changeset 458:6c1c2bd9fb54 stable-6-0-73
ignore dnswl entries if the sender is <>
author | Carl Byington <carl@five-ten-sg.com> |
---|---|
date | Tue, 18 Sep 2018 09:49:21 -0700 |
parents | 0199965a71eb |
children | e2c09e0c4784 |
files | ChangeLog NEWS configure.in dnsbl.spec.in src/dnsbl.cpp xml/dnsbl.in |
diffstat | 6 files changed, 34 insertions(+), 20 deletions(-) [+] |
--- a/ChangeLog Wed Jun 06 07:33:44 2018 -0700 +++ b/ChangeLog Tue Sep 18 09:49:21 2018 -0700 @@ -1,3 +1,7 @@ +6.73 2018-09-18 + ignore dnswl entries if the sender is <> + allow autowhite of recipients with local parts up to 35 characters. + 6.72 2018-06-06 add unsigned_black for enforcement of dmarc policy.
--- a/NEWS Wed Jun 06 07:33:44 2018 -0700 +++ b/NEWS Tue Sep 18 09:49:21 2018 -0700 @@ -1,3 +1,4 @@ +6.73 2018-09-18 ignore dnswl entries if the sender is <> 6.72 2018-06-06 add unsigned_black for enforcement of dmarc policy 6.69 2018-04-10 fix spf mx:domain.tld token parsing 6.68 2018-02-19 round spamassassin scores; check >= rather than >
--- a/configure.in Wed Jun 06 07:33:44 2018 -0700 +++ b/configure.in Tue Sep 18 09:49:21 2018 -0700 @@ -1,6 +1,6 @@ AC_PREREQ(2.59) -AC_INIT(dnsbl,6.72,carl@five-ten-sg.com) +AC_INIT(dnsbl,6.73,carl@five-ten-sg.com) AC_CONFIG_SRCDIR([config.h.in]) AC_CONFIG_HEADER([config.h]) AC_CONFIG_MACRO_DIR([m4])
--- a/dnsbl.spec.in Wed Jun 06 07:33:44 2018 -0700 +++ b/dnsbl.spec.in Tue Sep 18 09:49:21 2018 -0700 @@ -17,15 +17,12 @@ Requires(preun): /sbin/chkconfig Requires(post): /sbin/service Requires(preun): /sbin/service -BuildRequires: sendmail-devel >= 8.12.1 -BuildRequires: spamassassin -BuildRequires: glibc-devel -%if "%{?dist}" == ".el6" -BuildRequires: glibc-static -%endif Requires: sendmail >= 8.12.1 Requires: sendmail-cf Requires: spamassassin, dcc +BuildRequires: sendmail-devel >= 8.12.1 +BuildRequires: spamassassin +BuildRequires: glibc-devel, glibc-static %if "%{?dist}" == ".el7" Requires(pre): systemd-sysv, shadow-utils Requires(post): systemd-units @@ -34,7 +31,6 @@ Requires: coreutils Requires: systemd-units BuildRequires: systemd-units -BuildRequires: glibc-static %endif @@ -155,6 +151,10 @@ %changelog +* Tue Sep 18 2018 Carl Byington <carl@five-ten-sg.com> - 6.73-1 +- ignore dnswl entries if the sender is <> +- allow autowhite of recipients with local parts up to 35 characters. + * Wed Jun 06 2018 Carl Byington <carl@five-ten-sg.com> - 6.72-1 - add unsigned_black for enforcement of dmarc policy
--- a/src/dnsbl.cpp Wed Jun 06 07:33:44 2018 -0700 +++ b/src/dnsbl.cpp Tue Sep 18 09:49:21 2018 -0700 @@ -1435,8 +1435,8 @@ else st = white; // might be <>, envelope from has no @ } - if ((st == oksofar) || (st == whitesofar)) { - // check the dns based whitelists + if (((st == oksofar) || (st == whitesofar)) && (strcmp(priv.mailaddr, "<>") != 0)) { + // check the dns based whitelists if the sender was not empty DNSWLP acceptlist = NULL; // list that caused the whitelisting if (check_dnswl(priv, con.get_dnswl_list(), acceptlist)) { st = white; @@ -1520,7 +1520,7 @@ WHITELISTERP w = con2.find_autowhite(loto, priv.mailaddr); // check if local part is too big - const int max_local_size = 30; + const int max_local_size = 35; const char *p = strchr(loto, '@'); int len = (p) ? p-loto : max_local_size; if (len >= max_local_size) w = NULL; // too big, pretend we don't have a whitelister
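Review bot: The added `strcmp(priv.mailaddr, "<>") != 0` test in the dnswl condition matches only the exact two-character string, so it depends on how priv.mailaddr is stored when the envelope sender is received, which this hunk does not show. The context comment `// might be <>, envelope from has no @` suggests "<>" is the stored form. If the empty sender can also be stored as an empty string or with surrounding whitespace, such a message would still reach check_dnswl() and be whitelisted; and if the pointer can ever be NULL, the strcmp call is undefined. I would move the test into a small named predicate and have the comment state the reason, presumably something like `// null-sender mail (bounces/DSNs) is not accepted on the sending host's DNSWL listing alone`. The enclosing function starts and ends outside the hunk.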
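Review bot: The size test below the changed constant is still `if (len >= max_local_size) w = NULL;`, so with `max_local_size = 35` a 35-character local part is refused and the longest one that gets autowhitelisted is 34. That agrees with the manual text in xml/dnsbl.in ("shorter than 35 characters") but not with the ChangeLog and dnsbl.spec.in entries ("up to 35 characters"). Either reword those entries, or, if 35 is meant to be accepted, change the test to `if (len > max_local_size) w = NULL;` and the fallback to `int len = (p) ? p-loto : max_local_size+1;` so an address without '@' is still refused. A one-line comment saying whether the bound is inclusive would stop the next bump from repeating the mismatch. The surrounding function is only partly visible in this hunk.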
--- a/xml/dnsbl.in Wed Jun 06 07:33:44 2018 -0700 +++ b/xml/dnsbl.in Tue Sep 18 09:49:21 2018 -0700 @@ -25,7 +25,7 @@ <refentry id="@PACKAGE@.1"> <refentryinfo> - <date>2018-06-04</date> + <date>2018-09-18</date> <author> <firstname>Carl</firstname> <surname>Byington</surname> @@ -391,11 +391,10 @@ </para></listitem> <listitem><para> If the answer is white, the mail is not from localhost, - and the envelope from domain name is - listed in the current (or parents) filtering contexts dkim_from with - "required_signed" or "unsigned_black", we downgrade this white answer to unknown. - If the answer is still white, mail to this recipient is accepted and the dns - lists are not checked. + and the envelope from domain name is listed in the current (or parents) + filtering contexts dkim_from with "required_signed" or "unsigned_black", + we downgrade this white answer to unknown. If the answer is still white, + mail to this recipient is accepted and the dns lists are not checked. </para></listitem> <listitem><para> If the answer is unknown, we don't reject yet, but the dns lists will be @@ -413,7 +412,8 @@ expression. </para></listitem> <listitem><para> - If the mail has not been accepted or rejected yet, the dns white lists + If the mail has not been accepted or rejected yet, and the envelope from + email address is not empty, the dns white lists specified in the filtering context are checked and the mail is accepted if any list has an A record for the standard dns based lookup scheme (reversed octets of the client followed by the dns suffix) with a final @@ -458,6 +458,7 @@ <para> For each recipient that was accepted, we search for an autowhite entry starting in the reply filtering context. If an autowhite entry is found, + and the local part of the recipient address is shorter than 35 characters, we add the recipient to that auto whitelist file. This will prevent reply messages from being blocked by the dnsbl or content filtering. </para> 
@@ -494,6 +495,7 @@ If any of the message signers are in that list, or if the source ip address passes a strong spf check for the header from domain, processing continues. Otherwise, the message is rejected. + This is very close to enforcing DMARC for the header from domain. </para> <para> If any of the message signers are blacklisted, the message is rejected. @@ -785,7 +787,7 @@ <refentry id="@PACKAGE@.conf.5"> <refentryinfo> - <date>2018-06-04</date> + <date>2018-09-18</date> <author> <firstname>Carl</firstname> <surname>Byington</surname> @@ -963,6 +965,13 @@ }; dkim_from { # + # dmarc enforcement + aim.com unsigned_black "aim.com,mx.aim.com"; + aol.com unsigned_black "aol.com,mx.aol.com"; + yahoo.co.uk unsigned_black yahoo.co.uk; + yahoo.com unsigned_black yahoo.com; + yahoo.in unsigned_black yahoo.in; + # # white/blacklisting based on presence of valid signatures credit.paypal.com require_signed credit.paypal.com; paypal.com require_signed paypal.com;