Bugfix: don't panic when an unexpected smtpd access map is
specified. File: smtpd/smtpd_check.c.
+20090807
+
Workaround: NS record lookups for certain domains always
fail, while other queries for those domains always succeed
(and even return replies with NS records as additional
information).
- This specific inconsistency would allow spammers to avoid
- the Postfix check_{client,helo,sender,etc}_ns_access
- restrictions, because those restrictions have effect only
- for NS records that can be looked up in the DNS.
+ This inconsistency would allow spammers to avoid the Postfix
+ check_{client,helo,sender,etc}_ns_access restrictions,
+ because those restrictions have effect only for names that
+ are known in the DNS.
To address this specific inconsistency, the Postfix
- reject_unknown_helo_hostname, reject_unknown_sender_domain
- and reject_unknown_recipient_domain restrictions now require
- that a domain has NS records that resolve to at least one
- IP address, and they now accept only MX records that resolve
- to at least one IP address; those addresses may or may not
- be "correct". Postfix has no code to determine whether the
- SMTP client name has a resolvable NS or MX record. File:
- smtpd/smtpd_check.c.
+ check_{client,etc}_ns_access feature now requires that a
+ known-in-DNS domain name (or parent thereof) resolves to
+ at least one name server IP address.
+
+ For consistency, check_{client,etc}_mx_access now requires
+ that a known-in-DNS domain name resolves to at least one
+ mail server IP address.
+
+ In addition, reject_unknown_helo_hostname,
+ reject_unknown_sender_domain now require that an MX record
+ resolves to at least one IP address. Until now, the existence
+ of an MX record was sufficient.
+
+ The IP addresses thus obtained may or may not be "correct".
+ There is little to stop an uncooperative DNS server from
+ lying, especially when the owner of the domain has no
+ intention to receive email. File: smtpd/smtpd_check.c.
If you upgrade from Postfix 2.5 or earlier, read RELEASE_NOTES-2.6
before proceeding.
-Incompatibility with snapshot 20090805
+Incompatibility with snapshot 20090807
======================================
With some domain names, NS record lookups always fail while other
-lookups always succeed (and often return NS records as additional
+lookups always succeed (and may even return NS records as additional
information). This anomaly could be used by evil elements to skip
Postfix check_{client,helo,sender,recipient}_ns_access checks,
-because those apply only domains with an NS record in the DNS.
-
-To address this specific problem, the reject_unknown_helo_hostname,
-reject_unknown_sender_domain and reject_unknown_recipient_domain
-features now require that a domain name has NS records that resolve
-to at least one IP address, and they now accept only MX records
-that resolve to at least one IP address; those addresses may or may
-not be "correct". Postfix has no code to determine whether the
-SMTP client name has a resolvable NS or MX record.
+because these apply only to domains that are known in the DNS.
+
+To address this specific problem, check_{client,etc}_ns_access now
+requires that a known-in-DNS domain name (or parent thereof) resolves
+to at least one name server IP address.
+
+For consistency, check_{client,etc}_mx_access now requires that a
+known-in-DNS domain name resolves to at least one mail server IP
+address.
+
+In addition, reject_unknown_helo_hostname, reject_unknown_sender_domain
+and reject_unknown_recipient_domain now require that an MX record
+resolves to at least one IP address. Until now, the existence of
+an MX record was sufficient.
+
+Keep in mind that these measures provide no hard assurances. There
+is little to stop an uncooperative DNS server from lying, especially
+when the owner of the domain has no intention to receive email.
Incompatibility with snapshot 20090606
======================================
*/
dns_status = dns_lookup(domain, type, 0, &server_list,
(VSTRING *) 0, (VSTRING *) 0);
- if (dns_status == DNS_NOTFOUND && h_errno == NO_DATA) {
+ if (dns_status == DNS_NOTFOUND /* Not: h_errno == NO_DATA */ ) {
if (type == T_MX) {
server_list = dns_rr_create(domain, domain, type, C_IN, 0, 0,
domain, strlen(domain) + 1);
dns_status = DNS_OK;
- } else if (type == T_NS) {
+ } else if (type == T_NS && h_errno == NO_DATA) {
while ((domain = strchr(domain, '.')) != 0 && domain[1]) {
domain += 1;
dns_status = dns_lookup(domain, type, 0, &server_list,
* check_server_access() wants to check.
*/
dns_status = resolve_server_list(name, T_MX, reply_name, reply_class);
+#ifdef REQUIRE_NS_FOR_REJECT_UNKNOWN_DOMAIN_CHECK
if (dns_status == DNS_OK)
dns_status = resolve_server_list(name, T_NS, reply_name, reply_class);
+#endif
if (dns_status != DNS_OK) { /* incl. DNS_INVAL */
if (dns_status != DNS_RETRY)
return (smtpd_check_reject(state, MAIL_ERROR_POLICY,
* check_server_access() wants to check.
*/
dns_status = resolve_server_list(name, T_MX, reply_name, reply_class);
+#ifdef REQUIRE_NS_FOR_REJECT_UNKNOWN_DOMAIN_CHECK
if (dns_status == DNS_OK)
dns_status = resolve_server_list(name, T_NS, reply_name, reply_class);
+#endif
if (dns_status != DNS_OK) { /* incl. DNS_INVAL */
if (dns_status != DNS_RETRY)
return (smtpd_check_reject(state, MAIL_ERROR_POLICY,
struct addrinfo *res;
int status;
INET_PROTO_INFO *proto_info;
+ const char *saved_domain;
+ int non_err, soft_err;
+ int known_name_in_dns;
+ int ping_status;
/*
* Sanity check.
*
* If the domain name exists but no NS record exists, look up parent domain
* NS records.
+ *
+ * After the initial lookup fails, do one final DNS sanity check. Reject
+ * mail when the name exists, but MX lookup produces no valid response or
+ * NS lookup fails for any reason. Beware, this sanity check provides no
+ * hard assurance. An uncooperative DNS server may lie about everything,
+ * including non-existence.
*/
+#define SOME_DNS_RR_EXISTS(stat, herr) \
+ ((stat) == DNS_OK || (stat) == DNS_INVAL || (herr) == NO_DATA)
+
+ saved_domain = domain;
dns_status = dns_lookup(domain, type, 0, &server_list,
(VSTRING *) 0, (VSTRING *) 0);
- if (dns_status == DNS_NOTFOUND && h_errno == NO_DATA) {
+ known_name_in_dns = SOME_DNS_RR_EXISTS(dns_status, h_errno);
+ if (dns_status == DNS_NOTFOUND /* Not: h_errno == NO_DATA */ ) {
if (type == T_MX) {
server_list = dns_rr_create(domain, domain, type, C_IN, 0, 0,
domain, strlen(domain) + 1);
dns_status = DNS_OK;
- } else if (type == T_NS) {
+ } else if (type == T_NS && h_errno == NO_DATA) {
while ((domain = strchr(domain, '.')) != 0 && domain[1]) {
domain += 1;
dns_status = dns_lookup(domain, type, 0, &server_list,
if (dns_status != DNS_OK) {
msg_warn("Unable to look up %s host for %s: %s", dns_strtype(type),
domain && domain[1] ? domain : name, dns_strerror(h_errno));
+ if (known_name_in_dns == 0) {
+ /* With hostile DNS, an address query is more likely to work. */
+ ping_status = dns_lookup_l(saved_domain, 0, (DNS_RR **) 0,
+ (VSTRING *) 0, (VSTRING *) 0,
+ DNS_REQ_FLAG_STOP_OK,
+ CHECK_RR_ADDR_TYPES, 0);
+ known_name_in_dns = SOME_DNS_RR_EXISTS(ping_status, h_errno);
+ }
+ if (known_name_in_dns)
+ return (smtpd_check_reject(state, MAIL_ERROR_POLICY,
+ dns_status == DNS_RETRY ?
+ var_map_defer_code : var_map_reject_code,
+ smtpd_dsn_fix("4.1.8", reply_class),
+ "<%s>: %s rejected: %s",
+ reply_name, reply_class,
+ "Domain not found"));
return (SMTPD_CHECK_DUNNO);
}
* Check the hostnames first, then the addresses.
*/
proto_info = inet_proto_info();
+ non_err = soft_err = 0;
for (server = server_list; server != 0; server = server->next) {
if (msg_verbose)
msg_info("%s: %s hostname check: %s",
myname, dns_strtype(type), (char *) server->data);
if (valid_hostaddr((char *) server->data, DONT_GRIPE)) {
+ non_err = 1;
if ((status = check_addr_access(state, table, (char *) server->data,
FULL, &found, reply_name, reply_class,
def_acl)) != 0 || found)
msg_warn("Unable to look up %s host %s for %s %s: %s",
dns_strtype(type), (char *) server->data,
reply_class, reply_name, MAI_STRERROR(aierr));
+ if (aierr == EAI_AGAIN || aierr == EAI_SYSTEM)
+ soft_err = 1;
continue;
}
+ non_err = 1;
/* Now we must also free the addrinfo result. */
if (msg_verbose)
msg_info("%s: %s host address check: %s",
}
freeaddrinfo(res0); /* 200412 */
}
- CHECK_SERVER_RETURN(SMTPD_CHECK_DUNNO);
+ status = non_err ? SMTPD_CHECK_DUNNO :
+ smtpd_check_reject(state, MAIL_ERROR_POLICY,
+ soft_err ? var_map_defer_code :
+ var_map_reject_code,
+ smtpd_dsn_fix("4.1.8", reply_class),
+ "<%s>: %s rejected: %s",
+ reply_name, reply_class,
+ "Domain not found");
+ CHECK_SERVER_RETURN(status);
}
/* check_ccert_access - access for TLS clients by certificate fingerprint */
projects / thirdparty / postfix.git / commitdiff
