On Fri, 07 Sep 2001, Dave Sill wrote:

> >Hu? No-one said QMQP would require RFC-compliant mail. qmail-remote is
> >the only place that mentions this. qmail-inject silently fixes missing
> >newlines. So what?
> 
> So it's a documentation bug, at worst.

No, Sir. Sorry. Qmail-send of 1.03 is unable to bounce any mail it has
received. It blindly trusts untrusted data (even an authenticated user
may send untrusted data) to contain a terminating LF and fails. It is
not correct because it fails on constructed input data. That's an
implementation bug. (I thought it was Dan's task to negate bugs, not
yours.)

It won't do evil things to anybody else, because it just eats the
"offender's" mail while loudly screaming at the logs; nonetheless, it's
a trust problem and a bug trivially fixed. I'm not claiming the 500
dollars yet, see?

-- 
Matthias Andree
Outlook (Express) users: press Ctrl+F3 for the full source code of this post.
begin  dont_click_this_virus.exe
end
