20090805
- Bugfix: don't panic when an unexpected smtpd access map is
- specified. File: smtpd/smtpd_check.c.
+ Bugfix: don't panic when an unexpected smtpd access map is
+ specified. File: smtpd/smtpd_check.c.
20090807
- Workaround: NS record lookups for certain domains always
- fail, while other queries for those domains always succeed
- (and even return replies with NS records as additional
- information).
-
- This inconsistency would allow spammers to avoid the Postfix
- check_{client,helo,sender,etc}_ns_access restrictions,
- because those restrictions have effect only for names that
- are known in the DNS.
-
- To address this specific inconsistency, the Postfix
- check_{client,etc}_ns_access feature now requires that a
- known-in-DNS domain name (or parent thereof) resolves to
- at least one name server IP address.
-
- For consistency, check_{client,etc}_mx_access now requires
- that a known-in-DNS domain name resolves to at least one
- mail server IP address.
-
- The IP addresses thus obtained may or may not be "correct".
- There is little to stop an uncooperative DNS server from
- lying, especially when the owner of the domain has no
- intention to receive email. File: smtpd/smtpd_check.c.
+ Workaround: NS record lookups for certain domains always
+ fail, while other queries for those domains always succeed
+ (and even return replies with NS records as additional
+ information).
+
+ This inconsistency in DNS lookup results would allow spammers
+ to circumvent the Postfix check_{client,helo,sender,etc}_ns_access
+ restrictions, because those restrictions have effect only
+ for NS records that can be looked up in the DNS.
+
+ To address this inconsistency, check_{client,etc}_ns_access
+ now require that a known-in-DNS domain name (or parent
+ thereof) always resolves to at least one name server IP
+ address.
+
+ For consistency, check_{client,etc}_mx_access now require
+ that a known-in-DNS domain name always resolves to at least
+ one mail server IP address.
+
+ These measures merely raise the difficulty level for spammers.
+ The IP address information thus obtained is not necessarily
+ "correct". There is little to stop an uncooperative DNS
+ server from lying, especially when the owner of the domain
+ has no desire to receive email. File: smtpd/smtpd_check.c.
+
+ Problem reported by MXTools.com.
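Review bot: in the 20090807 entry, "check_{client,etc}_ns_access now require" and "check_{client,etc}_mx_access now require" should read "requires" (the subject is a single restriction name, and the RELEASE_NOTES text in this same patch keeps "requires"), and "always resolves to at least one name server IP address" overstates a check that the closing paragraph then says is not reliable; the removed wording "resolves to" says what the code does without implying a guarantee. The reworded justification, "have effect only for NS records that can be looked up in the DNS", is also less precise than the removed "names that are known in the DNS": the bypass described at the top of the entry is that the NS query for the domain fails while other queries for the same name succeed, so "only for domains whose NS records can be looked up in the DNS" states the condition the new requirement closes. Separately, the 20090805 hunk's removed and added lines are textually identical as rendered, so that change is whitespace only; confirm this is intended (for example a tab versus space indentation fix) so it is not mistaken for a dropped edit.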
lookups always succeed (and may even return NS records as additional
information). This anomaly could be used by evil elements to skip
Postfix check_{client,helo,sender,recipient}_ns_access checks,
-because these apply only to domains that are known in the DNS.
+because these apply only to NS records that are found in the DNS.
To address this specific problem, check_{client,etc}_ns_access now
-requires that a known-in-DNS domain name (or parent thereof) resolves
-to at least one name server IP address.
+requires that a known-in-DNS domain name (or parent thereof) always
+resolves to at least one name server IP address.
For consistency, check_{client,etc}_mx_access now requires that a
-known-in-DNS domain name resolves to at least one mail server IP
-address.
+known-in-DNS domain name always resolves to at least one mail server
+IP address.
-Keep in mind that these measures provide no hard assurances. There
-is little to stop an uncooperative DNS server from lying, especially
-when the owner of the domain has no intention to receive email.
+These measures provide no hard assurances that the IP address
+information thus obtained is correct. There is little to stop an
+uncooperative DNS server from lying, especially when the owner of
+the domain has no desire to receive email.
Major changes - multi-instance support
--------------------------------------
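Review bot: "because these apply only to NS records that are found in the DNS" restates the cause less accurately than the removed line; the failure mode described just above is that NS lookups for the domain fail while other lookups for it succeed, so "domains that are known in the DNS" named the gap correctly and the sentence that follows (requiring the domain, or a parent, to resolve to at least one name server IP address) is what closes it. Keep this section in step with the HISTORY entry in the same patch: HISTORY uses "require", this text uses "requires", and both now add "always resolves", which reads awkwardly beside "provide no hard assurances" two paragraphs later; "resolves to at least one ... IP address" is sufficient in both places. The HISTORY entry's explicit "These measures merely raise the difficulty level for spammers" would also serve readers here, since the release notes are where operators relying on check_*_ns_access and check_*_mx_access will look for the caveat.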