> -----Original Message-----
> From: Jeremy Harris [mailto:[email protected]]
> Sent: 21 October 2015 18:25
> To: Warwick Brown; [email protected]
> Subject: Re: [exim-dev] Interesting behaviour
>
> On 21/10/15 16:44, Warwick Brown wrote:
> > Pen-testers still test to see if legacy routed addresses are supported
> > due to the dross of legacy still out there.
> >
> > I agree with your reasoning as to routed addresses being obsolete, and
> > that is why I still use the restricted characters ACL to ensure they are
> > not accepted.
> >
> > But, the issue I see is that the invalid input is silently discarded with
> > no notice of when or why.
> >
> > The ":" character is in my restricted characters ACL, however in the
> > special-case where the user-part is null, the restricted characters ACL
> > does not seem to kick in.
> >
> > I am satisfied that exim fails safe, but still think it's worth a look-in
> > to why it silently discards parts of its input data - if this is by
> > design, then fine, but if it is an unintended consequence, then it is to
> > me a little more concerning.
>
> The following comment is in the source code
> [ block comment for parse_extract_address() ] :-
>
>   Exim no longer supports the use of source routed addresses (those of the
>   form @domain,...:route_addr). It recognizes the syntax, but collapses such
>   addresses down to their final components. Formerly, collapse_source_routes
>   had to be set to achieve this effect. RFC 1123 allows collapsing with MAY,
>   while the revision of RFC 821 had increased this to SHOULD, so I've gone
>   for it, because it makes a lot of code elsewhere in Exim much simpler.
>
> I've not looked at the actual coding, but that seems to match what you
> observe and I read it as being fully intended.
>
> The comment dates back at least as far as 2004, the start of the git history.
> --
> Cheers,
> Jeremy
Thanks Jeremy,

In light of that, I will take it as intentional behaviour.

Thanks again for considering my concern

Regards,
Warwick

--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
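The source-route collapse described in the quoted comment, as an added example that is not part of the thread and is not Exim's code: it recognises the `@domain,...:route_addr` form, returns the final component, and reports how much was dropped so a caller can log the collapse instead of discarding the route silently. The function name `collapse_source_route`, the simplified domain grammar and the sample addresses are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Characters accepted in a route domain in this simplified grammar (assumption). */
static int is_domain_char(int c) {
    return isalnum(c) || c == '-' || c == '.';
}

/*
 * If addr starts with a source route ("@dom1,@dom2:"), return a pointer to
 * the final component after the ':' and set *route_len to the number of
 * bytes skipped. With no route, return addr and set *route_len to 0.
 * Return NULL for a malformed route so the caller rejects the address
 * rather than guessing what was meant.
 */
const char *collapse_source_route(const char *addr, size_t *route_len) {
    const char *p = addr;
    *route_len = 0;
    if (*p != '@') return addr;            /* no route present */
    for (;;) {
        if (*p != '@') return NULL;        /* each hop must start with '@' */
        p++;
        const char *start = p;
        while (is_domain_char((unsigned char)*p)) p++;
        if (p == start) return NULL;       /* empty hop domain */
        if (*p == ',') { p++; continue; }  /* another hop follows */
        if (*p == ':') { p++; break; }     /* end of the route */
        return NULL;                       /* anything else is malformed */
    }
    *route_len = (size_t)(p - addr);
    return p;
}

/* Constructed sample input; the third entry has an empty final component. */
int main(void) {
    const char *samples[] = { "@relay.example,@hop.example:user@dest.example",
                              "user@dest.example", "@relay.example:",
                              "@:user@dest.example" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        size_t n;
        const char *rest = collapse_source_route(samples[i], &n);
        if (rest == NULL) printf("reject    %s\n", samples[i]);
        else if (n > 0)   printf("collapsed %s -> \"%s\" (dropped %zu bytes)\n",
                                 samples[i], rest, n);
        else              printf("plain     %s\n", samples[i]);
    }
    return 0;
}
```

A non-zero `route_len` is the signal to log; an empty remainder after the collapse is the null user-part case raised in the thread and can be rejected explicitly at that point.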
