Bug#880905: exim4-config: Sender verification could be exploited for brute-force scan

Paul Graham debianbts at omega-software.com
Sun Nov 5 20:11:57 UTC 2017


Hi!


At 05/11/17 18:59, Marc Haber wrote:
> On Sun, Nov 05, 2017 at 04:09:37PM +0100, Andreas Metzler wrote:
>> I do not see the attacker gain, the same information can be extracted by
>> trying out RCPT TO *@omega-software.com with FROM attacker at gmail.com.
> Additionally, we are desperately trying to stay close to the upstream
> configuration. If this is really an issue, then all non-Debian exim
> installations are vulnerable as well.
>
> What I am trying to say is, this issue should be reported and
> discussed with upstream _before_ we make this change. Paul, can you do
> that to make your point there?

Yes, of course. As moving sender verification is only useful if recipient verification is moved, I'll make my point for recipient verification first, then.

If they're receptive I'll bring up sender verification after that.

-- 
Paul Graham
Development Dept.
http://Omega-Software.com/

Omega Software

