Hi Wietse,

The DB dump shows:

londonstransport+bncbdzntlposqirbr426sgamgqeh7mv...@googlegroups.com??? 
0:0:1637682515:250 2.1.5 OK s8si901258edx.4 - gsmtp
There are 0xc2 0xa0 bytes at the end of the storage key, but not
in your query.

Apologies, I pasted the output generated by 'postmap -s', which puts a tab character (9) between key and value. I can't say where the other bytes came from. The extra bytes aren't in the key part of the database file hex dump, so I'm still at a loss why postmap -q doesn't match:

00006860  70 00 34 00 00 00 00 00  45 00 6c 6f 6e 64 6f 6e  |p.4.....E.london|
00006870  73 74 72 61 6e 73 70 6f  72 74 2b 62 6e 63 42 44  |stransport+bncBD|
00006880  5a 4e 54 4c 50 4f 53 51  49 52 42 52 34 32 36 53  |ZNTLPOSQIRBR426S|
00006890  47 41 4d 47 51 45 48 37  4d 56 4b 55 41 40 67 6f  |GAMGQEH7MVKUA@go|
000068a0  6f 67 6c 65 67 72 6f 75  70 73 2e 63 6f 6d 00 30  |oglegroups.com.0|
000068b0  3a 30 3a 31 36 33 37 36  38 32 35 31 35 3a 32 35  |:0:1637682515:25|
000068c0  30 20 32 2e 31 2e 35 20  4f 4b 20 73 38 73 69 39  |0 2.1.5 OK s8si9|
000068d0  30 31 32 35 38 65 64 78  2e 34 20 2d 20 67 73 6d  |01258edx.4 - gsm|
000068e0  74 70 00 00 35 00 00 00  00 00 45 00 6c 6f 6e 64  |tp..5.....E.lond|


Your postmap queries will have a shell command injection attack
if the command is processed by a shell.
I find your last paragraph worrying. Do you mean my own postmap queries will facilitate an external attack? Or that my queries are the attack?
I really don't want to open any security holes.


Another thing that occurred to me (in direct opposition to my vanity
project which is to log those I allow to bypass the verify check against
those that would have passed the check anyway), is that it is pretty
pointless adding certain groups to the database where their sender
address is unique and unlikely to ever be repeated.
That's one reason why it is a bad idea to use address verification
for such domains.
Yes, I agree. I will add those domains I find using unique sender strings to the allow list on 'check_sender_access hash:/etc/postfix/verify_sender' file when I'm done meddling.


Thanks,
Mick.

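A byte-level comparison of the stored key against a query key, as an added example that is not part of the original message: it rebuilds the bytes from the hex dump lines quoted above and reports non-ASCII bytes (such as 0xc2 0xa0) or case-only differences. The function names, and the assumption that the key is a NUL-terminated string that can be located by its prefix, are illustrative.

```python
import re

# Hex dump lines copied from the message above (hexdump -C layout).
DUMP = """\
00006860  70 00 34 00 00 00 00 00  45 00 6c 6f 6e 64 6f 6e  |p.4.....E.london|
00006870  73 74 72 61 6e 73 70 6f  72 74 2b 62 6e 63 42 44  |stransport+bncBD|
00006880  5a 4e 54 4c 50 4f 53 51  49 52 42 52 34 32 36 53  |ZNTLPOSQIRBR426S|
00006890  47 41 4d 47 51 45 48 37  4d 56 4b 55 41 40 67 6f  |GAMGQEH7MVKUA@go|
000068a0  6f 67 6c 65 67 72 6f 75  70 73 2e 63 6f 6d 00 30  |oglegroups.com.0|
"""

def parse_hexdump(text):
    """Rebuild raw bytes from 'offset  hex bytes  |ascii|' lines."""
    out = bytearray()
    for line in text.splitlines():
        body = line.split("|", 1)[0]      # drop the ASCII column
        fields = body.split()[1:]         # drop the offset
        out += bytes(int(f, 16) for f in fields
                     if re.fullmatch(r"[0-9a-fA-F]{2}", f))
    return bytes(out)

def stored_key(raw, prefix):
    """Assumption: the key is the NUL-terminated string starting at prefix."""
    start = raw.lower().find(prefix.lower())
    if start < 0:
        return None
    end = raw.find(b"\x00", start)
    return raw[start:end if end >= 0 else len(raw)]

def diagnose(stored, query):
    """List byte-level reasons why query does not equal the stored key."""
    q = query.encode("utf-8")
    if q == stored:
        return ["exact match"]
    findings = []
    for name, data in (("stored", stored), ("query", q)):
        # Anything outside printable ASCII: tab, NUL, 0xc2 0xa0 (UTF-8 NBSP), ...
        odd = [f"0x{b:02x}" for b in data if b < 0x21 or b > 0x7e]
        if odd:
            findings.append(f"{name} key has non-ASCII/control bytes: {' '.join(odd)}")
    if q.lower() == stored.lower():
        findings.append("keys differ only in letter case")
    return findings or ["keys differ in content"]
```

Per postmap(1), lookup keys are folded to lower case when creating or querying a table unless `-f` is given, so a case-only finding is worth checking alongside stray bytes.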