Package: qmail-src Version: 1.03-38 Severity: wishlist Tags: patch Hi Jon!
Please consider adding the mfcheck (or a similar) patch to debian-qmail. It's a short patch which adds the capability to check the validity of the envelope sender's domain (DNS lookup). Its behavior is controlled by a control file and an environment variable (disabled by default). The patch is available from: http://www.jms1.net/qmail/patches/qmail-1.03-mfcheck.3.patch A short description can be found at: http://www.jms1.net/qmail/patches/combined.shtml#details A version of the patch modified to apply cleanly to debian-qmail is attached. A similar patch is also part of Spamcontrol. Thanks! th. -- System Information: Debian Release: 3.1 Architecture: i386 (i686) Kernel: Linux 2.4.27-grsec Locale: LANG=sk_SK, LC_CTYPE=sk_SK (charmap=ISO-8859-2) Versions of packages qmail-src depends on: ii debconf 1.4.30.13 Debian configuration management sy ii dpkg-dev 1.10.28 Package building tools for Debian ii fakeroot 1.2.10 Gives a fake root environment ii gcc 4:3.3.5-3 The GNU C compiler ii groff-base 1.18.1.1-7 GNU troff text-formatting system ( ii make 3.80-9 The GNU version of the "make" util ii patch 2.5.9-2 Apply a diff file to an original ii sudo 1.6.8p7-1.1 Provide limited super user privile -- debconf information excluded
diff -ruN qmail-1.03-orig/Makefile qmail-1.03/Makefile
--- qmail-1.03-orig/Makefile 2005-06-20 13:43:48.000000000 +0200
+++ qmail-1.03/Makefile 2005-06-20 13:48:23.000000000 +0200
@@ -1536,13 +1536,13 @@
 timeoutwrite.o ip.o ipme.o ipalloc.o control.o constmap.o received.o \
 date822fmt.o now.o qmail.o cdb.a fd.a wait.a datetime.a getln.a \
 open.a sig.a case.a env.a stralloc.a alloc.a strerr.a substdio.a error.a str.a \
-fs.a auto_qmail.o socket.lib
+fs.a auto_qmail.o socket.lib dns.o dns.lib
 ./load qmail-smtpd qregex.o rcpthosts.o commands.o timeoutread.o \
 timeoutwrite.o ip.o ipme.o ipalloc.o control.o constmap.o \
 received.o date822fmt.o now.o qmail.o cdb.a fd.a wait.a \
 datetime.a getln.a open.a sig.a case.a env.a stralloc.a \
 alloc.a strerr.a substdio.a error.a str.a fs.a auto_qmail.o `cat \
- socket.lib`
+ socket.lib` dns.o `cat dns.lib`
 qmail-smtpd.0: \
 qmail-smtpd.8
diff -ruN qmail-1.03-orig/qmail-control.9 qmail-1.03/qmail-control.9
--- qmail-1.03-orig/qmail-control.9 2005-06-20 13:43:48.000000000 +0200
+++ qmail-1.03/qmail-control.9 2005-06-20 13:44:36.000000000 +0200
@@ -63,6 +63,7 @@
 .I idhost \fIme \fRqmail-inject
 .I localiphost \fIme \fRqmail-smtpd
 .I locals \fIme \fRqmail-send
+.I mfcheck \fR0 \fRqmail-smtpd
 .I morercpthosts \fR(none) \fRqmail-smtpd
 .I percenthack \fR(none) \fRqmail-send
 .I plusdomain \fIme \fRqmail-inject
diff -ruN qmail-1.03-orig/qmail-smtpd.8 qmail-1.03/qmail-smtpd.8
--- qmail-1.03-orig/qmail-smtpd.8 2005-06-20 13:43:48.000000000 +0200
+++ qmail-1.03/qmail-smtpd.8 2005-06-20 13:44:36.000000000 +0200
@@ -138,6 +138,12 @@
 This is done before
 .IR rcpthosts .
 .TP 5
+.I mfcheck
+If set,
+.B qmail-smtpd
+tries to resolve the domain of the envelope from address. It can be
+handy when you want to filter out spamhosts.
+.TP 5
 .I morercpthosts
 Extra allowed RCPT domains.
 If
diff -ruN qmail-1.03-orig/qmail-smtpd.c qmail-1.03/qmail-smtpd.c
--- qmail-1.03-orig/qmail-smtpd.c 2005-06-20 13:43:48.000000000 +0200
+++ qmail-1.03/qmail-smtpd.c 2005-06-20 14:06:59.000000000 +0200
@@ -25,6 +25,7 @@
 #include "commands.h"
 #include "qregex.h"
 #include "strerr.h"
+#include "dns.h"
 #define BMCHECK_BMF 0
 #define BMCHECK_BMFNR 1
@@ -35,6 +36,7 @@
 #define MAXHOPS 100
 unsigned int databytes = 0;
+unsigned int mfchk = 0;
 int timeout = 1200;
 int safewrite(fd,buf,len) int fd; char *buf; int len;
@@ -61,6 +63,8 @@
 void err_bmf() { out("553 sorry, your envelope sender has been denied (#5.7.1)\r\n"); }
 void err_bmt() { out("553 sorry, your envelope recipient has been denied (#5.7.1)\r\n"); }
 void err_bhelo() { out("553 sorry, your HELO host name has been denied (#5.7.1)\r\n"); }
+void err_hmf() { out("553 sorry, your envelope sender domain must exist (#5.7.1)\r\n"); }
+void err_smf() { out("451 DNS temporary failure (#4.3.0)\r\n"); }
 void err_nogateway() { out("553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)\r\n"); }
 void err_unimpl(arg) char *arg; { out("502 unimplemented (#5.5.1)\r\n"); }
 void err_syntax() { out("555 syntax error (#5.5.4)\r\n"); }
@@ -135,6 +139,10 @@
 if (rcpthosts_init() == -1) die_control();
+ if (control_readint(&mfchk,"control/mfcheck") == -1) die_control();
+ x = env_get("MFCHECK");
+ if (x) { scan_ulong(x,&u); mfchk = u; }
+
 bmfok = control_readfile(&bmf,"control/badmailfrom",0);
 if (bmfok == -1) die_control();
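Review bot: In the `@@ -135,6 +139,10 @@` hunk the result of `scan_ulong(x,&u)` is ignored, so an `MFCHECK` value that does not begin with a digit presumably leaves `u` at 0 and silently turns the check off even when `control/mfcheck` enables it. Keeping the control-file value unless the variable actually parses, e.g. `if (x && scan_ulong(x,&u)) mfchk = u;`, makes a typo fail towards the configured policy rather than away from it. The man-page text added for `mfcheck` also never mentions that the environment variable overrides the control file, which deserves a sentence there. The enclosing function and the declarations of `x` and `u` lie outside the hunk.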
@@ -276,6 +284,25 @@
 return 0;
 }
+int mfcheck()
+{
+ stralloc sa = {0};
+ ipalloc ia = {0};
+ unsigned int random;
+ int j;
+
+ if (!mfchk) return 0;
+ random = now() + (getpid() << 16);
+ j = byte_rchr(addr.s,addr.len,'@') + 1;
+ if (j < addr.len) {
+ stralloc_copys(&sa, addr.s + j);
+ dns_init(0);
+ j = dns_mxip(&ia,&sa,random);
+ if (j < 0) return j;
+ }
+ return 0;
+}
+
 int addrallowed()
 {
 int r;
@@ -317,6 +344,11 @@
 if ((!flagbarfbmf) && (bmfnrok) && (addr.len != 1) && (!relayclient)) {
 flagbarfbmf = bmcheck(BMCHECK_BMFNR);
 }
+ switch(mfcheck()) {
+ case DNS_HARD: err_hmf(); return;
+ case DNS_SOFT: err_smf(); return;
+ case DNS_MEM: die_nomem();
+ }
 seenmail = 1;
 if (!stralloc_copys(&rcptto,"")) die_nomem();
 if (!stralloc_copys(&mailfrom,addr.s)) die_nomem();
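Review bot: `mfcheck()` declares `sa` and `ia` as automatic variables initialised to `{0}` and never releases them, so whatever `stralloc_copys` and `dns_mxip` allocate is lost on every call; a client that repeats MAIL FROM within one session can grow the process until allocation fails. The `stralloc_copys` result is also unchecked, unlike the `if (!stralloc_copys(...)) die_nomem();` pattern visible in the last hunk of this patch. Declaring the buffers `static stralloc sa = {0}; static ipalloc ia = {0};` so they are reused, and writing `if (!stralloc_copys(&sa, addr.s + j)) return DNS_MEM;`, would address both. The local named `random` shadows the libc function of the same name, so another name would read better.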
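Review bot: The `switch(mfcheck())` in the `@@ -317,6 +344,11 @@` hunk runs on every MAIL FROM, even when `flagbarfbmf` has already been set by the checks just above it and when `relayclient` is set. A sender that will presumably be refused anyway still costs MX/A lookups, and a local relay client gets a 451 whenever the resolver has trouble. If that is not intended, guard the call, e.g. `if (!flagbarfbmf && !relayclient) switch(mfcheck()) {`. A short comment such as `/* die_nomem() does not return */` on the `DNS_MEM` case would show that the missing `return` is deliberate. The enclosing function begins and ends outside the hunk.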