5bf688294f
This version extends the log messages to show why a blacklist is matched. It also fixes a few minor bugs.

Added a filter to sendrecv so input containing "\r\n" will be translated into CRLF without being interpreted as a line terminator (so multiple commands can be sent in a single "packet") and input containing "\0" will be translated into NULL bytes so NULL characters don't have to be embedded in the test scripts.

Added support for the RSET command to smtpdummy.

Added a "priority" field to the input file for dnsdummy to force some responses to be sent after others, no matter what order they were received.

Fixed nihdns_mx() to query names for A records using the query types configured for MX queries, not A queries. Thanks to Eric Shubert for reporting this one.

Changed smtp_filter() and middleman() to discard any buffered input after TLS is started. This prevents the injection of commands into a secure session by sending extra input in the same packet as the "STARTTLS" command. Not really a security problem but good practice anyway. Thanks to Eric Shubert for reporting this one.

Fixed a bug in examine_entry() that was cutting off 1-3 characters from the end of target_entry every time it was called.

Changed check_ip_in_rdns_keyword() to return the line number of the matching file as its return value and the name of the matching file in a reference variable.

Added reject_reason and strlen_reject_reason to struct rejection_data to allow the triggered filter to return some text to indicate why it triggered.

Changed set_rejection() to accept new parameters to set reason text within the rejection structure if available.

Changed set_rejection() to accept a new parameter to append to the rejection text if available.

Added reset_rejection() to change either the rejection text or the reason text within an existing rejection_data structure without erasing previously-set values.

Changed nihdns_rbl(), check_dnsrbl() and check_rhsbl() not to accept a format string or build part of the rejection message. That job belongs to the caller(s).

Changed filter_rdns_blacklist(), filter_rdns_blacklist_file(), filter_rdns_blacklist_dir(), filter_ip_blacklist(), filter_ip_in_rdns_blacklist(), filter_dns_rbl(), filter_dns_rhsbl(), filter_sender_blacklist(), filter_sender_rhsbl() and filter_recipient_blacklist() to save the reason for their rejection in the reject_reason variable in rejection_data.

Changed the log messages showing ALLOWED/DENIED to always output the "reason:" field and fill it with the text returned by the triggered filter so the sysadmin can figure out what happened, or "(empty)" if no text was saved. Thanks to Eric Shubert for suggesting this one.

Changed the way DNS timeout values are read from the configuration file, the command line, /etc/resolv.conf and the environment so that values given in the config file or on the command line are not overridden by values in /etc/resolv.conf or the environment. Thanks to Teodor Milkov for reporting this one.

Changed the reject-empty-rdns filter, the IP-related black/whitelist filters and the IP-related RBL filters to skip their tests if the incoming IP address is 0.0.0.0. This is for connections from IPv6 hosts -- those filters can be skipped until full IPv6 support can be added. Thanks to Daniel Anliker for suggesting this.

Changed the way the flag FILTER_DECISION_TRANSIENT_DO_NOT_FILTER is handled by smtp_filter() and middleman() so a transient non-rejection (e.g. a recipient whitelist) isn't held over to later recipients. The interaction between the recipient whitelist and the graylist filter was fixed in version 4.0.0 but an issue still remained between recipient whitelists and other non-transient rejections like the missing rDNS filter. Thanks to bischowski for reporting this one.

Changed smtpdummy to use memchr() instead of strchr() so testing input with NULL bytes will work correctly.
Files changed:
patch-aa
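The STARTTLS item above (discarding buffered input once TLS is started) is the one change in this commit with a security angle, so here is an added example that shows the failure mode and the fix side by side. This is illustrative code written for this page, not spamdyke's smtp_filter() or middleman(); the connection struct, the line reader, the simulated handshake and the sample packet are all constructed here. A client pipelines "STARTTLS" and a "MAIL FROM" in one plaintext packet; the old behaviour keeps the leftover bytes and processes them after the handshake as though they had arrived over the encrypted channel, while the fixed behaviour empties the buffer when TLS starts.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAXBUF 4096

/* Constructed connection state for the example (not spamdyke's own struct). */
struct conn {
    char inbuf[MAXBUF];
    size_t inlen;       /* bytes received but not yet consumed */
    int tls_active;
};

/* Append bytes that arrived in one packet to the receive buffer. */
static void conn_recv(struct conn *c, const char *data, size_t n) {
    if (n > MAXBUF - c->inlen) n = MAXBUF - c->inlen;
    memcpy(c->inbuf + c->inlen, data, n);
    c->inlen += n;
}

/* Pull the next line out of the buffer, stripping CR/LF.
   Returns the line length, or -1 if no complete line is buffered.
   memchr() rather than strchr() so embedded NUL bytes don't stop the scan. */
static int conn_next_line(struct conn *c, char *line, size_t linesz) {
    char *eol = memchr(c->inbuf, '\n', c->inlen);
    if (eol == NULL) return -1;
    size_t n = (size_t)(eol - c->inbuf) + 1;   /* bytes consumed incl. '\n' */
    size_t copy = n;
    while (copy > 0 && (c->inbuf[copy - 1] == '\n' || c->inbuf[copy - 1] == '\r')) copy--;
    if (copy >= linesz) copy = linesz - 1;
    memcpy(line, c->inbuf, copy);
    line[copy] = '\0';
    memmove(c->inbuf, c->inbuf + n, c->inlen - n);
    c->inlen -= n;
    return (int)copy;
}

/* Simulated TLS handshake. discard_buffered selects old (0) vs fixed (1) behaviour. */
static void start_tls(struct conn *c, int discard_buffered) {
    c->tls_active = 1;
    if (discard_buffered)
        c->inlen = 0;   /* the fix: plaintext that rode along with STARTTLS is dropped */
}

/* Feed one client packet through the session logic. Returns how many commands
   were accepted while TLS was active and writes them, ';'-joined, to `accepted`.
   In a real server those commands would be trusted as having come over TLS. */
int run_session(const char *packet, int discard_buffered, char *accepted, size_t accsz) {
    struct conn c;
    char line[512];
    int n_tls_cmds = 0;

    memset(&c, 0, sizeof c);
    accepted[0] = '\0';
    conn_recv(&c, packet, strlen(packet));

    while (conn_next_line(&c, line, sizeof line) >= 0) {
        if (!c.tls_active && strcasecmp(line, "STARTTLS") == 0) {
            start_tls(&c, discard_buffered);
            continue;
        }
        if (c.tls_active) {
            if (accepted[0] != '\0')
                strncat(accepted, ";", accsz - strlen(accepted) - 1);
            strncat(accepted, line, accsz - strlen(accepted) - 1);
            n_tls_cmds++;
        }
    }
    return n_tls_cmds;
}

int main(void) {
    /* Constructed sample packet: STARTTLS and a command pipelined in one send(). */
    const char *packet = "STARTTLS\r\nMAIL FROM:<attacker@example.test>\r\n";
    char accepted[256];

    int old = run_session(packet, 0, accepted, sizeof accepted);
    printf("old behaviour: %d command(s) accepted after TLS: %s\n", old, accepted);

    int fixed = run_session(packet, 1, accepted, sizeof accepted);
    printf("fixed behaviour: %d command(s) accepted after TLS\n", fixed);
    return 0;
}
```

The point of the fix is the single assignment in start_tls(): anything still in the plaintext receive buffer at the moment the handshake begins was never protected by TLS, so the only safe thing to do with it is throw it away and read the next command from the TLS layer.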