systems against exploitation of the remote buffer overflow
vulnerability described in CERT advisory CA-2003-07.
+20030311-19
+
+ Bugfix: the access map actions HOLD, DISCARD and FILTER
+ were broken with smtpd_delay_reject=no and with ETRN. Fixing
+ this required re-architecting of the actions code. Files:
+ smtpd/smtpd.[hc], smtpd/smtpd_check.c, smtpd/smtpd_state.c.
+
+20030315
+
+ Bugfix: the postsuper manual page documented support for
+ the -c command line option, but it was not implemented.
+ File: postsuper/postsuper.c.
+
+ Bugfix: the Postfix 2.0 recipient map checking code broke
+ the VRFY command, causing it to reply with status code 252
+ for non-existent addresses. This required re-architecting
+ the recipient table lookup code. File: smtpd/smtpd_check.c.
+
Open problems:
Low: after successful delivery, per-queue window += 1/window,
# directory (pathname is controlled by the queue_directory configuration
# variable in the main.cf file). Presently, all Postfix daemons can run
# chrooted, except for the pipe, virtual and local delivery daemons.
+# The proxymap server can run chrooted, but doing so defeats most of
+# the purpose of having that service in the first place.
# The files in the examples/chroot-setup subdirectory describe how
# to set up a Postfix chroot environment for your type of machine.
#
The proxymap server opens only tables that are approved
via the <b>proxy</b><i>_</i><b>read</b><i>_</i><b>maps</b> configuration parameter, does not
talk to users, and can run at fixed low privilege,
- chrooted or not.
+ chrooted or not. However, running the proxymap server
+ chrooted severely limits usability, because it can open
+ only chrooted tables.
The proxymap server is not a trusted daemon process, and
must not be used to look up sensitive information such as
<li>Postfix is the final destination: any destination that matches
<a href="basic.html#mydestination">$mydestination</a>, <a
href="basic.html#inet_interfaces">$inet_interfaces</a>, <a
-href="virtual.5.html">$virtual_alias_domains</a>, or
+href="virtual.5.html">$virtual_alias_domains</a>, or <a
href="virtual.8.html">$virtual_mailbox_domains</a>.
</ul>
The proxymap server opens only tables that are approved via the
\fBproxy_read_maps\fR configuration parameter, does not talk to
users, and can run at fixed low privilege, chrooted or not.
+However, running the proxymap server chrooted severely limits
+usability, because it can open only chrooted tables.
The proxymap server is not a trusted daemon process, and must
not be used to look up sensitive information such as user or
tok822_parse.o: ../../include/vstring.h
tok822_parse.o: ../../include/vbuf.h
tok822_parse.o: ../../include/msg.h
+tok822_parse.o: ../../include/stringops.h
tok822_parse.o: lex_822.h
tok822_parse.o: quote_822_local.h
tok822_parse.o: quote_flags.h
* Patches change the patchlevel and the release date. Snapshots change the
* release date only, unless they include the same bugfix as a patch release.
*/
-#define MAIL_RELEASE_DATE "20030305"
+#define MAIL_RELEASE_DATE "20030319"
#define VAR_MAIL_VERSION "mail_version"
-#define DEF_MAIL_VERSION "2.0.6"
+#define DEF_MAIL_VERSION "2.0.7"
extern char *var_mail_version;
/*
continue;
if ((expansion = dict_get(dict, name)) != 0) {
if (msg_verbose)
- msg_info("%s: %s: %s = %s", myname, *map_name, name, expansion);
+ msg_info("%s: %s: %s: %s = %s", myname, maps->title,
+ *map_name, name, expansion);
return (expansion);
} else if (dict_errno != 0) {
break;
}
}
if (msg_verbose)
- msg_info("%s: %s: %s", myname, name, dict_errno ?
+ msg_info("%s: %s: %s: %s", myname, maps->title, name, dict_errno ?
"search aborted" : "not found");
return (0);
}
#include <vstring.h>
#include <msg.h>
+#include <stringops.h>
/* Global library. */
* Emit plain <address>. Discard any comments or phrases.
*/
msg_warn("stripping too many comments from address: %.100s...",
- vstring_str(vp) + start);
+ printable(vstring_str(vp) + start, '?'));
vstring_truncate(vp, start);
VSTRING_ADDCH(vp, '<');
if (addr) {
VSTRING_ADDCH(vp, '>');
}
-
/* tok822_externalize - token tree to string, external form */
VSTRING *tok822_externalize(VSTRING *vp, TOK822 *tree, int flags)
#include <sys/stat.h>
#include <unistd.h>
#include <stdlib.h>
+#include <string.h>
/* Utility library. */
msg_fatal("open /dev/null: %m");
/*
- * Process environment options as early as we can. We might be called
- * from a set-uid (set-gid) program, so be careful with importing
- * environment variables.
+ * Process this environment option as early as we can, to aid debugging.
*/
if (safe_getenv(CONF_ENV_VERB))
msg_verbose = 1;
/*
- * Initialize. Set up logging, read the global configuration file and
- * extract configuration information.
+ * Initialize logging.
*/
if ((slash = strrchr(argv[0], '/')) != 0)
argv[0] = slash + 1;
msg_syslog_init(mail_task(argv[0]), LOG_PID, LOG_FACILITY);
set_mail_conf_str(VAR_PROCNAME, var_procname = mystrdup(argv[0]));
- mail_conf_read();
- if (chdir(var_queue_dir))
- msg_fatal("chdir %s: %m", var_queue_dir);
-
/*
- * Be sure to log a warning if we do not finish structural repair. Maybe
- * we should have an fsck-style "clean" flag so Postfix will not start
- * with a broken queue.
- */
- signal(SIGHUP, interrupted);
- signal(SIGINT, interrupted);
- signal(SIGQUIT, interrupted);
- signal(SIGTERM, interrupted);
- msg_cleanup(fatal_exit);
-
- /*
- * All file/directory updates must be done as the mail system owner. This
- * is because Postfix daemons manipulate the queue with those same
- * privileges, so directories must be created with the right ownership.
- *
- * Running as a non-root user is also required for security reasons. When
- * the Postfix queue hierarchy is compromised, an attacker could trick us
- * into entering other file hierarchies and afflicting damage. Running as
- * a non-root user limits the damage to the already compromised mail
- * owner.
+ * Disallow unsafe practices, and refuse to run set-uid (or as the child
+ * of a set-uid process). Whenever a privileged wrapper program is
+ * needed, it must properly sanitize the real/effective/saved UID/GID,
+ * the secondary groups, the process environment, and so on. Otherwise,
+ * accidents can happen. If not with Postfix, then with other software.
*/
+ if (unsafe() != 0)
+ msg_fatal("this postfix command must not run as a set-uid process");
if (getuid())
msg_fatal("use of this command is reserved for the superuser");
- set_ugid(var_owner_uid, var_owner_gid);
/*
* Parse JCL.
*/
- while ((c = GETOPT(argc, argv, "d:h:H:pr:sv")) > 0) {
+ while ((c = GETOPT(argc, argv, "c:d:h:H:pr:sv")) > 0) {
switch (c) {
default:
- msg_fatal("usage: %s [-d queue_id (delete)] "
+ msg_fatal("usage: %s "
+ "[-c config_dir] "
+ "[-d queue_id (delete)] "
"[-h queue_id (hold)] [-H queue_id (un-hold)] "
"[-p (purge temporary files)] [-r queue_id (requeue)] "
"[-s (structure fix)] [-v (verbose)] "
"[queue...]", argv[0]);
+ case 'c':
+ if (*optarg != '/')
+ msg_fatal("-c requires absolute pathname");
+ if (setenv(CONF_ENV_PATH, optarg, 1) < 0)
+ msg_fatal("setenv: %m");
+ break;
case 'd':
if (delete_names == 0)
delete_names = argv_alloc(1);
}
}
+ /*
+ * Read the global configuration file and extract configuration
+ * information. The -c command option can override the default
+ * configuration directory location.
+ */
+ mail_conf_read();
+ if (chdir(var_queue_dir))
+ msg_fatal("chdir %s: %m", var_queue_dir);
+
+ /*
+ * All file/directory updates must be done as the mail system owner. This
+ * is because Postfix daemons manipulate the queue with those same
+ * privileges, so directories must be created with the right ownership.
+ *
+ * Running as a non-root user is also required for security reasons. When
+ * the Postfix queue hierarchy is compromised, an attacker could trick us
+ * into entering other file hierarchies and afflicting damage. Running as
+ * a non-root user limits the damage to the already compromised mail
+ * owner.
+ */
+ set_ugid(var_owner_uid, var_owner_gid);
+
+ /*
+ * Be sure to log a warning if we do not finish structural repair. Maybe
+ * we should have an fsck-style "clean" flag so Postfix will not start
+ * with a broken queue.
+ *
+ * Set up signal handlers after permanently dropping super-user privileges,
+ * so that signal handlers will always run with the correct privileges.
+ */
+ signal(SIGHUP, interrupted);
+ signal(SIGINT, interrupted);
+ signal(SIGQUIT, interrupted);
+ signal(SIGTERM, interrupted);
+ msg_cleanup(fatal_exit);
+
/*
* Sanity checks.
*/
/* The proxymap server opens only tables that are approved via the
/* \fBproxy_read_maps\fR configuration parameter, does not talk to
/* users, and can run at fixed low privilege, chrooted or not.
+/* However, running the proxymap server chrooted severely limits
+/* usability, because it can open only chrooted tables.
/*
/* The proxymap server is not a trusted daemon process, and must
/* not be used to look up sensitive information such as user or
if (var_smtpd_sasl_enable)
smtpd_sasl_mail_reset(state);
#endif
+ state->discard = 0;
}
/* rcpt_cmd - process RCPT TO command */
smtpd_chat_reply(state, "%s", err);
return (-1);
}
- if ((err = smtpd_check_rcptmap(state, argv[2].strval)) != 0) {
- smtpd_chat_reply(state, "%s", err);
- return (-1);
- }
}
/*
return (-1);
}
if (SMTPD_STAND_ALONE(state) == 0
- && (err = smtpd_check_rcptmap(state, argv[1].strval)) != 0) {
+ && (err = smtpd_check_rcpt(state, argv[1].strval)) != 0) {
smtpd_chat_reply(state, "%s", err);
return (-1);
}
int defer_if_permit_client; /* force permit into warning */
int defer_if_permit_helo; /* force permit into warning */
int defer_if_permit_sender; /* force permit into warning */
+ int discard; /* discard message */
VSTRING *expand_buf; /* scratch space for $name expansion */
} SMTPD_STATE;
/* SMTPD_STATE *state;
/* char *recipient;
/*
-/* char *smtpd_check_rcptmap(state, recipient)
-/* SMTPD_STATE *state;
-/* char *recipient;
-/*
/* char *smtpd_check_etrn(state, destination)
/* SMTPD_STATE *state;
/* char *destination;
/* .IP smtpd_recipient_restrictions
/* Restrictions on the recipient address that is sent with the RCPT
/* TO command.
-/* .PP
-/* smtpd_check_rcptmap() validates the recipient address provided
-/* with an RCPT TO request and sets the rcptmap_checked flag.
-/* Relevant configuration parameters:
-/* .IP local_recipients_map
+/* .IP local_recipient_maps
/* Tables of user names (not addresses) that exist in $mydestination.
/* Mail for local users not in these tables is rejected.
/* .PP
return (reject_unknown_mailhost(state, domain, reply_name, reply_class));
}
+/* warn_skip_access_action - FILTER etc. action in unsupported context */
+
+static void warn_skip_access_action(const char *table, const char *action,
+ const char *reply_class)
+{
+
+ /*
+ * Warn only about FILTER/HOLD/etc. access table actions that appear in
+ * restrictions where they will always be ignored.
+ */
+ if (strcmp(reply_class, SMTPD_NAME_CLIENT) == 0
+ || strcmp(reply_class, SMTPD_NAME_HELO) == 0
+ || strcmp(reply_class, SMTPD_NAME_SENDER) == 0) {
+ if (var_smtpd_delay_reject == 0)
+ msg_warn("access table %s: with %s=%s, "
+ "action %s is always skipped in %s restrictions",
+ table, VAR_SMTPD_DELAY_REJECT, CONFIG_BOOL_NO,
+ action, reply_class);
+ } else {
+ msg_warn("access table %s: action %s is always "
+ "skipped in %s restrictions",
+ table, action, reply_class);
+ }
+}
+
/* check_table_result - translate table lookup result into pass/reject */
static int check_table_result(SMTPD_STATE *state, const char *table,
* mind, and reject/discard the message for other reasons.
*/
if (STREQUAL(value, "FILTER", cmd_len)) {
+#ifndef TEST
+ if (state->dest == 0) {
+ warn_skip_access_action(table, "FILTER", reply_class);
+ return (SMTPD_CHECK_DUNNO);
+ }
+#endif
if (*cmd_text == 0) {
msg_warn("access map %s entry \"%s\" has FILTER entry without value",
table, datum);
* reject/discard the message for other reasons.
*/
if (STREQUAL(value, "HOLD", cmd_len)) {
+#ifndef TEST
+ if (state->dest == 0) {
+ warn_skip_access_action(table, "HOLD", reply_class);
+ return (SMTPD_CHECK_DUNNO);
+ }
+#endif
vstring_sprintf(error_text, "<%s>: %s %s", reply_name, reply_class,
*cmd_text ? cmd_text : "triggers HOLD action");
log_whatsup(state, "hold", STR(error_text));
/*
* DISCARD means silently discard and claim successful delivery.
- *
- * XXX Set some global flag that disables all further restrictions.
- * Triggering a "reject" or "hold" action after "discard" is silly.
*/
if (STREQUAL(value, "DISCARD", cmd_len)) {
+#ifndef TEST
+ if (state->dest == 0) {
+ warn_skip_access_action(table, "DISCARD", reply_class);
+ return (SMTPD_CHECK_DUNNO);
+ }
+#endif
vstring_sprintf(error_text, "<%s>: %s %s", reply_name, reply_class,
*cmd_text ? cmd_text : "triggers DISCARD action");
log_whatsup(state, "discard", STR(error_text));
#ifndef TEST
rec_fprintf(state->dest->stream, REC_TYPE_FLGS, "%d",
CLEANUP_FLAG_DISCARD);
+ state->discard = 1;
#endif
return (SMTPD_CHECK_OK);
}
for (cpp = restrictions->argv; (name = *cpp) != 0; cpp++) {
+ if (state->discard != 0)
+ break;
+
if (msg_verbose)
msg_info("%s: name=%s", myname, name);
/*
* The "check_recipient_maps" restriction is relevant only when
- * responding to RCPT TO. It's effectively disabled with DATA (recipient
- * context is explicitly turned off) and not applicable with undelayed
- * client/helo/sender restrictions (no recipient info) or with ETRN
- * (command not allowed in the middle of an ongoing MAIL transaction).
+ * responding to RCPT TO or VRFY.
*/
state->rcptmap_checked = 0;
SMTPD_CHECK_RESET();
status = setjmp(smtpd_check_buf);
if (status == 0 && rcpt_restrctions->argc)
- status = generic_checks(state, rcpt_restrctions,
+ status = generic_checks(state, rcpt_restrctions,
recipient, SMTPD_NAME_RECIPIENT, CHECK_RECIP_ACL);
/*
status = smtpd_check_reject(state, state->defer_if_permit.class,
"%s", STR(state->defer_if_permit.reason));
+ /*
+ * If the "check_recipient_maps" restriction was not applied, and if mail
+ * is not being rejected or discarded, validate the recipient here.
+ */
+ if (status != SMTPD_CHECK_REJECT && state->rcptmap_checked == 0
+ && state->discard == 0)
+ status = check_rcpt_maps(state, recipient);
+
SMTPD_CHECK_RCPT_RETURN(status == SMTPD_CHECK_REJECT ? STR(error_text) : 0);
}
SMTPD_CHECK_ETRN_RETURN(status == SMTPD_CHECK_REJECT ? STR(error_text) : 0);
}
-/* smtpd_check_rcptmap - permit if recipient address matches lookup table */
-
-char *smtpd_check_rcptmap(SMTPD_STATE *state, char *recipient)
-{
- char *myname = "smtpd_check_rcptmap";
- int status;
-
- if (msg_verbose)
- msg_info("%s: %s", myname, recipient);
-
- /*
- * Return here in case of serious trouble.
- */
- if ((status = setjmp(smtpd_check_buf)) == 0)
- status = check_rcpt_maps(state, recipient);
-
- return (status == SMTPD_CHECK_REJECT ? STR(error_text) : 0);
-}
-
/* check_rcpt_maps - generic_checks() interface for recipient table check */
static int check_rcpt_maps(SMTPD_STATE *state, const char *recipient)
if ((reply->flags & RESOLVE_CLASS_LOCAL)
&& *var_local_rcpt_maps
- /* Generated by bounce, absorbed by qmgr. */
+ /* Generated by bounce, absorbed by qmgr. */
&& !MATCH_LEFT(var_double_bounce_sender, CONST_STR(reply->recipient),
strlen(var_double_bounce_sender))
- /* Absorbed by qmgr. */
+ /* Absorbed by qmgr. */
&& !MATCH_LEFT(MAIL_ADDR_POSTMASTER, CONST_STR(reply->recipient),
strlen(MAIL_ADDR_POSTMASTER))
- /* Generated by bounce. */
+ /* Generated by bounce. */
&& !MATCH_LEFT(MAIL_ADDR_MAIL_DAEMON, CONST_STR(reply->recipient),
strlen(MAIL_ADDR_MAIL_DAEMON))
&& NOMATCH(local_rcpt_maps, CONST_STR(reply->recipient)))
int var_relay_rcpt_code;
int var_virt_mailbox_code;
int var_virt_alias_code;
+int var_show_unk_rcpt_table;
static INT_TABLE int_table[] = {
"msg_verbose", 0, &msg_verbose,
VAR_RELAY_RCPT_CODE, DEF_RELAY_RCPT_CODE, &var_relay_rcpt_code,
VAR_VIRT_ALIAS_CODE, DEF_VIRT_ALIAS_CODE, &var_virt_alias_code,
VAR_VIRT_MAILBOX_CODE, DEF_VIRT_MAILBOX_CODE, &var_virt_mailbox_code,
+ VAR_SHOW_UNK_RCPT_TABLE, DEF_SHOW_UNK_RCPT_TABLE, &var_show_unk_rcpt_table,
0,
};
} else if (strcasecmp(args->argv[0], "rcpt") == 0) {
state.where = "RCPT";
TRIM_ADDR(args->argv[1], addr);
- (resp = smtpd_check_rcpt(&state, addr))
- || (resp = smtpd_check_rcptmap(&state, addr));
+ resp = smtpd_check_rcpt(&state, addr);
}
break;
extern char *smtpd_check_client(SMTPD_STATE *);
extern char *smtpd_check_helo(SMTPD_STATE *, char *);
extern char *smtpd_check_mail(SMTPD_STATE *, char *);
-extern char *smtpd_check_rcptmap(SMTPD_STATE *, char *);
extern char *smtpd_check_size(SMTPD_STATE *, off_t);
extern char *smtpd_check_rcpt(SMTPD_STATE *, char *);
extern char *smtpd_check_etrn(SMTPD_STATE *, char *);
mail rejecttext@bad.domain
mail filter@filter.domain
mail filtertext@filter.domain
+mail filtertexttext@filter.domain
mail hold@hold.domain
mail holdtext@hold.domain
mail discard@hold.domain
./smtpd_check: <queue id>: reject: MAIL from localhost[127.0.0.1]: 554 <rejecttext@bad.domain>: Sender address rejected: text; from=<rejecttext@bad.domain> proto=SMTP
554 <rejecttext@bad.domain>: Sender address rejected: text
>>> mail filter@filter.domain
-./smtpd_check: warning: access map hash:./smtpd_check_access entry filter@filter.domain has FILTER entry without value
+./smtpd_check: warning: access map hash:./smtpd_check_access entry "filter@filter.domain" has FILTER entry without value
OK
>>> mail filtertext@filter.domain
-./smtpd_check: <queue id>: filter: MAIL from localhost[127.0.0.1]: <filtertext@filter.domain>: Sender address triggers FILTER text; from=<filtertext@filter.domain> proto=SMTP
+./smtpd_check: warning: access map hash:./smtpd_check_access entry "filtertext@filter.domain" requires transport:destination
+OK
+>>> mail filtertexttext@filter.domain
+./smtpd_check: <queue id>: filter: MAIL from localhost[127.0.0.1]: <filtertexttext@filter.domain>: Sender address triggers FILTER text:text; from=<filtertexttext@filter.domain> proto=SMTP
OK
>>> mail hold@hold.domain
./smtpd_check: <queue id>: hold: MAIL from localhost[127.0.0.1]: <hold@hold.domain>: Sender address triggers HOLD action; from=<hold@hold.domain> proto=SMTP
rejecttext@bad.domain reject text
filter@filter.domain filter
filtertext@filter.domain filter text
+filtertexttext@filter.domain filter text:text
hold@hold.domain hold
holdtext@hold.domain hold text
discard@hold.domain discard
state->defer_if_permit_sender = 0;
state->defer_if_reject.reason = 0;
state->defer_if_permit.reason = 0;
+ state->discard = 0;
state->expand_buf = 0;
#ifdef USE_SASL_AUTH
projects / thirdparty / postfix.git / commitdiff
