Create Mailboxes on Delivery

John Wade jwade at oakton.edu
Thu Jun 24 16:24:27 EDT 2004



ms419 at freezone.co.uk wrote:

> On Jun 24, 2004, at 2:01 AM, Aristotelis wrote:
>
> > On Wed, 23 Jun 2004 ms419 at freezone.co.uk wrote:
> >
> >> It is essential to me to create the mailboxes for which incoming
> >> messages are intended when they don't exist. To this end, I am writing
> >> a patch.
> >
> >  I haven't seen the patch yet. But I want to get some more info
> > first. Correct me if I'm wrong. You want to write a patch that
> > creates ANY folder where a mail tries to be delivered??
>
> This is correct.
>
> >  For example if I want to deliver the email to :
> > user.arisg.koko
> >  and this folder doesn't exist then automatically (without further
> > checking) the folder should be created??
>
> This is also correct.
>
> >  This IMHO is a really bad idea. People can easily create
> > problems in this type of setup. I could just start emailing
> >
> > to
> > user.arisg.koko1
> > user.arisg.koko2
> > user.arisg.koko3
> > user.arisg.koko4
> > user.arisg.koko5
> >
> >  And all these dummy folders will be created.
> > (I can also think for some other problems that might occur
> > with this setup)
>
> Rob Siemborski made this point on this list back in May. I still
> misunderstand, or don't see the danger. It is impossible for _people_
> to create problems because, in general, I think they lack the authority
> to create mailboxes. Those authenticated users with authority to create
> certain mailboxes could do so using IMAP, so I don't understand why
> enabling this on delivery represents an increased danger. Please
> correct me if I'm way out to lunch.

I agree that IMHO this sounds like very bad behavior. Unless I misunderstand
how you are doing delivery, this gives any arbitrary individual anywhere on
the internet the ability to create mailboxes in your users' inboxes simply by
constructing an appropriate email address and sending a message. This could
be malicious or simply an inadvertent typo. Unless you are using your MTA
to protect Cyrus by filtering out invalid sub-mailboxes, you would be very
exposed.

Hope this helps,
John Wade



---
Cyrus Home Page: http://asg.web.cmu.edu/cyrus
Cyrus Wiki/FAQ: http://cyruswiki.andrew.cmu.edu
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
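To make the disagreement above concrete, here is an added toy model (not Cyrus code, and not anything posted in the thread) that contrasts the proposed create-on-delivery behaviour with the "only deliver to mailboxes that already exist" filtering John Wade recommends. Mailbox names follow the page's `user.<name>.<folder>` form; the `user+folder` sub-address syntax, the existing-mailbox set and the fallback to the user's top-level mailbox are assumptions of the example.

```python
"""Model of two LMTP delivery policies for sub-mailbox addressing.

Constructed example; not Cyrus code. "+" detail addressing is assumed.
"""
import re

# Constructed starting state: the only mailboxes that exist for arisg.
EXISTING = {"user.arisg", "user.arisg.koko"}

_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def target_mailbox(local_part):
    """Map 'arisg+koko' to 'user.arisg.koko' (assumed '+' syntax)."""
    user, _, folder = local_part.partition("+")
    for part in (user, folder):
        if part and not _SAFE_NAME.match(part):
            raise ValueError("invalid local part: %r" % local_part)
    return "user.%s" % user + (".%s" % folder if folder else "")


def deliver_autocreate(local_part, mailboxes):
    """The proposed patch: create whatever folder the address names.
    Returns (mailbox, created) and mutates the mailbox set."""
    mbox = target_mailbox(local_part)
    created = mbox not in mailboxes
    mailboxes.add(mbox)
    return mbox, created


def deliver_existing_only(local_part, mailboxes):
    """The safer policy: never create on delivery. An unknown folder
    falls back to the user's top-level mailbox; an unknown user bounces."""
    mbox = target_mailbox(local_part)
    if mbox in mailboxes:
        return mbox, False
    fallback = "user." + local_part.partition("+")[0]
    if fallback not in mailboxes:
        raise LookupError("no such user: %s" % fallback)
    return fallback, False


def simulate(policy, local_parts):
    """Deliver a batch of messages under one policy and report the
    mailboxes it caused to be created, plus the final mailbox set."""
    mailboxes = set(EXISTING)
    created = []
    for lp in local_parts:
        mbox, was_created = policy(lp, mailboxes)
        if was_created:
            created.append(mbox)
    return sorted(created), mailboxes
```

Running `simulate` with the five `koko1`..`koko5` addresses from the thread shows the auto-create policy leaving five new mailboxes behind, while the existing-only policy creates none and routes the mail to `user.arisg`.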
