
Mailing List Archive: DBMail: users

buggy postfix sql recipients query against dbmail_aliases

 

 



aleksander at krediidiinfo

Mar 11, 2009, 4:15 AM


Hi, I have the following standard settings for postfix doing the RCPT
TO: check via sql against the dbmail_aliases table.

sql-recipients.cf:

user = xxx
password = xxx
hosts = 127.0.0.1
dbname = xxx
table = dbmail_aliases
select_field = alias
where_field = alias


Here's a working and buggy example:

# netcat localhost 25
220 mail.krediidiinfo.ee ESMTP Postfix
HELO mail.krediidiinfo.ee
250 mail.krediidiinfo.ee
MAIL FROM:<test[at]example.com>
250 Ok
RCPT TO:<nosuchuser[at]krediidiinfo.ee>
550 <nosuchuser[at]krediidiinfo.ee>: Recipient address rejected: User
unknown in local recipient table
RCPT TO:<nosuchuser[at]nosuchdomain.krediidiinfo.ee>
250 Ok
QUIT
221 Bye

The second response to RCPT TO: should have been a 550 too, not 250. The
dbmail_aliases table contains only proper "user[at]domain" entries, no
wildcard stuff like simply a "@domain" or similar.

So there's a problem when a subhost is specified in the address.
Another issue is when no user is specified. Here's an example:

# netcat localhost 25
220 mail.krediidiinfo.ee ESMTP Postfix
HELO mail.krediidiinfo.ee
250 mail.krediidiinfo.ee
MAIL FROM:<test[at]example.com>
250 Ok
RCPT TO:<@krediidiinfo.ee>
250 Ok
QUIT
221 Bye

These wrong addresses are often expanded from user typos like
"@user[at]domain" for example or whatever combination. Spamming postfix
with these invalid addresses would result in a DoS.

This is postfix 2.2.9 and dbmail 2.2.11 on SLES10SP2.


Could a postfix/sql knowledgeable person please refine the
sql-recipients file, so invalid addresses would be denied immediately? I
have no idea how to do this.

Regards,

PS: The dbmail news page does not have an announcement for dbmail-2.2.11
final release.


--

Aleksander Kamenik
System Administrator
Krediidiinfo AS
an Experian Company
Phone: +372 665 9649
Email: aleksander[at]krediidiinfo.ee

http://www.krediidiinfo.ee/
http://www.experiangroup.com/
_______________________________________________
DBmail mailing list
DBmail[at]dbmail.org
http://mailman.fastxs.nl/cgi-bin/mailman/listinfo/dbmail


rabbit+list at rabbit

Mar 11, 2009, 4:42 AM

Re: buggy postfix sql recipients query against dbmail_aliases

Aleksander Kamenik wrote:
> Hi, I have the following standard settings for postfix doing the RCPT
> TO: check via sql against the dbmail_aliases table.
>
> sql-recipients.cf:
>
> user = xxx
> password = xxx
> hosts = 127.0.0.1
> dbname = xxx
> table = dbmail_aliases
> select_field = alias
> where_field = alias
>
>
> Here's a working and buggy example:
>
> # netcat localhost 25
> 220 mail.krediidiinfo.ee ESMTP Postfix
> HELO mail.krediidiinfo.ee
> 250 mail.krediidiinfo.ee
> MAIL FROM:<test[at]example.com>
> 250 Ok
> RCPT TO:<nosuchuser[at]krediidiinfo.ee>
> 550 <nosuchuser[at]krediidiinfo.ee>: Recipient address rejected: User
> unknown in local recipient table
> RCPT TO:<nosuchuser[at]nosuchdomain.krediidiinfo.ee>
> 250 Ok
> QUIT
> 221 Bye
>
> The second response to RCPT TO: should have been a 550 too, not 250. The
> dbmail_aliases table contains only proper "user[at]domain" entries, no
> wildcard stuff like simply a "@domain" or similar.
>
> So there's a problem when a subhost is specified in the address.
> Another issue is when no user is specified. Here's an example:
>
> # netcat localhost 25
> 220 mail.krediidiinfo.ee ESMTP Postfix
> HELO mail.krediidiinfo.ee
> 250 mail.krediidiinfo.ee
> MAIL FROM:<test[at]example.com>
> 250 Ok
> RCPT TO:<@krediidiinfo.ee>
> 250 Ok
> QUIT
> 221 Bye
>
> These wrong addresses are often expanded from user typos like
> "@user[at]domain" for example or whatever combination. Spamming postfix
> with these invalid addresses would result in a DoS.
>
> This is postfix 2.2.9 and dbmail 2.2.11 on SLES10SP2.
>
>
> Could a postfix/sql knowledgeable person please refine the
> sql-recipients file, so invalid addresses would be denied immediately? I
> have no idea how to do this.

Just my 2c - I have never seen this error, as I do not blindly accept mail
for my subdomains (unlike the default):

root[at]Arzamas:~# postconf -d | grep parent_domain_matches_subdomains
parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps
root[at]Arzamas:~# postconf -n | grep parent_domain_matches_subdomains
parent_domain_matches_subdomains =

With these settings the user gets a 554 Relay Denied unless the domain
is explicitly listed in <whatever delivery method you use>_domains=


aleksander at krediidiinfo

Mar 11, 2009, 5:11 AM

Re: buggy postfix sql recipients query against dbmail_aliases

Thanks for the fast reply.

Peter Rabbitson wrote:
> Just my 2c - I have never seen this error, as I do not blindly accept mail
> for my subdomains (unlike the default):
>
> root[at]Arzamas:~# postconf -d | grep parent_domain_matches_subdomains
> parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps
> root[at]Arzamas:~# postconf -n | grep parent_domain_matches_subdomains
> parent_domain_matches_subdomains =
>
> With these settings the user gets a 554 Relay Denied unless the domain
> is explicitly listed in <whatever delivery method you use>_domains=

Ok, I set the parent_domain_matches_subdomains to blank.

# postconf -n | grep parent_domain_matches_subdomains
parent_domain_matches_subdomains =
# netcat localhost 25
220 mail.krediidiinfo.ee ESMTP Postfix
HELO mail.krediidiinfo.ee
250 mail.krediidiinfo.ee
MAIL FROM:<test[at]example.com>
250 Ok
RCPT TO:<nosuchuser[at]nosuchdomain.krediidiinfo.ee>
250 Ok
QUIT
221 Bye

Still accepted the address. All *_domains settings are the default, that
is empty. The domains I receive mail for are defined in mydestination.

Yes, I reloaded and restarted postfix, the settings are definitely in
effect.

Why does postfix still accept the address? I looked at my postfix
settings and couldn't find anything useful.

PS: In my previous mail I forgot to mention I'm using mysql:
local_recipient_maps = proxy:mysql:/etc/postfix/sql-recipients.cf

Regards,

--

Aleksander Kamenik
System Administrator
Krediidiinfo AS
an Experian Company
Phone: +372 665 9649
Email: aleksander[at]krediidiinfo.ee

http://www.krediidiinfo.ee/
http://www.experiangroup.com/


rabbit+list at rabbit

Mar 11, 2009, 5:14 AM

Re: buggy postfix sql recipients query against dbmail_aliases

Aleksander Kamenik wrote:
> Thanks for the fast reply.
>
> Peter Rabbitson wrote:
>> Just my 2c - I have never seen this error, as I do not blindly accept mail
>> for my subdomains (unlike the default):
>>
>> root[at]Arzamas:~# postconf -d | grep parent_domain_matches_subdomains
>> parent_domain_matches_subdomains = debug_peer_list,fast_flush_domains,mynetworks,permit_mx_backup_networks,qmqpd_authorized_clients,smtpd_access_maps
>> root[at]Arzamas:~# postconf -n | grep parent_domain_matches_subdomains
>> parent_domain_matches_subdomains =
>>
>> With these settings the user gets a 554 Relay Denied unless the domain
>> is explicitly listed in <whatever delivery method you use>_domains=
>
> Ok, I set the parent_domain_matches_subdomains to blank.
>
> # postconf -n | grep parent_domain_matches_subdomains
> parent_domain_matches_subdomains =
> # netcat localhost 25
> 220 mail.krediidiinfo.ee ESMTP Postfix
> HELO mail.krediidiinfo.ee
> 250 mail.krediidiinfo.ee
> MAIL FROM:<test[at]example.com>
> 250 Ok
> RCPT TO:<nosuchuser[at]nosuchdomain.krediidiinfo.ee>
> 250 Ok
> QUIT
> 221 Bye
>
> Still accepted the address. All *_domains settings are the default, that
> is empty. The domains I receive mail for are defined in mydestination.
>
> Yes, I reloaded and restarted postfix, the settings are definitely in
> effect.
>
> Why does postfix still accept the address? I looked at my postfix
> settings and couldn't find anything useful.
>
> PS: In my previous mail I forgot to mention I'm using mysql:
> local_recipient_maps = proxy:mysql:/etc/postfix/sql-recipients.cf
>

Can you show your postconf -n (edit whatever information you want to hide)


aleksander at krediidiinfo

Mar 11, 2009, 5:30 AM

Re: buggy postfix sql recipients query against dbmail_aliases

Peter Rabbitson wrote:
> Can you show your postconf -n (edit whatever information you want to hide)

biff = no
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/lib/postfix
debug_peer_level = 2
default_privs = nobody
header_checks = pcre:/etc/postfix/dspam_headers
html_directory = /usr/share/doc/packages/postfix/html
inet_interfaces = 127.0.0.1, 192.168.x.x, 213.180.27.233
local_recipient_maps = proxy:mysql:/etc/postfix/sql-recipients.cf
mail_owner = postfix
mail_spool_directory = /var/mail
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 12582912
mydestination = xxx.yyy, localhost, krediidiinfo.ee, krediidiinfo.eu,
experian.ee, kredinfo.ee, arveregister.ee, inspektor.ee
myhostname = mail.krediidiinfo.ee
mynetworks = 192.168.0.0/16, 127.0.0.0/8, 172.16.x.x/24
myorigin = mail.krediidiinfo.ee
newaliases_path = /usr/bin/newaliases
parent_domain_matches_subdomains =
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/packages/postfix/README_FILES
receive_override_options = no_address_mappings
sample_directory = /usr/share/doc/packages/postfix/samples
sendmail_path = /usr/sbin/sendmail
setgid_group = maildrop
smtpd_recipient_restrictions = permit_mynetworks,
reject_unauth_destination, reject_rbl_client zen.spamhaus.org,
check_policy_service inet:127.0.0.1:2501
transport_maps = hash:/etc/postfix/transport
unknown_local_recipient_reject_code = 550

I thought maybe receive_override_options = no_address_mappings is
causing problems, but setting it to blank didn't change a thing.


Regards,

--

Aleksander Kamenik
System Administrator
Krediidiinfo AS
an Experian Company
Phone: +372 665 9649
Email: aleksander[at]krediidiinfo.ee

http://www.krediidiinfo.ee/
http://www.experiangroup.com/
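
Added example, not part of the original thread or of Postfix/DBMail: a small regression check that replays the RCPT TO results shown in the first post and flags every recipient the server accepted although it is not a known alias. The transcript is constructed by merging the two posted sessions; the alias set is a hypothetical stand-in for dbmail_aliases.alias, and the domain list is a subset of the posted mydestination.

```python
import re

# Constructed sample: both sessions from the first post merged into one.
TRANSCRIPT = """\
220 mail.krediidiinfo.ee ESMTP Postfix
HELO mail.krediidiinfo.ee
250 mail.krediidiinfo.ee
MAIL FROM:<test[at]example.com>
250 Ok
RCPT TO:<nosuchuser[at]krediidiinfo.ee>
550 <nosuchuser[at]krediidiinfo.ee>: Recipient address rejected: User
unknown in local recipient table
RCPT TO:<nosuchuser[at]nosuchdomain.krediidiinfo.ee>
250 Ok
RCPT TO:<@krediidiinfo.ee>
250 Ok
QUIT
221 Bye
"""
KNOWN_ALIASES = {"info@krediidiinfo.ee"}             # hypothetical table contents
LOCAL_DOMAINS = {"krediidiinfo.ee", "krediidiinfo.eu", "experian.ee"}

RCPT = re.compile(r"^RCPT TO:\s*<([^>]*)>", re.I)
REPLY = re.compile(r"^(\d{3})[ -]")

def rcpt_replies(transcript):
    """Pair each RCPT TO command with the status code of the reply after it."""
    pairs, pending = [], None
    for line in transcript.splitlines():
        line = line.strip().replace("[at]", "@")     # undo archive obfuscation
        cmd, reply = RCPT.match(line), REPLY.match(line)
        if cmd:
            pending = cmd.group(1).lower()
        elif reply and pending is not None:          # first reply line decides
            pairs.append((pending, int(reply.group(1))))
            pending = None                           # wrapped text is skipped
    return pairs

def classify(addr):
    """Say why an address that is not a known alias should have been refused."""
    local, _, domain = addr.rpartition("@")
    if not local:
        return "empty local part"
    return "unknown user" if domain in LOCAL_DOMAINS else "domain not in mydestination"

def over_accepted(transcript):
    """Recipients answered with 2xx although they are not known aliases."""
    return [(a, classify(a)) for a, code in rcpt_replies(transcript)
            if 200 <= code < 300 and a not in KNOWN_ALIASES]

if __name__ == "__main__":
    for addr, why in over_accepted(TRANSCRIPT):
        print(f"accepted but invalid: <{addr}> ({why})")
```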
