You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@spamassassin.apache.org by do...@apache.org on 2007/01/14 00:07:20 UTC
svn commit: r495996 -
/spamassassin/trunk/lib/Mail/SpamAssassin/Message/Metadata/Received.pm
Author: dos
Date: Sat Jan 13 15:07:20 2007
New Revision: 495996
URL: http://svn.apache.org/viewvc?view=rev&rev=495996
Log:
refactor code that determines what relays are trusted/internal to eliminate redundant if structures
Modified:
spamassassin/trunk/lib/Mail/SpamAssassin/Message/Metadata/Received.pm
Modified: spamassassin/trunk/lib/Mail/SpamAssassin/Message/Metadata/Received.pm
URL: http://svn.apache.org/viewvc/spamassassin/trunk/lib/Mail/SpamAssassin/Message/Metadata/Received.pm?view=diff&rev=495996&r1=495995&r2=495996
==============================================================================
--- spamassassin/trunk/lib/Mail/SpamAssassin/Message/Metadata/Received.pm (original)
+++ spamassassin/trunk/lib/Mail/SpamAssassin/Message/Metadata/Received.pm Sat Jan 13 15:07:20 2007
@@ -152,82 +152,63 @@
#
# "mypublicnet" = first public "by" address
#
-# 1. Ignore all Received line where the "from" IP is in mypublicnet/16
+# 1. Trust all Received line where the "from" IP is in mypublicnet/16
# regardless of where they appear. (The goal is to remove any relay
# steps that involve your network, relying on /16 is good enough since
# anything on your /16 is you or at worst involves your ISP.)
#
-# 2. Ignore all Received lines that contain local (127) or private (10.1,
-# etc.) IP addresses anywhere, whether "from" or "by". (The goal
+# 2. Trust all Received lines that contain local (127) or private (10.1,
+# etc.) IP addresses anywhere, whether "from" or "by".
#
-# 3. The first Received line that you don't ignore is the one that
+# 3. The first Received line that you don't trust is the one that
# contains the "by" of your trusted relay and the "from" of the first
# untrusted relay (which is used for bondedsender testing and so on).
- if ($in_trusted && !($did_user_specify_trust || $did_user_specify_internal)) {
- my $inferred_as_trusted = 0;
-
- # if the 'from' IP addr is in a reserved net range, it's not on
- # the public internet.
- if ($relay->{ip_private}) {
- dbg("received-header: 'from' ".$relay->{ip}." has private IP");
- $inferred_as_trusted = 1;
- }
-
- # if we find authentication tokens in the received header we can extend
- # the trust boundary to that host
- if ($relay->{auth}) {
- dbg("received-header: authentication method ".$relay->{auth});
- $inferred_as_trusted = 1;
- }
-
- # Consider the first relay trusted, and all others untrusted.
- dbg("received-header: cannot use DNS, do not trust any hosts from here on");
-
- if (!$inferred_as_trusted) { $in_trusted = 0; }
- }
-
-
- # trusted_networks matches?
- # if they didn't specify trusted, but did specify internal, we use the
- # internal config for trusted, so check for either being specified
- if ($in_trusted && ($did_user_specify_trust || $did_user_specify_internal) &&
- !$relay->{auth} && !$trusted->contains_ip ($relay->{ip}))
- {
- $in_trusted = 0; # we're in deep water now
- }
-
- # internal_networks matches?
- # if they didn't specify internal, but did specify trusted, we use the
- # trusted config for internal, so check for either being specified
- if ($did_user_specify_internal || $did_user_specify_trust) {
- if (!$relay->{auth} && !$internal->contains_ip ($relay->{ip})) {
- $in_internal = 0;
+ if ($in_trusted) {
+ unless ($did_user_specify_trust || $did_user_specify_internal) {
+ my $inferred_as_trusted = 0;
+
+ # if the 'from' IP addr is in a reserved net range, it's not on
+ # the public internet.
+ if ($relay->{ip_private}) {
+ dbg("received-header: 'from' ".$relay->{ip}." has private IP");
+ $inferred_as_trusted = 1;
+ }
+
+ # if we find authentication tokens in the received header we can extend
+ # the trust boundary to that host
+ if ($relay->{auth}) {
+ dbg("received-header: authentication method ".$relay->{auth});
+ $inferred_as_trusted = 1;
+ }
+
+ # if the user didn't specify any trusted/internal config, everything
+ # we assume as trusted is also internal, just like we'd do if they
+ # specified trusted but not any internal networks or vice versa
+ if (!$inferred_as_trusted) {
+ dbg("received-header: do not trust any hosts from here on");
+ $in_trusted = 0;
+ $in_internal = 0;
+ }
+
+ } else {
+ # trusted_networks matches?
+ if (!$relay->{auth} && !$trusted->contains_ip($relay->{ip})) {
+ $in_trusted = 0;
+ $in_internal = 0; # save checking immediately below
+ }
+ # internal_networks matches?
+ if ($in_internal && !$relay->{auth} && !$internal->contains_ip($relay->{ip})) {
+ $in_internal = 0;
+ }
}
- } else {
- # if the user didn't specify any trusted/internal config, everything
- # we assume as trusted is also internal, just like we'd do if they
- # specified trusted but not any internal networks
- $in_internal = $in_trusted;
- }
-
- # note: you can't be in internal networks, but not be in a trusted
- # net. (bug 4760)
- # dos: I don't think this can even happen any more, since we copy internal
- # to trusted above (if trusted isn't configured and internal is)
- if ($in_internal && !$in_trusted) {
- $in_trusted = 1;
}
dbg("received-header: relay ".$relay->{ip}.
" trusted? ".($in_trusted ? "yes" : "no").
" internal? ".($in_internal ? "yes" : "no"));
- if ($in_internal) {
- $relay->{internal} = 1;
- } else {
- $relay->{internal} = 0;
- }
+ $relay->{internal} = $in_internal;
# be sure to mark up the as_string version for users too
$relay->{as_string} =~ s/ intl=\d / intl=$relay->{internal} /;