[imp] Various meaningful IMP default settings

lst_hoe02 at kwsoft.de lst_hoe02 at kwsoft.de
Tue Dec 16 20:28:43 UTC 2014


Quoting Daniel Vollbrecht <d.vollbrecht at scram.de>:

> Hi Andreas
>
>> We have also seen this, but only on our really slow test server. I have
>> not investigated yet but maybe the PHP script timeout is set too low?
>
> No, this is something I checked before reporting it here of course.  
> :) I use imapproxy, but it is not that it loads forever, it just  
> says "message folder empty". If I browse to another folder and  
> immediately browse back to the large one, I see all messages. The  
> whole process from login lasted less than 20 seconds.

That's the same we have, but as said it has not until now nagged me  
enough to really debug it.

>> I also somewhat dislike it, but the mail address after all is only
>> routing information; the "real" name is the person we know about. This
>> is what most users like to know. With mouse-over you should actually
>> see the mail address.
>
> I don't agree. For me it is very important to see the email address.  
> One reason is that we don't allow our own domain as sender address  
> originating from external hosts (postfix:  
> reject_sender_login_mismatch), thus it is a huge difference if I see  
> something like 'My boss <fake at free.host>' or 'My boss  
> <ceo at my.domain>'. Unfortunately, now in IMP I see 'My boss' in both  
> cases which is not satisfactory - social engineering. For further  
> reading:
>
> https://en.wikipedia.org/wiki/Social_engineering_(security)

People who are able to take care of the real mail address are normally  
aware that the mail address is as easy to spoof as the real name.  
Without digital signatures you can not really trust a mail address at  
all. You have to verify by content then or by sideband, e.g. call the  
sender by phone.

> [4. Verifiability]
>> Might be an option, but if you really need verified email you have to use
>> S/MIME or PGP. After all you like to know who has sent/created the mail
>> and not who has delivered it. We got many Spams today with perfect DKIM
>> signatures, but I don't like my users to see this as trustworthy for sure.
>
> Then you can switch it off or I also would be happy if this would be  
> switched off by default, but currently it is not even possible.
>
> I agree not to make users feel a false sense of trust or security  
> and I don't want to discuss S/MIME or PGP here because I consider  
> that as good, but 99 % of my contacts don't have it installed.
>
> Spams with perfect DKIM signatures mostly mean that somebody's  
> account got hacked and I think the right approach is to have a good  
> spam filter. So the user actually won't see such a message in most  
> cases, but for all the hams with valid DKIM signature I want to give  
> them the chance to verify if someone used a faked address or if this  
> is unlikely to be faked even without cryptographic authenticity. You  
> are free to have it disabled, of course, but I would use it. :-)

Nearly all Spams arriving by the big spam farms with throw-away  
domains are perfectly DKIM signed, so no, it is not a problem of  
"hacked" accounts. If you still got spam *without* DKIM signature you  
should use greylisting to keep away the dumb spam-bots as they are the  
only ones not using DKIM. And no, content based filtering is not an  
option for people who actually care about email.

Regards

Andreas
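The 'My boss <fake at free.host>' case from the thread, as an added example that is not code from the thread or from IMP: it renders a From: header name-only versus name-plus-address, and flags the two display-name tricks the discussion turns on. The internal domain, the known-name set and the sample headers are constructed assumptions.

```python
from email.utils import parseaddr

# Assumed internal domain for this example (hypothetical, not from the thread).
INTERNAL_DOMAIN = "my.domain"


def render_sender(from_header, show_address):
    """Render a From: header the way a message list would.

    show_address=False mirrors a name-only display (the IMP default the
    thread complains about); True appends the address so both are visible.
    """
    name, addr = parseaddr(from_header)
    if not show_address:
        return name or addr
    return f"{name} <{addr}>" if name else addr


def spoof_risk(from_header, known_names):
    """Return a short reason if the header deserves a closer look, else None.

    Case 1: the display name itself looks like an address (the part a
    name-only view would show), hiding the real one.
    Case 2: a name we know internally arrives with a non-internal address,
    which is the 'My boss <fake@free.host>' situation.
    """
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if "@" in name:
        return "display name looks like an address"
    if name in known_names and domain != INTERNAL_DOMAIN:
        return f"known name '{name}' from external domain {domain}"
    return None


# Constructed sample headers (not taken from the thread).
SAMPLES = [
    "My boss <ceo@my.domain>",
    "My boss <fake@free.host>",
    '"ceo@my.domain" <attacker@free.host>',
    "newsletter@example.net",
]

if __name__ == "__main__":
    known = {"My boss"}
    for h in SAMPLES:
        print(f"{render_sender(h, False):<20} | {render_sender(h, True):<40} | "
              f"{spoof_risk(h, known)}")
```

In the name-only column the first two samples are indistinguishable, which is exactly the point Daniel raises above.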