Bug#366491: exim4-config: CHECK_RCPT_LOCAL_LOCALPARTS denies valid email addresses

Klaus Muth muth at hagos.de
Tue May 9 05:06:45 UTC 2006


Package: exim4-config
Version: 4.50-8
Severity: important



-- Package-specific info:
Exim version 4.50 #1 built 27-May-2005 08:10:05
Copyright (c) University of Cambridge 2004
Berkeley DB: Sleepycat Software: Berkeley DB 4.2.52: (December  3, 2003)
Support for: iconv() IPv6 PAM Perl GnuTLS Content_Scanning Old_Demime
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb dsearch ldap ldapdn ldapm mysql nis nis0 passwd pgsql
Authenticators: cram_md5 cyrus_sasl plaintext spa
Routers: accept dnslookup ipliteral iplookup manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore/mbx autoreply lmtp pipe smtp
Fixed never_users: 0
Configuration file is /var/lib/exim4/config.autogenerated
# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to replace
# the DEBCONFsomethingDEBCONF strings in the configuration template files.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file

dc_eximconfig_configtype='internet'
dc_other_hostnames='hagos.de:mail.hagos.de:www.hagos.de:tatooine.hagos.de:hagos.eu:hatego.de:haprof.de:ogo.hagos.de:hagos.eu'
dc_local_interfaces=''
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets='192.168.0.0/16'
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='true'
dc_hide_mailname=''
dc_mailname_in_oh='true'
dc_localdelivery=cyrdeliver
mailname:tatooine.hagos.de

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-386
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages exim4-config depends on:
ii  adduser                 3.63             Add and remove users and groups
ii  debconf [debconf-2.0]   1.4.30.13        Debian configuration management sy
ii  passwd                  1:4.0.3-31sarge5 change and administer password and

-- debconf information:
  exim4/dc_noalias_regenerate: false
  exim4/dc_smarthost:
* exim4/dc_relay_domains:
* exim4/dc_relay_nets: 192.168.0.0/16
* exim4/mailname: tatooine.hagos.de
* exim4/dc_local_interfaces:
  exim4/dc_minimaldns: false
  exim4/exim3_upgrade: true
* exim4/dc_other_hostnames: hagos.de:mail.hagos.de:www.hagos.de
* exim4/dc_eximconfig_configtype: internet site; mail is sent and received directly using SMTP
  exim4/no_config: true
  exim4/hide_mailname:
* exim4/dc_postmaster: ed
  exim4/dc_readhost:
* exim4/use_split_config: true
  exim4/internal/exim4-config.reconfigure: false
  exim4/exim4-config-title:


exim4 does not send mail to e.g. the address ex&ample at tiscalinet.de,
which is a valid email address (and tiscalinet.de allows such an
address!) according to RFC 2822:
In 3.4.1:
addr-spec       =       local-part "@" domain
local-part      =       dot-atom / quoted-string / obs-local-part 

and in 3.2.4:
atext           =       ALPHA / DIGIT / ; Any character except controls,
                        "!" / "#" /     ;  SP, and specials.
                        "$" / "%" /     ;  Used for atoms
                        "&" / "'" /
                        "*" / "+" /
                        "-" / "/" /
                        "=" / "?" /
                        "^" / "_" /
                        "`" / "{" /
                        "|" / "}" /
                        "~"
 
atom            =       [CFWS] 1*atext [CFWS] 
dot-atom        =       [CFWS] dot-atom-text [CFWS]

In other words: & is a valid character for a localpart! So exim4 denies
mail from local to remote with "restricted characters in address" when
it contains "strange" but valid characters. While forbidding those
characters in local addresses is ok, it is just a bug to forbid them in
remote mail addresses.

The problem is in /etc/exim4/conf.d/main/01_exim4-config_listmacrosdefs: 
[...]
# This macro is used to check local parts of recipients in non-local
# domains. It thus allows your own users to send outgoing messages to
# sites that use slashes and vertical bars in their local parts. It
# blocks local parts that begin with a dot, slash, or vertical bar, but
# allows these characters within the local part. However, the sequence
# /../ is barred. The use of some other non-alphanumeric characters is
# blocked. The motivation here is to prevent your users (or your users'
# viruses) from mounting certain kinds of attack on remote sites.
.ifndef CHECK_RCPT_REMOTE_LOCALPARTS 
CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!''`#&?] : ^.*/\.\./ 
.endif

Solution is setting CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*/\.\./
which can be done locally in a new file /etc/exim4/conf.d/main/00_local
but should be done in the standard config.
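
Added example (not part of the original report, and not Exim or Debian code): a Python approximation of how the two pattern lists quoted in the report treat remote local parts, listing which RFC 2822 atext characters each list rejects. It assumes Python's `re` behaves like Exim's PCRE for these patterns and splits the list on `:` without handling `::` escapes; the sample local parts are constructed.

```python
import re
import string

# Both lists are copied from the report. Exim treats each colon-separated
# item that starts with ^ as a regular expression matched against the
# recipient's local part; a match makes the deny statement fire.
STOCK = r"^[./|] : ^.*[@%!''`#&?] : ^.*/\.\./"
PROPOSED = r"^[./|] : ^.*/\.\./"

# atext from RFC 2822 section 3.2.4, as quoted in the report.
ATEXT = set(string.ascii_letters + string.digits + "!#$%&'*+-/=?^_`{|}~")


def compile_list(macro):
    """Split a colon-separated list into compiled regexes (assumption: no '::')."""
    return [re.compile(item.strip()) for item in macro.split(":")]


def denied(local_part, macro):
    """True if any pattern in the list matches the local part."""
    return any(rx.search(local_part) for rx in compile_list(macro))


def blocked_atext(macro):
    """atext characters that trigger a denial when placed inside a local part."""
    return sorted(c for c in ATEXT if denied("ex" + c + "ample", macro))


if __name__ == "__main__":
    print("stock list rejects atext:   ", "".join(blocked_atext(STOCK)))
    print("proposed list rejects atext:", "".join(blocked_atext(PROPOSED)))
    # Constructed sample local parts, not taken from real traffic.
    for lp in ["ex&ample", "o'brien", "user+tag", ".hidden", "a/../b", "user%host"]:
        print(f"{lp!r:12} stock={denied(lp, STOCK)} proposed={denied(lp, PROPOSED)}")
```

With the middle pattern removed, `@`, `%` and `!` are no longer rejected in remote local parts either; only the leading `.`, `/`, `|` check and the `/../` check remain.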
