# HG changeset patch
# User carl
# Date 1144515969 25200
# Node ID 2b1a4701e85661a3cae66c91079f4d7c8959225c
# Parent 05ae49d378965e38f9a179a324430b8e0eacc530
sendmail no longer guarantees <> wrapper on envelopes
diff -r 05ae49d37896 -r 2b1a4701e856 ChangeLog
--- a/ChangeLog Sat Mar 25 09:47:08 2006 -0800
+++ b/ChangeLog Sat Apr 08 10:06:09 2006 -0700
@@ -1,18 +1,26 @@
 $Id$
+5.18 2006-04-08
+ Bug fix - newer sendmail versions don't guarantee envelope addresses
+ enclosed in <> wrapper.
+
+ Document backscatter prevention configuration for systems that are
+ used to mainly spam filter and then forward to mail to the internal
+ server.
+
 5.17 2006-03-25
- never ask dns blacklists about rfc1918 address space.
+ Never ask dns blacklists about rfc1918 address space.
 5.16 2006-03-16
- bug fix - the smtp error message for uribl filtering needs to
+ Bug fix - the smtp error message for uribl filtering needs to
 reference the host name, not the ip address.
 5.15 2006-03-15
- bug fix - we failed to properly set the return code to indicate the
+ Bug fix - we failed to properly set the return code to indicate the
 reason when rejecting mail for content filtering.
 5.14 2006-03-13
- fix typo in the default config file and documentation for using
+ Fix a typo in the default config file and documentation for using
 multi.surbl.org
 5.13 2006-03-12
diff -r 05ae49d37896 -r 2b1a4701e856 NEWS
--- a/NEWS Sat Mar 25 09:47:08 2006 -0800
+++ b/NEWS Sat Apr 08 10:06:09 2006 -0700
@@ -1,5 +1,6 @@
 $Id$
+5.18 2006-04-08 sendmail no longer guarantees <> wrapper on envelopes
 5.17 2006-03-25 never ask dns blacklists about rfc1918 address space
 5.16 2006-03-16 bug fix, smtp error message for uribl filtering needs host name, not ip address
 5.15 2006-03-15 bug fix, failed to set reason code when rejecting mail from content filtering
diff -r 05ae49d37896 -r 2b1a4701e856 configure.in
--- a/configure.in Sat Mar 25 09:47:08 2006 -0800
+++ b/configure.in Sat Apr 08 10:06:09 2006 -0700
@@ -1,7 +1,7 @@
 AC_INIT(configure.in)
 AM_CONFIG_HEADER(config.h)
-AM_INIT_AUTOMAKE(dnsbl,5.17)
+AM_INIT_AUTOMAKE(dnsbl,5.18)
 AC_PATH_PROGS(BASH, bash)
 AC_LANG_CPLUSPLUS
diff -r 05ae49d37896 -r 2b1a4701e856 dnsbl.conf
--- a/dnsbl.conf Sat Mar 25 09:47:08 2006 -0800
+++ b/dnsbl.conf Sat Apr 08 10:06:09 2006 -0700
@@ -1,3 +1,32 @@
+context main-default {
+ // outbound dnsbl filtering to catch our own customers that end up on the sbl
+ dnsbl local blackholes.five-ten-sg.com "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s";
+ dnsbl sbl sbl-xbl.spamhaus.org "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
+ dnsbl dul dul.dnsbl.sorbs.net "Mail from %s rejected - dul; see http://www.sorbs.net/lookup.shtml?%s";
+ dnsbl_list local sbl dul;
+
+ // outbound content filtering to prevent our own customers from sending spam
+ content on {
+ filter sbl-xbl.spamhaus.org "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
+ uribl multi.surbl.org "Mail containing %s rejected - surbl; see http://www.rulesemporium.com/cgi-bin/uribl.cgi?bl0=1&domain0=%s";
+ #uribl black.uribl.com "Mail containing %s rejected - uribl; see http://l.uribl.com/?d=%s";
+ ignore { include "hosts-ignore.conf"; };
+ tld { include "tld.conf"; };
+ cctld { include "cctld.conf"; };
+ html_tags { include "html-tags.conf"; };
+ html_limit on 20 "Mail containing excessive bad html tags rejected";
+ html_limit off;
+ host_limit on 20 "Mail containing excessive host names rejected";
+ host_limit soft 20;
+ };
+
+ // backscatter prevention - don't send bounces for mail that we accepted but could not forward
+ // we only send bounces to our own customers
+ env_from unknown {
+ "<>" black;
+ };
+};
+
 context main {
 dnsbl local blackholes.five-ten-sg.com "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s";
 dnsbl sbl sbl-xbl.spamhaus.org "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
diff -r 05ae49d37896 -r 2b1a4701e856 src/dnsbl.cpp
--- a/src/dnsbl.cpp Sat Mar 25 09:47:08 2006 -0800
+++ b/src/dnsbl.cpp Sat Apr 08 10:06:09 2006 -0700
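Review bot: The `"<>" black;` entry under `env_from unknown` in the new main-default context rejects every message with a null envelope sender, which covers legitimate delivery status notifications and not only backscatter, while the comment above it explains only the backscatter motive. Suggest extending that comment, e.g. `// note: this also rejects legitimate DSNs/MDNs addressed to recipients in this context; only use it where no mail sent from these systems expects a bounce`. The key is written with the <> wrapper, and the src/dnsbl.cpp change in this same commit says newer sendmail may omit that wrapper, so it is worth confirming that a null sender presented without <> still matches this entry. The `context main {` block at the end of the hunk continues outside the hunk.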
@@ -855,16 +855,24 @@ } //////////////////////////////////////////////// -// this email address is passed in from sendmail, and will -// always be enclosed in <>. It may have mixed case, just -// as the mail client sent it. We dup the string and convert -// the duplicate to lower case. +// +// this email address is passed in from sendmail, and will normally be +// enclosed in <>. I think older versions of sendmail supplied the <> +// wrapper if the mail client did not, but the current version does not do +// that. So the <> wrapper is now optional. It may have mixed case, just +// as the mail client sent it. We dup the string and convert the duplicate +// to lower case. // char *to_lower_string(char *email); char *to_lower_string(char *email) { - int n = strlen(email)-2; - if (n < 1) return strdup(email); - char *key = strdup(email+1); + int n = strlen(email); + if (*email == '<') { + // assume it also ends with > + n -= 2; + if (n < 1) return strdup(email); // return "<>" + email++; + } + char *key = strdup(email); key[n] = '\0'; for (int i=0; i This milter will also decode (uuencode, base64, mime, html entity, url @@ -449,6 +449,11 @@ The following ideas are under consideration. + Add mail volume limits based on smtp auth accounts, to prevent + customers from sending too much mail. This should catch customers + that get infected with malware that knows about smtp auth. + + Add a per-context option to reject mail if the number of digits in the reverse dns client name exceeds some threshold. @@ -563,6 +568,35 @@ Sample " black; + }; +}; + context sample { dnsbl local blackholes.five-ten-sg.com "Mail from %s rejected - local; see http://www.five-ten-sg.com/blackhole.php?%s"; dnsbl sbl sbl-xbl.spamhaus.org "Mail from %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";