changeset 330:b5b93a7e1e6d

ignore envelope-from based whitelisting if we have a dkim require_signed requirement for that domain
author Carl Byington <carl@five-ten-sg.com>
date Mon, 19 Dec 2016 12:05:06 -0800
parents c9932c4d8053
children 9800776436b9
files dnsbl.conf src/context.cpp src/dnsbl.cpp
diffstat 3 files changed, 37 insertions(+), 9 deletions(-) [+]
--- a/dnsbl.conf	Mon Dec 19 08:29:16 2016 -0800
+++ b/dnsbl.conf	Mon Dec 19 12:05:06 2016 -0800
@@ -54,14 +54,30 @@
 
     content on {
         dkim_signer {
-            sendgrid.me     black;
-            weather.com     white;
+            // we could add consumer facing domains like yahoo.com, aol.com, etc
+            // here, IF you really want to accept all the mail from such folks.
+            five-ten-sg.com         white;
+            some.spammer            black;      // reject if signed by them
         };
 
         dkim_from {
-            yahoo.com        require_signed   yahoo.com;
-            gmail.com        signed_white     gmail.com;
-            girlscoutsla.org signed_white     girlscoutsla.ccsend.com;
+            // cannot really add consumer facing domains like yahoo.com, aol.com, etc
+            // here, since such messages from humans might be sent via mailing lists
+            // that will break the dkim signature. But this works well for commonly
+            // forged bulk senders like ebay and paypal.
+            some.spammer                require_signed  some.spammer    // reject if not signed
+
+            billpay.bankofamerica.com   require_signed  billpay.bankofamerica.com;
+            ealerts.bankofamerica.com   require_signed  ealerts.bankofamerica.com;
+            ebay.com                    require_signed  ebay.com;
+            facebookmail.com            require_signed  facebookmail.com;
+            healthcare.gov              require_signed  healthcare.gov;
+            linkedin.com                require_signed  linkedin.com;
+            paypal.com                  require_signed  paypal.com;
+            service.capitalone.com      require_signed  capitalone.com;
+            support.facebook.com        require_signed  support.facebook.com;
+            ups.com                     require_signed  ups.com;
+            wellsfargo.com              require_signed  wellsfargo.com;
         };
         filter    sbl-xbl.spamhaus.org        "Mail containing %s rejected - sbl; see http://www.spamhaus.org/query/bl?ip=%s";
         uribl     multi.surbl.org             "Mail containing %s rejected - surbl; see http://www.surbl.org/surbl-analysis?d=%s";
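Review bot: The new `some.spammer require_signed some.spammer` entry at the top of the dkim_from block is missing the terminating `;` that every other entry in both blocks carries (compare `some.spammer black;` in dkim_signer and `billpay.bankofamerica.com ... ;` directly below), so this sample will not parse the way its neighbours do unless the config parser tolerates a missing terminator, which cannot be seen from here. Change it to `some.spammer require_signed some.spammer; // reject if not signed`. It would also help to add a one-line comment on `service.capitalone.com require_signed capitalone.com` noting that the signer domain intentionally differs from the From domain, since every other entry repeats the same name on both sides and a reader may take the odd one out for a typo.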
--- a/src/context.cpp	Mon Dec 19 08:29:16 2016 -0800
+++ b/src/context.cpp	Mon Dec 19 12:05:06 2016 -0800
@@ -1100,10 +1100,12 @@
 
 
 void CONTEXT::log(const char *queueid, const char *msg, const char *v) {
+    if (debug_syslog > 1) {
     char buf[maxlen];
     snprintf(buf, maxlen, msg, v);
     my_syslog(queueid, buf);
 }
+}
 
 
 bool CONTEXT::acceptable_content(recorder &memory, int score, int bulk, const char *queueid, string_set &signers, const char *from, string& msg) {
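Review bot: The body of CONTEXT::log is now wrapped in `if (debug_syslog > 1)` but was not re-indented, so the original closing `}` now closes the `if` and the added `}` closes the function, and the hunk reads as a function whose body ends one brace early. Either indent the three statements one level deeper, or keep the body flat with an early return, `if (debug_syslog <= 1) return;`, which also keeps the diff to one added line. Separately, `snprintf(buf, maxlen, msg, v)` uses `msg` as the format string with exactly one argument; that is pre-existing, but it means every caller must pass a trusted format with a single `%s`, and since the sample config's filter/uribl messages contain two `%s` it is worth confirming that none of that text reaches this function (the callers are not visible in this hunk).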
--- a/src/dnsbl.cpp	Mon Dec 19 08:29:16 2016 -0800
+++ b/src/dnsbl.cpp	Mon Dec 19 12:05:06 2016 -0800
@@ -1292,7 +1292,17 @@
         st = black;
     }
     else if ((fromvalue == token_white) && !self) {
-        st = white;
+        // whitelisting based on envelope from value, but ignore it if
+        // we have a dkim requirement for that domain.
+        const char *domain = strchr(priv.mailaddr, '@');
+        if (domain) {
+            DKIMP dk = con.find_dkim_from(domain);
+            if (dk && (dk->action == token_require_signed)) {
+                my_syslog(&priv, "dkim require_signed overrides envelope from whitelist");
+            }
+            else st = white;
+        }
+        else st = white;    // might be <>, envelope from has no @
     }
     else {
         // check the dns based lists, whitelist first
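Review bot: `domain` is the pointer returned by `strchr(priv.mailaddr, '@')`, so the string handed to `con.find_dkim_from(domain)` still begins with the `@`; unless that helper skips a leading `@` (it is not visible here), it will never match keys such as `paypal.com` from the dkim_from table, the override never fires, and `st = white` is set exactly as before the change. Pass `domain + 1` inside the `if (domain)` branch instead, and consider including the domain in the syslog message so the override can be traced from the log. Note also that the override keys only on the envelope-from domain: a message whose envelope from is some other whitelisted domain and whose header From is a require_signed domain still gets `st = white` here, which is fine if the later dkim_from check is what enforces that, but the comment should say so. The enclosing function starts before and continues past this hunk.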