Re: [Exim] potential security problem with lookups

Author: Nico Erfurth
Date:
To: Alexey Promokhov
CC: exim-users
Subject: Re: [Exim] potential security problem with lookups
Alexey Promokhov wrote:

> There was the following ACL statement:
>
> accept senders = ${if exists {/usr/local/etc/exim/whitesender+$domain} {/usr/local/etc/exim/whitesender+$domain} {:}}
>
> It means a whitelist for users in one of virtual domains. But if sender
> of processed message is <>, i.e. it's a bounce message, then lookup is
> hit, even if recipient is in foreign domain. So, the above construction
> gives an open relay.


Yes, because you made it one.
: is the list separator; if you have nothing in front of it, it will
check for an empty string, and this matches your bounce.

AFAIK this is documented in spec.txt

Nico
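
The behaviour discussed in this thread, as an added example that is not part of the original messages and not Exim's own code: a simplified Python model of Exim's colon-separated list splitting and of the `senders` condition, showing that an else branch of `{:}` yields a one-item list whose empty item matches the bounce sender, while an empty else branch `{}` yields a list that matches nothing. The function names, the `.example` domains and the whitelist contents are constructed; address matching is reduced to exact comparison, and the whitelist file is modelled as its already-inlined contents.

```python
# Simplified model of Exim's colon-separated list splitting and of the
# "senders" ACL condition. Function names and sample data are constructed.

def exim_list_items(expanded, sep=":"):
    """Split an expanded list string the way Exim documents it: items are
    whitespace-trimmed, a doubled separator is a literal one, and an empty
    item at the very end of the list is ignored."""
    items, i, n = [], 0, len(expanded)
    while True:
        while i < n and expanded[i].isspace():
            i += 1
        if i >= n:                      # nothing left: trailing empty item dropped
            return items
        buf = []
        while i < n:
            if expanded[i] == sep:
                if i + 1 < n and expanded[i + 1] == sep:
                    buf.append(sep)     # "::" is a literal colon
                    i += 2
                    continue
                i += 1                  # single separator ends the item
                break
            buf.append(expanded[i])
            i += 1
        items.append("".join(buf).rstrip())

def senders_matches(sender, expanded):
    """Exact-match model only: an empty item matches the empty sender
    (a bounce, MAIL FROM:<>); other items are compared case-insensitively."""
    return any(item.lower() == sender.lower() for item in exim_list_items(expanded))

def whitelist_expansion(domain, existing, else_branch):
    """Model of ${if exists{FILE}{FILE}{ELSE}}; 'existing' maps constructed
    file names to their (already inlined) list contents."""
    path = "/usr/local/etc/exim/whitesender+" + domain
    return existing.get(path, else_branch)

# Constructed sample data: one hosted domain with a whitelist file.
FILES = {"/usr/local/etc/exim/whitesender+hosted.example": "alice@partner.example"}

def accepts(sender, rcpt_domain, else_branch):
    """True if the modelled 'accept senders = ...' statement would accept."""
    return senders_matches(sender, whitelist_expansion(rcpt_domain, FILES, else_branch))
```

Here the empty string stands for the `<>` sender: `accepts("", "foreign.example", ":")` models the statement quoted above, and `accepts("", "foreign.example", "")` models the same statement with the else branch written as `{}`.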