Handler corner case better: signed message relayed by listserv which adds

Sender: but does not re-sign message or strip DomainKeys-Signature.  Add
config option to prevent badly signed message from being DENY'd.

git-svn-id: https://svn.perl.org/qpsmtpd/branches/0.3x@654 958fd67b-6ff1-0310-b445-bb7760255be9
John Peacock 2006-07-12 18:10:00 +00:00
parent 66f2f9354b
commit de620a4c22


@ -1,3 +1,11 @@
sub init {
my ($self, %args) = @_;
foreach my $key ( %args ) {
$self->{$key} = $args{$key};
}
}
sub hook_data_post { sub hook_data_post {
use Mail::DomainKeys::Message; use Mail::DomainKeys::Message;
use Mail::DomainKeys::Policy; use Mail::DomainKeys::Policy;
@ -35,17 +43,11 @@ sub hook_data_post {
# Don't do anything else # Don't do anything else
$status = "testing"; $status = "testing";
} }
elsif ( $message->signed ) { elsif ( $message->signed and $message->verify ) {
if ( $message->verify ) {
# verified: add good header # verified: add good header
$status = $message->signature->status; $status = $message->signature->status;
} }
else { else { # not signed or not verified
# not verified, i.e. forged signature
$status = undef;
}
}
else { # not signed
my $policy = fetch Mail::DomainKeys::Policy( my $policy = fetch Mail::DomainKeys::Policy(
Protocol => "dns", Protocol => "dns",
Domain => $message->senderdomain Domain => $message->senderdomain
@ -65,44 +67,48 @@ sub hook_data_post {
} }
} }
else { else {
$status = "no signature"; $status = $message->signed ? "non-participant" : "no signature";
} }
} }
if ( defined $status ) { if ( defined $status ) {
$transaction->header->replace("DomainKey-Status", $status); $transaction->header->replace("DomainKey-Status", $status);
$self->log(LOGWARN, "DomainKeys-Status: $status");
return DECLINED; return DECLINED;
} }
else { else {
$self->log(LOGWARN, "DomainKeys signature failed to verify"); $self->log(LOGERROR, "DomainKeys signature failed to verify");
if ( $self->{warn_only} ) {
return DECLINED; return DECLINED;
} }
else {
return (DENY, "DomainKeys signature failed to verify");
}
}
} }
# Leave this in place until Mail::DomainKeys is patched
eval
q/
*Mail::DomainKeys::Message::header = sub {
my $self = shift;
$self->signed or
return new Mail::DomainKeys::Header(
Line => "DomainKey-Status: no signature");
$self->signature->status and
return new Mail::DomainKeys::Header(
Line => "DomainKey-Status: " . $self->signature->status);
};
/
unless Mail::DomainKeys::Message->can('header');
=cut =cut
=head1 NAME =head1 NAME
domainkeys: validate a DomainKeys signature on an incoming mail domainkeys: validate a DomainKeys signature on an incoming mail
=head1 SYNOPSIS
domainkeys [warn_only 1]
Performs a DomainKeys validation on the message. Takes a single
configuration
warn_only 1
which means that messages which are not correctly signed (i.e. signed but
modified or deliberately forged) will not be DENY'd, but an error will still
be issued to the logfile.
=head1 COPYRIGHT
Copyright (C) 2005-2006 John Peacock. Copyright (C) 2005-2006 John Peacock.
Portions Copyright (C) 2004 Anthony D. Urso. All rights reserved. This Portions Copyright (C) 2004 Anthony D. Urso. All rights reserved. This
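Review bot: In the new `warn_only` branch of hook_data_post the message is passed on with `return DECLINED` without touching `DomainKey-Status`, so a status header already present on the incoming message survives on mail whose signature just failed to verify, whereas the success path overwrites it with `replace`. Before that return I would add `$transaction->header->replace("DomainKey-Status", "bad");` (or delete the header) so downstream filters never act on a sender-supplied status. Folding the signed-but-unverified case into the policy branch also appears to let such mail receive `non-participant` and be accepted even without `warn_only`; the deciding lines are outside the visible hunks, so please confirm this is intended and say so in the POD. Separately, `foreach my $key ( %args )` in `init` walks the values as well as the keys and should read `foreach my $key ( keys %args )`.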