[Raw Msg Headers][Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: problem with relaying
On Wed, Jan 17, 2001 at 09:33:28PM +0100, Slawek Zak wrote:
> On Wed, 17 Jan 2001, Matti Aarnio stated:
> >> Zmailer ver. 2.99.54, did pass all but the test number thirteen. In
> >
> > It can be rejected syncronously *IF* you run router synchronously.
>
> And risk compromising the security of the whole system...
While the reasons up front are given as "don't do this or your system
security _may_ get compromized", the thing isn't quite that bad.
The script-language in the router is very much SH like, thus
varname=$expression
is not same as:
varname="$expression"
The second one guarantes that the expression result is single string,
even when it contains various shell metachars.
Hmm.. I wonder if there really are situations where the classical SH
style expansions makes sense -- IFS splitting of unquoted string expands
to tokens, and then analysing for SH metachars.
Changeing the script interpret is one of the most difficult things
in ZMailer, and this evaluator detail doubly so... I recall having
tried and failed. Small tweaking there isn't simple, a thorough
underlying script-language replacement might be easier, but which ?
PERL ? Python ? TCL ? Scheme ?
Actually I can - propably - do the change. $STRVAR will evaluate
with and without quotes as with quotes, $LISTVAR will evaluate
without quotes. I must ponder this.
However in general the spawning of router for interactive routing of
each arriving source and recipient address without using that data for
anything except telling that "no such user" is -- most wastefull.
Furthermore, doing routing script evaluations in the smtp-server will
make the SMTP reception extremely heavy, while it is now quite
lightweight...
> /S
--
/Matti Aarnio <mea@nic.funet.fi>