summaryrefslogtreecommitdiff
path: root/libexec/spamd
AgeCommit message (Collapse)Author
2021-12-15spamd: convert to opaque HMAC_CTXTheo Buehler
ok jsing
2021-07-14Remove unneeded calls to tls_init(3)kn
As per the manual and lib/libtls/tls.c revision 1.79 from 2018 "Automatically handle library initialisation for libtls." initialisation is handled automatically by other tls_*(3) functions. Remove explicit tls_init() calls from base to not give the impression of it being needed. Feedback tb OK Tests mestre
2021-07-07Hoist whole TLS initialization instead of loading the cert/key into memory firstRicardo Mestre
and setting them up later on, nowadays it's possible to do both steps in just one go through tls_config_set_{cert,key}_file(3) so use it and then init TLS. No functional change. OK kn@
2019-08-06By now we are already confident that pledge(2) "just works(tm)" and that it canRicardo Mestre
be used to effectively remove filesystem access. That being said, in spamd(8) when I pledge(2)d it the main priv process got "stdio inet" which means there's no fs access at all so calling chroot(2)/chdir(2) here doesn't get us any additional protection. Just remove them. OK deraadt@ and no objections from schwarze@
2019-07-24Ever since I introduced pledge(2) on spamd(8) the chroot'ed process, if runningRicardo Mestre
in default, cannot get anywhere near the filesystem since its only promises are "stdio inet". Furthermore, in blacklist mode this same codepath is not chroot'ed but once again it gets the same pledge(2). Therefore we can remove the BUGS section from spamd(8)'s manpage. OK millert@ deraadt@
2019-06-28When system calls indicate an error they return -1, not some arbitraryTheo de Raadt
value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
2019-01-25I am retiring my old email address; replace it with my OpenBSD one.Todd C. Miller
2018-10-25When spamd(8) runs in greylist mode in the parent process (which runsRicardo Mestre
greywatcher()) we know that the only files that it will ever access are PATH_SPAMD_DB in rw mode, alloweddomains_file in r and that it will need to execute PATH_PFCTL so we can unveil(2) them with those permissions. OK deraadt@ millert@ beck@
2018-10-22More "explicitely" -> "explicitly" in various comments.Kenneth R Westerback
ok guenther@ tb@ deraadt@
2018-04-26nuke trailing whitespaceBob Beck
2017-10-18Make blacklist entries override the whitelist. When running spamdTodd C. Miller
in greylisting mode, it is not uncommon for an IP to get whitelisted before it shows up on a spam blacklist. With this change, spamd will check its blacklists before adding a WHITE entry to the <spamd-white> pf table. If the IP matches a blacklist, the WHITE entry will be removed. OK phessler@
2017-10-17Use a binary search to speed up blacklist lookups. OK phessler@Todd C. Miller
2017-10-12Check for asprintf() returning -1 instead of assuming that theTodd C. Miller
pointer will remain unchanged when fails. OK deraadt@
2017-04-06fix missing \ on \n, spotted by Edgar PettijohnBob Beck
2017-04-02note that some hosts never generate tuples and are ignored;Jason McIntyre
ok beck
2017-03-16define the role of spamd-setup a little better;Jason McIntyre
2017-03-16use one way to show filter rules, not two. the bits and pieces of theJason McIntyre
spamd setup are complex enough without freestyling the pf rules; while here, Bk/Ek no longer required
2017-01-23check EAGAIN in the correct place,Bob Beck
noticed and ok phessler@
2017-01-23Switch spamd to nonblocking descriptors so we can count on getting aBob Beck
short write when the socket buffers are full, instead of blocking. ok benno@ claudio@
2017-01-17- spamd(8)'s -l accepts an IP address as argument to bind(2) and it callsRicardo Mestre
inet_pton(3) to check if it's valid and since that function doesn't provide a proper errno (POSIX doesn't mandate to do so) then if a string is given we may get this message: spamd: inet_pton: Undefined error: 0 - Instead replace that code to use getaddrinfo(3) from which is possible to get a proper error message, and at the same time being able to parse IPs and hostnames (if either the IP or host is not local then the next bind(2) will fail) - By default without arguments, spamd(8) will still bind(2) to 127.0.0.1 as it did before With feedback from deraadt@ and OK beck@
2016-11-30Check return value of tls_config_set_protocols(3) and bail out in case ofRicardo Mestre
failure Feedback and OK jsing@
2016-11-08Remove redundant & when clearing hostname variable, as per otto@'s requestRicardo Mestre
2016-11-07Replace bzero(3) with memset(3)Ricardo Mestre
OK deraadt@
2016-10-20- Remove useless var assignmentRicardo Mestre
- Use memset(*b, 0, len) instead of bzero(*b, len) - Use memcpy(*dst, *src, len) instead of bcopy(*src, *dst, len) - Use explicit_bzero(3) instead of bzero(3) to clean temporary HMAC Remarks from deraadt@ (duly noted!!), reviewed and OK by henning@ and tb@
2016-09-06must close our fd unconditionally and not just in the !TLS case; tls_closeHenning Brauer
doesn't do that for us. found, analyzed and patch supplied by Martin Proyer <martin at proyer dot net>, many thanks! ok bcook funny since I just discussed a somewhat mysterious spamd-TLS issue with bob and brent over breakfast yesterday in cambridge - not sure it is this one, if it is I've been intensively digging in the wrong corner, almost "missing the obvious"
2016-07-13Adjust existing tls_config_set_cipher() callers for TLS cipher groupJoel Sing
changes - map the previous configuration to the equivalent in the new groups. This will be revisited post release. Discussed with beck@
2016-05-17tyopJeremie Courreges-Anglas
2016-04-27Remove pledge(2)'s that are called before chroot(2) since in the near futureRicardo Mestre
this will be forbidden. The remaining pledge(2) calls after chroot(2) are still kept. OK semarie@ "it is time now"
2016-04-10per rfc, ehlo responses contain hostname, then options. from dyn+bsdTed Unangst
2016-03-25- Both checks for pw are not needed since it was already done at the start ofmestre
the program - Add error message to syslog if privdrop didn't succeed and then exit - Remove lint comments OK beck@ after his suggestion and also looks good to jca@
2016-03-10- add a define for "_spamd" user like others OpenBSD daemons;Gleydson Soares
- check for root privileges, otherwise exit early with an appropriate status code and a formatted string; - be more specific with chroot()/chdir() checks. OK beck@
2015-12-12Remove NULL-checks before free(). ok tb@mmcc
2015-12-10tighten the pledge for spamd, from Ricardo Mestre <serial@helheim.mooo.com>Bob Beck
this loads the tls certificate files pre-pledge then does the bulk of the tls setup goo pledged.
2015-12-08Initially pledge spamdBob Beck
All the work done by Ricardo Mestre <serial@helheim.mooo.com> - Thanks.
2015-12-05adjust to newer tls_read/_write semantics.Henning Brauer
quite involved, due to tls_read potentially needing to write and tls_write potentially needing to read (in the reneg case); that not fitting the spamd model too well - it needs to keep a little more state. help & ok bluhm & beck
2015-12-02in response to EHLO, don't offer STARTTLS if we already completed theHenning Brauer
STARTTLS dance. ok millert
2015-12-02I misread the standard when adding TLS; clients are supposed to start overHenning Brauer
and issue a new EHLO after STARTTLS. The misunderstaning seems to be common, so we'll still grok MAIL FROM right after the STARTTLS dance, as well as accepting a second EHLO. ok phessler beck millert
2015-12-02fix error messages to say tls_write after tls_write and not tls_read...Henning Brauer
with bluhm
2015-11-29Document that the pfdev check for 63 is /dev/fd/ only contains those nodesTheo de Raadt
2015-09-10read, tls_read, and tls_write return ssize_tBob Beck
jointly with jsing@
2015-09-10fix after libtls api changesBob Beck
ok jsing@
2015-08-12start replacing some \*([GL]t;Jason McIntyre
2015-08-12divert-to a table needs an address family;Jason McIntyre
from steve shockley ok sthen
2015-07-27use file system path (.Pa) semantic markup macros where appropriate.Igor Sobrado
ok jmc@
2015-05-18Change spamd to use divert-to instead of rdr-to.Reyk Floeter
divert-to has many advantages over rdr-to for proxies. For example, it is much easier to use, requires less code, does not depend on /dev/pf, works in-band without the asynchronous lookup (DIOCNATLOOK ioctl), saves us from additional port allocations by the rdr/NAT code, and even avoids potential collisions and race conditions that could theoretically happen with the lookup. Heads up: users will have to update their spamd PF rules from rdr-to to divert-to. spamd now also listens to 127.0.0.1 instead of "any" (0.0.0.0) by default which should be fine with most setups but has to be considered for some special configurations. Based on a diff is almost two years old but got delayed several times ... beck@: "now is the time to get it in" :) Tested by many With help from okan@ OK okan@ beck@ millert@
2015-04-18Convert many atoi() calls to strtonum(), adding range checks and failureTheo de Raadt
handling along the way. Reviews by Brendan MacDonell, Jeremy Devenport, florian, doug, millert
2015-04-14wrap a long lineTheo de Raadt
2015-03-12Use poll(2) instead of select(2). A pointer to the struct pollfdTodd C. Miller
is embedded in each struct con so the descriptors can't get out of sync with the pfd[] array. OK deraadt@
2015-02-22Set the TLS ciphers to "compat" mode, restoring the previous behaviour.Joel Sing
2015-02-15Don't use Aq macros when <> is intended; they are not the same thing.Anthony J. Bentley
ok schwarze@