Created attachment 598524
Patch to add STARTTLS support

Description of problem:
Assume the following rule set:

    local1 = connect // /127\.0\.0\.1/
    local2 = connect // /192\.168\.1\./
    secure = macro /tls_version/ /TLSv/
    trusted = $local1 or $local2 or $secure
    reject "Sender domain policy violation"
        envfrom /<(.*@mydomain\.com)>/ei
        and not $trusted

It should reject any attempt to forge a local domain sender from an untrusted client. However, the TLS-specific part does not work, because those macros are evaluated too early (at the initial greeting phase). The result is that external clients using STARTTLS (which is pretty common) are still rejected. Furthermore, even if using an untrusted cert, old-style clients (using SMTPS) *are* permitted to send.

The attached patch fixes this by
1. Re-evaluating TLS-related macros at a later point (cb_envfrom)
2. Adding support for sendmail's {verify} (like milter-greylist)

Having the patch applied, one can use a slightly modified rule set:

    -secure = macro /tls_version/ /TLSv/
    +secure = macro /verify/ /^OK$/

which works as expected even when using STARTTLS.

Version-Release number of selected component (if applicable):
1.9-2.fc17

How reproducible:
always

Steps to Reproduce:
See above.

Additional info:
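Added illustration, not part of the bug report or of milter-regex itself: a constructed Python model of the rule set above, showing why evaluating $secure at the connect callback gives the wrong answer for STARTTLS clients (and lets SMTPS clients with an unverified cert through), and how the patched rule behaves when evaluated at envfrom. The callback names, macro values, and the external client address are assumptions.

```python
import re

# Constructed model of the rule set from the bug report: the reject rule fires when
# the envelope sender claims the local domain and none of the $trusted conditions
# hold. Macro names and callback phases are the ones named in the report.
SENDER_RE = re.compile(r'<(.*@mydomain\.com)>', re.I)
OLD_SECURE = ('tls_version', r'TLSv')   # original rule: secure = macro /tls_version/ /TLSv/
NEW_SECURE = ('verify', r'^OK$')        # patched rule:  secure = macro /verify/ /^OK$/

def trusted(macros, secure):
    """$trusted = $local1 or $local2 or $secure, evaluated over one macro snapshot."""
    conn = macros.get('connect', '')
    local = re.search(r'127\.0\.0\.1', conn) or re.search(r'192\.168\.1\.', conn)
    macro, pattern = secure
    return bool(local or re.search(pattern, macros.get(macro, '')))

def session(client_ip, verify=None, smtps=False):
    """Macro snapshots as a milter sees them per callback (constructed). With SMTPS the
    TLS macros already exist at connect; with STARTTLS they appear only before envfrom."""
    macros = {'connect': client_ip}
    tls = {'tls_version': 'TLSv1.2', 'verify': verify} if verify is not None else {}
    if smtps:
        macros.update(tls)
    yield 'connect', dict(macros)
    macros.update(tls)
    yield 'envfrom', dict(macros)

def decide(client_ip, envfrom, secure, eval_phase, verify=None, smtps=False):
    """Return 'reject' or 'accept' for the sender, with $secure evaluated at eval_phase:
    'connect' models the unpatched milter, 'envfrom' the patched re-evaluation."""
    snap = dict(session(client_ip, verify, smtps))
    if SENDER_RE.search(envfrom) and not trusted(snap[eval_phase], secure):
        return 'reject'
    return 'accept'

if __name__ == '__main__':
    ext, mail = '203.0.113.5', '<user@mydomain.com>'   # constructed external client
    # Unpatched: a STARTTLS client with a verified cert is still rejected...
    print(decide(ext, mail, OLD_SECURE, 'connect', verify='OK'))                 # reject
    # ...while an SMTPS client presenting an untrusted cert is let through.
    print(decide(ext, mail, OLD_SECURE, 'connect', verify='FAIL', smtps=True))   # accept
    # Patched rule, evaluated at envfrom: verified cert passes, untrusted cert does not.
    print(decide(ext, mail, NEW_SECURE, 'envfrom', verify='OK'))                 # accept
    print(decide(ext, mail, NEW_SECURE, 'envfrom', verify='FAIL', smtps=True))   # reject
```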
Have you sent this upstream too?
Yes
and just got a response: It's applied in upstream.
Yes, I see it's included in the current upstream development tarball. Updates for Rawhide and F-17 on the way.
milter-regex-1.9-3.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/milter-regex-1.9-3.fc17
Package milter-regex-1.9-3.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing milter-regex-1.9-3.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-10810/milter-regex-1.9-3.fc17
then log in and leave karma (feedback).
milter-regex-1.9-3.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.