originating flag not working - critical bug - RelayedOpenRelay / DKIM signing not working

Alexander Hoogerhuis alexh at boxed.no
Sun May 27 08:01:46 CEST 2018

On 12/02/2018 10:42, Giovanni wrote:
> Karol Augustin <karol at augustin.pl> wrote:
>> Hi,
>> I am explicitly copying original authors of threads I am referring to in
>> this email, as I don't know if they are still monitoring the list for
>> solution to the problem.
>> I would like to thank Giovanni for supplying the patch, which has now
>> spread across internet.
>> There is evidence of a critical bug in quite a few threads on this list
>> that manifests itself in various ways. Some users have problems with
>> DKIM signatures of outgoing mail, others with mail marked as
>> RelayedOpenRelay in the logs.
>> The issue is caused by Amavis not honoring originating flag, which
>> causes all sender addresses to be treated as "foreign", which obviously
>> has a huge potential of breaking mail flow especially in environments
>> where there are multiple e-mail paths and policy banks configured.
>> I hit the same problem when I upgraded to 2.11.0 a few days ago and asked
>> similar question in a reply to existing thread.
>> https://lists.amavis.org/pipermail/amavis-users/2018-February/005284.html
>> The same issue was described earlier in the following thread:
>> https://lists.amavis.org/pipermail/amavis-users/2017-November/005116.html
>> Original mention of this problem was made by Giovanni, who kindly
>> provided a one line fix to the problem:
>> https://lists.amavis.org/pipermail/amavis-users/2016-July/004428.html
> For the record, the patch I submitted 2 years ago fixes the bug with Postfix;
> there are some corner cases (spotted by an OpenSMTPD instance, maybe by some other MTA as well) that need an additional one-line fix.
> Full patch follows.
>   Giovanni
> --- amavisd.orig	Tue Apr 26 21:24:33 2016
> +++ amavisd	Fri Aug  5 12:32:39 2016
> @@ -22806,6 +22806,7 @@ sub process_smtp_request($$$$) {
>           }
>           # load policy banks from the 'client_ipaddr_policy' lookup
>           Amavis::load_policy_bank($_,$msginfo) for @bank_names_cl;
> +        $msginfo->originating(c('originating'));
>           $msginfo->client_addr($cl_ip);      # ADDR
>           $msginfo->client_port($cl_port);    # PORT
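Review bot: the added $msginfo->originating(c('originating')); line in process_smtp_request carries no comment, so nothing tells a later reader why the flag has to be copied into $msginfo right after the load_policy_bank loop. Add a one-line comment saying that the value is re-read because the banks just loaded may have changed 'originating'. The identical statement is added again in collect_some_dkim_info, so it is worth considering whether the copy belongs in one shared place next to the bank loading instead of being repeated at each call site.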
> @@ -34338,6 +34330,7 @@ sub collect_some_dkim_info($) {
>       $sig_ind++;
>     }
>     Amavis::load_policy_bank($_,$msginfo) for @bank_names;
> +  $msginfo->originating(c('originating'));
>     $msginfo->dkim_signatures_valid(\@signatures_valid)  if @signatures_valid;
>   # if (ll(5) && $sig_ind > 0) {
>   #   # show which header fields are covered by which signature
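Review bot: the header @@ -34338,6 +34330,7 @@ puts the new-file start eight lines before the old-file start, although the first hunk added one line and would shift this position forward, so the two hunks do not appear to come from one diff of the same pair of files. Regenerate the patch against a single tree so it applies without relying on offsets. As in the first hunk, the added originating line after the load_policy_bank loop in collect_some_dkim_info should get a short comment explaining why the flag is re-read there.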

I just wanted to add feedback to this one. I've had this issue for some 
time, but haven't had time to track it down until now. I started 
digging and ended with the same conclusions as the two above contributors.

I have had debug turned on, and I am positive that the following holds:
- my client IP is in @mynetworks.
- the recipient is not local.
- the sending domain is in @local_domains_maps.
- Postfix uses xforward and amavis sees the proper client IP.
- the log from amavisd shows the policy bank has originating set.

And yet my log from amavis says RelayedOpenRelay.

My setup is simple; all the possible clients are on private IPs, the 
world is on public

Adding the posted one line patch to 2.11.0 seems to make it all work 
well for me, my logs now show RelayedOutbound for email going out via 
the correct policy bank.

Alexander Hoogerhuis | http://no.linkedin.com/in/alexh
Boxed Solutions AS   | +47 908 21 485 - alexh at boxed.no
"Given enough eyeballs, all bugs are shallow." -Eric S. Raymond
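
The conditions listed in the message above can be checked against existing amavisd logs to see whether a host shows the same symptom. The following Python script is an added example, not part of the original thread or of Amavis; the network ranges, the local domain, the function name and the constructed log lines (including their layout) are assumptions to adapt to your own setup.

```python
import ipaddress
import re

# Assumed values for illustration; mirror your own @mynetworks and local domains.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
LOCAL_DOMAINS = {"example.com"}

# Constructed sample lines in an assumed amavisd "Passed ... {Category}" layout.
SAMPLE_LOG = """\
May 27 07:40:01 mx amavis[2101]: (02101-01) Passed CLEAN {RelayedOpenRelay}, [192.168.1.20]:51234 [192.168.1.20] <alice@example.com> -> <bob@remote.example.net>, Queue-ID: 4A1B2C3D, size: 1820
May 27 07:41:12 mx amavis[2101]: (02101-02) Passed CLEAN {RelayedInbound}, [203.0.113.9]:40022 [203.0.113.9] <carol@remote.example.net> -> <alice@example.com>, Queue-ID: 5B2C3D4E, size: 2210
May 27 07:42:30 mx amavis[2102]: (02102-01) Passed CLEAN {RelayedOpenRelay}, [203.0.113.50]:33100 [203.0.113.50] <mallory@other.example.org> -> <dave@remote.example.net>, Queue-ID: 6C3D4E5F, size: 990
May 27 07:43:05 mx amavis[2102]: (02102-02) Passed CLEAN {RelayedOutbound}, [10.1.2.3]:45000 [10.1.2.3] <erin@example.com> -> <frank@remote.example.net>, Queue-ID: 7D4E5F6A, size: 1500
"""

# Category, first bracketed client IP, envelope sender, recipient list.
LINE_RE = re.compile(
    r"\{(?P<cat>\w+)\},[^\[]*\[(?P<ip>[^\]]+)\]\S*.*?"
    r"<(?P<sender>[^>]*)>\s+->\s+(?P<rcpts>(?:<[^>]*>,?)+)"
)

def misclassified(log_text):
    """Return (client_ip, sender) for RelayedOpenRelay lines that meet the
    thread's conditions: client in mynetworks, local sender domain, and
    no local recipient. Such mail should have been RelayedOutbound."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["cat"] != "RelayedOpenRelay":
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # not a plain IP literal; skip rather than guess
        sender_domain = m["sender"].rpartition("@")[2].lower()
        rcpt_domains = {r.rpartition("@")[2].lower()
                        for r in re.findall(r"<([^>]*)>", m["rcpts"])}
        if (any(ip in net for net in MYNETWORKS)
                and sender_domain in LOCAL_DOMAINS
                and not rcpt_domains & LOCAL_DOMAINS):
            hits.append((m["ip"], m["sender"]))
    return hits

if __name__ == "__main__":
    for ip, sender in misclassified(SAMPLE_LOG):
        print(f"internal client {ip} ({sender}) logged as RelayedOpenRelay")
```

A RelayedOpenRelay entry from an address outside the configured networks, like the third sample line, is left alone because there the classification matches the traffic.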
