no MX record is found, the A record is used instead. File:
smtpd/smtpd_check.c.
- Experimental feature: ``check_{sender,recipient}_ns_access
- maptype:mapname'' applies the named Postfix access table
- to the DNS server hostname and IP addresses for the sender
- or recipient address. If no NS record is found, the parent
- domain is used instead. File: smtpd/smtpd_check.c.
+ Feature: ``check_{sender,recipient}_ns_access maptype:mapname''
+ applies the named Postfix access table to the DNS server
+ hostname and IP addresses for the sender or recipient
+ address. If no NS record is found, the parent domain is
+ used instead. File: smtpd/smtpd_check.c.
20030917
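Review bot: the promoted entry still says "If no NS record is found, the parent domain is used instead" (singular), while the smtpd_check.c change in this same patch walks every parent domain in turn until an NS record is found; suggest "the parent domains are tried in turn, up to the top-level domain" so the documented behaviour matches the code, and drop the "Experimental" wording consistently in the rest of the HISTORY text that still refers to it.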
request with "451 server configuration error" and will log
a warning explaining why. File: smtpd/smtpd_check.c.
+20030918
+
+ Bugfix: check_mumble_ns_access did not correctly look up
+ NS records of parent domains, causing mail to be deferred
+ with a 450 status code. File: smtpd/smtpd_check.c.
+
Open problems:
High: when virtual aliasing is turned off after content
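Review bot: the bugfix entry "check_mumble_ns_access did not correctly look up NS records of parent domains" does not say what was wrong; from the smtpd_check.c hunk the old code looked up only the immediate parent (it required a second '.') and turned every non-OK result, including "no NS record" for that parent, into DNS_RETRY, which is where the 450 came from. Suggest stating that, e.g. "looked up only the immediate parent domain and deferred mail when that lookup returned no NS record", so the entry can be matched to the fix and to the new parent-domain walk.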
MX hosts of the host/domain given in HELO, EHLO, MAIL FROM or RCPT
TO commands.
-This can be used to block mail from so-called spammer havens, or
-from sender addresses that resolve to Verisign's wild-card mail
-responder, currently at IP address 64.94.110.11.
+This can be used to block mail from so-called spammer havens, from
+sender addresses that resolve to Verisign's wild-card mail responder,
+or from domains that claim to have mail servers in reserved networks
+such as 127.0.0.1.
/etc/postfix/main.cf:
- smtpd_mumble_restrictions =
- ...
- reject_unknown_sender_domain
- check_sender_mx_access hash:/etc/postfix/mx_access
- ...
+ smtpd_mumble_restrictions =
+ ...
+ reject_unknown_sender_domain
+ check_sender_mx_access hash:/etc/postfix/mx_access
+ check_sender_mx_access cidr:/etc/postfix/mx_access.cidr
+ ...
/etc/postfix/mx_access:
- spammer.haven.tld reject spammer mx host
- 64.94.110.11 reject verisign wild-card domain
+ spammer.haven.tld reject spammer mx host
+ 64.94.110.11 reject mail server in verisign wild-card domain
+
+ /etc/postfix/mx_access.cidr:
+ 0.0.0.0/8 reject mail server in broadcast network
+ 10.0.0.0/8 reject mail server in RFC 1918 private network
+ 127.0.0.0/8 reject mail server in loopback network
+ 169.254.0.0/16 reject mail server in link local network
+ 172.16.0.0/12 reject mail server in RFC 1918 private network
+ 192.0.2.0/24 reject mail server in TEST-NET network
+ 192.168.0/16 reject mail server in RFC 1918 private network
+ 224.0.0.0/4 reject mail server in class D multicast network
+ 240.0.0.0/5 reject mail server in class E reserved network
+ 248.0.0.0/5 reject mail server in reserved network
Note: OK actions are not allowed for security reasons. Instead of
OK, use DUNNO in order to exclude specific hosts from blacklists.
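Review bot: the mx_access.cidr entry "192.168.0/16" is missing an octet; every other entry uses the full dotted-quad form, so write "192.168.0.0/16" rather than relying on how the cidr parser treats a three-part address. Also, the comment on "0.0.0.0/8 reject mail server in broadcast network" is inaccurate: 0.0.0.0/8 is the "this network" block, and the limited broadcast address 255.255.255.255 already falls inside the "248.0.0.0/5" entry; suggest "reject mail server in this-network (0/8) block".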
* Patches change the patchlevel and the release date. Snapshots change the
* release date only, unless they include the same bugfix as a patch release.
*/
-#define MAIL_RELEASE_DATE "20030917"
+#define MAIL_RELEASE_DATE "20030918"
#define VAR_MAIL_VERSION "mail_version"
#define DEF_MAIL_VERSION "2.0.16-" MAIL_RELEASE_DATE
* If the domain name exists but MX lookup fails, fabricate an MX record
* that points to the domain name itself.
*
- * If the domain name exists but NS lookup fails, look up the parent domain
- * NS record.
+ * If the domain name exists but NS lookup fails, look up parent domain
+ * NS records.
*/
dns_status = dns_lookup(domain, type, 0, &server_list,
(VSTRING *) 0, (VSTRING *) 0);
- if (dns_status == DNS_NOTFOUND && h_errno != HOST_NOT_FOUND) {
+ if (dns_status == DNS_NOTFOUND) {
+ if (h_errno != NO_DATA)
+ return (SMTPD_CHECK_DUNNO);
if (type == T_MX) {
server_list = dns_rr_create(domain, &fixed, 0,
domain, strlen(domain) + 1);
dns_status = DNS_OK;
- } else if (type == T_NS && (domain = strchr(domain, '.')) != 0
- && strchr(++domain, '.') != 0) {
- dns_status = dns_lookup(domain, T_NS, 0, &server_list,
- (VSTRING *) 0, (VSTRING *) 0);
- if (dns_status != DNS_OK)
- dns_status = DNS_RETRY;
+ } else if (type == T_NS) {
+ while ((domain = strchr(domain, '.')) != 0 && domain[1]) {
+ domain += 1;
+ dns_status = dns_lookup(domain, type, 0, &server_list,
+ (VSTRING *) 0, (VSTRING *) 0);
+ if (dns_status != DNS_NOTFOUND || h_errno != NO_DATA)
+ break;
+ }
}
}
- if (dns_status == DNS_NOTFOUND)
- return (SMTPD_CHECK_DUNNO);
if (dns_status != DNS_OK) {
DEFER_IF_PERMIT3(state, MAIL_ERROR_POLICY,
"450 <%s>: %s rejected: unable to look up %s host",
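Review bot: removing the `if (dns_status == DNS_NOTFOUND) return (SMTPD_CHECK_DUNNO);` after the lookup block means a DNS_NOTFOUND that escapes the T_NS loop now reaches the `dns_status != DNS_OK` branch and defers with 450, which is the symptom this change is meant to remove. That path is taken when a parent lookup returns DNS_NOTFOUND with h_errno other than NO_DATA (a non-existent intermediate parent, e.g. when the child only exists through a wildcard), because the `break` leaves dns_status == DNS_NOTFOUND, and when the walk runs out of labels with the last lookup unanswered. Suggest either breaking only on statuses other than DNS_NOTFOUND (keep walking past a NOTFOUND parent) or restoring `if (dns_status == DNS_NOTFOUND) return (SMTPD_CHECK_DUNNO);` after the loop. Separately, the loop now continues until no '.' is left, so it queries the top-level domain's NS records and matches those name servers against the access table (the old code required a second '.' before looking up a parent); if that is intended, the HISTORY entry should say so.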
dunnotext@dunno.domain dunno text
64.94.110.11 reject Verisign wild-card
topica.com reject
+10.10.10.10 reject mail server 10.10.10.10
+spike.porcupine.org reject name server spike.porcupine.org
recipient_restrictions check_recipient_mx_access,hash:smtpd_check_access
rcpt foo@verisign-wildcard.com
rcpt foo@verisign.com
+rcpt foo@1.2.3.porcupine.org
#
# Check NS access
#
rcpt foo@email-publisher.com
rcpt foo@ns1.topica.com
rcpt foo@verisign-wildcard.com
+rcpt foo@1.2.3.porcupine.org
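Review bot: the new access-table entries ("10.10.10.10", "spike.porcupine.org") and the "rcpt foo@1.2.3.porcupine.org" inputs depend on live DNS for porcupine.org, as the existing topica.com and verisign-wildcard.com cases already do; the reference output will drift when those zones change and the test cannot run offline. Suggest at least recording in the test input which records the expectations rely on (1.2.3.porcupine.org resolving to a mail server at 10.10.10.10, and a parent of that name having NS pointing at spike.porcupine.org) so a failure can be told apart from a DNS change.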
554 <foo@verisign-wildcard.com>: Recipient address rejected: Verisign wild-card
>>> rcpt foo@verisign.com
OK
+>>> rcpt foo@1.2.3.porcupine.org
+./smtpd_check: <queue id>: reject: RCPT from spike.porcupine.org[168.100.189.2]: 554 <foo@1.2.3.porcupine.org>: Recipient address rejected: mail server 10.10.10.10; from=<foo@verisign.com> to=<foo@1.2.3.porcupine.org> proto=SMTP helo=<example.tld>
+554 <foo@1.2.3.porcupine.org>: Recipient address rejected: mail server 10.10.10.10
>>> #
>>> # Check NS access
>>> #
554 <foo@ns1.topica.com>: Recipient address rejected: Access denied
>>> rcpt foo@verisign-wildcard.com
OK
+>>> rcpt foo@1.2.3.porcupine.org
+./smtpd_check: <queue id>: reject: RCPT from spike.porcupine.org[168.100.189.2]: 554 <foo@1.2.3.porcupine.org>: Recipient address rejected: name server spike.porcupine.org; from=<foo@verisign-wildcard.com> to=<foo@1.2.3.porcupine.org> proto=SMTP helo=<example.tld>
+554 <foo@1.2.3.porcupine.org>: Recipient address rejected: name server spike.porcupine.org
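Review bot: the expected output for the NS check covers only the case where the walk up from 1.2.3.porcupine.org reaches a parent with NS records and every intermediate name answers without a hard error; there is no expectation for a name whose intermediate parent does not exist, which is the path where the loop in smtpd_check.c breaks with DNS_NOTFOUND and the new code emits a 450 instead of DUNNO, nor for a name whose walk ends at the top-level domain. Add at least one such case so the 450-versus-DUNNO behaviour is pinned by the reference file rather than left to whatever the zones happen to return.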