On 4/8/2019 4:55 PM, @lbutlr via dovecot wrote:
> On 8 Apr 2019, at 16:35, Shawn Heisey via dovecot <dovecot at dovecot.org> wrote:
>> I would like to create a sieve rule where I do a regex match on ALL
>> headers, not a specific header.
>
> This is a really bad idea. Headers can be quite long, contain data that you
> do not have control over, and checking all headers will be very expensive and
> may leave you open to various regex attacks.

I want to catch any email where a specific IP address appears in any
header. I do not know what header it might appear in - that could vary
widely depending on what email account is being used to send the message.

This will appear in exactly one sieve script (the one for my mailbox),
and I will be in complete control of the regex used, so the regular
expression denial of service is extremely unlikely.

I'm already potentially vulnerable to that because I have a handful of
external users on my mail server and they can create whatever sieve
scripts they want via the managesieve service. Thankfully all of those
people are pretty trustworthy folks.

Thanks,
Shawn
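
The check discussed in this thread, as an added Python example (not code from either poster and not a Sieve script): it looks for one fixed IPv4 address in every header using a pattern with no quantifiers, so there is nothing to backtrack over, and it caps how much of each header value is scanned. The names `ip_pattern`, `headers_with_ip` and `MAX_VALUE_LEN`, and the sample message, are assumptions made for this illustration.

```python
import ipaddress
import re
from email import message_from_string

MAX_VALUE_LEN = 8192  # assumed cap on how much of one header value is scanned

# Constructed sample message (documentation addresses only).
SAMPLE = (
    "Received: from mail.example.net (mail.example.net [198.51.100.7])\n"
    "\tby mx.example.org with ESMTP; Mon, 8 Apr 2019 16:00:00 -0600\n"
    "Received: from laptop (unknown [192.0.2.10])\n"
    "\tby mail.example.net with ESMTP; Mon, 8 Apr 2019 15:59:58 -0600\n"
    "X-Originating-IP: [192.0.2.1]\n"
    "From: sender@example.net\n"
    "Subject: test\n"
    "\n"
    "Body text that mentions 192.0.2.1 is not a header and is ignored.\n"
)


def ip_pattern(ip):
    """Compile a literal, quantifier-free pattern for one IPv4 address.

    Raises ValueError if `ip` is not a valid IPv4 address. The lookarounds
    stop 192.0.2.1 from matching inside 192.0.2.10 or 1192.0.2.1.
    """
    literal = re.escape(str(ipaddress.IPv4Address(ip)))
    return re.compile(r"(?<![0-9])(?<![0-9]\.)" + literal + r"(?![0-9])(?!\.[0-9])")


def headers_with_ip(raw_message, ip):
    """Return the names of all headers whose value contains `ip`."""
    pattern = ip_pattern(ip)
    msg = message_from_string(raw_message)
    hits = []
    # items() yields every header, including repeated ones such as Received.
    for name, value in msg.items():
        if pattern.search(str(value)[:MAX_VALUE_LEN]):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for addr in ("192.0.2.1", "192.0.2.10", "203.0.113.5"):
        print(addr, headers_with_ip(SAMPLE, addr))
```
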