dnsbl: src/dnsbl.cpp comparison

comparison src/dnsbl.cpp @ 8:dbe18921f741

integration work on url scanner

author	carl
date	Thu, 22 Apr 2004 11:25:45 -0700
parents	793ac9cc114d
children	8c65411cd7ab

comparison

equal deleted inserted replaced

-:93ff6d1ef647
+:dbe18921f741
 // from sendmail sample
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <errno.h>
-#include <stdio.h>
+//#include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sysexits.h>
 #include <unistd.h>
 // misc stuff needed here
 #include <ctype.h>
 #include <fstream>
 #include <syslog.h>
+static char* dnsbl_version="$Id$";
-static char* version="$Id$";
+#define DEFAULT "default"
+#define WHITE   "white"
+#define BLACK   "black"
+#define OK      "ok"
+#define MANY    "many"
+enum status {oksofar,   // not rejected yet
+white,     // whitelisted by envelope from
+black,     // blacklisted by envelope from or to
+reject};   // rejected by a dns list
 using namespace std;
 extern "C" {
 #include "libmilter/mfapi.h"
 sfsistat mlfi_connect(SMFICTX *ctx, char *hostname, _SOCK_ADDR *hostaddr);
 sfsistat mlfi_envfrom(SMFICTX *ctx, char **argv);
 sfsistat mlfi_envrcpt(SMFICTX *ctx, char **argv);
-sfsistat mlfi_eom_or_abort(SMFICTX *ctx);
+sfsistat mlfi_body(SMFICTX *ctx, u_char *data, size_t len);
+sfsistat mlfi_eom(SMFICTX *ctx);
+sfsistat mlfi_abort(SMFICTX *ctx);
 sfsistat mlfi_close(SMFICTX *ctx);
 }
 struct ltstr {
 bool operator()(char* s1, char* s2) const {
 dnsblp_map  dnsbls;
 dnsbllp_map dnsblls;
 from_map    env_from;
 string_map  env_to_dnsbll;      // map recipient to a named dnsbll
 string_map  env_to_chkfrom;     // map recipient to a named from map
+char *      content_suffix;     // for sbl url body filtering
+char *      content_message;
 CONFIG();
 ~CONFIG();
 };
 CONFIG::CONFIG() {
 reference_count = 0;
 load_time       = 0;
+content_suffix  = NULL;
+content_message = NULL;
 }
 CONFIG::~CONFIG() {
 for (dnsblp_map::iterator i=dnsbls.begin(); i!=dnsbls.end(); i++) {
 DNSBLP d = (*i).second;
 delete d;
 static pthread_mutex_t  syslog_mutex;
 static pthread_mutex_t  resolve_mutex;
-////////////////////////////////////////////////
+// include the content scanner
-// predefined names
+#include "scanner.cpp"
-//
-#define DEFAULT "default"
-#define WHITE   "white"
+////////////////////////////////////////////////
-#define BLACK   "black"
+// helper to discard the strings held by a string_set
-#define OK      "ok"
+//
-#define MANY    "many"
+static void discard(string_set s);
+static void discard(string_set s) {
+for (string_set::iterator i=s.begin(); i!=s.end(); i++) {
+free(*i);
+}
+}
 ////////////////////////////////////////////////
 // mail filter private data, held for us by sendmail
 //
-enum status {oksofar,   // not rejected yet
-white,     // whitelisted by envelope from
-black,     // blacklisted by envelope from or to
-reject};   // rejected by a dns list
 struct mlfiPriv
 {
-CONFIG  *pc;            // global context with our maps
+// connection specific data
-int     ip;             // ip4 address of the smtp client
+CONFIG  *pc;                    // global context with our maps
+int     ip;                     // ip4 address of the smtp client
+map<DNSBLP, status> checked;    // status from those lists
+// message specific data
 char    *mailaddr;      // envelope from value
 bool    authenticated;  // client authenticated? if so, suppress all dnsbl checks
-map<DNSBLP, status> checked;    // status from those lists
+bool    have_whites;    // have at least one whitelisted recipient? need to accept content and remove all non-whitelisted recipients if it fails
+bool    only_whites;    // every recipient is whitelisted?
+url_scanner *scanner;   // object to handle body scanning
+string_set  non_whites; // remember the non-whitelisted recipients so we can remove them if need be
+string_set  urls;       // remember the urls that we have checked
 mlfiPriv();
 ~mlfiPriv();
+void reset(bool final = false); // for a new message
 };
 mlfiPriv::mlfiPriv() {
 pthread_mutex_lock(&config_mutex);
 pc = config;
 pc->reference_count++;
 pthread_mutex_unlock(&config_mutex);
-ip       = 0;
+ip            = 0;
-mailaddr = NULL;
+mailaddr      = NULL;
+authenticated = false;
+have_whites   = false;
+only_whites   = true;
+scanner       = new url_scanner(&urls);
 }
 mlfiPriv::~mlfiPriv() {
 pthread_mutex_lock(&config_mutex);
 pc->reference_count--;
 pthread_mutex_unlock(&config_mutex);
+reset(true);
+}
+void mlfiPriv::reset(bool final) {
 if (mailaddr) free(mailaddr);
+delete scanner;
+discard(non_whites);
+discard(urls);
+if (!final) {
+mailaddr      = NULL;
+authenticated = false;
+have_whites   = false;
+only_whites   = true;
+scanner       = new url_scanner(&urls);
+}
 }
 #define MLFIPRIV    ((struct mlfiPriv *) smfi_getpriv(ctx))
 return *sm;
 }
 ////////////////////////////////////////////////
-//  check a single dnsbl - we don't try very hard, just
+//
-//  using the default resolver retry settings. If we cannot
+//  ask a dns question and get an A record answer - we don't try
-//  get an answer, we just accept the mail. The caller
+//  very hard, just using the default resolver retry settings.
-//  must ensure thread safety.
+//  If we cannot get an answer, we just accept the mail.  The
-//
+//  caller must ensure thread safety.
-static status check_single(int ip, DNSBL &bl);
+//
-static status check_single(int ip, DNSBL &bl) {
+//
+static int dns_interface(char *question);
+static int dns_interface(char *question) {
+u_char answer[NS_PACKETSZ];
+int length = res_search(question, ns_c_in, ns_t_a, answer, sizeof(answer));
+if (length < 0) return 0;   // error in getting answer
+// parse the answer
+ns_msg handle;
+ns_rr  rr;
+if (ns_initparse(answer, length, &handle) != 0) return 0;
+int rrnum = 0;
+while (ns_parserr(&handle, ns_s_an, rrnum++, &rr) == 0) {
+if (ns_rr_type(rr) == ns_t_a) {
+int address;
+memcpy(&address, ns_rr_rdata(rr), sizeof(address));
+return address;
+}
+}
+return 0;
+}
+static int protected_dns_interface(char *question);
+static int protected_dns_interface(char *question) {
+int ans;
+pthread_mutex_lock(&resolve_mutex);
+ans = dns_interface(question);
+pthread_mutex_unlock(&resolve_mutex);
+return ans;
+}
+////////////////////////////////////////////////
+//  check a single dnsbl
+//
+static status check_single(int ip, char *suffix);
+static status check_single(int ip, char *suffix) {
 // make a dns question
 const u_char *src = (const u_char *)&ip;
 if (src[0] == 127) return oksofar;  // don't do dns lookups on localhost
 char question[NS_MAXDNAME];
-snprintf(question, sizeof(question), "%u.%u.%u.%u.%s.", src[3], src[2], src[1], src[0], bl.suffix);
+snprintf(question, sizeof(question), "%u.%u.%u.%u.%s.", src[3], src[2], src[1], src[0], suffix);
-// ask the question
+// ask the question, if we get an A record it implies a blacklisted ip address
-u_char answer[NS_PACKETSZ];
+return (protected_dns_interface(question)) ? reject : oksofar;
-int length = res_search(question, ns_c_in, ns_t_a, answer, sizeof(answer));
+}
-if (length < 0) return oksofar;     // error in getting answer
-// parse the answer
-ns_msg handle;
+////////////////////////////////////////////////
-ns_rr  rr;
+//  check a single dnsbl
-if (ns_initparse(answer, length, &handle) != 0) return oksofar;
+//
-int rrnum = 0;
+static status check_single(int ip, DNSBL &bl);
-while (ns_parserr(&handle, ns_s_an, rrnum++, &rr) == 0) {
+static status check_single(int ip, DNSBL &bl) {
-if (ns_rr_type(rr) == ns_t_a) {
+return check_single(ip, bl.suffix);
-// we see an A record, implies blacklisted ip address
-return reject;
-}
-}
-return oksofar;
 }
 ////////////////////////////////////////////////
 //  check the dnsbls specified for this recipient
 DNSBLP dp = *i;     // non null by construction
 status st;
 map<DNSBLP, status>::iterator f = priv.checked.find(dp);
 if (f == priv.checked.end()) {
 // have not checked this list yet
-pthread_mutex_lock(&resolve_mutex);
+st = check_single(priv.ip, *dp);
-st = check_single(priv.ip, *dp);
-pthread_mutex_unlock(&resolve_mutex);
 rejectlist = dp;
 priv.checked[dp] = st;
 }
 else {
 st = (*f).second;
 rejectlist = (*f).first;
 }
 if (st == reject) return st;
 }
 return oksofar;
+}
+////////////////////////////////////////////////
+//  check the dnsbls specified for this recipient
+//
+static status check_urls(mlfiPriv &priv, char *&url, int &ip);
+static status check_urls(mlfiPriv &priv, char *&url, int &ip) {
+CONFIG     &dc   = *priv.pc;
+if (!dc.content_suffix) return oksofar;
+int count = 0;
+for (string_set::iterator i=priv.urls.begin(); i!=priv.urls.end(); i++) {
+count++;
+if (count > 20) break;  // silly to check too many urls
+url = *i;
+char buf[200];
+snprintf(buf, sizeof(buf), "looking for url %s", url);
+my_syslog(buf);
+ip  = protected_dns_interface(url);
+if (ip) {
+status st = check_single(ip, dc.content_suffix);
+if (st == reject) return st;
+}
+}
 }
 ////////////////////////////////////////////////
 // start of sendmail milter interfaces
 if (st == reject) {
 // reject the recipient based on some dnsbl
 char adr[sizeof "255.255.255.255"];
 adr[0] = '\0';
-const char *rc = inet_ntop(AF_INET, (const u_char *)&priv.ip, adr, sizeof(adr));
+inet_ntop(AF_INET, (const u_char *)&priv.ip, adr, sizeof(adr));
 char buf[2000];
 snprintf(buf, sizeof(buf), rejectlist->message, adr, adr);
 smfi_setreply(ctx, "550", "5.7.1", buf);
 return SMFIS_REJECT;
 }
 smfi_setreply(ctx, "550", "5.7.1", "no such user");
 return SMFIS_REJECT;
 }
 else {
 // accept the recipient
+if (st == oksofar) {
+// but remember the non-whites
+priv.non_whites.insert(strdup(rcptaddr));
+priv.only_whites = false;
+}
+if (st == white) {
+priv.have_whites = true;
+}
 return SMFIS_CONTINUE;
 }
 }
-sfsistat mlfi_eom_or_abort(SMFICTX *ctx)
+sfsistat mlfi_body(SMFICTX *ctx, u_char *data, size_t len)
 {
 mlfiPriv &priv = *MLFIPRIV;
-if (priv.mailaddr) {
+if (priv.authenticated) return SMFIS_CONTINUE;
-free(priv.mailaddr);
+if (priv.only_whites)   return SMFIS_CONTINUE;
-priv.mailaddr = NULL;
+priv.scanner->scan(data, len);
 }
+sfsistat mlfi_eom(SMFICTX *ctx)
+{
+sfsistat rc;
+mlfiPriv &priv = *MLFIPRIV;
+char *url = NULL;
+int  ip;
+// process end of message
+if (priv.authenticated ||
+priv.only_whites   ||
+(check_urls(priv, url, ip) == oksofar)) rc = SMFIS_CONTINUE;
+else {
+if (!priv.have_whites) {
+// can reject the entire message
+char adr[sizeof "255.255.255.255"];
+adr[0] = '\0';
+inet_ntop(AF_INET, (const u_char *)&ip, adr, sizeof(adr));
+char buf[2000];
+snprintf(buf, sizeof(buf), priv.pc->content_message, url, adr);
+smfi_setreply(ctx, "550", "5.7.1", buf);
+rc = SMFIS_REJECT;
+}
+else {
+// need to accept it but remove the recipients that don't want it
+for (string_set::iterator i=priv.non_whites.begin(); i!=priv.non_whites.end(); i++) {
+char *rcpt = *i;
+smfi_delrcpt(ctx, rcpt);
+}
+rc = SMFIS_CONTINUE;
+}
+}
+// reset for a new message on the same connection
+mlfi_abort(ctx);
+return rc;
+}
+sfsistat mlfi_abort(SMFICTX *ctx)
+{
+mlfiPriv &priv = *MLFIPRIV;
+priv.reset();
 return SMFIS_CONTINUE;
 }
 sfsistat mlfi_close(SMFICTX *ctx)
 {
 NULL,               // SMTP HELO command filter
 mlfi_envfrom,       // envelope sender filter
 mlfi_envrcpt,       // envelope recipient filter
 NULL,               // header filter
 NULL,               // end of header
-NULL,               // body block filter
+mlfi_body,          // body block filter
-mlfi_eom_or_abort,  // end of message
+mlfi_eom,           // end of message
-mlfi_eom_or_abort,  // message aborted
+mlfi_abort,         // message aborted
 mlfi_close,         // connection cleanup
 };
 static void dumpit(char *name, string_map map);
 static void load_conf(CONFIG &dc, char *fn);
 static void load_conf(CONFIG &dc, char *fn) {
 dc.config_files.push_back(fn);
 map<char*, int, ltstr> commands;
-enum {dummy, dnsbl, dnsbll, envfrom, envto, include, includedcc};
+enum {dummy, content, dnsbl, dnsbll, envfrom, envto, include, includedcc};
+commands["content"    ] = content;
 commands["dnsbl"      ] = dnsbl;
 commands["dnsbl_list" ] = dnsbll;
 commands["env_from"   ] = envfrom;
 commands["env_to"     ] = envto;
 commands["include"    ] = include;
 char *cmd = strtok(line, delim);
 if (cmd && (cmd[0] != '#') && (cmd[0] != '\0')) {
 // have a decent command
 bool processed = false;
 switch (commands[cmd]) {
+case content: {
+char *suff = strtok(NULL, delim);
+if (!suff) break;                           // no dns suffic
+char *msg = suff + strlen(suff);
+if ((msg - line) >= strlen(orig)) break;    // line ended with the dns suffix
+msg  = strchr(msg+1, '\'');
+if (!msg) break;                            // no reply message template
+msg++; // move over the leading '
+if ((msg - line) >= strlen(orig)) break;    // line ended with the leading quote
+char *last = strchr(msg, '\'');
+if (!last) break;                           // no trailing quote
+*last = '\0';                               // make it a null terminator
+dc.content_suffix  = register_string(suff);
+dc.content_message = register_string(msg);
+processed = true;
+} break;
 case dnsbl: {
 // have a new dnsbl to use
 char *name = next_token(delim);
 if (!name) break;                           // no name name
 if (find_dnsbl(dc, name)) break;            // duplicate entry
 fclose(f);
 }
 return smfi_main();
 }

Mercurial > dnsbl

comparison src/dnsbl.cpp @ 8:dbe18921f741