Prereq: "2.6.4" diff -cr --new-file /var/tmp/postfix-2.6.4/src/global/mail_version.h ./src/global/mail_version.h *** /var/tmp/postfix-2.6.4/src/global/mail_version.h Tue Aug 25 20:05:58 2009 --- ./src/global/mail_version.h Fri Aug 28 20:37:10 2009 *************** *** 20,27 **** * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20090825" ! #define MAIL_VERSION_NUMBER "2.6.4" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE --- 20,27 ---- * Patches change both the patchlevel and the release date. Snapshots have no * patchlevel; they change the release date only. */ ! #define MAIL_RELEASE_DATE "20090828" ! #define MAIL_VERSION_NUMBER "2.6.5" #ifdef SNAPSHOT # define MAIL_VERSION_DATE "-" MAIL_RELEASE_DATE diff -cr --new-file /var/tmp/postfix-2.6.4/HISTORY ./HISTORY *** /var/tmp/postfix-2.6.4/HISTORY Tue Aug 25 20:09:34 2009 --- ./HISTORY Fri Aug 28 20:30:38 2009 *************** *** 15274,15305 **** Bugfix: don't panic when an unexpected smtpd access map is specified. File: smtpd/smtpd_check.c. - - 20090807 - - Workaround: NS record lookups for certain domains always - fail, while other queries for those domains always succeed - (and even return replies with NS records as additional - information). - - This inconsistency in DNS lookup results would allow spammers - to circumvent the Postfix check_{client,helo,sender,etc}_ns_access - restrictions, because those restrictions have effect only - for NS records that can be looked up in the DNS. - - To address this inconsistency, check_{client,etc}_ns_access - now require that a known-in-DNS domain name (or parent - thereof) always resolves to at least one name server IP - address. - - For consistency, check_{client,etc}_mx_access now require - that a known-in-DNS domain name always resolves to at least - one mail server IP address. - - These measures merely raise the difficulty level for spammers. - The IP address information thus obtained is not necessarily - "correct". There is little to stop an uncooperative DNS - server from lying, especially when the owner of the domain - has no desire to receive email. File: smtpd/smtpd_check.c. - - Problem reported by MXTools.com. --- 15274,15276 ---- diff -cr --new-file /var/tmp/postfix-2.6.4/RELEASE_NOTES ./RELEASE_NOTES *** /var/tmp/postfix-2.6.4/RELEASE_NOTES Tue Aug 25 20:02:05 2009 --- ./RELEASE_NOTES Fri Aug 28 20:30:54 2009 *************** *** 14,41 **** If you upgrade from Postfix 2.4 or earlier, read RELEASE_NOTES-2.5 before proceeding. - Incompatibility with Postfix 2.6.4 - ================================== - - With some domain names, NS record lookups always fail while other - lookups always succeed (and may even return NS records as additional - information). This anomaly could be used by evil elements to skip - Postfix check_{client,helo,sender,recipient}_ns_access checks, - because these apply only to NS records that are found in the DNS. - - To address this specific problem, check_{client,etc}_ns_access now - requires that a known-in-DNS domain name (or parent thereof) always - resolves to at least one name server IP address. - - For consistency, check_{client,etc}_mx_access now requires that a - known-in-DNS domain name always resolves to at least one mail server - IP address. - - These measures provide no hard assurances that the IP address - information thus obtained is correct. There is little to stop an - uncooperative DNS server from lying, especially when the owner of - the domain has no desire to receive email. - Major changes - multi-instance support -------------------------------------- --- 14,19 ---- diff -cr --new-file /var/tmp/postfix-2.6.4/src/smtpd/smtpd_check.c ./src/smtpd/smtpd_check.c *** /var/tmp/postfix-2.6.4/src/smtpd/smtpd_check.c Fri Aug 7 20:58:09 2009 --- ./src/smtpd/smtpd_check.c Fri Aug 28 20:29:22 2009 *************** *** 2515,2524 **** struct addrinfo *res; int status; INET_PROTO_INFO *proto_info; - const char *saved_domain; - int non_err, soft_err; - int known_name_in_dns; - int ping_status; /* * Sanity check. --- 2515,2520 ---- *************** *** 2573,2592 **** * * If the domain name exists but no NS record exists, look up parent domain * NS records. - * - * After the initial lookup fails, do one final DNS sanity check. Reject - * mail when the name exists, but MX lookup produces no valid response or - * NS lookup fails for any reason. Beware, this sanity check provides no - * hard assurance. An uncooperative DNS server may lie about everything, - * including non-existence. */ - #define SOME_DNS_RR_EXISTS(stat, herr) \ - ((stat) == DNS_OK || (stat) == DNS_INVAL || (herr) == NO_DATA) - - saved_domain = domain; dns_status = dns_lookup(domain, type, 0, &server_list, (VSTRING *) 0, (VSTRING *) 0); - known_name_in_dns = SOME_DNS_RR_EXISTS(dns_status, h_errno); if (dns_status == DNS_NOTFOUND /* Not: h_errno == NO_DATA */ ) { if (type == T_MX) { server_list = dns_rr_create(domain, domain, type, C_IN, 0, 0, --- 2569,2577 ---- *************** *** 2605,2626 **** if (dns_status != DNS_OK) { msg_warn("Unable to look up %s host for %s: %s", dns_strtype(type), domain && domain[1] ? domain : name, dns_strerror(h_errno)); - if (known_name_in_dns == 0) { - /* With hostile DNS, an address query is more likely to work. */ - ping_status = dns_lookup_l(saved_domain, 0, (DNS_RR **) 0, - (VSTRING *) 0, (VSTRING *) 0, - DNS_REQ_FLAG_STOP_OK, - RR_ADDR_TYPES, 0); - known_name_in_dns = SOME_DNS_RR_EXISTS(ping_status, h_errno); - } - if (known_name_in_dns) - return (smtpd_check_reject(state, MAIL_ERROR_POLICY, - dns_status == DNS_RETRY ? - var_map_defer_code : var_map_reject_code, - smtpd_dsn_fix("4.1.8", reply_class), - "<%s>: %s rejected: %s", - reply_name, reply_class, - "Domain not found")); return (SMTPD_CHECK_DUNNO); } --- 2590,2595 ---- *************** *** 2633,2645 **** * Check the hostnames first, then the addresses. */ proto_info = inet_proto_info(); - non_err = soft_err = 0; for (server = server_list; server != 0; server = server->next) { if (msg_verbose) msg_info("%s: %s hostname check: %s", myname, dns_strtype(type), (char *) server->data); if (valid_hostaddr((char *) server->data, DONT_GRIPE)) { - non_err = 1; if ((status = check_addr_access(state, table, (char *) server->data, FULL, &found, reply_name, reply_class, def_acl)) != 0 || found) --- 2602,2612 ---- *************** *** 2655,2665 **** msg_warn("Unable to look up %s host %s for %s %s: %s", dns_strtype(type), (char *) server->data, reply_class, reply_name, MAI_STRERROR(aierr)); - if (aierr == EAI_AGAIN || aierr == EAI_SYSTEM) - soft_err = 1; continue; } - non_err = 1; /* Now we must also free the addrinfo result. */ if (msg_verbose) msg_info("%s: %s host address check: %s", --- 2622,2629 ---- *************** *** 2683,2697 **** } freeaddrinfo(res0); /* 200412 */ } ! status = non_err ? SMTPD_CHECK_DUNNO : ! smtpd_check_reject(state, MAIL_ERROR_POLICY, ! soft_err ? var_map_defer_code : ! var_map_reject_code, ! smtpd_dsn_fix("4.1.8", reply_class), ! "<%s>: %s rejected: %s", ! reply_name, reply_class, ! "Domain not found"); ! CHECK_SERVER_RETURN(status); } /* check_ccert_access - access for TLS clients by certificate fingerprint */ --- 2647,2653 ---- } freeaddrinfo(res0); /* 200412 */ } ! CHECK_SERVER_RETURN(SMTPD_CHECK_DUNNO); } /* check_ccert_access - access for TLS clients by certificate fingerprint */