Dec. 29, 2017
11:11 a.m.
punycode@punycode is certainly allowed, but the "punycode" in the local part is an ASCII local part that starts xn--..., not coded UTF-8.
That’s not clear to me. I see neither any SHOULD nor any MUST that SMTP servers must treat punycode in domains as they would Unicode. Maybe I’ve missed something?

I’m not 100% sure, but I think that Wietse Venema would have rejected the Postfix patch if punycode were required. The natural (only?) way to handle punycode in MAIL FROM/RCPT TO commands would have been to call ICU’s conversion functions from within the SMTP server, and Wietse was concerned about the attack surface. ICU has had a few CVEs, and those commands take arguments from untrusted sources across the network.

Arnt