[Avcheck] Re: Combined avcheck / Postfix question -- open relay issue

Michael Tokarev mjt@tls.msk.ru
Wed, 08 May 2002 16:55:42 +0400


Ralf Hildebrandt wrote:
> 
> Initial injection from my home host:
> 
> May  8 14:19:51 hauptpostamt postfix/smtpd[4629]: 26FAB15C005: client=port-213-20-228-47.reverse.qdsl-home.de[213.20.228.47]
> May  8 14:20:00 hauptpostamt postfix/cleanup[4630]: 26FAB15C005: message-id=<20020508121951.26FAB15C005@hauptpostamt.charite.de>
> May  8 14:20:00 hauptpostamt postfix/nqmgr[4627]: 26FAB15C005: from=<bitbucket@ordb.org>, size=401, nrcpt=1 (queue active)
> May  8 14:20:00 hauptpostamt postfix/cleanup[4657]: A596715C009: message-id=<20020508121951.26FAB15C005@hauptpostamt.charite.de>
> May  8 14:20:00 hauptpostamt postfix/pipe[4632]: 26FAB15C005: to=<catchall+foo@bar.com@hauptpostamt.charite.de>, relay=avcheck, delay=9, status=sent (hauptpostamt.charite.de)
> 
> The original envelope information was:
> MAIL FROM:<bitbucket@ordb.org>
> RCPT TO:<"foo@bar.com"@charite.de>
> 
> My virtual_maps entry:
> /^(.*)@charite\.de$/   catchall+$1@hauptpostamt.charite.de
> has stripped the "'s
> 
> The mail is injected into avcheck (content_filter = avcheck), and now it comes out again:
> 
> May  8 14:20:00 hauptpostamt postfix/smtpd[4636]: A596715C009: client=localhost[127.0.0.1]
> May  8 14:20:00 hauptpostamt postfix/cleanup[4657]: A596715C009: message-id=<20020508121951.26FAB15C005@hauptpostamt.charite.de>
> May  8 14:20:00 hauptpostamt postfix/nqmgr[4627]: A596715C009: from=<bitbucket@ordb.org>, size=402, nrcpt=1 (queue active)
> May  8 14:20:00 hauptpostamt postfix/smtp[4637]: A596715C009: to=<catchall+foo@bar.com>, relay=none, delay=0, status=bounced (mail for bar.com loops back to myself)
> 
> All of a sudden the envelope recipient is "catchall+foo@bar.com"
> instead of "catchall+foo@bar.com@hauptpostamt.charite.de".

What's in your master.cf for avcheck?  What about quotes (flags=q)?
Avcheck, if compiled with -DQUOTEADDR, will... let me check... *will* rewrite
foo@bar.com@example.com as "foo@bar.com"@example.com.  So should Postfix,
since the code in avcheck was in fact originally stolen from Postfix.

> Where's the rest gone?

This is interesting.  I suspect missing flags=q entry.  Errm.  By default,
avcheck just passes all addresses to the SMTP server AS IS, without ANY
modification (and the only non-default is to #define QUOTEADDR).  I'll
look at the pipe code shortly.

> Surely due to the two @'s.
> 
> And: Now it tries to send to bar.com, so it's relaying. This sucks.

Yes.  And it should be resolved very quickly.

BTW, the best method would be to stop using catchalls.  They create a great
server load after various dictionary attacks etc.

> My "postconf -n" is attached.

Regards,
 Michael.
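The address round trip discussed in this message, as an added example (not avcheck's or Postfix's own code): a quoted-string-aware splitter that refuses to guess when a local part contains a bare "@", a model of Ralf's virtual_maps regexp applied to the unquoted form he observed, the re-quoting step Michael describes for -DQUOTEADDR, and a delivery decision that shows why the bare "catchall+foo@bar.com" from the log ends up relayed. Assumptions: the rightmost "@" separates the domain when re-quoting (as in the QUOTEADDR rewrite described above), LOCAL_DOMAINS stands in for this host's mydestination, and quoted local parts are parsed without backslash escapes.

```python
import re

# Characters allowed in an unquoted (dot-atom) local part.
ATEXT = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
            "!#$%&'*+-/=?^_`{|}~.")

# Ralf's virtual_maps regexp entry, as a Python regex plus replacement.
VIRTUAL_MAP = (re.compile(r"^(.*)@charite\.de$"),
               r"catchall+\1@hauptpostamt.charite.de")

# Assumption for the example: domains this host delivers locally
# (what mydestination would hold in Postfix).
LOCAL_DOMAINS = {"hauptpostamt.charite.de", "charite.de"}


def split_address(addr):
    """Split addr into (local_part, domain) the way an SMTP parser must:
    an '@' inside a quoted string belongs to the local part, and an
    unquoted local part may not contain '@' at all.  Raises ValueError
    instead of guessing when the address is ambiguous.
    Simplification: backslash escapes inside the quotes are not handled."""
    if addr.startswith('"'):
        end = addr.find('"', 1)
        if end < 0 or end + 1 >= len(addr) or addr[end + 1] != "@":
            raise ValueError("malformed quoted local part: %r" % addr)
        return addr[1:end], addr[end + 2:]
    local, sep, domain = addr.partition("@")
    if not sep or not domain or "@" in domain:
        raise ValueError("ambiguous address, unquoted '@' in local part: %r" % addr)
    return local, domain


def is_ambiguous(addr):
    """True when split_address would have to guess where the domain starts."""
    try:
        split_address(addr)
    except ValueError:
        return True
    return False


def virtual_rewrite(addr):
    """Model of the virtual_maps regexp lookup.  Ralf observed that the
    lookup saw the address with the quotes already stripped, so the match
    runs on the unquoted form; that is what puts a bare '@' into the
    rewritten local part."""
    local, domain = split_address(addr)
    pattern, replacement = VIRTUAL_MAP
    m = pattern.match(local + "@" + domain)
    if not m:
        return addr
    return m.expand(replacement)


def quote_address(addr):
    """Re-quote a rewritten address before handing it back to an SMTP
    server.  Assumes, like the QUOTEADDR behaviour described in the thread,
    that the rightmost '@' separates the domain.  The local part is quoted
    when it contains anything outside the dot-atom character set."""
    local, sep, domain = addr.rpartition("@")
    if not sep:
        return addr
    if (all(c in ATEXT for c in local) and not local.startswith(".")
            and not local.endswith(".") and ".." not in local):
        return addr
    escaped = local.replace("\\", "\\\\").replace('"', '\\"')
    return '"%s"@%s' % (escaped, domain)


def delivery_decision(addr):
    """Where the next hop would send this recipient: 'local' if the domain
    is one of ours, otherwise 'relay:<domain>' (the open-relay case)."""
    local, domain = split_address(addr)
    return "local" if domain.lower() in LOCAL_DOMAINS else "relay:" + domain


if __name__ == "__main__":
    original = '"foo@bar.com"@charite.de'        # RCPT TO from the post
    rewritten = virtual_rewrite(original)        # quotes lost here
    requoted = quote_address(rewritten)          # what QUOTEADDR would send
    print("after virtual_maps:   ", rewritten)
    print("re-quoted for filter: ", requoted, "->", delivery_decision(requoted))
    print("unquoted is ambiguous:", is_ambiguous(rewritten))
    # The recipient as it appeared in the log after the filter:
    print("bare form from log:   ", delivery_decision("catchall+foo@bar.com"))
```

The point of the strict splitter is that a filter or MTA which receives `catchall+foo@bar.com@hauptpostamt.charite.de` unquoted has no correct way to interpret it; any silent choice of delimiter can turn a local catchall into a relay to a foreign domain, so the safe reaction is to reject, and the fix on the sending side is to quote the local part before re-injection.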