On 02/01/20 11:08, Reio Remma wrote:
Hello!

The token|session id in v0.4 of the filter protocol were swapped to the more sensible session id|token order in v0.5. I believe the docs are still being worked on and will apply to the v0.5 protocol.


Thought I was going crazy. I was reading docs for .5 and testing on a system running .4 so as usual the fault lies with myself.

Thanks!

Edgar

For example filter-rspamd was recently updated to work with both versions, switching the argument order as needed.

Good luck,
Reio

On 01.02.2020 4:18, Edgar Pettijohn wrote:
Not sure if its a documentation bug or not, but smtpd-filters.7 states the following:

 For all phases, excepted "data-line", the responses must follow the same      construct, a message type "filter-result", followed by the unique session
     id, the opaque token, a decision and optional decision-specific
     parameters:

filter-result|7641df9771b4ed00|1ef1c203cc576e5d|proceed
filter-result|7641df9771b4ed00|1ef1c203cc576e5d|reject|550 nope

For my filter I had to send:

            filter-result|$token|$sid|proceed

It also shows the following for connect:

 connect: rdns fcrdns src dest
             This request is emitted after connection, before the banner is
             displayed.

I'm only seeing 9 fields though and expected 11.

mail$ uname -a
OpenBSD mail.pettijohn-web.com 6.6 GENERIC#4 amd64

# Not thoroughly tested, but if you want to use it pretend there is the ISC

# license here.

#!/usr/bin/awk -f

function logit(msg) {
    system("logger -p mail.info " msg)
}

function die(msg) {
    system("logger -p mail.err -s " msg)

    exit 1
}

BEGIN {
    ARGC = 0
    FS = "|"
    OFS = FS
    version = 0.4
    allowed = 3
    logit("filter-authban: starting...")
}

"config|ready" == $0 {
    print "register|report|smtp-in|link-connect"
    print "register|report|smtp-in|link-disconnect"
    print "register|report|smtp-in|link-auth"
    print "register|filter|smtp-in|connect"
    print "register|ready"
    next
}

"link-connect" == $5 {
    if (NF < 10)
        die("invalid input for link-connect")
    if ($2 != version)
        die("version mismatch")
    sid = $6
    src = $9

    state[sid] = src
}

"link-auth" == $5 {
    if (NF < 8)
        die("invalid input for link-auth")
    if ($2 != version)
        die("version mismatch")
    sid = $6
    user = $7
    result = $8

    if (state[sid]) {
        split(state[sid], ip, ":")
        addr = ip[1]
        if (result == "fail") {
            logit("auth failure for " user " from " addr)
            state[addr] += 1
        }
        if (state[addr] >= allowed)
            banned[addr] = 1
    }
}

"link-disconnect" == $5 {
    if (NF < 6)
        die("invalid input for link-disconnect")
    if ($2 != version)
        die("version mismatch")
    sid = $6

    delete state[sid]
}

"connect" == $5 {
    if ($2 != version)
        die("version mismatch")
    sid = $6
    token = $7
    src = $9

    if (banned[src]) {
        logit("rejecting connection from: " src)
        print "filter-result|" token "|" sid "|reject|550 go away"
    } else {
        print "filter-result|" token "|" sid "|proceed"
    }
}

END {
    logit("filter-authban: stopping...")
}

Thanks,


Edgar






Reply via email to