From wietse@wzv.win.tue.nl Tue Jul 9 19:20:04 1996
Received: by wzv.win.tue.nl (8.7.4/1.45) id TAA03288; Tue, 9 Jul 1996 19:20:04 +0200 (MET DST)
From: wietse@wzv.win.tue.nl (Wietse Venema)
Message-Id: <199607091720.TAA03288@wzv.win.tue.nl>
Subject: tcpd support built into sendmail
To: BKnowles@aol.net
Date: Tue, 9 Jul 96 19:20:04 MET DST
Cc: wietse (Wietse Venema)
Organization: Eindhoven University of Technology, P.O. Box 513, 5600 MB Eindhoven, The Netherlands
X-Phone: +31 40 2472989
X-Fax: +31 40 2465995
X-Private: +31 40 2433327
X-Mailer: ELM [version 2.3 PL11]
Status: O

I've put the message below on anonymous FTP as sendmail-tcpd.patch.

	Wietse

-----BEGIN PGP SIGNED MESSAGE-----

This is a minimal patch to sendmail 8.7.5 that adds built-in tcp wrapper
support. This should give the same functionality as running sendmail under
control of the tcp wrapper, except that you do not incur the cost of
starting sendmail from scratch for each connection.

Installation instructions:

- Cd into the sendmail.whatever/src directory
- Unshar this file
- Apply the patch (patch wrapper.diff <<'END_OF_wrapper.diff'
X*** ./Makefiles/Makefile.FreeBSD- Wed Sep 13 17:29:01 1995 X--- ./Makefiles/Makefile.FreeBSD Tue Jul 9 15:30:35 1996 X*************** X*** 14,29 **** X # really gnarly systems, you can set this to null; it will crawl like a high X # spiral snail, but it will work. X DBMDEF= -DNEWDB X X! CFLAGS+=-I${.CURDIR} ${DBMDEF} X X SRCS= alias.c arpadate.c clock.c collect.c conf.c convtime.c daemon.c \ X deliver.c domain.c envelope.c err.c headers.c macro.c main.c map.c \ X mci.c mime.c parseaddr.c queue.c readcf.c recipient.c savemail.c \ X srvrsmtp.c stab.c stats.c sysexits.c trace.c udb.c usersmtp.c \ X! util.c version.c X DPADD= X!
LDADD= $(LIBUTIL) X # X # FreeBSD 1.0 RELEASE has GNU man and doesn't need preformatted man pages anymore X # (assuming you consider a slower "man" command a feature) X--- 14,32 ---- X # really gnarly systems, you can set this to null; it will crawl like a high X # spiral snail, but it will work. X DBMDEF= -DNEWDB X+ WRAPDIR= /home/wietse/tcp_wrappers_7.4 X+ WRAPDEF= -I$(WRAPDIR) -DHOSTS_ACCESS X+ WRAPLIB= -L$(WRAPDIR) -lwrap X X! CFLAGS+=-I${.CURDIR} ${DBMDEF} ${WRAPDEF} X X SRCS= alias.c arpadate.c clock.c collect.c conf.c convtime.c daemon.c \ X deliver.c domain.c envelope.c err.c headers.c macro.c main.c map.c \ X mci.c mime.c parseaddr.c queue.c readcf.c recipient.c savemail.c \ X srvrsmtp.c stab.c stats.c sysexits.c trace.c udb.c usersmtp.c \ X! util.c version.c wantconn.c X DPADD= X! LDADD= $(LIBUTIL) $(WRAPLIB) X # X # FreeBSD 1.0 RELEASE has GNU man and doesn't need preformatted man pages anymore X # (assuming you consider a slower "man" command a feature) X*** ./daemon.c- Wed Nov 29 18:24:45 1995 X--- ./daemon.c Tue Jul 9 19:07:33 1996 X*************** X*** 313,318 **** X--- 313,331 ---- X OutChannel = outchannel; X DisConnected = FALSE; X X+ #ifdef HOSTS_ACCESS X+ if (wantconn(t, "sendmail") == 0) { X+ #ifdef LOG X+ syslog(LOG_WARNING, "refusing connection from %s/%s", X+ RealHostName, anynet_ntoa(&RealHostAddr)); X+ #endif X+ message("421 %s Sendmail will not talk to %s.", X+ MyHostName, RealHostName); X+ sleep(1); X+ exit(0); X+ } X+ #endif X+ X /* should we check for illegal connection here? 
XXX */ X #ifdef XLA X if (!xla_host_ok(RealHostName)) END_OF_wrapper.diff if test 2249 -ne `wc -c wantconn.c <<'END_OF_wantconn.c'
X /*
X  * NAME
X  *
X  * wantconn - build tcpd access control into any TCP or UDP application
X  *
X  * SYNOPSIS
X  *
X  * extern int wantconn(int sock, char *progname)
X  *
X  * extern int allow_severity;
X  *
X  * extern int deny_severity;
X  *
X  * DESCRIPTION
X  *
X  * wantconn() returns a non-zero value when the client in sock is allowed to
X  * talk to the daemon in progname. As a side effect of calling wantconn(),
X  * the syslog severity levels in the global variables allow_severity and
X  * deny_severity may be updated.
X  *
X  * wantconn() is not "paranoid", i.e. it does not automatically refuse clients
X  * whose host name is inconsistent with their address.
X  *
X  * AUTHOR
X  *
X  * Wietse Venema, Eindhoven University of Technology, The Netherlands
X  */
X
X#include <syslog.h>		/* LOG_INFO and LOG_WARNING used below */
X
X#ifdef __hpux
X#define request_info tcpd_request_info
X#endif
X
X#ifndef ALLOW_SEVERITY
X#define ALLOW_SEVERITY LOG_INFO
X#define DENY_SEVERITY LOG_WARNING
X#endif
X
X#include "tcpd.h"
X
Xint allow_severity;		/* run-time adjustable */
Xint deny_severity;		/* ditto */
X
Xint wantconn(sock, progname)
Xint sock;
Xchar *progname;
X{
X    struct request_info request;
X
X    /*
X     * Reset the logging level in case we are called from a program that
X     * responds to multiple clients.
X     */
X    allow_severity = ALLOW_SEVERITY;
X    deny_severity = DENY_SEVERITY;
X
X    /*
X     * The user will expect that this will work as if sendmail is run under
X     * control of the tcpd program. For perfect emulation we must be prepared
X     * to do our own username lookup and whatever else tcpd may want to do in
X     * the future. The cost is a small hit in performance.
X     */
X    request_init(&request, RQ_FILE, sock, RQ_DAEMON, progname, 0);
X    fromhost(&request);
X    return (hosts_access(&request));
X}
END_OF_wantconn.c
if test 1785 -ne `wc -c
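Review bot: the Makefile.FreeBSD hunk hard-codes `X+ WRAPDIR= /home/wietse/tcp_wrappers_7.4`, a path from the author's own build tree, so anyone applying the patch must edit WRAPDIR before building; that deserves an explicit step in the installation instructions, or WRAPDIR should point at the installed include and library locations. Two consistency points in the same hunk: `wantconn.c` is appended to SRCS and `$(WRAPLIB)` to LDADD unconditionally, while the call site in daemon.c is under `#ifdef HOSTS_ACCESS`, so removing -DHOSTS_ACCESS from WRAPDEF still compiles wantconn.c and links libwrap; and only the FreeBSD Makefile is patched, so users of the other platform Makefiles have to add the three WRAP* variables, wantconn.c and $(WRAPLIB) by hand.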
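Review bot: the daemon.c hunk passes the literal daemon name in `X+ if (wantconn(t, "sendmail") == 0) {`, so hosts.allow and hosts.deny rules must name the service `sendmail` whatever name the binary is invoked under; say so wherever the patch is documented, or derive the name from the program name. The `sleep(1);` before `exit(0);` has no comment; a one-liner stating that it is there so the client can read the 421 reply before the socket closes would spare the next reader a guess. The refusal is logged only under `#ifdef LOG`, consistent with the rest of daemon.c, but it means a build without LOG refuses connections silently, which is worth a conscious decision rather than an accident of the surrounding style. Placement just above the existing `/* should we check for illegal connection here? XXX */` and the `xla_host_ok(RealHostName)` test is sensible, since both are per-connection admission checks on the same host data.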
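As an added illustration of what the hosts_access() verdict returned by wantconn() means in practice, here is an example written for this page; it is not Wietse's code and not part of the patch or of tcp_wrappers. It reimplements in plain C, with no libwrap dependency, the order in which tcpd evaluates its tables (hosts.allow first, then hosts.deny, allow when nothing matches) over a subset of the client-pattern syntax (ALL, LOCAL, PARANOID, a .domain suffix, a net. prefix, an exact name or address), and it models the distinction the DESCRIPTION draws between wantconn() and a paranoid tcpd build, which refuses a client whose reverse name does not map back to its address before consulting any rule. The rule tables, client names and addresses are constructed for the example; the decide() function and the name_mismatch flag are assumptions of this example, and EXCEPT lists, netmask patterns and the option language are not implemented.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* A connection as wantconn() sees it after fromhost(): daemon name, client host
 * name, client address, and whether the reverse name failed to map back to the
 * address. All values passed in are constructed for this example. */
struct client {
    const char *daemon;
    const char *host;
    const char *addr;
    int name_mismatch;
};

/* One "daemon_list : client_list" line from hosts.allow or hosts.deny. */
struct rule {
    const char *daemons;
    const char *clients;
};

/* Constructed tables standing in for /etc/hosts.allow and /etc/hosts.deny. */
static const struct rule allow_table[] = {
    { "sendmail", "LOCAL, .example.com, 192.168.1." },
    { "ALL",      "127.0.0.1" },
};
static const struct rule deny_table[] = {
    { "ALL", "ALL" },
};

/* Subset of the tcpd client-pattern syntax. */
static int match_client(const char *pat, const struct client *c)
{
    size_t plen = strlen(pat), hlen = strlen(c->host);

    if (plen == 0)
        return 0;
    if (strcmp(pat, "ALL") == 0)
        return 1;
    if (strcmp(pat, "LOCAL") == 0)                 /* host name without a dot */
        return strchr(c->host, '.') == NULL;
    if (strcmp(pat, "PARANOID") == 0)              /* name and address disagree */
        return c->name_mismatch;
    if (pat[0] == '.')                             /* domain suffix */
        return hlen > plen && strcasecmp(c->host + hlen - plen, pat) == 0;
    if (pat[plen - 1] == '.')                      /* dotted network prefix */
        return strncmp(c->addr, pat, plen) == 0;
    return strcasecmp(pat, c->host) == 0 || strcmp(pat, c->addr) == 0;
}

static int match_daemon(const char *pat, const struct client *c)
{
    return strcmp(pat, "ALL") == 0 || strcmp(pat, c->daemon) == 0;
}

/* True when any comma or space separated item in list satisfies fn. */
static int list_match(const char *list,
                      int (*fn)(const char *, const struct client *),
                      const struct client *c)
{
    char buf[256];
    char *tok;

    snprintf(buf, sizeof buf, "%s", list);
    for (tok = strtok(buf, " ,\t"); tok != NULL; tok = strtok(NULL, " ,\t"))
        if (fn(tok, c))
            return 1;
    return 0;
}

static int table_match(const struct rule *t, size_t n, const struct client *c)
{
    size_t i;

    for (i = 0; i < n; i++)
        if (list_match(t[i].daemons, match_daemon, c) &&
            list_match(t[i].clients, match_client, c))
            return 1;
    return 0;
}

/* Returns non-zero when the client may talk to the daemon, like wantconn().
 * paranoid models a tcpd built with -DPARANOID: a client whose name does not
 * map back to its address is refused before any table is consulted. */
int decide(const char *daemon, const char *host, const char *addr,
           int name_mismatch, int paranoid)
{
    struct client c = { daemon, host, addr, name_mismatch };
    size_t n_allow = sizeof allow_table / sizeof allow_table[0];
    size_t n_deny = sizeof deny_table / sizeof deny_table[0];

    if (paranoid && name_mismatch)
        return 0;
    if (table_match(allow_table, n_allow, &c))     /* hosts.allow is consulted first */
        return 1;
    if (table_match(deny_table, n_deny, &c))       /* then hosts.deny */
        return 0;
    return 1;                                      /* no rule matched: allow */
}

int main(void)
{
    printf("sendmail from mail.example.com: %d\n", decide("sendmail", "mail.example.com", "10.1.2.3", 0, 0));
    printf("sendmail from relay.evil.net:   %d\n", decide("sendmail", "relay.evil.net", "10.9.9.9", 0, 0));
    printf("same client, paranoid build:    %d\n", decide("sendmail", "mail.example.com", "10.1.2.3", 1, 1));
    return 0;
}
```

The last call shows the caveat from the DESCRIPTION: with name_mismatch set and paranoid off, the .example.com suffix rule still admits the client, exactly as wantconn() would, while a paranoid build refuses it before the tables are read.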