[exim] Unqualified Reply-To address issue

Author: Zakaria
Date:
To: exim-users
Subject: [exim] Unqualified Reply-To address issue
Hi Exim folks,

I just stumbled across this issue and I would appreciate it if anyone can help me out with it.

I received an email from Vodafone, with the following relevant headers:-

From: <noreply@???>
Reply-To: Vodafone

The email failed with the following error:-

unqualified address not permitted: failing address in "Reply-To:" header is: Vodafone

Exim denies the email when it reaches acl_check_data verify syntax

  # Deny if the headers contain badly-formed addresses.
  #
  deny    !verify =     header_syntax
          message =     header syntax
          log_message = header syntax ($acl_verify_message)


The $reply_address and $h_reply-to variables can’t be read nor removed anywhere while being accessible, and it's only accessible in acl_check_data, and as far as my testing over the past several days goes, this remained valid.

I tried different ways to remove the Reply-To header if it contained an unqualified address, using the following example in acl_mail and acl_rcpt, but the issue again is that I can’t read the Reply-To header except in the data ACL, and I failed to remove it:-

warn !condition     = ${if def:header_reply-to:{${if match{$h_reply-to}{^[a-zA-Z0-9.!#\$%&'*+\\/=?^_`\{|\}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]\{0,61\}[a-zA-Z0-9])?(?:\\.[a-zA-Z0-9](?:[a-zA-Z0-9-]\{0,61\}[a-zA-Z0-9])?)*\$}{1}{0}}}{1}}
     remove_header  = Reply-To
     logwrite    = Removed Reply-To header.


Is there any way I can resolve this issue? I know Vodafone aren't keeping up with RFC standards, as they are expected to only submit qualified addresses in the Reply-To header, but what can I do? Maybe I can with your appreciated help.

Btw, a temporary fix was to always remove the Reply-To header or allow the Vodafone host to send emails with unqualified addresses, yet it's not ideal, since hosts can change and God knows what other mail servers I may expect to have a similar issue.

Also, loosening the verify deny to warn seemed to be doable, but I'm not sure from a security perspective if it's OK. Or is there any way I can perform header syntax verification on my own? To the experts: any recommendation, or something worth noting to avoid while I’m hacking in this area?

Looking forward, with thanks.

Zakaria.
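
Added example, not part of the message above and not Exim's own implementation: a small offline check that reports which address headers in a message carry an address without a domain, useful for surveying rejected or archived mail before deciding whether to relax the deny rule. The header list, function name and sample messages (with example.com / example.org placeholders) are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Headers inspected by this sketch (an assumption; Exim's own list may differ).
ADDRESS_HEADERS = ("From", "Sender", "Reply-To", "To", "Cc", "Bcc")

# Constructed sample mirroring the post: a domain-less Reply-To, plus a
# constructed unqualified To entry. example.com/.org are placeholders.
SAMPLE_REJECTED = (
    "From: <noreply@example.com>\n"
    "Reply-To: Vodafone\n"
    "To: user@example.org, postmaster\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)
# Constructed sample in which every address is fully qualified.
SAMPLE_CLEAN = (
    "From: Billing <noreply@example.com>\n"
    "Reply-To: Support <support@example.com>\n"
    "To: user@example.org\n"
    "\n"
    "body\n"
)


def unqualified_addresses(raw_message):
    """Return (header, address) pairs whose address lacks a local part or domain."""
    msg = message_from_string(raw_message)
    findings = []
    for name in ADDRESS_HEADERS:
        values = msg.get_all(name, [])
        for _display, addr in getaddresses(values):
            if not addr:  # header absent or unparseable: nothing to report
                continue
            local, sep, domain = addr.rpartition("@")
            if not (sep and local and domain):
                findings.append((name, addr))
    return findings


if __name__ == "__main__":
    for label, raw in (("rejected", SAMPLE_REJECTED), ("clean", SAMPLE_CLEAN)):
        print(label, unqualified_addresses(raw))
```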