summaryrefslogtreecommitdiff
path: root/libexec/spamd
AgeCommit message (Collapse)Author
2018-10-25When spamd(8) runs in greylist mode in the parent process (which runsRicardo Mestre
greywatcher()) we know that the only files that it will ever access are PATH_SPAMD_DB in rw mode, alloweddomains_file in r and that it will need to execute PATH_PFCTL so we can unveil(2) them with those permissions. OK deraadt@ millert@ beck@
2018-10-22More "explicitely" -> "explicitly" in various comments.Kenneth R Westerback
ok guenther@ tb@ deraadt@
2018-04-26nuke trailing whitespaceBob Beck
2017-10-18Make blacklist entries override the whitelist. When running spamdTodd C. Miller
in greylisting mode, it is not uncommon for an IP to get whitelisted before it shows up on a spam blacklist. With this change, spamd will check its blacklists before adding a WHITE entry to the <spamd-white> pf table. If the IP matches a blacklist, the WHITE entry will be removed. OK phessler@
2017-10-17Use a binary search to speed up blacklist lookups. OK phessler@Todd C. Miller
2017-10-12Check for asprintf() returning -1 instead of assuming that theTodd C. Miller
pointer will remain unchanged when fails. OK deraadt@
2017-04-06fix missing \ on \n, spotted by Edgar PettijohnBob Beck
2017-04-02note that some hosts never generate tuples and are ignored;Jason McIntyre
ok beck
2017-03-16define the role of spamd-setup a little better;Jason McIntyre
2017-03-16use one way to show filter rules, not two. the bits and pieces of theJason McIntyre
spamd setup are complex enough without freestyling the pf rules; while here, Bk/Ek no longer required
2017-01-23check EAGAIN in the correct place,Bob Beck
noticed and ok phessler@
2017-01-23Switch spamd to nonblocking descriptors so we can count on getting aBob Beck
short write when the socket buffers are full, instead of blocking. ok benno@ claudio@
2017-01-17- spamd(8)'s -l accepts an IP address as argument to bind(2) and it callsRicardo Mestre
inet_pton(3) to check if it's valid and since that function doesn't provide a proper errno (POSIX doesn't mandate to do so) then if a string is given we may get this message: spamd: inet_pton: Undefined error: 0 - Instead replace that code to use getaddrinfo(3) from which is possible to get a proper error message, and at the same time being able to parse IPs and hostnames (if either the IP or host is not local then the next bind(2) will fail) - By default without arguments, spamd(8) will still bind(2) to 127.0.0.1 as it did before With feedback from deraadt@ and OK beck@
2016-11-30Check return value of tls_config_set_protocols(3) and bail out in case ofRicardo Mestre
failure Feedback and OK jsing@
2016-11-08Remove redundant & when clearing hostname variable, as per otto@'s requestRicardo Mestre
2016-11-07Replace bzero(3) with memset(3)Ricardo Mestre
OK deraadt@
2016-10-20- Remove useless var assignmentRicardo Mestre
- Use memset(*b, 0, len) instead of bzero(*b, len) - Use memcpy(*dst, *src, len) instead of bcopy(*src, *dst, len) - Use explicit_bzero(3) instead of bzero(3) to clean temporary HMAC Remarks from deraadt@ (duly noted!!), reviewed and OK by henning@ and tb@
2016-09-06must close our fd unconditionally and not just in the !TLS case; tls_closeHenning Brauer
doesn't do that for us. found, analyzed and patch supplied by Martin Proyer <martin at proyer dot net>, many thanks! ok bcook funny since I just discussed a somewhat mysterious spamd-TLS issue with bob and brent over breakfast yesterday in cambridge - not sure it is this one, if it is I've been intensively digging in the wrong corner, almost "missing the obvious"
2016-07-13Adjust existing tls_config_set_cipher() callers for TLS cipher groupJoel Sing
changes - map the previous configuration to the equivalent in the new groups. This will be revisited post release. Discussed with beck@
2016-05-17tyopJeremie Courreges-Anglas
2016-04-27Remove pledge(2)'s that are called before chroot(2) since in the near futureRicardo Mestre
this will be forbidden. The remaining pledge(2) calls after chroot(2) are still kept. OK semarie@ "it is time now"
2016-04-10per rfc, ehlo responses contain hostname, then options. from dyn+bsdTed Unangst
2016-03-25- Both checks for pw are not needed since it was already done at the start ofmestre
the program - Add error message to syslog if privdrop didn't succeed and then exit - Remove lint comments OK beck@ after his suggestion and also looks good to jca@
2016-03-10- add a define for "_spamd" user like others OpenBSD daemons;Gleydson Soares
- check for root privileges, otherwise exit early with an appropriate status code and a formatted string; - be more specific with chroot()/chdir() checks. OK beck@
2015-12-12Remove NULL-checks before free(). ok tb@mmcc
2015-12-10tighten the pledge for spamd, from Ricardo Mestre <serial@helheim.mooo.com>Bob Beck
this loads the tls certificate files pre-pledge then does the bulk of the tls setup goo pledged.
2015-12-08Initially pledge spamdBob Beck
All the work done by Ricardo Mestre <serial@helheim.mooo.com> - Thanks.
2015-12-05adjust to newer tls_read/_write semantics.Henning Brauer
quite involved, due to tls_read potentially needing to write and tls_write potentially needing to read (in the reneg case); that not fitting the spamd model too well - it needs to keep a little more state. help & ok bluhm & beck
2015-12-02in response to EHLO, don't offer STARTTLS if we already completed theHenning Brauer
STARTTLS dance. ok millert
2015-12-02I misread the standard when adding TLS; clients are supposed to start overHenning Brauer
and issue a new EHLO after STARTTLS. The misunderstaning seems to be common, so we'll still grok MAIL FROM right after the STARTTLS dance, as well as accepting a second EHLO. ok phessler beck millert
2015-12-02fix error messages to say tls_write after tls_write and not tls_read...Henning Brauer
with bluhm
2015-11-29Document that the pfdev check for 63 is /dev/fd/ only contains those nodesTheo de Raadt
2015-09-10read, tls_read, and tls_write return ssize_tBob Beck
jointly with jsing@
2015-09-10fix after libtls api changesBob Beck
ok jsing@
2015-08-12start replacing some \*([GL]t;Jason McIntyre
2015-08-12divert-to a table needs an address family;Jason McIntyre
from steve shockley ok sthen
2015-07-27use file system path (.Pa) semantic markup macros where appropriate.Igor Sobrado
ok jmc@
2015-05-18Change spamd to use divert-to instead of rdr-to.Reyk Floeter
divert-to has many advantages over rdr-to for proxies. For example, it is much easier to use, requires less code, does not depend on /dev/pf, works in-band without the asynchronous lookup (DIOCNATLOOK ioctl), saves us from additional port allocations by the rdr/NAT code, and even avoids potential collisions and race conditions that could theoretically happen with the lookup. Heads up: users will have to update their spamd PF rules from rdr-to to divert-to. spamd now also listens to 127.0.0.1 instead of "any" (0.0.0.0) by default which should be fine with most setups but has to be considered for some special configurations. Based on a diff is almost two years old but got delayed several times ... beck@: "now is the time to get it in" :) Tested by many With help from okan@ OK okan@ beck@ millert@
2015-04-18Convert many atoi() calls to strtonum(), adding range checks and failureTheo de Raadt
handling along the way. Reviews by Brendan MacDonell, Jeremy Devenport, florian, doug, millert
2015-04-14wrap a long lineTheo de Raadt
2015-03-12Use poll(2) instead of select(2). A pointer to the struct pollfdTodd C. Miller
is embedded in each struct con so the descriptors can't get out of sync with the pfd[] array. OK deraadt@
2015-02-22Set the TLS ciphers to "compat" mode, restoring the previous behaviour.Joel Sing
2015-02-15Don't use Aq macros when <> is intended; they are not the same thing.Anthony J. Bentley
ok schwarze@
2015-02-12Change TLS_PROTOCOLS_DEFAULT to be TLSv1.2 only. Add a TLS_PROTOCOLS_ALLJoel Sing
that includes all currently supported protocols (TLSv1.0, TLSv1.1 and TLSv1.2). Change all users of libtls to use TLS_PROTOCOLS_ALL so that they maintain existing behaviour. Discussed with tedu@ and reyk@.
2015-02-07put -G and it's args back onto one line in SYNOPSIS, to avoid having mandocJason McIntyre
split it; while here, zap trailing whitespace;
2015-02-07add STARTTLS support, using the shiny libtls.Henning Brauer
Rationale: when you publish DANE records for certificate pinning, you MUST offer TLS on the indicated service. Not offering TLS is verboten since that would re-open the door for a MitM. This is obviously fundamentally incompatible with having spamd in front of your mailservers - spamd kinda is a MitM here, but intentional and utterly valid. DANE is desirable because it allows one to not have to trust the broken SSL CA model, and, depending on the mode chosen, even show the SSL cert mafia the middle finger by not needing them at all. ok reyk jsing bob
2015-01-16Replace <sys/param.h> with <limits.h> and other less dirty headers whereTheo de Raadt
possible. Annotate <sys/param.h> lines with their current reasons. Switch to PATH_MAX, NGROUPS_MAX, HOST_NAME_MAX+1, LOGIN_NAME_MAX, etc. Change MIN() and MAX() to local definitions of MINIMUM() and MAXIMUM() where sensible to avoid pulling in the pollution. These are the files confirmed through binary verification. ok guenther, millert, doug (helped with the verification protocol)
2015-01-13Move debug printf for duplicate af to correct location.Todd C. Miller
2015-01-13Remove bogus getopt.h include.Todd C. Miller
2015-01-13Use address-family specific lists of addr/mask entries instead ofTodd C. Miller
a union that can store either ipv4 or ipv6. The old method used 4x as much memory as was really needed for ipv4. The spamd-setup protocol has changed from: tag;message;a/m;a/m;a/m...\n to :tag;message;af;count;a/m;a/m;a/m...[af;count;a/m;a/m;a/m]\n OK phessler@ "nice" beck@