3 Apr
2009
3 Apr
'09
1:15 a.m.
Niels Mayer wrote:
FYI, one thing a future mail-rearchitecture might
consider supporting:
A better way of querying whether SMTP is working and the registration email
address is valid prior to creating the user being registered. It would
probably be a good idea to add the user and the user-document only after
successful SMTP delivery of the registration message. Or cleanup the created
user/document in a catch() on SMTP failure in
com.xpn.xwiki.XWiki.sendMessage().
Good idea, but note that many counter-spam features will make it
unreliable. Many systems when presented with an address like
xxx(a)yyy.zzz, where xxx is an user who does not exist, will simply say
it's accepted and trash it immediately.
What can and should be done is to 1) check if an address looks real
according to http://tools.ietf.org/html/rfc5321 , 2) check if the target
domain exists. There's no reliable way of checking if an user exists (I
believe SMTP has such a feature, but it's usually turned off to not make
spammers' lives easier). The only reliable way of dealing with
real-looking but invalid addresses is to give an user (for example)
24-72 hours for activation, then delete them (not necessarily after the
exact number of hours - a cleaning thread running once per day at
whatever time is considered low-traffic will do just fine). Of course
the number should be configurable - one admin would set it to 2h which
is a sensible minimum (long re-send delay + gray list = up to a little
above one hour until the user gets it), another would want one week to
give the user a chance to contact them and allow for manual activation
if needed for some reason.
For checking addresses see
http://commons.apache.org/validator/api-1.3.1/org/apache/commons/validator/…
Greetings, Lilianne