From: Lionel B. <lio...@bo...> - 2004-11-08 23:57:30
1.2.0 is out on sourceforge.

[SEC BUGFIX] I did some cleanups before coding new things and had a look at each SQL statement and found some places where SQLgrey trusted Postfix input too much. I don't know if there really was an exploit possible (you must trick Postfix into accepting an invalid "MAIL FROM:" or "RCPT TO:" before SQLgrey gets the bogus values itself). Anyway, if Postfix didn't check for something like this:
"MAIL FROM: <cr...@io...>; INSERT INTO domain_awl ....; DELETE FROM connect; ..."
now SQLgrey does (even if Postfix is actually checking now, we don't want to rely on the current behaviour).

[RELIABILITY BUGFIX] There was a small bug where most of the time SQLgrey didn't reconnect to the DB when the connection was lost (it waited until the DB cleanups were triggered). Symptom: SQLgrey reverts to always accept (as it prefers to let mails in if it can't greylist, dumping errors on each mail to syslog) until a DB cleanup comes (once every 24 hours in 1.1.3).

[NUMBERING] I switched to a new numbering scheme:
- odd subversions are stable releases: 1.2.0.
- even subversions are devel releases: pending 1.3.0.

Best regards,
Lionel.
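The fix described above is the classic move from pasting an envelope address into SQL text to validating it and binding it as a parameter. The following is an added illustration, not SQLgrey's code (SQLgrey is written in Perl; Python's sqlite3 is used here only so the example runs offline). The table names connect and domain_awl come from the announcement; the schema, the sender values, the address regex and the function names are constructed for the example.

```python
import re
import sqlite3

# Constructed payload modelled on the one quoted in the announcement: a "sender"
# that closes the string literal and smuggles extra statements into the query.
BOGUS_SENDER = ("cracker@example.invalid', '2004-11-08'); "
                "INSERT INTO domain_awl VALUES ('evil.example'); "
                "DELETE FROM connect; --")

# Hypothetical strict shape for an envelope address (not SQLgrey's own rule):
# one local part, one '@', one domain, conservative character set,
# so whitespace, quotes and ';' can never reach the database layer.
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}$")


def is_valid_address(addr: str) -> bool:
    return bool(ADDRESS_RE.fullmatch(addr))


def fresh_db() -> sqlite3.Connection:
    """Constructed in-memory schema mimicking two tables named in the post."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE connect (sender TEXT, first_seen TEXT);
        CREATE TABLE domain_awl (domain TEXT);
        INSERT INTO connect VALUES ('alice@example.org', '2004-11-08');
        INSERT INTO connect VALUES ('bob@example.net', '2004-11-08');
    """)
    return db


def table_counts(db: sqlite3.Connection) -> tuple[int, int]:
    """(rows in connect, rows in domain_awl)"""
    c = db.execute("SELECT COUNT(*) FROM connect").fetchone()[0]
    a = db.execute("SELECT COUNT(*) FROM domain_awl").fetchone()[0]
    return c, a


def record_connect_unsafe(db: sqlite3.Connection, sender: str) -> None:
    """The pattern being fixed: the value from Postfix becomes part of the SQL text.
    executescript() stands in for a driver or server that runs several
    statements per call, which is what makes the ';' in the payload effective."""
    db.executescript(f"INSERT INTO connect VALUES ('{sender}', '2004-11-08');")


def record_connect_bound(db: sqlite3.Connection, sender: str) -> str:
    """Parameter binding alone: the driver treats the value as data, so the
    whole bogus string is stored literally and no extra statement runs.
    Returns the stored value to show it round-trips unchanged."""
    db.execute("INSERT INTO connect VALUES (?, ?)", (sender, "2004-11-08"))
    return db.execute("SELECT sender FROM connect WHERE sender = ?", (sender,)).fetchone()[0]


def record_connect_safe(db: sqlite3.Connection, sender: str) -> bool:
    """Hardened version: reject malformed input first (defence in depth, and it
    keeps junk out of the greylist tables), then bind the value."""
    if not is_valid_address(sender):
        return False
    db.execute("INSERT INTO connect VALUES (?, ?)", (sender, "2004-11-08"))
    return True


def demo_unsafe() -> tuple[int, int]:
    db = fresh_db()
    record_connect_unsafe(db, BOGUS_SENDER)
    return table_counts(db)  # connect emptied, domain_awl gained a row


def demo_bound() -> tuple[str, tuple[int, int]]:
    db = fresh_db()
    stored = record_connect_bound(db, BOGUS_SENDER)
    return stored, table_counts(db)  # literal stored, other tables untouched


def demo_safe(sender: str) -> tuple[bool, tuple[int, int]]:
    db = fresh_db()
    accepted = record_connect_safe(db, sender)
    return accepted, table_counts(db)


if __name__ == "__main__":
    print("unsafe:", demo_unsafe())
    print("bound :", demo_bound())
    print("safe  :", demo_safe(BOGUS_SENDER), demo_safe("carol@example.com"))
```

Binding alone already defeats the quoted payload; the validation step is what lets a policy daemon refuse the request outright instead of quietly storing garbage it received from an upstream component it should not fully trust.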