originating flag not working - critical bug - RelayedOpenRelay / DKIM signing not working

Giovanni giovanni at paclan.it
Mon Feb 12 10:42:44 CET 2018


Karol Augustin <karol at augustin.pl> wrote:
> Hi,
> 
> I am explicitly copying original authors of threads I am referring to in
> this email, as I don't know if they are still monitoring the list for
> a solution to the problem.
> I would like to thank Giovanni for supplying the patch, which has now
> spread across the internet.
> 
> There is evidence of a critical bug in quite a few threads on this list
> that manifests itself in various ways. Some users have problems with
> DKIM signatures of outgoing mail, others with mail marked as
> RelayedOpenRelay in the logs.
> 
> The issue is caused by Amavis not honoring the originating flag, which
> causes all sender addresses to be treated as "foreign", which obviously
> has a huge potential of breaking mail flow especially in environments
> where there are multiple e-mail paths and policy banks configured.
> 
> 
> I hit the same problem when I upgraded to 2.11.0 a few days ago and asked
> a similar question in a reply to an existing thread.
> https://lists.amavis.org/pipermail/amavis-users/2018-February/005284.html
> 
> The same issue was described earlier in the following thread:
> https://lists.amavis.org/pipermail/amavis-users/2017-November/005116.html
> 
> The original mention of this problem was made by Giovanni, who kindly
> provided a one-line fix to the problem:
> https://lists.amavis.org/pipermail/amavis-users/2016-July/004428.html
> 
For the record, the patch I submitted 2 years ago fixes the bug with Postfix;
there are some corner cases (spotted by an OpenSMTPD instance, maybe by some other MTA as well) that need an additional one-line fix.
The full patch follows.
 Giovanni

--- amavisd.orig	Tue Apr 26 21:24:33 2016
+++ amavisd	Fri Aug  5 12:32:39 2016
@@ -22806,6 +22806,7 @@ sub process_smtp_request($$$$) {
         }
         # load policy banks from the 'client_ipaddr_policy' lookup
         Amavis::load_policy_bank($_,$msginfo) for @bank_names_cl;
+        $msginfo->originating(c('originating'));
 
         $msginfo->client_addr($cl_ip);      # ADDR
         $msginfo->client_port($cl_port);    # PORT
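
Review bot: the added `$msginfo->originating(c('originating'));` in process_smtp_request has no comment, and nothing in the hunk says why the per-message flag has to be set again right after the 'client_ipaddr_policy' banks are loaded. A one-line comment above it, stating that the flag is copied from the configuration in effect once the banks in @bank_names_cl have been loaded, would keep a later cleanup from dropping the line as redundant. The call also runs when @bank_names_cl is empty; if that is intended, the comment should say so.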
@@ -34338,6 +34330,7 @@ sub collect_some_dkim_info($) {
     $sig_ind++;
   }
   Amavis::load_policy_bank($_,$msginfo) for @bank_names;
+  $msginfo->originating(c('originating'));
   $msginfo->dkim_signatures_valid(\@signatures_valid)  if @signatures_valid;
 # if (ll(5) && $sig_ind > 0) {
 #   # show which header fields are covered by which signature
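
Review bot: the header `@@ -34338,6 +34330,7 @@` moves the new-file position back by 8 lines, although the only earlier hunk adds one line, so this diff was not taken between two files that differ only by these two additions. Regenerating it against the unmodified amavisd of the release being patched would let it apply without offsets and make clear which version it targets; the file timestamps in the diff header are from 2016. The added line in collect_some_dkim_info is also a verbatim copy of the one in process_smtp_request, both placed directly after a `load_policy_bank($_,$msginfo)` loop. Since load_policy_bank already receives $msginfo, consider doing the refresh there so that other call sites are covered as well.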


