[imp] Various meaningful IMP default settings

Michael M Slusarz slusarz at horde.org
Tue Dec 16 14:44:24 UTC 2014


Quoting Daniel Vollbrecht <d.vollbrecht at scram.de>:

>> I also somewhat dislike it also but the mail address after all is only
>> routing information, the "real" name is the person we know about. This
>> is what most users like to know. With mouse-over you should actually
>> see the mail address.
>
> I don't agree. For me it is very important to see the email address.

I fail to see the advantage of displaying e-mail addresses, especially  
when half the messages in my mailbox would show things like "Foo  
<do_not_reply-MD5hash at externalemailcontentprovider.server14.westcoast.meaninglessdomainname.com>".

> One reason is that we don't allow our own domain as sender address  
> originating from external hosts (postfix:  
> reject_sender_login_mismatch), thus it is a huge difference if I see  
> something like 'My boss <fake at free.host>' or 'My boss  
> <ceo at my.domain>'. Unfortunately, now in IMP I see 'My boss' in both  
> cases which is not satisfactory - social engineering. For further  
> reading:
>
> https://en.wikipedia.org/wiki/Social_engineering_(security)

So when I send you a mail message with a spoofed From e-mail address  
from outside your domain, how is this any different?

If you feel strongly about this, this is easily added locally by  
adding the additional information to your local source.  But none of  
these arguments even approach a level where making this configurable  
makes sense.

> [3. Mail view]
>> Hmm, the MAILER-DAEMON messages (bounces) actually have the empty sender
>> address in most cases, so not sure what you like to verify in this case.
>
> No, mailer daemons only have an empty envelope address. The From:  
> address is 'Mail Delivery System <MAILER-DAEMON at host.domain>' and I  
> only see just 'Mail Delivery System' all the time.

Not seeing your point(?)

If you are asking to see e-mail addresses in the from address because  
it provides information on the tiny subset of bounced/failure  
messages, that is way too specialized a use case to be useful overall  
(especially since 99% of users don't care about these messages anyway).

> At least it should be *configurable* to show the full From: without  
> any clicks or mouseovers though I think it should also be activated  
> by default. There is also enough space on my screen even in the  
> standard view where From: is right next to the subject so why hiding  
> so much information?

It's quite a bit of extra work, and influences things like escaping.   
Which means it is something that requires maintenance.  I'm just not  
seeing an argument that's convincing enough for us to make this an  
option we need to support in the future.

> Spams with perfect DKIM signatures mostly mean that somebody's  
> account got hacked and I think the right approach is to have a good  
> spam filter. So the user actually won't see such a message in most  
> cases, but for all the hams with valid DKIM signature I want to give  
> them the chance to verify if someone used a faked address or if this  
> is unlikely to be faked even without cryptographic authenticity. You  
> are free to have it disabled, of course, but I would use it. :-)

I have no issue supporting verification with DKIM.  It hasn't been  
implemented prior because 1) nobody has really asked (i.e. paid) for  
it and 2) it only has become standardized in the last few years and  
has begun to be more widely implemented.

michael

___________________________________
Michael Slusarz [slusarz at horde.org]
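
The display question debated in this thread, as an added example that is not part of the original message and is not IMP code: it renders the full From: value with the escaping a web client needs, and reports display names that a name-only view would show identically for an internal and an external address. The `LOCAL_DOMAINS` set and the sample headers are assumptions constructed from the addresses quoted in the thread.

```python
import html
from email.utils import parseaddr

# Assumption: domains the MTA refuses as sender from external hosts.
LOCAL_DOMAINS = {"my.domain"}

# Constructed sample From: headers, modelled on the ones quoted in the thread.
SAMPLE_FROM = [
    "My boss <ceo@my.domain>",
    "My boss <fake@free.host>",
    "Mail Delivery System <MAILER-DAEMON@host.domain>",
]


def describe_from(header, local_domains=LOCAL_DOMAINS):
    """Split a From: header into (display name, address, origin)."""
    name, addr = parseaddr(header)
    domain = addr.rpartition("@")[2].lower()
    origin = "internal" if domain in local_domains else "external"
    return name, addr, origin


def render_full(header):
    """HTML-safe 'Name <address>' text; the angle brackets must be escaped."""
    name, addr, _ = describe_from(header)
    return html.escape(f"{name} <{addr}>" if name else addr)


def ambiguous_names(headers, local_domains=LOCAL_DOMAINS):
    """Display names seen with both an internal and an external address,
    i.e. the cases a name-only view cannot tell apart."""
    seen = {}
    for header in headers:
        name, addr, origin = describe_from(header, local_domains)
        if name:
            seen.setdefault(name.casefold(), {})[addr.lower()] = origin
    return {
        name: sorted(addrs)
        for name, addrs in seen.items()
        if {"internal", "external"} <= set(addrs.values())
    }


if __name__ == "__main__":
    for h in SAMPLE_FROM:
        print(render_full(h), describe_from(h)[2])
    print(ambiguous_names(SAMPLE_FROM))
```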


