From: Wietse Venema Date: Mon, 27 Dec 1999 05:00:00 +0000 (-0500) Subject: snapshot-19991227 X-Git-Tag: v20010228~75 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1027c207e70917341d4d92c084733994d1c7d1de;p=thirdparty%2Fpostfix.git snapshot-19991227 --- diff --git a/postfix/BEWARE b/postfix/BEWARE index 89cf9f8a0..10adbd496 100644 --- a/postfix/BEWARE +++ b/postfix/BEWARE @@ -7,44 +7,3 @@ disable synchronous logfile writes by prepending a - to the logfile name: mail.* -/var/log/mail.log - -SPAM BLOCKING SOURCE ROUTED ADDRESSES -===================================== - -If you are responsible for a backup MX host for some domain (either -your own domain or the domain of some other organization) it is -prudent to block addresses with multiple address operators at the -SMTP port, such as: - - user@elsewhere@some.domain - user%elsewhere@some.domain - elsewhere!user@some.domain - -The problem is that the primary MX host for some.domain may forward -the above to user@elsewhere. This can happen because the primary -MX host somehow "trusts" your backup MX host, or because the primary -MX host is badly configured. - -The bad news is that your backup MX machine can end up on a black -list because it accepted the mail, even though the problem involves -a primary MX host that perhaps is not under your control. - -The simplest solution is to install a regular expression filter: - - /etc/postfix/main.cf: - smtpd_recipient_restrictions = - regexp:/etc/postfix/regexp_access - ...other restrictions... - - /etc/postfix/regexp_access: - /[%!@].*[%!@]/ 550 Sender specified routing is not supported here. - -For the local domain, Postfix will do the right thing with: - - user@elsewhere@my.own.domain - user%elsewhere@my.own.domain - elsewhere!user@my.own.domain - -That is, it bounces the first form because "user@elsewhere" is not -a valid local user, and it accepts the second and third forms only -when user@elsewhere is a valid relay destination. diff --git a/postfix/HISTORY b/postfix/HISTORY index b87f5c7b9..31cc0327f 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -3477,20 +3477,21 @@ Apologies for any names omitted. Bugfix: the relative symlink code in INSTALL.sh computed the ../ prefix from the wrong pathname. -1999122[56] - - Feature: "allow_routed_relaying = no" (default) disallows - forwarding of mail with sender-specified routing (example: - user%domain2@domain1, user@domain2@domain1, etc.). This - plugs an "open relay" loophole where a backup MX host would - forward junk mail to a primary MX host which would forward - it to the Internet. Files: global/quote_822_local.c, - smtp/quote_821_local.c, trivial-rewrite/rewrite.c, - trivial-rewrite/resolve.c, smtp/smtpd_check.c. - - In order to make this possible, the resolver now passes a - status back to the client that says if the result is a - routed address. +1999122[5-7] + + Feature: "allow_untrusted_routing = no" (default) prevents + forwarding of source-routed mail from untrusted clients to + destinations that are blessed by the relay_domains parameter + (example: user@domain2@domain1 etc.). This plugs a mail + relay loophole where a backup MX host forwards junk mail + to a primary MX host which forwards the junk to the Internet. + Files: global/quote_822_local.c, smtp/quote_821_local.c, + trivial-rewrite/rewrite.c, trivial-rewrite/resolve.c, + smtp/smtpd_check.c. + + In order to make this possible, the Postfix resolver data + structure and protocol has changed, so that all resolver + clients need to be re-compiled. Side effect from the above change: from now on, an address with @ in the recipient localpart no longer bounces with diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index 57de19125..ebdd3f783 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES @@ -1,19 +1,22 @@ -Incompatible changes with snapshot 19991226 +Incompatible changes with snapshot 19991227 =========================================== -- The SMTP server by default no longer forwards mail to non-local -destinations with sender-specified routing (stuff[@%!]stuff[@%!]stuff). -This closes an open relay loophole with primary and secondary MX -hosts. To get old behavior, specify "allow_routed_relaying = yes". +- The SMTP server no longer forwards mail from untrusted clients +with sender-specified routing (stuff[@%!]stuff[@%!]stuff) to +destinations that are authorized by the relay_domains parameter. +This closes a loophole that exploits trust relationships between +hosts. Example: a trusted backup MX host forwards junk mail to +a primary MX host which forwards the junk to the Internet. Specify +"allow_untrusted_routing = yes" to restore the old behavior. - In order to support the above, the data structure and protocol of the trivial-rewrite service was changed. This means you must re-compile and re-link existing software that uses the Postfix resolve_clnt interface. -- As a side effect of the above, an address with @ in the localpart -(user@there@here) no longer bounces with "user unknown" but instead -is rejected with "relay access denied". +- As a side effect of the above, an address from an untrusted client +with @ in the localpart (user@remote@here) no longer bounces with +"user unknown" but instead is rejected with "relay access denied". - The experimental permit_recipient_map and local_transports features are gone. They were never part of an official release. Both are @@ -40,7 +43,7 @@ transport maps, it is better to always have explicit entries for all domain names you have in $mydestination. See the html/faq.html sections for firewalls and intranets. -Major changes with snapshot 19991226 +Major changes with snapshot 19991227 ==================================== - It is now much more difficult to configure Postfix as an open @@ -49,12 +52,13 @@ contains at least one restriction that by default refuses mail (as is the default). There were too many accidents with changes to the UCE restrictions. -- An "open relay" loophole is now plugged where a backup MX host -would forward stuff[@%!]stuff[@%!]stuff to a primary MX host which -would then spam it out to the world. To get the old behavior, -specify "allow_routed_relaying = yes". The old behavior is safe -only for non-MX hosts, and for primary MX hosts of domains that -have no backup MX hosts. +- The SMTP server no longer forwards mail from untrusted clients +with sender-specified routing (stuff[@%!]stuff[@%!]stuff) to +destinations that are authorized by the relay_domains parameter. +This closes a loophole that exploits trust relationships between +hosts. Example: a trusted backup MX host forwards junk mail to +a primary MX host which forwards the junk to the Internet. Specify +"allow_untrusted_routing = yes" to restore the old behavior. - The relay_domains parameter no longer needs to contain $virtual_maps. diff --git a/postfix/conf/main.cf b/postfix/conf/main.cf index 7aa37deff..538eb04e9 100644 --- a/postfix/conf/main.cf +++ b/postfix/conf/main.cf @@ -278,9 +278,10 @@ mail_owner = postfix # file sample-smtpd.cf. # # By default, Postfix relays mail -# - from clients whose IP address matches $mynetworks, -# - from clients matching $relay_domains or subdomains thereof, -# - to destinations that match $relay_domains or subdomains thereof. +# - from trusted clients whose IP address matches $mynetworks, +# - from trusted clients matching $relay_domains or subdomains thereof, +# - from untrusted clients to destinations that match $relay_domains +# or subdomains thereof, except addresses with sender-specified routing. # The default relay_domains value is $mydestination. # # In addition to the above, the Postfix SMTP server by default accepts mail diff --git a/postfix/conf/sample-smtpd.cf b/postfix/conf/sample-smtpd.cf index 22dac53d9..f662bfa2c 100644 --- a/postfix/conf/sample-smtpd.cf +++ b/postfix/conf/sample-smtpd.cf @@ -188,9 +188,10 @@ smtpd_sender_restrictions = # recipient addresses that SMTP clients can send in RCPT TO commands. # # By default, Postfix relays mail -# - from clients whose IP address matches $mynetworks, -# - from clients matching $relay_domains or subdomains thereof, -# - to destinations that match $relay_domains or subdomains thereof. +# - from trusted clients whose IP address matches $mynetworks, +# - from trusted clients matching $relay_domains or subdomains thereof, +# - from untrusted clients to destinations that match $relay_domains +# or subdomains thereof, except addresses with sender-specified routing. # The default relay_domains value is $mydestination. # # In addition to the above, the Postfix SMTP server by default accepts mail @@ -209,19 +210,22 @@ smtpd_sender_restrictions = # reject_unknown_hostname: reject HELO hostname without DNS A or MX record. # reject_unknown_sender_domain: reject sender domain without A or MX record. # *check_relay_domains: permit only mail -# - from clients matching $relay_domains or subdomain thereof, -# - to destinations matching $relay_domains or subdomain thereof, # - to destinations matching $inet_interfaces, $mydestination, -# or $virtual_maps. +# or $virtual_maps, +# - from trusted clients matching $relay_domains or subdomain thereof, +# - from untrusted clients to destinations matching $relay_domains or +# subdomain thereof (except addresses with sender-specified routing), # Reject anything else. # permit_auth_destination: permit mail -# - to destinations matching $relay_domains or subdomain thereof, # - to destinations matching $inet_interfaces, $mydestination, # or $virtual_maps. -# reject_unauth_destination: reject mail unless it is sent # - to destinations matching $relay_domains or subdomain thereof, +# except for addresses with sender-specified routing. +# reject_unauth_destination: reject mail unless it is sent # - to destinations matching $inet_interfaces, $mydestination, # or $virtual_maps. +# - to destinations matching $relay_domains or subdomain thereof, +# except for addresses with sender-specified routing. # reject_unauth_pipelining: reject mail from improperly pipelining spamware # permit_mx_backup: accept mail for sites that list me as MX host. # reject_unknown_recipient_domain: reject domains without A or MX record. @@ -254,15 +258,17 @@ smtpd_recipient_restrictions = permit_mynetworks,check_relay_domains # ADDITIONAL UCE CONTROLS # -# The allow_routed_relaying parameter controls whether the host will -# forward addresses with sender-specified routing. This is disabled -# by default, in order to close a nasty open relay loophole where a -# backup MX host can be tricked into forwarding mail to a primary MX -# host which then spams it out to the world. Don't change this if -# this system is backup MX host for any domain, or if this system -# receives mail from any backup MX host. -# -allow_routed_relaying = no +# The allow_untrusted_routing parameter controls if Postfix will +# forward mail with sender-specified routing (user[@%!]remote[@%!]site) +# from untrusted clients to destinations that are blessed by the +# relay_domains parameter. +# +# By default, untrusted clients are not allowed to specify routing. +# This closes a nasty open relay loophole where a backup MX host can +# be tricked into forwarding junk mail to a primary MX host which +# then spams it out to the world. +# +allow_untrusted_routing = no # The maps_rbl_domains parameter specifies an optional list of DNS # domains that publish the network addresses of blacklisted hosts. @@ -282,9 +288,10 @@ maps_rbl_domains = rbl.maps.vix.com # this system will relay mail to. # # By default, Postfix relays mail -# - from clients whose IP address matches $mynetworks, -# - from clients matching $relay_domains or subdomains thereof, -# - to destinations that match $relay_domains or subdomains thereof. +# - from trusted clients whose IP address matches $mynetworks, +# - from trusted clients matching $relay_domains or subdomains thereof, +# - from untrusted clients to destinations that match $relay_domains +# or subdomains thereof, except addresses with sender-specified routing. # The default relay_domains value is $mydestination. # # In addition to the above, the Postfix SMTP server by default accepts mail diff --git a/postfix/global/mail_params.h b/postfix/global/mail_params.h index 81194ed53..d01ad5977 100644 --- a/postfix/global/mail_params.h +++ b/postfix/global/mail_params.h @@ -748,9 +748,9 @@ extern char *var_etrn_checks; #define DEF_REST_CLASSES "" extern char *var_rest_classes; -#define VAR_ALLOW_ROUTED_RELAY "allow_routed_relaying" -#define DEF_ALLOW_ROUTED_RELAY 0 -extern bool var_allow_routed_relay; +#define VAR_ALLOW_UNTRUST_ROUTE "allow_untrusted_routing" +#define DEF_ALLOW_UNTRUST_ROUTE 0 +extern bool var_allow_untrust_route; /* * Names of specific restrictions, and the corresponding configuration diff --git a/postfix/global/mail_version.h b/postfix/global/mail_version.h index 35757105b..82bec8f2d 100644 --- a/postfix/global/mail_version.h +++ b/postfix/global/mail_version.h @@ -15,7 +15,7 @@ * Version of this program. */ #define VAR_MAIL_VERSION "mail_version" -#define DEF_MAIL_VERSION "Snapshot-19991226" +#define DEF_MAIL_VERSION "Snapshot-19991227" extern char *var_mail_version; /* LICENSE diff --git a/postfix/global/resolve_clnt.c b/postfix/global/resolve_clnt.c index fc86c798d..ff27504a6 100644 --- a/postfix/global/resolve_clnt.c +++ b/postfix/global/resolve_clnt.c @@ -45,8 +45,9 @@ /* domain that is handled by the local machine. This flag is currently /* not used. /* .IP RESOLVE_FLAG_ROUTED -/* The recipient address contains routing information, so the -/* destination domain is not necessarily the final destination. +/* After address resolution the recipient localpart contains further +/* routing information, so the resolved next-hop destination is not +/* the final destination. /* DIAGNOSTICS /* Warnings: communication failure. Fatal error: mail system is down. /* SEE ALSO diff --git a/postfix/html/faq.html b/postfix/html/faq.html index df99aa277..d5f5d8e65 100644 --- a/postfix/html/faq.html +++ b/postfix/html/faq.html @@ -157,8 +157,7 @@ distribution list
  • Commands don't work in Postfix virtual maps -
  • Mail for unknown virtual users fails -with a mail loop error +
  • Rejecting mail for unknown virtual users
  • Postfix refuses to receive mail for some virtual domains @@ -708,15 +707,15 @@ mail for arbitrary non-local destinations:

    -Don't Panic! Upgrade to a Postfix version of 19991226 or later. +Don't Panic! Upgrade to a Postfix version of 19991227 or later.

    -Older Postfix versions would either bounce the mail because +Older Postfix versions would either bounce the mail because "test@some.other.site" is not a known local username (which is -good), or they would forward the mail to a primary MX host for -"some.site" which would then spam it into the Internet (which is -bad). +good), or they would forward the mail to a primary MX host +for "some.site" which would then spam it into the Internet (which +is bad).

    @@ -1481,12 +1480,15 @@ To find out the location for your system, execute the command
    -

    Mail for unknown virtual users fails -with a mail loop error

    +

    Rejecting mail for unknown virtual users

    + +Problem: mail for an unknown virtual user is misdelivered to a local +user with the same name. + +

    Problem: mail for an unknown virtual user results in an ugly "mail -loops back to myself" error from the Postfix SMTP client. Why -doesn't Postfix generate a "user unknown" instead? +loops back to myself" error from Postfix.

    diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html index d977b5b8f..ad4d3024f 100644 --- a/postfix/html/smtpd.8.html +++ b/postfix/html/smtpd.8.html @@ -215,48 +215,48 @@ SMTPD(8) SMTPD(8) Restrict what domain names can be used in ETRN com- mands, and what clients may issue ETRN commands. + allow_untrusted_routing + Allow untrusted clients to specify addresses with + sender-specified routing. Enabling this opens up + nasty relay loopholes involving trusted backup MX + hosts. + restriction_classes - Declares the name of zero or more parameters that - contain a list of UCE restrictions. The names of - these parameters can then be used instead of the + Declares the name of zero or more parameters that + contain a list of UCE restrictions. The names of + these parameters can then be used instead of the restriction lists that they represent. maps_rbl_domains - List of DNS domains that publish the addresses of + List of DNS domains that publish the addresses of blacklisted hosts. relay_domains - Restrict what domains or networks this mail system + Restrict what domains or networks this mail system will relay mail from or to. UCE control responses access_map_reject_code - Server response when a client violates an access + Server response when a client violates an access database restriction. invalid_hostname_reject_code - Server response when a client violates the + Server response when a client violates the reject_invalid_hostname restriction. maps_rbl_reject_code - Server response when a client violates the + Server response when a client violates the maps_rbl_domains restriction. reject_code - Response code when the client matches a reject + Response code when the client matches a reject restriction. relay_domains_reject_code - Server response when a client attempts to violate + Server response when a client attempts to violate the mail relay policy. - unknown_address_reject_code - Server response when a client violates the - reject_unknown_address restriction. - unknown_client_reject_code - Server response when a client without address to - name mapping violates the reject_unknown_clients @@ -269,10 +269,17 @@ SMTPD(8) SMTPD(8) SMTPD(8) SMTPD(8) + unknown_address_reject_code + Server response when a client violates the + reject_unknown_address restriction. + + unknown_client_reject_code + Server response when a client without address to + name mapping violates the reject_unknown_clients restriction. unknown_hostname_reject_code - Server response when a client violates the + Server response when a client violates the reject_unknown_hostname restriction. SEE ALSO @@ -281,7 +288,7 @@ SMTPD(8) SMTPD(8) syslogd(8) system logging LICENSE - The Secure Mailer license must be distributed with this + The Secure Mailer license must be distributed with this software. AUTHOR(S) @@ -311,13 +318,6 @@ SMTPD(8) SMTPD(8) - - - - - - - diff --git a/postfix/html/uce.html b/postfix/html/uce.html index 857dcd193..7c82ad5d9 100644 --- a/postfix/html/uce.html +++ b/postfix/html/uce.html @@ -575,14 +575,16 @@ relays mail:

    @@ -625,9 +627,6 @@ on the client hostname or network address.
    Example: -
    smtpd_recipient_restrictions = permit_mynetworks, -check_relay_domains -
    smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination @@ -647,6 +646,7 @@ mail otherwise.
    check_relay_domains
    Permit the request when +one of the following is true: diff --git a/postfix/man/man8/smtpd.8 b/postfix/man/man8/smtpd.8 index 9067b806a..fbc3225ba 100644 --- a/postfix/man/man8/smtpd.8 +++ b/postfix/man/man8/smtpd.8 @@ -157,6 +157,10 @@ Restrict what recipient addresses are allowed in \fBRCPT TO\fR commands. .IP \fBsmtpd_etrn_restrictions\fR Restrict what domain names can be used in \fBETRN\fR commands, and what clients may issue \fBETRN\fR commands. +.IP \fBallow_untrusted_routing\fR +Allow untrusted clients to specify addresses with sender-specified +routing. Enabling this opens up nasty relay loopholes involving +trusted backup MX hosts. .IP \fBrestriction_classes\fR Declares the name of zero or more parameters that contain a list of UCE restrictions. The names of these parameters can diff --git a/postfix/smtpd/smtpd.c b/postfix/smtpd/smtpd.c index ceb1ba681..17e7cdd9a 100644 --- a/postfix/smtpd/smtpd.c +++ b/postfix/smtpd/smtpd.c @@ -141,10 +141,10 @@ /* .IP \fBsmtpd_etrn_restrictions\fR /* Restrict what domain names can be used in \fBETRN\fR commands, /* and what clients may issue \fBETRN\fR commands. -/* .IP \fBallow_routed_relaying\fR -/* Allow the relaying of addresses with sender-specified routing. -/* Enabling this opens up nasty relay loopholes if your domain has -/* primary and backup MX hosts. +/* .IP \fBallow_untrusted_routing\fR +/* Allow untrusted clients to specify addresses with sender-specified +/* routing. Enabling this opens up nasty relay loopholes involving +/* trusted backup MX hosts. /* .IP \fBrestriction_classes\fR /* Declares the name of zero or more parameters that contain a /* list of UCE restrictions. The names of these parameters can @@ -304,7 +304,7 @@ char *var_rcpt_canon_maps; char *var_virtual_maps; char *var_alias_maps; char *var_local_rcpt_maps; -bool var_allow_routed_relay; +bool var_allow_untrust_route; /* * Global state, for stand-alone mode queue file cleanup. When this is @@ -1327,7 +1327,7 @@ int main(int argc, char **argv) VAR_SMTPD_DELAY_REJECT, DEF_SMTPD_DELAY_REJECT, &var_smtpd_delay_reject, VAR_STRICT_RFC821_ENV, DEF_STRICT_RFC821_ENV, &var_strict_rfc821_env, VAR_DISABLE_VRFY_CMD, DEF_DISABLE_VRFY_CMD, &var_disable_vrfy_cmd, - VAR_ALLOW_ROUTED_RELAY, DEF_ALLOW_ROUTED_RELAY, &var_allow_routed_relay, + VAR_ALLOW_UNTRUST_ROUTE, DEF_ALLOW_UNTRUST_ROUTE, &var_allow_untrust_route, 0, }; static CONFIG_STR_TABLE str_table[] = { @@ -1344,11 +1344,11 @@ int main(int argc, char **argv) VAR_ALWAYS_BCC, DEF_ALWAYS_BCC, &var_always_bcc, 0, 0, VAR_ERROR_RCPT, DEF_ERROR_RCPT, &var_error_rcpt, 1, 0, VAR_REST_CLASSES, DEF_REST_CLASSES, &var_rest_classes, 0, 0, - VAR_LOCAL_RCPT_MAPS, DEF_LOCAL_RCPT_MAPS, &var_local_rcpt_maps, 0, 0, VAR_CANONICAL_MAPS, DEF_CANONICAL_MAPS, &var_canonical_maps, 0, 0, VAR_RCPT_CANON_MAPS, DEF_RCPT_CANON_MAPS, &var_rcpt_canon_maps, 0, 0, VAR_VIRTUAL_MAPS, DEF_VIRTUAL_MAPS, &var_virtual_maps, 0, 0, VAR_ALIAS_MAPS, DEF_ALIAS_MAPS, &var_alias_maps, 0, 0, + VAR_LOCAL_RCPT_MAPS, DEF_LOCAL_RCPT_MAPS, &var_local_rcpt_maps, 0, 0, 0, }; diff --git a/postfix/smtpd/smtpd_check.c b/postfix/smtpd/smtpd_check.c index c5ae37d8d..3be739290 100644 --- a/postfix/smtpd/smtpd_check.c +++ b/postfix/smtpd/smtpd_check.c @@ -377,22 +377,50 @@ static ARGV *smtpd_check_parse(const char *checks) return (argv); } -/* check_required - make sure minimally-required restriction is present */ +/* has_required - make sure required restriction is present */ -static void check_required(char *name, ARGV *restrictions, char **required) +static int has_required(ARGV *restrictions, char **required) { char **rest; char **reqd; - VSTRING *example; + ARGV *expansion; - for (rest = restrictions->argv; *rest; rest++) + /* + * Recursively check list membership. + */ + for (rest = restrictions->argv; *rest; rest++) { for (reqd = required; *reqd; reqd++) if (strcmp(*rest, *reqd) == 0) - return; + return (1); + if ((expansion = (ARGV *) htable_find(smtpd_rest_classes, *rest)) != 0) + if (has_required(expansion, required)) + return (1); + } + return (0); +} + +/* fail_required - handle failure to use required restriction */ + +static void fail_required(char *name, char **required) +{ + char *myname = "fail_required"; + char **reqd; + VSTRING *example; + + /* + * Sanity check. + */ + if (required[0] == 0) + msg_panic("%s: null required list", myname); + + /* + * Go bust. + */ example = vstring_alloc(10); for (reqd = required; *reqd; reqd++) vstring_sprintf_append(example, "%s ", *reqd); - msg_fatal("%s requires at least one of %s", name, STR(example)); + msg_fatal("parameter \"%s\": specify at least one explicit instance of: %s", + name, STR(example)); } /* smtpd_check_init - initialize once during process lifetime */ @@ -446,14 +474,6 @@ void smtpd_check_init(void) rcpt_restrctions = smtpd_check_parse(var_rcpt_checks); etrn_restrctions = smtpd_check_parse(var_etrn_checks); - /* - * People screw up the relay restrictions too often. Require that they - * list at least one restriction that rejects mail by default. - */ -#ifndef TEST - check_required(VAR_RCPT_CHECKS, rcpt_restrctions, rcpt_required); -#endif - /* * Parse the pre-defined restriction classes. */ @@ -477,6 +497,15 @@ void smtpd_check_init(void) htable_enter(smtpd_rest_classes, "check_relay_domains", smtpd_check_parse("permit_mydomain reject_unauth_destination")); #endif + + /* + * People screw up the relay restrictions too often. Require that they + * list at least one restriction that rejects mail by default. + */ +#ifndef TEST + if (!has_required(rcpt_restrctions, rcpt_required)) + fail_required(VAR_RCPT_CHECKS, rcpt_required); +#endif } /* smtpd_check_reject - do the boring things that must be done */ @@ -798,6 +827,12 @@ static int permit_auth_destination(char *recipient) || (*var_virtual_maps && maps_find(virtual_maps, domain, 0))) return (SMTPD_CHECK_OK); + /* + * Skip source-routed mail (uncertain destination). + */ + if (var_allow_untrust_route == 0 && (reply.flags & RESOLVE_FLAG_ROUTED)) + return (SMTPD_CHECK_DUNNO); + /* * Permit if the destination matches the relay_domains list. */ @@ -820,7 +855,7 @@ static int reject_unauth_destination(SMTPD_STATE *state, char *recipient) msg_info("%s: %s", myname, recipient); /* - * Permit authorized destination. + * Skip authorized destination. */ if (permit_auth_destination(recipient) == SMTPD_CHECK_OK) return (SMTPD_CHECK_DUNNO); @@ -852,52 +887,6 @@ static int reject_unauth_pipelining(SMTPD_STATE *state) return (SMTPD_CHECK_DUNNO); } -/* reject_routed_relay - FAIL for relaying via sender-specified route */ - -static int reject_routed_relay(SMTPD_STATE *state, char *recipient, - char *reply_name, char *reply_class) -{ - char *myname = "reject_routed_relay"; - char *domain; - - if (msg_verbose) - msg_info("%s: %s", myname, recipient); - - /* - * Resolve the address. - */ - canon_addr_internal(query, recipient); - resolve_clnt_query(STR(query), &reply); - - /* - * Handle special case that is not supposed to happen. - */ - if ((domain = strrchr(STR(reply.recipient), '@')) == 0) - return (SMTPD_CHECK_DUNNO); - domain += 1; - - /* - * Permit final delivery: the destination matches mydestination or - * virtual_maps. - */ - if (resolve_local(domain) - || (*var_virtual_maps && maps_find(virtual_maps, domain, 0))) - return (SMTPD_CHECK_DUNNO); - - /* - * Reject source-routed mail to a non-local destination. - */ - if ((reply.flags & RESOLVE_FLAG_ROUTED) != 0) - return (smtpd_check_reject(state, MAIL_ERROR_POLICY, - "%d <%s>: %s rejected: Source-routed relay access denied", - var_relay_code, reply_name, reply_class)); - - /* - * Something else. - */ - return (SMTPD_CHECK_DUNNO); -} - /* has_my_addr - see if this host name lists one of my network addresses */ static int has_my_addr(char *host) @@ -1847,13 +1836,10 @@ char *smtpd_check_rcpt(SMTPD_STATE *state, char *recipient) */ state->recursion = 0; status = setjmp(smtpd_check_buf); - if (status == 0 && rcpt_restrctions->argc) { + if (status == 0 && rcpt_restrctions->argc) status = generic_checks(state, rcpt_restrctions, recipient, SMTPD_NAME_RECIPIENT, CHECK_RECIP_ACL); - if (var_allow_routed_relay == 0 && status != SMTPD_CHECK_REJECT) - status = reject_routed_relay(state, recipient, - recipient, SMTPD_NAME_RECIPIENT); - } + SMTPD_CHECK_RCPT_RETURN(status == SMTPD_CHECK_REJECT ? STR(error_text) : 0); } @@ -2114,7 +2100,7 @@ int var_access_map_code; int var_reject_code; int var_non_fqdn_code; int var_smtpd_delay_reject; -int var_allow_routed_relay; +int var_allow_untrust_route; static INT_TABLE int_table[] = { "msg_verbose", 0, &msg_verbose, @@ -2128,7 +2114,7 @@ static INT_TABLE int_table[] = { VAR_REJECT_CODE, DEF_REJECT_CODE, &var_reject_code, VAR_NON_FQDN_CODE, DEF_NON_FQDN_CODE, &var_non_fqdn_code, VAR_SMTPD_DELAY_REJECT, DEF_SMTPD_DELAY_REJECT, &var_smtpd_delay_reject, - VAR_ALLOW_ROUTED_RELAY, DEF_ALLOW_ROUTED_RELAY, &var_allow_routed_relay, + VAR_ALLOW_UNTRUST_ROUTE, DEF_ALLOW_UNTRUST_ROUTE, &var_allow_untrust_route, 0, }; @@ -2165,7 +2151,7 @@ static int int_update(char **argv) typedef struct { char *name; ARGV **target; -} REST_TABLE; +} REST_TABLE; static REST_TABLE rest_table[] = { "client_restrictions", &client_restrctions, diff --git a/postfix/trivial-rewrite/resolve.c b/postfix/trivial-rewrite/resolve.c index 3d0324bfd..eb45b6d13 100644 --- a/postfix/trivial-rewrite/resolve.c +++ b/postfix/trivial-rewrite/resolve.c @@ -140,17 +140,13 @@ void resolve_addr(char *addr, VSTRING *channel, VSTRING *nexthop, /* * After stripping the local domain, if any, replace foo%bar by * foo@bar, site!user by user@site, rewrite to canonical form, and - * retry. Recognize routing operators in the address localpart. This - * is needed to prevent primary MX hosts from relaying third-party - * destinations from backup MX hosts, otherwise the primary could end - * up on black lists. + * retry. * * Otherwise we're done. */ if (tok822_rfind_type(tree->tail, '@') || (var_swap_bangpath && tok822_rfind_type(tree->tail, '!')) || (var_percent_hack && tok822_rfind_type(tree->tail, '%'))) { - *flags |= RESOLVE_FLAG_ROUTED; rewrite_tree(REWRITE_CANON, tree); } else { domain = 0;