Am 09.03.24 um 22:26 schrieb Julian Bradfield via Exim-users:
Following an idle-moment post on mailop, I wonder:
From the default config:
---
acl_check_rcpt:
accept hosts = :
deny domains = +local_domains
local_parts = ^[.] : ^.*[@%!/|]
message = Restricted characters in address
deny domains = !+local_domains
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
message = Restricted characters in address
@Jeremy:
Why aren't the extended restrictions for the "$run{}" attack the new
defaults?
local_parts = ^[.] : ^.*[\$@%!/|] : ^.*x24 : ^.*0.44
local_parts = ^[./|] : ^.*[\$@%!] : ^.*/\\.\\./ : ^.*x24 :
^.*0.44
Doesn't it make sense to have two barriers in the way and not relaying
on only one defense line(the patched string expand flaw) ?
This does not costs us anything besides some cpu cycles. Existing
configs won't get changed by new defaults for new installations. It
could be changed with a new major release i.e. 4.98 .
Firstly, I don't understand the logic of accepting any address from an
stdio submission, while applying the restriction to a localhost tcp
submission.
Simple: on multiuser systems you never know who got hacked, has
malicouse intents or uses faulty webapps. X
Secondly, is there really any reason nowadays for restricting % and !
?
The last time I saw a % address was in 1995, and the last time I saw a
! address was in 1994. (And of course, when I did see them, they had
As may imagined: hackers do not care when it was used last. They care,
if it triggers something they can leverage.
--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscr...@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
