Age | Commit message | Author |
|
be used to effectively remove filesystem access.
That being said, in spamd(8) when I pledge(2)d it the main priv process got
"stdio inet" which means there's no fs access at all so calling
chroot(2)/chdir(2) here doesn't get us any additional protection. Just remove
them.
OK deraadt@ and no objections from schwarze@
|
|
in default, cannot get anywhere near the filesystem since its only promises are
"stdio inet". Furthermore, in blacklist mode this same codepath is not
chroot'ed but once again it gets the same pledge(2).
Therefore we can remove the BUGS section from spamd(8)'s manpage.
OK millert@ deraadt@
|
|
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.
|
|
|
|
greywatcher()) we know that the only files that it will ever access are
PATH_SPAMD_DB in rw mode, alloweddomains_file in r and that it will need to
execute PATH_PFCTL so we can unveil(2) them with those permissions.
OK deraadt@ millert@ beck@
|
|
ok guenther@ tb@ deraadt@
|
|
|
|
in greylisting mode, it is not uncommon for an IP to get whitelisted
before it shows up on a spam blacklist. With this change, spamd
will check its blacklists before adding a WHITE entry to the
<spamd-white> pf table. If the IP matches a blacklist, the WHITE
entry will be removed. OK phessler@
|
|
|
|
pointer will remain unchanged when it fails. OK deraadt@
|
|
|
|
ok beck
|
|
|
|
spamd setup are complex enough without freestyling the pf rules;
while here, Bk/Ek no longer required
|
|
noticed and ok phessler@
|
|
short write when the socket buffers are full, instead of blocking.
ok benno@ claudio@
|
|
inet_pton(3) to check if it's valid and since that function doesn't provide
a proper errno (POSIX doesn't mandate to do so) then if a string is given we
may get this message:
spamd: inet_pton: Undefined error: 0
- Instead replace that code to use getaddrinfo(3), from which it is possible to get
a proper error message, and at the same time be able to parse IPs and
hostnames (if either the IP or host is not local then the next bind(2) will
fail)
- By default without arguments, spamd(8) will still bind(2) to 127.0.0.1 as
it did before
With feedback from deraadt@ and OK beck@
|
|
failure
Feedback and OK jsing@
|
|
|
|
OK deraadt@
|
|
- Use memset(*b, 0, len) instead of bzero(*b, len)
- Use memcpy(*dst, *src, len) instead of bcopy(*src, *dst, len)
- Use explicit_bzero(3) instead of bzero(3) to clean temporary HMAC
Remarks from deraadt@ (duly noted!!), reviewed and OK by henning@ and tb@
|
|
doesn't do that for us. found, analyzed and patch supplied by Martin Proyer
<martin at proyer dot net>, many thanks! ok bcook
funny since I just discussed a somewhat mysterious spamd-TLS issue with bob
and brent over breakfast yesterday in cambridge - not sure it is this one,
if it is I've been intensively digging in the wrong corner, almost "missing
the obvious"
|
|
changes - map the previous configuration to the equivalent in the new
groups. This will be revisited post release.
Discussed with beck@
|
|
|
|
this will be forbidden. The remaining pledge(2) calls after chroot(2) are still
kept.
OK semarie@ "it is time now"
|
|
|
|
the program
- Add error message to syslog if privdrop didn't succeed and then exit
- Remove lint comments
OK beck@ after his suggestion and also looks good to jca@
|
|
- check for root privileges, otherwise exit early with an appropriate
status code and a formatted string;
- be more specific with chroot()/chdir() checks.
OK beck@
|
|
|
|
this loads the tls certificate files pre-pledge then does the bulk of the tls
setup goo pledged.
|
|
All the work done by Ricardo Mestre <serial@helheim.mooo.com> - Thanks.
|
|
quite involved, due to tls_read potentially needing to write and tls_write
potentially needing to read (in the reneg case); that not fitting the spamd
model too well - it needs to keep a little more state.
help & ok bluhm & beck
|
|
STARTTLS dance. ok millert
|
|
and issue a new EHLO after STARTTLS. The misunderstanding seems to be common,
so we'll still grok MAIL FROM right after the STARTTLS dance, as well as
accepting a second EHLO. ok phessler beck millert
|
|
with bluhm
|
|
|
|
jointly with jsing@
|
|
ok jsing@
|
|
|
|
from steve shockley
ok sthen
|
|
ok jmc@
|
|
divert-to has many advantages over rdr-to for proxies. For example,
it is much easier to use, requires less code, does not depend on
/dev/pf, works in-band without the asynchronous lookup (DIOCNATLOOK
ioctl), saves us from additional port allocations by the rdr/NAT code,
and even avoids potential collisions and race conditions that could
theoretically happen with the lookup.
Heads up: users will have to update their spamd PF rules from rdr-to
to divert-to. spamd now also listens to 127.0.0.1 instead of "any"
(0.0.0.0) by default which should be fine with most setups but has to
be considered for some special configurations.
Based on a diff that is almost two years old but got delayed several times
... beck@: "now is the time to get it in" :)
Tested by many
With help from okan@
OK okan@ beck@ millert@
|
|
handling along the way.
Reviews by Brendan MacDonell, Jeremy Devenport, florian, doug, millert
|
|
|
|
is embedded in each struct con so the descriptors can't get out of
sync with the pfd[] array. OK deraadt@
|
|
|
|
ok schwarze@
|
|
that includes all currently supported protocols (TLSv1.0, TLSv1.1 and
TLSv1.2). Change all users of libtls to use TLS_PROTOCOLS_ALL so that they
maintain existing behaviour.
Discussed with tedu@ and reyk@.
|
|
split it; while here, zap trailing whitespace;
|
|
Rationale: when you publish DANE records for certificate pinning, you MUST
offer TLS on the indicated service. Not offering TLS is verboten since
that would re-open the door for a MitM. This is obviously fundamentally
incompatible with having spamd in front of your mailservers - spamd kinda
is a MitM here, but intentional and utterly valid.
DANE is desirable because it allows one to not have to trust the broken
SSL CA model, and, depending on the mode chosen, even show the SSL cert
mafia the middle finger by not needing them at all.
ok reyk jsing bob
|