[Bug 123468] mail/postgrey: information leak, privacy issue

bugzilla-noreply at freebsd.org
Tue Sep 30 02:24:45 UTC 2014


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=123468

Darren Pilgrim <ports.maintainer at evilphi.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ports.maintainer at evilphi.com

--- Comment #11 from Darren Pilgrim <ports.maintainer at evilphi.com> ---
This is a non-issue for the following reasons:

- If the operator of %r uses the default response string from postgrey, they
are making it public they're using postgrey.  If they didn't want to disclose
that, they'd override the string and remove the URI entirely.

- Network information about the server receiving for %r is not disclosed to
postgrey.schweikert.ch.

- The URI works for nearly-arbitrary strings.  It is not even subject to FQDN
validation.  For example, http://postgrey.schweikert.ch/help/_.html

- The IP address disclosed to postgrey.schweikert.ch is that of the browser
going to the site, not the mail server relaying to %r.

- The sending email address is not disclosed.

- The same information is disclosed to the entire path of networks between the
sender and receiving server.

The information disclosure is that a browser appearing at a given IP address is
emitting unencrypted HTTP requests which may or may not be associated with an
email sent to %r.  The lack of SSL and minimal level of information provided
means this is effectively a disclosure of information already widely disclosed.

Given the insignificant nature of the disclosure, there is greater utility in
not deviating from upstream.
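The comment's first point rests on the operator being able to override the response string and drop the URI. The following shell snippet is an added example, not code from the bug report or from the postgrey project: it audits a FreeBSD-style postgrey_flags value to see whether the effective greylist text still carries an http(s) URI, and renders the %r expansion so the operator can see exactly what a greylisted sender's MTA would be told. It assumes postgrey's --greylist-text=TEXT option (documented in postgrey's man page) and the rc.conf variable postgrey_flags; the default text in POSTGREY_DEFAULT_TEXT and the rc.conf samples at the bottom are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the postgrey project.
# Assumptions: postgrey accepts --greylist-text=TEXT (with %r expanded to the
# recipient address) and FreeBSD passes its flags via postgrey_flags in
# rc.conf. POSTGREY_DEFAULT_TEXT is the stock response this example assumes.
POSTGREY_DEFAULT_TEXT='Greylisted, see http://postgrey.schweikert.ch/help/%r.html'
DQ='"'
SQ="'"

# Pull the effective greylist text out of a postgrey_flags value.
# Prints the configured text, or the assumed default when the flag is absent.
effective_greylist_text() {
  flags="$1"
  case "$flags" in
    *--greylist-text=*) rest=${flags#*--greylist-text=} ;;
    *) printf '%s\n' "$POSTGREY_DEFAULT_TEXT"; return 0 ;;
  esac
  # The value may be double-quoted, single-quoted, or a bare word.
  case "$rest" in
    "$DQ"*) rest=${rest#"$DQ"}; printf '%s\n' "${rest%%"$DQ"*}" ;;
    "$SQ"*) rest=${rest#"$SQ"}; printf '%s\n' "${rest%%"$SQ"*}" ;;
    *)      printf '%s\n' "${rest%% *}" ;;
  esac
}

# Expand %r the way postgrey does (recipient address), so the operator can
# see which URI, if any, a greylisted sender would be handed.
render_greylist_text() {
  printf '%s\n' "$1" | sed "s|%r|$2|g"
}

# Returns 0 if the text points the remote MTA operator at an http(s) URI,
# 1 otherwise.
greylist_text_has_uri() {
  case "$1" in
    *http://*|*https://*) return 0 ;;
    *) return 1 ;;
  esac
}

# Audit one rc.conf-style flags value for a given recipient; prints a verdict.
audit_postgrey_flags() {
  text=$(effective_greylist_text "$1")
  if greylist_text_has_uri "$text"; then
    printf 'DISCLOSES URI: %s\n' "$(render_greylist_text "$text" "$2")"
  else
    printf 'no URI: %s\n' "$text"
  fi
}

# Constructed samples: stock flags, then flags with the string overridden.
audit_postgrey_flags '--inet=10023' 'user@example.com'
audit_postgrey_flags '--inet=10023 --greylist-text="Greylisted, try again later"' 'user@example.com'
```

Run it as-is to see both verdicts; to audit a live host, feed it the value of postgrey_flags from /etc/rc.conf (for example via `. /etc/rc.conf; audit_postgrey_flags "$postgrey_flags" postmaster@your.domain`, where the recipient address is whatever you want to see expanded). An operator who, as the comment puts it, does not want to disclose postgrey would set --greylist-text to a string with no URI; the audit then reports "no URI".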
