Development changes since 0.7.2

Milter/__init__.py

@@ -0,0 +1,208 @@
+
+# Author: Stuart D. Gathman <stuart@bmsi.com>
+# Copyright 2001 Business Management Systems, Inc.
+# This code is under GPL.  See COPYING for details.
+
+import os
+import milter
+import thread
+
+from milter import ACCEPT,CONTINUE,REJECT,DISCARD,TEMPFAIL,	\
+  set_flags, setdbg, setbacklog, settimeout, \
+  ADDHDRS, CHGBODY, ADDRCPT, DELRCPT, CHGHDRS,	\
+  V1_ACTS, V2_ACTS, CURR_ACTS
+
+try: from milter import QUARANTINE
+except: pass
+
+_seq_lock = thread.allocate_lock()
+_seq = 0
+
+def uniqueID():
+  """Return a sequence number unique to this process.
+  """
+  global _seq
+  _seq_lock.acquire()
+  seqno = _seq = _seq + 1
+  _seq_lock.release()
+  return seqno
+  
+class Milter:
+  """A simple class interface to the milter module.
+  """
+  def _setctx(self,ctx):
+    self.__ctx = ctx
+    if ctx:
+      ctx.setpriv(self)
+
+  # user replaceable callbacks
+  def log(self,*msg):
+    print 'Milter:',
+    for i in msg: print i,
+    print
+
+  def connect(self,hostname,unused,hostaddr):
+    "Called for each connection to sendmail."
+    self.log("connect from %s at %s" % (hostname,hostaddr))
+    return CONTINUE
+
+  def hello(self,hostname):
+    "Called after the HELO command."
+    self.log("hello from %s" % hostname)
+    return CONTINUE
+
+  def envfrom(self,f,*str):
+    """Called to begin each message.
+    f -> string		message sender
+    str -> tuple	additional ESMTP parameters
+    """
+    self.log("mail from",f,str)
+    return CONTINUE
+
+  def envrcpt(self,to,*str):
+    "Called for each message recipient."
+    self.log("rcpt to",to,str)
+    return CONTINUE
+
+  def header(self,field,value):
+    "Called for each message header."
+    self.log("%s: %s" % (field,value))
+    return CONTINUE
+
+  def eoh(self):
+    "Called after all headers are processed."
+    self.log("eoh")
+    return CONTINUE
+
+  def body(self,unused):
+    "Called to transfer the message body."
+    return CONTINUE
+
+  def eom(self):
+    "Called at the end of message."
+    self.log("eom")
+    return CONTINUE
+
+  def abort(self):
+    "Called if the connection is terminated abnormally."
+    self.log("abort")
+    return CONTINUE
+
+  def close(self):
+    "Called at the end of connection, even if aborted."
+    self.log("close")
+    return CONTINUE
+
+  # Milter methods which can be invoked from callbacks
+  def getsymval(self,sym):
+    return self.__ctx.getsymval(sym)
+
+  # If sendmail does not support setmlreply, then only the
+  # first msg line is used.
+  def setreply(self,rcode,xcode=None,msg=None,*ml):
+    return self.__ctx.setreply(rcode,xcode,msg,*ml)
+
+  # Milter methods which can only be called from eom callback.
+  def addheader(self,field,value):
+    return self.__ctx.addheader(field,value)
+
+  def chgheader(self,field,idx,value):
+    return self.__ctx.chgheader(field,idx,value)
+
+  def addrcpt(self,rcpt):
+    return self.__ctx.addrcpt(rcpt)
+
+  def delrcpt(self,rcpt):
+    return self.__ctx.delrcpt(rcpt)
+
+  def replacebody(self,body):
+    return self.__ctx.replacebody(body)
+
+  # When quarantined, a message goes into the mailq as if to be delivered,
+  # but delivery is deferred until the message is unquarantined.
+  def quarantine(self,reason):
+    return self.__ctx.quarantine(reason)
+
+  def progress(self):
+    return self.__ctx.progress()
+
+factory = Milter
+
+def connectcallback(ctx,hostname,family,hostaddr):
+  m = factory()
+  m._setctx(ctx)
+  return m.connect(hostname,family,hostaddr)
+
+def closecallback(ctx):
+  m = ctx.getpriv()
+  if not m: return CONTINUE
+  rc = m.close()
+  m._setctx(None)	# release milterContext
+  return rc
+
+def envcallback(c,args):
+  """Convert ESMTP parms to keyword parameters.
+  Can be used in the envfrom and/or envrcpt callbacks to process
+  ESMTP parameters as python keyword parameters."""
+  kw = {}
+  for s in args[1:]:
+    pos = s.find('=')
+    if pos > 0:
+      kw[s[:pos]] = s[pos+1:]
+  return apply(c,args,kw)
+
+def runmilter(name,socketname,timeout = 0):
+  # This bit is here on the assumption that you will be starting this filter
+  # before sendmail.  If sendmail is not running and the socket already exists,
+  # libmilter will throw a warning.  If sendmail is running, this is still
+  # safe if there are no messages currently being processed.  It's safer to
+  # shutdown sendmail, kill the filter process, restart the filter, and then
+  # restart sendmail.
+  pos = socketname.find(':')
+  if pos > 1:
+    s = socketname[:pos]
+    fname = socketname[pos+1:]
+  else:
+    s = "unix"
+    fname = socketname
+  if s == "unix" or s == "local":
+    print "Removing %s" % fname
+    try:
+      os.unlink(fname)
+    except:
+      pass
+
+  # The default flags set include everything
+  # milter.set_flags(milter.ADDHDRS)
+  milter.set_connect_callback(connectcallback)
+  milter.set_helo_callback(lambda ctx, host: ctx.getpriv().hello(host))
+  milter.set_envfrom_callback(lambda ctx,*str:
+  	ctx.getpriv().envfrom(*str))
+#  	envcallback(ctx.getpriv().envfrom,str))
+  milter.set_envrcpt_callback(lambda ctx,*str:
+  	ctx.getpriv().envrcpt(*str))
+#  	envcallback(ctx.getpriv().envrcpt,str))
+  milter.set_header_callback(lambda ctx,fld,val:
+  	ctx.getpriv().header(fld,val))
+  milter.set_eoh_callback(lambda ctx: ctx.getpriv().eoh())
+  milter.set_body_callback(lambda ctx,chunk: ctx.getpriv().body(chunk))
+  milter.set_eom_callback(lambda ctx: ctx.getpriv().eom())
+  milter.set_abort_callback(lambda ctx: ctx.getpriv().abort())
+  milter.set_close_callback(closecallback)
+
+  milter.setconn(socketname)
+  if timeout > 0: milter.settimeout(timeout)
+  # The name *must* match the X line in sendmail.cf (supposedly)
+  milter.register(name)
+  start_seq = _seq
+  try:
+    milter.main()
+  except milter.error:
+    if start_seq == _seq: raise	# couldn't start
+    # milter has been running for a while, but now it can't start new threads
+    raise milter.error("out of thread resources")
+
+__all__ = globals().copy()
+for priv in ('os','milter','thread','factory','_seq','_seq_lock'):
+  del __all__[priv]
+__all__ = __all__.keys()

Milter/dsn.py

@@ -0,0 +1,168 @@
+import smtplib
+import spf
+import socket
+from email.Message import Message
+
+nospf_msg = """This is an automatically generated Delivery Status Notification.
+
+THIS IS A WARNING MESSAGE ONLY.
+
+YOU DO *NOT* NEED TO RESEND YOUR MESSAGE.
+
+Delivery to the following recipients has been delayed.
+
+	%(rcpt)s
+
+Subject: %(subject)s 
+
+Someone at IP address %(connectip)s sent an email claiming
+to be from %(sender)s.  
+
+If that wasn't you, then your domain, %(sender_domain)s,
+was forged - i.e. used without your knowlege or authorization by
+someone attempting to steal your mail identity.  This is a very
+serious problem, and you need to provide authentication for your
+SMTP (email) servers to prevent criminals from forging your
+domain.  The simplest step is usually to publish an SPF record
+with your Sender Policy.  
+
+For more information, see: http://spfhelp.net
+
+I hate to annoy you with a DSN (Delivery Status
+Notification) from a possibly forged email, but since you
+have not published a sender policy, there is no other way
+of bringing this to your attention.
+
+If it *was* you that sent the email, then your email domain
+or configuration is in error.  If you don't know anything
+about mail servers, then pass this on to your SMTP (mail)
+server administrator.  We have accepted the email anyway, in
+case it is important, but we couldn't find anything about
+the mail submitter at %(connectip)s to distinguish it from a
+zombie (compromised/infected computer - usually a Windows
+PC).  There was no PTR record for its IP address (PTR names
+that contain the IP address don't count).  RFC2821 requires
+that your hello name be a FQN (Fully Qualified domain Name,
+i.e. at least one dot) that resolves to the IP address of
+the mail sender.  In addition, just like for PTR, we don't
+accept a helo name that contains the IP, since this doesn't
+help to identify you.  The hello name you used,
+%(heloname)s, was invalid.
+
+Furthermore, there was no SPF record for the sending domain
+%(sender_domain)s.  We even tried to find its IP in any A or
+MX records for your domain, but that failed also.  We really
+should reject mail from anonymous mail clients, but in case
+it is important, we are accepting it anyway.
+
+We are sending you this message to alert you to the fact that
+
+Either - Someone is forging your domain.
+Or - You have problems with your email configuration.
+Or - Possibly both.
+
+If you need further assistance, please do not hesitate to
+contact me again.
+
+Kind regards,
+Stuart D. Gathman
+postmaster@%(receiver)s
+"""
+
+softfail_msg = """
+This is an automatically generated Delivery Status Notification.
+
+THIS IS A WARNING MESSAGE ONLY.
+
+YOU DO *NOT* NEED TO RESEND YOUR MESSAGE.
+
+Delivery to the following recipients has been delayed.
+
+       %(rcpt)s
+
+Subject: %(subject)s
+Received-SPF: %(spf_result)s
+"""
+
+def send_dsn(mailfrom,receiver,msg=None):
+  "Send DSN.  If msg is None, do callback verification."
+  user,domain = mailfrom.split('@')
+  q = spf.query(None,None,None)
+  mxlist = q.dns(domain,'MX')
+  if not mxlist:
+    mxlist = (0,domain),
+  else:
+    mxlist.sort()
+  smtp = smtplib.SMTP()
+  for prior,host in mxlist:
+    try:
+      smtp.connect(host)
+      code,resp = smtp.helo(receiver)
+      # some wiley spammers have MX records that resolve to 127.0.0.1
+      if resp.split()[0] == receiver:
+        return (553,'Fraudulent MX for %s' % domain)
+      if not (200 <= code <= 299):
+	raise SMTPHeloError(code, resp)
+      if msg:
+        try:
+	  smtp.sendmail('<>',mailfrom,msg)
+	except smtplib.SMTPSenderRefused:
+	  # does not accept DSN, try postmaster (at the risk of mail loops)
+	  smtp.sendmail('<postmaster@%s>'%receiver,mailfrom,msg)
+      else:	# CBV
+	code,resp = smtp.docmd('MAIL FROM: <>')
+	if code != 250:
+	  raise SMTPSenderRefused(code, resp, '<>')
+	code,resp = smtp.rcpt(mailfrom)
+	if code not in (250,251):
+	  return (code,resp)		# permanent error
+	smtp.quit()
+      return None			# success
+    except smtplib.SMTPRecipientsRefused,x:
+      return x.recipients[mailfrom]	# permanent error
+    except smtplib.SMTPSenderRefused,x:
+      return x		# does not accept DSN
+    except smtplib.SMTPDataError,x:
+      return x				# permanent error
+    except smtplib.SMTPException:
+      pass		# any other error, try next MX
+    except socket.error:
+      pass		# MX didn't accept connections, try next one
+    smtp.close()
+  return (450,'No MX servers available')	# temp error
+
+def create_msg(q,rcptlist,origmsg):
+  heloname = q.h
+  sender = q.s
+  connectip = q.i
+  receiver = q.r
+  sender_domain = q.o
+  rcpt = '\n\t'.join(rcptlist)
+  try: subject = origmsg['Subject']
+  except: subject = '(none)'
+  try:
+    spf_result = origmsg['Received-SPF']
+    if not spf_result.startswith('softfail'):
+      spf_result = None
+  except: spf_result = None
+  msg = Message()
+  msg.add_header('To',sender)
+  msg.add_header('From','postmaster@%s'%receiver)
+  msg.add_header('Auto-Submitted','auto-generated (configuration error)')
+  msg.set_type('text/plain')
+  if spf_result:
+    msg.add_header('Subject','SPF softfail (POSSIBLE FORGERY)')
+    msg.set_payload(softfail_msg % locals())
+  else:
+    msg.add_header('Subject','Critical mail server configuration error')
+    msg.set_payload(nospf_msg % locals())
+  return msg
+
+if __name__ == '__main__':
+  q = spf.query('192.168.9.50',
+  'SRS0=pmeHL=RH=bmsi.com=stuart@bmsi.com',
+  'bmsred.bmsi.com',receiver='mail.bmsi.com')
+  msg = create_msg(q,'charlie@jsconnor.com')
+  #print msg.as_string()
+  # print send_dsn(f,msg.as_string())
+  print send_dsn(q.s,'mail.bmsi.com',msg.as_string())

Milter/dynip.py

@@ -0,0 +1,87 @@
+# examples we don't yet recognize:
+#
+# wiley-268-8196.roadrunner.nf.net at ('205.251.174.46', 4810)
+# cbl-sd-02-79.aster.com.do at ('200.88.62.79', 4153)
+
+import re
+
+ip3 = re.compile('[0-9]{1,3}')
+hpats = (
+ 'h[0-9a-f]{12}[.]',
+ 'h\d*n\d*c\d*o\d*\.',
+ 'pcp\d{6,10}pcs[.]',
+ 'no-reverse',
+ 'S[0-9a-f]{16}[.][a-z]{2}[.]',
+ 'user<3>\.',
+ '[Cc]ust<3>\.',
+ '^<3>\.',
+ 'ppp[^.]*<3>\.',
+ '-ppp\d*\.',
+ '\d*-<3>\.',
+ '[0-9a-f]{1,3}-<3>\.',
+ 'p<3>\.pool',
+ 'h<3>\.',
+ 'xdsl-\d*\.',
+ '-\d*-\d*\.',
+ '\.adsl\.',
+ '\.cable\.'
+)
+rehmac = re.compile('|'.join(hpats))
+
+def is_dynip(host,addr):
+  """Return True if hostname is for a dynamic ip.
+  Examples:
+
+  >>> is_dynip('post3.fabulousdealz.com','69.60.99.112')
+  False
+  >>> is_dynip('adsl-69-208-201-177.dsl.emhril.ameritech.net','69.208.201.177')
+  True
+  >>> is_dynip('[1.2.3.4]','1.2.3.4')
+  True
+  """
+  if host.startswith('[') and host.endswith(']'):
+    return True
+  if addr:
+    if host.find(addr) >= 0: return True
+    a = addr.split('.')
+    ia = map(int,a)
+    h = host
+    m = ip3.findall(host)
+    if m:
+      g = map(int,m)
+      ia3 = (ia[1:],ia[:3])
+      if g[-3:] in ia3: return True
+      if g[0] == ia[3] and g[1:3] == ia[:2]: return True
+      if g[-2:] == ia[2:]: return True
+      g.reverse()
+      if g[:3] in ia3: return True
+      if g[:2] == ia[2:]: return True
+      if ia[2:] in (g[:2],g[-2:]): return True
+      for m in ip3.finditer(host):
+        if int(m.group()) == ia[3]:
+	  h = host[:m.start()] + '<3>' + host[m.end():]
+	  break
+    if rehmac.search(h): return True
+    if host.find(''.join(a[:3])) >= 0: return True
+    if host.find(''.join(a[1:])) >= 0: return True
+    x = "%02x%02x%02x%02x" % tuple(ia)
+    if host.lower().find(x) >= 0: return True
+  return False
+
+if __name__ == '__main__':
+  import fileinput
+  import sets
+  seen = sets.Set()
+  for ln in fileinput.input():
+    a = ln.split()
+    if a[3:5] == ['connect','from']:
+      host = a[5]
+      if host.startswith('[') and host.endswith(']'):
+	continue	# no PTR
+      ip = a[7][2:-2]
+      if ip in seen: continue
+      seen.add(ip)
+      if is_dynip(host,ip):
+        print '%s\t%s DYN' % (ip,host)
+      else:
+        print '%s\t%s' % (ip,host)