On 21/10/15 16:44, Warwick Brown wrote: > Pen-testers still test to see if legacy routed addresses are supported due to the dross of legacy still out there.
> I agree with your reasoning as to routed addresses being obsolete, and that is why I still use the restricted characters ACL to ensure they are not accepted.
> But, the issue I see is that the invalid input is silently discarded with no notice of when or why.
> The ":" character is in my restricted characters ACL, however in the special-case where the user-part is null, the restricted characters ACL does not seem to kick in.
> I am satisfied that exim fails safe, but still think it's worth a look-in to why it silently discards parts of its input data - if this is by design, then fine, but if it is an unintended consequence, then it is to me a little more concerning.
The following comment is in the source code
[ block comment for parse_extract_address() ] :-
Exim no longer supports the use of source routed addresses (those of the form
@domain,...:route_addr). It recognizes the syntax, but collapses such addresses
down to their final components. Formerly, collapse_source_routes had to be set
to achieve this effect. RFC 1123 allows collapsing with MAY, while the revision
of RFC 821 had increased this to SHOULD, so I've gone for it, because it makes
a lot of code elsewhere in Exim much simpler.
I've not looked at the actual coding, but that seems to match what you observe
and I read it as being fully intended.
The comment dates back at least as far as 2004, the start of the git history.
- --
Cheers,
Jeremy