#!/usr/bin/perl use DB_File; use Fcntl; use Sys::Syslog qw(:DEFAULT setlogsock); use IO::Socket; use Net::IP; # # Usage: os-greylist.pl [-v] # # Delegated Postfix SMTPD policy server. This server implements # greylisting on detected OS basis. State is kept in a Berkeley DB database. # Logging is sent to syslogd. # # How it works: each time a Postfix SMTP server process is started # it connects to the policy service socket, and Postfix runs one # instance of this PERL script. By default, a Postfix SMTP server # process terminates after 100 seconds of idle time, or after serving # 100 clients. Thus, the cost of starting this PERL script is smoothed # out over time. # # To run this from /etc/postfix/master.cf: # # policy unix - n n - - spawn # user=nobody argv=/usr/bin/perl /usr/lib/postfix/os-greylist.pl # # To use this from Postfix SMTPD, use in /etc/postfix/main.cf: # # smtpd_recipient_restrictions = # ... # reject_unauth_destination # check_policy_service unix:private/policy # ... # # NOTE: specify check_policy_service AFTER reject_unauth_destination # or else your system can become an open relay. # # To test this script by hand, execute: # # % perl os-greylist.pl # # Each query is a bunch of attributes. Order does not matter, and # the demo script uses only a few of all the attributes shown below: # # request=smtpd_access_policy # protocol_state=RCPT # protocol_name=SMTP # helo_name=some.domain.tld # queue_id=8045F2AB23 # sender=foo@bar.tld # recipient=bar@foo.tld # client_address=1.2.3.4 # client_name=another.domain.tld # instance=123.456.7 # sasl_method=plain # sasl_username=you # sasl_sender= # size=12345 # [empty line] # # The policy server script will answer in the same style, with an # attribute list followed by a empty line: # # action=dunno # [empty line] # # # greylist status database and greylist time interval. DO NOT create the # greylist status database in a world-writable directory such as /tmp # or /var/tmp. DO NOT create the greylist database in a file system # that can run out of space. # # In case of database corruption, this script saves the database as # $database_name.time(), so that the mail system does not get stuck. # $database_name="/var/mta/greylist.db"; $greylist_delay=60; # # Syslogging options for verbose mode and for fatal errors. # NOTE: comment out the $syslog_socktype line if syslogging does not # work on your system. # $syslog_socktype = 'unix'; # inet, unix, stream, console $syslog_facility="mail"; $syslog_options="pid"; $syslog_priority="info"; # # You should run p0f like this # # p0f -i any -u user -Q /path/to/p0f/socket -0 'tcp dst port 25' # # -i any <- listen on any interface # # -u user <- user under p0f will run # please note that this script should be run with sufficient privileges to query p0f # # -Q /path/to/p0f/socket <- self explanatory ;-) # # -0 <- accept wildcard queries (i.e. src=1.2.3.4:*) # # 'tcp dst port 25' <- we are intereseted in TCP connections on 25'th port # $p0f_socket="/var/mta/p0f-socket"; sub p0f_query { my $QUERY_MAGIC = 0x0defaced; my $QTYPE_FINGERPRINT = 1; my $src = new Net::IP ($attr{"client_address"}) or die (Net::IP::Error()); # # This is TODO -> how to get all interfaces MTA listens on? # my $dst = new Net::IP ("1.2.3.4") or die (Net::IP::Error()); my $query = pack("L L L N N S S", $QUERY_MAGIC, $QTYPE_FINGERPRINT, 0x12345678, $src->intip(), $dst->intip(), 0, 25); my $sock = new IO::Socket::UNIX (Peer => $p0f_socket, Type => SOCK_STREAM); if (!$sock) { syslog $syslog_priority, "Could not create p0f socket: $!\n"; return "unknown"; } # Ask p0f print $sock $query; my $response = <$sock>; close $sock; # Extract the response from p0f my ($magic, $id, $type, $genre, $detail, $dist, $link, $tos, $fw, $nat, $real, $score, $mflags, $uptime) = unpack ("L L C Z20 Z40 c Z30 Z30 C C C s S N", $response); if ($magic != $QUERY_MAGIC) { syslog $syslog_priority, "bad p0f query magic"; return "unknown"; } if ($type == 1) { syslog $syslog_priority, "malformed p0f query"; return "unknown"; } if ($type == 2) { syslog $syslog_priority, "connection is not (no longer?) in the p0f cache" if $verbose; return "unknown"; } if ($genre eq "") { $genre = "unknown"; } if ($verbose) { syslog $syslog_priority, "OS detected: %s", $genre; } return $genre; } # # Demo SMTPD access policy routine. The result is an action just like # it would be specified on the right-hand side of a Postfix access # table. Request attributes are available via the %attr hash. # sub smtpd_access_policy { my($key, $time_stamp, $now); my $genre = p0f_query(); # Here the OS we want to graylist if ($genre ne "Windows") { if ($genre eq "unknown") { syslog $syslog_priority, "OS unknown: not graylisting", $genre; } else { syslog $syslog_priority, "%s OS detected: not graylisting", $genre; } return "dunno"; } # Open the database on the fly. open_database() unless $database_obj; # Lookup the time stamp for this client/sender/recipient. $key = lc $attr{"client_address"}."/".$attr{"sender"}."/".$attr{"recipient"}; $time_stamp = read_database($key); $now = time(); # If this is a new request add this client/sender/recipient to the database. if ($time_stamp == 0) { $time_stamp = $now; update_database($key, $time_stamp); } # The result can be any action that is allowed in a Postfix access(5) map. # # To label mail, return ``PREPEND'' headername: headertext # # In case of success, return ``DUNNO'' instead of ``OK'' so that the # check_policy_service restriction can be followed by other restrictions. # # In case of failure, specify ``DEFER_IF_PERMIT optional text...'' # so that mail can still be blocked by other access restrictions. # syslog $syslog_priority, "request age %d", $now - $time_stamp if $verbose; if ($now - $time_stamp > $greylist_delay) { return "dunno"; } else { syslog $syslog_priority, "%s OS detected: gralisted", $genre; return "defer_if_permit Service is unavailable"; } } # # You should not have to make changes below this point. # sub LOCK_SH { 1 }; # Shared lock (used for reading). sub LOCK_EX { 2 }; # Exclusive lock (used for writing). sub LOCK_NB { 4 }; # Don't block (for testing). sub LOCK_UN { 8 }; # Release lock. # # Log an error and abort. # sub fatal_exit { my($first) = shift(@_); syslog "err", "fatal: $first", @_; exit 1; } # # Open hash database. # sub open_database { my($database_fd); # Use tied database to make complex manipulations easier to express. $database_obj = tie(%db_hash, 'DB_File', $database_name, O_CREAT|O_RDWR, 0644, $DB_BTREE) || fatal_exit "Cannot open database %s: $!", $database_name; $database_fd = $database_obj->fd; open DATABASE_HANDLE, "+<&=$database_fd" || fatal_exit "Cannot fdopen database %s: $!", $database_name; syslog $syslog_priority, "open %s", $database_name if $verbose; } # # Read database. Use a shared lock to avoid reading the database # while it is being changed. XXX There should be a way to synchronize # our cache from the on-file database before looking up the key. # sub read_database { my($key) = @_; my($value); flock DATABASE_HANDLE, LOCK_SH || fatal_exit "Can't get shared lock on %s: $!", $database_name; # XXX Synchronize our cache from the on-disk copy before lookup. $value = $db_hash{$key}; syslog $syslog_priority, "lookup %s: %s", $key, $value if $verbose; flock DATABASE_HANDLE, LOCK_UN || fatal_exit "Can't unlock %s: $!", $database_name; return $value; } # # Update database. Use an exclusive lock to avoid collisions with # other updaters, and to avoid surprises in database readers. XXX # There should be a way to synchronize our cache from the on-file # database before updating the database. # sub update_database { my($key, $value) = @_; syslog $syslog_priority, "store %s: %s", $key, $value if $verbose; flock DATABASE_HANDLE, LOCK_EX || fatal_exit "Can't exclusively lock %s: $!", $database_name; # XXX Synchronize our cache from the on-disk copy before update. $db_hash{$key} = $value; $database_obj->sync() && fatal_exit "Can't update %s: $!", $database_name; flock DATABASE_HANDLE, LOCK_UN || fatal_exit "Can't unlock %s: $!", $database_name; } # # Signal 11 means that we have some kind of database corruption (yes # Berkeley DB should handle this better). Move the corrupted database # out of the way, and start with a new database. # sub sigsegv_handler { my $backup = $database_name . "." . time(); rename $database_name, $backup || fatal_exit "Can't save %s as %s: $!", $database_name, $backup; fatal_exit "Caught signal 11; the corrupted database is saved as $backup"; } $SIG{'SEGV'} = 'sigsegv_handler'; # # This process runs as a daemon, so it can't log to a terminal. Use # syslog so that people can actually see our messages. # setlogsock $syslog_socktype; openlog $0, $syslog_options, $syslog_facility; # # We don't need getopt() for now. # while ($option = shift(@ARGV)) { if ($option eq "-v") { $verbose = 1; } else { syslog $syslog_priority, "Invalid option: %s. Usage: %s [-v]", $option, $0; exit 1; } } # # Unbuffer standard output. # select((select(STDOUT), $| = 1)[0]); # # Receive a bunch of attributes, evaluate the policy, send the result. # while () { if (/([^=]+)=(.*)\n/) { $attr{substr($1, 0, 512)} = substr($2, 0, 512); } elsif ($_ eq "\n") { if ($verbose) { for (keys %attr) { syslog $syslog_priority, "Attribute: %s=%s", $_, $attr{$_}; } } fatal_exit "unrecognized request type: '%s'", $attr{request} unless $attr{"request"} eq "smtpd_access_policy"; $action = smtpd_access_policy(); syslog $syslog_priority, "Action: %s", $action if $verbose; print STDOUT "action=$action\n\n"; %attr = (); } else { chop; syslog $syslog_priority, "warning: ignoring garbage: %.100s", $_; } }