Bug 840665 - milter-regex does not evaluate TLS related macros if using STARTTLS
Summary: milter-regex does not evaluate TLS related macros if using STARTTLS
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: milter-regex
Version: 17
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Paul Howarth
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2012-07-16 20:59 UTC by Fritz Elfert
Modified: 2012-07-26 22:33 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-07-26 22:33:48 UTC
Type: Bug
Embargoed:


Attachments
Patch to add STARTTLS support (682 bytes, patch), 2012-07-16 20:59 UTC, Fritz Elfert

Description Fritz Elfert 2012-07-16 20:59:56 UTC
Created attachment 598524
Patch to add STARTTLS support

Description of problem:
Assume the following rule set:

local1 = connect // /127\.0\.0\.1/
local2 = connect // /192\.168\.1\./
secure = macro /tls_version/ /TLSv/
trusted = $local1 or $local2 or $secure
reject "Sender domain policy violation"
envfrom /<(.*@mydomain\.com)>/ei and not $trusted

It should reject any attempt to forge a local domain sender from an untrusted client. However, the TLS-specific part does not work, because those macros are evaluated too early (at the initial greeting phase). The result is that external clients using STARTTLS (which is pretty common) are still rejected.
Furthermore, even if using an untrusted cert, old-style clients (using SMTPS) *are* permitted to send.

The attached patch fixes this by
 1. Re-evaluating TLS-related macros at a later point (cb_envfrom)
 2. Adding support for sendmail's {verify} (like milter-greylist)

Having the patch applied, one can use a slightly modified rule set:

-secure = macro /tls_version/ /TLSv/
+secure = macro /verify/ /^OK$/
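Review bot: this is not a like-for-like replacement, and the difference deserves a sentence next to it: "macro /tls_version/ /TLSv/" trusts any TLS session regardless of what certificate the client presented, whereas "macro /verify/ /^OK$/" trusts a session only when sendmail's {verify} macro reports a successfully verified client certificate. That is exactly what closes the second complaint above (an SMTPS client with an untrusted certificate was still permitted), but it also means an external STARTTLS client that presents no client certificate, or one that fails verification, is now untrusted and hits the envfrom reject. The new rule therefore depends on which certificates sendmail is configured to verify against; a reader copying the rule should know that.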

which works as expected even when using STARTTLS.

Version-Release number of selected component (if applicable):
1.9-2.fc17

How reproducible:
always

Steps to Reproduce:
See above.

Additional info:
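The timing problem described in this report can be shown with a small phase-aware model of the rule set. This is an added example, not code from milter-regex or from the reporter's patch: it parses only the syntax subset used in the report, models a client session as two macro snapshots (what the milter could read at the connect callback versus at MAIL FROM), and treats both patterns of a "macro" test as unanchored searches over the macro name and the macro value, which is an assumption of the model rather than a statement about milter-regex's engine. The hostnames, the 203.0.113.7 client address and the macro values are constructed; macro names carry sendmail's braces, e.g. "{tls_version}".

```python
"""Model of the milter-regex rule set in this report (added example, not milter-regex's own code; the syntax subset, Session layout and sample sessions are constructed)."""
import re
from collections import namedtuple

RULES_TLS_VERSION = r'''
local1 = connect // /127\.0\.0\.1/
local2 = connect // /192\.168\.1\./
secure = macro /tls_version/ /TLSv/
trusted = $local1 or $local2 or $secure
reject "Sender domain policy violation"
envfrom /<(.*@mydomain\.com)>/ei and not $trusted
'''
RULES_VERIFY = RULES_TLS_VERSION.replace('macro /tls_version/ /TLSv/', 'macro /verify/ /^OK$/')
TOKEN = re.compile(r'\s*(?:/(?P<re>[^/]*)/(?P<flags>[a-z]*)|"(?P<str>[^"]*)"|\$(?P<ref>\w+)|(?P<word>[=\w]+))')

def tokenize(line):
    """(kind, value) tokens for one rule line; a 're' token carries (pattern, flags)."""
    toks, pos = [], 0
    while pos < len(line):
        m = TOKEN.match(line, pos)
        if not m: raise SyntaxError(f'cannot tokenize {line[pos:]!r}')
        pos = m.end()
        kind = next(k for k in ('re', 'str', 'ref', 'word') if m.group(k) is not None)
        toks.append((kind, (m.group('re'), m.group('flags')) if kind == 're' else m.group(kind)))
    return toks

def parse_expr(toks, named):
    """Recursive descent: an 'or' chain of 'and' chains of optionally negated primaries."""
    pos = 0
    def take():
        nonlocal pos; pos += 1
        return toks[pos - 1] if pos <= len(toks) else (None, None)
    def regex():
        kind, val = take()
        if kind != 're': raise SyntaxError('pattern expected')
        return re.compile(val[0], re.I if 'i' in val[1] else 0)   # flag 'e' (extended) is the default here
    def unary():
        kind, val = take()
        if kind == 'ref': return named[val]                          # $name: an earlier definition
        if kind == 'word' and val == 'not': return ('not', unary())
        if kind == 'word' and val in ('connect', 'macro'): return (val, regex(), regex())
        if kind == 'word' and val == 'envfrom': return (val, regex())
        raise SyntaxError(f'unexpected {kind} {val!r}')
    def chain(op, sub):
        nonlocal pos
        node = sub()
        while pos < len(toks) and toks[pos] == ('word', op):
            pos += 1
            node = (op, node, sub())
        return node
    node = chain('or', lambda: chain('and', unary))
    if pos != len(toks): raise SyntaxError(f'trailing tokens {toks[pos:]!r}')
    return node

def parse_rules(text):
    """[(action, message, expr)]: an action line is followed by its expression line."""
    named, actions, pending = {}, [], None
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        toks = tokenize(line)
        if pending:
            actions.append(pending + (parse_expr(toks, named),)); pending = None
        elif toks[0] == ('word', 'reject'):
            pending = ('reject', toks[1][1] if len(toks) > 1 else '')
        elif len(toks) > 2 and toks[1] == ('word', '='):
            named[toks[0][1]] = parse_expr(toks[2:], named)
        else:
            raise SyntaxError(f'unrecognised rule line {line!r}')
    return actions

# What the milter sees: the macros readable at the connect callback and, again, at the MAIL FROM callback
Session = namedtuple('Session', 'hostname addr envfrom macros_at_connect macros_at_envfrom')

def evaluate(node, s, phase):
    """phase 'connect' models the bug (macros read once, at the greeting); 'envfrom' models the patch."""
    op, args = node[0], node[1:]
    if op in ('and', 'or', 'not'):
        vals = [evaluate(a, s, phase) for a in args]
        return all(vals) if op == 'and' else any(vals) if op == 'or' else not vals[0]
    if op == 'connect':
        return bool(args[0].search(s.hostname) and args[1].search(s.addr))
    if op == 'envfrom':
        return bool(args[0].search(s.envfrom))
    macros = s.macros_at_connect if phase == 'connect' else s.macros_at_envfrom
    # model assumption: both 'macro' patterns are unanchored searches, on the name and on the value
    return any(args[0].search(n) and args[1].search(v) for n, v in macros.items())

def decide(rules_text, session, phase):
    """First matching action wins; with no match the mail is accepted."""
    return next((a for a, _, node in parse_rules(rules_text) if evaluate(node, session, phase)), 'accept')

def ext(at_connect, at_envfrom):   # constructed external client (TEST-NET-3 address)
    return Session('mx.example.net', '203.0.113.7', '<bob@mydomain.com>', at_connect, at_envfrom)

TLS = {'{tls_version}': 'TLSv1'}
SESSIONS = {
    'lan_plain': Session('pc.lan', '192.168.1.10', '<alice@mydomain.com>', {}, {}),
    'ext_plain': ext({}, {}),
    'ext_starttls_ok': ext({}, {**TLS, '{verify}': 'OK'}),       # no TLS macros exist yet at connect time
    'ext_starttls_nocert': ext({}, {**TLS, '{verify}': 'NO'}),
    'ext_smtps_badcert': ext({**TLS, '{verify}': 'FAIL'}, {**TLS, '{verify}': 'FAIL'}),  # TLS from byte one
}
```

Evaluating the original rule set with phase 'connect' reproduces both symptoms from the report: the STARTTLS client whose certificate verified is rejected, because nothing TLS-related exists in its connect-time snapshot, while the SMTPS client whose certificate failed verification is accepted, because {tls_version} is already set when the connect callback runs. With phase 'envfrom' and the {verify} rule, the verified STARTTLS client is accepted and both the no-certificate and the failed-verification clients are rejected, as the report expects; the LAN client is accepted either way.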

Comment 1 Paul Howarth 2012-07-16 22:45:23 UTC
Have you sent this upstream too?

Comment 2 Fritz Elfert 2012-07-17 03:26:29 UTC
Yes

Comment 3 Fritz Elfert 2012-07-17 08:51:26 UTC
and just got a response: It's applied in upstream.

Comment 4 Paul Howarth 2012-07-17 10:20:07 UTC
Yes, I see it's included in the current upstream development tarball.

Updates for Rawhide and F-17 on the way.

Comment 5 Fedora Update System 2012-07-17 10:44:36 UTC
milter-regex-1.9-3.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/milter-regex-1.9-3.fc17

Comment 6 Fedora Update System 2012-07-19 09:05:54 UTC
Package milter-regex-1.9-3.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing milter-regex-1.9-3.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-10810/milter-regex-1.9-3.fc17
then log in and leave karma (feedback).

Comment 7 Fedora Update System 2012-07-26 22:33:48 UTC
milter-regex-1.9-3.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

