Re: [Exim] local_part check - illegal characters

Pàgina inicial
Delete this message
Reply to this message
Autor: Philip Hazel
Data:  
A: Matthew Byng-Maddick
CC: exim-users
Assumpte: Re: [Exim] local_part check - illegal characters
On Sun, 6 Apr 2003, Matthew Byng-Maddick wrote:

> On Sun, Apr 06, 2003 at 01:40:34PM +0300, Odhiambo G. Washington wrote:
> > I am writing to seek clarification on why a '/' is percieved as an illegal
> > character within a local part. Maybe it's in RFC (2)822 but I did not go
> > all the way and read it.
>
> It's not RFC2822 or RFC822 invalid, but it's probably a good indication
> that someone's trying to do some attack to overwrite on your MTA's disk.
> (cf defence in depth).


As it say in the default configuration:

# Deny if the local part contains @ or % or / or | or !. These are rarely
# found in genuine local parts, but are often tried by people looking to
# circumvent relaying restrictions.

As it says in the manual:

    deny    local_parts   = ^.*[@%!/|]


This statement uses a regular expression to reject addresses with
local parts that contain any of the characters '@', '%', '!', '/' or
'|'. Although these characters are entirely legal in local parts (in
the case of '@' only if correctly quoted), they do not normally occur
in Internet mail addresses.

The first three have in the past been associated with explicitly
routed addresses (percent is still sometimes used - see the
"percent_hack_domains" option). Addresses containing these characters
are regularly tried by spammers in an attempt to bypass relaying
restrictions, and also by open relay testing programs. Unless you
really need them it is safest to reject these characters at this early
stage. Slash is included in the list to avoid problems in local parts
that are used to construct file names. Vertical bar is included
because of its use as a pipe symbol in shell commands.

This configuration is heavy-handed in rejecting these characters for
all messages it accepts from remote hosts. This is a deliberate policy
of being as safe as possible. By moving the test elsewhere in the ACL,
you can relax the restriction so that, for example, it applies only to
addresses in your local domains.


--
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.