[#6944] identity creation auditing
Summary: identity creation auditing
Queue: Horde Base
Queue Version: Git master
Type: Enhancement
State: Accepted
Priority: 1. Low
Requester: liamr (at) umich (dot) edu
Created: 06/17/2008 (2136 days ago)
Updated: 12/06/2011 (869 days ago)
Patch: No

12/06/2011 04:53:53 AM Michael Slusarz Comment #5
Version ⇒ Git master
Queue ⇒ Horde Base
This is a Horde/Core feature request.

06/30/2008 06:58:42 PM Chuck Hagenbuch Comment #4
State ⇒ Accepted
1. We should add an "allowed_domains" regexp for addresses that don't 
trigger validation (admins will be responsible for ensuring that their 
regexps don't let too much in, of course).

2. I'm okay with adding a "central_validation_email" that if set would 
get all confirmation requests.
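
One way the two settings proposed in Comment #4 could fit together, as an added PHP example that is not part of the ticket or of Horde's code. `allowed_domains` and `central_validation_email` are the names proposed above (hypothetical keys), and `confirmationRecipient()` and all sample values are constructed. The second pattern shows the anchoring an admin needs so the regexp does not let too much in.

```php
<?php
declare(strict_types=1);

/**
 * Return null when the address needs no confirmation, otherwise the
 * recipient of the confirmation request.
 * 'allowed_domains' and 'central_validation_email' are the names proposed
 * in the ticket; they are hypothetical keys, not existing Horde settings.
 */
function confirmationRecipient(string $address, array $conf): ?string
{
    $address = trim($address);
    // Accept exactly one bare address, so a list such as
    // "x@other.test, y@example.edu" cannot satisfy an end-anchored pattern.
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('not a single valid address');
    }
    if (!empty($conf['allowed_domains'])
        && preg_match($conf['allowed_domains'], $address) === 1) {
        return null; // local address: skip validation
    }
    // Assumption: without a central address the request goes to the
    // identity address itself.
    return !empty($conf['central_validation_email'])
        ? $conf['central_validation_email']
        : $address;
}

// Constructed sample patterns and addresses.
$patterns = [
    'weak'   => '/example\.edu/',                        // unanchored
    'strict' => '/@(?:[a-z0-9-]+\.)*example\.edu\z/i',   // domain part only
];
$samples = [
    'staff@example.edu',
    'staff@mail.example.edu',
    'x@example.edu.mailbox.test',   // local domain as a prefix label
    'example.edu@mailbox.test',     // local domain in the local part
    'x@notexample.edu',             // local domain as a suffix of a label
];
foreach ($patterns as $name => $re) {
    $conf = ['allowed_domains' => $re,
             'central_validation_email' => 'identity-review@example.edu'];
    foreach ($samples as $addr) {
        $to = confirmationRecipient($addr, $conf);
        printf("%-6s %-28s %s\n", $name, $addr,
               $to === null ? 'no confirmation' : "confirm via $to");
    }
}
```

With the weak pattern all five sample addresses skip confirmation; with the strict pattern only the first two do, and the rest are routed to the central address.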

06/18/2008 08:13:28 PM liamr (at) umich (dot) edu Comment #3
I think that our first pass would be to either...

- redirect the identity confirmation messages to a central address 
(perhaps Horde's $conf['problems']['email'])

- only invoke identity confirmation messages if the Reply-to or From 
contained a domain other than that server's "maildomain"

06/18/2008 01:37:51 AM Chuck Hagenbuch Comment #2
State ⇒ Feedback
Not to be too picky, but sure, it'd be cool - any suggestions on how 
to do it in a way that doesn't make Horde overly complicated?

06/17/2008 10:49:17 PM liamr (at) umich (dot) edu Comment #1
State ⇒ New
Patch ⇒ No
Milestone ⇒
Queue ⇒ IMP
Summary ⇒ identity creation auditing
Type ⇒ Enhancement
Priority ⇒ 1. Low
It would be cool if the identity creation confirmation email...

- was only invoked when creating an identity with a non-local From / Reply-to

- could be directed to a central administrative user

Spammy users often control the addresses they use as From and 
Reply-to, so we don't gain a lot by having them confirm their spammy 
yahoo account.

Maybe there could be a web based admin tool to approve / deny 
identities.. something where the identity in question was displayed to 
the admin, so they could better judge whether the id was legit.