Use CIDR notation for trusted_forwarder iplist

2006-02-09 20:39:43 +00:00
parent 285d4663c9
commit ce51034f69
1 changed files with 27 additions and 183 deletions
@@ -1,6 +1,9 @@
 #!/usr/bin/env python
 # A simple milter that has grown quite a bit.
 # $Log$
 # Revision 1.49  2006/01/30 23:14:48  customdesigned
 # put back eom condition
 #
 # Revision 1.48  2006/01/12 20:31:24  customdesigned
 # Accelerate training via whitelist and blacklist.
 #
@@ -149,184 +152,6 @@
 # Revision 1.2  2005/06/02 01:00:36  customdesigned
 # Support configurable templates for DSNs.
 #
 #
 # Revision 1.134  2005/05/25 15:36:43  stuart
 # Use dynip module.
 # Support smart aliasing of wiretap destination.
 # Always send DSN for SOFTFAIL.
 # Close forged bounce loophole when there are no headers.
 #
 # Revision 1.133  2005/03/16 21:58:04  stuart
 # Auto DSN feature.
 #
 # Revision 1.132  2005/02/12 02:11:10  stuart
 # Pass unit tests with python2.4.
 #
 # Revision 1.131  2005/02/11 18:34:13  stuart
 # Handle garbage after quote in boundary.
 #
 # Revision 1.130  2005/02/10 01:10:58  stuart
 # Fixed MimeMessage.ismodified()
 #
 # Revision 1.129  2005/02/10 00:56:48  stuart
 # Runs with python2.4.  Defang not working correctly - more work needed.
 #
 # Revision 1.128  2005/02/09 17:53:34  stuart
 # Optionally run dspam on internal mail.
 #
 # Revision 1.127  2004/12/03 14:26:21  stuart
 # Mark DYN PTR, REJECT softfail, log Received-SPF from trusted MTA.
 #
 # Revision 1.126  2004/11/24 14:39:38  stuart
 # Also accept softfail if valid PTR or HELO.
 #
 # Revision 1.125  2004/11/19 16:40:14  stuart
 # Block softfail except for listed domains.
 #
 # Revision 1.124  2004/11/19 06:18:04  stuart
 # block softfail for configured domains only
 #
 # Revision 1.123  2004/11/18 20:36:49  stuart
 # Recognize more dynamic hosts.  Ignore dynamic PTR for best_guess.
 #
 # Revision 1.122  2004/11/18 17:16:10  stuart
 # Recognize more dynamic ips.
 #
 # Revision 1.121  2004/11/09 22:37:48  stuart
 # Don't accept helo names which are dynamic IP addresses.
 #
 # Revision 1.120  2004/11/09 20:33:50  stuart
 # Recognize more dynamic PTR variations.
 #
 # Revision 1.118  2004/08/30 21:19:50  stuart
 # Try best guess for HELO, expand setreply for common errors
 #
 # Revision 1.117  2004/08/23 02:27:53  stuart
 # Allow multi rcpt CBV.  Add some multiline replies.
 #
 # Revision 1.116  2004/08/20 22:27:52  stuart
 # Generate TEMPFAIL for SPF softfail.
 #
 # Revision 1.115  2004/08/19 20:55:49  stuart
 # Always show reversed SRS path.
 # Check if encodings are an ASCII superset.  Some messages were encoded as
 # BIG5 and getting rejected even though chars were all in ascii subset.
 #
 # Revision 1.114  2004/07/27 00:40:12  stuart
 # Make reject on no PTR optional.
 #
 # Revision 1.113  2004/07/23 23:11:14  stuart
 # Log known malformed messages differently than general processing exceptions.
 #
 # Revision 1.112  2004/07/21 19:18:33  stuart
 # Punt on UnicodeDecodeError when decoding headers.
 # Accept a pass with default SPF for missing reverse IP.
 #
 # Revision 1.111  2004/07/18 13:13:31  stuart
 # Reject invalid SRS only for SRS domain (which is the only one we
 # know the key for).
 # Reject senders that have neither reverse IP nor SPF.
 #
 # Revision 1.110  2004/06/12 03:13:18  stuart
 # Block bounces only for SRS domain.  Also treat mail from
 # postmaster or mailer-daemon as DSN for SRS/SES checking purposes.
 #
 # Revision 1.109  2004/05/01 02:56:55  stuart
 # Let multiple screeners share work.
 #
 # Revision 1.108  2004/04/29 20:36:23  stuart
 # Require HELO name
 #
 # Revision 1.107  2004/04/24 22:55:29  stuart
 # Move some files to make the RPM more standard.
 #
 # Revision 1.106  2004/04/21 18:29:08  stuart
 # Validate hello name with SPF.
 #
 # Revision 1.105  2004/04/20 15:16:00  stuart
 # Release 0.6.9
 #
 # Revision 1.104  2004/04/19 21:56:26  stuart
 # Support SPF best_guess and get_header
 #
 # Revision 1.103  2004/04/10 02:31:01  stuart
 # Fix timeout config
 #
 # Revision 1.102  2004/04/08 20:25:11  stuart
 # Make libmilter timeout a config option
 #
 # Revision 1.101  2004/04/08 19:18:16  stuart
 # Preserve case of local part in sender
 #
 # Revision 1.100  2004/04/08 18:41:15  stuart
 # Reject numeric hello names
 #
 # Revision 1.99  2004/04/06 19:46:39  stuart
 # Reject invalid SRS immediately for benefit of CallBack Verifiers.
 #
 # Revision 1.98  2004/04/06 15:28:20  stuart
 # Release 0.6.8-2
 #
 # Revision 1.97  2004/04/06 13:07:43  stuart
 # Pass original header name to check_header
 #
 # Revision 1.96  2004/04/06 03:27:03  stuart
 # bugs from Redhat 9 testing
 #
 # Revision 1.95  2004/04/05 22:37:08  stuart
 # Include Received-SPF headers in dspam.
 #
 # Revision 1.94  2004/04/05 22:16:50  stuart
 # Separate check_header method taking decoded header.
 # Reject multiple recipients for a bounce.
 #
 # Revision 1.93  2004/04/01 20:57:45  stuart
 # Report only SRS like addresses as spoofed.
 # Return TEMPFAIL on SPF error.
 #
 # Revision 1.92  2004/03/25 17:45:53  stuart
 # Make spf_reject_neutral global in bms.py
 #
 # Revision 1.91  2004/03/25 03:38:02  stuart
 # Reject neutral SPF result for selected domains.
 #
 # Revision 1.90  2004/03/25 03:27:33  stuart
 # Support delegation of SPF records.
 #
 # Revision 1.89  2004/03/23 22:02:49  stuart
 # Header decoding bug.
 #
 # Revision 1.88  2004/03/23 05:08:45  stuart
 # Decode headers, indirect srs config.
 #
 # Revision 1.87  2004/03/18 02:21:16  stuart
 # SRS checking
 #
 # Revision 1.86  2004/03/11 05:00:37  stuart
 # Don't wipe out fail messages from SPF records.
 # Hello blacklist
 #
 # Revision 1.85  2004/03/10 01:49:22  stuart
 # Enhanced SPF support.
 #
 # Revision 1.84  2004/03/09 17:04:49  stuart
 # Received-SPF header.
 #
 # Revision 1.83  2004/03/08 20:23:26  stuart
 # SPF support
 #
 # Revision 1.82  2004/03/01 18:56:50  stuart
 # Support progress reporting.
 #
 # Revision 1.81  2004/03/01 18:36:09  stuart
 # Trusted relay.
 #
 # Revision 1.80  2004/01/12 21:10:58  stuart
 # Support wildcard user for smart_alias
 #
 # Revision 1.79  2003/12/04 23:46:06  stuart
 # Release 0.6.4
 #
 # Author: Stuart D. Gathman <stuart@bmsi.com>
 # Copyright 2001,2002,2003,2004,2005 Business Management Systems, Inc.
 # This code is under the GNU General Public License.  See COPYING for details.
@@ -343,6 +168,7 @@ import traceback
 import ConfigParser
 import time
 import re
 import gc
 import anydbm
 import Milter.dsn as dsn
 from Milter.dynip import is_dynip as dynip
@@ -723,6 +549,21 @@ class SPFPolicy(object):
      policy = 'OK'
    return policy
 def iniplist(ipaddr,iplist):
  """Return whether ip is in cidr list
  >>> iniplist('66.179.26.146',['66.179.26.128/26'])
  True
  """
  for pat in iplist:
    p = pat.split('/',1)
    if ip4re.match(p[0]):
      n = int(p[1])
      if spf.cidr(p[0],n) == spf.cidr(ipaddr,n):
        return True
    elif fnmatchcase(ipaddr,pat):
      return True
  return False
 class AddrCache(object):
  time_format = '%Y%b%d %H:%M:%S %Z'
@@ -837,10 +678,8 @@ class bmsMilter(Milter.Milter):
 	if fnmatchcase(ipaddr,pat):
 	  self.internal_connection = True
 	  break
-      for pat in trusted_relay:
+      if iniplist(ipaddr,trusted_relay):
 	if fnmatchcase(ipaddr,pat):
        self.trusted_relay = True
 	  break
    else: ipaddr = ''
    self.connectip = ipaddr
    self.missing_ptr = dynip(hostname,self.connectip)
@@ -873,6 +712,11 @@ class bmsMilter(Milter.Milter):
      self.log("REJECT: spam from self:",hostname)
      self.setreply('550','5.7.1','I hate talking to myself.')
      return Milter.REJECT
    if hostname == 'GC':
      n = gc.collect()
      self.log("gc:",n,' unreachable objects')
      self.setreply('550','5.7.1','%d unreachable objects'%n)
      return Milter.REJECT
    return Milter.CONTINUE
  def smart_alias(self,to):
@@ -1198,7 +1042,7 @@ class bmsMilter(Milter.Milter):
      users = check_user.get(domain)
      if self.discard:
        self.del_recipient(to)
-      if users and not user in users:
+      if users and not user.lower() in users:
        self.log('REJECT: RCPT TO:',to)
 	return Milter.REJECT
      if user in block_forward.get(domain,()):