Merge remote branch 'origin/master' into godsflaw

baudehlo · Feb 24, 2012 · 0e053b8 · 0e053b8
2 parents 319e47e + 58eae88
commit 0e053b8
Show file tree

Hide file tree

Showing 18 changed files with 357 additions and 11 deletions.
diff --git a/config/mail_from.access.blacklist b/config/mail_from.access.blacklist
@@ -0,0 +1 @@
+# addresses are matched exactly as written on each line.
diff --git a/config/mail_from.access.blacklist_regex b/config/mail_from.access.blacklist_regex
@@ -0,0 +1,5 @@
+# Does the same thing as the blacklist file, but each line is a regex.
+# Each line is also anchored for you, meaning '^' + regex + '$' is added for
+# you.  If you need to get around this restriction, you may use a '.*' at
+# either the start or the end of your regex.  This should help prevent people
+# from writing overly permissive rules on accident.
diff --git a/config/mail_from.access.ini b/config/mail_from.access.ini
@@ -0,0 +1,2 @@
+[general]
+deny_msg=bad sender address.
diff --git a/config/mail_from.access.whitelist b/config/mail_from.access.whitelist
@@ -0,0 +1 @@
+# Hostnames and IPs are matched exactly as written on each line.
diff --git a/config/mail_from.access.whitelist_regex b/config/mail_from.access.whitelist_regex
@@ -0,0 +1,5 @@
+# Does the same thing as the whitelist file, but each line is a regex.
+# Each line is also anchored for you, meaning '^' + regex + '$' is added for
+# you.  If you need to get around this restriction, you may use a '.*' at
+# either the start or the end of your regex.  This should help prevent people
+# from writing overly permissive rules on accident.
diff --git a/config/rcpt_to.access.blacklist b/config/rcpt_to.access.blacklist
@@ -0,0 +1 @@
+# addresses are matched exactly as written on each line.
diff --git a/config/rcpt_to.access.blacklist_regex b/config/rcpt_to.access.blacklist_regex
@@ -0,0 +1,5 @@
+# Does the same thing as the blacklist file, but each line is a regex.
+# Each line is also anchored for you, meaning '^' + regex + '$' is added for
+# you.  If you need to get around this restriction, you may use a '.*' at
+# either the start or the end of your regex.  This should help prevent people
+# from writing overly permissive rules on accident.
diff --git a/config/rcpt_to.access.ini b/config/rcpt_to.access.ini
@@ -0,0 +1,2 @@
+[general]
+deny_msg=bad recipient address.
diff --git a/config/rcpt_to.access.whitelist b/config/rcpt_to.access.whitelist
@@ -0,0 +1 @@
+# addresses are matched exactly as written on each line.
diff --git a/config/rcpt_to.access.whitelist_regex b/config/rcpt_to.access.whitelist_regex
@@ -0,0 +1,5 @@
+# Does the same thing as the whitelist file, but each line is a regex.
+# Each line is also anchored for you, meaning '^' + regex + '$' is added for
+# you.  If you need to get around this restriction, you may use a '.*' at
+# either the start or the end of your regex.  This should help prevent people
+# from writing overly permissive rules on accident.
diff --git a/docs/plugins/mail_from.access.md b/docs/plugins/mail_from.access.md
@@ -0,0 +1,54 @@
+mail_from.access
+===================
+
+This plugin will evaluate the address against a set of white and black lists.
+The lists are applied in the following way:
+
+mail_from.access.whitelist         (pass)
+mail_from.access.whitelist_regex   (pass)
+mail_from.access.blacklist         (block)
+mail_from.access.blacklist_regex   (block)
+
+Configuration mail_from.access.ini
+-------------------------------------
+
+General configuration file for this plugin.
+
+* mail_from.access.general.deny_msg
+
+  Text to send the user on reject (text).
+
+
+Configuration mail_from.access.whitelist
+-------------------------------------------
+
+The whitelist is mostly to counter blacklist entries that match more than
+what one would want.  This file should be used for a specific address,
+one per line, that should bypass blacklist checks.
+NOTE: We heavily suggest tailoring blacklist entries to be as accurate as
+possible and never using whitelists.  Nevertheless, if you need whitelists,
+here they are.
+
+Configuration mail_from.access.whitelist_regex
+-------------------------------------------------
+
+Does the same thing as the whitelist file, but each line is a regex.
+Each line is also anchored for you, meaning '^' + regex + '$' is added for
+you.  If you need to get around this restriction, you may use a '.*' at
+either the start or the end of your regex.  This should help prevent people
+from writing overly permissive rules on accident.
+
+Configuration mail_from.access.blacklist
+-------------------------------------------
+
+This file should be used for a specific address, one per line, that should
+fail on connect.
+
+Configuration mail_from.access.blacklist_regex
+-------------------------------------------------
+
+Does the same thing as the blacklist file, but each line is a regex.
+Each line is also anchored for you, meaning '^' + regex + '$' is added for
+you.  If you need to get around this restriction, you may use a '.*' at
+either the start or the end of your regex.  This should help prevent people
+from writing overly permissive rules on accident.
diff --git a/docs/plugins/mail_from.blocklist.md b/docs/plugins/mail_from.blocklist.md
@@ -1,7 +1,11 @@
 mail_from.blocklist
 ===================
 
-This mail blocks MAIL_FROM addresses in a list.
+This plugin blocks MAIL_FROM addresses in a list.
+
+NOTE: If all you need is to deny mail based on the exact address, this plugin
+will work just fine. If you want to customize the deny message, add blocks
+based on a regex, or add whitelists, please use the mail_from.access plugin.
 
 Configuration
 -------------

diff --git a/docs/plugins/rcpt_to.access.md b/docs/plugins/rcpt_to.access.md
@@ -0,0 +1,54 @@
+rcpt_to.access
+===================
+
+This plugin blocks RCPT_TO addresses in a list or regex.
+This plugin will evaluate the RCPT_TO address against a set of white and black
+lists.  The lists are applied in the following way:
+
+rcpt_to.access.whitelist         (pass)
+rcpt_to.access.whitelist_regex   (pass)
+rcpt_to.access.blacklist         (block)
+rcpt_to.access.blacklist_regex   (block)
+
+Configuration rcpt_to.access.ini
+-------------------------------------
+
+General configuration file for this plugin.
+
+* rcpt_to.access.general.deny_msg
+
+  Text to send the user on reject (text).
+
+Configuration rcpt_to.access.whitelist
+-------------------------------------------
+
+The whitelist is mostly to counter blacklist entries that match more than
+what one would want.  This file should be used for a specific address
+one per line, that should bypass blacklist checks.
+NOTE: We heavily suggest tailoring blacklist entries to be as accurate as
+possible and never using whitelists.  Nevertheless, if you need whitelists,
+here they are.
+
+Configuration rcpt_to.access.whitelist_regex
+-------------------------------------------------
+
+Does the same thing as the whitelist file, but each line is a regex.
+Each line is also anchored for you, meaning '^' + regex + '$' is added for
+you.  If you need to get around this restriction, you may use a '.*' at
+either the start or the end of your regex.  This should help prevent people
+from writing overly permissive rules on accident.
+
+Configuration rcpt_to.access.blacklist
+-------------------------------------------
+
+This file should be used for a specific address, one per line, that should
+fail on connect.
+
+Configuration rcpt_to.access.blacklist_regex
+-------------------------------------------------
+
+Does the same thing as the blacklist file, but each line is a regex.
+Each line is also anchored for you, meaning '^' + regex + '$' is added for
+you.  If you need to get around this restriction, you may use a '.*' at
+either the start or the end of your regex.  This should help prevent people
+from writing overly permissive rules on accident.
diff --git a/docs/plugins/rcpt_to.blocklist.md b/docs/plugins/rcpt_to.blocklist.md
@@ -1,7 +1,11 @@
 rcpt_to.blocklist
 ===================
 
-This mail blocks RCPT_TO addresses in a list.
+This plugin blocks RCPT_TO addresses in a list.
+
+NOTE: If all you need is to deny mail based on the exact address, this plugin
+will work just fine.  If you want to customize the deny message, add blocks
+based on a regex, or add whitelists, please use the rcpt_to.access plugin.
 
 Configuration
 -------------

diff --git a/plugins/connect.rdns_access.js b/plugins/connect.rdns_access.js
@@ -54,9 +54,10 @@ exports.rdns_access = function(next, connection) {
             ' against connect.rdns_access.blacklist');
 
         if (_in_blacklist(connection, plugin, connection.remote_ip)) {
-            connection.logdebug(plugin, "Rejecting, matched: " + connection.remote_ip);
-            return next(DENY, connection.remote_host.toLowerCase() + ' [' +
-                connection.remote_ip + '] ' + plugin.deny_msg);
+            connection.logdebug(plugin, "Rejecting, matched: " +
+                connection.remote_ip);
+            return next(DENYDISCONNECT, connection.remote_host.toLowerCase() +
+                ' [' + connection.remote_ip + '] ' + plugin.deny_msg);
         }
     }
 
@@ -66,9 +67,10 @@ exports.rdns_access = function(next, connection) {
             ' against connect.rdns_access.blacklist');
 
         if (_in_blacklist(connection, plugin, connection.remote_host.toLowerCase())) {
-            connection.logdebug(plugin, "Rejecting, matched: " + connection.remote_host);
-            return next(DENY, connection.remote_host.toLowerCase() + ' [' +
-                connection.remote_ip + '] ' + plugin.deny_msg);
+            connection.logdebug(plugin, "Rejecting, matched: " +
+               connection.remote_host);
+            return next(DENYDISCONNECT, connection.remote_host.toLowerCase() +
+                ' [' + connection.remote_ip + '] ' + plugin.deny_msg);
         }
     }
 
@@ -78,7 +80,8 @@ exports.rdns_access = function(next, connection) {
 function _in_whitelist(connection, plugin, host) {
     var i;
     for (i in plugin.wl) {
-        connection.logdebug(plugin, 'checking ' + host + ' against ' + plugin.wl[i]);
+        connection.logdebug(plugin, 'checking ' + host + ' against ' +
+            plugin.wl[i]);
 
         if (plugin.wl[i].toLowerCase() === host) {
             return 1;
@@ -100,7 +103,8 @@ function _in_whitelist(connection, plugin, host) {
 function _in_blacklist(connection, plugin, host) {
     var i;
     for (i in plugin.bl) {
-        connection.logdebug(plugin, 'checking ' + host + ' against ' + plugin.bl[i]);
+        connection.logdebug(plugin, 'checking ' + host + ' against ' +
+            plugin.bl[i]);
 
         if (plugin.bl[i].toLowerCase() === host) {
             return 1;

diff --git a/plugins/mail_from.access.js b/plugins/mail_from.access.js
@@ -0,0 +1,99 @@
+// mail_from.access plugin
+
+exports.register = function() {
+    var i;
+    var config = this.config.get('mail_from.access.ini');
+    this.wl = this.config.get('mail_from.access.whitelist', 'list');
+    this.bl = this.config.get('mail_from.access.blacklist', 'list');
+    this.deny_msg = config.general && (config.general['deny_msg'] ||
+        'Connection rejected.');
+    var white_regex =
+        this.config.get('mail_from.access.whitelist_regex', 'list');
+    var black_regex =
+        this.config.get('mail_from.access.blacklist_regex', 'list');
+
+    if (white_regex.length) {
+        this.wlregex = new RegExp('^(?:' + white_regex.join('|') + ')$', 'i');
+    }
+
+    if (black_regex.length) {
+        this.blregex = new RegExp('^(?:' + black_regex.join('|') + ')$', 'i');
+    }
+
+    this.register_hook('mail', 'mail_from_access');
+}
+
+exports.mail_from_access = function(next, connection, params) {
+    var plugin = this;
+    var mail_from = params[0].address();
+
+    // address whitelist checks
+    if (mail_from) {
+        connection.logdebug(plugin, 'checking ' + mail_from +
+            ' against mail_from.access.whitelist');
+
+        if (_in_whitelist(connection, plugin, mail_from)) {
+            connection.logdebug(plugin, "Allowing " + mail_from);
+            return next();
+        }
+    }
+
+    // address blacklist checks
+    if (mail_from) {
+        connection.logdebug(plugin, 'checking ' + mail_from +
+            ' against mail_from.access.blacklist');
+
+        if (_in_blacklist(connection, plugin, mail_from)) {
+            connection.logdebug(plugin, "Rejecting, matched: " + mail_from);
+            return next(DENY, mail_from + ' ' + plugin.deny_msg);
+        }
+    }
+
+    return next();
+}
+
+function _in_whitelist(connection, plugin, address) {
+    var i;
+    for (i in plugin.wl) {
+        connection.logdebug(plugin, 'checking ' + address + ' against ' +
+            plugin.wl[i]);
+
+        if (plugin.wl[i] === address) {
+            return 1;
+        }
+    }
+
+    if (plugin.wlregex) {
+        connection.logdebug(plugin, 'checking ' + address + ' against ' +
+            plugin.wlregex.source);
+
+        if (address.match(plugin.wlregex)) {
+            return 1;
+        }
+    }
+
+    return 0;
+}
+
+function _in_blacklist(connection, plugin, address) {
+    var i;
+    for (i in plugin.bl) {
+        connection.logdebug(plugin, 'checking ' + address + ' against ' +
+            plugin.bl[i]);
+
+        if (plugin.bl[i] === address) {
+            return 1;
+        }
+    }
+
+    if (plugin.blregex) {
+        connection.logdebug(plugin, 'checking ' + address + ' against ' +
+            plugin.blregex.source);
+
+        if (address.match(plugin.blregex)) {
+            return 1;
+        }
+    }
+
+    return 0;
+}
diff --git a/plugins/mail_from.is_resolvable.js b/plugins/mail_from.is_resolvable.js
@@ -64,7 +64,7 @@ exports.hook_mail = function(next, connection, params) {
                 // Handle MX records that are IP addresses
                 // This is invalid - but a lot of MTAs allow it.
                 if (/^\d+\.\d+\.\d+\.\d+$/.test(addr.exchange)) {
-                   connection.logwarn(plugin, domain + ': invalid MX ' + addr.exchange)
+                   connection.logwarn(plugin, domain + ': invalid MX ' + addr.exchange);
                    if (config.main.allow_mx_ip) {
                        a_records[addr.exchange] = 1;
                    }