Comments (4)
Note that on opportunistic TLS, you already have the network socket (it's the plaintext one that you're not supposed to use anymore once you activate TLS, but you still have a fd to it), so you don't need that workaround.
The fd-holding dance is only necessary if you're going to tlsify the connection from the get go.
from notqmail.
@skarnet offers a third option:
- Have an fd-holder daemon running (example: s6-fdholder-daemon)
- In your command chain, right after tcpserver and before the TLS part, store the socket in the fd-holder, with a short timeout and a long-and-random-enough identifier
- Pass that identifier in the environment
- In your command chain, after the TLS part and right before (or in) the program that calls blocklist(), use the identifier to retrieve the socket
- On AUTH success or failure, pass the socket to blocklist()
For opportunistic TLS, it could be a while before we can retrieve the right socket in the right state. Say we set a 30-second timeout on the fd-holder; if an initially unencrypted connection finally establishes TLS 31 seconds later, the fd-retriever program (example: s6-fdholder-retrieve) will fail and the connection will close. We can, of course, set a longer timeout on the socket-holder. (The longer the timeout, the easier it is to DoS the fd-holder by creating lots of connections.)

Alternatively, blocklist_sa() may not need the socket to be in any particular state. The manual page says "blocklist_sa() can be used with unconnected sockets, where getpeername(2) will not work". In which case the application can retrieve the socket immediately and have it available in case AUTH happens.
from notqmail.
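The store-then-retrieve step sketched in the comment above, modelled in-process as an added example (this is not notqmail, s6 or libblocklist code). It parks a socket under a random identifier with a deadline, snapshots the peer address while getpeername(2) still works so that a blocklist_sa()-style call can be fed later, and closes expired entries so idle connections cannot pin descriptors indefinitely. The slot cap, identifier length and function names are assumptions; in real use the socket would come from tcpserver and the holder would be a separate daemon reached over a Unix socket.

```c
/* Added example (not notqmail or s6 code): an in-process model of an fd-holder.
 * A connection's socket is parked under a random identifier with a deadline and
 * retrieved later by that identifier. Expired entries are closed, which is the
 * timeout-versus-DoS trade-off the comment describes. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/socket.h>

#define HOLDER_SLOTS 64           /* hard cap on parked sockets (assumed value) */
#define HOLDER_ID_BYTES 16        /* 128 random bits -> 32 hex characters */
#define HOLDER_ID_LEN (HOLDER_ID_BYTES * 2 + 1)

struct held_socket {
    int fd;                       /* -1 when the slot is free */
    time_t expires;               /* absolute deadline, compared with caller's clock */
    char id[HOLDER_ID_LEN];
    struct sockaddr_storage peer; /* snapshot taken while the socket was connected */
    socklen_t peerlen;            /* 0 when no peer address could be captured */
};

static struct held_socket slots[HOLDER_SLOTS];
static int slots_initialised = 0;

static void holder_init(void)
{
    if (slots_initialised) return;
    for (int i = 0; i < HOLDER_SLOTS; i++) slots[i].fd = -1;
    slots_initialised = 1;
}

/* Draw a long-and-random-enough identifier from /dev/urandom. */
static int make_id(char out[HOLDER_ID_LEN])
{
    unsigned char raw[HOLDER_ID_BYTES];
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (n != sizeof raw) return -1;
    for (size_t i = 0; i < sizeof raw; i++)
        snprintf(out + 2 * i, 3, "%02x", raw[i]);
    return 0;
}

/* Close and free every entry whose deadline has passed; returns how many. */
int holder_expire(time_t now)
{
    holder_init();
    int closed = 0;
    for (int i = 0; i < HOLDER_SLOTS; i++) {
        if (slots[i].fd >= 0 && slots[i].expires <= now) {
            close(slots[i].fd);
            slots[i].fd = -1;
            closed++;
        }
    }
    return closed;
}

/* Park fd for ttl seconds and write its identifier to id_out. Returns -1 when
 * the table is full or no identifier could be generated. The peer address is
 * captured here, before TLS or anything else replaces the caller's view of it. */
int holder_store(int fd, time_t now, int ttl, char id_out[HOLDER_ID_LEN])
{
    holder_init();
    holder_expire(now);
    for (int i = 0; i < HOLDER_SLOTS; i++) {
        if (slots[i].fd != -1) continue;
        if (make_id(slots[i].id) < 0) return -1;
        slots[i].peerlen = sizeof slots[i].peer;
        if (getpeername(fd, (struct sockaddr *)&slots[i].peer, &slots[i].peerlen) < 0)
            slots[i].peerlen = 0;   /* unconnected socket: address must come from elsewhere */
        slots[i].fd = fd;
        slots[i].expires = now + ttl;
        memcpy(id_out, slots[i].id, HOLDER_ID_LEN);
        return 0;
    }
    errno = ENOSPC;
    return -1;
}

/* Hand back the socket for an identifier and drop the entry. Copies the saved
 * peer address when both out-pointers are given. Returns -1 (ENOENT) when the
 * identifier is unknown or its deadline has already passed. */
int holder_retrieve(const char *id, time_t now,
                    struct sockaddr_storage *peer, socklen_t *peerlen)
{
    holder_init();
    holder_expire(now);
    for (int i = 0; i < HOLDER_SLOTS; i++) {
        if (slots[i].fd < 0 || strcmp(slots[i].id, id) != 0) continue;
        int fd = slots[i].fd;
        if (peer && peerlen) { *peer = slots[i].peer; *peerlen = slots[i].peerlen; }
        slots[i].fd = -1;
        return fd;
    }
    errno = ENOENT;
    return -1;
}
```

A retrieve after the deadline fails exactly as s6-fdholder-retrieve would in the 31-second scenario, and the closed descriptor is the reason a longer timeout costs more under a connection flood: every parked socket stays open until its deadline or its retrieval.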
Remembered that a user has requested this.
from notqmail.
I'd been thinking about this for the case of "too many" failed authentication attempts on a port 587 service, but after seeing a particularly intent dictionary-attack spammer I'm thinking sysadmins might also want this for the case of "too many" rejected recipients on a port 25 service.
from notqmail.