mod_smtp_filter: Fix privacy preservation for outgoing mail submissions.

For message submissions that are addressed to external recipients, the processing for these messages was using the relay handler to prepend the Received header. This handler would not respect submission privacy configuration, which could result in the sender's IP address being leaked. A failsafe check is added here to ensure that submissions have this header added in a way that respects the current privacy setting. As part of this change, logging using smtp_filter_write will not use the calling location for this log message, rather than the location inside this function, to make tracing the source of prepends easier.
InterLinked1 · Nov 14, 2024 · be85241 · be85241
1 parent 2aa33a2
commit be85241
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 3 deletions.
diff --git a/include/net_smtp.h b/include/net_smtp.h
@@ -181,7 +181,8 @@ time_t smtp_received_time(struct smtp_session *smtp);
 const char *smtp_message_body(struct smtp_filter_data *f);
 
 /*! \brief Prepend arbitrary data to a message */
-int __attribute__ ((format (gnu_printf, 2, 3))) smtp_filter_write(struct smtp_filter_data *f, const char *fmt, ...);
+#define smtp_filter_write(f, fmt, ...) __smtp_filter_write(f, __FILE__, __LINE__, __FUNCTION__, fmt, ## __VA_ARGS__)
+int __attribute__ ((format (gnu_printf, 5, 6))) __smtp_filter_write(struct smtp_filter_data *f, const char *file, int line, const char *func, const char *fmt, ...);
 
 /*! \brief Prepend a header to a message */
 int smtp_filter_add_header(struct smtp_filter_data *f, const char *name, const char *value);

diff --git a/modules/mod_smtp_filter.c b/modules/mod_smtp_filter.c
@@ -65,6 +65,17 @@ static int relay_filter_cb(struct smtp_filter_data *f)
 	char timestamp[40];
 	char hostname[256];
 
+	/* XXX This is not the most elegant workaround, but is extremely critical!
+	 * This handles the case where a local user submits a message that is sent to an external party.
+	 * This is a submission that is leaving the system,NOT a message that is being "relayed" in the sense we care about here.
+	 * In this case, we should NOT run everything in the builtin_filter_cb (such as adding Return-Path),
+	 * but we SHOULD be adding the Received header based on smtp_should_preserve_privacy, since it's a user submission.
+	 * (Not respecting WILL result in the user's IP address being inadvertently leaked!)
+	 * Since the logic we want is exactly that in prepend_received, just call that instead here. */
+	if (smtp_is_message_submission(f->smtp)) {
+		return prepend_received(f);
+	}
+
 	prot = smtp_protname(f->smtp);
 	smtp_timestamp(smtp_received_time(f->smtp), timestamp, sizeof(timestamp));
 

diff --git a/nets/net_smtp.c b/nets/net_smtp.c
@@ -1331,7 +1331,7 @@ const char *smtp_message_body(struct smtp_filter_data *f)
 	return f->body;
 }
 
-int smtp_filter_write(struct smtp_filter_data *f, const char *fmt, ...)
+int __smtp_filter_write(struct smtp_filter_data *f, const char *file, int line, const char *func, const char *fmt, ...)
 {
 	va_list ap;
 	char *buf;
@@ -1355,7 +1355,7 @@ int smtp_filter_write(struct smtp_filter_data *f, const char *fmt, ...)
 		return -1;
 	}
 
-	bbs_debug(6, "Prepending: %s\n", buf);
+	__bbs_log(LOG_DEBUG, 6, file, line, func, "Prepending: %s\n", buf);
 	if (bbs_str_contains_bare_lf(buf)) {
 		bbs_warning("Appended data that contains bare LFs! Message is not RFC-compliant!\n");
 	}