Endian – Register EFW Community: watch your email addresses
Posted by jpluimers on 2010/10/08
Endian is a nice *nix-based open source firewall appliance which has a free Community Edition (which always is a virtual appliance) and a paid edition (either virtual or physical).
It does a lot of things, including spam filtering, http caching, proxying, VPN, DHCP, routing, et cetera.
Those things are done very well, in a reasonably small footprint.
Registering for their community edition is meant to enable the on-line update mechanism for it.
It is supposed to work like this:
- You enter your email address
- They dispatch a mail to you with a verification link
- Clicking the verification link confirms that email address, and flags it in their database as valid for Endian Community updates
- You enter the same email on your Endian appliance to get updates
But using that registration is hard, because their registration mechanism has at least two flaws:
- Sender Address Verification of their own email fails, which means you have to
  – whitelist these hosts: validate.endian.com, cerbero2.endian.it
  – whitelist this email address: check@validate.endian.com
- You cannot use the plus sign (+) in your email address, because when the Endian appliance fetches the updates, the URL is not recognized.
It then tries to fetch URLs like this: http://name%2Bendian%40example.org:comunity@updates.endian.org/stable/repodata/repomd.xml and fails.
Using the plus sign is a neat way to distinguish incoming mails, as the plus sign and everything after it is ignored by almost all mailers.
However, their initial step does not prohibit you from using an email address like this:
– email like name+endian@example.org is forbidden.
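The post does not say why the update URL is rejected. The following is an added example, not Endian's code: it builds the same URL shape as the one quoted above and checks which receiving-side decoders give back the registered address. The decoder set is hypothetical; the host, path and password string come from the quoted URL.

```python
from urllib.parse import quote, unquote, unquote_plus, urlsplit

# Host, path and password string are taken from the URL quoted in the post.
HOST = "updates.endian.org"
PATH = "/stable/repodata/repomd.xml"
PASSWORD = "comunity"

def build_update_url(email, password=PASSWORD):
    """Percent-encode both credentials so '+', '@' and ':' survive in userinfo."""
    return f"http://{quote(email, safe='')}:{quote(password, safe='')}@{HOST}{PATH}"

def raw_user(url):
    """Return the still-encoded user name from the URL's userinfo component."""
    userinfo = urlsplit(url).netloc.rpartition("@")[0]
    return userinfo.partition(":")[0]

# Hypothetical decoders a receiving side might apply (assumptions, not Endian code).
DECODERS = {
    "percent-decode once": unquote,
    "form-decode (+ means space)": unquote_plus,
    "decode twice": lambda s: unquote_plus(unquote(s)),
}

def roundtrip(email):
    """Map each decoder name to the address it recovers from the built URL."""
    encoded = raw_user(build_update_url(email))
    return {name: decode(encoded) for name, decode in DECODERS.items()}

def mismatches(email):
    """Names of decoders that do not give back the registered address."""
    return [name for name, got in roundtrip(email).items() if got != email]

if __name__ == "__main__":
    for address in ("name@example.org", "name+endian@example.org"):  # constructed samples
        print(address, "->", build_update_url(address))
        for name, got in roundtrip(address).items():
            print(f"  {name:28} {got!r} {'ok' if got == address else 'MISMATCH'}")
```

An address without a plus sign round-trips under every decoder, which is why this kind of mismatch only shows up when the registration form and the update path are tested with the same plus-addressed input.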
You’d think that a community that lives from protecting against spam and doing low-level communication stuff would not be bitten by these obvious problems.
Now let’s hope the community solves this, as Endian is a really nice product.
–jeroen





