From 57d70161718e02927a22d6a3481803b72035ac46 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sat, 31 Dec 2022 13:37:17 +0000 Subject: [PATCH] Close server smtp socket explicitly on connect ACL "drop" --- src/src/smtp_in.c | 13 ++++++++ test/confs/0022 | 2 ++ test/log/0022 | 2 ++ test/rejectlog/0022 | 3 ++ test/scripts/0000-Basic/0022 | 13 ++++++++ test/stderr/0022 | 60 ++++++++++++++++++------------------ test/stdout/0022 | 6 ++++ 7 files changed, 69 insertions(+), 30 deletions(-) create mode 100644 test/rejectlog/0022 diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c index 1cfcc0404..6880e3c09 100644 --- a/src/src/smtp_in.c +++ b/src/src/smtp_in.c @@ -3565,6 +3565,19 @@ problem, because we get here only if some other ACL has issued "drop", and in that case, *its* custom messages will have been used above. */ smtp_notquit_exit(US"acl-drop", NULL, NULL); + +/* An overenthusiastic fail2ban/iptables implimentation has been seen to result +in the TCP conn staying open, and retrying, despite this process exiting. A +malicious client could possibly do the same, tying up server netowrking +resources. Close the socket explicitly to try to avoid that (there's a note in +the Linux socket(7) manpage, SO_LINGER para, to the effect that exim() without +close() results in the socket always lingering). */ + +(void) poll_one_fd(fileno(smtp_in), POLLIN, 200); +DEBUG(D_any) debug_printf_indent("SMTP(close)>>\n"); +(void) fclose(smtp_in); +(void) fclose(smtp_out); + return 2; } diff --git a/test/confs/0022 b/test/confs/0022 index cb41aa422..e3fadf3e6 100644 --- a/test/confs/0022 +++ b/test/confs/0022 @@ -1,6 +1,7 @@ # Exim test configuration 0022 SERVER= +CONTROL= .include DIR/aux-var/std_conf_prefix @@ -10,6 +11,7 @@ primary_hostname = myhost.test.ex hostlist some_hosts = net-lsearch;DIR/aux-var/TESTNUM.hosts +CONTROL acl_smtp_rcpt = $local_part log_selector = +smtp_connection hosts_connection_nolog = : 127.0.0.1 diff --git a/test/log/0022 b/test/log/0022 index fd7018bc8..0a0187748 100644 --- a/test/log/0022 +++ b/test/log/0022 @@ -19,3 +19,5 @@ 1999-03-02 09:44:33 10HmbD-0005vi-00 <= x@y H=(test) [127.0.0.1] P=smtp S=sss 1999-03-02 09:44:33 10HmbD-0005vi-00 no immediate delivery: queued by ACL 1999-03-02 09:44:33 10HmbE-0005vi-00 <= x@y H=(test) [127.0.0.1] P=smtp S=sss +1999-03-02 09:44:33 exim x.yz daemon started: pid=p1235, no queue runs, listening for SMTP on port PORT_D +1999-03-02 09:44:33 H=[127.0.0.1] rejected connection in "connect" ACL: 550 client disliked diff --git a/test/rejectlog/0022 b/test/rejectlog/0022 new file mode 100644 index 000000000..68e21fff3 --- /dev/null +++ b/test/rejectlog/0022 @@ -0,0 +1,3 @@ + +******** SERVER ******** +1999-03-02 09:44:33 H=[127.0.0.1] rejected connection in "connect" ACL: 550 client disliked diff --git a/test/scripts/0000-Basic/0022 b/test/scripts/0000-Basic/0022 index 9c7837304..3db869992 100644 --- a/test/scripts/0000-Basic/0022 +++ b/test/scripts/0000-Basic/0022 @@ -166,4 +166,17 @@ quit killdaemon exim -bp **** +sudo rm DIR/spool/input/* +# +# +# +# +exim -DSERVER=server -DCONTROL='acl_smtp_connect=drop message=550 client disliked' -odq -bd -oX PORT_D +**** +client 127.0.0.1 PORT_D +??? 550 client disliked +???* +**** +killdaemon +# no_msglog_check diff --git a/test/stderr/0022 b/test/stderr/0022 index 536e4278b..e988c467e 100644 --- a/test/stderr/0022 +++ b/test/stderr/0022 @@ -1,10 +1,10 @@ Exim version x.yz .... changed uid/gid: forcing real = effective - uid=uuuu gid=CALLER_GID pid=p1235 + uid=uuuu gid=CALLER_GID pid=p1236 configuration file is TESTSUITE/test-config admin user changed uid/gid: privilege not needed - uid=EXIM_UID gid=EXIM_GID pid=p1235 + uid=EXIM_UID gid=EXIM_GID pid=p1236 seeking password data for user "CALLER": cache not available getpwnam() succeeded uid=CALLER_UID gid=CALLER_GID originator: uid=CALLER_UID gid=CALLER_GID login=CALLER name=CALLER_NAME @@ -42,9 +42,9 @@ log directory space = nnnnnK inodes = nnnnn check_space = 10240K inodes = 100 SMTP>> 250 OK SMTP<< rcpt to: using ACL "warn_empty" -processing "warn" (TESTSUITE/test-config 29) +processing "warn" (TESTSUITE/test-config 31) warn: condition test succeeded in ACL "warn_empty" -processing "accept" (TESTSUITE/test-config 30) +processing "accept" (TESTSUITE/test-config 32) accept: condition test succeeded in ACL "warn_empty" end of ACL "warn_empty": ACCEPT SMTP>> 250 Accepted @@ -77,14 +77,14 @@ SMTP>> 221 myhost.test.ex closing connection LOG: smtp_connection MAIN SMTP connection from (test) [V4NET.9.8.7] closed by QUIT search_tidyup called ->>>>>>>>>>>>>>>> Exim pid=p1235 (fresh-exec) terminating with rc=0 >>>>>>>>>>>>>>>> +>>>>>>>>>>>>>>>> Exim pid=p1236 (fresh-exec) terminating with rc=0 >>>>>>>>>>>>>>>> Exim version x.yz .... changed uid/gid: forcing real = effective - uid=uuuu gid=CALLER_GID pid=p1236 + uid=uuuu gid=CALLER_GID pid=p1237 configuration file is TESTSUITE/test-config admin user changed uid/gid: privilege not needed - uid=EXIM_UID gid=EXIM_GID pid=p1236 + uid=EXIM_UID gid=EXIM_GID pid=p1237 seeking password data for user "CALLER": cache not available getpwnam() succeeded uid=CALLER_UID gid=CALLER_GID originator: uid=CALLER_UID gid=CALLER_GID login=CALLER name=CALLER_NAME @@ -122,12 +122,12 @@ log directory space = nnnnnK inodes = nnnnn check_space = 10240K inodes = 100 SMTP>> 250 OK SMTP<< rcpt to: using ACL "warn_log" -processing "warn" (TESTSUITE/test-config 33) +processing "warn" (TESTSUITE/test-config 35) l_message: warn log message warn: condition test succeeded in ACL "warn_log" LOG: MAIN H=(test) [V4NET.9.8.7] Warning: warn log message -processing "accept" (TESTSUITE/test-config 34) +processing "accept" (TESTSUITE/test-config 36) accept: condition test succeeded in ACL "warn_log" end of ACL "warn_log": ACCEPT SMTP>> 250 Accepted @@ -160,14 +160,14 @@ SMTP>> 221 myhost.test.ex closing connection LOG: smtp_connection MAIN SMTP connection from (test) [V4NET.9.8.7] closed by QUIT search_tidyup called ->>>>>>>>>>>>>>>> Exim pid=p1236 (fresh-exec) terminating with rc=0 >>>>>>>>>>>>>>>> +>>>>>>>>>>>>>>>> Exim pid=p1237 (fresh-exec) terminating with rc=0 >>>>>>>>>>>>>>>> Exim version x.yz .... changed uid/gid: forcing real = effective - uid=uuuu gid=CALLER_GID pid=p1237 + uid=uuuu gid=CALLER_GID pid=p1238 configuration file is TESTSUITE/test-config admin user changed uid/gid: privilege not needed - uid=EXIM_UID gid=EXIM_GID pid=p1237 + uid=EXIM_UID gid=EXIM_GID pid=p1238 seeking password data for user "CALLER": cache not available getpwnam() succeeded uid=CALLER_UID gid=CALLER_GID originator: uid=CALLER_UID gid=CALLER_GID login=CALLER name=CALLER_NAME @@ -205,10 +205,10 @@ log directory space = nnnnnK inodes = nnnnn check_space = 10240K inodes = 100 SMTP>> 250 OK SMTP<< rcpt to: using ACL "warn_user" -processing "warn" (TESTSUITE/test-config 37) +processing "warn" (TESTSUITE/test-config 39) message: warn user message warn: condition test succeeded in ACL "warn_user" -processing "accept" (TESTSUITE/test-config 38) +processing "accept" (TESTSUITE/test-config 40) accept: condition test succeeded in ACL "warn_user" end of ACL "warn_user": ACCEPT SMTP>> 250 Accepted @@ -244,7 +244,7 @@ SMTP>> 221 myhost.test.ex closing connection LOG: smtp_connection MAIN SMTP connection from (test) [V4NET.9.8.7] closed by QUIT search_tidyup called ->>>>>>>>>>>>>>>> Exim pid=p1237 (fresh-exec) terminating with rc=0 >>>>>>>>>>>>>>>> +>>>>>>>>>>>>>>>> Exim pid=p1238 (fresh-exec) terminating with rc=0 >>>>>>>>>>>>>>>> >>> host in hosts_connection_nolog? >>> list element: >>> list element: 127.0.0.1 @@ -262,17 +262,17 @@ LOG: SMTP connection from [V4NET.9.8.7] >>> list element: @[] >>> test in helo_lookup_domains? no (end of list) >>> using ACL "defer" ->>> processing "defer" (TESTSUITE/test-config 51) +>>> processing "defer" (TESTSUITE/test-config 53) >>> message: forcibly deferred >>> defer: condition test succeeded in ACL "defer" >>> end of ACL "defer": DEFER LOG: H=(test) [V4NET.9.8.7] F= temporarily rejected RCPT : forcibly deferred >>> using ACL "accept" ->>> processing "accept" (TESTSUITE/test-config 24) +>>> processing "accept" (TESTSUITE/test-config 26) >>> accept: condition test succeeded in ACL "accept" >>> end of ACL "accept": ACCEPT >>> using ACL "drop" ->>> processing "drop" (TESTSUITE/test-config 41) +>>> processing "drop" (TESTSUITE/test-config 43) >>> message: forcibly dropped >>> drop: condition test succeeded in ACL "drop" >>> end of ACL "drop": DROP @@ -295,7 +295,7 @@ LOG: SMTP connection from [V4NET.9.8.7] >>> list element: @[] >>> test in helo_lookup_domains? no (end of list) >>> using ACL "defer_senders" ->>> processing "defer" (TESTSUITE/test-config 54) +>>> processing "defer" (TESTSUITE/test-config 56) >>> check senders = : >>> in ":"? >>> list element: @@ -321,19 +321,19 @@ LOG: SMTP connection from [V4NET.9.8.7] >>> list element: @[] >>> test in helo_lookup_domains? no (end of list) >>> using ACL "delay_accept" ->>> processing "accept" (TESTSUITE/test-config 57) +>>> processing "accept" (TESTSUITE/test-config 59) >>> check delay = 1s >>> delay modifier requests 1-second delay >>> delay skipped in -bh checking mode >>> accept: condition test succeeded in ACL "delay_accept" >>> end of ACL "delay_accept": ACCEPT >>> using ACL "delay_warn" ->>> processing "warn" (TESTSUITE/test-config 60) +>>> processing "warn" (TESTSUITE/test-config 62) >>> check delay = 1s >>> delay modifier requests 1-second delay >>> delay skipped in -bh checking mode >>> warn: condition test succeeded in ACL "delay_warn" ->>> processing "accept" (TESTSUITE/test-config 61) +>>> processing "accept" (TESTSUITE/test-config 63) >>> accept: condition test succeeded in ACL "delay_warn" >>> end of ACL "delay_warn": ACCEPT LOG: SMTP connection from (test) [V4NET.9.8.7] closed by QUIT @@ -354,7 +354,7 @@ LOG: SMTP connection from [V4NET.9.8.7] >>> list element: @[] >>> test in helo_lookup_domains? no (end of list) >>> using ACL "host_check" ->>> processing "deny" (TESTSUITE/test-config 71) +>>> processing "deny" (TESTSUITE/test-config 73) >>> check hosts = net-lsearch;TESTSUITE/aux-var/0022.hosts >>> host in "net-lsearch;TESTSUITE/aux-var/0022.hosts"? >>> list element: net-lsearch;TESTSUITE/aux-var/0022.hosts @@ -364,7 +364,7 @@ LOG: SMTP connection from [V4NET.9.8.7] >>> end of ACL "host_check": DENY LOG: H=(test) [V4NET.9.8.7] F= rejected RCPT : host data >A host-specific message< >>> using ACL "host_check" ->>> processing "deny" (TESTSUITE/test-config 71) +>>> processing "deny" (TESTSUITE/test-config 73) >>> check hosts = net-lsearch;TESTSUITE/aux-var/0022.hosts >>> host in "net-lsearch;TESTSUITE/aux-var/0022.hosts"? >>> list element: net-lsearch;TESTSUITE/aux-var/0022.hosts @@ -374,7 +374,7 @@ LOG: H=(test) [V4NET.9.8.7] F= rejected RCPT : host data >A h >>> end of ACL "host_check": DENY LOG: H=(test) [V4NET.9.8.7] F= rejected RCPT : host data >A host-specific message< >>> using ACL "host_check2" ->>> processing "deny" (TESTSUITE/test-config 75) +>>> processing "deny" (TESTSUITE/test-config 77) >>> message: host data >$host_data< >>> check hosts = +some_hosts >>> host in "+some_hosts"? @@ -387,7 +387,7 @@ LOG: H=(test) [V4NET.9.8.7] F= rejected RCPT : host data >A h >>> end of ACL "host_check2": DENY LOG: H=(test) [V4NET.9.8.7] F= rejected RCPT : host data >A host-specific message< >>> using ACL "host_check2" ->>> processing "deny" (TESTSUITE/test-config 75) +>>> processing "deny" (TESTSUITE/test-config 77) >>> message: host data >$host_data< >>> check hosts = +some_hosts >>> host in "+some_hosts"? @@ -442,10 +442,10 @@ LOG: SMTP connection from [V4NET.9.8.7] >>> list element: @[] >>> test in helo_lookup_domains? no (end of list) >>> using ACL "nested_drop" ->>> processing "accept" (TESTSUITE/test-config 44) +>>> processing "accept" (TESTSUITE/test-config 46) >>> check acl = drop >>> using ACL "drop" ->>> processing "drop" (TESTSUITE/test-config 41) +>>> processing "drop" (TESTSUITE/test-config 43) >>> message: forcibly dropped >>> drop: condition test succeeded in ACL "drop" >>> end of ACL "drop": DROP @@ -470,10 +470,10 @@ LOG: SMTP connection from [V4NET.9.8.7] >>> list element: @[] >>> test in helo_lookup_domains? no (end of list) >>> using ACL "nested_drop_require" ->>> processing "require" (TESTSUITE/test-config 48) +>>> processing "require" (TESTSUITE/test-config 50) >>> check acl = drop >>> using ACL "drop" ->>> processing "drop" (TESTSUITE/test-config 41) +>>> processing "drop" (TESTSUITE/test-config 43) >>> message: forcibly dropped >>> drop: condition test succeeded in ACL "drop" >>> end of ACL "drop": DROP diff --git a/test/stdout/0022 b/test/stdout/0022 index 311dd7303..67c0e10e1 100644 --- a/test/stdout/0022 +++ b/test/stdout/0022 @@ -235,3 +235,9 @@ End of script 0m sss 10HmbE-0005vi-00 accept@y +Connecting to 127.0.0.1 port 1225 ... connected +??? 550 client disliked +<<< 550 client disliked +???* +Expected EOF read +End of script -- 2.30.2