originating flag not working - critical bug - RelayedOpenRelay / DKIM signing not working

Mon Feb 12 11:06:59 CET 2018

Wouldn't this be avoided by simply using opendkim for DKIM signing instead of relying on amavis for that? Or are there other use scenarios for the originating flag where this would come into play?



-----Original Message-----
From: amavis-users [mailto:amavis-users-bounces+dino.edwards=mydirectmail.net at amavis.org] On Behalf Of Giovanni
Sent: Monday, February 12, 2018 4:43 AM
To: amavis-users at amavis.org
Subject: Re: originating flag not working - critical bug - RelayedOpenRelay / DKIM signing not working

Karol Augustin <karol at augustin.pl> wrote:
> Hi,
> 
> I am explicitly copying original authors of threads I am referring to 
> in this email, as I don't know if they are still monitoring the list 
> for solution to the problem.
> I would like to thank Giovanni for supplying the patch, which has now 
> spread across internet.
> 
> There is evidence of a critical bug in quite a few threads on this 
> list that manifests itself in various ways. Some users have problems 
> with DKIM signatures of outgoing mail, others with mail marked as 
> RelayedOpenRelay in the logs.
> 
> The issue is caused by Amavis not honoring originating flag, which 
> causes all sender addresses to be treated as "foreign", which 
> obviously has a huge potential of breaking mail flow especially in 
> environments where there are multiple e-mail paths and policy banks configured.
> 
> 
> I hit the same problem when I upgraded to 2.11.0 few days ago and 
> asked similar question in a reply to existing thread.
> https://lists.amavis.org/pipermail/amavis-users/2018-February/005284.h
> tml
> 
> The same issue was described earlier in following thread:
> https://lists.amavis.org/pipermail/amavis-users/2017-November/005116.h
> tml
> 
> Original mention of this problem was made by Giovanni, who kindly 
> provided a one line fix to the problem:
> https://lists.amavis.org/pipermail/amavis-users/2016-July/004428.html
> 
for the records, the patch I sumbitted 2 years ago fixes the bug with postfix; there are some corner cases (spotted by an Opensmtpd instance, maybe by some other mta as well) that needs an additianal one line fix.
Full patch follows.
 Giovanni

--- amavisd.orig	Tue Apr 26 21:24:33 2016
+++ amavisd	Fri Aug  5 12:32:39 2016
@@ -22806,6 +22806,7 @@ sub process_smtp_request($$$$) {
         }
         # load policy banks from the 'client_ipaddr_policy' lookup
         Amavis::load_policy_bank($_,$msginfo) for @bank_names_cl;
+        $msginfo->originating(c('originating'));
 
         $msginfo->client_addr($cl_ip);      # ADDR
         $msginfo->client_port($cl_port);    # PORT
@@ -34338,6 +34330,7 @@ sub collect_some_dkim_info($) {
     $sig_ind++;
   }
   Amavis::load_policy_bank($_,$msginfo) for @bank_names;
+  $msginfo->originating(c('originating'));
   $msginfo->dkim_signatures_valid(\@signatures_valid)  if @signatures_valid;  # if (ll(5) && $sig_ind > 0) {
 #   # show which header fields are covered by which signature

