F=1 (one)
Don’t send null bytes (V8.10 and later)
Prior to V8.10, sendmail would not screen header lines to make sure they contained no null (zero) bytes. Instead, such null bytes were passed through, and sometimes caused misinterpretation of addresses and the like.
It might seem impossible that a null byte could appear in a string, because the C-language string library routines use a null character to terminate all strings. But consider the case of a hexadecimal 0x80 character. Such a character has the high bit set, but when delivery is to a 7-bit-only site, sendmail will strip the high bit from 0x80, leaving behind a new 0x00 value in the middle of a string. A null byte!
Beginning with V8.10, sendmail offers a way to strip such null bytes from headers before sending those headers onward. The F=1 delivery agent flag, when set, tells sendmail to strip all null bytes that it finds from all headers. Note that only the headers in the header portion of the message are screened. MIME headers in the body of the message are not screened.
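The 0x80-to-null effect and the header screening described above, shown as an added example (not code from sendmail or from the book). The helper names and the sample header are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* 7-bit conversion as the text describes it: clear the high bit of each
 * byte. Returns how many bytes became NUL (only 0x80 maps to 0x00). */
static size_t strip_high_bit(unsigned char *buf, size_t len)
{
    size_t nuls = 0;
    for (size_t i = 0; i < len; i++) {
        buf[i] &= 0x7f;
        if (buf[i] == 0)
            nuls++;
    }
    return nuls;
}

/* Bytes that C string routines see: everything before the first NUL. */
static size_t c_string_view(const unsigned char *buf, size_t len)
{
    const unsigned char *p = memchr(buf, 0, len);
    return p ? (size_t)(p - buf) : len;
}

/* Screening in the spirit of F=1 (hypothetical helper, not sendmail's
 * code): drop every NUL byte in place and return the new length. */
static size_t strip_nuls(unsigned char *buf, size_t len)
{
    size_t out = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] != 0)
            buf[out++] = buf[i];
    return out;
}

int main(void)
{
    /* Constructed header containing one 0x80 byte. */
    unsigned char hdr[] = "To: Alice " "\x80" " <alice@example.com>";
    size_t len = sizeof(hdr) - 1;

    size_t made = strip_high_bit(hdr, len);
    printf("NULs created: %zu, C-string sees %zu of %zu bytes\n",
           made, c_string_view(hdr, len), len);

    len = strip_nuls(hdr, len);
    printf("after screening: %zu bytes: %.*s\n", len, (int)len, (char *)hdr);
    return 0;
}
```

Between the two steps, any code that treats the header as a C string loses the address entirely, which is the kind of misinterpretation the flag prevents.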
The F=1 delivery agent flag is not set by default for any delivery agent. To add it, just use the MODIFY_MAILER_FLAGS command (The MODIFY_MAILER_FLAGS mc macro on page 744). In the following, for example, we add it to the smtp class of delivery agents:
MODIFY_MAILER_FLAGS(`SMTP', `+1')
In general, this delivery agent flag should be set for outbound delivery agents and for local, final delivery agents. In both, there is a small vulnerability to forgeries that use ...