diff --git a/postfix/HISTORY b/postfix/HISTORY
index 5ccc72003..7067bd124 100644
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@@ -15269,3 +15269,14 @@ Apologies for any names omitted.
 Documentation: as of Postfix 2.6, the reject_unauth_pipelining feature can be used meaningfully at any protocol stage. File: proto/postconf.proto.
+
+20090803
+
+ Workaround: with some local DNS servers including BIND, it
+ is possible that A or MX lookups succeed, while NS lookups
+ for the same domains time out. Spammers use this to avoid
+ access restrictions. To deal with future variations of
+ this, check_{client,helo,sender,etc}_{mx,ns,etc}_access no
+ longer tolerate any lookup failures. Instead, they reply
+ with $access_map_defer_code or $access_map_reject_code as
+ appropriate. File: smtpd/smtpd_check.c.
diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES
index 0a926aa38..8c720bbef 100644
--- a/postfix/RELEASE_NOTES
+++ b/postfix/RELEASE_NOTES
@@ -14,6 +14,22 @@ specifies the release date of a stable release or snapshot release. If you upgrade from Postfix 2.4 or earlier, read RELEASE_NOTES-2.5 before proceeding.
+Incompatibility with Postfix 2.6.4
+==================================
+
+The check_{client,helo,sender,etc}_{mx,ns,etc}_access features no
+longer tolerate any lookup failures. Instead, they now reply with
+$access_map_defer_code or $access_map_reject_code as appropriate.
+
+The reason for this change is that spammers are using tricks where
+A or MX lookups succeed while NS lookups for the same domains fail,
+depending local DNS infrastructure details. The change deals with
+future variants of this anomalous behavior.
+
+As a side effect, non-existent domain names in HELO commands will
+now trigger a REJECT action with check_helo_{mx,ns}_access, where
+previously such commands were silently permitted.
+
 Major changes - multi-instance support
 -------------------------------------- 
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index f80a7c53a..dce91ae4b 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,8 +20,8 @@
 * Patches change both the patchlevel and the release date. Snapshots have no
 * patchlevel; they change the release date only.
 */
-#define MAIL_RELEASE_DATE "20090802"
-#define MAIL_VERSION_NUMBER "2.6.3"
+#define MAIL_RELEASE_DATE "20090803"
+#define MAIL_VERSION_NUMBER "2.6.4-RC1"
 #ifdef SNAPSHOT
 # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c
index ea3dfbf9c..74d86ec47 100644
--- a/postfix/src/smtpd/smtpd_check.c
+++ b/postfix/src/smtpd/smtpd_check.c
@@ -2575,7 +2575,14 @@ static int check_server_access(SMTPD_STATE *state, const char *table,
 if (dns_status != DNS_OK) {
 msg_warn("Unable to look up %s host for %s: %s", dns_strtype(type), domain && domain[1] ? domain : name, dns_strerror(h_errno));
- return (SMTPD_CHECK_DUNNO);
+ /* No mercy for DNS failure. */
+ return (smtpd_check_reject(state, MAIL_ERROR_POLICY,
+ dns_status == DNS_NOTFOUND ?
+ var_map_reject_code : var_map_defer_code,
+ smtpd_dsn_fix("4.1.8", reply_class),
+ "<%s>: %s rejected: %s",
+ reply_name, reply_class,
+ "Domain not found"));
 }
 /*
@@ -2600,7 +2607,16 @@ static int check_server_access(SMTPD_STATE *state, const char *table,
 msg_warn("Unable to look up %s host %s for %s %s: %s", dns_strtype(type), (char *) server->data, reply_class, reply_name, MAI_STRERROR(aierr));
- continue;
+ /* No mercy for DNS failure. */
+ status = smtpd_check_reject(state,
+ MAIL_ERROR_POLICY,
+ aierr == EAI_NONAME ?
+ var_map_reject_code : var_map_defer_code,
+ smtpd_dsn_fix("4.1.8", reply_class),
+ "<%s>: %s rejected: %s",
+ reply_name, reply_class,
+ "Domain not found");
+ CHECK_SERVER_RETURN(status);
 }
 /* Now we must also free the addrinfo result. */
 if (msg_verbose)
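Review bot: The new return in the `dns_status != DNS_OK` branch sends the client "Domain not found" for every failure class, but only DNS_NOTFOUND selects var_map_reject_code; DNS_RETRY, DNS_FAIL and any other status are deferred with the same text, so a resolver timeout (the BIND case this commit is about) yields a deferral that claims the domain does not exist while the msg_warn() just above logs the real dns_strerror() reason. A distinct wording for the deferred case keeps the SMTP reply and the log in agreement and avoids telling a legitimate sender their domain is gone: `dns_status == DNS_NOTFOUND ? "Domain not found" : "Domain lookup failed"` in place of the literal. The DSN "4.1.8" is passed unchanged even when var_map_reject_code is a 5xx reply; presumably smtpd_check_reject() rewrites the class digit from the reply code, but that is not visible in this hunk and is worth confirming, otherwise a 5xx reply carries a 4.x.x enhanced status. check_server_access() starts and ends outside this hunk.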
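Review bot: In the getaddrinfo() failure branch the reply text "Domain not found" does not describe what failed: the warning directly above says an individual MX/NS host name, `(char *) server->data`, could not be resolved, yet the client is told that the domain behind reply_name does not exist, and for every aierr other than EAI_NONAME it is told so with $access_map_defer_code. A text that matches the warning, e.g. `"MX/NS host lookup failed"`, or passing dns_strtype(type) into the format, would keep the reply honest. This branch now also ends the whole check on the first unresolvable server, where the old `continue` went on to the next entry in server_list; that is the fail-closed behaviour the release notes announce, but it means one stale secondary MX record blocks the check for a domain whose other servers resolve fine, so a one-line comment stating that trade-off next to `CHECK_SERVER_RETURN(status);` would help the next maintainer. Whether EAI_NONAME is the only getaddrinfo() error that should be treated as permanent on the supported platforms (as opposed to EAI_AGAIN and the rest) cannot be judged from here. check_server_access() starts and ends outside this hunk.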