[Exim] potential security problem with lookups

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
M 
MNico Erfurth at ->
Delete this message
Reply to this message
Author: Alexey Promokhov
Date:  
To: exim-users
Subject: [Exim] potential security problem with lookups
Greetings.

I just discover the following situation.

There was the following ACL statement:

accept senders = ${if exists {/usr/local/etc/exim/whitesender+$domain} {/usr/local/etc/exim/whitesender+$domain} {:}}

It means a whitelist for users in one of virtual domains. But if sender
of processed message is <>, i.e. it's a bounce message, then lookup is
hit, even if recipient is in foreign domain. So, the above construction
gives an open relay.

{:} construction was in our config file for historic reason. Replacing it
with {} does correct the situation.

I suggest to process looking with key=<empty> in special manner, because such
lookup is mostly useless, and can give undesired results in case of typos
and carelessness.

--
Alexey Y. Promokhov, system administrator
Joint Stock Venture "GP Telecom", Moscow, Russia



This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-Re: [Exim] Logging problem with 4.14Re: [Exim] potential security problem with lookups->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)