From: *Hobbit* (hobbit_at_avian.org)
Date: Sat Sep 21 2002 - 02:01:44 CDT

    > [snapshot-20020106] Postfix SMTP access maps will no longer return
    > OK for non-local multi-domain recipient mail addresses (user@dom1@dom2,
    > user%dom1@dom2, etcetera); the lookup now returns DUNNO (undetermined).
    > Non-local multi-domain recipient addresses were already prohibited
    > from matching the permit_mx_backup and the relay_domains-based
    > restrictions.

    I also finally found this stuff, starting in trivial-rewrite/resolve.c,
    and I think it's the same thing causing Zot's problem. By commenting
    the bit of code that treats a@b@c or a%b@c specially, I finally got
    proper rejection working, but I'm sure it wasn't the right solution.
    My regexp rule is still skipped, because [I assume from what Wietse said]
    it is invoked after the address is "resolved" to a@b.

    > So does this mean that local multi-domain recipient mail addresses get
    > an OK (user@dom1@localhost). This would be the style of attack that
    > still works on the system.

    Apparently. And apparently ORDB decided to launch a massive sweep for this
    kind of thing over the last couple of days, and they're discovering lots
    of Postfixes with this clear and present problem. The obvious things
    that an administrator can try [making sure all the anti-relaying is on,
    putting /.*/ in the ruleset, etc] are not helping me, and not helping
    Zot, and not helping anybody else who is suddenly finding themselves
    blacklisted by ORDB for the same reason.

    I question the usefulness of the recipient restrictions being applied
    *after* trivial-rewrite resolves the address. It would be nice to be able
    to at least get a look at the raw envelope destination, because that's
    what most people *assume* is being examined and it's a nasty subtlety
    that my own domain got stripped off already in the "" case and defeats
    what I was trying to do. Yes, it's an older Postfix release -- is this how
    it's still supposed to work now, though?

    What I don't understand is why the problem may exist in one mailer setup,
    and doesn't exist in another one with a very similar configuration. Can
    someone describe how the sender-specified routing "bypass" actually works,
    what happens in what order, so that we can get a clearer idea of what's
    going on?? A discussion of how it *used* to work in past releases [with
    specific order-of-operations layout there too] would be useful for contrast.

    _H*
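
The ordering issue raised in the message above, as an added example that is not part of the original post and is not Postfix source code: a simplified model in which a resolve step strips the host's own domain from a multi-domain recipient before a pattern rule is evaluated, so the rule that would match the raw envelope recipient no longer matches. `LOCAL_DOMAINS`, the sample addresses and the function names `resolve` and `check` are assumptions made for illustration.

```python
import re

# Constructed sample data: names this host treats as its own.
LOCAL_DOMAINS = {"localhost", "mail.example.net"}

# The kind of pattern an administrator writes expecting to see the raw
# envelope recipient: a routing operator (@, % or !) left of the final @.
MULTI_DOMAIN = re.compile(r"[@%!].*@")

# Constructed recipients in the forms quoted in the thread.
SAMPLES = [
    "user@dom1.example@localhost",
    "user%dom1.example@localhost",
    "alice@localhost",
    "bob@dom1.example",
]


def resolve(rcpt: str) -> str:
    """Simplified model of the resolve step (an assumption, not resolve.c)."""
    addr = rcpt
    while "@" in addr:
        local, _, domain = addr.rpartition("@")
        if domain.lower() not in LOCAL_DOMAINS:
            break                      # rightmost domain is remote: stop here
        addr = local                   # our own domain is stripped off
        if "@" not in addr and "%" in addr:
            user, _, dom = addr.rpartition("%")
            addr = f"{user}@{dom}"     # user%dom is treated like user@dom
    return addr


def check(rcpt: str) -> dict:
    """Evaluate the same rule against the raw and the resolved recipient."""
    resolved = resolve(rcpt)
    return {
        "raw": rcpt,
        "resolved": resolved,
        "rule_hits_raw": bool(MULTI_DOMAIN.search(rcpt)),
        "rule_hits_resolved": bool(MULTI_DOMAIN.search(resolved)),
    }


if __name__ == "__main__":
    for rcpt in SAMPLES:
        print(check(rcpt))
```

For the two multi-domain samples the rule matches the raw recipient but not the resolved one, which is the gap between what the administrator assumes is examined and what the restriction actually sees.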