[imp] Various meaningful IMP default settings

[Daniel Vollbrecht]

Hi Andreas

> We have also seen this, but only on our really slow test server. I have
> not investigated yet but maybe the PHP script timeout is set too low?

No, this is something I checked before reporting it here of course. :) I 
use imapproxy, but it is not that it loads forever, it just says 
"message folder empty". if I browse to another folder and immediately 
browse back to the large one, I see all messages. The whole process from 
login lasted less than 20 seconds.

> There is a setting in IMP if the newest unread message is displayed
> first or the oldest unread. This should do the trick, no?

OK, thanks. That would be:

$_prefs['mailbox_start']['value'] = IMP::MAILBOX_START_LASTUNSEEN;

Just tried it and it works perfectly. And to my surprise, the mentioned 
"1. Apparently empty large folders" is gone now. So this is also a 
candidate for a good default setting. :-)

> I also somewhat dislike it also but the mail address after all is only
> routing information, the "real" name is the person we known about. This
> is what most users like to known. With mouse-over you should actually
> see the mail address.

I don't agree. For me it is very important to see the email address. One 
reason is that we don't allow our own domain as sender address 
originating from external hosts (postfix: reject_sender_login_mismatch), 
thus it is a huge difference if I see something like 'My boss 
<fake at free.host>' or 'My boss <ceo at my.domain>'. Unfortunately, now in 
IMP I see 'My boss' in both cases which is not satisfactory - social 
engineering. For further reading:

https://en.wikipedia.org/wiki/Social_engineering_(security)

[3. Mail view]
> Hmm, the MAILER-DAEMON messages (bounces) actually has the empty sender
> address in most cases, so not sure what you like to verify in this case.

No, mailer daemons only have an empty envelope address. The From: 
address is 'Mail Delivery System <MAILER-DAEMON at host.domain>' and I only 
see just 'Mail Delivery System' all the time.

It is not just about (rare) non-deliveries, if using DSN notifies for 
successful submission it perfectly makes sense to see which host is 
reporting. You can set this in Thunderbird (mail.dsn.always_request_on).

At least it should be *configurable* to show the full From: without any 
clicks or mouseovers though I think it should also be activated by 
default. There is also enough space on my screen even in the standard 
view where From: is right next to the subject so why hiding so much 
information?

[4. Verifiability]
> Might be a option, but if you really need verified email you have to use
> S/MIME or PGP. After all you like to know who have sent/created the mail
> and not who has delivered it. We got many Spams today with perfect DKIM
> signatures, but i don't like my users see this as trustworthy for sure.

Then you can switch it off or I also would be happy if this would be 
switched off by default, but currently it is not even possible.

I agree not to make users feel a false sense of trust or security and I 
don't want to discuss S/MIME or PGP here because I consider that as 
good, but 99 % of my contacts don't have it installed.

Spams with perfect DKIM signatures mostly mean that somebody's account 
got hacked and I think the right approach is to have a good spam filter. 
So the user actually won't see such a message in most cases, but for all 
the hams with valid DKIm signature I want to give them the chance to 
verify if someone used a faked address or if this is unlikely to be 
faked even without cryptographic authenticity. You are free to have it 
disabled, of course, but I would use it. :-)

Similar for the date, most mail clients show the Date: header which 
perfectly can be faked, but I display and sort by the Received: date 
which is easy to configure - at least in Thunderbird (in IMP this should 
already be the case with 'sortdate').


Best, Daniel