On Thu, 28 Jul 2005 15:15:09 -0400
John Peacock <[EMAIL PROTECTED]> wrote:
> I hate to do this to you, but I've been having an offlist conversation
> with Roger Walker, who pointed out that some people bind qpsmtpd to
> all interfaces (0.0.0.0) and hence localhost might be valid. Rather
> than make him hack his private copy, wouldn't it make more sense to
> populate %invalid from a config/invalid_resolvable_fromhost file,
> then provide an example file containing what you currently list in
> %invalid.
Like this?
[EMAIL PROTECTED]:~/src/qpsmtpd-0.30/plugins$ cat \
../config/invalid_resolvable_fromhost
127.0.0.0/8
0.0.0.0/8
224.0.0.0/4
169.254.0.0/16
10.0.0.0/8
[EMAIL PROTECTED]:~/src/qpsmtpd-0.30/plugins$
Seems to work, just tested with one domain which MX is pointing to
127.0.0.1 .)
Hanno
--- require_resolvable_fromhost.orig 2005-07-28 10:02:25.000000000 +0200
+++ require_resolvable_fromhost 2005-07-28 21:29:59.000000000 +0200
@@ -1,4 +1,7 @@
use Net::DNS qw(mx);
+use Socket;
+
+my %invalid = ();
sub register {
my ($self, $qp) = @_;
@@ -11,6 +14,14 @@
return DECLINED
if ($self->qp->connection->notes('whitelistclient'));
+ foreach my $i ($self->qp->config("invalid_resolvable_fromhost")) {
+ $i =~ s/^\s*//;
+ $i =~ s/\s*$//;
+ if ($i =~ m#^((\d{1,3}\.){3}\d{1,3})/(\d\d?)#) {
+ $invalid{$1} = $3;
+ }
+ }
+
$sender->format ne "<>"
and $self->qp->config("require_resolvable_fromhost")
and !$self->check_dns($sender->host)
@@ -23,7 +34,6 @@
}
-
sub check_dns {
my ($self, $host) = @_;
@@ -35,11 +45,52 @@
my $res = new Net::DNS::Resolver;
$res->tcp_timeout(30);
$res->udp_timeout(30);
- return 1 if mx($res, $host);
+ my @mx = mx($res, $host);
+ foreach my $mx (@mx) {
+ return mx_valid($self, $mx->exchange, $host);
+ }
my $query = $res->search($host);
if ($query) {
foreach my $rr ($query->answer) {
- return 1 if $rr->type eq "A" or $rr->type eq "MX";
+ if ($rr->type eq "A") {
+ return is_valid($rr->address);
+ }
+ elsif ($rr->type eq "MX") {
+ return mx_valid($self, $rr->exchange, $host);
+ }
+ }
+ }
+ else {
+ $self->log(LOGWARN, "$$ query for $host failed: ", $res->errorstring)
+ unless $res->errorstring eq "NXDOMAIN";
+ }
+ return 0;
+}
+
+sub is_valid {
+ my $ip = shift;
+ my ($net,$mask);
+ ### while (($net,$mask) = each %invalid) {
+ ### ... does NOT reset to beginning, will start on
+ ### 2nd invocation after where it denied the first time..., so
+ ### 2nd time the same "MAIL FROM" would be accepted!
+ foreach $net (keys %invalid) {
+ $mask = $invalid{$net};
+ $mask = pack "B32", "1"x($mask)."0"x(32-$mask);
+ return 0
+ if join(".", unpack("C4", inet_aton($ip) & $mask)) eq $net;
+ }
+ return 1;
+}
+
+sub mx_valid {
+ my ($self, $name, $host) = @_;
+ my $res = new Net::DNS::Resolver;
+ my $query = $res->search($name);
+ if ($query) {
+ foreach my $rr ($query->answer) {
+ next unless $rr->type eq "A";
+ return is_valid($rr->address);
}
}
else {
@@ -49,3 +100,4 @@
return 0;
}
+# vim: ts=2 sw=2 expandtab syn=perl
