~ubuntu-branches/ubuntu/trusty/postfix/trusty-proposed


Viewing changes to src/postscreen/postscreen.c

  • Committer: Bazaar Package Importer
  • Author(s): LaMont Jones, Wietse Venema, Kees Cook
  • Date: 2011-02-23 02:04:21 UTC
  • mfrom: (1.1.28 upstream)
  • Revision ID: james.westby@ubuntu.com-20110223020421-1hxhntwr0fvyzucd
[Wietse Venema]

* new upstream version

[Kees Cook]

* debian/init.d: fix relative path problem in CA bundle chroot copying. 
  Closes: #614748, #614750  LP: #723312

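--- a/src/postscreen/postscreen.c
+++ b/src/postscreen/postscreen.c
@@ -54,7 +54,7 @@
 /*      RFC 1985 (ETRN command)
 /*      RFC 2034 (SMTP Enhanced Status Codes)
 /*      RFC 2821 (SMTP protocol)
-/*      RFC 2920 (SMTP Pipelining)
+/*      Not: RFC 2920 (SMTP Pipelining)
 /*      RFC 3207 (STARTTLS command)
 /*      RFC 3461 (SMTP DSN Extension)
 /*      RFC 3463 (Enhanced Status Codes)
@@ -68,7 +68,8 @@
 /*      Support for AUTH may be added in the future.
 /*      In the mean time, if you need to make these services available
 /*      on port 25, then do not enable the optional "after 220
-/*      server greeting" tests.
+/*      server greeting" tests, and do not use DNSBLs that reject
+/*      traffic from dial-up and residential networks.
 /*
 /*      The optional "after 220 server greeting" tests involve
 /*      \fBpostscreen\fR(8)'s built-in SMTP protocol engine. When
@@ -416,13 +417,6 @@
 int     var_psc_pre_queue_limit;
 int     var_psc_watchdog;
 
-#undef MIGRATION_WARNING
-
-#ifdef MIGRATION_WARNING
-char   *var_psc_wlist_nets;
-char   *var_psc_blist_nets;
-
-#endif
 char   *var_psc_acl;
 char   *var_psc_blist_action;
 
@@ -495,11 +489,6 @@
  /*
   * Local variables.
   */
-#ifdef MIGRATION_WARNING
-static ADDR_MATCH_LIST *psc_wlist_nets; /* permanently whitelisted networks */
-static ADDR_MATCH_LIST *psc_blist_nets; /* permanently blacklisted networks */
-
-#endif
 static ARGV *psc_acl;                   /* permanent white/backlist */
 static int psc_blist_action;            /* PSC_ACT_DROP/ENFORCE/etc */
 
@@ -715,47 +704,6 @@
             break;
         }
     }
-#ifdef MIGRATION_WARNING
-
-    /*
-     * The permanent whitelist has highest precedence (never block mail from
-     * whitelisted sites, and never run tests against those sites).
-     */
-    if (psc_wlist_nets != 0
-    && psc_addr_match_list_match(psc_wlist_nets, state->smtp_client_addr)) {
-        msg_info("WHITELISTED [%s]:%s", PSC_CLIENT_ADDR_PORT(state));
-        psc_conclude(state);
-        return;
-    }
-
-    /*
-     * The permanent blacklist has second precedence. If the client is
-     * permanently blacklisted, send some generic reply and hang up
-     * immediately, or run more tests for logging purposes.
-     */
-    if (psc_blist_nets != 0
-    && psc_addr_match_list_match(psc_blist_nets, state->smtp_client_addr)) {
-        msg_info("BLACKLISTED [%s]:%s", PSC_CLIENT_ADDR_PORT(state));
-        PSC_FAIL_SESSION_STATE(state, PSC_STATE_FLAG_BLIST_FAIL);
-        switch (psc_blist_action) {
-        case PSC_ACT_DROP:
-            PSC_DROP_SESSION_STATE(state,
-                             "521 5.3.2 Service currently unavailable\r\n");
-            return;
-        case PSC_ACT_ENFORCE:
-            PSC_ENFORCE_SESSION_STATE(state,
-                             "550 5.3.2 Service currently unavailable\r\n");
-            break;
-        case PSC_ACT_IGNORE:
-            PSC_UNFAIL_SESSION_STATE(state, PSC_STATE_FLAG_BLIST_FAIL);
-            /* Not: PSC_PASS_SESSION_STATE. Repeat this test the next time. */
-            break;
-        default:
-            msg_panic("%s: unknown blacklist action value %d",
-                      myname, psc_blist_action);
-        }
-    }
-#endif
 
     /*
      * The temporary whitelist (i.e. the postscreen cache) has the lowest
@@ -841,21 +789,6 @@
      * Open read-only maps before dropping privilege, for consistency with
      * other Postfix daemons.
      */
-#ifdef MIGRATION_WARNING
-    if (*var_psc_wlist_nets)
-        psc_wlist_nets =
-            addr_match_list_init(MATCH_FLAG_NONE, var_psc_wlist_nets);
-
-    if (*var_psc_blist_nets)
-        psc_blist_nets = addr_match_list_init(MATCH_FLAG_NONE,
-                                              var_psc_blist_nets);
-    if (psc_blist_nets || psc_wlist_nets) {
-        msg_warn("The %s and %s features will be removed soon. Use %s instead",
-                 VAR_PSC_WLIST_NETS, VAR_PSC_BLIST_NETS, VAR_PSC_ACL);
-        msg_warn("To stop this warning, specify empty values for %s and %s",
-                 VAR_PSC_WLIST_NETS, VAR_PSC_BLIST_NETS);
-    }
-#endif
     psc_acl_pre_jail_init();
     if (*var_psc_acl)
         psc_acl = psc_acl_parse(var_psc_acl, VAR_PSC_ACL);
@@ -1095,10 +1028,6 @@
         VAR_PSC_PIPEL_ACTION, DEF_PSC_PIPEL_ACTION, &var_psc_pipel_action, 1, 0,
         VAR_PSC_NSMTP_ACTION, DEF_PSC_NSMTP_ACTION, &var_psc_nsmtp_action, 1, 0,
         VAR_PSC_BARLF_ACTION, DEF_PSC_BARLF_ACTION, &var_psc_barlf_action, 1, 0,
-#ifdef MIGRATION_WARNING
-        VAR_PSC_WLIST_NETS, DEF_PSC_WLIST_NETS, &var_psc_wlist_nets, 0, 0,
-        VAR_PSC_BLIST_NETS, DEF_PSC_BLIST_NETS, &var_psc_blist_nets, 0, 0,
-#endif
         VAR_PSC_ACL, DEF_PSC_ACL, &var_psc_acl, 0, 0,
         VAR_PSC_BLIST_ACTION, DEF_PSC_BLIST_ACTION, &var_psc_blist_action, 1, 0,
         VAR_PSC_FORBID_CMDS, DEF_PSC_FORBID_CMDS, &var_psc_forbid_cmds, 0, 0,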
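Review bot: The manual-page comment touched in the first two hunks does not say that `VAR_PSC_ACL` is now the only permanent allow/deny list, even though the later hunks (old lines 419-425, 498-502, 718-758, 844-858 and 1098-1101) remove every visible reference to `VAR_PSC_WLIST_NETS` and `VAR_PSC_BLIST_NETS`, including the `msg_warn` that pointed operators at the replacement. The removed code sat under `#undef MIGRATION_WARNING`, so it was presumably already compiled out and runtime behaviour should not change here. Still, a configuration that sets the old deny-list parameter would apparently go unenforced with no log line, so a sentence in the header comment naming the retired parameters and their replacement would help anyone auditing a relay's screening policy. While near that declaration, the comment in `static ARGV *psc_acl; /* permanent white/backlist */` has a typo and should read `white/blacklist`. The functions that contained the removed blocks start and end outside the hunks shown.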