changeset 458:6c1c2bd9fb54 stable-6-0-73

ignore dnswl entries if the sender is <>
author Carl Byington <carl@five-ten-sg.com>
date Tue, 18 Sep 2018 09:49:21 -0700
parents 0199965a71eb
children e2c09e0c4784
files ChangeLog NEWS configure.in dnsbl.spec.in src/dnsbl.cpp xml/dnsbl.in
diffstat 6 files changed, 34 insertions(+), 20 deletions(-) [+]
--- a/ChangeLog	Wed Jun 06 07:33:44 2018 -0700
+++ b/ChangeLog	Tue Sep 18 09:49:21 2018 -0700
@@ -1,3 +1,7 @@
+6.73 2018-09-18
+    ignore dnswl entries if the sender is <>
+    allow autowhite of recipients with local parts up to 35 characters.
+
 6.72 2018-06-06
     add unsigned_black for enforcement of dmarc policy.
 
--- a/NEWS	Wed Jun 06 07:33:44 2018 -0700
+++ b/NEWS	Tue Sep 18 09:49:21 2018 -0700
@@ -1,3 +1,4 @@
+6.73 2018-09-18 ignore dnswl entries if the sender is <>
 6.72 2018-06-06 add unsigned_black for enforcement of dmarc policy
 6.69 2018-04-10 fix spf mx:domain.tld token parsing
 6.68 2018-02-19 round spamassassin scores; check >= rather than >
--- a/configure.in	Wed Jun 06 07:33:44 2018 -0700
+++ b/configure.in	Tue Sep 18 09:49:21 2018 -0700
@@ -1,6 +1,6 @@
 
 AC_PREREQ(2.59)
-AC_INIT(dnsbl,6.72,carl@five-ten-sg.com)
+AC_INIT(dnsbl,6.73,carl@five-ten-sg.com)
 AC_CONFIG_SRCDIR([config.h.in])
 AC_CONFIG_HEADER([config.h])
 AC_CONFIG_MACRO_DIR([m4])
--- a/dnsbl.spec.in	Wed Jun 06 07:33:44 2018 -0700
+++ b/dnsbl.spec.in	Tue Sep 18 09:49:21 2018 -0700
@@ -17,15 +17,12 @@
 Requires(preun):    /sbin/chkconfig
 Requires(post):     /sbin/service
 Requires(preun):    /sbin/service
-BuildRequires:      sendmail-devel >= 8.12.1
-BuildRequires:      spamassassin
-BuildRequires:      glibc-devel
-%if "%{?dist}" == ".el6"
-BuildRequires:          glibc-static
-%endif
 Requires:               sendmail >= 8.12.1
 Requires:               sendmail-cf
 Requires:               spamassassin, dcc
+BuildRequires:      sendmail-devel >= 8.12.1
+BuildRequires:      spamassassin
+BuildRequires:      glibc-devel, glibc-static
 %if "%{?dist}" == ".el7"
 Requires(pre):  systemd-sysv, shadow-utils
 Requires(post): systemd-units
@@ -34,7 +31,6 @@
 Requires:       coreutils
 Requires:       systemd-units
 BuildRequires:  systemd-units
-BuildRequires:  glibc-static
 %endif
 
 
@@ -155,6 +151,10 @@
 
 
 %changelog
+* Tue Sep 18 2018 Carl Byington <carl@five-ten-sg.com> - 6.73-1
+- ignore dnswl entries if the sender is <>
+- allow autowhite of recipients with local parts up to 35 characters.
+
 * Wed Jun 06 2018 Carl Byington <carl@five-ten-sg.com> - 6.72-1
 - add unsigned_black for enforcement of dmarc policy
 
--- a/src/dnsbl.cpp	Wed Jun 06 07:33:44 2018 -0700
+++ b/src/dnsbl.cpp	Tue Sep 18 09:49:21 2018 -0700
@@ -1435,8 +1435,8 @@
         else st = white;    // might be <>, envelope from has no @
     }
 
-    if ((st == oksofar) || (st == whitesofar)) {
-        // check the dns based whitelists
+    if (((st == oksofar) || (st == whitesofar)) && (strcmp(priv.mailaddr, "<>") != 0)) {
+        // check the dns based whitelists if the sender was not empty
         DNSWLP acceptlist = NULL;   // list that caused the whitelisting
         if (check_dnswl(priv, con.get_dnswl_list(), acceptlist)) {
             st = white;
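Review bot: The new guard in the `if` condition relies on the null sender reaching this point as exactly the literal `<>`; whether `priv.mailaddr` keeps the angle brackets or is reduced to an empty string is decided by code outside this hunk, and a mismatch would silently re-enable the dns whitelist check for the null sender. If the stored form is not certain, testing both spellings is cheap: `(strcmp(priv.mailaddr, "<>") != 0) && (priv.mailaddr[0] != '\0')`. The rewritten comment should also say why the null sender is excluded, presumably so that a dnswl-listed client cannot have bounce-style mail skip the remaining checks, e.g. `// null sender (<>) never gets the dns whitelist benefit; confirm mailaddr keeps the <> form`. The enclosing function starts and ends outside the hunk.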
@@ -1520,7 +1520,7 @@
     WHITELISTERP w = con2.find_autowhite(loto, priv.mailaddr);
 
     // check if local part is too big
-    const int max_local_size = 30;
+    const int max_local_size = 35;
     const char *p = strchr(loto, '@');
     int len = (p) ? p-loto : max_local_size;
     if (len >= max_local_size) w = NULL;    // too big, pretend we don't have a whitelister
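Review bot: The bound is exclusive, so with `if (len >= max_local_size) w = NULL;` a local part of exactly 35 characters still clears the whitelister, which contradicts the ChangeLog and spec changelog wording "local parts up to 35 characters"; the xml text "shorter than 35 characters" matches the code. Either change the test to `if (len > max_local_size) w = NULL;` or reword the changelog entries so the three agree. The fallback `int len = (p) ? p-loto : max_local_size;` also narrows a pointer difference to `int`, harmless here but `size_t` would fit `strchr` better. The enclosing function starts and ends outside the hunk.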
--- a/xml/dnsbl.in	Wed Jun 06 07:33:44 2018 -0700
+++ b/xml/dnsbl.in	Tue Sep 18 09:49:21 2018 -0700
@@ -25,7 +25,7 @@
 
     <refentry id="@PACKAGE@.1">
         <refentryinfo>
-            <date>2018-06-04</date>
+            <date>2018-09-18</date>
             <author>
                 <firstname>Carl</firstname>
                 <surname>Byington</surname>
@@ -391,11 +391,10 @@
                 </para></listitem>
                 <listitem><para>
                     If the answer is white, the mail is not from localhost,
-                    and the envelope from domain name is
-                    listed in the current (or parents) filtering contexts dkim_from with
-                    "required_signed" or "unsigned_black", we downgrade this white answer to unknown.
-                    If the answer is still white, mail to this recipient is accepted and the dns
-                    lists are not checked.
+                    and the envelope from domain name is listed in the current (or parents)
+                    filtering contexts dkim_from with "required_signed" or "unsigned_black",
+                    we downgrade this white answer to unknown. If the answer is still white,
+                    mail to this recipient is accepted and the dns lists are not checked.
                 </para></listitem>
                 <listitem><para>
                     If the answer is unknown, we don't reject yet, but the dns lists will be
@@ -413,7 +412,8 @@
                     expression.
                 </para></listitem>
                 <listitem><para>
-                    If the mail has not been accepted or rejected yet, the dns white lists
+                    If the mail has not been accepted or rejected yet, and the envelope from
+                    email address is not empty, the dns white lists
                     specified in the filtering context are checked and the mail is accepted
                     if any list has an A record for the standard dns based lookup scheme
                     (reversed octets of the client followed by the dns suffix) with a final
@@ -458,6 +458,7 @@
             <para>
                 For each recipient that was accepted, we search for an autowhite entry
                 starting in the reply filtering context. If an autowhite entry is found,
+                and the local part of the recipient address is shorter than 35 characters,
                 we add the recipient to that auto whitelist file. This will prevent reply
                 messages from being blocked by the dnsbl or content filtering.
             </para>
@@ -494,6 +495,7 @@
                 If any of the message signers are in that list, or if
                 the source ip address passes a strong spf check for the header from
                 domain, processing continues. Otherwise, the message is rejected.
+                This is very close to enforcing DMARC for the header from domain.
             </para>
             <para>
                 If any of the message signers are blacklisted, the message is rejected.
@@ -785,7 +787,7 @@
 
     <refentry id="@PACKAGE@.conf.5">
         <refentryinfo>
-            <date>2018-06-04</date>
+            <date>2018-09-18</date>
             <author>
                 <firstname>Carl</firstname>
                 <surname>Byington</surname>
@@ -963,6 +965,13 @@
         };
         dkim_from {
             #
+            # dmarc enforcement
+            aim.com             unsigned_black  "aim.com,mx.aim.com";
+            aol.com             unsigned_black  "aol.com,mx.aol.com";
+            yahoo.co.uk         unsigned_black  yahoo.co.uk;
+            yahoo.com           unsigned_black  yahoo.com;
+            yahoo.in            unsigned_black  yahoo.in;
+            #
             # white/blacklisting based on presence of valid signatures
             credit.paypal.com   require_signed  credit.paypal.com;
             paypal.com          require_signed  paypal.com;