Re: [imp] Various meaningful IMP default settings

2014-12-23 Thread Andy Dorman

On 12/23/2014 05:29 AM, Daniel Vollbrecht wrote:

On 23.12.14 at 01:07 Michael M Slusarz wrote:


(Obviously, if you look at any individual phone contact log, or for
incoming calls, it might show both name and number.  But that's
irrelevant because we've been talking about what should be shown in LIST
views).


Then there's a misunderstanding. I was talking about the actual mail
view when I click on an email (see attached screenshot) the whole time.
Currently, I have to

1. click to open the email
2. click again to the small triangle on the left to expand the view
3. click again on each of the names (to see the email addresses)

Now I even think that the average user doesn't imagine that (3) is
possible because he already expanded the view. And my point was that the
current view doesn't do a favor for either the average or the advanced
users. In this example, I would've easily been deluded if you had sent
to 'CC: imp someb...@roundcube.org' as I only see 'imp' until (3).
Thus, the 'sender addresses can't be trusted' argument doesn't apply
here. Also it is industry standard in other clients not to require (2)
and (3).

After opening the email (1), I should get the

From: Some unverified name email@host

and the GeoIP country flag displayed next to it to avoid steps 2 and 3.

Would this be considerable?


Best, Daniel



FWIW, on my installation (Horde Groupware 5.2.2), once I click the arrow 
to see the header addresses for an email and I do NOT shrink it back 
down, all future emails are displayed with the full header view...and it 
retains that setting between sessions.


So IMHO an explicit configuration option is really not needed.

Granted, you have to hover your mouse over the To or From name to notice 
that you can see the actual email address, but personally I think this 
is a far cleaner look AND looks better on a smaller laptop or netbook 
screen.


I suppose it all comes down to the fact that developers do NOT have 
unlimited resources and time and have to decide what is most important 
to spend time working on.


The idea that a configuration option for an expanded display of the 
email header address fields is valid, but not critical enough to spend 
considerable time working on at this time (unless you want to fund 
development of such an option and pay someone to add that feature). 
Indeed, it appears it has already been implemented to a limited degree 
as mentioned above.


Sincere regards,

--
Andy Dorman

--
imp mailing list
Frequently Asked Questions: http://wiki.horde.org/FAQ
To unsubscribe, mail: imp-unsubscr...@lists.horde.org


Re: [imp] Various meaningful IMP default settings

2014-12-22 Thread Daniel Vollbrecht

On 17.12.14 at 05:43 Hiromi Kimura wrote:

Please try this patch.


Thank you. Is a patch necessary? As I wrote, simply setting 
$_prefs['mailbox_start']['value'] solved the problem.



Best, Daniel



Re: [imp] Various meaningful IMP default settings

2014-12-22 Thread Daniel Vollbrecht

On 16.12.14 at 21:28 lst_ho...@kwsoft.de wrote:

People who are able to take care of the real mail address are normally aware
that the mail address is as easy to spoof as the real name. Without
digital signatures you cannot really trust a mail address at all. You
have to verify by content then or by sideband, e.g. call the sender by phone.


Fully agree, but it is no plausible argument when it comes to a reason 
for just hiding it away. Especially as every mail client is able to show 
the From: email address which I consider as industry standard.



Nearly all Spams arriving by the big spam farms with throw-away domains
are perfectly DKIM signed, so no, it is not a problem of hacked


How do you know what kind of spam I get? ;-)


accounts. If you still got spam *without* DKIM signature you should use
greylisting to keep away the dumb spam-bots as they are the only ones


We deploy everything: grey-, black-, whitelisting, content filter etc. 
Fortunately, the ham/spam ratio is multiple dimensions of the ratio just 
a few years ago – same deployed mechanisms. Back then, there were 10k's 
of spam for one ham message, now it's just a few spams.


I still see around 40 % of non-DKIMed spam on the servers. If you have a 
solution to eliminate that, I would be glad to know.


And your explanation lacks a major point: If spammers can deploy a 
nontrivial mechanism like DKIM, then they easily can circumvent 
greylisting - just send it again after 300 seconds. The latter costs 
much less than having a proper DKIM setup, especially since they use bot 
nets and cheap virtual nodes at a large scale.


 not using DKIM. And no, content based filtering is not an option for
 people who actually care about email.

Do you just use greylisting and no further server side filtering? All 
just by mailbox individual learning algorithms?


I claim to actually care about email *and* use content filtering. I only 
had one false positive in many years which would have been a very grave 
issue if not read. Fortunately, it is easy to regularly have a look into 
the spam folder. Nothing gets deleted. Saves a lot of time and once a 
week (or month at the moment is sufficient) a quick look into 'spam' 
does the job.


And if you care about email, you should know that greylisting might also 
be fault-prone. Just have a look at the whitelist that comes with 
postgrey, there are lines like 'no retry, reported by' en masse. Even 
some reported fairly recent in 2011.


I'm open to hear about alternative solutions. :-)


Season's Greetings

Daniel


Re: [imp] Various meaningful IMP default settings

2014-12-22 Thread Daniel Vollbrecht

On 16.12.14 at 15:44 Michael M Slusarz wrote:

I fail to see the advantage of displaying e-mail addresses, especially
when half the messages in my mailbox would show things like Foo
do_not_reply-md5h...@externalemailcontentprovider.server14.westcoast.meaninglessdomainname.com.


You don't have to activate it, if there was an option. I would be happy 
to have it configurable. My main intention was to discuss meaningful 
default settings, but in this case, I just would like to propose the 
introduction of a setting for it. Can be deactivated by default of course.



https://en.wikipedia.org/wiki/Social_engineering_(security)


So when I send you a mail message with a spoofed From e-mail address
from outside your domain, how is this any different?


It is very likely that such a message gets processed accordingly 
(rejected or filtered out as spam). You would have to choose a from 
address with a domain which doesn't have SPF and then most likely the 
missing good reputation would be critical for our spamfilter.


I don't think hiding the from address helps at all. The unaware users 
don't care and the skilled tend to at least be able to activate it.



If you feel strongly about this, this is easily added locally by adding
the additional information to your local source.  But none of these
arguments even approach a level where making this configurable makes
sense.


What exactly do you mean with local source? Patching my local horde 
source scripts myself to implement the desired functionality?



[3. Mail view]

Hmm, the MAILER-DAEMON messages (bounces) actually have the empty sender
address in most cases, so not sure what you like to verify in this case.


No, mailer daemons only have an empty envelope address. The From:
address is 'Mail Delivery System MAILER-DAEMON@host.domain' and I
only see just 'Mail Delivery System' all the time.


Not seeing your point(?)


You justified that bounces have an empty sender address (), but I'm 
talking about the From: address as IMP doesn't show me the sender 
address anyway. And as explained the From: address consists of


Mail Delivery System MAILER-DAEMON@host.domain

which indeed lets me distinguish from which of my hosts the notification 
is originating. - At least if I could see the full From: including 
'MAILER-DAEMON@host.domain' and not just the useless information 'Mail 
Delivery System'.



If you are asking to see e-mail addresses in the from address because it
provides information on the tiny subset of bounced/failure messages,
that is way too specialized a use case to be useful overall (especially
since 99% of users don't care about these messages anyway).


This is just *one* example. I also get other mail, e.g. Icinga 
monitoring mails etc. for which my argumentation applies as well.


I'm not requesting magic, it's just a feature that almost any mail 
client has as option which can be enabled in the settings, whether it is 
enabled on default or not doesn't matter.



It's quite a bit of extra work, and influences things like escaping.
Which means it is something that requires maintenance.  I'm just not


I don't see the problem about escaping here. If I click on 'Michael M 
Slusarz' on your mail, the sender view expands and shows 'Michael M 
Slusarz slus...@horde.org'. Why is there no escaping issue then? I 
just would like to have an option that I don't have to click anymore to 
see it right away.



I have no issue supporting verification with DKIM.  It hasn't been


Sounds good. I eventually can do this, but it couldn't harm to have it 
on the feature request/todo list anyway. :-)


Season's Greetings

Daniel


Re: [imp] Various meaningful IMP default settings

2014-12-22 Thread lst_hoe02


Quoting Daniel Vollbrecht d.vollbre...@scram.de:


On 16.12.14 at 21:28 lst_ho...@kwsoft.de wrote:

People who are able to take care of the real mail address are normally aware
that the mail address is as easy to spoof as the real name. Without
digital signatures you cannot really trust a mail address at all. You
have to verify by content then or by sideband, e.g. call the sender by phone.


Fully agree, but it is no plausible argument when it comes to a  
reason for just hiding it away. Especially as every mail client is  
able to show the From: email address which I consider as industry  
standard.



Nearly all Spams arriving by the big spam farms with throw-away domains
are perfectly DKIM signed, so no, it is not a problem of hacked


How do you know what kind of spam I get? ;-)


accounts. If you still got spam *without* DKIM signature you should use
greylisting to keep away the dumb spam-bots as they are the only ones


We deploy everything: grey-, black-, whitelisting, content filter  
etc. Fortunately, the ham/spam ratio is multiple dimensions of the  
ratio just a few years ago – same deployed mechanisms. Back then,  
there were 10k's of spam for one ham message, now it's just a few  
spams.


I still see around 40 % of non-DKIMed spam on the servers. If you  
have a solution to eliminate that, I would be glad to know.


And your explanation lacks a major point: If spammers can deploy a  
nontrivial mechanism like DKIM, then they easily can circumvent  
greylisting - just send it again after 300 seconds. The latter costs  
much less than having a proper DKIM setup, especially since they use  
bot nets and cheap virtual nodes at a large scale.


That's the whole point. The spam-farms are in fact real MTAs which are  
able to retry *and* to do DKIM signing. Spam-bots don't do both and  
fail greylisting anyway. That's why the spam reaching the inbox is  
perfectly DKIM signed and therefore I will not teach our users to rely  
on it.



not using DKIM. And no, content based filtering is not an option for
people who actually care about email.


Do you just use greylisting and no further server side filtering?  
All just by mailbox individual learning algorithms?


I claim to actually care about email *and* use content filtering. I  
only had one false positive in many years which would have been a  
very grave issue if not read. Fortunately, it is easy to regularly  
have a look into the spam folder. Nothing gets deleted. Saves a lot  
of time and once a week (or month at the moment is sufficient) a  
quick look into 'spam' does the job.


It is fine that you do but most average mail users never have a look  
in a spam folder. We have seen too many e-mails ditched in some spam  
folder and ceased to work with suppliers which cannot be reliably  
reached by mail. Mail should be transactional as it is designed. No  
error means the recipient has the mail in the inbox, not in some spam  
folder.


And if you care about email, you should know that greylisting might  
also be fault-prone. Just have a look at the whitelist that comes  
with postgrey, there are lines like 'no retry, reported by' en  
masse. Even some reported fairly recent in 2011.


If the sender doesn't get at least an error message the sending server  
is FUBAR and no one can expect it to deliver mail.


But that's all way OT and my last comment on this.

Regards

Andreas



Re: [imp] Various meaningful IMP default settings

2014-12-22 Thread Simon B
On 22 Dec 2014 19:10, Michael M Slusarz slus...@horde.org wrote:

 Quoting Daniel Vollbrecht d.vollbre...@scram.de:

 On 16.12.14 at 15:44 Michael M Slusarz wrote:

 I fail to see the advantage of displaying e-mail addresses, especially
 when half the messages in my mailbox would show things like Foo
 
do_not_reply-md5h...@externalemailcontentprovider.server14.westcoast.meaninglessdomainname.com
.


 You don't have to activate it, if there was an option. I would be happy
to have it configurable. My main intention was to discuss meaningful
default settings, but in this case, I just would like to propose the
introduction of a setting for it. Can be deactivated by default of course.


 I've written about this before, but this is a good time to revisit the
point since it comes up often when discussing feature requests.

 In short, adding a configuration option for a feature is most often NOT a
viable/useful option.  Because configuration options are *expensive*.  They
are expensive since someone has to write the initial code.  Then, as
developers, we have to maintain this option.  And for many of these
options, it is likely that no devs use all the options so there is a code
coverage issue.  Then, admins have that much more documentation that they
have to read in a configuration file, which just adds to the confusion
factor.

 Horde has been accused in the past of being too difficult to install.
I don't believe that to really be the case - you can set up a default
installation without too much effort - but because we are so configurable
and handle so many different types of backend components, it can appear to
be that way to someone who has never dealt with Horde before because our
configuration files are so detailed and dense.

 So configuration options only make sense when the optional behavior is
either something a lot of people may use or it is debatable about what the
proper default should be.  Neither of those is the case here.

 I find this request no different than asking a phone to always show the
phone number when someone calls, rather than a caller ID.  Nobody I know
has memorized phone numbers, even of their most common contacts.

I agree with everything you said.

Except that my phone shows the name and phone number.  And I wouldn't want
a phone that only displayed numbers.  Nor would I tolerate one that only
showed the name..

Simon


 https://en.wikipedia.org/wiki/Social_engineering_(security)


 So when I send you a mail message with a spoofed From e-mail address
 from outside your domain, how is this any different?


 It is very likely that such a message gets processed accordingly
(rejected or filtered out as spam). You would have to choose a from address
with a domain which doesn't have SPF and then most likely the missing good
reputation would be critical for our spamfilter.

 I don't think hiding the from address helps at all. The unaware users
don't care and the skilled tend to at least be able to activate it.


 Here's the problem with this argument from a UI perspective: an unaware
user MUST care about the e-mail address, because it is taking up room on
the screen.  This is just complicating the display.  This is not an example of
something you can bury in a submenu, where advanced features can live and
not affect what a normal user views.


 If you feel strongly about this, this is easily added locally by adding
 the additional information to your local source.  But none of these
 arguments even approach a level where making this configurable makes
 sense.


 What exactly do you mean with local source? Patching my local horde
source scripts myself to implement the desired functionality?


 Yes.  You can insert the email address into the From data that is shown
on the templates.


 [3. Mail view]

 Hmm, the MAILER-DAEMON messages (bounces) actually have the empty
sender
 address in most cases, so not sure what you like to verify in this
case.


 No, mailer daemons only have an empty envelope address. The From:
 address is 'Mail Delivery System MAILER-DAEMON@host.domain' and I
 only see just 'Mail Delivery System' all the time.


 Not seeing your point(?)


 You justified that bounces have an empty sender address (), but I'm
talking about the From: address as IMP doesn't show me the sender address
anyway. And as explained the From: address consists of

 Mail Delivery System MAILER-DAEMON@host.domain


 The From address *might* contain this for a DSN.  But there is absolutely
no requirement/standard.

 What happens when this DSN originates from an SMTP server two hops down
the transit path?


 which indeed lets me distinguish from which of my hosts the notification
is originating. - At least if I could see the full From: including
'MAILER-DAEMON@host.domain' and not just the useless information 'Mail
Delivery System'.


 I don't buy this argument.  You are essentially asking to determine the
content of the DSN from envelope information only.  That's not how the
mailbox list is 

Re: [imp] Various meaningful IMP default settings

2014-12-22 Thread Michael M Slusarz

Quoting Simon B simon.buongio...@gmail.com:


Except that my phone shows the name and phone number.  And I wouldn't want
a phone that only displayed numbers.  Nor would I tolerate one that only
showed the name..


What kind of phone are you using?

I just checked Android and it doesn't show the phone number in the  
call list if that number is in my contact list.  I'm pretty sure iOS  
does the same.


(Obviously, if you look at any individual phone contact log, or for  
incoming calls, it might show both name and number.  But that's  
irrelevant because we've been talking about what should be shown in  
LIST views).


michael

___
Michael Slusarz [slus...@horde.org]



Re: [imp] Various meaningful IMP default settings

2014-12-22 Thread Simon B
On 23 Dec 2014 01:07, Michael M Slusarz slus...@horde.org wrote:

 Quoting Simon B simon.buongio...@gmail.com:

 Except that my phone shows the name and phone number.  And I wouldn't
want
 a phone that only displayed numbers.  Nor would I tolerate one that only
 showed the name..


 What kind of phone are you using?

 I just checked Android and it doesn't show the phone number in the call
list if that number is in my contact list.  I'm pretty sure iOS does the
same.

 (Obviously, if you look at any individual phone contact log, or for
incoming calls, it might show both name and number.  But that's irrelevant
because we've been talking about what should be shown in LIST views).

Hi Michael

Android. Actually the call log doesn't (although it does indicate if it was
mobile or fixed and incoming/outgoing/missed).

I was talking about when the phone actually rings - which is more analogous
to clicking on an unread email.

Simon


[imp] Various meaningful IMP default settings

2014-12-16 Thread Daniel Vollbrecht

Hi all,

having non-Ajax Horde 3 for many years, I recently upgraded to 5.2.2.

I noticed the following drawbacks compared to the previous version which 
are set by default and would like to propose the following changes (the 
first two points could be considered as bugs):


1. Apparently empty large folders: Show a message loading notification 
if opening large folders (1000+ messages on a remote and slightly slow 
IMAP server in my case). Currently, large folders are shown empty with 
no messages. Even pressing the reload button and waiting a long time 
doesn't help. However, if I browse to another folder and immediately 
browse back to the large one, all messages are shown - and then cached 
during the session. But after logout, same again. This really confuses 
the users (all mails lost!).


2. Message order: Folders are always opened in the right order that I 
configured (newest on top), but the oldest message at the bottom is 
selected and thus the scroll bar is at its bottommost position. It 
should be at the topmost position as I always have to scroll up for 
miles to see the newest messages.


3. Mail view: show sender email address *and* 'from' name by default (or 
by user option), not only the from name (From: from name sender@domain).


This really seems to be an Outlook disease that also made it into e.g. 
Thunderbird, but at least there it applies only to addressbook-known 
users and there's an option to switch it off which IMP doesn't have.


E.g. I get lots of different MAILER-DAEMON messages and never know from 
which system they are as the from name is the same, only the email 
address differs. Furthermore, email is an untrustworthy application, so 
at least users shouldn't be forced to not even be able to verify the 
address.


4. Verifiability: Regarding 3, it would be even more useful if 
DKIM-signatures could additionally be shown under the From/To lines as 
GMail does it (mailed by/verified by sender.domain).


5. Country flags: Introduce an option and set it default to expand the 
'from' field to show country flags immediately to avoid two clicks (one 
to the triangle left to it and one more on the sender's name).


If any of these can already be configured, please let me know as I 
couldn't find options. I think this belongs into the options and should 
not be solved by a hook.



Best, Daniel



Re: [imp] Various meaningful IMP default settings

2014-12-16 Thread lst_hoe02


Quoting Daniel Vollbrecht d.vollbre...@scram.de:


Hi all,

having non-Ajax Horde 3 for many years, I recently upgraded to 5.2.2.

I noticed the following drawbacks compared to the previous version  
which are set by default and would like to propose the following  
changes (the first two points could be considered as bugs):


1. Apparently empty large folders: Show a message loading  
notification if opening large folders (1000+ messages on a remote  
and slightly slow IMAP server in my case). Currently, large folders  
are shown empty with no messages. Even pressing the reload button  
and waiting a long time doesn't help. However, if I browse to  
another folder and immediately browse back to the large one, all  
messages are shown - and then cached during the session. But after  
logout, same again. This really confuses the users (all mails  
lost!).


We have also seen this, but only on our really slow test server. I  
have not investigated yet but maybe the PHP script timeout is set too  
low?


2. Message order: Folders are always opened in the right order that  
I configured (newest on top), but the oldest message at the bottom  
is selected and thus the scroll bar is at its bottommost position.  
It should be at the topmost position as I always have to scroll up  
for miles to see the newest messages.


There is a setting in IMP if the newest unread message is displayed  
first or the oldest unread. This should do the trick, no?


3. Mail view: show sender email address *and* 'from' name by default  
(or by user option), not only the from name (From: from name  
sender@domain).


This really seems to be an Outlook disease that also made it into  
e.g. Thunderbird, but at least there it applies only to  
addressbook-known users and there's an option to switch it off which  
IMP doesn't have.


I also somewhat dislike it but the mail address after all is only  
routing information, the real name is the person we know about.  
This is what most users like to know. With mouse-over you should  
actually see the mail address.


E.g. I get lots of different MAILER-DAEMON messages and never know  
from which system they are as the from name is the same, only the  
email address differs. Furthermore, email is an untrustworthy  
application, so at least users shouldn't be forced to not even be  
able to verify the address.


Hmm, the MAILER-DAEMON messages (bounces) actually have the empty  
sender address in most cases, so not sure what you like to verify in  
this case.


4. Verifiability: Regarding 3, it would be even more useful if  
DKIM-signatures could additionally be shown under the From/To lines  
as GMail does it (mailed by/verified by sender.domain).


Might be an option, but if you really need verified email you have to  
use S/MIME or PGP. After all you like to know who has sent/created  
the mail and not who has delivered it. We got many Spams today with  
perfect DKIM signatures, but I don't like my users to see this as  
trustworthy for sure.


Regards

Andreas




Re: [imp] Various meaningful IMP default settings

2014-12-16 Thread Daniel Vollbrecht

Hi Andreas


We have also seen this, but only on our really slow test server. I have
not investigated yet but maybe the PHP script timeout is set too low?


No, this is something I checked before reporting it here of course. :) I 
use imapproxy, but it is not that it loads forever, it just says 
'message folder empty'. If I browse to another folder and immediately 
browse back to the large one, I see all messages. The whole process from 
login lasted less than 20 seconds.



There is a setting in IMP if the newest unread message is displayed
first or the oldest unread. This should do the trick, no?


OK, thanks. That would be:

$_prefs['mailbox_start']['value'] = IMP::MAILBOX_START_LASTUNSEEN;

Just tried it and it works perfectly. And to my surprise, the mentioned 
1. Apparently empty large folders is gone now. So this is also a 
candidate for a good default setting. :-)



I also somewhat dislike it but the mail address after all is only
routing information, the real name is the person we know about. This
is what most users like to know. With mouse-over you should actually
see the mail address.


I don't agree. For me it is very important to see the email address. One 
reason is that we don't allow our own domain as sender address 
originating from external hosts (postfix: reject_sender_login_mismatch), 
thus it is a huge difference if I see something like 'My boss 
f...@free.host' or 'My boss ceo@my.domain'. Unfortunately, now in 
IMP I see 'My boss' in both cases which is not satisfactory - social 
engineering. For further reading:


https://en.wikipedia.org/wiki/Social_engineering_(security)

[3. Mail view]

Hmm, the MAILER-DAEMON messages (bounces) actually have the empty sender
address in most cases, so not sure what you like to verify in this case.


No, mailer daemons only have an empty envelope address. The From: 
address is 'Mail Delivery System MAILER-DAEMON@host.domain' and I only 
see just 'Mail Delivery System' all the time.


It is not just about (rare) non-deliveries, if using DSN notifications for 
successful submission it perfectly makes sense to see which host is 
reporting. You can set this in Thunderbird (mail.dsn.always_request_on).


At least it should be *configurable* to show the full From: without any 
clicks or mouseovers though I think it should also be activated by 
default. There is also enough space on my screen even in the standard 
view where From: is right next to the subject so why hide so much 
information?


[4. Verifiability]

Might be an option, but if you really need verified email you have to use
S/MIME or PGP. After all you like to know who has sent/created the mail
and not who has delivered it. We got many Spams today with perfect DKIM
signatures, but I don't like my users to see this as trustworthy for sure.


Then you can switch it off or I also would be happy if this would be 
switched off by default, but currently it is not even possible.


I agree not to make users feel a false sense of trust or security and I 
don't want to discuss S/MIME or PGP here because I consider that as 
good, but 99 % of my contacts don't have it installed.


Spams with perfect DKIM signatures mostly mean that somebody's account 
got hacked and I think the right approach is to have a good spam filter. 
So the user actually won't see such a message in most cases, but for all 
the hams with valid DKIM signature I want to give them the chance to 
verify if someone used a faked address or if this is unlikely to be 
faked even without cryptographic authenticity. You are free to have it 
disabled, of course, but I would use it. :-)


Similar for the date, most mail clients show the Date: header which 
perfectly can be faked, but I display and sort by the Received: date 
which is easy to configure - at least in Thunderbird (in IMP this should 
already be the case with 'sortdate').



Best, Daniel

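As an added example (not IMP or Horde code) of the point Daniel makes above about name-only From: display, the script below parses From: headers the way a webmail list view would, renders each one with and without the address, and flags the two cases from this thread: one display name backed by several addresses (the MAILER-DAEMON hosts) and a known internal name on an external domain (the 'My boss' lookalike). The organisation domain, the trusted-name set and the sample headers are constructed for the example and are not taken from any real mailbox.

```python
"""Added example: what a name-only From: display hides from the reader.

Assumptions (constructed for this example, not from the thread):
  - OWN_DOMAIN is the organisation's own mail domain
  - TRUSTED_NAMES are display names of internal contacts
  - SAMPLE_FROM_HEADERS are made-up From: header values
"""
from email.utils import parseaddr

OWN_DOMAIN = "my.domain"                      # constructed
TRUSTED_NAMES = {"My boss"}                   # constructed

# Constructed sample From: headers modelled on the cases in the thread.
SAMPLE_FROM_HEADERS = [
    "My boss <ceo@my.domain>",                          # the real boss
    "My boss <someone@free.host>",                      # lookalike name
    "Mail Delivery System <MAILER-DAEMON@mx1.my.domain>",
    "Mail Delivery System <MAILER-DAEMON@mx2.my.domain>",
    "Foo <do_not_reply-abc123@provider.example>",
]


def split_from(header):
    """Return (display_name, addr_spec, domain) for one From: header value."""
    name, addr = parseaddr(header)
    domain = addr.rpartition("@")[2].lower() if "@" in addr else ""
    return name, addr, domain


def render(header, show_address):
    """Render the From: field as a list view would.

    show_address=False is the name-only display the thread complains about;
    show_address=True is the 'Name <address>' form being requested.
    """
    name, addr, _ = split_from(header)
    if not show_address:
        return name or addr
    return f"{name} <{addr}>" if name else addr


def name_collisions(headers):
    """Group headers by display name.

    A name backed by more than one address is exactly the case where a
    name-only display is ambiguous (e.g. several MAILER-DAEMON hosts).
    """
    by_name = {}
    for h in headers:
        name, addr, _ = split_from(h)
        by_name.setdefault(name, set()).add(addr)
    return {n: sorted(a) for n, a in by_name.items() if len(a) > 1}


def flag_external_lookalike(header, trusted_names=TRUSTED_NAMES):
    """True when a trusted internal display name sits on a foreign domain.

    This is the 'My boss <someone@free.host>' case: the name alone looks
    internal, and only the address reveals that it is not.
    """
    name, _, domain = split_from(header)
    return name in trusted_names and domain != OWN_DOMAIN


if __name__ == "__main__":
    for h in SAMPLE_FROM_HEADERS:
        print(f"{render(h, False):<22} | {render(h, True)}")
    print("ambiguous names:", name_collisions(SAMPLE_FROM_HEADERS))
    print("lookalikes:", [h for h in SAMPLE_FROM_HEADERS
                          if flag_external_lookalike(h)])
```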


Re: [imp] Various meaningful IMP default settings

2014-12-16 Thread Michael M Slusarz

Quoting Daniel Vollbrecht d.vollbre...@scram.de:


I also somewhat dislike it but the mail address after all is only
routing information, the real name is the person we know about. This
is what most users like to know. With mouse-over you should actually
see the mail address.


I don't agree. For me it is very important to see the email address.


I fail to see the advantage of displaying e-mail addresses, especially  
when half the messages in my mailbox would show things like Foo  
do_not_reply-md5h...@externalemailcontentprovider.server14.westcoast.meaninglessdomainname.com.


One reason is that we don't allow our own domain as sender address  
originating from external hosts (postfix:  
reject_sender_login_mismatch), thus it is a huge difference if I see  
something like 'My boss f...@free.host' or 'My boss  
ceo@my.domain'. Unfortunately, now in IMP I see 'My boss' in both  
cases which is not satisfactory - social engineering. For further  
reading:


https://en.wikipedia.org/wiki/Social_engineering_(security)


So when I send you a mail message with a spoofed From e-mail address  
from outside your domain, how is this any different?


If you feel strongly about this, this is easily added locally by  
adding the additional information to your local source.  But none of  
these arguments even approach a level where making this configurable  
makes sense.



[3. Mail view]

Hmm, the MAILER-DAEMON messages (bounces) actually have the empty sender
address in most cases, so not sure what you like to verify in this case.


No, mailer daemons only have an empty envelope address. The From:  
address is 'Mail Delivery System MAILER-DAEMON@host.domain' and I  
only see just 'Mail Delivery System' all the time.


Not seeing your point(?)

If you are asking to see e-mail addresses in the from address because  
it provides information on the tiny subset of bounced/failure  
messages, that is way too specialized a use case to be useful overall  
(especially since 99% of users don't care about these messages anyway).


At least it should be *configurable* to show the full From: without  
any clicks or mouseovers, though I think it should also be activated  
by default. There is also enough space on my screen even in the  
standard view where From: is right next to the subject, so why hide  
so much information?


It's quite a bit of extra work, and influences things like escaping.   
Which means it is something that requires maintenance.  I'm just not  
seeing an argument that's convincing enough for us to make this an  
option we need to support in the future.


Spams with perfect DKIM signatures mostly mean that somebody's  
account got hacked, and I think the right approach is to have a good  
spam filter. So the user actually won't see such a message in most  
cases, but for all the hams with a valid DKIM signature I want to give  
them the chance to verify if someone used a faked address or if this  
is unlikely to be faked even without cryptographic authenticity. You  
are free to have it disabled, of course, but I would use it. :-)


I have no issue supporting verification with DKIM.  It hasn't been  
implemented prior because 1) nobody has really asked (i.e. paid) for  
it and 2) it only has become standardized in the last few years and  
has begun to be more widely implemented.


michael

___
Michael Slusarz [slus...@horde.org]



Re: [imp] Various meaningful IMP default settings

2014-12-16 Thread lst_hoe02


Quoting Daniel Vollbrecht d.vollbre...@scram.de:


Hi Andreas


We have also seen this, but only on our really slow test server. I have
not investigated yet but maybe the PHP script timeout is set too low?


No, this is something I checked before reporting it here, of course.  
:) I use imapproxy, but it is not that it loads forever, it just  
says 'message folder empty'. If I browse to another folder and  
immediately browse back to the large one, I see all messages. The  
whole process from login lasted less than 20 seconds.


That's the same we have, but as said it has not until now nagged me  
enough to really debug it.



I also somewhat dislike it, but the mail address after all is only
routing information; the real name is the person we know about. This
is what most users like to know. With mouse-over you should actually
see the mail address.


I don't agree. For me it is very important to see the email address.  
One reason is that we don't allow our own domain as sender address  
originating from external hosts (postfix:  
reject_sender_login_mismatch), thus it is a huge difference if I see  
something like 'My boss f...@free.host' or 'My boss  
ceo@my.domain'. Unfortunately, now in IMP I see 'My boss' in both  
cases which is not satisfactory - social engineering. For further  
reading:


https://en.wikipedia.org/wiki/Social_engineering_(security)


People who are able to take care of the real mail address are normally  
aware that the mail address is as easy to spoof as the real name.  
Without digital signatures you cannot really trust a mail address at  
all. You have to verify by content then, or by a side band, e.g. call the  
sender by phone.



[4. Verifiability]

Might be an option, but if you really need verified email you have to use
S/MIME or PGP. After all you want to know who has sent/created the mail
and not who has delivered it. We get many spams today with perfect DKIM
signatures, but I don't like my users to see these as trustworthy, for sure.


Then you can switch it off or I also would be happy if this would be  
switched off by default, but currently it is not even possible.


I agree not to make users feel a false sense of trust or security  
and I don't want to discuss S/MIME or PGP here because I consider  
that as good, but 99 % of my contacts don't have it installed.


Spams with perfect DKIM signatures mostly mean that somebody's  
account got hacked, and I think the right approach is to have a good  
spam filter. So the user actually won't see such a message in most  
cases, but for all the hams with a valid DKIM signature I want to give  
them the chance to verify if someone used a faked address or if this  
is unlikely to be faked even without cryptographic authenticity. You  
are free to have it disabled, of course, but I would use it. :-)


Nearly all spams arriving from the big spam farms with throw-away  
domains are perfectly DKIM signed, so no, it is not a problem of  
hacked accounts. If you still get spam *without* a DKIM signature you  
should use greylisting to keep away the dumb spam-bots, as they are the  
only ones not using DKIM. And no, content based filtering is not an  
option for people who actually care about email.


Regards

Andreas
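
The two defensive points raised in this thread, always rendering the address next to the display name (the 'My boss' case) and dating a message by the local MTA's Received: header instead of the sender-controlled Date: header, as an added example that is not part of the thread or of IMP/Horde; the local domain, the known-sender directory and the sample message are constructed assumptions.

```python
"""Added example, not IMP code: show the full From: and use the Received: date."""
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Assumed local domain and a tiny directory of known senders (constructed).
LOCAL_DOMAIN = "my.domain"
KNOWN_SENDERS = {"My boss": "ceo@my.domain"}

# Constructed sample message: a familiar display name from an external host,
# and a Date: header the sender set to a bogus future value.
SAMPLE = """\
Received: from mx.my.domain (mx.my.domain [192.0.2.1]) by imap.my.domain; Tue, 16 Dec 2014 12:00:00 +0100
Received: from free.host (free.host [198.51.100.7]) by mx.my.domain; Tue, 16 Dec 2014 11:59:30 +0100
From: My boss <foo@free.host>
Date: Mon, 1 Jan 2029 00:00:00 +0000
Subject: urgent

body
"""


def render_from(header):
    """Return 'Name <addr>' so the address is never hidden behind the name."""
    name, addr = parseaddr(header)
    return f"{name} <{addr}>" if name else addr


def display_name_mismatch(header):
    """True when a known display name arrives from a different address.

    This is the 'My boss foo@free.host' case from the thread: the name alone
    looks fine, only the address reveals the mismatch.
    """
    name, addr = parseaddr(header)
    expected = KNOWN_SENDERS.get(name)
    return expected is not None and addr.lower() != expected.lower()


def received_date(raw_message):
    """Date from the topmost (newest) Received: header, written by the local
    MTA, instead of the sender-controlled Date: header; falls back to Date:
    only when no Received: header carries a timestamp."""
    msg = message_from_string(raw_message)
    for hop in msg.get_all("Received") or []:  # newest hop comes first
        if ";" in hop:
            return parsedate_to_datetime(hop.rsplit(";", 1)[1].strip())
    return parsedate_to_datetime(msg["Date"])


if __name__ == "__main__":
    msg = message_from_string(SAMPLE)
    print(render_from(msg["From"]), "suspicious:", display_name_mismatch(msg["From"]))
    print("received:", received_date(SAMPLE))
```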

