On Wed, Jul 2, 2014 at 12:47 PM, Oleg <lego12239@???> wrote: >> condition = ${if match_domain{$sender_address_domain}{+local_domains}}
>
> Wow. Thank you! This works. This is what i need.
>
>> The match_domain condition takes an arbitrary specification in the
>> second parameter; however, because too many real-world setups introduced
>> security holes using this, we restricted it so that the second parameter
>> is not subject to dollar-expansion. Every other type of lookup still
>> works.
>
> May be i can find anywhere an info or examples of such configs with
> security holes to know how not to do?
Expansion of the second argument of the match_* functions is disabled
in the build, so you no longer can do these screw-ups to yourself.
In the past, you could do string expansions in the *second*argument*.
Let's pick the ridiculous use case of looking for a specific header
that a customer could put extra domains they want to accept email for.
Don't think about why you might do something this dumb, just accept
that someone wants to do it and chose this way:
If the header X-Something: contained more than just the domain name,
say maybe it had something that is expandable:
X-Something: $sender_address_domain
That would make it accept ANYTHING because the second argument will
expand $sender_address_domain which will always match the first
argument. Now let's get malicious:
X-Something: domain.com ${run {/bin/rm -rf /}}
When the second part gets expanded, it will expand the ${run } part
and delete everything on your server. Very very bad.
Now that this expansion does not happen on the second argument
(because what is frequently passed to it is untrusted, i.e. user
supplied, data) this type of exploitation is no longer possible.
...Todd
--
The total budget at all receivers for solving senders' problems is $0.
If you want them to accept your mail and manage it the way you want,
send it the way the spec says to. --John Levine