Hi!

At 05/11/17 18:59, Marc Haber wrote:
On Sun, Nov 05, 2017 at 04:09:37PM +0100, Andreas Metzler wrote:
I do not see the attacker gain, the same information can be extracted by
trying out RCPT TO *@omega-software.com with FROM attac...@gmail.com.
Additionally, we are desperately trying to stay close to the upstream
configuration. If this is really an issue, then all non-Debian exim
installations are vulnerable as well.

What I am trying to say is, this issue should be reported and
discussed with upstream _before_ we make this change. Paul, can you do
that to make your point there?

Yes of course. As moving sender verification is only useful if recipient
verification is moved, I'll make my point for recipient verification first then.

If they're receptive I'll bring up sender verification after that.

--
Paul Graham
Development Dept.
http://Omega-Software.com/

Omega Software
