Bug 840665
| Field | Value |
|---|---|
| Summary | milter-regex does not evaluate TLS related macros if using STARTTLS |
| Product | Fedora |
| Component | milter-regex |
| Version | 17 |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | unspecified |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Fritz Elfert <fritz> |
| Assignee | Paul Howarth <paul> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | paul |
| Type | Bug |
| Doc Type | Bug Fix |
| Last Closed | 2012-07-26 22:33:48 UTC |
Have you sent this upstream too?

Yes, and just got a response: it's applied in upstream.

Yes, I see it's included in the current upstream development tarball. Updates for Rawhide and F-17 on the way.

milter-regex-1.9-3.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/milter-regex-1.9-3.fc17

Package milter-regex-1.9-3.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.

Update it with:

    # su -c 'yum update --enablerepo=updates-testing milter-regex-1.9-3.fc17'

as soon as you are able to. Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-10810/milter-regex-1.9-3.fc17
then log in and leave karma (feedback).

milter-regex-1.9-3.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
Created attachment 598524 [details]
Patch to add STARTTLS support

Description of problem:

Assume the following rule set:

    local1 = connect // /127\.0\.0\.1/
    local2 = connect // /192\.168\.1\./
    secure = macro /tls_version/ /TLSv/
    trusted = $local1 or $local2 or $secure
    reject "Sender domain policy violation"
        envfrom /<(.*@mydomain\.com)>/ei and not $trusted

It should reject any attempt to forge a local domain sender from an untrusted client. However, the TLS-specific part does not work, because those macros are evaluated too early (at the initial greeting phase). The result is that external clients using STARTTLS (which is pretty common) are still rejected. Furthermore, even if using an untrusted cert, old-style clients (using SMTPS) *are* permitted to send.

The attached patch fixes this by

1. Re-evaluating TLS-related macros at a later point (cb_envfrom)
2. Adding support for sendmail's {verify} (like milter-greylist)

Having the patch applied, one can use a slightly modified rule set:

    -secure = macro /tls_version/ /TLSv/
    +secure = macro /verify/ /^OK$/

which works as expected even when using STARTTLS.

Version-Release number of selected component (if applicable):
1.9-2.fc17

How reproducible:
always

Steps to Reproduce:
See above.

Additional info:
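To make the timing problem concrete, here is an added Python model of the reporter's rule set (a constructed example, not milter-regex's own evaluator or the attached patch). It assumes the only thing that differs between the connect and envfrom stages is the macro snapshot the rule sees; the `secure_old`/`secure_new` rule names and the two sample client sessions are constructed for illustration.

```python
import re

# Rule set from the bug report, as (kind, args) tuples. Constructed model,
# not milter-regex's own config parser.
RULES = {
    "local1": ("connect", r"127\.0\.0\.1"),
    "local2": ("connect", r"192\.168\.1\."),
    "secure_old": ("macro", "tls_version", r"TLSv"),  # rule set before the patch
    "secure_new": ("macro", "verify", r"^OK$"),       # rule set after the patch
}

def match_rule(name, client_addr, macros):
    """Evaluate one named rule against the client address and a macro snapshot."""
    rule = RULES[name]
    if rule[0] == "connect":
        return re.search(rule[1], client_addr) is not None
    # 'macro' rule: an unset macro matches nothing, which is exactly the state
    # at the greeting phase before STARTTLS has negotiated anything.
    return re.search(rule[2], macros.get(rule[1], "")) is not None

def decide(client_addr, sender, macros, secure_rule):
    """Return 'reject' or 'accept' for the envfrom rule in the bug report."""
    trusted = (match_rule("local1", client_addr, macros)
               or match_rule("local2", client_addr, macros)
               or match_rule(secure_rule, client_addr, macros))
    forged_local = re.search(r"<(.*@mydomain\.com)>", sender, re.I) is not None
    return "reject" if forged_local and not trusted else "accept"

def evaluate(session, secure_rule, stage):
    """Simulate milter-regex reading the macros at `stage` ('connect' or 'envfrom')."""
    return decide(session["addr"], session["sender"],
                  session["macros_at"][stage], secure_rule)

# Constructed sessions. TLS macros exist only once TLS is up: for STARTTLS
# that is after the greeting, for SMTPS it is already at connect time.
# "NO" is the sample {verify} value for a certificate that did not verify.
STARTTLS_CLIENT = {
    "addr": "203.0.113.5", "sender": "<user@mydomain.com>",
    "macros_at": {"connect": {},
                  "envfrom": {"tls_version": "TLSv1.2", "verify": "OK"}},
}
SMTPS_UNTRUSTED_CERT = {
    "addr": "203.0.113.9", "sender": "<user@mydomain.com>",
    "macros_at": {"connect": {"tls_version": "TLSv1", "verify": "NO"},
                  "envfrom": {"tls_version": "TLSv1", "verify": "NO"}},
}

if __name__ == "__main__":
    print(evaluate(STARTTLS_CLIENT, "secure_old", "connect"))       # reject (the bug)
    print(evaluate(STARTTLS_CLIENT, "secure_old", "envfrom"))       # accept
    print(evaluate(SMTPS_UNTRUSTED_CERT, "secure_old", "envfrom"))  # accept (cert never checked)
    print(evaluate(SMTPS_UNTRUSTED_CERT, "secure_new", "envfrom"))  # reject
```

The first two calls show the original bug (same client, same rule, different outcome depending only on when the macros are read); the last two show why the patched rule set switches from {tls_version} to {verify}.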