postfix-2.7-20091110

2025-08-23 02:17:44 +00:00 · 2009-11-10 00:00:00 -05:00 · 2009-11-10 00:00:00 -05:00 · c4461a1730
commit c4461a1730
parent 705c4e1dd4
16 changed files with 288 additions and 143 deletions
--- a/postfix/HISTORY
+++ b/postfix/HISTORY
@ -15487,3 +15487,14 @@ Apologies for any names omitted.
 	caused by an incomplete API change; refined the queue space
 	check; release scratch space immediately after delivering
 	mail to the before-queue filter. Files: smtpd.c, smtpd_proxy.c.
+
+20091110
+
+	Workaround: specify "smtp_tls_block_early_mail_reply = yes"
+	to detect a mail hijacking attack based on a TLS protocol
+	vulnerability (CVE-2009-3555). The attack involves prepending
+	malicious HELO/MAIL/RCPT/DATA commands to a Postfix SMTP
+	client TLS session. The attack would succeed with non-Postfix
+	SMTP servers that reply to the malicious commands after
+	negotiating the Postfix SMTP client TLS session. File:
+	smtp/smtp_proto.c.
--- a/postfix/html/lmtp.8.html
+++ b/postfix/html/lmtp.8.html
@ -534,6 +534,14 @@ SMTP(8)                                                                SMTP(8)
              File with the Postfix SMTP client ECDSA private key
              in PEM format.

+       Available in Postfix version 2.7 and later:
+
+       <b><a href="postconf.5.html#smtp_tls_block_early_mail_reply">smtp_tls_block_early_mail_reply</a> (no)</b>
+              Try to detect a mail hijacking attack  based  on  a
+              TLS  protocol  vulnerability (CVE-2009-3555), where
+              an attacker prepends malicious  HELO/MAIL/RCPT/DATA
+              commands to a Postfix client TLS session.
+
 <b>OBSOLETE STARTTLS CONTROLS</b>
       The  following configuration parameters exist for compati-
       bility with Postfix versions before 2.3. Support for these
@ -781,8 +789,8 @@ SMTP(8)                                                                SMTP(8)
              The hostname to send in the LMTP LHLO command.

       <b><a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a> (dns)</b>
-              What mechanisms when the Postfix SMTP  client  uses
-              to look up a host's IP address.
+              What  mechanisms  the  Postfix  SMTP client uses to
+              look up a host's IP address.

       <b><a href="postconf.5.html#smtp_randomize_addresses">smtp_randomize_addresses</a> (yes)</b>
              Randomize the order  of  equal-preference  MX  host
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@ -9236,6 +9236,21 @@ must be inside the chroot jail. </p>
 <p> This feature is available in Postfix 2.2 and later.  </p>


+</DD>
+
+<DT><b><a name="smtp_tls_block_early_mail_reply">smtp_tls_block_early_mail_reply</a>
+(default: no)</b></DT><DD>
+
+<p> Try to detect a mail hijacking attack based on a TLS protocol
+vulnerability (CVE-2009-3555), where an attacker prepends malicious
+HELO/MAIL/RCPT/DATA commands to a Postfix client TLS session.  The
+attack would succeed with non-Postfix SMTP servers that reply to
+the malicious HELO/MAIL/RCPT/DATA commands after negotiating the
+Postfix SMTP client TLS session.  </p>
+
+<p> This feature is available in Postfix 2.7. </p>
+
+
 </DD>

 <DT><b><a name="smtp_tls_cert_file">smtp_tls_cert_file</a>
--- a/postfix/html/smtp.8.html
+++ b/postfix/html/smtp.8.html
@ -534,6 +534,14 @@ SMTP(8)                                                                SMTP(8)
              File with the Postfix SMTP client ECDSA private key
              in PEM format.

+       Available in Postfix version 2.7 and later:
+
+       <b><a href="postconf.5.html#smtp_tls_block_early_mail_reply">smtp_tls_block_early_mail_reply</a> (no)</b>
+              Try to detect a mail hijacking attack  based  on  a
+              TLS  protocol  vulnerability (CVE-2009-3555), where
+              an attacker prepends malicious  HELO/MAIL/RCPT/DATA
+              commands to a Postfix client TLS session.
+
 <b>OBSOLETE STARTTLS CONTROLS</b>
       The  following configuration parameters exist for compati-
       bility with Postfix versions before 2.3. Support for these
@ -781,8 +789,8 @@ SMTP(8)                                                                SMTP(8)
              The hostname to send in the LMTP LHLO command.

       <b><a href="postconf.5.html#smtp_host_lookup">smtp_host_lookup</a> (dns)</b>
-              What mechanisms when the Postfix SMTP  client  uses
-              to look up a host's IP address.
+              What  mechanisms  the  Postfix  SMTP client uses to
+              look up a host's IP address.

       <b><a href="postconf.5.html#smtp_randomize_addresses">smtp_randomize_addresses</a> (yes)</b>
              Randomize the order  of  equal-preference  MX  host
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@ -5254,6 +5254,15 @@ smtp_tls_CApath = /etc/postfix/certs
 .ft R
 .PP
 This feature is available in Postfix 2.2 and later.
+.SH smtp_tls_block_early_mail_reply (default: no)
+Try to detect a mail hijacking attack based on a TLS protocol
+vulnerability (CVE-2009-3555), where an attacker prepends malicious
+HELO/MAIL/RCPT/DATA commands to a Postfix client TLS session.  The
+attack would succeed with non-Postfix SMTP servers that reply to
+the malicious HELO/MAIL/RCPT/DATA commands after negotiating the
+Postfix SMTP client TLS session.
+.PP
+This feature is available in Postfix 2.7.
 .SH smtp_tls_cert_file (default: empty)
 File with the Postfix SMTP client RSA certificate in PEM format.
 This file may also contain the Postfix SMTP client private RSA key,
--- a/postfix/man/man8/smtp.8
+++ b/postfix/man/man8/smtp.8
@ -430,6 +430,12 @@ will use with opportunistic TLS encryption.
 File with the Postfix SMTP client ECDSA certificate in PEM format.
 .IP "\fBsmtp_tls_eckey_file ($smtp_tls_eccert_file)\fR"
 File with the Postfix SMTP client ECDSA private key in PEM format.
+.PP
+Available in Postfix version 2.7 and later:
+.IP "\fBsmtp_tls_block_early_mail_reply (no)\fR"
+Try to detect a mail hijacking attack based on a TLS protocol
+vulnerability (CVE-2009-3555), where an attacker prepends malicious
+HELO/MAIL/RCPT/DATA commands to a Postfix client TLS session.
 .SH "OBSOLETE STARTTLS CONTROLS"
 .na
 .nf
@ -610,7 +616,7 @@ The hostname to send in the SMTP EHLO or HELO command.
 .IP "\fBlmtp_lhlo_name ($myhostname)\fR"
 The hostname to send in the LMTP LHLO command.
 .IP "\fBsmtp_host_lookup (dns)\fR"
-What mechanisms when the Postfix SMTP client uses to look up a host's IP
+What mechanisms the Postfix SMTP client uses to look up a host's IP
 address.
 .IP "\fBsmtp_randomize_addresses (yes)\fR"
 Randomize the order of equal-preference MX host addresses.
--- a/postfix/mantools/postlink
+++ b/postfix/mantools/postlink
@ -259,6 +259,7 @@ while (<>) {
    s;\blmtp_enforce_tls\b;<a href="postconf.5.html#lmtp_enforce_tls">$&</a>;g;
    s;\blmtp_tls_enforce_peername\b;<a href="postconf.5.html#lmtp_tls_enforce_peername">$&</a>;g;
    s;\blmtp_tls_note_starttls_offer\b;<a href="postconf.5.html#lmtp_tls_note_starttls_offer">$&</a>;g;
+    s;\blmtp_tls_block_early_mail_reply\b;<a href="postconf.5.html#lmtp_tls_block_early_mail_reply">$&</a>;g;
    s;\blmtp_sender_dependent_authentication\b;<a href="postconf.5.html#lmtp_sender_dependent_authentication">$&</a>;g;
    s;\blmtp_sasl_path\b;<a href="postconf.5.html#lmtp_sasl_path">$&</a>;g;
    s;\blmtp_lhlo_name\b;<a href="postconf.5.html#lmtp_lhlo_name">$&</a>;g;
@ -613,6 +614,7 @@ while (<>) {
    s;\bsmtp_tls_security_level\b;<a href="postconf.5.html#smtp_tls_security_level">$&</a>;g;
    s;\bsmtp_tls_session_cache_database\b;<a href="postconf.5.html#smtp_tls_session_cache_database">$&</a>;g;
    s;\bsmtp_tls_session_cache_timeout\b;<a href="postconf.5.html#smtp_tls_session_cache_timeout">$&</a>;g;
+    s;\bsmtp_tls_block_early_mail_reply\b;<a href="postconf.5.html#smtp_tls_block_early_mail_reply">$&</a>;g;
    s;\bsmtp_use_tls\b;<a href="postconf.5.html#smtp_use_tls">$&</a>;g;
    s;\bsmtp_header_checks\b;<a href="postconf.5.html#smtp_header_checks">$&</a>;g;
    s;\bsmtp_mime_header_checks\b;<a href="postconf.5.html#smtp_mime_header_checks">$&</a>;g;
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@ -12625,3 +12625,14 @@ result value is executed by the Postfix SMTP server.  </p>
 </pre>

 <p> This feature is available in Postfix 2.7. </p>
+
+%PARAM smtp_tls_block_early_mail_reply no
+
+<p> Try to detect a mail hijacking attack based on a TLS protocol
+vulnerability (CVE-2009-3555), where an attacker prepends malicious
+HELO/MAIL/RCPT/DATA commands to a Postfix client TLS session.  The
+attack would succeed with non-Postfix SMTP servers that reply to
+the malicious HELO/MAIL/RCPT/DATA commands after negotiating the
+Postfix SMTP client TLS session.  </p>
+
+<p> This feature is available in Postfix 2.7. </p>
--- a/postfix/src/global/mail_params.h
+++ b/postfix/src/global/mail_params.h
@ -1465,6 +1465,12 @@ extern char *var_smtp_tls_sec_cmatch;
 #define DEF_LMTP_TLS_FPT_CMATCH ""
 extern char *var_smtp_tls_fpt_cmatch;

+#define VAR_SMTP_TLS_BLK_EARLY_MAIL_REPLY "smtp_tls_block_early_mail_reply"
+#define DEF_SMTP_TLS_BLK_EARLY_MAIL_REPLY 0
+#define VAR_LMTP_TLS_BLK_EARLY_MAIL_REPLY "lmtp_tls_block_early_mail_reply"
+#define DEF_LMTP_TLS_BLK_EARLY_MAIL_REPLY 0
+extern bool var_smtp_tls_blk_early_mail_reply;
+
 /*
  * SASL authentication support, SMTP server side.
  */
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@ -20,7 +20,7 @@
  * Patches change both the patchlevel and the release date. Snapshots have no
  * patchlevel; they change the release date only.
  */
-#define MAIL_RELEASE_DATE	"20091109"
+#define MAIL_RELEASE_DATE	"20091110"
 #define MAIL_VERSION_NUMBER	"2.7"

 #ifdef SNAPSHOT
--- a/postfix/src/smtp/lmtp_params.c
+++ b/postfix/src/smtp/lmtp_params.c
@ -99,6 +99,7 @@
 #ifdef USE_TLS
 	VAR_LMTP_TLS_ENFORCE_PN, DEF_LMTP_TLS_ENFORCE_PN, &var_smtp_tls_enforce_peername,
 	VAR_LMTP_TLS_NOTEOFFER, DEF_LMTP_TLS_NOTEOFFER, &var_smtp_tls_note_starttls_offer,
+	VAR_LMTP_TLS_BLK_EARLY_MAIL_REPLY, DEF_LMTP_TLS_BLK_EARLY_MAIL_REPLY, &var_smtp_tls_blk_early_mail_reply,
 #endif
 	VAR_LMTP_SENDER_AUTH, DEF_LMTP_SENDER_AUTH, &var_smtp_sender_auth,
 	VAR_LMTP_CNAME_OVERR, DEF_LMTP_CNAME_OVERR, &var_smtp_cname_overr,
--- a/postfix/src/smtp/smtp.c
+++ b/postfix/src/smtp/smtp.c
@ -400,6 +400,12 @@
 /*	File with the Postfix SMTP client ECDSA certificate in PEM format.
 /* .IP "\fBsmtp_tls_eckey_file ($smtp_tls_eccert_file)\fR"
 /*	File with the Postfix SMTP client ECDSA private key in PEM format.
+/* .PP
+/*	Available in Postfix version 2.7 and later:
+/* .IP "\fBsmtp_tls_block_early_mail_reply (no)\fR"
+/*	Try to detect a mail hijacking attack based on a TLS protocol
+/*	vulnerability (CVE-2009-3555), where an attacker prepends malicious
+/*	HELO/MAIL/RCPT/DATA commands to a Postfix client TLS session.
 /* OBSOLETE STARTTLS CONTROLS
 /* .ad
 /* .fi
@ -572,7 +578,7 @@
 /* .IP "\fBlmtp_lhlo_name ($myhostname)\fR"
 /*	The hostname to send in the LMTP LHLO command.
 /* .IP "\fBsmtp_host_lookup (dns)\fR"
-/*	What mechanisms when the Postfix SMTP client uses to look up a host's IP
+/*	What mechanisms the Postfix SMTP client uses to look up a host's IP
 /*	address.
 /* .IP "\fBsmtp_randomize_addresses (yes)\fR"
 /*	Randomize the order of equal-preference MX host addresses.
@ -769,6 +775,7 @@ char   *var_smtp_tls_proto;
 char   *var_smtp_tls_ciph;
 char   *var_smtp_tls_eccert_file;
 char   *var_smtp_tls_eckey_file;
+bool    var_smtp_tls_blk_early_mail_reply;

 #endif

--- a/postfix/src/smtp/smtp.h
+++ b/postfix/src/smtp/smtp.h
@ -119,6 +119,7 @@ typedef struct SMTP_STATE {
 #define SMTP_FEATURE_PIX_NO_ESMTP	(1<<16)	/* PIX smtp fixup mode */
 #define SMTP_FEATURE_PIX_DELAY_DOTCRLF	(1<<17)	/* PIX smtp fixup mode */
 #define SMTP_FEATURE_XFORWARD_PORT	(1<<18)
+#define SMTP_FEATURE_EARLY_TLS_MAIL_REPLY (1<<19)	/* CVE-2009-3555 */

 /*
  * Features that passivate under the endpoint.
--- a/postfix/src/smtp/smtp_params.c
+++ b/postfix/src/smtp/smtp_params.c
@ -103,6 +103,7 @@
 #ifdef USE_TLS
 	VAR_SMTP_TLS_ENFORCE_PN, DEF_SMTP_TLS_ENFORCE_PN, &var_smtp_tls_enforce_peername,
 	VAR_SMTP_TLS_NOTEOFFER, DEF_SMTP_TLS_NOTEOFFER, &var_smtp_tls_note_starttls_offer,
+	VAR_SMTP_TLS_BLK_EARLY_MAIL_REPLY, DEF_SMTP_TLS_BLK_EARLY_MAIL_REPLY, &var_smtp_tls_blk_early_mail_reply,
 #endif
 	VAR_SMTP_SENDER_AUTH, DEF_SMTP_SENDER_AUTH, &var_smtp_sender_auth,
 	VAR_SMTP_CNAME_OVERR, DEF_SMTP_CNAME_OVERR, &var_smtp_cname_overr,
--- a/postfix/src/smtp/smtp_proto.c
+++ b/postfix/src/smtp/smtp_proto.c
@ -1292,6 +1292,36 @@ static int smtp_loop(SMTP_STATE *state, NOCLOBBER int send_state,
 		&& (session->features & SMTP_FEATURE_AUTH))
 		vstring_strcat(next_command, " AUTH=<>");
 #endif
+
+	    /*
+	     * CVE-2009-3555 (TLS renegotiation). Try to detect a mail
+	     * hijacking attack that prepends malicious EHLO/MAIL/RCPT/DATA
+	     * commands to our TLS session.
+	     * 
+	     * For the attack to succeed, the remote SMTP server must reply to
+	     * the malicious EHLO/MAIL/RCPT/DATA commands after completing
+	     * TLS (re)negotiation, so that the replies arrive in our TLS
+	     * session (otherwise the Postfix SMTP client would time out
+	     * waiting for an answer). With some luck we can detect this
+	     * specific attack as a server MAIL reply that arrives before we
+	     * send our own MAIL command.
+	     * 
+	     * We don't apply this test to the HELO command because the result
+	     * would be very timing sensitive, and we don't apply this test
+	     * to RCPT and DATA replies because these may be pipelined for
+	     * legitimate reasons.
+	     */
+#ifdef USE_TLS
+	    if (var_smtp_tls_blk_early_mail_reply
+		&& (state->misc_flags & SMTP_MISC_FLAG_IN_STARTTLS) != 0
+		&& (vstream_peek(session->stream) > 0
+		    || peekfd(vstream_fileno(session->stream)) > 0))
+		session->features |= SMTP_FEATURE_EARLY_TLS_MAIL_REPLY;
+#endif
+
+	    /*
+	     * We now return to our regular broadcast.
+	     */
 	    next_state = SMTP_STATE_RCPT;
 	    break;

@ -1512,6 +1542,32 @@ static int smtp_loop(SMTP_STATE *state, NOCLOBBER int send_state,
 				       xfer_request[SMTP_STATE_MAIL]);
 			mail_from_rejected = 1;
 		    }
+
+		    /*
+		     * CVE-2009-3555 (TLS renegotiation). Whatever it was
+		     * that arrived before we sent our MAIL FROM command, it
+		     * was not a fatal-level TLS alert message. It could be a
+		     * warning-level TLS alert message, or a ChangeCipherSpec
+		     * message, but such messages are not normally sent in
+		     * the middle of a TLS session. We disconnect and try
+		     * again later.
+		     */
+#ifdef USE_TLS
+		    if (var_smtp_tls_blk_early_mail_reply
+			&& (session->features & SMTP_FEATURE_EARLY_TLS_MAIL_REPLY)) {
+			smtp_site_fail(state, DSN_BY_LOCAL_MTA,
+				       SMTP_RESP_FAKE(&fake, "4.7.0"),
+				       "unexpected server message");
+			msg_warn("server %s violates %s policy",
+				 session->namaddr,
+				 VAR_SMTP_TLS_BLK_EARLY_MAIL_REPLY);
+			mail_from_rejected = 1;
+		    }
+#endif
+
+		    /*
+		     * We now return to our regular broadcast.
+		     */
 		    recv_state = SMTP_STATE_RCPT;
 		    break;

--- a/postfix/src/util/inet_addr_local.c
+++ b/postfix/src/util/inet_addr_local.c
@ -183,6 +183,9 @@ static int ial_getifaddrs(INET_ADDR_LIST *addr_list,
    for (ifa = ifap; ifa; ifa = ifa->ifa_next) {
 	if (!(ifa->ifa_flags & IFF_UP) || ifa->ifa_addr == 0)
 	    continue;
+	/* XXX Should we cons up a default mask instead? */
+	if (ifa->ifa_netmask == 0)
+	    continue;				
 	sa = ifa->ifa_addr;
 	sam = ifa->ifa_netmask;
 	if (af != AF_UNSPEC && sa->sa_family != af)