authorGilles Chehade <gilles@cvs.openbsd.org>2019-08-11 17:23:13 +0000
committerGilles Chehade <gilles@cvs.openbsd.org>2019-08-11 17:23:13 +0000
commitb69c50c229b9fc5ff9d54cd271cfebb564a975a4 (patch)
tree2d9bb81d60a8b2a2e333163eb2c9e353473d4ad0
parent4a82f890a09e690decfaf1474a905504dbb717fe (diff)
add 'from rdns' to ruleset match criteria, making it possible to match
envelopes created by sessions that had or did not have an rDNS: match from rdns [...] action "local" match !from rdns [...] reject
-rw-r--r--usr.sbin/smtpd/parse.y11
-rw-r--r--usr.sbin/smtpd/ruleset.c8
-rw-r--r--usr.sbin/smtpd/smtpd.conf.58
-rw-r--r--usr.sbin/smtpd/to.c9
4 files changed, 30 insertions, 6 deletions
diff --git a/usr.sbin/smtpd/parse.y b/usr.sbin/smtpd/parse.y
index f958c711091..a04393a2827 100644
--- a/usr.sbin/smtpd/parse.y
+++ b/usr.sbin/smtpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.256 2019/08/11 16:35:10 gilles Exp $ */
+/* $OpenBSD: parse.y,v 1.257 2019/08/11 17:23:12 gilles Exp $ */
/*
* Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -1145,7 +1145,14 @@ negation TAG REGEX tables {
rule->flag_from_regex = 1;
rule->table_from = strdup(t->t_name);
}
-
+| negation FROM RDNS {
+ if (rule->flag_from) {
+ yyerror("from already specified for this rule");
+ YYERROR;
+ }
+ rule->flag_from = $1 ? -1 : 1;
+ rule->flag_from_rdns = 1;
+}
| negation FROM RDNS tables {
struct table *t = $4;
diff --git a/usr.sbin/smtpd/ruleset.c b/usr.sbin/smtpd/ruleset.c
index c8b8aa48ba9..2e282367886 100644
--- a/usr.sbin/smtpd/ruleset.c
+++ b/usr.sbin/smtpd/ruleset.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ruleset.c,v 1.43 2019/08/11 10:54:44 gilles Exp $ */
+/* $OpenBSD: ruleset.c,v 1.44 2019/08/11 17:23:12 gilles Exp $ */
/*
* Copyright (c) 2009 Gilles Chehade <gilles@poolp.org>
@@ -58,6 +58,7 @@ static int
ruleset_match_from(struct rule *r, const struct envelope *evp)
{
int ret;
+ int has_rdns;
const char *key;
struct table *table;
enum table_service service = K_NETADDR;
@@ -68,7 +69,10 @@ ruleset_match_from(struct rule *r, const struct envelope *evp)
if (evp->flags & EF_INTERNAL)
key = "local";
else if (r->flag_from_rdns) {
- if (strcmp(evp->hostname, "<unknown>") == 0)
+ has_rdns = strcmp(evp->hostname, "<unknown>") != 0;
+ if (r->table_from == NULL)
+ return MATCH_RESULT(has_rdns, r->flag_from);
+ if (!has_rdns)
return 0;
key = evp->hostname;
}
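Review bot: The table-less `from rdns` case is only decided inside the non-internal branch, so an envelope flagged EF_INTERNAL takes `key = "local"` a few lines above and falls through with `r->table_from` still NULL; if the code after this hunk resolves `r->table_from` through a table lookup, a bare `match from rdns` rule would dereference NULL for locally submitted mail. Consider settling the table-less case before the EF_INTERNAL test, e.g. `if (r->flag_from_rdns && r->table_from == NULL && (evp->flags & EF_INTERNAL)) return MATCH_RESULT(0, r->flag_from);`, if an internal session is meant to count as having no rDNS. The new early return also deserves a why-comment such as `/* bare "from rdns": decide on presence of rDNS alone, no table lookup */`. ruleset_match_from continues outside the hunk.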
diff --git a/usr.sbin/smtpd/smtpd.conf.5 b/usr.sbin/smtpd/smtpd.conf.5
index a5a57868cd1..e0e10cd71bf 100644
--- a/usr.sbin/smtpd/smtpd.conf.5
+++ b/usr.sbin/smtpd/smtpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: smtpd.conf.5,v 1.218 2019/08/11 14:43:52 gilles Exp $
+.\" $OpenBSD: smtpd.conf.5,v 1.219 2019/08/11 17:23:12 gilles Exp $
.\"
.\" Copyright (c) 2008 Janne Johansson <jj@openbsd.org>
.\" Copyright (c) 2009 Jacek Masiulaniec <jacekm@dobremiasto.net>
@@ -571,6 +571,12 @@ This is the default, and may be omitted.
.It Xo
.Op Ic \&!
.Cm from rdns
+.Xc
+Specify that session may only originate from an IP address that
+resolves to a reverse DNS.
+.It Xo
+.Op Ic \&!
+.Cm from rdns
.Ar hostname | Pf < Ar hostname Ns >
.Xc
Specify that session may only originate from an IP address that
diff --git a/usr.sbin/smtpd/to.c b/usr.sbin/smtpd/to.c
index 306f6f189b7..369073817e2 100644
--- a/usr.sbin/smtpd/to.c
+++ b/usr.sbin/smtpd/to.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: to.c,v 1.38 2019/08/11 10:54:44 gilles Exp $ */
+/* $OpenBSD: to.c,v 1.39 2019/08/11 17:23:12 gilles Exp $ */
/*
* Copyright (c) 2009 Jacek Masiulaniec <jacekm@dobremiasto.net>
@@ -460,6 +460,13 @@ rule_to_text(struct rule *r)
(void)strlcat(buf, "!", sizeof buf);
if (r->flag_from_socket)
(void)strlcat(buf, "from socket ", sizeof buf);
+ if (r->flag_from_rdns) {
+ (void)strlcat(buf, "from rdns ", sizeof buf);
+ if (r->table_from) {
+ (void)strlcat(buf, r->table_from, sizeof buf);
+ (void)strlcat(buf, " ", sizeof buf);
+ }
+ }
else if (strcmp(r->table_from, "<anyhost>") == 0)
(void)strlcat(buf, "from any ", sizeof buf);
else if (strcmp(r->table_from, "<localhost>") == 0)
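Review bot: The new `if (r->flag_from_rdns) {` block is not chained to the preceding `if (r->flag_from_socket)`, so the `else if (strcmp(r->table_from, "<anyhost>") == 0)` that follows now attaches to the rdns test rather than the socket test. A `from socket` rule therefore also reaches that `strcmp` on `r->table_from`; if socket rules leave `table_from` NULL, as the bare `from rdns` alternative in parse.y does, that is a NULL dereference in rule_to_text. Writing the block as `else if (r->flag_from_rdns) {` restores the original branch structure. rule_to_text starts before the hunk.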