Bug#908865: exim4: Default CHECK_RCPT_REMOTE_LOCALPARTS blocks legal email addresses (in particular the % character)

2018-09-17 Thread Marc Haber
tags #908865 upstream
thanks

On Mon, Sep 17, 2018 at 10:04:34PM +0200, Rainer Dorsch wrote:
> In particular, I do not understand the spam risk you mention and also
> Google did not help me :-/ ... Could you give me a pointer to more
> details? In particular, do I carry a SPAM risk if I do the local
> modification to accept the % sign?

As far as I remember, exim itself is not vulnerable, but might be part
of a relay chain relaying such a message to a relay that _is_ vulnerable
to the issue.

I have looked again and found that this is indeed a configuration that
is part of upstream's default configuration (see src/configure.default
in the upstream code - the only thing we add is the macro that makes it
easier to change the setting). This means that Debian is unlikely to
change this as we try sticking to upstream's configuration as close
as sanely possible.

You might want to discuss this on the upstream mailing list
exim-u...@exim.org and get a better explanation (or even a change)
there.

Greetings
Marc

-- 
-
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany|  lose things."Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421



Bug#908865: exim4: Default CHECK_RCPT_REMOTE_LOCALPARTS blocks legal email addresses (in particular the % character)

2018-09-17 Thread Rainer Dorsch
Hi Marc,

thanks for your quick reply.

Am Montag, 17. September 2018, 13:01:11 CEST schrieb Marc Haber:
> Hi,
> 
> please feel free to do a local override of the macro. How to do this is
> explained in the package docs. 

That is exactly what I attempted by adding

# accept % in email addresses (local part, i.e. not domain) 
/etc/exim4/conf.d/main/00_localconfig

I hope that is the way it is intended by the exim4 Debian developers.

> Andreas might revise the default in the
> package, if it were my decision, I wouldn't change this, even if in
> these days where explicit SMTP routing is not even used any more by
> spammers.

Here I probably have not enough knowledge...

From what I understand from RFC2822, the % is a character like any other
character in the alphabet for the local-part

https://tools.ietf.org/html/rfc2822#section-3.4.1

https://tools.ietf.org/html/rfc2822#section-3.2.4

Why is there any disadvantage to allow it?

In particular, I do not understand the spam risk you mention and also Google did
not help me :-/ ... Could you give me a pointer to more details? In particular, do I
carry a SPAM risk if I do the local modification to accept the % sign?

> 
> Please also note that it is clearly documented that this rule blocks
> addresses that are RFC-valid.

There are people who advise the opposite

https://archive.fosdem.org/2018/schedule/event/email_address_quiz/

but this is beyond my expertise to judge what the implications are there

Thanks again for your quick response
Rainer

-- 
Rainer Dorsch
http://bokomoko.de/


Bug#908865: exim4: Default CHECK_RCPT_REMOTE_LOCALPARTS blocks legal email addresses (in particular the % character)

2018-09-17 Thread Marc Haber
Hi,

please feel free to do a local override of the macro. How to do this is
explained in the package docs. Andreas might revise the default in the
package, if it were my decision, I wouldn't change this, even if in
these days where explicit SMTP routing is not even used any more by
spammers.

Please also note that it is clearly documented that this rule blocks
addresses that are RFC-valid.

Greetings
Marc
-- 
-
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany|  lose things."Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421



Bug#908865: exim4: Default CHECK_RCPT_REMOTE_LOCALPARTS blocks legal email addresses (in particular the % character)

2018-09-15 Thread Rainer Dorsch
Package: exim4
Version: 4.84.2-2+deb8u5
Severity: important
Tags: patch

Dear Maintainer,

I just realized that the default configuration of exim4 in Debian blocks
email addresses with legal syntax.

E.g. list%u...@gmx.de is rejected and generates a 

restricted characters in address

entry in the rejectlog.

These email addresses are used by the most popular German email provider for 
distribution lists

https://hilfe.gmx.net/email/einstellungen/verteiler-anlegen.html

(I apologize for the German page, but I did not find an English version).


I changed CHECK_RCPT_REMOTE_LOCALPARTS by adding

# accept % in email addresses (local part, i.e. not domain)
# This PCRE specifies regular expressions which, when matched, exim4 will reject the message
# The : seems to be a logical or
# Default
# CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@!`#&?] : ^.*/\\.\\./

to /etc/exim4/conf.d/main/00_localconfig

I suggest applying this change to the default of
CHECK_RCPT_REMOTE_LOCALPARTS if there is no strong reason not to do that.

Certainly any other way to validate these legal (and probably reasonably common
in Germany) email addresses is equally welcome.

Thanks
Rainer

PS: Although I would expect that this issue affects quite a few people in 
Germany, I did not find another matching bug report. If I missed it, please 
make this a duplicate.


-- Package-specific info:
Exim version 4.84_2 #1 built 10-Feb-2018 14:37:56
Copyright (c) University of Cambridge, 1995 - 2014
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2014
Berkeley DB: Berkeley DB 5.3.28: (September  9, 2013)
Support for: crypteq iconv() IPv6 PAM Perl Expand_dlfunc GnuTLS 
move_frozen_messages Content_Scanning DKIM Old_Demime PRDR OCSP
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz 
dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql sqlite
Authenticators: cram_md5 cyrus_sasl dovecot plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated
# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to generate
# exim configuration macros for the configuration file.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file

dc_eximconfig_configtype='internet'
dc_other_hostnames='bokomoko.de;fdor.de'
dc_local_interfaces=''
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='true'
dc_hide_mailname=''
dc_mailname_in_oh='true'
dc_localdelivery='maildir_home'
mailname:bokomoko.de

-- System Information:
Debian Release: 8.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-0.bpo.8-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages exim4 depends on:
ii  debconf [debconf-2.0]  1.5.56+deb8u1
ii  exim4-base 4.84.2-2+deb8u5
ii  exim4-daemon-heavy 4.84.2-2+deb8u5

exim4 recommends no packages.

exim4 suggests no packages.

-- debconf information:
* exim4/drec:
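The following is an added worked example, not code from the bug report, from Debian or from exim itself. It evaluates the two CHECK_RCPT_REMOTE_LOCALPARTS values quoted in the report (the default and the reporter's override without `%`) against sample local parts the way exim's `local_parts` condition does with `^`-prefixed regex items, and it models the relay-chain concern raised in the thread: a downstream relay that still honours the historical "percent hack" turns `user%victim.example@relay.example` into a delivery to `user@victim.example`. The list-splitting rules and the backslash handling are assumptions stated in the comments; the sample addresses are constructed.

```python
"""Added example: exim-style local_parts regex list vs. the percent hack.

Not part of exim, the Debian package or the bug report. Assumptions:
  * each list item starts with '^' (exim's marker for a regex item) and the
    items are separated by ':' as in exim lists;
  * the doubled backslash written in the macro reaches the ACL as a single
    backslash after exim's string expansion, so '\\\\.' is the regex '\\.';
  * the percent-hack model converts the rightmost '%' to '@', as the classic
    source-routing relays did.
"""
import re

# The two macro values quoted in the bug report: Debian/upstream default and
# the reporter's local override that drops '%' from the character class.
DEFAULT_LIST = r"^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./"
RELAXED_LIST = r"^[./|] : ^.*[@!`#&?] : ^.*/\\.\\./"


def parse_regex_list(value):
    """Split an exim colon-separated list into compiled regexes (assumption:
    every item is a '^' regex item, which is true for both values above)."""
    patterns = []
    for item in value.split(":"):
        item = item.strip()
        if not item.startswith("^"):
            raise ValueError("non-regex list item: %r" % item)
        # '\\\\' in the macro becomes a single backslash after expansion.
        patterns.append(re.compile(item.replace("\\\\", "\\")))
    return patterns


def rejected_by(local_part, patterns):
    """Return the pattern text that causes the 'restricted characters in
    address' rejection, or None when the local part is accepted."""
    for pat in patterns:
        if pat.search(local_part):
            return pat.pattern
    return None


def percent_hack_target(local_part, domain):
    """Model a relay that still implements the percent hack: for
    'user%victim.example' delivered to relay.example it returns
    ('user', 'victim.example'), i.e. the relay forwards to a third domain.
    Returns None when no rewriting would occur (no '%' present)."""
    if "%" not in local_part:
        return None
    new_local, new_domain = local_part.rsplit("%", 1)
    return new_local, new_domain


def classify(address, list_value):
    """Summarise how a recipient fares under a given list value and what a
    percent-hack relay downstream would do with it. Constructed helper."""
    local_part, domain = address.rsplit("@", 1)
    patterns = parse_regex_list(list_value)
    return {
        "rejected_by": rejected_by(local_part, patterns),
        "percent_hack_target": percent_hack_target(local_part, domain),
    }


if __name__ == "__main__":
    # Constructed sample recipients: a GMX-style distribution list address,
    # a source-routed address, and two path-like local parts.
    samples = [
        "list%user@example.org",
        "user%victim.example@relay.example",
        "../etc@example.org",
        "foo/../bar@example.org",
        "plain.user@example.org",
    ]
    for name, value in (("default", DEFAULT_LIST), ("relaxed", RELAXED_LIST)):
        print("== %s ==" % name)
        for addr in samples:
            print("%-40s %s" % (addr, classify(addr, value)))
```

Running it shows what the thread argues about: under the default list every `%` local part is rejected, so the source-routed form never reaches a downstream relay; under the relaxed list the GMX-style address is accepted, but so is `user%victim.example`, and `percent_hack_target` shows where a relay that still honours the hack would send it. The path-style patterns (`^[./|]`, `/../`) keep working under both lists, so the override only widens the `%` case.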