[Simon Walter] Bug#506353: mailscanner: many scripts allow local users to overwrite arbitrary files, and more, via symlink attacks

[Glenn Steen]

2008/12/4 Kai Schaetzl <maillists at conactive.com>:
> Simon.walter at hp-factory.de wrote on Thu, 4 Dec 2008 11:44:45 -0000 (UTC):
>
>> which points to an A record...
>> ... like CNAMEs are dangerous.
>
> It doesn't matter what it is. The point is that RFC doesn't like it for MX
> records. That should be very well known to any server admin. And so some
> mailservers don't accept mail from such sources.
> I personally cannot see any connection between this and the chance of
> getting spam from that source. It's a good example of an anti-spam measure
> that is counter-productive. But you have to live with it and it's easy to
> fix it.
I don't agree that it is counterproductive, nor really an anti-spam measure.
What it comes down to is that BMX is strict about the letter of the
law (the RFCs).
Since it is, it has to be strict about it all. There is no such thing
as "half-way strict":-). If you want to be strict about things that do
matter (like the actual format of the EHLO/HELO string), it would be a
double standard to NOT be strict about the "no CNAME MX" rule.
Now, some may argue that the RFCs prohibit a lookup from being the
basis of a rejection, but ... the RFCs also state that blatant errors
are to be rejected... One can play "devils advocate" with it, but ...
I'm all for rejecting all errors. Leniency == acceptance of bad
behavior == problems in the future...:-).
Anyway, I guess all are entiteled to their own views:-)
> Kai
>

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se