Subject: postfix-ldap: address aliases with leading space
Package: postfix-ldap
Version: 2.7.0-1
Severity: normal

I'm using postfix virtual mailboxes and virtual aliases. Aliases are
stored in an LDAP table:
# main.cf
virtual_alias_maps = ldap:/etc/postfix/ldapalias.cf
If I send mail to an alias address, for instance <[email protected]>,
everything works fine.
If I send mail to that alias but add a leading space, i.e.
" [email protected]", postfix accepts the mail, as you can see in the
following telnet session to my smtp server:
220 prova.meteor.meteor ESMTP Postfix
mail from:<aaa>
250 2.1.0 Ok
rcpt to:<" [email protected]">
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
.
250 2.0.0 Ok: queued as DE5E41D554
After queuing the email, postfix bounces it, and in the mail log I can see:
May 3 17:31:13 prova postfix/virtual[8450]: DE5E41D554: to=< [email protected]>, relay=virtual, delay=32, delays=32/0.01/0/0.07, dsn=5.1.1, status=bounced (unknown user: " [email protected]")
In my opinion this is an odd behavior: postfix should not accept mail
and bounce it afterward.
Postfix should either reject mail at the RCPT TO stage, or accept it and
then deliver it properly, performing alias expansion after removing extra
spaces from the recipient address.
If an attacker sends mail to " [email protected]" he can generate a lot
of back-scattering spam.
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages postfix-ldap depends on:
ii  libc6          2.10.2-6    Embedded GNU C Library: Shared lib
ii  libldap-2.4-2  2.4.17-2.1  OpenLDAP libraries
ii  postfix        2.7.0-1     High-performance mail transport ag
postfix-ldap recommends no packages.
postfix-ldap suggests no packages.
-- no debconf information
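
Added example, not part of the original report: a log check for the symptom described above (mail accepted at RCPT TO, then bounced for a whitespace-padded recipient), which is the condition that produces backscatter. The log lines, queue IDs and example.org addresses are constructed, modelled on the entry quoted in the report.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the log entry quoted in the report.
SAMPLE_LOG = """\
May  3 17:31:13 mx postfix/virtual[8450]: DE5E41D554: to=< alias@example.org>, relay=virtual, delay=32, delays=32/0.01/0/0.07, dsn=5.1.1, status=bounced (unknown user: " alias@example.org")
May  3 17:31:40 mx postfix/virtual[8450]: A1B2C3D4E5: to=<alias@example.org>, relay=virtual, delay=0.2, delays=0.1/0.01/0/0.09, dsn=2.0.0, status=sent (delivered to maildir)
May  3 17:32:02 mx postfix/virtual[8451]: F00DBABE01: to=< alias@example.org>, relay=virtual, delay=1.1, delays=1/0.01/0/0.09, dsn=5.1.1, status=bounced (unknown user: " alias@example.org")
May  3 17:33:10 mx postfix/virtual[8451]: 0123456789: to=<nobody@example.org>, relay=virtual, delay=0.3, delays=0.2/0.01/0/0.09, dsn=5.1.1, status=bounced (unknown user: "nobody@example.org")
"""

# Delivery-agent log line: queue id, recipient as logged, DSN code, final status.
DELIVERY = re.compile(
    r"postfix/(?P<agent>[\w-]+)\[\d+\]: (?P<qid>[0-9A-F]+): "
    r"to=<(?P<rcpt>[^>]*)>,.*?dsn=(?P<dsn>\d\.\d+\.\d+), "
    r"status=(?P<status>\w+)"
)


def padded_bounces(log_text):
    """Return (queue_id, recipient) for every bounce whose logged recipient
    has leading or trailing whitespace. A queue id means the message was
    accepted at RCPT TO first, so each hit is a potential backscatter bounce."""
    hits = []
    for line in log_text.splitlines():
        m = DELIVERY.search(line)
        if not m or m["status"] != "bounced":
            continue
        rcpt = m["rcpt"]
        if rcpt != rcpt.strip():
            hits.append((m["qid"], rcpt))
    return hits


def summarize(hits):
    """Count hits per normalized address, to see which aliases are targeted."""
    return Counter(rcpt.strip().lower() for _, rcpt in hits)


if __name__ == "__main__":
    found = padded_bounces(SAMPLE_LOG)
    for qid, rcpt in found:
        print(f"{qid}: accepted then bounced, recipient={rcpt!r}")
    print(dict(summarize(found)))
```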