Viktor Dukhovni:

> On Wed, Mar 24, 2021 at 09:47:26PM +0000, Paul Fowler wrote:
>
> > I just got around to testing these parameters this evening.
> > They work as you suggested but I'm concerned about the potential
> > security implications. So I'll do some more research in this area and
> > see whether this is still worth pursuing further.
>
> If you're not relaying to any (possibly internal) systems that
> grant your MTA unrestricted access to send to any address, and
> also support UUCP bang paths, then you're OK.
>
> If you do relay to MTAs that trust your MTA as a relay client, and do
> support "!" and "%" source routes (default configurations of Sendmail,
> Postfix, ...), then allowing such addresses is quite risky.
One more thing: you would actually need to specify all three:

    allow_untrusted_routing = no
    swap_bangpath = no
    allow_percent_hack = no

Without the third one, you could be an open relay (when forwarding
email) with addresses of the form user%remote-site@your-site.

According to Exim documentation (link below) the '!' and '%' are not
special in email addresses, so we know that at least it does not appear
to break legitimate usage.

	Wietse

https://www.exim.org/exim-html-current/doc/html/spec_html/ch-address_rewriting.html

Exim does not handle addresses in the form of "bang paths". If it sees
such an address it treats it as an unqualified local part which it
qualifies with the local qualification domain (if the source of the
message is local or if the remote host is permitted to send unqualified
addresses). Rewriting can sometimes be used to handle simple bang paths
with a fixed number of components. For example, the rule

    \N^([^!]+)!(.*)@your.domain.example$\N $2@$1

rewrites a two-component bang path host.name!user as the domain address
u...@host.name. However, there is a security implication in using this
as a global rewriting rule for envelope addresses. It can provide a
backdoor method for using your system as a relay, because the incoming
addresses appear to be local. If the bang path addresses are received
via SMTP, it is safer to use the "S" flag to rewrite them as they are
received, so that relay checking can be done on the rewritten addresses.
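A small Python model of the address resolution this thread is about, added here as an illustration; it is not Postfix code and not part of the thread. It shows why the two rewriting settings matter: with bang-path swapping and the percent hack on, user%remote-site@your-site and remote-site!user@your-site both end up pointed at the remote site, while with both off they stay ordinary local addresses. The local-domain set, the sample addresses and the simplified peel-and-re-resolve loop are constructed assumptions; allow_untrusted_routing (the third setting Wietse names) is not modelled.

```python
from dataclasses import dataclass
LOCAL = {"your-site"}                                   # constructed sample local domain
HARDENED = dict(swap_bangpath=False, allow_percent_hack=False)

@dataclass(frozen=True)
class Resolved:
    localpart: str
    domain: str      # "" means the address stayed unqualified (local)
    routed: bool     # True when the destination came from a sender-supplied route

def rewrite(addr: str, swap_bangpath: bool, allow_percent_hack: bool) -> str:
    """Apply the two rewriting hacks to an address that has no domain part."""
    if "@" in addr:
        return addr
    if swap_bangpath and "!" in addr:            # site!user -> user@site
        site, user = addr.split("!", 1)
        return f"{user}@{site}"
    if allow_percent_hack and "%" in addr:       # user%site -> user@site (rightmost %)
        user, site = addr.rsplit("%", 1)
        return f"{user}@{site}"
    return addr

def resolve(addr: str, local_domains: set, *, swap_bangpath: bool = True,
            allow_percent_hack: bool = True, max_hops: int = 8) -> Resolved:
    """Model: a local domain whose local part still carries a route is peeled off and re-resolved."""
    routed = False
    for _ in range(max_hops):
        rewritten = rewrite(addr, swap_bangpath, allow_percent_hack)
        routed = routed or rewritten != addr
        addr = rewritten
        if "@" not in addr:
            return Resolved(addr, "", routed)
        localpart, domain = addr.rsplit("@", 1)
        if domain.lower() not in local_domains:
            return Resolved(localpart, domain, routed)
        route_chars = "@" + ("!" if swap_bangpath else "") + ("%" if allow_percent_hack else "")
        if any(c in localpart for c in route_chars):
            addr, routed = localpart, True       # the local domain was only a hop
            continue
        return Resolved(localpart, domain, routed)
    raise ValueError(f"too many source-route hops in {addr!r}")

def relays_outward(addr: str, local_domains: set, **settings) -> bool:
    """True when a sender-supplied route would carry the message to a non-local domain."""
    r = resolve(addr, local_domains, **settings)
    return r.routed and r.domain != "" and r.domain.lower() not in local_domains

if __name__ == "__main__":
    for a in ("user%remote-site@your-site", "remote-site!user@your-site", "alice@your-site"):
        print(f"{a}: defaults={relays_outward(a, LOCAL)} hardened={relays_outward(a, LOCAL, **HARDENED)}")
```

Running it prints, for each sample address, whether the default and the hardened settings would let a sender-supplied route carry the message off-site.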