git-svn: trunk@2525
Nigel Horne authored on 2006/11/28 23:33:21... | ... |
@@ -24,9 +24,9 @@ |
24 | 24 |
* |
25 | 25 |
* For installation instructions see the file INSTALL that came with this file |
26 | 26 |
*/ |
27 |
-static char const rcsid[] = "$Id: clamav-milter.c,v 1.299 2006/11/11 20:08:36 njh Exp $"; |
|
27 |
+static char const rcsid[] = "$Id: clamav-milter.c,v 1.300 2006/11/28 14:31:12 njh Exp $"; |
|
28 | 28 |
|
29 |
-#define CM_VERSION "devel-101106" |
|
29 |
+#define CM_VERSION "devel-271106" |
|
30 | 30 |
|
31 | 31 |
#if HAVE_CONFIG_H |
32 | 32 |
#include "clamav-config.h" |
... | ... |
@@ -550,6 +550,7 @@ help(void) |
550 | 550 |
puts(_("\t--config-file=FILE\t-c FILE\tRead configuration from FILE.")); |
551 | 551 |
puts(_("\t--debug\t\t\t-D\tPrint debug messages.")); |
552 | 552 |
puts(_("\t--detect-forged-local-address\t-L\tReject mails that claim to be from us.")); |
553 |
+ puts(_("\t--dont-blacklist\t-K\tDon't blacklist a given IP.")); |
|
553 | 554 |
puts(_("\t--dont-scan-on-error\t-d\tPass e-mails through unscanned if a system error occurs.")); |
554 | 555 |
puts(_("\t--dont-wait\t\t\tAsk remote end to resend if max-children exceeded.")); |
555 | 556 |
puts(_("\t--external\t\t-e\tUse an external scanner (usually clamd).")); |
... | ... |
@@ -593,6 +594,7 @@ main(int argc, char **argv) |
593 | 593 |
extern char *optarg; |
594 | 594 |
int i, Bflag = 0, server = 0; |
595 | 595 |
char *cfgfile = NULL; |
596 |
+ const char *wont_blacklist = NULL; |
|
596 | 597 |
const struct cfgstruct *cpt; |
597 | 598 |
char version[VERSION_LENGTH + 1]; |
598 | 599 |
pthread_t tid; |
... | ... |
@@ -652,9 +654,9 @@ main(int argc, char **argv) |
652 | 652 |
struct cidr_net *net; |
653 | 653 |
struct in_addr ignoreIP; |
654 | 654 |
#ifdef CL_DEBUG |
655 |
- const char *args = "a:AbB:c:dDefF:I:k:lLm:M:nNop:PqQ:r:hHs:St:T:U:VwW:x:0:1:2"; |
|
655 |
+ const char *args = "a:AbB:c:dDefF:I:k:K:lLm:M:nNop:PqQ:r:hHs:St:T:U:VwW:x:0:1:2"; |
|
656 | 656 |
#else |
657 |
- const char *args = "a:AbB:c:dDefF:I:k:lLm:M:nNop:PqQ:r:hHs:St:T:U:VwW:0:1:2"; |
|
657 |
+ const char *args = "a:AbB:c:dDefF:I:k:K:lLm:M:nNop:PqQ:r:hHs:St:T:U:VwW:0:1:2"; |
|
658 | 658 |
#endif |
659 | 659 |
|
660 | 660 |
static struct option long_options[] = { |
... | ... |
@@ -677,6 +679,9 @@ main(int argc, char **argv) |
677 | 677 |
"detect-forged-local-address", 0, NULL, 'L' |
678 | 678 |
}, |
679 | 679 |
{ |
680 |
+ "dont-blacklist", 1, NULL, 'K' |
|
681 |
+ }, |
|
682 |
+ { |
|
680 | 683 |
"dont-scan-on-error", 0, NULL, 'd' |
681 | 684 |
}, |
682 | 685 |
{ |
... | ... |
@@ -836,6 +841,9 @@ main(int argc, char **argv) |
836 | 836 |
case 'k': /* blacklist time */ |
837 | 837 |
blacklist_time = atoi(optarg); |
838 | 838 |
break; |
839 |
+ case 'K': /* don't black list given IP */ |
|
840 |
+ wont_blacklist = optarg; |
|
841 |
+ break; |
|
839 | 842 |
case 'I': /* --ignore, -I hostname */ |
840 | 843 |
/* |
841 | 844 |
* Based on patch by jpd@louisiana.edu |
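Review bot: `case 'K'` stores `optarg` as-is, so a repeated `-K` silently replaces the earlier value and nothing checks that the text is an address in the form the blacklist lookup compares against; since the table appears to be keyed by the inserted string (the `"127.0.0.1"` insert elsewhere in this commit suggests a plain string match), a value like `010.0.0.1` or a hostname would be accepted here and simply never match, which is the opposite of the safe failure mode for an exemption option. Parsing with `inet_aton`/`inet_pton` at this point and storing the normalised text, or at least logging when `-K` is given twice, would make misuse visible; with only one pointer the option also cannot express the list the new TODO in clamfi_connect asks for, which the help text's "a given IP" wording should keep stating until that lands. The switch and main() both continue outside the hunk.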
... | ... |
@@ -1843,6 +1851,11 @@ main(int argc, char **argv) |
1843 | 1843 |
if(blacklist) |
1844 | 1844 |
/* We must never blacklist ourself */ |
1845 | 1845 |
tableInsert(blacklist, "127.0.0.1", 0); |
1846 |
+ |
|
1847 |
+ if(wont_blacklist) { |
|
1848 |
+ logg(_("^Won't blacklist %s\n"), wont_blacklist); |
|
1849 |
+ (void)tableInsert(blacklist, wont_blacklist, 0); |
|
1850 |
+ } |
|
1846 | 1851 |
} |
1847 | 1852 |
|
1848 | 1853 |
cli_dbgmsg("Started: %s\n", clamav_version); |
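Review bot: The added `if(wont_blacklist)` block calls `tableInsert(blacklist, wont_blacklist, 0)` without the `if(blacklist)` guard that the preceding `"127.0.0.1"` insert is wrapped in, so when `-K` was given and `blacklist` is NULL the new code hands a NULL table to tableInsert; guarding it the same way, `if(blacklist && wont_blacklist) {`, keeps the two inserts consistent. The `}` at the end of the hunk closes a block that starts outside it and, judging by the guard above, that block is only entered when blacklisting is enabled, so a `-K` given without it is presumably dropped without any message — a `logg` warning in the else path, or a sentence in the help text, would tell the operator. The `(void)` cast on the new call also differs from the unchecked insert just above; pick one style for both.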
... | ... |
@@ -2503,14 +2516,19 @@ clamfi_connect(SMFICTX *ctx, char *hostname, _SOCK_ADDR *hostaddr) |
2503 | 2503 |
} |
2504 | 2504 |
} |
2505 | 2505 |
if(isBlacklisted(remoteIP)) { |
2506 |
- logg("Rejected connexion from blacklisted IP %s\n", remoteIP); |
|
2506 |
+ char mess[128]; |
|
2507 | 2507 |
|
2508 | 2508 |
/* |
2509 | 2509 |
* TODO: Option to greylist rather than blacklist, by sending |
2510 | 2510 |
* a try again code |
2511 | 2511 |
* TODO: state *which* virus |
2512 |
+ * TODO: add optional list of IP addresses that won't be |
|
2513 |
+ * blacklisted |
|
2512 | 2514 |
*/ |
2513 |
- smfi_setreply(ctx, "550", "5.7.1", _("Your IP is blacklisted because your machine is infected with a virus")); |
|
2515 |
+ logg("Rejected connexion from blacklisted IP %s\n", remoteIP); |
|
2516 |
+ |
|
2517 |
+ snprintf(mess, sizeof(mess), _("%s is blacklisted because your machine is infected with a virus"), remoteIP); |
|
2518 |
+ smfi_setreply(ctx, "550", "5.7.1", mess); |
|
2514 | 2519 |
broadcast(_("Blacklisted IP detected")); |
2515 | 2520 |
|
2516 | 2521 |
/* |
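Review bot: The `snprintf` into `mess[128]` discards its return value, so if the `_()` translation of the format plus the address exceeds 127 bytes the SMTP reply text is silently truncated; the English text leaves room for even an IPv6 literal, but a longer translation may not. Checking the result, `if(n < 0 || (size_t)n >= sizeof(mess)) logg(_("^Blacklist reply truncated\n"));`, or sizing the buffer generously, makes that visible rather than shipping a cut-off sentence to the client. The TODO added at 2512-2513 should also acknowledge that this commit's `-K` already exempts a single address, e.g. `* TODO: extend -K/--dont-blacklist to a list of addresses`. clamfi_connect continues outside the hunk.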
... | ... |
@@ -111,6 +111,13 @@ The recommended value is 60. |
111 | 111 |
Machines on the LAN, the local host, and machines that are our MX peers are |
112 | 112 |
never blacklisted. |
113 | 113 |
.TP |
114 |
+\fB\f-K, \-\-dont-blacklist=IP\fR |
|
115 |
+Instructs clamav-milter to refrain from blacklisting an IP address. This |
|
116 |
+is useful for sites that receive email from upstream servers that are either |
|
117 |
+untrusted or have no virus. Without this option many false positives could |
|
118 |
+occur. This scenario often happens when the upstream server belongs to an |
|
119 |
+ISP that may not have AV software. |
|
120 |
+.TP |
|
114 | 121 |
\fB-l, \-\-local\fR |
115 | 122 |
Also scan messages sent from LAN. You probably want this especially if |
116 | 123 |
your LAN is populated by machines running Windows or DOS. |