Wouldn't this be avoided by simply using opendkim for DKIM signing instead of 
relying on amavis for that? Or are there other use scenarios for the 
originating flag where this would come into play?



-----Original Message-----
From: amavis-users 
[mailto:amavis-users-bounces+dino.edwards=mydirectmail....@amavis.org] On 
Behalf Of Giovanni
Sent: Monday, February 12, 2018 4:43 AM
To: amavis-users@amavis.org
Subject: Re: originating flag not working - critical bug - RelayedOpenRelay / 
DKIM signing not working

Karol Augustin <ka...@augustin.pl> wrote:
> Hi,
> 
> I am explicitly copying the original authors of threads I am referring to 
> in this email, as I don't know if they are still monitoring the list 
> for a solution to the problem.
> I would like to thank Giovanni for supplying the patch, which has now 
> spread across the internet.
> 
> There is evidence of a critical bug in quite a few threads on this 
> list that manifests itself in various ways. Some users have problems 
> with DKIM signatures of outgoing mail, others with mail marked as 
> RelayedOpenRelay in the logs.
> 
> The issue is caused by Amavis not honoring the originating flag, which 
> causes all sender addresses to be treated as "foreign", which 
> obviously has a huge potential of breaking mail flow, especially in 
> environments where there are multiple e-mail paths and policy banks 
> configured.
> 
> 
> I hit the same problem when I upgraded to 2.11.0 a few days ago and 
> asked a similar question in a reply to an existing thread.
> https://lists.amavis.org/pipermail/amavis-users/2018-February/005284.html
> 
> The same issue was described earlier in the following thread:
> https://lists.amavis.org/pipermail/amavis-users/2017-November/005116.html
> 
> Original mention of this problem was made by Giovanni, who kindly 
> provided a one line fix to the problem:
> https://lists.amavis.org/pipermail/amavis-users/2016-July/004428.html
> 
For the record, the patch I submitted 2 years ago fixes the bug with postfix; 
there are some corner cases (spotted by an Opensmtpd instance, maybe by some 
other mta as well) that need an additional one line fix.
Full patch follows.
 Giovanni

--- amavisd.orig        Tue Apr 26 21:24:33 2016
+++ amavisd     Fri Aug  5 12:32:39 2016
@@ -22806,6 +22806,7 @@ sub process_smtp_request($$$$) {
         }
         # load policy banks from the 'client_ipaddr_policy' lookup
         Amavis::load_policy_bank($_,$msginfo) for @bank_names_cl;
+        $msginfo->originating(c('originating'));
 
         $msginfo->client_addr($cl_ip);      # ADDR
         $msginfo->client_port($cl_port);    # PORT
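
Review bot: the added `$msginfo->originating(c('originating'));` after the `@bank_names_cl` loop in process_smtp_request has no comment saying why the flag has to be copied into `$msginfo` again once the client policy banks are loaded. Without one, a later cleanup could easily drop it as redundant. A short comment stating that the per-message value is re-read from the now-active policy bank would help. The identical statement appears in the second hunk too, so a small shared helper called after each `load_policy_bank` loop would keep the two sites from drifting apart.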
@@ -34338,6 +34330,7 @@ sub collect_some_dkim_info($) {
     $sig_ind++;
   }
   Amavis::load_policy_bank($_,$msginfo) for @bank_names;
+  $msginfo->originating(c('originating'));
   $msginfo->dkim_signatures_valid(\@signatures_valid)  if @signatures_valid;  
# if (ll(5) && $sig_ind > 0) {
 #   # show which header fields are covered by which signature
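
Review bot: the header `@@ -34338,6 +34330,7 @@` does not line up with the first hunk. After one added line at 22806 the new-file start would be expected at 34339, not 34330, so either other changes sit between the two hunks and are not shown, or the two files being compared differ in more than these two lines. It would be worth regenerating the diff against a pristine copy of the release being patched and stating that version. In the same hunk, the context line `# if (ll(5) && $sig_ind > 0) {` has lost its leading space and follows a line ending in trailing blanks, which looks like mail-client wrapping. The patch should be sent as an attachment so it applies cleanly. The new `$msginfo->originating(c('originating'));` in collect_some_dkim_info also needs a comment explaining that it refreshes the flag after the banks in `@bank_names` are loaded.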
