Skip to content

Commit

Permalink
Update mail/opendmarc to 1.4.1.1
Browse files Browse the repository at this point in the history
Changes since 1.4.0 from the RELEASE_NOTES file
        NOTE: In response to CVE-2019-20790, opendmarc has changed
                how it evaluates headers added by previous
                SPF milters.  Users are encouraged to read the
                CVE-2019-20790 file in the "SECURITY" folder
                for more details. (#49, #158).  Originally reported by
                Jianjun Chen, feedback by Simon Wilson and
                David Bürgin <dbuergin@gluet.ch>.
        NOTE: OpenDMARC's internal SPF handling will be removed
                in a future version.  Users are encouraged to
                build linked against libspf2.  Many pre-built
                packages provided by OS packagers already do this.
                (See https://www.libspf2.org)
        Addition of defines for MUSL C Library. (#129/#133).  Patches by
                Marco Rebhan.
        Updated opendmarc.conf manpage and opendmarc.conf.sample to point to
                https://publicsuffix.org/list/.
        Added a CONTRIBUTING document.
        Fix two #ifdefs in arc functions for strlcpy. (#138).  Reported by
                Leo Bicknell.
        Fixes to MySQL Schema (#98/#99).  Patch by Bond Keevil.
        LIBSPF2 calls would not compile on OpenBSD due to OpenBSD not
                having the ns_type definition in arpa/resolv.h.
                Added detection to configure script.  (#134)
        Reworked hcreate_r calls to use hcreate, to compile natively on
                OpenBSD and MacOS. (Part of #94)  Reported by Rupert
                Gallagher.
        Add compatibility with AutoConf 2.70. (#95)
        Documentation updates about SourceForge being deprecated.  (#101)
        Only accept results from Received-SPF fields that indicate clearly
                which identifier was being evaluated, since DMARC specifically
                only wants results based on MAIL FROM.
        Many build-time fixes (#100, #91, #90, #86, #85, #84, #83, #82, #81)
                Patches provided by Rupert Gallagher (ruga@protonmail.com)
        Added config option HoldQuarantinedMessages (default false), which
                controls if messages with p=quarantine will be passed on to
                the mail stream (if False) or placed in the MTA's "hold"
                queue (if True).  Issue #105.  Patch by Marcos Moraes, on
                the OpenDMARC mailing list.
        Remove "--with-wall" from "configure".  Suggested by Leo Bicknell.
        LIBOPENDMARC: Fix bug #50: Ignore all RRTYPEs other than TXT.
                Problem reported by Jan Bouwhuis.
        LIBOPENDMARC: Fix bug #89: Repair absurd RRTYPE test in SPF code.
        LIBOPENDMARC: Fix bug #104: Fix bogus header field parsing code.
        LIBOPENDMARC: Fix bug #161: Don't pass the client IP address through
                htonl() since it's already in network byte order.  This
                was causing SPF errors when the internal SPF
                implementation was in use.
        LIBOPENDMARC: Fix numerous problems with the internal SPF
                implementation.
  • Loading branch information
manu committed May 27, 2021
1 parent 400b528 commit 473b25f
Show file tree
Hide file tree
Showing 10 changed files with 85 additions and 173 deletions.
3 changes: 2 additions & 1 deletion doc/CHANGES-2021
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
$NetBSD: CHANGES-2021,v 1.2998 2021/05/27 15:25:34 bsiegert Exp $
$NetBSD: CHANGES-2021,v 1.2999 2021/05/27 16:51:59 manu Exp $

Changes to the packages collection and infrastructure in 2021:

Expand Down Expand Up @@ -4631,3 +4631,4 @@ Changes to the packages collection and infrastructure in 2021:
Removed graphics/go-smartcrop [bsiegert 2021-05-27]
Removed graphics/go-resize [bsiegert 2021-05-27]
Removed graphics/go-imaging [bsiegert 2021-05-27]
Updated mail/opendmarc to 1.4.1.1 [manu 2021-05-27]
10 changes: 5 additions & 5 deletions mail/opendmarc/Makefile
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
# $NetBSD: Makefile,v 1.25 2021/05/24 19:52:43 wiz Exp $
# $NetBSD: Makefile,v 1.26 2021/05/27 16:52:00 manu Exp $

GITHUB_PROJECT= OpenDMARC
GITHUB_TAG= rel-opendmarc-1-4-0-Beta1
DISTNAME= rel-opendmarc-1-4-0-Beta1
PKGNAME= opendmarc-1.4.0b1
PKGREVISION= 4
GITHUB_TAG= rel-opendmarc-1-4-1-1
DISTNAME= rel-opendmarc-1-4-1-1
PKGNAME= opendmarc-1.4.1.1
#PKGREVISION= 1
CATEGORIES= mail
MASTER_SITES= ${MASTER_SITE_GITHUB:=trusteddomainproject/}
DIST_SUBDIR= ${GITHUB_PROJECT}
Expand Down
21 changes: 10 additions & 11 deletions mail/opendmarc/distinfo
Original file line number Diff line number Diff line change
@@ -1,12 +1,11 @@
$NetBSD: distinfo,v 1.10 2021/03/29 09:30:59 manu Exp $
$NetBSD: distinfo,v 1.11 2021/05/27 16:52:00 manu Exp $

SHA1 (OpenDMARC/rel-opendmarc-1-4-0-Beta1.tar.gz) = 74ad1ef9f9a12b5fadef5919807cd55f7655d8d8
RMD160 (OpenDMARC/rel-opendmarc-1-4-0-Beta1.tar.gz) = e8dda5350a734509843a04329777478d9410b796
SHA512 (OpenDMARC/rel-opendmarc-1-4-0-Beta1.tar.gz) = d562050da9c4b96e7707157fbbf385ab3ac551cf07754b45deb6a010b4c47e7f478dfe35bc2c8625f6553af4fbf120820bf2a9f0ce246b26cabf81e7d1174405
Size (OpenDMARC/rel-opendmarc-1-4-0-Beta1.tar.gz) = 1247386 bytes
SHA1 (patch-RequiredFrom) = a21d77abbe93c806c6abee55e77e477c9c435c00
SHA1 (patch-configure.ac) = d174911e4de37d3b50b525469cbe410bb7ae119f
SHA1 (patch-libopendmarc_opendmarc__dns.c) = e76ca13707677525b72609b4a5268d77efcfba84
SHA1 (patch-libopendmarc_opendmarc__spf__dns.c) = b6e1311be8e9ef44c333be57fef474f6b080a199
SHA1 (patch-opendmarc_opendmarc-arcares.c) = 6bf207d9984341fe13120ff8d25a77ff7f6ae1e5
SHA1 (patch-opendmarc_opendmarc-arcseal.c) = a2ace25f687736876ea4299a0177d3c3ed1e247b
SHA1 (OpenDMARC/rel-opendmarc-1-4-1-1.tar.gz) = 2983653fa076f3843f3ef064d58f35d39e21a3fe
RMD160 (OpenDMARC/rel-opendmarc-1-4-1-1.tar.gz) = 6bb61ad0e1e1a8cb3ce23cbe4eb61fb02be26610
SHA512 (OpenDMARC/rel-opendmarc-1-4-1-1.tar.gz) = ee034386c70c75b87ca2fce0849a1a3538e10e0aebfb0fc9dcba6817d2cf71f52aa5586ccaacdee620190c5fbb81498419fb8e8db9fac15d7c71a61a7da396a6
Size (OpenDMARC/rel-opendmarc-1-4-1-1.tar.gz) = 426618 bytes
SHA1 (patch-RequiredFrom) = c89853a3fabcc48653b94169f49ea3c5923254d3
SHA1 (patch-libopendmarc_opendmarc__dns.c) = b1f697c930808b5c5724331dead3cf29c024d69b
SHA1 (patch-opendmarc_opendmarc-arcares.c) = 0984b42e943d6a17eeb5725508dfbcf107b23169
SHA1 (patch-opendmarc_opendmarc-arcseal.c) = 98edb0d22e7c693d327ba98ba186605060d36e2f
SHA1 (patch-opendmarc_parse.c) = c4b521a4542a4dc7db8baf088bb297493bf46a83
44 changes: 25 additions & 19 deletions mail/opendmarc/patches/patch-RequiredFrom
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
$NetBSD: patch-RequiredFrom,v 1.1 2021/03/29 09:30:59 manu Exp $
$NetBSD: patch-RequiredFrom,v 1.2 2021/05/27 16:52:00 manu Exp $

Add RequiredFrom option to reject messages that lack a From header
from which a valid domain can be extracted

Submitted upstream as
https://github.com/trusteddomainproject/OpenDMARC/pull/147

--- opendmarc/opendmarc.c.orig 2021-03-29 09:13:11.534047039 +0200
+++ opendmarc/opendmarc.c 2021-03-29 10:02:01.105977120 +0200
--- ./opendmarc/opendmarc.c.orig 2021-04-30 18:34:43.000000000 +0200
+++ ./opendmarc/opendmarc.c 2021-05-27 10:20:33.880652427 +0200
@@ -163,8 +163,9 @@
/* DMARCF_CONFIG -- configuration object */
struct dmarcf_config
Expand All @@ -18,7 +18,7 @@ https://github.com/trusteddomainproject/OpenDMARC/pull/147
_Bool conf_afrfnone;
_Bool conf_rejectfail;
_Bool conf_dolog;
@@ -1349,8 +1350,12 @@
@@ -1422,8 +1423,12 @@
(void) config_get(data, "RequiredHeaders",
&conf->conf_reqhdrs,
sizeof conf->conf_reqhdrs);
Expand All @@ -31,7 +31,7 @@ https://github.com/trusteddomainproject/OpenDMARC/pull/147
&conf->conf_afrf,
sizeof conf->conf_afrf);

@@ -2367,13 +2372,17 @@
@@ -2453,13 +2458,17 @@
{
if (conf->conf_dolog)
{
Expand All @@ -50,11 +50,17 @@ https://github.com/trusteddomainproject/OpenDMARC/pull/147
+ return SMFIS_ACCEPT;
}

/* extract From: domain */
/* extract From: addresses */
memset(addrbuf, '\0', sizeof addrbuf);
@@ -2387,9 +2396,9 @@
"%s: unable to parse From header field",
dfc->mctx_jobid);
@@ -2495,13 +2504,13 @@
{
if (conf->conf_dolog)
{
syslog(LOG_ERR,
- "%s: unable to parse From header field",
- dfc->mctx_jobid);
+ "%s: unable to parse From header field \"%s\"",
+ dfc->mctx_jobid, from->hdr_value);
}

- if (conf->conf_reqhdrs)
Expand All @@ -63,9 +69,9 @@ https://github.com/trusteddomainproject/OpenDMARC/pull/147
else
return SMFIS_ACCEPT;
}
--- opendmarc/opendmarc.conf.5.in.orig 2021-03-29 09:15:03.877101090 +0200
+++ opendmarc/opendmarc.conf.5.in 2021-03-29 09:21:56.423837778 +0200
@@ -258,8 +258,16 @@
--- ./opendmarc/opendmarc.conf.5.in.orig 2021-04-30 18:34:43.000000000 +0200
+++ ./opendmarc/opendmarc.conf.5.in 2021-05-27 10:20:33.881043733 +0200
@@ -287,8 +287,16 @@
failing this test are rejected without further processing. A From:
field from which no domain name could be extracted will also be rejected.

Expand All @@ -82,21 +88,21 @@ https://github.com/trusteddomainproject/OpenDMARC/pull/147
Specifies the socket that should be established by the filter to receive
connections from
.I sendmail(8)
--- opendmarc/opendmarc-config.h.orig 2021-03-29 09:19:21.345035861 +0200
+++ opendmarc/opendmarc-config.h 2021-03-29 09:19:34.235736167 +0200
@@ -43,8 +43,9 @@
--- ./opendmarc/opendmarc-config.h.orig 2021-04-30 18:34:43.000000000 +0200
+++ ./opendmarc/opendmarc-config.h 2021-05-27 10:23:12.866999966 +0200
@@ -44,8 +44,9 @@
{ "PidFile", CONFIG_TYPE_STRING, FALSE },
{ "PublicSuffixList", CONFIG_TYPE_STRING, FALSE },
{ "RecordAllMessages", CONFIG_TYPE_BOOLEAN, FALSE },
{ "RequiredHeaders", CONFIG_TYPE_BOOLEAN, FALSE },
+ { "RequiredFrom", CONFIG_TYPE_BOOLEAN, FALSE },
{ "RejectFailures", CONFIG_TYPE_BOOLEAN, FALSE },
{ "RejectMultiValueFrom", CONFIG_TYPE_BOOLEAN, FALSE },
{ "ReportCommand", CONFIG_TYPE_STRING, FALSE },
{ "Socket", CONFIG_TYPE_STRING, FALSE },
{ "SoftwareHeader", CONFIG_TYPE_BOOLEAN, FALSE },
--- opendmarc/opendmarc.conf.sample.orig 2021-03-29 09:19:43.400961620 +0200
+++ opendmarc/opendmarc.conf.sample 2021-03-29 09:22:23.834032438 +0200
@@ -303,8 +303,17 @@
--- ./opendmarc/opendmarc.conf.sample.orig 2021-04-30 18:34:43.000000000 +0200
+++ ./opendmarc/opendmarc.conf.sample 2021-05-27 10:20:33.882715995 +0200
@@ -343,8 +343,17 @@
## rejected.
#
# RequiredHeaders false
Expand Down
29 changes: 0 additions & 29 deletions mail/opendmarc/patches/patch-configure.ac

This file was deleted.

21 changes: 4 additions & 17 deletions mail/opendmarc/patches/patch-libopendmarc_opendmarc__dns.c
Original file line number Diff line number Diff line change
@@ -1,11 +1,10 @@
$NetBSD: patch-libopendmarc_opendmarc__dns.c,v 1.2 2020/12/24 01:10:23 manu Exp $
$NetBSD: patch-libopendmarc_opendmarc__dns.c,v 1.3 2021/05/27 16:52:00 manu Exp $

Make sure res_init works on zeroed structure
Search for res_ndestroy and use it instead of res_nclose if available

--- libopendmarc/opendmarc_dns.c.orig 2018-11-15 01:58:31.000000000 +0100
+++ libopendmarc/opendmarc_dns.c 2020-12-23 15:57:30.488718786 +0100
@@ -201,16 +201,21 @@
--- libopendmarc/opendmarc_dns.c.orig 2021-05-27 10:27:22.653313507 +0200
+++ libopendmarc/opendmarc_dns.c 2021-05-27 10:26:59.377412037 +0200
@@ -202,8 +202,9 @@
while (*bp == '.')
++bp;

Expand All @@ -15,15 +14,3 @@ Search for res_ndestroy and use it instead of res_nclose if available
#ifdef RES_USE_DNSSEC
resp.options |= RES_USE_DNSSEC;
#endif
(void) opendmarc_policy_library_dns_hook(&resp.nscount,
&resp.nsaddr_list);
answer_len = res_nquery(&resp, bp, C_IN, T_TXT, answer_buf, sizeof answer_buf);
+#ifdef HAVE_RES_NDESTROY
+ res_ndestroy(&resp);
+#else /* HAVE_RES_NDESTROY */
res_nclose(&resp);
+#endif /* HAVE_RES_NDESTROY */
#else /* HAVE_RES_NINIT */
res_init();
#ifdef RES_USE_DNSSEC
_res.options |= RES_USE_DNSSEC;
82 changes: 0 additions & 82 deletions mail/opendmarc/patches/patch-libopendmarc_opendmarc__spf__dns.c

This file was deleted.

10 changes: 5 additions & 5 deletions mail/opendmarc/patches/patch-opendmarc_opendmarc-arcares.c
Original file line number Diff line number Diff line change
@@ -1,10 +1,11 @@
$NetBSD: patch-opendmarc_opendmarc-arcares.c,v 1.1 2021/02/17 01:49:12 manu Exp $
$NetBSD: patch-opendmarc_opendmarc-arcares.c,v 1.2 2021/05/27 16:52:00 manu Exp $

Avoid handling a NULL pointer when parsing a malformed header

--- opendmarc/opendmarc-arcares.c.orig 2021-02-16 16:33:34.454279528 +0000
+++ opendmarc/opendmarc-arcares.c 2021-02-16 16:35:14.240570993 +0000
@@ -324,8 +324,10 @@
--- opendmarc/opendmarc-arcares.c.orig 2021-04-30 18:34:43.000000000 +0200
+++ opendmarc/opendmarc-arcares.c 2021-05-27 10:30:03.036068852 +0200
@@ -265,8 +265,10 @@
token_ptr = token + leading_space_len;
if (*token_ptr == '\0')
return 0;
tag_label = strsep(&token_ptr, "=");
Expand All @@ -14,4 +15,3 @@ Avoid handling a NULL pointer when parsing a malformed header
tag_code = opendmarc_arcares_convert(aar_arc_tags, tag_label);

switch (tag_code)
{
8 changes: 4 additions & 4 deletions mail/opendmarc/patches/patch-opendmarc_opendmarc-arcseal.c
Original file line number Diff line number Diff line change
@@ -1,10 +1,10 @@
$NetBSD: patch-opendmarc_opendmarc-arcseal.c,v 1.1 2021/02/17 01:49:12 manu Exp $
$NetBSD: patch-opendmarc_opendmarc-arcseal.c,v 1.2 2021/05/27 16:52:00 manu Exp $

Avoid handling a NULL pointer when parsing a malformed header

--- opendmarc/opendmarc-arcseal.c.orig 2021-02-16 23:42:14.132748160 +0100
+++ opendmarc/opendmarc-arcseal.c 2021-02-16 23:43:43.400895411 +0100
@@ -222,9 +222,13 @@
--- opendmarc/opendmarc-arcseal.c.orig 2021-04-30 18:34:43.000000000 +0200
+++ opendmarc/opendmarc-arcseal.c 2021-05-27 10:31:21.308140659 +0200
@@ -166,9 +166,13 @@
token_ptr = token + leading_space_len;
if (*token_ptr == '\0')
return 0;
Expand Down
30 changes: 30 additions & 0 deletions mail/opendmarc/patches/patch-opendmarc_parse.c
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
$NetBSD: patch-opendmarc_parse.c,v 1.1 2021/05/27 16:52:00 manu Exp $

Make sure a trailing brackets corresponds to a leading one
aaa98f5

This fixes the case where the sender e-mail address is user@example.net>
Without this fix, OpenDMARC parses the domain as example.net> and skip
DMARC processing since there is no policy for the domain.

Unfortunately, the MTA or MUA tend to fix the trailing bracket on their
own, letting forged e-mail passing through to user mailboxes.

Submitted upstream https://github.com/trusteddomainproject/OpenDMARC/pull/174

--- opendmarc/parse.c.orig 2021-05-27 09:45:40.873727663 +0200
+++ opendmarc/parse.c 2021-05-27 09:45:27.545312746 +0200
@@ -444,8 +444,13 @@
*w++ = '\0';
*domain_out = w;
ws = 0;
}
+ else if (type == '>')
+ {
+ err = MAILPARSE_ERR_SUNBALANCED;
+ return err;
+ }
else
{

if (*user_out == NULL)

0 comments on commit 473b25f

Please sign in to comment.