[Raw Msg Headers][Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Message submission via authenticated SMTP
Matti,
> [...]
> Comments in that file are asking for why the zpwmatch() can't
> return error reports.
>
> Well, theory is roughly, that for Security reasons your average
> (ab)user should not hear if account really exists, or not.
> That is, beside of IO-errors in DB engine (ok to tell ?),
> reply should either be that: Password does check, or does not check.
> (If account does not exist, reply is: "pw does not check")
> [...]
I thought about SMTP messages like "454 Temporary authentication
failure" when a remote password database is not available. More
informative zpwmatch() interface does not force you to send the
exact messages or error codes to the (ab)user.
Regards,
Artur Urbanowicz