From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] dma: update to 0.12
Date: Mon, 03 Feb 2020 14:55:27 +0000
Message-ID: <416C26E3-4A5C-4971-96D7-EA71C4B8D515@ipfire.org>

Reviewed-by: Michael Tremer

> On 1 Feb 2020, at 20:26, Peter Müller wrote:
>
> All of the dma patches in src/patches/ were merged into its upstream
> repository by now, thus becoming obsolete and deleted by this patch.
>
> Cc: Michael Tremer
> Signed-off-by: Peter Müller
> --- > lfs/dma | 9 +- > src/patches/dma-0.10-better-authentication.patch | 373 --------------------= --- > src/patches/dma-0.10-better-tls.patch | 26 -- > src/patches/dma-0.11-compile-fixes.patch | 29 -- > 4 files changed, 3 insertions(+), 434 deletions(-) > delete mode 100644 src/patches/dma-0.10-better-authentication.patch > delete mode 100644 src/patches/dma-0.10-better-tls.patch > delete mode 100644 src/patches/dma-0.11-compile-fixes.patch >=20 > diff --git a/lfs/dma b/lfs/dma > index 2b89bcc6e..aceb2704e 100644 > --- a/lfs/dma > +++ b/lfs/dma > @@ -1,7 +1,7 @@ > ###########################################################################= #### > # = # > # IPFire.org - A linux based firewall = # > -# Copyright (C) 2007-2018 IPFire Team = # > +# Copyright (C) 2007-2020 IPFire Team = # > # = # > # This program is free software: you can redistribute it and/or modify = # > # it under the terms of the GNU General Public License as published by = # > @@ -24,7 +24,7 @@ >=20 > include Config >=20 > -VER =3D 0.11 > +VER =3D 0.12 >=20 > THISAPP =3D dma-$(VER) > DL_FILE =3D $(THISAPP).tar.gz 
> @@ -40,7 +40,7 @@ objects =3D $(DL_FILE) >=20 > $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) >=20 > -$(DL_FILE)_MD5 =3D 4090572921fc33be0977f4010881b501 > +$(DL_FILE)_MD5 =3D 58cb2a286995381c92dc557e639622d6 >=20 > install : $(TARGET) >=20 > @@ -73,9 +73,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > @rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar zxf $(DIR_DL)/$(DL_FILE) > mkdir -pv /var/ipfire/dma > touch /var/ipfire/dma/mail.conf > - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/dma-0.10-better-auth= entication.patch > - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/dma-0.10-better-tls.= patch > - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/dma-0.11-compile-fix= es.patch > cd $(DIR_APP) && sed -i '/PREFIX/s/usr\/local/usr/g' Makefile > cd $(DIR_APP) && sed -i '/CONFDIR/s/etc\/dma/var\/ipfire\/dma/g' Makefile > cd $(DIR_APP) && make > diff --git a/src/patches/dma-0.10-better-authentication.patch b/src/patches= /dma-0.10-better-authentication.patch > deleted file mode 100644 > index 596168d2a..000000000 > --- a/src/patches/dma-0.10-better-authentication.patch > +++ /dev/null 
> @@ -1,373 +0,0 @@ > -From 1fa7a882dd22d5f619b3645c6597a419034e9b4e Mon Sep 17 00:00:00 2001 > -From: Michael Tremer > -Date: Mon, 9 Nov 2015 21:52:08 +0000 > -Subject: [PATCH] Implement better authentication > - > -DMA tries to authenticate by simply trying various authentication > -mechanisms. This is obviously not conforming to RFC and some mail > -providers detect this is spam and reject all emails. > - > -This patch parses the EHLO response and reads various keywords > -from it that can then later in the program be used to jump into > -certain code paths. > - > -Currently this is used to only authenticate with CRAM-MD5 and/or > -LOGIN if the server supports one or both of these. The > -implementation can be easily be extended though. > - > -Signed-off-by: Michael Tremer > ---- > - crypto.c | 6 +- > - dma.h | 13 +++- > - net.c | 219 +++++++++++++++++++++++++++++++++++++++++++++++-----------= ----- > - 3 files changed, 181 insertions(+), 57 deletions(-) > - > -diff --git a/crypto.c b/crypto.c > -index 897b55b..8048f20 100644 > ---- a/crypto.c > -+++ b/crypto.c > -@@ -77,7 +77,7 @@ init_cert_file(SSL_CTX *ctx, const char *path) > - } > -=20 > - int > --smtp_init_crypto(int fd, int feature) > -+smtp_init_crypto(int fd, int feature, struct smtp_features* features) > - { > - SSL_CTX *ctx =3D NULL; > - #if (OPENSSL_VERSION_NUMBER >=3D 0x00909000L) > -@@ -118,8 +118,7 @@ smtp_init_crypto(int fd, int feature) > - /* TLS init phase, disable SSL_write */ > - config.features |=3D NOSSL; > -=20 > -- send_remote_command(fd, "EHLO %s", hostname()); > -- if (read_remote(fd, 0, NULL) =3D=3D 2) { > -+ if (perform_server_greeting(fd, features) =3D=3D 0) { > - send_remote_command(fd, "STARTTLS"); > - if (read_remote(fd, 0, NULL) !=3D 2) { > - if ((feature & TLS_OPP) =3D=3D 0) { > -@@ -131,6 +130,7 @@ smtp_init_crypto(int fd, int feature) > - } > - } > - } > -+ > - /* End of TLS init phase, enable SSL_write/read */ > - config.features &=3D ~NOSSL; > - } > -diff --git a/dma.h 
b/dma.h > -index acf5e44..ee749d8 100644 > ---- a/dma.h > -+++ b/dma.h > -@@ -51,6 +51,7 @@ > - #define BUF_SIZE 2048 > - #define ERRMSG_SIZE 200 > - #define USERNAME_SIZE 50 > -+#define EHLO_RESPONSE_SIZE BUF_SIZE > - #define MIN_RETRY 300 /* 5 minutes */ > - #define MAX_RETRY (3*60*60) /* retry at least every 3 hours */ > - #define MAX_TIMEOUT (5*24*60*60) /* give up after 5 days */ > -@@ -160,6 +161,15 @@ struct mx_hostentry { > - struct sockaddr_storage sa; > - }; > -=20 > -+struct smtp_auth_mechanisms { > -+ int cram_md5; > -+ int login; > -+}; > -+ > -+struct smtp_features { > -+ struct smtp_auth_mechanisms auth; > -+ int starttls; > -+}; > -=20 > - /* global variables */ > - extern struct aliases aliases; > -@@ -187,7 +197,7 @@ void parse_authfile(const char *); > - /* crypto.c */ > - void hmac_md5(unsigned char *, int, unsigned char *, int, unsigned char *= ); > - int smtp_auth_md5(int, char *, char *); > --int smtp_init_crypto(int, int); > -+int smtp_init_crypto(int, int, struct smtp_features*); > -=20 > - /* dns.c */ > - int dns_get_mx_list(const char *, int, struct mx_hostentry **, int); > -@@ -196,6 +206,7 @@ int dns_get_mx_list(const char *, int, struct mx_hoste= ntry **, int); > - char *ssl_errstr(void); > - int read_remote(int, int, char *); > - ssize_t send_remote_command(int, const char*, ...) 
__attribute__((__nonn= ull__(2), __format__ (__printf__, 2, 3))); > -+int perform_server_greeting(int, struct smtp_features*); > - int deliver_remote(struct qitem *); > -=20 > - /* base64.c */ > -diff --git a/net.c b/net.c > -index 26935a8..33ff8f5 100644 > ---- a/net.c > -+++ b/net.c > -@@ -247,64 +247,70 @@ read_remote(int fd, int extbufsize, char *extbuf) > - * Handle SMTP authentication > - */ > - static int > --smtp_login(int fd, char *login, char* password) > -+smtp_login(int fd, char *login, char* password, const struct smtp_feature= s* features) > - { > - char *temp; > - int len, res =3D 0; > -=20 > -- res =3D smtp_auth_md5(fd, login, password); > -- if (res =3D=3D 0) { > -- return (0); > -- } else if (res =3D=3D -2) { > -- /* > -- * If the return code is -2, then then the login attempt failed, > -- * do not try other login mechanisms > -- */ > -- return (1); > -- } > -- > -- if ((config.features & INSECURE) !=3D 0 || > -- (config.features & SECURETRANS) !=3D 0) { > -- /* Send AUTH command according to RFC 2554 */ > -- send_remote_command(fd, "AUTH LOGIN"); > -- if (read_remote(fd, 0, NULL) !=3D 3) { > -- syslog(LOG_NOTICE, "remote delivery deferred:" > -- " AUTH login not available: %s", > -- neterr); > -+ // CRAM-MD5 > -+ if (features->auth.cram_md5) { > -+ res =3D smtp_auth_md5(fd, login, password); > -+ if (res =3D=3D 0) { > -+ return (0); > -+ } else if (res =3D=3D -2) { > -+ /* > -+ * If the return code is -2, then then the login attempt failed, > -+ * do not try other login mechanisms > -+ */ > - return (1); > - } > -+ } > -=20 > -- len =3D base64_encode(login, strlen(login), &temp); > -- if (len < 0) { > -+ // LOGIN > -+ if (features->auth.login) { > -+ if ((config.features & INSECURE) !=3D 0 || > -+ (config.features & SECURETRANS) !=3D 0) { > -+ /* Send AUTH command according to RFC 2554 */ > -+ send_remote_command(fd, "AUTH LOGIN"); > -+ if (read_remote(fd, 0, NULL) !=3D 3) { > -+ syslog(LOG_NOTICE, "remote delivery deferred:" > -+ " AUTH login 
not available: %s", > -+ neterr); > -+ return (1); > -+ } > -+ > -+ len =3D base64_encode(login, strlen(login), &temp); > -+ if (len < 0) { > - encerr: > -- syslog(LOG_ERR, "can not encode auth reply: %m"); > -- return (1); > -- } > -+ syslog(LOG_ERR, "can not encode auth reply: %m"); > -+ return (1); > -+ } > -=20 > -- send_remote_command(fd, "%s", temp); > -- free(temp); > -- res =3D read_remote(fd, 0, NULL); > -- if (res !=3D 3) { > -- syslog(LOG_NOTICE, "remote delivery %s: AUTH login failed: %s", > -- res =3D=3D 5 ? "failed" : "deferred", neterr); > -- return (res =3D=3D 5 ? -1 : 1); > -- } > -+ send_remote_command(fd, "%s", temp); > -+ free(temp); > -+ res =3D read_remote(fd, 0, NULL); > -+ if (res !=3D 3) { > -+ syslog(LOG_NOTICE, "remote delivery %s: AUTH login failed: %s", > -+ res =3D=3D 5 ? "failed" : "deferred", neterr); > -+ return (res =3D=3D 5 ? -1 : 1); > -+ } > -=20 > -- len =3D base64_encode(password, strlen(password), &temp); > -- if (len < 0) > -- goto encerr; > -- > -- send_remote_command(fd, "%s", temp); > -- free(temp); > -- res =3D read_remote(fd, 0, NULL); > -- if (res !=3D 2) { > -- syslog(LOG_NOTICE, "remote delivery %s: Authentication failed: %s", > -- res =3D=3D 5 ? "failed" : "deferred", neterr); > -- return (res =3D=3D 5 ? -1 : 1); > -+ len =3D base64_encode(password, strlen(password), &temp); > -+ if (len < 0) > -+ goto encerr; > -+ > -+ send_remote_command(fd, "%s", temp); > -+ free(temp); > -+ res =3D read_remote(fd, 0, NULL); > -+ if (res !=3D 2) { > -+ syslog(LOG_NOTICE, "remote delivery %s: Authentication failed: %s", > -+ res =3D=3D 5 ? "failed" : "deferred", neterr); > -+ return (res =3D=3D 5 ? -1 : 1); > -+ } > -+ } else { > -+ syslog(LOG_WARNING, "non-encrypted SMTP login is disabled in config, s= o skipping it. "); > -+ return (1); > - } > -- } else { > -- syslog(LOG_WARNING, "non-encrypted SMTP login is disabled in config, so= skipping it. 
"); > -- return (1); > - } > -=20 > - return (0); > -@@ -348,10 +354,115 @@ close_connection(int fd) > - close(fd); > - } > -=20 > -+static void parse_auth_line(char* line, struct smtp_auth_mechanisms* auth= ) { > -+ // Skip the auth prefix > -+ line +=3D strlen("AUTH "); > -+ > -+ char* method =3D strtok(line, " "); > -+ while (method) { > -+ if (strcmp(method, "CRAM-MD5") =3D=3D 0) > -+ auth->cram_md5 =3D 1; > -+ > -+ else if (strcmp(method, "LOGIN") =3D=3D 0) > -+ auth->login =3D 1; > -+ > -+ method =3D strtok(NULL, " "); > -+ } > -+} > -+ > -+int perform_server_greeting(int fd, struct smtp_features* features) { > -+ /* > -+ Send EHLO > -+ XXX allow HELO fallback > -+ */ > -+ send_remote_command(fd, "EHLO %s", hostname()); > -+ > -+ char buffer[EHLO_RESPONSE_SIZE]; > -+ memset(buffer, 0, sizeof(buffer)); > -+ > -+ int res =3D read_remote(fd, sizeof(buffer) - 1, buffer); > -+ > -+ // Got an unexpected response > -+ if (res !=3D 2) > -+ return -1; > -+ > -+ // Reset all features > -+ memset(features, 0, sizeof(*features)); > -+ > -+ // Run through the buffer line by line > -+ char linebuffer[EHLO_RESPONSE_SIZE]; > -+ char* p =3D buffer; > -+ > -+ while (*p) { > -+ char* line =3D linebuffer; > -+ while (*p && *p !=3D '\n') { > -+ *line++ =3D *p++; > -+ } > -+ > -+ // p should never point to NULL after the loop > -+ // above unless we reached the end of the buffer. > -+ // In that case we will raise an error. > -+ if (!*p) { > -+ return -1; > -+ } > -+ > -+ // Otherwise p points to the newline character which > -+ // we will skip. > -+ p++; > -+ > -+ // Terminte the string (and remove the carriage-return character) > -+ *--line =3D '\0'; > -+ line =3D linebuffer; > -+ > -+ // End main loop for empty lines > -+ if (*line =3D=3D '\0') > -+ break; > -+ > -+ // Process the line > -+ // - Must start with 250, followed by dash or space > -+ // - We won't check for the correct usage of space and dash because > -+ // that is already done in read_remote(). 
> -+ if ((strncmp(line, "250-", 4) !=3D 0) && (strncmp(line, "250 ", 4) !=3D= 0)) { > -+ syslog(LOG_ERR, "Invalid line: %s\n", line); > -+ return -1; > -+ } > -+ > -+ // Skip the prefix > -+ line +=3D 4; > -+ > -+ // Check for STARTTLS > -+ if (strcmp(line, "STARTTLS") =3D=3D 0) > -+ features->starttls =3D 1; > -+ > -+ // Parse authentication mechanisms > -+ else if (strncmp(line, "AUTH ", 5) =3D=3D 0) > -+ parse_auth_line(line, &features->auth); > -+ } > -+ > -+ syslog(LOG_DEBUG, "Server greeting successfully completed"); > -+ > -+ // STARTTLS > -+ if (features->starttls) > -+ syslog(LOG_DEBUG, " Server supports STARTTLS"); > -+ else > -+ syslog(LOG_DEBUG, " Server does not support STARTTLS"); > -+ > -+ // Authentication > -+ if (features->auth.cram_md5) { > -+ syslog(LOG_DEBUG, " Server supports CRAM-MD5 authentication"); > -+ } > -+ if (features->auth.login) { > -+ syslog(LOG_DEBUG, " Server supports LOGIN authentication"); > -+ } > -+ > -+ return 0; > -+} > -+ > - static int > - deliver_to_host(struct qitem *it, struct mx_hostentry *host) > - { > - struct authuser *a; > -+ struct smtp_features features; > - char line[1000]; > - size_t linelen; > - int fd, error =3D 0, do_auth =3D 0, res =3D 0; > -@@ -389,7 +500,7 @@ deliver_to_host(struct qitem *it, struct mx_hostentry = *host) > - } > -=20 > - if ((config.features & SECURETRANS) !=3D 0) { > -- error =3D smtp_init_crypto(fd, config.features); > -+ error =3D smtp_init_crypto(fd, config.features, &features); > - if (error =3D=3D 0) > - syslog(LOG_DEBUG, "SSL initialization successful"); > - else > -@@ -399,10 +510,12 @@ deliver_to_host(struct qitem *it, struct mx_hostentr= y *host) > - READ_REMOTE_CHECK("connect", 2); > - } > -=20 > -- /* XXX allow HELO fallback */ > -- /* XXX record ESMTP keywords */ > -- send_remote_command(fd, "EHLO %s", hostname()); > -- READ_REMOTE_CHECK("EHLO", 2); > -+ // Say EHLO > -+ if (perform_server_greeting(fd, &features) !=3D 0) { > -+ syslog(LOG_ERR, "Could not perform server 
greeting at %s [%s]: %s", > -+ host->host, host->addr, neterr); > -+ return -1; > -+ } > -=20 > - /* > - * Use SMTP authentication if the user defined an entry for the remote > -@@ -421,7 +534,7 @@ deliver_to_host(struct qitem *it, struct mx_hostentry = *host) > - * encryption. > - */ > - syslog(LOG_INFO, "using SMTP authentication for user %s", a->login); > -- error =3D smtp_login(fd, a->login, a->password); > -+ error =3D smtp_login(fd, a->login, a->password, &features); > - if (error < 0) { > - syslog(LOG_ERR, "remote delivery failed:" > - " SMTP login failed: %m"); > diff --git a/src/patches/dma-0.10-better-tls.patch b/src/patches/dma-0.10-b= etter-tls.patch > deleted file mode 100644 > index 8f60fdd04..000000000 > --- a/src/patches/dma-0.10-better-tls.patch > +++ /dev/null > @@ -1,26 +0,0 @@ > -commit e94f50bbbe7318eec5b6b165ff73d94bbc9d20b0 > -Author: Michael Tremer > -Date: Sun Feb 11 11:05:43 2018 +0000 > - > - crypto: Don't limit to TLSv1 only > - =20 > - Signed-off-by: Michael Tremer > - > -diff --git a/crypto.c b/crypto.c > -index 897b55bfdcfc..440c882880b5 100644 > ---- a/crypto.c > -+++ b/crypto.c > -@@ -93,7 +93,12 @@ smtp_init_crypto(int fd, int feature) > - SSL_library_init(); > - SSL_load_error_strings(); > -=20 > -- meth =3D TLSv1_client_method(); > -+ // Allow any possible version > -+#if (OPENSSL_VERSION_NUMBER >=3D 0x10100000L) > -+ meth =3D TLS_client_method(); > -+#else > -+ meth =3D SSLv23_client_method(); > -+#endif > -=20 > - ctx =3D SSL_CTX_new(meth); > - if (ctx =3D=3D NULL) { > diff --git a/src/patches/dma-0.11-compile-fixes.patch b/src/patches/dma-0.1= 1-compile-fixes.patch > deleted file mode 100644 > index a6e5165c9..000000000 > --- a/src/patches/dma-0.11-compile-fixes.patch > +++ /dev/null 
> @@ -1,29 +0,0 @@ > -From 60cf6f03a4b13ec0e491a282ab5233a1619a7a66 Mon Sep 17 00:00:00 2001 > -From: Michael Tremer > -Date: Tue, 24 Apr 2018 12:30:13 +0100 > -Subject: [PATCH] net.c: Include string.h > - > -Various functions that have been used come from string.h. GCC compiled > -dma without this header, but unfortunately the binary segfaulted at random > -times. > - > -Signed-off-by: Michael Tremer > ---- > - net.c | 1 + > - 1 file changed, 1 insertion(+) > - > -diff --git a/net.c b/net.c > -index a1cc3e3bfd79..221dda131a23 100644 > ---- a/net.c > -+++ b/net.c > -@@ -53,6 +53,7 @@ > - #include > - #include > - #include > -+#include > - #include > - #include > -=20 > ---=20 > -2.14.3 > - > --=20 > 2.16.4
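Review bot: in the `@@ -40,7 +40,7 @@` hunk of lfs/dma the only integrity check on the new tarball is still `$(DL_FILE)_MD5 = 58cb2a286995381c92dc557e639622d6`, and neither the hunk nor the commit message says where that value came from. MD5 is not collision-resistant, so a reviewer cannot tell from the patch whether the digest was taken from an upstream release announcement or simply computed over whatever was downloaded; please state the source of the checksum in the commit message so the version bump can be re-verified later.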
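Review bot: the `@@ -73,9 +73,6 @@` hunk of lfs/dma removes the three `patch -Np1` invocations on the strength of the commit message's statement that the patches were merged upstream, but the patch gives no upstream commit ids or release notes for 0.12 that a reviewer could check. Two of the dropped patches change security behaviour (TLS version negotiation and SMTP AUTH mechanism selection), so the upstream references belong in the commit message; without them a quiet regression in 0.12 would not be caught by review.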
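Review bot: deleting dma-0.10-better-authentication.patch (the `@@ -1,373 +0,0 @@` hunk) relies on upstream 0.12 containing an equivalent of `perform_server_greeting()`, i.e. parsing the EHLO reply and attempting CRAM-MD5 or LOGIN only when the server advertises them. The deleted patch's own description records that blindly trying mechanisms got mail rejected as spam, so please confirm that the 0.12 `net.c` drives mechanism selection from the advertised `AUTH` keywords rather than reverting to the old `smtp_login()` flow.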
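Review bot: deleting dma-0.10-better-tls.patch (the `@@ -1,26 +0,0 @@` hunk) removes the change from `TLSv1_client_method()` to `TLS_client_method()` (`SSLv23_client_method()` on older OpenSSL). If upstream 0.12 still calls `TLSv1_client_method()`, DMA would again be pinned to TLS 1.0 when talking to the smarthost; please confirm which method the 0.12 `crypto.c` uses before dropping the patch.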
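Review bot: deleting dma-0.11-compile-fixes.patch (the `@@ -1,29 +0,0 @@` hunk) removes the `#include` of `string.h` in `net.c` that the deleted patch's description ties to random segfaults when built without it. Worth confirming that 0.12's `net.c` includes the header, since the original symptom was a runtime crash rather than a compile error and a successful build would not reveal its absence.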