On 11/08/2019 09:55, Frank Elsner via Exim-users wrote:
> for alias processing the config contains
> the RCPT ACL
> 
> |   warn  domains = +local_domains
> |         set acl_m_rcpt = ${sg{${run{/usr/local/bin/lookup_alias $local_part@$domain}}}{\\n}{}}

1) You may have a security problem.  Think carefully about what an
attacker could do with a crafted local_part.

2) You are overwriting acl_m_rcpt for every new recipient.  The routing
only happens after the message is accepted.

In more general terms for this sort of problem, you could have tested
using "-bh" and "-d".  This makes the processing flow visible.


It fits better in Exim if you do the alias lookup in the routers. To
enforce SMTP-time actions on problems such as your ERROR_NO_CONNECTION,
use an ACL condition "verify = recipient"; that runs the routing to see
if the address is acceptable.

-- 
Cheers,
  Jeremy
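
The layout suggested in the reply above, as an added configuration sketch that is not part of the original message: the alias lookup moves into a redirect router, where the local part is only a lookup key, and the RCPT ACL calls the routers through "verify = recipient" for each recipient in turn. The ACL name, router name, alias file path and lsearch lookup are assumptions; the character filter is the one shipped in Exim's default configuration.

```exim
# --- ACL section (assumes acl_smtp_rcpt = acl_check_rcpt in the main section) ---

acl_check_rcpt:

  # Refuse local parts containing characters that should never reach a
  # lookup or command line (pattern from Exim's default configuration).
  deny    message       = Restricted characters in address
          domains       = +local_domains
          local_parts   = ^[.] : ^.*[@%!/|]

  # Run the routers at SMTP time, once per RCPT command. No per-message
  # ACL variable is involved, so nothing is overwritten by the next
  # recipient. A router decline rejects the recipient; a router defer
  # (for example an unreachable lookup backend) gives a temporary error.
  deny    message       = Unknown user
          domains       = +local_domains
          !verify       = recipient

  accept  domains       = +local_domains

# --- Routers section ---

aliases:
  driver      = redirect
  domains     = +local_domains
  # Assumption: aliases live in a flat file. Substitute the lookup type
  # that matches the real alias store. The address is used only as a
  # lookup key and is never expanded into a ${run} command string.
  data        = ${lookup{$local_part}lsearch{/etc/aliases}}
  # Permit ":fail:" and ":defer:" entries in the alias data so the
  # lookup result can signal a permanent or temporary error.
  allow_fail
  allow_defer
```

A "-bh" test session, as mentioned in the reply, shows the routers being run during recipient verification.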
