Quoting Daniel Vollbrecht <d.vollbre...@scram.de>:

Hi Andreas

We have also seen this, but only on our really slow test server. I have
not investigated yet but maybe the PHP script timeout is set too low?

No, this is something I checked before reporting it here of course. :) I use imapproxy, but it is not that it loads forever, it just says "message folder empty". If I browse to another folder and immediately browse back to the large one, I see all messages. The whole process from login lasted less than 20 seconds.

That's the same we have, but as said it has not until now nagged me enough to really debug it.

I also somewhat dislike it, but the mail address after all is only
routing information, the "real" name is the person we know about. This
is what most users like to know. With mouse-over you should actually
see the mail address.

I don't agree. For me it is very important to see the email address. One reason is that we don't allow our own domain as sender address originating from external hosts (postfix: reject_sender_login_mismatch), thus it is a huge difference if I see something like 'My boss <f...@free.host>' or 'My boss <ceo@my.domain>'. Unfortunately, now in IMP I see 'My boss' in both cases which is not satisfactory - social engineering. For further reading:

https://en.wikipedia.org/wiki/Social_engineering_(security)

People who are able to take care of the real mail address are normally aware that the mail address is as easy to spoof as the real name. Without digital signatures you cannot really trust a mail address at all. You have to verify by content then or by sideband, e.g. call the sender by phone.

[4. Verifiability]
Might be an option, but if you really need verified email you have to use
S/MIME or PGP. After all you like to know who has sent/created the mail
and not who has delivered it. We got many Spams today with perfect DKIM
signatures, but I don't like my users to see this as trustworthy for sure.

Then you can switch it off or I also would be happy if this would be switched off by default, but currently it is not even possible.

I agree not to make users feel a false sense of trust or security and I don't want to discuss S/MIME or PGP here because I consider that as good, but 99 % of my contacts don't have it installed.

Spams with perfect DKIM signatures mostly mean that somebody's account got hacked and I think the right approach is to have a good spam filter. So the user actually won't see such a message in most cases, but for all the hams with valid DKIM signature I want to give them the chance to verify if someone used a faked address or if this is unlikely to be faked even without cryptographic authenticity. You are free to have it disabled, of course, but I would use it. :-)

Nearly all Spams arriving by the big spam farms with throw-away domains are perfectly DKIM signed, so no, it is not a problem of "hacked" accounts. If you still got spam *without* DKIM signature you should use greylisting to keep away the dumb spam-bots as they are the only ones not using DKIM. And no, content based filtering is not an option for people who actually care about email.

Regards

Andreas


--
imp mailing list
Frequently Asked Questions: http://wiki.horde.org/FAQ
To unsubscribe, mail: imp-unsubscr...@lists.horde.org
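
The two positions in this thread (show the address next to the display name; a valid DKIM signature alone says little) can be put side by side in a small check. This is an added example, not code from Horde/IMP or from either poster; the function names, the authserv-id `mx.my.example`, the sample messages and the simplified alignment rule are all assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_AUTHSERV = "mx.my.example"  # assumption: authserv-id stamped by our own MTA

def dkim_pass_domains(msg):
    """d= domains reported as dkim=pass by our own MTA (RFC 8601 header)."""
    domains = set()
    for value in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in value.split(";")]
        authserv = parts[0].split()[0].lower() if parts[0] else ""
        if authserv != TRUSTED_AUTHSERV:
            continue  # not written by our MTA, so it proves nothing
        for part in parts[1:]:
            m = re.match(r"dkim=pass\b.*?\bheader\.d=([\w.-]+)", part, re.I | re.S)
            if m:
                domains.add(m.group(1).lower())
    return domains

def sender_view(raw):
    """What a mail client could show next to the display name."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    signed = dkim_pass_domains(msg)
    # Simplified alignment: From domain equals, or is a subdomain of, a signing domain.
    aligned = any(from_domain == d or from_domain.endswith("." + d) for d in signed)
    return {"name": name, "address": addr,
            "dkim_domains": sorted(signed), "aligned": aligned}

def make(from_, auth):  # builds a constructed sample message
    return f"From: {from_}\nAuthentication-Results: {auth}\nSubject: test\n\nbody\n"

# Constructed samples; all names and domains are placeholders.
SAMPLES = {
    "internal": make("My boss <ceo@my.example>", "mx.my.example; dkim=pass header.d=my.example"),
    "free_host": make("My boss <boss@free.example>", "mx.my.example; dkim=pass header.d=free.example"),
    "other_signer": make("My boss <ceo@my.example>", "mx.my.example; dkim=pass header.d=bulk.example"),
    "foreign_header": make("My boss <ceo@my.example>", "mx.other.example; dkim=pass header.d=my.example"),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, sender_view(raw))
```

The `free_host` sample has the same display name as `internal` and a passing, aligned signature, so only the displayed address distinguishes the two; `other_signer` and `foreign_header` show a passing signature that says nothing about the From address.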