Mercurial > dnsbl
comparison src/dnsbl.cpp @ 340:be776a246f97
when dkim require_signed overrides envelope from whitelisting, we still want to check dns based white/blacklists before content filtering
| author | Carl Byington <carl@five-ten-sg.com> |
|---|---|
| date | Wed, 21 Dec 2016 15:08:28 -0800 |
| parents | f375a67ee516 |
| children | 6d27b4f45799 |
comparison
equal
deleted
inserted
replaced
| 339:bd16c9005d79 | 340:be776a246f97 |
|---|---|
| 1265 char msg[maxlen]; | 1265 char msg[maxlen]; |
| 1266 snprintf(msg, sizeof(msg), "from <%s> to <%s> using context %s state %s reply context %s state %s", priv.mailaddr, loto, con.get_full_name(buf,maxlen), fromvalue, con2.get_full_name(buf2,maxlen), replyvalue); | 1266 snprintf(msg, sizeof(msg), "from <%s> to <%s> using context %s state %s reply context %s state %s", priv.mailaddr, loto, con.get_full_name(buf,maxlen), fromvalue, con2.get_full_name(buf2,maxlen), replyvalue); |
| 1267 my_syslog(&priv, msg); | 1267 my_syslog(&priv, msg); |
| 1268 } | 1268 } |
| 1269 free((void*)loto); | 1269 free((void*)loto); |
| 1270 status st; | 1270 status st = oksofar; |
| 1271 if (replyvalue == token_black) { | 1271 if (replyvalue == token_black) { |
| 1272 smfi_setreply(ctx, (char*)"550", (char*)"5.7.1", (char*)"recipient can not reply due to blacklisting"); | 1272 smfi_setreply(ctx, (char*)"550", (char*)"5.7.1", (char*)"recipient can not reply due to blacklisting"); |
| 1273 return SMFIS_REJECT; | 1273 return SMFIS_REJECT; |
| 1274 } | 1274 } |
| 1275 if (priv.authenticated) { | 1275 if (priv.authenticated) { |
| 1303 } | 1303 } |
| 1304 else st = white; | 1304 else st = white; |
| 1305 } | 1305 } |
| 1306 else st = white; // might be <>, envelope from has no @ | 1306 else st = white; // might be <>, envelope from has no @ |
| 1307 } | 1307 } |
| 1308 else { | 1308 |
| 1309 if (st == oksofar) { | |
| 1309 // check the dns based lists, whitelist first | 1310 // check the dns based lists, whitelist first |
| 1310 DNSWLP acceptlist = NULL; // list that caused the whitelisting | 1311 DNSWLP acceptlist = NULL; // list that caused the whitelisting |
| 1311 if (check_dnswl(priv, con.get_dnswl_list(), acceptlist)) { | 1312 if (check_dnswl(priv, con.get_dnswl_list(), acceptlist)) { |
| 1312 st = white; | 1313 st = white; |
| 1313 if (debug_syslog > 1) { | 1314 if (debug_syslog > 1) { |
| 1315 snprintf(msg, sizeof(msg), "whitelisted by %s", acceptlist->name); | 1316 snprintf(msg, sizeof(msg), "whitelisted by %s", acceptlist->name); |
| 1316 my_syslog(&priv, msg); | 1317 my_syslog(&priv, msg); |
| 1317 } | 1318 } |
| 1318 } | 1319 } |
| 1319 else if (check_dnsbl(priv, con.get_dnsbl_list(), rejectlist)) { | 1320 else if (check_dnsbl(priv, con.get_dnsbl_list(), rejectlist)) { |
| 1320 st = reject; | 1321 // reject the recipient based on some dnsbl |
| 1321 } | 1322 char adr[sizeof "255.255.255.255 "]; |
| 1322 else { | 1323 adr[0] = '\0'; |
| 1323 st = oksofar; | 1324 inet_ntop(AF_INET, (const u_char *)&priv.ip, adr, sizeof(adr)); |
| 1324 } | 1325 char buf[maxlen]; |
| 1325 } | 1326 snprintf(buf, sizeof(buf), rejectlist->message, adr, adr); |
| 1326 if (st == reject) { | 1327 smfi_setreply(ctx, (char*)"550", (char*)"5.7.1", buf); |
| 1327 // reject the recipient based on some dnsbl | 1328 return SMFIS_REJECT; |
| 1328 char adr[sizeof "255.255.255.255 "]; | 1329 } |
| 1329 adr[0] = '\0'; | 1330 } |
| 1330 inet_ntop(AF_INET, (const u_char *)&priv.ip, adr, sizeof(adr)); | 1331 |
| 1331 char buf[maxlen]; | |
| 1332 snprintf(buf, sizeof(buf), rejectlist->message, adr, adr); | |
| 1333 smfi_setreply(ctx, (char*)"550", (char*)"5.7.1", buf); | |
| 1334 return SMFIS_REJECT; | |
| 1335 } | |
| 1336 if (st == oksofar) { | 1332 if (st == oksofar) { |
| 1337 // check forged rdns | 1333 // check forged rdns |
| 1338 if (con.get_requirerdns() && (!priv.client_dns_name || priv.client_dns_forged)) { | 1334 if (con.get_requirerdns() && (!priv.client_dns_name || priv.client_dns_forged)) { |
| 1339 // reject the recipient based on forged reverse dns | 1335 // reject the recipient based on forged reverse dns |
| 1340 char buf[maxlen]; | 1336 char buf[maxlen]; |
| 1352 smfi_setreply(ctx, (char*)"550", (char*)"5.7.1", buf); | 1348 smfi_setreply(ctx, (char*)"550", (char*)"5.7.1", buf); |
| 1353 return SMFIS_REJECT; | 1349 return SMFIS_REJECT; |
| 1354 } | 1350 } |
| 1355 } | 1351 } |
| 1356 } | 1352 } |
| 1353 | |
| 1357 if (st == black) { | 1354 if (st == black) { |
| 1358 // reject the recipient based on blacklisting either from or to | 1355 // reject the recipient based on blacklisting either from or to |
| 1359 smfi_setreply(ctx, (char*)"550", (char*)"5.7.1", (char*)"no such user"); | 1356 smfi_setreply(ctx, (char*)"550", (char*)"5.7.1", (char*)"no such user"); |
| 1360 return SMFIS_REJECT; | 1357 return SMFIS_REJECT; |
| 1361 } | 1358 } |
| 1359 | |
| 1362 if (ver) { | 1360 if (ver) { |
| 1363 // try to verify this from/to pair of addresses even if it might be explicitly whitelisted | 1361 // try to verify this from/to pair of addresses even if it might be explicitly whitelisted |
| 1364 const char *loto = to_lower_string(rcptaddr); | 1362 const char *loto = to_lower_string(rcptaddr); |
| 1365 bool rc = ver->ok(priv.queueid, priv.mailaddr, loto); | 1363 bool rc = ver->ok(priv.queueid, priv.mailaddr, loto); |
| 1366 free((void*)loto); | 1364 free((void*)loto); |
| 1367 if (!rc) { | 1365 if (!rc) { |
| 1368 smfi_setreply(ctx, (char*)"550", (char*)"5.7.1", (char*)"no such user"); | 1366 smfi_setreply(ctx, (char*)"550", (char*)"5.7.1", (char*)"no such user"); |
| 1369 return SMFIS_REJECT; | 1367 return SMFIS_REJECT; |
| 1370 } | 1368 } |
| 1371 } | 1369 } |
| 1370 | |
| 1372 if (!priv.authenticated && dc.default_context->is_unauthenticated_limited(priv.mailaddr)) { | 1371 if (!priv.authenticated && dc.default_context->is_unauthenticated_limited(priv.mailaddr)) { |
| 1373 int hourly, daily; | 1372 int hourly, daily; |
| 1374 incr_rcpt_count(priv.mailaddr, hourly, daily); | 1373 incr_rcpt_count(priv.mailaddr, hourly, daily); |
| 1375 int h_limit = dc.default_context->find_rate_limit(priv.mailaddr); | 1374 int h_limit = dc.default_context->find_rate_limit(priv.mailaddr); |
| 1376 int d_limit = dc.default_context->get_daily_rate_multiple() * h_limit; | 1375 int d_limit = dc.default_context->get_daily_rate_multiple() * h_limit; |
| 1382 if ((hourly > h_limit) || (daily > d_limit)){ | 1381 if ((hourly > h_limit) || (daily > d_limit)){ |
| 1383 smfi_setreply(ctx, (char*)"550", (char*)"5.7.1", (char*)"recipient rate limit exceeded"); | 1382 smfi_setreply(ctx, (char*)"550", (char*)"5.7.1", (char*)"recipient rate limit exceeded"); |
| 1384 return SMFIS_REJECT; | 1383 return SMFIS_REJECT; |
| 1385 } | 1384 } |
| 1386 } | 1385 } |
| 1386 | |
| 1387 // we will accept the recipient, but add an auto-whitelist entry | 1387 // we will accept the recipient, but add an auto-whitelist entry |
| 1388 // if needed to ensure we can accept replies | 1388 // if needed to ensure we can accept replies |
| 1389 loto = to_lower_string(rcptaddr); | 1389 loto = to_lower_string(rcptaddr); |
| 1390 WHITELISTERP w = con2.find_autowhite(loto, priv.mailaddr); | 1390 WHITELISTERP w = con2.find_autowhite(loto, priv.mailaddr); |
| 1391 | 1391 |