[Mimedefang] Fwd: Re: Accessing the source/destination port #'s at filter_relay

Philip Prindeville philipp_subx at redfish-solutions.com
Thu Sep 30 23:36:56 EDT 2010


So we concluded that Postfix can't generate the queue id early enough to make read_commands_file() work from filter_relay()...

Can we consider my patch as the next best thing?

Thanks.

Oh, for what it's worth, I've been running this in-house for 4 months and it works fine.


-------- Original Message --------
Subject: 	Re: [Mimedefang] Accessing the source/destination port #'s at filter_relay
Date: 	Tue, 04 May 2010 11:40:40 -0600
From: 	Philip A. Prindeville <philipp_subx at redfish-solutions.com>
Reply-To: 	mimedefang at lists.roaringpenguin.com
To: 	mimedefang at lists.roaringpenguin.com



Decided it was cleaner to use globals than to change the signature
(prototype) of filter_relay() and filter_helo().

Introduced therefore 3 new globals:

$RelayPort
$OurAddr
$OurPort

which are set in the context of both of these hooks.

As a side-effect of introducing these variables, I can make tests now in
filter_relay() like:

     # relays (port 25) must have reverse DNS; submission clients (587) are exempt
     if ($hostname eq "[$hostip]" && $OurPort != 587) {
         md_syslog('debug', "no rDNS: reject [$hostip]");
         return ('TEMPFAIL', "No rDNS records found; try again when you've properly configured your DNS.");
     }


i.e. require rDNS for relays (but not for clients that are submitting locally).

Another test I can do in filter_helo():


     use Socket qw(inet_aton INADDR_NONE);   # needed for the address-literal check

     # HELO given as a bracketed dotted-quad address literal, e.g. [192.0.2.1]
     if ($helo =~ /^\[(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\]$/) {
         my $inet = inet_aton($1);

         # check for a valid dotted-quad.
         # use the same error message as above... don't make it too easy
         # to guess what our checks are.
         if (!defined($inet) || $inet eq INADDR_NONE) {
             md_syslog('debug', "badquad: $helo ($hostname [$hostip])");
             return ('REJECT', "Incorrect format for address-literal");
         }
...

         # lastly, check to see if what he thinks is his address is
         # what we think is his address.  Hosts behind NATting gateways
         # or that are multi-homed might get this wrong, so don't be
         # surprised if you need to yank this test.
         if ($helo ne "[$hostip]" && $OurPort != 587) {
             md_syslog('debug', "wrong ip: [$hostip] claims to be $helo");
             return ('REJECT',
                     "Address forgery attempt, [$hostip] claims to be $helo");
         }

         # we could do more tests...  For instance, only allow
         # bracketed quads for local connections...

         return ('CONTINUE', "OK");
     }



A common attempt to subvert our filters is to either say "HELO
[192.168.x.x]" from outside, or else to say "HELO [66.232.79.143]" which
is of course my own IP address.

Relays should know their own addresses (and indeed, be using names, not
dotted-quads).

Clients, on the other hand, are often laptops or phones in hotspots
behind a NATting Wifi/DSL router, and hence will get this wrong.  But
that's ok, since we require authentication on port 587.

Indeed, if you have an iPhone on AT&T's 3G network, you'll have a
10.x.x.x address, but their NATting gateway will *not* rewrite your HELO
string with your public address.


-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: mimedefang-ports.patch
URL: <https://lists.mimedefang.org/pipermail/mimedefang_lists.mimedefang.org/attachments/20100930/8d9fd99f/attachment.ksh>
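Added example, not code from the patch or from MIMEDefang itself: the HELO address-literal tests described in the message as a standalone Perl function (the name check_helo_literal and the sample connections are assumptions) that can be run outside the milter. It uses Socket::inet_pton rather than inet_aton so that a malformed quad fails without a DNS fallback, and treats port 587 as the authenticated submission port, as the post does.

```perl
#!/usr/bin/perl
# Standalone version of the filter_helo() address-literal checks.
# Assumed inputs: the HELO string, the connecting IP that MIMEDefang
# exposes as $hostip, and the local port the patch exposes as $OurPort.
use strict;
use warnings;
use Socket qw(AF_INET inet_pton inet_ntop);

use constant SUBMISSION_PORT => 587;   # authenticated clients, as in the post

# Returns (verdict, message) using the same verdicts filter_helo() returns.
sub check_helo_literal {
    my ($helo, $hostip, $our_port) = @_;

    # Only bracketed address literals are examined here; names pass through.
    return ('CONTINUE', 'OK') unless $helo =~ /^\[(.*)\]$/;
    my $literal = $1;

    # inet_pton is strictly numeric: unlike inet_aton it never falls back
    # to a name lookup, so "999.1.1.1" or "[mail.example]" fail right here.
    # The ntop round-trip also rejects non-canonical forms such as "01.2.3.4".
    my $packed = inet_pton(AF_INET, $literal);
    if (!defined $packed || inet_ntop(AF_INET, $packed) ne $literal) {
        return ('REJECT', 'Incorrect format for address-literal');
    }

    # Submission clients are authenticated and often sit behind NAT, so
    # their claimed address is not compared with the connecting one.
    return ('CONTINUE', 'OK') if $our_port == SUBMISSION_PORT;

    # Relays on port 25 must announce the address they really connect from.
    # This catches a private 192.168.x.x literal sent from outside as well
    # as a literal that names this server's own address.
    if ($literal ne $hostip) {
        return ('REJECT',
                "Address forgery attempt, [$hostip] claims to be $helo");
    }
    return ('CONTINUE', 'OK');
}

# Constructed sample connections: (HELO, connecting IP, local port).
for my $case (['[203.0.113.9]',  '203.0.113.9',  25],   # honest relay
              ['[192.168.1.20]', '203.0.113.9',  25],   # private literal from outside
              ['[203.0.113.9]',  '198.51.100.7', 25],   # claims another host's address
              ['[999.1.1.1]',    '203.0.113.9',  25],   # malformed quad
              ['[10.20.30.40]',  '198.51.100.7', 587])  # NATted submission client
{
    my ($verdict, $msg) = check_helo_literal(@$case);
    printf "%-16s from %-14s port %-3d => %s (%s)\n", @$case, $verdict, $msg;
}
```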