[Mimedefang] Request for "Trusted Relay" Feature

Rick Mallett rmallett at ccs.carleton.ca
Mon Nov 25 15:16:02 EST 2002


David, 
I was reading through the list archives and I came across the 
following exchange 

  > I'd really prefer to disable the milter for a specific relay address,
  > even if it saves me just a little bit of processor power, it might be
  > enough..

  The proper place to do this would be in the mimedefang C code.  This
  may be a common enough requirement that I'll consider adding it.

I have such a requirement, since I have a mailing list server called
"lists" that posts a weekly newsletter to several thousand subscribers
through the main campus SMTP server, and although it might be possible to
create a different server for this purpose, I'd prefer to simply bypass
mimedefang processing for all messages originating from the "lists"
machine. 

I've already found that placing the following line at the top of
"mfconnect" in "mimedefang.c"

    if (!strcmp(hostname,"lists")) return SMFIS_ACCEPT;

does the trick, but it would be nice if there was a command line
option for specifying a "trusted relay", or alternatively reading the
name(s) of trusted relay(s) from a file at startup, to avoid having to
make source code changes to each new distribution.

In case you might decide to add this feature, I took the liberty of
coding it up, using a file called "trusted-relay" in /etc/mail which
would be expected to contain a one-line regexp which would be matched
against the hostname and also the hostip in case it turned out to be
easier to do it that way for some sites. I don't have a decent test 
environment so I have no idea if the code works, but it does compile
and it's pretty straightforward so I don't expect that there are any
bugs. The changes to mimedefang.c are:

Add the following to the top of the file 

  #include <regexpr.h>

  #define TRUSTED_RELAY CONFDIR "/trusted-relay"

  /* Names of trusted relays */
  static char *trusted_relay = NULL;

Move the hostip determination code up to the top of mfconnect and
check for trusted relays as follows:

    if (trusted_relay && step(hostname,trusted_relay)) 
        return SMFIS_ACCEPT;

    tmp = inet_ntoa(insa->sin_addr);
    if (!tmp) {
      syslog(LOG_WARNING, "inet_ntoa failed: %m");
      mfclose(ctx);
      DEBUG_EXIT("mfconnect", __LINE__, "SMFIS_TEMPFAIL");
      return SMFIS_TEMPFAIL;
    }

    if (trusted_relay && step(tmp,trusted_relay)) 
        return SMFIS_ACCEPT;

Add the following to main (after the code for reading the 
key file) to get/set the regexp of trusted relays 

    /* Read the names of trusted relays */
    fp = fopen(TRUSTED_RELAY, "r");
    if (fp) {
        char pattern[SMALLBUF];
        /* An empty or unreadable file would leave pattern uninitialized */
        if (!fgets(pattern, sizeof(pattern), fp)) {
            fprintf(stderr,
                "ERROR: Unable to read %s\n", TRUSTED_RELAY);
            exit(EXIT_FAILURE);
        }
        fclose(fp);
        chomp(pattern);
        if ((trusted_relay = compile(pattern, NULL, NULL)) == NULL) {
            fprintf(stderr,
                "ERROR: Unable to compile regexp %s\n",pattern);
            exit(EXIT_FAILURE);
        }
    }

Finally, the Makefile has to be adjusted to append "-lgen" to the
make instructions for the mimedefang target.

I realize that the code is incomplete, since some sites may not have
the regexp library, so you would probably need to add IFDEF's around
the code and adjust the autoconf file accordingly.  There would also
be a need to write some documentation and do some testing. However,
I don't think it would take much time, and I do think it would be a
useful feature. 

Not to worry if you don't have time, or if you think it would not
be a good idea, since the one line of code that I have to add now is
a pretty simple fix to my problem.

- rick --
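
An added illustration, not part of the original post or of MIMEDefang: the trusted-relay match written with POSIX regcomp()/regexec() standing in for libgen's compile()/step(), showing that an unanchored one-line pattern accepts more hosts than the one it names, while an anchored, escaped pattern does not. The helper names, patterns, hostnames and addresses are constructed for the example.

```c
/* Added example, not MIMEDefang code. POSIX regcomp()/regexec() stand in for
 * the libgen compile()/step() calls; all names and hosts are constructed. */
#include <regex.h>
#include <stdio.h>

/* Compile the one-line pattern from the trusted-relay file. With anchor != 0
 * the pattern is wrapped as ^(pattern)$ so it must match the whole string. */
static int compile_relay_pattern(regex_t *re, const char *pattern, int anchor)
{
    char buf[512];
    int n = anchor ? snprintf(buf, sizeof(buf), "^(%s)$", pattern)
                   : snprintf(buf, sizeof(buf), "%s", pattern);
    if (n < 0 || (size_t)n >= sizeof(buf))
        return -1;                      /* pattern too long: refuse it */
    return regcomp(re, buf, REG_EXTENDED | REG_NOSUB | REG_ICASE) ? -1 : 0;
}

/* Return 1 if the relay's hostname or IP matches, 0 if not, -1 on a bad
 * pattern. A bad pattern must never be treated as "trusted". */
int relay_is_trusted(const char *pattern, int anchor,
                     const char *hostname, const char *hostip)
{
    regex_t re;
    int hit;
    if (compile_relay_pattern(&re, pattern, anchor) != 0)
        return -1;
    hit = (hostname && regexec(&re, hostname, 0, NULL, 0) == 0) ||
          (hostip && regexec(&re, hostip, 0, NULL, 0) == 0);
    regfree(&re);
    return hit;
}

int main(void)
{
    const char *loose = "lists|192.0.2.1";      /* unanchored, dots unescaped */
    const char *strict = "lists\\.example\\.edu|192\\.0\\.2\\.1";
    /* Constructed connections: the real relay, then look-alikes. */
    printf("%d\n", relay_is_trusted(strict, 1, "lists.example.edu", "192.0.2.1"));
    printf("%d\n", relay_is_trusted(loose, 0, "lists.other.example", "198.51.100.7"));
    printf("%d\n", relay_is_trusted(loose, 0, "mx.other.example", "192.0.2.10"));
    printf("%d\n", relay_is_trusted(strict, 1, "lists.other.example", "192.0.2.10"));
    return 0;
}
```

The hostname a milter receives comes from a reverse lookup of the connecting address, so matching on the IP is the stronger of the two checks.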



