
Re: problem with relaying



On Wed, Jan 17, 2001 at 09:33:28PM +0100, Slawek Zak wrote:
> On Wed, 17 Jan 2001, Matti Aarnio stated:
> >> Zmailer ver. 2.99.54, did pass all but the test number thirteen. In
> > 
> >     It can be rejected synchronously *IF* you run router synchronously.
> 
> And risk compromising the security of the whole system...

   While the reasons up front are given as "don't do this or your system
   security _may_ get compromised", the thing isn't quite that bad.
   The script-language in the router is very much SH like, thus
	varname=$expression
   is not the same as:
	varname="$expression"
   The second one guarantees that the expression result is a single string,
   even when it contains various shell metachars.

   Hmm..  I wonder if there really are situations where the classical SH
   style expansions make sense -- IFS splitting of unquoted string expands
   to tokens, and then analysing for SH metachars.

   Changing the script interpreter is one of the most difficult things
   in ZMailer, and this evaluator detail doubly so...  I recall having
   tried and failed.  Small tweaking there isn't simple, a thorough
   underlying script-language replacement might be easier, but which ?
   PERL ?  Python ?  TCL ?  Scheme ?

   Actually I can - probably - do the change.  $STRVAR will evaluate
   with and without quotes as with quotes,  $LISTVAR  will evaluate
   without quotes.   I must ponder this.


   However in general the spawning of router for interactive routing of
   each arriving source and recipient address without using that data for
   anything except telling that "no such user" is -- most wasteful.

   Furthermore, doing routing script evaluations in the smtp-server will
   make the SMTP reception extremely heavy, while it is now quite
   lightweight...

> /S

-- 
/Matti Aarnio	<mea@nic.funet.fi>
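
The quoting difference discussed in the message above, shown as an added example in plain POSIX sh (not ZMailer router code and not from the original message). In POSIX sh the split appears when the variable is used as a command argument rather than in the assignment itself; the function names and the sample address are constructed for illustration.

```shell
#!/bin/sh
# Added illustration in POSIX sh. ZMailer's router language is only "SH like",
# so its exact evaluation rules may differ. The sample value is constructed.

# Report how many separate arguments the caller ended up passing.
count_args() { echo "$#"; }

# Unquoted expansion: the value is split on IFS into several tokens.
# set -f disables filename globbing so the count depends only on IFS splitting.
tokens_unquoted() {
    set -f
    count_args $1
    set +f
}

# Quoted expansion: always exactly one argument, metacharacters included.
tokens_quoted() { count_args "$1"; }

# Unquoted expansion with a caller-chosen IFS, showing that the split
# points are whatever IFS currently contains.
tokens_unquoted_ifs() {
    old_ifs=$IFS
    IFS=$2
    set -f
    count_args $1
    set +f
    IFS=$old_ifs
}

# Constructed recipient string containing whitespace and shell metacharacters.
addr='user name;* @example.invalid'

echo "unquoted:        $(tokens_unquoted "$addr") args"
echo "quoted:          $(tokens_quoted "$addr") args"
echo "unquoted, IFS=@: $(tokens_unquoted_ifs "$addr" @) args"
```

Without the `set -f`, the `*` in the unquoted token would additionally be matched against file names in the current directory, so the argument count would depend on where the script runs.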