[Pymilter] You are correct, it is a bug (rejecting non-SRS)
Stuart D. Gathman
stuart at bmsi.com
Wed May 25 10:33:31 EDT 2005
On Fri, 29 Apr 2005, Alex Savguira wrote:
> You need to turn on rejecting non-SRS.
>
> [srs]
> config=/etc/mail/pysrs.cfg
> # allow a grace period, then turn this on reject_spoofed = 1
>
>
> I did... And I do the pysrs as well.. It works as I said, when the fake DSN
> contains any headers (at least subject:)... The point is that you can send a
> fake DSN with no headers (no subject, nothing), that is: <<mail from: rcpt
> to: data Buy viagra fashion...>>> It is limited, and your excellent milter
> will divert most of the fake DSN's, but it is still possible to get through,
> if the fake DSN (see the telnet dialog from my previous mail) does not
> transmit any mail headers... It is quite obvious since you check for the fake
> not srs-signed DSN in the headers parser routine...
I am sorry I was not paying full attention before. You are absolutely
correct. The 'data_allowed' flag is checked in the header callback,
and sending no headers avoids it. That is certainly a bug. The check
should be duplicated in eoh. (We want to reject as soon as possible.)
If it is not obvious how to duplicate the check (beginning with
if not self.data_allowed), then I can send you my current code.
--
Stuart D. Gathman <stuart at bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
More information about the Pymilter
mailing list