• Email Posting ACS possibly not honored via POP3?

    From Björn Wiberg@2:201/137 to g00r00 on Tue Mar 22 17:07:02 2022
    Hello g00r00!

    Hope all is well with you!

    I just noticed that if I set:

    Post ACS │ !fa

    ...on the ID 1 (email) message base, that prevents users having that flag from posting from within the BBS, but it does not stop them from posting emails via POP3. The POP3 server happily accepts the messages despite the flag, and the messages are saved correctly (and reach their intended local recipients).

    Just thought that I would mention this.

    And, by the way, I *did* notice the "Editing e-mail ACS can have adverse effects" note that pops up when having something in the ACS fields for that message base. :-D :-D :-D

    Best regards
    Björn

    --- Mystic BBS v1.12 A48 2022/03/11 (Linux/64)
    * Origin: Star Collision BBS, Uppsala, Sweden (2:201/137)
  • From Björn Wiberg@2:201/137 to g00r00 on Thu Mar 24 21:28:56 2022
    Hello again, g00r00!

    On 22 Mar 2022, Björn Wiberg said the following...
    I just noticed that if I set:
    Post ACS │ !fa
    ...on the ID 1 (email) message base, that prevents users having that
    flag from posting from within the BBS, but it does not stop them from posting emails via POP3. The POP3 server happily accepts the messages

    Of course I meant "SMTP", not POP3. :o)

    I do realize that SMTP on the suggested default port (25) is usually meant for message transfers between MTAs (and should not require STARTTLS if the server is publicly referenced, as per RFC 3207 section 4), not message submissions by MSAs (which often use port 587 and must require authentication as per RFC 6409 section 4.3).

    So I guess it depends on the purpose which port should be used, whether STARTTLS should be required or not, and whether authentication should be required or not...


    Speaking of ACSes and (for real, now!) POP3, I also noticed that the POP3 server appears to let a user list and retrieve messages, respectively, even though the corresponding List ACS and Read ACS for the email message base are not fulfilled (which usually restrict this from within the BBS).


    Just thought I would mention this in case you think that this access checking should be added to those two MIS servers.

    As usual, thank you for your time and consideration!

    Best regards
    Björn

    --- Mystic BBS v1.12 A48 2022/03/11 (Linux/64)
    * Origin: Star Collision BBS, Uppsala, Sweden (2:201/137)
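
The gap reported in this thread (ACS checks applied inside the BBS but not by the SMTP and POP3 servers) is avoided when every front end goes through one shared check. The following is an added example, not Mystic BBS code and not part of the original messages: the ACS evaluator is a simplified model that understands only `fX` flag terms and `!` negation, and every class and function name is hypothetical.

```python
# Added illustration, not Mystic BBS source; every name here is hypothetical.
from dataclasses import dataclass, field

def acs_ok(acs: str, flags: set) -> bool:
    """Simplified ACS model: '' = unrestricted, 'fa' = needs flag a,
    '!fa' = must not have flag a. Anything else fails closed."""
    acs = acs.strip().lower()
    if not acs:
        return True
    negate = acs.startswith("!")
    term = acs[1:] if negate else acs
    if len(term) != 2 or term[0] != "f" or not term[1].isalpha():
        return False
    return (term[1] in flags) != negate

@dataclass
class EmailBase:
    post_acs: str = ""
    list_acs: str = ""
    read_acs: str = ""
    messages: list = field(default_factory=list)  # (recipient, body) tuples

class MailStore:
    """Single enforcement point shared by the BBS, SMTP and POP3 front ends."""
    def __init__(self, base: EmailBase):
        self.base = base

    def post(self, flags, rcpt, body):
        if not acs_ok(self.base.post_acs, flags):
            return False
        self.base.messages.append((rcpt, body))
        return True

    def list_ids(self, flags, user):
        if not acs_ok(self.base.list_acs, flags):
            return None
        return [i for i, (r, _) in enumerate(self.base.messages) if r == user]

    def read(self, flags, user, idx):
        if not acs_ok(self.base.read_acs, flags) or not 0 <= idx < len(self.base.messages):
            return None
        rcpt, body = self.base.messages[idx]
        return body if rcpt == user else None

# Protocol front ends only translate the shared decision into a reply line.
def smtp_deliver(store, flags, rcpt, body):
    return "250 OK" if store.post(flags, rcpt, body) else "550 Posting not permitted"

def pop3_retr(store, flags, user, idx):
    body = store.read(flags, user, idx)
    return "-ERR access denied" if body is None else "+OK\r\n" + body
```

Because the front ends hold no authorization logic of their own, a new protocol listener cannot skip the check without bypassing `MailStore` entirely.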