[Dovecot] Segfault in managesieve with "sieve_extensions = -redirect"

Wed Mar 2 19:21:11 EET 2011

Op 2-3-2011 15:15, Sven Hartge schreef:
> Hi!
>
> I've got a segfault in managesieve while using:
> sieve_extensions = -vacation -reject -spamtest -virustest -enotify -redirect
>
> The problem seems to lie in "-redirect".

The redirect command is part of the Sieve core specification and it is 
thus no extension. It's availability can therefore not be disabled using 
the sieve_extensions setting.

When I wouldn't have made a bug here, you would have been warned with 
the following message:

"ignored unknown extension 'redirect' while configuring available 
extensions"

Instead, you got a segfault, which is now fixed:

http://hg.rename-it.nl/dovecot-2.0-pigeonhole/rev/bb26cdb18bdf

> Reason for excluding "redirect" from sieve is my users should not use
> sieve to forward or redirect mails but use an external method
> (web-script to set LDAP attribute) which checks several things like
> active spam-checker, existing target mailbox, etc.
>
> The version ov dovecot ist 1:2.0.9-1~3.gbp785ad1~dvz60+1 on Debian
> Squeeze which is from the Debian maintainers git repository recompiled
> on Squeeze (I know, pretty wild.)

Hmm, considering what Sieve RFC 5228 says:

"Implementations MAY ignore a redirect action silently due to policy 
reasons. For example, an implementation MAY choose not to redirect to an 
address that is known to be undeliverable. Any ignored redirect MUST NOT 
cancel the implicit keep." (page 24)

"(2) MUST provide the means for administrators to limit the ability of 
users to abuse redirect. In particular, it MUST be possible to limit the 
number of redirects a script can perform.  Additionally, if no use cases 
exist for using redirect to multiple destinations, this limit SHOULD be 
set to 1. Additional limits, such as the ability to restrict redirect to 
local users, MAY also be implemented." (page 38)

"Allowing redirects at all may not be appropriate in situations where 
email accounts are freely available and/or not trackable to a human who 
can be held accountable for creating message bombs or other abuse." 
(page 39)

Unfortunately, we currently don't have a means to actually disable 
redirect. The number of redirects can be limited using the existing 
sieve_max_redirects option, but a value of 0 stands for 'unlimited', 
meaning that 1 is the minimum.  In hindsight, this was a really bad 
choice :)

So we have two options:
     - Change the meaning of 0 for sieve_max_redirects. It's quite 
likely no one has set this to 0.
     - Add a separate setting to disable redirect, e.g. 
sieve_redirect_disable.

Not sure what to choose yet.

Regards,

Stephan.