From 3a1c964f0d69096e080958e1eb7297fddfac18e8 Mon Sep 17 00:00:00 2001
From: Stuart Gathman <stuart@gathman.org>
Date: Thu, 20 Oct 2005 18:47:27 +0000
Subject: [PATCH] Configure auto_whitelist senders.

---
 bms.py      | 36 ++++++++++++++++++++++++------------
 milter.cfg  | 12 +++++++++---
 milter.spec |  5 ++++-
 3 files changed, 37 insertions(+), 16 deletions(-)

diff --git a/bms.py b/bms.py
index c645299..4bcb6a3 100644
--- a/bms.py
+++ b/bms.py
@@ -1,6 +1,9 @@
 #!/usr/bin/env python
 # A simple milter that has grown quite a bit.
 # $Log$
+# Revision 1.34  2005/10/19 21:07:49  customdesigned
+# access.db stores keys in lower case
+#
 # Revision 1.33  2005/10/19 19:37:50  customdesigned
 # Train screener on whitelisted messages.
 #
@@ -349,6 +352,7 @@ dspam_users = {}
 dspam_userdir = None
 dspam_exempt = {}
 dspam_whitelist = {}
+whitelist_senders = {}
 dspam_screener = ()
 dspam_internal = True	# True if internal mail should be dspammed
 dspam_reject = ()
@@ -497,6 +501,8 @@ def read_config(list):
   # dspam section
   global dspam_dict, dspam_users, dspam_userdir, dspam_exempt, dspam_internal
   global dspam_screener,dspam_whitelist,dspam_reject,dspam_sizelimit
+  global whitelist_senders
+  whitelist_senders = cp.getaddrset('dspam','whitelist_senders')
   dspam_dict = cp.getdefault('dspam','dspam_dict')
   dspam_exempt = cp.getaddrset('dspam','dspam_exempt')
   dspam_whitelist = cp.getaddrset('dspam','dspam_whitelist')
@@ -828,6 +834,7 @@ class bmsMilter(Milter.Milter):
     self.new_headers = []
     self.recipients = []
     self.cbv_needed = None
+    self.whitelist_sender = False
     t = parse_addr(f)
     if len(t) == 2: t[1] = t[1].lower()
     self.canon_from = '@'.join(t)
@@ -872,17 +879,22 @@ class bmsMilter(Milter.Milter):
 	    self.log("REJECT: spam from self",pat)
 	    self.setreply('550','5.7.1','I hate talking to myself.')
 	    return Milter.REJECT
-      elif internal_domains:
-	for pat in internal_domains:
-	  if fnmatchcase(domain,pat): break
-	else:
-	  self.log("REJECT: zombie PC at ",self.connectip," sending MAIL FROM ",
-	  	self.canon_from)
-	  self.setreply('550','5.7.1',
-	  'Your PC is using an unauthorized MAIL FROM.',
-	  'It is either badly misconfigured or controlled by organized crime.'
-	  )
-	  return Milter.REJECT
+      else:
+        if internal_domains:
+	  for pat in internal_domains:
+	    if fnmatchcase(domain,pat): break
+	  else:
+	    self.log("REJECT: zombie PC at ",self.connectip,
+	    	" sending MAIL FROM ",self.canon_from)
+	    self.setreply('550','5.7.1',
+	    'Your PC is using an unauthorized MAIL FROM.',
+	    'It is either badly misconfigured or controlled by organized crime.'
+	    )
+	    return Milter.REJECT
+	wl_users = whitelist_senders.get(domain,())
+	if user in wl_users or '' in wl_users:
+	  self.whitelist_sender = True
+	  
       self.rejectvirus = domain in reject_virus_from
       if user in wiretap_users.get(domain,()):
         self.add_recipient(wiretap_dest)
@@ -1089,7 +1101,7 @@ class bmsMilter(Milter.Milter):
         self.hidepath = True
       if not domain in dspam_reject:
         self.reject_spam = False
-      if self.internal_connection:
+      if self.internal_connection and self.whitelist_sender:
 	if internal_domains:
 	  for pat in internal_domains:
 	    if fnmatchcase(domain,pat): break
diff --git a/milter.cfg b/milter.cfg
index 51299c6..f49258d 100644
--- a/milter.cfg
+++ b/milter.cfg
@@ -8,7 +8,7 @@ tempdir = /var/log/milter/save
 log_headers = 0
 # connection ips and hostnames are matched against this glob style list
 # to recognize internal senders.
-;internal_connect = 192.168.*.*
+;internal_connect = 192.168.*.*,127.*
 
 # mail that is not an internal_connect and claims to be from an
 # internal domain is rejected.  Furthermore, internal mail that
@@ -17,7 +17,7 @@ log_headers = 0
 # flexible.  However, SPF is not currently checked for outgoing
 # (internal_connect) mail because it doesn't yet handle authorizing 
 # internal IPs locally.
-;internal_domains = mycorp.com
+;internal_domains = mycorp.com,localhost.localdomain
 
 # connections from a trusted relay can trust the first Received header
 # SPF checks are bypassed for internal connections and trusted relays.
@@ -146,7 +146,13 @@ blind = 1
 # only EXTERNAL messages are dspam filtered
 ;dspam_dict=/var/lib/dspam/moderator.dict
 
-# Opt-opt recipients from dspam screening and header triage
+# Recipients of mail sent from these senders are added to the auto_whitelist.
+# Auto_whitelisted senders with an SPF PASS are never rejected by dspam, and
+# messages from auto_whitelisted senders will be used to train screener
+# dictionaries as innocent mail.
+;whitelist_senders = @mycorp.com
+
+# Opt-out recipients entirely from dspam screening and header triage
 ;dspam_exempt=getitall@mycorp.com
 # Do not scan mail (ostensibly) from these senders
 ;dspam_whitelist=getitall@sender.com
diff --git a/milter.spec b/milter.spec
index 04ab98d..8ce6141 100644
--- a/milter.spec
+++ b/milter.spec
@@ -169,7 +169,10 @@ rm -rf $RPM_BUILD_ROOT
 /usr/share/sendmail-cf/hack/rhsbl.m4
 
 %changelog
-* Fri Jul 15 2005 Stuart Gathman <stuart@bmsi.com> 0.8.3-1
+* Fri Oct 20 2005 Stuart Gathman <stuart@bmsi.com> 0.8.4-1
+- Fix SPF policy via sendmail access map (case insensitive keys).
+- Auto whitelist senders
+* Thu Oct 12 2005 Stuart Gathman <stuart@bmsi.com> 0.8.3-1
 - Keep screened honeypot mail, but optionally discard honeypot only mail.
 - spf_accept_fail option for braindead SPF senders (treats fail like softfail)
 - Consider SMTP AUTH connections internal.