Debian Bug report logs - #409350
greylistd: exim4 config acl error (senders = : means <> bounce list excluded!)

Package: greylistd; Maintainer for greylistd is Thorsten Alteholz <[email protected]>; Source for greylistd is src:greylistd.

Reported by: Luke Kenneth Casson Leighton <[email protected]>

Date: Fri, 2 Feb 2007 09:33:02 UTC

Severity: normal



Report forwarded to [email protected], Tor Slettnes <[email protected]>:
Bug#409350; Package greylistd.


Acknowledgement sent to Luke Kenneth Casson Leighton <[email protected]>:
New Bug report received and forwarded. Copy sent to Tor Slettnes <[email protected]>.


Message #5 received at [email protected]:

From: Luke Kenneth Casson Leighton <[email protected]>
To: Debian Bug Tracking System <[email protected]>
Subject: greylistd: exim4 config acl error (senders = : means <> bounce list excluded!)
Date: Fri, 02 Feb 2007 09:19:47 +0000
Package: greylistd
Severity: normal


excluding "<>" bounce senders from acl_check_rcpt is a really bad idea.

the reason is because then it allows attackers to constantly try
different usernames at the target.

in the instance where this is combined with an LMTP delivery (which is
presently broken on exim4 as the transport always says 'YEP!  go _right_
on through!') then every single message that is listed as coming from <>
(bounce) will end up in the queue, even though there is no mailbox for
it.

and _that_ results in dozens of frozen messages in the queue, per day.

the comments are nice - but it assumes that _local_ callback attempts
to LMTP actually work and that _local_ delivery actually works.

so, perhaps the problem isn't "!senders = :" but more that the
greylisting acl is oversimplistic, and doesn't distinguish between
recipient callbacks that go to local, and recipient callbacks that go to
remote.

... is this worth investigating?



-- System Information:
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux highfield 2.6.16-1-686 #2 Mon Apr 10 22:16:40 UTC 2006 i686
Locale: LANG=C, LC_CTYPE=C
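
A way to measure the symptom described in the report above (frozen queue entries whose envelope sender is <>), added here as an example and not part of the original report or of greylistd. It assumes the queue listing layout printed by `exim -bp`; the sample listing is constructed and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the layout printed by `exim -bp` (not from the bug report).
SAMPLE_QUEUE = """\
 3h  1.4K 1HCabc-0001aB-2x <> *** frozen ***
          nosuchuser@example.org

 2h  1.6K 1HCabd-0001aC-3y <> *** frozen ***
          nosuchuser@example.org
          another.guess@example.org

45m  2.0K 1HCabe-0001aD-4z <alice@example.net>
        D bob@example.org
          carol@example.org

10m   900 1HCabf-0001aE-5a <>
          postmaster@example.org
"""

# Header line: age, size, message id, <sender>, optional frozen marker.
HEADER = re.compile(r"^\s*\d+[mhd]\s+\S+\s+(?P<id>\S+)\s+<(?P<sender>[^>]*)>"
                    r"(?P<frozen>\s+\*\*\* frozen \*\*\*)?\s*$")

def parse_queue(text):
    """Return one dict per queued message with its undelivered recipients."""
    messages, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"id": m["id"], "sender": m["sender"],
                       "frozen": bool(m["frozen"]), "pending": []}
            messages.append(current)
        elif line.strip() and current is not None:
            fields = line.split()
            if fields[0] != "D":          # "D" marks an already delivered recipient
                current["pending"].append(fields[-1])
    return messages

def frozen_bounce_targets(text):
    """Count pending recipients of frozen messages whose envelope sender is <>."""
    counts = Counter()
    for msg in parse_queue(text):
        if msg["frozen"] and msg["sender"] == "":
            counts.update(msg["pending"])
    return counts

if __name__ == "__main__":
    print(frozen_bounce_targets(SAMPLE_QUEUE).most_common())
```

Recipients that recur across many frozen null-sender entries are the addresses for which no mailbox exists but mail was still accepted.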




Information forwarded to [email protected], Julien Danjou <[email protected]>:
Bug#409350; Package greylistd.


Acknowledgement sent to "David L. Anselmi" <[email protected]>:
Extra info received and forwarded to list. Copy sent to Julien Danjou <[email protected]>.


Message #10 received at [email protected]:

From: "David L. Anselmi" <[email protected]>
To: [email protected]
Subject: greylistd: exim4 config acl error (senders = : means <> bounce list excluded!)
Date: Sat, 26 Jan 2008 20:14:46 -0700

In version 0.8.6 besides the acl_check_rcpt there's acl_check_data,
which runs the greylist check at data time for <>.  So it seems that 
bounces will get checked, just at data time rather than rcpt time.

Does that solve the problem?

Dave






Debian bug tracking system administrator <[email protected]>. Last modified: Tue May 13 13:20:56 2025; Machine Name: bembo
