[imp] Various meaningful IMP default settings

Daniel Vollbrecht d.vollbrecht at scram.de
Mon Dec 22 16:37:30 UTC 2014


Am 16.12.14 um 15:44 schrieb Michael M Slusarz:
> I fail to see the advantage of displaying e-mail addresses, especially
> when half the messages in my mailbox would show things like "Foo
> <do_not_reply-MD5hash at externalemailcontentprovider.server14.westcoast.meaninglessdomainname.com>".

You don't have to activate it, if there was an option. I would be happy 
to have it configurable. My main intention was to discuss meaningful 
default settings, but in this case, I just would like to propose the 
introduction of a setting for it. Can be deactived by default of course.

>> https://en.wikipedia.org/wiki/Social_engineering_(security)
>
> So when I send you a mail message with a spoofed From e-mail address
> from outside your domain, how is this any different?

It is very likely that such a message gets processed accordingly 
(rejected or filtered out as spam). You would have to choose a from 
address with a domain which doesn't have SPF and then most likely the 
missing good reputation would be critical for our spamfilter.

I don't think hiding the from address helps at all. The unaware users 
don't care and the skilled tend to be able to at least be able to 
activate it.

> If you feel strongly about this, this is easily added locally by adding
> the additional information to your local source.  But none of these
> arguments even approaach a level where making this configurable makes
> sense.

What exactly do you mean with local source? Patching my local horde 
source scripts myself to implement the desired functionality?

>> [3. Mail view]
>>> Hmm, the MAILER-DAEMON messages (bounces) actually has the empty sender
>>> address in most cases, so not sure what you like to verify in this case.
>>
>> No, mailer daemons only have an empty envelope address. The From:
>> address is 'Mail Delivery System <MAILER-DAEMON at host.domain>' and I
>> only see just 'Mail Delivery System' all the time.
>
> Not seeing your point(?)

You justified that bounces have an empty sender address (<>), but I'm 
talking about the From: address as IMP doesn't show me the sender 
address anyway. And as explained the From: address consists of

Mail Delivery System <MAILER-DAEMON at host.domain>

which indeed lets me distinguish from which of my hosts the notification 
is originating. - At least if I could see the full From: including 
'MAILER-DAEMON at host.domain' and not just the useless information 'Mail 
Delivery System'.

> If you are asking to see e-mail addresses in the from address because it
> provides information on the tiny subset of bounced/failure messages,
> that is way too specialized a use case to be useful overall (especially
> since 99% of users don't care about these messages anyway).

This is just *one* example. I also get other mail, e.g. Icinga 
monitoring mails etc. for which my argumentation applies as well.

I'm not requesting magic, it's just a feature that almost any mail 
client has as option which can be enabled in the settings, whether it is 
enabled on default or not doesn't matter.

> It's quite a bit of extra work, and influences things like escaping.
> Which means it is something that requires maintenance.  I'm just not

I don't see the problem about escaping here. If I click on 'Michael M 
Slusarz' on your mail, the sender view expands and shows 'Michael M 
Slusarz <slusarz at horde.org>'. Why is there no escaping issue then? I 
just would like to have an option that I don't have to click anymore to 
see it right away.

> I have no issue supporting verification with DKIM.  It hasn't been

Sounds good. I eventually can do this, but it couldn't harm to have it 
on the feature request/todo list anyway. :-)

Season's Greetings

Daniel


More information about the imp mailing list