pkgsrc-Changes-HG archive


[pkgsrc/trunk]: pkgsrc/mail/opendmarc Add RequiredFrom option



details:   https://anonhg.NetBSD.org/pkgsrc/rev/f3838f9eadf2
branches:  trunk
changeset: 449383:f3838f9eadf2
user:      manu <manu%pkgsrc.org@localhost>
date:      Mon Mar 29 09:30:59 2021 +0000

description:
Add RequiredFrom option

If RequiredFrom is set, opendmarc will reject messages that lack
a From header from which a valid domain can be extracted. This
is a subset of the full RFC5322 requirements enforced by the
RequiredHeaders option.

While non RFC5322-compliant messages are too common to make
RequiredHeaders always usable, the check on the From header
remains especially valuable. It makes sure forged-domain messages
cannot evade the filter by just omitting the From header and relying
on the MTA to fill it in with a copy from the envelope header.

Submitted upstream as
https://github.com/trusteddomainproject/OpenDMARC/pull/147

diffstat:

 mail/opendmarc/Makefile                   |    4 +-
 mail/opendmarc/distinfo                   |    3 +-
 mail/opendmarc/patches/patch-RequiredFrom |  116 ++++++++++++++++++++++++++++++
 3 files changed, 120 insertions(+), 3 deletions(-)

diffs (151 lines):

diff -r dd7cad76b17e -r f3838f9eadf2 mail/opendmarc/Makefile
--- a/mail/opendmarc/Makefile   Mon Mar 29 08:45:48 2021 +0000
+++ b/mail/opendmarc/Makefile   Mon Mar 29 09:30:59 2021 +0000
@@ -1,10 +1,10 @@
-# $NetBSD: Makefile,v 1.23 2021/02/17 01:49:12 manu Exp $
+# $NetBSD: Makefile,v 1.24 2021/03/29 09:30:59 manu Exp $
 
 GITHUB_PROJECT=        OpenDMARC
 GITHUB_TAG=    rel-opendmarc-1-4-0-Beta1
 DISTNAME=      rel-opendmarc-1-4-0-Beta1
 PKGNAME=       opendmarc-1.4.0b1
-PKGREVISION=   1
+PKGREVISION=   3
 CATEGORIES=    mail
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=trusteddomainproject/}
 DIST_SUBDIR=   ${GITHUB_PROJECT}
diff -r dd7cad76b17e -r f3838f9eadf2 mail/opendmarc/distinfo
--- a/mail/opendmarc/distinfo   Mon Mar 29 08:45:48 2021 +0000
+++ b/mail/opendmarc/distinfo   Mon Mar 29 09:30:59 2021 +0000
@@ -1,9 +1,10 @@
-$NetBSD: distinfo,v 1.9 2021/02/17 01:49:12 manu Exp $
+$NetBSD: distinfo,v 1.10 2021/03/29 09:30:59 manu Exp $
 
 SHA1 (OpenDMARC/rel-opendmarc-1-4-0-Beta1.tar.gz) = 74ad1ef9f9a12b5fadef5919807cd55f7655d8d8
 RMD160 (OpenDMARC/rel-opendmarc-1-4-0-Beta1.tar.gz) = e8dda5350a734509843a04329777478d9410b796
 SHA512 (OpenDMARC/rel-opendmarc-1-4-0-Beta1.tar.gz) = d562050da9c4b96e7707157fbbf385ab3ac551cf07754b45deb6a010b4c47e7f478dfe35bc2c8625f6553af4fbf120820bf2a9f0ce246b26cabf81e7d1174405
 Size (OpenDMARC/rel-opendmarc-1-4-0-Beta1.tar.gz) = 1247386 bytes
+SHA1 (patch-RequiredFrom) = a21d77abbe93c806c6abee55e77e477c9c435c00
 SHA1 (patch-configure.ac) = d174911e4de37d3b50b525469cbe410bb7ae119f
 SHA1 (patch-libopendmarc_opendmarc__dns.c) = e76ca13707677525b72609b4a5268d77efcfba84
 SHA1 (patch-libopendmarc_opendmarc__spf__dns.c) = b6e1311be8e9ef44c333be57fef474f6b080a199
diff -r dd7cad76b17e -r f3838f9eadf2 mail/opendmarc/patches/patch-RequiredFrom
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/mail/opendmarc/patches/patch-RequiredFrom Mon Mar 29 09:30:59 2021 +0000
@@ -0,0 +1,116 @@
+$NetBSD: patch-RequiredFrom,v 1.1 2021/03/29 09:30:59 manu Exp $
+
+Add RequiredFrom option to reject messages that lack a From header
+from which a valid domain can be extracted
+
+Submitted upstream as 
+https://github.com/trusteddomainproject/OpenDMARC/pull/147
+
+--- opendmarc/opendmarc.c.orig 2021-03-29 09:13:11.534047039 +0200
++++ opendmarc/opendmarc.c      2021-03-29 10:02:01.105977120 +0200
+@@ -163,8 +163,9 @@
+ /* DMARCF_CONFIG -- configuration object */
+ struct dmarcf_config
+ {
+       _Bool                   conf_reqhdrs;
++      _Bool                   conf_reqfrom;
+       _Bool                   conf_afrf;
+       _Bool                   conf_afrfnone;
+       _Bool                   conf_rejectfail;
+       _Bool                   conf_dolog;
+@@ -1349,8 +1350,12 @@
+               (void) config_get(data, "RequiredHeaders",
+                                 &conf->conf_reqhdrs,
+                                 sizeof conf->conf_reqhdrs);
+ 
++              (void) config_get(data, "RequiredFrom",
++                                &conf->conf_reqfrom,
++                                sizeof conf->conf_reqfrom);
++
+               (void) config_get(data, "FailureReports",
+                                 &conf->conf_afrf,
+                                 sizeof conf->conf_afrf);
+ 
+@@ -2367,13 +2372,17 @@
+       {
+               if (conf->conf_dolog)
+               {
+                       syslog(LOG_INFO,
+-                             "%s: RFC5322 requirement error: missing From field; accepting",
+-                             dfc->mctx_jobid);
++                             "%s: RFC5322 requirement error: missing From field; %s",
++                             dfc->mctx_jobid,
++                             conf->conf_reqfrom ? "reject" : "accepting");
+               }
+ 
+-              return SMFIS_ACCEPT;
++              if (conf->conf_reqfrom)
++                      return SMFIS_REJECT;
++              else
++                      return SMFIS_ACCEPT;
+       }
+ 
+       /* extract From: domain */
+       memset(addrbuf, '\0', sizeof addrbuf);
+@@ -2387,9 +2396,9 @@
+                              "%s: unable to parse From header field",
+                              dfc->mctx_jobid);
+               }
+ 
+-              if (conf->conf_reqhdrs)
++              if (conf->conf_reqhdrs || conf->conf_reqfrom) 
+                       return SMFIS_REJECT;
+               else
+                       return SMFIS_ACCEPT;
+       }
+--- opendmarc/opendmarc.conf.5.in.orig 2021-03-29 09:15:03.877101090 +0200
++++ opendmarc/opendmarc.conf.5.in      2021-03-29 09:21:56.423837778 +0200
+@@ -258,8 +258,16 @@
+ failing this test are rejected without further processing.  A From:
+ field from which no domain name could be extracted will also be rejected.
+ 
+ .TP
++.I RequiredFrom (Boolean)
++If set, the filter will reject without further processing messages that lack a
++From: field from which a domain name could be extracted. This options is
++without effect if
++.I RequiredHeaders
++is set to "true".
++
++.TP
+ .I Socket (string)
+ Specifies the socket that should be established by the filter to receive
+ connections from
+ .I sendmail(8)
+--- opendmarc/opendmarc-config.h.orig  2021-03-29 09:19:21.345035861 +0200
++++ opendmarc/opendmarc-config.h       2021-03-29 09:19:34.235736167 +0200
+@@ -43,8 +43,9 @@
+       { "PidFile",                    CONFIG_TYPE_STRING,     FALSE },
+       { "PublicSuffixList",           CONFIG_TYPE_STRING,     FALSE },
+       { "RecordAllMessages",          CONFIG_TYPE_BOOLEAN,    FALSE },
+       { "RequiredHeaders",            CONFIG_TYPE_BOOLEAN,    FALSE },
++      { "RequiredFrom",               CONFIG_TYPE_BOOLEAN,    FALSE },
+       { "RejectFailures",             CONFIG_TYPE_BOOLEAN,    FALSE },
+       { "ReportCommand",              CONFIG_TYPE_STRING,     FALSE },
+       { "Socket",                     CONFIG_TYPE_STRING,     FALSE },
+       { "SoftwareHeader",             CONFIG_TYPE_BOOLEAN,    FALSE },
+--- opendmarc/opendmarc.conf.sample.orig       2021-03-29 09:19:43.400961620 +0200
++++ opendmarc/opendmarc.conf.sample    2021-03-29 09:22:23.834032438 +0200
+@@ -303,8 +303,17 @@
+ ##  rejected.
+ #
+ # RequiredHeaders false
+ 
++##  RequiredFrom { true | false }
++##    default "false"
++##
++##  If set, the filter will reject without further processing messages that 
++##  lack a From: field from which a domain name could be extracted. This 
++##  options is without effect if RequiredHeaders is set to "true".
++#
++# RequiredFrom false
++
+ ##  Socket socketspec
+ ##    default (none)
+ ##
+ ##  Specifies the socket that should be established by the filter to receive
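Review bot: In the opendmarc.c part, the missing-From branch decides on `conf->conf_reqfrom` alone, while the parse-failure branch just below it tests `conf->conf_reqhdrs || conf->conf_reqfrom`. If an earlier RequiredHeaders check already rejects a message with no From field (that code is outside the hunk, so this is an assumption), add a comment saying so, e.g. `/* RequiredHeaders case was already rejected above */`; otherwise use `if (conf->conf_reqhdrs || conf->conf_reqfrom)` in both branches so the stricter option never accepts what the weaker one rejects. The log text mixes "reject" with "accepting", and the parse-failure message records no disposition at all, which makes it harder to tell from syslog which messages were actually refused; `conf->conf_reqfrom ? "rejecting" : "accepting"` plus the same suffix on the "unable to parse From header field" line would fix both. The enclosing function starts and ends outside the quoted context.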


