From 501e5bd2ceffddb5fb49faae04b11fc914285504 Mon Sep 17 00:00:00 2001
From: Wietse Venema
Date: Fri, 28 Aug 2009 00:00:00 -0500
Subject: [PATCH] postfix-2.6.5
---
 postfix/HISTORY | 29 -------------------
 postfix/RELEASE_NOTES | 22 ---------------
 postfix/src/global/mail_version.h | 4 +--
 postfix/src/smtpd/smtpd_check.c | 46 +------------------------------
 4 files changed, 3 insertions(+), 98 deletions(-)
diff --git a/postfix/HISTORY b/postfix/HISTORY
index e66ca54ac..5f9750b5f 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -15274,32 +15274,3 @@ Apologies for any names omitted.
 Bugfix: don't panic when an unexpected smtpd access map is specified. File: smtpd/smtpd_check.c.
-
-20090807
-
- Workaround: NS record lookups for certain domains always
- fail, while other queries for those domains always succeed
- (and even return replies with NS records as additional
- information).
-
- This inconsistency in DNS lookup results would allow spammers
- to circumvent the Postfix check_{client,helo,sender,etc}_ns_access
- restrictions, because those restrictions have effect only
- for NS records that can be looked up in the DNS.
-
- To address this inconsistency, check_{client,etc}_ns_access
- now require that a known-in-DNS domain name (or parent
- thereof) always resolves to at least one name server IP
- address.
-
- For consistency, check_{client,etc}_mx_access now require
- that a known-in-DNS domain name always resolves to at least
- one mail server IP address.
-
- These measures merely raise the difficulty level for spammers.
- The IP address information thus obtained is not necessarily
- "correct". There is little to stop an uncooperative DNS
- server from lying, especially when the owner of the domain
- has no desire to receive email. File: smtpd/smtpd_check.c.
-
- Problem reported by MXTools.com.
diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES
index f85b4bb24..0a926aa38 100644
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@@ -14,28 +14,6 @@ specifies the release date of a stable release or snapshot release.
 If you upgrade from Postfix 2.4 or earlier, read RELEASE_NOTES-2.5 before proceeding.
-Incompatibility with Postfix 2.6.4
-==================================
-
-With some domain names, NS record lookups always fail while other
-lookups always succeed (and may even return NS records as additional
-information). This anomaly could be used by evil elements to skip
-Postfix check_{client,helo,sender,recipient}_ns_access checks,
-because these apply only to NS records that are found in the DNS.
-
-To address this specific problem, check_{client,etc}_ns_access now
-requires that a known-in-DNS domain name (or parent thereof) always
-resolves to at least one name server IP address.
-
-For consistency, check_{client,etc}_mx_access now requires that a
-known-in-DNS domain name always resolves to at least one mail server
-IP address.
-
-These measures provide no hard assurances that the IP address
-information thus obtained is correct. There is little to stop an
-uncooperative DNS server from lying, especially when the owner of
-the domain has no desire to receive email.
-
 Major changes - multi-instance support --------------------------------------
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index f6f1e3179..a38994fed 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,8 +20,8 @@
 * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */
-#define MAIL_RELEASE_DATE "20090825"
-#define MAIL_VERSION_NUMBER "2.6.4"
+#define MAIL_RELEASE_DATE "20090828"
+#define MAIL_VERSION_NUMBER "2.6.5"
 #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c
index a2e04f4cb..9b5e522fc 100644
--- a/postfix/src/smtpd/smtpd_check.c
+++ b/postfix/src/smtpd/smtpd_check.c
@@ -2515,10 +2515,6 @@ static int check_server_access(SMTPD_STATE *state, const char *table,
 struct addrinfo *res; int status; INET_PROTO_INFO *proto_info;
- const char *saved_domain;
- int non_err, soft_err;
- int known_name_in_dns;
- int ping_status;
 /* * Sanity check.
@@ -2573,20 +2569,9 @@ static int check_server_access(SMTPD_STATE *state, const char *table,
 * * If the domain name exists but no NS record exists, look up parent domain * NS records.
- *
- * After the initial lookup fails, do one final DNS sanity check. Reject
- * mail when the name exists, but MX lookup produces no valid response or
- * NS lookup fails for any reason. Beware, this sanity check provides no
- * hard assurance. An uncooperative DNS server may lie about everything,
- * including non-existence.
 */
-#define SOME_DNS_RR_EXISTS(stat, herr) \
- ((stat) == DNS_OK || (stat) == DNS_INVAL || (herr) == NO_DATA)
-
- saved_domain = domain;
 dns_status = dns_lookup(domain, type, 0, &server_list, (VSTRING *) 0, (VSTRING *) 0);
- known_name_in_dns = SOME_DNS_RR_EXISTS(dns_status, h_errno);
 if (dns_status == DNS_NOTFOUND /* Not: h_errno == NO_DATA */ ) { if (type == T_MX) { server_list = dns_rr_create(domain, domain, type, C_IN, 0, 0,
@@ -2605,22 +2590,6 @@ static int check_server_access(SMTPD_STATE *state, const char *table,
 if (dns_status != DNS_OK) { msg_warn("Unable to look up %s host for %s: %s", dns_strtype(type), domain && domain[1] ? domain : name, dns_strerror(h_errno));
- if (known_name_in_dns == 0) {
- /* With hostile DNS, an address query is more likely to work. */
- ping_status = dns_lookup_l(saved_domain, 0, (DNS_RR **) 0,
- (VSTRING *) 0, (VSTRING *) 0,
- DNS_REQ_FLAG_STOP_OK,
- RR_ADDR_TYPES, 0);
- known_name_in_dns = SOME_DNS_RR_EXISTS(ping_status, h_errno);
- }
- if (known_name_in_dns)
- return (smtpd_check_reject(state, MAIL_ERROR_POLICY,
- dns_status == DNS_RETRY ?
- var_map_defer_code : var_map_reject_code,
- smtpd_dsn_fix("4.1.8", reply_class),
- "<%s>: %s rejected: %s",
- reply_name, reply_class,
- "Domain not found"));
 return (SMTPD_CHECK_DUNNO); }
@@ -2633,13 +2602,11 @@ static int check_server_access(SMTPD_STATE *state, const char *table,
 * Check the hostnames first, then the addresses. */ proto_info = inet_proto_info();
- non_err = soft_err = 0;
 for (server = server_list; server != 0; server = server->next) { if (msg_verbose) msg_info("%s: %s hostname check: %s", myname, dns_strtype(type), (char *) server->data); if (valid_hostaddr((char *) server->data, DONT_GRIPE)) {
- non_err = 1;
 if ((status = check_addr_access(state, table, (char *) server->data, FULL, &found, reply_name, reply_class, def_acl)) != 0 || found)
@@ -2655,11 +2622,8 @@ static int check_server_access(SMTPD_STATE *state, const char *table,
 msg_warn("Unable to look up %s host %s for %s %s: %s", dns_strtype(type), (char *) server->data, reply_class, reply_name, MAI_STRERROR(aierr));
- if (aierr == EAI_AGAIN || aierr == EAI_SYSTEM)
- soft_err = 1;
 continue; }
- non_err = 1;
 /* Now we must also free the addrinfo result. */ if (msg_verbose) msg_info("%s: %s host address check: %s",
@@ -2683,15 +2647,7 @@ static int check_server_access(SMTPD_STATE *state, const char *table,
 } freeaddrinfo(res0); /* 200412 */ }
- status = non_err ? SMTPD_CHECK_DUNNO :
- smtpd_check_reject(state, MAIL_ERROR_POLICY,
- soft_err ? var_map_defer_code :
- var_map_reject_code,
- smtpd_dsn_fix("4.1.8", reply_class),
- "<%s>: %s rejected: %s",
- reply_name, reply_class,
- "Domain not found");
- CHECK_SERVER_RETURN(status);
+ CHECK_SERVER_RETURN(SMTPD_CHECK_DUNNO);
 } /* check_ccert_access - access for TLS clients by certificate fingerprint */
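Review bot: The new final statement `CHECK_SERVER_RETURN(SMTPD_CHECK_DUNNO);` makes check_server_access() fail open when none of the listed MX/NS hosts yields a usable address, and nothing on the new side documents that. Together with the hunk at -2605, which now returns `SMTPD_CHECK_DUNNO` right after the `msg_warn()` for a failed `dns_lookup()`, and the hunk at -2655, which no longer tells `EAI_AGAIN` apart from a permanent error, a domain whose server lookups fail passes the check_*_ns_access and check_*_mx_access restrictions without being matched, which appears to be the circumvention the deleted HISTORY entry described. The commit message gives no reason for the revert, so I would record the trade-off above this line, e.g. `/* No server address could be checked: return DUNNO (fail open); a later restriction must decide. */`, and add a dated HISTORY entry for the revert instead of only deleting the 20090807 one. The function body starts outside this hunk.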