Email

Is Exim's !verify = header_syntax ACL entry legitimately rejecting mail with RFC 2047-encoded From/To headers?

  • March 4, 2020

A recent Exim upgrade added this to the default acl_smtp_data ACL:

.ifndef NO_CHECK_DATA_VERIFY_HEADER_SYNTAX
deny
 !acl = acl_local_deny_exceptions
 !verify = header_syntax
 message = header syntax
 log_message = header syntax ($acl_verify_message)
.endif

This causes some messages to be rejected. For example, the following header from a spam message:

2020-03-02 09:22:48 1j8hHk-0000gS-3Y H=(static-181-143-69-27.une.net.co) [181.143.69.27] F=<Danika@une.net.co> rejected after DATA: header syntax (unqualified address not permitted: failing address in "From:" header is: =?utf-8?B?IkRhbmlrYSIgPERhbmlrYUB1bmUubmV0LmNvPg==?=): unqualified address not permitted: failing address in "From:" header is: =?utf-8?B?IkRhbmlrYSIgPERhbmlrYUB1bmUubmV0LmNvPg==?=

Decoding the offending header, we get:

00000000  22 58 69 6d 65 6e 61 22  20 3c 58 69 6d 65 6e 61  |"Ximena" <Ximena|
00000010  40 76 69 6c 2e 63 6f 6d  2e 75 61 3e              |@vil.com.ua>|
0000001c

That looks to me like a perfectly good value for a From header.

Am I risking rejecting legitimate mail with verify = header_syntax, or is the header above invalid and safe to reject?

Digging into RFC 2047:

5. Use of encoded-words in message headers

An 'encoded-word' may appear in a message header or body part header
  according to the following rules:

[...]

(3) As a replacement for a 'word' entity within a 'phrase', for example,
   one that precedes an address in a From, To, or Cc header.  The ABNF
   definition for 'phrase' from RFC 822 thus becomes:

   phrase = 1*( encoded-word / word )

   [...]

  These are the ONLY locations where an 'encoded-word' may appear.  In
  particular:

  + An 'encoded-word' MUST NOT appear in any portion of an 'addr-spec'.

It seems an encoded-word can be used for the text preceding an address in a header, but not for the address itself. So using verify = header_syntax is safe, as long as we assume legitimate mail will not contain headers that violate RFC 2047, i.e. by smuggling the address into the encoded part of the header.

On the other hand... what about RFC 6854? That allows headers such as:

From: Automated System:;

To be fair, the RFC also says this syntax is "for limited use" ("only for limited or unique circumstances", e.g. experimentation per RFC 2026). So I will not lose any sleep over it!
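As an added illustration (not part of the original question or answer, and not Exim's code), the following Python script mimics what a header-syntax check sees: it parses a From: value with the standard library's address parser, which treats an RFC 2047 encoded-word as an opaque atom, and separately expands the encoded-words to show what the header was meant to say. The verdict labels and the EMPTY_GROUP pattern are this script's own; the samples are constructed, the first being the encoded From: value from the log line above.

```python
import re
from email.header import decode_header
from email.utils import parseaddr

# Shape of an RFC 2047 encoded-word: =?charset?encoding?encoded-text?=
ENCODED_WORD = re.compile(r"=\?[^?]*\?[bBqQ]\?[^?]*\?=")

# Shape of an RFC 6854-style empty group such as "Automated System:;"
# (pattern chosen for this example, not taken from any RFC grammar)
EMPTY_GROUP = re.compile(r"[^<>@:;]+:\s*;")


def decode_encoded_words(raw: str) -> str:
    """Expand every encoded-word in a raw header value into plain text.

    This is what a mail client displays; a header-syntax check does NOT
    do this before looking for the address.
    """
    pieces = []
    for part, charset in decode_header(raw):
        if isinstance(part, bytes):
            part = part.decode(charset or "ascii", errors="replace")
        pieces.append(part)
    return "".join(pieces)


def check_address_header(raw: str) -> dict:
    """Classify a raw From:/To: value the way a syntax verifier sees it.

    Encoded-words are opaque atoms to the address parser (RFC 2047 only
    allows them in the display-name phrase), so the addr-spec must be
    present in clear text outside of them.

    verdict is one of (labels invented for this example):
      'ok'                 a qualified addr-spec (local@domain) in clear text
      'unqualified'        no '@' outside encoded-words: the Exim log case
      'encoded-addr-spec'  an encoded-word inside the addr-spec (RFC 2047 s5)
      'empty-group'        "Name:;" with no members (the RFC 6854 form)
    """
    value = raw.strip()
    decoded = decode_encoded_words(value)
    if EMPTY_GROUP.fullmatch(value):
        # No addr-spec at all, so there is nothing to qualify; whether to
        # accept this is a local policy choice, not a syntax question.
        return {"verdict": "empty-group", "address": "", "decoded": decoded}

    _display, address = parseaddr(value)
    if "@" not in address:
        # The only address-like token is an encoded-word (or nothing at all).
        verdict = "unqualified"
    elif ENCODED_WORD.search(address):
        # RFC 2047 section 5: MUST NOT appear in any portion of an addr-spec.
        verdict = "encoded-addr-spec"
    else:
        verdict = "ok"
    return {"verdict": verdict, "address": address, "decoded": decoded}


if __name__ == "__main__":
    # Constructed samples; the first is the encoded From: value from the log.
    samples = [
        "=?utf-8?B?IkRhbmlrYSIgPERhbmlrYUB1bmUubmV0LmNvPg==?=",
        "=?utf-8?B?RGFuaWth?= <Danika@une.net.co>",
        '"Danika" <Danika@une.net.co>',
        "=?utf-8?B?RGFuaWth?=@une.net.co",
        "Automated System:;",
    ]
    for raw in samples:
        r = check_address_header(raw)
        print(f"{r['verdict']:18} address={r['address']!r:45} decoded={r['decoded']!r}")
```

The first sample yields "unqualified", matching the Exim log: the encoded-word is the only address-like token and contains no "@" in clear text, even though it decodes to a perfectly good mailbox. Encoding only the display name and leaving the angle-addr in the clear (second sample) passes, which is the RFC 2047 rule the answer quotes. The script makes no claim about how Exim itself treats the empty-group form.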

Source: https://serverfault.com/questions/1005259