On 22/06/2019 9:44 am, Andreas Metzler via Exim-users wrote:
CVE-2019-10149 is not that it is possible to submit a mail that ends up frozen in the queue. CVE is a remote command execution vulnerabilty. The fix for CVE-2019-10149 does not remove the possibility to generate frozen mails in the queue, it stops the remote command execution.
by any chance, please, would anyone happen to have an acl_smtp_rcpt example that catches these particular exploit attempts — so my queue doesn't fill up with these frozen msgs — /but/ still allows me to have "user+suffix@domain" which I enable via local_part_suffix on a redirect router?
i.e. just rejecting '+' in the local part is too strict, here. thanks very much indeed. cheers, calum. -- ## List details at https://lists.exim.org/mailman/listinfo/exim-users ## Exim details at http://www.exim.org/ ## Please use the Wiki with this list - http://wiki.exim.org/