Attachment #4760 for bug #6430

View | Details | Raw Unified | Return to bug 6430
Collapse All | Expand All

Lines 1042-1048 Link Here

(-)/var/tmp/portage/mail-filter/spamassassin-3.3.1-r2/work/Mail-SpamAssassin-3.3.1/lib/Mail/SpamAssassin/Conf/Parser.pm (-2 / +7 lines)
1042	# validate trusted_networks and internal_networks, bug 4760.	1042	# validate trusted_networks and internal_networks, bug 4760.
1043	# check that all internal_networks are listed in trusted_networks	1043	# check that all internal_networks are listed in trusted_networks
1044	# too. do the same for msa_networks, but check msa_networks against	1044	# too. do the same for msa_networks, but check msa_networks against
1045	# internal_networks if trusted_networks aren't defined	1045	# internal_networks if trusted_networks aren't defined.
		1046	# extend similar validation to msa_on_auth_networks, bug 6430.
		1047	# TODO: we could go further by checking that msa_on_auth_networks and
		1048	# msa_networks do not overlap, since this may cause problems for
		1049	# internal relays that use some kind of authentication. Unfortunately,
		1050	# NetSet doesn't (yet?) avails of a suitable method to do this
1046		1051
1047	my ($nt, $matching_against);	1052	my ($nt, $matching_against);
1048	if ($conf->{trusted_networks_configured}) {	1053	if ($conf->{trusted_networks_configured}) {
Lines 1055-1061 Link Here
1055	return;	1060	return;
1056	}	1061	}
1057		1062
1058	foreach my $net_type ('internal_networks', 'msa_networks') {	1063	foreach my $net_type ('internal_networks', 'msa_networks', 'msa_on_auth_networks') {
1059	next unless $conf->{"${net_type}_configured"};	1064	next unless $conf->{"${net_type}_configured"};
1060	next if $net_type eq $matching_against;	1065	next if $net_type eq $matching_against;
1061		1066




    }
  });

=item msa_on_auth_networks ip.add.re.ss[/mask] ...   (default: none)

The networks or hosts which SA should treat like MSAs when relaying
messages from an authenticated source.
Unlike the hosts in msa_networks, these relays may accept mail from
hosts that aren't authenticated in some way and SA will not trust the
whole relay chain.

When instead one of these relays is dispatching a message from an
authenticated source, all relays found in the message headers after the
relay itself will take on the same trusted and internal classifications
as the MSA relay itself, as defined by your I<trusted_networks> and
I<internal_networks> configuration.

SA detects that a relay in this list is acting like an MSA when its
received header contains some kind of authenticated protocol in the
'via' or 'with' value. Examples of such authenticated protocols
include SMTPA, ESMTPA, LMTPA.

=cut

  push (@cmds, {
    setting => 'msa_on_auth_networks',
    type => $CONF_TYPE_IPADDRLIST,
  });

=item clear_msa_on_auth_networks

Empty the list of msa-on-auth networks.

=cut

  push (@cmds, {
    setting => 'clear_msa_on_auth_networks',
    type => $CONF_TYPE_NOARGS,
    code => sub {
      my ($self, $key, $value, $line) = @_;
      unless (!defined $value || $value eq '') {
        return $INVALID_VALUE;
      }
      $self->{msa_on_auth_networks} = Mail::SpamAssassin::NetSet->new(); # not new_netset
      $self->{msa_on_auth_networks} = 0;
    }
  });

=item originating_ip_headers header ...   (default: X-Yahoo-Post-IP X-Originating-IP X-Apparently-From X-SenderIP)

A list of header field names from which an originating IP address can

  $self->{trusted_networks} = $self->new_netset();
  $self->{internal_networks} = $self->new_netset();
  $self->{msa_networks} = Mail::SpamAssassin::NetSet->new(); # not new_netset
  $self->{msa_on_auth_networks} = Mail::SpamAssassin::NetSet->new();
  $self->{trusted_networks_configured} = 0;
  $self->{internal_networks_configured} = 0;



  # keys that should can be copied using a ->clone() method, in ->clone()
  my @CLONABLE_KEYS = qw(
    internal_networks trusted_networks msa_networks msa_on_auth_networks
  );

  my %done;




  my $trusted = $permsgstatus->{main}->{conf}->{trusted_networks};
  my $internal = $permsgstatus->{main}->{conf}->{internal_networks};
  my $msa = $permsgstatus->{main}->{conf}->{msa_networks};
  my $msa_on_auth = $permsgstatus->{main}->{conf}->{msa_on_auth_networks};
  my $did_user_specify_trust = $permsgstatus->{main}->{conf}->{trusted_networks_configured};
  my $did_user_specify_internal = $permsgstatus->{main}->{conf}->{internal_networks_configured};
  my $in_trusted = 1;
  my $in_internal = 1;
  my $found_msa = 0;
  my $found_on_auth_msa = 0;

  unless ($did_user_specify_trust && $did_user_specify_internal) {
    if (!$did_user_specify_trust && !$did_user_specify_internal) {

	  if ($in_internal && !$relay->{auth} && !$internal->contains_ip($relay->{ip})) {
	    $in_internal = 0;
	  }
	  # msa[_on_auth]_networks matches?
	  if ($msa->contains_ip($relay->{ip})) {
	    dbg('received-header: found MSA relay, remaining relays will be'.
		' considered trusted: yes'.
		' internal: '.($in_internal ? 'yes' : 'no'));
	    $found_msa = 1;
	    $relay->{msa} = 1;
	  } else {
	    if ($found_on_auth_msa && $relay->{auth}) {
	      dbg('received-header: relay '.$found_on_auth_msa->{ip}.' detected as on-auth MSA.'.
		  ' remaining relayes will be'.
		  ' considered trusted: yes'.
		  ' internal: '.($in_internal ? 'yes' : 'no'));
	      $found_msa = 1;
	      $found_on_auth_msa->{msa} = 1;
	      $found_on_auth_msa = 0;
	    } else {
	      $found_on_auth_msa = 0;
	      if ($msa_on_auth->contains_ip($relay->{ip})) {
		dbg('received-header: found on-auth MSA relay. Will be considered MSA'.
		    ' if it will auth the sender');
		$found_on_auth_msa = $relay;
	      }
	    }
	  }
	}
      }

Return to bug 6430

Lines 1199-1204 Link Here

(-)/var/tmp/portage/mail-filter/spamassassin-3.3.1-r2/work/Mail-SpamAssassin-3.3.1/lib/Mail/SpamAssassin/Conf.pm (-1 / +47 lines)
1199	}	1199	}
1200	});	1200	});
1201		1201
		1202	=item msa_on_auth_networks ip.add.re.ss[/mask] ... (default: none)
		1203
		1204	The networks or hosts which SA should treat like MSAs when relaying
		1205	messages from an authenticated source.
		1206	Unlike the hosts in msa_networks, these relays may accept mail from
		1207	hosts that aren't authenticated in some way and SA will not trust the
		1208	whole relay chain.
		1209
		1210	When instead one of these relays is dispatching a message from an
		1211	authenticated source, all relays found in the message headers after the
		1212	relay itself will take on the same trusted and internal classifications
		1213	as the MSA relay itself, as defined by your I<trusted_networks> and
		1214	I<internal_networks> configuration.
		1215
		1216	SA detects that a relay in this list is acting like an MSA when its
		1217	received header contains some kind of authenticated protocol in the
		1218	'via' or 'with' value. Examples of such authenticated protocols
		1219	include SMTPA, ESMTPA, LMTPA.
		1220
		1221	=cut
		1222
		1223	push (@cmds, {
		1224	setting => 'msa_on_auth_networks',
		1225	type => $CONF_TYPE_IPADDRLIST,
		1226	});
		1227
		1228	=item clear_msa_on_auth_networks
		1229
		1230	Empty the list of msa-on-auth networks.
		1231
		1232	=cut
		1233
		1234	push (@cmds, {
		1235	setting => 'clear_msa_on_auth_networks',
		1236	type => $CONF_TYPE_NOARGS,
		1237	code => sub {
		1238	my ($self, $key, $value, $line) = @_;
		1239	unless (!defined $value \|\| $value eq '') {
		1240	return $INVALID_VALUE;
		1241	}
		1242	$self->{msa_on_auth_networks} = Mail::SpamAssassin::NetSet->new(); # not new_netset
		1243	$self->{msa_on_auth_networks} = 0;
		1244	}
		1245	});
		1246
1202	=item originating_ip_headers header ... (default: X-Yahoo-Post-IP X-Originating-IP X-Apparently-From X-SenderIP)	1247	=item originating_ip_headers header ... (default: X-Yahoo-Post-IP X-Originating-IP X-Apparently-From X-SenderIP)
1203		1248
1204	A list of header field names from which an originating IP address can	1249	A list of header field names from which an originating IP address can
Lines 3506-3511 Link Here
3506	$self->{trusted_networks} = $self->new_netset();	3551	$self->{trusted_networks} = $self->new_netset();
3507	$self->{internal_networks} = $self->new_netset();	3552	$self->{internal_networks} = $self->new_netset();
3508	$self->{msa_networks} = Mail::SpamAssassin::NetSet->new(); # not new_netset	3553	$self->{msa_networks} = Mail::SpamAssassin::NetSet->new(); # not new_netset
		3554	$self->{msa_on_auth_networks} = Mail::SpamAssassin::NetSet->new();
3509	$self->{trusted_networks_configured} = 0;	3555	$self->{trusted_networks_configured} = 0;
3510	$self->{internal_networks_configured} = 0;	3556	$self->{internal_networks_configured} = 0;
3511		3557
Lines 3870-3876 Link Here
3870		3916
3871	# keys that should can be copied using a ->clone() method, in ->clone()	3917	# keys that should can be copied using a ->clone() method, in ->clone()
3872	my @CLONABLE_KEYS = qw(	3918	my @CLONABLE_KEYS = qw(
3873	internal_networks trusted_networks msa_networks	3919	internal_networks trusted_networks msa_networks msa_on_auth_networks
3874	);	3920	);
3875		3921
3876	my %done;	3922	my %done;

Lines 81-91 Link Here

(-)/var/tmp/portage/mail-filter/spamassassin-3.3.1-r2/work/Mail-SpamAssassin-3.3.1/lib/Mail/SpamAssassin/Message/Metadata/Received.pm (-2 / +21 lines)
81	my $trusted = $permsgstatus->{main}->{conf}->{trusted_networks};	81	my $trusted = $permsgstatus->{main}->{conf}->{trusted_networks};
82	my $internal = $permsgstatus->{main}->{conf}->{internal_networks};	82	my $internal = $permsgstatus->{main}->{conf}->{internal_networks};
83	my $msa = $permsgstatus->{main}->{conf}->{msa_networks};	83	my $msa = $permsgstatus->{main}->{conf}->{msa_networks};
		84	my $msa_on_auth = $permsgstatus->{main}->{conf}->{msa_on_auth_networks};
84	my $did_user_specify_trust = $permsgstatus->{main}->{conf}->{trusted_networks_configured};	85	my $did_user_specify_trust = $permsgstatus->{main}->{conf}->{trusted_networks_configured};
85	my $did_user_specify_internal = $permsgstatus->{main}->{conf}->{internal_networks_configured};	86	my $did_user_specify_internal = $permsgstatus->{main}->{conf}->{internal_networks_configured};
86	my $in_trusted = 1;	87	my $in_trusted = 1;
87	my $in_internal = 1;	88	my $in_internal = 1;
88	my $found_msa = 0;	89	my $found_msa = 0;
		90	my $found_on_auth_msa = 0;
89		91
90	unless ($did_user_specify_trust && $did_user_specify_internal) {	92	unless ($did_user_specify_trust && $did_user_specify_internal) {
91	if (!$did_user_specify_trust && !$did_user_specify_internal) {	93	if (!$did_user_specify_trust && !$did_user_specify_internal) {
Lines 198-210 Link Here
198	if ($in_internal && !$relay->{auth} && !$internal->contains_ip($relay->{ip})) {	200	if ($in_internal && !$relay->{auth} && !$internal->contains_ip($relay->{ip})) {
199	$in_internal = 0;	201	$in_internal = 0;
200	}	202	}
201	# msa_networks matches?	203	# msa[_on_auth]_networks matches?
202	if ($msa->contains_ip($relay->{ip})) {	204	if ($msa->contains_ip($relay->{ip})) {
203	dbg('received-header: found MSA relay, remaining relays will be'.	205	dbg('received-header: found MSA relay, remaining relays will be'.
204	' considered trusted: '.($in_trusted ? 'yes' : 'no').	206	' considered trusted: yes'.
205	' internal: '.($in_internal ? 'yes' : 'no'));	207	' internal: '.($in_internal ? 'yes' : 'no'));
206	$found_msa = 1;	208	$found_msa = 1;
207	$relay->{msa} = 1;	209	$relay->{msa} = 1;
		210	} else {
		211	if ($found_on_auth_msa && $relay->{auth}) {
		212	dbg('received-header: relay '.$found_on_auth_msa->{ip}.' detected as on-auth MSA.'.
		213	' remaining relayes will be'.
		214	' considered trusted: yes'.
		215	' internal: '.($in_internal ? 'yes' : 'no'));
		216	$found_msa = 1;
		217	$found_on_auth_msa->{msa} = 1;
		218	$found_on_auth_msa = 0;
		219	} else {
		220	$found_on_auth_msa = 0;
		221	if ($msa_on_auth->contains_ip($relay->{ip})) {
		222	dbg('received-header: found on-auth MSA relay. Will be considered MSA'.
		223	' if it will auth the sender');
		224	$found_on_auth_msa = $relay;
		225	}
		226	}
208	}	227	}
209	}	228	}
210	}	229	}