# HG changeset patch # User Carl Byington # Date 1537289361 25200 # Node ID 6c1c2bd9fb5446c19bef33c0316fd93cdcab2885 # Parent 0199965a71eb46cd958393e2a4bedc5a33ef9fc6 ignore dnswl entries if the sender is <> diff -r 0199965a71eb -r 6c1c2bd9fb54 ChangeLog --- a/ChangeLog Wed Jun 06 07:33:44 2018 -0700 +++ b/ChangeLog Tue Sep 18 09:49:21 2018 -0700 @@ -1,3 +1,7 @@ +6.73 2018-09-18 + ignore dnswl entries if the sender is <> + allow autowhite of recipients with local parts up to 35 characters. + 6.72 2018-06-06 add unsigned_black for enforcement of dmarc policy. diff -r 0199965a71eb -r 6c1c2bd9fb54 NEWS --- a/NEWS Wed Jun 06 07:33:44 2018 -0700 +++ b/NEWS Tue Sep 18 09:49:21 2018 -0700 @@ -1,3 +1,4 @@ +6.73 2018-09-18 ignore dnswl entries if the sender is <> 6.72 2018-06-06 add unsigned_black for enforcement of dmarc policy 6.69 2018-04-10 fix spf mx:domain.tld token parsing 6.68 2018-02-19 round spamassassin scores; check >= rather than > diff -r 0199965a71eb -r 6c1c2bd9fb54 configure.in --- a/configure.in Wed Jun 06 07:33:44 2018 -0700 +++ b/configure.in Tue Sep 18 09:49:21 2018 -0700 @@ -1,6 +1,6 @@ AC_PREREQ(2.59) -AC_INIT(dnsbl,6.72,carl@five-ten-sg.com) +AC_INIT(dnsbl,6.73,carl@five-ten-sg.com) AC_CONFIG_SRCDIR([config.h.in]) AC_CONFIG_HEADER([config.h]) AC_CONFIG_MACRO_DIR([m4]) diff -r 0199965a71eb -r 6c1c2bd9fb54 dnsbl.spec.in --- a/dnsbl.spec.in Wed Jun 06 07:33:44 2018 -0700 +++ b/dnsbl.spec.in Tue Sep 18 09:49:21 2018 -0700 
@@ -17,15 +17,12 @@ Requires(preun): /sbin/chkconfig Requires(post): /sbin/service Requires(preun): /sbin/service -BuildRequires: sendmail-devel >= 8.12.1 -BuildRequires: spamassassin -BuildRequires: glibc-devel -%if "%{?dist}" == ".el6" -BuildRequires: glibc-static -%endif Requires: sendmail >= 8.12.1 Requires: sendmail-cf Requires: spamassassin, dcc +BuildRequires: sendmail-devel >= 8.12.1 +BuildRequires: spamassassin +BuildRequires: glibc-devel, glibc-static %if "%{?dist}" == ".el7" Requires(pre): systemd-sysv, shadow-utils Requires(post): systemd-units @@ -34,7 +31,6 @@ Requires: coreutils Requires: systemd-units BuildRequires: systemd-units -BuildRequires: glibc-static %endif @@ -155,6 +151,10 @@ %changelog +* Tue Sep 18 2018 Carl Byington - 6.73-1 +- ignore dnswl entries if the sender is <> +- allow autowhite of recipients with local parts up to 35 characters. + * Wed Jun 06 2018 Carl Byington - 6.72-1 - add unsigned_black for enforcement of dmarc policy diff -r 0199965a71eb -r 6c1c2bd9fb54 src/dnsbl.cpp --- a/src/dnsbl.cpp Wed Jun 06 07:33:44 2018 -0700 +++ b/src/dnsbl.cpp Tue Sep 18 09:49:21 2018 -0700 @@ -1435,8 +1435,8 @@ else st = white; // might be <>, envelope from has no @ } - if ((st == oksofar) || (st == whitesofar)) { - // check the dns based whitelists + if (((st == oksofar) || (st == whitesofar)) && (strcmp(priv.mailaddr, "<>") != 0)) { + // check the dns based whitelists if the sender was not empty DNSWLP acceptlist = NULL; // list that caused the whitelisting if (check_dnswl(priv, con.get_dnswl_list(), acceptlist)) { st = white; @@ -1520,7 +1520,7 @@ WHITELISTERP w = con2.find_autowhite(loto, priv.mailaddr); // check if local part is too big - const int max_local_size = 30; + const int max_local_size = 35; const char *p = strchr(loto, '@'); int len = (p) ? p-loto : max_local_size; if (len >= max_local_size) w = NULL; // too big, pretend we don't have a whitelister diff -r 0199965a71eb -r 6c1c2bd9fb54 xml/dnsbl.in 
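Review bot: `BuildRequires: glibc-devel, glibc-static` in the first dnsbl.spec.in hunk makes glibc-static a build dependency on every dist, where the old spec asked for it only inside the `.el6` and `.el7` conditionals (the second hunk removes the `.el7` copy). If the requirement exists because the milter is linked statically against glibc, which this diff does not show, the shipped binary will not pick up glibc resolver fixes until the package is rebuilt. That matters for a daemon that performs DNS lookups driven by untrusted mail. A spec comment above the line stating why the static library is needed would let packagers judge whether it can be made conditional again or dropped.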
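Review bot: The new guard `strcmp(priv.mailaddr, "<>") != 0` in the first src/dnsbl.cpp hunk skips the DNS whitelists only when priv.mailaddr is exactly the two characters `<>`, and it passes the pointer to strcmp without a NULL check. Where mailaddr is assigned and how it is normalized is outside this hunk, so both assumptions should be confirmed against the envelope-from handler. If the null reverse-path can be stored in another form (an empty string after bracket stripping, say), a bounce from a dnswl-listed client would still be whitelisted here. The comment could also record the reason, for example `// null sender (<>): a bounce must not be accepted on the client's dnswl listing alone`. The enclosing function begins and ends outside the hunk.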
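Review bot: `if (len >= max_local_size) w = NULL;` in the second src/dnsbl.cpp hunk still rejects a local part of exactly 35 characters, so the effective limit after this change is 34. The ChangeLog and spec changelog entries in this commit say "up to 35 characters", while the xml text says "shorter than 35", which is what the code does. Either the comparison should become `if (len > max_local_size) w = NULL;` or the changelog wording should be corrected to match. A short comment on `max_local_size` explaining why long local parts are excluded from autowhitelisting would help, since the hunk gives no reason for the cap. The enclosing block starts and ends outside the hunk.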
--- a/xml/dnsbl.in Wed Jun 06 07:33:44 2018 -0700 +++ b/xml/dnsbl.in Tue Sep 18 09:49:21 2018 -0700 @@ -25,7 +25,7 @@ - 2018-06-04 + 2018-09-18 Carl Byington @@ -391,11 +391,10 @@ If the answer is white, the mail is not from localhost, - and the envelope from domain name is - listed in the current (or parents) filtering contexts dkim_from with - "required_signed" or "unsigned_black", we downgrade this white answer to unknown. - If the answer is still white, mail to this recipient is accepted and the dns - lists are not checked. + and the envelope from domain name is listed in the current (or parents) + filtering contexts dkim_from with "required_signed" or "unsigned_black", + we downgrade this white answer to unknown. If the answer is still white, + mail to this recipient is accepted and the dns lists are not checked. If the answer is unknown, we don't reject yet, but the dns lists will be @@ -413,7 +412,8 @@ expression. - If the mail has not been accepted or rejected yet, the dns white lists + If the mail has not been accepted or rejected yet, and the envelope from + email address is not empty, the dns white lists specified in the filtering context are checked and the mail is accepted if any list has an A record for the standard dns based lookup scheme (reversed octets of the client followed by the dns suffix) with a final @@ -458,6 +458,7 @@ For each recipient that was accepted, we search for an autowhite entry starting in the reply filtering context. If an autowhite entry is found, + and the local part of the recipient address is shorter than 35 characters, we add the recipient to that auto whitelist file. This will prevent reply messages from being blocked by the dnsbl or content filtering. 
@@ -494,6 +495,7 @@ If any of the message signers are in that list, or if the source ip address passes a strong spf check for the header from domain, processing continues. Otherwise, the message is rejected. + This is very close to enforcing DMARC for the header from domain. If any of the message signers are blacklisted, the message is rejected. @@ -785,7 +787,7 @@ - 2018-06-04 + 2018-09-18 Carl Byington @@ -963,6 +965,13 @@ }; dkim_from { # + # dmarc enforcement + aim.com unsigned_black "aim.com,mx.aim.com"; + aol.com unsigned_black "aol.com,mx.aol.com"; + yahoo.co.uk unsigned_black yahoo.co.uk; + yahoo.com unsigned_black yahoo.com; + yahoo.in unsigned_black yahoo.in; + # # white/blacklisting based on presence of valid signatures credit.paypal.com require_signed credit.paypal.com; paypal.com require_signed paypal.com;