Am 09.03.24 um 22:26 schrieb Julian Bradfield via Exim-users:
> Following an idle-moment post on mailop, I wonder:
>
> From the default config:
>
> ---
> acl_check_rcpt:
>
> accept hosts = :
>
> deny domains = +local_domains
> local_parts = ^[.] : ^.*[@%!/|]
> message = Restricted characters in address
>
> deny domains = !+local_domains
> local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
> message = Restricted characters in address
@Jeremy:
Why aren't the extended restrictions for the "$run{}" attack the new
defaults?
local_parts = ^[.] : ^.*[\$@%!/|] : ^.*x24 : ^.*0.44
local_parts = ^[./|] : ^.*[\$@%!] : ^.*/\\.\\./ : ^.*x24 :
^.*0.44
Doesn't it make sense to have two barriers in the way and not relaying
on only one defense line(the patched string expand flaw) ?
This does not costs us anything besides some cpu cycles. Existing
configs won't get changed by new defaults for new installations. It
could be changed with a new major release i.e. 4.98 .
>
> Firstly, I don't understand the logic of accepting any address from an
> stdio submission, while applying the restriction to a localhost tcp
> submission.
Simple: on multiuser systems you never know who got hacked, has
malicouse intents or uses faulty webapps. X
>
> Secondly, is there really any reason nowadays for restricting % and !
> ?
>
> The last time I saw a % address was in 1995, and the last time I saw a
> ! address was in 1994. (And of course, when I did see them, they had
As may imagined: hackers do not care when it was used last. They care,
if it triggers something they can leverage.
--
## subscription configuration (requires account):
##
https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@???
## Exim details at
http://www.exim.org/
## Please use the Wiki with this list -
http://wiki.exim.org/
