[pfx] Re: Potential bug in milter interface, can't change first header field

2024-02-21 Thread Wietse Venema via Postfix-users
Taco de Wolff via Postfix-users:
> Thanks Wietse and Steffen, I forgot to mention that I'm using Postfix
> 3.5.8, but it appears the bug is thus still present in the latest version.
> Looking forward to the fix :-)

Another solution is to adopt Postfix 3.9 (the development release)
where this was fixed two months ago.

Wietse
___
Postfix-users mailing list -- postfix-users@postfix.org
To unsubscribe send an email to postfix-users-le...@postfix.org


[pfx] Re: Potential bug in milter interface, can't change first header field

2024-02-21 Thread Steffen Nurpmeso via Postfix-users
Taco de Wolff via Postfix-users wrote in
 :
 |Thanks Wietse and Steffen, I forgot to mention that I'm using Postfix
 |3.5.8, but it appears the bug is thus still present in the latest version.
 |Looking forward to the fix :-)
 |
 |@Steffen, that is genius and I hadn't thought of it. I can confirm that
 |issuing two modifications works as expected. The first prepends the header,
 |and now the chgheader works since it skips the first (recently prepended)
 |header field.
 |
 |insheader index=0 name="From" value="ot...@domain.com"
 |chgheader index=1 name="From" value=""

hm.  Great it works!

--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)


[pfx] Re: Potential bug in milter interface, can't change first header field

2024-02-21 Thread Taco de Wolff via Postfix-users
Thanks Wietse and Steffen, I forgot to mention that I'm using Postfix
3.5.8, but it appears the bug is thus still present in the latest version.
Looking forward to the fix :-)

@Steffen, that is genius and I hadn't thought of it. I can confirm that
issuing two modifications works as expected. The first prepends the header,
and now the chgheader works since it skips the first (recently prepended)
header field.

insheader index=0 name="From" value="ot...@domain.com"
chgheader index=1 name="From" value=""

Kind regards,
Taco de Wolff


On Wed, Feb 21, 2024 at 8:01 PM Steffen Nurpmeso via Postfix-users <
postfix-users@postfix.org> wrote:

> Taco de Wolff via Postfix-users wrote in
>  :
>  |While writing a milter for use with Postfix, I was unable to change the
>  |first header field and instead of changing it, Postfix appends it to the
>  |end of the header. Incidentally, as I believed this was a bug with the
>
> insheader with index 0 worked for me two weeks ago with 3.8.5.
> ('Suggesting insheader 0 plus further deletion should, then.
> 'Currently cannot test.)
> There was also a thread on problems with offset 0 a few weeks ago
> regarding such, resulting in a change, but i think this is not
> released yet.
>
> --steffen
> |
> |Der Kragenbaer,The moon bear,
> |der holt sich munter   he cheerfully and one by one
> |einen nach dem anderen runter  wa.ks himself off
> |(By Robert Gernhardt)


[pfx] Re: Potential bug in milter interface, can't change first header field

2024-02-21 Thread Steffen Nurpmeso via Postfix-users
Taco de Wolff via Postfix-users wrote in
 :
 |While writing a milter for use with Postfix, I was unable to change the
 |first header field and instead of changing it, Postfix appends it to the
 |end of the header. Incidentally, as I believed this was a bug with the

insheader with index 0 worked for me two weeks ago with 3.8.5.
('Suggesting insheader 0 plus further deletion should, then.
'Currently cannot test.)
There was also a thread on problems with offset 0 a few weeks ago
regarding such, resulting in a change, but i think this is not
released yet.

--steffen
|
|Der Kragenbaer,The moon bear,
|der holt sich munter   he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)


[pfx] Re: Potential bug in milter interface, can't change first header field

2024-02-21 Thread Wietse Venema via Postfix-users
The Postfix Milter implementation is sometimes inconsistent about
the "first" header so that it can sometimes not be updated. 

The fix below was in the queue for Postfix 3.5 - 3.8 a few days
before the SMTP smuggling shitshow happened. The last SMTP smuggling
patch was released on January 21. For the sake of everyone's sanity
I will not do more than one stable release per month.

I am currently working on a release for Postfix 3.5 - 3.8 that
addresses several old problems and some new ones.

Wietse

20231213

Bugfix (defect introduced: Postfix 2.3): after prepending
a message header with a Postfix access table PREPEND action,
a Milter request to delete or update an existing header
could have no effect, or it could target the wrong instance
of an existing header. Root cause: the fix dated 20141018
for the Postfix Milter client was incomplete. The client
did correctly hide the first, Postfix-generated, Received:
header when sending message header information to a Milter
with the smfi_header() application callback function, but
it was still hiding the first header (instead of the first
Received: header) when handling requests from a Milter to
delete or update an existing header. Problem report by
Carlos Velasco. This change was verified to have no effect
on requests from a Milter to add or insert a header. Files:
cleanup/cleanup_milter.c, cleanup/Makefile.in,
cleanup/test-queue-file18, cleanup/cleanup_milter.in18[a-d],
cleanup/cleanup_milter.ref18
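The defect described in the 20231213 changelog entry above, as an added example that is not part of the original message and is not Postfix source code. It is a simplified model that assumes headers are (name, value) pairs and that a change request for a missing instance with a non-empty value appends a new header; the function names and the example.com addresses are constructed for illustration.

```python
# Simplified model of Milter header-change resolution; not Postfix source code.
# Headers are (name, value) pairs in queue-file order.

def hidden_position(headers, fixed):
    """Position of the one header that is hidden from Milter change requests."""
    if not fixed:
        # Defect per the changelog entry: the first header is hidden,
        # whatever it is.
        return 0 if headers else None
    # Fixed: only the first Received: header is hidden.
    for pos, (name, _) in enumerate(headers):
        if name.lower() == "received":
            return pos
    return None

def chgheader(headers, name, index, value, fixed):
    """Change (or, with value "", delete) the index-th visible `name` header."""
    out = list(headers)
    skip = hidden_position(out, fixed)
    seen = 0
    for pos, (hname, _) in enumerate(out):
        if pos == skip or hname.lower() != name.lower():
            continue
        seen += 1
        if seen == index:
            if value:
                out[pos] = (hname, value)
            else:
                del out[pos]
            return out
    # No such visible instance: a non-empty value is appended as a new header.
    if value:
        out.append((name, value))
    return out

def insheader(headers, index, name, value):
    """Insert at a list position; the model only needs index=0 (prepend)."""
    return headers[:index] + [(name, value)] + headers[index:]

# Constructed sample standing in for the redacted addresses in the report.
MAIL = [("From", "from@example.com"), ("To", "to@example.com"),
        ("Subject", "Test mail")]

def workaround(headers, fixed):
    """The two-step sequence from the thread: prepend, then delete From #1."""
    step1 = insheader(headers, 0, "From", "other@example.com")
    return chgheader(step1, "From", 1, "", fixed)
```

In this model the two-step sequence yields the intended header only while the defect is present, so a milter that relies on it should be re-tested after upgrading.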


[pfx] Potential bug in milter interface, can't change first header field

2024-02-21 Thread Taco de Wolff via Postfix-users
Hi,

While writing a milter for use with Postfix, I was unable to change the
first header field and instead of changing it, Postfix appends it to the
end of the header. Incidentally, as I believed this was a bug with the
milter library, I rewrote the milter server implementation from scratch and
came to the same conclusion.

Steps to reproduce:

1. Create a file mail.txt with contents:
From: f...@domain.com
To: t...@domain.com
Subject: Test mail

Content.


2. Execute: cat mail.txt | sendmail -t -f f...@domain.com

3. Return modification response in the EOB request as a "chgheader" with
index=1, name="From", value="ot...@domain.com"

4. Verify in /var/spool/mail/[user] that it appends the header field:
>From f...@domain.com Wed Feb 21 21:54:27 2024
Return-Path: 
X-Original-To: r...@domain.com
Delivered-To: r...@domain.com
From: f...@domain.com
To: t...@domain.com
Subject: Test mail
Message-Id: <20240221205427.dfe8187...@domain.com>
Date: Wed, 21 Feb 2024 21:54:27 +0100 (CET)
From: ot...@domain.com

Content.


This will append a header field "From: ot...@domain.com" to the end of the
header fields, instead of replacing the first header field. When you
reverse the order of From and To (i.e. To comes first, and From second) and
you return the same modification response from the milter, it works as
expected; it does not append a new header, but replaces now the second
header field (or equally, the first From header field).

Is this because Postfix expects the first header field to be a "Received"
header field it prepends itself? According to the source code this field
cannot be changed and is skipped when issuing chgheader from a filter (
https://github.com/vdukhovni/postfix/blob/master/postfix/src/cleanup/cleanup_milter.c#L798).
Reading the "/var/spool/mail/root" file I do not see a Received header
prepended for these mails (it does for other mails...!).

Kind regards,
Taco de Wolff


[pfx] Re: Postconf.5 smtp_tls_loglevel 2

2024-02-21 Thread Wietse Venema via Postfix-users
Viktor Dukhovni via Postfix-users:
> On Wed, Feb 21, 2024 at 08:32:49AM +, Rune Philosof via Postfix-users 
> wrote:
> > It seems a bit unclearly phrased
> > > 2 Also log levels during TLS negotiation.
> 
> Indeed this is not very helpful.  See the description of the "-L" option
> in .
> 
> > Should it be
> > > 2 Also log certificate trust\-chain verification errors even if server 
> > > certificate verification is not required
> 
> No, this is basically everything but the raw packet dumps.  So handshake
> states, session cache operations, certificate matching, and more...

Updated smtp{,d}_tls_loglevel descriptions:

  2 Also enable verbose logging in the Postfix TLS library, log
session cache operations, and enable OpenSSL logging of the
progress of the SSL handshake.

Waiting for an hourly cronjob to update www.postfix.org.

Wietse


[pfx] Re: Postconf.5 smtp_tls_loglevel 2

2024-02-21 Thread Viktor Dukhovni via Postfix-users
On Wed, Feb 21, 2024 at 08:32:49AM +, Rune Philosof via Postfix-users wrote:
> It seems a bit unclearly phrased
> > 2 Also log levels during TLS negotiation.

Indeed this is not very helpful.  See the description of the "-L" option
in .

> Should it be
> > 2 Also log certificate trust\-chain verification errors even if server 
> > certificate verification is not required

No, this is basically everything but the raw packet dumps.  So handshake
states, session cache operations, certificate matching, and more...

-- 
Viktor.


[pfx] Postconf.5 smtp_tls_loglevel 2

2024-02-21 Thread Rune Philosof via Postfix-users
It seems a bit unclearly phrased
> 2 Also log levels during TLS negotiation.

Should it be
> 2 Also log certificate trust\-chain verification errors even if server 
> certificate verification is not required