Proposed death of verifycancels
Bill Davidsen
davidsen at tmr.com
Tue Jun 13 11:58:43 UTC 2000
On 8 Jun 2000, Russ Allbery wrote:
> Does anyone use and want to keep the verifycancels inn.conf option? If
> so, speak up now; I'm proposing removing it from the CURRENT tree. The
> current USEFOR standard says not to verify cancels in that fashion and I
> don't think it serves any useful purpose these days.
>
> For those not familiar with it, the current verifycancels option checks
> the From/Sender of the message against the From/Sender of the cancel and
> only allows the cancel if they match. Of course, the canceller can just
> forge the From/Sender (and most of them know to do this), plus the check
> isn't and can't be performed if the cancel arrives before the original
> message.
Turn that around... the existing code does not catch any valid cancels,
but it does catch some poor forgeries. So... does some good, does no harm.
Unless someone can make a point that it actually blocks a legitimate
cancel, I would leave it in until the "new cancel" logic has been out for
a while and some clients are actually using it.
--
bill davidsen <davidsen at tmr.com>
CTO, TMR Associates, Inc
Doing interesting things with little computers since 1979.
More information about the inn-workers
mailing list