Discussion:
SMTP smuggling with NUL char - m4 option to reject them
Marco Moock
2024-05-04 13:00:13 UTC
Hello!

There has been discussion about SMTP smuggling via NUL characters.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070190

It seems that sendmail includes an FFR option to reject such mails, but
no m4 option yet.

Is such a thing planned in the near future?
--
kind regards
Marco
Claus Aßmann
2024-05-04 16:25:02 UTC
Post by Marco Moock
> It seems that sendmail includes an FFR option to reject such mails, but
> no m4 option yet.
What's the problem?

LOCAL_CONFIG
O RejectNUL=true
--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.
Stacey Marshall
2024-05-17 10:19:29 UTC
Post by Claus Aßmann
> What's the problem?
> LOCAL_CONFIG
> O RejectNUL=true
Being relatively new to sendmail configuration myself, that had escaped
me too. cf/README does mention it, but it looks so different to most of
the other settings in sendmail.mc. Embarrassingly, I see now that
there was already a similar example in sendmail.mc, only for
LOCAL_NET_CONFIG. Livin' and learnin':

# diff -u sendmail.mc test.mc
--- sendmail.mc 2023-10-17 03:29:33.826913320 -0700
+++ test.mc 2024-05-17 03:12:22.832629965 -0700
@@ -26,5 +26,8 @@
MAILER(`local')dnl
MAILER(`smtp')dnl

+LOCAL_CONFIG
+O RejectNUL=true
+
LOCAL_NET_CONFIG
R$* < @ $* .$m. > $* $#esmtp $@ $2.$m $: $1 < @ $2.$m. > $3
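
Review bot: the added `O RejectNUL=true` line under LOCAL_CONFIG carries no comment saying why it is there. The thread describes RejectNUL as an FFR compile-time option with no m4 wrapper, so a short comment above the line noting that, and that its purpose is to reject messages containing NUL characters, would help whoever next regenerates the .cf from this file.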
Marco Moock
2024-05-17 12:23:27 UTC
Post by Stacey Marshall
> cf/README does mention it, but it looks so different to most of
> the other settings in sendmail.mc.
The .mc file is being processed by the macro processor m4.
To make configuration easy, most mc config lines are m4 commands.

The real configuration then resides in the .cf files and doesn't use m4
commands, so it looks different. :-)
The m4 command will result in the cf configuration lines after
processing.

For rejecting the NUL char, no m4 config exists in the current version.
That's why I asked, because it is also an FFR compile time option that
might change, be removed or is simply not intended to be used in
productive systems.
--
kind regards
Marco

Send spam to ***@cartoonies.org
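
Since the LOCAL_CONFIG lines are passed through m4 unchanged, the place to confirm the setting is the generated .cf file. The following is an added example, not part of the thread or of sendmail: the function name `rejectnul_state` and the sample file are constructed, and it assumes that an empty value or one starting with t/T/y/Y counts as true and that a later `O` line overrides an earlier one.

```shell
#!/bin/sh
# Added example (not from the thread): report how a generated sendmail.cf
# sets the RejectNUL option discussed above.
# Assumptions: an empty value or one starting with t/T/y/Y is true,
# and the last matching "O" line is the one that takes effect.

rejectnul_state() {
    # $1: path to a generated .cf file
    # Prints one of: enabled, disabled, absent
    awk '
        # Only real option lines match; "#"-commented lines do not start with O.
        /^O[ \t]+RejectNUL([ \t]*=|[ \t]*$)/ {
            val = $0
            if (index(val, "=")) {
                sub(/^[^=]*=[ \t]*/, "", val)   # keep what follows "="
            } else {
                val = ""                        # bare "O RejectNUL"
            }
            sub(/[ \t]+$/, "", val)             # trim trailing blanks
            state = (val == "" || val ~ /^[tTyY]/) ? "enabled" : "disabled"
        }
        END { print (state == "" ? "absent" : state) }
    ' "$1"
}

# Constructed sample: a commented-out setting followed by the line that the
# LOCAL_CONFIG block from the thread would place in the .cf file.
sample_cf=$(mktemp)
printf '%s\n' \
    '# O RejectNUL=false' \
    'O SevenBitInput=False' \
    'O RejectNUL=true' > "$sample_cf"

echo "RejectNUL in sample cf: $(rejectnul_state "$sample_cf")"
rm -f "$sample_cf"
```

This only inspects the configuration file; whether the running binary was built with the FFR option is a separate question the file cannot answer.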