Jason R. Mastaler wrote:
> It doesn't seem to be working for me. Regular sender addresses
> continue to work, but not when I try a domain. Am I using it wrong?
No, I missed a bit. I assumed that tmda-rfilter used the same address
validation methods as tmda-check-address, and used the latter to do my
testing. Is there a reason you use Address.verify() in check-address
but not in rfilter?
Rather than implement the fallback algorithm twice, I changed rfilter
to use Address.verify() for sender cookies, and tested it directly.
The updated patch is attached. Sorry for the inconvenience.
Ed
diff -ur tmda/TMDA/Address.py tmda-cvs-0.83/TMDA/Address.py
--- tmda/TMDA/Address.py Wed Jun 25 01:29:13 2003
+++ tmda-cvs-0.83/TMDA/Address.py Sat Aug 30 18:57:17 2003
@@ -201,11 +201,24 @@
self.address = tagged_local + '@' + domain
return self
+ # Try to match against the HMAC generated from the full sender first.
+ # If that doesn't match, try to match against the full domain, removing
+ # domain parts (eg, 'foo.example.com' => 'example.com') until there's a
+ # match or there are no more parts left.
def verify(self, sender):
+ sender = str(sender).lower()
hmac = self.local_parts[-1]
- try_hmac = Cookie.make_sender_cookie(str(sender).lower())
+ try_hmac = Cookie.make_sender_cookie(sender)
if try_hmac != hmac:
- raise BadCryptoError, "Invalid cryptographic tag."
+ domain = sender.split('@')[-1]
+ dot = '.'
+ domain_parts = domain.split(dot)
+
+ while try_hmac != hmac and domain_parts:
+ try_hmac = Cookie.make_sender_cookie(dot.join(domain_parts))
+ del domain_parts[0]
+ if try_hmac != hmac:
+ raise BadCryptoError, "Invalid cryptographic tag."
def hmac(self):
return self.local_parts[-1]
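Review bot: The fallback loop in `verify()` keeps stripping labels until `domain_parts` is empty, so the last suffix it tests is the bare top-level label (for `foo.example.com` it tries `foo.example.com`, `example.com`, then `com`). A tag issued for a short suffix is therefore accepted for every sender beneath it, and the sender string being checked is whatever the caller passes in, which for mail is normally unauthenticated. If single-label suffixes are not meant to be valid, bound the loop with `while try_hmac != hmac and len(domain_parts) > 1:`, though that would also stop a domain tag for a single-label host from matching. Either way, the new comment should say that a domain tag matches all subdomains too. The tag is also still compared with `!=`, which is not a constant-time comparison.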
diff -ur tmda/TMDA/FilterParser.py tmda-cvs-0.83/TMDA/FilterParser.py
--- tmda/TMDA/FilterParser.py Tue Aug 19 20:28:03 2003
+++ tmda-cvs-0.83/TMDA/FilterParser.py Thu Aug 28 16:16:54 2003
@@ -251,7 +251,7 @@
""", re.VERBOSE | re.IGNORECASE)
out_action = re.compile(r"""
- ( (?:(?:bare|sender|dated)(?:=\S+)?)
+ ( (?:(?:bare|sender|domain|dated)(?:=\S+)?)
| (?:(?:exp(?:licit)?|as|ext(?:ension)?|kw|keyword)=\S+)
| default )""", re.VERBOSE | re.IGNORECASE)
diff -ur tmda/bin/tmda-inject tmda-cvs-0.83/bin/tmda-inject
--- tmda/bin/tmda-inject Fri Jul 11 19:02:59 2003
+++ tmda-cvs-0.83/bin/tmda-inject Thu Aug 28 16:29:36 2003
@@ -186,6 +186,11 @@
# Send a message with a tagged (sender) address
sender_cookie_address = cookie_option or to_address
field = Cookie.make_sender_address (from_address, sender_cookie_address)
+ elif cookie_type == 'domain':
+ # Send a message with a tagged (sender) address using only the
+ # domain portion of the address
+ domain_cookie_address = (cookie_option or to_address).split('@')[-1]
+ field = Cookie.make_sender_address (from_address, domain_cookie_address)
elif cookie_type in ('as','exp','explicit') and cookie_option:
# Send a message with an explicitly defined address.
field = cookie_option
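Review bot: The `domain` branch passes `(cookie_option or to_address).split('@')[-1]` to `Cookie.make_sender_address` without normalizing case, while the `verify()` change in TMDA/Address.py lowercases the sender before computing the tag. Unless `make_sender_address` lowercases its input (not visible in this patch), a mixed-case domain would produce a tagged address that never verifies; `.split('@')[-1].lower()` would make the two sides agree. The value is also used exactly as given, so a very short suffix in `cookie_option` yields a tag covering every sender under it, and a comment stating the intended granularity would help. The enclosing if/elif chain starts and ends outside the hunk.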
diff -ur tmda/bin/tmda-rfilter tmda-cvs-0.83/bin/tmda-rfilter
--- tmda/bin/tmda-rfilter Wed Aug 20 19:47:55 2003
+++ tmda-cvs-0.83/bin/tmda-rfilter Sat Aug 30 19:01:19 2003
@@ -173,6 +173,7 @@
from TMDA import Defaults
+from TMDA import Address
from TMDA import Cookie
from TMDA import Errors
from TMDA import FilterParser
@@ -636,12 +637,12 @@
def verify_sender_cookie(sender_address,sender_cookie):
"""Verify a sender cookie."""
- sender_address_cookie = Cookie.make_sender_cookie(sender_address)
- # Accept the message only if the HMAC can be verified.
- if (sender_cookie == sender_address_cookie):
+ try:
+ addr = Address.Factory(envelope_recipient)
+ addr.verify(sender_address)
logit("OK", "good_sender_cookie")
mta.deliver(msgin)
- else:
+ except Address.AddressError, msg:
defact = Defaults.ACTION_FAIL_SENDER.lower()
bouncetext = Defaults.BOUNCE_TEXT_FAIL_SENDER
do_default_action(defact, 'action_fail_sender', bouncetext)
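Review bot: The new `try:` in `verify_sender_cookie` wraps `logit("OK", "good_sender_cookie")` and `mta.deliver(msgin)` as well as the verification, so an `Address.AddressError` raised during delivery would be handled as a failed tag. Keep only `addr = Address.Factory(envelope_recipient)` and `addr.verify(sender_address)` inside the `try`, and move the two success lines into an `else:` clause. The `sender_cookie` parameter is no longer read and the tag now comes from the global `envelope_recipient`, which the docstring should state. `verify()` raises `BadCryptoError`, so this handler only reaches the `ACTION_FAIL_SENDER` path if that class derives from `Address.AddressError`, which the patch does not show. The function may continue past the end of the hunk.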