ACL to deny access to catchalls

sendmail/CHANGELOG

@@ -33,3 +33,5 @@ Added access control for the Spam Control page.
 Added a Module Config option to support ~/Maildir mailboxes (even though Sendmail doesn't support this natively).
 Added an option to show the directory queued messages are in, which is useful on systems with several queues.
 Network ports and addresses used by Sendmail can now be more easily edited on the new Network Ports page, which updates both sendmail.cf and any .mc file.
+---- Changes since 1.400 ----
+Added an access control page option to prevent creation and editing of catchall address mappings.

sendmail/acl_security.pl

@@ -132,13 +132,17 @@ for($n=0; $n<3; $n++) {
 print "</td> </tr>\n";
 
 print "<tr> <td><b>$text{'acl_vmax'}</b></td>\n";
-printf "<td colspan=3><input type=radio name=vmax_def value=1 %s> %s\n",
+printf "<td><input type=radio name=vmax_def value=1 %s> %s\n",
 	$_[0]->{'vmax'} ? "" : "checked", $text{'acl_unlimited'};
 printf "<input type=radio name=vmax_def value=0 %s>\n",
 	$_[0]->{'vmax'} ? "checked" : "";
-printf "<input name=vmax size=5 value='%s'></td> </tr>\n",
+printf "<input name=vmax size=5 value='%s'></td>\n",
 	$_[0]->{'vmax'};
 
+print "<td><b>$text{'acl_vcatchall'}</b></td>\n";
+print "<td>",&ui_yesno_radio("vcatchall",
+			     int($_[0]->{'vcatchall'})),"</td> </tr>\n";
+
 # Aliases
 print "<tr> <td colspan=4><hr></td> </tr>\n";
 
@@ -224,6 +228,7 @@ $_[0]->{'vmax'} = $in{'vmax_def'} ? undef : $in{'vmax'};
 foreach $i (0..2) {
 	$_[0]->{"vedit_$i"} = $in{"vedit_$i"};
 	}
+$_[0]->{'vcatchall'} = $in{'vcatchall'};
 $_[0]->{'amode'} = $in{'amode'};
 $_[0]->{'aliases'} = $in{'amode'} == 2 ? $in{'aliases'} : "";
 $_[0]->{'amax'} = $in{'amax_def'} ? undef : $in{'amax'};

sendmail/defaultacl

@@ -29,3 +29,4 @@ qdomsmode=2
 flushq=1
 smode=1
 ports=1
+vcatchall=1

sendmail/lang/en

@@ -618,6 +618,7 @@ acl_flushq=Can flush the mail queue?
 acl_mailq=Can manage mail queue?
 acl_viewdel=View and delete
 acl_view=View only
+acl_vcatchall=Can create catchall mappings?
 acl_qdoms=Addresses visible in queue
 acl_qdomsmode=Queue address to match
 acl_qdomsmode0=From: address

sendmail/list_virtusers.cgi

@@ -34,6 +34,9 @@ elsif ($access{'vmode'} == 3) {
 	@virts = grep { $_->{'from'} =~ /^$remote_user\@/ } @virts;
 	}
 @virts = grep { $access{"vedit_".&virt_type($_->{'to'})} } @virts; 
+if (!$access{'vcatchall'}) {
+	@virts = grep { $_->{'from'} !~ /^\@/ } @virts;
+	}
 
 &virtuser_form();
 

sendmail/save_virtuser.cgi

@@ -37,7 +37,7 @@ if ($in{'delete'}) {
 else {
 	# Saving or creating.. check inputs
 	&error_setup($text{'vsave_err'});
-	if ($in{'from_type'} == 0) {
+	if ($in{'from_type'} == 0 || !$access{'vcatchall'}) {
 		$in{'from_addr'} =~ /^(\S+)\@(\S+)$/ ||
 			&error(&text('vsave_efrom', $in{'from_addr'}));
 		$from = $in{'from_addr'};

sendmail/virtusers-lib.pl

@@ -166,13 +166,22 @@ print &ui_table_row($text{'vform_cmt'},
 
 # Source address
 $addr = !$v || $v->{'from'} =~ /^(\S+)\@(\S+)$/;
-print &ui_table_row($text{'vform_for'},
-	&ui_radio_table("from_type", $addr ? 0 : 1,
-	  [ [ 0, $text{'vform_address'},
-		 &ui_textbox("from_addr", $addr ? $v->{'from'} : "", 20) ],
-	    [ 1, $text{'vform_domain'},
-		 &ui_textbox("from_dom",
+if ($access{'vcatchall'}) {
+	# Can be address or whole domain
+	print &ui_table_row($text{'vform_for'},
+		&ui_radio_table("from_type", $addr ? 0 : 1,
+		  [ [ 0, $text{'vform_address'},
+			 &ui_textbox("from_addr",
+			     $addr ? $v->{'from'} : "", 20) ],
+		    [ 1, $text{'vform_domain'},
+			 &ui_textbox("from_dom",
 			     $addr ? "" : substr($v->{'from'}, 1), 20) ] ]));
+	}
+else {
+	# Just address
+	print &ui_table_row($text{'vform_for'},
+		&ui_textbox("from_addr", $addr ? $v->{'from'} : "", 40));
+	}
 		
 # Virtuser destination
 $mode = !$v ? 2 :
@@ -230,6 +239,9 @@ return wantarray ? @rv : $rv[0];
 sub can_edit_virtuser
 {
 local ($v) = @_;
+if ($v->{'from'} =~ /^\@/ && !$access{'vcatchall'}) {
+	return 0;
+	}
 return $access{'vmode'} == 1 ||
        $access{'vmode'} == 2 && $v->{'from'} =~ /$access{'vaddrs'}/ ||
        $access{'vmode'} == 3 && $v->{'from'} =~ /^$remote_user\@/;