authorGilles Chehade <gilles@cvs.openbsd.org>2018-12-22 08:54:03 +0000
committerGilles Chehade <gilles@cvs.openbsd.org>2018-12-22 08:54:03 +0000
commit8071fe9a663ae31b1f090bf8401c28ec016f5a25 (patch)
treebc4ac24adc4a1fbc0d6e5945f68c4ce5291c9a08 /usr.sbin
parent55944c0ddd5527036eff33f10e53ee38e0026563 (diff)
introduce new matching criterion 'from rdns' to match sessions based on the rDNS
of the client, works with literal and tables, both string and regex: match from rdns "mx1.poolp.org" for any action blahblah
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/smtpd/parse.y49
-rw-r--r--usr.sbin/smtpd/ruleset.c8
-rw-r--r--usr.sbin/smtpd/smtpd.conf.518
-rw-r--r--usr.sbin/smtpd/smtpd.h5
4 files changed, 71 insertions, 9 deletions
diff --git a/usr.sbin/smtpd/parse.y b/usr.sbin/smtpd/parse.y
index d0efed8b828..406a3ae0a93 100644
--- a/usr.sbin/smtpd/parse.y
+++ b/usr.sbin/smtpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.241 2018/12/21 21:35:29 gilles Exp $ */
+/* $OpenBSD: parse.y,v 1.242 2018/12/22 08:54:02 gilles Exp $ */
/*
* Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -190,7 +190,7 @@ typedef struct {
%token ON
%token PKI PORT PROC PROC_EXEC
%token QUEUE QUIT
-%token RCPT_TO RECIPIENT RECEIVEDAUTH REGEX RELAY REJECT REPORT REWRITE RSET
+%token RCPT_TO RDNS RECIPIENT RECEIVEDAUTH REGEX RELAY REJECT REPORT REWRITE RSET
%token SCHEDULER SENDER SENDERS SMTP SMTP_IN SMTP_OUT SMTPS SOCKET SRC SUB_ADDR_DELIM
%token TABLE TAG TAGGED TLS TLS_REQUIRE TTL
%token USER USERBASE
@@ -927,11 +927,12 @@ negation TAG REGEX tables {
rule->flag_tag_regex = 1;
rule->table_tag = strdup(t->t_name);
}
+
| negation HELO tables {
struct table *t = $3;
if (rule->flag_smtp_helo) {
- yyerror("mail-helo already specified for this rule");
+ yyerror("helo already specified for this rule");
YYERROR;
}
@@ -948,7 +949,7 @@ negation TAG REGEX tables {
struct table *t = $4;
if (rule->flag_smtp_helo) {
- yyerror("mail-helo already specified for this rule");
+ yyerror("helo already specified for this rule");
YYERROR;
}
@@ -1146,6 +1147,45 @@ negation TAG REGEX tables {
rule->table_from = strdup(t->t_name);
}
+| negation FROM RDNS tables {
+ struct table *t = $4;
+
+ if (rule->flag_from) {
+ yyerror("from already specified for this rule");
+ YYERROR;
+ }
+
+ if (!table_check_use(t, T_DYNAMIC|T_LIST, K_DOMAIN)) {
+ yyerror("table \"%s\" may not be used for rdns lookups",
+ t->t_name);
+ YYERROR;
+ }
+
+ rule->flag_from = $1 ? -1 : 1;
+ rule->flag_from_rdns = 1;
+ rule->table_from = strdup(t->t_name);
+}
+| negation FROM RDNS REGEX tables {
+ struct table *t = $5;
+
+ if (rule->flag_from) {
+ yyerror("from already specified for this rule");
+ YYERROR;
+ }
+
+ if (!table_check_use(t, T_DYNAMIC|T_LIST, K_DOMAIN)) {
+ yyerror("table \"%s\" may not be used for rdns lookups",
+ t->t_name);
+ YYERROR;
+ }
+
+ rule->flag_from = $1 ? -1 : 1;
+ rule->flag_from_regex = 1;
+ rule->flag_from_rdns = 1;
+ rule->table_from = strdup(t->t_name);
+}
+
+
| negation FOR LOCAL {
struct table *t = table_find(conf, "<localnames>", NULL);
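Review bot: The `negation FROM RDNS REGEX tables` action validates its table with `table_check_use(t, T_DYNAMIC|T_LIST, K_DOMAIN)`, the same service as the literal variant, although it then sets `rule->flag_from_regex` so the lookup will be done as a regex match; if the other `... REGEX tables` actions in this grammar validate against K_REGEX (not visible in this hunk), this one should too, i.e. `if (!table_check_use(t, T_DYNAMIC|T_LIST, K_REGEX)) {`. The two new actions are otherwise byte-identical apart from that one flag, so the shared "from already specified" and table checks could be folded into a small static helper to keep the literal and regex variants from drifting apart. `rule->table_from = strdup(t->t_name);` is unchecked in both actions, following the existing `from` actions just above, which would leave `table_from` NULL on allocation failure; a config parser can reasonably `fatal()` there instead. The enclosing grammar rule begins before this hunk.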
@@ -2164,6 +2204,7 @@ lookup(char *s)
{ "queue", QUEUE },
{ "quit", QUIT },
{ "rcpt-to", RCPT_TO },
+ { "rdns", RDNS },
{ "received-auth", RECEIVEDAUTH },
{ "recipient", RECIPIENT },
{ "regex", REGEX },
diff --git a/usr.sbin/smtpd/ruleset.c b/usr.sbin/smtpd/ruleset.c
index 0aa9806c828..7ab7755cff6 100644
--- a/usr.sbin/smtpd/ruleset.c
+++ b/usr.sbin/smtpd/ruleset.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ruleset.c,v 1.37 2018/12/21 21:35:29 gilles Exp $ */
+/* $OpenBSD: ruleset.c,v 1.38 2018/12/22 08:54:02 gilles Exp $ */
/*
* Copyright (c) 2009 Gilles Chehade <gilles@poolp.org>
@@ -86,9 +86,13 @@ ruleset_match_from(struct rule *r, const struct envelope *evp)
return -1;
}
- /* XXX - socket should also be considered local */
if (evp->flags & EF_INTERNAL)
key = "local";
+ else if (r->flag_from_rdns) {
+ if (strcmp(evp->hostname, "<unknown>") == 0)
+ return 0;
+ key = evp->hostname;
+ }
else
key = ss_to_text(&evp->ss);
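Review bot: The new branch matches on `evp->hostname`, which is the client's reverse-DNS name, i.e. a PTR record published by whoever controls the reverse zone for that address; unless that name is forward-confirmed before it reaches this function (nothing in the hunk shows that), a remote operator can publish a PTR of `mx1.poolp.org` and satisfy `match from rdns "mx1.poolp.org"`, so the branch deserves a comment such as `/* rDNS name is under the remote operator's control; not forward-confirmed here */` and smtpd.conf.5 deserves the same caveat. The early `return 0` on `"<unknown>"` also bypasses whatever negation handling follows, while parse.y sets `rule->flag_from = $1 ? -1 : 1` for `! from rdns`, so a negated rdns rule presumably never matches an unresolvable client, which is the opposite of what "not from rdns X" reads as; confirm against the tail of the function, which continues outside the hunk. Separately, parse.y validates the rdns table for K_DOMAIN but this hunk only changes the key, not the lookup service, so check that the service selection below the hunk picks K_DOMAIN for `flag_from_rdns` rather than falling through to the K_NETADDR default.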
diff --git a/usr.sbin/smtpd/smtpd.conf.5 b/usr.sbin/smtpd/smtpd.conf.5
index 1e4ae85136d..e9ca99ed9d7 100644
--- a/usr.sbin/smtpd/smtpd.conf.5
+++ b/usr.sbin/smtpd/smtpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: smtpd.conf.5,v 1.209 2018/12/22 08:18:55 gilles Exp $
+.\" $OpenBSD: smtpd.conf.5,v 1.210 2018/12/22 08:54:02 gilles Exp $
.\"
.\" Copyright (c) 2008 Janne Johansson <jj@openbsd.org>
.\" Copyright (c) 2009 Jacek Masiulaniec <jacekm@dobremiasto.net>
@@ -504,6 +504,22 @@ or from the local enqueuer.
This is the default, and may be omitted.
.It Xo
.Op Ic \&!
+.Cm from rdns
+.Ar hostname | Pf < Ar hostname Ns >
+.Xc
+Specify that session may only originate from an IP address that
+resolves to a reverse DNS matching string or list string
+.Ar hostname .
+.It Xo
+.Op Ic \&!
+.Cm from rdns regex
+.Ar hostname | Pf < Ar hostname Ns >
+.Xc
+Specify that session may only originate from an IP address that
+resolves to a reverse DNS matching regex or list regex
+.Ar hostname .
+.It Xo
+.Op Ic \&!
.Cm from socket
.Xc
Specify that session may only originate from the local enqueuer.
diff --git a/usr.sbin/smtpd/smtpd.h b/usr.sbin/smtpd/smtpd.h
index d3c7b4d9d3b..913c44782c2 100644
--- a/usr.sbin/smtpd/smtpd.h
+++ b/usr.sbin/smtpd/smtpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtpd.h,v 1.597 2018/12/21 21:35:29 gilles Exp $ */
+/* $OpenBSD: smtpd.h,v 1.598 2018/12/22 08:54:02 gilles Exp $ */
/*
* Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -1201,11 +1201,12 @@ struct rule {
int8_t flag_tag;
int8_t flag_from;
int8_t flag_for;
+ int8_t flag_from_rdns;
int8_t flag_from_socket;
int8_t flag_tag_regex;
- int8_t flag_for_regex;
int8_t flag_from_regex;
+ int8_t flag_for_regex;
int8_t flag_smtp_helo;
int8_t flag_smtp_starttls;