Re: [Exim] nessus security report

Pàgina inicial
Delete this message
Reply to this message
Autor: Jason
Data:  
A: exim-users
Assumpte: Re: [Exim] nessus security report
On 19 May 2000, at 12:08, Peter Radcliffe wrote:

> Brad Crittenden <bac@???> probably said:
> > 1) claims we're relaying (though i've tried relaying through my host
> > only to be denied)
>
> Does it say what test it things relays ?


This error is that exim will accept if it is told not to verify the
receivers email address. I think there was an entry about this in
the FAQ without the verify option set, it will give 250 Address looks
symantically correct.. or something along those lines..

Jason

> > 2) acceptance of mail from "|user@???" which is a risk if a
> > message is constructed to bounce and is then piped to an executable.
>
> | is a valid character in a local part as far as I know.
>
> > i've searched the mailing list archives for mention of these and
> > found nothing. is there a known reason nessus would give a false
> > positive for relaying? has the "|address" problem been addressed?
>
> |address isn't a problem, exim doesn't pass things to shell unless you
> make it do that, and if you do you have to be careful about characters
> in local parts.
>
> Do you have receiver_try_verify or receiver_verify in your config ? If
> not, read about them in the spec and add whichever one you feel is
> appropriate.
>
> P.
>
> -- 
> pir                  pir@???                    pir@???

>
>
>



---
Jason Robertson                
Network Analyst            
jason@???    
http://www.astroadvice.com