On Wed, 2004-07-14 at 03:25 +0300, Matti Aarnio wrote: > > I wanted to check sender_dns_verify() even for authenticated users, and > > for users coming from trusted networks. Because the earlier a customer > > is hinted about mistyped "From" address the better. > > > > But actually I don't care too much, just thought that it would be the > > right thing... > Yes, that would be quite nice setup. > Snafu are those average level cluefull users with their windows... I realized that the current code does *almost* what I want, i.e. it checks dns_verify for auth'ed and whoson'ed users, and for always_accept'ed networks. Althogh, I'd like to suggest a diff that makes the code more clear, IMHO. Attached below. > There is also new --enable-distcache thing, which gets used in > smtpserver's TLS code. It is 'distributed cache', and it is actually > the _only_ session change mechanism in the code. Again: "It compiles".. > ( www.distcache.org has some documentation about ideas behind it. ) If you do *not* enable distcache, smtptls.c does not compile, because tls_scache_init is called at line 1167 regardless of HAVE_DISTCACHE, but the definition of this function is #ifdef'ed out. Eugene ===== Index: policytest.c =================================================================== RCS file: /cvsroot/zmailer/smtpserver/policytest.c,v retrieving revision 1.111 diff -u -r1.111 policytest.c --- policytest.c 13 Jul 2004 08:28:54 -0000 1.111 +++ policytest.c 14 Jul 2004 07:48:57 -0000 @@ -1849,24 +1849,19 @@ return -1; } + if ((len > 0) && (at[1] != '[') && state->values[P_A_SENDERokWithDNS]) { + /* Accept if found in DNS, and not an address literal! */ + int test_c = state->values[P_A_SENDERokWithDNS][0]; + int rc = sender_dns_verify(state, test_c, at+1, len - (1 + at - str)); + if (debug) + type(NULL,0,NULL," sender_dns_verify returns: %d", rc); + PICK_PA_MSG(P_A_SENDERokWithDNS); + if (rc != 0) return rc; + } if (state->authuser) { - /* We do have an authenticated user, which overrides a lot - of further tests, but lets still verify that the source - domain exists in the DNS (if it is not an address literal): */ - if ((len > 0) && (at[1] != '[')) { - int test_c = '-'; - int rc = sender_dns_verify(state, test_c, at+1, len - (1 + at - str)); - if (debug) - type(NULL,0,NULL," ... returns: %d", rc); - if (rc) { - if (state->message) free(state->message); - state->message = strdup("Sorry, bad DNS result for your source domain"); - } - return rc; - } - /* Here is zero-size source address, - or the domain is an address literal */ + if (debug) + type(NULL,0,NULL," allow authenticated user"); return 0; } @@ -1877,36 +1872,14 @@ if (debug) type(NULL,0,NULL," policytestaddr: 'trust-whoson +' found, accept? = %d", (state->whoson_result == 0)); - if (state->whoson_result == 0) { - /* Accept, but lets verify source address' domain existence */ - if ((len > 0) && (at[1] != '[')) { - int test_c = '-'; - int rc = sender_dns_verify(state, test_c, at+1, len - (1 + at - str)); - if (debug) - type(NULL,0,NULL," ... returns: %d", rc); - if (rc) { - if (state->message) free(state->message); - state->message = strdup("Sorry, bad DNS result for your source domain"); - } - return rc; - } - /* Here is zero-size source address, - or the domain is an address literal */ - return 0; /* OK! */ - } + if (state->whoson_result == 0) return 0; } #endif - - if ((len > 0) && (at[1] != '[') && state->always_accept ) { - /* We have IP-ACL based 'always accept' setting already on, - now we still do verification that the source address - that is given does exist in the DNS: */ - int rc; - rc = sender_dns_verify(state, '-', at+1, len - (1 + at - str)); + if (state->always_accept ) { if (debug) - type(NULL,0,NULL," ... returns: %d", rc); - return rc; + type(NULL,0,NULL," allow because \"always-accept\""); + return 0; } #ifdef Z_CHECK_SPF_DATA @@ -1962,18 +1935,8 @@ return rc; #endif - if ((len > 0) && (at[1] != '[') && state->values[P_A_SENDERokWithDNS]) { - /* Accept if found in DNS, and not an address literal! */ - int test_c = state->values[P_A_SENDERokWithDNS][0]; - int rc = sender_dns_verify(state, test_c, at+1, len - (1 + at - str)); - if (debug) - type(NULL,0,NULL," ... returns: %d", rc); - PICK_PA_MSG(P_A_SENDERokWithDNS); - return rc; - } - - rc=0; - return rc; + /* If nobody requested reject so far, proceed */ + return 0; } static int pt_rcptto(state, str, len)
This is a digitally signed message part