The check_eoh Rule Set
After all headers have been processed by
sendmail, a couple of
statistics become available that can be of use in
screening messages. One is the number of headers
found. The other is the total number of bytes in all
the headers (including the names, colons,
whitespace, and values). If you should ever need
this information, you can process it by declaring a
special rule set named check_eoh. If that rule set exists, it
will be passed the number of headers, and the total
number of bytes in all the headers:
number of headers $| total bytes
If it exists, sendmail will call
the check_eoh
rule set after all headers have otherwise been
processed.
Some users have been known to bury information in headers that should not leave a security-conscious site. Clearly, it is not possible to individually screen all possible headers. Instead, one approach might simply be to reject messages that contain more than 25 headers or more than 10,000 bytes of headers. The following extract from a site’s mc file does just that:
LOCAL_CONFIG Kcompute arith LOCAL_RULESETS Scheck_eoh R $* $| $* $: $(compute l $@ 25 $@ $1 $) $| $2 R TRUE $| $* $#error $@ 5.7.0 $: "553 Too many headers" R $* $| $* $: $(compute l $@ 10000 $@ $2 $) R TRUE $#error $@ 5.7.0 $: "553 Too many header bytes"
The LOCAL_CONFIG part of this mc
file declares an arith database map (arith on page 898) named compute.
The LOCAL_RULESETS part of this
mc file declares the
specially named rule set check_eoh, which has four rules. ...
Get sendmail, 4th Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
