postfix-2.0.16-20030918

2025-08-31 14:17:41 +00:00 · 2003-09-18 00:00:00 -05:00
parent 116a98032d
commit 4089fa66d6
7 changed files with 59 additions and 27 deletions
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -8566,11 +8566,11 @@ Apologies for any names omitted.
 	no MX record is found, the A record is used instead. File:
 	smtpd/smtpd_check.c.

-	Experimental feature: ``check_{sender,recipient}_ns_access
-	maptype:mapname'' applies the named Postfix access table
-	to the DNS server hostname and IP addresses for the sender
-	or recipient address. If no NS record is found, the parent
-	domain is used instead. File: smtpd/smtpd_check.c.
+	Feature: ``check_{sender,recipient}_ns_access maptype:mapname''
+	applies the named Postfix access table to the DNS server
+	hostname and IP addresses for the sender or recipient
+	address. If no NS record is found, the parent domain is
+	used instead. File: smtpd/smtpd_check.c.

 20030917

@@ -8590,6 +8590,12 @@ Apologies for any names omitted.
 	request with "451 server configuration error" and will log
 	a warning explaining why. File: smtpd/smtpd_check.c.

+20030918
+
+	Bugfix: check_mumble_ns_access did not correctly look up
+	NS records of parent domains, causing mail to be deferred
+	with a 450 status code. File: smtpd/smtpd_check.c.
+
 Open problems:

 	High: when virtual aliasing is turned off after content
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@@ -30,20 +30,34 @@ restriction that applies the specified access table to the NS or
 MX hosts of the host/domain given in HELO, EHLO, MAIL FROM or RCPT
 TO commands.  

-This can be used to block mail from so-called spammer havens, or
-from sender addresses that resolve to Verisign's wild-card mail
-responder, currently at IP address 64.94.110.11.
+This can be used to block mail from so-called spammer havens, from
+sender addresses that resolve to Verisign's wild-card mail responder,
+or from domains that claim to have mail servers in reserved networks
+such as 127.0.0.1.

    /etc/postfix/main.cf:
        smtpd_mumble_restrictions = 
            ...
            reject_unknown_sender_domain 
            check_sender_mx_access hash:/etc/postfix/mx_access
+            check_sender_mx_access cidr:/etc/postfix/mx_access.cidr
            ...

    /etc/postfix/mx_access:
        spammer.haven.tld reject spammer mx host
-	64.94.110.11 reject verisign wild-card domain
+        64.94.110.11      reject mail server in verisign wild-card domain
+
+    /etc/postfix/mx_access.cidr:
+        0.0.0.0/8         reject mail server in broadcast network
+        10.0.0.0/8        reject mail server in RFC 1918 private network
+        127.0.0.0/8       reject mail server in loopback network
+        169.254.0.0/16    reject mail server in link local network
+        172.16.0.0/12     reject mail server in RFC 1918 private network
+        192.0.2.0/24      reject mail server in TEST-NET network
+        192.168.0/16      reject mail server in RFC 1918 private network
+        224.0.0.0/4       reject mail server in class D multicast network
+        240.0.0.0/5       reject mail server in class E reserved network
+        248.0.0.0/5       reject mail server in reserved network

 Note: OK actions are not allowed for security reasons. Instead of
 OK, use DUNNO in order to exclude specific hosts from blacklists.
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
  * Patches change the patchlevel and the release date. Snapshots change the
  * release date only, unless they include the same bugfix as a patch release.
  */
-#define MAIL_RELEASE_DATE	"20030917"
+#define MAIL_RELEASE_DATE	"20030918"

 #define VAR_MAIL_VERSION	"mail_version"
 #define DEF_MAIL_VERSION	"2.0.16-" MAIL_RELEASE_DATE
--- a/postfix/src/smtpd/smtpd_check.c
+++ b/postfix/src/smtpd/smtpd_check.c
@@ -2218,26 +2218,28 @@ static int check_server_access(SMTPD_STATE *state, const char *table,
     * If the domain name exists but MX lookup fails, fabricate an MX record
     * that points to the domain name itself.
     * 
-     * If the domain name exists but NS lookup fails, look up the parent domain
-     * NS record.
+     * If the domain name exists but NS lookup fails, look up parent domain
+     * NS records.
     */
    dns_status = dns_lookup(domain, type, 0, &server_list,
 			    (VSTRING *) 0, (VSTRING *) 0);
-    if (dns_status == DNS_NOTFOUND && h_errno != HOST_NOT_FOUND) {
+    if (dns_status == DNS_NOTFOUND) {
+	if (h_errno != NO_DATA)
+	    return (SMTPD_CHECK_DUNNO);
 	if (type == T_MX) {
 	    server_list = dns_rr_create(domain, &fixed, 0,
 					domain, strlen(domain) + 1);
 	    dns_status = DNS_OK;
-	} else if (type == T_NS && (domain = strchr(domain, '.')) != 0
-		   && strchr(++domain, '.') != 0) {
-	    dns_status = dns_lookup(domain, T_NS, 0, &server_list,
+	} else if (type == T_NS) {
+	    while ((domain = strchr(domain, '.')) != 0 && domain[1]) {
+		domain += 1;
+		dns_status = dns_lookup(domain, type, 0, &server_list,
 					(VSTRING *) 0, (VSTRING *) 0);
-	    if (dns_status != DNS_OK)
-		dns_status = DNS_RETRY;
+		if (dns_status != DNS_NOTFOUND || h_errno != NO_DATA)
+		    break;
+	    }
 	}
    }
-    if (dns_status == DNS_NOTFOUND)
-	return (SMTPD_CHECK_DUNNO);
    if (dns_status != DNS_OK) {
 	DEFER_IF_PERMIT3(state, MAIL_ERROR_POLICY,
 			 "450 <%s>: %s rejected: unable to look up %s host",
--- a/postfix/src/smtpd/smtpd_check_access
+++ b/postfix/src/smtpd/smtpd_check_access
@@ -58,3 +58,5 @@ discardtext@hold.domain	discard text
 dunnotext@dunno.domain	dunno text
 64.94.110.11		reject Verisign wild-card
 topica.com		reject
+10.10.10.10		reject mail server 10.10.10.10
+spike.porcupine.org	reject name server spike.porcupine.org
--- a/postfix/src/smtpd/smtpd_exp.in
+++ b/postfix/src/smtpd/smtpd_exp.in
@@ -73,6 +73,7 @@ mail foo@verisign.com
 recipient_restrictions check_recipient_mx_access,hash:smtpd_check_access
 rcpt foo@verisign-wildcard.com
 rcpt foo@verisign.com
+rcpt foo@1.2.3.porcupine.org
 #
 # Check NS access
 #
@@ -89,3 +90,4 @@ recipient_restrictions check_recipient_ns_access,hash:smtpd_check_access
 rcpt foo@email-publisher.com
 rcpt foo@ns1.topica.com
 rcpt foo@verisign-wildcard.com
+rcpt foo@1.2.3.porcupine.org
--- a/postfix/src/smtpd/smtpd_exp.ref
+++ b/postfix/src/smtpd/smtpd_exp.ref
@@ -135,6 +135,9 @@ OK
 554 <foo@verisign-wildcard.com>: Recipient address rejected: Verisign wild-card
 >>> rcpt foo@verisign.com
 OK
+>>> rcpt foo@1.2.3.porcupine.org
+./smtpd_check: <queue id>: reject: RCPT from spike.porcupine.org[168.100.189.2]: 554 <foo@1.2.3.porcupine.org>: Recipient address rejected: mail server 10.10.10.10; from=<foo@verisign.com> to=<foo@1.2.3.porcupine.org> proto=SMTP helo=<example.tld>
+554 <foo@1.2.3.porcupine.org>: Recipient address rejected: mail server 10.10.10.10
 >>> #
 >>> # Check NS access
 >>> #
@@ -170,3 +173,6 @@ OK
 554 <foo@ns1.topica.com>: Recipient address rejected: Access denied
 >>> rcpt foo@verisign-wildcard.com
 OK
+>>> rcpt foo@1.2.3.porcupine.org
+./smtpd_check: <queue id>: reject: RCPT from spike.porcupine.org[168.100.189.2]: 554 <foo@1.2.3.porcupine.org>: Recipient address rejected: name server spike.porcupine.org; from=<foo@verisign-wildcard.com> to=<foo@1.2.3.porcupine.org> proto=SMTP helo=<example.tld>
+554 <foo@1.2.3.porcupine.org>: Recipient address rejected: name server spike.porcupine.org