[Pymilter] You are correct, it is a bug (rejecting non-SRS)

Stuart D. Gathman stuart at bmsi.com
Wed May 25 10:33:31 EDT 2005


On Fri, 29 Apr 2005, Alex Savguira wrote:

> You need to turn on rejecting non-SRS.
> 
> [srs]
> config=/etc/mail/pysrs.cfg
> # allow a grace period, then turn this on
> reject_spoofed = 1
> 
> 
> I did... And I do the pysrs as well.. It works as I said, when the fake DSN
> contains any headers (at least Subject:)... The point is that you can send a
> fake DSN with no headers (no subject, nothing), that is: <<mail from: rcpt
> to: data Buy viagra fashion...>>> It is limited, and your excellent milter
> will divert most of the fake DSNs, but it is still possible to get through,
> if the fake DSN (see the telnet dialog from my previous mail) does not
> transmit any mail headers... It is quite obvious since you check for the fake
> non-SRS-signed DSN in the header parser routine...

I am sorry I was not paying full attention before.  You are absolutely
correct.  The 'data_allowed' flag is checked in the header callback,
and sending no headers avoids it.  That is certainly a bug.  The check
should be duplicated in eoh.  (We want to reject as soon as possible.)
If it is not obvious how to duplicate the check (beginning with 
if not self.data_allowed), then I can send you my current code.

-- 
	      Stuart D. Gathman <stuart at bmsi.com>
    Business Management Systems Inc.  Phone: 703 591-0911 Fax: 703 591-6154
"Confutatis maledictis, flamis acribus addictis" - background song for
a Microsoft sponsored "Where do you want to go from here?" commercial.
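The bypass and the fix described above, as an added example that is not pymilter's own code: a small simulation of the milter callback order (envfrom, envrcpt, header, eoh, eom) with a `data_allowed` flag like the one named in the reply. The `is_srs_signed` prefix test, the stand-in `CONTINUE`/`REJECT` constants (real pymilter code subclasses `Milter.Base` and returns `Milter.CONTINUE`/`Milter.REJECT`) and the sample addresses are all constructed for illustration.

```python
# Constructed simulation of the milter callback sequence, not pymilter's code.
# Stand-ins for Milter.CONTINUE / Milter.REJECT so it runs without the library.
CONTINUE = "continue"
REJECT = "reject"


def is_srs_signed(localpart):
    # Hypothetical check: real pysrs verifies the hash and timestamp inside the
    # SRS0=/SRS1= tag; here a prefix test is enough to drive the example.
    lp = localpart.upper()
    return lp.startswith("SRS0=") or lp.startswith("SRS1=")


class DsnMilter:
    """Per-message state, modelled on the data_allowed flag in the reply."""

    def __init__(self, check_in_eoh):
        self.check_in_eoh = check_in_eoh   # True = the fix is applied
        self.data_allowed = True
        self.is_dsn = False
        self.rejected_at = None            # which callback rejected, if any

    def envfrom(self, sender):
        # A null reverse-path means the message claims to be a DSN (bounce).
        self.data_allowed = True
        self.rejected_at = None
        self.is_dsn = sender == "<>"
        return CONTINUE

    def envrcpt(self, rcpt):
        # A bounce to one of our users must be addressed to an SRS-signed
        # address we generated. Otherwise it is forged: flag it, and let the
        # DATA-phase callbacks do the rejecting.
        localpart = rcpt.strip("<>").split("@")[0]
        if self.is_dsn and not is_srs_signed(localpart):
            self.data_allowed = False
        return CONTINUE

    def header(self, name, value):
        # The original check lives only here, so a message with zero headers
        # never reaches it.
        if not self.data_allowed:
            self.rejected_at = "header"
            return REJECT
        return CONTINUE

    def eoh(self):
        # The fix: repeat the check at end-of-headers, which sendmail calls
        # even when the message carried no header lines at all.
        if self.check_in_eoh and not self.data_allowed:
            self.rejected_at = "eoh"
            return REJECT
        return CONTINUE

    def eom(self):
        return CONTINUE


def run_message(milter, sender, rcpt, headers):
    """Drive the callbacks in the order the MTA invokes them; stop on REJECT."""
    if milter.envfrom(sender) == REJECT:
        return REJECT
    if milter.envrcpt(rcpt) == REJECT:
        return REJECT
    for name, value in headers:
        if milter.header(name, value) == REJECT:
            return REJECT
    if milter.eoh() == REJECT:
        return REJECT
    return milter.eom()


def demo():
    """Return (verdict, stage) for a forged header-less DSN before and after the fix."""
    forged_rcpt = "<alice@example.invalid>"          # constructed, not SRS-signed
    buggy = DsnMilter(check_in_eoh=False)
    v1 = run_message(buggy, "<>", forged_rcpt, [])   # no headers: bypasses header()
    fixed = DsnMilter(check_in_eoh=True)
    v2 = run_message(fixed, "<>", forged_rcpt, [])
    return (v1, buggy.rejected_at), (v2, fixed.rejected_at)


if __name__ == "__main__":
    print(demo())
```

Rejecting in `eoh` rather than waiting for `eom` keeps the reply's goal of refusing the message as early as possible once the envelope has shown it is forged.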
