On Mon, 27 Nov 2006 08:43:43 -0700
Bryan Scott <[EMAIL PROTECTED]> wrote:

> The first thought I had was if we could make the forkserver code
> perform similarly. It wouldn't be able to block just based on the
> SYN packets, but it could immediately close the connection (no
> banner, no error message, very un-RFC like), freeing it up for
> another host that much quicker. Not something a plugin can do.
That's what the hosts_allow plugin does. After accept()ing the incoming
connection, the pre-connection hook is run (while still in the main
server, before fork()ing). The hosts_allow plugin searches in its
config file for the IP of the incoming connection and returns
DENY (or one of its variants) or DECLINED. If a connection is denied
(soft or hard) the connection ends and no forking is done.

You want a disconnect without a message? I doubt it's that useful:
returning a 5xx message at least helps normal SMTP clients not to try
the connection again (for this message), while just disconnecting is
seen as a temp error.

If you really want it... what about:

--- 0.3x/qpsmtpd-forkserver     2006-11-07 20:07:00.000000000 +0100 
+++ qpsmtpd-forkserver          2006-11-27 19:09:38.000000000 +0100 
@@ -252,7 +252,7 @@
       close $client;
       next;
     } 
-    elsif ($rc == DENY || $rc == DENY_DISCONNECT) {
+    elsif ($rc == DENY) {
       unless ($msg[0]) {
         @msg = ("Sorry, service not available for you");
       }
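Review bot: Removing DENY_DISCONNECT from the `elsif ($rc == DENY || $rc == DENY_DISCONNECT)` condition changes behaviour for every plugin that returns DENY_DISCONNECT from this hook, not only for the ones that want a silent close. Before this change such a return got the message in @msg or the default "Sorry, service not available for you"; afterwards that text is never used. Consider making the silent close opt-in (a config switch or a separate return code) and documenting the changed meaning.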
@@ -260,7 +260,10 @@
       close $client;
       next;
     }
-
+    elsif ($rc == DENY_DISCONNECT) {
+      close $client;
+      next;
+    }
     my $pid = safe_fork();
     if ($pid) {
       # parent
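Review bot: The new `elsif ($rc == DENY_DISCONNECT)` branch closes $client without using @msg and without writing a log line, so a silently dropped connection leaves no record of why it was refused. Log the plugin's reason before `close $client;`. As a style point, the hunk also removes the blank line that separated the elsif chain from `my $pid = safe_fork();`; keep it.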


> The idea progressed to have some other plugin keep track of how many
> times a particular host errors out, assigning higher weights to 5xx
> errors vs. 4xx errors. After hitting a certain threshold, the
> forkserver code begins closing connections from those hosts (I
> personally don't care if I can hang up on known spam hosts).
Uh... I would not use such a plugin, or at least not without a
really good whitelist :)
But... write a plugin hooking the deny and pre-connection hooks. In
hook_deny do your accounting and write to a database which the
pre-connection hook uses.

        Hanno
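
The plugin outlined in the last paragraph of this message, as an added sketch that is not code from the original mail or from the qpsmtpd project. The plugin name, database path, weights, threshold and whitelist entry are assumptions, and the hook arguments are assumed to match qpsmtpd's docs/hooks.pod.

```perl
# Added sketch of a qpsmtpd plugin file (hypothetical name: deny_score).
# Assumption: hook arguments follow qpsmtpd's docs/hooks.pod; verify them
# against the version you run. Return-code constants are available in plugins.
use Fcntl qw(O_RDWR O_CREAT);
use SDBM_File;

my $DB        = '/var/spool/qpsmtpd/deny_score';   # assumed path
my $THRESHOLD = 20;                                # assumed value
my %WHITELIST = map { $_ => 1 } qw(127.0.0.1);     # constructed sample
my %WEIGHT    = (                                  # 5xx counts more than 4xx
    DENY()     => 5, DENY_DISCONNECT()     => 5,
    DENYSOFT() => 1, DENYSOFT_DISCONNECT() => 1,
);

# Open the score file, run $code on the tied hash, close it again.
# SDBM has no locking of its own; add flock() if many children write at once.
sub with_db {
    my ($code) = @_;
    tie(my %db, 'SDBM_File', $DB, O_RDWR | O_CREAT, 0600) or return;
    my $result = $code->(\%db);
    untie %db;
    return $result;
}

# Runs after any plugin rejected something: do the accounting here.
sub hook_deny {
    my ($self, $transaction, $prev_hook, $return, $return_text) = @_;
    # Do not score the rejection issued by our own pre-connection hook.
    return DECLINED if delete $self->{_own_deny};
    my $ip = $self->qp->connection->remote_ip or return DECLINED;
    my $weight = $WEIGHT{$return} or return DECLINED;
    return DECLINED if $WHITELIST{$ip};
    with_db(sub { $_[0]{$ip} = ($_[0]{$ip} || 0) + $weight });
    return DECLINED;
}

# Runs in the parent before fork(): keep it to one cheap local lookup.
sub hook_pre_connection {
    my ($self, $transaction, %args) = @_;
    delete $self->{_own_deny};          # never let a stale flag reach a child
    my $ip = $args{remote_ip} or return DECLINED;
    return DECLINED if $WHITELIST{$ip};
    my $score = with_db(sub { $_[0]{$ip} }) || 0;   # unreadable DB fails open
    return DECLINED if $score < $THRESHOLD;
    $self->{_own_deny} = 1;
    return (DENY_DISCONNECT, "Sorry, service not available for you");
}
```

Scores never decay in this sketch, so a deployment would also need to expire old entries.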
