diff src/context.cpp @ 451:f2bc221240e8 stable-6-0-70
add unsigned_black for enforcement of dmarc policy
author | Carl Byington <carl@five-ten-sg.com> |
---|---|
date | Mon, 04 Jun 2018 16:25:06 -0700 |
parents | d4275f26241c |
children | 8393ce4658cc |
--- a/src/context.cpp Tue Apr 10 13:00:55 2018 -0700
+++ b/src/context.cpp Mon Jun 04 16:25:06 2018 -0700
@@ -73,6 +73,7 @@
const char *token_dkim_from;
const char *token_signed_white;
const char *token_signed_black;
+const char *token_unsigned_black;
const char *token_require_signed;
const char *token_myhostname;
@@ -1319,6 +1320,7 @@
DKIMP dk = find_dkim_from(from);
if (dk) {
const char *st = dk->action;
+ bool dmarc = false;
for (string_set::iterator s=signers.begin(); s!=signers.end(); s++) {
// signed by a white listed signer
if ((st == token_signed_white) && in_signing_set(*s,dk->signer)) {
@@ -1337,6 +1339,22 @@
msg = string(buf);
return token_black;
}
+ if ((st == token_unsigned_black) && in_signing_set(*s,dk->signer)) {
+ dmarc = true;
+ }
+ }
+ if (st == token_unsigned_black) {
+ // enforce dmarc
+ if (!dmarc) {
+ dmarc = resolve_spf(from, ntohl(priv->ip), priv);
+ }
+ if (!dmarc) {
+ // not signed and does not pass spf, reject it
+ char buf[maxlen];
+ snprintf(buf, sizeof(buf), "Mail rejected - not dkim signed by %s", dk->signer);
+ msg = string(buf);
+ return token_black;
+ }
}
if (st == token_signed_white) {
// not signed by a white listed signer, but maybe passes strong spf check
@@ -2349,6 +2367,7 @@
token_dkim_from = register_string("dkim_from");
token_signed_white = register_string("signed_white");
token_signed_black = register_string("signed_black");
+ token_unsigned_black = register_string("unsigned_black");
token_require_signed = register_string("require_signed");
if (gethostname(myhostname, HOST_NAME_MAX+1) != 0) {
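Review bot: The rejection text in the new `if (!dmarc)` block of the third hunk names only the DKIM condition, although the message is rejected only after `resolve_spf` has also failed, so the SPF outcome is invisible in the bounce and in the logs; `snprintf(buf, sizeof(buf), "Mail rejected - not dkim signed by %s and spf failed", dk->signer);` would state the whole policy that was applied. The flag `dmarc` is set by two different facts (a signature from a configured signer, or an SPF pass for the connecting IP), which the `// enforce dmarc` comment does not explain; a comment such as `// unsigned_black: accept only if dkim signed by a listed signer, otherwise fall back to an spf check of the from domain against the client ip` would make the intent readable. Whether `resolve_spf(from, ...)` evaluates the header-From domain (which is what a DMARC-style alignment check needs) or the envelope sender cannot be seen from this hunk, so that comment should say which. The new block also repeats the buf/snprintf/msg/return sequence of the signed_black branch just above it; a small helper that builds `msg` and returns `token_black` would remove the duplication. The enclosing function starts and ends outside the hunk.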