#include /* for exit(), getenv() */ #include #include #include #include /* for stat(), getaddrinfo() */ #include /* for stat() */ #include /* for stat() */ #include /* for perror */ #include /* for ENOENT */ #include /* for ofstream() */ #include /* for creat() */ #include /* for gettimeofday() */ #include /* for stringstream */ #include /* for kill(), SIGUSR1 */ // requires apt-get install libboost-filesystem-dev: #include #include /* for getaddrinfo() */ #include /* for getaddrinfo() */ #include /* for memset() */ #include /* for inet_ntop() */ using namespace std; const int minute(60); const int hour(60*minute); const int day(24*hour); const int minimum_age(15*minute); const int maximum_age(32*day); const int probation(4*hour); #include "qq_exit_codes.h" pid_t mypid; string progname; void dump(const string var){ char* str = getenv(var.c_str()); cerr << progname << "[" << mypid << "] " << var; if (str) cerr << " is set to '" << str << "'" << endl; else cerr << " is not set." << endl; } void exeunt(const int sts){ if (sts == ex_good) exit(sts); #ifndef PENALIZE_SPAMMERS if (sts == ex_penaltybox) exit(sts); #endif #ifndef KILL_GROUP exit(sts); #endif const char* foo = getenv("HI_Q_GROUP"); if (!foo) exit(sts); // No point in signalling ourself: sighandler_t rslt = signal(SIGUSR1, SIG_IGN); if (rslt == SIG_ERR) { cerr << "error setting signal" << endl; } int k = kill(-atoi(foo), SIGUSR1); if (k) { cerr << "kill failed on group " << atoi(foo) << " ... "; perror(0); } exit(sts); } #include "utils.h" class whatsit{ public: string dirname; string progname; pid_t mypid; timeval now; char* ipvar; char* hostvar; string ipbase; string ipname; string hostname; int mod_age; int ac_age; string suffix; string progid; int verbosity; whatsit(const string name, const string _dirname) : dirname(_dirname), progname(name), mypid(getpid()), mod_age(0), ac_age(0), verbosity(0) { gettimeofday(&now, NULL); } int doit(const int penalty, const int stain); // access comes after modification: void update(const string msg, const timeval new_mod, const timeval new_ac, const int penalty, const int stain); int setup(); int check_dns(); int check_dns_sub(string &addr, string &host, vector &checked); }; int whatsit::setup(){ stringstream foo; foo << basename(progname) << suffix << "[" << mypid << "]"; progid = foo.str(); ipvar = getenv("TCPREMOTEIP"); if (ipvar) ipbase = ipvar; hostvar = getenv("TCPREMOTEHOST"); if (hostvar) hostname = hostvar; return 0; } void scan(const string progid, const string p, const int copies=1){ timeval now; gettimeofday(&now, NULL); using namespace boost::filesystem; if (is_directory(p)) { for (directory_iterator itr(p); itr!=directory_iterator(); ++itr) { string basename = itr->path().filename().string(); for (int ii = 0; ii < copies; ii++) cout << setw(20) << left << basename << ' '; // display filename only if (is_regular_file(itr->status())) { // cout << " [" << file_size(itr->path()) << ']'; struct stat mystat; string fn = p + "/" + basename; int rslt = stat(fn.c_str(), &mystat); if (rslt != 0){ cerr << progid << ": stat failed for '" << fn << "' : "; perror(0); } int mod_age = now.tv_sec - mystat.st_mtime; int ac_age = now.tv_sec - mystat.st_atime; cout << setw(10) << time_out(mod_age) << " " << setw(10) << time_out(ac_age); if (0) { } else if (mod_age < 0) { cout << " penalty"; } else if (mod_age < ac_age) { cout << " parole"; } else if (mod_age - ac_age < minimum_age // early bird, or completely unused && mod_age > probation) { // did not diligently resubmit cout << " disprobation"; if (mod_age != ac_age) cout << "!"; } else if (mod_age < minimum_age) { cout << " young"; if (mod_age != ac_age) cout << "!"; } else if (mod_age == ac_age) { cout << " unused"; } else if (mod_age > maximum_age) { cout << " expired"; } else { cout << " OK"; } } cout << '\n'; } } else { // starting point is not a directory: cout << (exists(p) ? "Found: " : "Not found: ") << p << '\n'; } } void whatsit::update(const string msg, const timeval new_mod, const timeval new_ac, const int penalty, const int stain){ if (verbosity){ if (penalty || stain || verbosity>1) cerr << progid << ": "; if (penalty) cerr << " penalty " << penalty; if (stain) cerr << " stain " << stain; if (verbosity > 1) { if (penalty || stain) cerr << "+"; // separation, punctuation cerr << msg << ": " << ipbase; if (hostname.length()) cerr << " " << hostname; cerr << " mod_age: " << time_out(mod_age) << " ac_age: " << time_out(ac_age); } cerr << endl; } timeval pen_mod(new_mod); timeval stain_ac(new_ac); if (penalty) { pen_mod = now; pen_mod.tv_sec += penalty; } if (stain) { stain_ac = now; stain_ac.tv_sec -= stain; } timeval upd[2] = { // beware: access illogically comes *before* modification here: stain_ac, pen_mod }; if (utimes(ipname.c_str(), upd)) cerr << "oops" << endl; } int main(int _argc, char** _argv){ mypid = getpid(); int argc(_argc); char** argv(_argv); const string dirname("/var/qmail/greylist"); whatsit foo(argv[0], dirname); argc--; argv++; int scanmode(0); int copies(1); int penalty(0); int stain(0); int check(0); while (argc > 0) { string arg = argv[0]; argc--; argv++; if (prefix(arg, "-scan")) { scanmode++; } else if (prefix(arg, "-copy")) { copies++; } else if (prefix(arg, "-verbose")) { foo.verbosity++; } else if (prefix(arg, "-check")) { check++; } else if (prefix(arg, "-penalize") || prefix(arg, "-penalty")) { if (!argc){ cerr << "Option '" << arg << "' requires an argument" << endl; exeunt(ex_syserr); } penalty = atoi(*argv++); argc--; } else if (prefix(arg, "-stain")) { if (!argc){ cerr << "Option '" << arg << "' requires an argument" << endl; exeunt(ex_syserr); } stain = atoi(*argv++); argc--; } else if (prefix(arg, "-suffix")) { if (!argc){ cerr << "Option '" << arg << "' requires an argument" << endl; exeunt(ex_syserr); } foo.suffix += *argv++; argc--; } else { cerr << "Unrecognized arg: " << arg << endl; exeunt(ex_syserr); } } if (foo.setup()) return ex_syserr; if (scanmode) { scan(foo.progid, dirname, copies); return 0; } int sts = foo.doit(penalty, stain); if (sts == ex_syserr) return sts; if (!check) return ex_good; // check mode ... perform some extra checks. // Probably a better design would be to // (a) make more thorough DNS checks, and // (b) move all the DNS checking to a separate module int dns = foo.check_dns(); if (dns == ex_syserr || dns == ex_spam) return dns; exeunt(sts); } int whatsit::doit(const int penalty, const int stain){ if (!ipvar) { cerr << progid << " TCPREMOTEIP not set???" << endl; // should never happen // although you can make it happen using a weird test-harness return(ex_syserr); } // see if our directory exists: struct stat dirstat; int rslt = stat(dirname.c_str(), &dirstat); if (rslt != 0){ if (errno != ENOENT) { cerr << progid << ": stat failed for '" << dirname << "' : "; perror(0); } rslt = mkdir(dirname.c_str(), 0755); if (rslt != 0) { cerr << progid << "uid " << getuid() << ": mkdir failed for '" << dirname << "' : "; perror(0); return(ex_syserr); } } ipname = dirname + "/" + ipbase; struct stat ipstat; rslt = stat(ipname.c_str(), &ipstat); if (rslt != 0){ if (errno != ENOENT) { cerr << progid << ": stat failed for '" << ipname << "' : "; perror(0); } ofstream foo; int fd = creat(ipname.c_str(), 0644); if (fd < 0){ cerr << progid << ": create failed for '" << ipname << "' : "; perror(0); } close(fd); update("new customer", now, now, penalty, stain); return(ex_greylisting); } // now for really checking the greylist status: mod_age = now.tv_sec - ipstat.st_mtime; ac_age = now.tv_sec - ipstat.st_atime; timeval mod_orig = {ipstat.st_mtime, 0}; if (mod_age < 0) { update("penalty box", mod_orig, now, penalty, stain); return(ex_penaltybox); } if (mod_age < ac_age){ // when he comes out on parole, he starts over with no reputation: update("paroled spammer", now, now, penalty, stain); return(ex_greylisting); } if (mod_age < minimum_age) { update("early bird", mod_orig, now, penalty, stain); return(ex_greylisting); } if (mod_age - ac_age < minimum_age // early bird, or completely unused && mod_age > probation) { // did not diligently resubmit update("disprobation", now, now, penalty, stain); return(ex_greylisting); } if (ac_age > maximum_age) { update("too old, starting over", now, now, penalty, stain); return(ex_greylisting); } // if all checks are passed, must be OK: update("returning customer", mod_orig, now, penalty, stain); return 0; } typedef vector VU; class VUx{ public: VU addr; sa_family_t fam; string str(); }; string VUx::str(){ char msgbuf[INET6_ADDRSTRLEN]; const char* rslt = inet_ntop(fam, &addr[0], msgbuf, sizeof(msgbuf)); if (!rslt) rslt = ""; return rslt; } VUx parse_sockaddr(const sockaddr* ai_addr) { void* numericAddress; VUx rslt; int addrsize; rslt.addr = VU(0); rslt.fam = ((sockaddr *)ai_addr)->sa_family; switch (rslt.fam) { case AF_INET: numericAddress = &(((sockaddr_in *)ai_addr)->sin_addr.s_addr); addrsize = sizeof(in_addr); break; case AF_INET6: numericAddress = &(((sockaddr_in6 *)ai_addr)->sin6_addr.s6_addr); addrsize = sizeof(in6_addr); break; default: cerr << "?Unknown address family " << rslt.fam << endl; return rslt; } unsigned char* foo = (unsigned char*) numericAddress; rslt.addr = VU(foo, foo+addrsize); return rslt; } int diff(const VU aaa, const VU bbb){ if(aaa.size() != bbb.size()) return 1; for (unsigned int ii=0; ii < aaa.size(); ii++){ if (aaa[ii] != bbb[ii]) return 1; } return 0; } int whatsit::check_dns(){ string addr("()"), host("()"); vector checked; int sts = check_dns_sub(addr, host, checked); if (sts == 0) return sts; if (sts != ex_badDNS) return sts; // possible ex_syserr #ifndef badDNSfatal sts = 0; // demote badDNS to just a warning #endif cerr << progid; if (!sts) cerr << " (warning)"; cerr << " DNS inconsistency: " << addr << " --> " << host << " ==>"; if (!checked.size()) cerr << " ()"; else for (vector::const_iterator chk = checked.begin(); chk != checked.end(); chk++) cerr << " " << *chk; cerr << endl; return sts; } int whatsit::check_dns_sub(string &addr, string &host, vector &checked){ #ifdef badDNSfatal int ex_dns_fail = ex_syserr; #else int ex_dns_fail = ex_badDNS; #endif struct addrinfo *result; struct addrinfo *ipresult; struct addrinfo *res; addrinfo hints; int error; memset(&hints, 0, sizeof(struct addrinfo)); #if 1 // restrict to TCP only; otherwise we get N records per address hints.ai_protocol = IPPROTO_TCP; #endif error = getaddrinfo(ipvar, NULL, &hints, &ipresult); if (error == EAI_NONAME) return ex_badDNS; if (error) { // some unexpected error cerr << progid << " odd error " << error << " in getaddrinfo for " << ipvar << " : " << gai_strerror(error) << endl; return ex_dns_fail; } if (!ipresult) { cerr << "should never happen (addr with no addrs?)" << endl; return ex_dns_fail; } VUx ipAddr = parse_sockaddr(ipresult->ai_addr); addr = ipAddr.str(); char* hostvar = getenv("TCPREMOTEHOST"); if (hostvar) host = hostvar; else return(ex_badDNS); error = getaddrinfo(hostvar, NULL, &hints, &result); if (error == EAI_NONAME) return ex_badDNS; if (error) { cerr << progid << " error " << error << " compare " << EAI_NONAME << " in getaddrinfo for " << ipvar << " :: " << gai_strerror(error) << endl; return ex_dns_fail; } // loop over all returned results and check for a match. for (res = result; res != NULL; res = res->ai_next){ VUx hostAddr = parse_sockaddr(res->ai_addr); checked.push_back(hostAddr.str()); if (!diff(hostAddr.addr, ipAddr.addr)) { ///// cerr << "match! " << ipAddr.addr.size() << endl; goto done; } } return ex_badDNS; done: return 0; }