Re: Bug in policy checking - is it fixed?
On 05-Apr-99 at 15:20, mea@nic.funet.fi (mea@nic.funet.fi) wrote:
> > I am still running 2.99.50-s11 on my production relay, and I wonder if
> > the problem that I discovered is fixed since then. Fighting with ORBS,
> > I noticed that when they sent
> >
> > MAIL FROM:<sender@[my.ip.add.ress]>
> >
> > my Zmailer allowed relaying. Apparently, policy checker, having
> > detected the domain in the dotted quad format, treats it as IP address,
> > and quite naturally concludes that this is a trusted sender. Which
> > is obviously wrong, because the sender may put anything there. The
> > checker should not try to interpret domain names as dotted quad addrs.
>
> I think this is a configuration issue; the system does not contain
> proper support for those address literals in the policy searches anyway,
> and when I try this at nic.funet.fi, I get:
>
> MAIL FROM:<mea@[128.214.248.6]>
> 553-5.4.3 Policy analysis reports DNS error with your
> 553-5.4.3 source domain. Please correct your source
> 553 5.4.3 address and/or the info at the DNS.

Matti,

I think this is rather a coding issue. In your case, the fact that
you make DNS verification saves you. If you have an entry of the form

    [your.ip.address.0]/24 fulltrustnet +

DNS lookup is not performed and the "mail from" address of the form
<somebody@[your.ip.address.anything]> apparently triggers fulltrustnet
status while it obviously should not.

220 chronos ZMailer Server 2.99.50-s14 #27 ESMTP+IDENT (nulltrans) ready at
Mon, 5 Apr 1999 16:17:05 +0400
helo ddt.demos.su
250 chronos Hello ddt.demos.su
mail from:<crosser@online.ru>
250 2.1.0 Sender syntax Ok
rcpt to:<a@aol.com>
553 5.7.1 Policy rejection on the target address
rset
250 2.0.0 Ok
mail from:<crosser@[194.67.3.135]>
250 2.1.0 Sender syntax Ok
rcpt to:<a@aol.com>
250 2.1.5 Recipient address syntax Ok
quit
221 2.0.0 chronos Out

This is in my policy:

    online.ru = _full_rights
    [194.67.0.0]/18 = _full_rights
    _full_rights rejectnet - fulltrustnet + relaytarget +

Note that although _full_rights is assigned to both "online.ru" and
the IP address, mail from @online.ru does not trigger relaying.

> > My question is, was this problem addressed recently? If not, I will
> > try to make necessary fixes these days.

I checked with today's CVS and the behavior is still incorrect. I will
investigate further, and if you like you can try it on chronos.sovam.com
(but don't abuse please!) Full policy.dat available upon request.

Eugene
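
A simplified model of the check discussed in this thread, added here as an example (it is not ZMailer code and not part of the original message): the flawed function treats an address literal in MAIL FROM as if it were the connecting address, the fixed one derives network trust only from the TCP peer. The function names, the dictionary layout and the peer address 192.0.2.10 are assumptions made for the example; the /18 network and the sender addresses are the ones quoted above.

```python
import ipaddress

# Constructed policy, modelled on the entries quoted in the message above.
# Attribute names are reused as plain labels; this is not ZMailer's policy engine.
NET_POLICY = {ipaddress.ip_network("194.67.0.0/18"): {"fulltrustnet", "relaytarget"}}

def net_attrs(ip_text):
    """Attributes of the first policy network containing ip_text (ValueError if not an IP)."""
    ip = ipaddress.ip_address(ip_text)
    for net, attrs in NET_POLICY.items():
        if ip in net:
            return attrs
    return set()

def sender_domain(mail_from):
    """Domain part of a MAIL FROM path such as <user@[1.2.3.4]>."""
    return mail_from.strip().strip("<>").rpartition("@")[2].lower()

def relay_allowed_flawed(peer_ip, mail_from):
    """Reported behaviour: a [dotted.quad] sender domain is matched against network entries."""
    dom = sender_domain(mail_from)
    if dom.startswith("[") and dom.endswith("]"):
        try:
            if "fulltrustnet" in net_attrs(dom[1:-1]):
                return True  # trust derived from text the client typed
        except ValueError:
            pass  # not a valid IP literal, fall through to the peer check
    return "fulltrustnet" in net_attrs(peer_ip)

def relay_allowed_fixed(peer_ip, mail_from):
    """Network trust comes only from the TCP peer address; MAIL FROM never grants it."""
    return "fulltrustnet" in net_attrs(peer_ip)

def demo():
    outside = "192.0.2.10"  # constructed peer address outside the trusted /18
    cases = [(outside, "<crosser@online.ru>"),
             (outside, "<crosser@[194.67.3.135]>"),
             ("194.67.3.135", "<crosser@online.ru>")]
    return [(p, m, relay_allowed_flawed(p, m), relay_allowed_fixed(p, m)) for p, m in cases]

if __name__ == "__main__":
    for peer, sender, flawed, fixed in demo():
        print(f"peer={peer:<13} {sender:<26} flawed={flawed!s:<5} fixed={fixed}")
```

A regression test for a relay can be built the same way: the decision for an untrusted peer must be identical whatever domain or address literal appears in MAIL FROM.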