On 22/06/2019 9:44 am, Andreas Metzler via Exim-users wrote: > CVE-2019-10149 is not that it is possible to submit a mail that ends
> up frozen in the queue. CVE is a remote command execution
> vulnerabilty. The fix for CVE-2019-10149 does not remove the
> possibility to generate frozen mails in the queue, it stops the remote
> command execution.
by any chance, please, would anyone happen to have an acl_smtp_rcpt
example that catches these particular exploit attempts — so my queue
doesn't fill up with these frozen msgs — /but/ still allows me to have
"user+suffix@domain" which I enable via local_part_suffix on a redirect
router?
i.e. just rejecting '+' in the local part is too strict, here.