File: | src/libexec/spamd/spamd.c |
Warning: | line 1061, column 12 Null pointer passed as 1st argument to string length function |
Press '?' to see keyboard shortcuts
Keyboard shortcuts:
1 | /* $OpenBSD: spamd.c,v 1.161 2023/09/05 16:01:58 jca Exp $ */ | |||
2 | ||||
3 | /* | |||
4 | * Copyright (c) 2015 Henning Brauer <henning@openbsd.org> | |||
5 | * Copyright (c) 2002-2007 Bob Beck. All rights reserved. | |||
6 | * Copyright (c) 2002 Theo de Raadt. All rights reserved. | |||
7 | * | |||
8 | * Permission to use, copy, modify, and distribute this software for any | |||
9 | * purpose with or without fee is hereby granted, provided that the above | |||
10 | * copyright notice and this permission notice appear in all copies. | |||
11 | * | |||
12 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES | |||
13 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF | |||
14 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR | |||
15 | * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES | |||
16 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN | |||
17 | * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF | |||
18 | * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. | |||
19 | */ | |||
20 | ||||
21 | #include <sys/types.h> | |||
22 | #include <sys/socket.h> | |||
23 | #include <sys/sysctl.h> | |||
24 | #include <sys/resource.h> | |||
25 | #include <sys/signal.h> | |||
26 | #include <sys/stat.h> | |||
27 | ||||
28 | #include <netinet/in.h> | |||
29 | #include <arpa/inet.h> | |||
30 | ||||
31 | #include <err.h> | |||
32 | #include <errno(*__errno()).h> | |||
33 | #include <fcntl.h> | |||
34 | #include <limits.h> | |||
35 | #include <poll.h> | |||
36 | #include <pwd.h> | |||
37 | #include <stdio.h> | |||
38 | #include <stdlib.h> | |||
39 | #include <string.h> | |||
40 | #include <syslog.h> | |||
41 | #include <unistd.h> | |||
42 | #include <tls.h> | |||
43 | ||||
44 | #include <netdb.h> | |||
45 | ||||
46 | #include "sdl.h" | |||
47 | #include "grey.h" | |||
48 | #include "sync.h" | |||
49 | ||||
50 | struct con { | |||
51 | struct pollfd *pfd; | |||
52 | int state; | |||
53 | int laststate; | |||
54 | int af; | |||
55 | int il; | |||
56 | struct sockaddr_storage ss; | |||
57 | void *ia; | |||
58 | char addr[32]; | |||
59 | char caddr[32]; | |||
60 | char helo[MAX_MAIL1024], mail[MAX_MAIL1024], rcpt[MAX_MAIL1024]; | |||
61 | struct sdlist **blacklists; | |||
62 | struct tls *cctx; | |||
63 | ||||
64 | /* | |||
65 | * we will do stuttering by changing these to time_t's of | |||
66 | * now + n, and only advancing when the time is in the past/now | |||
67 | */ | |||
68 | time_t r; | |||
69 | time_t w; | |||
70 | time_t s; | |||
71 | ||||
72 | char ibuf[8192]; | |||
73 | char *ip; | |||
74 | char rend[5]; /* any chars in here causes input termination */ | |||
75 | ||||
76 | char *obuf; | |||
77 | char *lists; | |||
78 | size_t osize; | |||
79 | char *op; | |||
80 | int ol; | |||
81 | int data_lines; | |||
82 | int data_body; | |||
83 | int stutter; | |||
84 | int badcmd; | |||
85 | int sr; | |||
86 | int tlsaction; | |||
87 | } *con; | |||
88 | ||||
89 | #define SPAMD_TLS_ACT_NONE0 0 | |||
90 | #define SPAMD_TLS_ACT_READ_POLLIN1 1 | |||
91 | #define SPAMD_TLS_ACT_READ_POLLOUT2 2 | |||
92 | #define SPAMD_TLS_ACT_WRITE_POLLIN3 3 | |||
93 | #define SPAMD_TLS_ACT_WRITE_POLLOUT4 4 | |||
94 | ||||
95 | #define SPAMD_USER"_spamd" "_spamd" | |||
96 | ||||
97 | void usage(void); | |||
98 | char *grow_obuf(struct con *, int); | |||
99 | int parse_configline(char *); | |||
100 | void parse_configs(void); | |||
101 | void do_config(void); | |||
102 | int append_error_string (struct con *, size_t, char *, int, void *); | |||
103 | void doreply(struct con *); | |||
104 | void setlog(char *, size_t, char *); | |||
105 | void initcon(struct con *, int, struct sockaddr *); | |||
106 | void closecon(struct con *); | |||
107 | int match(const char *, const char *); | |||
108 | void nextstate(struct con *); | |||
109 | void handler(struct con *); | |||
110 | void handlew(struct con *, int one); | |||
111 | char *loglists(struct con *); | |||
112 | void getcaddr(struct con *); | |||
113 | void gethelo(char *, size_t, char *); | |||
114 | int read_configline(FILE *); | |||
115 | void spamd_tls_init(void); | |||
116 | void check_spamd_db(void); | |||
117 | void blackcheck(int); | |||
118 | ||||
119 | char hostname[HOST_NAME_MAX255+1]; | |||
120 | struct syslog_data sdata = SYSLOG_DATA_INIT{0, (const char *)0, (1<<3), 0xff}; | |||
121 | char *nreply = "450"; | |||
122 | char *spamd = "spamd IP-based SPAM blocker"; | |||
123 | int greyback[2]; | |||
124 | int greypipe[2]; | |||
125 | int trappipe[2]; | |||
126 | FILE *grey; | |||
127 | FILE *trapcfg; | |||
128 | time_t passtime = PASSTIME(60 * 25); | |||
129 | time_t greyexp = GREYEXP(60 * 60 * 4); | |||
130 | time_t whiteexp = WHITEEXP(60 * 60 * 24 * 36); | |||
131 | time_t trapexp = TRAPEXP(60 * 60 * 24); | |||
132 | struct passwd *pw; | |||
133 | pid_t jail_pid = -1; | |||
134 | u_short cfg_port; | |||
135 | u_short sync_port; | |||
136 | struct tls_config *tlscfg; | |||
137 | struct tls *tlsctx; | |||
138 | char *tlskeyfile = NULL((void *)0); | |||
139 | char *tlscertfile = NULL((void *)0); | |||
140 | ||||
141 | extern struct sdlist *blacklists; | |||
142 | extern int pfdev; | |||
143 | extern char *low_prio_mx_ip; | |||
144 | ||||
145 | time_t slowdowntill; | |||
146 | ||||
147 | int conffd = -1; | |||
148 | int trapfd = -1; | |||
149 | char *cb; | |||
150 | size_t cbs, cbu; | |||
151 | ||||
152 | time_t t; | |||
153 | ||||
154 | #define MAXCON800 800 | |||
155 | int maxfiles; | |||
156 | int maxcon = MAXCON800; | |||
157 | int maxblack = MAXCON800; | |||
158 | int blackcount; | |||
159 | int clients; | |||
160 | int debug; | |||
161 | int greylist = 1; | |||
162 | int grey_stutter = 10; | |||
163 | int verbose; | |||
164 | int stutter = 1; | |||
165 | int window; | |||
166 | int syncrecv; | |||
167 | int syncsend; | |||
168 | #define MAXTIME400 400 | |||
169 | ||||
170 | #define MAXIMUM(a,b)(((a)>(b))?(a):(b)) (((a)>(b))?(a):(b)) | |||
171 | ||||
172 | void | |||
173 | usage(void) | |||
174 | { | |||
175 | extern char *__progname; | |||
176 | ||||
177 | fprintf(stderr(&__sF[2]), | |||
178 | "usage: %s [-45bdv] [-B maxblack] [-C file] [-c maxcon] " | |||
179 | "[-G passtime:greyexp:whiteexp]\n" | |||
180 | "\t[-h hostname] [-K file] [-l address] [-M address] [-n name]\n" | |||
181 | "\t[-p port] [-S secs] [-s secs] " | |||
182 | "[-w window] [-Y synctarget] [-y synclisten]\n", | |||
183 | __progname); | |||
184 | ||||
185 | exit(1); | |||
186 | } | |||
187 | ||||
188 | char * | |||
189 | grow_obuf(struct con *cp, int off) | |||
190 | { | |||
191 | char *tmp; | |||
192 | ||||
193 | tmp = realloc(cp->obuf, cp->osize + 8192); | |||
194 | if (tmp == NULL((void *)0)) { | |||
195 | free(cp->obuf); | |||
196 | cp->obuf = NULL((void *)0); | |||
197 | cp->osize = 0; | |||
198 | return (NULL((void *)0)); | |||
199 | } else { | |||
200 | cp->osize += 8192; | |||
201 | cp->obuf = tmp; | |||
202 | return (cp->obuf + off); | |||
203 | } | |||
204 | } | |||
205 | ||||
206 | int | |||
207 | parse_configline(char *line) | |||
208 | { | |||
209 | char *cp, prev, *name, *msg, *tmp; | |||
210 | char **v4 = NULL((void *)0), **v6 = NULL((void *)0); | |||
211 | const char *errstr; | |||
212 | u_int nv4 = 0, nv6 = 0; | |||
213 | int mdone = 0; | |||
214 | sa_family_t af; | |||
215 | ||||
216 | name = line; | |||
217 | ||||
218 | for (cp = name; *cp && *cp != ';'; cp++) | |||
219 | ; | |||
220 | if (*cp != ';') | |||
221 | goto parse_error; | |||
222 | *cp++ = '\0'; | |||
223 | if (!*cp) { | |||
224 | sdl_del(name); | |||
225 | return (0); | |||
226 | } | |||
227 | msg = cp; | |||
228 | if (*cp++ != '"') | |||
229 | goto parse_error; | |||
230 | prev = '\0'; | |||
231 | for (; !mdone; cp++) { | |||
232 | switch (*cp) { | |||
233 | case '\\': | |||
234 | if (!prev) | |||
235 | prev = *cp; | |||
236 | else | |||
237 | prev = '\0'; | |||
238 | break; | |||
239 | case '"': | |||
240 | if (prev != '\\') { | |||
241 | cp++; | |||
242 | if (*cp == ';') { | |||
243 | mdone = 1; | |||
244 | *cp = '\0'; | |||
245 | } else { | |||
246 | if (debug > 0) | |||
247 | printf("bad message: %s\n", msg); | |||
248 | goto parse_error; | |||
249 | } | |||
250 | } | |||
251 | break; | |||
252 | case '\0': | |||
253 | if (debug > 0) | |||
254 | printf("bad message: %s\n", msg); | |||
255 | goto parse_error; | |||
256 | default: | |||
257 | prev = '\0'; | |||
258 | break; | |||
259 | } | |||
260 | } | |||
261 | ||||
262 | while ((tmp = strsep(&cp, ";")) != NULL((void *)0)) { | |||
263 | char **av; | |||
264 | u_int au, ac; | |||
265 | ||||
266 | if (*tmp == '\0') | |||
267 | continue; | |||
268 | ||||
269 | if (strncmp(tmp, "inet", 4) != 0) | |||
270 | goto parse_error; | |||
271 | switch (tmp[4]) { | |||
272 | case '\0': | |||
273 | af = AF_INET2; | |||
274 | break; | |||
275 | case '6': | |||
276 | if (tmp[5] == '\0') { | |||
277 | af = AF_INET624; | |||
278 | break; | |||
279 | } | |||
280 | /* FALLTHROUGH */ | |||
281 | default: | |||
282 | if (debug > 0) | |||
283 | printf("unsupported address family: %s\n", tmp); | |||
284 | goto parse_error; | |||
285 | } | |||
286 | ||||
287 | tmp = strsep(&cp, ";"); | |||
288 | if (tmp == NULL((void *)0)) { | |||
289 | if (debug > 0) | |||
290 | printf("missing address count\n"); | |||
291 | goto parse_error; | |||
292 | } | |||
293 | ac = strtonum(tmp, 0, UINT_MAX0xffffffffU, &errstr); | |||
294 | if (errstr != NULL((void *)0)) { | |||
295 | if (debug > 0) | |||
296 | printf("count \"%s\" is %s\n", tmp, errstr); | |||
297 | goto parse_error; | |||
298 | } | |||
299 | ||||
300 | av = reallocarray(NULL((void *)0), ac, sizeof(char *)); | |||
301 | for (au = 0; au < ac; au++) { | |||
302 | tmp = strsep(&cp, ";"); | |||
303 | if (tmp == NULL((void *)0)) { | |||
304 | if (debug > 0) | |||
305 | printf("expected %u addrs, got %u\n", | |||
306 | ac, au + 1); | |||
307 | free(av); | |||
308 | goto parse_error; | |||
309 | } | |||
310 | if (*tmp == '\0') | |||
311 | continue; | |||
312 | av[au] = tmp; | |||
313 | } | |||
314 | if (af == AF_INET2) { | |||
315 | if (v4 != NULL((void *)0)) { | |||
316 | if (debug > 0) | |||
317 | printf("duplicate inet\n"); | |||
318 | goto parse_error; | |||
319 | } | |||
320 | v4 = av; | |||
321 | nv4 = ac; | |||
322 | } else { | |||
323 | if (v6 != NULL((void *)0)) { | |||
324 | if (debug > 0) | |||
325 | printf("duplicate inet6\n"); | |||
326 | goto parse_error; | |||
327 | } | |||
328 | v6 = av; | |||
329 | nv6 = ac; | |||
330 | } | |||
331 | } | |||
332 | if (nv4 == 0 && nv6 == 0) { | |||
333 | if (debug > 0) | |||
334 | printf("no addresses\n"); | |||
335 | goto parse_error; | |||
336 | } | |||
337 | sdl_add(name, msg, v4, nv4, v6, nv6); | |||
338 | free(v4); | |||
339 | free(v6); | |||
340 | return (0); | |||
341 | ||||
342 | parse_error: | |||
343 | if (debug > 0) | |||
344 | printf("bogus config line - need 'tag;message;af;count;a/m;a/m;a/m...'\n"); | |||
345 | free(v4); | |||
346 | free(v6); | |||
347 | return (-1); | |||
348 | } | |||
349 | ||||
350 | void | |||
351 | parse_configs(void) | |||
352 | { | |||
353 | char *start, *end; | |||
354 | size_t i; | |||
355 | ||||
356 | /* We always leave an extra byte for the NUL. */ | |||
357 | cb[cbu++] = '\0'; | |||
358 | ||||
359 | start = cb; | |||
360 | end = start; | |||
361 | for (i = 0; i < cbu; i++) { | |||
362 | if (*end == '\n') { | |||
363 | *end = '\0'; | |||
364 | if (end > start + 1) | |||
365 | parse_configline(start); | |||
366 | start = ++end; | |||
367 | } else | |||
368 | ++end; | |||
369 | } | |||
370 | if (end > start + 1) | |||
371 | parse_configline(start); | |||
372 | } | |||
373 | ||||
374 | void | |||
375 | do_config(void) | |||
376 | { | |||
377 | int n; | |||
378 | ||||
379 | if (debug > 0) | |||
380 | printf("got configuration connection\n"); | |||
381 | ||||
382 | /* Leave an extra byte for the terminating NUL. */ | |||
383 | if (cbu + 1 >= cbs) { | |||
384 | char *tmp; | |||
385 | ||||
386 | tmp = realloc(cb, cbs + (1024 * 1024)); | |||
387 | if (tmp == NULL((void *)0)) { | |||
388 | if (debug > 0) | |||
389 | warn("realloc"); | |||
390 | goto configdone; | |||
391 | } | |||
392 | cbs += 1024 * 1024; | |||
393 | cb = tmp; | |||
394 | } | |||
395 | ||||
396 | n = read(conffd, cb + cbu, cbs - cbu); | |||
397 | if (debug > 0) | |||
398 | printf("read %d config bytes\n", n); | |||
399 | if (n == 0) { | |||
400 | if (cbu != 0) | |||
401 | parse_configs(); | |||
402 | goto configdone; | |||
403 | } else if (n == -1) { | |||
404 | if (debug > 0) | |||
405 | warn("read"); | |||
406 | goto configdone; | |||
407 | } else | |||
408 | cbu += n; | |||
409 | return; | |||
410 | ||||
411 | configdone: | |||
412 | free(cb); | |||
413 | cb = NULL((void *)0); | |||
414 | cbs = 0; | |||
415 | cbu = 0; | |||
416 | close(conffd); | |||
417 | conffd = -1; | |||
418 | slowdowntill = 0; | |||
419 | } | |||
420 | ||||
421 | int | |||
422 | read_configline(FILE *config) | |||
423 | { | |||
424 | char *buf; | |||
425 | size_t len; | |||
426 | ||||
427 | if ((buf = fgetln(config, &len))) { | |||
428 | if (buf[len - 1] == '\n') | |||
429 | buf[len - 1] = '\0'; | |||
430 | else | |||
431 | return (-1); /* all valid lines end in \n */ | |||
432 | parse_configline(buf); | |||
433 | } else { | |||
434 | syslog_r(LOG_DEBUG7, &sdata, "read_configline: fgetln (%m)"); | |||
435 | return (-1); | |||
436 | } | |||
437 | return (0); | |||
438 | } | |||
439 | ||||
440 | void | |||
441 | spamd_tls_init(void) | |||
442 | { | |||
443 | if (tlskeyfile == NULL((void *)0) && tlscertfile == NULL((void *)0)) | |||
444 | return; | |||
445 | if (tlskeyfile == NULL((void *)0) || tlscertfile == NULL((void *)0)) | |||
446 | errx(1, "need key and certificate for TLS"); | |||
447 | ||||
448 | if ((tlscfg = tls_config_new()) == NULL((void *)0)) | |||
449 | errx(1, "failed to get tls config"); | |||
450 | if ((tlsctx = tls_server()) == NULL((void *)0)) | |||
451 | errx(1, "failed to get tls server"); | |||
452 | ||||
453 | if (tls_config_set_protocols(tlscfg, TLS_PROTOCOLS_ALL((1 << 3)|(1 << 4))) != 0) | |||
454 | errx(1, "failed to set tls protocols"); | |||
455 | ||||
456 | /* might need user-specified ciphers, tls_config_set_ciphers */ | |||
457 | if (tls_config_set_ciphers(tlscfg, "all") != 0) | |||
458 | errx(1, "failed to set tls ciphers"); | |||
459 | ||||
460 | if (tls_config_set_cert_file(tlscfg, tlscertfile) == -1) | |||
461 | errx(1, "unable to set TLS certificate file %s", tlscertfile); | |||
462 | if (tls_config_set_key_file(tlscfg, tlskeyfile) == -1) | |||
463 | errx(1, "unable to set TLS key file %s", tlskeyfile); | |||
464 | if (tls_configure(tlsctx, tlscfg) != 0) | |||
465 | errx(1, "failed to configure TLS - %s", tls_error(tlsctx)); | |||
466 | ||||
467 | /* set hostname to cert's CN unless explicitly given? */ | |||
468 | } | |||
469 | ||||
470 | int | |||
471 | append_error_string(struct con *cp, size_t off, char *fmt, int af, void *ia) | |||
472 | { | |||
473 | char sav = '\0'; | |||
474 | static int lastcont = 0; | |||
475 | char *c = cp->obuf + off; | |||
476 | char *s = fmt; | |||
477 | size_t len = cp->osize - off; | |||
478 | int i = 0; | |||
479 | ||||
480 | if (off
| |||
481 | lastcont = 0; | |||
482 | ||||
483 | if (lastcont
| |||
484 | cp->obuf[lastcont] = '-'; | |||
485 | snprintf(c, len, "%s ", nreply); | |||
486 | i += strlen(c); | |||
487 | lastcont = off + i - 1; | |||
488 | if (*s == '"') | |||
489 | s++; | |||
490 | while (*s) { | |||
491 | /* | |||
492 | * Make sure we at minimum, have room to add a | |||
493 | * format code (4 bytes), and a v6 address(39 bytes) | |||
494 | * and a byte saved in sav. | |||
495 | */ | |||
496 | if (i >= len - 46) { | |||
497 | c = grow_obuf(cp, off); | |||
498 | if (c
| |||
499 | return (-1); | |||
500 | len = cp->osize - (off + i); | |||
501 | } | |||
502 | ||||
503 | if (c[i-1] == '\n') { | |||
504 | if (lastcont != 0) | |||
505 | cp->obuf[lastcont] = '-'; | |||
506 | snprintf(c + i, len, "%s ", nreply); | |||
507 | i += strlen(c); | |||
508 | lastcont = off + i - 1; | |||
509 | } | |||
510 | ||||
511 | switch (*s) { | |||
512 | case '\\': | |||
513 | case '%': | |||
514 | if (!sav) | |||
515 | sav = *s; | |||
516 | else { | |||
517 | c[i++] = sav; | |||
518 | sav = '\0'; | |||
519 | c[i] = '\0'; | |||
520 | } | |||
521 | break; | |||
522 | case '"': | |||
523 | case 'A': | |||
524 | case 'n': | |||
525 | if (*(s+1) == '\0') { | |||
526 | break; | |||
527 | } | |||
528 | if (sav == '\\' && *s == 'n') { | |||
529 | c[i++] = '\n'; | |||
530 | sav = '\0'; | |||
531 | c[i] = '\0'; | |||
532 | break; | |||
533 | } else if (sav == '\\' && *s == '"') { | |||
534 | c[i++] = '"'; | |||
535 | sav = '\0'; | |||
536 | c[i] = '\0'; | |||
537 | break; | |||
538 | } else if (sav == '%' && *s == 'A') { | |||
539 | inet_ntop(af, ia, c + i, (len - i)); | |||
540 | i += strlen(c + i); | |||
541 | sav = '\0'; | |||
542 | break; | |||
543 | } | |||
544 | /* FALLTHROUGH */ | |||
545 | default: | |||
546 | if (sav) | |||
547 | c[i++] = sav; | |||
548 | c[i++] = *s; | |||
549 | sav = '\0'; | |||
550 | c[i] = '\0'; | |||
551 | break; | |||
552 | } | |||
553 | s++; | |||
554 | } | |||
555 | return (i); | |||
556 | } | |||
557 | ||||
558 | char * | |||
559 | loglists(struct con *cp) | |||
560 | { | |||
561 | static char matchlists[80]; | |||
562 | struct sdlist **matches; | |||
563 | int s = sizeof(matchlists) - 4; | |||
564 | ||||
565 | matchlists[0] = '\0'; | |||
566 | matches = cp->blacklists; | |||
567 | if (matches == NULL((void *)0)) | |||
568 | return (NULL((void *)0)); | |||
569 | for (; *matches; matches++) { | |||
570 | ||||
571 | /* don't report an insane amount of lists in the logs. | |||
572 | * just truncate and indicate with ... | |||
573 | */ | |||
574 | if (strlen(matchlists) + strlen(matches[0]->tag) + 1 >= s) | |||
575 | strlcat(matchlists, " ...", sizeof(matchlists)); | |||
576 | else { | |||
577 | strlcat(matchlists, " ", s); | |||
578 | strlcat(matchlists, matches[0]->tag, s); | |||
579 | } | |||
580 | } | |||
581 | return matchlists; | |||
582 | } | |||
583 | ||||
584 | void | |||
585 | doreply(struct con *cp) | |||
586 | { | |||
587 | struct sdlist **matches; | |||
588 | int off = 0; | |||
589 | ||||
590 | matches = cp->blacklists; | |||
591 | if (matches == NULL((void *)0)) | |||
592 | goto nomatch; | |||
593 | for (; *matches; matches++) { | |||
594 | int used = 0; | |||
595 | int left = cp->osize - off; | |||
596 | ||||
597 | used = append_error_string(cp, off, matches[0]->string, | |||
598 | cp->af, cp->ia); | |||
599 | if (used == -1) | |||
600 | goto bad; | |||
601 | off += used; | |||
602 | left -= used; | |||
603 | if (cp->obuf[off - 1] != '\n') { | |||
604 | if (left < 1) { | |||
605 | if (grow_obuf(cp, off) == NULL((void *)0)) | |||
606 | goto bad; | |||
607 | } | |||
608 | cp->obuf[off++] = '\n'; | |||
609 | cp->obuf[off] = '\0'; | |||
610 | } | |||
611 | } | |||
612 | return; | |||
613 | nomatch: | |||
614 | /* No match. give generic reply */ | |||
615 | free(cp->obuf); | |||
616 | if (cp->blacklists != NULL((void *)0)) | |||
617 | cp->osize = asprintf(&cp->obuf, | |||
618 | "%s-Sorry %s\n" | |||
619 | "%s-You are trying to send mail from an address " | |||
620 | "listed by one\n" | |||
621 | "%s or more IP-based registries as being a SPAM source.\n", | |||
622 | nreply, cp->addr, nreply, nreply); | |||
623 | else | |||
624 | cp->osize = asprintf(&cp->obuf, | |||
625 | "451 Temporary failure, please try again later.\r\n"); | |||
626 | if (cp->osize == -1) | |||
627 | cp->obuf = NULL((void *)0); | |||
628 | cp->osize++; /* size includes the NUL (also changes -1 to 0) */ | |||
629 | return; | |||
630 | bad: | |||
631 | if (cp->obuf
| |||
632 | free(cp->obuf); | |||
633 | cp->obuf = NULL((void *)0); | |||
634 | cp->osize = 0; | |||
635 | } | |||
636 | } | |||
637 | ||||
638 | void | |||
639 | setlog(char *p, size_t len, char *f) | |||
640 | { | |||
641 | char *s; | |||
642 | ||||
643 | s = strsep(&f, ":"); | |||
644 | if (!f) | |||
645 | return; | |||
646 | while (*f == ' ' || *f == '\t') | |||
647 | f++; | |||
648 | s = strsep(&f, " \t"); | |||
649 | if (s == NULL((void *)0)) | |||
650 | return; | |||
651 | strlcpy(p, s, len); | |||
652 | s = strsep(&p, " \t\n\r"); | |||
653 | if (s == NULL((void *)0)) | |||
654 | return; | |||
655 | s = strsep(&p, " \t\n\r"); | |||
656 | if (s) | |||
657 | *s = '\0'; | |||
658 | } | |||
659 | ||||
660 | /* | |||
661 | * Get address client connected to, by doing a getsockname call. | |||
662 | * Must not be used with a NAT'ed connection (use divert-to instead of rdr-to). | |||
663 | */ | |||
664 | void | |||
665 | getcaddr(struct con *cp) | |||
666 | { | |||
667 | struct sockaddr_storage original_destination; | |||
668 | struct sockaddr *odp = (struct sockaddr *) &original_destination; | |||
669 | socklen_t len = sizeof(struct sockaddr_storage); | |||
670 | int error; | |||
671 | ||||
672 | cp->caddr[0] = '\0'; | |||
673 | if (getsockname(cp->pfd->fd, odp, &len) == -1) | |||
674 | return; | |||
675 | error = getnameinfo(odp, odp->sa_len, cp->caddr, sizeof(cp->caddr), | |||
676 | NULL((void *)0), 0, NI_NUMERICHOST1); | |||
677 | if (error) | |||
678 | cp->caddr[0] = '\0'; | |||
679 | } | |||
680 | ||||
681 | void | |||
682 | gethelo(char *p, size_t len, char *f) | |||
683 | { | |||
684 | char *s; | |||
685 | ||||
686 | /* skip HELO/EHLO */ | |||
687 | f+=4; | |||
688 | /* skip whitespace */ | |||
689 | while (*f == ' ' || *f == '\t') | |||
690 | f++; | |||
691 | s = strsep(&f, " \t"); | |||
692 | if (s == NULL((void *)0)) | |||
693 | return; | |||
694 | strlcpy(p, s, len); | |||
695 | s = strsep(&p, " \t\n\r"); | |||
696 | if (s == NULL((void *)0)) | |||
697 | return; | |||
698 | s = strsep(&p, " \t\n\r"); | |||
699 | if (s) | |||
700 | *s = '\0'; | |||
701 | } | |||
702 | ||||
703 | void | |||
704 | initcon(struct con *cp, int fd, struct sockaddr *sa) | |||
705 | { | |||
706 | struct pollfd *pfd = cp->pfd; | |||
707 | char ctimebuf[26]; | |||
708 | time_t tt; | |||
709 | int error; | |||
710 | ||||
711 | if (sa->sa_family != AF_INET2) | |||
712 | errx(1, "not supported yet"); | |||
713 | ||||
714 | time(&tt); | |||
715 | free(cp->obuf); | |||
716 | free(cp->blacklists); | |||
717 | free(cp->lists); | |||
718 | memset(cp, 0, sizeof(*cp)); | |||
719 | if (grow_obuf(cp, 0) == NULL((void *)0)) | |||
720 | err(1, "malloc"); | |||
721 | cp->pfd = pfd; | |||
722 | cp->pfd->fd = fd; | |||
723 | memcpy(&cp->ss, sa, sa->sa_len); | |||
724 | cp->af = sa->sa_family; | |||
725 | cp->ia = &((struct sockaddr_in *)&cp->ss)->sin_addr; | |||
726 | cp->blacklists = sdl_lookup(blacklists, cp->af, cp->ia); | |||
727 | cp->stutter = (greylist && !grey_stutter && cp->blacklists == NULL((void *)0)) ? | |||
728 | 0 : stutter; | |||
729 | error = getnameinfo(sa, sa->sa_len, cp->addr, sizeof(cp->addr), NULL((void *)0), 0, | |||
730 | NI_NUMERICHOST1); | |||
731 | if (error) | |||
732 | strlcpy(cp->addr, "<unknown>", sizeof(cp->addr)); | |||
733 | ctime_r(&t, ctimebuf); | |||
734 | ctimebuf[sizeof(ctimebuf) - 2] = '\0'; /* nuke newline */ | |||
735 | snprintf(cp->obuf, cp->osize, "220 %s ESMTP %s; %s\r\n", | |||
736 | hostname, spamd, ctimebuf); | |||
737 | cp->op = cp->obuf; | |||
738 | cp->ol = strlen(cp->op); | |||
739 | cp->w = tt + cp->stutter; | |||
740 | cp->s = tt; | |||
741 | strlcpy(cp->rend, "\n", sizeof cp->rend); | |||
742 | clients++; | |||
743 | if (cp->blacklists != NULL((void *)0)) { | |||
744 | blackcount++; | |||
745 | if (greylist && blackcount > maxblack) | |||
746 | cp->stutter = 0; | |||
747 | cp->lists = strdup(loglists(cp)); | |||
748 | if (cp->lists == NULL((void *)0)) | |||
749 | err(1, "malloc"); | |||
750 | } | |||
751 | else | |||
752 | cp->lists = NULL((void *)0); | |||
753 | } | |||
754 | ||||
755 | void | |||
756 | closecon(struct con *cp) | |||
757 | { | |||
758 | time_t tt; | |||
759 | ||||
760 | if (cp->cctx) { | |||
761 | tls_close(cp->cctx); | |||
762 | tls_free(cp->cctx); | |||
763 | } | |||
764 | close(cp->pfd->fd); | |||
765 | cp->pfd->fd = -1; | |||
766 | ||||
767 | slowdowntill = 0; | |||
768 | ||||
769 | time(&tt); | |||
770 | syslog_r(LOG_INFO6, &sdata, "%s: disconnected after %lld seconds.%s%s", | |||
771 | cp->addr, (long long)(tt - cp->s), | |||
772 | ((cp->lists == NULL((void *)0)) ? "" : " lists:"), | |||
773 | ((cp->lists == NULL((void *)0)) ? "": cp->lists)); | |||
774 | if (debug > 0) | |||
775 | printf("%s connected for %lld seconds.\n", cp->addr, | |||
776 | (long long)(tt - cp->s)); | |||
777 | free(cp->lists); | |||
778 | cp->lists = NULL((void *)0); | |||
779 | if (cp->blacklists != NULL((void *)0)) { | |||
780 | blackcount--; | |||
781 | free(cp->blacklists); | |||
782 | cp->blacklists = NULL((void *)0); | |||
783 | } | |||
784 | if (cp->obuf != NULL((void *)0)) { | |||
785 | free(cp->obuf); | |||
786 | cp->obuf = NULL((void *)0); | |||
787 | cp->osize = 0; | |||
788 | } | |||
789 | clients--; | |||
790 | } | |||
791 | ||||
792 | int | |||
793 | match(const char *s1, const char *s2) | |||
794 | { | |||
795 | return (strncasecmp(s1, s2, strlen(s2)) == 0); | |||
796 | } | |||
797 | ||||
798 | void | |||
799 | nextstate(struct con *cp) | |||
800 | { | |||
801 | if (match(cp->ibuf, "QUIT") && cp->state < 99) { | |||
802 | snprintf(cp->obuf, cp->osize, "221 %s\r\n", hostname); | |||
803 | cp->op = cp->obuf; | |||
804 | cp->ol = strlen(cp->op); | |||
805 | cp->w = t + cp->stutter; | |||
806 | cp->laststate = cp->state; | |||
807 | cp->state = 99; | |||
808 | return; | |||
809 | } | |||
810 | ||||
811 | if (match(cp->ibuf, "RSET") && cp->state > 2 && cp->state < 50) { | |||
812 | snprintf(cp->obuf, cp->osize, | |||
813 | "250 Ok to start over.\r\n"); | |||
814 | cp->op = cp->obuf; | |||
815 | cp->ol = strlen(cp->op); | |||
816 | cp->w = t + cp->stutter; | |||
817 | cp->laststate = cp->state; | |||
818 | cp->state = 2; | |||
819 | return; | |||
820 | } | |||
821 | switch (cp->state) { | |||
| ||||
822 | case 0: | |||
823 | tlsinitdone: | |||
824 | /* banner sent; wait for input */ | |||
825 | cp->ip = cp->ibuf; | |||
826 | cp->il = sizeof(cp->ibuf) - 1; | |||
827 | cp->laststate = cp->state; | |||
828 | cp->state = 1; | |||
829 | cp->r = t; | |||
830 | break; | |||
831 | case 1: | |||
832 | /* received input: parse, and select next state */ | |||
833 | if (match(cp->ibuf, "HELO") || | |||
834 | match(cp->ibuf, "EHLO")) { | |||
835 | int nextstate = 2; | |||
836 | cp->helo[0] = '\0'; | |||
837 | gethelo(cp->helo, sizeof cp->helo, cp->ibuf); | |||
838 | if (cp->helo[0] == '\0') { | |||
839 | nextstate = 0; | |||
840 | snprintf(cp->obuf, cp->osize, | |||
841 | "501 helo requires domain name.\r\n"); | |||
842 | } else { | |||
843 | if (cp->cctx == NULL((void *)0) && tlsctx != NULL((void *)0) && | |||
844 | cp->blacklists == NULL((void *)0) && | |||
845 | match(cp->ibuf, "EHLO")) { | |||
846 | snprintf(cp->obuf, cp->osize, | |||
847 | "250-%s\r\n" | |||
848 | "250 STARTTLS\r\n", | |||
849 | hostname); | |||
850 | nextstate = 7; | |||
851 | } else { | |||
852 | snprintf(cp->obuf, cp->osize, | |||
853 | "250 Hello, spam sender. Pleased " | |||
854 | "to be wasting your time.\r\n"); | |||
855 | } | |||
856 | } | |||
857 | cp->op = cp->obuf; | |||
858 | cp->ol = strlen(cp->op); | |||
859 | cp->laststate = cp->state; | |||
860 | cp->state = nextstate; | |||
861 | cp->w = t + cp->stutter; | |||
862 | break; | |||
863 | } | |||
864 | goto mail; | |||
865 | case 2: | |||
866 | /* sent 250 Hello, wait for input */ | |||
867 | cp->ip = cp->ibuf; | |||
868 | cp->il = sizeof(cp->ibuf) - 1; | |||
869 | cp->laststate = cp->state; | |||
870 | cp->state = 3; | |||
871 | cp->r = t; | |||
872 | break; | |||
873 | case 3: | |||
874 | mail: | |||
875 | if (match(cp->ibuf, "MAIL")) { | |||
876 | setlog(cp->mail, sizeof cp->mail, cp->ibuf); | |||
877 | snprintf(cp->obuf, cp->osize, | |||
878 | "250 You are about to try to deliver spam. " | |||
879 | "Your time will be spent, for nothing.\r\n"); | |||
880 | cp->op = cp->obuf; | |||
881 | cp->ol = strlen(cp->op); | |||
882 | cp->laststate = cp->state; | |||
883 | cp->state = 4; | |||
884 | cp->w = t + cp->stutter; | |||
885 | break; | |||
886 | } | |||
887 | goto rcpt; | |||
888 | case 4: | |||
889 | /* sent 250 Sender ok */ | |||
890 | cp->ip = cp->ibuf; | |||
891 | cp->il = sizeof(cp->ibuf) - 1; | |||
892 | cp->laststate = cp->state; | |||
893 | cp->state = 5; | |||
894 | cp->r = t; | |||
895 | break; | |||
896 | case 5: | |||
897 | rcpt: | |||
898 | if (match(cp->ibuf, "RCPT")) { | |||
899 | setlog(cp->rcpt, sizeof(cp->rcpt), cp->ibuf); | |||
900 | snprintf(cp->obuf, cp->osize, | |||
901 | "250 This is hurting you more than it is " | |||
902 | "hurting me.\r\n"); | |||
903 | cp->op = cp->obuf; | |||
904 | cp->ol = strlen(cp->op); | |||
905 | cp->laststate = cp->state; | |||
906 | cp->state = 6; | |||
907 | cp->w = t + cp->stutter; | |||
908 | ||||
909 | if (cp->mail[0] && cp->rcpt[0]) { | |||
910 | if (verbose) | |||
911 | syslog_r(LOG_INFO6, &sdata, | |||
912 | "(%s) %s: %s -> %s", | |||
913 | cp->blacklists ? "BLACK" : "GREY", | |||
914 | cp->addr, cp->mail, | |||
915 | cp->rcpt); | |||
916 | if (debug) | |||
917 | fprintf(stderr(&__sF[2]), "(%s) %s: %s -> %s\n", | |||
918 | cp->blacklists ? "BLACK" : "GREY", | |||
919 | cp->addr, cp->mail, cp->rcpt); | |||
920 | if (greylist && cp->blacklists == NULL((void *)0)) { | |||
921 | /* send this info to the greylister */ | |||
922 | getcaddr(cp); | |||
923 | fprintf(grey, | |||
924 | "CO:%s\nHE:%s\nIP:%s\nFR:%s\nTO:%s\n", | |||
925 | cp->caddr, cp->helo, cp->addr, | |||
926 | cp->mail, cp->rcpt); | |||
927 | fflush(grey); | |||
928 | } | |||
929 | } | |||
930 | break; | |||
931 | } | |||
932 | goto spam; | |||
933 | case 6: | |||
934 | /* sent 250 blah */ | |||
935 | cp->ip = cp->ibuf; | |||
936 | cp->il = sizeof(cp->ibuf) - 1; | |||
937 | cp->laststate = cp->state; | |||
938 | cp->state = 5; | |||
939 | cp->r = t; | |||
940 | break; | |||
941 | case 7: | |||
942 | /* sent 250 STARTTLS, wait for input */ | |||
943 | cp->ip = cp->ibuf; | |||
944 | cp->il = sizeof(cp->ibuf) - 1; | |||
945 | cp->laststate = cp->state; | |||
946 | cp->state = 8; | |||
947 | cp->r = t; | |||
948 | break; | |||
949 | case 8: | |||
950 | if (tlsctx != NULL((void *)0) && cp->blacklists == NULL((void *)0) && | |||
951 | cp->cctx == NULL((void *)0) && match(cp->ibuf, "STARTTLS")) { | |||
952 | snprintf(cp->obuf, cp->osize, | |||
953 | "220 glad you want to burn more CPU cycles on " | |||
954 | "your spam\r\n"); | |||
955 | cp->op = cp->obuf; | |||
956 | cp->ol = strlen(cp->op); | |||
957 | cp->laststate = cp->state; | |||
958 | cp->state = 9; | |||
959 | cp->w = t + cp->stutter; | |||
960 | break; | |||
961 | } | |||
962 | goto mail; | |||
963 | case 9: | |||
964 | if (tls_accept_socket(tlsctx, &cp->cctx, cp->pfd->fd) == -1) { | |||
965 | snprintf(cp->obuf, cp->osize, | |||
966 | "500 STARTTLS failed\r\n"); | |||
967 | cp->op = cp->obuf; | |||
968 | cp->ol = strlen(cp->op); | |||
969 | cp->laststate = cp->state; | |||
970 | cp->state = 98; | |||
971 | goto done; | |||
972 | } | |||
973 | goto tlsinitdone; | |||
974 | ||||
975 | case 50: | |||
976 | spam: | |||
977 | if (match(cp->ibuf, "DATA")) { | |||
978 | snprintf(cp->obuf, cp->osize, | |||
979 | "354 Enter spam, end with \".\" on a line by " | |||
980 | "itself\r\n"); | |||
981 | cp->state = 60; | |||
982 | if (window && setsockopt(cp->pfd->fd, SOL_SOCKET0xffff, | |||
983 | SO_RCVBUF0x1002, &window, sizeof(window)) == -1) { | |||
984 | syslog_r(LOG_DEBUG7, &sdata,"setsockopt: %m"); | |||
985 | /* don't fail if this doesn't work. */ | |||
986 | } | |||
987 | cp->ip = cp->ibuf; | |||
988 | cp->il = sizeof(cp->ibuf) - 1; | |||
989 | cp->op = cp->obuf; | |||
990 | cp->ol = strlen(cp->op); | |||
991 | cp->w = t + cp->stutter; | |||
992 | if (greylist && cp->blacklists == NULL((void *)0)) { | |||
993 | cp->laststate = cp->state; | |||
994 | cp->state = 98; | |||
995 | goto done; | |||
996 | } | |||
997 | } else { | |||
998 | if (match(cp->ibuf, "NOOP")) | |||
999 | snprintf(cp->obuf, cp->osize, | |||
1000 | "250 2.0.0 OK I did nothing\r\n"); | |||
1001 | else { | |||
1002 | snprintf(cp->obuf, cp->osize, | |||
1003 | "500 5.5.1 Command unrecognized\r\n"); | |||
1004 | cp->badcmd++; | |||
1005 | if (cp->badcmd > 20) { | |||
1006 | cp->laststate = cp->state; | |||
1007 | cp->state = 98; | |||
1008 | goto done; | |||
1009 | } | |||
1010 | } | |||
1011 | cp->state = cp->laststate; | |||
1012 | cp->ip = cp->ibuf; | |||
1013 | cp->il = sizeof(cp->ibuf) - 1; | |||
1014 | cp->op = cp->obuf; | |||
1015 | cp->ol = strlen(cp->op); | |||
1016 | cp->w = t + cp->stutter; | |||
1017 | } | |||
1018 | break; | |||
1019 | case 60: | |||
1020 | /* sent 354 blah */ | |||
1021 | cp->ip = cp->ibuf; | |||
1022 | cp->il = sizeof(cp->ibuf) - 1; | |||
1023 | cp->laststate = cp->state; | |||
1024 | cp->state = 70; | |||
1025 | cp->r = t; | |||
1026 | break; | |||
1027 | case 70: { | |||
1028 | char *p, *q; | |||
1029 | ||||
1030 | for (p = q = cp->ibuf; q <= cp->ip; ++q) | |||
1031 | if (*q == '\n' || q == cp->ip) { | |||
1032 | *q = 0; | |||
1033 | if (q > p && q[-1] == '\r') | |||
1034 | q[-1] = 0; | |||
1035 | if (!strcmp(p, ".") || | |||
1036 | (cp->data_body && ++cp->data_lines >= 10)) { | |||
1037 | cp->laststate = cp->state; | |||
1038 | cp->state = 98; | |||
1039 | goto done; | |||
1040 | } | |||
1041 | if (!cp->data_body && !*p) | |||
1042 | cp->data_body = 1; | |||
1043 | if (verbose && cp->data_body && *p) | |||
1044 | syslog_r(LOG_DEBUG7, &sdata, "%s: " | |||
1045 | "Body: %s", cp->addr, p); | |||
1046 | else if (verbose && (match(p, "FROM:") || | |||
1047 | match(p, "TO:") || match(p, "SUBJECT:"))) | |||
1048 | syslog_r(LOG_INFO6, &sdata, "%s: %s", | |||
1049 | cp->addr, p); | |||
1050 | p = ++q; | |||
1051 | } | |||
1052 | cp->ip = cp->ibuf; | |||
1053 | cp->il = sizeof(cp->ibuf) - 1; | |||
1054 | cp->r = t; | |||
1055 | break; | |||
1056 | } | |||
1057 | case 98: | |||
1058 | done: | |||
1059 | doreply(cp); | |||
1060 | cp->op = cp->obuf; | |||
1061 | cp->ol = strlen(cp->op); | |||
| ||||
1062 | cp->w = t + cp->stutter; | |||
1063 | cp->laststate = cp->state; | |||
1064 | cp->state = 99; | |||
1065 | break; | |||
1066 | case 99: | |||
1067 | closecon(cp); | |||
1068 | break; | |||
1069 | default: | |||
1070 | errx(1, "illegal state %d", cp->state); | |||
1071 | break; | |||
1072 | } | |||
1073 | } | |||
1074 | ||||
1075 | void | |||
1076 | handler(struct con *cp) | |||
1077 | { | |||
1078 | int end = 0; | |||
1079 | ssize_t n; | |||
1080 | ||||
1081 | if (cp->r || cp->tlsaction != SPAMD_TLS_ACT_NONE0) { | |||
1082 | if (cp->cctx) { | |||
1083 | cp->tlsaction = SPAMD_TLS_ACT_NONE0; | |||
1084 | n = tls_read(cp->cctx, cp->ip, cp->il); | |||
1085 | if (n == TLS_WANT_POLLIN-2) | |||
1086 | cp->tlsaction = SPAMD_TLS_ACT_READ_POLLIN1; | |||
1087 | if (n == TLS_WANT_POLLOUT-3) | |||
1088 | cp->tlsaction = SPAMD_TLS_ACT_READ_POLLOUT2; | |||
1089 | if (cp->tlsaction != SPAMD_TLS_ACT_NONE0) | |||
1090 | return; | |||
1091 | } else | |||
1092 | n = read(cp->pfd->fd, cp->ip, cp->il); | |||
1093 | ||||
1094 | if (n == 0) | |||
1095 | closecon(cp); | |||
1096 | else if (n == -1) { | |||
1097 | if (errno(*__errno()) == EAGAIN35) | |||
1098 | return; | |||
1099 | if (debug > 0) | |||
1100 | warn("read"); | |||
1101 | closecon(cp); | |||
1102 | } else { | |||
1103 | cp->ip[n] = '\0'; | |||
1104 | if (cp->rend[0]) | |||
1105 | if (strpbrk(cp->ip, cp->rend)) | |||
1106 | end = 1; | |||
1107 | cp->ip += n; | |||
1108 | cp->il -= n; | |||
1109 | } | |||
1110 | } | |||
1111 | if (end || cp->il == 0) { | |||
1112 | while (cp->ip > cp->ibuf && | |||
1113 | (cp->ip[-1] == '\r' || cp->ip[-1] == '\n')) | |||
1114 | cp->ip--; | |||
1115 | *cp->ip = '\0'; | |||
1116 | cp->r = 0; | |||
1117 | nextstate(cp); | |||
1118 | } | |||
1119 | } | |||
1120 | ||||
1121 | void | |||
1122 | handlew(struct con *cp, int one) | |||
1123 | { | |||
1124 | ssize_t n; | |||
1125 | ||||
1126 | /* kill stutter on greylisted connections after initial delay */ | |||
1127 | if (cp->stutter && greylist && cp->blacklists == NULL((void *)0) && | |||
1128 | (t - cp->s) > grey_stutter) | |||
1129 | cp->stutter=0; | |||
1130 | ||||
1131 | if (cp->w || cp->tlsaction != SPAMD_TLS_ACT_NONE0) { | |||
1132 | if (*cp->op == '\n' && !cp->sr) { | |||
1133 | /* insert \r before \n */ | |||
1134 | if (cp->cctx) { | |||
1135 | cp->tlsaction = SPAMD_TLS_ACT_NONE0; | |||
1136 | n = tls_write(cp->cctx, "\r", 1); | |||
1137 | if (n == TLS_WANT_POLLIN-2) | |||
1138 | cp->tlsaction = | |||
1139 | SPAMD_TLS_ACT_WRITE_POLLIN3; | |||
1140 | if (n == TLS_WANT_POLLOUT-3) | |||
1141 | cp->tlsaction = | |||
1142 | SPAMD_TLS_ACT_WRITE_POLLOUT4; | |||
1143 | if (cp->tlsaction != SPAMD_TLS_ACT_NONE0) | |||
1144 | return; | |||
1145 | } else | |||
1146 | n = write(cp->pfd->fd, "\r", 1); | |||
1147 | ||||
1148 | if (n == 0) { | |||
1149 | closecon(cp); | |||
1150 | goto handled; | |||
1151 | } else if (n == -1) { | |||
1152 | if (errno(*__errno()) == EAGAIN35) | |||
1153 | return; | |||
1154 | if (debug > 0 && errno(*__errno()) != EPIPE32) | |||
1155 | warn("write"); | |||
1156 | closecon(cp); | |||
1157 | goto handled; | |||
1158 | } | |||
1159 | } | |||
1160 | if (*cp->op == '\r') | |||
1161 | cp->sr = 1; | |||
1162 | else | |||
1163 | cp->sr = 0; | |||
1164 | if (cp->cctx) { | |||
1165 | cp->tlsaction = SPAMD_TLS_ACT_NONE0; | |||
1166 | n = tls_write(cp->cctx, cp->op, cp->ol); | |||
1167 | if (n == TLS_WANT_POLLIN-2) | |||
1168 | cp->tlsaction = SPAMD_TLS_ACT_WRITE_POLLIN3; | |||
1169 | if (n == TLS_WANT_POLLOUT-3) | |||
1170 | cp->tlsaction = SPAMD_TLS_ACT_WRITE_POLLOUT4; | |||
1171 | if (cp->tlsaction != SPAMD_TLS_ACT_NONE0) | |||
1172 | return; | |||
1173 | } else | |||
1174 | n = write(cp->pfd->fd, cp->op, | |||
1175 | (one && cp->stutter) ? 1 : cp->ol); | |||
1176 | ||||
1177 | if (n == 0) | |||
1178 | closecon(cp); | |||
1179 | else if (n == -1) { | |||
1180 | if (errno(*__errno()) == EAGAIN35) | |||
1181 | return; | |||
1182 | if (debug > 0 && errno(*__errno()) != EPIPE32) | |||
1183 | warn("write"); | |||
1184 | closecon(cp); | |||
1185 | } else { | |||
1186 | cp->op += n; | |||
1187 | cp->ol -= n; | |||
1188 | } | |||
1189 | } | |||
1190 | handled: | |||
1191 | cp->w = t + cp->stutter; | |||
1192 | if (cp->ol == 0) { | |||
1193 | cp->w = 0; | |||
1194 | nextstate(cp); | |||
1195 | } | |||
1196 | } | |||
1197 | ||||
1198 | static int | |||
1199 | get_maxfiles(void) | |||
1200 | { | |||
1201 | int mib[2], maxfiles; | |||
1202 | size_t len; | |||
1203 | ||||
1204 | mib[0] = CTL_KERN1; | |||
1205 | mib[1] = KERN_MAXFILES7; | |||
1206 | len = sizeof(maxfiles); | |||
1207 | if (sysctl(mib, 2, &maxfiles, &len, NULL((void *)0), 0) == -1) | |||
1208 | return(MAXCON800); | |||
1209 | if ((maxfiles - 200) < 10) | |||
1210 | errx(1, "kern.maxfiles is only %d, can not continue\n", | |||
1211 | maxfiles); | |||
1212 | else | |||
1213 | return(maxfiles - 200); | |||
1214 | } | |||
1215 | ||||
1216 | /* Symbolic indexes for pfd[] below */ | |||
1217 | #define PFD_SMTPLISTEN0 0 | |||
1218 | #define PFD_CONFLISTEN1 1 | |||
1219 | #define PFD_SYNCFD2 2 | |||
1220 | #define PFD_CONFFD3 3 | |||
1221 | #define PFD_TRAPFD4 4 | |||
1222 | #define PFD_GREYBACK5 5 | |||
1223 | #define PFD_FIRSTCON6 6 | |||
1224 | ||||
1225 | int | |||
1226 | main(int argc, char *argv[]) | |||
1227 | { | |||
1228 | struct pollfd *pfd; | |||
1229 | struct sockaddr_in sin; | |||
1230 | struct sockaddr_in lin; | |||
1231 | int ch, smtplisten, conflisten, syncfd = -1, i, one = 1; | |||
1232 | u_short port; | |||
1233 | long long passt, greyt, whitet; | |||
1234 | struct servent *ent; | |||
1235 | struct rlimit rlp; | |||
1236 | char *bind_address = NULL((void *)0); | |||
1237 | const char *errstr; | |||
1238 | char *sync_iface = NULL((void *)0); | |||
1239 | char *sync_baddr = NULL((void *)0); | |||
1240 | struct addrinfo hints, *res; | |||
1241 | char *addr; | |||
1242 | char portstr[6]; | |||
1243 | int error; | |||
1244 | ||||
1245 | tzset(); | |||
1246 | openlog_r("spamd", LOG_PID0x01 | LOG_NDELAY0x08, LOG_DAEMON(3<<3), &sdata); | |||
1247 | ||||
1248 | if ((ent = getservbyname("spamd", "tcp")) == NULL((void *)0)) | |||
1249 | errx(1, "Can't find service \"spamd\" in /etc/services"); | |||
1250 | port = ntohs(ent->s_port)(__uint16_t)(__builtin_constant_p(ent->s_port) ? (__uint16_t )(((__uint16_t)(ent->s_port) & 0xffU) << 8 | ((__uint16_t )(ent->s_port) & 0xff00U) >> 8) : __swap16md(ent ->s_port)); | |||
1251 | if ((ent = getservbyname("spamd-cfg", "tcp")) == NULL((void *)0)) | |||
1252 | errx(1, "Can't find service \"spamd-cfg\" in /etc/services"); | |||
1253 | cfg_port = ntohs(ent->s_port)(__uint16_t)(__builtin_constant_p(ent->s_port) ? (__uint16_t )(((__uint16_t)(ent->s_port) & 0xffU) << 8 | ((__uint16_t )(ent->s_port) & 0xff00U) >> 8) : __swap16md(ent ->s_port)); | |||
1254 | if ((ent = getservbyname("spamd-sync", "udp")) == NULL((void *)0)) | |||
1255 | errx(1, "Can't find service \"spamd-sync\" in /etc/services"); | |||
1256 | sync_port = ntohs(ent->s_port)(__uint16_t)(__builtin_constant_p(ent->s_port) ? (__uint16_t )(((__uint16_t)(ent->s_port) & 0xffU) << 8 | ((__uint16_t )(ent->s_port) & 0xff00U) >> 8) : __swap16md(ent ->s_port)); | |||
1257 | ||||
1258 | if (gethostname(hostname, sizeof hostname) == -1) | |||
1259 | err(1, "gethostname"); | |||
1260 | maxfiles = get_maxfiles(); | |||
1261 | if (maxcon > maxfiles) | |||
1262 | maxcon = maxfiles; | |||
1263 | if (maxblack > maxfiles) | |||
1264 | maxblack = maxfiles; | |||
1265 | while ((ch = | |||
1266 | getopt(argc, argv, "45l:c:B:p:bdG:h:s:S:M:n:vw:y:Y:C:K:")) != -1) { | |||
1267 | switch (ch) { | |||
1268 | case '4': | |||
1269 | nreply = "450"; | |||
1270 | break; | |||
1271 | case '5': | |||
1272 | nreply = "550"; | |||
1273 | break; | |||
1274 | case 'l': | |||
1275 | bind_address = optarg; | |||
1276 | break; | |||
1277 | case 'B': | |||
1278 | maxblack = strtonum(optarg, 0, INT_MAX0x7fffffff, &errstr); | |||
1279 | if (errstr) | |||
1280 | errx(1, "-B %s: %s", optarg, errstr); | |||
1281 | break; | |||
1282 | case 'c': | |||
1283 | maxcon = strtonum(optarg, 1, maxfiles, &errstr); | |||
1284 | if (errstr) { | |||
1285 | fprintf(stderr(&__sF[2]), "-c %s: %s\n", optarg, errstr); | |||
1286 | usage(); | |||
1287 | } | |||
1288 | break; | |||
1289 | case 'p': | |||
1290 | port = strtonum(optarg, 1, USHRT_MAX0xffff, &errstr); | |||
1291 | if (errstr) | |||
1292 | errx(1, "-p %s: %s", optarg, errstr); | |||
1293 | break; | |||
1294 | case 'd': | |||
1295 | debug = 1; | |||
1296 | break; | |||
1297 | case 'b': | |||
1298 | greylist = 0; | |||
1299 | break; | |||
1300 | case 'G': | |||
1301 | if (sscanf(optarg, "%lld:%lld:%lld", &passt, &greyt, | |||
1302 | &whitet) != 3) | |||
1303 | usage(); | |||
1304 | passtime = passt; | |||
1305 | greyexp = greyt; | |||
1306 | whiteexp = whitet; | |||
1307 | /* convert to seconds from minutes */ | |||
1308 | passtime *= 60; | |||
1309 | /* convert to seconds from hours */ | |||
1310 | whiteexp *= (60 * 60); | |||
1311 | /* convert to seconds from hours */ | |||
1312 | greyexp *= (60 * 60); | |||
1313 | break; | |||
1314 | case 'h': | |||
1315 | memset(hostname, 0, sizeof(hostname)); | |||
1316 | if (strlcpy(hostname, optarg, sizeof(hostname)) >= | |||
1317 | sizeof(hostname)) | |||
1318 | errx(1, "-h arg too long"); | |||
1319 | break; | |||
1320 | case 's': | |||
1321 | stutter = strtonum(optarg, 0, 10, &errstr); | |||
1322 | if (errstr) | |||
1323 | usage(); | |||
1324 | break; | |||
1325 | case 'S': | |||
1326 | grey_stutter = strtonum(optarg, 0, 90, &errstr); | |||
1327 | if (errstr) | |||
1328 | usage(); | |||
1329 | break; | |||
1330 | case 'M': | |||
1331 | low_prio_mx_ip = optarg; | |||
1332 | break; | |||
1333 | case 'n': | |||
1334 | spamd = optarg; | |||
1335 | break; | |||
1336 | case 'v': | |||
1337 | verbose = 1; | |||
1338 | break; | |||
1339 | case 'w': | |||
1340 | window = strtonum(optarg, 1, INT_MAX0x7fffffff, &errstr); | |||
1341 | if (errstr) | |||
1342 | errx(1, "-w %s: %s", optarg, errstr); | |||
1343 | break; | |||
1344 | case 'Y': | |||
1345 | if (sync_addhost(optarg, sync_port) != 0) | |||
1346 | sync_iface = optarg; | |||
1347 | syncsend++; | |||
1348 | break; | |||
1349 | case 'y': | |||
1350 | sync_baddr = optarg; | |||
1351 | syncrecv++; | |||
1352 | break; | |||
1353 | case 'C': | |||
1354 | tlscertfile = optarg; | |||
1355 | break; | |||
1356 | case 'K': | |||
1357 | tlskeyfile = optarg; | |||
1358 | break; | |||
1359 | default: | |||
1360 | usage(); | |||
1361 | break; | |||
1362 | } | |||
1363 | } | |||
1364 | ||||
1365 | setproctitle("[priv]%s%s", | |||
1366 | greylist ? " (greylist)" : "", | |||
1367 | (syncrecv || syncsend) ? " (sync)" : ""); | |||
1368 | ||||
1369 | if (syncsend || syncrecv) { | |||
1370 | syncfd = sync_init(sync_iface, sync_baddr, sync_port); | |||
1371 | if (syncfd == -1) | |||
1372 | err(1, "sync init"); | |||
1373 | } | |||
1374 | ||||
1375 | if (geteuid()) | |||
1376 | errx(1, "need root privileges"); | |||
1377 | ||||
1378 | if ((pw = getpwnam(SPAMD_USER"_spamd")) == NULL((void *)0)) | |||
1379 | errx(1, "no such user %s", SPAMD_USER"_spamd"); | |||
1380 | ||||
1381 | if (!greylist) { | |||
1382 | maxblack = maxcon; | |||
1383 | } else if (maxblack > maxcon) | |||
1384 | usage(); | |||
1385 | ||||
1386 | spamd_tls_init(); | |||
1387 | ||||
1388 | rlp.rlim_cur = rlp.rlim_max = maxcon + 15; | |||
1389 | if (setrlimit(RLIMIT_NOFILE8, &rlp) == -1) | |||
1390 | err(1, "setrlimit"); | |||
1391 | ||||
1392 | pfd = reallocarray(NULL((void *)0), PFD_FIRSTCON6 + maxcon, sizeof(*pfd)); | |||
1393 | if (pfd == NULL((void *)0)) | |||
1394 | err(1, "reallocarray"); | |||
1395 | ||||
1396 | con = calloc(maxcon, sizeof(*con)); | |||
1397 | if (con == NULL((void *)0)) | |||
1398 | err(1, "calloc"); | |||
1399 | ||||
1400 | con->obuf = malloc(8192); | |||
1401 | ||||
1402 | if (con->obuf == NULL((void *)0)) | |||
1403 | err(1, "malloc"); | |||
1404 | con->osize = 8192; | |||
1405 | ||||
1406 | for (i = 0; i < maxcon; i++) { | |||
1407 | con[i].pfd = &pfd[PFD_FIRSTCON6 + i]; | |||
1408 | con[i].pfd->fd = -1; | |||
1409 | } | |||
1410 | ||||
1411 | signal(SIGPIPE13, SIG_IGN(void (*)(int))1); | |||
1412 | ||||
1413 | smtplisten = socket(AF_INET2, SOCK_STREAM1, 0); | |||
1414 | if (smtplisten == -1) | |||
1415 | err(1, "socket"); | |||
1416 | ||||
1417 | if (setsockopt(smtplisten, SOL_SOCKET0xffff, SO_REUSEADDR0x0004, &one, | |||
1418 | sizeof(one)) == -1) | |||
1419 | return (-1); | |||
1420 | ||||
1421 | conflisten = socket(AF_INET2, SOCK_STREAM1, 0); | |||
1422 | if (conflisten == -1) | |||
1423 | err(1, "socket"); | |||
1424 | ||||
1425 | if (setsockopt(conflisten, SOL_SOCKET0xffff, SO_REUSEADDR0x0004, &one, | |||
1426 | sizeof(one)) == -1) | |||
1427 | return (-1); | |||
1428 | ||||
1429 | memset(&hints, 0, sizeof(hints)); | |||
1430 | hints.ai_family = AF_INET2; | |||
1431 | addr = bind_address; | |||
1432 | snprintf(portstr, sizeof(portstr), "%hu", port); | |||
1433 | ||||
1434 | if ((error = getaddrinfo(addr, portstr, &hints, &res)) != 0) { | |||
1435 | errx(1, "getaddrinfo: %s", gai_strerror(error)); | |||
1436 | } | |||
1437 | ||||
1438 | if (bind(smtplisten, res->ai_addr, res->ai_addrlen) == -1) { | |||
1439 | freeaddrinfo(res); | |||
1440 | err(1, "bind"); | |||
1441 | } | |||
1442 | freeaddrinfo(res); | |||
1443 | ||||
1444 | memset(&lin, 0, sizeof sin); | |||
1445 | lin.sin_len = sizeof(sin); | |||
1446 | lin.sin_addr.s_addr = htonl(INADDR_LOOPBACK)(__uint32_t)(__builtin_constant_p(((u_int32_t)(0x7f000001))) ? (__uint32_t)(((__uint32_t)(((u_int32_t)(0x7f000001))) & 0xff ) << 24 | ((__uint32_t)(((u_int32_t)(0x7f000001))) & 0xff00) << 8 | ((__uint32_t)(((u_int32_t)(0x7f000001)) ) & 0xff0000) >> 8 | ((__uint32_t)(((u_int32_t)(0x7f000001 ))) & 0xff000000) >> 24) : __swap32md(((u_int32_t)( 0x7f000001)))); | |||
1447 | lin.sin_family = AF_INET2; | |||
1448 | lin.sin_port = htons(cfg_port)(__uint16_t)(__builtin_constant_p(cfg_port) ? (__uint16_t)((( __uint16_t)(cfg_port) & 0xffU) << 8 | ((__uint16_t) (cfg_port) & 0xff00U) >> 8) : __swap16md(cfg_port)); | |||
1449 | ||||
1450 | if (bind(conflisten, (struct sockaddr *)&lin, sizeof lin) == -1) | |||
1451 | err(1, "bind local"); | |||
1452 | ||||
1453 | if (debug == 0) { | |||
1454 | if (daemon(1, 1) == -1) | |||
1455 | err(1, "daemon"); | |||
1456 | } | |||
1457 | ||||
1458 | if (greylist) { | |||
1459 | pfdev = open("/dev/pf", O_RDWR0x0002); | |||
1460 | if (pfdev == -1) { | |||
1461 | syslog_r(LOG_ERR3, &sdata, "open /dev/pf: %m"); | |||
1462 | exit(1); | |||
1463 | } | |||
1464 | ||||
1465 | check_spamd_db(); | |||
1466 | ||||
1467 | maxblack = (maxblack >= maxcon) ? maxcon - 100 : maxblack; | |||
1468 | if (maxblack < 0) | |||
1469 | maxblack = 0; | |||
1470 | ||||
1471 | /* open pipe to talk to greylister */ | |||
1472 | if (socketpair(AF_UNIX1, SOCK_DGRAM2, 0, greyback) == -1) { | |||
1473 | syslog(LOG_ERR3, "socketpair (%m)"); | |||
1474 | exit(1); | |||
1475 | } | |||
1476 | if (pipe(greypipe) == -1) { | |||
1477 | syslog(LOG_ERR3, "pipe (%m)"); | |||
1478 | exit(1); | |||
1479 | } | |||
1480 | /* open pipe to receive spamtrap configs */ | |||
1481 | if (pipe(trappipe) == -1) { | |||
1482 | syslog(LOG_ERR3, "pipe (%m)"); | |||
1483 | exit(1); | |||
1484 | } | |||
1485 | jail_pid = fork(); | |||
1486 | switch (jail_pid) { | |||
1487 | case -1: | |||
1488 | syslog(LOG_ERR3, "fork (%m)"); | |||
1489 | exit(1); | |||
1490 | case 0: | |||
1491 | /* child - continue */ | |||
1492 | signal(SIGPIPE13, SIG_IGN(void (*)(int))1); | |||
1493 | grey = fdopen(greypipe[1], "w"); | |||
1494 | if (grey == NULL((void *)0)) { | |||
1495 | syslog(LOG_ERR3, "fdopen (%m)"); | |||
1496 | _exit(1); | |||
1497 | } | |||
1498 | close(greyback[0]); | |||
1499 | close(greypipe[0]); | |||
1500 | trapfd = trappipe[0]; | |||
1501 | trapcfg = fdopen(trappipe[0], "r"); | |||
1502 | if (trapcfg == NULL((void *)0)) { | |||
1503 | syslog(LOG_ERR3, "fdopen (%m)"); | |||
1504 | _exit(1); | |||
1505 | } | |||
1506 | close(trappipe[1]); | |||
1507 | ||||
1508 | if (setgroups(1, &pw->pw_gid) || | |||
1509 | setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) || | |||
1510 | setresuid(pw->pw_uid, pw->pw_uid, pw->pw_uid)) | |||
1511 | err(1, "failed to drop privs"); | |||
1512 | ||||
1513 | goto jail; | |||
1514 | } | |||
1515 | /* parent - run greylister */ | |||
1516 | close(greyback[1]); | |||
1517 | grey = fdopen(greypipe[0], "r"); | |||
1518 | if (grey == NULL((void *)0)) { | |||
1519 | syslog(LOG_ERR3, "fdopen (%m)"); | |||
1520 | exit(1); | |||
1521 | } | |||
1522 | close(greypipe[1]); | |||
1523 | trapcfg = fdopen(trappipe[1], "w"); | |||
1524 | if (trapcfg == NULL((void *)0)) { | |||
1525 | syslog(LOG_ERR3, "fdopen (%m)"); | |||
1526 | exit(1); | |||
1527 | } | |||
1528 | close(trappipe[0]); | |||
1529 | return (greywatcher()); | |||
1530 | } | |||
1531 | ||||
1532 | jail: | |||
1533 | if (pledge("stdio inet", NULL((void *)0)) == -1) | |||
1534 | err(1, "pledge"); | |||
1535 | ||||
1536 | if (listen(smtplisten, 10) == -1) | |||
1537 | err(1, "listen"); | |||
1538 | ||||
1539 | if (listen(conflisten, 10) == -1) | |||
1540 | err(1, "listen"); | |||
1541 | ||||
1542 | if (debug != 0) | |||
1543 | printf("listening for incoming connections.\n"); | |||
1544 | syslog_r(LOG_WARNING4, &sdata, "listening for incoming connections."); | |||
1545 | ||||
1546 | /* We always check for trap and sync events if configured. */ | |||
1547 | if (trapfd != -1) { | |||
1548 | pfd[PFD_TRAPFD4].fd = trapfd; | |||
1549 | pfd[PFD_TRAPFD4].events = POLLIN0x0001; | |||
1550 | } else { | |||
1551 | pfd[PFD_TRAPFD4].fd = -1; | |||
1552 | pfd[PFD_TRAPFD4].events = 0; | |||
1553 | } | |||
1554 | if (syncrecv) { | |||
1555 | pfd[PFD_SYNCFD2].fd = syncfd; | |||
1556 | pfd[PFD_SYNCFD2].events = POLLIN0x0001; | |||
1557 | } else { | |||
1558 | pfd[PFD_SYNCFD2].fd = -1; | |||
1559 | pfd[PFD_SYNCFD2].events = 0; | |||
1560 | } | |||
1561 | if (greylist) { | |||
1562 | pfd[PFD_GREYBACK5].fd = greyback[1]; | |||
1563 | pfd[PFD_GREYBACK5].events = POLLIN0x0001; | |||
1564 | } else { | |||
1565 | pfd[PFD_GREYBACK5].fd = -1; | |||
1566 | pfd[PFD_GREYBACK5].events = 0; | |||
1567 | } | |||
1568 | ||||
1569 | /* events and pfd entries for con[] are filled in below. */ | |||
1570 | pfd[PFD_SMTPLISTEN0].fd = smtplisten; | |||
1571 | pfd[PFD_CONFLISTEN1].fd = conflisten; | |||
1572 | ||||
1573 | while (1) { | |||
1574 | int numcon = 0, n, timeout, writers; | |||
1575 | ||||
1576 | time(&t); | |||
1577 | ||||
1578 | writers = 0; | |||
1579 | for (i = 0; i < maxcon; i++) { | |||
1580 | if (con[i].pfd->fd == -1) | |||
1581 | continue; | |||
1582 | con[i].pfd->events = 0; | |||
1583 | if (con[i].r) { | |||
1584 | if (con[i].r + MAXTIME400 <= t) { | |||
1585 | closecon(&con[i]); | |||
1586 | continue; | |||
1587 | } | |||
1588 | con[i].pfd->events |= POLLIN0x0001; | |||
1589 | } | |||
1590 | if (con[i].w) { | |||
1591 | if (con[i].w + MAXTIME400 <= t) { | |||
1592 | closecon(&con[i]); | |||
1593 | continue; | |||
1594 | } | |||
1595 | if (con[i].w <= t) | |||
1596 | con[i].pfd->events |= POLLOUT0x0004; | |||
1597 | writers = 1; | |||
1598 | } | |||
1599 | if (con[i].tlsaction == SPAMD_TLS_ACT_READ_POLLIN1 || | |||
1600 | con[i].tlsaction == SPAMD_TLS_ACT_WRITE_POLLIN3) | |||
1601 | con[i].pfd->events = POLLIN0x0001; | |||
1602 | if (con[i].tlsaction == SPAMD_TLS_ACT_READ_POLLOUT2 || | |||
1603 | con[i].tlsaction == SPAMD_TLS_ACT_WRITE_POLLOUT4) | |||
1604 | con[i].pfd->events = POLLOUT0x0004; | |||
1605 | if (i + 1 > numcon) | |||
1606 | numcon = i + 1; | |||
1607 | } | |||
1608 | pfd[PFD_SMTPLISTEN0].events = 0; | |||
1609 | pfd[PFD_CONFLISTEN1].events = 0; | |||
1610 | pfd[PFD_CONFFD3].events = 0; | |||
1611 | pfd[PFD_CONFFD3].fd = conffd; | |||
1612 | if (slowdowntill == 0) { | |||
1613 | pfd[PFD_SMTPLISTEN0].events = POLLIN0x0001; | |||
1614 | ||||
1615 | /* only one active config conn at a time */ | |||
1616 | if (conffd == -1) | |||
1617 | pfd[PFD_CONFLISTEN1].events = POLLIN0x0001; | |||
1618 | else | |||
1619 | pfd[PFD_CONFFD3].events = POLLIN0x0001; | |||
1620 | } | |||
1621 | ||||
1622 | /* If we are not listening, wake up at least once a second */ | |||
1623 | if (writers == 0 && slowdowntill == 0) | |||
1624 | timeout = INFTIM(-1); | |||
1625 | else | |||
1626 | timeout = 1000; | |||
1627 | ||||
1628 | n = poll(pfd, PFD_FIRSTCON6 + numcon, timeout); | |||
1629 | if (n == -1) { | |||
1630 | if (errno(*__errno()) != EINTR4) | |||
1631 | err(1, "poll"); | |||
1632 | continue; | |||
1633 | } | |||
1634 | ||||
1635 | /* Check if we can speed up accept() calls */ | |||
1636 | if (slowdowntill && slowdowntill > t) | |||
1637 | slowdowntill = 0; | |||
1638 | ||||
1639 | for (i = 0; i < maxcon; i++) { | |||
1640 | if (con[i].pfd->fd == -1) | |||
1641 | continue; | |||
1642 | if (pfd[PFD_FIRSTCON6 + i].revents & POLLHUP0x0010) { | |||
1643 | closecon(&con[i]); | |||
1644 | continue; | |||
1645 | } | |||
1646 | if (pfd[PFD_FIRSTCON6 + i].revents & POLLIN0x0001) { | |||
1647 | if (con[i].tlsaction == | |||
1648 | SPAMD_TLS_ACT_WRITE_POLLIN3) | |||
1649 | handlew(&con[i], clients + 5 < maxcon); | |||
1650 | else | |||
1651 | handler(&con[i]); | |||
1652 | } | |||
1653 | if (pfd[PFD_FIRSTCON6 + i].revents & POLLOUT0x0004) { | |||
1654 | if (con[i].tlsaction == | |||
1655 | SPAMD_TLS_ACT_READ_POLLOUT2) | |||
1656 | handler(&con[i]); | |||
1657 | else | |||
1658 | handlew(&con[i], clients + 5 < maxcon); | |||
1659 | } | |||
1660 | } | |||
1661 | if (pfd[PFD_SMTPLISTEN0].revents & (POLLIN0x0001|POLLHUP0x0010)) { | |||
1662 | socklen_t sinlen; | |||
1663 | int s2; | |||
1664 | ||||
1665 | sinlen = sizeof(sin); | |||
1666 | s2 = accept4(smtplisten, (struct sockaddr *)&sin, &sinlen, | |||
1667 | SOCK_NONBLOCK0x4000); | |||
1668 | if (s2 == -1) { | |||
1669 | switch (errno(*__errno())) { | |||
1670 | case EINTR4: | |||
1671 | case ECONNABORTED53: | |||
1672 | break; | |||
1673 | case EMFILE24: | |||
1674 | case ENFILE23: | |||
1675 | slowdowntill = time(NULL((void *)0)) + 1; | |||
1676 | break; | |||
1677 | default: | |||
1678 | errx(1, "accept"); | |||
1679 | } | |||
1680 | } else { | |||
1681 | /* Check if we hit the chosen fd limit */ | |||
1682 | for (i = 0; i < maxcon; i++) | |||
1683 | if (con[i].pfd->fd == -1) | |||
1684 | break; | |||
1685 | if (i == maxcon) { | |||
1686 | close(s2); | |||
1687 | slowdowntill = 0; | |||
1688 | } else { | |||
1689 | initcon(&con[i], s2, | |||
1690 | (struct sockaddr *)&sin); | |||
1691 | syslog_r(LOG_INFO6, &sdata, | |||
1692 | "%s: connected (%d/%d)%s%s", | |||
1693 | con[i].addr, clients, blackcount, | |||
1694 | ((con[i].lists == NULL((void *)0)) ? "" : | |||
1695 | ", lists:"), | |||
1696 | ((con[i].lists == NULL((void *)0)) ? "": | |||
1697 | con[i].lists)); | |||
1698 | } | |||
1699 | } | |||
1700 | } | |||
1701 | if (pfd[PFD_CONFLISTEN1].revents & (POLLIN0x0001|POLLHUP0x0010)) { | |||
1702 | socklen_t sinlen; | |||
1703 | ||||
1704 | sinlen = sizeof(lin); | |||
1705 | conffd = accept(conflisten, (struct sockaddr *)&lin, | |||
1706 | &sinlen); | |||
1707 | if (conffd == -1) { | |||
1708 | switch (errno(*__errno())) { | |||
1709 | case EINTR4: | |||
1710 | case ECONNABORTED53: | |||
1711 | break; | |||
1712 | case EMFILE24: | |||
1713 | case ENFILE23: | |||
1714 | slowdowntill = time(NULL((void *)0)) + 1; | |||
1715 | break; | |||
1716 | default: | |||
1717 | errx(1, "accept"); | |||
1718 | } | |||
1719 | } else if (ntohs(lin.sin_port)(__uint16_t)(__builtin_constant_p(lin.sin_port) ? (__uint16_t )(((__uint16_t)(lin.sin_port) & 0xffU) << 8 | ((__uint16_t )(lin.sin_port) & 0xff00U) >> 8) : __swap16md(lin.sin_port )) >= IPPORT_RESERVED1024) { | |||
1720 | close(conffd); | |||
1721 | conffd = -1; | |||
1722 | slowdowntill = 0; | |||
1723 | } | |||
1724 | } else if (pfd[PFD_CONFFD3].revents & (POLLIN0x0001|POLLHUP0x0010)) | |||
1725 | do_config(); | |||
1726 | if (pfd[PFD_TRAPFD4].revents & (POLLIN0x0001|POLLHUP0x0010)) | |||
1727 | read_configline(trapcfg); | |||
1728 | if (pfd[PFD_SYNCFD2].revents & (POLLIN0x0001|POLLHUP0x0010)) | |||
1729 | sync_recv(); | |||
1730 | if (pfd[PFD_GREYBACK5].revents & (POLLIN0x0001|POLLHUP0x0010)) | |||
1731 | blackcheck(greyback[1]); | |||
1732 | } | |||
1733 | exit(1); | |||
1734 | } | |||
1735 | ||||
1736 | void | |||
1737 | blackcheck(int fd) | |||
1738 | { | |||
1739 | struct sockaddr_storage ss; | |||
1740 | ssize_t nread; | |||
1741 | void *ia; | |||
1742 | char ch; | |||
1743 | ||||
1744 | /* Read sockaddr from greylister and look it up in the blacklists. */ | |||
1745 | nread = recv(fd, &ss, sizeof(ss), 0); | |||
1746 | if (nread == -1) { | |||
1747 | syslog(LOG_ERR3, "%s: recv: %m", __func__); | |||
1748 | return; | |||
1749 | } | |||
1750 | if (nread != sizeof(struct sockaddr_in) && | |||
1751 | nread != sizeof(struct sockaddr_in6)) { | |||
1752 | syslog(LOG_ERR3, "%s: invalid size %zd", __func__, nread); | |||
1753 | return; | |||
1754 | } | |||
1755 | if (ss.ss_family == AF_INET2) { | |||
1756 | ia = &((struct sockaddr_in *)&ss)->sin_addr; | |||
1757 | } else if (ss.ss_family == AF_INET624) { | |||
1758 | ia = &((struct sockaddr_in6 *)&ss)->sin6_addr; | |||
1759 | } else { | |||
1760 | syslog(LOG_ERR3, "%s: bad family %d", __func__, ss.ss_family); | |||
1761 | return; | |||
1762 | } | |||
1763 | ch = sdl_check(blacklists, ss.ss_family, ia) ? '1' : '0'; | |||
1764 | ||||
1765 | /* Send '1' for match or '0' for no match. */ | |||
1766 | if (send(fd, &ch, sizeof(ch), 0) == -1) { | |||
1767 | syslog(LOG_ERR3, "%s: send: %m", __func__); | |||
1768 | return; | |||
1769 | } | |||
1770 | } |