> > The use case is an outbound MSA or smarthost, that sends mail to external
> > addresses. This request does seem to be a duplication of effort.
> >
> > Perhaps the allow_min_user test could be moved from "qmgr" into
> > "trivial-rewrite", where such addresses would by default result in
> > "error:..." routing, and perhaps then both qmgr and smtpd get the benefit
> > without duplication of code?
>
> I suppose so. Recipient validation was bolted onto Postfix long
> after the -username safety mechanism was implemented.

This is simple to do, if we accept the following (natural?) limitations:

- With "allow_min_user = no", it is no longer possible to accept and
  rewrite such addresses; they are simply treated as syntactically invalid
  input, rather than unavailable mailboxes.

  Reason: resolving to the "error" transport does not preclude content
  filter delivery, and that's the most likely problem area. So, we set
  RESOLVE_FLAG_ERROR rather than resolve to MAIL_SERVICE_ERROR.

- With "allow_min_user = no", sender addresses starting with "-" will also
  be treated as invalid by smtpd. Both sender and recipient addresses are
  validated via trivial-rewrite. The negative response will be directly to
  the "MAIL" command; it is not part of restriction processing and so is
  not delayed by smtpd_delay_reject.

  Note: with content filters in place, and rewriting delayed to post-filter
  re-injection, "allow_min_user" is already incompatible with sanitization
  through rewriting, so the change increases consistency.

  Note: rejecting sender addresses for which we are unable to return a
  reply, ... is also reasonable; the main drawback is that logging will be
  just a warning:

    Illegal address syntax from name[addr] in MAIL command: <-address>

  not nearly as detailed as with restriction action logging.
    mail from:<-viktor>
    501 5.1.7 Bad sender address syntax
    mail from:<viktor>
    250 2.1.0 Ok
    rcpt to:<-viktor>
    501 5.1.3 Bad recipient address syntax
    quit
    221 2.0.0 Bye

    Nov 27 00:21:43 amnesiac postfix/smtpd[994]: connect from localhost[127.0.0.1]
    Nov 27 00:21:52 amnesiac postfix/smtpd[994]: warning: Illegal address syntax from localhost[127.0.0.1] in MAIL command: <-viktor>
    Nov 27 00:22:14 amnesiac postfix/smtpd[994]: warning: Illegal address syntax from localhost[127.0.0.1] in RCPT command: <-viktor>
    Nov 27 00:22:31 amnesiac postfix/smtpd[994]: disconnect from localhost[127.0.0.1]

If the patch is acceptable, how should the documentation be updated?

    allow_min_user (default: no)

    Allow a recipient address to have `-' as the first character. By
    default, this is not allowed, to avoid accidents with software that
    passes email addresses via the command line. Such software would not
    be able to distinguish a malicious address from a bona fide
    command-line option. Although this can be prevented by inserting a
    "--" option terminator into the command line, this is difficult to
    enforce consistently and globally.

The scope would now be both sender and recipient addresses. Protects
against auto-responders getting bit, DSN notices being undeliverable, ...

Straight-forward preliminary patch:

Index: qmgr/qmgr.c --- qmgr/qmgr.c 29 Mar 2007 06:20:10 -0000 1.1.1.1 +++ qmgr/qmgr.c 27 Nov 2007 04:46:52 -0000 @@ -156,7 +156,2 @@ /* \fBmaster.cf\fR entry. -/* COMPATIBILITY CONTROLS -/* .ad -/* .fi -/* .IP "\fBallow_min_user (no)\fR" -/* Allow a recipient address to have `-' as the first character. /* ACTIVE QUEUE CONTROLS @@ -386,3 +382,2 @@ char *var_defer_xports; -bool var_allow_min_user; int var_local_con_lim; 
@@ -659,3 +666,2 @@ static CONFIG_BOOL_TABLE bool_table[] = { - VAR_ALLOW_MIN_USER, DEF_ALLOW_MIN_USER, &var_allow_min_user, VAR_VERP_BOUNCE_OFF, DEF_VERP_BOUNCE_OFF, &var_verp_bounce_off, Index: qmgr/qmgr_message.c --- qmgr/qmgr_message.c 29 Oct 2007 19:59:51 -0000 1.1.1.3.2.2 +++ qmgr/qmgr_message.c 27 Nov 2007 04:46:04 -0000 @@ -1072,18 +1072,2 @@ /* - * Bounce recipient addresses that start with `-'. External commands - * may misinterpret such addresses as command-line options. - * - * In theory I could say people should always carefully set up their - * master.cf pipe mailer entries with `--' before the first - * non-option argument, but mistakes will happen regardless. - * - * Therefore the protection is put in place here, in the queue manager, - * where it cannot be bypassed. - */ - if (var_allow_min_user == 0 && recipient->address[0] == '-') { - QMGR_REDIRECT(&reply, MAIL_SERVICE_ERROR, - "5.1.3 bad address syntax"); - } - - /* * Discard mail to the local double bounce address here, so this Index: trivial-rewrite/resolve.c --- trivial-rewrite/resolve.c 29 Mar 2007 06:20:12 -0000 1.1.1.1 +++ trivial-rewrite/resolve.c 27 Nov 2007 05:08:44 -0000 
@@ -632,2 +632,22 @@ /* + * Bounce recipient addresses that start with `-'. External commands + * may misinterpret such addresses as command-line options. + * + * In theory I could say people should always carefully set up their + * master.cf pipe mailer entries with `--' before the first + * non-option argument, but mistakes will happen regardless. + * + * Therefore the protection is put in place here, in trivial-rewrite, + * where it cannot be bypassed. + * + * Resolving to the "error" transport is not enough, such mail is still + * subjected to content filters, which are the most likely sources of + * problematic code. We need to flag a syntax issue to prevent delivery + * even to content filters. + */ + if (var_allow_min_user == 0 && STR(nextrcpt)[0] == '-') { + *flags |= RESOLVE_FLAG_ERROR; + } + + /* * Clean up. Index: trivial-rewrite/trivial-rewrite.c --- trivial-rewrite/trivial-rewrite.c 14 May 2007 21:47:39 -0000 1.1.1.2 +++ trivial-rewrite/trivial-rewrite.c 27 Nov 2007 04:51:27 -0000 @@ -82,2 +82,4 @@ /* .fi +/* .IP "\fBallow_min_user (no)\fR" +/* Allow a recipient address to have `-' as the first character. /* .IP "\fBresolve_dequoted_address (yes)\fR" @@ -299,2 +301,3 @@ bool var_swap_bangpath; +bool var_allow_min_user; bool var_append_dot_mydomain; @@ -564,2 +567,3 @@ VAR_SWAP_BANGPATH, DEF_SWAP_BANGPATH, &var_swap_bangpath, + VAR_ALLOW_MIN_USER, DEF_ALLOW_MIN_USER, &var_allow_min_user, VAR_APP_DOT_MYDOMAIN, DEF_APP_DOT_MYDOMAIN, &var_append_dot_mydomain,

-- 
	Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
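Review bot: the qmgr/qmgr_message.c hunk deletes the queue-manager check wholesale, including the `QMGR_REDIRECT(&reply, MAIL_SERVICE_ERROR, "5.1.3 bad address syntax")` bounce, but the only evidence shown for the replacement is the smtpd transcript (the 501 replies to MAIL and RCPT). Mail that enters the queue without passing smtpd, which the removed comment says this check was meant to catch ("in the queue manager, where it cannot be bypassed"), now depends entirely on how qmgr treats a RESOLVE_FLAG_ERROR answer from trivial-rewrite; please confirm in the description that such recipients still end up with a "bad address syntax" bounce rather than being deferred or delivered, and mention the qmgr path in the patch notes.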
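Review bot: the comment block added in the trivial-rewrite/resolve.c hunk no longer describes the code under it. It still opens with `* Bounce recipient addresses that start with `-'.`, but the statement that follows, `*flags |= RESOLVE_FLAG_ERROR;`, does not bounce anything; it marks the address as a syntax error so it is never routed at all, and your own description says the same resolver path now rejects sender addresses queried by smtpd. Suggest rewording the first sentence to something like `* Flag sender and recipient addresses that start with `-' as syntax errors.` and dropping "in trivial-rewrite, where it cannot be bypassed" in favour of the actual reason given two paragraphs later (the error transport would still hand the mail to content filters).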
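Review bot: the `.IP "\fBallow_min_user (no)\fR"` manual entry added in the trivial-rewrite/trivial-rewrite.c hunk is copied verbatim from the qmgr text it replaces, `Allow a recipient address to have `-' as the first character.`, while the message itself notes that the scope is now both sender and recipient addresses. The man-page line should say `Allow a sender or recipient address to have `-' as the first character.`, and the quoted allow_min_user documentation paragraph above needs the same scope change plus a sentence that such addresses are rejected with a 5.1.3/5.1.7 syntax error rather than bounced.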
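The hazard that the quoted allow_min_user documentation describes (a pipe-style mailer reading an address that begins with "-" as a command-line option, which a "--" terminator only partly fixes) and the resolver check the patch moves into trivial-rewrite are both illustrated below. This is an added Python example, not code from this message or from Postfix: the `deliver` program with its `-f` option is hypothetical, the numeric value of RESOLVE_FLAG_ERROR is made up (only the name appears in the post), and `${sender}`/`${recipient}` are spelled as in pipe(8) argv= templates.

```python
"""Leading-'-' addresses versus command-line mailers (added illustration).

Two pieces, neither of them Postfix code:

  1. resolve_flags(): the trivial-rewrite style check from the patch.
     With allow_min_user = no, an address whose first character is '-'
     is flagged as a syntax error before any transport (content filters
     included) sees it.
  2. parse_pipe_argv(): why that check exists.  A toy pipe(8)-style mailer
     'deliver -f SENDER RECIPIENT...' (hypothetical program) is handed an
     expanded argv= template; without a '--' terminator a recipient such
     as '-viktor' is taken for an option, and a sender such as '-bob'
     breaks the '-f' option even when the terminator is present.
"""
import argparse
import shlex

# Name as quoted in the post; the numeric value is constructed here.
RESOLVE_FLAG_ERROR = 1 << 0


def resolve_flags(address: str, allow_min_user: bool = False) -> int:
    """Return resolver flags for one sender or recipient address."""
    flags = 0
    if not allow_min_user and address.startswith("-"):
        flags |= RESOLVE_FLAG_ERROR  # reject as bad address syntax
    return flags


class _QuietParser(argparse.ArgumentParser):
    """argparse that raises instead of printing usage and exiting."""

    def error(self, message):
        raise ValueError(message)


def build_parser() -> argparse.ArgumentParser:
    """Toy stand-in for a local delivery command run by pipe(8)."""
    p = _QuietParser(prog="deliver", add_help=False)
    p.add_argument("-f", dest="sender", required=True)
    p.add_argument("recipients", nargs="+")
    return p


def expand_argv(template: str, sender: str, recipients: list) -> list:
    """Expand a master.cf argv= template using pipe(8) macro spelling."""
    argv = []
    for tok in shlex.split(template):
        if tok == "${sender}":
            argv.append(sender)
        elif tok == "${recipient}":
            argv.extend(recipients)
        else:
            argv.append(tok)
    return argv


def parse_pipe_argv(template: str, sender: str, recipients: list):
    """Run the toy mailer's option parser over an expanded argv.

    Returns ("ok", recipients_seen) or ("error", argparse_message).
    """
    argv = expand_argv(template, sender, recipients)
    try:
        ns = build_parser().parse_args(argv[1:])  # argv[0] is the program
    except ValueError as exc:
        # An address was consumed as (or collided with) an option.
        return ("error", str(exc))
    return ("ok", ns.recipients)


if __name__ == "__main__":
    unsafe = "deliver -f ${sender} ${recipient}"
    safe = "deliver -f ${sender} -- ${recipient}"
    print(parse_pipe_argv(unsafe, "alice@example.com", ["-viktor"]))
    print(parse_pipe_argv(safe, "alice@example.com", ["-viktor"]))
    print(parse_pipe_argv(safe, "-bob", ["viktor"]))
    print(resolve_flags("-viktor"), resolve_flags("viktor"))
```

The third call in the usage block is the point the message makes about senders: a "--" terminator protects the positional recipients, but a sender that begins with "-" is still handed to `-f` and misread, which is why the check has to sit in the resolver for both address kinds rather than in each master.cf entry.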