Re: [Exim] nessus security report

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Peter Radcliffe
Dátum:  
Címzett: exim-users
Tárgy: Re: [Exim] nessus security report
Brad Crittenden <bac@???> probably said:
> 1) claims we're relaying (though i've tried relaying through my host only to
> be denied)


Does it say what test it things relays ?

> 2) acceptance of mail from "|user@???" which is a risk if a message is
> constructed to bounce and is then piped to an executable.


| is a valid character in a local part as far as I know.


> i've searched the mailing list archives for mention of these and found
> nothing. is there a known reason nessus would give a false positive for
> relaying? has the "|address" problem been addressed?


|address isn't a problem, exim doesn't pass things to shell unless you
make it do that, and if you do you have to be careful about characters
in local parts.

Do you have receiver_try_verify or receiver_verify in your config ?
If not, read about them in the spec and add whichever one you feel is
appropriate.

P.

-- 
pir                  pir@???                    pir@???