Posted to commits@spamassassin.apache.org by mm...@apache.org on 2011/02/21 18:46:36 UTC
svn commit: r1073088 - in /spamassassin/trunk/lib/Mail/SpamAssassin: Conf.pm
Plugin/WLBLEval.pm
Author: mmartinec
Date: Mon Feb 21 17:46:36 2011
New Revision: 1073088
URL: http://svn.apache.org/viewvc?rev=1073088&view=rev
Log:
Bug 6544: Extend whitelist_from_rcvd with matching on an IP address
Modified:
spamassassin/trunk/lib/Mail/SpamAssassin/Conf.pm
spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/WLBLEval.pm
Modified: spamassassin/trunk/lib/Mail/SpamAssassin/Conf.pm
URL: http://svn.apache.org/viewvc/spamassassin/trunk/lib/Mail/SpamAssassin/Conf.pm?rev=1073088&r1=1073087&r2=1073088&view=diff
==============================================================================
--- spamassassin/trunk/lib/Mail/SpamAssassin/Conf.pm (original)
+++ spamassassin/trunk/lib/Mail/SpamAssassin/Conf.pm Mon Feb 21 17:46:36 2011
@@ -352,29 +352,43 @@ e.g.
=item whitelist_from_rcvd addr@lists.sourceforge.net sourceforge.net
Works similarly to whitelist_from, except that in addition to matching
-a sender address, a relay's rDNS name must match too for the whitelisting
-rule to fire. The first parameter is an address to whitelist, and the
-second is a string to match the relay's rDNS. Matching is case-insensitive.
-
-This string is matched against the reverse DNS lookup used during the handover
-from the internet to your internal network's mail exchangers. It can
-either be the full hostname, or the domain component of that hostname. In
-other words, if the host that connected to your MX had an IP address that
-mapped to 'sendinghost.spamassassin.org', you should specify
-C<sendinghost.spamassassin.org> or just C<spamassassin.org> here.
-
-Note that this requires that C<internal_networks> be correct. For simple cases,
-it will be, but for a complex network you may get better results by setting that
-parameter.
+a sender address, a relay's rDNS name or its IP address must match too
+for the whitelisting rule to fire. The first parameter is a sender's e-mail
+address to whitelist, and the second is a string to match the relay's rDNS,
+or its IP address. Matching is case-insensitive.
+
+This second parameter is matched against the TCP-info information field as
+provided in a FROM clause of a trace information (i.e. the Received header
+field, see RFC 5321). Only the Received header fields inserted by trusted
+hosts are considered. This parameter can either be a full hostname, or the
+domain component of that hostname, or an IP address in square brackets.
+The reverse DNS lookup is done by a MTA, not by SpamAssassin.
+
+In case of an IPv4 address in brackets, it may be truncated on classful
+boundaries to cover whole subnets, e.g. C<[10.1.2.3]>, C<[10.1.2]>,
+C<[10.1]>, C<[10]>. CIDR notation is currently not supported, nor is
+IPv6. The matching on IP address is mainly provided to cover rare cases
+where whitelisting of a sending MTA is desired which does not have a
+correct reverse DNS configured.
+
+In other words, if the host that connected to your MX had an IP address
+192.0.2.123 that mapped to 'sendinghost.example.org', you should specify
+C<sendinghost.example.org>, or C<example.org>, or C<[192.0.2.123]> or
+C<[192.0.2]> here.
+
+Note that this requires that C<internal_networks> be correct. For simple
+cases, it will be, but for a complex network you may get better results
+by setting that parameter.
It also requires that your mail exchangers be configured to perform DNS
reverse lookups on the connecting host's IP address, and to record the
-result in the generated Received: header.
+result in the generated Received header field according to RFC 5321.
e.g.
whitelist_from_rcvd joe@example.com example.com
whitelist_from_rcvd *@axkit.org sergeant.org
+ whitelist_from_rcvd *@axkit.org [192.0.2.123]
=item def_whitelist_from_rcvd addr@lists.sourceforge.net sourceforge.net
Modified: spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/WLBLEval.pm
URL: http://svn.apache.org/viewvc/spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/WLBLEval.pm?rev=1073088&r1=1073087&r2=1073088&view=diff
==============================================================================
--- spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/WLBLEval.pm (original)
+++ spamassassin/trunk/lib/Mail/SpamAssassin/Plugin/WLBLEval.pm Mon Feb 21 17:46:36 2011
@@ -315,13 +315,30 @@ sub _check_whitelist_rcvd {
foreach my $domain (@{$list->{$white_addr}{domain}}) {
if ($addr =~ $regexp) {
+ my $match;
foreach my $lastunt (@relays) {
- my $rdns = $lastunt->{lc_rdns};
- if ($rdns =~ /(?:^|\.)\Q${domain}\E$/i) {
- dbg("rules: address $addr matches (def_)whitelist_from_rcvd $list->{$white_addr}{re} ${domain}");
- return 1;
+ local $1;
+ if ($domain =~ m{^ \[ (.*) \] \z}sx) { # matching by IP address
+ my($wl_ip, $rly_ip) = ($1, $lastunt->{ip});
+ if (!defined $rly_ip || $rly_ip eq '') {
+ # relay's IP address not provided or unparseable
+ } elsif ($wl_ip =~ /^\d+\.\d+\.\d+\.\d+\z/) {
+ if ($wl_ip eq $rly_ip) { $match = 1; last } # exact match
+ } elsif ($wl_ip =~ /^[\d\.]+\z/) { # assume IPv4 classful subnet
+ $wl_ip =~ s/\.*\z/./; # enforce trailing dot
+ if ($rly_ip =~ /^\Q$wl_ip\E/i) { $match = 1; last } # subnet
+ }
+ # todo: handle IPv6 and CIDR notation
+ } else { # match by a rdns name
+ my $rdns = $lastunt->{lc_rdns};
+ if ($rdns =~ /(?:^|\.)\Q${domain}\E$/i) { $match=1; last }
}
}
+ if ($match) {
+ dbg("rules: address %s matches (def_)whitelist_from_rcvd %s %s",
+ $addr, $list->{$white_addr}{re}, $domain);
+ return 1;
+ }
# found address match but no relay match. note as possible forgery
$found_forged = -1;
}
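Review bot: A bracketed whitelist_from_rcvd entry that is neither a dotted quad nor digits-and-dots (the CIDR and IPv6 forms the new POD lists as unsupported) falls through every branch of the IP-matching `if`/`elsif` chain without a diagnostic. The sender-address match then reaches `$found_forged = -1`, so a syntax mistake in the config is noted as a possible forgery instead of being reported. I would add a final branch such as `else { dbg("rules: whitelist_from_rcvd: unsupported IP syntax [%s], entry ignored", $wl_ip) }`, or preferably reject such entries when the config line is parsed, which is outside this hunk. The prefix test `/^[\d\.]+\z/` is also looser than the documented forms (it accepts `[1..2]` or `[.]`, which can never match a relay); `/^\d+(?:\.\d+){0,2}\.?\z/` would limit it to one to three octets. `_check_whitelist_rcvd` starts and ends outside the hunk, so how the `-1` value is used afterwards is not visible here.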