duesee / imap-codec

Rock-solid and complete codec for IMAP
Apache License 2.0

question: Remove lenient CRLF handling? #408

Closed duesee closed 4 months ago

duesee commented 9 months ago

I always felt there is something off with this feature. In light of https://media.ccc.de/v/37c3-11782-smtp_smuggling_spoofing_e-mails_worldwide, I'm now leaning strongly towards removing this entirely.

Note: I'm not (yet) aware of a way to exploit this in IMAP. But this doesn't mean there is no way :-) Better safe than sorry.

How to approach this issue: Remove https://github.com/duesee/imap-codec/blob/main/imap-codec/Cargo.toml#L35 and fix everything that breaks :-)

Note: We won't work on this until a few weeks/months later to get some real-world insights from @superboum first.

duesee commented 4 months ago

I keep stumbling into situations where this feature is very useful. Backtracking a bit: This feature should be disabled by default, but we would rather keep it.
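
The concern discussed in this issue, as an added example that is not part of the thread and not imap-codec's code: a strict and a lenient line framer given the same constructed bytes, showing that they disagree as soon as a bare LF appears. The names `Mode`, `FrameError`, `split_lines` and `modes_disagree` are hypothetical, and the framing is line-oriented only (IMAP literals are not handled).

```rust
// Added example: hypothetical names, not imap-codec's API.
// Assumption: line-oriented framing only; IMAP literals are not handled.

#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Mode {
    Strict,  // only CRLF terminates a line
    Lenient, // CRLF or a bare LF terminates a line
}

#[derive(Debug, PartialEq)]
pub enum FrameError {
    BareLf(usize), // offset of an LF not preceded by CR
    Incomplete,    // trailing bytes without a terminator
}

pub fn split_lines(input: &[u8], mode: Mode) -> Result<Vec<&[u8]>, FrameError> {
    let mut lines = Vec::new();
    let mut start = 0;
    for (i, &b) in input.iter().enumerate() {
        if b != b'\n' {
            continue;
        }
        // The CR must belong to the current line, not the previous one.
        let has_cr = i > start && input[i - 1] == b'\r';
        if !has_cr && mode == Mode::Strict {
            return Err(FrameError::BareLf(i));
        }
        let end = if has_cr { i - 1 } else { i };
        lines.push(&input[start..end]);
        start = i + 1;
    }
    if start != input.len() {
        return Err(FrameError::Incomplete);
    }
    Ok(lines)
}

/// True when the two modes frame the same bytes differently.
pub fn modes_disagree(input: &[u8]) -> bool {
    split_lines(input, Mode::Strict) != split_lines(input, Mode::Lenient)
}

fn main() {
    // Constructed sample: first line ends in a bare LF, second in CRLF.
    let sample = b"a1 NOOP\na2 NOOP\r\n";
    println!("strict:  {:?}", split_lines(sample, Mode::Strict));
    println!("lenient: {:?}", split_lines(sample, Mode::Lenient));
    println!("disagree: {}", modes_disagree(sample));
}
```

A check like `modes_disagree` can be run over captured traffic to see how often peers actually send bare LF before deciding whether lenient handling is needed.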