On 21/10/15 16:44, Warwick Brown wrote:
> Pen-testers still test to see if legacy routed addresses are supported due to
> the dross of legacy still out there.
> I agree with your reasoning as to routed addresses being obsolete, and that
> is why I still use the restricted characters ACL to ensure they are not
> accepted.
> But, the issue I see is that the invalid input is silently discarded with no
> notice of when or why.
> The ":" character is in my restricted characters ACL, however in the
> special-case where the user-part is null, the restricted characters ACL does
> not seem to kick in.
> I am satisfied that exim fails safe, but still think it's worth a look-in to
> why it silently discards parts of its input data - if this is by design, then
> fine, but if it is an unintended consequence, then it is to me a little more
> concerning.

The following comment is in the source code [ block comment for
parse_extract_address() ] :-

  Exim no longer supports the use of source routed addresses (those of the
  form @domain,...:route_addr). It recognizes the syntax, but collapses such
  addresses down to their final components. Formerly, collapse_source_routes
  had to be set to achieve this effect. RFC 1123 allows collapsing with MAY,
  while the revision of RFC 821 had increased this to SHOULD, so I've gone
  for it, because it makes a lot of code elsewhere in Exim much simpler.

I've not looked at the actual coding, but that seems to match what you observe
and I read it as being fully intended. The comment dates back at least as far
as 2004, the start of the git history.

-- 
Cheers,
  Jeremy

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
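
An added illustration, not part of the original message and not Exim's code: a minimal sketch of the collapsing described in the quoted comment. It shows why a character check applied after collapsing never sees the ":" and how a return code lets the caller log that a route was dropped. The function names, the sample address, the restricted-character set and the assumption that the check runs on the collapsed address are all hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Exim's parse_extract_address()).
   Collapses "@d1,@d2:local@domain" to "local@domain".
   Returns 1 if a route was dropped, 0 if there was none, -1 if malformed. */
int collapse_source_route(const char *in, char *out, size_t outlen)
{
    size_t n = strlen(in);
    const char *p = in;
    int routed = 0;

    if (n >= 2 && in[0] == '<' && in[n - 1] == '>') { p++; n -= 2; }
    if (n > 0 && p[0] == '@') {
        const char *colon = memchr(p, ':', n);   /* route ends at first ':' */
        if (colon == NULL) return -1;
        for (const char *q = p; q < colon; q++) {
            /* every '@' needs a domain after it; every ',' needs an '@' */
            if (*q == '@' && (q[1] == ',' || q[1] == ':')) return -1;
            if (*q == ',' && q[1] != '@') return -1;
        }
        n -= (size_t)(colon + 1 - p);
        p = colon + 1;
        routed = 1;
    }
    if (n + 1 > outlen) return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return routed;
}

/* Constructed restricted-character set; ':' is included as in the post. */
int has_restricted(const char *s) { return strpbrk(s, ":%!/|") != NULL; }

int main(void)
{
    /* Constructed sample address using reserved example domains. */
    const char *raw = "<@relay1.example,@relay2.example:user@final.example>";
    char addr[256];
    int rc = collapse_source_route(raw, addr, sizeof addr);

    printf("raw has restricted char: %d\n", has_restricted(raw));
    if (rc == 1) printf("source route dropped, checking \"%s\"\n", addr);
    if (rc >= 0) printf("collapsed has restricted char: %d\n", has_restricted(addr));
    return rc < 0;
}
```
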
