Affects: Postfix with IPv6 patch on Linux
Credits: Peer Heinlein

Background
-----------
Postfix is an MTA written by Wietse Venema with security in mind. The code has a great security record. Dean Strik provides an IPv6 patch for Postfix releases. To read IPv6 addresses and netmasks on Linux, the patch uses /proc/net/if_inet6.

Problem description
--------------------
In some cases, the /proc/net/if_inet6 file is not available. The most common reason being that Postfix runs chrooted without /proc mounted in the chroot.

A programming error in the IPv6 patch could result in Postfix relaying emails to destinations that have IPv6 addresses for their MX hosts. If /proc/net/if_inet6 is not available, so Postfix does configure any IPv6 addresses, the permit_mx_backup code erroneously returns success for relay permissions to any IPv6 host.

The Postfix IPv6 patch documentation (IPV6_README) does note that

  - It is not currently supported to use Postfix network daemons (such as smtp and smtpd) chrooted on Linux systems without mounting the proc filesystem under /var/spool/postfix/proc

    This is because the proc filesystem is required on Linux to obtain the system's IPv6 address information.

So the configuration where /proc is NOT available to Postfix is not supported.

Impact
-------
The problem is specific to the Linux operating system in unsupported configuration.

Postfix does not come chrooted by default. The IPv6 patch does not change this behaviour. Packagers/distributors however may have changed this setting.

The permit_mx_backup setting is not used by default and must be specifically configured by the Postfix administrator.

If Postfix cannot read the /proc/net/if_inet6 file and permit_mx_backup is used, then Postfix will wrongly relay mail only to sites that have IPv6 addresses (AAAA RRs in DNS) configured for at least one MX host.

Because of these four points, the impact of the relaying bug is very low.

Affected versions
------------------
Since the problem is in the IPv6 patch to Postfix, the version numbers used here are those of the IPv6 patch. An administrator can query the patch version number by issuing the command

  postconf tls_ipv6_version

Patch versions up to and including 1.25 are vulnerable to this problem. Associated Postfix versions include Postfix 2.1.x and 2.0.x. Postfix 2.2 snapshots with IPv6 included in the base Postfix (2.2-20050111-nonprod and up) are NOT vulnerable to the problem.

IPv6 and TLS+IPv6 patch 1.26 provide a correction of the problem.

Credits
--------
Peer Heinlein reported the problem to the IPv6 patch author.

Workarounds
------------
Several workarounds exist for the problem:

a) Do not run the Postfix smtpd program chrooted. This can be achieved by editing master.cf and putting an 'n' in the chroot column of the smtpd line;
b) Make the /proc filesystem available under the chroot.

Solution
---------
Upgrade the Postfix IPv6 patch to version 1.26 or higher. The patches are available from http://www.ipnet6.org/postfix/ipv6/ or ftp://ftp.stack.nl/pub/postfix/tls+ipv6/
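An added example, not part of the advisory or of the Postfix/IPv6 patch code: a Python check for the configuration the advisory describes (smtpd chrooted, permit_mx_backup in use, no readable proc/net/if_inet6 under the queue directory). The sample files and all function names are constructed for illustration; it reads main.cf only and does not check the patch version.

```python
import os
import re

# Constructed sample files, not taken from any real system.
SAMPLE_MASTER_CF = """\
# service type  private unpriv  chroot  wakeup  maxproc command + args
smtp      inet  n       -       y       -       -       smtpd
  -o smtpd_client_restrictions=
587       inet  n       -       n       -       -       smtpd
pickup    fifo  n       -       y       60      1       pickup
"""
SAMPLE_MAIN_CF = """\
queue_directory = /var/spool/postfix
smtpd_recipient_restrictions = permit_mynetworks,
    permit_mx_backup, reject_unauth_destination
"""

def chrooted_smtpd_services(master_cf):
    """Names of master.cf services that run smtpd with the chroot column enabled."""
    found = []
    for line in master_cf.splitlines():
        if not line.strip() or line[0] in "# \t":
            continue  # blank, comment, or continuation of the previous entry
        fields = line.split()
        # Columns: service type private unpriv chroot wakeup maxproc command
        # In Postfix 2.x a '-' in the chroot column means the default, 'y'.
        if len(fields) >= 8 and fields[7] == "smtpd" and fields[4] in ("y", "-"):
            found.append(fields[0])
    return found

def uses_permit_mx_backup(main_cf):
    """True if any main.cf parameter value lists the permit_mx_backup restriction."""
    entries = []
    for line in main_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and entries:
            entries[-1] += " " + line.strip()  # continuation line
        else:
            entries.append(line.strip())
    return any("permit_mx_backup" in re.split(r"[,\s]+", e.partition("=")[2])
               for e in entries)

def matches_advisory(master_cf, main_cf, queue_dir):
    """All three conditions the advisory requires, checked for one queue directory."""
    proc_readable = os.access(os.path.join(queue_dir, "proc/net/if_inet6"), os.R_OK)
    return (bool(chrooted_smtpd_services(master_cf))
            and uses_permit_mx_backup(main_cf) and not proc_readable)
```

A True result means the host should get workaround a) or b), or the 1.26 patch; restrictions overridden with -o in master.cf are not inspected.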
We're currently using version 1.25 of the IPv6 patch. Please bump and if you commit please keep everything about this bug out of the Changelog for now.
postfix-2.1.5-r2 with ipv6 patches version 1.26 committed.
Seems to be public with upstream Changelog:

- Linux workaround: When mynetworks isn't set, a chrooted process could not read the IPv6 address information from /proc. We now invoke own_inet_addr() before chrooting, while processing main.cf. [backported from 2.2-nonprod snapshot]
should we open this to the public now? http://secunia.com/advisories/14137/
Since draft is still not public I've opened a public bug #81024