
*BSD blocklist support (notqmail issue, open, 4 comments)

notqmail commented on June 6, 2024
*BSD blocklist support

from notqmail.

Comments (4)

skarnet commented on June 6, 2024

Note that on opportunistic TLS, you already have the network socket (it's the plaintext one that you're not supposed to use anymore once you activate TLS, but you still have a fd to it), so you don't need that workaround.
The fd-holding dance is only necessary if you're going to tlsify the connection from the get go.

from notqmail.

schmonz commented on June 6, 2024

@skarnet offers a third option:

  1. Have an fd-holder daemon running (example: s6-fdholder-daemon)
  2. In your command chain, right after tcpserver and before the TLS part, store the socket in the fd-holder, with a short timeout and a long-and-random-enough identifier
  3. Pass that identifier in the environment
  4. In your command chain, after the TLS part and right before (or in) the program that calls blocklist(), use the identifier to retrieve the socket
  5. On AUTH success or failure, pass the socket to blocklist()

For opportunistic TLS, it could be a while before we can retrieve the right socket in the right state. Say we set a 30-second timeout on the fd-holder; if an initially unencrypted connection finally establishes TLS 31 seconds later, the fd-retriever program (example: s6-fdholder-retrieve) will fail and the connection will close. We can, of course, set a longer timeout on the socket-holder. (The longer the timeout, the easier it is to DoS the fd-holder by creating lots of connections.)

Alternatively, blocklist_sa() may not need the socket to be in any particular state. The manual page says "blocklist_sa() can be used with unconnected sockets, where getpeername(2) will not work". In which case the application can retrieve the socket immediately and have it available in case AUTH happens.

from notqmail.
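The "fd-holding dance" in the option above rests on one mechanism: a socket descriptor is handed to a holder process over a UNIX socket (SCM_RIGHTS), kept under an identifier, and handed back to a later stage of the command chain after the TLS layer has interposed itself. The following is an added example written for this page, not code from notqmail or from s6; it assumes POSIX AF_UNIX sockets with SCM_RIGHTS, uses a constructed identifier `conn-7f3a` in place of the long-and-random one a real deployment would generate, and stops where the retrieved socket would be passed to blocklist() (libblocklist is not linked here). The round trip proves the retrieved descriptor is the original connection by reading a byte the peer writes:

```c
/* Added example (not notqmail or s6 code): pass a connection socket to
 * a holder and get it back later, the way an fd-holder lets a post-TLS
 * program reach the pre-TLS network socket.  POSIX sockets only. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Send descriptor fd over UNIX socket chan, tagged with an identifier. */
static int send_fd(int chan, int fd, const char *id)
{
    struct msghdr msg;
    struct iovec iov;
    char idbuf[64];
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct cmsghdr *cm;

    memset(&msg, 0, sizeof msg);
    memset(&u, 0, sizeof u);
    snprintf(idbuf, sizeof idbuf, "%s", id);
    iov.iov_base = idbuf;
    iov.iov_len = strlen(idbuf) + 1;      /* include the NUL */
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;
    cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET;
    cm->cmsg_type = SCM_RIGHTS;          /* the kernel dups fd into the receiver */
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(chan, &msg, 0) < 0 ? -1 : 0;
}

/* Receive a descriptor and its identifier; returns the new fd or -1. */
static int recv_fd(int chan, char *idout, size_t idlen)
{
    struct msghdr msg;
    struct iovec iov;
    union { struct cmsghdr hdr; char buf[CMSG_SPACE(sizeof(int))]; } u;
    struct cmsghdr *cm;
    int fd = -1;
    ssize_t n;

    memset(&msg, 0, sizeof msg);
    memset(&u, 0, sizeof u);
    iov.iov_base = idout;
    iov.iov_len = idlen;
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof u.buf;
    n = recvmsg(chan, &msg, 0);
    if (n <= 0) return -1;
    idout[idlen - 1] = '\0';             /* guarantee termination */
    for (cm = CMSG_FIRSTHDR(&msg); cm; cm = CMSG_NXTHDR(&msg, cm))
        if (cm->cmsg_level == SOL_SOCKET && cm->cmsg_type == SCM_RIGHTS)
            memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Store a "connection" socket, retrieve it, and confirm it is the same
 * connection: a byte written by the peer must arrive on the retrieved
 * fd.  Returns 1 on success, 0 on failure. */
int fdholder_roundtrip(void)
{
    int chan[2], conn[2], got = -1, ok = 0;
    char id[64], byte = 0;

    /* chan: client <-> holder channel.  conn: stands in for the accepted
     * network socket (constructed with socketpair so this runs offline). */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, chan) < 0) return 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, conn) < 0) {
        close(chan[0]); close(chan[1]); return 0;
    }
    /* Stage 1 (before the TLS part): store the socket under an identifier. */
    if (send_fd(chan[0], conn[0], "conn-7f3a") == 0) {
        /* Stage 2 (after the TLS part): retrieve by identifier; this is the
         * descriptor that would be handed to blocklist() on AUTH failure. */
        got = recv_fd(chan[1], id, sizeof id);
        if (got >= 0 && strcmp(id, "conn-7f3a") == 0 &&
            write(conn[1], "x", 1) == 1 &&
            read(got, &byte, 1) == 1 && byte == 'x')
            ok = 1;
    }
    if (got >= 0) close(got);
    close(conn[0]); close(conn[1]); close(chan[0]); close(chan[1]);
    return ok;
}

int main(void)
{
    printf("fd-holder round trip: %s\n", fdholder_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

The timeout concern raised above maps onto this directly: a real holder must expire stored descriptors, otherwise every connection that never reaches the retrieval stage leaves a socket (and its file-description) pinned in the holder, which is the resource a flood of connections would exhaust. The unconnected-socket variant is simpler still: if blocklist_sa() accepts a peer address captured with getpeername(2) at accept time, only the sockaddr needs to travel through the chain, not the descriptor.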

schmonz commented on June 6, 2024

Remembered that a user has requested this.

from notqmail.

schmonz commented on June 6, 2024

I'd been thinking about this for the case of "too many" failed authentication attempts on a port 587 service, but after seeing a particularly intent dictionary-attack spammer I'm thinking sysadmins might also want this for the case of "too many" rejected recipients on a port 25 service.

from notqmail.
