comparison src/dnsbl.cpp @ 451:f2bc221240e8 stable-6-0-70
add unsigned_black for enforcement of dmarc policy
author | Carl Byington <carl@five-ten-sg.com> |
---|---|
date | Mon, 04 Jun 2018 16:25:06 -0700 |
parents | 0df77bbb7fc2 |
children | 2cf7183a911c |
450:a0293ef794a7 | 451:f2bc221240e8 |
---|---|
516 uint32_t ip = ntohl(dns_interface(priv, buf, ns_t_a)); | 516 uint32_t ip = ntohl(dns_interface(priv, buf, ns_t_a)); |
517 if (ip and (ip != 0x7f000000)) { | 517 if (ip and (ip != 0x7f000000)) { |
518 if (debug_syslog > 2) { | 518 if (debug_syslog > 2) { |
519 char tmp[maxlen]; | 519 char tmp[maxlen]; |
520 snprintf(tmp, sizeof(tmp), "found %s on %s", hostname, priv.uribl_suffix); | 520 snprintf(tmp, sizeof(tmp), "found %s on %s", hostname, priv.uribl_suffix); |
521 my_syslog(tmp); | 521 my_syslog(&priv, tmp); |
522 } | 522 } |
523 found = register_string(hosts, hostname); | 523 found = register_string(hosts, hostname); |
524 return true; | 524 return true; |
525 } | 525 } |
526 return false; | 526 return false; |
1422 const char *domain = strchr(priv.origaddr, '@'); | 1422 const char *domain = strchr(priv.origaddr, '@'); |
1423 if (domain && !local_source) { | 1423 if (domain && !local_source) { |
1424 DKIMP dk = con.find_dkim_from(domain+1); | 1424 DKIMP dk = con.find_dkim_from(domain+1); |
1425 if (dk && (dk->action == token_require_signed)) { | 1425 if (dk && (dk->action == token_require_signed)) { |
1426 my_syslog(&priv, "dkim require_signed overrides envelope from whitelist"); | 1426 my_syslog(&priv, "dkim require_signed overrides envelope from whitelist"); |
1427 st = oksofar; | 1427 st = whitesofar; |
1428 } | |
1429 else if (dk && (dk->action == token_unsigned_black)) { | |
1430 my_syslog(&priv, "dkim unsigned_black overrides envelope from whitelist"); | |
1431 st = whitesofar; | |
1428 } | 1432 } |
1429 else st = white; | 1433 else st = white; |
1430 } | 1434 } |
1431 else st = white; // might be <>, envelope from has no @ | 1435 else st = white; // might be <>, envelope from has no @ |
1432 } | 1436 } |
1433 | 1437 |
1434 if (st == oksofar) { | 1438 if ((st == oksofar) || (st == whitesofar)) { |
1435 // check the dns based lists, whitelist first | 1439 // check the dns based whitelists |
1436 DNSWLP acceptlist = NULL; // list that caused the whitelisting | 1440 DNSWLP acceptlist = NULL; // list that caused the whitelisting |
1437 if (check_dnswl(priv, con.get_dnswl_list(), acceptlist)) { | 1441 if (check_dnswl(priv, con.get_dnswl_list(), acceptlist)) { |
1438 st = white; | 1442 st = white; |
1439 if (debug_syslog > 1) { | 1443 if (debug_syslog > 1) { |
1440 char msg[maxlen]; | 1444 char msg[maxlen]; |
1441 snprintf(msg, sizeof(msg), "whitelisted by %s", acceptlist->name); | 1445 snprintf(msg, sizeof(msg), "whitelisted by %s", acceptlist->name); |
1442 my_syslog(&priv, msg); | 1446 my_syslog(&priv, msg); |
1443 } | 1447 } |
1444 } | 1448 } |
1445 else if (check_dnsbl(priv, con.get_dnsbl_list(), rejectlist)) { | 1449 } |
1450 | |
1451 if (st == oksofar) { | |
1452 // check the dns based blacklists | |
1453 if (check_dnsbl(priv, con.get_dnsbl_list(), rejectlist)) { | |
1446 // reject the recipient based on some dnsbl | 1454 // reject the recipient based on some dnsbl |
1447 char adr[sizeof "255.255.255.255 "]; | 1455 char adr[sizeof "255.255.255.255 "]; |
1448 adr[0] = '\0'; | 1456 adr[0] = '\0'; |
1449 inet_ntop(AF_INET, (const u_char *)&priv.ip, adr, sizeof(adr)); | 1457 inet_ntop(AF_INET, (const u_char *)&priv.ip, adr, sizeof(adr)); |
1450 char buf[maxlen]; | 1458 char buf[maxlen]; |
1451 snprintf(buf, sizeof(buf), rejectlist->message, adr, adr); | 1459 snprintf(buf, sizeof(buf), rejectlist->message, adr, adr); |
1452 smfi_setreply(ctx, (char*)"550", (char*)"5.7.1", buf); | 1460 smfi_setreply(ctx, (char*)"550", (char*)"5.7.1", buf); |
1453 return SMFIS_REJECT; | 1461 return SMFIS_REJECT; |
1454 } | 1462 } |
1455 } | |
1456 | |
1457 if (st == oksofar) { | |
1458 // check forged rdns | 1463 // check forged rdns |
1459 if (con.get_requirerdns() && (!priv.client_dns_name || priv.client_dns_forged)) { | 1464 if (con.get_requirerdns() && (!priv.client_dns_name || priv.client_dns_forged)) { |
1460 // reject the recipient based on forged reverse dns | 1465 // reject the recipient based on forged reverse dns |
1461 char buf[maxlen]; | 1466 char buf[maxlen]; |
1462 snprintf(buf, sizeof(buf), "%s is not acceptable", priv.client_name); | 1467 snprintf(buf, sizeof(buf), "%s is not acceptable", priv.client_name); |
1533 } | 1538 } |
1534 | 1539 |
1535 // accept the recipient | 1540 // accept the recipient |
1536 if (!con.get_content_filtering()) st = white; | 1541 if (!con.get_content_filtering()) st = white; |
1537 | 1542 |
1538 if (st == oksofar) { | 1543 if ((st == oksofar) || (st == whitesofar)) { |
1539 // remember first content filtering context | 1544 // remember first content filtering context |
1540 if (con.get_content_filtering()) { | 1545 if (con.get_content_filtering()) { |
1541 if (!priv.content_context) priv.content_context = &con; | 1546 if (!priv.content_context) priv.content_context = &con; |
1542 else if (con.get_require() && (priv.content_context != &con)) { | 1547 else if (con.get_require() && (priv.content_context != &con)) { |
1543 smfi_setreply(ctx, (char*)"452", (char*)"4.2.1", (char*)"incompatible filtering contexts"); | 1548 smfi_setreply(ctx, (char*)"452", (char*)"4.2.1", (char*)"incompatible filtering contexts"); |
1544 return SMFIS_TEMPFAIL; | 1549 return SMFIS_TEMPFAIL; |
1545 } | 1550 } |
1546 priv.need_content_filter(con); | 1551 priv.need_content_filter(con); |
1547 char bu[maxlen]; | 1552 if (st == oksofar) { |
1548 bool uri = false; | 1553 char bu[maxlen]; |
1549 // content filtering implies also checking helo name on uribl (if enabled) | 1554 bool uri = false; |
1550 if (priv.helo_uribl) { | 1555 // content filtering implies also checking helo name on uribl (if enabled) |
1551 snprintf(bu, sizeof(bu), "(helo %s)", priv.host_uribl); | 1556 if (priv.helo_uribl) { |
1552 uri = true; | 1557 snprintf(bu, sizeof(bu), "(helo %s)", priv.host_uribl); |
1553 } | 1558 uri = true; |
1554 // content filtering implies also checking client reverse dns name on uribl (if enabled) | 1559 } |
1555 if (priv.client_uribl) { | 1560 // content filtering implies also checking client reverse dns name on uribl (if enabled) |
1556 snprintf(bu, sizeof(bu), "(rdns %s)", priv.host_uribl); | 1561 if (priv.client_uribl) { |
1557 uri = true; | 1562 snprintf(bu, sizeof(bu), "(rdns %s)", priv.host_uribl); |
1558 } | 1563 uri = true; |
1559 // content filtering implies also checking mail from domain name on uribl (if enabled) | 1564 } |
1560 if (priv.from_uribl) { | 1565 // content filtering implies also checking mail from domain name on uribl (if enabled) |
1561 snprintf(bu, sizeof(bu), "(from %s)", priv.host_uribl); | 1566 if (priv.from_uribl) { |
1562 uri = true; | 1567 snprintf(bu, sizeof(bu), "(from %s)", priv.host_uribl); |
1563 } | 1568 uri = true; |
1564 if (uri) { | 1569 } |
1565 char buf[maxlen]; | 1570 if (uri) { |
1566 snprintf(buf, sizeof(buf), priv.uribl_message, bu, priv.host_uribl); | 1571 char buf[maxlen]; |
1567 smfi_setreply(ctx, (char*)"550", (char*)"5.7.1", buf); | 1572 snprintf(buf, sizeof(buf), priv.uribl_message, bu, priv.host_uribl); |
1568 return SMFIS_REJECT; | 1573 smfi_setreply(ctx, (char*)"550", (char*)"5.7.1", buf); |
1574 return SMFIS_REJECT; | |
1575 } | |
1569 } | 1576 } |
1570 } | 1577 } |
1571 // remember the non-whites | 1578 // remember the non-whites |
1572 register_string(priv.env_to, rcptaddr, &con); | 1579 register_string(priv.env_to, rcptaddr, &con); |
1573 priv.only_whites = false; | 1580 priv.only_whites = false; |
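Review bot: The replacement at line 1427 changes the require_signed branch from `st = oksofar;` to `st = whitesofar;`, so a whitelisted envelope-from domain with dkim require_signed now skips the dnsbl and forged-rdns rejections guarded by `if (st == oksofar)` at new line 1451 and the uribl rejection guarded at new line 1552, all of which it previously went through; the commit title mentions only unsigned_black, so this looks like an unstated behaviour change. If it is intended, a comment at the assignment would make the new state explicit, e.g. `// whitesofar: envelope-from whitelist honoured, but still subject to content filtering (presumably where the dkim signature is checked)`. The branches at new lines 1425 and 1429 now differ only in their syslog text; if they are meant to stay identical, one condition on both actions with the action name in the message would keep them from drifting. The enclosing recipient callback starts and ends outside this section.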