Debian Bug report logs - #604707
postfix: permit_mynetworks doesn't override reject_unauth_pipelining

Reply or subscribe to this bug.

Display info messages

Message #5 received at [email protected] (full text, mbox, reply):

From: Shawn Heisey <[email protected]>

To: Debian Bug Tracking System <[email protected]>

Subject: postfix: permit_mynetworks doesn't override reject_unauth_pipelining

Date: Tue, 23 Nov 2010 10:03:56 -0700

Package: postfix
Version: 2.7.1-1~bpo50+1
Severity: normal


I have permit_mynetworks before reject_unauth_pipelining in my
main.cf file.  Despite this, postfix logs an entry about improper
pipelining when a mail client doesn't wait for a response before
sending the next command.

As soon as I upgraded postfix from 2.5.5 to 2.7.1, I started getting
the improper pipelining message in my logs every five minutes, which
resulted in noisy logcheck reports.  The problem client was xymon
monitoring smtp/smtps.

I discussed this on the xymon user list and managed to find a
workaround in the xymon configuration, but it should have been
resolved as soon as I added permit_mynetworks to the postix config.

I won't argue the merits of rejecting unauthorized pipelining, I
completely agree with the practice ... but I should have the option
of allowing it if I have a broken program that I have to use.

-- System Information:
Debian Release: 5.0.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-bpo.5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages postfix depends on:
ii  adduser           3.110                  add and remove users and groups
ii  debconf [debconf- 1.5.24                 Debian configuration management sy
ii  dpkg              1.14.29+b1             Debian package management system
ii  libc6             2.7-18lenny6           GNU C Library: Shared libraries
ii  libdb4.6          4.6.21-11              Berkeley v4.6 Database Libraries [
ii  libsasl2-2        2.1.22.dfsg1-23+lenny1 Cyrus SASL - authentication abstra
ii  libssl0.9.8       0.9.8g-15+lenny8       SSL shared libraries
ii  lsb-base          3.2-20                 Linux Standard Base 3.2 init scrip
ii  netbase           4.34                   Basic TCP/IP networking system
ii  ssl-cert          1.0.23                 simple debconf wrapper for OpenSSL

Versions of packages postfix recommends:
ii  python                        2.5.2-3    An interactive high-level object-o

Versions of packages postfix suggests:
ii  bsd-mailx [mail-r 8.1.2-0.20071201cvs-3  A simple mail user agent
ii  evolution [mail-r 2.22.3.1-1             groupware suite with mail client a
ii  libsasl2-modules  2.1.22.dfsg1-23+lenny1 Cyrus SASL - pluggable authenticat
ii  mutt [mail-reader 1.5.20-5~bpo50+1       text-based mailreader supporting M
pn  postfix-cdb       <none>                 (no description available)
pn  postfix-ldap      <none>                 (no description available)
ii  postfix-mysql     2.7.1-1~bpo50+1        MySQL map support for Postfix
ii  postfix-pcre      2.7.1-1~bpo50+1        PCRE map support for Postfix
pn  postfix-pgsql     <none>                 (no description available)
ii  procmail          3.22-16                Versatile e-mail processor
ii  resolvconf        1.42                   name server information handler
pn  sasl2-bin         <none>                 (no description available)
pn  ufw               <none>                 (no description available)

-- debconf-show failed

Message #10 received at [email protected] (full text, mbox, reply):

From: Michael Tokarev <[email protected]>

To: [email protected]

Subject: Re: Bug#604707: postfix: permit_mynetworks doesn't override reject_unauth_pipelining

Date: Sun, 1 Dec 2024 17:03:04 +0300

Control: tag -1 + moreinfo unreproducible

[Yes, it's been 14 years...]

On Tue, 23 Nov 2010 10:03:56 -0700 Shawn Heisey <[email protected]> wrote:
> Package: postfix
> Version: 2.7.1-1~bpo50+1
> Severity: normal
> 
> 
> I have permit_mynetworks before reject_unauth_pipelining in my
> main.cf file.  Despite this, postfix logs an entry about improper
> pipelining when a mail client doesn't wait for a response before
> sending the next command.
> 
> As soon as I upgraded postfix from 2.5.5 to 2.7.1, I started getting
> the improper pipelining message in my logs every five minutes, which
> resulted in noisy logcheck reports.  The problem client was xymon
> monitoring smtp/smtps.
> 
> I discussed this on the xymon user list and managed to find a
> workaround in the xymon configuration, but it should have been
> resolved as soon as I added permit_mynetworks to the postix config.
> 
> I won't argue the merits of rejecting unauthorized pipelining, I
> completely agree with the practice ... but I should have the option
> of allowing it if I have a broken program that I have to use.
Is it still a problem today with current postfix versions?

I did't try 2.7.1.  But with current 3.9 I can't reproduce this.
When I've permit_mynetworks before reject_unauth_pipelining, I
can dump whole client-side smtp conversation to smtp port at once.
But when I place reject_unauth_pipelining before permit_mynetworks,
postfix correctly detects and rejects the wrong pipelining.

Thanks,

/mjt

Send a report that this bug log contains spam.