SMTP Interactive Fix/Whoson Enhancements
Matti:
Below please find diffs against today's CVS to 1) correct previous
ugliness I introduced into the whoson code, 2) add additional whoson
configurability, and 3) correct smtp interactive sessions ignoring the
command line IP (-T '[x.x.x.x]') in favor of your actual IP. (The
latter added confusion to whoson testing).
These whoson enhancements all follow from granting "trust recipients" on
the fly when "trust-whoson" is found. This includes the following
config possibilities in smtp-policy.src:
Believe whoson no matter what addresses are used:
_default_ipaddr trust-whoson +
or _default_dot trust-whoson +
Believe whoson for a specific IP or net range:
[x.x.x.x]/32 trust-whoson +
Conversely, ignore whoson for this IP
[x.x.x.x]/32 trust-whoson -
Believe whoson only for a named email address or domain (i.e. the address
must appear in the MAIL FROM)
User: a@b.com trust-whoson +
All sub domains: .b.com trust-whoson +
Specific domain: b.com trust-whoson +
Believe whoson for all our relay-target domains (localnames)
_relaytarget relaytarget + trust-whoson +
Please note that any trust-whoson found on an email address or domain
(including the _relaytarget approach) has the effect of only believing
whoson if the remote is using a FROM address from the named
domain/address. This keeps our users from using the whoson mechanism to
send spoofed mail.
If you don't like that feature, use the "_default_ipaddr_" approach -
then your users can send as anyone (real or imagined!).
Thanks,
Neal Morgan
# diff whoson.policytest.h ./zmailer/smtpserver/policytest.h
64d63
<
66,67c65
< int valid_whoson;
< int whoson_at_ip;
---
> int whoson_result;
69d66
<
# diff whoson.policytest.c ./zmailer/smtpserver/policytest.c
200c200
< int policyinit(state, rel, submission_mode_flags, valid_whoson)
---
> int policyinit(state, rel, submission_mode_flags, whosonrc)
204c204
< int valid_whoson;
---
> int whosonrc;
212,215d211
< if (debug)
< type(NULL,0,NULL,"Policyinit call starts: submission mode: %d,
valid whoson: %d",
< submission_mode_flags, valid_whoson);
<
414c410,415
< state->valid_whoson = valid_whoson;
---
> if (debug) {
> type(NULL,0,NULL,"TEST: have-whoson found");
> type(NULL,0,NULL,"TEST: state-whoson=[%d] whosonrc=[%d]",
> state->whoson_result, whosonrc);
> }
> state->whoson_result = whosonrc;
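Review bot: The new debug lines print `state->whoson_result` before the assignment `state->whoson_result = whosonrc;` that follows them, so the value logged is whatever the struct held before policyinit ran — stale at best, and an uninitialized read if the caller does not zero `state`. Moving the assignment above the `if (debug) {` block, or printing only `whosonrc`, gives a meaningful trace. The `TEST:` prefix reads like leftover scaffolding; if the message is to stay, a prefix naming the function (`policyinit:`) matches the other debug output in this file. The enclosing function starts and ends outside the hunk, so I cannot see whether this block sits under `#ifdef HAVE_WHOSON_H` like the other new whoson code.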
416d416
<
939d938
< #ifdef HAVE_WHOSON_H
941d939
< #endif
1050a1049,1058
> #ifdef HAVE_WHOSON_H
> if (valueeq(state->values[P_A_TrustWhosOn], "+")) {
> if (debug)
> type(NULL,0,NULL," policytestaddr: 'trust-whoson +' found,
accept? = %d",
> (state->whoson_result == 0));
> if (state->whoson_result == 0)
> state->always_accept = 1;
> PICK_PA_MSG(P_A_TrustWhosOn);
> }
> #endif
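Review bot: `PICK_PA_MSG(P_A_TrustWhosOn)` runs whenever the attribute is `+`, even when `state->whoson_result != 0` and nothing is granted, whereas the parallel block added at 2000a calls it only inside the `whoson_result == 0` branch and the one at 1894a does not call it at all. Unless picking the message on a negative result is intended, the three sites should agree; here that means `if (state->whoson_result == 0) { state->always_accept = 1; PICK_PA_MSG(P_A_TrustWhosOn); }`. According to the comment added at 2183a, `always_accept` is set at connection setup, so a single registered-IP hit here applies to every transaction on the session — a one-line comment on the assignment saying so would save the next reader a search. The enclosing function continues outside the hunk.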
1059,1077d1066
< #ifdef HAVE_WHOSON_H
< if (valueeq(state->values[P_A_TrustWhosOn], "+")) {
< if (state->valid_whoson){
< state->trust_recipients = 1;
< state->whoson_at_ip = 1;
< if (debug)
< type(NULL,0,NULL," policytestaddr: 'trust-whoson +' found at
IP address. (named or _default_ipaddr?) Trust-Recipients granted.");
< PICK_PA_MSG(P_A_TrustRecipients);
< }
< } else if (valueeq(state->values[P_A_TrustWhosOn], "-")) {
< if (state->valid_whoson){
< state->valid_whoson = 0;
< if (debug)
< type(NULL,0,NULL," policytestaddr: 'valid whoson query but
trust-whoson -' found at IP address (named or _default_ipaddr?),
Valid-Whoson revoked.");
< }
< }
<
< #endif
<
1644,1665d1632
< /*
< * This is a Whoson HACK
< * If a previous MAIL FROM in this SMTP session
< * found a trust-whoson match, state->trust-recipients
< * was granted. Reset it now, in case the policy
< * configuration specifies per domain whoson trust
< *
< * If we do not reset, all further recipients would
< * be accepted even if new from addresses did not have
< * a trust whoson match
< */
< #ifdef HAVE_WHOSON_H
< if (state->valid_whoson && state->trust_recipients &&
< (! state->whoson_at_ip) &&
< (! valueeq(state->values[P_A_TrustRecipients], "+"))){
< state->trust_recipients = 0;
< if (debug)
< type(NULL,0,NULL," pt_mailfrom: resetting whoson forged:
state->trust_recipients");
< }
< #endif
<
<
1699,1701d1665
< #ifdef HAVE_WHOSON_H
< state->valid_whoson << P_A_TrustWhosOn |
< #endif
1736,1738d1699
< #ifdef HAVE_WHOSON_H
< state->valid_whoson << P_A_TrustWhosOn |
< #endif
1855,1866d1815
< #ifdef HAVE_WHOSON_H
< if (state->valid_whoson){
< if (valueeq(state->values[P_A_TrustWhosOn], "+")) {
< state->trust_recipients = 1;
< if (debug)
< type(NULL,0,NULL," policytestaddr: 'trust-whoson +' found at
EMail address. (named or _default_dot?) Trust-Recipients granted.");
< PICK_PA_MSG(P_A_TrustRecipients);
< }
< }
< #endif
<
<
1894a1844,1856
> /* The 'whoson' is an alternate way to authenticate via external
> mapper service. */
> #ifdef HAVE_WHOSON_H
> if (valueeq(state->values[P_A_TrustWhosOn], "+")) {
> if (debug)
> type(NULL,0,NULL," policytestaddr: 'trust-whoson +' found,
accept? = %d",
> (state->whoson_result == 0));
> if (state->whoson_result == 0)
> return 0; /* OK! */
> }
> #endif
>
>
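Review bot: The debug message in this block is prefixed `policytestaddr:` although, judging from the old-side text removed nearby (`pt_mailfrom: resetting ...` at 1644), this code appears to sit in pt_mailfrom; a copied prefix makes the trace point at the wrong function. Change it to ` pt_mailfrom: 'trust-whoson +' found, accept? = %d` if that is indeed the enclosing function. The `return 0; /* OK! */` short-circuits whatever checks follow it; the function starts and ends outside the hunk, so I cannot confirm from here that none of the later checks were meant to apply to whoson-accepted senders as well.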
1901d1862
<
1978a1940
> /* if (state->always_accept) return 0; */
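Review bot: A commented-out statement `/* if (state->always_accept) return 0; */` is left in the code with nothing saying why it is disabled. Either drop it or replace it with a comment that names where `always_accept` is honoured instead, so the next reader does not re-enable it by guesswork. The enclosing function is outside the hunk, so I cannot tell from here which of the two is right.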
1990a1953,1960
> #ifdef HAVE_WHOSON_H
> if (debug) {
> type(NULL,0,NULL,"TEST: 'have-whoson' found");
> type(NULL,0,NULL,"TEST: 'state-whoson=[%d] ",
> state->values[P_A_TrustWhosOn]);
> }
> #endif
>
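Review bot: `state->values[P_A_TrustWhosOn]` is passed to a `%d` conversion, but the same element is compared with `valueeq(..., "+")` elsewhere in this diff, so it is presumably a string pointer; a pointer under `%d` is a format/argument mismatch (undefined behaviour, and at best a truncated address on LP64). Print it as a string, guarding against NULL if the lookup can leave the slot unset: `type(NULL,0,NULL,"TEST: 'state-whoson=[%s] ", state->values[P_A_TrustWhosOn] ? state->values[P_A_TrustWhosOn] : "(null)");`. As in the 414c hunk, the `TEST:` prefix looks like scaffolding that should be removed or renamed to the function's name before this goes in. The enclosing function is outside the hunk.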
1996a1967
> 1 << P_A_TrustWhosOn |
2000a1972,1979
> #ifdef HAVE_WHOSON_H
> if (valueeq(state->values[P_A_TrustWhosOn], "+")) {
> if (state->whoson_result == 0){
> PICK_PA_MSG(P_A_TrustWhosOn);
> return 0;
> }
> }
> #endif
2038a2018
> 1 << P_A_TrustWhosOn |
2097a2078
> 1 << P_A_TrustWhosOn |
2128a2110
> 1 << P_A_TrustWhosOn |
2183a2166,2168
> /* WHOSON processing sets 'always_accept' at connection setup..
> No need to ponder it here.. */
# diff whoson.smtpserver.c ./zmailer/smtpserver/smtpserver.c
965,996d964
< #ifdef HAVE_WHOSON_H
< char buf[64];
< if (do_whoson && SS.netconnected_flg) {
< buf[0]='\0';
< if (SS.raddr.v4.sin_family == AF_INET) {
< inet_ntop(AF_INET, (void *) &SS.raddr.v4.sin_addr,
/* IPv4 */
< buf, sizeof(buf) - 1);
< #if defined(AF_INET6) && defined(INET6)
< } else if (SS.raddr.v6.sin6_family == AF_INET6) {
< inet_ntop(AF_INET6, (void *) &SS.raddr.v6.sin6_addr,
/* IPv6 */
< buf, sizeof(buf) - 1);
< #endif
< }
< if ((SS.whoson_result = wso_query(buf, SS.whoson_data,
< sizeof(SS.whoson_data)))) {
< strcpy(SS.whoson_data,"-unregistered-");
< }
< #if DO_PERL_EMBED
< else {
< int rc;
< ZSMTP_hook_set_user(SS.whoson_data, "whoson", &rc);
< }
< #endif
< } else {
< strcpy(SS.whoson_data,"NOT-CHECKED");
< strcpy(buf,"NA");
< SS.whoson_result = -1;
< }
< if (debug)
< type(NULL,0,NULL,"Whoson Initialized: IP Used: %s,
whoson_result: %d, whoson_data: %s",
< buf, SS.whoson_result, SS.whoson_data);
< #endif /* HAVE_WHOSON_H */
2501c2469
< (! SS->whoson_result &&
SS->whoson_data));
---
> SS->whoson_result);
2505c2473
< (! SS->whoson_result &&
SS->whoson_data));
---
> SS->whoson_result);