Re: [exim] configure exim4 against incoming rogue local part…

Author: ale
Date:  
To: exim-users
Subject: Re: [exim] configure exim4 against incoming rogue local parts
I tested it using a remote client of the same host, and from a
completely different host.

regards

Ale

On 02/06/22 18:42, Slavko via Exim-users wrote:
> Hi,
>
> On Thu, 2 Jun 2022 16:19:18 +0100 Jeremy Harris via Exim-users
> <exim-users@???> wrote:
>
>> I don't see that your config actually uses
>> CHECK_RCPT_REMOTE_LOCALPARTS, having defined it.
> It is, only not at start of the file, see:
>
>    ...
>
>    acl_check_mail:
>      accept
>      CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]
>      CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
>
>    acl_check_rcpt:
>
>    ...
>
> You (original poster) did not tell us how you tested it. The particular
> ACLs are run only for SMTP connections, thus they will not stop use by
> e.g. mailx, nor by batch SMTP (accepted at start of RCPT ACL). See here how
> you can test it (note the dot at RCPT start as restricted character) --
> can be wrapped:
>
> + from remote machine:
>
>    swaks --server mail.example.org --to .user@??? --quit rcpt
>    === Trying primex.skk:25...
>    ...
>     -> RCPT TO:<.user@???>
>    <** 550 restricted characters in address
>    ...
>
> + from local host:
>
>    echo -e "EHLO kuk\nMAIL FROM:<user@???>\nRCPT TO:<.user@???>\nQUIT" | exim -bh 1.2.3.4 ...
>    >>> processing "deny" (/var/lib/exim4/config.autogenerated 439)
>    >>> check domains = !+local_domains
>    >>> example.org in "!+local_domains"? yes (end of list)
>    >>> check local_parts = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
>    >>> .user in "^[./|] : ^.*[@%!`#&?] : ^.*/\.\./"? yes (matched
>    >>>   "^[./|]") message: restricted characters in address
>    >>> deny: condition test succeeded in ACL "acl_check_rcpt"
>    >>> end of ACL "acl_check_rcpt": DENY
>    550 restricted characters in address
>    LOG: H=[1.2.3.4] F=<linux@???> rejected RCPT <.user@???>: restricted characters in address ...
>
> As you can see, both examples end in rejection of that recipient.
>
> You do not need to set up the CHECK_RCPT_*_LOCALPARTS macros, as they
> have sane defaults on Debian, only when one wants to relax them or vice
> versa...
>
> regards
>
>
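
An added example, not part of the thread or of Exim: a Python model of the local_parts check shown in the quoted `exim -bh` trace, useful for seeing offline which recipients the two quoted lists reject. The domain `local.example` is a constructed stand-in for +local_domains, and list splitting and string expansion are simplified to what these two lists need.

```python
import re

# Lists exactly as quoted in the thread (Debian's exim4 configuration macros).
CHECK_RCPT_LOCAL_LOCALPARTS = r"^[.] : ^.*[@%!/|`#&?]"
CHECK_RCPT_REMOTE_LOCALPARTS = r"^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./"
LOCAL_DOMAINS = {"local.example"}  # constructed stand-in for +local_domains


def split_exim_list(raw):
    """Split a colon-separated Exim list; a doubled colon is a literal colon."""
    items, cur, i = [], "", 0
    while i < len(raw):
        if raw[i] == ":" and raw[i + 1:i + 2] == ":":
            cur, i = cur + ":", i + 2
            continue
        if raw[i] == ":":
            items.append(cur.strip())
            cur = ""
        else:
            cur += raw[i]
        i += 1
    items.append(cur.strip())
    return [item for item in items if item]


def expand(item):
    # Simplified string expansion: a doubled backslash becomes a single one,
    # as seen in the trace where \\.\\. is matched as \.\.
    return item.replace("\\\\", "\\")


def check_rcpt(address, local_domains=LOCAL_DOMAINS):
    """Return ("deny", pattern) for the first matching regex, else ("accept", None)."""
    local_part, _, domain = address.rpartition("@")
    raw = (CHECK_RCPT_LOCAL_LOCALPARTS if domain.lower() in local_domains
           else CHECK_RCPT_REMOTE_LOCALPARTS)
    for item in map(expand, split_exim_list(raw)):
        # Only regex items (leading ^) occur in these lists; others are skipped.
        if item.startswith("^") and re.search(item, local_part):
            return "deny", item
    return "accept", None


if __name__ == "__main__":
    # Constructed sample recipients.
    for rcpt in (".user@example.org", "a/b@local.example",
                 "a/b@example.org", "a/../b@example.org", "user@example.org"):
        print(rcpt, *check_rcpt(rcpt))
```

In this model `a/b` is denied for the local domain but accepted for a remote one, because only the local list has `/` in its character class; the remote list rejects a slash only at the start or as part of `/../`.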