[15784] in bugtraq
Re: Nasty hole in postfix/procmail/cyrus
daemon@ATHENA.MIT.EDU (Dylan Griffiths)
Fri Jul 14 14:44:32 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <396F34B6.A32CBF58@bigfoot.com>
Date: Fri, 14 Jul 2000 09:41:42 -0600
Reply-To: Dylan Griffiths <Dylan_G@BIGFOOT.COM>
From: Dylan Griffiths <Dylan_G@BIGFOOT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Philip Guenther and I discussed the procmail script's sanity checking. The
result is this procmailrc.
You'll probably also want to review
ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html
which discusses rule sets which can sanitize mail for clients which use Windows.
-=-
#################################################
# Postfix + Procmail + Cyrus procmailrc with sanity checking.
#
# You must explicitly set a PATH if you're going to be spawning programs.
PATH=/usr/cyrus/bin:$PATH
SHELL=/bin/bash
DELIVERMAIL=/usr/cyrus/bin/deliver
#VERBOSE=yes
# Both conditions are negated: the recipe matches only if neither USER nor
# EXTENSION contains a character outside the allowed set. Besides letters and
# digits, only the special characters '.' '=' '_' '+' '-' are allowed.
# Anything else causes a bounce of "NOUSER" (EX_NOUSER, exit code 67).
:0
* ! USER ?? [^-a-z0-9_+=.]
* ! EXTENSION ?? [^-a-z0-9_+=.]
{ } # They're both fine.. nop and go to deliver rule.
:0 E
{ # one or both contained an invalid character
EXITCODE = 67 # EX_NOUSER
HOST
}
# Now that the variables have been sanity checked, we are free to use them
# in file names, etc.
LOGFILE=/home/cyrus/$USER.log
###############################
# procmail.username -- for example, procmail.Joe
# It is assumed these files are generated in some controlled way.
INCLUDERC=/home/cyrus/procmail.$USER
#
:0 w
* EXTENSION ?? .
| $DELIVERMAIL -a "$USER" -e -m "$EXTENSION" -- "$USER"
# Only if there was no extension do we try this
:0 wE
| $DELIVERMAIL -a "$USER" -e -- "$USER"
:0 e
{
EXITCODE = $? # Whichever one we tried, failed
HOST
}
-=-
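To make the effect of the sanity block concrete, here is an added Python model of the checks above; it is not part of the original post or of procmail. It applies the same character class the two `??` conditions use (case-insensitively, as procmail does by default), refuses with the recipe's EXITCODE 67 on any other character, and only then derives LOGFILE, INCLUDERC and the argv handed to Cyrus `deliver`. The paths and the `deliver` flags are taken from the recipe; the function names and the sample inputs are constructed for this example.

```python
import re

# Constructed model of the procmailrc sanity checks (not the original code).

# Same character class as "[^-a-z0-9_+=.]" in the recipe. procmail regexes
# are case-insensitive unless the D flag is given, so upper case is accepted
# here too. Note the set contains neither '/' nor any shell metacharacter.
SAFE_LOCAL_PART = re.compile(r'[-a-zA-Z0-9_+=.]*')

EX_NOUSER = 67                            # EXITCODE set by the recipe
CYRUS_HOME = "/home/cyrus"                # prefix used for LOGFILE/INCLUDERC
DELIVERMAIL = "/usr/cyrus/bin/deliver"    # from the recipe


def is_safe(value: str) -> bool:
    """True if every character of value is in the recipe's allowed set."""
    return SAFE_LOCAL_PART.fullmatch(value) is not None


def plan_delivery(user: str, extension: str = "") -> dict:
    """Mirror the recipe's control flow for one message.

    Returns the EXITCODE and, when both variables pass the check, the file
    names the recipe would build and the argv it would pipe to deliver.
    The names are built only after the check, just as the recipe defers
    LOGFILE and INCLUDERC until after the sanity block.
    """
    if not (is_safe(user) and is_safe(extension)):
        # One or both contained an invalid character: bounce as NOUSER.
        return {"exitcode": EX_NOUSER, "delivered": False}

    logfile = f"{CYRUS_HOME}/{user}.log"           # LOGFILE=/home/cyrus/$USER.log
    includerc = f"{CYRUS_HOME}/procmail.{user}"    # INCLUDERC=/home/cyrus/procmail.$USER

    argv = [DELIVERMAIL, "-a", user, "-e"]
    if extension:                                   # "* EXTENSION ?? ."
        argv += ["-m", extension]
    # '--' ends option parsing: '-' is an allowed character, so a USER that
    # starts with '-' must not be parsed by deliver as an option.
    argv += ["--", user]
    return {"exitcode": 0, "delivered": True, "logfile": logfile,
            "includerc": includerc, "argv": argv}


if __name__ == "__main__":
    # Constructed sample recipients, the kind of values Postfix hands over
    # as $user / $extension.
    samples = [("joe", ""), ("Joe", "bugtraq"), ("-x", ""),
               ("../etc/passwd", ""), ("joe", "x;rm -rf /"), ("joe", "$(id)")]
    for user, ext in samples:
        print(f"{user!r:18} {ext!r:14} -> {plan_delivery(user, ext)}")
```

The last three samples show what the character class buys: because `/`, whitespace, `;` and `$` are outside the allowed set, neither a traversal attempt in `$USER` nor shell syntax in `$EXTENSION` ever reaches the `LOGFILE`, `INCLUDERC` or `deliver` lines; they are rejected before those lines run, which is why the recipe places the check first.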
Example user filters. This is a section from mine which tosses Bugtraq-related
mailings into the INBOX.bugtraq IMAP folder:
-=-
:0
* ^TOBUGTRAQ@SECURITYFOCUS.COM
{ EXTENSION="bugtraq" }
-=-
--
www.kuro5hin.org -- technology and culture, from the trenches.