# HG changeset patch # User Carl Byington # Date 1509728233 25200 # Node ID 7b072e16bd69c0f25eb6fa3258267782c582147a # Parent afd10321eb7025b9e9fa5f8e452b6de424c7f79f fix syslog for long messages, supress dkim checks for mail from localhost diff -r afd10321eb70 -r 7b072e16bd69 ChangeLog --- a/ChangeLog Tue Oct 24 09:17:10 2017 -0700 +++ b/ChangeLog Fri Nov 03 09:57:13 2017 -0700 @@ -1,3 +1,7 @@ +6.64 2017-11-03 + fix syslog for long messages + supress dkim checks for mail from localhost + 6.63 2017-10-24 allow syslogging of long txt records diff -r afd10321eb70 -r 7b072e16bd69 NEWS --- a/NEWS Tue Oct 24 09:17:10 2017 -0700 +++ b/NEWS Fri Nov 03 09:57:13 2017 -0700 @@ -1,3 +1,4 @@ +6.64 2017-11-03 fix syslog for long messages, supress dkim checks for mail from localhost 6.63 2017-10-24 allow syslogging of long txt records 6.62 2017-10-03 include arpa/nameser.h earlier 6.61 2017-10-02 allow 4000 byte spf txt records diff -r afd10321eb70 -r 7b072e16bd69 configure.in --- a/configure.in Tue Oct 24 09:17:10 2017 -0700 +++ b/configure.in Fri Nov 03 09:57:13 2017 -0700 @@ -1,6 +1,6 @@ AC_PREREQ(2.59) -AC_INIT(dnsbl,6.63,carl@five-ten-sg.com) +AC_INIT(dnsbl,6.64,carl@five-ten-sg.com) AC_CONFIG_SRCDIR([config.h.in]) AC_CONFIG_HEADER([config.h]) AC_CONFIG_MACRO_DIR([m4]) diff -r afd10321eb70 -r 7b072e16bd69 dnsbl.spec.in --- a/dnsbl.spec.in Tue Oct 24 09:17:10 2017 -0700 +++ b/dnsbl.spec.in Fri Nov 03 09:57:13 2017 -0700 @@ -155,6 +155,10 @@ %changelog +* Fri Nov 03 2017 Carl Byington - 6.64-1 +- fix syslog for long messages +- supress dkim checks for mail from localhost + * Tue Oct 24 2017 Carl Byington - 6.63-1 - allow syslogging of long txt records diff -r afd10321eb70 -r 7b072e16bd69 src/context.cpp --- a/src/context.cpp Tue Oct 24 09:17:10 2017 -0700 +++ b/src/context.cpp Fri Nov 03 09:57:13 2017 -0700 
@@ -1305,7 +1305,8 @@ } -const char *CONTEXT::acceptable_content(recorder &memory, int score, int bulk, const char *queueid, string_set &signers, const char *from, mlfiPriv *priv, string& msg) { +const char *CONTEXT::acceptable_content(bool local_source, recorder &memory, int score, int bulk, const char *queueid, string_set &signers, const char *from, mlfiPriv *priv, string& msg) { + if (!local_source) { for (string_set::iterator s=signers.begin(); s!=signers.end(); s++) { const char *st = find_dkim_signer(*s); // signed by a white listed signer @@ -1324,7 +1325,7 @@ log(queueid, "whitelisted dkim signer %s", *s); return token_white; } - // signed by the required signer + // signed by a required signer if ((st == token_require_signed) && in_signing_set(*s,dk->signer)) { log(queueid, "required dkim signer %s", *s); return token_white; @@ -1338,7 +1339,7 @@ } } if (st == token_signed_white) { - // not signed by a white signer, but maybe passes strong spf check + // not signed by a white listed signer, but maybe passes strong spf check if (resolve_spf(from, ntohl(priv->ip), priv)) { log(queueid, "spf pass for %s rather than whitelisted dkim signer", from); return token_white; @@ -1370,6 +1371,7 @@ return token_black; } } + } if (spamassassin_limit && (score > spamassassin_limit)) { char buf[maxlen]; diff -r afd10321eb70 -r 7b072e16bd69 src/context.h --- a/src/context.h Tue Oct 24 09:17:10 2017 -0700 +++ b/src/context.h Fri Nov 03 09:57:13 2017 -0700 
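Review bot: The new `local_source` parameter switches off every DKIM decision in acceptable_content (whitelisted signer, `require_signed`, and the `signed_white` SPF fallback), but nothing at the definition or at the declaration in context.h says so. A comment above the function would make the bypass explicit, for example `// local_source: client connected from loopback; all dkim_signer/dkim_from checks are skipped and only the spamassassin and bulk limits apply`. The wrapped `for` loop was also left at its old indentation under `if (!local_source) {`, so the lone `}` added before `if (spamassassin_limit && ...)` in the later hunk is easy to misread as closing the loop; re-indenting the body would fix that. The function body continues outside this hunk.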
@@ -326,7 +326,7 @@ void replace(char *buf, char *p, const char *what); bool resolve_spf(const char *from, uint32_t ip, mlfiPriv *priv); bool resolve_one_spf(const char *from, uint32_t ip, mlfiPriv *priv, int level = 0); - const char *acceptable_content(recorder &memory, int score, int bulk, const char *queueid, string_set &signers, const char *from, mlfiPriv *priv, string& msg); + const char *acceptable_content(bool local_source, recorder &memory, int score, int bulk, const char *queueid, string_set &signers, const char *from, mlfiPriv *priv, string& msg); bool ignore_host(const char *host); void dump(bool isdefault, bool &spamass, int level = 0); diff -r afd10321eb70 -r 7b072e16bd69 src/dnsbl.cpp --- a/src/dnsbl.cpp Tue Oct 24 09:17:10 2017 -0700 +++ b/src/dnsbl.cpp Fri Nov 03 09:57:13 2017 -0700 @@ -849,23 +849,35 @@ // syslog a message // void my_syslog(const char *queueid, const char *text) { - char buf[maxlen]; - if (queueid && queueid[0]) { + const char* noqueue = "NOQUEUE"; + if (!queueid || !queueid[0]) queueid = noqueue; + + const int syslogmaxlen = 400; // buffer size + char buf[syslogmaxlen]; + snprintf(buf, sizeof(buf), "%s: ", queueid); + size_t hdrlen = strlen(buf); + const size_t maxsegment = syslogmaxlen - hdrlen - 1; + size_t msglen = strlen(text); + while (msglen > 0) { snprintf(buf, sizeof(buf), "%s: %s", queueid, text); - text = buf; - } if (use_syslog) { pthread_mutex_lock(&syslog_mutex); if (!syslog_opened) { openlog("dnsbl", LOG_PID, LOG_MAIL); syslog_opened = true; } - syslog(LOG_NOTICE, "%s", text); + syslog(LOG_NOTICE, "%s", buf); pthread_mutex_unlock(&syslog_mutex); } else { - printf("%s \n", text); + printf("%s \n", buf); } + size_t segmentlen = min(msglen, maxsegment); + text += segmentlen; + msglen -= segmentlen; + // assert(msglen == strlen(text)) + } + } void my_syslog(mlfiPriv *priv, const char *text) { 
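Review bot: The segment loop in my_syslog never terminates when `maxsegment` comes out as 0. That happens if the `"%s: "` header fills the 400-byte buffer (a queueid of roughly 397 characters or more): `segmentlen` is then `min(msglen, 0)`, `msglen` never shrinks, and the thread logs the same truncated header forever. Queue ids from the MTA are presumably short, but the function accepts any `const char *`, so the header should be bounded, e.g. `snprintf(buf, sizeof(buf), "%.64s: ", queueid);` with the same `%.64s` in the per-segment format, or `if (maxsegment == 0) return;` before the loop. Separately, continuation segments carry the same `queueid: ` prefix as a fresh message, so the tail of a long remotely supplied value (the ChangeLog mentions long txt records) reads as an independent log entry. A visible continuation marker on segments after the first would keep log review unambiguous.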
@@ -1408,7 +1420,7 @@ // whitelisting based on envelope from value, but ignore it if // we have a dkim requirement for the original domain const char *domain = strchr(priv.origaddr, '@'); - if (domain) { + if (domain && !local_source) { DKIMP dk = con.find_dkim_from(domain+1); if (dk && (dk->action == token_require_signed)) { my_syslog(&priv, "dkim require_signed overrides envelope from whitelist"); @@ -1716,6 +1728,8 @@ else { // assert env_to not empty, it contains the // non-whitelisted folks that want content filtering + const u_char *src = (const u_char *)&priv.ip; + bool local_source = (src[0] == 127); int score = (priv.want_spamassassin) ? priv.assassin->mlfi_eom() : 0; bool grey = false; int bulk = 0; @@ -1748,7 +1762,7 @@ CONTEXT *next = (*i).second; if (con != next) { con = next; - st = con->acceptable_content(*priv.memory, score, bulk, priv.queueid, priv.dkim_signers, priv.fromaddr, &priv, msg); + st = con->acceptable_content(local_source, *priv.memory, score, bulk, priv.queueid, priv.dkim_signers, priv.fromaddr, &priv, msg); } if (st == token_black) { // bad html tags or excessive hosts or diff -r afd10321eb70 -r 7b072e16bd69 xml/dnsbl.in --- a/xml/dnsbl.in Tue Oct 24 09:17:10 2017 -0700 +++ b/xml/dnsbl.in Fri Nov 03 09:57:13 2017 -0700 @@ -25,7 +25,7 @@ - 2017-08-18 + 2017-11-03 Carl Byington @@ -390,7 +390,8 @@ user", and the dns lists are not checked. - If the answer is white, and the envelope from domain name is + If the answer is white, the mail is not from localhost, + and the envelope from domain name is listed in the current (or parents) filtering contexts dkim_from with "required_signed", we downgrade this white answer to unknown. If the answer is still white, mail to this recipient is accepted and the dns 
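Review bot: The loopback test `bool local_source = (src[0] == 127);` in the second dnsbl.cpp hunk now decides whether DKIM `require_signed` is enforced at all, and it rests on two unstated assumptions. One is that `priv.ip` holds the IPv4 peer address in network byte order (the `ntohl(priv->ip)` call in context.cpp suggests so); the other is that a 127/8 peer always means locally generated mail. On a host where a local proxy or content filter re-injects inbound mail over loopback, every message would match and skip the DKIM checks. That deserves a comment at the test, e.g. `// priv.ip is network order, so src[0] is the first octet (127/8 only); mail re-injected by a local relay also matches and bypasses dkim checks`. The first hunk's `if (domain && !local_source)` relies on a `local_source` declared outside the hunk; if that is a separate computation, a shared helper such as `static bool is_loopback(uint32_t ip)` would keep the two from drifting apart.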
@@ -461,6 +462,11 @@ messages from being blocked by the dnsbl or content filtering. + If the mail is from localhost we skip the following dkim checks, since + such mail will never be dkim signed. This is typically mail that is generated by + apache forms. + + If content filtering is enabled for this body, we look for dkim_signer and dkim_from sections in the current context and parents. We collect the signers of this message from the header added by the dkim-milter. If any @@ -773,7 +779,7 @@ - 2017-08-18 + 2017-11-03 Carl Byington