Daniel,

> Thank you for making this nice addition for me!
> It works perfectly and accomplishes exactly what I needed...

I'm glad it does.

> Will I need to continue patching this in or are you committing it
> to the main branch? Just checking...

Will be in 2.5.2, in a few days.

> RE: your concerns about the SQL pattern issues, I'm assuming I
> wouldn't need to be quite as concerned about this as my postfix
> server doesn't even call on amavis until the recipient address has
> been validated as local... Does this make sense?

For incoming mail, when plus addressing is enabled (and there is no reason
it shouldn't be), one may add any junk in the local part after a separator,
e.g. "user+xx_%x.***"@example.com. For outgoing mail, your users are allowed
to specify any recipient localpart under a valid domain name.

> Also, how would this same concern not apply to the recipient
> address listed in the %k macro which has been in the code all along?

The:
  users.email IN (fixed tainted strings)
is safe because only exact string matches are used, and the list of strings
is prepared by amavisd code by stripping out parts of the recipient address,
in a well-defined order from specific to a more general form.

The:
  alias.goto LIKE tainted_regexp
appears potentially problematic: a recipient address could contain characters
which have special meaning to SQL pattern matching, e.g. a recipient address
like [EMAIL PROTECTED] would also match [EMAIL PROTECTED]@y.example.com (I know
the '_' is not supposed to be used in host names, but it is a valid character
for DNS, and few mailers enforce it). If SQL regexp matching were used instead
of the simple LIKE, it would be even easier to cheat.

It would be alright to do it the other way around though, e.g.
  tainted_string LIKE admin-specified-regexp
which would be more similar to the:
  users.email IN (%k)
functionality.

  Mark

_______________________________________________
AMaViS-user mailing list
https://lists.sourceforge.net/lists/listinfo/amavis-user
