On Thu, 28 Jul 2005 11:09:59 -0400
John Peacock <[EMAIL PROTECTED]> wrote:
> Hanno Hecker wrote:
> > I excluded the check for the RFC 1918 ranges because that server
> > delivers to such a range :) If the check for RFC 1918 and 3330 is
> > included in this plugin, it should have a config file or plugin
> > options with the ranges to check for...
>
> As pointed out, the problem with any patch which mandates the
> exclusion of specific blocks of IP addresses (based on a reverse name
> lookup) is that it may be wrong for someone, with the sole exceptions
> of 127.0.0.0/8, 0.0.0.0/8, and 169.254.0.0/16 (which are all
> impossible? to be used for e-mail). We could probably even extend
> that to include 224.0.0.0/4 (multicast) since that should also be
> unable to be used with a TCP connection like SMTP requires.
[...]
> Hanno, care to make a second pass to exclude all of the blocks I
> mention above (in the first paragraph)?
Ok, here it is...
now the plugin accepts ip/mask pairs in the form
require_resolvable_fromhost 192.168.0.0/16 10.0.0.0/8
which are treated as invalid MX IPs, in addition to the default ones
defined in %invalid.
Hanno
--- require_resolvable_fromhost.orig 2005-07-28 10:02:25.000000000 +0200
+++ require_resolvable_fromhost 2005-07-28 20:32:10.000000000 +0200
@@ -1,7 +1,23 @@
use Net::DNS qw(mx);
+use Socket;
+
+## this is the default list of invalid adresses:
+my %invalid = (
+ "0.0.0.0" => 8,
+ "127.0.0.0" => 8,
+ "169.254.0.0" => 16,
+ "224.0.0.0" => 4,
+ );
sub register {
- my ($self, $qp) = @_;
+ my ($self, $qp, @args) = @_;
+ foreach my $arg (@args) {
+ if ($arg =~ m#^((\d{1,3}\.){3}\d{1,3})/(\d\d?)#) {
+ $invalid{$1} = $3;
+ } else {
+ die "invalid net/mask pair '$arg'\n";
+ }
+ }
$self->register_hook("mail", "mail_handler");
}
@@ -23,7 +39,6 @@
}
-
sub check_dns {
my ($self, $host) = @_;
@@ -35,11 +50,52 @@
my $res = new Net::DNS::Resolver;
$res->tcp_timeout(30);
$res->udp_timeout(30);
- return 1 if mx($res, $host);
+ my @mx = mx($res, $host);
+ foreach my $mx (@mx) {
+ return mx_valid($self, $mx->exchange, $host);
+ }
my $query = $res->search($host);
if ($query) {
foreach my $rr ($query->answer) {
- return 1 if $rr->type eq "A" or $rr->type eq "MX";
+ if ($rr->type eq "A") {
+ return is_valid($rr->address);
+ }
+ elsif ($rr->type eq "MX") {
+ return mx_valid($self, $rr->exchange, $host);
+ }
+ }
+ }
+ else {
+ $self->log(LOGWARN, "$$ query for $host failed: ", $res->errorstring)
+ unless $res->errorstring eq "NXDOMAIN";
+ }
+ return 0;
+}
+
+sub is_valid {
+ my $ip = shift;
+ my ($net,$mask);
+ ### while (($net,$mask) = each %invalid) {
+ ### ... does NOT reset to beginning, will start on
+ ### 2nd invocation after where it denied the first time..., so
+ ### 2nd time the same "MAIL FROM" would be accepted!
+ foreach $net (keys %invalid) {
+ $mask = $invalid{$net};
+ $mask = pack "B32", "1"x($mask)."0"x(32-$mask);
+ return 0
+ if join(".", unpack("C4", inet_aton($ip) & $mask)) eq $net;
+ }
+ return 1;
+}
+
+sub mx_valid {
+ my ($self, $name, $host) = @_;
+ my $res = new Net::DNS::Resolver;
+ my $query = $res->search($name);
+ if ($query) {
+ foreach my $rr ($query->answer) {
+ next unless $rr->type eq "A";
+ return is_valid($rr->address);
}
}
else {
@@ -49,3 +105,4 @@
return 0;
}
+# vim: ts=2 sw=2 expandtab syn=perl
