Date:      Tue, 30 Sep 2014 02:24:45 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-ports-bugs@FreeBSD.org
Subject:   [Bug 123468] mail/postgrey: information leak, privacy issue
Message-ID:  <bug-123468-13-jyTgVu27F0@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-123468-13@https.bugs.freebsd.org/bugzilla/>
References:  <bug-123468-13@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=123468

Darren Pilgrim <ports.maintainer@evilphi.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ports.maintainer@evilphi.com

--- Comment #11 from Darren Pilgrim <ports.maintainer@evilphi.com> ---
This is a non-issue for the following reasons:

- If the operator of %r uses the default response string from postgrey, they
are making it public they're using postgrey.  If they didn't want to disclose
that, they'd override the string and remove the URI entirely.

- Network information about the server receiving for %r is not disclosed to
postgrey.schweikert.ch.

- The URI works for nearly-arbitrary strings.  It is not even subject to FQDN
validation.  For example, http://postgrey.schweikert.ch/help/_.html

- The IP address disclosed to postgrey.schweikert.ch is that of the browser
going to the site, not the mail server relaying to %r.

- The sending email address is not disclosed.

- The same information is disclosed to the entire path of networks between the
sender and receiving server.

The information disclosure is that a browser appearing at a given IP address is
emitting unencrypted HTTP requests which may or may not be associated with an
email sent to %r.  The lack of SSL and minimal level of information provided
means this is effectively a disclosure of information already widely disclosed.

Given the insignificant nature of the disclosure, there is greater utility in
not deviating from upstream.
