From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <e@80x24.org>
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on dcvr.yhbt.net
X-Spam-Level: 
X-Spam-ASN:  
X-Spam-Status: No, score=-4.2 required=3.0 tests=ALL_TRUSTED,AWL,BAYES_00,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,
	T_SCC_BODY_TEXT_LINE shortcircuit=no autolearn=ham autolearn_force=no
	version=3.4.6
Received: from localhost (dcvr.yhbt.net [127.0.0.1])
	by dcvr.yhbt.net (Postfix) with ESMTP id 09F541F406
	for <meta@public-inbox.org>; Sat, 25 Nov 2023 01:52:26 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=80x24.org;
	s=selector1; t=1700877146;
	bh=fovrqRRUwYtR2ckss34G4RC4VduJboG02Z7eQh4rJVc=;
	h=From:To:Subject:Date:From;
	b=xSB0/zg0tOgJhMOpLUrKmTU8C4Y/jyqLxWE20o8bg3Fh0kz8YyBfia0iEeJ9/7drz
	 2E5062B0w4ijQtadG+/To//OCQUV+CWJp0KhWuTKk30y/XZ1KSfvUTaKRuJ1ehoLVo
	 MYGNux1IHuwyE+RI8a8+u5yDT7NwBrTL/0rSyJiA=
From: Eric Wong <e@80x24.org>
To: meta@public-inbox.org
Subject: [PATCH] examples/unsubscribe.milter: limit scope of munging
Date: Sat, 25 Nov 2023 01:52:25 +0000
Message-ID: <20231125015225.4052893-1-e@80x24.org>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
List-Id: <meta.public-inbox.org>

We don't want the milter to munge List-Unsubscribe headers from
external (incoming) mlmmj lists, only lists hosted on the server
running unsubscribe.milter.

Adding support for an allow_domains file should've been enough,
but this further restricts the milter to only operating on Postfix
connections from localhost.
---
 examples/unsubscribe.milter | 38 ++++++++++++++++++++++++++++++++++++-
 1 file changed, 37 insertions(+), 1 deletion(-)

diff --git a/examples/unsubscribe.milter b/examples/unsubscribe.milter
index 216b0ddd..8c682012 100644
--- a/examples/unsubscribe.milter
+++ b/examples/unsubscribe.milter
@@ -27,6 +27,28 @@ my $crypt = Crypt::CBC->new(-key => $key,
 			-cipher => 'Blowfish');
 $fh = $iv = $key = undef;
 
+my $allow_domains = '/etc/unsubscribe-milter.allow_domains';
+my $ALLOW_DOMAINS;
+if (open my $fh, '<', $allow_domains) {
+	local $/ = "\n";
+	chomp(my @l = <$fh>);
+	die "close: $!" unless eof($fh) && close($fh);
+	my %l = map { lc($_) => 1 } @l;
+	$ALLOW_DOMAINS = \%l;
+} else {
+	warn <<EOM;
+W: open $allow_domains: $! (all domains allowed)
+W: all mlmmj-looking messages will have List-Unsubscribe added,
+W: this is probably not what you want.
+EOM
+}
+
+# only allow users hitting SMTP server locally:
+# Is a config file necessary?  Regexps are ugly for IP addresses
+# but Net::Patricia (or similar) seems like overkill.  Ugly it is:
+my @ALLOW_ADDR = (qr/\A::1\z/, qr/\A127\./);
+my $ALLOW_ADDR = join('|', @ALLOW_ADDR);
+
 my %cbs;
 $cbs{connect} = sub {
 	my ($ctx) = @_;
@@ -88,10 +110,24 @@ $cbs{eom} = sub {
 	eval {
 		my $priv = $ctx->getpriv;
 		$ctx->setpriv({ header => {}, envrcpt => {} });
-		my @rcpt = keys %{$priv->{envrcpt}};
+
+		# XXX my postfix (3.5.18-0+deb11u1) + Sendmail::PMilter
+		# instance doesn't seem to get {client_addr}, but
+		# {daemon_addr} seems to make sense since I only want it
+		# to apply to users connecting to postfix locally:
+		if ($ALLOW_ADDR) {
+			my $x = $ctx->getsymval('{daemon_addr}');
+			return SMFIS_CONTINUE if $x && $x !~ /$ALLOW_ADDR/;
+		}
 
 		# one recipient, one unique HTTP(S) URL
+		my @rcpt = keys %{$priv->{envrcpt}};
 		return SMFIS_CONTINUE if @rcpt != 1;
+		if ($ALLOW_DOMAINS) {
+			my $addr = $ctx->getsymval('{mail_addr}');
+			my (undef, $d) = split /\@/, $addr;
+			return SMFIS_CONTINUE if !$ALLOW_DOMAINS->{$d};
+		}
 		return SMFIS_CONTINUE if archive_addr(lc($rcpt[0]));
 
 		my $unsub = $priv->{header}->{'list-unsubscribe'} || [];