mirror of https://github.com/vdukhovni/postfix synced 2025-08-29 13:18:12 +00:00

postfix-2.6.4

Wietse Venema 2009-08-25 00:00:00 -05:00 committed by Viktor Dukhovni
parent e0e6c0c596
commit ad36d9786b
3 changed files with 35 additions and 31 deletions

@ -15272,31 +15272,34 @@ Apologies for any names omitted.
20090805 20090805
Bugfix: don't panic when an unexpected smtpd access map is Bugfix: don't panic when an unexpected smtpd access map is
specified. File: smtpd/smtpd_check.c. specified. File: smtpd/smtpd_check.c.
20090807 20090807
Workaround: NS record lookups for certain domains always Workaround: NS record lookups for certain domains always
fail, while other queries for those domains always succeed fail, while other queries for those domains always succeed
(and even return replies with NS records as additional (and even return replies with NS records as additional
information). information).
This inconsistency would allow spammers to avoid the Postfix This inconsistency in DNS lookup results would allow spammers
check_{client,helo,sender,etc}_ns_access restrictions, to circumvent the Postfix check_{client,helo,sender,etc}_ns_access
because those restrictions have effect only for names that restrictions, because those restrictions have effect only
are known in the DNS. for NS records that can be looked up in the DNS.
To address this specific inconsistency, the Postfix To address this inconsistency, check_{client,etc}_ns_access
check_{client,etc}_ns_access feature now requires that a now require that a known-in-DNS domain name (or parent
known-in-DNS domain name (or parent thereof) resolves to thereof) always resolves to at least one name server IP
at least one name server IP address. address.
For consistency, check_{client,etc}_mx_access now requires For consistency, check_{client,etc}_mx_access now require
that a known-in-DNS domain name resolves to at least one that a known-in-DNS domain name always resolves to at least
mail server IP address. one mail server IP address.
The IP addresses thus obtained may or may not be "correct". These measures merely raise the difficulty level for spammers.
There is little to stop an uncooperative DNS server from The IP address information thus obtained is not necessarily
lying, especially when the owner of the domain has no "correct". There is little to stop an uncooperative DNS
intention to receive email. File: smtpd/smtpd_check.c. server from lying, especially when the owner of the domain
has no desire to receive email. File: smtpd/smtpd_check.c.
Problem reported by MXTools.com.
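
Review bot: the reworded 20090807 entry states the new requirement (a known-in-DNS domain name "always resolves to at least one name server IP address") but not what check_{client,etc}_ns_access and check_{client,etc}_mx_access do when that requirement is not met. Add one sentence saying whether the request is rejected or deferred in that case, so an operator reading HISTORY can tell what changes for legitimate senders whose DNS is temporarily broken. Also, "now require" in both paragraphs here disagrees with "now requires" in the matching RELEASE_NOTES text; pick one form.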

@ -21,19 +21,20 @@ With some domain names, NS record lookups always fail while other
lookups always succeed (and may even return NS records as additional lookups always succeed (and may even return NS records as additional
information). This anomaly could be used by evil elements to skip information). This anomaly could be used by evil elements to skip
Postfix check_{client,helo,sender,recipient}_ns_access checks, Postfix check_{client,helo,sender,recipient}_ns_access checks,
because these apply only to domains that are known in the DNS. because these apply only to NS records that are found in the DNS.
To address this specific problem, check_{client,etc}_ns_access now To address this specific problem, check_{client,etc}_ns_access now
requires that a known-in-DNS domain name (or parent thereof) resolves requires that a known-in-DNS domain name (or parent thereof) always
to at least one name server IP address. resolves to at least one name server IP address.
For consistency, check_{client,etc}_mx_access now requires that a For consistency, check_{client,etc}_mx_access now requires that a
known-in-DNS domain name resolves to at least one mail server IP known-in-DNS domain name always resolves to at least one mail server
address. IP address.
Keep in mind that these measures provide no hard assurances. There These measures provide no hard assurances that the IP address
is little to stop an uncooperative DNS server from lying, especially information thus obtained is correct. There is little to stop an
when the owner of the domain has no intention to receive email. uncooperative DNS server from lying, especially when the owner of
the domain has no desire to receive email.
Major changes - multi-instance support Major changes - multi-instance support
-------------------------------------- --------------------------------------
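
Review bot: the rewritten caveat ("These measures provide no hard assurances that the IP address information thus obtained is correct") narrows the old general warning to address correctness and leaves out the sentence that the HISTORY entry gains in this same commit, "These measures merely raise the difficulty level for spammers." Carry that sentence into RELEASE_NOTES as well, since this is the file an administrator reads when deciding how much to rely on the ns_access and mx_access restrictions.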

@ -20,8 +20,8 @@
* Patches change both the patchlevel and the release date. Snapshots have no * Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only. * patchlevel; they change the release date only.
*/ */
#define MAIL_RELEASE_DATE "20090807" #define MAIL_RELEASE_DATE "20090825"
#define MAIL_VERSION_NUMBER "2.6.4-RC2" #define MAIL_VERSION_NUMBER "2.6.4"
#ifdef SNAPSHOT #ifdef SNAPSHOT
# define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
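
Review bot: MAIL_RELEASE_DATE moves to "20090825", but the HISTORY text changed in this commit stays under the 20090807 heading and no 20090825 entry is visible in that hunk. Consider a short dated entry recording the documentation rewording and the MXTools.com credit, so the release date can be matched to a HISTORY line.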