# HG changeset patch # User Carl Byington # Date 1487459192 28800 # Node ID 7fd39f02993657240d9ea376341f18c7f4332bfb # Parent 7ad7acf60758e2f4f9059c16502ec29ce1c0e6ab reject if dkim signer is listed on surbl diff -r 7ad7acf60758 -r 7fd39f029936 ChangeLog --- a/ChangeLog Wed Feb 08 11:40:44 2017 -0800 +++ b/ChangeLog Sat Feb 18 15:06:32 2017 -0800 @@ -1,3 +1,6 @@ +6.50 2017-02-18 + reject if dkim signer is listed on surbl + 6.49 2017-02-07 RHEL7 systemd and /var/run on tmpfs. diff -r 7ad7acf60758 -r 7fd39f029936 NEWS --- a/NEWS Wed Feb 08 11:40:44 2017 -0800 +++ b/NEWS Sat Feb 18 15:06:32 2017 -0800 @@ -1,3 +1,4 @@ +6.50 2017-02-18 reject if dkim signer is listed on surbl 6.49 2017-02-07 RHEL7 systemd and /var/run on tmpfs 6.48 2016-12-17 Add dkim white/black listing 6.47 2016-09-21 Better smtp verify logging diff -r 7ad7acf60758 -r 7fd39f029936 configure.in --- a/configure.in Wed Feb 08 11:40:44 2017 -0800 +++ b/configure.in Sat Feb 18 15:06:32 2017 -0800 @@ -1,6 +1,6 @@ AC_PREREQ(2.59) -AC_INIT(dnsbl,6.49,carl@five-ten-sg.com) +AC_INIT(dnsbl,6.50,carl@five-ten-sg.com) AC_CONFIG_SRCDIR([config.h.in]) AC_CONFIG_HEADER([config.h]) AC_CONFIG_MACRO_DIR([m4]) diff -r 7ad7acf60758 -r 7fd39f029936 dnsbl.spec.in --- a/dnsbl.spec.in Wed Feb 08 11:40:44 2017 -0800 +++ b/dnsbl.spec.in Sat Feb 18 15:06:32 2017 -0800 @@ -13,8 +13,10 @@ Requires(pre): /usr/sbin/useradd Requires(pre): /usr/bin/getent Requires(postun): /usr/sbin/userdel -Requires(post,preun): /sbin/chkconfig -Requires(post,preun): /sbin/service +Requires(post): /sbin/chkconfig +Requires(preun): /sbin/chkconfig +Requires(post): /sbin/service +Requires(preun): /sbin/service BuildRequires: sendmail-devel >= 8.12.1 BuildRequires: spamassassin BuildRequires: glibc-devel 
@@ -152,6 +154,9 @@ %changelog +* Sat Feb 18 2017 Carl Byington - 6.50-1 +- reject if dkim signer is listed on surbl + * Wed Feb 08 2017 Carl Byington - 6.49-1 - RHEL7 systemd and /var/run is on tmpfs - install dnsblnogrey/whiteclnt for dccifd diff -r 7ad7acf60758 -r 7fd39f029936 src/dnsbl.cpp --- a/src/dnsbl.cpp Wed Feb 08 11:40:44 2017 -0800 +++ b/src/dnsbl.cpp Sat Feb 18 15:06:32 2017 -0800 @@ -720,6 +720,16 @@ return rs; } +const char *mlfiPriv::check_uribl_signers() { + const char *st; + if (uribl_suffix) { + for (string_set::iterator s=dkim_signers.begin(); s!=dkim_signers.end(); s++) { + if (check_uribl(*this, hosts_uribl, *s, host_uribl)) return host_uribl; + } + } + return NULL; +} + void mlfiPriv::need_content_filter(CONTEXT &con) { if (!memory) { // first recipient that needs content filtering sets @@ -1628,6 +1638,8 @@ string_set whites; bool random = false; int limit = 0; + const char *signer = NULL; + bool checked_signers = false; if (priv.dkim_signers.empty()) { snprintf(buf, sizeof(buf), "acceptable content from %s signer *", (priv.fromaddr) ? priv.fromaddr : token_asterisk); @@ -1653,10 +1665,27 @@ smfi_delrcpt(ctx, (char*)rcpt); } else if (st == token_unknown) { + if (!checked_signers) { + signer = priv.check_uribl_signers(); + checked_signers = true; + if (signer) { + snprintf(buf, sizeof(buf), "dkim signer %s on uribl", signer); + my_syslog(&priv, buf); + snprintf(buf, sizeof(buf), "Mail rejected - dkim signed by %s", signer); + msg = string(buf); + } + } + if (signer) { + // dkim signer is on the uribl + smfi_delrcpt(ctx, (char*)rcpt); + } + else { + // still unknown unknowns.insert(rcpt); random |= con.get_host_random(); limit = max(limit, con.get_host_limit()); } + } else if (st == token_white) { whites.insert(rcpt); } diff -r 7ad7acf60758 -r 7fd39f029936 src/dnsbl.h --- a/src/dnsbl.h Wed Feb 08 11:40:44 2017 -0800 +++ b/src/dnsbl.h Sat Feb 18 15:06:32 2017 -0800 
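Review bot: In the `@@ -720,6 +720,16 @@` hunk of src/dnsbl.cpp, `check_uribl_signers()` makes one `check_uribl` call per entry of `dkim_signers` with no upper bound. If that set is filled from the message's signature headers (not visible here), the sender decides how many uribl lookups a single message costs. Consider capping the number of signers checked, or confirm the set is already bounded where it is populated. The local `const char *st;` is never used and can be dropped. A short comment would also help, e.g. `// returns the first dkim signer found on the uribl (the pointer left in host_uribl), or NULL if none is listed or no uribl suffix is set`.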
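Review bot: In the `@@ -1653,10 +1665,27 @@` hunk of src/dnsbl.cpp, `signer` is copied into both the syslog line and the rejection text (`"Mail rejected - dkim signed by %s"`), and `snprintf` bounds its length but not its content. If signer names come from message headers, confirm that they are limited to hostname characters before they reach `dkim_signers`, because how `my_syslog` and the later consumer of `msg` treat `%` or control characters is outside this hunk. The three pre-existing statements now inside `else { // still unknown` appear as unchanged context lines, so they kept their old indentation and the new nesting is harder to follow; re-indenting them would help. The enclosing function starts and ends outside the hunk.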
@@ -49,8 +49,8 @@ const char *client_name; // fully qualified host name of the smtp client xxx [ip.ad.dr.es] (may be forged) char *client_dns_name; // fully qualified host name of the smtp client xxx bool client_dns_forged; // rdns mismatch - const char *host_uribl; // pointer to helo/client/from host name if found on uribl - string_set hosts_uribl; // string set to hold the helo/client/from host name if found on uribl + const char *host_uribl; // pointer to helo/client/from/signer host name if found on uribl + string_set hosts_uribl; // string set to hold the helo/client/from/signer host name if found on uribl bool helo_uribl; // helo value on uribl bool client_uribl; // client_name on uribl bool from_uribl; // envelope from value on uribl @@ -81,6 +81,7 @@ void return_fd(); size_t my_read(char *buf, size_t len); size_t my_write(const char *buf, size_t len); + const char *check_uribl_signers(); void need_content_filter(CONTEXT &con); };