diff --git a/postfix/HISTORY b/postfix/HISTORY index e3008675f..6f05f09c7 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -8566,11 +8566,11 @@ Apologies for any names omitted. no MX record is found, the A record is used instead. File: smtpd/smtpd_check.c. - Experimental feature: ``check_{sender,recipient}_ns_access - maptype:mapname'' applies the named Postfix access table - to the DNS server hostname and IP addresses for the sender - or recipient address. If no NS record is found, the parent - domain is used instead. File: smtpd/smtpd_check.c. + Feature: ``check_{sender,recipient}_ns_access maptype:mapname'' + applies the named Postfix access table to the DNS server + hostname and IP addresses for the sender or recipient + address. If no NS record is found, the parent domain is + used instead. File: smtpd/smtpd_check.c. 20030917 @@ -8590,6 +8590,12 @@ Apologies for any names omitted. request with "451 server configuration error" and will log a warning explaining why. File: smtpd/smtpd_check.c. +20030918 + + Bugfix: check_mumble_ns_access did not correctly look up + NS records of parent domains, causing mail to be deferred + with a 450 status code. File: smtpd/smtpd_check.c. + Open problems: High: when virtual aliasing is turned off after content diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index 65de58f6b..84211b0c8 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES 
@@ -30,20 +30,34 @@ restriction that applies the specified access table to the NS or MX hosts of the host/domain given in HELO, EHLO, MAIL FROM or RCPT TO commands. -This can be used to block mail from so-called spammer havens, or -from sender addresses that resolve to Verisign's wild-card mail -responder, currently at IP address 64.94.110.11. +This can be used to block mail from so-called spammer havens, from +sender addresses that resolve to Verisign's wild-card mail responder, +or from domains that claim to have mail servers in reserved networks +such as 127.0.0.1. /etc/postfix/main.cf: - smtpd_mumble_restrictions = - ... - reject_unknown_sender_domain - check_sender_mx_access hash:/etc/postfix/mx_access - ... + smtpd_mumble_restrictions = + ... + reject_unknown_sender_domain + check_sender_mx_access hash:/etc/postfix/mx_access + check_sender_mx_access cidr:/etc/postfix/mx_access.cidr + ... /etc/postfix/mx_access: - spammer.haven.tld reject spammer mx host - 64.94.110.11 reject verisign wild-card domain + spammer.haven.tld reject spammer mx host + 64.94.110.11 reject mail server in verisign wild-card domain + + /etc/postfix/mx_access.cidr: + 0.0.0.0/8 reject mail server in broadcast network + 10.0.0.0/8 reject mail server in RFC 1918 private network + 127.0.0.0/8 reject mail server in loopback network + 169.254.0.0/16 reject mail server in link local network + 172.16.0.0/12 reject mail server in RFC 1918 private network + 192.0.2.0/24 reject mail server in TEST-NET network + 192.168.0/16 reject mail server in RFC 1918 private network + 224.0.0.0/4 reject mail server in class D multicast network + 240.0.0.0/5 reject mail server in class E reserved network + 248.0.0.0/5 reject mail server in reserved network Note: OK actions are not allowed for security reasons. Instead of OK, use DUNNO in order to exclude specific hosts from blacklists. diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h index 0b394b79b..cbcf52748 100644 
--- a/postfix/src/global/mail_version.h +++ b/postfix/src/global/mail_version.h @@ -20,7 +20,7 @@ * Patches change the patchlevel and the release date. Snapshots change the * release date only, unless they include the same bugfix as a patch release. */ -#define MAIL_RELEASE_DATE "20030917" +#define MAIL_RELEASE_DATE "20030918" #define VAR_MAIL_VERSION "mail_version" #define DEF_MAIL_VERSION "2.0.16-" MAIL_RELEASE_DATE diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c index 2f0f0cc20..93f54006f 100644 --- a/postfix/src/smtpd/smtpd_check.c +++ b/postfix/src/smtpd/smtpd_check.c 
@@ -2218,26 +2218,28 @@ static int check_server_access(SMTPD_STATE *state, const char *table,
 * If the domain name exists but MX lookup fails, fabricate an MX record
 * that points to the domain name itself.
 *
- * If the domain name exists but NS lookup fails, look up the parent domain
- * NS record.
+ * If the domain name exists but NS lookup fails, look up parent domain
+ * NS records.
 */
 dns_status = dns_lookup(domain, type, 0, &server_list,
 (VSTRING *) 0, (VSTRING *) 0);
- if (dns_status == DNS_NOTFOUND && h_errno != HOST_NOT_FOUND) {
+ if (dns_status == DNS_NOTFOUND) {
+ if (h_errno != NO_DATA)
+ return (SMTPD_CHECK_DUNNO);
 if (type == T_MX) {
 server_list = dns_rr_create(domain, &fixed, 0, domain,
 strlen(domain) + 1);
 dns_status = DNS_OK;
- } else if (type == T_NS && (domain = strchr(domain, '.')) != 0
- && strchr(++domain, '.') != 0) {
- dns_status = dns_lookup(domain, T_NS, 0, &server_list,
- (VSTRING *) 0, (VSTRING *) 0);
- if (dns_status != DNS_OK)
- dns_status = DNS_RETRY;
+ } else if (type == T_NS) {
+ while ((domain = strchr(domain, '.')) != 0 && domain[1]) {
+ domain += 1;
+ dns_status = dns_lookup(domain, type, 0, &server_list,
+ (VSTRING *) 0, (VSTRING *) 0);
+ if (dns_status != DNS_NOTFOUND || h_errno != NO_DATA)
+ break;
+ }
 }
 }
- if (dns_status == DNS_NOTFOUND)
- return (SMTPD_CHECK_DUNNO);
 if (dns_status != DNS_OK) {
 DEFER_IF_PERMIT3(state, MAIL_ERROR_POLICY,
 "450 <%s>: %s rejected: unable to look up %s host",
diff --git a/postfix/src/smtpd/smtpd_check_access b/postfix/src/smtpd/smtpd_check_access
index 1ee24aa48..4e230914c 100644
--- a/postfix/src/smtpd/smtpd_check_access
+++ b/postfix/src/smtpd/smtpd_check_access
@@ -58,3 +58,5 @@ discardtext@hold.domain discard text
 dunnotext@dunno.domain dunno text
 64.94.110.11 reject Verisign wild-card
 topica.com reject
+10.10.10.10 reject mail server 10.10.10.10
+spike.porcupine.org reject name server spike.porcupine.org
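Review bot: The new parent-domain walk in the T_NS branch has no upper bound and stops only when it runs out of dots, so a sender or recipient domain with many labels whose zone answers NO_DATA for NS at every level costs one dns_lookup() per label for every evaluation of this restriction, an amplification the remote client controls, where the removed code did a single parent lookup. The walk now also reaches the last label, so the access table gets applied to the nameservers of a TLD such as `org` when nothing below it has NS records, which the removed `&& strchr(++domain, '.') != 0` guard avoided; if that is not intended, adding `&& strchr(domain + 1, '.') != 0` to the while condition restores the old stopping point, and a small iteration cap would bound the DNS cost either way. When the loop exhausts all labels with every level answering NO_DATA, dns_status is still DNS_NOTFOUND and falls through to the `450 ... unable to look up` defer now that the `if (dns_status == DNS_NOTFOUND) return (SMTPD_CHECK_DUNNO);` lines are gone; if the 450 is deliberate for that case it deserves a comment, otherwise return DUNNO after the loop. check_server_access() begins and ends outside this hunk.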
diff --git a/postfix/src/smtpd/smtpd_exp.in b/postfix/src/smtpd/smtpd_exp.in
index 71b188ef3..10f514bd8 100644
--- a/postfix/src/smtpd/smtpd_exp.in
+++ b/postfix/src/smtpd/smtpd_exp.in
@@ -73,6 +73,7 @@ mail foo@verisign.com
 recipient_restrictions check_recipient_mx_access,hash:smtpd_check_access
 rcpt foo@verisign-wildcard.com
 rcpt foo@verisign.com
+rcpt foo@1.2.3.porcupine.org
 #
 # Check NS access
 #
@@ -89,3 +90,4 @@ recipient_restrictions check_recipient_ns_access,hash:smtpd_check_access
 rcpt foo@email-publisher.com
 rcpt foo@ns1.topica.com
 rcpt foo@verisign-wildcard.com
+rcpt foo@1.2.3.porcupine.org
diff --git a/postfix/src/smtpd/smtpd_exp.ref b/postfix/src/smtpd/smtpd_exp.ref
index 2495de5f0..22c257b1a 100644
--- a/postfix/src/smtpd/smtpd_exp.ref
+++ b/postfix/src/smtpd/smtpd_exp.ref
@@ -135,6 +135,9 @@ OK
 554 : Recipient address rejected: Verisign wild-card
 >>> rcpt foo@verisign.com
 OK
+>>> rcpt foo@1.2.3.porcupine.org
+./smtpd_check: : reject: RCPT from spike.porcupine.org[168.100.189.2]: 554 : Recipient address rejected: mail server 10.10.10.10; from= to= proto=SMTP helo=
+554 : Recipient address rejected: mail server 10.10.10.10
 >>> #
 >>> # Check NS access
 >>> #
@@ -170,3 +173,6 @@ OK
 554 : Recipient address rejected: Access denied
 >>> rcpt foo@verisign-wildcard.com
 OK
+>>> rcpt foo@1.2.3.porcupine.org
+./smtpd_check: : reject: RCPT from spike.porcupine.org[168.100.189.2]: 554 : Recipient address rejected: name server spike.porcupine.org; from= to= proto=SMTP helo=
+554 : Recipient address rejected: name server spike.porcupine.org