postfix-2.6.4-RC1

postfix/HISTORY

@@ -15269,3 +15269,14 @@ Apologies for any names omitted.
 	Documentation: as of Postfix 2.6, the reject_unauth_pipelining
 	feature can be used meaningfully at any protocol stage.
 	File: proto/postconf.proto.
+
+20090803
+
+	Workaround: with some local DNS servers including BIND, it
+	is possible that A or MX lookups succeed, while NS lookups
+	for the same domains time out.  Spammers use this to avoid
+	access restrictions.  To deal with future variations of
+	this, check_{client,helo,sender,etc}_{mx,ns,etc}_access no
+	longer tolerate any lookup failures. Instead, they reply
+	with $access_map_defer_code or $access_map_reject_code as
+	appropriate. File: smtpd/smtpd_check.c.

postfix/RELEASE_NOTES

@@ -14,6 +14,22 @@ specifies the release date of a stable release or snapshot release.
 If you upgrade from Postfix 2.4 or earlier, read RELEASE_NOTES-2.5
 before proceeding.
 
+Incompatibility with Postfix 2.6.4
+==================================
+
+The check_{client,helo,sender,etc}_{mx,ns,etc}_access features no
+longer tolerate any lookup failures. Instead, they now reply with
+$access_map_defer_code or $access_map_reject_code as appropriate.
+
+The reason for this change is that spammers are using tricks where
+A or MX lookups succeed while NS lookups for the same domains fail,
+depending local DNS infrastructure details.  The change deals with
+future variants of this anomalous behavior.
+
+As a side effect, non-existent domain names in HELO commands will
+now trigger a REJECT action with check_helo_{mx,ns}_access, where
+previously such commands were silently permitted.
+
 Major changes - multi-instance support
 --------------------------------------
 

postfix/src/global/mail_version.h

@@ -20,8 +20,8 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20090802"
+#define MAIL_RELEASE_DATE	"20090803"
-#define MAIL_VERSION_NUMBER	"2.6.3"
+#define MAIL_VERSION_NUMBER	"2.6.4-RC1"
 
 #ifdef SNAPSHOT
 # define MAIL_VERSION_DATE	"-" MAIL_RELEASE_DATE

postfix/src/smtpd/smtpd_check.c

@@ -2575,7 +2575,14 @@ static int check_server_access(SMTPD_STATE *state, const char *table,
     if (dns_status != DNS_OK) {
 	msg_warn("Unable to look up %s host for %s: %s", dns_strtype(type),
 		 domain && domain[1] ? domain : name, dns_strerror(h_errno));
-	return (SMTPD_CHECK_DUNNO);
+	/* No mercy for DNS failure. */
+	return (smtpd_check_reject(state, MAIL_ERROR_POLICY,
+				   dns_status == DNS_NOTFOUND ?
+				   var_map_reject_code : var_map_defer_code,
+				   smtpd_dsn_fix("4.1.8", reply_class),
+				   "<%s>: %s rejected: %s",
+				   reply_name, reply_class,
+				   "Domain not found"));
     }
 
     /*
@@ -2600,7 +2607,16 @@ static int check_server_access(SMTPD_STATE *state, const char *table,
 	    msg_warn("Unable to look up %s host %s for %s %s: %s",
 		     dns_strtype(type), (char *) server->data,
 		     reply_class, reply_name, MAI_STRERROR(aierr));
-	    continue;
+	    /* No mercy for DNS failure. */
+	    status = smtpd_check_reject(state,
+					MAIL_ERROR_POLICY,
+					aierr == EAI_NONAME ?
+				   var_map_reject_code : var_map_defer_code,
+					smtpd_dsn_fix("4.1.8", reply_class),
+					"<%s>: %s rejected: %s",
+					reply_name, reply_class,
+					"Domain not found");
+	    CHECK_SERVER_RETURN(status);
 	}
 	/* Now we must also free the addrinfo result. */
 	if (msg_verbose)