Re: [exim] hole in acl_smtp_mail

Top Page
Delete this message
Reply to this message
Author: Ian Eiloart
Date:  
To: David Woodhouse, Axel Rau
CC: List: exim, Nigel Metheringham
Subject: Re: [exim] hole in acl_smtp_mail


--On 2 August 2010 10:24:43 +0100 David Woodhouse <dwmw2@???>
wrote:

> On Sun, 2010-08-01 at 14:07 +0100, Nigel Metheringham wrote:
>> On 1 Aug 2010, at 13:43, Jeremy Harris wrote:
>>
>> > Are you assuming that
>> > header From: is the same as envelope MAIL FROM ?
>>
>> By the way, don't take that as a suggest you should be checking header
>> From: - for a reason why look at messages you sent to this mailing
>> list as they come back to you...
>
> Well, in the general case it's just as broken to do it on the envelope
> MAIL FROM:.


Maybe, but we've been doing that for several years now. I filter my local
email into a separate mailbox, which is 100% spam free. Yes, we do get some
false positives, but I don't recall a case like the one you mention below.
Generally, it's third party sites using our addresses as sender addresses.
Greetings cards, and some peer-review collaborative sites. Generally,
they're either happy to fix their software, or we don't care.

> Some "mailing lists" turn out to be just aliases which expand to a bunch
> of people, and don't rewrite the envelope sender either. I noticed a few
> days ago that the Fedora packager-sponsors list is an example of this,
> for example.
>
> So if one of your users sent a message to such a "list", you'd reject
> that message. So none of your other users would receive it (and neither
> would the original sender, of course).
>
> You'd also reject valid messages if you have users who forward an
> external mail account to their account on your server. If any of your
> local users then send mail to that account, it's going to come back to
> you, quite correctly, with your *own* sender address in the envelope.
> And get wrongly rejected.
>
> You cannot safely reject mail based on comparing the MAIL FROM: address
> with the IP address from which it comes.
>
> You'd do better to look at BATV -- where you can reject the message
> based on the MAIL FROM: address *alone*. For example, I never send
> MAIL FROM:<dwmw2@???> and thus I can reject all messages with
> that in the envelope, regardless of where they come from.
>
> --
> dwmw2




--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/