Your message dated Mon, 30 Aug 2010 16:17:17 +0000
with message-id <e1oq72r-0001qc...@franck.debian.org>
and subject line Bug#591678: fixed in greylistd 0.8.7+nmu2
has caused the Debian Bug report #591678,
regarding greylistd-setup-exim4 causes excessive callouts and causes the server
to be blacklisted
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
591678: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=591678
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: greylistd
Version: 0.8.7+nmu1
Severity: grave
Tags: security patch
Justification: renders package unusable
The 'greylistd-setup-exim4' script added a 'deny' section to
/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt:
# Deny if blacklisted by greylist
deny
  message = $sender_host_address is blacklisted from delivering \\
            mail from <$sender_address> to <$local_p...@$domain>.
  log_message = blacklisted.
  !senders = :
  !authenticated = *
  verify = recipient/callout=20s,use_sender,defer_ok
  condition = ${readsocket{/var/run/greylistd/socket}\\
              {--black \\
               $sender_host_address \\
               $sender_address \\
               $local_p...@$domain}\\
              {5s}{}{false}}
In this added section, recipient/callouts are performed without verifying the
recipient's hostname. Thus, when spammers send the hosting server emails whose
recipients refer to other domains that are not relayed, excessive and wrong
recipient callouts will be performed. The final results then include:
1. high server load due to excessive callouts
2. a potential DDoS attack on other domains
3. the hosting server being blocked because of sending callouts to spam-trap
   addresses
4. complaints from the ISP and termination of service
A simple fix should be removing the recipient/callout verification in this
'deny' section, since there is NO POINT TO NOT DENY if the
recipient/callout would fail.
The patch is then as follows:
*** greylistd-0.8.7+nmu1/program/greylistd-setup-exim4 2007-12-02
10:51:35.000000000 -0500
--- greylistd-0.8.7+nmu1.my/program/greylistd-setup-exim4 2010-08-04
12:54:31.802439372 -0400
*************** exim4conf_texts = {
*** 85,91 ****
log_message = blacklisted.
!senders = :
!authenticated = *
- verify = recipient/callout=20s,use_sender,defer_ok
condition = ${readsocket{/var/run/greylistd/socket}\\
{--black \\
$sender_host_address \\
--- 85,90 ----
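Review bot: removing `verify = recipient/callout=20s,use_sender,defer_ok` stops the outbound probes, but this `deny` still has no recipient-domain condition, so the `${readsocket{/var/run/greylistd/socket}...}` query (and the deny it gates) keeps running for every RCPT, including recipients in domains this host neither hosts nor relays for, which is the same class of unnecessary work the report complains about. A domains condition placed ahead of the readsocket condition, e.g. `domains = +local_domains : +relay_to_domains` with the Debian exim4 list names, would scope the blacklist check to deliverable recipients; that is the "missing recipient domains check" the nmu2 changelog later adds. The empty `--- 85,90 ----` side is fine for a deletion-only context diff, but note the hunk touches only the deny stanza, while the changelog says the defer ACL carries the same callout and needs the same treatment.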
-- System Information:
Debian Release: 5.0.5
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages greylistd depends on:
ii adduser 3.110 add and remove users and groups
ii debconf [debconf-2.0] 1.5.24 Debian configuration management sy
ii python 2.5.2-3 An interactive high-level object-o
Versions of packages greylistd recommends:
ii exim4 4.69-9 metapackage to ease Exim MTA (v4)
greylistd suggests no packages.
-- debconf information:
greylistd/autoconfig_notdone:
greylistd/restartexim: true
* greylistd/autoconfig_notdone_exim4:
--- End Message ---
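For reference, here is what the 'deny' section looks like once both fixes named in the nmu2 changelog are applied (no recipient callout, plus a recipient domains check). This is an added example, not the greylistd project's own code and not the reporter's patch. It assumes the Debian exim4 domain lists `+local_domains` and `+relay_to_domains`, and it is written as it would appear in the generated Exim configuration, with single backslashes for line continuation (the doubled `\\` in the quoted text is the form inside the Python string in greylistd-setup-exim4, as the `exim4conf_texts = {` hunk header indicates).

```exim
# Deny if blacklisted by greylistd.
# Order matters: the cheap local conditions come first, so the socket
# lookup only runs for recipients this host actually accepts mail for.
deny
  message        = $sender_host_address is blacklisted from delivering \
                   mail from <$sender_address> to <$local_part@$domain>.
  log_message    = blacklisted.
  !senders       = :
  !authenticated = *
  # Assumed Debian exim4 list names: skip recipients we would never deliver.
  domains        = +local_domains : +relay_to_domains
  # No "verify = recipient/callout" here: a callout cannot change the
  # outcome of a deny, it only generates probes toward other MTAs.
  condition      = ${readsocket{/var/run/greylistd/socket}\
                     {--black \
                      $sender_host_address \
                      $sender_address \
                      $local_part@$domain}\
                     {5s}{}{false}}
```

After regenerating the configuration with update-exim4.conf, `exim4 -bh <ip>` lets you walk a simulated SMTP session from a given host through this ACL and confirm that a RCPT for a domain outside those lists is never passed to the greylistd socket.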
--- Begin Message ---
Source: greylistd
Source-Version: 0.8.7+nmu2
We believe that the bug you reported is fixed in the latest version of
greylistd, which is due to be installed in the Debian FTP archive:
greylistd_0.8.7+nmu2.dsc
to main/g/greylistd/greylistd_0.8.7+nmu2.dsc
greylistd_0.8.7+nmu2.tar.gz
to main/g/greylistd/greylistd_0.8.7+nmu2.tar.gz
greylistd_0.8.7+nmu2_all.deb
to main/g/greylistd/greylistd_0.8.7+nmu2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 591...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dominic Hargreaves <d...@earth.li> (supplier of updated greylistd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Mon, 30 Aug 2010 16:59:54 +0100
Source: greylistd
Binary: greylistd
Architecture: source all
Version: 0.8.7+nmu2
Distribution: unstable
Urgency: low
Maintainer: Matthew Wakeling <matt...@wakeling.homeip.net>
Changed-By: Dominic Hargreaves <d...@earth.li>
Description:
greylistd - Greylisting daemon for use with Exim 4
Closes: 464084 591678
Changes:
greylistd (0.8.7+nmu2) unstable; urgency=low
.
* Non-maintainer upload.
* Add missing recipient domains check in deny portion of Exim ACL,
and stop doing recipient callouts in defer and deny ACLs
(Closes: #591678, #464084)
* Fix lintian error: don't include /var/run/greylistd in package
(init script already creates it dynamically)
Checksums-Sha1:
2c5f2b2c4b8993b327c39c466e92bafeadde9e37 788 greylistd_0.8.7+nmu2.dsc
f8a6a875acc210757b511bcb28dff81d7d367630 57152 greylistd_0.8.7+nmu2.tar.gz
47827cfc6ed2ab162ad835f510e15364783f697b 54936 greylistd_0.8.7+nmu2_all.deb
Checksums-Sha256:
40c52837d3308843902b0eaacb3894f27495b111283784d0f1d64cb5ed125cf4 788 greylistd_0.8.7+nmu2.dsc
1a5ad91f94993c55d0e8bf8dbe76bfc5b33eeb40ab7a03a49cda07f795352f0b 57152 greylistd_0.8.7+nmu2.tar.gz
cb8ea756d8205e18edc1d9ed4666a0841ffbacbbb355745bf6335309f88578d5 54936 greylistd_0.8.7+nmu2_all.deb
Files:
73b7c4bc414a5beabcbf6c9f85a5d5cb 788 mail optional greylistd_0.8.7+nmu2.dsc
8801255264729a20afcebcfbaf28d3f8 57152 mail optional greylistd_0.8.7+nmu2.tar.gz
d081a1d5e4675eb65dd355ca26a510c4 54936 mail optional greylistd_0.8.7+nmu2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iD8DBQFMe9XnYzuFKFF44qURAjayAKDDcZ03V1XuLIvoxdTxyPUfjCVC3QCgn9kH
dxNKlo/qMftcqOSTrjJRKbo=
=ZrVP
-----END PGP SIGNATURE-----
--- End Message ---