[Mimedefang] Accessing the source/destination port #'s at filter_relay
Philip A. Prindeville
philipp_subx at redfish-solutions.com
Tue May 4 13:40:40 EDT 2010
Decided it was cleaner to use globals than to change the signature
(prototype) of filter_relay() and filter_helo().
Introduced therefore 3 new globals:
$RelayPort
$OurAddr
$OurPort
which are set in the context of both of these hooks.
As a side-effect of introducing these variables, I can make tests now in
filter_relay() like:
    # With no PTR record, sendmail hands the filter the bare address
    # literal "[a.b.c.d]" as the hostname; port 587 clients are exempt.
    if ($hostname eq "[$hostip]" && $OurPort != 587) {
        md_syslog('debug', "no rDNS: reject [$hostip]");
        return ('TEMPFAIL',
                "No rDNS records found; try again when you've properly configured your DNS.");
    }
i.e. require rDNS for relays (but not for clients that are submitting locally).
Another test I can do in filter_helo():
    # lastly, check to see if what he thinks is his address is
    # what we think is his address. Hosts behind natting gateways
    # or that are multi-homed might get this wrong, so don't be
    # surprised if you need to yank this test.
    if ($helo ne "[$hostip]" && $OurPort != 587) {
        md_syslog('debug', "wrong ip: [$hostip] claims to be $helo");
        return ('REJECT',
                "Address forgery attempt, [$hostip] claims to be $helo");
    }
A common attempt to subvert our filters is to either say "HELO
[192.168.x.x]" from outside, or else to say "HELO [66.232.79.143]" which
is of course my own IP address.
Relays should know their own addresses (and indeed, be using names, not
dotted-quads).
Clients, on the other hand, are often laptops or phones in hotspots
behind a NATting Wifi/DSL router, and hence will get this wrong. But
that's ok, since we require authentication on port 587.
Indeed, if you have an iPhone on AT&T's 3G network, you'll have a
10.x.x.x address, but their NATting gateway will *not* rewrite your HELO
string with your public address.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: mimedefang-ports.patch
URL: <https://lists.mimedefang.org/pipermail/mimedefang_lists.mimedefang.org/attachments/20100504/52d05d25/attachment.ksh>