librelist archives

« back to archive

Re: Message-IDs rewritten

Re: Message-IDs rewritten

From:
Zed A. Shaw
Date:
2009-07-26 @ 21:27
On Sun, Jul 26, 2009 at 07:38:51PM +0000, Eric Wong wrote:
> Message-IDs are getting rewritten when they get delivered to
> subscribers.  I'm not sure if it's intentional or not, but I don't
> think there's a reasonable attack vector here that would be stopped.

Alright, the message-ids, dates, and references all use the original
message's information.  Try out git and let me know if it works.

Basically, I was stripping it so postfix added one.  Now I maintain it
so it should work.

-- 
Zed A. Shaw
http://zedshaw.com/

Re: Message-IDs rewritten

From:
Eric Wong
Date:
2009-07-26 @ 21:49
"Zed A. Shaw" <zedshaw@zedshaw.com> wrote:
> On Sun, Jul 26, 2009 at 07:38:51PM +0000, Eric Wong wrote:
> > Message-IDs are getting rewritten when they get delivered to
> > subscribers.  I'm not sure if it's intentional or not, but I don't
> > think there's a reasonable attack vector here that would be stopped.
> 
> Alright, the message-ids, dates, and references all use the original
> message's information.  Try out git and let me know if it works.
> 
> Basically, I was stripping it so postfix added one.  Now I maintain it
> so it should work.

Thank you Zed!  A patch series I sent to the pcu list threaded with
chain-reply-to nicely:

-- 
Eric Wong

Message-IDs rewritten

From:
Eric Wong
Date:
2009-07-28 @ 08:23
Message-IDs are getting rewritten when they get delivered to
subscribers.  I'm not sure if it's intentional or not, but I don't
think there's a reasonable attack vector here that would be stopped.

Anyhow this breaks the threading ability of "git send-email" when a
series of patches is tied to a single thread (with a cover message).

This also makes deduplication more difficult for folks that Bcc:
themselves.

-- 
Eric Wong

Re: Message-IDs rewritten

From:
Zed A. Shaw
Date:
2009-07-28 @ 08:23
On Sun, Jul 26, 2009 at 07:38:51PM +0000, Eric Wong wrote:
> Message-IDs are getting rewritten when they get delivered to
> subscribers.  I'm not sure if it's intentional or not, but I don't
> think there's a reasonable attack vector here that would be stopped.

Attack vector?  Uh, yeah, nobody should rely on any email headers for
anything secure.

I'll see if they are getting dropped or rewritten on the server.  I
think I strip those out and then the server makes a new one. I'll try
adding it back.
 
> Anyhow this breaks the threading ability of "git send-email" when a
> series of patches is tied to a single thread (with a cover message).

That sounds wrong since other mail clients now thread the messages
correctly.  I'll throw it in and get you to check, but if git is getting
it wrong and nobody else, then git can blow me. :-)
 
> This also makes deduplication more difficult for folks that Bcc:
> themselves.

Well, that there is a pretty obscure edge case for sure.  Who do you
know is doing bcc of their mailing list posts, rather than just
subscribing the other account?

-- 
Zed A. Shaw
http://zedshaw.com/

Re: Message-IDs rewritten

From:
Eric Wong
Date:
2009-07-26 @ 21:51
"Zed A. Shaw" <zedshaw@zedshaw.com> wrote:
> On Sun, Jul 26, 2009 at 07:38:51PM +0000, Eric Wong wrote:
> > This also makes deduplication more difficult for folks that Bcc:
> > themselves.
> 
> Well, that there is a pretty obscure edge case for sure.  Who do you
> know is doing bcc of their mailing list posts, rather than just
> subscribing the other account?

Really?  I always Bcc myself by default, but I often find myself
to be an edge case :>

It's much easier to sychronize sent mail to IMAP when I'm switching
between machines.  It's also easier to verify that I sent something out
(I'm forgetful).  Out of morbid curiousity, I get to see SpamAssassin
scores of messages I send out, too.

Thanks again for the quick fix!

-- 
Eric Wong

Re: Message-IDs rewritten

From:
Zed A. Shaw
Date:
2009-07-26 @ 23:26
On Sun, Jul 26, 2009 at 02:51:46PM -0700, Eric Wong wrote:
> Really?  I always Bcc myself by default, but I often find myself
> to be an edge case :>

Yeah, that's very edge case.  You should consider writing a Lamson
handler for that. :-)
 
> It's much easier to sychronize sent mail to IMAP when I'm switching
> between machines.  It's also easier to verify that I sent something out
> (I'm forgetful).  Out of morbid curiousity, I get to see SpamAssassin
> scores of messages I send out, too.
> 
> Thanks again for the quick fix!

So, with the message-ids being sent along, your stuff should all just
work.  Let me know if doesn't.

-- 
Zed A. Shaw
http://zedshaw.com/