changeset 436:7b072e16bd69 stable-6-0-64

fix syslog for long messages, suppress dkim checks for mail from localhost
author Carl Byington <carl@five-ten-sg.com>
date Fri, 03 Nov 2017 09:57:13 -0700
parents afd10321eb70
children f084285ceb52
files ChangeLog NEWS configure.in dnsbl.spec.in src/context.cpp src/context.h src/dnsbl.cpp xml/dnsbl.in
diffstat 8 files changed, 107 insertions(+), 76 deletions(-) [+]
--- a/ChangeLog	Tue Oct 24 09:17:10 2017 -0700
+++ b/ChangeLog	Fri Nov 03 09:57:13 2017 -0700
@@ -1,3 +1,7 @@
+6.64 2017-11-03
+    fix syslog for long messages
+    supress dkim checks for mail from localhost
+
 6.63 2017-10-24
     allow syslogging of long txt records
 
--- a/NEWS	Tue Oct 24 09:17:10 2017 -0700
+++ b/NEWS	Fri Nov 03 09:57:13 2017 -0700
@@ -1,3 +1,4 @@
+6.64 2017-11-03 fix syslog for long messages, supress dkim checks for mail from localhost
 6.63 2017-10-24 allow syslogging of long txt records
 6.62 2017-10-03 include arpa/nameser.h earlier
 6.61 2017-10-02 allow 4000 byte spf txt records
--- a/configure.in	Tue Oct 24 09:17:10 2017 -0700
+++ b/configure.in	Fri Nov 03 09:57:13 2017 -0700
@@ -1,6 +1,6 @@
 
 AC_PREREQ(2.59)
-AC_INIT(dnsbl,6.63,carl@five-ten-sg.com)
+AC_INIT(dnsbl,6.64,carl@five-ten-sg.com)
 AC_CONFIG_SRCDIR([config.h.in])
 AC_CONFIG_HEADER([config.h])
 AC_CONFIG_MACRO_DIR([m4])
--- a/dnsbl.spec.in	Tue Oct 24 09:17:10 2017 -0700
+++ b/dnsbl.spec.in	Fri Nov 03 09:57:13 2017 -0700
@@ -155,6 +155,10 @@
 
 
 %changelog
+* Fri Nov 03 2017 Carl Byington <carl@five-ten-sg.com> - 6.64-1
+- fix syslog for long messages
+- supress dkim checks for mail from localhost
+
 * Tue Oct 24 2017 Carl Byington <carl@five-ten-sg.com> - 6.63-1
 - allow syslogging of long txt records
 
--- a/src/context.cpp	Tue Oct 24 09:17:10 2017 -0700
+++ b/src/context.cpp	Fri Nov 03 09:57:13 2017 -0700
@@ -1305,7 +1305,8 @@
 }
 
 
-const char *CONTEXT::acceptable_content(recorder &memory, int score, int bulk, const char *queueid, string_set &signers, const char *from, mlfiPriv *priv, string& msg) {
+const char *CONTEXT::acceptable_content(bool local_source, recorder &memory, int score, int bulk, const char *queueid, string_set &signers, const char *from, mlfiPriv *priv, string& msg) {
+    if (!local_source) {
     for (string_set::iterator s=signers.begin(); s!=signers.end(); s++) {
         const char *st = find_dkim_signer(*s);
         // signed by a white listed signer
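Review bot: The new `local_source` parameter has no comment saying when callers set it or what it disables, and the added `if (!local_source) {` wraps the signer loop without re-indenting it, so the extra nesting is invisible until the matching brace in a later hunk. A short header comment above the function would help: `// local_source: connection came from loopback; the dkim signer/from checks below are skipped because such mail is never dkim signed, so a local sender is trusted unconditionally here`. Either re-indent the wrapped block or tag the closing brace, e.g. `}  // if (!local_source)`. acceptable_content's body continues outside the hunk.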
@@ -1324,7 +1325,7 @@
                 log(queueid, "whitelisted dkim signer %s", *s);
                 return token_white;
             }
-            // signed by the required signer
+                // signed by a required signer
             if ((st == token_require_signed) && in_signing_set(*s,dk->signer)) {
                 log(queueid, "required dkim signer %s", *s);
                 return token_white;
@@ -1338,7 +1339,7 @@
             }
         }
         if (st == token_signed_white) {
-            // not signed by a white signer, but maybe passes strong spf check
+                // not signed by a white listed signer, but maybe passes strong spf check
             if (resolve_spf(from, ntohl(priv->ip), priv)) {
                 log(queueid, "spf pass for %s rather than whitelisted dkim signer", from);
                 return token_white;
@@ -1370,6 +1371,7 @@
             return token_black;
         }
     }
+    }
 
     if (spamassassin_limit && (score > spamassassin_limit)) {
         char buf[maxlen];
--- a/src/context.h	Tue Oct 24 09:17:10 2017 -0700
+++ b/src/context.h	Fri Nov 03 09:57:13 2017 -0700
@@ -326,7 +326,7 @@
     void        replace(char *buf, char *p, const char *what);
     bool        resolve_spf(const char *from, uint32_t ip, mlfiPriv *priv);
     bool        resolve_one_spf(const char *from, uint32_t ip, mlfiPriv *priv, int level = 0);
-    const char *acceptable_content(recorder &memory, int score, int bulk, const char *queueid, string_set &signers, const char *from, mlfiPriv *priv, string& msg);
+    const char *acceptable_content(bool local_source, recorder &memory, int score, int bulk, const char *queueid, string_set &signers, const char *from, mlfiPriv *priv, string& msg);
     bool        ignore_host(const char *host);
 
     void        dump(bool isdefault, bool &spamass, int level = 0);
--- a/src/dnsbl.cpp	Tue Oct 24 09:17:10 2017 -0700
+++ b/src/dnsbl.cpp	Fri Nov 03 09:57:13 2017 -0700
@@ -849,23 +849,35 @@
 // syslog a message
 //
 void my_syslog(const char *queueid, const char *text) {
-    char buf[maxlen];
-    if (queueid && queueid[0]) {
+    const char* noqueue = "NOQUEUE";
+    if (!queueid || !queueid[0]) queueid = noqueue;
+
+    const int syslogmaxlen = 400;  // buffer size
+    char buf[syslogmaxlen];
+    snprintf(buf, sizeof(buf), "%s: ", queueid);
+    size_t hdrlen = strlen(buf);
+    const size_t maxsegment = syslogmaxlen - hdrlen - 1;
+    size_t msglen = strlen(text);
+    while (msglen > 0) {
         snprintf(buf, sizeof(buf), "%s: %s", queueid, text);
-        text = buf;
-    }
     if (use_syslog) {
         pthread_mutex_lock(&syslog_mutex);
             if (!syslog_opened) {
                 openlog("dnsbl", LOG_PID, LOG_MAIL);
                 syslog_opened = true;
             }
-            syslog(LOG_NOTICE, "%s", text);
+                syslog(LOG_NOTICE, "%s", buf);
         pthread_mutex_unlock(&syslog_mutex);
     }
     else {
-        printf("%s \n", text);
+            printf("%s \n", buf);
     }
+        size_t segmentlen = min(msglen, maxsegment);
+        text   += segmentlen;
+        msglen -= segmentlen;
+        // assert(msglen == strlen(text))
+    }
+
 }
 
 void my_syslog(mlfiPriv *priv, const char *text) {
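Review bot: The splitting loop can spin forever when the queue id alone fills the buffer: with `hdrlen` at 399 (a queueid of roughly 397 or more characters), `maxsegment` is 0, `segmentlen` is 0 and `msglen` never decreases. Sendmail queue ids are short so this is unlikely in practice, but a one-line guard at the end of the loop body closes it: `if (segmentlen == 0) break;  // header alone filled the buffer`. Two smaller behaviour changes deserve a comment or a tweak: an empty `text` now logs nothing where the old code still emitted the `queueid: ` line, and a segment boundary may fall inside a multi-byte UTF-8 sequence with no marker telling a log reader that consecutive `queueid:` lines are pieces of one message. The function should also document that `text` must be non-NULL, since `strlen(text)` is now called unconditionally.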
@@ -1408,7 +1420,7 @@
         // whitelisting based on envelope from value, but ignore it if
         // we have a dkim requirement for the original domain
         const char *domain = strchr(priv.origaddr, '@');
-        if (domain) {
+        if (domain && !local_source) {
             DKIMP dk = con.find_dkim_from(domain+1);
             if (dk && (dk->action == token_require_signed)) {
                 my_syslog(&priv, "dkim require_signed overrides envelope from whitelist");
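Review bot: `local_source` is used on the changed line but no hunk in this diff declares it in this function; the only visible definition is the one added near line 1731, which appears to be a separate routine (the end-of-message path), so presumably an existing local here. It is worth confirming that it is computed the same way (first octet of `priv.ip` equal to 127), otherwise the envelope-from whitelist override and the content checks would disagree on what counts as local mail. The enclosing function starts and ends outside the hunk.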
@@ -1716,6 +1728,8 @@
     else {
         // assert env_to not empty, it contains the
         // non-whitelisted folks that want content filtering
+        const u_char *src = (const u_char *)&priv.ip;
+        bool local_source = (src[0] == 127);
         int score = (priv.want_spamassassin) ? priv.assassin->mlfi_eom() : 0;
         bool grey = false;
         int  bulk = 0;
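Review bot: The loopback test `src[0] == 127` needs a comment stating its assumptions and its trust boundary, because it now exempts mail from the dkim require_signed checks. It relies on `priv.ip` holding an IPv4 address in network byte order (consistent with the `ntohl(priv->ip)` call in context.cpp), so IPv6 loopback `::1` is presumably not matched, and it exempts every process able to connect to 127/8, i.e. any local user or service, not only the apache forms the documentation mentions. Suggested comment: `// 127/8 = IPv4 loopback (priv.ip is network byte order, ::1 not covered); anything connecting locally skips the dkim checks, so this trusts every local process, not just apache`. The enclosing function starts and ends outside the hunk.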
@@ -1748,7 +1762,7 @@
             CONTEXT    *next = (*i).second;
             if (con != next) {
                 con = next;
-                st = con->acceptable_content(*priv.memory, score, bulk, priv.queueid, priv.dkim_signers, priv.fromaddr, &priv, msg);
+                st = con->acceptable_content(local_source, *priv.memory, score, bulk, priv.queueid, priv.dkim_signers, priv.fromaddr, &priv, msg);
             }
             if (st == token_black) {
                 // bad html tags or excessive hosts or
--- a/xml/dnsbl.in	Tue Oct 24 09:17:10 2017 -0700
+++ b/xml/dnsbl.in	Fri Nov 03 09:57:13 2017 -0700
@@ -25,7 +25,7 @@
 
     <refentry id="@PACKAGE@.1">
         <refentryinfo>
-            <date>2017-08-18</date>
+            <date>2017-11-03</date>
             <author>
                 <firstname>Carl</firstname>
                 <surname>Byington</surname>
@@ -390,7 +390,8 @@
                     user", and the dns lists are not checked.
                 </para></listitem>
                 <listitem><para>
-                    If the answer is white, and the envelope from domain name is
+                    If the answer is white, the mail is not from localhost,
+                    and the envelope from domain name is
                     listed in the current (or parents) filtering contexts dkim_from with
                     "required_signed", we downgrade this white answer to unknown.
                     If the answer is still white, mail to this recipient is accepted and the dns
@@ -461,6 +462,11 @@
                 messages from being blocked by the dnsbl or content filtering.
             </para>
             <para>
+                If the mail is from localhost we skip the following dkim checks, since
+                such mail will never be dkim signed. This is typically mail that is generated by
+                apache forms.
+            </para>
+            <para>
                 If content filtering is enabled for this body, we look for dkim_signer
                 and dkim_from sections in the current context and parents. We collect the
                 signers of this message from the header added by the dkim-milter. If any
@@ -773,7 +779,7 @@
 
     <refentry id="@PACKAGE@.conf.5">
         <refentryinfo>
-            <date>2017-08-18</date>
+            <date>2017-11-03</date>
             <author>
                 <firstname>Carl</firstname>
                 <surname>Byington</surname>