[Spambayes-checkins] spambayes/scripts sb_server.py,1.20,1.21

Tony Meyer anadelonbrin at users.sourceforge.net
Tue Mar 16 00:08:33 EST 2004


Update of /cvsroot/spambayes/spambayes/scripts
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv32222/scripts

Modified Files:
	sb_server.py 
Log Message:
Fix the potential open relay problem with smtpproxy.

Fix 1:  The listening_ports option for smtpproxy is now of type SERVER rather
than type PORT, as the pop3proxy one already was.  This means that you
can set the listening port to be (for example) localhost:25, and only localhost
connections will be accepted.

Fix 2:

There are two new options, one in each of the pop3proxy and smtpproxy
sections, both called allow_remote_connections.  These do the same thing
as the option of the same name in the html_ui section (it's basically the same
code!).

By default, connections from outside localhost will return a POP3/SMTP
error message and close.  You can explicitly open this up to certain IPs or
to anyone, if you really want to.

Fix 3:

I've added to the smtpproxy option documentation to point out that entering
in your smtp server details isn't necessary if you're not going to use it to train
(although it does also allow the bug report to be sent...)

---

I've tested this as much as I can, using my machine and another machine on
my network.  I'm behind a firewall I don't control, so can't test anything more
remote than that, or use one of the available testing websites to check if this
works properly.  Given that this is a major concern, it would be great if someone
else was able to test this.

This also closes [ 797579 ] Disable connections to POP3 and SMTP from remote hosts

Index: sb_server.py
===================================================================
RCS file: /cvsroot/spambayes/spambayes/scripts/sb_server.py,v
retrieving revision 1.20
retrieving revision 1.21
diff -C2 -d -r1.20 -r1.21
*** sb_server.py	5 Feb 2004 08:13:26 -0000	1.20
--- sb_server.py	16 Mar 2004 05:08:31 -0000	1.21
***************
*** 188,194 ****
--- 188,219 ----
          self.seenAllHeaders = False # For the current RETR or TOP
          self.startTime = 0          # (ditto)
+ 
+         if not self.onIncomingConnection(clientSocket):
+             # We must refuse this connection, so pass an error back
+             # to the mail client.
+             self.push("-ERR Connection not allowed\r\n")
+             self.close_when_done()
+             return
+ 
          self.serverSocket = ServerLineReader(serverName, serverPort,
                                               self.onServerLine)
  
+     def onIncomingConnection(self, clientSocket):
+         """Checks the security settings."""
+         # Stolen from UserInterface.py
+ 
+         remoteIP = clientSocket.getpeername()[0]
+         trustedIPs = options["pop3proxy", "allow_remote_connections"]
+ 
+         if trustedIPs == "*" or remoteIP == clientSocket.getsockname()[0]:
+             return True
+ 
+         trustedIPs = trustedIPs.replace('.', '\.').replace('*', '([01]?\d\d?|2[04]\d|25[0-5])')
+         for trusted in trustedIPs.split(','):
+             if re.search("^" + trusted + "$", remoteIP):
+                 return True
+ 
+         return False
+ 
      def onTransaction(self, command, args, response):
          """Overide this.  Takes the raw request and the response, and
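
Review bot: In onIncomingConnection, the octet pattern substituted for '*' contains 2[04]\d, which matches only 200-209 and 240-249, so a wildcard entry never matches a peer whose octet in that position is 210-239; it should be 2[0-4]\d. The entries produced by trustedIPs.split(',') are also used without strip(), so a list written with a space after each comma will not match its later entries. Both failures deny rather than allow, but they make the allow list behave differently from what the option value says. Since the comment notes this was taken from UserInterface.py, consider moving the check into one shared helper so the copies do not drift.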



