From: Seth R. <se...@mi...> - 2003-04-10 04:08:07
Simon Byrnand said:
> At 12:38 7/04/03 +0200, Thijs Kinkhorst wrote:
>
>

As far as information leakage goes, I'd say that's a question for the sendmail folks.

As far as the angle brackets go, it depends on what RFC you look at. As I recall, RFC822 defines that the brackets are only there if you have some text before them. RFC2822, which obsoletes 822, changed it so they could be used without anything before them.

Seth.

> After much puzzling, head scratching, and packet sniffing I've finally
> worked out what's going on, but it raises more questions than it
> answers....
>
> Basically, I found that it is not SquirrelMail adding the user's full name,
> but *Sendmail*. (8.11.6) Both versions of SquirrelMail were set to use SMTP
> delivery.
>
> The difference between 1.2.11 and 1.4.0 is that when a full name was
> lacking in the user prefs, 1.2.11 would format the from line in the
> headers thus:
>
> From: <si...@ig...>
>
> While 1.4.0 does it:
>
> From: si...@ig...
>
> Notice the lack of angle brackets.
>
> Now here's the strange part - it seems that Sendmail, upon seeing a From:
> address in the headers which it recognises as belonging to a domain which
> it handles (listed in its local-host-names) and seeing that the email
> address includes angle brackets, but not a full name, it promptly goes and
> looks up the user's full name from its user database and puts it in!!
>
> I've even done hand SMTP sessions to confirm that sendmail really does
> this. If you leave out the angle brackets, OR put a full name in, it
> leaves it alone.
>
> Now I'm a bit stupefied by this, it seems extremely presumptuous on
> sendmail's behalf that it rewrite the From header just because it thinks
> the email is "from" a domain that belongs to it. In fact it seems like an
> information leakage bug to me, as even if you use noexpn and novrfy in
> your sendmail config, it's possible to retrieve the full name of any user
> that has an account on the mail server by crafting a message "from" that
> user "to" yourself.
>
> The other question that this brings up, is that which is semantically
> correct for email addresses without a fullname part? angle brackets or no
> angle brackets?
>
> Regards,
> Simon

--
Seth Randall
IT Support Specialist
Missoula Federal Credit Union
se...@mi...
MSN: ind...@ho.../ICQ: 23164675
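An added example, not part of the original thread and not SquirrelMail or Sendmail code: a Python check that compares the From: value a client submitted with the value that was delivered, and flags cases where a display name appeared in transit, which is the rewrite described in the quoted message. The addresses, names, `SAMPLE_PAIRS` and `LOCAL_DOMAINS` are constructed sample data.

```python
from email.utils import parseaddr

def classify_from(value):
    """Return (form, display_name, address) for a single-mailbox From: value."""
    name, addr = parseaddr(value)
    if "@" not in addr:
        raise ValueError(f"no mailbox found in {value!r}")
    if name:
        form = "named"        # Full Name <user@host> or user@host (Full Name)
    elif "<" in value:
        form = "angle-only"   # <user@host>: RFC 2822 makes the display name optional
    else:
        form = "bare"         # user@host
    return form, name, addr

def audit_rewrites(pairs, local_domains):
    """Flag (submitted, delivered) From: pairs where a display name appeared in transit."""
    findings = []
    for submitted, delivered in pairs:
        s_form, s_name, s_addr = classify_from(submitted)
        _, d_name, d_addr = classify_from(delivered)
        if s_addr.lower() != d_addr.lower():
            continue  # different mailbox: not the rewrite discussed here
        if not s_name and d_name:
            findings.append({
                "address": s_addr,
                "submitted_form": s_form,
                "added_name": d_name,
                # True when the MTA treats the sender's domain as its own
                "local_domain": s_addr.rsplit("@", 1)[1].lower() in local_domains,
            })
    return findings

# Constructed sample data: (From: as submitted, From: as delivered).
SAMPLE_PAIRS = [
    ("<simon@example.org>", "Simon Example <simon@example.org>"),  # name added
    ("simon@example.org", "simon@example.org"),                    # bare, untouched
    ("Webmail User <simon@example.org>", "Webmail User <simon@example.org>"),
    ("<guest@example.net>", "<guest@example.net>"),                # non-local domain
]
LOCAL_DOMAINS = {"example.org"}

if __name__ == "__main__":
    for finding in audit_rewrites(SAMPLE_PAIRS, LOCAL_DOMAINS):
        print(finding)
```
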