Re: [Exim] E-mail address SQL problem

Top Page
Delete this message
Reply to this message
Author: Sheldon Hearn
Date:  
To: Adam H. Pendleton
CC: exim-users
Subject: Re: [Exim] E-mail address SQL problem
On (2003/11/20 13:44), Adam H. Pendleton wrote:

> # PgSQL system aliases
> pgsql_sys_aliases:
>  driver = redirect
>  allow_fail
>  allow_defer
>  data = ${lookup pgsql{SELECT dest FROM email_aliases \
>            WHERE alias='${local_part}' AND type='system'}}


SQL injection time. :-)

> My questions are:
>
> 1. Why is exim performing this system aliases lookup for a from
> address? Shouldn't sender verify be done somewhere else?


If the sender address is in a domain that Exim believes is local, Exim
will (and should) perform whatever lookups necessary to determine
whether it's a deliverable address in that local domain, assuming sender
verification is enabled.

> 2. What can I do to prevent this from being a real problem?


See the section "More about MySQL and PostgreSQL and Oracle" in the
spec. You're looking for quote_pgsql. :-)

This, incidentally, is one of the reasons you should give serious
consideration to giving Exim read-only access to your database. :-)

Ciao,
Sheldon.