Re: [Exim] Re: SMTP protocol violation: synchronization erro…

Pàgina inicial
Delete this message
Reply to this message
Autor: Dave C.
Data:  
A: Derrick 'dman' Hudson
CC: exim-users
Assumpte: Re: [Exim] Re: SMTP protocol violation: synchronization error (Exim4)
On Thu, 4 Jul 2002, Derrick 'dman' Hudson wrote:

> --
> On Thu, Jul 04, 2002 at 02:20:06PM +0100, Philip Hazel wrote:
> | On 4 Jul 2002, Nigel Metheringham wrote:
> |
> | > > 12:52:38 SMTP protocol violation: synchronization error (next
> | > > input sent too soon): rejected "DATA" H= ...
> | >
> | > Its part of ESMTP pipelining.
> |
> | This can happen without pipelining. SMTP is a "lockstep" protocol - the
> | client MUST wait for the server response at certain points. Exim 4
> | enforces this, to stop spammers who just send out the whole thing in one
> | packet and then go away.
>
> It also helps protect against the HTTP form submission vulnerability,
> but I think the 5-bad-commands-and-you're-out check will handle that
> first.


Which vulnerability are you talking about and how does exims
synchronization prevent it?

The only HTTP/form vulnerability I am aware of is that fact that a stock
version of formmail.pl can be hijacked by an attacker faking a referrer
and the form data. Stock formmail uses the '-f' interface to submit its
mail, so SMTP synchronization would have no effect, and even if formmail
used -bs, exim would have no way of detecting wether or not the HTTP
client was legitimate or not (in fact, there isnt even an easy way to do
that in formmail - the only way to block this is to modify formmail to
have an 'authorized recipients' list or pattern)


> -D
>
> --
>
> Come to me, all you who are weary and burdened, and I will give you
> rest.  Take my yoke upon you and learn from me, for I am gentle and
> humble in heart, and you will find rest for your souls.  For my yoke
> is easy and my burden is light.
>         Matthew 11:28-30

>
> http://dman.ddts.net/~dman/
>
> --
> [ Content of type application/pgp-signature deleted ]
> --
>
> --
>
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
>
>