Tickets :: Comment on [#11376] Itip auto-accept requests

* Your Email Address
* Spam protection	Enter the letters below: . .__ .___.___.__ \| \| \[__ [__ [__) \|___\|__/[___\| \| \
Comment	>> That depends. Within an organization (for "local" addresses) it is >> trivial to prevent users from forging sender addresses. In that case >> there is no attack vector, since people will not be able to forge >> replies. > > This was a potential solution that the client and I have discussed. > Although I would disagree with the idea that it is "trivial" to > prevent users from forging sender addresses. Imagine an organization > like a university that may have 100,000+ users, and these users may > be in a variety of differently admin'd local networks (e.g. Physics > department, Economics department, etc.). Additionally, the > e-mail/user the invite was sent to may not match the responding user > (e.g. sent to slusarz@example.com but my mail is sent from > Michael.Slusarz@department.example.com) so forging addresses becomes > a more complicated situation. > >> But this is only the case for addresses we know are local, >> replies from external (non-local) users should probably never be >> auto-accepted. At the very least, there should be an option to treat >> local and non-local users differently. > > That being said, I would agree that we should provide an option for > the admin to allow auto-accepting of e-mails from within the same > domain. Or better still, allow the admin to provide a list of > domains to auto-accept from.
Attachment
Watch this ticket