Thunderbird:Autoconfiguration:MozillaWebservicePublish

From MozillaWiki
Jump to: navigation, search

How to fill the Mozilla server config database

The Mozilla webservice should contain configuration information for all major ISPs, where "major" probably means > 1 million users. These are still a few dozen or hundred configs.

We need a way to get the configuration files on the Mozilla server, and be sure that the configuration is correct. If anybody can just upload settings, we run into security problems by mischiefs abusing that.

Seed

At the start, for the largest ISPs, I think it's possible to do create the configuration files by hand.

  1. Pick the huge mail providers you know about and which offer POP/IMAP access, e.g. Yahoo, AOL, Verizon, Orange (France), T-Online (Germany) etc., and find the config on their webpages.
  2. Take a random list with lots of email addresses, e.g. usenet, big mailing list, what have you, sort by most frequent domain name, pick the top 30 or so, find config on their webpages.

Process to add/Edit configs in the ISP DB

The ISP DB is maintained by Mozilla Messaging. In order to make sure that the data added to the list is correct and users are secure, Mozilla Messaging is putting up this procedure.

The data contained on this list is public domain.

Anybody can add configurations in the database, but they must be correct. Some people are designated as reviewers, who can approve a configuration in the database.

Even approved configurations are currently not immediately put live, see bug 526496.

There's a Google group for discussing the DB.

Sharing by users

To allow users to upload configurations, we can add a simple button in the account management dialog, "Publish account setup" or similar, which publishes the user's current account config to the Mozilla webservice.

  • Before upload, field values - esp. username etc. - are compared with known placeholders and replaced with the placeholder where possible.
  • If username fields could not be replaced or still contains literals, TODO show to use and ask him whether this has no personal information anymore, or needs to be entered by the user (and if so the field label), or what to do with it.
  • Maybe we show the resulting config (file) to the user again, to confirm that it contains no user-specific data anymore.
  • After upload, the Mozilla server checks whether the domain of the IMAP/POP/SMTP hostnames match the email domain. If not, it's quarantined and needs to be checked by a human moderator.
  • The server checks whether a configuration file already exists for this domain. If yes, the new one is quarantined and a human moderator needs to check which one is better. (It is possible that the old one was wrong or is outdated.)

The above is just a rough plan, more thought is needed on the details and whether more checks are needed, and how to deal with them.