On Tue, 25 Jul 2000, Lars Hecking wrote:
LH | > No, I do not think that MTAs accept more than one "Date: ..." field.
LH | Your claim is not supported by RFC 822 4.1.
I confused the numbers, sorry. Explanation below.
LH | > Nevertheless, did I get this right:
LH | > RFC 821 / STD 010 indicate that MTAs must parse header fields and even
LH | > correct them, if necessary. That would mean with MTAs following STD
LH | > 010 said exploit would be harmless?
LH | Where does RFC 821 say that? 821 is about SMTP, and mail headers are
LH | totally irrelevant to SMTP. I cannot find anything in 822 and 1123
LH | that would require the MTA to rewrite (or correct) the Date: header.
LH | My, necessarily limited, experience: if a message has no Date: header,
LH | the MTA adds it, in the format specified by 822/5 and 1123/5.2.14.; if
LH | a message has at least one Date: header, the MTA leaves it/those alone.
Your're right with everything you said.
I was talking about RFC 2476, a proposed standard by Gellens and
Klensin. MTAs conform to RFC 2476 should do the correction, others not.
Since RFC 2476 may not be widely supported (is it at all?) said
exploit is not harmless at all.
This OT-thread is now closed.
Neither I nor my employer will accept any liability for any problems
or consequential loss or damage caused by relying on this information.
pgp-key fingerprint: B6A8 ED32 EFEF 3F43 6F9B 510D 7A90 7FDC 462A 1ABC
procmail mailing list