Re: filter bug?
On 02/01/20 11:08, Reio Remma wrote:
Hello!
The token|session id in v0.4 of the filter protocol were swapped to
the more sensible session id|token order in v0.5. I believe the docs
are still being worked on and will apply to the v0.5 protocol.
Thought I was going crazy. I was reading docs for .5 and testing on a
system running .4 so as usual the fault lies with myself.
Thanks!
Edgar
For example filter-rspamd was recently updated to work with both
versions, switching the argument order as needed.
Good luck,
Reio
On 01.02.2020 4:18, Edgar Pettijohn wrote:
Not sure if its a documentation bug or not, but smtpd-filters.7
states the following:
For all phases, excepted "data-line", the responses must follow the
same
construct, a message type "filter-result", followed by the
unique session
id, the opaque token, a decision and optional decision-specific
parameters:
filter-result|7641df9771b4ed00|1ef1c203cc576e5d|proceed
filter-result|7641df9771b4ed00|1ef1c203cc576e5d|reject|550 nope
For my filter I had to send:
filter-result|$token|$sid|proceed
It also shows the following for connect:
connect: rdns fcrdns src dest
This request is emitted after connection, before the
banner is
displayed.
I'm only seeing 9 fields though and expected 11.
mail$ uname -a
OpenBSD mail.pettijohn-web.com 6.6 GENERIC#4 amd64
# Not thoroughly tested, but if you want to use it pretend there is
the ISC
# license here.
#!/usr/bin/awk -f
function logit(msg) {
system("logger -p mail.info " msg)
}
function die(msg) {
system("logger -p mail.err -s " msg)
exit 1
}
BEGIN {
ARGC = 0
FS = "|"
OFS = FS
version = 0.4
allowed = 3
logit("filter-authban: starting...")
}
"config|ready" == $0 {
print "register|report|smtp-in|link-connect"
print "register|report|smtp-in|link-disconnect"
print "register|report|smtp-in|link-auth"
print "register|filter|smtp-in|connect"
print "register|ready"
next
}
"link-connect" == $5 {
if (NF < 10)
die("invalid input for link-connect")
if ($2 != version)
die("version mismatch")
sid = $6
src = $9
state[sid] = src
}
"link-auth" == $5 {
if (NF < 8)
die("invalid input for link-auth")
if ($2 != version)
die("version mismatch")
sid = $6
user = $7
result = $8
if (state[sid]) {
split(state[sid], ip, ":")
addr = ip[1]
if (result == "fail") {
logit("auth failure for " user " from " addr)
state[addr] += 1
}
if (state[addr] >= allowed)
banned[addr] = 1
}
}
"link-disconnect" == $5 {
if (NF < 6)
die("invalid input for link-disconnect")
if ($2 != version)
die("version mismatch")
sid = $6
delete state[sid]
}
"connect" == $5 {
if ($2 != version)
die("version mismatch")
sid = $6
token = $7
src = $9
if (banned[src]) {
logit("rejecting connection from: " src)
print "filter-result|" token "|" sid "|reject|550 go away"
} else {
print "filter-result|" token "|" sid "|proceed"
}
}
END {
logit("filter-authban: stopping...")
}
Thanks,
Edgar
Re: filter bug?
Hello!
The token|session id in v0.4 of the filter protocol were swapped to the
more sensible session id|token order in v0.5. I believe the docs are
still being worked on and will apply to the v0.5 protocol.
For example filter-rspamd was recently updated to work with both
versions, switching the argument order as needed.
Good luck,
Reio
On 01.02.2020 4:18, Edgar Pettijohn wrote:
Not sure if its a documentation bug or not, but smtpd-filters.7 states
the following:
For all phases, excepted "data-line", the responses must follow the same
construct, a message type "filter-result", followed by the unique
session
id, the opaque token, a decision and optional decision-specific
parameters:
filter-result|7641df9771b4ed00|1ef1c203cc576e5d|proceed
filter-result|7641df9771b4ed00|1ef1c203cc576e5d|reject|550 nope
For my filter I had to send:
filter-result|$token|$sid|proceed
It also shows the following for connect:
connect: rdns fcrdns src dest
This request is emitted after connection, before the
banner is
displayed.
I'm only seeing 9 fields though and expected 11.
mail$ uname -a
OpenBSD mail.pettijohn-web.com 6.6 GENERIC#4 amd64
# Not thoroughly tested, but if you want to use it pretend there is
the ISC
# license here.
#!/usr/bin/awk -f
function logit(msg) {
system("logger -p mail.info " msg)
}
function die(msg) {
system("logger -p mail.err -s " msg)
exit 1
}
BEGIN {
ARGC = 0
FS = "|"
OFS = FS
version = 0.4
allowed = 3
logit("filter-authban: starting...")
}
"config|ready" == $0 {
print "register|report|smtp-in|link-connect"
print "register|report|smtp-in|link-disconnect"
print "register|report|smtp-in|link-auth"
print "register|filter|smtp-in|connect"
print "register|ready"
next
}
"link-connect" == $5 {
if (NF < 10)
die("invalid input for link-connect")
if ($2 != version)
die("version mismatch")
sid = $6
src = $9
state[sid] = src
}
"link-auth" == $5 {
if (NF < 8)
die("invalid input for link-auth")
if ($2 != version)
die("version mismatch")
sid = $6
user = $7
result = $8
if (state[sid]) {
split(state[sid], ip, ":")
addr = ip[1]
if (result == "fail") {
logit("auth failure for " user " from " addr)
state[addr] += 1
}
if (state[addr] >= allowed)
banned[addr] = 1
}
}
"link-disconnect" == $5 {
if (NF < 6)
die("invalid input for link-disconnect")
if ($2 != version)
die("version mismatch")
sid = $6
delete state[sid]
}
"connect" == $5 {
if ($2 != version)
die("version mismatch")
sid = $6
token = $7
src = $9
if (banned[src]) {
logit("rejecting connection from: " src)
print "filter-result|" token "|" sid "|reject|550 go away"
} else {
print "filter-result|" token "|" sid "|proceed"
}
}
END {
logit("filter-authban: stopping...")
}
Thanks,
Edgar
