There was an interesting topic about bare newlines on MIMEDefang
mailing list recently. In short, RFCs 2821 and 2822 state that bare LF
or CR must not appear on the wire by thenself (only allowed as CRLF
pair). Sendmail's philosophy was alway 'be liberal in what you accept,
be strict in what you send' (which I kind of like). However, in this
case Sendmail is also very liberal in what it sends too, happily
sending out bare CR (bare LF gets converted to CRLF before it hits the
wire as side-effect of running on Unix system). Violating 'must not'
requirement from relevant RFCs in the process.

Now, one of the problems discussed in mentioned topic was that there
was (apperently) some malware (virus, worm, whatever) that exploited
mishandling of bare LF/CR in some client software. Repairing them (for
example, transforming LF to CRLF by Sendmail saving message in local
queue, and than retransmitting on the wire) prevented some virus
scanners from detecting the malware.

As one person indicated, changing Sendmail to reject bare LF/CR
probably wouldn't be good idea. There is so many programs that relay
on Sendmail accepting bare LF and transforming it to CRLF. Not really
and feature of Sendmail, but rather side effect of being Unix
application that was historically not doing many checks in what it
accepts. Rejecting messages with bare CR would probably be less
troublesome (many sites are rejecting them anyhow, default MIMEDefang
config rejects them, Cyrus IMAPD will reject to accept them during
LMTP). Or probably if bare LF is detected and rejected in mail that
otherwise uses CRLF.

Just wondering what others think of this issue, and if Sendmail should
pay attention to any of these.

Aleksandar Milivojevic wrote:

> As one person indicated, changing Sendmail to reject bare LF/CR
> probably wouldn't be good idea. There is so many programs that relay
> on Sendmail accepting bare LF and transforming it to CRLF. Not really

Only if used as MSP, right? If the mail is coming in via SMTP it is
hopefully "correct".

> and feature of Sendmail, but rather side effect of being Unix
> application that was historically not doing many checks in what it
> accepts. Rejecting messages with bare CR would probably be less
> troublesome (many sites are rejecting them anyhow, default MIMEDefang
> config rejects them, Cyrus IMAPD will reject to accept them during
> LMTP). Or probably if bare LF is detected and rejected in mail that
> otherwise uses CRLF.

smX doesn't touch the message but sends it unmodified to a milter (if
requested), hence the milter could perform those checks (see also
a different thread about "new milter flag").

--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.

Claus Aßmann wrote:
> Aleksandar Milivojevic wrote:
>
> > As one person indicated, changing Sendmail to reject bare LF/CR
> > probably wouldn't be good idea. There is so many programs that relay
> > on Sendmail accepting bare LF and transforming it to CRLF. Not really
>
> Only if used as MSP, right? If the mail is coming in via SMTP it is
> hopefully "correct".

Nope. Same thing with SMTP. I was looking with tcpdump what is
actually going on the wire (per RFC, there must not be bare CR or LF on
the wire). Sendmail was happy to accept email with embeded bare CR.
It was also more than happy to send it out to the wire as-is (the dump
file contained embeded bare CR). I haven't tested bare LF, but I guess
same thing would happen. Do note that I used Red Hat packaged Sendmail
(so probably something like "last year's version"). I guess I could
also download/compile current version and repeat the test. Who knows,
maybe it was fixed sometime in the (recent) past.

> > and feature of Sendmail, but rather side effect of being Unix
> > application that was historically not doing many checks in what it
> > accepts. Rejecting messages with bare CR would probably be less
> > troublesome (many sites are rejecting them anyhow, default MIMEDefang
> > config rejects them, Cyrus IMAPD will reject to accept them during
> > LMTP). Or probably if bare LF is detected and rejected in mail that
> > otherwise uses CRLF.
>
> smX doesn't touch the message but sends it unmodified to a milter (if
> requested), hence the milter could perform those checks (see also
> a different thread about "new milter flag").

Is this a new thing with smX or is this also valid for "older" Milter
interfaces? I guess it is the former.

Aleksandar Milivojevic wrote:

> Nope. Same thing with SMTP. I was looking with tcpdump what is
> actually going on the wire (per RFC, there must not be bare CR or LF on
> the wire). Sendmail was happy to accept email with embeded bare CR.
> It was also more than happy to send it out to the wire as-is (the dump
> file contained embeded bare CR). I haven't tested bare LF, but I guess
> same thing would happen.

I *have* tested it, and this is what happens on Sendmail 8:

CR in --> CR out
LF in --> CRLF out
CRLF in --> CRLF out

Regards,

David.

David F. Skoll (dfs [at] roaringpenguin.com) wrote:
: Aleksandar Milivojevic wrote:

: > Nope. Same thing with SMTP. I was looking with tcpdump what is
: > actually going on the wire (per RFC, there must not be bare CR or LF on
: > the wire). Sendmail was happy to accept email with embeded bare CR.
: > It was also more than happy to send it out to the wire as-is (the dump
: > file contained embeded bare CR). I haven't tested bare LF, but I guess
: > same thing would happen.

: I *have* tested it, and this is what happens on Sendmail 8:

: CR in --> CR out
: LF in --> CRLF out
: CRLF in --> CRLF out

How about LFCR in? I'm guessing that you will get CRLFCR out.