Re: [exim] exim4: headers check syntax?

Top Page
Delete this message
Reply to this message
Author: listrcv
Date:  
To: Marc Haber
CC: exim-users
Subject: Re: [exim] exim4: headers check syntax?

Hi,

thanks for the hint! I'm not using the exim-config stuff because it is a
mess to me. I copied over the example config that comes along with the
docs and started from there --- much easier than fumbling with
exim-config, and this way, I actually know what I have configured and
what not :) Also, it made (and still makes) me learn about the
differences between exim3 and exim4.


Checking the headers might reject legitimate mail, but since cyrus
doesn't deliver it anyway and sends out a delivery error message, it is
something that could be abused by SPAMers.

I had syntax checking on the headers enabled with exim3 before and was
missing it in exim4, but I didn't look into it until now that I'm seeing
mail rejected due to bad headers. Nobody complained about it in the last
three years :)


The following makes cyrus happy now:


> acl_check_data:
>
>   # deny messages with invalid headers
>   deny    message = Messages with invalid headers are not allowed.
>           log_message   = invalid headers in message
>           !verify = header_syntax

>
>   # deny message if there are NUL characters in the message body
>   deny    message   = NUL characters in the message body are not allowed.
>           log_message   = NUL_chars%$tod_log%<$return_path>%<$recipients>%($body_zerocount)
>           condition = ${if > {$body_zerocount}{0} }
> [...]



Denying NUL characters may also reject legitimate mail, but I didn't
like the ressource usage that might be involved with filtering all the
mail for it.


GH


Marc Haber wrote:
> On Wed, 05 Apr 2006 13:57:59 +0200, listrcv <listrcv@???>
>
>>in exim3, there was an option to check the syntax of mail headers
>>(headers_check_syntax or so).
>>
>>How do I enable that with exim4?
>>
>>
>>Cyrus complains about invalid headers, so I want to check them before
>>such mail is handed over to cyrus. Messages with invalid headers should
>>be rejected before accepting them for not to have a possible exploit for
>>SPAMers.
>
>
> If you are on Debian, you only need to set the macro
> CHECK_DATA_VERIFY_HEADER_SYNTAX. The code is already there in the DATA
> acl.
>
> The default is off since this might reject legitimate e-mail.
>
> Greetings
> Marc
>