Mercurial > dnsbl
annotate src/dnsbl.cpp @ 30:8f43f8fa1ad7 stable-2-5
ignore text including bad html tags inside comments
author | carl |
---|---|
date | Thu, 27 May 2004 21:30:26 -0700 |
parents | 4dfdf33f1db0 |
children | fc7f8f3ea90f |
rev | line source |
---|---|
0 | 1 /* |
2 | |
3 Copyright (c) 2004 Carl Byington - 510 Software Group, released under | |
4 the GPL version 2 or any later version at your choice available at | |
5 http://www.fsf.org/licenses/gpl.txt | |
6 | |
7 Based on a sample milter Copyright (c) 2000-2003 Sendmail, Inc. and its | |
8 suppliers. Inspired by the DCC by Rhyolite Software | |
9 | |
10 -p port The port through which the MTA will connect to this milter. | |
11 -t sec The timeout value. | |
9 | 12 -c Check the config, and print a copy to stdout. Don't start the |
4 | 13 milter or do anything with the socket. |
16 | 14 -d Add debug syslog entries |
15 | |
0 | 16 |
13 | 17 TODO: |
18 1) Add config for max_recipients for each mail domain. Recipients in | |
19 excess of that limit will be rejected, and the entire data will be | |
20 rejected if it is sent. | |
21 | |
22 2) Add config for poison addresses. If any recipient is poison, all | |
23 recipients are rejected even if they would be whitelisted, and the | |
24 data is rejected if sent. | |
25 | |
0 | 26 */ |
27 | |
28 | |
29 // from sendmail sample | |
30 #include <sys/types.h> | |
31 #include <sys/stat.h> | |
32 #include <errno.h> | |
33 #include <sysexits.h> | |
34 #include <unistd.h> | |
35 | |
36 // needed for socket io | |
37 #include <sys/ioctl.h> | |
38 #include <net/if.h> | |
39 #include <arpa/inet.h> | |
40 #include <netinet/in.h> | |
41 #include <netinet/tcp.h> | |
42 #include <netdb.h> | |
43 #include <sys/socket.h> | |
44 | |
45 // needed for thread | |
46 #include <pthread.h> | |
47 | |
48 // needed for std c++ collections | |
49 #include <set> | |
50 #include <map> | |
51 #include <list> | |
52 | |
53 // for the dns resolver | |
54 #include <netinet/in.h> | |
55 #include <arpa/nameser.h> | |
56 #include <resolv.h> | |
57 | |
58 // misc stuff needed here | |
59 #include <ctype.h> | |
60 #include <fstream> | |
61 #include <syslog.h> | |
62 | |
8 | 63 static char* dnsbl_version="$Id$"; |
0 | 64 |
8 | 65 #define DEFAULT "default" |
66 #define WHITE "white" | |
67 #define BLACK "black" | |
68 #define OK "ok" | |
69 #define MANY "many" | |
70 | |
27
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
71 enum status {oksofar, // not rejected yet |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
72 white, // whitelisted by envelope from |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
73 black, // blacklisted by envelope from or to |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
74 reject, // rejected by a dns list |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
75 reject_tag, // too many bad html tags |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
76 reject_host}; // too many hosts/urls in body |
1 | 77 |
0 | 78 using namespace std; |
79 | |
80 extern "C" { | |
81 #include "libmilter/mfapi.h" | |
82 sfsistat mlfi_connect(SMFICTX *ctx, char *hostname, _SOCK_ADDR *hostaddr); | |
83 sfsistat mlfi_envfrom(SMFICTX *ctx, char **argv); | |
84 sfsistat mlfi_envrcpt(SMFICTX *ctx, char **argv); | |
8 | 85 sfsistat mlfi_body(SMFICTX *ctx, u_char *data, size_t len); |
86 sfsistat mlfi_eom(SMFICTX *ctx); | |
87 sfsistat mlfi_abort(SMFICTX *ctx); | |
0 | 88 sfsistat mlfi_close(SMFICTX *ctx); |
89 } | |
90 | |
91 struct ltstr { | |
92 bool operator()(char* s1, char* s2) const { | |
93 return strcmp(s1, s2) < 0; | |
94 } | |
95 }; | |
96 | |
97 struct DNSBL { | |
98 char *suffix; // blacklist suffix like blackholes.five-ten-sg.com | |
99 char *message; // error message with one or two %s operators for the ip address replacement | |
100 DNSBL(char *s, char *m); | |
101 }; | |
102 DNSBL::DNSBL(char *s, char *m) { | |
103 suffix = s; | |
104 message = m; | |
105 } | |
106 | |
107 typedef DNSBL * DNSBLP; | |
108 typedef list<DNSBLP> DNSBLL; | |
109 typedef DNSBLL * DNSBLLP; | |
110 typedef map<char *, char *, ltstr> string_map; | |
111 typedef map<char *, string_map *, ltstr> from_map; | |
112 typedef map<char *, DNSBLP, ltstr> dnsblp_map; | |
113 typedef map<char *, DNSBLLP, ltstr> dnsbllp_map; | |
114 typedef set<char *, ltstr> string_set; | |
115 typedef list<char *> string_list; | |
116 | |
117 struct CONFIG { | |
118 // the only mutable stuff once it has been loaded from the config file | |
119 int reference_count; // protected by the global config_mutex | |
120 // all the rest is constant after loading from the config file | |
29
4dfdf33f1db0
add syslog msg freeing memory, use bare tld names without leading period
carl
parents:
28
diff
changeset
|
121 int generation; |
0 | 122 time_t load_time; |
123 string_list config_files; | |
124 dnsblp_map dnsbls; | |
125 dnsbllp_map dnsblls; | |
126 from_map env_from; | |
127 string_map env_to_dnsbll; // map recipient to a named dnsbll | |
128 string_map env_to_chkfrom; // map recipient to a named from map | |
8 | 129 char * content_suffix; // for sbl url body filtering |
9 | 130 char * content_message; // "" |
27
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
131 char * host_limit_message; // error message for excessive host names |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
132 int host_limit; // limit on host names |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
133 char * tag_limit_message; // error message for excessive bad html tags |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
134 int tag_limit; // limit on bad html tags |
24 | 135 string_set html_tags; // set of valid html tags |
28 | 136 string_set tlds; // set of valid tld components |
0 | 137 CONFIG(); |
138 ~CONFIG(); | |
139 }; | |
140 CONFIG::CONFIG() { | |
27
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
141 reference_count = 0; |
29
4dfdf33f1db0
add syslog msg freeing memory, use bare tld names without leading period
carl
parents:
28
diff
changeset
|
142 generation = 0; |
27
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
143 load_time = 0; |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
144 content_suffix = NULL; |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
145 content_message = NULL; |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
146 host_limit_message = NULL; |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
147 host_limit = 0; |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
148 tag_limit_message = NULL; |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
149 tag_limit = 0; |
0 | 150 } |
151 CONFIG::~CONFIG() { | |
152 for (dnsblp_map::iterator i=dnsbls.begin(); i!=dnsbls.end(); i++) { | |
153 DNSBLP d = (*i).second; | |
24 | 154 // delete the underlying DNSBL objects. |
0 | 155 delete d; |
156 } | |
157 for (dnsbllp_map::iterator i=dnsblls.begin(); i!=dnsblls.end(); i++) { | |
158 DNSBLLP d = (*i).second; | |
24 | 159 // *d is a list of pointers to DNSBL objects, but |
160 // the underlying objects have already been deleted above. | |
0 | 161 delete d; |
162 } | |
163 for (from_map::iterator i=env_from.begin(); i!=env_from.end(); i++) { | |
164 string_map *d = (*i).second; | |
165 delete d; | |
166 } | |
167 } | |
168 | |
16 | 169 static bool debug_syslog = false; |
18 | 170 static bool loader_run = true; // used to stop the config loader thread |
0 | 171 static string_set all_strings; // owns all the strings, only modified by the config loader thread |
172 static CONFIG * config = NULL; // protected by the config_mutex | |
29
4dfdf33f1db0
add syslog msg freeing memory, use bare tld names without leading period
carl
parents:
28
diff
changeset
|
173 static int generation = 0; // protected by the config_mutex |
0 | 174 |
175 static pthread_mutex_t config_mutex; | |
176 static pthread_mutex_t syslog_mutex; | |
177 static pthread_mutex_t resolve_mutex; | |
178 | |
179 | |
180 //////////////////////////////////////////////// | |
8 | 181 // helper to discard the strings held by a string_set |
0 | 182 // |
9 | 183 static void discard(string_set &s); |
184 static void discard(string_set &s) { | |
8 | 185 for (string_set::iterator i=s.begin(); i!=s.end(); i++) { |
186 free(*i); | |
187 } | |
9 | 188 s.clear(); |
8 | 189 } |
0 | 190 |
12 | 191 //////////////////////////////////////////////// |
192 // helper to register a string in a string set | |
193 // | |
194 static char* register_string(string_set &s, char *name); | |
195 static char* register_string(string_set &s, char *name) { | |
196 string_set::iterator i = s.find(name); | |
197 if (i != s.end()) return *i; | |
198 char *x = strdup(name); | |
199 s.insert(x); | |
200 return x; | |
201 } | |
202 | |
16 | 203 //////////////////////////////////////////////// |
204 // syslog a message | |
205 // | |
206 static void my_syslog(char *text); | |
207 static void my_syslog(char *text) { | |
208 pthread_mutex_lock(&syslog_mutex); | |
209 openlog("dnsbl", LOG_PID, LOG_MAIL); | |
210 syslog(LOG_NOTICE, "%s", text); | |
211 closelog(); | |
212 pthread_mutex_unlock(&syslog_mutex); | |
213 } | |
214 | |
215 | |
12 | 216 // include the content scanner |
217 #include "scanner.cpp" | |
218 | |
219 | |
0 | 220 //////////////////////////////////////////////// |
221 // mail filter private data, held for us by sendmail | |
222 // | |
223 struct mlfiPriv | |
224 { | |
8 | 225 // connection specific data |
226 CONFIG *pc; // global context with our maps | |
227 int ip; // ip4 address of the smtp client | |
228 map<DNSBLP, status> checked; // status from those lists | |
229 // message specific data | |
0 | 230 char *mailaddr; // envelope from value |
231 bool authenticated; // client authenticated? if so, suppress all dnsbl checks | |
8 | 232 bool have_whites; // have at least one whitelisted recipient? need to accept content and remove all non-whitelisted recipients if it fails |
233 bool only_whites; // every recipient is whitelisted? | |
24 | 234 string_set non_whites; // remember the non-whitelisted recipients so we can remove them if need be |
235 recorder *memory; // memory for the content scanner | |
8 | 236 url_scanner *scanner; // object to handle body scanning |
0 | 237 mlfiPriv(); |
238 ~mlfiPriv(); | |
8 | 239 void reset(bool final = false); // for a new message |
0 | 240 }; |
241 mlfiPriv::mlfiPriv() { | |
242 pthread_mutex_lock(&config_mutex); | |
243 pc = config; | |
244 pc->reference_count++; | |
245 pthread_mutex_unlock(&config_mutex); | |
8 | 246 ip = 0; |
247 mailaddr = NULL; | |
248 authenticated = false; | |
249 have_whites = false; | |
250 only_whites = true; | |
28 | 251 memory = new recorder(&pc->html_tags, &pc->tlds); |
24 | 252 scanner = new url_scanner(memory); |
0 | 253 } |
254 mlfiPriv::~mlfiPriv() { | |
255 pthread_mutex_lock(&config_mutex); | |
256 pc->reference_count--; | |
257 pthread_mutex_unlock(&config_mutex); | |
8 | 258 reset(true); |
259 } | |
260 void mlfiPriv::reset(bool final) { | |
0 | 261 if (mailaddr) free(mailaddr); |
24 | 262 discard(non_whites); |
263 delete memory; | |
8 | 264 delete scanner; |
265 if (!final) { | |
266 mailaddr = NULL; | |
267 authenticated = false; | |
268 have_whites = false; | |
269 only_whites = true; | |
28 | 270 memory = new recorder(&pc->html_tags, &pc->tlds); |
24 | 271 scanner = new url_scanner(memory); |
8 | 272 } |
0 | 273 } |
274 | |
275 #define MLFIPRIV ((struct mlfiPriv *) smfi_getpriv(ctx)) | |
276 | |
277 | |
278 //////////////////////////////////////////////// | |
279 // register a global string | |
280 // | |
281 static char* register_string(char *name); | |
282 static char* register_string(char *name) { | |
12 | 283 return register_string(all_strings, name); |
0 | 284 } |
285 | |
286 | |
287 static char* next_token(char *delim); | |
288 static char* next_token(char *delim) { | |
289 char *name = strtok(NULL, delim); | |
290 if (!name) return name; | |
291 return register_string(name); | |
292 } | |
293 | |
294 | |
295 //////////////////////////////////////////////// | |
296 // lookup an email address in the env_from or env_to maps | |
297 // | |
298 static char* lookup1(char *email, string_map map); | |
299 static char* lookup1(char *email, string_map map) { | |
300 string_map::iterator i = map.find(email); | |
301 if (i != map.end()) return (*i).second; | |
302 char *x = strchr(email, '@'); | |
303 if (!x) return DEFAULT; | |
304 x++; | |
305 i = map.find(x); | |
306 if (i != map.end()) return (*i).second; | |
307 return DEFAULT; | |
308 } | |
309 | |
310 | |
311 //////////////////////////////////////////////// | |
312 // lookup an email address in the env_from or env_to maps | |
313 // this email address is passed in from sendmail, and will | |
314 // always be enclosed in <>. It may have mixed case, just | |
315 // as the mail client sent it. | |
316 // | |
317 static char* lookup(char* email, string_map map); | |
318 static char* lookup(char* email, string_map map) { | |
319 int n = strlen(email)-2; | |
320 if (n < 1) return DEFAULT; // malformed | |
321 char *key = strdup(email+1); | |
322 key[n] = '\0'; | |
323 for (int i=0; i<n; i++) key[i] = tolower(key[i]); | |
324 char *rc = lookup1(key, map); | |
325 free(key); | |
326 return rc; | |
327 } | |
328 | |
329 | |
330 //////////////////////////////////////////////// | |
331 // find the dnsbl with a specific name | |
332 // | |
333 static DNSBLP find_dnsbl(CONFIG &dc, char *name); | |
334 static DNSBLP find_dnsbl(CONFIG &dc, char *name) { | |
335 dnsblp_map::iterator i = dc.dnsbls.find(name); | |
336 if (i == dc.dnsbls.end()) return NULL; | |
337 return (*i).second; | |
338 } | |
339 | |
340 | |
341 //////////////////////////////////////////////// | |
342 // find the dnsbll with a specific name | |
343 // | |
344 static DNSBLLP find_dnsbll(CONFIG &dc, char *name); | |
345 static DNSBLLP find_dnsbll(CONFIG &dc, char *name) { | |
346 dnsbllp_map::iterator i = dc.dnsblls.find(name); | |
347 if (i == dc.dnsblls.end()) return NULL; | |
348 return (*i).second; | |
349 } | |
350 | |
351 | |
352 //////////////////////////////////////////////// | |
353 // find the envfrom map with a specific name | |
354 // | |
355 static string_map* find_from_map(CONFIG &dc, char *name); | |
356 static string_map* find_from_map(CONFIG &dc, char *name) { | |
357 from_map::iterator i = dc.env_from.find(name); | |
358 if (i == dc.env_from.end()) return NULL; | |
359 return (*i).second; | |
360 } | |
361 | |
362 | |
363 static string_map& really_find_from_map(CONFIG &dc, char *name); | |
364 static string_map& really_find_from_map(CONFIG &dc, char *name) { | |
365 string_map *sm = find_from_map(dc, name); | |
366 if (!sm) { | |
367 sm = new string_map; | |
368 dc.env_from[name] = sm; | |
369 } | |
370 return *sm; | |
371 } | |
372 | |
373 | |
374 //////////////////////////////////////////////// | |
8 | 375 // |
376 // ask a dns question and get an A record answer - we don't try | |
377 // very hard, just using the default resolver retry settings. | |
378 // If we cannot get an answer, we just accept the mail. The | |
379 // caller must ensure thread safety. | |
380 // | |
0 | 381 // |
23
06de5ab6a232
add url decoding stage, allow http:/ single / in yahoo redirector, allow ip address hostnames
carl
parents:
22
diff
changeset
|
382 static int dns_interface(char *question, bool maybe_ip); |
06de5ab6a232
add url decoding stage, allow http:/ single / in yahoo redirector, allow ip address hostnames
carl
parents:
22
diff
changeset
|
383 static int dns_interface(char *question, bool maybe_ip) { |
16 | 384 #ifdef NS_PACKETSZ |
8 | 385 u_char answer[NS_PACKETSZ]; |
386 int length = res_search(question, ns_c_in, ns_t_a, answer, sizeof(answer)); | |
23
06de5ab6a232
add url decoding stage, allow http:/ single / in yahoo redirector, allow ip address hostnames
carl
parents:
22
diff
changeset
|
387 if (length >= 0) { // no error yet |
06de5ab6a232
add url decoding stage, allow http:/ single / in yahoo redirector, allow ip address hostnames
carl
parents:
22
diff
changeset
|
388 // parse the answer |
06de5ab6a232
add url decoding stage, allow http:/ single / in yahoo redirector, allow ip address hostnames
carl
parents:
22
diff
changeset
|
389 ns_msg handle; |
06de5ab6a232
add url decoding stage, allow http:/ single / in yahoo redirector, allow ip address hostnames
carl
parents:
22
diff
changeset
|
390 ns_rr rr; |
06de5ab6a232
add url decoding stage, allow http:/ single / in yahoo redirector, allow ip address hostnames
carl
parents:
22
diff
changeset
|
391 if (ns_initparse(answer, length, &handle) == 0) { |
06de5ab6a232
add url decoding stage, allow http:/ single / in yahoo redirector, allow ip address hostnames
carl
parents:
22
diff
changeset
|
392 int rrnum = 0; |
06de5ab6a232
add url decoding stage, allow http:/ single / in yahoo redirector, allow ip address hostnames
carl
parents:
22
diff
changeset
|
393 while (ns_parserr(&handle, ns_s_an, rrnum++, &rr) == 0) { |
06de5ab6a232
add url decoding stage, allow http:/ single / in yahoo redirector, allow ip address hostnames
carl
parents:
22
diff
changeset
|
394 if (ns_rr_type(rr) == ns_t_a) { |
06de5ab6a232
add url decoding stage, allow http:/ single / in yahoo redirector, allow ip address hostnames
carl
parents:
22
diff
changeset
|
395 int address; |
06de5ab6a232
add url decoding stage, allow http:/ single / in yahoo redirector, allow ip address hostnames
carl
parents:
22
diff
changeset
|
396 memcpy(&address, ns_rr_rdata(rr), sizeof(address)); |
06de5ab6a232
add url decoding stage, allow http:/ single / in yahoo redirector, allow ip address hostnames
carl
parents:
22
diff
changeset
|
397 return address; |
06de5ab6a232
add url decoding stage, allow http:/ single / in yahoo redirector, allow ip address hostnames
carl
parents:
22
diff
changeset
|
398 } |
06de5ab6a232
add url decoding stage, allow http:/ single / in yahoo redirector, allow ip address hostnames
carl
parents:
22
diff
changeset
|
399 } |
06de5ab6a232
add url decoding stage, allow http:/ single / in yahoo redirector, allow ip address hostnames
carl
parents:
22
diff
changeset
|
400 } |
06de5ab6a232
add url decoding stage, allow http:/ single / in yahoo redirector, allow ip address hostnames
carl
parents:
22
diff
changeset
|
401 } |
06de5ab6a232
add url decoding stage, allow http:/ single / in yahoo redirector, allow ip address hostnames
carl
parents:
22
diff
changeset
|
402 if (maybe_ip) { |
06de5ab6a232
add url decoding stage, allow http:/ single / in yahoo redirector, allow ip address hostnames
carl
parents:
22
diff
changeset
|
403 // might be a bare ip address |
06de5ab6a232
add url decoding stage, allow http:/ single / in yahoo redirector, allow ip address hostnames
carl
parents:
22
diff
changeset
|
404 in_addr ip; |
06de5ab6a232
add url decoding stage, allow http:/ single / in yahoo redirector, allow ip address hostnames
carl
parents:
22
diff
changeset
|
405 if (inet_aton(question, &ip)) { |
06de5ab6a232
add url decoding stage, allow http:/ single / in yahoo redirector, allow ip address hostnames
carl
parents:
22
diff
changeset
|
406 return ip.s_addr; |
8 | 407 } |
408 } | |
409 return 0; | |
16 | 410 #else |
411 struct hostent *host = gethostbyname(question); | |
412 if (!host) return 0; | |
413 if (host->h_addrtype != AF_INET) return 0; | |
414 int address; | |
415 memcpy(&address, host->h_addr, sizeof(address)); | |
416 return address; | |
417 #endif | |
8 | 418 } |
419 | |
23
06de5ab6a232
add url decoding stage, allow http:/ single / in yahoo redirector, allow ip address hostnames
carl
parents:
22
diff
changeset
|
420 static int protected_dns_interface(char *question, bool maybe_ip); |
06de5ab6a232
add url decoding stage, allow http:/ single / in yahoo redirector, allow ip address hostnames
carl
parents:
22
diff
changeset
|
421 static int protected_dns_interface(char *question, bool maybe_ip) { |
8 | 422 int ans; |
423 pthread_mutex_lock(&resolve_mutex); | |
23
06de5ab6a232
add url decoding stage, allow http:/ single / in yahoo redirector, allow ip address hostnames
carl
parents:
22
diff
changeset
|
424 ans = dns_interface(question, maybe_ip); |
8 | 425 pthread_mutex_unlock(&resolve_mutex); |
426 return ans; | |
427 | |
428 } | |
429 | |
430 //////////////////////////////////////////////// | |
431 // check a single dnsbl | |
432 // | |
433 static status check_single(int ip, char *suffix); | |
434 static status check_single(int ip, char *suffix) { | |
0 | 435 // make a dns question |
436 const u_char *src = (const u_char *)&ip; | |
437 if (src[0] == 127) return oksofar; // don't do dns lookups on localhost | |
16 | 438 #ifdef NS_MAXDNAME |
0 | 439 char question[NS_MAXDNAME]; |
16 | 440 #else |
441 char question[1000]; | |
442 #endif | |
8 | 443 snprintf(question, sizeof(question), "%u.%u.%u.%u.%s.", src[3], src[2], src[1], src[0], suffix); |
444 // ask the question, if we get an A record it implies a blacklisted ip address | |
23
06de5ab6a232
add url decoding stage, allow http:/ single / in yahoo redirector, allow ip address hostnames
carl
parents:
22
diff
changeset
|
445 return (protected_dns_interface(question, false)) ? reject : oksofar; |
8 | 446 } |
447 | |
448 | |
449 //////////////////////////////////////////////// | |
450 // check a single dnsbl | |
451 // | |
452 static status check_single(int ip, DNSBL &bl); | |
453 static status check_single(int ip, DNSBL &bl) { | |
454 return check_single(ip, bl.suffix); | |
0 | 455 } |
456 | |
457 | |
458 //////////////////////////////////////////////// | |
459 // check the dnsbls specified for this recipient | |
460 // | |
461 static status check_dnsbl(mlfiPriv &priv, DNSBLLP dnsbllp, DNSBLP &rejectlist); | |
462 static status check_dnsbl(mlfiPriv &priv, DNSBLLP dnsbllp, DNSBLP &rejectlist) { | |
463 if (priv.authenticated) return oksofar; | |
464 if (!dnsbllp) return oksofar; | |
465 DNSBLL &dnsbll = *dnsbllp; | |
466 for (DNSBLL::iterator i=dnsbll.begin(); i!=dnsbll.end(); i++) { | |
467 DNSBLP dp = *i; // non null by construction | |
468 status st; | |
469 map<DNSBLP, status>::iterator f = priv.checked.find(dp); | |
470 if (f == priv.checked.end()) { | |
471 // have not checked this list yet | |
8 | 472 st = check_single(priv.ip, *dp); |
0 | 473 rejectlist = dp; |
474 priv.checked[dp] = st; | |
475 } | |
476 else { | |
477 st = (*f).second; | |
478 rejectlist = (*f).first; | |
479 } | |
480 if (st == reject) return st; | |
481 } | |
482 return oksofar; | |
483 } | |
484 | |
485 | |
486 //////////////////////////////////////////////// | |
8 | 487 // check the dnsbls specified for this recipient |
488 // | |
16 | 489 static status check_hosts(mlfiPriv &priv, char *&host, int &ip); |
490 static status check_hosts(mlfiPriv &priv, char *&host, int &ip) { | |
8 | 491 CONFIG &dc = *priv.pc; |
492 if (!dc.content_suffix) return oksofar; | |
493 int count = 0; | |
24 | 494 for (string_set::iterator i=priv.memory->hosts.begin(); i!=priv.memory->hosts.end(); i++) { |
8 | 495 count++; |
27
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
496 int lim = priv.pc->host_limit; |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
497 if ((count > lim) && (lim > 0)) return reject_host; |
16 | 498 host = *i; |
29
4dfdf33f1db0
add syslog msg freeing memory, use bare tld names without leading period
carl
parents:
28
diff
changeset
|
499 ip = protected_dns_interface(host, true); |
16 | 500 if (debug_syslog) { |
501 char buf[200]; | |
29
4dfdf33f1db0
add syslog msg freeing memory, use bare tld names without leading period
carl
parents:
28
diff
changeset
|
502 if (ip) { |
4dfdf33f1db0
add syslog msg freeing memory, use bare tld names without leading period
carl
parents:
28
diff
changeset
|
503 char adr[sizeof "255.255.255.255"]; |
4dfdf33f1db0
add syslog msg freeing memory, use bare tld names without leading period
carl
parents:
28
diff
changeset
|
504 adr[0] = '\0'; |
4dfdf33f1db0
add syslog msg freeing memory, use bare tld names without leading period
carl
parents:
28
diff
changeset
|
505 inet_ntop(AF_INET, (const u_char *)&ip, adr, sizeof(adr)); |
4dfdf33f1db0
add syslog msg freeing memory, use bare tld names without leading period
carl
parents:
28
diff
changeset
|
506 snprintf(buf, sizeof(buf), "host %s found at %s", host, adr); |
4dfdf33f1db0
add syslog msg freeing memory, use bare tld names without leading period
carl
parents:
28
diff
changeset
|
507 } |
4dfdf33f1db0
add syslog msg freeing memory, use bare tld names without leading period
carl
parents:
28
diff
changeset
|
508 else { |
4dfdf33f1db0
add syslog msg freeing memory, use bare tld names without leading period
carl
parents:
28
diff
changeset
|
509 snprintf(buf, sizeof(buf), "host %s not found", host); |
4dfdf33f1db0
add syslog msg freeing memory, use bare tld names without leading period
carl
parents:
28
diff
changeset
|
510 } |
16 | 511 my_syslog(buf); |
512 } | |
8 | 513 if (ip) { |
514 status st = check_single(ip, dc.content_suffix); | |
515 if (st == reject) return st; | |
516 } | |
517 } | |
24 | 518 host = NULL; |
26 | 519 int bin = priv.memory->binary_tags; |
24 | 520 int bad = priv.memory->bad_html_tags; |
27
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
521 int lim = priv.pc->tag_limit; |
26 | 522 if (bin > bad) return oksofar; // probably .zip or .tar.gz with random content |
27
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
523 if ((bad > lim) && (lim > 0)) return reject_tag; |
9 | 524 return oksofar; |
8 | 525 } |
526 | |
527 | |
528 //////////////////////////////////////////////// | |
0 | 529 // start of sendmail milter interfaces |
530 // | |
531 sfsistat mlfi_connect(SMFICTX *ctx, char *hostname, _SOCK_ADDR *hostaddr) | |
532 { | |
533 // allocate some private memory | |
534 mlfiPriv *priv = new mlfiPriv; | |
535 if (hostaddr->sa_family == AF_INET) { | |
536 priv->ip = ((struct sockaddr_in *)hostaddr)->sin_addr.s_addr; | |
537 } | |
538 | |
539 // save the private data | |
540 smfi_setpriv(ctx, (void*)priv); | |
541 | |
542 // continue processing | |
543 return SMFIS_CONTINUE; | |
544 } | |
545 | |
546 sfsistat mlfi_envfrom(SMFICTX *ctx, char **from) | |
547 { | |
548 mlfiPriv &priv = *MLFIPRIV; | |
549 priv.mailaddr = strdup(from[0]); | |
550 priv.authenticated = (smfi_getsymval(ctx, "{auth_authen}") != NULL); | |
551 return SMFIS_CONTINUE; | |
552 } | |
553 | |
554 sfsistat mlfi_envrcpt(SMFICTX *ctx, char **rcpt) | |
555 { | |
556 DNSBLP rejectlist = NULL; // list that caused the reject | |
557 status st = oksofar; | |
558 mlfiPriv &priv = *MLFIPRIV; | |
559 CONFIG &dc = *priv.pc; | |
560 char *rcptaddr = rcpt[0]; | |
561 char *dnsname = lookup(rcptaddr, dc.env_to_dnsbll); | |
562 char *fromname = lookup(rcptaddr, dc.env_to_chkfrom); | |
563 if ((strcmp(dnsname, BLACK) == 0) || | |
564 (strcmp(fromname, BLACK) == 0)) { | |
565 st = black; // two options to blacklist this recipient | |
566 } | |
567 else if (strcmp(fromname, WHITE) == 0) { | |
568 st = white; | |
569 } | |
570 else { | |
571 // check an env_from map | |
572 string_map *sm = find_from_map(dc, fromname); | |
573 if (sm != NULL) { | |
574 fromname = lookup(priv.mailaddr, *sm); // returns default if name not in map | |
575 if (strcmp(fromname, BLACK) == 0) { | |
576 st = black; // blacklist this envelope from value | |
577 } | |
578 if (strcmp(fromname, WHITE) == 0) { | |
579 st = white; // blacklist this envelope from value | |
580 } | |
581 } | |
582 } | |
583 if ((st == oksofar) && (strcmp(dnsname, WHITE) != 0)) { | |
584 // check dns lists | |
585 st = check_dnsbl(priv, find_dnsbll(dc, dnsname), rejectlist); | |
586 } | |
587 | |
588 if (st == reject) { | |
589 // reject the recipient based on some dnsbl | |
590 char adr[sizeof "255.255.255.255"]; | |
591 adr[0] = '\0'; | |
8 | 592 inet_ntop(AF_INET, (const u_char *)&priv.ip, adr, sizeof(adr)); |
0 | 593 char buf[2000]; |
594 snprintf(buf, sizeof(buf), rejectlist->message, adr, adr); | |
595 smfi_setreply(ctx, "550", "5.7.1", buf); | |
596 return SMFIS_REJECT; | |
597 } | |
598 else if (st == black) { | |
599 // reject the recipient based on blacklisting either from or to | |
600 smfi_setreply(ctx, "550", "5.7.1", "no such user"); | |
601 return SMFIS_REJECT; | |
602 } | |
603 else { | |
604 // accept the recipient | |
8 | 605 if (st == oksofar) { |
606 // but remember the non-whites | |
12 | 607 register_string(priv.non_whites, rcptaddr); |
8 | 608 priv.only_whites = false; |
609 } | |
610 if (st == white) { | |
611 priv.have_whites = true; | |
612 } | |
0 | 613 return SMFIS_CONTINUE; |
614 } | |
615 } | |
616 | |
8 | 617 sfsistat mlfi_body(SMFICTX *ctx, u_char *data, size_t len) |
0 | 618 { |
619 mlfiPriv &priv = *MLFIPRIV; | |
8 | 620 if (priv.authenticated) return SMFIS_CONTINUE; |
621 if (priv.only_whites) return SMFIS_CONTINUE; | |
622 priv.scanner->scan(data, len); | |
11 | 623 return SMFIS_CONTINUE; |
8 | 624 } |
625 | |
626 sfsistat mlfi_eom(SMFICTX *ctx) | |
627 { | |
27
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
628 sfsistat rc; |
8 | 629 mlfiPriv &priv = *MLFIPRIV; |
27
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
630 char *host = NULL; |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
631 int ip; |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
632 status st; |
8 | 633 // process end of message |
634 if (priv.authenticated || | |
635 priv.only_whites || | |
27
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
636 ((st=check_hosts(priv, host, ip)) == oksofar)) rc = SMFIS_CONTINUE; |
8 | 637 else { |
638 if (!priv.have_whites) { | |
639 // can reject the entire message | |
640 char buf[2000]; | |
27
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
641 if (st == reject_tag) { |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
642 // rejected due to excessive bad html tags |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
643 snprintf(buf, sizeof(buf), priv.pc->tag_limit_message); |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
644 } |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
645 else if (st == reject_host) { |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
646 // rejected due to excessive unique host/urls |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
647 snprintf(buf, sizeof(buf), priv.pc->host_limit_message); |
24 | 648 } |
649 else { | |
650 char adr[sizeof "255.255.255.255"]; | |
651 adr[0] = '\0'; | |
652 inet_ntop(AF_INET, (const u_char *)&ip, adr, sizeof(adr)); | |
653 snprintf(buf, sizeof(buf), priv.pc->content_message, host, adr); | |
654 } | |
8 | 655 smfi_setreply(ctx, "550", "5.7.1", buf); |
656 rc = SMFIS_REJECT; | |
657 } | |
658 else { | |
659 // need to accept it but remove the recipients that don't want it | |
660 for (string_set::iterator i=priv.non_whites.begin(); i!=priv.non_whites.end(); i++) { | |
661 char *rcpt = *i; | |
662 smfi_delrcpt(ctx, rcpt); | |
663 } | |
664 rc = SMFIS_CONTINUE; | |
665 } | |
0 | 666 } |
8 | 667 // reset for a new message on the same connection |
668 mlfi_abort(ctx); | |
669 return rc; | |
670 } | |
671 | |
672 sfsistat mlfi_abort(SMFICTX *ctx) | |
673 { | |
674 mlfiPriv &priv = *MLFIPRIV; | |
675 priv.reset(); | |
0 | 676 return SMFIS_CONTINUE; |
677 } | |
678 | |
679 sfsistat mlfi_close(SMFICTX *ctx) | |
680 { | |
681 mlfiPriv *priv = MLFIPRIV; | |
682 if (!priv) return SMFIS_CONTINUE; | |
683 delete priv; | |
684 smfi_setpriv(ctx, NULL); | |
685 return SMFIS_CONTINUE; | |
686 } | |
687 | |
688 struct smfiDesc smfilter = | |
689 { | |
690 "DNSBL", // filter name | |
691 SMFI_VERSION, // version code -- do not change | |
692 SMFIF_DELRCPT, // flags | |
693 mlfi_connect, // connection info filter | |
694 NULL, // SMTP HELO command filter | |
695 mlfi_envfrom, // envelope sender filter | |
696 mlfi_envrcpt, // envelope recipient filter | |
697 NULL, // header filter | |
698 NULL, // end of header | |
8 | 699 mlfi_body, // body block filter |
700 mlfi_eom, // end of message | |
701 mlfi_abort, // message aborted | |
0 | 702 mlfi_close, // connection cleanup |
703 }; | |
704 | |
705 | |
706 static void dumpit(char *name, string_map map); | |
707 static void dumpit(char *name, string_map map) { | |
9 | 708 fprintf(stdout, "\n"); |
0 | 709 for (string_map::iterator i=map.begin(); i!=map.end(); i++) { |
9 | 710 fprintf(stdout, "%s %s->%s\n", name, (*i).first, (*i).second); |
0 | 711 } |
712 } | |
713 | |
714 | |
715 static void dumpit(from_map map); | |
716 static void dumpit(from_map map) { | |
717 for (from_map::iterator i=map.begin(); i!=map.end(); i++) { | |
3 | 718 char buf[2000]; |
719 snprintf(buf, sizeof(buf), "envelope from map for %s", (*i).first); | |
0 | 720 string_map *sm = (*i).second; |
3 | 721 dumpit(buf, *sm); |
0 | 722 } |
723 } | |
724 | |
725 | |
3 | 726 static void dumpit(CONFIG &dc); |
727 static void dumpit(CONFIG &dc) { | |
5 | 728 dumpit(dc.env_from); |
729 dumpit("envelope to (dnsbl list)", dc.env_to_dnsbll); | |
730 dumpit("envelope to (from map)", dc.env_to_chkfrom); | |
9 | 731 fprintf(stdout, "\ndnsbls\n"); |
0 | 732 for (dnsblp_map::iterator i=dc.dnsbls.begin(); i!=dc.dnsbls.end(); i++) { |
9 | 733 fprintf(stdout, "%s %s %s\n", (*i).first, (*i).second->suffix, (*i).second->message); |
0 | 734 } |
9 | 735 fprintf(stdout, "\ndnsbl_lists\n"); |
0 | 736 for (dnsbllp_map::iterator i=dc.dnsblls.begin(); i!=dc.dnsblls.end(); i++) { |
737 char *name = (*i).first; | |
738 DNSBLL &dl = *((*i).second); | |
9 | 739 fprintf(stdout, "%s", name); |
0 | 740 for (DNSBLL::iterator j=dl.begin(); j!=dl.end(); j++) { |
741 DNSBL &d = **j; | |
9 | 742 fprintf(stdout, " %s", d.suffix); |
0 | 743 } |
9 | 744 fprintf(stdout, "\n"); |
0 | 745 } |
9 | 746 if (dc.content_suffix) { |
747 fprintf(stdout, "\ncontent filtering enabled with %s %s\n", dc.content_suffix, dc.content_message); | |
748 } | |
27
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
749 if (dc.host_limit) { |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
750 fprintf(stdout, "\ncontent filtering for host names enabled with limit %d %s\n", dc.host_limit, dc.host_limit_message); |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
751 } |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
752 if (dc.tag_limit) { |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
753 fprintf(stdout, "\ncontent filtering for excessive html tags enabled with limit %d %s\n", dc.tag_limit, dc.tag_limit_message); |
24 | 754 } |
9 | 755 fprintf(stdout, "\nfiles\n"); |
3 | 756 for (string_list::iterator i=dc.config_files.begin(); i!=dc.config_files.end(); i++) { |
757 char *f = *i; | |
9 | 758 fprintf(stdout, "config includes %s\n", f); |
3 | 759 } |
760 } | |
761 | |
762 | |
763 //////////////////////////////////////////////// | |
764 // check for redundant or recursive include files | |
765 // | |
766 static bool ok_to_include(CONFIG &dc, char *fn); | |
767 static bool ok_to_include(CONFIG &dc, char *fn) { | |
768 if (!fn) return false; | |
769 bool ok = true; | |
770 for (string_list::iterator i=dc.config_files.begin(); i!=dc.config_files.end(); i++) { | |
771 char *f = *i; | |
772 if (strcmp(f, fn) == 0) { | |
773 my_syslog("redundant or recursive include file detected"); | |
774 ok = false; | |
775 break; | |
776 } | |
777 } | |
778 return ok; | |
0 | 779 } |
780 | |
781 | |
782 //////////////////////////////////////////////// | |
783 // load a single config file | |
784 // | |
3 | 785 static void load_conf_dcc(CONFIG &dc, char *name, char *fn); |
786 static void load_conf_dcc(CONFIG &dc, char *name, char *fn) { | |
787 dc.config_files.push_back(fn); | |
788 char *list = BLACK; | |
789 const int LINE_SIZE = 2000; | |
790 ifstream is(fn); | |
791 if (is.fail()) return; | |
792 char line[LINE_SIZE]; | |
793 char *delim = " \t"; | |
794 int curline = 0; | |
795 while (!is.eof()) { | |
796 is.getline(line, LINE_SIZE); | |
797 curline++; | |
798 int n = strlen(line); | |
799 if (!n) continue; | |
800 for (int i=0; i<n; i++) line[i] = tolower(line[i]); | |
801 if (line[0] == '#') continue; | |
802 char *head = line; | |
803 if (strspn(line, delim) == 0) { | |
804 // have a leading ok/many tag to fetch | |
805 char *cmd = strtok(line, delim); | |
806 if (strcmp(cmd, MANY) == 0) list = BLACK; | |
807 else if (strcmp(cmd, OK) == 0) list = WHITE; | |
808 head = cmd + strlen(cmd) + 1; | |
809 } | |
810 char *cmd = strtok(head, delim); | |
811 if (!cmd) continue; | |
812 if (strcmp(cmd, "env_from") == 0) { | |
813 char *from = next_token(delim); | |
814 if (from) { | |
815 string_map &fm = really_find_from_map(dc, name); | |
816 fm[from] = list; | |
817 } | |
818 } | |
819 else if (strcmp(cmd, "env_to") == 0) { | |
820 char *to = next_token(delim); | |
821 if (to) { | |
822 dc.env_to_dnsbll[to] = list; | |
823 dc.env_to_chkfrom[to] = list; | |
824 } | |
825 } | |
826 else if (strcmp(cmd, "substitute") == 0) { | |
827 char *tag = next_token(delim); | |
828 if (tag && (strcmp(tag, "mail_host") == 0)) { | |
829 char *from = next_token(delim); | |
830 if (from) { | |
831 string_map &fm = really_find_from_map(dc, name); | |
832 fm[from] = list; | |
833 } | |
834 } | |
835 } | |
836 else if (strcmp(cmd, "include") == 0) { | |
837 char *fn = next_token(delim); | |
838 if (ok_to_include(dc, fn)) { | |
839 load_conf_dcc(dc, name, fn); | |
840 } | |
841 } | |
842 | |
843 } | |
844 is.close(); | |
845 } | |
846 | |
847 | |
0 | 848 static void load_conf(CONFIG &dc, char *fn); |
849 static void load_conf(CONFIG &dc, char *fn) { | |
850 dc.config_files.push_back(fn); | |
851 map<char*, int, ltstr> commands; | |
28 | 852 enum {dummy, tld, content, hostlimit, htmllimit, htmltag, dnsbl, dnsbll, envfrom, envto, include, includedcc}; |
853 commands["tld" ] = tld; | |
8 | 854 commands["content" ] = content; |
27
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
855 commands["host_limit" ] = hostlimit; |
24 | 856 commands["html_limit" ] = htmllimit; |
857 commands["html_tag" ] = htmltag; | |
3 | 858 commands["dnsbl" ] = dnsbl; |
859 commands["dnsbl_list" ] = dnsbll; | |
860 commands["env_from" ] = envfrom; | |
861 commands["env_to" ] = envto; | |
862 commands["include" ] = include; | |
863 commands["include_dcc"] = includedcc; | |
0 | 864 const int LINE_SIZE = 2000; |
865 ifstream is(fn); | |
866 if (is.fail()) return; | |
867 char line[LINE_SIZE]; | |
868 char orig[LINE_SIZE]; | |
869 char *delim = " \t"; | |
870 int curline = 0; | |
871 while (!is.eof()) { | |
872 is.getline(line, LINE_SIZE); | |
873 snprintf(orig, sizeof(orig), "%s", line); | |
874 curline++; | |
875 int n = strlen(line); | |
876 for (int i=0; i<n; i++) line[i] = tolower(line[i]); | |
877 char *cmd = strtok(line, delim); | |
878 if (cmd && (cmd[0] != '#') && (cmd[0] != '\0')) { | |
879 // have a decent command | |
880 bool processed = false; | |
881 switch (commands[cmd]) { | |
28 | 882 case tld: { |
29
4dfdf33f1db0
add syslog msg freeing memory, use bare tld names without leading period
carl
parents:
28
diff
changeset
|
883 char *tld = next_token(delim); |
28 | 884 if (!tld) break; // no tld value |
29
4dfdf33f1db0
add syslog msg freeing memory, use bare tld names without leading period
carl
parents:
28
diff
changeset
|
885 dc.tlds.insert(tld); |
28 | 886 processed = true; |
887 } break; | |
888 | |
8 | 889 case content: { |
890 char *suff = strtok(NULL, delim); | |
24 | 891 if (!suff) break; // no dns suffix |
8 | 892 char *msg = suff + strlen(suff); |
893 if ((msg - line) >= strlen(orig)) break; // line ended with the dns suffix | |
894 msg = strchr(msg+1, '\''); | |
895 if (!msg) break; // no reply message template | |
896 msg++; // move over the leading ' | |
897 if ((msg - line) >= strlen(orig)) break; // line ended with the leading quote | |
898 char *last = strchr(msg, '\''); | |
899 if (!last) break; // no trailing quote | |
900 *last = '\0'; // make it a null terminator | |
901 dc.content_suffix = register_string(suff); | |
902 dc.content_message = register_string(msg); | |
903 processed = true; | |
904 } break; | |
905 | |
27
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
906 case hostlimit: { |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
907 char *limit = strtok(NULL, delim); |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
908 if (!limit) break; // no integer limit |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
909 char *msg = limit + strlen(limit); |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
910 if ((msg - line) >= strlen(orig)) break; // line ended with the limit |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
911 msg = strchr(msg+1, '\''); |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
912 if (!msg) break; // no reply message template |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
913 msg++; // move over the leading ' |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
914 if ((msg - line) >= strlen(orig)) break; // line ended with the leading quote |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
915 char *last = strchr(msg, '\''); |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
916 if (!last) break; // no trailing quote |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
917 *last = '\0'; // make it a null terminator |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
918 dc.host_limit = atoi(limit); |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
919 dc.host_limit_message = register_string(msg); |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
920 processed = true; |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
921 } break; |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
922 |
24 | 923 case htmllimit: { |
924 char *limit = strtok(NULL, delim); | |
925 if (!limit) break; // no integer limit | |
926 char *msg = limit + strlen(limit); | |
927 if ((msg - line) >= strlen(orig)) break; // line ended with the limit | |
928 msg = strchr(msg+1, '\''); | |
929 if (!msg) break; // no reply message template | |
930 msg++; // move over the leading ' | |
931 if ((msg - line) >= strlen(orig)) break; // line ended with the leading quote | |
932 char *last = strchr(msg, '\''); | |
933 if (!last) break; // no trailing quote | |
934 *last = '\0'; // make it a null terminator | |
27
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
935 dc.tag_limit = atoi(limit); |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
936 dc.tag_limit_message = register_string(msg); |
24 | 937 processed = true; |
938 } break; | |
939 | |
940 case htmltag: { | |
941 char *tag = next_token(delim); | |
942 if (!tag) break; // no html tag value | |
27
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
943 dc.html_tags.insert(tag); // base version |
26 | 944 char buf[200]; |
945 snprintf(buf, sizeof(buf), "/%s", tag); | |
27
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
946 dc.html_tags.insert(register_string(buf)); // leading / |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
947 snprintf(buf, sizeof(buf), "%s/", tag); |
43a4f6b3e668
add configurable host name limit and bad html tag limits.
carl
parents:
26
diff
changeset
|
948 dc.html_tags.insert(register_string(buf)); // trailing / |
24 | 949 processed = true; |
950 } break; | |
951 | |
0 | 952 case dnsbl: { |
953 // have a new dnsbl to use | |
954 char *name = next_token(delim); | |
955 if (!name) break; // no name name | |
956 if (find_dnsbl(dc, name)) break; // duplicate entry | |
957 char *suff = strtok(NULL, delim); | |
958 if (!suff) break; // no dns suffic | |
959 char *msg = suff + strlen(suff); | |
960 if ((msg - line) >= strlen(orig)) break; // line ended with the dns suffix | |
961 msg = strchr(msg+1, '\''); | |
962 if (!msg) break; // no reply message template | |
963 msg++; // move over the leading ' | |
964 if ((msg - line) >= strlen(orig)) break; // line ended with the leading quote | |
965 char *last = strchr(msg, '\''); | |
966 if (!last) break; // no trailing quote | |
967 *last = '\0'; // make it a null terminator | |
968 dc.dnsbls[name] = new DNSBL(register_string(suff), register_string(msg)); | |
969 processed = true; | |
970 } break; | |
971 | |
972 case dnsbll: { | |
973 // define a new combination of dnsbls | |
974 char *name = next_token(delim); | |
975 if (!name) break; | |
976 if (find_dnsbll(dc, name)) break; // duplicate entry | |
977 char *list = next_token(delim); | |
978 if (!list || (*list == '\0') || (*list == '#')) break; | |
979 DNSBLLP d = new DNSBLL; | |
980 DNSBLP p = find_dnsbl(dc, list); | |
981 if (p) d->push_back(p); | |
982 while (true) { | |
983 list = next_token(delim); | |
984 if (!list || (*list == '\0') || (*list == '#')) break; | |
985 DNSBLP p = find_dnsbl(dc, list); | |
986 if (p) d->push_back(p); | |
987 } | |
988 dc.dnsblls[name] = d; | |
989 processed = true; | |
990 } break; | |
991 | |
992 case envfrom: { | |
993 // add an entry into the named string_map | |
994 char *name = next_token(delim); | |
995 if (!name) break; | |
996 char *from = next_token(delim); | |
997 if (!from) break; | |
998 char *list = next_token(delim); | |
999 if (!list) break; | |
1000 if ((strcmp(list, WHITE) == 0) || | |
1001 (strcmp(list, BLACK) == 0)) { | |
1002 string_map &fm = really_find_from_map(dc, name); | |
1003 fm[from] = list; | |
1004 processed = true; | |
1005 } | |
1006 else { | |
1007 // list may be the name of a previously defined from_map | |
1008 string_map *m = find_from_map(dc, list); | |
1009 if (m && (strcmp(list,name) != 0)) { | |
1010 string_map &pm = *m; | |
1011 string_map &fm = really_find_from_map(dc, name); | |
1012 fm.insert(pm.begin(), pm.end()); | |
1013 processed = true; | |
1014 } | |
1015 } | |
1016 } break; | |
1017 | |
1018 case envto: { | |
1019 // define the dnsbl_list and env_from maps to use for this recipient | |
1020 char *to = next_token(delim); | |
1021 if (!to) break; | |
1022 char *list = next_token(delim); | |
1023 if (!list) break; | |
1024 char *from = next_token(delim); | |
1025 if (!from) break; | |
1026 dc.env_to_dnsbll[to] = list; | |
1027 dc.env_to_chkfrom[to] = from; | |
1028 processed = true; | |
1029 } break; | |
1030 | |
1031 case include: { | |
1032 char *fn = next_token(delim); | |
3 | 1033 if (ok_to_include(dc, fn)) { |
1034 load_conf(dc, fn); | |
1035 processed = true; | |
1036 } | |
1037 } break; | |
1038 | |
1039 case includedcc: { | |
1040 char *name = next_token(delim); | |
1041 if (!name) break; | |
1042 char *fn = next_token(delim); | |
1043 if (ok_to_include(dc, fn)) { | |
1044 load_conf_dcc(dc, name, fn); | |
1045 processed = true; | |
0 | 1046 } |
1047 } break; | |
1048 | |
1049 default: { | |
1050 } break; | |
1051 } | |
1052 if (!processed) { | |
1053 pthread_mutex_lock(&syslog_mutex); | |
1054 openlog("dnsbl", LOG_PID, LOG_MAIL); | |
1055 syslog(LOG_ERR, "ignoring file %s line %d : %s\n", fn, curline, orig); | |
1056 closelog(); | |
1057 pthread_mutex_unlock(&syslog_mutex); | |
1058 } | |
1059 } | |
1060 } | |
1061 is.close(); | |
1062 } | |
1063 | |
1064 | |
1065 //////////////////////////////////////////////// | |
1066 // reload the config | |
1067 // | |
1068 static CONFIG* new_conf(); | |
1069 static CONFIG* new_conf() { | |
1070 CONFIG *newc = new CONFIG; | |
29
4dfdf33f1db0
add syslog msg freeing memory, use bare tld names without leading period
carl
parents:
28
diff
changeset
|
1071 pthread_mutex_lock(&config_mutex); |
4dfdf33f1db0
add syslog msg freeing memory, use bare tld names without leading period
carl
parents:
28
diff
changeset
|
1072 newc->generation = generation++; |
4dfdf33f1db0
add syslog msg freeing memory, use bare tld names without leading period
carl
parents:
28
diff
changeset
|
1073 pthread_mutex_unlock(&config_mutex); |
4dfdf33f1db0
add syslog msg freeing memory, use bare tld names without leading period
carl
parents:
28
diff
changeset
|
1074 char buf[200]; |
4dfdf33f1db0
add syslog msg freeing memory, use bare tld names without leading period
carl
parents:
28
diff
changeset
|
1075 snprintf(buf, sizeof(buf), "loading configuration generation %d", newc->generation); |
4dfdf33f1db0
add syslog msg freeing memory, use bare tld names without leading period
carl
parents:
28
diff
changeset
|
1076 my_syslog(buf); |
0 | 1077 load_conf(*newc, "dnsbl.conf"); |
1078 newc->load_time = time(NULL); | |
1079 return newc; | |
1080 } | |
1081 | |
1082 | |
1083 //////////////////////////////////////////////// | |
1084 // thread to watch the old config files for changes | |
1085 // and reload when needed. we also cleanup old | |
1086 // configs whose reference count has gone to zero. | |
1087 // | |
1088 static void* config_loader(void *arg); | |
1089 static void* config_loader(void *arg) { | |
1090 typedef set<CONFIG *> configp_set; | |
1091 configp_set old_configs; | |
18 | 1092 while (loader_run) { |
0 | 1093 sleep(180); // look for modifications every 3 minutes |
18 | 1094 if (!loader_run) break; |
0 | 1095 CONFIG &dc = *config; |
1096 time_t then = dc.load_time; | |
1097 struct stat st; | |
1098 bool reload = false; | |
1099 for (string_list::iterator i=dc.config_files.begin(); i!=dc.config_files.end(); i++) { | |
1100 char *fn = *i; | |
1101 if (stat(fn, &st)) reload = true; // file disappeared | |
1102 else if (st.st_mtime > then) reload = true; // file modified | |
1103 if (reload) break; | |
1104 } | |
1105 if (reload) { | |
1106 CONFIG *newc = new_conf(); | |
1107 // replace the global config pointer | |
1108 pthread_mutex_lock(&config_mutex); | |
1109 CONFIG *old = config; | |
1110 config = newc; | |
1111 pthread_mutex_unlock(&config_mutex); | |
1112 if (old) old_configs.insert(old); | |
1113 } | |
1114 // now look for old configs with zero ref counts | |
1115 for (configp_set::iterator i=old_configs.begin(); i!=old_configs.end(); ) { | |
1116 CONFIG *old = *i; | |
1117 if (!old->reference_count) { | |
29
4dfdf33f1db0
add syslog msg freeing memory, use bare tld names without leading period
carl
parents:
28
diff
changeset
|
1118 char buf[200]; |
4dfdf33f1db0
add syslog msg freeing memory, use bare tld names without leading period
carl
parents:
28
diff
changeset
|
1119 snprintf(buf, sizeof(buf), "freeing memory for old configuration generation %d", old->generation); |
4dfdf33f1db0
add syslog msg freeing memory, use bare tld names without leading period
carl
parents:
28
diff
changeset
|
1120 my_syslog(buf); |
0 | 1121 delete old; // destructor does all the work |
1122 old_configs.erase(i++); | |
1123 } | |
1124 else i++; | |
1125 } | |
1126 } | |
18 | 1127 return NULL; |
0 | 1128 } |
1129 | |
1130 | |
1131 static void usage(char *prog); | |
1132 static void usage(char *prog) | |
1133 { | |
16 | 1134 fprintf(stderr, "Usage: %s [-d] [-c] -p socket-addr [-t timeout]\n", prog); |
0 | 1135 fprintf(stderr, "where socket-addr is for the connection to sendmail and should be one of\n"); |
1136 fprintf(stderr, " inet:port@local-ip-address\n"); | |
1137 fprintf(stderr, " local:local-domain-socket-file-name\n"); | |
9 | 1138 fprintf(stderr, "-c will load and dump the config to stdout\n"); |
16 | 1139 fprintf(stderr, "-d will add some syslog debug messages\n"); |
0 | 1140 } |
1141 | |
1142 | |
1143 int main(int argc, char**argv) | |
1144 { | |
3 | 1145 bool check = false; |
1146 bool setconn = false; | |
0 | 1147 int c; |
16 | 1148 const char *args = "p:t:hcd"; |
0 | 1149 extern char *optarg; |
1150 | |
1151 // Process command line options | |
1152 while ((c = getopt(argc, argv, args)) != -1) { | |
1153 switch (c) { | |
1154 case 'p': | |
1155 if (optarg == NULL || *optarg == '\0') { | |
1156 fprintf(stderr, "Illegal conn: %s\n", optarg); | |
1157 exit(EX_USAGE); | |
1158 } | |
1159 if (smfi_setconn(optarg) == MI_FAILURE) { | |
1160 fprintf(stderr, "smfi_setconn failed\n"); | |
1161 exit(EX_SOFTWARE); | |
1162 } | |
1163 | |
1164 if (strncasecmp(optarg, "unix:", 5) == 0) unlink(optarg + 5); | |
1165 else if (strncasecmp(optarg, "local:", 6) == 0) unlink(optarg + 6); | |
3 | 1166 setconn = true; |
0 | 1167 break; |
1168 | |
1169 case 't': | |
1170 if (optarg == NULL || *optarg == '\0') { | |
1171 fprintf(stderr, "Illegal timeout: %s\n", optarg); | |
1172 exit(EX_USAGE); | |
1173 } | |
1174 if (smfi_settimeout(atoi(optarg)) == MI_FAILURE) { | |
1175 fprintf(stderr, "smfi_settimeout failed\n"); | |
1176 exit(EX_SOFTWARE); | |
1177 } | |
1178 break; | |
1179 | |
3 | 1180 case 'c': |
1181 check = true; | |
1182 break; | |
1183 | |
16 | 1184 case 'd': |
1185 debug_syslog = true; | |
1186 break; | |
1187 | |
0 | 1188 case 'h': |
1189 default: | |
1190 usage(argv[0]); | |
1191 exit(EX_USAGE); | |
1192 } | |
1193 } | |
5 | 1194 |
1195 if (check) { | |
1196 CONFIG &dc = *new_conf(); | |
1197 dumpit(dc); | |
1198 return 0; | |
1199 } | |
1200 | |
0 | 1201 if (!setconn) { |
1202 fprintf(stderr, "%s: Missing required -p argument\n", argv[0]); | |
1203 usage(argv[0]); | |
1204 exit(EX_USAGE); | |
1205 } | |
5 | 1206 |
0 | 1207 if (smfi_register(smfilter) == MI_FAILURE) { |
1208 fprintf(stderr, "smfi_register failed\n"); | |
1209 exit(EX_UNAVAILABLE); | |
1210 } | |
1211 | |
1212 // switch to background mode | |
1213 if (daemon(1,0) < 0) { | |
1214 fprintf(stderr, "daemon() call failed\n"); | |
1215 exit(EX_UNAVAILABLE); | |
1216 } | |
1217 | |
1218 // initialize the thread sync objects | |
1219 pthread_mutex_init(&config_mutex, 0); | |
1220 pthread_mutex_init(&syslog_mutex, 0); | |
1221 pthread_mutex_init(&resolve_mutex, 0); | |
1222 | |
1223 // load the initial config | |
1224 config = new_conf(); | |
1225 | |
1226 // only create threads after the fork() in daemon | |
1227 pthread_t tid; | |
1228 if (pthread_create(&tid, 0, config_loader, 0)) | |
1229 my_syslog("failed to create config loader thread"); | |
1230 if (pthread_detach(tid)) | |
1231 my_syslog("failed to detach config loader thread"); | |
1232 | |
1233 // write the pid | |
1234 const char *pidpath = "/var/run/dnsbl.pid"; | |
1235 unlink(pidpath); | |
1236 FILE *f = fopen(pidpath, "w"); | |
1237 if (f) { | |
22 | 1238 #ifdef linux |
1239 // from a comment in the DCC source code: | |
1240 // Linux threads are broken. Signals given the | |
1241 // original process are delivered to only the | |
1242 // thread that happens to have that PID. The | |
1243 // sendmail libmilter thread that needs to hear | |
1244 // SIGINT and other signals does not, and that breaks | |
1245 // scripts that need to stop milters. | |
1246 // However, signaling the process group works. | |
0 | 1247 fprintf(f, "-%d\n", (u_int)getpgrp()); |
22 | 1248 #else |
1249 fprintf(f, "%d\n", (u_int)getpid()); | |
1250 #endif | |
0 | 1251 fclose(f); |
1252 } | |
1253 | |
18 | 1254 time_t starting = time(NULL); |
1255 int rc = smfi_main(); | |
22 | 1256 if ((rc != MI_SUCCESS) && (time(NULL) > starting+5*60)) { |
18 | 1257 my_syslog("trying to restart after smfi_main()"); |
1258 loader_run = false; // eventually the config loader thread will terminate | |
1259 execvp(argv[0], argv); | |
1260 } | |
1261 exit((rc == MI_SUCCESS) ? 0 : EX_UNAVAILABLE); | |
0 | 1262 } |
8 | 1263 |