1.2.0 is out on sourceforge.
[SEC BUGFIX]
I did some cleanups before coding new things and had a look at each SQL
statement, and found some places where SQLgrey trusted Postfix input too
much.
I don't know if there really was an exploit possible (you must trick
Postfix into accepting an invalid "MAIL FROM:" or "RCPT TO:" before SQLgrey
gets the bogus values itself).
Anyway, if Postfix didn't check for something like this:
"MAIL FROM: <cr...@io...>; INSERT INTO domain_awl ....; DELETE
FROM connect; ..."
now SQLgrey does (even if Postfix is actually checking now, we don't
want to rely on the current behaviour).
[RELIABILITY BUGFIX]
There was a small bug where most of the time SQLgrey didn't reconnect to
the DB when the connection was lost (it waited until the DB cleanups were
triggered). Symptom: SQLgrey reverts to always accepting (as it prefers to
let mail in if it can't greylist, dumping errors on each mail to syslog)
until a DB cleanup comes (once every 24 hours in 1.1.3).
[NUMBERING]
I switched to a new numbering scheme:
- odd subversions are stable releases : 1.2.0.
- even subversions are devel releases : pending 1.3.0.
Best regards,
Lionel.
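The [SEC BUGFIX] paragraph above describes the classic shape of SQL injection through a mail address: a sender value that Postfix hands over unchecked is concatenated into a statement, and the ";" terminates it so that a second statement (the "DELETE FROM connect") runs. The following is an added example and is not SQLgrey's own code (SQLgrey is Perl over DBI; this stand-in is Python over an in-memory SQLite database). The table names connect and domain_awl are the ones named in the announcement; their columns, the sample rows, the payload string, and the address allow-list regexes are assumptions made for the demo. It shows the interpolated query losing the whole connect table, the same lookup with bound parameters treating the payload as inert data, and an optional strict address check layered on top.

```python
import re
import sqlite3

# Constructed, hypothetical schema: the table names domain_awl and connect
# come from the announcement, the columns are assumptions made for this demo.
SCHEMA = """
CREATE TABLE connect    (sender_name TEXT, sender_domain TEXT, src TEXT, first_seen TEXT);
CREATE TABLE domain_awl (sender_domain TEXT, src TEXT, first_seen TEXT);
"""
SAMPLE_ROWS = [  # constructed sample data
    ("alice", "example.org", "192.0.2.10",   "2004-01-01"),
    ("bob",   "example.net", "198.51.100.7", "2004-01-02"),
]

# Constructed MAIL FROM value in the spirit of the one quoted in the announcement.
# The trailing "SELECT '" closes the quote the vulnerable template leaves open,
# so the injected text forms three complete, syntactically valid statements.
PAYLOAD = "cracker@example.invalid'; DELETE FROM connect; SELECT '"

# Deliberately narrow allow-lists (an assumption for this demo, not a full
# RFC 5321 grammar): a policy daemon should refuse odd input, not guess.
LOCAL_RE = re.compile(r"^[A-Za-z0-9._%+=-]{1,64}$")
DOMAIN_RE = re.compile(r"^[A-Za-z0-9.-]{1,255}$")


def fresh_db():
    """New in-memory database seeded with the sample connect rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO connect VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    db.commit()
    return db


def count_connect(db):
    return db.execute("SELECT COUNT(*) FROM connect").fetchone()[0]


def naive_split(sender):
    """Splits at the first '@' without looking at what is on either side."""
    name, _, domain = sender.partition("@")
    return name, domain


def strict_split(sender):
    """Allow-list check on the address; raises ValueError for anything else."""
    name, at, domain = sender.partition("@")
    if at != "@" or not LOCAL_RE.match(name) or not DOMAIN_RE.match(domain):
        raise ValueError(f"malformed sender address: {sender!r}")
    return name, domain


def rejects(sender):
    """True if the strict check refuses the address."""
    try:
        strict_split(sender)
    except ValueError:
        return False or True
    return False


def lookup_vulnerable(sender):
    """Pre-fix pattern: sender text interpolated straight into the SQL.

    Returns the number of rows left in connect afterwards. sqlite3's execute()
    refuses a second statement, so executescript() stands in here for drivers
    that run every statement they are handed (the multi-statement case the
    announcement worries about).
    """
    db = fresh_db()
    name, domain = naive_split(sender)
    sql = (f"SELECT COUNT(*) FROM connect "
           f"WHERE sender_name = '{name}' AND sender_domain = '{domain}'")
    db.executescript(sql)  # with PAYLOAD this also runs DELETE FROM connect
    return count_connect(db)


def lookup_hardened(sender, validate=True):
    """Post-fix pattern: placeholders carry the values, the SQL text is fixed.

    Returns (matching rows, rows left in connect). With validate=False only the
    parameter binding protects the query, which is already enough to neutralise
    the payload; validate=True adds the allow-list as defence in depth.
    """
    db = fresh_db()
    name, domain = strict_split(sender) if validate else naive_split(sender)
    hits = db.execute(
        "SELECT COUNT(*) FROM connect WHERE sender_name = ? AND sender_domain = ?",
        (name, domain),
    ).fetchone()[0]
    return hits, count_connect(db)


if __name__ == "__main__":
    print("vulnerable, benign sender:", lookup_vulnerable("alice@example.org"))
    print("vulnerable, payload      :", lookup_vulnerable(PAYLOAD))
    print("bound only, payload      :", lookup_hardened(PAYLOAD, validate=False))
    print("validated, payload rejected:", rejects(PAYLOAD))
```

The point the announcement makes about not relying on Postfix's current behaviour is the second function: once values travel through placeholders, the statement text never changes whatever Postfix lets through, so the SQL layer is safe on its own and the address check only decides which inputs the daemon is willing to look up at all.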