authormanu <manu@pkgsrc.org>2021-03-29 09:30:59 +0000
committermanu <manu@pkgsrc.org>2021-03-29 09:30:59 +0000
commitef429f57a0da940f5154e3d2fac54d8a18d7c486 (patch)
tree884cff30008fcbe53b672dc861a93f2043014194 /mail/opendmarc/patches
parent313a076171ec23879fd972b48b35c4b03ae84ef8 (diff)
Add RequiredFrom option
If RequiredFrom is set, opendmarc will reject messages that lack a From header from which a valid domain can be extracted. This is a subset of the full RFC5322 requirements enforced by the RequiredHeaders option. While non-RFC5322-compliant messages are too common to make RequiredHeaders always usable, the check on the From header remains especially valuable. It makes sure forged-domain messages cannot evade the filter by just omitting the From header and relying on the MTA to fill it in with a copy from the envelope header. Submitted upstream as https://github.com/trusteddomainproject/OpenDMARC/pull/147
Diffstat (limited to 'mail/opendmarc/patches')
-rw-r--r--mail/opendmarc/patches/patch-RequiredFrom116
1 files changed, 116 insertions, 0 deletions
diff --git a/mail/opendmarc/patches/patch-RequiredFrom b/mail/opendmarc/patches/patch-RequiredFrom
new file mode 100644
index 00000000000..1194794d75b
--- /dev/null
+++ b/mail/opendmarc/patches/patch-RequiredFrom
@@ -0,0 +1,116 @@
+$NetBSD: patch-RequiredFrom,v 1.1 2021/03/29 09:30:59 manu Exp $
+
+Add RequiredFrom option to reject messages that lack a From header
+from which a valid domain can be extracted
+
+Submitted upstream as
+https://github.com/trusteddomainproject/OpenDMARC/pull/147
+
+--- opendmarc/opendmarc.c.orig 2021-03-29 09:13:11.534047039 +0200
++++ opendmarc/opendmarc.c 2021-03-29 10:02:01.105977120 +0200
+@@ -163,8 +163,9 @@
+ /* DMARCF_CONFIG -- configuration object */
+ struct dmarcf_config
+ {
+ _Bool conf_reqhdrs;
++ _Bool conf_reqfrom;
+ _Bool conf_afrf;
+ _Bool conf_afrfnone;
+ _Bool conf_rejectfail;
+ _Bool conf_dolog;
+@@ -1349,8 +1350,12 @@
+ (void) config_get(data, "RequiredHeaders",
+ &conf->conf_reqhdrs,
+ sizeof conf->conf_reqhdrs);
+
++ (void) config_get(data, "RequiredFrom",
++ &conf->conf_reqfrom,
++ sizeof conf->conf_reqfrom);
++
+ (void) config_get(data, "FailureReports",
+ &conf->conf_afrf,
+ sizeof conf->conf_afrf);
+
+@@ -2367,13 +2372,17 @@
+ {
+ if (conf->conf_dolog)
+ {
+ syslog(LOG_INFO,
+- "%s: RFC5322 requirement error: missing From field; accepting",
+- dfc->mctx_jobid);
++ "%s: RFC5322 requirement error: missing From field; %s",
++ dfc->mctx_jobid,
++ conf->conf_reqfrom ? "reject" : "accepting");
+ }
+
+- return SMFIS_ACCEPT;
++ if (conf->conf_reqfrom)
++ return SMFIS_REJECT;
++ else
++ return SMFIS_ACCEPT;
+ }
+
+ /* extract From: domain */
+ memset(addrbuf, '\0', sizeof addrbuf);
+@@ -2387,9 +2396,9 @@
+ "%s: unable to parse From header field",
+ dfc->mctx_jobid);
+ }
+
+- if (conf->conf_reqhdrs)
++ if (conf->conf_reqhdrs || conf->conf_reqfrom)
+ return SMFIS_REJECT;
+ else
+ return SMFIS_ACCEPT;
+ }
+--- opendmarc/opendmarc.conf.5.in.orig 2021-03-29 09:15:03.877101090 +0200
++++ opendmarc/opendmarc.conf.5.in 2021-03-29 09:21:56.423837778 +0200
+@@ -258,8 +258,16 @@
+ failing this test are rejected without further processing. A From:
+ field from which no domain name could be extracted will also be rejected.
+
+ .TP
++.I RequiredFrom (Boolean)
++If set, the filter will reject without further processing messages that lack a
++From: field from which a domain name could be extracted. This options is
++without effect if
++.I RequiredHeaders
++is set to "true".
++
++.TP
+ .I Socket (string)
+ Specifies the socket that should be established by the filter to receive
+ connections from
+ .I sendmail(8)
+--- opendmarc/opendmarc-config.h.orig 2021-03-29 09:19:21.345035861 +0200
++++ opendmarc/opendmarc-config.h 2021-03-29 09:19:34.235736167 +0200
+@@ -43,8 +43,9 @@
+ { "PidFile", CONFIG_TYPE_STRING, FALSE },
+ { "PublicSuffixList", CONFIG_TYPE_STRING, FALSE },
+ { "RecordAllMessages", CONFIG_TYPE_BOOLEAN, FALSE },
+ { "RequiredHeaders", CONFIG_TYPE_BOOLEAN, FALSE },
++ { "RequiredFrom", CONFIG_TYPE_BOOLEAN, FALSE },
+ { "RejectFailures", CONFIG_TYPE_BOOLEAN, FALSE },
+ { "ReportCommand", CONFIG_TYPE_STRING, FALSE },
+ { "Socket", CONFIG_TYPE_STRING, FALSE },
+ { "SoftwareHeader", CONFIG_TYPE_BOOLEAN, FALSE },
+--- opendmarc/opendmarc.conf.sample.orig 2021-03-29 09:19:43.400961620 +0200
++++ opendmarc/opendmarc.conf.sample 2021-03-29 09:22:23.834032438 +0200
+@@ -303,8 +303,17 @@
+ ## rejected.
+ #
+ # RequiredHeaders false
+
++## RequiredFrom { true | false }
++## default "false"
++##
++## If set, the filter will reject without further processing messages that
++## lack a From: field from which a domain name could be extracted. This
++## options is without effect if RequiredHeaders is set to "true".
++#
++# RequiredFrom false
++
+ ## Socket socketspec
+ ## default (none)
+ ##
+ ## Specifies the socket that should be established by the filter to receive
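Review bot: The two reject paths in opendmarc.c test different conditions: the missing-From branch returns SMFIS_REJECT only on `conf->conf_reqfrom`, while the unparsable-From branch uses `conf->conf_reqhdrs || conf->conf_reqfrom`. The first is safe only if RequiredHeaders has already rejected a message with no From field earlier in the function, which is presumably the case but is not visible in these hunks. Using `if (conf->conf_reqhdrs || conf->conf_reqfrom)` in both places, and the same expression for the logged disposition, keeps the missing-From path fail-closed without relying on that earlier check. On logging, "reject" would read better as "rejecting" next to "accepting", and the "unable to parse From header field" message still does not say whether the message was rejected, which makes rejected mail harder to trace in syslog. The enclosing function starts and ends outside the embedded hunks.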