This patch fixes a denial of service condition in the Postfix smtpd, qmgr, and other programs that use the trivial-rewrite service. The problem is triggered when an invalid address resolves to an impossible result. This causes the affected programs to reject the result and to retry the trivial-rewrite request indefinitely.

The problem was found by Michal Zalewski in Postfix version 1.11 and can be triggered remotely via addresses in SMTP commands or in Errors-To: message headers.

Vulnerable Postfix versions are fixed by applying a one-line patch or by applying a configuration workaround.

With vulnerable Postfix versions, the invalid addresses in SMTP commands take effect before Postfix built-in access control features can block them. The specific address syntax depends on the Postfix version and on Postfix configuration details.

To find out your Postfix version, use the command "postconf mail_version". Versions prior to 1.1 show a date instead of a version number (e.g., Postfix-20010228-pl08). Versions 1.1 and later may show a date in addition to the version number (e.g., 2.0.14-20030717).

Postfix versions 2.0 and later:

Not vulnerable, because the trivial-rewrite code was completely restructured. The current Postfix version is 2.0.13. A non-vulnerable Postfix version can protect vulnerable Postfix systems as described in the workarounds section below.

Postfix versions 1.1.9 .. 1.1.12:

These are vulnerable, and are fixed by upgrading to version 1.1.13 which will be made available via http://www.postfix.org/ and via individual vendors, or by applying the patch below. The workarounds section below has instructions for sites that cannot upgrade Postfix immediately.

Postfix versions prior to 1.1.9:

These become vulnerable only when the append_dot_mydomain feature is set to "no" (you can verify this with the command "postconf append_dot_mydomain"). Use the command "postconf -e append_dot_mydomain=yes" to update the setting if necessary.

Sites that must use "append_dot_mydomain=no" should either upgrade to a fixed Postfix version, or should apply the one-line patch at the end of this text. This patch has been tested with Postfix versions back to 19991231.

Workarounds for Postfix versions 1.1.9 - 1.1.12:

- Verify that the append_dot_mydomain feature is set to "yes" by using the command "postconf append_dot_mydomain". Use the command "postconf -e append_dot_mydomain=yes" to update the setting if necessary.

  Sites that must use "append_dot_mydomain=no" should either upgrade to a fixed Postfix version, or should apply the one-line patch at the end of this text.

- Specify "resolve_dequoted_address=no" in main.cf.

  An additional workaround is needed for hosts that must forward mail from the Internet to, for example, primary MX hosts or to internal hosts. This is because with resolve_dequoted_address=no, Postfix no longer recognizes user@bad.domain@good.domain as a mail relaying attempt. To close this loophole, use a regular expression to block sender-specified routing in SMTP recipient addresses:

    /etc/postfix/main.cf:
        smtpd_recipient_restrictions =
            permit_mynetworks,
            check_recipient_access regexp:/etc/postfix/recipient_regexp
            ...other restrictions...
            check_relay_domains

    /etc/postfix/recipient_regexp:
        /[%!@].*[%!@]/ 550 Sender-specified routing rejected

Workarounds to protect vulnerable down-stream Postfix systems:

- Reject Errors-To: message headers with multiple routing operators:

    /etc/postfix/main.cf:
        header_checks = regexp:/etc/postfix/header_checks

    /etc/postfix/header_checks:
        /^errors-to:.*[%!@].*[%!@]/ reject

- Reject SMTP sender addresses with multiple routing operators:

    /etc/postfix/main.cf:
        smtpd_sender_restrictions =
            check_sender_access regexp:/etc/postfix/sender_regexp
            ...other restrictions...
    /etc/postfix/sender_regexp:
        /[%!@].*[%!@]/ 550 Sender-specified routing rejected

Prereq: "1.1.12" diff -cr /tmp/postfix-1.1.12/src/global/mail_version.h ./src/global/mail_version.h *** /tmp/postfix-1.1.12/src/global/mail_version.h Fri Nov 22 17:15:49 2002 --- ./src/global/mail_version.h Mon Jul 28 11:41:26 2003 *************** *** 21,34 **** * release date only, unless they include the same bugfix as a patch release. */ #define VAR_MAIL_VERSION "mail_version" ! #define DEF_MAIL_VERSION "1.1.12" extern char *var_mail_version; /* * Release date. */ #define VAR_MAIL_RELEASE "mail_release_date" ! #define DEF_MAIL_RELEASE "20021122" extern char *var_mail_release; /* LICENSE --- 21,34 ---- * release date only, unless they include the same bugfix as a patch release. */ #define VAR_MAIL_VERSION "mail_version" ! #define DEF_MAIL_VERSION "1.1.13" extern char *var_mail_version; /* * Release date. */ #define VAR_MAIL_RELEASE "mail_release_date" ! #define DEF_MAIL_RELEASE "20030728" extern char *var_mail_release; /* LICENSE diff -cr /tmp/postfix-1.1.12/HISTORY ./HISTORY *** /tmp/postfix-1.1.12/HISTORY Fri Nov 22 12:48:33 2002 --- ./HISTORY Mon Jul 28 15:26:37 2003 *************** *** 6340,6345 **** --- 6340,6353 ---- send data into unauthorized ports. Files: *qmgr/qmgr_message.c, trivial-rewrite/resolve.c. + 20030728 + + Bugfix: an invalid address resolved to an invalid result, + and caused the address resolver client to keep trying + forever, resulting in a local or remote DOS condition of + smtpd, qmgr, and other programs. Reported by Michal + Zalewski. File: trivial-rewrite/resolve.c. + Open problems: Low: sendmail does not store null command-line recipients. 
diff -cr /tmp/postfix-1.1.12/src/trivial-rewrite/resolve.c ./src/trivial-rewrite/resolve.c *** /tmp/postfix-1.1.12/src/trivial-rewrite/resolve.c Fri Nov 22 12:32:33 2002 --- ./src/trivial-rewrite/resolve.c Mon Jul 28 11:36:49 2003 *************** *** 148,153 **** --- 148,154 ---- if (saved_domain) tok822_free_tree(saved_domain); saved_domain = domain; + domain = 0; } /*
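
Review bot: The mail_version.h hunk matches on the literal "1.1.12" and "20021122" lines, and the patch carries Prereq: "1.1.12", so it will be rejected on any other source tree even though the text says the fix was tested with versions back to 19991231. Suggest stating that sites on other releases apply only the trivial-rewrite/resolve.c hunk, and that "postconf mail_version" on such a system will keep showing the old version string although the fix is present.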
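
Review bot: The added "domain = 0;" after "saved_domain = domain;" in resolve.c carries no comment, and nothing in the hunk says why the pointer has to be cleared once the tree has been handed to saved_domain. Suggest a one-line comment at that statement saying that saved_domain now holds the tree and that domain must not be used again afterwards. Separately, the HISTORY entry describes the resolver client as retrying forever on an invalid result, and this patch changes only the trivial-rewrite side; bounding the client's retries, or failing the request on an invalid result, would keep a later resolver bug from turning into the same denial of service.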
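
The version rules from the advisory text above, written as a check that takes the output of "postconf mail_version" and "postconf append_dot_mydomain". This is an added example, not part of the original advisory or of Postfix; the function name trw_status and its result labels are made up here, and treating 1.1.x releases after 1.1.13 as fixed is an assumption.

```shell
#!/bin/sh
# Added example: classify a Postfix install against this advisory's rules.
# Usage: trw_status "$(postconf mail_version)" "$(postconf append_dot_mydomain)"
# Prints one of: not-vulnerable | fixed | vulnerable |
#                safe-while-append_dot_mydomain=yes | unknown
trw_status() {
    v=${1#*= }            # accept "mail_version = 1.1.12" or a bare value
    adm=${2#*= }
    v=${v#Postfix-}       # "Postfix-20010228-pl08" -> "20010228-pl08"
    v=${v%%-*}            # drop "-pl08" / "-20030717" suffixes
    case $v in
        ''|*[!0-9.]*) echo unknown; return 0 ;;
        *.*) ;;           # dotted version number (1.1 and later)
        *) v=0.0.0 ;;     # bare date: a release prior to 1.1
    esac
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
        *) patch=0 ;;
    esac
    [ -n "$major" ] && [ -n "$minor" ] && [ -n "$patch" ] ||
        { echo unknown; return 0; }

    if [ "$major" -ge 2 ]; then
        echo not-vulnerable            # 2.0 and later: code restructured
    elif [ "$major.$minor" = 1.1 ] && [ "$patch" -ge 13 ]; then
        echo fixed                     # 1.1.13 (later 1.1.x: assumption)
    elif [ "$major.$minor" = 1.1 ] && [ "$patch" -ge 9 ]; then
        echo vulnerable                # 1.1.9 .. 1.1.12: patch or workarounds
    elif [ "$major.$minor" = 1.1 ] || [ "$major" -eq 0 ]; then
        # Prior to 1.1.9: exposed only with append_dot_mydomain=no.
        [ "$adm" = no ] && echo vulnerable ||
            echo safe-while-append_dot_mydomain=yes
    else
        echo unknown                   # not a version this advisory covers
    fi
}
```

A result of "vulnerable" for 1.1.9 .. 1.1.12 does not depend on append_dot_mydomain, because the advisory's workaround for those versions also requires resolve_dequoted_address=no.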