Re: Email addresses with .'s in

Mon, 1 Feb 1999 14:45:20 -0500 

To keep our virtualdomains organized so that several admins can figure out
what is going on:

/var/qmail/control/virtualdomains:

mayod.nb.net:alias-virtuals/net/nb/mayod/q

This scheme works very well for me and the other admins can pick up what
is going on very quickly.

Tim Mayo

On Mon, 1 Feb 1999, Peter van Dijk wrote:

> On Mon, Feb 01, 1999 at 10:33:42AM +0100, Harald Hanche-Olsen wrote:
> > - Peter van Dijk <[EMAIL PROTECTED]>:
> > 
> > | On Sun, Jan 31, 1999 at 06:51:36PM -0000, Russell Nelson wrote:
> > | > 
> > | > It's a security measure, to keep people from sending mail to
> > | > user-../../etc/passwd (e.g.).  Qmail-local used to replace slashes
> > | > with colons, until it was seen that slashes were useful to allow
> > | > subdirectories, so now the dots are replaced with colons.
> > | 
> > | I understand the security part (feeling stupid today after
> > | reconfigging one win95 machine just over 15 times. I never knew that
> > | I could actually feel stress...).
> > | 
> > | But where would you use directories in that? Creating .qmail-bla/duh
> > | and mailing to peter-bla/duh doesn't really do the job.
> > 
> > No, but at the time Russell is talking about, dots were *not*
> > replaced.  There are only three reasonable ways to foil the /../
> > attack, and those are (1) replace slashes by something else, (2)
> > replace dots by something else, and (3) recognize the substring /../
> > and either replace it by something else or bounce the mail.
> > Personally, I think I would prefer (3) because it confuses users less,
> > but OTOH (1) and (2) are simpler to implement, whick makes it less
> > likely for a security bug to creep in.
> 
> All agreed, but I still don't understand Russell saying 'slashes were useful to allow
> subdirectories'.
> 
> > | Hmm.. too little caffeine here.
> > 
> > I hope you know the remedy for that.
> 
> Yep. 2, actually :)
> 
> Greetz, Peter.
> -- 
> .| Peter van Dijk
> .| [EMAIL PROTECTED]
> 

---------------------------------
Timothy L. Mayo                         mailto:[EMAIL PROTECTED]
Senior Systems Manager
localconnect(sm)
http://www.localconnect.net/

The National Business Network Inc.      http://www.nb.net/
One Monroeville Center, Suite 850
Monroeville, PA  15146
(412) 810-8888 Phone
(412) 810-8886 Fax

Reply via email to