
authorLadar Levison <ladar@lavabit.com>2018-12-07 22:58:48 +0300
committerLadar Levison <ladar@lavabit.com>2018-12-07 22:58:48 +0300
commit94e8e72cefd1a422a227b92ee45ba912cf36f59d (patch)
treebc72924a1052d5b7b7c73dfef7d816b1fd45f8d6
parentf66654e9af3cbfd972753dcc4c3d4a77ff46523d (diff)
Properly bypass SMTP checks using the bypass_addr setting.
-rw-r--r--check/magma/users/users_check.c2
-rwxr-xr-xsandbox/etc/magma.sandbox.config1
-rw-r--r--src/core/host/ip.c3
-rw-r--r--src/network/addresses.c16
-rw-r--r--src/servers/smtp/checkers.c11
-rw-r--r--src/servers/smtp/smtp.c2
6 files changed, 29 insertions, 6 deletions
diff --git a/check/magma/users/users_check.c b/check/magma/users/users_check.c
index e1c167d3..85850ced 100644
--- a/check/magma/users/users_check.c
+++ b/check/magma/users/users_check.c
@@ -11,8 +11,8 @@ START_TEST (check_users_register_s) {
log_disable();
uint16_t plan;
- connection_t con;
time_t stamp;
+ connection_t con;
uint64_t usernum = 0;
bool_t outcome = true;
int64_t transaction = -1;
diff --git a/sandbox/etc/magma.sandbox.config b/sandbox/etc/magma.sandbox.config
index 1f53033f..a52dcd34 100755
--- a/sandbox/etc/magma.sandbox.config
+++ b/sandbox/etc/magma.sandbox.config
@@ -21,6 +21,7 @@ magma.log.stack = false
magma.log.time = false
magma.system.domain = lavabit.com
+magma.smtp.bypass_addr = 127.0.0.1
magma.web.tls_redirect = 127.0.0.1:10500
magma.web.statistics = true
diff --git a/src/core/host/ip.c b/src/core/host/ip.c
index 4258a675..06ab1fe0 100644
--- a/src/core/host/ip.c
+++ b/src/core/host/ip.c
@@ -567,7 +567,8 @@ bool_t ip_subnet_st(chr_t *substr, subnet_t *out) {
if (!i || i > 2) {
return false;
- } else if (i == 1) {
+ }
+ else if (i == 1) {
if (!ip_addr_st(substr, &addr)) {
return false;
diff --git a/src/network/addresses.c b/src/network/addresses.c
index 9ec452e3..0d51b6f5 100644
--- a/src/network/addresses.c
+++ b/src/network/addresses.c
@@ -46,8 +46,20 @@ ip_t * con_addr(connection_t *con, ip_t *output) {
ip_t *result = NULL;
- if (con) {
- result = con->network.reverse.ip;
+ // We only attempt the copy if a valid IP address is available.
+ if (con && con->network.reverse.ip) {
+
+ // If the output pointer is NULL, we need to allocate a buffer.
+ if (!output && (result = mm_alloc(sizeof(ip_t)))) {
+ ip_copy(result, con->network.reverse.ip);
+ }
+ // Otherwise, if the output buffer is valid, we use that instead. We could also end up
+ // here if the allocation attempt, fails. So we check that output isn't NULL to avoid an error.
+ else if (output) {
+ result = ip_copy(output, con->network.reverse.ip);
+ }
+
+
}
return result;
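Review bot: con_addr() now returns a heap copy when `output` is NULL and the caller's own buffer otherwise, so the return value has two different owners and nothing in the hunk records that. Before this change a NULL `output` yielded a borrowed pointer into the connection, so any existing caller that still passes NULL now receives an allocation it must free; those call sites need an audit, and none are visible on this page apart from the MEMORYBUF caller in smtp.c. A header comment such as `// Returns output when supplied; otherwise a newly allocated ip_t that the caller must release with mm_free().` would state the contract. In the allocating branch the return value of ip_copy() is ignored while the other branch uses it as the result; if ip_copy() can fail, the function hands back an unfilled buffer, and `if (!ip_copy(result, con->network.reverse.ip)) { mm_free(result); result = NULL; }` would close that. The function begins above the hunk.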
diff --git a/src/servers/smtp/checkers.c b/src/servers/smtp/checkers.c
index 726a0c0f..13cf1a43 100644
--- a/src/servers/smtp/checkers.c
+++ b/src/servers/smtp/checkers.c
@@ -301,7 +301,16 @@ bool_t smtp_bypass_check(connection_t *con) {
}
while (!result && (subnet = inx_cursor_value_next(cursor))) {
- if (ip_matches_subnet(subnet, &remote)) result = true;
+
+ // If the subnet mask is 32 for a v4 address, or 128 for v6 address, do a straight comparison.
+ if (((subnet->address.family == AF_INET && subnet->mask == 32) ||
+ (subnet->address.family == AF_INET6 && subnet->mask == 128)) &&
+ ip_addr_eq(&(subnet->address), &remote)) result = true;
+
+ // Otherwise do a subnet comparison.
+ else if (((subnet->address.family == AF_INET && subnet->mask != 32) ||
+ (subnet->address.family == AF_INET6 && subnet->mask != 128)) &&
+ ip_matches_subnet(subnet, &remote)) result = true;
}
inx_cursor_free(cursor);
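Review bot: The exact-match branch for /32 and /128 entries reads as a workaround for ip_matches_subnet() on full-length masks, but the reason is not recorded and the helper itself is left unchanged. If the helper does mishandle a full-width mask (in C a shift by the type's full width is undefined), every other caller still has the problem, and fixing it inside ip_matches_subnet() would let this loop return to a single call. Because a match here exempts the peer from SMTP checks, it is also worth confirming that masks above 32 (v4) or 128 (v6) are rejected when the list is parsed, since such an entry falls through to the subnet branch. At minimum add a comment with the actual reason, along the lines of `// Host entries (/32, /128) are compared directly because ip_matches_subnet() is not reliable for full-length masks.`. The loop sits inside smtp_bypass_check(), which starts and ends outside the hunk.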
diff --git a/src/servers/smtp/smtp.c b/src/servers/smtp/smtp.c
index 25343587..be2297da 100644
--- a/src/servers/smtp/smtp.c
+++ b/src/servers/smtp/smtp.c
@@ -772,7 +772,7 @@ void smtp_rcpt_to(connection_t *con) {
// If this user is enforcing SPF.
if (result->spf == 1) {
// Perform the SPF check.
- if (con->smtp.checked.spf == 0) {
+ if (!con->smtp.bypass && con->smtp.checked.spf == 0) {
con->smtp.checked.spf = spf_check(con_addr(con, MEMORYBUF(sizeof(ip_t))), con->smtp.helo, con->smtp.mailfrom);
}
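Review bot: When `con->smtp.bypass` is set the SPF lookup is skipped and `con->smtp.checked.spf` stays 0, and the code that acts on that value lies below the hunk, so it should be confirmed that 0 is handled as "not checked" and not as a failure for recipients with `result->spf == 1`. The exemption is granted purely on the peer address, which deserves a comment at this line, for example `// Peers matching magma.smtp.bypass_addr are exempt; SPF is not evaluated and checked.spf stays 0.`. Only the SPF test is gated in this hunk; whether the other per-recipient checks honour the flag cannot be seen from here. smtp_rcpt_to() continues outside the hunk.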