189
190
my $trusted = $self->{main}->{conf}->{trusted_networks};
191
if (scalar @ips + scalar @originating > 0) {
192
# If name is foo-notfirsthop, check all addresses except for
193
# the originating one. Suitable for use with dialup lists, like the PDL.
194
# note that if there's only 1 IP in the untrusted set, do NOT pop the
195
# list, since it'd remove that one, and a legit user is supposed to
196
# use their SMTP server (ie. have at least 1 more hop)!
197
# If name is foo-lastexternal, check only the Received header just before
198
# it enters our internal networks; we can trust it and it's the one that
199
# passed mail between networks
200
if ($set =~ /-(notfirsthop|lastexternal)$/)
202
# use the external IP set, instead of the trusted set; the user may have
203
# specified some third-party relays as trusted. Also, don't use
204
# @originating; those headers are added by a phase of relaying through
205
# a server like Hotmail, which is not going to be in dialup lists anyway.
206
@ips = $self->ip_list_uniq_and_strip_private(@fullexternal);
207
if ($1 eq "lastexternal") {
208
@ips = (defined $ips[0]) ? ($ips[0]) : ();
192
# If name is foo-notfirsthop, check all addresses except for
193
# the originating one. Suitable for use with dialup lists, like the PDL.
194
# note that if there's only 1 IP in the untrusted set, do NOT pop the
195
# list, since it'd remove that one, and a legit user is supposed to
196
# use their SMTP server (ie. have at least 1 more hop)!
197
# If name is foo-lastexternal, check only the Received header just before
198
# it enters our internal networks; we can trust it and it's the one that
199
# passed mail between networks
200
if ($set =~ /-(notfirsthop|lastexternal)$/)
202
# use the external IP set, instead of the trusted set; the user may have
203
# specified some third-party relays as trusted. Also, don't use
204
# @originating; those headers are added by a phase of relaying through
205
# a server like Hotmail, which is not going to be in dialup lists anyway.
206
@ips = $self->ip_list_uniq_and_strip_private(@fullexternal);
207
if ($1 eq "lastexternal") {
208
@ips = (defined $ips[0]) ? ($ips[0]) : ();
210
210
pop @ips if (scalar @ips > 1);
213
# If name is foo-firsttrusted, check only the Received header just
214
# after it enters our trusted networks; that's the only one we can
215
# trust the IP address from (since our relay added that header).
216
# And if name is foo-untrusted, check any untrusted IP address.
217
elsif ($set =~ /-(first|un)trusted$/)
220
foreach my $ip (@originating) {
221
if ($ip && !$trusted->contains_ip($ip)) {
225
@ips = $self->ip_list_uniq_and_strip_private (@ips, @tips);
227
@ips = (defined $ips[0]) ? ($ips[0]) : ();
235
foreach my $ip (@originating) {
236
if ($ip && !$trusted->contains_ip($ip)) {
240
# add originating IPs as untrusted IPs (if they are untrusted)
241
@ips = reverse $self->ip_list_uniq_and_strip_private (@ips, @tips);
243
# How many IPs max you check in the received lines
244
my $checklast=$self->{main}->{conf}->{num_check_received};
246
if (scalar @ips > $checklast) {
247
splice (@ips, $checklast); # remove all others
213
# If name is foo-firsttrusted, check only the Received header just
214
# after it enters our trusted networks; that's the only one we can
215
# trust the IP address from (since our relay added that header).
216
# And if name is foo-untrusted, check any untrusted IP address.
217
elsif ($set =~ /-(first|un)trusted$/)
220
foreach my $ip (@originating) {
221
if ($ip && !$trusted->contains_ip($ip)) {
225
@ips = $self->ip_list_uniq_and_strip_private (@ips, @tips);
227
@ips = (defined $ips[0]) ? ($ips[0]) : ();
235
foreach my $ip (@originating) {
236
if ($ip && !$trusted->contains_ip($ip)) {
241
# add originating IPs as untrusted IPs (if they are untrusted)
242
@ips = reverse $self->ip_list_uniq_and_strip_private (@ips, @tips);
245
# How many IPs max you check in the received lines
246
my $checklast=$self->{main}->{conf}->{num_check_received};
248
if (scalar @ips > $checklast) {
249
splice (@ips, $checklast); # remove all others
252
my $tflags = $pms->{conf}->{tflags}->{$rule};
254
# Trusted relays should only be checked against nice rules (dnswls)
255
if (defined $tflags && $tflags !~ /\bnice\b/) {
256
foreach my $ip (@ips) {
257
last if !$trusted->contains_ip($ip);
258
shift @ips; # remove trusted hosts from beginning
262
unless (scalar @ips > 0) {
263
dbg("dns: no untrusted IPs to check");
251
267
dbg("dns: only inspecting the following IPs: ".join(", ", @ips));