On Mon, 3 Mar 2003, Florian Weimer wrote:
> Would people be willing to share filter rules for other MTAs to
> block offending messages on relays?

Wietse Venema offered the following responses for Postfix.

First out of the gate was [1], this regexp-based quick-response; capable of false-positives, but not as scary as might be feared since it only looks in the headers (place this in a regexp map, assign that to header_checks):

    /<><><><><><>/ reject possible CA-2003-07 sendmail buffer overflow exploit

Then he came out with [2], a new release of postfix with functionality like that of patched sendmail, sanitizing messages as they pass through and logging when it does so.

This enhancement he then broke out as a light patch [3] to apply against most versions of postfix that might be in use, for people who'd like the protection without having to upgrade to a newer version.

To be clear here: Postfix is not itself susceptible to this problem. The only purpose for this patch is to allow Postfix to mung messages to protect vulnerable sendmails downstream from it.

-Bennett

[1] <URL:http://archives.neohapsis.com/archives/postfix/2003-03/0254.html>
[2] <URL:http://archives.neohapsis.com/archives/postfix/2003-03/0402.html>
[3] <URL:http://archives.neohapsis.com/archives/postfix/2003-03/0487.html>
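
An added example, not part of the original message and not Postfix code: a Python dry-run of the quoted pattern over sample messages, to see which headers the rule would reject and to confirm that body text is never matched. The sample messages, the `flagged_headers` name and the simple unfolding of continuation lines are assumptions of this example; it only approximates how header_checks sees a logical header.

```python
import re
from email import message_from_string
from email.policy import compat32

# Pattern taken from the rule quoted in the message above.
RULE = re.compile(r"<><><><><><>")

def flagged_headers(raw_message):
    """Return names of top-level headers the rule would match.

    Each header is unfolded into one logical line ("Name: value")
    before matching. The message body is never examined.
    """
    msg = message_from_string(raw_message, policy=compat32)
    hits = []
    for name, value in msg.items():
        # Assumption: unfold by dropping the line break before the
        # leading whitespace of a continuation line.
        logical = f"{name}: " + re.sub(r"\r?\n(?=[ \t])", "", str(value))
        if RULE.search(logical):
            hits.append(name)
    return hits

# Constructed sample messages (not real mail).
BODY_ONLY = (
    "From: alice@example.com\n"
    "To: bob@example.com\n"
    "Subject: ascii art\n"
    "\n"
    "look at this: <><><><><><><>\n"
)
HEADER_HIT = (
    "From: alice@example.com\n"
    "To: <><><><><><> bob@example.com\n"
    "Subject: hi\n"
    "\n"
    "body text\n"
)
SHORT_RUN = (
    "From: alice@example.com\n"
    "Subject: fish <><><> swimming\n"
    "\n"
    "x\n"
)

if __name__ == "__main__":
    for label, raw in [("body only", BODY_ONLY), ("header hit", HEADER_HIT),
                       ("short run", SHORT_RUN)]:
        print(f"{label}: {flagged_headers(raw) or 'no match'}")
```

Running the same function over a sample of real, legitimate mail gives an estimate of the false-positive rate before the rule is deployed.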