[exim-cvs] Close server smtp socket explicitly on connect AC…

Autor: Exim Git Commits Mailing List
Data:  
Para: exim-cvs
Asunto: [exim-cvs] Close server smtp socket explicitly on connect ACL "drop"
Gitweb: https://git.exim.org/exim.git/commitdiff/57d70161718e02927a22d6a3481803b72035ac46
Commit:     57d70161718e02927a22d6a3481803b72035ac46
Parent:     5281dce92f37ab268bfa781e384d64dc5947203f
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Sat Dec 31 13:37:17 2022 +0000
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Sat Dec 31 17:14:58 2022 +0000


    Close server smtp socket explicitly on connect ACL "drop"
---
 src/src/smtp_in.c            | 13 ++++++++++
 test/confs/0022              |  2 ++
 test/log/0022                |  2 ++
 test/rejectlog/0022          |  3 +++
 test/scripts/0000-Basic/0022 | 13 ++++++++++
 test/stderr/0022             | 60 ++++++++++++++++++++++----------------------
 test/stdout/0022             |  6 +++++
 7 files changed, 69 insertions(+), 30 deletions(-)


diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index 1cfcc0404..6880e3c09 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -3565,6 +3565,19 @@ problem, because we get here only if some other ACL has issued "drop", and
in that case, *its* custom messages will have been used above. */

smtp_notquit_exit(US"acl-drop", NULL, NULL);
+
+/* An overenthusiastic fail2ban/iptables implimentation has been seen to result
+in the TCP conn staying open, and retrying, despite this process exiting. A
+malicious client could possibly do the same, tying up server netowrking
+resources. Close the socket explicitly to try to avoid that (there's a note in
+the Linux socket(7) manpage, SO_LINGER para, to the effect that exim() without
+close() results in the socket always lingering). */
+
+(void) poll_one_fd(fileno(smtp_in), POLLIN, 200);
+DEBUG(D_any) debug_printf_indent("SMTP(close)>>\n");
+(void) fclose(smtp_in);
+(void) fclose(smtp_out);
+
return 2;
}

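Review bot: The new rationale comment reads `exim() without close()`, but the socket(7) SO_LINGER note it cites is about `exit()` without `close()`; that, together with `implimentation` and `netowrking`, should be corrected so the reason for the explicit close is accurate, e.g. `... to the effect that exit() without close() results in the socket always lingering)`. The two `fclose()` results are discarded, and the output stream is closed after the input stream; if `smtp_in` and `smtp_out` are separate FILE*s over one descriptor rather than a dup, closing the write side first (`(void) fclose(smtp_out); (void) fclose(smtp_in);`) keeps any still-buffered reply from being lost, which is not determinable from this hunk. The 200 ms `poll_one_fd()` on the input fd is presumably a grace period so the client can read the 550 before the close, but it is also a fixed per-connection delay that any dropped peer now incurs; the comment should say what the wait is for and that its result is deliberately ignored. The enclosing function begins before this hunk.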
diff --git a/test/confs/0022 b/test/confs/0022
index cb41aa422..e3fadf3e6 100644
--- a/test/confs/0022
+++ b/test/confs/0022
@@ -1,6 +1,7 @@
# Exim test configuration 0022

SERVER=
+CONTROL=

.include DIR/aux-var/std_conf_prefix

@@ -10,6 +11,7 @@ primary_hostname = myhost.test.ex

hostlist some_hosts = net-lsearch;DIR/aux-var/TESTNUM.hosts

+CONTROL
acl_smtp_rcpt = $local_part
log_selector = +smtp_connection
hosts_connection_nolog = : 127.0.0.1
diff --git a/test/log/0022 b/test/log/0022
index fd7018bc8..0a0187748 100644
--- a/test/log/0022
+++ b/test/log/0022
@@ -19,3 +19,5 @@
1999-03-02 09:44:33 10HmbD-0005vi-00 <= x@y H=(test) [127.0.0.1] P=smtp S=sss
1999-03-02 09:44:33 10HmbD-0005vi-00 no immediate delivery: queued by ACL
1999-03-02 09:44:33 10HmbE-0005vi-00 <= x@y H=(test) [127.0.0.1] P=smtp S=sss
+1999-03-02 09:44:33 exim x.yz daemon started: pid=p1235, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 H=[127.0.0.1] rejected connection in "connect" ACL: 550 client disliked
diff --git a/test/rejectlog/0022 b/test/rejectlog/0022
new file mode 100644
index 000000000..68e21fff3
--- /dev/null
+++ b/test/rejectlog/0022
@@ -0,0 +1,3 @@
+
+******** SERVER ********
+1999-03-02 09:44:33 H=[127.0.0.1] rejected connection in "connect" ACL: 550 client disliked
diff --git a/test/scripts/0000-Basic/0022 b/test/scripts/0000-Basic/0022
index 9c7837304..3db869992 100644
--- a/test/scripts/0000-Basic/0022
+++ b/test/scripts/0000-Basic/0022
@@ -166,4 +166,17 @@ quit
killdaemon
exim -bp
****
+sudo rm DIR/spool/input/*
+#
+#
+#
+#
+exim -DSERVER=server -DCONTROL='acl_smtp_connect=drop message=550 client disliked' -odq -bd -oX PORT_D
+****
+client 127.0.0.1 PORT_D
+??? 550 client disliked
+???*
+****
+killdaemon
+#
no_msglog_check
diff --git a/test/stderr/0022 b/test/stderr/0022
index 536e4278b..e988c467e 100644
--- a/test/stderr/0022
+++ b/test/stderr/0022
@@ -1,10 +1,10 @@
Exim version x.yz ....
changed uid/gid: forcing real = effective
- uid=uuuu gid=CALLER_GID pid=p1235
+ uid=uuuu gid=CALLER_GID pid=p1236
configuration file is TESTSUITE/test-config
admin user
changed uid/gid: privilege not needed
- uid=EXIM_UID gid=EXIM_GID pid=p1235
+ uid=EXIM_UID gid=EXIM_GID pid=p1236
seeking password data for user "CALLER": cache not available
getpwnam() succeeded uid=CALLER_UID gid=CALLER_GID
originator: uid=CALLER_UID gid=CALLER_GID login=CALLER name=CALLER_NAME
@@ -42,9 +42,9 @@ log directory space = nnnnnK inodes = nnnnn check_space = 10240K inodes = 100
SMTP>> 250 OK

SMTP<< rcpt to:<warn_empty@???>
using ACL "warn_empty"
-processing "warn" (TESTSUITE/test-config 29)
+processing "warn" (TESTSUITE/test-config 31)
warn: condition test succeeded in ACL "warn_empty"
-processing "accept" (TESTSUITE/test-config 30)
+processing "accept" (TESTSUITE/test-config 32)
accept: condition test succeeded in ACL "warn_empty"
end of ACL "warn_empty": ACCEPT
SMTP>> 250 Accepted

@@ -77,14 +77,14 @@ SMTP>> 221 myhost.test.ex closing connection
LOG: smtp_connection MAIN
SMTP connection from (test) [V4NET.9.8.7] closed by QUIT
search_tidyup called
->>>>>>>>>>>>>>>> Exim pid=p1235 (fresh-exec) terminating with rc=0 >>>>>>>>>>>>>>>>
+>>>>>>>>>>>>>>>> Exim pid=p1236 (fresh-exec) terminating with rc=0 >>>>>>>>>>>>>>>>
Exim version x.yz ....
changed uid/gid: forcing real = effective
- uid=uuuu gid=CALLER_GID pid=p1236
+ uid=uuuu gid=CALLER_GID pid=p1237
configuration file is TESTSUITE/test-config
admin user
changed uid/gid: privilege not needed
- uid=EXIM_UID gid=EXIM_GID pid=p1236
+ uid=EXIM_UID gid=EXIM_GID pid=p1237
seeking password data for user "CALLER": cache not available
getpwnam() succeeded uid=CALLER_UID gid=CALLER_GID
originator: uid=CALLER_UID gid=CALLER_GID login=CALLER name=CALLER_NAME
@@ -122,12 +122,12 @@ log directory space = nnnnnK inodes = nnnnn check_space = 10240K inodes = 100
SMTP>> 250 OK

SMTP<< rcpt to:<warn_log@???>
using ACL "warn_log"
-processing "warn" (TESTSUITE/test-config 33)
+processing "warn" (TESTSUITE/test-config 35)
l_message: warn log message
warn: condition test succeeded in ACL "warn_log"
LOG: MAIN
H=(test) [V4NET.9.8.7] Warning: warn log message
-processing "accept" (TESTSUITE/test-config 34)
+processing "accept" (TESTSUITE/test-config 36)
accept: condition test succeeded in ACL "warn_log"
end of ACL "warn_log": ACCEPT
SMTP>> 250 Accepted

@@ -160,14 +160,14 @@ SMTP>> 221 myhost.test.ex closing connection
LOG: smtp_connection MAIN
SMTP connection from (test) [V4NET.9.8.7] closed by QUIT
search_tidyup called
->>>>>>>>>>>>>>>> Exim pid=p1236 (fresh-exec) terminating with rc=0 >>>>>>>>>>>>>>>>
+>>>>>>>>>>>>>>>> Exim pid=p1237 (fresh-exec) terminating with rc=0 >>>>>>>>>>>>>>>>
Exim version x.yz ....
changed uid/gid: forcing real = effective
- uid=uuuu gid=CALLER_GID pid=p1237
+ uid=uuuu gid=CALLER_GID pid=p1238
configuration file is TESTSUITE/test-config
admin user
changed uid/gid: privilege not needed
- uid=EXIM_UID gid=EXIM_GID pid=p1237
+ uid=EXIM_UID gid=EXIM_GID pid=p1238
seeking password data for user "CALLER": cache not available
getpwnam() succeeded uid=CALLER_UID gid=CALLER_GID
originator: uid=CALLER_UID gid=CALLER_GID login=CALLER name=CALLER_NAME
@@ -205,10 +205,10 @@ log directory space = nnnnnK inodes = nnnnn check_space = 10240K inodes = 100
SMTP>> 250 OK

SMTP<< rcpt to:<warn_user@???>
using ACL "warn_user"
-processing "warn" (TESTSUITE/test-config 37)
+processing "warn" (TESTSUITE/test-config 39)
message: warn user message
warn: condition test succeeded in ACL "warn_user"
-processing "accept" (TESTSUITE/test-config 38)
+processing "accept" (TESTSUITE/test-config 40)
accept: condition test succeeded in ACL "warn_user"
end of ACL "warn_user": ACCEPT
SMTP>> 250 Accepted

@@ -244,7 +244,7 @@ SMTP>> 221 myhost.test.ex closing connection
LOG: smtp_connection MAIN
SMTP connection from (test) [V4NET.9.8.7] closed by QUIT
search_tidyup called
->>>>>>>>>>>>>>>> Exim pid=p1237 (fresh-exec) terminating with rc=0 >>>>>>>>>>>>>>>>
+>>>>>>>>>>>>>>>> Exim pid=p1238 (fresh-exec) terminating with rc=0 >>>>>>>>>>>>>>>>
>>> host in hosts_connection_nolog?
>>> list element:
>>> list element: 127.0.0.1

@@ -262,17 +262,17 @@ LOG: SMTP connection from [V4NET.9.8.7]
>>> list element: @[]
>>> test in helo_lookup_domains? no (end of list)
>>> using ACL "defer"

->>> processing "defer" (TESTSUITE/test-config 51)
+>>> processing "defer" (TESTSUITE/test-config 53)
>>> message: forcibly deferred
>>> defer: condition test succeeded in ACL "defer"
>>> end of ACL "defer": DEFER

LOG: H=(test) [V4NET.9.8.7] F=<x@y> temporarily rejected RCPT <defer@y>: forcibly deferred
>>> using ACL "accept"

->>> processing "accept" (TESTSUITE/test-config 24)
+>>> processing "accept" (TESTSUITE/test-config 26)
>>> accept: condition test succeeded in ACL "accept"
>>> end of ACL "accept": ACCEPT
>>> using ACL "drop"

->>> processing "drop" (TESTSUITE/test-config 41)
+>>> processing "drop" (TESTSUITE/test-config 43)
>>> message: forcibly dropped
>>> drop: condition test succeeded in ACL "drop"
>>> end of ACL "drop": DROP

@@ -295,7 +295,7 @@ LOG: SMTP connection from [V4NET.9.8.7]
>>> list element: @[]
>>> test in helo_lookup_domains? no (end of list)
>>> using ACL "defer_senders"

->>> processing "defer" (TESTSUITE/test-config 54)
+>>> processing "defer" (TESTSUITE/test-config 56)
>>> check senders = :
>>> in ":"?
>>> list element:

@@ -321,19 +321,19 @@ LOG: SMTP connection from [V4NET.9.8.7]
>>> list element: @[]
>>> test in helo_lookup_domains? no (end of list)
>>> using ACL "delay_accept"

->>> processing "accept" (TESTSUITE/test-config 57)
+>>> processing "accept" (TESTSUITE/test-config 59)
>>> check delay = 1s
>>> delay modifier requests 1-second delay
>>> delay skipped in -bh checking mode
>>> accept: condition test succeeded in ACL "delay_accept"
>>> end of ACL "delay_accept": ACCEPT
>>> using ACL "delay_warn"

->>> processing "warn" (TESTSUITE/test-config 60)
+>>> processing "warn" (TESTSUITE/test-config 62)
>>> check delay = 1s
>>> delay modifier requests 1-second delay
>>> delay skipped in -bh checking mode
>>> warn: condition test succeeded in ACL "delay_warn"

->>> processing "accept" (TESTSUITE/test-config 61)
+>>> processing "accept" (TESTSUITE/test-config 63)
>>> accept: condition test succeeded in ACL "delay_warn"
>>> end of ACL "delay_warn": ACCEPT

LOG: SMTP connection from (test) [V4NET.9.8.7] closed by QUIT
@@ -354,7 +354,7 @@ LOG: SMTP connection from [V4NET.9.8.7]
>>> list element: @[]
>>> test in helo_lookup_domains? no (end of list)
>>> using ACL "host_check"

->>> processing "deny" (TESTSUITE/test-config 71)
+>>> processing "deny" (TESTSUITE/test-config 73)
>>> check hosts = net-lsearch;TESTSUITE/aux-var/0022.hosts
>>> host in "net-lsearch;TESTSUITE/aux-var/0022.hosts"?
>>> list element: net-lsearch;TESTSUITE/aux-var/0022.hosts

@@ -364,7 +364,7 @@ LOG: SMTP connection from [V4NET.9.8.7]
>>> end of ACL "host_check": DENY

LOG: H=(test) [V4NET.9.8.7] F=<x@y> rejected RCPT <host_check@y>: host data >A host-specific message<
>>> using ACL "host_check"

->>> processing "deny" (TESTSUITE/test-config 71)
+>>> processing "deny" (TESTSUITE/test-config 73)
>>> check hosts = net-lsearch;TESTSUITE/aux-var/0022.hosts
>>> host in "net-lsearch;TESTSUITE/aux-var/0022.hosts"?
>>> list element: net-lsearch;TESTSUITE/aux-var/0022.hosts

@@ -374,7 +374,7 @@ LOG: H=(test) [V4NET.9.8.7] F=<x@y> rejected RCPT <host_check@y>: host data >A h
>>> end of ACL "host_check": DENY

LOG: H=(test) [V4NET.9.8.7] F=<x@y> rejected RCPT <host_check@y>: host data >A host-specific message<
>>> using ACL "host_check2"

->>> processing "deny" (TESTSUITE/test-config 75)
+>>> processing "deny" (TESTSUITE/test-config 77)
>>> message: host data >$host_data<
>>> check hosts = +some_hosts
>>> host in "+some_hosts"?

@@ -387,7 +387,7 @@ LOG: H=(test) [V4NET.9.8.7] F=<x@y> rejected RCPT <host_check@y>: host data >A h
>>> end of ACL "host_check2": DENY

LOG: H=(test) [V4NET.9.8.7] F=<x@y> rejected RCPT <host_check2@y>: host data >A host-specific message<
>>> using ACL "host_check2"

->>> processing "deny" (TESTSUITE/test-config 75)
+>>> processing "deny" (TESTSUITE/test-config 77)
>>> message: host data >$host_data<
>>> check hosts = +some_hosts
>>> host in "+some_hosts"?

@@ -442,10 +442,10 @@ LOG: SMTP connection from [V4NET.9.8.7]
>>> list element: @[]
>>> test in helo_lookup_domains? no (end of list)
>>> using ACL "nested_drop"

->>> processing "accept" (TESTSUITE/test-config 44)
+>>> processing "accept" (TESTSUITE/test-config 46)
>>> check acl = drop
>>> using ACL "drop"

->>> processing "drop" (TESTSUITE/test-config 41)
+>>> processing "drop" (TESTSUITE/test-config 43)
 >>>    message: forcibly dropped
 >>>  drop: condition test succeeded in ACL "drop"
 >>>  end of ACL "drop": DROP

@@ -470,10 +470,10 @@ LOG: SMTP connection from [V4NET.9.8.7]
>>> list element: @[]
>>> test in helo_lookup_domains? no (end of list)
>>> using ACL "nested_drop_require"

->>> processing "require" (TESTSUITE/test-config 48)
+>>> processing "require" (TESTSUITE/test-config 50)
>>> check acl = drop
>>> using ACL "drop"

->>> processing "drop" (TESTSUITE/test-config 41)
+>>> processing "drop" (TESTSUITE/test-config 43)
 >>>    message: forcibly dropped
 >>>  drop: condition test succeeded in ACL "drop"
 >>>  end of ACL "drop": DROP

diff --git a/test/stdout/0022 b/test/stdout/0022
index 311dd7303..67c0e10e1 100644
--- a/test/stdout/0022
+++ b/test/stdout/0022
@@ -235,3 +235,9 @@ End of script
  0m   sss 10HmbE-0005vi-00 <x@y>
           accept@y


+Connecting to 127.0.0.1 port 1225 ... connected
+??? 550 client disliked
+<<< 550 client disliked
+???*
+Expected EOF read
+End of script