Close server smtp socket explicitly on connect ACL "drop"

diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index 1cfcc0404fd8ce00a0cb2493b6b287175272c4ba..6880e3c091a89025c92936cb07cc9c502b3dd459 100644 (file)
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -3565,6 +3565,19 @@ problem, because we get here only if some other ACL has issued "drop", and
 in that case, *its* custom messages will have been used above. */
 
 smtp_notquit_exit(US"acl-drop", NULL, NULL);
+
+/* An overenthusiastic fail2ban/iptables implimentation has been seen to result
+in the TCP conn staying open, and retrying, despite this process exiting. A
+malicious client could possibly do the same, tying up server netowrking
+resources. Close the socket explicitly to try to avoid that (there's a note in
+the Linux socket(7) manpage, SO_LINGER para, to the effect that exim() without
+close() results in the socket always lingering). */
+
+(void) poll_one_fd(fileno(smtp_in), POLLIN, 200);
+DEBUG(D_any) debug_printf_indent("SMTP(close)>>\n");
+(void) fclose(smtp_in);
+(void) fclose(smtp_out);
+
 return 2;
 }
 

diff --git a/test/confs/0022 b/test/confs/0022
index cb41aa4224932a8ab22d23f952651e808cbc0e7c..e3fadf3e6ad6158121169a72f9cc49a1fa6211df 100644 (file)
--- a/test/confs/0022
+++ b/test/confs/0022
@@ -1,6 +1,7 @@
 # Exim test configuration 0022
 
 SERVER=
+CONTROL=
 
 .include DIR/aux-var/std_conf_prefix
 
@@ -10,6 +11,7 @@ primary_hostname = myhost.test.ex
 
 hostlist some_hosts = net-lsearch;DIR/aux-var/TESTNUM.hosts
 
+CONTROL
 acl_smtp_rcpt = $local_part
 log_selector = +smtp_connection
 hosts_connection_nolog = : 127.0.0.1

diff --git a/test/log/0022 b/test/log/0022
index fd7018bc8838504cb73a17d5fbde16deed9f4d4f..0a01877486c1be2223b8cb23c035814a2882348d 100644 (file)
--- a/test/log/0022
+++ b/test/log/0022
@@ -19,3 +19,5 @@
 1999-03-02 09:44:33 10HmbD-0005vi-00 <= x@y H=(test) [127.0.0.1] P=smtp S=sss
 1999-03-02 09:44:33 10HmbD-0005vi-00 no immediate delivery: queued by ACL
 1999-03-02 09:44:33 10HmbE-0005vi-00 <= x@y H=(test) [127.0.0.1] P=smtp S=sss
+1999-03-02 09:44:33 exim x.yz daemon started: pid=p1235, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 H=[127.0.0.1] rejected connection in "connect" ACL: 550 client disliked

diff --git a/test/rejectlog/0022 b/test/rejectlog/0022
new file mode 100644 (file)
index 0000000..68e21ff
--- /dev/null
+++ b/test/rejectlog/0022
@@ -0,0 +1,3 @@
+
+******** SERVER ********
+1999-03-02 09:44:33 H=[127.0.0.1] rejected connection in "connect" ACL: 550 client disliked

diff --git a/test/scripts/0000-Basic/0022 b/test/scripts/0000-Basic/0022
index 9c7837304749a0036bd326cf14c41f17501a6abb..3db869992b4e4398d376503849d2811700383c05 100644 (file)
--- a/test/scripts/0000-Basic/0022
+++ b/test/scripts/0000-Basic/0022
@@ -166,4 +166,17 @@ quit
 killdaemon
 exim -bp
 ****
+sudo rm DIR/spool/input/*
+#
+#
+#
+#
+exim -DSERVER=server -DCONTROL='acl_smtp_connect=drop message=550 client disliked' -odq -bd -oX PORT_D
+****
+client 127.0.0.1 PORT_D
+??? 550 client disliked
+???*
+****
+killdaemon
+#
 no_msglog_check

diff --git a/test/stderr/0022 b/test/stderr/0022
index 536e4278bf7f6c9af0acc61621ed3c80f036a194..e988c467e2e150765aa3983ace15ccf9fd5c68b0 100644 (file)
--- a/test/stderr/0022
+++ b/test/stderr/0022
@@ -1,10 +1,10 @@
 Exim version x.yz ....
 changed uid/gid: forcing real = effective
-  uid=uuuu gid=CALLER_GID pid=p1235
+  uid=uuuu gid=CALLER_GID pid=p1236
 configuration file is TESTSUITE/test-config
 admin user
 changed uid/gid: privilege not needed
-  uid=EXIM_UID gid=EXIM_GID pid=p1235
+  uid=EXIM_UID gid=EXIM_GID pid=p1236
 seeking password data for user "CALLER": cache not available
 getpwnam() succeeded uid=CALLER_UID gid=CALLER_GID
 originator: uid=CALLER_UID gid=CALLER_GID login=CALLER name=CALLER_NAME
@@ -42,9 +42,9 @@ log directory space = nnnnnK inodes = nnnnn check_space = 10240K inodes = 100
 SMTP>> 250 OK
 SMTP<< rcpt to:<warn_empty@test.ex>
 using ACL "warn_empty"
-processing "warn" (TESTSUITE/test-config 29)
+processing "warn" (TESTSUITE/test-config 31)
 warn: condition test succeeded in ACL "warn_empty"
-processing "accept" (TESTSUITE/test-config 30)
+processing "accept" (TESTSUITE/test-config 32)
 accept: condition test succeeded in ACL "warn_empty"
 end of ACL "warn_empty": ACCEPT
 SMTP>> 250 Accepted
@@ -77,14 +77,14 @@ SMTP>> 221 myhost.test.ex closing connection
 LOG: smtp_connection MAIN
   SMTP connection from (test) [V4NET.9.8.7] closed by QUIT
 search_tidyup called
->>>>>>>>>>>>>>>> Exim pid=p1235 (fresh-exec) terminating with rc=0 >>>>>>>>>>>>>>>>
+>>>>>>>>>>>>>>>> Exim pid=p1236 (fresh-exec) terminating with rc=0 >>>>>>>>>>>>>>>>
 Exim version x.yz ....
 changed uid/gid: forcing real = effective
-  uid=uuuu gid=CALLER_GID pid=p1236
+  uid=uuuu gid=CALLER_GID pid=p1237
 configuration file is TESTSUITE/test-config
 admin user
 changed uid/gid: privilege not needed
-  uid=EXIM_UID gid=EXIM_GID pid=p1236
+  uid=EXIM_UID gid=EXIM_GID pid=p1237
 seeking password data for user "CALLER": cache not available
 getpwnam() succeeded uid=CALLER_UID gid=CALLER_GID
 originator: uid=CALLER_UID gid=CALLER_GID login=CALLER name=CALLER_NAME
@@ -122,12 +122,12 @@ log directory space = nnnnnK inodes = nnnnn check_space = 10240K inodes = 100
 SMTP>> 250 OK
 SMTP<< rcpt to:<warn_log@test.ex>
 using ACL "warn_log"
-processing "warn" (TESTSUITE/test-config 33)
+processing "warn" (TESTSUITE/test-config 35)
 l_message: warn log message
 warn: condition test succeeded in ACL "warn_log"
 LOG: MAIN
   H=(test) [V4NET.9.8.7] Warning: warn log message
-processing "accept" (TESTSUITE/test-config 34)
+processing "accept" (TESTSUITE/test-config 36)
 accept: condition test succeeded in ACL "warn_log"
 end of ACL "warn_log": ACCEPT
 SMTP>> 250 Accepted
@@ -160,14 +160,14 @@ SMTP>> 221 myhost.test.ex closing connection
 LOG: smtp_connection MAIN
   SMTP connection from (test) [V4NET.9.8.7] closed by QUIT
 search_tidyup called
->>>>>>>>>>>>>>>> Exim pid=p1236 (fresh-exec) terminating with rc=0 >>>>>>>>>>>>>>>>
+>>>>>>>>>>>>>>>> Exim pid=p1237 (fresh-exec) terminating with rc=0 >>>>>>>>>>>>>>>>
 Exim version x.yz ....
 changed uid/gid: forcing real = effective
-  uid=uuuu gid=CALLER_GID pid=p1237
+  uid=uuuu gid=CALLER_GID pid=p1238
 configuration file is TESTSUITE/test-config
 admin user
 changed uid/gid: privilege not needed
-  uid=EXIM_UID gid=EXIM_GID pid=p1237
+  uid=EXIM_UID gid=EXIM_GID pid=p1238
 seeking password data for user "CALLER": cache not available
 getpwnam() succeeded uid=CALLER_UID gid=CALLER_GID
 originator: uid=CALLER_UID gid=CALLER_GID login=CALLER name=CALLER_NAME
@@ -205,10 +205,10 @@ log directory space = nnnnnK inodes = nnnnn check_space = 10240K inodes = 100
 SMTP>> 250 OK
 SMTP<< rcpt to:<warn_user@test.ex>
 using ACL "warn_user"
-processing "warn" (TESTSUITE/test-config 37)
+processing "warn" (TESTSUITE/test-config 39)
   message: warn user message
 warn: condition test succeeded in ACL "warn_user"
-processing "accept" (TESTSUITE/test-config 38)
+processing "accept" (TESTSUITE/test-config 40)
 accept: condition test succeeded in ACL "warn_user"
 end of ACL "warn_user": ACCEPT
 SMTP>> 250 Accepted
@@ -244,7 +244,7 @@ SMTP>> 221 myhost.test.ex closing connection
 LOG: smtp_connection MAIN
   SMTP connection from (test) [V4NET.9.8.7] closed by QUIT
 search_tidyup called
->>>>>>>>>>>>>>>> Exim pid=p1237 (fresh-exec) terminating with rc=0 >>>>>>>>>>>>>>>>
+>>>>>>>>>>>>>>>> Exim pid=p1238 (fresh-exec) terminating with rc=0 >>>>>>>>>>>>>>>>
 >>> host in hosts_connection_nolog?
 >>>  list element: 
 >>>  list element: 127.0.0.1
@@ -262,17 +262,17 @@ LOG: SMTP connection from [V4NET.9.8.7]
 >>>  list element: @[]
 >>> test in helo_lookup_domains? no (end of list)
 >>> using ACL "defer"
->>> processing "defer" (TESTSUITE/test-config 51)
+>>> processing "defer" (TESTSUITE/test-config 53)
 >>>   message: forcibly deferred
 >>> defer: condition test succeeded in ACL "defer"
 >>> end of ACL "defer": DEFER
 LOG: H=(test) [V4NET.9.8.7] F=<x@y> temporarily rejected RCPT <defer@y>: forcibly deferred
 >>> using ACL "accept"
->>> processing "accept" (TESTSUITE/test-config 24)
+>>> processing "accept" (TESTSUITE/test-config 26)
 >>> accept: condition test succeeded in ACL "accept"
 >>> end of ACL "accept": ACCEPT
 >>> using ACL "drop"
->>> processing "drop" (TESTSUITE/test-config 41)
+>>> processing "drop" (TESTSUITE/test-config 43)
 >>>   message: forcibly dropped
 >>> drop: condition test succeeded in ACL "drop"
 >>> end of ACL "drop": DROP
@@ -295,7 +295,7 @@ LOG: SMTP connection from [V4NET.9.8.7]
 >>>  list element: @[]
 >>> test in helo_lookup_domains? no (end of list)
 >>> using ACL "defer_senders"
->>> processing "defer" (TESTSUITE/test-config 54)
+>>> processing "defer" (TESTSUITE/test-config 56)
 >>> check senders = :
 >>>  in ":"?
 >>>  list element: 
@@ -321,19 +321,19 @@ LOG: SMTP connection from [V4NET.9.8.7]
 >>>  list element: @[]
 >>> test in helo_lookup_domains? no (end of list)
 >>> using ACL "delay_accept"
->>> processing "accept" (TESTSUITE/test-config 57)
+>>> processing "accept" (TESTSUITE/test-config 59)
 >>> check delay = 1s
 >>> delay modifier requests 1-second delay
 >>> delay skipped in -bh checking mode
 >>> accept: condition test succeeded in ACL "delay_accept"
 >>> end of ACL "delay_accept": ACCEPT
 >>> using ACL "delay_warn"
->>> processing "warn" (TESTSUITE/test-config 60)
+>>> processing "warn" (TESTSUITE/test-config 62)
 >>> check delay = 1s
 >>> delay modifier requests 1-second delay
 >>> delay skipped in -bh checking mode
 >>> warn: condition test succeeded in ACL "delay_warn"
->>> processing "accept" (TESTSUITE/test-config 61)
+>>> processing "accept" (TESTSUITE/test-config 63)
 >>> accept: condition test succeeded in ACL "delay_warn"
 >>> end of ACL "delay_warn": ACCEPT
 LOG: SMTP connection from (test) [V4NET.9.8.7] closed by QUIT
@@ -354,7 +354,7 @@ LOG: SMTP connection from [V4NET.9.8.7]
 >>>  list element: @[]
 >>> test in helo_lookup_domains? no (end of list)
 >>> using ACL "host_check"
->>> processing "deny" (TESTSUITE/test-config 71)
+>>> processing "deny" (TESTSUITE/test-config 73)
 >>> check hosts = net-lsearch;TESTSUITE/aux-var/0022.hosts
 >>> host in "net-lsearch;TESTSUITE/aux-var/0022.hosts"?
 >>>  list element: net-lsearch;TESTSUITE/aux-var/0022.hosts
@@ -364,7 +364,7 @@ LOG: SMTP connection from [V4NET.9.8.7]
 >>> end of ACL "host_check": DENY
 LOG: H=(test) [V4NET.9.8.7] F=<x@y> rejected RCPT <host_check@y>: host data >A host-specific message<
 >>> using ACL "host_check"
->>> processing "deny" (TESTSUITE/test-config 71)
+>>> processing "deny" (TESTSUITE/test-config 73)
 >>> check hosts = net-lsearch;TESTSUITE/aux-var/0022.hosts
 >>> host in "net-lsearch;TESTSUITE/aux-var/0022.hosts"?
 >>>  list element: net-lsearch;TESTSUITE/aux-var/0022.hosts
@@ -374,7 +374,7 @@ LOG: H=(test) [V4NET.9.8.7] F=<x@y> rejected RCPT <host_check@y>: host data >A h
 >>> end of ACL "host_check": DENY
 LOG: H=(test) [V4NET.9.8.7] F=<x@y> rejected RCPT <host_check@y>: host data >A host-specific message<
 >>> using ACL "host_check2"
->>> processing "deny" (TESTSUITE/test-config 75)
+>>> processing "deny" (TESTSUITE/test-config 77)
 >>>   message: host data >$host_data<
 >>> check hosts = +some_hosts
 >>> host in "+some_hosts"?
@@ -387,7 +387,7 @@ LOG: H=(test) [V4NET.9.8.7] F=<x@y> rejected RCPT <host_check@y>: host data >A h
 >>> end of ACL "host_check2": DENY
 LOG: H=(test) [V4NET.9.8.7] F=<x@y> rejected RCPT <host_check2@y>: host data >A host-specific message<
 >>> using ACL "host_check2"
->>> processing "deny" (TESTSUITE/test-config 75)
+>>> processing "deny" (TESTSUITE/test-config 77)
 >>>   message: host data >$host_data<
 >>> check hosts = +some_hosts
 >>> host in "+some_hosts"?
@@ -442,10 +442,10 @@ LOG: SMTP connection from [V4NET.9.8.7]
 >>>  list element: @[]
 >>> test in helo_lookup_domains? no (end of list)
 >>> using ACL "nested_drop"
->>> processing "accept" (TESTSUITE/test-config 44)
+>>> processing "accept" (TESTSUITE/test-config 46)
 >>> check acl = drop
 >>>  using ACL "drop"
->>>  processing "drop" (TESTSUITE/test-config 41)
+>>>  processing "drop" (TESTSUITE/test-config 43)
 >>>    message: forcibly dropped
 >>>  drop: condition test succeeded in ACL "drop"
 >>>  end of ACL "drop": DROP
@@ -470,10 +470,10 @@ LOG: SMTP connection from [V4NET.9.8.7]
 >>>  list element: @[]
 >>> test in helo_lookup_domains? no (end of list)
 >>> using ACL "nested_drop_require"
->>> processing "require" (TESTSUITE/test-config 48)
+>>> processing "require" (TESTSUITE/test-config 50)
 >>> check acl = drop
 >>>  using ACL "drop"
->>>  processing "drop" (TESTSUITE/test-config 41)
+>>>  processing "drop" (TESTSUITE/test-config 43)
 >>>    message: forcibly dropped
 >>>  drop: condition test succeeded in ACL "drop"
 >>>  end of ACL "drop": DROP

diff --git a/test/stdout/0022 b/test/stdout/0022
index 311dd73035adff821fa5750a6379e0316837e09a..67c0e10e17e4c3e068e11f9539000c20981ae228 100644 (file)
--- a/test/stdout/0022
+++ b/test/stdout/0022
@@ -235,3 +235,9 @@ End of script
  0m   sss 10HmbE-0005vi-00 <x@y>
           accept@y
 
+Connecting to 127.0.0.1 port 1225 ... connected
+??? 550 client disliked
+<<< 550 client disliked
+???*
+Expected EOF read
+End of script