# HG changeset patch
# User Carl Byington
# Date 1482177906 28800
# Node ID b5b93a7e1e6dd75d37a2f46503d88aeccfec349c
# Parent c9932c4d80534883940ad4468b1f4f7610e53685
ignore envelope-from based whitelisting if we have a dkim requirement for that domain
diff -r c9932c4d8053 -r b5b93a7e1e6d dnsbl.conf
--- a/dnsbl.conf Mon Dec 19 08:29:16 2016 -0800
+++ b/dnsbl.conf Mon Dec 19 12:05:06 2016 -0800
@@ -54,14 +54,30 @@
 content on {
 dkim_signer {
- sendgrid.me black;
- weather.com white;
+ // we could add consumer facing domains like yahoo.com, aol.com, etc
+ // here, IF you really want to accept all the mail from such folks.
+ five-ten-sg.com white;
+ some.spammer black; // reject if signed by them
 };
 dkim_from {
- yahoo.com require_signed yahoo.com;
- gmail.com signed_white gmail.com;
- girlscoutsla.org signed_white girlscoutsla.ccsend.com;
+ // cannot really add consumer facing domains like yahoo.com, aol.com, etc
+ // here, since such messages from humans might be sent via mailing lists
+ // that will break the dkim signature. But this works well for commonly
+ // forged bulk senders like ebay and paypal.
+ some.spammer require_signed some.spammer // reject if not signed
+
+ billpay.bankofamerica.com require_signed billpay.bankofamerica.com;
+ ealerts.bankofamerica.com require_signed ealerts.bankofamerica.com;
+ ebay.com require_signed ebay.com;
+ facebookmail.com require_signed facebookmail.com;
+ healthcare.gov require_signed healthcare.gov;
+ linkedin.com require_signed linkedin.com;
+ paypal.com require_signed paypal.com;
+ service.capitalone.com require_signed capitalone.com;
+ support.facebook.com require_signed support.facebook.com;
+ ups.com require_signed ups.com;
+ wellsfargo.com require_signed wellsfargo.com;
 };
 filter sbl-xbl.spamhaus.org "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
 uribl multi.surbl.org "Mail containing %s rejected - surbl; see http://www.surbl.org/surbl-analysis?d=%s";
diff -r c9932c4d8053 -r b5b93a7e1e6d src/context.cpp
--- a/src/context.cpp Mon Dec 19 08:29:16 2016 -0800
+++ b/src/context.cpp Mon Dec 19 12:05:06 2016 -0800
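Review bot: The new `some.spammer require_signed some.spammer // reject if not signed` entry in the dkim_from block has no terminating `;`, while every other entry in both the dkim_signer and dkim_from blocks ends with one; unless the config parser tolerates a missing terminator, this sample will not load as written. It should read `some.spammer require_signed some.spammer; // reject if not signed`. Because this is the shipped example, the parse failure would surface only when an operator copies the block into a live configuration.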
@@ -1100,10 +1100,12 @@
 void CONTEXT::log(const char *queueid, const char *msg, const char *v) {
+ if (debug_syslog > 1) {
 char buf[maxlen];
 snprintf(buf, maxlen, msg, v);
 my_syslog(queueid, buf);
 }
+}
 bool CONTEXT::acceptable_content(recorder &memory, int score, int bulk, const char *queueid, string_set &signers, const char *from, string& msg) {
diff -r c9932c4d8053 -r b5b93a7e1e6d src/dnsbl.cpp
--- a/src/dnsbl.cpp Mon Dec 19 08:29:16 2016 -0800
+++ b/src/dnsbl.cpp Mon Dec 19 12:05:06 2016 -0800
@@ -1292,7 +1292,17 @@
 st = black;
 }
 else if ((fromvalue == token_white) && !self) {
- st = white;
+ // whitelisting based on envelope from value, but ignore it if
+ // we have a dkim requirement for that domain.
+ const char *domain = strchr(priv.mailaddr, '@');
+ if (domain) {
+ DKIMP dk = con.find_dkim_from(domain);
+ if (dk && (dk->action == token_require_signed)) {
+ my_syslog(&priv, "dkim require_signed overrides envelope from whitelist");
+ }
+ else st = white;
+ }
+ else st = white; // might be <>, envelope from has no @
 }
 else {
 // check the dns based lists, whitelist first
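Review bot: CONTEXT::log now silently drops its message unless `debug_syslog > 1`, but nothing at the definition says so, and `msg` is still handed to `snprintf` as the format string with a single `v` argument. A header comment would keep callers from relying on it for operational messages or from passing a format with the wrong number of conversions, e.g. `// Debug-only syslog: emitted only when debug_syslog > 1. msg is a printf format that must consume exactly one %s (v); callers must pass a literal format, never message-derived text.` Whether any existing caller passes non-literal text as msg cannot be seen from this hunk.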
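Review bot: `domain` points at the `@` itself, since `strchr` returns the position of the matched character, so `con.find_dkim_from(domain)` is handed `@example.com` rather than the bare domain; unless find_dkim_from strips a leading `@`, it will not match the dkim_from keys (which are written as bare domains such as `ebay.com` in dnsbl.conf) and the require_signed override this commit introduces never fires, leaving the envelope-from whitelist in effect for exactly the domains it is meant to protect. The lookup should pass the text after the separator: `DKIMP dk = con.find_dkim_from(domain + 1);`. The `<>` comment covers an empty sender, but if `priv.mailaddr` can be a null pointer rather than an empty string, `strchr` would dereference it before the `if (domain)` check, so guard that case first. The enclosing function begins and ends outside the hunk.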