On Thu, Jul 16, 2009 at 11:19 PM, Timo Sirainen <tss@iki.fi> wrote:
> On Fri, 2009-07-17 at 00:12 +0200, Axel Luttgens wrote:
>>> With large installations with multiple servers that could allow user to see e.g. if they're on the same server as someone else they know, or when they get moved to a different servers, etc.. But is this a real issue? Maybe not.
>> I tend to agree with the latter. First, hiding the info would tend towards security through obscurity. Second, it is very likely that the info would anyway be leaked through some other parts of the transport layers. Third, one may hope that the security of smtp/imap/pop software doesn't depend on the availability of such info. ;-)
> It's not really about the security, but more about exposing some information that maybe the IMAP service provider would have preferred if you didn't know about.
If I may chip in my opinion:
Information disclosure *is* a security problem. And this trend is increasing as systems tend to become more secure and direct break-ins are tougher and tougher. So attackers resort to weaker links - people.
When confronted with a choice of disclosing information or not (provided that the functionality level is the same, of course, and that the protocol standards are being followed) I see no reason to disclose it. It is just about following good practice.
At the end of the day, and in this case, the impact of disclosing this information is pretty close to 0.
Unfortunately I'm no longer a sysadmin and I don't know if "my" hosted multi-[virtual]-domain postfix/ldap/dovecot installations are still running, but I haven't yet found the reason to go back to other software.
Cheers, Pedro.
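The thread is about what a client can learn from the IMAP greeting of a multi-server installation. The following is an added example, not code from the thread or from Dovecot: a small offline check that, given the greeting each backend in a pool returns, reports whether a client could tell the backends apart at all and whether any greeting carries a hostname-like token. The greeting strings, the server names and the hostnames in them are constructed for this example (Dovecot's default greeting is the bare "Dovecot ready."; the hostnames shown here are assumed to have been added by an operator's `login_greeting` setting).

```python
import re

# Constructed sample greetings from a hypothetical three-server pool.
# They are made up for this example and do not come from the original thread.
SAMPLE_GREETINGS = {
    "imap-a": "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR IDLE STARTTLS AUTH=PLAIN] "
              "mx3.example.net Dovecot ready.",
    "imap-b": "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR IDLE STARTTLS AUTH=PLAIN] "
              "mx7.example.net Dovecot ready.",
    "imap-c": "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR IDLE STARTTLS AUTH=PLAIN] "
              "Dovecot ready.",
}

# Untagged OK greeting, optionally followed by a bracketed response code
# such as [CAPABILITY ...], then free text chosen by the server operator.
GREETING_RE = re.compile(r"^\* OK(?: \[[^\]]*\])?\s*(.*)$")

# Crude hostname detector: two or more dot-separated labels ending in an
# alphabetic TLD. Good enough to flag "mx3.example.net", not a full validator.
HOSTNAME_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def greeting_text(greeting):
    """Return the operator-controlled free text of an IMAP greeting line.

    The CAPABILITY response code is standard protocol and identical across a
    correctly configured pool, so only the trailing text is interesting here.
    """
    m = GREETING_RE.match(greeting)
    if m is None:
        raise ValueError("not an untagged OK greeting: %r" % greeting)
    return m.group(1).strip()


def find_leaked_hostnames(greeting):
    """List hostname-like tokens in the free-text part of a greeting."""
    return HOSTNAME_RE.findall(greeting_text(greeting))


def distinguishable_servers(greetings):
    """Group servers by the free text of their greeting.

    If the result has more than one group, a client can tell which group it
    landed on simply by reading the banner, which is the disclosure the thread
    discusses; a single group means every server presents the same banner.
    """
    groups = {}
    for server, greeting in greetings.items():
        groups.setdefault(greeting_text(greeting), []).append(server)
    return groups


def audit_pool(greetings):
    """Summarise the pool: per-server hostname leaks plus the grouping."""
    return {
        "leaks": {s: find_leaked_hostnames(g) for s, g in greetings.items()},
        "groups": distinguishable_servers(greetings),
    }


if __name__ == "__main__":
    report = audit_pool(SAMPLE_GREETINGS)
    for server, hosts in report["leaks"].items():
        print("%s: %s" % (server, ", ".join(hosts) or "no hostname in greeting"))
    print("%d distinct banner(s) across %d server(s)"
          % (len(report["groups"]), len(SAMPLE_GREETINGS)))
```

Run against a real pool, the greetings would come from one `b"* OK ..."` line read per backend after connecting (and after STARTTLS, if the greeting is re-sent). The check only inspects the banner; as Axel notes above, the same information may still be observable elsewhere in the transport, so a uniform banner is a matter of not volunteering the detail rather than of hiding it.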