tags #366491 pending thanks On Thu, May 11, 2006 at 04:13:23PM +0200, Marc Haber wrote: > I'm probably going to move the macro definition to the actual ACL file > as this is possible with current exim versions, but I'll need to > clarify spec.txt chapter 6.4 on exim-users before I actually do this. > See > http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20060508/msg00120.html
Since the desired form of macro definition and actual ACL wis not possible with current exim, I have changed and rephrased the documentation in a more verbose way. Let me know if that's acceptable to you. main/01_exim4-config_listmacrosdefs: # define macros to be used in acl/30_exim4-config_check_rcpt to check # recipient local parts for strange characters. # This macro definition really should be in # acl/30_exim4-config_check_rcpt but cannot be there due to # http://www.exim.org/bugzilla/show_bug.cgi?id=101 as of exim 4.62. # These macros are documented in acl/30_exim4-config_check_rcpt, # can be changed here or overridden by a locally added configuration # file as described in README.Debian chapter 2.1.2 .ifndef CHECK_RCPT_LOCAL_LOCALPARTS CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : [EMAIL PROTECTED]/|`#&?] .endif .ifndef CHECK_RCPT_REMOTE_LOCALPARTS CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : [EMAIL PROTECTED]&?] : ^.*/\\.\\./ .endif acl/30_exim4-config_check_rcpt: # The following section of the ACL is concerned with local parts that contain # certain non-alphanumeric characters. Dots in unusual places are # handled by this ACL as well. # # Non-alphanumeric characters other than dots are rarely found in genuine # local parts, but are often tried by people looking to circumvent # relaying restrictions. Therefore, although they are valid in local # parts, these rules disallow certain non-alphanumeric characters, as # a precaution. # # Empty components (two dots in a row) are not valid in RFC 2822, but Exim # allows them because they have been encountered. (Consider local parts # constructed as "firstinitial.secondinitial.familyname" when applied to # a name without a second initial.) However, a local part starting # with a dot or containing /../ can cause trouble if it is used as part of a # file name (e.g. for a mailing list). This is also true for local parts that # contain slashes. A pipe symbol can also be troublesome if the local part is # incorporated unthinkingly into a shell command line. # # These ACL components will block recipient addresses that are valid # from an RFC2822 point of view. We chose to have them blocked by # default for security reasons. # # If you feel that your site should have less strict recipient # checking, please feel free to change the default values of the macros # defined in main/01_exim4-config_listmacrosdefs or override them from a # local configuration file. # # Two different rules are used. The first one has a quite strict # default, and is applied to messages that are addressed to one of the # local domains handled by this host. # The default value of CHECK_RCPT_LOCAL_LOCALPARTS is defined in # main/01_exim4-config_listmacrosdefs: # CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : [EMAIL PROTECTED]/|`#&?] # This blocks local parts that begin with a dot or contain a quite # broad range of non-alphanumeric characters. .ifdef CHECK_RCPT_LOCAL_LOCALPARTS deny domains = +local_domains local_parts = CHECK_RCPT_LOCAL_LOCALPARTS message = restricted characters in address .endif # The second rule applies to all other domains, and its default is # considerably less strict. # The default value of CHECK_RCPT_REMOTE_LOCALPARTS is defined in # main/01_exim4-config_listmacrosdefs: # CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : [EMAIL PROTECTED]&?] : ^.*/\\.\\./ # It allows local users to send outgoing messages to sites # that use slashes and vertical bars in their local parts. It blocks # local parts that begin with a dot, slash, or vertical bar, but allows # these characters within the local part. However, the sequence /../ is # barred. The use of some other non-alphanumeric characters is blocked. # Single quotes might probably be dangerous as well, but they're # allowed by the default regexps to avoid rejecting mails to Ireland. # The motivation here is to prevent local users (or local users' malware) # from mounting certain kinds of attack on remote sites. .ifdef CHECK_RCPT_REMOTE_LOCALPARTS deny domains = !+local_domains local_parts = CHECK_RCPT_REMOTE_LOCALPARTS message = restricted characters in address .endif Greetings Marc -- ----------------------------------------------------------------------------- Marc Haber | "I don't trust Computers. They | Mailadresse im Header Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834 Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
