Commit Graph

2386 Commits

Author SHA1 Message Date
Andreas Erhard
265672ce2b
Add missing use statement for NetAddr::IP to whitelist plugin (#310)
I forgot to add the use statement from #287 when adding the ip-range whitelist feature in 2021.
2023-09-04 09:47:24 -07:00
Kjetil Kjernsmo
4b1dc39dd6
Release 1.00 (#307)
* Update changelog
* Bump version
2023-02-16 22:33:46 -08:00
Kjetil Kjernsmo
e424d2c0e2
Use readable file test for certificate files (#304)
To make it easier to use Letsencrypt certificates with the tls plugin, I'd just like to propose to change the file test operators to `-r` as proposed in [this comment](https://community.letsencrypt.org/t/how-do-i-use-lets-encrypt-certs-in-qpsmtpd/142370/4).
2022-08-31 18:06:20 -07:00
tlavoie
dc7ac3c696
Adding IP address to logs for 535 LOGIN errors, to use with fail2ban (#301) 2021-08-19 15:17:28 -07:00
Andreas Erhard
3d40ea7280
Add support for network ranges in whitelist plugin (#298) 2021-06-10 07:16:21 -07:00
Andreas Erhard
2e4ea13639
Change GeoIP order (#297) 2021-06-10 07:13:13 -07:00
mufus
e21860f22e
Regex fix, checkip argument & updated tld list (#283)
* Regex fix, checkip argument & updated tld list

This patch includes 3 fixes:

1) The plugin could match invalid URIs, eg. "www..example.com", which resulted in fatal plugin error, sending the incoming email directly into queue without any further scan. The regex has been fixed.

2) Some URIBLs trigger positive on any ip-address. Added new plugin argument: checkip [yes|no].

3) Updating the TLD list.

Co-authored-by: mufus <hello@mufus.com>
2020-06-08 15:48:39 -07:00
mufus
65fd1b2150 Support for userprefs' reject threshold (#281)
If the reject argument is set to the string 'userprefs' instead of a decimal value, the required threshold value will be taken from spamassassin userprefs required_score instead of set to a static value. This allows a per-user based threshold value.
2017-02-12 10:12:47 -08:00
Robin Bowes
226114297e Rpm build fixes (#277)
* Make sure generated spec file is deleted by `make clean`

* Change rpm release to "1"
2016-12-29 16:41:29 -08:00
Robin Bowes
14f6ece505 Add documentation for rpm packaging (#278) 2016-12-29 16:40:55 -08:00
Robin Bowes
83b6aafc1d Fix rpm packaging (#276)
* Fix rogue date in spec file Changelog

* Update rpm spec file to match changed README file names

* Don't exclude files matching pattern 'ConfigServer'

* Exclude README.selinux from apache file list - it's included explicitly in the %files section

* cosmetic fixups to bash code in rpm spec file (mostly indentation)

* Update rpm specfile changelog
2016-12-27 10:17:18 -08:00
Tom Li
d00a82d8e8 tls: fix a typo in SSL_dh_file. (#275)
In d5954ce249, dhparam has been added
to the tls plugin. But a typo was made, misspelled "sp" as "self".
This commit corrects this typo.

Signed-off-by: Tom Li <biergaizi@member.fsf.org>
2016-11-05 08:44:41 -07:00
Hans Salvisberg
4e8cb7baf5 Badmailfromto whitespace (#273)
* Fix Can't call method 'notes' on unblessed reference in plugins/logging/file.

* Allow white space rather than just a single tab character in the badmailfromto configuration file.
2016-10-02 10:40:51 -07:00
Hans Salvisberg
494dc95b72 Fix Can't call method 'notes' on unblessed reference in plugins/logging/file. (#272) 2016-09-27 14:34:03 -07:00
Daniel B
e551786a9e Use eval to get dkim policies (#268)
To prevent a fatal plugin error in case of DNS timeout
2016-06-29 08:35:51 -07:00
Daniel B
03c9d045f4 Check $addr is defined before using it (#266)
Prevent the following error if we receive an invalid RCPT TO (eg <"relaytest%nmap.scanme.org">)

Can't call method "qp" on an undefined value at /usr/share/perl5/vendor_perl/Qpsmtpd.pm line 451.
/usr/bin/qpsmtpd-forkserver[17472]: command 'rcpt' failed unexpectedly
2016-05-15 10:19:02 -07:00
Daniel B
f8c66145a1 Check for negative strikes in karma (#265)
Commit 5e157d2 introduced this bug: for negative karma, we have to check against negative strikes
2016-05-09 15:26:24 -07:00
Daniel B
a8747407be No dmarc policy (#263)
* Update data_post_headers documentation
We cannot reject at this stage, which is only there to alter headers.
Fix #258

* DMARC plugin: reject in data_post
Followup of #258: we cannot reject a connection during data_post_headers. So add a new hook in data_post to do the real rejection

* Support spf rejects when no DMARC policy is published
When using DMARC, you have to run sender_permitted_from first, and without rejecting anything. If a DMARC policy is published, then fine, the dmarc plugin will handle this. But if there's no DMARC policy at all, then we can decide solely on SPF to reject or not. This decision must be taken after dmarc runs, so, add a hook into post_data (dmarc is evaluated in post_data_headers). A new no_dmarc_policy argument is available and you can decide the level at which you want to reject on SPF failures

* Typo
2016-05-04 14:46:24 -07:00
Daniel B
b1b59cbfa1 Find the karma DB dir (#264)
* Update data_post_headers documentation
We cannot reject at this stage, which is only there to alter headers.
Fix #258

* DMARC plugin: reject in data_post
Followup of #258: we cannot reject a connection during data_post_headers. So add a new hook in data_post to do the real rejection

* Use candidate_dirs to find the DB
2016-05-04 14:45:24 -07:00
Daniel B
7ff45375f1 Fix dmarc reject (#260)
* Update data_post_headers documentation
We cannot reject at this stage, which is only there to alter headers.
Fix #258

* DMARC plugin: reject in data_post
Followup of #258: we cannot reject a connection during data_post_headers. So add a new hook in data_post to do the real rejection

* Add the dmarc_reject note on the transaction
It's probably possible to have one valid email after an invalid one using the same connection (even if not common)
2016-05-03 10:41:53 -07:00
Daniel B
9748064889 Dmarc result note (#261)
* Update data_post_headers documentation
We cannot reject at this stage, which is only there to alter headers.
Fix #258

* DMARC plugin: reject in data_post
Followup of #258: we cannot reject a connection during data_post_headers. So add a new hook in data_post to do the real rejection

* Add a note with dmarc_result
So other plugins can easily check DMARC status.
For example, a simple plugin can be added after DMARC when SPF hard failed, but no DMARC policy is published (so no rejection by the DMARC plugin).
With this note, we can easily check the result of SPF and DMARC and reject if the first is failed, and the second is none
2016-05-03 10:35:43 -07:00
Daniel B
9f3f9db65f Update data_post_headers doc (#259)
* Update data_post_headers documentation
We cannot reject at this stage, which is only there to alter headers.
Fix #258

* DMARC plugin: reject in data_post
Followup of #258: we cannot reject a connection during data_post_headers. So add a new hook in data_post to do the real rejection
2016-05-02 09:31:10 -07:00
Daniel B
d13eae3aec Check rua is defined before trying to parse it (#257)
Because $pol->rue returns undef if there's no rua defined, an error is printed in the logs

FATAL PLUGIN ERROR [dmarc]:  URI string is required! at /usr/share/perl5/vendor_perl/Mail/DMARC/PurePerl.pm line 295
2016-04-28 10:09:07 -07:00
Daniel B
9f599f9f47 Record the name of the original plugin (#256)
When using the naughty plugin to defer rejection, we lose the name of the original plugin which caused the reject.
Especially when we parse the logterse plugin output to build graphs. With this addition, we now can get this information back
2016-04-25 06:13:52 -10:00
Daniel B
d6be03b37e Make spammy_tlds configurable (#255)
* Make spammy_tlds configurable
The hardcoded list of spammy tlds can't fit every need. Make this configurable through a config file.
You can now also raise the karma for tlds you want.
The default config provided keeps the same behaviour as before.

* Update tlds' karma
2016-04-25 06:13:08 -10:00
Daniel B
5e157d2344 Possibility to set the number of "strikes" for the karma plugin (#254)
The default behaviour (connection needs to have at least 3 or -3 to be considered
nice or naughty) is not always what we want, depending on the number of plugins
which adjust the karma. Let's make it configurable
2016-04-20 07:52:47 -10:00
Daniel B
260bd6cdd6 Prevent credentials being logged in plain text (#249)
* Prevent credentials being logged in plain text
except in the highest debug level

* Fix missing semicolon
2016-04-19 18:10:28 -10:00
Matt Simerson
044fff9aa8 Merge pull request #250 from dani/warn_inplicit_split
Prevent a "Use of implicit split" warning
2016-04-19 18:02:14 -10:00
Matt Simerson
5a802a036a Merge pull request #251 from dani/uribl_data_post
uribl needs to hook in data_post
2016-04-19 18:01:30 -10:00
Matt Simerson
4f27f360e9 Merge pull request #252 from dani/tls_proto
Allow setting TLS protocol versions in a config file
2016-04-19 17:55:26 -10:00
Matt Simerson
fee44d1ccf Merge pull request #253 from dani/sa_size
New size_limit param for spamassassin plugin
2016-04-19 17:53:29 -10:00
Daniel Berteaud
4a6ce830b3 New size_limit param for spamassassin plugin
Allow setting the size limit to handle by the plugin, instead of the hardcoded 500_000 value
2016-04-19 18:37:42 +02:00
Daniel Berteaud
0d2690d726 Allow setting TLS protocol versions in a config file
Some users might need to enable the old SSLv3, or others might want to disable TLSv1. Let's make this configurable.
The default value is kept, but can be overridden in the tls_protocols config file
2016-04-19 18:28:36 +02:00
Daniel Berteaud
0c41f2af06 uribl needs to hook in data_post
When hooking into data, there's no email body to check, so no URI is found
2016-04-19 18:22:43 +02:00
Daniel Berteaud
e792c11bfa Prevent a "Use of implicit split" warning
In the helo plugin. Full warn is:
Use of implicit split to @_ is deprecated at /usr/share/qpsmtpd/plugins/helo line 524
2016-04-19 18:18:03 +02:00
Matt Simerson
43020a8041 Merge pull request #248 from smtpd/release-0.96
update Changes, bump version
2016-02-16 14:52:02 -08:00
Matt Simerson
d3546f9501 update Changes, bump version 2016-02-16 14:50:16 -08:00
Matt Simerson
9de7c3778e Merge pull request #244 from priyadi/dmarc-fix
Fix DMARC authentication-result string
2016-02-16 14:39:37 -08:00
Matt Simerson
79deb8b061 Merge pull request #247 from christianeisendle/x-spam_status_outlook_hack_fix
Replace all occurrences of CR in X-Spam-Status
2016-02-16 14:25:58 -08:00
Christian Eisendle
4d061dfa89 Replace all occurrences of CR in X-Spam-Status
The hack for outlook (replacing CR in X-Spam-Status header) assumes
that there is only a single occurrence of CR. However, if spamassassin
adds some more spam status information X-Spam-Status might be several lines
long leading to multiple occurrences of CR.
This fix changes the substitute to a global substitute, replacing all
CRs in the X-Spam-Status header.
2016-02-16 22:03:57 +01:00
Matt Simerson
66e76f5796 Merge pull request #246 from msimerson/master
check *every* regex, not just first
2015-12-20 08:53:25 -08:00
Matt Simerson
965f4fc440 check *every* regex, not just first 2015-12-17 10:47:08 -08:00
Matt Simerson
00343a48ac Merge pull request #243 from priyadi/master
Should only reject if host is not localhost but HELO claims to be one
2015-12-17 10:17:59 -08:00
Matt Simerson
8f4029481a Merge pull request #245 from msimerson/frank
badrcpt use reason, and defined-ness test
2015-07-20 13:09:22 -07:00
Matt Simerson
1143918ec9 badrcpt use reason, and defined-ness test
as reported by frank on the QP mailing list
2015-07-20 09:56:18 -07:00
Priyadi Iman Nurcahyo
feb63c95a5 According to RFC7489 authstr should be: none, pass, fail, temperror, permerror 2015-05-26 19:36:40 +00:00
Priyadi Iman Nurcahyo
0e614e8741 Fix DMARC authentication-result string 2015-05-26 16:13:08 +00:00
Priyadi Iman Nurcahyo
298b92f067 Should only reject if host is not localhost but HELO claims to be one 2015-05-26 10:27:33 +00:00
Jared Johnson
8f14cc01e4 Merge pull request #242 from analogic/patch-1
DMARC plugin: Added option to disable reporting
2015-03-13 16:16:38 -05:00
analogic
e440f8760b DMARC plugin: Added option to disable reporting 2015-03-13 14:02:05 +01:00