DandelionNStuff/pymilter
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Split off milter applications.

Browse Source
This commit is contained in:
Stuart Gathman
2008-12-13 20:29:56 +00:00
parent 67cb78ded5
commit 30f4c27c45
21 changed files with 12 additions and 3830 deletions
Download Patch File Download Diff File Expand all files Collapse all files
MANIFEST.in
+1 -15
View File
@@ -9,28 +9,14 @@ include MANIFEST.in
include testsample.py include testsample.py
include testmime.py include testmime.py
include testutils.py include testutils.py
include testbms.py
include rejects.py include rejects.py
include report.py include report.py
include bms.py
include spf.py
include cid2spf.py
include spfquery.py
include ban2zone.py
include test.py include test.py
include sample.py include sample.py
include milter-template.py include milter-template.py
include spfmilter.py
include spfmilter.rc
include spfmilter.cfg
include test/* include test/*
include doc/* include doc/*
include Milter/*.py include Milter/*.py
include *.spec include *.spec
include start.sh
include milter.rc
include milter.rc7
include milter.cfg
include rhsbl.m4
include *.txt
include *.html include *.html
include start.sh
ban2zone.py
-14
View File
@@ -1,14 +0,0 @@
#!/usr/bin/python2.4
import socket
import sys
banned_ips = set(socket.inet_aton(ip)
for fn in sys.argv[1:]
for ip in open(fn))
banned_ips = list(banned_ips)
banned_ips.sort()
for ip in banned_ips:
a = socket.inet_ntoa(ip).split('.')
a.reverse()
print "%s\tIN A 127.0.0.2"%('.'.join(a))
bms.py
-2029
View File
File diff suppressed because it is too large Load Diff
fail.txt
-35
View File
@@ -1,35 +0,0 @@
To: %(sender)s
From: postmaster@%(receiver)s
Subject: SPF fail (EMAIL FORGERY)
Auto-Submitted: auto-generated (configuration error)
This is an automatically generated Delivery Status Notification.
*** WARNING! YOU ARE SENDING FROM AN UNAUTHORIZED LOCATION ***
The email administrator for '%(sender_domain)' (YOUR administrator)
has FORBIDDEN you to send email from this location. IMMEDIATELY contact your
email administrator and follow his instructions to properly send mail.
THIS IS A WARNING MESSAGE ONLY.
YOU DO *NOT* NEED TO RESEND YOUR MESSAGE.
Delivery to the following recipients has been delayed.
%(rcpt)s
Subject: %(subject)s
Received-SPF: %(spf_result)s
Your sender policy indicated that the above email was forged.
Because we believe your policy is in error, we have accepted the
email anyway. Please ask your email administrator to review
your SPF policy. You may also have neglected to follow your
postmaster's instructions for configuring outgoing email.
If you need further assistance, please do not hesitate to contact me.
Kind regards,
Stuart D Gathman
postmaster@%(receiver)s
milter-template.py
+1 -18
View File
@@ -12,25 +12,8 @@ import StringIO
import time import time
import email import email
from socket import AF_INET, AF_INET6 from socket import AF_INET, AF_INET6
from Milter import parse_addr
def parse_addr(t):
"""Split email into user,domain.
>>> parse_addr('user@example.com')
['user', 'example.com']
>>> parse_addr('"user@example.com"')
['user@example.com']
>>> parse_addr('"user@bar"@example.com')
['user@bar', 'example.com']
>>> parse_addr('foo')
['foo']
"""
if t.startswith('<') and t.endswith('>'): t = t[1:-1]
if t.startswith('"'):
if t.endswith('"'): return [t[1:-1]]
pos = t.find('"@')
if pos > 0: return [t[1:pos],t[pos+2:]]
return t.split('@')
class myMilter(Milter.Milter): class myMilter(Milter.Milter):
milter.cfg
-238
View File
@@ -1,238 +0,0 @@
[milter]
# the directory with log and data files
datadir = /var/log/milter
# the socket used to communicate with sendmail. Must match sendmail.cf
socket=/var/run/milter/pythonsock
# where to save original copies of defanged and failed messages
tempdir = /var/log/milter/save
# how long to wait for a response from sendmail before giving up
;timeout=600
log_headers = 0
# Connection ips and hostnames are matched against this glob style list
# to recognize internal senders. You probably need to change this.
# The default is a good guess to try and prevent newbie frustration.
internal_connect = 192.168.0.0/16,127.*
# mail that is not an internal_connect and claims to be from an
# internal domain is rejected. Furthermore, internal mail that
# does not claim to be from an internal domain is rejected.
# You should enable SPF instead if you can. SPF is much more comprehensive and
# flexible. However, SPF is not currently checked for outgoing
# (internal_connect) mail because it doesn't yet handle authorizing
# internal IPs locally.
;internal_domains = mycorp.com,localhost.localdomain
# connections from a trusted relay can trust the first Received header
# SPF checks are bypassed for internal connections and trusted relays.
;trusted_relay = 1.2.3.4, 66.12.34.56
# Relaying to these domains is allowed from internal connections only.
# You might want to restrict aol.com, for instance, so that stupid
# users don't forward their spam to aol for filtering and get your MTA
# blacklisted by aol.
;private_relay = aol.com, yahoo.com
# Reject external senders with hello names no legit external sender would use.
# SPF will do this also, but listing your own domain and mailserver here
# will save some DNS lookups when rejecting certain viruses.
;hello_blacklist = mycorp.com, 66.12.34.56
# Reject mail for domains mentioned unless user is mentioned here also
;check_user = joe@mycorp.com, mary@mycorp.com, file:bigcorp.com
# Treat localparts in milter.cfg as case-insensitive
case_sensitive_localpart = true
# features intended to filter or block incoming mail
[defang]
# do virus scanning on attached messages also
scan_rfc822 = 0
# do virus scanning on attached zipfiles also
scan_zip = 0
# Comment out scripts in HTML attachments. Can be CPU intensive.
scan_html = 0
# reject messages with asian fonts because we can't read them
block_chinese = 0
# list users who hate forwarded mail
;block_forward = egghead@mycorp.com, busybee@mycorp.com
# reject mail with these case insensitive strings in the subject
porn_words = penis, breast, pussy, horse cock, porn, xenical, diet pill, d1ck,
vi*gra, vi-a-gra, viag, tits, p0rn, hunza, horny, sexy, c0ck, xanaax,
p-e-n-i-s, hydrocodone, vicodin, xanax, vicod1n, x@nax, diazepam,
v1@gra, xan@x, cialis, ci@lis, frëe, xãnax, valíum, vãlium, via-gra,
x@n3x, vicod3n, penís, c0d1n, phentermine, en1arge, dip1oma, v1codin,
valium, rolex, sexual, fuck, adv1t, vgaira, medz, acai berry
# reject mail with these case sensitive strings in the subject
spam_words = $$$, !!!, XXX, FREE, HGH
# attachments with these extensions will be replaced with a warning
# message. A copy of the original will be saved.
banned_exts = ade,adp,asd,asx,asp,bas,bat,chm,cmd,com,cpl,crt,dll,exe,hlp,hta,
inf,ins,isp,js,jse,lnk,mdb,mde,msc,msi,msp,mst,ocx,pcd,pif,reg,scr,sct,
shs,url,vb,vbe,vbs,wsc,wsf,wsh
# See http://bmsi.com/python/pysrs.html for details
[srs]
config=/etc/mail/pysrs.cfg
# SRS options can be set here also, but must match the sendmail plugin
;secret="shhhh!"
;maxage=21
;hashlength=4
;database=/var/log/milter/srsdata
;fwdomain = mydomain.com
# turn this on after a grace period to reject spoofed DSNs
reject_spoofed = 0
# Many braindead MTAs send DSNs with a non-DSN MFROM (e.g. to report that
# some virus claiming to be sent by you). This heuristic
# refuses mail from user names commonly abused in that way.
;banned_users = postmaster, mailer-daemon, clamav
# See http://www.openspf.com for more info on SPF.
[spf]
# namespace where SPF records can be supplied for domains without one
# records are searched for under _spf.domain.com
;delegate = domain.com
# domains where a neutral SPF result should cause mail to be rejected
;reject_neutral = aol.com
# use a default (v=spf1 a/24 mx/24 ptr) when no SPF records are published
;best_guess = 0
# Reject senders that have neither PTR nor valid HELO nor SPF records, or send
# DSN otherwise
;reject_noptr = 0
# always accept softfail from these domains, or send DSN otherwise
;accept_softfail = bounces.amazon.com
# Treat fail from these domains like softfail: because their SPF record
# or an important sender is screwed up. Must have valid HELO, however.
;accept_fail = custhelp.com
# Use sendmail access map or similar format for detailed spf policy.
# SPF entries in the access map will override any defaults set above.
;access_file = /etc/mail/access.db
# Add MAIL FROM as Sender when Sender is missing and From domain
# doesn't match MAIL FROM. Outlook and other email clients will then display
# something like: "Sent by sender@domain.com on behalf of from@example.com"
;supply_sender = 0
# Connections that get an SPF pass for a pretend MAIL FROM of
# postmaster@sometrustedforwarder.com skip SPF checks for the real MAIL FROM.
# This is for non-SRS forwarders. It is a simple implementation that
# is inefficient for more than a few entries.
;trusted_forwarder = careerbuilder.com
# features intended to clean up outgoing mail
[scrub]
# domains that block visible private nodes
;hide_path = jcpenney.com
# reject, don't just replace with warning, viruses from these domains
;reject_virus_from = mycorp.com
# features intended for spying on users and coworkers
[wiretap]
blind = 1
#
# wiretap lets you surreptitiously monitor a users outgoing email
# (sendmail aliases let you monitor incoming mail)
#
;users = disloyal@bigcorp.com, bigmouth@bigcorp.com
# multiple destinations can use smart_alias
;dest = spy@bigcorp.com
# discard outgoing mail without alerting sender
# can be used in conjunction with wiretap to censor outgoing mail
;discard_users = canned@bigcorp.com
# archive copies all delivered mail to a file
;mail_archive = /var/log/mail_archive
#
# smart aliases trigger on both sender and recipient
# alias = sender, recipient[, destination]
#
[smart_alias]
# multiple wiretap monitors. Smart aliases are applied after wiretap.
;spy1 = disloyal@bigcorp.com,spy@bigcorp.com
;spy2 = bigmouth@bigcorp.com,spy@bigcorp.com
# mail from client@clientcorp.com to sue@bigcorp.com is redirected to
# local alias copycust
;copycust = client@clientcorp.com,sue@bigcorp.com
# mail from cust@othercorp.com to walter@bigcorp.com is redirected to
# boss@bigcorp.com
;walter = cust@othercorp.com,walter@bigcorp.com,boss@bigcorp.com
# additional copies can be added
;walter1 = cust@othercorp.com,walter@bigcorp.com,boss@bigcorp.com,
; walter@bigcorp.com
;bulk = soruce@telex.com,bob@jsconnor.com
;bulk1 = soruce@telex.com,larry@jsconnor.com,bulk
# See http://bmsi.com/python/dspam.html
[dspam]
# Select a well moderated dspam dictionary to reject spammy headers.
# To filter on the entire message, use the full setup below.
# only EXTERNAL messages are dspam filtered
;dspam_dict=/var/lib/dspam/moderator.dict
# Recipients of mail sent from these senders are added to the auto_whitelist.
# Auto_whitelisted senders with an SPF PASS are never rejected by dspam, and
# messages from auto_whitelisted senders will be used to train screener
# dictionaries as innocent mail.
;whitelist_senders = @mycorp.com
# Opt-out recipients entirely from dspam screening and header triage
;dspam_exempt=getitall@mycorp.com
# Do not scan mail (ostensibly) from these senders
;dspam_whitelist=getitall@sender.com
# Reject spam to these domains instead of quarantining it.
;dspam_reject=othercorp.com
# Scan internal mail - often a good source of stats on legit mail.
;dspam_internal=1
# directory for dspam user quarantine, signature db, and dictionaries
# defining this activates the dspam application
# dspam and dspam-python must be installed
;dspam_userdir=/var/lib/dspam
# do not dspam messages larger than this
;dspam_sizelimit=180000
# Map email addresses and aliases to dspam users
;dspam_users=david,goliath,spam,falsepositive
# List dspam users which train on all delivered messages, as opposed to
# "train on error" which trains only when a spam or falsepositive is reported.
# Training mode will build the dictionary faster, but requires close attention
# so as not to miss any spam or false positives.
;dspam_train=goliath
;david=david@foocorp.com,david.yelnetz@foocorp.com,david@bar.foocorp.com
;goliath=giant@foocorp.com,goliath.philistine@foocorp.com
# address to forward spam to. milter will process these and not deliver
;spam=spam@foocorp.com
# address to forward false positives to. milter will process and not deliver
;falsepositive=ham@foocorp.com
# account which receives only spam: all received messages are marked as spam.
;honeypot=spam-me@example.com
# the dspam_screener is a list of dspam users who screen mail for all
# recipients who are not dspam_users. Spam goes to the screeners quarantine,
# and the original recipients are saved so that false positives can be properly
# delivered.
;dspam_screener=david,goliath
# The dspam CGI can also be used: logins must match dspam users
# Optional pygossip interface
#
# GOSSiP tracks reputation of domain:qualifier pairs. For instance,
# the reputation of example.com:SPF is tracked separately from
# example.com:neutral. Currently qualifiers are
# SPF,neutral,softfail,fail,permerror,GUESS,HELO
[gossip]
# Use a dedicated GOSSiP server. If not specified, a local database
# will be used.
;server=host:11900
# To include peers of a peer in reputation, set ttl=2
;ttl=1
# If a local database is used, also consult these GOSSiP servers about
# domains. Peer reputation is also tracked as to how often they
# agree with us, and weighted accordingly.
;peers=host1:port,host2
[greylist]
dbfile=greylist.db
# mins (Google retries in 5 mins)
time=5
# hours (some legit sites don't retry for 6 hours)
expire=6
# days (keep "first monday" type mailings on file)
retain=36
milter.rc
-109
View File
@@ -1,109 +0,0 @@
#!/bin/bash
#
# milter This shell script takes care of starting and stopping milter.
#
# chkconfig: 2345 80 30
# description: Milter is a process that filters messages sent through sendmail.
# processname: milter
# config: /etc/mail/pymilter.cfg
# pidfile: /var/run/milter/milter.pid
python="python2.4"
pidof() {
set - ""
if set - `ps -e -o pid,cmd | grep "${python} bms.py"` &&
[ "$2" != "grep" ]; then
echo $1
return 0
fi
return 1
}
# Source function library.
. /etc/rc.d/init.d/functions
[ -x /usr/lib/pymilter/start.sh ] || exit 0
RETVAL=0
prog="milter"
start() {
# Start daemons.
echo -n "Starting $prog: "
if ! test -d /var/run/milter; then
mkdir -p /var/run/milter
chown mail:mail /var/run/milter
fi
daemon --check milter --user mail /usr/lib/pymilter/start.sh milter bms
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/milter
return $RETVAL
}
stop() {
# Stop daemons.
echo -n "Shutting down $prog: "
# Find pid.
pid=
base="milter"
if [ -f /var/run/milter/milter.pid ]; then
local line p
read line < /var/run/milter/milter.pid
for p in $line ; do
[ -z "${p//[0-9]/}" -a -d "/proc/$p" ] && pid="$pid $p"
done
fi
if test -n "$pid"; then
checkpid $pid && kill "$pid"
for i in 1 2 3 4 5 6 7 8 9 0; do
checkpid $pid && sleep 2 || break
done
if checkpid $pid; then
failure $"$base shutdown"
RETVAL=1
else
success $"$base shutdown"
RETVAL=0
fi
else
killproc -d 9 milter
RETVAL=$?
fi
echo
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/milter
return $RETVAL
}
# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
restart|reload)
stop
start
RETVAL=$?
;;
condrestart)
if [ -f /var/lock/subsys/milter ]; then
stop
start
RETVAL=$?
fi
;;
status)
status milter
RETVAL=$?
;;
*)
echo "Usage: $0 {start|stop|restart|condrestart|status}"
exit 1
esac
exit $RETVAL
milter.rc7
-85
View File
@@ -1,85 +0,0 @@
#!/bin/bash
#
# milter This shell script takes care of starting and stopping milter.
#
# chkconfig: 2345 80 30
# description: Milter is a process that filters messages sent through sendmail.
# processname: milter
# config: /etc/mail/pymilter.cfg
# pidfile: /var/run/milter/milter.pid
python="python2.4"
pidof() {
set - ""
if set - `ps -e -o pid,wchan,cmd | grep "rt_sig ${python} bms.py"` &&
[ "$3" != "grep" ]; then
echo $1
return 0
fi
return 1
}
# Source function library.
. /etc/rc.d/init.d/functions
[ -x /usr/lib/pymilter/start.sh ] || exit 0
RETVAL=0
prog="milter"
start() {
# Start daemons.
echo -n "Starting $prog: "
if ! test -d /var/run/milter; then
mkdir -p /var/run/milter
chown mail:mail /var/run/milter
fi
daemon --check milter --user mail /usr/lib/pymilter/start.sh milter bms
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/milter
return $RETVAL
}
stop() {
# Stop daemons.
echo -n "Shutting down $prog: "
killproc milter
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/milter
return $RETVAL
}
# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
restart|reload)
stop
start
RETVAL=$?
;;
condrestart)
if [ -f /var/lock/subsys/milter ]; then
stop
start
RETVAL=$?
fi
;;
status)
status milter
RETVAL=$?
;;
*)
echo "Usage: $0 {start|stop|restart|condrestart|status}"
exit 1
esac
exit $RETVAL
miltermodule.c
+7 -4
View File
@@ -35,6 +35,9 @@ $ python setup.py help
libraries=["milter","smutil","resolv"] libraries=["milter","smutil","resolv"]
* $Log$ * $Log$
* Revision 1.14 2008/12/04 19:43:00 customdesigned
* Doc updates.
*
* Revision 1.13 2008/11/23 03:06:47 customdesigned * Revision 1.13 2008/11/23 03:06:47 customdesigned
* Milter support for chgfrom. * Milter support for chgfrom.
* *
@@ -188,10 +191,10 @@ $ python setup.py help
#endif #endif
#define _FFR_MULTILINE (MAX_ML_REPLY > 1) #define _FFR_MULTILINE (MAX_ML_REPLY > 1)
#include <pthread.h> //#include <pthread.h> // shouldn't be needed - use Python API
#include <netinet/in.h> #include <Python.h> // Python C API
#include <Python.h> #include <libmilter/mfapi.h> // libmilter API
#include <libmilter/mfapi.h> #include <netinet/in.h> // socket API
/* See if we have IPv4 and/or IPv6 support in this OS and in /* See if we have IPv4 and/or IPv6 support in this OS and in
neutral.txt
-39
View File
@@ -1,39 +0,0 @@
To: %(sender)s
From: postmaster@%(receiver)s
Subject: SPF %(result)s (POSSIBLE FORGERY)
Auto-Submitted: auto-generated (sender verification)
This is an automatically generated Delivery Status Notification.
THIS IS A WARNING MESSAGE ONLY.
YOU DO *NOT* NEED TO RESEND YOUR MESSAGE.
Delivery to the following recipients has been delayed.
%(rcpt)s
Subject: %(subject)s
Received-SPF: %(spf_result)s
Your sender policy (or lack thereof) indicated that the above email was not
sent via an authorized SMTP server, but may still be legitimate. Since there
is no positive confirmation that the message is really from you, we have
to give it extra scrutiny - including verifying that the sender really
exists by sending you this DSN. We will remember this sender and not
bother you again for a while. You can avoid this message entirely for
legitimate mail by using an authorized SMTP server. Contact your mail
administrator and ask how to configure your email client to use an
authorized server.
If you never sent the above message, then your domain has been forged.
Your mail admin needs to publish a strict SPF record so that I can reject
those forgeries instead of bugging you about them.
See http://openspf.org for details.
If you need further assistance, please do not hesitate to contact me.
Kind regards,
postmaster@%(receiver)s
permerror.txt
-35
View File
@@ -1,35 +0,0 @@
To: %(sender)s
From: postmaster@%(receiver)s
Subject: Critical SPF configuration error
Auto-Submitted: auto-generated (configuration error)
This is an automatically generated Delivery Status Notification.
THIS IS A WARNING MESSAGE ONLY.
YOU DO *NOT* NEED TO RESEND YOUR MESSAGE.
Delivery to the following recipients has been delayed.
%(rcpt)s
Subject: %(subject)s
Received-SPF: %(spf_result)s
Your spf record has a permanent error. The error was:
%(perm_error)s
We will reinterpret your record using "lax" processing heuristics
which may result in your mail being accepted anyway. But you or your
mail administrator need to fix your SPF record as soon as possible.
We are sending you this message to alert you to the fact that
you have problems with your email configuration.
If you need further assistance, please do not hesitate to
contact me again.
Kind regards,
postmaster@%(receiver)s
pymilter.spec
+3 -367
View File
@@ -1,198 +1,10 @@
# This spec file contains 2 noarch packages in addition to the pymilter
# module. To compile all three on 32-bit Intel, use:
# rpmbuild -ba --target=i386,noarch pymilter.spec
%define __python python2.4 %define __python python2.4
%define version 0.8.12 %define version 0.8.12
%define release 1%{?dist}.py24 %define release 1%{?dist}.py24
# what version of RH are we building for? %define libdir %{_libdir}/pymilter
%define name pymilter
%define redhat7 0 %define redhat7 0
# Options for Redhat version 6.x:
# rpm -ba|--rebuild --define "rh7 1"
%{?rh7:%define redhat7 1}
# some systems dont have initrddir defined
%{?_initrddir:%define _initrddir /etc/rc.d/init.d}
%if %{redhat7}
# Redhat 7.x and earlier (multiple ps lines per thread)
%define sysvinit milter.rc7
%else
%define sysvinit milter.rc
%endif
# RH9, other systems (single ps line per process)
%ifos aix4.1
%define libdir /var/log/milter
%else
%define libdir %{_libdir}/pymilter
%endif
%ifarch noarch
Name: milter
Group: Applications/System
Summary: BMS spam and reputation milter
Version: %{version}
Release: %{release}
Source: pymilter-%{version}.tar.gz
#Patch: %{name}-%{version}.patch
License: GPLv2+
Group: Development/Libraries
BuildRoot: %{_tmppath}/%{name}-buildroot
Vendor: Stuart D. Gathman <stuart@bmsi.com>
Url: http://www.bmsi.com/python/milter.html
Requires: %{__python} >= 2.4, pyspf >= 2.0.4, pymilter
%ifos Linux
Requires: chkconfig
%endif
%description -n milter
A complex but effective spam filtering, SPF checking, greylisting,
and reputation tracking mail application. It uses pydspam if installed for
bayesian filtering.
%package spf
Group: Applications/System
Summary: BMS spam and reputation milter
Requires: pyspf >= 2.0.4, pymilter
Obsoletes: pymilter-spf < 0.8.10
%description spf
A simple mail filter to add Received-SPF headers and reject forged mail.
Rejection policy is configured via sendmail access file and can be
tailored by domain.
%prep
%setup -q -n pymilter-%{version}
#patch -p0 -b .bms
%install
rm -rf $RPM_BUILD_ROOT
mkdir -p $RPM_BUILD_ROOT/var/log/milter
mkdir -p $RPM_BUILD_ROOT/etc/mail
mkdir $RPM_BUILD_ROOT/var/log/milter/save
mkdir -p $RPM_BUILD_ROOT%{libdir}
cp *.txt $RPM_BUILD_ROOT/var/log/milter
cp -p bms.py spfmilter.py ban2zone.py $RPM_BUILD_ROOT%{libdir}
cp milter.cfg $RPM_BUILD_ROOT/etc/mail/pymilter.cfg
cp spfmilter.cfg $RPM_BUILD_ROOT/etc/mail
# logfile rotation
mkdir -p $RPM_BUILD_ROOT/etc/logrotate.d
cat >$RPM_BUILD_ROOT/etc/logrotate.d/milter <<'EOF'
/var/log/milter/milter.log {
copytruncate
compress
}
/var/log/milter/banned_ips {
rotate 7
daily
copytruncate
}
EOF
# purge saved defanged message copies
mkdir -p $RPM_BUILD_ROOT/etc/cron.daily
%ifos aix4.1
R=
%else
R='-r'
%endif
cat >$RPM_BUILD_ROOT/etc/cron.daily/milter <<'EOF'
#!/bin/sh
find /var/log/milter/save -mtime +7 | xargs $R rm
# work around memory leak
/etc/init.d/milter condrestart
EOF
chmod a+x $RPM_BUILD_ROOT/etc/cron.daily/milter
%ifnos aix4.1
mkdir -p $RPM_BUILD_ROOT/etc/rc.d/init.d
cp %{sysvinit} $RPM_BUILD_ROOT/etc/rc.d/init.d/milter
cp spfmilter.rc $RPM_BUILD_ROOT/etc/rc.d/init.d/spfmilter
ed $RPM_BUILD_ROOT/etc/rc.d/init.d/milter <<'EOF'
/^python=/
c
python="%{__python}"
.
w
q
EOF
ed $RPM_BUILD_ROOT/etc/rc.d/init.d/spfmilter <<'EOF'
/^python=/
c
python="%{__python}"
.
w
q
EOF
%endif # aix4.1
mkdir -p $RPM_BUILD_ROOT/usr/share/sendmail-cf/hack
cp -p rhsbl.m4 $RPM_BUILD_ROOT/usr/share/sendmail-cf/hack
%ifos aix4.1
%post
mkssys -s milter -p %{libdir}/start.sh -u 25 -S -n 15 -f 9 -G mail || :
%preun
if [ $1 = 0 ]; then
rmssys -s milter || :
fi
%else # not aix4.1
%post -n milter
#echo "pythonsock has moved to /var/run/milter, update /etc/mail/sendmail.cf"
/sbin/chkconfig --add milter
%preun -n milter
if [ $1 = 0 ]; then
/sbin/chkconfig --del milter
fi
%post spf
#echo "pythonsock has moved to /var/run/milter, update /etc/mail/sendmail.cf"
/sbin/chkconfig --add spfmilter
%preun spf
if [ $1 = 0 ]; then
/sbin/chkconfig --del spfmilter
fi
%endif # aix4.1
%files
%defattr(-,root,root)
/etc/logrotate.d/milter
/etc/cron.daily/milter
%ifos aix4.1
%defattr(-,smmsp,mail)
%else
/etc/rc.d/init.d/milter
%defattr(-,mail,mail)
%endif
%dir /var/log/milter
%dir /var/log/milter/save
%{libdir}/bms.py
%{libdir}/ban2zone.py
%config(noreplace) /var/log/milter/strike3.txt
%config(noreplace) /var/log/milter/softfail.txt
%config(noreplace) /var/log/milter/fail.txt
%config(noreplace) /var/log/milter/neutral.txt
%config(noreplace) /var/log/milter/quarantine.txt
%config(noreplace) /var/log/milter/permerror.txt
%config(noreplace) /var/log/milter/temperror.txt
%config(noreplace) /etc/mail/pymilter.cfg
/usr/share/sendmail-cf/hack/rhsbl.m4
%files spf
%defattr(-,root,root)
%dir /var/log/milter
%{libdir}/spfmilter.py*
%config(noreplace) /etc/mail/spfmilter.cfg
/etc/rc.d/init.d/spfmilter
%else # not noarch
%define name pymilter
Summary: Python interface to sendmail milter API Summary: Python interface to sendmail milter API
Name: %{name} Name: %{name}
Version: %{version} Version: %{version}
@@ -260,37 +72,19 @@ chmod a+x $RPM_BUILD_ROOT%{libdir}/start.sh
%config %{libdir}/start.sh %config %{libdir}/start.sh
%dir %attr(0755,mail,mail) /var/run/milter %dir %attr(0755,mail,mail) /var/run/milter
%endif # noarch
%clean %clean
rm -rf $RPM_BUILD_ROOT rm -rf $RPM_BUILD_ROOT
%changelog %changelog
* Mon Nov 24 2008 Stuart Gathman <stuart@bmsi.com> 0.8.12-1 * Mon Nov 24 2008 Stuart Gathman <stuart@bmsi.com> 0.8.12-1
- Split pymilter into its own CVS module
- Support chgfrom and addrcpt_par - Support chgfrom and addrcpt_par
- 2 demerits for HELO after MAIL FROM
- Support NS records in Milter.dns - Support NS records in Milter.dns
- Make initscript use pid file.
- Fix greylist config
- SPF Pass policy
* Sat Oct 11 2008 Stuart Gathman <stuart@bmsi.com> 0.8.11-1
- Support greylisting
- Recognize vacation messages as autoreplies.
- Never ban a trusted relay.
- Missing global reading banned_ips
- ban2zone.py
* Mon Aug 25 2008 Stuart Gathman <stuart@bmsi.com> 0.8.10-2 * Mon Aug 25 2008 Stuart Gathman <stuart@bmsi.com> 0.8.10-2
- /var/run/milter directory must be owned by mail - /var/run/milter directory must be owned by mail
* Mon Aug 25 2008 Stuart Gathman <stuart@bmsi.com> 0.8.10-1 * Mon Aug 25 2008 Stuart Gathman <stuart@bmsi.com> 0.8.10-1
- log rcpt for SRS rejections
- improved parsing into email and fullname (still 2 self test failures) - improved parsing into email and fullname (still 2 self test failures)
- implement no-DSN CBV, reduce full DSNs - implement no-DSN CBV, reduce full DSNs
- check for porn words in MAIL FROM fullname
- ban IP for too many bad MAIL FROMs or RCPT TOs
- temperror policy in access
- no CBV for whitelisted MAIL FROM except permerror, softfail
- Allow explicitly whitelisted email from banned_users.
- configure gossip TTL
* Mon Sep 24 2007 Stuart Gathman <stuart@bmsi.com> 0.8.9-1 * Mon Sep 24 2007 Stuart Gathman <stuart@bmsi.com> 0.8.9-1
- Use ifarch hack to build milter and milter-spf packages as noarch - Use ifarch hack to build milter and milter-spf packages as noarch
- Remove spf dependency from dsn.py, add dns.py - Remove spf dependency from dsn.py, add dns.py
@@ -298,167 +92,9 @@ rm -rf $RPM_BUILD_ROOT
- move AddrCache, parse_addr, iniplist to Milter package - move AddrCache, parse_addr, iniplist to Milter package
- move parse_header to Milter.utils - move parse_header to Milter.utils
- fix plock for missing source and can't change owner/group - fix plock for missing source and can't change owner/group
- add sample spfmilter.py milter
- private_relay config option
- persist delayed DSN blacklisting
- handle gossip server restart without disabling gossip
- split out pymilter and pymilter-spf packages - split out pymilter and pymilter-spf packages
- move milter apps to /usr/lib/pymilter - move milter apps to /usr/lib/pymilter
* Sat Nov 04 2006 Stuart Gathman <stuart@bmsi.com> 0.8.7-1 * Sat Nov 04 2006 Stuart Gathman <stuart@bmsi.com> 0.8.7-1
- More lame bounce heuristics
- SPF moved to pyspf RPM - SPF moved to pyspf RPM
- wiretap archive option
- Do plain CBV if missing template
- SMTP AUTH policy in access
* Tue May 23 2006 Stuart Gathman <stuart@bmsi.com> 0.8.6-2 * Tue May 23 2006 Stuart Gathman <stuart@bmsi.com> 0.8.6-2
- Support CBV timeout - Support CBV timeout
- Support fail template, headers in templates
- Create GOSSiP record only when connection will procede to DATA.
- More SPF lax heuristics
- Don't require SPF pass for white/black listing mail from trusted relay.
- Support localpart wildcard for white and black lists.
* Thu Feb 23 2006 Stuart Gathman <stuart@bmsi.com> 0.8.6-1
- Delay reject of unsigned RCPT for postmaster and abuse only
- Fix dsn reporting of hard permerror
- Resolve FIXME for wrap_close in miltermodule.c
- Add Message-ID to DSNs
- Use signed Message-ID in delayed reject to blacklist senders
- Auto-train via blacklist and auto-whitelist
- Don't check userlist for signed MFROM
- Accept but skip DSPAM and training for whitelisted senders without SPF PASS
- Report GC stats
- Support CIDR matching for IP lists
- Support pysrs sign feature
- Support localpart specific SPF policy in access file
* Thu Dec 29 2005 Stuart Gathman <stuart@bmsi.com> 0.8.5-1
- Simple trusted_forwarder implementation.
- Fix access_file neutral policy
- Move Received-SPF header to beginning of headers
- Supply keyword info for all results in Received-SPF header.
- Move guessed SPF result to separate header
- Activate smfi_insheader only when SMFIR_INSHEADER defined
- Handle NULL MX in spf.py
- in-process GOSSiP server support (to be extended later)
- Expire CBV cache and renew auto-whitelist entries
* Fri Oct 21 2005 Stuart Gathman <stuart@bmsi.com> 0.8.4-2
- Don't supply sender when MFROM is subdomain of header from/sender.
- Don't send quarantine DSN for DSNs
- Skip dspam for replies/DSNs to signed MFROM
* Thu Oct 20 2005 Stuart Gathman <stuart@bmsi.com> 0.8.4-1
- Fix SPF policy via sendmail access map (case insensitive keys).
- Auto whitelist senders, train screener on whitelisted messages
- Optional idx parameter to addheader to invoke smfi_insheader
- Activate progress when SMFIR_PROGRESS defined
* Wed Oct 12 2005 Stuart Gathman <stuart@bmsi.com> 0.8.3-1
- Keep screened honeypot mail, but optionally discard honeypot only mail.
- spf_accept_fail option for braindead SPF senders (treats fail like softfail)
- Consider SMTP AUTH connections internal.
- Send DSN for SPF errors corrected by extended processing.
- Send DSN before SCREENED mail is quarantined
- Option to set SPF policy via sendmail access map.
- Option to supply Sender header from MAIL FROM when missing.
- Use logging package to keep log lines atomic.
* Fri Jul 15 2005 Stuart Gathman <stuart@bmsi.com> 0.8.2-4
- Limit each CNAME chain independently like PTR and MX
* Fri Jul 15 2005 Stuart Gathman <stuart@bmsi.com> 0.8.2-3
- Limit CNAME lookups (regression)
* Fri Jul 15 2005 Stuart Gathman <stuart@bmsi.com> 0.8.2-2
- Handle corrupt ZIP attachments
* Fri Jul 15 2005 Stuart Gathman <stuart@bmsi.com> 0.8.2-1
- Strict processing limits per SPF RFC
- Fixed several parsing bugs under RFC
- Support official IANA SPF record (type99)
- Honeypot support (requires pydspam-1.1.9)
- Extended SPF processing results beyond strict RFC limits
- Support original SES for local bounce protection (requires pysrs-0.30.10)
- Callback exception processing option in milter module
* Thu Jun 16 2005 Stuart Gathman <stuart@bmsi.com> 0.8.1-1
- Fix zip in zip loop in mime.py
- Fix HeaderParseError in bms.py header callback
- Check internal_domains for outgoing mail
- Fix inconsistent results from send_dsn
* Mon Jun 06 2005 Stuart Gathman <stuart@bmsi.com> 0.8.0-3
- properly log pydspam exceptions
* Sat Jun 04 2005 Stuart Gathman <stuart@bmsi.com> 0.8.0-2
- Include default softfail, strike3 templates
* Wed May 25 2005 Stuart Gathman <stuart@bmsi.com> 0.8.0-1
- Move Milter module to subpackage.
- DSN support for Three strikes rule and SPF SOFTFAIL
- Move /*mime*/ and dynip to Milter subpackage
- Fix SPF unknown mechanism list not cleared
- Make banned extensions configurable.
- Option to scan zipfiles for bad extensions.
* Tue Feb 08 2005 Stuart Gathman <stuart@bmsi.com> 0.7.3-1.EL3
- Support EL3 and Python2.4 (some scanning/defang support broken)
* Mon Aug 30 2004 Stuart Gathman <stuart@bmsi.com> 0.7.2-1
- Fix various SPF bugs
- Recognize dynamic PTR names, and don't count them as authentication.
- Three strikes and yer out rule.
- Block softfail by default unless valid PTR or HELO
- Return unknown for null mechanism
- Return unknown for invalid ip address in mechanism
- Try best guess on HELO also
- Expand setreply for common errors
- make rhsbl.m4 hack available for sendmail.mc
* Sun Aug 22 2004 Stuart Gathman <stuart@bmsi.com> 0.7.1-1
- Handle modifying mislabeled multipart messages without an exception
- Support setbacklog, setmlreply
- allow multi-recipient CBV
- return TEMPFAIL for SPF softfail
* Fri Jul 23 2004 Stuart Gathman <stuart@bmsi.com> 0.7.0-1
- SPF check hello name
- Move pythonsock to /var/run/milter
- Move milter.cfg to /etc/mail/pymilter.cfg
- Check M$ style XML CID records by converting to SPF
- Recognize, but never match ip6 until we properly support it.
- Option to reject when no PTR and no SPF
* Fri Apr 09 2004 Stuart Gathman <stuart@bmsi.com> 0.6.9-1
- Validate spf.py against test suite, and add Received-SPF support to spf.py
- Support best_guess for SPF
- Reject numeric hello names
- Preserve case of local part in sender
- Make libmilter timeout a config option
- Fix setup.py to work with python < 2.2.3
* Tue Apr 06 2004 Stuart Gathman <stuart@bmsi.com> 0.6.8-3
- Reject invalid SRS immediately for benefit of callback verifiers
- Fix include bug in spf.py
* Tue Apr 06 2004 Stuart Gathman <stuart@bmsi.com> 0.6.8-2
- Bug in check_header
* Mon Apr 05 2004 Stuart Gathman <stuart@bmsi.com> 0.6.8-1
- Don't report spoofed unless rcpt looks like SRS
- Check for bounce with multiple rcpts
- Make dspam see Received-SPF headers
- Make sysv init work with RH9
* Thu Mar 25 2004 Stuart Gathman <stuart@bmsi.com> 0.6.7-3
- Forgot to make spf_reject_neutral global in bms.py
* Wed Mar 24 2004 Stuart Gathman <stuart@bmsi.com> 0.6.7-2
- Defang message/rfc822 content_type with boundary
- Support SPF delegation
- Reject neutral SPF result for selected domains
* Tue Mar 23 2004 Stuart Gathman <stuart@bmsi.com> 0.6.7-1
- SRS forgery check. Detect thread resource starvation.
- Properly remove local socket with explicit type.
- Decode obfuscated subject headers.
* Wed Mar 11 2004 Stuart Gathman <stuart@bmsi.com> 0.6.6-2
- init script bug with python2.3
* Wed Mar 10 2004 Stuart Gathman <stuart@bmsi.com> 0.6.6-1
- SPF checking, hello blacklist
* Mon Mar 08 2004 Stuart Gathman <stuart@bmsi.com> 0.6.5-2
- memory leak in envfrom and envrcpt
* Mon Mar 01 2004 Stuart Gathman <stuart@bmsi.com> 0.6.5-1
- progress notification
- memory leak in connect
- trusted relay
* Thu Feb 19 2004 Stuart Gathman <stuart@bmsi.com> 0.6.4-2
- smart alias wildcard patch, compile for sendmail-8.12
* Thu Dec 04 2003 Stuart Gathman <stuart@bmsi.com> 0.6.4-1
- many fixes for dspam support
* Wed Oct 22 2003 Stuart Gathman <stuart@bmsi.com> 0.6.3
- dspam SCREEN feature
- streamline dspam false positive handling
* Mon Sep 01 2003 Stuart Gathman <stuart@bmsi.com> 0.6.1
- Full dspam support added
* Mon Aug 26 2003 Stuart Gathman <stuart@bmsi.com>
- Use New email module
* Fri Jun 27 2003 Stuart Gathman <stuart@bmsi.com>
- Add dspam module
quarantine.txt
-29
View File
@@ -1,29 +0,0 @@
To: %(sender)s
From: postmaster@%(receiver)s
Subject: DELIVERY STATUS (POSSIBLE SPAM)
Auto-Submitted: auto-generated (content analysis)
This is an automatically generated Delivery Status Notification.
THIS IS A WARNING MESSAGE ONLY.
YOU DO *NOT* NEED TO RESEND YOUR MESSAGE.
Delivery to the following recipients has been delayed.
%(rcpt)s
Subject: %(subject)s
Received-SPF: %(spf_result)s
A statistical analysis of your message has classified it as junk mail,
and it has been quarantined. Eventually, the recipients will review
their quarantined mail and may notice your message. If your message is
important, please contact them via other means. You may also try sending
them a simple plain text message.
If you need further assistance, please do not hesitate to contact me.
Kind regards,
postmaster@%(receiver)s
softfail.txt
-28
View File
@@ -1,28 +0,0 @@
To: %(sender)s
From: postmaster@%(receiver)s
Subject: SPF %(result)s (POSSIBLE FORGERY)
Auto-Submitted: auto-generated (configuration error)
This is an automatically generated Delivery Status Notification.
THIS IS A WARNING MESSAGE ONLY.
YOU DO *NOT* NEED TO RESEND YOUR MESSAGE.
Delivery to the following recipients has been delayed.
%(rcpt)s
Subject: %(subject)s
Received-SPF: %(spf_result)s
Your sender policy indicated that the above email was likely forged and that
feedback was desired for debugging. If you are sending from a foreign ISP,
then you may need to follow your home ISPs instructions for configuring
your outgoing mail server.
If you need further assistance, please do not hesitate to contact me.
Kind regards,
postmaster@%(receiver)s
spfmilter.cfg
-20
View File
@@ -1,20 +0,0 @@
[milter]
# The socket used to communicate with sendmail
socketname = /var/run/milter/spfmiltersock
# Name of the milter given to sendmail
name = pyspffilter
# Trusted relays such as secondary MXes that should not have SPF checked.
;trusted_relay =
# Internal networks that should not have SPF checked.
internal_connect = 127.0.0.1,192.168.0.0/16,10.0.0.0/8
# See http://www.openspf.com for more info on SPF.
[spf]
# Use sendmail access map or similar format for detailed spf policy.
# SPF entries in the access map will override defaults.
access_file = /etc/mail/access.db
# Connections that get an SPF pass for a pretend MAIL FROM of
# postmaster@sometrustedforwarder.com skip SPF checks for the real MAIL FROM.
# This is for non-SRS forwarders. It is a simple implementation that
# is inefficient for more than a few entries.
;trusted_forwarder = careerbuilder.com
spfmilter.py
-253
View File
@@ -1,253 +0,0 @@
# A simple SPF milter.
# You must install pyspf for this to work.
# http://www.sendmail.org/doc/sendmail-current/libmilter/docs/installation.html
# Author: Stuart D. Gathman <stuart@bmsi.com>
# Copyright 2007 Business Management Systems, Inc.
# This code is under GPL. See COPYING for details.
import sys
import Milter
import spf
import syslog
import anydbm
from Milter.config import MilterConfigParser
from Milter.utils import iniplist,parse_addr
syslog.openlog('spfmilter',0,syslog.LOG_MAIL)
class Config(object):
"Hold configuration options."
pass
def read_config(list):
"Return new config object."
cp = MilterConfigParser()
cp.read(list)
if cp.has_option('milter','datadir'):
os.chdir(cp.get('milter','datadir'))
conf = Config()
conf.socketname = cp.getdefault('milter','socketname', '/tmp/spfmiltersock')
conf.miltername = cp.getdefault('milter','name','pyspffilter')
conf.trusted_relay = cp.getlist('milter','trusted_relay')
conf.internal_connect = cp.getlist('milter','internal_connect')
conf.trusted_forwarder = cp.getlist('spf','trusted_relay')
conf.access_file = cp.getdefault('spf','access_file',None)
return conf
class SPFPolicy(object):
"Get SPF policy by result from sendmail style access file."
def __init__(self,sender,access_file=None):
self.sender = sender
self.domain = sender.split('@')[-1].lower()
if access_file:
try: acf = anydbm.open(access_file,'r')
except: acf = None
else: acf = None
self.acf = acf
def getPolicy(self,pfx):
acf = self.acf
if not acf: return None
try:
return acf[pfx + self.sender]
except KeyError:
try:
return acf[pfx + self.domain]
except KeyError:
try:
return acf[pfx]
except KeyError:
return None
class spfMilter(Milter.Milter):
"Milter to check SPF. Each connection gets its own instance."
def log(self,*msg):
syslog.syslog('[%d] %s' % (self.id,' '.join([str(m) for m in msg])))
def __init__(self):
self.mailfrom = None
self.id = Milter.uniqueID()
# we don't want config used to change during a connection
self.conf = config
# addheader can only be called from eom(). This accumulates added headers
# which can then be applied by alter_headers()
def add_header(self,name,val,idx=-1):
self.new_headers.append((name,val,idx))
self.log('%s: %s' % (name,val))
def connect(self,hostname,unused,hostaddr):
self.internal_connection = False
self.trusted_relay = False
self.hello_name = None
# sometimes people put extra space in sendmail config, so we strip
self.receiver = self.getsymval('j').strip()
if hostaddr and len(hostaddr) > 0:
ipaddr = hostaddr[0]
if iniplist(ipaddr,self.conf.internal_connect):
self.internal_connection = True
if iniplist(ipaddr,self.conf.trusted_relay):
self.trusted_relay = True
else: ipaddr = ''
self.connectip = ipaddr
if self.internal_connection:
connecttype = 'INTERNAL'
else:
connecttype = 'EXTERNAL'
if self.trusted_relay:
connecttype += ' TRUSTED'
self.log("connect from %s at %s %s" % (hostname,hostaddr,connecttype))
return Milter.CONTINUE
def hello(self,hostname):
self.hello_name = hostname
self.log("hello from %s" % hostname)
return Milter.CONTINUE
# multiple messages can be received on a single connection
# envfrom (MAIL FROM in the SMTP protocol) seems to mark the start
# of each message.
def envfrom(self,f,*str):
self.log("mail from",f,str)
if not self.hello_name:
self.log('REJECT: missing HELO')
self.setreply('550','5.7.1',"It's polite to say helo first.")
return Milter.REJECT
self.mailfrom = f
self.new_headers = []
t = parse_addr(f)
if len(t) == 2: t[1] = t[1].lower()
self.canon_from = '@'.join(t)
if not (self.internal_connection or self.trusted_relay) and self.connectip:
rc = self.check_spf()
if rc != Milter.CONTINUE: return rc
return Milter.CONTINUE
def envrcpt(self,f,*str):
return Milter.CONTINUE
def header(self,name,hval):
return Milter.CONTINUE
def eoh(self):
return Milter.CONTINUE
def eom(self):
for name,val,idx in self.new_headers:
try:
self.addheader(name,val,idx)
except:
self.addheader(name,val) # older sendmail can't insheader
return Milter.CONTINUE
def close(self):
return Milter.CONTINUE
def check_spf(self):
receiver = self.receiver
for tf in self.conf.trusted_forwarder:
q = spf.query(self.connectip,'',tf,receiver=receiver,strict=False)
res,code,txt = q.check()
if res == 'pass':
self.log("TRUSTED_FORWARDER:",tf)
break
else:
q = spf.query(self.connectip,self.canon_from,self.hello_name,
receiver=receiver,strict=False)
q.set_default_explanation(
'SPF fail: see http://openspf.org/why.html?sender=%s&ip=%s' % (q.s,q.i))
res,code,txt = q.check()
if res not in ('pass','temperror'):
if self.mailfrom != '<>':
# check hello name via spf unless spf pass
h = spf.query(self.connectip,'',self.hello_name,receiver=receiver)
hres,hcode,htxt = h.check()
if hres in ('deny','fail','neutral','softfail'):
self.log('REJECT: hello SPF: %s 550 %s' % (hres,htxt))
self.setreply('550','5.7.1',htxt,
"The hostname given in your MTA's HELO response is not listed",
"as a legitimate MTA in the SPF records for your domain. If you",
"get this bounce, the message was not in fact a forgery, and you",
"should IMMEDIATELY notify your email administrator of the problem."
)
return Milter.REJECT
else:
hres,hcode,htxt = res,code,txt
else: hres = None
p = SPFPolicy(q.s,self.conf.access_file)
if res == 'fail':
policy = p.getPolicy('spf-fail:')
if not policy or policy == 'REJECT':
self.log('REJECT: SPF %s %i %s' % (res,code,txt))
self.setreply(str(code),'5.7.1',txt)
# A proper SPF fail error message would read:
# forger.biz [1.2.3.4] is not allowed to send mail with the domain
# "forged.org" in the sender address. Contact <postmaster@forged.org>.
return Milter.REJECT
if res == 'softfail':
policy = p.getPolicy('spf-softfail:')
if policy and policy == 'REJECT':
self.log('REJECT: SPF %s %i %s' % (res,code,txt))
self.setreply(str(code),'5.7.1',txt)
# A proper SPF fail error message would read:
# forger.biz [1.2.3.4] is not allowed to send mail with the domain
# "forged.org" in the sender address. Contact <postmaster@forged.org>.
return Milter.REJECT
elif res == 'permerror':
policy = p.getPolicy('spf-permerror:')
if not policy or policy == 'REJECT':
self.log('REJECT: SPF %s %i %s' % (res,code,txt))
# latest SPF draft recommends 5.5.2 instead of 5.7.1
self.setreply(str(code),'5.5.2',txt,
'There is a fatal syntax error in the SPF record for %s' % q.o,
'We cannot accept mail from %s until this is corrected.' % q.o
)
return Milter.REJECT
elif res == 'temperror':
policy = p.getPolicy('spf-temperror:')
if not policy or policy == 'REJECT':
self.log('TEMPFAIL: SPF %s %i %s' % (res,code,txt))
self.setreply(str(code),'4.3.0',txt)
return Milter.TEMPFAIL
elif res == 'neutral' or res == 'none':
policy = p.getPolicy('spf-neutral:')
if policy and policy == 'REJECT':
self.log('REJECT NEUTRAL:',q.s)
self.setreply('550','5.7.1',
"%s requires and SPF PASS to accept mail from %s. [http://openspf.org]"
% (receiver,q.s))
return Milter.REJECT
elif res == 'pass':
policy = p.getPolicy('spf-pass:')
if policy and policy == 'REJECT':
self.log('REJECT PASS:',q.s)
self.setreply('550','5.7.1',
"%s has been blacklisted by %s." % (q.s,receiver))
return Milter.REJECT
self.add_header('Received-SPF',q.get_header(res,receiver),0)
if hres and q.h != q.o:
self.add_header('X-Hello-SPF',hres,0)
return Milter.CONTINUE
if __name__ == "__main__":
Milter.factory = spfMilter
Milter.set_flags(Milter.CHGHDRS + Milter.ADDHDRS)
global config
config = read_config(['spfmilter.cfg','/etc/mail/spfmilter.cfg'])
miltername = config.miltername
socketname = config.socketname
print """To use this with sendmail, add the following to sendmail.cf:
O InputMailFilters=%s
X%s, S=local:%s
See the sendmail README for libmilter.
sample spfmilter startup""" % (miltername,miltername,socketname)
sys.stdout.flush()
Milter.runmilter("pyspffilter",socketname,240)
print "sample spfmilter shutdown"
spfmilter.rc
-85
View File
@@ -1,85 +0,0 @@
#!/bin/bash
#
# spfmilter This shell script takes care of starting and stopping spfmilter.
#
# chkconfig: 2345 80 30
# description: a process that checks SPF for messages sent through sendmail.
# processname: spfmilter
# config: /etc/mail/spfmilter.cfg
# pidfile: /var/run/milter/spfmilter.pid
python="python2.4"
pidof() {
set - ""
if set - `ps -e -o pid,cmd | grep "${python} spfmilter.py"` &&
[ "$2" != "grep" ]; then
echo $1
return 0
fi
return 1
}
# Source function library.
. /etc/rc.d/init.d/functions
[ -x /usr/lib/pymilter/start.sh ] || exit 0
RETVAL=0
prog="spfmilter"
start() {
# Start daemons.
echo -n "Starting $prog: "
if ! test -d /var/run/milter; then
mkdir -p /var/run/milter
chown mail:mail /var/run/milter
fi
daemon --check milter --user mail /usr/lib/pymilter/start.sh spfmilter
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/spfmilter
return $RETVAL
}
stop() {
# Stop daemons.
echo -n "Shutting down $prog: "
killproc milter
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/spfmilter
return $RETVAL
}
# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
restart|reload)
stop
start
RETVAL=$?
;;
condrestart)
if [ -f /var/lock/subsys/spfmilter ]; then
stop
start
RETVAL=$?
fi
;;
status)
status spfmilter
RETVAL=$?
;;
*)
echo "Usage: $0 {start|stop|restart|condrestart|status}"
exit 1
esac
exit $RETVAL
strike3.txt
-69
View File
@@ -1,69 +0,0 @@
To: %(sender)s
From: postmaster@%(receiver)s
Subject: Critical mail server configuration error
Auto-Submitted: auto-generated (configuration error)
This is an automatically generated Delivery Status Notification.
THIS IS A WARNING MESSAGE ONLY.
YOU DO *NOT* NEED TO RESEND YOUR MESSAGE.
Delivery to the following recipients has been delayed.
%(rcpt)s
Subject: %(subject)s
Someone at IP address %(connectip)s sent an email claiming
to be from %(sender)s.
If that wasn't you, then your domain, %(sender_domain)s,
was forged - i.e. used without your knowlege or authorization by
someone attempting to steal your mail identity. This is a very
serious problem, and you need to provide authentication for your
SMTP (email) servers to prevent criminals from forging your
domain. The simplest step is usually to publish an SPF record
with your Sender Policy.
For more information, see: http://openspf.org
I hate to annoy you with a DSN (Delivery Status
Notification) from a possibly forged email, but since you
have not published a sender policy, there is no other way
of bringing this to your attention.
If it *was* you that sent the email, then your email domain
or configuration is in error. If you don't know anything
about mail servers, then pass this on to your SMTP (mail)
server administrator. We have accepted the email anyway, in
case it is important, but we couldn't find anything about
the mail submitter at %(connectip)s to distinguish it from a
zombie (compromised/infected computer - usually a Windows
PC). There was no PTR record for its IP address (PTR names
that contain the IP address don't count). RFC2821 requires
that your hello name be a FQN (Fully Qualified domain Name,
i.e. at least one dot) that resolves to the IP address of
the mail sender. In addition, just like for PTR, we don't
accept a helo name that contains the IP, since this doesn't
help to identify you. The hello name you used,
%(heloname)s, was invalid.
Furthermore, there was no SPF record for the sending domain
%(sender_domain)s. We even tried to find its IP in any A or
MX records for your domain, but that failed also. We really
should reject mail from anonymous mail clients, but in case
it is important, we are accepting it anyway.
We are sending you this message to alert you to the fact that
Either - Someone is forging your domain.
Or - You have problems with your email configuration.
Or - Possibly both.
If you need further assistance, please do not hesitate to
contact me again.
Kind regards,
postmaster@%(receiver)s
temperror.txt
-33
View File
@@ -1,33 +0,0 @@
To: %(sender)s
From: postmaster@%(receiver)s
Subject: Critical DNS configuration error
Auto-Submitted: auto-generated (configuration error)
This is an automatically generated Delivery Status Notification.
THIS IS A WARNING MESSAGE ONLY.
YOU DO *NOT* NEED TO RESEND YOUR MESSAGE.
Delivery to the following recipients has been delayed.
%(rcpt)s
Subject: %(subject)s
Received-SPF: %(spf_result)s
Your DNS server is not responding to TXT queries. In other words,
it is BROKEN. You need to get somebody to fix it ASAP. We
are attempting to do TXT queries to see if you have an SPF record.
See http://openspf.org
We are sending you this message to alert you to the fact that
you have problems with your DNS.
If you need further assistance, please do not hesitate to
contact me again.
Kind regards,
postmaster@%(receiver)s
test.py
-2
View File
@@ -1,5 +1,4 @@
import unittest import unittest
import testbms
import testmime import testmime
import testsample import testsample
import testutils import testutils
@@ -7,7 +6,6 @@ import os
def suite(): def suite():
s = unittest.TestSuite() s = unittest.TestSuite()
s.addTest(testbms.suite())
s.addTest(testmime.suite()) s.addTest(testmime.suite())
s.addTest(testsample.suite()) s.addTest(testsample.suite())
s.addTest(testutils.suite()) s.addTest(testutils.suite())
testbms.py
-323
View File
@@ -1,323 +0,0 @@
import unittest
import doctest
import Milter
import bms
import mime
import rfc822
import StringIO
import email
import sys
#import pdb
class TestMilter(bms.bmsMilter):
def __init__(self):
bms.bmsMilter.__init__(self)
self.logfp = open("test/milter.log","a")
self._delrcpt = [] # record deleted rcpts for testing
self._addrcpt = [] # record added rcpts for testing
def log(self,*msg):
for i in msg: print >>self.logfp, i,
print >>self.logfp
def getsymval(self,name):
if name == 'j': return 'test.milter.org'
return ''
def replacebody(self,chunk):
if self._body:
self._body.write(chunk)
self.bodyreplaced = True
else:
raise IOError,"replacebody not called from eom()"
# FIXME: rfc822 indexing does not really reflect the way chg/add header
# work for a milter
def chgheader(self,field,idx,value):
if not self._body:
raise IOError,"chgheader not called from eom()"
self.log('chgheader: %s[%d]=%s' % (field,idx,value))
if value == '':
del self._msg[field]
else:
self._msg[field] = value
self.headerschanged = True
def addheader(self,field,value,idx=-1):
if not self._body:
raise IOError,"addheader not called from eom()"
self.log('addheader: %s=%s' % (field,value))
self._msg[field] = value
self.headerschanged = True
def delrcpt(self,rcpt):
if not self._body:
raise IOError,"delrcpt not called from eom()"
self._delrcpt.append(rcpt)
def addrcpt(self,rcpt):
if not self._body:
raise IOError,"addrcpt not called from eom()"
self._addrcpt.append(rcpt)
def setreply(self,rcode,xcode,msg):
self.reply = (rcode,xcode,msg)
def feedFile(self,fp,sender="spam@adv.com",rcpt="victim@lamb.com"):
self._body = None
self.bodyreplaced = False
self.headerschanged = False
self.reply = None
msg = rfc822.Message(fp)
rc = self.envfrom('<%s>'%sender)
if rc != Milter.CONTINUE: return rc
rc = self.envrcpt('<%s>'%rcpt)
if rc != Milter.CONTINUE: return rc
line = None
for h in msg.headers:
if h[:1].isspace():
line = line + h
continue
if not line:
line = h
continue
s = line.split(': ',1)
if len(s) > 1: val = s[1].strip()
else: val = ''
rc = self.header(s[0],val)
if rc != Milter.CONTINUE: return rc
line = h
if line:
s = line.split(': ',1)
rc = self.header(s[0],s[1])
if rc != Milter.CONTINUE: return rc
rc = self.eoh()
if rc != Milter.CONTINUE: return rc
while 1:
buf = fp.read(8192)
if len(buf) == 0: break
rc = self.body(buf)
if rc != Milter.CONTINUE: return rc
self._msg = msg
self._body = StringIO.StringIO()
rc = self.eom()
if self.bodyreplaced:
body = self._body.getvalue()
else:
msg.rewindbody()
body = msg.fp.read()
self._body = StringIO.StringIO()
self._body.writelines(msg.headers)
self._body.write('\n')
self._body.write(body)
return rc
def feedMsg(self,fname,sender="spam@adv.com",rcpt="victim@lamb.com"):
fp = open('test/'+fname,'r')
rc = self.feedFile(fp,sender,rcpt)
fp.close()
return rc
def connect(self,host='localhost'):
self._body = None
self.bodyreplaced = False
rc = bms.bmsMilter.connect(self,host,1,('1.2.3.4',1234))
if rc != Milter.CONTINUE and rc != Milter.ACCEPT:
self.close()
return rc
rc = self.hello('spamrelay')
if rc != Milter.CONTINUE:
self.close()
return rc
class BMSMilterTestCase(unittest.TestCase):
def testDefang(self,fname='virus1'):
milter = TestMilter()
rc = milter.connect('testDefang')
self.assertEqual(rc,Milter.CONTINUE)
rc = milter.feedMsg(fname)
self.assertEqual(rc,Milter.ACCEPT)
self.failUnless(milter.bodyreplaced,"Message body not replaced")
fp = milter._body
open('test/'+fname+".tstout","w").write(fp.getvalue())
#self.failUnless(fp.getvalue() == open("test/virus1.out","r").read())
fp.seek(0)
msg = mime.message_from_file(fp)
str = msg.get_payload(1).get_payload()
milter.log(str)
milter.close()
# test some spams that crashed our parser
def testParse(self,fname='spam7'):
milter = TestMilter()
milter.connect('testParse')
rc = milter.feedMsg(fname)
self.assertEqual(rc,Milter.ACCEPT)
self.failIf(milter.bodyreplaced,"Milter needlessly replaced body.")
fp = milter._body
open('test/'+fname+".tstout","w").write(fp.getvalue())
milter.connect('pro-send.com')
rc = milter.feedMsg('spam8')
self.assertEqual(rc,Milter.ACCEPT)
self.failIf(milter.bodyreplaced,"Milter needlessly replaced body.")
rc = milter.feedMsg('bounce')
self.assertEqual(rc,Milter.ACCEPT)
self.failIf(milter.bodyreplaced,"Milter needlessly replaced body.")
rc = milter.feedMsg('bounce1')
self.assertEqual(rc,Milter.ACCEPT)
self.failIf(milter.bodyreplaced,"Milter needlessly replaced body.")
milter.close()
def testDefang2(self):
milter = TestMilter()
milter.connect('testDefang2')
rc = milter.feedMsg('samp1')
self.assertEqual(rc,Milter.ACCEPT)
self.failIf(milter.bodyreplaced,"Milter needlessly replaced body.")
rc = milter.feedMsg("virus3")
self.assertEqual(rc,Milter.ACCEPT)
self.failUnless(milter.bodyreplaced,"Message body not replaced")
fp = milter._body
open("test/virus3.tstout","w").write(fp.getvalue())
#self.failUnless(fp.getvalue() == open("test/virus3.out","r").read())
rc = milter.feedMsg("virus6")
self.assertEqual(rc,Milter.ACCEPT)
self.failUnless(milter.bodyreplaced,"Message body not replaced")
self.failUnless(milter.headerschanged,"Message headers not adjusted")
fp = milter._body
open("test/virus6.tstout","w").write(fp.getvalue())
milter.close()
def testDefang3(self):
milter = TestMilter()
milter.connect('testDefang3')
# test script removal on complex HTML attachment
rc = milter.feedMsg('amazon')
self.assertEqual(rc,Milter.ACCEPT)
self.failUnless(milter.bodyreplaced,"Message body not replaced")
fp = milter._body
open("test/amazon.tstout","w").write(fp.getvalue())
# test defanging Klez virus
rc = milter.feedMsg("virus13")
self.assertEqual(rc,Milter.ACCEPT)
self.failUnless(milter.bodyreplaced,"Message body not replaced")
fp = milter._body
open("test/virus13.tstout","w").write(fp.getvalue())
# test script removal on quoted-printable HTML attachment
# sgmllib can't handle the <![if cond]> syntax
rc = milter.feedMsg('spam44')
self.assertEqual(rc,Milter.ACCEPT)
self.failIf(milter.bodyreplaced,"Message body replaced")
fp = milter._body
open("test/spam44.tstout","w").write(fp.getvalue())
milter.close()
def testRFC822(self):
milter = TestMilter()
milter.connect('testRFC822')
# test encoded rfc822 attachment
#pdb.set_trace()
rc = milter.feedMsg('test8')
self.assertEqual(rc,Milter.ACCEPT)
# python2.4 doesn't scan encoded message attachments
if sys.hexversion < 0x02040000:
self.failUnless(milter.bodyreplaced,"Message body not replaced")
#self.failIf(milter.bodyreplaced,"Message body replaced")
fp = milter._body
open("test/test8.tstout","w").write(fp.getvalue())
rc = milter.feedMsg('virus7')
self.assertEqual(rc,Milter.ACCEPT)
self.failUnless(milter.bodyreplaced,"Message body not replaced")
#self.failIf(milter.bodyreplaced,"Message body replaced")
fp = milter._body
open("test/virus7.tstout","w").write(fp.getvalue())
def testSmartAlias(self):
milter = TestMilter()
milter.connect('testSmartAlias')
# test smart alias feature
key = ('foo@example.com','baz@bat.com')
bms.smart_alias[key] = ['ham@eggs.com']
rc = milter.feedMsg('test8',key[0],key[1])
self.assertEqual(rc,Milter.ACCEPT)
self.failUnless(milter._delrcpt == ['<baz@bat.com>'])
self.failUnless(milter._addrcpt == ['<ham@eggs.com>'])
# python2.4 email does not decode message attachments, so script
# is not replaced
if sys.hexversion < 0x02040000:
self.failUnless(milter.bodyreplaced,"Message body not replaced")
def testBadBoundary(self):
milter = TestMilter()
milter.connect('testBadBoundary')
# test rfc822 attachment with invalid boundaries
#pdb.set_trace()
rc = milter.feedMsg('bound')
if sys.hexversion < 0x02040000:
# python2.4 adds invalid boundaries to decects list and makes
# payload a str
self.assertEqual(rc,Milter.REJECT)
self.assertEqual(milter.reply[0],'554')
#self.failUnless(milter.bodyreplaced,"Message body not replaced")
self.failIf(milter.bodyreplaced,"Message body replaced")
fp = milter._body
open("test/bound.tstout","w").write(fp.getvalue())
def testCompoundFilename(self):
milter = TestMilter()
milter.connect('testCompoundFilename')
# test rfc822 attachment with invalid boundaries
#pdb.set_trace()
rc = milter.feedMsg('test1')
self.assertEqual(rc,Milter.ACCEPT)
#self.failUnless(milter.bodyreplaced,"Message body not replaced")
self.failIf(milter.bodyreplaced,"Message body replaced")
fp = milter._body
open("test/test1.tstout","w").write(fp.getvalue())
def testFindsrs(self):
if not bms.srs:
import SRS
bms.srs = SRS.new(secret='test')
sender = bms.srs.forward('foo@bar.com','mail.example.com')
sndr = bms.findsrs(StringIO.StringIO(
"""Received: from [1.16.33.86] (helo=mail.example.com)
by bastion4.mail.zen.co.uk with smtp (Exim 4.50) id 1H3IBC-00013b-O9
for foo@bar.com; Sat, 06 Jan 2007 20:30:17 +0000
X-Mailer: "PyMilter-0.8.5"
<%s> foo
MIME-Version: 1.0
Content-Type: text/plain
To: foo@bar.com
From: postmaster@mail.example.com
""" % sender
))
self.assertEqual(sndr,'foo@bar.com')
# def testReject(self):
# "Test content based spam rejection."
# milter = TestMilter()
# milter.connect('gogo-china.com')
# rc = milter.feedMsg('big5');
# self.failUnless(rc == Milter.REJECT)
# milter.close();
def suite():
s = unittest.makeSuite(BMSMilterTestCase,'test')
s.addTest(doctest.DocTestSuite(bms))
return s
if __name__ == '__main__':
if len(sys.argv) > 1:
for fname in sys.argv[1:]:
milter = TestMilter()
milter.connect('main')
fp = open(fname,'r')
rc = milter.feedFile(fp)
fp = milter._body
sys.stdout.write(fp.getvalue())
else:
#unittest.main()
unittest.TextTestRunner().run(suite())