In part 1 I showed how one can use tcp_wrappers to patch graymilter in order to support dns based whitelists (as opposed to IP based whitelists that it supports by default).

But what if you need something faster than having graymilter open /etc/hosts.allow for every message passed to it in order to decide whether the sending host is whitelisted or not?

Basically you need a strcmp(3) function with a twist. While the strcmp(3) family of functions compare from left to right, you need the opposite:

#ifndef _RIGHT_STRCMP_C_
#define _RIGHT_STRCMP_C_ 1

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Think of this as a rightmost strcmp() */

static int
right_strcmp(char *x, char *y)
{
int xl, yl, l;
char *s;

        xl = strlen(x);
        yl = strlen(y);
        l = xl - yl;

        if (l < 0) {
                return l;
        } else {
                s = x + l;
                return (strncmp(s, y, yl));
        }
}

#endif /* _RIGHT_STRCMP_C_ */

Now you can include the file right_strcmp.c at the top of graymilter.c (remember right_strcmp() is declared as a static function). If you are using graymilter version 1.26 you then scroll down at line 680 and add this snippet of code:

$ diff graymilter.c graymilter.c-
76d75
< #include "right_strcmp.c"
680,692d678
<     if (right_strcmp(connhost, ".example.com") == 0) {
<           syslog(LOG_INFO, "accepting host %s", connhost);
<           return SMFIS_ACCEPT;
<     }
<     if (right_strcmp(connhost, ".example.org") == 0) {
<           syslog(LOG_INFO, "accepting host %s", connhost);
<           return SMFIS_ACCEPT;
<     }
<     if (right_strcmp(connhost, ".example.net") == 0) {
<           syslog(LOG_INFO, "accepting host %s", connhost);
<           return SMFIS_ACCEPT;
<     }
<

Yes, the above example hardcodes the domains into the graymilter executable. One is free to play around and write a simple function that reads a domain list from a file and wraps around right_strcmp() with the help of stdarg(3). That way you only have to write one if statement. This is left as an exercise to the reader.

(part 1) (part 3)

graymilter is an excellent (and very simple) tool to implement Greylisting. But what if you want to have whitelists not based on IP lists, but on DNS instead? Say to allow all .amazon.com machines to connect to your mail server without having to know the IP addresses range of Amazon’s outgoing mail servers?

A first attempt using tcp_wrappers:

Here comes my patch on graymilter.c (version 1.23):

Tue Jun 14 16:54 [146] > diff graymilter.c graymilter.c-
76d75
< #include <tcpd.h>
543d541
<     struct request_info req;
582,593d579
<
<     /*
<      * Check if the hostname is allowed in /etc/hosts.allow.
<      * Note 1: We are searching only for ALLOW entries.  DENY entries
<      *         are ignored
<      * Note 2: The servicename in /etc/hosts.allow is graymilter
<      */
<     request_init(&req, RQ_DAEMON, "graymilter", RQ_CLIENT_NAME, connhost, 0);
<     fromhost(&req);
<     if (hosts_access(&req)) {
<         syslog( LOG_INFO, "%s is whitelisted by /etc/hosts.allow - accepting",
<                 connhost );
<         return SMFIS_ACCEPT;
<     }

Please remember to add -lwrap at LDFLAGS in your Makefile.

Use this hack with great care. An enty like:

graymilter: .gr : ALLOW

in /etc/hosts.allow would mean that any host in the .gr domain name space is whitelisted. This includes DSL and dialup customers of all the Greek ISPs! This is definately not what you wanted whitelisted.

Drawback of this patch: On a mail server with hundred of messages per hour (the patched) graymilter crashes because it opens far too many times /etc/hosts.allow for reading. Part 2 of this post will deal with a solution to this problem.

(part 2)