From d42f0b6b3f5c97f2e3af8c88b02af06772da5ea1 Mon Sep 17 00:00:00 2001 From: Wietse Venema Date: Mon, 3 Aug 2009 00:00:00 -0500 Subject: [PATCH] postfix-2.7-20090803 --- postfix/HISTORY | 17 +++++++++++++++++ postfix/RELEASE_NOTES | 16 ++++++++++++++++ postfix/conf/postmulti-script | 13 ++++--------- postfix/html/postconf.5.html | 14 +++++++++----- postfix/man/man5/postconf.5 | 14 +++++++++----- postfix/proto/postconf.proto | 14 +++++++++----- postfix/src/global/mail_version.h | 2 +- postfix/src/smtpd/smtpd_check.c | 20 ++++++++++++++++++-- 8 files changed, 83 insertions(+), 27 deletions(-) diff --git a/postfix/HISTORY b/postfix/HISTORY index 9cd139277..1fc1ec5f6 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -15324,3 +15324,20 @@ Apologies for any names omitted. Cleanup: ${multi_instance_name:postfix}${multi_instance_name ?$multi_instance_name} garbage in Postfix logging is now hopefully gone. File: global/mail_task.c. + +20090715 + + Documentation: as of Postfix 2.6, the reject_unauth_pipelining + feature can be used meaningfully at any protocol stage. + File: proto/postconf.proto. + +20090803 + + Workaround: with some local DNS servers including BIND, it + is possible that A or MX lookups succeed, while NS lookups + for the same domains time out. Spammers use this to avoid + access restrictions. To deal with future variations of + this, check_{client,helo,sender,etc}_{mx,ns,etc}_access no + longer tolerate any lookup failures. Instead, they reply + with $access_map_defer_code or $access_map_reject_code as + appropriate. File: smtpd/smtpd_check.c. diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index 620a44132..31e754323 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES 
@@ -14,6 +14,22 @@ specifies the release date of a stable release or snapshot release. If you upgrade from Postfix 2.5 or earlier, read RELEASE_NOTES-2.6 before proceeding. +Incompatibility with snapshot 20090803-nonprod +============================================== + +The check_{client,helo,sender,etc}_{mx,ns,etc}_access features no +longer tolerate any lookup failures. Instead, they now reply with +$access_map_defer_code or $access_map_reject_code as appropriate. + +The reason for this change is that spammers are using tricks where +A or MX lookups succeed while NS lookups for the same domains fail, +depending local DNS infrastructure details. The change deals with +future variants of this anomalous behavior. + +As a side effect, non-existent domain names in HELO commands will +now trigger a REJECT action with check_helo_{mx,ns}_access, where +previously such commands were silently permitted. + Incompatibility with snapshot 20090606 ====================================== diff --git a/postfix/conf/postmulti-script b/postfix/conf/postmulti-script index 1c3f3ad88..417a8718a 100644 --- a/postfix/conf/postmulti-script +++ b/postfix/conf/postmulti-script 
@@ -229,15 +229,10 @@ deport)
 destroy)
- # "postmulti -e destroy" will remove an entire instance only
- # when invoked immediately after "postmulti -e create". Trying
- # to remove more files is too dangerous.
- #
- # By design, postfix-owned directory trees are not trusted, and
- # any action within those directory trees must not affect files
- # outside those trees (e.g. via symlink race attacks). Therefore
- # we use only known-to-be-safe names and nothing with a / because
- # that could be subject to races.
+ # "postmulti -e destroy" will remove an entire instance only when
+ # invoked immediately after "postmulti -e create" (i.e. before
+ # other files are added to the instance). We delete only known
+ # safe names without "/".
 #
 QUEUE_SUBDIRS="active bounce corrupt defer deferred flush hold \
 incoming maildrop pid private public saved trace"
diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html
index bcdf362d9..9dced2a3f 100644
--- a/postfix/html/postconf.5.html
+++ b/postfix/html/postconf.5.html
@@ -10735,11 +10735,15 @@ of time where it is not allowed, or when the client sends SMTP commands ahead of time without knowing that Postfix actually supports ESMTP command pipelining. This stops mail from bulk mail software that improperly uses ESMTP command pipelining in order to speed up
-deliveries.
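Review bot: The rewritten comment in the destroy) branch keeps the rule ("only known safe names without /") but drops the reason the removed text gave for it — that postfix-owned directory trees are not trusted and a name containing "/" could be redirected outside the tree by a symlink race. Without that rationale the next maintainer has no signal that extending QUEUE_SUBDIRS with a path component would reopen the race. Keep one sentence of the why next to the rule, e.g. `# Names containing "/" are avoided on purpose: the instance tree is not` / `# trusted, and a path could be redirected by a symlink race outside it.` The destroy) branch appears to continue past the end of the hunk.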
Note: reject_unauth_pipelining is not useful -outside smtpd_data_restrictions when 1) the client uses ESMTP (EHLO -instead of HELO) and 2) with "smtpd_delay_reject = yes" (the -default). The use of reject_unauth_pipelining in the other -restriction contexts is therefore not recommended. +deliveries. +
With Postfix 2.6 and later, the SMTP server sets a per-session +flag whenever it detects illegal pipelining, including pipelined +EHLO or HELO commands. The reject_unauth_pipelining feature simply +tests whether the flag was set at any point in time during the +session. +
With older Postfix versions, reject_unauth_pipelining checks +the current status of the input read queue, and its usage is not +recommended in contexts other than smtpd_data_restrictions.
reject
diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5 index 76c201bf9..e984d837b 100644 --- a/postfix/man/man5/postconf.5 +++ b/postfix/man/man5/postconf.5 @@ -6574,11 +6574,15 @@ ESMTP command pipelining. This stops mail from bulk mail software that improperly uses ESMTP command pipelining in order to speed up deliveries. .br -Note: reject_unauth_pipelining is not useful -outside smtpd_data_restrictions when 1) the client uses ESMTP (EHLO -instead of HELO) and 2) with "smtpd_delay_reject = yes" (the -default). The use of reject_unauth_pipelining in the other -restriction contexts is therefore not recommended. +With Postfix 2.6 and later, the SMTP server sets a per-session +flag whenever it detects illegal pipelining, including pipelined +EHLO or HELO commands. The reject_unauth_pipelining feature simply +tests whether the flag was set at any point in time during the +session. +.br +With older Postfix versions, reject_unauth_pipelining checks +the current status of the input read queue, and its usage is not +recommended in contexts other than smtpd_data_restrictions. .IP "\fBreject\fR" Reject the request. This restriction is useful at the end of a restriction list, to make the default policy explicit. The diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto index 348a7927b..1c988ec03 100644 --- a/postfix/proto/postconf.proto +++ b/postfix/proto/postconf.proto @@ -4939,11 +4939,15 @@ of time where it is not allowed, or when the client sends SMTP commands ahead of time without knowing that Postfix actually supports ESMTP command pipelining. This stops mail from bulk mail software that improperly uses ESMTP command pipelining in order to speed up -deliveries.
Note: reject_unauth_pipelining is not useful -outside smtpd_data_restrictions when 1) the client uses ESMTP (EHLO -instead of HELO) and 2) with "smtpd_delay_reject = yes" (the -default). The use of reject_unauth_pipelining in the other -restriction contexts is therefore not recommended. +deliveries. +
With Postfix 2.6 and later, the SMTP server sets a per-session +flag whenever it detects illegal pipelining, including pipelined +EHLO or HELO commands. The reject_unauth_pipelining feature simply +tests whether the flag was set at any point in time during the +session. +
With older Postfix versions, reject_unauth_pipelining checks +the current status of the input read queue, and its usage is not +recommended in contexts other than smtpd_data_restrictions.
reject
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index 877572a02..d93cc4361 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
 * Patches change both the patchlevel and the release date. Snapshots have no
 * patchlevel; they change the release date only.
 */
-#define MAIL_RELEASE_DATE "20090712"
+#define MAIL_RELEASE_DATE "20090803"
 #define MAIL_VERSION_NUMBER "2.7"
 #ifdef SNAPSHOT
diff --git a/postfix/src/smtpd/smtpd_check.c b/postfix/src/smtpd/smtpd_check.c
index ea3dfbf9c..74d86ec47 100644
--- a/postfix/src/smtpd/smtpd_check.c
+++ b/postfix/src/smtpd/smtpd_check.c
@@ -2575,7 +2575,14 @@ static int check_server_access(SMTPD_STATE *state, const char *table,
 if (dns_status != DNS_OK) {
 msg_warn("Unable to look up %s host for %s: %s", dns_strtype(type), domain && domain[1] ? domain : name, dns_strerror(h_errno));
- return (SMTPD_CHECK_DUNNO);
+ /* No mercy for DNS failure. */
+ return (smtpd_check_reject(state, MAIL_ERROR_POLICY,
+ dns_status == DNS_NOTFOUND ?
+ var_map_reject_code : var_map_defer_code,
+ smtpd_dsn_fix("4.1.8", reply_class),
+ "<%s>: %s rejected: %s",
+ reply_name, reply_class,
+ "Domain not found"));
 }
 /*
@@ -2600,7 +2607,16 @@ static int check_server_access(SMTPD_STATE *state, const char *table,
 msg_warn("Unable to look up %s host %s for %s %s: %s", dns_strtype(type), (char *) server->data, reply_class, reply_name, MAI_STRERROR(aierr));
- continue;
+ /* No mercy for DNS failure. */
+ status = smtpd_check_reject(state,
+ MAIL_ERROR_POLICY,
+ aierr == EAI_NONAME ?
+ var_map_reject_code : var_map_defer_code,
+ smtpd_dsn_fix("4.1.8", reply_class),
+ "<%s>: %s rejected: %s",
+ reply_name, reply_class,
+ "Domain not found");
+ CHECK_SERVER_RETURN(status);
 }
 /* Now we must also free the addrinfo result. */
 if (msg_verbose)
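Review bot: In the first smtpd_check.c hunk the reply text "Domain not found" is sent for every dns_status other than DNS_OK, but only DNS_NOTFOUND selects var_map_reject_code; a timeout or server failure is answered with var_map_defer_code and a message that claims the domain does not exist, which misleads the remote postmaster and hides exactly the NS-timeout behaviour the HISTORY entry describes. Choose the text together with the code, e.g. replace the final literal with `dns_status == DNS_NOTFOUND ? "Domain not found" : "Temporary lookup failure"`, or reuse the dns_strerror(h_errno) text that the preceding msg_warn already logs. The second hunk reuses the same literal for every getaddrinfo() error other than EAI_NONAME and would want the same treatment. check_server_access starts before this hunk and continues after it.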
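Review bot: In the second smtpd_check.c hunk only aierr == EAI_NONAME is treated as a permanent failure, so EAI_FAIL (the POSIX "non-recoverable" name-server error) and, on platforms that still return it, EAI_NODATA fall into the var_map_defer_code branch; an MX or NS host name that can never resolve is then tempfailed and retried until the sender gives up rather than rejected, which is the opposite of what the defer/reject split in the first hunk intends. If the intent is "permanent failures reject, transient ones defer", widen the test to `(aierr == EAI_NONAME || aierr == EAI_FAIL) ? var_map_reject_code : var_map_defer_code` and add EAI_NODATA under `#ifdef EAI_NODATA`; keeping EAI_AGAIN, EAI_MEMORY and EAI_SYSTEM on the defer side is still right, since those are local conditions. Which error codes this platform's getaddrinfo() actually returns is not visible in the hunk, so confirm before changing policy. The enclosing loop and check_server_access continue outside the hunk.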