On 4/12/2023 11:38 PM, Murray S. Kucherawy wrote:
On Wed, Apr 12, 2023 at 12:45 PM Steven M Jones <s...@crash.com> wrote:

    ISTR there were some vocal and visible mailing list operators
    that were rejecting messages from domains that published
    "p=reject" policies, maybe around 2014-15? I also thought they
    did this by checking the sending domain's published policy in
    DNS, to your point about implementation.

This would be great [anec-]data to have. Do you remember where you might have seen it?

This was initially outlined in 2006 DSAP guidelines for list servers. It has been mentioned numerous times in the DKIM and DMARC WGs throughout the many years. The following is a 2011 Wildcat! SMTP List Server wcBASIC language p-code script called at DATA and it applies to ADSP/DMARC restrictive domain list submissions. All of my Wildcat! customers/operators managing a list have the same stock code.

//***********************************************************************
// (c) Copyright 1998-2012 Santronics Software, Inc. All Rights Reserved.
//***********************************************************************
//
// File Name : smtpfilter-listchecker.wcc
// Subsystem : wcListServer
// Date      : 10/11/2011
// Author    : SSI
// About     : checks wcListServer list to accept delivery
//
//    data\smtpfilterhookloader.ini
//    config\wcmail.names
//
// Run this filter before smtpfilter-whitelist because you may have
// some auto-whitelisted users with restricted DMARC domains.  If
// WCLS is not ready for DMARC checking, a major distribution problem
// will occur with DMARC checking downlink receivers.
//
// Revision History:
//
// 2.0, 454.6, 11/09/18 11:28 pm
// 2.1, 454.6, 11/12/18 10:52 am
// 3.0, 454.12, 04/11/21 01:10 pm
//
// - Added ADSP/DMARC check.
//
//   ADSP/DMARC checks are not done on control messages.
//
// - Adding new support accepting extended list control messages:
//
//     tmailist.name + "-subscribe";
//     tmailist.name + "-unsubscribe"
//     tmailist.name + "-bounces"
//
// 2.2, 454.10, 05/03/20 11:18 am
//
// - fix DMARC bug of using just the local part and not
//   the domain to see if it's a valid list.  The fix is to
//   compare the ListDomain with the address.domain
//
//***********************************************************************

#include <smtpfilterhlp.wch>
#include <maillist.wch>
#include <msgutil.wch>
#include <wcdkimlib.wch>

//----------------------------------------------------------
// GLOBALS
//----------------------------------------------------------

const FILTER_VERSION = "3.0"
Const CONTROL_NAMES  = "wc:\cfg\wcmail.names"

//----------------------------------------------------------
// MAIN PROGRAM
//----------------------------------------------------------


  sfInitializeHook(paramstr(1))

  dim args  as string  = lcase(paramstr(1))
  dim msgfn as string  = GetParamStr(args,"psf")  // prespool
  dim from  as string  = GetParamStr(args,"from") // sender
  dim rcpt  as string  = GetParamStr(args,"rcpt") // recipient

  // strip angle brackets from addresses

  rcpt = lcase(sfStripBrackets(rcpt))
  from = lcase(sfStripBrackets(from))

  // Parse the rcpt address to get its parts.
  // We want the user id part (left hand side) of address.
  // This would be the "list name".

  dim eaTo    as TEmailAddress
  dim eaFrom  as TEmailAddress
  ParseEmailAddress(rcpt,eaTo)
  ParseEmailAddress(from,eaFrom)

  dim lname as string = eaTo.usrid

  // Get the WCLS control name and compare with the list name,
  // or search for a existing mailing list by list name.
  // If found, then accept this email, record it in log
  // and also in the session trace (meta log).

  dim cname as string = lcase(ReadListControlName())

  dim ml as TMailList

  //-----------------------------------------------------
  // 2.1
  // - Added control name and list control names check
  dim IsControlName as boolean
  if (cname = lname) then IsControlName = true
  if not IsControlName and right(lname,10) = "-subscribe" then IsControlName = true
  if not IsControlName and right(lname,12) = "-unsubscribe" then IsControlName = true
  if not IsControlName and right(lname, 8) = "-bounces" then IsControlName = true
  //-----------------------------------------------------

  // 2.2 05/03/20 04:58 pm
  // -- pass the domain to compare with listdomain
  dim ListDomainOK as Boolean = MailListRead(lname+".LIST",ml,eaTo.Domain)
  //
  if (IsControlName or ListDomainOk) then
     dim s as string = "Sender: "+from
     if from = "" then
         s = "Bounce message"
         from = "<>"
     end if
     //---------------------------------------------------
     // 2.1, added ADSP/DMARC check
     //---------------------------------------------------
     if (not IsControlName) and ml.CheckADSP then
        dim dmarc  as string
        dim adsp  as string
        dim policy as string
        if GetDMARC(eaFrom.Domain, "", dmarc) then
           policy = lcase(GetHeaderTag(dmarc,"p="))
           dim fv as integer
           if policy = "reject" or policy = "quarantine" then
              //
              // This domain can not post to the list, if the MLS is not
              // prepared to do a restrictive DMARC domain check.
              //
              sfAppendMetaLog(msgfn,"Rejected by smtpfilter-listchecker: "+From)
              sfAppendMetaLog(msgfn,"Restricted DMARC policy for domain: "+eaFrom.Domain):
              sflog(lchReject,"Rejecting mail for: "+rcpt+" from: "+from)
              sflog(lchReject,"Restricted DMARC policy for domain: "+eaFrom.Domain)
              sflog(lchReject,"File: "+msgfn+".policy-dmarc")
              CopyFile(msgfn,msgfn+".dmarc")
              sfSetGlobalResult(SF_DISCARD,SF_ENDRULES,554)
              // create response
              fv = open msgfn+".response" for output
              if fv > 0 then
                print #fv,"554 Restricted DMARC policy for domain: "+eaFrom.Domain+". Can not post to list: "+lname
                close #fv
              end if
              END
           end if
        end if
        if GetADSP(eaFrom.Domain, adsp) then
           policy = lcase(GetHeaderTag(adsp,"dkim="))
           if policy = "discardable" then
              //
              // This domain can not post to the list, if the MLS is not
              // prepared to do a restrictive ADSP domain check.
              //
              sfAppendMetaLog(msgfn,"Rejected by smtpfilter-listchecker: "+From)
              sfAppendMetaLog(msgfn,"Restricted ADSP policy for domain: "+eaFrom.Domain):
              sflog(lchReject,"Rejecting mail for: "+rcpt+" from: "+from)
              sflog(lchReject,"Restricted ADSP policy for domain: "+eaFrom.Domain)
              sflog(lchReject,"File: "+msgfn+".policy-adsp")
              CopyFile(msgfn,msgfn+".dmarc")
              sfSetGlobalResult(SF_DISCARD,SF_ENDRULES,554)
              // create response
              fv = open msgfn+".response" for output
              if fv > 0 then
                print #fv,"554 Restricted ADSP policy for domain: "+eaFrom.Domain+". Can not post to list: "+lname
                close #fv
              end if
              END
           end if
        end if
     end if

     //-----------------------------
     s = s + " accepted for WCLS address: " + rcpt
     sflog(lchInfo,s)
     sfAppendMetaLog(msgfn,"Accepted by smtpfilter-listchecker: "+From)
     sfSetGlobalResult(SF_ACCEPT,SF_ENDRULES)
  end if

  END


--
Hector Santos,
https://santronics.com
https://winserver.com
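
The decision order of the filter above (control addresses bypass the check, then DMARC `p=`, then ADSP `dkim=`), as an added Python example that is not part of the original message or Santronics code. The function names, the `listserv` control name and the sample records are assumptions; a dictionary stands in for DNS TXT lookups, and the list-existence lookup is omitted. Tags are parsed by exact name so `sp=` is never mistaken for `p=`.

```python
# Added illustration: constructed records stand in for DNS TXT lookups.
CONTROL_SUFFIXES = ("-subscribe", "-unsubscribe", "-bounces")

# Constructed sample data: query name -> TXT record text.
SAMPLE_TXT = {
    "_dmarc.strict.example": "v=DMARC1; p=reject; sp=none",
    "_dmarc.relaxed.example": "v=DMARC1; sp=reject; p=none",
    "_dmarc.quar.example": "v=DMARC1;P=Quarantine",
    "_dmarc.bogus.example": "v=spf1 p=reject",
    "_adsp._domainkey.old.example": "dkim=discardable",
}


def parse_tags(record):
    """Split 'tag=value; tag=value' into a dict keyed by exact tag name."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags.setdefault(name.strip().lower(), value.strip())
    return tags


def restrictive_policy(domain, txt=SAMPLE_TXT):
    """Return 'dmarc', 'adsp' or None for the author domain's policy."""
    dmarc = parse_tags(txt.get("_dmarc." + domain, ""))
    if dmarc.get("v") == "DMARC1" and \
            dmarc.get("p", "").lower() in ("reject", "quarantine"):
        return "dmarc"
    adsp = parse_tags(txt.get("_adsp._domainkey." + domain, ""))
    if adsp.get("dkim", "").lower() == "discardable":
        return "adsp"
    return None


def list_decision(rcpt, sender, control_name="listserv", check_adsp=True):
    """Control addresses skip the policy check; list posts do not."""
    local = rcpt.lower().partition("@")[0]
    if local == control_name or local.endswith(CONTROL_SUFFIXES):
        return ("accept", "control message")
    domain = sender.lower().rpartition("@")[2]
    kind = restrictive_policy(domain) if check_adsp and domain else None
    if kind:
        return ("reject", "554 Restricted %s policy for domain: %s"
                % (kind.upper(), domain))
    return ("accept", "list post")
```
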



_______________________________________________
dmarc mailing list
dmarc@ietf.org
https://www.ietf.org/mailman/listinfo/dmarc
