On Thu, 12 Apr 2007, Fred Seaton wrote:
> We're getting ready to put imap-2006 into production and in testing I noticed that dmail doesn't work transparently in our .procmailrc files because it doesn't create a mailbox if it doesn't already exist (and procmail does).

Yes, it's intentional. Otherwise, a bad guy can create arbitrary mailboxes in a victim's account by mailing to user+newname. There's some rather "amusing" (ahem) things that can be done with that capability.

You may have other safeguards in place to prevent that problem. However, the distribution version can't assume that it is alright to have a security hole (big enough to drive a truck through!) based upon a belief that all sites would be smart/clever enough to block the hole through other means.

-- Mark --

http://panda.com/mrc
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.
_______________________________________________
Imap-uw mailing list
https://mailman1.u.washington.edu/mailman/listinfo/imap-uw
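
An added example, not part of the original message and not code from the UW imap distribution: one way a site could route `user+detail` mail so that the sender can never cause a new mailbox to be created. It assumes flat-file mailboxes under a hypothetical `$MAILROOT` directory and falls back to `INBOX`; `resolve_folder` is a name invented for this sketch.

```shell
#!/bin/sh
# Added example: pick the delivery folder for user+detail without ever
# creating a mailbox on the sender's say-so.
# Assumptions (not from the original post): mailboxes are flat files
# under $MAILROOT, and INBOX is the fallback folder.

MAILROOT="${MAILROOT:-$HOME/mail}"

# resolve_folder DETAIL
# Prints the folder to deliver to. DETAIL is the part after '+' in the
# recipient address and is fully controlled by the sender.
resolve_folder() {
    detail=$1

    # Refuse empty names, leading dots (covers "." and ".."), and any
    # character outside a conservative set (so no '/', no whitespace).
    case $detail in
        ''|.*|*[!A-Za-z0-9._-]*)
            echo INBOX
            return 0
            ;;
    esac

    # Deliver only to a mailbox the account owner already created.
    # Symlinks are refused so a name cannot redirect delivery elsewhere.
    if [ -f "$MAILROOT/$detail" ] && [ ! -L "$MAILROOT/$detail" ]; then
        echo "$detail"
    else
        echo INBOX
    fi
}
```

The function only reads the filesystem, so mail addressed to an unknown `+newname` lands in `INBOX` and no new file appears under `$MAILROOT`.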