oooohhh. i get it!! it's the old that's-not-an-exploit-it's-a-feature thing! :-D

seriously though, i figured that's how it should be handled... and so i'll leave that to you guys: of course, only if it's something you actually consider worth adding to your already awesome smtpd daemon. :-)

thanks for your response.

gerard

Bart wrote:

Hi,

It's good to hear that you got this problem solved for your use, however this is something that we would rather see implemented in the user checking script. Since the percent sign in usernames does actually have a valid use for relaying email, it would not be favourable to disable this feature in the smtp code in case anybody would like to use it. There should be no problems in modifying the user checking script to reject emails with whichever characters you may find unacceptable.

Bart

On September 5, 2004 02:06 pm, walnut wrote:

hi.

i wrote the list a little while ago about the %, @ and ! symbols being used as exploits during relay attempts. a few of the relay tests i've tried were able to get qmail (and the magic-mail server) to accept mail for non-existent users with these exploits. while the mail isn't ever delivered, it does generate a bounce and it also has the potential to get a server listed (as irresponsible as that may seem).

the test servers are:

http://members.iinet.net.au/~remmie/relay/
http://www.antispam-ufrj.pads.ufrj.br/test-relay.html

there are several other relay tests online that test for the same hack.

i'm writing the list because i found a patch for qmail that prevents these exploits:

http://www.qmail.org/qmail-smtpd-relay-reject

and i've copied that patch's logic and diff'd magic-smtpd to do the same. my patch works, however i'm just wondering if i've applied the change in the appropriate place.

here's my patch:

--- orig/magic-smtpd.c 2004-05-03 14:18:36.000000000 -0700 +++ magic-smtpd.c 2004-09-05 13:54:56.655246432 -0700 
@@ -1209,6 +1209,21 @@ if (in_rcpt_hosts) { retval = 0; + int j; + char *buffer; + buffer = LM_STRING_BUFFER(rcptaddr); + j = strlen(buffer); + while(--j >= 0) + if (buffer[j] == '@') break; + if (j < 0) j = strlen(buffer); + while(--j >= 0) { + if (buffer[j] == '@' || buffer[j] == '%' || buffer[j] == '!') { + fprintf(stdout, "553 we don't relay (#5.7.1)\r\n"); + fflush(stdout); + return -1; + } + } + /* Check to see if the rcpt address is a valid user */ if ((!rcpt_bracket_ip_flag) && (config.check_valid_users != 0)) { retval = msd_check_rcpt_user(&addr, &spamdir);

thanks for your help, and please let me know if this is useful.
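Review bot: the new scan inside `if (in_rcpt_hosts)` rejects every recipient whose local part contains '@', '%' or '!' unconditionally, while the user check directly below it is gated on `config.check_valid_users != 0`. Since percent-style addresses are described in this thread as having a legitimate relaying use, consider putting the rejection behind a configuration switch that defaults to off (for instance a hypothetical `config.reject_relay_chars`, a name not present in the visible code), so existing installations keep their behaviour. Two smaller points in the same hunk: `int j;` and `char *buffer;` are declared after the statement `retval = 0;`, which pre-C99 compilers reject, so move the declarations to the top of the block; and the added lines carry no comment, unlike the `/* Check to see if the rcpt address is a valid user */` block that follows. A one-line comment stating that the code finds the last '@' and then scans everything before it for source-routing characters would make the intent clear. `strlen(buffer)` is also computed twice and could be stored once.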