[exim] Re: restricted characters in address
On 09.03.24 at 22:26, Julian Bradfield via Exim-users wrote:
> Following an idle-moment post on mailop, I wonder:
> From the default config:
> ---
> acl_check_rcpt:
>   accept  hosts = :
>   deny    domains     = +local_domains
>           local_parts = ^[.] : ^.*[@%!/|]
>           message     = Restricted characters in address
>   deny    domains     = !+local_domains
>           local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
>           message     = Restricted characters in address

@Jeremy: Why aren't the extended restrictions for the "$run{}" attack the new defaults?

  local_parts = ^[.] : ^.*[\$@%!/|] : ^.*x24 : ^.*0.44
  local_parts = ^[./|] : ^.*[\$@%!] : ^.*/\\.\\./ : ^.*x24 : ^.*0.44

Doesn't it make sense to have two barriers in the way and not rely on only one line of defense (the patched string-expansion flaw)? This does not cost us anything besides some CPU cycles. Existing configs won't get changed by new defaults for new installations. It could be changed with a new major release, i.e. 4.98.

> Firstly, I don't understand the logic of accepting any address from a
> stdio submission, while applying the restriction to a localhost tcp
> submission.

Simple: on multiuser systems you never know who got hacked, has malicious intents or uses faulty webapps.

> Secondly, is there really any reason nowadays for restricting % and ! ?
> The last time I saw a % address was in 1995, and the last time I saw a
> ! address was in 1994. (And of course, when I did see them, they had

As you may imagine: hackers do not care when it was used last. They care if it triggers something they can leverage.

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscr...@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
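As an added example, not part of this thread and not Exim code, the local_parts patterns of the default acl_check_rcpt quoted above are evaluated in Python against constructed recipient addresses, once as shipped and once with the extra '$' rule proposed in the message, so one can see exactly which recipients each variant rejects. The local-domain list and the sample addresses are assumptions; the third non-local pattern is implemented as "contains /../", which is what the default configuration's comment says it is for; and the "x24" / "0.44" entries from the message are left out.

```python
import re

# Added example, not from the exim-users thread or the Exim project: the
# local_parts deny rules of Exim's default acl_check_rcpt, as Python regexes.

# Default config: recipients in +local_domains.
LOCAL_DENY = [r"^[.]", r"^.*[@%!/|]"]
# Default config: recipients outside +local_domains. Assumption: the third
# pattern is meant to reject "/../", as the default config's comment says.
NONLOCAL_DENY = [r"^[./|]", r"^.*[@%!]", r"^.*/\.\./"]

# Extended variant from the thread: additionally reject a literal '$' in the
# local part, so it can never reach a string expansion unescaped.
LOCAL_DENY_EXT = [r"^[.]", r"^.*[\$@%!/|]"]
NONLOCAL_DENY_EXT = [r"^[./|]", r"^.*[\$@%!]", r"^.*/\.\./"]

# Constructed stand-in for the +local_domains list.
LOCAL_DOMAINS = {"example.org"}


def split_address(addr):
    """Split on the rightmost '@'; everything before it is the local part."""
    local_part, sep, domain = addr.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError("not a user@domain address: %r" % addr)
    return local_part, domain.lower()


def check_rcpt(addr, extended=False, local_domains=LOCAL_DOMAINS):
    """Return ('deny', pattern) for the first matching rule, else ('accept', None).

    Exim treats a list item starting with '^' as a regex tested against the
    local part; all of these are anchored at the start, so re.match is right.
    """
    local_part, domain = split_address(addr)
    if domain in local_domains:
        rules = LOCAL_DENY_EXT if extended else LOCAL_DENY
    else:
        rules = NONLOCAL_DENY_EXT if extended else NONLOCAL_DENY
    for pattern in rules:
        if re.match(pattern, local_part):
            return "deny", pattern
    return "accept", None


# Constructed sample recipients: legacy source-route forms, a pipe, a
# path-traversal attempt and a local part carrying an expansion item.
SAMPLES = [
    "alice@example.org",
    ".alice@example.org",
    "alice|/usr/bin/id@example.org",
    "alice%target.example@example.org",
    "target.example!alice@other.example",
    "a/../b@other.example",
    "a/b@other.example",
    "${run{/usr/bin/id}}@other.example",
]


def report(extended=False):
    """Verdict for every sample under the default or the extended rules."""
    return {addr: check_rcpt(addr, extended)[0] for addr in SAMPLES}


if __name__ == "__main__":
    for addr in SAMPLES:
        print("%-40s default=%-6s extended=%s"
              % (addr, check_rcpt(addr)[0], check_rcpt(addr, True)[0]))
```

The last sample is the interesting one: a local part built from an expansion item is accepted by the shipped non-local rule (it contains none of @ % ! and does not start with . / |) and only the extended rule catches it. Note also that a plain '/' in a non-local local part passes both variants; the shipped rule only objects to a leading '/' or to "/../".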
[exim] Re: restricted characters in address
On 2024-03-10, Viktor Dukhovni via Exim-users wrote:
> On Sat, Mar 09, 2024 at 09:26:39PM +, Julian Bradfield via Exim-users wrote:
> When Exim or any other MTA relays mail with "%" or "!" addresses to an
> internal MTA, that MTA might be configured to support legacy address
> syntax forms. The combined front-end + internal system becomes an
> open relay.

That would be a configuration problem for that site - not a reason to
stop your users replying to perfectly valid addresses.

> And by the way, by default Postfix still supports % and ! addresses:
>
> https://www.postfix.org/postconf.5.html#allow_percent_hack
> https://www.postfix.org/postconf.5.html#swap_bangpath

But it doesn't route them.

https://www.postfix.org/postconf.5.html#allow_untrusted_routing
[exim] Re: restricted characters in address
On 2024-03-10, Cyborg via Exim-users wrote:
>> Firstly, I don't understand the logic of accepting any address from a
>> stdio submission, while applying the restriction to a localhost tcp
>> submission.
>
> Simple: on multiuser systems you never know who got hacked, has
> malicious intents or uses faulty webapps.

On a multiuser system, anybody can pipe a message into exim, can't they?
[exim] Re: restricted characters in address
On 2024-03-10, Cyborg via Exim-users wrote:
>> The last time I saw a % address was in 1995, and the last time I saw a
>> ! address was in 1994. (And of course, when I did see them, they had
>
> As you may imagine: hackers do not care when it was used last. They care
> if it triggers something they can leverage.

Anybody who has an open relay because of supporting a 30-year-obsolete
(and non-RFC) facility is asking for trouble.
(I also haven't seen such attempts in my logs.)
[exim] Re: Message ID in envelopes with multiple recipients
Hi,

On Sat, 9 Mar 2024 15:38:43 +, Jeremy Harris via Exim-users wrote:
> However, the text of the headers (and body) of the message used as
> input for the various hashes and signatures of the DKIM signing *is*
> the output of any transport filter (this adds significant coding and

I will leave transport_filter out, as I agree with you that using
headers_rewrite is much better and more straightforward for this.

> cpu overhead, as it happens). The documentation for this is the
> source-code, for anybody caring that much.

Reading source code is not as easy for someone who doesn't speak C...

> These facilities are applied before any transport filter, and hence
> before the dkim signing operation. I am reasonably sure that a
> rewrite will be visible in $h_* expansion syntax used in dkim signing
> option. However, the result of adds and removes will not be
> (sigh. That should probably be fixed).

I did a test which confirms my early tests (stock Debian stable):

  Exim version 4.96 #2 built 01-Jan-2024 16:58:00

I set up in the transport (beside others):

  headers_rewrite = *@mailt.internal $1@real frs
  ...
  dkim_domain = ${acl{dkim_dom}}
  dkim_private_key = ${acl{dkim_key}}
  dkim_selector = default

I defined ACLs for that, to log the values:

  dkim_dom:
    accept logwrite = DKIMrw: from_domain ${domain:$rh_from:}
           message  = ${domain:$rh_from:}

  dkim_key:
    accept logwrite = DKIMrw: dkim_domain $dkim_domain

And sending a test message (via stdin) results in these logs:

  1rjGgs-000eYe-0U <= root@mailt.internal U=root P=local S=418
  1rjGgs-000eYe-0U DKIMrw: from_domain mailt.internal
  1rjGgs-000eYe-0U DKIMrw: dkim_domain mailt.internal
  1rjGgs-000eYe-0U => my@real ...

I didn't set up a key for this test, thus signing doesn't happen, but from the log one can see that from_domain & dkim_domain have the value before the rewrite (the received message has the rewritten values).

regards

--
Slavko
https://www.slavino.sk
[exim] Re: restricted characters in address
On 10/03/2024 08:51, Cyborg via Exim-users wrote:
> @Jeremy:

Was that aimed at me? There is no "@" in my name.

> Why aren't the extended restrictions for the "$run{}" attack the new defaults?

Because nobody thinks it useful enough?
(I suspect it was one of the attacks that led to the introduction of
taint-tracking, for which a shedload of people bitched and moaned, and
worked hard on identifying ways to evade. I think I saw a grand total
of one approving comment).

But, hey, it's a part of the configuration that is under your control.
You want something there, you can add it.

--
Cheers,
  Jeremy
[exim] Re: Message ID in envelopes with multiple recipients
On 10/03/2024 11:29, Slavko via Exim-users wrote:
> from log one can see that from_domain & dkim_domain has value before
> rewrite (received message has rewritten values).

That matches my code-diving. You can't use (transport) header
manipulation results in the transport's dkim-control options (but the
changed values are what gets signed, if any such headers are included
in the definition for the signature).

I'll add this to the docs for now.

--
Cheers,
  Jeremy
[exim] a common(?) usecase with smarthost
I started to write up my issue, then thought I probably had the solution already (1: I may be wrong, 2: other people may have the same issue).

TL;DR .. jump to ***

I've been struggling with various setups recently and it occurred to me there's nothing really special in what I want to do, it's probably a Well-Known-Setup.

- I own a domain "mydomain.com"
- I have an "always on server" (SMTP, dovecot, fetchmail)
- I have a "mail hosting company" forwardemail.net
- I don't open any incoming ports to my home systems (I use fetchmail)

Mail sent within the house is usually sent to user@home. The exim config (Debian) has dc_other_hostnames='..home,mydomain.com...'

With my previous mail hosting company, I redirected mail addressed to n...@mydomain.com to them. They saved it in a few mailboxes and I downloaded every 10 minutes to my home. All works fine except you can only read/write mail while at home (i.e. on the home LAN inside the firewall).

When I switched to the new provider I carried over this model. However, since they are more "full featured" I wanted to do better.

So right now if I send mail inside the house to:

1. graeme - Delivered Locally
2. graeme@home - Delivered Locally
3. gra...@mydomain.com - Delivered Locally
4. gra...@gmail.com - Gets sent to smarthost (forwardemail.net)

So things only leave the house iff they are for "somebody outside the house". If somebody mails me from outside the house, it obviously:

5. gra...@mydomain.com - Goes to forwardemail.net and I pop/imap it down to the home server.

Now what I'd like to do is be able to send/receive email outside the house. So:

i: I leave mail sent from the outside world on forwardemail.net (don't delete it). pop *copies* it down to the local home server (there are issues of spam and space usage etc).
ii: When I'm outside the house I use smtp.forwardemail.net to send (and read imap.forwardemail.net).
iii: When I'm inside the house I use smtp.home as my mailer and look at the local imap.home server (dovecot).

But here's the rub ...and I suspect it's simple (if you know how to fix it). While at home:

- if I mail user@home I want it to not leave the house
- if I mail u...@mydomain.com, I want it to go out to forwardemail.net

(Why? Because much of the mail to user@home is error reports and logs from other systems.)

So this seems easy...right? I just edit dc_other_hostnames="" and remove mydomain.com, then all mail to user@home stays local, but all mail to u...@mydomain.com goes out to forwardemail.net...great

EXCEPT.. won't this mean that outgoing mail says it's from graeme@home ?? Which is unusable out in the real world.

***

Then I spotted: dc_hide_mailname and dc_readhost. Is this their exact purpose?

So, taken together:

1: Set /etc/mailname to "home"
2: Set dc_other_hostnames=" ... home" and a few similar names but NOT "mydomain.com"
3: Set dc_readhost=mydomain.com and dc_hide_mailname=true

So inside the house, people (machines) can mail graeme@home and it stays in the house, or mail gra...@mydomain.com and it goes out to the smarthost WITH the legal external address (e.g. from u...@mydomain.com NOT user@home).
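For reference, the Debian update-exim4.conf.conf those three settings amount to, as an added example that is not part of the post. The domain names come from the post; the smarthost port, the server's LAN address and the LAN subnet are assumptions; authentication to the smarthost lives in /etc/exim4/passwd.client and is not shown.

```conf
# /etc/exim4/update-exim4.conf.conf  (constructed example, not from the post)
# /etc/mailname must contain the single line:  home

dc_eximconfig_configtype='smarthost'

# Domains treated as local: mail to user@home is delivered here.
# "mydomain.com" is deliberately NOT listed, so user@mydomain.com is routed
# like any other remote domain, i.e. via the smarthost.
dc_other_hostnames='home'

# Listen on loopback and on the LAN so other machines can use smtp.home.
# 192.0.2.10 is an assumed LAN address of this server.
dc_local_interfaces='127.0.0.1 ; ::1 ; 192.0.2.10'

# Machines allowed to relay through this server (assumed LAN subnet).
dc_relay_nets='192.0.2.0/24'
dc_relay_domains=''

# Everything non-local goes to the hosting provider's submission port
# (host and port are assumptions; check the provider's documentation).
dc_smarthost='smtp.forwardemail.net::587'

# Hide the local mailname ("home") in outgoing mail by rewriting it to
# dc_readhost, so user@home leaves the house as user@mydomain.com.
dc_readhost='mydomain.com'
dc_hide_mailname='true'

dc_minimaldns='false'
dc_use_split_config='false'
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'
```

After editing the file run update-exim4.conf (as root) so the generated configuration is rebuilt. Two checks are worth doing before trusting it: exim4 -bt graeme@home should end in a local delivery router and exim4 -bt graeme@mydomain.com in the smarthost router, and exim4 -brw graeme@home prints how the address is rewritten in each header, which is where the dc_readhost effect shows up.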
[exim] Re: a common(?) usecase with smarthost
On 10 March 2024 14:36:16 UTC, graeme vetterlein via Exim-users wrote:
>So, taken together:
>
>1: Set /etc/mailname to "home"
>2: Set dc_other_hostnames=" ... home" and few similar names but NOT
>"mydomain.com"
>3: Set dc_readhost=mydomain.com and dc_hide_mailname=true
>
>So inside the house , people (machines) can mail graeme@home and it stays in
>the house or mail gra...@mydomain.com and it goes out to smarthost WITH the
>legal external address (e.g from u...@mydomain.com NOT user@home)

If I got you properly, yes, that works exactly like that.

regards

--
Slavko
https://www.slavino.sk/
[exim] Re: restricted characters in address
On Sun, Mar 10, 2024 at 09:53:09AM +, Julian Bradfield via Exim-users wrote:
> > Simple: on multiuser systems you never know who got hacked, has
> > malicious intents or uses faulty webapps.

> On a multiuser system, anybody can pipe a message into exim, can't
> they?

Not necessarily, in particular not on my servers. The submission agent
can be a different program.

--
Ian
[exim] Re: restricted characters in address
On Sun, Mar 10, 2024 at 09:49:14AM +, Julian Bradfield via Exim-users wrote:
> That would be a configuration problem for that site - not a reason to
> stop your users replying to perfectly valid addresses.
>
> > And by the way, by default Postfix still supports % and ! addresses:
> >
> > https://www.postfix.org/postconf.5.html#allow_percent_hack
> > https://www.postfix.org/postconf.5.html#swap_bangpath
>
> But it doesn't route them.
>
> https://www.postfix.org/postconf.5.html#allow_untrusted_routing

You missed an important qualifier "from untrusted clients": if the
forwarded message is from a peer system listed in $mynetworks, then
the message will be (source) routed.

- The edge system accepts .
- The internal MTA does not restrict relaying by the edge system.
- The message is ultimately forwarded to .

This is why "allow_untrusted_routing" is set to no; Postfix does rely
on the internal (relay destination) system to not be an open relay for
messages it forwards. And to detect that this could be an issue, the
parsing of "%" and "!" addresses as potential source routes needs to
remain enabled.

I understood the topic under discussion to be enforcement of similar
rules in Exim. Apologies if I got the wrong end of the stick.

--
Viktor.
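To make the two-hop relay in that message concrete, an added example that is not from the thread and is neither Postfix nor Exim code: a toy model of an edge MX that relays for corp.example in front of an internal MTA which trusts the edge and still honours the percent hack and bang paths. The domain names are constructed and the rewrite rules are an assumption modelled on the Postfix options linked above; real Postfix applies them in its own order and handles more cases. The point it shows is the one Viktor makes: the edge never routes on '%' or '!' itself, but it has to keep parsing them to see where the internal MTA would send the message.

```python
# Added example, not from the thread or from Postfix/Exim: legacy
# source-route handling across an edge MX and a trusting internal MTA.

RELAY_DOMAINS = {"corp.example"}   # constructed: what the edge MX relays for
LOCAL_DOMAINS = {"corp.example"}   # constructed: what the internal MTA owns


def next_hop(addr, handled):
    """Resolve legacy source routing until the address stops changing.

    Assumption (modelled on Postfix's percent hack / swap_bangpath): while
    the domain is one this MTA handles itself, or the address has no domain
    at all, a '%' or '!' in the local part names the real next hop:
        user%remote@here  ->  user@remote
        remote!user@here  ->  user@remote
    Returns (local_part, domain); domain is where the mail goes next.
    Each rewrite shortens the local part, so the loop always terminates.
    """
    local, sep, domain = addr.rpartition("@")
    if not sep:
        local, domain = addr, None
    while ((domain is None or domain.lower() in handled)
           and ("%" in local or "!" in local)):
        if "%" in local:
            local, _, domain = local.rpartition("%")   # rightmost '%' first
        else:
            domain, _, local = local.partition("!")    # leftmost site first
    return local, domain


def edge_rcpt(addr, client_trusted=False, allow_untrusted_routing=False):
    """RCPT decision at the edge MX, which relays for RELAY_DOMAINS only."""
    _, _, domain = addr.rpartition("@")
    if domain.lower() not in RELAY_DOMAINS:
        return "reject: relay access denied"
    if not client_trusted and not allow_untrusted_routing:
        # The edge does not act on '%'/'!' but must still parse them to see
        # the destination the internal MTA would route to.
        _, final = next_hop(addr, RELAY_DOMAINS)
        if final.lower() not in RELAY_DOMAINS:
            return "reject: sender-specified routing to %s" % final
    return "accept: forward to %s" % domain


def internal_delivery(addr):
    """The internal MTA trusts the edge (it is in its mynetworks), so it
    applies the legacy rewrites and relays wherever they point."""
    user, domain = next_hop(addr, LOCAL_DOMAINS)
    if domain is not None and domain.lower() in LOCAL_DOMAINS:
        return "delivered locally to %s" % user
    return "relayed to %s" % domain


def simulate(addr, allow_untrusted_routing=False):
    """Outcome for a message from an untrusted Internet client."""
    verdict = edge_rcpt(addr, client_trusted=False,
                        allow_untrusted_routing=allow_untrusted_routing)
    if verdict.startswith("reject"):
        return verdict
    return internal_delivery(addr)


if __name__ == "__main__":
    # Constructed recipients: a normal one and two source-routed ones.
    for rcpt in ("alice@corp.example",
                 "victim%spam.target@corp.example",
                 "spam.target!victim@corp.example"):
        print("%-36s strict: %-48s permissive: %s"
              % (rcpt, simulate(rcpt), simulate(rcpt, True)))
```

With the strict setting the edge refuses the two routed addresses at RCPT time; with allow_untrusted_routing turned on it forwards them to the internal MTA, which dutifully relays to spam.target, and the pair of hosts is an open relay even though neither is misconfigured on its own. An edge that simply stopped parsing '%' and '!' would behave like the permissive case.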
[exim] Re: restricted characters in address
On 2024-03-10, Viktor Dukhovni via Exim-users wrote:
>> https://www.postfix.org/postconf.5.html#allow_untrusted_routing
>
> You missed an important qualifier "from untrusted clients", if the
> forwarded messages is from a peer system listed in $mynetworks, then
> the message will be (source) routed.
>
> - The edge system adccepts .
> - The internal MTA does not restrict relaying by the edge system.
> - The message is ultimately forwarded to .

Good point.

Of course, there is still the question as to why any form of source
routing should be enabled in a default configuration of anything,
given its almost total obsoleteness.
(I could imagine source routing being useful to communicate from an
isolated network that connects to the outside world only via one very
tied down mail relay, but I wonder if anybody does that.
[exim] Re: restricted characters in address
On Sun, Mar 10, 2024 at 07:53:40PM +, Julian Bradfield via Exim-users wrote:
> Of course, there is still the question as to why any form of source
> routing should be enabled in a default configuration of anything,
> given its almost total obsoleteness.
> (I could imagine source routing being useful to communicate from an
> isolated network that connects to the outside world only via one very
> tied down mail relay, but I wonder if anybody does that.

It is difficult to determine when safety measures are no longer needed.
The code is already there, and not obviously doing any harm, or
requires much upkeep, we keep it around.

--
Viktor.