Przeglądaj źródła

Support for multiple secrets

The secrets file is now parsed line by line, and
each line (excluding CR and/or LF) is used as a secret.
Only the first secret is used for signing, but all
secrets are used for verification.
tags/1.0
Timo Röhling 12 lat temu
rodzic
commit
ff33d043b9
2 zmienionych plików z 15 dodań i 15 usunięć
  1. 4
    2
      README.md
  2. 11
    13
      postsrsd.c

+ 4
- 2
README.md Wyświetl plik

@@ -33,10 +33,12 @@ files.
33 33
 
34 34
 Configuration
35 35
 =============
36
-The configuration is located in `/etc/default/postsrsd`. You must store 
37
-a secret key in `/etc/postsrsd.secret`. The installer tries to generate 
36
+The configuration is located in `/etc/default/postsrsd`. You must store
37
+at least one secret key in `/etc/postsrsd.secret`. The installer tries to generate
38 38
 one from `/dev/urandom`. Be careful that no one can guess your secret,
39 39
 because anyone who knows it can use your mail server as open relay!
40
+Each line of `/etc/postsrsd.secret` is used as secret. The first secret is
41
+used for signing and verification, the others for verification only.
40 42
 
41 43
 PostSRSd exposes its functionality via two TCP lookup tables. The
42 44
 recommended Postfix configuration is to add the following fragment to

+ 11
- 13
postsrsd.c Wyświetl plik

@@ -189,7 +189,7 @@ static void show_help ()
189 189
     "\n"
190 190
     "Usage: %s -s<file> -d<domain> [other options]\n"
191 191
     "Options:\n"
192
-    "   -s<file>       read secret from file (required)\n"
192
+    "   -s<file>       read secrets from file (required)\n"
193 193
     "   -d<domain>     set domain name for rewrite (required)\n"
194 194
     "   -f<port>       set port for the forward SRS lookup (default: 10001)\n"
195 195
     "   -r<port>       set port for the reverse SRS lookup (default: 10002)\n"
@@ -217,9 +217,9 @@ int main (int argc, char **argv)
217 217
        *user = NULL, *domain = NULL, *chroot_dir = NULL;
218 218
   int forward_sock, reverse_sock;
219 219
   char *secret_file = NULL, *pid_file = NULL;
220
-  FILE *pf = NULL;
220
+  FILE *pf = NULL, *sf = NULL;
221 221
   struct passwd *pwd = NULL;
222
-  char secret[1024];
222
+  char secretbuf[1024], *secret = NULL;
223 223
   char *tmp;
224 224
   srs_t *srs;
225 225
   struct pollfd fds[3];
@@ -292,18 +292,11 @@ int main (int argc, char **argv)
292 292
   /* Read secret. The default installation makes this root accessible only. */
293 293
   if (secret_file != NULL) {
294 294
     size_t len;
295
-    FILE *fp = fopen(secret_file, "rb");
296
-    if (fp == NULL) {
295
+    sf = fopen(secret_file, "rb");
296
+    if (sf == NULL) {
297 297
       fprintf (stderr, "%s: Cannot open file with secret: %s\n", self, secret_file);
298 298
       return EXIT_FAILURE;
299 299
     }
300
-    len = fread(secret, 1, sizeof(secret) - 1, fp);
301
-    if (len == 0 || len > sizeof(secret) - 1) {
302
-      fprintf (stderr, "%s: Cannot read secret from file: %s\n", self, secret_file);
303
-      return EXIT_FAILURE;
304
-    }
305
-    secret[len] = 0;
306
-    fclose (fp);
307 300
   } else {
308 301
     fprintf (stderr, "%s: You must set a secret (-s)\n", self);
309 302
     show_help();
@@ -371,7 +364,12 @@ int main (int argc, char **argv)
371 364
   }
372 365
 
373 366
   srs = srs_new();
374
-  srs_add_secret (srs, secret);
367
+  while ((secret = fgets(secretbuf, sizeof(secretbuf), sf))) {
368
+    secret = strtok(secret, "\r\n");
369
+    if (secret)
370
+      srs_add_secret (srs, secret);
371
+  }
372
+  fclose (sf);
375 373
   srs_set_separator (srs, '+');
376 374
 
377 375
   fds[0].fd = forward_sock;

Ładowanie…
Anuluj
Zapisz