author | gilles <gilles@openbsd.org> | 2020-01-08 01:41:11 +0000 |
---|---|---|
committer | gilles <gilles@openbsd.org> | 2020-01-08 01:41:11 +0000 |
commit | bdf9247d5599b621ad765bb3e5badebd06af110d (patch) | |
tree | f8fcf6a0339763115c123b885e09098214a63eab /usr.sbin/smtpd | |
parent | enable builtin filtering for commit phase (diff) | |
download | wireguard-openbsd-bdf9247d5599b621ad765bb3e5badebd06af110d.tar.xz wireguard-openbsd-bdf9247d5599b621ad765bb3e5badebd06af110d.zip |
allow using the session username in builtin filters when available
Diffstat (limited to 'usr.sbin/smtpd')
-rw-r--r-- | usr.sbin/smtpd/lka_filter.c | 56 | ||||
-rw-r--r-- | usr.sbin/smtpd/parse.y | 47 | ||||
-rw-r--r-- | usr.sbin/smtpd/smtpd.conf.5 | 10 | ||||
-rw-r--r-- | usr.sbin/smtpd/smtpd.h | 11 |
4 files changed, 116 insertions, 8 deletions
diff --git a/usr.sbin/smtpd/lka_filter.c b/usr.sbin/smtpd/lka_filter.c
index fc85192848a..9141c39f040 100644
--- a/usr.sbin/smtpd/lka_filter.c
+++ b/usr.sbin/smtpd/lka_filter.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: lka_filter.c,v 1.59 2020/01/08 00:33:29 gilles Exp $ */
+/* $OpenBSD: lka_filter.c,v 1.60 2020/01/08 01:41:11 gilles Exp $ */
 /*
  * Copyright (c) 2018 Gilles Chehade <gilles@poolp.org>
@@ -80,6 +80,7 @@ struct filter_session {
 int fcrdns;
 char *helo;
+ char *username;
 char *mail_from;
 enum filter_phase phase;
@@ -530,6 +531,7 @@ lka_filter_end(uint64_t reqid)
 free(fs->rdns);
 free(fs->helo);
 free(fs->mail_from);
+ free(fs->username);
 free(fs->lastparam);
 free(fs);
 log_trace(TRACE_FILTERS, "%016"PRIx64" filters session-end", reqid);
@@ -886,7 +888,6 @@ filter_protocol(uint64_t reqid, enum filter_phase phase, const char *param)
 param = nparam;
 break;
 case FILTER_STARTTLS:
- case FILTER_AUTH:
 /* TBD */
 break;
 default:
@@ -1110,6 +1111,47 @@ filter_check_helo_regex(struct filter *filter, const char *key)
 }
 static int
+filter_check_auth(struct filter *filter, const char *username)
+{
+ int ret = 0;
+
+ if (!filter->config->auth)
+ return 0;
+
+ ret = username ? 1 : 0;
+
+ return filter->config->not_auth < 0 ? !ret : ret;
+}
+
+static int
+filter_check_auth_table(struct filter *filter, enum table_service kind, const char *key)
+{
+ int ret = 0;
+
+ if (filter->config->auth_table == NULL)
+ return 0;
+
+ if (key && table_match(filter->config->auth_table, kind, key) > 0)
+ ret = 1;
+
+ return filter->config->not_auth_table < 0 ? !ret : ret;
+}
+
+static int
+filter_check_auth_regex(struct filter *filter, const char *key)
+{
+ int ret = 0;
+
+ if (filter->config->auth_regex == NULL)
+ return 0;
+
+ if (key && table_match(filter->config->auth_regex, K_REGEX, key) > 0)
+ ret = 1;
+ return filter->config->not_auth_regex < 0 ? !ret : ret;
+}
+
+
+static int
 filter_check_mail_from_table(struct filter *filter, enum table_service kind, const char *key)
 {
 int ret = 0;
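Review bot: The three filter_check_auth* helpers added in the @@ -1110 hunk carry no comment on the convention they share with their helo/mail_from siblings: the `not_*` field is 0 when the condition is absent, 1 for a plain match and -1 for a negated one, and a NULL `username` counts as no match before negation is applied, so a negated `auth` condition matches sessions that have not authenticated. A short comment above filter_check_auth, e.g. `/* auth conditions: not_* is 0 (absent), 1 (match) or -1 (negated); username is presumably NULL until link-auth reports a pass */`, would spare the next reader re-deriving that from parse.y and lka_report_smtp_link_auth. As a point of style, filter_check_auth_regex drops the blank line its two siblings keep before the final `return`, and is followed by two blank lines where the file otherwise uses one.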
@@ -1211,6 +1253,10 @@ filter_builtins_global(struct filter_session *fs, struct filter *filter, uint64_
 filter_check_src_regex(filter, ss_to_text(&fs->ss_src)) ||
 filter_check_helo_table(filter, K_DOMAIN, fs->helo) ||
 filter_check_helo_regex(filter, fs->helo) ||
+ filter_check_auth(filter, fs->username) ||
+ filter_check_auth_table(filter, K_STRING, fs->username) ||
+ filter_check_auth_table(filter, K_CREDENTIALS, fs->username) ||
+ filter_check_auth_regex(filter, fs->username) ||
 filter_check_mail_from_table(filter, K_MAILADDR, fs->mail_from) ||
 filter_check_mail_from_regex(filter, fs->mail_from);
 }
@@ -1424,6 +1470,12 @@ void
 lka_report_smtp_link_auth(const char *direction, struct timeval *tv, uint64_t reqid,
 const char *username, const char *result)
 {
+ struct filter_session *fs;
+
+ if (strcmp(result, "pass") == 0) {
+ fs = tree_xget(&sessions, reqid);
+ fs->username = xstrdup(username);
+ }
 report_smtp_broadcast(reqid, direction, tv, "link-auth", "%s|%s\n",
 username, result);
 }
diff --git a/usr.sbin/smtpd/parse.y b/usr.sbin/smtpd/parse.y
index 41f98ed05cd..ef332a7fc61 100644
--- a/usr.sbin/smtpd/parse.y
+++ b/usr.sbin/smtpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.272 2019/12/21 11:07:38 gilles Exp $ */
+/* $OpenBSD: parse.y,v 1.273 2020/01/08 01:41:11 gilles Exp $ */
 /*
  * Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -1599,6 +1599,25 @@ negation HELO REGEX tables {
 }
 ;
+filter_phase_check_auth:
+negation AUTH {
+ filter_config->not_auth = $1 ? -1 : 1;
+ filter_config->auth = 1;
+}
+;
+filter_phase_check_auth_table:
+negation AUTH tables {
+ filter_config->not_auth_table = $1 ? -1 : 1;
+ filter_config->auth_table = $3;
+}
+;
+filter_phase_check_auth_regex:
+negation AUTH REGEX tables {
+ filter_config->not_auth_regex = $1 ? -1 : 1;
+ filter_config->auth_regex = $4;
+}
+;
+
 filter_phase_check_mail_from_table:
 negation MAIL_FROM tables {
 filter_config->not_mail_from_table = $1 ? -1 : 1;
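Review bot: In the @@ -1424 hunk, `fs->username = xstrdup(username);` overwrites any value already stored without releasing it, so a session that completes AUTH successfully more than once leaks the earlier copy; `free(fs->username); fs->username = xstrdup(username);` keeps the new name and avoids the leak, since the field is freed in lka_filter_end anyway. The assignment also relies on `username` being non-NULL whenever `result` is "pass", which is not checked here and is presumably guaranteed by the caller of the link-auth report. tree_xget() will abort on a reqid with no session, which looks intended for a live session but is worth confirming against the report path's ordering relative to lka_filter_begin/lka_filter_end, both of which are outside these hunks.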
@@ -1641,9 +1660,20 @@ filter_phase_check_helo_table |
 filter_phase_check_helo_regex |
 filter_phase_global_options;
+filter_phase_auth_options:
+filter_phase_check_helo_table |
+filter_phase_check_helo_regex |
+filter_phase_check_auth |
+filter_phase_check_auth_table |
+filter_phase_check_auth_regex |
+filter_phase_global_options;
+
 filter_phase_mail_from_options:
 filter_phase_check_helo_table |
 filter_phase_check_helo_regex |
+filter_phase_check_auth |
+filter_phase_check_auth_table |
+filter_phase_check_auth_regex |
 filter_phase_check_mail_from_table |
 filter_phase_check_mail_from_regex |
 filter_phase_global_options;
@@ -1651,6 +1681,9 @@ filter_phase_global_options;
 filter_phase_rcpt_to_options:
 filter_phase_check_helo_table |
 filter_phase_check_helo_regex |
+filter_phase_check_auth |
+filter_phase_check_auth_table |
+filter_phase_check_auth_regex |
 filter_phase_check_mail_from_table |
 filter_phase_check_mail_from_regex |
 filter_phase_check_rcpt_to_table |
@@ -1660,6 +1693,9 @@ filter_phase_global_options;
 filter_phase_data_options:
 filter_phase_check_helo_table |
 filter_phase_check_helo_regex |
+filter_phase_check_auth |
+filter_phase_check_auth_table |
+filter_phase_check_auth_regex |
 filter_phase_check_mail_from_table |
 filter_phase_check_mail_from_regex |
 filter_phase_global_options;
@@ -1684,6 +1720,9 @@ filter_phase_global_options;
 filter_phase_commit_options:
 filter_phase_check_helo_table |
 filter_phase_check_helo_regex |
+filter_phase_check_auth |
+filter_phase_check_auth_table |
+filter_phase_check_auth_regex |
 filter_phase_check_mail_from_table |
 filter_phase_check_mail_from_regex |
 filter_phase_global_options;
@@ -1708,6 +1747,11 @@ EHLO {
 } MATCH filter_phase_helo_options filter_action_builtin
 ;
+filter_phase_auth:
+AUTH {
+} MATCH filter_phase_auth_options filter_action_builtin
+;
+
 filter_phase_mail_from:
 MAIL_FROM {
 filter_config->phase = FILTER_MAIL_FROM;
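Review bot: The new `filter_phase_auth` rule in the @@ -1708 hunk leaves the `AUTH { }` action empty, while the neighbouring `MAIL_FROM { }` action (and, from its context line, the EHLO one) assigns `filter_config->phase`. Unless the phase is set somewhere outside these hunks, a builtin filter declared on the auth phase is registered with whatever phase value `filter_config` already holds, so its checks would not run at the AUTH step and could be evaluated at a different point of the session instead — a rule meant to reject unauthenticated or unknown users would silently not apply where the operator expects it. The fix is the one-line action `filter_config->phase = FILTER_AUTH;`, the enum value the lka_filter.c @@ -886 hunk already refers to.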
@@ -1764,6 +1808,7 @@ filter_phase:
 filter_phase_connect
 | filter_phase_helo
 | filter_phase_ehlo
+| filter_phase_auth
 | filter_phase_mail_from
 | filter_phase_rcpt_to
 | filter_phase_data
diff --git a/usr.sbin/smtpd/smtpd.conf.5 b/usr.sbin/smtpd/smtpd.conf.5
index 74f3ca6e4a5..d6d40c99448 100644
--- a/usr.sbin/smtpd/smtpd.conf.5
+++ b/usr.sbin/smtpd/smtpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: smtpd.conf.5,v 1.246 2019/12/19 13:34:45 jmc Exp $
+.\" $OpenBSD: smtpd.conf.5,v 1.247 2020/01/08 01:41:11 gilles Exp $
 .\"
 .\" Copyright (c) 2008 Janne Johansson <jj@openbsd.org>
 .\" Copyright (c) 2009 Jacek Masiulaniec <jacekm@dobremiasto.net>
@@ -17,7 +17,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
 .\"
-.Dd $Mdocdate: December 19 2019 $
+.Dd $Mdocdate: January 8 2020 $
 .Dt SMTPD.CONF 5
 .Os
 .Sh NAME
@@ -979,8 +979,10 @@ but other data must have been already submitted before they are available.
 .It rdns Pf < Ar table Ns > Ta session has a reverse DNS in table
 .It src Pf < Ar table Ns > Ta source address is in table
 .It helo Pf < Ar table Ns > Ta helo name is in table
-.It mail-from Pf < Ar table Ns > Ta sender address is in table
-.It rcpt-to Pf < Ar table Ns > Ta recipient address is in table
+.It auth Ta session is authenticated
+.It auth Pf < Ar table Ns > Ta session username is in table
+.It mail-from Pf < Ar table Ns > Ta sender address is in table
+.It rcpt-to Pf < Ar table Ns > Ta recipient address is in table
 .El
 .Pp
 These conditions may all be negated by prefixing them with an exclamation mark:
diff --git a/usr.sbin/smtpd/smtpd.h b/usr.sbin/smtpd/smtpd.h
index 7e59d4d32b2..b1a90d375fe 100644
--- a/usr.sbin/smtpd/smtpd.h
+++ b/usr.sbin/smtpd/smtpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: smtpd.h,v 1.649 2019/12/21 10:40:20 gilles Exp $ */
+/* $OpenBSD: smtpd.h,v 1.650 2020/01/08 01:41:11 gilles Exp $ */
 /*
  * Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -1093,6 +1093,15 @@ struct filter_config {
 int8_t not_helo_regex;
 struct table *helo_regex;
+ int8_t not_auth;
+ int8_t auth;
+
+ int8_t not_auth_table;
+ struct table *auth_table;
+
+ int8_t not_auth_regex;
+ struct table *auth_regex;
+
 int8_t not_mail_from_table;
 struct table *mail_from_table; |
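Review bot: The new `int8_t auth;` field in struct filter_config has no comment, and unlike every neighbouring `not_*` field it is not paired with a table pointer, so its role is not obvious from the declaration: parse.y sets it to 1 when a bare `auth` condition is parsed, with `not_auth` carrying the negation as -1 or 1, and lka_filter.c uses it only as a presence flag. A trailing comment such as `int8_t auth; /* bare "auth" condition present (no table) */` would make the trio readable alongside `auth_table` and `auth_regex`. struct filter_config itself starts and ends outside the hunk.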