This commit was manufactured by cvs2svn to create tag 'milter-0_8_3'.

Sprout from master 2005-10-12 17:21:13 UTC Stuart Gathman <stuart@gathman.org> 'Release 0.8.3'
Cherrypick from bmsi 2005-05-31 18:23:49 UTC Stuart Gathman <stuart@gathman.org> 'Development changes since 0.7.2':
    README
    cid2spf.py
    milter.rc
    milter.rc7
    rejects.py
    rhsbl.m4
    sample.py
    test.py
    test/amazon
    test/big5
    test/bounce
    test/bounce1
    test/bound
    test/honey
    test/missingboundary
    test/samp1
    test/spam44
    test/spam7
    test/spam8
    test/test1
    test/test8
    test/virus1
    test/virus13
    test/virus2
    test/virus3
    test/virus4
    test/virus5
    test/virus6
    test/virus7
    testsample.py

HOWTO

@@ -0,0 +1,136 @@
+	Step one.  Which DSPAM is right for you?
+
+The DSPAM project makes dspam part of the LDA (Local Delivery Agent).
+Pydspam puts dspam into the MTA (Mail Transfer Agent - sendmail with pymilter).
+
+The advantage of doing dspam in the LDA is that any aliasing has already been
+resolved.  You need only configure mailboxes.
+
+The advantage of doing dspam in the MTA is it can screen an entire 
+company as a gateway with multiple domains.  Unfortunately, this
+means you have to tell it about all the aliases that comprise each
+account.  (Also, pydspam is still uses dspam-2.6.5.2 - the Dspam API
+has changed for newer versions.)
+
+If the LDA is right for you, you'll want to use the official Dspam 
+package.  http://www.nuclearelephant.com/projects/dspam/
+
+If the MTA approach is what you want, then pydspam is what you want.
+
+In either case, you will still want pymilter to block forgeries, Windows 
+executables, etc.
+
+So, lets assume you want to install pymilter, and may or may not
+wish to install pydspam.
+
+	Step two.  Obtaining RPMS.
+
+For basic pymilter you'll need:
+
+python-2.4
+milter-0.8.2	(the RH9 rpm should work on Fedora Core - let me know)
+sendmail-8.13.x	(with milter support enabled)
+
+and for SPF you'll need:
+
+pydns-2.3.0-2.4
+
+and for SRS you'll need:
+
+pysrs-0.30.9-1.py24
+
+I'm pretty sure you will want to have SPF and SRS available.
+
+	Step three.  Activate basic milter.
+
+Activate the basic milter by editing /etc/mail/sendmail.mc and adding:
+
+INPUT_MAIL_FILTER(`pythonfilter', `S=local:/var/run/milter/pythonsock, F=T, T=C:5m;S:20s;R:5m;E:5m')
+
+You can then "make sendmail.cf" and restart sendmail.
+
+Tail /var/log/milter/milter.log while SMTP clients connect to your
+sendmail instance.  This should show you what the milter is doing.
+
+By default, milter-0.8.2 rejects on SPF fail, except for listed domains
+(that are known to be broken).  Some admins don't like that, and 0.8.3 will use
+the /etc/mail/access database to configure SPF responses.  For now,
+if you don't like SPF, you can disable spf by replacing "import spf"
+with "spf = None" around line 285 in /var/log/milter/bms.py.
+
+	Step four.  Tweaking the basic config.
+
+Most pymilter configuration is in /etc/mail/pymilter.cfg.
+
+By default, milter scans attachments for executable extensions.  You can
+turn this off by setting banned_exts to the empty list.  There are options
+to scan ZIP attachments and rfc822 attachments.  When it finds a banned
+file type, milter saves the original message in /var/log/milter/save,
+and replaces the attachment with a plain text warning message.
+
+Configure hello_blacklist with your own helo name and domains - which
+you know cannot legitimately be used by external MTAs.
+
+Configure trusted_relay with your secondary MX servers, if any.  These
+should also run pymilter with similar policies.  (But this isn't
+needed for initial testing.)
+
+Configure internal_connect with subnets of your internal SMTP clients.
+Internal connections skip SPF testing and other policies.
+
+Configure internal_domains with domains used by your internal SMTP clients.
+If they attempt to use any other domain, the attempt is blocked and the
+client is logged as a "zombie".  Conversely, any attempt by an external
+MTA to use one of your internal domains is treated as a forgery and
+blocked (a simplified form of local SPF).
+
+Adjust porn_words and spam_words - these block emails with a Subject
+containing the listed strings.  They can be empty to disable Subject
+string blocking.
+
+	Advanced SPF configuration.
+
+The sendmail access file, or another readonly database with that
+format, can be used for detail spf policy.  SPF access policy
+record are tagged with "SPF-{Result}:".  Results are
+Pass, Neutral, Softfail, Fail, PermError.  Currently supported
+policy keywords are OK, CBV, REJECT.  Currently, TempError always
+results in TEMPFAIL.
+
+The default policies are set in pymilter.cfg.  The defaults
+if none of the config options are set are as follows:
+
+SPF-Fail:	REJECT
+SPF-Softfail:	CBV
+SPF-Neutral:	OK
+SPF-PermError:	REJECT
+SPF-Pass:	OK
+
+The tag may be followed by a specific domain.  For instance, to
+require a Pass from aol.com:
+
+SPF-Neutral:aol.com	REJECT
+SPF-Softfail:aol.com	REJECT
+
+The CBV policy requires a valid HELO name.  If the EHLO name is 
+RFC2822 compliant, then a DSN is sent to the alleged sender.  The 
+template for the DSN is selected according to the SPF result:
+
+Fail:		softfail.txt
+SoftFail:	softfail.txt
+Neutral:	neutral.txt
+PermError:	permerror.txt
+None:		strike3.txt
+
+An SPF-Pass is always accepted by the milter.  Domains can be blacklisted 
+via sendmail in the access file or via a RHS DNS blacklist.
+
+	To be continued.
+
+Forthcoming topics:
+
+SRS config
+
+
+pydspam config
+wiretap config

MANIFEST.in

@@ -1,6 +1,7 @@
 include COPYING
 include TODO
 include NEWS
+include HOWTO
 include CREDITS
 include README
 include MANIFEST.in
@@ -23,5 +24,5 @@ include milter.rc
 include milter.rc7
 include milter.cfg
 include rhsbl.m4
-include softfail.txt
-include strike3.txt
+include *.txt
+include *.html

Milter.py

@@ -1,203 +0,0 @@
-
-# Author: Stuart D. Gathman <stuart@bmsi.com>
-# Copyright 2001 Business Management Systems, Inc.
-# This code is under GPL.  See COPYING for details.
-
-import os
-import milter
-import thread
-
-from milter import ACCEPT,CONTINUE,REJECT,DISCARD,TEMPFAIL,	\
-  set_flags, setdbg, setbacklog, settimeout, \
-  ADDHDRS, CHGBODY, ADDRCPT, DELRCPT, CHGHDRS,	\
-  V1_ACTS, V2_ACTS, CURR_ACTS
-
-try: from milter import QUARANTINE
-except: pass
-
-_seq_lock = thread.allocate_lock()
-_seq = 0
-
-def uniqueID():
-  """Return a sequence number unique to this process.
-  """
-  global _seq
-  _seq_lock.acquire()
-  seqno = _seq = _seq + 1
-  _seq_lock.release()
-  return seqno
-  
-class Milter:
-  """A simple class interface to the milter module.
-  """
-  def _setctx(self,ctx):
-    self.__ctx = ctx
-    if ctx:
-      ctx.setpriv(self)
-
-  # user replaceable callbacks
-  def log(self,*msg):
-    print 'Milter:',
-    for i in msg: print i,
-    print
-
-  def connect(self,hostname,unused,hostaddr):
-    "Called for each connection to sendmail."
-    self.log("connect from %s at %s" % (hostname,hostaddr))
-    return CONTINUE
-
-  def hello(self,hostname):
-    "Called after the HELO command."
-    self.log("hello from %s" % hostname)
-    return CONTINUE
-
-  def envfrom(self,f,*str):
-    """Called to begin each message.
-    f -> string		message sender
-    str -> tuple	additional ESMTP parameters
-    """
-    self.log("mail from",f,str)
-    return CONTINUE
-
-  def envrcpt(self,to,*str):
-    "Called for each message recipient."
-    self.log("rcpt to",to,str)
-    return CONTINUE
-
-  def header(self,field,value):
-    "Called for each message header."
-    self.log("%s: %s" % (field,value))
-    return CONTINUE
-
-  def eoh(self):
-    "Called after all headers are processed."
-    self.log("eoh")
-    return CONTINUE
-
-  def body(self,unused):
-    "Called to transfer the message body."
-    return CONTINUE
-
-  def eom(self):
-    "Called at the end of message."
-    self.log("eom")
-    return CONTINUE
-
-  def abort(self):
-    "Called if the connection is terminated abnormally."
-    self.log("abort")
-    return CONTINUE
-
-  def close(self):
-    "Called at the end of connection, even if aborted."
-    self.log("close")
-    return CONTINUE
-
-  # Milter methods which can be invoked from callbacks
-  def getsymval(self,sym):
-    return self.__ctx.getsymval(sym)
-
-  # If sendmail does not support setmlreply, then only the
-  # first msg line is used.
-  def setreply(self,rcode,xcode=None,msg=None,*ml):
-    return self.__ctx.setreply(rcode,xcode,msg,*ml)
-
-  # Milter methods which can only be called from eom callback.
-  def addheader(self,field,value):
-    return self.__ctx.addheader(field,value)
-
-  def chgheader(self,field,idx,value):
-    return self.__ctx.chgheader(field,idx,value)
-
-  def addrcpt(self,rcpt):
-    return self.__ctx.addrcpt(rcpt)
-
-  def delrcpt(self,rcpt):
-    return self.__ctx.delrcpt(rcpt)
-
-  def replacebody(self,body):
-    return self.__ctx.replacebody(body)
-
-  # When quarantined, a message goes into the mailq as if to be delivered,
-  # but delivery is deferred until the message is unquarantined.
-  def quarantine(self,reason):
-    return self.__ctx.quarantine(reason)
-
-  def progress(self):
-    return self.__ctx.progress()
-
-factory = Milter
-
-def connectcallback(ctx,hostname,family,hostaddr):
-  m = factory()
-  m._setctx(ctx)
-  return m.connect(hostname,family,hostaddr)
-
-def closecallback(ctx):
-  m = ctx.getpriv()
-  if not m: return CONTINUE
-  rc = m.close()
-  m._setctx(None)	# release milterContext
-  return rc
-
-def envcallback(c,args):
-  """Convert ESMTP parms to keyword parameters.
-  Can be used in the envfrom and/or envrcpt callbacks to process
-  ESMTP parameters as python keyword parameters."""
-  kw = {}
-  for s in args[1:]:
-    pos = s.find('=')
-    if pos > 0:
-      kw[s[:pos]] = s[pos+1:]
-  return apply(c,args,kw)
-
-def runmilter(name,socketname,timeout = 0):
-  # This bit is here on the assumption that you will be starting this filter
-  # before sendmail.  If sendmail is not running and the socket already exists,
-  # libmilter will throw a warning.  If sendmail is running, this is still
-  # safe if there are no messages currently being processed.  It's safer to
-  # shutdown sendmail, kill the filter process, restart the filter, and then
-  # restart sendmail.
-  pos = socketname.find(':')
-  if pos > 1:
-    s = socketname[:pos]
-    fname = socketname[pos+1:]
-  else:
-    s = "unix"
-    fname = socketname
-  if s == "unix" or s == "local":
-    print "Removing %s" % fname
-    try:
-      os.unlink(fname)
-    except:
-      pass
-
-  # The default flags set include everything
-  # milter.set_flags(milter.ADDHDRS)
-  milter.set_connect_callback(connectcallback)
-  milter.set_helo_callback(lambda ctx, host: ctx.getpriv().hello(host))
-  milter.set_envfrom_callback(lambda ctx,*str:
-  	ctx.getpriv().envfrom(*str))
-#  	envcallback(ctx.getpriv().envfrom,str))
-  milter.set_envrcpt_callback(lambda ctx,*str:
-  	ctx.getpriv().envrcpt(*str))
-#  	envcallback(ctx.getpriv().envrcpt,str))
-  milter.set_header_callback(lambda ctx,fld,val:
-  	ctx.getpriv().header(fld,val))
-  milter.set_eoh_callback(lambda ctx: ctx.getpriv().eoh())
-  milter.set_body_callback(lambda ctx,chunk: ctx.getpriv().body(chunk))
-  milter.set_eom_callback(lambda ctx: ctx.getpriv().eom())
-  milter.set_abort_callback(lambda ctx: ctx.getpriv().abort())
-  milter.set_close_callback(closecallback)
-
-  milter.setconn(socketname)
-  if timeout > 0: milter.settimeout(timeout)
-  # The name *must* match the X line in sendmail.cf (supposedly)
-  milter.register(name)
-  start_seq = _seq
-  try:
-    milter.main()
-  except milter.error:
-    if start_seq == _seq: raise	# couldn't start
-    # milter has been running for a while, but now it can't start new threads
-    raise milter.error("out of thread resources")

Milter/__init__.py

@@ -16,6 +16,8 @@ from milter import ACCEPT,CONTINUE,REJECT,DISCARD,TEMPFAIL,	\
 try: from milter import QUARANTINE
 except: pass
 
+__version__ = '0.8.3'
+
 _seq_lock = thread.allocate_lock()
 _seq = 0
 
@@ -215,6 +217,6 @@ def runmilter(name,socketname,timeout = 0):
     raise milter.error("out of thread resources")
 
 __all__ = globals().copy()
-for priv in ('os','milter','thread','factory','_seq','_seq_lock'):
+for priv in ('os','milter','thread','factory','_seq','_seq_lock','__version__'):
   del __all__[priv]
 __all__ = __all__.keys()

Milter/dsn.py

@@ -9,6 +9,7 @@ import smtplib
 import spf
 import socket
 from email.Message import Message
+import Milter
 
 nospf_msg = """Subject: Critical mail server configuration error
 
@@ -103,7 +104,7 @@ def send_dsn(mailfrom,receiver,msg=None):
   q = spf.query(None,None,None)
   mxlist = q.dns(domain,'MX')
   if not mxlist:
-    mxlist = (0,domain),
+    mxlist = (0,domain),	# fallback to A record when no MX
   else:
     mxlist.sort()
   smtp = smtplib.SMTP()
@@ -112,8 +113,11 @@ def send_dsn(mailfrom,receiver,msg=None):
       smtp.connect(host)
       code,resp = smtp.helo(receiver)
       # some wiley spammers have MX records that resolve to 127.0.0.1
-      if resp.split()[0] == receiver:
-        return (553,'Fraudulent MX for %s' % domain)
+      a = resp.split()
+      if not a:
+        return (553,'MX for %s has no hostname in banner: %s' % (domain,host))
+      if a[0] == receiver:
+        return (553,'Fraudulent MX for %s: %s' % (domain,host))
       if not (200 <= code <= 299):
 	raise smtplib.SMTPHeloError(code, resp)
       if msg:
@@ -151,13 +155,13 @@ def create_msg(q,rcptlist,origmsg=None,template=None):
   connectip = q.i
   receiver = q.r
   sender_domain = q.o
+  result = q.result
+  perm_error = q.perm_error
   rcpt = '\n\t'.join(rcptlist)
   try: subject = origmsg['Subject']
   except: subject = '(none)'
   try:
     spf_result = origmsg['Received-SPF']
-    if not spf_result.startswith('softfail'):
-      spf_result = None
   except: spf_result = None
 
   msg = Message()
@@ -165,11 +169,14 @@ def create_msg(q,rcptlist,origmsg=None,template=None):
   msg.add_header('To',sender)
   msg.add_header('From','postmaster@%s'%receiver)
   msg.add_header('Auto-Submitted','auto-generated (configuration error)')
+  msg.add_header('X-Mailer','PyMilter-'+Milter.__version__)
   msg.set_type('text/plain')
 
   if not template:
-    if spf_result: template = softfail_msg
-    else: template = nospf_msg
+    if spf_result and spf_result.startswith('softfail'):
+      template = softfail_msg
+    else:
+      template = nospf_msg
   hdrs,body = template.split('\n',1)
   for ln in hdrs.splitlines():
     name,val = ln.split(':',1)

NEWS

@@ -1,5 +1,14 @@
 Here is a history of user visible changes to Python milter.
 
+0.8.3   Keep screened honeypot mail, but optionally discard honeypot only mail.
+	spf_accept_fail option for braindead SPF senders 
+	  (treats fail like softfail)
+	Option to set SPF policy via sendmail access map.
+	Option to supply Sender header from MAIL FROM when missing.
+	Consider SMTP AUTH connections internal.
+	Send DSN for SPF errors corrected by extended processing.
+	Send DSN before SCREENED mail is quarantined
+	Use logging package to keep log lines atomic.
 0.8.2	Strict processing limits per SPF RFC
 	Fixed several parsing bugs under RFC 
 	Support official IANA SPF record (type99)

TODO

@@ -1,41 +1,32 @@
+Find rfc2822 policy for MFROM quoting.
+
+Use /etc/mail/access for domain specific SPF policies.
+
+SPF-Fail:	REJECT
+SPF-Softfail:	OK
+SPF-Neutral:	OK
+SPF-Neutral:aol.com	ERROR:"550 AOL mail must get SPF PASS"
+
 Defer TEMPERROR in SPF evaluation - give precedence to security
 (only defer for PASS mechanisms).
 
 Option to add Received-SPF header, but never reject on SPF.
+  I think the above will handle this.
 
 Create null config that does nothing - except maybe add Received-SPF
 headers.  Many admins would like to turn features on one at a time.
 
-Checking in mime.py;
-/bms/cvs/milter/mime.py,v  <--  mime.py
-new revision: 1.56; previous revision: 1.55
-done
-Checking in spf.py;
-/bms/cvs/milter/spf.py,v  <--  spf.py
-new revision: 1.18; previous revision: 1.17
-done
-Checking in testmime.py;
-/bms/cvs/milter/testmime.py,v  <--  testmime.py
-new revision: 1.19; previous revision: 1.18
-
 Auto whitelist based on outgoing email - perhaps with magic subject
 or recipient prefix.
 
 Can't output messages with malformed rfc822 attachments.
 
-Example malformed SPF:
-onvunvuvvx.usafisnews.org text "v=spf1 mx ptr ip4:207.44.199.970 -all"
-
 Move milter,Milter,mime,spf modules to pymilter
 milter package will have bms.py application
 
-Support SMTP AUTH and disable SPF checks when connection is authorized.
 Web admin interface
-Check valid domains allowed by internal senders to detect PCs infected
-with spam trojans.
-Do CBV (callback verification) for mail with no published SPF record.
 message log for automated stats and blacklisting
-Skip dspam when SPF pass?
+Skip dspam when SPF pass? NO
 Report 551 with rcpt on SPF fail?
 check spam keywords with character classes, e.g.
 	{a}=[a@ãä], {i}=[i1í], {e}=[eë], {o}=[o0ö]
@@ -46,9 +37,6 @@ user to give to the forwarder.  Alias only works for mail from that
 forwarder.  Milter gets forwarder domain from alias and uses it to
 SPF check forwarder.
 
-Another special dspam user, 'honeypot', can be listed in innoculations.
-All email to those addresses is treated as known spam.
-
 Framework for modular Python milter components within a single VM.
 Python milters can be already be composed through sendmail by running each in
 a separate process.  However, a significant amount of memory is wasted
@@ -57,8 +45,7 @@ is cumbersome (e.g., adding mail headers, writing external files).
 
 Backup copies for outgoing/incoming mail.
 
-Allow multiple wiretap groups, each with its own destination.  Perhaps 
-also copy incoming wiretap mail, even though sendmail alias works perfectly
+Copy incoming wiretap mail, even though sendmail alias works perfectly
 for the purpose, to avoid having to change two configs for a wiretap.
 
 Provide a way to reload milter.cfg without stopping/restarting milter.
@@ -72,10 +59,6 @@ Keep separate ismodified flag for headers and body.  This is important
 when rejecting outgoing mail with viruses removed (so as not to
 embarrass yourself), and also removing Received headers with hidepath.
 
-Wrap smfi_setbacklog(int) - but it is only available in sendmail >= 8.12.3,
-  so how can we detect whether to wrap it?
-
 Need a test module to feed sample messages to a milter though a live 
 sendmail and SMTP.  The mockup currently used is probably not very accurate,
 and doesn't test the threading code.
-

bms.py

@@ -1,6 +1,43 @@
 #!/usr/bin/env python
 # A simple milter that has grown quite a bit.
 # $Log$
+# Revision 1.29  2005/10/11 22:50:07  customdesigned
+# Always check HELO except for SPF pass, temperror.
+#
+# Revision 1.28  2005/10/10 23:50:20  customdesigned
+# Use logging module to make logging threadsafe (avoid splitting log lines)
+#
+# Revision 1.27  2005/10/10 20:15:33  customdesigned
+# Configure SPF policy via sendmail access file.
+#
+# Revision 1.26  2005/10/07 03:23:40  customdesigned
+# Banned users option.  Experimental feature to supply Sender when
+# missing and MFROM domain doesn't match From.  Log cipher bits for
+# SMTP AUTH.  Sketch access file feature.
+#
+# Revision 1.25  2005/09/08 03:55:08  customdesigned
+# Handle perverse MFROM quoting.
+#
+# Revision 1.24  2005/08/18 03:36:54  customdesigned
+# Don't innoculate with SCREENED mail.
+#
+# Revision 1.23  2005/08/17 19:35:27  customdesigned
+# Send DSN before adding message to quarantine.
+#
+# Revision 1.22  2005/08/11 22:17:58  customdesigned
+# Consider SMTP AUTH connections internal.
+#
+# Revision 1.21  2005/08/04 21:21:31  customdesigned
+# Treat fail like softfail for selected (braindead) domains.
+# Treat mail according to extended processing results, but
+# report any PermError that would officially result via DSN.
+#
+# Revision 1.20  2005/08/02 18:04:35  customdesigned
+# Keep screened honeypot mail, but optionally discard honeypot only mail.
+#
+# Revision 1.19  2005/07/20 03:30:04  customdesigned
+# Check pydspam version for honeypot, include latest pyspf changes.
+#
 # Revision 1.18  2005/07/17 01:25:44  customdesigned
 # Log as well as use extended result for best guess.
 #
@@ -246,6 +283,7 @@ import traceback
 import ConfigParser
 import time
 import re
+import anydbm
 import Milter.dsn as dsn
 from Milter.dynip import is_dynip as dynip
 
@@ -266,8 +304,7 @@ try: import spf
 except: spf = None
 
 ip4re = re.compile(r'^[1-9][0-9]*\.[1-9][0-9]*\.[1-9][0-9]*\.[1-9][0-9]*$')
-#import syslog
-#syslog.openlog('milter')
+import logging
 
 # Thanks to Chris Liechti for config parsing suggestions
 
@@ -292,6 +329,7 @@ scan_rfc822 = True
 internal_connect = ()
 trusted_relay = ()
 internal_domains = ()
+banned_users = ()
 hello_blacklist = ()
 smart_alias = {}
 dspam_dict = None
@@ -309,14 +347,24 @@ srs_reject_spoofed = False
 srs_domain = None
 spf_reject_neutral = ()
 spf_accept_softfail = ()
+spf_accept_fail = ()
 spf_best_guess = False
 spf_reject_noptr = False
-multiple_bounce_recipients = True
+supply_sender = False
+access_file = None
 time_format = '%Y%b%d %H:%M:%S %Z'
 timeout = 600
 cbv_cache = {}
+logging.basicConfig(
+	stream=sys.stdout,
+	level=logging.INFO,
+	format='%(asctime)s %(message)s',
+	datefmt='%Y%b%d %H:%M:%S'
+)
+milter_log = logging.getLogger('milter')
+
 try:
-  too_old = time.time() - 30*24*60*60	# 30 days
+  too_old = time.time() - 7*24*60*60	# 7 days
   for ln in open('send_dsn.log'):
     try:
       rcpt,ts = ln.strip().split(None,1)
@@ -388,6 +436,7 @@ def read_config(list):
     'hashlength': '8',
     'reject_spoofed': 'no',
     'reject_noptr': 'no',
+    'supply_sender': 'no',
     'best_guess': 'no',
     'dspam_internal': 'yes'
   })
@@ -441,7 +490,7 @@ def read_config(list):
   for sa in cp.getlist('wiretap','smart_alias'):
     sm = cp.getlist('wiretap',sa)
     if len(sm) < 2:
-      print 'malformed smart alias:',sa
+      milter_log.warning('malformed smart alias: %s',sa)
       continue
     if len(sm) == 2: sm.append(sa)
     key = (sm[0],sm[1])
@@ -463,18 +512,21 @@ def read_config(list):
 
   # spf section
   global spf_reject_neutral,spf_best_guess,SRS,spf_reject_noptr
-  global spf_accept_softfail
+  global spf_accept_softfail,spf_accept_fail,supply_sender,access_file
   if spf:
     spf.DELEGATE = cp.getdefault('spf','delegate')
     spf_reject_neutral = cp.getlist('spf','reject_neutral')
     spf_accept_softfail = cp.getlist('spf','accept_softfail')
+    spf_accept_fail = cp.getlist('spf','accept_fail')
     spf_best_guess = cp.getboolean('spf','best_guess')
     spf_reject_noptr = cp.getboolean('spf','reject_noptr')
+    supply_sender = cp.getboolean('spf','supply_sender')
+    access_file = cp.getdefault('spf','access_file')
   srs_config = cp.getdefault('srs','config')
   if srs_config: cp.read([srs_config])
   srs_secret = cp.getdefault('srs','secret')
   if SRS and srs_secret:
-    global ses,srs,srs_reject_spoofed,srs_domain
+    global ses,srs,srs_reject_spoofed,srs_domain,banned_users
     database = cp.getdefault('srs','database')
     srs_reject_spoofed = cp.getboolean('srs','reject_spoofed')
     maxage = cp.getint('srs','maxage')
@@ -493,13 +545,31 @@ def read_config(list):
     else:
       srs_domain = []
     srs_domain.append(cp.getdefault('srs','fwdomain'))
+    banned_users = cp.getlist('srs','banned_users')
     #print srs_domain
 
 def parse_addr(t):
+  """Split email into user,domain.
+
+  >>> parse_addr('user@example.com')
+  ['user', 'example.com']
+  >>> parse_addr('"user@example.com"')
+  ['user@example.com']
+  >>> parse_addr('"user@bar"@example.com')
+  ['user@bar', 'example.com']
+  >>> parse_addr('foo')
+  ['foo']
+  """
   if t.startswith('<') and t.endswith('>'): t = t[1:-1]
+  if t.startswith('"'):
+    if t.endswith('"'): return [t[1:-1]]
+    pos = t.find('"@')
+    if pos > 0: return [t[1:pos],t[pos+2:]]
   return t.split('@')
 
 def parse_header(val):
+  """Decode headers gratuitously encoded to hide the content.
+  """
   try:
     h = decode_header(val)
     if not len(h) or (not h[0][1] and len(h) == 1): return val
@@ -522,15 +592,83 @@ def parse_header(val):
   except email.Errors.HeaderParseError: pass
   return val
 
+class SPFPolicy(object):
+  "Get SPF policy by result, defaulting to classic policy from pymilter.cfg"
+  def __init__(self,domain):
+    self.domain = domain.lower()
+    if access_file:
+      try: acf = anydbm.open(access_file,'r')
+      except: acf = None
+    else: acf = None
+    self.acf = acf
+
+  def getPolicy(self,pfx):
+    acf = self.acf
+    if not acf: return None
+    try:
+      return acf[pfx + self.domain]
+    except KeyError:
+      try:
+	return acf[pfx]
+      except KeyError:
+        return None
+
+  def getFailPolicy(self):
+    policy = self.getPolicy('SPF-Fail:')
+    if not policy:
+      if self.domain in spf_accept_fail:
+        policy = 'CBV'
+      else:
+	policy = 'REJECT'
+    return policy
+
+  def getNonePolicy(self):
+    policy = self.getPolicy('SPF-None:')
+    if not policy:
+      if spf_reject_noptr:
+	policy = 'REJECT'
+      else:
+        policy = 'CBV'
+    return policy
+
+  def getSoftfailPolicy(self):
+    policy = self.getPolicy('SPF-Softfail:')
+    if not policy:
+      if self.domain in spf_accept_softfail:
+        policy = 'OK'
+      elif self.domain in spf_reject_neutral:
+        policy = 'REJECT'
+      else:
+        policy = 'CBV'
+    return policy
+
+  def getNeutralPolicy(self):
+    policy = self.getPolicy('SPF-Neutral:')
+    if not policy:
+      if self.domain in spf_reject_neutral:
+        policy = 'REJECT'
+      policy = 'OK'
+    return policy
+
+  def getPermErrorPolicy(self):
+    policy = self.getPolicy('SPF-PermError:')
+    if not policy:
+      policy = 'REJECT'
+    return policy
+
+  def getPassPolicy(self):
+    policy = self.getPolicy('SPF-Pass:')
+    if not policy:
+      policy = 'OK'
+    return policy
+
 class bmsMilter(Milter.Milter):
   """Milter to replace attachments poisonous to Windows with a WARNING message,
      check SPF, and other anti-forgery features, and implement wiretapping
      and smart alias redirection."""
 
   def log(self,*msg):
-    print "%s [%d]" % (time.strftime('%Y%b%d %H:%M:%S'),self.id),
-    for i in msg: print i,
-    print
+    milter_log.info('[%d] %s',self.id,' '.join([str(m) for m in msg]))
 
   def __init__(self):
     self.tempname = None
@@ -649,8 +787,41 @@ class bmsMilter(Milter.Milter):
     self.new_headers = []
     self.recipients = []
     self.cbv_needed = None
-    t = parse_addr(f.lower())
+    t = parse_addr(f)
+    if len(t) == 2: t[1] = t[1].lower()
     self.canon_from = '@'.join(t)
+    # Some braindead MTAs can't be relied upon to properly flag DSNs.
+    # This heuristic tries to recognize such.
+    self.is_bounce = (f == '<>' or t[0].lower() in banned_users
+        #and t[1] == self.hello_name
+    )
+
+    # Check SMTP AUTH, also available:
+    #   auth_authen  authenticated user
+    #   auth_author  (ESMTP AUTH= param)
+    #   auth_ssf     (connection security, 0 = unencrypted)
+    #   auth_type    (authentication method, CRAM-MD5, DIGEST-MD5, PLAIN, etc)
+    # cipher_bits  SSL encryption strength
+    # cert_subject SSL cert subject
+    # verify       SSL cert verified
+
+    self.user = self.getsymval('{auth_authen}')
+    if self.user:
+      # Very simple SMTP AUTH policy by defaul:
+      #   any successful authentication is considered INTERNAL
+      # FIXME: configure allowed MAIL FROM by user
+      self.internal_connection = True
+      self.log(
+        "SMTP AUTH:",self.user, self.getsymval('{auth_type}'),
+        "sslbits =",self.getsymval('{cipher_bits}'),
+        "ssf =",self.getsymval('{auth_ssf}'), "INTERNAL"
+      )
+      if self.getsymval('{verify}'):
+	self.log("SSL AUTH:",
+	  self.getsymval('{cert_subject}'),
+	  "verify =",self.getsymval('{verify}')
+	)
+
     self.fp.write('From %s %s\n' % (self.canon_from,time.ctime()))
     if len(t) == 2:
       user,domain = t
@@ -689,19 +860,25 @@ class bmsMilter(Milter.Milter):
     if not (self.internal_connection or self.trusted_relay)	\
     	and self.connectip and spf:
       return self.check_spf()
+    self.spf = None
     return Milter.CONTINUE
 
   def check_spf(self):
-    t = parse_addr(self.mailfrom)
-    if len(t) == 2: t[1] = t[1].lower()
     receiver = self.receiver
-    q = spf.query(self.connectip,'@'.join(t),self.hello_name,receiver=receiver)
+    q = spf.query(self.connectip,self.canon_from,self.hello_name,
+    	receiver=receiver,strict=False)
     q.set_default_explanation(
-      'SPF fail: see http://spf.pobox.com/why.html?sender=%s&ip=%s' % (q.s,q.i))
+      'SPF fail: see http://openspf.com/why.html?sender=%s&ip=%s' % (q.s,q.i))
     res,code,txt = q.check()
-    if res in ('none', 'softfail'):
+    q.result = res
+    if res in ('unknown','permerror') and q.perm_error and q.perm_error.ext:
+      self.cbv_needed = q	# report SPF syntax error to sender
+      res,code,txt = q.perm_error.ext	# extended (lax processing) result
+      txt = 'EXT: ' + txt
+    p = SPFPolicy(q.o)
+    if res not in ('pass','error','temperror'):
       if self.mailfrom != '<>':
-	# check hello name via spf
+	# check hello name via spf unless spf pass
 	h = spf.query(self.connectip,'',self.hello_name,receiver=receiver)
 	hres,hcode,htxt = h.check()
 	if hres in ('deny','fail','neutral','softfail'):
@@ -717,11 +894,11 @@ class bmsMilter(Milter.Milter):
 	  and not dynip(self.hello_name,self.connectip):
 	  hres,hcode,htxt = h.best_guess()
       else: hres = res
+      ores = res
       if spf_best_guess and res == 'none':
 	#self.log('SPF: no record published, guessing')
 	q.set_default_explanation(
 		'SPF guess: see http://spf.pobox.com/why.html')
-	q.strict = False
 	# best_guess should not result in fail
 	if self.missing_ptr:
 	  # ignore dynamic PTR for best guess
@@ -729,32 +906,43 @@ class bmsMilter(Milter.Milter):
 	else:
 	  res,code,txt = q.best_guess()
 	receiver += ': guessing'
-        if q.perm_error:
+        if q.perm_error:	# FIXME: should never happen?
           res,code,txt = q.perm_error.ext	# extended result
 	  txt = 'EXT: ' + txt
-      if self.missing_ptr and res in ('neutral', 'none') and hres != 'pass':
-	if spf_reject_noptr:
+      if self.missing_ptr and ores == 'none' and res != 'pass' \
+      		and hres != 'pass':
+	policy = p.getNonePolicy()
+	if policy == 'CBV':
+	  if self.mailfrom != '<>':
+	    q.result = ores
+	    self.cbv_needed = q	# accept, but inform sender via DSN
+	elif policy != 'OK':
 	  self.log('REJECT: no PTR, HELO or SPF')
 	  self.setreply('550','5.7.1',
-    'You must have a reverse lookup or publish SPF: http://spf.pobox.com',
-    'Contact your mail administrator IMMEDIATELY!  Your mail server is',
-    'severely misconfigured.  It has no PTR record (dynamic PTR records',
+    "You must have a reverse lookup or publish SPF: http://spf.pobox.com",
+    "Contact your mail administrator IMMEDIATELY!  Your mail server is",
+    "severely misconfigured.  It has no PTR record (dynamic PTR records",
     "that contain your IP don't count), an invalid HELO, and no SPF record."
 	  )
 	  return Milter.REJECT
-        if self.mailfrom != '<>':
-	  q.result = res
-	  self.cbv_needed = q
     if res in ('deny', 'fail'):
+      policy = p.getFailPolicy()
+      if hres == 'pass' and policy == 'CBV':
+	if self.mailfrom != '<>':
+	  self.cbv_needed = q
+      elif policy != 'OK':
 	self.log('REJECT: SPF %s %i %s' % (res,code,txt))
 	self.setreply(str(code),'5.7.1',txt)
 	# A proper SPF fail error message would read:
 	# forger.biz [1.2.3.4] is not allowed to send mail with the domain
 	# "forged.org" in the sender address.  Contact <postmaster@forged.org>.
 	return Milter.REJECT
-    if res == 'softfail' and not q.o in spf_accept_softfail:
-      if self.missing_ptr and hres != 'pass':
-        if spf_reject_noptr or q.o in spf_reject_neutral:
+    if res == 'softfail':
+      policy = p.getSoftfailPolicy()
+      if policy == 'CBV' and hres == 'pass':
+	if self.mailfrom != '<>':
+	  self.cbv_needed = q
+      elif policy != 'OK':
 	self.log('REJECT: SPF %s %i %s' % (res,code,txt))
 	self.setreply('550','5.7.1',
 	  'SPF softfail: If you get this Delivery Status Notice, your email',
@@ -764,10 +952,12 @@ class bmsMilter(Milter.Milter):
 	  'notify your administrator of the problem immediately.'
 	)
 	return Milter.REJECT
-      if self.mailfrom != '<>':
-        q.result = res
-	self.cbv_needed = q
     if res == 'neutral' and q.o in spf_reject_neutral:
+      policy = p.getNeutralPolicy()
+      if policy == 'CBV' and hres == 'pass':
+	if self.mailfrom != '<>':
+	  self.cbv_needed = q
+      elif policy != 'OK':
 	self.log('REJECT: SPF neutral for',q.s)
 	self.setreply('550','5.7.1',
 	  'mail from %s must pass SPF: http://spf.pobox.com/why.html' % q.o,
@@ -778,16 +968,25 @@ class bmsMilter(Milter.Milter):
 	  'servers for %s should accomplish this.' % q.o
 	)
 	return Milter.REJECT
-    if res == 'unknown':
+    if res in ('unknown','permerror'):
+      policy = p.getPermErrorPolicy()
+      if policy == 'CBV' and hres == 'pass':
+	if self.mailfrom != '<>':
+	  self.cbv_needed = q
+      elif policy != 'OK':
 	self.log('REJECT: SPF %s %i %s' % (res,code,txt))
 	# latest SPF draft recommends 5.5.2 instead of 5.7.1
-      self.setreply(str(code),'5.5.2',txt)
+	self.setreply(str(code),'5.5.2',txt,
+	  'There is a fatal syntax error in the SPF record for %s' % q.o,
+	  'We cannot accept mail from %s until this is corrected.' % q.o
+	)
 	return Milter.REJECT
-    if res == 'error':
+    if res in ('error','temperror'):
       self.log('TEMPFAIL: SPF %s %i %s' % (res,code,txt))
       self.setreply(str(code),'4.3.0',txt)
       return Milter.TEMPFAIL
     self.add_header('Received-SPF',q.get_header(res,receiver))
+    self.spf = q
     return Milter.CONTINUE
 
   # hide_path causes a copy of the message to be saved - until we
@@ -802,11 +1001,7 @@ class bmsMilter(Milter.Milter):
     t = parse_addr(to.lower())
     if len(t) == 2:
       user,domain = t
-      if self.mailfrom == '<>' or self.canon_from.startswith('postmaster@') \
-      	or self.canon_from.startswith('mailer-daemon@'):
-        if self.recipients and not multiple_bounce_recipients:
-	  self.data_allowed = False
-        if srs and domain in srs_domain:
+      if self.is_bounce and srs and domain in srs_domain:
 	oldaddr = '@'.join(parse_addr(to))
 	try:
 	  if ses:
@@ -830,6 +1025,7 @@ class bmsMilter(Milter.Milter):
 	      self.setreply('550','5.7.1','Invalid SES signature')
 	      return Milter.REJECT
 	    self.data_allowed = not srs_reject_spoofed
+
       # non DSN mail to SRS address will bounce due to invalid local part
       self.recipients.append('@'.join(t))
       users = check_user.get(domain)
@@ -907,14 +1103,19 @@ class bmsMilter(Milter.Milter):
     return Milter.CONTINUE
 
   def forged_bounce(self):
-    if len(self.recipients) > 1:
-      self.log('REJECT: Multiple bounce recipients')
-      self.setreply('550','5.7.1','Multiple bounce recipients')
+    if self.mailfrom != '<>':
+      self.log("REJECT: bogus DSN")
+      self.setreply('550','5.7.1',
+	"I do not accept mail from postmaster, mailer-daemon, or clamav.",
+	"All such mail has turned out to be Delivery Status Notifications",
+	"which failed to be marked as such.  Please send a real DSN if",
+	"you need to.  Use another MAIL FROM if you need to send me mail."
+      )
     else:
       self.log('REJECT: bounce with no SRS encoding')
       self.setreply('550','5.7.1',
 	"I did not send you that message. Please consider implementing SPF",
-      "(http://spf.pobox.com) to avoid bouncing mail to spoofed senders.",
+	"(http://openspf.com) to avoid bouncing mail to spoofed senders.",
 	"Thank you."
       )
     return Milter.REJECT
@@ -959,8 +1160,28 @@ class bmsMilter(Milter.Milter):
     for name,val in self.new_headers:
       self.fp.write("%s: %s\n" % (name,val))	# add new headers to buffer
     self.fp.write("\n")				# terminate headers
+    # log when neither sender nor from domains matches mail from domain
+    if supply_sender and self.mailfrom != '<>':
+      mf_domain = self.canon_from.split('@')[-1]
       self.fp.seek(0)
+      msg = rfc822.Message(self.fp)
+      for rn,hf in msg.getaddrlist('from')+msg.getaddrlist('sender'):
+	t = parse_addr(hf)
+	if len(t) == 2 and t[1].lower() == mf_domain:
+	  break
+      else:
+	for f in msg.getallmatchingheaders('from'):
+	  self.log(f)
+	sender = msg.getallmatchingheaders('sender')
+	if sender:
+	  for f in sender:
+	    self.log(f)
+	else:
+	  self.log("NOTE: Supplying MFROM as Sender");
+	  self.add_header('Sender',self.mailfrom)
+      del msg
     # copy headers to a temp file for scanning the body
+    self.fp.seek(0)
     headers = self.fp.getvalue()
     self.fp.close()
     fd,fname = tempfile.mkstemp(".defang")
@@ -1040,6 +1261,7 @@ class bmsMilter(Milter.Milter):
   #	   this will give a fast start to stats
 
   def check_spam(self):
+    "return True/False if self.fp, else return Milter.REJECT/TEMPFAIL/etc"
     if not dspam_userdir: return False
     ds = Dspam.DSpamDirectory(dspam_userdir)
     ds.log = self.log
@@ -1059,7 +1281,7 @@ class bmsMilter(Milter.Milter):
 		ds.add_spam(sender,txt)
 		txt = None
 		self.fp = None
-		return False
+		return Milter.DISCARD
 	    elif user == 'falsepositive' and self.internal_connection:
 	      sender = dspam_users.get(self.canon_from)
 	      if sender:
@@ -1075,10 +1297,24 @@ class bmsMilter(Milter.Milter):
 		self.log("Large message:",len(txt))
 		return False
 	      if user == 'honeypot' and Dspam.VERSION >= '1.1.9':
-	        ds.check_spam(user,txt,force_result=dspam.DSR_ISSPAM)
-		self.log("HONEYPOT:",rcpt)
+	        keep = False	# keep honeypot mail
 		self.fp = None
-		return False
+	        if len(self.recipients) > 1:
+		  self.log("HONEYPOT:",rcpt,'SCREENED')
+		  if self.spf:
+		    # check that sender accepts quarantine DSN
+		    msg = mime.message_from_file(StringIO.StringIO(txt))
+		    rc = self.send_dsn(self.spf,msg,'quarantine.txt')
+		    del msg
+		    if rc != Milter.CONTINUE:
+		      return rc	
+		  ds.check_spam(user,txt,self.recipients,quarantine=True,
+		  	force_result=dspam.DSR_ISSPAM)
+		else:
+		  ds.check_spam(user,txt,self.recipients,quarantine=keep,
+		  	force_result=dspam.DSR_ISSPAM)
+		  self.log("HONEYPOT:",rcpt)
+		return Milter.DISCARD
 	      txt = ds.check_spam(user,txt,self.recipients)
 	      if not txt:
 	        # DISCARD if quarrantined for any recipient.  It
@@ -1086,12 +1322,12 @@ class bmsMilter(Milter.Milter):
 		# as a false positive.
 		self.log("DSPAM:",user,rcpt)
 		self.fp = None
-		return False
+		return Milter.DISCARD
 	      self.fp = StringIO.StringIO(txt)
 	      modified = True
 	  except Exception,x:
 	    self.log("check_spam:",x)
-	    traceback.print_exc()
+	    milter_log.error("check_spam: %s",x,exc_info=True)
     # screen if no recipients are dspam_users
     if not modified and dspam_screener and not self.internal_connection \
     	and self.dspam:
@@ -1102,14 +1338,27 @@ class bmsMilter(Milter.Milter):
 	return False
       screener = dspam_screener[self.id % len(dspam_screener)]
       if not ds.check_spam(screener,txt,self.recipients,
-      	classify=True,quarantine=not self.reject_spam):
-	self.fp = None
+      	classify=True,quarantine=False):
 	if self.reject_spam:
 	  self.log("DSPAM:",screener,
 	  	'REJECT: X-DSpam-Score: %f' % ds.probability)
 	  self.setreply('550','5.7.1','Your Message looks spammy')
-	  return True
+	  self.fp = None
+	  return Milter.REJECT
 	self.log("DSPAM:",screener,"SCREENED")
+	if self.spf:
+	  # check that sender accepts quarantine DSN
+	  self.fp.seek(0)
+	  msg = mime.message_from_file(self.fp)
+	  rc = self.send_dsn(self.spf,msg,'quarantine.txt')
+	  if rc != Milter.CONTINUE:
+	    self.fp = None
+	    return rc
+	  del msg
+	if not ds.check_spam(screener,txt,self.recipients,classify=True):
+	  self.fp = None
+	  return Milter.DISCARD
+	# Message no longer looks spammy, deliver normally. We lied in the DSN.
     return modified
 
   def eom(self):
@@ -1120,8 +1369,7 @@ class bmsMilter(Milter.Milter):
       # analyze external mail for spam
       spam_checked = self.check_spam()	# tag or quarantine for spam
       if not self.fp:
-        if spam_checked: return Milter.REJECT
-	return Milter.DISCARD	# message quarantined for all recipients
+        return spam_checked
 
       # analyze all mail for dangerous attachments and scripts
       self.fp.seek(0)
@@ -1139,7 +1387,7 @@ class bmsMilter(Milter.Milter):
         if not exc_value.strerror:
 	  exc_value.strerror = exc_value.args[0]
 	if exc_value.strerror == 'Lock failed':
-	  self.log("LOCK: BUSY")	# log filename
+	  milter_log.warn("LOCK: BUSY")	# log filename
 	  self.setreply('450','4.2.0',
 		'Too busy discarding spam.  Please try again later.')
 	  return Milter.TEMPFAIL
@@ -1147,7 +1395,7 @@ class bmsMilter(Milter.Milter):
       os.rename(self.tempname,fname)
       self.tempname = None
       if exc_type == email.Errors.BoundaryError:
-	self.log("MALFORMED: %s" % fname)	# log filename
+	milter_log.warn("MALFORMED: %s",fname)	# log filename
         if self.internal_connection:
 	  # accept anyway for now
 	  return Milter.ACCEPT
@@ -1155,12 +1403,12 @@ class bmsMilter(Milter.Milter):
 		'Boundary error in your message, are you a spammer?')
         return Milter.REJECT
       if exc_type == email.Errors.HeaderParseError:
-	self.log("MALFORMED: %s" % fname)	# log filename
+	milter_log.warn("MALFORMED: %s",fname)	# log filename
 	self.setreply('554','5.7.7',
 		'Header parse error in your message, are you a spammer?')
         return Milter.REJECT
+      milter_log.error("FAIL: %s",fname)	# log filename
       # let default exception handler print traceback and return 451 code
-      self.log("FAIL: %s" % fname)	# log filename
       raise
     if rc == Milter.REJECT: return rc;
     if rc == Milter.DISCARD: return rc;
@@ -1188,39 +1436,17 @@ class bmsMilter(Milter.Milter):
 
     if self.cbv_needed:
       q = self.cbv_needed
-      sender = q.s
-      cached = cbv_cache.has_key(sender)
-      if cached:
-	self.log('CBV:',sender,'(cached)')
-        res = cbv_cache[sender]
+      if q.result in ('softfail','fail','deny'):
+	template_name = 'softfail.txt'
+      elif q.result in ('unknown','permerror'):
+	template_name = 'permerror.txt'
+      elif q.result == 'neutral':
+        template_name = 'neutral.txt'
       else:
-	self.log('CBV:',sender)
-	try:
-	  if q.result == 'softfail':
-	    template = file('softfail.txt').read()
-	  else:
-	    template = file('strike3.txt').read()
-	except IOError: template = None
-	m = dsn.create_msg(q,self.recipients,msg,template)
-        m = m.as_string()
-        print >>open('last_dsn','w'),m
-	res = dsn.send_dsn(sender,self.receiver,m)
-      if res:
-        desc = "CBV: %d %s" % res[:2]
-        if 400 <= res[0] < 500:
-	  self.log('TEMPFAIL:',desc)
-          self.setreply('450','4.2.0',*desc.splitlines())
-	  return Milter.TEMPFAIL
-	if len(res) < 3: res += time.time(),
-	cbv_cache[sender] = res
-	self.log('REJECT:',desc)
-        self.setreply('550','5.7.1',*desc.splitlines())
-	return Milter.REJECT
-      cbv_cache[sender] = res
-      if not cached:
-        s = time.strftime(time_format,time.localtime())
-	print >>open('send_dsn.log','a'),sender,s # log who we sent DSNs to
+	template_name = 'strike3.txt'
+      rc = self.send_dsn(q,msg,template_name)
       self.cbv_needed = None
+      if rc != Milter.CONTINUE: return rc
 
     if not defanged and not spam_checked:
       os.remove(self.tempname)
@@ -1254,13 +1480,44 @@ class bmsMilter(Milter.Milter):
       out.close()
     return Milter.TEMPFAIL
 
+  def send_dsn(self,q,msg,template_name):
+    sender = q.s
+    cached = cbv_cache.has_key(sender)
+    if cached:
+      self.log('CBV:',sender,'(cached)')
+      res = cbv_cache[sender]
+    else:
+      self.log('CBV:',sender)
+      try:
+	template = file(template_name).read()
+      except IOError: template = None
+      m = dsn.create_msg(q,self.recipients,msg,template)
+      m = m.as_string()
+      print >>open('last_dsn','w'),m
+      res = dsn.send_dsn(sender,self.receiver,m)
+    if res:
+      desc = "CBV: %d %s" % res[:2]
+      if 400 <= res[0] < 500:
+	self.log('TEMPFAIL:',desc)
+	self.setreply('450','4.2.0',*desc.splitlines())
+	return Milter.TEMPFAIL
+      if len(res) < 3: res += time.time(),
+      cbv_cache[sender] = res
+      self.log('REJECT:',desc)
+      self.setreply('550','5.7.1',*desc.splitlines())
+      return Milter.REJECT
+    cbv_cache[sender] = res
+    if not cached:
+      s = time.strftime(time_format,time.localtime())
+      print >>open('send_dsn.log','a'),sender,s # log who we sent DSNs to
+    return Milter.CONTINUE
+
   def close(self):
-    sys.stdout.flush()		# make log messages visible
     if self.tempname:
       os.remove(self.tempname)	# remove in case session aborted
     if self.fp:
       self.fp.close()
-    sys.stdout.flush()
+    
     return Milter.CONTINUE
 
   def abort(self):
@@ -1275,10 +1532,10 @@ def main():
   if srs or len(discard_users) > 0 or smart_alias or dspam_userdir:
     flags = flags + Milter.DELRCPT
   Milter.set_flags(flags)
-  print "%s bms milter startup" % time.strftime('%Y%b%d %H:%M:%S')
+  milter_log.info("bms milter startup")
   sys.stdout.flush()
   Milter.runmilter("pythonfilter",socketname,timeout)
-  print "%s bms milter shutdown" % time.strftime('%Y%b%d %H:%M:%S')
+  milter_log.info("bms milter shutdown")
 
 if __name__ == "__main__":
   read_config(["/etc/mail/pymilter.cfg","milter.cfg"])

faq.html

@@ -194,4 +194,5 @@ everything up for you.  For other systems:
 </ol>
 
 </ol>
+</body>
 </html>

milter.cfg

@@ -70,6 +70,10 @@ config=/etc/mail/pysrs.cfg
 ;fwdomain = mydomain.com
 # turn this on after a grace period to reject spoofed DSNs
 reject_spoofed = 0
+# Many braindead MTAs send DSNs with a non-DSN MFROM (e.g. to report that
+# some virus claiming to be sent by you).  This heuristic
+# refuses mail from user names commonly abused in that way.
+;banned_users = postmaster, mailer-daemon, clamav
 
 # See http://spf.pobox.com for more info on SPF.
 [spf]
@@ -85,6 +89,16 @@ reject_spoofed = 0
 ;reject_noptr = 0
 # always accept softfail from these domains, or send DSN otherwise
 ;accept_softfail = bounces.amazon.com
+# Treat fail from these domains like softfail: because their SPF record
+# or an important sender is screwed up.  Must have valid HELO, however.
+;accept_fail = custhelp.com
+# Use sendmail access map or similar format for detailed spf policy.
+# SPF entries in the access map will override any defaults set above.
+;access_file = /etc/mail/access.db
+# Add MAIL FROM as Sender when Sender is missing and From domain
+# doesn't match MAIL FROM.  Outlook and other email clients will then display
+# something like: "Sent by sender@domain.com on behalf of from@example.com"
+;supply_sender = 0
 
 # features intended to clean up outgoing mail
 [scrub]
@@ -101,6 +115,7 @@ blind = 1
 # (sendmail aliases let you monitor incoming mail)
 #
 ;users = disloyal@bigcorp.com, bigmouth@bigcorp.com
+# multiple destinations can use smart_alias
 ;dest = spy@bigcorp.com
 # discard outgoing mail without alerting sender
 # can be used in conjunction with wiretap to censor outgoing mail
@@ -108,7 +123,10 @@ blind = 1
 #
 # smart aliases trigger on both sender and recipient
 #
-;smart_alias = copycust,walter
+;smart_alias = copycust,walter,spy1,spy2
+# multiple wiretap monitors
+;spy1 = disloyal@bigcorp.com,spy@bigcorp.com
+;spy2 = bigmouth@bigcorp.com,spy@bigcorp.com
 # mail from client@clientcorp.com to sue@bigcorp.com is redirected to 
 # local alias copycust
 ;copycust = client@clientcorp.com,sue@bigcorp.com

milter.html

@@ -24,7 +24,7 @@ ALT="Viewable With Any Browser" BORDER="0"></A>
   Stuart D. Gathman</a><br>
 This web page is written by Stuart D. Gathman<br>and<br>sponsored by
 <a href="http://www.bmsi.com">Business Management Systems, Inc.</a> <br>
-Last updated Jun 09, 2005</h4>
+Last updated Aug 28, 2005</h4>
 
 See the <a href="faq.html">FAQ</a> | <a href="http://sourceforge.net/project/showfiles.php?group_id=139894">Download now</a> |
 <a href="/mailman/listinfo/pymilter">Subscribe to mailing list</a> |
@@ -49,7 +49,15 @@ efficient and secure.  I recommend upgrading.
 
 Python milter is being moved to 
 <a href="http://sourceforge.net/projects/pymilter/">pymilter Sourceforge
-project</a> for development.
+project</a> for development and release downloads.
+<p>
+Release 0.8.2 has changes to <a href="http://openspf.net">SPF</a> to bring it
+in line with the newly official RFC.  It adds 
+<a href="http://ses.codeshare.ca/">SES</a>
+support (the original SES without body hash) for pysrs-0.30.10, and honeypot
+support for pydspam-1.1.9.  There is a new method in the base milter module.
+milter.set_exception_policy(i) lets you choose a policy of CONTINUE, REJECT, or
+TEMPFAIL (default) for untrapped exceptions encountered in a milter callback.
 <p>
 Release 0.8.0 is the first <a href="http://sourceforge.net/">Sourceforge</a>
 release.  It supports Python-2.4, and provides an option to accept mail

milter.spec

@@ -1,6 +1,6 @@
 %define name milter
-%define version 0.8.2
-%define release 2.RH7
+%define version 0.8.3
+%define release 1.RH7
 # what version of RH are we building for?
 %define redhat9 0
 %define redhat7 1
@@ -63,7 +63,7 @@ rm -rf $RPM_BUILD_ROOT
 mkdir -p $RPM_BUILD_ROOT/var/log/milter
 mkdir -p $RPM_BUILD_ROOT/etc/mail
 mkdir $RPM_BUILD_ROOT/var/log/milter/save
-cp bms.py strike3.txt softfail.txt $RPM_BUILD_ROOT/var/log/milter
+cp bms.py *.txt $RPM_BUILD_ROOT/var/log/milter
 cp milter.cfg $RPM_BUILD_ROOT/etc/mail/pymilter.cfg
 
 # logfile rotation
@@ -146,7 +146,7 @@ rm -rf $RPM_BUILD_ROOT
 
 %files -f INSTALLED_FILES
 %defattr(-,root,root)
-%doc README NEWS TODO CREDITS sample.py
+%doc README HOWTO NEWS TODO CREDITS sample.py
 /etc/logrotate.d/milter
 /etc/cron.daily/milter
 %ifos aix4.1
@@ -160,12 +160,30 @@ rm -rf $RPM_BUILD_ROOT
 %dir /var/log/milter/save
 %config /var/log/milter/start.sh
 %config /var/log/milter/bms.py
-%config /var/log/milter/strike3.txt
-%config /var/log/milter/softfail.txt
+%config(noreplace) /var/log/milter/strike3.txt
+%config(noreplace) /var/log/milter/softfail.txt
+%config(noreplace) /var/log/milter/neutral.txt
+%config(noreplace) /var/log/milter/quarantine.txt
+%config(noreplace) /var/log/milter/permerror.txt
 %config(noreplace) /etc/mail/pymilter.cfg
 /usr/share/sendmail-cf/hack/rhsbl.m4
 
 %changelog
+* Fri Jul 15 2005 Stuart Gathman <stuart@bmsi.com> 0.8.3-1
+- Keep screened honeypot mail, but optionally discard honeypot only mail.
+- spf_accept_fail option for braindead SPF senders (treats fail like softfail)
+- Consider SMTP AUTH connections internal.
+- Send DSN for SPF errors corrected by extended processing.
+- Send DSN before SCREENED mail is quarantined
+- Option to set SPF policy via sendmail access map.
+- Option to supply Sender header from MAIL FROM when missing.
+- Use logging package to keep log lines atomic.
+* Fri Jul 15 2005 Stuart Gathman <stuart@bmsi.com> 0.8.2-4
+- Limit each CNAME chain independently like PTR and MX
+* Fri Jul 15 2005 Stuart Gathman <stuart@bmsi.com> 0.8.2-3
+- Limit CNAME lookups (regression)
+* Fri Jul 15 2005 Stuart Gathman <stuart@bmsi.com> 0.8.2-2
+- Handle corrupt ZIP attachments
 * Fri Jul 15 2005 Stuart Gathman <stuart@bmsi.com> 0.8.2-1
 - Strict processing limits per SPF RFC
 - Fixed several parsing bugs under RFC 
@@ -174,7 +192,6 @@ rm -rf $RPM_BUILD_ROOT
 - Extended SPF processing results beyond strict RFC limits
 - Support original SES for local bounce protection (requires pysrs-0.30.10)
 - Callback exception processing option in milter module
-- Handle corrupt ZIP attachments
 * Thu Jun 16 2005 Stuart Gathman <stuart@bmsi.com> 0.8.1-1
 - Fix zip in zip loop in mime.py
 - Fix HeaderParseError in bms.py header callback

neutral.txt

@@ -0,0 +1,34 @@
+Subject: SPF %(result)s (POSSIBLE FORGERY)
+
+This is an automatically generated Delivery Status Notification.
+
+THIS IS A WARNING MESSAGE ONLY.
+
+YOU DO *NOT* NEED TO RESEND YOUR MESSAGE.
+
+Delivery to the following recipients has been delayed.
+
+       %(rcpt)s
+
+Subject: %(subject)s
+Received-SPF: %(spf_result)s
+
+Your sender policy (or lack thereof) indicated that the above email was not
+sent via an authorized SMTP server, but may still be legitimate.  Since there
+is no positive confirmation that the message is really from you, we have
+to give it extra scrutiny - including verifying that the sender really
+exists by sending you this DSN.  We will remember this sender and not
+bother you again for while.  You can avoid this message entirely for
+legitimate mail by using an authorized SMTP server.  Contact your mail
+administrator and ask how to configure your email client to use an
+authorized server.  
+
+If you never sent the above message, then your domain has been forged.
+Your mail admin needs to publish a strict SPF record so that I can reject
+those forgeries instead of bugging you about them.
+
+If you need further assistance, please do not hesitate to contact me.
+
+Kind regards,
+
+postmaster@%(receiver)s

permerror.txt

@@ -0,0 +1,31 @@
+Subject: Critical SPF configuration error
+
+This is an automatically generated Delivery Status Notification.
+
+THIS IS A WARNING MESSAGE ONLY.
+
+YOU DO *NOT* NEED TO RESEND YOUR MESSAGE.
+
+Delivery to the following recipients has been delayed.
+
+	%(rcpt)s
+
+Subject: %(subject)s 
+
+Your spf record has a permanent error.  The error was:
+
+	%(perm_error)s
+
+We will reinterpret your record using "lax" processing heuristics
+which may result in your mail being accepted anyway.  But you or your
+mail administrator need to fix your SPF record as soon as possible.
+
+We are sending you this message to alert you to the fact that
+you have problems with your email configuration.
+
+If you need further assistance, please do not hesitate to
+contact me again.
+
+Kind regards,
+
+postmaster@%(receiver)s

policy.html

@@ -0,0 +1,237 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
+<html>
+<head>
+<title>Python Milter Mail Policy </title>
+</head><body>
+
+<h1> Python Milter Mail Policy </h1>
+
+<h3> Classify connection </h3>
+
+When the SMTP client connects, the connection IP address is
+saved for later verification, and the connection
+is classified as INTERNAL or EXTERNAL by matching the ip
+address against the <code>internal_connect</code> configuration.
+IP addresses with no PTR, and PTR names that look like
+the kind assigned to dynamic IPs (as determined by a heuristic
+algorithm) are flagged as DYNAMIC.  IPs that match the
+<code>trusted_relay</code> configuration are flagged as TRUSTED.
+<p>
+Examples from the log file (<i>not</i> the SMTP error message returned):
+<pre>
+2005Jul29 13:56:53 [71207] connect from p50863492.dip0.t-ipconnect.de at ('80.134.52.146', 1858) EXTERNAL DYN
+2005Jul29 18:10:15 [74511] connect from foopub at ('1.2.3.4', 46513) EXTERNAL TRUSTED
+2005Jul29 14:41:00 [71805] connect from foobar at ('192.168.0.1', 41205) INTERNAL
+2005Jul29 14:41:15 [71806] connect from cncln.online.ln.cn at ('218.25.240.137', 35992) EXTERNAL
+</pre>
+<p>
+Certain obviously evil PTR names are blocked at this point:
+"localhost" (when IP is not 127.*) and ".".
+<pre>
+2005Jul29 14:49:50 [71918] connect from localhost at ('221.132.0.6', 50507) EXTERNAL
+2005Jul29 14:49:50 [71918] REJECT: PTR is localhost
+</pre>
+
+<h3> HELO Check </h3>
+
+The HELO name provided by the client is saved for later verification
+(for example by SPF).  We could validate the HELO at this point
+by verifying that an A record for the HELO name matches the connect ip.
+However, currently we only block certain obvious problems.  
+HELO names that look like an IP4 address 
+and ones that match the <code>hello_blacklist</code> configuration
+are immediately rejected.  The hello_blacklist typically contains
+the current MTAs own HELO name or email domains.
+Clients that attempt to skip HELO are immediately rejected.
+<pre>
+2005Jul29 18:10:15 [74512] hello from example.com
+2005Jul29 18:10:15 [74512] REJECT: spam from self: example.com
+2005Jul29 18:17:09 [74581] hello from 80.191.244.69
+2005Jul29 18:17:09 [74581] REJECT: numeric hello name: 80.191.244.69
+</pre>
+
+<h3> MAIL FROM Check </h3>
+
+Before calling our milter, sendmail checks a DNS blacklist to 
+block banned sender domains.  We never see a blocked domain.
+<p>
+The MAIL FROM address is saved for possible use by the smart-alias
+feature.  First, the <code>internal_domains</code> is used for
+a simple screening if defined.  If the MAIL FROM for an INTERNAL connection 
+is NOT in <code>internal_domains</code>, then it is rejected (the
+PC is most likely infected and attempting to send out spam).
+If the MAIL FROM for an EXTERNAL connection IS in
+<code>internal_domains</code>, then the message is immediately rejected.
+This is quick and effective for most small company MTAs.  For more
+complex mail networks, it is too simplistic, and should not be defined.
+SPF will handle the complex cases.
+
+<h4> wiretap </h4>
+
+The wiretap feature can screen and/or monitor mail to/from certain
+users.  If the MAIL FROM is being wiretapped, the recipients are
+altered accordingly.
+
+<h4> SPF check </h4>
+
+Finally, the MAIL FROM, connect IP, and HELO name are checked against
+any SPF records published via DNS for the alleged sender (MAIL FROM).
+If there is no SPF record, we check for a local substitute under the
+domain defined in the <code>[spf]delegate</code> configuration.
+Further checks depend on the result.
+
+<table border=1>
+<tr><th>NONE</th><td>
+If there is no SPF record (official or delegated), then we 
+initiate a "three strikes and your out" regime, which looks for
+<b>some</b> form of validated identification.
+<ol>
+<li>We try a "best guess" SPF record of "v=spf1 a/24 mx/24 ptr".  If this
+    passes, good.  
+<li> We try to validate the HELO name. First check for an SPF record.
+   Otherwise, check whether the connect IP matches any A record for
+   the HELO name, or any A record for any MX name for the HELO name,
+   or is at least in the same /24 subnet as any of the above.
+   (In other words, a HELO SPF "best guess" of "v=spf1 a/24 mx/24".)
+   If so, good.  We consider the HELO validated.  If the HELO SPF
+   check fails, we reject the email.
+</ol>
+<pre>
+2005Jul30 19:45:16 [93991] connect from [221.200.41.54] at ('221.200.41.54', 3581) EXTERNAL DYN
+2005Jul30 19:45:18 [93991] hello from adelphia.net
+2005Jul30 19:45:19 [93991] mail from <wendy.stubbsua@link-it.com> ()
+2005Jul30 19:45:19 [93991] REJECT: hello SPF: fail 550 access denied
+</pre>
+<ol>
+<li> If there is a validated PTR name, and it doesn't look
+   like a dynamic name, good.  We consider the connection validated.
+</ol>
+If any of the above can be validated, we continue on.
+If none of the above can be validated, and the <code>[SPF]reject_noptr</code>
+option is true, we reject the message immediately with the explanation
+that we need some form of valid identification before we accept an email.
+If <code>[SPF]reject_noptr</code> is false, we flag the message as
+needing Call Back Validation.  
+The Call Back Valildation sends a DSN to the purported sender informing
+them of the lack of identification.  If the message is legitimate, the
+sender needs to know that their email setup is broken and should be corrected.
+If the message is forged, the sender is informed of the forgery, 
+and their need to publish an SPF record or at least use a valid HELO name.
+If the purported sender does not accept the DSN,
+then the message is rejected.  The CBV status is cached to avoid
+annoying the purported sender with too many DSNs.  Currently, the DSN
+is repeated to the same sender once per month.
+<p>
+In this example, although 3com.com has no SPF record, we assume that 
+any legitimate mail from them will at least have a valid HELO or PTR.
+<pre>
+2005Jul30 23:52:03 [96777] connect from [222.252.233.200] at ('222.252.233.200', 29934) EXTERNAL DYN
+2005Jul30 23:52:03 [96777] hello from 3mail.3com.com
+2005Jul30 23:52:04 [96777] mail from <etec_nic_family@3mail.3com.com> ()
+2005Jul30 23:52:04 [96777] REJECT: no PTR, HELO or SPF
+</pre>
+</td></tr>
+
+<tr><th>PASS</th><td>
+A pass result normally lets the email continue on, but the domain is 
+tracked for reputation (and may be blocked), and may skip content scanning if
+it matches a whitelist.
+<pre>
+2005Jul24 17:44:26 [2104] mail from <gnucash-devel-bounces@gnucash.org> ('SIZE=4410',)
+2005Jul24 17:44:26 [2104] Received-SPF: pass (mail.bmsi.com: domain of gnucash.org
+	designates 204.107.200.65 as permitted sender)
+	client-ip=204.107.200.65; envelope-from=gnucash-devel-bounces@gnucash.org; helo=cvs.gnucash.org;
+</pre>
+</td></tr>
+
+<tr><th>NEUTRAL</th><td>
+A neutral result normally lets the email continue on, but the domain is not
+tracked for reputation or matched against any whitelists. 
+Highly forged domains listed in <code>[SPF]reject_neutral</code> are
+rejected.
+<pre>
+2005Jul24 17:41:37 [2070] connect from cp500627-a.dbsch1.nb.home.nl at ('84.27.225.3', 3465) EXTERNAL
+2005Jul24 17:41:37 [2070] hello from cp500627-a.dbsch1.nb.home.nl
+2005Jul24 17:41:38 [2070] mail from <nwarjejkw@yahoo.com> ()
+2005Jul24 17:41:38 [2070] REJECT: SPF neutral for nwarjejkw@yahoo.com
+</pre>
+</td></tr>
+
+<tr><th>SOFTFAIL</th><td>
+A softfail result normally lets the email continue on, but the domain is not
+tracked for reputation or matched against any whitelists.  Furthermore,
+the message is flagged as needing Call Back Validation,
+and the highly forged domains listed in <code>[SPF]reject_neutral</code> are
+rejected as well.  
+<p>
+At present, we also require a valid HELO or PTR to avoid rejecting 
+a softfail.  But this should probably change to only require a
+successful CBV.
+<p>
+The Call Back Valildation sends a DSN to the purported sender informing
+them of the softfail.  If the message is legitimate, the sender needs
+to know about the softfail so that their email setup can be corrected.
+If the message is forged, the sender is informed of the forgery, confirming
+that SPF is protecting their reputation and encouraging a rapid transition
+to a strict policy.  If the purported sender does not accept the DSN,
+then the message is rejected.  The CBV status is cached to avoid
+annoying the purported sender with too many DSNs.  Currently, the DSN
+is repeated to the same sender once per month.
+<pre>
+2005Jul24 15:41:33 [801] mail from <Aitp@horafeliz.com> ()
+2005Jul24 15:41:33 [801] Received-SPF: softfail (mail.bmsi.com: transitioning domain of horafeliz.com
+	does not designate 221.184.83.185 as permitted sender)
+	client-ip=221.184.83.185; envelope-from=Aitp@horafeliz.com;
+	helo=p8185-ipad30funabasi.chiba.ocn.ne.jp;
+2005Jul24 15:41:33 [801] rcpt to <david@example.com> ()
+2005Jul24 15:41:35 [801] Subject: Microsoft, Adobe, Macromedia, Corel software. Up to 80% discount.
+2005Jul24 15:41:35 [801] X-Mailer: Microsoft Outlook, Build 10.0.2605
+2005Jul24 15:41:35 [801] CBV: Aitp@horafeliz.com
+2005Jul24 15:41:38 [801] REJECT: CBV: 550 <Aitp@horafeliz.com>: User unknown
+</pre>
+</td></tr>
+
+<tr><th>FAIL</th><td>
+The message is rejected with a reference the SPF why page.
+<pre>
+2005Jul30 19:53:27 [94070] connect from [212.70.52.16] at ('212.70.52.16', 3192) EXTERNAL DYN
+2005Jul30 19:53:27 [94070] hello from winzip.com
+2005Jul30 19:53:27 [94070] mail from <dan@winzip.com> ()
+2005Jul30 19:53:27 [94070] REJECT: SPF fail 550 SPF fail:
+	see http://openspf.com/why.html?sender=dan@winzip.com&ip=212.70.52.16
+</pre>
+</td></tr>
+
+<tr><th>PERMERROR</th><td>
+Permanent errors were called "unknown", and are still show that way
+in the log.  The message is rejected.  Previously, we enabled "lax" parsing
+of the SPF record, but rejecting is better because it informs the
+sender about their problem.  The next milter version will 
+look for a local substitute SPF record (as for a missing SPF record)
+before rejecting.  This will inform the sender of their problem, but
+also let the receiver install a temporary workaround.
+<pre>
+2005Jul24 18:05:37 [2312] mail from <b-mihdbcgaacaa-becibijh-000-@msg.euxiphipops.com> () 
+2005Jul24 18:05:37 [2312] REJECT: SPF unknown 550 SPF Permanent Error:
+	include mechanism missing domain: include
+</pre>
+The SPF record for msg.euxiphipops.com looked like this at the time of the
+above error:
+<pre>
+msg.euxiphipops.com	TXT "v=spf1 mx ptr a include"
+</pre>
+</td></tr>
+
+<tr><th>TEMPERROR</th><td>
+Temporary errors result in a 451 "Try again later" response.  The sender
+should retry the message at a later time.
+<pre>
+2005Jul24 07:33:13 [29846] mail from <quickenloans@rate.quicken.com> ('SIZE=73775', 'BODY=8BITMIME')
+2005Jul24 07:33:43 [29846] TEMPFAIL: SPF error 450 SPF Temporary Error: DNS Timeout
+</pre>
+</td></tr>
+
+</table>
+
+</body>
+</html>

quarantine.txt

@@ -0,0 +1,26 @@
+Subject: DELIVERY STATUS (POSSIBLE SPAM)
+
+This is an automatically generated Delivery Status Notification.
+
+THIS IS A WARNING MESSAGE ONLY.
+
+YOU DO *NOT* NEED TO RESEND YOUR MESSAGE.
+
+Delivery to the following recipients has been delayed.
+
+       %(rcpt)s
+
+Subject: %(subject)s
+Received-SPF: %(spf_result)s
+
+A statistical analysis of your message has classified it as junk mail,
+and it has been quarantined.  Eventually, the recipients will review
+their quarantined mail and may notice your message.  If your message is
+important, please contact them via other means.  You may also try sending
+them a simple plain text message.
+
+If you need further assistance, please do not hesitate to contact me.
+
+Kind regards,
+
+postmaster@%(receiver)s

setup.cfg

@@ -1,5 +1,5 @@
 [bdist_rpm]
-python=python2
+python=python2.4
 doc_files=README NEWS TODO
 packager=Stuart D. Gathman <stuart@bmsi.com>
-release=2.4
+release=1

setup.py

@@ -1,6 +1,7 @@
 import os
 import sys
 from distutils.core import setup, Extension
+import Milter
 
 # FIXME: on some versions of sendmail, smutil is renamed to sm
 libs = ["milter", "smutil"]
@@ -12,7 +13,7 @@ if sys.version < '2.2.3':
   DistributionMetadata.classifiers = None
   DistributionMetadata.download_url = None
 
-setup(name = "milter", version = "0.8.2",
+setup(name = "milter", version = Milter.__version__,
 	description="Python interface to sendmail milter API",
 	long_description="""\
 This is a python extension module to enable python scripts to

softfail.txt

@@ -1,4 +1,4 @@
-Subject: SPF softfail (POSSIBLE FORGERY)
+Subject: SPF %(result)s (POSSIBLE FORGERY)
 
 This is an automatically generated Delivery Status Notification.
 
@@ -14,7 +14,9 @@ Subject: %(subject)s
 Received-SPF: %(spf_result)s
 
 Your sender policy indicated that the above email was likely forged and that
-feedback was desired.
+feedback was desired.  If you are sending from a foreign ISP,
+then you may need to follow your home ISPs instructions for configuring
+your outgoing mail server.
 
 If you need further assistance, please do not hesitate to contact me.
 

spf.py

@@ -47,6 +47,28 @@ For news, bugfixes, etc. visit the home page for this implementation at
 # Terrence is not responding to email.
 #
 # $Log$
+# Revision 1.13  2005/07/22 16:00:23  customdesigned
+# Limit CNAME chains independently of DNS lookup limit
+#
+# Revision 1.31  2005/07/22 02:11:50  customdesigned
+# Use dictionary to check for CNAME loops.  Check limit independently for
+# each top level name, just like for PTR.
+#
+# Revision 1.30  2005/07/21 20:07:31  customdesigned
+# Translate DNS error in DNSLookup.  This completely isolates DNS
+# dependencies to the DNSLookup method.
+#
+# Revision 1.29  2005/07/21 17:49:39  customdesigned
+# My best guess at what RFC intended for limiting CNAME loops.
+#
+# Revision 1.28  2005/07/21 17:37:08  customdesigned
+# Break out external DNSLookup method so that test suite can
+# duplicate CNAME loop bug.  Test zone data dictionary now
+# mirrors structure of real DNS.
+#
+# Revision 1.27  2005/07/21 15:26:06  customdesigned
+# First cut at updating docs.  Test suite is obsolete.
+#
 # Revision 1.26  2005/07/20 03:12:40  customdesigned
 # When not in strict mode, don't give PermErr for bad mechanism until
 # encountered during evaluation.
@@ -253,6 +275,16 @@ if not hasattr(DNS.Type,'SPF'):
   DNS.Type.typemap[99] = 'SPF'
   DNS.Lib.RRunpacker.getSPFdata = DNS.Lib.RRunpacker.getTXTdata
 
+def DNSLookup(name,qtype):
+  try:
+    req = DNS.DnsRequest(name, qtype=qtype)
+    resp = req.req()
+    #resp.show()
+    # key k: ('wayforward.net', 'A'), value v
+    return [((a['name'], a['typename']), a['data']) for a in resp.answers]
+  except DNS.DNSError,x:
+    raise TempError,'DNS ' + str(x)
+
 # 32-bit IPv4 address mask
 MASK = 0xFFFFFFFFL
 
@@ -305,6 +337,7 @@ DEFAULT_SPF = 'v=spf1 a/24 mx/24 ptr'
 MAX_LOOKUP = 10 #draft-schlitt-spf-classic-02 Para 10.1
 MAX_MX = 10 #draft-schlitt-spf-classic-02 Para 10.1
 MAX_PTR = 10 #draft-schlitt-spf-classic-02 Para 10.1
+MAX_CNAME = 10 # analogous interpretation to MAX_PTR
 MAX_RECURSION = 20
 ALL_MECHANISMS = ('a', 'mx', 'ptr', 'exists', 'include', 'ip4', 'ip6', 'all')
 COMMON_MISTAKES = { 'prt': 'ptr', 'ip': 'ip4', 'ipv4': 'ip4', 'ipv6': 'ip6' }
@@ -409,6 +442,9 @@ class query(object):
 	>>> q.check(spf='v=spf1 ip4:192.0.0.0/8 ?all moo')
 	('unknown', 550, 'SPF Permanent Error: Unknown mechanism found: moo')
 
+	>>> q.check(spf='v=spf1 =a ?all moo')
+	('unknown', 550, 'SPF Permanent Error: Unknown qualifier, IETF draft para 4.6.1, found in: =a')
+
 	>>> q.check(spf='v=spf1 ip4:192.0.0.0/8 ~all')
 	('pass', 250, 'sender SPF verified')
 
@@ -450,8 +486,6 @@ class query(object):
 			  self.perm_error.ext = rc
 			  raise self.perm_error
 			return rc
-		except DNS.DNSError,x:
-			return ('error', 450, 'SPF DNS Error: ' + str(x))
 		except TempError,x:
 			return ('error', 450, 'SPF Temporary Error: ' + str(x))
 		except PermError,x:
@@ -601,9 +635,15 @@ class query(object):
 		      if res == 'pass':
 			break
 		      if res == 'none':
+			try:
+			  if self.strict or not self.perm_error:
 			    raise PermError(
 			      'No valid SPF record for included domain: %s'%arg,
 			      mech)
+			except PermError,x:
+			  if self.strict:
+			    raise x
+			  self.perm_error = x
 		      continue
 		    elif m == 'all':
 			    break
@@ -844,7 +884,7 @@ class query(object):
 		"""Get a list of domain names for an IP address."""
 		return self.dns(reverse_dots(i) + ".in-addr.arpa", 'PTR')
 
-	def dns(self, name, qtype):
+	def dns(self, name, qtype, cnames=None):
 		"""DNS query.
 
 		If the result is in cache, return that.  Otherwise pull the
@@ -861,18 +901,21 @@ class query(object):
 		result = self.cache.get( (name, qtype) )
 		cname = None
 		if not result:
-			req = DNS.DnsRequest(name, qtype=qtype)
-			resp = req.req()
-			#resp.show()
-			for a in resp.answers:
-			    # key k: ('wayforward.net', 'A'), value v
-			    k, v = (a['name'], a['typename']), a['data']
+			for k,v in DNSLookup(name,qtype):
 			    if k == (name, 'CNAME'):
 				cname = v
 			    self.cache.setdefault(k, []).append(v)
 			result = self.cache.get( (name, qtype), [])
 		if not result and cname:
-			result = self.dns(cname, qtype)
+			if not cnames:
+			  cnames = {}
+			elif len(cnames) >= MAX_CNAME:
+			  raise PermError(
+			    'Length of CNAME chain exceeds %d' % MAX_CNAME)
+			cnames[name] = cname
+			if cname in cnames:
+			  raise PermError,'CNAME loop'
+			result = self.dns(cname, qtype, cnames=cnames)
 		return result
 
 	def get_header(self,res,receiver=None):

testbms.py

@@ -1,4 +1,5 @@
 import unittest
+import doctest
 import Milter
 import bms
 import mime
@@ -22,7 +23,7 @@ class TestMilter(bms.bmsMilter):
 
   def getsymval(self,name):
     if name == 'j': return 'test.milter.org'
-    return bms.bmsMilter.getsymval(self,name)
+    return ''
 
   def replacebody(self,chunk):
     if self._body:
@@ -284,7 +285,10 @@ class BMSMilterTestCase(unittest.TestCase):
 #    self.failUnless(rc == Milter.REJECT)
 #    milter.close();
 
-def suite(): return unittest.makeSuite(BMSMilterTestCase,'test')
+def suite(): 
+  s = unittest.makeSuite(BMSMilterTestCase,'test')
+  s.addTest(doctest.DocTestSuite(bms))
+  return s
 
 if __name__ == '__main__':
   if len(sys.argv) > 1:
@@ -296,4 +300,5 @@ if __name__ == '__main__':
       fp = milter._body
       sys.stdout.write(fp.getvalue())
   else:
-    unittest.main()
+    #unittest.main()
+    unittest.TextTestRunner().run(suite())