postfix-2.0.16-20030918

postfix/HISTORY

@@ -8566,11 +8566,11 @@ Apologies for any names omitted.
 	no MX record is found, the A record is used instead. File:
 	smtpd/smtpd_check.c.
 
-	Experimental feature: ``check_{sender,recipient}_ns_access
+	Feature: ``check_{sender,recipient}_ns_access maptype:mapname''
-	maptype:mapname'' applies the named Postfix access table
+	applies the named Postfix access table to the DNS server
-	to the DNS server hostname and IP addresses for the sender
+	hostname and IP addresses for the sender or recipient
-	or recipient address. If no NS record is found, the parent
+	address. If no NS record is found, the parent domain is
-	domain is used instead. File: smtpd/smtpd_check.c.
+	used instead. File: smtpd/smtpd_check.c.
 
 20030917
 
@@ -8590,6 +8590,12 @@ Apologies for any names omitted.
 	request with "451 server configuration error" and will log
 	a warning explaining why. File: smtpd/smtpd_check.c.
 
+20030918
+
+	Bugfix: check_mumble_ns_access did not correctly look up
+	NS records of parent domains, causing mail to be deferred
+	with a 450 status code. File: smtpd/smtpd_check.c.
+
 Open problems:
 
 	High: when virtual aliasing is turned off after content

postfix/RELEASE_NOTES

@@ -30,20 +30,34 @@ restriction that applies the specified access table to the NS or
 MX hosts of the host/domain given in HELO, EHLO, MAIL FROM or RCPT
 TO commands.  
 
-This can be used to block mail from so-called spammer havens, or
+This can be used to block mail from so-called spammer havens, from
-from sender addresses that resolve to Verisign's wild-card mail
+sender addresses that resolve to Verisign's wild-card mail responder,
-responder, currently at IP address 64.94.110.11.
+or from domains that claim to have mail servers in reserved networks
+such as 127.0.0.1.
 
     /etc/postfix/main.cf:
-	smtpd_mumble_restrictions = 
+        smtpd_mumble_restrictions = 
-	    ...
+            ...
-	    reject_unknown_sender_domain 
+            reject_unknown_sender_domain 
-	    check_sender_mx_access hash:/etc/postfix/mx_access
+            check_sender_mx_access hash:/etc/postfix/mx_access
-	    ...
+            check_sender_mx_access cidr:/etc/postfix/mx_access.cidr
+            ...
 
     /etc/postfix/mx_access:
-	spammer.haven.tld reject spammer mx host
+        spammer.haven.tld reject spammer mx host
-	64.94.110.11 reject verisign wild-card domain
+        64.94.110.11      reject mail server in verisign wild-card domain
+
+    /etc/postfix/mx_access.cidr:
+        0.0.0.0/8         reject mail server in broadcast network
+        10.0.0.0/8        reject mail server in RFC 1918 private network
+        127.0.0.0/8       reject mail server in loopback network
+        169.254.0.0/16    reject mail server in link local network
+        172.16.0.0/12     reject mail server in RFC 1918 private network
+        192.0.2.0/24      reject mail server in TEST-NET network
+        192.168.0/16      reject mail server in RFC 1918 private network
+        224.0.0.0/4       reject mail server in class D multicast network
+        240.0.0.0/5       reject mail server in class E reserved network
+        248.0.0.0/5       reject mail server in reserved network
 
 Note: OK actions are not allowed for security reasons. Instead of
 OK, use DUNNO in order to exclude specific hosts from blacklists.

postfix/src/global/mail_version.h

@@ -20,7 +20,7 @@
   * Patches change the patchlevel and the release date. Snapshots change the
   * release date only, unless they include the same bugfix as a patch release.
   */
-#define MAIL_RELEASE_DATE	"20030917"
+#define MAIL_RELEASE_DATE	"20030918"
 
 #define VAR_MAIL_VERSION	"mail_version"
 #define DEF_MAIL_VERSION	"2.0.16-" MAIL_RELEASE_DATE

postfix/src/smtpd/smtpd_check.c

@@ -2218,26 +2218,28 @@ static int check_server_access(SMTPD_STATE *state, const char *table,
      * If the domain name exists but MX lookup fails, fabricate an MX record
      * that points to the domain name itself.
      * 
-     * If the domain name exists but NS lookup fails, look up the parent domain
+     * If the domain name exists but NS lookup fails, look up parent domain
-     * NS record.
+     * NS records.
      */
     dns_status = dns_lookup(domain, type, 0, &server_list,
 			    (VSTRING *) 0, (VSTRING *) 0);
-    if (dns_status == DNS_NOTFOUND && h_errno != HOST_NOT_FOUND) {
+    if (dns_status == DNS_NOTFOUND) {
+	if (h_errno != NO_DATA)
+	    return (SMTPD_CHECK_DUNNO);
 	if (type == T_MX) {
 	    server_list = dns_rr_create(domain, &fixed, 0,
 					domain, strlen(domain) + 1);
 	    dns_status = DNS_OK;
-	} else if (type == T_NS && (domain = strchr(domain, '.')) != 0
+	} else if (type == T_NS) {
-		   && strchr(++domain, '.') != 0) {
+	    while ((domain = strchr(domain, '.')) != 0 && domain[1]) {
-	    dns_status = dns_lookup(domain, T_NS, 0, &server_list,
+		domain += 1;
-				    (VSTRING *) 0, (VSTRING *) 0);
+		dns_status = dns_lookup(domain, type, 0, &server_list,
-	    if (dns_status != DNS_OK)
+					(VSTRING *) 0, (VSTRING *) 0);
-		dns_status = DNS_RETRY;
+		if (dns_status != DNS_NOTFOUND || h_errno != NO_DATA)
+		    break;
+	    }
 	}
     }
-    if (dns_status == DNS_NOTFOUND)
-	return (SMTPD_CHECK_DUNNO);
     if (dns_status != DNS_OK) {
 	DEFER_IF_PERMIT3(state, MAIL_ERROR_POLICY,
 			 "450 <%s>: %s rejected: unable to look up %s host",

postfix/src/smtpd/smtpd_check_access

@@ -58,3 +58,5 @@ discardtext@hold.domain	discard text
 dunnotext@dunno.domain	dunno text
 64.94.110.11		reject Verisign wild-card
 topica.com		reject
+10.10.10.10		reject mail server 10.10.10.10
+spike.porcupine.org	reject name server spike.porcupine.org

postfix/src/smtpd/smtpd_exp.in

@@ -73,6 +73,7 @@ mail foo@verisign.com
 recipient_restrictions check_recipient_mx_access,hash:smtpd_check_access
 rcpt foo@verisign-wildcard.com
 rcpt foo@verisign.com
+rcpt foo@1.2.3.porcupine.org
 #
 # Check NS access
 #
@@ -89,3 +90,4 @@ recipient_restrictions check_recipient_ns_access,hash:smtpd_check_access
 rcpt foo@email-publisher.com
 rcpt foo@ns1.topica.com
 rcpt foo@verisign-wildcard.com
+rcpt foo@1.2.3.porcupine.org

postfix/src/smtpd/smtpd_exp.ref

@@ -135,6 +135,9 @@ OK
 554 <foo@verisign-wildcard.com>: Recipient address rejected: Verisign wild-card
 >>> rcpt foo@verisign.com
 OK
+>>> rcpt foo@1.2.3.porcupine.org
+./smtpd_check: <queue id>: reject: RCPT from spike.porcupine.org[168.100.189.2]: 554 <foo@1.2.3.porcupine.org>: Recipient address rejected: mail server 10.10.10.10; from=<foo@verisign.com> to=<foo@1.2.3.porcupine.org> proto=SMTP helo=<example.tld>
+554 <foo@1.2.3.porcupine.org>: Recipient address rejected: mail server 10.10.10.10
 >>> #
 >>> # Check NS access
 >>> #
@@ -170,3 +173,6 @@ OK
 554 <foo@ns1.topica.com>: Recipient address rejected: Access denied
 >>> rcpt foo@verisign-wildcard.com
 OK
+>>> rcpt foo@1.2.3.porcupine.org
+./smtpd_check: <queue id>: reject: RCPT from spike.porcupine.org[168.100.189.2]: 554 <foo@1.2.3.porcupine.org>: Recipient address rejected: name server spike.porcupine.org; from=<foo@verisign-wildcard.com> to=<foo@1.2.3.porcupine.org> proto=SMTP helo=<example.tld>
+554 <foo@1.2.3.porcupine.org>: Recipient address rejected: name server spike.porcupine.org