
Re: Bug in policy checking - is it fixed?



On 05-Apr-99 at 15:20, mea@nic.funet.fi (mea@nic.funet.fi) wrote:

> > I am still running 2.99.50-s11 on my production relay, and I wonder if
> > the problem that I discovered is fixed since then.  Fighting with ORBS,
> > I noticed that when they sent
> > 
> > MAIL FROM:<sender@[my.ip.add.ress]>
> > 
> > my Zmailer allowed relaying.  Apparently, policy checker, having
> > detected the domain in the dotted quad format, treats it as IP address,
> > and quite naturally concludes that this is a trusted sender.  Which
> > is obviously wrong, because the sender may put anything there.  The
> > checker should not try to interpret domain names as dotted quad addrs.
> 
>    I think this is a configuration issue; the system does not contain
> proper support for those address literals in the policy searches anyway,
> and when I try this at  nic.funet.fi, I get:
> 
>      MAIL FROM:<mea@[128.214.248.6]>
>      553-5.4.3 Policy analysis reports DNS error with your
>      553-5.4.3 source domain.   Please correct your source
>      553 5.4.3 address and/or the info at the DNS.

Matti,

I think this is rather a coding issue.  In your case, the fact that
you make DNS verification saves you.  If you have the entry of the form

[your.ip.address.0]/24 fulltrustnet +

DNS lookup is not performed and the "mail from" address of the form
<somebody@[your.ip.address.anything]> apparently triggers fulltrustnet
status while it obviously should not.

220 chronos ZMailer Server 2.99.50-s14 #27 ESMTP+IDENT (nulltrans) ready at
Mon, 5 Apr 1999 16:17:05 +0400
helo ddt.demos.su
250 chronos Hello ddt.demos.su
mail from:<crosser@online.ru>
250 2.1.0 Sender syntax Ok
rcpt to:<a@aol.com>
553 5.7.1 Policy rejection on the target address
rset 
250 2.0.0 Ok
mail from:<crosser@[194.67.3.135]>
250 2.1.0 Sender syntax Ok
rcpt to:<a@aol.com>
250 2.1.5 Recipient address syntax Ok
quit
221 2.0.0 chronos Out

This is in my policy:

online.ru = _full_rights
[194.67.0.0]/18 = _full_rights
_full_rights    rejectnet - fulltrustnet + relaytarget +

Note that although _full_rights is assigned to both "online.ru" and
IP address, mail from @online.ru does not trigger relaying.

> > My question is, was this problem addressed recently?  If not, I will
> > try to make necessary fixes these days.

I checked with today's CVS and the behavior is still incorrect.  I will
investigate further, and if you like you can try it on chronos.sovam.com
(but don't abuse please!)  Full policy.dat available upon request.

Eugene
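
The behaviour reported in this message, as an added example that is not part of the original e-mail and is not ZMailer code: a simplified model of a relay decision in which an address literal in MAIL FROM is matched against the network entries, next to a variant that grants network trust only from the connecting peer's address. The table layout, function names and the peer address 203.0.113.9 are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed tables modelled on the policy lines quoted in the message
# (not ZMailer's policy.dat format or lookup code).
FULL_RIGHTS = {"fulltrustnet": True, "relaytarget": True}
NET_POLICY = {ipaddress.ip_network("194.67.0.0/18"): FULL_RIGHTS}
DOMAIN_POLICY = {"online.ru": FULL_RIGHTS}

LITERAL = re.compile(r"^\[(\d{1,3}(?:\.\d{1,3}){3})\]$")

def net_attrs(ip_text):
    """Attributes of the first policy network containing ip_text, else {}."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return {}
    for net, attrs in NET_POLICY.items():
        if ip in net:
            return attrs
    return {}

def sender_trust_flawed(mail_from):
    """Reported behaviour: an address literal in MAIL FROM is matched
    against the network entries, so the client picks its own trust level."""
    m = LITERAL.match(mail_from.rsplit("@", 1)[-1])
    return bool(m and net_attrs(m.group(1)).get("fulltrustnet"))

def sender_trust_fixed(mail_from):
    """Envelope sender is client-supplied text and never grants network trust."""
    return False

def may_relay(peer_ip, mail_from, rcpt_domain, sender_trust):
    """True if RCPT TO the given domain would be accepted for relaying."""
    if net_attrs(peer_ip).get("fulltrustnet") or sender_trust(mail_from):
        return True
    return bool(DOMAIN_POLICY.get(rcpt_domain.lower(), {}).get("relaytarget"))

OUTSIDE = "203.0.113.9"  # constructed peer address outside 194.67.0.0/18

if __name__ == "__main__":
    for sender in ("crosser@online.ru", "crosser@[194.67.3.135]"):
        for name, check in (("flawed", sender_trust_flawed),
                            ("fixed", sender_trust_fixed)):
            print(sender, name, may_relay(OUTSIDE, sender, "aol.com", check))
```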