That makes sense.

It would be nice if there were an option on the command line to create the folder (in the default CREATEPROTO format) if specified... :-)

Thanks.

Fred


--On Thursday, April 12, 2007 11:48:36 -0700 Mark Crispin <[EMAIL PROTECTED]> wrote:

On Thu, 12 Apr 2007, Fred Seaton wrote:
We're getting ready to put imap-2006 into production and in
testing I noticed that dmail doesn't work transparently in our
.procmailrc files because it doesn't create a mailbox if it
doesn't already exist (and procmail does).

Yes, it's intentional.  Otherwise, a bad guy can create arbitrary
mailboxes in a victim's account by mailing to user+newname.
There's some rather "amusing" (ahem) things that can be done with
that capability.

You may have other safeguards in place to prevent that problem.
However, the distribution version can't assume that it is alright
to have a security hole (big enough to drive a truck through!)
based upon a belief that all sites would be smart/clever enough to
block the hole through other means.

-- Mark --

http://panda.com/mrc
Democracy is two wolves and a sheep deciding what to eat for lunch.
Liberty is a well-armed sheep contesting the vote.



--
Fred Seaton
Research & Instructional Consultant, Senior UNIX Specialist
University Computer Support Services
Western Illinois University
126 Stipes Hall
Macomb, IL  61455
309-298-1177

_______________________________________________
Imap-uw mailing list
[EMAIL PROTECTED]
https://mailman1.u.washington.edu/mailman/listinfo/imap-uw
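
The delivery policy discussed in this thread, as an added Python model that is not from the thread or from the UW IMAP code: it compares delivering only to existing mailboxes with creating whatever name follows the `+`, and adds a hypothetical owner-approved allowlist as one possible safeguard. The function names, the sample addresses and the fall-back to INBOX for unknown names are assumptions.

```python
# Constructed model of user+detail delivery; not dmail's actual code.
EXISTING_ONLY = "existing_only"      # the behaviour the thread says is intentional
CREATE_ANY = "create_any"            # create whatever name the sender supplies
CREATE_ALLOWED = "create_allowed"    # hypothetical: owner pre-approves names


def split_recipient(local_part):
    """Split 'user+detail' into (user, detail); detail is None if absent."""
    user, sep, detail = local_part.partition("+")
    return user, (detail if sep and detail else None)


def deliver(local_part, mailboxes, policy, allowed=frozenset()):
    """Return the mailbox a message lands in; may add to `mailboxes`."""
    _, detail = split_recipient(local_part)
    if detail is None or detail in mailboxes:
        return detail or "INBOX"
    if policy == CREATE_ANY or (policy == CREATE_ALLOWED and detail in allowed):
        mailboxes.add(detail)        # a sender-chosen string became a mailbox
        return detail
    return "INBOX"                   # assumption: unknown names fall back to INBOX


def simulate(policy, allowed=frozenset()):
    """Deliver constructed sample mail; return (placements, final mailboxes)."""
    mailboxes = {"INBOX", "lists"}   # what the account owner created
    incoming = ["fred", "fred+lists", "fred+newname", "fred+receipts"]
    placed = [deliver(r, mailboxes, policy, allowed) for r in incoming]
    return placed, sorted(mailboxes)


if __name__ == "__main__":
    for policy in (EXISTING_ONLY, CREATE_ANY, CREATE_ALLOWED):
        print(policy, simulate(policy, allowed={"receipts"}))
```

Only under `create_any` does the final mailbox set depend on strings chosen by whoever sent the mail.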