postfix-2.7-20090803

postfix/HISTORY

@@ -15324,3 +15324,20 @@ Apologies for any names omitted.
 	Cleanup: ${multi_instance_name:postfix}${multi_instance_name
 	?$multi_instance_name} garbage in Postfix logging is now
 	hopefully gone.  File: global/mail_task.c.
+
+20090715
+
+	Documentation: as of Postfix 2.6, the reject_unauth_pipelining
+	feature can be used meaningfully at any protocol stage.
+	File: proto/postconf.proto.
+
+20090803
+
+	Workaround: with some local DNS servers including BIND, it
+	is possible that A or MX lookups succeed, while NS lookups
+	for the same domains time out.  Spammers use this to avoid
+	access restrictions.  To deal with future variations of
+	this, check_{client,helo,sender,etc}_{mx,ns,etc}_access no
+	longer tolerate any lookup failures. Instead, they reply
+	with $access_map_defer_code or $access_map_reject_code as
+	appropriate. File: smtpd/smtpd_check.c.

postfix/RELEASE_NOTES

@@ -14,6 +14,22 @@ specifies the release date of a stable release or snapshot release.
 If you upgrade from Postfix 2.5 or earlier, read RELEASE_NOTES-2.6
 before proceeding.
 
+Incompatibility with snapshot 20090803-nonprod
+==============================================
+
+The check_{client,helo,sender,etc}_{mx,ns,etc}_access features no
+longer tolerate any lookup failures. Instead, they now reply with
+$access_map_defer_code or $access_map_reject_code as appropriate.
+
+The reason for this change is that spammers are using tricks where
+A or MX lookups succeed while NS lookups for the same domains fail,
+depending local DNS infrastructure details.  The change deals with
+future variants of this anomalous behavior.
+
+As a side effect, non-existent domain names in HELO commands will
+now trigger a REJECT action with check_helo_{mx,ns}_access, where
+previously such commands were silently permitted.
+
 Incompatibility with snapshot 20090606
 ======================================
 

postfix/conf/postmulti-script

@@ -229,15 +229,10 @@ deport)
 
 destroy)
 
-    # "postmulti -e destroy" will remove an entire instance only
-    # when invoked immediately after "postmulti -e create". Trying
-    # to remove more files is too dangerous.
-    #
-    # By design, postfix-owned directory trees are not trusted, and
-    # any action within those directory trees must not affect files
-    # outside those trees (e.g. via symlink race attacks). Therefore
-    # we use only known-to-be-safe names and nothing with a / because
-    # that could be subject to races.
+    # "postmulti -e destroy" will remove an entire instance only when
+    # invoked immediately after "postmulti -e create" (i.e. before
+    # other files are added to the instance). We delete only known
+    # safe names without "/".
     #
     QUEUE_SUBDIRS="active bounce corrupt defer deferred flush hold \
     incoming maildrop pid private public saved trace"

postfix/html/postconf.5.html

@@ -10735,11 +10735,15 @@ of time where it is not allowed, or when the client sends SMTP
 commands ahead of time without knowing that Postfix actually supports
 ESMTP command pipelining. This stops mail from bulk mail software
 that improperly uses ESMTP command pipelining in order to speed up
-deliveries. <br> Note: <a href="postconf.5.html#reject_unauth_pipelining">reject_unauth_pipelining</a> is not useful
-outside <a href="postconf.5.html#smtpd_data_restrictions">smtpd_data_restrictions</a> when 1) the client uses ESMTP (EHLO
-instead of HELO) and 2) with "<a href="postconf.5.html#smtpd_delay_reject">smtpd_delay_reject</a> = yes" (the
-default).  The use of <a href="postconf.5.html#reject_unauth_pipelining">reject_unauth_pipelining</a> in the other
-restriction contexts is therefore not recommended.  </dd>
+deliveries.
+<br> With Postfix 2.6 and later, the SMTP server sets a per-session
+flag whenever it detects illegal pipelining, including pipelined
+EHLO or HELO commands. The <a href="postconf.5.html#reject_unauth_pipelining">reject_unauth_pipelining</a> feature simply
+tests whether the flag was set at any point in time during the
+session.
+<br> With older Postfix versions, <a href="postconf.5.html#reject_unauth_pipelining">reject_unauth_pipelining</a> checks
+the current status of the input read queue, and its usage is not
+recommended in contexts other than <a href="postconf.5.html#smtpd_data_restrictions">smtpd_data_restrictions</a>.  </dd>
 
 <dt><b><a name="reject">reject</a></b></dt>
 

postfix/man/man5/postconf.5

@@ -6574,11 +6574,15 @@ ESMTP command pipelining. This stops mail from bulk mail software
 that improperly uses ESMTP command pipelining in order to speed up
 deliveries.
 .br
-Note: reject_unauth_pipelining is not useful
-outside smtpd_data_restrictions when 1) the client uses ESMTP (EHLO
-instead of HELO) and 2) with "smtpd_delay_reject = yes" (the
-default).  The use of reject_unauth_pipelining in the other
-restriction contexts is therefore not recommended.
+With Postfix 2.6 and later, the SMTP server sets a per-session
+flag whenever it detects illegal pipelining, including pipelined
+EHLO or HELO commands. The reject_unauth_pipelining feature simply
+tests whether the flag was set at any point in time during the
+session.
+.br
+With older Postfix versions, reject_unauth_pipelining checks
+the current status of the input read queue, and its usage is not
+recommended in contexts other than smtpd_data_restrictions.
 .IP "\fBreject\fR"
 Reject the request. This restriction is useful at the end of
 a restriction list, to make the default policy explicit.  The

postfix/proto/postconf.proto

@@ -4939,11 +4939,15 @@ of time where it is not allowed, or when the client sends SMTP
 commands ahead of time without knowing that Postfix actually supports
 ESMTP command pipelining. This stops mail from bulk mail software
 that improperly uses ESMTP command pipelining in order to speed up
-deliveries. <br> Note: reject_unauth_pipelining is not useful
-outside smtpd_data_restrictions when 1) the client uses ESMTP (EHLO
-instead of HELO) and 2) with "smtpd_delay_reject = yes" (the
-default).  The use of reject_unauth_pipelining in the other
-restriction contexts is therefore not recommended.  </dd>
+deliveries.
+<br> With Postfix 2.6 and later, the SMTP server sets a per-session
+flag whenever it detects illegal pipelining, including pipelined
+EHLO or HELO commands. The reject_unauth_pipelining feature simply
+tests whether the flag was set at any point in time during the
+session.
+<br> With older Postfix versions, reject_unauth_pipelining checks
+the current status of the input read queue, and its usage is not
+recommended in contexts other than smtpd_data_restrictions.  </dd>
 
 <dt><b><a name="reject">reject</a></b></dt>
 

postfix/src/global/mail_version.h

@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20090712"
+#define MAIL_RELEASE_DATE	"20090803"
 #define MAIL_VERSION_NUMBER	"2.7"
 
 #ifdef SNAPSHOT

postfix/src/smtpd/smtpd_check.c

@@ -2575,7 +2575,14 @@ static int check_server_access(SMTPD_STATE *state, const char *table,
     if (dns_status != DNS_OK) {
 	msg_warn("Unable to look up %s host for %s: %s", dns_strtype(type),
 		 domain && domain[1] ? domain : name, dns_strerror(h_errno));
-	return (SMTPD_CHECK_DUNNO);
+	/* No mercy for DNS failure. */
+	return (smtpd_check_reject(state, MAIL_ERROR_POLICY,
+				   dns_status == DNS_NOTFOUND ?
+				   var_map_reject_code : var_map_defer_code,
+				   smtpd_dsn_fix("4.1.8", reply_class),
+				   "<%s>: %s rejected: %s",
+				   reply_name, reply_class,
+				   "Domain not found"));
     }
 
     /*
@@ -2600,7 +2607,16 @@ static int check_server_access(SMTPD_STATE *state, const char *table,
 	    msg_warn("Unable to look up %s host %s for %s %s: %s",
 		     dns_strtype(type), (char *) server->data,
 		     reply_class, reply_name, MAI_STRERROR(aierr));
-	    continue;
+	    /* No mercy for DNS failure. */
+	    status = smtpd_check_reject(state,
+					MAIL_ERROR_POLICY,
+					aierr == EAI_NONAME ?
+				   var_map_reject_code : var_map_defer_code,
+					smtpd_dsn_fix("4.1.8", reply_class),
+					"<%s>: %s rejected: %s",
+					reply_name, reply_class,
+					"Domain not found");
+	    CHECK_SERVER_RETURN(status);
 	}
 	/* Now we must also free the addrinfo result. */
 	if (msg_verbose)