
Re: [cobalt-security] neomail on RAQ02



Hi Jeff,

> I see it as a bit more serious than that, Taco...
> 
> I've got two sites on my RaQ... www.site1.com and www.site2.com.
> 
> If a user with an account on site1.com logs into his account at
> site2.com, he'll be able to log in successfully, and he'll still see his
> mailboxes, etc.  So he may _think_ he's got an account site2.com.
He's a bit brainless then, but anyway ...

> However, his return address will STILL be hisname@xxxxxxxxx on any email
> he sends out.
No, that is actually the issue people have: any valid user on a RaQ can log in to
the neomail of another site and hit the preferences button and send out e-mails
using the other site's domain. Again: neomail should be seen as a mail client.
Any mail client can be configured to send out messages with any domain. Hence I
still think this is a non-issue. The only issue I agree on is that users could
log in to other sites' neomail and download their mail, and therefore not get
charged the bandwidth. This is the only real valid issue.

> So slightly different, and slightly more serious (imho) than you seem to
> think.
Again, I don't see the problem. But I am open to any education ;)

> Hmmmm.... this really isn't _your_ issue, Taco, since you didn't write
> neomail.
But I did create the neomail package and added a lot of changes so it would 
support multiple domains and multiple architectures. As the maintainer of the 
package I do think it is my issue.

> Does the available "isp" patch fix this problem?  I don't think so.
I don't think so.

> Are you considering making your own patch?  I'd like that
Yes, but not this week. (This does not imply it is ready NEXT week ;) )...

With regards,

Taco Scargo

Professional Services Manager, EMEA

Sun Microsystems		Tel. +31 (71) 565 7021
Sun Cobalt Server Appliances	taco.scargo@xxxxxxx