Subversion Repositories sa-exim

Compare Revisions

Ignore whitespace Rev 75 → Rev 76

/trunk/debian/README.Debian
124,13 → 124,14
loadplugin line, but fixing it is probably not worth the disruption of
existing installations.)
 
If two messages from the same /24 network (or IP address, depending on
greylistfourthbyte), with the same sender, with the same list of
recipient, and with a score below dontgreylistthreshold are seen at
least greylistsecs apart, the triplet will be whitelisted and the
GREYLIST_ISWHITE rule will be considered to match thenceforth. That
will signal to the local_scan library to raise SAtempreject to let the
message through, in addition to the negative spam score it carries.
If two messages from the same /24 IPv4 network or /64 IPv6 network (or
individual IP address, depending on greylistfourthbyte), with the same
sender, with the same list of recipient, and with a score below
dontgreylistthreshold are seen at least greylistsecs apart, the
triplet will be whitelisted and the GREYLIST_ISWHITE rule will be
considered to match thenceforth. That will signal to the local_scan
library to raise SAtempreject to let the message through, in addition
to the negative spam score it carries.
 
Notice that messages can be permanently rejected (score above
SApermreject) and still get a triplet whitelisted if the score is
219,4 → 220,4
file specifies conflicting options, it will prevent SA-Exim from
working. For now, you'll have to make sure that it doesn't.
 
-- Magnus Holmgren <holmgren@debian.org>, Sun, 18 Sep 2011 00:11:18 +0200
-- Magnus Holmgren <holmgren@debian.org>, Fri, 22 Jul 2016 09:58:32 +0200
/trunk/debian/changelog
3,8 → 3,15
* reproducible-build.patch (new): Make build reproducible by replacing
the build date with the source date via ${SOURCE_DATE_EPOCH} when
available (Closes: #831649). Thanks to Chris Lamb.
* greylisting-ipv6.patch: Finally add IPv6 support to the greylisting
plugin (Closes: #508161). Replaces grey-only-ipv4.patch. Based on
Robert Tasarz's patch, though I decided to do things a little
differently by keeping the greylistfourthbyte option for backwards
compatibility and not adding separate options for IPv4 and IPv6 at
this time. Also, with that option enabled, there will only be one
directory level for all the last 64 bits of an IPv6 address.
 
-- Magnus Holmgren <holmgren@debian.org> Thu, 21 Jul 2016 18:17:59 +0200
-- Magnus Holmgren <holmgren@debian.org> Fri, 22 Jul 2016 10:13:11 +0200
 
sa-exim (4.2.1-14) unstable; urgency=low
 
/trunk/debian/control
11,7 → 11,7
Package: sa-exim
Architecture: any
Depends: ${exim:Depends}, spamc, ${shlibs:Depends}, ${misc:Depends},
debconf (>= 1.2.0) | debconf-2.0
debconf (>= 1.2.0) | debconf-2.0, libnetaddr-ip-perl
Recommends: ${perl:Depends}
Suggests: spamassassin
Description: SpamAssassin filter for Exim
/trunk/debian/patches/grey-only-ipv4.patch
File deleted
/trunk/debian/patches/greylisting-ipv6.patch
0,0 → 1,76
Description: Add IPv6 support to the Greylisting SpamAssassin plugin.
The greylistfourthbyte option, for IPv6 addresses, means that all
addresses in the same /64 get whitelisted as a group.
Bug: https://bugs.debian.org/508161
 
--- a/Greylisting.pm
+++ b/Greylisting.pm
@@ -21,6 +21,8 @@ package Greylisting;
use strict;
use Mail::SpamAssassin::Plugin;
+use NetAddr::IP;
+use File::Path qw(mkpath);
our @ISA = qw(Mail::SpamAssassin::Plugin);
sub new
@@ -104,8 +106,12 @@ sub greylisting
}
chomp($connectip);
# Clean up input (for security, if you use files/dirs)
- $connectip =~ /([\d.:]+)/;
- $connectip = ($1 or "");
+
+ $connectip = NetAddr::IP->new($connectip);
+ if (not defined $connectip) {
+ warn "Can only handle IPv4 and IPv6 addresses; skipping greylisting call for message $mesgid\n";
+ return 0;
+ }
# Account for a null envelope from
if (not defined ($envfrom = $permsgstatus->get($option{'envfromhdr'})))
@@ -172,26 +178,27 @@ sub greylisting
# connectip is supposed to be untainted now, but I was still getting
# some insecure dependecy error messages sometimes (perl 5.8 problem apparently)
- $connectip =~ /(\d+)\.(\d+)\.(\d+)\.(\d+)/;
- my ($ipbyte1, $ipbyte2, $ipbyte3, $ipbyte4) = ($1, $2, $3, $4);
- my $ipdir1 = "$option{'dir'}/$ipbyte1";
- my $ipdir2 = "$ipdir1/$ipbyte2";
- my $ipdir3 = "$ipdir2/$ipbyte3";
- my $ipdir4;
- my $tupletdir;
-
- $ipdir4 = "$ipdir3";
- $ipdir4 .= "/$ipbyte4" if ($option{'greylistfourthbyte'});
- $tupletdir = "$ipdir4/$envfrom";
-
+ my $ipdir;
+ if ($connectip->version == 6) {
+ my @components = split ':', $connectip->full, 5;
+ if ($option{'greylistfourthbyte'}) {
+ $ipdir = join '/', @components;
+ } else {
+ $ipdir = join '/', @components[0..3];
+ }
+ } else {
+ my @components = split '\.', $connectip->addr;
+ if ($option{'greylistfourthbyte'}) {
+ $ipdir = join '/', @components;
+ } else {
+ $ipdir = join '/', @components[0..2];
+ }
+ }
+ my $tupletdir = "$option{'dir'}/$ipdir/$envfrom";
$tuplet = "$tupletdir/$rcptto";
# make directory whether it's there or not (faster than test and set)
- mkdir $ipdir1;
- mkdir $ipdir2;
- mkdir $ipdir3;
- mkdir $ipdir4;
- mkdir $tupletdir;
+ mkpath $tupletdir;
if (not -e $tuplet)
{
/trunk/debian/patches/series
1,6 → 1,5
api-limitations.patch
spamc-args.patch
grey-only-ipv4.patch
grey-clean-sender.patch
save-path.patch
improved-default-conf.patch
7,3 → 6,4
spamd-not-nobody.patch
readme.patch
reproducible-build.patch
greylisting-ipv6.patch