Bugtraq mailing list archives
Re: Nasty hole in postifx/procmail/cyrus
From: Dylan_G () BIGFOOT COM (Dylan Griffiths)
Date: Fri, 14 Jul 2000 09:41:42 -0600
Philip Guenther and I discussed the procmail script's sanity checking. The result is this procmailrc. You'll probably also want to review ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html which discusses rule sets which can sanitize mail for clients which use Windows.

-=-
#################################################
# Postfix + Procmail + Cyrus procmailrc with sanity checking.
#
# you must explicitly set a path if you're going to be spawning programs
PATH=/usr/cyrus/bin:$PATH
SHELL=/bin/bash
DELIVERMAIL=/usr/cyrus/bin/deliver
#VERBOSE=yes

# This will negate if non-alphanumeric characters are found.
# the special characters '.' '=' '_' '+' '-' are allowed.
# Anything else causes a bounce of "NOUSER"
:0
* ! USER ?? [^-a-z0-9_+=.]
* ! EXTENSION ?? [^-a-z0-9_+=.]
{ } # They're both fine.. nop and go to deliver rule.

:0 E
{
        # one or both contained an invalid character
        EXITCODE = 67   # EX_NOUSER
        HOST
}

# Now that the variables have been sanity checked, we are free to use them
# in file names, etc.
LOGFILE=/home/cyrus/$USER.log

###############################
# procmail.username -- for example, procmail.Joe
# It is assumed these files are generated in some controlled way.
INCLUDERC=/home/cyrus/procmail.$USER

#
:0 w
* EXTENSION ?? .
| $DELIVERMAIL -a "$USER" -e -m "$EXTENSION" -- "$USER"

# Only if there was no extension do we try this
:0 wE
| $DELIVERMAIL -a "$USER" -e -- "$USER"

:0 e
{
        EXITCODE = $?   # Whichever one we tried, failed
        HOST
}
-=-

Example user filters. This is a section from mine which tosses Bugtraq related mailings into the INBOX.bugtraq IMAP folder:

-=-
:0
* ^TOBUGTRAQ@SECURITYFOCUS.COM
{
        EXTENSION="bugtraq"
}
-=-

--
www.kuro5hin.org -- technology and culture, from the trenches.
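
The character allowlist from the procmailrc above, mirrored as a stand-alone shell check so candidate USER/EXTENSION values can be tested outside procmail. This is an added example, not part of the original post; the function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added illustration: mirrors the allowlist [^-a-z0-9_+=.] used by the recipe.
LC_ALL=C; export LC_ALL   # make the a-z / A-Z ranges byte-based

EX_NOUSER=67   # same value the recipe assigns to EXITCODE

# is_safe_token VALUE
# Returns 0 when VALUE holds only letters, digits and the characters - _ + = .
# Upper case is accepted because procmail conditions are case-insensitive
# unless the D flag is given. An empty VALUE passes, as it does in the recipe.
is_safe_token() {
    case $1 in
        *[!a-zA-Z0-9_+=.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# check_recipient USER EXTENSION
# Returns 0 if both values pass, EX_NOUSER (67) if either one fails.
check_recipient() {
    is_safe_token "$1" || return "$EX_NOUSER"
    is_safe_token "$2" || return "$EX_NOUSER"
    return 0
}

# Runs constructed "user|extension" pairs through the check and records
# the number of rejected pairs in REJECTED.
run_samples() {
    REJECTED=0
    while IFS='|' read -r u e; do
        if check_recipient "$u" "$e"; then
            printf 'deliver   user=[%s] ext=[%s]\n' "$u" "$e"
        else
            printf 'bounce 67 user=[%s] ext=[%s]\n' "$u" "$e"
            REJECTED=$((REJECTED + 1))
        fi
    done <<'EOF'
joe|
joe|bugtraq
Joe.Smith|list-2000
joe|../other
joe smith|
joe|a;b
joe|$(x)
EOF
    return 0
}

run_samples
```

The class allows '.', so a value made only of dots passes; what keeps the later LOGFILE and INCLUDERC paths inside /home/cyrus is the rejection of '/'.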