postfix-2.6.5

postfix/HISTORY

@@ -15274,32 +15274,3 @@ Apologies for any names omitted.
 
 	Bugfix: don't panic when an unexpected smtpd access map is
 	specified. File: smtpd/smtpd_check.c.
-
-20090807
-
-	Workaround: NS record lookups for certain domains always
-	fail, while other queries for those domains always succeed
-	(and even return replies with NS records as additional
-	information).
-
-	This inconsistency in DNS lookup results would allow spammers
-	to circumvent the Postfix check_{client,helo,sender,etc}_ns_access
-	restrictions, because those restrictions have effect only
-	for NS records that can be looked up in the DNS.
-
-	To address this inconsistency, check_{client,etc}_ns_access
-	now require that a known-in-DNS domain name (or parent
-	thereof) always resolves to at least one name server IP
-	address.
-
-	For consistency, check_{client,etc}_mx_access now require
-	that a known-in-DNS domain name always resolves to at least
-	one mail server IP address.
-
-	These measures merely raise the difficulty level for spammers.
-	The IP address information thus obtained is not necessarily
-	"correct".  There is little to stop an uncooperative DNS
-	server from lying, especially when the owner of the domain
-	has no desire to receive email.  File: smtpd/smtpd_check.c.
-
-	Problem reported by MXTools.com.

postfix/RELEASE_NOTES

@@ -14,28 +14,6 @@ specifies the release date of a stable release or snapshot release.
 If you upgrade from Postfix 2.4 or earlier, read RELEASE_NOTES-2.5
 before proceeding.
 
-Incompatibility with Postfix 2.6.4
-==================================
-
-With some domain names, NS record lookups always fail while other
-lookups always succeed (and may even return NS records as additional
-information).  This anomaly could be used by evil elements to skip
-Postfix check_{client,helo,sender,recipient}_ns_access checks,
-because these apply only to NS records that are found in the DNS.
-
-To address this specific problem, check_{client,etc}_ns_access now
-requires that a known-in-DNS domain name (or parent thereof) always
-resolves to at least one name server IP address.
-
-For consistency, check_{client,etc}_mx_access now requires that a
-known-in-DNS domain name always resolves to at least one mail server
-IP address.
-
-These measures provide no hard assurances that the IP address
-information thus obtained is correct. There is little to stop an
-uncooperative DNS server from lying, especially when the owner of
-the domain has no desire to receive email.
-
 Major changes - multi-instance support
 --------------------------------------
 

postfix/src/global/mail_version.h

@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20090825"
+#define MAIL_RELEASE_DATE	"20090828"
-#define MAIL_VERSION_NUMBER	"2.6.4"
+#define MAIL_VERSION_NUMBER	"2.6.5"
 
 #ifdef SNAPSHOT
 # define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE

postfix/src/smtpd/smtpd_check.c

@@ -2515,10 +2515,6 @@ static int check_server_access(SMTPD_STATE *state, const char *table,
     struct addrinfo *res;
     int     status;
     INET_PROTO_INFO *proto_info;
-    const char *saved_domain;
-    int     non_err, soft_err;
-    int     known_name_in_dns;
-    int     ping_status;
 
     /*
      * Sanity check.
@@ -2573,20 +2569,9 @@ static int check_server_access(SMTPD_STATE *state, const char *table,
      * 
      * If the domain name exists but no NS record exists, look up parent domain
      * NS records.
-     * 
-     * After the initial lookup fails, do one final DNS sanity check. Reject
-     * mail when the name exists, but MX lookup produces no valid response or
-     * NS lookup fails for any reason. Beware, this sanity check provides no
-     * hard assurance. An uncooperative DNS server may lie about everything,
-     * including non-existence.
      */
-#define SOME_DNS_RR_EXISTS(stat, herr) \
-	((stat) == DNS_OK || (stat) == DNS_INVAL || (herr) == NO_DATA)
-
-    saved_domain = domain;
     dns_status = dns_lookup(domain, type, 0, &server_list,
 			    (VSTRING *) 0, (VSTRING *) 0);
-    known_name_in_dns = SOME_DNS_RR_EXISTS(dns_status, h_errno);
     if (dns_status == DNS_NOTFOUND /* Not: h_errno == NO_DATA */ ) {
 	if (type == T_MX) {
 	    server_list = dns_rr_create(domain, domain, type, C_IN, 0, 0,
@@ -2605,22 +2590,6 @@ static int check_server_access(SMTPD_STATE *state, const char *table,
     if (dns_status != DNS_OK) {
 	msg_warn("Unable to look up %s host for %s: %s", dns_strtype(type),
 		 domain && domain[1] ? domain : name, dns_strerror(h_errno));
-	if (known_name_in_dns == 0) {
-	    /* With hostile DNS, an address query is more likely to work. */
-	    ping_status = dns_lookup_l(saved_domain, 0, (DNS_RR **) 0,
-				       (VSTRING *) 0, (VSTRING *) 0,
-				       DNS_REQ_FLAG_STOP_OK,
-				       RR_ADDR_TYPES, 0);
-	    known_name_in_dns = SOME_DNS_RR_EXISTS(ping_status, h_errno);
-	}
-	if (known_name_in_dns)
-	    return (smtpd_check_reject(state, MAIL_ERROR_POLICY,
-				       dns_status == DNS_RETRY ?
-				   var_map_defer_code : var_map_reject_code,
-				       smtpd_dsn_fix("4.1.8", reply_class),
-				       "<%s>: %s rejected: %s",
-				       reply_name, reply_class,
-				       "Domain not found"));
 	return (SMTPD_CHECK_DUNNO);
     }
 
@@ -2633,13 +2602,11 @@ static int check_server_access(SMTPD_STATE *state, const char *table,
      * Check the hostnames first, then the addresses.
      */
     proto_info = inet_proto_info();
-    non_err = soft_err = 0;
     for (server = server_list; server != 0; server = server->next) {
 	if (msg_verbose)
 	    msg_info("%s: %s hostname check: %s",
 		     myname, dns_strtype(type), (char *) server->data);
 	if (valid_hostaddr((char *) server->data, DONT_GRIPE)) {
-	    non_err = 1;
 	    if ((status = check_addr_access(state, table, (char *) server->data,
 				      FULL, &found, reply_name, reply_class,
 					    def_acl)) != 0 || found)
@@ -2655,11 +2622,8 @@ static int check_server_access(SMTPD_STATE *state, const char *table,
 	    msg_warn("Unable to look up %s host %s for %s %s: %s",
 		     dns_strtype(type), (char *) server->data,
 		     reply_class, reply_name, MAI_STRERROR(aierr));
-	    if (aierr == EAI_AGAIN || aierr == EAI_SYSTEM)
-		soft_err = 1;
 	    continue;
 	}
-	non_err = 1;
 	/* Now we must also free the addrinfo result. */
 	if (msg_verbose)
 	    msg_info("%s: %s host address check: %s",
@@ -2683,15 +2647,7 @@ static int check_server_access(SMTPD_STATE *state, const char *table,
 	}
 	freeaddrinfo(res0);			/* 200412 */
     }
-    status = non_err ? SMTPD_CHECK_DUNNO :
+    CHECK_SERVER_RETURN(SMTPD_CHECK_DUNNO);
-	smtpd_check_reject(state, MAIL_ERROR_POLICY,
-			   soft_err ? var_map_defer_code :
-			   var_map_reject_code,
-			   smtpd_dsn_fix("4.1.8", reply_class),
-			   "<%s>: %s rejected: %s",
-			   reply_name, reply_class,
-			   "Domain not found");
-    CHECK_SERVER_RETURN(status);
 }
 
 /* check_ccert_access - access for TLS clients by certificate fingerprint */