Allowing email addresses with % in them


Allowing email addresses with % in them

Stephen Paul Weber
I have reason to allow email addresses with % in them.  If I do this:

        allow_percent_hack = no

Then I still get "relay access denied" because it seems that Postfix
considers % a relay attempt, even with the rewriting disabled?  So, if I do
this as well:

        allow_untrusted_routing = yes

It works, but of course I'd rather not.  So two questions (1) is this
"safe":

        swap_bangpath = no
        allow_percent_hack = no
        allow_untrusted_routing = yes

That is, since both bangpath and percent_hack are disabled there should be no
untrusted routing to attempt anyway, and thus I am not an open relay, yes?

And (2) is there any way to achieve what I want (localpart with % in it that
is treated as just a normal character and not a relay attempt).

Currently running Postfix 3.4.5 (Debian stable).

Thanks for any pointers!

Re: Allowing email addresses with % in them

Wietse Venema
Stephen Paul Weber:

> I have reason to allow email addresses with % in them.  If I do this:
>
> allow_percent_hack = no
>
> Then I still get "relay access denied" because it seems that Postfix
> considers % a relay attempt, even with the rewriting disabled?  So, if I do
> this as well:
>
> allow_untrusted_routing = yes
>
> It works, but of course I'd rather not.  So two questions (1) is this
> "safe":
>
> swap_bangpath = no
> allow_percent_hack = no
> allow_untrusted_routing = yes
>
> That is, since both bangpath and percent_hack are disabled there should be no
> untrusted routing to attempt anyway, and thus I am not an open relay, yes?

Yes, if you never send email to other systems. The postconf(5)
manpage describes a loophole where Postfix was forwarding
email to a system that could be exploited by % in localparts.

> And (2) is there any way to achieve what I want (localpart with % in it that
> is treated as just a normal character and not a relay attempt).

Yes, if you never send email to other systems.

        Wietse
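
The condition in the reply above ("if you never send email to other systems") can be checked mechanically. The following is an added example, not code from either poster or from Postfix: it reads `postconf -n` style text and lists recipients with sender-specified routing (`user[@%!]remote[@%!]site`, as postconf(5) describes it) that fall in a relayed domain while `allow_untrusted_routing = yes`. Assumptions: a non-empty `relay_domains` stands for "sends email to other systems", only literal domain names are matched (no lookup tables or subdomain matching), and all sample settings, addresses and function names are constructed.

```python
import re

ROUTING_CHARS = set("@%!")  # user[@%!]remote[@%!]site, per postconf(5)

# Constructed `postconf -n` style samples; example.org is a placeholder.
FORWARDING_HOST = """\
swap_bangpath = no
allow_percent_hack = no
allow_untrusted_routing = yes
relay_domains = example.org
"""
LOCAL_ONLY_HOST = """\
swap_bangpath = no
allow_percent_hack = no
allow_untrusted_routing = yes
"""
# Constructed recipient addresses.
RECIPIENTS = [
    "alice@example.org",
    "bob%inner.example@example.org",
    "inner!carol@example.org",
    "dave@inner.example@example.org",
]

def parse_postconf(text):
    """Parse 'name = value' lines into a dict, skipping blanks and comments."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, _, value = line.partition("=")
            params[name.strip()] = value.strip()
    return params

def has_sender_routing(recipient):
    """True if the part left of the last '@' contains '@', '%' or '!'."""
    localpart, sep, _domain = recipient.rpartition("@")
    if not sep:  # no '@' at all: the whole string is the local part
        localpart = recipient
    return any(ch in ROUTING_CHARS for ch in localpart)

def routed_recipients_at_risk(conf_text, recipients):
    """Routed recipients in a relayed domain while untrusted routing is on."""
    conf = parse_postconf(conf_text)
    if conf.get("allow_untrusted_routing", "no").lower() != "yes":
        return []
    # Postfix 3.x default for relay_domains is empty; literal names only here.
    relayed = {d.lower() for d in re.split(r"[,\s]+", conf.get("relay_domains", "")) if d}
    return [r for r in recipients
            if has_sender_routing(r) and r.rpartition("@")[2].lower() in relayed]
```

An empty result for the local-only sample corresponds to the case the reply calls safe; the check does not look at other forwarding paths such as aliases or transport maps.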