Re: broken "^From " header
On Tue, Jun 15, 2004 at 01:18:12PM -0600, Charles Cazabon wrote:
> Mark E. Mallett <mem@xxxxxxxxx> wrote:
> > Or are you using qmail by any chance? qmail doesn't do much validation
> > of various inputs, including the email addresses in the MAIL FROM or
> > RCPT TO. Some months back I noticed that we were getting mail from
> > broken spam engines that were putting newlines smack dab in the middle
> > of the address in the MAIL FROM, and one side-effect was broken "From "
> > lines exactly like the original poster described. I made a quick hack
> > to qmail to make it reject those addresses-- but IMHO qmail could stand
> > to have a lot more checking added.
>
> Those address forms (while rare) can be valid in quoted strings in SMTP.
> qmail is correct in allowing them.
Thank you for the correction. But one has to look at obsolete syntax to find
where that is allowed. Modern syntax disallows it. I note that even though
one is apparently mandated to accept that obsolete syntax, there are warnings
that generating it will cause operability problems. I also note that other
popular MTAs do not accept this syntax in the SMTP dialog: I've tried it on
postfix and sendmail servers, and they reject it at the MAIL FROM stage. I
wonder what others do?
Even if postfix and sendmail are wrong and qmail is right in accepting it,
there are other things to be said about best current practice, as noted in the
behaviour of these other well-deployed modern MTAs. (This is a little like
the "you can't discard mail without a DSN" debate.) My original question
still stands, I suppose: was the problem observed in a qmail environment?
> qmail handles these cases when doing mbox deliveries; see this part of
> mbox(5):
>
> HOW A MESSAGE IS DELIVERED
>
> It first creates a From_ line given the message's envelope sender and the
> current date. If the envelope sender is empty (i.e., if this is a
> bounce message), the program uses MAILER-DAEMON instead. If the envelope
> sender con tains spaces, tabs, or newlines, the program replaces them
> with hyphens.
That's from the qmail mbox(5) man page, no? So it's a little self-referential
in substantiating the behaviour of qmail :-)
> So it must have been a dumber MDA that stuck those broken From_ lines into
> that mbox file.
I would say that a local delivery agent should probably guard against
bad addresses, yes. In my case, indeed I hacked both of them to put
the check into both places.
mm