author | jperkin <jperkin@pkgsrc.org> | 2022-05-12 13:49:28 +0000 |
---|---|---|
committer | jperkin <jperkin@pkgsrc.org> | 2022-05-12 13:49:28 +0000 |
commit | a6e87d428692e8d2308a602f13a2afa4d0a41dac (patch) | |
tree | 356c5487a0f81fca957d12bab54aa86f0da0a90b | |
parent | 92b7ff74da57223ab7ac1768b29352fb1b22c4f7 (diff) | |
download | pkgsrc-a6e87d428692e8d2308a602f13a2afa4d0a41dac.tar.gz |
opendmarc: Update to 1.4.2 and overhaul package.
pkgsrc changes:
* Use PKG_SYSCONFSUBDIR, there are a number of extra files supported in
the configuration file so everything should live in a sub-directory.
HEADS-UP! Users will need to migrate over to new config file location.
* Create opendmarc user/group, not currently used in rc.d script.
* Fix build on SunOS and add SMF support.
* Split multi-file patch correctly into separate files.
* Add TEST_TARGET.
* Various pkglint and cleanup.
opendmarc changes:
1.4.2 2021/12/19
Fix issue #175: Don't reject a multi-valued From when all of the
domains match.
Fix issue #179: Don't crash when a value in a multi-valued From field
is missing a domain name. Resolves CVE-2021-34555.
-rw-r--r-- | mail/opendmarc/Makefile | 51 | ||||
-rw-r--r-- | mail/opendmarc/distinfo | 21 | ||||
-rw-r--r-- | mail/opendmarc/files/smf/manifest.xml | 41 | ||||
-rw-r--r-- | mail/opendmarc/files/smf/opendmarc.sh | 14 | ||||
-rw-r--r-- | mail/opendmarc/patches/patch-RequiredFrom | 122 | ||||
-rw-r--r-- | mail/opendmarc/patches/patch-libopendmarc_opendmarc__dns.c | 10 | ||||
-rw-r--r-- | mail/opendmarc/patches/patch-opendmarc_opendmarc-arcares.c | 10 | ||||
-rw-r--r-- | mail/opendmarc/patches/patch-opendmarc_opendmarc-arcseal.c | 10 | ||||
-rw-r--r-- | mail/opendmarc/patches/patch-opendmarc_opendmarc-config.h | 17 | ||||
-rw-r--r-- | mail/opendmarc/patches/patch-opendmarc_opendmarc.c | 62 | ||||
-rw-r--r-- | mail/opendmarc/patches/patch-opendmarc_opendmarc.conf.5.in | 24 | ||||
-rw-r--r-- | mail/opendmarc/patches/patch-opendmarc_opendmarc.conf.sample | 25 | ||||
-rw-r--r-- | mail/opendmarc/patches/patch-opendmarc_parse.c | 13 |
13 files changed, 246 insertions, 174 deletions
diff --git a/mail/opendmarc/Makefile b/mail/opendmarc/Makefile index ec90aa3fe8f..db9fbd4ccce 100644 --- a/mail/opendmarc/Makefile +++ b/mail/opendmarc/Makefile @@ -1,13 +1,11 @@ -# $NetBSD: Makefile,v 1.26 2021/05/27 16:52:00 manu Exp $ +# $NetBSD: Makefile,v 1.27 2022/05/12 13:49:28 jperkin Exp $ -GITHUB_PROJECT= OpenDMARC -GITHUB_TAG= rel-opendmarc-1-4-1-1 -DISTNAME= rel-opendmarc-1-4-1-1 -PKGNAME= opendmarc-1.4.1.1 -#PKGREVISION= 1 +DISTNAME= rel-${PKGNAME:C/\./-/g} +PKGNAME= opendmarc-1.4.2 CATEGORIES= mail MASTER_SITES= ${MASTER_SITE_GITHUB:=trusteddomainproject/} -DIST_SUBDIR= ${GITHUB_PROJECT} +GITHUB_PROJECT= OpenDMARC +GITHUB_TAG= ${DISTNAME} MAINTAINER= pettai@NetBSD.org HOMEPAGE= http://www.trusteddomain.org/opendmarc/ @@ -15,13 +13,10 @@ COMMENT= Open source DMARC library, MTA filter implementation and tools LICENSE= modified-bsd DEPENDS+= p5-DBI-[0-9]*:../../databases/p5-DBI -DEPENDS+= p5-DBD-mysql-[0-9]*:../../databases/p5-DBD-mysql -#DEPENDS+= {perl>=5.6.1,p5-File-Temp-[0-9]*}:../../devel/p5-File-Temp +DEPENDS+= p5-DBD-{mariadb,mysql,percona}*-[0-9]*:../../databases/p5-DBD-mysql DEPENDS+= p5-Switch-[0-9]*:../../lang/p5-Switch DEPENDS+= p5-HTTP-Message-[0-9]*:../../www/p5-HTTP-Message -RCD_SCRIPTS= opendmarc - USE_LIBTOOL= yes USE_TOOLS+= perl autoconf automake 
@@ -30,27 +25,49 @@ CONFIGURE_ARGS+= --sysconfdir=${PKG_SYSCONFDIR} CONFIGURE_ARGS+= --with-milter=${BUILDLINK_PREFIX.libmilter} CONFIGURE_ARGS+= --with-spf CONFIGURE_ARGS+= --with-spf2-lib=${BUILDLINK_PREFIX.libspf2}/lib -CONFIGURE_ARGS+= --with-spf2-include=${BUILDLINK_PREFIX.libspf2}/include/spf2 +CONFIGURE_ARGS+= --with-spf2-include=${BUILDLINK_PREFIX.libspf2}/include/spf2 + +LDFLAGS.SunOS+= -lsocket -lnsl + +TEST_TARGET= check REPLACE_PERL= reports/opendmarc-expire.in REPLACE_PERL+= reports/opendmarc-import.in REPLACE_PERL+= reports/opendmarc-params.in REPLACE_PERL+= reports/opendmarc-reports.in +OPENDMARC_USER?= opendmarc +OPENDMARC_GROUP?= opendmarc +PKG_GROUPS= ${OPENDMARC_GROUP} +PKG_USERS= ${OPENDMARC_USER}:${OPENDMARC_GROUP} +PKG_GROUPS_VARS= OPENDMARC_GROUP +PKG_USERS_VARS= OPENDMARC_USER + +PKG_GECOS.${OPENDMARC_USER}= OpenDMARC user + EGDIR= ${PREFIX}/share/examples/${PKGBASE} +FILES_SUBST+= OPENDMARC_USER=${OPENDMARC_USER} +FILES_SUBST+= OPENDMARC_GROUP=${OPENDMARC_GROUP} + +RCD_SCRIPTS= opendmarc +SMF_METHODS= opendmarc + +PKG_SYSCONFSUBDIR= opendmarc + +CONF_FILES+= ${EGDIR}/opendmarc.conf.sample ${PKG_SYSCONFDIR}/opendmarc.conf + INSTALLATION_DIRS= ${EGDIR} pre-configure: - set -e; cd ${WRKSRC}; \ - libtoolize; aclocal; autoheader; automake -a --foreign -i; autoconf + ${RUN} cd ${WRKSRC} && autoreconf -fiv post-install: - ${INSTALL_DATA} ${WRKSRC}/opendmarc/opendmarc.conf.sample \ - ${DESTDIR}${EGDIR}/ + ${SED} -e 's,/usr/local/etc/opendmarc,${PKG_SYSCONFDIR},g' \ + ${WRKSRC}/opendmarc/opendmarc.conf.sample \ + > ${DESTDIR}${EGDIR}/opendmarc.conf.sample .include "../../security/openssl/buildlink3.mk" -BUILDLINK_API_DEPENDS.libmilter+= libmilter>=8.13.0 .include "../../mail/libmilter/buildlink3.mk" .include "../../mail/libspf2/buildlink3.mk" .include "../../mk/pthread.buildlink3.mk" diff --git a/mail/opendmarc/distinfo b/mail/opendmarc/distinfo index e66f3eeb8e3..623d3a4d4c1 100644 --- a/mail/opendmarc/distinfo +++ b/mail/opendmarc/distinfo 
@@ -1,10 +1,13 @@ -$NetBSD: distinfo,v 1.13 2021/10/26 10:54:11 nia Exp $ +$NetBSD: distinfo,v 1.14 2022/05/12 13:49:28 jperkin Exp $ -BLAKE2s (OpenDMARC/rel-opendmarc-1-4-1-1.tar.gz) = 21878b7811a533941b51eaad28b27bdd2f6cd0fe143820eb6ac55e767ad2d923 -SHA512 (OpenDMARC/rel-opendmarc-1-4-1-1.tar.gz) = ee034386c70c75b87ca2fce0849a1a3538e10e0aebfb0fc9dcba6817d2cf71f52aa5586ccaacdee620190c5fbb81498419fb8e8db9fac15d7c71a61a7da396a6 -Size (OpenDMARC/rel-opendmarc-1-4-1-1.tar.gz) = 426618 bytes -SHA1 (patch-RequiredFrom) = c89853a3fabcc48653b94169f49ea3c5923254d3 -SHA1 (patch-libopendmarc_opendmarc__dns.c) = b1f697c930808b5c5724331dead3cf29c024d69b -SHA1 (patch-opendmarc_opendmarc-arcares.c) = 0984b42e943d6a17eeb5725508dfbcf107b23169 -SHA1 (patch-opendmarc_opendmarc-arcseal.c) = 98edb0d22e7c693d327ba98ba186605060d36e2f -SHA1 (patch-opendmarc_parse.c) = c4b521a4542a4dc7db8baf088bb297493bf46a83 +BLAKE2s (rel-opendmarc-1-4-2.tar.gz) = 7b26aee1966989d89f862a8dd1771ab18c06585dcf2bba8e951d0d89d5324118 +SHA512 (rel-opendmarc-1-4-2.tar.gz) = 415278c6c09460379538ad10ea4033815a677ddad138b8a07609c287360d1739acdba5d1fe07d0e35764850af8a141c0c70a9311254104b93d2c1bbc8b6f7a69 +Size (rel-opendmarc-1-4-2.tar.gz) = 426996 bytes +SHA1 (patch-libopendmarc_opendmarc__dns.c) = 44a8edc083c922257695835dc6de3d840ee4a7ab +SHA1 (patch-opendmarc_opendmarc-arcares.c) = cd38a216b2c1b115c78044007d9480168302f5d8 +SHA1 (patch-opendmarc_opendmarc-arcseal.c) = 93e2779d7a46f163d28092ef71faf7bfe7eead39 +SHA1 (patch-opendmarc_opendmarc-config.h) = f488fcccdde9aa1151f6bf65bcadf2564a8acec2 +SHA1 (patch-opendmarc_opendmarc.c) = b23746dc57ac52813311890a569eb1ef6ad64f7e +SHA1 (patch-opendmarc_opendmarc.conf.5.in) = 86ee7fb06760f9f79cddb7f8e694a0e9fb91750f +SHA1 (patch-opendmarc_opendmarc.conf.sample) = f1a8f5d55bd6e6a14bce1d900bfd655f1b7243de +SHA1 (patch-opendmarc_parse.c) = f0dfe945792dcf072b2a34b549814464ccb1f4e9 
diff --git a/mail/opendmarc/files/smf/manifest.xml b/mail/opendmarc/files/smf/manifest.xml new file mode 100644 index 00000000000..0fc0d2ee867 --- /dev/null +++ b/mail/opendmarc/files/smf/manifest.xml 
@@ -0,0 +1,41 @@ +<?xml version="1.0"?> +<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1"> +<service_bundle type="manifest" name="export"> + <service name="@SMF_PREFIX@/@SMF_NAME@" type="service" version="1"> + <create_default_instance enabled="false" /> + <single_instance /> + <dependency name="network" grouping="require_all" restart_on="error" type="service"> + <service_fmri value="svc:/milestone/network:default" /> + </dependency> + <dependency name="filesystem" grouping="require_all" restart_on="error" type="service"> + <service_fmri value="svc:/system/filesystem/local" /> + </dependency> + <method_context working_directory="@VARBASE@/run/opendmarc"> + <method_credential user="@OPENDMARC_USER@" group="@OPENDMARC_USER@" /> + </method_context> + <exec_method type="method" name="start" exec="@PREFIX@/@SMF_METHOD_FILE.opendmarc@ -c %{config_file}" timeout_seconds="60" /> + <exec_method type="method" name="stop" exec=":kill" timeout_seconds="60" /> + <property_group name="startd" type="framework"> + <propval name="duration" type="astring" value="contract" /> + <propval name="ignore_error" type="astring" value="core,signal" /> + </property_group> + <property_group name="application" type="application"> + <propval name="config_file" type="astring" value="@PKG_SYSCONFDIR@/opendmarc.conf" /> + </property_group> + <template> + <common_name> + <loctext xml:lang="C">OpenDMARC daemon</loctext> + </common_name> + <documentation> + <manpage title="opendmarc.conf" section="5" manpath="@PREFIX@/@PKGMANDIR@"/> + <manpage title="opendmarc-check" section="8" manpath="@PREFIX@/@PKGMANDIR@"/> + <manpage title="opendmarc-expire" section="8" manpath="@PREFIX@/@PKGMANDIR@"/> + <manpage title="opendmarc-import" section="8" manpath="@PREFIX@/@PKGMANDIR@"/> + <manpage title="opendmarc-importstats" section="8" manpath="@PREFIX@/@PKGMANDIR@"/> + <manpage title="opendmarc-params" section="8" manpath="@PREFIX@/@PKGMANDIR@"/> + <manpage title="opendmarc-reports" 
section="8" manpath="@PREFIX@/@PKGMANDIR@"/> + <manpage title="opendmarc" section="8" manpath="@PREFIX@/@PKGMANDIR@"/> + </documentation> + </template> + </service> +</service_bundle> diff --git a/mail/opendmarc/files/smf/opendmarc.sh b/mail/opendmarc/files/smf/opendmarc.sh new file mode 100644 index 00000000000..d1c50be269a --- /dev/null +++ b/mail/opendmarc/files/smf/opendmarc.sh @@ -0,0 +1,14 @@ +#!@SMF_METHOD_SHELL@ +# +# $NetBSD: opendmarc.sh,v 1.1 2022/05/12 13:49:28 jperkin Exp $ +# + +. /lib/svc/share/smf_include.sh + +if [ ! -d @VARBASE@/run/opendmarc ]; then + @MKDIR@ @VARBASE@/run/opendmarc + @CHMOD@ 0750 @VARBASE@/run/opendmarc + @CHOWN@ @OPENDMARC_USER@:@OPENDMARC_GROUP@ @VARBASE@/run/opendmarc +fi + +@PREFIX@/sbin/opendmarc "$@" diff --git a/mail/opendmarc/patches/patch-RequiredFrom b/mail/opendmarc/patches/patch-RequiredFrom deleted file mode 100644 index 54c31b74044..00000000000 --- a/mail/opendmarc/patches/patch-RequiredFrom +++ /dev/null 
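Review bot: The `method_credential` element in the new manifest sets `group="@OPENDMARC_USER@"`, so the service group follows the user name rather than the group the package creates. The Makefile in this commit declares `OPENDMARC_GROUP` separately (its own `?=` default, PKG_GROUPS_VARS and FILES_SUBST entry), so the two can be overridden independently. With the defaults both expand to `opendmarc` and nothing breaks, but a site that sets a different OPENDMARC_GROUP would get a start method running under a group that may not exist or does not own the run directory. The line should read `<method_credential user="@OPENDMARC_USER@" group="@OPENDMARC_GROUP@" />`.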
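Review bot: The run-directory setup in opendmarc.sh probably cannot take effect as written, because the manifest added in the same commit runs the start method as `@OPENDMARC_USER@` with `working_directory="@VARBASE@/run/opendmarc"`. An unprivileged method cannot normally create a directory under `@VARBASE@/run` or `chown` it, and the working directory presumably has to exist before the script is entered at all. The results of `@MKDIR@`, `@CHMOD@` and `@CHOWN@` are also ignored, so the daemon is launched even when the directory is missing or has the wrong owner or mode. Either create the directory from a privileged context and leave the identity drop to the daemon's own `UserID` setting, or at least fail the method when setup fails, e.g. `@MKDIR@ @VARBASE@/run/opendmarc || exit $SMF_EXIT_ERR_FATAL`.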
@@ -1,122 +0,0 @@ -$NetBSD: patch-RequiredFrom,v 1.2 2021/05/27 16:52:00 manu Exp $ - -Add RequiredFrom option to reject messages that lack a From header -from which a valid domain can be extracted - -Submitted upstream as -https://github.com/trusteddomainproject/OpenDMARC/pull/147 - ---- ./opendmarc/opendmarc.c.orig 2021-04-30 18:34:43.000000000 +0200 -+++ ./opendmarc/opendmarc.c 2021-05-27 10:20:33.880652427 +0200 -@@ -163,8 +163,9 @@ - /* DMARCF_CONFIG -- configuration object */ - struct dmarcf_config - { - _Bool conf_reqhdrs; -+ _Bool conf_reqfrom; - _Bool conf_afrf; - _Bool conf_afrfnone; - _Bool conf_rejectfail; - _Bool conf_dolog; -@@ -1422,8 +1423,12 @@ - (void) config_get(data, "RequiredHeaders", - &conf->conf_reqhdrs, - sizeof conf->conf_reqhdrs); - -+ (void) config_get(data, "RequiredFrom", -+ &conf->conf_reqfrom, -+ sizeof conf->conf_reqfrom); -+ - (void) config_get(data, "FailureReports", - &conf->conf_afrf, - sizeof conf->conf_afrf); - -@@ -2453,13 +2458,17 @@ - { - if (conf->conf_dolog) - { - syslog(LOG_INFO, -- "%s: RFC5322 requirement error: missing From field; accepting", -- dfc->mctx_jobid); -+ "%s: RFC5322 requirement error: missing From field; %s", -+ dfc->mctx_jobid, -+ conf->conf_reqfrom ? "reject" : "accepting"); - } - -- return SMFIS_ACCEPT; -+ if (conf->conf_reqfrom) -+ return SMFIS_REJECT; -+ else -+ return SMFIS_ACCEPT; - } - - /* extract 
From: addresses */ - memset(addrbuf, '\0', sizeof addrbuf); -@@ -2495,13 +2504,13 @@ - { - if (conf->conf_dolog) - { - syslog(LOG_ERR, -- "%s: unable to parse From header field", -- dfc->mctx_jobid); -+ "%s: unable to parse From header field \"%s\"", -+ dfc->mctx_jobid, from->hdr_value); - } - -- if (conf->conf_reqhdrs) -+ if (conf->conf_reqhdrs || conf->conf_reqfrom) - return SMFIS_REJECT; - else - return SMFIS_ACCEPT; - } ---- ./opendmarc/opendmarc.conf.5.in.orig 2021-04-30 18:34:43.000000000 +0200 -+++ ./opendmarc/opendmarc.conf.5.in 2021-05-27 10:20:33.881043733 +0200 -@@ -287,8 +287,16 @@ - failing this test are rejected without further processing. A 
From: - field from which no domain name could be extracted will also be rejected. - - .TP -+.I RequiredFrom (Boolean) -+If set, the filter will reject without further processing messages that lack a -+From: field from which a domain name could be extracted. This options is -+without effect if -+.I RequiredHeaders -+is set to "true". -+ -+.TP - .I Socket (string) - Specifies the socket that should be established by the filter to receive - connections from - .I sendmail(8) ---- ./opendmarc/opendmarc-config.h.orig 2021-04-30 18:34:43.000000000 +0200 -+++ ./opendmarc/opendmarc-config.h 2021-05-27 10:23:12.866999966 +0200 -@@ -44,8 +44,9 @@ - { "PidFile", CONFIG_TYPE_STRING, FALSE }, - { "PublicSuffixList", CONFIG_TYPE_STRING, FALSE }, - { "RecordAllMessages", CONFIG_TYPE_BOOLEAN, FALSE }, - { "RequiredHeaders", CONFIG_TYPE_BOOLEAN, FALSE }, -+ { "RequiredFrom", CONFIG_TYPE_BOOLEAN, FALSE }, - { "RejectFailures", CONFIG_TYPE_BOOLEAN, FALSE }, - { "RejectMultiValueFrom", CONFIG_TYPE_BOOLEAN, FALSE }, - { "ReportCommand", CONFIG_TYPE_STRING, FALSE }, - { "Socket", CONFIG_TYPE_STRING, FALSE }, ---- ./opendmarc/opendmarc.conf.sample.orig 2021-04-30 18:34:43.000000000 +0200 -+++ ./opendmarc/opendmarc.conf.sample 2021-05-27 10:20:33.882715995 +0200 -@@ -343,8 +343,17 @@ - ## rejected. - # - # RequiredHeaders false - -+## RequiredFrom { true | false } -+## default "false" -+## -+## If set, the filter will reject without further processing messages that -+## lack a From: field from which a domain name could be extracted. This -+## options is without effect if RequiredHeaders is set to "true". -+# -+# RequiredFrom false -+ - ## Socket socketspec - ## default (none) - ## - ## Specifies the socket that should be established by the filter to receive diff --git a/mail/opendmarc/patches/patch-libopendmarc_opendmarc__dns.c b/mail/opendmarc/patches/patch-libopendmarc_opendmarc__dns.c index d8e985d30e3..92b8efc9cf2 100644 --- a/mail/opendmarc/patches/patch-libopendmarc_opendmarc__dns.c 
+++ b/mail/opendmarc/patches/patch-libopendmarc_opendmarc__dns.c @@ -1,11 +1,10 @@ -$NetBSD: patch-libopendmarc_opendmarc__dns.c,v 1.3 2021/05/27 16:52:00 manu Exp $ +$NetBSD: patch-libopendmarc_opendmarc__dns.c,v 1.4 2022/05/12 13:49:28 jperkin Exp $ Make sure res_init works on zeroed structure ---- libopendmarc/opendmarc_dns.c.orig 2021-05-27 10:27:22.653313507 +0200 -+++ libopendmarc/opendmarc_dns.c 2021-05-27 10:26:59.377412037 +0200 -@@ -202,8 +202,9 @@ - while (*bp == '.') +--- libopendmarc/opendmarc_dns.c.orig 2021-12-20 06:40:37.000000000 +0000 ++++ libopendmarc/opendmarc_dns.c +@@ -203,6 +203,7 @@ dmarc_dns_get_record(char *domain, int * ++bp; #ifdef HAVE_RES_NINIT @@ -13,4 +12,3 @@ Make sure res_init works on zeroed structure res_ninit(&resp); #ifdef RES_USE_DNSSEC resp.options |= RES_USE_DNSSEC; - #endif diff --git a/mail/opendmarc/patches/patch-opendmarc_opendmarc-arcares.c b/mail/opendmarc/patches/patch-opendmarc_opendmarc-arcares.c index e4b250307e9..5567b011c79 100644 --- a/mail/opendmarc/patches/patch-opendmarc_opendmarc-arcares.c +++ b/mail/opendmarc/patches/patch-opendmarc_opendmarc-arcares.c @@ -1,11 +1,10 @@ -$NetBSD: patch-opendmarc_opendmarc-arcares.c,v 1.2 2021/05/27 16:52:00 manu Exp $ +$NetBSD: patch-opendmarc_opendmarc-arcares.c,v 1.3 2022/05/12 13:49:28 jperkin Exp $ Avoid handling a NULL pointer when parsing a malformed header ---- opendmarc/opendmarc-arcares.c.orig 2021-04-30 18:34:43.000000000 +0200 -+++ opendmarc/opendmarc-arcares.c 2021-05-27 10:30:03.036068852 +0200 -@@ -265,8 +265,10 @@ - token_ptr = token + leading_space_len; +--- opendmarc/opendmarc-arcares.c.orig 2021-12-20 06:40:37.000000000 +0000 ++++ opendmarc/opendmarc-arcares.c +@@ -266,6 +266,8 @@ opendmarc_arcares_arc_parse (u_char *hdr if (*token_ptr == '\0') return 0; tag_label = strsep(&token_ptr, "="); 
@@ -14,4 +13,3 @@ Avoid handling a NULL pointer when parsing a malformed header tag_value = opendmarc_arcares_strip_whitespace(token_ptr); tag_code = opendmarc_arcares_convert(aar_arc_tags, tag_label); - switch (tag_code) diff --git a/mail/opendmarc/patches/patch-opendmarc_opendmarc-arcseal.c b/mail/opendmarc/patches/patch-opendmarc_opendmarc-arcseal.c index 67f31b76f07..6b72c8b5113 100644 --- a/mail/opendmarc/patches/patch-opendmarc_opendmarc-arcseal.c +++ b/mail/opendmarc/patches/patch-opendmarc_opendmarc-arcseal.c @@ -1,11 +1,10 @@ -$NetBSD: patch-opendmarc_opendmarc-arcseal.c,v 1.2 2021/05/27 16:52:00 manu Exp $ +$NetBSD: patch-opendmarc_opendmarc-arcseal.c,v 1.3 2022/05/12 13:49:28 jperkin Exp $ Avoid handling a NULL pointer when parsing a malformed header ---- opendmarc/opendmarc-arcseal.c.orig 2021-04-30 18:34:43.000000000 +0200 -+++ opendmarc/opendmarc-arcseal.c 2021-05-27 10:31:21.308140659 +0200 -@@ -166,9 +166,13 @@ - token_ptr = token + leading_space_len; +--- opendmarc/opendmarc-arcseal.c.orig 2021-12-20 06:40:37.000000000 +0000 ++++ opendmarc/opendmarc-arcseal.c +@@ -167,7 +167,11 @@ opendmarc_arcseal_parse(u_char *hdr, str if (*token_ptr == '\0') return 0; tag_label = strsep(&token_ptr, "="); @@ -17,4 +16,3 @@ Avoid handling a NULL pointer when parsing a malformed header tag_code = opendmarc_arcseal_convert(as_tags, tag_label); - switch (tag_code) diff --git a/mail/opendmarc/patches/patch-opendmarc_opendmarc-config.h b/mail/opendmarc/patches/patch-opendmarc_opendmarc-config.h new file mode 100644 index 00000000000..80da2107bd5 --- /dev/null +++ b/mail/opendmarc/patches/patch-opendmarc_opendmarc-config.h 
@@ -0,0 +1,17 @@ +$NetBSD: patch-opendmarc_opendmarc-config.h,v 1.1 2022/05/12 13:49:28 jperkin Exp $ + +Add RequiredFrom option to reject messages that lack a From header from which +a valid domain can be extracted. + +Submitted upstream https://github.com/trusteddomainproject/OpenDMARC/pull/147 + +--- opendmarc/opendmarc-config.h.orig 2021-12-20 06:40:37.000000000 +0000 ++++ opendmarc/opendmarc-config.h +@@ -45,6 +45,7 @@ struct configdef dmarcf_config[] = + { "PublicSuffixList", CONFIG_TYPE_STRING, FALSE }, + { "RecordAllMessages", CONFIG_TYPE_BOOLEAN, FALSE }, + { "RequiredHeaders", CONFIG_TYPE_BOOLEAN, FALSE }, ++ { "RequiredFrom", CONFIG_TYPE_BOOLEAN, FALSE }, + { "RejectFailures", CONFIG_TYPE_BOOLEAN, FALSE }, + { "RejectMultiValueFrom", CONFIG_TYPE_BOOLEAN, FALSE }, + { "ReportCommand", CONFIG_TYPE_STRING, FALSE }, diff --git a/mail/opendmarc/patches/patch-opendmarc_opendmarc.c b/mail/opendmarc/patches/patch-opendmarc_opendmarc.c new file mode 100644 index 00000000000..3b3b09eac42 --- /dev/null +++ b/mail/opendmarc/patches/patch-opendmarc_opendmarc.c 
@@ -0,0 +1,62 @@ +$NetBSD: patch-opendmarc_opendmarc.c,v 1.1 2022/05/12 13:49:28 jperkin Exp $ + +Add RequiredFrom option to reject messages that lack a From header from which +a valid domain can be extracted. + +Submitted upstream https://github.com/trusteddomainproject/OpenDMARC/pull/147 + +--- opendmarc/opendmarc.c.orig 2021-12-20 06:40:37.000000000 +0000 ++++ opendmarc/opendmarc.c +@@ -164,6 +164,7 @@ typedef struct dmarcf_connctx * DMARCF_C + struct dmarcf_config + { + _Bool conf_reqhdrs; ++ _Bool conf_reqfrom; + _Bool conf_afrf; + _Bool conf_afrfnone; + _Bool conf_rejectfail; +@@ -1423,6 +1424,10 @@ dmarcf_config_load(struct config *data, + &conf->conf_reqhdrs, + sizeof conf->conf_reqhdrs); + ++ (void) config_get(data, "RequiredFrom", ++ &conf->conf_reqfrom, ++ sizeof conf->conf_reqfrom); ++ + (void) config_get(data, "FailureReports", + &conf->conf_afrf, + sizeof conf->conf_afrf); +@@ -2455,11 +2460,15 @@ mlfi_eom(SMFICTX *ctx) + if (conf->conf_dolog) + { + syslog(LOG_INFO, +- "%s: RFC5322 requirement error: missing From field; accepting", +- dfc->mctx_jobid); ++ "%s: RFC5322 requirement error: missing From field; %s", ++ dfc->mctx_jobid, ++ conf->conf_reqfrom ? "reject" : "accepting"); + } + +- return SMFIS_ACCEPT; ++ if (conf->conf_reqfrom) ++ return SMFIS_REJECT; ++ else ++ return SMFIS_ACCEPT; + } + + /* extract From: addresses */ +@@ -2499,11 +2508,11 @@ mlfi_eom(SMFICTX *ctx) + if (conf->conf_dolog) + { + syslog(LOG_ERR, +- "%s: unable to parse From header field", +- dfc->mctx_jobid); ++ "%s: unable to parse From header field \"%s\"", ++ dfc->mctx_jobid, from->hdr_value); + } + +- if (conf->conf_reqhdrs) ++ if (conf->conf_reqhdrs || conf->conf_reqfrom) + return SMFIS_REJECT; + else + return SMFIS_ACCEPT; diff --git a/mail/opendmarc/patches/patch-opendmarc_opendmarc.conf.5.in b/mail/opendmarc/patches/patch-opendmarc_opendmarc.conf.5.in new file mode 100644 index 00000000000..a1777e09f95 --- /dev/null 
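Review bot: The rewritten `syslog(LOG_ERR, ...)` call in the second mlfi_eom hunk writes `from->hdr_value` into the log unmodified, and that value is message content chosen by the sender. The format string is a literal, so this is not a format-string issue, but a From field that failed to parse may carry control characters, folded lines or a very long value, which makes the resulting log lines unreliable for anyone reading or parsing them. Bounding the field is a one-line change, `"%s: unable to parse From header field \"%.128s\""`, and replacing non-printable bytes before logging would be better still. Separately, the first message now ends in `reject` in one case and `accepting` in the other; `rejecting` would keep the wording parallel. mlfi_eom starts and ends outside these hunks, so whether `conf_reqhdrs` is handled earlier for the missing-From case cannot be confirmed from here.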
+++ b/mail/opendmarc/patches/patch-opendmarc_opendmarc.conf.5.in @@ -0,0 +1,24 @@ +$NetBSD: patch-opendmarc_opendmarc.conf.5.in,v 1.1 2022/05/12 13:49:28 jperkin Exp $ + +Add RequiredFrom option to reject messages that lack a From header from which +a valid domain can be extracted. + +Submitted upstream https://github.com/trusteddomainproject/OpenDMARC/pull/147 + +--- opendmarc/opendmarc.conf.5.in.orig 2021-12-20 06:40:37.000000000 +0000 ++++ opendmarc/opendmarc.conf.5.in +@@ -288,6 +288,14 @@ failing this test are rejected without f + field from which no domain name could be extracted will also be rejected. + + .TP ++.I RequiredFrom (Boolean) ++If set, the filter will reject without further processing messages that lack a ++From: field from which a domain name could be extracted. This options is ++without effect if ++.I RequiredHeaders ++is set to "true". ++ ++.TP + .I Socket (string) + Specifies the socket that should be established by the filter to receive + connections from diff --git a/mail/opendmarc/patches/patch-opendmarc_opendmarc.conf.sample b/mail/opendmarc/patches/patch-opendmarc_opendmarc.conf.sample new file mode 100644 index 00000000000..b9850e60d16 --- /dev/null +++ b/mail/opendmarc/patches/patch-opendmarc_opendmarc.conf.sample @@ -0,0 +1,25 @@ +$NetBSD: patch-opendmarc_opendmarc.conf.sample,v 1.1 2022/05/12 13:49:28 jperkin Exp $ + +Add RequiredFrom option to reject messages that lack a From header from which +a valid domain can be extracted. + +Submitted upstream https://github.com/trusteddomainproject/OpenDMARC/pull/147 + +--- opendmarc/opendmarc.conf.sample.orig 2021-12-20 06:40:37.000000000 +0000 ++++ opendmarc/opendmarc.conf.sample +@@ -344,6 +344,15 @@ + # + # RequiredHeaders false + ++## RequiredFrom { true | false } ++## default "false" ++## ++## If set, the filter will reject without further processing messages that ++## lack a 
From: field from which a domain name could be extracted. This ++## options is without effect if RequiredHeaders is set to "true". ++# ++# RequiredFrom false ++ + ## Socket socketspec + ## default (none) + ## diff --git a/mail/opendmarc/patches/patch-opendmarc_parse.c b/mail/opendmarc/patches/patch-opendmarc_parse.c index d029965e908..8fe7265d423 100644 --- a/mail/opendmarc/patches/patch-opendmarc_parse.c +++ b/mail/opendmarc/patches/patch-opendmarc_parse.c @@ -1,7 +1,6 @@ -$NetBSD: patch-opendmarc_parse.c,v 1.1 2021/05/27 16:52:00 manu Exp $ +$NetBSD: patch-opendmarc_parse.c,v 1.2 2022/05/12 13:49:28 jperkin Exp $ -Make sure a trailing brackets corresponds to a leading one -aaa98f5 +Make sure a trailing brackets corresponds to a leading one. This fixes the case where the sender e-mail address is user@example.net> Without this fix, OpenDMARC parses the domain as example.net> and skip @@ -12,10 +11,9 @@ own, letting forged e-mail passing through to user mailboxes. Submitted upstream https://github.com/trusteddomainproject/OpenDMARC/pull/174 ---- opendmarc/parse.c.orig 2021-05-27 09:45:40.873727663 +0200 -+++ opendmarc/parse.c 2021-05-27 09:45:27.545312746 +0200 -@@ -444,8 +444,13 @@ - *w++ = '\0'; +--- opendmarc/parse.c.orig 2021-12-20 06:40:37.000000000 +0000 ++++ opendmarc/parse.c +@@ -454,6 +454,11 @@ dmarcf_mail_parse(unsigned char *line, u *domain_out = w; ws = 0; } @@ -27,4 +25,3 @@ Submitted upstream https://github.com/trusteddomainproject/OpenDMARC/pull/174 else { - if (*user_out == NULL) |