Bug#408174: exim4: header_sender test and group addresses: exim rejecting rfc-valid mails
Marc Schiffbauer
marc at links2linux.de
Tue Jan 23 22:24:20 UTC 2007
Package: exim4
Version: 4.50-8sarge2
Severity: important
In these days the setting "verify = header_sender" is very important
IMO. But there is a bug in exim that can cause valid mail to be
rejected. So you have two choices in the Debian version of exim4:
* configure exim to not check sender headers (allow users to use
foo at notarealdomain.foo as From:, Sender: or Reply-To:)
* let exim check headers but risk 100% valid mails being rejected
So I consider this kind of serious. Maybe a backport of this fix would
be a good idea?
(affects sarge and etch and current sid, AFAICT)
The Problem: as of RFC2822 it is valid to specify empty group addresses
in a Reply-To: header like this:
    From: someuser at valid-domain.com
    Reply-To: "Please do not reply":;
But because of a bug in exim this will be rejected. This bug was fixed
upstream in version 4.64.
References/Details:
http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20061009/msg00061.html
ChangeLog of Exim 4.64:
"PH/18 Two problems with "group" syntax in header lines when verifying: (1) The
flag allowing group syntax was set by the header_syntax check but not
turned off, possible causing trouble later; (2) The flag was not being
set at all for the header_verify test, causing "group"-style headers to
be rejected. I have now set it in this case, and also caused header_verify
to ignore an empty address taken from a group. While doing this, I
came across some other cases where the code for allowing group syntax
while scanning a header line wasn't quite right (mostly, not resetting
the flag correctly in the right place). These bugs could have caused
trouble for malformed header lines. I hope it is now all correct."
kind regards
-Marc
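
Added example, not part of the original report and not Exim's code: a Python sketch of a header-sender check that parses the group syntax from the report and skips an empty group while still checking members of a non-empty one. The sample message is constructed (with "@" restored in the address), and domain_ok is a hypothetical stand-in for the MTA's real address verification.

```python
from email import message_from_string
from email.policy import default

CHECKED = ("From", "Sender", "Reply-To")  # headers named in the report

# Constructed sample: the two headers from the report, with "@" restored.
SAMPLE = (
    "From: someuser@valid-domain.com\n"
    'Reply-To: "Please do not reply":;\n'
    "\n"
    "body\n"
)

def header_mailboxes(raw):
    """List (header, group name or None, addr-spec) for each mailbox found.

    An empty group such as "name":; has no mailboxes and contributes nothing.
    """
    msg = message_from_string(raw, policy=default)
    found = []
    for name in CHECKED:
        for hdr in msg.get_all(name, []):
            for group in hdr.groups:
                for mbox in group.addresses:
                    found.append((name, group.display_name, mbox.addr_spec))
    return found

def check_header_senders(raw, domain_ok):
    """Return (accepted, failing addr-specs); domain_ok is a hypothetical
    stand-in for the MTA's real address verification."""
    bad = [addr for _, _, addr in header_mailboxes(raw)
           if not domain_ok(addr.rpartition("@")[2])]
    return (not bad, bad)

if __name__ == "__main__":
    known = {"valid-domain.com"}  # constructed allow-list for the demo
    print(header_mailboxes(SAMPLE))
    print(check_header_senders(SAMPLE, known.__contains__))
```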