Browse code
Added dont-blacklist=IP option
- clamav-devel/ChangeLog
- clamav-devel/clamav-milter/clamav-milter.c
- clamav-devel/docs/man/clamav-milter.8
| ... | ... |
@@ -24,9 +24,9 @@ |
| 24 | 24 |
* |
| 25 | 25 |
* For installation instructions see the file INSTALL that came with this file |
| 26 | 26 |
*/ |
| 27 |
-static char const rcsid[] = "$Id: clamav-milter.c,v 1.299 2006/11/11 20:08:36 njh Exp $"; |
|
| 27 |
+static char const rcsid[] = "$Id: clamav-milter.c,v 1.300 2006/11/28 14:31:12 njh Exp $"; |
|
| 28 | 28 |
|
| 29 |
-#define CM_VERSION "devel-101106" |
|
| 29 |
+#define CM_VERSION "devel-271106" |
|
| 30 | 30 |
|
| 31 | 31 |
#if HAVE_CONFIG_H |
| 32 | 32 |
#include "clamav-config.h" |
| ... | ... |
@@ -550,6 +550,7 @@ help(void) |
| 550 | 550 |
puts(_("\t--config-file=FILE\t-c FILE\tRead configuration from FILE."));
|
| 551 | 551 |
puts(_("\t--debug\t\t\t-D\tPrint debug messages."));
|
| 552 | 552 |
puts(_("\t--detect-forged-local-address\t-L\tReject mails that claim to be from us."));
|
| 553 |
+ puts(_("\t--dont-blacklist\t-K\tDon't blacklist a given IP."));
|
|
| 553 | 554 |
puts(_("\t--dont-scan-on-error\t-d\tPass e-mails through unscanned if a system error occurs."));
|
| 554 | 555 |
puts(_("\t--dont-wait\t\t\tAsk remote end to resend if max-children exceeded."));
|
| 555 | 556 |
puts(_("\t--external\t\t-e\tUse an external scanner (usually clamd)."));
|
| ... | ... |
@@ -593,6 +594,7 @@ main(int argc, char **argv) |
| 593 | 593 |
extern char *optarg; |
| 594 | 594 |
int i, Bflag = 0, server = 0; |
| 595 | 595 |
char *cfgfile = NULL; |
| 596 |
+ const char *wont_blacklist = NULL; |
|
| 596 | 597 |
const struct cfgstruct *cpt; |
| 597 | 598 |
char version[VERSION_LENGTH + 1]; |
| 598 | 599 |
pthread_t tid; |
| ... | ... |
@@ -652,9 +654,9 @@ main(int argc, char **argv) |
| 652 | 652 |
struct cidr_net *net; |
| 653 | 653 |
struct in_addr ignoreIP; |
| 654 | 654 |
#ifdef CL_DEBUG |
| 655 |
- const char *args = "a:AbB:c:dDefF:I:k:lLm:M:nNop:PqQ:r:hHs:St:T:U:VwW:x:0:1:2"; |
|
| 655 |
+ const char *args = "a:AbB:c:dDefF:I:k:K:lLm:M:nNop:PqQ:r:hHs:St:T:U:VwW:x:0:1:2"; |
|
| 656 | 656 |
#else |
| 657 |
- const char *args = "a:AbB:c:dDefF:I:k:lLm:M:nNop:PqQ:r:hHs:St:T:U:VwW:0:1:2"; |
|
| 657 |
+ const char *args = "a:AbB:c:dDefF:I:k:K:lLm:M:nNop:PqQ:r:hHs:St:T:U:VwW:0:1:2"; |
|
| 658 | 658 |
#endif |
| 659 | 659 |
|
| 660 | 660 |
static struct option long_options[] = {
|
| ... | ... |
@@ -677,6 +679,9 @@ main(int argc, char **argv) |
| 677 | 677 |
"detect-forged-local-address", 0, NULL, 'L' |
| 678 | 678 |
}, |
| 679 | 679 |
{
|
| 680 |
+ "dont-blacklist", 1, NULL, 'K' |
|
| 681 |
+ }, |
|
| 682 |
+ {
|
|
| 680 | 683 |
"dont-scan-on-error", 0, NULL, 'd' |
| 681 | 684 |
}, |
| 682 | 685 |
{
|
| ... | ... |
@@ -836,6 +841,9 @@ main(int argc, char **argv) |
| 836 | 836 |
case 'k': /* blacklist time */ |
| 837 | 837 |
blacklist_time = atoi(optarg); |
| 838 | 838 |
break; |
| 839 |
+ case 'K': /* don't black list given IP */ |
|
| 840 |
+ wont_blacklist = optarg; |
|
| 841 |
+ break; |
|
| 839 | 842 |
case 'I': /* --ignore, -I hostname */ |
| 840 | 843 |
/* |
| 841 | 844 |
* Based on patch by jpd@louisiana.edu |
| ... | ... |
@@ -1843,6 +1851,11 @@ main(int argc, char **argv) |
| 1843 | 1843 |
if(blacklist) |
| 1844 | 1844 |
/* We must never blacklist ourself */ |
| 1845 | 1845 |
tableInsert(blacklist, "127.0.0.1", 0); |
| 1846 |
+ |
|
| 1847 |
+ if(wont_blacklist) {
|
|
| 1848 |
+ logg(_("^Won't blacklist %s\n"), wont_blacklist);
|
|
| 1849 |
+ (void)tableInsert(blacklist, wont_blacklist, 0); |
|
| 1850 |
+ } |
|
| 1846 | 1851 |
} |
| 1847 | 1852 |
|
| 1848 | 1853 |
cli_dbgmsg("Started: %s\n", clamav_version);
|
| ... | ... |
@@ -2503,14 +2516,19 @@ clamfi_connect(SMFICTX *ctx, char *hostname, _SOCK_ADDR *hostaddr) |
| 2503 | 2503 |
} |
| 2504 | 2504 |
} |
| 2505 | 2505 |
if(isBlacklisted(remoteIP)) {
|
| 2506 |
- logg("Rejected connexion from blacklisted IP %s\n", remoteIP);
|
|
| 2506 |
+ char mess[128]; |
|
| 2507 | 2507 |
|
| 2508 | 2508 |
/* |
| 2509 | 2509 |
* TODO: Option to greylist rather than blacklist, by sending |
| 2510 | 2510 |
* a try again code |
| 2511 | 2511 |
* TODO: state *which* virus |
| 2512 |
+ * TODO: add optional list of IP addresses that won't be |
|
| 2513 |
+ * blacklisted |
|
| 2512 | 2514 |
*/ |
| 2513 |
- smfi_setreply(ctx, "550", "5.7.1", _("Your IP is blacklisted because your machine is infected with a virus"));
|
|
| 2515 |
+ logg("Rejected connexion from blacklisted IP %s\n", remoteIP);
|
|
| 2516 |
+ |
|
| 2517 |
+ snprintf(mess, sizeof(mess), _("%s is blacklisted because your machine is infected with a virus"), remoteIP);
|
|
| 2518 |
+ smfi_setreply(ctx, "550", "5.7.1", mess); |
|
| 2514 | 2519 |
broadcast(_("Blacklisted IP detected"));
|
| 2515 | 2520 |
|
| 2516 | 2521 |
/* |
| ... | ... |
@@ -111,6 +111,13 @@ The recommended value is 60. |
| 111 | 111 |
Machines on the LAN, the local host, and machines that are our MX peers are |
| 112 | 112 |
never blacklisted. |
| 113 | 113 |
.TP |
| 114 |
+\fB\f-K, \-\-dont-blacklist=IP\fR |
|
| 115 |
+Instructs clamav-milter to refrain from blacklisting an IP address. This |
|
| 116 |
+is useful for sites that receive email from upstream servers that are either |
|
| 117 |
+untrusted or have no virus. Without this option many false positives could |
|
| 118 |
+occur. This scenario often happens when the upstream server belongs to an |
|
| 119 |
+ISP that may not have AV software. |
|
| 120 |
+.TP |
|
| 114 | 121 |
\fB-l, \-\-local\fR |
| 115 | 122 |
Also scan messages sent from LAN. You probably want this especially if |
| 116 | 123 |
your LAN is populated by machines running Windows or DOS. |