NEOHAPSIS - Peace of Mind Through Integrity and Insight

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Postfix Discussion> 2003-08

Postfix 1.1.13 available

From: Wietse Venema (wietseporcupine.org)
Date: Sun Aug 03 2003 - 22:40:45 CDT

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This patch fixes a denial of service condition in the Postfix smtpd,
qmgr, and other programs that use the trivial-rewrite service.
The problem is triggered when an invalid address resolves to an
impossible result. This causes the affected programs to reject the
result and to retry the trivial-rewrite request indefinitely.

The problem was found by Michal Zalewski in Postfix version 1.11
and can be triggered remotely via addresses in SMTP commands or in
Errors-To: message headers. Vulnerable Postfix versions are fixed
by applying a one-line patch or by applying a configuration
workaround as described below.

With vulnerable Postfix versions, the invalid addresses in SMTP
commands take effect before Postfix built-in access control features
can block them. The specific address syntax depends on the Postfix
version and on Postfix configuration details.

To find out your Postfix version, use the command "postconf
mail_version". Versions prior to 1.1 show a date instead of a
version number (e.g., Postfix-20010228-pl08). Versions 1.1 and
later may show a date in addition to the version number (e.g.,
2.0.14-20030717).

Postfix versions 2.0 and later:

Not vulnerable, because the trivial-rewrite code was completely
restructured. The current Postfix version is 2.0.13.

A not vulnerable Postfix version can protect vulnerable Postfix
systems as described in the workarounds section below.

Postfix versions 1.1.9 .. 1.1.12:

    These are vulnerable, and are fixed by upgrading to version
    1.1.13 which will be made available via http://www.postfix.org/
    and via individual vendors, or by applying the patch below.
    The workarounds section below has instructions for sites that
    cannot upgrade Postfix immediately.

Postfix versions prior to 1.1.9:

    These become vulnerable only when the append_dot_mydomain
    feature is set to "no" (you can verify this with the command
    "postconf append_dot_mydomain"). Use the command "postconf -e
    append_dot_mydomain=yes" to update the setting if necessary.

    Sites that must use "append_dot_mydomain=no" should either
    upgrade to a fixed Postfix version, or should apply the one-line
    patch at the end of this text. This patch has been tested with
    Postfix versions back to 19991231.

Workarounds for Postfix versions 1.1.9 - 1.1.12:

    Verify that the append_dot_mydomain feature is set to "yes" by
    using the command "postconf append_dot_mydomain". Use the
    command "postconf -e append_dot_mydomain=yes" to update the
    setting if necessary.

    Sites that must use "append_dot_mydomain=no" should either
    upgrade to a fixed Postfix version, or should apply the one-line
    patch at the end of this text.

Specify "resolve_dequoted_address=no" in main.cf.

    An additional workaround is needed for hosts that must forward
    mail from the Internet to, for example, primary MX hosts or to
    internal hosts. This is because with resolve_dequoted_address=no,
    Postfix no longer recognizes userbad.domaingood.domain as a
    mail relaying attempt. To close this loophole, use a regular
    expression to block sender-specified routing in SMTP recipient
    addresses:

        /etc/postfix/main.cf:
            smtpd_recipient_restrictions =
                permit_mynetworks,
                check_recipient_access regexp:/etc/postfix/recipient_regexp
                ...other restrictions...
                check_relay_domains

/etc/postfix/recipient_regexp:
/[%!].*[%!]/ 550 Sender-specified routing rejected

Workarounds to protect vulnerable down-stream Postfix systems:

Reject Errors-To: message headers with multiple routing
operators:

/etc/postfix/main.cf:
header_checks = regexp:/etc/postfix/header_checks

/etc/postfix/header_checks:
/^errors-to:.*[%!].*[%!]/ reject

Reject SMTP sender addresses with multiple routing operators:

        /etc/postfix/main.cf:
            smtpd_sender_restrictions =
                check_sender_access regexp:/etc/postfix/sender_regexp
                ...other restrictions...

/etc/postfix/sender_regexp:
/[%!].*[%!]/ 550 Sender-specified routing rejected

diff -cr /tmp/postfix-1.1.12/src/trivial-rewrite/resolve.c ./src/trivial-rewrite/resolve.c
*** /tmp/postfix-1.1.12/src/trivial-rewrite/resolve.c Fri Nov 22 12:32:33 2002
--- ./src/trivial-rewrite/resolve.c Mon Jul 28 11:36:49 2003
***************
*** 148,153 ****
--- 148,154 ----
              if (saved_domain)
                  tok822_free_tree(saved_domain);
              saved_domain = domain;
+ domain = 0;
          }

          /*

Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]