| ---
tspam.c (10367B)
---
1 #include "common.h"
2 #include "smtpd.h"
3 #include
4
5 enum {
6 NORELAY = 0,
7 DNSVERIFY,
8 SAVEBLOCK,
9 DOMNAME,
10 OURNETS,
11 OURDOMS,
12
13 IP = 0,
14 STRING
15 };
16
17
18 typedef struct Keyword Keyword;
19
20 struct Keyword {
21 char *name;
22 int code;
23 };
24
25 static Keyword options[] = {
26 "norelay", NORELAY,
27 "verifysenderdom", DNSVERIFY,
28 "saveblockedmsg", SAVEBLOCK,
29 "defaultdomain", DOMNAME,
30 "ournets", OURNETS,
31 "ourdomains", OURDOMS,
32 0, NONE
33 };
34
35 static Keyword actions[] = {
36 "allow", ACCEPT,
37 "block", BLOCKED,
38 "deny", DENIED,
39 "dial", DIALUP,
40 "delay", DELAY,
41 0, NONE
42 };
43
44 static int hisaction;
45 static List ourdoms;
46 static List badguys;
47 static ulong v4peerip;
48
49 static char* getline(Biobuf*);
50 static int cidrcheck(char*);
51
52 static int
53 findkey(char *val, Keyword *p)
54 {
55
56 for(; p->name; p++)
57 if(strcmp(val, p->name) == 0)
58 break;
59 return p->code;
60 }
61
62 char*
63 actstr(int a)
64 {
65 static char buf[32];
66 Keyword *p;
67
68 for(p=actions; p->name; p++)
69 if(p->code == a)
70 return p->name;
71 if(a==NONE)
72 return "none";
73 sprint(buf, "%d", a);
74 return buf;
75 }
76
77 int
78 getaction(char *s, char *type)
79 {
80 char buf[1024];
81 Keyword *k;
82
83 if(s == nil || *s == 0)
84 return ACCEPT;
85
86 for(k = actions; k->name != 0; k++){
87 snprint(buf, sizeof buf, "%s/mail/ratify/%s/%s/%s",
88 get9root(), k->name, type, s);
89 if(access(buf,0) >= 0)
90 return k->code;
91 }
92 return ACCEPT;
93 }
94
95 int
96 istrusted(char *s)
97 {
98 char buf[1024];
99
100 if(s == nil || *s == 0)
101 return 0;
102
103 snprint(buf, sizeof buf, "%s/mail/ratify/trusted/%s", get9root(), s);
104 return access(buf,0) >= 0;
105 }
106
107 void
108 getconf(void)
109 {
110 Biobuf *bp;
111 char *cp, *p;
112 String *s;
113 char buf[512];
114 uchar addr[4];
115
116 v4parseip(addr, nci->rsys);
117 v4peerip = nhgetl(addr);
118
119 trusted = istrusted(nci->rsys);
120 hisaction = getaction(nci->rsys, "ip");
121 if(debug){
122 fprint(2, "istrusted(%s)=%d\n", nci->rsys, trusted);
123 fprint(2, "getaction(%s, ip)=%s\n", nci->rsys, actstr(hisaction));
124 }
125 snprint(buf, sizeof(buf), "%s/smtpd.conf", UPASLIB);
126 bp = sysopen(buf, "r", 0);
127 if(bp == 0)
128 return;
129
130 for(;;){
131 cp = getline(bp);
132 if(cp == 0)
133 break;
134 p = cp+strlen(cp)+1;
135 switch(findkey(cp, options)){
136 case NORELAY:
137 if(fflag == 0 && strcmp(p, "on") == 0)
138 fflag++;
139 break;
140 case DNSVERIFY:
141 if(rflag == 0 && strcmp(p, "on") == 0)
142 rflag++;
143 break;
144 case SAVEBLOCK:
145 if(sflag == 0 && strcmp(p, "on") == 0)
146 sflag++;
147 break;
148 case DOMNAME:
149 if(dom == 0)
150 dom = strdup(p);
151 break;
152 case OURNETS:
153 if (trusted == 0)
154 trusted = cidrcheck(p);
155 break;
156 case OURDOMS:
157 while(*p){
158 s = s_new();
159 s_append(s, p);
160 listadd(&ourdoms, s);
161 p += strlen(p)+1;
162 }
163 break;
164 default:
165 break;
166 }
167 }
168 sysclose(bp);
169 }
170
171 #if 0
172 /*
173 * match a user name. the only meta-char is '*' which matches all
174 * characters. we only allow it as "*", which matches anything or
175 * an * at the end of the name (e.g., "username*") which matches
176 * trailing characters.
177 */
178 static int
179 usermatch(char *pathuser, char *specuser)
180 {
181 int n;
182
183 n = strlen(specuser)-1;
184 if(specuser[n] == '*'){
185 if(n == 0) /* match everything */
186 return 0;
187 return strncmp(pathuser, specuser, n);
188 }
189 return strcmp(pathuser, specuser);
190 }
191 #endif
192
193 static int
194 dommatch(char *pathdom, char *specdom)
195 {
196 int n;
197
198 if (*specdom == '*'){
199 if (specdom[1] == '.' && specdom[2]){
200 specdom += 2;
201 n = strlen(pathdom)-strlen(specdom);
202 if(n == 0 || (n > 0 && pathdom[n-1] == '.'))
203 return strcmp(pathdom+n, specdom);
204 return n;
205 }
206 }
207 return strcmp(pathdom, specdom);
208 }
209
210 /*
211 * figure out action for this sender
212 */
213 int
214 blocked(String *path)
215 {
216 String *lpath;
217 int action;
218
219 if(debug)
220 fprint(2, "blocked(%s)\n", s_to_c(path));
221
222 /* if the sender's IP address is blessed, ignore sender email address */
223 if(trusted){
224 if(debug)
225 fprint(2, "\ttrusted => trusted\n");
226 return TRUSTED;
227 }
228
229 /* if sender's IP address is blocked, ignore sender email address */
230 if(hisaction != ACCEPT){
231 if(debug)
232 fprint(2, "\thisaction=%s => %s\n", actstr(hisaction), actstr(hisaction));
233 return hisaction;
234 }
235
236 /* convert to lower case */
237 lpath = s_copy(s_to_c(path));
238 s_tolower(lpath);
239
240 /* classify */
241 action = getaction(s_to_c(lpath), "account");
242 if(debug)
243 fprint(2, "\tgetaction account %s => %s\n", s_to_c(lpath), actstr(action));
244 s_free(lpath);
245 return action;
246 }
247
248 /*
249 * get a canonicalized line: a string of null-terminated lower-case
250 * tokens with a two null bytes at the end.
251 */
252 static char*
253 getline(Biobuf *bp)
254 {
255 char c, *cp, *p, *q;
256 int n;
257
258 static char *buf;
259 static int bufsize;
260
261 for(;;){
262 cp = Brdline(bp, '\n');
263 if(cp == 0)
264 return 0;
265 n = Blinelen(bp);
266 cp[n-1] = 0;
267 if(buf == 0 || bufsize < n+1){
268 bufsize += 512;
269 if(bufsize < n+1)
270 bufsize = n+1;
271 buf = realloc(buf, bufsize);
272 if(buf == 0)
273 break;
274 }
275 q = buf;
276 for (p = cp; *p; p++){
277 c = *p;
278 if(c == '\\' && p[1]) /* we don't allow \ */
279 c = *++p;
280 else
281 if(c == '#')
282 break;
283 else
284 if(c == ' ' || c == '\t' || c == ',')
285 if(q == buf || q[-1] == 0)
286 continue;
287 else
288 c = 0;
289 *q++ = tolower(c);
290 }
291 if(q != buf){
292 if(q[-1])
293 *q++ = 0;
294 *q = 0;
295 break;
296 }
297 }
298 return buf;
299 }
300
301 static int
302 isourdom(char *s)
303 {
304 Link *l;
305
306 if(strchr(s, '.') == nil)
307 return 1;
308
309 for(l = ourdoms.first; l; l = l->next){
310 if(dommatch(s, s_to_c(l->p)) == 0)
311 return 1;
312 }
313 return 0;
314 }
315
316 int
317 forwarding(String *path)
318 {
319 char *cp, *s;
320 String *lpath;
321
322 if(debug)
323 fprint(2, "forwarding(%s)\n", s_to_c(path));
324
325 /* first check if they want loopback */
326 lpath = s_copy(s_to_c(s_restart(path)));
327 if(nci->rsys && *nci->rsys){
328 cp = s_to_c(lpath);
329 if(strncmp(cp, "[]!", 3) == 0){
330 found:
331 s_append(path, "[");
332 s_append(path, nci->rsys);
333 s_append(path, "]!");
334 s_append(path, cp+3);
335 s_terminate(path);
336 s_free(lpath);
337 return 0;
338 }
339 cp = strchr(cp,'!'); /* skip our domain and check next */
340 if(cp++ && strncmp(cp, "[]!", 3) == 0)
341 goto found;
342 }
343
344 /* if mail is from a trusted IP addr, allow it to forward */
345 if(trusted) {
346 s_free(lpath);
347 return 0;
348 }
349
350 /* sender is untrusted; ensure receiver is in one of our domains */
351 for(cp = s_to_c(lpath); *cp; cp++) /* convert receiver lc */
352 *cp = tolower(*cp);
353
354 for(s = s_to_c(lpath); cp = strchr(s, '!'); s = cp+1){
355 *cp = 0;
356 if(!isourdom(s)){
357 s_free(lpath);
358 return 1;
359 }
360 }
361 s_free(lpath);
362 return 0;
363 }
364
365 int
366 masquerade(String *path, char *him)
367 {
368 char *cp, *s;
369 String *lpath;
370 int rv = 0;
371
372 if(debug)
373 fprint(2, "masquerade(%s)\n", s_to_c(path));
374
375 if(trusted)
376 return 0;
377 if(path == nil)
378 return 0;
379
380 lpath = s_copy(s_to_c(path));
381
382 /* sender is untrusted; ensure receiver is in one of our domains */
383 for(cp = s_to_c(lpath); *cp; cp++) /* convert receiver lc */
384 *cp = tolower(*cp);
385 s = s_to_c(lpath);
386
387 /* scan first element of ! or last element of @ paths */
388 if((cp = strchr(s, '!')) != nil){
389 *cp = 0;
390 if(isourdom(s))
391 rv = 1;
392 } else if((cp = strrchr(s, '@')) != nil){
393 if(isourdom(cp+1))
394 rv = 1;
395 } else {
396 if(isourdom(him))
397 rv = 1;
398 }
399
400 s_free(lpath);
401 return rv;
402 }
403
404 /* this is a v4 only check */
405 static int
406 cidrcheck(char *cp)
407 {
408 char *p;
409 ulong a, m;
410 uchar addr[IPv4addrlen];
411 uchar mask[IPv4addrlen];
412
413 if(v4peerip == 0)
414 return 0;
415
416 /* parse a list of CIDR addresses comparing each to the peer IP addr */
417 while(cp && *cp){
418 v4parsecidr(addr, mask, cp);
419 a = nhgetl(addr);
420 m = nhgetl(mask);
421 /*
422 * if a mask isn't specified, we build a minimal mask
423 * instead of using the default mask for that net. in this
424 * case we never allow a class A mask (0xff000000).
425 */
426 if(strchr(cp, '/') == 0){
427 m = 0xff000000;
428 p = cp;
429 for(p = strchr(p, '.'); p && p[1]; p = strchr(p+1, '.'))
430 m = (m>>8)|0xff000000;
431
432 /* force at least a class B */
433 m |= 0xffff0000;
434 }
435 if((v4peerip&m) == a)
436 return 1;
437 cp += strlen(cp)+1;
438 }
439 return 0;
440 }
441
442 int
443 isbadguy(void)
444 {
445 Link *l;
446
447 /* check if this IP address is banned */
448 for(l = badguys.first; l; l = l->next)
449 if(cidrcheck(s_to_c(l->p)))
450 return 1;
451
452 return 0;
453 }
454
455 void
456 addbadguy(char *p)
457 {
458 listadd(&badguys, s_copy(p));
459 };
460
461 char*
462 dumpfile(char *sender)
463 {
464 int i, fd;
465 ulong h;
466 static char buf[512];
467 char *cp;
468
469 if (sflag == 1){
470 cp = ctime(time(0));
471 cp[7] = 0;
472 if(cp[8] == ' ')
473 sprint(buf, "%s/queue.dump/%s%c", SPOOL, cp+4, cp[9]);
474 else
475 sprint(buf, "%s/queue.dump/%s%c%c", SPOOL, cp+4, cp[8], cp[9]);
476 cp = buf+strlen(buf);
477 if(access(buf, 0) < 0 && sysmkdir(buf, 0777) < 0)
478 return "/dev/null";
479 h = 0;
480 while(*sender)
481 h = h*257 + *sender++;
482 for(i = 0; i < 50; i++){
483 h += lrand();
484 sprint(cp, "/%lud", h);
485 if(access(buf, 0) >= 0)
486 continue;
487 fd = syscreate(buf, ORDWR, 0666);
488 if(fd >= 0){
489 if(debug)
490 fprint(2, "saving in %s\n", buf);
491 close(fd);
492 return buf;
493 }
494 }
495 }
496 return "/dev/null";
497 }
498
499 char *validator = "#9/mail/lib/validateaddress";
500
501 int
502 recipok(char *user)
503 {
504 char *cp, *p, c;
505 char buf[512];
506 int n;
507 Biobuf *bp;
508 int pid;
509 Waitmsg *w;
510 static int beenhere;
511
512 if(!beenhere){
513 beenhere++;
514 validator = unsharp(validator);
515 }
516 if(shellchars(user)){
517 syslog(0, "smtpd", "shellchars in user name");
518 return 0;
519 }
520
521 if(access(validator, AEXEC) == 0)
522 switch(pid = fork()) {
523 case -1:
524 break;
525 case 0:
526 execl(validator, "validateaddress", user, nil);
527 exits(0);
528 default:
529 while(w = wait()) {
530 if(w->pid != pid)
531 continue;
532 if(w->msg[0] != 0){
533 syslog(0, "smtpd", "validateaddress %s: %s", user, w->msg);
534 return 0;
535 }
536 break;
537 }
538 }
539
540 snprint(buf, sizeof(buf), "%s/names.blocked", UPASLIB);
541 bp = sysopen(buf, "r", 0);
542 if(bp == 0)
543 return 1;
544 for(;;){
545 cp = Brdline(bp, '\n');
546 if(cp == 0)
547 break;
548 n = Blinelen(bp);
549 cp[n-1] = 0;
550
551 while(*cp == ' ' || *cp == '\t')
552 cp++;
553 for(p = cp; c = *p; p++){
554 if(c == '#')
555 break;
556 if(c == ' ' || c == '\t')
557 break;
558 }
559 if(p > cp){
560 *p = 0;
561 if(cistrcmp(user, cp) == 0){
562 syslog(0, "smtpd", "names.blocked blocks %s", user);
563 Bterm(bp);
564 return 0;
565 }
566 }
567 }
568 Bterm(bp);
569 return 1;
570 }
571
572 /*
573 * a user can opt out of spam filtering by creating
574 * a file in his mail directory named 'nospamfiltering'.
575 */
576 int
577 optoutofspamfilter(char *addr)
578 {
579 char *p, *f;
580 int rv;
581
582 p = strchr(addr, '!');
583 if(p)
584 p++;
585 else
586 p = addr;
587
588
589 rv = 0;
590 f = smprint("%s/mail/box/%s/nospamfiltering", get9root(), p);
591 if(f != nil){
592 rv = access(f, 0)==0;
593 free(f);
594 }
595
596 return rv;
597 } |