Mailing List Archive

Completely remove any name in From: header for inbound email?
Hello. As so many scams around are based on impersonating someone inside
the company, I am wondering if anyone here has considered the more
extreme solution of completely removing any name in the From: header for
incoming emails? I already have SPF/DKIM/DMARC in place, so the scammers
can't actually impersonate the sending email address, but they keep on
using the names of people with positions high up in the company. The
risks of falling for such emails are much reduced at this stage, but now
I'm wondering if the next step would be to just strip all names in the
From: field altogether and just leave the email address? Can Exim do
that, and has anyone considered it?

--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-users.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-users-unsubscribe@lists.exim.org
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
Re: Completely remove any name in From: header for inbound email?
On 26/05/2023 10:20, Sebastian Arcus via Exim-users wrote:
> strip all names in the From: field altogether and just leave the email address? Can Exim do that

Yes.

A simple (hah!) matter of remove-header, suitable regex, and add-header.
--
Cheers,
Jeremy


Re: Completely remove any name in From: header for inbound email?
Hello Sebastian!

On Fri, 26 May 2023, Sebastian Arcus via Exim-users wrote:

> Hello. As so many scams around are based on impersonating someone inside the
> company, I am wondering if anyone here has considered the more extreme
> solution of completely removing any name in the From: header for incoming
> emails? I already have SPF/DKIM/DMARC in place, so the scammers can't
> actually impersonate the sending email address, but they keep on using the
> names of people with positions high up in the company. The risks of falling
> for such emails are much reduced at this stage, but now I'm wondering if the
> next step would be to just strip all names in the From: field altogether and
> just leave the email address? Can Exim do that, and has anyone considered it?

Have you heard of IDNs (domain names with unicode characters)? For
example, your domain is company.com and the bad guy registers c<some
unicode character looking like an o>mpany.com. Then he sets up
SPF/DKIM/DMARC for that domain and sends you an email. Could you tell just
from the email address if it's from your CEO or a scammer?

Removing the names to force users to look at the email address can help to
lower the risk of falling for less sophisticated scams, but it
wouldn't work for more professional frauds.

ciao
Markus
--
/ Markus Reschke \
\ madires@theca-tabellaria.de /
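
Added example (not from the thread, not Exim code): a check for the lookalike
domains Markus describes, run on the addr-spec that SPF/DKIM/DMARC have already
aligned. It decodes punycode labels back to what the MUA shows, flags labels
that mix scripts, and folds confusable characters onto the Latin letter they
imitate (the skeleton idea from UTS #39) before comparing with a protected
list. PROTECTED, the LOOKALIKES table and the sample senders are constructed for
the demo and deliberately incomplete; a deployment would load Unicode's
confusables.txt instead.

```python
"""Flag From: domains that only look like a protected domain.

Added example for this thread; it is not Exim code and not any poster's.
PROTECTED and LOOKALIKES are constructed for the demo: a deployment would load
the confusables data behind UTS #39's skeleton() instead of this short table.
Input is the addr-spec that SPF/DKIM/DMARC have already vouched for; the point
is that alignment says nothing about whether that domain is *ours*.
"""
import unicodedata
from typing import List, Optional, Set

PROTECTED = {"company.com"}  # constructed: the domains impersonators target

# Constructed, deliberately short table of characters commonly mistaken for
# a Latin letter. Digits are included because ASCII-only lookalikes such as
# c0mpany.com get past any IDN-specific check.
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u03b1": "a", "\u03bf": "o", "\u03bd": "v",
    "\u0131": "i", "\u0142": "l", "\u0261": "g",
    "0": "o", "1": "l",
}


def to_unicode(domain: str) -> str:
    """Decode xn-- (punycode) labels so we inspect what the MUA will display."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # undecodable label: keep it raw, it will not match anyway
        labels.append(label)
    return ".".join(labels)


def scripts(label: str) -> Set[str]:
    """Unicode script names (first word of the character name) used in a label."""
    found = set()
    for ch in label:
        if ch in "-0123456789":
            continue  # shared by every script
        try:
            found.add(unicodedata.name(ch).split()[0])
        except ValueError:
            found.add("UNASSIGNED")
    return found


def skeleton(domain: str) -> str:
    """NFKC-fold, then collapse lookalikes onto the Latin letter they imitate."""
    folded = unicodedata.normalize("NFKC", to_unicode(domain))
    return "".join(LOOKALIKES.get(ch, ch) for ch in folded)


def lookalike_of(domain: str, protected: Set[str] = PROTECTED) -> Optional[str]:
    """The protected domain this one imitates, or None (also None if it IS one)."""
    if to_unicode(domain) in protected:
        return None
    sk = skeleton(domain)
    return next((p for p in protected if skeleton(p) == sk), None)


def mixed_script(domain: str) -> bool:
    """True if any label mixes scripts, e.g. Latin 'c' next to Cyrillic 'о'."""
    return any(len(scripts(label)) > 1 for label in to_unicode(domain).split("."))


def check_sender(addr_spec: str) -> List[str]:
    """Reasons to distrust the domain of an aligned From: address (empty = none)."""
    domain = addr_spec.rpartition("@")[2]
    reasons = []
    target = lookalike_of(domain)
    if target:
        reasons.append(f"lookalike of {target}")
    if mixed_script(domain):
        reasons.append("mixed-script domain label")
    return reasons


if __name__ == "__main__":
    # Constructed senders: the real one, a Cyrillic-o homoglyph, a digit swap.
    for sender in ("ceo@company.com", "ceo@c\u043empany.com", "ceo@c0mpany.com"):
        print(sender, check_sender(sender) or ["ok"])
```

Run stand-alone it prints a verdict for the three constructed senders. Treat a
hit as a reason to tag or quarantine, not as proof of fraud: a legitimate
partner can own an IDN, and the digit folding will also match real domains that
contain a 0 or a 1.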


Re: Completely remove any name in From: header for inbound email?
On 26 May 2023 10:05:16 UTC, Jeremy Harris via Exim-users <exim-users@lists.exim.org> wrote:

>A simple (hah!) matter of remove-header, suitable regex, and add-header.

Even more simple, instead of regex, just extract ${address:...}
and use that to replace header, in case of single address...

regards


--
Slavko
https://www.slavino.sk/

Re: Completely remove any name in From: header for inbound email?
Slavko via Exim-users wrote on 26.05.2023 19:40:
> On 26 May 2023 10:05:16 UTC, Jeremy Harris via Exim-users <exim-users@lists.exim.org> wrote:
>
>> A simple (hah!) matter of remove-header, suitable regex, and add-header.
>
> Even more simple, instead of regex, just extract ${address:...}
> and use that to replace header, in case of single address...

I posted an example to this list five weeks ago:

From: =?utf-8?Q?My=20Bizness:=20Inc.?= <charles@example.org>

I know that comma must be encoded. Also I know that MUAs correctly
display such headers. Also I know that attackers can use such headers.

Please show me how you are going to extract the address without the
regular expression from the header shown above.


--
Best wishes Victor Ustugov
mailto:victor@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc

Re: Completely remove any name in From: header for inbound email?
On 26/05/2023 18:28, Victor Ustugov via Exim-users wrote:
> Please show me how you are going to extract the address without the
> regular expression from the header shown above.

Why without? Using ${addresses: } does seem to work ok
for this example:

/considering: ${addresses:=?utf-8?Q?My=20Bizness:=20Inc.?= <charles@example.org>}
/considering: =?utf-8?Q?My=20Bizness:=20Inc.?= <charles@example.org>}
|-------text: =?utf-8?Q?My=20Bizness:=20Inc.?= <charles@example.org>
|considering: }
|--expanding: =?utf-8?Q?My=20Bizness:=20Inc.?= <charles@example.org>
\_____result: =?utf-8?Q?My=20Bizness:=20Inc.?= <charles@example.org>
|-----op-res: charles@example.org
|--expanding: ${addresses:=?utf-8?Q?My=20Bizness:=20Inc.?= <charles@example.org>}
\_____result: charles@example.org

--
Cheers,
Jeremy


Re: Completely remove any name in From: header for inbound email?
On 26 May 2023 17:50:14 UTC, Jeremy Harris via Exim-users <exim-users@lists.exim.org> wrote:

>Why without? Using ${addresses: } does seem to work ok
>for this example:

Jeremy, please, I checked the docs for ${address:...} now; they
state RFC 2822 parsing. I don't know how to ask properly
in English. But RFC 2822 was replaced by RFC 5322, and
besides that, the address string was updated by MIME
encoded-words (I don't have the RFC number now).

Do the docs have to be updated? Or is the parsing (possibly)
outdated?

regards


--
Slavko
https://www.slavino.sk/

Re: Completely remove any name in From: header for inbound email?
Jeremy Harris via Exim-users wrote on 26.05.2023 20:50:
> On 26/05/2023 18:28, Victor Ustugov via Exim-users wrote:
>> Please show me how you are going to extract the address without the
>> regular expression from the header shown above.
>
> Why without?  Using ${addresses: } does seem to work ok
> for this example:
>
>  /considering: ${addresses:=?utf-8?Q?My=20Bizness:=20Inc.?=
> <charles@example.org>}
>   /considering: =?utf-8?Q?My=20Bizness:=20Inc.?= <charles@example.org>}
>   |-------text: =?utf-8?Q?My=20Bizness:=20Inc.?= <charles@example.org>
>   |considering: }
>   |--expanding: =?utf-8?Q?My=20Bizness:=20Inc.?= <charles@example.org>
>   \_____result: =?utf-8?Q?My=20Bizness:=20Inc.?= <charles@example.org>
>  |-----op-res: charles@example.org
>  |--expanding: ${addresses:=?utf-8?Q?My=20Bizness:=20Inc.?=
> <charles@example.org>}
>  \_____result: charles@example.org

I got an empty result. So I wrote about this example.

# exim -be '${address:=?utf-8?Q?My=20Bizness:=20Inc.?= <charles@example.org>}'


test without colon:

# exim -be '${address:=?utf-8?Q?My=20Bizness=20Inc.?= <charles@example.org>}'
charles@example.org


Tested on exim 4.95 and exim 4.96.


--
Best wishes Victor Ustugov
mailto:victor@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc

Re: Completely remove any name in From: header for inbound email?
Victor Ustugov via Exim-users wrote on 26.05.2023 22:44:
> Jeremy Harris via Exim-users wrote on 26.05.2023 20:50:
>> On 26/05/2023 18:28, Victor Ustugov via Exim-users wrote:
>>> Please show me how you are going to extract the address without the
>>> regular expression from the header shown above.
>>
>> Why without?  Using ${addresses: } does seem to work ok
>> for this example:
>>
>>  /considering: ${addresses:=?utf-8?Q?My=20Bizness:=20Inc.?=
>> <charles@example.org>}
>>   /considering: =?utf-8?Q?My=20Bizness:=20Inc.?= <charles@example.org>}
>>   |-------text: =?utf-8?Q?My=20Bizness:=20Inc.?= <charles@example.org>
>>   |considering: }
>>   |--expanding: =?utf-8?Q?My=20Bizness:=20Inc.?= <charles@example.org>
>>   \_____result: =?utf-8?Q?My=20Bizness:=20Inc.?= <charles@example.org>
>>  |-----op-res: charles@example.org
>>  |--expanding: ${addresses:=?utf-8?Q?My=20Bizness:=20Inc.?=
>> <charles@example.org>}
>>  \_____result: charles@example.org
>
> I got an empty result. So i wrote about this example.
>
> # exim -be '${address:=?utf-8?Q?My=20Bizness:=20Inc.?= <charles@example.org>}'

Just now I noticed the difference.
You have used ${addresses:
I have used ${address:

It looks like ${addresses: considers there are two addresses in the
header with a colon and simply ignores the part of the header before the
colon.

Ok.


> test without colon:
>
> # exim -be '${address:=?utf-8?Q?My=20Bizness=20Inc.?= <charles@example.org>}'
> charles@example.org
>
>
> Tested on exim 4.95 and exim 4.96.
>
>


--
Best wishes Victor Ustugov
mailto:victor@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc

Re: Completely remove any name in From: header for inbound email?
Victor Ustugov via Exim-users wrote on 26.05.2023 20:28:
> Slavko via Exim-users wrote on 26.05.2023 19:40:
>> On 26 May 2023 10:05:16 UTC, Jeremy Harris via Exim-users <exim-users@lists.exim.org> wrote:
>>
>>> A simple (hah!) matter of remove-header, suitable regex, and add-header.
>>
>> Even more simple, instead of regex, just extract ${address:...}
>> and use that to replace header, in case of single address...
>
> I posted an example to this list five weeks ago:
>
> From: =?utf-8?Q?My=20Bizness:=20Inc.?= <charles@example.org>
>
> I know that comma must be encoded.

I meant colon, not comma.


> Also I know that MUAs correctly
> display such headers. Also I know that attackers can use such headers.
>
> Please show me how you are going to extract the address without the
> regular expression from the header shown above.
>
>


--
Best wishes Victor Ustugov
mailto:victor@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc

Re: Completely remove any name in From: header for inbound email?
On 26 May 2023 17:28:41 UTC, Victor Ustugov via Exim-users <exim-users@lists.exim.org> wrote:

>Please show me how you are going to extract the address without the
>regular expression from the header shown above.

Just curious, can you share your regex for address extracting?

regards


--
Slavko
https://www.slavino.sk/

Re: Completely remove any name in From: header for inbound email?
On 26/05/2023 20:32, Slavko via Exim-users wrote:
> Jeremy, please, I checked the docs for ${address:...} now; they
> state RFC 2822 parsing. I don't know how to ask properly
> in English. But RFC 2822 was replaced by RFC 5322, and
> besides that, the address string was updated by MIME
> encoded-words (I don't have the RFC number now).
>
> Do the docs have to be updated? Or is the parsing (possibly)
> outdated?

As I read it, 5322 defines display-name as "phrase"
and then helpfully does not define *that*. So I can't
answer for certain, but I'm assuming 5322 and 2822
are the same for this purpose.

Anyone know for certain?

As for updating the docs, I'm not sure it's worthwhile.
--
Cheers,
Jeremy


Re: Completely remove any name in From: header for inbound email?
On 2023-05-26 at 16:41:44 UTC-0400 (Fri, 26 May 2023 21:41:44 +0100)
Jeremy Harris via Exim-users <jgh@wizmail.org>
is rumored to have said:

> On 26/05/2023 20:32, Slavko via Exim-users wrote:
>> Jeremy, please, I checked the docs for ${address:...} now; they
>> state RFC 2822 parsing. I don't know how to ask properly
>> in English. But RFC 2822 was replaced by RFC 5322, and
>> besides that, the address string was updated by MIME
>> encoded-words (I don't have the RFC number now).
>>
>> Do the docs have to be updated? Or is the parsing (possibly)
>> outdated?
>
> As I read it, 5322 defines display-name as "phrase"
> and then helpfully does not define *that*. So I can't
> answer for certain, but I'm assuming 5322 and 2822
> are the same for this purpose.
>
> Anyone know for certain?

There's no effective difference in the definitions of the From header
between RFC2822 and RFC5322. It is possible to chase down the ABNF
definitions via references.


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire

Re: Completely remove any name in From: header for inbound email?
On 26 May 2023 20:41:44 UTC, Jeremy Harris via Exim-users <exim-users@lists.exim.org> wrote:

>As I read it, 5322 defines display-name as "phrase"
>and then helpfully does not define *that*.

Phrase is defined in 3.2.5 section as one or more words,
and as word is atom or quoted-string, phrase is one or
more atoms/quoted-strings. Or do you mean something
else?

>As for updating the docs, I'm not sure it's worthwhile.

Not crucial... But IMO it is worth it, as not all (including
me) know the differences in syntax (if any) from RFC 2822,
obsoleted ~15 years ago (I mean an update for the next version,
of course).

regards


--
Slavko
https://www.slavino.sk/

Re: Completely remove any name in From: header for inbound email?
On 26 May 2023 17:28:41 UTC, Victor Ustugov via Exim-users <exim-users@lists.exim.org> wrote:

>I posted example to this list five weeks ago:
>
>From: =?utf-8?Q?My=20Bizness:=20Inc.?= <charles@example.org>
>
>I know that comma must be encoded. Also I know that MUAs correctly
>display such headers.

All MUAs? Your MUAs?

My MUA shows "unknown sender" with that header and
I cannot hit reply...

regards


--
Slavko
https://www.slavino.sk/

Re: Completely remove any name in From: header for inbound email?
Slavko via Exim-users wrote on 27.05.2023 00:42:
> On 26 May 2023 17:28:41 UTC, Victor Ustugov via Exim-users <exim-users@lists.exim.org> wrote:
>
>> I posted example to this list five weeks ago:
>>
>> From: =?utf-8?Q?My=20Bizness:=20Inc.?= <charles@example.org>
>>
>> I know that comma must be encoded. Also I know that MUAs correctly
>> display such headers.
>
> All MUAs?

No.

> Your MUAs?

No. I am a conservative and personally I use a fairly rare MUA.

Do you think Thunderbird is widely used enough to be a good example?

Or was your question about MTA features for your personal use only?


> My MUA shows "unknown sender" with that header and
> i cannot hit reply...

My MUA shows me both text and address without hiding the address.

It would be nice if everyone used your MUA or my MUA. But that doesn't
happen in real life. I would consider the worst case scenarios as well.
But you can do as you wish.


> regards
>
>


--
Best wishes Victor Ustugov
mailto:victor@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc

Re: Completely remove any name in From: header for inbound email?
Slavko via Exim-users wrote on 26.05.2023 23:32:
> On 26 May 2023 17:28:41 UTC, Victor Ustugov via Exim-users <exim-users@lists.exim.org> wrote:
>
>> Please show me how you are going to extract the address without the
>> regular expression from the header shown above.
>
> Just curious, can you share your regex for address extracting?

Something like this:

${if eq{${address:$rh_From:}}{}{${sg{$rh_From:}{\N^.*<(\S+?@\S+?)>\s*\N}{\$1}}}{${address:$rh_From:}}}


Jeremy showed the variant with ${addresses:

This one is better than ${address:

But he can't do it either:

From: postmaster@your-domain.tld <charles@example.org>

And I know that the correct variant is:

From: "postmaster@your-domain.tld" <charles@example.org>

Jeremy Harris wrote on 13.04.2023 at 10:36: "A mail sender could send
you *anything*". And I have to consider how *SOME* MUAs and *SOME*
webmails work.

You can do as you wish.


> regards
>
>


--
Best wishes Victor Ustugov
mailto:victor@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc

Re: Completely remove any name in From: header for inbound email?
On 26 May 2023 22:04:42 UTC, Victor Ustugov via Exim-users <exim-users@lists.exim.org> wrote:

>Or was your question about MTA features for your personal use only?

No, those were rhetorical questions ;-)

>It would be nice if everyone used your MUA or my MUA. But that doesn't
>happen in real life. I would consider the worst case scenarios as well.

The MUAs are not as important, as they are like people -- they can
do strange things ;-)

More important is that this header passes the header_syntax
and header_sender verify, thus one can expect that all of exim's
expansions can do their job with it and will provide reliable output.
But as you clearly show, that is not the case for ${address:...}.

As the From: header can contain multiple addresses (by definition),
it can be more appropriate to use ${addresses:...}, and it works,
as Jeremy has shown. But in this case it contains only one address
string (while not RFC compliant).

In any case, exim's behavior is inconsistent: if it is
considered broken, it has to be broken in all cases,
not only in some. Any devs' opinion/decision?

regards


--
Slavko
https://www.slavino.sk/

Re: Completely remove any name in From: header for inbound email?
On 26 May 2023 22:31:56 UTC, Victor Ustugov via Exim-users <exim-users@lists.exim.org> wrote:

>
>${if eq{${address:$rh_From:}}{}{${sg{$rh_From:}{\N^.*<(\S+?@\S+?)>\s*\N}{\$1}}}{${address:$rh_From:}}}
>

Thanks, but do you know that is not perfect either? E.g. try
adding "(comment)" after the address and it will match an invalid
address... Some time ago I searched for an email address regex
on the Internet, and what I found as fully RFC compliant
was horribly complicated, with questionable performance,
not manageable (I got lost in it) and for ASCII only...

>But he can't do it either:
>
>From: postmaster@your-domain.tld <charles@example.org>

That is IMO OK, as this will not pass the header_syntax check,
thus one can consider it expected not to parse...

regards


--
Slavko
https://www.slavino.sk/

Re: Completely remove any name in From: header for inbound email?
Slavko via Exim-users wrote on 27.05.2023 02:19:
> On 26 May 2023 22:04:42 UTC, Victor Ustugov via Exim-users <exim-users@lists.exim.org> wrote:
>
>> Or was your question about MTA features for your personal use only?
>
> No, that was rhetorical questions ;-)
>
>> It would be nice if everyone used your MUA or my MUA. But that doesn't
>> happen in real life. I would consider the worst case scenarios as well.
>
> The MUAs are not as important, as they are like people -- they can
> do strange things ;-)

Agree.

> More important is that this header passes the header_syntax
> and header_sender verify, thus one can expect that all of exim's
> expansions can do their job with it and will provide reliable output.
> But as you clearly show, that is not the case for ${address:...}.

Yes, in this case ${addresses:...} is a better variant than ${address:...}

> As the From: header can contain multiple addresses (by definition),
> it can be more appropriate to use ${addresses:...}, and it works,
> as Jeremy has shown. But in this case it contains only one address
> string (while not RFC compliant).

If all addresses are valid, then ${addresses:...} will return them all.
It remains only to replace the list separator before adding a new
From header.
But if one of the addresses is like `postmaster@your-domain.tld
<charles@example.org>`, it will be skipped.

But more than one address in a From header is rare. And if there are
several such incorrect addresses in the From header of the attacker's
email, then it's good that at least one of them can be extracted using a
simple regular expression.

> In any case, exim's behavior is inconsistent: if it is
> considered broken, it has to be broken in all cases,
> not only in some. Any devs' opinion/decision?


--
Best wishes Victor Ustugov
mailto:victor@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc

Re: Completely remove any name in From: header for inbound email?
On Fri, May 26, 2023 at 10:20:32AM +0100, Sebastian Arcus via Exim-users wrote:

.. snip ..
> next step would be to just strip all names in the From: field altogether and
> just leave the email address? Can Exim do that, and has anyone considered
> it?

This is the kind of transform I prefer to do with a transport_filter, where
I can read the input into a program (probably a Perl script), tweak it bit by
bit imperatively, and then return the final result -- as opposed to trying
to write the one perfect regexp in one step.

--
Ian
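
Added example (not from the thread, not Exim's or any poster's code): the
transport_filter route Ian describes, written in Python rather than Perl so
that the standard library's RFC 5322 header parser (email.policy.default) does
the extraction instead of a hand-rolled regex. The Exim side is assumed: a
transport_filter option on the delivery transport pointing at this script, with
an invented path. The script rewrites From: to bare angle-addrs and, instead of
guessing, leaves the header untouched whenever the parser records a defect. The
headers it is exercised on are the ones posted in this thread plus constructed
ones.

```python
#!/usr/bin/env python3
"""Reduce From: to bare addresses, as the body of an Exim transport_filter.

Added example for this thread; it is not Exim code and not any poster's
script. It stands in for the Perl filter suggested above (Python here so
the stdlib RFC 5322 parser can do the work), and is wired in by an assumed
    transport_filter = /usr/local/bin/strip_from_names.py
on the local delivery transport (that path is an assumption). The filter
reads one message on stdin and writes it back on stdout. Because the
header is parsed by email.policy.default rather than a regex, the thread's
cases fall out of the parser's own rules:

  * an encoded-word display name containing ':' is still one phrase;
  * trailing "(comment)" text is CFWS and is dropped;
  * "postmaster@a.tld <charles@example.org>" is syntactically invalid and
    is NOT rewritten, so it reaches the ACL's own syntax checks unchanged.
"""
import sys
from email import message_from_string, policy
from typing import List, Optional

PARSER = policy.default  # email.headerregistry-based RFC 5322 parsing


def bare_addresses(header) -> Optional[List[str]]:
    """addr-specs of a parsed From: header, or None if it is not clean.

    `header` is an email.headerregistry.AddressHeader. Any recorded defect
    means the parser had to guess about the sender, and a guessed address
    is exactly what an impersonator counts on, so the caller gets None and
    must choose (leave alone, reject, quarantine) instead of trusting it.
    """
    if header.defects:
        return None
    addrs = [a.addr_spec for a in header.addresses if a.domain]
    return addrs or None  # e.g. an empty group "undisclosed-recipients:;"


def strip_display_names(from_value: str) -> Optional[str]:
    """Rewrite a raw From: value to bare angle-addrs, or None if invalid."""
    addrs = bare_addresses(PARSER.header_factory("From", from_value))
    if addrs is None:
        return None
    return ", ".join(f"<{a}>" for a in addrs)


def rewrite_message(raw: str) -> str:
    """Message with From: reduced to addresses; returned unchanged if invalid."""
    msg = message_from_string(raw, policy=PARSER)
    header = msg["From"]
    if header is None:
        return raw
    addrs = bare_addresses(header)
    if addrs is None:
        return raw
    msg.replace_header("From", ", ".join(f"<{a}>" for a in addrs))
    return msg.as_string()


# Constructed sample message (not real mail): the thread's header with a
# colon hidden inside the encoded word.
SAMPLE = (
    "From: =?utf-8?Q?My=20Bizness:=20Inc.?= <charles@example.org>\n"
    "To: alice@example.net\n"
    "Subject: invoice\n"
    "\n"
    "please pay\n"
)

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    sys.stdout.write(rewrite_message(data))
```

Exim's own remove_header/add_header with the ${addresses:} operator does the
same job inside the ACL for headers that parse (its output is a
colon-separated list, so the separator has to be changed before the header is
re-added). What the script adds is the explicit refusal to rewrite anything
the parser flags, and a single place to log those cases.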

Re: Completely remove any name in From: header for inbound email?
On 26 May 2023 23:45:22 UTC, Victor Ustugov via Exim-users <exim-users@lists.exim.org> wrote:

>But more than one address in a From header is rare. And if there are
>several such incorrect addresses in the From header of the attacker's
>email, then it's good that at least one of them can be extracted using a
>simple regular expression.

I do not manipulate From: nor any other (address) header in
that way on incoming mails, neither from the wild nor from users.

But I use the ${address:...} expansion to extract the address from
Sender: and From: headers (forced to one address) on the MSA
to check that users use only an allowed address, to prevent
spoofing. I do that test(s) after syntax verifying, but now I
see that it is not reliable, just because the MUA (expected) &
exim can do it wrong...

I did extensive testing of those checks, but the case of
invalid syntax which passes syntax verifying was not
included...

regards


--
Slavko
https://www.slavino.sk/

Re: Completely remove any name in From: header for inbound email?
Slavko via Exim-users wrote on 27.05.2023 02:44:
> On 26 May 2023 22:31:56 UTC, Victor Ustugov via Exim-users <exim-users@lists.exim.org> wrote:
>
>>
>> ${if eq{${address:$rh_From:}}{}{${sg{$rh_From:}{\N^.*<(\S+?@\S+?)>\s*\N}{\$1}}}{${address:$rh_From:}}}
>>
>
> Thanks, but do you know that is not perfect either? E.g. try
> adding "(comment)" after the address and it will match an invalid
> address...

Oh... I really missed the "comment". Maybe because in real life I met it
a very long time ago.

> Some time ago I searched for an email address regex
> on the Internet, and what I found as fully RFC compliant
> was horribly complicated, with questionable performance,
> not manageable (I got lost in it) and for ASCII only...

I think that in this case it is not necessary to use a very "horrible
complicated" full RFC compliant regexp. It may be sufficient to ignore
all parenthesized text after the last ">". Or even ignore all text in
parentheses after the last ">".

${if eq{${addresses:$rh_From:}}{}{${sg{$rh_From:}{\N^.*<(\S+?@\S+?)>[^>]*$\N}{\$1}}}{${addresses:$rh_From:}}}

>> But he can't do it either:
>>
>> From: postmaster@your-domain.tld <charles@example.org>
>
> That is IMO OK, as this will not pass the header_syntax check,
> thus one can consider it expected not to parse...


--
Best wishes Victor Ustugov
mailto:victor@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc

Re: Completely remove any name in From: header for inbound email?
Slavko via Exim-users wrote on 27.05.2023 10:54:
> On 26 May 2023 23:45:22 UTC, Victor Ustugov via Exim-users <exim-users@lists.exim.org> wrote:
>
>> But more than one address in a From header is rare. And if there are
>> several such incorrect addresses in the From header of the attacker's
>> email, then it's good that at least one of them can be extracted using a
>> simple regular expression.
>
> I do not manipulate From: nor any other (address) header in
> that way on incoming mails, neither from the wild nor from users.

Me too.

But this is exactly what the author of the topic needs.


> But I use the ${address:...} expansion to extract the address from
> Sender: and From: headers (forced to one address) on the MSA
> to check that users use only an allowed address, to prevent
> spoofing. I do that test(s) after syntax verifying, but now I
> see that it is not reliable, just because the MUA (expected) &
> exim can do it wrong...

I think checking the headers of emails sent by your users could be more
strict. Because if ${address:...} returns an empty result then the header
is not RFC compliant.

To my mind when checking the headers of messages received from outside,
we should get addresses even from an incorrectly composed header. At
least if we need to check these addresses.

The headers of outgoing emails from our users must always be RFC compliant.

> I did extensive testing of those checks, but the case of
> invalid syntax which passes syntax verifying was not
> included...


--
Best wishes Victor Ustugov
mailto:victor@corvax.kiev.ua
public GnuPG/PGP key: https://victor.corvax.kiev.ua/corvax.asc

Re: Completely remove any name in From: header for inbound email?
Hi,

On Sat, 27 May 2023 13:20:48 +0300 Victor Ustugov via Exim-users
<exim-users@lists.exim.org> wrote:

> I think that in this case it is not necessary to use a very "horrible
> complicated" full RFC compliant regexp. It may be sufficient to ignore
> all parenthesized text after the last ">". Or even ignore all text in
> parentheses after the last ">".
>
> ${if eq{${addresses:$rh_From:}}{}{${sg{$rh_From:}{\N^.*<(\S+?@\S+?)>[^>]*$\N}{\$1}}}{${addresses:$rh_From:}}}
>

And then you get something like this:

From: "postmaster@your-domain.tld" <charles@example.org> (<confuse@domain.tld>)

:-)))

My point was that a regex can be unreliable too.

I consider the ${address:} expansion as a way to avoid anyone having
to develop their own parser, which can end in an ugly or even wrong
way, as not all (including me) are regex experts...

I do not expect that ${address:} will parse any wrong syntax. I can
accept that it can fail in some corner cases of valid syntax. But
I expect that when a header passes the header_syntax check, that
expansion will be able to parse it; otherwise something is wrong.

regards

--
Slavko
https://www.slavino.sk
