pape at smarden
Mar 22, 2010, 9:04 AM
Post #8 of 8
(1693 views)
Permalink
|
|
Re: netqmail: reject unknown recipients during SMTP
[In reply to]
|
|
On Wed, Sep 09, 2009 at 02:36:55PM -0500, Kyle Wheeler wrote:
> On Wednesday, September 9 at 03:52 PM, quoth Gerrit Pape:
> >On Mon, Sep 07, 2009 at 05:36:09PM +0200, Markus Stumpf wrote:
> >> On Mon, Sep 07, 2009 at 03:06:19PM +0000, Gerrit Pape wrote:
> >> > is still a plan, work in progress, or canceled?
> >>
> >> from qmail.org:
> >> - Andrew Richards has modified Paul Jarc's realrcptto into qmail-verify.
> >> It now uses UDP for privilege separation which also allows an incoming
> >> mail server to query a separate mailstore for larger installations.
> >> http://free.acrconsulting.co.uk/email/qmail-verify.html
> >
> > Thanks, I know that, and already have seen the reply from Andrew.
> > My question was to the netqmail maintainers about the inclusion of
> > this functionality into netqmail. I take the non-answer that
> > there's no plan anymore.
>
> Not as such, but after a long stasis, it's getting some attention.
Hi, the delayed-bounce issue with qmail is one thing that I personally
think needs to be fixed. Since years I've replaced the qmail-smtp
service with mailfront, and so am able to bounce most of the junk-mail
during the smtp session.
For Debian[0] I proposed packages that include the qmail-verify patch
and its prerequisite the errmsg-logging patch, both from Andrew
Richards. Since for Debian a mail tranfer agent must support
/etc/aliases, I patched the qmail-verify patch to additionally check a
fasforward CDB if told so and if ~alias/.qmail-default exists. See
below for the patch, review and comments welcome.
May I ask again whether you motley krewe of qmail contributors plan to
include these patches into netqmail? I'd suggest to do so.
Thanks, Gerrit.
[0]
http://bugs.debian.org/510415
http://ftp-master.debian.org/new.html
-------
From e0a12b4e5772df5b656ea4cf7b7e6e2d39b9bc55 Mon Sep 17 00:00:00 2001
From: Gerrit Pape <pape [at] smarden>
Date: Fri, 5 Mar 2010 01:14:31 +0000
Subject: [PATCH 3/3] qmail-verify: optionally check aliases.cdb if fastforward is used
If qmail-verify finds ~alias/.qmail-default and the environment variable
VERIFY_FASTFORWARDCDB is set to e.g. /etc/aliases.cdb, instead of allowing
all addresses it will lookup the recipient address in that constant
database, and only allow the address if a matching entry is found.
---
qmail-verify.c | 54 +++++++++++++++++++++++++++++++++++++++++++++++++++++-
1 files changed, 53 insertions(+), 1 deletions(-)
diff --git a/qmail-verify.c b/qmail-verify.c
index 641f920..a33c20d 100644
--- a/qmail-verify.c
+++ b/qmail-verify.c
@@ -164,6 +164,49 @@ int userext() /* from qmail-getpw.c */
}
}
+int verify_aliasescdb(addr, fn)
+char *addr;
+char *fn;
+{
+ int fd;
+ static stralloc key = {};
+ uint32 dlen;
+ int r;
+ int at;
+
+ fd = open_read(fn);
+ if (fd == -1) die_cdb();
+ if (!stralloc_copys(&key,":")) die_nomem();
+ if (!stralloc_cats(&key,addr)) die_nomem();
+ case_lowerb(key.s,key.len);
+
+ r = cdb_seek(fd,key.s,key.len,&dlen);
+ if (r == -1) die_cdb();
+ if (r) { close(fd); return 1; }
+
+ at = str_rchr(addr,'@');
+ if (!addr[at]) { close(fd); return 0; }
+
+ if (!stralloc_copys(&key,":")) die_nomem();
+ if (!stralloc_cats(&key,addr + at)) nomem();
+ case_lowerb(key.s,key.len);
+
+ r = cdb_seek(fd,key.s,key.len,&dlen);
+ if (r == -1) die_cdb();
+ if (r) { close(fd); return 1; }
+
+ if (!stralloc_copys(&key,":")) nomem();
+ if (!stralloc_catb(&key,addr,at + 1)) nomem();
+ case_lowerb(key.s,key.len);
+
+ r = cdb_seek(fd,key.s,key.len,&dlen);
+ if (r == -1) die_cdb();
+ close(fd);
+ if (r) return 1;
+
+ return 0;
+}
+
int verifyaddr(addr)
char *addr;
{
@@ -351,7 +394,16 @@ char *addr;
if (!stralloc_cats(&qme,"default")) die_nomem();
if (!stralloc_0(&qme)) die_nomem();
/* e.g. homedir/.qmail-[xxx-]default */
- if (stat(qme.s,&st) == 0) return allowaddr(addr,ADDR_OK|QVPOS12);
+ if (stat(qme.s,&st) == 0) {
+ /* if it's ~alias/.qmail-default, optionally check aliases.cdb */
+ if (!i && (quser == auto_usera)) {
+ char *s;
+ if (s = env_get("VERIFY_FASTFORWARDCDB"))
+ if (!verify_aliasescdb(addr, s))
+ return denyaddr(addr,ADDR_NOK|QVPOS12);
+ }
+ return allowaddr(addr,ADDR_OK|QVPOS12);
+ }
if (errno != error_noent) /* Maybe not running as root so access denied */
return stat_error(qme.s,errno,STATERR|QVPOS13);
}
--
1.7.0
-------
$ cat qmail-verify/run
#!/bin/sh
exec 2>&1
if CDB=$(grep fastforward ~alias/.qmail-default 2>&1); then
CDB=${CDB#|*fastforward}
CDB=${CDB##*-* }
test -z "$CDB" ||
exec env VERIFY_FASTFORWARDCDB="$CDB" /var/qmail/bin/qmail-verify
fi
exec /var/qmail/bin/qmail-verify
|
