# HG changeset patch # User Carl Byington # Date 1490894790 25200 # Node ID 29d54e7028f658bc9443111ac9a9fff72da0d93f # Parent ca4ef407588e3c1ad44dc7746587ea25a1966b34 document dmarc vs dnsbl dkim/spf; switch to . rather than " " for dkim impossible signer diff -r ca4ef407588e -r 29d54e7028f6 ChangeLog --- a/ChangeLog Fri Mar 17 15:29:40 2017 -0700 +++ b/ChangeLog Thu Mar 30 10:26:30 2017 -0700 @@ -1,3 +1,7 @@ +6.54 2017-03-30 + document dmarc vs dnsbl dkim/spf. switch to . rather than + " " for dkim impossible signer. + 6.53 2017-03-17 suppress duplicate calls to acceptable_content for messages with multiple recipients using the same filtering diff -r ca4ef407588e -r 29d54e7028f6 NEWS --- a/NEWS Fri Mar 17 15:29:40 2017 -0700 +++ b/NEWS Thu Mar 30 10:26:30 2017 -0700 @@ -1,3 +1,4 @@ +6.54 2017-03-30 document dmarc vs dnsbl dkim/spf; switch to . rather than " " for dkim impossible signer 6.53 2017-03-17 suppress duplicate calls to acceptable_content(); redirect= in spf 6.52 2017-03-09 document dkim/spf processing, handle a and a: elements 6.51 2017-03-06 parse spf txt records for required dkim signers diff -r ca4ef407588e -r 29d54e7028f6 configure.in --- a/configure.in Fri Mar 17 15:29:40 2017 -0700 +++ b/configure.in Thu Mar 30 10:26:30 2017 -0700 @@ -1,6 +1,6 @@ AC_PREREQ(2.59) -AC_INIT(dnsbl,6.53,carl@five-ten-sg.com) +AC_INIT(dnsbl,6.54,carl@five-ten-sg.com) AC_CONFIG_SRCDIR([config.h.in]) AC_CONFIG_HEADER([config.h]) AC_CONFIG_MACRO_DIR([m4]) diff -r ca4ef407588e -r 29d54e7028f6 dnsbl.spec.in --- a/dnsbl.spec.in Fri Mar 17 15:29:40 2017 -0700 +++ b/dnsbl.spec.in Thu Mar 30 10:26:30 2017 -0700 @@ -3,7 +3,7 @@ Summary: Sendmail milter for spam control Name: @PACKAGE@ Version: @VERSION@ -Release: 2%{?dist} +Release: 1%{?dist} License: GPLv3+ Group: System Environment/Daemons Source: http://www.five-ten-sg.com/%{name}/packages/%{name}-%{version}.tar.gz 
@@ -155,6 +155,10 @@ %changelog +* Thu Mar 30 2017 Carl Byington - 6.54-1 +- document dmarc vs dnsbl dkim/spf; switch to . rather than + " " for dkim impossible signer. + * Fri Mar 17 2017 Carl Byington - 6.53-2 - handle redirect= elements in spf txt records. diff -r ca4ef407588e -r 29d54e7028f6 src/context.cpp --- a/src/context.cpp Fri Mar 17 15:29:40 2017 -0700 +++ b/src/context.cpp Thu Mar 30 10:26:30 2017 -0700 @@ -1205,8 +1205,6 @@ const char *CONTEXT::acceptable_content(recorder &memory, int score, int bulk, const char *queueid, string_set &signers, const char *from, mlfiPriv *priv, string& msg) { - DKIMP dk = find_dkim_from(from); - for (string_set::iterator s=signers.begin(); s!=signers.end(); s++) { const char *st = find_dkim_signer(*s); // signed by a white listed signer @@ -1216,6 +1214,7 @@ } } + DKIMP dk = find_dkim_from(from); if (dk) { const char *st = dk->action; for (string_set::iterator s=signers.begin(); s!=signers.end(); s++) { @@ -1246,11 +1245,13 @@ } if (st == token_require_signed) { // not signed by a required signer, but maybe passes strong spf check - // only check spf if the list of required signers is not a single blank. - if (strcmp(dk->signer, " ") && resolve_spf(from, ntohl(priv->ip), priv)) { + // only check spf if the list of required signers is not a single dot. + if (strcmp(dk->signer, ".") && resolve_spf(from, ntohl(priv->ip), priv)) { log(queueid, "spf pass for %s rather than required dkim signer", from); return token_white; } + // todo - we could also check spf for the rfc5321 envelope from domain, + // if it is dmarc aligned (relaxed) with the rfc5322 header from domain. char buf[maxlen]; snprintf(buf, sizeof(buf), "Mail rejected - not dkim signed by %s", dk->signer); msg = string(buf); diff -r ca4ef407588e -r 29d54e7028f6 xml/Makefile.am --- a/xml/Makefile.am Fri Mar 17 15:29:40 2017 -0700 +++ b/xml/Makefile.am Thu Mar 30 10:26:30 2017 -0700 
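Review bot: Changing the impossible-signer sentinel from `" "` to `"."` in the `strcmp` guard of the third hunk means any dkim_from entry still configured with the old blank sentinel no longer short-circuits: `strcmp(" ", ".")` is non-zero, so `resolve_spf` now runs and an SPF pass whitelists mail the operator had configured to reject outright. Unless the config parser can no longer produce a `" "` signer (not visible in this diff), accepting both spellings during the transition, `if (strcmp(dk->signer, ".") && strcmp(dk->signer, " ") && resolve_spf(from, ntohl(priv->ip), priv)) {`, or refusing the old sentinel at config load with a logged warning, avoids a silent policy weakening. The new todo comment would read better if it first stated the current observable behaviour, e.g. `// spf fallback is evaluated against the rfc5322 header-from domain only; the rfc5321 envelope-from domain is not consulted.`, before the proposed extension. acceptable_content() begins in the first hunk of this file and its body continues past the end of this hunk.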
@@ -1,6 +1,6 @@ all: dnsbl cat header.xml dnsbl >dnsbl.xml - cat header.sgml dnsbl >dnsbl.sgml + cat header.sgml dnsbl | grep -v personblurb >dnsbl.sgml rm -f ../html/*html rm -f ../html/*pdf xmlto -o ../man man dnsbl.xml diff -r ca4ef407588e -r 29d54e7028f6 xml/dnsbl.in --- a/xml/dnsbl.in Fri Mar 17 15:29:40 2017 -0700 +++ b/xml/dnsbl.in Thu Mar 30 10:26:30 2017 -0700 @@ -25,11 +25,12 @@ - 2017-03-07 + 2017-03-30 Carl Byington 510 Software Group + @@ -297,7 +298,7 @@ milter, then connections from clients that use SMTP AUTH are never subject to greylisting. As part of this per-user greylisting, you need to move the dnsblnogrey file from the config directory to something - like /var/dcc/userdirs/local/dnsblnogrey/whiteclnt so the dccifd will + like /var/dcc/userdirs/dnsblnogrey/whiteclnt so the dccifd will properly ignore greylisting for those recipients that don't want it. @@ -389,11 +390,11 @@ user", and the dns lists are not checked. - If the answer is white, mail to this recipient is accepted and the dns - lists are not checked. However, if the envelope from domain name is - listed in the current filtering context (or parents) dkim_from with - "required_signed", - we downgrade this to white answer to unknown. + If the answer is white, and the envelope from domain name is + listed in the current (or parents) filtering contexts dkim_from with + "required_signed", we downgrade this white answer to unknown. + If the answer is still white, mail to this recipient is accepted and the dns + lists are not checked. If the answer is unknown, we don't reject yet, but the dns lists will be 
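Review bot: `grep -v personblurb` filters by substring across the whole concatenated input, so any documentation line that merely mentions the word, not only the personblurb tag lines, is dropped from dnsbl.sgml, and a multi-line personblurb element would lose its tag lines while keeping its inner text. Anchoring the pattern to the markup, `cat header.sgml dnsbl | grep -v -e '<personblurb>' -e '</personblurb>' >dnsbl.sgml`, makes the intent explicit; whether dnsbl currently contains such an element cannot be confirmed from this diff. A one-line comment above the rule explaining why the element is stripped for the sgml build (presumably the sgml toolchain does not accept it) would help the next reader.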
@@ -533,6 +534,84 @@ + + DMARC vs dkim_from require_signed + + Note that DNSBL does not implement rfc7489 DMARC. We do not look for + _dmarc.$DOMAIN txt records. + + + The restrictions imposed by require_signed are similar but not + identical to a DMARC reject policy with strict identifier alignment. + When doing SPF fallback, DMARC checks SPF based on the rfc5321 + envelope from domain. DNSBL checks SPF based on the rfc5322 header + from domain. DMARC does not allow mail from good.example.com to be + signed by trusted.example.net - which is a common case. Both Microsoft + Office365 and Google run mail for customer domains, but use DKIM + signing domains in onmicrosoft.com and gappssmtp.com, which are + unrelated to the customer domain. DMARC in the default relaxed + alignment mode allows evil.example.com to sign mail from + good.example.com. DNSBL specifies the exact list of acceptable signing + domains, rather than inferring it from child/parent relationships, or + using public + suffix lists to find the organizational domain. We can block mail + from marketing.example.com while accepting mail from + billing.example.com, even if both are DKIM signed by example.com. + + + Suppose we have: + + DMARC would fail the strict identifier alignment. DNSBL allows + us to require DKIM signatures that are unrelated + to the rfc5322 header from, so we accept this message. + + + Suppose we have: + + DMARC would pass the relaxed spf identifier alignments, + and would check the evil.example.com spf record. If that + allowed the source ip, DMARC would accept the message. + DMARC would not check DKIM since example.com and example.net + do not pass even the relaxed identifer alignment requirement. + DNSBL allows us to require DKIM signatures that are not + related to the rfc5322 header from domain, so we accept + the message based on the DKIM signature and don't need to + fall back to SPF. 
+ + + Suppose we have: + + DNSBL allows us to require DKIM signatures that are not + related to the rfc5322 header from domain. In this case + the signature fails, so we fall back to an SPF check. + We check SPF based on the rfc5322 header from, and + good.example.com does not allow the source ip, so we reject + this message. + DMARC would accept that message based on the SPF check + for evil.example.com + + + Sendmail access vs. DNSBL @@ -690,11 +769,12 @@ - 2017-03-07 + 2017-03-30 Carl Byington 510 Software Group +