Documentation: as of Postfix 2.6, the reject_unauth_pipelining
feature can be used meaningfully at any protocol stage.
File: proto/postconf.proto.
+
+20090803
+
+ Workaround: with some local DNS servers including BIND, it
+ is possible that A or MX lookups succeed, while NS lookups
+ for the same domains time out. Spammers use this to avoid
+ access restrictions. To deal with future variations of
+ this, check_{client,helo,sender,etc}_{mx,ns,etc}_access no
+ longer tolerate any lookup failures. Instead, they reply
+ with $access_map_defer_code or $access_map_reject_code as
+ appropriate. File: smtpd/smtpd_check.c.
If you upgrade from Postfix 2.4 or earlier, read RELEASE_NOTES-2.5
before proceeding.
+Incompatibility with Postfix 2.6.4
+==================================
+
+The check_{client,helo,sender,etc}_{mx,ns,etc}_access features no
+longer tolerate any lookup failures. Instead, they now reply with
+$access_map_defer_code or $access_map_reject_code as appropriate.
+
+The reason for this change is that spammers are using tricks where
+A or MX lookups succeed while NS lookups for the same domains fail,
+depending local DNS infrastructure details. The change deals with
+future variants of this anomalous behavior.
+
+As a side effect, non-existent domain names in HELO commands will
+now trigger a REJECT action with check_helo_{mx,ns}_access, where
+previously such commands were silently permitted.
+
Major changes - multi-instance support
--------------------------------------
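Review bot: in the second added paragraph, "depending local DNS infrastructure details" is missing "on". The side-effect paragraph also names only check_helo_{mx,ns}_access, while the first paragraph says the change covers all check_{client,helo,sender,etc}_{mx,ns,etc}_access features. Please say whether non-existent client or sender domains are now rejected as well, since operators will read this section to decide whether the upgrade changes their mail flow.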
* Patches change both the patchlevel and the release date. Snapshots have no
* patchlevel; they change the release date only.
*/
-#define MAIL_RELEASE_DATE "20090802"
-#define MAIL_VERSION_NUMBER "2.6.3"
+#define MAIL_RELEASE_DATE "20090803"
+#define MAIL_VERSION_NUMBER "2.6.4-RC1"
#ifdef SNAPSHOT
# define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE
if (dns_status != DNS_OK) {
msg_warn("Unable to look up %s host for %s: %s", dns_strtype(type),
domain && domain[1] ? domain : name, dns_strerror(h_errno));
- return (SMTPD_CHECK_DUNNO);
+ /* No mercy for DNS failure. */
+ return (smtpd_check_reject(state, MAIL_ERROR_POLICY,
+ dns_status == DNS_NOTFOUND ?
+ var_map_reject_code : var_map_defer_code,
+ smtpd_dsn_fix("4.1.8", reply_class),
+ "<%s>: %s rejected: %s",
+ reply_name, reply_class,
+ "Domain not found"));
}
/*
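Review bot: the new return in the "dns_status != DNS_OK" branch always sends the text "Domain not found", including when dns_status is not DNS_NOTFOUND and var_map_defer_code is selected, so a lookup timeout is reported to the client as a missing domain. Consider a text that matches the failure, for example the dns_strerror(h_errno) value already passed to msg_warn just above, or a separate wording for the defer case. The "4.1.8" argument is likewise shared by the reject and defer outcomes; a short comment on how smtpd_dsn_fix treats it in the reject case would help the reader.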
msg_warn("Unable to look up %s host %s for %s %s: %s",
dns_strtype(type), (char *) server->data,
reply_class, reply_name, MAI_STRERROR(aierr));
- continue;
+ /* No mercy for DNS failure. */
+ status = smtpd_check_reject(state,
+ MAIL_ERROR_POLICY,
+ aierr == EAI_NONAME ?
+ var_map_reject_code : var_map_defer_code,
+ smtpd_dsn_fix("4.1.8", reply_class),
+ "<%s>: %s rejected: %s",
+ reply_name, reply_class,
+ "Domain not found");
+ CHECK_SERVER_RETURN(status);
}
/* Now we must also free the addrinfo result. */
if (msg_verbose)
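Review bot: replacing "continue" with smtpd_check_reject plus CHECK_SERVER_RETURN(status) in the aierr branch means the loop no longer moves on to the next server after a failed address lookup, so one unresolvable MX or NS host decides the outcome for the whole domain, assuming CHECK_SERVER_RETURN returns on a reject or defer status as its name suggests. That is stricter than the RELEASE_NOTES text makes explicit; please state it there. The fixed text "Domain not found" is also sent when aierr is not EAI_NONAME and the defer code is used; MAI_STRERROR(aierr), already passed to msg_warn, would describe the failure accurately.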