Subj : Re: Email Posting ACS possibly not honored via POP3? <-- SMTP!, + more
To   : g00r00
From : Bj”rn Wiberg
Date : Thu Mar 24 2022 09:28 pm

Hello again, g00r00!

On 22 Mar 2022, Bj”rn Wiberg said the following...
 BW> I just noticed that if I set:
 BW> Post ACS    ³ !fa
 BW> ...on the ID 1 (email) message base, that prevents users having that
 BW> flag from posting from within the BBS, but it does not stop them from
 BW> posting emails via POP3. The POP3 server happily accepts the messages

Of course I meant "SMTP", not POP3. :o)

I do realize that SMTP on the suggested default port (25) is usually meant for message transfers between MTAs (and should not require STARTTLS if the server is publicly referenced, as per RFC 3207 section 4), not message submissions by MSAs (which often use port 587 and must require authentication as per RFC 6409 section 4.3).

So I guess it depends on the purpose which port should be used, whether STARTTLS should be required or not, and whether authentication should be required or not...


Speaking of ACSes and (for real, now!) POP3, I also noticed that the POP3 server appears to let a user list and retrieve messages, respectively, even though the corresponding List ACS and Read ACS for the email message base are not fulfilled (which usually restrict this from within the BBS).


Just thought I would mention this in case you think that this access checking
should be added to those two MIS servers.

As usual, thank you for your time and consideration!

Best regards
Bj”rn

--- Mystic BBS v1.12 A48 2022/03/11 (Linux/64)
 * Origin: Star Collision BBS, Uppsala, Sweden (2:201/137)

.