RE: [vchkpw] FW: chkuser 2.0 doesn't appear to be working

[tonix (Antonio Nati)]

At 02.15 10/03/2006, you wrote:

#ifndef TLS

This means that it will only run chkuser if you didn't compile it with TLS support, which you might have done.  If TLS is defined, I don't see chkuser being included in the executable.  You need the chkuser calls in the TLS/SSL section as well.
This is not an if structure as it would be in regular code.  This is a compiler direction, that tells it to completely ignore those parts at COMPILE TIME.  Meaning, that those parts may never get included... ever... in the executable.
Of course I'm making an assumption that TLS is defined :)

-M

Yes, I agree with this observation.

But I want to tell something more: I don't understand why, in this phase, someone is still checking for TLS code.
The TLS phase has already been done initially, so I find all this TLS code here to be completely useless from an analytic point of view.
Infact, Shupp's version of this code in the same point has zero code related to TLS.

I find that if you DELETE all the code related to TLS, within this routine smtp_mail(), you'll semplify all.

Tonino

Lee Evans <[EMAIL PROTECTED]> wrote:

> You could post here (or send me) the routine where chkuser is

> called (both for sender and recipients), just to see what to change.

I have attached snippets from qmail-smtpd.c showing the send & rcpt routines

and chkuser code.... I hope this is what you meant.

> [Is chkuser.h included in a valid point within qmail-smtpd.c?]

I have:

#include "fd.h"

#include "dns.h"

#include "spf.h"

/*chkuser*/

#include "chkuser.h"

Thanks

Lee

void smtp_mail(arg) char *arg;

{

int r;

rcptcounter = 0 ;

if (!addrparse(arg)) { err_syntax(); return; }

/*chkuser*/

if (chkuser_sender (&addr) != CHKUSER_OK) { return; }

/*chkuser end*/

flagbarf = bmfcheck();

switch(mfcheck()) {

case DNS_HARD: err_hmf(); return;

case DNS_SOFT: err_smf(); return;

case DNS_MEM: die_nomem();

}

flagbarfspf = 0;

if (spfbehavior && !relayclient)

{

switch (r = spfcheck())

{

case SPF_OK: env_put2("SPFRESULT","pass"); break;

case SPF_NONE: env_put2("SPFRESULT","none"); break;

case SPF_UNKNOWN: env_put2("SPFRESULT","unknown"); break;

case SPF_NEUTRAL: env_put2("SPFRESULT","neutral"); break;

case SPF_SOFTFAIL: env_put2("SPFRESULT","softfail"); break;

case SPF_FAIL: env_put2("SPFRESULT","fail"); break;

case SPF_ERROR: env_put2("SPFRESULT","error"); break;

}

switch (r)

{

case SPF_NOMEM:

die_nomem();

case SPF_ERROR:

if (spfbehavior < 2) break ;

out ("451 SPF lookup failure (#4.3.0)\r\n");

return;

case SPF_NONE:

case SPF_UNKNOWN:

if (spfbehavior < 6) break ;

case SPF_NEUTRAL:

if (spfbehavior < 5) break ;

case SPF_SOFTFAIL:

if (spfbehavior < 4) break ;

case SPF_FAIL:

if (spfbehavior < 3) break ;

if (!spfexplanation(&spfbarfmsg)) die_nomem();

if (!stralloc_0(&spfbarfmsg)) die_nomem();

flagbarfspf = 1;

}

}

else

env_unset("SPFRESULT");

seenmail = 1;

if (!stralloc_copys(&rcptto,"")) die_nomem();

if (!stralloc_copys(&mailfrom,addr.s)) die_nomem();

if (!stralloc_0(&mailfrom)) die_nomem();

out("250 ok\r\n");

}

void smtp_rcpt(arg) char *arg; {

rcptcounter++;

if (!seenmail) { err_wantmail(); return; }

if (checkrcptcount() == 1) { err_syntax(); return; }

if (!addrparse(arg)) { err_syntax(); return; }

if (flagbarf) { err_bmf(); return; }

if (flagbarfspf) { err_spf(); return; }

if (relayclient) {

--addr.len;

if (!stralloc_cats(&addr,relayclient)) die_nomem();

if (!stralloc_0(&addr)) die_nomem();

}

else

#ifndef TLS

if (!addrallowed()) { err_nogateway(); return; }

/*chkuser*/

switch (chkuser_realrcpt (&mailfrom, &addr)) {

case CHKUSER_KO:

return;

break;

case CHKUSER_RELAYING:

--addr.len;

if (!stralloc_cats(&addr,relayclient)) die_nomem();

if (!stralloc_0(&addr)) die_nomem();

break;

}

/*end chkuser*/

#else

if (!addrallowed())

{

if (ssl)

{ STACK_OF(X509_NAME) *sk;

X509 *peercert;

stralloc tlsclients = {0};

struct constmap maptlsclients;

int r;

SSL_set_verify(ssl,

SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,

verify_cb);

if ((sk = SSL_load_client_CA_file("control/clientca.pem")) == NULL)

{ err_nogateway(); return; }

SSL_set_client_CA_list(ssl, sk);

if((control_readfile(&tlsclients,"control/tlsclients",0) != 1) ||

!constmap_init(&maptlsclients,tlsclients.s,tlsclients.len,0))

{ err_nogateway(); return; }

SSL_renegotiate(ssl);

SSL_do_handshake(ssl);

ssl->state = SSL_ST_ACCEPT;

SSL_do_handshake(ssl);

if ((r = SSL_get_verify_result(ssl)) != X509_V_OK)

{out("553 no valid cert for gatewaying: ");

out(X509_verify_cert_error_string(r));

out(" (#5.7.1)\r\n");

return;

}

if (peercert = SSL_get_peer_certificate(ssl))

{char emailAddress[256];

X509_NAME_get_text_by_NID(X509_get_subject_name(

SSL_get_peer_certificate(ssl)),

NID_pkcs9_emailAddress, emailAddress, 256); if (!stralloc_copys(&clientcert, emailAddress)) die_nomem();

if (!constmap(&maptlsclients,clientcert.s,clientcert.len))

{ err_nogwcert(); return; }

relayclient = "";

}

else { err_nogwcert(); return; }

}

else { err_nogateway(); return; }

}

#endif

if (!stralloc_cats(&rcptto,"T")) die_nomem();

if (!stralloc_cats(&rcptto,addr.s)) die_nomem();

if (!stralloc_0(&rcptto)) die_nomem();

out("250 ok\r\n");

}