Not sure. Just remember that Qmail's security comes from the foresight
of DJB. I don't have that kind of foresight, therefore I tend to rely
on certain defaults from his era and adjust according to the times.

For example, the + and & and a few other characters are now used in
mailing lists, so the QmailToaster now allows them.

I'd prefer this method as it's default deny, and allowing what is
needed. We all know how default allow always turns out.

Erik

On 1/16/07, Tim Mancour <[EMAIL PROTECTED]> wrote:
Erik,

Which characters in the sender's mailbox identifier represent a security
issue? In my thinking these should be the only characters that are
restricted in the "C" code. The badmailfrom file can then be used to allow
site to site customization.

I know that every time that I upgrade I have to do the hand building step to
allow the '+' character and would really like to be able to configure this
sort of thing in a control file.

Regards,
Tim

-----Original Message-----
From: Erik Espinoza [mailto:[EMAIL PROTECTED]
Sent: Monday, January 15, 2007 8:09 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: Re: [qmailtoaster] apostrophe

Tim,

Not a good idea. If you write this patch, it shall not be included into the
Toaster.

Qmail gets a lot of security by not allowing certain characters. For
example, any e-mail address that contains a "." is stored in the file system
as a ":" because the period is a file system navigation character.

Thanks,
Erik

On 1/15/07, Tim Mancour <[EMAIL PROTECTED]> wrote:
> Hi,
>
> The toaster seems to be more restrictive than the current SMTP
> specification. RFC 2821 (page 37) only specifically prohibits ASCII
> characters 0 through 31 and characters greater than 126 from the name
> of a mailbox.
>
> As a long term solution, couldn't we modify the "C" code (specifically
> the function check_sender_address_format) to allow any character in
> the ASCII range 33 through 126. We could then use the badmailfrom
> control file to filter out sender addresses that contain characters
> that are undesirable. A single line with an explicit set of characters
> could be used - e.g. [ ,;:"'`&%\$\^\{\[\(\|\)\]\}\*\+\?\\].
>
> I could be missing something but I think that this will allow each
> site to customize as required without rebuilding the "C" code and
> without losing any functionality. I'd be happy to make the C code
> changes if this makes sense to everyone.
>
> Regards,
> Tim
>
>
> -----Original Message-----
> From: Trung Pham [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 12, 2007 5:14 PM
> To: qmailtoaster-list@qmailtoaster.com
> Subject: Re: [qmailtoaster] apostrophe
>
> Yeah, you will need to edit the C code before compiling it.
>
> > eh no..
> > It's just that to change qmailtoaster/checkuser you have to change
> > the code a bit.
> >
> > Like Eric explained below.
> >
> >
> > ----- Original Message -----
> > From: "Dan Herbon" <[EMAIL PROTECTED]>
> > To: <qmailtoaster-list@qmailtoaster.com>
> > Sent: Friday, January 12, 2007 10:48 PM
> > Subject: RE: [qmailtoaster] apostrophe
> >
> >
> >> So I have to have any user emailing this person to add a \ in front
> >> of the email address?:
> >>
> >> Bd\'[EMAIL PROTECTED]
> >>
> >>
> >>
> >> -----Original Message-----
> >> From: Trung Pham [mailto:[EMAIL PROTECTED]
> >> Sent: Friday, January 12, 2007 4:37 PM
> >> To: qmailtoaster-list@qmailtoaster.com
> >> Subject: Re: [qmailtoaster] apostrophe
> >>
> >> #define CHKUSER_ALLOW_SENDER_CHAR_2 '\''
> >> that's the correct syntax
> >>
> >>> Dan Herbon wrote:
> >>>> I've been live on the new qmailtoaster server now for about 3
> >>>> weeks and no problems have arisen, everything's been great.
> >>>>
> >>>>
> >>>>
> >>>> Today however I came across my first problem. A user we used to
> >>>> email back and forth has an apostrophe in her name and for some
> >>>> strange odd reason whoever set this person up put the apostrophe
> >>>> in her email
> >>>> address. So her email address is:   bd'[EMAIL PROTECTED]
> >>>>
> >>>>
> >>>>
> >>>> The qmail server is rejecting this with:
> >>>>
> >>>>
> >>>>
> >>>> --------
> >>>>
> >>>> 2007-01-12 15:09:52.456145500 CHKUSER rejected sender: from
> >>>> <BD'[EMAIL PROTECTED]::> remote
> >>>> <mail-bh.server.com:unknown:12.19.*.*> rcpt <> : invalid sender
> >>>> address format
> >>>>
> >>>> ---------
> >>>>
> >>>>
> >>>>
> >>>> Is there an easy way to allow an apostrophe in the email address
> >>>> be delivered? Perhaps add just this user's email address to some
> >>>> sort of whitelist somewhere. Any help would be great. I have to
> >>>> get this working.
> >>>>
> >>>>
> >>>>
> >>>> thank
> >>>>
> >>>
> >>> You should try very hard to have the admin for that domain change
> >>> the name.
> >>>
> >>> Short of success with that, you *can* tailor chkuser to accept
> >>> additional special characters, but tailoring chkuser is somewhat
> >>> of a PITA. See http://wiki.qmailtoaster.com/index.php/Chkuser. In
> >>> chkuser.h you'll want to modify
> >>> /* #define CHKUSER_ALLOW_SENDER_CHAR_2 '%' */ by uncommenting the
> >>> #define, and specifying the apostrophe as the special character.
> >>> I'm not sure how to do that properly in C, but it might be #define
> >>> CHKUSER_ALLOW_SENDER_CHAR_2 '\''
> >>> or
> >>> #define CHKUSER_ALLOW_SENDER_CHAR_2 ''''
> >>> Maybe a C guru can help you out on that.
> >>>
> >>> HTH
> >>> --
> >>> -Eric 'shubes'
> >>>
> >>> ---------------------------------------------------------------------
> >>>      QmailToaster hosted by: VR Hosted <http://www.vr.org>
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: [EMAIL PROTECTED]
> >>> For additional commands, e-mail: [EMAIL PROTECTED]
> >>>

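The default-deny versus default-allow trade-off argued in this thread, as an added example that is not part of the original messages and is not chkuser's code. The function names, the baseline character set and the sample local parts are assumptions constructed for illustration; the deny set is the one quoted in the proposal to filter through badmailfrom.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed baseline for illustration; not chkuser's actual character set. */
static const char BASELINE[] = "._-";
/* Deny set quoted in the proposal in this thread, written as a C string. */
static const char PROPOSED_DENY[] = " ,;:\"'`&%$^{[(|)]}*+?\\";

/* Default deny: every byte must be an ASCII letter or digit, in BASELINE,
   or in the site's `extra` list (may be NULL). Returns 1 if accepted. */
int allowlist_ok(const char *local, const char *extra)
{
    const unsigned char *p = (const unsigned char *)local;
    if (*p == '\0') return 0;
    for (; *p; p++) {
        if (*p < 128 && isalnum(*p)) continue;
        if (strchr(BASELINE, *p)) continue;
        if (extra && strchr(extra, *p)) continue;
        return 0;                      /* anything unlisted is rejected */
    }
    return 1;
}

/* Default allow: ASCII 33..126 is accepted unless it appears in `deny`. */
int denylist_ok(const char *local, const char *deny)
{
    const unsigned char *p = (const unsigned char *)local;
    if (*p == '\0') return 0;
    for (; *p; p++) {
        if (*p < 33 || *p > 126) return 0;
        if (strchr(deny, *p)) return 0;
    }
    return 1;                          /* anything unlisted is accepted */
}

int main(void)
{
    /* Constructed sample local parts (the text before the @). */
    const char *samples[] = { "bd'smith", "list+tag", "a/b", "user" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-10s allow=%d allow+extra=%d deny=%d\n", samples[i],
               allowlist_ok(samples[i], NULL),
               allowlist_ok(samples[i], "'+&"),
               denylist_ok(samples[i], PROPOSED_DENY));
    return 0;
}
```

The constructed local part `a/b` passes the deny-list policy because `/` was never listed, while the allow-list rejects it until a site adds that character on purpose.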