[Tickets #11376] Re: Itip auto-accept confirmation requests
bugs at horde.org
Tue Aug 28 20:37:54 UTC 2012
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/11376
------------------------------------------------------------------------------
Ticket | 11376
Updated By | Michael Slusarz <slusarz at horde.org>
Summary | Itip auto-accept confirmation requests
Queue | IMP
Version | Git master
Type | Enhancement
State | Assigned
Priority | 1. Low
Milestone |
Patch |
Owners | Horde Developers, Jan Schneider, Michael Rubinsky,
| Michael Slusarz
------------------------------------------------------------------------------
Michael Slusarz <slusarz at horde.org> (2012-08-28 14:37) wrote:

> That depends. Within an organization (for "local" addresses) it is
> trivial to prevent users from forging sender addresses. In that case
> there is no attack vector, since people will not be able to forge
> replies.

This was a potential solution that the client and I have discussed.
Although I would disagree with the idea that it is "trivial" to
prevent users from forging sender addresses. Imagine an organization
like a university that may have 100,000+ users, and these users may be
in a variety of differently admin'd local networks (e.g. Physics
department, Economics department, etc.). Additionally, the
e-mail/user the invite was sent to may not match the responding user
(e.g. sent to slusarz at example.com but my mail is sent from
Michael.Slusarz at department.example.com) so forging addresses becomes a
more complicated situation.

> But this is only the case for addresses we know are local, replies
> from external (non-local) users should probably never be
> auto-accepted. At the very least, there should be an option to treat
> local and non-local users differently.

That being said, I would agree that we should provide an option for
the admin to allow auto-accepting of e-mails from within the same
domain. Or better still, allow the admin to provide a list of domains
to auto-accept from.
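
The following is an added example, not part of the original message and not Horde or IMP code: a sketch of how an admin-supplied domain list could gate auto-accepting iTip replies, including the case raised above where the replying address differs from the invited one. The function names, the leading-dot convention for subdomains and the sample addresses are assumptions made for illustration.

```python
from email.utils import parseaddr


def split_address(header_value):
    """Return (local, domain) in lowercase, or None if no usable address."""
    _, addr = parseaddr(header_value)
    local, sep, domain = addr.rpartition("@")
    domain = domain.rstrip(".").lower()
    if not sep or not local or not domain:
        return None
    # Local parts are compared case-insensitively here (an assumption).
    return local.lower(), domain


def domain_allowed(domain, allowed):
    """Exact match only; an entry with a leading dot (assumed convention)
    matches subdomains. Plain suffix matching is avoided on purpose, since
    'notexample.com' ends with 'example.com'."""
    for entry in allowed:
        entry = entry.lower()
        if entry.startswith("."):
            if domain.endswith(entry):
                return True
        elif domain == entry:
            return True
    return False


def reply_action(from_header, attendees, allowed):
    """Return 'auto-accept' or 'confirm' for an iTip reply.

    Only meaningful where the From address cannot be forged for the
    listed domains, which is the precondition debated in this ticket.
    """
    sender = split_address(from_header)
    if sender is None or not domain_allowed(sender[1], allowed):
        return "confirm"  # external or unparsable sender: never auto-accept
    invited = {split_address(a) for a in attendees}
    # A reply from an address that was not invited cannot be tied to an
    # attendee automatically, so it falls back to manual confirmation.
    return "auto-accept" if sender in invited else "confirm"


if __name__ == "__main__":
    # Constructed sample data based on the addresses used in the message.
    invitees = ["slusarz@example.com"]
    for frm in ("slusarz@example.com",
                "Michael Slusarz <Michael.Slusarz@department.example.com>",
                "someone@notexample.com"):
        print(frm, "->", reply_action(frm, invitees, ["example.com", ".example.com"]))
```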