Postfix version 1.1 patch 12 fixes a malformed address problem. The garbage in "user@garbage"@domain address forms may cause the SMTP or LMTP client to terminate with a fatal error exit because garbage/tcp is not an existing service. This cannot be abused to cause the SMTP or LMTP client to send data into unauthorized ports. Prereq: "1.1.11" diff -cr /tmp/postfix-1.1.11/src/global/mail_version.h ./src/global/mail_version.h *** /tmp/postfix-1.1.11/src/global/mail_version.h Tue May 28 20:43:34 2002 --- ./src/global/mail_version.h Fri Nov 22 12:49:17 2002 *************** *** 21,27 **** * release date only, unless they include the same bugfix as a patch release. */ #define VAR_MAIL_VERSION "mail_version" ! #define DEF_MAIL_VERSION "1.1.11" extern char *var_mail_version; /* --- 21,27 ---- * release date only, unless they include the same bugfix as a patch release. */ #define VAR_MAIL_VERSION "mail_version" ! #define DEF_MAIL_VERSION "1.1.12" extern char *var_mail_version; /* diff -cr /tmp/postfix-1.1.11/HISTORY ./HISTORY *** /tmp/postfix-1.1.11/HISTORY Tue May 28 16:59:20 2002 --- ./HISTORY Fri Nov 22 12:48:33 2002 *************** *** 6331,6336 **** --- 6331,6345 ---- MAIL_CONFIG environment setting to the postdrop command. File: global/mail_config.h. + 20021121 + + Bugfix: garbage in "user@garbage"@domain address forms may + cause the SMTP or LMTP client to terminate with a fatal + error exit because garbage/tcp is not an existing service. + This cannot be abused to cause the SMTP or LMTP client to + send data into unauthorized ports. Files: *qmgr/qmgr_message.c, + trivial-rewrite/resolve.c. + Open problems: Low: sendmail does not store null command-line recipients. diff -cr /tmp/postfix-1.1.11/src/global/resolve_clnt.c ./src/global/resolve_clnt.c *** /tmp/postfix-1.1.11/src/global/resolve_clnt.c Fri Nov 2 19:51:23 2001 --- ./src/global/resolve_clnt.c Fri Nov 22 12:32:32 2002 *************** *** 48,53 **** --- 48,55 ---- /* After address resolution the recipient localpart contains further /* routing information, so the resolved next-hop destination is not /* the final destination. + /* .IP RESOLVE_FLAG_ERROR + /* The address resolved to something that has invalid syntax. /* DIAGNOSTICS /* Warnings: communication failure. Fatal error: mail system is down. /* SEE ALSO diff -cr /tmp/postfix-1.1.11/src/global/resolve_clnt.h ./src/global/resolve_clnt.h *** /tmp/postfix-1.1.11/src/global/resolve_clnt.h Sat Dec 25 13:28:55 1999 --- ./src/global/resolve_clnt.h Fri Nov 22 12:32:32 2002 *************** *** 23,28 **** --- 23,29 ---- #define RESOLVE_FLAG_FINAL (1<<0) /* final delivery */ #define RESOLVE_FLAG_ROUTED (1<<1) /* routed destination */ + #define RESOLVE_FLAG_ERROR (1<<2) /* bad destination */ typedef struct RESOLVE_REPLY { VSTRING *transport; diff -cr /tmp/postfix-1.1.11/src/nqmgr/qmgr_message.c ./src/nqmgr/qmgr_message.c *** /tmp/postfix-1.1.11/src/nqmgr/qmgr_message.c Fri Feb 22 19:16:14 2002 --- ./src/nqmgr/qmgr_message.c Fri Nov 22 12:34:24 2002 *************** *** 618,623 **** --- 618,629 ---- * result address may differ from the one specified by the sender. */ resolve_clnt_query(recipient->address, &reply); + if (reply.flags & RESOLVE_FLAG_ERROR) { + qmgr_bounce_recipient(message, recipient, + "bad address syntax: \"%s\"", + recipient->address); + continue; + } if (message->filter_xport) { vstring_strcpy(reply.transport, message->filter_xport); if ((nexthop = split_at(STR(reply.transport), ':')) == 0 diff -cr /tmp/postfix-1.1.11/src/qmgr/qmgr_message.c ./src/qmgr/qmgr_message.c *** /tmp/postfix-1.1.11/src/qmgr/qmgr_message.c Fri Feb 22 19:16:17 2002 --- ./src/qmgr/qmgr_message.c Fri Nov 22 12:33:44 2002 *************** *** 498,503 **** --- 498,509 ---- * result address may differ from the one specified by the sender. */ resolve_clnt_query(recipient->address, &reply); + if (reply.flags & RESOLVE_FLAG_ERROR) { + qmgr_bounce_recipient(message, recipient, + "bad address syntax: \"%s\"", + recipient->address); + continue; + } if (message->filter_xport) { vstring_strcpy(reply.transport, message->filter_xport); if ((nexthop = split_at(STR(reply.transport), ':')) == 0 diff -cr /tmp/postfix-1.1.11/src/trivial-rewrite/Makefile.in ./src/trivial-rewrite/Makefile.in *** /tmp/postfix-1.1.11/src/trivial-rewrite/Makefile.in Mon May 13 12:42:51 2002 --- ./src/trivial-rewrite/Makefile.in Fri Nov 22 12:38:00 2002 *************** *** 67,72 **** --- 67,73 ---- resolve.o: ../../include/vstream.h resolve.o: ../../include/vstring_vstream.h resolve.o: ../../include/split_at.h + resolve.o: ../../include/valid_hostname.h resolve.o: ../../include/mail_params.h resolve.o: ../../include/mail_proto.h resolve.o: ../../include/iostuff.h diff -cr /tmp/postfix-1.1.11/src/trivial-rewrite/resolve.c ./src/trivial-rewrite/resolve.c *** /tmp/postfix-1.1.11/src/trivial-rewrite/resolve.c Mon May 13 16:08:57 2002 --- ./src/trivial-rewrite/resolve.c Fri Nov 22 12:32:33 2002 *************** *** 61,66 **** --- 61,67 ---- #include #include #include + #include /* Global library. */ *************** *** 219,226 **** vstring_strcpy(nexthop, destination); else if (*var_relayhost) vstring_strcpy(nexthop, var_relayhost); ! else tok822_internalize(nexthop, domain->next, TOK822_STR_DEFL); if (*STR(channel) == 0) msg_fatal("null transport is not allowed: %s = %s", VAR_DEF_TRANSPORT, var_def_transport); --- 220,231 ---- vstring_strcpy(nexthop, destination); else if (*var_relayhost) vstring_strcpy(nexthop, var_relayhost); ! else { tok822_internalize(nexthop, domain->next, TOK822_STR_DEFL); + if (STR(nexthop)[strspn(STR(nexthop), "[]0123456789.")] != 0 + && valid_hostname(STR(nexthop), DONT_GRIPE) == 0) + *flags |= RESOLVE_FLAG_ERROR; + } if (*STR(channel) == 0) msg_fatal("null transport is not allowed: %s = %s", VAR_DEF_TRANSPORT, var_def_transport);