Re: [Exim] size restriction

Páxina inicial
Borrar esta mensaxe
Responder a esta mensaxe
Autor: Philip Hazel
Data:  
Para: Suresh Ramasubramanian
CC: exim-users
Asunto: Re: [Exim] size restriction
On Fri, 12 Jan 2001, Suresh Ramasubramanian wrote:

> If you set this
>
> > message_size_limit=300K
>
> what you'll get is
>
> mail from: <foo@???> SIZE=[size]


Not absolutely strictly true. If the client starts the session with
EHLO, Exim advertises its support for SIZE=. If then the client chooses
to use the SIZE= facility, it will indeed send that command and will get
an immediate error code if the value is too big.

If, OTOH, the client does not send SIZE= on the MAIL command, Exim has
to find out the size by reading the message. (Actually, it does this
anyway, because the client may have lied in its SIZE= value.) Because of
the way the SMTP protocol is defined, Exim cannot return a response until
it has received the entire message. However, once it has hit the size
limitation, it just sits there throwing away the incoming data until the
end is reached.

I guess this does admit a DOS attack in that it uses an SMTP incoming
channel. However, there are plenty of similar things: a client could
connect, start a message, and then send one byte of data every 4
minutes, say (since the usual timeout is 5 minutes). This takes a very
long time even before it hits a limit as modest as 300K.

I guess the only way round this would be to put an overall limit on the
real time taken to receive a message. It would have to be at least an
hour, I would think. Is there any real need for this?


-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.