debian/patches/dkim_subdomains

   1 Description: Support signer subdomain matching in whitelist_from_dkim
   2 Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1693414
   3 Bug: https://bz.apache.org/SpamAssassin/show_bug.cgi?id=7226
   4 Index: spamassassin-3.4.1/lib/Mail/SpamAssassin/Plugin/DKIM.pm
   5 ===================================================================
   6 --- spamassassin-3.4.1.orig/lib/Mail/SpamAssassin/Plugin/DKIM.pm
   7 +++ spamassassin-3.4.1/lib/Mail/SpamAssassin/Plugin/DKIM.pm
   8 @@ -178,13 +178,18 @@ sub set_config {
   9
  10  Works similarly to whitelist_from, except that in addition to matching
  11  an author address (From) to the pattern in the first parameter, the message
  12 -must also carry a Domain Keys Identified Mail (DKIM) signature made by a
  13 -signing domain (SDID, i.e. the d= tag) that is acceptable to us.
  14 +must also carry a valid Domain Keys Identified Mail (DKIM) signature made by
  15 +a signing domain (SDID, i.e. the d= tag) that is acceptable to us.
  16
  17  Only one whitelist entry is allowed per line, as in C<whitelist_from_rcvd>.
  18  Multiple C<whitelist_from_dkim> lines are allowed. File-glob style characters
  19  are allowed for the From address (the first parameter), just like with
  20 -C<whitelist_from_rcvd>. The second parameter does not accept wildcards.
  21 +C<whitelist_from_rcvd>.
  22 +
  23 +The second parameter (the signing-domain) does not accept full file-glob style
  24 +wildcards, although a simple '*.' (or just a '.') prefix to a domain name
  25 +is recognized and implies any subdomain of the specified domain (but not
  26 +the domain itself).
  27
  28  If no signing-domain parameter is specified, the only acceptable signature
  29  will be an Author Domain Signature (sometimes called first-party signature)
  30 @@ -205,7 +210,8 @@ Examples of whitelisting based on third-
  31    whitelist_from_dkim jane@example.net      example.org
  32    whitelist_from_dkim rick@info.example.net example.net
  33    whitelist_from_dkim *@info.example.net    example.net
  34 -  whitelist_from_dkim *@*                   remailer.example.com
  35 +  whitelist_from_dkim *@*                   mail7.remailer.example.com
  36 +  whitelist_from_dkim *@*                   *.remailer.example.com
  37
  38  =item def_whitelist_from_dkim author@example.com [signing-domain]
  39
  40 @@ -376,7 +382,8 @@ some valid signature on a message has no
  41  associated with a particular domain), regardless of its key size - anyone can
  42  prepend its own signature on a copy of some third party mail and re-send it,
  43  which makes it no more trustworthy than without such signature. This is also
  44 -a reason for a rule DKIM_VALID to have a near-zero score.
  45 +a reason for a rule DKIM_VALID to have a near-zero score, i.e. a rule hit
  46 +is only informational.
  47
  48  =cut
  49
  50 @@ -1257,8 +1264,12 @@ sub _wlcheck_list {
  51          # identity (AUID). Nevertheless, be prepared to accept the full e-mail
  52          # address there for compatibility, and just ignore its local-part.
  53
  54 -        $acceptable_sdid = $1  if $acceptable_sdid =~ /\@([^\@]*)\z/;
  55 -        $matches = 1  if $sdid eq lc $acceptable_sdid;
  56 +        $acceptable_sdid = $1  if $acceptable_sdid =~ /\@([^\@]*)\z/s;
  57 +        if ($acceptable_sdid =~ s/^\*?\.//s) {
  58 +          $matches = 1  if $sdid =~ /\.\Q$acceptable_sdid\E\z/si;
  59 +        } else {
  60 +          $matches = 1  if $sdid eq lc $acceptable_sdid;
  61 +        }
  62        }
  63        if ($matches) {
  64          if (would_log("dbg","dkim")) {