[Raw Msg Headers][Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Message submission via authenticated SMTP


> [...]
>     Comments in that file are asking for why the   zpwmatch()  can't
>     return error reports.
>     Well, theory is roughly, that for Security reasons your average
>     (ab)user should not hear if account really exists, or not.
>     That is, beside of IO-errors in DB engine (ok to tell ?),
>     reply should either be that: Password does check, or does not check.
>     (If account does not exist, reply is: "pw does not check")
> [...]

I thought about SMTP messages like "454 Temporary authentication 
failure" when a remote password database is not available. More
informative zpwmatch() interface does not force you to send the 
exact messages or error codes to the (ab)user.

Artur Urbanowicz