[milters] Archive


Article: 377
From: Ismael Perin
Date: 2005-03-04 08:30:55 -0500
Subject: Re: Sender invalid

Removal...........: milters-request@milter.info?subject=remove
More information..: http://www.milter.info/#Support
--------------------------------------------------------

Hi,

This error occurred in the command to patch milter-sender.

----------------------------------------------------
[root@server]# patch milter-sender.c mxCallBackThisHost.patch
patching file milter-sender.c
Hunk #1 FAILED at 297.
Hunk #2 FAILED at 366.
Hunk #3 FAILED at 1645.
Hunk #4 FAILED at 1732.
4 out of 4 hunks FAILED -- saving rejects to file milter-sender.c.rej
-----------------------------------------------------

Or am I wrong in executing the patch?
Thanks.


----- Original Message ----- 
From: "Anthony Howe" <achowe@snert.com>
To: <milters@milter.info>
Sent: Friday, March 04, 2005 9:24 AM
Subject: [milters] Re: Sender invalid



Ismael Perin wrote:
> This log shows messages authorized by the milter-sender because it is my
> host, but this user (vnha_hnpm_h_t_u) does not exist.
>
> -------------------------------------------------
> Mar  3 16:04:39 myserver milter-sender[27810]: 08809 j23J4ad8024769: MX for
> <vnha_hnpm_h_t_u@myserver.com> is this host, skipping
>
> Mar  3 16:04:52 myserver sendmail[24769]: j23J4ad8024769:
> from=<vnha_hnpm_h_t_u@myserver.com>, size=9106, class=0, nrcpts=20,
> msgid=<200503031904.j23J4ad8024769@myserver.com>, proto=SMTP, daemon=MTA,
> relay=[201.10.169.96]
> -------------------------------------------------
>
> What do I do to verify senders on my host?

milter-sender does not verify local recipients or senders on the host. I
tried to do this once to support another feature, but it just wasn't
possible to do properly.

Essentially, when milter-sender sees email destined for a local
recipient, it leaves sendmail to deliver the message or return user
unknown.

In the case of the sender causing a callback to ourselves, I choose not
to do this. Here's the comment from the source code:

/* BY-PASS: Skip checking sender when the MX points to this
* host. There is no point in doing an expensive check of
* the sender, when sendmail has better means to do this.
* Even if the sender has falsified their address, better
* to pass and let some other tool reject it based on
* different critieria.
*
* This BY-PASS might be removed in the future in favour of
* calling ourselves back to validate the address.
*/

I've included an untested patch that provides an option to disable this
by-pass.

-- 
Anthony C Howe                                 +33 6 11 89 73 78
http://www.snert.com/       ICQ: 7116561         AIM: Sir Wumpus

"held in my arms / his sun washed face / eyes closed" - Anthony


-- Attached file included as plaintext by Ecartis --
-- File: mxCallBackThisHost.patch

--- milter-sender.c.orig 2005-02-14 09:02:50.859375000 +0100
+++ milter-sender.c 2005-03-04 13:02:43.234375000 +0100
@@ -297,6 +297,7 @@
 static NumericOption mxCallBackIpBlocked = { 1, "MxCallBackIpBlocked", 0, 
"if our IP appears in an callback error response, assume accepts any 
email" };
 static NumericOption mxCallBackConnect = { 1, "MxCallBackConnect", 1, 
"enable the callback SMTP connection" };
 static NumericOption mxCallBackMaxAttempts = { 0, "MxCallBackMaxAttempts", 
3, "maximum number of MX hosts to attempt callback with, 0 = disable 
callback" };
+static NumericOption mxCallBackThisHost = { 1, "mxCallBackThisHost", 0, 
"when true, call ourselves back to validate sender; default false" };
 static NumericOption mxCallAheadOn = { 1, "MxCallAhead", 0, "an MX gateway

can call the next hop to verify the recipient" };
 static NumericOption mxRejectBenchmark = { 1, "MxRejectBenchmark", 1, 
"reject MX with RFC 3330 benchmark network 198.18.0.0/15" };
 static NumericOption mxRejectLinkLocal = { 1, "MxRejectLinkLocal", 1, 
"reject MX with RFC 3330 link local addresses 169.254.0.0/16" };
@@ -365,6 +366,7 @@
  &mxCallBackConnect,
  &mxCallBackIpBlocked,
  &mxCallBackMaxAttempts,
+ &mxCallBackThisHost,
  &mxRejectBenchmark,
  &mxRejectLinkLocal,
  &mxRejectLoopback,
@@ -1643,10 +1645,8 @@
  Dns dns;
  sfsistat rc;
  DnsRecord mx;
- char *if_addr;
  CacheEntry entry;
  const char *error;
- struct in_addr if_addr_ip;
  int i, rcode, mxLimit, mxError, status;

  /* Assume the sender will pass the tests. Note that any "goto ok"
@@ -1732,37 +1732,42 @@
  goto error2;
  }

- /* BY-PASS: Skip checking sender when the MX points to this
- * host. There is no point in doing an expensive check of
- * the sender, when sendmail has better means to do this.
- * Even if the sender has falsified their address, better
- * to pass and let some other tool reject it based on
- * different critieria.
- *
- * This BY-PASS might be removed in the future in favour of
- * calling ourselves back to validate the address.
- */
+ if (!mxCallBackThisHost.value) {
+ char *if_addr;
+ struct in_addr if_addr_ip;
+
+ /* BY-PASS: Skip checking sender when the MX points to this
+ * host. There is no point in doing an expensive check of
+ * the sender, when sendmail has better means to do this.
+ * Even if the sender has falsified their address, better
+ * to pass and let some other tool reject it based on
+ * different critieria.
+ *
+ * This BY-PASS might be removed in the future in favour of
+ * calling ourselves back to validate the address.
+ */

- if ((if_addr = smfi_getsymval(data->work.ctx, macro_if_addr)) == NULL)
- if_addr = "0.0.0.0";
+ if ((if_addr = smfi_getsymval(data->work.ctx, macro_if_addr)) == NULL)
+ if_addr = "0.0.0.0";

- /* Using inet_ntoa() fills a static buffer, which is NOT  a
- * good thing in a threaded application like this. Instead
- * convert from a string to a binary form and compare those,
- * which avoids the need for a mutex.
- */
- if (SocketAddressToIP(if_addr, &if_addr_ip)) {
- (void) setReply(data, 550, "5.0.0", "internal error converting 
{if_addr}=\"%s\"", if_addr);
- rc = SMFIS_ACCEPT;
- goto error2;
- }
+ /* Using inet_ntoa() fills a static buffer, which is NOT  a
+ * good thing in a threaded application like this. Instead
+ * convert from a string to a binary form and compare those,
+ * which avoids the need for a mutex.
+ */
+ if (SocketAddressToIP(if_addr, &if_addr_ip)) {
+ (void) setReply(data, 550, "5.0.0", "internal error converting 
{if_addr}=\"%s\"", if_addr);
+ rc = SMFIS_ACCEPT;
+ goto error2;
+ }

- if (memcmp(&if_addr_ip, &mx->ip, sizeof if_addr_ip) == 0) {
- if (smfLogDetail & SMF_LOG_INFO)
- syslog(LOG_INFO, TAG_FORMAT "MX for <%s> is this host, skipping", 
TAG_ARGS, data->work.mail->address.string);
- goto ok;
+ if (memcmp(&if_addr_ip, &mx->ip, sizeof if_addr_ip) == 0) {
+ if (smfLogDetail & SMF_LOG_INFO)
+ syslog(LOG_INFO, TAG_FORMAT "MX for <%s> is this host, skipping", 
TAG_ARGS, data->work.mail->address.string);
+ goto ok;
+ }
  }
-
+
  /* TEST for internal error conditons that shouldn't occur. */
  if (data->mxlist == NULL) {
  syslog(LOG_ERR, TAG_FORMAT "internal error: empty MX list", TAG_ARGS);
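Review bot: The BY-PASS comment carried into the new if (!mxCallBackThisHost.value) block still ends with "This BY-PASS might be removed in the future in favour of calling ourselves back", which is now exactly what setting the option does; reword it to say the by-pass is the default and that mxCallBackThisHost disables it. The final -/+ pair replaces one blank line with another, a whitespace-only change that should be dropped from the patch. The SocketAddressToIP() failure branch is moved unchanged, so it still sets a 550 reply while returning SMFIS_ACCEPT; worth confirming that combination is intended.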



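The case in the quoted log, where milter-sender skipped the sender check for a local-domain address that arrived from an outside relay, can be found after the fact by joining the milter-sender and sendmail lines on the queue ID. This is an added example, not part of the thread or of milter-sender; the function name, the `trusted_nets` parameter and the sample lines (example.com, 192.0.2.96) are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample lines modeled on the syslog format quoted in the thread.
SAMPLE_LOG = """\
Mar  3 16:04:39 mx1 milter-sender[27810]: 08809 j23J4ad8024769: MX for <nosuchuser@example.com> is this host, skipping
Mar  3 16:04:52 mx1 sendmail[24769]: j23J4ad8024769: from=<nosuchuser@example.com>, size=9106, class=0, nrcpts=20, msgid=<200503031904.j23J4ad8024769@example.com>, proto=SMTP, daemon=MTA, relay=[192.0.2.96]
Mar  3 16:05:10 mx1 milter-sender[27810]: 08810 j23J5bd8024770: MX for <alice@example.com> is this host, skipping
Mar  3 16:05:11 mx1 sendmail[24770]: j23J5bd8024770: from=<alice@example.com>, size=1200, class=0, nrcpts=1, msgid=<x@example.com>, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
"""

SKIP_RE = re.compile(
    r"milter-sender\[\d+\]: \S+ (?P<qid>\w+): "
    r"MX for <(?P<sender>[^>]*)> is this host, skipping")
FROM_RE = re.compile(
    r"sendmail\[\d+\]: (?P<qid>\w+): from=<[^>]*>.*?"
    r"nrcpts=(?P<nrcpts>\d+).*relay=(?P<relay>.*)$")
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]")


def bypassed_from_outside(log_text, trusted_nets=("127.0.0.0/8",)):
    """Return (queue id, sender, nrcpts, relay IP) for every message whose
    sender check was skipped although the relay is outside trusted_nets."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    skipped = {}   # queue id -> sender from the milter-sender skip line
    findings = []
    for line in log_text.splitlines():
        m = SKIP_RE.search(line)
        if m:
            skipped[m["qid"]] = m["sender"]
            continue
        # Assumes the skip line is logged before sendmail's from= line,
        # as in the excerpt quoted in the thread.
        m = FROM_RE.search(line)
        if not m or m["qid"] not in skipped:
            continue
        ip_m = IP_RE.search(m["relay"])
        try:
            ip = ipaddress.ip_address(ip_m[1]) if ip_m else None
        except ValueError:
            ip = None
        # An unparseable relay is reported too, with the raw relay text.
        if ip is None or not any(ip in net for net in nets):
            findings.append((m["qid"], skipped[m["qid"]],
                             int(m["nrcpts"]), str(ip) if ip else m["relay"]))
    return findings


if __name__ == "__main__":
    for row in bypassed_from_outside(SAMPLE_LOG):
        print(row)
```

Pass your own networks in `trusted_nets` so that mail submitted by internal hosts is not reported.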