Jason R. Mastaler wrote:
> Ed Blackman <[EMAIL PROTECTED]> writes:
>> The patch I posted yesterday was comprehensive for the code changes.
>> The documentation still needs to be updated to reflect the new
>> behavior.  I'll do that in the next day or so, and post an
>> all-comprehensive patch.
> 
> If you can do this by today, I can release TMDA 0.84 with your
> changes.  Otherwise, it will have to wait for a week or so when I get
> back from my trip.

Just saw this, hope this is not too late...

Ed

diff -ur tmda.orig/CRYPTO tmda-cvs-0.83/CRYPTO
--- tmda.orig/CRYPTO    Thu Jun  6 21:42:10 2002
+++ tmda-cvs-0.83/CRYPTO        Mon Sep  1 19:44:11 2003
@@ -47,6 +47,11 @@
 
     1.  SENDERMAC is verified by matching it with a new HMAC generated
         against the sender's e-mail address.
+    2.  If the new HMAC does not match, a new HMAC is generated against
+       the sender's fully qualified domain.  If there is still no
+       match, one level of qualification is stripped (eg, 'DOMAIN.DOM'
+       -> 'DOM') and a new HMAC is generated and compared.  The process
+       repeats until a match is found or no more domain parts remain.
 
 Keyword Addresses:
 ------------------
diff -ur tmda.orig/TMDA/Address.py tmda-cvs-0.83/TMDA/Address.py
--- tmda.orig/TMDA/Address.py   Wed Jun 25 01:29:13 2003
+++ tmda-cvs-0.83/TMDA/Address.py       Sun Aug 31 13:54:50 2003
@@ -201,11 +201,24 @@
         self.address = tagged_local + '@' + domain
         return self
 
+    # Try to match against the HMAC generated from the full sender first.
+    # If that doesn't match, try to match against the full domain, removing
+    # domain parts (eg, 'foo.example.com' => 'example.com') until there's a
+    # match or there are no more parts left.
     def verify(self, sender):
+        sender = str(sender).lower()
         hmac = self.local_parts[-1]
-        try_hmac = Cookie.make_sender_cookie(str(sender).lower())
+        try_hmac = Cookie.make_sender_cookie(sender)
         if try_hmac != hmac:
-            raise BadCryptoError, "Invalid cryptographic tag."
+            domain = sender.split('@')[-1]
+            dot = '.'
+            domain_parts = domain.split(dot)
+
+            while try_hmac != hmac and domain_parts:
+              try_hmac = Cookie.make_sender_cookie(dot.join(domain_parts))
+              del domain_parts[0]
+            if try_hmac != hmac:
+              raise BadCryptoError, "Invalid cryptographic tag."
 
     def hmac(self):
         return self.local_parts[-1]
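Review bot: In `verify`, a sender string containing no `@` (a bare local part, or an empty envelope sender if one ever reaches this method) falls through to the fallback loop with `domain = sender`, so the loop hashes that whole string — and for `''` a single empty label — before giving up; a guard such as `if '@' not in sender: raise BadCryptoError, "Invalid cryptographic tag."` placed before the `split('@')` makes the intent explicit and avoids the spurious HMAC computations. The three lines under the `while` (`try_hmac = Cookie.make_sender_cookie(dot.join(domain_parts))`, `del domain_parts[0]`, and the final `if try_hmac != hmac:`) use 2-space indentation while the rest of the method uses 4; re-indent them to match. Note also that the fallback runs all the way down to the bare top-level label (e.g. `com`), as the CRYPTO text describes; if a single-label cookie is not meant to be honoured, loop `while try_hmac != hmac and len(domain_parts) > 1`. The `!=` comparison is not constant-time, but that is unchanged from the original and, with the HMAC key held only by the recipient, is unlikely to matter for a mail-borne tag.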
diff -ur tmda.orig/TMDA/FilterParser.py tmda-cvs-0.83/TMDA/FilterParser.py
--- tmda.orig/TMDA/FilterParser.py      Tue Aug 19 20:28:03 2003
+++ tmda-cvs-0.83/TMDA/FilterParser.py  Sun Aug 31 13:54:50 2003
@@ -251,7 +251,7 @@
     """, re.VERBOSE | re.IGNORECASE)
     
     out_action = re.compile(r"""
-    ( (?:(?:bare|sender|dated)(?:=\S+)?)
+    ( (?:(?:bare|sender|domain|dated)(?:=\S+)?)
     | (?:(?:exp(?:licit)?|as|ext(?:ension)?|kw|keyword)=\S+)
     | default )""", re.VERBOSE | re.IGNORECASE)
     
diff -ur tmda.orig/bin/tmda-inject tmda-cvs-0.83/bin/tmda-inject
--- tmda.orig/bin/tmda-inject   Fri Jul 11 19:02:59 2003
+++ tmda-cvs-0.83/bin/tmda-inject       Sun Aug 31 13:54:50 2003
@@ -186,6 +186,11 @@
        # Send a message with a tagged (sender) address
        sender_cookie_address = cookie_option or to_address
        field = Cookie.make_sender_address (from_address, sender_cookie_address)
+    elif cookie_type == 'domain':
+       # Send a message with a tagged (sender) address using only the
+       # domain portion of the address
+       domain_cookie_address = (cookie_option or to_address).split('@')[-1]
+       field = Cookie.make_sender_address (from_address, domain_cookie_address)
     elif cookie_type in ('as','exp','explicit') and cookie_option:
        # Send a message with an explicitly defined address.
        field = cookie_option
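Review bot: The new `domain` branch passes `(cookie_option or to_address).split('@')[-1]` to `Cookie.make_sender_address` without lowercasing, whereas `Address.verify` lowercases the sender before hashing; unless `make_sender_address`/`make_sender_cookie` normalize case themselves (not visible in this patch), a mixed-case option such as `domain=Example.COM` would mint a cookie that never verifies. `domain_cookie_address = (cookie_option or to_address).split('@')[-1].lower()` keeps the minting and verifying sides consistent, and the same question applies to the existing `sender` branch just above. The if/elif chain this branch belongs to begins before the hunk.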
diff -ur tmda.orig/bin/tmda-rfilter tmda-cvs-0.83/bin/tmda-rfilter
--- tmda.orig/bin/tmda-rfilter  Wed Aug 20 19:47:55 2003
+++ tmda-cvs-0.83/bin/tmda-rfilter      Sun Aug 31 13:54:50 2003
@@ -173,6 +173,7 @@
 
 
 from TMDA import Defaults
+from TMDA import Address
 from TMDA import Cookie
 from TMDA import Errors
 from TMDA import FilterParser
@@ -636,12 +637,12 @@
 
 def verify_sender_cookie(sender_address,sender_cookie):
     """Verify a sender cookie."""
-    sender_address_cookie = Cookie.make_sender_cookie(sender_address)
-    # Accept the message only if the HMAC can be verified.
-    if (sender_cookie == sender_address_cookie):
+    try:
+        addr = Address.Factory(envelope_recipient)
+        addr.verify(sender_address)
         logit("OK", "good_sender_cookie")
         mta.deliver(msgin)
-    else:
+    except Address.AddressError, msg:
         defact = Defaults.ACTION_FAIL_SENDER.lower()
         bouncetext = Defaults.BOUNCE_TEXT_FAIL_SENDER
         do_default_action(defact, 'action_fail_sender', bouncetext)
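Review bot: The `try` body in `verify_sender_cookie` now also covers `logit(...)` and `mta.deliver(msgin)`, so an `Address.AddressError` raised during logging or delivery would be reported as a bad sender cookie and bounced; move those two lines into an `else:` clause so that only `addr = Address.Factory(envelope_recipient)` and `addr.verify(sender_address)` are guarded. This assumes `BadCryptoError` derives from `Address.AddressError`, which the hunk does not show — if it does not, the verify failure would propagate instead of hitting the fail-sender action. The `sender_cookie` parameter is no longer read (the tag is now taken from the recipient address via `Address.Factory`), so either drop it from the signature and its callers outside this hunk, or add a docstring line saying why it is retained; `envelope_recipient` is used here as a module global presumably set earlier in the file, and the bound `msg` in the `except` is unused.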
--- tmda.orig/htdocs/config-client.ht   Tue Aug  5 16:36:18 2003
+++ tmda-cvs-0.83/htdocs/config-client.ht       Mon Sep  1 19:51:29 2003
@@ -43,7 +43,8 @@
 
 This particular sender address will only accept messages from
 <em>[EMAIL PROTECTED]</em>.  Other messages must go through
-the confirmation process.
+the confirmation process.  Sender addresses can also be generated to
+accept mail from any senders at a given domain.
 <br><br>
 
 Sender addresses are often used to subscribe to mailing lists.  This
@@ -185,6 +186,26 @@
 </td>
 </tr>
 
+<tr>
+<td><code>
+X-TMDA: sender=xemacs.org
+</td></code>
+<td>
+Send the message to all recipients with a sender cookie based on
+xemacs.org instead of the recipient address.
+</td>
+</tr>
+
+<tr>
+<td><code>
+X-TMDA: domain
+</td></code>
+<td>
+Send the message to all recipients with a sender cookie that is based
+on the domain of the recipient address.
+</td>
+</tr>
+
 <tr>
 <td><code>
 X-TMDA: keyword=promos
diff -ur tmda.orig/htdocs/config-filter.ht tmda-cvs-0.83/htdocs/config-filter.ht
--- tmda.orig/htdocs/config-filter.ht   Tue Aug 19 20:28:03 2003
+++ tmda-cvs-0.83/htdocs/config-filter.ht       Mon Sep  1 19:56:44 2003
@@ -263,6 +263,8 @@
 bare=append (don't tag, and also add recipient to your BARE_APPEND file)
 sender (tag with a sender address based on recipient)
 sender=address (tag with a sender address based on address instead)
+domain (tag with a sender address based on recipient's domain)
+domain=address (tag with a sender address based on the domain of address instead)
 dated (tag with a dated address)
 dated=timeout_interval 
 exp,explicit,as=full_address (use an explicit address)
@@ -531,6 +533,9 @@
 to [EMAIL PROTECTED] dated
 to-dbm /var/dbm/slowpokes.db dated=6M
 
+# Allow anyone at whitehouse.gov to reply
+to [EMAIL PROTECTED] domain
+
 # Majordomo and Mailman check the From: header for membership
 to [EMAIL PROTECTED] tag
    from      [EMAIL PROTECTED]
