[Done] Internal recipient LDAP validation before sending email (abuse protection)

Discussion in 'Feature Requests' started by David, Oct 8, 2016.

  1. David (Administrator, Staff Member; joined Dec 1, 2015; 781 messages; 31 likes received)
    I would like our FTA to validate internal email addresses (via LDAP lookup) before sending external files/emails to internal addresses. Obviously, this will not work for sending email/files to external users (there is no possible way to look up a directory of all possible external email addresses), but all internal email addresses are stored in our Active Directory and can be checked via LDAP at any time.

    The intention here is to avoid the possible scenario where an external user could create an account on our FTA (which we allow anyone to do) and then send an inappropriate file to a non-existent internal user, and then continue to access that file in their Sent Messages. Currently, the FTA does allow such an occurrence; this was brought to our attention by a security consultant we engaged to test/penetrate our public web sites. I have tested this with an external account: I sent an email/file that is not received by anyone (sent to a non-existent internal address) and the email/file remains visible in my Sent Messages. This allows me/the external user to download the file again at another time... effectively using/abusing our FTA as a personal file storage appliance. If this issue was exploited, and inappropriate files were found to be stored on our FTA, our organisation could be in a lot of trouble!

    I believe that, since all internal email addresses must exist in our Active Directory, an option to perform an LDAP lookup before sending (from external to internal only) will resolve this potential abuse scenario.
     
  2. David (Administrator, Staff Member; joined Dec 1, 2015; 781 messages; 31 likes received)
    Comments
    Johan Allard, LiquidFiles:
    External users can't (since v2.x at least) download files they've sent, solving this problem (without exposing internal addresses).

    May 15, 2013, 07:55
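As an added, runnable illustration of both the check David asks for and the control Johan describes (this is not LiquidFiles code, and none of the names below come from the thread), the following Python sketch applies the rule "external sender plus internal-domain recipient requires a directory hit" and, separately, denies external senders any re-download from Sent Messages. It assumes a hypothetical internal domain of example.com, a constructed in-memory stand-in for the Active Directory lookup so it runs offline, and an injectable lookup callable; the filter builder shows the RFC 4515 escaping a real LDAP query needs so that a sender-supplied address cannot alter the search.

```python
"""Recipient validation for a self-service file-transfer appliance (illustrative).

Assumptions, not facts from the thread: INTERNAL_DOMAINS, CONSTRUCTED_DIRECTORY
and all function names are invented for this example; a real deployment would
replace the lookup callable with an LDAP search using build_recipient_filter().
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Iterable, List

# Hypothetical internal mail domain(s); the thread does not name one.
INTERNAL_DOMAINS = {"example.com"}

# Constructed stand-in for the addresses an AD search on the 'mail' attribute
# would find. Not data from the thread.
CONSTRUCTED_DIRECTORY = {"alice@example.com", "bob@example.com"}

# RFC 4515 escape sequences for characters with meaning inside a search filter.
_LDAP_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

_EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def escape_ldap_filter(value: str) -> str:
    """Escape a sender-controlled string before embedding it in an LDAP filter,
    so an address such as '*)(objectClass=*' cannot widen or rewrite the search."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_recipient_filter(email: str) -> str:
    """Filter matching a mail-enabled AD user by primary or proxy address.
    This is the string a deployment would hand to its LDAP client."""
    e = escape_ldap_filter(email)
    return f"(&(objectClass=user)(|(mail={e})(proxyAddresses=smtp:{e})))"


def is_internal_address(email: str) -> bool:
    """True when the address belongs to one of the configured internal domains."""
    _, _, domain = email.rpartition("@")
    return domain.lower() in INTERNAL_DOMAINS


@dataclass
class RecipientVerdict:
    accepted: List[str] = field(default_factory=list)
    rejected: List[str] = field(default_factory=list)


def validate_recipients(sender_is_external: bool,
                        recipients: Iterable[str],
                        directory_has: Callable[[str], bool]) -> RecipientVerdict:
    """Apply the proposed rule: only for an external sender, and only for
    internal-domain recipients, require the address to exist in the directory.
    External recipients cannot be looked up anywhere and so pass through."""
    verdict = RecipientVerdict()
    for raw in recipients:
        addr = raw.strip().lower()
        if not _EMAIL_RE.fullmatch(addr):
            verdict.rejected.append(addr)  # not even a plausible address
            continue
        if sender_is_external and is_internal_address(addr) and not directory_has(addr):
            verdict.rejected.append(addr)  # unknown internal recipient
            continue
        verdict.accepted.append(addr)
    return verdict


def sent_file_download_allowed(sender_is_external: bool) -> bool:
    """The alternative control from the reply: an external sender may never
    re-download a file from Sent Messages, whoever the recipient was."""
    return not sender_is_external


def demo() -> RecipientVerdict:
    """Run the check with the constructed directory standing in for LDAP."""
    lookup = lambda addr: addr in CONSTRUCTED_DIRECTORY
    return validate_recipients(
        sender_is_external=True,
        recipients=["Alice@example.com", "ghost@example.com",
                    "partner@other.org", "not-an-address"],
        directory_has=lookup,
    )


if __name__ == "__main__":
    v = demo()
    print("accepted:", v.accepted)
    print("rejected:", v.rejected)
    print("filter:", build_recipient_filter("*)(objectClass=*"))
```

Two practical caveats follow from the sketch. First, rejecting unknown internal recipients turns the appliance into an oracle for which internal addresses exist, usable by anyone who can self-register; that exposure is exactly what the reply's approach (no re-download for external senders) avoids, so if the LDAP check is deployed it should be rate-limited and its error text kept generic. Second, the lookup must go through an escaped filter as above; concatenating the recipient string straight into the query would let a sender steer the search.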