Re: [exim] Sender callouts

Author: Phil Brutsche
Date:  
To: exim-users
Subject: Re: [exim] Sender callouts
John W. Baxter wrote:
> Like Outlook 2003. Some genius in Redmond decided that having
> Outlook create the Message-Id: header revealed internal networking
> information. (That's true, it does.) So Outlook expects Exchange to
> add such a header (after all, why would you talk to anything else
> using Outlook).


It wasn't some genius in Redmond... Ok, so it was some genius in
Redmond. But that's not the whole reason.

The Message-ID header is no longer generated by Outlook because some
Outlook user(s) decided that having the machine's hostname in the
Message-ID header was a security problem - information leakage (and the
hostname in the Received: header isn't ???? ). Therefore Microsoft
decided to bow to customer demand and remove that "misfeature".

More ammunition for the argument for not generating the header is in sec
3.6.4 of RFC 2822:

Though optional, every message SHOULD have a "Message-ID:" field.

Since it's *technically* not required it is *theoretically* safe not to
generate the header.

Remember, these are the people (the users, not necessarily Microsoft's
developers although I think some of them do too) who firmly believe that
the default accept-then-bounce behavior of Exchange is a desirable
security-enhancing feature (prevents successful dictionary attacks
during the SMTP transaction) and *in theory* not a major problem. We all
know what happens in practice...

We should just be glad that in Exchange 2003 they made it easy to fix.

No, I don't want to get into a "discussion" about interpreting RFCs. If
a "discussion" does erupt, it's not my fault and I don't want to be part
of it. :D

--

Phil Brutsche
phil@???