# HG changeset patch
# User Carl Byington
# Date 1488908365 28800
# Node ID a8cf6a3da9077c1a3d29ae51ab0be51da4d6cc6a
# Parent 619a4880a3bf065e13dbef1cd64f1637a755cdac
document dkim/spf processing
diff -r 619a4880a3bf -r a8cf6a3da907 ChangeLog
--- a/ChangeLog Mon Mar 06 18:44:14 2017 -0800
+++ b/ChangeLog Tue Mar 07 09:39:25 2017 -0800
@@ -1,3 +1,6 @@
+6.52 2017-03-07
+ document dkim/spf processing
+
 6.51 2017-03-06
 parse spf txt records for required dkim signers
diff -r 619a4880a3bf -r a8cf6a3da907 NEWS
--- a/NEWS Mon Mar 06 18:44:14 2017 -0800
+++ b/NEWS Tue Mar 07 09:39:25 2017 -0800
@@ -1,3 +1,4 @@
+6.52 2017-03-07 document dkim/spf processing
 6.51 2017-03-06 parse spf txt records for required dkim signers
 6.50 2017-02-22 reject if dkim signer is listed on surbl
 6.49 2017-02-08 RHEL7 systemd and /var/run on tmpfs
diff -r 619a4880a3bf -r a8cf6a3da907 configure.in
--- a/configure.in Mon Mar 06 18:44:14 2017 -0800
+++ b/configure.in Tue Mar 07 09:39:25 2017 -0800
@@ -1,6 +1,6 @@
 AC_PREREQ(2.59)
-AC_INIT(dnsbl,6.51,carl@five-ten-sg.com)
+AC_INIT(dnsbl,6.52,carl@five-ten-sg.com)
 AC_CONFIG_SRCDIR([config.h.in])
 AC_CONFIG_HEADER([config.h])
 AC_CONFIG_MACRO_DIR([m4])
diff -r 619a4880a3bf -r a8cf6a3da907 dnsbl.spec.in
--- a/dnsbl.spec.in Mon Mar 06 18:44:14 2017 -0800
+++ b/dnsbl.spec.in Tue Mar 07 09:39:25 2017 -0800
@@ -3,7 +3,7 @@
 Summary: Sendmail milter for spam control
 Name: @PACKAGE@
 Version: @VERSION@
-Release: 2%{?dist}
+Release: 1%{?dist}
 License: GPLv3+
 Group: System Environment/Daemons
 Source: http://www.five-ten-sg.com/%{name}/packages/%{name}-%{version}.tar.gz
@@ -155,6 +155,9 @@
 %changelog
+* Tue Mar 07 2017 Carl Byington - 6.52-1
+- document dkim/spf processing.
+
 * Mon Mar 06 2017 Carl Byington - 6.51-2
 - parse spf txt records.
diff -r 619a4880a3bf -r a8cf6a3da907 src/context.cpp
--- a/src/context.cpp Mon Mar 06 18:44:14 2017 -0800
+++ b/src/context.cpp Tue Mar 07 09:39:25 2017 -0800
@@ -1204,6 +1204,13 @@
 return token_black;
 }
 }
+ if (st == token_signed_white) {
+ // not signed by a white signer, but maybe passes strong spf check
+ if (resolve_spf(from, priv->ip, priv)) {
+ log(queueid, "spf pass for %s rather than whitelisted dkim signer", from);
+ return token_white;
+ }
+ }
 if (st == token_require_signed) {
 // not signed by a required signer, but maybe passes strong spf check
 // only check spf if the list of required signers is not a single blank.
diff -r 619a4880a3bf -r a8cf6a3da907 xml/dnsbl.in
--- a/xml/dnsbl.in Mon Mar 06 18:44:14 2017 -0800
+++ b/xml/dnsbl.in Tue Mar 07 09:39:25 2017 -0800
@@ -25,7 +25,7 @@
- 2016-12-17 + 2017-03-07 Carl Byington
@@ -390,7 +390,10 @@
 If the answer is white, mail to this recipient is accepted and the dns - lists are not checked. + lists are not checked. However, if the envelope from domain name is + listed in the current filtering context (or parents) dkim_from with + "required_signed", + we downgrade this to white answer to unknown. If the answer is unknown, we don't reject yet, but the dns lists will be
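Review bot: The `return token_white` in the new `token_signed_white` branch grants a full whitelist on nothing more than `resolve_spf(from, priv->ip, priv)` returning true, so the strength of that whitelist is exactly the strength of the SPF record published by whatever domain `from` names (the documentation hunk calls this the header From domain, but `from` is defined outside this hunk). A domain that publishes a permissive policy such as `+all`, or whose DNS answers can be tampered with on the resolver path, would then whitelist any connecting host for that domain, and because this returns immediately, whatever checks follow in the enclosing function are skipped for that message. I would say so in the comment, e.g. `// not signed by a white signer; accept a strong spf pass for this from domain as equivalent proof of origin - trust is delegated entirely to that domain's published spf policy`, and confirm that the "strong" pass in resolve_spf really rejects catch-all mechanisms rather than reporting any pass. The branch also mirrors the `token_require_signed` block below it minus the single-blank guard, which appears deliberate for the documented `signed_white " "` idiom, so a one-line comment noting why the guard is absent here would prevent a future "fix" that adds it. The enclosing function begins and ends outside this hunk.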
@@ -457,6 +460,32 @@
 messages from being blocked by the dnsbl or content filtering. + If content filtering is enabled for this body, we look for dkim_signer + and dkim_from sections in the current context and parents. We collect the + signers of this message from the header added by the dkim-milter. If any + of the message signers are whitelisted, the message is accepted. + + If the header from domain maps to required_signed then: + If any of the message signers are in that list, the message is accepted. + If the source ip address passes a strong spf check for the header from + domain, the message is accepted. Otherwise, the message is rejected. + + If the header from domain maps to signed_white then: + If any of the message signers are in that list, the message is accepted. + If the source ip address passes a strong spf check for the header from + domain, the message is accepted. Otherwise, processing continues. + + If the header from domain maps to signed_black then: + If any of the message signers are in that list, the message is rejected. + Otherwise, processing continues. + + If any of the message signers is blacklisted, the message is rejected. + If content filtering is enabled for this body, the mail text is decoded (uuencode, base64, mime, html entity, url encodings), and scanned for HTTP and HTTPS URLs or bare host names. Hostnames must be either ip address
@@ -630,11 +659,6 @@
 http:// protocol header. Such references are still clickable in common mail software. - - Add spf to the white/black/unknown values in env_from blocks. This - results in whitelisting that envelope from value as long as the connection - is made from an ip address listed in the domain spf txt record. -
@@ -666,7 +690,7 @@
- 2016-12-17 + 2017-03-07 Carl Byington
@@ -837,13 +861,30 @@
 content on {
 dkim_signer {
+ #
+ # anything signed by this is accepted.
+ accounts.google.com white;
+ };
+ dkim_from {
+ #
+ # white/blacklisting based on presence of valid signatures
 credit.paypal.com require_signed credit.paypal.com;
 paypal.com require_signed paypal.com;
 dhl.com require_signed dhl.com;
 adp.com require_signed "adp.com,bmi.adp.com";
- };
- dkim_from {
- accounts.google.com white;
+ #
+ # blacklisting based on header from value - requiring signatures
+ # from an impossible signer.
+ spammer.domain require_signed " ";
+ #
+ # whitelisting based on strong spf pass - whitelisted if signed by
+ # an impossible signer (which will never happen) or strong spf pass.
+ some.domain signed_white " ";
+ #
+ # whitelisting based on valid signature or strong spf pass.
+ # some paychex mail is signed, some is unsigned but passes strong spf.
+ paychex.com require_signed paychex.com;
+ #
 };
 filter sbl-xbl.spamhaus.org "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
 uribl multi.surbl.org "Mail containing %s rejected - surbl; see http://www.surbl.org/surbl-analysis?d=%s";