Jared Johnson wrote:
We recently noticed a message in our postfix queue that thought it was
addressed to " foo.com". After examining it, it turned out that Qpsmtpd
accepted a MAIL FROM command formatted like so:
MAIL FROM:<u...@d.com,foo.com>
When it passed it to postfix, it transmogrified it first into the
sender 'u...@domain.com, something.com' and then into the sender
'u...@domain.com' and the recipient ' something.com'. That's a bit
silly, but it seems that QP never should have accepted the message in
the first place. I tested using vanilla git Qpsmtpd::Address as follows:
perl -MQpsmtpd::Address -le \
"print Qpsmtpd::Address->new('<u...@d.com,foo.com>')"
<u...@d.com,foo.com>
Taking a look at Qpsmtpd::Address, I noticed some comments and code that
seemed to be looking for similar syntax:
line
# A-d-l = At-domain *( "," A-d-l )
# ; Note that this form, the so-called "source route",
# ; MUST BE accepted, SHOULD NOT be generated, and SHOULD be
# ; ignored.
...
# strip source route
$path =~ s/^...@$domain(?:,\...@$domain)*://;
It looks to me like it's trying to find syntax like:
MAIL FROM:<u...@d.com,@foo.com>
and make it equivalent to just MAIL FROM:<u...@d.com>
That doesn't seem to be what it actually does, though:
perl -MQpsmtpd::Address -le \
"print Qpsmtpd::Address->new('<u...@d.com,@foo.com>')"
<"u...@d.com\,"@foo.com>
Does anyone have a good enough grasp on rfc2821 and
Qpsmtpd::Address::canonify() to know just what canonify() is actually
supposed to be doing with "source routes" and why it's managing to allow
this obviously invalid syntax through instead?
That's not close to a valid source route. Source routes look like @a,@b:u...@c
Let's say you got an email that looks like this:
MAIL FROM: y...@z
RCPT TO: @a,@b:u...@c
You
1) transform the RCPT TO to @b:u...@c
2) transform the MAIL FROM to @a:y...@z
3) deliver to @a
Then @a does the same thing.
You just got a bogus mail from.
Here's a useful meta-reference:
http://www.rfc-ignorant.org/rfcs/rfc2821.php#page72 and search for
"source route".
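
An added example, not part of the thread and not Qpsmtpd's code: a stand-alone Perl check that strips a well-formed source route of the kind the reply describes (`@a,@b:user@c`) and rejects whatever is left if it is not a single mailbox, as with the comma form from the original report. The function name `strip_source_route`, the simplified grammar and the `.example` addresses are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Simplified grammar pieces (assumption: ASCII hostnames and dot-atom local
# parts only; no quoted strings, no address literals).
my $label  = qr/[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?/;
my $domain = qr/$label(?:\.$label)*/;
my $atom   = qr/[A-Za-z0-9!#\$%&'*+\/=?^_`{|}~-]+/;
my $local  = qr/$atom(?:\.$atom)*/;

# Hypothetical helper: returns the mailbox with any source route removed,
# or undef when the path is not "<" [ A-d-l ":" ] Mailbox ">" (or "<>").
sub strip_source_route {
    my ($path) = @_;
    return unless $path =~ /\A<(.*)>\z/s;
    my $inner = $1;
    return '' if $inner eq '';                  # null reverse-path
    # A-d-l = At-domain *( "," A-d-l ), terminated by ":"
    $inner =~ s/\A\@$domain(?:,\@$domain)*://;
    # What is left must be exactly one mailbox. A stray "," or a second
    # "@" means the path was malformed, so reject rather than repair it.
    return unless $inner =~ /\A$local\@$domain\z/;
    return $inner;
}

# Constructed sample paths (not taken from the thread).
my @samples = (
    '<user@d.example>',
    '<@a.example,@b.example:user@c.example>',
    '<user@d.example,foo.example>',
    '<user@d.example,@foo.example>',
    '<>',
);
for my $p (@samples) {
    my $r = strip_source_route($p);
    printf "%-42s %s\n", $p, defined $r ? "accept as <$r>" : "reject";
}
```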