# HG changeset patch # User Carl Byington # Date 1204695771 28800 # Node ID 92a5c866bdfab4a332c2066d26de6aeb46a7ccdc # Parent ae0585d64dd2310cfcce3dba056cba1d1812abfc Verify from/to pairs even if they might be explicitly whitelisted. Document DCC greylisting and bulk detection usage. Fix DCC bulk thresholds of many. Update spec file for fedora packaging. diff -r ae0585d64dd2 -r 92a5c866bdfa ChangeLog --- a/ChangeLog Sat Feb 02 12:32:59 2008 -0800 +++ b/ChangeLog Tue Mar 04 21:42:51 2008 -0800 @@ -1,3 +1,8 @@ +6.17 2008-03-04 + Verify from/to pairs even if they might be explicitly whitelisted. + Document DCC greylisting and bulk detection usage. Fix DCC bulk + thresholds of many. Update spec file for fedora packaging. + 6.16 2008-02-02 Switch to Mercurial source control. diff -r ae0585d64dd2 -r 92a5c866bdfa NEWS --- a/NEWS Sat Feb 02 12:32:59 2008 -0800 +++ b/NEWS Tue Mar 04 21:42:51 2008 -0800 @@ -1,3 +1,4 @@ +6.17 2008-03-04 Verify all from/to pairs, fix dcc bulk thresholds of many. 6.16 2008-02-02 Switch to Mercurial source control. 6.15 2007-12-07 Fix null pointer dereference if macro _ not passed to this milter. 6.14 2007-11-10 Don't autowhitelist due to out of office reply bots. diff -r ae0585d64dd2 -r 92a5c866bdfa README --- a/README Sat Feb 02 12:32:59 2008 -0800 +++ b/README Tue Mar 04 21:42:51 2008 -0800 @@ -1,6 +1,4 @@ - $Id$ - -Try this: +Starting with an unpacked tarball, try this: ./configure make @@ -10,3 +8,12 @@ The last step sets up the linux runlevels for this package and starts the daemon. + + +Starting with a mercurial working directory, try this: + + make -f *cvs + ./configure >/dev/null + (cd xml; make; make distclean) + make distcheck + diff -r ae0585d64dd2 -r 92a5c866bdfa configure.in --- a/configure.in Sat Feb 02 12:32:59 2008 -0800 +++ b/configure.in Tue Mar 04 21:42:51 2008 -0800 
@@ -1,6 +1,6 @@ AC_PREREQ(2.59) -AC_INIT(dnsbl,6.16,carl@five-ten-sg.com) +AC_INIT(dnsbl,6.17,carl@five-ten-sg.com) AC_CONFIG_SRCDIR([config.h.in]) AC_CONFIG_HEADER([config.h]) diff -r ae0585d64dd2 -r 92a5c866bdfa dnsbl.spec.in --- a/dnsbl.spec.in Sat Feb 02 12:32:59 2008 -0800 +++ b/dnsbl.spec.in Tue Mar 04 21:42:51 2008 -0800 @@ -1,17 +1,14 @@ %define localstatedir /var/lib -Summary: @PACKAGE@ Sendmail Milter +Summary: Sendmail milter for spam control Name: @PACKAGE@ Version: @VERSION@ -Release: %{?custom_release}%{!?custom_release:1} -License: GPL +Release: 1%{?dist} +License: GPLv3+ Group: System Environment/Daemons -Source: http://www.five-ten-sg.com/@PACKAGE@/packages/@PACKAGE@-@VERSION@.tar.gz -BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot -URL: http://www.five-ten-sg.com/@PACKAGE@/ -Vendor: 510 Software Group -Packager: 510 Software Group -AutoReqProv: no +Source: http://www.five-ten-sg.com/%{name}/packages/%{name}-%{version}.tar.gz +BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) +URL: http://www.five-ten-sg.com/%{name}/ Requires(pre): /usr/sbin/useradd Requires(pre): /usr/bin/getent 
@@ -22,124 +19,122 @@ Requires: sendmail >= 8.12.1 Requires: sendmail-cf Requires: spamassassin -Requires: libc.so.6, libgcc_s.so.1, libm.so.6, libpthread.so.0, libstdc++.so.6 %description -We present here a mechanism whereby the backup mail server can use the correct set of DNSBLs for each recipient for each message. As a side-effect, it gives us the ability to customize the set of DNSBLs on a per-recipient basis, so that fred@example.com could use LOCAL and the SBL, where all other users @example.com use only the SBL. +We present here a mechanism whereby the backup mail server can use the +correct set of DNSBLs for each recipient for each message. As a +side-effect, it gives us the ability to customize the set of DNSBLs on +a per-recipient basis, so that fred@example.com could use LOCAL and +the SBL, where all other users @example.com use only the SBL. -This milter will also decode (base64, mime, html entity, url encodings) and scan for HTTP and HTTPS URLs and bare hostnames in the body of the mail. If any of those host names have A or NS records on the SBL (or a single configurable DNSBL), the mail will be rejected unless previously whitelisted. This milter also counts the number of invalid HTML tags, and can reject mail if that count exceeds your specified limit. +This milter will also decode (base64, mime, html entity, url +encodings) and scan for HTTP and HTTPS URLs and bare hostnames in the +body of the mail. If any of those host names have A or NS records on +the SBL (or a single configurable DNSBL), the mail will be rejected +unless previously whitelisted. This milter also counts the number of +invalid HTML tags, and can reject mail if that count exceeds your +specified limit. -The DNSBL milter reads a text configuration file (dnsbl.conf) on startup, and whenever the config file (or any of the referenced include files) is changed. The entire configuration file is case insensitive. 
+The DNSBL milter reads a text configuration file (dnsbl.conf) on +startup, and whenever the config file (or any of the referenced +include files) is changed. The entire configuration file is case +insensitive. %prep - - -%setup - +%setup -q %build -./configure --prefix=%{_prefix} \ - --bindir=%{_bindir} --mandir=%{_mandir} \ - --localstatedir=%{localstatedir} --libdir=%{_libdir} \ - --datadir=%{_datadir} --includedir=%{_includedir} \ - --sysconfdir=%{_sysconfdir} -make - +%configure +make %{?_smp_mflags} %install -if [ "$RPM_BUILD_ROOT" = "/" -o -z "$RPM_BUILD_ROOT" ] ; then - echo sorry, you probably do not want me to delete the old buildroot at $RPM_BUILD_ROOT - exit 1 -fi rm -rf $RPM_BUILD_ROOT -make prefix=$RPM_BUILD_ROOT%{_prefix} bindir=$RPM_BUILD_ROOT%{_bindir} \ - mandir=$RPM_BUILD_ROOT%{_mandir} libdir=$RPM_BUILD_ROOT%{_libdir} \ - localstatedir=$RPM_BUILD_ROOT%{localstatedir} \ - datadir=$RPM_BUILD_ROOT%{_datadir} \ - includedir=$RPM_BUILD_ROOT%{_includedir} \ - sysconfdir=$RPM_BUILD_ROOT%{_sysconfdir} install +make DESTDIR=$RPM_BUILD_ROOT install mkdir -p $RPM_BUILD_ROOT/etc/rc.d/init.d -mkdir -p $RPM_BUILD_ROOT%{_datadir}/doc/@PACKAGE@-@VERSION@ -mv -f $RPM_BUILD_ROOT%{_sysconfdir}/@PACKAGE@/@PACKAGE@ $RPM_BUILD_ROOT/etc/rc.d/init.d -mv AUTHORS COPYING ChangeLog NEWS README $RPM_BUILD_ROOT%{_datadir}/doc/@PACKAGE@-@VERSION@ -mkdir -p %{buildroot}/var/run/@PACKAGE@ -mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/@PACKAGE@/autowhite -mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/@PACKAGE@/.spamassassin +mv -f $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/%{name} $RPM_BUILD_ROOT/etc/rc.d/init.d +mkdir -p %{buildroot}/var/run/%{name} +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/autowhite +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/%{name}/.spamassassin %pre -/usr/bin/getent passwd @PACKAGE@ >/dev/null || /usr/sbin/useradd -r -d %{_sysconfdir}/@PACKAGE@ -M -c "@PACKAGE@ pseudo-user" -s /sbin/nologin @PACKAGE@ >/dev/null +/usr/bin/getent passwd %{name} >/dev/null || 
/usr/sbin/useradd -r -d %{_sysconfdir}/%{name} -M -c "%{name} pseudo-user" -s /sbin/nologin %{name} >/dev/null %post -/sbin/chkconfig --add @PACKAGE@ -echo Remember to edit %{_sysconfdir}/@PACKAGE@/@PACKAGE@.conf and add the following line to your sendmail.mc: +/sbin/chkconfig --add %{name} +echo Remember to edit %{_sysconfdir}/%{name}/%{name}.conf and add the following line to your sendmail.mc: echo "INPUT_MAIL_FILTER(\`dnsbl', \`S=local:/var/run/dnsbl/dnsbl.sock, F=T, T=C:30s;S:5m;R:5m;E:5m')" echo %preun -[ $1 = 0 ] && /sbin/service @PACKAGE@ stop || : +[ $1 = 0 ] && /sbin/service %{name} stop || : %postun -[ $1 = 0 ] && /sbin/chkconfig --del @PACKAGE@ -[ $1 = 0 ] && userdel @PACKAGE@ || : +[ $1 = 0 ] && /sbin/chkconfig --del %{name} +[ $1 = 0 ] && userdel %{name} || : %clean %files -%defattr(-,root,root) +%defattr(-,root,root,-) %{_sbindir}/* -%doc %{_mandir}/* -%docdir %{_datadir}/doc/@PACKAGE@-@VERSION@ -%{_datadir}/doc/@PACKAGE@-@VERSION@ -%config(noreplace) %{_sysconfdir}/@PACKAGE@ -/etc/rc.d/init.d/@PACKAGE@ -%dir %attr(0750,@PACKAGE@,root) /var/run/@PACKAGE@ -%dir %attr(0750,@PACKAGE@,root) %{_sysconfdir}/@PACKAGE@/autowhite -%dir %attr(0750,@PACKAGE@,root) %{_sysconfdir}/@PACKAGE@/.spamassassin +%{_mandir}/man1/* +%{_mandir}/man5/* +%doc AUTHORS COPYING ChangeLog NEWS README +%docdir %{_datadir}/doc/%{name}-%{version} +%{_datadir}/doc/%{name}-%{version} +%config(noreplace) %{_sysconfdir}/%{name} +/etc/rc.d/init.d/%{name} +%dir %attr(0750,%{name},root) /var/run/%{name} +%dir %attr(0750,%{name},root) %{_sysconfdir}/%{name}/autowhite +%dir %attr(0750,%{name},root) %{_sysconfdir}/%{name}/.spamassassin %changelog -* Thu Aug 30 2007 Carl Byington 6.07 +* Tue Mar 04 2008 Carl Byington - 6.17 +- changes for Fedora packaging guidelines + +* Thu Aug 30 2007 Carl Byington - 6.07 - Add generic rdns filtering, fix pre/post scripts -* Sun Aug 26 2007 Carl Byington 6.04 +* Sun Aug 26 2007 Carl Byington - 6.04 - require spamassassin -* Sat Jul 07 2007 Carl Byington 6.01 
+* Sat Jul 07 2007 Carl Byington - 6.01 - GPL3, auto whitelisting -* Wed Aug 02 2006 Carl Byington 5.20 +* Wed Aug 02 2006 Carl Byington - 5.20 - http://www.rpm.org/max-rpm/s1-rpm-inside-scripts.html help with postun -* Thu Mar 16 2006 Carl Byington 5.16 -- use @PACKAGE@ in more places +* Thu Mar 16 2006 Carl Byington - 5.16 +- use %{name} in more places -* Fri Mar 10 2006 Carl Byington 5.13 +* Fri Mar 10 2006 Carl Byington - 5.13 - remove redundant entry in files section -* Sun Dec 18 2005 Carl Byington 5.11 +* Sun Dec 18 2005 Carl Byington - 5.11 - use autoconf and http://www.fedora.us/docs/rpm-packaging-guidelines.html -* Tue Jan 03 2005 Carl Byington 4.0 +* Tue Jan 03 2005 Carl Byington - 4.0 - added hosts-ignore conf file - see RELEASE_NOTES -* Thu Jul 15 2004 John Gunkel 1.3 +* Thu Jul 15 2004 John Gunkel - 1.3 - patch to rc file no longer needed - see RELEASE_NOTES -* Mon Jul 05 2004 John Gunkel 1.2 +* Mon Jul 05 2004 John Gunkel - 1.2 - Fixed some typos - removed patch into separate file - added config migration as suggested by Carl - Added reminder to edit sendmail.mc -* Wed Jun 30 2004 John Gunkel 1.1 +* Wed Jun 30 2004 John Gunkel - 1.1 - Initial revision of spec file. Need to add a better description, docs and a sendmail.mc message diff -r ae0585d64dd2 -r 92a5c866bdfa package --- a/package Sat Feb 02 12:32:59 2008 -0800 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
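Review bot: In dnsbl.spec.in, `%postun` still ends with `[ $1 = 0 ] && userdel %{name} || :`, so the service account is deleted on final erase. Files the daemon wrote under `%{_sysconfdir}/%{name}/autowhite`, and any modified `%config(noreplace)` files, presumably stay on disk owned by a bare UID that a later `useradd -r` can assign to an unrelated account. Fedora's packaging guidance, which this commit is aligning with, is to leave package-created system accounts in place. The scriptlet could be reduced to the single line `[ $1 = 0 ] && /sbin/chkconfig --del %{name} || :`, keeping the `|| :` so an upgrade does not fail the scriptlet.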
@@ -1,99 +0,0 @@ -#!/bin/bash - -find . -name '*~' | while read a; do rm -f "$a"; done - -# check for uncommitted changes -a=$(hg status) -if [ -n "$a" ]; then - hg status - echo "fix those first with 'hg commit'" - exit 0 -fi - -# check for changesets pending push to global repository -hg outgoing /usr/hg*/dnsbl | grep 'no changes found' >/dev/null -if [ $? -ne 0 ]; then - hg outgoing /usr/hg*/dnsbl - echo "fix those first with 'hg push /usr/hg*/dnsbl'" - exit 0 -fi - -# get a new clean copy from source control -orig=$(pwd) -pack=$orig/../dnsbl-package -[ -d "$pack" ] && rm -rf "$pack" -mkdir "$pack" -cd "$pack" -hg clone /usr/hg-repository/dnsbl -cd dnsbl - -# build the dnsbl package -T=`grep AC_INIT configure.in | cut -d'(' -f2` -NAME=`echo $T | cut -d, -f1` -VER=`echo $T | cut -d, -f2` -BALL=$NAME-$VER.tar.gz -web=/home/httpd/html/510sg/$NAME -distlog=/tmp/distcheck - -mkdir -p $web -chown --recursive root:root * -make -f *cvs -./configure >/dev/null -(cd xml; make; make distclean) -cp -a html/*html $web -make distcheck >$distlog 2>&1 -if [ $? -eq 0 ]; then - if [ -f $BALL ]; then - # expand locally to see the tarball - rm -rf junk - mkdir junk - cd junk - tar xfz ../$BALL - cd $NAME-$VER - ./configure >/dev/null - make >/dev/null - ## make install >/dev/null - ## if [ -f /etc/rc.d/init.d/$NAME ]; then - ## /etc/rc.d/init.d/$NAME stop - ## fi - ## make chkconfig - ## if [ -f /etc/rc.d/init.d/$NAME ]; then - ## chkconfig $NAME on - ## /etc/rc.d/init.d/$NAME start - ## fi - cd .. - cd .. 
- - # build rpm on target - target5=pmg2 - scp $BALL $target5:/tmp - ssh $target5 "cd /tmp; rpmbuild -ta $BALL" - - # build rpm on target - target4=host62 - scp $BALL $target4:/tmp - ssh $target4 "cd /tmp; rpmbuild -ta $BALL" - - # add packages to the web site - wp=$web/packages - wp4=$wp/centos4 - wp5=$wp/centos5 - mkdir -p $wp4 $wp5 - rp=/usr/src/redhat - mv -f $BALL $wp - scp $target4:$rp/SRPMS/$NAME-$VER*rpm $wp - scp $target4:$rp/RPMS/i386/$NAME-$VER*rpm $wp4 - scp $target5:$rp/RPMS/i386/$NAME-$VER*rpm $wp5 - (cd $web; chown --recursive web:web *; ls -alR) - rpm -ql -p $wp4/$NAME-$VER*6.rpm - rpm -ql -p $wp5/$NAME-$VER*6.rpm - fi -else - tail -10 $distlog -fi -chown --recursive carl:carl * - -# throw away the packaging directory -cd "$pack/.." -rm -rf dnsbl-package -cd "$orig" diff -r ae0585d64dd2 -r 92a5c866bdfa src/context.cpp --- a/src/context.cpp Sat Feb 02 12:32:59 2008 -0800 +++ b/src/context.cpp Tue Mar 04 21:42:51 2008 -0800 @@ -937,7 +937,7 @@ msg = string(buf); return false; } - if (dcc_bulk_threshold && (bulk > dcc_bulk_threshold)) { + if (dcc_bulk_threshold && (bulk >= dcc_bulk_threshold)) { char buf[maxlen]; snprintf(buf, sizeof(buf), "Mail rejected - dcc score %d", bulk); msg = string(buf); diff -r ae0585d64dd2 -r 92a5c866bdfa src/dccifd.cpp --- a/src/dccifd.cpp Sat Feb 02 12:32:59 2008 -0800 +++ b/src/dccifd.cpp Tue Mar 04 21:42:51 2008 -0800 @@ -27,9 +27,6 @@ #include - -static const char Id[] = "$Id$"; - const int maxlen = 1000; // used for snprintf buffers extern int NULL_SOCKET; const char *options = "header\n"; diff -r ae0585d64dd2 -r 92a5c866bdfa src/dnsbl.cpp --- a/src/dnsbl.cpp Sat Feb 02 12:32:59 2008 -0800 +++ b/src/dnsbl.cpp Tue Mar 04 21:42:51 2008 -0800 
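Review bot: In src/context.cpp the change to `bulk >= dcc_bulk_threshold` moves the cut-off for every numeric threshold, not only `many`. A configuration with threshold N that used to reject from N+1 now rejects at N, while ChangeLog and NEWS describe the change only as a fix for thresholds of many. The xml/dnsbl.in text in this commit documents the inclusive comparison and describes the spamassassin limit as exclusive, so the two limits now compare differently. A comment at the test would make that deliberate, for example `// inclusive on purpose: a score equal to the threshold (including "many") rejects; 0 disables the check`. The enclosing function starts and ends outside the hunk.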
@@ -1109,8 +1109,8 @@ smfi_setreply(ctx, "550", "5.7.1", "no such user"); return SMFIS_REJECT; } - if (ver && (st != white)) { - // try to verify this from/to pair of addresses since it is not explicitly whitelisted + if (ver) { + // try to verify this from/to pair of addresses even if it might be explicitly whitelisted char *loto = to_lower_string(rcptaddr); bool rc = ver->ok(priv.mailaddr, loto); free(loto); diff -r ae0585d64dd2 -r 92a5c866bdfa src/spamass.cpp.in --- a/src/spamass.cpp.in Sat Feb 02 12:32:59 2008 -0800 +++ b/src/spamass.cpp.in Tue Mar 04 21:42:51 2008 -0800 @@ -19,8 +19,6 @@ #include -static const char Id[] = "$Id$"; - char *spamc = "@SPAMC@"; char *spamc_empty = ""; static bool warnedmacro = false; // have we logged that we couldn't fetch a macro? diff -r ae0585d64dd2 -r 92a5c866bdfa xml/dnsbl.in --- a/xml/dnsbl.in Sat Feb 02 12:32:59 2008 -0800 +++ b/xml/dnsbl.in Tue Mar 04 21:42:51 2008 -0800 @@ -423,7 +423,21 @@ If any non-whitelisted recipient has a filtering context with a non-zero spamassassin limit, then the message is passed thru spamassassin (via spamc), and the message is rejected for those recipients with spamassassin - limits less than the resulting spamassassin score. + limits less than the resulting spamassassin score. For example, a + spamassassin limit of three will reject messages with spamassassin scores + of four or greater. + + + If any non-whitelisted recipient has a filtering context that specifies + DCC greylisting, then the message is passed thru the DCC bulk detector, + and the message is greylisted (for all recipients) if the DCC says this + message should be delayed. + + + If any non-whitelisted recipient has a filtering context with a non-zero + DCC bulk threshold, then the message is passed thru the DCC bulk detector, + and the message is rejected for those recipients with DCC thresholds less + than or equal to the DCC bulk score. We also scan for excessive bad html tags, and if a <configurable>
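Review bot: In src/dnsbl.cpp, dropping `st != white` makes acceptance of whitelisted from/to pairs depend on `ver->ok(priv.mailaddr, loto)`, and what `ok()` returns when verification cannot be completed is not visible in this hunk. If it fails closed, explicitly whitelisted mail would be refused whenever the verifier is unavailable, so the intended failure behaviour should be confirmed and written down here. The new comment says what happens but not why; if the intent is that a whitelist entry must not bypass recipient verification, say so, e.g. `// verify even when st == white: whitelisting must not bypass from/to verification`. The function body continues outside the hunk.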