Reject non-empty DNSBL results by default

icgood · May 21, 2021 · a58db80 · a58db80
1 parent 180ad65
commit a58db80
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 3 deletions.
diff --git a/pymap/config.py b/pymap/config.py
@@ -102,6 +102,7 @@ class IMAPConfig(metaclass=ABCMeta):
         preauth_credentials: If given, clients will pre-authenticate on
             connection using these credentials.
         proxy_protocol: The PROXY protocol implementation to use.
+        reject_dnsbl: Reject connections with a non-empty DNSBL result.
         max_append_len: The maximum allowed length of the message body to an
             ``APPEND`` command.
         bad_command_limit: The number of consecutive commands received from
@@ -124,6 +125,7 @@ def __init__(self, args: Namespace, *,
                  secure_auth: bool = True,
                  preauth_credentials: AuthenticationCredentials = None,
                  proxy_protocol: ProxyProtocol = None,
+                 reject_dnsbl: bool = True,
                  admin_key: bytes = None,
                  hash_context: HashInterface = None,
                  cpu_subsystem: Subsystem = None,
@@ -145,6 +147,7 @@ def __init__(self, args: Namespace, *,
             get_hash(passlib_config=args.passlib_cfg)
         self.cpu_subsystem: Final = cpu_subsystem or \
             self._get_cpu_subsystem()
+        self.reject_dnsbl: Final = reject_dnsbl
         self._ssl_context = ssl_context or self._load_certs(extra)
         self._tls_enabled = tls_enabled
         self._preauth_credentials = preauth_credentials

diff --git a/pymap/imap/state.py b/pymap/imap/state.py
@@ -8,7 +8,8 @@
 from pymap.concurrent import Event
 from pymap.config import IMAPConfig
 from pymap.context import socket_info, connection_exit
-from pymap.exceptions import NotSupportedError, CloseConnection
+from pymap.exceptions import NotAllowedError, NotSupportedError, \
+    CloseConnection
 from pymap.fetch import MessageAttributes
 from pymap.interfaces.login import LoginInterface
 from pymap.interfaces.session import SessionInterface
@@ -101,10 +102,13 @@ async def _login(self, creds: AuthenticationCredentials) \
         return await stack.enter_async_context(identity.new_session())
 
     async def do_greeting(self) -> CommandResponse:
+        sock_info = socket_info.get()
+        if self.config.reject_dnsbl and sock_info.dnsbl is not None:
+            raise NotAllowedError(f'Connection rejected: {sock_info.dnsbl}')
         preauth_creds = self.config.preauth_credentials
         if preauth_creds:
             self._session = await self._login(preauth_creds)
-        elif socket_info.get().from_localhost:
+        elif sock_info.from_localhost:
             self.auth = self.config.tls_auth
         resp_cls = ResponsePreAuth if preauth_creds else ResponseOk
         return resp_cls(b'*', self.config.greeting, self.capability)

diff --git a/setup.py b/setup.py
@@ -50,7 +50,7 @@
       packages=find_packages(),
       install_requires=[
           'pysasl ~= 0.8.0',
-          'proxy-protocol ~= 0.6.0'],
+          'proxy-protocol ~= 0.7.0'],
       extras_require={
           'admin': ['pymap-admin ~= 0.7.0', 'googleapis-common-protos'],
           'macaroon': ['pymacaroons'],