Bugtraq mailing list archives

Re: Nasty hole in postifx/procmail/cyrus


From: Dylan_G () BIGFOOT COM (Dylan Griffiths)
Date: Fri, 14 Jul 2000 09:41:42 -0600


Philip Guenther and I discussed the procmail script's sanity checking.  The
result is this procmailrc.

You'll probably also want to review
ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html
which discusses rule sets which can sanitize mail for clients which use
Windows.

-=-

#################################################
# Postfix + Procmail + Cyrus procmailrc with sanity checking.
#
# You must explicitly set a PATH if you're going to be spawning programs.
PATH=/usr/cyrus/bin:$PATH
SHELL=/bin/bash
DELIVERMAIL=/usr/cyrus/bin/deliver
#VERBOSE=yes

# Reject USER or EXTENSION if either contains anything other than
# alphanumerics and the characters '.' '=' '_' '+' '-'.  (procmail matches
# case-insensitively, so upper-case letters pass too.)  Anything else causes
# a bounce of "NOUSER".

:0
* ! USER ?? [^-a-z0-9_+=.]
* ! EXTENSION ?? [^-a-z0-9_+=.]
{ }                     # They're both fine: nop and go on to the deliver rules.

:0 E
{                       # one or both contained an invalid character
    EXITCODE = 67       # EX_NOUSER
    HOST                # unsetting HOST makes procmail stop processing here
}

# Now that the variables have been sanity checked, we are free to use them
# in file names, etc.
LOGFILE=/home/cyrus/$USER.log

###############################
# procmail.username -- for example, procmail.Joe
# It is assumed these files are generated in some controlled way.
INCLUDERC=/home/cyrus/procmail.$USER
#

:0 w
* EXTENSION ?? .
| $DELIVERMAIL  -a "$USER" -e -m "$EXTENSION" -- "$USER"

# Only if there was no extension do we try this
:0 wE
| $DELIVERMAIL  -a "$USER" -e -- "$USER"

:0 e
{
    EXITCODE = $?       # Whichever one we tried, failed
    HOST
}

-=-

Example user filters.  This is a section from mine which tosses Bugtraq
related mailings into the INBOX.bugtraq IMAP folder:

-=-

:0
* ^TOBUGTRAQ@SECURITYFOCUS.COM
{ EXTENSION="bugtraq" }

-=-

--
    www.kuro5hin.org -- technology and culture, from the trenches.
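The following is an added example, not code from the post above nor from procmail or Cyrus: a plain POSIX shell model of the character-class check the procmailrc applies to $USER and $EXTENSION, so the accepted and rejected values can be exercised without a mail server. The function names sanity_check and plan_delivery, the "deliver" command line it prints, and the sample recipients are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post or from procmail/Cyrus: a plain
# POSIX shell model of the sanity check the procmailrc above applies to
# $USER and $EXTENSION, so accepted and rejected values can be exercised
# without a mail server.  sanity_check, plan_delivery and the sample inputs
# are hypothetical names constructed for this example.
LC_ALL=C
export LC_ALL

# The same character class as the recipe.  procmail matches it
# case-insensitively, hence grep -i below.  '/' is not in the set, so no
# value that passes can climb out of /home/cyrus when spliced into LOGFILE
# or INCLUDERC, and shell metacharacters and quotes are rejected before the
# value reaches the "| $DELIVERMAIL ..." action line.
BAD_CHARS='[^-a-z0-9_+=.]'

# A literal newline, for the explicit check below.
NL=$(printf '\nx'); NL=${NL%x}

# Return 0 if the value is safe to splice into a path or argument, 67
# (EX_NOUSER, the code the recipe sets) otherwise.  The empty string passes,
# as it does in the recipe (no extension is the normal case).  Newlines are
# rejected explicitly because grep would otherwise test each line on its
# own; that is a conservative choice of this model, not something the
# recipe spells out.
sanity_check() {
    case $1 in
        *"$NL"*) return 67 ;;
    esac
    if printf '%s' "$1" | grep -Eqi -- "$BAD_CHARS"; then
        return 67
    fi
    return 0
}

# Print the deliver(8) command line the recipe would run for a USER and
# EXTENSION pair, or print "bounce EX_NOUSER" and return 67 if either value
# fails the check.  Mirrors the two delivery recipes: -m is passed only when
# an extension is present, and '--' keeps a local part such as "-d" (every
# character of which the class allows) from being parsed as an option.
plan_delivery() {
    user=$1
    ext=$2
    if ! sanity_check "$user" || ! sanity_check "$ext"; then
        echo "bounce EX_NOUSER"
        return 67
    fi
    if [ -n "$ext" ]; then
        echo "deliver -a $user -e -m $ext -- $user"
    else
        echo "deliver -a $user -e -- $user"
    fi
}

# Constructed sample recipients: two legitimate, one option-looking but
# legal under the class, three hostile (traversal, shell metachar, space).
for pair in 'joe:' 'joe:bugtraq' '-d:' '../../etc/passwd:' 'joe;id:' 'joe:bug traq'; do
    user=${pair%%:*}
    ext=${pair#*:}
    printf '%-18s %-9s -> ' "$user" "$ext"
    plan_delivery "$user" "$ext" || true
done
```

Run as-is, the loop prints the argument vector that would reach deliver for each constructed recipient, or the bounce. Note that "-d" is accepted: the class permits a leading hyphen, so it is the "--" in the recipe's action lines, not the character check, that stops such a local part from being read as an option.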


