Add RequiredFrom option

If RequiredFrom is set, opendmarc will reject messages that lack a From header from which a valid domain can be extracted. This is a subset of the full RFC5322 requirements enforced by the RequiredHeaders option. While non RFC5322-compliant messages are too common to make RequiredHeaders always usable, the check on the From header remains especially valuable. It makes sure forged domain messages cannot evade the filter by just omitting the From header and relying on the MTA to fill it by a copy from the enveloppe header. Submitted upstream as https://github.com/trusteddomainproject/OpenDMARC/pull/147
author: manu <manu@pkgsrc.org> 2021-03-29 09:30:59 +0000
committer: manu <manu@pkgsrc.org> 2021-03-29 09:30:59 +0000
commit: ef429f57a0da940f5154e3d2fac54d8a18d7c486 (patch)
tree: 884cff30008fcbe53b672dc861a93f2043014194 /mail
parent: 313a076171ec23879fd972b48b35c4b03ae84ef8 (diff)
download: pkgsrc-ef429f57a0da940f5154e3d2fac54d8a18d7c486.tar.gz
3 files changed, 120 insertions, 3 deletions
diff --git a/mail/opendmarc/Makefile b/mail/opendmarc/Makefile
index 59f09913cb5..b73b96ca20b 100644
--- a/mail/opendmarc/Makefile
+++ b/mail/opendmarc/Makefile
@@ -1,10 +1,10 @@
-# $NetBSD: Makefile,v 1.23 2021/02/17 01:49:12 manu Exp $
+# $NetBSD: Makefile,v 1.24 2021/03/29 09:30:59 manu Exp $
 
 GITHUB_PROJECT=	OpenDMARC
 GITHUB_TAG=	rel-opendmarc-1-4-0-Beta1
 DISTNAME=	rel-opendmarc-1-4-0-Beta1
 PKGNAME=	opendmarc-1.4.0b1
-PKGREVISION=	1
+PKGREVISION=	3
 CATEGORIES=	mail
 MASTER_SITES=	${MASTER_SITE_GITHUB:=trusteddomainproject/}
 DIST_SUBDIR=	${GITHUB_PROJECT}
diff --git a/mail/opendmarc/distinfo b/mail/opendmarc/distinfo
index ba291a401c6..39cab437d70 100644
--- a/mail/opendmarc/distinfo
+++ b/mail/opendmarc/distinfo
@@ -1,9 +1,10 @@
-$NetBSD: distinfo,v 1.9 2021/02/17 01:49:12 manu Exp $
+$NetBSD: distinfo,v 1.10 2021/03/29 09:30:59 manu Exp $
 
 SHA1 (OpenDMARC/rel-opendmarc-1-4-0-Beta1.tar.gz) = 74ad1ef9f9a12b5fadef5919807cd55f7655d8d8
 RMD160 (OpenDMARC/rel-opendmarc-1-4-0-Beta1.tar.gz) = e8dda5350a734509843a04329777478d9410b796
 SHA512 (OpenDMARC/rel-opendmarc-1-4-0-Beta1.tar.gz) = d562050da9c4b96e7707157fbbf385ab3ac551cf07754b45deb6a010b4c47e7f478dfe35bc2c8625f6553af4fbf120820bf2a9f0ce246b26cabf81e7d1174405
 Size (OpenDMARC/rel-opendmarc-1-4-0-Beta1.tar.gz) = 1247386 bytes
+SHA1 (patch-RequiredFrom) = a21d77abbe93c806c6abee55e77e477c9c435c00
 SHA1 (patch-configure.ac) = d174911e4de37d3b50b525469cbe410bb7ae119f
 SHA1 (patch-libopendmarc_opendmarc__dns.c) = e76ca13707677525b72609b4a5268d77efcfba84
 SHA1 (patch-libopendmarc_opendmarc__spf__dns.c) = b6e1311be8e9ef44c333be57fef474f6b080a199
diff --git a/mail/opendmarc/patches/patch-RequiredFrom b/mail/opendmarc/patches/patch-RequiredFrom
new file mode 100644
index 00000000000..1194794d75b
--- /dev/null
+++ b/mail/opendmarc/patches/patch-RequiredFrom
@@ -0,0 +1,116 @@
+$NetBSD: patch-RequiredFrom,v 1.1 2021/03/29 09:30:59 manu Exp $
+
+Add RequiredFrom option to reject messages that lack a From header
+from which a valid domain can be extracted
+
+Submitted upstream as 
+https://github.com/trusteddomainproject/OpenDMARC/pull/147
+
+--- opendmarc/opendmarc.c.orig	2021-03-29 09:13:11.534047039 +0200
++++ opendmarc/opendmarc.c	2021-03-29 10:02:01.105977120 +0200
+@@ -163,8 +163,9 @@
+ /* DMARCF_CONFIG -- configuration object */
+ struct dmarcf_config
+ {
+ 	_Bool			conf_reqhdrs;
++	_Bool			conf_reqfrom;
+ 	_Bool			conf_afrf;
+ 	_Bool			conf_afrfnone;
+ 	_Bool			conf_rejectfail;
+ 	_Bool			conf_dolog;
+@@ -1349,8 +1350,12 @@
+ 		(void) config_get(data, "RequiredHeaders",
+ 		                  &conf->conf_reqhdrs,
+ 		                  sizeof conf->conf_reqhdrs);
+ 
++		(void) config_get(data, "RequiredFrom",
++		                  &conf->conf_reqfrom,
++		                  sizeof conf->conf_reqfrom);
++
+ 		(void) config_get(data, "FailureReports",
+ 		                  &conf->conf_afrf,
+ 		                  sizeof conf->conf_afrf);
+ 
+@@ -2367,13 +2372,17 @@
+ 	{
+ 		if (conf->conf_dolog)
+ 		{
+ 			syslog(LOG_INFO,
+-			       "%s: RFC5322 requirement error: missing From field; accepting",
+-			       dfc->mctx_jobid);
++			       "%s: RFC5322 requirement error: missing From field; %s",
++			       dfc->mctx_jobid,
++			       conf->conf_reqfrom ? "reject" : "accepting");
+ 		}
+ 
+-		return SMFIS_ACCEPT;
++		if (conf->conf_reqfrom)
++			return SMFIS_REJECT;
++		else
++			return SMFIS_ACCEPT;
+ 	}
+ 
+ 	/* extract From: domain */
+ 	memset(addrbuf, '\0', sizeof addrbuf);
+@@ -2387,9 +2396,9 @@
+ 			       "%s: unable to parse From header field",
+ 			       dfc->mctx_jobid);
+ 		}
+ 
+-		if (conf->conf_reqhdrs)
++		if (conf->conf_reqhdrs || conf->conf_reqfrom) 
+ 			return SMFIS_REJECT;
+ 		else
+ 			return SMFIS_ACCEPT;
+ 	}
+--- opendmarc/opendmarc.conf.5.in.orig	2021-03-29 09:15:03.877101090 +0200
++++ opendmarc/opendmarc.conf.5.in	2021-03-29 09:21:56.423837778 +0200
+@@ -258,8 +258,16 @@
+ failing this test are rejected without further processing.  A From:
+ field from which no domain name could be extracted will also be rejected.
+ 
+ .TP
++.I RequiredFrom (Boolean)
++If set, the filter will reject without further processing messages that lack a
++From: field from which a domain name could be extracted. This options is
++without effect if
++.I RequiredHeaders
++is set to "true".
++
++.TP
+ .I Socket (string)
+ Specifies the socket that should be established by the filter to receive
+ connections from
+ .I sendmail(8)
+--- opendmarc/opendmarc-config.h.orig	2021-03-29 09:19:21.345035861 +0200
++++ opendmarc/opendmarc-config.h	2021-03-29 09:19:34.235736167 +0200
+@@ -43,8 +43,9 @@
+ 	{ "PidFile",			CONFIG_TYPE_STRING,	FALSE },
+ 	{ "PublicSuffixList",		CONFIG_TYPE_STRING,	FALSE },
+ 	{ "RecordAllMessages",		CONFIG_TYPE_BOOLEAN,	FALSE },
+ 	{ "RequiredHeaders",		CONFIG_TYPE_BOOLEAN,	FALSE },
++	{ "RequiredFrom",		CONFIG_TYPE_BOOLEAN,	FALSE },
+ 	{ "RejectFailures",		CONFIG_TYPE_BOOLEAN,	FALSE },
+ 	{ "ReportCommand",		CONFIG_TYPE_STRING,	FALSE },
+ 	{ "Socket",			CONFIG_TYPE_STRING,	FALSE },
+ 	{ "SoftwareHeader",		CONFIG_TYPE_BOOLEAN,	FALSE },
+--- opendmarc/opendmarc.conf.sample.orig	2021-03-29 09:19:43.400961620 +0200
++++ opendmarc/opendmarc.conf.sample	2021-03-29 09:22:23.834032438 +0200
+@@ -303,8 +303,17 @@
+ ##  rejected.
+ #
+ # RequiredHeaders false
+ 
++##  RequiredFrom { true | false }
++##  	default "false"
++##
++##  If set, the filter will reject without further processing messages that 
++##  lack a From: field from which a domain name could be extracted. This 
++##  options is without effect if RequiredHeaders is set to "true".
++#
++# RequiredFrom false
++
+ ##  Socket socketspec
+ ##  	default (none)
+ ##
+ ##  Specifies the socket that should be established by the filter to receive
author	manu <manu@pkgsrc.org>	2021-03-29 09:30:59 +0000
committer	manu <manu@pkgsrc.org>	2021-03-29 09:30:59 +0000
commit	ef429f57a0da940f5154e3d2fac54d8a18d7c486 (patch)
tree	884cff30008fcbe53b672dc861a93f2043014194 /mail
parent	313a076171ec23879fd972b48b35c4b03ae84ef8 (diff)
download	pkgsrc-ef429f57a0da940f5154e3d2fac54d8a18d7c486.tar.gz