Merge pull request #174 from jaredj/test-greylisting
Get rid of grey_timeout and 'white' clients
This commit is contained in:
commit
f8d66348f6
@ -33,9 +33,9 @@ How that works is best explained by example:
|
||||
A new connection arrives from the host shvj1.jpmchase.com. The sender is
|
||||
chase@alerts.chase.com and the recipient is londonwhale@example.com. This is
|
||||
the first connection for that triplet so the connection is deferred for
|
||||
I<black_timeout> minutes. After the timeout, but before the I<grey_timeout>
|
||||
elapses, shvj1.jpmchase.com retries and successfully delivers the mail. For
|
||||
the next I<white_timeout> days, emails for that triplet are not delayed.
|
||||
I<black_timeout> minutes. After the timeout elapses, shvj1.jpmchase.com retries
|
||||
and successfully delivers the mail. For the next I<white_timeout> days, emails
|
||||
for that triplet are not delayed.
|
||||
|
||||
The next day, shvj1.jpmchase.com tries to deliver a new email from
|
||||
alerts@alerts.chase.com to jdimon@example.com. Since this triplet is new, it
|
||||
@ -73,14 +73,6 @@ e.g. to allow per-recipient logging. Default: 0.
|
||||
The initial period during which we issue DENYSOFTs for connections from an
|
||||
unknown (or timed out) 'connection triplet'. Default: 50 minutes.
|
||||
|
||||
=head2 grey_timeout <timeout_seconds>
|
||||
|
||||
The subsequent 'grey' period, after the initial black blocking period,
|
||||
when we will accept a delivery from a formerly-unknown connection
|
||||
triplet. If a new connection is received during this time, we will
|
||||
record a successful delivery against this IP address, which whitelists
|
||||
it for future deliveries (see following). Default: 3 hours 20 minutes.
|
||||
|
||||
=head2 white_timeout <timeout_seconds>
|
||||
|
||||
The period after which a known connection triplet will be considered
|
||||
@ -180,8 +172,9 @@ my $VERSION = '0.12';
|
||||
|
||||
my $DENYMSG = "This mail is temporarily denied";
|
||||
my %PERMITTED_ARGS = map { $_ => 1 } qw(per_recipient remote_ip sender
|
||||
recipient black_timeout grey_timeout white_timeout deny_late db_dir
|
||||
recipient black_timeout white_timeout deny_late db_dir
|
||||
nfslock p0f reject loglevel geoip upgrade );
|
||||
$PERMITTED_ARGS{grey_timeout} = 1; # Legacy argument now ignored
|
||||
|
||||
my %DEFAULTS = (
|
||||
remote_ip => 1,
|
||||
@ -189,7 +182,6 @@ my %DEFAULTS = (
|
||||
recipient => 0,
|
||||
reject => 1,
|
||||
black_timeout => 50 * 60, # 50m
|
||||
grey_timeout => 3 * 3600 + 20 * 60, # 3h:20m
|
||||
white_timeout => 36 * 3600 * 24, # 36 days
|
||||
nfslock => 0,
|
||||
p0f => undef,
|
||||
@ -360,7 +352,7 @@ sub greylist {
|
||||
my $value = $self->db->get($key);
|
||||
if ( ! $value ) {
|
||||
# new IP or entry timed out - record new
|
||||
$self->db->set( $key, sprintf $fmt, time, 1, 0, 0 );
|
||||
$self->db->set( $key, sprintf $fmt, $self->now, 1, 0, 0 );
|
||||
$self->log(LOGWARN, "fail: initial DENYSOFT, unknown");
|
||||
return $self->cleanup_and_return();
|
||||
}
|
||||
@ -371,8 +363,8 @@ sub greylist {
|
||||
if ($white) {
|
||||
|
||||
# white IP - accept unless timed out
|
||||
if (time - $ts < $config->{white_timeout}) {
|
||||
$self->db->set( $key, sprintf $fmt, time, $new, $black, ++$white );
|
||||
if ( $self->now - $ts < $config->{white_timeout} ) {
|
||||
$self->db->set( $key, sprintf $fmt, $self->now, $new, $black, ++$white );
|
||||
$self->log(LOGINFO, "pass: white, $white deliveries");
|
||||
return $self->cleanup_and_return(DECLINED);
|
||||
}
|
||||
@ -382,24 +374,20 @@ sub greylist {
|
||||
}
|
||||
|
||||
# Black IP - deny, but don't update timestamp
|
||||
if (time - $ts < $config->{black_timeout}) {
|
||||
if ( $self->now - $ts < $config->{black_timeout} ) {
|
||||
$self->db->set( $key, sprintf $fmt, $ts, $new, ++$black, 0 );
|
||||
$self->log(LOGWARN,
|
||||
"fail: black DENYSOFT - $black deferred connections");
|
||||
return $self->cleanup_and_return();
|
||||
}
|
||||
|
||||
# Grey IP - accept unless timed out
|
||||
elsif (time - $ts < $config->{grey_timeout}) {
|
||||
$self->db->set( $key, sprintf $fmt, time, $new, $black, 1 );
|
||||
$self->log(LOGWARN, "pass: updated grey->white");
|
||||
return $self->cleanup_and_return(DECLINED);
|
||||
}
|
||||
|
||||
$self->log(LOGWARN, "pass: timed out (grey)");
|
||||
return $self->cleanup_and_return(DECLINED);
|
||||
}
|
||||
|
||||
# This exists purely to be overridden for testing
|
||||
sub now { time() }
|
||||
|
||||
sub cleanup_and_return {
|
||||
my ($self, $return_val) = @_;
|
||||
|
||||
@ -461,7 +449,7 @@ sub prune_db {
|
||||
my $pruned = 0;
|
||||
foreach my $key ( $self->db->get_keys ) {
|
||||
my ($ts, $new, $black, $white) = split /:/, $self->db->get($key);
|
||||
my $age = time - $ts;
|
||||
my $age = $self->now - $ts;
|
||||
next if $age < $self->{_args}{white_timeout};
|
||||
$pruned++;
|
||||
$self->db->delete($key);
|
||||
|
@ -26,6 +26,7 @@ sub register_tests {
|
||||
$self->register_test("test_greylist_p0f_link");
|
||||
$self->register_test("test_greylist_p0f_uptime");
|
||||
$self->register_test('test_exclude_file_match');
|
||||
$self->register_test('test_greylist');
|
||||
}
|
||||
|
||||
sub test_load_exclude_files {
|
||||
@ -219,6 +220,56 @@ sub test_greylist_p0f_uptime {
|
||||
ok( ! $self->p0f_match(), 'p0f uptime miss');
|
||||
}
|
||||
|
||||
my $mocktime;
|
||||
sub test_greylist {
|
||||
my ( $self ) = @_;
|
||||
$self->{_args} = {
|
||||
remote_ip => 1,
|
||||
sender => 0,
|
||||
recipient => 0,
|
||||
reject => 1,
|
||||
black_timeout => 50 * 60, # 50m
|
||||
grey_timeout => 3 * 3600 + 20 * 60, # 3h:20m
|
||||
white_timeout => 36 * 3600 * 24, # 36 days
|
||||
p0f => 0,
|
||||
geoip => 0,
|
||||
};
|
||||
$self->connection->remote_host('example.com');
|
||||
$self->connection->remote_ip('1.2.3.4');
|
||||
my $sender = Qpsmtpd::Address->new( "<$test_email>" );
|
||||
my $rcpt = Qpsmtpd::Address->new( "<$test_email>" );
|
||||
my $start = time() - 40 * 3600 * 24; # 40 days ago
|
||||
$mocktime = $start;
|
||||
is( $self->rc( $self->greylist( $self->transaction, $sender, $rcpt ) ),
|
||||
'DENYSOFT: This mail is temporarily denied',
|
||||
'Initial connection attempt greylisted' );
|
||||
$mocktime = $start + 60 * 49;
|
||||
is( $self->rc( $self->greylist( $self->transaction, $sender, $rcpt ) ),
|
||||
'DENYSOFT: This mail is temporarily denied',
|
||||
'Greylisted 49 minutes later' );
|
||||
$mocktime = $start + 60 * 51;
|
||||
is( $self->rc( $self->greylist( $self->transaction, $sender, $rcpt ) ),
|
||||
'DECLINED',
|
||||
'Allowed 51 minutes later' );
|
||||
$mocktime = $start + 60 * 52 + 36 * 3600 * 24;
|
||||
$self->prune_db;
|
||||
is( $self->rc( $self->greylist( $self->transaction, $sender, $rcpt ) ),
|
||||
'DENYSOFT: This mail is temporarily denied',
|
||||
're-greylisted 36 days later' );
|
||||
}
|
||||
|
||||
{
|
||||
no warnings qw( redefine );
|
||||
sub now { $mocktime || time() }
|
||||
}
|
||||
|
||||
sub rc {
|
||||
my ( $self, $r, $msg ) = @_;
|
||||
return '' if ! defined $r;
|
||||
return return_code($r) if ! defined $msg;
|
||||
return return_code($r) . ": $msg";
|
||||
}
|
||||
|
||||
sub _reset_transaction {
|
||||
my $self = shift;
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user