author | Gilles Chehade <gilles@cvs.openbsd.org> | 2018-12-22 08:54:03 +0000 |
committer | Gilles Chehade <gilles@cvs.openbsd.org> | 2018-12-22 08:54:03 +0000 |
commit | 8071fe9a663ae31b1f090bf8401c28ec016f5a25 (patch) | |
tree | bc4ac24adc4a1fbc0d6e5945f68c4ce5291c9a08 /usr.sbin/smtpd | |
parent | 55944c0ddd5527036eff33f10e53ee38e0026563 (diff) |
introduce a new matching criterion 'from rdns' to match sessions based on the rDNS
of the client; works with literals and tables, both string and regex:
match from rdns "mx1.poolp.org" for any action blahblah
Diffstat (limited to 'usr.sbin/smtpd')
-rw-r--r-- | usr.sbin/smtpd/parse.y | 49 | ||||
-rw-r--r-- | usr.sbin/smtpd/ruleset.c | 8 | ||||
-rw-r--r-- | usr.sbin/smtpd/smtpd.conf.5 | 18 | ||||
-rw-r--r-- | usr.sbin/smtpd/smtpd.h | 5 |
4 files changed, 71 insertions, 9 deletions
diff --git a/usr.sbin/smtpd/parse.y b/usr.sbin/smtpd/parse.y
index d0efed8b828..406a3ae0a93 100644
--- a/usr.sbin/smtpd/parse.y
+++ b/usr.sbin/smtpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.241 2018/12/21 21:35:29 gilles Exp $ */
+/* $OpenBSD: parse.y,v 1.242 2018/12/22 08:54:02 gilles Exp $ */
 /*
 * Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -190,7 +190,7 @@ typedef struct {
 %token ON
 %token PKI PORT PROC PROC_EXEC
 %token QUEUE QUIT
-%token RCPT_TO RECIPIENT RECEIVEDAUTH REGEX RELAY REJECT REPORT REWRITE RSET
+%token RCPT_TO RDNS RECIPIENT RECEIVEDAUTH REGEX RELAY REJECT REPORT REWRITE RSET
 %token SCHEDULER SENDER SENDERS SMTP SMTP_IN SMTP_OUT SMTPS SOCKET SRC SUB_ADDR_DELIM
 %token TABLE TAG TAGGED TLS TLS_REQUIRE TTL
 %token USER USERBASE
@@ -927,11 +927,12 @@ negation TAG REGEX tables {
 rule->flag_tag_regex = 1;
 rule->table_tag = strdup(t->t_name);
 }
+
 | negation HELO tables {
 struct table *t = $3;
 if (rule->flag_smtp_helo) {
-yyerror("mail-helo already specified for this rule");
+yyerror("helo already specified for this rule");
 YYERROR;
 }
@@ -948,7 +949,7 @@ negation TAG REGEX tables {
 struct table *t = $4;
 if (rule->flag_smtp_helo) {
-yyerror("mail-helo already specified for this rule");
+yyerror("helo already specified for this rule");
 YYERROR;
 }
@@ -1146,6 +1147,45 @@ negation TAG REGEX tables {
 rule->table_from = strdup(t->t_name);
 }
+| negation FROM RDNS tables {
+ struct table *t = $4;
+
+ if (rule->flag_from) {
+ yyerror("from already specified for this rule");
+ YYERROR;
+ }
+
+ if (!table_check_use(t, T_DYNAMIC|T_LIST, K_DOMAIN)) {
+ yyerror("table \"%s\" may not be used for rdns lookups",
+ t->t_name);
+ YYERROR;
+ }
+
+ rule->flag_from = $1 ? -1 : 1;
+ rule->flag_from_rdns = 1;
+ rule->table_from = strdup(t->t_name);
+}
+| negation FROM RDNS REGEX tables {
+ struct table *t = $5;
+
+ if (rule->flag_from) {
+ yyerror("from already specified for this rule");
+ YYERROR;
+ }
+
+ if (!table_check_use(t, T_DYNAMIC|T_LIST, K_DOMAIN)) {
+ yyerror("table \"%s\" may not be used for rdns lookups",
+ t->t_name);
+ YYERROR;
+ }
+
+ rule->flag_from = $1 ? -1 : 1;
+ rule->flag_from_regex = 1;
+ rule->flag_from_rdns = 1;
+ rule->table_from = strdup(t->t_name);
+}
+
+
 | negation FOR LOCAL {
 struct table *t = table_find(conf, "<localnames>", NULL);
@@ -2164,6 +2204,7 @@ lookup(char *s)
 { "queue", QUEUE },
 { "quit", QUIT },
 { "rcpt-to", RCPT_TO },
+ { "rdns", RDNS },
 { "received-auth", RECEIVEDAUTH },
 { "recipient", RECIPIENT },
 { "regex", REGEX },
diff --git a/usr.sbin/smtpd/ruleset.c b/usr.sbin/smtpd/ruleset.c
index 0aa9806c828..7ab7755cff6 100644
--- a/usr.sbin/smtpd/ruleset.c
+++ b/usr.sbin/smtpd/ruleset.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ruleset.c,v 1.37 2018/12/21 21:35:29 gilles Exp $ */
+/* $OpenBSD: ruleset.c,v 1.38 2018/12/22 08:54:02 gilles Exp $ */
 /*
 * Copyright (c) 2009 Gilles Chehade <gilles@poolp.org>
@@ -86,9 +86,13 @@ ruleset_match_from(struct rule *r, const struct envelope *evp)
 return -1;
 }
- /* XXX - socket should also be considered local */
 if (evp->flags & EF_INTERNAL)
 key = "local";
+ else if (r->flag_from_rdns) {
+ if (strcmp(evp->hostname, "<unknown>") == 0)
+ return 0;
+ key = evp->hostname;
+ }
 else
 key = ss_to_text(&evp->ss);
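Review bot: In the ruleset.c hunk the early `return 0` for a `<unknown>` hostname runs before any negation of the rule is applied, so if `ruleset_match_from` inverts the result for `flag_from < 0` further down (that part of the function is outside the hunk), `! from rdns <table>` will also fail to match a client that has no reverse DNS, which is not what a reader of the negated form expects. Either document that choice next to the check, `/* no rDNS: the rule never matches, negated or not */`, or fold the unknown case into the value that the negation sees. The same gap applies to the smtpd.conf.5 hunk, which should state that sessions whose address has no reverse DNS never match `from rdns` or `from rdns regex`. Since the string in evp->hostname is whatever the reverse zone of the remote address returned, the match is only as trustworthy as the lookup that filled it; if that lookup is not forward-confirmed, a comment saying so at `key = evp->hostname;` would help whoever writes rules against it.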
diff --git a/usr.sbin/smtpd/smtpd.conf.5 b/usr.sbin/smtpd/smtpd.conf.5
index 1e4ae85136d..e9ca99ed9d7 100644
--- a/usr.sbin/smtpd/smtpd.conf.5
+++ b/usr.sbin/smtpd/smtpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: smtpd.conf.5,v 1.209 2018/12/22 08:18:55 gilles Exp $
+.\" $OpenBSD: smtpd.conf.5,v 1.210 2018/12/22 08:54:02 gilles Exp $
 .\"
 .\" Copyright (c) 2008 Janne Johansson <jj@openbsd.org>
 .\" Copyright (c) 2009 Jacek Masiulaniec <jacekm@dobremiasto.net>
@@ -504,6 +504,22 @@ or from the local enqueuer.
 This is the default, and may be omitted.
 .It Xo
 .Op Ic \&!
+.Cm from rdns
+.Ar hostname | Pf < Ar hostname Ns >
+.Xc
+Specify that session may only originate from an IP address that
+resolves to a reverse DNS matching string or list string
+.Ar hostname .
+.It Xo
+.Op Ic \&!
+.Cm from rdns regex
+.Ar hostname | Pf < Ar hostname Ns >
+.Xc
+Specify that session may only originate from an IP address that
+resolves to a reverse DNS matching regex or list regex
+.Ar hostname .
+.It Xo
+.Op Ic \&!
 .Cm from socket
 .Xc
 Specify that session may only originate from the local enqueuer.
diff --git a/usr.sbin/smtpd/smtpd.h b/usr.sbin/smtpd/smtpd.h
index d3c7b4d9d3b..913c44782c2 100644
--- a/usr.sbin/smtpd/smtpd.h
+++ b/usr.sbin/smtpd/smtpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtpd.h,v 1.597 2018/12/21 21:35:29 gilles Exp $ */
+/* $OpenBSD: smtpd.h,v 1.598 2018/12/22 08:54:02 gilles Exp $ */
 /*
 * Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -1201,11 +1201,12 @@ struct rule {
 int8_t flag_tag;
 int8_t flag_from;
 int8_t flag_for;
+ int8_t flag_from_rdns;
 int8_t flag_from_socket;
 int8_t flag_tag_regex;
- int8_t flag_for_regex;
 int8_t flag_from_regex;
+ int8_t flag_for_regex;
 int8_t flag_smtp_helo;
 int8_t flag_smtp_starttls; |