Forum OpenACS Development: Re: Incoming Mail Handling

3: Re: Incoming Mail Handling (response to 1)
Posted by Malte Sussdorff on
I think due to the fact that setting this up requires quite some work (you have to amend Postfix to do anything useful and configure OpenACS correctly to listen to the incoming e-mails), I'd say whoever needs this functionality (sending an email to the system without authentication) is aware of the risks and we should not limit the toolkit to not allow arbitrary incoming email into the system. Though this is a security risk, you have to consciously set it up that way, so I don't think we are facing a problem. There are a lot of ideas on how to improve the security, e.g. for the receptionist we will block emails from the outside of the company (so only mails from within the company can be sent to the mailserver). Or you could say only people with a valid sender email (though this can be faked) will be allowed to send emails to the system, or you could rely on digitally signed messages or, or, or.