On 4/12/2023 11:38 PM, Murray S. Kucherawy wrote:
On Wed, Apr 12, 2023 at 12:45 PM Steven M Jones <s...@crash.com
<mailto:s...@crash.com>> wrote:
ISTR there were some vocal and visible mailing list operators
that were rejecting messages from domains that published
"p=reject" policies, maybe around 2014-15? I also thought they
did this by checking the sending domain's published policy in
DNS, to your point about implementation.
This would be great [anec-]data to have. Do you remember where you
might have seen it?
This was initially outlined in the 2006 DSAP guidelines for list servers.
It has been mentioned numerous times in the DKIM and DMARC WGs
over the years. The following is a 2011 Wildcat! SMTP List
Server script, written in wcBASIC (a p-code language) and called at the
SMTP DATA stage; it applies to list submissions from domains with
restrictive ADSP/DMARC policies. All of my Wildcat!
customers/operators managing a list have the same stock code.
//***********************************************************************
// (c) Copyright 1998-2012 Santronics Software, Inc. All Rights Reserved.
//***********************************************************************
//
// File Name : smtpfilter-listchecker.wcc
// Subsystem : wcListServer
// Date : 10/11/2011
// Author : SSI
// About : checks wcListServer list to accept delivery
//
// data\smtpfilterhookloader.ini
// config\wcmail.names
//
// Run this filter before smtpfilter-whitelist because you may have
// some auto-whitelisted users with restricted DMARC domains. If
// WCLS is not ready for DMARC checking, a major distribution problem
// will occur with DMARC-checking downlink receivers.
//
// Revision History:
//
// 2.0, 454.6, 11/09/18 11:28 pm
// 2.1, 454.6, 11/12/18 10:52 am
// 3.0, 454.12, 04/11/21 01:10 pm
//
// - Added ADSP/DMARC check.
//
// ADSP/DMARC checks are not done on control messages.
//
// - Adding new support accepting extended list control messages:
//
// tmailist.name + "-subscribe";
// tmailist.name + "-unsubscribe"
// tmailist.name + "-bounces"
//
// 2.2, 454.10, 05/03/20 11:18 am
//
// - fix DMARC bug of using just the local part and not the
// domain to see if it's a valid list. The fix is to
// compare the ListDomain with the address.domain
//
//***********************************************************************
#include <smtpfilterhlp.wch>
#include <maillist.wch>
#include <msgutil.wch>
#include <wcdkimlib.wch>
//----------------------------------------------------------
// GLOBALS
//----------------------------------------------------------
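const FILTER_VERSION = "3.0"
Const CONTROL_NAMES = "wc:\cfg\wcmail.names"

//----------------------------------------------------------
// MAIN PROGRAM
//
// SMTP filter hook for wcListServer (WCLS) addresses. It accepts
// mail addressed to the WCLS control name, to a list control
// address (-subscribe / -unsubscribe / -bounces) or to a known
// list, and refuses list submissions when the sender's domain
// publishes a restrictive DMARC (p=reject, p=quarantine) or
// ADSP (dkim=discardable) policy.
//
// Inputs, taken from the hook argument string paramstr(1):
//   psf  - message file (prespool)
//   from - sender address
//   rcpt - recipient address
//
// Outcomes:
//   - rcpt is neither a control name nor a known list:
//     no result is set here and the script ends.
//   - restrictive policy found: SF_DISCARD / SF_ENDRULES with
//     code 554, the message is copied to msgfn+".dmarc" and the
//     reply text is written to msgfn+".response".
//   - otherwise: SF_ACCEPT / SF_ENDRULES.
//
// Statements and string literals that had been wrapped across
// lines are rejoined here, two stray trailing ":" separators are
// dropped, and "dim fv" is hoisted next to the other locals
// because both policy branches use it.
//----------------------------------------------------------

sfInitializeHook(paramstr(1))

// The whole argument string is lower-cased before it is parsed.
dim args  as string = lcase(paramstr(1))
dim msgfn as string = GetParamStr(args,"psf")   // prespool
dim from  as string = GetParamStr(args,"from")  // sender
dim rcpt  as string = GetParamStr(args,"rcpt")  // recipient

// strip angle brackets from addresses
rcpt = lcase(sfStripBrackets(rcpt))
from = lcase(sfStripBrackets(from))

// NOTE(review): from, rcpt and the values parsed from them come
// from the SMTP dialogue and are written unmodified into the
// log, the meta log and the 554 reply text below. Confirm that
// upstream parsing rejects control characters (CR/LF) so a log
// or reply line cannot be split.

// Parse both addresses. The user id part (left hand side) of the
// recipient is treated as the "list name".
dim eaTo   as TEmailAddress
dim eaFrom as TEmailAddress
ParseEmailAddress(rcpt,eaTo)
ParseEmailAddress(from,eaFrom)
dim lname as string = eaTo.usrid

// Get the WCLS control name and compare it with the list name,
// or search for an existing mailing list by list name.
// If found, accept this email and record it in the log and in
// the session trace (meta log).
dim cname as string = lcase(ReadListControlName())
dim ml as TMailList

//-----------------------------------------------------
// 2.1
// - Added control name and list control names check
//
// NOTE(review): the three suffix tests look only at the local
// part. IsControlName is set without consulting MailListRead, so
// the ListDomain comparison added in 2.2 does not apply to
// control addresses: any local part ending in one of these
// suffixes reaches the SF_ACCEPT / SF_ENDRULES result at the
// bottom, at any recipient domain. Consider requiring that the
// base list exists in the recipient's domain.
dim IsControlName as boolean
if (cname = lname) then IsControlName = true
if not IsControlName and right(lname,10) = "-subscribe" then IsControlName = true
if not IsControlName and right(lname,12) = "-unsubscribe" then IsControlName = true
if not IsControlName and right(lname, 8) = "-bounces" then IsControlName = true

//-----------------------------------------------------
// 2.2 05/03/20 04:58 pm
// -- pass the domain to compare with listdomain
dim ListDomainOK as Boolean = MailListRead(lname+".LIST",ml,eaTo.Domain)

//
if (IsControlName or ListDomainOk) then

   dim s as string = "Sender: "+from
   if from = "" then
      // An empty sender is logged as a bounce. eaFrom was parsed
      // before this rewrite, so eaFrom.Domain still reflects the
      // empty address when the policy lookups below run.
      s = "Bounce message"
      from = "<>"
   end if

   //---------------------------------------------------
   // 2.1, added ADSP/DMARC check
   //---------------------------------------------------
   // Skipped for control messages, and only done when the list
   // record has CheckADSP set.
   //
   // NOTE(review): the lookups use the domain of the "from" hook
   // parameter. Because an empty value is treated as a bounce,
   // this looks like the SMTP envelope sender. DMARC policy is
   // defined for the RFC5322.From header domain, so confirm which
   // address the hook passes; if it is the envelope sender, the
   // header From domain should be checked as well.
   //
   // NOTE(review): whether GetDMARC falls back to the
   // organizational domain for a subdomain, and whether
   // GetHeaderTag(dmarc,"p=") can also match the "sp=" tag,
   // cannot be told from this file - verify in the helper
   // libraries.
   if (not IsControlName) and ml.CheckADSP then

      dim dmarc  as string
      dim adsp   as string
      dim policy as string
      dim fv     as integer   // file handle for the .response file

      if GetDMARC(eaFrom.Domain, "", dmarc) then
         policy = lcase(GetHeaderTag(dmarc,"p="))
         if policy = "reject" or policy = "quarantine" then
            //
            // This domain can not post to the list, if the MLS is not
            // prepared to do a restrictive DMARC domain check.
            //
            sfAppendMetaLog(msgfn,"Rejected by smtpfilter-listchecker: "+From)
            sfAppendMetaLog(msgfn,"Restricted DMARC policy for domain: "+eaFrom.Domain)
            sflog(lchReject,"Rejecting mail for: "+rcpt+" from: "+from)
            sflog(lchReject,"Restricted DMARC policy for domain: "+eaFrom.Domain)
            // NOTE(review): the log names msgfn+".policy-dmarc" but
            // the copy below is written to msgfn+".dmarc". Unless the
            // .policy-dmarc file is created elsewhere, the log points
            // an investigator at a file that does not exist.
            sflog(lchReject,"File: "+msgfn+".policy-dmarc")
            CopyFile(msgfn,msgfn+".dmarc")
            sfSetGlobalResult(SF_DISCARD,SF_ENDRULES,554)
            // create response; it is skipped when the open fails
            // (fv <= 0)
            fv = open msgfn+".response" for output
            if fv > 0 then
               print #fv,"554 Restricted DMARC policy for domain: "+eaFrom.Domain+". Can not post to list: "+lname
               close #fv
            end if
            END
         end if
      end if

      if GetADSP(eaFrom.Domain, adsp) then
         policy = lcase(GetHeaderTag(adsp,"dkim="))
         if policy = "discardable" then
            //
            // This domain can not post to the list, if the MLS is not
            // prepared to do a restrictive ADSP domain check.
            //
            sfAppendMetaLog(msgfn,"Rejected by smtpfilter-listchecker: "+From)
            sfAppendMetaLog(msgfn,"Restricted ADSP policy for domain: "+eaFrom.Domain)
            sflog(lchReject,"Rejecting mail for: "+rcpt+" from: "+from)
            sflog(lchReject,"Restricted ADSP policy for domain: "+eaFrom.Domain)
            // NOTE(review): the log names msgfn+".policy-adsp", while
            // the copy goes to msgfn+".dmarc", the same name the
            // DMARC branch uses. The on-disk artifact therefore does
            // not show which policy caused the refusal - confirm the
            // intended file name.
            sflog(lchReject,"File: "+msgfn+".policy-adsp")
            CopyFile(msgfn,msgfn+".dmarc")
            sfSetGlobalResult(SF_DISCARD,SF_ENDRULES,554)
            // create response; it is skipped when the open fails
            // (fv <= 0)
            fv = open msgfn+".response" for output
            if fv > 0 then
               print #fv,"554 Restricted ADSP policy for domain: "+eaFrom.Domain+". Can not post to list: "+lname
               close #fv
            end if
            END
         end if
      end if

   end if

   //-----------------------------
   // No restrictive policy was found (or the check did not apply):
   // log and accept.
   // NOTE(review): SF_ENDRULES presumably stops later filters from
   // running on this message - confirm, since the file header asks
   // for this filter to run before the whitelist filter.
   s = s + " accepted for WCLS address: " + rcpt
   sflog(lchInfo,s)
   sfAppendMetaLog(msgfn,"Accepted by smtpfilter-listchecker: "+From)
   sfSetGlobalResult(SF_ACCEPT,SF_ENDRULES)

end if
END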
--
Hector Santos,
https://santronics.com
https://winserver.com