From: Victor Duchovni (Victor.Duchovni MorganStanley.com)
Date: Mon Jul 30 2007 - 23:28:48 CDT
On Mon, Jul 30, 2007 at 02:58:04PM -0700, Jim Fenton wrote:
> CSCsi01498 ESMTP inspect cannot handle content-type string in DKIM headers
>
> According to one of the bug descriptions, the message
>
> SMTP: Multiple Content-Type headers!
>
> will be logged if ESMTP debugging is enabled and this is the cause.
>
This makes sense. Many firewall stateful inspection engines try to avoid
expensive protocol state machines, and attempt to make do with regular
expressions that match lexical patterns as packets fly by. Unfortunately,
fast lexical matching can suffer from false-positives (and even inspection
bypass attacks). On the flip-side, doing full protocol analysis naturally
hurts performance...
So I am not too surprised by inadvertent matching of "Content-Type:"
in the DKIM signature. In fact quoting from:
http://groups.google.com/group/list.postfix.users/msg/a1b1b73256dd8156
...
It is also possible that some of the header names inside the "h=" list
are being parsed as (malformed) headers in their own right...
I expect that this is not the last bug of this type, as it is unlikely
that the SMTP fixup code will, even with this bug fix, be a complete SMTP
state-machine. It can be made increasingly less likely to break on
common message patterns, but new or unusual valid content will likely
be found to fail from time to time.
For users running Postfix behind a PIX, if you believe Postfix to be
sufficiently robust (the track record seems to merit such a view),
it is wise to simply disable the PIX SMTP-fixup feature.
--
Viktor.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:majordomo postfix.org?body=unsubscribe%20postfix-users>
If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
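
The false positive discussed in the message above, as an added example that is not part of the original post and is not the PIX's actual inspection code: a pattern match for "Content-Type:" over the raw stream counts the name inside the DKIM "h=" list, while a parser that unfolds headers and compares field names does not. The sample message, addresses and function names are constructed for illustration.

```python
import re

# Constructed sample message. The DKIM-Signature "h=" tag lists the signed
# header names separated by colons, so the text "Content-Type:" appears
# inside a header *value* on a folded continuation line.
SAMPLE = (
    b"Received: from mail.example.org by mx.example.net\r\n"
    b"DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=sel1;\r\n"
    b"\th=From:To:Subject:Content-Type:Date; bh=PLACEHOLDER; b=PLACEHOLDER\r\n"
    b"From: alice@example.org\r\n"
    b"To: bob@example.net\r\n"
    b"Subject: test\r\n"
    b"Date: Mon, 30 Jul 2007 14:58:04 -0700\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Hello.\r\n"
)

def lexical_count(raw, name=b"Content-Type"):
    """Pattern match as bytes fly by: count 'name:' anywhere in the data."""
    return len(re.findall(re.escape(name) + b":", raw, re.IGNORECASE))

def parsed_count(raw, name=b"Content-Type"):
    """Structural count: stop at the blank line, unfold continuation
    lines, then compare only the field name before the first colon."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    fields = []
    for line in head.split(b"\r\n"):
        if line[:1] in (b" ", b"\t") and fields:
            fields[-1] += line          # folded continuation of previous field
        else:
            fields.append(line)
    names = [f.split(b":", 1)[0].strip().lower() for f in fields if b":" in f]
    return names.count(name.lower())

def reports_multiple(count):
    """Assumed rule: more than one hit is treated as duplicate headers."""
    return count > 1

if __name__ == "__main__":
    for label, fn in (("lexical", lexical_count), ("parsed", parsed_count)):
        n = fn(SAMPLE)
        print(f"{label}: {n} hit(s), multiple={reports_multiple(n)}")
```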