Hi,
thanks for the hint! I'm not using the exim-config stuff because it is a
mess to me. I copied over the example config that comes along with the
docs and started from there --- much easier than fumbling with
exim-config, and this way, I actually know what I have configured and
what not :) Also, it made (and still makes) me learn about the
differences between exim3 and exim4.
Checking the headers might reject legitimate mail, but since cyrus
doesn't deliver it anyway and sends out a delivery error message, it is
something that could be abused by SPAMers.
I had syntax checking on the headers enabled with exim3 before and was
missing it in exim4, but I didn't look into it until now that I'm seeing
mail rejected due to bad headers. Nobody complained about it in the last
three years :)
The following makes cyrus happy now:
> acl_check_data:
>
> # deny messages with invalid headers
> deny message = Messages with invalid headers are not allowed.
> log_message = invalid headers in message
> !verify = header_syntax
>
> # deny message if there are NUL characters in the message body
> deny message = NUL characters in the message body are not allowed.
> log_message = NUL_chars%$tod_log%<$return_path>%<$recipients>%($body_zerocount)
> condition = ${if > {$body_zerocount}{0} }
> [...]
Denying NUL characters may also reject legitimate mail, but I didn't
like the ressource usage that might be involved with filtering all the
mail for it.
GH
Marc Haber wrote:
> On Wed, 05 Apr 2006 13:57:59 +0200, listrcv <listrcv@???>
>
>>in exim3, there was an option to check the syntax of mail headers
>>(headers_check_syntax or so).
>>
>>How do I enable that with exim4?
>>
>>
>>Cyrus complains about invalid headers, so I want to check them before
>>such mail is handed over to cyrus. Messages with invalid headers should
>>be rejected before accepting them for not to have a possible exploit for
>>SPAMers.
>
>
> If you are on Debian, you only need to set the macro
> CHECK_DATA_VERIFY_HEADER_SYNTAX. The code is already there in the DATA
> acl.
>
> The default is off since this might reject legitimate e-mail.
>
> Greetings
> Marc
>