comparison src/context.cpp @ 407:29d54e7028f6 stable-6-0-54
document dmarc vs dnsbl dkim/spf; switch to . rather than " " for dkim impossible signer
author | Carl Byington <carl@five-ten-sg.com> |
---|---|
date | Thu, 30 Mar 2017 10:26:30 -0700 |
parents | 8f3a84de3739 |
children | e63c6b4835ef |
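--- a/src/context.cpp
+++ b/src/context.cpp
@@ -1203,21 +1203,20 @@
 return false;
 }
 
 
 const char *CONTEXT::acceptable_content(recorder &memory, int score, int bulk, const char *queueid, string_set &signers, const char *from, mlfiPriv *priv, string& msg) {
-DKIMP dk = find_dkim_from(from);
-
 for (string_set::iterator s=signers.begin(); s!=signers.end(); s++) {
 const char *st = find_dkim_signer(*s);
 // signed by a white listed signer
 if (st == token_white) {
 log(queueid, "whitelisted dkim signer %s", *s);
 return token_white;
 }
 }
 
+DKIMP dk = find_dkim_from(from);
 if (dk) {
 const char *st = dk->action;
 for (string_set::iterator s=signers.begin(); s!=signers.end(); s++) {
 // signed by a white listed signer
 if ((st == token_signed_white) && in_signing_set(*s,dk->signer)) {
@@ -1244,15 +1243,17 @@
 return token_white;
 }
 }
 if (st == token_require_signed) {
 // not signed by a required signer, but maybe passes strong spf check
-// only check spf if the list of required signers is not a single blank.
-if (strcmp(dk->signer, " ") && resolve_spf(from, ntohl(priv->ip), priv)) {
+// only check spf if the list of required signers is not a single dot.
+if (strcmp(dk->signer, ".") && resolve_spf(from, ntohl(priv->ip), priv)) {
 log(queueid, "spf pass for %s rather than required dkim signer", from);
 return token_white;
 }
+// todo - we could also check spf for the rfc5321 envelope from domain,
+// if it is dmarc aligned (relaxed) with the rfc5322 header from domain.
 char buf[maxlen];
 snprintf(buf, sizeof(buf), "Mail rejected - not dkim signed by %s", dk->signer);
 msg = string(buf);
 return token_black;
 }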
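Review bot: The sentinel switch on the `strcmp(dk->signer, ".")` line fails open for any existing require_signed entry that still carries the old single-blank signer: it no longer matches the sentinel, so an SPF pass alone now returns `token_white` where the entry previously meant "never fall back to SPF". Whether such entries can exist depends on the config parser, which is not visible here; if they can, accept both spellings for a transition period, `if (strcmp(dk->signer, ".") && strcmp(dk->signer, " ") && resolve_spf(from, ntohl(priv->ip), priv)) {`, or reject the old form when the configuration is loaded. Separately, with the dot sentinel the `snprintf` rejection text becomes "Mail rejected - not dkim signed by .", so a short comment or a special-cased message for the impossible-signer case would help whoever reads the bounce. The body of acceptable_content continues outside this section.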