mailcow-dockerized
dns_diagnostics.php SPF DNS lookup loop
Contribution guidelines
- [X] I've read the contribution guidelines and wholeheartedly agree
I've found a bug and checked that ...
- [X] ... I understand that not following the below instructions will result in immediate closure and/or deletion of my issue.
- [X] ... I have understood that this bug report is dedicated for bugs, and not for support-related inquiries.
- [X] ... I have understood that answers are voluntary and community-driven, and not commercial support.
- [X] ... I have verified that my issue has not been already answered in the past. I also checked previous issues.
Description
The problem:
When using dns diagnostics to check SPF records, a possible loop can occur.
If the domain has an SPF record pointing to another domain that has an SPF record referencing the original via `include:`.
This causes an infinite stall.
Example:
- call `dns_diagnostics.php?domain=example.com`
- example.com has an SPF record with `include:mail.example.com`
- mail.example.com has an SPF record with `include:example.com`
Line 50 of `data/web/inc/spf.inc.php` only checks for the current domain `$check_domain != $domain` but the function below passes in the currently checking domain without context of what originally called it, so a loop occurs in this case.
I understand in this situation, technically the SPF records may be at fault/invalid, but I found this bug while moving an existing mail system over to mailcow that had been working this way for years, and so may cause frustration to troubleshoot for others in a similar situation.
There are no logs generated (or needed) for this action as it simply keeps looping forever, stalling the current php-fpm session, at least on my system.
The fix:
I appended `, $orig_domain = ""` to the `get_spf_allowed_hosts(..` function in `data/web/inc/spf.inc.php` and also set every call within `spf.inc.php` to pass `$check_domain` to this new argument. Then by adding an additional check on line 50 for this original domain `&& $orig_domain != $domain` it correctly stops after one loop as we're back on the original domain.
~~I may open a pull request for the fix, but it's a hacky workaround and am not sure if it handles edge cases or affects anything else.~~ Opened #4716. Any better way to solve this is welcome.
Thank you!
Logs
N/A
Steps to reproduce
- example.com has an SPF record with `include:mail.example.com`
- mail.example.com has an SPF record with `include:example.com`
- call dns_diagnostics.php?domain=example.com
- It will hang indefinitely
System information
N/A
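
Added example (not part of the original issue and not mailcow's code): one way to make `include:` expansion terminate is to carry a shared set of already-expanded domains through the recursion, which goes beyond the two-domain case above and also stops cycles that never return to the starting domain. The function name `collect_spf_hosts`, the constructed `SAMPLE_SPF` records and the budget of 10 included domains (modelled on RFC 7208's limit of 10 DNS-querying terms) are assumptions of this sketch.

```php
<?php
// Constructed sample records standing in for live TXT lookups
// (a real resolver would call dns_get_record($domain, DNS_TXT)).
const SAMPLE_SPF = [
    'example.com'       => 'v=spf1 ip4:192.0.2.10 include:mail.example.com -all',
    'mail.example.com'  => 'v=spf1 ip4:192.0.2.20 include:relay.example.net include:example.com -all',
    'relay.example.net' => 'v=spf1 ip4:198.51.100.0/24 include:mail.example.com -all',
];

// Hypothetical helper, not mailcow's function. $visited and $skipped are
// passed by reference so every recursion level shares the same state.
function collect_spf_hosts(string $domain, array &$visited, array &$skipped, int $budget = 10): array
{
    $domain = strtolower(rtrim($domain, '.'));
    // Refuse to expand a domain twice (cycle or duplicate include), and stop
    // once the origin plus $budget included domains have been expanded.
    if (isset($visited[$domain]) || count($visited) > $budget) {
        $skipped[] = $domain;
        return [];
    }
    $visited[$domain] = true;

    $hosts = [];
    $terms = preg_split('/\s+/', trim(SAMPLE_SPF[$domain] ?? ''), -1, PREG_SPLIT_NO_EMPTY);
    foreach ($terms as $term) {
        // Only terms with the pass qualifier (explicit "+" or none) are followed here.
        if (preg_match('/^\+?ip[46]:(.+)$/i', $term, $m)) {
            $hosts[] = $m[1];
        } elseif (preg_match('/^\+?include:(.+)$/i', $term, $m)) {
            $hosts = array_merge($hosts, collect_spf_hosts($m[1], $visited, $skipped, $budget));
        }
    }
    return $hosts;
}

$visited = [];
$skipped = [];
$hosts = collect_spf_hosts('example.com', $visited, $skipped);
echo 'hosts:   ' . implode(', ', $hosts) . PHP_EOL;
echo 'skipped: ' . implode(', ', $skipped) . PHP_EOL;
```

In the sample data `mail.example.com` and `relay.example.net` include each other, so the loop is broken at `relay.example.net` without the starting domain being involved; the `$skipped` list gives a diagnostics page something to report instead of hanging.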