diff -Naur policyd-v1.73/DATABASE.mysql policyd-v1.73-mp/DATABASE.mysql --- policyd-v1.73/DATABASE.mysql 2006-03-15 07:02:14.000000000 +0100 +++ policyd-v1.73-mp/DATABASE.mysql 2006-05-29 09:29:16.000000000 +0200 @@ -74,6 +74,7 @@ _whitelist char(15) NOT NULL default '', _description char(60) NOT NULL default '', _expire int(10) unsigned NOT NULL default '0', + _scope smallint unsigned NOT NULL default 0xffff, UNIQUE KEY _whitelist (_whitelist), KEY _expire (_expire) ) TYPE=MyISAM; @@ -82,6 +83,7 @@ _whitelist char(60) NOT NULL default '', _description char(60) NOT NULL default '', _expire int(10) unsigned NOT NULL default '0', + _scope smallint unsigned NOT NULL default 0xffff, UNIQUE KEY _whitelist (_whitelist), KEY _expire (_expire) ) TYPE=MyISAM; @@ -90,6 +92,7 @@ _whitelist char(60) NOT NULL default '', _description char(60) NOT NULL default '', _expire int(10) unsigned NOT NULL default '0', + _scope smallint unsigned NOT NULL default 0xffff, UNIQUE KEY _whitelist (_whitelist), KEY _expire (_expire) ) TYPE=MyISAM; diff -Naur policyd-v1.73/generic.c policyd-v1.73-mp/generic.c --- policyd-v1.73/generic.c 2006-03-15 07:02:14.000000000 +0100 +++ policyd-v1.73-mp/generic.c 2006-05-29 09:34:41.000000000 +0200 @@ -224,6 +224,13 @@ AUTO_WHITE_LISTING=atol(extract_array[0]); } + /* AUTO_WHITE_LISTING SCOPE */ + if(strncmp(confbuf, "AUTO_WHITE_LISTING_SCOPE=", 25) == 0) + { + extract(0, confbuf, 24); + AUTO_WHITE_LISTING_SCOPE=strtol(extract_array[0], NULL, 16); + } + /* SPAMTRAP_AUTO_EXPIRE */ if(strncmp(confbuf, "SPAMTRAP_AUTO_EXPIRE=", 21) == 0) { @@ -336,6 +343,13 @@ WHITELISTNULL=atol(extract_array[0]); } + /* WHITELIST NULL SENDER SCOPE */ + if(strncmp(confbuf, "WHITELISTNULL_SCOPE=", 20) == 0) + { + extract(0, confbuf, 19); + WHITELISTNULL_SCOPE=strtol(extract_array[0], NULL, 16); + } + /* WHITELIST SENDER */ if(strncmp(confbuf, "WHITELISTSENDER=", 16) == 0) { @@ -692,9 +706,11 @@ logmessage(" ---- WHITELISTING ----\n"); logmessage("config: whitelisting> %d\n", WHITELISTING); logmessage("config: whitelistnullsender> %d\n", WHITELISTNULL); + logmessage("config: whitelistnullsender_scope> %x\n", WHITELISTNULL_SCOPE); logmessage("config: whitelistsender> %d\n", WHITELISTSENDER); logmessage("config: whitelistdnsname> %d\n", WHITELISTDNSNAME); logmessage("config: autowhitelisting> %d\n", AUTO_WHITE_LISTING); + logmessage("config: autowhitelisting_scope> %x\n", AUTO_WHITE_LISTING_SCOPE); logmessage("config: autowhitelist_number> %d\n", AUTO_WHITELIST_NUMBER); logmessage("config: autowhitelist_netblock> %d\n", AUTO_WHITELIST_NETBLOCK); logmessage("config: autowhitelist_expire> %d\n\n", AUTO_WHITELIST_EXPIRE); @@ -1145,7 +1161,7 @@ { /* dump greylisting information into mail? */ - if((GREYLISTING==1) && (GREYLIST_X_HEADER==1)) + if((GREYLISTING==1) && (GREYLIST_X_HEADER==1) && !CHECK_GREYLIST(whitelist_array[fd])) { /* whitelisted */ diff -Naur policyd-v1.73/greylist.c policyd-v1.73-mp/greylist.c --- policyd-v1.73/greylist.c 2006-03-15 07:02:14.000000000 +0100 +++ policyd-v1.73-mp/greylist.c 2006-05-29 09:29:16.000000000 +0200 @@ -249,13 +249,13 @@ { /* build up & execute query */ snprintf(mysqlquery_array[fd], 512, - "INSERT INTO whitelist (_whitelist,_description,_expire) VALUES ('%s.%%','# autowhitelisted host',%d)", - triplet_array[fd][0], expire); + "INSERT INTO whitelist (_whitelist,_description,_expire,_scope) VALUES ('%s.%%','# autowhitelisted host',%d,%d)", + triplet_array[fd][0], expire, AUTO_WHITE_LISTING_SCOPE); } else { /* build up & execute query */ snprintf(mysqlquery_array[fd], 512, - "INSERT INTO whitelist (_whitelist,_description,_expire) VALUES ('%s','# autowhitelisted host',%d)", - host_array[fd][2], expire); + "INSERT INTO whitelist (_whitelist,_description,_expire,_scope) VALUES ('%s','# autowhitelisted host',%d,%d)", + host_array[fd][2], expire, AUTO_WHITE_LISTING_SCOPE); } if(db_doquery(fd) == -1) return(db_failure(fd, "greylist")); @@ -271,7 +271,8 @@ triplet_array[fd][1], /* sender */ triplet_array[fd][2], /* recipient */ triplet_array[fd][3], /* size */ - expire); /* expiry date */ + expire, /* expiry date */ + AUTO_WHITE_LISTING_SCOPE); /* whitelisting scope */ return(0); } diff -Naur policyd-v1.73/policyd.c policyd-v1.73-mp/policyd.c --- policyd-v1.73/policyd.c 2006-03-15 07:02:14.000000000 +0100 +++ policyd-v1.73-mp/policyd.c 2006-05-29 09:31:03.000000000 +0200 @@ -303,7 +303,7 @@ /* * future modules go here: (order matters) - * + * * [X]: whitelisting * [X]: whitelisting(sender/domain) * [X]: whitelisting(dnsname) @@ -317,18 +317,18 @@ * [X]: recipient throttling * */ - + + /* reset the whitelist scope */ + whitelist_array[fd] = SCOPE_NONE; /* whitelist */ if(WHITELISTING==1) { /* check if whitelisted */ - action_array[fd]=whitelist_check(fd); - if(action_array[fd] == 1) /* whitelisted */ + whitelist_array[fd] |= whitelist_check(fd); + if(whitelist_array[fd] == SCOPE_ALL) /* fully whitelisted */ return(policy_reply(fd, 0)); - - /* handle database failure */ - if(action_array[fd] == -20) + else if(whitelist_array[fd] == -20) /* handle database failure */ return (1); } @@ -336,12 +336,10 @@ if(WHITELISTSENDER==1) { /* check if sender/domain is whitelisted */ - action_array[fd]=whitelist_sender_check(fd); - if(action_array[fd] == 1) /* whitelisted */ + whitelist_array[fd] |= whitelist_sender_check(fd); + if(whitelist_array[fd] == SCOPE_ALL) /* fully whitelisted */ return(policy_reply(fd, 0)); - - /* handle database failure */ - if(action_array[fd] == -20) + else if(whitelist_array[fd] == -20) /* handle database failure */ return (1); } @@ -349,17 +347,15 @@ if(WHITELISTDNSNAME==1) { /* check if sender/domain is whitelisted */ - action_array[fd]=whitelist_dnsname_check(fd); - if(action_array[fd] == 1) /* whitelisted */ + whitelist_array[fd] |= whitelist_dnsname_check(fd); + if(whitelist_array[fd] == SCOPE_ALL) /* fully whitelisted */ return(policy_reply(fd, 0)); - - /* handle database failure */ - if(action_array[fd] == -20) + else if(whitelist_array[fd] == -20) /* handle database failure */ return (1); } /* blacklist */ - if(BLACKLISTING==1) + if(BLACKLISTING==1 && CHECK_BLACKLIST(whitelist_array[fd])) { /* check if blacklisted */ action_array[fd]=blacklist_check(fd); @@ -372,7 +368,7 @@ } /* blacklist helo */ - if(BLACKLIST_HELO==1) + if(BLACKLIST_HELO==1 && CHECK_BLACKLIST_HELO(whitelist_array[fd])) { /* check if helo is blacklisted */ action_array[fd]=blacklist_helo_check(fd); @@ -385,7 +381,7 @@ } /* blacklist sender/domain */ - if(BLACKLISTSENDER==1) + if(BLACKLISTSENDER==1 && CHECK_BLACKLIST_SENDER(whitelist_array[fd])) { /* check if sender/domain is blacklisted */ action_array[fd]=blacklist_sender_check(fd); @@ -398,7 +394,7 @@ } /* blacklist dnsname */ - if(BLACKLISTDNSNAME==1) + if(BLACKLISTDNSNAME==1 && CHECK_BLACKLIST_DNSNAME(whitelist_array[fd])) { /* check if sender/domain is blacklisted */ action_array[fd]=blacklist_dnsname_check(fd); @@ -411,7 +407,7 @@ } /* spamtrap */ - if(SPAMTRAPPING==1) + if(SPAMTRAPPING==1 && CHECK_SPAMTRAP(whitelist_array[fd])) { /* check if spamtrap */ action_array[fd]=spamtrap_check(fd); @@ -424,7 +420,7 @@ } /* helo check */ - if(HELO_CHECK==1) + if(HELO_CHECK==1 && CHECK_HELO(whitelist_array[fd])) { /* check if helo is blacklisted */ action_array[fd]=helo_check(fd); @@ -437,7 +433,7 @@ } /* greylisting */ - if(GREYLISTING==1) + if(GREYLISTING==1 && CHECK_GREYLIST(whitelist_array[fd])) { /* check if greylisted */ action_array[fd]=greylist_check(fd); @@ -455,7 +451,7 @@ } /* sender throttling */ - if(SENDERTHROTTLE==1) + if(SENDERTHROTTLE==1 && CHECK_THROTTLE_SENDER(whitelist_array[fd])) { /* check if sender is throttled */ action_array[fd]=throttle_check(fd); @@ -476,7 +472,7 @@ } /* recipient throttling */ - if(RECIPIENTTHROTTLE==1) + if(RECIPIENTTHROTTLE==1 && CHECK_THROTTLE_RECIPIENT(whitelist_array[fd])) { /* check if recipient is throttled */ action_array[fd]=throttle_rcpt(fd); diff -Naur policyd-v1.73/policyd.conf policyd-v1.73-mp/policyd.conf --- policyd-v1.73/policyd.conf 2006-03-15 07:02:14.000000000 +0100 +++ policyd-v1.73-mp/policyd.conf 2006-05-29 09:29:16.000000000 +0200 @@ -160,6 +160,37 @@ ##################################################################### # WHITELISTING (functional) # ##################################################################### + +# whitelist scope: +# +# the whitelist scope is defined as binary OR of following values: +# +# NONE 0x0 +# BLACKLISTING 0x1 +# BLACKLIST_HELO 0x2 +# BLACKLISTSENDER 0x4 +# BLACKLISTDNSNAME 0x8 +# SPAMTRAPPING 0x10 +# GREYLISTING 0x20 +# HELO_CHECK 0x40 +# SENDERTHROTTLE 0x80 +# RECIPIENTTHROTTLE 0x100 +# ALL 0xFFFF +# +# for example: +# +# 1.) to set the scope of the whitelist entry to skip all +# other testing modules, set the scope to 0xFFFF (i.e. full +# whitelisting) +# +# 2.) to set the scope of the whitelist just to the BLACKLISTING, +# BLACKLISTDNSNAME, GREYLIST and HELO, set the scope to 0x69: +# +# BLACKLISTING|BLACKLISTDNSNAME|GREYLISTING|HELO_CHECK = +# 0x1|0x8|0x20|0x40 = +# 0x69 +# + # # whitelisting: default: on # @@ -179,6 +210,14 @@ WHITELISTNULL=0 # +# whitelist null sender scope: default: 0xFFFF +# +# set the whitelist scope for the null sender. by default skip +# all modules +# +WHITELISTNULL_SCOPE=0xFFFF + +# # whitelist sender address/domain # # this allows you to do whitelisting based on envelope sender @@ -214,6 +253,14 @@ AUTO_WHITE_LISTING=0 # +# automatic whitelist scope: default: 0x20 +# +# set the whitelist scope for the automaticaly whitelisted remote +# networks. by default skip just the greylist module +# +AUTO_WHITE_LISTING_SCOPE=0x20 + +# # auto whitelist number: default: 500 # # how many succesfull triplets does it require before a diff -Naur policyd-v1.73/policyd.h policyd-v1.73-mp/policyd.h --- policyd-v1.73/policyd.h 2006-03-15 07:02:14.000000000 +0100 +++ policyd-v1.73-mp/policyd.h 2006-05-29 09:31:43.000000000 +0200 @@ -75,6 +75,31 @@ #define POSTFIX_BLACKLIST_TEMP "action=defer_if_permit Policy Rejection:" #define POSTFIX_MODULE_FAILURE "action=defer_if_permit Policy Rejection: Invalid data\n\n" +/* whitelist scope */ +#define SCOPE_NONE 0x0 +#define SCOPE_BLACKLIST 0x1 +#define SCOPE_BLACKLIST_HELO 0x2 +#define SCOPE_BLACKLIST_SENDER 0x4 +#define SCOPE_BLACKLIST_DNSNAME 0x8 +#define SCOPE_SPAMTRAP 0x10 +#define SCOPE_GREYLIST 0x20 +#define SCOPE_HELO 0x40 +#define SCOPE_THROTTLE_SENDER 0x80 +#define SCOPE_THROTTLE_RECIPIENT 0x100 +#define SCOPE_ALL 0xFFFF + +/* whitelist scope macros */ +#define _CHECK(scope, mask) ( (scope & mask)?0:1 ) +#define CHECK_BLACKLIST(scope) ( _CHECK(scope, SCOPE_BLACKLIST) ) +#define CHECK_BLACKLIST_HELO(scope) ( _CHECK(scope, SCOPE_BLACKLIST_HELO) ) +#define CHECK_BLACKLIST_SENDER(scope) ( _CHECK(scope, SCOPE_BLACKLIST_SENDER) ) +#define CHECK_BLACKLIST_DNSNAME(scope) ( _CHECK(scope, SCOPE_BLACKLIST_DNSNAME) ) +#define CHECK_SPAMTRAP(scope) ( _CHECK(scope, SCOPE_SPAMTRAP) ) +#define CHECK_GREYLIST(scope) ( _CHECK(scope, SCOPE_GREYLIST) ) +#define CHECK_HELO(scope) ( _CHECK(scope, SCOPE_HELO) ) +#define CHECK_THROTTLE_SENDER(scope) ( _CHECK(scope, SCOPE_THROTTLE_SENDER) ) +#define CHECK_THROTTLE_RECIPIENT(scope) ( _CHECK(scope, SCOPE_THROTTLE_RECIPIENT) ) + /* MySQL VARIABLES */ char *MYSQLHOST; @@ -98,6 +123,7 @@ int TRAINING_MODE; int TRAINING_POLICY_TIMEOUT; int AUTO_WHITE_LISTING; + int AUTO_WHITE_LISTING_SCOPE; int AUTO_WHITELIST_NUMBER; int AUTO_BLACKLIST_NUMBER; int AUTO_WHITELIST_EXPIRE; @@ -106,6 +132,7 @@ int SPAMTRAP_AUTO_EXPIRE; int WHITELISTING; int WHITELISTNULL; + int WHITELISTNULL_SCOPE; int WHITELISTSENDER; int WHITELISTDNSNAME; int BLACKLIST_TEMP_REJECT; @@ -189,6 +216,7 @@ unsigned int timenow; FILE *fd_config, *pidfile; int action_array[MAXFDS]; + int whitelist_array[MAXFDS]; char confbuf[256]; char buf[MAXFDS][MAXLINE]; diff -Naur policyd-v1.73/whitelist.c policyd-v1.73-mp/whitelist.c --- policyd-v1.73/whitelist.c 2006-03-15 07:02:14.000000000 +0100 +++ policyd-v1.73-mp/whitelist.c 2006-05-29 09:29:16.000000000 +0200 @@ -33,56 +33,64 @@ /* * function: whitelist_check * purpose: check if the connecting host is whitelisted - * return: 1=yes, 0=no + * return: whitelist scope */ int whitelist_check (unsigned int fd) { - + /* reset values */ + mysql_array[fd][0] = 0; /* number of matching records */ + mysql_array[fd][1] = SCOPE_NONE; /* whitelist scope mask */ + if(DEBUG > 0) logmessage("DEBUG: fd: %d checking whitelist\n", fd); /* whitelist null senders */ - if((WHITELISTNULL == 1) && (strlen(triplet_array[fd][1]) == 2)) - mysql_optarray[fd][0] = 1; - - else { - - /* reset value */ - mysql_optarray[fd][0] = 0; - + if((WHITELISTNULL == 1) && (strlen(triplet_array[fd][1]) == 2)) { + mysql_array[fd][0] = 1; + mysql_array[fd][1] = WHITELISTNULL_SCOPE; + } else { /* build up & execute query */ snprintf(mysqlquery_array[fd], 512, - "SELECT COUNT(*) FROM whitelist WHERE _whitelist='%s' OR _whitelist='%s' OR _whitelist='%s' OR _whitelist='%s'", + "SELECT" + " COUNT(*), BIT_OR(_scope)" + " FROM" + " whitelist" + " WHERE" + " _whitelist='%s' OR _whitelist='%s' OR _whitelist='%s' OR _whitelist='%s'", host_array[fd][2], host_array[fd][3], host_array[fd][4], host_array[fd][5]); - if(db_optquery(fd) == -1) return(db_failure(fd, "whitelist")); + if(db_doquery(fd) == -1) return(db_failure(fd, "whitelist")); + } /* whitelisted */ - if(mysql_optarray[fd][0] >= 1) + if(mysql_array[fd][0] >= 1) { if(DEBUG > 0) { - logmessage("DEBUG: fd: %d whitelist found: %s\n", fd, host_array[fd][2]); - logmessage("DEBUG: fd: %d bypassing other modules\n", fd); + logmessage("DEBUG: fd: %d whitelist found: %s (scope %x)\n", + fd, + host_array[fd][2], + mysql_array[fd][1]); } - logmessage("rcpt=%lu, type=whitelist, host=%s (%s), from=%s, to=%s, size=%s\n", + logmessage("rcpt=%lu, type=whitelist, host=%s (%s), from=%s, to=%s, size=%s, scope=%x\n", rcpt_count, /* recipient count */ host_array[fd][2], /* ip address */ host_array[fd][0], /* hostname */ triplet_array[fd][1], /* from address */ triplet_array[fd][2], /* recipient address */ - triplet_array[fd][3]); /* mail size */ + triplet_array[fd][3], /* mail size */ + mysql_array[fd][1]); /* whitelist scope */ - return (1); /* found */ + return (mysql_array[fd][1]); /* found */ } if(DEBUG > 0) logmessage("DEBUG: fd: %d whitelist not found: %s\n", fd, host_array[fd][2]); - return (0); /* not found */ + return (SCOPE_NONE); /* not found */ } @@ -90,49 +98,57 @@ /* * function: whitelist_sender_check * purpose: check if the sender address/domain host is whitelisted - * return: 1=yes, 0=no + * return: whitelist scope */ int whitelist_sender_check (unsigned int fd) { + /* reset values */ + mysql_array[fd][0] = 0; /* number of matching records */ + mysql_array[fd][1] = SCOPE_NONE; /* whitelist scope mask */ if(DEBUG > 0) logmessage("DEBUG: fd: %d checking whitelist sender/domain\n", fd); - /* reset value */ - mysql_optarray[fd][0] = 0; - /* build up & execute query */ snprintf(mysqlquery_array[fd], 512, - "SELECT COUNT(*) FROM whitelist_sender WHERE _whitelist='@%s' OR _whitelist='%s'", + "SELECT" + " COUNT(*), BIT_OR(_scope)" + " FROM" + " whitelist_sender" + " WHERE" + " _whitelist='@%s' OR _whitelist='%s'", host_array[fd][7], triplet_array[fd][1]); - if(db_optquery(fd) == -1) return(db_failure(fd, "whitelist_sender")); + if(db_doquery(fd) == -1) return(db_failure(fd, "whitelist_sender")); /* whitelisted */ - if(mysql_optarray[fd][0] >= 1) + if(mysql_array[fd][0] >= 1) { if(DEBUG > 0) { - logmessage("DEBUG: fd: %d whitelist sender found: %s/%s\n", fd, - host_array[fd][7], triplet_array[fd][1]); - logmessage("DEBUG: fd: %d bypassing other modules\n", fd); + logmessage("DEBUG: fd: %d whitelist sender found: %s/%s (scope %x)\n", + fd, + host_array[fd][7], + triplet_array[fd][1], + mysql_array[fd][1]); } - logmessage("rcpt=%lu, type=whitelist_sender, host=%s (%s), from=%s, to=%s, size=%s\n", + logmessage("rcpt=%lu, type=whitelist_sender, host=%s (%s), from=%s, to=%s, size=%s, scope=%x\n", rcpt_count, /* recipient count */ host_array[fd][2], /* ip address */ host_array[fd][0], /* hostname */ triplet_array[fd][1], /* from address */ triplet_array[fd][2], /* recipient address */ - triplet_array[fd][3]); /* mail size */ + triplet_array[fd][3], /* mail size */ + mysql_array[fd][1]); /* whitelist scope */ - return (1); /* found */ + return (mysql_array[fd][1]); /* found */ } if(DEBUG > 0) logmessage("DEBUG: fd: %d whitelist_sender not found: %s\n", fd, host_array[fd][2]); - return (0); /* not found */ + return (SCOPE_NONE); /* not found */ } @@ -140,11 +156,14 @@ /* * function: whitelist_dnsname_check * purpose: check if the dns sender address/domain host is whitelisted - * return: 1=yes, 0=no + * return: whitelist scope */ int whitelist_dnsname_check (unsigned int fd) { + /* reset values */ + mysql_array[fd][0] = 0; /* number of matching records */ + mysql_array[fd][1] = SCOPE_NONE; /* whitelist scope mask */ if(DEBUG > 0) logmessage("DEBUG: fd: %d checking whitelist dnsname\n", fd); @@ -153,34 +172,38 @@ if(strcmp(host_array[fd][0], "unknown") == 0) goto end; - /* reset value */ - mysql_optarray[fd][0] = 0; - /* build up & execute query */ snprintf(mysqlquery_array[fd], 512, - "SELECT COUNT(*) FROM whitelist_dnsname WHERE '%s' LIKE _whitelist", + "SELECT" + " COUNT(*), BIT_OR(_scope)" + " FROM" + " whitelist_dnsname" + " WHERE '%s' LIKE _whitelist", host_array[fd][0]); - if(db_optquery(fd) == -1) return(db_failure(fd, "whitelist_dnsname")); + if(db_doquery(fd) == -1) return(db_failure(fd, "whitelist_dnsname")); /* whitelisted */ - if(mysql_optarray[fd][0] >= 1) + if(mysql_array[fd][0] >= 1) { if(DEBUG > 0) { - logmessage("DEBUG: fd: %d whitelist dnsname found: %s/%s\n", fd, - host_array[fd][7], triplet_array[fd][1]); - logmessage("DEBUG: fd: %d bypassing other modules\n", fd); + logmessage("DEBUG: fd: %d whitelist dnsname found: %s/%s (scope %x)\n", + fd, + host_array[fd][7], + triplet_array[fd][1], + mysql_array[fd][1]); } - logmessage("rcpt=%lu, type=whitelist_dnsname, host=%s (%s), from=%s, to=%s, size=%s\n", + logmessage("rcpt=%lu, type=whitelist_dnsname, host=%s (%s), from=%s, to=%s, size=%s, scope=%x\n", rcpt_count, /* recipient count */ host_array[fd][2], /* ip address */ host_array[fd][0], /* hostname */ triplet_array[fd][1], /* from address */ triplet_array[fd][2], /* recipient address */ - triplet_array[fd][3]); /* mail size */ + triplet_array[fd][3], /* mail size */ + mysql_array[fd][1]); /* whitelist scope */ - return (1); /* found */ + return (mysql_array[fd][1]); /* found */ } end: @@ -188,7 +211,7 @@ if(DEBUG > 0) logmessage("DEBUG: fd: %d whitelist_sender not found: %s\n", fd, host_array[fd][2]); - return (0); /* not found */ + return (SCOPE_NONE); /* not found */ } /* EOF */