
Add blacklist support to sendmail
ClosedPublic

Authored by lidl on May 27 2016, 4:25 AM.

Details

Summary

When compiled with SASL support, blacklistd will be notified about bad login attempts during SMTP AUTH interactions. The "stop_attack" code is also augmented with blacklistd support - too many bad commands (typically 25) also count as a bad user. The "greet_pause" violators will also be counted as a "bad user" attempt.

These are pretty conservative places to add support. More could be added in the future. In conjunction with a milter, some innovative blacklist support could be added.
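The reporting logic the summary describes, as an added illustration that is not code from this revision or from sendmail: a per-session counter feeds libblacklist's blacklist_open()/blacklist_r() through wrappers named after the blacklist_init/blacklist_notify prototypes that appear in the sendmail.h hunk quoted later in the thread. The mapping of events to action codes (BLACKLIST_AUTH_FAIL for a failed AUTH, BLACKLIST_BAD_USER for the stop_attack threshold and for greet_pause violations), the threshold constant of 25, the `struct smtp_session` type and the fallback that records the last report when USE_BLACKLIST is not defined are all assumptions made for this example.

```c
/* Added example, not part of the sendmail patch under review.
 * With USE_BLACKLIST defined it calls the real libblacklist; without it,
 * the report is recorded in a struct so the logic runs on any host. */
#include <stdio.h>
#include <string.h>

#ifdef USE_BLACKLIST
#include <blacklist.h>          /* blacklist_open(), blacklist_r() */
#else
/* Stand-ins for the libblacklist action codes (values assumed here). */
#define BLACKLIST_AUTH_FAIL         1
#define BLACKLIST_ABUSIVE_BEHAVIOR  2
#define BLACKLIST_BAD_USER          3
#endif

#define MAXBADCOMMANDS 25       /* "typically 25" per the summary (assumed) */

/* Hypothetical per-connection state; sendmail keeps this elsewhere. */
struct smtp_session {
    int fd;                     /* client socket; blacklistd derives the peer address from it */
    int badcommands;            /* running count of rejected commands */
};

/* Last report, kept so the behaviour can be inspected without libblacklist. */
struct bl_report { int action; int fd; char msg[64]; int count; };
static struct bl_report last_report;

#ifdef USE_BLACKLIST
static struct blacklist *bl;
#endif

/* Open the blacklistd channel once at daemon start-up. */
void blacklist_init(void) {
#ifdef USE_BLACKLIST
    bl = blacklist_open();
#endif
    memset(&last_report, 0, sizeof last_report);
}

/* Report one event for the connection on fd. Failure to reach blacklistd
 * is deliberately ignored: mail delivery must not depend on it. */
void blacklist_notify(int action, int fd, const char *msg) {
#ifdef USE_BLACKLIST
    if (bl != NULL)
        (void)blacklist_r(bl, action, fd, msg);
#endif
    last_report.action = action;
    last_report.fd = fd;
    snprintf(last_report.msg, sizeof last_report.msg, "%s", msg);
    last_report.count++;
}

/* SMTP AUTH outcome: a failed login is reported immediately. */
void smtp_auth_result(struct smtp_session *s, int ok) {
    if (!ok)
        blacklist_notify(BLACKLIST_AUTH_FAIL, s->fd, "smtp auth failure");
}

/* A rejected command: report once the stop_attack threshold is reached.
 * Returns 1 when the session should be dropped, 0 otherwise. */
int smtp_bad_command(struct smtp_session *s) {
    s->badcommands++;
    if (s->badcommands >= MAXBADCOMMANDS) {
        blacklist_notify(BLACKLIST_BAD_USER, s->fd, "too many bad commands");
        return 1;
    }
    return 0;
}

/* Client spoke before the greeting: greet_pause violation, also a bad user. */
void smtp_greet_pause_violation(struct smtp_session *s) {
    blacklist_notify(BLACKLIST_BAD_USER, s->fd, "greet_pause violation");
}

/* Accessor for the recorded report. */
const struct bl_report *blacklist_last_report(void) { return &last_report; }
```

Build with `-DUSE_BLACKLIST -lblacklist` on a system that ships libblacklist to send real reports; blacklistd then applies whatever block rule its configuration maps to the daemon's port. Without the define the code compiles anywhere and only records the report.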

Diff Detail

Repository
rP FreeBSD ports repository
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

lidl updated this revision to Diff 16971. May 27 2016, 4:25 AM
lidl retitled this revision from to Add blacklist support to sendmail.
lidl updated this object.
lidl edited the test plan for this revision. (Show Details)
lidl added reviewers: rpaulo, emaste.
lidl set the repository for this revision to rS FreeBSD src repository.
gshapiro edited edge metadata. May 27 2016, 6:58 AM

I would prefer not to modify the base sendmail as it is a direct import from the upstream vendor source. Modifications like this belong in either a milter port or the sendmail port.

rpaulo accepted this revision. May 27 2016, 7:25 PM
rpaulo edited edge metadata.
This revision is now accepted and ready to land. May 27 2016, 7:25 PM
gshapiro requested changes to this revision. May 28 2016, 7:19 AM
gshapiro edited edge metadata.

Setting action to request change to a port diff instead of a base diff.

This revision now requires changes to proceed. May 28 2016, 7:19 AM
lidl updated this revision to Diff 17547. Jun 12 2016, 11:10 PM
lidl edited edge metadata.
lidl changed the repository for this revision from rS FreeBSD src repository to rP FreeBSD ports repository.

This review has been moved to be relative to the ports/sendmail infrastructure.

I don't know if the installed portname should be altered or not. (Typically, each of
the options gets added to the portname, so "sendmail+sasl+db2", etc.)

I also don't know how to make the option available only to systems that have
libblacklist.so installed (i.e., recent FreeBSD-head systems, or FreeBSD-11 when it
is released).

At any rate, this is a new starting point for discussion about how to add blacklistd
support to sendmail. I ended up putting the new functions into existing files, so
as to minimize the diff to the port. I think that ideally, the blacklist functions would
go into an entirely new file in the sendmail distribution.

dinoex edited edge metadata. Jun 15 2016, 4:50 AM

Looks fine, but I would like to preserve the functional ordering in the Makefile and in the options.

[...] CYRUSLOOKUP BLACKLISTD PICKY_HELO_CHECK [...]

lidl updated this revision to Diff 18063. Jul 2 2016, 3:42 AM
lidl edited edge metadata.

I placed the option where you suggested in the Makefile, and
adjusted the order of the other parts of the Makefile to match.

The rest of the patch is unchanged.

dinoex edited edge metadata. May 22 2017, 10:05 AM

Stalled: there is no port that installs the needed library, blacklist.so.

/usr/bin/ld: cannot find -lblacklist

This revision now requires changes to proceed. May 22 2017, 10:05 AM

Please commit D6595 to ports HEAD.
I'm using this on 11.1-RELEASE-p1 and it works well with a patched files/patch-sendmail.h, as follows.

--- sendmail/sendmail.h.orig    2016-06-12 18:23:05.239106000 -0400
+++ sendmail/sendmail.h 2016-06-12 18:42:38.972341000 -0400
@@ -2647,6 +2647,13 @@
 extern char    *milter_unknown __P((char *, ENVELOPE *, char *));
 #endif /* MILTER */
 
+#ifdef USE_BLACKLIST
+/* blacklistd functions */
+void blacklist_init(void);
+void blacklist_notify(int, int, char *);
+#include <blacklist.h>
+#endif
+
 extern char    *addquotes __P((char *, SM_RPOOL_T *));
 extern char    *arpadate __P((char *));
 extern bool    atobool __P((char *));
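Review bot: the two new prototypes, `+void blacklist_init(void);` and `+void blacklist_notify(int, int, char *);`, use a different form from every surrounding declaration in this header, which are written as `extern ... __P((...))` (e.g. `extern char *milter_unknown __P((char *, ENVELOPE *, char *));`); match that style, and move `+#include <blacklist.h>` to the top of the `#ifdef USE_BLACKLIST` block so the library's own declarations come before the wrappers that build on them. The two `int` parameters of `blacklist_notify` are undocumented; a one-line comment naming them (the blacklist action and the client socket, if that is the intent) would save the next reader a trip to the call sites.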

Patch does not apply to HEAD.

After merging:
Port with this OPTION does not build on FreeBSD 10.

dinoex requested changes to this revision. Oct 16 2017, 8:49 AM
This revision was automatically updated to reflect the committed changes.

Thank you very much for committing to HEAD.

I think a better Makefile is as follows.

# diff -ruN Makefile.org Makefile
--- Makefile.org        2017-10-16 18:18:49.000000000 +0900
+++ Makefile    2017-10-16 20:20:04.716251000 +0900
@@ -2,7 +2,7 @@
 
 PORTNAME=      sendmail
 PORTVERSION=   8.15.2
-PORTREVISION=  3
+PORTREVISION=  4
 CATEGORIES=    mail ipv6
 MASTER_SITES=  ftp://ftp.sendmail.org/pub/sendmail/
 PKGNAMESUFFIX?=        ${TLS_SUFFIX}${SASL_SUFFIX}${LDAP_SUFFIX}${BDB_SUFFIX}${PKGNAMESUFFIX2}
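Review bot: the `PORTREVISION` bump from 3 to 4 is warranted since the option set changes, but the `PKGNAMESUFFIX?=` line in the same hunk is left untouched, so a package built with BLACKLISTD carries no distinguishing suffix the way TLS, SASL, LDAP and BDB builds do; the author asked earlier in this thread whether the port name should change for the new option, and this hunk is the place to settle it, either by adding a suffix variable for it or by stating that none is wanted.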
@@ -45,9 +45,16 @@
 BASEMAIL=      /usr/libexec/sendmail/sendmail
 MILTER_SOVER?= 6
 
+.include <bsd.port.pre.mk>
+.if ${OSVERSION} < 1100000
 OPTIONS_DEFINE?=       SHMEM SEM LA NIS IPV6 TLS SASL SASLAUTHD LDAP BDB \
+                       GDBM SOCKETMAP CYRUSLOOKUP \
+                       PICKY_HELO_CHECK MILTER DOCS
+.else
+OPTIONS_DEFINE?=       SHMEM SEM LA NIS IPV6 TLS SASL SASLAUTHD LDAP BDB \
                        GDBM SOCKETMAP CYRUSLOOKUP BLACKLISTD \
                        PICKY_HELO_CHECK MILTER DOCS
+.endif
 OPTIONS_DEFAULT?=      SHMEM SEM LA NIS TLS SASL SASLAUTHD BDB1 \
                        PICKY_HELO_CHECK MILTER
 NO_OPTIONS_SORT=yes
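Review bot: `+.include <bsd.port.pre.mk>` is placed before `OPTIONS_DEFINE?=`, but the options framework is evaluated by that include, so an option list defined after it is not seen and the BLACKLISTD option cannot be selected on either branch. Keep a single unconditional `OPTIONS_DEFINE` that contains BLACKLISTD, then after `.include <bsd.port.options.mk>` add a check along the lines of `.if ${OSVERSION} < 1100000 && ${PORT_OPTIONS:MBLACKLISTD}` that sets `IGNORE=` with a message about libblacklist; that avoids duplicating the whole option list in the `.if`/`.else` branches and gives FreeBSD 10 users an explanation instead of the `cannot find -lblacklist` link error reported earlier in the thread.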