From 19de0e69fb62db39ea5e069da75b945929be2400 Mon Sep 17 00:00:00 2001
From: Eric Wong <e@80x24.org>
Date: Sat, 25 Nov 2023 01:52:25 +0000
Subject: examples/unsubscribe.milter: limit scope of munging

We don't want the milter to munge List-Unsubscribe headers from
external (incoming) mlmmj lists, only lists hosted on the server
running unsubscribe.milter.

Adding support for an allow_domains file should've been enough,
but this further restricts the milter to only operating on Postfix
connections from localhost.
---
 examples/unsubscribe.milter | 38 +++++++++++++++++++++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)

(limited to 'examples/unsubscribe.milter')

diff --git a/examples/unsubscribe.milter b/examples/unsubscribe.milter
index 216b0ddd..8c682012 100644
--- a/examples/unsubscribe.milter
+++ b/examples/unsubscribe.milter
@@ -27,6 +27,28 @@ my $crypt = Crypt::CBC->new(-key => $key,
 			-cipher => 'Blowfish');
 $fh = $iv = $key = undef;
 
+my $allow_domains = '/etc/unsubscribe-milter.allow_domains';
+my $ALLOW_DOMAINS;
+if (open my $fh, '<', $allow_domains) {
+	local $/ = "\n";
+	chomp(my @l = <$fh>);
+	die "close: $!" unless eof($fh) && close($fh);
+	my %l = map { lc($_) => 1 } @l;
+	$ALLOW_DOMAINS = \%l;
+} else {
+	warn <<EOM;
+W: open $allow_domains: $! (all domains allowed)
+W: all mlmmj-looking messages will have List-Unsubscribe added,
+W: this is probably not what you want.
+EOM
+}
+
+# only allow users hitting SMTP server locally:
+# Is a config file necessary?  Regexps are ugly for IP addresses
+# but Net::Patricia (or similar) seems like overkill.  Ugly it is:
+my @ALLOW_ADDR = (qr/\A::1\z/, qr/\A127\./);
+my $ALLOW_ADDR = join('|', @ALLOW_ADDR);
+
 my %cbs;
 $cbs{connect} = sub {
 	my ($ctx) = @_;
@@ -88,10 +110,24 @@ $cbs{eom} = sub {
 	eval {
 		my $priv = $ctx->getpriv;
 		$ctx->setpriv({ header => {}, envrcpt => {} });
-		my @rcpt = keys %{$priv->{envrcpt}};
+
+		# XXX my postfix (3.5.18-0+deb11u1) + Sendmail::PMilter
+		# instance doesn't seem to get {client_addr}, but
+		# {daemon_addr} seems to make sense since I only want it
+		# to apply to users connecting to postfix locally:
+		if ($ALLOW_ADDR) {
+			my $x = $ctx->getsymval('{daemon_addr}');
+			return SMFIS_CONTINUE if $x && $x !~ /$ALLOW_ADDR/;
+		}
 
 		# one recipient, one unique HTTP(S) URL
+		my @rcpt = keys %{$priv->{envrcpt}};
 		return SMFIS_CONTINUE if @rcpt != 1;
+		if ($ALLOW_DOMAINS) {
+			my $addr = $ctx->getsymval('{mail_addr}');
+			my (undef, $d) = split /\@/, $addr;
+			return SMFIS_CONTINUE if !$ALLOW_DOMAINS->{$d};
+		}
 		return SMFIS_CONTINUE if archive_addr(lc($rcpt[0]));
 
 		my $unsub = $priv->{header}->{'list-unsubscribe'} || [];
-- 
cgit v1.2.3-24-ge0c7