DandelionNStuff/pymilter
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Don't count DSN and unqualified MAIL FROM as internal_domain.

Browse Source
This commit is contained in:
Stuart Gathman
2007-03-29 03:06:10 +00:00
parent dbba488d58
commit bac593f05d
2 changed files with 44 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
TODO
+32
View File
@@ -1,3 +1,35 @@
Configuration is problematic when handling incoming, but not outgoing mail.
The problem comes when alice@example.com sends mail to bill@example.com,
and we are the MX for example.com, but alice is sending from some other
MTA. The mail is flagged external, so we don't list example.com in
internal_domains (or we would get "spam from self"). But, if we try to do a
CBV, we get "fraudulent MX", because the MX is ourself! So we need to
avoid doing CBV on such domains. Currently, we try to make sure the SPF
policies don't do CBV.
On the other hand, if alice is sending internally, or with SMTP AUTH, she
*does* need the domain to be in internal_domains. The solution to that
is to use the new SMTP AUTH access configuration to specify which domains
can be used by smtp AUTH (by user if desired).
It would be cleaner if CBV would know which domains we have agreed to
be MX for. Some ideas for external connections:
a) check access file for To:example.com RELAY
b) check mailertable
c) check mx_domains config list
d) if there is an SPF record, don't check internal_domains
(let SPF block unauthorized machines)
But that still doesn't handle the roaming user, who won't use SMTP
AUTH, but sends through some hotel MTA. Maybe we don't want to support
him?
When setting up pydspam, both sender and rcpt must resolve to dspam users
for falsepositive recognition. Usually, this means adding
honeypot@mail.example.com to alias list for honeypot in pymilter.cfg.
This needs to be documented. I was caught by it setting up a new site.
Add signature (x-sig=AB7485f=TS) to Received-SPF, so it can be used Add signature (x-sig=AB7485f=TS) to Received-SPF, so it can be used
to blacklist sources of delayed DSNs. to blacklist sources of delayed DSNs.
bms.py
+12 -4
View File
@@ -1,6 +1,9 @@
#!/usr/bin/env python #!/usr/bin/env python
# A simple milter that has grown quite a bit. # A simple milter that has grown quite a bit.
# $Log$ # $Log$
# Revision 1.100 2007/03/24 00:30:24 customdesigned
# Do not CBV for internal domains.
#
# Revision 1.99 2007/03/23 22:39:10 customdesigned # Revision 1.99 2007/03/23 22:39:10 customdesigned
# Get SMTP-Auth policy from access_file. # Get SMTP-Auth policy from access_file.
# #
@@ -678,13 +681,13 @@ class bmsMilter(Milter.Milter):
) )
self.fp.write('From %s %s\n' % (self.canon_from,time.ctime())) self.fp.write('From %s %s\n' % (self.canon_from,time.ctime()))
self.internal_domain = True self.internal_domain = False
if len(t) == 2: if len(t) == 2:
user,domain = t user,domain = t
for pat in internal_domains: for pat in internal_domains:
if fnmatchcase(domain,pat): break if fnmatchcase(domain,pat):
else: self.internal_domain = True
self.internal_domain = False break
if self.internal_connection: if self.internal_connection:
if self.user: if self.user:
p = SPFPolicy('%s@%s'%(self.user,domain)) p = SPFPolicy('%s@%s'%(self.user,domain))
@@ -820,6 +823,11 @@ class bmsMilter(Milter.Milter):
else: else:
hres,hcode,htxt = res,code,txt hres,hcode,htxt = res,code,txt
ores = res ores = res
if self.internal_domain and res == 'none':
# we don't accept our own domains externally without an SPF record
self.log('REJECT: spam from self',q.o)
self.setreply('550','5.7.1',"I hate talking to myself!")
return Milter.REJECT
if spf_best_guess and res == 'none': if spf_best_guess and res == 'none':
#self.log('SPF: no record published, guessing') #self.log('SPF: no record published, guessing')
q.set_default_explanation( q.set_default_explanation(