originating flag not working - critical bug - RelayedOpenRelay / DKIM signing not working
Giovanni
giovanni at paclan.it
Mon Feb 12 10:42:44 CET 2018
Karol Augustin <karol at augustin.pl> wrote:
> Hi,
>
> I am explicitly copying original authors of threads I am referring to in
> this email, as I don't know if they are still monitoring the list for
> solution to the problem.
> I would like to thank Giovanni for supplying the patch, which has now
> spread across internet.
>
> There is evidence of a critical bug in quite a few threads on this list
> that manifests itself in various ways. Some users have problems with
> DKIM signatures of outgoing mail, others with mail marked as
> RelayedOpenRelay in the logs.
>
> The issue is caused by Amavis not honoring originating flag, which
> causes all sender addresses to be treated as "foreign", which obviously
> has a huge potential of breaking mail flow especially in environments
> where there are multiple e-mail paths and policy banks configured.
>
>
> I hit the same problem when I upgraded to 2.11.0 few days ago and asked
> similar question in a reply to existing thread.
> https://lists.amavis.org/pipermail/amavis-users/2018-February/005284.html
>
> The same issue was described earlier in following thread:
> https://lists.amavis.org/pipermail/amavis-users/2017-November/005116.html
>
> Original mention of this problem was made by Giovanni, who kindly
> provided a one line fix to the problem:
> https://lists.amavis.org/pipermail/amavis-users/2016-July/004428.html
>
for the records, the patch I sumbitted 2 years ago fixes the bug with postfix;
there are some corner cases (spotted by an Opensmtpd instance, maybe by some other mta as well) that needs an additianal one line fix.
Full patch follows.
Giovanni
--- amavisd.orig Tue Apr 26 21:24:33 2016
+++ amavisd Fri Aug 5 12:32:39 2016
@@ -22806,6 +22806,7 @@ sub process_smtp_request($$$$) {
}
# load policy banks from the 'client_ipaddr_policy' lookup
Amavis::load_policy_bank($_,$msginfo) for @bank_names_cl;
+ $msginfo->originating(c('originating'));
$msginfo->client_addr($cl_ip); # ADDR
$msginfo->client_port($cl_port); # PORT
@@ -34338,6 +34330,7 @@ sub collect_some_dkim_info($) {
$sig_ind++;
}
Amavis::load_policy_bank($_,$msginfo) for @bank_names;
+ $msginfo->originating(c('originating'));
$msginfo->dkim_signatures_valid(\@signatures_valid) if @signatures_valid;
# if (ll(5) && $sig_ind > 0) {
# # show which header fields are covered by which signature
More information about the amavis-users
mailing list