mirror of https://github.com/vdukhovni/postfix synced 2025-08-23 10:28:06 +00:00

postfix-2.7-20091110

This commit is contained in:
Wietse Venema 2009-11-10 00:00:00 -05:00 committed by Viktor Dukhovni
parent 705c4e1dd4
commit c4461a1730
16 changed files with 288 additions and 143 deletions

View File

@ -15487,3 +15487,14 @@ Apologies for any names omitted.
caused by an incomplete API change; refined the queue space caused by an incomplete API change; refined the queue space
check; release scratch space immediately after delivering check; release scratch space immediately after delivering
mail to the before-queue filter. Files: smtpd.c, smtpd_proxy.c. mail to the before-queue filter. Files: smtpd.c, smtpd_proxy.c.
20091110
Workaround: specify "smtp_tls_block_early_mail_reply = yes"
to detect a mail hijacking attack based on a TLS protocol
vulnerability (CVE-2009-3555). The attack involves prepending
malicious HELO/MAIL/RCPT/DATA commands to a Postfix SMTP
client TLS session. The attack would succeed with non-Postfix
SMTP servers that reply to the malicious commands after
negotiating the Postfix SMTP client TLS session. File:
smtp/smtp_proto.c.
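Review bot: the HISTORY entry names only smtp_tls_block_early_mail_reply, but the commit also introduces the LMTP variant (VAR_LMTP_TLS_BLK_EARLY_MAIL_REPLY in mail_params.h, lmtp_tls_block_early_mail_reply in postlink.pl), so both should be listed, and the entry should say that the parameter defaults to "no", i.e. the detection is opt-in. The entry says HELO/MAIL/RCPT/DATA while the smtp_proto.c comment says EHLO/MAIL/RCPT/DATA; pick one spelling for all of the documentation.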

View File

@ -534,6 +534,14 @@ SMTP(8) SMTP(8)
File with the Postfix SMTP client ECDSA private key File with the Postfix SMTP client ECDSA private key
in PEM format. in PEM format.
Available in Postfix version 2.7 and later:
<b><a href="postconf.5.html#smtp_tls_block_early_mail_reply">smtp_tls_block_early_mail_reply</a> (no)</b>
Try to detect a mail hijacking attack based on a
TLS protocol vulnerability (CVE-2009-3555), where
an attacker prepends malicious HELO/MAIL/RCPT/DATA
commands to a Postfix client TLS session.
<b>OBSOLETE STARTTLS CONTROLS</b> <b>OBSOLETE STARTTLS CONTROLS</b>
The following configuration parameters exist for compati- The following configuration parameters exist for compati-
bility with Postfix versions before 2.3. Support for these bility with Postfix versions before 2.3. Support for these
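Review bot: the one-line summary says "Try to detect" but does not say what happens on detection; the smtp_proto.c hunk defers the mail with a 4.7.0 status and logs a policy-violation warning, and a few words to that effect ("...and defer mail when detected") would tell operators what behaviour change to expect when they turn the parameter on.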
@ -781,8 +789,8 @@ SMTP(8) SMTP(8)
The hostname to send in the LMTP LHLO command. The hostname to send in the LMTP LHLO command.
<b><a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a> (dns)</b> <b><a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a> (dns)</b>
What mechanisms when the Postfix SMTP client uses What mechanisms the Postfix SMTP client uses to
to look up a host's IP address. look up a host's IP address.
<b><a href="postconf.5.html#smtp_randomize_addresses">smtp_randomize_addresses</a> (yes)</b> <b><a href="postconf.5.html#smtp_randomize_addresses">smtp_randomize_addresses</a> (yes)</b>
Randomize the order of equal-preference MX host Randomize the order of equal-preference MX host

View File

@ -9236,6 +9236,21 @@ must be inside the chroot jail. </p>
<p> This feature is available in Postfix 2.2 and later. </p> <p> This feature is available in Postfix 2.2 and later. </p>
</DD>
<DT><b><a name="smtp_tls_block_early_mail_reply">smtp_tls_block_early_mail_reply</a>
(default: no)</b></DT><DD>
<p> Try to detect a mail hijacking attack based on a TLS protocol
vulnerability (CVE-2009-3555), where an attacker prepends malicious
HELO/MAIL/RCPT/DATA commands to a Postfix client TLS session. The
attack would succeed with non-Postfix SMTP servers that reply to
the malicious HELO/MAIL/RCPT/DATA commands after negotiating the
Postfix SMTP client TLS session. </p>
<p> This feature is available in Postfix 2.7. </p>
</DD> </DD>
<DT><b><a name="smtp_tls_cert_file">smtp_tls_cert_file</a> <DT><b><a name="smtp_tls_cert_file">smtp_tls_cert_file</a>

View File

@ -534,6 +534,14 @@ SMTP(8) SMTP(8)
File with the Postfix SMTP client ECDSA private key File with the Postfix SMTP client ECDSA private key
in PEM format. in PEM format.
Available in Postfix version 2.7 and later:
<b><a href="postconf.5.html#smtp_tls_block_early_mail_reply">smtp_tls_block_early_mail_reply</a> (no)</b>
Try to detect a mail hijacking attack based on a
TLS protocol vulnerability (CVE-2009-3555), where
an attacker prepends malicious HELO/MAIL/RCPT/DATA
commands to a Postfix client TLS session.
<b>OBSOLETE STARTTLS CONTROLS</b> <b>OBSOLETE STARTTLS CONTROLS</b>
The following configuration parameters exist for compati- The following configuration parameters exist for compati-
bility with Postfix versions before 2.3. Support for these bility with Postfix versions before 2.3. Support for these
@ -781,8 +789,8 @@ SMTP(8) SMTP(8)
The hostname to send in the LMTP LHLO command. The hostname to send in the LMTP LHLO command.
<b><a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a> (dns)</b> <b><a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a> (dns)</b>
What mechanisms when the Postfix SMTP client uses What mechanisms the Postfix SMTP client uses to
to look up a host's IP address. look up a host's IP address.
<b><a href="postconf.5.html#smtp_randomize_addresses">smtp_randomize_addresses</a> (yes)</b> <b><a href="postconf.5.html#smtp_randomize_addresses">smtp_randomize_addresses</a> (yes)</b>
Randomize the order of equal-preference MX host Randomize the order of equal-preference MX host

View File

@ -5254,6 +5254,15 @@ smtp_tls_CApath = /etc/postfix/certs
.ft R .ft R
.PP .PP
This feature is available in Postfix 2.2 and later. This feature is available in Postfix 2.2 and later.
.SH smtp_tls_block_early_mail_reply (default: no)
Try to detect a mail hijacking attack based on a TLS protocol
vulnerability (CVE-2009-3555), where an attacker prepends malicious
HELO/MAIL/RCPT/DATA commands to a Postfix client TLS session. The
attack would succeed with non-Postfix SMTP servers that reply to
the malicious HELO/MAIL/RCPT/DATA commands after negotiating the
Postfix SMTP client TLS session.
.PP
This feature is available in Postfix 2.7.
.SH smtp_tls_cert_file (default: empty) .SH smtp_tls_cert_file (default: empty)
File with the Postfix SMTP client RSA certificate in PEM format. File with the Postfix SMTP client RSA certificate in PEM format.
This file may also contain the Postfix SMTP client private RSA key, This file may also contain the Postfix SMTP client private RSA key,

View File

@ -430,6 +430,12 @@ will use with opportunistic TLS encryption.
File with the Postfix SMTP client ECDSA certificate in PEM format. File with the Postfix SMTP client ECDSA certificate in PEM format.
.IP "\fBsmtp_tls_eckey_file ($smtp_tls_eccert_file)\fR" .IP "\fBsmtp_tls_eckey_file ($smtp_tls_eccert_file)\fR"
File with the Postfix SMTP client ECDSA private key in PEM format. File with the Postfix SMTP client ECDSA private key in PEM format.
.PP
Available in Postfix version 2.7 and later:
.IP "\fBsmtp_tls_block_early_mail_reply (no)\fR"
Try to detect a mail hijacking attack based on a TLS protocol
vulnerability (CVE-2009-3555), where an attacker prepends malicious
HELO/MAIL/RCPT/DATA commands to a Postfix client TLS session.
.SH "OBSOLETE STARTTLS CONTROLS" .SH "OBSOLETE STARTTLS CONTROLS"
.na .na
.nf .nf
@ -610,7 +616,7 @@ The hostname to send in the SMTP EHLO or HELO command.
.IP "\fBlmtp_lhlo_name ($myhostname)\fR" .IP "\fBlmtp_lhlo_name ($myhostname)\fR"
The hostname to send in the LMTP LHLO command. The hostname to send in the LMTP LHLO command.
.IP "\fBsmtp_host_lookup (dns)\fR" .IP "\fBsmtp_host_lookup (dns)\fR"
What mechanisms when the Postfix SMTP client uses to look up a host's IP What mechanisms the Postfix SMTP client uses to look up a host's IP
address. address.
.IP "\fBsmtp_randomize_addresses (yes)\fR" .IP "\fBsmtp_randomize_addresses (yes)\fR"
Randomize the order of equal-preference MX host addresses. Randomize the order of equal-preference MX host addresses.

View File

@ -259,6 +259,7 @@ while (<>) {
s;\blmtp_enforce_tls\b;<a href="postconf.5.html#lmtp_enforce_tls">$&</a>;g; s;\blmtp_enforce_tls\b;<a href="postconf.5.html#lmtp_enforce_tls">$&</a>;g;
s;\blmtp_tls_enforce_peername\b;<a href="postconf.5.html#lmtp_tls_enforce_peername">$&</a>;g; s;\blmtp_tls_enforce_peername\b;<a href="postconf.5.html#lmtp_tls_enforce_peername">$&</a>;g;
s;\blmtp_tls_note_starttls_offer\b;<a href="postconf.5.html#lmtp_tls_note_starttls_offer">$&</a>;g; s;\blmtp_tls_note_starttls_offer\b;<a href="postconf.5.html#lmtp_tls_note_starttls_offer">$&</a>;g;
s;\blmtp_tls_block_early_mail_reply\b;<a href="postconf.5.html#lmtp_tls_block_early_mail_reply">$&</a>;g;
s;\blmtp_sender_dependent_authentication\b;<a href="postconf.5.html#lmtp_sender_dependent_authentication">$&</a>;g; s;\blmtp_sender_dependent_authentication\b;<a href="postconf.5.html#lmtp_sender_dependent_authentication">$&</a>;g;
s;\blmtp_sasl_path\b;<a href="postconf.5.html#lmtp_sasl_path">$&</a>;g; s;\blmtp_sasl_path\b;<a href="postconf.5.html#lmtp_sasl_path">$&</a>;g;
s;\blmtp_lhlo_name\b;<a href="postconf.5.html#lmtp_lhlo_name">$&</a>;g; s;\blmtp_lhlo_name\b;<a href="postconf.5.html#lmtp_lhlo_name">$&</a>;g;
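Review bot: the new rule links lmtp_tls_block_early_mail_reply to postconf.5.html#lmtp_tls_block_early_mail_reply, but no such anchor is created anywhere in this commit: the postconf.5.html and postconf.proto hunks define only smtp_tls_block_early_mail_reply. Either add a %PARAM lmtp_tls_block_early_mail_reply entry ("The LMTP-specific version of the smtp_tls_block_early_mail_reply configuration parameter") to postconf.proto, or every occurrence of the LMTP name in the generated HTML becomes a dead link.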
@ -613,6 +614,7 @@ while (<>) {
s;\bsmtp_tls_security_level\b;<a href="postconf.5.html#smtp_tls_security_level">$&</a>;g; s;\bsmtp_tls_security_level\b;<a href="postconf.5.html#smtp_tls_security_level">$&</a>;g;
s;\bsmtp_tls_session_cache_database\b;<a href="postconf.5.html#smtp_tls_session_cache_database">$&</a>;g; s;\bsmtp_tls_session_cache_database\b;<a href="postconf.5.html#smtp_tls_session_cache_database">$&</a>;g;
s;\bsmtp_tls_session_cache_timeout\b;<a href="postconf.5.html#smtp_tls_session_cache_timeout">$&</a>;g; s;\bsmtp_tls_session_cache_timeout\b;<a href="postconf.5.html#smtp_tls_session_cache_timeout">$&</a>;g;
s;\bsmtp_tls_block_early_mail_reply\b;<a href="postconf.5.html#smtp_tls_block_early_mail_reply">$&</a>;g;
s;\bsmtp_use_tls\b;<a href="postconf.5.html#smtp_use_tls">$&</a>;g; s;\bsmtp_use_tls\b;<a href="postconf.5.html#smtp_use_tls">$&</a>;g;
s;\bsmtp_header_checks\b;<a href="postconf.5.html#smtp_header_checks">$&</a>;g; s;\bsmtp_header_checks\b;<a href="postconf.5.html#smtp_header_checks">$&</a>;g;
s;\bsmtp_mime_header_checks\b;<a href="postconf.5.html#smtp_mime_header_checks">$&</a>;g; s;\bsmtp_mime_header_checks\b;<a href="postconf.5.html#smtp_mime_header_checks">$&</a>;g;

View File

@ -12625,3 +12625,14 @@ result value is executed by the Postfix SMTP server. </p>
</pre> </pre>
<p> This feature is available in Postfix 2.7. </p> <p> This feature is available in Postfix 2.7. </p>
%PARAM smtp_tls_block_early_mail_reply no
<p> Try to detect a mail hijacking attack based on a TLS protocol
vulnerability (CVE-2009-3555), where an attacker prepends malicious
HELO/MAIL/RCPT/DATA commands to a Postfix client TLS session. The
attack would succeed with non-Postfix SMTP servers that reply to
the malicious HELO/MAIL/RCPT/DATA commands after negotiating the
Postfix SMTP client TLS session. </p>
<p> This feature is available in Postfix 2.7. </p>
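Review bot: "This feature is available in Postfix 2.7." is inconsistent with the "Available in Postfix version 2.7 and later:" wording used in the smtp(8) hunks of the same commit. The description should also state the observable outcome, which the smtp_proto.c hunk defines: on detection the delivery is deferred with status 4.7.0 "unexpected server message" and a "server ... violates smtp_tls_block_early_mail_reply policy" warning is logged. That is the line operators will need to search for, and the text should mention that a legitimate server sending an unsolicited TLS record before the MAIL reply is deferred as well, since the parameter defaults to "no" for that reason.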

View File

@ -1465,6 +1465,12 @@ extern char *var_smtp_tls_sec_cmatch;
#define DEF_LMTP_TLS_FPT_CMATCH "" #define DEF_LMTP_TLS_FPT_CMATCH ""
extern char *var_smtp_tls_fpt_cmatch; extern char *var_smtp_tls_fpt_cmatch;
#define VAR_SMTP_TLS_BLK_EARLY_MAIL_REPLY "smtp_tls_block_early_mail_reply"
#define DEF_SMTP_TLS_BLK_EARLY_MAIL_REPLY 0
#define VAR_LMTP_TLS_BLK_EARLY_MAIL_REPLY "lmtp_tls_block_early_mail_reply"
#define DEF_LMTP_TLS_BLK_EARLY_MAIL_REPLY 0
extern bool var_smtp_tls_blk_early_mail_reply;
/* /*
* SASL authentication support, SMTP server side. * SASL authentication support, SMTP server side.
*/ */

View File

@ -20,7 +20,7 @@
* Patches change both the patchlevel and the release date. Snapshots have no * Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only. * patchlevel; they change the release date only.
*/ */
#define MAIL_RELEASE_DATE "20091109" #define MAIL_RELEASE_DATE "20091110"
#define MAIL_VERSION_NUMBER "2.7" #define MAIL_VERSION_NUMBER "2.7"
#ifdef SNAPSHOT #ifdef SNAPSHOT

View File

@ -99,6 +99,7 @@
#ifdef USE_TLS #ifdef USE_TLS
VAR_LMTP_TLS_ENFORCE_PN, DEF_LMTP_TLS_ENFORCE_PN, &var_smtp_tls_enforce_peername, VAR_LMTP_TLS_ENFORCE_PN, DEF_LMTP_TLS_ENFORCE_PN, &var_smtp_tls_enforce_peername,
VAR_LMTP_TLS_NOTEOFFER, DEF_LMTP_TLS_NOTEOFFER, &var_smtp_tls_note_starttls_offer, VAR_LMTP_TLS_NOTEOFFER, DEF_LMTP_TLS_NOTEOFFER, &var_smtp_tls_note_starttls_offer,
VAR_LMTP_TLS_BLK_EARLY_MAIL_REPLY, DEF_LMTP_TLS_BLK_EARLY_MAIL_REPLY, &var_smtp_tls_blk_early_mail_reply,
#endif #endif
VAR_LMTP_SENDER_AUTH, DEF_LMTP_SENDER_AUTH, &var_smtp_sender_auth, VAR_LMTP_SENDER_AUTH, DEF_LMTP_SENDER_AUTH, &var_smtp_sender_auth,
VAR_LMTP_CNAME_OVERR, DEF_LMTP_CNAME_OVERR, &var_smtp_cname_overr, VAR_LMTP_CNAME_OVERR, DEF_LMTP_CNAME_OVERR, &var_smtp_cname_overr,

View File

@ -400,6 +400,12 @@
/* File with the Postfix SMTP client ECDSA certificate in PEM format. /* File with the Postfix SMTP client ECDSA certificate in PEM format.
/* .IP "\fBsmtp_tls_eckey_file ($smtp_tls_eccert_file)\fR" /* .IP "\fBsmtp_tls_eckey_file ($smtp_tls_eccert_file)\fR"
/* File with the Postfix SMTP client ECDSA private key in PEM format. /* File with the Postfix SMTP client ECDSA private key in PEM format.
/* .PP
/* Available in Postfix version 2.7 and later:
/* .IP "\fBsmtp_tls_block_early_mail_reply (no)\fR"
/* Try to detect a mail hijacking attack based on a TLS protocol
/* vulnerability (CVE-2009-3555), where an attacker prepends malicious
/* HELO/MAIL/RCPT/DATA commands to a Postfix client TLS session.
/* OBSOLETE STARTTLS CONTROLS /* OBSOLETE STARTTLS CONTROLS
/* .ad /* .ad
/* .fi /* .fi
@ -572,7 +578,7 @@
/* .IP "\fBlmtp_lhlo_name ($myhostname)\fR" /* .IP "\fBlmtp_lhlo_name ($myhostname)\fR"
/* The hostname to send in the LMTP LHLO command. /* The hostname to send in the LMTP LHLO command.
/* .IP "\fBsmtp_host_lookup (dns)\fR" /* .IP "\fBsmtp_host_lookup (dns)\fR"
/* What mechanisms when the Postfix SMTP client uses to look up a host's IP /* What mechanisms the Postfix SMTP client uses to look up a host's IP
/* address. /* address.
/* .IP "\fBsmtp_randomize_addresses (yes)\fR" /* .IP "\fBsmtp_randomize_addresses (yes)\fR"
/* Randomize the order of equal-preference MX host addresses. /* Randomize the order of equal-preference MX host addresses.
@ -769,6 +775,7 @@ char *var_smtp_tls_proto;
char *var_smtp_tls_ciph; char *var_smtp_tls_ciph;
char *var_smtp_tls_eccert_file; char *var_smtp_tls_eccert_file;
char *var_smtp_tls_eckey_file; char *var_smtp_tls_eckey_file;
bool var_smtp_tls_blk_early_mail_reply;
#endif #endif

View File

@ -119,6 +119,7 @@ typedef struct SMTP_STATE {
#define SMTP_FEATURE_PIX_NO_ESMTP (1<<16) /* PIX smtp fixup mode */ #define SMTP_FEATURE_PIX_NO_ESMTP (1<<16) /* PIX smtp fixup mode */
#define SMTP_FEATURE_PIX_DELAY_DOTCRLF (1<<17) /* PIX smtp fixup mode */ #define SMTP_FEATURE_PIX_DELAY_DOTCRLF (1<<17) /* PIX smtp fixup mode */
#define SMTP_FEATURE_XFORWARD_PORT (1<<18) #define SMTP_FEATURE_XFORWARD_PORT (1<<18)
#define SMTP_FEATURE_EARLY_TLS_MAIL_REPLY (1<<19) /* CVE-2009-3555 */
/* /*
* Features that passivate under the endpoint. * Features that passivate under the endpoint.
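Review bot: SMTP_FEATURE_EARLY_TLS_MAIL_REPLY is a per-session detection result, not a server capability, so it correctly sits outside the mask described by the following "Features that passivate under the endpoint" comment; a one-line note next to the define saying it must never be added to that mask would prevent a cached connection from inheriting a false positive if the masks are reorganised later.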

View File

@ -103,6 +103,7 @@
#ifdef USE_TLS #ifdef USE_TLS
VAR_SMTP_TLS_ENFORCE_PN, DEF_SMTP_TLS_ENFORCE_PN, &var_smtp_tls_enforce_peername, VAR_SMTP_TLS_ENFORCE_PN, DEF_SMTP_TLS_ENFORCE_PN, &var_smtp_tls_enforce_peername,
VAR_SMTP_TLS_NOTEOFFER, DEF_SMTP_TLS_NOTEOFFER, &var_smtp_tls_note_starttls_offer, VAR_SMTP_TLS_NOTEOFFER, DEF_SMTP_TLS_NOTEOFFER, &var_smtp_tls_note_starttls_offer,
VAR_SMTP_TLS_BLK_EARLY_MAIL_REPLY, DEF_SMTP_TLS_BLK_EARLY_MAIL_REPLY, &var_smtp_tls_blk_early_mail_reply,
#endif #endif
VAR_SMTP_SENDER_AUTH, DEF_SMTP_SENDER_AUTH, &var_smtp_sender_auth, VAR_SMTP_SENDER_AUTH, DEF_SMTP_SENDER_AUTH, &var_smtp_sender_auth,
VAR_SMTP_CNAME_OVERR, DEF_SMTP_CNAME_OVERR, &var_smtp_cname_overr, VAR_SMTP_CNAME_OVERR, DEF_SMTP_CNAME_OVERR, &var_smtp_cname_overr,

View File

@ -1292,6 +1292,36 @@ static int smtp_loop(SMTP_STATE *state, NOCLOBBER int send_state,
&& (session->features & SMTP_FEATURE_AUTH)) && (session->features & SMTP_FEATURE_AUTH))
vstring_strcat(next_command, " AUTH=<>"); vstring_strcat(next_command, " AUTH=<>");
#endif #endif
/*
* CVE-2009-3555 (TLS renegotiation). Try to detect a mail
* hijacking attack that prepends malicious EHLO/MAIL/RCPT/DATA
* commands to our TLS session.
*
* For the attack to succeed, the remote SMTP server must reply to
* the malicious EHLO/MAIL/RCPT/DATA commands after completing
* TLS (re)negotiation, so that the replies arrive in our TLS
* session (otherwise the Postfix SMTP client would time out
* waiting for an answer). With some luck we can detect this
* specific attack as a server MAIL reply that arrives before we
* send our own MAIL command.
*
* We don't apply this test to the HELO command because the result
* would be very timing sensitive, and we don't apply this test
* to RCPT and DATA replies because these may be pipelined for
* legitimate reasons.
*/
#ifdef USE_TLS
if (var_smtp_tls_blk_early_mail_reply
&& (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) != 0
&& (vstream_peek(session->stream) > 0
|| peekfd(vstream_fileno(session->stream)) > 0))
session->features |= SMTP_FEATURE_EARLY_TLS_MAIL_REPLY;
#endif
/*
* We now return to our regular broadcast.
*/
next_state = SMTP_STATE_RCPT; next_state = SMTP_STATE_RCPT;
break; break;
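Review bot: the pending-input test treats any unread byte as an attack indicator, so a legitimate server that emits an unsolicited TLS record (a warning alert or ChangeCipherSpec, as the second hunk's comment concedes) between its EHLO reply and our MAIL command is flagged too; the comment here should name that false-positive case so the soft (4.x) deferral in the receive path is understood as deliberate. Note also that vstream_peek() inspects the decrypted buffer while peekfd() inspects the raw socket, and a negative peekfd() return (error or unsupported) silently disables the check; a msg_info at debug verbosity on that path would make "the feature does nothing here" diagnosable. The comment says EHLO where the documentation says HELO.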
@ -1512,6 +1542,32 @@ static int smtp_loop(SMTP_STATE *state, NOCLOBBER int send_state,
xfer_request[SMTP_STATE_MAIL]); xfer_request[SMTP_STATE_MAIL]);
mail_from_rejected = 1; mail_from_rejected = 1;
} }
/*
* CVE-2009-3555 (TLS renegotiation). Whatever it was
* that arrived before we sent our MAIL FROM command, it
* was not a fatal-level TLS alert message. It could be a
* warning-level TLS alert message, or a ChangeCipherSpec
* message, but such messages are not normally sent in
* the middle of a TLS session. We disconnect and try
* again later.
*/
#ifdef USE_TLS
if (var_smtp_tls_blk_early_mail_reply
&& (session->features & SMTP_FEATURE_EARLY_TLS_MAIL_REPLY)) {
smtp_site_fail(state, DSN_BY_LOCAL_MTA,
SMTP_RESP_FAKE(&fake, "4.7.0"),
"unexpected server message");
msg_warn("server %s violates %s policy",
session->namaddr,
VAR_SMTP_TLS_BLK_EARLY_MAIL_REPLY);
mail_from_rejected = 1;
}
#endif
/*
* We now return to our regular broadcast.
*/
recv_state = SMTP_STATE_RCPT; recv_state = SMTP_STATE_RCPT;
break; break;
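Review bot: this block runs after the real MAIL reply has already been evaluated, so when the server rejected MAIL and the early-reply flag is set as well, smtp_site_fail() is called a second time for the same transaction and the logs record two failures for one message; guard it with "!mail_from_rejected" or move it ahead of the normal reply evaluation. The hunk uses "fake" without introducing it, so confirm an SMTP_RESP fake is already declared in smtp_loop(). The msg_warn line with session->namaddr is the operator-visible detection signal and deserves a mention in the postconf.proto description.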

View File

@ -183,6 +183,9 @@ static int ial_getifaddrs(INET_ADDR_LIST *addr_list,
for (ifa = ifap; ifa; ifa = ifa->ifa_next) { for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
if (!(ifa->ifa_flags & IFF_UP) || ifa->ifa_addr == 0) if (!(ifa->ifa_flags & IFF_UP) || ifa->ifa_addr == 0)
continue; continue;
/* XXX Should we cons up a default mask instead? */
if (ifa->ifa_netmask == 0)
continue;
sa = ifa->ifa_addr; sa = ifa->ifa_addr;
sam = ifa->ifa_netmask; sam = ifa->ifa_netmask;
if (af != AF_UNSPEC && sa->sa_family != af) if (af != AF_UNSPEC && sa->sa_family != af)
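Review bot: this change is unrelated to the CVE-2009-3555 workaround and would be clearer as its own commit with a HISTORY entry. Skipping interfaces whose ifa_netmask is NULL drops their addresses from the local interface list silently, so on a platform that reports no mask for some interface types the host stops recognising those addresses as its own with nothing in the log; either resolve the XXX by constructing a default (host) mask, or at least emit a msg_info/msg_warn naming the interface so the omission is diagnosable.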