From: Ben Rosengart (float panix.com)
Date: Mon Nov 26 2007 - 18:00:27 CST

With the default "allow_min_user = no", recipients whose addresses
begin with '-' are bounced by qmgr. This is to avoid, as Viktor
Duchovni puts it, "security issues with naive filters that don't put
'--' between sender and recipients."

You might think that smtpd would reject such recipients, but it
doesn't; it can't be sure that the leading '-' will still be present
after rewriting. In order to "be liberal in what it accepts", smtpd
assumes that the result of rewriting will not match /^-/.

Given that the internet is plagued by backscatter, this seems like
the wrong assumption to me. In Postfix's default configuration,
rewriting does not cure the problem, and a bounce, which might be
backscatter, is generated, and smtpd's default stance should reflect
this fact.

I propose a new parameter, "smtpd_allow_min_user", defaulting to
"no". If people want the current behavior, they can change it to
"yes". Or, if we want to really solve the problem,
"smtpd_allow_min_user_maps", allowing the user to define the set of
addresses which is acceptable despite a leading '-'.

(Another surprising (and therefore undesirable) effect of the current
system is that if a rewrite which moves or removes the leading '-' is
moved from, say, virtual(5) to generic(5), mail which previously
worked will begin bouncing.)

What do people think?

Thanks,
--
Ben Rosengart
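
The risk quoted in the message above ("naive filters that don't put '--' between sender and recipients"), as an added example that is not part of the original post and is not Postfix code: a toy sendmail-style command line parsed with Python's `getopt`, built once without and once with the `--` separator. The function names, the single `-f` option and the sample addresses are assumptions constructed for illustration.

```python
import getopt

def parse_filter_argv(argv):
    """Toy model of a sendmail-style command line: [-f sender] recipient...

    Returns (sender, recipients). Follows standard Unix getopt rules:
    option parsing stops at '--' or at the first non-option argument.
    """
    opts, recipients = getopt.getopt(argv, "f:")
    sender = None
    for flag, value in opts:
        if flag == "-f":
            sender = value  # a later -f silently overrides an earlier one
    return sender, recipients

def naive_argv(sender, recipients):
    # What a naive filter builds: recipients follow the options directly.
    return ["-f", sender, *recipients]

def safe_argv(sender, recipients):
    # '--' ends option parsing, so every later argument is a recipient.
    return ["-f", sender, "--", *recipients]

def bounced_by_min_user_check(recipient, allow_min_user=False):
    # The check described in the post: with allow_min_user = no, an
    # address that begins with '-' is bounced.
    return recipient.startswith("-") and not allow_min_user

# Constructed sample data (hypothetical addresses).
SENDER = "sender@example.org"
RCPTS = ["-fred@example.com", "alice@example.com"]

if __name__ == "__main__":
    # Without '--' the first recipient is consumed as a second -f option.
    print("naive:", parse_filter_argv(naive_argv(SENDER, RCPTS)))
    # With '--' the sender and both recipients arrive intact.
    print("safe: ", parse_filter_argv(safe_argv(SENDER, RCPTS)))
    try:
        parse_filter_argv(naive_argv(SENDER, ["-list@example.com"]))
    except getopt.GetoptError as err:
        print("naive, unknown option:", err)
    print("bounced:", [r for r in RCPTS if bounced_by_min_user_check(r)])
```
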