Malformed rcpaddr breaks mail queue - MSMilter fix proposal #690

Closed
alexskynet opened this issue Oct 2, 2024 · 2 comments · Fixed by #691
@alexskynet

Describe the bug
A message with a malformed recipient address breaks the postfix queue.

This is an example of the relevant row of a milterout queue file:

O<<200b>[email protected]>

As you can see, the code <200b> is in front of the real address, so the address breaks the queue and never leaves the milterout folder.

To Reproduce
Craft some sort of control code or char inside the recipient address.

Expected behavior
Offending char should be stripped off before sending to MTA

Server (please complete the following information):

  • OS: Rocky 9
  • MailScanner Version: 5.5.2.1

Additional context
For now I've fixed this behaviour adding a cleanup at line 250 of /usr/sbin/MSMilter as follows

250 $args[0] =~ /<(<.*>)?(.*)>$/;
251 # my $rcptto = $args[0];
252 my $rcptto = "<$2>";

This just fixes code in the beginning of the address, but likely a smarter solution may be to only allow a specific set of chars inside the address.

alexskynet commented Oct 2, 2024

I came up with a better solution that removes dirty code wherever it may be in the address.

This is the fix:

file: /usr/sbin/MSMilter

251 #   my $rcptto = $args[0];
252     ##### ALEX ###
253     my $rcptto = substr $args[0] , 1, -1;
254     $rcptto =~ s/<.*?>//g;
255     $rcptto = "<$rcptto>";
256     ### END ALEX ###

Basically
253 I remove the head and trailing markers, < >
254 then I remove anything inside the address that may be inside additional < >
255 then add the head/trailing markers again and go on with standard MS code

This should fix the vulnerability in a definitive way

EDIT: added g switch to line 254

@shawniverson
Member

I made a small revision so that we don't assume the first and last chars are always < and >, respectively. They should be, but postfix does allow you to pass in an address without them.
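
The cleanup discussed in this thread, combined with the allowlist idea from the original report, as an added example (not code from the issue, from #691 or from MailScanner). `sanitize_rcpt` is a hypothetical helper, the allowlist is a deliberately conservative assumption, and the sample addresses are constructed; it goes beyond the thread by also dropping raw control and format characters.

```perl
#!/usr/bin/perl
# Added example, not MSMilter code: normalise an envelope recipient before
# it is handed on to the MTA. sanitize_rcpt() is a hypothetical helper.
use strict;
use warnings;

# Allowlist for the bare address (assumption: a conservative ASCII subset;
# quoted local parts and internationalised addresses are refused).
my $ALLOWED = qr/\A[A-Za-z0-9._+=-]+\@[A-Za-z0-9.-]+\z/;

sub sanitize_rcpt {
    my ($raw) = @_;
    return unless defined $raw;
    my $addr = $raw;

    # Outer angle brackets are optional: strip one pair only if both exist.
    $addr =~ s/\A<(.*)>\z/$1/s;

    # Drop embedded "<...>" markers such as the "<200b>" shown in the report,
    # wherever they sit in the address.
    $addr =~ s/<[^<>]*>//g;

    # Drop raw control and format characters (this covers a real U+200B
    # when the input holds decoded characters rather than marker text).
    $addr =~ s/[\p{Cc}\p{Cf}]//g;

    # Anything still outside the allowlist is refused rather than repaired.
    return unless $addr =~ $ALLOWED;
    return "<$addr>";
}

# Constructed sample inputs (example.org is a placeholder domain).
my @samples = (
    '<<200b>user@example.org>',       # marker in front of the address
    '<us<200b>er@example.org>',       # marker inside the local part
    'user@example.org',               # no angle brackets at all
    "<\x{200b}user\@example.org>",    # literal zero-width space character
    '<user name@example.org>',        # embedded space
);

for my $s (@samples) {
    my $out = sanitize_rcpt($s);
    # Escape non-printable characters so the input can be displayed safely.
    (my $shown = $s) =~ s/([^\x20-\x7e])/sprintf('\\x{%04x}', ord $1)/ge;
    printf "%-30s -> %s\n", $shown, defined $out ? $out : 'REJECTED';
}
```

Refusing what the allowlist does not accept, instead of stripping further, keeps the cleanup from silently rewriting a recipient into a different mailbox.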
