name:
mail.* -/var/log/mail.log
-
-SPAM BLOCKING SOURCE ROUTED ADDRESSES
-=====================================
-
-If you are responsible for a backup MX host for some domain (either
-your own domain or the domain of some other organization) it is
-prudent to block addresses with multiple address operators at the
-SMTP port, such as:
-
- user@elsewhere@some.domain
- user%elsewhere@some.domain
- elsewhere!user@some.domain
-
-The problem is that the primary MX host for some.domain may forward
-the above to user@elsewhere. This can happen because the primary
-MX host somehow "trusts" your backup MX host, or because the primary
-MX host is badly configured.
-
-The bad news is that your backup MX machine can end up on a black
-list because it accepted the mail, even though the problem involves
-a primary MX host that perhaps is not under your control.
-
-The simplest solution is to install a regular expression filter:
-
- /etc/postfix/main.cf:
- smtpd_recipient_restrictions =
- regexp:/etc/postfix/regexp_access
- ...other restrictions...
-
- /etc/postfix/regexp_access:
- /[%!@].*[%!@]/ 550 Sender specified routing is not supported here.
-
-For the local domain, Postfix will do the right thing with:
-
- user@elsewhere@my.own.domain
- user%elsewhere@my.own.domain
- elsewhere!user@my.own.domain
-
-That is, it bounces the first form because "user@elsewhere" is not
-a valid local user, and it accepts the second and third forms only
-when user@elsewhere is a valid relay destination.
Bugfix: the relative symlink code in INSTALL.sh computed
the ../ prefix from the wrong pathname.
-1999122[56]
-
- Feature: "allow_routed_relaying = no" (default) disallows
- forwarding of mail with sender-specified routing (example:
- user%domain2@domain1, user@domain2@domain1, etc.). This
- plugs an "open relay" loophole where a backup MX host would
- forward junk mail to a primary MX host which would forward
- it to the Internet. Files: global/quote_822_local.c,
- smtp/quote_821_local.c, trivial-rewrite/rewrite.c,
- trivial-rewrite/resolve.c, smtp/smtpd_check.c.
-
- In order to make this possible, the resolver now passes a
- status back to the client that says if the result is a
- routed address.
+1999122[5-7]
+
+ Feature: "allow_untrusted_routing = no" (default) prevents
+ forwarding of source-routed mail from untrusted clients to
+ destinations that are blessed by the relay_domains parameter
+ (example: user@domain2@domain1 etc.). This plugs a mail
+ relay loophole where a backup MX host forwards junk mail
+ to a primary MX host which forwards the junk to the Internet.
+ Files: global/quote_822_local.c, smtp/quote_821_local.c,
+ trivial-rewrite/rewrite.c, trivial-rewrite/resolve.c,
+ smtp/smtpd_check.c.
+
+ In order to make this possible, the Postfix resolver data
+ structure and protocol has changed, so that all resolver
+ clients need to be re-compiled.
Side effect from the above change: from now on, an address
with @ in the recipient localpart no longer bounces with
-Incompatible changes with snapshot 19991226
+Incompatible changes with snapshot 19991227
===========================================
-- The SMTP server by default no longer forwards mail to non-local
-destinations with sender-specified routing (stuff[@%!]stuff[@%!]stuff).
-This closes an open relay loophole with primary and secondary MX
-hosts. To get old behavior, specify "allow_routed_relaying = yes".
+- The SMTP server no longer forwards mail from untrusted clients
+with sender-specified routing (stuff[@%!]stuff[@%!]stuff) to
+destinations that are authorized by the relay_domains parameter.
+This closes a loophole that exploits trust relationships between
+hosts. Example: a trusted backup MX host forwards junk mail to
+a primary MX host which forwards the junk to the Internet. Specify
+"allow_untrusted_routing = yes" to restore the old behavior.
- In order to support the above, the data structure and protocol
of the trivial-rewrite service was changed. This means you must
re-compile and re-link existing software that uses the Postfix
resolve_clnt interface.
-- As a side effect of the above, an address with @ in the localpart
-(user@there@here) no longer bounces with "user unknown" but instead
-is rejected with "relay access denied".
+- As a side effect of the above, an address from an untrusted client
+with @ in the localpart (user@remote@here) no longer bounces with
+"user unknown" but instead is rejected with "relay access denied".
- The experimental permit_recipient_map and local_transports features
are gone. They were never part of an official release. Both are
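Review bot: the rewritten entry for sender-specified routing names only "allow_untrusted_routing" and never says that "allow_routed_relaying" from the 19991226 text no longer exists. The same patch drops VAR_ALLOW_ROUTED_RELAY from the smtpd parameter table, so a main.cf that still sets the old name will not get the behavior its owner expects. Add a sentence to this list stating that the parameter was renamed and that the scope changed from all non-local destinations to untrusted clients and relay_domains destinations.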
all domain names you have in $mydestination. See the html/faq.html
sections for firewalls and intranets.
-Major changes with snapshot 19991226
+Major changes with snapshot 19991227
====================================
- It is now much more difficult to configure Postfix as an open
is the default). There were too many accidents with changes to
the UCE restrictions.
-- An "open relay" loophole is now plugged where a backup MX host
-would forward stuff[@%!]stuff[@%!]stuff to a primary MX host which
-would then spam it out to the world. To get the old behavior,
-specify "allow_routed_relaying = yes". The old behavior is safe
-only for non-MX hosts, and for primary MX hosts of domains that
-have no backup MX hosts.
+- The SMTP server no longer forwards mail from untrusted clients
+with sender-specified routing (stuff[@%!]stuff[@%!]stuff) to
+destinations that are authorized by the relay_domains parameter.
+This closes a loophole that exploits trust relationships between
+hosts. Example: a trusted backup MX host forwards junk mail to
+a primary MX host which forwards the junk to the Internet. Specify
+"allow_untrusted_routing = yes" to restore the old behavior.
- The relay_domains parameter no longer needs to contain $virtual_maps.
# file sample-smtpd.cf.
#
# By default, Postfix relays mail
-# - from clients whose IP address matches $mynetworks,
-# - from clients matching $relay_domains or subdomains thereof,
-# - to destinations that match $relay_domains or subdomains thereof.
+# - from trusted clients whose IP address matches $mynetworks,
+# - from trusted clients matching $relay_domains or subdomains thereof,
+# - from untrusted clients to destinations that match $relay_domains
+# or subdomains thereof, except addresses with sender-specified routing.
# The default relay_domains value is $mydestination.
#
# In addition to the above, the Postfix SMTP server by default accepts mail
# recipient addresses that SMTP clients can send in RCPT TO commands.
#
# By default, Postfix relays mail
-# - from clients whose IP address matches $mynetworks,
-# - from clients matching $relay_domains or subdomains thereof,
-# - to destinations that match $relay_domains or subdomains thereof.
+# - from trusted clients whose IP address matches $mynetworks,
+# - from trusted clients matching $relay_domains or subdomains thereof,
+# - from untrusted clients to destinations that match $relay_domains
+# or subdomains thereof, except addresses with sender-specified routing.
# The default relay_domains value is $mydestination.
#
# In addition to the above, the Postfix SMTP server by default accepts mail
# reject_unknown_hostname: reject HELO hostname without DNS A or MX record.
# reject_unknown_sender_domain: reject sender domain without A or MX record.
# *check_relay_domains: permit only mail
-# - from clients matching $relay_domains or subdomain thereof,
-# - to destinations matching $relay_domains or subdomain thereof,
# - to destinations matching $inet_interfaces, $mydestination,
-# or $virtual_maps.
+# or $virtual_maps,
+# - from trusted clients matching $relay_domains or subdomain thereof,
+# - from untrusted clients to destinations matching $relay_domains or
+# subdomain thereof (except addresses with sender-specified routing),
# Reject anything else.
# permit_auth_destination: permit mail
-# - to destinations matching $relay_domains or subdomain thereof,
# - to destinations matching $inet_interfaces, $mydestination,
# or $virtual_maps.
-# reject_unauth_destination: reject mail unless it is sent
# - to destinations matching $relay_domains or subdomain thereof,
+# except for addresses with sender-specified routing.
+# reject_unauth_destination: reject mail unless it is sent
# - to destinations matching $inet_interfaces, $mydestination,
# or $virtual_maps.
+# - to destinations matching $relay_domains or subdomain thereof,
+# except for addresses with sender-specified routing.
# reject_unauth_pipelining: reject mail from improperly pipelining spamware
# permit_mx_backup: accept mail for sites that list me as MX host.
# reject_unknown_recipient_domain: reject domains without A or MX record.
# ADDITIONAL UCE CONTROLS
#
-# The allow_routed_relaying parameter controls whether the host will
-# forward addresses with sender-specified routing. This is disabled
-# by default, in order to close a nasty open relay loophole where a
-# backup MX host can be tricked into forwarding mail to a primary MX
-# host which then spams it out to the world. Don't change this if
-# this system is backup MX host for any domain, or if this system
-# receives mail from any backup MX host.
-#
-allow_routed_relaying = no
+# The allow_untrusted_routing parameter controls if Postfix will
+# forward mail with sender-specified routing (user[@%!]remote[@%!]site)
+# from untrusted clients to destinations that are blessed by the
+# relay_domains parameter.
+#
+# By default, untrusted clients are not allowed to specify routing.
+# This closes a nasty open relay loophole where a backup MX host can
+# be tricked into forwarding junk mail to a primary MX host which
+# then spams it out to the world.
+#
+allow_untrusted_routing = no
# The maps_rbl_domains parameter specifies an optional list of DNS
# domains that publish the network addresses of blacklisted hosts.
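Review bot: missing documentation in the new allow_untrusted_routing comment block. The old text told the administrator when the setting must stay off ("Don't change this if this system is backup MX host for any domain, or if this system receives mail from any backup MX host"), and the replacement only describes what the default does. Keep an equivalent sentence so the sample file still says which hosts must leave this at "no"; the matching release-notes entry also lost its "old behavior is safe only for non-MX hosts" guidance.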
# this system will relay mail to.
#
# By default, Postfix relays mail
-# - from clients whose IP address matches $mynetworks,
-# - from clients matching $relay_domains or subdomains thereof,
-# - to destinations that match $relay_domains or subdomains thereof.
+# - from trusted clients whose IP address matches $mynetworks,
+# - from trusted clients matching $relay_domains or subdomains thereof,
+# - from untrusted clients to destinations that match $relay_domains
+# or subdomains thereof, except addresses with sender-specified routing.
# The default relay_domains value is $mydestination.
#
# In addition to the above, the Postfix SMTP server by default accepts mail
#define DEF_REST_CLASSES ""
extern char *var_rest_classes;
-#define VAR_ALLOW_ROUTED_RELAY "allow_routed_relaying"
-#define DEF_ALLOW_ROUTED_RELAY 0
-extern bool var_allow_routed_relay;
+#define VAR_ALLOW_UNTRUST_ROUTE "allow_untrusted_routing"
+#define DEF_ALLOW_UNTRUST_ROUTE 0
+extern bool var_allow_untrust_route;
/*
* Names of specific restrictions, and the corresponding configuration
* Version of this program.
*/
#define VAR_MAIL_VERSION "mail_version"
-#define DEF_MAIL_VERSION "Snapshot-19991226"
+#define DEF_MAIL_VERSION "Snapshot-19991227"
extern char *var_mail_version;
/* LICENSE
/* domain that is handled by the local machine. This flag is currently
/* not used.
/* .IP RESOLVE_FLAG_ROUTED
-/* The recipient address contains routing information, so the
-/* destination domain is not necessarily the final destination.
+/* After address resolution the recipient localpart contains further
+/* routing information, so the resolved next-hop destination is not
+/* the final destination.
/* DIAGNOSTICS
/* Warnings: communication failure. Fatal error: mail system is down.
/* SEE ALSO
<li><a href="#command">Commands don't work in Postfix virtual maps</a>
-<li><a href="#unknown_virtual">Mail for unknown virtual users fails
-with a mail loop error</a>
+<li><a href="#unknown_virtual">Rejecting mail for unknown virtual users</a>
<li><a href="#relay_virtual">Postfix refuses to receive mail for some
virtual domains</a>
<p>
-Don't Panic! Upgrade to a Postfix version of 19991226 or later.
+Don't Panic! Upgrade to a Postfix version of 19991227 or later.
<p>
-Older Postfix versions would either bounce the mail because
+Older Postfix versions would either <i>bounce</i> the mail because
"test@some.other.site" is not a known local username (which is
-good), or they would forward the mail to a primary MX host for
-"some.site" which would then spam it into the Internet (which is
-bad).
+good), or they would <i>forward</i> the mail to a primary MX host
+for "some.site" which would then spam it into the Internet (which
+is bad).
<hr>
<hr>
-<a name="unknown_virtual"><h3>Mail for unknown virtual users fails
-with a mail loop error</h3>
+<a name="unknown_virtual"><h3>Rejecting mail for unknown virtual users</h3>
+
+Problem: mail for an unknown virtual user is misdelivered to a local
+user with the same name.
+
+<p>
Problem: mail for an unknown virtual user results in an ugly "mail
-loops back to myself" error from the Postfix SMTP client. Why
-doesn't Postfix generate a "user unknown" instead?
+loops back to myself" error from Postfix.
<p>
Restrict what domain names can be used in <b>ETRN</b> com-
mands, and what clients may issue <b>ETRN</b> commands.
+ <b>allow</b><i>_</i><b>untrusted</b><i>_</i><b>routing</b>
+ Allow untrusted clients to specify addresses with
+ sender-specified routing. Enabling this opens up
+ nasty relay loopholes involving trusted backup MX
+ hosts.
+
<b>restriction</b><i>_</i><b>classes</b>
- Declares the name of zero or more parameters that
- contain a list of UCE restrictions. The names of
- these parameters can then be used instead of the
+ Declares the name of zero or more parameters that
+ contain a list of UCE restrictions. The names of
+ these parameters can then be used instead of the
restriction lists that they represent.
<b>maps</b><i>_</i><b>rbl</b><i>_</i><b>domains</b>
- List of DNS domains that publish the addresses of
+ List of DNS domains that publish the addresses of
blacklisted hosts.
<b>relay</b><i>_</i><b>domains</b>
- Restrict what domains or networks this mail system
+ Restrict what domains or networks this mail system
will relay mail from or to.
<b>UCE</b> <b>control</b> <b>responses</b>
<b>access</b><i>_</i><b>map</b><i>_</i><b>reject</b><i>_</i><b>code</b>
- Server response when a client violates an access
+ Server response when a client violates an access
database restriction.
<b>invalid</b><i>_</i><b>hostname</b><i>_</i><b>reject</b><i>_</i><b>code</b>
- Server response when a client violates the
+ Server response when a client violates the
<b>reject</b><i>_</i><b>invalid</b><i>_</i><b>hostname</b> restriction.
<b>maps</b><i>_</i><b>rbl</b><i>_</i><b>reject</b><i>_</i><b>code</b>
- Server response when a client violates the
+ Server response when a client violates the
<b>maps</b><i>_</i><b>rbl</b><i>_</i><b>domains</b> restriction.
<b>reject</b><i>_</i><b>code</b>
- Response code when the client matches a <b>reject</b>
+ Response code when the client matches a <b>reject</b>
restriction.
<b>relay</b><i>_</i><b>domains</b><i>_</i><b>reject</b><i>_</i><b>code</b>
- Server response when a client attempts to violate
+ Server response when a client attempts to violate
the mail relay policy.
- <b>unknown</b><i>_</i><b>address</b><i>_</i><b>reject</b><i>_</i><b>code</b>
- Server response when a client violates the
- <b>reject</b><i>_</i><b>unknown</b><i>_</i><b>address</b> restriction.
- <b>unknown</b><i>_</i><b>client</b><i>_</i><b>reject</b><i>_</i><b>code</b>
- Server response when a client without address to
- name mapping violates the <b>reject</b><i>_</i><b>unknown</b><i>_</i><b>clients</b>
SMTPD(8) SMTPD(8)
+ <b>unknown</b><i>_</i><b>address</b><i>_</i><b>reject</b><i>_</i><b>code</b>
+ Server response when a client violates the
+ <b>reject</b><i>_</i><b>unknown</b><i>_</i><b>address</b> restriction.
+
+ <b>unknown</b><i>_</i><b>client</b><i>_</i><b>reject</b><i>_</i><b>code</b>
+ Server response when a client without address to
+ name mapping violates the <b>reject</b><i>_</i><b>unknown</b><i>_</i><b>clients</b>
restriction.
<b>unknown</b><i>_</i><b>hostname</b><i>_</i><b>reject</b><i>_</i><b>code</b>
- Server response when a client violates the
+ Server response when a client violates the
<b>reject</b><i>_</i><b>unknown</b><i>_</i><b>hostname</b> restriction.
<b>SEE</b> <b>ALSO</b>
syslogd(8) system logging
<b>LICENSE</b>
- The Secure Mailer license must be distributed with this
+ The Secure Mailer license must be distributed with this
software.
<b>AUTHOR(S)</b>
-
-
-
-
-
-
-
<ul>
-<li>from clients whose IP address matches <a
+<li>from trusted clients whose IP address matches <a
href="basic.html#mynetworks">$mynetworks</a>,
-<li>from clients whose hostname matches <a
+<li>from trusted clients whose hostname matches <a
href="#relay_domains">$relay_domains</a> or a subdomain thereof,
-<li>to destinations that match <a href="#relay_domains">
-$relay_domains</a> or a subdomain thereof.
+<li>from untrusted clients to destinations that match <a
+href="#relay_domains"> $relay_domains</a> or a subdomain thereof,
+except for addresses that contain sender-specified routing
+(<i>user@there@here</i>).
</ul>
<dt> Example:
-<dd> <b>smtpd_recipient_restrictions = permit_mynetworks,
-check_relay_domains</b>
-
<dd> <b>smtpd_recipient_restrictions = permit_mynetworks,
reject_unauth_destination</b>
<a name="check_relay_domains">
<dt> <b>check_relay_domains</b> <dd> Permit the request when
+one of the following is true:
<ul>
<li>the resolved destination address matches <a
href="#relay_domains">$relay_domains</a> or a subdomain thereof,
+and the address contains no sender-specified routing
+(<i>user@there@here</i>),
<li>Postfix is the final destination: any destination that matches
<a href="basic.html#mydestination">$mydestination</a>, <a
<li>the resolved destination address matches <a
href="#relay_domains">$relay_domains</a> or a subdomain thereof,
+and the address contains no sender-specified routing
+(<i>user@there@here</i>),
<li>Postfix is the final destination: any destination that matches
<a href="basic.html#mydestination">$mydestination</a>, <a
<li>the resolved destination address matches <a
href="#relay_domains">$relay_domains</a> or a subdomain thereof,
+and the address contains no sender-specified routing
+(<i>user@there@here</i>),
<li>Postfix is the final destination: any destination that matches
<a href="basic.html#mydestination">$mydestination</a>, <a
<ul>
-<li>from clients whose IP address matches <a
+<li>from trusted clients whose IP address matches <a
href="basic.html#mynetworks">$mynetworks</a>,
-<li>from clients whose hostname matches <a
+<li>from trusted clients whose hostname matches <a
href="#relay_domains">$relay_domains</a> or a subdomain thereof,
-<li>to destinations that match <a href="#relay_domains">
-$relay_domains</a> or a subdomain thereof.
+<li>from untrusted clients to destinations that match <a
+href="#relay_domains"> $relay_domains</a> or a subdomain thereof,
+except for addresses that contain sender-specified routing
+(<i>user@there@here</i>).
</ul>
.IP \fBsmtpd_etrn_restrictions\fR
Restrict what domain names can be used in \fBETRN\fR commands,
and what clients may issue \fBETRN\fR commands.
+.IP \fBallow_untrusted_routing\fR
+Allow untrusted clients to specify addresses with sender-specified
+routing. Enabling this opens up nasty relay loopholes involving
+trusted backup MX hosts.
.IP \fBrestriction_classes\fR
Declares the name of zero or more parameters that contain a
list of UCE restrictions. The names of these parameters can
/* .IP \fBsmtpd_etrn_restrictions\fR
/* Restrict what domain names can be used in \fBETRN\fR commands,
/* and what clients may issue \fBETRN\fR commands.
-/* .IP \fBallow_routed_relaying\fR
-/* Allow the relaying of addresses with sender-specified routing.
-/* Enabling this opens up nasty relay loopholes if your domain has
-/* primary and backup MX hosts.
+/* .IP \fBallow_untrusted_routing\fR
+/* Allow untrusted clients to specify addresses with sender-specified
+/* routing. Enabling this opens up nasty relay loopholes involving
+/* trusted backup MX hosts.
/* .IP \fBrestriction_classes\fR
/* Declares the name of zero or more parameters that contain a
/* list of UCE restrictions. The names of these parameters can
char *var_virtual_maps;
char *var_alias_maps;
char *var_local_rcpt_maps;
-bool var_allow_routed_relay;
+bool var_allow_untrust_route;
/*
* Global state, for stand-alone mode queue file cleanup. When this is
VAR_SMTPD_DELAY_REJECT, DEF_SMTPD_DELAY_REJECT, &var_smtpd_delay_reject,
VAR_STRICT_RFC821_ENV, DEF_STRICT_RFC821_ENV, &var_strict_rfc821_env,
VAR_DISABLE_VRFY_CMD, DEF_DISABLE_VRFY_CMD, &var_disable_vrfy_cmd,
- VAR_ALLOW_ROUTED_RELAY, DEF_ALLOW_ROUTED_RELAY, &var_allow_routed_relay,
+ VAR_ALLOW_UNTRUST_ROUTE, DEF_ALLOW_UNTRUST_ROUTE, &var_allow_untrust_route,
0,
};
static CONFIG_STR_TABLE str_table[] = {
VAR_ALWAYS_BCC, DEF_ALWAYS_BCC, &var_always_bcc, 0, 0,
VAR_ERROR_RCPT, DEF_ERROR_RCPT, &var_error_rcpt, 1, 0,
VAR_REST_CLASSES, DEF_REST_CLASSES, &var_rest_classes, 0, 0,
- VAR_LOCAL_RCPT_MAPS, DEF_LOCAL_RCPT_MAPS, &var_local_rcpt_maps, 0, 0,
VAR_CANONICAL_MAPS, DEF_CANONICAL_MAPS, &var_canonical_maps, 0, 0,
VAR_RCPT_CANON_MAPS, DEF_RCPT_CANON_MAPS, &var_rcpt_canon_maps, 0, 0,
VAR_VIRTUAL_MAPS, DEF_VIRTUAL_MAPS, &var_virtual_maps, 0, 0,
VAR_ALIAS_MAPS, DEF_ALIAS_MAPS, &var_alias_maps, 0, 0,
+ VAR_LOCAL_RCPT_MAPS, DEF_LOCAL_RCPT_MAPS, &var_local_rcpt_maps, 0, 0,
0,
};
return (argv);
}
-/* check_required - make sure minimally-required restriction is present */
+/* has_required - make sure required restriction is present */
-static void check_required(char *name, ARGV *restrictions, char **required)
+static int has_required(ARGV *restrictions, char **required)
{
char **rest;
char **reqd;
- VSTRING *example;
+ ARGV *expansion;
- for (rest = restrictions->argv; *rest; rest++)
+ /*
+ * Recursively check list membership.
+ */
+ for (rest = restrictions->argv; *rest; rest++) {
for (reqd = required; *reqd; reqd++)
if (strcmp(*rest, *reqd) == 0)
- return;
+ return (1);
+ if ((expansion = (ARGV *) htable_find(smtpd_rest_classes, *rest)) != 0)
+ if (has_required(expansion, required))
+ return (1);
+ }
+ return (0);
+}
+
+/* fail_required - handle failure to use required restriction */
+
+static void fail_required(char *name, char **required)
+{
+ char *myname = "fail_required";
+ char **reqd;
+ VSTRING *example;
+
+ /*
+ * Sanity check.
+ */
+ if (required[0] == 0)
+ msg_panic("%s: null required list", myname);
+
+ /*
+ * Go bust.
+ */
example = vstring_alloc(10);
for (reqd = required; *reqd; reqd++)
vstring_sprintf_append(example, "%s ", *reqd);
- msg_fatal("%s requires at least one of %s", name, STR(example));
+ msg_fatal("parameter \"%s\": specify at least one explicit instance of: %s",
+ name, STR(example));
}
/* smtpd_check_init - initialize once during process lifetime */
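Review bot: has_required() recurses into every name found in smtpd_rest_classes with no depth limit or visited marker, so a restriction class that lists itself (or two classes that list each other) would recurse until the stack is exhausted during smtpd_check_init. The run-time path has state->recursion for this; the init-time walk needs a comparable guard, for example a depth argument that is checked before the recursive call and reported with msg_fatal. Separately, the header comment still reads "make sure required restriction is present" although the function now only reports membership and leaves the failure handling to fail_required().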
rcpt_restrctions = smtpd_check_parse(var_rcpt_checks);
etrn_restrctions = smtpd_check_parse(var_etrn_checks);
- /*
- * People screw up the relay restrictions too often. Require that they
- * list at least one restriction that rejects mail by default.
- */
-#ifndef TEST
- check_required(VAR_RCPT_CHECKS, rcpt_restrctions, rcpt_required);
-#endif
-
/*
* Parse the pre-defined restriction classes.
*/
htable_enter(smtpd_rest_classes, "check_relay_domains",
smtpd_check_parse("permit_mydomain reject_unauth_destination"));
#endif
+
+ /*
+ * People screw up the relay restrictions too often. Require that they
+ * list at least one restriction that rejects mail by default.
+ */
+#ifndef TEST
+ if (!has_required(rcpt_restrctions, rcpt_required))
+ fail_required(VAR_RCPT_CHECKS, rcpt_required);
+#endif
}
/* smtpd_check_reject - do the boring things that must be done */
|| (*var_virtual_maps && maps_find(virtual_maps, domain, 0)))
return (SMTPD_CHECK_OK);
+ /*
+ * Skip source-routed mail (uncertain destination).
+ */
+ if (var_allow_untrust_route == 0 && (reply.flags & RESOLVE_FLAG_ROUTED))
+ return (SMTPD_CHECK_DUNNO);
+
/*
* Permit if the destination matches the relay_domains list.
*/
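Review bot: the new RESOLVE_FLAG_ROUTED test returns SMTPD_CHECK_DUNNO without logging anything, so a recipient in relay_domains that is refused for routing ends up with the generic relay-denied reply and no trace of why. The removed reject_routed_relay() gave a distinct "Source-routed relay access denied" text. At minimum add a msg_info under msg_verbose here, in the style used elsewhere in this file, so an operator can tell a routed-address refusal from an ordinary unauthorized destination.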
msg_info("%s: %s", myname, recipient);
/*
- * Permit authorized destination.
+ * Skip authorized destination.
*/
if (permit_auth_destination(recipient) == SMTPD_CHECK_OK)
return (SMTPD_CHECK_DUNNO);
return (SMTPD_CHECK_DUNNO);
}
-/* reject_routed_relay - FAIL for relaying via sender-specified route */
-
-static int reject_routed_relay(SMTPD_STATE *state, char *recipient,
- char *reply_name, char *reply_class)
-{
- char *myname = "reject_routed_relay";
- char *domain;
-
- if (msg_verbose)
- msg_info("%s: %s", myname, recipient);
-
- /*
- * Resolve the address.
- */
- canon_addr_internal(query, recipient);
- resolve_clnt_query(STR(query), &reply);
-
- /*
- * Handle special case that is not supposed to happen.
- */
- if ((domain = strrchr(STR(reply.recipient), '@')) == 0)
- return (SMTPD_CHECK_DUNNO);
- domain += 1;
-
- /*
- * Permit final delivery: the destination matches mydestination or
- * virtual_maps.
- */
- if (resolve_local(domain)
- || (*var_virtual_maps && maps_find(virtual_maps, domain, 0)))
- return (SMTPD_CHECK_DUNNO);
-
- /*
- * Reject source-routed mail to a non-local destination.
- */
- if ((reply.flags & RESOLVE_FLAG_ROUTED) != 0)
- return (smtpd_check_reject(state, MAIL_ERROR_POLICY,
- "%d <%s>: %s rejected: Source-routed relay access denied",
- var_relay_code, reply_name, reply_class));
-
- /*
- * Something else.
- */
- return (SMTPD_CHECK_DUNNO);
-}
-
/* has_my_addr - see if this host name lists one of my network addresses */
static int has_my_addr(char *host)
*/
state->recursion = 0;
status = setjmp(smtpd_check_buf);
- if (status == 0 && rcpt_restrctions->argc) {
+ if (status == 0 && rcpt_restrctions->argc)
status = generic_checks(state, rcpt_restrctions,
recipient, SMTPD_NAME_RECIPIENT, CHECK_RECIP_ACL);
- if (var_allow_routed_relay == 0 && status != SMTPD_CHECK_REJECT)
- status = reject_routed_relay(state, recipient,
- recipient, SMTPD_NAME_RECIPIENT);
- }
+
SMTPD_CHECK_RCPT_RETURN(status == SMTPD_CHECK_REJECT ? STR(error_text) : 0);
}
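Review bot: dropping the reject_routed_relay() call after generic_checks() narrows enforcement. Before, every recipient that was not already rejected got the routed-address test, whichever restriction had permitted it; now the test exists only inside permit_auth_destination(). A recipient list that returns OK through another restriction, such as permit_mx_backup (listed in the sample file in this patch) or an access map, no longer sees the check at all. Since the stated goal is to protect backup MX hosts, please confirm that permit_mx_backup is meant to accept user@remote@site from untrusted clients, or apply the same RESOLVE_FLAG_ROUTED test there.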
int var_reject_code;
int var_non_fqdn_code;
int var_smtpd_delay_reject;
-int var_allow_routed_relay;
+int var_allow_untrust_route;
static INT_TABLE int_table[] = {
"msg_verbose", 0, &msg_verbose,
VAR_REJECT_CODE, DEF_REJECT_CODE, &var_reject_code,
VAR_NON_FQDN_CODE, DEF_NON_FQDN_CODE, &var_non_fqdn_code,
VAR_SMTPD_DELAY_REJECT, DEF_SMTPD_DELAY_REJECT, &var_smtpd_delay_reject,
- VAR_ALLOW_ROUTED_RELAY, DEF_ALLOW_ROUTED_RELAY, &var_allow_routed_relay,
+ VAR_ALLOW_UNTRUST_ROUTE, DEF_ALLOW_UNTRUST_ROUTE, &var_allow_untrust_route,
0,
};
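Review bot: the stand-alone test definition "int var_allow_untrust_route;" does not match the header, which declares "extern bool var_allow_untrust_route;", nor the "bool" definition added to smtpd.c. The same mismatch existed for the old variable, but the rename is a good moment to make the three agree and declare it bool here as well.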
typedef struct {
char *name;
ARGV **target;
-} REST_TABLE;
+} REST_TABLE;
static REST_TABLE rest_table[] = {
"client_restrictions", &client_restrctions,
/*
* After stripping the local domain, if any, replace foo%bar by
* foo@bar, site!user by user@site, rewrite to canonical form, and
- * retry. Recognize routing operators in the address localpart. This
- * is needed to prevent primary MX hosts from relaying third-party
- * destinations from backup MX hosts, otherwise the primary could end
- * up on black lists.
+ * retry.
*
* Otherwise we're done.
*/
if (tok822_rfind_type(tree->tail, '@')
|| (var_swap_bangpath && tok822_rfind_type(tree->tail, '!'))
|| (var_percent_hack && tok822_rfind_type(tree->tail, '%'))) {
- *flags |= RESOLVE_FLAG_ROUTED;
rewrite_tree(REWRITE_CANON, tree);
} else {
domain = 0;
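Review bot: the line "*flags |= RESOLVE_FLAG_ROUTED;" is removed from this branch and nothing in the visible hunks sets the flag anywhere else, while the new test in permit_auth_destination() depends on "reply.flags & RESOLVE_FLAG_ROUTED". The updated resolve_clnt comment says the flag now means the localpart still contains routing information after address resolution, so the assignment presumably moved to the end of resolution; please make sure that hunk is part of this change, and keep a comment at the new location explaining why the flag exists, since the explanation about primary MX hosts ending up on black lists is deleted here.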