Re: allow_min_user

From: Andy Thompson (athompsonmooreheadcomm.com)
Date: Mon Aug 02 2004 - 15:46:06 CDT


>>>>>What about:
>>>>>
>>>>> By default, this is not allowed, to avoid accidents with software
>>>>> that passes email addresses via the command line. Such software
>>>>> would not be able to distinguish a malicious address from a
>>>>> bona fide command-line option.
>>>>>
>>>>>I know that you can prevent this from happening by putting a "--"
>>>>>option into the command line, but I would not bet my life on it
>>>>>that everyone would follow such advice.
>>>>
>>>>That makes sense.
>>>
>>>
>>>I have updated the text.
>>>
>>>
>>>
>>>>So in your opinion, on a system such as mine with no local users, web
>>>>scripts, et al where I have complete control over what is run on the
>>>>box, is this a pretty low risk option to enable?
>>>
>>>
>>>Consider the following: does your machine communicate (email) with
>>>other systems? How will those systems respond to addresses beginning
>>>with a '-' character? Maybe it triggers a bug, and maybe it hits
>>>a defensive Postfix box.
>>
>>Obviously unknowns and out of my control. But I can control my system
>>and if I can reasonably say that the chances are pretty slim that my
>>system would send email in this way then it seems like it's not such a
>>big deal.
>>
>>AFAICT though, - is a valid char in an email address, even leading -
>>signs are valid, correct?
>
>
> That's only of academic interest, I'm afraid.
>
> The RFC lets one get away with a lot of characters that are unlikely
> to be accepted by actual implementations.

True.

So we come full circle... what are the implications of enabling this on
my system? If an email goes thru my system with a - prefix on the email
address, what problems might that cause, other than the unknowns? If my
system receives an email with a - prefix on the address and I have this
enabled, what might I expect to happen?

-andy
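
The command-line ambiguity described in the quoted documentation text, and the "--" guard mentioned with it, as an added example that is not part of the original thread. `deliver` is a hypothetical stand-in for a program that receives a recipient on its command line, `accept_rcpt` is a simplified form of the default `allow_min_user = no` behaviour rather than Postfix's own code, and the addresses are constructed.

```shell
#!/bin/sh
# "deliver" is a hypothetical stand-in for a program that is handed a
# recipient address on its command line: deliver [-f sender] [-d dir] rcpt
# It is not Postfix or any real delivery agent.
deliver() {
    OPTIND=1
    sender=unset
    dir=/var/mail
    while getopts "f:d:" opt; do
        case "$opt" in
            f) sender=$OPTARG ;;
            d) dir=$OPTARG ;;
            *) echo "error=bad-option"; return 2 ;;
        esac
    done
    shift $((OPTIND - 1))
    echo "sender=$sender dir=$dir rcpt=${1:-NONE}"
}

# Caller that puts the address straight into argv.
call_unguarded() { deliver -f "$1" "$2"; }

# Caller that ends option parsing with "--" before the address.
call_guarded() { deliver -f "$1" -- "$2"; }

# Simplified form of the default policy (allow_min_user = no): refuse
# an address whose first character is '-'.
accept_rcpt() {
    case "$1" in
        -*) return 1 ;;
        *)  return 0 ;;
    esac
}

# Constructed sample addresses.
for rcpt in 'user@example.com' '-dspool@example.com'; do
    if accept_rcpt "$rcpt"; then verdict=accepted; else verdict=rejected; fi
    echo "policy:    $rcpt -> $verdict"
    echo "unguarded: $(call_unguarded sender@example.com "$rcpt")"
    echo "guarded:   $(call_guarded sender@example.com "$rcpt")"
done
```

In the unguarded call the second address is consumed as the `-d` option and no recipient remains; with "--" it arrives intact as the recipient.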