[UA-EAI] EAI Evaluation Widget
Arnt Gulbrandsen
arnt at gulbrandsen.priv.no
Fri Dec 29 11:11:58 UTC 2017
> punycode at punycode is certainly allowed, but the "punycode" in the local part is an ASCII local part that starts xn--..., not coded UTF-8.
That’s not clear to me. I see neither any SHOULD nor any MUST that SMTP servers must treat punycode in domains as they would unicode. Maybe I’ve missed something?
I’m not 100% sure, but I think that Wietse Venema would have rejected the Postfix patch if punycode were required. The natural (only?) way to handle punycode in MAIL FROM/RCPT TO commands would have been to call ICU’s conversion functions from within the SMTP server, and Wietse was concerned about the attack surface. ICU has had a few CVEs, and those commands take arguments from untrusted sources across the network.
Arnt
More information about the UA-EAI
mailing list