Curtis H. Wilbar Jr.:
> Wietse Venema wrote:
> > Curtis H. Wilbar Jr.:
> >> Running a Postfix 2.2 server...
> >>
> >> The server won't accept u...@somewhereelse.com@ourserver.com
> >>
> >> But, it is accepting @somewhereelse.com:u...@ourserver.com
> >
> > This is historical syntax, and is deprecated.
> >
> > For compatibility, Postfix accepts the syntax and processes it as
> > if the client had sent "u...@ourserver.com" instead.
> >
> >> We will be upgrading Postfix soon, but in the meantime, how do I best
> >> block this ?
> >>     
> >
> > It is harmless.
> 
> I discovered as much... but it is showing up on a PCI scan... and while
> I can submit it as a false positive, is there a way to block this syntax
> at the RCPT TO phase ?

You might try the Postfix 2.7 smtpd_command_filter feature to
replace this input by other input that triggers a reject. For
example, this example strips off the text after ":". This leaves
the offending part that starts with "@", which is rejected with
"strict_rfc821_envelopes = yes".

/etc/postfix/main.cf:
    strict_rfc821_envelopes = yes
    smtpd_command_filter = pcre:/etc/postfix/cmd_filter

/etc/postfix/cmd_filter:
    # smtpd_command_filter sees the whole command line, so the pattern must
    # match from "RCPT TO:"; the result replaces the entire line. Drop the
    # text after the route's ":" and keep any ESMTP parameters after ">".
    /^(RCPT\s+TO:\s*<@[^:>]+):[^>]*(>.*)$/    $1$2

Otherwise, there is no vulnerability, so I am not in a hurry to
"fix" it. You can flag it as a false positive.

        Wietse
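Added example (not part of the thread, not Postfix code): a small Python harness that reproduces how a pcre command-filter table is applied, so a rule can be checked against sample RCPT TO lines before it goes into /etc/postfix/cmd_filter. It assumes the documented smtpd_command_filter semantics (the table is matched against the whole command line, the first matching rule wins, and the lookup result replaces the entire line); the rule, the sample commands and the .example domains are constructed for the illustration.

```python
import re

# Constructed sample SMTP command lines, including a source-routed
# recipient, a multi-hop route with an ESMTP parameter, and a plain one.
SAMPLE_COMMANDS = [
    "RCPT TO:<@somewhereelse.example:user@ourserver.example>",
    "RCPT TO:<@a.example,@b.example:user@ourserver.example> NOTIFY=NEVER",
    "RCPT TO:<user@ourserver.example>",
    "MAIL FROM:<sender@ourserver.example> SIZE=1000",
]

# Rules in the shape of a Postfix pcre table: (pattern, replacement).
# Postfix pcre tables are case-insensitive by default and use $1, $2 ...
# for back-references. This rule keeps "RCPT TO:<@route" and the trailing
# ">..." (so ESMTP parameters survive) and discards the text after ":".
RULES = [
    (r"^(RCPT\s+TO:\s*<@[^:>]+):[^>]*(>.*)$", r"$1$2"),
]


def apply_command_filter(command, rules=RULES):
    """Return (rewritten_command, matched) for one SMTP command line.

    Mirrors smtpd_command_filter: first matching rule wins and its result
    replaces the whole line; a line that matches nothing is left alone.
    """
    for pattern, replacement in rules:
        m = re.match(pattern, command, re.IGNORECASE)
        if m:
            # Translate Postfix-style $N back-references to Python's \N.
            py_replacement = re.sub(r"\$(\d+)", r"\\\1", replacement)
            return m.expand(py_replacement), True
    return command, False


# Detects the deprecated "<@route:" source-route form in a command line.
ROUTE_ADDR = re.compile(r"<@[^:>]*:", re.IGNORECASE)


def has_source_route(command):
    """True if the command still carries an "@route:" prefixed address."""
    return bool(ROUTE_ADDR.search(command))


def filter_all(commands=SAMPLE_COMMANDS):
    """Run every sample through the filter; return a list of result tuples."""
    results = []
    for cmd in commands:
        out, matched = apply_command_filter(cmd)
        results.append((cmd, out, matched, has_source_route(out)))
    return results


if __name__ == "__main__":
    for original, rewritten, matched, routed in filter_all():
        print(f"{'REWRITE' if matched else 'pass   '}  {original}")
        if matched:
            print(f"          -> {rewritten}  (route left: {routed})")
```

Because the verifier runs this with Python's `re` rather than Postfix's PCRE, it checks the rewriting logic only; the actual table should still be exercised with `postmap -q "RCPT TO:<...>" pcre:/etc/postfix/cmd_filter` on the mail host, and the rejection itself comes from strict_rfc821_envelopes, not from the filter.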
