From 42f639244bcadf9978299ae5c55034b32fa463f7 Mon Sep 17 00:00:00 2001
From: manuel
Date: Tue, 11 Jun 2019 16:45:26 +0200
Subject: SMTP: limit max errors to 20
---
 qmail-smtpd.c | 64 +++++++++++++++++++++++++++++++++++++----------------------
 1 file changed, 40 insertions(+), 24 deletions(-)
diff --git a/qmail-smtpd.c b/qmail-smtpd.c
index 245949d..0b78265 100644
--- a/qmail-smtpd.c
+++ b/qmail-smtpd.c
@@ -160,29 +160,39 @@ void straynewline()
 }
 void die_pre_greet() { out("554 SMTP protocol violation\r\n"); flush(); _exit(1); }
-void err_size() { out("552 sorry, that message size exceeds my databytes limit (#5.3.4)\r\n"); }
-void err_bmf() { out("553 sorry, your envelope sender has been denied (#5.7.1)\r\n"); }
-void err_bmt() { out("553 sorry, your envelope recipient has been denied (#5.7.1)\r\n"); }
-void err_hmf() { out("553 sorry, your envelope sender domain must exist (#5.7.1)\r\n"); }
+int hard_errors = 0;
+unsigned int max_hard_errors = 20;
+void do_hard_errors() {
+ if (++hard_errors < max_hard_errors)
+ return;
+ enew(); eout("Maximum errors for "); eout(remoteip); eout(" reached. Closing connection\n");
+ out("421 too many errors (#4.7.0)\r\n"); flush();
+ eflush();
+ _exit(1);
+}
+
+void err_size() { out("552 sorry, that message size exceeds my databytes limit (#5.3.4)\r\n"); do_hard_errors(); }
+void err_bmf() { out("553 sorry, your envelope sender has been denied (#5.7.1)\r\n"); do_hard_errors(); }
+void err_bmt() { out("553 sorry, your envelope recipient has been denied (#5.7.1)\r\n"); do_hard_errors(); }
+void err_hmf() { out("553 sorry, your envelope sender domain must exist (#5.7.1)\r\n"); do_hard_errors(); }
 void err_smf() { out("451 DNS temporary failure (#4.3.0)\r\n"); }
-void err_brt() { out("550 sorry, this message is not deliverable (#5.7.1)\r\n"); }
-void err_bhelo() { out("553 sorry, your HELO host name has been denied (#5.7.1)\r\n"); }
-#ifndef TLS
-void err_nogateway() { out("553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)\r\n"); }
-#else
+void err_brt() { out("550 sorry, this message is not deliverable (#5.7.1)\r\n"); do_hard_errors(); }
+void err_bhelo() { out("553 sorry, your HELO host name has been denied (#5.7.1)\r\n"); do_hard_errors(); }
 void err_nogateway()
 {
 out("553 sorry, that domain isn't in my list of allowed rcpthosts");
+#ifdef TLS
 tls_nogateway();
+#endif
 out(" (#5.7.1)\r\n");
+ do_hard_errors();
 }
-#endif
-void err_badbounce() { out("550 sorry, bounce messages should have a single envelope recipient (#5.7.1)\r\n"); }
-void err_unimpl(arg) char *arg; { out("502 unimplemented (#5.5.1)\r\n"); }
-void err_syntax() { out("555 syntax error (#5.5.4)\r\n"); }
-void err_relay() { out("553 we don't relay (#5.7.1)\r\n"); }
-void err_wantmail() { out("503 MAIL first (#5.5.1)\r\n"); }
-void err_wantrcpt() { out("503 RCPT first (#5.5.1)\r\n"); }
+void err_badbounce() { out("550 sorry, bounce messages should have a single envelope recipient (#5.7.1)\r\n"); do_hard_errors(); }
+void err_unimpl(arg) char *arg; { out("502 unimplemented (#5.5.1)\r\n"); do_hard_errors(); }
+void err_syntax() { out("555 syntax error (#5.5.4)\r\n"); do_hard_errors(); }
+void err_relay() { out("553 we don't relay (#5.7.1)\r\n"); do_hard_errors(); }
+void err_wantmail() { out("503 MAIL first (#5.5.1)\r\n"); do_hard_errors(); }
+void err_wantrcpt() { out("503 RCPT first (#5.5.1)\r\n"); do_hard_errors(); }
 void err_noop(arg) char *arg; { out("250 ok\r\n"); }
 void err_vrfy(arg) char *arg; { out("252 send some mail, i'll try my best\r\n"); }
 void err_qqt() { out("451 qqt failure (#4.3.0)\r\n"); }
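Review bot: `hard_errors` is declared `int` while `max_hard_errors` is `unsigned int`, so `++hard_errors < max_hard_errors` in do_hard_errors() compares across signedness and is correct only because the counter starts at zero and is never decremented. Declaring them as `static unsigned int hard_errors = 0;` and `static unsigned int max_hard_errors = 20;` removes the implicit conversion and, provided no other file refers to them, keeps the names file-local. Nothing in the visible code resets the counter, so the limit appears to cover the whole connection rather than a single mail transaction. A comment above the declarations such as `/* hard errors seen on this connection; the session is closed with 421 once max_hard_errors is reached */` would make that explicit.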
@@ -192,12 +202,15 @@ int err_fork() { out("454 oops, child won't start and I can't auth (#4.3.0)\r\n"
 int err_pipe() { out("454 oops, unable to open pipe and I can't auth (#4.3.0)\r\n"); return -1; }
 int err_write() { out("454 oops, unable to write pipe and I can't auth (#4.3.0)\r\n"); return -1; }
 void err_authd() { out("503 you're already authenticated (#5.5.0)\r\n"); }
-void err_authmail() { out("503 no auth during mail transaction (#5.5.0)\r\n"); }
-int err_noauth() { out("504 auth type unimplemented (#5.5.1)\r\n"); return -1; }
+void err_authmail() { out("503 no auth during mail transaction (#5.5.0)\r\n"); do_hard_errors(); }
+int err_noauth() { out("504 auth type unimplemented (#5.5.1)\r\n"); do_hard_errors(); return -1; }
+int err_noauth2() { out("503 auth not available (#5.3.3)\r\n"); do_hard_errors(); }
 int err_authabrt() { out("501 auth exchange canceled (#5.0.0)\r\n"); return -1; }
 int err_input() { out("501 malformed auth input (#5.5.4)\r\n"); return -1; }
 int err_wantstarttls() { out("530 Must issue a STARTTLS command first (#5.7.0)\r\n"); return -1; };
-void err_authfail() { out("535 authentication failed (#5.7.1)\r\n"); }
+void err_authfail() { out("535 authentication failed (#5.7.1)\r\n"); do_hard_errors(); }
+void err_nomailbox() { out("554 sorry, no mailbox here by that name (#5.1.1)\r\n"); do_hard_errors(); }
+void err_maxrcpt() { out("450 too many recipients (#4.7.1)\r\n"); do_hard_errors(); }
 extern void realrcptto_init();
 extern void realrcptto_start();
@@ -736,8 +749,8 @@ void smtp_rcpt(arg) char *arg; {
 if (!addrparse(arg)) { err_syntax(); return; }
 if (!relayclient && addrrelay()) { err_relay(); return; }
 if (recipcount >= max_recipcount) {
- out("450 too many recipients. (#4.7.1)\r\n");
- strerr_warn2("qmail-smtpd: too many recipients at ",remoteip,0);
+ enew(); eout("Too many recipients for "); eout(remoteip); eout(".\n");
+ err_maxrcpt();
 return;
 }
 if (flagbarfbhelo) {
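Review bot: `err_noauth2()` is declared `int` but its body has no `return`, unlike the neighbouring `err_noauth()`, which returns -1. The only caller visible in this patch (the `if (!*childargs)` line in the last hunk) discards the result, so nothing reads the missing value today, but a later caller that did would hit undefined behaviour. `void err_noauth2() { out("503 auth not available (#5.3.3)\r\n"); do_hard_errors(); }` matches how it is used. Separately, `err_authabrt()`, `err_input()` and `err_wantstarttls()` stay outside the error count; if that is deliberate, a short comment naming which replies count toward the limit would help the next reader.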
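Review bot: In the smtp_rcpt hunk, `err_maxrcpt()` answers with a temporary 450 yet calls `do_hard_errors()`, so every RCPT beyond `max_recipcount` counts toward the hard-error limit. A legitimate client with a long recipient list could therefore be disconnected with 421 before DATA, abandoning the recipients already accepted in that transaction; consider `void err_maxrcpt() { out("450 too many recipients (#4.7.1)\r\n"); }` or document that the counting is intended. The new log line is built with `enew()`/`eout()` but has no `eflush()`, whereas do_hard_errors() calls `eflush()` after its own message. If `eout()` buffers (its definition is not in this patch), add `eflush();` before `err_maxrcpt();`. smtp_rcpt's body starts and ends outside the hunk.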
@@ -786,7 +799,7 @@ void smtp_rcpt(arg) char *arg; {
 log_deny("BAD RCPT TO", mailfrom.s,addr.s);
 }
 if (!flagauth && !relayclient && !realrcptto(addr.s,1)) {
- out("554 sorry, no mailbox here by that name. (#5.1.1)\r\n");
+ err_nomailbox();
 return;
 }
 if (!(spp_val = spp_rcpt(allowed))) return;
@@ -924,7 +937,10 @@ void smtp_data(arg) char *arg; {
 if (mailfrom.len == 1 && recipcount > 1) { err_badbounce(); return; }
 if (flagbrt) { err_brt(); return; }
 if (!spp_data()) return;
- if (!relayclient && realrcptto_deny()) { out("550 sorry, no mailbox here by that name. (#5.1.1)\r\n"); return; }
+ if (!relayclient && realrcptto_deny()) {
+ err_nomailbox();
+ return;
+ }
 seenmail = 0;
 if (databytes) bytestooverflow = databytes + 1;
 if (qmail_open(&qqt) == -1) { err_qqt(); return; }
@@ -1207,7 +1223,7 @@ char *arg;
 int i;
 char *cmd = arg;
- if (!*childargs) { out("503 auth not available (#5.3.3)\r\n"); return; }
+ if (!*childargs) { err_noauth2(); return; }
 if (flagauth) { err_authd(); return; }
 if (seenmail) { err_authmail(); return; }
-- cgit v1.2.3
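Review bot: In the smtp_data hunk, routing the `realrcptto_deny()` rejection through `err_nomailbox()` changes the reply code from 550 to 554: the removed line sent `550 sorry, no mailbox here by that name. (#5.1.1)`, while the helper sends `554 sorry, no mailbox here by that name (#5.1.1)`. The commit message mentions only the error limit, so this looks unintended. If the DATA-stage reply should stay 550, give it its own helper that also calls `do_hard_errors()`; otherwise record the code change in the commit message. smtp_data's body starts and ends outside the hunk.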