diff --git a/TODO b/TODO
index 33341975d3e74cf102ac219b8b1a390147fccfcf..fadc5c5825986dcd12fc170f4e389e791d5139b8 100644
--- a/TODO
+++ b/TODO
@@ -1,3 +1,35 @@
+Configuration is problematic when handling incoming, but not outgoing mail.
+The problem comes when alice@example.com sends mail to bill@example.com,
+and we are the MX for example.com, but alice is sending from some other
+MTA. The mail is flagged external, so we don't list example.com in
+internal_domains (or we would get "spam from self"). But, if we try to do a
+CBV, we get "fraudulent MX", because the MX is ourself! So we need to
+avoid doing CBV on such domains. Currently, we try to make sure the SPF
+policies don't do CBV.
+
+On the other hand, if alice is sending internally, or with SMTP AUTH, she
+*does* need the domain to be in internal_domains. The solution to that
+is to use the new SMTP AUTH access configuration to specify which domains
+can be used by smtp AUTH (by user if desired).
+
+It would be cleaner if CBV would know which domains we have agreed to
+be MX for. Some ideas for external connections:
+
+a) check access file for To:example.com RELAY
+b) check mailertable
+c) check mx_domains config list
+d) if there is an SPF record, don't check internal_domains
+   (let SPF block unauthorized machines)
+
+But that still doesn't handle the roaming user, who won't use SMTP
+AUTH, but sends through some hotel MTA. Maybe we don't want to support
+him?
+
+When setting up pydspam, both sender and rcpt must resolve to dspam users
+for falsepositive recognition. Usually, this means adding
+honeypot@mail.example.com to alias list for honeypot in pymilter.cfg.
+This needs to be documented. I was caught by it setting up a new site.
+
 Add signature (x-sig=AB7485f=TS) to Received-SPF, so it can be used to
 blacklist sources of delayed DSNs.
diff --git a/bms.py b/bms.py
index 9227159f028be31c4cb49354c7836c7d33f2ad3c..c3461eb1c43c1b7fec45639e7e3d6d1f04a04401 100644
--- a/bms.py
+++ b/bms.py
@@ -1,6 +1,9 @@
 #!/usr/bin/env python
 # A simple milter that has grown quite a bit.
 # $Log$
+# Revision 1.100 2007/03/24 00:30:24 customdesigned
+# Do not CBV for internal domains.
+#
 # Revision 1.99 2007/03/23 22:39:10 customdesigned
 # Get SMTP-Auth policy from access_file.
 #
@@ -678,13 +681,13 @@ class bmsMilter(Milter.Milter):
       )
     self.fp.write('From %s %s\n' % (self.canon_from,time.ctime()))
-    self.internal_domain = True
+    self.internal_domain = False
     if len(t) == 2:
       user,domain = t
       for pat in internal_domains:
-        if fnmatchcase(domain,pat): break
-      else:
-        self.internal_domain = False
+        if fnmatchcase(domain,pat):
+          self.internal_domain = True
+          break
     if self.internal_connection:
       if self.user:
         p = SPFPolicy('%s@%s'%(self.user,domain))
@@ -820,6 +823,11 @@ class bmsMilter(Milter.Milter):
       else:
         hres,hcode,htxt = res,code,txt
       ores = res
+      if self.internal_domain and res == 'none':
+        # we don't accept our own domains externally without an SPF record
+        self.log('REJECT: spam from self',q.o)
+        self.setreply('550','5.7.1',"I hate talking to myself!")
+        return Milter.REJECT
       if spf_best_guess and res == 'none':
         #self.log('SPF: no record published, guessing')
         q.set_default_explanation(
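Review bot: The `fnmatchcase(domain,pat)` test that now decides `self.internal_domain` is case-sensitive, so unless `t[1]` has already been lower-cased earlier in the method (outside this hunk), a MAIL FROM of `alice@Example.COM` is not flagged as an internal domain and sidesteps the "spam from self" rejection that keys off this flag. Normalizing once before the loop, `domain = domain.lower()` (with the `internal_domains` patterns kept lower-case), closes that gap. Separately, `domain` is only bound inside the `len(t) == 2` branch yet is still used in `SPFPolicy('%s@%s'%(self.user,domain))` just below; if nothing earlier assigns it, a null or malformed sender on an authenticated connection raises NameError there — pre-existing, not introduced by this commit. The enclosing method starts before and continues after the hunk.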
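Review bot: The new `self.internal_domain and res == 'none'` branch answers with a permanent 550 5.7.1 whose text, `I hate talking to myself!`, tells a legitimate roaming user (the very case the accompanying TODO entry describes) nothing about why the message was refused or how to fix it. A reply that names the remedy still rejects but is actionable, e.g. `self.setreply('550','5.7.1',"Senders in our domains must use SMTP AUTH or publish an SPF record")`. The comment above the check would also benefit from recording why it sits ahead of the best-guess branch, e.g. `# our own domains never get an SPF best guess: without a record, only internal or authenticated senders may use them`. The enclosing method starts before and continues after the hunk.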