qpsmtpd/sme10/0015-add-TCPLOCAL-variables-to-qp-connection.patch

From 671a6953b0c9503717bda10dd07f434cbd302c9c Mon Sep 17 00:00:00 2001
From: Matt Simerson <matt@tnpi.net>
Date: Tue, 11 May 2010 00:55:53 -0400
Subject: add TCPLOCAL* variables to $qp->connection

(patch remade against latest rspier/qpsmtpd)

added remote_port, local_ip, local_port, and local_host to $qp->connection, as the p0f plugin relies on it.
added notes to TcpServer.pm and the p0f plugin noting the dependence, and the lack of support for models other than tcpserver.

Signed-off-by: Robert <rspier@pobox.com>
---
 lib/Qpsmtpd/TcpServer.pm |   21 ++++++++++++--
 plugins/greylisting      |   68 ++++++++++++++++++++++++++++++++++++++-------
 plugins/ident/p0f        |    8 +++++
 3 files changed, 83 insertions(+), 14 deletions(-)

diff --git a/lib/Qpsmtpd/TcpServer.pm b/lib/Qpsmtpd/TcpServer.pm
index 3398c3e..07d8d16 100644
--- a/lib/Qpsmtpd/TcpServer.pm
+++ b/lib/Qpsmtpd/TcpServer.pm
@@ -30,7 +30,10 @@ my $first_0;
 sub start_connection {
     my $self = shift;
 
-    my ($remote_host, $remote_info, $remote_ip);
+    my (
+        $remote_host, $remote_info, $remote_ip, $remote_port,
+        $local_ip,    $local_port,  $local_host
+       );
 
     if ($ENV{TCPREMOTEIP}) {
        # started from tcpserver (or some other superserver which
@@ -38,6 +41,10 @@ sub start_connection {
        $remote_ip   = $ENV{TCPREMOTEIP};
        $remote_host = $ENV{TCPREMOTEHOST} || "[$remote_ip]";
        $remote_info = $ENV{TCPREMOTEINFO} ? "$ENV{TCPREMOTEINFO}\@$remote_host" : $remote_host;
+        $remote_port = $ENV{TCPREMOTEPORT};
+        $local_ip    = $ENV{TCPLOCALIP};
+        $local_port  = $ENV{TCPLOCALPORT};
+        $local_host  = $ENV{TCPLOCALHOST};
     } else {
        # Started from inetd or similar. 
        # get info on the remote host from the socket.
@@ -48,6 +55,10 @@ sub start_connection {
        $remote_ip     = inet_ntoa($iaddr);
        $remote_host    = gethostbyaddr($iaddr, AF_INET) || "[$remote_ip]";
        $remote_info    = $remote_host;
+### TODO
+# set $remote_port, $local_ip, and $local_port. Those values are
+# required for the p0f plugin to function.
+### /TODO
     }
     $self->log(LOGNOTICE, "Connection from $remote_info [$remote_ip]");
 
@@ -61,8 +72,12 @@ sub start_connection {
     $0 = "$first_0 [$remote_ip : $remote_host : $now]";
 
     $self->SUPER::connection->start(remote_info => $remote_info,
-                                   remote_ip   => $remote_ip,
-                                   remote_host => $remote_host,
+                                    remote_ip   => $remote_ip,
+                                    remote_host => $remote_host,
+                                    remote_port => $remote_port,
+                                    local_ip    => $local_ip,
+                                    local_port  => $local_port,
+                                    local_host  => $local_host,
                                    @_);
 }
 
diff --git a/plugins/greylisting b/plugins/greylisting
index 975563c..ebdec8f 100644
--- a/plugins/greylisting
+++ b/plugins/greylisting
@@ -106,6 +106,23 @@ directories, if determined, supercede I<db_dir>.
 
 =back
 
+=item p0f
+
+Enable greylisting only when certain p0f criteria is met. The single
+required argument is a comma delimited list of key/value pairs. The keys
+are the following p0f TCP fingerprint elements: genre, detail, uptime,
+link, and distance.
+
+To greylist emails from computers whose remote OS is windows, you'd use
+this syntax:
+
+  p0f genre,windows
+
+To greylist only windows computers on DSL links more than 3 network hops
+away:
+
+  p0f genre,windows,link,dsl,distance,3
+
 =head1 BUGS
 
 Database locking is implemented using flock, which may not work on 
@@ -116,6 +133,8 @@ use something like File::NFSLock instead.
 
 Written by Gavin Carr <gavin@openfusion.com.au>.
 
+Added p0f section <mattsimerson@cpan.org> (2010-05-03)
+
 =cut
 
 BEGIN { @AnyDBM_File::ISA = qw(DB_File GDBM_File NDBM_File) }
@@ -123,22 +142,23 @@ use AnyDBM_File;
 use Fcntl qw(:DEFAULT :flock);
 use strict;
 
-my $VERSION = '0.07';
+my $VERSION = '0.08';
 
 my $DENYMSG = "This mail is temporarily denied";
 my ($QPHOME) = ($0 =~ m!(.*?)/([^/]+)$!);
 my $DB = "denysoft_greylist.dbm";
 my %PERMITTED_ARGS = map { $_ => 1 } qw(per_recipient remote_ip sender recipient 
-  black_timeout grey_timeout white_timeout deny_late mode db_dir);
+  black_timeout grey_timeout white_timeout deny_late mode db_dir p0f );
 
 my %DEFAULTS = (
-  remote_ip => 1,
-  sender => 0,
-  recipient => 0,
-  black_timeout => 50 * 60,
-  grey_timeout =>  3 * 3600 + 20 * 60,
-  white_timeout => 36 * 24 * 3600,
-  mode => 'denysoft',
+    remote_ip => 1,
+    sender => 0,
+    recipient => 0,
+    black_timeout => 50 * 60,
+    grey_timeout =>  3 * 3600 + 20 * 60,
+    white_timeout => 36 * 24 * 3600,
+    mode => 'denysoft',
+    p0f  => undef,
 );
 
 sub register {
@@ -206,6 +226,9 @@ sub denysoft_greylist {
   return DECLINED if $self->qp->connection->notes('whitelisthost');
   return DECLINED if $transaction->notes('whitelistsender');
 
+  # do not greylist if p0f matching is selected and message does not match
+  return DECLINED if $config->{'p0f'} && !$self->p0f_match( $config );
+
   if ($config->{db_dir} && $config->{db_dir} =~ m{^([-a-zA-Z0-9./_]+)$}) {
     $config->{db_dir} = $1; 
   }
@@ -214,8 +237,10 @@ sub denysoft_greylist {
   my $dbdir = $transaction->notes('per_rcpt_configdir') 
     if $config->{per_recipient_db};
   for my $d ($dbdir, $config->{db_dir}, "/var/lib/qpsmtpd/greylisting",
-             "$QPHOME/var/db", "$QPHOME/config") {
-    last if $dbdir ||= $d && -d $d && $d;
+             "$QPHOME/var/db", "$QPHOME/config", '.' ) {
+      last if $dbdir && -d $dbdir;
+      next if ( ! $d || ! -d $d );
+      $dbdir = $d;
   }
   my $db = "$dbdir/$DB";
   $self->log(LOGINFO,"using $db as greylisting database");
@@ -292,5 +317,26 @@ sub denysoft_greylist {
   return $config->{mode} eq 'testonly' ? DECLINED : DENYSOFT, $DENYMSG;
 }
 
+sub p0f_match {
+    my $self = shift;
+    my $config = shift;
+
+    my $p0f = $self->connection->notes('p0f');
+    return if !$p0f || !ref $p0f;     # p0f fingerprint info not found
+
+    my %valid_matches = map { $_ => 1 } qw( genre detail uptime link distance );
+    my %requested_matches = split(/\,/, $config->{'p0f'} );
+
+    foreach my $key (keys %requested_matches) {
+        next if !defined $valid_matches{$key}; # discard invalid match keys
+        my $value = $requested_matches{$key};
+        return 1 if $key eq 'distance' && $p0f->{$key} > $value;
+        return 1 if $key eq 'genre'    && $p0f->{$key} =~ /$value/i;
+        return 1 if $key eq 'uptime'   && $p0f->{$key} < $value;
+        return 1 if $key eq 'link'     && $p0f->{$key} =~ /$value/i;
+    }
+    return;
+}
+
 # arch-tag: 6ef5919e-404b-4c87-bcfe-7e9f383f3901
 
diff --git a/plugins/ident/p0f b/plugins/ident/p0f
index 720adca..98b56ec 100644
--- a/plugins/ident/p0f
+++ b/plugins/ident/p0f
@@ -18,6 +18,14 @@ things based on source OS.
 
 All code heavily based upon the p0fq.pl included with the p0f distribution.
 
+=head1 Environment requirements
+
+p0f requires four pieces of information to look up the p0f fingerprint:
+local_ip, local_port, remote_ip, and remote_port. TcpServer.pm has been
+has been updated to provide that information when running under djb's
+tcpserver. The async, forkserver, and prefork models will likely require
+some additional changes to make sure these fields are populated.
+
 =cut
 
 use IO::Socket;
-- 
1.7.2.2

1	From 671a6953b0c9503717bda10dd07f434cbd302c9c Mon Sep 17 00:00:00 2001
2	From: Matt Simerson <matt@tnpi.net>
3	Date: Tue, 11 May 2010 00:55:53 -0400
4	Subject: add TCPLOCAL* variables to $qp->connection
5
6	(patch remade against latest rspier/qpsmtpd)
7
8	added remote_port, local_ip, local_port, and local_host to $qp->connection, as the p0f plugin relies on it.
9	added notes to TcpServer.pm and the p0f plugin noting the dependence, and the lack of support for models other than tcpserver.
10
11	Signed-off-by: Robert <rspier@pobox.com>
12	---
13	lib/Qpsmtpd/TcpServer.pm \| 21 ++++++++++++--
14	plugins/greylisting \| 68 ++++++++++++++++++++++++++++++++++++++-------
15	plugins/ident/p0f \| 8 +++++
16	3 files changed, 83 insertions(+), 14 deletions(-)
17
18	diff --git a/lib/Qpsmtpd/TcpServer.pm b/lib/Qpsmtpd/TcpServer.pm
19	index 3398c3e..07d8d16 100644
20	--- a/lib/Qpsmtpd/TcpServer.pm
21	+++ b/lib/Qpsmtpd/TcpServer.pm
22	@@ -30,7 +30,10 @@ my $first_0;
23	sub start_connection {
24	my $self = shift;
25
26	- my ($remote_host, $remote_info, $remote_ip);
27	+ my (
28	+ $remote_host, $remote_info, $remote_ip, $remote_port,
29	+ $local_ip, $local_port, $local_host
30	+ );
31
32	if ($ENV{TCPREMOTEIP}) {
33	# started from tcpserver (or some other superserver which
34	@@ -38,6 +41,10 @@ sub start_connection {
35	$remote_ip = $ENV{TCPREMOTEIP};
36	$remote_host = $ENV{TCPREMOTEHOST} \|\| "[$remote_ip]";
37	$remote_info = $ENV{TCPREMOTEINFO} ? "$ENV{TCPREMOTEINFO}\@$remote_host" : $remote_host;
38	+ $remote_port = $ENV{TCPREMOTEPORT};
39	+ $local_ip = $ENV{TCPLOCALIP};
40	+ $local_port = $ENV{TCPLOCALPORT};
41	+ $local_host = $ENV{TCPLOCALHOST};
42	} else {
43	# Started from inetd or similar.
44	# get info on the remote host from the socket.
45	@@ -48,6 +55,10 @@ sub start_connection {
46	$remote_ip = inet_ntoa($iaddr);
47	$remote_host = gethostbyaddr($iaddr, AF_INET) \|\| "[$remote_ip]";
48	$remote_info = $remote_host;
49	+### TODO
50	+# set $remote_port, $local_ip, and $local_port. Those values are
51	+# required for the p0f plugin to function.
52	+### /TODO
53	}
54	$self->log(LOGNOTICE, "Connection from $remote_info [$remote_ip]");
55
56	@@ -61,8 +72,12 @@ sub start_connection {
57	$0 = "$first_0 [$remote_ip : $remote_host : $now]";
58
59	$self->SUPER::connection->start(remote_info => $remote_info,
60	- remote_ip => $remote_ip,
61	- remote_host => $remote_host,
62	+ remote_ip => $remote_ip,
63	+ remote_host => $remote_host,
64	+ remote_port => $remote_port,
65	+ local_ip => $local_ip,
66	+ local_port => $local_port,
67	+ local_host => $local_host,
68	@_);
69	}
70
71	diff --git a/plugins/greylisting b/plugins/greylisting
72	index 975563c..ebdec8f 100644
73	--- a/plugins/greylisting
74	+++ b/plugins/greylisting
75	@@ -106,6 +106,23 @@ directories, if determined, supercede I<db_dir>.
76
77	=back
78
79	+=item p0f
80	+
81	+Enable greylisting only when certain p0f criteria is met. The single
82	+required argument is a comma delimited list of key/value pairs. The keys
83	+are the following p0f TCP fingerprint elements: genre, detail, uptime,
84	+link, and distance.
85	+
86	+To greylist emails from computers whose remote OS is windows, you'd use
87	+this syntax:
88	+
89	+ p0f genre,windows
90	+
91	+To greylist only windows computers on DSL links more than 3 network hops
92	+away:
93	+
94	+ p0f genre,windows,link,dsl,distance,3
95	+
96	=head1 BUGS
97
98	Database locking is implemented using flock, which may not work on
99	@@ -116,6 +133,8 @@ use something like File::NFSLock instead.
100
101	Written by Gavin Carr <gavin@openfusion.com.au>.
102
103	+Added p0f section <mattsimerson@cpan.org> (2010-05-03)
104	+
105	=cut
106
107	BEGIN { @AnyDBM_File::ISA = qw(DB_File GDBM_File NDBM_File) }
108	@@ -123,22 +142,23 @@ use AnyDBM_File;
109	use Fcntl qw(:DEFAULT :flock);
110	use strict;
111
112	-my $VERSION = '0.07';
113	+my $VERSION = '0.08';
114
115	my $DENYMSG = "This mail is temporarily denied";
116	my ($QPHOME) = ($0 =~ m!(.*?)/([^/]+)$!);
117	my $DB = "denysoft_greylist.dbm";
118	my %PERMITTED_ARGS = map { $_ => 1 } qw(per_recipient remote_ip sender recipient
119	- black_timeout grey_timeout white_timeout deny_late mode db_dir);
120	+ black_timeout grey_timeout white_timeout deny_late mode db_dir p0f );
121
122	my %DEFAULTS = (
123	- remote_ip => 1,
124	- sender => 0,
125	- recipient => 0,
126	- black_timeout => 50 * 60,
127	- grey_timeout => 3 * 3600 + 20 * 60,
128	- white_timeout => 36 * 24 * 3600,
129	- mode => 'denysoft',
130	+ remote_ip => 1,
131	+ sender => 0,
132	+ recipient => 0,
133	+ black_timeout => 50 * 60,
134	+ grey_timeout => 3 * 3600 + 20 * 60,
135	+ white_timeout => 36 * 24 * 3600,
136	+ mode => 'denysoft',
137	+ p0f => undef,
138	);
139
140	sub register {
141	@@ -206,6 +226,9 @@ sub denysoft_greylist {
142	return DECLINED if $self->qp->connection->notes('whitelisthost');
143	return DECLINED if $transaction->notes('whitelistsender');
144
145	+ # do not greylist if p0f matching is selected and message does not match
146	+ return DECLINED if $config->{'p0f'} && !$self->p0f_match( $config );
147	+
148	if ($config->{db_dir} && $config->{db_dir} =~ m{^([-a-zA-Z0-9./_]+)$}) {
149	$config->{db_dir} = $1;
150	}
151	@@ -214,8 +237,10 @@ sub denysoft_greylist {
152	my $dbdir = $transaction->notes('per_rcpt_configdir')
153	if $config->{per_recipient_db};
154	for my $d ($dbdir, $config->{db_dir}, "/var/lib/qpsmtpd/greylisting",
155	- "$QPHOME/var/db", "$QPHOME/config") {
156	- last if $dbdir \|\|= $d && -d $d && $d;
157	+ "$QPHOME/var/db", "$QPHOME/config", '.' ) {
158	+ last if $dbdir && -d $dbdir;
159	+ next if ( ! $d \|\| ! -d $d );
160	+ $dbdir = $d;
161	}
162	my $db = "$dbdir/$DB";
163	$self->log(LOGINFO,"using $db as greylisting database");
164	@@ -292,5 +317,26 @@ sub denysoft_greylist {
165	return $config->{mode} eq 'testonly' ? DECLINED : DENYSOFT, $DENYMSG;
166	}
167
168	+sub p0f_match {
169	+ my $self = shift;
170	+ my $config = shift;
171	+
172	+ my $p0f = $self->connection->notes('p0f');
173	+ return if !$p0f \|\| !ref $p0f; # p0f fingerprint info not found
174	+
175	+ my %valid_matches = map { $_ => 1 } qw( genre detail uptime link distance );
176	+ my %requested_matches = split(/\,/, $config->{'p0f'} );
177	+
178	+ foreach my $key (keys %requested_matches) {
179	+ next if !defined $valid_matches{$key}; # discard invalid match keys
180	+ my $value = $requested_matches{$key};
181	+ return 1 if $key eq 'distance' && $p0f->{$key} > $value;
182	+ return 1 if $key eq 'genre' && $p0f->{$key} =~ /$value/i;
183	+ return 1 if $key eq 'uptime' && $p0f->{$key} < $value;
184	+ return 1 if $key eq 'link' && $p0f->{$key} =~ /$value/i;
185	+ }
186	+ return;
187	+}
188	+
189	# arch-tag: 6ef5919e-404b-4c87-bcfe-7e9f383f3901
190
191	diff --git a/plugins/ident/p0f b/plugins/ident/p0f
192	index 720adca..98b56ec 100644
193	--- a/plugins/ident/p0f
194	+++ b/plugins/ident/p0f
195	@@ -18,6 +18,14 @@ things based on source OS.
196
197	All code heavily based upon the p0fq.pl included with the p0f distribution.
198
199	+=head1 Environment requirements
200	+
201	+p0f requires four pieces of information to look up the p0f fingerprint:
202	+local_ip, local_port, remote_ip, and remote_port. TcpServer.pm has been
203	+has been updated to provide that information when running under djb's
204	+tcpserver. The async, forkserver, and prefork models will likely require
205	+some additional changes to make sure these fields are populated.
206	+
207	=cut
208
209	use IO::Socket;
210	--
211	1.7.2.2
212