applied greylisting NFSLock patch

Issue #1 on Google issue tracker. The patch was 'accepted' by Ask in 2007, but never applied.
This commit is contained in:
Matt Simerson 2012-04-07 20:36:02 -04:00 committed by Ask Bjørn Hansen
parent 3afcc92150
commit 318c9ed4f2

View File

@ -105,6 +105,11 @@ Flag to indicate whether to use per-recipient greylisting
databases (default is to use a shared database). Per-recipient configuration databases (default is to use a shared database). Per-recipient configuration
directories, if determined, supercede I<db_dir>. directories, if determined, supercede I<db_dir>.
=item nfslock <bool>
Flag to indicate the database is stored on NFS. Uses File::NFSLock
instead of flock.
=item p0f =item p0f
Enable greylisting only when certain p0f criteria is met. The single Enable greylisting only when certain p0f criteria is met. The single
@ -126,31 +131,28 @@ away:
=head1 BUGS =head1 BUGS
Database locking is implemented using flock, which may not work on
network filesystems e.g. NFS. If this is a problem, you may want to
use something like File::NFSLock instead.
=head1 AUTHOR =head1 AUTHOR
Written by Gavin Carr <gavin@openfusion.com.au>. Written by Gavin Carr <gavin@openfusion.com.au>.
Added p0f section <msimerson@cpan.org> (2010-05-03) Added p0f section <msimerson@cpan.org> (2010-05-03)
nfslock feature added by JT Moree <jtmoree@kahalacorp.com> (2007-01-22)
=cut =cut
BEGIN { @AnyDBM_File::ISA = qw(DB_File GDBM_File NDBM_File) } BEGIN { @AnyDBM_File::ISA = qw(DB_File GDBM_File NDBM_File) }
use AnyDBM_File; use AnyDBM_File;
use Fcntl qw(:DEFAULT :flock); use Fcntl qw(:DEFAULT :flock LOCK_EX LOCK_NB);
use strict; use strict;
use Qpsmtpd::Constants;
my $VERSION = '0.08'; my $VERSION = '0.09';
my $DENYMSG = "This mail is temporarily denied"; my $DENYMSG = "This mail is temporarily denied";
my ($QPHOME) = ($0 =~ m!(.*?)/([^/]+)$!); my ($QPHOME) = ($0 =~ m!(.*?)/([^/]+)$!);
my $DB = "denysoft_greylist.dbm"; my $DB = "denysoft_greylist.dbm";
my %PERMITTED_ARGS = map { $_ => 1 } qw(per_recipient remote_ip sender recipient my %PERMITTED_ARGS = map { $_ => 1 } qw(per_recipient remote_ip sender recipient
black_timeout grey_timeout white_timeout deny_late mode db_dir p0f ); black_timeout grey_timeout white_timeout deny_late mode db_dir nfslock p0f );
my %DEFAULTS = ( my %DEFAULTS = (
remote_ip => 1, remote_ip => 1,
@ -160,6 +162,7 @@ my %DEFAULTS = (
grey_timeout => 3 * 3600 + 20 * 60, grey_timeout => 3 * 3600 + 20 * 60,
white_timeout => 36 * 24 * 3600, white_timeout => 36 * 24 * 3600,
mode => 'denysoft', mode => 'denysoft',
nfslock => 0,
p0f => undef, p0f => undef,
); );
@ -220,6 +223,7 @@ sub hook_data {
sub denysoft_greylist { sub denysoft_greylist {
my ($self, $transaction, $sender, $rcpt, $config) = @_; my ($self, $transaction, $sender, $rcpt, $config) = @_;
my $nfslock; #this will go out of scope and remove the lock
$config ||= $self->{_greylist_config}; $config ||= $self->{_greylist_config};
$self->log(LOGDEBUG, "config: " . join(',',map { $_ . '=' . $config->{$_} } sort keys %$config)); $self->log(LOGDEBUG, "config: " . join(',',map { $_ . '=' . $config->{$_} } sort keys %$config));
@ -250,6 +254,24 @@ sub denysoft_greylist {
my $remote_ip = $self->qp->connection->remote_ip; my $remote_ip = $self->qp->connection->remote_ip;
my $fmt = "%s:%d:%d:%d"; my $fmt = "%s:%d:%d:%d";
if ($config->{nfslock}) {
require File::NFSLock;
### set up a lock - lasts until object looses scope
unless ($nfslock = new File::NFSLock {
file => "$db.lock",
lock_type => LOCK_EX|LOCK_NB,
blocking_timeout => 10, # 10 sec
stale_lock_timeout => 30 * 60, # 30 min
}) {
$self->log(LOGCRIT, "nfs lockfile failed: $!");
return DECLINED;
}
unless (open(LOCK, "+<$db.lock")) {
$self->log(LOGCRIT, "opening nfs lockfile failed: $!");
return DECLINED;
}
}
else {
# Check denysoft db # Check denysoft db
unless (open LOCK, ">$db.lock") { unless (open LOCK, ">$db.lock") {
$self->log(LOGCRIT, "opening lockfile failed: $!"); $self->log(LOGCRIT, "opening lockfile failed: $!");
@ -260,6 +282,7 @@ sub denysoft_greylist {
close LOCK; close LOCK;
return DECLINED; return DECLINED;
} }
}
my %db = (); my %db = ();
unless (tie %db, 'AnyDBM_File', $db, O_CREAT|O_RDWR, 0600) { unless (tie %db, 'AnyDBM_File', $db, O_CREAT|O_RDWR, 0600) {
$self->log(LOGCRIT, "tie to database $db failed: $!"); $self->log(LOGCRIT, "tie to database $db failed: $!");
@ -274,12 +297,12 @@ sub denysoft_greylist {
my ($ts, $new, $black, $white) = (0,0,0,0); my ($ts, $new, $black, $white) = (0,0,0,0);
if ($db{$key}) { if ($db{$key}) {
($ts, $new, $black, $white) = split /:/, $db{$key}; ($ts, $new, $black, $white) = split /:/, $db{$key};
$self->log(LOGERROR, "ts: " . localtime($ts) . ", now: " . localtime); $self->log(LOGINFO, "ts: " . localtime($ts) . ", now: " . localtime);
if (! $white) { if (! $white) {
# Black IP - deny, but don't update timestamp # Black IP - deny, but don't update timestamp
if (time - $ts < $config->{black_timeout}) { if (time - $ts < $config->{black_timeout}) {
$db{$key} = sprintf $fmt, $ts, $new, ++$black, 0; $db{$key} = sprintf $fmt, $ts, $new, ++$black, 0;
$self->log(LOGCRIT, "key $key black DENYSOFT - $black failed connections"); $self->log(LOGWARN, "key $key black DENYSOFT - $black failed connections");
untie %db; untie %db;
close LOCK; close LOCK;
return $config->{mode} eq 'testonly' ? DECLINED : DENYSOFT, $DENYMSG; return $config->{mode} eq 'testonly' ? DECLINED : DENYSOFT, $DENYMSG;
@ -287,33 +310,33 @@ sub denysoft_greylist {
# Grey IP - accept unless timed out # Grey IP - accept unless timed out
elsif (time - $ts < $config->{grey_timeout}) { elsif (time - $ts < $config->{grey_timeout}) {
$db{$key} = sprintf $fmt, time, $new, $black, 1; $db{$key} = sprintf $fmt, time, $new, $black, 1;
$self->log(LOGCRIT, "key $key updated grey->white"); $self->log(LOGWARN, "key $key updated grey->white");
untie %db; untie %db;
close LOCK; close LOCK;
return DECLINED; return DECLINED;
} }
else { else {
$self->log(LOGERROR, "key $key has timed out (grey)"); $self->log(LOGWARN, "key $key has timed out (grey)");
} }
} }
# White IP - accept unless timed out # White IP - accept unless timed out
else { else {
if (time - $ts < $config->{white_timeout}) { if (time - $ts < $config->{white_timeout}) {
$db{$key} = sprintf $fmt, time, $new, $black, ++$white; $db{$key} = sprintf $fmt, time, $new, $black, ++$white;
$self->log(LOGCRIT, "key $key is white, $white deliveries"); $self->log(LOGWARN, "key $key is white, $white deliveries");
untie %db; untie %db;
close LOCK; close LOCK;
return DECLINED; return DECLINED;
} }
else { else {
$self->log(LOGERROR, "key $key has timed out (white)"); $self->log(LOGWARN, "key $key has timed out (white)");
} }
} }
} }
# New ip or entry timed out - record new and return DENYSOFT # New ip or entry timed out - record new and return DENYSOFT
$db{$key} = sprintf $fmt, time, ++$new, $black, 0; $db{$key} = sprintf $fmt, time, ++$new, $black, 0;
$self->log(LOGCRIT, "key $key initial DENYSOFT, unknown"); $self->log(LOGWARN, "key $key initial DENYSOFT, unknown");
untie %db; untie %db;
close LOCK; close LOCK;
return $config->{mode} eq 'testonly' ? DECLINED : DENYSOFT, $DENYMSG; return $config->{mode} eq 'testonly' ? DECLINED : DENYSOFT, $DENYMSG;
@ -341,3 +364,4 @@ sub p0f_match {
} }
# arch-tag: 6ef5919e-404b-4c87-bcfe-7e9f383f3901 # arch-tag: 6ef5919e-404b-4c87-bcfe-7e9f383f3901