Bug#366491: Re: Bug#366491: exim4-config:
CHECK_RCPT_LOCAL_LOCALPARTS denies valid email addresses
Marc Haber
mh+debian-packages at zugschlus.de
Mon May 15 13:30:35 UTC 2006
tags #366491 pending
thanks
On Thu, May 11, 2006 at 04:13:23PM +0200, Marc Haber wrote:
> I'm probably going to move the macro definition to the actual ACL file
> as this is possible with current exim versions, but I'll need to
> clarify spec.txt chapter 6.4 on exim-users before I actually do this.
> See
> http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20060508/msg00120.html
Since the desired form of macro definition and actual ACL is not
possible with current exim, I have changed and rephrased the
documentation in a more verbose way. Let me know if that's acceptable
to you.
main/01_exim4-config_listmacrosdefs:
# define macros to be used in acl/30_exim4-config_check_rcpt to check
# recipient local parts for strange characters.
# This macro definition really should be in
# acl/30_exim4-config_check_rcpt but cannot be there due to
# http://www.exim.org/bugzilla/show_bug.cgi?id=101 as of exim 4.62.
# These macros are documented in acl/30_exim4-config_check_rcpt,
# can be changed here or overridden by a locally added configuration
# file as described in README.Debian chapter 2.1.2
.ifndef CHECK_RCPT_LOCAL_LOCALPARTS
CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]
.endif
.ifndef CHECK_RCPT_REMOTE_LOCALPARTS
CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
.endif
acl/30_exim4-config_check_rcpt:
# The following section of the ACL is concerned with local parts that contain
# certain non-alphanumeric characters. Dots in unusual places are
# handled by this ACL as well.
#
# Non-alphanumeric characters other than dots are rarely found in genuine
# local parts, but are often tried by people looking to circumvent
# relaying restrictions. Therefore, although they are valid in local
# parts, these rules disallow certain non-alphanumeric characters, as
# a precaution.
#
# Empty components (two dots in a row) are not valid in RFC 2822, but Exim
# allows them because they have been encountered. (Consider local parts
# constructed as "firstinitial.secondinitial.familyname" when applied to
# a name without a second initial.) However, a local part starting
# with a dot or containing /../ can cause trouble if it is used as part of a
# file name (e.g. for a mailing list). This is also true for local parts that
# contain slashes. A pipe symbol can also be troublesome if the local part is
# incorporated unthinkingly into a shell command line.
#
# These ACL components will block recipient addresses that are valid
# from an RFC2822 point of view. We chose to have them blocked by
# default for security reasons.
#
# If you feel that your site should have less strict recipient
# checking, please feel free to change the default values of the macros
# defined in main/01_exim4-config_listmacrosdefs or override them from a
# local configuration file.
#
# Two different rules are used. The first one has a quite strict
# default, and is applied to messages that are addressed to one of the
# local domains handled by this host.
# The default value of CHECK_RCPT_LOCAL_LOCALPARTS is defined in
# main/01_exim4-config_listmacrosdefs:
# CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]
# This blocks local parts that begin with a dot or contain a quite
# broad range of non-alphanumeric characters.
.ifdef CHECK_RCPT_LOCAL_LOCALPARTS
  deny
    domains = +local_domains
    local_parts = CHECK_RCPT_LOCAL_LOCALPARTS
    message = restricted characters in address
.endif
# The second rule applies to all other domains, and its default is
# considerably less strict.
# The default value of CHECK_RCPT_REMOTE_LOCALPARTS is defined in
# main/01_exim4-config_listmacrosdefs:
# CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
# It allows local users to send outgoing messages to sites
# that use slashes and vertical bars in their local parts. It blocks
# local parts that begin with a dot, slash, or vertical bar, but allows
# these characters within the local part. However, the sequence /../ is
# barred. The use of some other non-alphanumeric characters is blocked.
# Single quotes might probably be dangerous as well, but they're
# allowed by the default regexps to avoid rejecting mails to Ireland.
# The motivation here is to prevent local users (or local users' malware)
# from mounting certain kinds of attack on remote sites.
.ifdef CHECK_RCPT_REMOTE_LOCALPARTS
  deny
    domains = !+local_domains
    local_parts = CHECK_RCPT_REMOTE_LOCALPARTS
    message = restricted characters in address
.endif
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
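
The effect of the two default lists on sample local parts, as an added example that is not part of the original message or of the exim4-config package. It is a Python sketch that approximates Exim's local_parts regex matching with `re.search`; the helper names, the assumption that the doubled backslashes collapse to single ones during string expansion, and the sample local parts are all constructed for illustration.

```python
import re

# Defaults copied from main/01_exim4-config_listmacrosdefs in the message above.
CHECK_RCPT_LOCAL_LOCALPARTS = r"^[.] : ^.*[@%!/|`#&?]"
CHECK_RCPT_REMOTE_LOCALPARTS = r"^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./"


def compile_list(macro_value):
    """Compile a colon-separated list of regex items.

    Simplifications (assumptions of this sketch): no item contains a literal
    colon, and string expansion only turns the doubled backslash into one.
    """
    items = [item.strip() for item in macro_value.split(":")]
    return [re.compile(item.replace("\\\\", "\\")) for item in items]


LOCAL = compile_list(CHECK_RCPT_LOCAL_LOCALPARTS)
REMOTE = compile_list(CHECK_RCPT_REMOTE_LOCALPARTS)


def denied_by(local_part, is_local_domain):
    """Return the regex that would trigger the deny, or None if neither
    restricted-characters rule matches this local part."""
    for pattern in (LOCAL if is_local_domain else REMOTE):
        if pattern.search(local_part):
            return pattern.pattern
    return None


# Constructed sample local parts; several are valid under RFC 2822.
SAMPLES = ["john.doe", "o'brien", "a..b", "user+tag", ".hidden",
           "user/folder", "list|cmd", "|cmd", "user#tag", "x/../etc"]

if __name__ == "__main__":
    for lp in SAMPLES:
        local = denied_by(lp, True) or "accept"
        remote = denied_by(lp, False) or "accept"
        print(f"{lp!r:15} local: {local:22} remote: {remote}")
```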