Subject: postfix rDNS verification and getaddrinfo()
To: None <tech-net@netbsd.org>
From: Wolfgang S. Rupprecht <wolfgang+gnus20030815T141901@wsrcc.com>
List: tech-net
Date: 08/15/2003 14:45:55
I'm trying to track down why pkgsrc's postfix doesn't verify a
hostname lookup for me this morning. Situation:
  1. connection from [1.2.3.4]
  2. rDNS lookup yields name foo.example.com
  3. DNS verification of foo.example.com yields one IP address,
     [5.6.7.8]. (Note this address is NOT the address
     from step #1. We have a very clear forgery.)
  4. postfix incorrectly accepted the name foo.example.com[1.2.3.4]
The ipv6 patches look like they no longer verify the IP address at
all. There is a lookup done of the name, but the resulting IP address
or addresses are never checked against anything. Is there something
that getaddrinfo() is doing behind the scenes? There is a comment in
the code that "memcmp() isn't needed if we use getaddrinfo". I don't
understand that comment.
/usr/pkgsrc/mail/postfix/work/postfix-2.0.13/src/qmqpd/qmqpd_peer.c:180:
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    error = getaddrinfo(state->name, NULL, &hints, &rnull);
    if (error) {
        msg_warn("%s: hostname %s verification failed: %s",
                 state->addr, state->name, GAI_STRERROR(error));
        REJECT_PEER_NAME(state);
    }
    /* memcmp() isn't needed if we use getaddrinfo */
    if (rnull)
        freeaddrinfo(rnull);
Is this the bug?
-wolfgang
--
Wolfgang S. Rupprecht http://www.wsrcc.com/wolfgang/
(NOTE: The email address above is valid. Edit it at your own peril.)
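
The comparison the message above finds missing, as an added example (not part of the original message and not Postfix code): walk the getaddrinfo() result list and accept the name only if the connecting peer's address is among the results. The names lookup, raw_addr, addr_in_list and demo_check are hypothetical, and numeric literals passed with AI_NUMERICHOST stand in for the DNS answers so the example runs offline.

```c
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>

/* Same hints as the quoted qmqpd_peer.c lines; flags 0 = real DNS lookup. */
static struct addrinfo *lookup(const char *name, int flags)
{
    struct addrinfo hints = {0}, *res = NULL;
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = flags;
    return getaddrinfo(name, NULL, &hints, &res) == 0 ? res : NULL;
}

/* Point *p at the raw address bytes; return their length (0 = unknown family). */
static size_t raw_addr(const struct sockaddr *sa, const void **p)
{
    if (sa->sa_family == AF_INET6) {
        *p = &((const struct sockaddr_in6 *)sa)->sin6_addr;
        return sizeof(struct in6_addr);
    }
    *p = &((const struct sockaddr_in *)sa)->sin_addr;
    return sa->sa_family == AF_INET ? sizeof(struct in_addr) : 0;
}

/* The step the quoted code skips: is the peer among the forward-lookup results?
 * IPv4 and IPv6 lengths differ, so equal length implies the same family. */
static int addr_in_list(const struct sockaddr *peer, const struct addrinfo *res)
{
    const void *a, *b;
    size_t n = raw_addr(peer, &a);
    for (; n != 0 && res != NULL; res = res->ai_next)
        if (raw_addr(res->ai_addr, &b) == n && memcmp(a, b, n) == 0)
            return 1;
    return 0;
}

/* Constructed offline demo: numeric literals stand in for the peer address and
 * the forward-lookup answer. 1 = verified, 0 = mismatch (reject), -1 = error. */
int demo_check(const char *peer_ip, const char *fwd_answer)
{
    struct addrinfo *peer = lookup(peer_ip, AI_NUMERICHOST);
    struct addrinfo *fwd = lookup(fwd_answer, AI_NUMERICHOST);
    int rc = (peer && fwd) ? addr_in_list(peer->ai_addr, fwd) : -1;
    if (peer) freeaddrinfo(peer);
    if (fwd) freeaddrinfo(fwd);
    return rc;
}
int main(void) { return demo_check("1.2.3.4", "5.6.7.8") == 0 ? 0 : 1; }
```

A peer that arrives as an IPv4-mapped IPv6 address on a dual-stack socket would need to be unmapped before this comparison, since the forward lookup returns it as AF_INET.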