "#Public" "*"

It makes sense, but doesn't jibe with the mailbox_remove_namespace function. So we're working on fixing that ASAP.

In the meantime, what does anybody suppose should be the behavior of:

    LIST "#Users" "*"

Should that really go ahead and list all folders owned by all users with ACLs that allow either you or public to read them? Should we require that a specific user be allowed? What about partial user lookups?

    LIST "" "#Users/ab*"

The guidance on this issue from RFC 2342 is:

    7. Security Considerations

    In response to a LIST command containing an argument of the Other
    Users' Namespace prefix, a server SHOULD NOT list users that have
    not granted list access to their personal mailboxes to the
    currently authenticated user. Providing such a list, could
    compromise security by potentially disclosing confidential
    information of who is located on the server, or providing a
    starting point of a list of user accounts to attack.

I'm inclined to say that we should just fail any LIST within #Users that doesn't have a complete username specified. I don't know how other servers handle this situation, but I bet that it's probably fairly inconsistent...

Aaron
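
The rule proposed in the message above (fail any LIST within #Users that lacks a complete username), sketched as an added example that is not part of the original message and is not dbmail code. The function name `users_list_check`, the verdict enum, the plain concatenation of reference and pattern, and the case-sensitive prefix match are assumptions; the `/` delimiter is taken from the `#Users/ab*` example.

```c
#include <stdio.h>
#include <string.h>

#define USERS_NS   "#Users"  /* namespace prefix used in the message */
#define HIER_DELIM '/'       /* delimiter as seen in "#Users/ab*" */

enum list_verdict { LIST_NOT_USERS_NS, LIST_USERS_OK, LIST_USERS_REJECT };

/* Hypothetical helper: decide whether LIST <ref> <pattern> names a complete
 * user inside #Users. Patterns whose wildcard appears before the "#Users"
 * prefix is complete (for example a bare "*") are out of scope here. */
enum list_verdict users_list_check(const char *ref, const char *pattern)
{
    char full[512];
    size_t nslen = strlen(USERS_NS);
    const char *user, *end, *p;

    /* Assumption: the effective pattern is reference + pattern, concatenated. */
    int n = snprintf(full, sizeof full, "%s%s", ref, pattern);
    if (n < 0 || (size_t)n >= sizeof full)
        return LIST_USERS_REJECT;            /* cannot evaluate: fail closed */

    if (strncmp(full, USERS_NS, nslen) != 0)
        return LIST_NOT_USERS_NS;
    if (full[nslen] != HIER_DELIM) {
        /* "#Users", "#Users*", "#Users%": namespace named, no user given. */
        if (full[nslen] == '\0' || full[nslen] == '*' || full[nslen] == '%')
            return LIST_USERS_REJECT;
        return LIST_NOT_USERS_NS;            /* e.g. "#Usersfoo" is another name */
    }

    user = full + nslen + 1;                 /* first component after "#Users/" */
    end = strchr(user, HIER_DELIM);
    if (end == NULL)
        end = user + strlen(user);
    if (end == user)
        return LIST_USERS_REJECT;            /* empty username: "#Users/" */
    for (p = user; p < end; p++)             /* wildcard inside the username */
        if (*p == '*' || *p == '%')
            return LIST_USERS_REJECT;        /* partial lookup such as "ab*" */
    return LIST_USERS_OK;                    /* ACL checks still apply afterwards */
}

int main(void)
{
    /* Constructed inputs: the three commands from the message plus one
     * fully qualified request. */
    printf("%d %d %d %d\n",
           users_list_check("#Public", "*"), users_list_check("#Users", "*"),
           users_list_check("", "#Users/ab*"),
           users_list_check("", "#Users/aaron/*"));
    return 0;
}
```

A request that passes this check names exactly one user, so the server can then apply that user's ACLs before returning any folders.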
