originating flag not working - critical bug - RelayedOpenRelay / DKIM signing not working

Karol Augustin karol at augustin.pl
Sat Feb 10 19:48:56 CET 2018


Hi,

I am explicitly copying the original authors of the threads I am referring
to in this email, as I don't know if they are still monitoring the list for
a solution to the problem.
I would like to thank Giovanni for supplying the patch, which has now
spread across the internet.

There is evidence of a critical bug in quite a few threads on this list
that manifests itself in various ways. Some users have problems with
DKIM signatures of outgoing mail, others with mail marked as
RelayedOpenRelay in the logs.

The issue is caused by Amavis not honoring the originating flag, which
causes all sender addresses to be treated as "foreign", which obviously
has a huge potential of breaking mail flow, especially in environments
where there are multiple e-mail paths and policy banks configured.


I hit the same problem when I upgraded to 2.11.0 a few days ago and asked
a similar question in a reply to an existing thread:
https://lists.amavis.org/pipermail/amavis-users/2018-February/005284.html

The same issue was described earlier in the following thread:
https://lists.amavis.org/pipermail/amavis-users/2017-November/005116.html

The original mention of this problem was made by Giovanni, who kindly
provided a one-line fix to the problem:
https://lists.amavis.org/pipermail/amavis-users/2016-July/004428.html


Fedora has already fixed the issue internally and Debian has an open bug
for the same:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=882324
https://bugzilla.redhat.com/show_bug.cgi?id=1364730


As there was no reaction from the developer since 2.11.0 was released
(almost 2 years ago at the time of writing this email), I am sending the
fix for everyone searching for solutions to the problem.

I have tested the attached patch and it fixes the issue. It resolves the
problems where email passing through Amavis is misclassified as the
originating flag is not respected. Obviously the side effect of this is
that outgoing email is not DKIM signed if Amavis is configured to do so.

This is the effect I have noticed on my system after upgrading:

Problematic log entries with 2.11.0:

amavis[24157]: (24157-01) Passed CLEAN {AcceptedInternal}, AM.PDP-SOCK
LOCAL [66.220.155.153] [66.220.155.153] /AM.PDP <external_address> ->
<local_address>

amavis[23558]: (23558-01) Passed CLEAN {RelayedOpenRelay}, ORIGINATING
[127.0.0.1]:43008 ESMTP/ESMTP <local_address> -> <external_address>

amavis[23371]: (23371-01) Passed CLEAN {RelayedInbound}, ORIGINATING
[86.47.99.235]:57284 [86.47.99.235] ESMTP/ESMTP <local_address> ->
<local_address>

The thing I do not understand is that the only policy bank marked as
originating->0 is AM.PDP-SOCK, which in 2.11.0 is the only one that is
marked LOCAL in the logs. The remaining banks mentioned in the logs
above are marked originating -> 1, and are all treated as non-local.


With 2.10 (same config):

amavis[25242]: (25242-01) Passed CLEAN {AcceptedInbound}, AM.PDP-SOCK
[2607:f8b0:4001:c0b::234] [2607:f8b0:4001:c0b::234] /AM.PDP
<external_address> -> <local_address>,

amavis[23104]: (23104-03) Passed CLEAN {RelayedOutbound}, ORIGINATING
LOCAL [78.11.15.22]:58925 [78.11.15.22] ESMTP/ESMTP <local_address> ->
<external_address>

amavis[25250]: (25250-01) Passed CLEAN {RelayedInternal}, ORIGINATING
LOCAL [127.0.0.1]:43838 ESMTP/ESMTP <local_address> -> <local_address>


After I applied the attached patch the issue was resolved. There is
literally one line that needs to be added:
"$msginfo->originating(c('originating'));".


It would be much appreciated if the following patch could be applied to
Amavis directly without relying on various distribution maintainers to
fix the problem.


--- amavisd.orig	Tue Apr 26 21:24:33 2016
+++ amavisd	Fri Jul  1 01:03:15 2016
@@ -34338,6 +34329,7 @@ sub collect_some_dkim_info($) {
     $sig_ind++;
   }
   Amavis::load_policy_bank($_,$msginfo) for @bank_names;
+  $msginfo->originating(c('originating'));
   $msginfo->dkim_signatures_valid(\@signatures_valid)  if
@signatures_valid;
 # if (ll(5) && $sig_ind > 0) {
 #   # show which header fields are covered by which signature
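
Review bot: the added `$msginfo->originating(c('originating'));` line, placed directly after the `Amavis::load_policy_bank($_,$msginfo) for @bank_names;` loop in collect_some_dkim_info, carries no comment saying why the flag has to be re-read at this point; a one-line comment (for example "re-read originating after the policy banks are loaded") would keep it from being dropped in a later cleanup. The call also runs when @bank_names is empty, which is worth confirming as intended. Separately, the context line `$msginfo->dkim_signatures_valid(\@signatures_valid)  if` has been wrapped onto two lines by the mailer, so the inline copy of this hunk will not apply as pasted.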


Thanks,
Karol


-- 
Karol Augustin
karol at augustin.pl
http://karolaugustin.pl/
+353 85 775 5312
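
A log check built from the samples quoted in this message, as an added example that is not part of the original email or of Amavis: it flags lines where the ORIGINATING policy bank appears without the LOCAL marker, or where the category is RelayedOpenRelay. The function names and the handling of bank-name separators are assumptions; the sample lines are the ones quoted above, unwrapped.

```python
import re

# Layout taken from the log samples quoted in the message:
#   (id) Passed CLEAN {Category}, BANKS [LOCAL] [client-ip]...
LINE_RE = re.compile(
    r"\((?P<id>[\w-]+)\)\s+(?:Passed|Blocked)\s+\S+\s+"
    r"\{(?P<category>[^}]*)\},\s+(?P<banks>[^\[]*)\["
)

def check_line(line):
    """Return (id, category, reasons) for a suspicious line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # Assumption: bank names and the LOCAL marker are separated by
    # whitespace, commas or slashes.
    tokens = [t for t in re.split(r"[\s,/]+", m.group("banks")) if t]
    reasons = []
    if "ORIGINATING" in tokens and "LOCAL" not in tokens:
        reasons.append("ORIGINATING bank without LOCAL marker")
    if "RelayedOpenRelay" in m.group("category").split(","):
        reasons.append("classified as RelayedOpenRelay")
    return (m.group("id"), m.group("category"), reasons) if reasons else None

def scan(lines):
    """Check every line and keep only the flagged ones."""
    return [hit for hit in map(check_line, lines) if hit]

# Sample input: the log lines quoted in the message, unwrapped
# (first three from 2.11.0, last two from 2.10).
SAMPLE = [
    "amavis[24157]: (24157-01) Passed CLEAN {AcceptedInternal}, AM.PDP-SOCK LOCAL [66.220.155.153] [66.220.155.153] /AM.PDP <external_address> -> <local_address>",
    "amavis[23558]: (23558-01) Passed CLEAN {RelayedOpenRelay}, ORIGINATING [127.0.0.1]:43008 ESMTP/ESMTP <local_address> -> <external_address>",
    "amavis[23371]: (23371-01) Passed CLEAN {RelayedInbound}, ORIGINATING [86.47.99.235]:57284 [86.47.99.235] ESMTP/ESMTP <local_address> -> <local_address>",
    "amavis[23104]: (23104-03) Passed CLEAN {RelayedOutbound}, ORIGINATING LOCAL [78.11.15.22]:58925 [78.11.15.22] ESMTP/ESMTP <local_address> -> <external_address>",
    "amavis[25250]: (25250-01) Passed CLEAN {RelayedInternal}, ORIGINATING LOCAL [127.0.0.1]:43838 ESMTP/ESMTP <local_address> -> <local_address>",
]

if __name__ == "__main__":
    for msg_id, category, reasons in scan(SAMPLE):
        print(msg_id, category, "; ".join(reasons))
```

Feeding it the real mail log (one line per entry) after an upgrade shows quickly whether outgoing mail is still being treated as originating.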

