[Mimedefang] Email injection and the android 'email' app

[Richard Laager]

On Tue, 2013-03-05 at 17:59 -0500, David F. Skoll wrote:
> There's no way you should break your setup to comply with a brain-dead
> Android app.

As a result of this thread, we discussed and tested this in-house (on
just one phone). I believe we did get a notification that the message
didn't send, so that's good. However, the fact that we had to switch it
into airplane mode to be able to delete from the outbox was very
annoying.

That aside, is Android behaving any differently than Thunderbird, or
many other mail clients? Getting a 5xx status code from the "outgoing
mail server" seems to pop up a dialog and then leave the message in the
outbox on the ones we tested.

This leads to inconsistent behavior between local and remote
destinations. It's arguably good for local destinations, as you can fix
the address typo before sending (thus avoiding breakage when people hit
Reply to All, for example). But I don't think it'd be reasonable for the
outgoing mail server to check the remote addresses at the RCPT TO stage
so that it could (attempt to) provide the consistent behavior of
(nearly) always rejecting at RCPT TO. So if you want consistency,
accepting all recipients for authenticated senders (and then later
generating bounces) seems to be the only option.

-- 
Richard
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: This is a digitally signed message part
URL: <https://lists.mimedefang.org/pipermail/mimedefang_lists.mimedefang.org/attachments/20130305/37fc11e9/attachment.sig>