From 14a77f26469051d174e98ea1143d4475ee5adcf6 Mon Sep 17 00:00:00 2001 From: "Murray S. Kucherawy" Date: Fri, 30 Apr 2021 09:12:46 -0700 Subject: [PATCH] Repair botched merge from "develop". --- opendmarc/README | 10 ++++++++-- opendmarc/opendmarc-config.h | 1 + opendmarc/opendmarc.c | 8 +++++++- opendmarc/opendmarc.conf.5.in | 22 ++++++++++++++++++++++ opendmarc/opendmarc.conf.sample | 27 +++++++++++++++++++++++++++ 5 files changed, 65 insertions(+), 3 deletions(-) diff --git a/opendmarc/README b/opendmarc/README index 028816bf..30ba5e9a 100644 --- a/opendmarc/README +++ b/opendmarc/README @@ -91,6 +91,12 @@ CONFIGURING OPENDMARC /etc/init.d/postfix restart +(9) Depending on your settings, mail sent with a policy of p=quarantine + may wind up in your MTA's "Hold" or "Quarantine" queue. + + The setting "HoldQuarantinedMessages" (defaults to false) can be used + to control this feature. + TESTING AND DEBUGGING ===================== @@ -220,5 +226,5 @@ subscribe to one or both of the following: These can be accessed via http://www.trusteddomain.org/mailman/listinfo. -To report bugs and feature requests, you can access the SourceForge "tracker" -facilities at http://sourceforge.net/projects/opendmarc. +To report bugs and feature requests, you can access the GitHub "tracker" +facilities at https://github.com/trusteddomainproject/OpenDMARC/issues. diff --git a/opendmarc/opendmarc-config.h b/opendmarc/opendmarc-config.h index 73d5a614..1b781df4 100644 --- a/opendmarc/opendmarc-config.h +++ b/opendmarc/opendmarc-config.h @@ -36,6 +36,7 @@ struct configdef dmarcf_config[] = { "FailureReportsOnNone", CONFIG_TYPE_BOOLEAN, FALSE }, { "FailureReportsSentBy", CONFIG_TYPE_STRING, FALSE }, { "HistoryFile", CONFIG_TYPE_STRING, FALSE }, + { "HoldQuarantinedMessages", CONFIG_TYPE_BOOLEAN, FALSE }, { "IgnoreAuthenticatedClients", CONFIG_TYPE_BOOLEAN, FALSE }, { "IgnoreHosts", CONFIG_TYPE_STRING, FALSE }, { "IgnoreMailFrom", CONFIG_TYPE_STRING, FALSE }, 
diff --git a/opendmarc/opendmarc.c b/opendmarc/opendmarc.c index 10cdb970..a1e49ec3 100644 --- a/opendmarc/opendmarc.c +++ b/opendmarc/opendmarc.c @@ -177,6 +177,7 @@ struct dmarcf_config _Bool conf_spfselfvalidate; #endif /* WITH_SPF */ _Bool conf_ignoreauthclients; + _Bool conf_holdquarantinedmessages; _Bool conf_reject_multi_from; unsigned int conf_refcnt; unsigned int conf_dnstimeout; @@ -1454,6 +1455,10 @@ dmarcf_config_load(struct config *data, struct dmarcf_config *conf, &conf->conf_recordall, sizeof conf->conf_recordall); + (void) config_get(data, "HoldQuarantinedMessages", + &conf->conf_holdquarantinedmessages, + sizeof conf->conf_holdquarantinedmessages); + (void) config_get(data, "IgnoreAuthenticatedClients", &conf->conf_ignoreauthclients, sizeof conf->conf_ignoreauthclients); @@ -3557,7 +3562,8 @@ mlfi_eom(SMFICTX *ctx) aresult = "fail"; ret = SMFIS_CONTINUE; - if (conf->conf_rejectfail && random() % 100 < pct) + if (conf->conf_rejectfail && + random() % 100 < pct) { snprintf(replybuf, sizeof replybuf, "rejected by DMARC policy for %s", pdomain); diff --git a/opendmarc/opendmarc.conf.5.in b/opendmarc/opendmarc.conf.5.in index b455613a..f7cea9a5 100644 --- a/opendmarc/opendmarc.conf.5.in +++ b/opendmarc/opendmarc.conf.5.in 
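Review bot: Nothing in these opendmarc.c hunks reads `conf->conf_holdquarantinedmessages`: the field is declared and filled in `dmarcf_config_load`, while the `mlfi_eom` hunk only rewraps the `conf_rejectfail` condition. Both functions continue outside the hunks, so the quarantine branch may already test the flag, but that should be confirmed; otherwise the option documented in this commit would not change whether p=quarantine failures are held. Because the documented default of false lets such mail through with only the Authentication-Results header, I would also add a comment on the struct field, e.g. `/* hold p=quarantine failures in the MTA queue; false = deliver, tagged only */`.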
@@ -191,6 +191,28 @@ rather periodically imported into a relational database from which the aggregate reports can be extracted using .B opendmarc-importstats(8). +.TP +.I HoldQuarantinedMessages (Boolean) +If set, the milter will signal to the mta that messages with +p=quarantine, which fail dmarc authentication, should be held in +the MTA's "Hold" or "Quarantine" queue. The name varies by MTA. +If false, messsages will be accepted and passed along with the +regular mail flow, and the quarantine will be left up to downstream +MTA/MDA/MUA filters, if any, to handle by re-evaluating the headers, +including the Authentication-Results header added by this filter. +The default is "false". + +.TP +.I HoldQuarantinedMessages (Boolean) +If set, the milter will signal to the mta that messages with +p=quarantine, which fail dmarc authentication, should be held in +the MTA's "Hold" or "Quarantine" queue. The name varies by MTA. +If false, messsages will be accepted and passed along with the +regular mail flow, and the quarantine will be left up to downstream +MTA/MDA/MUA filters, if any, to handle by re-evaluating the headers, +including the Authentication-Results header added by this filter. +The default is "false". + .TP .I IgnoreAuthenticatedClients (Boolean) If set, causes mail from authenticated clients (i.e., those that used diff --git a/opendmarc/opendmarc.conf.sample b/opendmarc/opendmarc.conf.sample index 2a1a7ec6..69c9afbb 100644 --- a/opendmarc/opendmarc.conf.sample +++ b/opendmarc/opendmarc.conf.sample 
@@ -213,6 +213,19 @@ # # HistoryFile /var/run/opendmarc.dat +## HoldQuarantinedMessages { true | false } +## default "false" +## +## If set, the milter will signal to the mta that messages with +## p=quarantine, which fail dmarc authentication, should be held in +## the MTA's "Hold" or "Quarantine" queue. The name varies by MTA. +## If false, messsages will be accepted and passed along with the +## regular mail flow, and the quarantine will be left up to downstream +## MTA/MDA/MUA filters, if any, to handle by re-evaluating the headers, +## including the Authentication-Results header added by OpenDMARC +# +# HoldQuarantinedMessages false + ## IgnoreAuthenticatedClients { true | false } ## default "false" ## @@ -221,6 +234,20 @@ # # IgnoreAuthenticatedClients false +## HoldQuarantinedMessages { true | false } +## default "false" +## +## If set, the milter will signal to the mta that messages with +## p=quarantine, which fail dmarc authentication, should be held in +## the MTA's "Hold" or "Quarantine" queue. The name varies by MTA. +## If false, messsages will be accepted and passed along with the +## regular mail flow, and the quarantine will be left up to downstream +## MTA/MDA/MUA filters, if any, to handle by re-evaluating the headers, +## including the Authentication-Results header added by OpenDMARC +# +# HoldQuarantinedMessages false + + ## IgnoreHosts path ## default (internal) ##
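Review bot: The second hunk adds a `HoldQuarantinedMessages` block after `IgnoreAuthenticatedClients` that duplicates, word for word, the block the first hunk adds after `HistoryFile`; one of them should be dropped. With two commented-out `# HoldQuarantinedMessages false` lines, an operator can enable one and miss the other, and which value wins then depends on the config parser, which is not visible here. The opendmarc.conf.5.in hunk adds the same `.TP` entry twice as well. The repeated text also spells `messsages`.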