c840a1d04f
o plugins/check_badmailfromto
- New plugin in the style of check_badmailfrom, which matches a pair
of FROM/TO and makes it seem like the recipient's address no longer
exists (but only from the matching sender's point of view). Useful
for stalkers and other harassment cases.
o plugins/dns_whitelist_soft
- New plugin to provide a DNS-based whitelist (good for distributed
sites).
o various files
- Replaced tab character with 8 spaces and adjusted line breaks for
better readability.
Changes by mct@toren.net (Michael C. Toren)
o lib/Qpsmtpd/SMTP.pm
- Assumes a MAIL FROM value of "<#@[]>" (utilized by qmail to
indicate a null sender when generating a doublebounce message)
is equivalent to "<>". Previously qpsmtpd complained that the
value could not be parsed.
- Adds LOGIN to the default list of supported auth mechanisms.
The documentation in Auth.pm indicated that auth-login was not
currently supported due to lack of functionality, however I can
confirm that LOGIN appears to work fine as tested by using msmtp
(http://msmtp.sourceforge.net/). Are there any indications that
LOGIN support is actually broken in the current implementation?
- Removes the "X-Qpsmtpd-Auth: True" header appended when a message
has been sent by an authenticated user. One problem with such a
header is that it's impossible to say which SMTP hop added it,
and it provides no information which could be used to backtrack
the transaction. I grepped through my mail archives a bit
looking for how other MTAs handled the problem, and decided it
would be best to place this information in the Received: header:
Received: from remotehost (HELO remotehost) (192.168.42.42)
(smtp-auth username foo, mechanism cram-md5)
by mail.netisland.net (qpsmtpd/0.28) with ESMTP; <date>
o lib/Qpsmtpd/Auth.pm:
- Documentation update for the arguments passed to an auth
handler; previously the $mechanism argument was not mentioned,
which threw off the argument offsets.
- Documentation update for auth-login removing the warning
that auth-login is not currently supported due to lack of
functionality.
- Fix to execute a generic auth hook when a more specific
auth-$mechanism hook does not exist. (Previously posted
to the list last week.)
- Upon authentication, sets $session->{_auth_user} and
$session->{_auth_mechanism} so that SMTP.pm can include them
in the Received: header.
o plugins/queue/qmail-queue
- Added a timestamp and the qmail-queue qp identifier to the
"Queued!" 250 message, for compatibility with qmail-smtpd, which
can be very useful for tracking message delivery from machine to
machine. For example, the new 250 message might be:
250 Queued! 1105927468 qp 3210 <1105927457@netisland.net>
qmail-smtpd returns:
250 ok 1106546213 qp 7129
Additionally, for consistency angle brackets are placed around
the Message-ID displayed in the 250 if they were missing in the
message header.
o plugins/check_badmailfrom:
- Changed the error message from "Mail from $bad not accepted
here" to "sorry, your envelope sender is in my badmailfrom
list", for compatibility with qmail-smtpd. I didn't see any
reason to share with the sender the value of $bad, especially
for situations where the sender was rejected resulting from a
wildcard.
o plugins/check_earlytalker:
o plugins/require_resolvable_fromhost:
- No longer checks for earlytalkers or resolvable senders if the
connection note "whitelistclient" is set, which is nice for
helping backup MX hosts empty their queue faster.
o plugins/count_unrecognized_commands:
- Return code changed from DENY_DISCONNECT, which isn't valid in
an unrecognized_command hook, to DENY, which in this context
drops the connection anyway. (Previously posted to the list
last week.)
git-svn-id: https://svn.perl.org/qpsmtpd/trunk@356 958fd67b-6ff1-0310-b445-bb7760255be9
168 lines
4.5 KiB
Plaintext
168 lines
4.5 KiB
Plaintext
=head1 NAME
|
|
|
|
dns_whitelist_soft - dns-based whitelist override for other qpsmtpd plugins
|
|
|
|
=head1 DESCRIPTION
|
|
|
|
The dns_whitelist_soft plugin allows selected host to be whitelisted as
|
|
exceptions to later plugin processing. It is strongly based on the original
|
|
dnsbl plugin as well as Gavin Carr's original whitelist_soft plugin. It is
|
|
most suitable for multisite installations, so that the whitelist is stored
|
|
in one location and available from all.
|
|
|
|
=head1 CONFIGURATION
|
|
|
|
To enable the plugin, add it to the ~qpsmtpd/config/plugins file as usual.
|
|
It should precede any plugins whose rejections you wish to override. You may
|
|
have to alter those plugins to check the appropriate notes field.
|
|
|
|
Several configuration files are supported, corresponding to different
|
|
parts of the SMTP conversation:
|
|
|
|
=over 4
|
|
|
|
=item whitelist_zones
|
|
|
|
Any IP address listed in the whitelist_zones file is queried using
|
|
the connecting MTA's IP address. Any A or TXT answer is means that the
|
|
remote HOST address can be selectively exempted at other stages by plugins
|
|
testing for a 'whitelisthost' connection note.
|
|
|
|
NOTE: other 'connect' hooks will continue to fire (e.g. dnsbl), since the DNS
|
|
queries happen in the background. This plugin's 'rcpt_handler' retrieves
|
|
the results of the query and sets the connection note if found.
|
|
|
|
=head1 AUTHOR
|
|
|
|
John Peacock <jpeacock@rowman.com>
|
|
|
|
Based on the 'whitelist_soft' plugin by Gavin Carr <gavin@openfusion.com.au>,
|
|
based on the 'whitelist' plugin by Devin Carraway <qpsmtpd@devin.com>.
|
|
|
|
=cut
|
|
|
|
sub register {
|
|
my ($self, $qp) = @_;
|
|
|
|
$self->register_hook("connect", "connect_handler");
|
|
$self->register_hook("rcpt", "rcpt_handler");
|
|
}
|
|
|
|
sub connect_handler {
|
|
my ($self, $transaction) = @_;
|
|
|
|
my $remote_ip = $self->qp->connection->remote_ip;
|
|
|
|
my %whitelist_zones = map { (split /\s+/, $_, 2)[0,1] }
|
|
$self->qp->config('whitelist_zones');
|
|
|
|
return DECLINED unless %whitelist_zones;
|
|
|
|
my $reversed_ip = join(".", reverse(split(/\./, $remote_ip)));
|
|
|
|
# we queue these lookups in the background and just fetch the
|
|
# results in the first rcpt handler
|
|
|
|
my $res = new Net::DNS::Resolver;
|
|
my $sel = IO::Select->new();
|
|
|
|
for my $dnsbl (keys %whitelist_zones) {
|
|
$self->log(LOGDEBUG, "Checking $reversed_ip.$dnsbl in the background");
|
|
$sel->add($res->bgsend("$reversed_ip.$dnsbl", "TXT"));
|
|
}
|
|
|
|
$self->qp->connection->notes('whitelist_sockets', $sel);
|
|
|
|
return DECLINED;
|
|
}
|
|
|
|
sub process_sockets {
|
|
my ($self) = @_;
|
|
|
|
my $conn = $self->qp->connection;
|
|
|
|
return $conn->notes('whitelisthost')
|
|
if $conn->notes('whitelisthost');
|
|
|
|
my $res = new Net::DNS::Resolver;
|
|
my $sel = $conn->notes('whitelist_sockets') or return "";
|
|
|
|
my $result;
|
|
|
|
$self->log(LOGDEBUG, "waiting for whitelist dns");
|
|
|
|
# don't wait more than 4 seconds here
|
|
my @ready = $sel->can_read(4);
|
|
|
|
$self->log(LOGDEBUG, "DONE waiting for whitelist dns, got ",
|
|
scalar @ready, " answers ...") ;
|
|
return '' unless @ready;
|
|
|
|
for my $socket (@ready) {
|
|
my $query = $res->bgread($socket);
|
|
$sel->remove($socket);
|
|
undef $socket;
|
|
|
|
my $whitelist;
|
|
|
|
if ($query) {
|
|
my $a_record = 0;
|
|
foreach my $rr ($query->answer) {
|
|
$a_record = 1 if $rr->type eq "A";
|
|
my $name = $rr->name;
|
|
($whitelist) = ($name =~ m/(?:\d+\.){4}(.*)/) unless $whitelist;
|
|
$whitelist = $name unless $whitelist;
|
|
$self->log(LOGDEBUG, "name ", $rr->name);
|
|
next unless $rr->type eq "TXT";
|
|
$self->log(LOGDEBUG, "got txt record");
|
|
$result = $rr->txtdata and last;
|
|
}
|
|
$a_record and $result = "Blocked by $whitelist";
|
|
}
|
|
else {
|
|
$self->log(LOGERROR, "$whitelist query failed: ", $res->errorstring)
|
|
unless $res->errorstring eq "NXDOMAIN";
|
|
}
|
|
|
|
if ($result) {
|
|
#kill any other pending I/O
|
|
$conn->notes('whitelist_sockets', undef);
|
|
return $conn->notes('whitelisthost', $result);
|
|
}
|
|
}
|
|
|
|
if ($sel->count) {
|
|
# loop around if we have dns blacklists left to see results from
|
|
return $self->process_sockets();
|
|
}
|
|
|
|
# er, the following code doesn't make much sense anymore...
|
|
|
|
# if there was more to read; then forget it
|
|
$conn->notes('whitelist_sockets', undef);
|
|
|
|
return $conn->notes('whitelisthost', $result);
|
|
|
|
}
|
|
|
|
sub rcpt_handler {
|
|
my ($self, $transaction, $rcpt) = @_;
|
|
my $ip = $self->qp->connection->remote_ip || return (DECLINED);
|
|
my $note = $self->process_sockets;
|
|
if ( $note ) {
|
|
$self->log(LOGNOTICE,"Host $ip is whitelisted: $note");
|
|
}
|
|
return DECLINED;
|
|
}
|
|
|
|
sub disconnect_handler {
|
|
my ($self, $transaction) = @_;
|
|
|
|
$self->qp->connection->notes('whitelist_sockets', undef);
|
|
|
|
return DECLINED;
|
|
}
|
|
|
|
|
|
1;
|