2 bugs and an annoyance


2 bugs and an annoyance

by Pascal-41 :: Rate this Message:


1.  On a server with IP address 10.1.1.1 and anubisrc containing:

bind 10.1.1.1:25
remote-mta 127.0.0.1

Anubis gives the error "Loop not allowed. Connection rejected."  It
appears Anubis includes code to avoid loops, but this code has a bug
wherein if both bind and remote IPs are on the same box and the port
numbers match, it incorrectly believes that it would be talking to itself.

CLIENT <<< 235 Authentication successful.(32)
 > [6752] UID:99 (nobody), GID:99, EUID:99, EGID:99
[6752] Loop not allowed. Connection rejected.
 > [6745] Child [6752] finished. Failed with status 1. 0 clients left.


2.  I have been using Anubis v4.0 compiled with OpenSSL instead of
GnuTLS.  Anubis v4.1 only supports GnuTLS.  After upgrading, when
Thunderbird connects to Anubis I am now prompted for a certificate.
Same thing after I downgraded to Anubis v4.0 with GnuTLS.  It appears
GnuTLS asks for a client cert while OpenSSL does not.

GnuTLS:
CLIENT >>> STARTTLS(10)
CLIENT <<< 220 Ready to start TLS(24)
 > [6353] Initializing the TLS/SSL connection with MUA...
<Thunderbird prompts for client cert here>
- Key Exchange: DHE RSA
- Ephemeral DH using prime of 776 bits.
- Protocol: TLS 1.0
- Certificate Type: X.509
- Compression: NULL
- Cipher: AES 128 CBC
- MAC: SHA
CLIENT >>> EHLO [192.168.1.5](20)

OpenSSL:
CLIENT >>> STARTTLS(10)
CLIENT <<< 220 Ready to start TLS(24)
 > [6627] Initializing the TLS/SSL connection with MUA...
 > [6627] TLSv1/SSLv3 connection using AES256-SHA (256 bits)
CLIENT >>> EHLO [192.168.1.5](20)


3.  I have tested using Anubis v4.1 and v4.0, with both OpenSSL and
GnuTLS using Thunderbird as the MUA.  In all cases I am unable to send
emails with a 150k file attachment if TLS is enabled.  As soon as I
disable TLS between Thunderbird and Anubis, the email goes through fine.
10k file attachments work fine.  Not sure of the exact size required to
break it.  Not sure if this bug is in Anubis or Thunderbird.

-Pascal


_______________________________________________
Bug-anubis mailing list
Bug-anubis@...
http://lists.gnu.org/mailman/listinfo/bug-anubis

Re: 2 bugs and an annoyance

by Sergey Poznyakoff-2 :: Rate this Message:


Hi Pascal,

Thanks for your report.

> 1.  On a server with IP address 10.1.1.1 and anubisrc containing:
>
> bind 10.1.1.1:25
> remote-mta 127.0.0.1
>
> Anubis gives the error "Loop not allowed. Connection rejected."  It
> appears Anubis includes code to avoid loops, but this code has a bug
> wherein if both bind and remote IPs are on the same box and the port
> numbers match, it incorrectly believes that it would be talking to
> itself.
Indeed, this code seems a leftover from early versions.  Moreover, I see
no reason why this check needs to be repeated on every connection.
Please try the attached patch.

I will return to points 2 and 3 later.

Regards,
Sergey


Index: src/authmode.c
===================================================================
RCS file: /cvsroot/anubis/anubis/src/authmode.c,v
retrieving revision 1.45
diff -p -u -r1.45 authmode.c
--- src/authmode.c 3 Nov 2007 17:04:40 -0000 1.45
+++ src/authmode.c 2 Jul 2008 13:08:45 -0000
@@ -596,51 +596,6 @@ anubis_authenticate_mode (struct sockadd
     "Set either REMOTE-MTA or LOCAL-MTA."));
  }
 
-      /*
- Protection against a loop connection.
-      */
-      
-      if (!(topt & T_LOCAL_MTA))
- {
-  unsigned long inaddr;
-  struct sockaddr_in ad;
-  
-  memset (&ad, 0, sizeof (ad));
-  inaddr = inet_addr (session.mta);
-  if (inaddr != INADDR_NONE)
-    memcpy (&ad.sin_addr, &inaddr, sizeof (inaddr));
-  else
-    {
-      struct hostent *hp = 0;
-      hp = gethostbyname (session.mta);
-      if (hp == 0)
- {
-  hostname_error (session.mta);
-  return EXIT_FAILURE;
- }
-      else
- {
-  if (hp->h_length != 4 && hp->h_length != 8)
-    {
-      anubis_error (EXIT_FAILURE, 0,
- _("Illegal address length received for host %s"),
-    session.mta);
-    }
-  else
-    {
-      memcpy ((char *) &ad.sin_addr.s_addr,
-      hp->h_addr, hp->h_length);
-    }
- }
-    }
-  if (ntohl (ad.sin_addr.s_addr) == INADDR_LOOPBACK
-      && session.anubis_port == session.mta_port)
-    {
-      anubis_error (EXIT_FAILURE, 0,
-                             _("Loop not allowed. Connection rejected."));
-    }
- }
-      
       alarm (300);
       if (topt & T_LOCAL_MTA)
  {
Index: src/env.opt
===================================================================
RCS file: /cvsroot/anubis/anubis/src/env.opt,v
retrieving revision 1.3
diff -p -u -r1.3 env.opt
--- src/env.opt 6 Aug 2007 15:29:22 -0000 1.3
+++ src/env.opt 2 Jul 2008 13:08:46 -0000
@@ -1,4 +1,4 @@
-/* -* c -*-
+/* -*- c -*-
    env.c
 
    This file is part of GNU Anubis.
@@ -155,6 +155,38 @@ OPTIONS_END
 int x_argc;
 char **x_argv;
 
+static unsigned long
+string_to_ipaddr (const char *str)
+{
+  unsigned long inaddr;
+  struct sockaddr_in ad;
+
+  memset (&ad, 0, sizeof (ad));
+  inaddr = inet_addr (str);
+  if (inaddr != INADDR_NONE)
+    memcpy (&ad.sin_addr, &inaddr, sizeof (inaddr));
+  else
+    {
+      struct hostent *hp = 0;
+      hp = gethostbyname (str);
+      if (hp == 0)
+ hostname_error (str);
+      else
+ {
+  if (hp->h_length != 4 && hp->h_length != 8)
+    {
+      anubis_error (EXIT_FAILURE, 0,
+    _("Illegal address length received for host %s"),
+    str);
+    }
+  else
+    memcpy ((char *) &ad.sin_addr.s_addr, hp->h_addr, hp->h_length);
+ }
+    }
+
+  return inaddr;
+}
+
 void
 get_options (int argc, char *argv[])
 {
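Review bot: string_to_ipaddr returns `inaddr`, which is only set on the inet_addr path; when `str` is a hostname the resolved address is copied into `ad.sin_addr` but the function still returns INADDR_NONE, so a hostname that really resolves to the bind address is never detected and, in the get_options hunk below, any two hostnames compare equal. Returning what was actually built, `return ad.sin_addr.s_addr;`, fixes both paths and stops `ad` being a dead local; to keep a failed lookup distinguishable from 0.0.0.0, the `hp == 0` branch should also `return INADDR_NONE;` after hostname_error, which from the removed authmode code (it was followed by `return EXIT_FAILURE`) apparently does not exit by itself. The `h_length != 8` acceptance carried over from the removed code copies 8 bytes into the 4-byte `s_addr` and spills into `sin_zero`; since only a 4-byte address can be returned here, `if (hp->h_length != sizeof ad.sin_addr)` is the tighter check. A short header comment stating that the function yields the IPv4 address in network byte order, or INADDR_NONE when the string cannot be resolved, would make the contract clear to callers.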
@@ -172,6 +204,11 @@ get_options (int argc, char *argv[])
       if (x_argc == 0)
  anubis_error (EX_USAGE, 0, _("Missing recipient addresses"));
     }
+  if (!(topt & T_LOCAL_MTA)
+      && string_to_ipaddr (session.mta) == string_to_ipaddr (session.anubis)
+      && session.anubis_port == session.mta_port)
+    anubis_error (EXIT_FAILURE, 0,
+                  _("remote-mta loops back to Anubis"));
 }
 
 /*********************
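Review bot: The new check compares the two results for equality without excluding the failure value, so when both `session.mta` and `session.anubis` fail to resolve (and with the function as written, whenever both are hostnames) string_to_ipaddr returns INADDR_NONE for each and the process exits with "remote-mta loops back to Anubis" instead of a hostname error. Binding the first result and testing it first avoids that: `unsigned long mta = string_to_ipaddr (session.mta);` followed by `if (!(topt & T_LOCAL_MTA) && mta != INADDR_NONE && mta == string_to_ipaddr (session.anubis) && session.anubis_port == session.mta_port)`. The removed authmode/transmode code only ran after the "Set either REMOTE-MTA or LOCAL-MTA" check had established that session.mta was set, whereas nothing visible in this hunk guarantees session.mta or session.anubis is non-NULL before it reaches inet_addr, so if the rc file is read after get_options this check belongs wherever the settings are finalized. The old code flagged remote-mta on INADDR_LOOPBACK regardless of the bind address, while the new equality test seems to miss a loop when Anubis binds to 0.0.0.0 and remote-mta is 127.0.0.1 on the same port. get_options starts outside the hunk.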
Index: src/transmode.c
===================================================================
RCS file: /cvsroot/anubis/anubis/src/transmode.c,v
retrieving revision 1.17
diff -p -u -r1.17 transmode.c
--- src/transmode.c 6 Aug 2007 15:29:24 -0000 1.17
+++ src/transmode.c 2 Jul 2008 13:08:46 -0000
@@ -62,50 +62,6 @@ anubis_transparent_mode (struct sockaddr
                "Set the REMOTE-MTA or LOCAL-MTA."));
     }
 
-  /*
-     Protection against a loop connection.
-   */
-
-  if (!(topt & T_LOCAL_MTA))
-    {
-      unsigned long inaddr;
-      struct sockaddr_in ad;
-
-      memset (&ad, 0, sizeof (ad));
-      inaddr = inet_addr (session.mta);
-      if (inaddr != INADDR_NONE)
- memcpy (&ad.sin_addr, &inaddr, sizeof (inaddr));
-      else
- {
-  struct hostent *hp = 0;
-  hp = gethostbyname (session.mta);
-  if (hp == 0)
-    {
-      hostname_error (session.mta);
-    }
-  else
-    {
-      if (hp->h_length != 4 && hp->h_length != 8)
- {
-  anubis_error (EXIT_FAILURE, 0,
- _("Illegal address length received for host %s"),
- session.mta);
- }
-      else
- {
-  memcpy ((char *) &ad.sin_addr.s_addr,
-  hp->h_addr, hp->h_length);
- }
-    }
- }
-      if (ntohl (ad.sin_addr.s_addr) == INADDR_LOOPBACK
-  && session.anubis_port == session.mta_port)
- {
-  anubis_error (EXIT_FAILURE, 0,
-                        _("Loop not allowed. Connection rejected."));
- }
-    }
-
   alarm (300);
   if (topt & T_LOCAL_MTA)
     {

_______________________________________________
Bug-anubis mailing list
Bug-anubis@...
http://lists.gnu.org/mailman/listinfo/bug-anubis