Viktor Dukhovni:
> 
> 
> > On 16 Feb 2022, at 3:49 pm, Wietse Venema <wie...@porcupine.org> wrote:
> > 
> >> Can Postfix accept (without mangling) (with <ESC> representing
> >> the underlying character) any of:
> >> 
> >>    Server:
> >>        MAIL FROM:<"foo+\<ESC>bar"@example.com>
> >>        RCPT TO:<"foo+\<ESC>bar"@example.com>
> > 
> > Accepted, and preserved in SMTP/LMTP or mailbox delivery, but it
> > won't reach postqueue.
> 
> So presumably the envelope sender and recipient addresses in
> the queue file can hold non-printable characters.

Except for newline. Postfix also does not filter javascript in HTML
tags in an email address, which might be a greater threat than
escape characters.

> > There is a mandatory printable() filter in the bounce daemon after
> > it reads a request, before it writes the bounce/defer/etc log (look
> > for the VS_NEUTER macro). ESC does not count as a printable character.
> 
> Are envelope addresses censored (sanitised) by showq(8)?

That would be the wrong place. Non-printable characters are censored
in the bounce daemon as it writes the bounce/defer/etc log, and in
the postqueue command as it exports to a non-Postfix environment.

        Wietse
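
The boundary described in this message, as an added example that is not part of the original post and is not Postfix source code: the stored address keeps its raw bytes for delivery, and only the copy that leaves for a terminal or log is neutered. The names `neuter_copy` and `export_view` are hypothetical, and the filter is a simplification that treats only ASCII 0x20..0x7e as printable.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the quoted local-part from the thread with a real
 * ESC byte (octal 033) after the backslash. */
static const char RAW_ADDR[] = "\"foo+\\\033bar\"@example.com";

/* Hypothetical helper, ASCII-only: copy src to dst, replacing every byte
 * outside 0x20..0x7e with `replacement`. Always NUL-terminates, truncates
 * to dstlen, and returns how many bytes were replaced. */
size_t neuter_copy(char *dst, size_t dstlen, const char *src, int replacement)
{
    size_t i, replaced = 0;

    if (dstlen == 0)
        return 0;
    for (i = 0; src[i] != '\0' && i + 1 < dstlen; i++) {
        unsigned char c = (unsigned char) src[i];

        if (c < 0x20 || c > 0x7e) {
            dst[i] = (char) replacement;
            replaced++;
        } else {
            dst[i] = (char) c;
        }
    }
    dst[i] = '\0';
    return replaced;
}

/* Export boundary: what a terminal, log file or script gets to see. */
const char *export_view(const char *stored)
{
    static char buf[256];

    neuter_copy(buf, sizeof buf, stored, '?');
    return buf;
}

int main(void)
{
    /* The stored address keeps the ESC byte for delivery... */
    printf("stored has ESC: %s\n", strchr(RAW_ADDR, 033) ? "yes" : "no");
    /* ...while the exported form cannot drive a terminal. */
    printf("exported: %s\n", export_view(RAW_ADDR));
    return 0;
}
```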
