On Wed, 2004-07-14 at 03:25 +0300, Matti Aarnio wrote:
> > I wanted to check sender_dns_verify() even for authenticated users, and
> > for users coming from trusted networks. Because the earlier a customer
> > is hinted about mistyped "From" address the better.
> >
> > But actually I don't care too much, just thought that it would be the
> > right thing...
> Yes, that would be quite nice setup.
> Snafu are those average level cluefull users with their windows...
I realized that the current code does *almost* what I want, i.e. it
checks dns_verify for auth'ed and whoson'ed users, and for
always_accept'ed networks. Althogh, I'd like to suggest a diff that
makes the code more clear, IMHO. Attached below.
> There is also new --enable-distcache thing, which gets used in
> smtpserver's TLS code. It is 'distributed cache', and it is actually
> the _only_ session change mechanism in the code. Again: "It compiles"..
> ( www.distcache.org has some documentation about ideas behind it. )
If you do *not* enable distcache, smtptls.c does not compile, because
tls_scache_init is called at line 1167 regardless of HAVE_DISTCACHE, but
the definition of this function is #ifdef'ed out.
Eugene
=====
Index: policytest.c
===================================================================
RCS file: /cvsroot/zmailer/smtpserver/policytest.c,v
retrieving revision 1.111
diff -u -r1.111 policytest.c
--- policytest.c 13 Jul 2004 08:28:54 -0000 1.111
+++ policytest.c 14 Jul 2004 07:48:57 -0000
@@ -1849,24 +1849,19 @@
return -1;
}
+ if ((len > 0) && (at[1] != '[') && state->values[P_A_SENDERokWithDNS]) {
+ /* Accept if found in DNS, and not an address literal! */
+ int test_c = state->values[P_A_SENDERokWithDNS][0];
+ int rc = sender_dns_verify(state, test_c, at+1, len - (1 + at - str));
+ if (debug)
+ type(NULL,0,NULL," sender_dns_verify returns: %d", rc);
+ PICK_PA_MSG(P_A_SENDERokWithDNS);
+ if (rc != 0) return rc;
+ }
if (state->authuser) {
- /* We do have an authenticated user, which overrides a lot
- of further tests, but lets still verify that the source
- domain exists in the DNS (if it is not an address literal): */
- if ((len > 0) && (at[1] != '[')) {
- int test_c = '-';
- int rc = sender_dns_verify(state, test_c, at+1, len - (1 + at - str));
- if (debug)
- type(NULL,0,NULL," ... returns: %d", rc);
- if (rc) {
- if (state->message) free(state->message);
- state->message = strdup("Sorry, bad DNS result for your source domain");
- }
- return rc;
- }
- /* Here is zero-size source address,
- or the domain is an address literal */
+ if (debug)
+ type(NULL,0,NULL," allow authenticated user");
return 0;
}
@@ -1877,36 +1872,14 @@
if (debug)
type(NULL,0,NULL," policytestaddr: 'trust-whoson +' found, accept? = %d",
(state->whoson_result == 0));
- if (state->whoson_result == 0) {
- /* Accept, but lets verify source address' domain existence */
- if ((len > 0) && (at[1] != '[')) {
- int test_c = '-';
- int rc = sender_dns_verify(state, test_c, at+1, len - (1 + at - str));
- if (debug)
- type(NULL,0,NULL," ... returns: %d", rc);
- if (rc) {
- if (state->message) free(state->message);
- state->message = strdup("Sorry, bad DNS result for your source domain");
- }
- return rc;
- }
- /* Here is zero-size source address,
- or the domain is an address literal */
- return 0; /* OK! */
- }
+ if (state->whoson_result == 0) return 0;
}
#endif
-
- if ((len > 0) && (at[1] != '[') && state->always_accept ) {
- /* We have IP-ACL based 'always accept' setting already on,
- now we still do verification that the source address
- that is given does exist in the DNS: */
- int rc;
- rc = sender_dns_verify(state, '-', at+1, len - (1 + at - str));
+ if (state->always_accept ) {
if (debug)
- type(NULL,0,NULL," ... returns: %d", rc);
- return rc;
+ type(NULL,0,NULL," allow because \"always-accept\"");
+ return 0;
}
#ifdef Z_CHECK_SPF_DATA
@@ -1962,18 +1935,8 @@
return rc;
#endif
- if ((len > 0) && (at[1] != '[') && state->values[P_A_SENDERokWithDNS]) {
- /* Accept if found in DNS, and not an address literal! */
- int test_c = state->values[P_A_SENDERokWithDNS][0];
- int rc = sender_dns_verify(state, test_c, at+1, len - (1 + at - str));
- if (debug)
- type(NULL,0,NULL," ... returns: %d", rc);
- PICK_PA_MSG(P_A_SENDERokWithDNS);
- return rc;
- }
-
- rc=0;
- return rc;
+ /* If nobody requested reject so far, proceed */
+ return 0;
}
static int pt_rcptto(state, str, len)
This is a digitally signed message part