comparison src/context.cpp @ 451:f2bc221240e8 stable-6-0-70

add unsigned_black for enforcement of dmarc policy
author Carl Byington <carl@five-ten-sg.com>
date Mon, 04 Jun 2018 16:25:06 -0700
parents d4275f26241c
children 8393ce4658cc
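--- a/src/context.cpp
+++ b/src/context.cpp
@@ -71,10 +71,11 @@
 const char *token_yes;
 const char *token_dkim_signer;
 const char *token_dkim_from;
 const char *token_signed_white;
 const char *token_signed_black;
+const char *token_unsigned_black;
 const char *token_require_signed;
 const char *token_myhostname;
 
 #ifndef HOST_NAME_MAX
 #define HOST_NAME_MAX 255
@@ -1317,10 +1318,11 @@
 }
 
 DKIMP dk = find_dkim_from(from);
 if (dk) {
 const char *st = dk->action;
+bool dmarc = false;
 for (string_set::iterator s=signers.begin(); s!=signers.end(); s++) {
 // signed by a white listed signer
 if ((st == token_signed_white) && in_signing_set(*s,dk->signer)) {
 log(queueid, "whitelisted dkim signer %s", *s);
 return token_white;
@@ -1332,10 +1334,26 @@
 }
 // signed by a black listed signer
 if ((st == token_signed_black) && in_signing_set(*s,dk->signer)) {
 char buf[maxlen];
 snprintf(buf, sizeof(buf), "Mail rejected - dkim signed by %s", *s);
+msg = string(buf);
+return token_black;
+}
+if ((st == token_unsigned_black) && in_signing_set(*s,dk->signer)) {
+dmarc = true;
+}
+}
+if (st == token_unsigned_black) {
+// enforce dmarc
+if (!dmarc) {
+dmarc = resolve_spf(from, ntohl(priv->ip), priv);
+}
+if (!dmarc) {
+// not signed and does not pass spf, reject it
+char buf[maxlen];
+snprintf(buf, sizeof(buf), "Mail rejected - not dkim signed by %s", dk->signer);
 msg = string(buf);
 return token_black;
 }
 }
 if (st == token_signed_white) {
@@ -2347,10 +2365,11 @@
 token_yes = register_string("yes");
 token_dkim_signer = register_string("dkim_signer");
 token_dkim_from = register_string("dkim_from");
 token_signed_white = register_string("signed_white");
 token_signed_black = register_string("signed_black");
+token_unsigned_black = register_string("unsigned_black");
 token_require_signed = register_string("require_signed");
 
 if (gethostname(myhostname, HOST_NAME_MAX+1) != 0) {
 strncpy(myhostname, "localhost", HOST_NAME_MAX+1);
 }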
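Review bot: The rejection text in the new `st == token_unsigned_black` block, `"Mail rejected - not dkim signed by %s"`, under-reports the condition: that branch is only reached after the `resolve_spf()` fallback has also returned false, so the SMTP reply names half the reason; `snprintf(buf, sizeof(buf), "Mail rejected - not dkim signed by %s and not spf authorized", dk->signer);` would state what was actually checked. The fallback evaluates SPF against `from`, the same value `find_dkim_from()` keys on; if that is the header From domain rather than the envelope sender, this is a looser approximation of DMARC's SPF-plus-alignment test than the name "enforce dmarc" suggests, and a comment stating which identity is evaluated would help the next reader. The new action is undocumented where `token_unsigned_black` is declared in the first hunk; a one-line comment such as `// reject mail from this domain unless dkim signed by the configured signer or spf passes` would explain it. The enclosing function starts and ends outside this hunk.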