View Issue Details

ID: 0000948
Project: Main CAcert Website
Category: source code
View Status: public
Last Update: 2013-01-15 17:22
Reporter: dakon
Assigned To: Uli60
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Fixed in Version: 2011 Q3
Summary: 0000948: Email address verification violates SMTP protocol
Description: If I want to verify a new email address a connection to my server is created. The transaction looks as follows:

Jun 5 00:07:09 mail Qsmtpd[7431]: > 220 mail.sf-mail.de Qsmtpd 0.19svn ESMTP
Jun 5 00:07:09 mail Qsmtpd[7431]: < HELO www.cacert.org
Jun 5 00:07:09 mail Qsmtpd[7431]: > 250 mail.sf-mail.de
Jun 5 00:07:09 mail Qsmtpd[7431]: < MAIL FROM: <returns@cacert.org>
Jun 5 00:07:09 mail Qsmtpd[7431]: > 250 2.1.5 sender <returns@cacert.org> is syntactically correct
Jun 5 00:07:09 mail Qsmtpd[7431]: < RCPT TO: <foobar@example.com>
Jun 5 00:07:09 mail Qsmtpd[7431]: > 500 5.5.2 command syntax error
Jun 5 00:07:09 mail Qsmtpd[7431]: < QUIT
Jun 5 00:07:09 mail Qsmtpd[7431]: > 221 2.0.0 mail.sf-mail.de service closing transmission channel

The mails are rejected because of the space between ':' and '<' in both the MAIL FROM and RCPT TO commands.
Additional Information: See RFC 2821 and RFC 5321, section 4.1.1.2:
mail = "MAIL FROM:" Reverse-path [SP Mail-parameters] CRLF

As you might have noticed there is an explicit mention of SP before extra parameters. This means there has to be a single whitespace between the closing bracket and the start of the parameter if you want to add a parameter. Other spaces may not appear on the line.
Tags: No tags attached.
Reviewed by: dastrath, NEOatNHNG
Test Instructions

Activities

2011-06-05 12:44

 

mysql.php.sample (3,652 bytes)

Uli60

2011-06-05 12:51

updater   ~0002011

Last edited: 2011-06-05 13:09

/includes/mysql.php.sample
is the proposed RFC-2821 compliant fix, to remove the extra
white space before mail-from and before rcpt-to addresses
from the code base
extra infos:
- http://www.snertsoft.com/smtp/smtpf/summary.html#opt_rfc2821_extra_spaces
- http://bugs.php.net/28038

as production mysql.php is not distributed
with the repository, this fix needs to be added manually
by the Software-Assessors or the Critical Team

One question that arises:
can the function sendmail() be outsourced to another
include file ?
eg mysql.php
    ..
    include_once("/includes/mysql-functions.php");
    ..
???

Uli60

2011-06-06 02:47

updater   ~0002012

Last edited: 2011-06-06 02:47

domain check is affected too
/includes/general.php

2011-06-06 02:48

 

general.php (30,439 bytes)

Ted

2011-06-07 22:16

administrator   ~0002013

Added the proposed changes to git branch bug-948

Uli60

2011-06-08 01:58

updater   ~0002021

patch added, review #1 by Ted
test is difficult for testers, as a raw smtp log is not available to check.
emails are redirected on testserver to TMS mailbox
but w/o further header debug infos

needs 2nd review

Uli60

2011-06-28 23:59

updater   ~0002069

dirk, NEO, added to cacert-devel, added to testserver

Uli60

2011-06-29 00:05

updater   ~0002070

Last edited: 2011-06-29 00:24


new account join -> TMS rcvd mail probe: ok
2nd account: assure someone -> new account ->
rcvd mail by new account:
 You were issued 35 points and you now have 35 points in total. -> ok
assurer rcvd email:
 You issued 35 points and they now have 35 points in total. -> ok

new user - create client cert
rcvd email:
If you have not imported CAcert's root certificate, please go to:
https://www.cacert.org/index.php?id=3
Root cert fingerprint = A6:1B:37:5E:39:0D:9C:36:54:EE:BD:20:31:46:1F:6B
Root cert fingerprint = 135C EC36 F49C B8E9 3B1A B270 CD80 8846 76CE 8F33
-> ok

add domain - rcvd mail:
Below is the link you need to open to verify your domain 'xxx'. Once your address is verified you will be able to start issuing certificates to your heart's content! -> ok

find an assurer - contact assurer -> ok

assure someone - use non-existent email - send reminder notice
mhh, don't know where to find the email ...
account doesn't exist, cannot login to tms (this is as expected)
cannot be checked

NEOatNHNG

2011-06-29 11:59

administrator   ~0002071

Patch reviewed. No complaints, good to go. So once we have a few extra tests we can put it into production.

INOPIAE

2011-06-30 08:46

updater   ~0002074

Tested:
join new member: ok
assure somebody: assuree OK, assurer OK
client certificate: OK

Uli60

2011-07-05 21:26

updater   ~0002090

client.pl needs update too
line 640 sub sendmail()
l.673 print $smtp "MAIL FROM: <returns\@cacert.org>\r\n";
l.679 print $smtp "RCPT TO: <".trim($user).">\r\n";

NEOatNHNG

2011-07-07 00:06

administrator   ~0002100

Reminder sent to: egal

Dirk made those changes to the /CommModule/client.pl and applied them to the test server on our last Software Assessment meeting yesterday.

NEOatNHNG

2011-07-07 00:09

administrator   ~0002101

I have reviewed the changes to the /CommModule/client.pl and they are OK. So only some more testing needed before it can go to production.

Uli60

2011-07-07 01:00

updater   ~0002102

client.pl update affects _all_ mails on cert creations
org / individual members, client / server certs
as sub sendmail is a function used in main HandleCerts function

Uli60

2011-07-13 01:03

updater   ~0002123

tests finished review:
needs more testing, see instructions under
https://bugs.cacert.org/view.php?id=948#c2070

INOPIAE

2011-07-19 21:58

updater   ~0002154

join new member: mail received -> ok
assure somebody: assuree mail received -> ok, assurer mail received -> ok
client certificate: mail received -> ok
add domain: mail received -> ok
find assurer: mail received -> ok
Edit data: mail received -> ok

Uli60

2011-07-19 23:29

updater   ~0002163

small bugfix to get smtp routines rfc aware
no function blocked
tested by 2 users at application level
further testing needs low level testing.
this is impossible with testserver environment
so therefore ready to deploy

NEOatNHNG

2011-07-21 13:35

administrator   ~0002173

Patch request sent to critical admins

wytze

2011-07-22 14:17

developer   ~0002179

Patch applied to production system on July 22, 2011.
See https://lists.cacert.org/wws/arc/cacert-systemlog/2011-07/msg00008.html

Issue History

Date Modified Username Field Change
2011-06-04 22:11 dakon New Issue
2011-06-05 12:44 Uli60 File Added: mysql.php.sample
2011-06-05 12:51 Uli60 Note Added: 0002011
2011-06-05 13:08 Uli60 Note Edited: 0002011
2011-06-05 13:09 Uli60 Note Edited: 0002011
2011-06-06 02:47 Uli60 Note Added: 0002012
2011-06-06 02:47 Uli60 Note Edited: 0002012
2011-06-06 02:48 Uli60 File Added: general.php
2011-06-07 22:16 Ted Note Added: 0002013
2011-06-08 01:56 Uli60 Status new => needs work
2011-06-08 01:56 Uli60 Assigned To => Uli60
2011-06-08 01:58 Uli60 Note Added: 0002021
2011-06-08 01:58 Uli60 Status needs work => confirmed
2011-06-14 22:08 NEOatNHNG Assigned To Uli60 => Ted
2011-06-14 22:08 NEOatNHNG Status confirmed => needs review & testing
2011-06-14 22:08 NEOatNHNG Assigned To Ted => Uli60
2011-06-14 22:08 NEOatNHNG Status needs review & testing => needs work
2011-06-14 22:09 NEOatNHNG Status needs work => needs review & testing
2011-06-28 23:59 Uli60 Note Added: 0002069
2011-06-29 00:05 Uli60 Note Added: 0002070
2011-06-29 00:07 NEOatNHNG Source_changeset_attached => cacert-devel master 4d94bd33
2011-06-29 00:07 Source_changeset_attached => cacert-devel master 5bdc30d8
2011-06-29 00:12 Uli60 Note Edited: 0002070 View Revisions
2011-06-29 00:20 Uli60 Note Edited: 0002070 View Revisions
2011-06-29 00:24 Uli60 Note Edited: 0002070 View Revisions
2011-06-29 11:59 NEOatNHNG Note Added: 0002071
2011-06-29 11:59 NEOatNHNG Status needs review & testing => needs testing
2011-06-30 08:46 INOPIAE Note Added: 0002074
2011-07-05 21:26 Uli60 Note Added: 0002090
2011-07-05 22:05 Source_changeset_attached => cacert-devel master 50939092
2011-07-05 22:05 Source_changeset_attached => cacert-devel master 3d6c4ebb
2011-07-07 00:06 NEOatNHNG Note Added: 0002100
2011-07-07 00:09 NEOatNHNG Note Added: 0002101
2011-07-07 00:10 NEOatNHNG Reviewed by => dastrath, NEOatNHNG
2011-07-07 01:00 Uli60 Note Added: 0002102
2011-07-13 01:03 Uli60 Note Added: 0002123
2011-07-19 21:58 INOPIAE Note Added: 0002154
2011-07-19 23:29 Uli60 Note Added: 0002163
2011-07-19 23:29 Uli60 Status needs testing => ready to deploy
2011-07-21 13:35 NEOatNHNG Note Added: 0002173
2011-07-21 13:40 NEOatNHNG Source_changeset_attached => cacert-devel release 18e17465
2011-07-22 14:17 wytze Note Added: 0002179
2011-07-22 14:17 wytze Status ready to deploy => closed
2011-07-22 14:17 wytze Resolution open => fixed
2012-08-28 10:02 Uli60 Relationship added related to 0001054
2012-08-28 12:11 NEOatNHNG Relationship deleted related to 0001054
2013-01-15 17:22 Werner Dworak Fixed in Version => 2011 Q3