[Mimedefang] Email injection and the android 'email' app

[Tilman Schmidt]

Am 06.03.2013 05:37, schrieb Richard Laager:
> As a result of this thread, we discussed and tested this in-house (on
> just one phone). I believe we did get a notification that the message
> didn't send, so that's good.

What I thought when I first read this thread. Users will ignore
notifications and swear afterwards that there was none. "System
ate my mail" after clicking away a pop-up window saying "Unknown
recipient".

> That aside, is Android behaving any differently than Thunderbird, or
> many other mail clients? Getting a 5xx status code from the "outgoing
> mail server" seems to pop up a dialog and then leave the message in the
> outbox on the ones we tested.

Thunderbird leaves the message composition window open in that case,
which is arguably a clearer sign that the message wasn't sent.

> This leads to inconsistent behavior between local and remote
> destinations.

I don't think it's inconsistent. Processes can fail at different
stages, and people are (or should be) used to that. Specifically,
mail transmission can fail at different stages, and notifications
will differ depending on that. The popup right after clicking
"Send" is just one more variant.

> So if you want consistency,
> accepting all recipients for authenticated senders (and then later
> generating bounces) seems to be the only option.

IMHO that would be a very bad solution, reducing the usability
of the server for the majority of users because of the (forgive
me) stupidity of a few.

-- 
Tilman Schmidt
Phoenix Software GmbH
Bonn, Germany

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
URL: <https://lists.mimedefang.org/pipermail/mimedefang_lists.mimedefang.org/attachments/20130306/03e56217/attachment.sig>