changeset 395:a8cf6a3da907 stable-6-0-52

document dkim/spf processing
author Carl Byington <carl@five-ten-sg.com>
date Tue, 07 Mar 2017 09:39:25 -0800
parents 619a4880a3bf
children c889524e92e4
files ChangeLog NEWS configure.in dnsbl.spec.in src/context.cpp xml/dnsbl.in
diffstat 6 files changed, 68 insertions(+), 13 deletions(-) [+]
--- a/ChangeLog	Mon Mar 06 18:44:14 2017 -0800
+++ b/ChangeLog	Tue Mar 07 09:39:25 2017 -0800
@@ -1,3 +1,6 @@
+6.52 2017-03-07
+    document dkim/spf processing
+
 6.51 2017-03-06
     parse spf txt records for required dkim signers
 
--- a/NEWS	Mon Mar 06 18:44:14 2017 -0800
+++ b/NEWS	Tue Mar 07 09:39:25 2017 -0800
@@ -1,3 +1,4 @@
+6.52 2017-03-07 document dkim/spf processing
 6.51 2017-03-06 parse spf txt records for required dkim signers
 6.50 2017-02-22 reject if dkim signer is listed on surbl
 6.49 2017-02-08 RHEL7 systemd and /var/run on tmpfs
--- a/configure.in	Mon Mar 06 18:44:14 2017 -0800
+++ b/configure.in	Tue Mar 07 09:39:25 2017 -0800
@@ -1,6 +1,6 @@
 
 AC_PREREQ(2.59)
-AC_INIT(dnsbl,6.51,carl@five-ten-sg.com)
+AC_INIT(dnsbl,6.52,carl@five-ten-sg.com)
 AC_CONFIG_SRCDIR([config.h.in])
 AC_CONFIG_HEADER([config.h])
 AC_CONFIG_MACRO_DIR([m4])
--- a/dnsbl.spec.in	Mon Mar 06 18:44:14 2017 -0800
+++ b/dnsbl.spec.in	Tue Mar 07 09:39:25 2017 -0800
@@ -3,7 +3,7 @@
 Summary:            Sendmail milter for spam control
 Name:               @PACKAGE@
 Version:            @VERSION@
-Release:            2%{?dist}
+Release:            1%{?dist}
 License:            GPLv3+
 Group:              System Environment/Daemons
 Source:             http://www.five-ten-sg.com/%{name}/packages/%{name}-%{version}.tar.gz
@@ -155,6 +155,9 @@
 
 
 %changelog
+* Tue Mar 07 2017 Carl Byington <carl@five-ten-sg.com> - 6.52-1
+- document dkim/spf processing.
+
 * Mon Mar 06 2017 Carl Byington <carl@five-ten-sg.com> - 6.51-2
 - parse spf txt records.
 
--- a/src/context.cpp	Mon Mar 06 18:44:14 2017 -0800
+++ b/src/context.cpp	Tue Mar 07 09:39:25 2017 -0800
@@ -1204,6 +1204,13 @@
                 return token_black;
             }
         }
+        if (st == token_signed_white) {
+            // not signed by a white signer, but maybe passes strong spf check
+            if (resolve_spf(from, priv->ip, priv)) {
+                log(queueid, "spf pass for %s rather than whitelisted dkim signer", from);
+                return token_white;
+            }
+        }
         if (st == token_require_signed) {
             // not signed by a required signer, but maybe passes strong spf check
             // only check spf if the list of required signers is not a single blank.
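Review bot: The new `token_signed_white` branch reuses the "maybe passes strong spf check" wording of the `token_require_signed` branch without saying which identity is evaluated; `resolve_spf(from, priv->ip, priv)` consults the SPF record of the header From domain (the manual text in this same changeset states this), which a reader familiar with SPF would otherwise assume to be the envelope MAIL FROM identity that the removed env_from spf feature used. Suggest `// signed_white: not signed by a listed signer; accept anyway if the sending ip passes a strong spf check for the header From domain (not the envelope from)`. Unlike the `token_require_signed` branch, this one has no guard for a signer list that is a single blank; that looks intentional given the `some.domain signed_white " "` example in the config documentation, so a one-line comment such as `// a " " signer list is the documented way to whitelist purely on spf, so no blank-list guard here` would keep a later maintainer from "fixing" it. The enclosing function starts and ends outside this hunk.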
--- a/xml/dnsbl.in	Mon Mar 06 18:44:14 2017 -0800
+++ b/xml/dnsbl.in	Tue Mar 07 09:39:25 2017 -0800
@@ -25,7 +25,7 @@
 
     <refentry id="@PACKAGE@.1">
         <refentryinfo>
-            <date>2016-12-17</date>
+            <date>2017-03-07</date>
             <author>
                 <firstname>Carl</firstname>
                 <surname>Byington</surname>
@@ -390,7 +390,10 @@
                 </para></listitem>
                 <listitem><para>
                     If the answer is white, mail to this recipient is accepted and the dns
-                    lists are not checked.
+                    lists are not checked. However, if the envelope from domain name is
+                    listed in the current filtering context (or parents) dkim_from with
+                    "required_signed",
+                    we downgrade this to white answer to unknown.
                 </para></listitem>
                 <listitem><para>
                     If the answer is unknown, we don't reject yet, but the dns lists will be
@@ -457,6 +460,32 @@
                 messages from being blocked by the dnsbl or content filtering.
             </para>
             <para>
+                If content filtering is enabled for this body, we look for dkim_signer
+                and dkim_from sections in the current context and parents. We collect the
+                signers of this message from the header added by the dkim-milter. If any
+                of the message signers are whitelisted, the message is accepted.
+            </para>
+            <para>
+                If the header from domain maps to required_signed then:
+                If any of the message signers are in that list, the message is accepted.
+                If the source ip address passes a strong spf check for the header from
+                domain, the message is accepted. Otherwise, the message is rejected.
+            </para>
+            <para>
+                If the header from domain maps to signed_white then:
+                If any of the message signers are in that list, the message is accepted.
+                If the source ip address passes a strong spf check for the header from
+                domain, the message is accepted. Otherwise, processing continues.
+            </para>
+            <para>
+                If the header from domain maps to signed_black then:
+                If any of the message signers are in that list, the message is rejected.
+                Otherwise, processing continues.
+            </para>
+            <para>
+                If any of the message signers is blacklisted, the message is rejected.
+            </para>
+            <para>
                 If content filtering is enabled for this body, the mail text is decoded
                 (uuencode, base64, mime, html entity, url encodings), and scanned for HTTP
                 and HTTPS URLs or bare host names.  Hostnames must be either ip address
@@ -630,11 +659,6 @@
                 http:// protocol header. Such references are still clickable in common
                 mail software.
             </para>
-            <para>
-                Add spf to the white/black/unknown values in env_from blocks. This
-                results in whitelisting that envelope from value as long as the connection
-                is made from an ip address listed in the domain spf txt record.
-            </para>
         </refsect1>
 
         <refsect1 id='copyright.1'>
@@ -666,7 +690,7 @@
 
     <refentry id="@PACKAGE@.conf.5">
         <refentryinfo>
-            <date>2016-12-17</date>
+            <date>2017-03-07</date>
             <author>
                 <firstname>Carl</firstname>
                 <surname>Byington</surname>
@@ -837,13 +861,30 @@
 
     content on {
         dkim_signer {
+            #
+            # anything signed by this is accepted.
+            accounts.google.com     white;
+        };
+        dkim_from {
+            #
+            # white/blacklisting based on presence of valid signatures
             credit.paypal.com   require_signed  credit.paypal.com;
             paypal.com          require_signed  paypal.com;
             dhl.com             require_signed  dhl.com;
             adp.com             require_signed  "adp.com,bmi.adp.com";
-        };
-        dkim_from {
-            accounts.google.com     white;
+            #
+            # blacklisting based on header from value - requiring signatures
+            # from an impossible signer.
+            spammer.domain      require_signed  " ";
+            #
+            # whitelisting based on strong spf pass - whitelisted if signed by
+            # an impossible signer (which will never happen) or strong spf pass.
+            some.domain         signed_white    " ";
+            #
+            # whitelisting based on valid signature or strong spf pass.
+            # some paychex mail is signed, some is unsigned but passes strong spf.
+            paychex.com         require_signed  paychex.com;
+            #
         };
         filter    sbl-xbl.spamhaus.org        "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
         uribl     multi.surbl.org             "Mail containing %s rejected - surbl; see http://www.surbl.org/surbl-analysis?d=%s";