From 8857302347afacff6673fcabadde713126c012ca Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Wed, 4 Jun 2014 14:41:18 -0700 Subject: [PATCH 001/256] check-starttls and process-google-starttls-domains.py --- check-starttls.py | 94 ++++++++++++++++++++++++++++++ process-google-starttls-domains.py | 18 ++++++ 2 files changed, 112 insertions(+) create mode 100755 check-starttls.py create mode 100755 process-google-starttls-domains.py diff --git a/check-starttls.py b/check-starttls.py new file mode 100755 index 000000000..15bc7ce64 --- /dev/null +++ b/check-starttls.py @@ -0,0 +1,94 @@ +#!/usr/bin/python +import sys +import os +import errno +import smtplib +import socket +import subprocess +import re + +import dns.resolver +from M2Crypto import X509 + +def mkdirp(path): + try: + os.makedirs(path) + except OSError as exc: + if exc.errno == errno.EEXIST and os.path.isdir(path): + pass + else: raise + +def extract_names(pem): + leaf = X509.load_cert_string(pem, X509.FORMAT_PEM) + + """Extracts a list of DNS names associated with the leaf cert.""" + subj = leaf.get_subject() + # Certs have a "subject" identified by a Distingushed Name (DN). + # Host certs should also have a Common Name (CN) with a DNS name. + common_names = subj.get_entries_by_nid(subj.nid['CN']) + common_names = [name.get_data().as_text() for name in common_names] + try: + # The SAN extension allows one cert to cover multiple domains + # and permits DNS wildcards. + # http://www.digicert.com/subject-alternative-name.htm + # The field is a comma delimited list, e.g.: + # >>> twitter_cert.get_ext('subjectAltName').get_value() + # 'DNS:www.twitter.com, DNS:twitter.com' + alt_names = leaf.get_ext('subjectAltName').get_value() + alt_names = alt_names.split(',') + alt_names = [name.partition(':') for name in alt_names] + alt_names = [name for prot, _, name in alt_names if prot == 'DNS'] + except: + alt_names = [] + return set(common_names + alt_names) + +def tls_connect(mx_host, mail_domain): + # smtplib doesn't let us access certificate information, + # so shell out to openssl. + output = subprocess.check_output( + """openssl s_client \ + -CApath /usr/share/ca-certificates/mozilla/ \ + -starttls smtp -connect %s:25 -showcerts 0: + print "iiii ", len(cert) + print extract_names(cert[0]) + #lines = output.split("\n") + #for i in range(0, len(lines)): + #line = lines[i] + #if re.search("Subject:.* CN=(.*)", line): + #m = re.search("Subject:.* CN=(.*)", line) + #print "CN=", m.group(1) + #elif re.search("Subject Alternative Name:", line): + #dns = re.findall("DNS:([^,]*),", lines[i+1]) + #for d in dns: + #print d + +# try: +# smtpserver = smtplib.SMTP(mx_host, 25, timeout = 2) +# smtpserver.ehlo() +# smtpserver.starttls() +# print "Success: %s" % mx_host +# except socket.error as e: +# print "Connection to %s failed: %s" % (mx_host, e.strerror) +# pass + +def check(mail_domain): + mkdirp(mail_domain) + answers = dns.resolver.query(mail_domain, 'MX') + for rdata in answers: + mx_host = str(rdata.exchange) + print 'Host', rdata.exchange, 'has preference', rdata.preference + tls_connect(mx_host, mail_domain) + +if len(sys.argv) == 1: + print("Please pass at least one mail domain as an argument") + +for domain in sys.argv[1:]: + check(domain) diff --git a/process-google-starttls-domains.py b/process-google-starttls-domains.py new file mode 100755 index 000000000..0a0201875 --- /dev/null +++ b/process-google-starttls-domains.py @@ -0,0 +1,18 @@ +#!/usr/bin/python +import csv +import codecs +import sys +from collections import defaultdict + +csvreader = csv.reader(codecs.open(sys.argv[1], "rU", "utf-8"), delimiter=',', quotechar='"') +d = defaultdict(set) +for (address_suffix, hostname_suffix, direction, region, fraction_encrypted) in csvreader: + if direction == "outbound": + try: + d[address_suffix].add(float(fraction_encrypted)) + except ValueError: + pass + +for address_suffix, fraction_encrypted in d.iteritems(): + if min(fraction_encrypted) >= 0.50: + print min(fraction_encrypted), address_suffix From f0b9ef2716f356dbf033f4aec71c365103429a8d Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Thu, 5 Jun 2014 10:43:01 -0700 Subject: [PATCH 002/256] Add a Vagrantfile and the list of golden domains. --- Vagrantfile | 27 +++++++++++++++++++++++++++ golden-domains.txt | 22 ++++++++++++++++++++++ vagrant-bootstrap.sh | 10 ++++++++++ 3 files changed, 59 insertions(+) create mode 100644 Vagrantfile create mode 100644 golden-domains.txt create mode 100755 vagrant-bootstrap.sh diff --git a/Vagrantfile b/Vagrantfile new file mode 100644 index 000000000..e485988f1 --- /dev/null +++ b/Vagrantfile @@ -0,0 +1,27 @@ +# -*- mode: ruby -*- +# vi: set ft=ruby : + +# Vagrantfile API/syntax version. Don't touch unless you know what you're doing! +VAGRANTFILE_API_VERSION = "2" + +Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| + # All Vagrant configuration is done here. The most common configuration + # options are documented and commented below. For a complete reference, + # please see the online documentation at vagrantup.com. + + # Every Vagrant virtual environment requires a box to build off of. + config.vm.box = "hashicorp/precise32" + + config.vm.define "sender" do |sender| + sender.vm.network "private_network", ip: "192.168.33.5" + end + config.vm.define "valid" do |valid| + valid.vm.network "private_network", ip: "192.168.33.7" + end + config.vm.provision :shell, path: "vagrant-bootstrap.sh" + + config.vm.provider "virtualbox" do |vb| + # vb.gui = true + vb.customize ["modifyvm", :id, "--memory", "256"] + end +end diff --git a/golden-domains.txt b/golden-domains.txt new file mode 100644 index 000000000..9a0c95948 --- /dev/null +++ b/golden-domains.txt @@ -0,0 +1,22 @@ +ymail.com +yandex.ru +yahoo.co.uk +wp.pl +web.de +vtext.com +ukr.net +t-online.de +sompo-japan.co.jp +sbcglobal.net +salesforce.com +rogers.com +rocketmail.com +rambler.ru +marktplaats.nl +interia.pl +gmx.net +gmx.de +facebook.com +craigslist.org +bigpond.com +aol.com diff --git a/vagrant-bootstrap.sh b/vagrant-bootstrap.sh new file mode 100755 index 000000000..ac9837198 --- /dev/null +++ b/vagrant-bootstrap.sh @@ -0,0 +1,10 @@ +#!/usr/bin/env bash + +export DEBIAN_FRONTEND=noninteractive + +apt-get update -q +apt-get install -q -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" postfix +cat > /etc/hosts << Date: Thu, 5 Jun 2014 11:05:08 -0700 Subject: [PATCH 003/256] Add design doc --- README.md | 188 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 188 insertions(+) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 000000000..4728ea352 --- /dev/null +++ b/README.md @@ -0,0 +1,188 @@ +# STARTTLS Everywhere + +## Authors + +Jacob Hoffman-Andrews , Peter Eckersley + +## Background + +Most email transferred between SMTP servers (aka MTAs) is transmitted in the clear and trivially interceptable. Encryption of SMTP traffic is possible using the STARTTLS mechanism, which encrypts traffic but is vulnerable to a trivial downgrade attack. + +To illustrate an easy version of this attack, suppose a network-based attacker Mallory notices that Alice has just uploaded message to her mail server. Mallory can inject a TCP reset (RST) packet during the mail server's next TLS negotiation with another mail server. Nearly all mail servers that implement STARTTLS do so in opportunistic mode, which means that they will retry without encryption if there is any problem with a TLS connection. So Alice's message will be transmitted in the clear. + +Opportunistic TLS in SMTP also extends to certificate validation. Mail servers commonly provide self-signed certificates or certificates with non-validatable hostnames, and senders commonly accept these. This means that if we say 'require TLS for this mail domain,' the domain may still be vulnerable to a man-in-the-middle using any key and certificate chosen by the attacker. + +Even if senders require a valid certificate that matches the hostname of a mail host, a DNS MITM is still possible. The sender, to find the correct target hostname, queries DNS for MX records on the recipient domain. Absent DNSSEC, the response can be spoofed to provide the attacker's hostname, for which the attacker holds a valid certificate. + +STARTTLS by itself thwarts purely passive eavesdroppers. However, as currently deployed, it allows either bulk or semi-targeted attacks that are very unlikely to be detected. We would like to deploy both detection and prevention for such semi-targeted attacks. + +## Goals + +* Prevent RST attacks from revealing email contents in transit between major MTAs that support STARTTLS. +* Prevent MITM attacks at the DNS, SMTP, TLS, or other layers from revealing same. +* Zero or minimal decrease to deliverability rates unless network attacks are actually occurring + +## Non-goals + +* Prevent fully-targeted exploits of vulnerabilities on endpoints or on mail hosts. +* Refuse delivery on the recipient side if sender does not negotiate TLS (this may be a future project). +* Develop a fully-decentralized solution. +* Initially we are not engineering to scale to all mail domains on the Internet, though we believe this design can be scaled as required if large numbers of domains publish policies to it. + +## Threat model + +Attacker has control of routers on the path between two MTAs of interest. Attacker cannot or will not issue valid certificates for arbitrary names. Attacker cannot or will not attack endpoints. We are trying to protect confidentiality and integrity of email transmitted over SMTP between MTAs. + +## Detailed design + +Senders need to know which target hosts are known to support STARTTLS, and how to authenticate them. Since the network cannot be trusted to provide this information, it must be communicated securely out-of-band. We will provide: + + (a) a configuration file format to convey STARTTLS support for recipient domains, + + (b) Python code (config-generator) to transform (a) into configuration files for popular MTAs., and + + (c) a method to create and securely distribute files of type (a) for major email domains that that agree to be included, plus any other domains that proactively request to be included. + +## File Format + +The basic file format will be JSON with comments ([](http://blog.getify.com/json-comments/))http://blog.getify.com/json-comments/). Example: + +* { +* // Canonical URL [](https://eff.org/starttls-everywhere/config)[https://eff.org/s](https://eff.org/that-email-thing)tarttls-everywhere/config -- redirects to latest version +* "timestamp": 1401093333 +* "author": "Electronic Frontier Foundation [](https://eff.org)https://eff.org", +* "expires": 1401414363, // epoch seconds +* "nexthop-domains": { +* "gmail.com": { +* "accept-mx-domains": ["google.com", "gmail.com"] +* } +* "yahoo.com": { +* "accept-mx-domains": ["yahoodns.net"] +* } +* "eff.org": { +* "accept-mx-domains": ["eff.org"] +* } +* } +* "mx-domains": { +* "eff.org": { +* "require-tls": true, +* "min-tls-version": "TLSv1.1", +* "enforce-mode": "enforce" +* } +* "google.com": { +* "require-valid-certificate": true, +* "min-tls-version": "TLSv1.1", +* "accept-pinset": "google", +* "enforce-mode": "log-only", +* // error-notification domains * +* "error-notification": "[](https://googlemail.com/post/reports/here)https://g[o](https://g)[o](https://go)[g](https://goo)[l](https://goog)[e](https://googl)[m](https://google)[a](https://googlem)[il](https://googlema)[.co](https://googlemail)[m](https://googlemail.co)[/](https://googlemail.com)post/[r](https://googlemail.com/xhr/)[e](https://googlemail.com/xhr/r)[por](https://googlemail.com/xhr/re)[t](https://googlemail.com/xhr/repor)[s](https://googlemail.com/xhr/report)[/](https://googlemail.com/xhr/reports/go)[he](https://googlemail.com/xhr/reports/go/)[r](https://googlemail.com/xhr/reports/go/he)[e](https://googlemail.com/xhr/reports/go/her)["](https://googlemail.com/xhr/reports/go/here) +* }, +* "yahoodns.net": { +* "require-valid-certificate": true, +* } +* } +* // Similar to +* // [](https://src.chromium.org/chrome/trunk/src/net/http/transport_security_state_static.json)https://src.chromium.org/chrome/trunk/src/net/http/transport_security_state_static.json +* "pinsets": [ +* { +* "name": "google", +* "static_spki_hashes": [ +* "GoogleBackup2048", +* "GoogleG2" +* ] +* } +* ], +* "spki_hashes": { + +* Are base64 encoded hashes already widely used/defined? If not, I'd lean towards hex here in this JSON file, since we hopefully have gzip to reduce the encoding overhead anyway, and this file should optimize for admin ease of use. +* These are what's used for certificate pinning in Chrome. Most likely we'll have people use the same tooling to generate these SPKI hashes for us, so I think using the same format and encoding makes sense. It's also easy on admins: "We'll just use the same set of pins we use for HTTPS." +* The other thing I forgot to mention: There isn't, AFAIK, a good way to get the SPKI hash other than using the Chrome tool. It's not one of the fields output by openssl x509, for example. + +* "GoogleBackup2048": "sha1/vq7OyjSnqOco9nyMCDGdy77eijM=", +* "GoogleG2": "sha1/Q9rWMO5T+KmAym79hfRqo3mQ4Oo=" +* } +* } + +A user of this file format may choose to accept multiple files. For instance, the EFF might provide an overall configuration covering major mail providers, and another organization might produce an overlay for mail providers in a specific country. If so, they override each other on a per-domain basis. + +The _timestamp_ field is an integer number of epoch seconds. When retrieving a fresh configuration file, config-generator should validate that the timestamp is greater than or equal to the version number of the file it already has. + +There is no inline signature field. The configuration file should be distributed with authentication using an offline signing key. + +Option 1: Plain JSON distributed with a signature using gpg --clearsign. Config-generator should validate the signature against a known GPG public key before extracting. The public key is part of the permanent system configuration, like the fetch URL. + +Option 2: Git is a revision control system built on top of an authenticated, history-preserving file system. Let's use it as an authenticated, history preserving file system: valid versions of recipient policy files may be fetched and verified via signed git tags. [Here's an example shell recipe to do this.](https://gist.github.com/jsha/6230206e89759cc6e00d) + +Config-generator should attempt to fetch the configuration file daily and transform it into MTA configs. If there is a retrieval failure, and the cached configuration file has an 'expires' time past the current date, an alert should be raised to the system operator and all existing configs from config-generator should be removed, reverting the MTA configuration to use opportunistic TLS for all domains. + +**nexthop-domains** + +The _nexthop-domains _field maps from mail domains (the part of an address after the "@") onto a list of properties for that domain. Matching of mail domains is on an exact-match basis, not a subdomain basis. For instance, eff.org would be listed separately from lists.eff.org in the _nexthop-domains _section. + +Currently the only property defined for _nexthop-domains _is _accept-mx-domains_, a list. If an MX lookup for a listed nexthop domain returns a hostname that is not a subdomain of one of the domains listed in the _accept-mx-domains_ property, the MTA should fail delivery or log an advisory failure, as appropriate. Matching of MX hostnames against the _accept-mx-domains_ list is on a subdomain basis. For instance, if an MX record for yahoo.com lists mta7.am0.yahoodns.net, and the _accept-mx-domains_ property for yahoo.com is ["yahoodns.net"], that should be considered a match. All domains listed in any _accept-mx-domains _list must correspond to an exactly matching field in the _mx-domains_ config section. + +The _accept-mx-domains_ mechanism partially solves the problem of DNS MITM. It doesn't completely solve the problem, since an attacker might somehow control a different hostname under an acceptable domain, e.g. evil.yahoodns.net. But it strikes a balance between improving security and allowing mail operators to change configuration as needed. Some mail operators delegate their MX handling to a third-party provider (i.e. Google Apps for Your Domain). If those operators are included in STARTTLS Everywhere and wish to change providers, they will have to first send an update to their _accept-mx-domains_ to include their new provider. + +**mx-domains** + +The keys of this section are MX domains as described above for the _accept-mx-domains_ property. Each _mx-domain_ entry must be an exact match with an entry in one of the _accept-mx-domains_ lists provided. No _mx-domain _can be a subdomain of any other _mx-domain _in the configuration file. Fields in this section specify minimum security requirements that should be applied when connecting to any MX hostname that is a subdomain of the specified _mx-domain_. + +Implicitly each _mx-domain_ listed has a property _require-tls: true_. MX domains that do not support TLS will not be listed. The only required property is _enforce-mode_, which must be either _log-only_ or _enforce_. If _enforce-mode_ is _log-only_, the generated configs will not stop mail delivery on policy failures, but will produce logging information. + +If the _min-tls-version_ property is present, sending mail to domains under this policy should fail if the sending MTA cannot negotiate a TLS version equal to or greater than the listed version. Valid values are _TLSv1, TLSv1.1, and TLSv1.2._ + +_Require-valid-certificate _defaults to false. If the _require-valid-certificate_ property is 'true' for a given _mx-domain_ the certificate presented must be valid for a hostname that is subdomain of the _mx-domain_. Validity means all of these must be true: + +1. The CN or a DNS entry under subjectAltName matches an appropriate hostname. +2. The certificate is unexpired. +3. There is a valid chain from the certificate to a root certificate included in [Mozilla's trust store](https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included/) (available as [Debian package ca-certificates](https://packages.debian.org/sid/ca-certificates)). + +The _accept-pinset_ field references an entry in the pinsets list, which has the same format and semantics as [Chrome's pinning list](https://src.chromium.org/chrome/trunk/src/net/http/transport_security_state_static.json). Most _mx-domain_s should specify a pinset that describes trust roots rather than leaf certificates, but both are possible. Pinning will only be added at the request of mail operators because it requires operators be careful when issuing new leaf certificates. + +## Pinning and hostname verification + +Like Chrome (and soon Firefox) we want to encourage pinning to a trusted root or intermediate rather than a leaf cert, to minimize spurious pinning failures when hosts rotate keys. + +The other option is to automatically pin leaf certs as observed in the wild. This would be one solution to the hostname verification and self-signed certificate problem. However, it is a non-starter. Even if we expect mail operators to auto-update configuration on a daily basis, this approach cannot add new certs until they are observed in the wild. That means that any time an operator rotates keys on a mail server, there would be a significant window of time in which the new keys would be rejected. + +We do not attempt to solve the self-signed certificate problem. For mail hosts with self-signed certificates, we can require TLS but will not require validation of the certificates. Such hosts should be encouraged to upgrade to a CA-signed certificate that can be validated by senders. + +## Creating configuration + +We have three options for creating the configuration file: + +1. Ask mail operators to submit policies for their domains which we incorporate. +2. Manually curate a set of policies for the top N mail domains. +3. Programmatically create a set of policies by connecting to the top N mail domains. + +For option (1), there's a bootstrapping problem: No one will opt in until it's useful; It won't be useful until people opt in. Option (1) does have the advantage that it's the only good way to get pinning directives. + +For option (3) we'd be likely to pull in bad policies that could result in failed delivery. + +We'll initially launch a demo using option (2), do some initial deployments to prove viability and delivery rate impact, and then start reaching out to operators to do option (1). + +## Distribution + +The configuration file will be provided at a long-term maintained URL. It will be signed using a key held offline on an airgapped machine or smartcard. + +Since recipient mail servers may abruptly stop supporting TLS, we will request that mail operators set up auto-updating of the configuration file, with signature verification. This allows us to minimize the delivery impact of such events. However, config-generator should not auto-update its own code, since that would amount to auto-deployment of third party code, which some operators may not wish to do. + +We may choose to implement a form of immutable log along the lines of certificate transparency. This would be appealing if we chose to use this mechanism to distribute expected leaf keys as a primary authentication mechanism, but as described in "Pinning and hostname verification," that's not a viable option. Instead we will rely on the CA ecosystem to do primary authentication, so an immutable log for this system is probably overkill, engineering-wise. + +## Python code + +Config-generator should parse input JSON and produce output configs for various mail servers. It should not be possible for any input JSON to cause arbitrary code execution or even any MTA config directives beyond the ones that specifically impact the decision to deliver or bounce based on TLS support. For instance, it must not be possible for config-generator to output a directive to forward mail from one domain to another. Config-generator will have the option to directly pull the latest config from a URL, or from a file on local disk distributed regularly from another system that has outside network access. + +Config-generator will be manually updated by mail operators. + +## Testing + +We will create a reproducible test configuration that can be run locally and exercises each of the major cases: Enforce mode vs log mode; Enforced TLS negotiation, enforced MX hostname match, and enforced valid certificates. + +Additionally, for ongoing monitoring of third-party deployments, we will create a canary mail domain that intentionally fails one of the tests but is included in the configuration file. For instance, starttls-canary.org would be listed in the configuration as requiring STARTTLS, but would not actually offer STARTTLS. Each time a mail operator commits to configuring STARTTLS Everywhere, we would request an account on their email domain from which to send automated daily email to starttls-canary.org. We should expect bounces. If such mail is successfully delivered to starttls-canary.org, that would indicate a configuration failure on the sending host, and we would manually notify the operator. + +## Failure reporting + +For the mail operator deploying STARTTLS Everywhere, we will provide log analysis scripts that can be used out-of-the-box to monitor how many delivery failures or would-be failures are due to STARTTLS Everywhere policies. These would be designed to run in a cron job and send notices only when STARTTLS Everywhere-related failures exceed 0.1% for any given recipient domains. For very high-volume mail operators, it would likely be necessary to adapt the analysis scripts to their own logging and analysis infrastructure. + +For recipient domains who are listed in the STARTTLS Everywhere configuration, we would provide a configuration field to specify an email address or HTTPS URL to which that sender domains could send failure information. This would provide a mechanism for recipient domains to identify problems with their TLS deployment and fix them. The reported information should not contain any personal information, including email addresses. Example fields for failure reports: timestamps at minute granularity, target MX hostname, resolved MX IP address, failure type, certificate. Since failures are likely to come in batches, the error sending mechanism should batch them up and summarize as necessary to avoid flooding the recipient. From aa417eec15ab6e9442e33cf687238fbc48041d1c Mon Sep 17 00:00:00 2001 From: jsha Date: Thu, 5 Jun 2014 11:10:07 -0700 Subject: [PATCH 004/256] Formatting issue in design doc --- README.md | 106 ++++++++++++++++++++++++++---------------------------- 1 file changed, 51 insertions(+), 55 deletions(-) diff --git a/README.md b/README.md index 4728ea352..4686d5baf 100644 --- a/README.md +++ b/README.md @@ -45,63 +45,59 @@ Senders need to know which target hosts are known to support STARTTLS, and how t ## File Format -The basic file format will be JSON with comments ([](http://blog.getify.com/json-comments/))http://blog.getify.com/json-comments/). Example: +The basic file format will be JSON with comments (http://blog.getify.com/json-comments/). Example: -* { -* // Canonical URL [](https://eff.org/starttls-everywhere/config)[https://eff.org/s](https://eff.org/that-email-thing)tarttls-everywhere/config -- redirects to latest version -* "timestamp": 1401093333 -* "author": "Electronic Frontier Foundation [](https://eff.org)https://eff.org", -* "expires": 1401414363, // epoch seconds -* "nexthop-domains": { -* "gmail.com": { -* "accept-mx-domains": ["google.com", "gmail.com"] -* } -* "yahoo.com": { -* "accept-mx-domains": ["yahoodns.net"] -* } -* "eff.org": { -* "accept-mx-domains": ["eff.org"] -* } -* } -* "mx-domains": { -* "eff.org": { -* "require-tls": true, -* "min-tls-version": "TLSv1.1", -* "enforce-mode": "enforce" -* } -* "google.com": { -* "require-valid-certificate": true, -* "min-tls-version": "TLSv1.1", -* "accept-pinset": "google", -* "enforce-mode": "log-only", -* // error-notification domains * -* "error-notification": "[](https://googlemail.com/post/reports/here)https://g[o](https://g)[o](https://go)[g](https://goo)[l](https://goog)[e](https://googl)[m](https://google)[a](https://googlem)[il](https://googlema)[.co](https://googlemail)[m](https://googlemail.co)[/](https://googlemail.com)post/[r](https://googlemail.com/xhr/)[e](https://googlemail.com/xhr/r)[por](https://googlemail.com/xhr/re)[t](https://googlemail.com/xhr/repor)[s](https://googlemail.com/xhr/report)[/](https://googlemail.com/xhr/reports/go)[he](https://googlemail.com/xhr/reports/go/)[r](https://googlemail.com/xhr/reports/go/he)[e](https://googlemail.com/xhr/reports/go/her)["](https://googlemail.com/xhr/reports/go/here) -* }, -* "yahoodns.net": { -* "require-valid-certificate": true, -* } -* } -* // Similar to -* // [](https://src.chromium.org/chrome/trunk/src/net/http/transport_security_state_static.json)https://src.chromium.org/chrome/trunk/src/net/http/transport_security_state_static.json -* "pinsets": [ -* { -* "name": "google", -* "static_spki_hashes": [ -* "GoogleBackup2048", -* "GoogleG2" -* ] -* } -* ], -* "spki_hashes": { + { + // Canonical URL https://eff.org/starttls-everywhere/config -- redirects to latest version + "timestamp": 1401093333 + "author": "Electronic Frontier Foundation https://eff.org", + "expires": 1401414363, // epoch seconds + "nexthop-domains": { + "gmail.com": { + "accept-mx-domains": ["google.com", "gmail.com"] + } + "yahoo.com": { + "accept-mx-domains": ["yahoodns.net"] + } + "eff.org": { + "accept-mx-domains": ["eff.org"] + } + } + "mx-domains": { + "eff.org": { + "require-tls": true, + "min-tls-version": "TLSv1.1", + "enforce-mode": "enforce" + } + "google.com": { + "require-valid-certificate": true, + "min-tls-version": "TLSv1.1", + "accept-pinset": "google", + "enforce-mode": "log-only", + // error-notification domains * + "error-notification": "https://google.com/post/reports/here" + }, + "yahoodns.net": { + "require-valid-certificate": true, + } + } + // Similar to + // [](https://src.chromium.org/chrome/trunk/src/net/http/transport_security_state_static.json)https://src.chromium.org/chrome/trunk/src/net/http/transport_security_state_static.json + "pinsets": [ + { + "name": "google", + "static_spki_hashes": [ + "GoogleBackup2048", + "GoogleG2" + ] + } + ], + "spki_hashes": { + "GoogleBackup2048": "sha1/vq7OyjSnqOco9nyMCDGdy77eijM=", + "GoogleG2": "sha1/Q9rWMO5T+KmAym79hfRqo3mQ4Oo=" + } + } -* Are base64 encoded hashes already widely used/defined? If not, I'd lean towards hex here in this JSON file, since we hopefully have gzip to reduce the encoding overhead anyway, and this file should optimize for admin ease of use. -* These are what's used for certificate pinning in Chrome. Most likely we'll have people use the same tooling to generate these SPKI hashes for us, so I think using the same format and encoding makes sense. It's also easy on admins: "We'll just use the same set of pins we use for HTTPS." -* The other thing I forgot to mention: There isn't, AFAIK, a good way to get the SPKI hash other than using the Chrome tool. It's not one of the fields output by openssl x509, for example. - -* "GoogleBackup2048": "sha1/vq7OyjSnqOco9nyMCDGdy77eijM=", -* "GoogleG2": "sha1/Q9rWMO5T+KmAym79hfRqo3mQ4Oo=" -* } -* } A user of this file format may choose to accept multiple files. For instance, the EFF might provide an overall configuration covering major mail providers, and another organization might produce an overlay for mail providers in a specific country. If so, they override each other on a per-domain basis. From 3d9d5607bd51caca2202d3c79f418fcb4c0554c9 Mon Sep 17 00:00:00 2001 From: jsha Date: Thu, 5 Jun 2014 11:34:12 -0700 Subject: [PATCH 005/256] Formatting issue #2 in design doc --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 4686d5baf..d47ba0f70 100644 --- a/README.md +++ b/README.md @@ -82,7 +82,7 @@ The basic file format will be JSON with comments (http://blog.getify.com/json-co } } // Similar to - // [](https://src.chromium.org/chrome/trunk/src/net/http/transport_security_state_static.json)https://src.chromium.org/chrome/trunk/src/net/http/transport_security_state_static.json + // https://src.chromium.org/chrome/trunk/src/net/http/transport_security_state_static.json "pinsets": [ { "name": "google", From 4b5b9f164fcab8cb2ee4601cef804211d74bbdc8 Mon Sep 17 00:00:00 2001 From: jsha Date: Thu, 5 Jun 2014 11:51:19 -0700 Subject: [PATCH 006/256] nexthop-domains -> address-domains --- README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index d47ba0f70..cc510ecfa 100644 --- a/README.md +++ b/README.md @@ -10,9 +10,9 @@ Most email transferred between SMTP servers (aka MTAs) is transmitted in the cle To illustrate an easy version of this attack, suppose a network-based attacker Mallory notices that Alice has just uploaded message to her mail server. Mallory can inject a TCP reset (RST) packet during the mail server's next TLS negotiation with another mail server. Nearly all mail servers that implement STARTTLS do so in opportunistic mode, which means that they will retry without encryption if there is any problem with a TLS connection. So Alice's message will be transmitted in the clear. -Opportunistic TLS in SMTP also extends to certificate validation. Mail servers commonly provide self-signed certificates or certificates with non-validatable hostnames, and senders commonly accept these. This means that if we say 'require TLS for this mail domain,' the domain may still be vulnerable to a man-in-the-middle using any key and certificate chosen by the attacker. +Opportunistic TLS in SMTP also extends to certificate validation. Mail servers commonly provide self-signed certificates or certificates with non-validatable hostnames, and senders commonly accept these. This means that if we say 'require TLS for this mail domain,' the domain may still be vulnerable to a man-in-the-middle using any key and certificate chosen by the attacker. -Even if senders require a valid certificate that matches the hostname of a mail host, a DNS MITM is still possible. The sender, to find the correct target hostname, queries DNS for MX records on the recipient domain. Absent DNSSEC, the response can be spoofed to provide the attacker's hostname, for which the attacker holds a valid certificate. +Even if senders require a valid certificate that matches the hostname of a mail host, a DNS MITM is still possible. The sender, to find the correct target hostname, queries DNS for MX records on the recipient domain. Absent DNSSEC, the response can be spoofed to provide the attacker's hostname, for which the attacker holds a valid certificate. STARTTLS by itself thwarts purely passive eavesdroppers. However, as currently deployed, it allows either bulk or semi-targeted attacks that are very unlikely to be detected. We would like to deploy both detection and prevention for such semi-targeted attacks. @@ -52,7 +52,7 @@ The basic file format will be JSON with comments (http://blog.getify.com/json-co "timestamp": 1401093333 "author": "Electronic Frontier Foundation https://eff.org", "expires": 1401414363, // epoch seconds - "nexthop-domains": { + "address-domains": { "gmail.com": { "accept-mx-domains": ["google.com", "gmail.com"] } @@ -111,11 +111,11 @@ Option 2: Git is a revision control system built on top of an authenticated, his Config-generator should attempt to fetch the configuration file daily and transform it into MTA configs. If there is a retrieval failure, and the cached configuration file has an 'expires' time past the current date, an alert should be raised to the system operator and all existing configs from config-generator should be removed, reverting the MTA configuration to use opportunistic TLS for all domains. -**nexthop-domains** +**address-domains** -The _nexthop-domains _field maps from mail domains (the part of an address after the "@") onto a list of properties for that domain. Matching of mail domains is on an exact-match basis, not a subdomain basis. For instance, eff.org would be listed separately from lists.eff.org in the _nexthop-domains _section. +The _address-domains_ field maps from mail domains (the part of an address after the "@") onto a list of properties for that domain. Matching of mail domains is on an exact-match basis, not a subdomain basis. For instance, eff.org would be listed separately from lists.eff.org in the _address-domains_ section. -Currently the only property defined for _nexthop-domains _is _accept-mx-domains_, a list. If an MX lookup for a listed nexthop domain returns a hostname that is not a subdomain of one of the domains listed in the _accept-mx-domains_ property, the MTA should fail delivery or log an advisory failure, as appropriate. Matching of MX hostnames against the _accept-mx-domains_ list is on a subdomain basis. For instance, if an MX record for yahoo.com lists mta7.am0.yahoodns.net, and the _accept-mx-domains_ property for yahoo.com is ["yahoodns.net"], that should be considered a match. All domains listed in any _accept-mx-domains _list must correspond to an exactly matching field in the _mx-domains_ config section. +Currently the only property defined for _address-domains_ is _accept-mx-domains_, a list. If an MX lookup for a listed address domain returns a hostname that is not a subdomain of one of the domains listed in the _accept-mx-domains_ property, the MTA should fail delivery or log an advisory failure, as appropriate. Matching of MX hostnames against the _accept-mx-domains_ list is on a subdomain basis. For instance, if an MX record for yahoo.com lists mta7.am0.yahoodns.net, and the _accept-mx-domains_ property for yahoo.com is ["yahoodns.net"], that should be considered a match. All domains listed in any _accept-mx-domains _list must correspond to an exactly matching field in the _mx-domains_ config section. The _accept-mx-domains_ mechanism partially solves the problem of DNS MITM. It doesn't completely solve the problem, since an attacker might somehow control a different hostname under an acceptable domain, e.g. evil.yahoodns.net. But it strikes a balance between improving security and allowing mail operators to change configuration as needed. Some mail operators delegate their MX handling to a third-party provider (i.e. Google Apps for Your Domain). If those operators are included in STARTTLS Everywhere and wish to change providers, they will have to first send an update to their _accept-mx-domains_ to include their new provider. From 6fb51d54227554445ef0772eb66e8d945d4d13e8 Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Thu, 5 Jun 2014 14:11:08 -0700 Subject: [PATCH 007/256] Example shouldn't include hashes from Chrome source. --- README.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index cc510ecfa..3ba644d7f 100644 --- a/README.md +++ b/README.md @@ -68,11 +68,11 @@ The basic file format will be JSON with comments (http://blog.getify.com/json-co "require-tls": true, "min-tls-version": "TLSv1.1", "enforce-mode": "enforce" + "accept-pinset": "eff", } "google.com": { "require-valid-certificate": true, "min-tls-version": "TLSv1.1", - "accept-pinset": "google", "enforce-mode": "log-only", // error-notification domains * "error-notification": "https://google.com/post/reports/here" @@ -85,16 +85,16 @@ The basic file format will be JSON with comments (http://blog.getify.com/json-co // https://src.chromium.org/chrome/trunk/src/net/http/transport_security_state_static.json "pinsets": [ { - "name": "google", + "name": "eff", "static_spki_hashes": [ - "GoogleBackup2048", - "GoogleG2" + "EFFBackup2048", + "EFF" ] } ], "spki_hashes": { - "GoogleBackup2048": "sha1/vq7OyjSnqOco9nyMCDGdy77eijM=", - "GoogleG2": "sha1/Q9rWMO5T+KmAym79hfRqo3mQ4Oo=" + "EFFBackup2048": "sha1/5R0zeLx7EWRxqw6HRlgCRxNLHDo=", + "EFF": "sha1/YlrkMlC6C4SJRZSVyRvnvoJ+8eM=" } } From 714cb17dcb8a7f5aa1c78f52e7a1ebec4928fcb1 Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Thu, 5 Jun 2014 14:26:45 -0700 Subject: [PATCH 008/256] Clarify example usage of pinsets by including a CA --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 3ba644d7f..604d2dad0 100644 --- a/README.md +++ b/README.md @@ -88,13 +88,14 @@ The basic file format will be JSON with comments (http://blog.getify.com/json-co "name": "eff", "static_spki_hashes": [ "EFFBackup2048", - "EFF" + "StartCom Class 2 Primary Intermediate Server CA" ] } ], "spki_hashes": { + // Not real SPKI hashes, just examples "EFFBackup2048": "sha1/5R0zeLx7EWRxqw6HRlgCRxNLHDo=", - "EFF": "sha1/YlrkMlC6C4SJRZSVyRvnvoJ+8eM=" + "StartCom Class 2 Primary Intermediate Server CA": "sha1/YlrkMlC6C4SJRZSVyRvnvoJ+8eM=" } } From ed0c024209a243cf4759647b93dff7281d000293 Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Thu, 5 Jun 2014 16:01:07 -0700 Subject: [PATCH 009/256] Improved provisioning and certificate checking. --- Vagrantfile | 7 ++--- check-starttls.py | 74 +++++++++++++++++++++++--------------------- vagrant-bootstrap.sh | 21 +++++++++++-- 3 files changed, 60 insertions(+), 42 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index e485988f1..b990d1311 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -5,18 +5,15 @@ VAGRANTFILE_API_VERSION = "2" Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| - # All Vagrant configuration is done here. The most common configuration - # options are documented and commented below. For a complete reference, - # please see the online documentation at vagrantup.com. - - # Every Vagrant virtual environment requires a box to build off of. config.vm.box = "hashicorp/precise32" config.vm.define "sender" do |sender| sender.vm.network "private_network", ip: "192.168.33.5" + sender.vm.hostname = "sender.example.com" end config.vm.define "valid" do |valid| valid.vm.network "private_network", ip: "192.168.33.7" + valid.vm.hostname = "valid-example-recipient.com" end config.vm.provision :shell, path: "vagrant-bootstrap.sh" diff --git a/check-starttls.py b/check-starttls.py index 15bc7ce64..72f0d3430 100755 --- a/check-starttls.py +++ b/check-starttls.py @@ -35,7 +35,7 @@ def extract_names(pem): # >>> twitter_cert.get_ext('subjectAltName').get_value() # 'DNS:www.twitter.com, DNS:twitter.com' alt_names = leaf.get_ext('subjectAltName').get_value() - alt_names = alt_names.split(',') + alt_names = alt_names.split(', ') alt_names = [name.partition(':') for name in alt_names] alt_names = [name for prot, _, name in alt_names if prot == 'DNS'] except: @@ -43,48 +43,52 @@ def extract_names(pem): return set(common_names + alt_names) def tls_connect(mx_host, mail_domain): - # smtplib doesn't let us access certificate information, - # so shell out to openssl. - output = subprocess.check_output( - """openssl s_client \ - -CApath /usr/share/ca-certificates/mozilla/ \ - -starttls smtp -connect %s:25 -showcerts /dev/null + """ % mx_host, shell=True) + except subprocess.CalledProcessError: + print "Failed s_client" + return - # Save a copy of the certificate for later analysis - with open(os.path.join(mail_domain, mx_host), "w") as f: - f.write(output) + # Save a copy of the certificate for later analysis + with open(os.path.join(mail_domain, mx_host), "w") as f: + f.write(output) - cert = re.findall("-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", output, flags = re.DOTALL) - if len(cert) > 0: - print "iiii ", len(cert) - print extract_names(cert[0]) - #lines = output.split("\n") - #for i in range(0, len(lines)): - #line = lines[i] - #if re.search("Subject:.* CN=(.*)", line): - #m = re.search("Subject:.* CN=(.*)", line) - #print "CN=", m.group(1) - #elif re.search("Subject Alternative Name:", line): - #dns = re.findall("DNS:([^,]*),", lines[i+1]) - #for d in dns: - #print d + cert = re.findall("-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", output, flags = re.DOTALL) + if len(cert) > 0: + names = extract_names(cert[0]) + print "%s certificate -> %s" % (mx_host, ", ".join(names)) + if mx_host in names: + print " MATCH" + else: + print " NOMATCH" -# try: -# smtpserver = smtplib.SMTP(mx_host, 25, timeout = 2) -# smtpserver.ehlo() -# smtpserver.starttls() -# print "Success: %s" % mx_host -# except socket.error as e: -# print "Connection to %s failed: %s" % (mx_host, e.strerror) -# pass +def supports_starttls(mx_host): + try: + smtpserver = smtplib.SMTP(mx_host, 25, timeout = 2) + smtpserver.ehlo() + smtpserver.starttls() + return True + print "Success: %s" % mx_host + except socket.error as e: + print "Connection to %s failed: %s" % (mx_host, e.strerror) + return False + except smtplib.SMTPException: + print "No STARTTLS support on %s" % mx_host + return False def check(mail_domain): mkdirp(mail_domain) answers = dns.resolver.query(mail_domain, 'MX') for rdata in answers: - mx_host = str(rdata.exchange) - print 'Host', rdata.exchange, 'has preference', rdata.preference + mx_host = str(rdata.exchange).rstrip(".") tls_connect(mx_host, mail_domain) if len(sys.argv) == 1: diff --git a/vagrant-bootstrap.sh b/vagrant-bootstrap.sh index ac9837198..215abacfd 100755 --- a/vagrant-bootstrap.sh +++ b/vagrant-bootstrap.sh @@ -3,8 +3,25 @@ export DEBIAN_FRONTEND=noninteractive apt-get update -q -apt-get install -q -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" postfix -cat > /etc/hosts <<> /etc/hosts < /etc/dnsmasq.conf +# Not sure why restart is necessary, but otherwise dnsmasq doesn't use +# /etc/hosts to answer queries. +/etc/init.d/dnsmasq restart + +if [ "`hostname`" = "sender" ]; then + crontab < Date: Thu, 5 Jun 2014 16:51:38 -0700 Subject: [PATCH 010/256] Start work on forcing TLS to valid --- Vagrantfile | 2 + vagrant-bootstrap.sh | 2 +- vm-postfix-config/dynamicmaps.cf | 6 ++ vm-postfix-config/main.cf | 39 ++++++++ vm-postfix-config/master.cf | 113 +++++++++++++++++++++++ vm-postfix-config/starttls-everywhere.cf | 1 + vm-postfix-config/tls_policy | 1 + 7 files changed, 163 insertions(+), 1 deletion(-) create mode 100644 vm-postfix-config/dynamicmaps.cf create mode 100644 vm-postfix-config/main.cf create mode 100644 vm-postfix-config/master.cf create mode 100644 vm-postfix-config/starttls-everywhere.cf create mode 100644 vm-postfix-config/tls_policy diff --git a/Vagrantfile b/Vagrantfile index b990d1311..ab5d43307 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -21,4 +21,6 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| # vb.gui = true vb.customize ["modifyvm", :id, "--memory", "256"] end + + config.vm.synced_folder "vm-postfix-config", "/etc/postfix" end diff --git a/vagrant-bootstrap.sh b/vagrant-bootstrap.sh index 215abacfd..9ec1e3d11 100755 --- a/vagrant-bootstrap.sh +++ b/vagrant-bootstrap.sh @@ -4,7 +4,7 @@ export DEBIAN_FRONTEND=noninteractive apt-get update -q apt-get install -q -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" \ - postfix dnsmasq mutt + postfix dnsmasq mutt vim # Provide hostnames so the boxes can talk to each other. DNSMasq will also serve # results to each box based on these contents. diff --git a/vm-postfix-config/dynamicmaps.cf b/vm-postfix-config/dynamicmaps.cf new file mode 100644 index 000000000..1c48bdcde --- /dev/null +++ b/vm-postfix-config/dynamicmaps.cf @@ -0,0 +1,6 @@ +# Postfix dynamic maps configuration file. +# +#type location of .so file open function (mkmap func) +#==== ================================ ============= ============ +tcp /usr/lib/postfix/dict_tcp.so dict_tcp_open +sqlite /usr/lib/postfix/dict_sqlite.so dict_sqlite_open diff --git a/vm-postfix-config/main.cf b/vm-postfix-config/main.cf new file mode 100644 index 000000000..b9f265058 --- /dev/null +++ b/vm-postfix-config/main.cf @@ -0,0 +1,39 @@ +# See /usr/share/postfix/main.cf.dist for a commented, more complete version + + +# Debian specific: Specifying a file name will cause the first +# line of that file to be used as the name. The Debian default +# is /etc/mailname. +#myorigin = /etc/mailname + +smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu) +biff = no + +# appending .domain is the MUA's job. +append_dot_mydomain = no + +# Uncomment the next line to generate "delayed mail" warnings +#delay_warning_time = 4h + +readme_directory = no + +# TLS parameters +smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem +smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key +smtpd_use_tls=yes +smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache +smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache + +# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for +# information on enabling SSL in the smtp client. + +myhostname = sender.example.com +alias_maps = hash:/etc/aliases +alias_database = hash:/etc/aliases +myorigin = /etc/mailname +mydestination = sender.example.com, localhost.example.com, , localhost +relayhost = +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 +mailbox_size_limit = 0 +recipient_delimiter = + +inet_interfaces = all diff --git a/vm-postfix-config/master.cf b/vm-postfix-config/master.cf new file mode 100644 index 000000000..3df29d8a9 --- /dev/null +++ b/vm-postfix-config/master.cf @@ -0,0 +1,113 @@ +# +# Postfix master process configuration file. For details on the format +# of the file, see the master(5) manual page (command: "man 5 master"). +# +# Do not forget to execute "postfix reload" after editing this file. +# +# ========================================================================== +# service type private unpriv chroot wakeup maxproc command + args +# (yes) (yes) (yes) (never) (100) +# ========================================================================== +smtp inet n - - - - smtpd +#smtp inet n - - - 1 postscreen +#smtpd pass - - - - - smtpd +#dnsblog unix - - - - 0 dnsblog +#tlsproxy unix - - - - 0 tlsproxy +#submission inet n - - - - smtpd +# -o syslog_name=postfix/submission +# -o smtpd_tls_security_level=encrypt +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_client_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#smtps inet n - - - - smtpd +# -o syslog_name=postfix/smtps +# -o smtpd_tls_wrappermode=yes +# -o smtpd_sasl_auth_enable=yes +# -o smtpd_client_restrictions=permit_sasl_authenticated,reject +# -o milter_macro_daemon_name=ORIGINATING +#628 inet n - - - - qmqpd +pickup fifo n - - 60 1 pickup +cleanup unix n - - - 0 cleanup +qmgr fifo n - n 300 1 qmgr +#qmgr fifo n - n 300 1 oqmgr +tlsmgr unix - - - 1000? 1 tlsmgr +rewrite unix - - - - - trivial-rewrite +bounce unix - - - - 0 bounce +defer unix - - - - 0 bounce +trace unix - - - - 0 bounce +verify unix - - - - 1 verify +flush unix n - - 1000? 0 flush +proxymap unix - - n - - proxymap +proxywrite unix - - n - 1 proxymap +smtp unix - - - - - smtp +relay unix - - - - - smtp +# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 +showq unix n - - - - showq +error unix - - - - - error +retry unix - - - - - error +discard unix - - - - - discard +local unix - n n - - local +virtual unix - n n - - virtual +lmtp unix - - - - - lmtp +anvil unix - - - - 1 anvil +scache unix - - - - 1 scache +# +# ==================================================================== +# Interfaces to non-Postfix software. Be sure to examine the manual +# pages of the non-Postfix software to find out what options it wants. +# +# Many of the following services use the Postfix pipe(8) delivery +# agent. See the pipe(8) man page for information about ${recipient} +# and other message envelope options. +# ==================================================================== +# +# maildrop. See the Postfix MAILDROP_README file for details. +# Also specify in main.cf: maildrop_destination_recipient_limit=1 +# +maildrop unix - n n - - pipe + flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} +# +# ==================================================================== +# +# Recent Cyrus versions can use the existing "lmtp" master.cf entry. +# +# Specify in cyrus.conf: +# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 +# +# Specify in main.cf one or more of the following: +# mailbox_transport = lmtp:inet:localhost +# virtual_transport = lmtp:inet:localhost +# +# ==================================================================== +# +# Cyrus 2.1.5 (Amos Gouaux) +# Also specify in main.cf: cyrus_destination_recipient_limit=1 +# +#cyrus unix - n n - - pipe +# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} +# +# ==================================================================== +# Old example of delivery via Cyrus. +# +#old-cyrus unix - n n - - pipe +# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} +# +# ==================================================================== +# +# See the Postfix UUCP_README file for configuration details. +# +uucp unix - n n - - pipe + flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) +# +# Other external delivery methods. +# +ifmail unix - n n - - pipe + flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) +bsmtp unix - n n - - pipe + flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient +scalemail-backend unix - n n - 2 pipe + flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} +mailman unix - n n - - pipe + flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py + ${nexthop} ${user} + diff --git a/vm-postfix-config/starttls-everywhere.cf b/vm-postfix-config/starttls-everywhere.cf new file mode 100644 index 000000000..98b1bfb3a --- /dev/null +++ b/vm-postfix-config/starttls-everywhere.cf @@ -0,0 +1 @@ +smtp_tls_policy_maps = hash:/etc/postfix/tls_policy diff --git a/vm-postfix-config/tls_policy b/vm-postfix-config/tls_policy new file mode 100644 index 000000000..a40e02ffd --- /dev/null +++ b/vm-postfix-config/tls_policy @@ -0,0 +1 @@ +valid-example-recipient.com encrypt From 7bd06a4d353400307c22672fe54127d034219451 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Thu, 5 Jun 2014 17:04:28 -0700 Subject: [PATCH 011/256] Work in progress --- vm-postfix-config/main.cf | 3 +++ vm-postfix-config/starttls-everywhere.cf | 1 - 2 files changed, 3 insertions(+), 1 deletion(-) delete mode 100644 vm-postfix-config/starttls-everywhere.cf diff --git a/vm-postfix-config/main.cf b/vm-postfix-config/main.cf index b9f265058..d21969005 100644 --- a/vm-postfix-config/main.cf +++ b/vm-postfix-config/main.cf @@ -37,3 +37,6 @@ mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all + +#STARTTLS EVERYWHERE MAGIC STARTS HERE +smtp_tls_policy_maps = hash:/etc/postfix/tls_policy diff --git a/vm-postfix-config/starttls-everywhere.cf b/vm-postfix-config/starttls-everywhere.cf deleted file mode 100644 index 98b1bfb3a..000000000 --- a/vm-postfix-config/starttls-everywhere.cf +++ /dev/null @@ -1 +0,0 @@ -smtp_tls_policy_maps = hash:/etc/postfix/tls_policy From 30938260d4a4c586da082bc44193bb270d86443f Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Thu, 5 Jun 2014 19:45:21 -0700 Subject: [PATCH 012/256] Split postfix configs across the VMs, and start making them do things --- Vagrantfile | 3 ++- {vm-postfix-config => vm-postfix-config-sender}/dynamicmaps.cf | 0 {vm-postfix-config => vm-postfix-config-sender}/main.cf | 2 +- {vm-postfix-config => vm-postfix-config-sender}/master.cf | 0 vm-postfix-config-sender/tls_policy | 1 + vm-postfix-config/tls_policy | 1 - 6 files changed, 4 insertions(+), 3 deletions(-) rename {vm-postfix-config => vm-postfix-config-sender}/dynamicmaps.cf (100%) rename {vm-postfix-config => vm-postfix-config-sender}/main.cf (95%) rename {vm-postfix-config => vm-postfix-config-sender}/master.cf (100%) create mode 100644 vm-postfix-config-sender/tls_policy delete mode 100644 vm-postfix-config/tls_policy diff --git a/Vagrantfile b/Vagrantfile index ab5d43307..c919f16a0 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -10,10 +10,12 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| config.vm.define "sender" do |sender| sender.vm.network "private_network", ip: "192.168.33.5" sender.vm.hostname = "sender.example.com" + config.vm.synced_folder "vm-postfix-config-sender", "/etc/postfix" end config.vm.define "valid" do |valid| valid.vm.network "private_network", ip: "192.168.33.7" valid.vm.hostname = "valid-example-recipient.com" + config.vm.synced_folder "vm-postfix-config-valid", "/etc/postfix" end config.vm.provision :shell, path: "vagrant-bootstrap.sh" @@ -22,5 +24,4 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| vb.customize ["modifyvm", :id, "--memory", "256"] end - config.vm.synced_folder "vm-postfix-config", "/etc/postfix" end diff --git a/vm-postfix-config/dynamicmaps.cf b/vm-postfix-config-sender/dynamicmaps.cf similarity index 100% rename from vm-postfix-config/dynamicmaps.cf rename to vm-postfix-config-sender/dynamicmaps.cf diff --git a/vm-postfix-config/main.cf b/vm-postfix-config-sender/main.cf similarity index 95% rename from vm-postfix-config/main.cf rename to vm-postfix-config-sender/main.cf index d21969005..2d926a657 100644 --- a/vm-postfix-config/main.cf +++ b/vm-postfix-config-sender/main.cf @@ -39,4 +39,4 @@ recipient_delimiter = + inet_interfaces = all #STARTTLS EVERYWHERE MAGIC STARTS HERE -smtp_tls_policy_maps = hash:/etc/postfix/tls_policy +smtp_tls_policy_maps = texthash:/etc/postfix/tls_policy diff --git a/vm-postfix-config/master.cf b/vm-postfix-config-sender/master.cf similarity index 100% rename from vm-postfix-config/master.cf rename to vm-postfix-config-sender/master.cf diff --git a/vm-postfix-config-sender/tls_policy b/vm-postfix-config-sender/tls_policy new file mode 100644 index 000000000..7792bad7f --- /dev/null +++ b/vm-postfix-config-sender/tls_policy @@ -0,0 +1 @@ +valid-example-recipient.com encrypt protocols=TLSv1.2 diff --git a/vm-postfix-config/tls_policy b/vm-postfix-config/tls_policy deleted file mode 100644 index a40e02ffd..000000000 --- a/vm-postfix-config/tls_policy +++ /dev/null @@ -1 +0,0 @@ -valid-example-recipient.com encrypt From fa5acdf674f36c211927fe1695e68d8dfd5ec785 Mon Sep 17 00:00:00 2001 From: jsha Date: Fri, 6 Jun 2014 13:44:03 -0700 Subject: [PATCH 013/256] Simplify SPKI hash usage --- README.md | 22 ++++------------------ 1 file changed, 4 insertions(+), 18 deletions(-) diff --git a/README.md b/README.md index 604d2dad0..0cc4f5f05 100644 --- a/README.md +++ b/README.md @@ -68,35 +68,21 @@ The basic file format will be JSON with comments (http://blog.getify.com/json-co "require-tls": true, "min-tls-version": "TLSv1.1", "enforce-mode": "enforce" - "accept-pinset": "eff", + "accept-spki-hashes": [ + "sha1/5R0zeLx7EWRxqw6HRlgCRxNLHDo=", + "sha1/YlrkMlC6C4SJRZSVyRvnvoJ+8eM=" + ] } "google.com": { "require-valid-certificate": true, "min-tls-version": "TLSv1.1", "enforce-mode": "log-only", - // error-notification domains * "error-notification": "https://google.com/post/reports/here" }, "yahoodns.net": { "require-valid-certificate": true, } } - // Similar to - // https://src.chromium.org/chrome/trunk/src/net/http/transport_security_state_static.json - "pinsets": [ - { - "name": "eff", - "static_spki_hashes": [ - "EFFBackup2048", - "StartCom Class 2 Primary Intermediate Server CA" - ] - } - ], - "spki_hashes": { - // Not real SPKI hashes, just examples - "EFFBackup2048": "sha1/5R0zeLx7EWRxqw6HRlgCRxNLHDo=", - "StartCom Class 2 Primary Intermediate Server CA": "sha1/YlrkMlC6C4SJRZSVyRvnvoJ+8eM=" - } } From ce0a6a1814ba1f0d222088a5a569e8a9bd945e16 Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Fri, 6 Jun 2014 14:04:38 -0700 Subject: [PATCH 014/256] Add example config.json --- config.json | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 config.json diff --git a/config.json b/config.json new file mode 100644 index 000000000..d660587f1 --- /dev/null +++ b/config.json @@ -0,0 +1,17 @@ +{ + // Canonical URL https://eff.org/starttls-everywhere/config -- redirects to + // latest version + "timestamp": 1401093333 + "author": "Electronic Frontier Foundation https://eff.org", + "expires": 1404677353, // epoch seconds + "address-domains": { + "valid-example-recipient.com": { + "accept-mx-domains": [ "valid-example-recipient.com" ] + } + } + "mx-domains": { + "valid-example-recipient.com": { + "min-tls-version": "TLSv1.1" + } + } +} From 372c96d9fd4fc529ab82804d79904118a3d582e2 Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Fri, 6 Jun 2014 14:06:08 -0700 Subject: [PATCH 015/256] Update Postfix configuration and mail-send-loop --- vagrant-bootstrap.sh | 6 +- vm-postfix-config-sender/main.cf | 4 + vm-postfix-config-sender/tls_policy | 2 +- vm-postfix-config-valid/dynamicmaps.cf | 6 ++ vm-postfix-config-valid/main.cf | 42 +++++++++ vm-postfix-config-valid/master.cf | 113 +++++++++++++++++++++++++ vm-postfix-config-valid/tls_policy | 1 + 7 files changed, 170 insertions(+), 4 deletions(-) create mode 100644 vm-postfix-config-valid/dynamicmaps.cf create mode 100644 vm-postfix-config-valid/main.cf create mode 100644 vm-postfix-config-valid/master.cf create mode 100644 vm-postfix-config-valid/tls_policy diff --git a/vagrant-bootstrap.sh b/vagrant-bootstrap.sh index 9ec1e3d11..1df09a9a6 100755 --- a/vagrant-bootstrap.sh +++ b/vagrant-bootstrap.sh @@ -20,8 +20,8 @@ echo selfmx > /etc/dnsmasq.conf /etc/init.d/dnsmasq restart if [ "`hostname`" = "sender" ]; then - crontab < Date: Fri, 6 Jun 2014 15:54:22 -0700 Subject: [PATCH 016/256] Some tweaks to the config format --- README.md | 21 +++++++++++---------- config.json | 22 +++++++++++----------- 2 files changed, 22 insertions(+), 21 deletions(-) diff --git a/README.md b/README.md index 0cc4f5f05..31495a8f5 100644 --- a/README.md +++ b/README.md @@ -49,22 +49,23 @@ The basic file format will be JSON with comments (http://blog.getify.com/json-co { // Canonical URL https://eff.org/starttls-everywhere/config -- redirects to latest version - "timestamp": 1401093333 + "timestamp": "2014-06-06T14:30:16+00:00", + // "timestamp": 1401414363, : also acceptable "author": "Electronic Frontier Foundation https://eff.org", - "expires": 1401414363, // epoch seconds - "address-domains": { + "expires": "2014-06-06T14:30:16+00:00", + "acceptable-mxs": { "gmail.com": { - "accept-mx-domains": ["google.com", "gmail.com"] + "accept-mx-domains": ["*.google.com", "*.gmail.com"] } "yahoo.com": { - "accept-mx-domains": ["yahoodns.net"] + "accept-mx-domains": ["*.yahoodns.net"] } "eff.org": { - "accept-mx-domains": ["eff.org"] + "accept-mx-domains": ["*.eff.org"] } } - "mx-domains": { - "eff.org": { + "security-policies": { + "*.eff.org": { "require-tls": true, "min-tls-version": "TLSv1.1", "enforce-mode": "enforce" @@ -73,13 +74,13 @@ The basic file format will be JSON with comments (http://blog.getify.com/json-co "sha1/YlrkMlC6C4SJRZSVyRvnvoJ+8eM=" ] } - "google.com": { + "*.google.com": { "require-valid-certificate": true, "min-tls-version": "TLSv1.1", "enforce-mode": "log-only", "error-notification": "https://google.com/post/reports/here" }, - "yahoodns.net": { + "*.yahoodns.net": { "require-valid-certificate": true, } } diff --git a/config.json b/config.json index d660587f1..8d6a73d63 100644 --- a/config.json +++ b/config.json @@ -1,17 +1,17 @@ { - // Canonical URL https://eff.org/starttls-everywhere/config -- redirects to - // latest version - "timestamp": 1401093333 + "comment": "Canonical URL https://eff.org/starttls-everywhere/config -- redirects to latest version", + "timestamp": 1401093333, "author": "Electronic Frontier Foundation https://eff.org", - "expires": 1404677353, // epoch seconds - "address-domains": { - "valid-example-recipient.com": { - "accept-mx-domains": [ "valid-example-recipient.com" ] - } - } - "mx-domains": { - "valid-example-recipient.com": { + "expires": 1404677353, "comment 2:": "epoch seconds", + "tls-policies": { + "*.valid-example-recipient.com": { "min-tls-version": "TLSv1.1" } } + "acceptable-mxs": { + "valid-example-recipient.com": { + "accept-mx-domains": [ "*.valid-example-recipient.com" ] + } + }, + } From fcd1a982010ff6fdba113ae208aad4b93750f83e Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Fri, 6 Jun 2014 15:54:33 -0700 Subject: [PATCH 017/256] Break ground on a config parser --- config-parser.py | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100755 config-parser.py diff --git a/config-parser.py b/config-parser.py new file mode 100755 index 000000000..69a09a745 --- /dev/null +++ b/config-parser.py @@ -0,0 +1,39 @@ +#!/usr/bin/env python + +import sys +import json +from datetime import datetime + +def parse_timestamp(ts): + try: + int(ts) + dt = datetime.fromtimestamp(ts) + return dt + except: + raise ValueError, "Invalid timestamp integer: " + `ts` + + +class Config: + def __init__(self, cfg_file_name = "config.json"): + f = open(cfg_file_name) + cfg = json.loads(f.read()) + for atr, val in cfg.items(): + #print atr,val + # Parse and verify each attribute of the structure + if atr.startswith("comment"): + continue + if atr == "author": + if type(val) not in [str, unicode]: + raise TypeError, "Author must be a string: " + `val` + elif atr == "timestamp": + self.timestamp = parse_timestamp(val) + elif atr == "expires": + self.expires = parse_timestamp(val) + elif atr == "address-domains": + if type(val) != dict: + raise TypeError, "address-domains " + `val` + else: + sys.stderr.write("Uknown attribute: " + `atr` + "\n") + +if __name__ == "__main__": + c = Config() From e534a43d1ad2d9a75a5d585034383077997d6e2d Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Fri, 6 Jun 2014 16:07:38 -0700 Subject: [PATCH 018/256] Make sender actually attempt TLS on outbound connections. --- vm-postfix-config-sender/main.cf | 3 +-- vm-postfix-config-sender/tls_policy | 2 +- vm-postfix-config-valid/main.cf | 4 ++++ 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/vm-postfix-config-sender/main.cf b/vm-postfix-config-sender/main.cf index c4e994063..cf74d122f 100644 --- a/vm-postfix-config-sender/main.cf +++ b/vm-postfix-config-sender/main.cf @@ -40,7 +40,6 @@ inet_interfaces = all #STARTTLS EVERYWHERE MAGIC STARTS HERE smtp_tls_policy_maps = texthash:/etc/postfix/tls_policy -smtpd_tls_loglevel = 1 -smtpd_tls_received_header = yes smtp_tls_loglevel = 1 +smtp_tls_security_level = may diff --git a/vm-postfix-config-sender/tls_policy b/vm-postfix-config-sender/tls_policy index f8d6a4968..af948c5e7 100644 --- a/vm-postfix-config-sender/tls_policy +++ b/vm-postfix-config-sender/tls_policy @@ -1 +1 @@ -valid-example-recipient.com encrypt protocols=TLSv1.1 +#valid-example-recipient.com encrypt protocols=TLSv1.1 diff --git a/vm-postfix-config-valid/main.cf b/vm-postfix-config-valid/main.cf index 140b6f35d..a5f7ce575 100644 --- a/vm-postfix-config-valid/main.cf +++ b/vm-postfix-config-valid/main.cf @@ -38,5 +38,9 @@ mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all +# STARTLS Everywhere recommended best-practice settings +smtpd_tls_session_cache_timeout = 3600s +smtpd_tls_received_header = yes + #STARTTLS EVERYWHERE MAGIC STARTS HERE smtp_tls_policy_maps = texthash:/etc/postfix/tls_policy From 839c5230483cff26b31ed689ff0408f1b7ad7b01 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Sun, 8 Jun 2014 06:22:22 -0700 Subject: [PATCH 019/256] Fix typos --- config.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config.json b/config.json index 8d6a73d63..1a9034545 100644 --- a/config.json +++ b/config.json @@ -7,11 +7,11 @@ "*.valid-example-recipient.com": { "min-tls-version": "TLSv1.1" } - } + }, "acceptable-mxs": { "valid-example-recipient.com": { "accept-mx-domains": [ "*.valid-example-recipient.com" ] } - }, + } } From c033905b162650e41995bec30c9e79bf66642945 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Sun, 8 Jun 2014 06:22:32 -0700 Subject: [PATCH 020/256] Now validating most of the config json --- config-parser.py | 58 +++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 52 insertions(+), 6 deletions(-) diff --git a/config-parser.py b/config-parser.py index 69a09a745..dbc244b25 100755 --- a/config-parser.py +++ b/config-parser.py @@ -3,6 +3,8 @@ import sys import json from datetime import datetime +import string + def parse_timestamp(ts): try: @@ -12,14 +14,30 @@ def parse_timestamp(ts): except: raise ValueError, "Invalid timestamp integer: " + `ts` +legal = string.letters + string.digits + ".-" +known_tlds =["com","org","net","biz","info",] # xxx make me from an ICANN list +def looks_like_a_domain(s): + "Return true if string looks like a domain, as best we can tell..." + global known_tlds + try: + domain = s.lower() + assert domain[0].islower() + assert all([c in legal for c in domain]) + tld = s.split(".")[-1] + if tld not in known_tlds: + # XXX perform DNS query to determine that this TLD exists + pass + return True + except: + return False class Config: def __init__(self, cfg_file_name = "config.json"): f = open(cfg_file_name) - cfg = json.loads(f.read()) - for atr, val in cfg.items(): + self.cfg = json.loads(f.read()) + for atr, val in self.cfg.items(): #print atr,val - # Parse and verify each attribute of the structure + # Verify each attribute of the structure if atr.startswith("comment"): continue if atr == "author": @@ -29,11 +47,39 @@ class Config: self.timestamp = parse_timestamp(val) elif atr == "expires": self.expires = parse_timestamp(val) - elif atr == "address-domains": - if type(val) != dict: - raise TypeError, "address-domains " + `val` + elif atr == "tls-policies": + self.tls_policies = {} + for domain,policies in self.check_tls_policy_domains(val): + if type(policies) != dict: + raise TypeError, domain + "'s policies should be a dict: " + `policies` + self.tls_policies[domain] = {} # being here enforces TLS at all + for policy, value in policies.items(): + if policy == "min-tls-version": + reasonable = ["TLS", "TLSv1.1", "TLSv1.2", "TLSv1.3"] + if not value in reasonable: + raise ValueError, "Not a valid TLS version string: " + `value` + self.tls_policies[domain]["min-tls-version"] = str(value) + elif atr == "acceptable-mxs": + pass else: sys.stderr.write("Uknown attribute: " + `atr` + "\n") + print self.tls_policies + + def check_tls_policy_domains(self, val): + if type(val) != dict: + raise TypeError, "tls-policies should be a dict" + `val` + for domain, policies in val.items(): + try: + assert type(domain) == unicode + d = str(domain) # convert from unicode + except: + raise TypeError, "tls-policy domain not a string" + `domain` + if not d.startswith("*."): + raise ValueError, "tls-policy domains must start with *.; try *."+d + d = d.partition("*.")[2] + if not looks_like_a_domain(d): + raise ValueError, "tls-policy for something that a domain? " + d + yield (d, policies) if __name__ == "__main__": c = Config() From 79924108c7beae6c513215d102d4fffba511d794 Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Mon, 9 Jun 2014 10:12:09 -0700 Subject: [PATCH 021/256] Reorder JSON file to emphasize MX policies over address-domain -> MX domain mapping. --- README.md | 34 ++++++++++++++++++---------------- 1 file changed, 18 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 0cc4f5f05..e252681fc 100644 --- a/README.md +++ b/README.md @@ -52,19 +52,11 @@ The basic file format will be JSON with comments (http://blog.getify.com/json-co "timestamp": 1401093333 "author": "Electronic Frontier Foundation https://eff.org", "expires": 1401414363, // epoch seconds - "address-domains": { - "gmail.com": { - "accept-mx-domains": ["google.com", "gmail.com"] - } - "yahoo.com": { - "accept-mx-domains": ["yahoodns.net"] - } - "eff.org": { - "accept-mx-domains": ["eff.org"] - } - } "mx-domains": { - "eff.org": { + "*.yahoodns.net": { + "require-valid-certificate": true, + } + "*.eff.org": { "require-tls": true, "min-tls-version": "TLSv1.1", "enforce-mode": "enforce" @@ -73,15 +65,25 @@ The basic file format will be JSON with comments (http://blog.getify.com/json-co "sha1/YlrkMlC6C4SJRZSVyRvnvoJ+8eM=" ] } - "google.com": { + "*.google.com": { "require-valid-certificate": true, "min-tls-version": "TLSv1.1", "enforce-mode": "log-only", "error-notification": "https://google.com/post/reports/here" }, - "yahoodns.net": { - "require-valid-certificate": true, - } + } + // Since the MX lookup is not secure, we list valid responses to protect + // against DNS spoofing. + "address-domains": { + "yahoo.com": { + "accept-mx-domains": ["*.yahoodns.net"] + } + "gmail.com": { + "accept-mx-domains": ["*.google.com"] + } + "eff.org": { + "accept-mx-domains": ["*.eff.org"] + } } } From 0d43d2988a062d819663b282668dc81bff440be6 Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Mon, 9 Jun 2014 13:08:01 -0700 Subject: [PATCH 022/256] Update check-starttls.py to generate starttls everywhere config. --- check-starttls.py | 104 +++++++++++++++++++++++++++++++++++++++------- 1 file changed, 88 insertions(+), 16 deletions(-) diff --git a/check-starttls.py b/check-starttls.py index 72f0d3430..042d2e50d 100755 --- a/check-starttls.py +++ b/check-starttls.py @@ -6,6 +6,7 @@ import smtplib import socket import subprocess import re +import json import dns.resolver from M2Crypto import X509 @@ -19,9 +20,9 @@ def mkdirp(path): else: raise def extract_names(pem): + """Return a list of DNS subject names from PEM-encoded leaf cert.""" leaf = X509.load_cert_string(pem, X509.FORMAT_PEM) - """Extracts a list of DNS names associated with the leaf cert.""" subj = leaf.get_subject() # Certs have a "subject" identified by a Distingushed Name (DN). # Host certs should also have a Common Name (CN) with a DNS name. @@ -43,16 +44,16 @@ def extract_names(pem): return set(common_names + alt_names) def tls_connect(mx_host, mail_domain): + """Attempt a STARTTLS connection with openssl and save the output.""" if supports_starttls(mx_host): # smtplib doesn't let us access certificate information, # so shell out to openssl. try: output = subprocess.check_output( """openssl s_client \ - -CApath /usr/share/ca-certificates/mozilla/ \ -starttls smtp -connect %s:25 -showcerts /dev/null - """ % mx_host, shell=True) + """ % mx_host, shell = True) except subprocess.CalledProcessError: print "Failed s_client" return @@ -61,14 +62,53 @@ def tls_connect(mx_host, mail_domain): with open(os.path.join(mail_domain, mx_host), "w") as f: f.write(output) - cert = re.findall("-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", output, flags = re.DOTALL) - if len(cert) > 0: - names = extract_names(cert[0]) - print "%s certificate -> %s" % (mx_host, ", ".join(names)) - if mx_host in names: - print " MATCH" - else: - print " NOMATCH" +def valid_cert(filename): + """Return true if the certificate is valid. + + Note: CApath must have hashed symlinks to the trust roots. + TODO: Include the -attime flag based on file modification time.""" + + if open(filename).read().find("-----BEGIN CERTIFICATE-----") == -1: + return False + try: + output = subprocess.check_output("""openssl verify -CApath /home/jsha/mozilla/ -purpose sslserver \ + -untrusted "%s" \ + "%s" + """ % (filename, filename), shell = True) + return True + except subprocess.CalledProcessError: + return False + +def check_certs(mail_domain): + names = set() + for mx_hostname in os.listdir(mail_domain): + filename = os.path.join(mail_domain, mx_hostname) + if not valid_cert(filename): + return "" + else: + new_names = extract_names_from_openssl_output(filename) + names.update(new_names) + names.add(filename.rstrip(".")) + if len(names) >= 1: + return common_suffix(names) + else: + return "" + +def common_suffix(hosts): + num_components = min(len(h.split(".")) for h in hosts) + longest_suffix = "" + for i in range(1, num_components + 1): + suffixes = set(".".join(h.split(".")[-i:]) for h in hosts) + if len(suffixes) == 1: + longest_suffix = suffixes.pop() + else: + return longest_suffix + return longest_suffix + +def extract_names_from_openssl_output(certificates_file): + openssl_output = open(certificates_file, "r").read() + cert = re.findall("-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", openssl_output, flags = re.DOTALL) + return extract_names(cert[0]) def supports_starttls(mx_host): try: @@ -84,15 +124,47 @@ def supports_starttls(mx_host): print "No STARTTLS support on %s" % mx_host return False -def check(mail_domain): +def min_tls_version(mail_domain): + protocols = [] + for mx_hostname in os.listdir(mail_domain): + filename = os.path.join(mail_domain, mx_hostname) + contents = open(filename).read() + protocol = re.findall("Protocol : (.*)", contents)[0] + protocols.append(protocol) + return min(protocols) + +def collect(mail_domain): mkdirp(mail_domain) answers = dns.resolver.query(mail_domain, 'MX') for rdata in answers: mx_host = str(rdata.exchange).rstrip(".") tls_connect(mx_host, mail_domain) -if len(sys.argv) == 1: - print("Please pass at least one mail domain as an argument") +if __name__ == '__main__': + """Consume a target list of domains and output a configuration file for those domains.""" + if len(sys.argv) == 1: + print("Please pass at least one mail domain as an argument") -for domain in sys.argv[1:]: - check(domain) + config = { + "address-domains": { + }, + "mx-domains": { + } + } + for domain in sys.argv[1:]: + #collect(domain) + if len(os.listdir(domain)) == 0: + continue + suffix = check_certs(domain) + min_version = min_tls_version(domain) + if suffix != "": + suffix_match = "*." + suffix + config["address-domains"][domain] = { + "accept-mx-domains": [suffix_match] + } + config["mx-domains"][suffix_match] = { + "require-tls": True, + "min-tls-version": min_version + } + + print json.dumps(config, indent=2) From bdbc46fc84599dd141b9bb8585f11b2d168aac1a Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Mon, 9 Jun 2014 13:10:43 -0700 Subject: [PATCH 023/256] Add candidate starttls-everywhere config json --- starttls-everywhere.json | 144 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 144 insertions(+) create mode 100644 starttls-everywhere.json diff --git a/starttls-everywhere.json b/starttls-everywhere.json new file mode 100644 index 000000000..4c91866d5 --- /dev/null +++ b/starttls-everywhere.json @@ -0,0 +1,144 @@ +{ + "mx-domains": { + "*.mx.aol.com": { + "min-tls-version": "TLSv1", + "require-tls": true + }, + "*.psmtp.com": { + "min-tls-version": "TLSv1", + "require-tls": true + }, + "*.ukr.net": { + "min-tls-version": "TLSv1.1", + "require-tls": true + }, + "*.interia.pl": { + "min-tls-version": "TLSv1", + "require-tls": true + }, + "*.gmx.net": { + "min-tls-version": "TLSv1.1", + "require-tls": true + }, + "*.web.de": { + "min-tls-version": "TLSv1.1", + "require-tls": true + }, + "*.marktplaats.nl": { + "min-tls-version": "TLSv1.1", + "require-tls": true + }, + "*.wp.pl": { + "min-tls-version": "TLSv1.1", + "require-tls": true + }, + "*.yahoodns.net": { + "min-tls-version": "TLSv1", + "require-tls": true + }, + "*.t-online.de": { + "min-tls-version": "TLSv1.1", + "require-tls": true + }, + "*.rambler.ru": { + "min-tls-version": "TLSv1.1", + "require-tls": true + }, + "*.t.facebook.com": { + "min-tls-version": "TLSv1", + "require-tls": true + } + }, + "address-domains": { + "wp.pl": { + "accept-mx-domains": [ + "*.wp.pl" + ] + }, + "yahoo.co.uk": { + "accept-mx-domains": [ + "*.yahoodns.net" + ] + }, + "rocketmail.com": { + "accept-mx-domains": [ + "*.yahoodns.net" + ] + }, + "web.de": { + "accept-mx-domains": [ + "*.web.de" + ] + }, + "sbcglobal.net": { + "accept-mx-domains": [ + "*.yahoodns.net" + ] + }, + "aol.com": { + "accept-mx-domains": [ + "*.mx.aol.com" + ] + }, + "facebook.com": { + "accept-mx-domains": [ + "*.t.facebook.com" + ] + }, + "sompo-japan.co.jp": { + "accept-mx-domains": [ + "*.psmtp.com" + ] + }, + "salesforce.com": { + "accept-mx-domains": [ + "*.psmtp.com" + ] + }, + "rambler.ru": { + "accept-mx-domains": [ + "*.rambler.ru" + ] + }, + "t-online.de": { + "accept-mx-domains": [ + "*.t-online.de" + ] + }, + "gmx.net": { + "accept-mx-domains": [ + "*.gmx.net" + ] + }, + "gmx.de": { + "accept-mx-domains": [ + "*.gmx.net" + ] + }, + "ukr.net": { + "accept-mx-domains": [ + "*.ukr.net" + ] + }, + "rogers.com": { + "accept-mx-domains": [ + "*.yahoodns.net" + ] + }, + "ymail.com": { + "accept-mx-domains": [ + "*.yahoodns.net" + ] + }, + "marktplaats.nl": { + "accept-mx-domains": [ + "*.marktplaats.nl" + ] + }, + "interia.pl": { + "accept-mx-domains": [ + "*.interia.pl" + ] + } + } +} From d0bcc1305964ad8e756d85c9c50a007f0ffe0933 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Tue, 10 Jun 2014 08:08:17 -0700 Subject: [PATCH 024/256] Break ground on an postfix config wrangling engine --- mta-config-generator.py | 80 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) create mode 100644 mta-config-generator.py diff --git a/mta-config-generator.py b/mta-config-generator.py new file mode 100644 index 000000000..0444c1e73 --- /dev/null +++ b/mta-config-generator.py @@ -0,0 +1,80 @@ +#!/usr/bin/env python + +import string + +DEFAULT_POLICY_FILE = "texthash:/etc/postfix/starttls_everywhere_policy" + +def parse_line(self, line): + "return the and right hand sides of stripped, non-comment postfix config line" + # lines are like: + # smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache + left, sep, right = line.partition("=") + if not sep: + return None + return (left.strip(), right.strip()) + +#def get_cf_values(lines, var): + +class MTAConfigGenerator: + def __init__(self, stlse_config): + self.c = stlse_config + +class ExistingConfigError(ValueError): pass + +class PostfixConfigGenerator(MTAConfigGenerator): + def __init__(self, stlse_config): + MTAConfigGenerator.__init__(self, stlse_config) + this.postfix_cf_file = this.find_postfix_cf() + this.wrangle_existing_config() + + def ensure_cf_var(self, var, ideal, also_acceptable): + """ + Ensure that existing postfix config @var is in the list of @acceptable + values; if not, set it to the ideal value. """ + + acceptable = [ideal] + also_acceptable + + l = [line for line in cf if line.startswith("stmpd_use_tls")] + if not any(l): + this.additions.append("smtpd_use_tls = yes") + else: + values = [right for left, right in map(parse_line, l)] + if len(set(values)) > 1: + raise ExistingConfigError, "Conflicting existing config values " + `l` + if values[0] != "yes": + + def wrangle_existing_config(self): + "Try to ensure/mutate that the config file is in a sane state." + this.additions = [] + fn = find_postfix_cf() + raw_cf = open(fn).readlines() + cf = map(string.strip, raw_cf) + this.cf = [line for line in cf if line and not line.startswith("#")] + + # Check we're currently accepting inbound STARTTLS sensibly + this.ensure_cf_var("smtpd_use_tls", "yes", []) + # Ideally we use it opportunistically in the outbound direction + this.ensure_cf_var("smtp_tls_security_level", "may", ["encrypt"]) + # Maximum verbosity lets us collect failure information + this.ensure_cf_var("smtp_tls_loglevel", "1", []) + # Inject a reference to our per-domain policy map + this.ensure_cf_var("smtp_tls_policy_maps", DEFAULT_POLICY_FILE, []) + + this.maybe_add_config_lines() + + def maybe_add_config_lines(self): + if not this.additions: + return + this.additions[:0]=["","# New config lines added by STARTTLS Everywhere",""] + new_cf_lines = "\n".join(this.additions) + print "Adding to %s:" % fn + print new_cf_lines + if raw_cf[-1][-1] == "\n": sep = "" + else: sep = "\n" + new_cf = "".join(raw_cf) + sep + new_cf_lines + f = open(fn, "w").write(new_cf) + f.close() + + def find_postfix_cf(self): + "Search far and wide for the correct postfix configuration file" + return "/etc/postfix/main.cf" From a03db04ff44335e1911e4a79787cdff025bb711f Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Tue, 10 Jun 2014 08:08:40 -0700 Subject: [PATCH 025/256] WIP implementing deletion of existing cf lines --- mta-config-generator.py | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/mta-config-generator.py b/mta-config-generator.py index 0444c1e73..5d79423ef 100644 --- a/mta-config-generator.py +++ b/mta-config-generator.py @@ -4,10 +4,11 @@ import string DEFAULT_POLICY_FILE = "texthash:/etc/postfix/starttls_everywhere_policy" -def parse_line(self, line): +def parse_line(self, line_data): "return the and right hand sides of stripped, non-comment postfix config line" # lines are like: # smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache + num,line = line_data left, sep, right = line.partition("=") if not sep: return None @@ -34,22 +35,28 @@ class PostfixConfigGenerator(MTAConfigGenerator): acceptable = [ideal] + also_acceptable - l = [line for line in cf if line.startswith("stmpd_use_tls")] + l = [num,line for num,line in enumerate(cf) if line.startswith(var)] if not any(l): this.additions.append("smtpd_use_tls = yes") else: values = [right for left, right in map(parse_line, l)] if len(set(values)) > 1: + if this.fixup: + this.deletions.append( raise ExistingConfigError, "Conflicting existing config values " + `l` if values[0] != "yes": - def wrangle_existing_config(self): - "Try to ensure/mutate that the config file is in a sane state." + def wrangle_existing_config(self, fixup=false): + """ + Try to ensure/mutate that the config file is in a sane state. + Fixup means we'll delete existing lines if necessary to get there. + """ this.additions = [] fn = find_postfix_cf() raw_cf = open(fn).readlines() - cf = map(string.strip, raw_cf) - this.cf = [line for line in cf if line and not line.startswith("#")] + this.cf = map(string.strip, raw_cf) + #this.cf = [line for line in cf if line and not line.startswith("#")] + this.fixup = fixup # Check we're currently accepting inbound STARTTLS sensibly this.ensure_cf_var("smtpd_use_tls", "yes", []) From 21e841fd13c028e1db9443ae962b53353ae59dde Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Tue, 10 Jun 2014 15:08:52 -0400 Subject: [PATCH 026/256] Move synced folders into a common one. Also, create certificates. --- Vagrantfile | 3 +- check-starttls.py | 2 +- vagrant-bootstrap.sh | 6 +- vagrant-shared/certificates/ca.crt | 22 ++++ vagrant-shared/certificates/ca.key | 27 +++++ vagrant-shared/certificates/certificates | 1 + vagrant-shared/certificates/valid.crt | 21 ++++ vagrant-shared/certificates/valid.csr | 18 +++ vagrant-shared/certificates/valid.key | 27 +++++ .../postfix-config-sender-tls_policy | 0 .../postfix-config-sender.cf | 0 .../postfix-config-valid-example-recipient.cf | 0 vm-postfix-config-sender/dynamicmaps.cf | 6 - vm-postfix-config-sender/master.cf | 113 ------------------ vm-postfix-config-valid/dynamicmaps.cf | 6 - vm-postfix-config-valid/master.cf | 113 ------------------ vm-postfix-config-valid/tls_policy | 1 - 17 files changed, 123 insertions(+), 243 deletions(-) create mode 100644 vagrant-shared/certificates/ca.crt create mode 100644 vagrant-shared/certificates/ca.key create mode 120000 vagrant-shared/certificates/certificates create mode 100644 vagrant-shared/certificates/valid.crt create mode 100644 vagrant-shared/certificates/valid.csr create mode 100644 vagrant-shared/certificates/valid.key rename vm-postfix-config-sender/tls_policy => vagrant-shared/postfix-config-sender-tls_policy (100%) rename vm-postfix-config-sender/main.cf => vagrant-shared/postfix-config-sender.cf (100%) rename vm-postfix-config-valid/main.cf => vagrant-shared/postfix-config-valid-example-recipient.cf (100%) delete mode 100644 vm-postfix-config-sender/dynamicmaps.cf delete mode 100644 vm-postfix-config-sender/master.cf delete mode 100644 vm-postfix-config-valid/dynamicmaps.cf delete mode 100644 vm-postfix-config-valid/master.cf delete mode 100644 vm-postfix-config-valid/tls_policy diff --git a/Vagrantfile b/Vagrantfile index c919f16a0..3ce93c917 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -10,13 +10,12 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| config.vm.define "sender" do |sender| sender.vm.network "private_network", ip: "192.168.33.5" sender.vm.hostname = "sender.example.com" - config.vm.synced_folder "vm-postfix-config-sender", "/etc/postfix" end config.vm.define "valid" do |valid| valid.vm.network "private_network", ip: "192.168.33.7" valid.vm.hostname = "valid-example-recipient.com" - config.vm.synced_folder "vm-postfix-config-valid", "/etc/postfix" end + config.vm.synced_folder "vagrant-shared", "/vagrant" config.vm.provision :shell, path: "vagrant-bootstrap.sh" config.vm.provider "virtualbox" do |vb| diff --git a/check-starttls.py b/check-starttls.py index 042d2e50d..cd8dfea42 100755 --- a/check-starttls.py +++ b/check-starttls.py @@ -152,7 +152,7 @@ if __name__ == '__main__': } } for domain in sys.argv[1:]: - #collect(domain) + collect(domain) if len(os.listdir(domain)) == 0: continue suffix = check_certs(domain) diff --git a/vagrant-bootstrap.sh b/vagrant-bootstrap.sh index 1df09a9a6..13593a0cc 100755 --- a/vagrant-bootstrap.sh +++ b/vagrant-bootstrap.sh @@ -23,5 +23,9 @@ if [ "`hostname`" = "sender" ]; then (while sleep 10; do echo -e 'Subject: hi\n\nhi' | sendmail vagrant@valid-example-recipient.com done) & -EOF + ln -sf "/vagrant/postfix-config-sender-tls_policy.cf" /etc/postfix/tls_policy fi + +ln -sf "/vagrant/postfix-config-`hostname`.cf" /etc/postfix/main.cf +ln -sf "/vagrant/certificates" /etc/certificates +postfix reload diff --git a/vagrant-shared/certificates/ca.crt b/vagrant-shared/certificates/ca.crt new file mode 100644 index 000000000..dce966d32 --- /dev/null +++ b/vagrant-shared/certificates/ca.crt @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDmzCCAoOgAwIBAgIJAIheS+k2UDobMA0GCSqGSIb3DQEBBQUAMGQxCzAJBgNV +BAYTAlVTMQswCQYDVQQIDAJDQTELMAkGA1UEBwwCU0YxDDAKBgNVBAoMA0VGRjEt +MCsGA1UECwwkU1RBUlRUTFMgRXZlcnl3aGVyZSB0ZXN0IGNlcnRpZmljYXRlMB4X +DTE0MDYxMDE4MDg0OVoXDTE5MDYxMDE4MDg1MFowZDELMAkGA1UEBhMCVVMxCzAJ +BgNVBAgMAkNBMQswCQYDVQQHDAJTRjEMMAoGA1UECgwDRUZGMS0wKwYDVQQLDCRT +VEFSVFRMUyBFdmVyeXdoZXJlIHRlc3QgY2VydGlmaWNhdGUwggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQDDYmUQUjaX6L3n9fNks2yQUFhKUBR1NYenx3w2 +DnaZiwpLzI3igJPMQfBdyJGLM1jXZZcpvpgt6yN4OMOLNS2QKBY20gDoQIh0Jmaj +KCoXUbX30H1FfTn+pyU02UpuFsFN3TAk5bQ/BQUYOlMouCowyZ25mnEzzHLeRHKH +Gi2uCH59T53rcgDwjq88pKMVUlndixkOKpeXZkTL++Edg0b5SUpRuzMs6kFmwLoQ +x4xG5lgaAHyu2/9KXhcqielE95s5FNGfi9U2q3nkmpa4dM266DWfkibfvCBP3hiO +Ks+IN+Hyohi2SY7NoDN6hMKcuUNlAK/xD+foA4Ck3R45HII3AgMBAAGjUDBOMB0G +A1UdDgQWBBRPlrBeFMPb27oWESmXykOW1XWLLDAfBgNVHSMEGDAWgBRPlrBeFMPb +27oWESmXykOW1XWLLDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBY +lBQEuRKo927jJFzgvdTKJGIAzxBnC5vg+qKeZkduwxeVEwB13HPP1syvdpAK5dkl +JGuHCF/Yc39HX1OZv7huVRMnyrSKpMt25uqUHirH6Db17HRCS4ZA6rARJfxS6RWu +J31lfXvGRr0hI4yw3XpKGM/c8Gkzji6PsYn4TCPnXjJbRj1GjHFaAuIeyoO0zQjo +OuHnzxs4bIDaV32NHNetuDKSO1GNbenxRiiN1HvQ1vfhzpqerRRaPCHrW4eUcynQ +AAeuC+Ek925t9mH7Ni/kZ0eN7XUwvg3c2lm+LeV+ICP+NWv9r92kfXDZNMhlhNsf +Y8+m1Y9WL3CLj99voNQS +-----END CERTIFICATE----- diff --git a/vagrant-shared/certificates/ca.key b/vagrant-shared/certificates/ca.key new file mode 100644 index 000000000..3ebf4159e --- /dev/null +++ b/vagrant-shared/certificates/ca.key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAw2JlEFI2l+i95/XzZLNskFBYSlAUdTWHp8d8Ng52mYsKS8yN +4oCTzEHwXciRizNY12WXKb6YLesjeDjDizUtkCgWNtIA6ECIdCZmoygqF1G199B9 +RX05/qclNNlKbhbBTd0wJOW0PwUFGDpTKLgqMMmduZpxM8xy3kRyhxotrgh+fU+d +63IA8I6vPKSjFVJZ3YsZDiqXl2ZEy/vhHYNG+UlKUbszLOpBZsC6EMeMRuZYGgB8 +rtv/Sl4XKonpRPebORTRn4vVNqt55JqWuHTNuug1n5Im37wgT94YjirPiDfh8qIY +tkmOzaAzeoTCnLlDZQCv8Q/n6AOApN0eORyCNwIDAQABAoIBAQCwNXASDSNBU1zZ +8v3kZtDVQjCuLJSWtIU4cnd6RQb/KN9LRxr7GJyyzREbc4SXduJ7uBphQov6daMS +jJcGWBpUdWK7ZB//Vhv6LJvKL7HuP/oNmhEwd2SzXkj25bTznkANmhsOW794Sm2y +0P8orRcX0u0Vc8z+Ozepby+e2qQx29FXznberRv2rXmMeeQqF+sc2MBu34SlcLnK +KVSe7SmDc+DhWJ3XiPoEpiOTbv4EynndXC85owdse/eN/EahFtrfzqm6jDWVga8A +xA/7RD/Urc2L2IsZOB92xOk/tGs5Df8ZrHavzbSo+i0pzYAKvIxr+G2Krl1Tl/Lh +IXwjWPLZAoGBAOsbdxeZUHH6pk497ICIcmW/NDhAY/mSA6vBWZWLcYF7OU/wMzZ6 +Wlx9v6oz8tBTzQj/Xkpv0ZLIeQqGTuSQzQ7EcrOiTz4PIpM5y/nf/S0oSXwJ7mJw +Sx8w3XHqHEPCT9G83o7EV7xHuRy8/zQzJ9dkFxznA9sRcO7RhE/tsrMNAoGBANS/ +Ql140oyDqyABIlxswyvfJ8Ll4kmb52yNGaCJPSfrAVmSoN15AkbDkpVKFb6hsL6u +xqVPyeVxard4twddrV3GSvTibkGw4fZ8x0FDgDGvCgJ36e4NHb7jQVwwGfNXKMAP +qvYtnE28eAM+zrDHryEhgp4k59zApphr+IU7JQlTAoGAc1h5ODm+rvzTBMX6tyC6 +R1Lkcsicg//wDx8ALY9JM8ZZ2u80oQCsPn5vPzjXYwAKMuTexNRRVJtITzKPmDG2 +eQ1GXP0/tWnFg8eyXDhZRQNj8hgJPYBsSrQ1oMLD9TZq5LKt2gtYJAZoOkI7Tsfe +Px1a/ZIVYTAQYQqnyHMM3i0CgYAQNirWeJiCwJ3PqIZ3yInu0+hxv5bIySqPaQkk +5JBWdF/79WJwvgHgZpLK8YRKrIONZEAa5MObylK5fGdmFktZs/yOQJrqQpJVeBiu +7nfcUVxP59dZnoI/w419euTfWCrwx8DdVYhtnAkBJk4VxoGf4q/TYTiR59RKFSAw +9trRpQKBgDjFQ9mXJUUKoc61P3PIrSYOlnx89c0sznrwm2eeLLAwr/VQ+vNDGRkC +6kXbVLuTxRaFnLSZTlUd0nSXPbJEM5GII48zbGZ7t/ysPtA9390xk1efTO/ryf/j +pn4FBvpgXaneRs4ExyknLgFfJRUEu17fRbyRPZr0bUlTkKg/ZS5M +-----END RSA PRIVATE KEY----- diff --git a/vagrant-shared/certificates/certificates b/vagrant-shared/certificates/certificates new file mode 120000 index 000000000..d162b42af --- /dev/null +++ b/vagrant-shared/certificates/certificates @@ -0,0 +1 @@ +/vagrant/certificates \ No newline at end of file diff --git a/vagrant-shared/certificates/valid.crt b/vagrant-shared/certificates/valid.crt new file mode 100644 index 000000000..f5fe4c213 --- /dev/null +++ b/vagrant-shared/certificates/valid.crt @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDbTCCAlUCAQEwDQYJKoZIhvcNAQEFBQAwZDELMAkGA1UEBhMCVVMxCzAJBgNV +BAgMAkNBMQswCQYDVQQHDAJTRjEMMAoGA1UECgwDRUZGMS0wKwYDVQQLDCRTVEFS +VFRMUyBFdmVyeXdoZXJlIHRlc3QgY2VydGlmaWNhdGUwHhcNMTQwNjEwMTgxMTQ3 +WhcNMTkwNjEwMTgxMTQ3WjCBlDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQsw +CQYDVQQHDAJTRjEMMAoGA1UECgwDRUZGMTQwMgYDVQQLDCtTVEFSVFRMUyBFdmVy +eXdoZXJlIHRlc3QgY2VydGlmaWNhdGUgKGxlYWYpMScwJQYDVQQDDB5teC52YWxp +ZC1leGFtcGxlLXJlY2lwaWVudC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw +ggEKAoIBAQDZ2NdAwI0LUmXrV7bItKhP8NRzypkYHgApXaoZ6iB6TJnYb1FZyv2Y +wyBdsQQ8zcIgKRyl0rKvNPgHt3riM7nSoB16II6fIQDuR2UnXkhtDOfUd7Ye0wKX +l3A+qoEge42/TfRvzPC6IMa1KH7+dwayprIjLxFUzfMl6GqA/5auLZZtSsV6Pix3 +jXZYFPUHPoBJEyNo/bizcdvSZS/7Kwzfc64l7JLA/OGtRbQpcMAOpRRXCx32nt3N +2L1OXz8Q4It+J20oN8Vfin1a7GbAGdktRbz2bV8bmb0ux1NOnddigPUHRRYMIaKN +W7Nrxp2YQpqmsqBmVEVPA903yRc0ZvuRAgMBAAEwDQYJKoZIhvcNAQEFBQADggEB +AMJ3neFM+to/tFhTiAfUnIrQOKyfk+zYN8gC99HD2SUVbu+Cu1qCNJWxbE3bdxxX +y960yX+Or8E4nG9sWbFbzlGEzz0F8DAPEh4UCtb/5MRkhW158Y9LtbheQAQpZolQ +Sma6lnngCmSDr/OpDW34oM8S7+3VOawYv1e1ruCMqizBwilgcsGq2hY1hWca6LMP +X2FHQ+m4mYBV9wJ9WuKMs9uADz9cfMYuA/wMzNeMZyM82w+nSQGZ+mX7YPu+WBJM +k9OcFrUWxrC/uOQfsyqdjLvFjg4/b49jnusn9mZ/KbtLVmkz5P+5kwSn4kcd5Rlw +LLmEGiXiyEjo8UmEVyumrIQ= +-----END CERTIFICATE----- diff --git a/vagrant-shared/certificates/valid.csr b/vagrant-shared/certificates/valid.csr new file mode 100644 index 000000000..a58aab677 --- /dev/null +++ b/vagrant-shared/certificates/valid.csr @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIC2jCCAcICAQAwgZQxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTELMAkGA1UE +BwwCU0YxDDAKBgNVBAoMA0VGRjE0MDIGA1UECwwrU1RBUlRUTFMgRXZlcnl3aGVy +ZSB0ZXN0IGNlcnRpZmljYXRlIChsZWFmKTEnMCUGA1UEAwwebXgudmFsaWQtZXhh +bXBsZS1yZWNpcGllbnQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC +AQEA2djXQMCNC1Jl61e2yLSoT/DUc8qZGB4AKV2qGeogekyZ2G9RWcr9mMMgXbEE +PM3CICkcpdKyrzT4B7d64jO50qAdeiCOnyEA7kdlJ15IbQzn1He2HtMCl5dwPqqB +IHuNv030b8zwuiDGtSh+/ncGsqayIy8RVM3zJehqgP+Wri2WbUrFej4sd412WBT1 +Bz6ASRMjaP24s3Hb0mUv+ysM33OuJeySwPzhrUW0KXDADqUUVwsd9p7dzdi9Tl8/ +EOCLfidtKDfFX4p9WuxmwBnZLUW89m1fG5m9LsdTTp3XYoD1B0UWDCGijVuza8ad +mEKaprKgZlRFTwPdN8kXNGb7kQIDAQABoAAwDQYJKoZIhvcNAQEFBQADggEBAAhe +pMLNDAaA9fXZ/yqW4ov1pBKYZL1R1RX+YgZqUPoAlrTCiJ0UGIuPcTDGJDMdpZ7x +9gSqwsXrvzXafuHI4GuFjnbY5SIv8zvc+nMXib7IMlyMUcuSBZP8W0sl3ZGWnnpk +legC10c3+I9TfQ7Tl0mpdyf/6yLhM1plxLcIy5bguLJjbBK9JhKNfc84rivqrxUI ++cUqWU13WjMzWdKS6rK5m/Bfleg+jyZ11xYY0QfwNGwuPjfiEBjCs2iqJvdLFRem +FoDq3XBsrH5XohSwWZ6UrZY7wARkmHsYJeYTHulb3MkDPCQKlbU+2SMIpbNk43+/ +fN/ctxWXg3vd/q6eJiE= +-----END CERTIFICATE REQUEST----- diff --git a/vagrant-shared/certificates/valid.key b/vagrant-shared/certificates/valid.key new file mode 100644 index 000000000..b5e8371cd --- /dev/null +++ b/vagrant-shared/certificates/valid.key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA2djXQMCNC1Jl61e2yLSoT/DUc8qZGB4AKV2qGeogekyZ2G9R +Wcr9mMMgXbEEPM3CICkcpdKyrzT4B7d64jO50qAdeiCOnyEA7kdlJ15IbQzn1He2 +HtMCl5dwPqqBIHuNv030b8zwuiDGtSh+/ncGsqayIy8RVM3zJehqgP+Wri2WbUrF +ej4sd412WBT1Bz6ASRMjaP24s3Hb0mUv+ysM33OuJeySwPzhrUW0KXDADqUUVwsd +9p7dzdi9Tl8/EOCLfidtKDfFX4p9WuxmwBnZLUW89m1fG5m9LsdTTp3XYoD1B0UW +DCGijVuza8admEKaprKgZlRFTwPdN8kXNGb7kQIDAQABAoIBAHAZgUq0yt+UmxWr +oUdOj33zc5/SFU2vwm2G4U1MiUHlwRT602Xdavn9Dt6nhIK1bruV7EP4VDKMk0WF +SRq1e13DPuflcP65wPzciFTl02cqSPGwWGssMh1HtF7K5n+MlLhoqOwPDaD51MbL +++192lh8Jxar1cNJ52EOZB/VZfhiUZ88JAITWam6clId8KS4cy7SvQ9haptcPlfl +wIeCti2eI4nvC0IR0SCEqWAax6XqypA5k2fjQJklcnBK1R+H1muc00J5lMIz4U8q +qFb5RgxIDMcEeQZWmzfBjU5hO0q/51QyWFFFuBL00MkT4djCHjO/IPYc6DQoAoZR +TbMCWwECgYEA+i3W44tSY96Fdn1gDyYhDor9GPN0XwmRBHpl44TxBLG48I6cGLYI +l0InEh7pu7/0fw+cWylx2OLrl2HeGlWilEOpP2ucJcswcNibATtgSdnu7PjC4eAW +46a5+2hbFk/NONU5VTGClJHCvKzYPWMrAIkRT//WdkIVs23i7bRcOjkCgYEA3upr +cnMhnwVmZrGAIm+DtiDJCc4uVXeqLD2j9csCVNCw/CQAjJ3/5VlQDSjzerjijw/V +uoA+Su8xMoMCg6mAihqdxBMrbwdlh7vje23RaxbeQkIY5JIVAsdDr+UtwofaX3Zx +j3RW5jNeouVlvtExyKZZhyMwuh8d59m4V65/rBkCgYBH+f40EvZOQ0v0jhef5CFo +lLZCgnB9kzwEpM5BihLpfdQuaWkhduW71s102i321UAbejtKwv69HnQXZpHG09Jl +g53i4CvZd77lCHx3+0Q1mxyxUtSGtbkAIAyr9xcVsTni2v2WtBrUcacsLzI7XxeV +HNo9QObLuTGTIM9EAjryiQKBgQCIZEBX56/jn6c3IFX5O+gH8OlxEXFyI+TAavq+ +Mnd7s7EGpXSclTP0fYAofSz0otkklZi9Iyh6Kv4cHOLV8klOtthfFyeVKJ5rvX+D +jv76miRlwBGBEQzABXIZ1oz4IK1xiYQUNSfSdA3sd5WYemEOlxHiSJrQ1qcyrBlJ +tOAzSQKBgQDjLQIZ0rmSAMUCGi7WlDle/pnf6sUEFUPWUqzHOJbJk/CZIIf1IT6o +Evep9eeP6QjiupusY/uSlgjjjj7yxZU5q3VV/0cQl6QhwxG9wqpa8x32wwaM1WBZ +rJgsuSjcEoluAqfX/bqRtumNtQ213DSADzSCpOetlJb+ARANk7YULg== +-----END RSA PRIVATE KEY----- diff --git a/vm-postfix-config-sender/tls_policy b/vagrant-shared/postfix-config-sender-tls_policy similarity index 100% rename from vm-postfix-config-sender/tls_policy rename to vagrant-shared/postfix-config-sender-tls_policy diff --git a/vm-postfix-config-sender/main.cf b/vagrant-shared/postfix-config-sender.cf similarity index 100% rename from vm-postfix-config-sender/main.cf rename to vagrant-shared/postfix-config-sender.cf diff --git a/vm-postfix-config-valid/main.cf b/vagrant-shared/postfix-config-valid-example-recipient.cf similarity index 100% rename from vm-postfix-config-valid/main.cf rename to vagrant-shared/postfix-config-valid-example-recipient.cf diff --git a/vm-postfix-config-sender/dynamicmaps.cf b/vm-postfix-config-sender/dynamicmaps.cf deleted file mode 100644 index 1c48bdcde..000000000 --- a/vm-postfix-config-sender/dynamicmaps.cf +++ /dev/null @@ -1,6 +0,0 @@ -# Postfix dynamic maps configuration file. -# -#type location of .so file open function (mkmap func) -#==== ================================ ============= ============ -tcp /usr/lib/postfix/dict_tcp.so dict_tcp_open -sqlite /usr/lib/postfix/dict_sqlite.so dict_sqlite_open diff --git a/vm-postfix-config-sender/master.cf b/vm-postfix-config-sender/master.cf deleted file mode 100644 index 3df29d8a9..000000000 --- a/vm-postfix-config-sender/master.cf +++ /dev/null @@ -1,113 +0,0 @@ -# -# Postfix master process configuration file. For details on the format -# of the file, see the master(5) manual page (command: "man 5 master"). -# -# Do not forget to execute "postfix reload" after editing this file. -# -# ========================================================================== -# service type private unpriv chroot wakeup maxproc command + args -# (yes) (yes) (yes) (never) (100) -# ========================================================================== -smtp inet n - - - - smtpd -#smtp inet n - - - 1 postscreen -#smtpd pass - - - - - smtpd -#dnsblog unix - - - - 0 dnsblog -#tlsproxy unix - - - - 0 tlsproxy -#submission inet n - - - - smtpd -# -o syslog_name=postfix/submission -# -o smtpd_tls_security_level=encrypt -# -o smtpd_sasl_auth_enable=yes -# -o smtpd_client_restrictions=permit_sasl_authenticated,reject -# -o milter_macro_daemon_name=ORIGINATING -#smtps inet n - - - - smtpd -# -o syslog_name=postfix/smtps -# -o smtpd_tls_wrappermode=yes -# -o smtpd_sasl_auth_enable=yes -# -o smtpd_client_restrictions=permit_sasl_authenticated,reject -# -o milter_macro_daemon_name=ORIGINATING -#628 inet n - - - - qmqpd -pickup fifo n - - 60 1 pickup -cleanup unix n - - - 0 cleanup -qmgr fifo n - n 300 1 qmgr -#qmgr fifo n - n 300 1 oqmgr -tlsmgr unix - - - 1000? 1 tlsmgr -rewrite unix - - - - - trivial-rewrite -bounce unix - - - - 0 bounce -defer unix - - - - 0 bounce -trace unix - - - - 0 bounce -verify unix - - - - 1 verify -flush unix n - - 1000? 0 flush -proxymap unix - - n - - proxymap -proxywrite unix - - n - 1 proxymap -smtp unix - - - - - smtp -relay unix - - - - - smtp -# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 -showq unix n - - - - showq -error unix - - - - - error -retry unix - - - - - error -discard unix - - - - - discard -local unix - n n - - local -virtual unix - n n - - virtual -lmtp unix - - - - - lmtp -anvil unix - - - - 1 anvil -scache unix - - - - 1 scache -# -# ==================================================================== -# Interfaces to non-Postfix software. Be sure to examine the manual -# pages of the non-Postfix software to find out what options it wants. -# -# Many of the following services use the Postfix pipe(8) delivery -# agent. See the pipe(8) man page for information about ${recipient} -# and other message envelope options. -# ==================================================================== -# -# maildrop. See the Postfix MAILDROP_README file for details. -# Also specify in main.cf: maildrop_destination_recipient_limit=1 -# -maildrop unix - n n - - pipe - flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} -# -# ==================================================================== -# -# Recent Cyrus versions can use the existing "lmtp" master.cf entry. -# -# Specify in cyrus.conf: -# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 -# -# Specify in main.cf one or more of the following: -# mailbox_transport = lmtp:inet:localhost -# virtual_transport = lmtp:inet:localhost -# -# ==================================================================== -# -# Cyrus 2.1.5 (Amos Gouaux) -# Also specify in main.cf: cyrus_destination_recipient_limit=1 -# -#cyrus unix - n n - - pipe -# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} -# -# ==================================================================== -# Old example of delivery via Cyrus. -# -#old-cyrus unix - n n - - pipe -# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} -# -# ==================================================================== -# -# See the Postfix UUCP_README file for configuration details. -# -uucp unix - n n - - pipe - flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) -# -# Other external delivery methods. -# -ifmail unix - n n - - pipe - flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) -bsmtp unix - n n - - pipe - flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient -scalemail-backend unix - n n - 2 pipe - flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} -mailman unix - n n - - pipe - flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py - ${nexthop} ${user} - diff --git a/vm-postfix-config-valid/dynamicmaps.cf b/vm-postfix-config-valid/dynamicmaps.cf deleted file mode 100644 index 1c48bdcde..000000000 --- a/vm-postfix-config-valid/dynamicmaps.cf +++ /dev/null @@ -1,6 +0,0 @@ -# Postfix dynamic maps configuration file. -# -#type location of .so file open function (mkmap func) -#==== ================================ ============= ============ -tcp /usr/lib/postfix/dict_tcp.so dict_tcp_open -sqlite /usr/lib/postfix/dict_sqlite.so dict_sqlite_open diff --git a/vm-postfix-config-valid/master.cf b/vm-postfix-config-valid/master.cf deleted file mode 100644 index 3df29d8a9..000000000 --- a/vm-postfix-config-valid/master.cf +++ /dev/null @@ -1,113 +0,0 @@ -# -# Postfix master process configuration file. For details on the format -# of the file, see the master(5) manual page (command: "man 5 master"). -# -# Do not forget to execute "postfix reload" after editing this file. -# -# ========================================================================== -# service type private unpriv chroot wakeup maxproc command + args -# (yes) (yes) (yes) (never) (100) -# ========================================================================== -smtp inet n - - - - smtpd -#smtp inet n - - - 1 postscreen -#smtpd pass - - - - - smtpd -#dnsblog unix - - - - 0 dnsblog -#tlsproxy unix - - - - 0 tlsproxy -#submission inet n - - - - smtpd -# -o syslog_name=postfix/submission -# -o smtpd_tls_security_level=encrypt -# -o smtpd_sasl_auth_enable=yes -# -o smtpd_client_restrictions=permit_sasl_authenticated,reject -# -o milter_macro_daemon_name=ORIGINATING -#smtps inet n - - - - smtpd -# -o syslog_name=postfix/smtps -# -o smtpd_tls_wrappermode=yes -# -o smtpd_sasl_auth_enable=yes -# -o smtpd_client_restrictions=permit_sasl_authenticated,reject -# -o milter_macro_daemon_name=ORIGINATING -#628 inet n - - - - qmqpd -pickup fifo n - - 60 1 pickup -cleanup unix n - - - 0 cleanup -qmgr fifo n - n 300 1 qmgr -#qmgr fifo n - n 300 1 oqmgr -tlsmgr unix - - - 1000? 1 tlsmgr -rewrite unix - - - - - trivial-rewrite -bounce unix - - - - 0 bounce -defer unix - - - - 0 bounce -trace unix - - - - 0 bounce -verify unix - - - - 1 verify -flush unix n - - 1000? 0 flush -proxymap unix - - n - - proxymap -proxywrite unix - - n - 1 proxymap -smtp unix - - - - - smtp -relay unix - - - - - smtp -# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5 -showq unix n - - - - showq -error unix - - - - - error -retry unix - - - - - error -discard unix - - - - - discard -local unix - n n - - local -virtual unix - n n - - virtual -lmtp unix - - - - - lmtp -anvil unix - - - - 1 anvil -scache unix - - - - 1 scache -# -# ==================================================================== -# Interfaces to non-Postfix software. Be sure to examine the manual -# pages of the non-Postfix software to find out what options it wants. -# -# Many of the following services use the Postfix pipe(8) delivery -# agent. See the pipe(8) man page for information about ${recipient} -# and other message envelope options. -# ==================================================================== -# -# maildrop. See the Postfix MAILDROP_README file for details. -# Also specify in main.cf: maildrop_destination_recipient_limit=1 -# -maildrop unix - n n - - pipe - flags=DRhu user=vmail argv=/usr/bin/maildrop -d ${recipient} -# -# ==================================================================== -# -# Recent Cyrus versions can use the existing "lmtp" master.cf entry. -# -# Specify in cyrus.conf: -# lmtp cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4 -# -# Specify in main.cf one or more of the following: -# mailbox_transport = lmtp:inet:localhost -# virtual_transport = lmtp:inet:localhost -# -# ==================================================================== -# -# Cyrus 2.1.5 (Amos Gouaux) -# Also specify in main.cf: cyrus_destination_recipient_limit=1 -# -#cyrus unix - n n - - pipe -# user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user} -# -# ==================================================================== -# Old example of delivery via Cyrus. -# -#old-cyrus unix - n n - - pipe -# flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user} -# -# ==================================================================== -# -# See the Postfix UUCP_README file for configuration details. -# -uucp unix - n n - - pipe - flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient) -# -# Other external delivery methods. -# -ifmail unix - n n - - pipe - flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient) -bsmtp unix - n n - - pipe - flags=Fq. user=bsmtp argv=/usr/lib/bsmtp/bsmtp -t$nexthop -f$sender $recipient -scalemail-backend unix - n n - 2 pipe - flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store ${nexthop} ${user} ${extension} -mailman unix - n n - - pipe - flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py - ${nexthop} ${user} - diff --git a/vm-postfix-config-valid/tls_policy b/vm-postfix-config-valid/tls_policy deleted file mode 100644 index f8d6a4968..000000000 --- a/vm-postfix-config-valid/tls_policy +++ /dev/null @@ -1 +0,0 @@ -valid-example-recipient.com encrypt protocols=TLSv1.1 From 46ce09d36d0b15113fd0ea1f61b4db842fb8e948 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 11 Jun 2014 05:01:46 -0700 Subject: [PATCH 027/256] MTA config wrangling seems to work --- mta-config-generator.py | 91 ++++++++++++++++++++++++++--------------- 1 file changed, 58 insertions(+), 33 deletions(-) mode change 100644 => 100755 mta-config-generator.py diff --git a/mta-config-generator.py b/mta-config-generator.py old mode 100644 new mode 100755 index 5d79423ef..1346d37dd --- a/mta-config-generator.py +++ b/mta-config-generator.py @@ -4,7 +4,7 @@ import string DEFAULT_POLICY_FILE = "texthash:/etc/postfix/starttls_everywhere_policy" -def parse_line(self, line_data): +def parse_line(line_data): "return the and right hand sides of stripped, non-comment postfix config line" # lines are like: # smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache @@ -12,7 +12,7 @@ def parse_line(self, line_data): left, sep, right = line.partition("=") if not sep: return None - return (left.strip(), right.strip()) + return (num, left.strip(), right.strip()) #def get_cf_values(lines, var): @@ -23,10 +23,11 @@ class MTAConfigGenerator: class ExistingConfigError(ValueError): pass class PostfixConfigGenerator(MTAConfigGenerator): - def __init__(self, stlse_config): + def __init__(self, stlse_config, fixup=False): + self.fixup = fixup MTAConfigGenerator.__init__(self, stlse_config) - this.postfix_cf_file = this.find_postfix_cf() - this.wrangle_existing_config() + self.postfix_cf_file = self.find_postfix_cf() + self.wrangle_existing_config() def ensure_cf_var(self, var, ideal, also_acceptable): """ @@ -35,53 +36,77 @@ class PostfixConfigGenerator(MTAConfigGenerator): acceptable = [ideal] + also_acceptable - l = [num,line for num,line in enumerate(cf) if line.startswith(var)] + l = [(num,line) for num,line in enumerate(self.cf) if line.startswith(var)] if not any(l): - this.additions.append("smtpd_use_tls = yes") + self.additions.append(var + " = " + ideal) else: - values = [right for left, right in map(parse_line, l)] + values = map(parse_line, l) if len(set(values)) > 1: - if this.fixup: - this.deletions.append( - raise ExistingConfigError, "Conflicting existing config values " + `l` - if values[0] != "yes": + if self.fixup: + #print "Scheduling deletions:" + `values` + conflicting_lines = [num for num,_var,val in values] + self.deletions.extend(conflicting_lines) + self.additions.append(var + " = " + ideal) + else: + raise ExistingConfigError, "Conflicting existing config values " + `l` + val = values[0][2] + if val not in acceptable: + #print "Scheduling deletions:" + `values` + if self.fixup: + self.deletions.append(values[0][0]) + self.additions.append(var + " = " + ideal) + else: + raise ExistingConfigError, "Existing config has %s=%s"%(var,val) - def wrangle_existing_config(self, fixup=false): + def wrangle_existing_config(self): """ Try to ensure/mutate that the config file is in a sane state. Fixup means we'll delete existing lines if necessary to get there. """ - this.additions = [] - fn = find_postfix_cf() - raw_cf = open(fn).readlines() - this.cf = map(string.strip, raw_cf) - #this.cf = [line for line in cf if line and not line.startswith("#")] - this.fixup = fixup + self.additions = [] + self.deletions = [] + self.fn = self.find_postfix_cf() + self.raw_cf = open(self.fn).readlines() + self.cf = map(string.strip, self.raw_cf) + #self.cf = [line for line in cf if line and not line.startswith("#")] # Check we're currently accepting inbound STARTTLS sensibly - this.ensure_cf_var("smtpd_use_tls", "yes", []) + self.ensure_cf_var("smtpd_use_tls", "yes", []) # Ideally we use it opportunistically in the outbound direction - this.ensure_cf_var("smtp_tls_security_level", "may", ["encrypt"]) + self.ensure_cf_var("smtp_tls_security_level", "may", ["encrypt"]) # Maximum verbosity lets us collect failure information - this.ensure_cf_var("smtp_tls_loglevel", "1", []) + self.ensure_cf_var("smtp_tls_loglevel", "1", []) # Inject a reference to our per-domain policy map - this.ensure_cf_var("smtp_tls_policy_maps", DEFAULT_POLICY_FILE, []) + self.ensure_cf_var("smtp_tls_policy_maps", DEFAULT_POLICY_FILE, []) - this.maybe_add_config_lines() + self.maybe_add_config_lines() def maybe_add_config_lines(self): - if not this.additions: + if not self.additions: return - this.additions[:0]=["","# New config lines added by STARTTLS Everywhere",""] - new_cf_lines = "\n".join(this.additions) - print "Adding to %s:" % fn + if self.fixup: + print "Deleting lines:", self.deletions + self.additions[:0]=["#","# New config lines added by STARTTLS Everywhere","#"] + new_cf_lines = "\n".join(self.additions) + print "Adding to %s:" % self.fn print new_cf_lines - if raw_cf[-1][-1] == "\n": sep = "" - else: sep = "\n" - new_cf = "".join(raw_cf) + sep + new_cf_lines - f = open(fn, "w").write(new_cf) - f.close() + if self.raw_cf[-1][-1] == "\n": sep = "" + else: sep = "\n" + + self.new_cf = "" + for num, line in enumerate(self.raw_cf): + if self.fixup and num in self.deletions: + self.new_cf += "# Line removed by STARTTLS Everywhere\n# " + line + else: + self.new_cf += line + self.new_cf += sep + new_cf_lines + + print self.new_cf + f = open(self.fn, "w").write(self.new_cf) def find_postfix_cf(self): "Search far and wide for the correct postfix configuration file" return "/etc/postfix/main.cf" + +if __name__ == "__main__": + pcgen = PostfixConfigGenerator(None, fixup=True) From 0c4e33281184c489378758d70ccd0cec129c6293 Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Wed, 11 Jun 2014 11:45:28 -0400 Subject: [PATCH 028/256] Set up test CA and valid signed cert by that CA. Also require valid cert for host 'valid'. --- vagrant-shared/postfix-config-sender-tls_policy | 2 +- vagrant-shared/postfix-config-sender.cf | 1 + vagrant-shared/postfix-config-valid-example-recipient.cf | 4 ++-- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/vagrant-shared/postfix-config-sender-tls_policy b/vagrant-shared/postfix-config-sender-tls_policy index af948c5e7..f4f1e80c5 100644 --- a/vagrant-shared/postfix-config-sender-tls_policy +++ b/vagrant-shared/postfix-config-sender-tls_policy @@ -1 +1 @@ -#valid-example-recipient.com encrypt protocols=TLSv1.1 +valid-example-recipient.com secure match=valid-example-recipient.com:.valid-example-recipient.com diff --git a/vagrant-shared/postfix-config-sender.cf b/vagrant-shared/postfix-config-sender.cf index cf74d122f..6fc9435c6 100644 --- a/vagrant-shared/postfix-config-sender.cf +++ b/vagrant-shared/postfix-config-sender.cf @@ -43,3 +43,4 @@ smtp_tls_policy_maps = texthash:/etc/postfix/tls_policy smtp_tls_loglevel = 1 smtp_tls_security_level = may +smtp_tls_CAfile = /etc/certificates/ca.crt diff --git a/vagrant-shared/postfix-config-valid-example-recipient.cf b/vagrant-shared/postfix-config-valid-example-recipient.cf index a5f7ce575..1d08a20cd 100644 --- a/vagrant-shared/postfix-config-valid-example-recipient.cf +++ b/vagrant-shared/postfix-config-valid-example-recipient.cf @@ -18,8 +18,6 @@ append_dot_mydomain = no readme_directory = no # TLS parameters -smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem -smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key smtpd_use_tls=yes smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache @@ -44,3 +42,5 @@ smtpd_tls_received_header = yes #STARTTLS EVERYWHERE MAGIC STARTS HERE smtp_tls_policy_maps = texthash:/etc/postfix/tls_policy +smtpd_tls_cert_file=/etc/certificates/valid.crt +smtpd_tls_key_file=/etc/certificates/valid.key From 6e1bcfdb2a7ebe34511c5bc92265ceebe373b47f Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 11 Jun 2014 09:17:50 -0700 Subject: [PATCH 029/256] WIP implementing domain-wise TLS policies --- mta-config-generator.py | 32 ++++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-) diff --git a/mta-config-generator.py b/mta-config-generator.py index 1346d37dd..1b98e7e96 100755 --- a/mta-config-generator.py +++ b/mta-config-generator.py @@ -2,7 +2,9 @@ import string -DEFAULT_POLICY_FILE = "texthash:/etc/postfix/starttls_everywhere_policy" + +DEFAULT_POLICY_FILE = "/etc/postfix/starttls_everywhere_policy" +POLICY_CF_ENTRY="texthash:" + DEFAULT_POLICY_FILE def parse_line(line_data): "return the and right hand sides of stripped, non-comment postfix config line" @@ -17,17 +19,18 @@ def parse_line(line_data): #def get_cf_values(lines, var): class MTAConfigGenerator: - def __init__(self, stlse_config): - self.c = stlse_config + def __init__(self, policy_config): + self.policy_config = policy_config class ExistingConfigError(ValueError): pass class PostfixConfigGenerator(MTAConfigGenerator): - def __init__(self, stlse_config, fixup=False): + def __init__(self, policy_config, fixup=False): self.fixup = fixup - MTAConfigGenerator.__init__(self, stlse_config) + MTAConfigGenerator.__init__(self, policy_config) self.postfix_cf_file = self.find_postfix_cf() self.wrangle_existing_config() + self.set_domainwise_tls_policies() def ensure_cf_var(self, var, ideal, also_acceptable): """ @@ -77,7 +80,7 @@ class PostfixConfigGenerator(MTAConfigGenerator): # Maximum verbosity lets us collect failure information self.ensure_cf_var("smtp_tls_loglevel", "1", []) # Inject a reference to our per-domain policy map - self.ensure_cf_var("smtp_tls_policy_maps", DEFAULT_POLICY_FILE, []) + self.ensure_cf_var("smtp_tls_policy_maps", POLICY_CF_ENTRY, []) self.maybe_add_config_lines() @@ -87,7 +90,7 @@ class PostfixConfigGenerator(MTAConfigGenerator): if self.fixup: print "Deleting lines:", self.deletions self.additions[:0]=["#","# New config lines added by STARTTLS Everywhere","#"] - new_cf_lines = "\n".join(self.additions) + new_cf_lines = "\n".join(self.additions) + "\n" print "Adding to %s:" % self.fn print new_cf_lines if self.raw_cf[-1][-1] == "\n": sep = "" @@ -108,5 +111,18 @@ class PostfixConfigGenerator(MTAConfigGenerator): "Search far and wide for the correct postfix configuration file" return "/etc/postfix/main.cf" + def set_domainwise_tls_policies(self): + self.policy_lines = [] + for domain, policy in self.policy_config.tls_policies: + entry = domain + " encrypt " + if "min-tls-version" in policy: + entry += " " + policy["min-tls-version"] + self.policy_lines.append(entry) + + f = open(DEFAULT_POLICY_FILE, "w") + f.write("\n".join(self.policy_lines)) + if __name__ == "__main__": - pcgen = PostfixConfigGenerator(None, fixup=True) + import config-parser + c = config-parser.Config() + pcgen = PostfixConfigGenerator(c, fixup=True) From eea1b0d8c5cf5367dcb91099ac7331443ad8a631 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 11 Jun 2014 09:18:56 -0700 Subject: [PATCH 030/256] Switch naming conventions so that modules are importable :) It turns out that python won't import modules with hyphens in their names. It seems that CamelCase is most consistent with our Class naming. However feel free to do something different instead :) --- check-starttls.py => CheckSTARTTLS.py | 0 config-parser.py => ConfigParser.py | 0 mta-config-generator.py => MTAConfigGenerator.py | 0 ...-google-starttls-domains.py => ProcessGoogleSTARTTLSDomains.py | 0 4 files changed, 0 insertions(+), 0 deletions(-) rename check-starttls.py => CheckSTARTTLS.py (100%) rename config-parser.py => ConfigParser.py (100%) rename mta-config-generator.py => MTAConfigGenerator.py (100%) rename process-google-starttls-domains.py => ProcessGoogleSTARTTLSDomains.py (100%) diff --git a/check-starttls.py b/CheckSTARTTLS.py similarity index 100% rename from check-starttls.py rename to CheckSTARTTLS.py diff --git a/config-parser.py b/ConfigParser.py similarity index 100% rename from config-parser.py rename to ConfigParser.py diff --git a/mta-config-generator.py b/MTAConfigGenerator.py similarity index 100% rename from mta-config-generator.py rename to MTAConfigGenerator.py diff --git a/process-google-starttls-domains.py b/ProcessGoogleSTARTTLSDomains.py similarity index 100% rename from process-google-starttls-domains.py rename to ProcessGoogleSTARTTLSDomains.py From 2540f1f1e8f924d50b629a682986d5973715a968 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 11 Jun 2014 09:31:41 -0700 Subject: [PATCH 031/256] Writing to the domain-wise policy file actually works now. --- MTAConfigGenerator.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/MTAConfigGenerator.py b/MTAConfigGenerator.py index 1b98e7e96..27a714361 100755 --- a/MTAConfigGenerator.py +++ b/MTAConfigGenerator.py @@ -113,16 +113,16 @@ class PostfixConfigGenerator(MTAConfigGenerator): def set_domainwise_tls_policies(self): self.policy_lines = [] - for domain, policy in self.policy_config.tls_policies: - entry = domain + " encrypt " + for domain, policy in self.policy_config.tls_policies.items(): + entry = domain + " encrypt" if "min-tls-version" in policy: entry += " " + policy["min-tls-version"] self.policy_lines.append(entry) f = open(DEFAULT_POLICY_FILE, "w") - f.write("\n".join(self.policy_lines)) + f.write("\n".join(self.policy_lines) + "\n") if __name__ == "__main__": - import config-parser - c = config-parser.Config() + import ConfigParser + c = ConfigParser.Config() pcgen = PostfixConfigGenerator(c, fixup=True) From 182e9b29e4353a64a910a86edd6adb1d25976882 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 11 Jun 2014 09:42:17 -0700 Subject: [PATCH 032/256] Trying to standardize JSON terms --- ConfigParser.py | 10 +++++----- MTAConfigGenerator.py | 7 +++++-- config.json | 2 +- 3 files changed, 11 insertions(+), 8 deletions(-) diff --git a/ConfigParser.py b/ConfigParser.py index dbc244b25..aba4eb23f 100755 --- a/ConfigParser.py +++ b/ConfigParser.py @@ -47,7 +47,7 @@ class Config: self.timestamp = parse_timestamp(val) elif atr == "expires": self.expires = parse_timestamp(val) - elif atr == "tls-policies": + elif atr == "security-policies": self.tls_policies = {} for domain,policies in self.check_tls_policy_domains(val): if type(policies) != dict: @@ -67,18 +67,18 @@ class Config: def check_tls_policy_domains(self, val): if type(val) != dict: - raise TypeError, "tls-policies should be a dict" + `val` + raise TypeError, "security-policies should be a dict" + `val` for domain, policies in val.items(): try: assert type(domain) == unicode d = str(domain) # convert from unicode except: - raise TypeError, "tls-policy domain not a string" + `domain` + raise TypeError, "security-policy domain not a string" + `domain` if not d.startswith("*."): - raise ValueError, "tls-policy domains must start with *.; try *."+d + raise ValueError, "security-policy domains must start with *.; try *."+d d = d.partition("*.")[2] if not looks_like_a_domain(d): - raise ValueError, "tls-policy for something that a domain? " + d + raise ValueError, "security-policy for something that a domain? " + d yield (d, policies) if __name__ == "__main__": diff --git a/MTAConfigGenerator.py b/MTAConfigGenerator.py index 27a714361..bee518e05 100755 --- a/MTAConfigGenerator.py +++ b/MTAConfigGenerator.py @@ -105,7 +105,9 @@ class PostfixConfigGenerator(MTAConfigGenerator): self.new_cf += sep + new_cf_lines print self.new_cf - f = open(self.fn, "w").write(self.new_cf) + f = open(self.fn, "w") + f.write(self.new_cf) + f.close() def find_postfix_cf(self): "Search far and wide for the correct postfix configuration file" @@ -121,8 +123,9 @@ class PostfixConfigGenerator(MTAConfigGenerator): f = open(DEFAULT_POLICY_FILE, "w") f.write("\n".join(self.policy_lines) + "\n") + f.close() if __name__ == "__main__": import ConfigParser - c = ConfigParser.Config() + c = ConfigParser.Config("starttls-everywhere.json") pcgen = PostfixConfigGenerator(c, fixup=True) diff --git a/config.json b/config.json index 1a9034545..8d38696ff 100644 --- a/config.json +++ b/config.json @@ -3,7 +3,7 @@ "timestamp": 1401093333, "author": "Electronic Frontier Foundation https://eff.org", "expires": 1404677353, "comment 2:": "epoch seconds", - "tls-policies": { + "security-policies": { "*.valid-example-recipient.com": { "min-tls-version": "TLSv1.1" } From 3712a4539907a05a98e289cfc48a6c62adccd686 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 11 Jun 2014 09:48:43 -0700 Subject: [PATCH 033/256] Further (and different, and better) standardisation --- ConfigParser.py | 10 +++++----- README.md | 2 +- starttls-everywhere.json | 4 ++-- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/ConfigParser.py b/ConfigParser.py index aba4eb23f..dbc244b25 100755 --- a/ConfigParser.py +++ b/ConfigParser.py @@ -47,7 +47,7 @@ class Config: self.timestamp = parse_timestamp(val) elif atr == "expires": self.expires = parse_timestamp(val) - elif atr == "security-policies": + elif atr == "tls-policies": self.tls_policies = {} for domain,policies in self.check_tls_policy_domains(val): if type(policies) != dict: @@ -67,18 +67,18 @@ class Config: def check_tls_policy_domains(self, val): if type(val) != dict: - raise TypeError, "security-policies should be a dict" + `val` + raise TypeError, "tls-policies should be a dict" + `val` for domain, policies in val.items(): try: assert type(domain) == unicode d = str(domain) # convert from unicode except: - raise TypeError, "security-policy domain not a string" + `domain` + raise TypeError, "tls-policy domain not a string" + `domain` if not d.startswith("*."): - raise ValueError, "security-policy domains must start with *.; try *."+d + raise ValueError, "tls-policy domains must start with *.; try *."+d d = d.partition("*.")[2] if not looks_like_a_domain(d): - raise ValueError, "security-policy for something that a domain? " + d + raise ValueError, "tls-policy for something that a domain? " + d yield (d, policies) if __name__ == "__main__": diff --git a/README.md b/README.md index 79e0ed30d..2f0a410a1 100644 --- a/README.md +++ b/README.md @@ -53,7 +53,7 @@ The basic file format will be JSON with comments (http://blog.getify.com/json-co // "timestamp": 1401414363, : also acceptable "author": "Electronic Frontier Foundation https://eff.org", "expires": "2014-06-06T14:30:16+00:00", - "security-policies": { + "tls-policies": { // These match on the MX domain. "*.yahoodns.net": { "require-valid-certificate": true, diff --git a/starttls-everywhere.json b/starttls-everywhere.json index 4c91866d5..d0e656186 100644 --- a/starttls-everywhere.json +++ b/starttls-everywhere.json @@ -1,5 +1,5 @@ { - "mx-domains": { + "tls-policies": { "*.mx.aol.com": { "min-tls-version": "TLSv1", "require-tls": true @@ -49,7 +49,7 @@ "require-tls": true } }, - "address-domains": { + "acceptable-mxs": { "wp.pl": { "accept-mx-domains": [ "*.wp.pl" From 34cba3accfe2da92846cdf6a427724f60999a96a Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 11 Jun 2014 09:51:56 -0700 Subject: [PATCH 034/256] Now successfully parsing the larger policy set --- ConfigParser.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ConfigParser.py b/ConfigParser.py index dbc244b25..8bc7e708f 100755 --- a/ConfigParser.py +++ b/ConfigParser.py @@ -55,7 +55,7 @@ class Config: self.tls_policies[domain] = {} # being here enforces TLS at all for policy, value in policies.items(): if policy == "min-tls-version": - reasonable = ["TLS", "TLSv1.1", "TLSv1.2", "TLSv1.3"] + reasonable = ["TLS", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"] if not value in reasonable: raise ValueError, "Not a valid TLS version string: " + `value` self.tls_policies[domain]["min-tls-version"] = str(value) From a2ee328bc0dc3e384f9d1ecf6567aa16afbeb7ef Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 11 Jun 2014 10:32:52 -0700 Subject: [PATCH 035/256] Paramaterise "/etc/postfix" --- MTAConfigGenerator.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/MTAConfigGenerator.py b/MTAConfigGenerator.py index bee518e05..3b69ba37a 100755 --- a/MTAConfigGenerator.py +++ b/MTAConfigGenerator.py @@ -1,9 +1,10 @@ #!/usr/bin/env python import string +import os.path - -DEFAULT_POLICY_FILE = "/etc/postfix/starttls_everywhere_policy" +POSTFIX_DIR = "/etc/postfix" +DEFAULT_POLICY_FILE = os.path.join(POSTFIX_DIR, "starttls_everywhere_policy") POLICY_CF_ENTRY="texthash:" + DEFAULT_POLICY_FILE def parse_line(line_data): @@ -111,7 +112,7 @@ class PostfixConfigGenerator(MTAConfigGenerator): def find_postfix_cf(self): "Search far and wide for the correct postfix configuration file" - return "/etc/postfix/main.cf" + return os.path.join(POSTFIX_DIR,"main.cf") def set_domainwise_tls_policies(self): self.policy_lines = [] From e99abfacfd40c4f7c1f404c7225d5d3ad4792ef8 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Thu, 12 Jun 2014 05:22:30 -0700 Subject: [PATCH 036/256] Include the demo example with the real stuff, temporarily --- starttls-everywhere.json | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/starttls-everywhere.json b/starttls-everywhere.json index d0e656186..4b47ea0c3 100644 --- a/starttls-everywhere.json +++ b/starttls-everywhere.json @@ -1,5 +1,9 @@ { "tls-policies": { + "*.valid-example-recipient.com": { + "min-tls-version": "TLSv1.1", + "force-tls" : true + }, "*.mx.aol.com": { "min-tls-version": "TLSv1", "require-tls": true @@ -50,6 +54,9 @@ } }, "acceptable-mxs": { + "valid-example-recipient.com": { + "accept-mx-domains": [ "*.valid-example-recipient.com" ] + }, "wp.pl": { "accept-mx-domains": [ "*.wp.pl" From 3d7b53daf19c4f47e34e1fb74b57367462968142 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Thu, 12 Jun 2014 05:24:05 -0700 Subject: [PATCH 037/256] Tune verbosity; reload postfix conf if we can --- MTAConfigGenerator.py | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/MTAConfigGenerator.py b/MTAConfigGenerator.py index 3b69ba37a..d78fa55e5 100755 --- a/MTAConfigGenerator.py +++ b/MTAConfigGenerator.py @@ -1,14 +1,16 @@ #!/usr/bin/env python import string -import os.path +import os, os.path POSTFIX_DIR = "/etc/postfix" DEFAULT_POLICY_FILE = os.path.join(POSTFIX_DIR, "starttls_everywhere_policy") POLICY_CF_ENTRY="texthash:" + DEFAULT_POLICY_FILE def parse_line(line_data): - "return the and right hand sides of stripped, non-comment postfix config line" + """ + return the (line number, left hand side, right hand side) + of a stripped postfix config line""" # lines are like: # smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache num,line = line_data @@ -32,6 +34,7 @@ class PostfixConfigGenerator(MTAConfigGenerator): self.postfix_cf_file = self.find_postfix_cf() self.wrangle_existing_config() self.set_domainwise_tls_policies() + os.system("sudo service postfix reload") def ensure_cf_var(self, var, ideal, also_acceptable): """ @@ -105,7 +108,7 @@ class PostfixConfigGenerator(MTAConfigGenerator): self.new_cf += line self.new_cf += sep + new_cf_lines - print self.new_cf + #print self.new_cf f = open(self.fn, "w") f.write(self.new_cf) f.close() From 02abaf57bd0cd67cabb8e1cdaefe1dabbb269776 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Thu, 12 Jun 2014 05:24:51 -0700 Subject: [PATCH 038/256] Remove stray conf entry from README --- README.md | 3 --- 1 file changed, 3 deletions(-) diff --git a/README.md b/README.md index 2f0a410a1..7a08c3ecf 100644 --- a/README.md +++ b/README.md @@ -86,9 +86,6 @@ The basic file format will be JSON with comments (http://blog.getify.com/json-co "eff.org": { "accept-mx-domains": ["*.eff.org"] } - "*.yahoodns.net": { - "require-valid-certificate": true, - } } } From 9ce047980a991129de1bfc6b56a8bd133f798942 Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Thu, 12 Jun 2014 11:40:17 -0400 Subject: [PATCH 039/256] Add .gitignore --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 .gitignore diff --git a/.gitignore b/.gitignore new file mode 100644 index 000000000..94c6f7089 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +.* +*.orig From 9cd71642fb13688565a2b245eac06089eaad8dcb Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Thu, 12 Jun 2014 11:50:39 -0400 Subject: [PATCH 040/256] Fix italicization boundaries --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 2f0a410a1..6717f8b72 100644 --- a/README.md +++ b/README.md @@ -109,19 +109,19 @@ Config-generator should attempt to fetch the configuration file daily and transf The _address-domains_ field maps from mail domains (the part of an address after the "@") onto a list of properties for that domain. Matching of mail domains is on an exact-match basis, not a subdomain basis. For instance, eff.org would be listed separately from lists.eff.org in the _address-domains_ section. -Currently the only property defined for _address-domains_ is _accept-mx-domains_, a list. If an MX lookup for a listed address domain returns a hostname that is not a subdomain of one of the domains listed in the _accept-mx-domains_ property, the MTA should fail delivery or log an advisory failure, as appropriate. Matching of MX hostnames against the _accept-mx-domains_ list is on a subdomain basis. For instance, if an MX record for yahoo.com lists mta7.am0.yahoodns.net, and the _accept-mx-domains_ property for yahoo.com is ["yahoodns.net"], that should be considered a match. All domains listed in any _accept-mx-domains _list must correspond to an exactly matching field in the _mx-domains_ config section. +Currently the only property defined for _address-domains_ is _accept-mx-domains_, a list. If an MX lookup for a listed address domain returns a hostname that is not a subdomain of one of the domains listed in the _accept-mx-domains_ property, the MTA should fail delivery or log an advisory failure, as appropriate. Matching of MX hostnames against the _accept-mx-domains_ list is on a subdomain basis. For instance, if an MX record for yahoo.com lists mta7.am0.yahoodns.net, and the _accept-mx-domains_ property for yahoo.com is ["yahoodns.net"], that should be considered a match. All domains listed in any _accept-mx-domains_ list must correspond to an exactly matching field in the _mx-domains_ config section. The _accept-mx-domains_ mechanism partially solves the problem of DNS MITM. It doesn't completely solve the problem, since an attacker might somehow control a different hostname under an acceptable domain, e.g. evil.yahoodns.net. But it strikes a balance between improving security and allowing mail operators to change configuration as needed. Some mail operators delegate their MX handling to a third-party provider (i.e. Google Apps for Your Domain). If those operators are included in STARTTLS Everywhere and wish to change providers, they will have to first send an update to their _accept-mx-domains_ to include their new provider. **mx-domains** -The keys of this section are MX domains as described above for the _accept-mx-domains_ property. Each _mx-domain_ entry must be an exact match with an entry in one of the _accept-mx-domains_ lists provided. No _mx-domain _can be a subdomain of any other _mx-domain _in the configuration file. Fields in this section specify minimum security requirements that should be applied when connecting to any MX hostname that is a subdomain of the specified _mx-domain_. +The keys of this section are MX domains as described above for the _accept-mx-domains_ property. Each _mx-domain_ entry must be an exact match with an entry in one of the _accept-mx-domains_ lists provided. No _mx-domain_can be a subdomain of any other _mx-domain_in the configuration file. Fields in this section specify minimum security requirements that should be applied when connecting to any MX hostname that is a subdomain of the specified _mx-domain_. Implicitly each _mx-domain_ listed has a property _require-tls: true_. MX domains that do not support TLS will not be listed. The only required property is _enforce-mode_, which must be either _log-only_ or _enforce_. If _enforce-mode_ is _log-only_, the generated configs will not stop mail delivery on policy failures, but will produce logging information. If the _min-tls-version_ property is present, sending mail to domains under this policy should fail if the sending MTA cannot negotiate a TLS version equal to or greater than the listed version. Valid values are _TLSv1, TLSv1.1, and TLSv1.2._ -_Require-valid-certificate _defaults to false. If the _require-valid-certificate_ property is 'true' for a given _mx-domain_ the certificate presented must be valid for a hostname that is subdomain of the _mx-domain_. Validity means all of these must be true: +_Require-valid-certificate_defaults to false. If the _require-valid-certificate_ property is 'true' for a given _mx-domain_ the certificate presented must be valid for a hostname that is subdomain of the _mx-domain_. Validity means all of these must be true: 1. The CN or a DNS entry under subjectAltName matches an appropriate hostname. 2. The certificate is unexpired. From 499f6c2fad62fe4d793cfee727576f399012a1b2 Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Thu, 12 Jun 2014 11:53:02 -0400 Subject: [PATCH 041/256] Add comment to ProcessgoogleSTARTTLSDomains.py --- ProcessGoogleSTARTTLSDomains.py | 11 ++++++++++- config.json | 2 +- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/ProcessGoogleSTARTTLSDomains.py b/ProcessGoogleSTARTTLSDomains.py index 0a0201875..abb2b3495 100755 --- a/ProcessGoogleSTARTTLSDomains.py +++ b/ProcessGoogleSTARTTLSDomains.py @@ -1,4 +1,13 @@ #!/usr/bin/python +""" +Process Google's TLS delivery data from +https://www.google.com/transparencyreport/saferemail/data/?hl=en +to look for outbound domains that can negotiate an encrypted +connection >99% of the time. + +Usage: + ./ProcessGoogleSTARTTLSDomains.py google-starttls-domains.csv +""" import csv import codecs import sys @@ -14,5 +23,5 @@ for (address_suffix, hostname_suffix, direction, region, fraction_encrypted) in pass for address_suffix, fraction_encrypted in d.iteritems(): - if min(fraction_encrypted) >= 0.50: + if min(fraction_encrypted) >= 0.99: print min(fraction_encrypted), address_suffix diff --git a/config.json b/config.json index 8d38696ff..1a9034545 100644 --- a/config.json +++ b/config.json @@ -3,7 +3,7 @@ "timestamp": 1401093333, "author": "Electronic Frontier Foundation https://eff.org", "expires": 1404677353, "comment 2:": "epoch seconds", - "security-policies": { + "tls-policies": { "*.valid-example-recipient.com": { "min-tls-version": "TLSv1.1" } From 43d457aa771e663a7c15886fbc81db081947d9cf Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Thu, 12 Jun 2014 13:18:20 -0400 Subject: [PATCH 042/256] Typo cleanup in MTAConfigGenerator --- ConfigParser.py | 1 - MTAConfigGenerator.py | 10 ++++------ 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/ConfigParser.py b/ConfigParser.py index 8bc7e708f..206132293 100755 --- a/ConfigParser.py +++ b/ConfigParser.py @@ -36,7 +36,6 @@ class Config: f = open(cfg_file_name) self.cfg = json.loads(f.read()) for atr, val in self.cfg.items(): - #print atr,val # Verify each attribute of the structure if atr.startswith("comment"): continue diff --git a/MTAConfigGenerator.py b/MTAConfigGenerator.py index 3b69ba37a..d5ec334ec 100755 --- a/MTAConfigGenerator.py +++ b/MTAConfigGenerator.py @@ -3,12 +3,12 @@ import string import os.path -POSTFIX_DIR = "/etc/postfix" +POSTFIX_DIR = "postfix-copy" DEFAULT_POLICY_FILE = os.path.join(POSTFIX_DIR, "starttls_everywhere_policy") POLICY_CF_ENTRY="texthash:" + DEFAULT_POLICY_FILE def parse_line(line_data): - "return the and right hand sides of stripped, non-comment postfix config line" + "return the left and right hand sides of stripped, non-comment postfix config line" # lines are like: # smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache num,line = line_data @@ -17,8 +17,6 @@ def parse_line(line_data): return None return (num, left.strip(), right.strip()) -#def get_cf_values(lines, var): - class MTAConfigGenerator: def __init__(self, policy_config): self.policy_config = policy_config @@ -36,8 +34,8 @@ class PostfixConfigGenerator(MTAConfigGenerator): def ensure_cf_var(self, var, ideal, also_acceptable): """ Ensure that existing postfix config @var is in the list of @acceptable - values; if not, set it to the ideal value. """ - + values; if not, set it to the ideal value. + """ acceptable = [ideal] + also_acceptable l = [(num,line) for num,line in enumerate(self.cf) if line.startswith(var)] From 3cf61a54b7ce08389a85f5282fd86ca958b121b7 Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Fri, 13 Jun 2014 13:57:05 -0400 Subject: [PATCH 043/256] Add alternatives section --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 6717f8b72..6e3d4212b 100644 --- a/README.md +++ b/README.md @@ -33,6 +33,10 @@ STARTTLS by itself thwarts purely passive eavesdroppers. However, as currently d Attacker has control of routers on the path between two MTAs of interest. Attacker cannot or will not issue valid certificates for arbitrary names. Attacker cannot or will not attack endpoints. We are trying to protect confidentiality and integrity of email transmitted over SMTP between MTAs. +## Alternatives + +Our goals can also be accomplished through use of [DNSSEC and DANE](http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-10), which is certainly a more scalable solution. However, operators have been very slow to roll out DNSSEC supprt. We feel there is value in deploying an intermediate solution that does not rely on DNSSEC. This will improve the email security situation more quickly. It will also provide operational experience with authenticated SMTP over TLS that will make eventual rollout of a DANE solution easier. + ## Detailed design Senders need to know which target hosts are known to support STARTTLS, and how to authenticate them. Since the network cannot be trusted to provide this information, it must be communicated securely out-of-band. We will provide: From 9da4f93ae587156d4f9be5829a32a4201e5f1588 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Mon, 16 Jun 2014 02:46:46 -0700 Subject: [PATCH 044/256] Changes for live demo --- Vagrantfile | 1 + starttls-everywhere.json | 1 - vagrant-bootstrap.sh | 6 +++--- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index 3ce93c917..b7153a7b8 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -16,6 +16,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| valid.vm.hostname = "valid-example-recipient.com" end config.vm.synced_folder "vagrant-shared", "/vagrant" + config.vm.synced_folder "vagrant-shared/starttls-everywhere", "/vagrant/starttls-everywhere" config.vm.provision :shell, path: "vagrant-bootstrap.sh" config.vm.provider "virtualbox" do |vb| diff --git a/starttls-everywhere.json b/starttls-everywhere.json index 4b47ea0c3..df3ff41ab 100644 --- a/starttls-everywhere.json +++ b/starttls-everywhere.json @@ -1,7 +1,6 @@ { "tls-policies": { "*.valid-example-recipient.com": { - "min-tls-version": "TLSv1.1", "force-tls" : true }, "*.mx.aol.com": { diff --git a/vagrant-bootstrap.sh b/vagrant-bootstrap.sh index 13593a0cc..82622edea 100755 --- a/vagrant-bootstrap.sh +++ b/vagrant-bootstrap.sh @@ -23,9 +23,9 @@ if [ "`hostname`" = "sender" ]; then (while sleep 10; do echo -e 'Subject: hi\n\nhi' | sendmail vagrant@valid-example-recipient.com done) & - ln -sf "/vagrant/postfix-config-sender-tls_policy.cf" /etc/postfix/tls_policy + #ln -sf "/vagrant/postfix-config-sender-tls_policy.cf" /etc/postfix/tls_policy fi -ln -sf "/vagrant/postfix-config-`hostname`.cf" /etc/postfix/main.cf -ln -sf "/vagrant/certificates" /etc/certificates +#ln -sf "/vagrant/postfix-config-`hostname`.cf" /etc/postfix/main.cf +#ln -sf "/vagrant/certificates" /etc/certificates postfix reload From 51f90ffafb3e74406e24eb63e7f359ed0483b461 Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Mon, 16 Jun 2014 18:26:56 +0000 Subject: [PATCH 045/256] Write policies based on address domain, not stripped mx-domain --- ConfigParser.py | 9 ++------- MTAConfigGenerator.py | 13 +++++++++---- starttls-everywhere.json | 5 ----- 3 files changed, 11 insertions(+), 16 deletions(-) diff --git a/ConfigParser.py b/ConfigParser.py index 206132293..072c7e8ff 100755 --- a/ConfigParser.py +++ b/ConfigParser.py @@ -59,10 +59,10 @@ class Config: raise ValueError, "Not a valid TLS version string: " + `value` self.tls_policies[domain]["min-tls-version"] = str(value) elif atr == "acceptable-mxs": + self.acceptable_mxs = val pass else: - sys.stderr.write("Uknown attribute: " + `atr` + "\n") - print self.tls_policies + sys.stderr.write("Unknown attribute: " + `atr` + "\n") def check_tls_policy_domains(self, val): if type(val) != dict: @@ -73,11 +73,6 @@ class Config: d = str(domain) # convert from unicode except: raise TypeError, "tls-policy domain not a string" + `domain` - if not d.startswith("*."): - raise ValueError, "tls-policy domains must start with *.; try *."+d - d = d.partition("*.")[2] - if not looks_like_a_domain(d): - raise ValueError, "tls-policy for something that a domain? " + d yield (d, policies) if __name__ == "__main__": diff --git a/MTAConfigGenerator.py b/MTAConfigGenerator.py index d5ec334ec..859095acc 100755 --- a/MTAConfigGenerator.py +++ b/MTAConfigGenerator.py @@ -114,10 +114,15 @@ class PostfixConfigGenerator(MTAConfigGenerator): def set_domainwise_tls_policies(self): self.policy_lines = [] - for domain, policy in self.policy_config.tls_policies.items(): - entry = domain + " encrypt" - if "min-tls-version" in policy: - entry += " " + policy["min-tls-version"] + for address_domain, properties in self.policy_config.acceptable_mxs.items(): + mx_list = properties["accept-mx-domains"] + if len(mx_list) > 1: + print "Lists of multiple accept-mx-domains not yet supported, skipping ", address_domain + mx_domain = mx_list[0] + mx_policy = self.policy_config.tls_policies[mx_domain] + entry = address_domain + " encrypt" + if "min-tls-version" in mx_policy: + entry += " " + mx_policy["min-tls-version"] self.policy_lines.append(entry) f = open(DEFAULT_POLICY_FILE, "w") diff --git a/starttls-everywhere.json b/starttls-everywhere.json index d0e656186..a98a2293f 100644 --- a/starttls-everywhere.json +++ b/starttls-everywhere.json @@ -50,11 +50,6 @@ } }, "acceptable-mxs": { - "wp.pl": { - "accept-mx-domains": [ - "*.wp.pl" - ] - }, "yahoo.co.uk": { "accept-mx-domains": [ "*.yahoodns.net" From 2eba47a716956bdcfc99c466b617ecc2e5b9c32a Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Mon, 16 Jun 2014 14:23:33 -0700 Subject: [PATCH 046/256] Verify more of the policy language --- ConfigParser.py | 28 ++++++++++++++++++++++++---- MTAConfigGenerator.py | 2 +- 2 files changed, 25 insertions(+), 5 deletions(-) diff --git a/ConfigParser.py b/ConfigParser.py index 206132293..541ff3f30 100755 --- a/ConfigParser.py +++ b/ConfigParser.py @@ -35,6 +35,8 @@ class Config: def __init__(self, cfg_file_name = "config.json"): f = open(cfg_file_name) self.cfg = json.loads(f.read()) + self.tls_policies = {} + self.mx_map = {} for atr, val in self.cfg.items(): # Verify each attribute of the structure if atr.startswith("comment"): @@ -47,21 +49,39 @@ class Config: elif atr == "expires": self.expires = parse_timestamp(val) elif atr == "tls-policies": - self.tls_policies = {} for domain,policies in self.check_tls_policy_domains(val): if type(policies) != dict: raise TypeError, domain + "'s policies should be a dict: " + `policies` self.tls_policies[domain] = {} # being here enforces TLS at all - for policy, value in policies.items(): - if policy == "min-tls-version": + for policy, v in policies.items(): + value = lower(str(v)) + if policy == "require-tls": + if value in ("true", "1", "yes"): + self.tls_policies[domain]["required"] = True + elif value in ("false", "0", "no"): + self.tls_policies[domain]["required"] = False + else: + raise ValueError, "Unknown require-tls value " + `value` + elif policy == "min-tls-version": reasonable = ["TLS", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"] if not value in reasonable: raise ValueError, "Not a valid TLS version string: " + `value` self.tls_policies[domain]["min-tls-version"] = str(value) + elif policy == "enforce-mode": + if value == "enforce": + self.tls_policies[domain]["enforce"] = True + elif value == "log-only": + self.tls_policies[domain]["enforce"] = False + else: + raise ValueError, "Not a known enoforcement policy " + `value` elif atr == "acceptable-mxs": - pass + for domain, mxball in acceptable_mx: + pass else: sys.stderr.write("Uknown attribute: " + `atr` + "\n") + # XXX is it ever permissible to have a domain with an acceptable-mx + # that does not point to a TLS security policy? If not, check/warn/fail + # here print self.tls_policies def check_tls_policy_domains(self, val): diff --git a/MTAConfigGenerator.py b/MTAConfigGenerator.py index 875624e57..1d322c8e9 100755 --- a/MTAConfigGenerator.py +++ b/MTAConfigGenerator.py @@ -78,7 +78,7 @@ class PostfixConfigGenerator(MTAConfigGenerator): # Check we're currently accepting inbound STARTTLS sensibly self.ensure_cf_var("smtpd_use_tls", "yes", []) # Ideally we use it opportunistically in the outbound direction - self.ensure_cf_var("smtp_tls_security_level", "may", ["encrypt"]) + self.ensure_cf_var("smtp_tls_security_level", "may", ["encrypt","dane"]) # Maximum verbosity lets us collect failure information self.ensure_cf_var("smtp_tls_loglevel", "1", []) # Inject a reference to our per-domain policy map From 67ee3b048876d1e27cdc21d29139afc1bb812b68 Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Wed, 18 Jun 2014 12:32:17 -0400 Subject: [PATCH 047/256] Config format change - don't use * as it's misleading. --- config.json | 4 +-- starttls-everywhere.json | 58 ++++++++++++++++++++-------------------- 2 files changed, 31 insertions(+), 31 deletions(-) diff --git a/config.json b/config.json index 1a9034545..05fc237bf 100644 --- a/config.json +++ b/config.json @@ -4,13 +4,13 @@ "author": "Electronic Frontier Foundation https://eff.org", "expires": 1404677353, "comment 2:": "epoch seconds", "tls-policies": { - "*.valid-example-recipient.com": { + ".valid-example-recipient.com": { "min-tls-version": "TLSv1.1" } }, "acceptable-mxs": { "valid-example-recipient.com": { - "accept-mx-domains": [ "*.valid-example-recipient.com" ] + "accept-mx-domains": [ ".valid-example-recipient.com" ] } } diff --git a/starttls-everywhere.json b/starttls-everywhere.json index a98a2293f..d00859d8c 100644 --- a/starttls-everywhere.json +++ b/starttls-everywhere.json @@ -1,50 +1,50 @@ { "tls-policies": { - "*.mx.aol.com": { + ".mx.aol.com": { "min-tls-version": "TLSv1", "require-tls": true }, - "*.psmtp.com": { + ".psmtp.com": { "min-tls-version": "TLSv1", "require-tls": true }, - "*.ukr.net": { + ".ukr.net": { "min-tls-version": "TLSv1.1", "require-tls": true }, - "*.interia.pl": { + ".interia.pl": { "min-tls-version": "TLSv1", "require-tls": true }, - "*.gmx.net": { + ".gmx.net": { "min-tls-version": "TLSv1.1", "require-tls": true }, - "*.web.de": { + ".web.de": { "min-tls-version": "TLSv1.1", "require-tls": true }, - "*.marktplaats.nl": { + ".marktplaats.nl": { "min-tls-version": "TLSv1.1", "require-tls": true }, - "*.wp.pl": { + ".wp.pl": { "min-tls-version": "TLSv1.1", "require-tls": true }, - "*.yahoodns.net": { + ".yahoodns.net": { "min-tls-version": "TLSv1", "require-tls": true }, - "*.t-online.de": { + ".t-online.de": { "min-tls-version": "TLSv1.1", "require-tls": true }, - "*.rambler.ru": { + ".rambler.ru": { "min-tls-version": "TLSv1.1", "require-tls": true }, - "*.t.facebook.com": { + ".t.facebook.com": { "min-tls-version": "TLSv1", "require-tls": true } @@ -52,87 +52,87 @@ "acceptable-mxs": { "yahoo.co.uk": { "accept-mx-domains": [ - "*.yahoodns.net" + ".yahoodns.net" ] }, "rocketmail.com": { "accept-mx-domains": [ - "*.yahoodns.net" + ".yahoodns.net" ] }, "web.de": { "accept-mx-domains": [ - "*.web.de" + ".web.de" ] }, "sbcglobal.net": { "accept-mx-domains": [ - "*.yahoodns.net" + ".yahoodns.net" ] }, "aol.com": { "accept-mx-domains": [ - "*.mx.aol.com" + ".mx.aol.com" ] }, "facebook.com": { "accept-mx-domains": [ - "*.t.facebook.com" + ".t.facebook.com" ] }, "sompo-japan.co.jp": { "accept-mx-domains": [ - "*.psmtp.com" + ".psmtp.com" ] }, "salesforce.com": { "accept-mx-domains": [ - "*.psmtp.com" + ".psmtp.com" ] }, "rambler.ru": { "accept-mx-domains": [ - "*.rambler.ru" + ".rambler.ru" ] }, "t-online.de": { "accept-mx-domains": [ - "*.t-online.de" + ".t-online.de" ] }, "gmx.net": { "accept-mx-domains": [ - "*.gmx.net" + ".gmx.net" ] }, "gmx.de": { "accept-mx-domains": [ - "*.gmx.net" + ".gmx.net" ] }, "ukr.net": { "accept-mx-domains": [ - "*.ukr.net" + ".ukr.net" ] }, "rogers.com": { "accept-mx-domains": [ - "*.yahoodns.net" + ".yahoodns.net" ] }, "ymail.com": { "accept-mx-domains": [ - "*.yahoodns.net" + ".yahoodns.net" ] }, "marktplaats.nl": { "accept-mx-domains": [ - "*.marktplaats.nl" + ".marktplaats.nl" ] }, "interia.pl": { "accept-mx-domains": [ - "*.interia.pl" + ".interia.pl" ] } } From 3df343495e2ac81d5ceb501b43240a68cbbca54c Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 18 Jun 2014 10:58:53 -0700 Subject: [PATCH 048/256] Various fixups --- ConfigParser.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ConfigParser.py b/ConfigParser.py index 85b704d93..4fb69b6b2 100755 --- a/ConfigParser.py +++ b/ConfigParser.py @@ -54,7 +54,7 @@ class Config: raise TypeError, domain + "'s policies should be a dict: " + `policies` self.tls_policies[domain] = {} # being here enforces TLS at all for policy, v in policies.items(): - value = lower(str(v)) + value = str(v).lower() if policy == "require-tls": if value in ("true", "1", "yes"): self.tls_policies[domain]["required"] = True @@ -64,6 +64,7 @@ class Config: raise ValueError, "Unknown require-tls value " + `value` elif policy == "min-tls-version": reasonable = ["TLS", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"] + reasonable = map(string.lower, reasonable) if not value in reasonable: raise ValueError, "Not a valid TLS version string: " + `value` self.tls_policies[domain]["min-tls-version"] = str(value) @@ -76,7 +77,7 @@ class Config: raise ValueError, "Not a known enoforcement policy " + `value` elif atr == "acceptable-mxs": self.acceptable_mxs = val - for domain, mxball in selg.acceptable_mxs: + for domain, mxball in self.acceptable_mxs.items(): pass else: sys.stderr.write("Unknown attribute: " + `atr` + "\n") From 51980e212f7ea46fc584ebc8e7938f337d2e666c Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Wed, 18 Jun 2014 17:50:41 -0400 Subject: [PATCH 049/256] First pass at logs analysis --- ConfigParser.py | 19 +++++++++++++++++-- PostfixLogSummary.py | 33 +++++++++++++++++++++++++++++++++ 2 files changed, 50 insertions(+), 2 deletions(-) create mode 100755 PostfixLogSummary.py diff --git a/ConfigParser.py b/ConfigParser.py index 072c7e8ff..69779548f 100755 --- a/ConfigParser.py +++ b/ConfigParser.py @@ -4,7 +4,7 @@ import sys import json from datetime import datetime import string - +import collections def parse_timestamp(ts): try: @@ -48,7 +48,7 @@ class Config: self.expires = parse_timestamp(val) elif atr == "tls-policies": self.tls_policies = {} - for domain,policies in self.check_tls_policy_domains(val): + for domain, policies in self.check_tls_policy_domains(val): if type(policies) != dict: raise TypeError, domain + "'s policies should be a dict: " + `policies` self.tls_policies[domain] = {} # being here enforces TLS at all @@ -60,10 +60,25 @@ class Config: self.tls_policies[domain]["min-tls-version"] = str(value) elif atr == "acceptable-mxs": self.acceptable_mxs = val + self.mx_domain_to_address_domains = collections.defaultdict(set) + for address_domain, properties in self.acceptable_mxs.items(): + mx_list = properties["accept-mx-domains"] + if len(mx_list) > 1: + print "Lists of multiple accept-mx-domains not yet supported, skipping ", address_domain + mx_domain = mx_list[0] + self.mx_domain_to_address_domains[mx_domain].add(address_domain) pass else: sys.stderr.write("Unknown attribute: " + `atr` + "\n") + def get_address_domains(self, mx_hostname): + for mx_domain, address_domains in self.mx_domain_to_address_domains.items(): + # TODO: write this better + if (mx_hostname.find(mx_domain) > 0 and + mx_hostname.find(mx_domain) == len(mx_hostname) - len(mx_domain)): + return address_domains + return None + def check_tls_policy_domains(self, val): if type(val) != dict: raise TypeError, "tls-policies should be a dict" + `val` diff --git a/PostfixLogSummary.py b/PostfixLogSummary.py new file mode 100755 index 000000000..e13c230aa --- /dev/null +++ b/PostfixLogSummary.py @@ -0,0 +1,33 @@ +#!/usr/bin/python2.7 +import re +import sys +import collections + +import ConfigParser + +def get_counts(input, config): + counts = collections.defaultdict(lambda: collections.defaultdict(int)) + r = re.compile("([A-Za-z]+) TLS connection established to ([^[]*)") + for line in sys.stdin: + result = r.search(line) + if result: + validation = result.group(1) + mx_hostname = result.group(2) + address_domains = config.get_address_domains(mx_hostname) + if address_domains: + for d in address_domains: + counts[d][validation] += 1 + counts[d]["all"] += 1 + return counts + +def print_summary(counts): + for mx_hostname, validations in counts.items(): + for validation, validation_count in validations.items(): + if validation == "all": + continue + print mx_hostname, validation, validation_count / validations["all"] + +if __name__ == "__main__": + config = ConfigParser.Config("starttls-everywhere.json") + counts = get_counts(sys.stdin, config) + print_summary(counts) From 3de8c2a65152a9985b04f11a64c6568c93a70dbf Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Wed, 6 Aug 2014 17:08:30 -0400 Subject: [PATCH 050/256] Do a better job finding address domain from mx doman. --- ConfigParser.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/ConfigParser.py b/ConfigParser.py index 69779548f..eff4d3557 100755 --- a/ConfigParser.py +++ b/ConfigParser.py @@ -72,11 +72,11 @@ class Config: sys.stderr.write("Unknown attribute: " + `atr` + "\n") def get_address_domains(self, mx_hostname): - for mx_domain, address_domains in self.mx_domain_to_address_domains.items(): - # TODO: write this better - if (mx_hostname.find(mx_domain) > 0 and - mx_hostname.find(mx_domain) == len(mx_hostname) - len(mx_domain)): - return address_domains + labels = mx_hostname.split(".") + for n in range(1, len(labels)): + parent = "." + ".".join(labels[n:]) + if parent in self.mx_domain_to_address_domains: + return self.mx_domain_to_address_domains[parent] return None def check_tls_policy_domains(self, val): From 1c3c69aaad9477988e48f1a3c5080f1d1b201e2d Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Wed, 6 Aug 2014 17:08:49 -0400 Subject: [PATCH 051/256] Allow parameters to MTAConfigGenerator. --- MTAConfigGenerator.py | 40 +++++++++++++++++++++++++--------------- 1 file changed, 25 insertions(+), 15 deletions(-) diff --git a/MTAConfigGenerator.py b/MTAConfigGenerator.py index 859095acc..15bc017ab 100755 --- a/MTAConfigGenerator.py +++ b/MTAConfigGenerator.py @@ -1,16 +1,17 @@ #!/usr/bin/env python +import sys import string import os.path -POSTFIX_DIR = "postfix-copy" -DEFAULT_POLICY_FILE = os.path.join(POSTFIX_DIR, "starttls_everywhere_policy") -POLICY_CF_ENTRY="texthash:" + DEFAULT_POLICY_FILE - def parse_line(line_data): - "return the left and right hand sides of stripped, non-comment postfix config line" - # lines are like: - # smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache + """ + Return the left and right hand sides of stripped, non-comment postfix + config line. + + Lines are like: + smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache + """ num,line = line_data left, sep, right = line.partition("=") if not sep: @@ -24,12 +25,15 @@ class MTAConfigGenerator: class ExistingConfigError(ValueError): pass class PostfixConfigGenerator(MTAConfigGenerator): - def __init__(self, policy_config, fixup=False): + def __init__(self, policy_config, postfix_dir, fixup=False): self.fixup = fixup + self.postfix_dir = postfix_dir + self.policy_file = os.path.join(postfix_dir, "starttls_everywhere_policy") MTAConfigGenerator.__init__(self, policy_config) self.postfix_cf_file = self.find_postfix_cf() self.wrangle_existing_config() self.set_domainwise_tls_policies() + print "Configuration complete. Now run `sudo service postfix reload'." def ensure_cf_var(self, var, ideal, also_acceptable): """ @@ -59,7 +63,7 @@ class PostfixConfigGenerator(MTAConfigGenerator): self.additions.append(var + " = " + ideal) else: raise ExistingConfigError, "Existing config has %s=%s"%(var,val) - + def wrangle_existing_config(self): """ Try to ensure/mutate that the config file is in a sane state. @@ -79,7 +83,9 @@ class PostfixConfigGenerator(MTAConfigGenerator): # Maximum verbosity lets us collect failure information self.ensure_cf_var("smtp_tls_loglevel", "1", []) # Inject a reference to our per-domain policy map - self.ensure_cf_var("smtp_tls_policy_maps", POLICY_CF_ENTRY, []) + policy_cf_entry = "texthash:" + self.policy_file + + self.ensure_cf_var("smtp_tls_policy_maps", policy_cf_entry, []) self.maybe_add_config_lines() @@ -110,7 +116,7 @@ class PostfixConfigGenerator(MTAConfigGenerator): def find_postfix_cf(self): "Search far and wide for the correct postfix configuration file" - return os.path.join(POSTFIX_DIR,"main.cf") + return os.path.join(self.postfix_dir, "main.cf") def set_domainwise_tls_policies(self): self.policy_lines = [] @@ -122,14 +128,18 @@ class PostfixConfigGenerator(MTAConfigGenerator): mx_policy = self.policy_config.tls_policies[mx_domain] entry = address_domain + " encrypt" if "min-tls-version" in mx_policy: - entry += " " + mx_policy["min-tls-version"] + entry += " protocols=" + mx_policy["min-tls-version"] self.policy_lines.append(entry) - f = open(DEFAULT_POLICY_FILE, "w") + f = open(self.policy_file, "w") f.write("\n".join(self.policy_lines) + "\n") f.close() if __name__ == "__main__": import ConfigParser - c = ConfigParser.Config("starttls-everywhere.json") - pcgen = PostfixConfigGenerator(c, fixup=True) + if len(sys.argv) != 3: + print "Usage: MTAConfigGenerator starttls-everywhere.json /etc/postfix" + sys.exit(1) + c = ConfigParser.Config(sys.argv[1]) + postfix_dir = sys.argv[2] + pcgen = PostfixConfigGenerator(c, postfix_dir, fixup=True) From a85fad98c0be1c5494090486c476608c4951032f Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Wed, 6 Aug 2014 18:22:08 -0400 Subject: [PATCH 052/256] Restore default config --- vagrant-shared/postfix-config-sender.cf | 7 ------- 1 file changed, 7 deletions(-) diff --git a/vagrant-shared/postfix-config-sender.cf b/vagrant-shared/postfix-config-sender.cf index 6fc9435c6..b9f265058 100644 --- a/vagrant-shared/postfix-config-sender.cf +++ b/vagrant-shared/postfix-config-sender.cf @@ -37,10 +37,3 @@ mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 mailbox_size_limit = 0 recipient_delimiter = + inet_interfaces = all - -#STARTTLS EVERYWHERE MAGIC STARTS HERE -smtp_tls_policy_maps = texthash:/etc/postfix/tls_policy - -smtp_tls_loglevel = 1 -smtp_tls_security_level = may -smtp_tls_CAfile = /etc/certificates/ca.crt From 127d49e837d2fa8713bf1932ccecad11607b58e3 Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Wed, 6 Aug 2014 18:22:32 -0400 Subject: [PATCH 053/256] Manually add a couple known-good domains. These were skipped because in the Google data they are represented as, e.g. 'gmail.{..}'. --- golden-domains.txt | 2 ++ 1 file changed, 2 insertions(+) diff --git a/golden-domains.txt b/golden-domains.txt index 9a0c95948..d340f23e4 100644 --- a/golden-domains.txt +++ b/golden-domains.txt @@ -20,3 +20,5 @@ facebook.com craigslist.org bigpond.com aol.com +gmail.com +yahoo.com From dd4f9d35ae8fd21a8593cd232177f6550b2a63e8 Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Wed, 6 Aug 2014 18:23:13 -0400 Subject: [PATCH 054/256] Improve checker and starttls-everywhere.json. Now we alphabetize keys on output for more useful diffs. --- CheckSTARTTLS.py | 23 ++-- starttls-everywhere.json | 225 ++++++++++++++++++--------------------- 2 files changed, 122 insertions(+), 126 deletions(-) diff --git a/CheckSTARTTLS.py b/CheckSTARTTLS.py index cd8dfea42..205a4a779 100755 --- a/CheckSTARTTLS.py +++ b/CheckSTARTTLS.py @@ -10,6 +10,9 @@ import json import dns.resolver from M2Crypto import X509 +from publicsuffix import PublicSuffixList + +public_suffix_list = PublicSuffixList() def mkdirp(path): try: @@ -71,6 +74,8 @@ def valid_cert(filename): if open(filename).read().find("-----BEGIN CERTIFICATE-----") == -1: return False try: + # The file contains both the leaf cert and any intermediates, so we pass it + # as both the cert to validate and as the "untrusted" chain. output = subprocess.check_output("""openssl verify -CApath /home/jsha/mozilla/ -purpose sslserver \ -untrusted "%s" \ "%s" @@ -87,10 +92,11 @@ def check_certs(mail_domain): return "" else: new_names = extract_names_from_openssl_output(filename) + new_names = map(lambda n: public_suffix_list.get_public_suffix(n), new_names) names.update(new_names) - names.add(filename.rstrip(".")) if len(names) >= 1: - return common_suffix(names) + # Hack: Just pick an arbitrary suffix for now. Do something cleverer later. + return names.pop() else: return "" @@ -134,6 +140,7 @@ def min_tls_version(mail_domain): return min(protocols) def collect(mail_domain): + print "Checking domain %s" % mail_domain mkdirp(mail_domain) answers = dns.resolver.query(mail_domain, 'MX') for rdata in answers: @@ -143,7 +150,7 @@ def collect(mail_domain): if __name__ == '__main__': """Consume a target list of domains and output a configuration file for those domains.""" if len(sys.argv) == 1: - print("Please pass at least one mail domain as an argument") + print("Usage: CheckSTARTTLS.py list-of-domains.txt > output.json") config = { "address-domains": { @@ -151,14 +158,16 @@ if __name__ == '__main__': "mx-domains": { } } - for domain in sys.argv[1:]: - collect(domain) + for domain in open(sys.argv[1]).readlines(): + domain = domain.strip() + if not os.path.exists(domain): + collect(domain) if len(os.listdir(domain)) == 0: continue suffix = check_certs(domain) min_version = min_tls_version(domain) if suffix != "": - suffix_match = "*." + suffix + suffix_match = "." + suffix config["address-domains"][domain] = { "accept-mx-domains": [suffix_match] } @@ -167,4 +176,4 @@ if __name__ == '__main__': "min-tls-version": min_version } - print json.dumps(config, indent=2) + print json.dumps(config, indent=2, sort_keys=True) diff --git a/starttls-everywhere.json b/starttls-everywhere.json index d00859d8c..5dd487f9a 100644 --- a/starttls-everywhere.json +++ b/starttls-everywhere.json @@ -1,128 +1,18 @@ { - "tls-policies": { - ".mx.aol.com": { - "min-tls-version": "TLSv1", - "require-tls": true - }, - ".psmtp.com": { - "min-tls-version": "TLSv1", - "require-tls": true - }, - ".ukr.net": { - "min-tls-version": "TLSv1.1", - "require-tls": true - }, - ".interia.pl": { - "min-tls-version": "TLSv1", - "require-tls": true - }, - ".gmx.net": { - "min-tls-version": "TLSv1.1", - "require-tls": true - }, - ".web.de": { - "min-tls-version": "TLSv1.1", - "require-tls": true - }, - ".marktplaats.nl": { - "min-tls-version": "TLSv1.1", - "require-tls": true - }, - ".wp.pl": { - "min-tls-version": "TLSv1.1", - "require-tls": true - }, - ".yahoodns.net": { - "min-tls-version": "TLSv1", - "require-tls": true - }, - ".t-online.de": { - "min-tls-version": "TLSv1.1", - "require-tls": true - }, - ".rambler.ru": { - "min-tls-version": "TLSv1.1", - "require-tls": true - }, - ".t.facebook.com": { - "min-tls-version": "TLSv1", - "require-tls": true - } - }, - "acceptable-mxs": { - "yahoo.co.uk": { + "address-domains": { + "craigslist.org": { "accept-mx-domains": [ - ".yahoodns.net" + ".craigslist.org" ] }, - "rocketmail.com": { + "gmail.com": { "accept-mx-domains": [ - ".yahoodns.net" + ".google.com" ] }, - "web.de": { + "interia.pl": { "accept-mx-domains": [ - ".web.de" - ] - }, - "sbcglobal.net": { - "accept-mx-domains": [ - ".yahoodns.net" - ] - }, - "aol.com": { - "accept-mx-domains": [ - ".mx.aol.com" - ] - }, - "facebook.com": { - "accept-mx-domains": [ - ".t.facebook.com" - ] - }, - "sompo-japan.co.jp": { - "accept-mx-domains": [ - ".psmtp.com" - ] - }, - "salesforce.com": { - "accept-mx-domains": [ - ".psmtp.com" - ] - }, - "rambler.ru": { - "accept-mx-domains": [ - ".rambler.ru" - ] - }, - "t-online.de": { - "accept-mx-domains": [ - ".t-online.de" - ] - }, - "gmx.net": { - "accept-mx-domains": [ - ".gmx.net" - ] - }, - "gmx.de": { - "accept-mx-domains": [ - ".gmx.net" - ] - }, - "ukr.net": { - "accept-mx-domains": [ - ".ukr.net" - ] - }, - "rogers.com": { - "accept-mx-domains": [ - ".yahoodns.net" - ] - }, - "ymail.com": { - "accept-mx-domains": [ - ".yahoodns.net" + ".interia.pl" ] }, "marktplaats.nl": { @@ -130,10 +20,107 @@ ".marktplaats.nl" ] }, - "interia.pl": { + "rambler.ru": { "accept-mx-domains": [ - ".interia.pl" + ".rambler.ru" ] + }, + "rocketmail.com": { + "accept-mx-domains": [ + ".yahoo.com" + ] + }, + "rogers.com": { + "accept-mx-domains": [ + ".yahoo.com" + ] + }, + "salesforce.com": { + "accept-mx-domains": [ + ".psmtp.com" + ] + }, + "sbcglobal.net": { + "accept-mx-domains": [ + ".yahoo.com" + ] + }, + "sompo-japan.co.jp": { + "accept-mx-domains": [ + ".psmtp.com" + ] + }, + "t-online.de": { + "accept-mx-domains": [ + ".t-online.de" + ] + }, + "wp.pl": { + "accept-mx-domains": [ + ".wp.pl" + ] + }, + "yahoo.co.uk": { + "accept-mx-domains": [ + ".yahoo.com" + ] + }, + "yahoo.com": { + "accept-mx-domains": [ + ".yahoo.com" + ] + }, + "yandex.ru": { + "accept-mx-domains": [ + ".yandex.ru" + ] + }, + "ymail.com": { + "accept-mx-domains": [ + ".yahoo.com" + ] + } + }, + "mx-domains": { + ".craigslist.org": { + "min-tls-version": "TLSv1.1", + "require-tls": true + }, + ".google.com": { + "min-tls-version": "TLSv1.1", + "require-tls": true + }, + ".interia.pl": { + "min-tls-version": "TLSv1", + "require-tls": true + }, + ".marktplaats.nl": { + "min-tls-version": "TLSv1.1", + "require-tls": true + }, + ".psmtp.com": { + "min-tls-version": "TLSv1", + "require-tls": true + }, + ".rambler.ru": { + "min-tls-version": "TLSv1.1", + "require-tls": true + }, + ".t-online.de": { + "min-tls-version": "TLSv1.1", + "require-tls": true + }, + ".wp.pl": { + "min-tls-version": "TLSv1.1", + "require-tls": true + }, + ".yahoo.com": { + "min-tls-version": "TLSv1.1", + "require-tls": true + }, + ".yandex.ru": { + "min-tls-version": "TLSv1.1", + "require-tls": true } } } From 6a40e1964b98ba19709055600278807718bac899 Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Thu, 7 Aug 2014 15:05:10 -0400 Subject: [PATCH 055/256] Notice if there are no "Trusted" entries. --- PostfixLogSummary.py | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/PostfixLogSummary.py b/PostfixLogSummary.py index e13c230aa..daec93db0 100755 --- a/PostfixLogSummary.py +++ b/PostfixLogSummary.py @@ -6,18 +6,24 @@ import collections import ConfigParser def get_counts(input, config): + seen_trusted = False + counts = collections.defaultdict(lambda: collections.defaultdict(int)) r = re.compile("([A-Za-z]+) TLS connection established to ([^[]*)") for line in sys.stdin: result = r.search(line) if result: validation = result.group(1) - mx_hostname = result.group(2) + mx_hostname = result.group(2).lower() + if validation == "Trusted" or validation == "Verified": + seen_trusted = True address_domains = config.get_address_domains(mx_hostname) if address_domains: for d in address_domains: counts[d][validation] += 1 counts[d]["all"] += 1 + if not seen_trusted: + print "Didn't see any trusted connections. Need to install some certs?" return counts def print_summary(counts): @@ -25,7 +31,7 @@ def print_summary(counts): for validation, validation_count in validations.items(): if validation == "all": continue - print mx_hostname, validation, validation_count / validations["all"] + print mx_hostname, validation, validation_count / validations["all"], "of", validations["all"] if __name__ == "__main__": config = ConfigParser.Config("starttls-everywhere.json") From bdd4d01dc73f6c91af07531304584348dbf0d22d Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Thu, 7 Aug 2014 16:57:51 -0400 Subject: [PATCH 056/256] Update and sort golden-domains.txt, commit google-starttls-domains.csv --- golden-domains.txt | 50 +- google-starttls-domains.csv | 6734 +++++++++++++++++++++++++++++++++++ 2 files changed, 6763 insertions(+), 21 deletions(-) create mode 100644 google-starttls-domains.csv diff --git a/golden-domains.txt b/golden-domains.txt index d340f23e4..bca6d2f89 100644 --- a/golden-domains.txt +++ b/golden-domains.txt @@ -1,24 +1,32 @@ -ymail.com -yandex.ru -yahoo.co.uk -wp.pl -web.de -vtext.com -ukr.net -t-online.de -sompo-japan.co.jp -sbcglobal.net -salesforce.com -rogers.com -rocketmail.com -rambler.ru -marktplaats.nl -interia.pl -gmx.net -gmx.de -facebook.com -craigslist.org -bigpond.com +163.com aol.com +bigpond.com +comcast.net +craigslist.org +facebook.com gmail.com +gmx.de +hotmail.com +icloud.com +live.com +mac.com +me.com +msn.com +naver.com +outlook.com +qq.com +rocketmail.com +rogers.com +salesforce.com +sbcglobal.net +shaw.ca +sympatico.ca +t-online.de +ukr.net +vtext.com +web.de +wp.pl yahoo.com +yahoogroups.com +yandex.ru +ymail.com diff --git a/google-starttls-domains.csv b/google-starttls-domains.csv new file mode 100644 index 000000000..5d6a00f17 --- /dev/null +++ b/google-starttls-domains.csv @@ -0,0 +1,6734 @@ +Address Suffix,Hostname Suffix,Direction,UN M.49 Region Code,Region Name,Fraction Encrypted +0101.co.jp,0101.co.jp,inbound,001,World,0 +04auto.biz,01auto.biz,inbound,001,World,0 +0bz.biz,hmts.jp,inbound,001,World,0 +1-day.co.nz,1-day.co.nz,inbound,001,World,0 +104.com.tw,104.com.tw,inbound,001,World,0.091112 +1105info.com,1105info.com,inbound,001,World,0 +1111.com.tw,1111.com.tw,inbound,001,World,0 +123.com.tw,123.com.tw,inbound,001,World,0 +12manage.com,netarrest.com,inbound,001,World,0.99998 +160by2.us,160by2.us,inbound,001,World,0 +160by2inbox.com,160by2inbox.com,inbound,001,World,0 +160by2invite.com,160by2invite.com,inbound,001,World,0 +160by2mail.com,160by2mail.com,inbound,001,World,0 +163.com,163.com,inbound,001,World,0.711306 +163.com,netease.com,outbound,001,World,1 +17life.com.tw,17life.com.tw,inbound,001,World,0 +1800flowersinc.com,1800flowersinc.com,inbound,001,World,0 +1800petmeds.com,1800petmeds.com,inbound,001,World,0.00599 +1lejend.com,asumeru.com,inbound,001,World,0 +1lejend.com,asumeru001.com,inbound,001,World,0 +1sale.com,1sale.com,inbound,001,World,0 +1v1y.com,euromsg.net,inbound,001,World,0 +2touchbase.com,infimail.com,inbound,001,World,0 +33go.com.tw,33go.com.tw,inbound,001,World,0 +3suisses.be,3suisses.be,inbound,001,World,0 +3suisses.fr,3suisses.fr,inbound,001,World,0 +4shared.com,4shared.com,inbound,001,World,0.999946 +4wheelparts.com,4wheelparts.com,inbound,001,World,0 +518.com.tw,518.com.tw,inbound,001,World,0 +6pm.com,6pm.com,inbound,001,World,1 +6pm.com,zappos.com,inbound,001,World,0.782581 +7net.com.tw,7net.com.tw,inbound,001,World,0 +99acres.com,99acres.com,inbound,001,World,0 +9dot9digital.in,emce2.in,inbound,001,World,0 +a8.net,a8.net,inbound,001,World,0 +aaa.com,nextjump.com,inbound,001,World,0 +aaas-science.org,aaas-science.org,inbound,001,World,0 +aafes.com,aafes.com,inbound,001,World,0 +aanotifier.nl,aanotifier.nl,inbound,001,World,0 +aarp.org,aarp.org,inbound,001,World,0.006249 +ab0.jp,altovision.co.jp,inbound,001,World,0 +abercrombie-email.com,abercrombie-email.com,inbound,001,World,0 +abercrombiekids-email.com,abercrombie-email.com,inbound,001,World,0 +about.com,about.com,inbound,001,World,2.4e-05 +about.com,sailthru.com,inbound,001,World,0 +academy-enews.com,academy-enews.com,inbound,001,World,0 +accenture.com,outlook.com,inbound,001,World,1 +accountonline.com,accountonline.com,inbound,001,World,0.348991 +acehelpfulemails.com,teradatadmc.com,inbound,001,World,0 +acemserv.com,acemserv.com,inbound,001,World,0 +activesafelist.com,zoothost.com,inbound,001,World,0 +activetrail.com,atmailsvr.net,inbound,001,World,0 +activetrail.com,mymarketing.co.il,inbound,001,World,0 +actorsaccess.com,nonfatmedia.com,inbound,001,World,0 +adchiever.com,kinder-rash-marketing.com,inbound,001,World,0 +adidas.com,neolane.net,inbound,001,World,0 +adidasusnews.com,adidasusnews.com,inbound,001,World,0 +adityabirla.com,adityabirla.com,inbound,001,World,0.006468 +adjockeys.com,thomas-j-brown.com,inbound,001,World,0 +admail.hu,sanomaonline.hu,inbound,001,World,0 +admastersafelist.com,zoothost.com,inbound,001,World,0 +adminforfree.com,adminforfree.com,inbound,001,World,1 +adminforfree.net,adminforfree.com,inbound,001,World,1 +administrativejobinsider.com,administrativejobinsider.com,inbound,001,World,0 +adobe.com,obsmtp.com,inbound,001,World,0.999986 +adobesystems.com,adobesystems.com,inbound,001,World,0 +adorama.com,adorama.com,inbound,001,World,0 +adoreme.com,exacttarget.com,inbound,001,World,0 +adp.com,adp.com,inbound,001,World,1 +adpirate.net,thomas-j-brown.com,inbound,001,World,0 +adsender.us,adsender.us,inbound,001,World,0 +adsolutionline.com,adsolutionline.com,inbound,001,World,0 +adtpulse.com,adtpulse.com,inbound,001,World,0 +adultfriendfinder.com,friendfinder.com,inbound,001,World,0 +advanceauto.com,bigfootinteractive.com,inbound,001,World,0 +advantagebusinessmedia.com,advantagebusinessmedia.com,inbound,001,World,0 +adverts.ie,adverts.ie,inbound,001,World,1 +advfn.com,advfn.com,inbound,001,World,0.635382 +ae.com,ae.com,inbound,001,World,0 +aexp.com,aexp.com,inbound,001,World,1 +af.mil,af.mil,inbound,001,World,0.996166 +affairalert.com,iverificationsystems.com,inbound,001,World,0 +agnitas.de,agnitas.de,inbound,001,World,0.999277 +agoda-emails.com,agoda-emails.com,inbound,001,World,0 +agora.co.il,1host.co.il,inbound,001,World,0 +agorafinancial.com,agorafinancial.com,inbound,001,World,0 +agrupemonos.cl,agrupemonos.cl,inbound,001,World,1 +airbnb.com,airbnb.com,inbound,001,World,0.867975 +airbrake.io,mailgun.net,inbound,001,World,1 +airfarewatchdog.com,smartertravelmedia.com,inbound,001,World,0.011961 +airliquide.com,airliquide.com,inbound,001,World,1 +airmiles.ca,bigfootinteractive.com,inbound,001,World,0 +airtel.com,airtel.in,inbound,001,World,0.064377 +akcijatau.lt,akcijatau.lt,inbound,001,World,0 +alarm.com,alarm.com,inbound,001,World,0 +alarmnet.com,alarmnet.com,inbound,001,World,0 +alaskaair.com,alaskaair.com,inbound,001,World,0 +albertsonsemail.com,email4-mywebgrocer.com,inbound,001,World,0 +alerteimmo.com,alerteimmo.com,inbound,001,World,0 +alertid.com,alertid.com,inbound,001,World,0 +alertsindia.in,alertsindia.in,inbound,001,World,1 +alibaba.com,alibaba.com,inbound,001,World,0 +alice.it,alice.it,inbound,001,World,0 +alice.it,aliceposta.it,outbound,001,World,0 +aliexpress.com,alibaba.com,inbound,001,World,0 +alinea.fr,bp06.net,inbound,001,World,0 +alipay.com,alipay.com,inbound,001,World,1 +allegro.pl,allegro.pl,inbound,001,World,0 +allegrogroup.ua,allegrogroup.ua,inbound,001,World,0 +allegroup.hu,allegroup.hu,inbound,001,World,0 +allheart.com,allheart.com,inbound,001,World,0 +alljob.co.il,alljob.co.il,inbound,001,World,0 +allmodern.com,allmodern.com,inbound,001,World,0 +allout.org,allout.org,inbound,001,World,1 +allrecipes.com,allrecipes.com,inbound,001,World,0 +allsaints.com,allsaints.com,inbound,001,World,0 +allstate.com,rsys1.com,inbound,001,World,0 +alm.com,sailthru.com,inbound,001,World,0 +alumniclass.com,alumniclass.com,inbound,001,World,0 +alumniconnections.com,alumniconnections.com,inbound,001,World,0 +alza.cz,alza.cz,inbound,001,World,0.039449 +alza.sk,alza.cz,inbound,001,World,0.027725 +ama-assn.org,elabs10.com,inbound,001,World,0 +amadeus.com,amadeus.net,inbound,001,World,0 +amazon.{...},amazon.{...},inbound,001,World,0.020886 +amazon.{...},amazonses.com,inbound,001,World,0.999971 +amazon.{...},postini.com,inbound,001,World,0.7325 +amazon.{...},yahoo.{...},inbound,001,World,0.995995 +amazonses.com,amazonses.com,inbound,001,World,0.997919 +amazonses.com,postini.com,inbound,001,World,0.843221 +amctheatres.com,amctheatres.com,inbound,001,World,0 +americanas.com,americanas.com,inbound,001,World,0 +americanbar.org,abanet.org,inbound,001,World,0.00574 +americanexpress.com,americanexpress.com,inbound,001,World,0.000688 +americanpublicmediagroup.org,americanpublicmediagroup.org,inbound,001,World,0 +amubm.com,amubm.com,inbound,001,World,1 +amwayemail.com,mailrouter.net,inbound,001,World,1 +ana.co.jp,ana.co.jp,inbound,001,World,0.534416 +ancestry.com,ancestry.com,inbound,001,World,0 +andrewchristian.com,emv8.com,inbound,001,World,0 +angelbroking.in,infimail.com,inbound,001,World,0 +anghami.com,mailgun.net,inbound,001,World,1 +angieslist.com,angieslist.com,inbound,001,World,0.014064 +anntaylor.com,anntaylor.com,inbound,001,World,0 +anpasia.com,anpasia.com,inbound,001,World,0 +anpdm.com,anpdm.com,inbound,001,World,6e-06 +anthropologie.com,freepeople.com,inbound,001,World,0 +aol.com,aol.com,inbound,001,World,0.999529 +aol.com,aol.com,outbound,001,World,0.999992 +aol.com,sailthru.com,inbound,001,World,0 +aol.net,aol.com,inbound,001,World,1 +apache.org,apache.org,inbound,001,World,0 +apnacomplex.com,apnacomplex.com,inbound,001,World,0.999981 +apple.com,apple.com,inbound,001,World,0.974422 +apply-4-jobs.com,apply-4-jobs.com,inbound,001,World,0 +aprovaconcursos.com.br,eadunicid.com.br,inbound,001,World,0 +aptmail.in,mailurja.com,inbound,001,World,0 +ara.cat,ara.cat,inbound,001,World,0.997709 +arcamax.com,arcamax.com,inbound,001,World,1.4e-05 +argos.co.uk,argos.co.uk,inbound,001,World,1 +argos.co.uk,exacttarget.com,inbound,001,World,1 +aritzia.com,aritzia.com,inbound,001,World,0 +armaniexchange.com,bronto.com,inbound,001,World,0 +artists-hub.com,artists-hub.com,inbound,001,World,0 +artscow.com,dyxnet.com,inbound,001,World,0.00062 +aruba.it,aruba.it,inbound,001,World,0.055666 +asadventure.com,asadventure.com,inbound,001,World,0 +asana.com,asana.com,inbound,001,World,1 +asda.com,ec-cluster.com,inbound,001,World,0 +ashampoo.com,ashampoo.com,inbound,001,World,1 +ashleymadison.com,ashleymadison.com,inbound,001,World,1 +ask.fm,ask.fm,inbound,001,World,1e-05 +askmen.com,askmen.com,inbound,001,World,0 +asos.com,asos.com,inbound,001,World,0 +assembla.com,assembla.com,inbound,001,World,1 +astrocenter.com,center.com,inbound,001,World,0 +astrology.com,astrology.com,inbound,001,World,0 +astrology.com,hsnlmailsvc.com,inbound,001,World,0 +astrology.com,webstakes.com,inbound,001,World,0 +astrology.com,wsafmailsvc.com,inbound,001,World,0 +asus.com,asus.com,inbound,001,World,0 +aswatson.com,emarsys.net,inbound,001,World,0 +athleta.com,athleta.com,inbound,001,World,0 +atlassian.net,uc-inf.net,inbound,001,World,1 +atrapalo.cl,atrapalo.com,inbound,001,World,0 +atrapalo.com,atrapalo.com,inbound,001,World,0 +att-mail.com,att-mail.com,inbound,001,World,2.2e-05 +att-mail.com,att.com,inbound,001,World,0.999966 +att.net,att.net,outbound,001,World,0.204629 +att.net,mycingular.net,inbound,001,World,0.00021 +att.net,yahoo.{...},inbound,001,World,0.99997 +auctionzip-email.com,email-auctionholdings.com,inbound,001,World,0 +auinmeio.com.br,fnac.com.br,inbound,001,World,0 +australiagsm.net,australiagsm.net,inbound,001,World,0 +authorize.net,authorize.net,inbound,001,World,0 +authorize.net,visa.com,inbound,001,World,0.993558 +autoloop.us,loop28.com,inbound,001,World,0 +autoreply.com,autoreply.com,inbound,001,World,0 +avaaz.org,avaaz.org,inbound,001,World,0 +avalanchesafelist.com,zoothost.com,inbound,001,World,0 +avast.com,avast.com,inbound,001,World,0.007867 +aveda.com,esteelauder.com,inbound,001,World,0 +avenue.com,avenue.com,inbound,001,World,0 +avg.com,avg.com,inbound,001,World,0.015703 +avira.com,avira.com,inbound,001,World,0.042528 +avito.ru,avito.ru,inbound,001,World,0.002677 +avomail.com,avomail.com,inbound,001,World,0 +avon.com,email-avonglobal.com,inbound,001,World,0 +avon.com,postdirect.com,inbound,001,World,0 +aweber.com,aweber.com,inbound,001,World,3e-06 +ayi.com,ayi.com,inbound,001,World,0 +b2b-mail.net,b2b-mail.net,inbound,001,World,0 +b2b-mail.net,contact-list.net,inbound,001,World,0 +babycenter.com,rsys3.com,inbound,001,World,0 +babyoye.com,babyoye.com,inbound,001,World,0.011564 +backcountry.com,backcountry.com,inbound,001,World,0 +backlog.jp,backlog.jp,inbound,001,World,0 +badoo.com,monopost.com,inbound,001,World,1 +bagitgetitmailer.in,emce2.in,inbound,001,World,0 +baligam.co.il,baligam.co.il,inbound,001,World,1 +balsamik.fr,balsamik.fr,inbound,001,World,0 +banamex.com,citi.com,inbound,001,World,0.999958 +banamex.com,ibrands.es,inbound,001,World,0 +bananarepublic.com,bananarepublic.com,inbound,001,World,3.48869418874254e-07 +bancoahorrofamsa.com,avantel.net.mx,inbound,001,World,1 +bancochile.cl,bancochile.cl,inbound,001,World,0.999504 +bancofalabella.com,bancofalabella.com,inbound,001,World,0 +bancomer.com,postini.com,inbound,001,World,5.9e-05 +bancomercorreo.com,bancomercorreo.com,inbound,001,World,0 +bandsintown.com,bandsintown.com,inbound,001,World,1 +banesco.com,banesco.com,inbound,001,World,0 +bankofamerica.com,bankofamerica.com,inbound,001,World,0.97133 +banorte.com,gfnorte.com.mx,inbound,001,World,0.994999 +barclaycard.co.uk,barclays.co.uk,inbound,001,World,0 +barclaycardus.com,bigfootinteractive.com,inbound,001,World,0 +barenecessities.com,barenecessities.com,inbound,001,World,0 +barleyment.ca,barleyment.ca,inbound,001,World,0 +barneys.com,barneys.com,inbound,001,World,0 +baseballsavings.com,baseballsavings.com,inbound,001,World,0 +basecamp.com,basecamp.com,inbound,001,World,1 +basecamphq.com,basecamphq.com,inbound,001,World,1 +baskinrobbins.com,baskinrobbins.com,inbound,001,World,0 +basspronews.com,basspronews.com,inbound,001,World,0 +bathandbodyworks.com,bathandbodyworks.com,inbound,001,World,0 +baublebar.com,baublebar.com,inbound,001,World,0.011219 +baycrews.co.jp,webcas.net,inbound,001,World,0 +bayt.com,bayt.com,inbound,001,World,2e-06 +bazarchic-invitations.com,bazarchic-emstech.com,inbound,001,World,0 +bbvacompass.com,postini.com,inbound,001,World,0.996402 +bcbg.com,bcbg.com,inbound,001,World,0 +bci.cl,bci.cl,inbound,001,World,0.999963 +bcp.com.pe,bcp.com.pe,inbound,001,World,1 +be2.com,nmp1.net,inbound,001,World,0 +beamtele.com,beamtele.com,inbound,001,World,0 +beanfun.com,beanfun.com,inbound,001,World,1 +beatport-email.com,beatport-email.com,inbound,001,World,0 +beautylish.com,beautylish.com,inbound,001,World,1 +bebe.com,ed10.com,inbound,001,World,0 +befrugal.com,befrugal.com,inbound,001,World,0.050462 +belkemail.com,belkemail.com,inbound,001,World,0 +bellsouth.net,att.net,outbound,001,World,0 +bellsouth.net,yahoo.{...},inbound,001,World,0.999967 +belluna.net,belluna.net,inbound,001,World,0 +benihana-news.com,benihana-news.com,inbound,001,World,0 +bergdorfgoodmanemail.com,neimanmarcusemail.com,inbound,001,World,0 +bespokeoffers.co.uk,chtah.net,inbound,001,World,0 +bestbuy.ca,bestbuy.ca,inbound,001,World,0 +bestbuy.com,bestbuy.com,inbound,001,World,0.003289 +bestdealsforyou.in,elabs5.com,inbound,001,World,0 +beta.lt,mailersend3.com,inbound,001,World,0 +betrend.com,betrend.com,inbound,001,World,0 +bevmo.com,bevmo.com,inbound,001,World,0.000967 +beyondtherack.com,beyondtherack.com,inbound,001,World,0 +bharatmatrimony.com,bharatmatrimony.com,inbound,001,World,1 +bhcosmetics.com,bronto.com,inbound,001,World,0 +bhg.com,meredith.com,inbound,001,World,0 +bigfishgames.com,bigfishgames.com,inbound,001,World,0 +biglion.ru,biglion.ru,inbound,001,World,0.999775 +biglist.com,biglist.com,inbound,001,World,0 +biglots.com,biglots.com,inbound,001,World,0.00029 +bigmailsender.com,bigmailsender.com,inbound,001,World,0 +bigpond.com,bigpond.com,inbound,001,World,0 +bigpond.com,bigpond.com,outbound,001,World,1 +bigtent.com,carezen.net,inbound,001,World,0 +bioagri.com.br,postini.com,inbound,001,World,0.991765 +biomedcentral.com,emv5.com,inbound,001,World,0 +bionexo.com,bionexo.com.br,inbound,001,World,0.999594 +birthdayalarm.com,monkeyinferno.net,inbound,001,World,0 +bitbucket.org,bitbucket.org,inbound,001,World,0 +bitlysupport.com,mailgun.info,inbound,001,World,1 +bitlysupport.com,mailgun.us,inbound,001,World,1 +bitslane.email,bitslane.email,inbound,001,World,0 +bitstatement.org,bitstatement.org,inbound,001,World,1 +bizjournals.com,bizjournals.com,inbound,001,World,0 +bizmailtoday.com,bizmailtoday.com,inbound,001,World,0 +bjs.com,bjs.com,inbound,001,World,0 +bjsrestaurants.com,bjsrestaurants.com,inbound,001,World,0 +bk.ru,mail.ru,inbound,001,World,0.992498 +blablacar.com,blablacar.com,inbound,001,World,1 +blackberry.com,blackberry.com,inbound,001,World,0 +blackboard.com,blackboard.com,inbound,001,World,0.998206 +blackboard.com,notification.com,inbound,001,World,0 +blackpeoplemeet.com,blackpeoplemeet.com,inbound,001,World,0 +blayn.jp,bserver.jp,inbound,001,World,0 +blinkboxmusic.com,mediagraft.com,inbound,001,World,1 +blissworld.com,lstrk.net,inbound,001,World,1 +blizzard.com,battle.net,inbound,001,World,0.11977 +bloglovin.com,bloglovin.com,inbound,001,World,0.000154 +blogtrottr.com,blogtrottr.com,inbound,001,World,0 +bloomberg.com,bloomberg.com,inbound,001,World,0.00501 +bloomberg.net,bloomberg.net,inbound,001,World,1 +bloomingdales.com,bloomingdales.com,inbound,001,World,0 +bloomingdalesoutlets.com,bloomingdalesoutlets.com,inbound,001,World,0 +blue-compass.com,blue-compass.com,inbound,001,World,0 +bluediamondhost3.com,web-hosting.com,inbound,001,World,1 +bluehornet.com,bluehornet.com,inbound,001,World,0 +bluehost.com,bluehost.com,inbound,001,World,0.000943 +bluehost.com,hostmonster.com,inbound,001,World,0 +bluehost.com,unifiedlayer.com,inbound,001,World,1.6e-05 +bluenile.com,bluenile.com,inbound,001,World,0 +blueshellgames.com,blueshellgames.com,inbound,001,World,0 +bluestatedigital.com,bluestatedigital.com,inbound,001,World,0 +bluestonemx.com,bluestonemx.com,inbound,001,World,1 +bm05.net,bm05.net,inbound,001,World,0 +bm23.com,bronto.com,inbound,001,World,0 +bm324.com,bronto.com,inbound,001,World,0 +bmdeda99.com,bmdeda99.com,inbound,001,World,0 +bme.jp,bserver.jp,inbound,001,World,0 +bmnt.jp,bmnt.jp,inbound,001,World,0 +bmsend.com,bmsend.com,inbound,001,World,0 +bn.com,bn.com,inbound,001,World,0 +bncollegemail.com,bncollegemail.com,inbound,001,World,0 +bnetmail.com,bnetmail.com,inbound,001,World,0 +bol.com.br,bol.com.br,inbound,001,World,0 +bol.com.br,bol.com.br,outbound,001,World,0 +boletinrenuevo.com,boletinrenuevo.com,inbound,001,World,0 +bolsfr.fr,colt.net,inbound,001,World,0 +bomnegocio.com,bomnegocio.com,inbound,001,World,0.687113 +bonobos.com,bronto.com,inbound,001,World,0 +bonuszbrigad.hu,bonuszbrigad.hu,inbound,001,World,0 +boohooemail.com,smartfocusdigital.net,inbound,001,World,0 +bookbub.com,bookbub.com,inbound,001,World,1 +booking.com,booking.com,inbound,001,World,1 +bookingbuddy.com,smartertravelmedia.com,inbound,001,World,0.000486 +bookmyshow.com,eccluster.com,inbound,001,World,0 +bookoffonline.co.jp,bookoffonline.co.jp,inbound,001,World,0 +boomtownroi.com,boomtownroi.com,inbound,001,World,0 +boots.com,boots.com,inbound,001,World,0 +boscovs.com,boscovs.com,inbound,001,World,0 +bostonproper.com,bostonproper.com,inbound,001,World,0 +bouncemanager.it,musvc.com,inbound,001,World,0.362026 +boutiquesecret.com,chtah.net,inbound,001,World,0 +box.com,box.com,inbound,001,World,0.955607 +br.com,cmailsys.com,inbound,001,World,0 +bradfordexchange.com,bradfordexchange.com,inbound,001,World,0 +bradsdeals.com,bradsdeals.com,inbound,001,World,0 +brandalley.com,brandalley.com,inbound,001,World,0 +brands4friends.de,emv5.com,inbound,001,World,0 +brands4friends.jp,webcas.net,inbound,001,World,0 +brandsfever.com,mailgun.net,inbound,001,World,1 +brandsvillage.net,brandsvillage.net,inbound,001,World,0 +brassring.com,brassring.com,inbound,001,World,0.999989 +briantracyintl.com,briantracyintl.com,inbound,001,World,0 +brierleycrm.com,brierleycrm.com,inbound,001,World,0 +brijj.com,brijj.com,inbound,001,World,0 +brincltd.com,brincltd.com,inbound,001,World,0 +bronto.com,bronto.com,inbound,001,World,0 +brooksbrothers.com,brooksbrothers.com,inbound,001,World,0 +bsf01.com,bsftransmit33.com,inbound,001,World,0 +bt.com,bt.com,inbound,001,World,0.409404 +btinternet.com,cpcloud.co.uk,inbound,001,World,0 +btinternet.com,cpcloud.co.uk,outbound,001,World,0 +btinternet.com,yahoo.{...},inbound,001,World,0.99998 +budgettravel.com,email-budgettravel.com,inbound,001,World,0 +buffalo.edu,buffalo.edu,inbound,001,World,0.001059 +bumeran.com,bumeran.com,inbound,001,World,0 +burlingtoncoatfactory.com,burlingtoncoatfactory.com,inbound,001,World,0 +burton.co.uk,burton.co.uk,inbound,001,World,0 +buscojobs.com,amazonaws.com,inbound,001,World,0 +buy123.com.tw,buy123.com.tw,inbound,001,World,1 +buyinvite.com.au,buyinvite.com.au,inbound,001,World,0 +buyma.com,buyma.com,inbound,001,World,0 +bv.com.br,bv.com.br,inbound,001,World,0 +bweeble.com,adlabsinc.com,inbound,001,World,0 +byway.it,byway.it,inbound,001,World,0 +bzm.mobi,nmsrv.com,inbound,001,World,1 +c21stores.com,c21stores.com,inbound,001,World,0 +ca.gov,ca.gov,inbound,001,World,0.694242 +cabelas.com,cabelas.com,inbound,001,World,0 +cabestan.com,cab07.net,inbound,001,World,0 +cadremploi.fr,cadremploi.fr,inbound,001,World,0 +cafepress.com,cafepress.com,inbound,001,World,0.000778 +caixa.gov.br,caixa.gov.br,inbound,001,World,0 +californiajobdepartment.com,californiajobdepartment.com,inbound,001,World,0 +californiapsychicsemail.com,californiapsychicsemail.com,inbound,001,World,0 +callcommand.com,callcommand.com,inbound,001,World,0 +calottery.com,calottery.com,inbound,001,World,0.999517 +cam2life.com,hinet.net,inbound,001,World,0 +camel.com,rjrsignup.com,inbound,001,World,0 +camsonline.com,camsonline.com,inbound,001,World,0.136261 +canadiantire.ca,canadiantire.ca,inbound,001,World,0 +canadianvisaexpert.net,canadianvisaexpert.net,inbound,001,World,0 +canalplus.es,canalplus.es,inbound,001,World,0 +cancer.org,delivery.net,inbound,001,World,0 +capillary.co.in,capillary.co.in,inbound,001,World,1 +capitalone.com,bigfootinteractive.com,inbound,001,World,0 +capitalone360.com,ingdirect.com,inbound,001,World,0 +capitaloneemail.com,capitaloneemail.com,inbound,001,World,0 +cardsys.at,cardsys.at,inbound,001,World,1 +care.com,care.com,inbound,001,World,0 +care2.com,care2.com,inbound,001,World,0 +career-hub.net,career-hub.net,inbound,001,World,1 +careerage.com,careerage.com,inbound,001,World,0 +careerbuilder-email.com,careerbuilder-email.com,inbound,001,World,0 +careerbuilder.com,careerbuilder.com,inbound,001,World,0.000449 +careerflash.net,careerflash.net,inbound,001,World,1 +careers24.com,careers24.com,inbound,001,World,0 +careesma.in,careesma.in,inbound,001,World,0 +carmamail.com,carmamail.com,inbound,001,World,0 +carnivalfunmail.com,carnivalfunmail.com,inbound,001,World,0 +carolsdaughter.com,carolsdaughter.com,inbound,001,World,0 +carrefour.fr,carrefour.fr,inbound,001,World,0 +carters.com,carters.com,inbound,001,World,0.003931 +cartrade.com,cartrade.com,inbound,001,World,0.006389 +carwale.com,carwale.com,inbound,001,World,0 +casasbahia.com.br,casasbahia.com.br,inbound,001,World,0 +case.edu,cwru.edu,inbound,001,World,0.999942 +caseyresearch.com,caseyresearch.com,inbound,001,World,1 +castingnetworks.com,castingnetworks.com,inbound,001,World,0.000102 +catchoftheday.com.au,inxserver.de,inbound,001,World,1 +catchyfreebies.net,mmsend53.com,inbound,001,World,0 +catererglobal.com,madgexjb.com,inbound,001,World,0 +caterermail.com,totaljobsmail.co.uk,inbound,001,World,0 +cathkidston.com,cathkidston.co.uk,inbound,001,World,0 +causes.com,causes.com,inbound,001,World,1 +cb2.com,cb2.com,inbound,001,World,0 +cbsig.net,cbsig.net,inbound,001,World,1 +ccavenue.com,avenues.info,inbound,001,World,1 +ccbchurch.com,ccbchurch.com,inbound,001,World,1 +cccampaigns.com,emv5.com,inbound,001,World,0 +cccampaigns.com,emv8.com,inbound,001,World,0 +cccampaigns.net,01net.com,inbound,001,World,0 +cccampaigns.net,cccampaigns.net,inbound,001,World,0 +cccampaigns.net,emv4.net,inbound,001,World,0 +cccampaigns.net,emv9.net,inbound,001,World,0 +ccialerts.com,ccialerts.com,inbound,001,World,0 +ccmbg.com,benchmark.fr,inbound,001,World,0 +ccs.com,footlocker.com,inbound,001,World,2.5e-05 +cdongroup.com,cdongroup.com,inbound,001,World,0.000147 +cecentertainment.com,cecentertainment.com,inbound,001,World,0 +celebritycruises.com,celebritycruises.com,inbound,001,World,0 +cenlat.com,cenlat.com,inbound,001,World,0.064459 +centaur.co.uk,centaur.co.uk,inbound,001,World,0 +centauro.com.br,centauro.com.br,inbound,001,World,0 +centerparcs.co.uk,ec-cluster.com,inbound,001,World,0 +cerberusapp.com,cerberusapp.com,inbound,001,World,1 +cfmailer.com,elabs11.com,inbound,001,World,0 +cfmvmail.com,cfmvmail.com,inbound,001,World,0 +chabad.org,chabad.org,inbound,001,World,0 +champssports.com,footlocker.com,inbound,001,World,0.000131 +chance.com,data-hotel.net,inbound,001,World,0 +change.org,change.org,inbound,001,World,1 +channel4.com,channel4.com,inbound,001,World,0.000613 +charlestyrwhitt.com,charlestyrwhitt.com,inbound,001,World,0 +charter.net,charter.net,inbound,001,World,0 +charter.net,charter.net,outbound,001,World,0 +chase.com,bigfootinteractive.com,inbound,001,World,0 +chase.com,jpmchase.com,inbound,001,World,0.999999 +chatcitynotifications.com,chatcitynotifications.com,inbound,001,World,0 +chaturbate.com,chaturbate.com,inbound,001,World,1 +cheapairmailer.com,cheapairmailer.com,inbound,001,World,0 +cheaperthandirt.com,cheaperthandirt.com,inbound,001,World,2.2e-05 +cheapflights.co.uk,cheapflights.co.uk,inbound,001,World,0 +cheapflights.com,cheapflights.com,inbound,001,World,0 +check.me,check.me,inbound,001,World,0 +cheekylovers.com,ropot.net,inbound,001,World,0 +chefscatalog.com,chefscatalog.com,inbound,001,World,0 +chelseafc.com,chelseafc.com,inbound,001,World,0.003566 +chemistdirect.co.uk,ec-cluster.com,inbound,001,World,0 +chemistry.com,chemistry.com,inbound,001,World,0 +chess.com,chess.com,inbound,001,World,1 +chiangcn.com,chiangcn.com,inbound,001,World,0 +chicagotribune.com,latimes.com,inbound,001,World,0 +chick-fil-ainsiders.com,chick-fil-ainsiders.com,inbound,001,World,0 +chicos.com,chicos.com,inbound,001,World,0.000156 +childrensplace.com,childrensplace.com,inbound,001,World,0 +chinatrust.com.tw,chinatrust.com.tw,inbound,001,World,0.001272 +chopra.com,chopra.com,inbound,001,World,1 +christianbook.com,christianbook.com,inbound,001,World,1 +christianmingle.com,christianmingle.com,inbound,001,World,0 +christianmingle.com,postdirect.com,inbound,001,World,0 +chtah.com,chtah.net,inbound,001,World,0 +chtah.net,chtah.net,inbound,001,World,0 +cincghq.com,searchhomesingta.com,inbound,001,World,1 +cinesa.es,cccampaigns.com,inbound,001,World,0 +cipherzone.com,infimail.com,inbound,001,World,0 +cir.ca,cir.ca,inbound,001,World,1 +circleofmomsmail.com,circleofmomsmail.com,inbound,001,World,0 +citi.com,citi.com,inbound,001,World,0.999941 +citibank.com,bigfootinteractive.com,inbound,001,World,0 +citibank.com,citi.com,inbound,001,World,0.999997 +citicorp.com,citi.com,inbound,001,World,0.999999 +citruslane.com,citruslane.com,inbound,001,World,5e-06 +citybrands.hu,webinform.hu,inbound,001,World,1 +cityheaven.net,cityheaven.net,inbound,001,World,0 +ck.com,ck.com,inbound,001,World,0 +clarisonic.com,clarisonic.com,inbound,001,World,0 +clarks.com,clarks.com,inbound,001,World,0 +classmates.com,classmates.com,inbound,001,World,0 +clickdimensions.com,clickdimensions.com,inbound,001,World,0 +clickexperts.net,clickexperts.net,inbound,001,World,0 +clickmailer.jp,clickmailer.jp,inbound,001,World,9e-05 +clickon.com.ar,clickon.com.ar,inbound,001,World,0 +clickon.com.br,clickon.com.br,inbound,001,World,0 +clicktoviewthisurl.org,clicktoviewthisurl.org,inbound,001,World,0 +clicplan.com,dmdelivery.com,inbound,001,World,0 +climber.com,climber.com,inbound,001,World,0 +clinique.com,esteelauder.com,inbound,001,World,0 +clubcupon.com.ar,clubcupon.com.ar,inbound,001,World,0 +cmail1.com,createsend.com,inbound,001,World,0 +cmail2.com,createsend.com,inbound,001,World,0 +cmm01.com,coremotivesmarketing.com,inbound,001,World,0 +cmrfalabella.com,cmrfalabella.com,inbound,001,World,0 +coach.com,delivery.net,inbound,001,World,0 +cobone.com,emarsys.net,inbound,001,World,0 +cocacola.co.jp,cocacola.co.jp,inbound,001,World,0 +codebreak.info,codebreak.info,inbound,001,World,1 +codeproject.com,codeproject.com,inbound,001,World,0 +coldwatercreek.com,coldwatercreek.com,inbound,001,World,0 +collectionsetc.com,collectionsetc.com,inbound,001,World,0 +columbia.edu,columbia.edu,inbound,001,World,0.762355 +combzmail.jp,combzmail.jp,inbound,001,World,0 +comcast.net,comcast.net,inbound,001,World,0.888399 +comcast.net,comcast.net,outbound,001,World,0.999999 +comenity.net,alldata.net,inbound,001,World,1 +comenity.net,bigfootinteractive.com,inbound,001,World,0 +commonfloor.com,commonfloor.com,inbound,001,World,1 +communicatoremail.com,communicatoremail.com,inbound,001,World,0 +communitymatrimony.com,communitymatrimony.com,inbound,001,World,1 +compute.internal,amazonaws.com,inbound,001,World,0.858276 +computerworld.com,computerworld.com,inbound,001,World,0 +comunicacaodemkt.com,locaweb.com.br,inbound,001,World,0 +confirmedoptin.com,confirmedoptin.com,inbound,001,World,0 +confirmsignup.com,mmsend53.com,inbound,001,World,0 +conrepmail.com,conrepmail.com,inbound,001,World,0 +constantcontact.com,confirmedcc.com,inbound,001,World,0 +constantcontact.com,constantcontact.com,inbound,001,World,5.3e-05 +constantcontact.com,postini.com,inbound,001,World,0.078144 +constantcontact.com,yahoo.{...},inbound,001,World,0.999724 +contact-darty.com,mm-send.com,inbound,001,World,0 +contactlab.it,contactlab.it,inbound,001,World,0 +containerstore.com,containerstore.com,inbound,001,World,0 +continente.pt,1-hostingservice.com,inbound,001,World,0 +converse.com,converse.com,inbound,001,World,1 +convio.net,convio.net,inbound,001,World,0 +cookingchanneltv.com,cookingchanneltv.com,inbound,001,World,0 +cookpad.com,cookpad.com,inbound,001,World,0 +copernica.nl,picsrv.net,inbound,001,World,0.011507 +copernica.nl,vicinity.nl,inbound,001,World,0.011753 +coppel.com,coppel.com,inbound,001,World,0 +coremotivesmarketing.com,coremotivesmarketing.com,inbound,001,World,0 +cornell.edu,cornell.edu,inbound,001,World,0.195104 +corporateperks.com,nextjump.com,inbound,001,World,0 +correosocc.com,correosocc.com,inbound,001,World,1 +costco.co.uk,costco.com,inbound,001,World,0 +costco.com,costco.com,inbound,001,World,7e-06 +costcophotocenter.com,wc09.net,inbound,001,World,0 +costcoservices.com,costco.com,inbound,001,World,0 +cotswoldoutdoor.com,cotswoldoutdoor.com,inbound,001,World,0 +couchsurfing.org,couchsurfing.com,inbound,001,World,0 +countrycurtainscatalog.com,countrycurtainscatalog.com,inbound,001,World,0 +couponamama.com,couponamama.com,inbound,001,World,1 +coupondunia.in,coupondunia.in,inbound,001,World,1 +cox.com,cox.com,inbound,001,World,0.001665 +cox.net,cox.net,inbound,001,World,0.009187 +cox.net,cox.net,outbound,001,World,0 +coyotelogistics.com,postini.com,inbound,001,World,0 +cp20.com,cp20.com,inbound,001,World,0 +cpbnc.com,cpbnc.com,inbound,001,World,0 +cpbnc.com,fye.com,inbound,001,World,0 +cpc.gov.in,cpc.gov.in,inbound,001,World,0 +cpm.co.ma,cpm.co.ma,inbound,001,World,0 +crabtree-evelyn.com,crabtree-evelyn.com,inbound,001,World,0.000566 +crackle.com,crackle.com,inbound,001,World,0 +craigslist.org,craigslist.org,inbound,001,World,0 +craigslist.org,craigslist.org,outbound,001,World,1 +crainnewsalerts.com,crainnewsalerts.com,inbound,001,World,0 +crashlytics.com,crashlytics.com,inbound,001,World,1 +crashlytics.com,sendgrid.net,inbound,001,World,1 +crateandbarrel.com,crateandbarrel.com,inbound,001,World,0 +cratusservices.in,ramcorp.in,inbound,001,World,0 +creationsrewards.net,creationsrewards.net,inbound,001,World,0 +creditkarma.com,creditkarma.com,inbound,001,World,1 +credoaction.com,credoaction.com,inbound,001,World,1 +cricinfo.com,cricinfo.com,inbound,001,World,0 +cricut.com,elabs12.com,inbound,001,World,0 +criticalimpactinc.com,criticalimpactinc.com,inbound,001,World,0 +critsend.com,critsend.com,inbound,001,World,0 +crmstyle.com,crmstyle.com,inbound,001,World,0 +crocos.jp,crocos.jp,inbound,001,World,0 +crocs-email.com,crocs-email.com,inbound,001,World,0 +crosswalkmail.com,crosswalkmail.com,inbound,001,World,0 +crowdcut.com,crowdcut.com,inbound,001,World,1 +crsend.com,crsend.com,inbound,001,World,0.008688 +crunchyroll.com,crunchyroll.com,inbound,001,World,0 +csas.cz,csas.cz,inbound,001,World,0.999971 +ctrip.com,ctrip.com,inbound,001,World,0.01917 +cudo.com.au,exacttarget.com,inbound,001,World,0 +cuenote.jp,cuenote.jp,inbound,001,World,0 +cumulusdist.net,cumulusdist.net,inbound,001,World,0 +cupomturbinado.com.br,cupomnaweb.com.br,inbound,001,World,1 +cuponatic.com.pe,cuponatic.com.pe,inbound,001,World,1 +cuponicamail.com,fnbox.com,inbound,001,World,0 +cuppon.pl,cuppon.pl,inbound,001,World,0 +curbednetwork.com,curbednetwork.com,inbound,001,World,1 +curriculum.com.br,curriculum.com.br,inbound,001,World,0 +currys.co.uk,currys.co.uk,inbound,001,World,0 +cuspemail.com,neimanmarcusemail.com,inbound,001,World,0 +custom-emailing.com,elabs12.com,inbound,001,World,0 +custombriefings.com,custombriefings.com,inbound,001,World,0 +customercenter.net,customercenter.net,inbound,001,World,0.996453 +customeriomail.com,customeriomail.com,inbound,001,World,1 +cv-library.co.uk,cv-library.co.uk,inbound,001,World,0 +cvbankas.lt,efadm.eu,inbound,001,World,0 +cvent-planner.com,cvent-planner.com,inbound,001,World,0 +cw.com.tw,cw.com.tw,inbound,001,World,0.002535 +cwjobsmail.co.uk,totaljobsmail.co.uk,inbound,001,World,0 +cxomedia.com,cxomedia.com,inbound,001,World,0 +cybercoders.com,cybercoders.com,inbound,001,World,0 +cyberdiet.com.br,allinmedia.com.br,inbound,001,World,0 +cyberlinkmember.com,cyberlinkmember.com,inbound,001,World,0 +d-reizen.nl,dmdelivery.com,inbound,001,World,0 +dabmail.com,iaires.com,inbound,001,World,0 +dabmail.com,mailurja.com,inbound,001,World,0 +dafiti.cl,dafiti.cl,inbound,001,World,0 +dafiti.com.br,fagms.de,inbound,001,World,0 +dailyhoroscope.com,tarot.com,inbound,001,World,0 +dailyom.com,dailyom.com,inbound,001,World,1 +dairyqueen.com,dairyqueen.com,inbound,001,World,0 +datadrivenemail.com,datadrivenemail.com,inbound,001,World,0 +datehookup.com,datehookup.com,inbound,001,World,0 +datingfactory.com,caerussolutions.net,inbound,001,World,0 +datingvipnotifications.com,datingvipnotifications.com,inbound,001,World,0 +daveramsey.com,daveramsey.com,inbound,001,World,0.025924 +daviacalendar.com,daviacalendar.com,inbound,001,World,1 +davidsbridal.com,davidsbridal.com,inbound,001,World,0 +davidstea.com,bronto.com,inbound,001,World,0 +daz3d.com,bronto.com,inbound,001,World,0 +dbgi.co.uk,emc1.co.uk,inbound,001,World,0 +ddc-emails.com,ddc-emails.com,inbound,001,World,0 +deal.com.sg,emarsys.net,inbound,001,World,0 +dealchicken.com,dealchicken.com,inbound,001,World,0 +dealchicken.com,exacttarget.com,inbound,001,World,0 +dealersocket.com,dealersocket.com,inbound,001,World,4e-06 +dealfind.com,dealfind.com,inbound,001,World,0 +dealnews.com,dealnews.com,inbound,001,World,0 +dealsaver.com,secondstreetmedia.com,inbound,001,World,0.999823 +dealsdirect.com.au,dealsdirect.com.au,inbound,001,World,0 +dealspl.us,dealspl.us,inbound,001,World,0 +debian.org,debian.org,inbound,001,World,1 +debshops.com,lstrk.net,inbound,001,World,1 +deezer.com,dms30.com,inbound,001,World,0 +deliasshopemail.com,deliasshopemail.com,inbound,001,World,0 +delivery.net,delivery.net,inbound,001,World,0 +delivery.net,m0.net,inbound,001,World,0 +dell.com,bfi0.com,inbound,001,World,0 +dell.com,dell.com,inbound,001,World,0.969277 +delta.com,delta.com,inbound,001,World,0.092496 +dena.ne.jp,dena.ne.jp,inbound,001,World,0.000249 +dentalsenders.com,dentalsenders.com,inbound,001,World,0 +dermstore.com,exacttarget.com,inbound,001,World,0 +descontos.pt,descontos.pt,inbound,001,World,0 +designerapparel.com,myperfectsale.com,inbound,001,World,1 +despegar.com,despegar.com,inbound,001,World,0 +dhgate.com,chtah.net,inbound,001,World,0 +dhl.com,dhl.com,inbound,001,World,0.994107 +dice.com,dice.com,inbound,001,World,0 +dietaesaude.com.br,dietaesaude.com.br,inbound,001,World,0 +dietnavi.com,data-hotel.net,inbound,001,World,0 +digitalmailer.com,digitalmailer.com,inbound,001,World,0 +digitalmedia-comunicacion.es,chtah.net,inbound,001,World,0 +digitalromanceinc.com,digitalromanceinc.com,inbound,001,World,1 +dinda.com.br,dinda.com.br,inbound,001,World,0.017061 +dip-net.co.jp,dip-net.co.jp,inbound,001,World,0 +directcrm.ru,directcrm.ru,inbound,001,World,0 +directresponsemanager.com,wide.ne.jp,inbound,001,World,0 +directv.com,directv.com,inbound,001,World,0.050604 +directvla.com,directvla.com,inbound,001,World,0 +disc.co.jp,disc.co.jp,inbound,001,World,0.001051 +discover.com,discover.com,inbound,001,World,0 +discover.com,discoverfinancial.com,inbound,001,World,1 +dishtv.co.in,dishtv.co.in,inbound,001,World,0.047664 +disney.co.uk,emv9.com,inbound,001,World,0 +disneydestinations.com,disneyparks.com,inbound,001,World,0 +disneydestinations.com,disneyworld.com,inbound,001,World,0 +disparadordeemails.com,locaweb.com.br,inbound,001,World,0 +disqus.net,disqus.net,inbound,001,World,0 +diynetwork.com,diynetwork.com,inbound,001,World,0 +dks.com.tw,dks.com.tw,inbound,001,World,0.018134 +dmm.com,dmm.com,inbound,001,World,0 +dn.net,naukri.com,inbound,001,World,0 +docomo.ne.jp,docomo.ne.jp,inbound,001,World,0 +docomo.ne.jp,docomo.ne.jp,outbound,001,World,0 +doctoroz.com,email-sharecare2.com,inbound,001,World,0 +docusign.net,docusign.net,inbound,001,World,0.985435 +dollartree.com,email-dollartree.com,inbound,001,World,0 +dominos.com,dominos.com,inbound,001,World,0.011684 +dominos.com.au,dominos.com.au,inbound,001,World,0 +dominosemail.co.uk,dominosemail.co.uk,inbound,001,World,0 +donationnet.net,donationnet.net,inbound,001,World,0 +donuts.ne.jp,dnuts.jp,inbound,001,World,0 +doodle.com,doodle.com,inbound,001,World,1 +dorothyperkins.com,dorothyperkins.com,inbound,001,World,0 +dotmailer-email.com,dotmailer.com,inbound,001,World,0 +dotmailer.co.uk,dotmailer.com,inbound,001,World,0 +dotz.com.br,dotz.com.br,inbound,001,World,0 +doubletakeoffers.com,doubletakeoffers.com,inbound,001,World,0 +dowjones.info,dowjones.info,inbound,001,World,0 +downlinebuilderdirect.com,downlinebuilderdirect.com,inbound,001,World,0 +dpapp.nl,prikbordmailer.nl,inbound,001,World,0 +dpapp.nl,sslsecuref.nl,inbound,001,World,0 +dptagent.biz,dptagent.biz,inbound,001,World,0 +dptagent.net,dptagent.net,inbound,001,World,0 +draftkings.com,draftkings.com,inbound,001,World,0 +dreamhost.com,dreamhost.com,inbound,001,World,0 +dreammail.ne.jp,dreammail.jp,inbound,001,World,0 +dreamwidth.org,dreamwidth.org,inbound,001,World,0 +dreivip.com,dreivip.com,inbound,001,World,0.000301 +dress-for-less.de,privalia.com,inbound,001,World,0 +drhinternet.net,drhinternet.net,inbound,001,World,0 +driftem.com,emce2.in,inbound,001,World,0 +driftem.com,mailurja.com,inbound,001,World,0 +drjays-mail.com,drjays-mail.com,inbound,001,World,0 +dromadaire-news.com,ecmcluster.com,inbound,001,World,0 +dropbox.com,dropbox.com,inbound,001,World,1 +dropboxmail.com,dropbox.com,inbound,001,World,1 +drushim.co.il,drushim.co.il,inbound,001,World,0 +drweb.com,drweb.com,inbound,001,World,0.969315 +dstyleweb.com,dstyleweb.com,inbound,001,World,0.001099 +dsw.com,dsw.com,inbound,001,World,0 +ducks.org,uptilt.com,inbound,001,World,0 +duke.edu,duke.edu,inbound,001,World,0.308101 +dukecareers.com,dukecareers.com,inbound,001,World,1 +duluthtradingemail.com,email-duluthtrading.com,inbound,001,World,0 +dvor.com,dvor.com,inbound,001,World,0 +dynamite-safelist.com,thomas-j-brown.com,inbound,001,World,0 +dynect-mailer.net,dynect.net,inbound,001,World,0 +dynect-mailer.net,sendlabs.com,inbound,001,World,0 +e-activist.com,e-activist.com,inbound,001,World,0 +e-beallsonline.com,e-stagestores.com,inbound,001,World,0 +e-bodyc.com,email-bodycentral.com,inbound,001,World,0 +e-boks.dk,e-boks.dk,inbound,001,World,1 +e-costco.mx,costco.com,inbound,001,World,0 +e-ebuyer.com,e-ebuyer.com,inbound,001,World,0 +e-goodysonline.com,e-stagestores.com,inbound,001,World,0 +e-jobs-ville.com,e-jobs-ville.com,inbound,001,World,1 +e-leclerc.com,e-leclerc.com,inbound,001,World,0.000248 +e-mark.nl,e-mark.nl,inbound,001,World,0 +e-ngine.nl,e-ngine.nl,inbound,001,World,0 +e-peebles.com,e-stagestores.com,inbound,001,World,0 +e-rewards.net,e-rewards.net,inbound,001,World,1 +e-stagestores.com,e-stagestores.com,inbound,001,World,0 +e-travelclub.es,e-travelclub.es,inbound,001,World,0 +e2ma.net,e2ma.net,inbound,001,World,1 +ea.com,ea.com,inbound,001,World,0.001314 +eaccess.net,postini.com,inbound,001,World,0 +earn-e-miles.com,earn-e-miles.com,inbound,001,World,0 +earnerslist.com,traxweb.net,inbound,001,World,9e-06 +earthfare-email.com,edclient2.com,inbound,001,World,0 +earthlink.net,earthlink.net,inbound,001,World,0.031678 +earthlink.net,earthlink.net,outbound,001,World,0 +eastbay.com,footlocker.com,inbound,001,World,0 +easycanvasprints.com,easycanvasprints.com,inbound,001,World,0 +easyhealthoptions.com,easyhealthoptions.com,inbound,001,World,1 +easyhits4u.com,easyhits4u.com,inbound,001,World,1 +easyhits4u.com,relmax.net,inbound,001,World,0 +easyroommate.com,easyroommate.com,inbound,001,World,0.108483 +ebags.com,ebags.com,inbound,001,World,0 +ebates.com,bfi0.com,inbound,001,World,0 +ebay-kleinanzeigen.de,mobile.de,inbound,001,World,1 +ebay.{...},ebay.{...},inbound,001,World,0.99953 +ebay.{...},emarsys.net,inbound,001,World,0 +ebay.{...},postdirect.com,inbound,001,World,0 +ebizac2.com,ebizac2.com,inbound,001,World,0 +ebizac3.com,ebizac3.com,inbound,001,World,0 +eblastengine.com,secondstreetmedia.com,inbound,001,World,0.999827 +ebuildabear.com,ebuildabear.com,inbound,001,World,8e-06 +ec2.internal,amazonaws.com,inbound,001,World,0.769117 +ec21.com,ec21.com,inbound,001,World,0.002261 +ecasend.com,ecasend.com,inbound,001,World,0 +ecnavi.jp,ecnavi.jp,inbound,001,World,0 +ecommzone.com,ecommzone.com,inbound,001,World,0 +ed.gov,leepfrog.com,inbound,001,World,0.106381 +ed10.net,ed10.com,inbound,001,World,0 +ed10.net,postini.com,inbound,001,World,0.083658 +edarling.fr,fagms.de,inbound,001,World,0 +eddiebauer.com,eddiebauer.com,inbound,001,World,0 +edima.hu,edima.hu,inbound,001,World,0 +edirect1.com,ivytech.edu,inbound,001,World,0 +edmodo.com,edmodo.com,inbound,001,World,1.1e-05 +educationzone.co.in,iaires.com,inbound,001,World,0 +eduk.com,eduk.com,inbound,001,World,0 +efamilydollar.com,efamilydollar.com,inbound,001,World,0 +effectivesafelist.com,zoothost.com,inbound,001,World,0 +efox-shop.com,dmdelivery.com,inbound,001,World,0 +eharmony.com,eharmony.com,inbound,001,World,1e-06 +eigbox.net,eigbox.net,inbound,001,World,0 +ejobs.ro,ejobs.ro,inbound,001,World,8.4e-05 +elabs10.com,elabs10.com,inbound,001,World,0 +elabs12.com,elabs12.com,inbound,001,World,0 +elabs3.com,elabs3.com,inbound,001,World,0 +elabs3.com,meritline.com,inbound,001,World,0 +elabs5.com,elabs5.com,inbound,001,World,0 +elabs6.com,elabs6.com,inbound,001,World,0 +elaine-asp.de,artegic.net,inbound,001,World,0.999997 +elanceonline.com,elanceonline.com,inbound,001,World,0 +elcorteingles.es,elcorteingles.es,inbound,001,World,0 +eleadtrack.net,eleadtrack.net,inbound,001,World,0 +elektronskaposta.si,eprvak.si,inbound,001,World,0 +elettershop.de,servicemail24.de,inbound,001,World,1 +elistas.net,elistas.net,inbound,001,World,0 +elitesafelist.com,elitesafelist.com,inbound,001,World,0 +elkjop.no,ec-cluster.com,inbound,001,World,0 +elkjop.no,eccluster.com,inbound,001,World,0 +elo7.com.br,elo7.com.br,inbound,001,World,0 +emag.ro,emag.ro,inbound,001,World,0.005013 +email-1800contacts.com,email-1800contacts.com,inbound,001,World,0 +email-aaa.com,email-aaa.com,inbound,001,World,0 +email-aeriagames.com,email-aeriagames.com,inbound,001,World,0 +email-comparethemarket.com,smartfocusdigital.net,inbound,001,World,0 +email-cooking.com,email-cooking.com,inbound,001,World,0 +email-dressbarn.com,email-dressbarn.com,inbound,001,World,0 +email-firestone.com,reminder-firestone.com,inbound,001,World,0 +email-galls.com,email-galls.com,inbound,001,World,1 +email-honest.com,email-honest.com,inbound,001,World,0 +email-od.com,email-od.com,inbound,001,World,0.999652 +email-od.com,smtprelayserver.com,inbound,001,World,0.999779 +email-petsmart.com,email-petsmart.com,inbound,001,World,0 +email-sportchalet.com,email-sportchalet.com,inbound,001,World,0 +email-telekom.de,ecm-cluster.com,inbound,001,World,0 +email-ticketdada.com,email-ticketdada.com,inbound,001,World,1 +email-totalwine.com,email-totalwine.com,inbound,001,World,0 +email-wildstar-online.com,email-carbine.com,inbound,001,World,0 +email2-beyond.com,messagebus.com,inbound,001,World,0 +email360api.com,email360api.com,inbound,001,World,0 +email365inc.com,email365inc.com,inbound,001,World,0 +email3m.com,email3m.com,inbound,001,World,0 +email4-beyond.com,email4-beyond.com,inbound,001,World,0 +emailcounts.com,secureserver.net,inbound,001,World,0 +emaildir2.com,emaildirect.net,inbound,001,World,0 +emaildir2.com,espsnd.com,inbound,001,World,0 +emailnotify.net,emailnotify.net,inbound,001,World,0.961424 +emailrestaurant.com,emailrestaurant.com,inbound,001,World,0 +emailsbancoestado.cl,emailsbancoestado.cl,inbound,001,World,0 +emailsripley.cl,etarget.cl,inbound,001,World,0 +emailtoryburch.com,emailtoryburch.com,inbound,001,World,0 +emarsys.net,emarsys.net,inbound,001,World,0.092041 +embarqmail.com,centurylink.net,inbound,001,World,0.999918 +embluejet.com,embluejet.com,inbound,001,World,0 +embluejet.com,emblueuser.com,inbound,001,World,0 +emcsend.com,emcsend.com,inbound,001,World,0 +emergencyemail.org,emergencyemail.org,inbound,001,World,0 +eminentinc.com,eminentinc.com,inbound,001,World,0 +emktsender.net,locaweb.com.br,inbound,001,World,0 +emktviajarbarato.com.br,splio.com.br,inbound,001,World,0.875902 +emma.cl,emma.cl,inbound,001,World,0.996895 +emobile.ad.jp,postini.com,inbound,001,World,0 +employboard.com,employboard.com,inbound,001,World,1 +empoweredcomms.com.au,empoweredcomms.com.au,inbound,001,World,0 +emsecure.net,emsecure.net,inbound,001,World,0 +emsmtp.com,emsmtp.com,inbound,001,World,0.175797 +en-japan.com,en-japan.com,inbound,001,World,0.000204 +en25.com,kqed.org,inbound,001,World,0 +enewscartes.net,bp06.net,inbound,001,World,0 +enewsletter.pl,enewsletter.pl,inbound,001,World,0.005395 +enewsletter.pl,mydeal.pl,inbound,001,World,0 +enewsletter.pl,sare25.com,inbound,001,World,0 +enplenitud.com,enplenitud.com,inbound,001,World,0 +entregadeemails.com,locaweb.com.br,inbound,001,World,0 +entregadordecampanhas.net,locaweb.com.br,inbound,001,World,0 +entrepreneur.com,entrepreneur.com,inbound,001,World,0 +enviodecampanhas.net,locaweb.com.br,inbound,001,World,0 +enviodemkt.com.br,locaweb.com.br,inbound,001,World,0 +eonet.ne.jp,eonet.ne.jp,inbound,001,World,0.99955 +epaper.com.tw,epaper.com.tw,inbound,001,World,0 +eplus.jp,eplus.jp,inbound,001,World,0 +epriority.com,epriority.com,inbound,001,World,0 +equifax.com,equifax.com,inbound,001,World,0.936013 +equussafelist.com,equussafelist.com,inbound,001,World,0.000265 +eslitebooks.com,eslitebooks.com,inbound,001,World,0 +espmp-agfr.net,bp06.net,inbound,001,World,0 +esprit-friends.com,esprit-friends.com,inbound,001,World,0 +esri.com,esri.com,inbound,001,World,0.983104 +esteelauder.com,esteelauder.com,inbound,001,World,0 +ethingsremembered.com,ethingsremembered.com,inbound,001,World,0 +etrade.com,etrade.com,inbound,001,World,0.021422 +etransmail.com,etransmail.com,inbound,001,World,0 +etransmail.com,ptransmail.com,inbound,001,World,0 +etrmailbox.com,etrmailbox.com,inbound,001,World,0 +etsy.com,etsy.com,inbound,001,World,0.020844 +euromsg.net,euromsg.net,inbound,001,World,0 +evaair.com,evaair.com,inbound,001,World,0.007363 +evanguard.com,evanguard.com,inbound,001,World,0 +evanscycles.com,msgfocus.com,inbound,001,World,0 +eventbrite.com,eventbrite.com,inbound,001,World,0 +evernote.com,evernote.com,inbound,001,World,1 +eversavelocal.com,eversavelocal.com,inbound,001,World,0 +everydayfamily.com,everydayfamily.com,inbound,001,World,0 +everydayhealthinc.com,waterfrontmedia.net,inbound,001,World,0 +everyjobforme.com,everyjobforme.com,inbound,001,World,0 +everytown.org,everytown.org,inbound,001,World,1 +exacttarget.com,bazaarvoice.com,inbound,001,World,0 +exacttarget.com,booksamillion.com,inbound,001,World,0 +exacttarget.com,exacttarget.com,inbound,001,World,0.000325 +exacttarget.com,msg.com,inbound,001,World,0 +exacttarget.com,redboxinstant.com,inbound,001,World,0 +exacttarget.com,skylinetechnologies.com,inbound,001,World,0 +exchangesolutions.com,exchangesolutions.com,inbound,001,World,0.000143 +exec-u-net-mail.com,exec-u-net-mail.com,inbound,001,World,0 +expediamail.com,airasiago.com,inbound,001,World,1 +expediamail.com,exacttarget.com,inbound,001,World,1 +expediamail.com,expediamail.com,inbound,001,World,0.839662 +expediamail.com,quotitmail.com,inbound,001,World,0 +experteer.com,experteer.com,inbound,001,World,0 +express.com,expressfashion.com,inbound,001,World,0 +exprpt.com,exprpt.com,inbound,001,World,0 +expvtinboxhub.net,expvtinboxhub.net,inbound,001,World,0 +extra.com.br,emv8.com,inbound,001,World,0 +eyepin.com,eyepin.com,inbound,001,World,0 +ezweb.ne.jp,ezweb.ne.jp,inbound,001,World,0.282076 +ezweb.ne.jp,ezweb.ne.jp,outbound,001,World,0 +fabfurnish.com,fagms.de,inbound,001,World,0 +fabletics.com,bronto.com,inbound,001,World,0 +facebook.com,facebook.com,inbound,001,World,0.553197 +facebook.com,facebook.com,outbound,001,World,1 +facebookappmail.com,facebook.com,inbound,001,World,1 +facebookmail.com,facebook.com,inbound,001,World,1 +facebookmail.com,postini.com,inbound,001,World,0.726315 +facebookmail.com,yahoo.{...},inbound,001,World,0.999904 +facilisimo.com,facilisimo.com,inbound,001,World,1 +fagms.net,fagms.de,inbound,001,World,0 +falabella.com,falabella.com,inbound,001,World,0 +familychristianmail.com,familychristianmail.com,inbound,001,World,0 +famousfootwear.com,famousfootwear.com,inbound,001,World,0 +fanatics.com,fanatics.com,inbound,001,World,0 +fanaticsretailgroup.com,fanaticsretailgroup.com,inbound,001,World,0 +fanbridge.com,fanbridge.com,inbound,001,World,0.000198 +fanfiction.com,fictionpress.com,inbound,001,World,1 +fanofannas.com,fanofannas.com,inbound,001,World,0 +fansedge.com,fansedge.com,inbound,001,World,0 +farmers.com,farmers.com,inbound,001,World,0.999984 +farmersonly.com,mailgun.net,inbound,001,World,1 +farmersonly.com,mailgun.us,inbound,001,World,1 +fashion2hub.in,mgenie.in,inbound,001,World,0 +fastcompany.com,fastcompany.com,inbound,001,World,0 +fastgb.com,fastgb.com,inbound,001,World,0 +fastlistmailer.com,zoothost.com,inbound,001,World,0 +fastweb.com,fastweb.com,inbound,001,World,0 +fbi.gov,fbi.gov,inbound,001,World,0 +fbmta.com,fbmta.com,inbound,001,World,0 +fc2.com,fc2.com,inbound,001,World,0.000798 +fedex.com,fedex.com,inbound,001,World,0.921011 +fedoraproject.org,fedoraproject.org,inbound,001,World,5e-06 +feedblitz.com,feedblitz.com,inbound,001,World,0 +feld-ent.com,postdirect.com,inbound,001,World,0 +felissimo.jp,felissimo.jp,inbound,001,World,0 +fellowshiponemail.com,fellowshiponemail.com,inbound,001,World,0 +fetlifemail.com,fetlifemail.com,inbound,001,World,0 +fibertel.com.ar,fibertel.com.ar,inbound,001,World,0.003897 +fidelity.com,fidelity.com,inbound,001,World,1 +fidelizador.org,fidelizador.org,inbound,001,World,0 +financialfreedommail.com,financialfreedommail.com,inbound,001,World,0 +finansbank.com.tr,finansbank.com.tr,inbound,001,World,0.927 +findexpvtinbox.com,findexpvtinbox.com,inbound,001,World,0 +fingerhut.com,fingerhut.com,inbound,001,World,0.020664 +finishline.com,finishline.com,inbound,001,World,0 +finn.no,schibsted-it.no,inbound,001,World,0.002893 +firemountaingems.com,firemountaingems.com,inbound,001,World,0 +fiscosoft.com.br,fiscosoft.com.br,inbound,001,World,0 +fisher-price.com,fisher-price.com,inbound,001,World,0 +fitbit.com,fitbit.com,inbound,001,World,1 +fitnessmagazine.com,meredith.com,inbound,001,World,0 +fiverr.com,fiverr.com,inbound,001,World,0 +fixeads.com,fixeads.com,inbound,001,World,0 +flets.com,flets.com,inbound,001,World,0 +flexmls.com,flexmls.com,inbound,001,World,0.999992 +flightaware.com,flightaware.com,inbound,001,World,0.020698 +flipkart.com,flipkart.com,inbound,001,World,1 +flirchi.com,flirchi.com,inbound,001,World,1.0 +flirt.com,ropot.net,inbound,001,World,0 +flirthookup.com,flirthookup.com,inbound,001,World,1 +flirtlocal.com,flirtlocal.com,inbound,001,World,1 +flmsecure.com,fling.com,inbound,001,World,0 +flmsecure.com,flmsecure.com,inbound,001,World,0 +floridajobdepartment.com,floridajobdepartment.com,inbound,001,World,0 +flyceb.com,flyceb.com,inbound,001,World,0 +flyfrontier.com,flyfrontier.com,inbound,001,World,0 +flymonarchemail.com,flymonarchemail.com,inbound,001,World,0 +fmworld.net,fmworld.net,inbound,001,World,0 +fnac.com,fnac.com,inbound,001,World,0.021985 +fnb.co.za,fnb.co.za,inbound,001,World,0.104983 +fofa.jp,mpme.jp,inbound,001,World,0 +follow-up.se,follow-up.se,inbound,001,World,1 +foodnetwork.com,foodnetwork.com,inbound,001,World,0 +foolsubs.com,foolcs.com,inbound,001,World,0 +foolsubs.com,foolsubs.com,inbound,001,World,0 +footaction.com,footlocker.com,inbound,001,World,0 +footlocker.com,footlocker.com,inbound,001,World,0.000605 +forcemail.in,iaires.com,inbound,001,World,0 +foreseegame.com,iaires.com,inbound,001,World,0 +forever21.com,forever21.com,inbound,001,World,0 +fortisbusinessmedia.com,fortisbusinessmedia.com,inbound,001,World,0 +fotffamily.com,fotffamily.com,inbound,001,World,0 +fotocasa.es,fotocasa.es,inbound,001,World,0 +fotolivro.com.br,fotolivro.com.br,inbound,001,World,0 +fotostrana.ru,fotocdn.net,inbound,001,World,3.4e-05 +foursquare.com,foursquare.com,inbound,001,World,1 +foxnews.com,foxnews.com,inbound,001,World,0.0139 +fpmailerbr.com,fpmailerbr.com,inbound,001,World,0 +fragrancenet.com,fragrancenet.com,inbound,001,World,0.000427 +francescas.com,bronto.com,inbound,001,World,0 +free-lance.ru,free-lance.ru,inbound,001,World,0 +free.fr,free.fr,inbound,001,World,0.984012 +free.fr,free.fr,outbound,001,World,6.9e-05 +freeadsmailer.com,zoothost.com,inbound,001,World,0 +freebeesafelist.com,zoothost.com,inbound,001,World,0 +freebizmag.com,delivery.net,inbound,001,World,0 +freebsd.org,freebsd.org,inbound,001,World,0.999835 +freecycle.org,freecycle.org,inbound,001,World,0.999927 +freedesktop.org,freedesktop.org,inbound,001,World,0 +freeflys.com,freeflys.com,inbound,001,World,0 +freelancer.com,freelancer.com,inbound,001,World,0 +freelancer.com,freelancernotify.com,inbound,001,World,0 +freelancer.com,getafreelancer.com,inbound,001,World,0 +freelists.org,iquest.net,inbound,001,World,0 +freelotto.com,plasmanetinc.com,inbound,001,World,0 +freemail.hu,freemail.hu,outbound,001,World,0 +freeml.com,gmo-media.jp,inbound,001,World,0 +freepeople.com,freepeople.com,inbound,001,World,0 +freesafelistking.com,zoothost.com,inbound,001,World,0 +freesafelistmailer.com,waters-advertising.com,inbound,001,World,0 +freshdesk.com,freshdesk.com,inbound,001,World,1 +freshers2015.com,secureserver.net,inbound,001,World,0 +freshlatesave.com,freshlatesave.com,inbound,001,World,1 +freshmail.pl,freshmail.pl,inbound,001,World,0 +fridays.com,fridays.com,inbound,001,World,0 +friskone.com,mailurja.com,inbound,001,World,0 +frk.com,frk.com,inbound,001,World,0.999995 +frontdoor.com,frontdoor.com,inbound,001,World,0 +frontgate-email.com,frontgate-email.com,inbound,001,World,0 +frontsight.com,frontsight.com,inbound,001,World,0 +frys.com,frys.com,inbound,001,World,0.00388 +frysmail.com,frysmail.com,inbound,001,World,0 +fspeletters.com,agorapub.co.uk,inbound,001,World,0 +ftchinese.com,ftchinese.com,inbound,001,World,0 +fubonshop.com,fubonshop.com,inbound,001,World,0 +fuckbooknet.net,infinitypersonals.com,inbound,001,World,0 +fuelrewards.com,britecast.com,inbound,001,World,0 +fundplaza.co.in,arrowsignindia.com,inbound,001,World,0 +fundplaza.in,fundplaza.in,inbound,001,World,0 +funonthenet.in,funonthenet.in,inbound,001,World,1 +futureshop.com,futureshop.com,inbound,001,World,0 +futurmailer.pt,futurmailer.pt,inbound,001,World,0 +gabbar.info,gabbar.info,inbound,001,World,1 +gaiaonline.com,gaiaonline.com,inbound,001,World,0 +gamecity.ne.jp,gamecity.ne.jp,inbound,001,World,0 +gamefly.com,gamefly.com,inbound,001,World,0.013381 +gamehouse.com,gamehouse.com,inbound,001,World,0 +gamingmails.com,gamingmails.com,inbound,001,World,0 +gap.com,gap.com,inbound,001,World,0 +gap.eu,gap.eu,inbound,001,World,0 +gapcanada.ca,gapcanada.ca,inbound,001,World,0 +garanti.com.tr,euromsg.net,inbound,001,World,0 +garanti.com.tr,garanti.com.tr,inbound,001,World,0.421936 +gardeningclubmail.co.uk,msgfocus.com,inbound,001,World,0 +garnethill-email.com,garnethill-email.com,inbound,001,World,0 +gaylordalert.com,gaylordalert.com,inbound,001,World,0 +gbyguess.com,guess.com,inbound,001,World,0.001787 +gcast.com.au,systemsserver.net,inbound,001,World,0 +gdtsuccess.com,groupdealtools.com,inbound,001,World,1 +geico.com,geico.com,inbound,001,World,0.096879 +gemoney.com,rsys1.com,inbound,001,World,0 +gene.com,roche.com,inbound,001,World,1 +generalmills.com,boxtops4education.com,inbound,001,World,0 +generalmills.com,pillsbury.com,inbound,001,World,0 +gentoo.org,gentoo.org,inbound,001,World,1 +geocaching.com,groundspeak.com,inbound,001,World,1 +geojit.com,geojit.com,inbound,001,World,0.203748 +get-me-jobs.com,get-me-jobs.com,inbound,001,World,0 +gethired.com,gethired.com,inbound,001,World,1 +getinbox.net,getinbox.net,inbound,001,World,0 +getitfree.us,getitfree.us,inbound,001,World,0 +getkeepsafe.com,getkeepsafe.com,inbound,001,World,1 +getmein.com,getmein.com,inbound,001,World,0 +getpaidsolutions.com,getpaidsolutions.com,inbound,001,World,1 +getpocket.com,bronto.com,inbound,001,World,0 +getresponse.com,getresponse.com,inbound,001,World,0 +gfsmarketplace-email.com,gfsmarketplace-email.com,inbound,001,World,0 +ghin.com,ghinconnect.com,inbound,001,World,0 +ghup.in,mgenie.in,inbound,001,World,0 +giffgaff.com,giffgaff.com,inbound,001,World,0 +gillyhicks-email.com,abercrombie-email.com,inbound,001,World,0 +gilt.com,gilt.com,inbound,001,World,1e-06 +gilt.jp,gilt.jp,inbound,001,World,0 +github.com,github.com,inbound,001,World,1 +github.com,github.net,inbound,001,World,1 +github.com,postini.com,inbound,001,World,0.872186 +glassdoor.com,glassdoor.com,inbound,001,World,0.662834 +glasses.com,glasses.com,inbound,001,World,0 +gliq.com,gliq.com,inbound,001,World,0.99852 +globalmembersupport.com,globalmembersupport.com,inbound,001,World,0 +globalsafelist.com,globalsafelist.com,inbound,001,World,0 +globalsources.com,globalsources.com,inbound,001,World,0.007546 +globalspec.com,globalspec.com,inbound,001,World,0 +globaltestmarket.com,globaltestmarket.com,inbound,001,World,0 +globasemail.com,globasemail.com,inbound,001,World,0.951088 +globetel.com.ph,globetel.com.ph,inbound,001,World,1 +gmail.com,02.net,inbound,001,World,0.998007 +gmail.com,amazonaws.com,inbound,001,World,0.988441 +gmail.com,anteldata.net.uy,inbound,001,World,0.998653 +gmail.com,as13285.net,inbound,001,World,0.999943 +gmail.com,asianet.co.th,inbound,001,World,0.998473 +gmail.com,au-net.ne.jp,inbound,001,World,1 +gmail.com,bbox.fr,inbound,001,World,0.919868 +gmail.com,bbtec.net,inbound,001,World,1 +gmail.com,belgacom.be,inbound,001,World,0.822281 +gmail.com,bell.ca,inbound,001,World,0.992482 +gmail.com,bellsouth.net,inbound,001,World,0.9996 +gmail.com,bezeqint.net,inbound,001,World,0.974444 +gmail.com,bigpond.net.au,inbound,001,World,0.999907 +gmail.com,blackberry.com,inbound,001,World,0.996337 +gmail.com,bluewin.ch,inbound,001,World,0.9337 +gmail.com,brasiltelecom.net.br,inbound,001,World,0.99995 +gmail.com,btcentralplus.com,inbound,001,World,0.999969 +gmail.com,centurytel.net,inbound,001,World,0.999415 +gmail.com,cgocable.net,inbound,001,World,0.998291 +gmail.com,charter.com,inbound,001,World,0.999111 +gmail.com,chello.nl,inbound,001,World,0.999951 +gmail.com,claro.net.br,inbound,001,World,1 +gmail.com,comcast.net,inbound,001,World,0.999616 +gmail.com,comcastbusiness.net,inbound,001,World,0.985464 +gmail.com,cox.net,inbound,001,World,0.962636 +gmail.com,data-hotel.net,inbound,001,World,0.000605 +gmail.com,emailsrvr.com,inbound,001,World,1 +gmail.com,embarqhsd.net,inbound,001,World,0.999554 +gmail.com,fastwebnet.it,inbound,001,World,0.984708 +gmail.com,franchiseindia.com,inbound,001,World,1 +gmail.com,frontiernet.net,inbound,001,World,0.995233 +gmail.com,gvt.net.br,inbound,001,World,0.999513 +gmail.com,hinet.net,inbound,001,World,0.97312 +gmail.com,iinet.net.au,inbound,001,World,0.966984 +gmail.com,jazztel.es,inbound,001,World,0.999701 +gmail.com,lorexddns.net,inbound,001,World,0 +gmail.com,majesticmoneymailer.com,inbound,001,World,1 +gmail.com,mchsi.com,inbound,001,World,0.999951 +gmail.com,movistar.cl,inbound,001,World,0.999361 +gmail.com,mtnl.net.in,inbound,001,World,0.999527 +gmail.com,mycingular.net,inbound,001,World,0.999918 +gmail.com,myvzw.com,inbound,001,World,0.999889 +gmail.com,naukri.com,inbound,001,World,0.000998 +gmail.com,net24.it,inbound,001,World,0.999964 +gmail.com,netcabo.pt,inbound,001,World,0.998164 +gmail.com,netvigator.com,inbound,001,World,0.818637 +gmail.com,numericable.fr,inbound,001,World,0.999726 +gmail.com,ocn.ne.jp,inbound,001,World,0.99466 +gmail.com,ono.com,inbound,001,World,0.995991 +gmail.com,optonline.net,inbound,001,World,0.999776 +gmail.com,optusnet.com.au,inbound,001,World,0.992856 +gmail.com,orange.es,inbound,001,World,0.998743 +gmail.com,orange.fr,inbound,001,World,0 +gmail.com,otenet.gr,inbound,001,World,0.957964 +gmail.com,panda-world.ne.jp,inbound,001,World,1 +gmail.com,postini.com,inbound,001,World,0.776029 +gmail.com,proxad.net,inbound,001,World,0.998094 +gmail.com,qwest.net,inbound,001,World,0.997575 +gmail.com,rcn.com,inbound,001,World,0.986768 +gmail.com,rima-tde.net,inbound,001,World,0.99915 +gmail.com,rogers.com,inbound,001,World,0.999917 +gmail.com,rr.com,inbound,001,World,0.967896 +gmail.com,sbcglobal.net,inbound,001,World,0.998817 +gmail.com,secureserver.net,inbound,001,World,0.272513 +gmail.com,seed.net.tw,inbound,001,World,0.992252 +gmail.com,sfr.net,inbound,001,World,0.999878 +gmail.com,shawcable.net,inbound,001,World,0.999998 +gmail.com,singnet.com.sg,inbound,001,World,0.955461 +gmail.com,skybroadband.com,inbound,001,World,0.999854 +gmail.com,spcsdns.net,inbound,001,World,0.999998 +gmail.com,suddenlink.net,inbound,001,World,0.961594 +gmail.com,t-ipconnect.de,inbound,001,World,0.999841 +gmail.com,tdc.net,inbound,001,World,0.999591 +gmail.com,telecom.net.ar,inbound,001,World,0.999664 +gmail.com,telecomitalia.it,inbound,001,World,0.996998 +gmail.com,telekom.hu,inbound,001,World,0.999977 +gmail.com,telenet.be,inbound,001,World,1 +gmail.com,telepac.pt,inbound,001,World,0.999584 +gmail.com,telesp.net.br,inbound,001,World,0.999743 +gmail.com,telia.com,inbound,001,World,1 +gmail.com,telkomadsl.co.za,inbound,001,World,0.999989 +gmail.com,telus.com,inbound,001,World,1 +gmail.com,telus.net,inbound,001,World,0.974677 +gmail.com,threembb.co.uk,inbound,001,World,1 +gmail.com,tmodns.net,inbound,001,World,0.999979 +gmail.com,totbb.net,inbound,001,World,0.999876 +gmail.com,tpgi.com.au,inbound,001,World,0.999649 +gmail.com,tpnet.pl,inbound,001,World,0.999761 +gmail.com,veloxzone.com.br,inbound,001,World,0.999969 +gmail.com,verizon.net,inbound,001,World,0.990214 +gmail.com,videotron.ca,inbound,001,World,0.967213 +gmail.com,virginm.net,inbound,001,World,0.996611 +gmail.com,vodacom.co.za,inbound,001,World,1 +gmail.com,vodafone-ip.de,inbound,001,World,1 +gmail.com,vodafone.pt,inbound,001,World,0.999563 +gmail.com,vodafonedsl.it,inbound,001,World,0.999006 +gmail.com,vtr.net,inbound,001,World,0.999072 +gmail.com,wanadoo.fr,inbound,001,World,0.999753 +gmail.com,websitewelcome.com,inbound,001,World,1 +gmail.com,wideopenwest.com,inbound,001,World,0.999729 +gmail.com,windstream.net,inbound,001,World,0.951847 +gmail.com,yahoo.{...},inbound,001,World,0.999147 +gmail.com,ziggo.nl,inbound,001,World,1 +gmail.com,zoothost.com,inbound,001,World,0.033858 +gmo.jp,gmo-media.jp,inbound,001,World,0 +gmoes.jp,gmoes.jp,inbound,001,World,0 +gmsend.com,gmsend.com,inbound,001,World,0 +gmt.ne.jp,gmt.ne.jp,inbound,001,World,0 +gmx.de,gmx.net,inbound,001,World,1 +gmx.de,gmx.net,outbound,001,World,1 +gmx.net,gmx.net,inbound,001,World,1 +gnavi.co.jp,gnavi.co.jp,inbound,001,World,0.002441 +go.com,starwave.com,inbound,001,World,0.006276 +go4worldbusiness.com,go4worldbusiness.com,inbound,001,World,1 +goalunited.org,ccmdcampaigns.net,inbound,001,World,0 +gob.ar,gob.ar,inbound,001,World,0.159673 +gob.ec,gob.ec,inbound,001,World,0.618006 +godaddy.com,secureserver.net,inbound,001,World,0 +godtubemail.com,godtubemail.com,inbound,001,World,0 +godvinemail.com,godvinemail.com,inbound,001,World,0 +gog.com,gog.com,inbound,001,World,0 +gogecapital.com,rsys1.com,inbound,001,World,0 +gogroopie.com,gogroopie.com,inbound,001,World,0.000283 +gohappy.com.tw,gohappy.com.tw,inbound,001,World,0.000104 +goldenbrands.gr,goldenbrands.gr,inbound,001,World,1 +goldenline.pl,goldenline.pl,inbound,001,World,1 +goldenopsafelist.com,zoothost.com,inbound,001,World,0 +goldstar.com,goldstar.com,inbound,001,World,1 +golfmnb.com,golfmnb.com,inbound,001,World,0 +golfnow.com,email-golfnow.com,inbound,001,World,0 +gomaji.com,gomaji.com,inbound,001,World,0 +goodgame.com,emsmtp.com,inbound,001,World,0 +goodlife.pt,emv8.com,inbound,001,World,0 +google.com,postini.com,inbound,001,World,0.703706 +googlegroups.com,postini.com,inbound,001,World,0.674075 +googlemail.com,t-ipconnect.de,inbound,001,World,0.999957 +gop.com,gop.com,inbound,001,World,0 +gopusamedia.com,gopusamedia.com,inbound,001,World,0 +govdelivery.com,govdelivery.com,inbound,001,World,0 +govdelivery.com,postini.com,inbound,001,World,0.089736 +governmentjobs.com,governmentjobs.com,inbound,001,World,0 +gpmailer.com.br,parperfeito.com,inbound,001,World,0 +grabone-mail-ie.com,grabone-mail-ie.com,inbound,001,World,0 +grabone-mail.com,grabone-mail.com,inbound,001,World,0 +grassrootsaction.com,grassfire.net,inbound,001,World,0 +gratka.pl,gratka.pl,inbound,001,World,0 +greatergood.com,greatergood.com,inbound,001,World,0 +gree.jp,gree.jp,inbound,001,World,0 +grocerycouponnetwork.com,grocerycouponnetwork.com,inbound,001,World,0 +groopdealz.com,groopdealz.com,inbound,001,World,1 +groupalia.es,groupalia.es,inbound,001,World,0 +groupalia.it,groupalia.it,inbound,001,World,0 +groupon.jp,data-hotel.net,inbound,001,World,1e-06 +groupon.{...},chtah.net,inbound,001,World,0 +groupon.{...},groupon.{...},inbound,001,World,0.989844 +groupon.{...},postini.com,inbound,001,World,0.887392 +grouponmail.{...},grouponmail.{...},inbound,001,World,0 +grubhubmail.com,grubhubmail.com,inbound,001,World,0 +grupanya.com,euromsg.net,inbound,001,World,0 +grupos.com.br,grupos.com.br,inbound,001,World,0 +gtbank.com,gtbank.com,inbound,001,World,0.056121 +guess.ca,guess.com,inbound,001,World,0.000807 +guess.com,guess.com,inbound,001,World,0.003805 +guessfactory.com,guess.com,inbound,001,World,0.00164 +gumtree.com,marktplaats.nl,inbound,001,World,0 +gumtree.com.au,kijiji.com,inbound,001,World,0 +gunosy.com,gunosy.com,inbound,001,World,0.998682 +guruin.info,guru.net.in,inbound,001,World,1 +gurunavi.jp,gurunavi.jp,inbound,001,World,0 +gustazos.com,cityoferta.com,inbound,001,World,1 +gymglish.com,gymglish.com,inbound,001,World,0.000788 +habitaclia.com,splio.es,inbound,001,World,0.951406 +hallmark.com,hallmark.com,inbound,001,World,0 +hannaandersson.com,hannaandersson.com,inbound,001,World,0.013533 +harborfreightemail.com,harborfreightemail.com,inbound,001,World,0 +harristeetermail.com,harristeetermail.com,inbound,001,World,0.99673 +harvard.edu,harvard.edu,inbound,001,World,0.1751 +haskell.org,haskell.org,inbound,001,World,0.000703 +hautelook.com,hautelook.com,inbound,001,World,0.000459 +hayneedle.com,hayneedle.com,inbound,001,World,0 +hazteoir.org,hazteoir.org,inbound,001,World,0.31478 +hdfcbank.com,powerelay.com,inbound,001,World,1 +hdfcbank.net,powerelay.com,inbound,001,World,1 +hdfcbank.net,quickvmail.com,inbound,001,World,0 +helpareporter.net,helpareporter.com,inbound,001,World,0 +hepsiburada.com,euromsg.net,inbound,001,World,0 +herbalifemail.com,herbalifemail.com,inbound,001,World,0 +herculist.com,herculist.com,inbound,001,World,0 +heteml.jp,heteml.jp,inbound,001,World,0.950766 +hgtv.com,hgtv.com,inbound,001,World,0 +hh.ru,hh.ru,inbound,001,World,0.996236 +hhgreggemail.com,hhgreggemail.com,inbound,001,World,0 +hilton.com,hiltonemail.com,inbound,001,World,0 +hinet.net,hinet.net,inbound,001,World,0.007093 +hinet.net,hinet.net,outbound,001,World,0.00565 +hipchat.com,hipchat.com,inbound,001,World,1 +hipmunk.com,hipmunk.com,inbound,001,World,0 +hispavista.com,hispavista.com,inbound,001,World,0 +hln.be,persgroep-ops.net,inbound,001,World,0 +hm-f.jp,hm-f.jp,inbound,001,World,0 +hobsonsmail.com,hobsonsmail.com,inbound,001,World,0 +hollister-email.com,abercrombie-email.com,inbound,001,World,0 +home.ne.jp,zaq.ne.jp,inbound,001,World,9e-06 +homeaway.com,haspf.com,inbound,001,World,0 +homebaselife.com,ec-cluster.com,inbound,001,World,0 +homechoice.co.za,homechoice.co.za,inbound,001,World,0 +homedecorators.com,homedecorators.com,inbound,001,World,0 +homedepot.com,homedepot.com,inbound,001,World,1 +homedepotemail.com,homedepotemail.com,inbound,001,World,0 +honto.jp,honto.jp,inbound,001,World,0 +hootsuite.com,hootsuite.com,inbound,001,World,1 +horchowemail.com,horchowemail.com,inbound,001,World,0 +horoscope.com,center.com,inbound,001,World,2e-06 +hostelworld.com,bronto.com,inbound,001,World,0 +hostgator.com,hostgator.com,inbound,001,World,0.976131 +hostgator.com,websitewelcome.com,inbound,001,World,0.999822 +hotel.de,emp-mail.de,inbound,001,World,0 +hotels.com,hotels.com,inbound,001,World,0 +hotelurbano.com.br,allin.com.br,inbound,001,World,0 +hotmail.{...},hotmail.{...},inbound,001,World,0.999968 +hotmail.{...},hotmail.{...},outbound,001,World,1 +hotmail.{...},postini.com,inbound,001,World,0.837967 +hotornot.com,monopost.com,inbound,001,World,0.99472 +hotschedules.com,hotschedules.com,inbound,001,World,0 +hotspotmailer.com,hotspotmailer.com,inbound,001,World,1 +hotukdeals.com,hotukdeals.com,inbound,001,World,1 +hotwire.com,hotwire.com,inbound,001,World,0 +house.gov,house.gov,inbound,001,World,0.999966 +houseoffraser.co.uk,houseoffraser.co.uk,inbound,001,World,0 +houzz.com,houzz.com,inbound,001,World,1 +hp.com,hp.com,inbound,001,World,0.202841 +hpnotifier.nl,hpnotifier.nl,inbound,001,World,0 +hsbc.co.in,hsbc.com.hk,inbound,001,World,1 +hsbc.com.hk,hsbc.com.hk,inbound,001,World,1 +hsn.com,hsn.com,inbound,001,World,0 +htcampusmailer.com,eccluster.com,inbound,001,World,0 +hubspot.com,hubspot.com,inbound,001,World,1 +huinforma.com.br,huinforma.com.br,inbound,001,World,0 +hulumail.com,hulumail.com,inbound,001,World,0 +hungry-girl.com,hungry-girl.com,inbound,001,World,0 +hungryhouse.co.uk,mxmfb.com,inbound,001,World,0 +huntington.com,huntington.com,inbound,001,World,0.987351 +i-part.com.tw,i-part.com.tw,inbound,001,World,0.001865 +i-say.com,ipsos-interactive.com,inbound,001,World,1 +iamlgnd2.com,iamlgnd2.com,inbound,001,World,1 +ibm.com,ibm.com,inbound,001,World,0.94413 +ibps.in,sify.net,inbound,001,World,0 +ibpsorg.org,sify.net,inbound,001,World,0 +ibsys.com,ibsys.com,inbound,001,World,9e-05 +icbc.com.ar,clickexperts.net,inbound,001,World,0 +icbc.com.ar,standardbank.com.ar,inbound,001,World,0 +icelandmail.co.uk,emsg-live.co.uk,inbound,001,World,0 +icicibank.com,icicibank.com,inbound,001,World,0.009835 +icicisecurities.com,icicibank.com,inbound,001,World,0.000803 +icims.com,icims.com,inbound,001,World,0.999939 +icloud.com,apple.com,inbound,001,World,1 +icloud.com,icloud.com,outbound,001,World,1 +icloud.com,mac.com,inbound,001,World,1 +icloud.com,me.com,inbound,001,World,0.999995 +icors.org,lsoft.us,inbound,001,World,0 +icpbounce.com,icpbounce.com,inbound,001,World,0 +idc.email,nmsrv.com,inbound,001,World,1 +idealista.com,idealista.com,inbound,001,World,0.001627 +ideascost.com,ramcorp.in,inbound,001,World,0 +idgconnect-resources.com,idgconnect-resources.com,inbound,001,World,0 +ieee.org,ieee.org,inbound,001,World,0.999912 +ifttt.com,ifttt.com,inbound,001,World,1 +ig.com.br,ig.com.br,inbound,001,World,0 +ig.com.br,ig.com.br,outbound,001,World,0 +ign.com,ign.com,inbound,001,World,0 +ignitionsender.com,ignitionsender.com,inbound,001,World,0 +igot-mails.com,zoothost.com,inbound,001,World,0 +iheart.com,iheart.com,inbound,001,World,0 +iimjobs.com,iimjobs.com,inbound,001,World,1 +ikmultimedianews.com,ikmultimedianews.com,inbound,001,World,0.993319 +illinois.edu,illinois.edu,inbound,001,World,0.866481 +imageshost.ca,imageshost.ca,inbound,001,World,0 +imakenews.net,imakenews.com,inbound,001,World,0 +imi.ne.jp,lifemedia.jp,inbound,001,World,0 +immobilienscout24.de,immobilienscout24.de,inbound,001,World,1 +imo.im,imo.im,inbound,001,World,1 +imodules.com,imodules.com,inbound,001,World,0 +imvu.com,imvu.com,inbound,001,World,7e-06 +in-boxpays.com,in-boxpays.com,inbound,001,World,0 +inboxair.com,inboxair.com,inbound,001,World,0 +inboxdollars.com,inboxdollars.com,inbound,001,World,0 +inboxfirst.com,inboxfirst.com,inbound,001,World,0 +inboxmarketer-mail.com,inboxmarketer-mail.com,inbound,001,World,0.999877 +inboxpays.com,inboxpays.com,inbound,001,World,0 +inboxpounds.co.uk,inboxpounds.co.uk,inbound,001,World,0 +indeed.com,indeed.com,inbound,001,World,0.000121 +indeedemail.com,indeedemail.com,inbound,001,World,0 +independentlivingbullion.com,independentlivingbullion.com,inbound,001,World,0 +indiamart.com,indiamart.com,inbound,001,World,1 +indiaproperty.com,indiaproperty.com,inbound,001,World,0 +indiatimes.com,speakingtree.in,inbound,001,World,0 +indiatimeshop.com,sendpal.in,inbound,001,World,0 +indieroyale.com,desura.com,inbound,001,World,1 +infibeam.com,eccluster.com,inbound,001,World,0 +infobradesco.com.br,infobradesco.com.br,inbound,001,World,0 +infoempleo.com,infoempleo.com,inbound,001,World,0 +infojobs.com.br,anuntis.com,inbound,001,World,0 +infojobs.it,infojobs.it,inbound,001,World,0 +infojobs.net,infojobs.net,inbound,001,World,0 +infomoney.com.br,infomoney.com.br,inbound,001,World,1 +infopanel.jp,mailds.jp,inbound,001,World,0 +infopraca.pl,careesma.com,inbound,001,World,0 +informz.net,informz.net,inbound,001,World,0 +infos-micromania.com,infos-micromania.com,inbound,001,World,0 +infosephora.com,splio.com,inbound,001,World,0.962167 +infoworld.com,infoworld.com,inbound,001,World,0 +infradead.org,infradead.org,inbound,001,World,1 +infusionmail.com,infusionmail.com,inbound,001,World,0 +ingdirect.es,ingdirect.es,inbound,001,World,1 +inman.com,inman.com,inbound,001,World,0 +inmotionhosting.com,inmotionhosting.com,inbound,001,World,0.990051 +innovyx.net,innovyx.net,inbound,001,World,0 +ino.com,ino.com,inbound,001,World,0.999981 +insidehook.com,sailthru.com,inbound,001,World,0 +instagram.com,facebook.com,inbound,001,World,1 +instantprofitlist.com,screenshotads.com,inbound,001,World,0 +intage.co.jp,intage.co.jp,inbound,001,World,0.00557 +inter-chat.com,inter-chat.com,inbound,001,World,0 +interac.ca,certapay.com,inbound,001,World,0 +interactivebrokers.com,interactivebrokers.com,inbound,001,World,1 +interactiverealtyservices.com,interactiverealtyservices.com,inbound,001,World,0 +intercom.io,mailgun.info,inbound,001,World,1 +interdatesa.com,fagms.net,inbound,001,World,0 +interealty.net,interealty.net,inbound,001,World,1 +internations.org,internations.org,inbound,001,World,1 +interweave.com,interweave.com,inbound,001,World,0 +interwell.gr,interwell.gr,inbound,001,World,0 +intliv2.net,internationalliving.com,inbound,001,World,0 +intuit.com,intuit.com,inbound,001,World,0.89114 +invalidemail.com,taleo.net,inbound,001,World,1 +investopedia.com,vclk.net,inbound,001,World,0.999999 +investorplace.com,investorplace.com,inbound,001,World,0.995093 +inx1and1.de,1and1.com,inbound,001,World,1 +inxserver.com,inxserver.de,inbound,001,World,0.952863 +inxserver.de,inxserver.de,inbound,001,World,0.980838 +ipcmedia.co.uk,ipcmedia.co.uk,inbound,001,World,0 +iqelite.com,iqelite.com,inbound,001,World,0 +irctcshopping.com,chtah.net,inbound,001,World,0 +iridium.com,iridium.com,inbound,001,World,0.997882 +isbank.com.tr,isbank.com.tr,inbound,001,World,0.009655 +isendservice.com.br,isendservice.com.br,inbound,001,World,0 +itau-unibanco.com.br,itau.com.br,inbound,001,World,0 +itms.in.ua,itms.in.ua,inbound,001,World,0 +itsmyascent.com,itsmyascent.com,inbound,001,World,0 +ittoolbox.com,ittoolbox.com,inbound,001,World,0 +ittoolbox.com,toolbox.com,inbound,001,World,0 +itunes.com,apple.com,inbound,001,World,0.082921 +itwhitepapers.com,itwhitepapers.com,inbound,001,World,0 +iwantoneofthose.com,thehut.com,inbound,001,World,0 +ixs1.net,ixs1.net,inbound,001,World,0.005131 +jackwills.com,jackwills.com,inbound,001,World,0 +jalag.de,jalag.de,inbound,001,World,1 +jane.com,jane.com,inbound,001,World,1 +jango.com,jango.com,inbound,001,World,0 +jared.com,jared.com,inbound,001,World,0 +jcity.com,jcity.com,inbound,001,World,0 +jcpenney.com,jcpenney.com,inbound,001,World,9e-06 +jdate.com,postdirect.com,inbound,001,World,0 +jeevansathi.com,jeevansathi.com,inbound,001,World,0 +jetprivilege.com,jetprivilege.com,inbound,001,World,0 +jetsetter.com,smartertravelmedia.com,inbound,001,World,0.041362 +jeuxvideo.com,jeuxvideo.com,inbound,001,World,0.148921 +jeweloscoemail.com,email-mywebgrocer2.com,inbound,001,World,0 +jibjab.com,storybots.com,inbound,001,World,0 +jira.com,uc-inf.net,inbound,001,World,1 +jiscmail.ac.uk,lsoft.se,inbound,001,World,0 +joann-mail.com,joann-mail.com,inbound,001,World,0 +jobinsider.com,jobinsider.com,inbound,001,World,0 +jobinthailand.com,jobinthailand.com,inbound,001,World,1 +jobisjob.com,jobisjob.com,inbound,001,World,0 +jobmaster.co.il,jobmaster1.co.il,inbound,001,World,0 +jobomas.com,jobomas.com,inbound,001,World,1 +jobrapidoalert.com,jobrapidoalert.com,inbound,001,World,0 +jobs2web.com,ondemand.com,inbound,001,World,1 +jobscentral.com.sg,mailgun.net,inbound,001,World,1 +jobsdbalert.co.id,jobsdbalert.co.id,inbound,001,World,0 +jobsdbalert.com,jobsdbalert.com,inbound,001,World,0 +jobsdbalert.com.hk,jobsdbalert.com.hk,inbound,001,World,0 +jobsdbalert.com.sg,jobsdbalert.com.sg,inbound,001,World,0 +jobserve.com,jobserve.com,inbound,001,World,0 +jobsindubai.com,jobsindubai.ca,inbound,001,World,0 +jobsite.co.uk,jobsite.co.uk,inbound,001,World,0.000509 +jobson.com,jobsonmail.com,inbound,001,World,0 +jobsradar.com,jobsradar.com,inbound,001,World,0 +jobstreet.com,jobstreet.com,inbound,001,World,0 +jockeycomfort.com,jockeycomfort.com,inbound,001,World,0 +johnstonandmurphy-email.com,johnstonandmurphy-email.com,inbound,001,World,0 +jomashop.com,lstrk.net,inbound,001,World,1 +joobmailer.com,joobmailer.com,inbound,001,World,0 +josbank.com,josbank.com,inbound,001,World,0 +joshin.co.jp,joshin.co.jp,inbound,001,World,8e-06 +jossandmain.com,jossandmain.com,inbound,001,World,0 +jpcycles.com,jpcycles.com,inbound,001,World,0.001716 +jtv.com,jtv.com,inbound,001,World,0 +jumia.com.ng,fagms.de,inbound,001,World,0 +jungleerummy.com,jungleerummy.com,inbound,001,World,1 +juno.com,untd.com,inbound,001,World,0 +juno.com,untd.com,outbound,001,World,0 +jusbrasil.com.br,jusbrasil.com.br,inbound,001,World,0 +just-eat.co.uk,ec-cluster.com,inbound,001,World,0 +justclick.ru,justclick.ru,inbound,001,World,0 +justdial.com,iaires.com,inbound,001,World,0 +justdial.com,mailurja.com,inbound,001,World,0 +justfab.com,bronto.com,inbound,001,World,0 +justfab.fr,bronto.com,inbound,001,World,0 +k1speed.com,k1speed.com,inbound,001,World,1 +kagoya.net,kagoya.net,inbound,001,World,0.013097 +kalunga.com.br,kalunga.com.br,inbound,001,World,0 +karvy.com,karvy.com,inbound,001,World,0.045186 +kasikornbank.com,kasikornbank.com,inbound,001,World,0 +kaskusnetworks.com,kaskus.com,inbound,001,World,0 +kay.com,kay.com,inbound,001,World,0 +keek.com,keek.com,inbound,001,World,1 +kernel.org,kernel.org,inbound,001,World,0 +kgbdeals.co.uk,email1-kgbdeals.com,inbound,001,World,0 +kgstores.com,kgstores.com,inbound,001,World,0 +kiabi.com,dms-02.net,inbound,001,World,0 +kickstarter.com,kickstarter.com,inbound,001,World,1 +kidsfootlocker.com,footlocker.com,inbound,001,World,0 +kijiji.ca,kijiji.com,inbound,001,World,0 +kik.com,kik.com,inbound,001,World,1 +kimblegroup.com,kimblegroup.com,inbound,001,World,1 +kintera.com,kintera.com,inbound,001,World,0 +kismia.com,kismia.com,inbound,001,World,1 +kiwari.com,kiwari.com,inbound,001,World,9e-06 +klaviyomail.com,klaviyomail.com,inbound,001,World,1 +kliksa.net,euromsg.net,inbound,001,World,0 +kliktoday.com,kliktoday.com,inbound,001,World,0 +klm-mail.com,klm-mail.com,inbound,001,World,0 +klove.com,emfbroadcasting.com,inbound,001,World,0 +kohls.com,kohls.com,inbound,001,World,0 +komando.com,komando.com,inbound,001,World,0 +kongregate.com,kongregate.com,inbound,001,World,0 +kotak.com,kotak.com,inbound,001,World,0.115651 +kp.org,kp.org,inbound,001,World,0.999975 +krogermail.com,bigfootinteractive.com,inbound,001,World,0 +krs.bz,tricorn.net,inbound,001,World,0 +kubra.com,kubra.com,inbound,001,World,1.8e-05 +kundenserver.de,kundenserver.de,inbound,001,World,1 +kvbmail.com,kvbmail.com,inbound,001,World,0 +la-meteo-mail.fr,splio.com,inbound,001,World,1 +laaptuemail.com,laaptuemail.com,inbound,001,World,0 +lakewoodchurch.com,lakewoodchurch.com,inbound,001,World,0 +lancers.jp,lancers.jp,inbound,001,World,0 +landmarketingmailer.com,zoothost.com,inbound,001,World,0 +landofnod.com,landofnod.com,inbound,001,World,0.002525 +landsend.com,email-landsend.com,inbound,001,World,0 +landsend.com,postdirect.com,inbound,001,World,0 +languagepod101.com,eclient10.com,inbound,001,World,0 +languagepod101.com,eddlvr.com,inbound,001,World,0 +languagepod101.com,ednwsltr3.com,inbound,001,World,0 +languagepod101.com,ednwsltr8.com,inbound,001,World,0 +languagepod101.com,emaildirect.net,inbound,001,World,0 +laposte.net,laposte.net,inbound,001,World,0.271722 +laposte.net,laposte.net,outbound,001,World,0 +laptuinvite.com,laptuinvite.com,inbound,001,World,0 +laredoute.fr,laredoute.fr,inbound,001,World,0 +lasenza.com,lasenza.com,inbound,001,World,0 +lastcallemail.com,lastcallemail.com,inbound,001,World,0 +lastminute.com,lastminute.com,inbound,001,World,0.00831 +laterooms.com,laterooms.com,inbound,001,World,0.014746 +latimes.com,latimes.com,inbound,001,World,0 +lauraashley.com,lauraashley.com,inbound,001,World,0 +lazerhits.com,lazerhits.com,inbound,001,World,1 +leadercontato.com.br,leadercontato.com.br,inbound,001,World,0 +leboncoin.fr,leboncoin.fr,inbound,001,World,0 +lefigaro.fr,splio.com,inbound,001,World,1 +leftlanesports.com,auspient.com,inbound,001,World,0.00705 +leftlanesports.com,leftlanesports.com,inbound,001,World,0 +legalshieldassociate.com,legalshield.com,inbound,001,World,0 +lelong.my,lelong.com.my,inbound,001,World,1 +lelong.my,lelong.net.my,inbound,001,World,1 +lemonde.fr,lemonde.fr,inbound,001,World,0.000111 +leparisien.fr,leparisien.fr,inbound,001,World,0 +lexico.com,lexico.com,inbound,001,World,0 +lexpress.fr,bp06.net,inbound,001,World,0 +libero.it,libero.it,inbound,001,World,0.00024 +libero.it,libero.it,outbound,001,World,0 +life360.com,life360.com,inbound,001,World,1 +lifecare-news.com,email-lifecare.com,inbound,001,World,0 +lifecooler.com,1-hostingservice.com,inbound,001,World,0 +lifemiles.com,bigfootinteractive.com,inbound,001,World,0 +lifescript.com,ilinkmd.com,inbound,001,World,0 +lindenlab.com,lindenlab.com,inbound,001,World,0.999444 +line.me,naver.com,inbound,001,World,1 +line6.com,line6.com,inbound,001,World,2.7e-05 +linkedin.com,linkedin.com,inbound,001,World,0.998882 +linkedin.com,postini.com,inbound,001,World,0.835872 +linkedin.com,yahoo.{...},inbound,001,World,0.999927 +linkshare.com,linksynergy.com,inbound,001,World,0 +liquidation.com,liquidation.com,inbound,001,World,6e-06 +listadventure.com,adlabsinc.com,inbound,001,World,0 +listbuildingmaximizer.com,listbuildingmaximizer.com,inbound,001,World,0.00023 +listeneremail.net,listeneremail.net,inbound,001,World,0 +listia.com,listia.com,inbound,001,World,1 +listjoe.com,adlabsinc.com,inbound,001,World,0 +listnerds.com,listnerds.com,inbound,001,World,0 +listreturn.com,zoothost.com,inbound,001,World,0 +listserve.com,listserve.com,inbound,001,World,0 +listvolta.com,listvolta.com,inbound,001,World,0 +listwire.com,listwire.com,inbound,001,World,0 +litres.ru,litres.ru,inbound,001,World,1 +live.{...},hotmail.{...},inbound,001,World,0.999954 +live.{...},hotmail.{...},outbound,001,World,1 +livedoor.com,livedoor.com,inbound,001,World,0 +livefyre.com,andbit.net,inbound,001,World,1 +livejournal.com,livejournal.com,inbound,001,World,0 +livemailservice.com,livemailservice.com,inbound,001,World,0 +livenation.com,exacttarget.com,inbound,001,World,0 +livescribe.com,bronto.com,inbound,001,World,0 +livingsocial.com,livingsocial.com,inbound,001,World,0 +livrariasaraiva.com.br,livrariasaraiva.com.br,inbound,001,World,0 +lmlmgv.com.br,gvarev.com.br,inbound,001,World,0 +localhires.com,localhires.com,inbound,001,World,1 +loccitane.com,neolane.net,inbound,001,World,0 +loft.com,anntaylor.com,inbound,001,World,0 +logentries.com,logentries.com,inbound,001,World,0 +logitech.com,dvsops.com,inbound,001,World,0 +logmein.com,logmein.com,inbound,001,World,0.031467 +lojasmarisa.com.br,lojasmarisa.com.br,inbound,001,World,0 +lolsolos.com,ultimateadsites.net,inbound,001,World,0.999996 +lombardipublishing.com,lombardipublishing.com,inbound,001,World,0 +lonelywifehookup.com,iverificationsystems.com,inbound,001,World,0 +lookout.com,lookout.com,inbound,001,World,1 +lordandtaylor.com,lordandtaylor.com,inbound,001,World,0 +loveaholics.com,ropot.net,inbound,001,World,0 +lovelywholesale.com,lovelywholesale.com,inbound,001,World,1 +loveplanet.ru,pochta.ru,inbound,001,World,0.640035 +lowcostholidays.co.uk,communicatoremail.com,inbound,001,World,0 +lrsmail.com,lrsmail.com,inbound,001,World,0 +lsi.com,postini.com,inbound,001,World,0.981121 +lt02.net,listrak.com,inbound,001,World,1 +lt02.net,lstrk.net,inbound,001,World,1 +ltdcommodities.com,ltdcomm.net,inbound,001,World,0 +lua.org,pepperfish.net,inbound,001,World,1 +luckymag.com,mkt4500.com,inbound,001,World,0 +ludokados.com,ludokado.com,inbound,001,World,0 +lulu.com,bronto.com,inbound,001,World,0 +lulus.com,lstrk.net,inbound,001,World,1 +lumosity.com,lumosity.com,inbound,001,World,1 +luxa.jp,luxa.jp,inbound,001,World,0 +lynxmail.in,iaires.com,inbound,001,World,0 +lyris.net,lyris.net,inbound,001,World,0 +lyst.com,lyst.com,inbound,001,World,1 +m1e.net,m1e.net,inbound,001,World,0.000342 +m3.com,m3.com,inbound,001,World,0 +mac.com,icloud.com,outbound,001,World,1 +mac.com,mac.com,inbound,001,World,1 +maccosmetics.com,esteelauder.com,inbound,001,World,0 +macromill.com,macromill.com,inbound,001,World,1e-06 +macupdate.com,mailgun.info,inbound,001,World,1 +macys.com,macys.com,inbound,001,World,0 +madmels.info,ultimateadsites.net,inbound,001,World,1 +madmimi.com,madmimi.com,inbound,001,World,0 +mag2.com,tandem-m.com,inbound,001,World,0 +magicbricks.com,tbsl.in,inbound,001,World,0 +magicjack.com,magicjack.com,inbound,001,World,1 +magix.net,magix.net,inbound,001,World,0.673176 +magnetdev.com,magnetmail.net,inbound,001,World,0 +mail-backcountry.com,email-bcmarketing.com,inbound,001,World,0 +mail-boss.com,mail-boss.com,inbound,001,World,0 +mail-cdiscount.com,mail-cdiscount.com,inbound,001,World,0 +mail-mbank.pl,mail-mbank.pl,inbound,001,World,0 +mail-route.com,mail-route.com,inbound,001,World,0 +mail-thestreet.com,mail-thestreet.com,inbound,001,World,0 +mail.mil,mail.mil,inbound,001,World,0 +mail.ru,mail.ru,inbound,001,World,0.987506 +mail.ru,mail.ru,outbound,001,World,0.00674 +mailaccurate.com,mgenie.in,inbound,001,World,0 +mailchimp.com,mailchimp.com,inbound,001,World,0.967415 +maileclipse.com,emce2.in,inbound,001,World,0 +mailengine1.com,mailengine1.com,inbound,001,World,0 +mailer-service.de,mailer-service.de,inbound,001,World,4.9e-05 +mailer4u.in,elabs10.com,inbound,001,World,0 +mailersend.com,mailersend.com,inbound,001,World,0 +mailfacil.com.br,md02.com,inbound,001,World,0 +mailfeast.com,mgenie.in,inbound,001,World,0 +mailgun.org,mailgun.info,inbound,001,World,1 +mailgun.org,mailgun.net,inbound,001,World,1 +mailgun.org,mailgun.us,inbound,001,World,1 +mailing-list.it,mailing-list.it,inbound,001,World,0 +mailingathome.net,mailingathome.net,inbound,001,World,0.999995 +mailjayde.com,mailjayde.com,inbound,001,World,0 +mailjet.com,mailjet.com,inbound,001,World,0.436025 +mailmachine1050.com,mailmachine1050.com,inbound,001,World,0 +mailmailmail.net,mailmailmail.net,inbound,001,World,0 +mailoct.in,tcmailer14.in,inbound,001,World,0 +mailoct1.in,mailoct1.in,inbound,001,World,0 +mailoct1.in,myntramail2.in,inbound,001,World,0 +mailorama.fr,mailorama.fr,inbound,001,World,0 +mailplus.nl,brightbase.net,inbound,001,World,1 +mailpost.in,iaires.com,inbound,001,World,0 +mailpv.net,pvmailer.net,inbound,001,World,1 +mailquant.com,iaires.com,inbound,001,World,0 +mailsend1.com,mailsend6.com,inbound,001,World,0 +mailsender.com.br,mailsender.com.br,inbound,001,World,0 +maisonsdumonde.com,bp06.net,inbound,001,World,0 +makro.nl,srv2.de,inbound,001,World,0.88256 +manager.com.br,manager.com.br,inbound,001,World,0 +mandrillapp.com,backpage.com,inbound,001,World,1 +mandrillapp.com,mandrillapp.com,inbound,001,World,1 +mandrillapp.com,mcsignup.com,inbound,001,World,1 +mandrillapp.com,myjobhelperalerts.com,inbound,001,World,1 +mango.com,emstechnology2.net,inbound,001,World,0 +manipal.edu,iaires.com,inbound,001,World,0 +manta.com,exacttarget.com,inbound,001,World,0 +mapfre.com,emv5.com,inbound,001,World,0 +mar0.net,mar0.net,inbound,001,World,0.976409 +marcustheatres.com,movio.co,inbound,001,World,0 +markandgraham.com,markandgraham.com,inbound,001,World,0 +markavip.com,markavip.com,inbound,001,World,0 +marketer-safelist.com,jsalfianmarketing.com,inbound,001,World,1 +marketinghq.net,elabs8.com,inbound,001,World,0 +marketingprofs.com,marketingprofs.com,inbound,001,World,0.004412 +marketingstudio.com,marketingstudio.com,inbound,001,World,0 +marksandspencer.com,marksandspencer.com,inbound,001,World,0 +marktplaats.nl,marktplaats.nl,inbound,001,World,0 +marlboro.com,marlboro.com,inbound,001,World,0 +maropost.com,biotrustnews.com,inbound,001,World,0 +maropost.com,mailing-truthaboutabs.com,inbound,001,World,0 +maropost.com,maropost.com,inbound,001,World,0 +maropost.com,mp2200.com,inbound,001,World,0 +maropost.com,mp2201.com,inbound,001,World,0 +maropost.com,survivallife.com,inbound,001,World,0 +marykay.com,marykay.com,inbound,001,World,0 +masivapp.com,masivapp.com,inbound,001,World,1 +massageenvyclinics.com,massageenvyclinics.com,inbound,001,World,0 +masterbase.com,masterbase.com,inbound,001,World,0 +mastercard-email.com,mastercard-email.com,inbound,001,World,0 +match.com,match.com,inbound,001,World,0 +matchwereld.nl,matchwereld.nl,inbound,001,World,0 +mate1.net,mate1.net,inbound,001,World,0 +matrixemailer.com,matrixemailer.com,inbound,001,World,0 +maxpark.com,gidepark.ru,inbound,001,World,1 +mbga.jp,mbga.jp,inbound,001,World,0 +mbna.co.uk,ec-cluster.com,inbound,001,World,0 +mbounces.com,emdbms.com,inbound,001,World,0 +mbstrm.com,mobilestorm.com,inbound,001,World,0 +mcafee.com,mcafee.com,inbound,001,World,0.963535 +mcarthurglen.com,mcarthurglen.com,inbound,001,World,0 +mcdlv.net,mcdlv.net,inbound,001,World,0 +mcdlv.net,postini.com,inbound,001,World,0.082163 +mckinsey.com,bigfootinteractive.com,inbound,001,World,0 +mcsv.net,mcsv.net,inbound,001,World,0 +mcsv.net,postini.com,inbound,001,World,0.101883 +mdirector.com,mdrctr.com,inbound,001,World,0 +mdlinx.com,mdlinx.com,inbound,001,World,0 +me.com,icloud.com,outbound,001,World,1 +me.com,mac.com,inbound,001,World,1 +mec.gov.br,mec.gov.br,inbound,001,World,0 +mecumauction.com,mecumauction.com,inbound,001,World,0 +medallia.com,medallia.com,inbound,001,World,0.999682 +mediabistro.com,iworld.com,inbound,001,World,0.006428 +mediapost.com,mediapost.com,inbound,001,World,0 +medium.com,messagebus.com,inbound,001,World,0 +medpagetoday.com,wc09.net,inbound,001,World,0 +medscape.com,medscape.com,inbound,001,World,0 +meetic.com,meetic.com,inbound,001,World,0 +meetmemail.com,meetmemail.com,inbound,001,World,0 +meetup.com,meetup.com,inbound,001,World,5e-06 +megasenders.com,megasenders.com,inbound,001,World,0.07662 +melaleuca.com,melaleuca.com,inbound,001,World,0.003493 +memberdealsusa.com,memberdealsusa.com,inbound,001,World,0 +menswearhouse.com,menswearhouse.com,inbound,001,World,0 +mequedouno.com,mequedouno.com,inbound,001,World,0 +mercadojobs.com,sendgrid.net,inbound,001,World,1 +mercadolibre.com,mercadolibre.com,inbound,001,World,0 +mercadolivre.com,mercadolibre.com,inbound,001,World,0 +merceworld.com,merceworld.com,inbound,001,World,0.996738 +mercola.com,mercola.com,inbound,001,World,0.000369 +merodea.me,sendgrid.net,inbound,001,World,1 +messagegears.net,messagegears.net,inbound,001,World,0 +met-art.com,hydentra.com,inbound,001,World,1 +metro.co.in,srv2.de,inbound,001,World,0.966947 +metrodeal.com,fagms.de,inbound,001,World,0 +mgmresorts.com,mgmresorts.com,inbound,001,World,0 +mgo.com,bronto.com,inbound,001,World,0 +michaels.com,chtah.net,inbound,001,World,0 +michaels.com,michaels.com,inbound,001,World,0 +microcentermedia.com,bfi0.com,inbound,001,World,0 +microsoft.com,hotmail.{...},inbound,001,World,1 +microsoft.com,msn.com,inbound,001,World,1 +microsoftemail.com,microsoftemail.com,inbound,001,World,0 +microsoftemail.com,microsoftstoreemail.com,inbound,001,World,0 +midnightsunsafelist.com,zoothost.com,inbound,001,World,0 +mightydeals.co.uk,mightydeals.co.uk,inbound,001,World,0 +mileageplusshoppingnews.com,mail-skymilesshoppingsupport.com,inbound,001,World,0 +milfaholic.com,iverificationsystems.com,inbound,001,World,0 +miltnews.com,miltnews.com,inbound,001,World,0 +mindbodyonline.com,mindbodyonline.com,inbound,001,World,1 +mindfieldonline.com,mindfieldonline.com,inbound,001,World,0 +mindmoviesmail.com,mindmoviesmail.com,inbound,001,World,0.004239 +mindvalleymail3.com,mindvalleymail3.com,inbound,001,World,0 +minhavida.com.br,minhavida.com.br,inbound,001,World,0 +mint.com,mint.com,inbound,001,World,0 +minted.com,messagelabs.com,inbound,001,World,0.999669 +mirtesen.ru,mtml.ru,inbound,001,World,0 +missselfridge.com,wallis-fashion.com,inbound,001,World,0 +mistersafelist.com,zoothost.com,inbound,001,World,0 +mit.edu,mit.edu,inbound,001,World,0.868705 +mitula.net,mitula.org,inbound,001,World,0 +mitula.org,mitula.org,inbound,001,World,0 +mixcloudmail.com,mixcloudmail.com,inbound,001,World,0.995482 +mixi.jp,mixi.jp,inbound,001,World,0 +mjinn.com,mailurja.com,inbound,001,World,0 +mkt015.com,mkt015.com,inbound,001,World,0 +mkt022.com,mkt022.com,inbound,001,World,0 +mkt063.com,mkt063.com,inbound,001,World,0 +mkt1136.com,mkt1136.com,inbound,001,World,0 +mkt1985.com,fmlinks.net,inbound,001,World,0 +mkt2010.com,mkt2010.com,inbound,001,World,0 +mkt2106.com,mkt2106.com,inbound,001,World,0 +mkt2170.com,mkt2170.com,inbound,001,World,0 +mkt2181.com,mkt2181.com,inbound,001,World,0 +mkt2615.com,mkt2615.com,inbound,001,World,0 +mkt2813.com,mkt2813.com,inbound,001,World,0 +mkt2944.com,mkt2944.com,inbound,001,World,0 +mkt3134.com,mkt3134.com,inbound,001,World,0 +mkt3142.com,mkt3142.com,inbound,001,World,0 +mkt3156.com,mkt3156.com,inbound,001,World,0 +mkt3203.com,mkt3203.com,inbound,001,World,0 +mkt346.com,mkt346.com,inbound,001,World,0 +mkt3544.com,mkt3544.com,inbound,001,World,0 +mkt3622.com,mkt3622.com,inbound,001,World,0 +mkt3682.com,mkt3682.com,inbound,001,World,0 +mkt3690.com,mkt3690.com,inbound,001,World,0 +mkt3695.com,mkt3695.com,inbound,001,World,0 +mkt3804.com,mkt3804.com,inbound,001,World,0 +mkt3815.com,mkt3815.com,inbound,001,World,0 +mkt3952.com,xoom.com,inbound,001,World,0 +mkt4355.com,mkt4355.com,inbound,001,World,0 +mkt4364.com,mkt4364.com,inbound,001,World,0 +mkt459.com,mkt459.com,inbound,001,World,0 +mkt4701.com,mkt4701.com,inbound,001,World,0 +mkt4728.com,mkt4728.com,inbound,001,World,0 +mkt4731.com,mkt4731.com,inbound,001,World,0 +mkt4738.com,mkt4738.com,inbound,001,World,0 +mkt5071.com,mkt5071.com,inbound,001,World,0 +mkt5098.com,mkt5098.com,inbound,001,World,0 +mkt5131.com,mkt5131.com,inbound,001,World,0 +mkt5144.com,mkt5144.com,inbound,001,World,0 +mkt5144.com,mkt5980.com,inbound,001,World,0 +mkt5144.com,mkt5981.com,inbound,001,World,0 +mkt5181.com,mkt5181.com,inbound,001,World,0 +mkt5269.com,mkt5269.com,inbound,001,World,0 +mkt529.com,mkt529.com,inbound,001,World,0 +mkt5297.com,mkt5297.com,inbound,001,World,0 +mkt5297.com,mkt5309.com,inbound,001,World,0 +mkt5371.com,mkt5371.com,inbound,001,World,0 +mkt5806.com,mkt5806.com,inbound,001,World,0 +mkt5934.com,mkt5934.com,inbound,001,World,0 +mkt5937.com,mkt5937.com,inbound,001,World,0 +mkt5970.com,mkt5970.com,inbound,001,World,0 +mkt6100.com,mkt6098.com,inbound,001,World,0 +mkt6276.com,mkt6276.com,inbound,001,World,0 +mkt6323.com,mkt6323.com,inbound,001,World,0 +mkt746.com,mkt746.com,inbound,001,World,0 +mkt824.com,mkt869.com,inbound,001,World,0 +mktdillards.com,mktdillards.com,inbound,001,World,0 +mktid10.com,1-hostingservice.com,inbound,001,World,0 +mktomail.com,mktdns.com,inbound,001,World,0 +mktomail.com,mktomail.com,inbound,001,World,0 +mktomail.com,mktroute.com,inbound,001,World,0 +ml.com,bankofamerica.com,inbound,001,World,1 +mlgns.com,mlgns.com,inbound,001,World,0 +mlgnserv.com,mlgnserv.com,inbound,001,World,0 +mlsend.com,mlsend.com,inbound,001,World,0 +mlsend2.com,mlsend2.com,inbound,001,World,0 +mlssoccer.com,mlssoccer.com,inbound,001,World,0 +mmaco.net,mmaco.net,inbound,001,World,0.999998 +mmagic.jp,mmagic.jp,inbound,001,World,0.000531 +mmks.it,mail-maker.it,inbound,001,World,0 +mmorpg.com,mmorpg.com,inbound,001,World,0.002979 +mmsecure.nl,donenad.nl,inbound,001,World,0 +mo1send.com,mo1send.com,inbound,001,World,0 +mobile01.com,mobile01.com,inbound,001,World,0 +mobly.com.br,mobly.com.br,inbound,001,World,0 +mocospace.com,mocospace.com,inbound,001,World,0 +modellsemail.com,n-email.net,inbound,001,World,0 +modnakasta.ua,emv5.com,inbound,001,World,0 +monex.co.jp,monex.co.jp,inbound,001,World,0.019424 +moneycontrol.com,active18.com,inbound,001,World,0 +moneyforward.com,moneyforward.com,inbound,001,World,0 +moneymorning.com,moneymappress.com,inbound,001,World,0 +moneysupermarketmail.com,moneysupermarketmail.com,inbound,001,World,0 +monipla.jp,aainc.co.jp,inbound,001,World,0 +monografias.com,elistas.net,inbound,001,World,0 +monster.co.in,monster.co.in,inbound,001,World,0 +monster.com,monster.com,inbound,001,World,0.000231 +monster.com,tmpw.net,inbound,001,World,0.000503 +monsterindia.com,monster.co.in,inbound,001,World,0 +moon-ray.com,moon-ray.com,inbound,001,World,0.001892 +mooply.co,mailendo.com,inbound,001,World,0 +mooresclothing.com,mooresclothing.com,inbound,001,World,0 +morhipo.com,euromsg.net,inbound,001,World,0 +morningstar.net,morningstar.net,inbound,001,World,0 +mothercaregroup.com,neolane.net,inbound,001,World,0 +motosnap.com,motosnap.com,inbound,001,World,0.994795 +moveon.org,moveon.org,inbound,001,World,0.99577 +moviestarplanet.com,moviestarplanet.com,inbound,001,World,0 +mozilla.org,mozilla.com,inbound,001,World,0.633237 +mpme.jp,mpme.jp,inbound,001,World,0 +mpse.jp,emsaqua.jp,inbound,001,World,0 +mpse.jp,emsbeige.jp,inbound,001,World,0 +mpse.jp,emsbrown.jp,inbound,001,World,0 +mpse.jp,emscyan.jp,inbound,001,World,0 +mpse.jp,emsgold.jp,inbound,001,World,0 +mpse.jp,emslime.jp,inbound,001,World,0 +mpse.jp,emsnavy.jp,inbound,001,World,0 +mpse.jp,emspink.jp,inbound,001,World,0 +mpse.jp,emssnow.jp,inbound,001,World,0 +mpse.jp,mpme.jp,inbound,001,World,0 +mpse.jp,yahoo.co.jp,inbound,001,World,0 +mpsnd.ch,agenceweb.net,inbound,001,World,0 +mrc.org,msgfocus.com,inbound,001,World,0 +mrmlsmatrix.com,mrmlsmatrix.com,inbound,001,World,0 +ms.com,ms.com,inbound,001,World,1 +ms00.net,ms00.net,inbound,001,World,0 +msdp1.com,msdp1.com,inbound,001,World,0 +msgfocus.com,msgfocus.com,inbound,001,World,0.011658 +msn.com,hotmail.{...},inbound,001,World,0.999964 +msn.com,hotmail.{...},outbound,001,World,1 +mta.info,ealert.com,inbound,001,World,0 +mtasv.net,mtasv.net,inbound,001,World,0.999999 +musiciansfriend.com,musiciansfriend.com,inbound,001,World,0 +musicnotes-alerts.com,mybuys.com,inbound,001,World,0 +mustanglist.com,mustanglist.com,inbound,001,World,0 +mxmfb.com,mxmfb.com,inbound,001,World,0 +mycheapoair.com,mycheapoair.com,inbound,001,World,0.957931 +mycolorscreen.com,mta4.net,inbound,001,World,0 +mydailymoment.biz,mydailymoment.biz,inbound,001,World,0 +mydailymoment.info,mydailymoment.info,inbound,001,World,0 +mydailymoment.net,mydailymoment.net,inbound,001,World,0 +mydailymoment.us,mydailymoment.us,inbound,001,World,0 +myfedloan.org,aessuccess.org,inbound,001,World,0.328917 +myfitnesspal.com,messagebus.com,inbound,001,World,0 +myfxbook.com,myfxbook.com,inbound,001,World,0 +mygreatlakes.org,glhec.org,inbound,001,World,0.000247 +mygroupon.co.th,grouponmail.{...},inbound,001,World,0 +myhealthwealthandhappiness.com,myhealthwealthandhappiness.com,inbound,001,World,0 +myheritage.com,myheritage.com,inbound,001,World,0 +myideeli.com,myideeli.com,inbound,001,World,0 +mymeijer.com,mymeijer.com,inbound,001,World,0 +mymms.com,fagms.de,inbound,001,World,0 +mynavi.jp,mynavi.jp,inbound,001,World,3.5e-05 +myngp.com,ngpweb.com,inbound,001,World,0 +myntramail.com,iaires.com,inbound,001,World,0 +myntramail.com,myntramail.com,inbound,001,World,0 +myntramails.in,icubes.in,inbound,001,World,0 +myoutlets.in,trustmailer.com,inbound,001,World,0 +myperfectsale.com,myperfectsale.com,inbound,001,World,0.999988 +mypoints.com,mypoints.com,inbound,001,World,0 +myprotein.com,thehut.com,inbound,001,World,0 +mysafelistmailer.com,mysafelistmailer.com,inbound,001,World,0.00033 +mysale.my,mysale.my,inbound,001,World,0 +mysale.ph,mysale.ph,inbound,001,World,0 +mysmartprice.com,itzwow.com,inbound,001,World,1 +mysupermarket.co.uk,mysupermarket.co.uk,inbound,001,World,0 +mysurvey.com,mysurvey.com,inbound,001,World,0 +mysurvey.eu,mysurvey.com,inbound,001,World,0 +myvegas.com,myvegas.com,inbound,001,World,1 +myzamanamail.com,myzamanamail.com,inbound,001,World,0 +n-email.net,n-email.net,inbound,001,World,0 +n-email1.net,n-email1.net,inbound,001,World,0 +n-email4.net,n-email4.net,inbound,001,World,0 +naaptoldeals.com,eccluster.com,inbound,001,World,0 +namorico.me,namorico.me,inbound,001,World,1 +nanomail.com.br,araie.com.br,inbound,001,World,1 +napitipp.hu,napitipp.hu,inbound,001,World,0 +nasa.gov,nasa.gov,inbound,001,World,0.082443 +nascar.com,nascar.com,inbound,001,World,0 +nastygal.com,bronto.com,inbound,001,World,0 +nasza-klasa.pl,nasza-klasa.pl,inbound,001,World,0 +nationalexpress.com,nationalexpress.com,inbound,001,World,0 +nationbuilder.com,nationbuilder.com,inbound,001,World,1 +nationwide-communications.co.uk,nationwide-communications.co.uk,inbound,001,World,0 +nature.com,nature.com,inbound,001,World,0 +naukri.com,naukri.com,inbound,001,World,0.002488 +nauta.cu,etecsa.net,inbound,001,World,0 +naver.com,naver.com,inbound,001,World,1 +naver.com,naver.com,outbound,001,World,1 +navy.mil,navy.mil,inbound,001,World,0.152107 +nba.com,nba.com,inbound,001,World,0.005828 +nbaa.org,nbaa.org,inbound,001,World,0 +ncl.com,ncl.com,inbound,001,World,0 +neimanmarcusemail.com,neimanmarcusemail.com,inbound,001,World,0 +nend.net,postini.com,inbound,001,World,0 +neolane.net,neolane.net,inbound,001,World,0.01682 +nesinemail.com,euromsg.net,inbound,001,World,0 +net-a-porter.com,net-a-porter.com,inbound,001,World,0 +net-empregos.com,net-empregos.com,inbound,001,World,0 +net-survey.jp,net-survey.jp,inbound,001,World,0 +netatlantic.com,netatlantic.com,inbound,001,World,0.001085 +netbk.co.jp,netbk.co.jp,inbound,001,World,0.010994 +netcommunity1.com,blackbaud.com,inbound,001,World,0 +netflix.com,amazonses.com,inbound,001,World,0.999999 +netflix.com,netflix.com,inbound,001,World,1 +netlogmail.com,netlogmail.com,inbound,001,World,0 +netopia.pt,netopia.pt,inbound,001,World,0.017294 +netprosoftmail.com,netprosoftmail.com,inbound,001,World,0 +netshoes.com.br,netshoes.com.br,inbound,001,World,0.078768 +netsuite.com,netsuite.com,inbound,001,World,0.57723 +networkworld.com,networkworld.com,inbound,001,World,0 +newegg.com,newegg.com,inbound,001,World,1e-06 +newgrounds.com,newgrounds.com,inbound,001,World,0 +newmarkethealth.com,newmarkethealth.com,inbound,001,World,0 +newrelic.com,sendlabs.com,inbound,001,World,0 +news-h5g.com,news-h5g.com,inbound,001,World,0 +newsletter-verychic.com,splio.es,inbound,001,World,0.9804 +newsmax.com,newsmax.com,inbound,001,World,0.004105 +newspaperdirect.com,newspaperdirect.com,inbound,001,World,0.000177 +newyorktimesinfo.com,newyorktimesinfo.com,inbound,001,World,0 +nexcess.net,nexcess.net,inbound,001,World,0.214803 +next-engine.org,next-engine.org,inbound,001,World,1 +nextdoor.com,mailgun.info,inbound,001,World,1 +nextdoor.com,mailgun.net,inbound,001,World,1 +nextdoor.com,nextdoor.com,inbound,001,World,1 +nfl.com,bfi0.com,inbound,001,World,0 +nflshop.com,nflshop.com,inbound,001,World,0 +nhs.jobs,nhscareersjobs.co.uk,inbound,001,World,0 +nic.in,relayout.nic.in,inbound,001,World,0 +nicovideo.jp,nicovideo.jp,inbound,001,World,0 +nieuwsblad.be,vummail.be,inbound,001,World,0 +nifty.com,nifty.com,inbound,001,World,0.762068 +nih.gov,nih.gov,inbound,001,World,8.8e-05 +nike.com,nike.com,inbound,001,World,0 +nikkei.com,nikkei.co.jp,inbound,001,World,0 +nikkeibp.co.jp,nikkeibp.co.jp,inbound,001,World,4.9e-05 +ninewestmail.com,ninewestmail.com,inbound,001,World,0 +ning.com,ning.com,inbound,001,World,0 +nissen.jp,nissen.jp,inbound,001,World,0 +nixle.com,nixle.com,inbound,001,World,0 +nl00.net,netline.com,inbound,001,World,5e-06 +nl00.net,nl00.net,inbound,001,World,0 +nmp1.com,nmp1.net,inbound,001,World,0 +nokia.com,nokia.com,inbound,001,World,0.001256 +nongnu.org,gnu.org,inbound,001,World,1 +nordstrom.com,taleo.net,inbound,001,World,1 +nortonfromsymantec.com,rsys1.com,inbound,001,World,0 +nos.pt,netcabo.pt,inbound,001,World,6.3e-05 +noticiasaominuto.com,ccmdcampaigns.net,inbound,001,World,0 +noticiasaominuto.com,noticiasaominuto.com,inbound,001,World,0 +novidadeslojasrenner.com.br,novidadeslojasrenner.com.br,inbound,001,World,0 +npr.org,npr.org,inbound,001,World,0 +nrholding.net,nrholding.net,inbound,001,World,0 +ns.nl,tripolis.com,inbound,001,World,0 +nsandi.com,mxmfb.com,inbound,001,World,0 +numbersusa.com,numbersusa.com,inbound,001,World,0 +nyandcompany.com,nyandcompany.com,inbound,001,World,0 +nytimes.com,nytimes.com,inbound,001,World,0.00472 +nzsale.co.nz,nzsale.co.nz,inbound,001,World,0 +oakley.com,oakley.com,inbound,001,World,0.000904 +ocadomail.com,ocadomail.com,inbound,001,World,0 +ocmail1.in,tcmail.in,inbound,001,World,0 +ocmail14.in,tcmailer5.in,inbound,001,World,0 +ocmail22.in,tcmailer15.in,inbound,001,World,0 +ocmail22.in,tcmailer4.in,inbound,001,World,0 +ocmail40.in,tcmailer15.in,inbound,001,World,0 +ocmail40.in,tcmailer4.in,inbound,001,World,0 +ocn.ad.jp,ocn.ad.jp,inbound,001,World,0 +ocn.ne.jp,ocn.ad.jp,inbound,001,World,0 +ocnmail.in,ocmail6.in,inbound,001,World,0 +ocnmail.in,tcmail3.in,inbound,001,World,0 +odisseias.com,emv4.net,inbound,001,World,0 +odnoklassniki.ru,odnoklassniki.ru,inbound,001,World,0 +ofertasbmc.com.br,ofertasbmc.com.br,inbound,001,World,0 +ofertasefacil.com.br,ofertasefacil.com.br,inbound,001,World,0 +ofertix.com,ofertix.com,inbound,001,World,0 +ofertop.pe,icommarketing.com,inbound,001,World,0 +offers.com,offers.com,inbound,001,World,1 +offerum.com,cccampaigns.com,inbound,001,World,0 +offerum.com,ccemails.com,inbound,001,World,0 +officedepot.com,officedepot.com,inbound,001,World,0.012483 +officemax.com,officemax.com,inbound,001,World,0 +officemax.com,officemaxworkplace.com,inbound,001,World,0 +ofsys.com,bulletin-metro.ca,inbound,001,World,0 +oknotify2.com,oknotify2.com,inbound,001,World,0 +oldnavy.ca,oldnavy.ca,inbound,001,World,0 +oldnavy.com,oldnavy.com,inbound,001,World,0 +olx.pt,fixeads.com,inbound,001,World,0 +olympiaedge.net,olympiaedge.net,inbound,001,World,0 +omahasteaks.com,omahasteaks.com,inbound,001,World,0.006139 +oneindia.in,infimail.com,inbound,001,World,0 +oneindia.in,mailurja.com,inbound,001,World,0 +onekingslane.com,onekingslane.com,inbound,001,World,0 +onepatriotplace.com,britecast.com,inbound,001,World,0 +onestopplus.com,neolane.net,inbound,001,World,0 +onetravelspecials.com,onetravelspecials.com,inbound,001,World,0.365386 +online.com,cnet.com,inbound,001,World,0 +onlive.com,ipost.com,inbound,001,World,0 +onmicrosoft.com,outlook.com,inbound,001,World,1 +onthecitymail.org,onthecitymail.org,inbound,001,World,1 +oo155.com,bsftransmit7.com,inbound,001,World,0 +oo155.com,oo155.com,inbound,001,World,0 +openstack.org,openstack.org,inbound,001,World,0.996884 +openstackmail.com,infimail.com,inbound,001,World,0 +opentable.com,opentable.com,inbound,001,World,0.000662 +opinionoutpost.com,opinionoutpost.com,inbound,001,World,0 +opinionsquare.com,opinionsquare.com,inbound,001,World,0 +oprah.com,oprah.com,inbound,001,World,0 +opticsplanet.com,opticsplanet.com,inbound,001,World,0 +optimusmail.in,iaires.com,inbound,001,World,0 +optonline.net,cv.net,inbound,001,World,0 +optonline.net,optonline.net,outbound,001,World,0 +orange.fr,orange.fr,inbound,001,World,0 +orange.fr,orange.fr,outbound,001,World,0 +orderscatalog.com,orderscatalog.com,inbound,001,World,0 +oriental-trading.com,oriental-trading.com,inbound,001,World,0 +oroscopofree.com,adsender.us,inbound,001,World,0 +oroscopofree.com,oroscopofree.com,inbound,001,World,0 +orsay.com,emp-mail.de,inbound,001,World,0 +os-email.com,os-email.com,inbound,001,World,0 +oshkoshbgosh.com,oshkoshbgosh.com,inbound,001,World,6e-06 +osu.edu,outlook.com,inbound,001,World,1 +otto.de,eccluster.com,inbound,001,World,1 +ouffer.com,ouffer.com,inbound,001,World,0.01022 +ourtime.com,seniorpeoplemeet.com,inbound,001,World,0 +outback.com,outback.com,inbound,001,World,0 +outlook.com,hotmail.{...},inbound,001,World,0.999929 +outlook.com,hotmail.{...},outbound,001,World,1 +outspot.be,teneo.be,inbound,001,World,0 +outspot.nl,teneo.be,inbound,001,World,0 +ovenmail.com,iaires.com,inbound,001,World,0 +overnightprints.com,chtah.net,inbound,001,World,0 +overstock.com,overstock.com,inbound,001,World,0 +ovh.net,ovh.net,inbound,001,World,0.207527 +ovuline.com,ovuline.com,inbound,001,World,1 +oxfam.org.uk,msgfocus.com,inbound,001,World,0 +ozsale.com.au,ozsale.com.au,inbound,001,World,0.000192 +p-world.co.jp,p-world.co.jp,inbound,001,World,0 +pagoda.com,zales.com,inbound,001,World,0 +pagseguro.com.br,uol.com.br,inbound,001,World,0 +pair.com,pair.com,inbound,001,World,0.880779 +palmscasinoresort.com,palmscasinoresort.com,inbound,001,World,0 +pampers.com,bfi0.com,inbound,001,World,0 +panasonic.jp,panasonic.jp,inbound,001,World,0 +pandaresearch.com,pandaresearch.com,inbound,001,World,0 +pandora.com,pandora.com,inbound,001,World,1 +pandora.net,pandora.net,inbound,001,World,0.999666 +panelplace.com,smtp.com,inbound,001,World,0 +panerabreadnews.com,panerabreadnews.com,inbound,001,World,0 +pantaloondirect.net,iaires.com,inbound,001,World,0 +papajohns-specials.com,papajohns-specials.com,inbound,001,World,0 +paradisepublishers.com,paradisepublishers.com,inbound,001,World,0.999626 +parents.com,meredith.com,inbound,001,World,0 +parkmobileglobal.com,parkmobile.us,inbound,001,World,0 +path.com,path.com,inbound,001,World,1 +patriotupdate.com,inboxfirst.com,inbound,001,World,0 +payback.de,artegic.net,inbound,001,World,0.999986 +payback.in,chtah.net,inbound,001,World,0 +payback.in,eccluster.com,inbound,001,World,0 +payback.in,ecm-cluster.com,inbound,001,World,0 +payback.in,ecmcluster.com,inbound,001,World,0 +paypal.co.uk,paypal.com,inbound,001,World,1 +paypal.com,paypal.com,inbound,001,World,0.608856 +paypal.com.au,paypal.com,inbound,001,World,1 +paypal.de,paypal.com,inbound,001,World,1 +paytm.com,paytm.com,inbound,001,World,1 +pbteen.com,pbteen.com,inbound,001,World,0 +pccomponentes.com,pccomponentes.com,inbound,001,World,0 +pch.com,ed10.com,inbound,001,World,0 +pchfrontpage.com,ed10.com,inbound,001,World,0 +pchlotto.com,ed10.com,inbound,001,World,0 +pchplayandwin.com,ed10.com,inbound,001,World,0 +pchsearch.com,ed10.com,inbound,001,World,0 +pcmag.com,ittoolbox.com,inbound,001,World,0 +pcworld.com,pcworld.com,inbound,001,World,0 +pd25.com,pd25.com,inbound,001,World,1 +pd25.com,pd27.com,inbound,001,World,1 +peanuthome.info,adopterc.info,inbound,001,World,0 +peanuthome.info,aguitytr.info,inbound,001,World,0 +peanuthome.info,bevest.info,inbound,001,World,0 +peanuthome.info,bluester.info,inbound,001,World,0 +peanuthome.info,burror.info,inbound,001,World,0 +peanuthome.info,bursion.info,inbound,001,World,0 +peanuthome.info,cantexi.info,inbound,001,World,0 +peanuthome.info,caserhi.info,inbound,001,World,0 +peanuthome.info,celect.info,inbound,001,World,0 +peanuthome.info,chintone.info,inbound,001,World,0 +peanuthome.info,citery.info,inbound,001,World,0 +peanuthome.info,cleathal.info,inbound,001,World,0 +peanuthome.info,coherentrequittal.info,inbound,001,World,0 +peanuthome.info,colicom.info,inbound,001,World,0 +peanuthome.info,complec.info,inbound,001,World,0 +peanuthome.info,cyprinoidkaiserdom.info,inbound,001,World,0 +peanuthome.info,deciarc.info,inbound,001,World,0 +peanuthome.info,declaws.info,inbound,001,World,0 +peanuthome.info,dewest.info,inbound,001,World,0 +peanuthome.info,epconce.info,inbound,001,World,0 +peanuthome.info,fnotec.info,inbound,001,World,0 +peanuthome.info,folkswor.info,inbound,001,World,0 +peanuthome.info,forepert.info,inbound,001,World,0 +peanuthome.info,gurgaro.info,inbound,001,World,0 +peanuthome.info,heallyps.info,inbound,001,World,0 +peanuthome.info,holeph.info,inbound,001,World,0 +peanuthome.info,homewor.info,inbound,001,World,0 +peanuthome.info,hydroni.info,inbound,001,World,0 +peanuthome.info,ingenbu.info,inbound,001,World,0 +peanuthome.info,kinklybotaurus.info,inbound,001,World,0 +peanuthome.info,ninetiethwhiffet.info,inbound,001,World,0 +peanuthome.info,unglibshudder.info,inbound,001,World,0 +peanutwebmaster.info,adcrent.info,inbound,001,World,0 +peanutwebmaster.info,addmiel.info,inbound,001,World,0 +peanutwebmaster.info,agilhe.info,inbound,001,World,0 +peanutwebmaster.info,allegap.info,inbound,001,World,0 +peanutwebmaster.info,andvore.info,inbound,001,World,0 +peanutwebmaster.info,angogl.info,inbound,001,World,0 +peanutwebmaster.info,animass.info,inbound,001,World,0 +peanutwebmaster.info,arettery.info,inbound,001,World,0 +peanutwebmaster.info,aribank.info,inbound,001,World,0 +peanutwebmaster.info,arkefoc.info,inbound,001,World,0 +peanutwebmaster.info,avenog.info,inbound,001,World,0 +peanutwebmaster.info,barrave.info,inbound,001,World,0 +peanutwebmaster.info,bindowmo.info,inbound,001,World,0 +peanutwebmaster.info,bitravit.info,inbound,001,World,0 +peanutwebmaster.info,borsand.info,inbound,001,World,0 +peanutwebmaster.info,branti.info,inbound,001,World,0 +peanutwebmaster.info,breaserp.info,inbound,001,World,0 +peanutwebmaster.info,bredogly.info,inbound,001,World,0 +peanutwebmaster.info,briantra.info,inbound,001,World,0 +peanutwebmaster.info,bridea.info,inbound,001,World,0 +peanutwebmaster.info,carial.info,inbound,001,World,0 +peanutwebmaster.info,castac.info,inbound,001,World,0 +peanutwebmaster.info,chedoner.info,inbound,001,World,0 +peanutwebmaster.info,chiquent.info,inbound,001,World,0 +peanutwebmaster.info,cinchoi.info,inbound,001,World,0 +peanutwebmaster.info,cliate.info,inbound,001,World,0 +peanutwebmaster.info,cognn.info,inbound,001,World,0 +peanutwebsite.info,abjibbin.info,inbound,001,World,0 +peanutwebsite.info,audiette.info,inbound,001,World,0 +peanutwebsite.info,blancer.info,inbound,001,World,0 +peanutwebsite.info,bluester.info,inbound,001,World,0 +peanutwebsite.info,burror.info,inbound,001,World,0 +peanutwebsite.info,bursion.info,inbound,001,World,0 +peanutwebsite.info,caserhi.info,inbound,001,World,0 +peanutwebsite.info,celect.info,inbound,001,World,0 +peanutwebsite.info,cleathal.info,inbound,001,World,0 +peanutwebsite.info,coherentrequittal.info,inbound,001,World,0 +peanutwebsite.info,complec.info,inbound,001,World,0 +peanutwebsite.info,condost.info,inbound,001,World,0 +peanutwebsite.info,cyprinoidkaiserdom.info,inbound,001,World,0 +peanutwebsite.info,deciarc.info,inbound,001,World,0 +peanutwebsite.info,declaws.info,inbound,001,World,0 +peanutwebsite.info,epconce.info,inbound,001,World,0 +peanutwebsite.info,ferrayer.info,inbound,001,World,0 +peanutwebsite.info,fnotec.info,inbound,001,World,0 +peanutwebsite.info,folkswor.info,inbound,001,World,0 +peanutwebsite.info,forepert.info,inbound,001,World,0 +peanutwebsite.info,gurgaro.info,inbound,001,World,0 +peanutwebsite.info,holeph.info,inbound,001,World,0 +peanutwebsite.info,homewor.info,inbound,001,World,0 +peanutwebsite.info,hydroni.info,inbound,001,World,0 +peanutwebsite.info,ingenbu.info,inbound,001,World,0 +peanutwebsite.info,kinklybotaurus.info,inbound,001,World,0 +peanutwebsite.info,ninetiethwhiffet.info,inbound,001,World,0 +pearlsofwealth.com,pearlsofwealth.com,inbound,001,World,1 +peartreegreetings.com,rexcraft.com,inbound,001,World,0 +peixeurbano.com.br,peixeurbano.com.br,inbound,001,World,0 +pennwell.com,pennwell.com,inbound,001,World,0 +pepabo.com,pepabo.com,inbound,001,World,0 +pepboys.com,pepboys.com,inbound,001,World,0 +peperoni.de,peperoni.de,inbound,001,World,1 +pepperfry.com,epidm.net,inbound,001,World,0 +perfectpriceindia.com,infimail.com,inbound,001,World,0 +perfectworld.com,perfectworld.com,inbound,001,World,0.000162 +perfora.net,perfora.net,inbound,001,World,0.920896 +permissionresearch.com,permissionresearch.com,inbound,001,World,0 +personalliberty.com,personalliberty.com,inbound,001,World,1 +personare.com.br,personare.com.br,inbound,001,World,0 +peytz.dk,peytz.dk,inbound,001,World,4e-06 +pga.com,pga.com,inbound,001,World,0 +pge.com,pge.com,inbound,001,World,0.149792 +pgeveryday.com,bfi0.com,inbound,001,World,0 +philosophy.com,philosophy.com,inbound,001,World,0 +phoenix.edu,phoenix.edu,inbound,001,World,0 +photobox.com,photobox.com,inbound,001,World,0 +photoprintit.com,photoprintit.com,inbound,001,World,0 +phpclasses.org,phpclasses.org,inbound,001,World,0 +phsmtpbox.com,phsmtpbox.com,inbound,001,World,0 +pia.jp,pia.jp,inbound,001,World,0 +pinger.com,pinger.com,inbound,001,World,0 +pinterest.com,pinterest.com,inbound,001,World,1 +pivotaltracker.com,pivotaltracker.com,inbound,001,World,1 +pixable.com,pixable.com,inbound,001,World,1 +pixum.com,pixum.com,inbound,001,World,0 +pizzahut.com,quikorder.com,inbound,001,World,0 +pizzahutoffers.com,pizzahutoffers.com,inbound,001,World,0 +placedestendances.com,placedestendances.com,inbound,001,World,0 +plaisio.gr,fagms.de,inbound,001,World,0 +planeo.com,planeo.com,inbound,001,World,0 +planeo.pt,planeo.pt,inbound,001,World,0 +playstation.com,playstation.com,inbound,001,World,0 +playstationmail.net,playstationmail.net,inbound,001,World,0 +playtika.com,emv8.com,inbound,001,World,0 +plexapp.com,plex.tv,inbound,001,World,1 +plumdistrict.com,plumdistrict.com,inbound,001,World,1 +pmailus.com,patrontechnology.com,inbound,001,World,0 +pnc.com,messagelabs.com,inbound,001,World,0.997194 +pnetweb.co.za,hosting.co.za,inbound,001,World,0 +pnetweb.co.za,salesnet.co.za,inbound,001,World,0 +pobox.com,pobox.com,inbound,001,World,0.975372 +pof.com,plentyoffish.co.uk,inbound,001,World,0 +pogo.com,pogo.com,inbound,001,World,0 +pointtown.com,gmo-media.jp,inbound,001,World,0 +poinx.com,poinx.com,inbound,001,World,0 +pokerstars.com,pokerstars.eu,inbound,001,World,0 +pokerstars.eu,pokerstars.eu,inbound,001,World,0 +pokupon.by,mailersend.com,inbound,001,World,0 +pokupon.ua,mailersend.com,inbound,001,World,0 +politicoemail.com,politicoemail.com,inbound,001,World,0 +polyvore.com,polyvore.com,inbound,001,World,1 +pontofrio.com.br,emv8.com,inbound,001,World,0 +popsugar.com,popsugar.com,inbound,001,World,0 +postcardfromhell.com,cyberthugs.com,inbound,001,World,1 +postgresql.org,postgresql.org,inbound,001,World,0.996805 +potterybarn.com,potterybarn.com,inbound,001,World,0 +potterybarnkids.com,potterybarnkids.com,inbound,001,World,0 +praca.pl,praca.pl,inbound,001,World,1 +pracuj.pl,pracuj.pl,inbound,001,World,0 +preferredpetclub.com,preferredpetclub.com,inbound,001,World,0 +presslaff.net,dat-e-baseonline.com,inbound,001,World,0 +pressmartmail.com,pressmartmail.com,inbound,001,World,0 +priceline.com,priceline.com,inbound,001,World,1 +princess.com,princess.com,inbound,001,World,0 +printvenue.com,fagms.de,inbound,001,World,0 +priorityoneemail.com,priorityoneemail.com,inbound,001,World,0 +privalia.com,privalia.com,inbound,001,World,3.94913202027326e-07 +private-elist.com,private-elist.com,inbound,001,World,0 +privoscite.si,privoscite.si,inbound,001,World,0 +profitcenteronline.com,groupdealtools.com,inbound,001,World,1 +progressive.com,progressive.com,inbound,001,World,0.897291 +progressiveagent.com,progressive.com,inbound,001,World,1 +promedmail.org,childrenshospital.org,inbound,001,World,1 +promod-news.fr,promod-news.com,inbound,001,World,0 +propertysolutions.com,propertysolutions.com,inbound,001,World,1 +prospectgeysercoop.com,prospectgeysercoop.com,inbound,001,World,1 +protopmail.com,protopmail.com,inbound,001,World,0 +providesupport.com,providesupport.com,inbound,001,World,0.000103 +proxyvote.com,adp-ics.com,inbound,001,World,0.908635 +psu.edu,psu.edu,inbound,001,World,0.073843 +pttplc.com,pttgrp.com,inbound,001,World,0 +publicators.com,publicators.com,inbound,001,World,0 +publix.com,publix.com,inbound,001,World,0.002567 +pucp.edu.pe,pucp.edu.pe,inbound,001,World,0.225541 +puffinmailer.com,zoothost.com,inbound,001,World,0 +pur3.net,pur3.net,inbound,001,World,0.001111 +purewow.com,purewow.com,inbound,001,World,0 +puritan.com,email-nbtyinc.com,inbound,001,World,0 +purlsmail.com,purlsmail.com,inbound,001,World,0 +pxsmail.com,pxsmail.com,inbound,001,World,0 +python.org,python.org,inbound,001,World,1 +q.com,synacor.com,inbound,001,World,0.999729 +qemailserver.com,qemailserver.com,inbound,001,World,0 +qoinpro.com,qoinpro.com,inbound,001,World,1 +qoo10.jp,qoo10.jp,inbound,001,World,2e-06 +qoo10.sg,qoo10.co.id,inbound,001,World,1.9e-05 +qoo10.sg,qoo10.com,inbound,001,World,0 +qoo10.sg,qoo10.my,inbound,001,World,2.2e-05 +qoo10.sg,qoo10.sg,inbound,001,World,8e-06 +qq.com,qq.com,inbound,001,World,0.999978 +qq.com,qq.com,outbound,001,World,1 +qtropnews.com,qtropnews.com,inbound,001,World,1.7e-05 +qualicorp.com.br,qualicorp.com.br,inbound,001,World,1 +quality.net.ua,quality.net.ua,inbound,001,World,0 +qualitysafelist.com,zoothost.com,inbound,001,World,0 +queopinas.com,confirmit.com,inbound,001,World,1 +quickbooks.com,intuit.com,inbound,001,World,0.99908 +quickrewards.net,quickrewards.net,inbound,001,World,0 +quikr.com,quikr.com,inbound,001,World,0.026599 +quinstreet.com,neoquin.com,inbound,001,World,0 +quora.com,quora.com,inbound,001,World,1 +quoramail.com,quoramail.com,inbound,001,World,1 +qvcemail.com,qvcemail.com,inbound,001,World,0 +r-project.org,ethz.ch,inbound,001,World,0.99999 +r51.it,musvc.com,inbound,001,World,0.092498 +r52.it,musvc.com,inbound,001,World,0.000221 +r57.it,musvc.com,inbound,001,World,0.139425 +r67.it,musvc.com,inbound,001,World,0.199845 +r70.it,musvc.com,inbound,001,World,0.311983 +rabota.ua,rabota.ua,inbound,001,World,0 +rackroom-email.com,rackroom-email.com,inbound,001,World,0 +radarsystems.net,radarsystems.net,inbound,001,World,1 +radiantretailapps.com,radiantretailapps.com,inbound,001,World,0 +radioshack.com,radioshack.com,inbound,001,World,0 +railcard-daysoutguide.co.uk,railcard-daysoutguide.co.uk,inbound,001,World,0 +rakuten.co.jp,rakuten.co.jp,inbound,001,World,0 +rakuten.co.jp,shareee.jp,inbound,001,World,0 +rakuten.co.jp,yahoo.co.jp,inbound,001,World,0 +rakuten.com,rakuten.com,inbound,001,World,0 +rakuten.ne.jp,rakuten.co.jp,inbound,001,World,0 +rambler.ru,rambler.ru,inbound,001,World,0.08173 +randomhouse.com,randomhouse.com,inbound,001,World,0 +rapattoni.com,rapmls.com,inbound,001,World,0 +ratedpeople.com,ratedpeople.com,inbound,001,World,0.000979 +rax.ru,rax.ru,inbound,001,World,0.000258 +razerzone.com,chtah.net,inbound,001,World,0 +rbc.com,rbc.com,inbound,001,World,0.001897 +rdio.com,rdio.com,inbound,001,World,1 +reactiveadz.com,downlinebuilderdirect.com,inbound,001,World,0 +realage-mail.com,postdirect.com,inbound,001,World,0 +realestate.com.au,realestate.com.au,inbound,001,World,0 +realtor.org,realtor.org,inbound,001,World,0 +realtytrac.com,realtytrac.com,inbound,001,World,0.001681 +realus.co.jp,realus.co.jp,inbound,001,World,0 +recipe.com,meredith.com,inbound,001,World,0 +recochoku.jp,recochoku.jp,inbound,001,World,0 +recruit.net,recruit.net,inbound,001,World,0 +redbox.com,exacttarget.com,inbound,001,World,0 +redbox.com,redbox.com,inbound,001,World,4e-06 +redcross.org.uk,redcross.org.uk,inbound,001,World,0 +redfin.com,redfin.com,inbound,001,World,0 +rediffmail.com,akadns.net,outbound,001,World,0 +rediffmail.com,rediffmail.com,inbound,001,World,0 +redtri.com,redtri.com,inbound,001,World,0 +reebokusnews.com,reebokusnews.com,inbound,001,World,0 +reebonz.com,ed10.com,inbound,001,World,0 +reebonz.com,reebonz.com,inbound,001,World,0.857615 +reed.co.uk,reed.co.uk,inbound,001,World,0 +regie11.net,odiso.net,inbound,001,World,0 +regionalhelpwanted.com,regionalhelpwanted.com,inbound,001,World,1 +registrar-servers.com,registrar-servers.com,inbound,001,World,0.053619 +registro.br,registro.br,inbound,001,World,0 +relax7.hu,gruppi.hu,inbound,001,World,0 +relianceada.com,relianceada.com,inbound,001,World,0.276515 +rent.com,rent.com,inbound,001,World,0.000397 +rentalcars.com,rentalcars.com,inbound,001,World,1 +renweb.com,renweb.com,inbound,001,World,0 +repica.jp,kakaku.com,inbound,001,World,0 +repica.jp,repica.jp,inbound,001,World,0 +republicwireless.com,republicwireless.com,inbound,001,World,0.033564 +research-panel.jp,research-panel.jp,inbound,001,World,0 +researchgate.net,researchgate.net,inbound,001,World,0 +responder.co.il,responder.co.il,inbound,001,World,1 +restorationhardware.com,restorationhardware.com,inbound,001,World,0 +retailjobinsider.com,retailjobinsider.com,inbound,001,World,0 +retailmenot.com,retailmenot.com,inbound,001,World,3.54930373308668e-07 +reverbnation.com,reverbnation.com,inbound,001,World,0 +revolutiongolf.com,revolutiongolf.com,inbound,001,World,0 +rewardme.in,bfi0.com,inbound,001,World,0 +reyrey.net,reyrey.net,inbound,001,World,0.946402 +ricardoeletro.com.br,allin.com.br,inbound,001,World,0 +richersoundsvip.com,ibwmail.com,inbound,001,World,0 +richyrichmailer.com,maddog-productions.info,inbound,001,World,1 +rightmove.com,rightmove.com,inbound,001,World,0 +rigzonemail.com,rigzonemail.com,inbound,001,World,0 +rikunabi.com,rikunabi.com,inbound,001,World,1e-05 +ringcentral.com,ringcentral.com,inbound,001,World,1 +ripleyperu.com.pe,icommarketing.com,inbound,001,World,0 +riseup.net,riseup.net,inbound,001,World,1 +rivamail.com,mailurja.com,inbound,001,World,0 +rmtr.de,rapidmail.de,inbound,001,World,0 +rnmk.com,rnmk.com,inbound,001,World,0 +roadrunner.com,rr.com,inbound,001,World,0.005479 +roamans.com,neolane.net,inbound,001,World,0 +rocketmail.com,yahoo.{...},inbound,001,World,1 +rocketmail.com,yahoodns.net,outbound,001,World,1 +rockpath.info,rockpath.info,inbound,001,World,1 +rockwellcollins.com,rockwellcollins.com,inbound,001,World,1 +rogers.com,yahoo.{...},inbound,001,World,1 +rogers.com,yahoodns.net,outbound,001,World,1 +rookiestewsemails.com,rookiestewsemails.com,inbound,001,World,0 +roulartamail.be,roulartamail.be,inbound,001,World,0 +royalcaribbeanmarketing.com,royalcaribbeanmarketing.com,inbound,001,World,0 +rpinow.org,app-info.net,inbound,001,World,0 +rpo9usa.email,rpo9usa.email,inbound,001,World,0 +rr.com,rr.com,inbound,001,World,0.008342 +rr.com,rr.com,outbound,001,World,0 +rsgsv.net,postini.com,inbound,001,World,0.093513 +rsgsv.net,rsgsv.net,inbound,001,World,0 +rsvpsv.net,rsvpsv.net,inbound,001,World,0 +rsvpsv.net,send.esp.br,inbound,001,World,0 +rsys2.com,amfam.com,inbound,001,World,0 +rsys2.com,cheaptickets.com,inbound,001,World,0 +rsys2.com,dishnetworkmail.com,inbound,001,World,0 +rsys2.com,e-comms.net,inbound,001,World,0 +rsys2.com,eharmony.com,inbound,001,World,0 +rsys2.com,fathead.com,inbound,001,World,0 +rsys2.com,intuit.com,inbound,001,World,0 +rsys2.com,kmart.com,inbound,001,World,0 +rsys2.com,kohlernews.com,inbound,001,World,0 +rsys2.com,lego.com,inbound,001,World,0 +rsys2.com,lenovo.com,inbound,001,World,0 +rsys2.com,modcloth.com,inbound,001,World,0 +rsys2.com,moxieinteractive.com,inbound,001,World,0 +rsys2.com,orbitz.com,inbound,001,World,0 +rsys2.com,payless.com,inbound,001,World,0 +rsys2.com,petsathome.com,inbound,001,World,0 +rsys2.com,quizzle.com,inbound,001,World,0 +rsys2.com,robeez.com,inbound,001,World,0 +rsys2.com,rsys1.com,inbound,001,World,0 +rsys2.com,rsys2.com,inbound,001,World,0 +rsys2.com,rsys3.com,inbound,001,World,0 +rsys2.com,rsys4.com,inbound,001,World,0 +rsys2.com,saucony.com,inbound,001,World,0 +rsys2.com,sears.com,inbound,001,World,0 +rsys2.com,shopbop.com,inbound,001,World,0 +rsys2.com,southwest.com,inbound,001,World,0 +rsys2.com,speeddatemail.com,inbound,001,World,0 +rsys2.com,thecompanystore.com,inbound,001,World,0 +rsys2.com,theknot.com,inbound,001,World,0 +rsys5.com,alibris.com,inbound,001,World,0 +rsys5.com,allstate-email.com,inbound,001,World,0 +rsys5.com,beachmint.com,inbound,001,World,0 +rsys5.com,belleandclive.com,inbound,001,World,0 +rsys5.com,br.dk,inbound,001,World,0 +rsys5.com,charlotterusse.com,inbound,001,World,0 +rsys5.com,comixology.com,inbound,001,World,0 +rsys5.com,cottonon.com,inbound,001,World,0 +rsys5.com,ediblearrangements.com,inbound,001,World,0 +rsys5.com,emailworldmarket.com,inbound,001,World,0 +rsys5.com,farfetch.com,inbound,001,World,0 +rsys5.com,frhiemailcommunications.com,inbound,001,World,0 +rsys5.com,harryanddavid.com,inbound,001,World,0 +rsys5.com,hollandandbarrett.com,inbound,001,World,0 +rsys5.com,icing.com,inbound,001,World,0 +rsys5.com,indigo.ca,inbound,001,World,0 +rsys5.com,jabong.com,inbound,001,World,0 +rsys5.com,jcrew.com,inbound,001,World,0 +rsys5.com,jjill.com,inbound,001,World,0 +rsys5.com,kanui.com.br,inbound,001,World,0 +rsys5.com,kirklands.com,inbound,001,World,0 +rsys5.com,lanebryant.com,inbound,001,World,0 +rsys5.com,lazada.com,inbound,001,World,0 +rsys5.com,leapfrog.com,inbound,001,World,0 +rsys5.com,llbean.com,inbound,001,World,0 +rsys5.com,lojascolombo.com.br,inbound,001,World,0 +rsys5.com,madewell.com,inbound,001,World,0 +rsys5.com,magazineluiza.com.br,inbound,001,World,0 +rsys5.com,missguided.co.uk,inbound,001,World,0 +rsys5.com,moma.org,inbound,001,World,0 +rsys5.com,nationalgeographic.com,inbound,001,World,0 +rsys5.com,neat.com,inbound,001,World,0 +rsys5.com,newbalance.com,inbound,001,World,0 +rsys5.com,news-voeazul.com.br,inbound,001,World,0 +rsys5.com,nordstrom.com,inbound,001,World,0 +rsys5.com,normthompson.com,inbound,001,World,0 +rsys5.com,novomundo.com.br,inbound,001,World,0 +rsys5.com,ourdeal.com.au,inbound,001,World,0 +rsys5.com,pier1.com,inbound,001,World,0 +rsys5.com,postini.com,inbound,001,World,0.0697 +rsys5.com,productmadness.com,inbound,001,World,0 +rsys5.com,rainbowshops.com,inbound,001,World,0 +rsys5.com,rei.com,inbound,001,World,0 +rsys5.com,roadrunnersports.com,inbound,001,World,0 +rsys5.com,rosettastone.com,inbound,001,World,0 +rsys5.com,seamless.com,inbound,001,World,0 +rsys5.com,serenaandlily.com,inbound,001,World,0 +rsys5.com,smiles.com.br,inbound,001,World,0 +rsys5.com,soubarato.com.br,inbound,001,World,0 +rsys5.com,strava.com,inbound,001,World,0 +rsys5.com,submarino.com.br,inbound,001,World,0 +rsys5.com,thewalkingcompany.com,inbound,001,World,0 +rsys5.com,tigerdirect.com,inbound,001,World,0 +rsys5.com,udemy.com,inbound,001,World,0 +rsys5.com,vitaminshoppe.com,inbound,001,World,0 +rsys5.com,vpusa.com,inbound,001,World,0 +rsys5.com,walmart.com.br,inbound,001,World,0 +rsys5.com,worldofwatches.com,inbound,001,World,0 +rsys5.com,xfinity.com,inbound,001,World,0 +rue21email.com,rue21email.com,inbound,001,World,0 +rueducommerce.com,groupe-rueducommerce.fr,inbound,001,World,0 +rummycirclemails.com,eccluster.com,inbound,001,World,0 +runkeeper.com,runkeeper.com,inbound,001,World,0 +runnet.jp,runnet.jp,inbound,001,World,0 +runtastic.com,runtastic.com,inbound,001,World,0 +rutenmail.com.tw,rutenmail.com.tw,inbound,001,World,0 +ruum.com,ruum.com,inbound,001,World,0 +ryanairmail.com,ryanairmail.com,inbound,001,World,0 +rzone.de,rzone.de,inbound,001,World,1 +s3s-br1.net,splio.com.br,inbound,001,World,0.908187 +s3s-main.net,splio.com,inbound,001,World,0.970428 +s4s-pl1.pl,splio.com,inbound,001,World,0.939032 +saavn.com,saavn.com,inbound,001,World,1 +safe-sender.net,safe-sender.net,inbound,001,World,0 +safelistextreme.com,quantumsafelist.com,inbound,001,World,0 +safelistpro.com,safelistpro.com,inbound,001,World,0.00014 +safeway.com,chtah.com,inbound,001,World,0 +safeway.com,safeway.com,inbound,001,World,0.000382 +sahibinden.com,sahibinden.com,inbound,001,World,0 +sailthru.com,sailthru.com,inbound,001,World,0 +saimails.in,infimail.com,inbound,001,World,0 +sainsburys.co.uk,emv5.com,inbound,001,World,0 +saisoncard.co.jp,saisoncard.co.jp,inbound,001,World,0 +saks.com,saks.com,inbound,001,World,0 +saksoff5th.com,saksoff5th.com,inbound,001,World,0 +sakura.ne.jp,sakura.ne.jp,inbound,001,World,0.640465 +salememail.net,salememail.net,inbound,001,World,0 +salesforce.com,postini.com,inbound,001,World,0.866057 +salesforce.com,salesforce.com,inbound,001,World,0.983322 +salesforce.com,salesforce.com,outbound,001,World,1 +salesmanago.pl,salesmanago.pl,inbound,001,World,0 +salliemae.com,salliemae.com,inbound,001,World,1 +salsalabs.net,salsalabs.net,inbound,001,World,0 +samashmusic.com,wc09.net,inbound,001,World,0 +samsclub.com,m0.net,inbound,001,World,0 +samsung.com,samsung.com,inbound,001,World,0.043941 +samsung.ru,samsung.ru,inbound,001,World,0 +samsungusa.com,samsungusa.com,inbound,001,World,0 +sanmina-sci.com,postini.com,inbound,001,World,0.999991 +sanmina.com,postini.com,inbound,001,World,0.9996 +sans.org,sans.org,inbound,001,World,0.497629 +santander.cl,santander.cl,inbound,001,World,0.999992 +santander.cl,santandersantiago.cl,inbound,001,World,1 +sapnetworkmail.com,sap-ag.de,inbound,001,World,1 +sapo.pt,sapo.pt,inbound,001,World,0.242839 +sapo.pt,sapo.pt,outbound,001,World,0 +saramin.co.kr,saramin.co.kr,inbound,001,World,0 +sassieshop.com,sassieshop.com,inbound,001,World,0.025887 +saturday.com,saturday.com,inbound,001,World,0 +savelivefresh.com,livesavemail.com,inbound,001,World,1 +savingdeals.in,infimail.com,inbound,001,World,0 +savingstar.com,savingstar.com,inbound,001,World,1 +sbcglobal.net,yahoo.{...},inbound,001,World,0.999991 +sbcglobal.net,yahoodns.net,outbound,001,World,1 +sbi.co.in,sbi.co.in,inbound,001,World,0 +sbr-inc.co.jp,hdemail.jp,inbound,001,World,0.000528 +sc.com,messagelabs.com,inbound,001,World,0.996156 +sc.com,sc.com,inbound,001,World,0.99683 +schwab.com,schwab.com,inbound,001,World,0.025055 +scmp.com,emarsys.net,inbound,001,World,0 +scoop.it,scoop.it,inbound,001,World,0 +scoopon.com.au,inxserver.de,inbound,001,World,1 +screwfix.info,fwdto.net,inbound,001,World,0 +sears.ca,sears.ca,inbound,001,World,0.005447 +searscard.com,searscard.com,inbound,001,World,1 +seaworld.com,seaworld.com,inbound,001,World,0 +secretescapes.com,secretescapes.com,inbound,001,World,0 +secure.ne.jp,secure.ne.jp,inbound,001,World,0.000356 +securence.com,securence.com,inbound,001,World,0.667957 +secureserver.net,secureserver.net,inbound,001,World,3.6e-05 +seek.com.au,seek.com.au,inbound,001,World,0 +seekingalpha.com,seekingalpha.com,inbound,001,World,1 +seekingalpha.com,sendgrid.net,inbound,001,World,1 +selectacast.net,selectacast.net,inbound,001,World,0.000561 +selection-priceminister.com,selection-priceminister.com,inbound,001,World,0 +semana.com,semana.com,inbound,001,World,0.005867 +senate.gov,senate.gov,inbound,001,World,0.992994 +sendearnings.com,sendearnings.com,inbound,001,World,0 +sender.lt,sritis.lt,inbound,001,World,0.000352 +sendgrid.info,sendgrid.net,inbound,001,World,0.999966 +sendgrid.me,sendgrid.net,inbound,001,World,1 +sendlane.com,sendlane.com,inbound,001,World,0 +sendpal.in,sendpal.in,inbound,001,World,0 +sendsmaily.info,sendsmaily.info,inbound,001,World,0 +seniorplanet.fr,seniorplanet.fr,inbound,001,World,0 +serpadres.es,chtah.net,inbound,001,World,0 +service-now.com,postini.com,inbound,001,World,0.988878 +service-now.com,service-now.com,inbound,001,World,0.998853 +serviciobancomer.com,serviciobancomer.com,inbound,001,World,0 +seznam.cz,seznam.cz,inbound,001,World,0.001781 +seznam.cz,seznam.cz,outbound,001,World,0.001741 +sfid01.com,sfid01.com,inbound,001,World,0 +sfimg.com,sfimarketing.com,inbound,001,World,0 +sfly.com,shutterfly.com,inbound,001,World,0 +sfr.fr,sfr.fr,inbound,001,World,0.236539 +sfr.fr,sfr.fr,outbound,001,World,0.004753 +shaadi.com,shaadi.com,inbound,001,World,0.000154 +shadowshopper.com,shadowshopper.com,inbound,001,World,5.6e-05 +shaw.ca,shaw.ca,inbound,001,World,0 +shaw.ca,shaw.ca,outbound,001,World,1 +sheplers.com,sheplers.com,inbound,001,World,0 +shiftplanning.com,shiftplanning.com,inbound,001,World,0 +shiksha.com,shiksha.com,inbound,001,World,0 +shinseibank.com,shinseibank.com,inbound,001,World,0 +shoedazzle.com,shoedazzle.com,inbound,001,World,0 +shoes.com,famousfootwear.com,inbound,001,World,0 +shop2gether.com.br,shop2gether.com.br,inbound,001,World,0 +shopbonton.com,shopbonton.com,inbound,001,World,0 +shopcluesemail.com,shopcluesemail.com,inbound,001,World,0 +shopcluesmail.com,shopcluesmail.com,inbound,001,World,0 +shophq.com,shophq.com,inbound,001,World,0 +shopjustice.com,shopjustice.com,inbound,001,World,0 +shopkick.com,shopkick.com,inbound,001,World,0 +shopko.com,shopko.com,inbound,001,World,0 +shopnineteenmails.in,iaires.com,inbound,001,World,0 +shoppersoptimum.ca,thindata.net,inbound,001,World,0 +shoppersstop.com,shoppersstop.com,inbound,001,World,0 +shoprite-email.com,email-mywebgrocer.com,inbound,001,World,0 +shoptime.com,shoptime.com,inbound,001,World,0 +shopto.net,shopto.net,inbound,001,World,1 +showingtime.com,showingtime.com,inbound,001,World,0 +showroomprive.com,showroomprive.be,inbound,001,World,0 +showroomprive.com,showroomprive.com,inbound,001,World,0.007102 +showroomprive.com,showroomprive.nl,inbound,001,World,0 +showroomprive.es,showroomprive.es,inbound,001,World,0 +showroomprive.it,showroomprive.pt,inbound,001,World,0 +showroomprive.pt,showroomprive.co.uk,inbound,001,World,0 +shtyle.fm,shtyle.fm,inbound,001,World,0 +shukatsu.jp,shukatsu.jp,inbound,001,World,0 +siella.jp,siella.jp,inbound,001,World,0.000199 +sierratradingpost.com,sierratradingpost.com,inbound,001,World,0.000885 +sigmabeauty.com,lstrk.net,inbound,001,World,1 +sii.cl,sii.cl,inbound,001,World,0 +simplesafelist.com,adminforfree.com,inbound,001,World,1 +simpletextadz.com,web-hosting.com,inbound,001,World,1 +simplyhired.com,simplyhired.com,inbound,001,World,0 +simplymarry.com,tbsl.in,inbound,001,World,0 +singsale.com.sg,singsale.com.sg,inbound,001,World,0 +siriusxm.com,xmradio.com,inbound,001,World,0 +sitecore-mailer.com,sendlabs.com,inbound,001,World,0 +sittercity.com,sittercity.com,inbound,001,World,0 +sixflags.com,sixflags.com,inbound,001,World,0 +skillpages-mailer.com,dynect.net,inbound,001,World,0 +skillpages-mailer.com,sendlabs.com,inbound,001,World,0 +skillpages-mailer.com,skillpagesmail.com,inbound,001,World,0 +sky.com,sky.com,inbound,001,World,8.8e-05 +skymall.com,skymall.com,inbound,001,World,0.001135 +skynet.be,belgacom.be,inbound,001,World,0.005903 +skype.com,delivery.net,inbound,001,World,0 +skype.com,skype.com,inbound,001,World,0 +skyscanner.net,skyscanner.net,inbound,001,World,1 +sld.cu,sld.cu,inbound,001,World,1 +slickdeals.net,slickdeals.net,inbound,001,World,4.9e-05 +slidesharemail.com,newslettergrid.com,inbound,001,World,1 +slidesharemail.com,slideshare.net,inbound,001,World,1 +slidesharemail.com,slidesharemail.com,inbound,001,World,1 +smartbrief.com,smartbrief.com,inbound,001,World,0 +smartdraw.com,smartdraw.com,inbound,001,World,0 +smartertravel.com,smartertravelmedia.com,inbound,001,World,0.021388 +smartphoneexperts.com,mailgun.net,inbound,001,World,1 +smartresponder.ru,smartresponder.ru,inbound,001,World,1 +smp.ne.jp,smp.ne.jp,inbound,001,World,0 +snagajob-email.com,snagajob-email.com,inbound,001,World,0 +snapdeal.com,snapdeal.com,inbound,001,World,0 +snapdealmail.in,snapdealmail.in,inbound,001,World,0 +snaphire.com,snaphire.com,inbound,001,World,0 +snapretail.com,snapretail.com,inbound,001,World,1 +socialappsmail.com,socialappsmail.com,inbound,001,World,1 +socialsex.biz,infinitypersonals.com,inbound,001,World,0 +sofmap.com,sofmap.com,inbound,001,World,0.0092 +softbank.jp,softbank.jp,inbound,001,World,0 +softbank.jp,softbank.jp,outbound,001,World,0 +softbank.ne.jp,softbank.ne.jp,inbound,001,World,0 +softbank.ne.jp,softbank.ne.jp,outbound,001,World,0 +solesociety.com,bronto.com,inbound,001,World,0 +solosenders.com,megasenders.com,inbound,001,World,8.2e-05 +solosenders.com,traxweb.org,inbound,001,World,0 +solveerrors.com,infimail.com,inbound,001,World,0 +soma.com,soma.com,inbound,001,World,0 +someecards.com,someecards.com,inbound,001,World,0 +songkick.com,songkick.com,inbound,001,World,1 +sony-latin.com,sony-latin.com,inbound,001,World,0.01735 +sony.com,sony.com,inbound,001,World,0.020225 +sony.jp,sony.jp,inbound,001,World,0.000654 +sonyentertainmentnetwork.com,sonyentertainmentnetwork.com,inbound,001,World,0 +sonyrewards.com,sonyrewards.com,inbound,001,World,0 +soundcloudmail.com,soundcloudmail.com,inbound,001,World,0.999996 +sourceforge.net,sourceforge.net,inbound,001,World,1 +sourcenext.info,sourcenext.info,inbound,001,World,0 +southwest.com,southwest.com,inbound,001,World,0 +sp.gov.br,sp.gov.br,inbound,001,World,0.485842 +spanishdict.com,spanishdict.com,inbound,001,World,0.002698 +spareroom.co.uk,spareroom.co.uk,inbound,001,World,1 +sparklist.com,sparklist.com,inbound,001,World,0 +sparkpeople.com,sparkpeople.com,inbound,001,World,0 +spartoo.com,spartoo.com,inbound,001,World,0 +spectersoft.com,spectersoft.com,inbound,001,World,0 +speedyrewards-email.com,speedyrewards-email.com,inbound,001,World,0 +spencersonline.com,spencersonline.com,inbound,001,World,0 +spiritairlines.com,ctd004.net,inbound,001,World,0 +spiritairlines.com,ctd005.net,inbound,001,World,0 +splitwise.com,splitwise.com,inbound,001,World,1 +sportlobster.com,sportlobster.com,inbound,001,World,1 +sportsdirect.com,sportsdirect.com,inbound,001,World,0 +sportsline.com,cbsig.net,inbound,001,World,1 +sportsmansguide.com,sportsmansguide.com,inbound,001,World,0.736903 +spotifymail.com,spotifymail.com,inbound,001,World,1 +sprint.com,m0.net,inbound,001,World,0 +sqlservercentral.com,sqlservercentral.com,inbound,001,World,0 +square-enix.com,messagelabs.com,inbound,001,World,0.004493 +squareup.com,squareup.com,inbound,001,World,0.986452 +ssgadm.com,ssg.com,inbound,001,World,0 +staffeazymailers.com,iaires.com,inbound,001,World,0 +stakemail.com,iaires.com,inbound,001,World,0 +stampmail.in,iaires.com,inbound,001,World,0 +standaard.be,vummail.be,inbound,001,World,0 +standardbank.co.za,standardbank.co.za,inbound,001,World,0 +stanford.edu,highwire.org,inbound,001,World,1 +stanford.edu,stanford.edu,inbound,001,World,0.93025 +stansberryresearch.com,stansberry-re.net,inbound,001,World,0 +stansberryresearch.com,stansberryresearch.com,inbound,001,World,0.001008 +staples-pt.com,1-hostingservice.com,inbound,001,World,0 +staples.co.uk,ncrwebhost.de,inbound,001,World,0 +staples.com,staples.com,inbound,001,World,0.00638 +starbucks.com,iphmx.com,inbound,001,World,0.999476 +starbucks.com,starbucks.com,inbound,001,World,0 +stardockcorporation.com,stardockcorporation.com,inbound,001,World,0 +stardockentertainment.info,stardockentertainment.info,inbound,001,World,0 +starsports.com,eccluster.com,inbound,001,World,0 +startribune.com,startribune.com,inbound,001,World,0.001728 +startwire.com,jobsreport.com,inbound,001,World,1 +startwire.com,startwire.com,inbound,001,World,1 +starwoodhotels.com,outlook.com,inbound,001,World,1 +state-of-the-art-mailer.com,futurebanners.net,inbound,001,World,0 +state.gov,state.gov,inbound,001,World,0 +statefarm.com,statefarm.com,inbound,001,World,1 +stayfriends.de,stayfriends.de,inbound,001,World,0 +steampowered.com,steampowered.com,inbound,001,World,1 +steinmart.com,steinmart.com,inbound,001,World,0 +stelladot.com,stelladot.com,inbound,001,World,0 +stepstone.de,stepstone.com,inbound,001,World,0.001689 +stevemadden.com,stevemadden.com,inbound,001,World,0 +stjobs.sg,st701.com,inbound,001,World,1 +stjude.org,stjude.org,inbound,001,World,0.006716 +strava.com,strava.com,inbound,001,World,1 +streetauthoritydaily.com,streetauthoritydaily.com,inbound,001,World,0 +streeteasy.com,streeteasy.com,inbound,001,World,0 +striata.com,striata.com,inbound,001,World,0 +stubhub.com,stubhub.com,inbound,001,World,1 +studentbeans.com,emv8.com,inbound,001,World,0 +stumblemail.com,stumblemail.com,inbound,001,World,1 +stylecareers.com,stylecareers.com,inbound,001,World,0 +suafaturanet.com.br,suafaturanet.com.br,inbound,001,World,0.995846 +subito.it,subito.it,inbound,001,World,0 +subscribe.ru,subscribe.ru,inbound,001,World,0 +subscribermail.com,subscribermail.com,inbound,001,World,0 +subtend.info,subtend.info,inbound,001,World,1 +subway.com,subway.com,inbound,001,World,0 +sungard.com,postini.com,inbound,001,World,0.499946 +sunwingvacationinfo.ca,sunwingvacationinfo.ca,inbound,001,World,1 +superbalist.com,sailthru.com,inbound,001,World,0 +superdeal.com.ua,mailersend.com,inbound,001,World,0 +superdrug.com,superdrug.com,inbound,001,World,0 +superjob.ru,superjob.ru,inbound,001,World,0 +supersafemailer.com,zoothost.com,inbound,001,World,0 +support-love.com,support-love.com,inbound,001,World,0 +supremelist.com,onlinehome-server.com,inbound,001,World,1 +surfmandelivery.com,surfmandelivery.com,inbound,001,World,0 +surlatable.com,surlatable.com,inbound,001,World,0 +surveyhelpcenter.com,jsmtp.net,inbound,001,World,0 +surveyjobopportunities.com,surveyjobopportunities.com,inbound,001,World,3.7e-05 +surveymonkey.com,surveymonkey.com,inbound,001,World,0 +surveysavvy.com,surveysavvy.com,inbound,001,World,0 +surveyspot.com,ssisurveys.com,inbound,001,World,0 +sut1.co.uk,sut1.co.uk,inbound,001,World,0.001789 +sut5.co.uk,sut5.co.uk,inbound,001,World,0 +swanson-vitamins.com,emv5.com,inbound,001,World,0 +sweepstakesalerts.com,sweepstakesalerts.com,inbound,001,World,0 +swimoutlet.com,isport.com,inbound,001,World,0 +sylectus.com,sylectus.com,inbound,001,World,0.361297 +sympatico.ca,hotmail.{...},inbound,001,World,1 +sympatico.ca,hotmail.{...},outbound,001,World,1 +synchronyfinancial.com,bigfootinteractive.com,inbound,001,World,0 +synergy360.jp,crmstyle.com,inbound,001,World,0 +t-online.de,t-online.de,inbound,001,World,1 +t-online.de,t-online.de,outbound,001,World,0.999939 +tadtopmails.com,tadtopmails.com,inbound,001,World,0 +taggedmail.com,taggedmail.com,inbound,001,World,0 +taipeifubon.com.tw,taipeifubon.com.tw,inbound,001,World,0 +taishinbank.com.tw,taishinbank.com.tw,inbound,001,World,0 +take2games.com,take2games.com,inbound,001,World,0 +talkmatch.com,talkmatch.com,inbound,001,World,0 +tamu.edu,tamu.edu,inbound,001,World,0.249656 +tanga.com,tanga.com,inbound,001,World,0 +tangeroutletsusa.com,bronto.com,inbound,001,World,0 +tanningmail.com,tanningmail.com,inbound,001,World,0 +tappingsolutionemail.com,tappingsolutionemail.com,inbound,001,World,0 +target-safelist.com,safelistpro.com,inbound,001,World,0.000215 +target.com,bigfootinteractive.com,inbound,001,World,0 +targetproblaster.com,targetproblaster.com,inbound,001,World,0 +targetx.com,targetx.com,inbound,001,World,0 +tarot.com,tarot.com,inbound,001,World,0 +tastefullysimpleparty.com,bigfootinteractive.com,inbound,001,World,0 +tasteofhome.com,tasteofhome.com,inbound,001,World,0 +tastingtable.com,tastingtable.com,inbound,001,World,0 +tatrabanka.sk,tatrabanka.sk,inbound,001,World,0 +taxi4sure.net,infimail.com,inbound,001,World,0 +tchibo.com.tr,euromsg.net,inbound,001,World,0 +tchibo.de,srv2.de,inbound,001,World,0.980445 +teach12.net,teach12.net,inbound,001,World,0 +teambuymail.com,teambuymail.com,inbound,001,World,0 +teamo.ru,teamo.ru,inbound,001,World,0 +teamsnap.com,teamsnap.com,inbound,001,World,1 +teamviewer.com,teamviewer.com,inbound,001,World,0 +teapartyinfo.org,teapartyinfo.org,inbound,001,World,0 +techgig.com,tbsl.in,inbound,001,World,0 +technolutions.net,technolutions.net,inbound,001,World,1 +techtarget.com,techtarget.com,inbound,001,World,0.001771 +telefonica.com,telefonica.com,inbound,001,World,0.998662 +telegraph.co.uk,telegraph.co.uk,inbound,001,World,0 +telenet.be,telenet-ops.be,inbound,001,World,0.000128 +teleportmyjob.com,clara.net,inbound,001,World,0 +telus.com,telus.com,inbound,001,World,0.000118 +telus.net,telus.net,inbound,001,World,0.006226 +templeandwebster.com.au,templeandwebster.com.au,inbound,001,World,5e-06 +ten24mail.com,ten24mail.com,inbound,001,World,0 +terra.com,terra.com,inbound,001,World,0.000463 +terra.com.br,terra.com,inbound,001,World,0 +terra.com.br,terra.com,outbound,001,World,0 +tesco.com,tesco.com,inbound,001,World,0 +testfunda.com,testfunda.com,inbound,001,World,0 +texasjobdepartment.com,texasjobdepartment.com,inbound,001,World,0 +textnow.me,textnow.me,inbound,001,World,0 +tgw.com,tgw.com,inbound,001,World,0 +theanimalrescuesite.com,theanimalrescuesite.com,inbound,001,World,0 +theatermania.com,wc09.net,inbound,001,World,0 +thebay.com,thebay.com,inbound,001,World,0 +thebodyshop-usa.com,email-bodyshop.com,inbound,001,World,0 +thebodyshop-usa.com,postdirect.com,inbound,001,World,0 +thecarousell.com,thecarousell.com,inbound,001,World,1 +thegrommet.com,lstrk.net,inbound,001,World,1 +theguardian.com,theguardian.com,inbound,001,World,0 +thehut.com,thehut.com,inbound,001,World,0 +theleadmagnet.com,your-server.de,inbound,001,World,1 +thelimited.com,thelimited.com,inbound,001,World,0 +themailbagsafelist.com,thomas-j-brown.com,inbound,001,World,0 +theoutnet.com,theoutnet.com,inbound,001,World,0 +thepamperedchef.com,thepamperedchef.com,inbound,001,World,0 +thephonehouse.es,splio.com,inbound,001,World,0.983578 +thephonehouse.es,splio.es,inbound,001,World,0.983266 +therealreal.com,email-realreal.com,inbound,001,World,0 +theskimm.com,theskimm.com,inbound,001,World,0 +thesource.ca,thesource.ca,inbound,001,World,0.00923 +thesovereigninvestor.com,sovereignsociety.com,inbound,001,World,0 +thewarehouse.co.nz,thewarehouse.co.nz,inbound,001,World,0 +thinkgeek.com,thinkgeek.com,inbound,001,World,1e-06 +thinkvidya.com,thinkvidya.com,inbound,001,World,0 +thirtyonegifts.com,thirtyonegifts.com,inbound,001,World,0 +thomascook.com,eccluster.com,inbound,001,World,0 +thoughtful-mind.com,thoughtful-mind.com,inbound,001,World,0 +thumbtack.com,thumbtack.com,inbound,001,World,1 +ticketmaster.com,ticketmaster.com,inbound,001,World,0.251337 +ticketmasterbiletix.com,ticketmasterbiletix.com,inbound,001,World,0 +ticketmonster.co.kr,ticketmonster.co.kr,inbound,001,World,0 +timehop.com,timehop.com,inbound,001,World,1 +timeout.com,ec-cluster.com,inbound,001,World,0 +timesjobs.com,tbsl.in,inbound,001,World,0 +timesjobsmail.com,tbsl.in,inbound,001,World,0 +timesofindia.com,indiatimes.com,inbound,001,World,0 +timewarnercable.com,bigfootinteractive.com,inbound,001,World,0 +timeweb.ru,timeweb.ru,inbound,001,World,1 +tinyletterapp.com,tinyletterapp.com,inbound,001,World,0 +tiscali.it,tiscali.it,outbound,001,World,0 +tmart.com,chtah.net,inbound,001,World,0 +tmp.com,tmpw.com,inbound,001,World,0 +tobi.com,messagebus.com,inbound,001,World,0 +tobizaru.jp,tobizaru.jp,inbound,001,World,0 +tocoo.jp,aics.ne.jp,inbound,001,World,0 +toluna.com,toluna.com,inbound,001,World,0 +tomtommailer.com,tomtommailer.com,inbound,001,World,0 +topface.com,topface.com,inbound,001,World,1e-06 +topica.com,topica-silver-y.com,inbound,001,World,0 +topqpon.si,topqpon.si,inbound,001,World,0 +topspin.net,topspin.net,inbound,001,World,1 +totaljobsmail.co.uk,totaljobsmail.co.uk,inbound,001,World,0 +touchbase2.com,infimail.com,inbound,001,World,0 +touchbase2.com,mailurja.com,inbound,001,World,0 +touchbasepro.com,touchbasepro.com,inbound,001,World,0 +tower.jp,tower.jp,inbound,001,World,0 +townhallmail.com,townhallmail.com,inbound,001,World,0 +townnews-mail.com,townnews-mail.com,inbound,001,World,0 +townsquaremedia.info,sailthru.com,inbound,001,World,0 +toysrus.com,epsl1.com,inbound,001,World,0 +trabajar.com,trabajo.org,inbound,001,World,0.999997 +trabalhar.com,trabajo.org,inbound,001,World,0.999994 +tradeloop.com,tradeloop.com,inbound,001,World,1 +trademe.co.nz,trademe.co.nz,inbound,001,World,0.991916 +trafficboostermailer.com,trafficboostermailer.com,inbound,001,World,1 +trafficleads2incomevm.com,zoothost.com,inbound,001,World,0 +trafficprolist.com,thomas-j-brown.com,inbound,001,World,0 +trafficwave.net,trafficwave.net,inbound,001,World,0 +transittraveljobinsider.com,transittraveljobinsider.com,inbound,001,World,0 +transportexchangegroup.com,transportexchangegroup.com,inbound,001,World,0.998703 +transversal.net,transversal.net,inbound,001,World,1 +travelchannel.com,travelchannel.com,inbound,001,World,0 +travelocity.com,travelocity.com,inbound,001,World,0.000194 +travelzoo.com,travelzoo.com,inbound,001,World,0 +travisperkins.co.uk,travisperkins.co.uk,inbound,001,World,0 +trclient.com,trclient.com,inbound,001,World,0 +treemall.com.tw,symphox.com,inbound,001,World,0 +trello.com,mandrillapp.com,inbound,001,World,1 +trialsmith.com,membercentral.com,inbound,001,World,0 +tricaemidia.com.br,tricaemidia.com.br,inbound,001,World,0 +triongames.com,triongames.com,inbound,001,World,0.085718 +tripadvisor.com,tripadvisor.com,inbound,001,World,0.000588 +tripit.com,tripit.com,inbound,001,World,0 +tripolis.com,tripolis.com,inbound,001,World,0 +trovit.com,trovit.com,inbound,001,World,0 +trulia.com,trulia.com,inbound,001,World,0 +tsite.jp,tsite.jp,inbound,001,World,0 +tsmmail.com,tsmmail.com,inbound,001,World,0 +tsutaya.co.jp,tsutaya.co.jp,inbound,001,World,0 +tucasa.com,grupodtm.com,inbound,001,World,0 +tuesdaymorningmail.com,tuesdaymorningmail.com,inbound,001,World,0 +tumblr.com,tumblr.com,inbound,001,World,1 +turbine.com,turbine.com,inbound,001,World,0.013592 +turkcell.com.tr,turkcell.com.tr,inbound,001,World,0.043492 +turner.com,cnn.com,inbound,001,World,0 +twe-safelist.com,adminforfree.com,inbound,001,World,1 +twitch.tv,justin.tv,inbound,001,World,0 +twitter.com,postini.com,inbound,001,World,0.765163 +twitter.com,twitter.com,inbound,001,World,0.999969 +twoomail.com,netlogmail.com,inbound,001,World,0 +twoomail.com,twoomail.com,inbound,001,World,0 +type.jp,type.jp,inbound,001,World,0 +u-shopping.com.tw,u-shopping.com.tw,inbound,001,World,0 +uber.com,uber.com,inbound,001,World,1 +ubi.com,ubi.com,inbound,001,World,0 +ubivox.com,ubivox.com,inbound,001,World,0.956275 +ubuntu.com,canonical.com,inbound,001,World,0.000129 +ucla.edu,ucla.edu,inbound,001,World,0.806204 +udnpaper.com,udnpaper.com,inbound,001,World,0.998858 +udnshopping.com,udnshopping.com,inbound,001,World,0 +uga.edu,outlook.com,inbound,001,World,1 +uhaul.com,uhaul.com,inbound,001,World,0.997947 +uhcmedicaresolutions.com,uhcmedicaresolutions.com,inbound,001,World,0 +uiuc.edu,illinois.edu,inbound,001,World,0.999815 +ukr.net,fwdcdn.com,inbound,001,World,1 +ukr.net,ukr.net,outbound,001,World,0.999992 +ulta.com,exacttarget.com,inbound,001,World,0 +ulta.com,ulta.com,inbound,001,World,0.034861 +ulteem.com,ulteem.com,inbound,001,World,0 +ultimateadsites.net,ultimateadsites.net,inbound,001,World,1 +umd.edu,umd.edu,inbound,001,World,0.021709 +umn.edu,umn.edu,inbound,001,World,0.966992 +umpiredigital.com,inboxmarketer.com,inbound,001,World,0 +unilever.com,mxlogic.net,inbound,001,World,1 +uniqlo-usa.com,uniqlo-usa.com,inbound,001,World,0 +united.com,coair.com,inbound,001,World,1 +united.com,united.com,inbound,001,World,0 +unitedrepublic.org,unitedrepublic.org,inbound,001,World,1 +universalorlando.com,universalorlando.com,inbound,001,World,0 +unosinsidersclub.com,unosinsidersclub.com,inbound,001,World,0 +unrollmail.com,unrollmail.com,inbound,001,World,1 +uol.com.br,uol.com.br,inbound,001,World,0 +uol.com.br,uol.com.br,outbound,001,World,0 +upenn.edu,upenn.edu,inbound,001,World,0.16521 +upromise.com,delivery.net,inbound,001,World,0 +ups.com,ups.com,inbound,001,World,0.997955 +urbanoutfitters.com,freepeople.com,inbound,001,World,0 +urx.com.br,urx.com.br,inbound,001,World,0 +usaa.com,usaa.com,inbound,001,World,0.639434 +usafisnews.org,usafisnews.org,inbound,001,World,0 +usahockey-email.com,usahockey-email.com,inbound,001,World,0 +usajobs.gov,opm.gov,inbound,001,World,0.931948 +usc.edu,usc.edu,inbound,001,World,0.300314 +uscourts.gov,uscourts.gov,inbound,001,World,0 +uslargestsafelist.com,zoothost.com,inbound,001,World,0 +usndr.com,unisender.com,inbound,001,World,1 +usndr.com,usndr.com,inbound,001,World,1 +usp.br,usp.br,inbound,001,World,0.044176 +usps.com,usps.gov,inbound,001,World,0.909588 +usps.gov,usps.gov,inbound,001,World,0.940315 +ustream.tv,mailgun.net,inbound,001,World,1 +ustream.tv,mailgun.us,inbound,001,World,1 +usx.com.br,uqx.com.br,inbound,001,World,0 +usx.com.br,usx.com.br,inbound,001,World,0 +usx.com.br,utx.com.br,inbound,001,World,0 +utfsm.cl,utfsm.cl,inbound,001,World,0.002318 +utilitiesjobinsider.com,utilitiesjobinsider.com,inbound,001,World,0 +utx.com.br,utx.com.br,inbound,001,World,0 +uvarosa.com.br,uvarosa.com.br,inbound,001,World,0 +vacationstogo.com,vacationstogo.com,inbound,001,World,0 +vagas.com.br,vagas.com.br,inbound,001,World,0 +vakifbank.com.tr,vakifbank.com.tr,inbound,001,World,1 +valuedopinions.co.uk,researchnow-usa.com,inbound,001,World,1 +vanheusenrewards.com,vanheusenrewards.com,inbound,001,World,0 +vd.nl,emsecure.net,inbound,001,World,0 +velocityfrequentflyer.com,virginaustralia.com,inbound,001,World,0.003442 +venca.es,eccluster.com,inbound,001,World,0 +venere.com,kiwari.com,inbound,001,World,0 +vente-exclusive.com,vente-exclusive.com,inbound,001,World,0.000463 +venteprivee.com,venteprivee.com,inbound,001,World,0 +venusswimwear.net,venusswimwear.net,inbound,001,World,0 +verabradleymail.com,verabradleymail.com,inbound,001,World,0 +verizon.com,verizon.com,inbound,001,World,0.999793 +verizon.net,verizon.net,inbound,001,World,0.00713 +verizon.net,verizon.net,outbound,001,World,0 +verizon.net,yahoo.{...},inbound,001,World,0.999435 +verizonwireless.com,verizonwireless.com,inbound,001,World,0.972245 +vfoutletvip.com,vfoutletvip.com,inbound,001,World,0 +vhmnetworkemail.com,jobdiagnosis.com,inbound,001,World,0 +viagogo.com,chtah.net,inbound,001,World,0 +viajanet.com.br,viajanet.com.br,inbound,001,World,0.001345 +vicinity.nl,picsrv.net,inbound,001,World,0.022107 +victoriassecret.com,victoriassecret.com,inbound,001,World,0 +videotron.ca,videotron.ca,inbound,001,World,0.005886 +vietcombank.com.vn,vietcombank.com.vn,inbound,001,World,1 +vikingrivercruises.com,bfi0.com,inbound,001,World,0 +vimeo.com,vimeo.com,inbound,001,World,0 +vindale.com,vindale.com,inbound,001,World,0 +vipvoice.com,npdor.com,inbound,001,World,0 +viraladmagnet.com,viraladmagnet.com,inbound,001,World,1 +viralsender.com,viralsender.com,inbound,001,World,0 +virgilio.it,virgilio.net,inbound,001,World,0 +virginia.edu,virginia.edu,inbound,001,World,0.055153 +virtualtarget.com.br,virtualtarget.com.br,inbound,001,World,0 +vistaprint.com,vistaprint.com,inbound,001,World,0 +vistaprint.com.au,vistaprint.com.au,inbound,001,World,0 +visualsoft.co.uk,visualsoft.co.uk,inbound,001,World,0 +vitacost.com,vitacost.com,inbound,001,World,0 +vitaladviews.com,zoothost.com,inbound,001,World,0 +vitaminworld.com,email-nbtyinc.com,inbound,001,World,0 +vivastreet.com,viwii.net,inbound,001,World,0 +vk.com,vkontakte.ru,inbound,001,World,0 +vocus.com,vocus.com,inbound,001,World,0 +vodafone.com,vodafone.in,inbound,001,World,0.617518 +vonage.com,vonagenetworks.net,inbound,001,World,0.006531 +votervoice.net,votervoice.net,inbound,001,World,0 +vouchercloud.com,vouchercloud.com,inbound,001,World,0 +vovici.com,vovici.com,inbound,001,World,0 +voyageprive.com,cccampaigns.net,inbound,001,World,0 +voyageprive.es,ccmdcampaigns.net,inbound,001,World,0 +voyageprive.it,ccmdcampaigns.net,inbound,001,World,0 +voyages-sncf.com,neolane.net,inbound,001,World,0 +vpass.ne.jp,clickmailer.jp,inbound,001,World,0 +vpcontact.com,vpcontact.com,inbound,001,World,0 +vresp.com,verticalresponse.com,inbound,001,World,0 +vt.edu,vt.edu,inbound,001,World,0.978548 +vtext.com,vtext.com,inbound,001,World,0 +vtext.com,vtext.com,outbound,001,World,1 +vudu.com,vudu.com,inbound,001,World,0 +vueling.com,vueling.com,inbound,001,World,0 +vuezone.com,vuezone.com,inbound,001,World,0 +vzwpix.com,vtext.com,inbound,001,World,0 +wagjag.com,wagjag.com,inbound,001,World,0 +walgreens.com,walgreens.com,inbound,001,World,0.006128 +wallst.com,wallst.com,inbound,001,World,0 +wallstreetdaily.com,wallstreetdaily.com,inbound,001,World,0 +walmart.ca,walmart.ca,inbound,001,World,0 +walmart.com,walmart.com,inbound,001,World,0.315059 +wanadoo.fr,orange.fr,inbound,001,World,0 +wanadoo.fr,orange.fr,outbound,001,World,0 +warehouselogisticsjobinsider.com,warehouselogisticsjobinsider.com,inbound,001,World,0 +waterstones.com,waterstones.com,inbound,001,World,0 +wattpad.com,wattpad.com,inbound,001,World,1 +waves-audio.com,emv8.com,inbound,001,World,0 +way2movies.net,way2movies.net,inbound,001,World,0 +way2sms.biz,way2sms.biz,inbound,001,World,0 +way2sms.in,way2sms.in,inbound,001,World,0 +way2smsemail.com,way2smsemail.com,inbound,001,World,0 +way2smsemails.com,way2smsemails.com,inbound,001,World,0 +way2smsmail.in,way2smsmail.in,inbound,001,World,0 +way2smsmails.com,way2smsmails.com,inbound,001,World,0 +wayfair.com,csnstores.com,inbound,001,World,0 +wealthyaffiliate.com,wealthyaffiliate.com,inbound,001,World,1 +web.de,web.de,inbound,001,World,0.999986 +web.de,web.de,outbound,001,World,1 +webcas.net,webcas.net,inbound,001,World,0 +webmd.com,webmd.com,inbound,001,World,2e-06 +webs.com,epsl1.com,inbound,001,World,0 +websaver.ca,websaver.ca,inbound,001,World,0 +websitesettings.com,stabletransit.com,inbound,001,World,0 +websitewelcome.com,websitewelcome.com,inbound,001,World,1 +webstars2k.com,webstars2k.com,inbound,001,World,1 +wechat.com,qq.com,inbound,001,World,1 +weebly.com,weeblymail.com,inbound,001,World,0 +wegottickets.com,wegottickets.com,inbound,001,World,0 +weheartit.com,weheartit.com,inbound,001,World,1 +wehkamp.nl,wehkamp.nl,inbound,001,World,0 +wellsfargo.com,wellsfargo.com,inbound,001,World,1.0 +wellsfargoadvisors.com,wellsfargo.com,inbound,001,World,1 +wemakeprice.com,wemakeprice.com,inbound,001,World,0 +westelm.com,westelm.com,inbound,001,World,0 +westmarine.com,westmarine.com,inbound,001,World,0 +westwing.com.br,cust-cluster.com,inbound,001,World,0 +westwing.es,ecm-cluster.com,inbound,001,World,0 +westwing.ru,ecm-cluster.com,inbound,001,World,0 +wetransfer.com,wetransfer.com,inbound,001,World,0.999751 +wetsealnewsletter.com,wetsealnewsletter.com,inbound,001,World,0 +wgbh.org,wgbh.org,inbound,001,World,0 +whaakky.com,whaakky.com,inbound,001,World,0 +whatcounts.com,wc09.net,inbound,001,World,0 +whentowork.com,whentowork.com,inbound,001,World,0 +whereareyounow.com,wayn.net,inbound,001,World,0 +whitehouse.gov,whitehouse.gov,inbound,001,World,0 +whitelabelpros.com,whitelabelpros.com,inbound,001,World,0 +wiggle.com,wiggle.com,inbound,001,World,0 +wikia.com,wikia.com,inbound,001,World,0.550228 +wikimedia.org,wikimedia.org,inbound,001,World,0 +william-reed.com,neolane.net,inbound,001,World,0 +williamhill.com,williamhill.com,inbound,001,World,0 +williams-sonoma.com,williams-sonoma.com,inbound,001,World,0 +windstream.net,windstream.net,inbound,001,World,0.002172 +wine.com,wine.com,inbound,001,World,0 +winkalmail.com,fnbox.com,inbound,001,World,0 +wisdomitservices.com,infimail.com,inbound,001,World,0 +wldemail-mailer.com,wldemail.com,inbound,001,World,0 +wldemail.com,emarsys.net,inbound,001,World,0 +wmtransfer.com,wmtransfer.com,inbound,001,World,0 +wnd.com,emv4.net,inbound,001,World,0 +wnd.com,worldnetdaily.com,inbound,001,World,0 +wolfmedia.us,wolfmedia.us,inbound,001,World,0 +womanwithin.com,womanwithin.com,inbound,001,World,0 +woodforest.com,woodforest.com,inbound,001,World,1 +wordfly.com,wordfly.com,inbound,001,World,0 +work.ua,work.ua,inbound,001,World,1 +workcircle.com,workcircle.net,inbound,001,World,0 +workhunter.net,workhunter.net,inbound,001,World,1 +workingincanada.gc.ca,sdc-dsc.gc.ca,inbound,001,World,0 +worldsingles.co,worldsingles.com,inbound,001,World,0 +worldwinner.com,worldwinner.com,inbound,001,World,0.112191 +wotif.com,whatcounts.com,inbound,001,World,0 +wowcher.co.uk,wowcher.co.uk,inbound,001,World,0.000373 +wp.com,wordpress.com,inbound,001,World,0 +wp.pl,wp.pl,inbound,001,World,0.998027 +wp.pl,wp.pl,outbound,001,World,1 +wpengine.com,wpengine.com,inbound,001,World,1 +writers-community.com,writers-community.com,inbound,001,World,0 +writersstore.com,writersstore.com,inbound,001,World,0 +wsjemail.com,wsjemail.com,inbound,001,World,0 +wuaki.tv,chtah.net,inbound,001,World,0 +wustl.edu,app-info.net,inbound,001,World,0 +wwe.com,wwe.com,inbound,001,World,8e-06 +www.gov.tw,hinet.net,inbound,001,World,8e-05 +wyndhamhotelgroup.com,wyndhamhotelgroup.com,inbound,001,World,0 +xbox.com,xbox.com,inbound,001,World,0 +xcelenergy-emailnews.com,xcelenergy-emailnews.com,inbound,001,World,0 +xen.org,xen.org,inbound,001,World,1 +xing.com,xing.com,inbound,001,World,0 +xmailix.com,xmailix.com,inbound,001,World,0 +xmeeting.com,xmeeting.com,inbound,001,World,1 +xmr3.com,messagereach.com,inbound,001,World,0.999933 +xoom.com,xoom.com,inbound,001,World,0 +xpnews.com.br,xpnews.com.br,inbound,001,World,1 +xxxconnect.com,infinitypersonals.com,inbound,001,World,0 +yahoo-inc.com,yahoo.{...},inbound,001,World,0.999974 +yahoo.co.jp,yahoo.co.jp,inbound,001,World,1.5e-05 +yahoo.co.jp,yahoo.co.jp,outbound,001,World,0 +yahoo.{...},postini.com,inbound,001,World,0.767368 +yahoo.{...},yahoo.co.jp,inbound,001,World,0 +yahoo.{...},yahoo.{...},inbound,001,World,0.999416 +yahoo.{...},yahoodns.net,outbound,001,World,1 +yahoogroups.com,yahoodns.net,outbound,001,World,1 +yakala.co,euromsg.net,inbound,001,World,0 +yammer.com,yammer.com,inbound,001,World,1 +yandex.ru,yandex.net,inbound,001,World,0.999698 +yandex.ru,yandex.ru,outbound,001,World,1 +yapikredi.com.tr,yapikredi.com.tr,inbound,001,World,1 +yapstone.com,yapstone.com,inbound,001,World,0 +yelp.com,yelpcorp.com,inbound,001,World,0 +yesbank.in,yesbank.in,inbound,001,World,0.108676 +yipit.com,yipit.com,inbound,001,World,1 +ymail.com,yahoo.{...},inbound,001,World,1 +ymail.com,yahoodns.net,outbound,001,World,1 +ymlpserver.net,ymlpserver.net,inbound,001,World,0 +ymlpsrv.net,ymlpsrv.net,inbound,001,World,0 +yodobashi.com,yodobashi.com,inbound,001,World,0 +yoox.com,yoox.com,inbound,001,World,0 +youmail.com,youmail.com,inbound,001,World,0 +youravon.com,email-avonglobal.com,inbound,001,World,0 +youreletters3.com,equitymaster.com,inbound,001,World,0 +yourezads.com,yourezads.com,inbound,001,World,0.002974 +yourezlist.com,simplicityads.com,inbound,001,World,9.5e-05 +yourhostingaccount.com,yourhostingaccount.com,inbound,001,World,0 +yournewsletters.net,everydayhealth.com,inbound,001,World,0 +youversion.com,youversion.com,inbound,001,World,1 +zacks.com,zacks.com,inbound,001,World,0.999188 +zalando.be,fagms.de,inbound,001,World,0 +zalando.dk,fagms.de,inbound,001,World,0 +zalando.fi,fagms.de,inbound,001,World,0 +zalando.it,fagms.de,inbound,001,World,0 +zalando.nl,fagms.de,inbound,001,World,0 +zalando.pl,fagms.de,inbound,001,World,0 +zappos.com,zappos.com,inbound,001,World,0.626758 +zara.com,cheetahmail.com,inbound,001,World,0 +zattoo.com,sendnode.com,inbound,001,World,0 +zelonews.com.br,zelonews.com.br,inbound,001,World,0 +zendesk.com,zdsys.com,inbound,001,World,1 +zgalleriestyle.com,zgalleriestyle.com,inbound,001,World,0 +zibmail.info,zibmail.info,inbound,001,World,2e-06 +zillow.com,zillow.com,inbound,001,World,2.82542783334609e-07 +zinio.com,zinio.com,inbound,001,World,0.006193 +zinio.net,zinio.com,inbound,001,World,1 +zipalerts.com,sendgrid.net,inbound,001,World,1 +zipalerts.com,zipalerts.com,inbound,001,World,1 +ziprealty.com,ziprealty.com,inbound,001,World,0.994545 +ziprecruiter.com,ziprecruiter.com,inbound,001,World,1 +zivamewear.com,infimail.com,inbound,001,World,0 +zizigo.com,euromsg.net,inbound,001,World,0 +zlavadna.sk,zlavadna.sk,inbound,001,World,0 +zoom.com.br,zoom.com.br,inbound,001,World,0 +zoominternet.net,synacor.com,inbound,001,World,0 +zoosk.com,zoosk.com,inbound,001,World,0 +zoothost.com,zoothost.com,inbound,001,World,0.107168 +zorpia.com,zorpia.com,inbound,001,World,0.56104 +zovifashion.com,eccluster.com,inbound,001,World,0 +zulily.com,zulily.com,inbound,001,World,0 +zumzi.com,neogen.ro,inbound,001,World,0 +zumzi.com,zumzi.com,inbound,001,World,0 +zyngamail.com,zyngamail.com,inbound,001,World,0 +zzounds.com,zzounds.com,inbound,001,World,0 +careers24.com,careers24.com,inbound,002,Africa,0 +cpm.co.ma,cpm.co.ma,inbound,002,Africa,0 +fnb.co.za,fnb.co.za,inbound,002,Africa,0 +gmail.com,telkomadsl.co.za,inbound,002,Africa,0.999989 +gmail.com,vodacom.co.za,inbound,002,Africa,1 +gtbank.com,gtbank.com,inbound,002,Africa,0.056121 +pnetweb.co.za,hosting.co.za,inbound,002,Africa,0 +pnetweb.co.za,salesnet.co.za,inbound,002,Africa,0 +bigpond.com,bigpond.com,inbound,009,Oceania,0 +bigpond.com,bigpond.com,outbound,009,Oceania,1 +empoweredcomms.com.au,empoweredcomms.com.au,inbound,009,Oceania,0 +gmail.com,bigpond.net.au,inbound,009,Oceania,0.999907 +gmail.com,iinet.net.au,inbound,009,Oceania,0.966945 +gmail.com,optusnet.com.au,inbound,009,Oceania,0.992845 +gmail.com,tpgi.com.au,inbound,009,Oceania,0.999648 +mbounces.com,emdbms.com,inbound,009,Oceania,0 +realestate.com.au,realestate.com.au,inbound,009,Oceania,0 +snaphire.com,snaphire.com,inbound,009,Oceania,0 +trademe.co.nz,trademe.co.nz,inbound,009,Oceania,0.991916 +1-day.co.nz,1-day.co.nz,inbound,019,Americas,0 +12manage.com,netarrest.com,inbound,019,Americas,0.99998 +1800petmeds.com,1800petmeds.com,inbound,019,Americas,0.00599 +2touchbase.com,infimail.com,inbound,019,Americas,0 +4wheelparts.com,4wheelparts.com,inbound,019,Americas,0 +99acres.com,99acres.com,inbound,019,Americas,0 +aafes.com,aafes.com,inbound,019,Americas,0 +abercrombie-email.com,abercrombie-email.com,inbound,019,Americas,0 +abercrombiekids-email.com,abercrombie-email.com,inbound,019,Americas,0 +about.com,about.com,inbound,019,Americas,0 +about.com,sailthru.com,inbound,019,Americas,0 +acemserv.com,acemserv.com,inbound,019,Americas,0 +activesafelist.com,zoothost.com,inbound,019,Americas,0 +adidasusnews.com,adidasusnews.com,inbound,019,Americas,0 +adjockeys.com,thomas-j-brown.com,inbound,019,Americas,0 +admastersafelist.com,zoothost.com,inbound,019,Americas,0 +adorama.com,adorama.com,inbound,019,Americas,0 +adpirate.net,thomas-j-brown.com,inbound,019,Americas,0 +adtpulse.com,adtpulse.com,inbound,019,Americas,0 +ae.com,ae.com,inbound,019,Americas,0 +aexp.com,aexp.com,inbound,019,Americas,1 +affairalert.com,iverificationsystems.com,inbound,019,Americas,0 +agorafinancial.com,agorafinancial.com,inbound,019,Americas,0 +airbnb.com,airbnb.com,inbound,019,Americas,0.867975 +airbrake.io,mailgun.net,inbound,019,Americas,1 +airfarewatchdog.com,smartertravelmedia.com,inbound,019,Americas,0.012002 +airmiles.ca,bigfootinteractive.com,inbound,019,Americas,0 +akcijatau.lt,akcijatau.lt,inbound,019,Americas,0 +alarm.com,alarm.com,inbound,019,Americas,0 +alarmnet.com,alarmnet.com,inbound,019,Americas,0 +alaskaair.com,alaskaair.com,inbound,019,Americas,0 +alertid.com,alertid.com,inbound,019,Americas,0 +allheart.com,allheart.com,inbound,019,Americas,0 +allmodern.com,allmodern.com,inbound,019,Americas,0 +allout.org,allout.org,inbound,019,Americas,1 +allrecipes.com,allrecipes.com,inbound,019,Americas,0 +allstate.com,rsys1.com,inbound,019,Americas,0 +alm.com,sailthru.com,inbound,019,Americas,0 +alumniclass.com,alumniclass.com,inbound,019,Americas,0 +alumniconnections.com,alumniconnections.com,inbound,019,Americas,0 +amazon.{...},postini.com,inbound,019,Americas,0.658136 +amazonses.com,postini.com,inbound,019,Americas,0.733998 +americanas.com,americanas.com,inbound,019,Americas,0 +americanbar.org,abanet.org,inbound,019,Americas,0.00574 +amubm.com,amubm.com,inbound,019,Americas,1 +ancestry.com,ancestry.com,inbound,019,Americas,0 +angelbroking.in,infimail.com,inbound,019,Americas,0 +anghami.com,mailgun.net,inbound,019,Americas,1 +anthropologie.com,freepeople.com,inbound,019,Americas,0 +aol.com,aol.com,inbound,019,Americas,0.999528 +aol.com,aol.com,outbound,019,Americas,0.999984 +aol.com,sailthru.com,inbound,019,Americas,0 +aol.net,aol.com,inbound,019,Americas,1 +apache.org,apache.org,inbound,019,Americas,0 +apnacomplex.com,apnacomplex.com,inbound,019,Americas,0.999981 +apply-4-jobs.com,apply-4-jobs.com,inbound,019,Americas,0 +aptmail.in,mailurja.com,inbound,019,Americas,0 +arcamax.com,arcamax.com,inbound,019,Americas,1.4e-05 +aritzia.com,aritzia.com,inbound,019,Americas,0 +armaniexchange.com,bronto.com,inbound,019,Americas,0 +asadventure.com,asadventure.com,inbound,019,Americas,0 +asana.com,asana.com,inbound,019,Americas,1 +ashleymadison.com,ashleymadison.com,inbound,019,Americas,1 +asos.com,asos.com,inbound,019,Americas,0 +assembla.com,assembla.com,inbound,019,Americas,1 +astrology.com,astrology.com,inbound,019,Americas,0 +astrology.com,hsnlmailsvc.com,inbound,019,Americas,0 +astrology.com,webstakes.com,inbound,019,Americas,0 +astrology.com,wsafmailsvc.com,inbound,019,Americas,0 +atlassian.net,uc-inf.net,inbound,019,Americas,1 +atrapalo.cl,atrapalo.com,inbound,019,Americas,0 +atrapalo.com,atrapalo.com,inbound,019,Americas,0 +att-mail.com,att-mail.com,inbound,019,Americas,1.9e-05 +att-mail.com,att.com,inbound,019,Americas,0.999966 +att.net,att.net,outbound,019,Americas,0.204629 +att.net,mycingular.net,inbound,019,Americas,0.00021 +att.net,yahoo.{...},inbound,019,Americas,1 +australiagsm.net,australiagsm.net,inbound,019,Americas,0 +autoloop.us,loop28.com,inbound,019,Americas,0 +avaaz.org,avaaz.org,inbound,019,Americas,0 +avalanchesafelist.com,zoothost.com,inbound,019,Americas,0 +aveda.com,esteelauder.com,inbound,019,Americas,0 +avenue.com,avenue.com,inbound,019,Americas,0 +avg.com,avg.com,inbound,019,Americas,0 +avomail.com,avomail.com,inbound,019,Americas,0 +b2b-mail.net,b2b-mail.net,inbound,019,Americas,0 +b2b-mail.net,contact-list.net,inbound,019,Americas,0 +babycenter.com,rsys3.com,inbound,019,Americas,0 +babyoye.com,babyoye.com,inbound,019,Americas,0.011564 +badoo.com,monopost.com,inbound,019,Americas,1 +baligam.co.il,baligam.co.il,inbound,019,Americas,1 +banamex.com,ibrands.es,inbound,019,Americas,0 +bancoahorrofamsa.com,avantel.net.mx,inbound,019,Americas,1 +bancomercorreo.com,bancomercorreo.com,inbound,019,Americas,0 +bandsintown.com,bandsintown.com,inbound,019,Americas,1 +barclaycard.co.uk,barclays.co.uk,inbound,019,Americas,0 +barenecessities.com,barenecessities.com,inbound,019,Americas,0 +barleyment.ca,barleyment.ca,inbound,019,Americas,0 +barneys.com,barneys.com,inbound,019,Americas,0 +baseballsavings.com,baseballsavings.com,inbound,019,Americas,0 +basspronews.com,basspronews.com,inbound,019,Americas,0 +bathandbodyworks.com,bathandbodyworks.com,inbound,019,Americas,0 +baublebar.com,baublebar.com,inbound,019,Americas,0.011219 +bayt.com,bayt.com,inbound,019,Americas,2e-06 +bcp.com.pe,bcp.com.pe,inbound,019,Americas,1 +bellsouth.net,att.net,outbound,019,Americas,0 +bellsouth.net,yahoo.{...},inbound,019,Americas,1 +bergdorfgoodmanemail.com,neimanmarcusemail.com,inbound,019,Americas,0 +bespokeoffers.co.uk,chtah.net,inbound,019,Americas,0 +bestbuy.ca,bestbuy.ca,inbound,019,Americas,0 +bestdealsforyou.in,elabs5.com,inbound,019,Americas,0 +bevmo.com,bevmo.com,inbound,019,Americas,0.000967 +bhcosmetics.com,bronto.com,inbound,019,Americas,0 +bhg.com,meredith.com,inbound,019,Americas,0 +bigfishgames.com,bigfishgames.com,inbound,019,Americas,0 +biglist.com,biglist.com,inbound,019,Americas,0 +bigtent.com,carezen.net,inbound,019,Americas,0 +bionexo.com,bionexo.com.br,inbound,019,Americas,0.999594 +birthdayalarm.com,monkeyinferno.net,inbound,019,Americas,0 +bitbucket.org,bitbucket.org,inbound,019,Americas,0 +bitlysupport.com,mailgun.info,inbound,019,Americas,1 +bitlysupport.com,mailgun.us,inbound,019,Americas,1 +bitslane.email,bitslane.email,inbound,019,Americas,0 +bitstatement.org,bitstatement.org,inbound,019,Americas,1 +bizjournals.com,bizjournals.com,inbound,019,Americas,0 +bizmailtoday.com,bizmailtoday.com,inbound,019,Americas,0 +bjs.com,bjs.com,inbound,019,Americas,0 +blablacar.com,blablacar.com,inbound,019,Americas,1 +blackberry.com,blackberry.com,inbound,019,Americas,0 +blackboard.com,blackboard.com,inbound,019,Americas,1 +blissworld.com,lstrk.net,inbound,019,Americas,1 +bloomingdales.com,bloomingdales.com,inbound,019,Americas,0 +bloomingdalesoutlets.com,bloomingdalesoutlets.com,inbound,019,Americas,0 +bluehost.com,bluehost.com,inbound,019,Americas,0.000971 +bluehost.com,hostmonster.com,inbound,019,Americas,0 +bluehost.com,unifiedlayer.com,inbound,019,Americas,0 +blueshellgames.com,blueshellgames.com,inbound,019,Americas,0 +bluestatedigital.com,bluestatedigital.com,inbound,019,Americas,0 +bluestonemx.com,bluestonemx.com,inbound,019,Americas,1 +bm23.com,bronto.com,inbound,019,Americas,0 +bm324.com,bronto.com,inbound,019,Americas,0 +bmdeda99.com,bmdeda99.com,inbound,019,Americas,0 +bn.com,bn.com,inbound,019,Americas,0 +bnetmail.com,bnetmail.com,inbound,019,Americas,0 +bol.com.br,bol.com.br,inbound,019,Americas,0 +bol.com.br,bol.com.br,outbound,019,Americas,0 +boletinrenuevo.com,boletinrenuevo.com,inbound,019,Americas,0 +bomnegocio.com,bomnegocio.com,inbound,019,Americas,0.588708 +bonobos.com,bronto.com,inbound,019,Americas,0 +bookbub.com,bookbub.com,inbound,019,Americas,1 +booking.com,booking.com,inbound,019,Americas,1 +bookingbuddy.com,smartertravelmedia.com,inbound,019,Americas,0.000487 +boomtownroi.com,boomtownroi.com,inbound,019,Americas,0 +boscovs.com,boscovs.com,inbound,019,Americas,0 +bostonproper.com,bostonproper.com,inbound,019,Americas,0 +boutiquesecret.com,chtah.net,inbound,019,Americas,0 +bradfordexchange.com,bradfordexchange.com,inbound,019,Americas,0 +bradsdeals.com,bradsdeals.com,inbound,019,Americas,0 +brassring.com,brassring.com,inbound,019,Americas,1 +briantracyintl.com,briantracyintl.com,inbound,019,Americas,0 +brijj.com,brijj.com,inbound,019,Americas,0 +brincltd.com,brincltd.com,inbound,019,Americas,0 +bronto.com,bronto.com,inbound,019,Americas,0 +bsf01.com,bsftransmit33.com,inbound,019,Americas,0 +buffalo.edu,buffalo.edu,inbound,019,Americas,0.001059 +bumeran.com,bumeran.com,inbound,019,Americas,0 +burlingtoncoatfactory.com,burlingtoncoatfactory.com,inbound,019,Americas,0 +burton.co.uk,burton.co.uk,inbound,019,Americas,0 +buscojobs.com,amazonaws.com,inbound,019,Americas,0 +buy123.com.tw,buy123.com.tw,inbound,019,Americas,1 +bzm.mobi,nmsrv.com,inbound,019,Americas,1 +c21stores.com,c21stores.com,inbound,019,Americas,0 +ca.gov,ca.gov,inbound,019,Americas,0.702758 +cafepress.com,cafepress.com,inbound,019,Americas,0.000778 +caixa.gov.br,caixa.gov.br,inbound,019,Americas,0 +californiapsychicsemail.com,californiapsychicsemail.com,inbound,019,Americas,0 +calottery.com,calottery.com,inbound,019,Americas,0.999426 +camel.com,rjrsignup.com,inbound,019,Americas,0 +canadianvisaexpert.net,canadianvisaexpert.net,inbound,019,Americas,0 +cancer.org,delivery.net,inbound,019,Americas,0 +capillary.co.in,capillary.co.in,inbound,019,Americas,1 +capitalone.com,bigfootinteractive.com,inbound,019,Americas,0 +capitalone360.com,ingdirect.com,inbound,019,Americas,0 +care.com,care.com,inbound,019,Americas,0 +care2.com,care2.com,inbound,019,Americas,0 +careerage.com,careerage.com,inbound,019,Americas,0 +careerflash.net,careerflash.net,inbound,019,Americas,1 +carmamail.com,carmamail.com,inbound,019,Americas,0 +carnivalfunmail.com,carnivalfunmail.com,inbound,019,Americas,0 +carolsdaughter.com,carolsdaughter.com,inbound,019,Americas,0 +carwale.com,carwale.com,inbound,019,Americas,0 +case.edu,cwru.edu,inbound,019,Americas,0.999942 +castingnetworks.com,castingnetworks.com,inbound,019,Americas,0.000102 +causes.com,causes.com,inbound,019,Americas,1 +cb2.com,cb2.com,inbound,019,Americas,0 +cbsig.net,cbsig.net,inbound,019,Americas,1 +ccbchurch.com,ccbchurch.com,inbound,019,Americas,1 +ccialerts.com,ccialerts.com,inbound,019,Americas,0 +ccs.com,footlocker.com,inbound,019,Americas,2.5e-05 +cenlat.com,cenlat.com,inbound,019,Americas,0.064459 +cerberusapp.com,cerberusapp.com,inbound,019,Americas,1 +cfmvmail.com,cfmvmail.com,inbound,019,Americas,0 +chabad.org,chabad.org,inbound,019,Americas,0 +champssports.com,footlocker.com,inbound,019,Americas,0.000131 +change.org,change.org,inbound,019,Americas,1 +charlestyrwhitt.com,charlestyrwhitt.com,inbound,019,Americas,0 +charter.net,charter.net,inbound,019,Americas,0 +charter.net,charter.net,outbound,019,Americas,0 +chase.com,jpmchase.com,inbound,019,Americas,0.999999 +chatcitynotifications.com,chatcitynotifications.com,inbound,019,Americas,0 +chaturbate.com,chaturbate.com,inbound,019,Americas,1 +cheapairmailer.com,cheapairmailer.com,inbound,019,Americas,0 +check.me,check.me,inbound,019,Americas,0 +cheekylovers.com,ropot.net,inbound,019,Americas,0 +chess.com,chess.com,inbound,019,Americas,1 +chicagotribune.com,latimes.com,inbound,019,Americas,0 +chicos.com,chicos.com,inbound,019,Americas,0.000156 +childrensplace.com,childrensplace.com,inbound,019,Americas,0 +christianbook.com,christianbook.com,inbound,019,Americas,1 +christianmingle.com,christianmingle.com,inbound,019,Americas,0 +chtah.com,chtah.net,inbound,019,Americas,0 +chtah.net,chtah.net,inbound,019,Americas,0 +cincghq.com,searchhomesingta.com,inbound,019,Americas,1 +circleofmomsmail.com,circleofmomsmail.com,inbound,019,Americas,0 +citibank.com,bigfootinteractive.com,inbound,019,Americas,0 +ck.com,ck.com,inbound,019,Americas,0 +clarks.com,clarks.com,inbound,019,Americas,0 +clickdimensions.com,clickdimensions.com,inbound,019,Americas,0 +clickexperts.net,clickexperts.net,inbound,019,Americas,0 +clicktoviewthisurl.org,clicktoviewthisurl.org,inbound,019,Americas,0 +climber.com,climber.com,inbound,019,Americas,0 +clinique.com,esteelauder.com,inbound,019,Americas,0 +clubcupon.com.ar,clubcupon.com.ar,inbound,019,Americas,0 +cmm01.com,coremotivesmarketing.com,inbound,019,Americas,0 +coach.com,delivery.net,inbound,019,Americas,0 +codeproject.com,codeproject.com,inbound,019,Americas,0 +coldwatercreek.com,coldwatercreek.com,inbound,019,Americas,0 +collectionsetc.com,collectionsetc.com,inbound,019,Americas,0 +columbia.edu,columbia.edu,inbound,019,Americas,0.762355 +comcast.net,comcast.net,inbound,019,Americas,0.919244 +comcast.net,comcast.net,outbound,019,Americas,0.999998 +comenity.net,alldata.net,inbound,019,Americas,1 +comenity.net,bigfootinteractive.com,inbound,019,Americas,0 +commonfloor.com,commonfloor.com,inbound,019,Americas,1 +compute.internal,amazonaws.com,inbound,019,Americas,0.875148 +computerworld.com,computerworld.com,inbound,019,Americas,0 +comunicacaodemkt.com,locaweb.com.br,inbound,019,Americas,0 +constantcontact.com,confirmedcc.com,inbound,019,Americas,0 +constantcontact.com,constantcontact.com,inbound,019,Americas,5.3e-05 +constantcontact.com,postini.com,inbound,019,Americas,0.042128 +containerstore.com,containerstore.com,inbound,019,Americas,0 +convio.net,convio.net,inbound,019,Americas,0 +coremotivesmarketing.com,coremotivesmarketing.com,inbound,019,Americas,0 +cornell.edu,cornell.edu,inbound,019,Americas,0.192285 +correosocc.com,correosocc.com,inbound,019,Americas,1 +costco.co.uk,costco.com,inbound,019,Americas,0 +costco.com,costco.com,inbound,019,Americas,7e-06 +costcophotocenter.com,wc09.net,inbound,019,Americas,0 +costcoservices.com,costco.com,inbound,019,Americas,0 +cotswoldoutdoor.com,cotswoldoutdoor.com,inbound,019,Americas,0 +couchsurfing.org,couchsurfing.com,inbound,019,Americas,0 +couponamama.com,couponamama.com,inbound,019,Americas,1 +cox.com,cox.com,inbound,019,Americas,0.001665 +cox.net,cox.net,inbound,019,Americas,0.009187 +cox.net,cox.net,outbound,019,Americas,0 +coyotelogistics.com,postini.com,inbound,019,Americas,0 +cp20.com,cp20.com,inbound,019,Americas,0 +cpbnc.com,cpbnc.com,inbound,019,Americas,0 +cpbnc.com,fye.com,inbound,019,Americas,0 +crackle.com,crackle.com,inbound,019,Americas,0 +craigslist.org,craigslist.org,inbound,019,Americas,0 +craigslist.org,craigslist.org,outbound,019,Americas,1 +crashlytics.com,crashlytics.com,inbound,019,Americas,1 +crashlytics.com,sendgrid.net,inbound,019,Americas,1 +crateandbarrel.com,crateandbarrel.com,inbound,019,Americas,0 +creationsrewards.net,creationsrewards.net,inbound,019,Americas,0 +creditkarma.com,creditkarma.com,inbound,019,Americas,1 +crosswalkmail.com,crosswalkmail.com,inbound,019,Americas,0 +crowdcut.com,crowdcut.com,inbound,019,Americas,1 +crunchyroll.com,crunchyroll.com,inbound,019,Americas,0 +cumulusdist.net,cumulusdist.net,inbound,019,Americas,0 +cuponatic.com.pe,cuponatic.com.pe,inbound,019,Americas,1 +cuponicamail.com,fnbox.com,inbound,019,Americas,0 +curbednetwork.com,curbednetwork.com,inbound,019,Americas,1 +cuspemail.com,neimanmarcusemail.com,inbound,019,Americas,0 +custombriefings.com,custombriefings.com,inbound,019,Americas,0 +customercenter.net,customercenter.net,inbound,019,Americas,0.996453 +customeriomail.com,customeriomail.com,inbound,019,Americas,1 +cxomedia.com,cxomedia.com,inbound,019,Americas,0 +cybercoders.com,cybercoders.com,inbound,019,Americas,0 +dafiti.cl,dafiti.cl,inbound,019,Americas,0 +dailyhoroscope.com,tarot.com,inbound,019,Americas,0 +datehookup.com,datehookup.com,inbound,019,Americas,0 +datingvipnotifications.com,datingvipnotifications.com,inbound,019,Americas,0 +daviacalendar.com,daviacalendar.com,inbound,019,Americas,1 +davidsbridal.com,davidsbridal.com,inbound,019,Americas,0 +davidstea.com,bronto.com,inbound,019,Americas,0 +daz3d.com,bronto.com,inbound,019,Americas,0 +dealersocket.com,dealersocket.com,inbound,019,Americas,0 +dealsaver.com,secondstreetmedia.com,inbound,019,Americas,0.999823 +debshops.com,lstrk.net,inbound,019,Americas,1 +deliasshopemail.com,deliasshopemail.com,inbound,019,Americas,0 +delivery.net,delivery.net,inbound,019,Americas,0 +delivery.net,m0.net,inbound,019,Americas,0 +dell.com,bfi0.com,inbound,019,Americas,0 +dentalsenders.com,dentalsenders.com,inbound,019,Americas,0 +descontos.pt,descontos.pt,inbound,019,Americas,0 +designerapparel.com,myperfectsale.com,inbound,019,Americas,1 +despegar.com,despegar.com,inbound,019,Americas,0 +dhgate.com,chtah.net,inbound,019,Americas,0 +dice.com,dice.com,inbound,019,Americas,0 +digitalmailer.com,digitalmailer.com,inbound,019,Americas,0 +digitalmedia-comunicacion.es,chtah.net,inbound,019,Americas,0 +digitalromanceinc.com,digitalromanceinc.com,inbound,019,Americas,1 +directv.com,directv.com,inbound,019,Americas,0.026649 +discover.com,discoverfinancial.com,inbound,019,Americas,1 +disparadordeemails.com,locaweb.com.br,inbound,019,Americas,0 +disqus.net,disqus.net,inbound,019,Americas,0 +dn.net,naukri.com,inbound,019,Americas,0 +docusign.net,docusign.net,inbound,019,Americas,0.985435 +donationnet.net,donationnet.net,inbound,019,Americas,0 +dorothyperkins.com,dorothyperkins.com,inbound,019,Americas,0 +dowjones.info,dowjones.info,inbound,019,Americas,0 +dptagent.biz,dptagent.biz,inbound,019,Americas,0 +dptagent.net,dptagent.net,inbound,019,Americas,0 +dreamhost.com,dreamhost.com,inbound,019,Americas,0 +dreamwidth.org,dreamwidth.org,inbound,019,Americas,0 +drhinternet.net,drhinternet.net,inbound,019,Americas,0 +driftem.com,emce2.in,inbound,019,Americas,0 +driftem.com,mailurja.com,inbound,019,Americas,0 +dropbox.com,dropbox.com,inbound,019,Americas,1 +dropboxmail.com,dropbox.com,inbound,019,Americas,1 +dsw.com,dsw.com,inbound,019,Americas,0 +ducks.org,uptilt.com,inbound,019,Americas,0 +duke.edu,duke.edu,inbound,019,Americas,0.308101 +dukecareers.com,dukecareers.com,inbound,019,Americas,1 +dvor.com,dvor.com,inbound,019,Americas,0 +dynamite-safelist.com,thomas-j-brown.com,inbound,019,Americas,0 +dynect-mailer.net,sendlabs.com,inbound,019,Americas,0 +e-activist.com,e-activist.com,inbound,019,Americas,0 +e-beallsonline.com,e-stagestores.com,inbound,019,Americas,0 +e-costco.mx,costco.com,inbound,019,Americas,0 +e-goodysonline.com,e-stagestores.com,inbound,019,Americas,0 +e-peebles.com,e-stagestores.com,inbound,019,Americas,0 +e-rewards.net,e-rewards.net,inbound,019,Americas,1 +e-stagestores.com,e-stagestores.com,inbound,019,Americas,0 +e-travelclub.es,e-travelclub.es,inbound,019,Americas,0 +e2ma.net,e2ma.net,inbound,019,Americas,1 +ea.com,ea.com,inbound,019,Americas,0.001232 +eaccess.net,postini.com,inbound,019,Americas,0 +earn-e-miles.com,earn-e-miles.com,inbound,019,Americas,0 +earnerslist.com,traxweb.net,inbound,019,Americas,9e-06 +earthfare-email.com,edclient2.com,inbound,019,Americas,0 +earthlink.net,earthlink.net,inbound,019,Americas,0.031648 +earthlink.net,earthlink.net,outbound,019,Americas,0 +eastbay.com,footlocker.com,inbound,019,Americas,0 +easyhealthoptions.com,easyhealthoptions.com,inbound,019,Americas,1 +easyroommate.com,easyroommate.com,inbound,019,Americas,0 +ebates.com,bfi0.com,inbound,019,Americas,0 +ebay.{...},ebay.{...},inbound,019,Americas,0.99941 +ebizac2.com,ebizac2.com,inbound,019,Americas,0 +eblastengine.com,secondstreetmedia.com,inbound,019,Americas,0.999827 +ec2.internal,amazonaws.com,inbound,019,Americas,0.769271 +ecasend.com,ecasend.com,inbound,019,Americas,0 +ed.gov,leepfrog.com,inbound,019,Americas,0.106381 +ed10.net,ed10.com,inbound,019,Americas,0 +edirect1.com,ivytech.edu,inbound,019,Americas,0 +edmodo.com,edmodo.com,inbound,019,Americas,1.1e-05 +educationzone.co.in,iaires.com,inbound,019,Americas,0 +effectivesafelist.com,zoothost.com,inbound,019,Americas,0 +eharmony.com,eharmony.com,inbound,019,Americas,1e-06 +eigbox.net,eigbox.net,inbound,019,Americas,0 +elabs3.com,elabs3.com,inbound,019,Americas,0 +elabs3.com,meritline.com,inbound,019,Americas,0 +elabs5.com,elabs5.com,inbound,019,Americas,0 +elabs6.com,elabs6.com,inbound,019,Americas,0 +elanceonline.com,elanceonline.com,inbound,019,Americas,0 +eleadtrack.net,eleadtrack.net,inbound,019,Americas,0 +elitesafelist.com,elitesafelist.com,inbound,019,Americas,0 +email-cooking.com,email-cooking.com,inbound,019,Americas,0 +email-galls.com,email-galls.com,inbound,019,Americas,1 +email-od.com,smtprelayserver.com,inbound,019,Americas,0.999779 +email-ticketdada.com,email-ticketdada.com,inbound,019,Americas,1 +email4-beyond.com,email4-beyond.com,inbound,019,Americas,0 +emailcounts.com,secureserver.net,inbound,019,Americas,0 +emaildir2.com,emaildirect.net,inbound,019,Americas,0 +emaildir2.com,espsnd.com,inbound,019,Americas,0 +emailnotify.net,emailnotify.net,inbound,019,Americas,0.961424 +emailsbancoestado.cl,emailsbancoestado.cl,inbound,019,Americas,0 +emailsripley.cl,etarget.cl,inbound,019,Americas,0 +embluejet.com,embluejet.com,inbound,019,Americas,0 +embluejet.com,emblueuser.com,inbound,019,Americas,0 +emcsend.com,emcsend.com,inbound,019,Americas,0 +emergencyemail.org,emergencyemail.org,inbound,019,Americas,0 +emktsender.net,locaweb.com.br,inbound,019,Americas,0 +emma.cl,emma.cl,inbound,019,Americas,0.996895 +emobile.ad.jp,postini.com,inbound,019,Americas,0 +employboard.com,employboard.com,inbound,019,Americas,1 +entregadeemails.com,locaweb.com.br,inbound,019,Americas,0 +entregadordecampanhas.net,locaweb.com.br,inbound,019,Americas,0 +enviodecampanhas.net,locaweb.com.br,inbound,019,Americas,0 +enviodemkt.com.br,locaweb.com.br,inbound,019,Americas,0 +epriority.com,epriority.com,inbound,019,Americas,0 +equifax.com,equifax.com,inbound,019,Americas,1 +equussafelist.com,equussafelist.com,inbound,019,Americas,0.000265 +esri.com,esri.com,inbound,019,Americas,0.983104 +esteelauder.com,esteelauder.com,inbound,019,Americas,0 +evanguard.com,evanguard.com,inbound,019,Americas,0 +eventbrite.com,eventbrite.com,inbound,019,Americas,0 +eversavelocal.com,eversavelocal.com,inbound,019,Americas,0 +everydayhealthinc.com,waterfrontmedia.net,inbound,019,Americas,0 +everyjobforme.com,everyjobforme.com,inbound,019,Americas,0 +exchangesolutions.com,exchangesolutions.com,inbound,019,Americas,0.000143 +exec-u-net-mail.com,exec-u-net-mail.com,inbound,019,Americas,0 +exprpt.com,exprpt.com,inbound,019,Americas,0 +expvtinboxhub.net,expvtinboxhub.net,inbound,019,Americas,0 +fabletics.com,bronto.com,inbound,019,Americas,0 +facebook.com,facebook.com,inbound,019,Americas,0.719445 +facebook.com,facebook.com,outbound,019,Americas,1 +facebookappmail.com,facebook.com,inbound,019,Americas,1 +facebookmail.com,facebook.com,inbound,019,Americas,1 +facebookmail.com,postini.com,inbound,019,Americas,0.592681 +facebookmail.com,yahoo.{...},inbound,019,Americas,1 +familychristianmail.com,familychristianmail.com,inbound,019,Americas,0 +famousfootwear.com,famousfootwear.com,inbound,019,Americas,0 +fanfiction.com,fictionpress.com,inbound,019,Americas,1 +farmersonly.com,mailgun.us,inbound,019,Americas,1 +fashion2hub.in,mgenie.in,inbound,019,Americas,0 +fastgb.com,fastgb.com,inbound,019,Americas,0 +fastlistmailer.com,zoothost.com,inbound,019,Americas,0 +fastweb.com,fastweb.com,inbound,019,Americas,0 +fbi.gov,fbi.gov,inbound,019,Americas,0 +fbmta.com,fbmta.com,inbound,019,Americas,0 +fc2.com,fc2.com,inbound,019,Americas,0.000601 +fedoraproject.org,fedoraproject.org,inbound,019,Americas,0 +feedblitz.com,feedblitz.com,inbound,019,Americas,0 +fetlifemail.com,fetlifemail.com,inbound,019,Americas,0 +fibertel.com.ar,fibertel.com.ar,inbound,019,Americas,0.003898 +fidelizador.org,fidelizador.org,inbound,019,Americas,0 +findexpvtinbox.com,findexpvtinbox.com,inbound,019,Americas,0 +finishline.com,finishline.com,inbound,019,Americas,0 +firemountaingems.com,firemountaingems.com,inbound,019,Americas,0 +fisher-price.com,fisher-price.com,inbound,019,Americas,0 +fitbit.com,fitbit.com,inbound,019,Americas,1 +fitnessmagazine.com,meredith.com,inbound,019,Americas,0 +fiverr.com,fiverr.com,inbound,019,Americas,0 +flexmls.com,flexmls.com,inbound,019,Americas,0.999992 +flightaware.com,flightaware.com,inbound,019,Americas,0.020698 +flipkart.com,flipkart.com,inbound,019,Americas,1 +flirt.com,ropot.net,inbound,019,Americas,0 +flirthookup.com,flirthookup.com,inbound,019,Americas,1 +flyceb.com,flyceb.com,inbound,019,Americas,0 +flyfrontier.com,flyfrontier.com,inbound,019,Americas,0 +foolsubs.com,foolcs.com,inbound,019,Americas,0 +foolsubs.com,foolsubs.com,inbound,019,Americas,0 +footaction.com,footlocker.com,inbound,019,Americas,0 +footlocker.com,footlocker.com,inbound,019,Americas,0.000605 +forever21.com,forever21.com,inbound,019,Americas,0 +fortisbusinessmedia.com,fortisbusinessmedia.com,inbound,019,Americas,0 +foursquare.com,foursquare.com,inbound,019,Americas,1 +foxnews.com,foxnews.com,inbound,019,Americas,0.0139 +fragrancenet.com,fragrancenet.com,inbound,019,Americas,0.000427 +francescas.com,bronto.com,inbound,019,Americas,0 +freeadsmailer.com,zoothost.com,inbound,019,Americas,0 +freebeesafelist.com,zoothost.com,inbound,019,Americas,0 +freebizmag.com,delivery.net,inbound,019,Americas,0 +freebsd.org,freebsd.org,inbound,019,Americas,0.999845 +freecycle.org,freecycle.org,inbound,019,Americas,1 +freedesktop.org,freedesktop.org,inbound,019,Americas,0 +freeflys.com,freeflys.com,inbound,019,Americas,0 +freelancer.com,freelancer.com,inbound,019,Americas,0 +freelancer.com,freelancernotify.com,inbound,019,Americas,0 +freelancer.com,getafreelancer.com,inbound,019,Americas,0 +freelists.org,iquest.net,inbound,019,Americas,0 +freelotto.com,plasmanetinc.com,inbound,019,Americas,0 +freepeople.com,freepeople.com,inbound,019,Americas,0 +freesafelistking.com,zoothost.com,inbound,019,Americas,0 +freshdesk.com,freshdesk.com,inbound,019,Americas,1 +freshers2015.com,secureserver.net,inbound,019,Americas,0 +freshlatesave.com,freshlatesave.com,inbound,019,Americas,1 +friskone.com,mailurja.com,inbound,019,Americas,0 +frontsight.com,frontsight.com,inbound,019,Americas,0 +frys.com,frys.com,inbound,019,Americas,0.00388 +frysmail.com,frysmail.com,inbound,019,Americas,0 +fspeletters.com,agorapub.co.uk,inbound,019,Americas,0 +fuelrewards.com,britecast.com,inbound,019,Americas,0 +futureshop.com,futureshop.com,inbound,019,Americas,0 +gaiaonline.com,gaiaonline.com,inbound,019,Americas,0 +gamehouse.com,gamehouse.com,inbound,019,Americas,0 +gbyguess.com,guess.com,inbound,019,Americas,0.001787 +gemoney.com,rsys1.com,inbound,019,Americas,0 +generalmills.com,boxtops4education.com,inbound,019,Americas,0 +generalmills.com,pillsbury.com,inbound,019,Americas,0 +gentoo.org,gentoo.org,inbound,019,Americas,1 +get-me-jobs.com,get-me-jobs.com,inbound,019,Americas,0 +gethired.com,gethired.com,inbound,019,Americas,1 +getitfree.us,getitfree.us,inbound,019,Americas,0 +getpaidsolutions.com,getpaidsolutions.com,inbound,019,Americas,1 +getpocket.com,bronto.com,inbound,019,Americas,0 +ghin.com,ghinconnect.com,inbound,019,Americas,0 +ghup.in,mgenie.in,inbound,019,Americas,0 +gillyhicks-email.com,abercrombie-email.com,inbound,019,Americas,0 +github.com,github.com,inbound,019,Americas,1 +github.com,postini.com,inbound,019,Americas,0.837872 +glassdoor.com,glassdoor.com,inbound,019,Americas,1 +glasses.com,glasses.com,inbound,019,Americas,0 +gliq.com,gliq.com,inbound,019,Americas,0.99852 +globalsafelist.com,globalsafelist.com,inbound,019,Americas,0 +globaltestmarket.com,globaltestmarket.com,inbound,019,Americas,0 +gmail.com,amazonaws.com,inbound,019,Americas,0.994381 +gmail.com,anteldata.net.uy,inbound,019,Americas,0.998653 +gmail.com,bell.ca,inbound,019,Americas,0.992481 +gmail.com,bellsouth.net,inbound,019,Americas,0.9996 +gmail.com,blackberry.com,inbound,019,Americas,0.992207 +gmail.com,brasiltelecom.net.br,inbound,019,Americas,0.99995 +gmail.com,centurytel.net,inbound,019,Americas,0.999415 +gmail.com,cgocable.net,inbound,019,Americas,0.99829 +gmail.com,charter.com,inbound,019,Americas,0.999109 +gmail.com,claro.net.br,inbound,019,Americas,1 +gmail.com,comcast.net,inbound,019,Americas,0.999621 +gmail.com,comcastbusiness.net,inbound,019,Americas,0.985462 +gmail.com,cox.net,inbound,019,Americas,0.962619 +gmail.com,embarqhsd.net,inbound,019,Americas,0.999554 +gmail.com,franchiseindia.com,inbound,019,Americas,1 +gmail.com,frontiernet.net,inbound,019,Americas,0.995233 +gmail.com,gvt.net.br,inbound,019,Americas,0.999513 +gmail.com,lorexddns.net,inbound,019,Americas,0 +gmail.com,majesticmoneymailer.com,inbound,019,Americas,1 +gmail.com,mchsi.com,inbound,019,Americas,0.999951 +gmail.com,movistar.cl,inbound,019,Americas,0.999361 +gmail.com,mycingular.net,inbound,019,Americas,0.999918 +gmail.com,myvzw.com,inbound,019,Americas,0.99992 +gmail.com,naukri.com,inbound,019,Americas,0.000998 +gmail.com,optonline.net,inbound,019,Americas,0.999776 +gmail.com,postini.com,inbound,019,Americas,0.650888 +gmail.com,qwest.net,inbound,019,Americas,0.997574 +gmail.com,rcn.com,inbound,019,Americas,0.999275 +gmail.com,rogers.com,inbound,019,Americas,0.999916 +gmail.com,rr.com,inbound,019,Americas,0.986894 +gmail.com,sbcglobal.net,inbound,019,Americas,0.998817 +gmail.com,shawcable.net,inbound,019,Americas,0.999998 +gmail.com,spcsdns.net,inbound,019,Americas,0.999998 +gmail.com,suddenlink.net,inbound,019,Americas,0.961593 +gmail.com,telecom.net.ar,inbound,019,Americas,0.999664 +gmail.com,telesp.net.br,inbound,019,Americas,0.999743 +gmail.com,telus.com,inbound,019,Americas,1 +gmail.com,telus.net,inbound,019,Americas,0.974663 +gmail.com,tmodns.net,inbound,019,Americas,1 +gmail.com,veloxzone.com.br,inbound,019,Americas,0.999969 +gmail.com,verizon.net,inbound,019,Americas,0.990214 +gmail.com,videotron.ca,inbound,019,Americas,0.967196 +gmail.com,vtr.net,inbound,019,Americas,0.999072 +gmail.com,websitewelcome.com,inbound,019,Americas,1 +gmail.com,wideopenwest.com,inbound,019,Americas,0.999729 +gmail.com,windstream.net,inbound,019,Americas,0.951847 +gmail.com,yahoo.{...},inbound,019,Americas,0.999992 +gmail.com,zoothost.com,inbound,019,Americas,0.033858 +gob.ar,gob.ar,inbound,019,Americas,0.160006 +gob.ec,gob.ec,inbound,019,Americas,0.623867 +godaddy.com,secureserver.net,inbound,019,Americas,0 +gogecapital.com,rsys1.com,inbound,019,Americas,0 +goldenopsafelist.com,zoothost.com,inbound,019,Americas,0 +goldstar.com,goldstar.com,inbound,019,Americas,1 +golfmnb.com,golfmnb.com,inbound,019,Americas,0 +google.com,postini.com,inbound,019,Americas,0.584887 +gopusamedia.com,gopusamedia.com,inbound,019,Americas,0 +govdelivery.com,govdelivery.com,inbound,019,Americas,0 +governmentjobs.com,governmentjobs.com,inbound,019,Americas,0 +gpmailer.com.br,parperfeito.com,inbound,019,Americas,0 +grassrootsaction.com,grassfire.net,inbound,019,Americas,0 +greatergood.com,greatergood.com,inbound,019,Americas,0 +groupon.{...},chtah.net,inbound,019,Americas,0 +groupon.{...},groupon.{...},inbound,019,Americas,1.0 +groupon.{...},postini.com,inbound,019,Americas,0.886672 +grouponmail.{...},grouponmail.{...},inbound,019,Americas,0 +grupos.com.br,grupos.com.br,inbound,019,Americas,0 +guess.ca,guess.com,inbound,019,Americas,0.000807 +guess.com,guess.com,inbound,019,Americas,0.003805 +guessfactory.com,guess.com,inbound,019,Americas,0.00164 +gustazos.com,cityoferta.com,inbound,019,Americas,1 +hallmark.com,hallmark.com,inbound,019,Americas,0 +hannaandersson.com,hannaandersson.com,inbound,019,Americas,0.013533 +harristeetermail.com,harristeetermail.com,inbound,019,Americas,0.99673 +harvard.edu,harvard.edu,inbound,019,Americas,0.274906 +hayneedle.com,hayneedle.com,inbound,019,Americas,0 +helpareporter.net,helpareporter.com,inbound,019,Americas,0 +herculist.com,herculist.com,inbound,019,Americas,0 +hilton.com,hiltonemail.com,inbound,019,Americas,0 +hipchat.com,hipchat.com,inbound,019,Americas,1 +hispavista.com,hispavista.com,inbound,019,Americas,0 +hollister-email.com,abercrombie-email.com,inbound,019,Americas,0 +homeaway.com,haspf.com,inbound,019,Americas,0 +homedecorators.com,homedecorators.com,inbound,019,Americas,0 +homedepot.com,homedepot.com,inbound,019,Americas,1 +hootsuite.com,hootsuite.com,inbound,019,Americas,1 +horchowemail.com,horchowemail.com,inbound,019,Americas,0 +hostelworld.com,bronto.com,inbound,019,Americas,0 +hostgator.com,hostgator.com,inbound,019,Americas,0.98061 +hostgator.com,websitewelcome.com,inbound,019,Americas,1 +hotmail.{...},hotmail.{...},inbound,019,Americas,1 +hotmail.{...},hotmail.{...},outbound,019,Americas,1 +hotmail.{...},postini.com,inbound,019,Americas,0.723143 +hotornot.com,monopost.com,inbound,019,Americas,1 +hotschedules.com,hotschedules.com,inbound,019,Americas,0 +house.gov,house.gov,inbound,019,Americas,0.999966 +houseoffraser.co.uk,houseoffraser.co.uk,inbound,019,Americas,0 +houzz.com,houzz.com,inbound,019,Americas,1 +hubspot.com,hubspot.com,inbound,019,Americas,1 +hungry-girl.com,hungry-girl.com,inbound,019,Americas,0 +iamlgnd2.com,iamlgnd2.com,inbound,019,Americas,1 +ibsys.com,ibsys.com,inbound,019,Americas,9e-05 +icbc.com.ar,clickexperts.net,inbound,019,Americas,0 +icbc.com.ar,standardbank.com.ar,inbound,019,Americas,0 +icims.com,icims.com,inbound,019,Americas,0.999939 +icors.org,lsoft.us,inbound,019,Americas,0 +icpbounce.com,icpbounce.com,inbound,019,Americas,0 +idc.email,nmsrv.com,inbound,019,Americas,1 +idgconnect-resources.com,idgconnect-resources.com,inbound,019,Americas,0 +ieee.org,ieee.org,inbound,019,Americas,0.999912 +ig.com.br,ig.com.br,inbound,019,Americas,0 +ig.com.br,ig.com.br,outbound,019,Americas,0 +igot-mails.com,zoothost.com,inbound,019,Americas,0 +iimjobs.com,iimjobs.com,inbound,019,Americas,1 +ikmultimedianews.com,ikmultimedianews.com,inbound,019,Americas,0.993319 +illinois.edu,illinois.edu,inbound,019,Americas,0.866481 +imageshost.ca,imageshost.ca,inbound,019,Americas,0 +imakenews.net,imakenews.com,inbound,019,Americas,0 +imo.im,imo.im,inbound,019,Americas,1 +imodules.com,imodules.com,inbound,019,Americas,0 +imvu.com,imvu.com,inbound,019,Americas,7e-06 +inboxdollars.com,inboxdollars.com,inbound,019,Americas,0 +inboxfirst.com,inboxfirst.com,inbound,019,Americas,0 +inboxmarketer-mail.com,inboxmarketer-mail.com,inbound,019,Americas,0.999877 +inboxpays.com,inboxpays.com,inbound,019,Americas,0 +inboxpounds.co.uk,inboxpounds.co.uk,inbound,019,Americas,0 +indeed.com,indeed.com,inbound,019,Americas,0.000121 +indeedemail.com,indeedemail.com,inbound,019,Americas,0 +independentlivingbullion.com,independentlivingbullion.com,inbound,019,Americas,0 +infobradesco.com.br,infobradesco.com.br,inbound,019,Americas,0 +infojobs.com.br,anuntis.com,inbound,019,Americas,0 +infomoney.com.br,infomoney.com.br,inbound,019,Americas,1 +informz.net,informz.net,inbound,019,Americas,0 +infradead.org,infradead.org,inbound,019,Americas,1 +inman.com,inman.com,inbound,019,Americas,0 +innovyx.net,innovyx.net,inbound,019,Americas,0 +insidehook.com,sailthru.com,inbound,019,Americas,0 +instagram.com,facebook.com,inbound,019,Americas,1 +instantprofitlist.com,screenshotads.com,inbound,019,Americas,0 +interac.ca,certapay.com,inbound,019,Americas,0 +interactivebrokers.com,interactivebrokers.com,inbound,019,Americas,1 +interactiverealtyservices.com,interactiverealtyservices.com,inbound,019,Americas,0 +intercom.io,mailgun.info,inbound,019,Americas,1 +interealty.net,interealty.net,inbound,019,Americas,1 +interweave.com,interweave.com,inbound,019,Americas,0 +intliv2.net,internationalliving.com,inbound,019,Americas,0 +invalidemail.com,taleo.net,inbound,019,Americas,1 +investopedia.com,vclk.net,inbound,019,Americas,0.999999 +investorplace.com,investorplace.com,inbound,019,Americas,0.995093 +irctcshopping.com,chtah.net,inbound,019,Americas,0 +iridium.com,iridium.com,inbound,019,Americas,0.997882 +isendservice.com.br,isendservice.com.br,inbound,019,Americas,0 +itau-unibanco.com.br,itau.com.br,inbound,019,Americas,0 +ittoolbox.com,ittoolbox.com,inbound,019,Americas,0 +ittoolbox.com,toolbox.com,inbound,019,Americas,0 +itwhitepapers.com,itwhitepapers.com,inbound,019,Americas,0 +iwantoneofthose.com,thehut.com,inbound,019,Americas,0 +ixs1.net,ixs1.net,inbound,019,Americas,0.005131 +jcpenney.com,jcpenney.com,inbound,019,Americas,9e-06 +jeevansathi.com,jeevansathi.com,inbound,019,Americas,0 +jetsetter.com,smartertravelmedia.com,inbound,019,Americas,0.041888 +jibjab.com,storybots.com,inbound,019,Americas,0 +jira.com,uc-inf.net,inbound,019,Americas,1 +jobscentral.com.sg,mailgun.net,inbound,019,Americas,1 +jobson.com,jobsonmail.com,inbound,019,Americas,0 +jobsradar.com,jobsradar.com,inbound,019,Americas,0 +jockeycomfort.com,jockeycomfort.com,inbound,019,Americas,0 +johnstonandmurphy-email.com,johnstonandmurphy-email.com,inbound,019,Americas,0 +jomashop.com,lstrk.net,inbound,019,Americas,1 +josbank.com,josbank.com,inbound,019,Americas,0 +jossandmain.com,jossandmain.com,inbound,019,Americas,0 +jtv.com,jtv.com,inbound,019,Americas,0 +juno.com,untd.com,inbound,019,Americas,0 +juno.com,untd.com,outbound,019,Americas,0 +justdial.com,mailurja.com,inbound,019,Americas,0 +justfab.com,bronto.com,inbound,019,Americas,0 +justfab.fr,bronto.com,inbound,019,Americas,0 +keek.com,keek.com,inbound,019,Americas,1 +kernel.org,kernel.org,inbound,019,Americas,0 +kgstores.com,kgstores.com,inbound,019,Americas,0 +kickstarter.com,kickstarter.com,inbound,019,Americas,1 +kidsfootlocker.com,footlocker.com,inbound,019,Americas,0 +kik.com,kik.com,inbound,019,Americas,1 +kimblegroup.com,kimblegroup.com,inbound,019,Americas,1 +kintera.com,kintera.com,inbound,019,Americas,0 +klaviyomail.com,klaviyomail.com,inbound,019,Americas,1 +klove.com,emfbroadcasting.com,inbound,019,Americas,0 +komando.com,komando.com,inbound,019,Americas,0 +kp.org,kp.org,inbound,019,Americas,0.999975 +krogermail.com,bigfootinteractive.com,inbound,019,Americas,0 +landmarketingmailer.com,zoothost.com,inbound,019,Americas,0 +landofnod.com,landofnod.com,inbound,019,Americas,0.002525 +languagepod101.com,eclient10.com,inbound,019,Americas,0 +languagepod101.com,eddlvr.com,inbound,019,Americas,0 +languagepod101.com,ednwsltr3.com,inbound,019,Americas,0 +languagepod101.com,ednwsltr8.com,inbound,019,Americas,0 +languagepod101.com,emaildirect.net,inbound,019,Americas,0 +lasenza.com,lasenza.com,inbound,019,Americas,0 +lastcallemail.com,lastcallemail.com,inbound,019,Americas,0 +latimes.com,latimes.com,inbound,019,Americas,0 +lauraashley.com,lauraashley.com,inbound,019,Americas,0 +leftlanesports.com,auspient.com,inbound,019,Americas,0.00705 +leftlanesports.com,leftlanesports.com,inbound,019,Americas,0 +legalshieldassociate.com,legalshield.com,inbound,019,Americas,0 +lexico.com,lexico.com,inbound,019,Americas,0 +life360.com,life360.com,inbound,019,Americas,1 +lindenlab.com,lindenlab.com,inbound,019,Americas,0.999444 +linkedin.com,linkedin.com,inbound,019,Americas,0.999873 +linkedin.com,postini.com,inbound,019,Americas,0.713391 +listeneremail.net,listeneremail.net,inbound,019,Americas,0 +listia.com,listia.com,inbound,019,Americas,1 +listnerds.com,listnerds.com,inbound,019,Americas,0 +listreturn.com,zoothost.com,inbound,019,Americas,0 +listserve.com,listserve.com,inbound,019,Americas,0 +listvolta.com,listvolta.com,inbound,019,Americas,0 +listwire.com,listwire.com,inbound,019,Americas,0 +live.{...},hotmail.{...},inbound,019,Americas,1 +live.{...},hotmail.{...},outbound,019,Americas,1 +livefyre.com,andbit.net,inbound,019,Americas,1 +livescribe.com,bronto.com,inbound,019,Americas,0 +livingsocial.com,livingsocial.com,inbound,019,Americas,0 +livrariasaraiva.com.br,livrariasaraiva.com.br,inbound,019,Americas,0 +localhires.com,localhires.com,inbound,019,Americas,1 +logitech.com,dvsops.com,inbound,019,Americas,0 +lojasmarisa.com.br,lojasmarisa.com.br,inbound,019,Americas,0 +lolsolos.com,ultimateadsites.net,inbound,019,Americas,0.999996 +lonelywifehookup.com,iverificationsystems.com,inbound,019,Americas,0 +lordandtaylor.com,lordandtaylor.com,inbound,019,Americas,0 +loveaholics.com,ropot.net,inbound,019,Americas,0 +lovelywholesale.com,lovelywholesale.com,inbound,019,Americas,1 +lrsmail.com,lrsmail.com,inbound,019,Americas,0 +lt02.net,listrak.com,inbound,019,Americas,1 +lt02.net,lstrk.net,inbound,019,Americas,1 +ltdcommodities.com,ltdcomm.net,inbound,019,Americas,0 +luckymag.com,mkt4500.com,inbound,019,Americas,0 +lulu.com,bronto.com,inbound,019,Americas,0 +lulus.com,lstrk.net,inbound,019,Americas,1 +lumosity.com,lumosity.com,inbound,019,Americas,1 +lyst.com,lyst.com,inbound,019,Americas,1 +maccosmetics.com,esteelauder.com,inbound,019,Americas,0 +macupdate.com,mailgun.info,inbound,019,Americas,1 +madmels.info,ultimateadsites.net,inbound,019,Americas,1 +madmimi.com,madmimi.com,inbound,019,Americas,0 +magicjack.com,magicjack.com,inbound,019,Americas,1 +magnetdev.com,magnetmail.net,inbound,019,Americas,0 +mail-route.com,mail-route.com,inbound,019,Americas,0 +mail-thestreet.com,mail-thestreet.com,inbound,019,Americas,0 +mail.mil,mail.mil,inbound,019,Americas,0 +mailaccurate.com,mgenie.in,inbound,019,Americas,0 +mailfacil.com.br,md02.com,inbound,019,Americas,0 +mailfeast.com,mgenie.in,inbound,019,Americas,0 +mailgun.org,mailgun.info,inbound,019,Americas,1 +mailgun.org,mailgun.net,inbound,019,Americas,1 +mailgun.org,mailgun.us,inbound,019,Americas,1 +mailingathome.net,mailingathome.net,inbound,019,Americas,0.999995 +mailjayde.com,mailjayde.com,inbound,019,Americas,0 +mailmachine1050.com,mailmachine1050.com,inbound,019,Americas,0 +mailsend1.com,mailsend6.com,inbound,019,Americas,0 +mailsender.com.br,mailsender.com.br,inbound,019,Americas,0 +manager.com.br,manager.com.br,inbound,019,Americas,0 +mandrillapp.com,mandrillapp.com,inbound,019,Americas,1 +mandrillapp.com,myjobhelperalerts.com,inbound,019,Americas,1 +marcustheatres.com,movio.co,inbound,019,Americas,0 +markandgraham.com,markandgraham.com,inbound,019,Americas,0 +marketer-safelist.com,jsalfianmarketing.com,inbound,019,Americas,1 +marketinghq.net,elabs8.com,inbound,019,Americas,0 +marketingprofs.com,marketingprofs.com,inbound,019,Americas,0.004412 +marlboro.com,marlboro.com,inbound,019,Americas,0 +maropost.com,biotrustnews.com,inbound,019,Americas,0 +maropost.com,mailing-truthaboutabs.com,inbound,019,Americas,0 +maropost.com,maropost.com,inbound,019,Americas,0 +maropost.com,mp2201.com,inbound,019,Americas,0 +masivapp.com,masivapp.com,inbound,019,Americas,1 +massageenvyclinics.com,massageenvyclinics.com,inbound,019,Americas,0 +masterbase.com,masterbase.com,inbound,019,Americas,0 +mastercard-email.com,mastercard-email.com,inbound,019,Americas,0 +mate1.net,mate1.net,inbound,019,Americas,0 +matrixemailer.com,matrixemailer.com,inbound,019,Americas,0 +mbstrm.com,mobilestorm.com,inbound,019,Americas,0 +mcafee.com,mcafee.com,inbound,019,Americas,0.979126 +mcarthurglen.com,mcarthurglen.com,inbound,019,Americas,0 +mcdlv.net,mcdlv.net,inbound,019,Americas,0 +mckinsey.com,bigfootinteractive.com,inbound,019,Americas,0 +mcsv.net,mcsv.net,inbound,019,Americas,0 +mdlinx.com,mdlinx.com,inbound,019,Americas,0 +mec.gov.br,mec.gov.br,inbound,019,Americas,0 +mediabistro.com,iworld.com,inbound,019,Americas,0.006428 +medpagetoday.com,wc09.net,inbound,019,Americas,0 +meetmemail.com,meetmemail.com,inbound,019,Americas,0 +megasenders.com,megasenders.com,inbound,019,Americas,0.07662 +memberdealsusa.com,memberdealsusa.com,inbound,019,Americas,0 +menswearhouse.com,menswearhouse.com,inbound,019,Americas,0 +mercadojobs.com,sendgrid.net,inbound,019,Americas,1 +mercola.com,mercola.com,inbound,019,Americas,0.000369 +messagegears.net,messagegears.net,inbound,019,Americas,0 +met-art.com,hydentra.com,inbound,019,Americas,1 +mgo.com,bronto.com,inbound,019,Americas,0 +michaels.com,chtah.net,inbound,019,Americas,0 +michaels.com,michaels.com,inbound,019,Americas,0 +microcentermedia.com,bfi0.com,inbound,019,Americas,0 +microsoft.com,hotmail.{...},inbound,019,Americas,1 +microsoft.com,msn.com,inbound,019,Americas,1 +midnightsunsafelist.com,zoothost.com,inbound,019,Americas,0 +milfaholic.com,iverificationsystems.com,inbound,019,Americas,0 +miltnews.com,miltnews.com,inbound,019,Americas,0 +mindbodyonline.com,mindbodyonline.com,inbound,019,Americas,1 +mindfieldonline.com,mindfieldonline.com,inbound,019,Americas,0 +mindmoviesmail.com,mindmoviesmail.com,inbound,019,Americas,0.004239 +mindvalleymail3.com,mindvalleymail3.com,inbound,019,Americas,0 +mint.com,mint.com,inbound,019,Americas,0 +minted.com,messagelabs.com,inbound,019,Americas,0.999669 +missselfridge.com,wallis-fashion.com,inbound,019,Americas,0 +mistersafelist.com,zoothost.com,inbound,019,Americas,0 +mit.edu,mit.edu,inbound,019,Americas,0.869568 +mjinn.com,mailurja.com,inbound,019,Americas,0 +mkt015.com,mkt015.com,inbound,019,Americas,0 +mkt022.com,mkt022.com,inbound,019,Americas,0 +mkt063.com,mkt063.com,inbound,019,Americas,0 +mkt1136.com,mkt1136.com,inbound,019,Americas,0 +mkt1985.com,fmlinks.net,inbound,019,Americas,0 +mkt2010.com,mkt2010.com,inbound,019,Americas,0 +mkt2106.com,mkt2106.com,inbound,019,Americas,0 +mkt2170.com,mkt2170.com,inbound,019,Americas,0 +mkt2181.com,mkt2181.com,inbound,019,Americas,0 +mkt2615.com,mkt2615.com,inbound,019,Americas,0 +mkt2813.com,mkt2813.com,inbound,019,Americas,0 +mkt2944.com,mkt2944.com,inbound,019,Americas,0 +mkt3134.com,mkt3134.com,inbound,019,Americas,0 +mkt3142.com,mkt3142.com,inbound,019,Americas,0 +mkt3156.com,mkt3156.com,inbound,019,Americas,0 +mkt3203.com,mkt3203.com,inbound,019,Americas,0 +mkt346.com,mkt346.com,inbound,019,Americas,0 +mkt3544.com,mkt3544.com,inbound,019,Americas,0 +mkt3622.com,mkt3622.com,inbound,019,Americas,0 +mkt3682.com,mkt3682.com,inbound,019,Americas,0 +mkt3690.com,mkt3690.com,inbound,019,Americas,0 +mkt3695.com,mkt3695.com,inbound,019,Americas,0 +mkt3804.com,mkt3804.com,inbound,019,Americas,0 +mkt3815.com,mkt3815.com,inbound,019,Americas,0 +mkt3952.com,xoom.com,inbound,019,Americas,0 +mkt4355.com,mkt4355.com,inbound,019,Americas,0 +mkt4364.com,mkt4364.com,inbound,019,Americas,0 +mkt459.com,mkt459.com,inbound,019,Americas,0 +mkt4701.com,mkt4701.com,inbound,019,Americas,0 +mkt4728.com,mkt4728.com,inbound,019,Americas,0 +mkt4731.com,mkt4731.com,inbound,019,Americas,0 +mkt4738.com,mkt4738.com,inbound,019,Americas,0 +mkt5071.com,mkt5071.com,inbound,019,Americas,0 +mkt5098.com,mkt5098.com,inbound,019,Americas,0 +mkt5131.com,mkt5131.com,inbound,019,Americas,0 +mkt5144.com,mkt5144.com,inbound,019,Americas,0 +mkt5144.com,mkt5980.com,inbound,019,Americas,0 +mkt5144.com,mkt5981.com,inbound,019,Americas,0 +mkt5181.com,mkt5181.com,inbound,019,Americas,0 +mkt5269.com,mkt5269.com,inbound,019,Americas,0 +mkt529.com,mkt529.com,inbound,019,Americas,0 +mkt5297.com,mkt5297.com,inbound,019,Americas,0 +mkt5297.com,mkt5309.com,inbound,019,Americas,0 +mkt5371.com,mkt5371.com,inbound,019,Americas,0 +mkt5806.com,mkt5806.com,inbound,019,Americas,0 +mkt5934.com,mkt5934.com,inbound,019,Americas,0 +mkt5937.com,mkt5937.com,inbound,019,Americas,0 +mkt5970.com,mkt5970.com,inbound,019,Americas,0 +mkt6100.com,mkt6098.com,inbound,019,Americas,0 +mkt6276.com,mkt6276.com,inbound,019,Americas,0 +mkt6323.com,mkt6323.com,inbound,019,Americas,0 +mkt746.com,mkt746.com,inbound,019,Americas,0 +mkt824.com,mkt869.com,inbound,019,Americas,0 +mktdillards.com,mktdillards.com,inbound,019,Americas,0 +mo1send.com,mo1send.com,inbound,019,Americas,0 +mobly.com.br,mobly.com.br,inbound,019,Americas,0 +modellsemail.com,n-email.net,inbound,019,Americas,0 +moneymorning.com,moneymappress.com,inbound,019,Americas,0 +monster.com,monster.com,inbound,019,Americas,0 +monster.com,tmpw.net,inbound,019,Americas,0.000503 +moon-ray.com,moon-ray.com,inbound,019,Americas,0 +mooresclothing.com,mooresclothing.com,inbound,019,Americas,0 +moveon.org,moveon.org,inbound,019,Americas,0.996147 +mrmlsmatrix.com,mrmlsmatrix.com,inbound,019,Americas,0 +ms.com,ms.com,inbound,019,Americas,1 +msn.com,hotmail.{...},inbound,019,Americas,1 +msn.com,hotmail.{...},outbound,019,Americas,1 +mta.info,ealert.com,inbound,019,Americas,0 +mtasv.net,mtasv.net,inbound,019,Americas,0.999999 +musicnotes-alerts.com,mybuys.com,inbound,019,Americas,0 +mustanglist.com,mustanglist.com,inbound,019,Americas,0 +mycheapoair.com,mycheapoair.com,inbound,019,Americas,0.957931 +mydailymoment.biz,mydailymoment.biz,inbound,019,Americas,0 +mydailymoment.info,mydailymoment.info,inbound,019,Americas,0 +mydailymoment.net,mydailymoment.net,inbound,019,Americas,0 +mydailymoment.us,mydailymoment.us,inbound,019,Americas,0 +myfedloan.org,aessuccess.org,inbound,019,Americas,0.328917 +myfxbook.com,myfxbook.com,inbound,019,Americas,0 +mygreatlakes.org,glhec.org,inbound,019,Americas,0.000247 +myhealthwealthandhappiness.com,myhealthwealthandhappiness.com,inbound,019,Americas,0 +mymeijer.com,mymeijer.com,inbound,019,Americas,0 +myngp.com,ngpweb.com,inbound,019,Americas,0 +myperfectsale.com,myperfectsale.com,inbound,019,Americas,1 +myprotein.com,thehut.com,inbound,019,Americas,0 +mysafelistmailer.com,mysafelistmailer.com,inbound,019,Americas,0.00033 +mysmartprice.com,itzwow.com,inbound,019,Americas,1 +myzamanamail.com,myzamanamail.com,inbound,019,Americas,0 +n-email.net,n-email.net,inbound,019,Americas,0 +n-email1.net,n-email1.net,inbound,019,Americas,0 +n-email4.net,n-email4.net,inbound,019,Americas,0 +nanomail.com.br,araie.com.br,inbound,019,Americas,1 +napitipp.hu,napitipp.hu,inbound,019,Americas,0 +nasa.gov,nasa.gov,inbound,019,Americas,0.101289 +nastygal.com,bronto.com,inbound,019,Americas,0 +nationbuilder.com,nationbuilder.com,inbound,019,Americas,1 +nature.com,nature.com,inbound,019,Americas,0 +naukri.com,naukri.com,inbound,019,Americas,0.000533 +nauta.cu,etecsa.net,inbound,019,Americas,0 +nba.com,nba.com,inbound,019,Americas,0.005829 +nbaa.org,nbaa.org,inbound,019,Americas,0 +ncl.com,ncl.com,inbound,019,Americas,0 +neimanmarcusemail.com,neimanmarcusemail.com,inbound,019,Americas,0 +net-a-porter.com,net-a-porter.com,inbound,019,Americas,0 +net-empregos.com,net-empregos.com,inbound,019,Americas,0 +netcommunity1.com,blackbaud.com,inbound,019,Americas,0 +netflix.com,netflix.com,inbound,019,Americas,1 +netopia.pt,netopia.pt,inbound,019,Americas,0 +netprosoftmail.com,netprosoftmail.com,inbound,019,Americas,0 +netsuite.com,netsuite.com,inbound,019,Americas,0.60682 +networkworld.com,networkworld.com,inbound,019,Americas,0 +newgrounds.com,newgrounds.com,inbound,019,Americas,0 +newrelic.com,sendlabs.com,inbound,019,Americas,0 +newspaperdirect.com,newspaperdirect.com,inbound,019,Americas,0.000177 +newyorktimesinfo.com,newyorktimesinfo.com,inbound,019,Americas,0 +nexcess.net,nexcess.net,inbound,019,Americas,0.039513 +nextdoor.com,mailgun.info,inbound,019,Americas,1 +nfl.com,bfi0.com,inbound,019,Americas,0 +nih.gov,nih.gov,inbound,019,Americas,8.8e-05 +ninewestmail.com,ninewestmail.com,inbound,019,Americas,0 +ning.com,ning.com,inbound,019,Americas,0 +nixle.com,nixle.com,inbound,019,Americas,0 +nl00.net,netline.com,inbound,019,Americas,5e-06 +nl00.net,nl00.net,inbound,019,Americas,0 +nongnu.org,gnu.org,inbound,019,Americas,1 +nordstrom.com,taleo.net,inbound,019,Americas,1 +nortonfromsymantec.com,rsys1.com,inbound,019,Americas,0 +novidadeslojasrenner.com.br,novidadeslojasrenner.com.br,inbound,019,Americas,0 +numbersusa.com,numbersusa.com,inbound,019,Americas,0 +nyandcompany.com,nyandcompany.com,inbound,019,Americas,0 +ocadomail.com,ocadomail.com,inbound,019,Americas,0 +ofertasbmc.com.br,ofertasbmc.com.br,inbound,019,Americas,0 +ofertasefacil.com.br,ofertasefacil.com.br,inbound,019,Americas,0 +ofertop.pe,icommarketing.com,inbound,019,Americas,0 +officedepot.com,officedepot.com,inbound,019,Americas,2.6e-05 +olympiaedge.net,olympiaedge.net,inbound,019,Americas,0 +oneindia.in,infimail.com,inbound,019,Americas,0 +oneindia.in,mailurja.com,inbound,019,Americas,0 +onepatriotplace.com,britecast.com,inbound,019,Americas,0 +onestopplus.com,neolane.net,inbound,019,Americas,0 +onetravelspecials.com,onetravelspecials.com,inbound,019,Americas,0.365386 +online.com,cnet.com,inbound,019,Americas,0 +onthecitymail.org,onthecitymail.org,inbound,019,Americas,1 +oo155.com,bsftransmit7.com,inbound,019,Americas,0 +oo155.com,oo155.com,inbound,019,Americas,0 +openstack.org,openstack.org,inbound,019,Americas,0.997933 +openstackmail.com,infimail.com,inbound,019,Americas,0 +opentable.com,opentable.com,inbound,019,Americas,2e-06 +opinionoutpost.com,opinionoutpost.com,inbound,019,Americas,0 +opinionsquare.com,opinionsquare.com,inbound,019,Americas,0 +oprah.com,oprah.com,inbound,019,Americas,0 +opticsplanet.com,opticsplanet.com,inbound,019,Americas,0 +optonline.net,cv.net,inbound,019,Americas,0 +optonline.net,optonline.net,outbound,019,Americas,0 +oriental-trading.com,oriental-trading.com,inbound,019,Americas,0 +outlook.com,hotmail.{...},inbound,019,Americas,1 +outlook.com,hotmail.{...},outbound,019,Americas,1 +overnightprints.com,chtah.net,inbound,019,Americas,0 +ovuline.com,ovuline.com,inbound,019,Americas,1 +pagoda.com,zales.com,inbound,019,Americas,0 +pagseguro.com.br,uol.com.br,inbound,019,Americas,0 +pair.com,pair.com,inbound,019,Americas,0.893803 +palmscasinoresort.com,palmscasinoresort.com,inbound,019,Americas,0 +pampers.com,bfi0.com,inbound,019,Americas,0 +pandaresearch.com,pandaresearch.com,inbound,019,Americas,0 +pandora.com,pandora.com,inbound,019,Americas,1 +pandora.net,pandora.net,inbound,019,Americas,1 +parents.com,meredith.com,inbound,019,Americas,0 +parkmobileglobal.com,parkmobile.us,inbound,019,Americas,0 +path.com,path.com,inbound,019,Americas,1 +patriotupdate.com,inboxfirst.com,inbound,019,Americas,0 +payback.in,chtah.net,inbound,019,Americas,0 +paytm.com,paytm.com,inbound,019,Americas,1 +pbteen.com,pbteen.com,inbound,019,Americas,0 +pch.com,ed10.com,inbound,019,Americas,0 +pchfrontpage.com,ed10.com,inbound,019,Americas,0 +pchlotto.com,ed10.com,inbound,019,Americas,0 +pchplayandwin.com,ed10.com,inbound,019,Americas,0 +pchsearch.com,ed10.com,inbound,019,Americas,0 +pcmag.com,ittoolbox.com,inbound,019,Americas,0 +pcworld.com,pcworld.com,inbound,019,Americas,0 +pd25.com,pd25.com,inbound,019,Americas,1 +pearlsofwealth.com,pearlsofwealth.com,inbound,019,Americas,1 +peartreegreetings.com,rexcraft.com,inbound,019,Americas,0 +peixeurbano.com.br,peixeurbano.com.br,inbound,019,Americas,0 +pepboys.com,pepboys.com,inbound,019,Americas,0 +pepperfry.com,epidm.net,inbound,019,Americas,0 +perfectpriceindia.com,infimail.com,inbound,019,Americas,0 +perfora.net,perfora.net,inbound,019,Americas,1 +permissionresearch.com,permissionresearch.com,inbound,019,Americas,0 +personalliberty.com,personalliberty.com,inbound,019,Americas,1 +pga.com,pga.com,inbound,019,Americas,0 +pgeveryday.com,bfi0.com,inbound,019,Americas,0 +phoenix.edu,phoenix.edu,inbound,019,Americas,0 +phsmtpbox.com,phsmtpbox.com,inbound,019,Americas,0 +pinterest.com,pinterest.com,inbound,019,Americas,1 +pivotaltracker.com,pivotaltracker.com,inbound,019,Americas,1 +pixable.com,pixable.com,inbound,019,Americas,1 +pizzahut.com,quikorder.com,inbound,019,Americas,0 +plexapp.com,plex.tv,inbound,019,Americas,1 +pmailus.com,patrontechnology.com,inbound,019,Americas,0 +pnc.com,messagelabs.com,inbound,019,Americas,0.997194 +pobox.com,pobox.com,inbound,019,Americas,0.975372 +pof.com,plentyoffish.co.uk,inbound,019,Americas,0 +pogo.com,pogo.com,inbound,019,Americas,0 +polyvore.com,polyvore.com,inbound,019,Americas,1 +postcardfromhell.com,cyberthugs.com,inbound,019,Americas,1 +potterybarn.com,potterybarn.com,inbound,019,Americas,0 +potterybarnkids.com,potterybarnkids.com,inbound,019,Americas,0 +preferredpetclub.com,preferredpetclub.com,inbound,019,Americas,0 +presslaff.net,dat-e-baseonline.com,inbound,019,Americas,0 +pressmartmail.com,pressmartmail.com,inbound,019,Americas,0 +priorityoneemail.com,priorityoneemail.com,inbound,019,Americas,0 +private-elist.com,private-elist.com,inbound,019,Americas,0 +progressive.com,progressive.com,inbound,019,Americas,0.999893 +promedmail.org,childrenshospital.org,inbound,019,Americas,1 +propertysolutions.com,propertysolutions.com,inbound,019,Americas,1 +prospectgeysercoop.com,prospectgeysercoop.com,inbound,019,Americas,1 +providesupport.com,providesupport.com,inbound,019,Americas,0.000103 +proxyvote.com,adp-ics.com,inbound,019,Americas,0.908635 +psu.edu,psu.edu,inbound,019,Americas,0.073843 +puffinmailer.com,zoothost.com,inbound,019,Americas,0 +purewow.com,purewow.com,inbound,019,Americas,0 +purlsmail.com,purlsmail.com,inbound,019,Americas,0 +pxsmail.com,pxsmail.com,inbound,019,Americas,0 +q.com,synacor.com,inbound,019,Americas,0.999734 +qemailserver.com,qemailserver.com,inbound,019,Americas,0 +qtropnews.com,qtropnews.com,inbound,019,Americas,1.7e-05 +qualicorp.com.br,qualicorp.com.br,inbound,019,Americas,1 +qualitysafelist.com,zoothost.com,inbound,019,Americas,0 +queopinas.com,confirmit.com,inbound,019,Americas,1 +quickrewards.net,quickrewards.net,inbound,019,Americas,0 +quikr.com,quikr.com,inbound,019,Americas,0 +quora.com,quora.com,inbound,019,Americas,1 +qvcemail.com,qvcemail.com,inbound,019,Americas,0 +radarsystems.net,radarsystems.net,inbound,019,Americas,1 +radiantretailapps.com,radiantretailapps.com,inbound,019,Americas,0 +radioshack.com,radioshack.com,inbound,019,Americas,0 +rapattoni.com,rapmls.com,inbound,019,Americas,0 +razerzone.com,chtah.net,inbound,019,Americas,0 +rbc.com,rbc.com,inbound,019,Americas,0.003061 +rdio.com,rdio.com,inbound,019,Americas,1 +realtor.org,realtor.org,inbound,019,Americas,0 +realtytrac.com,realtytrac.com,inbound,019,Americas,0.001681 +recipe.com,meredith.com,inbound,019,Americas,0 +recruit.net,recruit.net,inbound,019,Americas,0 +redbox.com,redbox.com,inbound,019,Americas,0 +redfin.com,redfin.com,inbound,019,Americas,0 +redtri.com,redtri.com,inbound,019,Americas,0 +reebokusnews.com,reebokusnews.com,inbound,019,Americas,0 +reebonz.com,ed10.com,inbound,019,Americas,0 +reebonz.com,reebonz.com,inbound,019,Americas,1 +registro.br,registro.br,inbound,019,Americas,0 +rent.com,rent.com,inbound,019,Americas,0.000397 +rentalcars.com,rentalcars.com,inbound,019,Americas,1 +renweb.com,renweb.com,inbound,019,Americas,0 +researchgate.net,researchgate.net,inbound,019,Americas,0 +restorationhardware.com,restorationhardware.com,inbound,019,Americas,0 +retailmenot.com,retailmenot.com,inbound,019,Americas,0 +reverbnation.com,reverbnation.com,inbound,019,Americas,0 +rewardme.in,bfi0.com,inbound,019,Americas,0 +ricardoeletro.com.br,allin.com.br,inbound,019,Americas,0 +rigzonemail.com,rigzonemail.com,inbound,019,Americas,0 +ripleyperu.com.pe,icommarketing.com,inbound,019,Americas,0 +riseup.net,riseup.net,inbound,019,Americas,1 +rivamail.com,mailurja.com,inbound,019,Americas,0 +rnmk.com,rnmk.com,inbound,019,Americas,0 +roamans.com,neolane.net,inbound,019,Americas,0 +rockwellcollins.com,rockwellcollins.com,inbound,019,Americas,1 +rpinow.org,app-info.net,inbound,019,Americas,0 +rr.com,rr.com,inbound,019,Americas,0.03696 +rr.com,rr.com,outbound,019,Americas,0 +rsgsv.net,rsgsv.net,inbound,019,Americas,0 +rsvpsv.net,rsvpsv.net,inbound,019,Americas,0 +rsvpsv.net,send.esp.br,inbound,019,Americas,0 +rsys2.com,amfam.com,inbound,019,Americas,0 +rsys2.com,cheaptickets.com,inbound,019,Americas,0 +rsys2.com,dishnetworkmail.com,inbound,019,Americas,0 +rsys2.com,e-comms.net,inbound,019,Americas,0 +rsys2.com,eharmony.com,inbound,019,Americas,0 +rsys2.com,fathead.com,inbound,019,Americas,0 +rsys2.com,intuit.com,inbound,019,Americas,0 +rsys2.com,kmart.com,inbound,019,Americas,0 +rsys2.com,kohlernews.com,inbound,019,Americas,0 +rsys2.com,lego.com,inbound,019,Americas,0 +rsys2.com,lenovo.com,inbound,019,Americas,0 +rsys2.com,modcloth.com,inbound,019,Americas,0 +rsys2.com,moxieinteractive.com,inbound,019,Americas,0 +rsys2.com,orbitz.com,inbound,019,Americas,0 +rsys2.com,payless.com,inbound,019,Americas,0 +rsys2.com,petsathome.com,inbound,019,Americas,0 +rsys2.com,quizzle.com,inbound,019,Americas,0 +rsys2.com,robeez.com,inbound,019,Americas,0 +rsys2.com,rsys1.com,inbound,019,Americas,0 +rsys2.com,rsys2.com,inbound,019,Americas,0 +rsys2.com,rsys3.com,inbound,019,Americas,0 +rsys2.com,rsys4.com,inbound,019,Americas,0 +rsys2.com,saucony.com,inbound,019,Americas,0 +rsys2.com,sears.com,inbound,019,Americas,0 +rsys2.com,shopbop.com,inbound,019,Americas,0 +rsys2.com,southwest.com,inbound,019,Americas,0 +rsys2.com,speeddatemail.com,inbound,019,Americas,0 +rsys2.com,thecompanystore.com,inbound,019,Americas,0 +rsys2.com,theknot.com,inbound,019,Americas,0 +rsys5.com,alibris.com,inbound,019,Americas,0 +rsys5.com,allstate-email.com,inbound,019,Americas,0 +rsys5.com,beachmint.com,inbound,019,Americas,0 +rsys5.com,belleandclive.com,inbound,019,Americas,0 +rsys5.com,br.dk,inbound,019,Americas,0 +rsys5.com,charlotterusse.com,inbound,019,Americas,0 +rsys5.com,comixology.com,inbound,019,Americas,0 +rsys5.com,cottonon.com,inbound,019,Americas,0 +rsys5.com,ediblearrangements.com,inbound,019,Americas,0 +rsys5.com,emailworldmarket.com,inbound,019,Americas,0 +rsys5.com,farfetch.com,inbound,019,Americas,0 +rsys5.com,frhiemailcommunications.com,inbound,019,Americas,0 +rsys5.com,harryanddavid.com,inbound,019,Americas,0 +rsys5.com,hollandandbarrett.com,inbound,019,Americas,0 +rsys5.com,icing.com,inbound,019,Americas,0 +rsys5.com,indigo.ca,inbound,019,Americas,0 +rsys5.com,jabong.com,inbound,019,Americas,0 +rsys5.com,jcrew.com,inbound,019,Americas,0 +rsys5.com,jjill.com,inbound,019,Americas,0 +rsys5.com,kanui.com.br,inbound,019,Americas,0 +rsys5.com,kirklands.com,inbound,019,Americas,0 +rsys5.com,lanebryant.com,inbound,019,Americas,0 +rsys5.com,lazada.com,inbound,019,Americas,0 +rsys5.com,leapfrog.com,inbound,019,Americas,0 +rsys5.com,llbean.com,inbound,019,Americas,0 +rsys5.com,lojascolombo.com.br,inbound,019,Americas,0 +rsys5.com,madewell.com,inbound,019,Americas,0 +rsys5.com,magazineluiza.com.br,inbound,019,Americas,0 +rsys5.com,missguided.co.uk,inbound,019,Americas,0 +rsys5.com,moma.org,inbound,019,Americas,0 +rsys5.com,nationalgeographic.com,inbound,019,Americas,0 +rsys5.com,neat.com,inbound,019,Americas,0 +rsys5.com,newbalance.com,inbound,019,Americas,0 +rsys5.com,news-voeazul.com.br,inbound,019,Americas,0 +rsys5.com,nordstrom.com,inbound,019,Americas,0 +rsys5.com,normthompson.com,inbound,019,Americas,0 +rsys5.com,novomundo.com.br,inbound,019,Americas,0 +rsys5.com,ourdeal.com.au,inbound,019,Americas,0 +rsys5.com,pier1.com,inbound,019,Americas,0 +rsys5.com,productmadness.com,inbound,019,Americas,0 +rsys5.com,rainbowshops.com,inbound,019,Americas,0 +rsys5.com,rei.com,inbound,019,Americas,0 +rsys5.com,roadrunnersports.com,inbound,019,Americas,0 +rsys5.com,rosettastone.com,inbound,019,Americas,0 +rsys5.com,seamless.com,inbound,019,Americas,0 +rsys5.com,serenaandlily.com,inbound,019,Americas,0 +rsys5.com,smiles.com.br,inbound,019,Americas,0 +rsys5.com,soubarato.com.br,inbound,019,Americas,0 +rsys5.com,strava.com,inbound,019,Americas,0 +rsys5.com,submarino.com.br,inbound,019,Americas,0 +rsys5.com,thewalkingcompany.com,inbound,019,Americas,0 +rsys5.com,tigerdirect.com,inbound,019,Americas,0 +rsys5.com,udemy.com,inbound,019,Americas,0 +rsys5.com,vitaminshoppe.com,inbound,019,Americas,0 +rsys5.com,vpusa.com,inbound,019,Americas,0 +rsys5.com,walmart.com.br,inbound,019,Americas,0 +rsys5.com,worldofwatches.com,inbound,019,Americas,0 +rsys5.com,xfinity.com,inbound,019,Americas,0 +rue21email.com,rue21email.com,inbound,019,Americas,0 +ruum.com,ruum.com,inbound,019,Americas,0 +saavn.com,saavn.com,inbound,019,Americas,1 +safelistextreme.com,quantumsafelist.com,inbound,019,Americas,0 +safelistpro.com,safelistpro.com,inbound,019,Americas,0.00014 +safeway.com,chtah.com,inbound,019,Americas,0 +sailthru.com,sailthru.com,inbound,019,Americas,0 +saks.com,saks.com,inbound,019,Americas,0 +saksoff5th.com,saksoff5th.com,inbound,019,Americas,0 +salememail.net,salememail.net,inbound,019,Americas,0 +salesforce.com,postini.com,inbound,019,Americas,0.816952 +salesforce.com,salesforce.com,inbound,019,Americas,1 +salesforce.com,salesforce.com,outbound,019,Americas,1 +salliemae.com,salliemae.com,inbound,019,Americas,1 +salsalabs.net,salsalabs.net,inbound,019,Americas,0 +samashmusic.com,wc09.net,inbound,019,Americas,0 +samsclub.com,m0.net,inbound,019,Americas,0 +sans.org,sans.org,inbound,019,Americas,0.497629 +santander.cl,santander.cl,inbound,019,Americas,0.999992 +santander.cl,santandersantiago.cl,inbound,019,Americas,1 +sassieshop.com,sassieshop.com,inbound,019,Americas,0.025887 +savelivefresh.com,livesavemail.com,inbound,019,Americas,1 +savingstar.com,savingstar.com,inbound,019,Americas,1 +sbcglobal.net,yahoo.{...},inbound,019,Americas,1 +sbcglobal.net,yahoodns.net,outbound,019,Americas,1 +sc.com,messagelabs.com,inbound,019,Americas,0.996156 +schwab.com,schwab.com,inbound,019,Americas,0.025055 +seaworld.com,seaworld.com,inbound,019,Americas,0 +securence.com,securence.com,inbound,019,Americas,0.670246 +secureserver.net,secureserver.net,inbound,019,Americas,4.4e-05 +seekingalpha.com,seekingalpha.com,inbound,019,Americas,1 +seekingalpha.com,sendgrid.net,inbound,019,Americas,1 +senate.gov,senate.gov,inbound,019,Americas,0.992994 +sendearnings.com,sendearnings.com,inbound,019,Americas,0 +sendgrid.info,sendgrid.net,inbound,019,Americas,1 +sendgrid.me,sendgrid.net,inbound,019,Americas,1 +sendlane.com,sendlane.com,inbound,019,Americas,0 +serpadres.es,chtah.net,inbound,019,Americas,0 +service-now.com,postini.com,inbound,019,Americas,0.9858 +service-now.com,service-now.com,inbound,019,Americas,0.998562 +sfimg.com,sfimarketing.com,inbound,019,Americas,0 +sfly.com,shutterfly.com,inbound,019,Americas,0 +shaadi.com,shaadi.com,inbound,019,Americas,0.00037 +shadowshopper.com,shadowshopper.com,inbound,019,Americas,5.6e-05 +shaw.ca,shaw.ca,inbound,019,Americas,0 +shaw.ca,shaw.ca,outbound,019,Americas,1 +sheplers.com,sheplers.com,inbound,019,Americas,0 +shiftplanning.com,shiftplanning.com,inbound,019,Americas,0 +shiksha.com,shiksha.com,inbound,019,Americas,0 +shoedazzle.com,shoedazzle.com,inbound,019,Americas,0 +shoes.com,famousfootwear.com,inbound,019,Americas,0 +shopbonton.com,shopbonton.com,inbound,019,Americas,0 +shopcluesemail.com,shopcluesemail.com,inbound,019,Americas,0 +shopcluesmail.com,shopcluesmail.com,inbound,019,Americas,0 +shophq.com,shophq.com,inbound,019,Americas,0 +shopkick.com,shopkick.com,inbound,019,Americas,0 +shopko.com,shopko.com,inbound,019,Americas,0 +shoppersoptimum.ca,thindata.net,inbound,019,Americas,0 +shoptime.com,shoptime.com,inbound,019,Americas,0 +shtyle.fm,shtyle.fm,inbound,019,Americas,0 +sierratradingpost.com,sierratradingpost.com,inbound,019,Americas,0.000885 +sigmabeauty.com,lstrk.net,inbound,019,Americas,1 +sii.cl,sii.cl,inbound,019,Americas,0 +simplyhired.com,simplyhired.com,inbound,019,Americas,0 +siriusxm.com,xmradio.com,inbound,019,Americas,0 +sitecore-mailer.com,sendlabs.com,inbound,019,Americas,0 +sittercity.com,sittercity.com,inbound,019,Americas,0 +sixflags.com,sixflags.com,inbound,019,Americas,0 +skillpages-mailer.com,sendlabs.com,inbound,019,Americas,0 +skillpages-mailer.com,skillpagesmail.com,inbound,019,Americas,0 +sky.com,sky.com,inbound,019,Americas,0 +skype.com,delivery.net,inbound,019,Americas,0 +sld.cu,sld.cu,inbound,019,Americas,1 +slidesharemail.com,newslettergrid.com,inbound,019,Americas,1 +slidesharemail.com,slidesharemail.com,inbound,019,Americas,1 +smartbrief.com,smartbrief.com,inbound,019,Americas,0 +smartdraw.com,smartdraw.com,inbound,019,Americas,0 +smartertravel.com,smartertravelmedia.com,inbound,019,Americas,0.021434 +smartphoneexperts.com,mailgun.net,inbound,019,Americas,1 +snapretail.com,snapretail.com,inbound,019,Americas,1 +socialappsmail.com,socialappsmail.com,inbound,019,Americas,1 +solesociety.com,bronto.com,inbound,019,Americas,0 +solosenders.com,megasenders.com,inbound,019,Americas,8.2e-05 +solosenders.com,traxweb.org,inbound,019,Americas,0 +soma.com,soma.com,inbound,019,Americas,0 +someecards.com,someecards.com,inbound,019,Americas,0 +songkick.com,songkick.com,inbound,019,Americas,1 +sony-latin.com,sony-latin.com,inbound,019,Americas,0.01735 +sonyentertainmentnetwork.com,sonyentertainmentnetwork.com,inbound,019,Americas,0 +sourceforge.net,sourceforge.net,inbound,019,Americas,1 +southwest.com,southwest.com,inbound,019,Americas,0 +sp.gov.br,sp.gov.br,inbound,019,Americas,0.496357 +sparkpeople.com,sparkpeople.com,inbound,019,Americas,0 +spectersoft.com,spectersoft.com,inbound,019,Americas,0 +spencersonline.com,spencersonline.com,inbound,019,Americas,0 +spiritairlines.com,ctd004.net,inbound,019,Americas,0 +spiritairlines.com,ctd005.net,inbound,019,Americas,0 +splitwise.com,splitwise.com,inbound,019,Americas,1 +sportlobster.com,sportlobster.com,inbound,019,Americas,1 +sportsdirect.com,sportsdirect.com,inbound,019,Americas,0 +sportsline.com,cbsig.net,inbound,019,Americas,1 +sportsmansguide.com,sportsmansguide.com,inbound,019,Americas,0.736903 +sprint.com,m0.net,inbound,019,Americas,0 +squareup.com,squareup.com,inbound,019,Americas,0.986452 +stanford.edu,highwire.org,inbound,019,Americas,1 +stanford.edu,stanford.edu,inbound,019,Americas,0.93025 +stansberryresearch.com,stansberryresearch.com,inbound,019,Americas,0.001541 +staples.com,staples.com,inbound,019,Americas,0.006379 +starbucks.com,starbucks.com,inbound,019,Americas,0 +stardockcorporation.com,stardockcorporation.com,inbound,019,Americas,0 +stardockentertainment.info,stardockentertainment.info,inbound,019,Americas,0 +startribune.com,startribune.com,inbound,019,Americas,0.001728 +startwire.com,jobsreport.com,inbound,019,Americas,1 +startwire.com,startwire.com,inbound,019,Americas,1 +state.gov,state.gov,inbound,019,Americas,0 +statefarm.com,statefarm.com,inbound,019,Americas,1 +steinmart.com,steinmart.com,inbound,019,Americas,0 +stevemadden.com,stevemadden.com,inbound,019,Americas,0 +streetauthoritydaily.com,streetauthoritydaily.com,inbound,019,Americas,0 +stumblemail.com,stumblemail.com,inbound,019,Americas,1 +suafaturanet.com.br,suafaturanet.com.br,inbound,019,Americas,0.995846 +subscribermail.com,subscribermail.com,inbound,019,Americas,0 +sungard.com,postini.com,inbound,019,Americas,0.498265 +sunwingvacationinfo.ca,sunwingvacationinfo.ca,inbound,019,Americas,1 +superbalist.com,sailthru.com,inbound,019,Americas,0 +supersafemailer.com,zoothost.com,inbound,019,Americas,0 +supremelist.com,onlinehome-server.com,inbound,019,Americas,1 +surlatable.com,surlatable.com,inbound,019,Americas,0 +surveyjobopportunities.com,surveyjobopportunities.com,inbound,019,Americas,3.7e-05 +surveymonkey.com,surveymonkey.com,inbound,019,Americas,0 +surveysavvy.com,surveysavvy.com,inbound,019,Americas,0 +sylectus.com,sylectus.com,inbound,019,Americas,0.361297 +sympatico.ca,hotmail.{...},outbound,019,Americas,1 +taggedmail.com,taggedmail.com,inbound,019,Americas,0 +tamu.edu,tamu.edu,inbound,019,Americas,0.249876 +tangeroutletsusa.com,bronto.com,inbound,019,Americas,0 +target-safelist.com,safelistpro.com,inbound,019,Americas,0.000215 +targetproblaster.com,targetproblaster.com,inbound,019,Americas,0 +targetx.com,targetx.com,inbound,019,Americas,0 +tarot.com,tarot.com,inbound,019,Americas,0 +tastefullysimpleparty.com,bigfootinteractive.com,inbound,019,Americas,0 +tastingtable.com,tastingtable.com,inbound,019,Americas,0 +taxi4sure.net,infimail.com,inbound,019,Americas,0 +teach12.net,teach12.net,inbound,019,Americas,0 +techtarget.com,techtarget.com,inbound,019,Americas,0.001771 +telus.net,telus.net,inbound,019,Americas,0.006226 +ten24mail.com,ten24mail.com,inbound,019,Americas,0 +terra.com,terra.com,inbound,019,Americas,0.000463 +terra.com.br,terra.com,inbound,019,Americas,0 +terra.com.br,terra.com,outbound,019,Americas,0 +tesco.com,tesco.com,inbound,019,Americas,0 +testfunda.com,testfunda.com,inbound,019,Americas,0 +textnow.me,textnow.me,inbound,019,Americas,0 +tgw.com,tgw.com,inbound,019,Americas,0 +theanimalrescuesite.com,theanimalrescuesite.com,inbound,019,Americas,0 +theatermania.com,wc09.net,inbound,019,Americas,0 +thebay.com,thebay.com,inbound,019,Americas,0 +thegrommet.com,lstrk.net,inbound,019,Americas,1 +thehut.com,thehut.com,inbound,019,Americas,0 +thelimited.com,thelimited.com,inbound,019,Americas,0 +themailbagsafelist.com,thomas-j-brown.com,inbound,019,Americas,0 +theoutnet.com,theoutnet.com,inbound,019,Americas,0 +theskimm.com,theskimm.com,inbound,019,Americas,0 +thesovereigninvestor.com,sovereignsociety.com,inbound,019,Americas,0 +thirtyonegifts.com,thirtyonegifts.com,inbound,019,Americas,0 +thoughtful-mind.com,thoughtful-mind.com,inbound,019,Americas,0 +thumbtack.com,thumbtack.com,inbound,019,Americas,1 +ticketmaster.com,ticketmaster.com,inbound,019,Americas,0.769059 +tmart.com,chtah.net,inbound,019,Americas,0 +tmp.com,tmpw.com,inbound,019,Americas,0 +toluna.com,toluna.com,inbound,019,Americas,0 +tomtommailer.com,tomtommailer.com,inbound,019,Americas,0 +topspin.net,topspin.net,inbound,019,Americas,1 +totaljobsmail.co.uk,totaljobsmail.co.uk,inbound,019,Americas,0 +touchbase2.com,infimail.com,inbound,019,Americas,0 +touchbase2.com,mailurja.com,inbound,019,Americas,0 +touchbasepro.com,touchbasepro.com,inbound,019,Americas,0 +townhallmail.com,townhallmail.com,inbound,019,Americas,0 +townsquaremedia.info,sailthru.com,inbound,019,Americas,0 +toysrus.com,epsl1.com,inbound,019,Americas,0 +trafficboostermailer.com,trafficboostermailer.com,inbound,019,Americas,1 +trafficleads2incomevm.com,zoothost.com,inbound,019,Americas,0 +trafficprolist.com,thomas-j-brown.com,inbound,019,Americas,0 +trialsmith.com,membercentral.com,inbound,019,Americas,0 +tricaemidia.com.br,tricaemidia.com.br,inbound,019,Americas,0 +tripit.com,tripit.com,inbound,019,Americas,0 +tuesdaymorningmail.com,tuesdaymorningmail.com,inbound,019,Americas,0 +tumblr.com,tumblr.com,inbound,019,Americas,1 +twitch.tv,justin.tv,inbound,019,Americas,0 +uber.com,uber.com,inbound,019,Americas,1 +ubi.com,ubi.com,inbound,019,Americas,0 +ubivox.com,ubivox.com,inbound,019,Americas,0.935106 +ucla.edu,ucla.edu,inbound,019,Americas,0.806204 +uhaul.com,uhaul.com,inbound,019,Americas,0.997947 +uiuc.edu,illinois.edu,inbound,019,Americas,0.999815 +ultimateadsites.net,ultimateadsites.net,inbound,019,Americas,1 +umd.edu,umd.edu,inbound,019,Americas,0.021709 +umn.edu,umn.edu,inbound,019,Americas,0.966964 +umpiredigital.com,inboxmarketer.com,inbound,019,Americas,0 +united.com,coair.com,inbound,019,Americas,1 +united.com,united.com,inbound,019,Americas,0 +universalorlando.com,universalorlando.com,inbound,019,Americas,0 +unrollmail.com,unrollmail.com,inbound,019,Americas,1 +uol.com.br,uol.com.br,inbound,019,Americas,0 +uol.com.br,uol.com.br,outbound,019,Americas,0 +upenn.edu,upenn.edu,inbound,019,Americas,0.16521 +upromise.com,delivery.net,inbound,019,Americas,0 +ups.com,ups.com,inbound,019,Americas,0.997955 +urbanoutfitters.com,freepeople.com,inbound,019,Americas,0 +usaa.com,usaa.com,inbound,019,Americas,0.072606 +usafisnews.org,usafisnews.org,inbound,019,Americas,0 +usajobs.gov,opm.gov,inbound,019,Americas,0.931948 +usc.edu,usc.edu,inbound,019,Americas,0.300314 +uscourts.gov,uscourts.gov,inbound,019,Americas,0 +uslargestsafelist.com,zoothost.com,inbound,019,Americas,0 +usndr.com,unisender.com,inbound,019,Americas,1 +usp.br,usp.br,inbound,019,Americas,0.044595 +usps.com,usps.gov,inbound,019,Americas,0.909591 +usps.gov,usps.gov,inbound,019,Americas,0.940315 +ustream.tv,mailgun.net,inbound,019,Americas,1 +ustream.tv,mailgun.us,inbound,019,Americas,1 +utfsm.cl,utfsm.cl,inbound,019,Americas,0.000352 +vacationstogo.com,vacationstogo.com,inbound,019,Americas,0 +vagas.com.br,vagas.com.br,inbound,019,Americas,0 +valuedopinions.co.uk,researchnow-usa.com,inbound,019,Americas,1 +vanheusenrewards.com,vanheusenrewards.com,inbound,019,Americas,0 +velocityfrequentflyer.com,virginaustralia.com,inbound,019,Americas,0 +vente-exclusive.com,vente-exclusive.com,inbound,019,Americas,0 +venusswimwear.net,venusswimwear.net,inbound,019,Americas,0 +verabradleymail.com,verabradleymail.com,inbound,019,Americas,0 +verizon.net,verizon.net,inbound,019,Americas,0.00713 +verizon.net,verizon.net,outbound,019,Americas,0 +verizonwireless.com,verizonwireless.com,inbound,019,Americas,0.972245 +vhmnetworkemail.com,jobdiagnosis.com,inbound,019,Americas,0 +viagogo.com,chtah.net,inbound,019,Americas,0 +viajanet.com.br,viajanet.com.br,inbound,019,Americas,0 +victoriassecret.com,victoriassecret.com,inbound,019,Americas,0 +videotron.ca,videotron.ca,inbound,019,Americas,0.005886 +vikingrivercruises.com,bfi0.com,inbound,019,Americas,0 +vimeo.com,vimeo.com,inbound,019,Americas,0 +vindale.com,vindale.com,inbound,019,Americas,0 +vipvoice.com,npdor.com,inbound,019,Americas,0 +viraladmagnet.com,viraladmagnet.com,inbound,019,Americas,1 +virginia.edu,virginia.edu,inbound,019,Americas,0.055153 +virtualtarget.com.br,virtualtarget.com.br,inbound,019,Americas,0 +vitacost.com,vitacost.com,inbound,019,Americas,0 +vitaladviews.com,zoothost.com,inbound,019,Americas,0 +vivastreet.com,viwii.net,inbound,019,Americas,0 +votervoice.net,votervoice.net,inbound,019,Americas,0 +vresp.com,verticalresponse.com,inbound,019,Americas,0 +vt.edu,vt.edu,inbound,019,Americas,0.978548 +vtext.com,vtext.com,inbound,019,Americas,0 +vtext.com,vtext.com,outbound,019,Americas,1 +vuezone.com,vuezone.com,inbound,019,Americas,0 +vzwpix.com,vtext.com,inbound,019,Americas,0 +wagjag.com,wagjag.com,inbound,019,Americas,0 +walgreens.com,walgreens.com,inbound,019,Americas,0.006128 +wallst.com,wallst.com,inbound,019,Americas,0 +wallstreetdaily.com,wallstreetdaily.com,inbound,019,Americas,0 +waterstones.com,waterstones.com,inbound,019,Americas,0 +wattpad.com,wattpad.com,inbound,019,Americas,1 +way2movies.net,way2movies.net,inbound,019,Americas,0 +wayfair.com,csnstores.com,inbound,019,Americas,0 +webs.com,epsl1.com,inbound,019,Americas,0 +websaver.ca,websaver.ca,inbound,019,Americas,0 +websitesettings.com,stabletransit.com,inbound,019,Americas,0 +websitewelcome.com,websitewelcome.com,inbound,019,Americas,1 +webstars2k.com,webstars2k.com,inbound,019,Americas,1 +weebly.com,weeblymail.com,inbound,019,Americas,0 +wellsfargo.com,wellsfargo.com,inbound,019,Americas,1.0 +wellsfargoadvisors.com,wellsfargo.com,inbound,019,Americas,1 +westelm.com,westelm.com,inbound,019,Americas,0 +westmarine.com,westmarine.com,inbound,019,Americas,0 +wetransfer.com,wetransfer.com,inbound,019,Americas,1 +wetsealnewsletter.com,wetsealnewsletter.com,inbound,019,Americas,0 +whatcounts.com,wc09.net,inbound,019,Americas,0 +whentowork.com,whentowork.com,inbound,019,Americas,0 +wikia.com,wikia.com,inbound,019,Americas,1 +williams-sonoma.com,williams-sonoma.com,inbound,019,Americas,0 +windstream.net,windstream.net,inbound,019,Americas,0.002172 +wine.com,wine.com,inbound,019,Americas,0 +winkalmail.com,fnbox.com,inbound,019,Americas,0 +wisdomitservices.com,infimail.com,inbound,019,Americas,0 +wldemail-mailer.com,wldemail.com,inbound,019,Americas,0 +womanwithin.com,womanwithin.com,inbound,019,Americas,0 +woodforest.com,woodforest.com,inbound,019,Americas,1 +workingincanada.gc.ca,sdc-dsc.gc.ca,inbound,019,Americas,0 +worldsingles.co,worldsingles.com,inbound,019,Americas,0 +wotif.com,whatcounts.com,inbound,019,Americas,0 +wp.com,wordpress.com,inbound,019,Americas,0 +wuaki.tv,chtah.net,inbound,019,Americas,0 +wustl.edu,app-info.net,inbound,019,Americas,0 +wwe.com,wwe.com,inbound,019,Americas,8e-06 +xen.org,xen.org,inbound,019,Americas,1 +xmeeting.com,xmeeting.com,inbound,019,Americas,1 +xmr3.com,messagereach.com,inbound,019,Americas,0.999933 +xoom.com,xoom.com,inbound,019,Americas,0 +xpnews.com.br,xpnews.com.br,inbound,019,Americas,1 +yahoo.{...},postini.com,inbound,019,Americas,0.664066 +yahoo.{...},yahoo.{...},inbound,019,Americas,0.999 +yahoo.{...},yahoodns.net,outbound,019,Americas,1 +yelp.com,yelpcorp.com,inbound,019,Americas,0 +yipit.com,yipit.com,inbound,019,Americas,1 +ymail.com,yahoo.{...},inbound,019,Americas,1 +ymail.com,yahoodns.net,outbound,019,Americas,1 +yoox.com,yoox.com,inbound,019,Americas,0 +youmail.com,youmail.com,inbound,019,Americas,0 +youreletters3.com,equitymaster.com,inbound,019,Americas,0 +yourezads.com,yourezads.com,inbound,019,Americas,0.002974 +yourezlist.com,simplicityads.com,inbound,019,Americas,9.5e-05 +yourhostingaccount.com,yourhostingaccount.com,inbound,019,Americas,0 +youversion.com,youversion.com,inbound,019,Americas,1 +zacks.com,zacks.com,inbound,019,Americas,0.999687 +zara.com,cheetahmail.com,inbound,019,Americas,0 +zendesk.com,zdsys.com,inbound,019,Americas,1 +zgalleriestyle.com,zgalleriestyle.com,inbound,019,Americas,0 +zibmail.info,zibmail.info,inbound,019,Americas,9e-06 +zinio.com,zinio.com,inbound,019,Americas,0 +zipalerts.com,zipalerts.com,inbound,019,Americas,1 +ziprealty.com,ziprealty.com,inbound,019,Americas,0.994545 +ziprecruiter.com,ziprecruiter.com,inbound,019,Americas,1 +zivamewear.com,infimail.com,inbound,019,Americas,0 +zoothost.com,zoothost.com,inbound,019,Americas,0.107168 +zorpia.com,zorpia.com,inbound,019,Americas,1 +zulily.com,zulily.com,inbound,019,Americas,0 +zzounds.com,zzounds.com,inbound,019,Americas,0 +0101.co.jp,0101.co.jp,inbound,142,Asia,0 +04auto.biz,01auto.biz,inbound,142,Asia,0 +123.com.tw,123.com.tw,inbound,142,Asia,0 +160by2.us,160by2.us,inbound,142,Asia,0 +163.com,163.com,inbound,142,Asia,0.534088 +163.com,netease.com,outbound,142,Asia,1 +17life.com.tw,17life.com.tw,inbound,142,Asia,0 +1lejend.com,asumeru.com,inbound,142,Asia,0 +1lejend.com,asumeru001.com,inbound,142,Asia,0 +33go.com.tw,33go.com.tw,inbound,142,Asia,0 +518.com.tw,518.com.tw,inbound,142,Asia,0 +7net.com.tw,7net.com.tw,inbound,142,Asia,0 +ab0.jp,altovision.co.jp,inbound,142,Asia,0 +activetrail.com,atmailsvr.net,inbound,142,Asia,0 +activetrail.com,mymarketing.co.il,inbound,142,Asia,0 +adchiever.com,kinder-rash-marketing.com,inbound,142,Asia,0 +adityabirla.com,adityabirla.com,inbound,142,Asia,0.00615 +agora.co.il,1host.co.il,inbound,142,Asia,0 +airtel.com,airtel.in,inbound,142,Asia,0.064377 +alertsindia.in,alertsindia.in,inbound,142,Asia,1 +alibaba.com,alibaba.com,inbound,142,Asia,0 +aliexpress.com,alibaba.com,inbound,142,Asia,0 +alipay.com,alipay.com,inbound,142,Asia,1 +alljob.co.il,alljob.co.il,inbound,142,Asia,0 +amazon.{...},amazon.{...},inbound,142,Asia,0 +ana.co.jp,ana.co.jp,inbound,142,Asia,0.534416 +anghami.com,mailgun.net,inbound,142,Asia,1 +apple.com,apple.com,inbound,142,Asia,0.999817 +artscow.com,dyxnet.com,inbound,142,Asia,0.000355 +asus.com,asus.com,inbound,142,Asia,0 +baycrews.co.jp,webcas.net,inbound,142,Asia,0 +beamtele.com,beamtele.com,inbound,142,Asia,0 +beanfun.com,beanfun.com,inbound,142,Asia,1 +belluna.net,belluna.net,inbound,142,Asia,0 +betrend.com,betrend.com,inbound,142,Asia,0 +bharatmatrimony.com,bharatmatrimony.com,inbound,142,Asia,1 +blayn.jp,bserver.jp,inbound,142,Asia,0 +bme.jp,bserver.jp,inbound,142,Asia,0 +bookoffonline.co.jp,bookoffonline.co.jp,inbound,142,Asia,0 +brands4friends.jp,webcas.net,inbound,142,Asia,0 +brandsfever.com,mailgun.net,inbound,142,Asia,1 +buyma.com,buyma.com,inbound,142,Asia,0 +cam2life.com,hinet.net,inbound,142,Asia,0 +camsonline.com,camsonline.com,inbound,142,Asia,0.136261 +careesma.in,careesma.in,inbound,142,Asia,0 +ccavenue.com,avenues.info,inbound,142,Asia,1 +chance.com,data-hotel.net,inbound,142,Asia,0 +chiangcn.com,chiangcn.com,inbound,142,Asia,0 +chinatrust.com.tw,chinatrust.com.tw,inbound,142,Asia,0.001272 +cityheaven.net,cityheaven.net,inbound,142,Asia,0 +clickmailer.jp,clickmailer.jp,inbound,142,Asia,9e-05 +cocacola.co.jp,cocacola.co.jp,inbound,142,Asia,0 +combzmail.jp,combzmail.jp,inbound,142,Asia,0 +communitymatrimony.com,communitymatrimony.com,inbound,142,Asia,1 +conrepmail.com,conrepmail.com,inbound,142,Asia,0 +cookpad.com,cookpad.com,inbound,142,Asia,0 +cpc.gov.in,cpc.gov.in,inbound,142,Asia,0 +crmstyle.com,crmstyle.com,inbound,142,Asia,0 +crocos.jp,crocos.jp,inbound,142,Asia,0 +ctrip.com,ctrip.com,inbound,142,Asia,0.019448 +cuenote.jp,cuenote.jp,inbound,142,Asia,0 +cw.com.tw,cw.com.tw,inbound,142,Asia,0.002535 +cyberlinkmember.com,cyberlinkmember.com,inbound,142,Asia,0 +dena.ne.jp,dena.ne.jp,inbound,142,Asia,0.000249 +dietnavi.com,data-hotel.net,inbound,142,Asia,0 +dip-net.co.jp,dip-net.co.jp,inbound,142,Asia,0 +directresponsemanager.com,wide.ne.jp,inbound,142,Asia,0 +disc.co.jp,disc.co.jp,inbound,142,Asia,0.001051 +dishtv.co.in,dishtv.co.in,inbound,142,Asia,0.047664 +disqus.net,disqus.net,inbound,142,Asia,0 +dks.com.tw,dks.com.tw,inbound,142,Asia,0.018134 +dmm.com,dmm.com,inbound,142,Asia,0 +docomo.ne.jp,docomo.ne.jp,inbound,142,Asia,0 +docomo.ne.jp,docomo.ne.jp,outbound,142,Asia,0 +dreammail.ne.jp,dreammail.jp,inbound,142,Asia,0 +drushim.co.il,drushim.co.il,inbound,142,Asia,0 +dstyleweb.com,dstyleweb.com,inbound,142,Asia,0.001099 +ec21.com,ec21.com,inbound,142,Asia,0.002263 +ecnavi.jp,ecnavi.jp,inbound,142,Asia,0 +en-japan.com,en-japan.com,inbound,142,Asia,0.000204 +eonet.ne.jp,eonet.ne.jp,inbound,142,Asia,0.99955 +epaper.com.tw,epaper.com.tw,inbound,142,Asia,0 +eplus.jp,eplus.jp,inbound,142,Asia,0 +eslitebooks.com,eslitebooks.com,inbound,142,Asia,0 +euromsg.net,euromsg.net,inbound,142,Asia,0 +evaair.com,evaair.com,inbound,142,Asia,0.007363 +ezweb.ne.jp,ezweb.ne.jp,inbound,142,Asia,0.282076 +ezweb.ne.jp,ezweb.ne.jp,outbound,142,Asia,0 +farmersonly.com,mailgun.net,inbound,142,Asia,1 +felissimo.jp,felissimo.jp,inbound,142,Asia,0 +finansbank.com.tr,finansbank.com.tr,inbound,142,Asia,0.927 +fmworld.net,fmworld.net,inbound,142,Asia,0 +fofa.jp,mpme.jp,inbound,142,Asia,0 +freeml.com,gmo-media.jp,inbound,142,Asia,0 +ftchinese.com,ftchinese.com,inbound,142,Asia,0 +fubonshop.com,fubonshop.com,inbound,142,Asia,0 +gamecity.ne.jp,gamecity.ne.jp,inbound,142,Asia,0 +garanti.com.tr,garanti.com.tr,inbound,142,Asia,0.421936 +gilt.jp,gilt.jp,inbound,142,Asia,0 +globalsources.com,globalsources.com,inbound,142,Asia,0.003024 +globetel.com.ph,globetel.com.ph,inbound,142,Asia,1 +gmail.com,asianet.co.th,inbound,142,Asia,0.998511 +gmail.com,au-net.ne.jp,inbound,142,Asia,1 +gmail.com,bbtec.net,inbound,142,Asia,1 +gmail.com,data-hotel.net,inbound,142,Asia,0.000607 +gmail.com,hinet.net,inbound,142,Asia,0.973114 +gmail.com,mtnl.net.in,inbound,142,Asia,0.999527 +gmail.com,netvigator.com,inbound,142,Asia,0.818263 +gmail.com,ocn.ne.jp,inbound,142,Asia,0.99466 +gmail.com,panda-world.ne.jp,inbound,142,Asia,1 +gmail.com,seed.net.tw,inbound,142,Asia,0.992252 +gmail.com,singnet.com.sg,inbound,142,Asia,0.968389 +gmail.com,totbb.net,inbound,142,Asia,0.999876 +gmo.jp,gmo-media.jp,inbound,142,Asia,0 +gmoes.jp,gmoes.jp,inbound,142,Asia,0 +gmt.ne.jp,gmt.ne.jp,inbound,142,Asia,0 +gnavi.co.jp,gnavi.co.jp,inbound,142,Asia,0.002441 +gomaji.com,gomaji.com,inbound,142,Asia,0 +gree.jp,gree.jp,inbound,142,Asia,0 +groupon.{...},groupon.{...},inbound,142,Asia,0 +gunosy.com,gunosy.com,inbound,142,Asia,0.998682 +gurunavi.jp,gurunavi.jp,inbound,142,Asia,0 +hdfcbank.com,powerelay.com,inbound,142,Asia,1 +hdfcbank.net,powerelay.com,inbound,142,Asia,1 +hdfcbank.net,quickvmail.com,inbound,142,Asia,0 +heteml.jp,heteml.jp,inbound,142,Asia,0.950296 +hinet.net,hinet.net,inbound,142,Asia,0.007064 +hinet.net,hinet.net,outbound,142,Asia,0.00565 +home.ne.jp,zaq.ne.jp,inbound,142,Asia,9e-06 +i-part.com.tw,i-part.com.tw,inbound,142,Asia,0.001865 +ibps.in,sify.net,inbound,142,Asia,0 +ibpsorg.org,sify.net,inbound,142,Asia,0 +icicibank.com,icicibank.com,inbound,142,Asia,0.009835 +icicisecurities.com,icicibank.com,inbound,142,Asia,0.000803 +icloud.com,apple.com,inbound,142,Asia,1 +imi.ne.jp,lifemedia.jp,inbound,142,Asia,0 +indiaproperty.com,indiaproperty.com,inbound,142,Asia,0 +intage.co.jp,intage.co.jp,inbound,142,Asia,0.00557 +intuit.com,intuit.com,inbound,142,Asia,0.983698 +isbank.com.tr,isbank.com.tr,inbound,142,Asia,0.009655 +itsmyascent.com,itsmyascent.com,inbound,142,Asia,0 +itunes.com,apple.com,inbound,142,Asia,1 +jcity.com,jcity.com,inbound,142,Asia,0 +jobinthailand.com,jobinthailand.com,inbound,142,Asia,1 +jobmaster.co.il,jobmaster1.co.il,inbound,142,Asia,0 +jobsdbalert.co.id,jobsdbalert.co.id,inbound,142,Asia,0 +jobsdbalert.com,jobsdbalert.com,inbound,142,Asia,0 +jobsdbalert.com.hk,jobsdbalert.com.hk,inbound,142,Asia,0 +jobsdbalert.com.sg,jobsdbalert.com.sg,inbound,142,Asia,0 +jobstreet.com,jobstreet.com,inbound,142,Asia,0 +joshin.co.jp,joshin.co.jp,inbound,142,Asia,8e-06 +kagoya.net,kagoya.net,inbound,142,Asia,0.013052 +karvy.com,karvy.com,inbound,142,Asia,0.045186 +kasikornbank.com,kasikornbank.com,inbound,142,Asia,0 +kotak.com,kotak.com,inbound,142,Asia,0.005566 +krs.bz,tricorn.net,inbound,142,Asia,0 +kvbmail.com,kvbmail.com,inbound,142,Asia,0 +lancers.jp,lancers.jp,inbound,142,Asia,0 +lelong.my,lelong.com.my,inbound,142,Asia,1 +lelong.my,lelong.net.my,inbound,142,Asia,1 +line.me,naver.com,inbound,142,Asia,1 +livedoor.com,livedoor.com,inbound,142,Asia,0 +luxa.jp,luxa.jp,inbound,142,Asia,0 +m3.com,m3.com,inbound,142,Asia,0 +mag2.com,tandem-m.com,inbound,142,Asia,0 +magicbricks.com,tbsl.in,inbound,142,Asia,0 +mail-boss.com,mail-boss.com,inbound,142,Asia,0 +mailgun.org,mailgun.net,inbound,142,Asia,1 +mbga.jp,mbga.jp,inbound,142,Asia,0 +mixi.jp,mixi.jp,inbound,142,Asia,0 +mmagic.jp,mmagic.jp,inbound,142,Asia,0.000531 +mobile01.com,mobile01.com,inbound,142,Asia,0 +monex.co.jp,monex.co.jp,inbound,142,Asia,0.019424 +moneycontrol.com,active18.com,inbound,142,Asia,0 +moneyforward.com,moneyforward.com,inbound,142,Asia,0 +monipla.jp,aainc.co.jp,inbound,142,Asia,0 +monster.co.in,monster.co.in,inbound,142,Asia,0 +morhipo.com,euromsg.net,inbound,142,Asia,0 +mpme.jp,mpme.jp,inbound,142,Asia,0 +mpse.jp,emsaqua.jp,inbound,142,Asia,0 +mpse.jp,emsbeige.jp,inbound,142,Asia,0 +mpse.jp,emsbrown.jp,inbound,142,Asia,0 +mpse.jp,emscyan.jp,inbound,142,Asia,0 +mpse.jp,emsgold.jp,inbound,142,Asia,0 +mpse.jp,emslime.jp,inbound,142,Asia,0 +mpse.jp,emsnavy.jp,inbound,142,Asia,0 +mpse.jp,emspink.jp,inbound,142,Asia,0 +mpse.jp,emssnow.jp,inbound,142,Asia,0 +mpse.jp,mpme.jp,inbound,142,Asia,0 +mpse.jp,yahoo.co.jp,inbound,142,Asia,0 +mynavi.jp,mynavi.jp,inbound,142,Asia,3.5e-05 +naver.com,naver.com,inbound,142,Asia,1 +naver.com,naver.com,outbound,142,Asia,1 +nesinemail.com,euromsg.net,inbound,142,Asia,0 +net-survey.jp,net-survey.jp,inbound,142,Asia,0 +netbk.co.jp,netbk.co.jp,inbound,142,Asia,0.010995 +next-engine.org,next-engine.org,inbound,142,Asia,1 +nextdoor.com,nextdoor.com,inbound,142,Asia,1 +nic.in,relayout.nic.in,inbound,142,Asia,0 +nicovideo.jp,nicovideo.jp,inbound,142,Asia,0 +nifty.com,nifty.com,inbound,142,Asia,0.762068 +nikkei.com,nikkei.co.jp,inbound,142,Asia,0 +nikkeibp.co.jp,nikkeibp.co.jp,inbound,142,Asia,4.9e-05 +nissen.jp,nissen.jp,inbound,142,Asia,0 +ocn.ad.jp,ocn.ad.jp,inbound,142,Asia,0 +ocn.ne.jp,ocn.ad.jp,inbound,142,Asia,0 +p-world.co.jp,p-world.co.jp,inbound,142,Asia,0 +panasonic.jp,panasonic.jp,inbound,142,Asia,0 +pepabo.com,pepabo.com,inbound,142,Asia,0 +pia.jp,pia.jp,inbound,142,Asia,0 +playstation.com,playstation.com,inbound,142,Asia,0 +pointtown.com,gmo-media.jp,inbound,142,Asia,0 +pttplc.com,pttgrp.com,inbound,142,Asia,0 +publicators.com,publicators.com,inbound,142,Asia,0 +qoo10.jp,qoo10.jp,inbound,142,Asia,0 +qq.com,qq.com,inbound,142,Asia,0.999973 +quickbooks.com,intuit.com,inbound,142,Asia,0.99908 +rakuten.co.jp,rakuten.co.jp,inbound,142,Asia,0 +rakuten.co.jp,yahoo.co.jp,inbound,142,Asia,0 +rakuten.ne.jp,rakuten.co.jp,inbound,142,Asia,0 +realus.co.jp,realus.co.jp,inbound,142,Asia,0 +recochoku.jp,recochoku.jp,inbound,142,Asia,0 +rediffmail.com,akadns.net,outbound,142,Asia,0 +rediffmail.com,rediffmail.com,inbound,142,Asia,0 +relianceada.com,relianceada.com,inbound,142,Asia,0.276515 +research-panel.jp,research-panel.jp,inbound,142,Asia,0 +responder.co.il,responder.co.il,inbound,142,Asia,1 +runnet.jp,runnet.jp,inbound,142,Asia,0 +rutenmail.com.tw,rutenmail.com.tw,inbound,142,Asia,0 +sahibinden.com,sahibinden.com,inbound,142,Asia,0 +saisoncard.co.jp,saisoncard.co.jp,inbound,142,Asia,0 +sakura.ne.jp,sakura.ne.jp,inbound,142,Asia,0.673305 +samsung.com,samsung.com,inbound,142,Asia,0.008685 +saramin.co.kr,saramin.co.kr,inbound,142,Asia,0 +sbi.co.in,sbi.co.in,inbound,142,Asia,0 +sbr-inc.co.jp,hdemail.jp,inbound,142,Asia,0 +sc.com,sc.com,inbound,142,Asia,0.99683 +secure.ne.jp,secure.ne.jp,inbound,142,Asia,3.7e-05 +secureserver.net,secureserver.net,inbound,142,Asia,0.000386 +shinseibank.com,shinseibank.com,inbound,142,Asia,0 +shukatsu.jp,shukatsu.jp,inbound,142,Asia,0 +simplymarry.com,tbsl.in,inbound,142,Asia,0 +smartphoneexperts.com,mailgun.net,inbound,142,Asia,1 +smp.ne.jp,smp.ne.jp,inbound,142,Asia,0 +snapdealmail.in,snapdealmail.in,inbound,142,Asia,0 +sofmap.com,sofmap.com,inbound,142,Asia,0.0092 +softbank.jp,softbank.jp,inbound,142,Asia,0 +sony.jp,sony.jp,inbound,142,Asia,0.000654 +sourcenext.info,sourcenext.info,inbound,142,Asia,0 +surfmandelivery.com,surfmandelivery.com,inbound,142,Asia,0 +synergy360.jp,crmstyle.com,inbound,142,Asia,0 +taipeifubon.com.tw,taipeifubon.com.tw,inbound,142,Asia,0 +techgig.com,tbsl.in,inbound,142,Asia,0 +thinkvidya.com,thinkvidya.com,inbound,142,Asia,0 +ticketmonster.co.kr,ticketmonster.co.kr,inbound,142,Asia,0 +timesjobs.com,tbsl.in,inbound,142,Asia,0 +timesjobsmail.com,tbsl.in,inbound,142,Asia,0 +timesofindia.com,indiatimes.com,inbound,142,Asia,0 +tobizaru.jp,tobizaru.jp,inbound,142,Asia,0 +tocoo.jp,aics.ne.jp,inbound,142,Asia,0 +tower.jp,tower.jp,inbound,142,Asia,0 +treemall.com.tw,symphox.com,inbound,142,Asia,0 +tsite.jp,tsite.jp,inbound,142,Asia,0 +tsutaya.co.jp,tsutaya.co.jp,inbound,142,Asia,0 +turkcell.com.tr,turkcell.com.tr,inbound,142,Asia,0.043492 +type.jp,type.jp,inbound,142,Asia,0 +u-shopping.com.tw,u-shopping.com.tw,inbound,142,Asia,0 +udnpaper.com,udnpaper.com,inbound,142,Asia,0.998858 +udnshopping.com,udnshopping.com,inbound,142,Asia,0 +vodafone.com,vodafone.in,inbound,142,Asia,0.617518 +vpass.ne.jp,clickmailer.jp,inbound,142,Asia,0 +vpcontact.com,vpcontact.com,inbound,142,Asia,0 +way2sms.biz,way2sms.biz,inbound,142,Asia,0 +way2sms.in,way2sms.in,inbound,142,Asia,0 +webcas.net,webcas.net,inbound,142,Asia,0 +wechat.com,qq.com,inbound,142,Asia,1 +www.gov.tw,hinet.net,inbound,142,Asia,8e-05 +yahoo.co.jp,yahoo.co.jp,inbound,142,Asia,8e-06 +yahoo.co.jp,yahoo.co.jp,outbound,142,Asia,0 +yahoo.{...},yahoo.co.jp,inbound,142,Asia,0 +yakala.co,euromsg.net,inbound,142,Asia,0 +yesbank.in,yesbank.in,inbound,142,Asia,0.241591 +yodobashi.com,yodobashi.com,inbound,142,Asia,0 +zizigo.com,euromsg.net,inbound,142,Asia,0 +3suisses.be,3suisses.be,inbound,150,Europe,0 +3suisses.fr,3suisses.fr,inbound,150,Europe,0 +aanotifier.nl,aanotifier.nl,inbound,150,Europe,0 +adidas.com,neolane.net,inbound,150,Europe,0 +admail.hu,sanomaonline.hu,inbound,150,Europe,0 +adsender.us,adsender.us,inbound,150,Europe,0 +adverts.ie,adverts.ie,inbound,150,Europe,1 +advfn.com,advfn.com,inbound,150,Europe,0.635382 +agnitas.de,agnitas.de,inbound,150,Europe,0.999265 +airliquide.com,airliquide.com,inbound,150,Europe,1 +alerteimmo.com,alerteimmo.com,inbound,150,Europe,0 +alinea.fr,bp06.net,inbound,150,Europe,0 +allegro.pl,allegro.pl,inbound,150,Europe,0 +allegroup.hu,allegroup.hu,inbound,150,Europe,0 +alza.cz,alza.cz,inbound,150,Europe,0.039449 +alza.sk,alza.cz,inbound,150,Europe,0.027725 +andrewchristian.com,emv8.com,inbound,150,Europe,0 +anpasia.com,anpasia.com,inbound,150,Europe,0 +aprovaconcursos.com.br,eadunicid.com.br,inbound,150,Europe,0 +aruba.it,aruba.it,inbound,150,Europe,0.055666 +ashampoo.com,ashampoo.com,inbound,150,Europe,1 +aswatson.com,emarsys.net,inbound,150,Europe,0 +avira.com,avira.com,inbound,150,Europe,0.042528 +avito.ru,avito.ru,inbound,150,Europe,0.000631 +badoo.com,monopost.com,inbound,150,Europe,1 +balsamik.fr,balsamik.fr,inbound,150,Europe,0 +bancomer.com,postini.com,inbound,150,Europe,1e-05 +bbvacompass.com,postini.com,inbound,150,Europe,0.997006 +be2.com,nmp1.net,inbound,150,Europe,0 +biglion.ru,biglion.ru,inbound,150,Europe,0.999775 +bigmailsender.com,bigmailsender.com,inbound,150,Europe,0 +bioagri.com.br,postini.com,inbound,150,Europe,0.991765 +biomedcentral.com,emv5.com,inbound,150,Europe,0 +blackberry.com,blackberry.com,inbound,150,Europe,0 +blinkboxmusic.com,mediagraft.com,inbound,150,Europe,1 +blogtrottr.com,blogtrottr.com,inbound,150,Europe,0 +blue-compass.com,blue-compass.com,inbound,150,Europe,0 +bmdeda99.com,bmdeda99.com,inbound,150,Europe,0 +bolsfr.fr,colt.net,inbound,150,Europe,0 +bonuszbrigad.hu,bonuszbrigad.hu,inbound,150,Europe,0 +boohooemail.com,smartfocusdigital.net,inbound,150,Europe,0 +booking.com,booking.com,inbound,150,Europe,1 +bouncemanager.it,musvc.com,inbound,150,Europe,0.362026 +br.com,cmailsys.com,inbound,150,Europe,0 +brandalley.com,brandalley.com,inbound,150,Europe,0 +brands4friends.de,emv5.com,inbound,150,Europe,0 +brandsvillage.net,brandsvillage.net,inbound,150,Europe,0 +bt.com,bt.com,inbound,150,Europe,0.409404 +bweeble.com,adlabsinc.com,inbound,150,Europe,0 +cabestan.com,cab07.net,inbound,150,Europe,0 +cadremploi.fr,cadremploi.fr,inbound,150,Europe,0 +cardsys.at,cardsys.at,inbound,150,Europe,1 +carmamail.com,carmamail.com,inbound,150,Europe,0 +casasbahia.com.br,casasbahia.com.br,inbound,150,Europe,0 +catchoftheday.com.au,inxserver.de,inbound,150,Europe,1 +catererglobal.com,madgexjb.com,inbound,150,Europe,0 +caterermail.com,totaljobsmail.co.uk,inbound,150,Europe,0 +cathkidston.com,cathkidston.co.uk,inbound,150,Europe,0 +cccampaigns.com,emv5.com,inbound,150,Europe,0 +cccampaigns.com,emv8.com,inbound,150,Europe,0 +cccampaigns.net,01net.com,inbound,150,Europe,0 +cccampaigns.net,cccampaigns.net,inbound,150,Europe,0 +cccampaigns.net,emv4.net,inbound,150,Europe,0 +ccmbg.com,benchmark.fr,inbound,150,Europe,0 +cdongroup.com,cdongroup.com,inbound,150,Europe,0.000147 +cheapflights.co.uk,cheapflights.co.uk,inbound,150,Europe,0 +cheapflights.com,cheapflights.com,inbound,150,Europe,0 +chelseafc.com,chelseafc.com,inbound,150,Europe,0.003566 +cinesa.es,cccampaigns.com,inbound,150,Europe,0 +cipherzone.com,infimail.com,inbound,150,Europe,0 +citybrands.hu,webinform.hu,inbound,150,Europe,1 +clickon.com.br,clickon.com.br,inbound,150,Europe,0 +clicplan.com,dmdelivery.com,inbound,150,Europe,0 +cobone.com,emarsys.net,inbound,150,Europe,0 +communicatoremail.com,communicatoremail.com,inbound,150,Europe,0 +compute.internal,amazonaws.com,inbound,150,Europe,0.81478 +confirmedoptin.com,confirmedoptin.com,inbound,150,Europe,0 +continente.pt,1-hostingservice.com,inbound,150,Europe,0 +cratusservices.in,ramcorp.in,inbound,150,Europe,0 +cricinfo.com,cricinfo.com,inbound,150,Europe,0 +critsend.com,critsend.com,inbound,150,Europe,0 +crsend.com,crsend.com,inbound,150,Europe,0.008688 +csas.cz,csas.cz,inbound,150,Europe,0.999971 +cupomturbinado.com.br,cupomnaweb.com.br,inbound,150,Europe,1 +cv-library.co.uk,cv-library.co.uk,inbound,150,Europe,0 +cvbankas.lt,efadm.eu,inbound,150,Europe,0 +cwjobsmail.co.uk,totaljobsmail.co.uk,inbound,150,Europe,0 +d-reizen.nl,dmdelivery.com,inbound,150,Europe,0 +dafiti.com.br,fagms.de,inbound,150,Europe,0 +datingfactory.com,caerussolutions.net,inbound,150,Europe,0 +dbgi.co.uk,emc1.co.uk,inbound,150,Europe,0 +deal.com.sg,emarsys.net,inbound,150,Europe,0 +debian.org,debian.org,inbound,150,Europe,1 +deezer.com,dms30.com,inbound,150,Europe,0 +directcrm.ru,directcrm.ru,inbound,150,Europe,0 +disney.co.uk,emv9.com,inbound,150,Europe,0 +dominosemail.co.uk,dominosemail.co.uk,inbound,150,Europe,0 +doodle.com,doodle.com,inbound,150,Europe,1 +dotmailer-email.com,dotmailer.com,inbound,150,Europe,0 +dotmailer.co.uk,dotmailer.com,inbound,150,Europe,0 +dpapp.nl,prikbordmailer.nl,inbound,150,Europe,0 +dpapp.nl,sslsecuref.nl,inbound,150,Europe,0 +dreivip.com,dreivip.com,inbound,150,Europe,0.000301 +dress-for-less.de,privalia.com,inbound,150,Europe,0 +drweb.com,drweb.com,inbound,150,Europe,0.969315 +e-boks.dk,e-boks.dk,inbound,150,Europe,1 +e-ebuyer.com,e-ebuyer.com,inbound,150,Europe,0 +e-mark.nl,e-mark.nl,inbound,150,Europe,0 +e-ngine.nl,e-ngine.nl,inbound,150,Europe,0 +ebay-kleinanzeigen.de,mobile.de,inbound,150,Europe,1 +ecommzone.com,ecommzone.com,inbound,150,Europe,0 +edarling.fr,fagms.de,inbound,150,Europe,0 +edima.hu,edima.hu,inbound,150,Europe,0 +efox-shop.com,dmdelivery.com,inbound,150,Europe,0 +ejobs.ro,ejobs.ro,inbound,150,Europe,8.5e-05 +elaine-asp.de,artegic.net,inbound,150,Europe,0.999997 +elcorteingles.es,elcorteingles.es,inbound,150,Europe,0 +elektronskaposta.si,eprvak.si,inbound,150,Europe,0 +elettershop.de,servicemail24.de,inbound,150,Europe,1 +emag.ro,emag.ro,inbound,150,Europe,0.005013 +email-comparethemarket.com,smartfocusdigital.net,inbound,150,Europe,0 +email360api.com,email360api.com,inbound,150,Europe,0 +emarsys.net,emarsys.net,inbound,150,Europe,0 +embluejet.com,emblueuser.com,inbound,150,Europe,0 +emsecure.net,emsecure.net,inbound,150,Europe,0 +emsmtp.com,emsmtp.com,inbound,150,Europe,0 +enewsletter.pl,enewsletter.pl,inbound,150,Europe,0.007349 +enewsletter.pl,sare25.com,inbound,150,Europe,0 +espmp-agfr.net,bp06.net,inbound,150,Europe,0 +esprit-friends.com,esprit-friends.com,inbound,150,Europe,0 +evanscycles.com,msgfocus.com,inbound,150,Europe,0 +experteer.com,experteer.com,inbound,150,Europe,0 +extra.com.br,emv8.com,inbound,150,Europe,0 +eyepin.com,eyepin.com,inbound,150,Europe,0 +fabfurnish.com,fagms.de,inbound,150,Europe,0 +facilisimo.com,facilisimo.com,inbound,150,Europe,1 +fagms.net,fagms.de,inbound,150,Europe,0 +finn.no,schibsted-it.no,inbound,150,Europe,0.002893 +fixeads.com,fixeads.com,inbound,150,Europe,0 +flirchi.com,flirchi.com,inbound,150,Europe,1.0 +flymonarchemail.com,flymonarchemail.com,inbound,150,Europe,0 +follow-up.se,follow-up.se,inbound,150,Europe,1 +fotocasa.es,fotocasa.es,inbound,150,Europe,0 +fotostrana.ru,fotocdn.net,inbound,150,Europe,3.4e-05 +free-lance.ru,free-lance.ru,inbound,150,Europe,0 +free.fr,free.fr,inbound,150,Europe,0.984012 +free.fr,free.fr,outbound,150,Europe,6.9e-05 +freecycle.org,freecycle.org,inbound,150,Europe,0.999865 +freemail.hu,freemail.hu,outbound,150,Europe,0 +freshmail.pl,freshmail.pl,inbound,150,Europe,0 +gardeningclubmail.co.uk,msgfocus.com,inbound,150,Europe,0 +giffgaff.com,giffgaff.com,inbound,150,Europe,0 +globasemail.com,globasemail.com,inbound,150,Europe,0.951088 +gmail.com,02.net,inbound,150,Europe,0.999617 +gmail.com,as13285.net,inbound,150,Europe,0.999943 +gmail.com,bbox.fr,inbound,150,Europe,0.919849 +gmail.com,belgacom.be,inbound,150,Europe,0.999444 +gmail.com,blackberry.com,inbound,150,Europe,0.998923 +gmail.com,bluewin.ch,inbound,150,Europe,0.93294 +gmail.com,btcentralplus.com,inbound,150,Europe,0.999969 +gmail.com,chello.nl,inbound,150,Europe,0.999951 +gmail.com,fastwebnet.it,inbound,150,Europe,0.984706 +gmail.com,jazztel.es,inbound,150,Europe,0.999701 +gmail.com,net24.it,inbound,150,Europe,0.999964 +gmail.com,netcabo.pt,inbound,150,Europe,0.998164 +gmail.com,numericable.fr,inbound,150,Europe,0.999723 +gmail.com,ono.com,inbound,150,Europe,0.995991 +gmail.com,orange.es,inbound,150,Europe,0.998742 +gmail.com,orange.fr,inbound,150,Europe,0 +gmail.com,otenet.gr,inbound,150,Europe,0.957917 +gmail.com,postini.com,inbound,150,Europe,0.924066 +gmail.com,proxad.net,inbound,150,Europe,0.998094 +gmail.com,rima-tde.net,inbound,150,Europe,0.99915 +gmail.com,sfr.net,inbound,150,Europe,0.999877 +gmail.com,skybroadband.com,inbound,150,Europe,0.999854 +gmail.com,t-ipconnect.de,inbound,150,Europe,0.999841 +gmail.com,tdc.net,inbound,150,Europe,0.999591 +gmail.com,telecomitalia.it,inbound,150,Europe,0.997 +gmail.com,telekom.hu,inbound,150,Europe,0.999977 +gmail.com,telenet.be,inbound,150,Europe,1 +gmail.com,telepac.pt,inbound,150,Europe,0.999584 +gmail.com,telia.com,inbound,150,Europe,1 +gmail.com,threembb.co.uk,inbound,150,Europe,1 +gmail.com,tpnet.pl,inbound,150,Europe,0.999761 +gmail.com,virginm.net,inbound,150,Europe,0.99661 +gmail.com,vodafone-ip.de,inbound,150,Europe,1 +gmail.com,vodafone.pt,inbound,150,Europe,0.999563 +gmail.com,vodafonedsl.it,inbound,150,Europe,0.999006 +gmail.com,wanadoo.fr,inbound,150,Europe,0.999752 +gmail.com,ziggo.nl,inbound,150,Europe,1 +gmx.de,gmx.net,inbound,150,Europe,1 +gmx.de,gmx.net,outbound,150,Europe,1 +gmx.net,gmx.net,inbound,150,Europe,1 +goalunited.org,ccmdcampaigns.net,inbound,150,Europe,0 +gog.com,gog.com,inbound,150,Europe,0 +gogroopie.com,gogroopie.com,inbound,150,Europe,0.000283 +goldenline.pl,goldenline.pl,inbound,150,Europe,1 +goodgame.com,emsmtp.com,inbound,150,Europe,0 +goodlife.pt,emv8.com,inbound,150,Europe,0 +google.com,postini.com,inbound,150,Europe,0.810567 +googlemail.com,t-ipconnect.de,inbound,150,Europe,0.999957 +gumtree.com,marktplaats.nl,inbound,150,Europe,0 +gumtree.com.au,kijiji.com,inbound,150,Europe,0 +gymglish.com,gymglish.com,inbound,150,Europe,0.000788 +haskell.org,haskell.org,inbound,150,Europe,0.000703 +hazteoir.org,hazteoir.org,inbound,150,Europe,0.31478 +hh.ru,hh.ru,inbound,150,Europe,0.996236 +hotel.de,emp-mail.de,inbound,150,Europe,0 +hotornot.com,monopost.com,inbound,150,Europe,0.983953 +hotukdeals.com,hotukdeals.com,inbound,150,Europe,1 +hpnotifier.nl,hpnotifier.nl,inbound,150,Europe,0 +icelandmail.co.uk,emsg-live.co.uk,inbound,150,Europe,0 +idealista.com,idealista.com,inbound,150,Europe,0.001627 +ideascost.com,ramcorp.in,inbound,150,Europe,0 +inboxair.com,inboxair.com,inbound,150,Europe,0 +infoempleo.com,infoempleo.com,inbound,150,Europe,0 +infojobs.it,infojobs.it,inbound,150,Europe,0 +infojobs.net,infojobs.net,inbound,150,Europe,0 +infopraca.pl,careesma.com,inbound,150,Europe,0 +ingdirect.es,ingdirect.es,inbound,150,Europe,1 +inter-chat.com,inter-chat.com,inbound,150,Europe,0 +interdatesa.com,fagms.net,inbound,150,Europe,0 +internations.org,internations.org,inbound,150,Europe,1 +inx1and1.de,1and1.com,inbound,150,Europe,1 +inxserver.com,inxserver.de,inbound,150,Europe,0.952863 +inxserver.de,inxserver.de,inbound,150,Europe,0.980838 +itms.in.ua,itms.in.ua,inbound,150,Europe,0 +jiscmail.ac.uk,lsoft.se,inbound,150,Europe,0 +jobisjob.com,jobisjob.com,inbound,150,Europe,0 +jobrapidoalert.com,jobrapidoalert.com,inbound,150,Europe,0 +jobs2web.com,ondemand.com,inbound,150,Europe,1 +jobserve.com,jobserve.com,inbound,150,Europe,0 +joobmailer.com,joobmailer.com,inbound,150,Europe,0 +jumia.com.ng,fagms.de,inbound,150,Europe,0 +justclick.ru,justclick.ru,inbound,150,Europe,0 +kalunga.com.br,kalunga.com.br,inbound,150,Europe,0 +kiabi.com,dms-02.net,inbound,150,Europe,0 +kijiji.ca,kijiji.com,inbound,150,Europe,0 +kismia.com,kismia.com,inbound,150,Europe,1 +kiwari.com,kiwari.com,inbound,150,Europe,9e-06 +kundenserver.de,kundenserver.de,inbound,150,Europe,1 +laposte.net,laposte.net,inbound,150,Europe,0.271722 +laposte.net,laposte.net,outbound,150,Europe,0 +laredoute.fr,laredoute.fr,inbound,150,Europe,0 +laterooms.com,laterooms.com,inbound,150,Europe,0.014746 +leboncoin.fr,leboncoin.fr,inbound,150,Europe,0 +leparisien.fr,leparisien.fr,inbound,150,Europe,0 +lexpress.fr,bp06.net,inbound,150,Europe,0 +libero.it,libero.it,inbound,150,Europe,0.00024 +libero.it,libero.it,outbound,150,Europe,0 +lifecooler.com,1-hostingservice.com,inbound,150,Europe,0 +listadventure.com,adlabsinc.com,inbound,150,Europe,0 +listjoe.com,adlabsinc.com,inbound,150,Europe,0 +litres.ru,litres.ru,inbound,150,Europe,1 +loccitane.com,neolane.net,inbound,150,Europe,0 +logentries.com,logentries.com,inbound,150,Europe,0 +loveplanet.ru,pochta.ru,inbound,150,Europe,0.640035 +lowcostholidays.co.uk,communicatoremail.com,inbound,150,Europe,0 +lua.org,pepperfish.net,inbound,150,Europe,1 +ludokados.com,ludokado.com,inbound,150,Europe,0 +mail-cdiscount.com,mail-cdiscount.com,inbound,150,Europe,0 +mail-mbank.pl,mail-mbank.pl,inbound,150,Europe,0 +mail.ru,mail.ru,inbound,150,Europe,0.991269 +mail.ru,mail.ru,outbound,150,Europe,0.006918 +mailer-service.de,mailer-service.de,inbound,150,Europe,4.9e-05 +mailersend.com,mailersend.com,inbound,150,Europe,0 +mailing-list.it,mailing-list.it,inbound,150,Europe,0 +mailjet.com,mailjet.com,inbound,150,Europe,0 +mailplus.nl,brightbase.net,inbound,150,Europe,1 +mailpv.net,pvmailer.net,inbound,150,Europe,1 +maisonsdumonde.com,bp06.net,inbound,150,Europe,0 +makro.nl,srv2.de,inbound,150,Europe,0.888692 +mapfre.com,emv5.com,inbound,150,Europe,0 +marktplaats.nl,marktplaats.nl,inbound,150,Europe,0 +matchwereld.nl,matchwereld.nl,inbound,150,Europe,0 +maxpark.com,gidepark.ru,inbound,150,Europe,1 +mdirector.com,mdrctr.com,inbound,150,Europe,0 +mecumauction.com,mecumauction.com,inbound,150,Europe,0 +meetic.com,meetic.com,inbound,150,Europe,0 +mequedouno.com,mequedouno.com,inbound,150,Europe,0 +metrodeal.com,fagms.de,inbound,150,Europe,0 +mightydeals.co.uk,mightydeals.co.uk,inbound,150,Europe,0 +mirtesen.ru,mtml.ru,inbound,150,Europe,0 +mitula.net,mitula.org,inbound,150,Europe,0 +mitula.org,mitula.org,inbound,150,Europe,0 +mixcloudmail.com,mixcloudmail.com,inbound,150,Europe,0.995482 +mlgns.com,mlgns.com,inbound,150,Europe,0 +mlgnserv.com,mlgnserv.com,inbound,150,Europe,0 +mmks.it,mail-maker.it,inbound,150,Europe,0 +mmsecure.nl,donenad.nl,inbound,150,Europe,0 +modnakasta.ua,emv5.com,inbound,150,Europe,0 +mooply.co,mailendo.com,inbound,150,Europe,0 +moviestarplanet.com,moviestarplanet.com,inbound,150,Europe,0 +mrc.org,msgfocus.com,inbound,150,Europe,0 +msdp1.com,msdp1.com,inbound,150,Europe,0 +msgfocus.com,msgfocus.com,inbound,150,Europe,0.011658 +mymms.com,fagms.de,inbound,150,Europe,0 +namorico.me,namorico.me,inbound,150,Europe,1 +nasza-klasa.pl,nasza-klasa.pl,inbound,150,Europe,0 +nationalexpress.com,nationalexpress.com,inbound,150,Europe,0 +neolane.net,neolane.net,inbound,150,Europe,0 +netopia.pt,netopia.pt,inbound,150,Europe,0.028429 +nhs.jobs,nhscareersjobs.co.uk,inbound,150,Europe,0 +nieuwsblad.be,vummail.be,inbound,150,Europe,0 +nmp1.com,nmp1.net,inbound,150,Europe,0 +nos.pt,netcabo.pt,inbound,150,Europe,6.3e-05 +noticiasaominuto.com,ccmdcampaigns.net,inbound,150,Europe,0 +noticiasaominuto.com,noticiasaominuto.com,inbound,150,Europe,0 +nrholding.net,nrholding.net,inbound,150,Europe,0 +odisseias.com,emv4.net,inbound,150,Europe,0 +odnoklassniki.ru,odnoklassniki.ru,inbound,150,Europe,0 +offerum.com,cccampaigns.com,inbound,150,Europe,0 +offerum.com,ccemails.com,inbound,150,Europe,0 +olx.pt,fixeads.com,inbound,150,Europe,0 +orange.fr,orange.fr,inbound,150,Europe,0 +orange.fr,orange.fr,outbound,150,Europe,0 +oroscopofree.com,adsender.us,inbound,150,Europe,0 +oroscopofree.com,oroscopofree.com,inbound,150,Europe,0 +orsay.com,emp-mail.de,inbound,150,Europe,0 +ovh.net,ovh.net,inbound,150,Europe,0.165188 +oxfam.org.uk,msgfocus.com,inbound,150,Europe,0 +payback.de,artegic.net,inbound,150,Europe,0.999986 +pccomponentes.com,pccomponentes.com,inbound,150,Europe,0 +peixeurbano.com.br,peixeurbano.com.br,inbound,150,Europe,0 +peperoni.de,peperoni.de,inbound,150,Europe,1 +peytz.dk,peytz.dk,inbound,150,Europe,4e-06 +photobox.com,photobox.com,inbound,150,Europe,0 +photoprintit.com,photoprintit.com,inbound,150,Europe,0 +pixum.com,pixum.com,inbound,150,Europe,0 +placedestendances.com,placedestendances.com,inbound,150,Europe,0 +plaisio.gr,fagms.de,inbound,150,Europe,0 +planeo.com,planeo.com,inbound,150,Europe,0 +planeo.pt,planeo.pt,inbound,150,Europe,0 +playtika.com,emv8.com,inbound,150,Europe,0 +poinx.com,poinx.com,inbound,150,Europe,0 +pokerstars.com,pokerstars.eu,inbound,150,Europe,0 +pokerstars.eu,pokerstars.eu,inbound,150,Europe,0 +pontofrio.com.br,emv8.com,inbound,150,Europe,0 +postgresql.org,postgresql.org,inbound,150,Europe,1 +praca.pl,praca.pl,inbound,150,Europe,1 +pracuj.pl,pracuj.pl,inbound,150,Europe,0 +printvenue.com,fagms.de,inbound,150,Europe,0 +privalia.com,privalia.com,inbound,150,Europe,3.94913202027326e-07 +promod-news.fr,promod-news.com,inbound,150,Europe,0 +protopmail.com,protopmail.com,inbound,150,Europe,0 +pur3.net,pur3.net,inbound,150,Europe,0.001123 +python.org,python.org,inbound,150,Europe,1 +quality.net.ua,quality.net.ua,inbound,150,Europe,0 +r-project.org,ethz.ch,inbound,150,Europe,0.99999 +r51.it,musvc.com,inbound,150,Europe,0.092498 +r52.it,musvc.com,inbound,150,Europe,0.000221 +r57.it,musvc.com,inbound,150,Europe,0.139425 +r67.it,musvc.com,inbound,150,Europe,0.199845 +r70.it,musvc.com,inbound,150,Europe,0.311983 +rakuten.co.jp,shareee.jp,inbound,150,Europe,0 +rambler.ru,rambler.ru,inbound,150,Europe,0.08173 +ratedpeople.com,ratedpeople.com,inbound,150,Europe,0.000979 +rax.ru,rax.ru,inbound,150,Europe,0.000258 +regie11.net,odiso.net,inbound,150,Europe,0 +relax7.hu,gruppi.hu,inbound,150,Europe,0 +richersoundsvip.com,ibwmail.com,inbound,150,Europe,0 +rightmove.com,rightmove.com,inbound,150,Europe,0 +roulartamail.be,roulartamail.be,inbound,150,Europe,0 +rueducommerce.com,groupe-rueducommerce.fr,inbound,150,Europe,0 +runtastic.com,runtastic.com,inbound,150,Europe,0 +ryanairmail.com,ryanairmail.com,inbound,150,Europe,0 +rzone.de,rzone.de,inbound,150,Europe,1 +saimails.in,infimail.com,inbound,150,Europe,0 +sainsburys.co.uk,emv5.com,inbound,150,Europe,0 +salesmanago.pl,salesmanago.pl,inbound,150,Europe,0 +samsung.ru,samsung.ru,inbound,150,Europe,0 +sapnetworkmail.com,sap-ag.de,inbound,150,Europe,1 +sapo.pt,sapo.pt,inbound,150,Europe,0.242839 +sapo.pt,sapo.pt,outbound,150,Europe,0 +savingdeals.in,infimail.com,inbound,150,Europe,0 +scmp.com,emarsys.net,inbound,150,Europe,0 +scoop.it,scoop.it,inbound,150,Europe,0 +scoopon.com.au,inxserver.de,inbound,150,Europe,1 +screwfix.info,fwdto.net,inbound,150,Europe,0 +secureserver.net,secureserver.net,inbound,150,Europe,0 +selection-priceminister.com,selection-priceminister.com,inbound,150,Europe,0 +sender.lt,sritis.lt,inbound,150,Europe,0.000339 +sendsmaily.info,sendsmaily.info,inbound,150,Europe,0 +seniorplanet.fr,seniorplanet.fr,inbound,150,Europe,0 +seznam.cz,seznam.cz,inbound,150,Europe,0.001781 +seznam.cz,seznam.cz,outbound,150,Europe,0.001741 +sfr.fr,sfr.fr,inbound,150,Europe,0.236539 +sfr.fr,sfr.fr,outbound,150,Europe,0.004753 +shopto.net,shopto.net,inbound,150,Europe,1 +skype.com,skype.com,inbound,150,Europe,0 +solveerrors.com,infimail.com,inbound,150,Europe,0 +spareroom.co.uk,spareroom.co.uk,inbound,150,Europe,1 +sqlservercentral.com,sqlservercentral.com,inbound,150,Europe,0 +staples-pt.com,1-hostingservice.com,inbound,150,Europe,0 +stepstone.de,stepstone.com,inbound,150,Europe,0.001689 +studentbeans.com,emv8.com,inbound,150,Europe,0 +subito.it,subito.it,inbound,150,Europe,0 +subscribe.ru,subscribe.ru,inbound,150,Europe,0 +superdrug.com,superdrug.com,inbound,150,Europe,0 +superjob.ru,superjob.ru,inbound,150,Europe,0 +support-love.com,support-love.com,inbound,150,Europe,0 +sut1.co.uk,sut1.co.uk,inbound,150,Europe,0.001789 +sut5.co.uk,sut5.co.uk,inbound,150,Europe,0 +swanson-vitamins.com,emv5.com,inbound,150,Europe,0 +t-online.de,t-online.de,inbound,150,Europe,1 +t-online.de,t-online.de,outbound,150,Europe,0.999939 +tatrabanka.sk,tatrabanka.sk,inbound,150,Europe,0 +tchibo.de,srv2.de,inbound,150,Europe,0.980447 +teamo.ru,teamo.ru,inbound,150,Europe,0 +teamviewer.com,teamviewer.com,inbound,150,Europe,0 +teapartyinfo.org,teapartyinfo.org,inbound,150,Europe,0 +telenet.be,telenet-ops.be,inbound,150,Europe,1.5e-05 +teleportmyjob.com,clara.net,inbound,150,Europe,0 +theleadmagnet.com,your-server.de,inbound,150,Europe,1 +timeweb.ru,timeweb.ru,inbound,150,Europe,1 +tiscali.it,tiscali.it,outbound,150,Europe,0 +totaljobsmail.co.uk,totaljobsmail.co.uk,inbound,150,Europe,0 +transversal.net,transversal.net,inbound,150,Europe,1 +travisperkins.co.uk,travisperkins.co.uk,inbound,150,Europe,0 +trovit.com,trovit.com,inbound,150,Europe,0 +tucasa.com,grupodtm.com,inbound,150,Europe,0 +twoomail.com,twoomail.com,inbound,150,Europe,0 +ubuntu.com,canonical.com,inbound,150,Europe,0 +ukr.net,fwdcdn.com,inbound,150,Europe,1 +ukr.net,ukr.net,outbound,150,Europe,0.999992 +ulteem.com,ulteem.com,inbound,150,Europe,0 +usndr.com,usndr.com,inbound,150,Europe,1 +venere.com,kiwari.com,inbound,150,Europe,0 +venteprivee.com,venteprivee.com,inbound,150,Europe,0 +virgilio.it,virgilio.net,inbound,150,Europe,0 +visualsoft.co.uk,visualsoft.co.uk,inbound,150,Europe,0 +vouchercloud.com,vouchercloud.com,inbound,150,Europe,0 +voyageprive.com,cccampaigns.net,inbound,150,Europe,0 +voyageprive.es,ccmdcampaigns.net,inbound,150,Europe,0 +voyageprive.it,ccmdcampaigns.net,inbound,150,Europe,0 +voyages-sncf.com,neolane.net,inbound,150,Europe,0 +vueling.com,vueling.com,inbound,150,Europe,0 +wanadoo.fr,orange.fr,inbound,150,Europe,0 +wanadoo.fr,orange.fr,outbound,150,Europe,0 +waves-audio.com,emv8.com,inbound,150,Europe,0 +web.de,web.de,inbound,150,Europe,0.999986 +web.de,web.de,outbound,150,Europe,1 +whereareyounow.com,wayn.net,inbound,150,Europe,0 +wiggle.com,wiggle.com,inbound,150,Europe,0 +william-reed.com,neolane.net,inbound,150,Europe,0 +williamhill.com,williamhill.com,inbound,150,Europe,0 +wldemail.com,emarsys.net,inbound,150,Europe,0 +wmtransfer.com,wmtransfer.com,inbound,150,Europe,0 +wnd.com,emv4.net,inbound,150,Europe,0 +wnd.com,worldnetdaily.com,inbound,150,Europe,0 +work.ua,work.ua,inbound,150,Europe,1 +workcircle.com,workcircle.net,inbound,150,Europe,0 +wp.pl,wp.pl,inbound,150,Europe,0.998027 +wp.pl,wp.pl,outbound,150,Europe,1 +xmailix.com,xmailix.com,inbound,150,Europe,0 +yandex.ru,yandex.net,inbound,150,Europe,0.999658 +yandex.ru,yandex.ru,outbound,150,Europe,1 +ymlpserver.net,ymlpserver.net,inbound,150,Europe,0 +ymlpsrv.net,ymlpsrv.net,inbound,150,Europe,0 +zalando.be,fagms.de,inbound,150,Europe,0 +zalando.dk,fagms.de,inbound,150,Europe,0 +zalando.fi,fagms.de,inbound,150,Europe,0 +zalando.it,fagms.de,inbound,150,Europe,0 +zalando.nl,fagms.de,inbound,150,Europe,0 +zalando.pl,fagms.de,inbound,150,Europe,0 +zumzi.com,neogen.ro,inbound,150,Europe,0 +zumzi.com,zumzi.com,inbound,150,Europe,0 +0bz.biz,hmts.jp,inbound,ZZ,Unknown Region,0 +104.com.tw,104.com.tw,inbound,ZZ,Unknown Region,0.091133 +1105info.com,1105info.com,inbound,ZZ,Unknown Region,0 +1111.com.tw,1111.com.tw,inbound,ZZ,Unknown Region,0 +160by2inbox.com,160by2inbox.com,inbound,ZZ,Unknown Region,0 +160by2invite.com,160by2invite.com,inbound,ZZ,Unknown Region,0 +160by2mail.com,160by2mail.com,inbound,ZZ,Unknown Region,0 +163.com,163.com,inbound,ZZ,Unknown Region,0.996685 +1800flowersinc.com,1800flowersinc.com,inbound,ZZ,Unknown Region,0 +1sale.com,1sale.com,inbound,ZZ,Unknown Region,0 +1v1y.com,euromsg.net,inbound,ZZ,Unknown Region,0 +4shared.com,4shared.com,inbound,ZZ,Unknown Region,1 +6pm.com,6pm.com,inbound,ZZ,Unknown Region,1 +6pm.com,zappos.com,inbound,ZZ,Unknown Region,0.782581 +a8.net,a8.net,inbound,ZZ,Unknown Region,0 +aaa.com,nextjump.com,inbound,ZZ,Unknown Region,0 +aaas-science.org,aaas-science.org,inbound,ZZ,Unknown Region,0 +aarp.org,aarp.org,inbound,ZZ,Unknown Region,0 +about.com,about.com,inbound,ZZ,Unknown Region,8.2e-05 +academy-enews.com,academy-enews.com,inbound,ZZ,Unknown Region,0 +accenture.com,outlook.com,inbound,ZZ,Unknown Region,1 +accountonline.com,accountonline.com,inbound,ZZ,Unknown Region,0.348991 +acehelpfulemails.com,teradatadmc.com,inbound,ZZ,Unknown Region,0 +actorsaccess.com,nonfatmedia.com,inbound,ZZ,Unknown Region,0 +adminforfree.com,adminforfree.com,inbound,ZZ,Unknown Region,1 +adminforfree.net,adminforfree.com,inbound,ZZ,Unknown Region,1 +administrativejobinsider.com,administrativejobinsider.com,inbound,ZZ,Unknown Region,0 +adobe.com,obsmtp.com,inbound,ZZ,Unknown Region,1 +adobesystems.com,adobesystems.com,inbound,ZZ,Unknown Region,0 +adoreme.com,exacttarget.com,inbound,ZZ,Unknown Region,0 +adp.com,adp.com,inbound,ZZ,Unknown Region,1 +adsender.us,adsender.us,inbound,ZZ,Unknown Region,0 +adsolutionline.com,adsolutionline.com,inbound,ZZ,Unknown Region,0 +adultfriendfinder.com,friendfinder.com,inbound,ZZ,Unknown Region,0 +advanceauto.com,bigfootinteractive.com,inbound,ZZ,Unknown Region,0 +advantagebusinessmedia.com,advantagebusinessmedia.com,inbound,ZZ,Unknown Region,0 +af.mil,af.mil,inbound,ZZ,Unknown Region,0.997561 +agoda-emails.com,agoda-emails.com,inbound,ZZ,Unknown Region,0 +agrupemonos.cl,agrupemonos.cl,inbound,ZZ,Unknown Region,1 +albertsonsemail.com,email4-mywebgrocer.com,inbound,ZZ,Unknown Region,0 +alibaba.com,alibaba.com,inbound,ZZ,Unknown Region,0 +alice.it,alice.it,inbound,ZZ,Unknown Region,0 +alice.it,aliceposta.it,outbound,ZZ,Unknown Region,0 +aliexpress.com,alibaba.com,inbound,ZZ,Unknown Region,0 +allegro.pl,allegro.pl,inbound,ZZ,Unknown Region,0 +allegrogroup.ua,allegrogroup.ua,inbound,ZZ,Unknown Region,0 +allsaints.com,allsaints.com,inbound,ZZ,Unknown Region,0 +ama-assn.org,elabs10.com,inbound,ZZ,Unknown Region,0 +amadeus.com,amadeus.net,inbound,ZZ,Unknown Region,0 +amazon.{...},amazon.{...},inbound,ZZ,Unknown Region,0.021685 +amazon.{...},amazonses.com,inbound,ZZ,Unknown Region,0.999971 +amazonses.com,amazonses.com,inbound,ZZ,Unknown Region,0.997919 +amazonses.com,postini.com,inbound,ZZ,Unknown Region,0.924067 +amctheatres.com,amctheatres.com,inbound,ZZ,Unknown Region,0 +americanpublicmediagroup.org,americanpublicmediagroup.org,inbound,ZZ,Unknown Region,0 +ancestry.com,ancestry.com,inbound,ZZ,Unknown Region,0 +angieslist.com,angieslist.com,inbound,ZZ,Unknown Region,0 +anntaylor.com,anntaylor.com,inbound,ZZ,Unknown Region,0 +anpdm.com,anpdm.com,inbound,ZZ,Unknown Region,4e-06 +aol.com,aol.com,outbound,ZZ,Unknown Region,1 +apple.com,apple.com,inbound,ZZ,Unknown Region,0.915839 +argos.co.uk,argos.co.uk,inbound,ZZ,Unknown Region,1 +argos.co.uk,exacttarget.com,inbound,ZZ,Unknown Region,1 +artists-hub.com,artists-hub.com,inbound,ZZ,Unknown Region,0 +asda.com,ec-cluster.com,inbound,ZZ,Unknown Region,0 +ask.fm,ask.fm,inbound,ZZ,Unknown Region,1e-05 +askmen.com,askmen.com,inbound,ZZ,Unknown Region,0 +astrocenter.com,center.com,inbound,ZZ,Unknown Region,0 +athleta.com,athleta.com,inbound,ZZ,Unknown Region,0 +atlassian.net,uc-inf.net,inbound,ZZ,Unknown Region,1 +att.net,yahoo.{...},inbound,ZZ,Unknown Region,0.999956 +auctionzip-email.com,email-auctionholdings.com,inbound,ZZ,Unknown Region,0 +auinmeio.com.br,fnac.com.br,inbound,ZZ,Unknown Region,0 +authorize.net,authorize.net,inbound,ZZ,Unknown Region,0 +authorize.net,visa.com,inbound,ZZ,Unknown Region,0.993555 +autoreply.com,autoreply.com,inbound,ZZ,Unknown Region,0 +avomail.com,avomail.com,inbound,ZZ,Unknown Region,0 +avon.com,email-avonglobal.com,inbound,ZZ,Unknown Region,0 +avon.com,postdirect.com,inbound,ZZ,Unknown Region,0 +aweber.com,aweber.com,inbound,ZZ,Unknown Region,3e-06 +ayi.com,ayi.com,inbound,ZZ,Unknown Region,0 +backcountry.com,backcountry.com,inbound,ZZ,Unknown Region,0 +backlog.jp,backlog.jp,inbound,ZZ,Unknown Region,0 +bagitgetitmailer.in,emce2.in,inbound,ZZ,Unknown Region,0 +banamex.com,citi.com,inbound,ZZ,Unknown Region,0.999958 +bananarepublic.com,bananarepublic.com,inbound,ZZ,Unknown Region,3.48869418874254e-07 +bancochile.cl,bancochile.cl,inbound,ZZ,Unknown Region,0.999504 +bancofalabella.com,bancofalabella.com,inbound,ZZ,Unknown Region,0 +banesco.com,banesco.com,inbound,ZZ,Unknown Region,0 +bankofamerica.com,bankofamerica.com,inbound,ZZ,Unknown Region,0.971142 +banorte.com,gfnorte.com.mx,inbound,ZZ,Unknown Region,0.994999 +barclaycardus.com,bigfootinteractive.com,inbound,ZZ,Unknown Region,0 +basecamp.com,basecamp.com,inbound,ZZ,Unknown Region,1 +basecamphq.com,basecamphq.com,inbound,ZZ,Unknown Region,1 +baskinrobbins.com,baskinrobbins.com,inbound,ZZ,Unknown Region,0 +bazarchic-invitations.com,bazarchic-emstech.com,inbound,ZZ,Unknown Region,0 +bcbg.com,bcbg.com,inbound,ZZ,Unknown Region,0 +beatport-email.com,beatport-email.com,inbound,ZZ,Unknown Region,0 +beautylish.com,beautylish.com,inbound,ZZ,Unknown Region,1 +bebe.com,ed10.com,inbound,ZZ,Unknown Region,0 +befrugal.com,befrugal.com,inbound,ZZ,Unknown Region,0 +belkemail.com,belkemail.com,inbound,ZZ,Unknown Region,0 +bellsouth.net,yahoo.{...},inbound,ZZ,Unknown Region,0.999951 +benihana-news.com,benihana-news.com,inbound,ZZ,Unknown Region,0 +bestbuy.com,bestbuy.com,inbound,ZZ,Unknown Region,0.003289 +beta.lt,mailersend3.com,inbound,ZZ,Unknown Region,0 +beyondtherack.com,beyondtherack.com,inbound,ZZ,Unknown Region,0 +bigfishgames.com,bigfishgames.com,inbound,ZZ,Unknown Region,0 +biglots.com,biglots.com,inbound,ZZ,Unknown Region,0 +bjsrestaurants.com,bjsrestaurants.com,inbound,ZZ,Unknown Region,0 +blackberry.com,blackberry.com,inbound,ZZ,Unknown Region,0 +blackboard.com,notification.com,inbound,ZZ,Unknown Region,0 +blackpeoplemeet.com,blackpeoplemeet.com,inbound,ZZ,Unknown Region,0 +bloglovin.com,bloglovin.com,inbound,ZZ,Unknown Region,0 +blogtrottr.com,blogtrottr.com,inbound,ZZ,Unknown Region,0 +bloomberg.com,bloomberg.com,inbound,ZZ,Unknown Region,0.001463 +bloomberg.net,bloomberg.net,inbound,ZZ,Unknown Region,1 +bluediamondhost3.com,web-hosting.com,inbound,ZZ,Unknown Region,1 +bluehornet.com,bluehornet.com,inbound,ZZ,Unknown Region,0 +bluenile.com,bluenile.com,inbound,ZZ,Unknown Region,0 +bluestatedigital.com,bluestatedigital.com,inbound,ZZ,Unknown Region,0 +bm05.net,bm05.net,inbound,ZZ,Unknown Region,0 +bmnt.jp,bmnt.jp,inbound,ZZ,Unknown Region,0 +bmsend.com,bmsend.com,inbound,ZZ,Unknown Region,0 +bn.com,bn.com,inbound,ZZ,Unknown Region,0 +bncollegemail.com,bncollegemail.com,inbound,ZZ,Unknown Region,0 +booking.com,booking.com,inbound,ZZ,Unknown Region,1 +bookmyshow.com,eccluster.com,inbound,ZZ,Unknown Region,0 +boots.com,boots.com,inbound,ZZ,Unknown Region,0 +box.com,box.com,inbound,ZZ,Unknown Region,0.955607 +brierleycrm.com,brierleycrm.com,inbound,ZZ,Unknown Region,0 +brooksbrothers.com,brooksbrothers.com,inbound,ZZ,Unknown Region,0 +btinternet.com,cpcloud.co.uk,inbound,ZZ,Unknown Region,0 +btinternet.com,cpcloud.co.uk,outbound,ZZ,Unknown Region,0 +btinternet.com,yahoo.{...},inbound,ZZ,Unknown Region,1 +budgettravel.com,email-budgettravel.com,inbound,ZZ,Unknown Region,0 +buyinvite.com.au,buyinvite.com.au,inbound,ZZ,Unknown Region,0 +bv.com.br,bv.com.br,inbound,ZZ,Unknown Region,0 +byway.it,byway.it,inbound,ZZ,Unknown Region,0 +cabelas.com,cabelas.com,inbound,ZZ,Unknown Region,0 +californiajobdepartment.com,californiajobdepartment.com,inbound,ZZ,Unknown Region,0 +callcommand.com,callcommand.com,inbound,ZZ,Unknown Region,0 +calottery.com,calottery.com,inbound,ZZ,Unknown Region,1 +canadiantire.ca,canadiantire.ca,inbound,ZZ,Unknown Region,0 +canalplus.es,canalplus.es,inbound,ZZ,Unknown Region,0 +capitalone.com,bigfootinteractive.com,inbound,ZZ,Unknown Region,0 +capitaloneemail.com,capitaloneemail.com,inbound,ZZ,Unknown Region,0 +career-hub.net,career-hub.net,inbound,ZZ,Unknown Region,1 +careerbuilder-email.com,careerbuilder-email.com,inbound,ZZ,Unknown Region,0 +careerbuilder.com,careerbuilder.com,inbound,ZZ,Unknown Region,0 +careerflash.net,careerflash.net,inbound,ZZ,Unknown Region,1 +carrefour.fr,carrefour.fr,inbound,ZZ,Unknown Region,0 +carters.com,carters.com,inbound,ZZ,Unknown Region,2e-06 +caseyresearch.com,caseyresearch.com,inbound,ZZ,Unknown Region,1 +catchyfreebies.net,mmsend53.com,inbound,ZZ,Unknown Region,0 +cccampaigns.net,emv9.net,inbound,ZZ,Unknown Region,0 +cecentertainment.com,cecentertainment.com,inbound,ZZ,Unknown Region,0 +celebritycruises.com,celebritycruises.com,inbound,ZZ,Unknown Region,0 +centaur.co.uk,centaur.co.uk,inbound,ZZ,Unknown Region,0 +centauro.com.br,centauro.com.br,inbound,ZZ,Unknown Region,0 +centerparcs.co.uk,ec-cluster.com,inbound,ZZ,Unknown Region,0 +cfmailer.com,elabs11.com,inbound,ZZ,Unknown Region,0 +change.org,change.org,inbound,ZZ,Unknown Region,1 +channel4.com,channel4.com,inbound,ZZ,Unknown Region,0 +chase.com,bigfootinteractive.com,inbound,ZZ,Unknown Region,0 +cheaperthandirt.com,cheaperthandirt.com,inbound,ZZ,Unknown Region,0 +chefscatalog.com,chefscatalog.com,inbound,ZZ,Unknown Region,0 +chemistdirect.co.uk,ec-cluster.com,inbound,ZZ,Unknown Region,0 +chemistry.com,chemistry.com,inbound,ZZ,Unknown Region,0 +chick-fil-ainsiders.com,chick-fil-ainsiders.com,inbound,ZZ,Unknown Region,0 +chopra.com,chopra.com,inbound,ZZ,Unknown Region,1 +christianmingle.com,postdirect.com,inbound,ZZ,Unknown Region,0 +cir.ca,cir.ca,inbound,ZZ,Unknown Region,1 +citi.com,citi.com,inbound,ZZ,Unknown Region,0.999941 +citibank.com,bigfootinteractive.com,inbound,ZZ,Unknown Region,0 +citibank.com,citi.com,inbound,ZZ,Unknown Region,0.999997 +citicorp.com,citi.com,inbound,ZZ,Unknown Region,0.999999 +citruslane.com,citruslane.com,inbound,ZZ,Unknown Region,5e-06 +clarisonic.com,clarisonic.com,inbound,ZZ,Unknown Region,0 +classmates.com,classmates.com,inbound,ZZ,Unknown Region,0 +clickon.com.ar,clickon.com.ar,inbound,ZZ,Unknown Region,0 +cmail1.com,createsend.com,inbound,ZZ,Unknown Region,0 +cmail2.com,createsend.com,inbound,ZZ,Unknown Region,0 +cmrfalabella.com,cmrfalabella.com,inbound,ZZ,Unknown Region,0 +codebreak.info,codebreak.info,inbound,ZZ,Unknown Region,1 +comcast.net,comcast.net,outbound,ZZ,Unknown Region,1 +confirmsignup.com,mmsend53.com,inbound,ZZ,Unknown Region,0 +constantcontact.com,postini.com,inbound,ZZ,Unknown Region,0.139551 +constantcontact.com,yahoo.{...},inbound,ZZ,Unknown Region,0.999541 +contact-darty.com,mm-send.com,inbound,ZZ,Unknown Region,0 +contactlab.it,contactlab.it,inbound,ZZ,Unknown Region,0 +converse.com,converse.com,inbound,ZZ,Unknown Region,1 +cookingchanneltv.com,cookingchanneltv.com,inbound,ZZ,Unknown Region,0 +copernica.nl,picsrv.net,inbound,ZZ,Unknown Region,0.011507 +copernica.nl,vicinity.nl,inbound,ZZ,Unknown Region,0.011753 +coppel.com,coppel.com,inbound,ZZ,Unknown Region,0 +corporateperks.com,nextjump.com,inbound,ZZ,Unknown Region,0 +countrycurtainscatalog.com,countrycurtainscatalog.com,inbound,ZZ,Unknown Region,0 +coupondunia.in,coupondunia.in,inbound,ZZ,Unknown Region,1 +crabtree-evelyn.com,crabtree-evelyn.com,inbound,ZZ,Unknown Region,0 +crainnewsalerts.com,crainnewsalerts.com,inbound,ZZ,Unknown Region,0 +crashlytics.com,sendgrid.net,inbound,ZZ,Unknown Region,1 +cricut.com,elabs12.com,inbound,ZZ,Unknown Region,0 +criticalimpactinc.com,criticalimpactinc.com,inbound,ZZ,Unknown Region,0 +critsend.com,critsend.com,inbound,ZZ,Unknown Region,0 +crocs-email.com,crocs-email.com,inbound,ZZ,Unknown Region,0 +crunchyroll.com,crunchyroll.com,inbound,ZZ,Unknown Region,0 +cudo.com.au,exacttarget.com,inbound,ZZ,Unknown Region,0 +cuenote.jp,cuenote.jp,inbound,ZZ,Unknown Region,0 +cupomturbinado.com.br,cupomnaweb.com.br,inbound,ZZ,Unknown Region,1 +cuppon.pl,cuppon.pl,inbound,ZZ,Unknown Region,0 +curriculum.com.br,curriculum.com.br,inbound,ZZ,Unknown Region,0 +currys.co.uk,currys.co.uk,inbound,ZZ,Unknown Region,0 +custom-emailing.com,elabs12.com,inbound,ZZ,Unknown Region,0 +cvent-planner.com,cvent-planner.com,inbound,ZZ,Unknown Region,0 +cyberdiet.com.br,allinmedia.com.br,inbound,ZZ,Unknown Region,0 +dabmail.com,iaires.com,inbound,ZZ,Unknown Region,0 +dailyom.com,dailyom.com,inbound,ZZ,Unknown Region,1 +dairyqueen.com,dairyqueen.com,inbound,ZZ,Unknown Region,0 +datadrivenemail.com,datadrivenemail.com,inbound,ZZ,Unknown Region,0 +daveramsey.com,daveramsey.com,inbound,ZZ,Unknown Region,0 +ddc-emails.com,ddc-emails.com,inbound,ZZ,Unknown Region,0 +dealchicken.com,dealchicken.com,inbound,ZZ,Unknown Region,0 +dealchicken.com,exacttarget.com,inbound,ZZ,Unknown Region,0 +dealfind.com,dealfind.com,inbound,ZZ,Unknown Region,0 +dealnews.com,dealnews.com,inbound,ZZ,Unknown Region,0 +dealsdirect.com.au,dealsdirect.com.au,inbound,ZZ,Unknown Region,0 +dealspl.us,dealspl.us,inbound,ZZ,Unknown Region,0 +delta.com,delta.com,inbound,ZZ,Unknown Region,0.040177 +dermstore.com,exacttarget.com,inbound,ZZ,Unknown Region,0 +dhl.com,dhl.com,inbound,ZZ,Unknown Region,0.994107 +dietaesaude.com.br,dietaesaude.com.br,inbound,ZZ,Unknown Region,0 +dinda.com.br,dinda.com.br,inbound,ZZ,Unknown Region,0 +directvla.com,directvla.com,inbound,ZZ,Unknown Region,0 +discover.com,discover.com,inbound,ZZ,Unknown Region,0 +disneydestinations.com,disneyparks.com,inbound,ZZ,Unknown Region,0 +disneydestinations.com,disneyworld.com,inbound,ZZ,Unknown Region,0 +diynetwork.com,diynetwork.com,inbound,ZZ,Unknown Region,0 +doctoroz.com,email-sharecare2.com,inbound,ZZ,Unknown Region,0 +dollartree.com,email-dollartree.com,inbound,ZZ,Unknown Region,0 +dominos.com,dominos.com,inbound,ZZ,Unknown Region,0.011861 +dominos.com.au,dominos.com.au,inbound,ZZ,Unknown Region,0 +donuts.ne.jp,dnuts.jp,inbound,ZZ,Unknown Region,0 +dotz.com.br,dotz.com.br,inbound,ZZ,Unknown Region,0 +doubletakeoffers.com,doubletakeoffers.com,inbound,ZZ,Unknown Region,0 +downlinebuilderdirect.com,downlinebuilderdirect.com,inbound,ZZ,Unknown Region,0 +dptagent.net,dptagent.net,inbound,ZZ,Unknown Region,0 +draftkings.com,draftkings.com,inbound,ZZ,Unknown Region,0 +dreamhost.com,dreamhost.com,inbound,ZZ,Unknown Region,0 +driftem.com,emce2.in,inbound,ZZ,Unknown Region,0 +drjays-mail.com,drjays-mail.com,inbound,ZZ,Unknown Region,0 +dromadaire-news.com,ecmcluster.com,inbound,ZZ,Unknown Region,0 +dukecareers.com,dukecareers.com,inbound,ZZ,Unknown Region,1 +duluthtradingemail.com,email-duluthtrading.com,inbound,ZZ,Unknown Region,0 +dynect-mailer.net,dynect.net,inbound,ZZ,Unknown Region,0 +dynect-mailer.net,sendlabs.com,inbound,ZZ,Unknown Region,0 +e-bodyc.com,email-bodycentral.com,inbound,ZZ,Unknown Region,0 +e-jobs-ville.com,e-jobs-ville.com,inbound,ZZ,Unknown Region,1 +e-leclerc.com,e-leclerc.com,inbound,ZZ,Unknown Region,0 +easycanvasprints.com,easycanvasprints.com,inbound,ZZ,Unknown Region,0 +easyhits4u.com,easyhits4u.com,inbound,ZZ,Unknown Region,1 +easyhits4u.com,relmax.net,inbound,ZZ,Unknown Region,0 +ebags.com,ebags.com,inbound,ZZ,Unknown Region,0 +ebay-kleinanzeigen.de,mobile.de,inbound,ZZ,Unknown Region,1 +ebay.{...},ebay.{...},inbound,ZZ,Unknown Region,0.999648 +ebay.{...},emarsys.net,inbound,ZZ,Unknown Region,0 +ebay.{...},postdirect.com,inbound,ZZ,Unknown Region,0 +ebizac3.com,ebizac3.com,inbound,ZZ,Unknown Region,0 +ebuildabear.com,ebuildabear.com,inbound,ZZ,Unknown Region,8e-06 +ed10.net,ed10.com,inbound,ZZ,Unknown Region,0 +eddiebauer.com,eddiebauer.com,inbound,ZZ,Unknown Region,0 +eduk.com,eduk.com,inbound,ZZ,Unknown Region,0 +efamilydollar.com,efamilydollar.com,inbound,ZZ,Unknown Region,0 +elabs10.com,elabs10.com,inbound,ZZ,Unknown Region,0 +elabs12.com,elabs12.com,inbound,ZZ,Unknown Region,0 +elistas.net,elistas.net,inbound,ZZ,Unknown Region,0 +elkjop.no,ec-cluster.com,inbound,ZZ,Unknown Region,0 +elkjop.no,eccluster.com,inbound,ZZ,Unknown Region,0 +elo7.com.br,elo7.com.br,inbound,ZZ,Unknown Region,0 +email-1800contacts.com,email-1800contacts.com,inbound,ZZ,Unknown Region,0 +email-aaa.com,email-aaa.com,inbound,ZZ,Unknown Region,0 +email-aeriagames.com,email-aeriagames.com,inbound,ZZ,Unknown Region,0 +email-dressbarn.com,email-dressbarn.com,inbound,ZZ,Unknown Region,0 +email-firestone.com,reminder-firestone.com,inbound,ZZ,Unknown Region,0 +email-honest.com,email-honest.com,inbound,ZZ,Unknown Region,0 +email-od.com,email-od.com,inbound,ZZ,Unknown Region,0.999752 +email-petsmart.com,email-petsmart.com,inbound,ZZ,Unknown Region,0 +email-sportchalet.com,email-sportchalet.com,inbound,ZZ,Unknown Region,0 +email-telekom.de,ecm-cluster.com,inbound,ZZ,Unknown Region,0 +email-totalwine.com,email-totalwine.com,inbound,ZZ,Unknown Region,0 +email-wildstar-online.com,email-carbine.com,inbound,ZZ,Unknown Region,0 +email2-beyond.com,messagebus.com,inbound,ZZ,Unknown Region,0 +email360api.com,email360api.com,inbound,ZZ,Unknown Region,0 +email365inc.com,email365inc.com,inbound,ZZ,Unknown Region,0 +email3m.com,email3m.com,inbound,ZZ,Unknown Region,0 +emailrestaurant.com,emailrestaurant.com,inbound,ZZ,Unknown Region,0 +emailtoryburch.com,emailtoryburch.com,inbound,ZZ,Unknown Region,0 +emarsys.net,emarsys.net,inbound,ZZ,Unknown Region,0.265197 +embarqmail.com,centurylink.net,inbound,ZZ,Unknown Region,0.999918 +emergencyemail.org,emergencyemail.org,inbound,ZZ,Unknown Region,0 +eminentinc.com,eminentinc.com,inbound,ZZ,Unknown Region,0 +emktviajarbarato.com.br,splio.com.br,inbound,ZZ,Unknown Region,0.875902 +employboard.com,employboard.com,inbound,ZZ,Unknown Region,1 +emsecure.net,emsecure.net,inbound,ZZ,Unknown Region,0 +emsmtp.com,emsmtp.com,inbound,ZZ,Unknown Region,0.44284 +en25.com,kqed.org,inbound,ZZ,Unknown Region,0 +enewscartes.net,bp06.net,inbound,ZZ,Unknown Region,0 +enewsletter.pl,mydeal.pl,inbound,ZZ,Unknown Region,0 +enewsletter.pl,sare25.com,inbound,ZZ,Unknown Region,0 +enplenitud.com,enplenitud.com,inbound,ZZ,Unknown Region,0 +entrepreneur.com,entrepreneur.com,inbound,ZZ,Unknown Region,0 +ethingsremembered.com,ethingsremembered.com,inbound,ZZ,Unknown Region,0 +etrade.com,etrade.com,inbound,ZZ,Unknown Region,0 +etransmail.com,etransmail.com,inbound,ZZ,Unknown Region,0 +etransmail.com,ptransmail.com,inbound,ZZ,Unknown Region,0 +etrmailbox.com,etrmailbox.com,inbound,ZZ,Unknown Region,0 +etsy.com,etsy.com,inbound,ZZ,Unknown Region,0.020849 +evernote.com,evernote.com,inbound,ZZ,Unknown Region,1 +everydayfamily.com,everydayfamily.com,inbound,ZZ,Unknown Region,0 +everytown.org,everytown.org,inbound,ZZ,Unknown Region,1 +exacttarget.com,bazaarvoice.com,inbound,ZZ,Unknown Region,0 +exacttarget.com,booksamillion.com,inbound,ZZ,Unknown Region,0 +exacttarget.com,exacttarget.com,inbound,ZZ,Unknown Region,0.000325 +exacttarget.com,msg.com,inbound,ZZ,Unknown Region,0 +exacttarget.com,redboxinstant.com,inbound,ZZ,Unknown Region,0 +exacttarget.com,skylinetechnologies.com,inbound,ZZ,Unknown Region,0 +expediamail.com,airasiago.com,inbound,ZZ,Unknown Region,1 +expediamail.com,exacttarget.com,inbound,ZZ,Unknown Region,1 +expediamail.com,expediamail.com,inbound,ZZ,Unknown Region,0.839662 +expediamail.com,quotitmail.com,inbound,ZZ,Unknown Region,0 +experteer.com,experteer.com,inbound,ZZ,Unknown Region,0 +express.com,expressfashion.com,inbound,ZZ,Unknown Region,0 +facebook.com,facebook.com,inbound,ZZ,Unknown Region,0 +facebook.com,facebook.com,outbound,ZZ,Unknown Region,1 +facebookmail.com,postini.com,inbound,ZZ,Unknown Region,0.918705 +facebookmail.com,yahoo.{...},inbound,ZZ,Unknown Region,0.999846 +falabella.com,falabella.com,inbound,ZZ,Unknown Region,0 +fanatics.com,fanatics.com,inbound,ZZ,Unknown Region,0 +fanaticsretailgroup.com,fanaticsretailgroup.com,inbound,ZZ,Unknown Region,0 +fanbridge.com,fanbridge.com,inbound,ZZ,Unknown Region,0 +fanofannas.com,fanofannas.com,inbound,ZZ,Unknown Region,0 +fansedge.com,fansedge.com,inbound,ZZ,Unknown Region,0 +farmers.com,farmers.com,inbound,ZZ,Unknown Region,0.999984 +fastcompany.com,fastcompany.com,inbound,ZZ,Unknown Region,0 +fedex.com,fedex.com,inbound,ZZ,Unknown Region,0.919932 +feld-ent.com,postdirect.com,inbound,ZZ,Unknown Region,0 +fellowshiponemail.com,fellowshiponemail.com,inbound,ZZ,Unknown Region,0 +fetlifemail.com,fetlifemail.com,inbound,ZZ,Unknown Region,0 +fidelity.com,fidelity.com,inbound,ZZ,Unknown Region,1 +financialfreedommail.com,financialfreedommail.com,inbound,ZZ,Unknown Region,0 +fingerhut.com,fingerhut.com,inbound,ZZ,Unknown Region,0 +flets.com,flets.com,inbound,ZZ,Unknown Region,0 +flirtlocal.com,flirtlocal.com,inbound,ZZ,Unknown Region,1 +flmsecure.com,fling.com,inbound,ZZ,Unknown Region,0 +flmsecure.com,flmsecure.com,inbound,ZZ,Unknown Region,0 +floridajobdepartment.com,floridajobdepartment.com,inbound,ZZ,Unknown Region,0 +fnac.com,fnac.com,inbound,ZZ,Unknown Region,0.025375 +fnb.co.za,fnb.co.za,inbound,ZZ,Unknown Region,0.325259 +foodnetwork.com,foodnetwork.com,inbound,ZZ,Unknown Region,0 +forcemail.in,iaires.com,inbound,ZZ,Unknown Region,0 +foreseegame.com,iaires.com,inbound,ZZ,Unknown Region,0 +fotffamily.com,fotffamily.com,inbound,ZZ,Unknown Region,0 +fotolivro.com.br,fotolivro.com.br,inbound,ZZ,Unknown Region,0 +fpmailerbr.com,fpmailerbr.com,inbound,ZZ,Unknown Region,0 +freecycle.org,freecycle.org,inbound,ZZ,Unknown Region,1 +freelancer.com,getafreelancer.com,inbound,ZZ,Unknown Region,0 +freesafelistmailer.com,waters-advertising.com,inbound,ZZ,Unknown Region,0 +freshmail.pl,freshmail.pl,inbound,ZZ,Unknown Region,0 +fridays.com,fridays.com,inbound,ZZ,Unknown Region,0 +frk.com,frk.com,inbound,ZZ,Unknown Region,1 +frontdoor.com,frontdoor.com,inbound,ZZ,Unknown Region,0 +frontgate-email.com,frontgate-email.com,inbound,ZZ,Unknown Region,0 +fuckbooknet.net,infinitypersonals.com,inbound,ZZ,Unknown Region,0 +fundplaza.co.in,arrowsignindia.com,inbound,ZZ,Unknown Region,0 +fundplaza.in,fundplaza.in,inbound,ZZ,Unknown Region,0 +funonthenet.in,funonthenet.in,inbound,ZZ,Unknown Region,1 +futurmailer.pt,futurmailer.pt,inbound,ZZ,Unknown Region,0 +gabbar.info,gabbar.info,inbound,ZZ,Unknown Region,1 +gamefly.com,gamefly.com,inbound,ZZ,Unknown Region,0.014317 +gamingmails.com,gamingmails.com,inbound,ZZ,Unknown Region,0 +gap.com,gap.com,inbound,ZZ,Unknown Region,0 +gap.eu,gap.eu,inbound,ZZ,Unknown Region,0 +gapcanada.ca,gapcanada.ca,inbound,ZZ,Unknown Region,0 +garanti.com.tr,euromsg.net,inbound,ZZ,Unknown Region,0 +garnethill-email.com,garnethill-email.com,inbound,ZZ,Unknown Region,0 +gaylordalert.com,gaylordalert.com,inbound,ZZ,Unknown Region,0 +gcast.com.au,systemsserver.net,inbound,ZZ,Unknown Region,0 +gdtsuccess.com,groupdealtools.com,inbound,ZZ,Unknown Region,1 +geico.com,geico.com,inbound,ZZ,Unknown Region,0.096795 +gene.com,roche.com,inbound,ZZ,Unknown Region,1 +geocaching.com,groundspeak.com,inbound,ZZ,Unknown Region,1 +getinbox.net,getinbox.net,inbound,ZZ,Unknown Region,0 +getkeepsafe.com,getkeepsafe.com,inbound,ZZ,Unknown Region,1 +getmein.com,getmein.com,inbound,ZZ,Unknown Region,0 +getresponse.com,getresponse.com,inbound,ZZ,Unknown Region,0 +gfsmarketplace-email.com,gfsmarketplace-email.com,inbound,ZZ,Unknown Region,0 +gilt.com,gilt.com,inbound,ZZ,Unknown Region,1e-06 +github.com,github.net,inbound,ZZ,Unknown Region,1 +glassdoor.com,glassdoor.com,inbound,ZZ,Unknown Region,0 +globalmembersupport.com,globalmembersupport.com,inbound,ZZ,Unknown Region,0 +globalspec.com,globalspec.com,inbound,ZZ,Unknown Region,0 +gmail.com,blackberry.com,inbound,ZZ,Unknown Region,0.998326 +gmail.com,postini.com,inbound,ZZ,Unknown Region,0.891175 +gmail.com,yahoo.{...},inbound,ZZ,Unknown Region,0.998661 +go.com,starwave.com,inbound,ZZ,Unknown Region,0.006276 +godtubemail.com,godtubemail.com,inbound,ZZ,Unknown Region,0 +godvinemail.com,godvinemail.com,inbound,ZZ,Unknown Region,0 +gohappy.com.tw,gohappy.com.tw,inbound,ZZ,Unknown Region,0 +goldenbrands.gr,goldenbrands.gr,inbound,ZZ,Unknown Region,1 +golfnow.com,email-golfnow.com,inbound,ZZ,Unknown Region,0 +google.com,postini.com,inbound,ZZ,Unknown Region,0.81059 +gop.com,gop.com,inbound,ZZ,Unknown Region,0 +grabone-mail-ie.com,grabone-mail-ie.com,inbound,ZZ,Unknown Region,0 +grabone-mail.com,grabone-mail.com,inbound,ZZ,Unknown Region,0 +gratka.pl,gratka.pl,inbound,ZZ,Unknown Region,0 +grocerycouponnetwork.com,grocerycouponnetwork.com,inbound,ZZ,Unknown Region,0 +groopdealz.com,groopdealz.com,inbound,ZZ,Unknown Region,1 +groupalia.es,groupalia.es,inbound,ZZ,Unknown Region,0 +groupalia.it,groupalia.it,inbound,ZZ,Unknown Region,0 +groupon.jp,data-hotel.net,inbound,ZZ,Unknown Region,0 +groupon.{...},groupon.{...},inbound,ZZ,Unknown Region,0.990176 +grouponmail.{...},grouponmail.{...},inbound,ZZ,Unknown Region,0 +grubhubmail.com,grubhubmail.com,inbound,ZZ,Unknown Region,0 +grupanya.com,euromsg.net,inbound,ZZ,Unknown Region,0 +guruin.info,guru.net.in,inbound,ZZ,Unknown Region,1 +habitaclia.com,splio.es,inbound,ZZ,Unknown Region,0.951406 +harborfreightemail.com,harborfreightemail.com,inbound,ZZ,Unknown Region,0 +hautelook.com,hautelook.com,inbound,ZZ,Unknown Region,0 +hepsiburada.com,euromsg.net,inbound,ZZ,Unknown Region,0 +herbalifemail.com,herbalifemail.com,inbound,ZZ,Unknown Region,0 +herculist.com,herculist.com,inbound,ZZ,Unknown Region,0 +hgtv.com,hgtv.com,inbound,ZZ,Unknown Region,0 +hhgreggemail.com,hhgreggemail.com,inbound,ZZ,Unknown Region,0 +hipmunk.com,hipmunk.com,inbound,ZZ,Unknown Region,0 +hln.be,persgroep-ops.net,inbound,ZZ,Unknown Region,0 +hm-f.jp,hm-f.jp,inbound,ZZ,Unknown Region,0 +hobsonsmail.com,hobsonsmail.com,inbound,ZZ,Unknown Region,0 +homebaselife.com,ec-cluster.com,inbound,ZZ,Unknown Region,0 +homechoice.co.za,homechoice.co.za,inbound,ZZ,Unknown Region,0 +homedepotemail.com,homedepotemail.com,inbound,ZZ,Unknown Region,0 +honto.jp,honto.jp,inbound,ZZ,Unknown Region,0 +horoscope.com,center.com,inbound,ZZ,Unknown Region,0 +hotels.com,hotels.com,inbound,ZZ,Unknown Region,0 +hotelurbano.com.br,allin.com.br,inbound,ZZ,Unknown Region,0 +hotmail.{...},hotmail.{...},inbound,ZZ,Unknown Region,0.999944 +hotmail.{...},hotmail.{...},outbound,ZZ,Unknown Region,1 +hotspotmailer.com,hotspotmailer.com,inbound,ZZ,Unknown Region,1 +hp.com,hp.com,inbound,ZZ,Unknown Region,0.198696 +hsn.com,hsn.com,inbound,ZZ,Unknown Region,0 +htcampusmailer.com,eccluster.com,inbound,ZZ,Unknown Region,0 +hubspot.com,hubspot.com,inbound,ZZ,Unknown Region,1 +huinforma.com.br,huinforma.com.br,inbound,ZZ,Unknown Region,0 +hulumail.com,hulumail.com,inbound,ZZ,Unknown Region,0 +hungryhouse.co.uk,mxmfb.com,inbound,ZZ,Unknown Region,0 +huntington.com,huntington.com,inbound,ZZ,Unknown Region,0.986937 +i-say.com,ipsos-interactive.com,inbound,ZZ,Unknown Region,1 +icloud.com,apple.com,inbound,ZZ,Unknown Region,1 +icloud.com,icloud.com,outbound,ZZ,Unknown Region,1 +icloud.com,mac.com,inbound,ZZ,Unknown Region,1 +icloud.com,me.com,inbound,ZZ,Unknown Region,0.999995 +ifttt.com,ifttt.com,inbound,ZZ,Unknown Region,1 +ign.com,ign.com,inbound,ZZ,Unknown Region,0 +ignitionsender.com,ignitionsender.com,inbound,ZZ,Unknown Region,0 +iheart.com,iheart.com,inbound,ZZ,Unknown Region,0 +immobilienscout24.de,immobilienscout24.de,inbound,ZZ,Unknown Region,1 +in-boxpays.com,in-boxpays.com,inbound,ZZ,Unknown Region,0 +indiamart.com,indiamart.com,inbound,ZZ,Unknown Region,1 +indiatimes.com,speakingtree.in,inbound,ZZ,Unknown Region,0 +indiatimeshop.com,sendpal.in,inbound,ZZ,Unknown Region,0 +indieroyale.com,desura.com,inbound,ZZ,Unknown Region,1 +infibeam.com,eccluster.com,inbound,ZZ,Unknown Region,0 +infopanel.jp,mailds.jp,inbound,ZZ,Unknown Region,0 +infos-micromania.com,infos-micromania.com,inbound,ZZ,Unknown Region,0 +infosephora.com,splio.com,inbound,ZZ,Unknown Region,0.962167 +infoworld.com,infoworld.com,inbound,ZZ,Unknown Region,0 +infusionmail.com,infusionmail.com,inbound,ZZ,Unknown Region,0 +inmotionhosting.com,inmotionhosting.com,inbound,ZZ,Unknown Region,1 +ino.com,ino.com,inbound,ZZ,Unknown Region,0.999981 +interwell.gr,interwell.gr,inbound,ZZ,Unknown Region,0 +ipcmedia.co.uk,ipcmedia.co.uk,inbound,ZZ,Unknown Region,0 +itunes.com,apple.com,inbound,ZZ,Unknown Region,0.043012 +jackwills.com,jackwills.com,inbound,ZZ,Unknown Region,0 +jalag.de,jalag.de,inbound,ZZ,Unknown Region,1 +jane.com,jane.com,inbound,ZZ,Unknown Region,1 +jango.com,jango.com,inbound,ZZ,Unknown Region,0 +jared.com,jared.com,inbound,ZZ,Unknown Region,0 +jdate.com,postdirect.com,inbound,ZZ,Unknown Region,0 +jetprivilege.com,jetprivilege.com,inbound,ZZ,Unknown Region,0 +jeuxvideo.com,jeuxvideo.com,inbound,ZZ,Unknown Region,0.148921 +jeweloscoemail.com,email-mywebgrocer2.com,inbound,ZZ,Unknown Region,0 +joann-mail.com,joann-mail.com,inbound,ZZ,Unknown Region,0 +jobinsider.com,jobinsider.com,inbound,ZZ,Unknown Region,0 +jobisjob.com,jobisjob.com,inbound,ZZ,Unknown Region,0 +jobomas.com,jobomas.com,inbound,ZZ,Unknown Region,1 +jobstreet.com,jobstreet.com,inbound,ZZ,Unknown Region,0 +jpcycles.com,jpcycles.com,inbound,ZZ,Unknown Region,0.001716 +jungleerummy.com,jungleerummy.com,inbound,ZZ,Unknown Region,1 +jusbrasil.com.br,jusbrasil.com.br,inbound,ZZ,Unknown Region,0 +just-eat.co.uk,ec-cluster.com,inbound,ZZ,Unknown Region,0 +justclick.ru,justclick.ru,inbound,ZZ,Unknown Region,0 +justdial.com,iaires.com,inbound,ZZ,Unknown Region,0 +k1speed.com,k1speed.com,inbound,ZZ,Unknown Region,1 +kaskusnetworks.com,kaskus.com,inbound,ZZ,Unknown Region,0 +kay.com,kay.com,inbound,ZZ,Unknown Region,0 +keek.com,keek.com,inbound,ZZ,Unknown Region,1 +kgbdeals.co.uk,email1-kgbdeals.com,inbound,ZZ,Unknown Region,0 +kliksa.net,euromsg.net,inbound,ZZ,Unknown Region,0 +kliktoday.com,kliktoday.com,inbound,ZZ,Unknown Region,0 +klm-mail.com,klm-mail.com,inbound,ZZ,Unknown Region,0 +kohls.com,kohls.com,inbound,ZZ,Unknown Region,0 +kongregate.com,kongregate.com,inbound,ZZ,Unknown Region,0 +krs.bz,tricorn.net,inbound,ZZ,Unknown Region,0 +la-meteo-mail.fr,splio.com,inbound,ZZ,Unknown Region,1 +laaptuemail.com,laaptuemail.com,inbound,ZZ,Unknown Region,0 +lakewoodchurch.com,lakewoodchurch.com,inbound,ZZ,Unknown Region,0 +landsend.com,email-landsend.com,inbound,ZZ,Unknown Region,0 +landsend.com,postdirect.com,inbound,ZZ,Unknown Region,0 +laptuinvite.com,laptuinvite.com,inbound,ZZ,Unknown Region,0 +lastminute.com,lastminute.com,inbound,ZZ,Unknown Region,0 +lazerhits.com,lazerhits.com,inbound,ZZ,Unknown Region,1 +leadercontato.com.br,leadercontato.com.br,inbound,ZZ,Unknown Region,0 +lefigaro.fr,splio.com,inbound,ZZ,Unknown Region,1 +lemonde.fr,lemonde.fr,inbound,ZZ,Unknown Region,0 +life360.com,life360.com,inbound,ZZ,Unknown Region,1 +lifecare-news.com,email-lifecare.com,inbound,ZZ,Unknown Region,0 +lifemiles.com,bigfootinteractive.com,inbound,ZZ,Unknown Region,0 +lifescript.com,ilinkmd.com,inbound,ZZ,Unknown Region,0 +line6.com,line6.com,inbound,ZZ,Unknown Region,0 +linkedin.com,linkedin.com,inbound,ZZ,Unknown Region,0.995201 +linkedin.com,postini.com,inbound,ZZ,Unknown Region,0.940251 +liquidation.com,liquidation.com,inbound,ZZ,Unknown Region,0 +listbuildingmaximizer.com,listbuildingmaximizer.com,inbound,ZZ,Unknown Region,0.00023 +live.{...},hotmail.{...},inbound,ZZ,Unknown Region,0.999921 +live.{...},hotmail.{...},outbound,ZZ,Unknown Region,1 +livejournal.com,livejournal.com,inbound,ZZ,Unknown Region,0 +livemailservice.com,livemailservice.com,inbound,ZZ,Unknown Region,0 +livenation.com,exacttarget.com,inbound,ZZ,Unknown Region,0 +lmlmgv.com.br,gvarev.com.br,inbound,ZZ,Unknown Region,0 +loccitane.com,neolane.net,inbound,ZZ,Unknown Region,0 +loft.com,anntaylor.com,inbound,ZZ,Unknown Region,0 +lombardipublishing.com,lombardipublishing.com,inbound,ZZ,Unknown Region,0 +lookout.com,lookout.com,inbound,ZZ,Unknown Region,1 +lsi.com,postini.com,inbound,ZZ,Unknown Region,0.981115 +lynxmail.in,iaires.com,inbound,ZZ,Unknown Region,0 +lyris.net,lyris.net,inbound,ZZ,Unknown Region,0 +m1e.net,m1e.net,inbound,ZZ,Unknown Region,0.000342 +mac.com,icloud.com,outbound,ZZ,Unknown Region,1 +mac.com,mac.com,inbound,ZZ,Unknown Region,1 +macromill.com,macromill.com,inbound,ZZ,Unknown Region,0 +macys.com,macys.com,inbound,ZZ,Unknown Region,0 +magix.net,magix.net,inbound,ZZ,Unknown Region,0.673176 +mail-backcountry.com,email-bcmarketing.com,inbound,ZZ,Unknown Region,0 +mail.ru,mail.ru,inbound,ZZ,Unknown Region,0.986526 +mail.ru,mail.ru,outbound,ZZ,Unknown Region,0.006561 +maileclipse.com,emce2.in,inbound,ZZ,Unknown Region,0 +mailengine1.com,mailengine1.com,inbound,ZZ,Unknown Region,0 +mailer4u.in,elabs10.com,inbound,ZZ,Unknown Region,0 +mailersend.com,mailersend.com,inbound,ZZ,Unknown Region,0 +mailjet.com,mailjet.com,inbound,ZZ,Unknown Region,0.803083 +mailmailmail.net,mailmailmail.net,inbound,ZZ,Unknown Region,0 +mailoct.in,tcmailer14.in,inbound,ZZ,Unknown Region,0 +mailoct1.in,mailoct1.in,inbound,ZZ,Unknown Region,0 +mailoct1.in,myntramail2.in,inbound,ZZ,Unknown Region,0 +mailorama.fr,mailorama.fr,inbound,ZZ,Unknown Region,0 +mailpost.in,iaires.com,inbound,ZZ,Unknown Region,0 +mailquant.com,iaires.com,inbound,ZZ,Unknown Region,0 +mandrillapp.com,backpage.com,inbound,ZZ,Unknown Region,1 +mandrillapp.com,mandrillapp.com,inbound,ZZ,Unknown Region,1 +mandrillapp.com,mcsignup.com,inbound,ZZ,Unknown Region,1 +mandrillapp.com,myjobhelperalerts.com,inbound,ZZ,Unknown Region,1 +mango.com,emstechnology2.net,inbound,ZZ,Unknown Region,0 +manipal.edu,iaires.com,inbound,ZZ,Unknown Region,0 +manta.com,exacttarget.com,inbound,ZZ,Unknown Region,0 +mar0.net,mar0.net,inbound,ZZ,Unknown Region,0.976409 +markavip.com,markavip.com,inbound,ZZ,Unknown Region,0 +marketingstudio.com,marketingstudio.com,inbound,ZZ,Unknown Region,0 +marksandspencer.com,marksandspencer.com,inbound,ZZ,Unknown Region,0 +maropost.com,mp2200.com,inbound,ZZ,Unknown Region,0 +maropost.com,survivallife.com,inbound,ZZ,Unknown Region,0 +marykay.com,marykay.com,inbound,ZZ,Unknown Region,0 +masivapp.com,masivapp.com,inbound,ZZ,Unknown Region,1 +match.com,match.com,inbound,ZZ,Unknown Region,0 +mbga.jp,mbga.jp,inbound,ZZ,Unknown Region,0 +mbna.co.uk,ec-cluster.com,inbound,ZZ,Unknown Region,0 +mcdlv.net,mcdlv.net,inbound,ZZ,Unknown Region,0 +mcsv.net,mcsv.net,inbound,ZZ,Unknown Region,0 +me.com,icloud.com,outbound,ZZ,Unknown Region,1 +me.com,mac.com,inbound,ZZ,Unknown Region,1 +medallia.com,medallia.com,inbound,ZZ,Unknown Region,1 +mediapost.com,mediapost.com,inbound,ZZ,Unknown Region,0 +medium.com,messagebus.com,inbound,ZZ,Unknown Region,0 +medscape.com,medscape.com,inbound,ZZ,Unknown Region,0 +meetup.com,meetup.com,inbound,ZZ,Unknown Region,0 +melaleuca.com,melaleuca.com,inbound,ZZ,Unknown Region,0 +mercadojobs.com,sendgrid.net,inbound,ZZ,Unknown Region,1 +mercadolibre.com,mercadolibre.com,inbound,ZZ,Unknown Region,0 +mercadolivre.com,mercadolibre.com,inbound,ZZ,Unknown Region,0 +merceworld.com,merceworld.com,inbound,ZZ,Unknown Region,0.996737 +merodea.me,sendgrid.net,inbound,ZZ,Unknown Region,1 +metro.co.in,srv2.de,inbound,ZZ,Unknown Region,0.966947 +mgmresorts.com,mgmresorts.com,inbound,ZZ,Unknown Region,0 +microsoft.com,msn.com,inbound,ZZ,Unknown Region,1 +microsoftemail.com,microsoftemail.com,inbound,ZZ,Unknown Region,0 +microsoftemail.com,microsoftstoreemail.com,inbound,ZZ,Unknown Region,0 +mileageplusshoppingnews.com,mail-skymilesshoppingsupport.com,inbound,ZZ,Unknown Region,0 +minhavida.com.br,minhavida.com.br,inbound,ZZ,Unknown Region,0 +mixi.jp,mixi.jp,inbound,ZZ,Unknown Region,0 +mjinn.com,mailurja.com,inbound,ZZ,Unknown Region,0 +mktomail.com,mktdns.com,inbound,ZZ,Unknown Region,0 +mktomail.com,mktomail.com,inbound,ZZ,Unknown Region,0 +mktomail.com,mktroute.com,inbound,ZZ,Unknown Region,0 +mlsend.com,mlsend.com,inbound,ZZ,Unknown Region,0 +mlsend2.com,mlsend2.com,inbound,ZZ,Unknown Region,0 +mlssoccer.com,mlssoccer.com,inbound,ZZ,Unknown Region,0 +mmaco.net,mmaco.net,inbound,ZZ,Unknown Region,0.999998 +mmorpg.com,mmorpg.com,inbound,ZZ,Unknown Region,0.002979 +mocospace.com,mocospace.com,inbound,ZZ,Unknown Region,0 +moneyforward.com,moneyforward.com,inbound,ZZ,Unknown Region,0 +moneysupermarketmail.com,moneysupermarketmail.com,inbound,ZZ,Unknown Region,0 +monografias.com,elistas.net,inbound,ZZ,Unknown Region,0 +monster.com,monster.com,inbound,ZZ,Unknown Region,0.000503 +monsterindia.com,monster.co.in,inbound,ZZ,Unknown Region,0 +mooply.co,mailendo.com,inbound,ZZ,Unknown Region,0 +morningstar.net,morningstar.net,inbound,ZZ,Unknown Region,0 +mothercaregroup.com,neolane.net,inbound,ZZ,Unknown Region,0 +mozilla.org,mozilla.com,inbound,ZZ,Unknown Region,0.633241 +mpse.jp,mpme.jp,inbound,ZZ,Unknown Region,0 +ms00.net,ms00.net,inbound,ZZ,Unknown Region,0 +msdp1.com,msdp1.com,inbound,ZZ,Unknown Region,0 +msn.com,hotmail.{...},inbound,ZZ,Unknown Region,0.999946 +msn.com,hotmail.{...},outbound,ZZ,Unknown Region,1 +musiciansfriend.com,musiciansfriend.com,inbound,ZZ,Unknown Region,0 +mxmfb.com,mxmfb.com,inbound,ZZ,Unknown Region,0 +mycolorscreen.com,mta4.net,inbound,ZZ,Unknown Region,0 +myfitnesspal.com,messagebus.com,inbound,ZZ,Unknown Region,0 +mygroupon.co.th,grouponmail.{...},inbound,ZZ,Unknown Region,0 +myheritage.com,myheritage.com,inbound,ZZ,Unknown Region,0 +myideeli.com,myideeli.com,inbound,ZZ,Unknown Region,0 +myntramail.com,iaires.com,inbound,ZZ,Unknown Region,0 +myntramail.com,myntramail.com,inbound,ZZ,Unknown Region,0 +myntramails.in,icubes.in,inbound,ZZ,Unknown Region,0 +myoutlets.in,trustmailer.com,inbound,ZZ,Unknown Region,0 +mypoints.com,mypoints.com,inbound,ZZ,Unknown Region,0 +mysale.my,mysale.my,inbound,ZZ,Unknown Region,0 +mysale.ph,mysale.ph,inbound,ZZ,Unknown Region,0 +mysupermarket.co.uk,mysupermarket.co.uk,inbound,ZZ,Unknown Region,0 +mysurvey.com,mysurvey.com,inbound,ZZ,Unknown Region,0 +mysurvey.eu,mysurvey.com,inbound,ZZ,Unknown Region,0 +myvegas.com,myvegas.com,inbound,ZZ,Unknown Region,1 +naaptoldeals.com,eccluster.com,inbound,ZZ,Unknown Region,0 +nanomail.com.br,araie.com.br,inbound,ZZ,Unknown Region,1 +nascar.com,nascar.com,inbound,ZZ,Unknown Region,0 +nationbuilder.com,nationbuilder.com,inbound,ZZ,Unknown Region,1 +nationwide-communications.co.uk,nationwide-communications.co.uk,inbound,ZZ,Unknown Region,0 +naukri.com,naukri.com,inbound,ZZ,Unknown Region,0 +navy.mil,navy.mil,inbound,ZZ,Unknown Region,0.000243 +nend.net,postini.com,inbound,ZZ,Unknown Region,0 +netatlantic.com,netatlantic.com,inbound,ZZ,Unknown Region,0.001085 +netflix.com,amazonses.com,inbound,ZZ,Unknown Region,0.999999 +netflix.com,netflix.com,inbound,ZZ,Unknown Region,1 +netlogmail.com,netlogmail.com,inbound,ZZ,Unknown Region,0 +netprosoftmail.com,netprosoftmail.com,inbound,ZZ,Unknown Region,0 +netshoes.com.br,netshoes.com.br,inbound,ZZ,Unknown Region,0 +newegg.com,newegg.com,inbound,ZZ,Unknown Region,2e-06 +newmarkethealth.com,newmarkethealth.com,inbound,ZZ,Unknown Region,0 +news-h5g.com,news-h5g.com,inbound,ZZ,Unknown Region,0 +newsletter-verychic.com,splio.es,inbound,ZZ,Unknown Region,0.9804 +newsmax.com,newsmax.com,inbound,ZZ,Unknown Region,0 +nflshop.com,nflshop.com,inbound,ZZ,Unknown Region,0 +nieuwsblad.be,vummail.be,inbound,ZZ,Unknown Region,0 +nike.com,nike.com,inbound,ZZ,Unknown Region,0 +ninewestmail.com,ninewestmail.com,inbound,ZZ,Unknown Region,0 +nokia.com,nokia.com,inbound,ZZ,Unknown Region,0.001256 +npr.org,npr.org,inbound,ZZ,Unknown Region,0 +ns.nl,tripolis.com,inbound,ZZ,Unknown Region,0 +nsandi.com,mxmfb.com,inbound,ZZ,Unknown Region,0 +nytimes.com,nytimes.com,inbound,ZZ,Unknown Region,0 +nzsale.co.nz,nzsale.co.nz,inbound,ZZ,Unknown Region,0 +oakley.com,oakley.com,inbound,ZZ,Unknown Region,0 +ocmail1.in,tcmail.in,inbound,ZZ,Unknown Region,0 +ocmail14.in,tcmailer5.in,inbound,ZZ,Unknown Region,0 +ocmail22.in,tcmailer15.in,inbound,ZZ,Unknown Region,0 +ocmail22.in,tcmailer4.in,inbound,ZZ,Unknown Region,0 +ocmail40.in,tcmailer15.in,inbound,ZZ,Unknown Region,0 +ocmail40.in,tcmailer4.in,inbound,ZZ,Unknown Region,0 +ocnmail.in,ocmail6.in,inbound,ZZ,Unknown Region,0 +ocnmail.in,tcmail3.in,inbound,ZZ,Unknown Region,0 +ofertasbmc.com.br,ofertasbmc.com.br,inbound,ZZ,Unknown Region,0 +ofertix.com,ofertix.com,inbound,ZZ,Unknown Region,0 +offers.com,offers.com,inbound,ZZ,Unknown Region,1 +officedepot.com,officedepot.com,inbound,ZZ,Unknown Region,0.019269 +officemax.com,officemax.com,inbound,ZZ,Unknown Region,0 +officemax.com,officemaxworkplace.com,inbound,ZZ,Unknown Region,0 +ofsys.com,bulletin-metro.ca,inbound,ZZ,Unknown Region,0 +oknotify2.com,oknotify2.com,inbound,ZZ,Unknown Region,0 +oldnavy.ca,oldnavy.ca,inbound,ZZ,Unknown Region,0 +oldnavy.com,oldnavy.com,inbound,ZZ,Unknown Region,0 +omahasteaks.com,omahasteaks.com,inbound,ZZ,Unknown Region,0 +oneindia.in,mailurja.com,inbound,ZZ,Unknown Region,0 +onekingslane.com,onekingslane.com,inbound,ZZ,Unknown Region,0 +onlive.com,ipost.com,inbound,ZZ,Unknown Region,0 +onmicrosoft.com,outlook.com,inbound,ZZ,Unknown Region,1 +optimusmail.in,iaires.com,inbound,ZZ,Unknown Region,0 +orderscatalog.com,orderscatalog.com,inbound,ZZ,Unknown Region,0 +oroscopofree.com,adsender.us,inbound,ZZ,Unknown Region,0 +os-email.com,os-email.com,inbound,ZZ,Unknown Region,0 +oshkoshbgosh.com,oshkoshbgosh.com,inbound,ZZ,Unknown Region,6e-06 +osu.edu,outlook.com,inbound,ZZ,Unknown Region,1 +otto.de,eccluster.com,inbound,ZZ,Unknown Region,1 +ouffer.com,ouffer.com,inbound,ZZ,Unknown Region,0 +ourtime.com,seniorpeoplemeet.com,inbound,ZZ,Unknown Region,0 +outback.com,outback.com,inbound,ZZ,Unknown Region,0 +outlook.com,hotmail.{...},inbound,ZZ,Unknown Region,0.999843 +outlook.com,hotmail.{...},outbound,ZZ,Unknown Region,1 +outspot.be,teneo.be,inbound,ZZ,Unknown Region,0 +outspot.nl,teneo.be,inbound,ZZ,Unknown Region,0 +ovenmail.com,iaires.com,inbound,ZZ,Unknown Region,0 +overstock.com,overstock.com,inbound,ZZ,Unknown Region,0 +ovh.net,ovh.net,inbound,ZZ,Unknown Region,0.352531 +ozsale.com.au,ozsale.com.au,inbound,ZZ,Unknown Region,0.000192 +panelplace.com,smtp.com,inbound,ZZ,Unknown Region,0 +panerabreadnews.com,panerabreadnews.com,inbound,ZZ,Unknown Region,0 +pantaloondirect.net,iaires.com,inbound,ZZ,Unknown Region,0 +papajohns-specials.com,papajohns-specials.com,inbound,ZZ,Unknown Region,0 +paradisepublishers.com,paradisepublishers.com,inbound,ZZ,Unknown Region,0.99957 +path.com,path.com,inbound,ZZ,Unknown Region,1 +payback.in,eccluster.com,inbound,ZZ,Unknown Region,0 +payback.in,ecm-cluster.com,inbound,ZZ,Unknown Region,0 +payback.in,ecmcluster.com,inbound,ZZ,Unknown Region,0 +paypal.co.uk,paypal.com,inbound,ZZ,Unknown Region,1 +paypal.com,paypal.com,inbound,ZZ,Unknown Region,0.608834 +paypal.com.au,paypal.com,inbound,ZZ,Unknown Region,1 +paypal.de,paypal.com,inbound,ZZ,Unknown Region,1 +pd25.com,pd25.com,inbound,ZZ,Unknown Region,1 +peanuthome.info,adopterc.info,inbound,ZZ,Unknown Region,0 +peanuthome.info,aguitytr.info,inbound,ZZ,Unknown Region,0 +peanuthome.info,bevest.info,inbound,ZZ,Unknown Region,0 +peanuthome.info,bluester.info,inbound,ZZ,Unknown Region,0 +peanuthome.info,burror.info,inbound,ZZ,Unknown Region,0 +peanuthome.info,bursion.info,inbound,ZZ,Unknown Region,0 +peanuthome.info,cantexi.info,inbound,ZZ,Unknown Region,0 +peanuthome.info,caserhi.info,inbound,ZZ,Unknown Region,0 +peanuthome.info,celect.info,inbound,ZZ,Unknown Region,0 +peanuthome.info,chintone.info,inbound,ZZ,Unknown Region,0 +peanuthome.info,citery.info,inbound,ZZ,Unknown Region,0 +peanuthome.info,cleathal.info,inbound,ZZ,Unknown Region,0 +peanuthome.info,coherentrequittal.info,inbound,ZZ,Unknown Region,0 +peanuthome.info,colicom.info,inbound,ZZ,Unknown Region,0 +peanuthome.info,complec.info,inbound,ZZ,Unknown Region,0 +peanuthome.info,cyprinoidkaiserdom.info,inbound,ZZ,Unknown Region,0 +peanuthome.info,deciarc.info,inbound,ZZ,Unknown Region,0 +peanuthome.info,declaws.info,inbound,ZZ,Unknown Region,0 +peanuthome.info,dewest.info,inbound,ZZ,Unknown Region,0 +peanuthome.info,epconce.info,inbound,ZZ,Unknown Region,0 +peanuthome.info,fnotec.info,inbound,ZZ,Unknown Region,0 +peanuthome.info,folkswor.info,inbound,ZZ,Unknown Region,0 +peanuthome.info,forepert.info,inbound,ZZ,Unknown Region,0 +peanuthome.info,gurgaro.info,inbound,ZZ,Unknown Region,0 +peanuthome.info,heallyps.info,inbound,ZZ,Unknown Region,0 +peanuthome.info,holeph.info,inbound,ZZ,Unknown Region,0 +peanuthome.info,homewor.info,inbound,ZZ,Unknown Region,0 +peanuthome.info,hydroni.info,inbound,ZZ,Unknown Region,0 +peanuthome.info,ingenbu.info,inbound,ZZ,Unknown Region,0 +peanuthome.info,kinklybotaurus.info,inbound,ZZ,Unknown Region,0 +peanuthome.info,ninetiethwhiffet.info,inbound,ZZ,Unknown Region,0 +peanuthome.info,unglibshudder.info,inbound,ZZ,Unknown Region,0 +peanutwebmaster.info,adcrent.info,inbound,ZZ,Unknown Region,0 +peanutwebmaster.info,addmiel.info,inbound,ZZ,Unknown Region,0 +peanutwebmaster.info,agilhe.info,inbound,ZZ,Unknown Region,0 +peanutwebmaster.info,allegap.info,inbound,ZZ,Unknown Region,0 +peanutwebmaster.info,andvore.info,inbound,ZZ,Unknown Region,0 +peanutwebmaster.info,angogl.info,inbound,ZZ,Unknown Region,0 +peanutwebmaster.info,animass.info,inbound,ZZ,Unknown Region,0 +peanutwebmaster.info,arettery.info,inbound,ZZ,Unknown Region,0 +peanutwebmaster.info,aribank.info,inbound,ZZ,Unknown Region,0 +peanutwebmaster.info,arkefoc.info,inbound,ZZ,Unknown Region,0 +peanutwebmaster.info,avenog.info,inbound,ZZ,Unknown Region,0 +peanutwebmaster.info,barrave.info,inbound,ZZ,Unknown Region,0 +peanutwebmaster.info,bindowmo.info,inbound,ZZ,Unknown Region,0 +peanutwebmaster.info,bitravit.info,inbound,ZZ,Unknown Region,0 +peanutwebmaster.info,borsand.info,inbound,ZZ,Unknown Region,0 +peanutwebmaster.info,branti.info,inbound,ZZ,Unknown Region,0 +peanutwebmaster.info,breaserp.info,inbound,ZZ,Unknown Region,0 +peanutwebmaster.info,bredogly.info,inbound,ZZ,Unknown Region,0 +peanutwebmaster.info,briantra.info,inbound,ZZ,Unknown Region,0 +peanutwebmaster.info,bridea.info,inbound,ZZ,Unknown Region,0 +peanutwebmaster.info,carial.info,inbound,ZZ,Unknown Region,0 +peanutwebmaster.info,castac.info,inbound,ZZ,Unknown Region,0 +peanutwebmaster.info,chedoner.info,inbound,ZZ,Unknown Region,0 +peanutwebmaster.info,chiquent.info,inbound,ZZ,Unknown Region,0 +peanutwebmaster.info,cinchoi.info,inbound,ZZ,Unknown Region,0 +peanutwebmaster.info,cliate.info,inbound,ZZ,Unknown Region,0 +peanutwebmaster.info,cognn.info,inbound,ZZ,Unknown Region,0 +peanutwebsite.info,abjibbin.info,inbound,ZZ,Unknown Region,0 +peanutwebsite.info,audiette.info,inbound,ZZ,Unknown Region,0 +peanutwebsite.info,blancer.info,inbound,ZZ,Unknown Region,0 +peanutwebsite.info,bluester.info,inbound,ZZ,Unknown Region,0 +peanutwebsite.info,burror.info,inbound,ZZ,Unknown Region,0 +peanutwebsite.info,bursion.info,inbound,ZZ,Unknown Region,0 +peanutwebsite.info,caserhi.info,inbound,ZZ,Unknown Region,0 +peanutwebsite.info,celect.info,inbound,ZZ,Unknown Region,0 +peanutwebsite.info,cleathal.info,inbound,ZZ,Unknown Region,0 +peanutwebsite.info,coherentrequittal.info,inbound,ZZ,Unknown Region,0 +peanutwebsite.info,complec.info,inbound,ZZ,Unknown Region,0 +peanutwebsite.info,condost.info,inbound,ZZ,Unknown Region,0 +peanutwebsite.info,cyprinoidkaiserdom.info,inbound,ZZ,Unknown Region,0 +peanutwebsite.info,deciarc.info,inbound,ZZ,Unknown Region,0 +peanutwebsite.info,declaws.info,inbound,ZZ,Unknown Region,0 +peanutwebsite.info,epconce.info,inbound,ZZ,Unknown Region,0 +peanutwebsite.info,ferrayer.info,inbound,ZZ,Unknown Region,0 +peanutwebsite.info,fnotec.info,inbound,ZZ,Unknown Region,0 +peanutwebsite.info,folkswor.info,inbound,ZZ,Unknown Region,0 +peanutwebsite.info,forepert.info,inbound,ZZ,Unknown Region,0 +peanutwebsite.info,gurgaro.info,inbound,ZZ,Unknown Region,0 +peanutwebsite.info,holeph.info,inbound,ZZ,Unknown Region,0 +peanutwebsite.info,homewor.info,inbound,ZZ,Unknown Region,0 +peanutwebsite.info,hydroni.info,inbound,ZZ,Unknown Region,0 +peanutwebsite.info,ingenbu.info,inbound,ZZ,Unknown Region,0 +peanutwebsite.info,kinklybotaurus.info,inbound,ZZ,Unknown Region,0 +peanutwebsite.info,ninetiethwhiffet.info,inbound,ZZ,Unknown Region,0 +peixeurbano.com.br,peixeurbano.com.br,inbound,ZZ,Unknown Region,0 +pennwell.com,pennwell.com,inbound,ZZ,Unknown Region,0 +perfectworld.com,perfectworld.com,inbound,ZZ,Unknown Region,0 +personare.com.br,personare.com.br,inbound,ZZ,Unknown Region,0 +pge.com,pge.com,inbound,ZZ,Unknown Region,0.149792 +philosophy.com,philosophy.com,inbound,ZZ,Unknown Region,0 +phpclasses.org,phpclasses.org,inbound,ZZ,Unknown Region,0 +pinger.com,pinger.com,inbound,ZZ,Unknown Region,0 +pinterest.com,pinterest.com,inbound,ZZ,Unknown Region,1 +pizzahutoffers.com,pizzahutoffers.com,inbound,ZZ,Unknown Region,0 +playstationmail.net,playstationmail.net,inbound,ZZ,Unknown Region,0 +plumdistrict.com,plumdistrict.com,inbound,ZZ,Unknown Region,1 +politicoemail.com,politicoemail.com,inbound,ZZ,Unknown Region,0 +polyvore.com,polyvore.com,inbound,ZZ,Unknown Region,1 +popsugar.com,popsugar.com,inbound,ZZ,Unknown Region,0 +priceline.com,priceline.com,inbound,ZZ,Unknown Region,1 +princess.com,princess.com,inbound,ZZ,Unknown Region,0 +privoscite.si,privoscite.si,inbound,ZZ,Unknown Region,0 +profitcenteronline.com,groupdealtools.com,inbound,ZZ,Unknown Region,1 +progressive.com,progressive.com,inbound,ZZ,Unknown Region,0.814003 +publix.com,publix.com,inbound,ZZ,Unknown Region,0 +puritan.com,email-nbtyinc.com,inbound,ZZ,Unknown Region,0 +qoinpro.com,qoinpro.com,inbound,ZZ,Unknown Region,1 +qoo10.jp,qoo10.jp,inbound,ZZ,Unknown Region,4e-06 +qoo10.sg,qoo10.co.id,inbound,ZZ,Unknown Region,1.9e-05 +qoo10.sg,qoo10.com,inbound,ZZ,Unknown Region,0 +qoo10.sg,qoo10.my,inbound,ZZ,Unknown Region,2.2e-05 +qoo10.sg,qoo10.sg,inbound,ZZ,Unknown Region,8e-06 +quinstreet.com,neoquin.com,inbound,ZZ,Unknown Region,0 +quora.com,quora.com,inbound,ZZ,Unknown Region,1 +rabota.ua,rabota.ua,inbound,ZZ,Unknown Region,0 +rackroom-email.com,rackroom-email.com,inbound,ZZ,Unknown Region,0 +railcard-daysoutguide.co.uk,railcard-daysoutguide.co.uk,inbound,ZZ,Unknown Region,0 +rakuten.co.jp,rakuten.co.jp,inbound,ZZ,Unknown Region,0 +rakuten.com,rakuten.com,inbound,ZZ,Unknown Region,0 +reactiveadz.com,downlinebuilderdirect.com,inbound,ZZ,Unknown Region,0 +realage-mail.com,postdirect.com,inbound,ZZ,Unknown Region,0 +redbox.com,exacttarget.com,inbound,ZZ,Unknown Region,0 +redcross.org.uk,redcross.org.uk,inbound,ZZ,Unknown Region,0 +rediffmail.com,rediffmail.com,inbound,ZZ,Unknown Region,0 +reebonz.com,reebonz.com,inbound,ZZ,Unknown Region,0.759458 +reed.co.uk,reed.co.uk,inbound,ZZ,Unknown Region,0 +regie11.net,odiso.net,inbound,ZZ,Unknown Region,0 +regionalhelpwanted.com,regionalhelpwanted.com,inbound,ZZ,Unknown Region,1 +registrar-servers.com,registrar-servers.com,inbound,ZZ,Unknown Region,0.05163 +repica.jp,kakaku.com,inbound,ZZ,Unknown Region,0 +repica.jp,repica.jp,inbound,ZZ,Unknown Region,0 +republicwireless.com,republicwireless.com,inbound,ZZ,Unknown Region,0.033564 +retailjobinsider.com,retailjobinsider.com,inbound,ZZ,Unknown Region,0 +retailmenot.com,retailmenot.com,inbound,ZZ,Unknown Region,4.68294583517529e-07 +reverbnation.com,reverbnation.com,inbound,ZZ,Unknown Region,0 +revolutiongolf.com,revolutiongolf.com,inbound,ZZ,Unknown Region,0 +reyrey.net,reyrey.net,inbound,ZZ,Unknown Region,0.999904 +richyrichmailer.com,maddog-productions.info,inbound,ZZ,Unknown Region,1 +rikunabi.com,rikunabi.com,inbound,ZZ,Unknown Region,0 +ringcentral.com,ringcentral.com,inbound,ZZ,Unknown Region,1 +rmtr.de,rapidmail.de,inbound,ZZ,Unknown Region,0 +rnmk.com,rnmk.com,inbound,ZZ,Unknown Region,0 +rockpath.info,rockpath.info,inbound,ZZ,Unknown Region,1 +rogers.com,yahoo.{...},inbound,ZZ,Unknown Region,1 +rogers.com,yahoodns.net,outbound,ZZ,Unknown Region,1 +rookiestewsemails.com,rookiestewsemails.com,inbound,ZZ,Unknown Region,0 +royalcaribbeanmarketing.com,royalcaribbeanmarketing.com,inbound,ZZ,Unknown Region,0 +rpo9usa.email,rpo9usa.email,inbound,ZZ,Unknown Region,0 +rr.com,rr.com,inbound,ZZ,Unknown Region,2e-06 +rr.com,rr.com,outbound,ZZ,Unknown Region,0 +rsgsv.net,rsgsv.net,inbound,ZZ,Unknown Region,0 +rummycirclemails.com,eccluster.com,inbound,ZZ,Unknown Region,0 +runkeeper.com,runkeeper.com,inbound,ZZ,Unknown Region,0 +s3s-br1.net,splio.com.br,inbound,ZZ,Unknown Region,0.908187 +s3s-main.net,splio.com,inbound,ZZ,Unknown Region,0.970428 +s4s-pl1.pl,splio.com,inbound,ZZ,Unknown Region,0.939032 +safe-sender.net,safe-sender.net,inbound,ZZ,Unknown Region,0 +safeway.com,safeway.com,inbound,ZZ,Unknown Region,0.000382 +salesforce.com,postini.com,inbound,ZZ,Unknown Region,0.915635 +salesforce.com,salesforce.com,inbound,ZZ,Unknown Region,0.952721 +samsungusa.com,samsungusa.com,inbound,ZZ,Unknown Region,0 +sanmina-sci.com,postini.com,inbound,ZZ,Unknown Region,0.999991 +sanmina.com,postini.com,inbound,ZZ,Unknown Region,0.999828 +saturday.com,saturday.com,inbound,ZZ,Unknown Region,0 +sbcglobal.net,yahoo.{...},inbound,ZZ,Unknown Region,0.999985 +sears.ca,sears.ca,inbound,ZZ,Unknown Region,0.005447 +searscard.com,searscard.com,inbound,ZZ,Unknown Region,1 +secretescapes.com,secretescapes.com,inbound,ZZ,Unknown Region,0 +secure.ne.jp,secure.ne.jp,inbound,ZZ,Unknown Region,0.000618 +secureserver.net,secureserver.net,inbound,ZZ,Unknown Region,0 +seek.com.au,seek.com.au,inbound,ZZ,Unknown Region,0 +selectacast.net,selectacast.net,inbound,ZZ,Unknown Region,0.000561 +semana.com,semana.com,inbound,ZZ,Unknown Region,0 +sendgrid.info,sendgrid.net,inbound,ZZ,Unknown Region,0.999896 +sendgrid.me,sendgrid.net,inbound,ZZ,Unknown Region,1 +sendpal.in,sendpal.in,inbound,ZZ,Unknown Region,0 +serviciobancomer.com,serviciobancomer.com,inbound,ZZ,Unknown Region,0 +sfid01.com,sfid01.com,inbound,ZZ,Unknown Region,0 +shaadi.com,shaadi.com,inbound,ZZ,Unknown Region,0 +shop2gether.com.br,shop2gether.com.br,inbound,ZZ,Unknown Region,0 +shopjustice.com,shopjustice.com,inbound,ZZ,Unknown Region,0 +shopnineteenmails.in,iaires.com,inbound,ZZ,Unknown Region,0 +shoppersstop.com,shoppersstop.com,inbound,ZZ,Unknown Region,0 +shoprite-email.com,email-mywebgrocer.com,inbound,ZZ,Unknown Region,0 +showingtime.com,showingtime.com,inbound,ZZ,Unknown Region,0 +showroomprive.com,showroomprive.be,inbound,ZZ,Unknown Region,0 +showroomprive.com,showroomprive.nl,inbound,ZZ,Unknown Region,0 +showroomprive.es,showroomprive.es,inbound,ZZ,Unknown Region,0 +showroomprive.it,showroomprive.pt,inbound,ZZ,Unknown Region,0 +showroomprive.pt,showroomprive.co.uk,inbound,ZZ,Unknown Region,0 +shtyle.fm,shtyle.fm,inbound,ZZ,Unknown Region,0 +simplesafelist.com,adminforfree.com,inbound,ZZ,Unknown Region,1 +simpletextadz.com,web-hosting.com,inbound,ZZ,Unknown Region,1 +singsale.com.sg,singsale.com.sg,inbound,ZZ,Unknown Region,0 +skillpages-mailer.com,dynect.net,inbound,ZZ,Unknown Region,0 +skymall.com,skymall.com,inbound,ZZ,Unknown Region,0 +skynet.be,belgacom.be,inbound,ZZ,Unknown Region,0 +skype.com,skype.com,inbound,ZZ,Unknown Region,0 +skyscanner.net,skyscanner.net,inbound,ZZ,Unknown Region,1 +slickdeals.net,slickdeals.net,inbound,ZZ,Unknown Region,0 +slidesharemail.com,slideshare.net,inbound,ZZ,Unknown Region,1 +smartresponder.ru,smartresponder.ru,inbound,ZZ,Unknown Region,1 +snagajob-email.com,snagajob-email.com,inbound,ZZ,Unknown Region,0 +snapdeal.com,snapdeal.com,inbound,ZZ,Unknown Region,0 +socialsex.biz,infinitypersonals.com,inbound,ZZ,Unknown Region,0 +softbank.jp,softbank.jp,outbound,ZZ,Unknown Region,0 +softbank.ne.jp,softbank.ne.jp,inbound,ZZ,Unknown Region,0 +softbank.ne.jp,softbank.ne.jp,outbound,ZZ,Unknown Region,0 +sony.com,sony.com,inbound,ZZ,Unknown Region,0 +sonyrewards.com,sonyrewards.com,inbound,ZZ,Unknown Region,0 +soundcloudmail.com,soundcloudmail.com,inbound,ZZ,Unknown Region,0.999996 +spanishdict.com,spanishdict.com,inbound,ZZ,Unknown Region,0 +sparklist.com,sparklist.com,inbound,ZZ,Unknown Region,0 +spartoo.com,spartoo.com,inbound,ZZ,Unknown Region,0 +speedyrewards-email.com,speedyrewards-email.com,inbound,ZZ,Unknown Region,0 +spotifymail.com,spotifymail.com,inbound,ZZ,Unknown Region,1 +ssgadm.com,ssg.com,inbound,ZZ,Unknown Region,0 +staffeazymailers.com,iaires.com,inbound,ZZ,Unknown Region,0 +stakemail.com,iaires.com,inbound,ZZ,Unknown Region,0 +stampmail.in,iaires.com,inbound,ZZ,Unknown Region,0 +standaard.be,vummail.be,inbound,ZZ,Unknown Region,0 +stansberryresearch.com,stansberry-re.net,inbound,ZZ,Unknown Region,0 +stansberryresearch.com,stansberryresearch.com,inbound,ZZ,Unknown Region,0 +staples.co.uk,ncrwebhost.de,inbound,ZZ,Unknown Region,0 +starsports.com,eccluster.com,inbound,ZZ,Unknown Region,0 +startwire.com,jobsreport.com,inbound,ZZ,Unknown Region,1 +starwoodhotels.com,outlook.com,inbound,ZZ,Unknown Region,1 +state-of-the-art-mailer.com,futurebanners.net,inbound,ZZ,Unknown Region,0 +stayfriends.de,stayfriends.de,inbound,ZZ,Unknown Region,0 +steampowered.com,steampowered.com,inbound,ZZ,Unknown Region,1 +stelladot.com,stelladot.com,inbound,ZZ,Unknown Region,0 +stjobs.sg,st701.com,inbound,ZZ,Unknown Region,1 +stjude.org,stjude.org,inbound,ZZ,Unknown Region,0.006723 +strava.com,strava.com,inbound,ZZ,Unknown Region,1 +streeteasy.com,streeteasy.com,inbound,ZZ,Unknown Region,0 +stylecareers.com,stylecareers.com,inbound,ZZ,Unknown Region,0 +subtend.info,subtend.info,inbound,ZZ,Unknown Region,1 +subway.com,subway.com,inbound,ZZ,Unknown Region,0 +surveyspot.com,ssisurveys.com,inbound,ZZ,Unknown Region,0 +sweepstakesalerts.com,sweepstakesalerts.com,inbound,ZZ,Unknown Region,0 +swimoutlet.com,isport.com,inbound,ZZ,Unknown Region,0 +sympatico.ca,hotmail.{...},inbound,ZZ,Unknown Region,1 +synchronyfinancial.com,bigfootinteractive.com,inbound,ZZ,Unknown Region,0 +tadtopmails.com,tadtopmails.com,inbound,ZZ,Unknown Region,0 +taishinbank.com.tw,taishinbank.com.tw,inbound,ZZ,Unknown Region,0 +take2games.com,take2games.com,inbound,ZZ,Unknown Region,0 +talkmatch.com,talkmatch.com,inbound,ZZ,Unknown Region,0 +tanga.com,tanga.com,inbound,ZZ,Unknown Region,0 +tanningmail.com,tanningmail.com,inbound,ZZ,Unknown Region,0 +tappingsolutionemail.com,tappingsolutionemail.com,inbound,ZZ,Unknown Region,0 +target.com,bigfootinteractive.com,inbound,ZZ,Unknown Region,0 +tasteofhome.com,tasteofhome.com,inbound,ZZ,Unknown Region,0 +tchibo.com.tr,euromsg.net,inbound,ZZ,Unknown Region,0 +teambuymail.com,teambuymail.com,inbound,ZZ,Unknown Region,0 +teamsnap.com,teamsnap.com,inbound,ZZ,Unknown Region,1 +technolutions.net,technolutions.net,inbound,ZZ,Unknown Region,1 +telegraph.co.uk,telegraph.co.uk,inbound,ZZ,Unknown Region,0 +telus.com,telus.com,inbound,ZZ,Unknown Region,0 +templeandwebster.com.au,templeandwebster.com.au,inbound,ZZ,Unknown Region,0 +texasjobdepartment.com,texasjobdepartment.com,inbound,ZZ,Unknown Region,0 +thebodyshop-usa.com,email-bodyshop.com,inbound,ZZ,Unknown Region,0 +thebodyshop-usa.com,postdirect.com,inbound,ZZ,Unknown Region,0 +thecarousell.com,thecarousell.com,inbound,ZZ,Unknown Region,1 +theguardian.com,theguardian.com,inbound,ZZ,Unknown Region,0 +thepamperedchef.com,thepamperedchef.com,inbound,ZZ,Unknown Region,0 +thephonehouse.es,splio.com,inbound,ZZ,Unknown Region,0.983578 +thephonehouse.es,splio.es,inbound,ZZ,Unknown Region,0.983266 +therealreal.com,email-realreal.com,inbound,ZZ,Unknown Region,0 +thesource.ca,thesource.ca,inbound,ZZ,Unknown Region,0 +thewarehouse.co.nz,thewarehouse.co.nz,inbound,ZZ,Unknown Region,0 +thinkgeek.com,thinkgeek.com,inbound,ZZ,Unknown Region,1e-06 +thirtyonegifts.com,thirtyonegifts.com,inbound,ZZ,Unknown Region,0 +thomascook.com,eccluster.com,inbound,ZZ,Unknown Region,0 +ticketmaster.com,ticketmaster.com,inbound,ZZ,Unknown Region,0.001001 +ticketmasterbiletix.com,ticketmasterbiletix.com,inbound,ZZ,Unknown Region,0 +timehop.com,timehop.com,inbound,ZZ,Unknown Region,1 +timeout.com,ec-cluster.com,inbound,ZZ,Unknown Region,0 +timewarnercable.com,bigfootinteractive.com,inbound,ZZ,Unknown Region,0 +tinyletterapp.com,tinyletterapp.com,inbound,ZZ,Unknown Region,0 +tobi.com,messagebus.com,inbound,ZZ,Unknown Region,0 +topface.com,topface.com,inbound,ZZ,Unknown Region,1e-06 +topica.com,topica-silver-y.com,inbound,ZZ,Unknown Region,0 +topqpon.si,topqpon.si,inbound,ZZ,Unknown Region,0 +touchbase2.com,mailurja.com,inbound,ZZ,Unknown Region,0 +townnews-mail.com,townnews-mail.com,inbound,ZZ,Unknown Region,0 +trabajar.com,trabajo.org,inbound,ZZ,Unknown Region,0.999997 +trabalhar.com,trabajo.org,inbound,ZZ,Unknown Region,0.999994 +tradeloop.com,tradeloop.com,inbound,ZZ,Unknown Region,1 +trafficwave.net,trafficwave.net,inbound,ZZ,Unknown Region,0 +transittraveljobinsider.com,transittraveljobinsider.com,inbound,ZZ,Unknown Region,0 +transportexchangegroup.com,transportexchangegroup.com,inbound,ZZ,Unknown Region,0.998825 +travelchannel.com,travelchannel.com,inbound,ZZ,Unknown Region,0 +travelocity.com,travelocity.com,inbound,ZZ,Unknown Region,0.000195 +travelzoo.com,travelzoo.com,inbound,ZZ,Unknown Region,0 +trclient.com,trclient.com,inbound,ZZ,Unknown Region,0 +trello.com,mandrillapp.com,inbound,ZZ,Unknown Region,1 +triongames.com,triongames.com,inbound,ZZ,Unknown Region,0.085718 +tripadvisor.com,tripadvisor.com,inbound,ZZ,Unknown Region,0.000588 +tripolis.com,tripolis.com,inbound,ZZ,Unknown Region,0 +trulia.com,trulia.com,inbound,ZZ,Unknown Region,0 +tsmmail.com,tsmmail.com,inbound,ZZ,Unknown Region,0 +tumblr.com,tumblr.com,inbound,ZZ,Unknown Region,1 +turbine.com,turbine.com,inbound,ZZ,Unknown Region,0 +turner.com,cnn.com,inbound,ZZ,Unknown Region,0 +twe-safelist.com,adminforfree.com,inbound,ZZ,Unknown Region,1 +twitter.com,twitter.com,inbound,ZZ,Unknown Region,0.999969 +twoomail.com,netlogmail.com,inbound,ZZ,Unknown Region,0 +ubivox.com,ubivox.com,inbound,ZZ,Unknown Region,0.964085 +uga.edu,outlook.com,inbound,ZZ,Unknown Region,1 +uhcmedicaresolutions.com,uhcmedicaresolutions.com,inbound,ZZ,Unknown Region,0 +ulta.com,exacttarget.com,inbound,ZZ,Unknown Region,0 +ulta.com,ulta.com,inbound,ZZ,Unknown Region,0 +uniqlo-usa.com,uniqlo-usa.com,inbound,ZZ,Unknown Region,0 +unitedrepublic.org,unitedrepublic.org,inbound,ZZ,Unknown Region,1 +unosinsidersclub.com,unosinsidersclub.com,inbound,ZZ,Unknown Region,0 +urx.com.br,urx.com.br,inbound,ZZ,Unknown Region,0 +usaa.com,usaa.com,inbound,ZZ,Unknown Region,0.999997 +usahockey-email.com,usahockey-email.com,inbound,ZZ,Unknown Region,0 +usndr.com,usndr.com,inbound,ZZ,Unknown Region,1 +usx.com.br,uqx.com.br,inbound,ZZ,Unknown Region,0 +usx.com.br,usx.com.br,inbound,ZZ,Unknown Region,0 +usx.com.br,utx.com.br,inbound,ZZ,Unknown Region,0 +utilitiesjobinsider.com,utilitiesjobinsider.com,inbound,ZZ,Unknown Region,0 +utx.com.br,utx.com.br,inbound,ZZ,Unknown Region,0 +uvarosa.com.br,uvarosa.com.br,inbound,ZZ,Unknown Region,0 +vakifbank.com.tr,vakifbank.com.tr,inbound,ZZ,Unknown Region,1 +vd.nl,emsecure.net,inbound,ZZ,Unknown Region,0 +venca.es,eccluster.com,inbound,ZZ,Unknown Region,0 +verizon.com,verizon.com,inbound,ZZ,Unknown Region,0.999816 +vfoutletvip.com,vfoutletvip.com,inbound,ZZ,Unknown Region,0 +vicinity.nl,picsrv.net,inbound,ZZ,Unknown Region,0.022107 +vietcombank.com.vn,vietcombank.com.vn,inbound,ZZ,Unknown Region,1 +viralsender.com,viralsender.com,inbound,ZZ,Unknown Region,0 +vistaprint.com,vistaprint.com,inbound,ZZ,Unknown Region,0 +vistaprint.com.au,vistaprint.com.au,inbound,ZZ,Unknown Region,0 +vitaminworld.com,email-nbtyinc.com,inbound,ZZ,Unknown Region,0 +vk.com,vkontakte.ru,inbound,ZZ,Unknown Region,0 +vocus.com,vocus.com,inbound,ZZ,Unknown Region,0 +vovici.com,vovici.com,inbound,ZZ,Unknown Region,0 +vresp.com,verticalresponse.com,inbound,ZZ,Unknown Region,0 +vudu.com,vudu.com,inbound,ZZ,Unknown Region,0 +walmart.ca,walmart.ca,inbound,ZZ,Unknown Region,0 +walmart.com,walmart.com,inbound,ZZ,Unknown Region,0.315059 +warehouselogisticsjobinsider.com,warehouselogisticsjobinsider.com,inbound,ZZ,Unknown Region,0 +way2sms.biz,way2sms.biz,inbound,ZZ,Unknown Region,0 +way2sms.in,way2sms.in,inbound,ZZ,Unknown Region,0 +way2smsemail.com,way2smsemail.com,inbound,ZZ,Unknown Region,0 +way2smsemails.com,way2smsemails.com,inbound,ZZ,Unknown Region,0 +way2smsmail.in,way2smsmail.in,inbound,ZZ,Unknown Region,0 +way2smsmails.com,way2smsmails.com,inbound,ZZ,Unknown Region,0 +wealthyaffiliate.com,wealthyaffiliate.com,inbound,ZZ,Unknown Region,1 +webmd.com,webmd.com,inbound,ZZ,Unknown Region,0 +wegottickets.com,wegottickets.com,inbound,ZZ,Unknown Region,0 +weheartit.com,weheartit.com,inbound,ZZ,Unknown Region,1 +wehkamp.nl,wehkamp.nl,inbound,ZZ,Unknown Region,0 +wellsfargo.com,wellsfargo.com,inbound,ZZ,Unknown Region,1 +wemakeprice.com,wemakeprice.com,inbound,ZZ,Unknown Region,0 +westwing.com.br,cust-cluster.com,inbound,ZZ,Unknown Region,0 +westwing.es,ecm-cluster.com,inbound,ZZ,Unknown Region,0 +westwing.ru,ecm-cluster.com,inbound,ZZ,Unknown Region,0 +wgbh.org,wgbh.org,inbound,ZZ,Unknown Region,0 +whaakky.com,whaakky.com,inbound,ZZ,Unknown Region,0 +whereareyounow.com,wayn.net,inbound,ZZ,Unknown Region,0 +whitehouse.gov,whitehouse.gov,inbound,ZZ,Unknown Region,0 +whitelabelpros.com,whitelabelpros.com,inbound,ZZ,Unknown Region,0 +wikia.com,wikia.com,inbound,ZZ,Unknown Region,0.289222 +wisdomitservices.com,infimail.com,inbound,ZZ,Unknown Region,0 +wolfmedia.us,wolfmedia.us,inbound,ZZ,Unknown Region,0 +wordfly.com,wordfly.com,inbound,ZZ,Unknown Region,0 +workhunter.net,workhunter.net,inbound,ZZ,Unknown Region,1 +worldwinner.com,worldwinner.com,inbound,ZZ,Unknown Region,0 +wowcher.co.uk,wowcher.co.uk,inbound,ZZ,Unknown Region,0 +wp.com,wordpress.com,inbound,ZZ,Unknown Region,0 +wpengine.com,wpengine.com,inbound,ZZ,Unknown Region,1 +writers-community.com,writers-community.com,inbound,ZZ,Unknown Region,0 +writersstore.com,writersstore.com,inbound,ZZ,Unknown Region,0 +wsjemail.com,wsjemail.com,inbound,ZZ,Unknown Region,0 +wyndhamhotelgroup.com,wyndhamhotelgroup.com,inbound,ZZ,Unknown Region,0 +xbox.com,xbox.com,inbound,ZZ,Unknown Region,0 +xcelenergy-emailnews.com,xcelenergy-emailnews.com,inbound,ZZ,Unknown Region,0 +xing.com,xing.com,inbound,ZZ,Unknown Region,0 +xxxconnect.com,infinitypersonals.com,inbound,ZZ,Unknown Region,0 +yahoo-inc.com,yahoo.{...},inbound,ZZ,Unknown Region,1 +yahoo.{...},yahoo.{...},inbound,ZZ,Unknown Region,0.999989 +yahoo.{...},yahoodns.net,outbound,ZZ,Unknown Region,1 +yahoogroups.com,yahoodns.net,outbound,ZZ,Unknown Region,1 +yammer.com,yammer.com,inbound,ZZ,Unknown Region,1 +yapikredi.com.tr,yapikredi.com.tr,inbound,ZZ,Unknown Region,1 +yapstone.com,yapstone.com,inbound,ZZ,Unknown Region,0 +yesbank.in,yesbank.in,inbound,ZZ,Unknown Region,0 +yipit.com,yipit.com,inbound,ZZ,Unknown Region,1 +ymail.com,yahoo.{...},inbound,ZZ,Unknown Region,1 +ymail.com,yahoodns.net,outbound,ZZ,Unknown Region,1 +youravon.com,email-avonglobal.com,inbound,ZZ,Unknown Region,0 +yournewsletters.net,everydayhealth.com,inbound,ZZ,Unknown Region,0 +youversion.com,youversion.com,inbound,ZZ,Unknown Region,1 +zappos.com,zappos.com,inbound,ZZ,Unknown Region,0.625377 +zattoo.com,sendnode.com,inbound,ZZ,Unknown Region,0 +zelonews.com.br,zelonews.com.br,inbound,ZZ,Unknown Region,0 +zendesk.com,zdsys.com,inbound,ZZ,Unknown Region,1 +zibmail.info,zibmail.info,inbound,ZZ,Unknown Region,0 +zillow.com,zillow.com,inbound,ZZ,Unknown Region,2.82543102656668e-07 +zinio.net,zinio.com,inbound,ZZ,Unknown Region,1 +zipalerts.com,sendgrid.net,inbound,ZZ,Unknown Region,1 +zipalerts.com,zipalerts.com,inbound,ZZ,Unknown Region,1 +zlavadna.sk,zlavadna.sk,inbound,ZZ,Unknown Region,0 +zoom.com.br,zoom.com.br,inbound,ZZ,Unknown Region,0 +zoominternet.net,synacor.com,inbound,ZZ,Unknown Region,0 +zoosk.com,zoosk.com,inbound,ZZ,Unknown Region,0 +zorpia.com,zorpia.com,inbound,ZZ,Unknown Region,0.520147 +zovifashion.com,eccluster.com,inbound,ZZ,Unknown Region,0 +zyngamail.com,zyngamail.com,inbound,ZZ,Unknown Region,0 \ No newline at end of file From 6a1aa8e6b640e0c6504cdbb9635f88ec9929cd7d Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Thu, 7 Aug 2014 17:34:21 -0400 Subject: [PATCH 057/256] Update to latest config format. --- CheckSTARTTLS.py | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/CheckSTARTTLS.py b/CheckSTARTTLS.py index 205a4a779..9e5117b84 100755 --- a/CheckSTARTTLS.py +++ b/CheckSTARTTLS.py @@ -7,6 +7,7 @@ import socket import subprocess import re import json +import collections import dns.resolver from M2Crypto import X509 @@ -152,12 +153,8 @@ if __name__ == '__main__': if len(sys.argv) == 1: print("Usage: CheckSTARTTLS.py list-of-domains.txt > output.json") - config = { - "address-domains": { - }, - "mx-domains": { - } - } + config = collections.defaultdict(dict) + for domain in open(sys.argv[1]).readlines(): domain = domain.strip() if not os.path.exists(domain): @@ -168,10 +165,10 @@ if __name__ == '__main__': min_version = min_tls_version(domain) if suffix != "": suffix_match = "." + suffix - config["address-domains"][domain] = { + config["acceptable-mxs"][domain] = { "accept-mx-domains": [suffix_match] } - config["mx-domains"][suffix_match] = { + config["tls-policies"][suffix_match] = { "require-tls": True, "min-tls-version": min_version } From 749c4e39e0fa539a36cfa717a07554153ff97406 Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Thu, 7 Aug 2014 17:34:40 -0400 Subject: [PATCH 058/256] Update meta-config with latest domains. --- starttls-everywhere.json | 93 +++++++++++++++++++++++++++++++++------- 1 file changed, 77 insertions(+), 16 deletions(-) diff --git a/starttls-everywhere.json b/starttls-everywhere.json index 5dd487f9a..db76745ef 100644 --- a/starttls-everywhere.json +++ b/starttls-everywhere.json @@ -1,5 +1,15 @@ { - "address-domains": { + "acceptable-mxs": { + "163.com": { + "accept-mx-domains": [ + ".163.com" + ] + }, + "aol.com": { + "accept-mx-domains": [ + ".aol.com" + ] + }, "craigslist.org": { "accept-mx-domains": [ ".craigslist.org" @@ -10,19 +20,49 @@ ".google.com" ] }, - "interia.pl": { + "hotmail.com": { "accept-mx-domains": [ - ".interia.pl" + ".outlook.com" ] }, - "marktplaats.nl": { + "icloud.com": { "accept-mx-domains": [ - ".marktplaats.nl" + ".icloud.com" ] }, - "rambler.ru": { + "live.com": { "accept-mx-domains": [ - ".rambler.ru" + ".outlook.com" + ] + }, + "mac.com": { + "accept-mx-domains": [ + ".icloud.com" + ] + }, + "me.com": { + "accept-mx-domains": [ + ".icloud.com" + ] + }, + "msn.com": { + "accept-mx-domains": [ + ".outlook.com" + ] + }, + "naver.com": { + "accept-mx-domains": [ + ".naver.com" + ] + }, + "outlook.com": { + "accept-mx-domains": [ + ".outlook.com" + ] + }, + "qq.com": { + "accept-mx-domains": [ + ".qq.com" ] }, "rocketmail.com": { @@ -45,9 +85,14 @@ ".yahoo.com" ] }, - "sompo-japan.co.jp": { + "shaw.ca": { "accept-mx-domains": [ - ".psmtp.com" + ".shaw.ca" + ] + }, + "sympatico.ca": { + "accept-mx-domains": [ + ".outlook.com" ] }, "t-online.de": { @@ -60,12 +105,12 @@ ".wp.pl" ] }, - "yahoo.co.uk": { + "yahoo.com": { "accept-mx-domains": [ ".yahoo.com" ] }, - "yahoo.com": { + "yahoogroups.com": { "accept-mx-domains": [ ".yahoo.com" ] @@ -81,7 +126,15 @@ ] } }, - "mx-domains": { + "tls-policies": { + ".163.com": { + "min-tls-version": "TLSv1.1", + "require-tls": true + }, + ".aol.com": { + "min-tls-version": "TLSv1", + "require-tls": true + }, ".craigslist.org": { "min-tls-version": "TLSv1.1", "require-tls": true @@ -90,11 +143,15 @@ "min-tls-version": "TLSv1.1", "require-tls": true }, - ".interia.pl": { + ".icloud.com": { "min-tls-version": "TLSv1", "require-tls": true }, - ".marktplaats.nl": { + ".naver.com": { + "min-tls-version": "TLSv1.1", + "require-tls": true + }, + ".outlook.com": { "min-tls-version": "TLSv1.1", "require-tls": true }, @@ -102,8 +159,12 @@ "min-tls-version": "TLSv1", "require-tls": true }, - ".rambler.ru": { - "min-tls-version": "TLSv1.1", + ".qq.com": { + "min-tls-version": "TLSv1", + "require-tls": true + }, + ".shaw.ca": { + "min-tls-version": "TLSv1", "require-tls": true }, ".t-online.de": { From cebc6f9a205696d7f849bba6ebbd6af549849043 Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Fri, 8 Aug 2014 13:28:01 -0400 Subject: [PATCH 059/256] ProcessGoogleSTARTTLSDomains -> latest CSV format. Also output in a more useful format, require >= 99% encrypted output in the CSV, hande .{...} domains, and manually add gmail.com. --- ProcessGoogleSTARTTLSDomains.py | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/ProcessGoogleSTARTTLSDomains.py b/ProcessGoogleSTARTTLSDomains.py index abb2b3495..3078bd93a 100755 --- a/ProcessGoogleSTARTTLSDomains.py +++ b/ProcessGoogleSTARTTLSDomains.py @@ -15,8 +15,15 @@ from collections import defaultdict csvreader = csv.reader(codecs.open(sys.argv[1], "rU", "utf-8"), delimiter=',', quotechar='"') d = defaultdict(set) -for (address_suffix, hostname_suffix, direction, region, fraction_encrypted) in csvreader: +# Google's report doesn't include gmail.com because it's local delivery, but we +# know they support STARTTLS, so manually include them. +d["gmail.com"] = set([1]) +for (address_suffix, hostname_suffix, direction, region, region_name, fraction_encrypted) in csvreader: if direction == "outbound": + # Some domains exist in many TLDs and are summarized as, e.g. yahoo.{...}. + # We're tryingto get a solid list of the relevant TLDs, but in the meantime + # just use .com. + address_suffix = address_suffix.replace("{...}", "com") try: d[address_suffix].add(float(fraction_encrypted)) except ValueError: @@ -24,4 +31,4 @@ for (address_suffix, hostname_suffix, direction, region, fraction_encrypted) in for address_suffix, fraction_encrypted in d.iteritems(): if min(fraction_encrypted) >= 0.99: - print min(fraction_encrypted), address_suffix + print address_suffix From 21ff3acf932c74455e2d50ac4679afbd5cfb27a4 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Fri, 8 Aug 2014 11:26:59 -0700 Subject: [PATCH 060/256] Set/list comprehensions are a bit more readable than lambdas --- CheckSTARTTLS.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CheckSTARTTLS.py b/CheckSTARTTLS.py index 9e5117b84..ffff05dce 100755 --- a/CheckSTARTTLS.py +++ b/CheckSTARTTLS.py @@ -24,7 +24,7 @@ def mkdirp(path): else: raise def extract_names(pem): - """Return a list of DNS subject names from PEM-encoded leaf cert.""" + """Return a set of DNS subject names from PEM-encoded leaf cert.""" leaf = X509.load_cert_string(pem, X509.FORMAT_PEM) subj = leaf.get_subject() @@ -93,7 +93,7 @@ def check_certs(mail_domain): return "" else: new_names = extract_names_from_openssl_output(filename) - new_names = map(lambda n: public_suffix_list.get_public_suffix(n), new_names) + new_names = set(public_suffix_list.get_public_suffix(n) for in new_names) names.update(new_names) if len(names) >= 1: # Hack: Just pick an arbitrary suffix for now. Do something cleverer later. From ff5810d78f0cdc4e46de03470aa685744b05fa91 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Fri, 8 Aug 2014 11:36:04 -0700 Subject: [PATCH 061/256] Don't accept files on the command line that don't do anything --- CheckSTARTTLS.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CheckSTARTTLS.py b/CheckSTARTTLS.py index ffff05dce..eda1761f0 100755 --- a/CheckSTARTTLS.py +++ b/CheckSTARTTLS.py @@ -150,7 +150,7 @@ def collect(mail_domain): if __name__ == '__main__': """Consume a target list of domains and output a configuration file for those domains.""" - if len(sys.argv) == 1: + if len(sys.argv) != 2: # XXX or accept multiple files as input print("Usage: CheckSTARTTLS.py list-of-domains.txt > output.json") config = collections.defaultdict(dict) From 0bd8134e5fde7930de557c041adf69199ef2cd5a Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Fri, 8 Aug 2014 11:57:01 -0700 Subject: [PATCH 062/256] Comments (and code review in comment form) --- CheckSTARTTLS.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/CheckSTARTTLS.py b/CheckSTARTTLS.py index eda1761f0..a9d8de9de 100755 --- a/CheckSTARTTLS.py +++ b/CheckSTARTTLS.py @@ -86,6 +86,8 @@ def valid_cert(filename): return False def check_certs(mail_domain): + # Return "" if any certs for any mx domains pointed to by mail_domain + # were invalid, and a public suffix for one if they were all valid names = set() for mx_hostname in os.listdir(mail_domain): filename = os.path.join(mail_domain, mx_hostname) @@ -141,6 +143,8 @@ def min_tls_version(mail_domain): return min(protocols) def collect(mail_domain): + # XXX comment this function and explain why we're using the + # filesystem rather than internal data structures for plumbing here print "Checking domain %s" % mail_domain mkdirp(mail_domain) answers = dns.resolver.query(mail_domain, 'MX') From 30ba7e930587ac40104c9bf9d6173e2f8706eb34 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Fri, 8 Aug 2014 13:01:04 -0700 Subject: [PATCH 063/256] Deduplicate stray comment line --- MTAConfigGenerator.py | 1 - 1 file changed, 1 deletion(-) diff --git a/MTAConfigGenerator.py b/MTAConfigGenerator.py index 4d2f3432a..061b9445f 100755 --- a/MTAConfigGenerator.py +++ b/MTAConfigGenerator.py @@ -6,7 +6,6 @@ import os, os.path def parse_line(line_data): """ - Return the left and right hand sides of stripped, non-comment postfix Return the (line number, left hand side, right hand side) of a stripped postfix config line. From 8c6d28ce9583a56fa07d342fdbaf9b4c72eddf0f Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Fri, 8 Aug 2014 13:01:33 -0700 Subject: [PATCH 064/256] Comment with some sample postfix log lines (both those we support already, and those we may want to in the future...) --- PostfixLogSummary.py | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/PostfixLogSummary.py b/PostfixLogSummary.py index daec93db0..566651cc2 100755 --- a/PostfixLogSummary.py +++ b/PostfixLogSummary.py @@ -5,10 +5,26 @@ import collections import ConfigParser +# XXX There's more to be learned from postfix logs! Here's one sample +# observed during failures from the sender vagrant vm: + +# Jun 6 00:21:31 precise32 postfix/smtpd[3648]: connect from localhost[127.0.0.1] +# Jun 6 00:21:34 precise32 postfix/smtpd[3648]: lost connection after STARTTLS from localhost[127.0.0.1] +# Jun 6 00:21:34 precise32 postfix/smtpd[3648]: disconnect from localhost[127.0.0.1] +# Jun 6 00:21:56 precise32 postfix/master[3001]: reload -- version 2.9.6, configuration /etc/postfix +# Jun 6 00:22:01 precise32 postfix/pickup[3674]: AF3B6480475: uid=0 from= +# Jun 6 00:22:01 precise32 postfix/cleanup[3680]: AF3B6480475: message-id=<20140606002201.AF3B6480475@sender.example.com> +# Jun 6 00:22:01 precise32 postfix/qmgr[3673]: AF3B6480475: from=, size=576, nrcpt=1 (queue active) +# Jun 6 00:22:01 precise32 postfix/smtp[3682]: SSL_connect error to valid-example-recipient.com[192.168.33.7]:25: -1 +# Jun 6 00:22:01 precise32 postfix/smtp[3682]: warning: TLS library problem: 3682:error:140740BF:SSL routines:SSL23_CLIENT_HELLO:no protocols available:s23_clnt.c:381: +# Jun 6 00:22:01 precise32 postfix/smtp[3682]: AF3B6480475: to=, relay=valid-example-recipient.com[192.168.33.7]:25, delay=0.06, delays=0.03/0.03/0/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure) +# def get_counts(input, config): seen_trusted = False counts = collections.defaultdict(lambda: collections.defaultdict(int)) + # Typical line looks like: + # Jun 12 06:24:14 sender postfix/smtp[9045]: Untrusted TLS connection established to valid-example-recipient.com[192.168.33.7]:25: TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits) r = re.compile("([A-Za-z]+) TLS connection established to ([^[]*)") for line in sys.stdin: result = r.search(line) From 9cafcf1caf14ca8bb81bf61f9597014f6c060b71 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Fri, 8 Aug 2014 13:15:15 -0700 Subject: [PATCH 065/256] Comment regexp --- PostfixLogSummary.py | 1 + 1 file changed, 1 insertion(+) diff --git a/PostfixLogSummary.py b/PostfixLogSummary.py index 566651cc2..db3653a6f 100755 --- a/PostfixLogSummary.py +++ b/PostfixLogSummary.py @@ -25,6 +25,7 @@ def get_counts(input, config): counts = collections.defaultdict(lambda: collections.defaultdict(int)) # Typical line looks like: # Jun 12 06:24:14 sender postfix/smtp[9045]: Untrusted TLS connection established to valid-example-recipient.com[192.168.33.7]:25: TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits) + # ([^[]*) <--- any group of characters that is not "[" r = re.compile("([A-Za-z]+) TLS connection established to ([^[]*)") for line in sys.stdin: result = r.search(line) From 78a55c3823b1794c9ff6d7e268e78e785d817b93 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Fri, 8 Aug 2014 13:16:40 -0700 Subject: [PATCH 066/256] Question about postfix logparsing output --- PostfixLogSummary.py | 1 + 1 file changed, 1 insertion(+) diff --git a/PostfixLogSummary.py b/PostfixLogSummary.py index db3653a6f..1c9d64610 100755 --- a/PostfixLogSummary.py +++ b/PostfixLogSummary.py @@ -40,6 +40,7 @@ def get_counts(input, config): counts[d][validation] += 1 counts[d]["all"] += 1 if not seen_trusted: + # XXX aren't these outbound? How can the admin install certs? print "Didn't see any trusted connections. Need to install some certs?" return counts From e0edc1b7ec0867d2624ef56d33da79765d776554 Mon Sep 17 00:00:00 2001 From: jsha Date: Tue, 12 Aug 2014 12:18:32 -0400 Subject: [PATCH 067/256] Add link to mailing list. --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index e50630ab8..3f5818255 100644 --- a/README.md +++ b/README.md @@ -4,6 +4,10 @@ Jacob Hoffman-Andrews , Peter Eckersley +## Mailing List + +starttls-everywhere@eff.org, https://lists.eff.org/mailman/listinfo/starttls-everywhere + ## Background Most email transferred between SMTP servers (aka MTAs) is transmitted in the clear and trivially interceptable. Encryption of SMTP traffic is possible using the STARTTLS mechanism, which encrypts traffic but is vulnerable to a trivial downgrade attack. From ad40618897ee3905a7e651443ba0fb624eebbfdf Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Wed, 13 Aug 2014 10:49:50 -0400 Subject: [PATCH 068/256] Respond to pde's comments --- CheckSTARTTLS.py | 52 ++++++++++++++++++++++++-------------------- PostfixLogSummary.py | 7 +++--- 2 files changed, 33 insertions(+), 26 deletions(-) diff --git a/CheckSTARTTLS.py b/CheckSTARTTLS.py index a9d8de9de..7c9c94e0f 100755 --- a/CheckSTARTTLS.py +++ b/CheckSTARTTLS.py @@ -86,8 +86,10 @@ def valid_cert(filename): return False def check_certs(mail_domain): - # Return "" if any certs for any mx domains pointed to by mail_domain - # were invalid, and a public suffix for one if they were all valid + """ + Return "" if any certs for any mx domains pointed to by mail_domain + were invalid, and a public suffix for one if they were all valid + """ names = set() for mx_hostname in os.listdir(mail_domain): filename = os.path.join(mail_domain, mx_hostname) @@ -95,7 +97,7 @@ def check_certs(mail_domain): return "" else: new_names = extract_names_from_openssl_output(filename) - new_names = set(public_suffix_list.get_public_suffix(n) for in new_names) + new_names = set(public_suffix_list.get_public_suffix(n) for n in new_names) names.update(new_names) if len(names) >= 1: # Hack: Just pick an arbitrary suffix for now. Do something cleverer later. @@ -143,8 +145,11 @@ def min_tls_version(mail_domain): return min(protocols) def collect(mail_domain): - # XXX comment this function and explain why we're using the - # filesystem rather than internal data structures for plumbing here + """ + Attempt to connect to each MX hostname for mail_doman and negotiate STARTTLS. + Store the output in a directory with the same name as mail_domain to make + subsequent analysis faster. + """ print "Checking domain %s" % mail_domain mkdirp(mail_domain) answers = dns.resolver.query(mail_domain, 'MX') @@ -154,27 +159,28 @@ def collect(mail_domain): if __name__ == '__main__': """Consume a target list of domains and output a configuration file for those domains.""" - if len(sys.argv) != 2: # XXX or accept multiple files as input + if len(sys.argv) < 2: print("Usage: CheckSTARTTLS.py list-of-domains.txt > output.json") config = collections.defaultdict(dict) - for domain in open(sys.argv[1]).readlines(): - domain = domain.strip() - if not os.path.exists(domain): - collect(domain) - if len(os.listdir(domain)) == 0: - continue - suffix = check_certs(domain) - min_version = min_tls_version(domain) - if suffix != "": - suffix_match = "." + suffix - config["acceptable-mxs"][domain] = { - "accept-mx-domains": [suffix_match] - } - config["tls-policies"][suffix_match] = { - "require-tls": True, - "min-tls-version": min_version - } + for input in sys.argv[1:]: + for domain in open(input).readlines(): + domain = domain.strip() + if not os.path.exists(domain): + collect(domain) + if len(os.listdir(domain)) == 0: + continue + suffix = check_certs(domain) + min_version = min_tls_version(domain) + if suffix != "": + suffix_match = "." + suffix + config["acceptable-mxs"][domain] = { + "accept-mx-domains": [suffix_match] + } + config["tls-policies"][suffix_match] = { + "require-tls": True, + "min-tls-version": min_version + } print json.dumps(config, indent=2, sort_keys=True) diff --git a/PostfixLogSummary.py b/PostfixLogSummary.py index 1c9d64610..b68c7f6c6 100755 --- a/PostfixLogSummary.py +++ b/PostfixLogSummary.py @@ -5,7 +5,7 @@ import collections import ConfigParser -# XXX There's more to be learned from postfix logs! Here's one sample +# TODO: There's more to be learned from postfix logs! Here's one sample # observed during failures from the sender vagrant vm: # Jun 6 00:21:31 precise32 postfix/smtpd[3648]: connect from localhost[127.0.0.1] @@ -40,8 +40,9 @@ def get_counts(input, config): counts[d][validation] += 1 counts[d]["all"] += 1 if not seen_trusted: - # XXX aren't these outbound? How can the admin install certs? - print "Didn't see any trusted connections. Need to install some certs?" + # Postfix will only emit 'Trusted' if the certificate validates according to + # the set of trust roots (CA certs) configured in smtp_tls_CAfile. + print "Didn't see any trusted connections. Need to install some trust roots?" return counts def print_summary(counts): From 31e320d0a7832ca8d25032eeb321cce75f48b51b Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Wed, 13 Aug 2014 15:59:50 -0400 Subject: [PATCH 069/256] Collect certs in a subdir. --- CheckSTARTTLS.py | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/CheckSTARTTLS.py b/CheckSTARTTLS.py index 7c9c94e0f..e8adc010e 100755 --- a/CheckSTARTTLS.py +++ b/CheckSTARTTLS.py @@ -14,6 +14,7 @@ from M2Crypto import X509 from publicsuffix import PublicSuffixList public_suffix_list = PublicSuffixList() +CERTS_OBSERVED = 'certs-observed' def mkdirp(path): try: @@ -63,7 +64,7 @@ def tls_connect(mx_host, mail_domain): return # Save a copy of the certificate for later analysis - with open(os.path.join(mail_domain, mx_host), "w") as f: + with open(os.path.join(CERTS_OBSERVED, mail_domain, mx_host), "w") as f: f.write(output) def valid_cert(filename): @@ -90,9 +91,12 @@ def check_certs(mail_domain): Return "" if any certs for any mx domains pointed to by mail_domain were invalid, and a public suffix for one if they were all valid """ + dir = os.path.join(CERTS_OBSERVED, mail_domain) + if not os.path.exists(dir): + collect(mail_domain) names = set() - for mx_hostname in os.listdir(mail_domain): - filename = os.path.join(mail_domain, mx_hostname) + for mx_hostname in os.listdir(dir): + filename = os.path.join(dir, mx_hostname) if not valid_cert(filename): return "" else: @@ -137,8 +141,8 @@ def supports_starttls(mx_host): def min_tls_version(mail_domain): protocols = [] - for mx_hostname in os.listdir(mail_domain): - filename = os.path.join(mail_domain, mx_hostname) + for mx_hostname in os.listdir(os.path.join(CERTS_OBSERVED, mail_domain)): + filename = os.path.join(CERTS_OBSERVED, mail_domain, mx_hostname) contents = open(filename).read() protocol = re.findall("Protocol : (.*)", contents)[0] protocols.append(protocol) @@ -151,7 +155,7 @@ def collect(mail_domain): subsequent analysis faster. """ print "Checking domain %s" % mail_domain - mkdirp(mail_domain) + mkdirp(os.path.join(CERTS_OBSERVED, mail_domain)) answers = dns.resolver.query(mail_domain, 'MX') for rdata in answers: mx_host = str(rdata.exchange).rstrip(".") @@ -167,10 +171,6 @@ if __name__ == '__main__': for input in sys.argv[1:]: for domain in open(input).readlines(): domain = domain.strip() - if not os.path.exists(domain): - collect(domain) - if len(os.listdir(domain)) == 0: - continue suffix = check_certs(domain) min_version = min_tls_version(domain) if suffix != "": From 42c63cb6ddb4864f155a3a844f512a1add61b50f Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Mon, 8 Sep 2014 16:25:40 -0400 Subject: [PATCH 070/256] More informative message for RDNS fail. --- CheckSTARTTLS.py | 11 ++++++++--- requirements.txt | 3 +++ 2 files changed, 11 insertions(+), 3 deletions(-) create mode 100644 requirements.txt diff --git a/CheckSTARTTLS.py b/CheckSTARTTLS.py index e8adc010e..e5c5a4323 100755 --- a/CheckSTARTTLS.py +++ b/CheckSTARTTLS.py @@ -135,8 +135,13 @@ def supports_starttls(mx_host): except socket.error as e: print "Connection to %s failed: %s" % (mx_host, e.strerror) return False - except smtplib.SMTPException: - print "No STARTTLS support on %s" % mx_host + except smtplib.SMTPException, e: + # In order to talk to some hosts, you need to run this from a host that has a + # reverse DNS entry. AWS instances all have reverse DNS, as an example. + if e[0] == 554: + print e[1] + else: + print "No STARTTLS support on %s" % mx_host, e[0] return False def min_tls_version(mail_domain): @@ -172,8 +177,8 @@ if __name__ == '__main__': for domain in open(input).readlines(): domain = domain.strip() suffix = check_certs(domain) - min_version = min_tls_version(domain) if suffix != "": + min_version = min_tls_version(domain) suffix_match = "." + suffix config["acceptable-mxs"][domain] = { "accept-mx-domains": [suffix_match] diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 000000000..891e5809d --- /dev/null +++ b/requirements.txt @@ -0,0 +1,3 @@ +dnspython +publicsuffix +m2crypto From 622fc72dc13d4d9de2c95875e4ef98fff6895b05 Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Wed, 10 Sep 2014 17:36:46 -0400 Subject: [PATCH 071/256] Treat min-tls-version as a minimum. Fixes #5. --- MTAConfigGenerator.py | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/MTAConfigGenerator.py b/MTAConfigGenerator.py index 061b9445f..a733ab27a 100755 --- a/MTAConfigGenerator.py +++ b/MTAConfigGenerator.py @@ -128,7 +128,14 @@ class PostfixConfigGenerator(MTAConfigGenerator): mx_policy = self.policy_config.tls_policies[mx_domain] entry = address_domain + " encrypt" if "min-tls-version" in mx_policy: - entry += " protocols=" + mx_policy["min-tls-version"] + if mx_policy["min-tls-version"].lower() == "tlsv1": + entry += " protocols=!SSLv2,!SSLv3" + elif mx_policy["min-tls-version"].lower() == "tlsv1.1": + entry += " protocols=!SSLv2,!SSLv3,!TLSv1" + elif mx_policy["min-tls-version"].lower() == "tlsv1.2": + entry += " protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" + else: + print mx_policy["min-tls-version"] self.policy_lines.append(entry) f = open(self.policy_file, "w") From a1d016d0312c6f4a9e97ed772c0df90031bda7b5 Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Mon, 13 Oct 2014 15:57:46 -0400 Subject: [PATCH 072/256] Add motivating examples to README --- PostfixLogSummary.py | 25 +++++++++++++++++++------ README.md | 8 ++++++++ 2 files changed, 27 insertions(+), 6 deletions(-) diff --git a/PostfixLogSummary.py b/PostfixLogSummary.py index b68c7f6c6..0348432b0 100755 --- a/PostfixLogSummary.py +++ b/PostfixLogSummary.py @@ -18,18 +18,27 @@ import ConfigParser # Jun 6 00:22:01 precise32 postfix/smtp[3682]: SSL_connect error to valid-example-recipient.com[192.168.33.7]:25: -1 # Jun 6 00:22:01 precise32 postfix/smtp[3682]: warning: TLS library problem: 3682:error:140740BF:SSL routines:SSL23_CLIENT_HELLO:no protocols available:s23_clnt.c:381: # Jun 6 00:22:01 precise32 postfix/smtp[3682]: AF3B6480475: to=, relay=valid-example-recipient.com[192.168.33.7]:25, delay=0.06, delays=0.03/0.03/0/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure) -# +# +# Also: +# Oct 10 19:12:13 sender postfix/smtp[1711]: 62D3F481249: to=, relay=valid-example-recipient.com[192.168.33.7]:25, delay=0.07, delays=0.03/0.01/0.03/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host valid-example-recipient.com[192.168.33.7]) def get_counts(input, config): seen_trusted = False counts = collections.defaultdict(lambda: collections.defaultdict(int)) + tls_deferred = collections.defaultdict(int) # Typical line looks like: # Jun 12 06:24:14 sender postfix/smtp[9045]: Untrusted TLS connection established to valid-example-recipient.com[192.168.33.7]:25: TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits) + # indicate a problem that should be alerted on. # ([^[]*) <--- any group of characters that is not "[" - r = re.compile("([A-Za-z]+) TLS connection established to ([^[]*)") + # Log lines for when a message is deferred for a TLS-related reason. These + deferred_re = re.compile("relay=([^[]*).* status=deferred.*TLS") + # Log lines for when a TLS connection was successfully established. These can + # indicate the difference between Untrusted, Trusted, and Verified certs. + connected_re = re.compile("([A-Za-z]+) TLS connection established to ([^[]*)") for line in sys.stdin: - result = r.search(line) - if result: + deferred = deferred_re.search(line) + connected = connected_re.search(line) + if connected: validation = result.group(1) mx_hostname = result.group(2).lower() if validation == "Trusted" or validation == "Verified": @@ -39,11 +48,14 @@ def get_counts(input, config): for d in address_domains: counts[d][validation] += 1 counts[d]["all"] += 1 + elif deferred: + mx_hostname = result.group(1).lower() + tls_deferred[mx_hostname] += 1 if not seen_trusted: # Postfix will only emit 'Trusted' if the certificate validates according to # the set of trust roots (CA certs) configured in smtp_tls_CAfile. print "Didn't see any trusted connections. Need to install some trust roots?" - return counts + return (counts, tls_deferred) def print_summary(counts): for mx_hostname, validations in counts.items(): @@ -54,5 +66,6 @@ def print_summary(counts): if __name__ == "__main__": config = ConfigParser.Config("starttls-everywhere.json") - counts = get_counts(sys.stdin, config) + (counts, tls_deferred) = get_counts(sys.stdin, config) print_summary(counts) + print tls_deferred diff --git a/README.md b/README.md index 3f5818255..8d6160c9a 100644 --- a/README.md +++ b/README.md @@ -33,6 +33,14 @@ STARTTLS by itself thwarts purely passive eavesdroppers. However, as currently d * Develop a fully-decentralized solution. * Initially we are not engineering to scale to all mail domains on the Internet, though we believe this design can be scaled as required if large numbers of domains publish policies to it. +## Motivating examples + +* [Unnammed mobile broadband provider overwrites STARTTLS flag and commands to + prevent negotiating an encrypted connection] + (https://www.techdirt.com/articles/20141012/06344928801/revealed-isps-already-violating-net-neutrality-to-block-encryption-make-everyone-less-safe-online.shtml) +* [Unknown party removes STARTTLS flag from all SMTP connections leaving + Thailand](http://www.telecomasia.net/content/google-yahoo-smtp-email-severs-hit-thailand) + ## Threat model Attacker has control of routers on the path between two MTAs of interest. Attacker cannot or will not issue valid certificates for arbitrary names. Attacker cannot or will not attack endpoints. We are trying to protect confidentiality and integrity of email transmitted over SMTP between MTAs. From 726afb8b95f7759724c487f1163d582119333332 Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Fri, 17 Oct 2014 15:28:32 -0400 Subject: [PATCH 073/256] Install CAfile on config generation. --- MTAConfigGenerator.py | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/MTAConfigGenerator.py b/MTAConfigGenerator.py index a733ab27a..051d9676d 100755 --- a/MTAConfigGenerator.py +++ b/MTAConfigGenerator.py @@ -28,11 +28,16 @@ class PostfixConfigGenerator(MTAConfigGenerator): def __init__(self, policy_config, postfix_dir, fixup=False): self.fixup = fixup self.postfix_dir = postfix_dir - self.policy_file = os.path.join(postfix_dir, "starttls_everywhere_policy") - MTAConfigGenerator.__init__(self, policy_config) self.postfix_cf_file = self.find_postfix_cf() + if not os.access(self.postfix_cf_file, os.W_OK): + raise Exception("Can't write to %s, please re-run as root." + % self.postfix_cf_file) + self.policy_file = os.path.join(postfix_dir, "starttls_everywhere_policy") + self.ca_file = os.path.join(postfix_dir, "starttls_everywhere_CAfile") + MTAConfigGenerator.__init__(self, policy_config) self.wrangle_existing_config() self.set_domainwise_tls_policies() + self.update_CAfile() os.system("sudo service postfix reload") def ensure_cf_var(self, var, ideal, also_acceptable): @@ -49,7 +54,6 @@ class PostfixConfigGenerator(MTAConfigGenerator): values = map(parse_line, l) if len(set(values)) > 1: if self.fixup: - #print "Scheduling deletions:" + `values` conflicting_lines = [num for num,_var,val in values] self.deletions.extend(conflicting_lines) self.additions.append(var + " = " + ideal) @@ -57,7 +61,6 @@ class PostfixConfigGenerator(MTAConfigGenerator): raise ExistingConfigError, "Conflicting existing config values " + `l` val = values[0][2] if val not in acceptable: - #print "Scheduling deletions:" + `values` if self.fixup: self.deletions.append(values[0][0]) self.additions.append(var + " = " + ideal) @@ -86,6 +89,7 @@ class PostfixConfigGenerator(MTAConfigGenerator): policy_cf_entry = "texthash:" + self.policy_file self.ensure_cf_var("smtp_tls_policy_maps", policy_cf_entry, []) + self.ensure_cf_var("smtp_tls_CAfile", self.ca_file, []) self.maybe_add_config_lines() @@ -109,7 +113,6 @@ class PostfixConfigGenerator(MTAConfigGenerator): self.new_cf += line self.new_cf += sep + new_cf_lines - #print self.new_cf f = open(self.fn, "w") f.write(self.new_cf) f.close() @@ -142,6 +145,10 @@ class PostfixConfigGenerator(MTAConfigGenerator): f.write("\n".join(self.policy_lines) + "\n") f.close() + def update_CAfile(self): + os.system("cat /usr/share/ca-certificates/mozilla/*.crt > " + + self.ca_file) + if __name__ == "__main__": import ConfigParser if len(sys.argv) != 3: @@ -150,3 +157,4 @@ if __name__ == "__main__": c = ConfigParser.Config(sys.argv[1]) postfix_dir = sys.argv[2] pcgen = PostfixConfigGenerator(c, postfix_dir, fixup=True) + print "Done." From 1d47acddfdffe93f75c0d07ae0f127dd1693d984 Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Fri, 17 Oct 2014 15:28:44 -0400 Subject: [PATCH 074/256] Remove extraneous print of config. --- ConfigParser.py | 1 - 1 file changed, 1 deletion(-) diff --git a/ConfigParser.py b/ConfigParser.py index 2d7c88ada..d1c413f74 100755 --- a/ConfigParser.py +++ b/ConfigParser.py @@ -90,7 +90,6 @@ class Config: # XXX is it ever permissible to have a domain with an acceptable-mx # that does not point to a TLS security policy? If not, check/warn/fail # here - print self.tls_policies def get_address_domains(self, mx_hostname): labels = mx_hostname.split(".") From 828c00b758063172990073bd4b667b61c1a30699 Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Fri, 17 Oct 2014 15:28:49 -0400 Subject: [PATCH 075/256] Find deferred lines in log summary. Also add a cron mode that only emits output if there's something wrong. --- PostfixLogSummary.py | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/PostfixLogSummary.py b/PostfixLogSummary.py index 0348432b0..9b2f9c3b1 100755 --- a/PostfixLogSummary.py +++ b/PostfixLogSummary.py @@ -2,6 +2,7 @@ import re import sys import collections +import argparse import ConfigParser @@ -39,8 +40,8 @@ def get_counts(input, config): deferred = deferred_re.search(line) connected = connected_re.search(line) if connected: - validation = result.group(1) - mx_hostname = result.group(2).lower() + validation = connected.group(1) + mx_hostname = connected.group(2).lower() if validation == "Trusted" or validation == "Verified": seen_trusted = True address_domains = config.get_address_domains(mx_hostname) @@ -49,13 +50,13 @@ def get_counts(input, config): counts[d][validation] += 1 counts[d]["all"] += 1 elif deferred: - mx_hostname = result.group(1).lower() + mx_hostname = deferred.group(1).lower() tls_deferred[mx_hostname] += 1 if not seen_trusted: # Postfix will only emit 'Trusted' if the certificate validates according to # the set of trust roots (CA certs) configured in smtp_tls_CAfile. print "Didn't see any trusted connections. Need to install some trust roots?" - return (counts, tls_deferred) + return (counts, tls_deferred, seen_trusted) def print_summary(counts): for mx_hostname, validations in counts.items(): @@ -65,7 +66,19 @@ def print_summary(counts): print mx_hostname, validation, validation_count / validations["all"], "of", validations["all"] if __name__ == "__main__": + arg_parser = argparse.ArgumentParser(description='This is a PyMOTW sample program') + arg_parser.add_argument('-c', action="store_true", dest="cron", default=False) + args = arg_parser.parse_args() + config = ConfigParser.Config("starttls-everywhere.json") - (counts, tls_deferred) = get_counts(sys.stdin, config) - print_summary(counts) - print tls_deferred + (counts, tls_deferred, seen_trusted) = get_counts(sys.stdin, config) + + # If not running in cron, print an overall summary of log lines seen from known hosts. + if not args.cron: + print_summary(counts) + if not seen_trusted: + print 'No Trusted connections seen! Probably need to install a CAfile.' + + if len(tls_deferred) > 0: + print "Some mail was deferred due to TLS problems:" + print tls_deferred From f04e8259a9aef0e6547fe22884268581461512e2 Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Mon, 20 Oct 2014 09:29:22 -0400 Subject: [PATCH 076/256] Protocols separated by colons, not commas. --- MTAConfigGenerator.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/MTAConfigGenerator.py b/MTAConfigGenerator.py index 051d9676d..5ca8f5aee 100755 --- a/MTAConfigGenerator.py +++ b/MTAConfigGenerator.py @@ -132,11 +132,11 @@ class PostfixConfigGenerator(MTAConfigGenerator): entry = address_domain + " encrypt" if "min-tls-version" in mx_policy: if mx_policy["min-tls-version"].lower() == "tlsv1": - entry += " protocols=!SSLv2,!SSLv3" + entry += " protocols=!SSLv2:!SSLv3" elif mx_policy["min-tls-version"].lower() == "tlsv1.1": - entry += " protocols=!SSLv2,!SSLv3,!TLSv1" + entry += " protocols=!SSLv2:!SSLv3:!TLSv1" elif mx_policy["min-tls-version"].lower() == "tlsv1.2": - entry += " protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" + entry += " protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1" else: print mx_policy["min-tls-version"] self.policy_lines.append(entry) From 613a8f5e8877878f3d0b169a045b0f6b2b31adec Mon Sep 17 00:00:00 2001 From: Jacob Hoffman-Andrews Date: Mon, 20 Oct 2014 16:15:13 -0400 Subject: [PATCH 077/256] Improve cronjob operation to only process diffs. --- PostfixLogSummary.py | 34 +++++++++++++++++++++++----------- 1 file changed, 23 insertions(+), 11 deletions(-) diff --git a/PostfixLogSummary.py b/PostfixLogSummary.py index 9b2f9c3b1..be130d958 100755 --- a/PostfixLogSummary.py +++ b/PostfixLogSummary.py @@ -1,11 +1,15 @@ #!/usr/bin/python2.7 +import argparse +import collections +import os import re import sys -import collections -import argparse +import time import ConfigParser +TIME_FORMAT = "%b %d %H:%M:%S" + # TODO: There's more to be learned from postfix logs! Here's one sample # observed during failures from the sender vagrant vm: @@ -22,7 +26,7 @@ import ConfigParser # # Also: # Oct 10 19:12:13 sender postfix/smtp[1711]: 62D3F481249: to=, relay=valid-example-recipient.com[192.168.33.7]:25, delay=0.07, delays=0.03/0.01/0.03/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host valid-example-recipient.com[192.168.33.7]) -def get_counts(input, config): +def get_counts(input, config, earliest_timestamp): seen_trusted = False counts = collections.defaultdict(lambda: collections.defaultdict(int)) @@ -32,11 +36,15 @@ def get_counts(input, config): # indicate a problem that should be alerted on. # ([^[]*) <--- any group of characters that is not "[" # Log lines for when a message is deferred for a TLS-related reason. These - deferred_re = re.compile("relay=([^[]*).* status=deferred.*TLS") + deferred_re = re.compile("relay=([^[ ]*).* status=deferred.*TLS") # Log lines for when a TLS connection was successfully established. These can # indicate the difference between Untrusted, Trusted, and Verified certs. connected_re = re.compile("([A-Za-z]+) TLS connection established to ([^[]*)") + timestamp = 0 for line in sys.stdin: + timestamp = time.strptime(line[0:15], TIME_FORMAT) + if timestamp < earliest_timestamp: + continue deferred = deferred_re.search(line) connected = connected_re.search(line) if connected: @@ -52,11 +60,7 @@ def get_counts(input, config): elif deferred: mx_hostname = deferred.group(1).lower() tls_deferred[mx_hostname] += 1 - if not seen_trusted: - # Postfix will only emit 'Trusted' if the certificate validates according to - # the set of trust roots (CA certs) configured in smtp_tls_CAfile. - print "Didn't see any trusted connections. Need to install some trust roots?" - return (counts, tls_deferred, seen_trusted) + return (counts, tls_deferred, seen_trusted, timestamp) def print_summary(counts): for mx_hostname, validations in counts.items(): @@ -71,7 +75,14 @@ if __name__ == "__main__": args = arg_parser.parse_args() config = ConfigParser.Config("starttls-everywhere.json") - (counts, tls_deferred, seen_trusted) = get_counts(sys.stdin, config) + + last_timestamp_processed = 0 + timestamp_file = '/tmp/starttls-everywhere-last-timestamp-processed.txt' + if os.path.isfile(timestamp_file): + last_timestamp_processed = time.strptime(open(timestamp_file).read(), TIME_FORMAT) + (counts, tls_deferred, seen_trusted, latest_timestamp) = get_counts(sys.stdin, config, last_timestamp_processed) + with open(timestamp_file, "w") as f: + f.write(time.strftime(TIME_FORMAT, latest_timestamp)) # If not running in cron, print an overall summary of log lines seen from known hosts. if not args.cron: @@ -81,4 +92,5 @@ if __name__ == "__main__": if len(tls_deferred) > 0: print "Some mail was deferred due to TLS problems:" - print tls_deferred + for (k, v) in tls_deferred.iteritems(): + print "%s: %s" % (k, v) From fe17c873c0e7bd0f1e6debdb5cc1e6df11bcb0a3 Mon Sep 17 00:00:00 2001 From: pypoet Date: Tue, 13 Oct 2015 17:09:03 -0400 Subject: [PATCH 078/256] Initial re-vamp of the Config object to centralize validation and lay the basis for making compositions of configs and overrides. Lots of TODOs, be warned. --- Config.py | 315 ++++++++++++++++++++++++++++++++++++++++ bigger_test_config.json | 36 +++++ 2 files changed, 351 insertions(+) create mode 100644 Config.py create mode 100644 bigger_test_config.json diff --git a/Config.py b/Config.py new file mode 100644 index 000000000..157c2c2e4 --- /dev/null +++ b/Config.py @@ -0,0 +1,315 @@ +from datetime import datetime +import json + + +"""Idea here being to start with something that is decomposed so it's easier to +make do json in *and* out, differences between configs and config extension. +""" + +def parse_bool_from_json(value, attr_name): + if value in ('true', '1', 1, 'yes'): + bool_value = True + elif value in ('false', '0', 0, 'no'): + bool_value = False + elif value in (True, False): + bool_value = value + else: + raise ValueError('Config value %s is an invalid boolean value.' % attr_name) + return bool_value + + +def parse_timestamp(value, attr_name): + #TODO support full extended timestamp "2014-06-06T14:30:16+00:00" as well + if isinstance(value, datetime): + dt = value + else: + try: + ts = int(value) + dt = datetime.fromtimestamp(ts) + except: + raise ValueError('Config value %s is an invalid timestamp integer.' % attr_name) + return dt + + +def verify_member_of(value, member_list, attr_name): + if value not in member_list: + raise ValueError('Config value "%s" must be one of (%s)' % ( + attr_name, ', '.join(member_list)) + ) + return value + + +def verify_string(value, attr_name, max_length=200): + if not isinstance(value, (str, unicode)): + raise TypeError('Config value %s must be a string.' % attr_name) + if len(value) > max_length: + raise ValueError('Config value %s is too long.' % attr_name) + return value + + +class Config(object): + """Config container for StartTLS Everywhere configuration. + + Intended as a simple container that unifies where validatation occurs, + and is capable of comparing configs to warn of things like changing + certificate fingerprints from one scan to the next. + + There is a one to one mapping of the object attributes to the JSON + object keys, albeit with dashes replaced with underscores. + """ + + def __init__(self): + # container for validated properties with JSON names + self._data = {} + + self.tls_policies = [] + self.acceptable_mxs = [] + + def __add__(self, other_config): + """Allow addition but not really of *full* configs, need to flesh that out.""" + #TODO add this + raise NotImplemented + + def __repr__(self): + #TODO fix this generically, and maybe put it in the inheritence tree + s = '' % (self._data.iteritems()) + return s + + def update(self, other_config): + """Update properties of config from a 'newer' config and force verification.""" + #TODO add this + raise NotImplemented + + def load_from_json_file(self, json_filename, f_open=open): + #TODO add robust catching and checking + # try: + with f_open(json_filename, 'r') as f: + json_str = f.read() + json_dict = json.loads(json_str) + # except oserr + # except json parse err + self.from_json_dict(json_dict) + + def from_json_dict(self, json_dict): + """Assign JSON data to Config properties and declare sub-objects. + + Let's property verification methods do the heavy lifting and mostly + maps between the JSON config names and attributes. Keeps track of + unused variables and warns about them. + """ + for key, val in json_dict.iteritems(): + if key == 'author': + self.author = val + elif key == 'comment': + self.comment = val + elif key == 'expires': + self.expires = val + elif key == 'timestamp': + self.timestamp = val + elif key == 'tls-policies': + self.tls_policies = self.make_tls_policy_dict(val) + elif key == 'acceptable-mxs': + self.acceptable_mxs = self.make_acceptable_mxs_dict(val) + else: + #TODO log warning + print 'Unknown attribute "%s", skipping' % key + + def to_json(self): + #TODO implement output and make sure it can be re-input with identical results + raise NotImplemented + + @property + def author(self): + return self._data.get('author') + + @author.setter + def author(self, value): + self._data['author'] = verify_string(value, 'author') + + @property + def comment(self): + return self._data.get('comment') + + @comment.setter + def comment(self, value): + self._data['comment'] = verify_string(value, 'comment') + + @property + def expires(self): + return self._data.get('expires') + + @expires.setter + def expires(self, value): + self._data['expires'] = parse_timestamp(value, 'expires') + + @property + def timestamp(self): + return self._data.get('timestamp') + + @timestamp.setter + def timestamp(self, value): + self._data['timestamp'] = parse_timestamp(value, 'timestamp') + + def make_tls_policy_dict(self, policy_dict): + tls_policy_dict = {} + for domain_suffix, settings in policy_dict.iteritems(): + new_domain_policy = TLSPolicy(domain_suffix) + #TODO define config errs and use + #try + new_domain_policy.from_json_dict(settings) + #except config err + tls_policy_dict[domain_suffix] = new_domain_policy + return tls_policy_dict + + def make_acceptable_mxs_dict(self, mxs_dict): + acceptable_mxs_dict = {} + for domain, settings in mxs_dict.iteritems(): + new_domain_policy = AcceptableMX(domain) + #TODO define config errs and use + #try + new_domain_policy.from_json_dict(settings) + #except config err + acceptable_mxs_dict[domain] = new_domain_policy + return acceptable_mxs_dict + + def is_valid(self): + #TODO implement with checks to make sure domains don't overlap + # and every acceptable mx has a tls policy, etc. + raise NotImplemented + + +class TLSPolicy(object): + + ENFORCE_MODES = ('enforce', 'log-only') + TLS_VERSIONS = ('TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3') + + def __init__(self, domain_suffix): + # container for validated properties with JSON names + self._data = {} + self.domain_suffix = domain_suffix + + #TODO add me + self.accept_spki_hashs = None + #TODO add me + self.error_notification = None + + def from_json_dict(self, json_dict): + for key, val in json_dict.iteritems(): + if key == 'comment': + self.comment = val + elif key == 'enforce-mode': + self.enforce_mode = val + elif key == 'min-tls-version': + self.min_tls_version = val + elif key == 'require-tls': + self.require_tls = val + elif key == 'require-valid-certificate': + self.require_valid_certificate = val + else: + #TODO wat, log this instead + print 'Unknown key %s' % key + + def is_valid(self): + """Do simple check that config contains all required values. + + Should find a way to expose easily which config values + are required, at least place in error messages such that + incomplete configs will expose it. + """ + required_attrs = ('enforce-mode', 'min-tls-version', + 'require-tls') + values_set = [self._data.get(attr) for attr in required_attrs] + if not all(values_set): + return False + else: + return True + + @property + def comment(self): + return self._data.get('comment') + + @comment.setter + def comment(self, value): + self._data['comment'] = verify_string(value, 'comment') + + @property + def enforce_mode(self): + return self._data.get('enforce-mode') + + @enforce_mode.setter + def enforce_mode(self, value): + self._data['enforce-mode'] = verify_member_of(value, self.ENFORCE_MODES, 'enforce-mode') + + @property + def min_tls_version(self): + return self._data.get('min-tls-version') + + @min_tls_version.setter + def min_tls_version(self, value): + """Should this be dealing only with strings processed by map ... lower()?""" + tls_versions = [ver.lower() for ver in self.TLS_VERSIONS] + tls_versions.extend(self.TLS_VERSIONS) + self._data['min-tls-version'] = verify_member_of(value, tls_versions, 'min-tls-version') + + @property + def require_tls(self): + return self._data.get('require-tls') + + @require_tls.setter + def require_tls(self, value): + self._data['require-tls'] = parse_bool_from_json(value, 'require-tls') + + @property + def require_valid_certificate(self): + return self._data.get('require-valid-certificate') + + @require_valid_certificate.setter + def require_valid_certificate(self, value): + self._data['require-valid-certificate'] = parse_bool_from_json(value, 'require-valid-certificate') + + +class AcceptableMX(object): + """Holds acceptable MX domain suffixes for a single mail serving domain. + + Such as for gmail.com that single mail serving suffix domain is: + gmail-smtp-in.l.google.com. + + Configuration of the acceptable MX suffix domains must match up with TLS policies + for the suffix domains. + """ + def __init__(self, domain): + self.domain = domain + # container for validated properties with JSON names + self._data = {} + self._data['accept-mx-domains'] = [] + + def add_acceptable_mx(self, domain_suffix): + unique_domain_suffixes = set(self._data['accept-mx-domains']) + unique_domain_suffixes.add(domain_suffix) + self._data['accept-mx-domains'] = list(unique_domain_suffixes) + + def is_valid(self): + """Check to make sure there is one acceptable domain suffix. + + This will need to be updated once we can actually test and support + for more than one acceptable domain suffix. + + TODO: could make this object double check the data it is given with + DNS queries. + """ + if len(self._data['accept-mx-domains']) != 1: + return False + else: + return True + + def from_json_dict(self, json_dict): + for key, val in json_dict.iteritems(): + if key == 'accept-mx-domains': + if isinstance(val, list): + for domain_suffix in val: + self.add_acceptable_mx(domain_suffix) + else: + self.add_acceptable_mx(val) + else: + #TODO add logging for this + print 'warning: unknown key %s' % key diff --git a/bigger_test_config.json b/bigger_test_config.json new file mode 100644 index 000000000..e0697fc85 --- /dev/null +++ b/bigger_test_config.json @@ -0,0 +1,36 @@ +{ + "timestamp": 1401414363, + "author": "Electronic Frontier Foundation https://eff.org", + "expires": 1404242424, + "tls-policies": { + ".yahoodns.net": { + "require-valid-certificate": true + }, + ".eff.org": { + "require-tls": true, + "min-tls-version": "TLSv1.1", + "enforce-mode": "enforce", + "accept-spki-hashes": [ + "sha1/5R0zeLx7EWRxqw6HRlgCRxNLHDo=", + "sha1/YlrkMlC6C4SJRZSVyRvnvoJ+8eM=" + ] + }, + ".google.com": { + "require-valid-certificate": true, + "min-tls-version": "TLSv1.1", + "enforce-mode": "log-only", + "error-notification": "https://google.com/post/reports/here" + } + }, + "acceptable-mxs": { + "yahoo.com": { + "accept-mx-domains": [".yahoodns.net"] + }, + "gmail.com": { + "accept-mx-domains": [".google.com"] + }, + "eff.org": { + "accept-mx-domains": [".eff.org"] + } + } +} From 147f58bdbc5cc08c7abe43d304df6efd2ad86fe2 Mon Sep 17 00:00:00 2001 From: pypoet Date: Wed, 14 Oct 2015 02:49:34 -0400 Subject: [PATCH 079/256] Rounds out missing features and is now on par with ConfigParser.py. Still missing logging, composibility and a couple of attributes. --- Config.py | 165 +++++++++++++++++++++++++++++++++--------------------- 1 file changed, 101 insertions(+), 64 deletions(-) diff --git a/Config.py b/Config.py index 157c2c2e4..93504dd5a 100644 --- a/Config.py +++ b/Config.py @@ -1,11 +1,14 @@ from datetime import datetime +from dateutil import parser import json +import pprint """Idea here being to start with something that is decomposed so it's easier to make do json in *and* out, differences between configs and config extension. """ + def parse_bool_from_json(value, attr_name): if value in ('true', '1', 1, 'yes'): bool_value = True @@ -14,26 +17,27 @@ def parse_bool_from_json(value, attr_name): elif value in (True, False): bool_value = value else: - raise ValueError('Config value %s is an invalid boolean value.' % attr_name) + raise ConfigError('Config value %s is an invalid boolean value.' % attr_name) return bool_value def parse_timestamp(value, attr_name): - #TODO support full extended timestamp "2014-06-06T14:30:16+00:00" as well if isinstance(value, datetime): - dt = value - else: - try: - ts = int(value) - dt = datetime.fromtimestamp(ts) - except: - raise ValueError('Config value %s is an invalid timestamp integer.' % attr_name) - return dt + return value + try: + ts = int(value) + return datetime.fromtimestamp(ts) + except (TypeError, ValueError): + pass + try: + return parser.parse(value) + except (TypeError, ValueError): + raise ConfigError('Config value %s is an invalid date or timestamp.' % attr_name) def verify_member_of(value, member_list, attr_name): if value not in member_list: - raise ValueError('Config value "%s" must be one of (%s)' % ( + raise ConfigError('Config value "%s" must be one of (%s)' % ( attr_name, ', '.join(member_list)) ) return value @@ -41,13 +45,67 @@ def verify_member_of(value, member_list, attr_name): def verify_string(value, attr_name, max_length=200): if not isinstance(value, (str, unicode)): - raise TypeError('Config value %s must be a string.' % attr_name) + raise ConfigError('Config value %s must be a string.' % attr_name) if len(value) > max_length: - raise ValueError('Config value %s is too long.' % attr_name) + raise ConfigError('Config value %s is too long.' % attr_name) return value -class Config(object): +def to_dict(config_dict): + """Cleans up BaseConfig children to be serialized.""" + d = {} + for key, val in config_dict.iteritems(): + if isinstance(val, BaseConfig): + d[key] = to_dict(val._data) + elif isinstance(val, datetime): + d[key] = val.strftime('%Y-%m-%dT%H:%M:%S%z') + elif isinstance(val, dict): + d[key] = to_dict(val) + else: + d[key] = val + return d + + +class BaseConfig(object): + """Top level config class for common methods.""" + + def __init__(self): + # container for validated properties with JSON names + self._data = {} + + def __repr__(self): + s = '< %s %s >' % (self.__class__.__name__, + pprint.pformat(self._data)) + return s + + def to_json(self): + d = to_dict(self._data) + return json.dumps(d) + + def write_to_json_file(self, json_filename, f_open=open): + data = self.to_json() + try: + with f_open(json_filename, 'w') as f: + f.write(data) + except IOError: + raise + + def load_from_json_file(self, json_filename, f_open=open): + try: + with f_open(json_filename, 'r') as f: + json_str = f.read() + json_dict = json.loads(json_str) + except IOError: + raise + except ValueError: + raise ConfigError('No valid JSON found in file: %s' % json_filename) + self.from_json_dict(json_dict) + + def from_json_dict(self, json_dict): + raise NotImplmented('BaseConfig should not be populated.') + + +class Config(BaseConfig): """Config container for StartTLS Everywhere configuration. Intended as a simple container that unifies where validatation occurs, @@ -59,37 +117,20 @@ class Config(object): """ def __init__(self): - # container for validated properties with JSON names - self._data = {} - - self.tls_policies = [] - self.acceptable_mxs = [] + super(self.__class__, self).__init__() + self._data['tls-policies'] = {} + self._data['acceptable-mxs'] = {} def __add__(self, other_config): """Allow addition but not really of *full* configs, need to flesh that out.""" #TODO add this raise NotImplemented - def __repr__(self): - #TODO fix this generically, and maybe put it in the inheritence tree - s = '' % (self._data.iteritems()) - return s - def update(self, other_config): """Update properties of config from a 'newer' config and force verification.""" #TODO add this raise NotImplemented - def load_from_json_file(self, json_filename, f_open=open): - #TODO add robust catching and checking - # try: - with f_open(json_filename, 'r') as f: - json_str = f.read() - json_dict = json.loads(json_str) - # except oserr - # except json parse err - self.from_json_dict(json_dict) - def from_json_dict(self, json_dict): """Assign JSON data to Config properties and declare sub-objects. @@ -107,17 +148,13 @@ class Config(object): elif key == 'timestamp': self.timestamp = val elif key == 'tls-policies': - self.tls_policies = self.make_tls_policy_dict(val) + self.make_tls_policy_dict(val) elif key == 'acceptable-mxs': - self.acceptable_mxs = self.make_acceptable_mxs_dict(val) + self.make_acceptable_mxs_dict(val) else: #TODO log warning print 'Unknown attribute "%s", skipping' % key - def to_json(self): - #TODO implement output and make sure it can be re-input with identical results - raise NotImplemented - @property def author(self): return self._data.get('author') @@ -151,47 +188,42 @@ class Config(object): self._data['timestamp'] = parse_timestamp(value, 'timestamp') def make_tls_policy_dict(self, policy_dict): - tls_policy_dict = {} + tls_policy_dict = self._data['tls-policies'] for domain_suffix, settings in policy_dict.iteritems(): new_domain_policy = TLSPolicy(domain_suffix) - #TODO define config errs and use - #try - new_domain_policy.from_json_dict(settings) - #except config err + try: + new_domain_policy.from_json_dict(settings) + except ConfigError as e: + raise tls_policy_dict[domain_suffix] = new_domain_policy - return tls_policy_dict def make_acceptable_mxs_dict(self, mxs_dict): - acceptable_mxs_dict = {} + acceptable_mxs_dict = self._data['acceptable-mxs'] for domain, settings in mxs_dict.iteritems(): new_domain_policy = AcceptableMX(domain) - #TODO define config errs and use - #try - new_domain_policy.from_json_dict(settings) - #except config err + try: + new_domain_policy.from_json_dict(settings) + except ConfigError as e: + raise acceptable_mxs_dict[domain] = new_domain_policy - return acceptable_mxs_dict def is_valid(self): #TODO implement with checks to make sure domains don't overlap # and every acceptable mx has a tls policy, etc. raise NotImplemented + - -class TLSPolicy(object): +class TLSPolicy(BaseConfig): ENFORCE_MODES = ('enforce', 'log-only') TLS_VERSIONS = ('TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3') def __init__(self, domain_suffix): - # container for validated properties with JSON names - self._data = {} + super(self.__class__, self).__init__() self.domain_suffix = domain_suffix - - #TODO add me - self.accept_spki_hashs = None - #TODO add me - self.error_notification = None + #TODO add support for two designed but yet unsupported attrs + # self._data['accept-spki-hashs'] = None + # self._data['error-notification'] = None def from_json_dict(self, json_dict): for key, val in json_dict.iteritems(): @@ -268,7 +300,7 @@ class TLSPolicy(object): self._data['require-valid-certificate'] = parse_bool_from_json(value, 'require-valid-certificate') -class AcceptableMX(object): +class AcceptableMX(BaseConfig): """Holds acceptable MX domain suffixes for a single mail serving domain. Such as for gmail.com that single mail serving suffix domain is: @@ -278,9 +310,8 @@ class AcceptableMX(object): for the suffix domains. """ def __init__(self, domain): + super(self.__class__, self).__init__() self.domain = domain - # container for validated properties with JSON names - self._data = {} self._data['accept-mx-domains'] = [] def add_acceptable_mx(self, domain_suffix): @@ -313,3 +344,9 @@ class AcceptableMX(object): else: #TODO add logging for this print 'warning: unknown key %s' % key + + +class ConfigError(ValueError): + def __init__(self, message): + super(self.__class__, self).__init__(message) + From 6da5de6b19d3247c49290631dd4557a05f1e230b Mon Sep 17 00:00:00 2001 From: pypoet Date: Fri, 16 Oct 2015 00:57:42 -0400 Subject: [PATCH 080/256] Beginnings of generic config composibility in place. --- Config.py | 80 ++++++++++++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 73 insertions(+), 7 deletions(-) diff --git a/Config.py b/Config.py index 93504dd5a..740de35c0 100644 --- a/Config.py +++ b/Config.py @@ -67,7 +67,18 @@ def to_dict(config_dict): class BaseConfig(object): - """Top level config class for common methods.""" + """Top level config class for common methods. + + Requirements for using class: + - list all properties with getters *and* setters in class + variable 'config_properties' + - __init__ of child classes must be callable with *only* + keyword arguments to allow method calls to update to create + a new config + ... more ... + """ + + config_properties = [] def __init__(self): # container for validated properties with JSON names @@ -78,6 +89,27 @@ class BaseConfig(object): pprint.pformat(self._data)) return s + def update(self, newer_config, merge=False, **kwargs): + fresh_config = self.__class__(**kwargs) + if not isinstance(newer_config, self.__class__): + raise ConfigError('Attempting to update a %s with a %s' % ( + self.__class__, + newer_config.__class__)) + for prop_name in self.config_properties: + prop = self.__class__.__dict__.get(prop_name) + assert prop + new_value = prop.fget(newer_config) + old_value = prop.fget(self) + if new_value is not None: + prop.fset(fresh_config, new_value) + elif merge and old_value is not None: + prop.fset(fresh_config, old_value) + return fresh_config + + def merge(self, newer_config, **kwargs): + kwargs['merge'] = True + return self.update(newer_config, **kwargs) + def to_json(self): d = to_dict(self._data) return json.dumps(d) @@ -129,7 +161,10 @@ class Config(BaseConfig): def update(self, other_config): """Update properties of config from a 'newer' config and force verification.""" #TODO add this + new_config = Config() raise NotImplemented + + def from_json_dict(self, json_dict): """Assign JSON data to Config properties and declare sub-objects. @@ -187,6 +222,14 @@ class Config(BaseConfig): def timestamp(self, value): self._data['timestamp'] = parse_timestamp(value, 'timestamp') + @property + def tls_policies(self): + return self._data.get('tls-policies') + + @property + def acceptable_mxs(self): + return self._data.get('acceptable-mxs') + def make_tls_policy_dict(self, policy_dict): tls_policy_dict = self._data['tls-policies'] for domain_suffix, settings in policy_dict.iteritems(): @@ -208,9 +251,19 @@ class Config(BaseConfig): acceptable_mxs_dict[domain] = new_domain_policy def is_valid(self): - #TODO implement with checks to make sure domains don't overlap - # and every acceptable mx has a tls policy, etc. - raise NotImplemented + #TODO implement checks to make sure domains don't overlap + #TODO add debug logging for troubleshooting stake + for mx_config in self.acceptable_mxs.values(): + if not mx_config.is_valid(): + return False + for domain_suffix in mx_config.accept_mx_domains: + # check to make sure every accepted MX has a TLS policy + if not domain_suffix in self.tls_policies: + return False + for tls_config in self.tls_policies.values(): + if not tls_config.is_valid(): + return False + return True class TLSPolicy(BaseConfig): @@ -218,7 +271,10 @@ class TLSPolicy(BaseConfig): ENFORCE_MODES = ('enforce', 'log-only') TLS_VERSIONS = ('TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3') - def __init__(self, domain_suffix): + config_properties = ['comment', 'enforce_mode', 'min_tls_version', + 'require_tls', 'require_valid_certificate'] + + def __init__(self, domain_suffix=None): super(self.__class__, self).__init__() self.domain_suffix = domain_suffix #TODO add support for two designed but yet unsupported attrs @@ -256,6 +312,12 @@ class TLSPolicy(BaseConfig): else: return True + def update(self, newer_policy, **kwargs): + fresh_policy = super(self.__class__, self).update(newer_policy, + domain_suffix=self.domain_suffix) + fresh_policy.domain_suffix = self.domain_suffix + return fresh_policy + @property def comment(self): return self._data.get('comment') @@ -278,7 +340,7 @@ class TLSPolicy(BaseConfig): @min_tls_version.setter def min_tls_version(self, value): - """Should this be dealing only with strings processed by map ... lower()?""" + """TODO: Should this be dealing only with strings processed by map ... lower()?""" tls_versions = [ver.lower() for ver in self.TLS_VERSIONS] tls_versions.extend(self.TLS_VERSIONS) self._data['min-tls-version'] = verify_member_of(value, tls_versions, 'min-tls-version') @@ -309,11 +371,15 @@ class AcceptableMX(BaseConfig): Configuration of the acceptable MX suffix domains must match up with TLS policies for the suffix domains. """ - def __init__(self, domain): + def __init__(self, domain=None): super(self.__class__, self).__init__() self.domain = domain self._data['accept-mx-domains'] = [] + @property + def accept_mx_domains(self): + return self._data.get('accept-mx-domains') + def add_acceptable_mx(self, domain_suffix): unique_domain_suffixes = set(self._data['accept-mx-domains']) unique_domain_suffixes.add(domain_suffix) From 9a71b18b851c58bd7cb7c6a3fdfdaee23bdc3d94 Mon Sep 17 00:00:00 2001 From: pypoet Date: Fri, 23 Oct 2015 18:26:26 -0700 Subject: [PATCH 081/256] Fix updates and merges, add testing to make sure they stay fixed. --- Config.py | 65 ++++++++++++++++++++++++++++++++++++++------- TestConfig.py | 73 +++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 128 insertions(+), 10 deletions(-) create mode 100644 TestConfig.py diff --git a/Config.py b/Config.py index 740de35c0..9cfbad3f0 100644 --- a/Config.py +++ b/Config.py @@ -1,6 +1,7 @@ from datetime import datetime from dateutil import parser import json +import logging import pprint @@ -8,6 +9,10 @@ import pprint make do json in *and* out, differences between configs and config extension. """ +#TODO scope logging and handlers better, control verbosity by command line flags +logger = logging.getLogger(__name__) +logger.addHandler(logging.StreamHandler()) + def parse_bool_from_json(value, attr_name): if value in ('true', '1', 1, 'yes'): @@ -90,7 +95,11 @@ class BaseConfig(object): return s def update(self, newer_config, merge=False, **kwargs): + # removed 'merge' kw arg - and it was passed to constructor + # make a note to not do that, consume it on the param list fresh_config = self.__class__(**kwargs) + logger.debug('from parent update kwargs %s' % kwargs) + logger.debug('from parent update merge %s' % merge) if not isinstance(newer_config, self.__class__): raise ConfigError('Attempting to update a %s with a %s' % ( self.__class__, @@ -108,6 +117,7 @@ class BaseConfig(object): def merge(self, newer_config, **kwargs): kwargs['merge'] = True + logger.debug('from parent merge: %s' % kwargs) return self.update(newer_config, **kwargs) def to_json(self): @@ -163,8 +173,6 @@ class Config(BaseConfig): #TODO add this new_config = Config() raise NotImplemented - - def from_json_dict(self, json_dict): """Assign JSON data to Config properties and declare sub-objects. @@ -187,8 +195,7 @@ class Config(BaseConfig): elif key == 'acceptable-mxs': self.make_acceptable_mxs_dict(val) else: - #TODO log warning - print 'Unknown attribute "%s", skipping' % key + logger.warn('Unknown attribute "%s", skipping' % key) @property def author(self): @@ -294,8 +301,7 @@ class TLSPolicy(BaseConfig): elif key == 'require-valid-certificate': self.require_valid_certificate = val else: - #TODO wat, log this instead - print 'Unknown key %s' % key + logger.warn('Unknown key %s' % key) def is_valid(self): """Do simple check that config contains all required values. @@ -313,9 +319,17 @@ class TLSPolicy(BaseConfig): return True def update(self, newer_policy, **kwargs): + if not kwargs.get('domain_suffix'): + kwargs['domain_suffix'] = self.domain_suffix fresh_policy = super(self.__class__, self).update(newer_policy, - domain_suffix=self.domain_suffix) - fresh_policy.domain_suffix = self.domain_suffix + **kwargs) + logger.debug('from TLS child update %s' % kwargs) + return fresh_policy + + def merge(self, newer_policy, **kwargs): + logger.debug('from TLS child merge: %s' % kwargs) + fresh_policy = super(self.__class__, self).merge(newer_policy, + domain_suffix=self.domain_suffix) return fresh_policy @property @@ -385,6 +399,14 @@ class AcceptableMX(BaseConfig): unique_domain_suffixes.add(domain_suffix) self._data['accept-mx-domains'] = list(unique_domain_suffixes) + @property + def comment(self): + return self._data.get('comment') + + @comment.setter + def comment(self, value): + self._data['comment'] = verify_string(value, 'comment') + def is_valid(self): """Check to make sure there is one acceptable domain suffix. @@ -407,9 +429,32 @@ class AcceptableMX(BaseConfig): self.add_acceptable_mx(domain_suffix) else: self.add_acceptable_mx(val) + elif key == 'comment': + self.comment = val else: - #TODO add logging for this - print 'warning: unknown key %s' % key + logger.warn('warning: unknown key %s' % key) + + def update(self, newer_policy, **kwargs): + logger.debug('from MX child update got %s' % kwargs) + if not kwargs.get('domain'): + kwargs['domain'] = self.domain + fresh_policy = super(self.__class__, self).update(newer_policy, + **kwargs) + if kwargs.get('merge'): + new_accepted_mxs = set(self.accept_mx_domains) + new_accepted_mxs = new_accepted_mxs.union(newer_policy.accept_mx_domains) + else: + new_accepted_mxs = newer_policy.accept_mx_domains + for domain in new_accepted_mxs: + fresh_policy.add_acceptable_mx(domain) + + return fresh_policy + + def merge(self, newer_policy, **kwargs): + logger.debug('from MX child merge: %s' % kwargs) + fresh_policy = super(self.__class__, self).merge(newer_policy, + **kwargs) + return fresh_policy class ConfigError(ValueError): diff --git a/TestConfig.py b/TestConfig.py new file mode 100644 index 000000000..043eb2dca --- /dev/null +++ b/TestConfig.py @@ -0,0 +1,73 @@ +import copy +import logging +import unittest + +import Config + +logger = logging.getLogger(__name__) +logger.addHandler(logging.StreamHandler()) + + +class TestTLSPolicy(unittest.TestCase): + + def setUp(self): + self.old_config = Config.TLSPolicy(domain_suffix='.eff.org') + self.old_config.comment = 'Testing EFF.org TLS policy' + self.old_config.require_tls = True + self.old_config.require_valid_certificate = False + self.old_config.min_tls_version = 'TLSv1' + self.old_config.enforce_mode = 'log-only' + + self.new_config = Config.TLSPolicy(domain_suffix='.eff.org') + self.new_config.require_valid_certificate = True + self.new_config.min_tls_version = 'TLSv1.2' + self.new_config.enforce_mode = 'enforce' + + def testUpdateDropsOldSettings(self): + logger.debug('old: %s' % self.old_config) + logger.debug('new: %s' % self.new_config) + tls_policy = self.old_config.update(self.new_config) + logger.debug('just generated: %s' % tls_policy) + self.assertFalse(any([tls_policy.require_tls, tls_policy.comment])) + + def testMergeKeepsOldSettings(self): + logger.debug('old: %s' % self.old_config) + logger.debug('new: %s' % self.new_config) + tls_policy = self.old_config.merge(self.new_config, merge=True) + logger.debug('just generated: %s' % tls_policy) + self.assertTrue(all([tls_policy.require_tls, tls_policy.comment])) + + def testUpdateGetsNameSet(self): + tls_policy = self.old_config.update(self.new_config) + self.assertEquals(tls_policy.domain_suffix, self.old_config.domain_suffix) + + +class TestAcceptableMX(unittest.TestCase): + + def setUp(self): + self.old_config = Config.AcceptableMX(domain='eff.org') + self.old_config.add_acceptable_mx('.eff.org') + + def testUpdateDropsOldMXs(self): + new_bogus_mx = '.testing.eff.org' + new_config = Config.AcceptableMX(domain='eff.org') + new_config.add_acceptable_mx(new_bogus_mx) + updated_config = self.old_config.update(new_config) + self.assertNotIn('.eff.org', updated_config.accept_mx_domains) + + def testMergeKeepsOldMXs(self): + new_bogus_mx = '.testing.eff.org' + new_config = Config.AcceptableMX(domain='eff.org') + new_config.add_acceptable_mx(new_bogus_mx) + updated_config = self.old_config.merge(new_config) + self.assertListEqual(sorted(['.eff.org', '.testing.eff.org']), + sorted(updated_config.accept_mx_domains)) + + def testUpdateGetsNameSet(self): + new_policy = Config.AcceptableMX(domain=self.old_config.domain) + mx_policy = self.old_config.update(new_policy) + self.assertEquals(mx_policy.domain, self.old_config.domain) + + +if __name__ == '__main__': + unittest.main() From c87b5d6a7834553379b8f1a105adb35685499b96 Mon Sep 17 00:00:00 2001 From: dmwilcox Date: Thu, 21 Jan 2016 00:56:29 -0800 Subject: [PATCH 082/256] Hook the MTA config generation into the new config container. --- Config.py | 77 ++++++++++++++++++++++++++++++++++++++--- MTAConfigGenerator.py | 31 +++++++++-------- PostfixLogSummary.py | 24 ++++++++----- TestConfig.py | 58 +++++++++++++++++++++++++++++++ bigger_test_config.json | 2 +- 5 files changed, 164 insertions(+), 28 deletions(-) diff --git a/Config.py b/Config.py index 9cfbad3f0..eb4f31dba 100644 --- a/Config.py +++ b/Config.py @@ -1,5 +1,6 @@ from datetime import datetime from dateutil import parser +import collections import json import logging import pprint @@ -238,7 +239,7 @@ class Config(BaseConfig): return self._data.get('acceptable-mxs') def make_tls_policy_dict(self, policy_dict): - tls_policy_dict = self._data['tls-policies'] + tls_policy_dict = self.tls_policies for domain_suffix, settings in policy_dict.iteritems(): new_domain_policy = TLSPolicy(domain_suffix) try: @@ -247,6 +248,9 @@ class Config(BaseConfig): raise tls_policy_dict[domain_suffix] = new_domain_policy + def get_tls_policy(self, mx_domain): + return self.tls_policies.get(mx_domain) + def make_acceptable_mxs_dict(self, mxs_dict): acceptable_mxs_dict = self._data['acceptable-mxs'] for domain, settings in mxs_dict.iteritems(): @@ -257,9 +261,71 @@ class Config(BaseConfig): raise acceptable_mxs_dict[domain] = new_domain_policy + def get_address_domains(self, mx_hostname, mx_to_domain_map): + """Do a fuzzy DNS host match on provided map to get lists of policies. + + Args: + mx_hostname (string): The hostname from an MX record. + mx_to_domain_map: Mapping from MX hosts to AcceptableMX + policies, the same AcceptableMX policy may occur more + than once. e.g. {'mx_host3': set(AcceptableMX, ...)} + The map can be generated by Config.get_mx_to_domain_policy_map. + + Returns: + The set containing all AcceptableMX policies that list the + provided MX host as viable. + """ + labels = mx_hostname.split(".") + for n in range(1, len(labels)): + parent = "." + ".".join(labels[n:]) + if parent in mx_to_domains_map: + return mx_to_domain_map[parent] + return None + + def get_mx_to_domain_policy_map(self): + """Create mapping of MX hostnames to sets of AcceptableMX policies. + + Generate a dictionary that is typically used in log analysis + (e.g. if your MTA logs interact with beta.innotech.com you use + this mapping to tell you it used the innotech.com AcceptableMX + policy or policies). There are of course complications. + """ + # create reverse mapping dictionary as well for auditing + # and reviewing logs + mx_to_domain_policy = collections.defaultdict(set) + + for mx_host, domain_policy in self.get_all_mx_items(): + existing_mx_policies = mx_to_domain_policy.get(mx_host) + if existing_mx_policies: + existing_domains = [ e.domain for e in existing_mx_policies ] + if domain_policy.domain not in existing_domains: + #TODO plenty of room to enforce a security policy here + # this is also the case of google apps personal domains + msg = ('Attempting to add domain policy (%s) for MX host but MX' + ' host already has a domain policy (%s), appending...') + logger.debug(msg % (domain_policy.domain, + ', '.join(existing_domains))) + mx_to_domain_policy[mx_host].add(domain_policy) + return mx_to_domain_policy + + def get_all_mx_items(self): + """Iterate over (mx_host, mx_policy) - be sure to dedup!""" + all_mx_items = [] + for policy in self.acceptable_mxs.values(): + accepted_mxs = policy.accept_mx_domains + all_mx_items.extend([(mx_host, policy) + for mx_host in accepted_mxs]) + return all_mx_items + + def get_all_mx_hosts(self): + all_mx_hosts = [] + [ all_mx_hosts.extend(domain_policy.acceptable_mxs) + for domain_policy in self.acceptable_mxs.values() ] + return all_mx_hosts + def is_valid(self): #TODO implement checks to make sure domains don't overlap - #TODO add debug logging for troubleshooting stake + #TODO add debug logging for troubleshooting sake for mx_config in self.acceptable_mxs.values(): if not mx_config.is_valid(): return False @@ -267,9 +333,13 @@ class Config(BaseConfig): # check to make sure every accepted MX has a TLS policy if not domain_suffix in self.tls_policies: return False - for tls_config in self.tls_policies.values(): + all_mx_hosts = self.get_all_mx_hosts() + for domain_suffix, tls_config in self.tls_policies.iteritems(): if not tls_config.is_valid(): return False + # make sure no unclaimed TLS policies have made their way in + if domain_suffix not in all_mx_hosts: + return False return True @@ -460,4 +530,3 @@ class AcceptableMX(BaseConfig): class ConfigError(ValueError): def __init__(self, message): super(self.__class__, self).__init__(message) - diff --git a/MTAConfigGenerator.py b/MTAConfigGenerator.py index a733ab27a..f83d98d93 100755 --- a/MTAConfigGenerator.py +++ b/MTAConfigGenerator.py @@ -33,6 +33,7 @@ class PostfixConfigGenerator(MTAConfigGenerator): self.postfix_cf_file = self.find_postfix_cf() self.wrangle_existing_config() self.set_domainwise_tls_policies() + #TODO make this optional for testing, etc. os.system("sudo service postfix reload") def ensure_cf_var(self, var, ideal, also_acceptable): @@ -120,33 +121,35 @@ class PostfixConfigGenerator(MTAConfigGenerator): def set_domainwise_tls_policies(self): self.policy_lines = [] - for address_domain, properties in self.policy_config.acceptable_mxs.items(): - mx_list = properties["accept-mx-domains"] + all_acceptable_mxs = self.policy_config.get_acceptable_mxs_dict() + for address_domain, properties in all_acceptable_mxs.items(): + mx_list = properties.accept_mx_domains if len(mx_list) > 1: print "Lists of multiple accept-mx-domains not yet supported, skipping ", address_domain mx_domain = mx_list[0] - mx_policy = self.policy_config.tls_policies[mx_domain] + mx_policy = self.policy_config.get_tls_policy(mx_domain) entry = address_domain + " encrypt" - if "min-tls-version" in mx_policy: - if mx_policy["min-tls-version"].lower() == "tlsv1": - entry += " protocols=!SSLv2,!SSLv3" - elif mx_policy["min-tls-version"].lower() == "tlsv1.1": - entry += " protocols=!SSLv2,!SSLv3,!TLSv1" - elif mx_policy["min-tls-version"].lower() == "tlsv1.2": - entry += " protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" - else: - print mx_policy["min-tls-version"] + if mx_policy.min_tls_version.lower() == "tlsv1": + entry += " protocols=!SSLv2,!SSLv3" + elif mx_policy.min_tls_version.lower() == "tlsv1.1": + entry += " protocols=!SSLv2,!SSLv3,!TLSv1" + elif mx_policy.min_tls_version.lower() == "tlsv1.2": + entry += " protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" + else: + print mx_policy.min_tls_version self.policy_lines.append(entry) f = open(self.policy_file, "w") f.write("\n".join(self.policy_lines) + "\n") f.close() + if __name__ == "__main__": - import ConfigParser + import Config as config if len(sys.argv) != 3: print "Usage: MTAConfigGenerator starttls-everywhere.json /etc/postfix" sys.exit(1) - c = ConfigParser.Config(sys.argv[1]) + c = config.Config() + c.load_from_json_file(sys.argv[1]) postfix_dir = sys.argv[2] pcgen = PostfixConfigGenerator(c, postfix_dir, fixup=True) diff --git a/PostfixLogSummary.py b/PostfixLogSummary.py index 0348432b0..c08e953ae 100755 --- a/PostfixLogSummary.py +++ b/PostfixLogSummary.py @@ -3,7 +3,7 @@ import re import sys import collections -import ConfigParser +import Config as config # TODO: There's more to be learned from postfix logs! Here's one sample # observed during failures from the sender vagrant vm: @@ -35,21 +35,23 @@ def get_counts(input, config): # Log lines for when a TLS connection was successfully established. These can # indicate the difference between Untrusted, Trusted, and Verified certs. connected_re = re.compile("([A-Za-z]+) TLS connection established to ([^[]*)") + mx_to_domain_mapping = config.get_mx_to_domain_policy_map() + for line in sys.stdin: deferred = deferred_re.search(line) connected = connected_re.search(line) if connected: - validation = result.group(1) - mx_hostname = result.group(2).lower() + validation = connected.group(1) + mx_hostname = connected.group(2).lower() if validation == "Trusted" or validation == "Verified": seen_trusted = True - address_domains = config.get_address_domains(mx_hostname) + address_domains = config.get_address_domains(mx_hostname, mx_to_domain_mapping) if address_domains: - for d in address_domains: - counts[d][validation] += 1 - counts[d]["all"] += 1 + d = ', '.join(address_domains) + counts[d][validation] += 1 + counts[d]["all"] += 1 elif deferred: - mx_hostname = result.group(1).lower() + mx_hostname = deferred.group(1).lower() tls_deferred[mx_hostname] += 1 if not seen_trusted: # Postfix will only emit 'Trusted' if the certificate validates according to @@ -65,7 +67,11 @@ def print_summary(counts): print mx_hostname, validation, validation_count / validations["all"], "of", validations["all"] if __name__ == "__main__": - config = ConfigParser.Config("starttls-everywhere.json") + if len(sys.argv) != 2: + print "Usage: %s starttls-everywhere.json" % sys.argv[0] + sys.exit(1) + c = config.Config() + c.load_from_json_file(sys.argv[1]) (counts, tls_deferred) = get_counts(sys.stdin, config) print_summary(counts) print tls_deferred diff --git a/TestConfig.py b/TestConfig.py index 043eb2dca..f323554c0 100644 --- a/TestConfig.py +++ b/TestConfig.py @@ -1,4 +1,5 @@ import copy +import itertools import logging import unittest @@ -69,5 +70,62 @@ class TestAcceptableMX(unittest.TestCase): self.assertEquals(mx_policy.domain, self.old_config.domain) +class TestConfig(unittest.TestCase): + """Test entire configuration. + + Currently lower coverage is being obtained since string sets are + being compared rather than returned objects. Comparison logic for + the config objects isn't clear yet and proof that they function is enough. + """ + + def setUp(self): + self.config = Config.Config() + domain_policies = self.config._data['acceptable-mxs'] + self.mail_domains = ['gmail.com', 'yahoo.com', 'hotmail.com', '123.cn', 'qq.com'] + for domain in self.mail_domains: + new = Config.AcceptableMX(domain=domain) + new.add_acceptable_mx('.' + domain) + domain_policies[domain] = new + + def testGetAllMxItems(self): + """Make sure the basic use case of get_all_mx_items functions.""" + # [ ('.gmail.com', 'gmail.com'), ('.yahoo.com', 'yahoo.com'), ... ] + control_data = [ ('.' + domain, domain) for domain in self.mail_domains ] + test_data = [ (mx, p.domain) for mx, p in self.config.get_all_mx_items() ] + self.assertListEqual(sorted(test_data), sorted(control_data)) + + def testGetAllMxItemsMultiMX(self): + config = copy.deepcopy(self.config) + domain_policy = config.acceptable_mxs.get('gmail.com') + # deal with reality, mail.google.com + domain_policy.add_acceptable_mx('.mail.google.com') + control_data = [ ('.' + domain, domain) for domain in self.mail_domains ] + control_data.append(('.mail.google.com', 'gmail.com')) + test_data = [ (mx, p.domain) for mx, p in config.get_all_mx_items() ] + self.assertListEqual(sorted(test_data), sorted(control_data)) + + def testGetMXtoDomainPolicy(self): + control_data = dict([ ('.' + domain, set([domain])) + for domain in self.mail_domains ]) + test_data = {} + for mx, pset in self.config.get_mx_to_domain_policy_map().items(): + policy_list = [ p.domain for p in pset ] + test_data[mx] = set(policy_list) + self.assertDictEqual(test_data, control_data) + + def testGetMXtoDomainPolicyMultiMX(self): + config = copy.deepcopy(self.config) + domain_policy = config.acceptable_mxs.get('gmail.com') + domain_policy.add_acceptable_mx('.mail.google.com') + control_data = dict([ ('.' + domain, set([domain])) + for domain in self.mail_domains ]) + control_data['.mail.google.com'] = set(['gmail.com']) + test_data = {} + for mx, pset in config.get_mx_to_domain_policy_map().items(): + policy_list = [ p.domain for p in pset ] + test_data[mx] = set(policy_list) + self.assertDictEqual(test_data, control_data) + + if __name__ == '__main__': unittest.main() diff --git a/bigger_test_config.json b/bigger_test_config.json index e0697fc85..c3c23c455 100644 --- a/bigger_test_config.json +++ b/bigger_test_config.json @@ -1,7 +1,7 @@ { "timestamp": 1401414363, "author": "Electronic Frontier Foundation https://eff.org", - "expires": 1404242424, + "expires": "2015-08-01T12:00:00+08:00", "tls-policies": { ".yahoodns.net": { "require-valid-certificate": true From 7c6c3efb0f94a6954c99cc8e90b9f0821c1222a8 Mon Sep 17 00:00:00 2001 From: dmwilcox Date: Thu, 21 Jan 2016 01:46:30 -0800 Subject: [PATCH 083/256] Confirmed Postfix log parsing is working again. --- Config.py | 2 +- PostfixLogSummary.py | 9 +++++---- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/Config.py b/Config.py index eb4f31dba..256a17b04 100644 --- a/Config.py +++ b/Config.py @@ -278,7 +278,7 @@ class Config(BaseConfig): labels = mx_hostname.split(".") for n in range(1, len(labels)): parent = "." + ".".join(labels[n:]) - if parent in mx_to_domains_map: + if parent in mx_to_domain_map: return mx_to_domain_map[parent] return None diff --git a/PostfixLogSummary.py b/PostfixLogSummary.py index c08e953ae..f9e717f66 100755 --- a/PostfixLogSummary.py +++ b/PostfixLogSummary.py @@ -3,7 +3,7 @@ import re import sys import collections -import Config as config +import Config # TODO: There's more to be learned from postfix logs! Here's one sample # observed during failures from the sender vagrant vm: @@ -47,7 +47,8 @@ def get_counts(input, config): seen_trusted = True address_domains = config.get_address_domains(mx_hostname, mx_to_domain_mapping) if address_domains: - d = ', '.join(address_domains) + domains_str = [ a.domain for a in address_domains ] + d = ', '.join(domains_str) counts[d][validation] += 1 counts[d]["all"] += 1 elif deferred: @@ -70,8 +71,8 @@ if __name__ == "__main__": if len(sys.argv) != 2: print "Usage: %s starttls-everywhere.json" % sys.argv[0] sys.exit(1) - c = config.Config() - c.load_from_json_file(sys.argv[1]) + config = Config.Config() + config.load_from_json_file(sys.argv[1]) (counts, tls_deferred) = get_counts(sys.stdin, config) print_summary(counts) print tls_deferred From 904dc11b03a9883952572b6b3294edcd040fc64a Mon Sep 17 00:00:00 2001 From: dmwilcox Date: Wed, 17 Feb 2016 09:45:37 -0800 Subject: [PATCH 084/256] Add docstrings for Config objects update/merge methods. --- Config.py | 39 +++++++++++++++++++++++++++++++++++++-- 1 file changed, 37 insertions(+), 2 deletions(-) diff --git a/Config.py b/Config.py index 256a17b04..dc402529a 100644 --- a/Config.py +++ b/Config.py @@ -1,5 +1,5 @@ from datetime import datetime -from dateutil import parser +from dateutil import dateutil_parser import collections import json import logging @@ -36,7 +36,7 @@ def parse_timestamp(value, attr_name): except (TypeError, ValueError): pass try: - return parser.parse(value) + return dateutil_parser.parse(value) except (TypeError, ValueError): raise ConfigError('Config value %s is an invalid date or timestamp.' % attr_name) @@ -96,6 +96,30 @@ class BaseConfig(object): return s def update(self, newer_config, merge=False, **kwargs): + """Create a fresh config combining the new and old configs. + + It does this by iterating over the 'config_properties' class + attribute which contains names of property attributes for the config. + + Two methods of combining configs are possible, an 'update' and + a 'merge', the latter set by the keyword argument 'merge=True'. + + An update overrides older values with new values -- even if those + new values are None. Update will remove values that are present in + the old config if they are not present in the new config. + + A merge by comparison will allow old values to persist if they are + not specified in the new config. This can be used for end-user + customizations to override specific settings without having to re-create + large portions of a config to override it. + + Arguments: + newer_config: A config object to combine with the current config. + merge: Allows old values not overridden to survive into the fresh config. + + Returns: + A config object of the same sort as called upon. + """ # removed 'merge' kw arg - and it was passed to constructor # make a note to not do that, consume it on the param list fresh_config = self.__class__(**kwargs) @@ -117,6 +141,17 @@ class BaseConfig(object): return fresh_config def merge(self, newer_config, **kwargs): + """Combines configs and keeps old values if they are not overridden. + + See docstring for 'update' method for more details. + + Arguments: + newer_config: A config object to combine with the current config. + merge: Allows old values not overridden to survive into the fresh config. + + Returns: + A config object of the same sort as called upon. + """ kwargs['merge'] = True logger.debug('from parent merge: %s' % kwargs) return self.update(newer_config, **kwargs) From 146fce3878f7b75ae3e7a9733f79cfae666de448 Mon Sep 17 00:00:00 2001 From: dmwilcox Date: Wed, 17 Feb 2016 09:51:37 -0800 Subject: [PATCH 085/256] Add comment about magic hat trick with class properties. --- Config.py | 1 + 1 file changed, 1 insertion(+) diff --git a/Config.py b/Config.py index dc402529a..402fb4953 100644 --- a/Config.py +++ b/Config.py @@ -130,6 +130,7 @@ class BaseConfig(object): self.__class__, newer_config.__class__)) for prop_name in self.config_properties: + # get the specified property off of the current class prop = self.__class__.__dict__.get(prop_name) assert prop new_value = prop.fget(newer_config) From 9abef4c0bdf33fd4e2c874103def6c9bcac74462 Mon Sep 17 00:00:00 2001 From: dmwilcox Date: Wed, 17 Feb 2016 10:20:56 -0800 Subject: [PATCH 086/256] Log MX records that will not be configured. --- MTAConfigGenerator.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/MTAConfigGenerator.py b/MTAConfigGenerator.py index f83d98d93..1c273cf94 100755 --- a/MTAConfigGenerator.py +++ b/MTAConfigGenerator.py @@ -125,7 +125,9 @@ class PostfixConfigGenerator(MTAConfigGenerator): for address_domain, properties in all_acceptable_mxs.items(): mx_list = properties.accept_mx_domains if len(mx_list) > 1: - print "Lists of multiple accept-mx-domains not yet supported, skipping ", address_domain + print "Lists of multiple accept-mx-domains not yet supported." + print "Using MX %s for %s" % (mx_list[0], address_domain) + print "Ignoring: %s" % (', '.join(mx_list[1:])) mx_domain = mx_list[0] mx_policy = self.policy_config.get_tls_policy(mx_domain) entry = address_domain + " encrypt" From 39a01190d50514666a9bc6f147fc9ba6cce20227 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 17 Feb 2016 11:19:02 -0800 Subject: [PATCH 087/256] Use 4 space indents For greater compatibility with LE codebases --- MTAConfigGenerator.py | 262 +++++++++++++++++++++--------------------- 1 file changed, 131 insertions(+), 131 deletions(-) diff --git a/MTAConfigGenerator.py b/MTAConfigGenerator.py index 1c273cf94..bb3d5e5db 100755 --- a/MTAConfigGenerator.py +++ b/MTAConfigGenerator.py @@ -5,153 +5,153 @@ import string import os, os.path def parse_line(line_data): - """ - Return the (line number, left hand side, right hand side) of a stripped - postfix config line. + """ + Return the (line number, left hand side, right hand side) of a stripped + postfix config line. - Lines are like: - smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache - """ - num,line = line_data - left, sep, right = line.partition("=") - if not sep: - return None - return (num, left.strip(), right.strip()) + Lines are like: + smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache + """ + num,line = line_data + left, sep, right = line.partition("=") + if not sep: + return None + return (num, left.strip(), right.strip()) class MTAConfigGenerator: - def __init__(self, policy_config): - self.policy_config = policy_config + def __init__(self, policy_config): + self.policy_config = policy_config class ExistingConfigError(ValueError): pass class PostfixConfigGenerator(MTAConfigGenerator): - def __init__(self, policy_config, postfix_dir, fixup=False): - self.fixup = fixup - self.postfix_dir = postfix_dir - self.policy_file = os.path.join(postfix_dir, "starttls_everywhere_policy") - MTAConfigGenerator.__init__(self, policy_config) - self.postfix_cf_file = self.find_postfix_cf() - self.wrangle_existing_config() - self.set_domainwise_tls_policies() - #TODO make this optional for testing, etc. - os.system("sudo service postfix reload") + def __init__(self, policy_config, postfix_dir, fixup=False): + self.fixup = fixup + self.postfix_dir = postfix_dir + self.policy_file = os.path.join(postfix_dir, "starttls_everywhere_policy") + MTAConfigGenerator.__init__(self, policy_config) + self.postfix_cf_file = self.find_postfix_cf() + self.wrangle_existing_config() + self.set_domainwise_tls_policies() + #TODO make this optional for testing, etc. + os.system("sudo service postfix reload") - def ensure_cf_var(self, var, ideal, also_acceptable): - """ - Ensure that existing postfix config @var is in the list of @acceptable - values; if not, set it to the ideal value. - """ - acceptable = [ideal] + also_acceptable + def ensure_cf_var(self, var, ideal, also_acceptable): + """ + Ensure that existing postfix config @var is in the list of @acceptable + values; if not, set it to the ideal value. + """ + acceptable = [ideal] + also_acceptable - l = [(num,line) for num,line in enumerate(self.cf) if line.startswith(var)] - if not any(l): - self.additions.append(var + " = " + ideal) - else: - values = map(parse_line, l) - if len(set(values)) > 1: - if self.fixup: - #print "Scheduling deletions:" + `values` - conflicting_lines = [num for num,_var,val in values] - self.deletions.extend(conflicting_lines) - self.additions.append(var + " = " + ideal) + l = [(num,line) for num,line in enumerate(self.cf) if line.startswith(var)] + if not any(l): + self.additions.append(var + " = " + ideal) else: - raise ExistingConfigError, "Conflicting existing config values " + `l` - val = values[0][2] - if val not in acceptable: - #print "Scheduling deletions:" + `values` + values = map(parse_line, l) + if len(set(values)) > 1: + if self.fixup: + #print "Scheduling deletions:" + `values` + conflicting_lines = [num for num,_var,val in values] + self.deletions.extend(conflicting_lines) + self.additions.append(var + " = " + ideal) + else: + raise ExistingConfigError, "Conflicting existing config values " + `l` + val = values[0][2] + if val not in acceptable: + #print "Scheduling deletions:" + `values` + if self.fixup: + self.deletions.append(values[0][0]) + self.additions.append(var + " = " + ideal) + else: + raise ExistingConfigError, "Existing config has %s=%s"%(var,val) + + def wrangle_existing_config(self): + """ + Try to ensure/mutate that the config file is in a sane state. + Fixup means we'll delete existing lines if necessary to get there. + """ + self.additions = [] + self.deletions = [] + self.fn = self.find_postfix_cf() + self.raw_cf = open(self.fn).readlines() + self.cf = map(string.strip, self.raw_cf) + #self.cf = [line for line in cf if line and not line.startswith("#")] + + # Check we're currently accepting inbound STARTTLS sensibly + self.ensure_cf_var("smtpd_use_tls", "yes", []) + # Ideally we use it opportunistically in the outbound direction + self.ensure_cf_var("smtp_tls_security_level", "may", ["encrypt","dane"]) + # Maximum verbosity lets us collect failure information + self.ensure_cf_var("smtp_tls_loglevel", "1", []) + # Inject a reference to our per-domain policy map + policy_cf_entry = "texthash:" + self.policy_file + + self.ensure_cf_var("smtp_tls_policy_maps", policy_cf_entry, []) + + self.maybe_add_config_lines() + + def maybe_add_config_lines(self): + if not self.additions: + return if self.fixup: - self.deletions.append(values[0][0]) - self.additions.append(var + " = " + ideal) - else: - raise ExistingConfigError, "Existing config has %s=%s"%(var,val) + print "Deleting lines:", self.deletions + self.additions[:0]=["#","# New config lines added by STARTTLS Everywhere","#"] + new_cf_lines = "\n".join(self.additions) + "\n" + print "Adding to %s:" % self.fn + print new_cf_lines + if self.raw_cf[-1][-1] == "\n": sep = "" + else: sep = "\n" - def wrangle_existing_config(self): - """ - Try to ensure/mutate that the config file is in a sane state. - Fixup means we'll delete existing lines if necessary to get there. - """ - self.additions = [] - self.deletions = [] - self.fn = self.find_postfix_cf() - self.raw_cf = open(self.fn).readlines() - self.cf = map(string.strip, self.raw_cf) - #self.cf = [line for line in cf if line and not line.startswith("#")] + self.new_cf = "" + for num, line in enumerate(self.raw_cf): + if self.fixup and num in self.deletions: + self.new_cf += "# Line removed by STARTTLS Everywhere\n# " + line + else: + self.new_cf += line + self.new_cf += sep + new_cf_lines - # Check we're currently accepting inbound STARTTLS sensibly - self.ensure_cf_var("smtpd_use_tls", "yes", []) - # Ideally we use it opportunistically in the outbound direction - self.ensure_cf_var("smtp_tls_security_level", "may", ["encrypt","dane"]) - # Maximum verbosity lets us collect failure information - self.ensure_cf_var("smtp_tls_loglevel", "1", []) - # Inject a reference to our per-domain policy map - policy_cf_entry = "texthash:" + self.policy_file + #print self.new_cf + f = open(self.fn, "w") + f.write(self.new_cf) + f.close() - self.ensure_cf_var("smtp_tls_policy_maps", policy_cf_entry, []) + def find_postfix_cf(self): + "Search far and wide for the correct postfix configuration file" + return os.path.join(self.postfix_dir, "main.cf") - self.maybe_add_config_lines() + def set_domainwise_tls_policies(self): + self.policy_lines = [] + all_acceptable_mxs = self.policy_config.get_acceptable_mxs_dict() + for address_domain, properties in all_acceptable_mxs.items(): + mx_list = properties.accept_mx_domains + if len(mx_list) > 1: + print "Lists of multiple accept-mx-domains not yet supported." + print "Using MX %s for %s" % (mx_list[0], address_domain) + print "Ignoring: %s" % (', '.join(mx_list[1:])) + mx_domain = mx_list[0] + mx_policy = self.policy_config.get_tls_policy(mx_domain) + entry = address_domain + " encrypt" + if mx_policy.min_tls_version.lower() == "tlsv1": + entry += " protocols=!SSLv2,!SSLv3" + elif mx_policy.min_tls_version.lower() == "tlsv1.1": + entry += " protocols=!SSLv2,!SSLv3,!TLSv1" + elif mx_policy.min_tls_version.lower() == "tlsv1.2": + entry += " protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" + else: + print mx_policy.min_tls_version + self.policy_lines.append(entry) - def maybe_add_config_lines(self): - if not self.additions: - return - if self.fixup: - print "Deleting lines:", self.deletions - self.additions[:0]=["#","# New config lines added by STARTTLS Everywhere","#"] - new_cf_lines = "\n".join(self.additions) + "\n" - print "Adding to %s:" % self.fn - print new_cf_lines - if self.raw_cf[-1][-1] == "\n": sep = "" - else: sep = "\n" - - self.new_cf = "" - for num, line in enumerate(self.raw_cf): - if self.fixup and num in self.deletions: - self.new_cf += "# Line removed by STARTTLS Everywhere\n# " + line - else: - self.new_cf += line - self.new_cf += sep + new_cf_lines - - #print self.new_cf - f = open(self.fn, "w") - f.write(self.new_cf) - f.close() - - def find_postfix_cf(self): - "Search far and wide for the correct postfix configuration file" - return os.path.join(self.postfix_dir, "main.cf") - - def set_domainwise_tls_policies(self): - self.policy_lines = [] - all_acceptable_mxs = self.policy_config.get_acceptable_mxs_dict() - for address_domain, properties in all_acceptable_mxs.items(): - mx_list = properties.accept_mx_domains - if len(mx_list) > 1: - print "Lists of multiple accept-mx-domains not yet supported." - print "Using MX %s for %s" % (mx_list[0], address_domain) - print "Ignoring: %s" % (', '.join(mx_list[1:])) - mx_domain = mx_list[0] - mx_policy = self.policy_config.get_tls_policy(mx_domain) - entry = address_domain + " encrypt" - if mx_policy.min_tls_version.lower() == "tlsv1": - entry += " protocols=!SSLv2,!SSLv3" - elif mx_policy.min_tls_version.lower() == "tlsv1.1": - entry += " protocols=!SSLv2,!SSLv3,!TLSv1" - elif mx_policy.min_tls_version.lower() == "tlsv1.2": - entry += " protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" - else: - print mx_policy.min_tls_version - self.policy_lines.append(entry) - - f = open(self.policy_file, "w") - f.write("\n".join(self.policy_lines) + "\n") - f.close() + f = open(self.policy_file, "w") + f.write("\n".join(self.policy_lines) + "\n") + f.close() if __name__ == "__main__": - import Config as config - if len(sys.argv) != 3: - print "Usage: MTAConfigGenerator starttls-everywhere.json /etc/postfix" - sys.exit(1) - c = config.Config() - c.load_from_json_file(sys.argv[1]) - postfix_dir = sys.argv[2] - pcgen = PostfixConfigGenerator(c, postfix_dir, fixup=True) + import Config as config + if len(sys.argv) != 3: + print "Usage: MTAConfigGenerator starttls-everywhere.json /etc/postfix" + sys.exit(1) + c = config.Config() + c.load_from_json_file(sys.argv[1]) + postfix_dir = sys.argv[2] + pcgen = PostfixConfigGenerator(c, postfix_dir, fixup=True) From 965027ce528358cd838cffd6f3a8228630643637 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 17 Feb 2016 11:36:38 -0800 Subject: [PATCH 088/256] Start metamorphising to use LE's IInstaller interface --- MTAConfigGenerator.py | 137 +++++++++++++++++++++++++++++++++++++++--- 1 file changed, 130 insertions(+), 7 deletions(-) diff --git a/MTAConfigGenerator.py b/MTAConfigGenerator.py index bb3d5e5db..ae74892eb 100755 --- a/MTAConfigGenerator.py +++ b/MTAConfigGenerator.py @@ -28,13 +28,6 @@ class PostfixConfigGenerator(MTAConfigGenerator): def __init__(self, policy_config, postfix_dir, fixup=False): self.fixup = fixup self.postfix_dir = postfix_dir - self.policy_file = os.path.join(postfix_dir, "starttls_everywhere_policy") - MTAConfigGenerator.__init__(self, policy_config) - self.postfix_cf_file = self.find_postfix_cf() - self.wrangle_existing_config() - self.set_domainwise_tls_policies() - #TODO make this optional for testing, etc. - os.system("sudo service postfix reload") def ensure_cf_var(self, var, ideal, also_acceptable): """ @@ -145,6 +138,133 @@ class PostfixConfigGenerator(MTAConfigGenerator): f.write("\n".join(self.policy_lines) + "\n") f.close() + ### Let's Encrypt client IPlugin ### + + def prepare(): + """Prepare the plugin. + Finish up any additional initialization. + :raises .PluginError: + when full initialization cannot be completed. + :raises .MisconfigurationError: + when full initialization cannot be completed. Plugin will + be displayed on a list of available plugins. + :raises .NoInstallationError: + when the necessary programs/files cannot be located. Plugin + will NOT be displayed on a list of available plugins. + :raises .NotSupportedError: + when the installation is recognized, but the version is not + currently supported. + """ + # XXX ensure we raise the right kinds of exceptions + self.policy_file = os.path.join(postfix_dir, "starttls_everywhere_policy") + MTAConfigGenerator.__init__(self, policy_config) + self.postfix_cf_file = self.find_postfix_cf() + + + def more_info(): + """Human-readable string to help the user. + Should describe the steps taken and any relevant info to help the user + decide which plugin to use. + :rtype str: + """ + + + ### Let's Encrypt client IInstaller ### + + def get_all_names(): + """Returns all names that may be authenticated. + :rtype: `list` of `str` + """ + + def deploy_cert(domain, cert_path, key_path, chain_path, fullchain_path): + """Deploy certificate. + :param str domain: domain to deploy certificate file + :param str cert_path: absolute path to the certificate file + :param str key_path: absolute path to the private key file + :param str chain_path: absolute path to the certificate chain file + :param str fullchain_path: absolute path to the certificate fullchain + file (cert plus chain) + :raises .PluginError: when cert cannot be deployed + """ + + self.wrangle_existing_config() + self.set_domainwise_tls_policies() + + def enhance(domain, enhancement, options=None): + """Perform a configuration enhancement. + :param str domain: domain for which to provide enhancement + :param str enhancement: An enhancement as defined in + :const:`~letsencrypt.constants.ENHANCEMENTS` + :param options: Flexible options parameter for enhancement. + Check documentation of + :const:`~letsencrypt.constants.ENHANCEMENTS` + for expected options for each enhancement. + :raises .PluginError: If Enhancement is not supported, or if + an error occurs during the enhancement. + """ + + def supported_enhancements(): + """Returns a list of supported enhancements. + :returns: supported enhancements which should be a subset of + :const:`~letsencrypt.constants.ENHANCEMENTS` + :rtype: :class:`list` of :class:`str` + """ + + def get_all_certs_keys(): + """Retrieve all certs and keys set in configuration. + :returns: tuples with form `[(cert, key, path)]`, where: + - `cert` - str path to certificate file + - `key` - str path to associated key file + - `path` - file path to configuration file + :rtype: list + """ + + def save(title=None, temporary=False): + """Saves all changes to the configuration files. + Both title and temporary are needed because a save may be + intended to be permanent, but the save is not ready to be a full + checkpoint. If an exception is raised, it is assumed a new + checkpoint was not created. + :param str title: The title of the save. If a title is given, the + configuration will be saved as a new checkpoint and put in a + timestamped directory. `title` has no effect if temporary is true. + :param bool temporary: Indicates whether the changes made will + be quickly reversed in the future (challenges) + :raises .PluginError: when save is unsuccessful + """ + + def rollback_checkpoints(rollback=1): + """Revert `rollback` number of configuration checkpoints. + :raises .PluginError: when configuration cannot be fully reverted + """ + + def recovery_routine(): + """Revert configuration to most recent finalized checkpoint. + Remove all changes (temporary and permanent) that have not been + finalized. This is useful to protect against crashes and other + execution interruptions. + :raises .errors.PluginError: If unable to recover the configuration + """ + + def view_config_changes(): + """Display all of the LE config changes. + :raises .PluginError: when config changes cannot be parsed + """ + + def config_test(): + """Make sure the configuration is valid. + :raises .MisconfigurationError: when the config is not in a usable state + """ + + def restart(): + """Restart or refresh the server content. + :raises .PluginError: when server cannot be restarted + """ + if os.geteuid() != 0: + os.system("sudo service postfix reload") + else: + os.system("service postfix reload") + if __name__ == "__main__": import Config as config @@ -155,3 +275,6 @@ if __name__ == "__main__": c.load_from_json_file(sys.argv[1]) postfix_dir = sys.argv[2] pcgen = PostfixConfigGenerator(c, postfix_dir, fixup=True) + pcgen.prepare() + pcgen.deploy_cert() # XXX add cert args! + pcgen.restart() From fedf97028427203ff8ea9e3b2e63e24826982c71 Mon Sep 17 00:00:00 2001 From: dmwilcox Date: Wed, 17 Feb 2016 11:37:28 -0800 Subject: [PATCH 089/256] Fix bad import to be import *as*... as it should be. --- Config.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Config.py b/Config.py index 402fb4953..ac5202d0c 100644 --- a/Config.py +++ b/Config.py @@ -1,5 +1,5 @@ from datetime import datetime -from dateutil import dateutil_parser +from dateutil import parser as dateutil_parser import collections import json import logging From 47a5b7e3ba6fd6708e2a776f5730602029f12c00 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 17 Feb 2016 11:56:41 -0800 Subject: [PATCH 090/256] Start implementing cert installation --- MTAConfigGenerator.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/MTAConfigGenerator.py b/MTAConfigGenerator.py index ae74892eb..74a53a345 100755 --- a/MTAConfigGenerator.py +++ b/MTAConfigGenerator.py @@ -81,7 +81,6 @@ class PostfixConfigGenerator(MTAConfigGenerator): self.ensure_cf_var("smtp_tls_policy_maps", policy_cf_entry, []) - self.maybe_add_config_lines() def maybe_add_config_lines(self): if not self.additions: @@ -186,8 +185,9 @@ class PostfixConfigGenerator(MTAConfigGenerator): file (cert plus chain) :raises .PluginError: when cert cannot be deployed """ - self.wrangle_existing_config() + self.ensure_cf_var("smtpd_tls_cert_file", fullchain_path, []) + self.ensure_cf_var("smtpd_tls_key_file", key_path, []) self.set_domainwise_tls_policies() def enhance(domain, enhancement, options=None): @@ -233,6 +233,8 @@ class PostfixConfigGenerator(MTAConfigGenerator): :raises .PluginError: when save is unsuccessful """ + self.maybe_add_config_lines() + def rollback_checkpoints(rollback=1): """Revert `rollback` number of configuration checkpoints. :raises .PluginError: when configuration cannot be fully reverted @@ -277,4 +279,5 @@ if __name__ == "__main__": pcgen = PostfixConfigGenerator(c, postfix_dir, fixup=True) pcgen.prepare() pcgen.deploy_cert() # XXX add cert args! + pcgen.save() pcgen.restart() From 8f5b8558d28f817077d663854d89b5128d1b8cbe Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 17 Feb 2016 12:09:25 -0800 Subject: [PATCH 091/256] Actually deploy a cert? - Also add missing selves to interface methods --- MTAConfigGenerator.py | 48 ++++++++++++++++++++++++++----------------- 1 file changed, 29 insertions(+), 19 deletions(-) diff --git a/MTAConfigGenerator.py b/MTAConfigGenerator.py index 74a53a345..3a2a653d6 100755 --- a/MTAConfigGenerator.py +++ b/MTAConfigGenerator.py @@ -28,6 +28,8 @@ class PostfixConfigGenerator(MTAConfigGenerator): def __init__(self, policy_config, postfix_dir, fixup=False): self.fixup = fixup self.postfix_dir = postfix_dir + self.policy_file = os.path.join(postfix_dir, "starttls_everywhere_policy") + MTAConfigGenerator.__init__(self, policy_config) def ensure_cf_var(self, var, ideal, also_acceptable): """ @@ -139,7 +141,7 @@ class PostfixConfigGenerator(MTAConfigGenerator): ### Let's Encrypt client IPlugin ### - def prepare(): + def prepare(self): """Prepare the plugin. Finish up any additional initialization. :raises .PluginError: @@ -155,12 +157,10 @@ class PostfixConfigGenerator(MTAConfigGenerator): currently supported. """ # XXX ensure we raise the right kinds of exceptions - self.policy_file = os.path.join(postfix_dir, "starttls_everywhere_policy") - MTAConfigGenerator.__init__(self, policy_config) self.postfix_cf_file = self.find_postfix_cf() - def more_info(): + def more_info(self): """Human-readable string to help the user. Should describe the steps taken and any relevant info to help the user decide which plugin to use. @@ -170,12 +170,12 @@ class PostfixConfigGenerator(MTAConfigGenerator): ### Let's Encrypt client IInstaller ### - def get_all_names(): + def get_all_names(self): """Returns all names that may be authenticated. :rtype: `list` of `str` """ - def deploy_cert(domain, cert_path, key_path, chain_path, fullchain_path): + def deploy_cert(self, domain, _cert_path, key_path, _chain_path, fullchain_path): """Deploy certificate. :param str domain: domain to deploy certificate file :param str cert_path: absolute path to the certificate file @@ -190,7 +190,7 @@ class PostfixConfigGenerator(MTAConfigGenerator): self.ensure_cf_var("smtpd_tls_key_file", key_path, []) self.set_domainwise_tls_policies() - def enhance(domain, enhancement, options=None): + def enhance(self, domain, enhancement, options=None): """Perform a configuration enhancement. :param str domain: domain for which to provide enhancement :param str enhancement: An enhancement as defined in @@ -203,14 +203,14 @@ class PostfixConfigGenerator(MTAConfigGenerator): an error occurs during the enhancement. """ - def supported_enhancements(): + def supported_enhancements(self): """Returns a list of supported enhancements. :returns: supported enhancements which should be a subset of :const:`~letsencrypt.constants.ENHANCEMENTS` :rtype: :class:`list` of :class:`str` """ - def get_all_certs_keys(): + def get_all_certs_keys(self): """Retrieve all certs and keys set in configuration. :returns: tuples with form `[(cert, key, path)]`, where: - `cert` - str path to certificate file @@ -219,7 +219,7 @@ class PostfixConfigGenerator(MTAConfigGenerator): :rtype: list """ - def save(title=None, temporary=False): + def save(self, title=None, temporary=False): """Saves all changes to the configuration files. Both title and temporary are needed because a save may be intended to be permanent, but the save is not ready to be a full @@ -235,12 +235,12 @@ class PostfixConfigGenerator(MTAConfigGenerator): self.maybe_add_config_lines() - def rollback_checkpoints(rollback=1): + def rollback_checkpoints(self, rollback=1): """Revert `rollback` number of configuration checkpoints. :raises .PluginError: when configuration cannot be fully reverted """ - def recovery_routine(): + def recovery_routine(self): """Revert configuration to most recent finalized checkpoint. Remove all changes (temporary and permanent) that have not been finalized. This is useful to protect against crashes and other @@ -248,17 +248,17 @@ class PostfixConfigGenerator(MTAConfigGenerator): :raises .errors.PluginError: If unable to recover the configuration """ - def view_config_changes(): + def view_config_changes(self): """Display all of the LE config changes. :raises .PluginError: when config changes cannot be parsed """ - def config_test(): + def config_test(self): """Make sure the configuration is valid. :raises .MisconfigurationError: when the config is not in a usable state """ - def restart(): + def restart(self): """Restart or refresh the server content. :raises .PluginError: when server cannot be restarted """ @@ -268,16 +268,26 @@ class PostfixConfigGenerator(MTAConfigGenerator): os.system("service postfix reload") +def usage(): + print "Usage: MTAConfigGenerator starttls-everywhere.json /etc/postfix /etc/letsencrypt/live/example.com/" + sys.exit(1) + if __name__ == "__main__": import Config as config - if len(sys.argv) != 3: - print "Usage: MTAConfigGenerator starttls-everywhere.json /etc/postfix" - sys.exit(1) + if len(sys.argv) != 4: + usage() c = config.Config() c.load_from_json_file(sys.argv[1]) postfix_dir = sys.argv[2] + le_lineage = sys.argv[3] + pieces = [os.path.join(le_lineage, f) for f in ("cert.pem", "privkey.pem", "chain.pem", "fullchain.pem")] + if not os.isdir(le_lineage) or not all(os.isfile(p) for p in pieces) : + print "Let's Encrypt directory", le_lineage, "does not appear to contain a valid lineage" + print + usage() + cert, key, chain, fullchain = pieces pcgen = PostfixConfigGenerator(c, postfix_dir, fixup=True) pcgen.prepare() - pcgen.deploy_cert() # XXX add cert args! + pcgen.deploy_cert(cert, key, chain, fullchain) pcgen.save() pcgen.restart() From 3aeb62cf7e3d0eacedaafeca386afddf4a85a39f Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 17 Feb 2016 12:13:28 -0800 Subject: [PATCH 092/256] bugfixes, cleanups --- MTAConfigGenerator.py | 8 +++++--- requirements.txt | 1 + 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/MTAConfigGenerator.py b/MTAConfigGenerator.py index 3a2a653d6..3c676700e 100755 --- a/MTAConfigGenerator.py +++ b/MTAConfigGenerator.py @@ -269,7 +269,8 @@ class PostfixConfigGenerator(MTAConfigGenerator): def usage(): - print "Usage: MTAConfigGenerator starttls-everywhere.json /etc/postfix /etc/letsencrypt/live/example.com/" + print ("Usage: %s starttls-everywhere.json /etc/postfix /etc/letsencrypt/live/example.com/" % + sys.argv[0]) sys.exit(1) if __name__ == "__main__": @@ -280,8 +281,9 @@ if __name__ == "__main__": c.load_from_json_file(sys.argv[1]) postfix_dir = sys.argv[2] le_lineage = sys.argv[3] - pieces = [os.path.join(le_lineage, f) for f in ("cert.pem", "privkey.pem", "chain.pem", "fullchain.pem")] - if not os.isdir(le_lineage) or not all(os.isfile(p) for p in pieces) : + pieces = [os.path.join(le_lineage, f) for f in ( + "cert.pem", "privkey.pem", "chain.pem", "fullchain.pem")] + if not os.path.isdir(le_lineage) or not all(os.path.isfile(p) for p in pieces) : print "Let's Encrypt directory", le_lineage, "does not appear to contain a valid lineage" print usage() diff --git a/requirements.txt b/requirements.txt index 891e5809d..5334ba03a 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,4 @@ dnspython publicsuffix m2crypto +dateutils From 074fef773bcf3097a6c6532740b12535e3f3334d Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 17 Feb 2016 12:14:24 -0800 Subject: [PATCH 093/256] Make up a domain --- MTAConfigGenerator.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MTAConfigGenerator.py b/MTAConfigGenerator.py index 3c676700e..9de48ca26 100755 --- a/MTAConfigGenerator.py +++ b/MTAConfigGenerator.py @@ -290,6 +290,6 @@ if __name__ == "__main__": cert, key, chain, fullchain = pieces pcgen = PostfixConfigGenerator(c, postfix_dir, fixup=True) pcgen.prepare() - pcgen.deploy_cert(cert, key, chain, fullchain) + pcgen.deploy_cert("example.com", cert, key, chain, fullchain) pcgen.save() pcgen.restart() From 28bb0eb6acf7c63c763189963803a93f0b2691fd Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 17 Feb 2016 12:20:26 -0800 Subject: [PATCH 094/256] Obtain acceptable_mxs the right way --- MTAConfigGenerator.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/MTAConfigGenerator.py b/MTAConfigGenerator.py index 9de48ca26..43dad5f37 100755 --- a/MTAConfigGenerator.py +++ b/MTAConfigGenerator.py @@ -115,7 +115,7 @@ class PostfixConfigGenerator(MTAConfigGenerator): def set_domainwise_tls_policies(self): self.policy_lines = [] - all_acceptable_mxs = self.policy_config.get_acceptable_mxs_dict() + all_acceptable_mxs = self.policy_config.acceptable_mxs for address_domain, properties in all_acceptable_mxs.items(): mx_list = properties.accept_mx_domains if len(mx_list) > 1: From 9e42f6ed08e27f022568a4d651d24ddcf38aeffd Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Thu, 18 Feb 2016 18:57:41 -0800 Subject: [PATCH 095/256] Clarify project status --- README.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index e50630ab8..49db2aeda 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,11 @@ # STARTTLS Everywhere +NOTE: this is a pre-alpha codebase. Do not run it on non-experimental systems +yet! + ## Authors -Jacob Hoffman-Andrews , Peter Eckersley +Jacob Hoffman-Andrews , Peter Eckersley , Daniel Wilcox ## Background From 4d14423a2146bc39f6d4f24c0266e26e262d71f2 Mon Sep 17 00:00:00 2001 From: Aaron Zauner Date: Wed, 24 Feb 2016 21:38:31 +0100 Subject: [PATCH 096/256] re-structured project folder.. * Removed `ConfigParser.py` (ACK by Daniel). * Removed MTAConfigGenerator-stub and renamed to `PostfixConfigGenerator.py` * Moved all text/csv processing scripts to `tools/`. * Moved all configuration files into dedicated `examples/` directory. * unified all shebangs to `#!/usr/bin/env python` (default system python). * Moved domain CSV and text-files to `share/`. --- ConfigParser.py | 115 ------------------ .../bigger_test_config.json | 0 config.json => examples/config.json | 0 .../starttls-everywhere.json | 0 Config.py => letsencrypt-postfix/Config.py | 1 + .../PostfixConfigGenerator.py | 15 +-- .../PostfixLogSummary.py | 2 +- .../TestConfig.py | 1 + .../golden-domains.txt | 0 .../google-starttls-domains.csv | 0 CheckSTARTTLS.py => tools/CheckSTARTTLS.py | 2 +- .../ProcessGoogleSTARTTLSDomains.py | 2 +- 12 files changed, 10 insertions(+), 128 deletions(-) delete mode 100755 ConfigParser.py rename bigger_test_config.json => examples/bigger_test_config.json (100%) rename config.json => examples/config.json (100%) rename starttls-everywhere.json => examples/starttls-everywhere.json (100%) rename Config.py => letsencrypt-postfix/Config.py (99%) rename MTAConfigGenerator.py => letsencrypt-postfix/PostfixConfigGenerator.py (96%) rename PostfixLogSummary.py => letsencrypt-postfix/PostfixLogSummary.py (99%) rename TestConfig.py => letsencrypt-postfix/TestConfig.py (99%) mode change 100644 => 100755 rename golden-domains.txt => share/golden-domains.txt (100%) rename google-starttls-domains.csv => share/google-starttls-domains.csv (100%) rename CheckSTARTTLS.py => tools/CheckSTARTTLS.py (99%) rename ProcessGoogleSTARTTLSDomains.py => tools/ProcessGoogleSTARTTLSDomains.py (98%) diff --git a/ConfigParser.py b/ConfigParser.py deleted file mode 100755 index 2d7c88ada..000000000 --- a/ConfigParser.py +++ /dev/null @@ -1,115 +0,0 @@ -#!/usr/bin/env python - -import sys -import json -from datetime import datetime -import string -import collections - -def parse_timestamp(ts): - try: - int(ts) - dt = datetime.fromtimestamp(ts) - return dt - except: - raise ValueError, "Invalid timestamp integer: " + `ts` - -legal = string.letters + string.digits + ".-" -known_tlds =["com","org","net","biz","info",] # xxx make me from an ICANN list -def looks_like_a_domain(s): - "Return true if string looks like a domain, as best we can tell..." - global known_tlds - try: - domain = s.lower() - assert domain[0].islower() - assert all([c in legal for c in domain]) - tld = s.split(".")[-1] - if tld not in known_tlds: - # XXX perform DNS query to determine that this TLD exists - pass - return True - except: - return False - -class Config: - def __init__(self, cfg_file_name = "config.json"): - f = open(cfg_file_name) - self.cfg = json.loads(f.read()) - self.tls_policies = {} - self.mx_map = {} - for atr, val in self.cfg.items(): - # Verify each attribute of the structure - if atr.startswith("comment"): - continue - if atr == "author": - if type(val) not in [str, unicode]: - raise TypeError, "Author must be a string: " + `val` - elif atr == "timestamp": - self.timestamp = parse_timestamp(val) - elif atr == "expires": - self.expires = parse_timestamp(val) - elif atr == "tls-policies": - for domain, policies in self.check_tls_policy_domains(val): - if type(policies) != dict: - raise TypeError, domain + "'s policies should be a dict: " + `policies` - self.tls_policies[domain] = {} # being here enforces TLS at all - for policy, v in policies.items(): - value = str(v).lower() - if policy == "require-tls": - if value in ("true", "1", "yes"): - self.tls_policies[domain]["required"] = True - elif value in ("false", "0", "no"): - self.tls_policies[domain]["required"] = False - else: - raise ValueError, "Unknown require-tls value " + `value` - elif policy == "min-tls-version": - reasonable = ["TLS", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"] - reasonable = map(string.lower, reasonable) - if not value in reasonable: - raise ValueError, "Not a valid TLS version string: " + `value` - self.tls_policies[domain]["min-tls-version"] = str(value) - elif policy == "enforce-mode": - if value == "enforce": - self.tls_policies[domain]["enforce"] = True - elif value == "log-only": - self.tls_policies[domain]["enforce"] = False - else: - raise ValueError, "Not a known enoforcement policy " + `value` - elif atr == "acceptable-mxs": - self.acceptable_mxs = val - self.mx_domain_to_address_domains = collections.defaultdict(set) - for address_domain, properties in self.acceptable_mxs.items(): - mx_list = properties["accept-mx-domains"] - if len(mx_list) > 1: - print "Lists of multiple accept-mx-domains not yet supported, skipping ", address_domain - mx_domain = mx_list[0] - self.mx_domain_to_address_domains[mx_domain].add(address_domain) - pass - else: - sys.stderr.write("Unknown attribute: " + `atr` + "\n") - # XXX is it ever permissible to have a domain with an acceptable-mx - # that does not point to a TLS security policy? If not, check/warn/fail - # here - print self.tls_policies - - def get_address_domains(self, mx_hostname): - labels = mx_hostname.split(".") - for n in range(1, len(labels)): - parent = "." + ".".join(labels[n:]) - if parent in self.mx_domain_to_address_domains: - return self.mx_domain_to_address_domains[parent] - return None - - def check_tls_policy_domains(self, val): - if type(val) != dict: - raise TypeError, "tls-policies should be a dict" + `val` - for domain, policies in val.items(): - try: - assert type(domain) == unicode - d = str(domain) # convert from unicode - except: - raise TypeError, "tls-policy domain not a string" + `domain` - yield (d, policies) - -if __name__ == "__main__": - c = Config() diff --git a/bigger_test_config.json b/examples/bigger_test_config.json similarity index 100% rename from bigger_test_config.json rename to examples/bigger_test_config.json diff --git a/config.json b/examples/config.json similarity index 100% rename from config.json rename to examples/config.json diff --git a/starttls-everywhere.json b/examples/starttls-everywhere.json similarity index 100% rename from starttls-everywhere.json rename to examples/starttls-everywhere.json diff --git a/Config.py b/letsencrypt-postfix/Config.py similarity index 99% rename from Config.py rename to letsencrypt-postfix/Config.py index ac5202d0c..cc0df00d1 100644 --- a/Config.py +++ b/letsencrypt-postfix/Config.py @@ -1,3 +1,4 @@ +#!/usr/bin/env python from datetime import datetime from dateutil import parser as dateutil_parser import collections diff --git a/MTAConfigGenerator.py b/letsencrypt-postfix/PostfixConfigGenerator.py similarity index 96% rename from MTAConfigGenerator.py rename to letsencrypt-postfix/PostfixConfigGenerator.py index 43dad5f37..af1953208 100755 --- a/MTAConfigGenerator.py +++ b/letsencrypt-postfix/PostfixConfigGenerator.py @@ -1,5 +1,4 @@ #!/usr/bin/env python - import sys import string import os, os.path @@ -18,18 +17,14 @@ def parse_line(line_data): return None return (num, left.strip(), right.strip()) -class MTAConfigGenerator: - def __init__(self, policy_config): - self.policy_config = policy_config - class ExistingConfigError(ValueError): pass -class PostfixConfigGenerator(MTAConfigGenerator): +class PostfixConfigGenerator: def __init__(self, policy_config, postfix_dir, fixup=False): - self.fixup = fixup - self.postfix_dir = postfix_dir - self.policy_file = os.path.join(postfix_dir, "starttls_everywhere_policy") - MTAConfigGenerator.__init__(self, policy_config) + self.fixup = fixup + self.postfix_dir = postfix_dir + self.policy_config = policy_config + self.policy_file = os.path.join(postfix_dir, "starttls_everywhere_policy") def ensure_cf_var(self, var, ideal, also_acceptable): """ diff --git a/PostfixLogSummary.py b/letsencrypt-postfix/PostfixLogSummary.py similarity index 99% rename from PostfixLogSummary.py rename to letsencrypt-postfix/PostfixLogSummary.py index f9e717f66..956a069eb 100755 --- a/PostfixLogSummary.py +++ b/letsencrypt-postfix/PostfixLogSummary.py @@ -1,4 +1,4 @@ -#!/usr/bin/python2.7 +#!/usr/bin/env python import re import sys import collections diff --git a/TestConfig.py b/letsencrypt-postfix/TestConfig.py old mode 100644 new mode 100755 similarity index 99% rename from TestConfig.py rename to letsencrypt-postfix/TestConfig.py index f323554c0..ca8e77654 --- a/TestConfig.py +++ b/letsencrypt-postfix/TestConfig.py @@ -1,3 +1,4 @@ +#!/usr/bin/env python import copy import itertools import logging diff --git a/golden-domains.txt b/share/golden-domains.txt similarity index 100% rename from golden-domains.txt rename to share/golden-domains.txt diff --git a/google-starttls-domains.csv b/share/google-starttls-domains.csv similarity index 100% rename from google-starttls-domains.csv rename to share/google-starttls-domains.csv diff --git a/CheckSTARTTLS.py b/tools/CheckSTARTTLS.py similarity index 99% rename from CheckSTARTTLS.py rename to tools/CheckSTARTTLS.py index e5c5a4323..ef0bf2e5c 100755 --- a/CheckSTARTTLS.py +++ b/tools/CheckSTARTTLS.py @@ -1,4 +1,4 @@ -#!/usr/bin/python +#!/usr/bin/env python import sys import os import errno diff --git a/ProcessGoogleSTARTTLSDomains.py b/tools/ProcessGoogleSTARTTLSDomains.py similarity index 98% rename from ProcessGoogleSTARTTLSDomains.py rename to tools/ProcessGoogleSTARTTLSDomains.py index 3078bd93a..815ec5d4e 100755 --- a/ProcessGoogleSTARTTLSDomains.py +++ b/tools/ProcessGoogleSTARTTLSDomains.py @@ -1,4 +1,4 @@ -#!/usr/bin/python +#!/usr/bin/env python """ Process Google's TLS delivery data from https://www.google.com/transparencyreport/saferemail/data/?hl=en From 6db285882552e73e7ffcb6eff10293dbe0f48ce8 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 24 Feb 2016 18:19:47 -0800 Subject: [PATCH 097/256] Correct policy map delimitation --- MTAConfigGenerator.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/MTAConfigGenerator.py b/MTAConfigGenerator.py index 43dad5f37..ea4eeaa26 100755 --- a/MTAConfigGenerator.py +++ b/MTAConfigGenerator.py @@ -126,11 +126,11 @@ class PostfixConfigGenerator(MTAConfigGenerator): mx_policy = self.policy_config.get_tls_policy(mx_domain) entry = address_domain + " encrypt" if mx_policy.min_tls_version.lower() == "tlsv1": - entry += " protocols=!SSLv2,!SSLv3" + entry += " protocols=!SSLv2:!SSLv3" elif mx_policy.min_tls_version.lower() == "tlsv1.1": - entry += " protocols=!SSLv2,!SSLv3,!TLSv1" + entry += " protocols=!SSLv2:!SSLv3:!TLSv1" elif mx_policy.min_tls_version.lower() == "tlsv1.2": - entry += " protocols=!SSLv2,!SSLv3,!TLSv1,!TLSv1.1" + entry += " protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1" else: print mx_policy.min_tls_version self.policy_lines.append(entry) From 6e2b6a081706ced2e6ca1ddbc7cd3556e141934f Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Tue, 1 Mar 2016 16:37:56 -0800 Subject: [PATCH 098/256] Update README --- README.md | 31 ++++++++++++++++++++++++++++--- 1 file changed, 28 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 288a6ea10..f244d91e6 100644 --- a/README.md +++ b/README.md @@ -1,11 +1,36 @@ # STARTTLS Everywhere -NOTE: this is a pre-alpha codebase. Do not run it on non-experimental systems -yet! + +## Example usage + +**WARNING: this is a pre-alpha codebase. Do not run it on production +mailservers!!!** + + +If you have a Postfix server you're willing to endanger deliverability on, you +can try obtain a certificate with the [Let's Encrypt Python Client](https://github.com/letsencrypt/letsencrypt), not the directory it lives in below `/etc/letsencrypt/live` and then do: + +``` +git clone https://github.com/EFForg/starttls-everywhere +cd starttls-everywhere +# Promise you don't care if deliverability breaks on this mail server +letsencrypt-postfix/PostfixConfigGenerator.py examples/starttls-everywhere.json /etc/postfix /etc/letsencrypt/live/YOUR.DOMAIN.EXAMPLE.COM +``` + +This will: +* Install the cert in Postfix +* Enforce mandatory TLS to some major email domains +* Enforce minimum TLS versions to some major email domains + +## Project status + +* Postfix configuration generation: working pre-alpha, not yet safe +* Email security database: working pre-alpha, definitely not yet safe +* Let's Encrypt client plugin: in progress ## Authors -Jacob Hoffman-Andrews , Peter Eckersley , Daniel Wilcox +Jacob Hoffman-Andrews , Peter Eckersley , Daniel Wilcox , Aaron Zauner ## Mailing List From 1210c04f147f6bf6f539ee0683f46af9c8939de1 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Tue, 1 Mar 2016 16:38:55 -0800 Subject: [PATCH 099/256] tweak README --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index f244d91e6..8a4e04601 100644 --- a/README.md +++ b/README.md @@ -8,7 +8,7 @@ mailservers!!!** If you have a Postfix server you're willing to endanger deliverability on, you -can try obtain a certificate with the [Let's Encrypt Python Client](https://github.com/letsencrypt/letsencrypt), not the directory it lives in below `/etc/letsencrypt/live` and then do: +can try obtain a certificate with the [Let's Encrypt Python Client](https://github.com/letsencrypt/letsencrypt), note the directory it lives in below `/etc/letsencrypt/live` and then do: ``` git clone https://github.com/EFForg/starttls-everywhere @@ -26,7 +26,7 @@ This will: * Postfix configuration generation: working pre-alpha, not yet safe * Email security database: working pre-alpha, definitely not yet safe -* Let's Encrypt client plugin: in progress +* Fully integrated Let's Encrypt client postfix plugin: in progress, not yet ready ## Authors From 3a8e1d7a707a509022839fa31944b1daf8f4b2e6 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Tue, 1 Mar 2016 16:40:03 -0800 Subject: [PATCH 100/256] Further status update --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 8a4e04601..e0746c4a1 100644 --- a/README.md +++ b/README.md @@ -27,6 +27,8 @@ This will: * Postfix configuration generation: working pre-alpha, not yet safe * Email security database: working pre-alpha, definitely not yet safe * Fully integrated Let's Encrypt client postfix plugin: in progress, not yet ready +* DANE support: none yet +* SMTP-STS integration: none yet ## Authors From a435036a1ecedcfe143d00f186dbf808e06d1983 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Tue, 1 Mar 2016 19:03:47 -0800 Subject: [PATCH 101/256] Document MVP objectives --- README.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/README.md b/README.md index e0746c4a1..9f20c4457 100644 --- a/README.md +++ b/README.md @@ -24,11 +24,18 @@ This will: ## Project status +STARTTLS Everywhere development is re-starting after a hiatus. Initial +objectives: + * Postfix configuration generation: working pre-alpha, not yet safe * Email security database: working pre-alpha, definitely not yet safe * Fully integrated Let's Encrypt client postfix plugin: in progress, not yet ready * DANE support: none yet * SMTP-STS integration: none yet +* Direct mechanisms for mail domains to request inclusion: none yet +* Failure reporting mechanisms: early progress, not yet ready +* Mechanisms for secure mutli-organization signature on the policy database: + none yet ## Authors From b2977ad6a996aae6bf2cd1527098722286282b3e Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Tue, 1 Mar 2016 19:06:02 -0800 Subject: [PATCH 102/256] Documentation details --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 9f20c4457..008907baf 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,8 @@ letsencrypt-postfix/PostfixConfigGenerator.py examples/starttls-everywhere.json ``` This will: -* Install the cert in Postfix +* Ensure your mail server initiates STARTTLS encryption +* Install the Let's Encrypt cert in Postfix * Enforce mandatory TLS to some major email domains * Enforce minimum TLS versions to some major email domains From 874c59012ab219d24678907891a1249b1277d0d8 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 2 Mar 2016 10:47:52 -0800 Subject: [PATCH 103/256] Update README --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 008907baf..27563a899 100644 --- a/README.md +++ b/README.md @@ -35,8 +35,9 @@ objectives: * SMTP-STS integration: none yet * Direct mechanisms for mail domains to request inclusion: none yet * Failure reporting mechanisms: early progress, not yet ready -* Mechanisms for secure mutli-organization signature on the policy database: +* Mechanisms for secure multi-organization signature on the policy database: none yet +* Support for mail servers other than Postfix: none yet ## Authors From e88eac65da32fe33228c650eeee51ca40ef138ea Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 2 Mar 2016 10:47:59 -0800 Subject: [PATCH 104/256] [documentation] Add links to LEPC interface sources --- letsencrypt-postfix/PostfixConfigGenerator.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/letsencrypt-postfix/PostfixConfigGenerator.py b/letsencrypt-postfix/PostfixConfigGenerator.py index 43a3c19cf..25cab9ce7 100755 --- a/letsencrypt-postfix/PostfixConfigGenerator.py +++ b/letsencrypt-postfix/PostfixConfigGenerator.py @@ -135,6 +135,7 @@ class PostfixConfigGenerator: f.close() ### Let's Encrypt client IPlugin ### + # https://github.com/letsencrypt/letsencrypt/blob/master/letsencrypt/plugins/common.py#L35 def prepare(self): """Prepare the plugin. @@ -164,6 +165,7 @@ class PostfixConfigGenerator: ### Let's Encrypt client IInstaller ### + # https://github.com/letsencrypt/letsencrypt/blob/master/letsencrypt/interfaces.py#L232 def get_all_names(self): """Returns all names that may be authenticated. From 0ce1684ba6895706422349dce5d2b1c94e60ae05 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 9 Mar 2016 10:50:15 -0800 Subject: [PATCH 105/256] Changes to MTAConfigGenerator needed to be moved by hand --- MTAConfigGenerator.py | 160 ------------------ letsencrypt-postfix/PostfixConfigGenerator.py | 18 +- 2 files changed, 12 insertions(+), 166 deletions(-) delete mode 100755 MTAConfigGenerator.py diff --git a/MTAConfigGenerator.py b/MTAConfigGenerator.py deleted file mode 100755 index 5ca8f5aee..000000000 --- a/MTAConfigGenerator.py +++ /dev/null @@ -1,160 +0,0 @@ -#!/usr/bin/env python - -import sys -import string -import os, os.path - -def parse_line(line_data): - """ - Return the (line number, left hand side, right hand side) of a stripped - postfix config line. - - Lines are like: - smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache - """ - num,line = line_data - left, sep, right = line.partition("=") - if not sep: - return None - return (num, left.strip(), right.strip()) - -class MTAConfigGenerator: - def __init__(self, policy_config): - self.policy_config = policy_config - -class ExistingConfigError(ValueError): pass - -class PostfixConfigGenerator(MTAConfigGenerator): - def __init__(self, policy_config, postfix_dir, fixup=False): - self.fixup = fixup - self.postfix_dir = postfix_dir - self.postfix_cf_file = self.find_postfix_cf() - if not os.access(self.postfix_cf_file, os.W_OK): - raise Exception("Can't write to %s, please re-run as root." - % self.postfix_cf_file) - self.policy_file = os.path.join(postfix_dir, "starttls_everywhere_policy") - self.ca_file = os.path.join(postfix_dir, "starttls_everywhere_CAfile") - MTAConfigGenerator.__init__(self, policy_config) - self.wrangle_existing_config() - self.set_domainwise_tls_policies() - self.update_CAfile() - os.system("sudo service postfix reload") - - def ensure_cf_var(self, var, ideal, also_acceptable): - """ - Ensure that existing postfix config @var is in the list of @acceptable - values; if not, set it to the ideal value. - """ - acceptable = [ideal] + also_acceptable - - l = [(num,line) for num,line in enumerate(self.cf) if line.startswith(var)] - if not any(l): - self.additions.append(var + " = " + ideal) - else: - values = map(parse_line, l) - if len(set(values)) > 1: - if self.fixup: - conflicting_lines = [num for num,_var,val in values] - self.deletions.extend(conflicting_lines) - self.additions.append(var + " = " + ideal) - else: - raise ExistingConfigError, "Conflicting existing config values " + `l` - val = values[0][2] - if val not in acceptable: - if self.fixup: - self.deletions.append(values[0][0]) - self.additions.append(var + " = " + ideal) - else: - raise ExistingConfigError, "Existing config has %s=%s"%(var,val) - - def wrangle_existing_config(self): - """ - Try to ensure/mutate that the config file is in a sane state. - Fixup means we'll delete existing lines if necessary to get there. - """ - self.additions = [] - self.deletions = [] - self.fn = self.find_postfix_cf() - self.raw_cf = open(self.fn).readlines() - self.cf = map(string.strip, self.raw_cf) - #self.cf = [line for line in cf if line and not line.startswith("#")] - - # Check we're currently accepting inbound STARTTLS sensibly - self.ensure_cf_var("smtpd_use_tls", "yes", []) - # Ideally we use it opportunistically in the outbound direction - self.ensure_cf_var("smtp_tls_security_level", "may", ["encrypt","dane"]) - # Maximum verbosity lets us collect failure information - self.ensure_cf_var("smtp_tls_loglevel", "1", []) - # Inject a reference to our per-domain policy map - policy_cf_entry = "texthash:" + self.policy_file - - self.ensure_cf_var("smtp_tls_policy_maps", policy_cf_entry, []) - self.ensure_cf_var("smtp_tls_CAfile", self.ca_file, []) - - self.maybe_add_config_lines() - - def maybe_add_config_lines(self): - if not self.additions: - return - if self.fixup: - print "Deleting lines:", self.deletions - self.additions[:0]=["#","# New config lines added by STARTTLS Everywhere","#"] - new_cf_lines = "\n".join(self.additions) + "\n" - print "Adding to %s:" % self.fn - print new_cf_lines - if self.raw_cf[-1][-1] == "\n": sep = "" - else: sep = "\n" - - self.new_cf = "" - for num, line in enumerate(self.raw_cf): - if self.fixup and num in self.deletions: - self.new_cf += "# Line removed by STARTTLS Everywhere\n# " + line - else: - self.new_cf += line - self.new_cf += sep + new_cf_lines - - f = open(self.fn, "w") - f.write(self.new_cf) - f.close() - - def find_postfix_cf(self): - "Search far and wide for the correct postfix configuration file" - return os.path.join(self.postfix_dir, "main.cf") - - def set_domainwise_tls_policies(self): - self.policy_lines = [] - for address_domain, properties in self.policy_config.acceptable_mxs.items(): - mx_list = properties["accept-mx-domains"] - if len(mx_list) > 1: - print "Lists of multiple accept-mx-domains not yet supported, skipping ", address_domain - mx_domain = mx_list[0] - mx_policy = self.policy_config.tls_policies[mx_domain] - entry = address_domain + " encrypt" - if "min-tls-version" in mx_policy: - if mx_policy["min-tls-version"].lower() == "tlsv1": - entry += " protocols=!SSLv2:!SSLv3" - elif mx_policy["min-tls-version"].lower() == "tlsv1.1": - entry += " protocols=!SSLv2:!SSLv3:!TLSv1" - elif mx_policy["min-tls-version"].lower() == "tlsv1.2": - entry += " protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1" - else: - print mx_policy["min-tls-version"] - self.policy_lines.append(entry) - - f = open(self.policy_file, "w") - f.write("\n".join(self.policy_lines) + "\n") - f.close() - - def update_CAfile(self): - os.system("cat /usr/share/ca-certificates/mozilla/*.crt > " + - self.ca_file) - -if __name__ == "__main__": - import ConfigParser - if len(sys.argv) != 3: - print "Usage: MTAConfigGenerator starttls-everywhere.json /etc/postfix" - sys.exit(1) - c = ConfigParser.Config(sys.argv[1]) - postfix_dir = sys.argv[2] - pcgen = PostfixConfigGenerator(c, postfix_dir, fixup=True) - print "Done." diff --git a/letsencrypt-postfix/PostfixConfigGenerator.py b/letsencrypt-postfix/PostfixConfigGenerator.py index 25cab9ce7..af29d493c 100755 --- a/letsencrypt-postfix/PostfixConfigGenerator.py +++ b/letsencrypt-postfix/PostfixConfigGenerator.py @@ -25,6 +25,7 @@ class PostfixConfigGenerator: self.postfix_dir = postfix_dir self.policy_config = policy_config self.policy_file = os.path.join(postfix_dir, "starttls_everywhere_policy") + self.ca_file = os.path.join(postfix_dir, "starttls_everywhere_CAfile") def ensure_cf_var(self, var, ideal, also_acceptable): """ @@ -40,7 +41,6 @@ class PostfixConfigGenerator: values = map(parse_line, l) if len(set(values)) > 1: if self.fixup: - #print "Scheduling deletions:" + `values` conflicting_lines = [num for num,_var,val in values] self.deletions.extend(conflicting_lines) self.additions.append(var + " = " + ideal) @@ -48,7 +48,6 @@ class PostfixConfigGenerator: raise ExistingConfigError, "Conflicting existing config values " + `l` val = values[0][2] if val not in acceptable: - #print "Scheduling deletions:" + `values` if self.fixup: self.deletions.append(values[0][0]) self.additions.append(var + " = " + ideal) @@ -99,10 +98,11 @@ class PostfixConfigGenerator: self.new_cf += line self.new_cf += sep + new_cf_lines - #print self.new_cf - f = open(self.fn, "w") - f.write(self.new_cf) - f.close() + if not os.access(self.postfix_cf_file, os.W_OK): + raise Exception("Can't write to %s, please re-run as root." + % self.postfix_cf_file) + with open(self.fn, "w") as f: + f.write(self.new_cf) def find_postfix_cf(self): "Search far and wide for the correct postfix configuration file" @@ -186,6 +186,7 @@ class PostfixConfigGenerator: self.ensure_cf_var("smtpd_tls_cert_file", fullchain_path, []) self.ensure_cf_var("smtpd_tls_key_file", key_path, []) self.set_domainwise_tls_policies() + self.update_CAfile() def enhance(self, domain, enhancement, options=None): """Perform a configuration enhancement. @@ -259,17 +260,22 @@ class PostfixConfigGenerator: """Restart or refresh the server content. :raises .PluginError: when server cannot be restarted """ + print "Reloading postfix config..." if os.geteuid() != 0: os.system("sudo service postfix reload") else: os.system("service postfix reload") + def update_CAfile(self): + os.system("cat /usr/share/ca-certificates/mozilla/*.crt > " + self.ca_file) + def usage(): print ("Usage: %s starttls-everywhere.json /etc/postfix /etc/letsencrypt/live/example.com/" % sys.argv[0]) sys.exit(1) + if __name__ == "__main__": import Config as config if len(sys.argv) != 4: From a58c6524436d04adc43a89a0fa7534e7d6cdfdba Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 9 Mar 2016 10:54:15 -0800 Subject: [PATCH 106/256] ConfigParser is gone! --- ConfigParser.py | 114 ------------------------------------------------ 1 file changed, 114 deletions(-) delete mode 100755 ConfigParser.py diff --git a/ConfigParser.py b/ConfigParser.py deleted file mode 100755 index d1c413f74..000000000 --- a/ConfigParser.py +++ /dev/null @@ -1,114 +0,0 @@ -#!/usr/bin/env python - -import sys -import json -from datetime import datetime -import string -import collections - -def parse_timestamp(ts): - try: - int(ts) - dt = datetime.fromtimestamp(ts) - return dt - except: - raise ValueError, "Invalid timestamp integer: " + `ts` - -legal = string.letters + string.digits + ".-" -known_tlds =["com","org","net","biz","info",] # xxx make me from an ICANN list -def looks_like_a_domain(s): - "Return true if string looks like a domain, as best we can tell..." - global known_tlds - try: - domain = s.lower() - assert domain[0].islower() - assert all([c in legal for c in domain]) - tld = s.split(".")[-1] - if tld not in known_tlds: - # XXX perform DNS query to determine that this TLD exists - pass - return True - except: - return False - -class Config: - def __init__(self, cfg_file_name = "config.json"): - f = open(cfg_file_name) - self.cfg = json.loads(f.read()) - self.tls_policies = {} - self.mx_map = {} - for atr, val in self.cfg.items(): - # Verify each attribute of the structure - if atr.startswith("comment"): - continue - if atr == "author": - if type(val) not in [str, unicode]: - raise TypeError, "Author must be a string: " + `val` - elif atr == "timestamp": - self.timestamp = parse_timestamp(val) - elif atr == "expires": - self.expires = parse_timestamp(val) - elif atr == "tls-policies": - for domain, policies in self.check_tls_policy_domains(val): - if type(policies) != dict: - raise TypeError, domain + "'s policies should be a dict: " + `policies` - self.tls_policies[domain] = {} # being here enforces TLS at all - for policy, v in policies.items(): - value = str(v).lower() - if policy == "require-tls": - if value in ("true", "1", "yes"): - self.tls_policies[domain]["required"] = True - elif value in ("false", "0", "no"): - self.tls_policies[domain]["required"] = False - else: - raise ValueError, "Unknown require-tls value " + `value` - elif policy == "min-tls-version": - reasonable = ["TLS", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"] - reasonable = map(string.lower, reasonable) - if not value in reasonable: - raise ValueError, "Not a valid TLS version string: " + `value` - self.tls_policies[domain]["min-tls-version"] = str(value) - elif policy == "enforce-mode": - if value == "enforce": - self.tls_policies[domain]["enforce"] = True - elif value == "log-only": - self.tls_policies[domain]["enforce"] = False - else: - raise ValueError, "Not a known enoforcement policy " + `value` - elif atr == "acceptable-mxs": - self.acceptable_mxs = val - self.mx_domain_to_address_domains = collections.defaultdict(set) - for address_domain, properties in self.acceptable_mxs.items(): - mx_list = properties["accept-mx-domains"] - if len(mx_list) > 1: - print "Lists of multiple accept-mx-domains not yet supported, skipping ", address_domain - mx_domain = mx_list[0] - self.mx_domain_to_address_domains[mx_domain].add(address_domain) - pass - else: - sys.stderr.write("Unknown attribute: " + `atr` + "\n") - # XXX is it ever permissible to have a domain with an acceptable-mx - # that does not point to a TLS security policy? If not, check/warn/fail - # here - - def get_address_domains(self, mx_hostname): - labels = mx_hostname.split(".") - for n in range(1, len(labels)): - parent = "." + ".".join(labels[n:]) - if parent in self.mx_domain_to_address_domains: - return self.mx_domain_to_address_domains[parent] - return None - - def check_tls_policy_domains(self, val): - if type(val) != dict: - raise TypeError, "tls-policies should be a dict" + `val` - for domain, policies in val.items(): - try: - assert type(domain) == unicode - d = str(domain) # convert from unicode - except: - raise TypeError, "tls-policy domain not a string" + `domain` - yield (d, policies) - -if __name__ == "__main__": - c = Config() From 87022782fb0fa8431632a5713f12927874d0a7b3 Mon Sep 17 00:00:00 2001 From: Peter Eckersley Date: Wed, 9 Mar 2016 10:59:10 -0800 Subject: [PATCH 107/256] Catch stray missing line --- letsencrypt-postfix/PostfixConfigGenerator.py | 1 + 1 file changed, 1 insertion(+) diff --git a/letsencrypt-postfix/PostfixConfigGenerator.py b/letsencrypt-postfix/PostfixConfigGenerator.py index af29d493c..20ca3edb4 100755 --- a/letsencrypt-postfix/PostfixConfigGenerator.py +++ b/letsencrypt-postfix/PostfixConfigGenerator.py @@ -76,6 +76,7 @@ class PostfixConfigGenerator: policy_cf_entry = "texthash:" + self.policy_file self.ensure_cf_var("smtp_tls_policy_maps", policy_cf_entry, []) + self.ensure_cf_var("smtp_tls_CAfile", self.ca_file, []) def maybe_add_config_lines(self): From e42a222c5d54d08836371200afb0af30106d3685 Mon Sep 17 00:00:00 2001 From: Aaron Zauner Date: Tue, 29 Mar 2016 15:02:59 +0200 Subject: [PATCH 108/256] preliminary Postfix version check --- letsencrypt-postfix/PostfixConfigGenerator.py | 25 ++++++++++++++++--- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/letsencrypt-postfix/PostfixConfigGenerator.py b/letsencrypt-postfix/PostfixConfigGenerator.py index 25cab9ce7..162a0d832 100755 --- a/letsencrypt-postfix/PostfixConfigGenerator.py +++ b/letsencrypt-postfix/PostfixConfigGenerator.py @@ -1,6 +1,7 @@ #!/usr/bin/env python import sys import string +import subprocess import os, os.path def parse_line(line_data): @@ -148,13 +149,29 @@ class PostfixConfigGenerator: :raises .NoInstallationError: when the necessary programs/files cannot be located. Plugin will NOT be displayed on a list of available plugins. - :raises .NotSupportedError: - when the installation is recognized, but the version is not - currently supported. - """ + :raises .NotSupportedError: + when the installation is recognized, but the version is not + currently supported. + :rtype tuple: + """ # XXX ensure we raise the right kinds of exceptions self.postfix_cf_file = self.find_postfix_cf() + # Parse Postfix version number (feature support, syntax changes etc.) + mail_version = subprocess.Popen(['/usr/sbin/postconf', '-d', 'mail_version'], \ + stdout=subprocess.PIPE) \ + .communicate()[0].split()[2] + maj, min, rev = mail_version.split('.') + + # Postfix has changed support for TLS features, supported protocol versions + # KEX methods, ciphers et cetera over the years. We sort out version dependend + # differences here and pass them onto other configuration functions. + # see: + # http://www.postfix.org/TLS_README.html + # http://www.postfix.org/FORWARD_SECRECY_README.html + self.postfix_version = mail_version + + return maj, min, rev def more_info(self): """Human-readable string to help the user. From 1cde7f9b5429bc70bee06c38034b51947c5cb758 Mon Sep 17 00:00:00 2001 From: Aaron Zauner Date: Tue, 29 Mar 2016 16:19:34 +0200 Subject: [PATCH 109/256] added doc. on postfix version dependent features --- letsencrypt-postfix/PostfixConfigGenerator.py | 39 ++++++++++++++++++- 1 file changed, 38 insertions(+), 1 deletion(-) diff --git a/letsencrypt-postfix/PostfixConfigGenerator.py b/letsencrypt-postfix/PostfixConfigGenerator.py index 162a0d832..5e219cc43 100755 --- a/letsencrypt-postfix/PostfixConfigGenerator.py +++ b/letsencrypt-postfix/PostfixConfigGenerator.py @@ -162,6 +162,7 @@ class PostfixConfigGenerator: stdout=subprocess.PIPE) \ .communicate()[0].split()[2] maj, min, rev = mail_version.split('.') + self.postfix_version = mail_version # Postfix has changed support for TLS features, supported protocol versions # KEX methods, ciphers et cetera over the years. We sort out version dependend @@ -169,8 +170,44 @@ class PostfixConfigGenerator: # see: # http://www.postfix.org/TLS_README.html # http://www.postfix.org/FORWARD_SECRECY_README.html - self.postfix_version = mail_version + + # Postfix == 2.2: + # - TLS support introduced via 3rd party patch, see: + # http://www.postfix.org/TLS_LEGACY_README.html + # Postfix => 2.2: + # - built-in TLS support added + # - Support for PFS introduced + # - Support for (E)DHE params >= 1024bit (need to be generated), default 1k + + # Postfix => 2.5: + # - Syntax to specify mandatory protocol version changes: + # * < 2.5: `smtpd_tls_mandatory_protocols = TLSv1` + # * => 2.5: `smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3` + # - Certificate fingerprint verification added + + # Postfix => 2.6: + # - Support for ECDHE NIST P-256 curve (enable `smtpd_tls_eecdh_grade = strong`) + # - Support for configurable cipher-suites and protocol versions added, pre-2.6 + # releases always set EXPORT, options: `smtp_tls_ciphers` and `smtp_tls_protocols` + # - `smtp_tls_eccert_file` and `smtp_tls_eckey_file` config. options added + + # Postfix => 2.8: + # - Override Client suite preference w. `tls_preempt_cipherlist = yes` + # - Elliptic curve crypto. support enabled by default + + # Postfix => 2.9: + # - Public key fingerprint support added + # - `permit_tls_clientcerts`, `permit_tls_all_clientcerts` and + # `check_ccert_access` config. options added + + # Postfix <= 2.9.5: + # - BUG: Public key fingerprint is computed incorrectly + + # Postfix => 3.1: + # - Built-in support for TLS management and DANE added, see: + # http://www.postfix.org/postfix-tls.1.html + return maj, min, rev def more_info(self): From 1d37e94e17b552712d1ade5f981aed8ba4835b17 Mon Sep 17 00:00:00 2001 From: Aaron Zauner Date: Tue, 29 Mar 2016 18:43:08 +0200 Subject: [PATCH 110/256] disable SSLv3 and v3 by default #24 --- letsencrypt-postfix/PostfixConfigGenerator.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/letsencrypt-postfix/PostfixConfigGenerator.py b/letsencrypt-postfix/PostfixConfigGenerator.py index 4b6783633..dfb20ccea 100755 --- a/letsencrypt-postfix/PostfixConfigGenerator.py +++ b/letsencrypt-postfix/PostfixConfigGenerator.py @@ -79,6 +79,10 @@ class PostfixConfigGenerator: self.ensure_cf_var("smtp_tls_policy_maps", policy_cf_entry, []) self.ensure_cf_var("smtp_tls_CAfile", self.ca_file, []) + # Disable SSLv2 and SSLv3. Syntax for `smtp_tls_protocols` changed + # between Postfix version 2.5 and 2.6, since we only support => 2.11 + # we don't use nor support legacy Postfix syntax. + self.ensure_cf_var("smtp_tls_protocols", "!SSLv2, !SSLv3", []) def maybe_add_config_lines(self): if not self.additions: From 0ba508ee2dc88bd86aa4209efd55c498e394ffea Mon Sep 17 00:00:00 2001 From: Aaron Zauner Date: Tue, 29 Mar 2016 19:02:00 +0200 Subject: [PATCH 111/256] disable SSLv2,3 client-side too #24 --- letsencrypt-postfix/PostfixConfigGenerator.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/letsencrypt-postfix/PostfixConfigGenerator.py b/letsencrypt-postfix/PostfixConfigGenerator.py index dfb20ccea..609477f0b 100755 --- a/letsencrypt-postfix/PostfixConfigGenerator.py +++ b/letsencrypt-postfix/PostfixConfigGenerator.py @@ -82,7 +82,10 @@ class PostfixConfigGenerator: # Disable SSLv2 and SSLv3. Syntax for `smtp_tls_protocols` changed # between Postfix version 2.5 and 2.6, since we only support => 2.11 # we don't use nor support legacy Postfix syntax. + # - Server: self.ensure_cf_var("smtp_tls_protocols", "!SSLv2, !SSLv3", []) + # - Client: + self.ensure_cf_var("smtp_tls_mandatory_protocols", "!SSLv2, !SSLv3", []) def maybe_add_config_lines(self): if not self.additions: From 2900d5122ca91531fe9696fba4a13de0f7cefb8c Mon Sep 17 00:00:00 2001 From: Aaron Zauner Date: Tue, 29 Mar 2016 19:29:46 +0200 Subject: [PATCH 112/256] set _all_ client&server options to exclude v2 and v3 #24 --- letsencrypt-postfix/PostfixConfigGenerator.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/letsencrypt-postfix/PostfixConfigGenerator.py b/letsencrypt-postfix/PostfixConfigGenerator.py index 609477f0b..2066b74e2 100755 --- a/letsencrypt-postfix/PostfixConfigGenerator.py +++ b/letsencrypt-postfix/PostfixConfigGenerator.py @@ -83,8 +83,10 @@ class PostfixConfigGenerator: # between Postfix version 2.5 and 2.6, since we only support => 2.11 # we don't use nor support legacy Postfix syntax. # - Server: - self.ensure_cf_var("smtp_tls_protocols", "!SSLv2, !SSLv3", []) + self.ensure_cf_var("smtpd_tls_protocols", "!SSLv2, !SSLv3", []) + self.ensure_cf_var("smtpd_tls_mandatory_protocols", "!SSLv2, !SSLv3", []) # - Client: + self.ensure_cf_var("smtp_tls_protocols", "!SSLv2, !SSLv3", []) self.ensure_cf_var("smtp_tls_mandatory_protocols", "!SSLv2, !SSLv3", []) def maybe_add_config_lines(self): From 5cc317408ca73c7b741a65db5b20ccde4e032402 Mon Sep 17 00:00:00 2001 From: Daniel Wilcox Date: Tue, 29 Mar 2016 14:19:13 -0700 Subject: [PATCH 113/256] Move attributes into init and allow for injecting file contents for testing. --- letsencrypt-postfix/PostfixConfigGenerator.py | 32 ++++++++++--------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/letsencrypt-postfix/PostfixConfigGenerator.py b/letsencrypt-postfix/PostfixConfigGenerator.py index af1953208..34654a2d1 100755 --- a/letsencrypt-postfix/PostfixConfigGenerator.py +++ b/letsencrypt-postfix/PostfixConfigGenerator.py @@ -3,6 +3,7 @@ import sys import string import os, os.path + def parse_line(line_data): """ Return the (line number, left hand side, right hand side) of a stripped @@ -17,15 +18,30 @@ def parse_line(line_data): return None return (num, left.strip(), right.strip()) + class ExistingConfigError(ValueError): pass + class PostfixConfigGenerator: - def __init__(self, policy_config, postfix_dir, fixup=False): + def __init__(self, policy_config, postfix_dir, fixup=False, fopen=open): self.fixup = fixup self.postfix_dir = postfix_dir self.policy_config = policy_config self.policy_file = os.path.join(postfix_dir, "starttls_everywhere_policy") + self.additions = [] + self.deletions = [] + self.fn = self.find_postfix_cf() + self.raw_cf = fopen(self.fn).readlines() + self.cf = map(string.strip, self.raw_cf) + #self.cf = [line for line in cf if line and not line.startswith("#")] + self.policy_lines = [] + self.new_cf = "" + + def find_postfix_cf(self): + "Search far and wide for the correct postfix configuration file" + return os.path.join(self.postfix_dir, "main.cf") + def ensure_cf_var(self, var, ideal, also_acceptable): """ Ensure that existing postfix config @var is in the list of @acceptable @@ -60,13 +76,6 @@ class PostfixConfigGenerator: Try to ensure/mutate that the config file is in a sane state. Fixup means we'll delete existing lines if necessary to get there. """ - self.additions = [] - self.deletions = [] - self.fn = self.find_postfix_cf() - self.raw_cf = open(self.fn).readlines() - self.cf = map(string.strip, self.raw_cf) - #self.cf = [line for line in cf if line and not line.startswith("#")] - # Check we're currently accepting inbound STARTTLS sensibly self.ensure_cf_var("smtpd_use_tls", "yes", []) # Ideally we use it opportunistically in the outbound direction @@ -91,7 +100,6 @@ class PostfixConfigGenerator: if self.raw_cf[-1][-1] == "\n": sep = "" else: sep = "\n" - self.new_cf = "" for num, line in enumerate(self.raw_cf): if self.fixup and num in self.deletions: self.new_cf += "# Line removed by STARTTLS Everywhere\n# " + line @@ -104,12 +112,7 @@ class PostfixConfigGenerator: f.write(self.new_cf) f.close() - def find_postfix_cf(self): - "Search far and wide for the correct postfix configuration file" - return os.path.join(self.postfix_dir, "main.cf") - def set_domainwise_tls_policies(self): - self.policy_lines = [] all_acceptable_mxs = self.policy_config.acceptable_mxs for address_domain, properties in all_acceptable_mxs.items(): mx_list = properties.accept_mx_domains @@ -152,7 +155,6 @@ class PostfixConfigGenerator: currently supported. """ # XXX ensure we raise the right kinds of exceptions - self.postfix_cf_file = self.find_postfix_cf() def more_info(self): From fee9c862334bfd290a2b9bd1e07b93badfb66ae5 Mon Sep 17 00:00:00 2001 From: Daniel Wilcox Date: Tue, 29 Mar 2016 14:20:33 -0700 Subject: [PATCH 114/256] Add failing test for get_all_names. --- .../TestPostfixConfigGenerator.py | 62 +++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 letsencrypt-postfix/TestPostfixConfigGenerator.py diff --git a/letsencrypt-postfix/TestPostfixConfigGenerator.py b/letsencrypt-postfix/TestPostfixConfigGenerator.py new file mode 100644 index 000000000..98a0afb5d --- /dev/null +++ b/letsencrypt-postfix/TestPostfixConfigGenerator.py @@ -0,0 +1,62 @@ +#!/usr/bin/env python +# -*- coding: utf-8 -*- + +from __future__ import absolute_import +from __future__ import division +from __future__ import print_function +from __future__ import unicode_literals + +import io +import logging +import unittest + +import Config +import PostfixConfigGenerator as pcg + + +logger = logging.getLogger(__name__) +logger.addHandler(logging.StreamHandler()) + + +# Fake Postfix Configs +names_only_config = """myhostname = mail.fubard.org +mydomain = fubard.org +myorigin = fubard.org""" + + +def GetFakeOpen(fake_file_contents): + fake_file = io.StringIO() + # cast this to unicode for py2 + fake_file.write(fake_file_contents) + fake_file.seek(0) + + def FakeOpen(_): + return fake_file + + return FakeOpen + + +class TestPostfixConfigGenerator(unittest.TestCase): + + def setUp(self): + self.fopen_names_only_config = GetFakeOpen(names_only_config) + #self.config = Config.Config() + self.config = None + self.postfix_dir = 'tests/' + + def tearDown(self): + pass + + def testGetAllNames(self): + sorted_names = ('fubard.org', 'mail.fubard.org') + postfix_config_gen = pcg.PostfixConfigGenerator( + self.config, + self.postfix_dir, + fixup=True, + fopen=self.fopen_names_only_config + ) + self.assertEqual(sorted_names, postfix_config_gen.get_all_names()) + + +if __name__ == '__main__': + unittest.main() From fd1cef3fa03d026e1a0936a84985d68f67b98614 Mon Sep 17 00:00:00 2001 From: Daniel Wilcox Date: Tue, 29 Mar 2016 14:31:27 -0700 Subject: [PATCH 115/256] Implement get_all_names. --- letsencrypt-postfix/PostfixConfigGenerator.py | 9 +++++++++ letsencrypt-postfix/TestPostfixConfigGenerator.py | 2 +- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/letsencrypt-postfix/PostfixConfigGenerator.py b/letsencrypt-postfix/PostfixConfigGenerator.py index 34654a2d1..9863d05d2 100755 --- a/letsencrypt-postfix/PostfixConfigGenerator.py +++ b/letsencrypt-postfix/PostfixConfigGenerator.py @@ -171,6 +171,15 @@ class PostfixConfigGenerator: """Returns all names that may be authenticated. :rtype: `list` of `str` """ + var_names = ('myhostname', 'mydomain', 'myorigin') + names_found = set() + for num, line in enumerate(self.cf): + num, found_var, found_value = parse_line((num, line)) + if found_var in var_names: + names_found.add(found_value) + name_list = list(names_found) + name_list.sort() + return name_list def deploy_cert(self, domain, _cert_path, key_path, _chain_path, fullchain_path): """Deploy certificate. diff --git a/letsencrypt-postfix/TestPostfixConfigGenerator.py b/letsencrypt-postfix/TestPostfixConfigGenerator.py index 98a0afb5d..e1d921c6f 100644 --- a/letsencrypt-postfix/TestPostfixConfigGenerator.py +++ b/letsencrypt-postfix/TestPostfixConfigGenerator.py @@ -48,7 +48,7 @@ class TestPostfixConfigGenerator(unittest.TestCase): pass def testGetAllNames(self): - sorted_names = ('fubard.org', 'mail.fubard.org') + sorted_names = ['fubard.org', 'mail.fubard.org'] postfix_config_gen = pcg.PostfixConfigGenerator( self.config, self.postfix_dir, From 0bf2537a55db2752ee5a8f536b80e5e544128155 Mon Sep 17 00:00:00 2001 From: Daniel Wilcox Date: Tue, 29 Mar 2016 14:32:53 -0700 Subject: [PATCH 116/256] Add initial gitignore. --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index 94c6f7089..cc957df18 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,3 @@ .* *.orig +*.pyc From 1f95ac964071cb904585599ac565fd0fe7dda914 Mon Sep 17 00:00:00 2001 From: Aaron Zauner Date: Wed, 20 Apr 2016 12:43:51 +0700 Subject: [PATCH 117/256] README fixup pt. 1 --- README.md | 25 +++++++++++++++---------- 1 file changed, 15 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 27563a899..774556e7e 100644 --- a/README.md +++ b/README.md @@ -32,6 +32,7 @@ objectives: * Email security database: working pre-alpha, definitely not yet safe * Fully integrated Let's Encrypt client postfix plugin: in progress, not yet ready * DANE support: none yet +* DEEP support: none yet * SMTP-STS integration: none yet * Direct mechanisms for mail domains to request inclusion: none yet * Failure reporting mechanisms: early progress, not yet ready @@ -41,7 +42,10 @@ objectives: ## Authors -Jacob Hoffman-Andrews , Peter Eckersley , Daniel Wilcox , Aaron Zauner +Jacob Hoffman-Andrews , +Peter Eckersley , +Daniel Wilcox , +Aaron Zauner ## Mailing List @@ -49,13 +53,13 @@ starttls-everywhere@eff.org, https://lists.eff.org/mailman/listinfo/starttls-eve ## Background -Most email transferred between SMTP servers (aka MTAs) is transmitted in the clear and trivially interceptable. Encryption of SMTP traffic is possible using the STARTTLS mechanism, which encrypts traffic but is vulnerable to a trivial downgrade attack. +Most email transferred between SMTP servers (aka MTAs) is transmitted in the clear and trivially interceptable. Encryption of SMTP traffic is possible using the STARTTLS mechanism, which encrypts traffic but is vulnerable to trivial downgrade attacks. -To illustrate an easy version of this attack, suppose a network-based attacker Mallory notices that Alice has just uploaded message to her mail server. Mallory can inject a TCP reset (RST) packet during the mail server's next TLS negotiation with another mail server. Nearly all mail servers that implement STARTTLS do so in opportunistic mode, which means that they will retry without encryption if there is any problem with a TLS connection. So Alice's message will be transmitted in the clear. +To illustrate an easy version of this attack, suppose a network-based attacker `Mallory` notices that `Alice` has just uploaded message to her mail server. `Mallory` can inject a TCP reset (RST) packet during the mail server's next TLS negotiation with another mail server. Nearly all mail servers that implement STARTTLS do so in opportunistic mode, which means that they will retry without encryption if there is any problem with a TLS connection. So `Alice`'s message will be transmitted in the clear. Opportunistic TLS in SMTP also extends to certificate validation. Mail servers commonly provide self-signed certificates or certificates with non-validatable hostnames, and senders commonly accept these. This means that if we say 'require TLS for this mail domain,' the domain may still be vulnerable to a man-in-the-middle using any key and certificate chosen by the attacker. -Even if senders require a valid certificate that matches the hostname of a mail host, a DNS MITM is still possible. The sender, to find the correct target hostname, queries DNS for MX records on the recipient domain. Absent DNSSEC, the response can be spoofed to provide the attacker's hostname, for which the attacker holds a valid certificate. +Even if senders require a valid certificate that matches the hostname of a mail host, a DNS MITM or Denial of Service is still possible. The sender, to find the correct target hostname, queries DNS for MX records on the recipient domain. Absent DNSSEC, the response can be spoofed to provide the attacker's hostname, for which the attacker holds a valid certificate. STARTTLS by itself thwarts purely passive eavesdroppers. However, as currently deployed, it allows either bulk or semi-targeted attacks that are very unlikely to be detected. We would like to deploy both detection and prevention for such semi-targeted attacks. @@ -63,7 +67,8 @@ STARTTLS by itself thwarts purely passive eavesdroppers. However, as currently d * Prevent RST attacks from revealing email contents in transit between major MTAs that support STARTTLS. * Prevent MITM attacks at the DNS, SMTP, TLS, or other layers from revealing same. -* Zero or minimal decrease to deliverability rates unless network attacks are actually occurring +* Zero or minimal decrease to deliverability rates unless network attacks are actually occurring. +* Create feedback-loops on targeted attacks and bulk surveilance in an opt-in, anonymized way. ## Non-goals @@ -86,7 +91,7 @@ Attacker has control of routers on the path between two MTAs of interest. Attack ## Alternatives -Our goals can also be accomplished through use of [DNSSEC and DANE](http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-10), which is certainly a more scalable solution. However, operators have been very slow to roll out DNSSEC supprt. We feel there is value in deploying an intermediate solution that does not rely on DNSSEC. This will improve the email security situation more quickly. It will also provide operational experience with authenticated SMTP over TLS that will make eventual rollout of a DANE solution easier. +Our goals can also be accomplished through use of [DNSSEC and DANE](http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-10), which is certainly a more scalable solution. However, operators have been very slow to roll out DNSSEC supprt. We feel there is value in deploying an intermediate solution that does not rely on DNSSEC. This will improve the email security situation more quickly. It will also provide operational experience with authenticated SMTP over TLS that will make eventual rollout of DANE-based solutions easier. ## Detailed design @@ -147,7 +152,7 @@ The basic file format will be JSON with comments (http://blog.getify.com/json-co A user of this file format may choose to accept multiple files. For instance, the EFF might provide an overall configuration covering major mail providers, and another organization might produce an overlay for mail providers in a specific country. If so, they override each other on a per-domain basis. -The _timestamp_ field is an integer number of epoch seconds. When retrieving a fresh configuration file, config-generator should validate that the timestamp is greater than or equal to the version number of the file it already has. +The _timestamp_ field is an integer number of epoch seconds from 00:00:00 UTC on 1 January 1970. When retrieving a fresh configuration file, config-generator should validate that the timestamp is greater than or equal to the version number of the file it already has. There is no inline signature field. The configuration file should be distributed with authentication using an offline signing key. @@ -183,7 +188,7 @@ The _accept-pinset_ field references an entry in the pinsets list, which has the ## Pinning and hostname verification -Like Chrome (and soon Firefox) we want to encourage pinning to a trusted root or intermediate rather than a leaf cert, to minimize spurious pinning failures when hosts rotate keys. +Like Chrome and Firefox we want to encourage pinning to a trusted root or intermediate rather than a leaf cert, to minimize spurious pinning failures when hosts rotate keys. The other option is to automatically pin leaf certs as observed in the wild. This would be one solution to the hostname verification and self-signed certificate problem. However, it is a non-starter. Even if we expect mail operators to auto-update configuration on a daily basis, this approach cannot add new certs until they are observed in the wild. That means that any time an operator rotates keys on a mail server, there would be a significant window of time in which the new keys would be rejected. @@ -194,7 +199,7 @@ We do not attempt to solve the self-signed certificate problem. For mail hosts w We have three options for creating the configuration file: 1. Ask mail operators to submit policies for their domains which we incorporate. -2. Manually curate a set of policies for the top N mail domains. +2. Manually curate a set of policies for the top `N` mail domains. 3. Programmatically create a set of policies by connecting to the top N mail domains. For option (1), there's a bootstrapping problem: No one will opt in until it's useful; It won't be useful until people opt in. Option (1) does have the advantage that it's the only good way to get pinning directives. @@ -225,6 +230,6 @@ Additionally, for ongoing monitoring of third-party deployments, we will create ## Failure reporting -For the mail operator deploying STARTTLS Everywhere, we will provide log analysis scripts that can be used out-of-the-box to monitor how many delivery failures or would-be failures are due to STARTTLS Everywhere policies. These would be designed to run in a cron job and send notices only when STARTTLS Everywhere-related failures exceed 0.1% for any given recipient domains. For very high-volume mail operators, it would likely be necessary to adapt the analysis scripts to their own logging and analysis infrastructure. +For the mail operator deploying STARTTLS Everywhere, we will provide log analysis scripts that can be used out-of-the-box to monitor how many delivery failures or would-be failures are due to STARTTLS Everywhere policies. These would be designed to run in a cron job or small opt-in daemon and send notices only when STARTTLS Everywhere-related failures exceed a certain percentage for any given recipient domains. For very high-volume mail operators, it would likely be necessary to adapt the analysis scripts to their own logging and analysis infrastructure. For recipient domains who are listed in the STARTTLS Everywhere configuration, we would provide a configuration field to specify an email address or HTTPS URL to which that sender domains could send failure information. This would provide a mechanism for recipient domains to identify problems with their TLS deployment and fix them. The reported information should not contain any personal information, including email addresses. Example fields for failure reports: timestamps at minute granularity, target MX hostname, resolved MX IP address, failure type, certificate. Since failures are likely to come in batches, the error sending mechanism should batch them up and summarize as necessary to avoid flooding the recipient. From cc83e9ba52d9bd13dd43e72942458e95b0e6fba8 Mon Sep 17 00:00:00 2001 From: Daniel Wilcox Date: Thu, 28 Apr 2016 12:26:56 -0700 Subject: [PATCH 118/256] Wrap some lines, new style exceptions, return check for restart. --- letsencrypt-postfix/PostfixConfigGenerator.py | 39 ++++++++++++------- 1 file changed, 24 insertions(+), 15 deletions(-) diff --git a/letsencrypt-postfix/PostfixConfigGenerator.py b/letsencrypt-postfix/PostfixConfigGenerator.py index 1ac9d9fc6..927b7e729 100755 --- a/letsencrypt-postfix/PostfixConfigGenerator.py +++ b/letsencrypt-postfix/PostfixConfigGenerator.py @@ -28,7 +28,8 @@ class PostfixConfigGenerator: self.fixup = fixup self.postfix_dir = postfix_dir self.policy_config = policy_config - self.policy_file = os.path.join(postfix_dir, "starttls_everywhere_policy") + self.policy_file = os.path.join(postfix_dir, + "starttls_everywhere_policy") self.ca_file = os.path.join(postfix_dir, "starttls_everywhere_CAfile") self.additions = [] @@ -51,7 +52,8 @@ class PostfixConfigGenerator: """ acceptable = [ideal] + also_acceptable - l = [(num,line) for num,line in enumerate(self.cf) if line.startswith(var)] + l = [(num,line) for num,line in enumerate(self.cf) + if line.startswith(var)] if not any(l): self.additions.append(var + " = " + ideal) else: @@ -62,14 +64,18 @@ class PostfixConfigGenerator: self.deletions.extend(conflicting_lines) self.additions.append(var + " = " + ideal) else: - raise ExistingConfigError, "Conflicting existing config values " + `l` + raise ExistingConfigError( + "Conflicting existing config values " + `l` + ) val = values[0][2] if val not in acceptable: if self.fixup: self.deletions.append(values[0][0]) self.additions.append(var + " = " + ideal) else: - raise ExistingConfigError, "Existing config has %s=%s"%(var,val) + raise ExistingConfigError( + "Existing config has %s=%s"%(var,val) + ) def wrangle_existing_config(self): """ @@ -96,12 +102,14 @@ class PostfixConfigGenerator: # - Client: self.ensure_cf_var("smtp_tls_mandatory_protocols", "!SSLv2, !SSLv3", []) - def maybe_add_config_lines(self): + def maybe_add_config_lines(self, fopen=open): if not self.additions: return if self.fixup: print "Deleting lines:", self.deletions - self.additions[:0]=["#","# New config lines added by STARTTLS Everywhere","#"] + self.additions[:0]=["#", + "# New config lines added by STARTTLS Everywhere", + "#"] new_cf_lines = "\n".join(self.additions) + "\n" print "Adding to %s:" % self.fn print new_cf_lines @@ -118,10 +126,10 @@ class PostfixConfigGenerator: if not os.access(self.postfix_cf_file, os.W_OK): raise Exception("Can't write to %s, please re-run as root." % self.postfix_cf_file) - with open(self.fn, "w") as f: + with fopen(self.fn, "w") as f: f.write(self.new_cf) - def set_domainwise_tls_policies(self): + def set_domainwise_tls_policies(self, fopen=open): all_acceptable_mxs = self.policy_config.acceptable_mxs for address_domain, properties in all_acceptable_mxs.items(): mx_list = properties.accept_mx_domains @@ -142,9 +150,8 @@ class PostfixConfigGenerator: print mx_policy.min_tls_version self.policy_lines.append(entry) - f = open(self.policy_file, "w") - f.write("\n".join(self.policy_lines) + "\n") - f.close() + with fopen(self.policy_file, "w") as f: + f.write("\n".join(self.policy_lines) + "\n") ### Let's Encrypt client IPlugin ### # https://github.com/letsencrypt/letsencrypt/blob/master/letsencrypt/plugins/common.py#L35 @@ -335,17 +342,19 @@ class PostfixConfigGenerator: """ print "Reloading postfix config..." if os.geteuid() != 0: - os.system("sudo service postfix reload") + rc = os.system("sudo service postfix reload") else: - os.system("service postfix reload") + rc = os.system("service postfix reload") + if rc != 0: + raise Exception('PluginError: cannot restart postfix') def update_CAfile(self): os.system("cat /usr/share/ca-certificates/mozilla/*.crt > " + self.ca_file) def usage(): - print ("Usage: %s starttls-everywhere.json /etc/postfix /etc/letsencrypt/live/example.com/" % - sys.argv[0]) + print ("Usage: %s starttls-everywhere.json /etc/postfix " + "/etc/letsencrypt/live/example.com/" % sys.argv[0]) sys.exit(1) From e75bafa43908d9f66f94ffae1393f18c9262f5a1 Mon Sep 17 00:00:00 2001 From: Daniel Wilcox Date: Thu, 28 Apr 2016 12:27:49 -0700 Subject: [PATCH 119/256] Add basic test for get_all_certs_keys IInstaller interface method. --- .../TestPostfixConfigGenerator.py | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/letsencrypt-postfix/TestPostfixConfigGenerator.py b/letsencrypt-postfix/TestPostfixConfigGenerator.py index e1d921c6f..ebcf12a4c 100644 --- a/letsencrypt-postfix/TestPostfixConfigGenerator.py +++ b/letsencrypt-postfix/TestPostfixConfigGenerator.py @@ -24,6 +24,12 @@ mydomain = fubard.org myorigin = fubard.org""" +certs_only_config = """ +smtpd_tls_cert_file = /etc/letsencrypt/live/www.fubard.org/fullchain.pem +smtpd_tls_key_file = /etc/letsencrypt/live/www.fubard.org/privkey.pem +""" + + def GetFakeOpen(fake_file_contents): fake_file = io.StringIO() # cast this to unicode for py2 @@ -40,6 +46,7 @@ class TestPostfixConfigGenerator(unittest.TestCase): def setUp(self): self.fopen_names_only_config = GetFakeOpen(names_only_config) + self.fopen_certs_only_config = GetFakeOpen(certs_only_config) #self.config = Config.Config() self.config = None self.postfix_dir = 'tests/' @@ -57,6 +64,18 @@ class TestPostfixConfigGenerator(unittest.TestCase): ) self.assertEqual(sorted_names, postfix_config_gen.get_all_names()) + def testGetAllCertAndKeys(self): + return_vals = ('/etc/letsencrypt/live/www.fubard.org/fullchain.pem', + '/etc/letsencrypt/live/www.fubard.org/privkey.pem', + None) + postfix_config_gen = pcg.PostfixConfigGenerator( + self.config, + self.postfix_dir, + fixup=True, + fopen=self.fopen_certs_only_config + ) + self.assertEqual(return_vals, postfix_config_gen.get_all_certs_keys()) + if __name__ == '__main__': unittest.main() From c6baa82ee4030bc75c8da3ea60ff22865d3a9137 Mon Sep 17 00:00:00 2001 From: Daniel Wilcox Date: Thu, 28 Apr 2016 15:14:06 -0700 Subject: [PATCH 120/256] Implement basic get_all_certs_keys, tests pass. --- letsencrypt-postfix/PostfixConfigGenerator.py | 11 +++++++++++ letsencrypt-postfix/TestPostfixConfigGenerator.py | 13 ++++++------- 2 files changed, 17 insertions(+), 7 deletions(-) diff --git a/letsencrypt-postfix/PostfixConfigGenerator.py b/letsencrypt-postfix/PostfixConfigGenerator.py index 927b7e729..b5adba1a2 100755 --- a/letsencrypt-postfix/PostfixConfigGenerator.py +++ b/letsencrypt-postfix/PostfixConfigGenerator.py @@ -296,6 +296,17 @@ class PostfixConfigGenerator: - `path` - file path to configuration file :rtype: list """ + cert_materials = {'smtpd_tls_key_file': None, + 'smtpd_tls_cert_file': None, + } + for num, line in enumerate(self.cf): + print 'Line is: %s' % line + num, found_var, found_value = parse_line((num, line)) + if found_var in cert_materials.keys(): + cert_materials[found_var] = found_value + return [(cert_materials['smtpd_tls_cert_file'], + cert_materials['smtpd_tls_key_file'], + self.fn),] def save(self, title=None, temporary=False): """Saves all changes to the configuration files. diff --git a/letsencrypt-postfix/TestPostfixConfigGenerator.py b/letsencrypt-postfix/TestPostfixConfigGenerator.py index ebcf12a4c..57cbb59c0 100644 --- a/letsencrypt-postfix/TestPostfixConfigGenerator.py +++ b/letsencrypt-postfix/TestPostfixConfigGenerator.py @@ -24,10 +24,9 @@ mydomain = fubard.org myorigin = fubard.org""" -certs_only_config = """ -smtpd_tls_cert_file = /etc/letsencrypt/live/www.fubard.org/fullchain.pem -smtpd_tls_key_file = /etc/letsencrypt/live/www.fubard.org/privkey.pem -""" +certs_only_config = ( +"""smtpd_tls_cert_file = /etc/letsencrypt/live/www.fubard.org/fullchain.pem +smtpd_tls_key_file = /etc/letsencrypt/live/www.fubard.org/privkey.pem""") def GetFakeOpen(fake_file_contents): @@ -65,9 +64,9 @@ class TestPostfixConfigGenerator(unittest.TestCase): self.assertEqual(sorted_names, postfix_config_gen.get_all_names()) def testGetAllCertAndKeys(self): - return_vals = ('/etc/letsencrypt/live/www.fubard.org/fullchain.pem', - '/etc/letsencrypt/live/www.fubard.org/privkey.pem', - None) + return_vals = [('/etc/letsencrypt/live/www.fubard.org/fullchain.pem', + '/etc/letsencrypt/live/www.fubard.org/privkey.pem', + 'tests/main.cf'),] postfix_config_gen = pcg.PostfixConfigGenerator( self.config, self.postfix_dir, From 7edceec8ac976ea5680ab081d8884ec6e6ff2a2c Mon Sep 17 00:00:00 2001 From: Daniel Wilcox Date: Thu, 28 Apr 2016 15:27:11 -0700 Subject: [PATCH 121/256] Add test case and fix to properly handle configs with no smtpd_tls_* vars. --- letsencrypt-postfix/PostfixConfigGenerator.py | 12 ++++++++---- letsencrypt-postfix/TestPostfixConfigGenerator.py | 11 +++++++++++ 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/letsencrypt-postfix/PostfixConfigGenerator.py b/letsencrypt-postfix/PostfixConfigGenerator.py index b5adba1a2..859d86ffe 100755 --- a/letsencrypt-postfix/PostfixConfigGenerator.py +++ b/letsencrypt-postfix/PostfixConfigGenerator.py @@ -300,13 +300,17 @@ class PostfixConfigGenerator: 'smtpd_tls_cert_file': None, } for num, line in enumerate(self.cf): - print 'Line is: %s' % line num, found_var, found_value = parse_line((num, line)) if found_var in cert_materials.keys(): cert_materials[found_var] = found_value - return [(cert_materials['smtpd_tls_cert_file'], - cert_materials['smtpd_tls_key_file'], - self.fn),] + + if not all(cert_materials.values()): + cert_material_tuples = [] + else: + cert_material_tuples = [(cert_materials['smtpd_tls_cert_file'], + cert_materials['smtpd_tls_key_file'], + self.fn),] + return cert_material_tuples def save(self, title=None, temporary=False): """Saves all changes to the configuration files. diff --git a/letsencrypt-postfix/TestPostfixConfigGenerator.py b/letsencrypt-postfix/TestPostfixConfigGenerator.py index 57cbb59c0..4a96aa30f 100644 --- a/letsencrypt-postfix/TestPostfixConfigGenerator.py +++ b/letsencrypt-postfix/TestPostfixConfigGenerator.py @@ -46,6 +46,8 @@ class TestPostfixConfigGenerator(unittest.TestCase): def setUp(self): self.fopen_names_only_config = GetFakeOpen(names_only_config) self.fopen_certs_only_config = GetFakeOpen(certs_only_config) + self.fopen_no_certs_only_config = self.fopen_names_only_config + #self.config = Config.Config() self.config = None self.postfix_dir = 'tests/' @@ -75,6 +77,15 @@ class TestPostfixConfigGenerator(unittest.TestCase): ) self.assertEqual(return_vals, postfix_config_gen.get_all_certs_keys()) + def testGetAllCertsAndKeys_With_None(self): + postfix_config_gen = pcg.PostfixConfigGenerator( + self.config, + self.postfix_dir, + fixup=True, + fopen=self.fopen_no_certs_only_config + ) + self.assertEqual([], postfix_config_gen.get_all_certs_keys()) + if __name__ == '__main__': unittest.main() From 4d24eb83a82095b7a740263629bbc55f7972e0f9 Mon Sep 17 00:00:00 2001 From: Daniel Wilcox Date: Thu, 28 Apr 2016 16:11:37 -0700 Subject: [PATCH 122/256] Move version fetching into get_version and implement more_info method. --- letsencrypt-postfix/PostfixConfigGenerator.py | 57 ++++++++++++++++--- 1 file changed, 48 insertions(+), 9 deletions(-) diff --git a/letsencrypt-postfix/PostfixConfigGenerator.py b/letsencrypt-postfix/PostfixConfigGenerator.py index 859d86ffe..0163e4bff 100755 --- a/letsencrypt-postfix/PostfixConfigGenerator.py +++ b/letsencrypt-postfix/PostfixConfigGenerator.py @@ -24,7 +24,12 @@ class ExistingConfigError(ValueError): pass class PostfixConfigGenerator: - def __init__(self, policy_config, postfix_dir, fixup=False, fopen=open): + def __init__(self, + policy_config, + postfix_dir, + fixup=False, + fopen=open, + version=None): self.fixup = fixup self.postfix_dir = postfix_dir self.policy_config = policy_config @@ -41,6 +46,9 @@ class PostfixConfigGenerator: self.policy_lines = [] self.new_cf = "" + # Set in .prepare() unless running in a test + self.postfix_version = version + def find_postfix_cf(self): "Search far and wide for the correct postfix configuration file" return os.path.join(self.postfix_dir, "main.cf") @@ -174,13 +182,14 @@ class PostfixConfigGenerator: """ # XXX ensure we raise the right kinds of exceptions - # Parse Postfix version number (feature support, syntax changes etc.) - mail_version = subprocess.Popen(['/usr/sbin/postconf', '-d', 'mail_version'], \ - stdout=subprocess.PIPE) \ - .communicate()[0].split()[2] - maj, min, rev = mail_version.split('.') - self.postfix_version = mail_version - + if not self.postfix_version: + self.postfix_version = self.get_version() + + if self.postfix_version < (2, 11, 0): + raise Exception( + 'NotSupportedError: Postfix version is too old -- test.' + ) + # Postfix has changed support for TLS features, supported protocol versions # KEX methods, ciphers et cetera over the years. We sort out version dependend # differences here and pass them onto other configuration functions. @@ -225,7 +234,28 @@ class PostfixConfigGenerator: # - Built-in support for TLS management and DANE added, see: # http://www.postfix.org/postfix-tls.1.html - return maj, min, rev + def get_version(self): + """Return the mail version of Postfix. + + Version is returned as a tuple. (e.g. '2.11.3' is (2, 11, 3)) + + :returns: version + :rtype: tuple + + :raises .PluginError: + Unable to find Postfix version. + """ + # Parse Postfix version number (feature support, syntax changes etc.) + cmd = subprocess.Popen(['/usr/sbin/postconf', '-d', 'mail_version'], + stdout=subprocess.PIPE) + stdout, _ = cmd.communicate() + if cmd.returncode != 0: + raise Exception('PluginError: Unable to determine Postfix version.') + + # grabs version component of string like "mail_version = 2.11.3" + mail_version = stdout.split()[2] + postfix_version = tuple([int(i) for i in mail_version.split('.')]) + return postfix_version def more_info(self): """Human-readable string to help the user. @@ -233,6 +263,15 @@ class PostfixConfigGenerator: decide which plugin to use. :rtype str: """ + return ( + "Configures Postfix to try to authenticate mail servers, use " + "installed certificates and disable weak ciphers and protocols.{0}" + "Server root: {root}{0}" + "Version: {version}".format( + os.linesep, + root=self.postfix_dir, + version='.'.join([str(i) for i in self.postfix_version])) + ) ### Let's Encrypt client IInstaller ### From c43602c90808d19e78bd2ee213f007e6ee7fc9ad Mon Sep 17 00:00:00 2001 From: Daniel Wilcox Date: Thu, 28 Apr 2016 16:30:08 -0700 Subject: [PATCH 123/256] Add simple config_test implementation. --- letsencrypt-postfix/PostfixConfigGenerator.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/letsencrypt-postfix/PostfixConfigGenerator.py b/letsencrypt-postfix/PostfixConfigGenerator.py index 0163e4bff..166206560 100755 --- a/letsencrypt-postfix/PostfixConfigGenerator.py +++ b/letsencrypt-postfix/PostfixConfigGenerator.py @@ -364,7 +364,6 @@ class PostfixConfigGenerator: be quickly reversed in the future (challenges) :raises .PluginError: when save is unsuccessful """ - self.maybe_add_config_lines() def rollback_checkpoints(self, rollback=1): @@ -389,6 +388,12 @@ class PostfixConfigGenerator: """Make sure the configuration is valid. :raises .MisconfigurationError: when the config is not in a usable state """ + if os.geteuid() != 0: + rc = os.system('sudo /usr/sbin/postfix check') + else: + rc = os.system('/usr/sbin/postfix check') + if rc != 0: + raise Exception('MisconfigurationError: Postfix failed self-check.') def restart(self): """Restart or refresh the server content. From 5d07b702695f08dfd0fb35a59f74c411f756c22c Mon Sep 17 00:00:00 2001 From: Daniel Wilcox Date: Thu, 28 Apr 2016 16:40:06 -0700 Subject: [PATCH 124/256] Change over to using logging module from print statements. --- letsencrypt-postfix/PostfixConfigGenerator.py | 26 +++++++++++++------ 1 file changed, 18 insertions(+), 8 deletions(-) diff --git a/letsencrypt-postfix/PostfixConfigGenerator.py b/letsencrypt-postfix/PostfixConfigGenerator.py index 166206560..43a8fa116 100755 --- a/letsencrypt-postfix/PostfixConfigGenerator.py +++ b/letsencrypt-postfix/PostfixConfigGenerator.py @@ -1,10 +1,15 @@ #!/usr/bin/env python + +import logging import sys import string import subprocess import os, os.path +logger = logging.getLogger(__name__) + + def parse_line(line_data): """ Return the (line number, left hand side, right hand side) of a stripped @@ -114,13 +119,13 @@ class PostfixConfigGenerator: if not self.additions: return if self.fixup: - print "Deleting lines:", self.deletions + logger.info('Deleting lines: {}'.format(self.deletions)) self.additions[:0]=["#", "# New config lines added by STARTTLS Everywhere", "#"] new_cf_lines = "\n".join(self.additions) + "\n" - print "Adding to %s:" % self.fn - print new_cf_lines + logger.info('Adding to {}:'.format(self.fn)) + logger.info(new_cf_lines) if self.raw_cf[-1][-1] == "\n": sep = "" else: sep = "\n" @@ -142,9 +147,12 @@ class PostfixConfigGenerator: for address_domain, properties in all_acceptable_mxs.items(): mx_list = properties.accept_mx_domains if len(mx_list) > 1: - print "Lists of multiple accept-mx-domains not yet supported." - print "Using MX %s for %s" % (mx_list[0], address_domain) - print "Ignoring: %s" % (', '.join(mx_list[1:])) + logger.warn('Lists of multiple accept-mx-domains not yet ' + 'supported.') + logger.warn('Using MX {} for {}".format(mx_list[0], + address_domain) + ) + logger.warn('Ignoring: {}'.format(', '.join(mx_list[1:]))) mx_domain = mx_list[0] mx_policy = self.policy_config.get_tls_policy(mx_domain) entry = address_domain + " encrypt" @@ -155,7 +163,9 @@ class PostfixConfigGenerator: elif mx_policy.min_tls_version.lower() == "tlsv1.2": entry += " protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1" else: - print mx_policy.min_tls_version + logger.warn('Unknown minimum TLS version: {} '.format( + mx_policy.min_tls_version) + ) self.policy_lines.append(entry) with fopen(self.policy_file, "w") as f: @@ -399,7 +409,7 @@ class PostfixConfigGenerator: """Restart or refresh the server content. :raises .PluginError: when server cannot be restarted """ - print "Reloading postfix config..." + logger.info('Reloading postfix config...') if os.geteuid() != 0: rc = os.system("sudo service postfix reload") else: From 887871833d407f4597066ca18c07a0c204a4e097 Mon Sep 17 00:00:00 2001 From: Daniel Wilcox Date: Thu, 28 Apr 2016 16:44:25 -0700 Subject: [PATCH 125/256] Fix typo in changing quotes. --- letsencrypt-postfix/PostfixConfigGenerator.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/letsencrypt-postfix/PostfixConfigGenerator.py b/letsencrypt-postfix/PostfixConfigGenerator.py index 43a8fa116..214d98954 100755 --- a/letsencrypt-postfix/PostfixConfigGenerator.py +++ b/letsencrypt-postfix/PostfixConfigGenerator.py @@ -149,7 +149,7 @@ class PostfixConfigGenerator: if len(mx_list) > 1: logger.warn('Lists of multiple accept-mx-domains not yet ' 'supported.') - logger.warn('Using MX {} for {}".format(mx_list[0], + logger.warn('Using MX {} for {}'.format(mx_list[0], address_domain) ) logger.warn('Ignoring: {}'.format(', '.join(mx_list[1:]))) From af38c30c9c506cb6e40cd4b1b32103d964ab9bee Mon Sep 17 00:00:00 2001 From: Daniel Wilcox Date: Thu, 28 Apr 2016 17:02:29 -0700 Subject: [PATCH 126/256] Fix path to postfix config variable. --- letsencrypt-postfix/PostfixConfigGenerator.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/letsencrypt-postfix/PostfixConfigGenerator.py b/letsencrypt-postfix/PostfixConfigGenerator.py index 214d98954..8fcfb7e8b 100755 --- a/letsencrypt-postfix/PostfixConfigGenerator.py +++ b/letsencrypt-postfix/PostfixConfigGenerator.py @@ -136,9 +136,9 @@ class PostfixConfigGenerator: self.new_cf += line self.new_cf += sep + new_cf_lines - if not os.access(self.postfix_cf_file, os.W_OK): + if not os.access(self.fn, os.W_OK): raise Exception("Can't write to %s, please re-run as root." - % self.postfix_cf_file) + % self.fn) with fopen(self.fn, "w") as f: f.write(self.new_cf) From a5f23b5314c6afbac26c27e494d3d92603d777e1 Mon Sep 17 00:00:00 2001 From: Daniel Wilcox Date: Thu, 28 Apr 2016 17:10:21 -0700 Subject: [PATCH 127/256] Configure logger to be a touch louder... than silent --- letsencrypt-postfix/PostfixConfigGenerator.py | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/letsencrypt-postfix/PostfixConfigGenerator.py b/letsencrypt-postfix/PostfixConfigGenerator.py index 8fcfb7e8b..38ef0f4c9 100755 --- a/letsencrypt-postfix/PostfixConfigGenerator.py +++ b/letsencrypt-postfix/PostfixConfigGenerator.py @@ -8,6 +8,10 @@ import os, os.path logger = logging.getLogger(__name__) +logger.setLevel(logging.DEBUG) +log_handler = logging.StreamHandler() +log_handler.setLevel(logging.DEBUG) +logger.addHandler(log_handler) def parse_line(line_data): From 619e273ae5ef6800c584cbe1ef9160fb6045a1e6 Mon Sep 17 00:00:00 2001 From: Ewoud Kohl van Wijngaarden Date: Wed, 10 May 2017 15:44:55 +0200 Subject: [PATCH 128/256] Correct markdown link syntax --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index 774556e7e..7413228f6 100644 --- a/README.md +++ b/README.md @@ -80,8 +80,7 @@ STARTTLS by itself thwarts purely passive eavesdroppers. However, as currently d ## Motivating examples * [Unnammed mobile broadband provider overwrites STARTTLS flag and commands to - prevent negotiating an encrypted connection] - (https://www.techdirt.com/articles/20141012/06344928801/revealed-isps-already-violating-net-neutrality-to-block-encryption-make-everyone-less-safe-online.shtml) + prevent negotiating an encrypted connection](https://www.techdirt.com/articles/20141012/06344928801/revealed-isps-already-violating-net-neutrality-to-block-encryption-make-everyone-less-safe-online.shtml) * [Unknown party removes STARTTLS flag from all SMTP connections leaving Thailand](http://www.telecomasia.net/content/google-yahoo-smtp-email-severs-hit-thailand) From e2d95b371992247ba5806c5b107b5449047e8c8d Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 4 Aug 2017 09:02:56 -0700 Subject: [PATCH 129/256] Create packaging around PostfixConfigGenerator. --- certbot-postfix/LICENSE.txt | 190 ++++++++++++++++++ certbot-postfix/MANIFEST.in | 2 + certbot-postfix/README.rst | 1 + certbot-postfix/certbot_postfix/__init__.py | 3 + .../certbot_postfix/installer.py | 0 .../certbot_postfix/installer_test.py | 0 certbot-postfix/setup.cfg | 2 + certbot-postfix/setup.py | 57 ++++++ 8 files changed, 255 insertions(+) create mode 100644 certbot-postfix/LICENSE.txt create mode 100644 certbot-postfix/MANIFEST.in create mode 100644 certbot-postfix/README.rst create mode 100644 certbot-postfix/certbot_postfix/__init__.py rename letsencrypt-postfix/PostfixConfigGenerator.py => certbot-postfix/certbot_postfix/installer.py (100%) mode change 100755 => 100644 rename letsencrypt-postfix/TestPostfixConfigGenerator.py => certbot-postfix/certbot_postfix/installer_test.py (100%) create mode 100644 certbot-postfix/setup.cfg create mode 100644 certbot-postfix/setup.py diff --git a/certbot-postfix/LICENSE.txt b/certbot-postfix/LICENSE.txt new file mode 100644 index 000000000..c8314fd1c --- /dev/null +++ b/certbot-postfix/LICENSE.txt @@ -0,0 +1,190 @@ + Copyright 2017 Electronic Frontier Foundation and others + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS diff --git a/certbot-postfix/MANIFEST.in b/certbot-postfix/MANIFEST.in new file mode 100644 index 000000000..97e2ad3df --- /dev/null +++ b/certbot-postfix/MANIFEST.in @@ -0,0 +1,2 @@ +include LICENSE.txt +include README.rst diff --git a/certbot-postfix/README.rst b/certbot-postfix/README.rst new file mode 100644 index 000000000..ee88648d3 --- /dev/null +++ b/certbot-postfix/README.rst @@ -0,0 +1 @@ +Postfix plugin for Certbot diff --git a/certbot-postfix/certbot_postfix/__init__.py b/certbot-postfix/certbot_postfix/__init__.py new file mode 100644 index 000000000..703cb659b --- /dev/null +++ b/certbot-postfix/certbot_postfix/__init__.py @@ -0,0 +1,3 @@ +"""Certbot Postfix plugin.""" + +from certbot_postfix.installer import PostfixConfigGenerator as Installer diff --git a/letsencrypt-postfix/PostfixConfigGenerator.py b/certbot-postfix/certbot_postfix/installer.py old mode 100755 new mode 100644 similarity index 100% rename from letsencrypt-postfix/PostfixConfigGenerator.py rename to certbot-postfix/certbot_postfix/installer.py diff --git a/letsencrypt-postfix/TestPostfixConfigGenerator.py b/certbot-postfix/certbot_postfix/installer_test.py similarity index 100% rename from letsencrypt-postfix/TestPostfixConfigGenerator.py rename to certbot-postfix/certbot_postfix/installer_test.py diff --git a/certbot-postfix/setup.cfg b/certbot-postfix/setup.cfg new file mode 100644 index 000000000..2a9acf13d --- /dev/null +++ b/certbot-postfix/setup.cfg @@ -0,0 +1,2 @@ +[bdist_wheel] +universal = 1 diff --git a/certbot-postfix/setup.py b/certbot-postfix/setup.py new file mode 100644 index 000000000..df78948bb --- /dev/null +++ b/certbot-postfix/setup.py @@ -0,0 +1,57 @@ +import sys + +from setuptools import setup +from setuptools import find_packages + + +version = '0.18.0.dev0' + +install_requires = [ + 'acme=={0}'.format(version), + 'certbot=={0}'.format(version), + # For pkg_resources. >=1.0 so pip resolves it to a version cryptography + # will tolerate; see #2599: + 'setuptools>=1.0', +] + +setup( + name='certbot-postfix', + version=version, + description="Postfix plugin for Certbot", + url='https://github.com/certbot/certbot', + author="Certbot Project", + author_email='client-dev@letsencrypt.org', + license='Apache License 2.0', + classifiers=[ + 'Development Status :: 3 - Alpha', + 'Environment :: Plugins', + 'Intended Audience :: System Administrators', + 'License :: OSI Approved :: Apache Software License', + 'Operating System :: POSIX :: Linux', + 'Programming Language :: Python', + 'Programming Language :: Python :: 2', + 'Programming Language :: Python :: 2.6', + 'Programming Language :: Python :: 2.7', + 'Programming Language :: Python :: 3', + 'Programming Language :: Python :: 3.3', + 'Programming Language :: Python :: 3.4', + 'Programming Language :: Python :: 3.5', + 'Programming Language :: Python :: 3.6', + 'Topic :: Communications :: Email :: Mail Transport Agents', + 'Topic :: Security', + 'Topic :: System :: Installation/Setup', + 'Topic :: System :: Networking', + 'Topic :: System :: Systems Administration', + 'Topic :: Utilities', + ], + + packages=find_packages(), + include_package_data=True, + install_requires=install_requires, + entry_points={ + 'certbot.plugins': [ + 'postfix = certbot_postfix:Installer', + ], + }, + test_suite='certbot_postfix', +) From 74b22a596e07e76626a014dac68a90fb7e50e30e Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 4 Aug 2017 09:03:30 -0700 Subject: [PATCH 130/256] Ignore egg-info dirs --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index cc957df18..e36c9c50b 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ .* *.orig *.pyc +*.egg-info/ From f89051cc2ad7ddd514cacf873d0758fece796c06 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 4 Aug 2017 09:18:51 -0700 Subject: [PATCH 131/256] Completely implement the Certbot plugin interfaces --- certbot-postfix/certbot_postfix/installer.py | 12 +++++++++++- certbot-postfix/setup.py | 1 + 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index d660e35f5..a4500cf24 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -6,6 +6,11 @@ import string import subprocess import os, os.path +import zope.interface + +from certbot import interfaces +from certbot.plugins import common as plugins_common + logger = logging.getLogger(__name__) logger.setLevel(logging.DEBUG) @@ -32,7 +37,12 @@ def parse_line(line_data): class ExistingConfigError(ValueError): pass -class PostfixConfigGenerator: +@zope.interface.implementer(interfaces.IInstaller) +@zope.interface.provider(interfaces.IPluginFactory) +class PostfixConfigGenerator(plugins_common.Plugin): + + description = "Configure TLS with the Postfix MTA" + def __init__(self, policy_config, postfix_dir, diff --git a/certbot-postfix/setup.py b/certbot-postfix/setup.py index df78948bb..1f087ccc0 100644 --- a/certbot-postfix/setup.py +++ b/certbot-postfix/setup.py @@ -12,6 +12,7 @@ install_requires = [ # For pkg_resources. >=1.0 so pip resolves it to a version cryptography # will tolerate; see #2599: 'setuptools>=1.0', + 'zope.interface', ] setup( From ae08dc6beaab6e6d090de85e710e2d913a0cd1aa Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 4 Aug 2017 09:24:04 -0700 Subject: [PATCH 132/256] Fix Postfix installer tests --- certbot-postfix/certbot_postfix/installer_test.py | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer_test.py b/certbot-postfix/certbot_postfix/installer_test.py index 4a96aa30f..cc86653f6 100644 --- a/certbot-postfix/certbot_postfix/installer_test.py +++ b/certbot-postfix/certbot_postfix/installer_test.py @@ -10,8 +10,7 @@ import io import logging import unittest -import Config -import PostfixConfigGenerator as pcg +import certbot_postfix logger = logging.getLogger(__name__) @@ -57,7 +56,7 @@ class TestPostfixConfigGenerator(unittest.TestCase): def testGetAllNames(self): sorted_names = ['fubard.org', 'mail.fubard.org'] - postfix_config_gen = pcg.PostfixConfigGenerator( + postfix_config_gen = certbot_postfix.Installer( self.config, self.postfix_dir, fixup=True, @@ -69,7 +68,7 @@ class TestPostfixConfigGenerator(unittest.TestCase): return_vals = [('/etc/letsencrypt/live/www.fubard.org/fullchain.pem', '/etc/letsencrypt/live/www.fubard.org/privkey.pem', 'tests/main.cf'),] - postfix_config_gen = pcg.PostfixConfigGenerator( + postfix_config_gen = certbot_postfix.Installer( self.config, self.postfix_dir, fixup=True, @@ -78,7 +77,7 @@ class TestPostfixConfigGenerator(unittest.TestCase): self.assertEqual(return_vals, postfix_config_gen.get_all_certs_keys()) def testGetAllCertsAndKeys_With_None(self): - postfix_config_gen = pcg.PostfixConfigGenerator( + postfix_config_gen = certbot_postfix.Installer( self.config, self.postfix_dir, fixup=True, From 5bf4ad1f52b28badc6a0dd2d82f7d987d6cb184b Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 4 Aug 2017 09:25:12 -0700 Subject: [PATCH 133/256] Rename PostfixConfigGenerator to simply Installer --- certbot-postfix/certbot_postfix/__init__.py | 2 +- certbot-postfix/certbot_postfix/installer.py | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/certbot-postfix/certbot_postfix/__init__.py b/certbot-postfix/certbot_postfix/__init__.py index 703cb659b..122c54bc6 100644 --- a/certbot-postfix/certbot_postfix/__init__.py +++ b/certbot-postfix/certbot_postfix/__init__.py @@ -1,3 +1,3 @@ """Certbot Postfix plugin.""" -from certbot_postfix.installer import PostfixConfigGenerator as Installer +from certbot_postfix.installer import Installer diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index a4500cf24..ac2adbdf0 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -39,7 +39,7 @@ class ExistingConfigError(ValueError): pass @zope.interface.implementer(interfaces.IInstaller) @zope.interface.provider(interfaces.IPluginFactory) -class PostfixConfigGenerator(plugins_common.Plugin): +class Installer(plugins_common.Plugin): description = "Configure TLS with the Postfix MTA" From c2a8ce59ae298b80cdc334f2bb62d74629c45043 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 4 Aug 2017 09:28:22 -0700 Subject: [PATCH 134/256] Remove code to run the installer as on its own. --- certbot-postfix/certbot_postfix/installer.py | 34 -------------------- 1 file changed, 34 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index ac2adbdf0..52244ce92 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -1,5 +1,3 @@ -#!/usr/bin/env python - import logging import sys import string @@ -13,10 +11,6 @@ from certbot.plugins import common as plugins_common logger = logging.getLogger(__name__) -logger.setLevel(logging.DEBUG) -log_handler = logging.StreamHandler() -log_handler.setLevel(logging.DEBUG) -logger.addHandler(log_handler) def parse_line(line_data): @@ -435,31 +429,3 @@ class Installer(plugins_common.Plugin): def update_CAfile(self): os.system("cat /usr/share/ca-certificates/mozilla/*.crt > " + self.ca_file) - - -def usage(): - print ("Usage: %s starttls-everywhere.json /etc/postfix " - "/etc/letsencrypt/live/example.com/" % sys.argv[0]) - sys.exit(1) - - -if __name__ == "__main__": - import Config as config - if len(sys.argv) != 4: - usage() - c = config.Config() - c.load_from_json_file(sys.argv[1]) - postfix_dir = sys.argv[2] - le_lineage = sys.argv[3] - pieces = [os.path.join(le_lineage, f) for f in ( - "cert.pem", "privkey.pem", "chain.pem", "fullchain.pem")] - if not os.path.isdir(le_lineage) or not all(os.path.isfile(p) for p in pieces) : - print "Let's Encrypt directory", le_lineage, "does not appear to contain a valid lineage" - print - usage() - cert, key, chain, fullchain = pieces - pcgen = PostfixConfigGenerator(c, postfix_dir, fixup=True) - pcgen.prepare() - pcgen.deploy_cert("example.com", cert, key, chain, fullchain) - pcgen.save() - pcgen.restart() From 6c4b3c08a7ce8e5453fcafcb9333fca043951e7d Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 4 Aug 2017 09:30:11 -0700 Subject: [PATCH 135/256] Clean up installer imports --- certbot-postfix/certbot_postfix/installer.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 52244ce92..0a109e1de 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -1,8 +1,8 @@ import logging -import sys +import os import string import subprocess -import os, os.path +import sys import zope.interface From 1c258c0a2c382a3a404091d1b099c19a9bd3b8ef Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 4 Aug 2017 09:31:10 -0700 Subject: [PATCH 136/256] Add basic docstrings to Installer --- certbot-postfix/certbot_postfix/installer.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 0a109e1de..cd9c00714 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -1,3 +1,4 @@ +"""Certbot installer plugin for Postfix.""" import logging import os import string @@ -34,6 +35,7 @@ class ExistingConfigError(ValueError): pass @zope.interface.implementer(interfaces.IInstaller) @zope.interface.provider(interfaces.IPluginFactory) class Installer(plugins_common.Plugin): + """Certbot installer plugin for Postfix.""" description = "Configure TLS with the Postfix MTA" From 694746409f45904082f635557a933b900e34e901 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 4 Aug 2017 09:42:26 -0700 Subject: [PATCH 137/256] s/ExistingConfigError/MisconfigurationError --- certbot-postfix/certbot_postfix/installer.py | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index cd9c00714..b0a075eeb 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -7,6 +7,7 @@ import sys import zope.interface +from certbot import errors from certbot import interfaces from certbot.plugins import common as plugins_common @@ -29,9 +30,6 @@ def parse_line(line_data): return (num, left.strip(), right.strip()) -class ExistingConfigError(ValueError): pass - - @zope.interface.implementer(interfaces.IInstaller) @zope.interface.provider(interfaces.IPluginFactory) class Installer(plugins_common.Plugin): @@ -72,6 +70,10 @@ class Installer(plugins_common.Plugin): """ Ensure that existing postfix config @var is in the list of @acceptable values; if not, set it to the ideal value. + + :raises .errors.MisconfigurationError: if conflicting existing values + are found for var + """ acceptable = [ideal] + also_acceptable @@ -87,8 +89,8 @@ class Installer(plugins_common.Plugin): self.deletions.extend(conflicting_lines) self.additions.append(var + " = " + ideal) else: - raise ExistingConfigError( - "Conflicting existing config values " + `l` + raise errors.MisconfigurationError( + "Conflicting existing config values {0}".format(l) ) val = values[0][2] if val not in acceptable: @@ -96,7 +98,7 @@ class Installer(plugins_common.Plugin): self.deletions.append(values[0][0]) self.additions.append(var + " = " + ideal) else: - raise ExistingConfigError( + raise errors.MisconfigurationError( "Existing config has %s=%s"%(var,val) ) From 61c2209110292c84d18b0bd5087ba783d3269b25 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 4 Aug 2017 09:56:39 -0700 Subject: [PATCH 138/256] Use Certbot error types in the Postfix Installer --- certbot-postfix/certbot_postfix/installer.py | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index b0a075eeb..00491e735 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -210,9 +210,7 @@ class Installer(plugins_common.Plugin): self.postfix_version = self.get_version() if self.postfix_version < (2, 11, 0): - raise Exception( - 'NotSupportedError: Postfix version is too old -- test.' - ) + raise errors.NotSupportedError('Postfix version is too old') # Postfix has changed support for TLS features, supported protocol versions # KEX methods, ciphers et cetera over the years. We sort out version dependend @@ -274,7 +272,7 @@ class Installer(plugins_common.Plugin): stdout=subprocess.PIPE) stdout, _ = cmd.communicate() if cmd.returncode != 0: - raise Exception('PluginError: Unable to determine Postfix version.') + raise errors.PluginError('Unable to determine Postfix version.') # grabs version component of string like "mail_version = 2.11.3" mail_version = stdout.split()[2] @@ -417,7 +415,7 @@ class Installer(plugins_common.Plugin): else: rc = os.system('/usr/sbin/postfix check') if rc != 0: - raise Exception('MisconfigurationError: Postfix failed self-check.') + raise errors.MisconfigurationError('Postfix failed self-check.') def restart(self): """Restart or refresh the server content. @@ -429,7 +427,7 @@ class Installer(plugins_common.Plugin): else: rc = os.system("service postfix reload") if rc != 0: - raise Exception('PluginError: cannot restart postfix') + raise errors.MisconfigurationError('cannot restart postfix') def update_CAfile(self): os.system("cat /usr/share/ca-certificates/mozilla/*.crt > " + self.ca_file) From 66ba0b5276b63ccdfc0c986f1c751d214f41f8b7 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 4 Aug 2017 09:57:44 -0700 Subject: [PATCH 139/256] Remove invalid permissions exception. Once things like locks are added, this error shouldn't be possible as it will have occurred earlier. --- certbot-postfix/certbot_postfix/installer.py | 3 --- 1 file changed, 3 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 00491e735..5196e1e64 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -150,9 +150,6 @@ class Installer(plugins_common.Plugin): self.new_cf += line self.new_cf += sep + new_cf_lines - if not os.access(self.fn, os.W_OK): - raise Exception("Can't write to %s, please re-run as root." - % self.fn) with fopen(self.fn, "w") as f: f.write(self.new_cf) From 4a3fd19c93b8dc5543859459d920662138274156 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 4 Aug 2017 10:00:04 -0700 Subject: [PATCH 140/256] Move parse_line to the end of installer.py --- certbot-postfix/certbot_postfix/installer.py | 30 ++++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 5196e1e64..da573baaa 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -15,21 +15,6 @@ from certbot.plugins import common as plugins_common logger = logging.getLogger(__name__) -def parse_line(line_data): - """ - Return the (line number, left hand side, right hand side) of a stripped - postfix config line. - - Lines are like: - smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache - """ - num,line = line_data - left, sep, right = line.partition("=") - if not sep: - return None - return (num, left.strip(), right.strip()) - - @zope.interface.implementer(interfaces.IInstaller) @zope.interface.provider(interfaces.IPluginFactory) class Installer(plugins_common.Plugin): @@ -428,3 +413,18 @@ class Installer(plugins_common.Plugin): def update_CAfile(self): os.system("cat /usr/share/ca-certificates/mozilla/*.crt > " + self.ca_file) + + +def parse_line(line_data): + """ + Return the (line number, left hand side, right hand side) of a stripped + postfix config line. + + Lines are like: + smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache + """ + num,line = line_data + left, sep, right = line.partition("=") + if not sep: + return None + return (num, left.strip(), right.strip()) From b37be61807159443442f1df738c1caf16849a40c Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 4 Aug 2017 10:12:54 -0700 Subject: [PATCH 141/256] Import installer module directly in tests. --- certbot-postfix/certbot_postfix/installer_test.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer_test.py b/certbot-postfix/certbot_postfix/installer_test.py index cc86653f6..7ee40a955 100644 --- a/certbot-postfix/certbot_postfix/installer_test.py +++ b/certbot-postfix/certbot_postfix/installer_test.py @@ -10,7 +10,7 @@ import io import logging import unittest -import certbot_postfix +from certbot_postfix import installer logger = logging.getLogger(__name__) @@ -56,7 +56,7 @@ class TestPostfixConfigGenerator(unittest.TestCase): def testGetAllNames(self): sorted_names = ['fubard.org', 'mail.fubard.org'] - postfix_config_gen = certbot_postfix.Installer( + postfix_config_gen = installer.Installer( self.config, self.postfix_dir, fixup=True, @@ -68,7 +68,7 @@ class TestPostfixConfigGenerator(unittest.TestCase): return_vals = [('/etc/letsencrypt/live/www.fubard.org/fullchain.pem', '/etc/letsencrypt/live/www.fubard.org/privkey.pem', 'tests/main.cf'),] - postfix_config_gen = certbot_postfix.Installer( + postfix_config_gen = installer.Installer( self.config, self.postfix_dir, fixup=True, @@ -77,7 +77,7 @@ class TestPostfixConfigGenerator(unittest.TestCase): self.assertEqual(return_vals, postfix_config_gen.get_all_certs_keys()) def testGetAllCertsAndKeys_With_None(self): - postfix_config_gen = certbot_postfix.Installer( + postfix_config_gen = installer.Installer( self.config, self.postfix_dir, fixup=True, From b50a71ff4e0b95dd9e491ea89bf2ce1bb1cd7bd6 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 4 Aug 2017 10:19:46 -0700 Subject: [PATCH 142/256] Remove fopen argument in favor of mock. This simplifies the actual production code and is a more standard approach in Python. --- certbot-postfix/certbot_postfix/installer.py | 11 ++-- .../certbot_postfix/installer_test.py | 63 +++++++------------ 2 files changed, 29 insertions(+), 45 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index da573baaa..96fc1b4d1 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -26,7 +26,6 @@ class Installer(plugins_common.Plugin): policy_config, postfix_dir, fixup=False, - fopen=open, version=None): self.fixup = fixup self.postfix_dir = postfix_dir @@ -38,7 +37,7 @@ class Installer(plugins_common.Plugin): self.additions = [] self.deletions = [] self.fn = self.find_postfix_cf() - self.raw_cf = fopen(self.fn).readlines() + self.raw_cf = open(self.fn).readlines() self.cf = map(string.strip, self.raw_cf) #self.cf = [line for line in cf if line and not line.startswith("#")] self.policy_lines = [] @@ -114,7 +113,7 @@ class Installer(plugins_common.Plugin): self.ensure_cf_var("smtp_tls_protocols", "!SSLv2, !SSLv3", []) self.ensure_cf_var("smtp_tls_mandatory_protocols", "!SSLv2, !SSLv3", []) - def maybe_add_config_lines(self, fopen=open): + def maybe_add_config_lines(self): if not self.additions: return if self.fixup: @@ -135,10 +134,10 @@ class Installer(plugins_common.Plugin): self.new_cf += line self.new_cf += sep + new_cf_lines - with fopen(self.fn, "w") as f: + with open(self.fn, "w") as f: f.write(self.new_cf) - def set_domainwise_tls_policies(self, fopen=open): + def set_domainwise_tls_policies(self): all_acceptable_mxs = self.policy_config.acceptable_mxs for address_domain, properties in all_acceptable_mxs.items(): mx_list = properties.accept_mx_domains @@ -164,7 +163,7 @@ class Installer(plugins_common.Plugin): ) self.policy_lines.append(entry) - with fopen(self.policy_file, "w") as f: + with open(self.policy_file, "w") as f: f.write("\n".join(self.policy_lines) + "\n") ### Let's Encrypt client IPlugin ### diff --git a/certbot-postfix/certbot_postfix/installer_test.py b/certbot-postfix/certbot_postfix/installer_test.py index 7ee40a955..93aa171a9 100644 --- a/certbot-postfix/certbot_postfix/installer_test.py +++ b/certbot-postfix/certbot_postfix/installer_test.py @@ -6,10 +6,12 @@ from __future__ import division from __future__ import print_function from __future__ import unicode_literals -import io import logging import unittest +import mock +import six + from certbot_postfix import installer @@ -28,61 +30,44 @@ certs_only_config = ( smtpd_tls_key_file = /etc/letsencrypt/live/www.fubard.org/privkey.pem""") -def GetFakeOpen(fake_file_contents): - fake_file = io.StringIO() - # cast this to unicode for py2 - fake_file.write(fake_file_contents) - fake_file.seek(0) - - def FakeOpen(_): - return fake_file - - return FakeOpen - - class TestPostfixConfigGenerator(unittest.TestCase): def setUp(self): - self.fopen_names_only_config = GetFakeOpen(names_only_config) - self.fopen_certs_only_config = GetFakeOpen(certs_only_config) - self.fopen_no_certs_only_config = self.fopen_names_only_config - - #self.config = Config.Config() self.config = None self.postfix_dir = 'tests/' - def tearDown(self): - pass - def testGetAllNames(self): sorted_names = ['fubard.org', 'mail.fubard.org'] - postfix_config_gen = installer.Installer( - self.config, - self.postfix_dir, - fixup=True, - fopen=self.fopen_names_only_config - ) + with mock.patch('certbot_postfix.installer.open') as mock_open: + mock_open.return_value = six.StringIO(names_only_config) + postfix_config_gen = installer.Installer( + self.config, + self.postfix_dir, + fixup=True, + ) self.assertEqual(sorted_names, postfix_config_gen.get_all_names()) def testGetAllCertAndKeys(self): return_vals = [('/etc/letsencrypt/live/www.fubard.org/fullchain.pem', '/etc/letsencrypt/live/www.fubard.org/privkey.pem', 'tests/main.cf'),] - postfix_config_gen = installer.Installer( - self.config, - self.postfix_dir, - fixup=True, - fopen=self.fopen_certs_only_config - ) + with mock.patch('certbot_postfix.installer.open') as mock_open: + mock_open.return_value = six.StringIO(certs_only_config) + postfix_config_gen = installer.Installer( + self.config, + self.postfix_dir, + fixup=True, + ) self.assertEqual(return_vals, postfix_config_gen.get_all_certs_keys()) def testGetAllCertsAndKeys_With_None(self): - postfix_config_gen = installer.Installer( - self.config, - self.postfix_dir, - fixup=True, - fopen=self.fopen_no_certs_only_config - ) + with mock.patch('certbot_postfix.installer.open') as mock_open: + mock_open.return_value = six.StringIO(names_only_config) + postfix_config_gen = installer.Installer( + self.config, + self.postfix_dir, + fixup=True, + ) self.assertEqual([], postfix_config_gen.get_all_certs_keys()) From 49cdfcec06564a9c56b1f592225b8600d0417cda Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 4 Aug 2017 10:20:36 -0700 Subject: [PATCH 143/256] add six dependency --- certbot-postfix/setup.py | 1 + 1 file changed, 1 insertion(+) diff --git a/certbot-postfix/setup.py b/certbot-postfix/setup.py index 1f087ccc0..2fdcd46aa 100644 --- a/certbot-postfix/setup.py +++ b/certbot-postfix/setup.py @@ -12,6 +12,7 @@ install_requires = [ # For pkg_resources. >=1.0 so pip resolves it to a version cryptography # will tolerate; see #2599: 'setuptools>=1.0', + 'six', 'zope.interface', ] From a66500ea386e16d88b858469707436f767c3fa18 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 4 Aug 2017 10:25:09 -0700 Subject: [PATCH 144/256] Remove unused version argument. --- certbot-postfix/certbot_postfix/installer.py | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 96fc1b4d1..7fa32b8f5 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -25,8 +25,7 @@ class Installer(plugins_common.Plugin): def __init__(self, policy_config, postfix_dir, - fixup=False, - version=None): + fixup=False): self.fixup = fixup self.postfix_dir = postfix_dir self.policy_config = policy_config @@ -43,9 +42,6 @@ class Installer(plugins_common.Plugin): self.policy_lines = [] self.new_cf = "" - # Set in .prepare() unless running in a test - self.postfix_version = version - def find_postfix_cf(self): "Search far and wide for the correct postfix configuration file" return os.path.join(self.postfix_dir, "main.cf") @@ -187,10 +183,7 @@ class Installer(plugins_common.Plugin): """ # XXX ensure we raise the right kinds of exceptions - if not self.postfix_version: - self.postfix_version = self.get_version() - - if self.postfix_version < (2, 11, 0): + if self.get_version() < (2, 11, 0): raise errors.NotSupportedError('Postfix version is too old') # Postfix has changed support for TLS features, supported protocol versions @@ -273,7 +266,7 @@ class Installer(plugins_common.Plugin): "Version: {version}".format( os.linesep, root=self.postfix_dir, - version='.'.join([str(i) for i in self.postfix_version])) + version='.'.join([str(i) for i in self.get_version()])) ) From 6c5a8423b865881dddc15a1ee7b60c69d42faf19 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 4 Aug 2017 10:28:52 -0700 Subject: [PATCH 145/256] Remove unused logger from tests --- certbot-postfix/certbot_postfix/installer_test.py | 4 ---- 1 file changed, 4 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer_test.py b/certbot-postfix/certbot_postfix/installer_test.py index 93aa171a9..db35511ac 100644 --- a/certbot-postfix/certbot_postfix/installer_test.py +++ b/certbot-postfix/certbot_postfix/installer_test.py @@ -15,10 +15,6 @@ import six from certbot_postfix import installer -logger = logging.getLogger(__name__) -logger.addHandler(logging.StreamHandler()) - - # Fake Postfix Configs names_only_config = """myhostname = mail.fubard.org mydomain = fubard.org From a15fe57225e06c9c00b3d21b2b2176eb0027038f Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Wed, 9 Aug 2017 15:57:19 -0700 Subject: [PATCH 146/256] remove policy config param --- certbot-postfix/certbot_postfix/installer.py | 60 +++++++++---------- .../certbot_postfix/installer_test.py | 4 -- 2 files changed, 29 insertions(+), 35 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 7fa32b8f5..a6c1cd9fe 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -23,12 +23,10 @@ class Installer(plugins_common.Plugin): description = "Configure TLS with the Postfix MTA" def __init__(self, - policy_config, postfix_dir, fixup=False): self.fixup = fixup self.postfix_dir = postfix_dir - self.policy_config = policy_config self.policy_file = os.path.join(postfix_dir, "starttls_everywhere_policy") self.ca_file = os.path.join(postfix_dir, "starttls_everywhere_CAfile") @@ -133,35 +131,6 @@ class Installer(plugins_common.Plugin): with open(self.fn, "w") as f: f.write(self.new_cf) - def set_domainwise_tls_policies(self): - all_acceptable_mxs = self.policy_config.acceptable_mxs - for address_domain, properties in all_acceptable_mxs.items(): - mx_list = properties.accept_mx_domains - if len(mx_list) > 1: - logger.warn('Lists of multiple accept-mx-domains not yet ' - 'supported.') - logger.warn('Using MX {} for {}'.format(mx_list[0], - address_domain) - ) - logger.warn('Ignoring: {}'.format(', '.join(mx_list[1:]))) - mx_domain = mx_list[0] - mx_policy = self.policy_config.get_tls_policy(mx_domain) - entry = address_domain + " encrypt" - if mx_policy.min_tls_version.lower() == "tlsv1": - entry += " protocols=!SSLv2:!SSLv3" - elif mx_policy.min_tls_version.lower() == "tlsv1.1": - entry += " protocols=!SSLv2:!SSLv3:!TLSv1" - elif mx_policy.min_tls_version.lower() == "tlsv1.2": - entry += " protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1" - else: - logger.warn('Unknown minimum TLS version: {} '.format( - mx_policy.min_tls_version) - ) - self.policy_lines.append(entry) - - with open(self.policy_file, "w") as f: - f.write("\n".join(self.policy_lines) + "\n") - ### Let's Encrypt client IPlugin ### # https://github.com/letsencrypt/letsencrypt/blob/master/letsencrypt/plugins/common.py#L35 @@ -406,6 +375,35 @@ class Installer(plugins_common.Plugin): def update_CAfile(self): os.system("cat /usr/share/ca-certificates/mozilla/*.crt > " + self.ca_file) + # def set_domainwise_tls_policies(self): + # all_acceptable_mxs = self.policy_config.acceptable_mxs + # for address_domain, properties in all_acceptable_mxs.items(): + # mx_list = properties.accept_mx_domains + # if len(mx_list) > 1: + # logger.warn('Lists of multiple accept-mx-domains not yet ' + # 'supported.') + # logger.warn('Using MX {} for {}'.format(mx_list[0], + # address_domain) + # ) + # logger.warn('Ignoring: {}'.format(', '.join(mx_list[1:]))) + # mx_domain = mx_list[0] + # mx_policy = self.policy_config.get_tls_policy(mx_domain) + # entry = address_domain + " encrypt" + # if mx_policy.min_tls_version.lower() == "tlsv1": + # entry += " protocols=!SSLv2:!SSLv3" + # elif mx_policy.min_tls_version.lower() == "tlsv1.1": + # entry += " protocols=!SSLv2:!SSLv3:!TLSv1" + # elif mx_policy.min_tls_version.lower() == "tlsv1.2": + # entry += " protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1" + # else: + # logger.warn('Unknown minimum TLS version: {} '.format( + # mx_policy.min_tls_version) + # ) + # self.policy_lines.append(entry) + + # with open(self.policy_file, "w") as f: + # f.write("\n".join(self.policy_lines) + "\n") + def parse_line(line_data): """ diff --git a/certbot-postfix/certbot_postfix/installer_test.py b/certbot-postfix/certbot_postfix/installer_test.py index db35511ac..04d86468e 100644 --- a/certbot-postfix/certbot_postfix/installer_test.py +++ b/certbot-postfix/certbot_postfix/installer_test.py @@ -29,7 +29,6 @@ smtpd_tls_key_file = /etc/letsencrypt/live/www.fubard.org/privkey.pem""") class TestPostfixConfigGenerator(unittest.TestCase): def setUp(self): - self.config = None self.postfix_dir = 'tests/' def testGetAllNames(self): @@ -37,7 +36,6 @@ class TestPostfixConfigGenerator(unittest.TestCase): with mock.patch('certbot_postfix.installer.open') as mock_open: mock_open.return_value = six.StringIO(names_only_config) postfix_config_gen = installer.Installer( - self.config, self.postfix_dir, fixup=True, ) @@ -50,7 +48,6 @@ class TestPostfixConfigGenerator(unittest.TestCase): with mock.patch('certbot_postfix.installer.open') as mock_open: mock_open.return_value = six.StringIO(certs_only_config) postfix_config_gen = installer.Installer( - self.config, self.postfix_dir, fixup=True, ) @@ -60,7 +57,6 @@ class TestPostfixConfigGenerator(unittest.TestCase): with mock.patch('certbot_postfix.installer.open') as mock_open: mock_open.return_value = six.StringIO(names_only_config) postfix_config_gen = installer.Installer( - self.config, self.postfix_dir, fixup=True, ) From d97a15861bc96eb7638bb9af80bdf105f47af9bc Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Wed, 9 Aug 2017 16:06:06 -0700 Subject: [PATCH 147/256] Add --postfix-config-dir argument --- certbot-postfix/certbot_postfix/installer.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index a6c1cd9fe..6175c06f3 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -22,6 +22,12 @@ class Installer(plugins_common.Plugin): description = "Configure TLS with the Postfix MTA" + @classmethod + def add_parser_arguments(cls, add): + add("config-dir", help="Path to the directory containing the " + "Postfix main.cf file to modify instead of using the " + "default configuration paths") + def __init__(self, postfix_dir, fixup=False): From 481fb8413b6f6a68a403e2080834abfdf589aea2 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 10 Aug 2017 08:50:08 -0700 Subject: [PATCH 148/256] Fix Postfix Installer __init__() --- certbot-postfix/certbot_postfix/installer.py | 13 ++++----- .../certbot_postfix/installer_test.py | 29 +++++++++++-------- 2 files changed, 23 insertions(+), 19 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 6175c06f3..5f9fe7322 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -28,14 +28,13 @@ class Installer(plugins_common.Plugin): "Postfix main.cf file to modify instead of using the " "default configuration paths") - def __init__(self, - postfix_dir, - fixup=False): - self.fixup = fixup - self.postfix_dir = postfix_dir - self.policy_file = os.path.join(postfix_dir, + def __init__(self, *args, **kwargs): + super(Installer, self).__init__(*args, **kwargs) + self.fixup = False + self.postfix_dir = self.conf("config-dir") + self.policy_file = os.path.join(self.postfix_dir, "starttls_everywhere_policy") - self.ca_file = os.path.join(postfix_dir, "starttls_everywhere_CAfile") + self.ca_file = os.path.join(self.postfix_dir, "starttls_everywhere_CAfile") self.additions = [] self.deletions = [] diff --git a/certbot-postfix/certbot_postfix/installer_test.py b/certbot-postfix/certbot_postfix/installer_test.py index 04d86468e..b9e9e1463 100644 --- a/certbot-postfix/certbot_postfix/installer_test.py +++ b/certbot-postfix/certbot_postfix/installer_test.py @@ -35,10 +35,7 @@ class TestPostfixConfigGenerator(unittest.TestCase): sorted_names = ['fubard.org', 'mail.fubard.org'] with mock.patch('certbot_postfix.installer.open') as mock_open: mock_open.return_value = six.StringIO(names_only_config) - postfix_config_gen = installer.Installer( - self.postfix_dir, - fixup=True, - ) + postfix_config_gen = self._create_installer() self.assertEqual(sorted_names, postfix_config_gen.get_all_names()) def testGetAllCertAndKeys(self): @@ -47,21 +44,29 @@ class TestPostfixConfigGenerator(unittest.TestCase): 'tests/main.cf'),] with mock.patch('certbot_postfix.installer.open') as mock_open: mock_open.return_value = six.StringIO(certs_only_config) - postfix_config_gen = installer.Installer( - self.postfix_dir, - fixup=True, - ) + postfix_config_gen = self._create_installer() self.assertEqual(return_vals, postfix_config_gen.get_all_certs_keys()) def testGetAllCertsAndKeys_With_None(self): with mock.patch('certbot_postfix.installer.open') as mock_open: mock_open.return_value = six.StringIO(names_only_config) - postfix_config_gen = installer.Installer( - self.postfix_dir, - fixup=True, - ) + postfix_config_gen = self._create_installer() self.assertEqual([], postfix_config_gen.get_all_certs_keys()) + def _create_installer(self): + """Creates and returns a new Postfix Installer. + + :returns: a new Postfix installer + :rtype: certbot_postfix.installer.Installer + + """ + config = mock.MagicMock(postfix_config_dir=self.postfix_dir) + name = "postfix" + + from certbot_postfix import installer + return installer.Installer(config, name) + + if __name__ == '__main__': unittest.main() From 2a217189a6cbf9768bcdc9a4783cc1340caf500b Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 10 Aug 2017 10:58:27 -0700 Subject: [PATCH 149/256] (temporarily) remove policy_file --- certbot-postfix/certbot_postfix/installer.py | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 5f9fe7322..c3bf2a189 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -32,8 +32,6 @@ class Installer(plugins_common.Plugin): super(Installer, self).__init__(*args, **kwargs) self.fixup = False self.postfix_dir = self.conf("config-dir") - self.policy_file = os.path.join(self.postfix_dir, - "starttls_everywhere_policy") self.ca_file = os.path.join(self.postfix_dir, "starttls_everywhere_CAfile") self.additions = [] @@ -97,9 +95,9 @@ class Installer(plugins_common.Plugin): # Maximum verbosity lets us collect failure information self.ensure_cf_var("smtp_tls_loglevel", "1", []) # Inject a reference to our per-domain policy map - policy_cf_entry = "texthash:" + self.policy_file + # policy_cf_entry = "texthash:" + self.policy_file - self.ensure_cf_var("smtp_tls_policy_maps", policy_cf_entry, []) + # self.ensure_cf_var("smtp_tls_policy_maps", policy_cf_entry, []) self.ensure_cf_var("smtp_tls_CAfile", self.ca_file, []) # Disable SSLv2 and SSLv3. Syntax for `smtp_tls_protocols` changed From 89ae874f890bde600f12e52ae56508631225f5f1 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 10 Aug 2017 11:03:47 -0700 Subject: [PATCH 150/256] (temporarily) remove ca-certificates logic --- certbot-postfix/certbot_postfix/installer.py | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index c3bf2a189..2663e44fd 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -32,7 +32,6 @@ class Installer(plugins_common.Plugin): super(Installer, self).__init__(*args, **kwargs) self.fixup = False self.postfix_dir = self.conf("config-dir") - self.ca_file = os.path.join(self.postfix_dir, "starttls_everywhere_CAfile") self.additions = [] self.deletions = [] @@ -98,7 +97,7 @@ class Installer(plugins_common.Plugin): # policy_cf_entry = "texthash:" + self.policy_file # self.ensure_cf_var("smtp_tls_policy_maps", policy_cf_entry, []) - self.ensure_cf_var("smtp_tls_CAfile", self.ca_file, []) + # self.ensure_cf_var("smtp_tls_CAfile", self.ca_file, []) # Disable SSLv2 and SSLv3. Syntax for `smtp_tls_protocols` changed # between Postfix version 2.5 and 2.6, since we only support => 2.11 @@ -375,9 +374,9 @@ class Installer(plugins_common.Plugin): if rc != 0: raise errors.MisconfigurationError('cannot restart postfix') - def update_CAfile(self): - os.system("cat /usr/share/ca-certificates/mozilla/*.crt > " + self.ca_file) - + # def update_CAfile(self): + # os.system("cat /usr/share/ca-certificates/mozilla/*.crt > " + self.ca_file) + # # def set_domainwise_tls_policies(self): # all_acceptable_mxs = self.policy_config.acceptable_mxs # for address_domain, properties in all_acceptable_mxs.items(): From 86fe5ad3623d590b3f93212a712b38a9f8234bdd Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 10 Aug 2017 11:16:46 -0700 Subject: [PATCH 151/256] Move calls to postconf to prepare(). --- certbot-postfix/certbot_postfix/installer.py | 11 +++++--- .../certbot_postfix/installer_test.py | 28 +++++++++++++++---- 2 files changed, 29 insertions(+), 10 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 2663e44fd..43037e886 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -35,12 +35,11 @@ class Installer(plugins_common.Plugin): self.additions = [] self.deletions = [] - self.fn = self.find_postfix_cf() - self.raw_cf = open(self.fn).readlines() - self.cf = map(string.strip, self.raw_cf) - #self.cf = [line for line in cf if line and not line.startswith("#")] self.policy_lines = [] self.new_cf = "" + self.fn = None + self.raw_cf = [] + self.cf = [] def find_postfix_cf(self): "Search far and wide for the correct postfix configuration file" @@ -152,6 +151,10 @@ class Installer(plugins_common.Plugin): currently supported. :rtype tuple: """ + self.fn = self.find_postfix_cf() + self.raw_cf = open(self.fn).readlines() + self.cf = map(string.strip, self.raw_cf) + #self.cf = [line for line in cf if line and not line.startswith("#")] # XXX ensure we raise the right kinds of exceptions if self.get_version() < (2, 11, 0): diff --git a/certbot-postfix/certbot_postfix/installer_test.py b/certbot-postfix/certbot_postfix/installer_test.py index b9e9e1463..9be3744e3 100644 --- a/certbot-postfix/certbot_postfix/installer_test.py +++ b/certbot-postfix/certbot_postfix/installer_test.py @@ -12,9 +12,6 @@ import unittest import mock import six -from certbot_postfix import installer - - # Fake Postfix Configs names_only_config = """myhostname = mail.fubard.org mydomain = fubard.org @@ -35,7 +32,7 @@ class TestPostfixConfigGenerator(unittest.TestCase): sorted_names = ['fubard.org', 'mail.fubard.org'] with mock.patch('certbot_postfix.installer.open') as mock_open: mock_open.return_value = six.StringIO(names_only_config) - postfix_config_gen = self._create_installer() + postfix_config_gen = self._create_prepared_installer() self.assertEqual(sorted_names, postfix_config_gen.get_all_names()) def testGetAllCertAndKeys(self): @@ -44,15 +41,34 @@ class TestPostfixConfigGenerator(unittest.TestCase): 'tests/main.cf'),] with mock.patch('certbot_postfix.installer.open') as mock_open: mock_open.return_value = six.StringIO(certs_only_config) - postfix_config_gen = self._create_installer() + postfix_config_gen = self._create_prepared_installer() self.assertEqual(return_vals, postfix_config_gen.get_all_certs_keys()) def testGetAllCertsAndKeys_With_None(self): with mock.patch('certbot_postfix.installer.open') as mock_open: mock_open.return_value = six.StringIO(names_only_config) - postfix_config_gen = self._create_installer() + postfix_config_gen = self._create_prepared_installer() self.assertEqual([], postfix_config_gen.get_all_certs_keys()) + def _create_prepared_installer(self): + """Creates and returns a new prepared Postfix Installer. + + Calls in prepare() are mocked out so the Postfix version check + is successful. + + :returns: a prepared Postfix installer + :rtype: certbot_postfix.installer.Installer + + """ + installer = self._create_installer() + + popen_path = "certbot_postfix.installer.subprocess.Popen" + with mock.patch(popen_path) as mock_popen: + mock_popen().returncode = 0 + mock_popen().communicate.return_value = ("mail_version = 3.1.4", "") + installer.prepare() + + return installer def _create_installer(self): """Creates and returns a new Postfix Installer. From a2dbf2fe4cc03750c1d9dfb2f4b4d185ce6ed104 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 10 Aug 2017 11:20:21 -0700 Subject: [PATCH 152/256] Fix spacing --- certbot-postfix/certbot_postfix/installer.py | 119 ++++++++++--------- 1 file changed, 61 insertions(+), 58 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 43037e886..aade01f9b 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -98,15 +98,15 @@ class Installer(plugins_common.Plugin): # self.ensure_cf_var("smtp_tls_policy_maps", policy_cf_entry, []) # self.ensure_cf_var("smtp_tls_CAfile", self.ca_file, []) - # Disable SSLv2 and SSLv3. Syntax for `smtp_tls_protocols` changed - # between Postfix version 2.5 and 2.6, since we only support => 2.11 - # we don't use nor support legacy Postfix syntax. - # - Server: - self.ensure_cf_var("smtpd_tls_protocols", "!SSLv2, !SSLv3", []) - self.ensure_cf_var("smtpd_tls_mandatory_protocols", "!SSLv2, !SSLv3", []) - # - Client: - self.ensure_cf_var("smtp_tls_protocols", "!SSLv2, !SSLv3", []) - self.ensure_cf_var("smtp_tls_mandatory_protocols", "!SSLv2, !SSLv3", []) + # Disable SSLv2 and SSLv3. Syntax for `smtp_tls_protocols` changed + # between Postfix version 2.5 and 2.6, since we only support => 2.11 + # we don't use nor support legacy Postfix syntax. + # - Server: + self.ensure_cf_var("smtpd_tls_protocols", "!SSLv2, !SSLv3", []) + self.ensure_cf_var("smtpd_tls_mandatory_protocols", "!SSLv2, !SSLv3", []) + # - Client: + self.ensure_cf_var("smtp_tls_protocols", "!SSLv2, !SSLv3", []) + self.ensure_cf_var("smtp_tls_mandatory_protocols", "!SSLv2, !SSLv3", []) def maybe_add_config_lines(self): if not self.additions: @@ -137,7 +137,9 @@ class Installer(plugins_common.Plugin): def prepare(self): """Prepare the plugin. + Finish up any additional initialization. + :raises .PluginError: when full initialization cannot be completed. :raises .MisconfigurationError: @@ -146,11 +148,12 @@ class Installer(plugins_common.Plugin): :raises .NoInstallationError: when the necessary programs/files cannot be located. Plugin will NOT be displayed on a list of available plugins. - :raises .NotSupportedError: - when the installation is recognized, but the version is not - currently supported. - :rtype tuple: - """ + :raises .NotSupportedError: + when the installation is recognized, but the version is not + currently supported. + :rtype tuple: + + """ self.fn = self.find_postfix_cf() self.raw_cf = open(self.fn).readlines() self.cf = map(string.strip, self.raw_cf) @@ -160,49 +163,49 @@ class Installer(plugins_common.Plugin): if self.get_version() < (2, 11, 0): raise errors.NotSupportedError('Postfix version is too old') - # Postfix has changed support for TLS features, supported protocol versions - # KEX methods, ciphers et cetera over the years. We sort out version dependend - # differences here and pass them onto other configuration functions. - # see: - # http://www.postfix.org/TLS_README.html - # http://www.postfix.org/FORWARD_SECRECY_README.html + # Postfix has changed support for TLS features, supported protocol versions + # KEX methods, ciphers et cetera over the years. We sort out version dependend + # differences here and pass them onto other configuration functions. + # see: + # http://www.postfix.org/TLS_README.html + # http://www.postfix.org/FORWARD_SECRECY_README.html - # Postfix == 2.2: - # - TLS support introduced via 3rd party patch, see: - # http://www.postfix.org/TLS_LEGACY_README.html - - # Postfix => 2.2: - # - built-in TLS support added - # - Support for PFS introduced - # - Support for (E)DHE params >= 1024bit (need to be generated), default 1k + # Postfix == 2.2: + # - TLS support introduced via 3rd party patch, see: + # http://www.postfix.org/TLS_LEGACY_README.html - # Postfix => 2.5: - # - Syntax to specify mandatory protocol version changes: - # * < 2.5: `smtpd_tls_mandatory_protocols = TLSv1` - # * => 2.5: `smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3` - # - Certificate fingerprint verification added + # Postfix => 2.2: + # - built-in TLS support added + # - Support for PFS introduced + # - Support for (E)DHE params >= 1024bit (need to be generated), default 1k - # Postfix => 2.6: - # - Support for ECDHE NIST P-256 curve (enable `smtpd_tls_eecdh_grade = strong`) - # - Support for configurable cipher-suites and protocol versions added, pre-2.6 - # releases always set EXPORT, options: `smtp_tls_ciphers` and `smtp_tls_protocols` - # - `smtp_tls_eccert_file` and `smtp_tls_eckey_file` config. options added - - # Postfix => 2.8: - # - Override Client suite preference w. `tls_preempt_cipherlist = yes` - # - Elliptic curve crypto. support enabled by default - - # Postfix => 2.9: - # - Public key fingerprint support added - # - `permit_tls_clientcerts`, `permit_tls_all_clientcerts` and - # `check_ccert_access` config. options added + # Postfix => 2.5: + # - Syntax to specify mandatory protocol version changes: + # * < 2.5: `smtpd_tls_mandatory_protocols = TLSv1` + # * => 2.5: `smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3` + # - Certificate fingerprint verification added - # Postfix <= 2.9.5: - # - BUG: Public key fingerprint is computed incorrectly + # Postfix => 2.6: + # - Support for ECDHE NIST P-256 curve (enable `smtpd_tls_eecdh_grade = strong`) + # - Support for configurable cipher-suites and protocol versions added, pre-2.6 + # releases always set EXPORT, options: `smtp_tls_ciphers` and `smtp_tls_protocols` + # - `smtp_tls_eccert_file` and `smtp_tls_eckey_file` config. options added - # Postfix => 3.1: - # - Built-in support for TLS management and DANE added, see: - # http://www.postfix.org/postfix-tls.1.html + # Postfix => 2.8: + # - Override Client suite preference w. `tls_preempt_cipherlist = yes` + # - Elliptic curve crypto. support enabled by default + + # Postfix => 2.9: + # - Public key fingerprint support added + # - `permit_tls_clientcerts`, `permit_tls_all_clientcerts` and + # `check_ccert_access` config. options added + + # Postfix <= 2.9.5: + # - BUG: Public key fingerprint is computed incorrectly + + # Postfix => 3.1: + # - Built-in support for TLS management and DANE added, see: + # http://www.postfix.org/postfix-tls.1.html def get_version(self): """Return the mail version of Postfix. @@ -212,12 +215,12 @@ class Installer(plugins_common.Plugin): :returns: version :rtype: tuple - :raises .PluginError: - Unable to find Postfix version. + :raises .PluginError: Unable to find Postfix version. + """ - # Parse Postfix version number (feature support, syntax changes etc.) - cmd = subprocess.Popen(['/usr/sbin/postconf', '-d', 'mail_version'], - stdout=subprocess.PIPE) + # Parse Postfix version number (feature support, syntax changes etc.) + cmd = subprocess.Popen(['/usr/sbin/postconf', '-d', 'mail_version'], + stdout=subprocess.PIPE) stdout, _ = cmd.communicate() if cmd.returncode != 0: raise errors.PluginError('Unable to determine Postfix version.') @@ -225,7 +228,7 @@ class Installer(plugins_common.Plugin): # grabs version component of string like "mail_version = 2.11.3" mail_version = stdout.split()[2] postfix_version = tuple([int(i) for i in mail_version.split('.')]) - return postfix_version + return postfix_version def more_info(self): """Human-readable string to help the user. From b395b72d1ba6704ea26489840645858001976714 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 10 Aug 2017 11:51:01 -0700 Subject: [PATCH 153/256] Don't hardcode postconf path. --- certbot-postfix/certbot_postfix/installer.py | 165 ++++++++++-------- .../certbot_postfix/installer_test.py | 10 +- 2 files changed, 99 insertions(+), 76 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index aade01f9b..394ed5525 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -9,7 +9,9 @@ import zope.interface from certbot import errors from certbot import interfaces +from certbot import util from certbot.plugins import common as plugins_common +from certbot.plugins import util as plugins_util logger = logging.getLogger(__name__) @@ -27,6 +29,8 @@ class Installer(plugins_common.Plugin): add("config-dir", help="Path to the directory containing the " "Postfix main.cf file to modify instead of using the " "default configuration paths") + add("config-utility", default="postconf", + help="Path to the 'postconf' executable.") def __init__(self, *args, **kwargs): super(Installer, self).__init__(*args, **kwargs) @@ -41,6 +45,94 @@ class Installer(plugins_common.Plugin): self.raw_cf = [] self.cf = [] + def prepare(self): + """Prepare the installer. + + Finish up any additional initialization. + + :raises .PluginError: + when full initialization cannot be completed. + :raises .MisconfigurationError: + when full initialization cannot be completed. Plugin will + be displayed on a list of available plugins. + :raises .NoInstallationError: + when the necessary programs/files cannot be located. Plugin + will NOT be displayed on a list of available plugins. + :raises .NotSupportedError: + when the installation is recognized, but the version is not + currently supported. + :rtype tuple: + + """ + self._verify_postconf_available() + + self.fn = self.find_postfix_cf() + self.raw_cf = open(self.fn).readlines() + self.cf = map(string.strip, self.raw_cf) + #self.cf = [line for line in cf if line and not line.startswith("#")] + # XXX ensure we raise the right kinds of exceptions + + if self.get_version() < (2, 11, 0): + raise errors.NotSupportedError('Postfix version is too old') + + # Postfix has changed support for TLS features, supported protocol versions + # KEX methods, ciphers et cetera over the years. We sort out version dependend + # differences here and pass them onto other configuration functions. + # see: + # http://www.postfix.org/TLS_README.html + # http://www.postfix.org/FORWARD_SECRECY_README.html + + # Postfix == 2.2: + # - TLS support introduced via 3rd party patch, see: + # http://www.postfix.org/TLS_LEGACY_README.html + + # Postfix => 2.2: + # - built-in TLS support added + # - Support for PFS introduced + # - Support for (E)DHE params >= 1024bit (need to be generated), default 1k + + # Postfix => 2.5: + # - Syntax to specify mandatory protocol version changes: + # * < 2.5: `smtpd_tls_mandatory_protocols = TLSv1` + # * => 2.5: `smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3` + # - Certificate fingerprint verification added + + # Postfix => 2.6: + # - Support for ECDHE NIST P-256 curve (enable `smtpd_tls_eecdh_grade = strong`) + # - Support for configurable cipher-suites and protocol versions added, pre-2.6 + # releases always set EXPORT, options: `smtp_tls_ciphers` and `smtp_tls_protocols` + # - `smtp_tls_eccert_file` and `smtp_tls_eckey_file` config. options added + + # Postfix => 2.8: + # - Override Client suite preference w. `tls_preempt_cipherlist = yes` + # - Elliptic curve crypto. support enabled by default + + # Postfix => 2.9: + # - Public key fingerprint support added + # - `permit_tls_clientcerts`, `permit_tls_all_clientcerts` and + # `check_ccert_access` config. options added + + # Postfix <= 2.9.5: + # - BUG: Public key fingerprint is computed incorrectly + + # Postfix => 3.1: + # - Built-in support for TLS management and DANE added, see: + # http://www.postfix.org/postfix-tls.1.html + + def _verify_postconf_available(self): + """Ensure 'postconf' can be found. + + :raises .NoInstallationError: when unable to find 'postconf' + + """ + if not util.exe_exists(self.conf("config-utility")): + if not plugins_util.path_surgery(self.conf("config-utility")): + raise errors.NoInstallationError( + "Cannot find executable '{0}'. You can provide the " + "path to this command with --{1}".format( + self.conf("config-utility"), + self.option_name("config-utility"))) + def find_postfix_cf(self): "Search far and wide for the correct postfix configuration file" return os.path.join(self.postfix_dir, "main.cf") @@ -135,77 +227,6 @@ class Installer(plugins_common.Plugin): ### Let's Encrypt client IPlugin ### # https://github.com/letsencrypt/letsencrypt/blob/master/letsencrypt/plugins/common.py#L35 - def prepare(self): - """Prepare the plugin. - - Finish up any additional initialization. - - :raises .PluginError: - when full initialization cannot be completed. - :raises .MisconfigurationError: - when full initialization cannot be completed. Plugin will - be displayed on a list of available plugins. - :raises .NoInstallationError: - when the necessary programs/files cannot be located. Plugin - will NOT be displayed on a list of available plugins. - :raises .NotSupportedError: - when the installation is recognized, but the version is not - currently supported. - :rtype tuple: - - """ - self.fn = self.find_postfix_cf() - self.raw_cf = open(self.fn).readlines() - self.cf = map(string.strip, self.raw_cf) - #self.cf = [line for line in cf if line and not line.startswith("#")] - # XXX ensure we raise the right kinds of exceptions - - if self.get_version() < (2, 11, 0): - raise errors.NotSupportedError('Postfix version is too old') - - # Postfix has changed support for TLS features, supported protocol versions - # KEX methods, ciphers et cetera over the years. We sort out version dependend - # differences here and pass them onto other configuration functions. - # see: - # http://www.postfix.org/TLS_README.html - # http://www.postfix.org/FORWARD_SECRECY_README.html - - # Postfix == 2.2: - # - TLS support introduced via 3rd party patch, see: - # http://www.postfix.org/TLS_LEGACY_README.html - - # Postfix => 2.2: - # - built-in TLS support added - # - Support for PFS introduced - # - Support for (E)DHE params >= 1024bit (need to be generated), default 1k - - # Postfix => 2.5: - # - Syntax to specify mandatory protocol version changes: - # * < 2.5: `smtpd_tls_mandatory_protocols = TLSv1` - # * => 2.5: `smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3` - # - Certificate fingerprint verification added - - # Postfix => 2.6: - # - Support for ECDHE NIST P-256 curve (enable `smtpd_tls_eecdh_grade = strong`) - # - Support for configurable cipher-suites and protocol versions added, pre-2.6 - # releases always set EXPORT, options: `smtp_tls_ciphers` and `smtp_tls_protocols` - # - `smtp_tls_eccert_file` and `smtp_tls_eckey_file` config. options added - - # Postfix => 2.8: - # - Override Client suite preference w. `tls_preempt_cipherlist = yes` - # - Elliptic curve crypto. support enabled by default - - # Postfix => 2.9: - # - Public key fingerprint support added - # - `permit_tls_clientcerts`, `permit_tls_all_clientcerts` and - # `check_ccert_access` config. options added - - # Postfix <= 2.9.5: - # - BUG: Public key fingerprint is computed incorrectly - - # Postfix => 3.1: - # - Built-in support for TLS management and DANE added, see: - # http://www.postfix.org/postfix-tls.1.html def get_version(self): """Return the mail version of Postfix. @@ -219,7 +240,7 @@ class Installer(plugins_common.Plugin): """ # Parse Postfix version number (feature support, syntax changes etc.) - cmd = subprocess.Popen(['/usr/sbin/postconf', '-d', 'mail_version'], + cmd = subprocess.Popen([self.conf('config-utility'), '-d', 'mail_version'], stdout=subprocess.PIPE) stdout, _ = cmd.communicate() if cmd.returncode != 0: diff --git a/certbot-postfix/certbot_postfix/installer_test.py b/certbot-postfix/certbot_postfix/installer_test.py index 9be3744e3..332c6ec60 100644 --- a/certbot-postfix/certbot_postfix/installer_test.py +++ b/certbot-postfix/certbot_postfix/installer_test.py @@ -62,11 +62,13 @@ class TestPostfixConfigGenerator(unittest.TestCase): """ installer = self._create_installer() + exe_exists_path = "certbot_postfix.installer.util.exe_exists" popen_path = "certbot_postfix.installer.subprocess.Popen" - with mock.patch(popen_path) as mock_popen: - mock_popen().returncode = 0 - mock_popen().communicate.return_value = ("mail_version = 3.1.4", "") - installer.prepare() + with mock.patch(exe_exists_path, return_value=True) as mock_exe_exists: + with mock.patch(popen_path) as mock_popen: + mock_popen().returncode = 0 + mock_popen().communicate.return_value = ("mail_version = 3.1.4", "") + installer.prepare() return installer From 192f0f60daadac4a44541b10aa90181b4156a248 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 10 Aug 2017 12:19:59 -0700 Subject: [PATCH 154/256] test add_parser_arguments --- certbot-postfix/certbot_postfix/installer_test.py | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/certbot-postfix/certbot_postfix/installer_test.py b/certbot-postfix/certbot_postfix/installer_test.py index 332c6ec60..b3e8f560d 100644 --- a/certbot-postfix/certbot_postfix/installer_test.py +++ b/certbot-postfix/certbot_postfix/installer_test.py @@ -28,6 +28,15 @@ class TestPostfixConfigGenerator(unittest.TestCase): def setUp(self): self.postfix_dir = 'tests/' + def test_add_parser_arguments(self): + mock_add = mock.MagicMock() + + from certbot_postfix import installer + installer.Installer.add_parser_arguments(mock_add) + + for call in mock_add.call_args_list: + self.assertTrue(call[0][0] in ('config-dir', 'config-utility')) + def testGetAllNames(self): sorted_names = ['fubard.org', 'mail.fubard.org'] with mock.patch('certbot_postfix.installer.open') as mock_open: From dfd1cceb9b5e18d646ef55d0b12b561712510379 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 10 Aug 2017 12:26:47 -0700 Subject: [PATCH 155/256] Test prepare() failure due to missing postconf --- certbot-postfix/certbot_postfix/installer_test.py | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/certbot-postfix/certbot_postfix/installer_test.py b/certbot-postfix/certbot_postfix/installer_test.py index b3e8f560d..721790797 100644 --- a/certbot-postfix/certbot_postfix/installer_test.py +++ b/certbot-postfix/certbot_postfix/installer_test.py @@ -12,6 +12,8 @@ import unittest import mock import six +from certbot import errors + # Fake Postfix Configs names_only_config = """myhostname = mail.fubard.org mydomain = fubard.org @@ -37,6 +39,17 @@ class TestPostfixConfigGenerator(unittest.TestCase): for call in mock_add.call_args_list: self.assertTrue(call[0][0] in ('config-dir', 'config-utility')) + def test_no_postconf_prepare(self): + installer = self._create_installer() + + installer_path = "certbot_postfix.installer" + exe_exists_path = installer_path + ".util.exe_exists" + path_surgery_path = installer_path + ".plugins_util.path_surgery" + + with mock.patch(path_surgery_path, return_value=False): + with mock.patch(exe_exists_path, return_value=False): + self.assertRaises(errors.NoInstallationError, installer.prepare) + def testGetAllNames(self): sorted_names = ['fubard.org', 'mail.fubard.org'] with mock.patch('certbot_postfix.installer.open') as mock_open: From 5beaae3b6502fa4e39ddc80a564f8308347cb67f Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 10 Aug 2017 14:17:13 -0700 Subject: [PATCH 156/256] Add check_output function and tests. --- certbot-postfix/certbot_postfix/util.py | 49 +++++++++++++++++++ certbot-postfix/certbot_postfix/util_test.py | 50 ++++++++++++++++++++ 2 files changed, 99 insertions(+) create mode 100644 certbot-postfix/certbot_postfix/util.py create mode 100644 certbot-postfix/certbot_postfix/util_test.py diff --git a/certbot-postfix/certbot_postfix/util.py b/certbot-postfix/certbot_postfix/util.py new file mode 100644 index 000000000..8ad6408c4 --- /dev/null +++ b/certbot-postfix/certbot_postfix/util.py @@ -0,0 +1,49 @@ +"""Utility functions for use in the Postfix installer.""" + +import logging +import subprocess + + +logger = logging.getLogger(__name__) + + +def check_output(*args, **kwargs): + """Backported version of subprocess.check_output for Python 2.6+. + + This is the same as subprocess.check_output from newer versions of + Python, except: + + 1. The return value is a string rather than a byte string. To + accomplish this, the caller cannot set the parameter + universal_newlines. + 2. If the command exits with a nonzero status, output is not + included in the raised subprocess.CalledProcessError because + subprocess.CalledProcessError on Python 2.6 does not support this. + Instead, the failure including the output is logged. + + :param tuple args: positional arguments for Popen + :param dict kwargs: keyword arguments for Popen + + :returns: data printed to stdout + :rtype: str + + """ + for keyword in ('stdout', 'universal_newlines',): + if keyword in kwargs: + raise ValueError( + keyword + ' argument not allowed, it will be overridden.') + + kwargs['stdout'] = subprocess.PIPE + kwargs['universal_newlines'] = True + + process = subprocess.Popen(*args, **kwargs) + output, unused_err = process.communicate() + retcode = process.poll() + if retcode: + cmd = kwargs.get('args') + if cmd is None: + cmd = args[0] + logger.debug( + "'%s' exited with %d. Output was:\n%s", cmd, retcode, output) + raise subprocess.CalledProcessError(retcode, cmd) + return output diff --git a/certbot-postfix/certbot_postfix/util_test.py b/certbot-postfix/certbot_postfix/util_test.py new file mode 100644 index 000000000..019f34532 --- /dev/null +++ b/certbot-postfix/certbot_postfix/util_test.py @@ -0,0 +1,50 @@ +"""Tests for certbot_postfix.util.""" + +import subprocess +import unittest + +import mock + +class CheckOutputTest(unittest.TestCase): + """Tests for certbot_postfix.util.check_output.""" + + @classmethod + def _call(cls, *args, **kwargs): + from certbot_postfix.util import check_output + return check_output(*args, **kwargs) + + @mock.patch('certbot_postfix.util.logger') + @mock.patch('certbot_postfix.util.subprocess.Popen') + def test_command_error(self, mock_popen, mock_logger): + command = 'foo' + retcode = 42 + output = 'bar' + + mock_popen().communicate.return_value = (output, '') + mock_popen().poll.return_value = 42 + + self.assertRaises(subprocess.CalledProcessError, self._call, command) + + log_args = mock_logger.debug.call_args[0] + self.assertTrue(command in log_args) + self.assertTrue(retcode in log_args) + self.assertTrue(output in log_args) + + @mock.patch('certbot_postfix.util.subprocess.Popen') + def test_success(self, mock_popen): + command = 'foo' + output = 'bar' + mock_popen().communicate.return_value = (output, '') + mock_popen().poll.return_value = 0 + + self.assertEqual(self._call(command), output) + + def test_stdout_error(self): + self.assertRaises(ValueError, self._call, stdout=None) + + def test_universal_newlines_error(self): + self.assertRaises(ValueError, self._call, universal_newlines=False) + + +if __name__ == '__main__': # pragma: no cover + unittest.main() From 4715b2b12ceede6b8b40e5a336a546435a7315dd Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 10 Aug 2017 14:18:27 -0700 Subject: [PATCH 157/256] Further document check_output --- certbot-postfix/certbot_postfix/util.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/certbot-postfix/certbot_postfix/util.py b/certbot-postfix/certbot_postfix/util.py index 8ad6408c4..d7145b7c8 100644 --- a/certbot-postfix/certbot_postfix/util.py +++ b/certbot-postfix/certbot_postfix/util.py @@ -27,6 +27,9 @@ def check_output(*args, **kwargs): :returns: data printed to stdout :rtype: str + :raises ValueError: if arguments are invalid + :raises subprocess.CalledProcessError: if the command fails + """ for keyword in ('stdout', 'universal_newlines',): if keyword in kwargs: From 5a1d031f07cc2a64410258920c48f14562a1addd Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 10 Aug 2017 14:19:44 -0700 Subject: [PATCH 158/256] Rename util to certbot_util --- certbot-postfix/certbot_postfix/installer.py | 4 ++-- certbot-postfix/certbot_postfix/installer_test.py | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 394ed5525..3de96d9a5 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -9,7 +9,7 @@ import zope.interface from certbot import errors from certbot import interfaces -from certbot import util +from certbot import util as certbot_util from certbot.plugins import common as plugins_common from certbot.plugins import util as plugins_util @@ -125,7 +125,7 @@ class Installer(plugins_common.Plugin): :raises .NoInstallationError: when unable to find 'postconf' """ - if not util.exe_exists(self.conf("config-utility")): + if not certbot_util.exe_exists(self.conf("config-utility")): if not plugins_util.path_surgery(self.conf("config-utility")): raise errors.NoInstallationError( "Cannot find executable '{0}'. You can provide the " diff --git a/certbot-postfix/certbot_postfix/installer_test.py b/certbot-postfix/certbot_postfix/installer_test.py index 721790797..9c8aa4f77 100644 --- a/certbot-postfix/certbot_postfix/installer_test.py +++ b/certbot-postfix/certbot_postfix/installer_test.py @@ -43,7 +43,7 @@ class TestPostfixConfigGenerator(unittest.TestCase): installer = self._create_installer() installer_path = "certbot_postfix.installer" - exe_exists_path = installer_path + ".util.exe_exists" + exe_exists_path = installer_path + ".certbot_util.exe_exists" path_surgery_path = installer_path + ".plugins_util.path_surgery" with mock.patch(path_surgery_path, return_value=False): @@ -84,7 +84,7 @@ class TestPostfixConfigGenerator(unittest.TestCase): """ installer = self._create_installer() - exe_exists_path = "certbot_postfix.installer.util.exe_exists" + exe_exists_path = "certbot_postfix.installer.certbot_util.exe_exists" popen_path = "certbot_postfix.installer.subprocess.Popen" with mock.patch(exe_exists_path, return_value=True) as mock_exe_exists: with mock.patch(popen_path) as mock_popen: From 4e5740615c2d300b57785126ec84030aadb55445 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 10 Aug 2017 14:25:08 -0700 Subject: [PATCH 159/256] Use util.check_output in Postfix installer --- certbot-postfix/certbot_postfix/installer.py | 13 +++++++++---- certbot-postfix/certbot_postfix/installer_test.py | 9 ++++----- 2 files changed, 13 insertions(+), 9 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 3de96d9a5..44f77227e 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -13,6 +13,8 @@ from certbot import util as certbot_util from certbot.plugins import common as plugins_common from certbot.plugins import util as plugins_util +from certbot_postfix import util + logger = logging.getLogger(__name__) @@ -240,10 +242,13 @@ class Installer(plugins_common.Plugin): """ # Parse Postfix version number (feature support, syntax changes etc.) - cmd = subprocess.Popen([self.conf('config-utility'), '-d', 'mail_version'], - stdout=subprocess.PIPE) - stdout, _ = cmd.communicate() - if cmd.returncode != 0: + try: + stdout = util.check_output( + [self.conf('config-utility'), '-d', 'mail_version']) + except subprocess.CalledProcessError: + logger.debug( + 'Encountered an error when trying to determine Postfix version.', + exc_info=True) raise errors.PluginError('Unable to determine Postfix version.') # grabs version component of string like "mail_version = 2.11.3" diff --git a/certbot-postfix/certbot_postfix/installer_test.py b/certbot-postfix/certbot_postfix/installer_test.py index 9c8aa4f77..a0aa060e8 100644 --- a/certbot-postfix/certbot_postfix/installer_test.py +++ b/certbot-postfix/certbot_postfix/installer_test.py @@ -84,12 +84,11 @@ class TestPostfixConfigGenerator(unittest.TestCase): """ installer = self._create_installer() + check_output_path = "certbot_postfix.installer.util.check_output" exe_exists_path = "certbot_postfix.installer.certbot_util.exe_exists" - popen_path = "certbot_postfix.installer.subprocess.Popen" - with mock.patch(exe_exists_path, return_value=True) as mock_exe_exists: - with mock.patch(popen_path) as mock_popen: - mock_popen().returncode = 0 - mock_popen().communicate.return_value = ("mail_version = 3.1.4", "") + with mock.patch(check_output_path) as mock_check_output: + with mock.patch(exe_exists_path, return_value=True): + mock_check_output.return_value = "mail_version = 3.1.4" installer.prepare() return installer From 7334fc3066dc51ada34c0c8e88abf6f3552c711d Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 10 Aug 2017 14:29:56 -0700 Subject: [PATCH 160/256] Rename postfix_dir to config_dir --- certbot-postfix/certbot_postfix/installer.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 44f77227e..54928279b 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -37,7 +37,7 @@ class Installer(plugins_common.Plugin): def __init__(self, *args, **kwargs): super(Installer, self).__init__(*args, **kwargs) self.fixup = False - self.postfix_dir = self.conf("config-dir") + self.config_dir = self.conf("config-dir") self.additions = [] self.deletions = [] @@ -137,7 +137,7 @@ class Installer(plugins_common.Plugin): def find_postfix_cf(self): "Search far and wide for the correct postfix configuration file" - return os.path.join(self.postfix_dir, "main.cf") + return os.path.join(self.config_dir, "main.cf") def ensure_cf_var(self, var, ideal, also_acceptable): """ @@ -268,7 +268,7 @@ class Installer(plugins_common.Plugin): "Server root: {root}{0}" "Version: {version}".format( os.linesep, - root=self.postfix_dir, + root=self.config_dir, version='.'.join([str(i) for i in self.get_version()])) ) From b72dfc0c08e43149f9e9d11e1a6e3ff111dfb1a9 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 10 Aug 2017 15:07:32 -0700 Subject: [PATCH 161/256] Add get_config_var --- certbot-postfix/certbot_postfix/installer.py | 69 ++++++++++++++++---- 1 file changed, 55 insertions(+), 14 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 54928279b..51455a340 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -241,20 +241,8 @@ class Installer(plugins_common.Plugin): :raises .PluginError: Unable to find Postfix version. """ - # Parse Postfix version number (feature support, syntax changes etc.) - try: - stdout = util.check_output( - [self.conf('config-utility'), '-d', 'mail_version']) - except subprocess.CalledProcessError: - logger.debug( - 'Encountered an error when trying to determine Postfix version.', - exc_info=True) - raise errors.PluginError('Unable to determine Postfix version.') - - # grabs version component of string like "mail_version = 2.11.3" - mail_version = stdout.split()[2] - postfix_version = tuple([int(i) for i in mail_version.split('.')]) - return postfix_version + mail_version = self.get_config_var("mail_version", default=True) + return tuple(int(i) for i in mail_version.split('.')) def more_info(self): """Human-readable string to help the user. @@ -406,6 +394,59 @@ class Installer(plugins_common.Plugin): if rc != 0: raise errors.MisconfigurationError('cannot restart postfix') + def get_config_var(self, name, default=False): + """Return the value of the specified Postfix config parameter. + + :param str name: name of the Postfix config parameter to return + :param bool default: whether or not to return the default value + instead of the actual value + + :returns: value of the specified configuration parameter + :rtype: str + + """ + cmd = self._build_cmd_for_config_var(name, default) + + try: + output = util.check_output(cmd) + except subprocess.CalledProcessError: + logger.debug("Encountered an error when running 'postconf'", + exc_info=True) + raise errors.PluginError( + "Unable to determine the value " + "of Postfix parameter {0}".format(name)) + + expected_prefix = name + " =" + if not output.startswith(expected_prefix): + raise errors.PluginError( + "Unexpected output from '{0}'".format(''.join(cmd))) + + return output[len(expected_prefix):].strip() + + def _build_cmd_for_config_var(self, name, default): + """Return a command to run to get a Postfix config parameter. + + :param str name: name of the Postfix config parameter to return + :param bool default: whether or not to return the default value + instead of the actual value + + :returns: command to run + :rtype: list + + """ + cmd = [self.conf("config-utility")] + + if self.conf("config-dir") is not None: + cmd.extend(("-c", self.conf("config-dir"),)) + + if default: + cmd.append("-d") + + cmd.append(name) + + return cmd + + # def update_CAfile(self): # os.system("cat /usr/share/ca-certificates/mozilla/*.crt > " + self.ca_file) # From 02c7eca6daa6727683161105ab2758b7f3adff07 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 10 Aug 2017 15:08:41 -0700 Subject: [PATCH 162/256] Rename test classes and methods. --- certbot-postfix/certbot_postfix/installer_test.py | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer_test.py b/certbot-postfix/certbot_postfix/installer_test.py index a0aa060e8..6c7a3b628 100644 --- a/certbot-postfix/certbot_postfix/installer_test.py +++ b/certbot-postfix/certbot_postfix/installer_test.py @@ -25,7 +25,7 @@ certs_only_config = ( smtpd_tls_key_file = /etc/letsencrypt/live/www.fubard.org/privkey.pem""") -class TestPostfixConfigGenerator(unittest.TestCase): +class InstallerTest(unittest.TestCase): def setUp(self): self.postfix_dir = 'tests/' @@ -50,14 +50,14 @@ class TestPostfixConfigGenerator(unittest.TestCase): with mock.patch(exe_exists_path, return_value=False): self.assertRaises(errors.NoInstallationError, installer.prepare) - def testGetAllNames(self): + def test_get_all_names(self): sorted_names = ['fubard.org', 'mail.fubard.org'] with mock.patch('certbot_postfix.installer.open') as mock_open: mock_open.return_value = six.StringIO(names_only_config) postfix_config_gen = self._create_prepared_installer() self.assertEqual(sorted_names, postfix_config_gen.get_all_names()) - def testGetAllCertAndKeys(self): + def test_get_all_certs_and_keys(self): return_vals = [('/etc/letsencrypt/live/www.fubard.org/fullchain.pem', '/etc/letsencrypt/live/www.fubard.org/privkey.pem', 'tests/main.cf'),] @@ -66,7 +66,7 @@ class TestPostfixConfigGenerator(unittest.TestCase): postfix_config_gen = self._create_prepared_installer() self.assertEqual(return_vals, postfix_config_gen.get_all_certs_keys()) - def testGetAllCertsAndKeys_With_None(self): + def test_get_all_certs_and_keys_with_none(self): with mock.patch('certbot_postfix.installer.open') as mock_open: mock_open.return_value = six.StringIO(names_only_config) postfix_config_gen = self._create_prepared_installer() From 4c4b63437f9c2652be9d0633c61ac19c186a7b21 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 10 Aug 2017 15:28:17 -0700 Subject: [PATCH 163/256] Test building of get_config_var command --- .../certbot_postfix/installer_test.py | 35 +++++++++++++++++-- 1 file changed, 32 insertions(+), 3 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer_test.py b/certbot-postfix/certbot_postfix/installer_test.py index 6c7a3b628..3eeb5288c 100644 --- a/certbot-postfix/certbot_postfix/installer_test.py +++ b/certbot-postfix/certbot_postfix/installer_test.py @@ -28,7 +28,7 @@ smtpd_tls_key_file = /etc/letsencrypt/live/www.fubard.org/privkey.pem""") class InstallerTest(unittest.TestCase): def setUp(self): - self.postfix_dir = 'tests/' + self.config = mock.MagicMock(postfix_config_dir="tests/") def test_add_parser_arguments(self): mock_add = mock.MagicMock() @@ -72,6 +72,36 @@ class InstallerTest(unittest.TestCase): postfix_config_gen = self._create_prepared_installer() self.assertEqual([], postfix_config_gen.get_all_certs_keys()) + def test_get_config_var_success(self): + self.config.postfix_config_dir = None + + command = self._test_get_config_var_success_common('foo', False) + self.assertFalse("-c" in command) + self.assertFalse("-d" in command) + + def test_get_config_var_success_with_config(self): + command = self._test_get_config_var_success_common('foo', False) + self.assertTrue("-c" in command) + self.assertFalse("-d" in command) + + def test_get_config_var_success_with_default(self): + self.config.postfix_config_dir = None + + command = self._test_get_config_var_success_common('foo', True) + self.assertFalse("-c" in command) + self.assertTrue("-d" in command) + + def _test_get_config_var_success_common(self, name, default): + installer = self._create_installer() + + check_output_path = "certbot_postfix.installer.util.check_output" + with mock.patch(check_output_path) as mock_check_output: + value = "bar" + mock_check_output.return_value = name + " = " + value + self.assertEqual(installer.get_config_var(name, default), value) + + return mock_check_output.call_args[0][0] + def _create_prepared_installer(self): """Creates and returns a new prepared Postfix Installer. @@ -100,11 +130,10 @@ class InstallerTest(unittest.TestCase): :rtype: certbot_postfix.installer.Installer """ - config = mock.MagicMock(postfix_config_dir=self.postfix_dir) name = "postfix" from certbot_postfix import installer - return installer.Installer(config, name) + return installer.Installer(self.config, name) if __name__ == '__main__': From 25d1f6ec7522ccb76b20ef89db2527946067f335 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 10 Aug 2017 16:11:09 -0700 Subject: [PATCH 164/256] Test all branches of test_get_config_var --- .../certbot_postfix/installer_test.py | 20 ++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/certbot-postfix/certbot_postfix/installer_test.py b/certbot-postfix/certbot_postfix/installer_test.py index 3eeb5288c..9fd192d66 100644 --- a/certbot-postfix/certbot_postfix/installer_test.py +++ b/certbot-postfix/certbot_postfix/installer_test.py @@ -7,6 +7,7 @@ from __future__ import print_function from __future__ import unicode_literals import logging +import subprocess import unittest import mock @@ -28,7 +29,8 @@ smtpd_tls_key_file = /etc/letsencrypt/live/www.fubard.org/privkey.pem""") class InstallerTest(unittest.TestCase): def setUp(self): - self.config = mock.MagicMock(postfix_config_dir="tests/") + self.config = mock.MagicMock(postfix_config_dir="tests/", + postfix_config_utility="postconf") def test_add_parser_arguments(self): mock_add = mock.MagicMock() @@ -91,6 +93,22 @@ class InstallerTest(unittest.TestCase): self.assertFalse("-c" in command) self.assertTrue("-d" in command) + @mock.patch("certbot_postfix.installer.logger") + @mock.patch("certbot_postfix.installer.util.check_output") + def test_get_config_var_failure(self, mock_check_output, mock_logger): + mock_check_output.side_effect = subprocess.CalledProcessError(42, "foo") + installer = self._create_installer() + self.assertRaises(errors.PluginError, installer.get_config_var, "foo") + self.assertTrue(mock_logger.debug.call_args[1]["exc_info"]) + + @mock.patch("certbot_postfix.installer.util.check_output") + def test_get_config_var_unexpected_output(self, mock_check_output): + self.config.postfix_config_dir = None + mock_check_output.return_value = "foo" + + installer = self._create_installer() + self.assertRaises(errors.PluginError, installer.get_config_var, "foo") + def _test_get_config_var_success_common(self, name, default): installer = self._create_installer() From 2e8a8dfed528be9e485775215a5bf976757d3576 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 10 Aug 2017 16:17:46 -0700 Subject: [PATCH 165/256] add _set_config_dir --- certbot-postfix/certbot_postfix/installer.py | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 51455a340..9756da684 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -37,7 +37,7 @@ class Installer(plugins_common.Plugin): def __init__(self, *args, **kwargs): super(Installer, self).__init__(*args, **kwargs) self.fixup = False - self.config_dir = self.conf("config-dir") + self.config_dir = None self.additions = [] self.deletions = [] @@ -67,6 +67,7 @@ class Installer(plugins_common.Plugin): """ self._verify_postconf_available() + self._set_config_dir() self.fn = self.find_postfix_cf() self.raw_cf = open(self.fn).readlines() @@ -135,6 +136,19 @@ class Installer(plugins_common.Plugin): self.conf("config-utility"), self.option_name("config-utility"))) + def _set_config_dir(self): + """Ensure self.config_dir is set to the correct path. + + If the configuration directory to use was set by the user, we'll + use that value, otherwise, we'll find the default path using + 'postconf'. + + """ + if self.conf("config-dir") is None: + self.config_dir = self.get_config_var("config_directory") + else: + self.config_dir = self.conf("config-dir") + def find_postfix_cf(self): "Search far and wide for the correct postfix configuration file" return os.path.join(self.config_dir, "main.cf") From 749f758adb699cb540d4d0fc1e781c0e87a79a6e Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 10 Aug 2017 16:25:30 -0700 Subject: [PATCH 166/256] use a temporary directory --- certbot-postfix/certbot_postfix/installer_test.py | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer_test.py b/certbot-postfix/certbot_postfix/installer_test.py index 9fd192d66..08c9d478f 100644 --- a/certbot-postfix/certbot_postfix/installer_test.py +++ b/certbot-postfix/certbot_postfix/installer_test.py @@ -7,6 +7,7 @@ from __future__ import print_function from __future__ import unicode_literals import logging +import os import subprocess import unittest @@ -14,6 +15,7 @@ import mock import six from certbot import errors +from certbot.tests import util as certbot_test_util # Fake Postfix Configs names_only_config = """myhostname = mail.fubard.org @@ -26,10 +28,11 @@ certs_only_config = ( smtpd_tls_key_file = /etc/letsencrypt/live/www.fubard.org/privkey.pem""") -class InstallerTest(unittest.TestCase): +class InstallerTest(certbot_test_util.TempDirTestCase): def setUp(self): - self.config = mock.MagicMock(postfix_config_dir="tests/", + super(InstallerTest, self).setUp() + self.config = mock.MagicMock(postfix_config_dir=self.tempdir, postfix_config_utility="postconf") def test_add_parser_arguments(self): @@ -62,7 +65,7 @@ class InstallerTest(unittest.TestCase): def test_get_all_certs_and_keys(self): return_vals = [('/etc/letsencrypt/live/www.fubard.org/fullchain.pem', '/etc/letsencrypt/live/www.fubard.org/privkey.pem', - 'tests/main.cf'),] + os.path.join(self.tempdir, 'main.cf')),] with mock.patch('certbot_postfix.installer.open') as mock_open: mock_open.return_value = six.StringIO(certs_only_config) postfix_config_gen = self._create_prepared_installer() From 48c5731a6b18032b244ba1ed2dd9f26b17efecf4 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 10 Aug 2017 16:29:08 -0700 Subject: [PATCH 167/256] Write out temp config instead of mocking. --- .../certbot_postfix/installer_test.py | 25 ++++++++++--------- 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer_test.py b/certbot-postfix/certbot_postfix/installer_test.py index 08c9d478f..9e83699ab 100644 --- a/certbot-postfix/certbot_postfix/installer_test.py +++ b/certbot-postfix/certbot_postfix/installer_test.py @@ -57,25 +57,26 @@ class InstallerTest(certbot_test_util.TempDirTestCase): def test_get_all_names(self): sorted_names = ['fubard.org', 'mail.fubard.org'] - with mock.patch('certbot_postfix.installer.open') as mock_open: - mock_open.return_value = six.StringIO(names_only_config) - postfix_config_gen = self._create_prepared_installer() - self.assertEqual(sorted_names, postfix_config_gen.get_all_names()) + self._write_config(names_only_config) + installer = self._create_prepared_installer() + self.assertEqual(sorted_names, installer.get_all_names()) def test_get_all_certs_and_keys(self): return_vals = [('/etc/letsencrypt/live/www.fubard.org/fullchain.pem', '/etc/letsencrypt/live/www.fubard.org/privkey.pem', os.path.join(self.tempdir, 'main.cf')),] - with mock.patch('certbot_postfix.installer.open') as mock_open: - mock_open.return_value = six.StringIO(certs_only_config) - postfix_config_gen = self._create_prepared_installer() - self.assertEqual(return_vals, postfix_config_gen.get_all_certs_keys()) + self._write_config(certs_only_config) + installer = self._create_prepared_installer() + self.assertEqual(return_vals, installer.get_all_certs_keys()) def test_get_all_certs_and_keys_with_none(self): - with mock.patch('certbot_postfix.installer.open') as mock_open: - mock_open.return_value = six.StringIO(names_only_config) - postfix_config_gen = self._create_prepared_installer() - self.assertEqual([], postfix_config_gen.get_all_certs_keys()) + self._write_config(names_only_config) + installer = self._create_prepared_installer() + self.assertEqual([], installer.get_all_certs_keys()) + + def _write_config(self, content): + with open(os.path.join(self.tempdir, "main.cf"), "w") as f: + f.write(content) def test_get_config_var_success(self): self.config.postfix_config_dir = None From 290f5b8ce7ae544fc42dca1d383906fcc5dad7b1 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 10 Aug 2017 16:35:21 -0700 Subject: [PATCH 168/256] add test_set_config_dir --- certbot-postfix/certbot_postfix/installer.py | 2 +- .../certbot_postfix/installer_test.py | 22 ++++++++++++++++++- 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 9756da684..546cf49cc 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -433,7 +433,7 @@ class Installer(plugins_common.Plugin): expected_prefix = name + " =" if not output.startswith(expected_prefix): raise errors.PluginError( - "Unexpected output from '{0}'".format(''.join(cmd))) + "Unexpected output from '{0}'".format(' '.join(cmd))) return output[len(expected_prefix):].strip() diff --git a/certbot-postfix/certbot_postfix/installer_test.py b/certbot-postfix/certbot_postfix/installer_test.py index 9e83699ab..aae61bd59 100644 --- a/certbot-postfix/certbot_postfix/installer_test.py +++ b/certbot-postfix/certbot_postfix/installer_test.py @@ -55,6 +55,25 @@ class InstallerTest(certbot_test_util.TempDirTestCase): with mock.patch(exe_exists_path, return_value=False): self.assertRaises(errors.NoInstallationError, installer.prepare) + def test_set_config_dir(self): + self.config.postfix_config_dir = os.path.join(self.tempdir, "subdir") + os.mkdir(self.config.postfix_config_dir) + self._write_config(names_only_config) + installer = self._create_installer() + + expected = self.config.postfix_config_dir + self.config.postfix_config_dir = None + + check_output_path = "certbot_postfix.installer.util.check_output" + exe_exists_path = "certbot_postfix.installer.certbot_util.exe_exists" + with mock.patch(check_output_path) as mock_check_output: + mock_check_output.side_effect = [ + "config_directory = " + expected, "mail_version = 3.1.4" + ] + with mock.patch(exe_exists_path, return_value=True): + installer.prepare() + self.assertEqual(installer.config_dir, expected) + def test_get_all_names(self): sorted_names = ['fubard.org', 'mail.fubard.org'] self._write_config(names_only_config) @@ -75,7 +94,8 @@ class InstallerTest(certbot_test_util.TempDirTestCase): self.assertEqual([], installer.get_all_certs_keys()) def _write_config(self, content): - with open(os.path.join(self.tempdir, "main.cf"), "w") as f: + config_dir = self.config.postfix_config_dir + with open(os.path.join(config_dir, "main.cf"), "w") as f: f.write(content) def test_get_config_var_success(self): From 8c4ff5cb63dab6632f643da49f87cc86dcc3d8c9 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 10 Aug 2017 16:36:08 -0700 Subject: [PATCH 169/256] Use context manager to read conf file. --- certbot-postfix/certbot_postfix/installer.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 546cf49cc..bba46a168 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -70,7 +70,8 @@ class Installer(plugins_common.Plugin): self._set_config_dir() self.fn = self.find_postfix_cf() - self.raw_cf = open(self.fn).readlines() + with open(self.fn) as f: + self.raw_cf = f.readlines() self.cf = map(string.strip, self.raw_cf) #self.cf = [line for line in cf if line and not line.startswith("#")] # XXX ensure we raise the right kinds of exceptions From 50a1f6340ff2c33d80fe2bf1f2b7b95b3cdebe69 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 10 Aug 2017 16:38:27 -0700 Subject: [PATCH 170/256] Add _check_version. --- certbot-postfix/certbot_postfix/installer.py | 61 +++++++++++--------- 1 file changed, 33 insertions(+), 28 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index bba46a168..2c3f4397e 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -74,11 +74,42 @@ class Installer(plugins_common.Plugin): self.raw_cf = f.readlines() self.cf = map(string.strip, self.raw_cf) #self.cf = [line for line in cf if line and not line.startswith("#")] - # XXX ensure we raise the right kinds of exceptions + def _verify_postconf_available(self): + """Ensure 'postconf' can be found. + + :raises .NoInstallationError: when unable to find 'postconf' + + """ + if not certbot_util.exe_exists(self.conf("config-utility")): + if not plugins_util.path_surgery(self.conf("config-utility")): + raise errors.NoInstallationError( + "Cannot find executable '{0}'. You can provide the " + "path to this command with --{1}".format( + self.conf("config-utility"), + self.option_name("config-utility"))) + + def _set_config_dir(self): + """Ensure self.config_dir is set to the correct path. + + If the configuration directory to use was set by the user, we'll + use that value, otherwise, we'll find the default path using + 'postconf'. + + """ + if self.conf("config-dir") is None: + self.config_dir = self.get_config_var("config_directory") + else: + self.config_dir = self.conf("config-dir") + + def _check_version(self): + """Verifies that the installed Postfix version is supported. + + :raises errors.NotSupportedError: if the version is unsupported + + """ if self.get_version() < (2, 11, 0): raise errors.NotSupportedError('Postfix version is too old') - # Postfix has changed support for TLS features, supported protocol versions # KEX methods, ciphers et cetera over the years. We sort out version dependend # differences here and pass them onto other configuration functions. @@ -123,32 +154,6 @@ class Installer(plugins_common.Plugin): # - Built-in support for TLS management and DANE added, see: # http://www.postfix.org/postfix-tls.1.html - def _verify_postconf_available(self): - """Ensure 'postconf' can be found. - - :raises .NoInstallationError: when unable to find 'postconf' - - """ - if not certbot_util.exe_exists(self.conf("config-utility")): - if not plugins_util.path_surgery(self.conf("config-utility")): - raise errors.NoInstallationError( - "Cannot find executable '{0}'. You can provide the " - "path to this command with --{1}".format( - self.conf("config-utility"), - self.option_name("config-utility"))) - - def _set_config_dir(self): - """Ensure self.config_dir is set to the correct path. - - If the configuration directory to use was set by the user, we'll - use that value, otherwise, we'll find the default path using - 'postconf'. - - """ - if self.conf("config-dir") is None: - self.config_dir = self.get_config_var("config_directory") - else: - self.config_dir = self.conf("config-dir") def find_postfix_cf(self): "Search far and wide for the correct postfix configuration file" From b98f541b9107fe6ccc34963b22d4b93f8d1ec67c Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 10 Aug 2017 16:41:59 -0700 Subject: [PATCH 171/256] clean up prepare() --- certbot-postfix/certbot_postfix/installer.py | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 2c3f4397e..bac33fd59 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -52,22 +52,14 @@ class Installer(plugins_common.Plugin): Finish up any additional initialization. - :raises .PluginError: - when full initialization cannot be completed. - :raises .MisconfigurationError: - when full initialization cannot be completed. Plugin will - be displayed on a list of available plugins. - :raises .NoInstallationError: - when the necessary programs/files cannot be located. Plugin - will NOT be displayed on a list of available plugins. - :raises .NotSupportedError: - when the installation is recognized, but the version is not - currently supported. - :rtype tuple: + :raises errors.PluginError: when an unexpected error occurs + :raises errors.NoInstallationError: when can't find installation + :raises errors.NotSupportedError: when version is not supported """ self._verify_postconf_available() self._set_config_dir() + self._check_version() self.fn = self.find_postfix_cf() with open(self.fn) as f: From c9813a44d7b8a86964012ff09e62211833ace1bd Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 10 Aug 2017 16:42:48 -0700 Subject: [PATCH 172/256] protect get_version() --- certbot-postfix/certbot_postfix/installer.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index bac33fd59..c0200ff3d 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -100,7 +100,7 @@ class Installer(plugins_common.Plugin): :raises errors.NotSupportedError: if the version is unsupported """ - if self.get_version() < (2, 11, 0): + if self._get_version() < (2, 11, 0): raise errors.NotSupportedError('Postfix version is too old') # Postfix has changed support for TLS features, supported protocol versions # KEX methods, ciphers et cetera over the years. We sort out version dependend @@ -242,7 +242,7 @@ class Installer(plugins_common.Plugin): # https://github.com/letsencrypt/letsencrypt/blob/master/letsencrypt/plugins/common.py#L35 - def get_version(self): + def _get_version(self): """Return the mail version of Postfix. Version is returned as a tuple. (e.g. '2.11.3' is (2, 11, 3)) @@ -269,7 +269,7 @@ class Installer(plugins_common.Plugin): "Version: {version}".format( os.linesep, root=self.config_dir, - version='.'.join([str(i) for i in self.get_version()])) + version='.'.join([str(i) for i in self._get_version()])) ) From d1f3a2deefacc5b9bd678c3c241ac23df3e13765 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Wed, 23 Aug 2017 15:13:06 -0700 Subject: [PATCH 173/256] move _get_version --- certbot-postfix/certbot_postfix/installer.py | 27 ++++++++++---------- 1 file changed, 13 insertions(+), 14 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index c0200ff3d..292be3f8d 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -146,6 +146,19 @@ class Installer(plugins_common.Plugin): # - Built-in support for TLS management and DANE added, see: # http://www.postfix.org/postfix-tls.1.html + def _get_version(self): + """Return the mail version of Postfix. + + Version is returned as a tuple. (e.g. '2.11.3' is (2, 11, 3)) + + :returns: version + :rtype: tuple + + :raises .PluginError: Unable to find Postfix version. + + """ + mail_version = self.get_config_var("mail_version", default=True) + return tuple(int(i) for i in mail_version.split('.')) def find_postfix_cf(self): "Search far and wide for the correct postfix configuration file" @@ -242,20 +255,6 @@ class Installer(plugins_common.Plugin): # https://github.com/letsencrypt/letsencrypt/blob/master/letsencrypt/plugins/common.py#L35 - def _get_version(self): - """Return the mail version of Postfix. - - Version is returned as a tuple. (e.g. '2.11.3' is (2, 11, 3)) - - :returns: version - :rtype: tuple - - :raises .PluginError: Unable to find Postfix version. - - """ - mail_version = self.get_config_var("mail_version", default=True) - return tuple(int(i) for i in mail_version.split('.')) - def more_info(self): """Human-readable string to help the user. Should describe the steps taken and any relevant info to help the user From 83e37acc8b794fad3ce495fcb209be65c8becf3e Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Wed, 23 Aug 2017 15:16:07 -0700 Subject: [PATCH 174/256] group IPlugin methods --- certbot-postfix/certbot_postfix/installer.py | 41 ++++++++++---------- 1 file changed, 20 insertions(+), 21 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 292be3f8d..d8e8420d9 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -146,6 +146,26 @@ class Installer(plugins_common.Plugin): # - Built-in support for TLS management and DANE added, see: # http://www.postfix.org/postfix-tls.1.html + def find_postfix_cf(self): + "Search far and wide for the correct postfix configuration file" + return os.path.join(self.config_dir, "main.cf") + + def more_info(self): + """Human-readable string to help the user. + Should describe the steps taken and any relevant info to help the user + decide which plugin to use. + :rtype str: + """ + return ( + "Configures Postfix to try to authenticate mail servers, use " + "installed certificates and disable weak ciphers and protocols.{0}" + "Server root: {root}{0}" + "Version: {version}".format( + os.linesep, + root=self.config_dir, + version='.'.join([str(i) for i in self._get_version()])) + ) + def _get_version(self): """Return the mail version of Postfix. @@ -160,10 +180,6 @@ class Installer(plugins_common.Plugin): mail_version = self.get_config_var("mail_version", default=True) return tuple(int(i) for i in mail_version.split('.')) - def find_postfix_cf(self): - "Search far and wide for the correct postfix configuration file" - return os.path.join(self.config_dir, "main.cf") - def ensure_cf_var(self, var, ideal, also_acceptable): """ Ensure that existing postfix config @var is in the list of @acceptable @@ -255,23 +271,6 @@ class Installer(plugins_common.Plugin): # https://github.com/letsencrypt/letsencrypt/blob/master/letsencrypt/plugins/common.py#L35 - def more_info(self): - """Human-readable string to help the user. - Should describe the steps taken and any relevant info to help the user - decide which plugin to use. - :rtype str: - """ - return ( - "Configures Postfix to try to authenticate mail servers, use " - "installed certificates and disable weak ciphers and protocols.{0}" - "Server root: {root}{0}" - "Version: {version}".format( - os.linesep, - root=self.config_dir, - version='.'.join([str(i) for i in self._get_version()])) - ) - - ### Let's Encrypt client IInstaller ### # https://github.com/letsencrypt/letsencrypt/blob/master/letsencrypt/interfaces.py#L232 From b342f40c2ba68b73ed7428b4190705671c5e7caf Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Wed, 23 Aug 2017 15:16:36 -0700 Subject: [PATCH 175/256] remove old comments --- certbot-postfix/certbot_postfix/installer.py | 7 ------- 1 file changed, 7 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index d8e8420d9..92ba3f13d 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -267,13 +267,6 @@ class Installer(plugins_common.Plugin): with open(self.fn, "w") as f: f.write(self.new_cf) - ### Let's Encrypt client IPlugin ### - # https://github.com/letsencrypt/letsencrypt/blob/master/letsencrypt/plugins/common.py#L35 - - - ### Let's Encrypt client IInstaller ### - # https://github.com/letsencrypt/letsencrypt/blob/master/letsencrypt/interfaces.py#L232 - def get_all_names(self): """Returns all names that may be authenticated. :rtype: `list` of `str` From 90ffe2aac0d310947b7931792acfcfc96c036601 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 24 Aug 2017 09:04:57 -0700 Subject: [PATCH 176/256] Remove legacy get_all_certs_and_keys() method --- certbot-postfix/certbot_postfix/installer.py | 24 ------------------- .../certbot_postfix/installer_test.py | 13 ---------- 2 files changed, 37 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 92ba3f13d..3eb670161 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -317,30 +317,6 @@ class Installer(plugins_common.Plugin): :rtype: :class:`list` of :class:`str` """ - def get_all_certs_keys(self): - """Retrieve all certs and keys set in configuration. - :returns: tuples with form `[(cert, key, path)]`, where: - - `cert` - str path to certificate file - - `key` - str path to associated key file - - `path` - file path to configuration file - :rtype: list - """ - cert_materials = {'smtpd_tls_key_file': None, - 'smtpd_tls_cert_file': None, - } - for num, line in enumerate(self.cf): - num, found_var, found_value = parse_line((num, line)) - if found_var in cert_materials.keys(): - cert_materials[found_var] = found_value - - if not all(cert_materials.values()): - cert_material_tuples = [] - else: - cert_material_tuples = [(cert_materials['smtpd_tls_cert_file'], - cert_materials['smtpd_tls_key_file'], - self.fn),] - return cert_material_tuples - def save(self, title=None, temporary=False): """Saves all changes to the configuration files. Both title and temporary are needed because a save may be diff --git a/certbot-postfix/certbot_postfix/installer_test.py b/certbot-postfix/certbot_postfix/installer_test.py index aae61bd59..0c83a25e6 100644 --- a/certbot-postfix/certbot_postfix/installer_test.py +++ b/certbot-postfix/certbot_postfix/installer_test.py @@ -80,19 +80,6 @@ class InstallerTest(certbot_test_util.TempDirTestCase): installer = self._create_prepared_installer() self.assertEqual(sorted_names, installer.get_all_names()) - def test_get_all_certs_and_keys(self): - return_vals = [('/etc/letsencrypt/live/www.fubard.org/fullchain.pem', - '/etc/letsencrypt/live/www.fubard.org/privkey.pem', - os.path.join(self.tempdir, 'main.cf')),] - self._write_config(certs_only_config) - installer = self._create_prepared_installer() - self.assertEqual(return_vals, installer.get_all_certs_keys()) - - def test_get_all_certs_and_keys_with_none(self): - self._write_config(names_only_config) - installer = self._create_prepared_installer() - self.assertEqual([], installer.get_all_certs_keys()) - def _write_config(self, content): config_dir = self.config.postfix_config_dir with open(os.path.join(config_dir, "main.cf"), "w") as f: From 967a1830e6fdab696d9d0edf9d8416622811b341 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 24 Aug 2017 14:59:25 -0700 Subject: [PATCH 177/256] Rewrite get_all_names --- certbot-postfix/certbot_postfix/installer.py | 26 ++++++++----------- .../certbot_postfix/installer_test.py | 14 ++++++---- 2 files changed, 20 insertions(+), 20 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 3eb670161..3bbb112ba 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -180,6 +180,15 @@ class Installer(plugins_common.Plugin): mail_version = self.get_config_var("mail_version", default=True) return tuple(int(i) for i in mail_version.split('.')) + def get_all_names(self): + """Returns all names that may be authenticated. + + :rtype: `set` of `str` + + """ + return set(self.get_config_var(var) + for var in ('mydomain', 'myhostname', 'myorigin',)) + def ensure_cf_var(self, var, ideal, also_acceptable): """ Ensure that existing postfix config @var is in the list of @acceptable @@ -267,20 +276,6 @@ class Installer(plugins_common.Plugin): with open(self.fn, "w") as f: f.write(self.new_cf) - def get_all_names(self): - """Returns all names that may be authenticated. - :rtype: `list` of `str` - """ - var_names = ('myhostname', 'mydomain', 'myorigin') - names_found = set() - for num, line in enumerate(self.cf): - num, found_var, found_value = parse_line((num, line)) - if found_var in var_names: - names_found.add(found_value) - name_list = list(names_found) - name_list.sort() - return name_list - def deploy_cert(self, domain, _cert_path, key_path, _chain_path, fullchain_path): """Deploy certificate. :param str domain: domain to deploy certificate file @@ -398,7 +393,8 @@ class Installer(plugins_common.Plugin): expected_prefix = name + " =" if not output.startswith(expected_prefix): raise errors.PluginError( - "Unexpected output from '{0}'".format(' '.join(cmd))) + "Unexpected output '{0}' from '{1}'".format(output, + ' '.join(cmd))) return output[len(expected_prefix):].strip() diff --git a/certbot-postfix/certbot_postfix/installer_test.py b/certbot-postfix/certbot_postfix/installer_test.py index 0c83a25e6..467eed752 100644 --- a/certbot-postfix/certbot_postfix/installer_test.py +++ b/certbot-postfix/certbot_postfix/installer_test.py @@ -18,8 +18,8 @@ from certbot import errors from certbot.tests import util as certbot_test_util # Fake Postfix Configs -names_only_config = """myhostname = mail.fubard.org -mydomain = fubard.org +names_only_config = """mydomain = fubard.org +myhostname = mail.fubard.org myorigin = fubard.org""" @@ -74,11 +74,15 @@ class InstallerTest(certbot_test_util.TempDirTestCase): installer.prepare() self.assertEqual(installer.config_dir, expected) - def test_get_all_names(self): - sorted_names = ['fubard.org', 'mail.fubard.org'] + @mock.patch("certbot_postfix.installer.util.check_output") + def test_get_all_names(self, mock_check_output): self._write_config(names_only_config) installer = self._create_prepared_installer() - self.assertEqual(sorted_names, installer.get_all_names()) + mock_check_output.side_effect = names_only_config.splitlines() + + result = installer.get_all_names() + self.assertTrue("fubard.org" in result) + self.assertTrue("mail.fubard.org" in result) def _write_config(self, content): config_dir = self.config.postfix_config_dir From 0efc02d6eeeabe6383ffa0c3a9c43842fca9aedb Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 24 Aug 2017 15:03:11 -0700 Subject: [PATCH 178/256] Lock the Postfix config dir --- certbot-postfix/certbot_postfix/installer.py | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 3bbb112ba..362fe5e8c 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -60,6 +60,7 @@ class Installer(plugins_common.Plugin): self._verify_postconf_available() self._set_config_dir() self._check_version() + self._lock_config_dir() self.fn = self.find_postfix_cf() with open(self.fn) as f: @@ -146,6 +147,19 @@ class Installer(plugins_common.Plugin): # - Built-in support for TLS management and DANE added, see: # http://www.postfix.org/postfix-tls.1.html + def _lock_config_dir(self): + """Stop two Postfix plugins from modifying the config at once. + + :raises .PluginError: if unable to acquire the lock + + """ + try: + certbot_util.lock_dir_until_exit(self.config_dir) + except (OSError, errors.LockError): + logger.debug("Encountered error:", exc_info=True) + raise errors.PluginError( + "Unable to lock %s", self.config_dir) + def find_postfix_cf(self): "Search far and wide for the correct postfix configuration file" return os.path.join(self.config_dir, "main.cf") From 3b2e9e49be4183f980f5d0c981438df2151209d8 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 24 Aug 2017 15:04:36 -0700 Subject: [PATCH 179/256] Remove unneeded instance variables --- certbot-postfix/certbot_postfix/installer.py | 14 -------------- 1 file changed, 14 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 362fe5e8c..9a7c3802e 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -39,14 +39,6 @@ class Installer(plugins_common.Plugin): self.fixup = False self.config_dir = None - self.additions = [] - self.deletions = [] - self.policy_lines = [] - self.new_cf = "" - self.fn = None - self.raw_cf = [] - self.cf = [] - def prepare(self): """Prepare the installer. @@ -62,12 +54,6 @@ class Installer(plugins_common.Plugin): self._check_version() self._lock_config_dir() - self.fn = self.find_postfix_cf() - with open(self.fn) as f: - self.raw_cf = f.readlines() - self.cf = map(string.strip, self.raw_cf) - #self.cf = [line for line in cf if line and not line.startswith("#")] - def _verify_postconf_available(self): """Ensure 'postconf' can be found. From b9177948d393b590d11342d2463681e8a2bdc01e Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 24 Aug 2017 15:05:24 -0700 Subject: [PATCH 180/256] Remove _write_config --- certbot-postfix/certbot_postfix/installer_test.py | 7 ------- 1 file changed, 7 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer_test.py b/certbot-postfix/certbot_postfix/installer_test.py index 467eed752..5122bcfe9 100644 --- a/certbot-postfix/certbot_postfix/installer_test.py +++ b/certbot-postfix/certbot_postfix/installer_test.py @@ -58,7 +58,6 @@ class InstallerTest(certbot_test_util.TempDirTestCase): def test_set_config_dir(self): self.config.postfix_config_dir = os.path.join(self.tempdir, "subdir") os.mkdir(self.config.postfix_config_dir) - self._write_config(names_only_config) installer = self._create_installer() expected = self.config.postfix_config_dir @@ -76,7 +75,6 @@ class InstallerTest(certbot_test_util.TempDirTestCase): @mock.patch("certbot_postfix.installer.util.check_output") def test_get_all_names(self, mock_check_output): - self._write_config(names_only_config) installer = self._create_prepared_installer() mock_check_output.side_effect = names_only_config.splitlines() @@ -84,11 +82,6 @@ class InstallerTest(certbot_test_util.TempDirTestCase): self.assertTrue("fubard.org" in result) self.assertTrue("mail.fubard.org" in result) - def _write_config(self, content): - config_dir = self.config.postfix_config_dir - with open(os.path.join(config_dir, "main.cf"), "w") as f: - f.write(content) - def test_get_config_var_success(self): self.config.postfix_config_dir = None From b94e268f83f383b13d3ea61e1a16e6b166ddeffa Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 24 Aug 2017 15:05:39 -0700 Subject: [PATCH 181/256] Remove unused certs_only_config --- certbot-postfix/certbot_postfix/installer_test.py | 5 ----- 1 file changed, 5 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer_test.py b/certbot-postfix/certbot_postfix/installer_test.py index 5122bcfe9..429974e49 100644 --- a/certbot-postfix/certbot_postfix/installer_test.py +++ b/certbot-postfix/certbot_postfix/installer_test.py @@ -23,11 +23,6 @@ myhostname = mail.fubard.org myorigin = fubard.org""" -certs_only_config = ( -"""smtpd_tls_cert_file = /etc/letsencrypt/live/www.fubard.org/fullchain.pem -smtpd_tls_key_file = /etc/letsencrypt/live/www.fubard.org/privkey.pem""") - - class InstallerTest(certbot_test_util.TempDirTestCase): def setUp(self): From cc3896d5d45bc3c68cc7b888447ce49a62ec0e2e Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 24 Aug 2017 15:12:11 -0700 Subject: [PATCH 182/256] Add test_lock_error --- certbot-postfix/certbot_postfix/installer_test.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/certbot-postfix/certbot_postfix/installer_test.py b/certbot-postfix/certbot_postfix/installer_test.py index 429974e49..29dcf3200 100644 --- a/certbot-postfix/certbot_postfix/installer_test.py +++ b/certbot-postfix/certbot_postfix/installer_test.py @@ -6,6 +6,7 @@ from __future__ import division from __future__ import print_function from __future__ import unicode_literals +import functools import logging import os import subprocess @@ -68,6 +69,12 @@ class InstallerTest(certbot_test_util.TempDirTestCase): installer.prepare() self.assertEqual(installer.config_dir, expected) + def test_lock_error(self): + assert_raises = functools.partial(self.assertRaises, + errors.PluginError, + self._create_prepared_installer) + certbot_test_util.lock_and_call(assert_raises, self.tempdir) + @mock.patch("certbot_postfix.installer.util.check_output") def test_get_all_names(self, mock_check_output): installer = self._create_prepared_installer() From baf0d3343aceba3568dc06898c654c0322bd428a Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 24 Aug 2017 15:13:02 -0700 Subject: [PATCH 183/256] Remove postfix version notes --- certbot-postfix/certbot_postfix/installer.py | 43 -------------------- 1 file changed, 43 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 9a7c3802e..0f3796e1f 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -89,49 +89,6 @@ class Installer(plugins_common.Plugin): """ if self._get_version() < (2, 11, 0): raise errors.NotSupportedError('Postfix version is too old') - # Postfix has changed support for TLS features, supported protocol versions - # KEX methods, ciphers et cetera over the years. We sort out version dependend - # differences here and pass them onto other configuration functions. - # see: - # http://www.postfix.org/TLS_README.html - # http://www.postfix.org/FORWARD_SECRECY_README.html - - # Postfix == 2.2: - # - TLS support introduced via 3rd party patch, see: - # http://www.postfix.org/TLS_LEGACY_README.html - - # Postfix => 2.2: - # - built-in TLS support added - # - Support for PFS introduced - # - Support for (E)DHE params >= 1024bit (need to be generated), default 1k - - # Postfix => 2.5: - # - Syntax to specify mandatory protocol version changes: - # * < 2.5: `smtpd_tls_mandatory_protocols = TLSv1` - # * => 2.5: `smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3` - # - Certificate fingerprint verification added - - # Postfix => 2.6: - # - Support for ECDHE NIST P-256 curve (enable `smtpd_tls_eecdh_grade = strong`) - # - Support for configurable cipher-suites and protocol versions added, pre-2.6 - # releases always set EXPORT, options: `smtp_tls_ciphers` and `smtp_tls_protocols` - # - `smtp_tls_eccert_file` and `smtp_tls_eckey_file` config. options added - - # Postfix => 2.8: - # - Override Client suite preference w. `tls_preempt_cipherlist = yes` - # - Elliptic curve crypto. support enabled by default - - # Postfix => 2.9: - # - Public key fingerprint support added - # - `permit_tls_clientcerts`, `permit_tls_all_clientcerts` and - # `check_ccert_access` config. options added - - # Postfix <= 2.9.5: - # - BUG: Public key fingerprint is computed incorrectly - - # Postfix => 3.1: - # - Built-in support for TLS management and DANE added, see: - # http://www.postfix.org/postfix-tls.1.html def _lock_config_dir(self): """Stop two Postfix plugins from modifying the config at once. From b92df1b71cf6b21b5414176c74f048e0af9c793d Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 24 Aug 2017 15:15:41 -0700 Subject: [PATCH 184/256] Remove unused find_postfix_cf --- certbot-postfix/certbot_postfix/installer.py | 4 ---- 1 file changed, 4 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 0f3796e1f..d9aeb4887 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -103,10 +103,6 @@ class Installer(plugins_common.Plugin): raise errors.PluginError( "Unable to lock %s", self.config_dir) - def find_postfix_cf(self): - "Search far and wide for the correct postfix configuration file" - return os.path.join(self.config_dir, "main.cf") - def more_info(self): """Human-readable string to help the user. Should describe the steps taken and any relevant info to help the user From 00e28592b6163f314f68a7c81dc5faa1854ca2f6 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 24 Aug 2017 15:18:40 -0700 Subject: [PATCH 185/256] Add supported_enhancements --- certbot-postfix/certbot_postfix/installer.py | 14 ++++++++------ certbot-postfix/certbot_postfix/installer_test.py | 4 ++++ 2 files changed, 12 insertions(+), 6 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index d9aeb4887..45768df6c 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -142,6 +142,14 @@ class Installer(plugins_common.Plugin): return set(self.get_config_var(var) for var in ('mydomain', 'myhostname', 'myorigin',)) + def supported_enhancements(self): + """Returns a list of supported enhancements. + + :rtype: list + + """ + return [] + def ensure_cf_var(self, var, ideal, also_acceptable): """ Ensure that existing postfix config @var is in the list of @acceptable @@ -258,12 +266,6 @@ class Installer(plugins_common.Plugin): an error occurs during the enhancement. """ - def supported_enhancements(self): - """Returns a list of supported enhancements. - :returns: supported enhancements which should be a subset of - :const:`~letsencrypt.constants.ENHANCEMENTS` - :rtype: :class:`list` of :class:`str` - """ def save(self, title=None, temporary=False): """Saves all changes to the configuration files. diff --git a/certbot-postfix/certbot_postfix/installer_test.py b/certbot-postfix/certbot_postfix/installer_test.py index 29dcf3200..ea7d0e503 100644 --- a/certbot-postfix/certbot_postfix/installer_test.py +++ b/certbot-postfix/certbot_postfix/installer_test.py @@ -84,6 +84,10 @@ class InstallerTest(certbot_test_util.TempDirTestCase): self.assertTrue("fubard.org" in result) self.assertTrue("mail.fubard.org" in result) + def test_supported_enhancements(self): + self.assertEqual( + self._create_prepared_installer().supported_enhancements(), []) + def test_get_config_var_success(self): self.config.postfix_config_dir = None From 60c6cc5f2abf12884506172233894e358e18e670 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 24 Aug 2017 15:26:52 -0700 Subject: [PATCH 186/256] Write enhance() --- certbot-postfix/certbot_postfix/installer.py | 24 ++++++++----------- .../certbot_postfix/installer_test.py | 5 ++++ 2 files changed, 15 insertions(+), 14 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 45768df6c..189836bbe 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -142,6 +142,16 @@ class Installer(plugins_common.Plugin): return set(self.get_config_var(var) for var in ('mydomain', 'myhostname', 'myorigin',)) + def enhance(self, domain, enhancement, options=None): + """Raises an exception for request for unsupported enhancement. + + :raises .PluginError: this is always raised as no enhancements + are currently supported + + """ + raise errors.PluginError( + "Unsupported enhancement: {0}".format(enhancement)) + def supported_enhancements(self): """Returns a list of supported enhancements. @@ -253,20 +263,6 @@ class Installer(plugins_common.Plugin): self.set_domainwise_tls_policies() self.update_CAfile() - def enhance(self, domain, enhancement, options=None): - """Perform a configuration enhancement. - :param str domain: domain for which to provide enhancement - :param str enhancement: An enhancement as defined in - :const:`~letsencrypt.constants.ENHANCEMENTS` - :param options: Flexible options parameter for enhancement. - Check documentation of - :const:`~letsencrypt.constants.ENHANCEMENTS` - for expected options for each enhancement. - :raises .PluginError: If Enhancement is not supported, or if - an error occurs during the enhancement. - """ - - def save(self, title=None, temporary=False): """Saves all changes to the configuration files. Both title and temporary are needed because a save may be diff --git a/certbot-postfix/certbot_postfix/installer_test.py b/certbot-postfix/certbot_postfix/installer_test.py index ea7d0e503..1796c60ca 100644 --- a/certbot-postfix/certbot_postfix/installer_test.py +++ b/certbot-postfix/certbot_postfix/installer_test.py @@ -84,6 +84,11 @@ class InstallerTest(certbot_test_util.TempDirTestCase): self.assertTrue("fubard.org" in result) self.assertTrue("mail.fubard.org" in result) + def test_enhance(self): + self.assertRaises(errors.PluginError, + self._create_prepared_installer().enhance, + "example.org", "redirect") + def test_supported_enhancements(self): self.assertEqual( self._create_prepared_installer().supported_enhancements(), []) From 0f4c5c230538458f99418f28b4f3658477d59bc7 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 25 Aug 2017 11:41:30 -0700 Subject: [PATCH 187/256] Use common installer base --- certbot-postfix/certbot_postfix/installer.py | 20 +------------------ .../certbot_postfix/installer_test.py | 6 +++--- 2 files changed, 4 insertions(+), 22 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 189836bbe..366824f07 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -21,7 +21,7 @@ logger = logging.getLogger(__name__) @zope.interface.implementer(interfaces.IInstaller) @zope.interface.provider(interfaces.IPluginFactory) -class Installer(plugins_common.Plugin): +class Installer(plugins_common.Installer): """Certbot installer plugin for Postfix.""" description = "Configure TLS with the Postfix MTA" @@ -278,24 +278,6 @@ class Installer(plugins_common.Plugin): """ self.maybe_add_config_lines() - def rollback_checkpoints(self, rollback=1): - """Revert `rollback` number of configuration checkpoints. - :raises .PluginError: when configuration cannot be fully reverted - """ - - def recovery_routine(self): - """Revert configuration to most recent finalized checkpoint. - Remove all changes (temporary and permanent) that have not been - finalized. This is useful to protect against crashes and other - execution interruptions. - :raises .errors.PluginError: If unable to recover the configuration - """ - - def view_config_changes(self): - """Display all of the LE config changes. - :raises .PluginError: when config changes cannot be parsed - """ - def config_test(self): """Make sure the configuration is valid. :raises .MisconfigurationError: when the config is not in a usable state diff --git a/certbot-postfix/certbot_postfix/installer_test.py b/certbot-postfix/certbot_postfix/installer_test.py index 1796c60ca..547a954e2 100644 --- a/certbot-postfix/certbot_postfix/installer_test.py +++ b/certbot-postfix/certbot_postfix/installer_test.py @@ -24,12 +24,12 @@ myhostname = mail.fubard.org myorigin = fubard.org""" -class InstallerTest(certbot_test_util.TempDirTestCase): +class InstallerTest(certbot_test_util.ConfigTestCase): def setUp(self): super(InstallerTest, self).setUp() - self.config = mock.MagicMock(postfix_config_dir=self.tempdir, - postfix_config_utility="postconf") + self.config.postfix_config_dir = self.tempdir + self.config.postfix_config_utility = "postconf" def test_add_parser_arguments(self): mock_add = mock.MagicMock() From a29a99fb6ff359630b34629f2b1ec35cfc1455a9 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 25 Aug 2017 13:34:03 -0700 Subject: [PATCH 188/256] Add --postfix-ctl flag. --- certbot-postfix/certbot_postfix/installer.py | 4 +++- certbot-postfix/certbot_postfix/installer_test.py | 3 ++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 366824f07..3c4a4a85b 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -28,9 +28,11 @@ class Installer(plugins_common.Installer): @classmethod def add_parser_arguments(cls, add): + add("ctl", default="postfix", + help="Path to the 'postfix' control program.") add("config-dir", help="Path to the directory containing the " "Postfix main.cf file to modify instead of using the " - "default configuration paths") + "default configuration paths.") add("config-utility", default="postconf", help="Path to the 'postconf' executable.") diff --git a/certbot-postfix/certbot_postfix/installer_test.py b/certbot-postfix/certbot_postfix/installer_test.py index 547a954e2..a761a4386 100644 --- a/certbot-postfix/certbot_postfix/installer_test.py +++ b/certbot-postfix/certbot_postfix/installer_test.py @@ -32,13 +32,14 @@ class InstallerTest(certbot_test_util.ConfigTestCase): self.config.postfix_config_utility = "postconf" def test_add_parser_arguments(self): + options = set(('ctl', 'config-dir', 'config-utility',)) mock_add = mock.MagicMock() from certbot_postfix import installer installer.Installer.add_parser_arguments(mock_add) for call in mock_add.call_args_list: - self.assertTrue(call[0][0] in ('config-dir', 'config-utility')) + self.assertTrue(call[0][0] in options) def test_no_postconf_prepare(self): installer = self._create_installer() From b4b5c447500ef3f328d14efc99b6ca0a2ce54f28 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 25 Aug 2017 13:38:07 -0700 Subject: [PATCH 189/256] Check postfix executable is found. --- certbot-postfix/certbot_postfix/installer.py | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 3c4a4a85b..73e54b4f5 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -51,24 +51,27 @@ class Installer(plugins_common.Installer): :raises errors.NotSupportedError: when version is not supported """ - self._verify_postconf_available() + for param in ("ctl", "config_dir",): + self._verify_executable_is_available(param) self._set_config_dir() self._check_version() self._lock_config_dir() - def _verify_postconf_available(self): - """Ensure 'postconf' can be found. + def _verify_executable_is_available(self, config_name): + """Asserts the program in the specified config param is found. - :raises .NoInstallationError: when unable to find 'postconf' + :param str config_name: name of the config param + + :raises .NoInstallationError: when the executable isn't found """ - if not certbot_util.exe_exists(self.conf("config-utility")): - if not plugins_util.path_surgery(self.conf("config-utility")): + if not certbot_util.exe_exists(self.conf(config_name)): + if not plugins_util.path_surgery(self.conf(config_name)): raise errors.NoInstallationError( "Cannot find executable '{0}'. You can provide the " "path to this command with --{1}".format( - self.conf("config-utility"), - self.option_name("config-utility"))) + self.conf(config_name), + self.option_name(config_name))) def _set_config_dir(self): """Ensure self.config_dir is set to the correct path. From 2ae187b1d6bffb6cc63aaa36ddea14be3b7675d3 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 25 Aug 2017 13:55:21 -0700 Subject: [PATCH 190/256] Update config_test method --- certbot-postfix/certbot_postfix/installer.py | 46 +++++++++++++++----- 1 file changed, 35 insertions(+), 11 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 73e54b4f5..60c8b3109 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -165,6 +165,41 @@ class Installer(plugins_common.Installer): """ return [] + def config_test(self): + """Make sure the configuration is valid. + + :raises .MisconfigurationError: if the config is invalid + + """ + try: + self._run_postfix_subcommand("check") + except subprocess.CalledProcessError: + raise errors.MisconfigurationError( + "Postfix failed internal configuration check.") + + def _run_postfix_subcommand(self, subcommand): + """Runs a subcommand of the 'postfix' control program. + + If the command fails, the exception is logged at the DEBUG + level. + + :param str subcommand: subcommand to run + + :raises subprocess.CalledProcessError: if the command fails + + """ + cmd = [self.conf("ctl")] + if self.conf("config-dir") is not None: + cmd.extend(("-c", self.conf("config-dir"),)) + cmd.append(subcommand) + + try: + subprocess.check_call(cmd) + except subprocess.CalledProcessError: + logger.debug("%s exited with a non-zero status.", + "".join(cmd), exc_info=True) + raise + def ensure_cf_var(self, var, ideal, also_acceptable): """ Ensure that existing postfix config @var is in the list of @acceptable @@ -283,17 +318,6 @@ class Installer(plugins_common.Installer): """ self.maybe_add_config_lines() - def config_test(self): - """Make sure the configuration is valid. - :raises .MisconfigurationError: when the config is not in a usable state - """ - if os.geteuid() != 0: - rc = os.system('sudo /usr/sbin/postfix check') - else: - rc = os.system('/usr/sbin/postfix check') - if rc != 0: - raise errors.MisconfigurationError('Postfix failed self-check.') - def restart(self): """Restart or refresh the server content. :raises .PluginError: when server cannot be restarted From 5f3be9b1cf667bae9ff8c66c6ee3ae38c1873ae8 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 25 Aug 2017 13:58:45 -0700 Subject: [PATCH 191/256] test config_test failure --- certbot-postfix/certbot_postfix/installer_test.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/certbot-postfix/certbot_postfix/installer_test.py b/certbot-postfix/certbot_postfix/installer_test.py index a761a4386..a7a9d27fa 100644 --- a/certbot-postfix/certbot_postfix/installer_test.py +++ b/certbot-postfix/certbot_postfix/installer_test.py @@ -28,6 +28,7 @@ class InstallerTest(certbot_test_util.ConfigTestCase): def setUp(self): super(InstallerTest, self).setUp() + self.config.postfix_ctl = "postfix" self.config.postfix_config_dir = self.tempdir self.config.postfix_config_utility = "postconf" @@ -94,6 +95,12 @@ class InstallerTest(certbot_test_util.ConfigTestCase): self.assertEqual( self._create_prepared_installer().supported_enhancements(), []) + @mock.patch("certbot_postfix.installer.subprocess.check_call") + def test_config_test_failure(self, mock_check_call): + installer = self._create_prepared_installer() + mock_check_call.side_effect = subprocess.CalledProcessError(42, "foo") + self.assertRaises(errors.MisconfigurationError, installer.config_test) + def test_get_config_var_success(self): self.config.postfix_config_dir = None From 68dc678eed9d997a446f54eca55266a9e8531d4f Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 25 Aug 2017 14:02:57 -0700 Subject: [PATCH 192/256] Call config_test in prepare --- certbot-postfix/certbot_postfix/installer.py | 1 + certbot-postfix/certbot_postfix/installer_test.py | 10 +++++++--- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 60c8b3109..910fa67a6 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -55,6 +55,7 @@ class Installer(plugins_common.Installer): self._verify_executable_is_available(param) self._set_config_dir() self._check_version() + self.config_test() self._lock_config_dir() def _verify_executable_is_available(self, config_name): diff --git a/certbot-postfix/certbot_postfix/installer_test.py b/certbot-postfix/certbot_postfix/installer_test.py index a7a9d27fa..425f0dd54 100644 --- a/certbot-postfix/certbot_postfix/installer_test.py +++ b/certbot-postfix/certbot_postfix/installer_test.py @@ -61,6 +61,7 @@ class InstallerTest(certbot_test_util.ConfigTestCase): expected = self.config.postfix_config_dir self.config.postfix_config_dir = None + check_call_path = "certbot_postfix.installer.subprocess.check_call" check_output_path = "certbot_postfix.installer.util.check_output" exe_exists_path = "certbot_postfix.installer.certbot_util.exe_exists" with mock.patch(check_output_path) as mock_check_output: @@ -68,7 +69,8 @@ class InstallerTest(certbot_test_util.ConfigTestCase): "config_directory = " + expected, "mail_version = 3.1.4" ] with mock.patch(exe_exists_path, return_value=True): - installer.prepare() + with mock.patch(check_call_path): + installer.prepare() self.assertEqual(installer.config_dir, expected) def test_lock_error(self): @@ -159,12 +161,14 @@ class InstallerTest(certbot_test_util.ConfigTestCase): """ installer = self._create_installer() + check_call_path = "certbot_postfix.installer.subprocess.check_call" check_output_path = "certbot_postfix.installer.util.check_output" exe_exists_path = "certbot_postfix.installer.certbot_util.exe_exists" with mock.patch(check_output_path) as mock_check_output: with mock.patch(exe_exists_path, return_value=True): - mock_check_output.return_value = "mail_version = 3.1.4" - installer.prepare() + with mock.patch(check_call_path): + mock_check_output.return_value = "mail_version = 3.1.4" + installer.prepare() return installer From a6c08a2e255801eaa9daedb050ee4d588c1b89ab Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 25 Aug 2017 14:03:29 -0700 Subject: [PATCH 193/256] Update prepare docstring. --- certbot-postfix/certbot_postfix/installer.py | 1 + 1 file changed, 1 insertion(+) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 910fa67a6..94cfa3194 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -47,6 +47,7 @@ class Installer(plugins_common.Installer): Finish up any additional initialization. :raises errors.PluginError: when an unexpected error occurs + :raises errors.MisconfigurationError: when the config is invalid :raises errors.NoInstallationError: when can't find installation :raises errors.NotSupportedError: when version is not supported From 218e15c9d4fc5b74ae57b1a57e8c1ab28a57b620 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 25 Aug 2017 14:25:22 -0700 Subject: [PATCH 194/256] Make restart() more robust. --- certbot-postfix/certbot_postfix/installer.py | 65 ++++++++++++++++---- 1 file changed, 53 insertions(+), 12 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 94cfa3194..d73b73a37 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -179,6 +179,59 @@ class Installer(plugins_common.Installer): raise errors.MisconfigurationError( "Postfix failed internal configuration check.") + def restart(self): + """Restart or refresh the server content. + + :raises .PluginError: when server cannot be restarted + + """ + logger.info("Reloading Postfix configuration...") + if self._is_postfix_running(): + self._reload() + else: + self._start() + + def _is_postfix_running(self): + """Is Postfix currently running? + + Uses the 'postfix status' command to determine if Postfix is + currently running using the specified configuration files. + + :returns: True if Postfix is running, otherwise, False + :rtype: bool + + """ + try: + self._run_postfix_subcommand("status") + except subprocess.CalledProcessError: + return False + return True + + def _reload(self): + """Instructions Postfix to reload its configuration. + + If Postfix isn't currently running, this method will fail. + + :raises .PluginError: when Postfix cannot reload + + """ + try: + self._run_postfix_subcommand("reload") + except subprocess.CalledProcessError: + raise errors.PluginError( + "Postfix failed to reload its configuration.") + + def _start(self): + """Instructions Postfix to start running. + + :raises .PluginError: when Postfix cannot start + + """ + try: + self._run_postfix_subcommand("start") + except subprocess.CalledProcessError: + raise errors.PluginError("Postfix failed to start") + def _run_postfix_subcommand(self, subcommand): """Runs a subcommand of the 'postfix' control program. @@ -320,18 +373,6 @@ class Installer(plugins_common.Installer): """ self.maybe_add_config_lines() - def restart(self): - """Restart or refresh the server content. - :raises .PluginError: when server cannot be restarted - """ - logger.info('Reloading postfix config...') - if os.geteuid() != 0: - rc = os.system("sudo service postfix reload") - else: - rc = os.system("service postfix reload") - if rc != 0: - raise errors.MisconfigurationError('cannot restart postfix') - def get_config_var(self, name, default=False): """Return the value of the specified Postfix config parameter. From b21b66c0c07ac3b33db0dc199a946c667dee6106 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 25 Aug 2017 14:29:50 -0700 Subject: [PATCH 195/256] Test restart command. --- .../certbot_postfix/installer_test.py | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/certbot-postfix/certbot_postfix/installer_test.py b/certbot-postfix/certbot_postfix/installer_test.py index 425f0dd54..69d999b31 100644 --- a/certbot-postfix/certbot_postfix/installer_test.py +++ b/certbot-postfix/certbot_postfix/installer_test.py @@ -103,6 +103,33 @@ class InstallerTest(certbot_test_util.ConfigTestCase): mock_check_call.side_effect = subprocess.CalledProcessError(42, "foo") self.assertRaises(errors.MisconfigurationError, installer.config_test) + @mock.patch("certbot_postfix.installer.subprocess.check_call") + def test_postfix_reload_failure(self, mock_check_call): + installer = self._create_prepared_installer() + mock_check_call.side_effect = [ + None, subprocess.CalledProcessError(42, "foo") + ] + self.assertRaises(errors.PluginError, installer.restart) + + @mock.patch("certbot_postfix.installer.subprocess.check_call") + def test_postfix_reload_success(self, mock_check_call): + installer = self._create_prepared_installer() + installer.restart() + + @mock.patch("certbot_postfix.installer.subprocess.check_call") + def test_postfix_start_failure(self, mock_check_call): + installer = self._create_prepared_installer() + mock_check_call.side_effect = subprocess.CalledProcessError(42, "foo") + self.assertRaises(errors.PluginError, installer.restart) + + @mock.patch("certbot_postfix.installer.subprocess.check_call") + def test_postfix_start_success(self, mock_check_call): + installer = self._create_prepared_installer() + mock_check_call.side_effect = [ + subprocess.CalledProcessError(42, "foo"), None + ] + installer.restart() + def test_get_config_var_success(self): self.config.postfix_config_dir = None From 11b820c0e4b8a60b9145cfea97d9a0ba89149bb7 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Mon, 28 Aug 2017 14:41:07 -0700 Subject: [PATCH 196/256] add set_config_var --- certbot-postfix/certbot_postfix/installer.py | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index d73b73a37..e384e0396 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -40,6 +40,7 @@ class Installer(plugins_common.Installer): super(Installer, self).__init__(*args, **kwargs) self.fixup = False self.config_dir = None + self.proposed_changes = {} def prepare(self): """Prepare the installer. @@ -426,6 +427,19 @@ class Installer(plugins_common.Installer): return cmd + def set_config_var(self, name, value): + """Set the Postfix config parameter name to value. + + This method only stores the requested change in memory. The + Postfix configuration is not modified until save() is called. + + :param str name: name of the Postfix config parameter + :param str value: value to set the Postfix config parameter to + + """ + assert isinstance(name, str), "Invalid name value" + assert isinstance(value, str), "Invalid key value" + self.proposed_changes[name] = value # def update_CAfile(self): # os.system("cat /usr/share/ca-certificates/mozilla/*.crt > " + self.ca_file) From 4805fb4b88945863f03a3aaa7638ce2684ca6fd8 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Mon, 28 Aug 2017 14:52:05 -0700 Subject: [PATCH 197/256] Add deploy_cert --- certbot-postfix/certbot_postfix/installer.py | 36 +++++++++++--------- 1 file changed, 20 insertions(+), 16 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index e384e0396..3b67cfa9c 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -150,6 +150,26 @@ class Installer(plugins_common.Installer): return set(self.get_config_var(var) for var in ('mydomain', 'myhostname', 'myorigin',)) + def deploy_cert(self, domain, cert_path, + key_path, chain_path, fullchain_path): + """Configure the Postfix SMTP server to use the given TLS cert. + + :param str domain: domain to deploy certificate file + :param str cert_path: absolute path to the certificate file + :param str key_path: absolute path to the private key file + :param str chain_path: absolute path to the certificate chain file + :param str fullchain_path: absolute path to the certificate fullchain + file (cert plus chain) + + :raises .PluginError: when cert cannot be deployed + + """ + self.set_config_var("smtpd_tls_cert_file", fullchain_path) + self.set_config_var("smtpd_tls_key_file", key_path) + self.set_config_var("smtpd_tls_mandatory_protocols", "!SSLv2, !SSLv3") + self.set_config_var("smtpd_tls_protocols", "!SSLv2, !SSLv3") + self.set_config_var("smtpd_use_tls", "yes") + def enhance(self, domain, enhancement, options=None): """Raises an exception for request for unsupported enhancement. @@ -343,22 +363,6 @@ class Installer(plugins_common.Installer): with open(self.fn, "w") as f: f.write(self.new_cf) - def deploy_cert(self, domain, _cert_path, key_path, _chain_path, fullchain_path): - """Deploy certificate. - :param str domain: domain to deploy certificate file - :param str cert_path: absolute path to the certificate file - :param str key_path: absolute path to the private key file - :param str chain_path: absolute path to the certificate chain file - :param str fullchain_path: absolute path to the certificate fullchain - file (cert plus chain) - :raises .PluginError: when cert cannot be deployed - """ - self.wrangle_existing_config() - self.ensure_cf_var("smtpd_tls_cert_file", fullchain_path, []) - self.ensure_cf_var("smtpd_tls_key_file", key_path, []) - self.set_domainwise_tls_policies() - self.update_CAfile() - def save(self, title=None, temporary=False): """Saves all changes to the configuration files. Both title and temporary are needed because a save may be From d0ea5958f90505b6ac6c3b45b3bc06eda165e17e Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Mon, 28 Aug 2017 14:54:53 -0700 Subject: [PATCH 198/256] Protect _set_config_var --- certbot-postfix/certbot_postfix/installer.py | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 3b67cfa9c..7281a7e4d 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -164,11 +164,11 @@ class Installer(plugins_common.Installer): :raises .PluginError: when cert cannot be deployed """ - self.set_config_var("smtpd_tls_cert_file", fullchain_path) - self.set_config_var("smtpd_tls_key_file", key_path) - self.set_config_var("smtpd_tls_mandatory_protocols", "!SSLv2, !SSLv3") - self.set_config_var("smtpd_tls_protocols", "!SSLv2, !SSLv3") - self.set_config_var("smtpd_use_tls", "yes") + self._set_config_var("smtpd_tls_cert_file", fullchain_path) + self._set_config_var("smtpd_tls_key_file", key_path) + self._set_config_var("smtpd_tls_mandatory_protocols", "!SSLv2, !SSLv3") + self._set_config_var("smtpd_tls_protocols", "!SSLv2, !SSLv3") + self._set_config_var("smtpd_use_tls", "yes") def enhance(self, domain, enhancement, options=None): """Raises an exception for request for unsupported enhancement. @@ -431,7 +431,7 @@ class Installer(plugins_common.Installer): return cmd - def set_config_var(self, name, value): + def _set_config_var(self, name, value): """Set the Postfix config parameter name to value. This method only stores the requested change in memory. The From 72637b2cf6ae546c1d2b316e677b937206967cf8 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Mon, 28 Aug 2017 15:20:22 -0700 Subject: [PATCH 199/256] Add util.check_call --- certbot-postfix/certbot_postfix/util.py | 33 ++++++++++++++++++-- certbot-postfix/certbot_postfix/util_test.py | 23 ++++++++++++++ 2 files changed, 53 insertions(+), 3 deletions(-) diff --git a/certbot-postfix/certbot_postfix/util.py b/certbot-postfix/certbot_postfix/util.py index d7145b7c8..b65e4231e 100644 --- a/certbot-postfix/certbot_postfix/util.py +++ b/certbot-postfix/certbot_postfix/util.py @@ -7,6 +7,24 @@ import subprocess logger = logging.getLogger(__name__) +def check_call(*args, **kwargs): + """A simple wrapper of subprocess.check_call that logs errors. + + :param tuple args: positional arguments to subprocess.check_call + :param dict kargs: keyword arguments to subprocess.check_call + + :raises subprocess.CalledProcessError: if the call fails + + """ + try: + subprocess.check_call(*args, **kwargs) + except subprocess.CalledProcessError: + cmd = _get_cmd(*args, **kwargs) + logger.debug("%s exited with a non-zero status.", + "".join(cmd), exc_info=True) + raise + + def check_output(*args, **kwargs): """Backported version of subprocess.check_output for Python 2.6+. @@ -43,10 +61,19 @@ def check_output(*args, **kwargs): output, unused_err = process.communicate() retcode = process.poll() if retcode: - cmd = kwargs.get('args') - if cmd is None: - cmd = args[0] + cmd = _get_cmd(*args, **kwargs) logger.debug( "'%s' exited with %d. Output was:\n%s", cmd, retcode, output) raise subprocess.CalledProcessError(retcode, cmd) return output + + +def _get_cmd(*args, **kwargs): + """Return the command from Popen args. + + :param tuple args: Popen args + :param dict kwargs: Popen kwargs + + """ + cmd = kwargs.get('args') + return args[0] if cmd is None else cmd diff --git a/certbot-postfix/certbot_postfix/util_test.py b/certbot-postfix/certbot_postfix/util_test.py index 019f34532..95253e1fd 100644 --- a/certbot-postfix/certbot_postfix/util_test.py +++ b/certbot-postfix/certbot_postfix/util_test.py @@ -5,6 +5,29 @@ import unittest import mock +class CheckCallTest(unittest.TestCase): + """Tests for certbot_postfix.util.check_call.""" + + @classmethod + def _call(cls, *args, **kwargs): + from certbot_postfix.util import check_call + return check_call(*args, **kwargs) + + @mock.patch('certbot_postfix.util.logger') + @mock.patch('certbot_postfix.util.subprocess.check_call') + def test_failure(self, mock_check_call, mock_logger): + cmd = "postconf smtpd_use_tls=yes".split() + mock_check_call.side_effect = subprocess.CalledProcessError(42, cmd) + self.assertRaises(subprocess.CalledProcessError, self._call, cmd) + self.assertTrue(mock_logger.method_calls) + + @mock.patch('certbot_postfix.util.subprocess.check_call') + def test_success(self, mock_check_call): + cmd = "postconf smtpd_use_tls=yes".split() + self._call(cmd) + mock_check_call.assert_called_once_with(cmd) + + class CheckOutputTest(unittest.TestCase): """Tests for certbot_postfix.util.check_output.""" From d663f7981a08ff47477047a8d37e09f3be6aaa63 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Mon, 28 Aug 2017 15:24:51 -0700 Subject: [PATCH 200/256] Add _write_config_changes --- certbot-postfix/certbot_postfix/installer.py | 37 ++++++++++++++------ 1 file changed, 27 insertions(+), 10 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 7281a7e4d..3f4ff0227 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -269,12 +269,7 @@ class Installer(plugins_common.Installer): cmd.extend(("-c", self.conf("config-dir"),)) cmd.append(subcommand) - try: - subprocess.check_call(cmd) - except subprocess.CalledProcessError: - logger.debug("%s exited with a non-zero status.", - "".join(cmd), exc_info=True) - raise + util.check_call(cmd) def ensure_cf_var(self, var, ideal, also_acceptable): """ @@ -419,10 +414,7 @@ class Installer(plugins_common.Installer): :rtype: list """ - cmd = [self.conf("config-utility")] - - if self.conf("config-dir") is not None: - cmd.extend(("-c", self.conf("config-dir"),)) + cmd = self._postconf_command_base() if default: cmd.append("-d") @@ -445,6 +437,31 @@ class Installer(plugins_common.Installer): assert isinstance(value, str), "Invalid key value" self.proposed_changes[name] = value + def _write_config_changes(self): + """Write proposed changes to the Postfix config. + + :raises errors.PluginError: if an error occurs + + """ + cmd = self._postconf_command_base() + cmd.extend("{0}={1}".format(name, value) + for name, value in self.proposed_changes.items()) + + try: + util.check_call(cmd) + except subprocess.CalledProcessError: + raise errors.PluginError( + "An error occurred while updating your Postfix config.") + + def _postconf_command_base(self): + """Builds start of a postconf command using the selected config.""" + cmd = [self.conf("config-utility")] + + if self.conf("config-dir") is not None: + cmd.extend(("-c", self.conf("config-dir"),)) + + return cmd + # def update_CAfile(self): # os.system("cat /usr/share/ca-certificates/mozilla/*.crt > " + self.ca_file) # From a339de80f43966e5551a19ba8b5c53a7be129a40 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Mon, 28 Aug 2017 17:17:29 -0700 Subject: [PATCH 201/256] Add save() --- certbot-postfix/certbot_postfix/installer.py | 29 ++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 3f4ff0227..71515c687 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -41,6 +41,7 @@ class Installer(plugins_common.Installer): self.fixup = False self.config_dir = None self.proposed_changes = {} + self.save_notes = [] def prepare(self): """Prepare the installer. @@ -164,6 +165,7 @@ class Installer(plugins_common.Installer): :raises .PluginError: when cert cannot be deployed """ + self.save_notes.append("Configuring TLS for {0}".format(domain)) self._set_config_var("smtpd_tls_cert_file", fullchain_path) self._set_config_var("smtpd_tls_key_file", key_path) self._set_config_var("smtpd_tls_mandatory_protocols", "!SSLv2, !SSLv3") @@ -188,6 +190,32 @@ class Installer(plugins_common.Installer): """ return [] + def save(self, title=None, temporary=False): + """Creates backups and writes changes to configuration files. + + :param str title: The title of the save. If a title is given, the + configuration will be saved as a new checkpoint and put in a + timestamped directory. `title` has no effect if temporary is true. + + :param bool temporary: Indicates whether the changes made will + be quickly reversed in the future (challenges) + + :raises errors.PluginError: when save is unsuccessful + + """ + if not self.proposed_changes: + return + + self.add_to_checkpoint(os.path.join(self.config_dir, "main.cf"), + "\n".join(self.save_notes), temporary) + self._write_config_changes() + + self.proposed_changes.clear() + del self.save_notes[:] + + if title and not temporary: + self.finalize_checkpoint(title) + def config_test(self): """Make sure the configuration is valid. @@ -436,6 +464,7 @@ class Installer(plugins_common.Installer): assert isinstance(name, str), "Invalid name value" assert isinstance(value, str), "Invalid key value" self.proposed_changes[name] = value + self.save_notes.append("\t* Set {0} to {1}".format(name, value)) def _write_config_changes(self): """Write proposed changes to the Postfix config. From 142bc3354568853c4b32e8998699bc37c0d966ce Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Tue, 29 Aug 2017 10:38:53 -0700 Subject: [PATCH 202/256] Remove dead code --- certbot-postfix/certbot_postfix/installer.py | 152 +------------------ 1 file changed, 1 insertion(+), 151 deletions(-) diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 71515c687..09e1cc18b 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -38,8 +38,7 @@ class Installer(plugins_common.Installer): def __init__(self, *args, **kwargs): super(Installer, self).__init__(*args, **kwargs) - self.fixup = False - self.config_dir = None + self.config_dir = None self.proposed_changes = {} self.save_notes = [] @@ -299,108 +298,6 @@ class Installer(plugins_common.Installer): util.check_call(cmd) - def ensure_cf_var(self, var, ideal, also_acceptable): - """ - Ensure that existing postfix config @var is in the list of @acceptable - values; if not, set it to the ideal value. - - :raises .errors.MisconfigurationError: if conflicting existing values - are found for var - - """ - acceptable = [ideal] + also_acceptable - - l = [(num,line) for num,line in enumerate(self.cf) - if line.startswith(var)] - if not any(l): - self.additions.append(var + " = " + ideal) - else: - values = map(parse_line, l) - if len(set(values)) > 1: - if self.fixup: - conflicting_lines = [num for num,_var,val in values] - self.deletions.extend(conflicting_lines) - self.additions.append(var + " = " + ideal) - else: - raise errors.MisconfigurationError( - "Conflicting existing config values {0}".format(l) - ) - val = values[0][2] - if val not in acceptable: - if self.fixup: - self.deletions.append(values[0][0]) - self.additions.append(var + " = " + ideal) - else: - raise errors.MisconfigurationError( - "Existing config has %s=%s"%(var,val) - ) - - def wrangle_existing_config(self): - """ - Try to ensure/mutate that the config file is in a sane state. - Fixup means we'll delete existing lines if necessary to get there. - """ - # Check we're currently accepting inbound STARTTLS sensibly - self.ensure_cf_var("smtpd_use_tls", "yes", []) - # Ideally we use it opportunistically in the outbound direction - self.ensure_cf_var("smtp_tls_security_level", "may", ["encrypt","dane"]) - # Maximum verbosity lets us collect failure information - self.ensure_cf_var("smtp_tls_loglevel", "1", []) - # Inject a reference to our per-domain policy map - # policy_cf_entry = "texthash:" + self.policy_file - - # self.ensure_cf_var("smtp_tls_policy_maps", policy_cf_entry, []) - # self.ensure_cf_var("smtp_tls_CAfile", self.ca_file, []) - - # Disable SSLv2 and SSLv3. Syntax for `smtp_tls_protocols` changed - # between Postfix version 2.5 and 2.6, since we only support => 2.11 - # we don't use nor support legacy Postfix syntax. - # - Server: - self.ensure_cf_var("smtpd_tls_protocols", "!SSLv2, !SSLv3", []) - self.ensure_cf_var("smtpd_tls_mandatory_protocols", "!SSLv2, !SSLv3", []) - # - Client: - self.ensure_cf_var("smtp_tls_protocols", "!SSLv2, !SSLv3", []) - self.ensure_cf_var("smtp_tls_mandatory_protocols", "!SSLv2, !SSLv3", []) - - def maybe_add_config_lines(self): - if not self.additions: - return - if self.fixup: - logger.info('Deleting lines: {}'.format(self.deletions)) - self.additions[:0]=["#", - "# New config lines added by STARTTLS Everywhere", - "#"] - new_cf_lines = "\n".join(self.additions) + "\n" - logger.info('Adding to {}:'.format(self.fn)) - logger.info(new_cf_lines) - if self.raw_cf[-1][-1] == "\n": sep = "" - else: sep = "\n" - - for num, line in enumerate(self.raw_cf): - if self.fixup and num in self.deletions: - self.new_cf += "# Line removed by STARTTLS Everywhere\n# " + line - else: - self.new_cf += line - self.new_cf += sep + new_cf_lines - - with open(self.fn, "w") as f: - f.write(self.new_cf) - - def save(self, title=None, temporary=False): - """Saves all changes to the configuration files. - Both title and temporary are needed because a save may be - intended to be permanent, but the save is not ready to be a full - checkpoint. If an exception is raised, it is assumed a new - checkpoint was not created. - :param str title: The title of the save. If a title is given, the - configuration will be saved as a new checkpoint and put in a - timestamped directory. `title` has no effect if temporary is true. - :param bool temporary: Indicates whether the changes made will - be quickly reversed in the future (challenges) - :raises .PluginError: when save is unsuccessful - """ - self.maybe_add_config_lines() - def get_config_var(self, name, default=False): """Return the value of the specified Postfix config parameter. @@ -490,50 +387,3 @@ class Installer(plugins_common.Installer): cmd.extend(("-c", self.conf("config-dir"),)) return cmd - - # def update_CAfile(self): - # os.system("cat /usr/share/ca-certificates/mozilla/*.crt > " + self.ca_file) - # - # def set_domainwise_tls_policies(self): - # all_acceptable_mxs = self.policy_config.acceptable_mxs - # for address_domain, properties in all_acceptable_mxs.items(): - # mx_list = properties.accept_mx_domains - # if len(mx_list) > 1: - # logger.warn('Lists of multiple accept-mx-domains not yet ' - # 'supported.') - # logger.warn('Using MX {} for {}'.format(mx_list[0], - # address_domain) - # ) - # logger.warn('Ignoring: {}'.format(', '.join(mx_list[1:]))) - # mx_domain = mx_list[0] - # mx_policy = self.policy_config.get_tls_policy(mx_domain) - # entry = address_domain + " encrypt" - # if mx_policy.min_tls_version.lower() == "tlsv1": - # entry += " protocols=!SSLv2:!SSLv3" - # elif mx_policy.min_tls_version.lower() == "tlsv1.1": - # entry += " protocols=!SSLv2:!SSLv3:!TLSv1" - # elif mx_policy.min_tls_version.lower() == "tlsv1.2": - # entry += " protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1" - # else: - # logger.warn('Unknown minimum TLS version: {} '.format( - # mx_policy.min_tls_version) - # ) - # self.policy_lines.append(entry) - - # with open(self.policy_file, "w") as f: - # f.write("\n".join(self.policy_lines) + "\n") - - -def parse_line(line_data): - """ - Return the (line number, left hand side, right hand side) of a stripped - postfix config line. - - Lines are like: - smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache - """ - num,line = line_data - left, sep, right = line.partition("=") - if not sep: - return None - return (num, left.strip(), right.strip()) From dde0bf08217c6fd31d83922977a233328124bcfd Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Tue, 29 Aug 2017 10:42:31 -0700 Subject: [PATCH 203/256] Remove non-plugin files --- .gitignore | 4 - README.md | 234 - Vagrantfile | 27 - examples/bigger_test_config.json | 36 - examples/config.json | 17 - examples/starttls-everywhere.json | 187 - letsencrypt-postfix/Config.py | 569 -- letsencrypt-postfix/PostfixLogSummary.py | 104 - letsencrypt-postfix/TestConfig.py | 132 - requirements.txt | 4 - share/golden-domains.txt | 32 - share/google-starttls-domains.csv | 6734 ----------------- tools/CheckSTARTTLS.py | 191 - tools/ProcessGoogleSTARTTLSDomains.py | 34 - vagrant-bootstrap.sh | 31 - vagrant-shared/certificates/ca.crt | 22 - vagrant-shared/certificates/ca.key | 27 - vagrant-shared/certificates/certificates | 1 - vagrant-shared/certificates/valid.crt | 21 - vagrant-shared/certificates/valid.csr | 18 - vagrant-shared/certificates/valid.key | 27 - .../postfix-config-sender-tls_policy | 1 - vagrant-shared/postfix-config-sender.cf | 39 - .../postfix-config-valid-example-recipient.cf | 46 - 24 files changed, 8538 deletions(-) delete mode 100644 .gitignore delete mode 100644 README.md delete mode 100644 Vagrantfile delete mode 100644 examples/bigger_test_config.json delete mode 100644 examples/config.json delete mode 100644 examples/starttls-everywhere.json delete mode 100644 letsencrypt-postfix/Config.py delete mode 100755 letsencrypt-postfix/PostfixLogSummary.py delete mode 100755 letsencrypt-postfix/TestConfig.py delete mode 100644 requirements.txt delete mode 100644 share/golden-domains.txt delete mode 100644 share/google-starttls-domains.csv delete mode 100755 tools/CheckSTARTTLS.py delete mode 100755 tools/ProcessGoogleSTARTTLSDomains.py delete mode 100755 vagrant-bootstrap.sh delete mode 100644 vagrant-shared/certificates/ca.crt delete mode 100644 vagrant-shared/certificates/ca.key delete mode 120000 vagrant-shared/certificates/certificates delete mode 100644 vagrant-shared/certificates/valid.crt delete mode 100644 vagrant-shared/certificates/valid.csr delete mode 100644 vagrant-shared/certificates/valid.key delete mode 100644 vagrant-shared/postfix-config-sender-tls_policy delete mode 100644 vagrant-shared/postfix-config-sender.cf delete mode 100644 vagrant-shared/postfix-config-valid-example-recipient.cf diff --git a/.gitignore b/.gitignore deleted file mode 100644 index e36c9c50b..000000000 --- a/.gitignore +++ /dev/null @@ -1,4 +0,0 @@ -.* -*.orig -*.pyc -*.egg-info/ diff --git a/README.md b/README.md deleted file mode 100644 index 7413228f6..000000000 --- a/README.md +++ /dev/null @@ -1,234 +0,0 @@ -# STARTTLS Everywhere - - -## Example usage - -**WARNING: this is a pre-alpha codebase. Do not run it on production -mailservers!!!** - - -If you have a Postfix server you're willing to endanger deliverability on, you -can try obtain a certificate with the [Let's Encrypt Python Client](https://github.com/letsencrypt/letsencrypt), note the directory it lives in below `/etc/letsencrypt/live` and then do: - -``` -git clone https://github.com/EFForg/starttls-everywhere -cd starttls-everywhere -# Promise you don't care if deliverability breaks on this mail server -letsencrypt-postfix/PostfixConfigGenerator.py examples/starttls-everywhere.json /etc/postfix /etc/letsencrypt/live/YOUR.DOMAIN.EXAMPLE.COM -``` - -This will: -* Ensure your mail server initiates STARTTLS encryption -* Install the Let's Encrypt cert in Postfix -* Enforce mandatory TLS to some major email domains -* Enforce minimum TLS versions to some major email domains - -## Project status - -STARTTLS Everywhere development is re-starting after a hiatus. Initial -objectives: - -* Postfix configuration generation: working pre-alpha, not yet safe -* Email security database: working pre-alpha, definitely not yet safe -* Fully integrated Let's Encrypt client postfix plugin: in progress, not yet ready -* DANE support: none yet -* DEEP support: none yet -* SMTP-STS integration: none yet -* Direct mechanisms for mail domains to request inclusion: none yet -* Failure reporting mechanisms: early progress, not yet ready -* Mechanisms for secure multi-organization signature on the policy database: - none yet -* Support for mail servers other than Postfix: none yet - -## Authors - -Jacob Hoffman-Andrews , -Peter Eckersley , -Daniel Wilcox , -Aaron Zauner - -## Mailing List - -starttls-everywhere@eff.org, https://lists.eff.org/mailman/listinfo/starttls-everywhere - -## Background - -Most email transferred between SMTP servers (aka MTAs) is transmitted in the clear and trivially interceptable. Encryption of SMTP traffic is possible using the STARTTLS mechanism, which encrypts traffic but is vulnerable to trivial downgrade attacks. - -To illustrate an easy version of this attack, suppose a network-based attacker `Mallory` notices that `Alice` has just uploaded message to her mail server. `Mallory` can inject a TCP reset (RST) packet during the mail server's next TLS negotiation with another mail server. Nearly all mail servers that implement STARTTLS do so in opportunistic mode, which means that they will retry without encryption if there is any problem with a TLS connection. So `Alice`'s message will be transmitted in the clear. - -Opportunistic TLS in SMTP also extends to certificate validation. Mail servers commonly provide self-signed certificates or certificates with non-validatable hostnames, and senders commonly accept these. This means that if we say 'require TLS for this mail domain,' the domain may still be vulnerable to a man-in-the-middle using any key and certificate chosen by the attacker. - -Even if senders require a valid certificate that matches the hostname of a mail host, a DNS MITM or Denial of Service is still possible. The sender, to find the correct target hostname, queries DNS for MX records on the recipient domain. Absent DNSSEC, the response can be spoofed to provide the attacker's hostname, for which the attacker holds a valid certificate. - -STARTTLS by itself thwarts purely passive eavesdroppers. However, as currently deployed, it allows either bulk or semi-targeted attacks that are very unlikely to be detected. We would like to deploy both detection and prevention for such semi-targeted attacks. - -## Goals - -* Prevent RST attacks from revealing email contents in transit between major MTAs that support STARTTLS. -* Prevent MITM attacks at the DNS, SMTP, TLS, or other layers from revealing same. -* Zero or minimal decrease to deliverability rates unless network attacks are actually occurring. -* Create feedback-loops on targeted attacks and bulk surveilance in an opt-in, anonymized way. - -## Non-goals - -* Prevent fully-targeted exploits of vulnerabilities on endpoints or on mail hosts. -* Refuse delivery on the recipient side if sender does not negotiate TLS (this may be a future project). -* Develop a fully-decentralized solution. -* Initially we are not engineering to scale to all mail domains on the Internet, though we believe this design can be scaled as required if large numbers of domains publish policies to it. - -## Motivating examples - -* [Unnammed mobile broadband provider overwrites STARTTLS flag and commands to - prevent negotiating an encrypted connection](https://www.techdirt.com/articles/20141012/06344928801/revealed-isps-already-violating-net-neutrality-to-block-encryption-make-everyone-less-safe-online.shtml) -* [Unknown party removes STARTTLS flag from all SMTP connections leaving - Thailand](http://www.telecomasia.net/content/google-yahoo-smtp-email-severs-hit-thailand) - -## Threat model - -Attacker has control of routers on the path between two MTAs of interest. Attacker cannot or will not issue valid certificates for arbitrary names. Attacker cannot or will not attack endpoints. We are trying to protect confidentiality and integrity of email transmitted over SMTP between MTAs. - -## Alternatives - -Our goals can also be accomplished through use of [DNSSEC and DANE](http://tools.ietf.org/html/draft-ietf-dane-smtp-with-dane-10), which is certainly a more scalable solution. However, operators have been very slow to roll out DNSSEC supprt. We feel there is value in deploying an intermediate solution that does not rely on DNSSEC. This will improve the email security situation more quickly. It will also provide operational experience with authenticated SMTP over TLS that will make eventual rollout of DANE-based solutions easier. - -## Detailed design - -Senders need to know which target hosts are known to support STARTTLS, and how to authenticate them. Since the network cannot be trusted to provide this information, it must be communicated securely out-of-band. We will provide: - - (a) a configuration file format to convey STARTTLS support for recipient domains, - - (b) Python code (config-generator) to transform (a) into configuration files for popular MTAs., and - - (c) a method to create and securely distribute files of type (a) for major email domains that that agree to be included, plus any other domains that proactively request to be included. - -## File Format - -The basic file format will be JSON with comments (http://blog.getify.com/json-comments/). Example: - - { - // Canonical URL https://eff.org/starttls-everywhere/config -- redirects to latest version - "timestamp": "2014-06-06T14:30:16+00:00", - // "timestamp": 1401414363, : also acceptable - "author": "Electronic Frontier Foundation https://eff.org", - "expires": "2014-06-06T14:30:16+00:00", - "tls-policies": { - // These match on the MX domain. - "*.yahoodns.net": { - "require-valid-certificate": true, - } - "*.eff.org": { - "require-tls": true, - "min-tls-version": "TLSv1.1", - "enforce-mode": "enforce" - "accept-spki-hashes": [ - "sha1/5R0zeLx7EWRxqw6HRlgCRxNLHDo=", - "sha1/YlrkMlC6C4SJRZSVyRvnvoJ+8eM=" - ] - } - "*.google.com": { - "require-valid-certificate": true, - "min-tls-version": "TLSv1.1", - "enforce-mode": "log-only", - "error-notification": "https://google.com/post/reports/here" - }, - } - // Since the MX lookup is not secure, we list valid responses for each - // address domain, to protect against DNS spoofing. - "acceptable-mxs": { - "yahoo.com": { - "accept-mx-domains": ["*.yahoodns.net"] - } - "gmail.com": { - "accept-mx-domains": ["*.google.com"] - } - "eff.org": { - "accept-mx-domains": ["*.eff.org"] - } - } - } - - -A user of this file format may choose to accept multiple files. For instance, the EFF might provide an overall configuration covering major mail providers, and another organization might produce an overlay for mail providers in a specific country. If so, they override each other on a per-domain basis. - -The _timestamp_ field is an integer number of epoch seconds from 00:00:00 UTC on 1 January 1970. When retrieving a fresh configuration file, config-generator should validate that the timestamp is greater than or equal to the version number of the file it already has. - -There is no inline signature field. The configuration file should be distributed with authentication using an offline signing key. - -Option 1: Plain JSON distributed with a signature using gpg --clearsign. Config-generator should validate the signature against a known GPG public key before extracting. The public key is part of the permanent system configuration, like the fetch URL. - -Option 2: Git is a revision control system built on top of an authenticated, history-preserving file system. Let's use it as an authenticated, history preserving file system: valid versions of recipient policy files may be fetched and verified via signed git tags. [Here's an example shell recipe to do this.](https://gist.github.com/jsha/6230206e89759cc6e00d) - -Config-generator should attempt to fetch the configuration file daily and transform it into MTA configs. If there is a retrieval failure, and the cached configuration file has an 'expires' time past the current date, an alert should be raised to the system operator and all existing configs from config-generator should be removed, reverting the MTA configuration to use opportunistic TLS for all domains. - -**address-domains** - -The _address-domains_ field maps from mail domains (the part of an address after the "@") onto a list of properties for that domain. Matching of mail domains is on an exact-match basis, not a subdomain basis. For instance, eff.org would be listed separately from lists.eff.org in the _address-domains_ section. - -Currently the only property defined for _address-domains_ is _accept-mx-domains_, a list. If an MX lookup for a listed address domain returns a hostname that is not a subdomain of one of the domains listed in the _accept-mx-domains_ property, the MTA should fail delivery or log an advisory failure, as appropriate. Matching of MX hostnames against the _accept-mx-domains_ list is on a subdomain basis. For instance, if an MX record for yahoo.com lists mta7.am0.yahoodns.net, and the _accept-mx-domains_ property for yahoo.com is ["yahoodns.net"], that should be considered a match. All domains listed in any _accept-mx-domains_ list must correspond to an exactly matching field in the _mx-domains_ config section. - -The _accept-mx-domains_ mechanism partially solves the problem of DNS MITM. It doesn't completely solve the problem, since an attacker might somehow control a different hostname under an acceptable domain, e.g. evil.yahoodns.net. But it strikes a balance between improving security and allowing mail operators to change configuration as needed. Some mail operators delegate their MX handling to a third-party provider (i.e. Google Apps for Your Domain). If those operators are included in STARTTLS Everywhere and wish to change providers, they will have to first send an update to their _accept-mx-domains_ to include their new provider. - -**mx-domains** - -The keys of this section are MX domains as described above for the _accept-mx-domains_ property. Each _mx-domain_ entry must be an exact match with an entry in one of the _accept-mx-domains_ lists provided. No _mx-domain_can be a subdomain of any other _mx-domain_in the configuration file. Fields in this section specify minimum security requirements that should be applied when connecting to any MX hostname that is a subdomain of the specified _mx-domain_. - -Implicitly each _mx-domain_ listed has a property _require-tls: true_. MX domains that do not support TLS will not be listed. The only required property is _enforce-mode_, which must be either _log-only_ or _enforce_. If _enforce-mode_ is _log-only_, the generated configs will not stop mail delivery on policy failures, but will produce logging information. - -If the _min-tls-version_ property is present, sending mail to domains under this policy should fail if the sending MTA cannot negotiate a TLS version equal to or greater than the listed version. Valid values are _TLSv1, TLSv1.1, and TLSv1.2._ - -_Require-valid-certificate_defaults to false. If the _require-valid-certificate_ property is 'true' for a given _mx-domain_ the certificate presented must be valid for a hostname that is subdomain of the _mx-domain_. Validity means all of these must be true: - -1. The CN or a DNS entry under subjectAltName matches an appropriate hostname. -2. The certificate is unexpired. -3. There is a valid chain from the certificate to a root certificate included in [Mozilla's trust store](https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included/) (available as [Debian package ca-certificates](https://packages.debian.org/sid/ca-certificates)). - -The _accept-pinset_ field references an entry in the pinsets list, which has the same format and semantics as [Chrome's pinning list](https://src.chromium.org/chrome/trunk/src/net/http/transport_security_state_static.json). Most _mx-domain_s should specify a pinset that describes trust roots rather than leaf certificates, but both are possible. Pinning will only be added at the request of mail operators because it requires operators be careful when issuing new leaf certificates. - -## Pinning and hostname verification - -Like Chrome and Firefox we want to encourage pinning to a trusted root or intermediate rather than a leaf cert, to minimize spurious pinning failures when hosts rotate keys. - -The other option is to automatically pin leaf certs as observed in the wild. This would be one solution to the hostname verification and self-signed certificate problem. However, it is a non-starter. Even if we expect mail operators to auto-update configuration on a daily basis, this approach cannot add new certs until they are observed in the wild. That means that any time an operator rotates keys on a mail server, there would be a significant window of time in which the new keys would be rejected. - -We do not attempt to solve the self-signed certificate problem. For mail hosts with self-signed certificates, we can require TLS but will not require validation of the certificates. Such hosts should be encouraged to upgrade to a CA-signed certificate that can be validated by senders. - -## Creating configuration - -We have three options for creating the configuration file: - -1. Ask mail operators to submit policies for their domains which we incorporate. -2. Manually curate a set of policies for the top `N` mail domains. -3. Programmatically create a set of policies by connecting to the top N mail domains. - -For option (1), there's a bootstrapping problem: No one will opt in until it's useful; It won't be useful until people opt in. Option (1) does have the advantage that it's the only good way to get pinning directives. - -For option (3) we'd be likely to pull in bad policies that could result in failed delivery. - -We'll initially launch a demo using option (2), do some initial deployments to prove viability and delivery rate impact, and then start reaching out to operators to do option (1). - -## Distribution - -The configuration file will be provided at a long-term maintained URL. It will be signed using a key held offline on an airgapped machine or smartcard. - -Since recipient mail servers may abruptly stop supporting TLS, we will request that mail operators set up auto-updating of the configuration file, with signature verification. This allows us to minimize the delivery impact of such events. However, config-generator should not auto-update its own code, since that would amount to auto-deployment of third party code, which some operators may not wish to do. - -We may choose to implement a form of immutable log along the lines of certificate transparency. This would be appealing if we chose to use this mechanism to distribute expected leaf keys as a primary authentication mechanism, but as described in "Pinning and hostname verification," that's not a viable option. Instead we will rely on the CA ecosystem to do primary authentication, so an immutable log for this system is probably overkill, engineering-wise. - -## Python code - -Config-generator should parse input JSON and produce output configs for various mail servers. It should not be possible for any input JSON to cause arbitrary code execution or even any MTA config directives beyond the ones that specifically impact the decision to deliver or bounce based on TLS support. For instance, it must not be possible for config-generator to output a directive to forward mail from one domain to another. Config-generator will have the option to directly pull the latest config from a URL, or from a file on local disk distributed regularly from another system that has outside network access. - -Config-generator will be manually updated by mail operators. - -## Testing - -We will create a reproducible test configuration that can be run locally and exercises each of the major cases: Enforce mode vs log mode; Enforced TLS negotiation, enforced MX hostname match, and enforced valid certificates. - -Additionally, for ongoing monitoring of third-party deployments, we will create a canary mail domain that intentionally fails one of the tests but is included in the configuration file. For instance, starttls-canary.org would be listed in the configuration as requiring STARTTLS, but would not actually offer STARTTLS. Each time a mail operator commits to configuring STARTTLS Everywhere, we would request an account on their email domain from which to send automated daily email to starttls-canary.org. We should expect bounces. If such mail is successfully delivered to starttls-canary.org, that would indicate a configuration failure on the sending host, and we would manually notify the operator. - -## Failure reporting - -For the mail operator deploying STARTTLS Everywhere, we will provide log analysis scripts that can be used out-of-the-box to monitor how many delivery failures or would-be failures are due to STARTTLS Everywhere policies. These would be designed to run in a cron job or small opt-in daemon and send notices only when STARTTLS Everywhere-related failures exceed a certain percentage for any given recipient domains. For very high-volume mail operators, it would likely be necessary to adapt the analysis scripts to their own logging and analysis infrastructure. - -For recipient domains who are listed in the STARTTLS Everywhere configuration, we would provide a configuration field to specify an email address or HTTPS URL to which that sender domains could send failure information. This would provide a mechanism for recipient domains to identify problems with their TLS deployment and fix them. The reported information should not contain any personal information, including email addresses. Example fields for failure reports: timestamps at minute granularity, target MX hostname, resolved MX IP address, failure type, certificate. Since failures are likely to come in batches, the error sending mechanism should batch them up and summarize as necessary to avoid flooding the recipient. diff --git a/Vagrantfile b/Vagrantfile deleted file mode 100644 index b7153a7b8..000000000 --- a/Vagrantfile +++ /dev/null @@ -1,27 +0,0 @@ -# -*- mode: ruby -*- -# vi: set ft=ruby : - -# Vagrantfile API/syntax version. Don't touch unless you know what you're doing! -VAGRANTFILE_API_VERSION = "2" - -Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| - config.vm.box = "hashicorp/precise32" - - config.vm.define "sender" do |sender| - sender.vm.network "private_network", ip: "192.168.33.5" - sender.vm.hostname = "sender.example.com" - end - config.vm.define "valid" do |valid| - valid.vm.network "private_network", ip: "192.168.33.7" - valid.vm.hostname = "valid-example-recipient.com" - end - config.vm.synced_folder "vagrant-shared", "/vagrant" - config.vm.synced_folder "vagrant-shared/starttls-everywhere", "/vagrant/starttls-everywhere" - config.vm.provision :shell, path: "vagrant-bootstrap.sh" - - config.vm.provider "virtualbox" do |vb| - # vb.gui = true - vb.customize ["modifyvm", :id, "--memory", "256"] - end - -end diff --git a/examples/bigger_test_config.json b/examples/bigger_test_config.json deleted file mode 100644 index c3c23c455..000000000 --- a/examples/bigger_test_config.json +++ /dev/null @@ -1,36 +0,0 @@ -{ - "timestamp": 1401414363, - "author": "Electronic Frontier Foundation https://eff.org", - "expires": "2015-08-01T12:00:00+08:00", - "tls-policies": { - ".yahoodns.net": { - "require-valid-certificate": true - }, - ".eff.org": { - "require-tls": true, - "min-tls-version": "TLSv1.1", - "enforce-mode": "enforce", - "accept-spki-hashes": [ - "sha1/5R0zeLx7EWRxqw6HRlgCRxNLHDo=", - "sha1/YlrkMlC6C4SJRZSVyRvnvoJ+8eM=" - ] - }, - ".google.com": { - "require-valid-certificate": true, - "min-tls-version": "TLSv1.1", - "enforce-mode": "log-only", - "error-notification": "https://google.com/post/reports/here" - } - }, - "acceptable-mxs": { - "yahoo.com": { - "accept-mx-domains": [".yahoodns.net"] - }, - "gmail.com": { - "accept-mx-domains": [".google.com"] - }, - "eff.org": { - "accept-mx-domains": [".eff.org"] - } - } -} diff --git a/examples/config.json b/examples/config.json deleted file mode 100644 index 05fc237bf..000000000 --- a/examples/config.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "comment": "Canonical URL https://eff.org/starttls-everywhere/config -- redirects to latest version", - "timestamp": 1401093333, - "author": "Electronic Frontier Foundation https://eff.org", - "expires": 1404677353, "comment 2:": "epoch seconds", - "tls-policies": { - ".valid-example-recipient.com": { - "min-tls-version": "TLSv1.1" - } - }, - "acceptable-mxs": { - "valid-example-recipient.com": { - "accept-mx-domains": [ ".valid-example-recipient.com" ] - } - } - -} diff --git a/examples/starttls-everywhere.json b/examples/starttls-everywhere.json deleted file mode 100644 index db76745ef..000000000 --- a/examples/starttls-everywhere.json +++ /dev/null @@ -1,187 +0,0 @@ -{ - "acceptable-mxs": { - "163.com": { - "accept-mx-domains": [ - ".163.com" - ] - }, - "aol.com": { - "accept-mx-domains": [ - ".aol.com" - ] - }, - "craigslist.org": { - "accept-mx-domains": [ - ".craigslist.org" - ] - }, - "gmail.com": { - "accept-mx-domains": [ - ".google.com" - ] - }, - "hotmail.com": { - "accept-mx-domains": [ - ".outlook.com" - ] - }, - "icloud.com": { - "accept-mx-domains": [ - ".icloud.com" - ] - }, - "live.com": { - "accept-mx-domains": [ - ".outlook.com" - ] - }, - "mac.com": { - "accept-mx-domains": [ - ".icloud.com" - ] - }, - "me.com": { - "accept-mx-domains": [ - ".icloud.com" - ] - }, - "msn.com": { - "accept-mx-domains": [ - ".outlook.com" - ] - }, - "naver.com": { - "accept-mx-domains": [ - ".naver.com" - ] - }, - "outlook.com": { - "accept-mx-domains": [ - ".outlook.com" - ] - }, - "qq.com": { - "accept-mx-domains": [ - ".qq.com" - ] - }, - "rocketmail.com": { - "accept-mx-domains": [ - ".yahoo.com" - ] - }, - "rogers.com": { - "accept-mx-domains": [ - ".yahoo.com" - ] - }, - "salesforce.com": { - "accept-mx-domains": [ - ".psmtp.com" - ] - }, - "sbcglobal.net": { - "accept-mx-domains": [ - ".yahoo.com" - ] - }, - "shaw.ca": { - "accept-mx-domains": [ - ".shaw.ca" - ] - }, - "sympatico.ca": { - "accept-mx-domains": [ - ".outlook.com" - ] - }, - "t-online.de": { - "accept-mx-domains": [ - ".t-online.de" - ] - }, - "wp.pl": { - "accept-mx-domains": [ - ".wp.pl" - ] - }, - "yahoo.com": { - "accept-mx-domains": [ - ".yahoo.com" - ] - }, - "yahoogroups.com": { - "accept-mx-domains": [ - ".yahoo.com" - ] - }, - "yandex.ru": { - "accept-mx-domains": [ - ".yandex.ru" - ] - }, - "ymail.com": { - "accept-mx-domains": [ - ".yahoo.com" - ] - } - }, - "tls-policies": { - ".163.com": { - "min-tls-version": "TLSv1.1", - "require-tls": true - }, - ".aol.com": { - "min-tls-version": "TLSv1", - "require-tls": true - }, - ".craigslist.org": { - "min-tls-version": "TLSv1.1", - "require-tls": true - }, - ".google.com": { - "min-tls-version": "TLSv1.1", - "require-tls": true - }, - ".icloud.com": { - "min-tls-version": "TLSv1", - "require-tls": true - }, - ".naver.com": { - "min-tls-version": "TLSv1.1", - "require-tls": true - }, - ".outlook.com": { - "min-tls-version": "TLSv1.1", - "require-tls": true - }, - ".psmtp.com": { - "min-tls-version": "TLSv1", - "require-tls": true - }, - ".qq.com": { - "min-tls-version": "TLSv1", - "require-tls": true - }, - ".shaw.ca": { - "min-tls-version": "TLSv1", - "require-tls": true - }, - ".t-online.de": { - "min-tls-version": "TLSv1.1", - "require-tls": true - }, - ".wp.pl": { - "min-tls-version": "TLSv1.1", - "require-tls": true - }, - ".yahoo.com": { - "min-tls-version": "TLSv1.1", - "require-tls": true - }, - ".yandex.ru": { - "min-tls-version": "TLSv1.1", - "require-tls": true - } - } -} diff --git a/letsencrypt-postfix/Config.py b/letsencrypt-postfix/Config.py deleted file mode 100644 index cc0df00d1..000000000 --- a/letsencrypt-postfix/Config.py +++ /dev/null @@ -1,569 +0,0 @@ -#!/usr/bin/env python -from datetime import datetime -from dateutil import parser as dateutil_parser -import collections -import json -import logging -import pprint - - -"""Idea here being to start with something that is decomposed so it's easier to -make do json in *and* out, differences between configs and config extension. -""" - -#TODO scope logging and handlers better, control verbosity by command line flags -logger = logging.getLogger(__name__) -logger.addHandler(logging.StreamHandler()) - - -def parse_bool_from_json(value, attr_name): - if value in ('true', '1', 1, 'yes'): - bool_value = True - elif value in ('false', '0', 0, 'no'): - bool_value = False - elif value in (True, False): - bool_value = value - else: - raise ConfigError('Config value %s is an invalid boolean value.' % attr_name) - return bool_value - - -def parse_timestamp(value, attr_name): - if isinstance(value, datetime): - return value - try: - ts = int(value) - return datetime.fromtimestamp(ts) - except (TypeError, ValueError): - pass - try: - return dateutil_parser.parse(value) - except (TypeError, ValueError): - raise ConfigError('Config value %s is an invalid date or timestamp.' % attr_name) - - -def verify_member_of(value, member_list, attr_name): - if value not in member_list: - raise ConfigError('Config value "%s" must be one of (%s)' % ( - attr_name, ', '.join(member_list)) - ) - return value - - -def verify_string(value, attr_name, max_length=200): - if not isinstance(value, (str, unicode)): - raise ConfigError('Config value %s must be a string.' % attr_name) - if len(value) > max_length: - raise ConfigError('Config value %s is too long.' % attr_name) - return value - - -def to_dict(config_dict): - """Cleans up BaseConfig children to be serialized.""" - d = {} - for key, val in config_dict.iteritems(): - if isinstance(val, BaseConfig): - d[key] = to_dict(val._data) - elif isinstance(val, datetime): - d[key] = val.strftime('%Y-%m-%dT%H:%M:%S%z') - elif isinstance(val, dict): - d[key] = to_dict(val) - else: - d[key] = val - return d - - -class BaseConfig(object): - """Top level config class for common methods. - - Requirements for using class: - - list all properties with getters *and* setters in class - variable 'config_properties' - - __init__ of child classes must be callable with *only* - keyword arguments to allow method calls to update to create - a new config - ... more ... - """ - - config_properties = [] - - def __init__(self): - # container for validated properties with JSON names - self._data = {} - - def __repr__(self): - s = '< %s %s >' % (self.__class__.__name__, - pprint.pformat(self._data)) - return s - - def update(self, newer_config, merge=False, **kwargs): - """Create a fresh config combining the new and old configs. - - It does this by iterating over the 'config_properties' class - attribute which contains names of property attributes for the config. - - Two methods of combining configs are possible, an 'update' and - a 'merge', the latter set by the keyword argument 'merge=True'. - - An update overrides older values with new values -- even if those - new values are None. Update will remove values that are present in - the old config if they are not present in the new config. - - A merge by comparison will allow old values to persist if they are - not specified in the new config. This can be used for end-user - customizations to override specific settings without having to re-create - large portions of a config to override it. - - Arguments: - newer_config: A config object to combine with the current config. - merge: Allows old values not overridden to survive into the fresh config. - - Returns: - A config object of the same sort as called upon. - """ - # removed 'merge' kw arg - and it was passed to constructor - # make a note to not do that, consume it on the param list - fresh_config = self.__class__(**kwargs) - logger.debug('from parent update kwargs %s' % kwargs) - logger.debug('from parent update merge %s' % merge) - if not isinstance(newer_config, self.__class__): - raise ConfigError('Attempting to update a %s with a %s' % ( - self.__class__, - newer_config.__class__)) - for prop_name in self.config_properties: - # get the specified property off of the current class - prop = self.__class__.__dict__.get(prop_name) - assert prop - new_value = prop.fget(newer_config) - old_value = prop.fget(self) - if new_value is not None: - prop.fset(fresh_config, new_value) - elif merge and old_value is not None: - prop.fset(fresh_config, old_value) - return fresh_config - - def merge(self, newer_config, **kwargs): - """Combines configs and keeps old values if they are not overridden. - - See docstring for 'update' method for more details. - - Arguments: - newer_config: A config object to combine with the current config. - merge: Allows old values not overridden to survive into the fresh config. - - Returns: - A config object of the same sort as called upon. - """ - kwargs['merge'] = True - logger.debug('from parent merge: %s' % kwargs) - return self.update(newer_config, **kwargs) - - def to_json(self): - d = to_dict(self._data) - return json.dumps(d) - - def write_to_json_file(self, json_filename, f_open=open): - data = self.to_json() - try: - with f_open(json_filename, 'w') as f: - f.write(data) - except IOError: - raise - - def load_from_json_file(self, json_filename, f_open=open): - try: - with f_open(json_filename, 'r') as f: - json_str = f.read() - json_dict = json.loads(json_str) - except IOError: - raise - except ValueError: - raise ConfigError('No valid JSON found in file: %s' % json_filename) - self.from_json_dict(json_dict) - - def from_json_dict(self, json_dict): - raise NotImplmented('BaseConfig should not be populated.') - - -class Config(BaseConfig): - """Config container for StartTLS Everywhere configuration. - - Intended as a simple container that unifies where validatation occurs, - and is capable of comparing configs to warn of things like changing - certificate fingerprints from one scan to the next. - - There is a one to one mapping of the object attributes to the JSON - object keys, albeit with dashes replaced with underscores. - """ - - def __init__(self): - super(self.__class__, self).__init__() - self._data['tls-policies'] = {} - self._data['acceptable-mxs'] = {} - - def __add__(self, other_config): - """Allow addition but not really of *full* configs, need to flesh that out.""" - #TODO add this - raise NotImplemented - - def update(self, other_config): - """Update properties of config from a 'newer' config and force verification.""" - #TODO add this - new_config = Config() - raise NotImplemented - - def from_json_dict(self, json_dict): - """Assign JSON data to Config properties and declare sub-objects. - - Let's property verification methods do the heavy lifting and mostly - maps between the JSON config names and attributes. Keeps track of - unused variables and warns about them. - """ - for key, val in json_dict.iteritems(): - if key == 'author': - self.author = val - elif key == 'comment': - self.comment = val - elif key == 'expires': - self.expires = val - elif key == 'timestamp': - self.timestamp = val - elif key == 'tls-policies': - self.make_tls_policy_dict(val) - elif key == 'acceptable-mxs': - self.make_acceptable_mxs_dict(val) - else: - logger.warn('Unknown attribute "%s", skipping' % key) - - @property - def author(self): - return self._data.get('author') - - @author.setter - def author(self, value): - self._data['author'] = verify_string(value, 'author') - - @property - def comment(self): - return self._data.get('comment') - - @comment.setter - def comment(self, value): - self._data['comment'] = verify_string(value, 'comment') - - @property - def expires(self): - return self._data.get('expires') - - @expires.setter - def expires(self, value): - self._data['expires'] = parse_timestamp(value, 'expires') - - @property - def timestamp(self): - return self._data.get('timestamp') - - @timestamp.setter - def timestamp(self, value): - self._data['timestamp'] = parse_timestamp(value, 'timestamp') - - @property - def tls_policies(self): - return self._data.get('tls-policies') - - @property - def acceptable_mxs(self): - return self._data.get('acceptable-mxs') - - def make_tls_policy_dict(self, policy_dict): - tls_policy_dict = self.tls_policies - for domain_suffix, settings in policy_dict.iteritems(): - new_domain_policy = TLSPolicy(domain_suffix) - try: - new_domain_policy.from_json_dict(settings) - except ConfigError as e: - raise - tls_policy_dict[domain_suffix] = new_domain_policy - - def get_tls_policy(self, mx_domain): - return self.tls_policies.get(mx_domain) - - def make_acceptable_mxs_dict(self, mxs_dict): - acceptable_mxs_dict = self._data['acceptable-mxs'] - for domain, settings in mxs_dict.iteritems(): - new_domain_policy = AcceptableMX(domain) - try: - new_domain_policy.from_json_dict(settings) - except ConfigError as e: - raise - acceptable_mxs_dict[domain] = new_domain_policy - - def get_address_domains(self, mx_hostname, mx_to_domain_map): - """Do a fuzzy DNS host match on provided map to get lists of policies. - - Args: - mx_hostname (string): The hostname from an MX record. - mx_to_domain_map: Mapping from MX hosts to AcceptableMX - policies, the same AcceptableMX policy may occur more - than once. e.g. {'mx_host3': set(AcceptableMX, ...)} - The map can be generated by Config.get_mx_to_domain_policy_map. - - Returns: - The set containing all AcceptableMX policies that list the - provided MX host as viable. - """ - labels = mx_hostname.split(".") - for n in range(1, len(labels)): - parent = "." + ".".join(labels[n:]) - if parent in mx_to_domain_map: - return mx_to_domain_map[parent] - return None - - def get_mx_to_domain_policy_map(self): - """Create mapping of MX hostnames to sets of AcceptableMX policies. - - Generate a dictionary that is typically used in log analysis - (e.g. if your MTA logs interact with beta.innotech.com you use - this mapping to tell you it used the innotech.com AcceptableMX - policy or policies). There are of course complications. - """ - # create reverse mapping dictionary as well for auditing - # and reviewing logs - mx_to_domain_policy = collections.defaultdict(set) - - for mx_host, domain_policy in self.get_all_mx_items(): - existing_mx_policies = mx_to_domain_policy.get(mx_host) - if existing_mx_policies: - existing_domains = [ e.domain for e in existing_mx_policies ] - if domain_policy.domain not in existing_domains: - #TODO plenty of room to enforce a security policy here - # this is also the case of google apps personal domains - msg = ('Attempting to add domain policy (%s) for MX host but MX' - ' host already has a domain policy (%s), appending...') - logger.debug(msg % (domain_policy.domain, - ', '.join(existing_domains))) - mx_to_domain_policy[mx_host].add(domain_policy) - return mx_to_domain_policy - - def get_all_mx_items(self): - """Iterate over (mx_host, mx_policy) - be sure to dedup!""" - all_mx_items = [] - for policy in self.acceptable_mxs.values(): - accepted_mxs = policy.accept_mx_domains - all_mx_items.extend([(mx_host, policy) - for mx_host in accepted_mxs]) - return all_mx_items - - def get_all_mx_hosts(self): - all_mx_hosts = [] - [ all_mx_hosts.extend(domain_policy.acceptable_mxs) - for domain_policy in self.acceptable_mxs.values() ] - return all_mx_hosts - - def is_valid(self): - #TODO implement checks to make sure domains don't overlap - #TODO add debug logging for troubleshooting sake - for mx_config in self.acceptable_mxs.values(): - if not mx_config.is_valid(): - return False - for domain_suffix in mx_config.accept_mx_domains: - # check to make sure every accepted MX has a TLS policy - if not domain_suffix in self.tls_policies: - return False - all_mx_hosts = self.get_all_mx_hosts() - for domain_suffix, tls_config in self.tls_policies.iteritems(): - if not tls_config.is_valid(): - return False - # make sure no unclaimed TLS policies have made their way in - if domain_suffix not in all_mx_hosts: - return False - return True - - -class TLSPolicy(BaseConfig): - - ENFORCE_MODES = ('enforce', 'log-only') - TLS_VERSIONS = ('TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3') - - config_properties = ['comment', 'enforce_mode', 'min_tls_version', - 'require_tls', 'require_valid_certificate'] - - def __init__(self, domain_suffix=None): - super(self.__class__, self).__init__() - self.domain_suffix = domain_suffix - #TODO add support for two designed but yet unsupported attrs - # self._data['accept-spki-hashs'] = None - # self._data['error-notification'] = None - - def from_json_dict(self, json_dict): - for key, val in json_dict.iteritems(): - if key == 'comment': - self.comment = val - elif key == 'enforce-mode': - self.enforce_mode = val - elif key == 'min-tls-version': - self.min_tls_version = val - elif key == 'require-tls': - self.require_tls = val - elif key == 'require-valid-certificate': - self.require_valid_certificate = val - else: - logger.warn('Unknown key %s' % key) - - def is_valid(self): - """Do simple check that config contains all required values. - - Should find a way to expose easily which config values - are required, at least place in error messages such that - incomplete configs will expose it. - """ - required_attrs = ('enforce-mode', 'min-tls-version', - 'require-tls') - values_set = [self._data.get(attr) for attr in required_attrs] - if not all(values_set): - return False - else: - return True - - def update(self, newer_policy, **kwargs): - if not kwargs.get('domain_suffix'): - kwargs['domain_suffix'] = self.domain_suffix - fresh_policy = super(self.__class__, self).update(newer_policy, - **kwargs) - logger.debug('from TLS child update %s' % kwargs) - return fresh_policy - - def merge(self, newer_policy, **kwargs): - logger.debug('from TLS child merge: %s' % kwargs) - fresh_policy = super(self.__class__, self).merge(newer_policy, - domain_suffix=self.domain_suffix) - return fresh_policy - - @property - def comment(self): - return self._data.get('comment') - - @comment.setter - def comment(self, value): - self._data['comment'] = verify_string(value, 'comment') - - @property - def enforce_mode(self): - return self._data.get('enforce-mode') - - @enforce_mode.setter - def enforce_mode(self, value): - self._data['enforce-mode'] = verify_member_of(value, self.ENFORCE_MODES, 'enforce-mode') - - @property - def min_tls_version(self): - return self._data.get('min-tls-version') - - @min_tls_version.setter - def min_tls_version(self, value): - """TODO: Should this be dealing only with strings processed by map ... lower()?""" - tls_versions = [ver.lower() for ver in self.TLS_VERSIONS] - tls_versions.extend(self.TLS_VERSIONS) - self._data['min-tls-version'] = verify_member_of(value, tls_versions, 'min-tls-version') - - @property - def require_tls(self): - return self._data.get('require-tls') - - @require_tls.setter - def require_tls(self, value): - self._data['require-tls'] = parse_bool_from_json(value, 'require-tls') - - @property - def require_valid_certificate(self): - return self._data.get('require-valid-certificate') - - @require_valid_certificate.setter - def require_valid_certificate(self, value): - self._data['require-valid-certificate'] = parse_bool_from_json(value, 'require-valid-certificate') - - -class AcceptableMX(BaseConfig): - """Holds acceptable MX domain suffixes for a single mail serving domain. - - Such as for gmail.com that single mail serving suffix domain is: - gmail-smtp-in.l.google.com. - - Configuration of the acceptable MX suffix domains must match up with TLS policies - for the suffix domains. - """ - def __init__(self, domain=None): - super(self.__class__, self).__init__() - self.domain = domain - self._data['accept-mx-domains'] = [] - - @property - def accept_mx_domains(self): - return self._data.get('accept-mx-domains') - - def add_acceptable_mx(self, domain_suffix): - unique_domain_suffixes = set(self._data['accept-mx-domains']) - unique_domain_suffixes.add(domain_suffix) - self._data['accept-mx-domains'] = list(unique_domain_suffixes) - - @property - def comment(self): - return self._data.get('comment') - - @comment.setter - def comment(self, value): - self._data['comment'] = verify_string(value, 'comment') - - def is_valid(self): - """Check to make sure there is one acceptable domain suffix. - - This will need to be updated once we can actually test and support - for more than one acceptable domain suffix. - - TODO: could make this object double check the data it is given with - DNS queries. - """ - if len(self._data['accept-mx-domains']) != 1: - return False - else: - return True - - def from_json_dict(self, json_dict): - for key, val in json_dict.iteritems(): - if key == 'accept-mx-domains': - if isinstance(val, list): - for domain_suffix in val: - self.add_acceptable_mx(domain_suffix) - else: - self.add_acceptable_mx(val) - elif key == 'comment': - self.comment = val - else: - logger.warn('warning: unknown key %s' % key) - - def update(self, newer_policy, **kwargs): - logger.debug('from MX child update got %s' % kwargs) - if not kwargs.get('domain'): - kwargs['domain'] = self.domain - fresh_policy = super(self.__class__, self).update(newer_policy, - **kwargs) - if kwargs.get('merge'): - new_accepted_mxs = set(self.accept_mx_domains) - new_accepted_mxs = new_accepted_mxs.union(newer_policy.accept_mx_domains) - else: - new_accepted_mxs = newer_policy.accept_mx_domains - for domain in new_accepted_mxs: - fresh_policy.add_acceptable_mx(domain) - - return fresh_policy - - def merge(self, newer_policy, **kwargs): - logger.debug('from MX child merge: %s' % kwargs) - fresh_policy = super(self.__class__, self).merge(newer_policy, - **kwargs) - return fresh_policy - - -class ConfigError(ValueError): - def __init__(self, message): - super(self.__class__, self).__init__(message) diff --git a/letsencrypt-postfix/PostfixLogSummary.py b/letsencrypt-postfix/PostfixLogSummary.py deleted file mode 100755 index a641a9f31..000000000 --- a/letsencrypt-postfix/PostfixLogSummary.py +++ /dev/null @@ -1,104 +0,0 @@ -#!/usr/bin/env python -import argparse -import collections -import os -import re -import sys -import time - -import Config - -TIME_FORMAT = "%b %d %H:%M:%S" - -# TODO: There's more to be learned from postfix logs! Here's one sample -# observed during failures from the sender vagrant vm: - -# Jun 6 00:21:31 precise32 postfix/smtpd[3648]: connect from localhost[127.0.0.1] -# Jun 6 00:21:34 precise32 postfix/smtpd[3648]: lost connection after STARTTLS from localhost[127.0.0.1] -# Jun 6 00:21:34 precise32 postfix/smtpd[3648]: disconnect from localhost[127.0.0.1] -# Jun 6 00:21:56 precise32 postfix/master[3001]: reload -- version 2.9.6, configuration /etc/postfix -# Jun 6 00:22:01 precise32 postfix/pickup[3674]: AF3B6480475: uid=0 from= -# Jun 6 00:22:01 precise32 postfix/cleanup[3680]: AF3B6480475: message-id=<20140606002201.AF3B6480475@sender.example.com> -# Jun 6 00:22:01 precise32 postfix/qmgr[3673]: AF3B6480475: from=, size=576, nrcpt=1 (queue active) -# Jun 6 00:22:01 precise32 postfix/smtp[3682]: SSL_connect error to valid-example-recipient.com[192.168.33.7]:25: -1 -# Jun 6 00:22:01 precise32 postfix/smtp[3682]: warning: TLS library problem: 3682:error:140740BF:SSL routines:SSL23_CLIENT_HELLO:no protocols available:s23_clnt.c:381: -# Jun 6 00:22:01 precise32 postfix/smtp[3682]: AF3B6480475: to=, relay=valid-example-recipient.com[192.168.33.7]:25, delay=0.06, delays=0.03/0.03/0/0, dsn=4.7.5, status=deferred (Cannot start TLS: handshake failure) -# -# Also: -# Oct 10 19:12:13 sender postfix/smtp[1711]: 62D3F481249: to=, relay=valid-example-recipient.com[192.168.33.7]:25, delay=0.07, delays=0.03/0.01/0.03/0, dsn=4.7.4, status=deferred (TLS is required, but was not offered by host valid-example-recipient.com[192.168.33.7]) -def get_counts(input, config, earliest_timestamp): - seen_trusted = False - - counts = collections.defaultdict(lambda: collections.defaultdict(int)) - tls_deferred = collections.defaultdict(int) - # Typical line looks like: - # Jun 12 06:24:14 sender postfix/smtp[9045]: Untrusted TLS connection established to valid-example-recipient.com[192.168.33.7]:25: TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits) - # indicate a problem that should be alerted on. - # ([^[]*) <--- any group of characters that is not "[" - # Log lines for when a message is deferred for a TLS-related reason. These - deferred_re = re.compile("relay=([^[ ]*).* status=deferred.*TLS") - # Log lines for when a TLS connection was successfully established. These can - # indicate the difference between Untrusted, Trusted, and Verified certs. - connected_re = re.compile("([A-Za-z]+) TLS connection established to ([^[]*)") - mx_to_domain_mapping = config.get_mx_to_domain_policy_map() - - timestamp = 0 - for line in sys.stdin: - timestamp = time.strptime(line[0:15], TIME_FORMAT) - if timestamp < earliest_timestamp: - continue - deferred = deferred_re.search(line) - connected = connected_re.search(line) - if connected: - validation = connected.group(1) - mx_hostname = connected.group(2).lower() - if validation == "Trusted" or validation == "Verified": - seen_trusted = True - address_domains = config.get_address_domains(mx_hostname, mx_to_domain_mapping) - if address_domains: - domains_str = [ a.domain for a in address_domains ] - d = ', '.join(domains_str) - counts[d][validation] += 1 - counts[d]["all"] += 1 - elif deferred: - mx_hostname = deferred.group(1).lower() - tls_deferred[mx_hostname] += 1 - return (counts, tls_deferred, seen_trusted, timestamp) - -def print_summary(counts): - for mx_hostname, validations in counts.items(): - for validation, validation_count in validations.items(): - if validation == "all": - continue - print mx_hostname, validation, validation_count / validations["all"], "of", validations["all"] - -if __name__ == "__main__": - arg_parser = argparse.ArgumentParser(description='Detect delivery problems' - ' in Postfix log files that may be caused by security policies') - arg_parser.add_argument('-c', action="store_true", dest="cron", default=False) - arg_parser.add_argument("policy_file", nargs='?', - default=os.path.join("examples", "starttls-everywhere.json"), - help="STARTTLS Everywhere policy file") - - args = arg_parser.parse_args() - config = Config.Config() - config.load_from_json_file(args.policy_file) - - last_timestamp_processed = 0 - timestamp_file = '/tmp/starttls-everywhere-last-timestamp-processed.txt' - if os.path.isfile(timestamp_file): - last_timestamp_processed = time.strptime(open(timestamp_file).read(), TIME_FORMAT) - (counts, tls_deferred, seen_trusted, latest_timestamp) = get_counts(sys.stdin, config, last_timestamp_processed) - with open(timestamp_file, "w") as f: - f.write(time.strftime(TIME_FORMAT, latest_timestamp)) - - # If not running in cron, print an overall summary of log lines seen from known hosts. - if not args.cron: - print_summary(counts) - if not seen_trusted: - print 'No Trusted connections seen! Probably need to install a CAfile.' - - if len(tls_deferred) > 0: - print "Some mail was deferred due to TLS problems:" - for (k, v) in tls_deferred.iteritems(): - print "%s: %s" % (k, v) diff --git a/letsencrypt-postfix/TestConfig.py b/letsencrypt-postfix/TestConfig.py deleted file mode 100755 index ca8e77654..000000000 --- a/letsencrypt-postfix/TestConfig.py +++ /dev/null @@ -1,132 +0,0 @@ -#!/usr/bin/env python -import copy -import itertools -import logging -import unittest - -import Config - -logger = logging.getLogger(__name__) -logger.addHandler(logging.StreamHandler()) - - -class TestTLSPolicy(unittest.TestCase): - - def setUp(self): - self.old_config = Config.TLSPolicy(domain_suffix='.eff.org') - self.old_config.comment = 'Testing EFF.org TLS policy' - self.old_config.require_tls = True - self.old_config.require_valid_certificate = False - self.old_config.min_tls_version = 'TLSv1' - self.old_config.enforce_mode = 'log-only' - - self.new_config = Config.TLSPolicy(domain_suffix='.eff.org') - self.new_config.require_valid_certificate = True - self.new_config.min_tls_version = 'TLSv1.2' - self.new_config.enforce_mode = 'enforce' - - def testUpdateDropsOldSettings(self): - logger.debug('old: %s' % self.old_config) - logger.debug('new: %s' % self.new_config) - tls_policy = self.old_config.update(self.new_config) - logger.debug('just generated: %s' % tls_policy) - self.assertFalse(any([tls_policy.require_tls, tls_policy.comment])) - - def testMergeKeepsOldSettings(self): - logger.debug('old: %s' % self.old_config) - logger.debug('new: %s' % self.new_config) - tls_policy = self.old_config.merge(self.new_config, merge=True) - logger.debug('just generated: %s' % tls_policy) - self.assertTrue(all([tls_policy.require_tls, tls_policy.comment])) - - def testUpdateGetsNameSet(self): - tls_policy = self.old_config.update(self.new_config) - self.assertEquals(tls_policy.domain_suffix, self.old_config.domain_suffix) - - -class TestAcceptableMX(unittest.TestCase): - - def setUp(self): - self.old_config = Config.AcceptableMX(domain='eff.org') - self.old_config.add_acceptable_mx('.eff.org') - - def testUpdateDropsOldMXs(self): - new_bogus_mx = '.testing.eff.org' - new_config = Config.AcceptableMX(domain='eff.org') - new_config.add_acceptable_mx(new_bogus_mx) - updated_config = self.old_config.update(new_config) - self.assertNotIn('.eff.org', updated_config.accept_mx_domains) - - def testMergeKeepsOldMXs(self): - new_bogus_mx = '.testing.eff.org' - new_config = Config.AcceptableMX(domain='eff.org') - new_config.add_acceptable_mx(new_bogus_mx) - updated_config = self.old_config.merge(new_config) - self.assertListEqual(sorted(['.eff.org', '.testing.eff.org']), - sorted(updated_config.accept_mx_domains)) - - def testUpdateGetsNameSet(self): - new_policy = Config.AcceptableMX(domain=self.old_config.domain) - mx_policy = self.old_config.update(new_policy) - self.assertEquals(mx_policy.domain, self.old_config.domain) - - -class TestConfig(unittest.TestCase): - """Test entire configuration. - - Currently lower coverage is being obtained since string sets are - being compared rather than returned objects. Comparison logic for - the config objects isn't clear yet and proof that they function is enough. - """ - - def setUp(self): - self.config = Config.Config() - domain_policies = self.config._data['acceptable-mxs'] - self.mail_domains = ['gmail.com', 'yahoo.com', 'hotmail.com', '123.cn', 'qq.com'] - for domain in self.mail_domains: - new = Config.AcceptableMX(domain=domain) - new.add_acceptable_mx('.' + domain) - domain_policies[domain] = new - - def testGetAllMxItems(self): - """Make sure the basic use case of get_all_mx_items functions.""" - # [ ('.gmail.com', 'gmail.com'), ('.yahoo.com', 'yahoo.com'), ... ] - control_data = [ ('.' + domain, domain) for domain in self.mail_domains ] - test_data = [ (mx, p.domain) for mx, p in self.config.get_all_mx_items() ] - self.assertListEqual(sorted(test_data), sorted(control_data)) - - def testGetAllMxItemsMultiMX(self): - config = copy.deepcopy(self.config) - domain_policy = config.acceptable_mxs.get('gmail.com') - # deal with reality, mail.google.com - domain_policy.add_acceptable_mx('.mail.google.com') - control_data = [ ('.' + domain, domain) for domain in self.mail_domains ] - control_data.append(('.mail.google.com', 'gmail.com')) - test_data = [ (mx, p.domain) for mx, p in config.get_all_mx_items() ] - self.assertListEqual(sorted(test_data), sorted(control_data)) - - def testGetMXtoDomainPolicy(self): - control_data = dict([ ('.' + domain, set([domain])) - for domain in self.mail_domains ]) - test_data = {} - for mx, pset in self.config.get_mx_to_domain_policy_map().items(): - policy_list = [ p.domain for p in pset ] - test_data[mx] = set(policy_list) - self.assertDictEqual(test_data, control_data) - - def testGetMXtoDomainPolicyMultiMX(self): - config = copy.deepcopy(self.config) - domain_policy = config.acceptable_mxs.get('gmail.com') - domain_policy.add_acceptable_mx('.mail.google.com') - control_data = dict([ ('.' + domain, set([domain])) - for domain in self.mail_domains ]) - control_data['.mail.google.com'] = set(['gmail.com']) - test_data = {} - for mx, pset in config.get_mx_to_domain_policy_map().items(): - policy_list = [ p.domain for p in pset ] - test_data[mx] = set(policy_list) - self.assertDictEqual(test_data, control_data) - - -if __name__ == '__main__': - unittest.main() diff --git a/requirements.txt b/requirements.txt deleted file mode 100644 index 5334ba03a..000000000 --- a/requirements.txt +++ /dev/null @@ -1,4 +0,0 @@ -dnspython -publicsuffix -m2crypto -dateutils diff --git a/share/golden-domains.txt b/share/golden-domains.txt deleted file mode 100644 index bca6d2f89..000000000 --- a/share/golden-domains.txt +++ /dev/null @@ -1,32 +0,0 @@ -163.com -aol.com -bigpond.com -comcast.net -craigslist.org -facebook.com -gmail.com -gmx.de -hotmail.com -icloud.com -live.com -mac.com -me.com -msn.com -naver.com -outlook.com -qq.com -rocketmail.com -rogers.com -salesforce.com -sbcglobal.net -shaw.ca -sympatico.ca -t-online.de -ukr.net -vtext.com -web.de -wp.pl -yahoo.com -yahoogroups.com -yandex.ru -ymail.com diff --git a/share/google-starttls-domains.csv b/share/google-starttls-domains.csv deleted file mode 100644 index 5d6a00f17..000000000 --- a/share/google-starttls-domains.csv +++ /dev/null @@ -1,6734 +0,0 @@ -Address Suffix,Hostname Suffix,Direction,UN M.49 Region Code,Region Name,Fraction Encrypted -0101.co.jp,0101.co.jp,inbound,001,World,0 -04auto.biz,01auto.biz,inbound,001,World,0 -0bz.biz,hmts.jp,inbound,001,World,0 -1-day.co.nz,1-day.co.nz,inbound,001,World,0 -104.com.tw,104.com.tw,inbound,001,World,0.091112 -1105info.com,1105info.com,inbound,001,World,0 -1111.com.tw,1111.com.tw,inbound,001,World,0 -123.com.tw,123.com.tw,inbound,001,World,0 -12manage.com,netarrest.com,inbound,001,World,0.99998 -160by2.us,160by2.us,inbound,001,World,0 -160by2inbox.com,160by2inbox.com,inbound,001,World,0 -160by2invite.com,160by2invite.com,inbound,001,World,0 -160by2mail.com,160by2mail.com,inbound,001,World,0 -163.com,163.com,inbound,001,World,0.711306 -163.com,netease.com,outbound,001,World,1 -17life.com.tw,17life.com.tw,inbound,001,World,0 -1800flowersinc.com,1800flowersinc.com,inbound,001,World,0 -1800petmeds.com,1800petmeds.com,inbound,001,World,0.00599 -1lejend.com,asumeru.com,inbound,001,World,0 -1lejend.com,asumeru001.com,inbound,001,World,0 -1sale.com,1sale.com,inbound,001,World,0 -1v1y.com,euromsg.net,inbound,001,World,0 -2touchbase.com,infimail.com,inbound,001,World,0 -33go.com.tw,33go.com.tw,inbound,001,World,0 -3suisses.be,3suisses.be,inbound,001,World,0 -3suisses.fr,3suisses.fr,inbound,001,World,0 -4shared.com,4shared.com,inbound,001,World,0.999946 -4wheelparts.com,4wheelparts.com,inbound,001,World,0 -518.com.tw,518.com.tw,inbound,001,World,0 -6pm.com,6pm.com,inbound,001,World,1 -6pm.com,zappos.com,inbound,001,World,0.782581 -7net.com.tw,7net.com.tw,inbound,001,World,0 -99acres.com,99acres.com,inbound,001,World,0 -9dot9digital.in,emce2.in,inbound,001,World,0 -a8.net,a8.net,inbound,001,World,0 -aaa.com,nextjump.com,inbound,001,World,0 -aaas-science.org,aaas-science.org,inbound,001,World,0 -aafes.com,aafes.com,inbound,001,World,0 -aanotifier.nl,aanotifier.nl,inbound,001,World,0 -aarp.org,aarp.org,inbound,001,World,0.006249 -ab0.jp,altovision.co.jp,inbound,001,World,0 -abercrombie-email.com,abercrombie-email.com,inbound,001,World,0 -abercrombiekids-email.com,abercrombie-email.com,inbound,001,World,0 -about.com,about.com,inbound,001,World,2.4e-05 -about.com,sailthru.com,inbound,001,World,0 -academy-enews.com,academy-enews.com,inbound,001,World,0 -accenture.com,outlook.com,inbound,001,World,1 -accountonline.com,accountonline.com,inbound,001,World,0.348991 -acehelpfulemails.com,teradatadmc.com,inbound,001,World,0 -acemserv.com,acemserv.com,inbound,001,World,0 -activesafelist.com,zoothost.com,inbound,001,World,0 -activetrail.com,atmailsvr.net,inbound,001,World,0 -activetrail.com,mymarketing.co.il,inbound,001,World,0 -actorsaccess.com,nonfatmedia.com,inbound,001,World,0 -adchiever.com,kinder-rash-marketing.com,inbound,001,World,0 -adidas.com,neolane.net,inbound,001,World,0 -adidasusnews.com,adidasusnews.com,inbound,001,World,0 -adityabirla.com,adityabirla.com,inbound,001,World,0.006468 -adjockeys.com,thomas-j-brown.com,inbound,001,World,0 -admail.hu,sanomaonline.hu,inbound,001,World,0 -admastersafelist.com,zoothost.com,inbound,001,World,0 -adminforfree.com,adminforfree.com,inbound,001,World,1 -adminforfree.net,adminforfree.com,inbound,001,World,1 -administrativejobinsider.com,administrativejobinsider.com,inbound,001,World,0 -adobe.com,obsmtp.com,inbound,001,World,0.999986 -adobesystems.com,adobesystems.com,inbound,001,World,0 -adorama.com,adorama.com,inbound,001,World,0 -adoreme.com,exacttarget.com,inbound,001,World,0 -adp.com,adp.com,inbound,001,World,1 -adpirate.net,thomas-j-brown.com,inbound,001,World,0 -adsender.us,adsender.us,inbound,001,World,0 -adsolutionline.com,adsolutionline.com,inbound,001,World,0 -adtpulse.com,adtpulse.com,inbound,001,World,0 -adultfriendfinder.com,friendfinder.com,inbound,001,World,0 -advanceauto.com,bigfootinteractive.com,inbound,001,World,0 -advantagebusinessmedia.com,advantagebusinessmedia.com,inbound,001,World,0 -adverts.ie,adverts.ie,inbound,001,World,1 -advfn.com,advfn.com,inbound,001,World,0.635382 -ae.com,ae.com,inbound,001,World,0 -aexp.com,aexp.com,inbound,001,World,1 -af.mil,af.mil,inbound,001,World,0.996166 -affairalert.com,iverificationsystems.com,inbound,001,World,0 -agnitas.de,agnitas.de,inbound,001,World,0.999277 -agoda-emails.com,agoda-emails.com,inbound,001,World,0 -agora.co.il,1host.co.il,inbound,001,World,0 -agorafinancial.com,agorafinancial.com,inbound,001,World,0 -agrupemonos.cl,agrupemonos.cl,inbound,001,World,1 -airbnb.com,airbnb.com,inbound,001,World,0.867975 -airbrake.io,mailgun.net,inbound,001,World,1 -airfarewatchdog.com,smartertravelmedia.com,inbound,001,World,0.011961 -airliquide.com,airliquide.com,inbound,001,World,1 -airmiles.ca,bigfootinteractive.com,inbound,001,World,0 -airtel.com,airtel.in,inbound,001,World,0.064377 -akcijatau.lt,akcijatau.lt,inbound,001,World,0 -alarm.com,alarm.com,inbound,001,World,0 -alarmnet.com,alarmnet.com,inbound,001,World,0 -alaskaair.com,alaskaair.com,inbound,001,World,0 -albertsonsemail.com,email4-mywebgrocer.com,inbound,001,World,0 -alerteimmo.com,alerteimmo.com,inbound,001,World,0 -alertid.com,alertid.com,inbound,001,World,0 -alertsindia.in,alertsindia.in,inbound,001,World,1 -alibaba.com,alibaba.com,inbound,001,World,0 -alice.it,alice.it,inbound,001,World,0 -alice.it,aliceposta.it,outbound,001,World,0 -aliexpress.com,alibaba.com,inbound,001,World,0 -alinea.fr,bp06.net,inbound,001,World,0 -alipay.com,alipay.com,inbound,001,World,1 -allegro.pl,allegro.pl,inbound,001,World,0 -allegrogroup.ua,allegrogroup.ua,inbound,001,World,0 -allegroup.hu,allegroup.hu,inbound,001,World,0 -allheart.com,allheart.com,inbound,001,World,0 -alljob.co.il,alljob.co.il,inbound,001,World,0 -allmodern.com,allmodern.com,inbound,001,World,0 -allout.org,allout.org,inbound,001,World,1 -allrecipes.com,allrecipes.com,inbound,001,World,0 -allsaints.com,allsaints.com,inbound,001,World,0 -allstate.com,rsys1.com,inbound,001,World,0 -alm.com,sailthru.com,inbound,001,World,0 -alumniclass.com,alumniclass.com,inbound,001,World,0 -alumniconnections.com,alumniconnections.com,inbound,001,World,0 -alza.cz,alza.cz,inbound,001,World,0.039449 -alza.sk,alza.cz,inbound,001,World,0.027725 -ama-assn.org,elabs10.com,inbound,001,World,0 -amadeus.com,amadeus.net,inbound,001,World,0 -amazon.{...},amazon.{...},inbound,001,World,0.020886 -amazon.{...},amazonses.com,inbound,001,World,0.999971 -amazon.{...},postini.com,inbound,001,World,0.7325 -amazon.{...},yahoo.{...},inbound,001,World,0.995995 -amazonses.com,amazonses.com,inbound,001,World,0.997919 -amazonses.com,postini.com,inbound,001,World,0.843221 -amctheatres.com,amctheatres.com,inbound,001,World,0 -americanas.com,americanas.com,inbound,001,World,0 -americanbar.org,abanet.org,inbound,001,World,0.00574 -americanexpress.com,americanexpress.com,inbound,001,World,0.000688 -americanpublicmediagroup.org,americanpublicmediagroup.org,inbound,001,World,0 -amubm.com,amubm.com,inbound,001,World,1 -amwayemail.com,mailrouter.net,inbound,001,World,1 -ana.co.jp,ana.co.jp,inbound,001,World,0.534416 -ancestry.com,ancestry.com,inbound,001,World,0 -andrewchristian.com,emv8.com,inbound,001,World,0 -angelbroking.in,infimail.com,inbound,001,World,0 -anghami.com,mailgun.net,inbound,001,World,1 -angieslist.com,angieslist.com,inbound,001,World,0.014064 -anntaylor.com,anntaylor.com,inbound,001,World,0 -anpasia.com,anpasia.com,inbound,001,World,0 -anpdm.com,anpdm.com,inbound,001,World,6e-06 -anthropologie.com,freepeople.com,inbound,001,World,0 -aol.com,aol.com,inbound,001,World,0.999529 -aol.com,aol.com,outbound,001,World,0.999992 -aol.com,sailthru.com,inbound,001,World,0 -aol.net,aol.com,inbound,001,World,1 -apache.org,apache.org,inbound,001,World,0 -apnacomplex.com,apnacomplex.com,inbound,001,World,0.999981 -apple.com,apple.com,inbound,001,World,0.974422 -apply-4-jobs.com,apply-4-jobs.com,inbound,001,World,0 -aprovaconcursos.com.br,eadunicid.com.br,inbound,001,World,0 -aptmail.in,mailurja.com,inbound,001,World,0 -ara.cat,ara.cat,inbound,001,World,0.997709 -arcamax.com,arcamax.com,inbound,001,World,1.4e-05 -argos.co.uk,argos.co.uk,inbound,001,World,1 -argos.co.uk,exacttarget.com,inbound,001,World,1 -aritzia.com,aritzia.com,inbound,001,World,0 -armaniexchange.com,bronto.com,inbound,001,World,0 -artists-hub.com,artists-hub.com,inbound,001,World,0 -artscow.com,dyxnet.com,inbound,001,World,0.00062 -aruba.it,aruba.it,inbound,001,World,0.055666 -asadventure.com,asadventure.com,inbound,001,World,0 -asana.com,asana.com,inbound,001,World,1 -asda.com,ec-cluster.com,inbound,001,World,0 -ashampoo.com,ashampoo.com,inbound,001,World,1 -ashleymadison.com,ashleymadison.com,inbound,001,World,1 -ask.fm,ask.fm,inbound,001,World,1e-05 -askmen.com,askmen.com,inbound,001,World,0 -asos.com,asos.com,inbound,001,World,0 -assembla.com,assembla.com,inbound,001,World,1 -astrocenter.com,center.com,inbound,001,World,0 -astrology.com,astrology.com,inbound,001,World,0 -astrology.com,hsnlmailsvc.com,inbound,001,World,0 -astrology.com,webstakes.com,inbound,001,World,0 -astrology.com,wsafmailsvc.com,inbound,001,World,0 -asus.com,asus.com,inbound,001,World,0 -aswatson.com,emarsys.net,inbound,001,World,0 -athleta.com,athleta.com,inbound,001,World,0 -atlassian.net,uc-inf.net,inbound,001,World,1 -atrapalo.cl,atrapalo.com,inbound,001,World,0 -atrapalo.com,atrapalo.com,inbound,001,World,0 -att-mail.com,att-mail.com,inbound,001,World,2.2e-05 -att-mail.com,att.com,inbound,001,World,0.999966 -att.net,att.net,outbound,001,World,0.204629 -att.net,mycingular.net,inbound,001,World,0.00021 -att.net,yahoo.{...},inbound,001,World,0.99997 -auctionzip-email.com,email-auctionholdings.com,inbound,001,World,0 -auinmeio.com.br,fnac.com.br,inbound,001,World,0 -australiagsm.net,australiagsm.net,inbound,001,World,0 -authorize.net,authorize.net,inbound,001,World,0 -authorize.net,visa.com,inbound,001,World,0.993558 -autoloop.us,loop28.com,inbound,001,World,0 -autoreply.com,autoreply.com,inbound,001,World,0 -avaaz.org,avaaz.org,inbound,001,World,0 -avalanchesafelist.com,zoothost.com,inbound,001,World,0 -avast.com,avast.com,inbound,001,World,0.007867 -aveda.com,esteelauder.com,inbound,001,World,0 -avenue.com,avenue.com,inbound,001,World,0 -avg.com,avg.com,inbound,001,World,0.015703 -avira.com,avira.com,inbound,001,World,0.042528 -avito.ru,avito.ru,inbound,001,World,0.002677 -avomail.com,avomail.com,inbound,001,World,0 -avon.com,email-avonglobal.com,inbound,001,World,0 -avon.com,postdirect.com,inbound,001,World,0 -aweber.com,aweber.com,inbound,001,World,3e-06 -ayi.com,ayi.com,inbound,001,World,0 -b2b-mail.net,b2b-mail.net,inbound,001,World,0 -b2b-mail.net,contact-list.net,inbound,001,World,0 -babycenter.com,rsys3.com,inbound,001,World,0 -babyoye.com,babyoye.com,inbound,001,World,0.011564 -backcountry.com,backcountry.com,inbound,001,World,0 -backlog.jp,backlog.jp,inbound,001,World,0 -badoo.com,monopost.com,inbound,001,World,1 -bagitgetitmailer.in,emce2.in,inbound,001,World,0 -baligam.co.il,baligam.co.il,inbound,001,World,1 -balsamik.fr,balsamik.fr,inbound,001,World,0 -banamex.com,citi.com,inbound,001,World,0.999958 -banamex.com,ibrands.es,inbound,001,World,0 -bananarepublic.com,bananarepublic.com,inbound,001,World,3.48869418874254e-07 -bancoahorrofamsa.com,avantel.net.mx,inbound,001,World,1 -bancochile.cl,bancochile.cl,inbound,001,World,0.999504 -bancofalabella.com,bancofalabella.com,inbound,001,World,0 -bancomer.com,postini.com,inbound,001,World,5.9e-05 -bancomercorreo.com,bancomercorreo.com,inbound,001,World,0 -bandsintown.com,bandsintown.com,inbound,001,World,1 -banesco.com,banesco.com,inbound,001,World,0 -bankofamerica.com,bankofamerica.com,inbound,001,World,0.97133 -banorte.com,gfnorte.com.mx,inbound,001,World,0.994999 -barclaycard.co.uk,barclays.co.uk,inbound,001,World,0 -barclaycardus.com,bigfootinteractive.com,inbound,001,World,0 -barenecessities.com,barenecessities.com,inbound,001,World,0 -barleyment.ca,barleyment.ca,inbound,001,World,0 -barneys.com,barneys.com,inbound,001,World,0 -baseballsavings.com,baseballsavings.com,inbound,001,World,0 -basecamp.com,basecamp.com,inbound,001,World,1 -basecamphq.com,basecamphq.com,inbound,001,World,1 -baskinrobbins.com,baskinrobbins.com,inbound,001,World,0 -basspronews.com,basspronews.com,inbound,001,World,0 -bathandbodyworks.com,bathandbodyworks.com,inbound,001,World,0 -baublebar.com,baublebar.com,inbound,001,World,0.011219 -baycrews.co.jp,webcas.net,inbound,001,World,0 -bayt.com,bayt.com,inbound,001,World,2e-06 -bazarchic-invitations.com,bazarchic-emstech.com,inbound,001,World,0 -bbvacompass.com,postini.com,inbound,001,World,0.996402 -bcbg.com,bcbg.com,inbound,001,World,0 -bci.cl,bci.cl,inbound,001,World,0.999963 -bcp.com.pe,bcp.com.pe,inbound,001,World,1 -be2.com,nmp1.net,inbound,001,World,0 -beamtele.com,beamtele.com,inbound,001,World,0 -beanfun.com,beanfun.com,inbound,001,World,1 -beatport-email.com,beatport-email.com,inbound,001,World,0 -beautylish.com,beautylish.com,inbound,001,World,1 -bebe.com,ed10.com,inbound,001,World,0 -befrugal.com,befrugal.com,inbound,001,World,0.050462 -belkemail.com,belkemail.com,inbound,001,World,0 -bellsouth.net,att.net,outbound,001,World,0 -bellsouth.net,yahoo.{...},inbound,001,World,0.999967 -belluna.net,belluna.net,inbound,001,World,0 -benihana-news.com,benihana-news.com,inbound,001,World,0 -bergdorfgoodmanemail.com,neimanmarcusemail.com,inbound,001,World,0 -bespokeoffers.co.uk,chtah.net,inbound,001,World,0 -bestbuy.ca,bestbuy.ca,inbound,001,World,0 -bestbuy.com,bestbuy.com,inbound,001,World,0.003289 -bestdealsforyou.in,elabs5.com,inbound,001,World,0 -beta.lt,mailersend3.com,inbound,001,World,0 -betrend.com,betrend.com,inbound,001,World,0 -bevmo.com,bevmo.com,inbound,001,World,0.000967 -beyondtherack.com,beyondtherack.com,inbound,001,World,0 -bharatmatrimony.com,bharatmatrimony.com,inbound,001,World,1 -bhcosmetics.com,bronto.com,inbound,001,World,0 -bhg.com,meredith.com,inbound,001,World,0 -bigfishgames.com,bigfishgames.com,inbound,001,World,0 -biglion.ru,biglion.ru,inbound,001,World,0.999775 -biglist.com,biglist.com,inbound,001,World,0 -biglots.com,biglots.com,inbound,001,World,0.00029 -bigmailsender.com,bigmailsender.com,inbound,001,World,0 -bigpond.com,bigpond.com,inbound,001,World,0 -bigpond.com,bigpond.com,outbound,001,World,1 -bigtent.com,carezen.net,inbound,001,World,0 -bioagri.com.br,postini.com,inbound,001,World,0.991765 -biomedcentral.com,emv5.com,inbound,001,World,0 -bionexo.com,bionexo.com.br,inbound,001,World,0.999594 -birthdayalarm.com,monkeyinferno.net,inbound,001,World,0 -bitbucket.org,bitbucket.org,inbound,001,World,0 -bitlysupport.com,mailgun.info,inbound,001,World,1 -bitlysupport.com,mailgun.us,inbound,001,World,1 -bitslane.email,bitslane.email,inbound,001,World,0 -bitstatement.org,bitstatement.org,inbound,001,World,1 -bizjournals.com,bizjournals.com,inbound,001,World,0 -bizmailtoday.com,bizmailtoday.com,inbound,001,World,0 -bjs.com,bjs.com,inbound,001,World,0 -bjsrestaurants.com,bjsrestaurants.com,inbound,001,World,0 -bk.ru,mail.ru,inbound,001,World,0.992498 -blablacar.com,blablacar.com,inbound,001,World,1 -blackberry.com,blackberry.com,inbound,001,World,0 -blackboard.com,blackboard.com,inbound,001,World,0.998206 -blackboard.com,notification.com,inbound,001,World,0 -blackpeoplemeet.com,blackpeoplemeet.com,inbound,001,World,0 -blayn.jp,bserver.jp,inbound,001,World,0 -blinkboxmusic.com,mediagraft.com,inbound,001,World,1 -blissworld.com,lstrk.net,inbound,001,World,1 -blizzard.com,battle.net,inbound,001,World,0.11977 -bloglovin.com,bloglovin.com,inbound,001,World,0.000154 -blogtrottr.com,blogtrottr.com,inbound,001,World,0 -bloomberg.com,bloomberg.com,inbound,001,World,0.00501 -bloomberg.net,bloomberg.net,inbound,001,World,1 -bloomingdales.com,bloomingdales.com,inbound,001,World,0 -bloomingdalesoutlets.com,bloomingdalesoutlets.com,inbound,001,World,0 -blue-compass.com,blue-compass.com,inbound,001,World,0 -bluediamondhost3.com,web-hosting.com,inbound,001,World,1 -bluehornet.com,bluehornet.com,inbound,001,World,0 -bluehost.com,bluehost.com,inbound,001,World,0.000943 -bluehost.com,hostmonster.com,inbound,001,World,0 -bluehost.com,unifiedlayer.com,inbound,001,World,1.6e-05 -bluenile.com,bluenile.com,inbound,001,World,0 -blueshellgames.com,blueshellgames.com,inbound,001,World,0 -bluestatedigital.com,bluestatedigital.com,inbound,001,World,0 -bluestonemx.com,bluestonemx.com,inbound,001,World,1 -bm05.net,bm05.net,inbound,001,World,0 -bm23.com,bronto.com,inbound,001,World,0 -bm324.com,bronto.com,inbound,001,World,0 -bmdeda99.com,bmdeda99.com,inbound,001,World,0 -bme.jp,bserver.jp,inbound,001,World,0 -bmnt.jp,bmnt.jp,inbound,001,World,0 -bmsend.com,bmsend.com,inbound,001,World,0 -bn.com,bn.com,inbound,001,World,0 -bncollegemail.com,bncollegemail.com,inbound,001,World,0 -bnetmail.com,bnetmail.com,inbound,001,World,0 -bol.com.br,bol.com.br,inbound,001,World,0 -bol.com.br,bol.com.br,outbound,001,World,0 -boletinrenuevo.com,boletinrenuevo.com,inbound,001,World,0 -bolsfr.fr,colt.net,inbound,001,World,0 -bomnegocio.com,bomnegocio.com,inbound,001,World,0.687113 -bonobos.com,bronto.com,inbound,001,World,0 -bonuszbrigad.hu,bonuszbrigad.hu,inbound,001,World,0 -boohooemail.com,smartfocusdigital.net,inbound,001,World,0 -bookbub.com,bookbub.com,inbound,001,World,1 -booking.com,booking.com,inbound,001,World,1 -bookingbuddy.com,smartertravelmedia.com,inbound,001,World,0.000486 -bookmyshow.com,eccluster.com,inbound,001,World,0 -bookoffonline.co.jp,bookoffonline.co.jp,inbound,001,World,0 -boomtownroi.com,boomtownroi.com,inbound,001,World,0 -boots.com,boots.com,inbound,001,World,0 -boscovs.com,boscovs.com,inbound,001,World,0 -bostonproper.com,bostonproper.com,inbound,001,World,0 -bouncemanager.it,musvc.com,inbound,001,World,0.362026 -boutiquesecret.com,chtah.net,inbound,001,World,0 -box.com,box.com,inbound,001,World,0.955607 -br.com,cmailsys.com,inbound,001,World,0 -bradfordexchange.com,bradfordexchange.com,inbound,001,World,0 -bradsdeals.com,bradsdeals.com,inbound,001,World,0 -brandalley.com,brandalley.com,inbound,001,World,0 -brands4friends.de,emv5.com,inbound,001,World,0 -brands4friends.jp,webcas.net,inbound,001,World,0 -brandsfever.com,mailgun.net,inbound,001,World,1 -brandsvillage.net,brandsvillage.net,inbound,001,World,0 -brassring.com,brassring.com,inbound,001,World,0.999989 -briantracyintl.com,briantracyintl.com,inbound,001,World,0 -brierleycrm.com,brierleycrm.com,inbound,001,World,0 -brijj.com,brijj.com,inbound,001,World,0 -brincltd.com,brincltd.com,inbound,001,World,0 -bronto.com,bronto.com,inbound,001,World,0 -brooksbrothers.com,brooksbrothers.com,inbound,001,World,0 -bsf01.com,bsftransmit33.com,inbound,001,World,0 -bt.com,bt.com,inbound,001,World,0.409404 -btinternet.com,cpcloud.co.uk,inbound,001,World,0 -btinternet.com,cpcloud.co.uk,outbound,001,World,0 -btinternet.com,yahoo.{...},inbound,001,World,0.99998 -budgettravel.com,email-budgettravel.com,inbound,001,World,0 -buffalo.edu,buffalo.edu,inbound,001,World,0.001059 -bumeran.com,bumeran.com,inbound,001,World,0 -burlingtoncoatfactory.com,burlingtoncoatfactory.com,inbound,001,World,0 -burton.co.uk,burton.co.uk,inbound,001,World,0 -buscojobs.com,amazonaws.com,inbound,001,World,0 -buy123.com.tw,buy123.com.tw,inbound,001,World,1 -buyinvite.com.au,buyinvite.com.au,inbound,001,World,0 -buyma.com,buyma.com,inbound,001,World,0 -bv.com.br,bv.com.br,inbound,001,World,0 -bweeble.com,adlabsinc.com,inbound,001,World,0 -byway.it,byway.it,inbound,001,World,0 -bzm.mobi,nmsrv.com,inbound,001,World,1 -c21stores.com,c21stores.com,inbound,001,World,0 -ca.gov,ca.gov,inbound,001,World,0.694242 -cabelas.com,cabelas.com,inbound,001,World,0 -cabestan.com,cab07.net,inbound,001,World,0 -cadremploi.fr,cadremploi.fr,inbound,001,World,0 -cafepress.com,cafepress.com,inbound,001,World,0.000778 -caixa.gov.br,caixa.gov.br,inbound,001,World,0 -californiajobdepartment.com,californiajobdepartment.com,inbound,001,World,0 -californiapsychicsemail.com,californiapsychicsemail.com,inbound,001,World,0 -callcommand.com,callcommand.com,inbound,001,World,0 -calottery.com,calottery.com,inbound,001,World,0.999517 -cam2life.com,hinet.net,inbound,001,World,0 -camel.com,rjrsignup.com,inbound,001,World,0 -camsonline.com,camsonline.com,inbound,001,World,0.136261 -canadiantire.ca,canadiantire.ca,inbound,001,World,0 -canadianvisaexpert.net,canadianvisaexpert.net,inbound,001,World,0 -canalplus.es,canalplus.es,inbound,001,World,0 -cancer.org,delivery.net,inbound,001,World,0 -capillary.co.in,capillary.co.in,inbound,001,World,1 -capitalone.com,bigfootinteractive.com,inbound,001,World,0 -capitalone360.com,ingdirect.com,inbound,001,World,0 -capitaloneemail.com,capitaloneemail.com,inbound,001,World,0 -cardsys.at,cardsys.at,inbound,001,World,1 -care.com,care.com,inbound,001,World,0 -care2.com,care2.com,inbound,001,World,0 -career-hub.net,career-hub.net,inbound,001,World,1 -careerage.com,careerage.com,inbound,001,World,0 -careerbuilder-email.com,careerbuilder-email.com,inbound,001,World,0 -careerbuilder.com,careerbuilder.com,inbound,001,World,0.000449 -careerflash.net,careerflash.net,inbound,001,World,1 -careers24.com,careers24.com,inbound,001,World,0 -careesma.in,careesma.in,inbound,001,World,0 -carmamail.com,carmamail.com,inbound,001,World,0 -carnivalfunmail.com,carnivalfunmail.com,inbound,001,World,0 -carolsdaughter.com,carolsdaughter.com,inbound,001,World,0 -carrefour.fr,carrefour.fr,inbound,001,World,0 -carters.com,carters.com,inbound,001,World,0.003931 -cartrade.com,cartrade.com,inbound,001,World,0.006389 -carwale.com,carwale.com,inbound,001,World,0 -casasbahia.com.br,casasbahia.com.br,inbound,001,World,0 -case.edu,cwru.edu,inbound,001,World,0.999942 -caseyresearch.com,caseyresearch.com,inbound,001,World,1 -castingnetworks.com,castingnetworks.com,inbound,001,World,0.000102 -catchoftheday.com.au,inxserver.de,inbound,001,World,1 -catchyfreebies.net,mmsend53.com,inbound,001,World,0 -catererglobal.com,madgexjb.com,inbound,001,World,0 -caterermail.com,totaljobsmail.co.uk,inbound,001,World,0 -cathkidston.com,cathkidston.co.uk,inbound,001,World,0 -causes.com,causes.com,inbound,001,World,1 -cb2.com,cb2.com,inbound,001,World,0 -cbsig.net,cbsig.net,inbound,001,World,1 -ccavenue.com,avenues.info,inbound,001,World,1 -ccbchurch.com,ccbchurch.com,inbound,001,World,1 -cccampaigns.com,emv5.com,inbound,001,World,0 -cccampaigns.com,emv8.com,inbound,001,World,0 -cccampaigns.net,01net.com,inbound,001,World,0 -cccampaigns.net,cccampaigns.net,inbound,001,World,0 -cccampaigns.net,emv4.net,inbound,001,World,0 -cccampaigns.net,emv9.net,inbound,001,World,0 -ccialerts.com,ccialerts.com,inbound,001,World,0 -ccmbg.com,benchmark.fr,inbound,001,World,0 -ccs.com,footlocker.com,inbound,001,World,2.5e-05 -cdongroup.com,cdongroup.com,inbound,001,World,0.000147 -cecentertainment.com,cecentertainment.com,inbound,001,World,0 -celebritycruises.com,celebritycruises.com,inbound,001,World,0 -cenlat.com,cenlat.com,inbound,001,World,0.064459 -centaur.co.uk,centaur.co.uk,inbound,001,World,0 -centauro.com.br,centauro.com.br,inbound,001,World,0 -centerparcs.co.uk,ec-cluster.com,inbound,001,World,0 -cerberusapp.com,cerberusapp.com,inbound,001,World,1 -cfmailer.com,elabs11.com,inbound,001,World,0 -cfmvmail.com,cfmvmail.com,inbound,001,World,0 -chabad.org,chabad.org,inbound,001,World,0 -champssports.com,footlocker.com,inbound,001,World,0.000131 -chance.com,data-hotel.net,inbound,001,World,0 -change.org,change.org,inbound,001,World,1 -channel4.com,channel4.com,inbound,001,World,0.000613 -charlestyrwhitt.com,charlestyrwhitt.com,inbound,001,World,0 -charter.net,charter.net,inbound,001,World,0 -charter.net,charter.net,outbound,001,World,0 -chase.com,bigfootinteractive.com,inbound,001,World,0 -chase.com,jpmchase.com,inbound,001,World,0.999999 -chatcitynotifications.com,chatcitynotifications.com,inbound,001,World,0 -chaturbate.com,chaturbate.com,inbound,001,World,1 -cheapairmailer.com,cheapairmailer.com,inbound,001,World,0 -cheaperthandirt.com,cheaperthandirt.com,inbound,001,World,2.2e-05 -cheapflights.co.uk,cheapflights.co.uk,inbound,001,World,0 -cheapflights.com,cheapflights.com,inbound,001,World,0 -check.me,check.me,inbound,001,World,0 -cheekylovers.com,ropot.net,inbound,001,World,0 -chefscatalog.com,chefscatalog.com,inbound,001,World,0 -chelseafc.com,chelseafc.com,inbound,001,World,0.003566 -chemistdirect.co.uk,ec-cluster.com,inbound,001,World,0 -chemistry.com,chemistry.com,inbound,001,World,0 -chess.com,chess.com,inbound,001,World,1 -chiangcn.com,chiangcn.com,inbound,001,World,0 -chicagotribune.com,latimes.com,inbound,001,World,0 -chick-fil-ainsiders.com,chick-fil-ainsiders.com,inbound,001,World,0 -chicos.com,chicos.com,inbound,001,World,0.000156 -childrensplace.com,childrensplace.com,inbound,001,World,0 -chinatrust.com.tw,chinatrust.com.tw,inbound,001,World,0.001272 -chopra.com,chopra.com,inbound,001,World,1 -christianbook.com,christianbook.com,inbound,001,World,1 -christianmingle.com,christianmingle.com,inbound,001,World,0 -christianmingle.com,postdirect.com,inbound,001,World,0 -chtah.com,chtah.net,inbound,001,World,0 -chtah.net,chtah.net,inbound,001,World,0 -cincghq.com,searchhomesingta.com,inbound,001,World,1 -cinesa.es,cccampaigns.com,inbound,001,World,0 -cipherzone.com,infimail.com,inbound,001,World,0 -cir.ca,cir.ca,inbound,001,World,1 -circleofmomsmail.com,circleofmomsmail.com,inbound,001,World,0 -citi.com,citi.com,inbound,001,World,0.999941 -citibank.com,bigfootinteractive.com,inbound,001,World,0 -citibank.com,citi.com,inbound,001,World,0.999997 -citicorp.com,citi.com,inbound,001,World,0.999999 -citruslane.com,citruslane.com,inbound,001,World,5e-06 -citybrands.hu,webinform.hu,inbound,001,World,1 -cityheaven.net,cityheaven.net,inbound,001,World,0 -ck.com,ck.com,inbound,001,World,0 -clarisonic.com,clarisonic.com,inbound,001,World,0 -clarks.com,clarks.com,inbound,001,World,0 -classmates.com,classmates.com,inbound,001,World,0 -clickdimensions.com,clickdimensions.com,inbound,001,World,0 -clickexperts.net,clickexperts.net,inbound,001,World,0 -clickmailer.jp,clickmailer.jp,inbound,001,World,9e-05 -clickon.com.ar,clickon.com.ar,inbound,001,World,0 -clickon.com.br,clickon.com.br,inbound,001,World,0 -clicktoviewthisurl.org,clicktoviewthisurl.org,inbound,001,World,0 -clicplan.com,dmdelivery.com,inbound,001,World,0 -climber.com,climber.com,inbound,001,World,0 -clinique.com,esteelauder.com,inbound,001,World,0 -clubcupon.com.ar,clubcupon.com.ar,inbound,001,World,0 -cmail1.com,createsend.com,inbound,001,World,0 -cmail2.com,createsend.com,inbound,001,World,0 -cmm01.com,coremotivesmarketing.com,inbound,001,World,0 -cmrfalabella.com,cmrfalabella.com,inbound,001,World,0 -coach.com,delivery.net,inbound,001,World,0 -cobone.com,emarsys.net,inbound,001,World,0 -cocacola.co.jp,cocacola.co.jp,inbound,001,World,0 -codebreak.info,codebreak.info,inbound,001,World,1 -codeproject.com,codeproject.com,inbound,001,World,0 -coldwatercreek.com,coldwatercreek.com,inbound,001,World,0 -collectionsetc.com,collectionsetc.com,inbound,001,World,0 -columbia.edu,columbia.edu,inbound,001,World,0.762355 -combzmail.jp,combzmail.jp,inbound,001,World,0 -comcast.net,comcast.net,inbound,001,World,0.888399 -comcast.net,comcast.net,outbound,001,World,0.999999 -comenity.net,alldata.net,inbound,001,World,1 -comenity.net,bigfootinteractive.com,inbound,001,World,0 -commonfloor.com,commonfloor.com,inbound,001,World,1 -communicatoremail.com,communicatoremail.com,inbound,001,World,0 -communitymatrimony.com,communitymatrimony.com,inbound,001,World,1 -compute.internal,amazonaws.com,inbound,001,World,0.858276 -computerworld.com,computerworld.com,inbound,001,World,0 -comunicacaodemkt.com,locaweb.com.br,inbound,001,World,0 -confirmedoptin.com,confirmedoptin.com,inbound,001,World,0 -confirmsignup.com,mmsend53.com,inbound,001,World,0 -conrepmail.com,conrepmail.com,inbound,001,World,0 -constantcontact.com,confirmedcc.com,inbound,001,World,0 -constantcontact.com,constantcontact.com,inbound,001,World,5.3e-05 -constantcontact.com,postini.com,inbound,001,World,0.078144 -constantcontact.com,yahoo.{...},inbound,001,World,0.999724 -contact-darty.com,mm-send.com,inbound,001,World,0 -contactlab.it,contactlab.it,inbound,001,World,0 -containerstore.com,containerstore.com,inbound,001,World,0 -continente.pt,1-hostingservice.com,inbound,001,World,0 -converse.com,converse.com,inbound,001,World,1 -convio.net,convio.net,inbound,001,World,0 -cookingchanneltv.com,cookingchanneltv.com,inbound,001,World,0 -cookpad.com,cookpad.com,inbound,001,World,0 -copernica.nl,picsrv.net,inbound,001,World,0.011507 -copernica.nl,vicinity.nl,inbound,001,World,0.011753 -coppel.com,coppel.com,inbound,001,World,0 -coremotivesmarketing.com,coremotivesmarketing.com,inbound,001,World,0 -cornell.edu,cornell.edu,inbound,001,World,0.195104 -corporateperks.com,nextjump.com,inbound,001,World,0 -correosocc.com,correosocc.com,inbound,001,World,1 -costco.co.uk,costco.com,inbound,001,World,0 -costco.com,costco.com,inbound,001,World,7e-06 -costcophotocenter.com,wc09.net,inbound,001,World,0 -costcoservices.com,costco.com,inbound,001,World,0 -cotswoldoutdoor.com,cotswoldoutdoor.com,inbound,001,World,0 -couchsurfing.org,couchsurfing.com,inbound,001,World,0 -countrycurtainscatalog.com,countrycurtainscatalog.com,inbound,001,World,0 -couponamama.com,couponamama.com,inbound,001,World,1 -coupondunia.in,coupondunia.in,inbound,001,World,1 -cox.com,cox.com,inbound,001,World,0.001665 -cox.net,cox.net,inbound,001,World,0.009187 -cox.net,cox.net,outbound,001,World,0 -coyotelogistics.com,postini.com,inbound,001,World,0 -cp20.com,cp20.com,inbound,001,World,0 -cpbnc.com,cpbnc.com,inbound,001,World,0 -cpbnc.com,fye.com,inbound,001,World,0 -cpc.gov.in,cpc.gov.in,inbound,001,World,0 -cpm.co.ma,cpm.co.ma,inbound,001,World,0 -crabtree-evelyn.com,crabtree-evelyn.com,inbound,001,World,0.000566 -crackle.com,crackle.com,inbound,001,World,0 -craigslist.org,craigslist.org,inbound,001,World,0 -craigslist.org,craigslist.org,outbound,001,World,1 -crainnewsalerts.com,crainnewsalerts.com,inbound,001,World,0 -crashlytics.com,crashlytics.com,inbound,001,World,1 -crashlytics.com,sendgrid.net,inbound,001,World,1 -crateandbarrel.com,crateandbarrel.com,inbound,001,World,0 -cratusservices.in,ramcorp.in,inbound,001,World,0 -creationsrewards.net,creationsrewards.net,inbound,001,World,0 -creditkarma.com,creditkarma.com,inbound,001,World,1 -credoaction.com,credoaction.com,inbound,001,World,1 -cricinfo.com,cricinfo.com,inbound,001,World,0 -cricut.com,elabs12.com,inbound,001,World,0 -criticalimpactinc.com,criticalimpactinc.com,inbound,001,World,0 -critsend.com,critsend.com,inbound,001,World,0 -crmstyle.com,crmstyle.com,inbound,001,World,0 -crocos.jp,crocos.jp,inbound,001,World,0 -crocs-email.com,crocs-email.com,inbound,001,World,0 -crosswalkmail.com,crosswalkmail.com,inbound,001,World,0 -crowdcut.com,crowdcut.com,inbound,001,World,1 -crsend.com,crsend.com,inbound,001,World,0.008688 -crunchyroll.com,crunchyroll.com,inbound,001,World,0 -csas.cz,csas.cz,inbound,001,World,0.999971 -ctrip.com,ctrip.com,inbound,001,World,0.01917 -cudo.com.au,exacttarget.com,inbound,001,World,0 -cuenote.jp,cuenote.jp,inbound,001,World,0 -cumulusdist.net,cumulusdist.net,inbound,001,World,0 -cupomturbinado.com.br,cupomnaweb.com.br,inbound,001,World,1 -cuponatic.com.pe,cuponatic.com.pe,inbound,001,World,1 -cuponicamail.com,fnbox.com,inbound,001,World,0 -cuppon.pl,cuppon.pl,inbound,001,World,0 -curbednetwork.com,curbednetwork.com,inbound,001,World,1 -curriculum.com.br,curriculum.com.br,inbound,001,World,0 -currys.co.uk,currys.co.uk,inbound,001,World,0 -cuspemail.com,neimanmarcusemail.com,inbound,001,World,0 -custom-emailing.com,elabs12.com,inbound,001,World,0 -custombriefings.com,custombriefings.com,inbound,001,World,0 -customercenter.net,customercenter.net,inbound,001,World,0.996453 -customeriomail.com,customeriomail.com,inbound,001,World,1 -cv-library.co.uk,cv-library.co.uk,inbound,001,World,0 -cvbankas.lt,efadm.eu,inbound,001,World,0 -cvent-planner.com,cvent-planner.com,inbound,001,World,0 -cw.com.tw,cw.com.tw,inbound,001,World,0.002535 -cwjobsmail.co.uk,totaljobsmail.co.uk,inbound,001,World,0 -cxomedia.com,cxomedia.com,inbound,001,World,0 -cybercoders.com,cybercoders.com,inbound,001,World,0 -cyberdiet.com.br,allinmedia.com.br,inbound,001,World,0 -cyberlinkmember.com,cyberlinkmember.com,inbound,001,World,0 -d-reizen.nl,dmdelivery.com,inbound,001,World,0 -dabmail.com,iaires.com,inbound,001,World,0 -dabmail.com,mailurja.com,inbound,001,World,0 -dafiti.cl,dafiti.cl,inbound,001,World,0 -dafiti.com.br,fagms.de,inbound,001,World,0 -dailyhoroscope.com,tarot.com,inbound,001,World,0 -dailyom.com,dailyom.com,inbound,001,World,1 -dairyqueen.com,dairyqueen.com,inbound,001,World,0 -datadrivenemail.com,datadrivenemail.com,inbound,001,World,0 -datehookup.com,datehookup.com,inbound,001,World,0 -datingfactory.com,caerussolutions.net,inbound,001,World,0 -datingvipnotifications.com,datingvipnotifications.com,inbound,001,World,0 -daveramsey.com,daveramsey.com,inbound,001,World,0.025924 -daviacalendar.com,daviacalendar.com,inbound,001,World,1 -davidsbridal.com,davidsbridal.com,inbound,001,World,0 -davidstea.com,bronto.com,inbound,001,World,0 -daz3d.com,bronto.com,inbound,001,World,0 -dbgi.co.uk,emc1.co.uk,inbound,001,World,0 -ddc-emails.com,ddc-emails.com,inbound,001,World,0 -deal.com.sg,emarsys.net,inbound,001,World,0 -dealchicken.com,dealchicken.com,inbound,001,World,0 -dealchicken.com,exacttarget.com,inbound,001,World,0 -dealersocket.com,dealersocket.com,inbound,001,World,4e-06 -dealfind.com,dealfind.com,inbound,001,World,0 -dealnews.com,dealnews.com,inbound,001,World,0 -dealsaver.com,secondstreetmedia.com,inbound,001,World,0.999823 -dealsdirect.com.au,dealsdirect.com.au,inbound,001,World,0 -dealspl.us,dealspl.us,inbound,001,World,0 -debian.org,debian.org,inbound,001,World,1 -debshops.com,lstrk.net,inbound,001,World,1 -deezer.com,dms30.com,inbound,001,World,0 -deliasshopemail.com,deliasshopemail.com,inbound,001,World,0 -delivery.net,delivery.net,inbound,001,World,0 -delivery.net,m0.net,inbound,001,World,0 -dell.com,bfi0.com,inbound,001,World,0 -dell.com,dell.com,inbound,001,World,0.969277 -delta.com,delta.com,inbound,001,World,0.092496 -dena.ne.jp,dena.ne.jp,inbound,001,World,0.000249 -dentalsenders.com,dentalsenders.com,inbound,001,World,0 -dermstore.com,exacttarget.com,inbound,001,World,0 -descontos.pt,descontos.pt,inbound,001,World,0 -designerapparel.com,myperfectsale.com,inbound,001,World,1 -despegar.com,despegar.com,inbound,001,World,0 -dhgate.com,chtah.net,inbound,001,World,0 -dhl.com,dhl.com,inbound,001,World,0.994107 -dice.com,dice.com,inbound,001,World,0 -dietaesaude.com.br,dietaesaude.com.br,inbound,001,World,0 -dietnavi.com,data-hotel.net,inbound,001,World,0 -digitalmailer.com,digitalmailer.com,inbound,001,World,0 -digitalmedia-comunicacion.es,chtah.net,inbound,001,World,0 -digitalromanceinc.com,digitalromanceinc.com,inbound,001,World,1 -dinda.com.br,dinda.com.br,inbound,001,World,0.017061 -dip-net.co.jp,dip-net.co.jp,inbound,001,World,0 -directcrm.ru,directcrm.ru,inbound,001,World,0 -directresponsemanager.com,wide.ne.jp,inbound,001,World,0 -directv.com,directv.com,inbound,001,World,0.050604 -directvla.com,directvla.com,inbound,001,World,0 -disc.co.jp,disc.co.jp,inbound,001,World,0.001051 -discover.com,discover.com,inbound,001,World,0 -discover.com,discoverfinancial.com,inbound,001,World,1 -dishtv.co.in,dishtv.co.in,inbound,001,World,0.047664 -disney.co.uk,emv9.com,inbound,001,World,0 -disneydestinations.com,disneyparks.com,inbound,001,World,0 -disneydestinations.com,disneyworld.com,inbound,001,World,0 -disparadordeemails.com,locaweb.com.br,inbound,001,World,0 -disqus.net,disqus.net,inbound,001,World,0 -diynetwork.com,diynetwork.com,inbound,001,World,0 -dks.com.tw,dks.com.tw,inbound,001,World,0.018134 -dmm.com,dmm.com,inbound,001,World,0 -dn.net,naukri.com,inbound,001,World,0 -docomo.ne.jp,docomo.ne.jp,inbound,001,World,0 -docomo.ne.jp,docomo.ne.jp,outbound,001,World,0 -doctoroz.com,email-sharecare2.com,inbound,001,World,0 -docusign.net,docusign.net,inbound,001,World,0.985435 -dollartree.com,email-dollartree.com,inbound,001,World,0 -dominos.com,dominos.com,inbound,001,World,0.011684 -dominos.com.au,dominos.com.au,inbound,001,World,0 -dominosemail.co.uk,dominosemail.co.uk,inbound,001,World,0 -donationnet.net,donationnet.net,inbound,001,World,0 -donuts.ne.jp,dnuts.jp,inbound,001,World,0 -doodle.com,doodle.com,inbound,001,World,1 -dorothyperkins.com,dorothyperkins.com,inbound,001,World,0 -dotmailer-email.com,dotmailer.com,inbound,001,World,0 -dotmailer.co.uk,dotmailer.com,inbound,001,World,0 -dotz.com.br,dotz.com.br,inbound,001,World,0 -doubletakeoffers.com,doubletakeoffers.com,inbound,001,World,0 -dowjones.info,dowjones.info,inbound,001,World,0 -downlinebuilderdirect.com,downlinebuilderdirect.com,inbound,001,World,0 -dpapp.nl,prikbordmailer.nl,inbound,001,World,0 -dpapp.nl,sslsecuref.nl,inbound,001,World,0 -dptagent.biz,dptagent.biz,inbound,001,World,0 -dptagent.net,dptagent.net,inbound,001,World,0 -draftkings.com,draftkings.com,inbound,001,World,0 -dreamhost.com,dreamhost.com,inbound,001,World,0 -dreammail.ne.jp,dreammail.jp,inbound,001,World,0 -dreamwidth.org,dreamwidth.org,inbound,001,World,0 -dreivip.com,dreivip.com,inbound,001,World,0.000301 -dress-for-less.de,privalia.com,inbound,001,World,0 -drhinternet.net,drhinternet.net,inbound,001,World,0 -driftem.com,emce2.in,inbound,001,World,0 -driftem.com,mailurja.com,inbound,001,World,0 -drjays-mail.com,drjays-mail.com,inbound,001,World,0 -dromadaire-news.com,ecmcluster.com,inbound,001,World,0 -dropbox.com,dropbox.com,inbound,001,World,1 -dropboxmail.com,dropbox.com,inbound,001,World,1 -drushim.co.il,drushim.co.il,inbound,001,World,0 -drweb.com,drweb.com,inbound,001,World,0.969315 -dstyleweb.com,dstyleweb.com,inbound,001,World,0.001099 -dsw.com,dsw.com,inbound,001,World,0 -ducks.org,uptilt.com,inbound,001,World,0 -duke.edu,duke.edu,inbound,001,World,0.308101 -dukecareers.com,dukecareers.com,inbound,001,World,1 -duluthtradingemail.com,email-duluthtrading.com,inbound,001,World,0 -dvor.com,dvor.com,inbound,001,World,0 -dynamite-safelist.com,thomas-j-brown.com,inbound,001,World,0 -dynect-mailer.net,dynect.net,inbound,001,World,0 -dynect-mailer.net,sendlabs.com,inbound,001,World,0 -e-activist.com,e-activist.com,inbound,001,World,0 -e-beallsonline.com,e-stagestores.com,inbound,001,World,0 -e-bodyc.com,email-bodycentral.com,inbound,001,World,0 -e-boks.dk,e-boks.dk,inbound,001,World,1 -e-costco.mx,costco.com,inbound,001,World,0 -e-ebuyer.com,e-ebuyer.com,inbound,001,World,0 -e-goodysonline.com,e-stagestores.com,inbound,001,World,0 -e-jobs-ville.com,e-jobs-ville.com,inbound,001,World,1 -e-leclerc.com,e-leclerc.com,inbound,001,World,0.000248 -e-mark.nl,e-mark.nl,inbound,001,World,0 -e-ngine.nl,e-ngine.nl,inbound,001,World,0 -e-peebles.com,e-stagestores.com,inbound,001,World,0 -e-rewards.net,e-rewards.net,inbound,001,World,1 -e-stagestores.com,e-stagestores.com,inbound,001,World,0 -e-travelclub.es,e-travelclub.es,inbound,001,World,0 -e2ma.net,e2ma.net,inbound,001,World,1 -ea.com,ea.com,inbound,001,World,0.001314 -eaccess.net,postini.com,inbound,001,World,0 -earn-e-miles.com,earn-e-miles.com,inbound,001,World,0 -earnerslist.com,traxweb.net,inbound,001,World,9e-06 -earthfare-email.com,edclient2.com,inbound,001,World,0 -earthlink.net,earthlink.net,inbound,001,World,0.031678 -earthlink.net,earthlink.net,outbound,001,World,0 -eastbay.com,footlocker.com,inbound,001,World,0 -easycanvasprints.com,easycanvasprints.com,inbound,001,World,0 -easyhealthoptions.com,easyhealthoptions.com,inbound,001,World,1 -easyhits4u.com,easyhits4u.com,inbound,001,World,1 -easyhits4u.com,relmax.net,inbound,001,World,0 -easyroommate.com,easyroommate.com,inbound,001,World,0.108483 -ebags.com,ebags.com,inbound,001,World,0 -ebates.com,bfi0.com,inbound,001,World,0 -ebay-kleinanzeigen.de,mobile.de,inbound,001,World,1 -ebay.{...},ebay.{...},inbound,001,World,0.99953 -ebay.{...},emarsys.net,inbound,001,World,0 -ebay.{...},postdirect.com,inbound,001,World,0 -ebizac2.com,ebizac2.com,inbound,001,World,0 -ebizac3.com,ebizac3.com,inbound,001,World,0 -eblastengine.com,secondstreetmedia.com,inbound,001,World,0.999827 -ebuildabear.com,ebuildabear.com,inbound,001,World,8e-06 -ec2.internal,amazonaws.com,inbound,001,World,0.769117 -ec21.com,ec21.com,inbound,001,World,0.002261 -ecasend.com,ecasend.com,inbound,001,World,0 -ecnavi.jp,ecnavi.jp,inbound,001,World,0 -ecommzone.com,ecommzone.com,inbound,001,World,0 -ed.gov,leepfrog.com,inbound,001,World,0.106381 -ed10.net,ed10.com,inbound,001,World,0 -ed10.net,postini.com,inbound,001,World,0.083658 -edarling.fr,fagms.de,inbound,001,World,0 -eddiebauer.com,eddiebauer.com,inbound,001,World,0 -edima.hu,edima.hu,inbound,001,World,0 -edirect1.com,ivytech.edu,inbound,001,World,0 -edmodo.com,edmodo.com,inbound,001,World,1.1e-05 -educationzone.co.in,iaires.com,inbound,001,World,0 -eduk.com,eduk.com,inbound,001,World,0 -efamilydollar.com,efamilydollar.com,inbound,001,World,0 -effectivesafelist.com,zoothost.com,inbound,001,World,0 -efox-shop.com,dmdelivery.com,inbound,001,World,0 -eharmony.com,eharmony.com,inbound,001,World,1e-06 -eigbox.net,eigbox.net,inbound,001,World,0 -ejobs.ro,ejobs.ro,inbound,001,World,8.4e-05 -elabs10.com,elabs10.com,inbound,001,World,0 -elabs12.com,elabs12.com,inbound,001,World,0 -elabs3.com,elabs3.com,inbound,001,World,0 -elabs3.com,meritline.com,inbound,001,World,0 -elabs5.com,elabs5.com,inbound,001,World,0 -elabs6.com,elabs6.com,inbound,001,World,0 -elaine-asp.de,artegic.net,inbound,001,World,0.999997 -elanceonline.com,elanceonline.com,inbound,001,World,0 -elcorteingles.es,elcorteingles.es,inbound,001,World,0 -eleadtrack.net,eleadtrack.net,inbound,001,World,0 -elektronskaposta.si,eprvak.si,inbound,001,World,0 -elettershop.de,servicemail24.de,inbound,001,World,1 -elistas.net,elistas.net,inbound,001,World,0 -elitesafelist.com,elitesafelist.com,inbound,001,World,0 -elkjop.no,ec-cluster.com,inbound,001,World,0 -elkjop.no,eccluster.com,inbound,001,World,0 -elo7.com.br,elo7.com.br,inbound,001,World,0 -emag.ro,emag.ro,inbound,001,World,0.005013 -email-1800contacts.com,email-1800contacts.com,inbound,001,World,0 -email-aaa.com,email-aaa.com,inbound,001,World,0 -email-aeriagames.com,email-aeriagames.com,inbound,001,World,0 -email-comparethemarket.com,smartfocusdigital.net,inbound,001,World,0 -email-cooking.com,email-cooking.com,inbound,001,World,0 -email-dressbarn.com,email-dressbarn.com,inbound,001,World,0 -email-firestone.com,reminder-firestone.com,inbound,001,World,0 -email-galls.com,email-galls.com,inbound,001,World,1 -email-honest.com,email-honest.com,inbound,001,World,0 -email-od.com,email-od.com,inbound,001,World,0.999652 -email-od.com,smtprelayserver.com,inbound,001,World,0.999779 -email-petsmart.com,email-petsmart.com,inbound,001,World,0 -email-sportchalet.com,email-sportchalet.com,inbound,001,World,0 -email-telekom.de,ecm-cluster.com,inbound,001,World,0 -email-ticketdada.com,email-ticketdada.com,inbound,001,World,1 -email-totalwine.com,email-totalwine.com,inbound,001,World,0 -email-wildstar-online.com,email-carbine.com,inbound,001,World,0 -email2-beyond.com,messagebus.com,inbound,001,World,0 -email360api.com,email360api.com,inbound,001,World,0 -email365inc.com,email365inc.com,inbound,001,World,0 -email3m.com,email3m.com,inbound,001,World,0 -email4-beyond.com,email4-beyond.com,inbound,001,World,0 -emailcounts.com,secureserver.net,inbound,001,World,0 -emaildir2.com,emaildirect.net,inbound,001,World,0 -emaildir2.com,espsnd.com,inbound,001,World,0 -emailnotify.net,emailnotify.net,inbound,001,World,0.961424 -emailrestaurant.com,emailrestaurant.com,inbound,001,World,0 -emailsbancoestado.cl,emailsbancoestado.cl,inbound,001,World,0 -emailsripley.cl,etarget.cl,inbound,001,World,0 -emailtoryburch.com,emailtoryburch.com,inbound,001,World,0 -emarsys.net,emarsys.net,inbound,001,World,0.092041 -embarqmail.com,centurylink.net,inbound,001,World,0.999918 -embluejet.com,embluejet.com,inbound,001,World,0 -embluejet.com,emblueuser.com,inbound,001,World,0 -emcsend.com,emcsend.com,inbound,001,World,0 -emergencyemail.org,emergencyemail.org,inbound,001,World,0 -eminentinc.com,eminentinc.com,inbound,001,World,0 -emktsender.net,locaweb.com.br,inbound,001,World,0 -emktviajarbarato.com.br,splio.com.br,inbound,001,World,0.875902 -emma.cl,emma.cl,inbound,001,World,0.996895 -emobile.ad.jp,postini.com,inbound,001,World,0 -employboard.com,employboard.com,inbound,001,World,1 -empoweredcomms.com.au,empoweredcomms.com.au,inbound,001,World,0 -emsecure.net,emsecure.net,inbound,001,World,0 -emsmtp.com,emsmtp.com,inbound,001,World,0.175797 -en-japan.com,en-japan.com,inbound,001,World,0.000204 -en25.com,kqed.org,inbound,001,World,0 -enewscartes.net,bp06.net,inbound,001,World,0 -enewsletter.pl,enewsletter.pl,inbound,001,World,0.005395 -enewsletter.pl,mydeal.pl,inbound,001,World,0 -enewsletter.pl,sare25.com,inbound,001,World,0 -enplenitud.com,enplenitud.com,inbound,001,World,0 -entregadeemails.com,locaweb.com.br,inbound,001,World,0 -entregadordecampanhas.net,locaweb.com.br,inbound,001,World,0 -entrepreneur.com,entrepreneur.com,inbound,001,World,0 -enviodecampanhas.net,locaweb.com.br,inbound,001,World,0 -enviodemkt.com.br,locaweb.com.br,inbound,001,World,0 -eonet.ne.jp,eonet.ne.jp,inbound,001,World,0.99955 -epaper.com.tw,epaper.com.tw,inbound,001,World,0 -eplus.jp,eplus.jp,inbound,001,World,0 -epriority.com,epriority.com,inbound,001,World,0 -equifax.com,equifax.com,inbound,001,World,0.936013 -equussafelist.com,equussafelist.com,inbound,001,World,0.000265 -eslitebooks.com,eslitebooks.com,inbound,001,World,0 -espmp-agfr.net,bp06.net,inbound,001,World,0 -esprit-friends.com,esprit-friends.com,inbound,001,World,0 -esri.com,esri.com,inbound,001,World,0.983104 -esteelauder.com,esteelauder.com,inbound,001,World,0 -ethingsremembered.com,ethingsremembered.com,inbound,001,World,0 -etrade.com,etrade.com,inbound,001,World,0.021422 -etransmail.com,etransmail.com,inbound,001,World,0 -etransmail.com,ptransmail.com,inbound,001,World,0 -etrmailbox.com,etrmailbox.com,inbound,001,World,0 -etsy.com,etsy.com,inbound,001,World,0.020844 -euromsg.net,euromsg.net,inbound,001,World,0 -evaair.com,evaair.com,inbound,001,World,0.007363 -evanguard.com,evanguard.com,inbound,001,World,0 -evanscycles.com,msgfocus.com,inbound,001,World,0 -eventbrite.com,eventbrite.com,inbound,001,World,0 -evernote.com,evernote.com,inbound,001,World,1 -eversavelocal.com,eversavelocal.com,inbound,001,World,0 -everydayfamily.com,everydayfamily.com,inbound,001,World,0 -everydayhealthinc.com,waterfrontmedia.net,inbound,001,World,0 -everyjobforme.com,everyjobforme.com,inbound,001,World,0 -everytown.org,everytown.org,inbound,001,World,1 -exacttarget.com,bazaarvoice.com,inbound,001,World,0 -exacttarget.com,booksamillion.com,inbound,001,World,0 -exacttarget.com,exacttarget.com,inbound,001,World,0.000325 -exacttarget.com,msg.com,inbound,001,World,0 -exacttarget.com,redboxinstant.com,inbound,001,World,0 -exacttarget.com,skylinetechnologies.com,inbound,001,World,0 -exchangesolutions.com,exchangesolutions.com,inbound,001,World,0.000143 -exec-u-net-mail.com,exec-u-net-mail.com,inbound,001,World,0 -expediamail.com,airasiago.com,inbound,001,World,1 -expediamail.com,exacttarget.com,inbound,001,World,1 -expediamail.com,expediamail.com,inbound,001,World,0.839662 -expediamail.com,quotitmail.com,inbound,001,World,0 -experteer.com,experteer.com,inbound,001,World,0 -express.com,expressfashion.com,inbound,001,World,0 -exprpt.com,exprpt.com,inbound,001,World,0 -expvtinboxhub.net,expvtinboxhub.net,inbound,001,World,0 -extra.com.br,emv8.com,inbound,001,World,0 -eyepin.com,eyepin.com,inbound,001,World,0 -ezweb.ne.jp,ezweb.ne.jp,inbound,001,World,0.282076 -ezweb.ne.jp,ezweb.ne.jp,outbound,001,World,0 -fabfurnish.com,fagms.de,inbound,001,World,0 -fabletics.com,bronto.com,inbound,001,World,0 -facebook.com,facebook.com,inbound,001,World,0.553197 -facebook.com,facebook.com,outbound,001,World,1 -facebookappmail.com,facebook.com,inbound,001,World,1 -facebookmail.com,facebook.com,inbound,001,World,1 -facebookmail.com,postini.com,inbound,001,World,0.726315 -facebookmail.com,yahoo.{...},inbound,001,World,0.999904 -facilisimo.com,facilisimo.com,inbound,001,World,1 -fagms.net,fagms.de,inbound,001,World,0 -falabella.com,falabella.com,inbound,001,World,0 -familychristianmail.com,familychristianmail.com,inbound,001,World,0 -famousfootwear.com,famousfootwear.com,inbound,001,World,0 -fanatics.com,fanatics.com,inbound,001,World,0 -fanaticsretailgroup.com,fanaticsretailgroup.com,inbound,001,World,0 -fanbridge.com,fanbridge.com,inbound,001,World,0.000198 -fanfiction.com,fictionpress.com,inbound,001,World,1 -fanofannas.com,fanofannas.com,inbound,001,World,0 -fansedge.com,fansedge.com,inbound,001,World,0 -farmers.com,farmers.com,inbound,001,World,0.999984 -farmersonly.com,mailgun.net,inbound,001,World,1 -farmersonly.com,mailgun.us,inbound,001,World,1 -fashion2hub.in,mgenie.in,inbound,001,World,0 -fastcompany.com,fastcompany.com,inbound,001,World,0 -fastgb.com,fastgb.com,inbound,001,World,0 -fastlistmailer.com,zoothost.com,inbound,001,World,0 -fastweb.com,fastweb.com,inbound,001,World,0 -fbi.gov,fbi.gov,inbound,001,World,0 -fbmta.com,fbmta.com,inbound,001,World,0 -fc2.com,fc2.com,inbound,001,World,0.000798 -fedex.com,fedex.com,inbound,001,World,0.921011 -fedoraproject.org,fedoraproject.org,inbound,001,World,5e-06 -feedblitz.com,feedblitz.com,inbound,001,World,0 -feld-ent.com,postdirect.com,inbound,001,World,0 -felissimo.jp,felissimo.jp,inbound,001,World,0 -fellowshiponemail.com,fellowshiponemail.com,inbound,001,World,0 -fetlifemail.com,fetlifemail.com,inbound,001,World,0 -fibertel.com.ar,fibertel.com.ar,inbound,001,World,0.003897 -fidelity.com,fidelity.com,inbound,001,World,1 -fidelizador.org,fidelizador.org,inbound,001,World,0 -financialfreedommail.com,financialfreedommail.com,inbound,001,World,0 -finansbank.com.tr,finansbank.com.tr,inbound,001,World,0.927 -findexpvtinbox.com,findexpvtinbox.com,inbound,001,World,0 -fingerhut.com,fingerhut.com,inbound,001,World,0.020664 -finishline.com,finishline.com,inbound,001,World,0 -finn.no,schibsted-it.no,inbound,001,World,0.002893 -firemountaingems.com,firemountaingems.com,inbound,001,World,0 -fiscosoft.com.br,fiscosoft.com.br,inbound,001,World,0 -fisher-price.com,fisher-price.com,inbound,001,World,0 -fitbit.com,fitbit.com,inbound,001,World,1 -fitnessmagazine.com,meredith.com,inbound,001,World,0 -fiverr.com,fiverr.com,inbound,001,World,0 -fixeads.com,fixeads.com,inbound,001,World,0 -flets.com,flets.com,inbound,001,World,0 -flexmls.com,flexmls.com,inbound,001,World,0.999992 -flightaware.com,flightaware.com,inbound,001,World,0.020698 -flipkart.com,flipkart.com,inbound,001,World,1 -flirchi.com,flirchi.com,inbound,001,World,1.0 -flirt.com,ropot.net,inbound,001,World,0 -flirthookup.com,flirthookup.com,inbound,001,World,1 -flirtlocal.com,flirtlocal.com,inbound,001,World,1 -flmsecure.com,fling.com,inbound,001,World,0 -flmsecure.com,flmsecure.com,inbound,001,World,0 -floridajobdepartment.com,floridajobdepartment.com,inbound,001,World,0 -flyceb.com,flyceb.com,inbound,001,World,0 -flyfrontier.com,flyfrontier.com,inbound,001,World,0 -flymonarchemail.com,flymonarchemail.com,inbound,001,World,0 -fmworld.net,fmworld.net,inbound,001,World,0 -fnac.com,fnac.com,inbound,001,World,0.021985 -fnb.co.za,fnb.co.za,inbound,001,World,0.104983 -fofa.jp,mpme.jp,inbound,001,World,0 -follow-up.se,follow-up.se,inbound,001,World,1 -foodnetwork.com,foodnetwork.com,inbound,001,World,0 -foolsubs.com,foolcs.com,inbound,001,World,0 -foolsubs.com,foolsubs.com,inbound,001,World,0 -footaction.com,footlocker.com,inbound,001,World,0 -footlocker.com,footlocker.com,inbound,001,World,0.000605 -forcemail.in,iaires.com,inbound,001,World,0 -foreseegame.com,iaires.com,inbound,001,World,0 -forever21.com,forever21.com,inbound,001,World,0 -fortisbusinessmedia.com,fortisbusinessmedia.com,inbound,001,World,0 -fotffamily.com,fotffamily.com,inbound,001,World,0 -fotocasa.es,fotocasa.es,inbound,001,World,0 -fotolivro.com.br,fotolivro.com.br,inbound,001,World,0 -fotostrana.ru,fotocdn.net,inbound,001,World,3.4e-05 -foursquare.com,foursquare.com,inbound,001,World,1 -foxnews.com,foxnews.com,inbound,001,World,0.0139 -fpmailerbr.com,fpmailerbr.com,inbound,001,World,0 -fragrancenet.com,fragrancenet.com,inbound,001,World,0.000427 -francescas.com,bronto.com,inbound,001,World,0 -free-lance.ru,free-lance.ru,inbound,001,World,0 -free.fr,free.fr,inbound,001,World,0.984012 -free.fr,free.fr,outbound,001,World,6.9e-05 -freeadsmailer.com,zoothost.com,inbound,001,World,0 -freebeesafelist.com,zoothost.com,inbound,001,World,0 -freebizmag.com,delivery.net,inbound,001,World,0 -freebsd.org,freebsd.org,inbound,001,World,0.999835 -freecycle.org,freecycle.org,inbound,001,World,0.999927 -freedesktop.org,freedesktop.org,inbound,001,World,0 -freeflys.com,freeflys.com,inbound,001,World,0 -freelancer.com,freelancer.com,inbound,001,World,0 -freelancer.com,freelancernotify.com,inbound,001,World,0 -freelancer.com,getafreelancer.com,inbound,001,World,0 -freelists.org,iquest.net,inbound,001,World,0 -freelotto.com,plasmanetinc.com,inbound,001,World,0 -freemail.hu,freemail.hu,outbound,001,World,0 -freeml.com,gmo-media.jp,inbound,001,World,0 -freepeople.com,freepeople.com,inbound,001,World,0 -freesafelistking.com,zoothost.com,inbound,001,World,0 -freesafelistmailer.com,waters-advertising.com,inbound,001,World,0 -freshdesk.com,freshdesk.com,inbound,001,World,1 -freshers2015.com,secureserver.net,inbound,001,World,0 -freshlatesave.com,freshlatesave.com,inbound,001,World,1 -freshmail.pl,freshmail.pl,inbound,001,World,0 -fridays.com,fridays.com,inbound,001,World,0 -friskone.com,mailurja.com,inbound,001,World,0 -frk.com,frk.com,inbound,001,World,0.999995 -frontdoor.com,frontdoor.com,inbound,001,World,0 -frontgate-email.com,frontgate-email.com,inbound,001,World,0 -frontsight.com,frontsight.com,inbound,001,World,0 -frys.com,frys.com,inbound,001,World,0.00388 -frysmail.com,frysmail.com,inbound,001,World,0 -fspeletters.com,agorapub.co.uk,inbound,001,World,0 -ftchinese.com,ftchinese.com,inbound,001,World,0 -fubonshop.com,fubonshop.com,inbound,001,World,0 -fuckbooknet.net,infinitypersonals.com,inbound,001,World,0 -fuelrewards.com,britecast.com,inbound,001,World,0 -fundplaza.co.in,arrowsignindia.com,inbound,001,World,0 -fundplaza.in,fundplaza.in,inbound,001,World,0 -funonthenet.in,funonthenet.in,inbound,001,World,1 -futureshop.com,futureshop.com,inbound,001,World,0 -futurmailer.pt,futurmailer.pt,inbound,001,World,0 -gabbar.info,gabbar.info,inbound,001,World,1 -gaiaonline.com,gaiaonline.com,inbound,001,World,0 -gamecity.ne.jp,gamecity.ne.jp,inbound,001,World,0 -gamefly.com,gamefly.com,inbound,001,World,0.013381 -gamehouse.com,gamehouse.com,inbound,001,World,0 -gamingmails.com,gamingmails.com,inbound,001,World,0 -gap.com,gap.com,inbound,001,World,0 -gap.eu,gap.eu,inbound,001,World,0 -gapcanada.ca,gapcanada.ca,inbound,001,World,0 -garanti.com.tr,euromsg.net,inbound,001,World,0 -garanti.com.tr,garanti.com.tr,inbound,001,World,0.421936 -gardeningclubmail.co.uk,msgfocus.com,inbound,001,World,0 -garnethill-email.com,garnethill-email.com,inbound,001,World,0 -gaylordalert.com,gaylordalert.com,inbound,001,World,0 -gbyguess.com,guess.com,inbound,001,World,0.001787 -gcast.com.au,systemsserver.net,inbound,001,World,0 -gdtsuccess.com,groupdealtools.com,inbound,001,World,1 -geico.com,geico.com,inbound,001,World,0.096879 -gemoney.com,rsys1.com,inbound,001,World,0 -gene.com,roche.com,inbound,001,World,1 -generalmills.com,boxtops4education.com,inbound,001,World,0 -generalmills.com,pillsbury.com,inbound,001,World,0 -gentoo.org,gentoo.org,inbound,001,World,1 -geocaching.com,groundspeak.com,inbound,001,World,1 -geojit.com,geojit.com,inbound,001,World,0.203748 -get-me-jobs.com,get-me-jobs.com,inbound,001,World,0 -gethired.com,gethired.com,inbound,001,World,1 -getinbox.net,getinbox.net,inbound,001,World,0 -getitfree.us,getitfree.us,inbound,001,World,0 -getkeepsafe.com,getkeepsafe.com,inbound,001,World,1 -getmein.com,getmein.com,inbound,001,World,0 -getpaidsolutions.com,getpaidsolutions.com,inbound,001,World,1 -getpocket.com,bronto.com,inbound,001,World,0 -getresponse.com,getresponse.com,inbound,001,World,0 -gfsmarketplace-email.com,gfsmarketplace-email.com,inbound,001,World,0 -ghin.com,ghinconnect.com,inbound,001,World,0 -ghup.in,mgenie.in,inbound,001,World,0 -giffgaff.com,giffgaff.com,inbound,001,World,0 -gillyhicks-email.com,abercrombie-email.com,inbound,001,World,0 -gilt.com,gilt.com,inbound,001,World,1e-06 -gilt.jp,gilt.jp,inbound,001,World,0 -github.com,github.com,inbound,001,World,1 -github.com,github.net,inbound,001,World,1 -github.com,postini.com,inbound,001,World,0.872186 -glassdoor.com,glassdoor.com,inbound,001,World,0.662834 -glasses.com,glasses.com,inbound,001,World,0 -gliq.com,gliq.com,inbound,001,World,0.99852 -globalmembersupport.com,globalmembersupport.com,inbound,001,World,0 -globalsafelist.com,globalsafelist.com,inbound,001,World,0 -globalsources.com,globalsources.com,inbound,001,World,0.007546 -globalspec.com,globalspec.com,inbound,001,World,0 -globaltestmarket.com,globaltestmarket.com,inbound,001,World,0 -globasemail.com,globasemail.com,inbound,001,World,0.951088 -globetel.com.ph,globetel.com.ph,inbound,001,World,1 -gmail.com,02.net,inbound,001,World,0.998007 -gmail.com,amazonaws.com,inbound,001,World,0.988441 -gmail.com,anteldata.net.uy,inbound,001,World,0.998653 -gmail.com,as13285.net,inbound,001,World,0.999943 -gmail.com,asianet.co.th,inbound,001,World,0.998473 -gmail.com,au-net.ne.jp,inbound,001,World,1 -gmail.com,bbox.fr,inbound,001,World,0.919868 -gmail.com,bbtec.net,inbound,001,World,1 -gmail.com,belgacom.be,inbound,001,World,0.822281 -gmail.com,bell.ca,inbound,001,World,0.992482 -gmail.com,bellsouth.net,inbound,001,World,0.9996 -gmail.com,bezeqint.net,inbound,001,World,0.974444 -gmail.com,bigpond.net.au,inbound,001,World,0.999907 -gmail.com,blackberry.com,inbound,001,World,0.996337 -gmail.com,bluewin.ch,inbound,001,World,0.9337 -gmail.com,brasiltelecom.net.br,inbound,001,World,0.99995 -gmail.com,btcentralplus.com,inbound,001,World,0.999969 -gmail.com,centurytel.net,inbound,001,World,0.999415 -gmail.com,cgocable.net,inbound,001,World,0.998291 -gmail.com,charter.com,inbound,001,World,0.999111 -gmail.com,chello.nl,inbound,001,World,0.999951 -gmail.com,claro.net.br,inbound,001,World,1 -gmail.com,comcast.net,inbound,001,World,0.999616 -gmail.com,comcastbusiness.net,inbound,001,World,0.985464 -gmail.com,cox.net,inbound,001,World,0.962636 -gmail.com,data-hotel.net,inbound,001,World,0.000605 -gmail.com,emailsrvr.com,inbound,001,World,1 -gmail.com,embarqhsd.net,inbound,001,World,0.999554 -gmail.com,fastwebnet.it,inbound,001,World,0.984708 -gmail.com,franchiseindia.com,inbound,001,World,1 -gmail.com,frontiernet.net,inbound,001,World,0.995233 -gmail.com,gvt.net.br,inbound,001,World,0.999513 -gmail.com,hinet.net,inbound,001,World,0.97312 -gmail.com,iinet.net.au,inbound,001,World,0.966984 -gmail.com,jazztel.es,inbound,001,World,0.999701 -gmail.com,lorexddns.net,inbound,001,World,0 -gmail.com,majesticmoneymailer.com,inbound,001,World,1 -gmail.com,mchsi.com,inbound,001,World,0.999951 -gmail.com,movistar.cl,inbound,001,World,0.999361 -gmail.com,mtnl.net.in,inbound,001,World,0.999527 -gmail.com,mycingular.net,inbound,001,World,0.999918 -gmail.com,myvzw.com,inbound,001,World,0.999889 -gmail.com,naukri.com,inbound,001,World,0.000998 -gmail.com,net24.it,inbound,001,World,0.999964 -gmail.com,netcabo.pt,inbound,001,World,0.998164 -gmail.com,netvigator.com,inbound,001,World,0.818637 -gmail.com,numericable.fr,inbound,001,World,0.999726 -gmail.com,ocn.ne.jp,inbound,001,World,0.99466 -gmail.com,ono.com,inbound,001,World,0.995991 -gmail.com,optonline.net,inbound,001,World,0.999776 -gmail.com,optusnet.com.au,inbound,001,World,0.992856 -gmail.com,orange.es,inbound,001,World,0.998743 -gmail.com,orange.fr,inbound,001,World,0 -gmail.com,otenet.gr,inbound,001,World,0.957964 -gmail.com,panda-world.ne.jp,inbound,001,World,1 -gmail.com,postini.com,inbound,001,World,0.776029 -gmail.com,proxad.net,inbound,001,World,0.998094 -gmail.com,qwest.net,inbound,001,World,0.997575 -gmail.com,rcn.com,inbound,001,World,0.986768 -gmail.com,rima-tde.net,inbound,001,World,0.99915 -gmail.com,rogers.com,inbound,001,World,0.999917 -gmail.com,rr.com,inbound,001,World,0.967896 -gmail.com,sbcglobal.net,inbound,001,World,0.998817 -gmail.com,secureserver.net,inbound,001,World,0.272513 -gmail.com,seed.net.tw,inbound,001,World,0.992252 -gmail.com,sfr.net,inbound,001,World,0.999878 -gmail.com,shawcable.net,inbound,001,World,0.999998 -gmail.com,singnet.com.sg,inbound,001,World,0.955461 -gmail.com,skybroadband.com,inbound,001,World,0.999854 -gmail.com,spcsdns.net,inbound,001,World,0.999998 -gmail.com,suddenlink.net,inbound,001,World,0.961594 -gmail.com,t-ipconnect.de,inbound,001,World,0.999841 -gmail.com,tdc.net,inbound,001,World,0.999591 -gmail.com,telecom.net.ar,inbound,001,World,0.999664 -gmail.com,telecomitalia.it,inbound,001,World,0.996998 -gmail.com,telekom.hu,inbound,001,World,0.999977 -gmail.com,telenet.be,inbound,001,World,1 -gmail.com,telepac.pt,inbound,001,World,0.999584 -gmail.com,telesp.net.br,inbound,001,World,0.999743 -gmail.com,telia.com,inbound,001,World,1 -gmail.com,telkomadsl.co.za,inbound,001,World,0.999989 -gmail.com,telus.com,inbound,001,World,1 -gmail.com,telus.net,inbound,001,World,0.974677 -gmail.com,threembb.co.uk,inbound,001,World,1 -gmail.com,tmodns.net,inbound,001,World,0.999979 -gmail.com,totbb.net,inbound,001,World,0.999876 -gmail.com,tpgi.com.au,inbound,001,World,0.999649 -gmail.com,tpnet.pl,inbound,001,World,0.999761 -gmail.com,veloxzone.com.br,inbound,001,World,0.999969 -gmail.com,verizon.net,inbound,001,World,0.990214 -gmail.com,videotron.ca,inbound,001,World,0.967213 -gmail.com,virginm.net,inbound,001,World,0.996611 -gmail.com,vodacom.co.za,inbound,001,World,1 -gmail.com,vodafone-ip.de,inbound,001,World,1 -gmail.com,vodafone.pt,inbound,001,World,0.999563 -gmail.com,vodafonedsl.it,inbound,001,World,0.999006 -gmail.com,vtr.net,inbound,001,World,0.999072 -gmail.com,wanadoo.fr,inbound,001,World,0.999753 -gmail.com,websitewelcome.com,inbound,001,World,1 -gmail.com,wideopenwest.com,inbound,001,World,0.999729 -gmail.com,windstream.net,inbound,001,World,0.951847 -gmail.com,yahoo.{...},inbound,001,World,0.999147 -gmail.com,ziggo.nl,inbound,001,World,1 -gmail.com,zoothost.com,inbound,001,World,0.033858 -gmo.jp,gmo-media.jp,inbound,001,World,0 -gmoes.jp,gmoes.jp,inbound,001,World,0 -gmsend.com,gmsend.com,inbound,001,World,0 -gmt.ne.jp,gmt.ne.jp,inbound,001,World,0 -gmx.de,gmx.net,inbound,001,World,1 -gmx.de,gmx.net,outbound,001,World,1 -gmx.net,gmx.net,inbound,001,World,1 -gnavi.co.jp,gnavi.co.jp,inbound,001,World,0.002441 -go.com,starwave.com,inbound,001,World,0.006276 -go4worldbusiness.com,go4worldbusiness.com,inbound,001,World,1 -goalunited.org,ccmdcampaigns.net,inbound,001,World,0 -gob.ar,gob.ar,inbound,001,World,0.159673 -gob.ec,gob.ec,inbound,001,World,0.618006 -godaddy.com,secureserver.net,inbound,001,World,0 -godtubemail.com,godtubemail.com,inbound,001,World,0 -godvinemail.com,godvinemail.com,inbound,001,World,0 -gog.com,gog.com,inbound,001,World,0 -gogecapital.com,rsys1.com,inbound,001,World,0 -gogroopie.com,gogroopie.com,inbound,001,World,0.000283 -gohappy.com.tw,gohappy.com.tw,inbound,001,World,0.000104 -goldenbrands.gr,goldenbrands.gr,inbound,001,World,1 -goldenline.pl,goldenline.pl,inbound,001,World,1 -goldenopsafelist.com,zoothost.com,inbound,001,World,0 -goldstar.com,goldstar.com,inbound,001,World,1 -golfmnb.com,golfmnb.com,inbound,001,World,0 -golfnow.com,email-golfnow.com,inbound,001,World,0 -gomaji.com,gomaji.com,inbound,001,World,0 -goodgame.com,emsmtp.com,inbound,001,World,0 -goodlife.pt,emv8.com,inbound,001,World,0 -google.com,postini.com,inbound,001,World,0.703706 -googlegroups.com,postini.com,inbound,001,World,0.674075 -googlemail.com,t-ipconnect.de,inbound,001,World,0.999957 -gop.com,gop.com,inbound,001,World,0 -gopusamedia.com,gopusamedia.com,inbound,001,World,0 -govdelivery.com,govdelivery.com,inbound,001,World,0 -govdelivery.com,postini.com,inbound,001,World,0.089736 -governmentjobs.com,governmentjobs.com,inbound,001,World,0 -gpmailer.com.br,parperfeito.com,inbound,001,World,0 -grabone-mail-ie.com,grabone-mail-ie.com,inbound,001,World,0 -grabone-mail.com,grabone-mail.com,inbound,001,World,0 -grassrootsaction.com,grassfire.net,inbound,001,World,0 -gratka.pl,gratka.pl,inbound,001,World,0 -greatergood.com,greatergood.com,inbound,001,World,0 -gree.jp,gree.jp,inbound,001,World,0 -grocerycouponnetwork.com,grocerycouponnetwork.com,inbound,001,World,0 -groopdealz.com,groopdealz.com,inbound,001,World,1 -groupalia.es,groupalia.es,inbound,001,World,0 -groupalia.it,groupalia.it,inbound,001,World,0 -groupon.jp,data-hotel.net,inbound,001,World,1e-06 -groupon.{...},chtah.net,inbound,001,World,0 -groupon.{...},groupon.{...},inbound,001,World,0.989844 -groupon.{...},postini.com,inbound,001,World,0.887392 -grouponmail.{...},grouponmail.{...},inbound,001,World,0 -grubhubmail.com,grubhubmail.com,inbound,001,World,0 -grupanya.com,euromsg.net,inbound,001,World,0 -grupos.com.br,grupos.com.br,inbound,001,World,0 -gtbank.com,gtbank.com,inbound,001,World,0.056121 -guess.ca,guess.com,inbound,001,World,0.000807 -guess.com,guess.com,inbound,001,World,0.003805 -guessfactory.com,guess.com,inbound,001,World,0.00164 -gumtree.com,marktplaats.nl,inbound,001,World,0 -gumtree.com.au,kijiji.com,inbound,001,World,0 -gunosy.com,gunosy.com,inbound,001,World,0.998682 -guruin.info,guru.net.in,inbound,001,World,1 -gurunavi.jp,gurunavi.jp,inbound,001,World,0 -gustazos.com,cityoferta.com,inbound,001,World,1 -gymglish.com,gymglish.com,inbound,001,World,0.000788 -habitaclia.com,splio.es,inbound,001,World,0.951406 -hallmark.com,hallmark.com,inbound,001,World,0 -hannaandersson.com,hannaandersson.com,inbound,001,World,0.013533 -harborfreightemail.com,harborfreightemail.com,inbound,001,World,0 -harristeetermail.com,harristeetermail.com,inbound,001,World,0.99673 -harvard.edu,harvard.edu,inbound,001,World,0.1751 -haskell.org,haskell.org,inbound,001,World,0.000703 -hautelook.com,hautelook.com,inbound,001,World,0.000459 -hayneedle.com,hayneedle.com,inbound,001,World,0 -hazteoir.org,hazteoir.org,inbound,001,World,0.31478 -hdfcbank.com,powerelay.com,inbound,001,World,1 -hdfcbank.net,powerelay.com,inbound,001,World,1 -hdfcbank.net,quickvmail.com,inbound,001,World,0 -helpareporter.net,helpareporter.com,inbound,001,World,0 -hepsiburada.com,euromsg.net,inbound,001,World,0 -herbalifemail.com,herbalifemail.com,inbound,001,World,0 -herculist.com,herculist.com,inbound,001,World,0 -heteml.jp,heteml.jp,inbound,001,World,0.950766 -hgtv.com,hgtv.com,inbound,001,World,0 -hh.ru,hh.ru,inbound,001,World,0.996236 -hhgreggemail.com,hhgreggemail.com,inbound,001,World,0 -hilton.com,hiltonemail.com,inbound,001,World,0 -hinet.net,hinet.net,inbound,001,World,0.007093 -hinet.net,hinet.net,outbound,001,World,0.00565 -hipchat.com,hipchat.com,inbound,001,World,1 -hipmunk.com,hipmunk.com,inbound,001,World,0 -hispavista.com,hispavista.com,inbound,001,World,0 -hln.be,persgroep-ops.net,inbound,001,World,0 -hm-f.jp,hm-f.jp,inbound,001,World,0 -hobsonsmail.com,hobsonsmail.com,inbound,001,World,0 -hollister-email.com,abercrombie-email.com,inbound,001,World,0 -home.ne.jp,zaq.ne.jp,inbound,001,World,9e-06 -homeaway.com,haspf.com,inbound,001,World,0 -homebaselife.com,ec-cluster.com,inbound,001,World,0 -homechoice.co.za,homechoice.co.za,inbound,001,World,0 -homedecorators.com,homedecorators.com,inbound,001,World,0 -homedepot.com,homedepot.com,inbound,001,World,1 -homedepotemail.com,homedepotemail.com,inbound,001,World,0 -honto.jp,honto.jp,inbound,001,World,0 -hootsuite.com,hootsuite.com,inbound,001,World,1 -horchowemail.com,horchowemail.com,inbound,001,World,0 -horoscope.com,center.com,inbound,001,World,2e-06 -hostelworld.com,bronto.com,inbound,001,World,0 -hostgator.com,hostgator.com,inbound,001,World,0.976131 -hostgator.com,websitewelcome.com,inbound,001,World,0.999822 -hotel.de,emp-mail.de,inbound,001,World,0 -hotels.com,hotels.com,inbound,001,World,0 -hotelurbano.com.br,allin.com.br,inbound,001,World,0 -hotmail.{...},hotmail.{...},inbound,001,World,0.999968 -hotmail.{...},hotmail.{...},outbound,001,World,1 -hotmail.{...},postini.com,inbound,001,World,0.837967 -hotornot.com,monopost.com,inbound,001,World,0.99472 -hotschedules.com,hotschedules.com,inbound,001,World,0 -hotspotmailer.com,hotspotmailer.com,inbound,001,World,1 -hotukdeals.com,hotukdeals.com,inbound,001,World,1 -hotwire.com,hotwire.com,inbound,001,World,0 -house.gov,house.gov,inbound,001,World,0.999966 -houseoffraser.co.uk,houseoffraser.co.uk,inbound,001,World,0 -houzz.com,houzz.com,inbound,001,World,1 -hp.com,hp.com,inbound,001,World,0.202841 -hpnotifier.nl,hpnotifier.nl,inbound,001,World,0 -hsbc.co.in,hsbc.com.hk,inbound,001,World,1 -hsbc.com.hk,hsbc.com.hk,inbound,001,World,1 -hsn.com,hsn.com,inbound,001,World,0 -htcampusmailer.com,eccluster.com,inbound,001,World,0 -hubspot.com,hubspot.com,inbound,001,World,1 -huinforma.com.br,huinforma.com.br,inbound,001,World,0 -hulumail.com,hulumail.com,inbound,001,World,0 -hungry-girl.com,hungry-girl.com,inbound,001,World,0 -hungryhouse.co.uk,mxmfb.com,inbound,001,World,0 -huntington.com,huntington.com,inbound,001,World,0.987351 -i-part.com.tw,i-part.com.tw,inbound,001,World,0.001865 -i-say.com,ipsos-interactive.com,inbound,001,World,1 -iamlgnd2.com,iamlgnd2.com,inbound,001,World,1 -ibm.com,ibm.com,inbound,001,World,0.94413 -ibps.in,sify.net,inbound,001,World,0 -ibpsorg.org,sify.net,inbound,001,World,0 -ibsys.com,ibsys.com,inbound,001,World,9e-05 -icbc.com.ar,clickexperts.net,inbound,001,World,0 -icbc.com.ar,standardbank.com.ar,inbound,001,World,0 -icelandmail.co.uk,emsg-live.co.uk,inbound,001,World,0 -icicibank.com,icicibank.com,inbound,001,World,0.009835 -icicisecurities.com,icicibank.com,inbound,001,World,0.000803 -icims.com,icims.com,inbound,001,World,0.999939 -icloud.com,apple.com,inbound,001,World,1 -icloud.com,icloud.com,outbound,001,World,1 -icloud.com,mac.com,inbound,001,World,1 -icloud.com,me.com,inbound,001,World,0.999995 -icors.org,lsoft.us,inbound,001,World,0 -icpbounce.com,icpbounce.com,inbound,001,World,0 -idc.email,nmsrv.com,inbound,001,World,1 -idealista.com,idealista.com,inbound,001,World,0.001627 -ideascost.com,ramcorp.in,inbound,001,World,0 -idgconnect-resources.com,idgconnect-resources.com,inbound,001,World,0 -ieee.org,ieee.org,inbound,001,World,0.999912 -ifttt.com,ifttt.com,inbound,001,World,1 -ig.com.br,ig.com.br,inbound,001,World,0 -ig.com.br,ig.com.br,outbound,001,World,0 -ign.com,ign.com,inbound,001,World,0 -ignitionsender.com,ignitionsender.com,inbound,001,World,0 -igot-mails.com,zoothost.com,inbound,001,World,0 -iheart.com,iheart.com,inbound,001,World,0 -iimjobs.com,iimjobs.com,inbound,001,World,1 -ikmultimedianews.com,ikmultimedianews.com,inbound,001,World,0.993319 -illinois.edu,illinois.edu,inbound,001,World,0.866481 -imageshost.ca,imageshost.ca,inbound,001,World,0 -imakenews.net,imakenews.com,inbound,001,World,0 -imi.ne.jp,lifemedia.jp,inbound,001,World,0 -immobilienscout24.de,immobilienscout24.de,inbound,001,World,1 -imo.im,imo.im,inbound,001,World,1 -imodules.com,imodules.com,inbound,001,World,0 -imvu.com,imvu.com,inbound,001,World,7e-06 -in-boxpays.com,in-boxpays.com,inbound,001,World,0 -inboxair.com,inboxair.com,inbound,001,World,0 -inboxdollars.com,inboxdollars.com,inbound,001,World,0 -inboxfirst.com,inboxfirst.com,inbound,001,World,0 -inboxmarketer-mail.com,inboxmarketer-mail.com,inbound,001,World,0.999877 -inboxpays.com,inboxpays.com,inbound,001,World,0 -inboxpounds.co.uk,inboxpounds.co.uk,inbound,001,World,0 -indeed.com,indeed.com,inbound,001,World,0.000121 -indeedemail.com,indeedemail.com,inbound,001,World,0 -independentlivingbullion.com,independentlivingbullion.com,inbound,001,World,0 -indiamart.com,indiamart.com,inbound,001,World,1 -indiaproperty.com,indiaproperty.com,inbound,001,World,0 -indiatimes.com,speakingtree.in,inbound,001,World,0 -indiatimeshop.com,sendpal.in,inbound,001,World,0 -indieroyale.com,desura.com,inbound,001,World,1 -infibeam.com,eccluster.com,inbound,001,World,0 -infobradesco.com.br,infobradesco.com.br,inbound,001,World,0 -infoempleo.com,infoempleo.com,inbound,001,World,0 -infojobs.com.br,anuntis.com,inbound,001,World,0 -infojobs.it,infojobs.it,inbound,001,World,0 -infojobs.net,infojobs.net,inbound,001,World,0 -infomoney.com.br,infomoney.com.br,inbound,001,World,1 -infopanel.jp,mailds.jp,inbound,001,World,0 -infopraca.pl,careesma.com,inbound,001,World,0 -informz.net,informz.net,inbound,001,World,0 -infos-micromania.com,infos-micromania.com,inbound,001,World,0 -infosephora.com,splio.com,inbound,001,World,0.962167 -infoworld.com,infoworld.com,inbound,001,World,0 -infradead.org,infradead.org,inbound,001,World,1 -infusionmail.com,infusionmail.com,inbound,001,World,0 -ingdirect.es,ingdirect.es,inbound,001,World,1 -inman.com,inman.com,inbound,001,World,0 -inmotionhosting.com,inmotionhosting.com,inbound,001,World,0.990051 -innovyx.net,innovyx.net,inbound,001,World,0 -ino.com,ino.com,inbound,001,World,0.999981 -insidehook.com,sailthru.com,inbound,001,World,0 -instagram.com,facebook.com,inbound,001,World,1 -instantprofitlist.com,screenshotads.com,inbound,001,World,0 -intage.co.jp,intage.co.jp,inbound,001,World,0.00557 -inter-chat.com,inter-chat.com,inbound,001,World,0 -interac.ca,certapay.com,inbound,001,World,0 -interactivebrokers.com,interactivebrokers.com,inbound,001,World,1 -interactiverealtyservices.com,interactiverealtyservices.com,inbound,001,World,0 -intercom.io,mailgun.info,inbound,001,World,1 -interdatesa.com,fagms.net,inbound,001,World,0 -interealty.net,interealty.net,inbound,001,World,1 -internations.org,internations.org,inbound,001,World,1 -interweave.com,interweave.com,inbound,001,World,0 -interwell.gr,interwell.gr,inbound,001,World,0 -intliv2.net,internationalliving.com,inbound,001,World,0 -intuit.com,intuit.com,inbound,001,World,0.89114 -invalidemail.com,taleo.net,inbound,001,World,1 -investopedia.com,vclk.net,inbound,001,World,0.999999 -investorplace.com,investorplace.com,inbound,001,World,0.995093 -inx1and1.de,1and1.com,inbound,001,World,1 -inxserver.com,inxserver.de,inbound,001,World,0.952863 -inxserver.de,inxserver.de,inbound,001,World,0.980838 -ipcmedia.co.uk,ipcmedia.co.uk,inbound,001,World,0 -iqelite.com,iqelite.com,inbound,001,World,0 -irctcshopping.com,chtah.net,inbound,001,World,0 -iridium.com,iridium.com,inbound,001,World,0.997882 -isbank.com.tr,isbank.com.tr,inbound,001,World,0.009655 -isendservice.com.br,isendservice.com.br,inbound,001,World,0 -itau-unibanco.com.br,itau.com.br,inbound,001,World,0 -itms.in.ua,itms.in.ua,inbound,001,World,0 -itsmyascent.com,itsmyascent.com,inbound,001,World,0 -ittoolbox.com,ittoolbox.com,inbound,001,World,0 -ittoolbox.com,toolbox.com,inbound,001,World,0 -itunes.com,apple.com,inbound,001,World,0.082921 -itwhitepapers.com,itwhitepapers.com,inbound,001,World,0 -iwantoneofthose.com,thehut.com,inbound,001,World,0 -ixs1.net,ixs1.net,inbound,001,World,0.005131 -jackwills.com,jackwills.com,inbound,001,World,0 -jalag.de,jalag.de,inbound,001,World,1 -jane.com,jane.com,inbound,001,World,1 -jango.com,jango.com,inbound,001,World,0 -jared.com,jared.com,inbound,001,World,0 -jcity.com,jcity.com,inbound,001,World,0 -jcpenney.com,jcpenney.com,inbound,001,World,9e-06 -jdate.com,postdirect.com,inbound,001,World,0 -jeevansathi.com,jeevansathi.com,inbound,001,World,0 -jetprivilege.com,jetprivilege.com,inbound,001,World,0 -jetsetter.com,smartertravelmedia.com,inbound,001,World,0.041362 -jeuxvideo.com,jeuxvideo.com,inbound,001,World,0.148921 -jeweloscoemail.com,email-mywebgrocer2.com,inbound,001,World,0 -jibjab.com,storybots.com,inbound,001,World,0 -jira.com,uc-inf.net,inbound,001,World,1 -jiscmail.ac.uk,lsoft.se,inbound,001,World,0 -joann-mail.com,joann-mail.com,inbound,001,World,0 -jobinsider.com,jobinsider.com,inbound,001,World,0 -jobinthailand.com,jobinthailand.com,inbound,001,World,1 -jobisjob.com,jobisjob.com,inbound,001,World,0 -jobmaster.co.il,jobmaster1.co.il,inbound,001,World,0 -jobomas.com,jobomas.com,inbound,001,World,1 -jobrapidoalert.com,jobrapidoalert.com,inbound,001,World,0 -jobs2web.com,ondemand.com,inbound,001,World,1 -jobscentral.com.sg,mailgun.net,inbound,001,World,1 -jobsdbalert.co.id,jobsdbalert.co.id,inbound,001,World,0 -jobsdbalert.com,jobsdbalert.com,inbound,001,World,0 -jobsdbalert.com.hk,jobsdbalert.com.hk,inbound,001,World,0 -jobsdbalert.com.sg,jobsdbalert.com.sg,inbound,001,World,0 -jobserve.com,jobserve.com,inbound,001,World,0 -jobsindubai.com,jobsindubai.ca,inbound,001,World,0 -jobsite.co.uk,jobsite.co.uk,inbound,001,World,0.000509 -jobson.com,jobsonmail.com,inbound,001,World,0 -jobsradar.com,jobsradar.com,inbound,001,World,0 -jobstreet.com,jobstreet.com,inbound,001,World,0 -jockeycomfort.com,jockeycomfort.com,inbound,001,World,0 -johnstonandmurphy-email.com,johnstonandmurphy-email.com,inbound,001,World,0 -jomashop.com,lstrk.net,inbound,001,World,1 -joobmailer.com,joobmailer.com,inbound,001,World,0 -josbank.com,josbank.com,inbound,001,World,0 -joshin.co.jp,joshin.co.jp,inbound,001,World,8e-06 -jossandmain.com,jossandmain.com,inbound,001,World,0 -jpcycles.com,jpcycles.com,inbound,001,World,0.001716 -jtv.com,jtv.com,inbound,001,World,0 -jumia.com.ng,fagms.de,inbound,001,World,0 -jungleerummy.com,jungleerummy.com,inbound,001,World,1 -juno.com,untd.com,inbound,001,World,0 -juno.com,untd.com,outbound,001,World,0 -jusbrasil.com.br,jusbrasil.com.br,inbound,001,World,0 -just-eat.co.uk,ec-cluster.com,inbound,001,World,0 -justclick.ru,justclick.ru,inbound,001,World,0 -justdial.com,iaires.com,inbound,001,World,0 -justdial.com,mailurja.com,inbound,001,World,0 -justfab.com,bronto.com,inbound,001,World,0 -justfab.fr,bronto.com,inbound,001,World,0 -k1speed.com,k1speed.com,inbound,001,World,1 -kagoya.net,kagoya.net,inbound,001,World,0.013097 -kalunga.com.br,kalunga.com.br,inbound,001,World,0 -karvy.com,karvy.com,inbound,001,World,0.045186 -kasikornbank.com,kasikornbank.com,inbound,001,World,0 -kaskusnetworks.com,kaskus.com,inbound,001,World,0 -kay.com,kay.com,inbound,001,World,0 -keek.com,keek.com,inbound,001,World,1 -kernel.org,kernel.org,inbound,001,World,0 -kgbdeals.co.uk,email1-kgbdeals.com,inbound,001,World,0 -kgstores.com,kgstores.com,inbound,001,World,0 -kiabi.com,dms-02.net,inbound,001,World,0 -kickstarter.com,kickstarter.com,inbound,001,World,1 -kidsfootlocker.com,footlocker.com,inbound,001,World,0 -kijiji.ca,kijiji.com,inbound,001,World,0 -kik.com,kik.com,inbound,001,World,1 -kimblegroup.com,kimblegroup.com,inbound,001,World,1 -kintera.com,kintera.com,inbound,001,World,0 -kismia.com,kismia.com,inbound,001,World,1 -kiwari.com,kiwari.com,inbound,001,World,9e-06 -klaviyomail.com,klaviyomail.com,inbound,001,World,1 -kliksa.net,euromsg.net,inbound,001,World,0 -kliktoday.com,kliktoday.com,inbound,001,World,0 -klm-mail.com,klm-mail.com,inbound,001,World,0 -klove.com,emfbroadcasting.com,inbound,001,World,0 -kohls.com,kohls.com,inbound,001,World,0 -komando.com,komando.com,inbound,001,World,0 -kongregate.com,kongregate.com,inbound,001,World,0 -kotak.com,kotak.com,inbound,001,World,0.115651 -kp.org,kp.org,inbound,001,World,0.999975 -krogermail.com,bigfootinteractive.com,inbound,001,World,0 -krs.bz,tricorn.net,inbound,001,World,0 -kubra.com,kubra.com,inbound,001,World,1.8e-05 -kundenserver.de,kundenserver.de,inbound,001,World,1 -kvbmail.com,kvbmail.com,inbound,001,World,0 -la-meteo-mail.fr,splio.com,inbound,001,World,1 -laaptuemail.com,laaptuemail.com,inbound,001,World,0 -lakewoodchurch.com,lakewoodchurch.com,inbound,001,World,0 -lancers.jp,lancers.jp,inbound,001,World,0 -landmarketingmailer.com,zoothost.com,inbound,001,World,0 -landofnod.com,landofnod.com,inbound,001,World,0.002525 -landsend.com,email-landsend.com,inbound,001,World,0 -landsend.com,postdirect.com,inbound,001,World,0 -languagepod101.com,eclient10.com,inbound,001,World,0 -languagepod101.com,eddlvr.com,inbound,001,World,0 -languagepod101.com,ednwsltr3.com,inbound,001,World,0 -languagepod101.com,ednwsltr8.com,inbound,001,World,0 -languagepod101.com,emaildirect.net,inbound,001,World,0 -laposte.net,laposte.net,inbound,001,World,0.271722 -laposte.net,laposte.net,outbound,001,World,0 -laptuinvite.com,laptuinvite.com,inbound,001,World,0 -laredoute.fr,laredoute.fr,inbound,001,World,0 -lasenza.com,lasenza.com,inbound,001,World,0 -lastcallemail.com,lastcallemail.com,inbound,001,World,0 -lastminute.com,lastminute.com,inbound,001,World,0.00831 -laterooms.com,laterooms.com,inbound,001,World,0.014746 -latimes.com,latimes.com,inbound,001,World,0 -lauraashley.com,lauraashley.com,inbound,001,World,0 -lazerhits.com,lazerhits.com,inbound,001,World,1 -leadercontato.com.br,leadercontato.com.br,inbound,001,World,0 -leboncoin.fr,leboncoin.fr,inbound,001,World,0 -lefigaro.fr,splio.com,inbound,001,World,1 -leftlanesports.com,auspient.com,inbound,001,World,0.00705 -leftlanesports.com,leftlanesports.com,inbound,001,World,0 -legalshieldassociate.com,legalshield.com,inbound,001,World,0 -lelong.my,lelong.com.my,inbound,001,World,1 -lelong.my,lelong.net.my,inbound,001,World,1 -lemonde.fr,lemonde.fr,inbound,001,World,0.000111 -leparisien.fr,leparisien.fr,inbound,001,World,0 -lexico.com,lexico.com,inbound,001,World,0 -lexpress.fr,bp06.net,inbound,001,World,0 -libero.it,libero.it,inbound,001,World,0.00024 -libero.it,libero.it,outbound,001,World,0 -life360.com,life360.com,inbound,001,World,1 -lifecare-news.com,email-lifecare.com,inbound,001,World,0 -lifecooler.com,1-hostingservice.com,inbound,001,World,0 -lifemiles.com,bigfootinteractive.com,inbound,001,World,0 -lifescript.com,ilinkmd.com,inbound,001,World,0 -lindenlab.com,lindenlab.com,inbound,001,World,0.999444 -line.me,naver.com,inbound,001,World,1 -line6.com,line6.com,inbound,001,World,2.7e-05 -linkedin.com,linkedin.com,inbound,001,World,0.998882 -linkedin.com,postini.com,inbound,001,World,0.835872 -linkedin.com,yahoo.{...},inbound,001,World,0.999927 -linkshare.com,linksynergy.com,inbound,001,World,0 -liquidation.com,liquidation.com,inbound,001,World,6e-06 -listadventure.com,adlabsinc.com,inbound,001,World,0 -listbuildingmaximizer.com,listbuildingmaximizer.com,inbound,001,World,0.00023 -listeneremail.net,listeneremail.net,inbound,001,World,0 -listia.com,listia.com,inbound,001,World,1 -listjoe.com,adlabsinc.com,inbound,001,World,0 -listnerds.com,listnerds.com,inbound,001,World,0 -listreturn.com,zoothost.com,inbound,001,World,0 -listserve.com,listserve.com,inbound,001,World,0 -listvolta.com,listvolta.com,inbound,001,World,0 -listwire.com,listwire.com,inbound,001,World,0 -litres.ru,litres.ru,inbound,001,World,1 -live.{...},hotmail.{...},inbound,001,World,0.999954 -live.{...},hotmail.{...},outbound,001,World,1 -livedoor.com,livedoor.com,inbound,001,World,0 -livefyre.com,andbit.net,inbound,001,World,1 -livejournal.com,livejournal.com,inbound,001,World,0 -livemailservice.com,livemailservice.com,inbound,001,World,0 -livenation.com,exacttarget.com,inbound,001,World,0 -livescribe.com,bronto.com,inbound,001,World,0 -livingsocial.com,livingsocial.com,inbound,001,World,0 -livrariasaraiva.com.br,livrariasaraiva.com.br,inbound,001,World,0 -lmlmgv.com.br,gvarev.com.br,inbound,001,World,0 -localhires.com,localhires.com,inbound,001,World,1 -loccitane.com,neolane.net,inbound,001,World,0 -loft.com,anntaylor.com,inbound,001,World,0 -logentries.com,logentries.com,inbound,001,World,0 -logitech.com,dvsops.com,inbound,001,World,0 -logmein.com,logmein.com,inbound,001,World,0.031467 -lojasmarisa.com.br,lojasmarisa.com.br,inbound,001,World,0 -lolsolos.com,ultimateadsites.net,inbound,001,World,0.999996 -lombardipublishing.com,lombardipublishing.com,inbound,001,World,0 -lonelywifehookup.com,iverificationsystems.com,inbound,001,World,0 -lookout.com,lookout.com,inbound,001,World,1 -lordandtaylor.com,lordandtaylor.com,inbound,001,World,0 -loveaholics.com,ropot.net,inbound,001,World,0 -lovelywholesale.com,lovelywholesale.com,inbound,001,World,1 -loveplanet.ru,pochta.ru,inbound,001,World,0.640035 -lowcostholidays.co.uk,communicatoremail.com,inbound,001,World,0 -lrsmail.com,lrsmail.com,inbound,001,World,0 -lsi.com,postini.com,inbound,001,World,0.981121 -lt02.net,listrak.com,inbound,001,World,1 -lt02.net,lstrk.net,inbound,001,World,1 -ltdcommodities.com,ltdcomm.net,inbound,001,World,0 -lua.org,pepperfish.net,inbound,001,World,1 -luckymag.com,mkt4500.com,inbound,001,World,0 -ludokados.com,ludokado.com,inbound,001,World,0 -lulu.com,bronto.com,inbound,001,World,0 -lulus.com,lstrk.net,inbound,001,World,1 -lumosity.com,lumosity.com,inbound,001,World,1 -luxa.jp,luxa.jp,inbound,001,World,0 -lynxmail.in,iaires.com,inbound,001,World,0 -lyris.net,lyris.net,inbound,001,World,0 -lyst.com,lyst.com,inbound,001,World,1 -m1e.net,m1e.net,inbound,001,World,0.000342 -m3.com,m3.com,inbound,001,World,0 -mac.com,icloud.com,outbound,001,World,1 -mac.com,mac.com,inbound,001,World,1 -maccosmetics.com,esteelauder.com,inbound,001,World,0 -macromill.com,macromill.com,inbound,001,World,1e-06 -macupdate.com,mailgun.info,inbound,001,World,1 -macys.com,macys.com,inbound,001,World,0 -madmels.info,ultimateadsites.net,inbound,001,World,1 -madmimi.com,madmimi.com,inbound,001,World,0 -mag2.com,tandem-m.com,inbound,001,World,0 -magicbricks.com,tbsl.in,inbound,001,World,0 -magicjack.com,magicjack.com,inbound,001,World,1 -magix.net,magix.net,inbound,001,World,0.673176 -magnetdev.com,magnetmail.net,inbound,001,World,0 -mail-backcountry.com,email-bcmarketing.com,inbound,001,World,0 -mail-boss.com,mail-boss.com,inbound,001,World,0 -mail-cdiscount.com,mail-cdiscount.com,inbound,001,World,0 -mail-mbank.pl,mail-mbank.pl,inbound,001,World,0 -mail-route.com,mail-route.com,inbound,001,World,0 -mail-thestreet.com,mail-thestreet.com,inbound,001,World,0 -mail.mil,mail.mil,inbound,001,World,0 -mail.ru,mail.ru,inbound,001,World,0.987506 -mail.ru,mail.ru,outbound,001,World,0.00674 -mailaccurate.com,mgenie.in,inbound,001,World,0 -mailchimp.com,mailchimp.com,inbound,001,World,0.967415 -maileclipse.com,emce2.in,inbound,001,World,0 -mailengine1.com,mailengine1.com,inbound,001,World,0 -mailer-service.de,mailer-service.de,inbound,001,World,4.9e-05 -mailer4u.in,elabs10.com,inbound,001,World,0 -mailersend.com,mailersend.com,inbound,001,World,0 -mailfacil.com.br,md02.com,inbound,001,World,0 -mailfeast.com,mgenie.in,inbound,001,World,0 -mailgun.org,mailgun.info,inbound,001,World,1 -mailgun.org,mailgun.net,inbound,001,World,1 -mailgun.org,mailgun.us,inbound,001,World,1 -mailing-list.it,mailing-list.it,inbound,001,World,0 -mailingathome.net,mailingathome.net,inbound,001,World,0.999995 -mailjayde.com,mailjayde.com,inbound,001,World,0 -mailjet.com,mailjet.com,inbound,001,World,0.436025 -mailmachine1050.com,mailmachine1050.com,inbound,001,World,0 -mailmailmail.net,mailmailmail.net,inbound,001,World,0 -mailoct.in,tcmailer14.in,inbound,001,World,0 -mailoct1.in,mailoct1.in,inbound,001,World,0 -mailoct1.in,myntramail2.in,inbound,001,World,0 -mailorama.fr,mailorama.fr,inbound,001,World,0 -mailplus.nl,brightbase.net,inbound,001,World,1 -mailpost.in,iaires.com,inbound,001,World,0 -mailpv.net,pvmailer.net,inbound,001,World,1 -mailquant.com,iaires.com,inbound,001,World,0 -mailsend1.com,mailsend6.com,inbound,001,World,0 -mailsender.com.br,mailsender.com.br,inbound,001,World,0 -maisonsdumonde.com,bp06.net,inbound,001,World,0 -makro.nl,srv2.de,inbound,001,World,0.88256 -manager.com.br,manager.com.br,inbound,001,World,0 -mandrillapp.com,backpage.com,inbound,001,World,1 -mandrillapp.com,mandrillapp.com,inbound,001,World,1 -mandrillapp.com,mcsignup.com,inbound,001,World,1 -mandrillapp.com,myjobhelperalerts.com,inbound,001,World,1 -mango.com,emstechnology2.net,inbound,001,World,0 -manipal.edu,iaires.com,inbound,001,World,0 -manta.com,exacttarget.com,inbound,001,World,0 -mapfre.com,emv5.com,inbound,001,World,0 -mar0.net,mar0.net,inbound,001,World,0.976409 -marcustheatres.com,movio.co,inbound,001,World,0 -markandgraham.com,markandgraham.com,inbound,001,World,0 -markavip.com,markavip.com,inbound,001,World,0 -marketer-safelist.com,jsalfianmarketing.com,inbound,001,World,1 -marketinghq.net,elabs8.com,inbound,001,World,0 -marketingprofs.com,marketingprofs.com,inbound,001,World,0.004412 -marketingstudio.com,marketingstudio.com,inbound,001,World,0 -marksandspencer.com,marksandspencer.com,inbound,001,World,0 -marktplaats.nl,marktplaats.nl,inbound,001,World,0 -marlboro.com,marlboro.com,inbound,001,World,0 -maropost.com,biotrustnews.com,inbound,001,World,0 -maropost.com,mailing-truthaboutabs.com,inbound,001,World,0 -maropost.com,maropost.com,inbound,001,World,0 -maropost.com,mp2200.com,inbound,001,World,0 -maropost.com,mp2201.com,inbound,001,World,0 -maropost.com,survivallife.com,inbound,001,World,0 -marykay.com,marykay.com,inbound,001,World,0 -masivapp.com,masivapp.com,inbound,001,World,1 -massageenvyclinics.com,massageenvyclinics.com,inbound,001,World,0 -masterbase.com,masterbase.com,inbound,001,World,0 -mastercard-email.com,mastercard-email.com,inbound,001,World,0 -match.com,match.com,inbound,001,World,0 -matchwereld.nl,matchwereld.nl,inbound,001,World,0 -mate1.net,mate1.net,inbound,001,World,0 -matrixemailer.com,matrixemailer.com,inbound,001,World,0 -maxpark.com,gidepark.ru,inbound,001,World,1 -mbga.jp,mbga.jp,inbound,001,World,0 -mbna.co.uk,ec-cluster.com,inbound,001,World,0 -mbounces.com,emdbms.com,inbound,001,World,0 -mbstrm.com,mobilestorm.com,inbound,001,World,0 -mcafee.com,mcafee.com,inbound,001,World,0.963535 -mcarthurglen.com,mcarthurglen.com,inbound,001,World,0 -mcdlv.net,mcdlv.net,inbound,001,World,0 -mcdlv.net,postini.com,inbound,001,World,0.082163 -mckinsey.com,bigfootinteractive.com,inbound,001,World,0 -mcsv.net,mcsv.net,inbound,001,World,0 -mcsv.net,postini.com,inbound,001,World,0.101883 -mdirector.com,mdrctr.com,inbound,001,World,0 -mdlinx.com,mdlinx.com,inbound,001,World,0 -me.com,icloud.com,outbound,001,World,1 -me.com,mac.com,inbound,001,World,1 -mec.gov.br,mec.gov.br,inbound,001,World,0 -mecumauction.com,mecumauction.com,inbound,001,World,0 -medallia.com,medallia.com,inbound,001,World,0.999682 -mediabistro.com,iworld.com,inbound,001,World,0.006428 -mediapost.com,mediapost.com,inbound,001,World,0 -medium.com,messagebus.com,inbound,001,World,0 -medpagetoday.com,wc09.net,inbound,001,World,0 -medscape.com,medscape.com,inbound,001,World,0 -meetic.com,meetic.com,inbound,001,World,0 -meetmemail.com,meetmemail.com,inbound,001,World,0 -meetup.com,meetup.com,inbound,001,World,5e-06 -megasenders.com,megasenders.com,inbound,001,World,0.07662 -melaleuca.com,melaleuca.com,inbound,001,World,0.003493 -memberdealsusa.com,memberdealsusa.com,inbound,001,World,0 -menswearhouse.com,menswearhouse.com,inbound,001,World,0 -mequedouno.com,mequedouno.com,inbound,001,World,0 -mercadojobs.com,sendgrid.net,inbound,001,World,1 -mercadolibre.com,mercadolibre.com,inbound,001,World,0 -mercadolivre.com,mercadolibre.com,inbound,001,World,0 -merceworld.com,merceworld.com,inbound,001,World,0.996738 -mercola.com,mercola.com,inbound,001,World,0.000369 -merodea.me,sendgrid.net,inbound,001,World,1 -messagegears.net,messagegears.net,inbound,001,World,0 -met-art.com,hydentra.com,inbound,001,World,1 -metro.co.in,srv2.de,inbound,001,World,0.966947 -metrodeal.com,fagms.de,inbound,001,World,0 -mgmresorts.com,mgmresorts.com,inbound,001,World,0 -mgo.com,bronto.com,inbound,001,World,0 -michaels.com,chtah.net,inbound,001,World,0 -michaels.com,michaels.com,inbound,001,World,0 -microcentermedia.com,bfi0.com,inbound,001,World,0 -microsoft.com,hotmail.{...},inbound,001,World,1 -microsoft.com,msn.com,inbound,001,World,1 -microsoftemail.com,microsoftemail.com,inbound,001,World,0 -microsoftemail.com,microsoftstoreemail.com,inbound,001,World,0 -midnightsunsafelist.com,zoothost.com,inbound,001,World,0 -mightydeals.co.uk,mightydeals.co.uk,inbound,001,World,0 -mileageplusshoppingnews.com,mail-skymilesshoppingsupport.com,inbound,001,World,0 -milfaholic.com,iverificationsystems.com,inbound,001,World,0 -miltnews.com,miltnews.com,inbound,001,World,0 -mindbodyonline.com,mindbodyonline.com,inbound,001,World,1 -mindfieldonline.com,mindfieldonline.com,inbound,001,World,0 -mindmoviesmail.com,mindmoviesmail.com,inbound,001,World,0.004239 -mindvalleymail3.com,mindvalleymail3.com,inbound,001,World,0 -minhavida.com.br,minhavida.com.br,inbound,001,World,0 -mint.com,mint.com,inbound,001,World,0 -minted.com,messagelabs.com,inbound,001,World,0.999669 -mirtesen.ru,mtml.ru,inbound,001,World,0 -missselfridge.com,wallis-fashion.com,inbound,001,World,0 -mistersafelist.com,zoothost.com,inbound,001,World,0 -mit.edu,mit.edu,inbound,001,World,0.868705 -mitula.net,mitula.org,inbound,001,World,0 -mitula.org,mitula.org,inbound,001,World,0 -mixcloudmail.com,mixcloudmail.com,inbound,001,World,0.995482 -mixi.jp,mixi.jp,inbound,001,World,0 -mjinn.com,mailurja.com,inbound,001,World,0 -mkt015.com,mkt015.com,inbound,001,World,0 -mkt022.com,mkt022.com,inbound,001,World,0 -mkt063.com,mkt063.com,inbound,001,World,0 -mkt1136.com,mkt1136.com,inbound,001,World,0 -mkt1985.com,fmlinks.net,inbound,001,World,0 -mkt2010.com,mkt2010.com,inbound,001,World,0 -mkt2106.com,mkt2106.com,inbound,001,World,0 -mkt2170.com,mkt2170.com,inbound,001,World,0 -mkt2181.com,mkt2181.com,inbound,001,World,0 -mkt2615.com,mkt2615.com,inbound,001,World,0 -mkt2813.com,mkt2813.com,inbound,001,World,0 -mkt2944.com,mkt2944.com,inbound,001,World,0 -mkt3134.com,mkt3134.com,inbound,001,World,0 -mkt3142.com,mkt3142.com,inbound,001,World,0 -mkt3156.com,mkt3156.com,inbound,001,World,0 -mkt3203.com,mkt3203.com,inbound,001,World,0 -mkt346.com,mkt346.com,inbound,001,World,0 -mkt3544.com,mkt3544.com,inbound,001,World,0 -mkt3622.com,mkt3622.com,inbound,001,World,0 -mkt3682.com,mkt3682.com,inbound,001,World,0 -mkt3690.com,mkt3690.com,inbound,001,World,0 -mkt3695.com,mkt3695.com,inbound,001,World,0 -mkt3804.com,mkt3804.com,inbound,001,World,0 -mkt3815.com,mkt3815.com,inbound,001,World,0 -mkt3952.com,xoom.com,inbound,001,World,0 -mkt4355.com,mkt4355.com,inbound,001,World,0 -mkt4364.com,mkt4364.com,inbound,001,World,0 -mkt459.com,mkt459.com,inbound,001,World,0 -mkt4701.com,mkt4701.com,inbound,001,World,0 -mkt4728.com,mkt4728.com,inbound,001,World,0 -mkt4731.com,mkt4731.com,inbound,001,World,0 -mkt4738.com,mkt4738.com,inbound,001,World,0 -mkt5071.com,mkt5071.com,inbound,001,World,0 -mkt5098.com,mkt5098.com,inbound,001,World,0 -mkt5131.com,mkt5131.com,inbound,001,World,0 -mkt5144.com,mkt5144.com,inbound,001,World,0 -mkt5144.com,mkt5980.com,inbound,001,World,0 -mkt5144.com,mkt5981.com,inbound,001,World,0 -mkt5181.com,mkt5181.com,inbound,001,World,0 -mkt5269.com,mkt5269.com,inbound,001,World,0 -mkt529.com,mkt529.com,inbound,001,World,0 -mkt5297.com,mkt5297.com,inbound,001,World,0 -mkt5297.com,mkt5309.com,inbound,001,World,0 -mkt5371.com,mkt5371.com,inbound,001,World,0 -mkt5806.com,mkt5806.com,inbound,001,World,0 -mkt5934.com,mkt5934.com,inbound,001,World,0 -mkt5937.com,mkt5937.com,inbound,001,World,0 -mkt5970.com,mkt5970.com,inbound,001,World,0 -mkt6100.com,mkt6098.com,inbound,001,World,0 -mkt6276.com,mkt6276.com,inbound,001,World,0 -mkt6323.com,mkt6323.com,inbound,001,World,0 -mkt746.com,mkt746.com,inbound,001,World,0 -mkt824.com,mkt869.com,inbound,001,World,0 -mktdillards.com,mktdillards.com,inbound,001,World,0 -mktid10.com,1-hostingservice.com,inbound,001,World,0 -mktomail.com,mktdns.com,inbound,001,World,0 -mktomail.com,mktomail.com,inbound,001,World,0 -mktomail.com,mktroute.com,inbound,001,World,0 -ml.com,bankofamerica.com,inbound,001,World,1 -mlgns.com,mlgns.com,inbound,001,World,0 -mlgnserv.com,mlgnserv.com,inbound,001,World,0 -mlsend.com,mlsend.com,inbound,001,World,0 -mlsend2.com,mlsend2.com,inbound,001,World,0 -mlssoccer.com,mlssoccer.com,inbound,001,World,0 -mmaco.net,mmaco.net,inbound,001,World,0.999998 -mmagic.jp,mmagic.jp,inbound,001,World,0.000531 -mmks.it,mail-maker.it,inbound,001,World,0 -mmorpg.com,mmorpg.com,inbound,001,World,0.002979 -mmsecure.nl,donenad.nl,inbound,001,World,0 -mo1send.com,mo1send.com,inbound,001,World,0 -mobile01.com,mobile01.com,inbound,001,World,0 -mobly.com.br,mobly.com.br,inbound,001,World,0 -mocospace.com,mocospace.com,inbound,001,World,0 -modellsemail.com,n-email.net,inbound,001,World,0 -modnakasta.ua,emv5.com,inbound,001,World,0 -monex.co.jp,monex.co.jp,inbound,001,World,0.019424 -moneycontrol.com,active18.com,inbound,001,World,0 -moneyforward.com,moneyforward.com,inbound,001,World,0 -moneymorning.com,moneymappress.com,inbound,001,World,0 -moneysupermarketmail.com,moneysupermarketmail.com,inbound,001,World,0 -monipla.jp,aainc.co.jp,inbound,001,World,0 -monografias.com,elistas.net,inbound,001,World,0 -monster.co.in,monster.co.in,inbound,001,World,0 -monster.com,monster.com,inbound,001,World,0.000231 -monster.com,tmpw.net,inbound,001,World,0.000503 -monsterindia.com,monster.co.in,inbound,001,World,0 -moon-ray.com,moon-ray.com,inbound,001,World,0.001892 -mooply.co,mailendo.com,inbound,001,World,0 -mooresclothing.com,mooresclothing.com,inbound,001,World,0 -morhipo.com,euromsg.net,inbound,001,World,0 -morningstar.net,morningstar.net,inbound,001,World,0 -mothercaregroup.com,neolane.net,inbound,001,World,0 -motosnap.com,motosnap.com,inbound,001,World,0.994795 -moveon.org,moveon.org,inbound,001,World,0.99577 -moviestarplanet.com,moviestarplanet.com,inbound,001,World,0 -mozilla.org,mozilla.com,inbound,001,World,0.633237 -mpme.jp,mpme.jp,inbound,001,World,0 -mpse.jp,emsaqua.jp,inbound,001,World,0 -mpse.jp,emsbeige.jp,inbound,001,World,0 -mpse.jp,emsbrown.jp,inbound,001,World,0 -mpse.jp,emscyan.jp,inbound,001,World,0 -mpse.jp,emsgold.jp,inbound,001,World,0 -mpse.jp,emslime.jp,inbound,001,World,0 -mpse.jp,emsnavy.jp,inbound,001,World,0 -mpse.jp,emspink.jp,inbound,001,World,0 -mpse.jp,emssnow.jp,inbound,001,World,0 -mpse.jp,mpme.jp,inbound,001,World,0 -mpse.jp,yahoo.co.jp,inbound,001,World,0 -mpsnd.ch,agenceweb.net,inbound,001,World,0 -mrc.org,msgfocus.com,inbound,001,World,0 -mrmlsmatrix.com,mrmlsmatrix.com,inbound,001,World,0 -ms.com,ms.com,inbound,001,World,1 -ms00.net,ms00.net,inbound,001,World,0 -msdp1.com,msdp1.com,inbound,001,World,0 -msgfocus.com,msgfocus.com,inbound,001,World,0.011658 -msn.com,hotmail.{...},inbound,001,World,0.999964 -msn.com,hotmail.{...},outbound,001,World,1 -mta.info,ealert.com,inbound,001,World,0 -mtasv.net,mtasv.net,inbound,001,World,0.999999 -musiciansfriend.com,musiciansfriend.com,inbound,001,World,0 -musicnotes-alerts.com,mybuys.com,inbound,001,World,0 -mustanglist.com,mustanglist.com,inbound,001,World,0 -mxmfb.com,mxmfb.com,inbound,001,World,0 -mycheapoair.com,mycheapoair.com,inbound,001,World,0.957931 -mycolorscreen.com,mta4.net,inbound,001,World,0 -mydailymoment.biz,mydailymoment.biz,inbound,001,World,0 -mydailymoment.info,mydailymoment.info,inbound,001,World,0 -mydailymoment.net,mydailymoment.net,inbound,001,World,0 -mydailymoment.us,mydailymoment.us,inbound,001,World,0 -myfedloan.org,aessuccess.org,inbound,001,World,0.328917 -myfitnesspal.com,messagebus.com,inbound,001,World,0 -myfxbook.com,myfxbook.com,inbound,001,World,0 -mygreatlakes.org,glhec.org,inbound,001,World,0.000247 -mygroupon.co.th,grouponmail.{...},inbound,001,World,0 -myhealthwealthandhappiness.com,myhealthwealthandhappiness.com,inbound,001,World,0 -myheritage.com,myheritage.com,inbound,001,World,0 -myideeli.com,myideeli.com,inbound,001,World,0 -mymeijer.com,mymeijer.com,inbound,001,World,0 -mymms.com,fagms.de,inbound,001,World,0 -mynavi.jp,mynavi.jp,inbound,001,World,3.5e-05 -myngp.com,ngpweb.com,inbound,001,World,0 -myntramail.com,iaires.com,inbound,001,World,0 -myntramail.com,myntramail.com,inbound,001,World,0 -myntramails.in,icubes.in,inbound,001,World,0 -myoutlets.in,trustmailer.com,inbound,001,World,0 -myperfectsale.com,myperfectsale.com,inbound,001,World,0.999988 -mypoints.com,mypoints.com,inbound,001,World,0 -myprotein.com,thehut.com,inbound,001,World,0 -mysafelistmailer.com,mysafelistmailer.com,inbound,001,World,0.00033 -mysale.my,mysale.my,inbound,001,World,0 -mysale.ph,mysale.ph,inbound,001,World,0 -mysmartprice.com,itzwow.com,inbound,001,World,1 -mysupermarket.co.uk,mysupermarket.co.uk,inbound,001,World,0 -mysurvey.com,mysurvey.com,inbound,001,World,0 -mysurvey.eu,mysurvey.com,inbound,001,World,0 -myvegas.com,myvegas.com,inbound,001,World,1 -myzamanamail.com,myzamanamail.com,inbound,001,World,0 -n-email.net,n-email.net,inbound,001,World,0 -n-email1.net,n-email1.net,inbound,001,World,0 -n-email4.net,n-email4.net,inbound,001,World,0 -naaptoldeals.com,eccluster.com,inbound,001,World,0 -namorico.me,namorico.me,inbound,001,World,1 -nanomail.com.br,araie.com.br,inbound,001,World,1 -napitipp.hu,napitipp.hu,inbound,001,World,0 -nasa.gov,nasa.gov,inbound,001,World,0.082443 -nascar.com,nascar.com,inbound,001,World,0 -nastygal.com,bronto.com,inbound,001,World,0 -nasza-klasa.pl,nasza-klasa.pl,inbound,001,World,0 -nationalexpress.com,nationalexpress.com,inbound,001,World,0 -nationbuilder.com,nationbuilder.com,inbound,001,World,1 -nationwide-communications.co.uk,nationwide-communications.co.uk,inbound,001,World,0 -nature.com,nature.com,inbound,001,World,0 -naukri.com,naukri.com,inbound,001,World,0.002488 -nauta.cu,etecsa.net,inbound,001,World,0 -naver.com,naver.com,inbound,001,World,1 -naver.com,naver.com,outbound,001,World,1 -navy.mil,navy.mil,inbound,001,World,0.152107 -nba.com,nba.com,inbound,001,World,0.005828 -nbaa.org,nbaa.org,inbound,001,World,0 -ncl.com,ncl.com,inbound,001,World,0 -neimanmarcusemail.com,neimanmarcusemail.com,inbound,001,World,0 -nend.net,postini.com,inbound,001,World,0 -neolane.net,neolane.net,inbound,001,World,0.01682 -nesinemail.com,euromsg.net,inbound,001,World,0 -net-a-porter.com,net-a-porter.com,inbound,001,World,0 -net-empregos.com,net-empregos.com,inbound,001,World,0 -net-survey.jp,net-survey.jp,inbound,001,World,0 -netatlantic.com,netatlantic.com,inbound,001,World,0.001085 -netbk.co.jp,netbk.co.jp,inbound,001,World,0.010994 -netcommunity1.com,blackbaud.com,inbound,001,World,0 -netflix.com,amazonses.com,inbound,001,World,0.999999 -netflix.com,netflix.com,inbound,001,World,1 -netlogmail.com,netlogmail.com,inbound,001,World,0 -netopia.pt,netopia.pt,inbound,001,World,0.017294 -netprosoftmail.com,netprosoftmail.com,inbound,001,World,0 -netshoes.com.br,netshoes.com.br,inbound,001,World,0.078768 -netsuite.com,netsuite.com,inbound,001,World,0.57723 -networkworld.com,networkworld.com,inbound,001,World,0 -newegg.com,newegg.com,inbound,001,World,1e-06 -newgrounds.com,newgrounds.com,inbound,001,World,0 -newmarkethealth.com,newmarkethealth.com,inbound,001,World,0 -newrelic.com,sendlabs.com,inbound,001,World,0 -news-h5g.com,news-h5g.com,inbound,001,World,0 -newsletter-verychic.com,splio.es,inbound,001,World,0.9804 -newsmax.com,newsmax.com,inbound,001,World,0.004105 -newspaperdirect.com,newspaperdirect.com,inbound,001,World,0.000177 -newyorktimesinfo.com,newyorktimesinfo.com,inbound,001,World,0 -nexcess.net,nexcess.net,inbound,001,World,0.214803 -next-engine.org,next-engine.org,inbound,001,World,1 -nextdoor.com,mailgun.info,inbound,001,World,1 -nextdoor.com,mailgun.net,inbound,001,World,1 -nextdoor.com,nextdoor.com,inbound,001,World,1 -nfl.com,bfi0.com,inbound,001,World,0 -nflshop.com,nflshop.com,inbound,001,World,0 -nhs.jobs,nhscareersjobs.co.uk,inbound,001,World,0 -nic.in,relayout.nic.in,inbound,001,World,0 -nicovideo.jp,nicovideo.jp,inbound,001,World,0 -nieuwsblad.be,vummail.be,inbound,001,World,0 -nifty.com,nifty.com,inbound,001,World,0.762068 -nih.gov,nih.gov,inbound,001,World,8.8e-05 -nike.com,nike.com,inbound,001,World,0 -nikkei.com,nikkei.co.jp,inbound,001,World,0 -nikkeibp.co.jp,nikkeibp.co.jp,inbound,001,World,4.9e-05 -ninewestmail.com,ninewestmail.com,inbound,001,World,0 -ning.com,ning.com,inbound,001,World,0 -nissen.jp,nissen.jp,inbound,001,World,0 -nixle.com,nixle.com,inbound,001,World,0 -nl00.net,netline.com,inbound,001,World,5e-06 -nl00.net,nl00.net,inbound,001,World,0 -nmp1.com,nmp1.net,inbound,001,World,0 -nokia.com,nokia.com,inbound,001,World,0.001256 -nongnu.org,gnu.org,inbound,001,World,1 -nordstrom.com,taleo.net,inbound,001,World,1 -nortonfromsymantec.com,rsys1.com,inbound,001,World,0 -nos.pt,netcabo.pt,inbound,001,World,6.3e-05 -noticiasaominuto.com,ccmdcampaigns.net,inbound,001,World,0 -noticiasaominuto.com,noticiasaominuto.com,inbound,001,World,0 -novidadeslojasrenner.com.br,novidadeslojasrenner.com.br,inbound,001,World,0 -npr.org,npr.org,inbound,001,World,0 -nrholding.net,nrholding.net,inbound,001,World,0 -ns.nl,tripolis.com,inbound,001,World,0 -nsandi.com,mxmfb.com,inbound,001,World,0 -numbersusa.com,numbersusa.com,inbound,001,World,0 -nyandcompany.com,nyandcompany.com,inbound,001,World,0 -nytimes.com,nytimes.com,inbound,001,World,0.00472 -nzsale.co.nz,nzsale.co.nz,inbound,001,World,0 -oakley.com,oakley.com,inbound,001,World,0.000904 -ocadomail.com,ocadomail.com,inbound,001,World,0 -ocmail1.in,tcmail.in,inbound,001,World,0 -ocmail14.in,tcmailer5.in,inbound,001,World,0 -ocmail22.in,tcmailer15.in,inbound,001,World,0 -ocmail22.in,tcmailer4.in,inbound,001,World,0 -ocmail40.in,tcmailer15.in,inbound,001,World,0 -ocmail40.in,tcmailer4.in,inbound,001,World,0 -ocn.ad.jp,ocn.ad.jp,inbound,001,World,0 -ocn.ne.jp,ocn.ad.jp,inbound,001,World,0 -ocnmail.in,ocmail6.in,inbound,001,World,0 -ocnmail.in,tcmail3.in,inbound,001,World,0 -odisseias.com,emv4.net,inbound,001,World,0 -odnoklassniki.ru,odnoklassniki.ru,inbound,001,World,0 -ofertasbmc.com.br,ofertasbmc.com.br,inbound,001,World,0 -ofertasefacil.com.br,ofertasefacil.com.br,inbound,001,World,0 -ofertix.com,ofertix.com,inbound,001,World,0 -ofertop.pe,icommarketing.com,inbound,001,World,0 -offers.com,offers.com,inbound,001,World,1 -offerum.com,cccampaigns.com,inbound,001,World,0 -offerum.com,ccemails.com,inbound,001,World,0 -officedepot.com,officedepot.com,inbound,001,World,0.012483 -officemax.com,officemax.com,inbound,001,World,0 -officemax.com,officemaxworkplace.com,inbound,001,World,0 -ofsys.com,bulletin-metro.ca,inbound,001,World,0 -oknotify2.com,oknotify2.com,inbound,001,World,0 -oldnavy.ca,oldnavy.ca,inbound,001,World,0 -oldnavy.com,oldnavy.com,inbound,001,World,0 -olx.pt,fixeads.com,inbound,001,World,0 -olympiaedge.net,olympiaedge.net,inbound,001,World,0 -omahasteaks.com,omahasteaks.com,inbound,001,World,0.006139 -oneindia.in,infimail.com,inbound,001,World,0 -oneindia.in,mailurja.com,inbound,001,World,0 -onekingslane.com,onekingslane.com,inbound,001,World,0 -onepatriotplace.com,britecast.com,inbound,001,World,0 -onestopplus.com,neolane.net,inbound,001,World,0 -onetravelspecials.com,onetravelspecials.com,inbound,001,World,0.365386 -online.com,cnet.com,inbound,001,World,0 -onlive.com,ipost.com,inbound,001,World,0 -onmicrosoft.com,outlook.com,inbound,001,World,1 -onthecitymail.org,onthecitymail.org,inbound,001,World,1 -oo155.com,bsftransmit7.com,inbound,001,World,0 -oo155.com,oo155.com,inbound,001,World,0 -openstack.org,openstack.org,inbound,001,World,0.996884 -openstackmail.com,infimail.com,inbound,001,World,0 -opentable.com,opentable.com,inbound,001,World,0.000662 -opinionoutpost.com,opinionoutpost.com,inbound,001,World,0 -opinionsquare.com,opinionsquare.com,inbound,001,World,0 -oprah.com,oprah.com,inbound,001,World,0 -opticsplanet.com,opticsplanet.com,inbound,001,World,0 -optimusmail.in,iaires.com,inbound,001,World,0 -optonline.net,cv.net,inbound,001,World,0 -optonline.net,optonline.net,outbound,001,World,0 -orange.fr,orange.fr,inbound,001,World,0 -orange.fr,orange.fr,outbound,001,World,0 -orderscatalog.com,orderscatalog.com,inbound,001,World,0 -oriental-trading.com,oriental-trading.com,inbound,001,World,0 -oroscopofree.com,adsender.us,inbound,001,World,0 -oroscopofree.com,oroscopofree.com,inbound,001,World,0 -orsay.com,emp-mail.de,inbound,001,World,0 -os-email.com,os-email.com,inbound,001,World,0 -oshkoshbgosh.com,oshkoshbgosh.com,inbound,001,World,6e-06 -osu.edu,outlook.com,inbound,001,World,1 -otto.de,eccluster.com,inbound,001,World,1 -ouffer.com,ouffer.com,inbound,001,World,0.01022 -ourtime.com,seniorpeoplemeet.com,inbound,001,World,0 -outback.com,outback.com,inbound,001,World,0 -outlook.com,hotmail.{...},inbound,001,World,0.999929 -outlook.com,hotmail.{...},outbound,001,World,1 -outspot.be,teneo.be,inbound,001,World,0 -outspot.nl,teneo.be,inbound,001,World,0 -ovenmail.com,iaires.com,inbound,001,World,0 -overnightprints.com,chtah.net,inbound,001,World,0 -overstock.com,overstock.com,inbound,001,World,0 -ovh.net,ovh.net,inbound,001,World,0.207527 -ovuline.com,ovuline.com,inbound,001,World,1 -oxfam.org.uk,msgfocus.com,inbound,001,World,0 -ozsale.com.au,ozsale.com.au,inbound,001,World,0.000192 -p-world.co.jp,p-world.co.jp,inbound,001,World,0 -pagoda.com,zales.com,inbound,001,World,0 -pagseguro.com.br,uol.com.br,inbound,001,World,0 -pair.com,pair.com,inbound,001,World,0.880779 -palmscasinoresort.com,palmscasinoresort.com,inbound,001,World,0 -pampers.com,bfi0.com,inbound,001,World,0 -panasonic.jp,panasonic.jp,inbound,001,World,0 -pandaresearch.com,pandaresearch.com,inbound,001,World,0 -pandora.com,pandora.com,inbound,001,World,1 -pandora.net,pandora.net,inbound,001,World,0.999666 -panelplace.com,smtp.com,inbound,001,World,0 -panerabreadnews.com,panerabreadnews.com,inbound,001,World,0 -pantaloondirect.net,iaires.com,inbound,001,World,0 -papajohns-specials.com,papajohns-specials.com,inbound,001,World,0 -paradisepublishers.com,paradisepublishers.com,inbound,001,World,0.999626 -parents.com,meredith.com,inbound,001,World,0 -parkmobileglobal.com,parkmobile.us,inbound,001,World,0 -path.com,path.com,inbound,001,World,1 -patriotupdate.com,inboxfirst.com,inbound,001,World,0 -payback.de,artegic.net,inbound,001,World,0.999986 -payback.in,chtah.net,inbound,001,World,0 -payback.in,eccluster.com,inbound,001,World,0 -payback.in,ecm-cluster.com,inbound,001,World,0 -payback.in,ecmcluster.com,inbound,001,World,0 -paypal.co.uk,paypal.com,inbound,001,World,1 -paypal.com,paypal.com,inbound,001,World,0.608856 -paypal.com.au,paypal.com,inbound,001,World,1 -paypal.de,paypal.com,inbound,001,World,1 -paytm.com,paytm.com,inbound,001,World,1 -pbteen.com,pbteen.com,inbound,001,World,0 -pccomponentes.com,pccomponentes.com,inbound,001,World,0 -pch.com,ed10.com,inbound,001,World,0 -pchfrontpage.com,ed10.com,inbound,001,World,0 -pchlotto.com,ed10.com,inbound,001,World,0 -pchplayandwin.com,ed10.com,inbound,001,World,0 -pchsearch.com,ed10.com,inbound,001,World,0 -pcmag.com,ittoolbox.com,inbound,001,World,0 -pcworld.com,pcworld.com,inbound,001,World,0 -pd25.com,pd25.com,inbound,001,World,1 -pd25.com,pd27.com,inbound,001,World,1 -peanuthome.info,adopterc.info,inbound,001,World,0 -peanuthome.info,aguitytr.info,inbound,001,World,0 -peanuthome.info,bevest.info,inbound,001,World,0 -peanuthome.info,bluester.info,inbound,001,World,0 -peanuthome.info,burror.info,inbound,001,World,0 -peanuthome.info,bursion.info,inbound,001,World,0 -peanuthome.info,cantexi.info,inbound,001,World,0 -peanuthome.info,caserhi.info,inbound,001,World,0 -peanuthome.info,celect.info,inbound,001,World,0 -peanuthome.info,chintone.info,inbound,001,World,0 -peanuthome.info,citery.info,inbound,001,World,0 -peanuthome.info,cleathal.info,inbound,001,World,0 -peanuthome.info,coherentrequittal.info,inbound,001,World,0 -peanuthome.info,colicom.info,inbound,001,World,0 -peanuthome.info,complec.info,inbound,001,World,0 -peanuthome.info,cyprinoidkaiserdom.info,inbound,001,World,0 -peanuthome.info,deciarc.info,inbound,001,World,0 -peanuthome.info,declaws.info,inbound,001,World,0 -peanuthome.info,dewest.info,inbound,001,World,0 -peanuthome.info,epconce.info,inbound,001,World,0 -peanuthome.info,fnotec.info,inbound,001,World,0 -peanuthome.info,folkswor.info,inbound,001,World,0 -peanuthome.info,forepert.info,inbound,001,World,0 -peanuthome.info,gurgaro.info,inbound,001,World,0 -peanuthome.info,heallyps.info,inbound,001,World,0 -peanuthome.info,holeph.info,inbound,001,World,0 -peanuthome.info,homewor.info,inbound,001,World,0 -peanuthome.info,hydroni.info,inbound,001,World,0 -peanuthome.info,ingenbu.info,inbound,001,World,0 -peanuthome.info,kinklybotaurus.info,inbound,001,World,0 -peanuthome.info,ninetiethwhiffet.info,inbound,001,World,0 -peanuthome.info,unglibshudder.info,inbound,001,World,0 -peanutwebmaster.info,adcrent.info,inbound,001,World,0 -peanutwebmaster.info,addmiel.info,inbound,001,World,0 -peanutwebmaster.info,agilhe.info,inbound,001,World,0 -peanutwebmaster.info,allegap.info,inbound,001,World,0 -peanutwebmaster.info,andvore.info,inbound,001,World,0 -peanutwebmaster.info,angogl.info,inbound,001,World,0 -peanutwebmaster.info,animass.info,inbound,001,World,0 -peanutwebmaster.info,arettery.info,inbound,001,World,0 -peanutwebmaster.info,aribank.info,inbound,001,World,0 -peanutwebmaster.info,arkefoc.info,inbound,001,World,0 -peanutwebmaster.info,avenog.info,inbound,001,World,0 -peanutwebmaster.info,barrave.info,inbound,001,World,0 -peanutwebmaster.info,bindowmo.info,inbound,001,World,0 -peanutwebmaster.info,bitravit.info,inbound,001,World,0 -peanutwebmaster.info,borsand.info,inbound,001,World,0 -peanutwebmaster.info,branti.info,inbound,001,World,0 -peanutwebmaster.info,breaserp.info,inbound,001,World,0 -peanutwebmaster.info,bredogly.info,inbound,001,World,0 -peanutwebmaster.info,briantra.info,inbound,001,World,0 -peanutwebmaster.info,bridea.info,inbound,001,World,0 -peanutwebmaster.info,carial.info,inbound,001,World,0 -peanutwebmaster.info,castac.info,inbound,001,World,0 -peanutwebmaster.info,chedoner.info,inbound,001,World,0 -peanutwebmaster.info,chiquent.info,inbound,001,World,0 -peanutwebmaster.info,cinchoi.info,inbound,001,World,0 -peanutwebmaster.info,cliate.info,inbound,001,World,0 -peanutwebmaster.info,cognn.info,inbound,001,World,0 -peanutwebsite.info,abjibbin.info,inbound,001,World,0 -peanutwebsite.info,audiette.info,inbound,001,World,0 -peanutwebsite.info,blancer.info,inbound,001,World,0 -peanutwebsite.info,bluester.info,inbound,001,World,0 -peanutwebsite.info,burror.info,inbound,001,World,0 -peanutwebsite.info,bursion.info,inbound,001,World,0 -peanutwebsite.info,caserhi.info,inbound,001,World,0 -peanutwebsite.info,celect.info,inbound,001,World,0 -peanutwebsite.info,cleathal.info,inbound,001,World,0 -peanutwebsite.info,coherentrequittal.info,inbound,001,World,0 -peanutwebsite.info,complec.info,inbound,001,World,0 -peanutwebsite.info,condost.info,inbound,001,World,0 -peanutwebsite.info,cyprinoidkaiserdom.info,inbound,001,World,0 -peanutwebsite.info,deciarc.info,inbound,001,World,0 -peanutwebsite.info,declaws.info,inbound,001,World,0 -peanutwebsite.info,epconce.info,inbound,001,World,0 -peanutwebsite.info,ferrayer.info,inbound,001,World,0 -peanutwebsite.info,fnotec.info,inbound,001,World,0 -peanutwebsite.info,folkswor.info,inbound,001,World,0 -peanutwebsite.info,forepert.info,inbound,001,World,0 -peanutwebsite.info,gurgaro.info,inbound,001,World,0 -peanutwebsite.info,holeph.info,inbound,001,World,0 -peanutwebsite.info,homewor.info,inbound,001,World,0 -peanutwebsite.info,hydroni.info,inbound,001,World,0 -peanutwebsite.info,ingenbu.info,inbound,001,World,0 -peanutwebsite.info,kinklybotaurus.info,inbound,001,World,0 -peanutwebsite.info,ninetiethwhiffet.info,inbound,001,World,0 -pearlsofwealth.com,pearlsofwealth.com,inbound,001,World,1 -peartreegreetings.com,rexcraft.com,inbound,001,World,0 -peixeurbano.com.br,peixeurbano.com.br,inbound,001,World,0 -pennwell.com,pennwell.com,inbound,001,World,0 -pepabo.com,pepabo.com,inbound,001,World,0 -pepboys.com,pepboys.com,inbound,001,World,0 -peperoni.de,peperoni.de,inbound,001,World,1 -pepperfry.com,epidm.net,inbound,001,World,0 -perfectpriceindia.com,infimail.com,inbound,001,World,0 -perfectworld.com,perfectworld.com,inbound,001,World,0.000162 -perfora.net,perfora.net,inbound,001,World,0.920896 -permissionresearch.com,permissionresearch.com,inbound,001,World,0 -personalliberty.com,personalliberty.com,inbound,001,World,1 -personare.com.br,personare.com.br,inbound,001,World,0 -peytz.dk,peytz.dk,inbound,001,World,4e-06 -pga.com,pga.com,inbound,001,World,0 -pge.com,pge.com,inbound,001,World,0.149792 -pgeveryday.com,bfi0.com,inbound,001,World,0 -philosophy.com,philosophy.com,inbound,001,World,0 -phoenix.edu,phoenix.edu,inbound,001,World,0 -photobox.com,photobox.com,inbound,001,World,0 -photoprintit.com,photoprintit.com,inbound,001,World,0 -phpclasses.org,phpclasses.org,inbound,001,World,0 -phsmtpbox.com,phsmtpbox.com,inbound,001,World,0 -pia.jp,pia.jp,inbound,001,World,0 -pinger.com,pinger.com,inbound,001,World,0 -pinterest.com,pinterest.com,inbound,001,World,1 -pivotaltracker.com,pivotaltracker.com,inbound,001,World,1 -pixable.com,pixable.com,inbound,001,World,1 -pixum.com,pixum.com,inbound,001,World,0 -pizzahut.com,quikorder.com,inbound,001,World,0 -pizzahutoffers.com,pizzahutoffers.com,inbound,001,World,0 -placedestendances.com,placedestendances.com,inbound,001,World,0 -plaisio.gr,fagms.de,inbound,001,World,0 -planeo.com,planeo.com,inbound,001,World,0 -planeo.pt,planeo.pt,inbound,001,World,0 -playstation.com,playstation.com,inbound,001,World,0 -playstationmail.net,playstationmail.net,inbound,001,World,0 -playtika.com,emv8.com,inbound,001,World,0 -plexapp.com,plex.tv,inbound,001,World,1 -plumdistrict.com,plumdistrict.com,inbound,001,World,1 -pmailus.com,patrontechnology.com,inbound,001,World,0 -pnc.com,messagelabs.com,inbound,001,World,0.997194 -pnetweb.co.za,hosting.co.za,inbound,001,World,0 -pnetweb.co.za,salesnet.co.za,inbound,001,World,0 -pobox.com,pobox.com,inbound,001,World,0.975372 -pof.com,plentyoffish.co.uk,inbound,001,World,0 -pogo.com,pogo.com,inbound,001,World,0 -pointtown.com,gmo-media.jp,inbound,001,World,0 -poinx.com,poinx.com,inbound,001,World,0 -pokerstars.com,pokerstars.eu,inbound,001,World,0 -pokerstars.eu,pokerstars.eu,inbound,001,World,0 -pokupon.by,mailersend.com,inbound,001,World,0 -pokupon.ua,mailersend.com,inbound,001,World,0 -politicoemail.com,politicoemail.com,inbound,001,World,0 -polyvore.com,polyvore.com,inbound,001,World,1 -pontofrio.com.br,emv8.com,inbound,001,World,0 -popsugar.com,popsugar.com,inbound,001,World,0 -postcardfromhell.com,cyberthugs.com,inbound,001,World,1 -postgresql.org,postgresql.org,inbound,001,World,0.996805 -potterybarn.com,potterybarn.com,inbound,001,World,0 -potterybarnkids.com,potterybarnkids.com,inbound,001,World,0 -praca.pl,praca.pl,inbound,001,World,1 -pracuj.pl,pracuj.pl,inbound,001,World,0 -preferredpetclub.com,preferredpetclub.com,inbound,001,World,0 -presslaff.net,dat-e-baseonline.com,inbound,001,World,0 -pressmartmail.com,pressmartmail.com,inbound,001,World,0 -priceline.com,priceline.com,inbound,001,World,1 -princess.com,princess.com,inbound,001,World,0 -printvenue.com,fagms.de,inbound,001,World,0 -priorityoneemail.com,priorityoneemail.com,inbound,001,World,0 -privalia.com,privalia.com,inbound,001,World,3.94913202027326e-07 -private-elist.com,private-elist.com,inbound,001,World,0 -privoscite.si,privoscite.si,inbound,001,World,0 -profitcenteronline.com,groupdealtools.com,inbound,001,World,1 -progressive.com,progressive.com,inbound,001,World,0.897291 -progressiveagent.com,progressive.com,inbound,001,World,1 -promedmail.org,childrenshospital.org,inbound,001,World,1 -promod-news.fr,promod-news.com,inbound,001,World,0 -propertysolutions.com,propertysolutions.com,inbound,001,World,1 -prospectgeysercoop.com,prospectgeysercoop.com,inbound,001,World,1 -protopmail.com,protopmail.com,inbound,001,World,0 -providesupport.com,providesupport.com,inbound,001,World,0.000103 -proxyvote.com,adp-ics.com,inbound,001,World,0.908635 -psu.edu,psu.edu,inbound,001,World,0.073843 -pttplc.com,pttgrp.com,inbound,001,World,0 -publicators.com,publicators.com,inbound,001,World,0 -publix.com,publix.com,inbound,001,World,0.002567 -pucp.edu.pe,pucp.edu.pe,inbound,001,World,0.225541 -puffinmailer.com,zoothost.com,inbound,001,World,0 -pur3.net,pur3.net,inbound,001,World,0.001111 -purewow.com,purewow.com,inbound,001,World,0 -puritan.com,email-nbtyinc.com,inbound,001,World,0 -purlsmail.com,purlsmail.com,inbound,001,World,0 -pxsmail.com,pxsmail.com,inbound,001,World,0 -python.org,python.org,inbound,001,World,1 -q.com,synacor.com,inbound,001,World,0.999729 -qemailserver.com,qemailserver.com,inbound,001,World,0 -qoinpro.com,qoinpro.com,inbound,001,World,1 -qoo10.jp,qoo10.jp,inbound,001,World,2e-06 -qoo10.sg,qoo10.co.id,inbound,001,World,1.9e-05 -qoo10.sg,qoo10.com,inbound,001,World,0 -qoo10.sg,qoo10.my,inbound,001,World,2.2e-05 -qoo10.sg,qoo10.sg,inbound,001,World,8e-06 -qq.com,qq.com,inbound,001,World,0.999978 -qq.com,qq.com,outbound,001,World,1 -qtropnews.com,qtropnews.com,inbound,001,World,1.7e-05 -qualicorp.com.br,qualicorp.com.br,inbound,001,World,1 -quality.net.ua,quality.net.ua,inbound,001,World,0 -qualitysafelist.com,zoothost.com,inbound,001,World,0 -queopinas.com,confirmit.com,inbound,001,World,1 -quickbooks.com,intuit.com,inbound,001,World,0.99908 -quickrewards.net,quickrewards.net,inbound,001,World,0 -quikr.com,quikr.com,inbound,001,World,0.026599 -quinstreet.com,neoquin.com,inbound,001,World,0 -quora.com,quora.com,inbound,001,World,1 -quoramail.com,quoramail.com,inbound,001,World,1 -qvcemail.com,qvcemail.com,inbound,001,World,0 -r-project.org,ethz.ch,inbound,001,World,0.99999 -r51.it,musvc.com,inbound,001,World,0.092498 -r52.it,musvc.com,inbound,001,World,0.000221 -r57.it,musvc.com,inbound,001,World,0.139425 -r67.it,musvc.com,inbound,001,World,0.199845 -r70.it,musvc.com,inbound,001,World,0.311983 -rabota.ua,rabota.ua,inbound,001,World,0 -rackroom-email.com,rackroom-email.com,inbound,001,World,0 -radarsystems.net,radarsystems.net,inbound,001,World,1 -radiantretailapps.com,radiantretailapps.com,inbound,001,World,0 -radioshack.com,radioshack.com,inbound,001,World,0 -railcard-daysoutguide.co.uk,railcard-daysoutguide.co.uk,inbound,001,World,0 -rakuten.co.jp,rakuten.co.jp,inbound,001,World,0 -rakuten.co.jp,shareee.jp,inbound,001,World,0 -rakuten.co.jp,yahoo.co.jp,inbound,001,World,0 -rakuten.com,rakuten.com,inbound,001,World,0 -rakuten.ne.jp,rakuten.co.jp,inbound,001,World,0 -rambler.ru,rambler.ru,inbound,001,World,0.08173 -randomhouse.com,randomhouse.com,inbound,001,World,0 -rapattoni.com,rapmls.com,inbound,001,World,0 -ratedpeople.com,ratedpeople.com,inbound,001,World,0.000979 -rax.ru,rax.ru,inbound,001,World,0.000258 -razerzone.com,chtah.net,inbound,001,World,0 -rbc.com,rbc.com,inbound,001,World,0.001897 -rdio.com,rdio.com,inbound,001,World,1 -reactiveadz.com,downlinebuilderdirect.com,inbound,001,World,0 -realage-mail.com,postdirect.com,inbound,001,World,0 -realestate.com.au,realestate.com.au,inbound,001,World,0 -realtor.org,realtor.org,inbound,001,World,0 -realtytrac.com,realtytrac.com,inbound,001,World,0.001681 -realus.co.jp,realus.co.jp,inbound,001,World,0 -recipe.com,meredith.com,inbound,001,World,0 -recochoku.jp,recochoku.jp,inbound,001,World,0 -recruit.net,recruit.net,inbound,001,World,0 -redbox.com,exacttarget.com,inbound,001,World,0 -redbox.com,redbox.com,inbound,001,World,4e-06 -redcross.org.uk,redcross.org.uk,inbound,001,World,0 -redfin.com,redfin.com,inbound,001,World,0 -rediffmail.com,akadns.net,outbound,001,World,0 -rediffmail.com,rediffmail.com,inbound,001,World,0 -redtri.com,redtri.com,inbound,001,World,0 -reebokusnews.com,reebokusnews.com,inbound,001,World,0 -reebonz.com,ed10.com,inbound,001,World,0 -reebonz.com,reebonz.com,inbound,001,World,0.857615 -reed.co.uk,reed.co.uk,inbound,001,World,0 -regie11.net,odiso.net,inbound,001,World,0 -regionalhelpwanted.com,regionalhelpwanted.com,inbound,001,World,1 -registrar-servers.com,registrar-servers.com,inbound,001,World,0.053619 -registro.br,registro.br,inbound,001,World,0 -relax7.hu,gruppi.hu,inbound,001,World,0 -relianceada.com,relianceada.com,inbound,001,World,0.276515 -rent.com,rent.com,inbound,001,World,0.000397 -rentalcars.com,rentalcars.com,inbound,001,World,1 -renweb.com,renweb.com,inbound,001,World,0 -repica.jp,kakaku.com,inbound,001,World,0 -repica.jp,repica.jp,inbound,001,World,0 -republicwireless.com,republicwireless.com,inbound,001,World,0.033564 -research-panel.jp,research-panel.jp,inbound,001,World,0 -researchgate.net,researchgate.net,inbound,001,World,0 -responder.co.il,responder.co.il,inbound,001,World,1 -restorationhardware.com,restorationhardware.com,inbound,001,World,0 -retailjobinsider.com,retailjobinsider.com,inbound,001,World,0 -retailmenot.com,retailmenot.com,inbound,001,World,3.54930373308668e-07 -reverbnation.com,reverbnation.com,inbound,001,World,0 -revolutiongolf.com,revolutiongolf.com,inbound,001,World,0 -rewardme.in,bfi0.com,inbound,001,World,0 -reyrey.net,reyrey.net,inbound,001,World,0.946402 -ricardoeletro.com.br,allin.com.br,inbound,001,World,0 -richersoundsvip.com,ibwmail.com,inbound,001,World,0 -richyrichmailer.com,maddog-productions.info,inbound,001,World,1 -rightmove.com,rightmove.com,inbound,001,World,0 -rigzonemail.com,rigzonemail.com,inbound,001,World,0 -rikunabi.com,rikunabi.com,inbound,001,World,1e-05 -ringcentral.com,ringcentral.com,inbound,001,World,1 -ripleyperu.com.pe,icommarketing.com,inbound,001,World,0 -riseup.net,riseup.net,inbound,001,World,1 -rivamail.com,mailurja.com,inbound,001,World,0 -rmtr.de,rapidmail.de,inbound,001,World,0 -rnmk.com,rnmk.com,inbound,001,World,0 -roadrunner.com,rr.com,inbound,001,World,0.005479 -roamans.com,neolane.net,inbound,001,World,0 -rocketmail.com,yahoo.{...},inbound,001,World,1 -rocketmail.com,yahoodns.net,outbound,001,World,1 -rockpath.info,rockpath.info,inbound,001,World,1 -rockwellcollins.com,rockwellcollins.com,inbound,001,World,1 -rogers.com,yahoo.{...},inbound,001,World,1 -rogers.com,yahoodns.net,outbound,001,World,1 -rookiestewsemails.com,rookiestewsemails.com,inbound,001,World,0 -roulartamail.be,roulartamail.be,inbound,001,World,0 -royalcaribbeanmarketing.com,royalcaribbeanmarketing.com,inbound,001,World,0 -rpinow.org,app-info.net,inbound,001,World,0 -rpo9usa.email,rpo9usa.email,inbound,001,World,0 -rr.com,rr.com,inbound,001,World,0.008342 -rr.com,rr.com,outbound,001,World,0 -rsgsv.net,postini.com,inbound,001,World,0.093513 -rsgsv.net,rsgsv.net,inbound,001,World,0 -rsvpsv.net,rsvpsv.net,inbound,001,World,0 -rsvpsv.net,send.esp.br,inbound,001,World,0 -rsys2.com,amfam.com,inbound,001,World,0 -rsys2.com,cheaptickets.com,inbound,001,World,0 -rsys2.com,dishnetworkmail.com,inbound,001,World,0 -rsys2.com,e-comms.net,inbound,001,World,0 -rsys2.com,eharmony.com,inbound,001,World,0 -rsys2.com,fathead.com,inbound,001,World,0 -rsys2.com,intuit.com,inbound,001,World,0 -rsys2.com,kmart.com,inbound,001,World,0 -rsys2.com,kohlernews.com,inbound,001,World,0 -rsys2.com,lego.com,inbound,001,World,0 -rsys2.com,lenovo.com,inbound,001,World,0 -rsys2.com,modcloth.com,inbound,001,World,0 -rsys2.com,moxieinteractive.com,inbound,001,World,0 -rsys2.com,orbitz.com,inbound,001,World,0 -rsys2.com,payless.com,inbound,001,World,0 -rsys2.com,petsathome.com,inbound,001,World,0 -rsys2.com,quizzle.com,inbound,001,World,0 -rsys2.com,robeez.com,inbound,001,World,0 -rsys2.com,rsys1.com,inbound,001,World,0 -rsys2.com,rsys2.com,inbound,001,World,0 -rsys2.com,rsys3.com,inbound,001,World,0 -rsys2.com,rsys4.com,inbound,001,World,0 -rsys2.com,saucony.com,inbound,001,World,0 -rsys2.com,sears.com,inbound,001,World,0 -rsys2.com,shopbop.com,inbound,001,World,0 -rsys2.com,southwest.com,inbound,001,World,0 -rsys2.com,speeddatemail.com,inbound,001,World,0 -rsys2.com,thecompanystore.com,inbound,001,World,0 -rsys2.com,theknot.com,inbound,001,World,0 -rsys5.com,alibris.com,inbound,001,World,0 -rsys5.com,allstate-email.com,inbound,001,World,0 -rsys5.com,beachmint.com,inbound,001,World,0 -rsys5.com,belleandclive.com,inbound,001,World,0 -rsys5.com,br.dk,inbound,001,World,0 -rsys5.com,charlotterusse.com,inbound,001,World,0 -rsys5.com,comixology.com,inbound,001,World,0 -rsys5.com,cottonon.com,inbound,001,World,0 -rsys5.com,ediblearrangements.com,inbound,001,World,0 -rsys5.com,emailworldmarket.com,inbound,001,World,0 -rsys5.com,farfetch.com,inbound,001,World,0 -rsys5.com,frhiemailcommunications.com,inbound,001,World,0 -rsys5.com,harryanddavid.com,inbound,001,World,0 -rsys5.com,hollandandbarrett.com,inbound,001,World,0 -rsys5.com,icing.com,inbound,001,World,0 -rsys5.com,indigo.ca,inbound,001,World,0 -rsys5.com,jabong.com,inbound,001,World,0 -rsys5.com,jcrew.com,inbound,001,World,0 -rsys5.com,jjill.com,inbound,001,World,0 -rsys5.com,kanui.com.br,inbound,001,World,0 -rsys5.com,kirklands.com,inbound,001,World,0 -rsys5.com,lanebryant.com,inbound,001,World,0 -rsys5.com,lazada.com,inbound,001,World,0 -rsys5.com,leapfrog.com,inbound,001,World,0 -rsys5.com,llbean.com,inbound,001,World,0 -rsys5.com,lojascolombo.com.br,inbound,001,World,0 -rsys5.com,madewell.com,inbound,001,World,0 -rsys5.com,magazineluiza.com.br,inbound,001,World,0 -rsys5.com,missguided.co.uk,inbound,001,World,0 -rsys5.com,moma.org,inbound,001,World,0 -rsys5.com,nationalgeographic.com,inbound,001,World,0 -rsys5.com,neat.com,inbound,001,World,0 -rsys5.com,newbalance.com,inbound,001,World,0 -rsys5.com,news-voeazul.com.br,inbound,001,World,0 -rsys5.com,nordstrom.com,inbound,001,World,0 -rsys5.com,normthompson.com,inbound,001,World,0 -rsys5.com,novomundo.com.br,inbound,001,World,0 -rsys5.com,ourdeal.com.au,inbound,001,World,0 -rsys5.com,pier1.com,inbound,001,World,0 -rsys5.com,postini.com,inbound,001,World,0.0697 -rsys5.com,productmadness.com,inbound,001,World,0 -rsys5.com,rainbowshops.com,inbound,001,World,0 -rsys5.com,rei.com,inbound,001,World,0 -rsys5.com,roadrunnersports.com,inbound,001,World,0 -rsys5.com,rosettastone.com,inbound,001,World,0 -rsys5.com,seamless.com,inbound,001,World,0 -rsys5.com,serenaandlily.com,inbound,001,World,0 -rsys5.com,smiles.com.br,inbound,001,World,0 -rsys5.com,soubarato.com.br,inbound,001,World,0 -rsys5.com,strava.com,inbound,001,World,0 -rsys5.com,submarino.com.br,inbound,001,World,0 -rsys5.com,thewalkingcompany.com,inbound,001,World,0 -rsys5.com,tigerdirect.com,inbound,001,World,0 -rsys5.com,udemy.com,inbound,001,World,0 -rsys5.com,vitaminshoppe.com,inbound,001,World,0 -rsys5.com,vpusa.com,inbound,001,World,0 -rsys5.com,walmart.com.br,inbound,001,World,0 -rsys5.com,worldofwatches.com,inbound,001,World,0 -rsys5.com,xfinity.com,inbound,001,World,0 -rue21email.com,rue21email.com,inbound,001,World,0 -rueducommerce.com,groupe-rueducommerce.fr,inbound,001,World,0 -rummycirclemails.com,eccluster.com,inbound,001,World,0 -runkeeper.com,runkeeper.com,inbound,001,World,0 -runnet.jp,runnet.jp,inbound,001,World,0 -runtastic.com,runtastic.com,inbound,001,World,0 -rutenmail.com.tw,rutenmail.com.tw,inbound,001,World,0 -ruum.com,ruum.com,inbound,001,World,0 -ryanairmail.com,ryanairmail.com,inbound,001,World,0 -rzone.de,rzone.de,inbound,001,World,1 -s3s-br1.net,splio.com.br,inbound,001,World,0.908187 -s3s-main.net,splio.com,inbound,001,World,0.970428 -s4s-pl1.pl,splio.com,inbound,001,World,0.939032 -saavn.com,saavn.com,inbound,001,World,1 -safe-sender.net,safe-sender.net,inbound,001,World,0 -safelistextreme.com,quantumsafelist.com,inbound,001,World,0 -safelistpro.com,safelistpro.com,inbound,001,World,0.00014 -safeway.com,chtah.com,inbound,001,World,0 -safeway.com,safeway.com,inbound,001,World,0.000382 -sahibinden.com,sahibinden.com,inbound,001,World,0 -sailthru.com,sailthru.com,inbound,001,World,0 -saimails.in,infimail.com,inbound,001,World,0 -sainsburys.co.uk,emv5.com,inbound,001,World,0 -saisoncard.co.jp,saisoncard.co.jp,inbound,001,World,0 -saks.com,saks.com,inbound,001,World,0 -saksoff5th.com,saksoff5th.com,inbound,001,World,0 -sakura.ne.jp,sakura.ne.jp,inbound,001,World,0.640465 -salememail.net,salememail.net,inbound,001,World,0 -salesforce.com,postini.com,inbound,001,World,0.866057 -salesforce.com,salesforce.com,inbound,001,World,0.983322 -salesforce.com,salesforce.com,outbound,001,World,1 -salesmanago.pl,salesmanago.pl,inbound,001,World,0 -salliemae.com,salliemae.com,inbound,001,World,1 -salsalabs.net,salsalabs.net,inbound,001,World,0 -samashmusic.com,wc09.net,inbound,001,World,0 -samsclub.com,m0.net,inbound,001,World,0 -samsung.com,samsung.com,inbound,001,World,0.043941 -samsung.ru,samsung.ru,inbound,001,World,0 -samsungusa.com,samsungusa.com,inbound,001,World,0 -sanmina-sci.com,postini.com,inbound,001,World,0.999991 -sanmina.com,postini.com,inbound,001,World,0.9996 -sans.org,sans.org,inbound,001,World,0.497629 -santander.cl,santander.cl,inbound,001,World,0.999992 -santander.cl,santandersantiago.cl,inbound,001,World,1 -sapnetworkmail.com,sap-ag.de,inbound,001,World,1 -sapo.pt,sapo.pt,inbound,001,World,0.242839 -sapo.pt,sapo.pt,outbound,001,World,0 -saramin.co.kr,saramin.co.kr,inbound,001,World,0 -sassieshop.com,sassieshop.com,inbound,001,World,0.025887 -saturday.com,saturday.com,inbound,001,World,0 -savelivefresh.com,livesavemail.com,inbound,001,World,1 -savingdeals.in,infimail.com,inbound,001,World,0 -savingstar.com,savingstar.com,inbound,001,World,1 -sbcglobal.net,yahoo.{...},inbound,001,World,0.999991 -sbcglobal.net,yahoodns.net,outbound,001,World,1 -sbi.co.in,sbi.co.in,inbound,001,World,0 -sbr-inc.co.jp,hdemail.jp,inbound,001,World,0.000528 -sc.com,messagelabs.com,inbound,001,World,0.996156 -sc.com,sc.com,inbound,001,World,0.99683 -schwab.com,schwab.com,inbound,001,World,0.025055 -scmp.com,emarsys.net,inbound,001,World,0 -scoop.it,scoop.it,inbound,001,World,0 -scoopon.com.au,inxserver.de,inbound,001,World,1 -screwfix.info,fwdto.net,inbound,001,World,0 -sears.ca,sears.ca,inbound,001,World,0.005447 -searscard.com,searscard.com,inbound,001,World,1 -seaworld.com,seaworld.com,inbound,001,World,0 -secretescapes.com,secretescapes.com,inbound,001,World,0 -secure.ne.jp,secure.ne.jp,inbound,001,World,0.000356 -securence.com,securence.com,inbound,001,World,0.667957 -secureserver.net,secureserver.net,inbound,001,World,3.6e-05 -seek.com.au,seek.com.au,inbound,001,World,0 -seekingalpha.com,seekingalpha.com,inbound,001,World,1 -seekingalpha.com,sendgrid.net,inbound,001,World,1 -selectacast.net,selectacast.net,inbound,001,World,0.000561 -selection-priceminister.com,selection-priceminister.com,inbound,001,World,0 -semana.com,semana.com,inbound,001,World,0.005867 -senate.gov,senate.gov,inbound,001,World,0.992994 -sendearnings.com,sendearnings.com,inbound,001,World,0 -sender.lt,sritis.lt,inbound,001,World,0.000352 -sendgrid.info,sendgrid.net,inbound,001,World,0.999966 -sendgrid.me,sendgrid.net,inbound,001,World,1 -sendlane.com,sendlane.com,inbound,001,World,0 -sendpal.in,sendpal.in,inbound,001,World,0 -sendsmaily.info,sendsmaily.info,inbound,001,World,0 -seniorplanet.fr,seniorplanet.fr,inbound,001,World,0 -serpadres.es,chtah.net,inbound,001,World,0 -service-now.com,postini.com,inbound,001,World,0.988878 -service-now.com,service-now.com,inbound,001,World,0.998853 -serviciobancomer.com,serviciobancomer.com,inbound,001,World,0 -seznam.cz,seznam.cz,inbound,001,World,0.001781 -seznam.cz,seznam.cz,outbound,001,World,0.001741 -sfid01.com,sfid01.com,inbound,001,World,0 -sfimg.com,sfimarketing.com,inbound,001,World,0 -sfly.com,shutterfly.com,inbound,001,World,0 -sfr.fr,sfr.fr,inbound,001,World,0.236539 -sfr.fr,sfr.fr,outbound,001,World,0.004753 -shaadi.com,shaadi.com,inbound,001,World,0.000154 -shadowshopper.com,shadowshopper.com,inbound,001,World,5.6e-05 -shaw.ca,shaw.ca,inbound,001,World,0 -shaw.ca,shaw.ca,outbound,001,World,1 -sheplers.com,sheplers.com,inbound,001,World,0 -shiftplanning.com,shiftplanning.com,inbound,001,World,0 -shiksha.com,shiksha.com,inbound,001,World,0 -shinseibank.com,shinseibank.com,inbound,001,World,0 -shoedazzle.com,shoedazzle.com,inbound,001,World,0 -shoes.com,famousfootwear.com,inbound,001,World,0 -shop2gether.com.br,shop2gether.com.br,inbound,001,World,0 -shopbonton.com,shopbonton.com,inbound,001,World,0 -shopcluesemail.com,shopcluesemail.com,inbound,001,World,0 -shopcluesmail.com,shopcluesmail.com,inbound,001,World,0 -shophq.com,shophq.com,inbound,001,World,0 -shopjustice.com,shopjustice.com,inbound,001,World,0 -shopkick.com,shopkick.com,inbound,001,World,0 -shopko.com,shopko.com,inbound,001,World,0 -shopnineteenmails.in,iaires.com,inbound,001,World,0 -shoppersoptimum.ca,thindata.net,inbound,001,World,0 -shoppersstop.com,shoppersstop.com,inbound,001,World,0 -shoprite-email.com,email-mywebgrocer.com,inbound,001,World,0 -shoptime.com,shoptime.com,inbound,001,World,0 -shopto.net,shopto.net,inbound,001,World,1 -showingtime.com,showingtime.com,inbound,001,World,0 -showroomprive.com,showroomprive.be,inbound,001,World,0 -showroomprive.com,showroomprive.com,inbound,001,World,0.007102 -showroomprive.com,showroomprive.nl,inbound,001,World,0 -showroomprive.es,showroomprive.es,inbound,001,World,0 -showroomprive.it,showroomprive.pt,inbound,001,World,0 -showroomprive.pt,showroomprive.co.uk,inbound,001,World,0 -shtyle.fm,shtyle.fm,inbound,001,World,0 -shukatsu.jp,shukatsu.jp,inbound,001,World,0 -siella.jp,siella.jp,inbound,001,World,0.000199 -sierratradingpost.com,sierratradingpost.com,inbound,001,World,0.000885 -sigmabeauty.com,lstrk.net,inbound,001,World,1 -sii.cl,sii.cl,inbound,001,World,0 -simplesafelist.com,adminforfree.com,inbound,001,World,1 -simpletextadz.com,web-hosting.com,inbound,001,World,1 -simplyhired.com,simplyhired.com,inbound,001,World,0 -simplymarry.com,tbsl.in,inbound,001,World,0 -singsale.com.sg,singsale.com.sg,inbound,001,World,0 -siriusxm.com,xmradio.com,inbound,001,World,0 -sitecore-mailer.com,sendlabs.com,inbound,001,World,0 -sittercity.com,sittercity.com,inbound,001,World,0 -sixflags.com,sixflags.com,inbound,001,World,0 -skillpages-mailer.com,dynect.net,inbound,001,World,0 -skillpages-mailer.com,sendlabs.com,inbound,001,World,0 -skillpages-mailer.com,skillpagesmail.com,inbound,001,World,0 -sky.com,sky.com,inbound,001,World,8.8e-05 -skymall.com,skymall.com,inbound,001,World,0.001135 -skynet.be,belgacom.be,inbound,001,World,0.005903 -skype.com,delivery.net,inbound,001,World,0 -skype.com,skype.com,inbound,001,World,0 -skyscanner.net,skyscanner.net,inbound,001,World,1 -sld.cu,sld.cu,inbound,001,World,1 -slickdeals.net,slickdeals.net,inbound,001,World,4.9e-05 -slidesharemail.com,newslettergrid.com,inbound,001,World,1 -slidesharemail.com,slideshare.net,inbound,001,World,1 -slidesharemail.com,slidesharemail.com,inbound,001,World,1 -smartbrief.com,smartbrief.com,inbound,001,World,0 -smartdraw.com,smartdraw.com,inbound,001,World,0 -smartertravel.com,smartertravelmedia.com,inbound,001,World,0.021388 -smartphoneexperts.com,mailgun.net,inbound,001,World,1 -smartresponder.ru,smartresponder.ru,inbound,001,World,1 -smp.ne.jp,smp.ne.jp,inbound,001,World,0 -snagajob-email.com,snagajob-email.com,inbound,001,World,0 -snapdeal.com,snapdeal.com,inbound,001,World,0 -snapdealmail.in,snapdealmail.in,inbound,001,World,0 -snaphire.com,snaphire.com,inbound,001,World,0 -snapretail.com,snapretail.com,inbound,001,World,1 -socialappsmail.com,socialappsmail.com,inbound,001,World,1 -socialsex.biz,infinitypersonals.com,inbound,001,World,0 -sofmap.com,sofmap.com,inbound,001,World,0.0092 -softbank.jp,softbank.jp,inbound,001,World,0 -softbank.jp,softbank.jp,outbound,001,World,0 -softbank.ne.jp,softbank.ne.jp,inbound,001,World,0 -softbank.ne.jp,softbank.ne.jp,outbound,001,World,0 -solesociety.com,bronto.com,inbound,001,World,0 -solosenders.com,megasenders.com,inbound,001,World,8.2e-05 -solosenders.com,traxweb.org,inbound,001,World,0 -solveerrors.com,infimail.com,inbound,001,World,0 -soma.com,soma.com,inbound,001,World,0 -someecards.com,someecards.com,inbound,001,World,0 -songkick.com,songkick.com,inbound,001,World,1 -sony-latin.com,sony-latin.com,inbound,001,World,0.01735 -sony.com,sony.com,inbound,001,World,0.020225 -sony.jp,sony.jp,inbound,001,World,0.000654 -sonyentertainmentnetwork.com,sonyentertainmentnetwork.com,inbound,001,World,0 -sonyrewards.com,sonyrewards.com,inbound,001,World,0 -soundcloudmail.com,soundcloudmail.com,inbound,001,World,0.999996 -sourceforge.net,sourceforge.net,inbound,001,World,1 -sourcenext.info,sourcenext.info,inbound,001,World,0 -southwest.com,southwest.com,inbound,001,World,0 -sp.gov.br,sp.gov.br,inbound,001,World,0.485842 -spanishdict.com,spanishdict.com,inbound,001,World,0.002698 -spareroom.co.uk,spareroom.co.uk,inbound,001,World,1 -sparklist.com,sparklist.com,inbound,001,World,0 -sparkpeople.com,sparkpeople.com,inbound,001,World,0 -spartoo.com,spartoo.com,inbound,001,World,0 -spectersoft.com,spectersoft.com,inbound,001,World,0 -speedyrewards-email.com,speedyrewards-email.com,inbound,001,World,0 -spencersonline.com,spencersonline.com,inbound,001,World,0 -spiritairlines.com,ctd004.net,inbound,001,World,0 -spiritairlines.com,ctd005.net,inbound,001,World,0 -splitwise.com,splitwise.com,inbound,001,World,1 -sportlobster.com,sportlobster.com,inbound,001,World,1 -sportsdirect.com,sportsdirect.com,inbound,001,World,0 -sportsline.com,cbsig.net,inbound,001,World,1 -sportsmansguide.com,sportsmansguide.com,inbound,001,World,0.736903 -spotifymail.com,spotifymail.com,inbound,001,World,1 -sprint.com,m0.net,inbound,001,World,0 -sqlservercentral.com,sqlservercentral.com,inbound,001,World,0 -square-enix.com,messagelabs.com,inbound,001,World,0.004493 -squareup.com,squareup.com,inbound,001,World,0.986452 -ssgadm.com,ssg.com,inbound,001,World,0 -staffeazymailers.com,iaires.com,inbound,001,World,0 -stakemail.com,iaires.com,inbound,001,World,0 -stampmail.in,iaires.com,inbound,001,World,0 -standaard.be,vummail.be,inbound,001,World,0 -standardbank.co.za,standardbank.co.za,inbound,001,World,0 -stanford.edu,highwire.org,inbound,001,World,1 -stanford.edu,stanford.edu,inbound,001,World,0.93025 -stansberryresearch.com,stansberry-re.net,inbound,001,World,0 -stansberryresearch.com,stansberryresearch.com,inbound,001,World,0.001008 -staples-pt.com,1-hostingservice.com,inbound,001,World,0 -staples.co.uk,ncrwebhost.de,inbound,001,World,0 -staples.com,staples.com,inbound,001,World,0.00638 -starbucks.com,iphmx.com,inbound,001,World,0.999476 -starbucks.com,starbucks.com,inbound,001,World,0 -stardockcorporation.com,stardockcorporation.com,inbound,001,World,0 -stardockentertainment.info,stardockentertainment.info,inbound,001,World,0 -starsports.com,eccluster.com,inbound,001,World,0 -startribune.com,startribune.com,inbound,001,World,0.001728 -startwire.com,jobsreport.com,inbound,001,World,1 -startwire.com,startwire.com,inbound,001,World,1 -starwoodhotels.com,outlook.com,inbound,001,World,1 -state-of-the-art-mailer.com,futurebanners.net,inbound,001,World,0 -state.gov,state.gov,inbound,001,World,0 -statefarm.com,statefarm.com,inbound,001,World,1 -stayfriends.de,stayfriends.de,inbound,001,World,0 -steampowered.com,steampowered.com,inbound,001,World,1 -steinmart.com,steinmart.com,inbound,001,World,0 -stelladot.com,stelladot.com,inbound,001,World,0 -stepstone.de,stepstone.com,inbound,001,World,0.001689 -stevemadden.com,stevemadden.com,inbound,001,World,0 -stjobs.sg,st701.com,inbound,001,World,1 -stjude.org,stjude.org,inbound,001,World,0.006716 -strava.com,strava.com,inbound,001,World,1 -streetauthoritydaily.com,streetauthoritydaily.com,inbound,001,World,0 -streeteasy.com,streeteasy.com,inbound,001,World,0 -striata.com,striata.com,inbound,001,World,0 -stubhub.com,stubhub.com,inbound,001,World,1 -studentbeans.com,emv8.com,inbound,001,World,0 -stumblemail.com,stumblemail.com,inbound,001,World,1 -stylecareers.com,stylecareers.com,inbound,001,World,0 -suafaturanet.com.br,suafaturanet.com.br,inbound,001,World,0.995846 -subito.it,subito.it,inbound,001,World,0 -subscribe.ru,subscribe.ru,inbound,001,World,0 -subscribermail.com,subscribermail.com,inbound,001,World,0 -subtend.info,subtend.info,inbound,001,World,1 -subway.com,subway.com,inbound,001,World,0 -sungard.com,postini.com,inbound,001,World,0.499946 -sunwingvacationinfo.ca,sunwingvacationinfo.ca,inbound,001,World,1 -superbalist.com,sailthru.com,inbound,001,World,0 -superdeal.com.ua,mailersend.com,inbound,001,World,0 -superdrug.com,superdrug.com,inbound,001,World,0 -superjob.ru,superjob.ru,inbound,001,World,0 -supersafemailer.com,zoothost.com,inbound,001,World,0 -support-love.com,support-love.com,inbound,001,World,0 -supremelist.com,onlinehome-server.com,inbound,001,World,1 -surfmandelivery.com,surfmandelivery.com,inbound,001,World,0 -surlatable.com,surlatable.com,inbound,001,World,0 -surveyhelpcenter.com,jsmtp.net,inbound,001,World,0 -surveyjobopportunities.com,surveyjobopportunities.com,inbound,001,World,3.7e-05 -surveymonkey.com,surveymonkey.com,inbound,001,World,0 -surveysavvy.com,surveysavvy.com,inbound,001,World,0 -surveyspot.com,ssisurveys.com,inbound,001,World,0 -sut1.co.uk,sut1.co.uk,inbound,001,World,0.001789 -sut5.co.uk,sut5.co.uk,inbound,001,World,0 -swanson-vitamins.com,emv5.com,inbound,001,World,0 -sweepstakesalerts.com,sweepstakesalerts.com,inbound,001,World,0 -swimoutlet.com,isport.com,inbound,001,World,0 -sylectus.com,sylectus.com,inbound,001,World,0.361297 -sympatico.ca,hotmail.{...},inbound,001,World,1 -sympatico.ca,hotmail.{...},outbound,001,World,1 -synchronyfinancial.com,bigfootinteractive.com,inbound,001,World,0 -synergy360.jp,crmstyle.com,inbound,001,World,0 -t-online.de,t-online.de,inbound,001,World,1 -t-online.de,t-online.de,outbound,001,World,0.999939 -tadtopmails.com,tadtopmails.com,inbound,001,World,0 -taggedmail.com,taggedmail.com,inbound,001,World,0 -taipeifubon.com.tw,taipeifubon.com.tw,inbound,001,World,0 -taishinbank.com.tw,taishinbank.com.tw,inbound,001,World,0 -take2games.com,take2games.com,inbound,001,World,0 -talkmatch.com,talkmatch.com,inbound,001,World,0 -tamu.edu,tamu.edu,inbound,001,World,0.249656 -tanga.com,tanga.com,inbound,001,World,0 -tangeroutletsusa.com,bronto.com,inbound,001,World,0 -tanningmail.com,tanningmail.com,inbound,001,World,0 -tappingsolutionemail.com,tappingsolutionemail.com,inbound,001,World,0 -target-safelist.com,safelistpro.com,inbound,001,World,0.000215 -target.com,bigfootinteractive.com,inbound,001,World,0 -targetproblaster.com,targetproblaster.com,inbound,001,World,0 -targetx.com,targetx.com,inbound,001,World,0 -tarot.com,tarot.com,inbound,001,World,0 -tastefullysimpleparty.com,bigfootinteractive.com,inbound,001,World,0 -tasteofhome.com,tasteofhome.com,inbound,001,World,0 -tastingtable.com,tastingtable.com,inbound,001,World,0 -tatrabanka.sk,tatrabanka.sk,inbound,001,World,0 -taxi4sure.net,infimail.com,inbound,001,World,0 -tchibo.com.tr,euromsg.net,inbound,001,World,0 -tchibo.de,srv2.de,inbound,001,World,0.980445 -teach12.net,teach12.net,inbound,001,World,0 -teambuymail.com,teambuymail.com,inbound,001,World,0 -teamo.ru,teamo.ru,inbound,001,World,0 -teamsnap.com,teamsnap.com,inbound,001,World,1 -teamviewer.com,teamviewer.com,inbound,001,World,0 -teapartyinfo.org,teapartyinfo.org,inbound,001,World,0 -techgig.com,tbsl.in,inbound,001,World,0 -technolutions.net,technolutions.net,inbound,001,World,1 -techtarget.com,techtarget.com,inbound,001,World,0.001771 -telefonica.com,telefonica.com,inbound,001,World,0.998662 -telegraph.co.uk,telegraph.co.uk,inbound,001,World,0 -telenet.be,telenet-ops.be,inbound,001,World,0.000128 -teleportmyjob.com,clara.net,inbound,001,World,0 -telus.com,telus.com,inbound,001,World,0.000118 -telus.net,telus.net,inbound,001,World,0.006226 -templeandwebster.com.au,templeandwebster.com.au,inbound,001,World,5e-06 -ten24mail.com,ten24mail.com,inbound,001,World,0 -terra.com,terra.com,inbound,001,World,0.000463 -terra.com.br,terra.com,inbound,001,World,0 -terra.com.br,terra.com,outbound,001,World,0 -tesco.com,tesco.com,inbound,001,World,0 -testfunda.com,testfunda.com,inbound,001,World,0 -texasjobdepartment.com,texasjobdepartment.com,inbound,001,World,0 -textnow.me,textnow.me,inbound,001,World,0 -tgw.com,tgw.com,inbound,001,World,0 -theanimalrescuesite.com,theanimalrescuesite.com,inbound,001,World,0 -theatermania.com,wc09.net,inbound,001,World,0 -thebay.com,thebay.com,inbound,001,World,0 -thebodyshop-usa.com,email-bodyshop.com,inbound,001,World,0 -thebodyshop-usa.com,postdirect.com,inbound,001,World,0 -thecarousell.com,thecarousell.com,inbound,001,World,1 -thegrommet.com,lstrk.net,inbound,001,World,1 -theguardian.com,theguardian.com,inbound,001,World,0 -thehut.com,thehut.com,inbound,001,World,0 -theleadmagnet.com,your-server.de,inbound,001,World,1 -thelimited.com,thelimited.com,inbound,001,World,0 -themailbagsafelist.com,thomas-j-brown.com,inbound,001,World,0 -theoutnet.com,theoutnet.com,inbound,001,World,0 -thepamperedchef.com,thepamperedchef.com,inbound,001,World,0 -thephonehouse.es,splio.com,inbound,001,World,0.983578 -thephonehouse.es,splio.es,inbound,001,World,0.983266 -therealreal.com,email-realreal.com,inbound,001,World,0 -theskimm.com,theskimm.com,inbound,001,World,0 -thesource.ca,thesource.ca,inbound,001,World,0.00923 -thesovereigninvestor.com,sovereignsociety.com,inbound,001,World,0 -thewarehouse.co.nz,thewarehouse.co.nz,inbound,001,World,0 -thinkgeek.com,thinkgeek.com,inbound,001,World,1e-06 -thinkvidya.com,thinkvidya.com,inbound,001,World,0 -thirtyonegifts.com,thirtyonegifts.com,inbound,001,World,0 -thomascook.com,eccluster.com,inbound,001,World,0 -thoughtful-mind.com,thoughtful-mind.com,inbound,001,World,0 -thumbtack.com,thumbtack.com,inbound,001,World,1 -ticketmaster.com,ticketmaster.com,inbound,001,World,0.251337 -ticketmasterbiletix.com,ticketmasterbiletix.com,inbound,001,World,0 -ticketmonster.co.kr,ticketmonster.co.kr,inbound,001,World,0 -timehop.com,timehop.com,inbound,001,World,1 -timeout.com,ec-cluster.com,inbound,001,World,0 -timesjobs.com,tbsl.in,inbound,001,World,0 -timesjobsmail.com,tbsl.in,inbound,001,World,0 -timesofindia.com,indiatimes.com,inbound,001,World,0 -timewarnercable.com,bigfootinteractive.com,inbound,001,World,0 -timeweb.ru,timeweb.ru,inbound,001,World,1 -tinyletterapp.com,tinyletterapp.com,inbound,001,World,0 -tiscali.it,tiscali.it,outbound,001,World,0 -tmart.com,chtah.net,inbound,001,World,0 -tmp.com,tmpw.com,inbound,001,World,0 -tobi.com,messagebus.com,inbound,001,World,0 -tobizaru.jp,tobizaru.jp,inbound,001,World,0 -tocoo.jp,aics.ne.jp,inbound,001,World,0 -toluna.com,toluna.com,inbound,001,World,0 -tomtommailer.com,tomtommailer.com,inbound,001,World,0 -topface.com,topface.com,inbound,001,World,1e-06 -topica.com,topica-silver-y.com,inbound,001,World,0 -topqpon.si,topqpon.si,inbound,001,World,0 -topspin.net,topspin.net,inbound,001,World,1 -totaljobsmail.co.uk,totaljobsmail.co.uk,inbound,001,World,0 -touchbase2.com,infimail.com,inbound,001,World,0 -touchbase2.com,mailurja.com,inbound,001,World,0 -touchbasepro.com,touchbasepro.com,inbound,001,World,0 -tower.jp,tower.jp,inbound,001,World,0 -townhallmail.com,townhallmail.com,inbound,001,World,0 -townnews-mail.com,townnews-mail.com,inbound,001,World,0 -townsquaremedia.info,sailthru.com,inbound,001,World,0 -toysrus.com,epsl1.com,inbound,001,World,0 -trabajar.com,trabajo.org,inbound,001,World,0.999997 -trabalhar.com,trabajo.org,inbound,001,World,0.999994 -tradeloop.com,tradeloop.com,inbound,001,World,1 -trademe.co.nz,trademe.co.nz,inbound,001,World,0.991916 -trafficboostermailer.com,trafficboostermailer.com,inbound,001,World,1 -trafficleads2incomevm.com,zoothost.com,inbound,001,World,0 -trafficprolist.com,thomas-j-brown.com,inbound,001,World,0 -trafficwave.net,trafficwave.net,inbound,001,World,0 -transittraveljobinsider.com,transittraveljobinsider.com,inbound,001,World,0 -transportexchangegroup.com,transportexchangegroup.com,inbound,001,World,0.998703 -transversal.net,transversal.net,inbound,001,World,1 -travelchannel.com,travelchannel.com,inbound,001,World,0 -travelocity.com,travelocity.com,inbound,001,World,0.000194 -travelzoo.com,travelzoo.com,inbound,001,World,0 -travisperkins.co.uk,travisperkins.co.uk,inbound,001,World,0 -trclient.com,trclient.com,inbound,001,World,0 -treemall.com.tw,symphox.com,inbound,001,World,0 -trello.com,mandrillapp.com,inbound,001,World,1 -trialsmith.com,membercentral.com,inbound,001,World,0 -tricaemidia.com.br,tricaemidia.com.br,inbound,001,World,0 -triongames.com,triongames.com,inbound,001,World,0.085718 -tripadvisor.com,tripadvisor.com,inbound,001,World,0.000588 -tripit.com,tripit.com,inbound,001,World,0 -tripolis.com,tripolis.com,inbound,001,World,0 -trovit.com,trovit.com,inbound,001,World,0 -trulia.com,trulia.com,inbound,001,World,0 -tsite.jp,tsite.jp,inbound,001,World,0 -tsmmail.com,tsmmail.com,inbound,001,World,0 -tsutaya.co.jp,tsutaya.co.jp,inbound,001,World,0 -tucasa.com,grupodtm.com,inbound,001,World,0 -tuesdaymorningmail.com,tuesdaymorningmail.com,inbound,001,World,0 -tumblr.com,tumblr.com,inbound,001,World,1 -turbine.com,turbine.com,inbound,001,World,0.013592 -turkcell.com.tr,turkcell.com.tr,inbound,001,World,0.043492 -turner.com,cnn.com,inbound,001,World,0 -twe-safelist.com,adminforfree.com,inbound,001,World,1 -twitch.tv,justin.tv,inbound,001,World,0 -twitter.com,postini.com,inbound,001,World,0.765163 -twitter.com,twitter.com,inbound,001,World,0.999969 -twoomail.com,netlogmail.com,inbound,001,World,0 -twoomail.com,twoomail.com,inbound,001,World,0 -type.jp,type.jp,inbound,001,World,0 -u-shopping.com.tw,u-shopping.com.tw,inbound,001,World,0 -uber.com,uber.com,inbound,001,World,1 -ubi.com,ubi.com,inbound,001,World,0 -ubivox.com,ubivox.com,inbound,001,World,0.956275 -ubuntu.com,canonical.com,inbound,001,World,0.000129 -ucla.edu,ucla.edu,inbound,001,World,0.806204 -udnpaper.com,udnpaper.com,inbound,001,World,0.998858 -udnshopping.com,udnshopping.com,inbound,001,World,0 -uga.edu,outlook.com,inbound,001,World,1 -uhaul.com,uhaul.com,inbound,001,World,0.997947 -uhcmedicaresolutions.com,uhcmedicaresolutions.com,inbound,001,World,0 -uiuc.edu,illinois.edu,inbound,001,World,0.999815 -ukr.net,fwdcdn.com,inbound,001,World,1 -ukr.net,ukr.net,outbound,001,World,0.999992 -ulta.com,exacttarget.com,inbound,001,World,0 -ulta.com,ulta.com,inbound,001,World,0.034861 -ulteem.com,ulteem.com,inbound,001,World,0 -ultimateadsites.net,ultimateadsites.net,inbound,001,World,1 -umd.edu,umd.edu,inbound,001,World,0.021709 -umn.edu,umn.edu,inbound,001,World,0.966992 -umpiredigital.com,inboxmarketer.com,inbound,001,World,0 -unilever.com,mxlogic.net,inbound,001,World,1 -uniqlo-usa.com,uniqlo-usa.com,inbound,001,World,0 -united.com,coair.com,inbound,001,World,1 -united.com,united.com,inbound,001,World,0 -unitedrepublic.org,unitedrepublic.org,inbound,001,World,1 -universalorlando.com,universalorlando.com,inbound,001,World,0 -unosinsidersclub.com,unosinsidersclub.com,inbound,001,World,0 -unrollmail.com,unrollmail.com,inbound,001,World,1 -uol.com.br,uol.com.br,inbound,001,World,0 -uol.com.br,uol.com.br,outbound,001,World,0 -upenn.edu,upenn.edu,inbound,001,World,0.16521 -upromise.com,delivery.net,inbound,001,World,0 -ups.com,ups.com,inbound,001,World,0.997955 -urbanoutfitters.com,freepeople.com,inbound,001,World,0 -urx.com.br,urx.com.br,inbound,001,World,0 -usaa.com,usaa.com,inbound,001,World,0.639434 -usafisnews.org,usafisnews.org,inbound,001,World,0 -usahockey-email.com,usahockey-email.com,inbound,001,World,0 -usajobs.gov,opm.gov,inbound,001,World,0.931948 -usc.edu,usc.edu,inbound,001,World,0.300314 -uscourts.gov,uscourts.gov,inbound,001,World,0 -uslargestsafelist.com,zoothost.com,inbound,001,World,0 -usndr.com,unisender.com,inbound,001,World,1 -usndr.com,usndr.com,inbound,001,World,1 -usp.br,usp.br,inbound,001,World,0.044176 -usps.com,usps.gov,inbound,001,World,0.909588 -usps.gov,usps.gov,inbound,001,World,0.940315 -ustream.tv,mailgun.net,inbound,001,World,1 -ustream.tv,mailgun.us,inbound,001,World,1 -usx.com.br,uqx.com.br,inbound,001,World,0 -usx.com.br,usx.com.br,inbound,001,World,0 -usx.com.br,utx.com.br,inbound,001,World,0 -utfsm.cl,utfsm.cl,inbound,001,World,0.002318 -utilitiesjobinsider.com,utilitiesjobinsider.com,inbound,001,World,0 -utx.com.br,utx.com.br,inbound,001,World,0 -uvarosa.com.br,uvarosa.com.br,inbound,001,World,0 -vacationstogo.com,vacationstogo.com,inbound,001,World,0 -vagas.com.br,vagas.com.br,inbound,001,World,0 -vakifbank.com.tr,vakifbank.com.tr,inbound,001,World,1 -valuedopinions.co.uk,researchnow-usa.com,inbound,001,World,1 -vanheusenrewards.com,vanheusenrewards.com,inbound,001,World,0 -vd.nl,emsecure.net,inbound,001,World,0 -velocityfrequentflyer.com,virginaustralia.com,inbound,001,World,0.003442 -venca.es,eccluster.com,inbound,001,World,0 -venere.com,kiwari.com,inbound,001,World,0 -vente-exclusive.com,vente-exclusive.com,inbound,001,World,0.000463 -venteprivee.com,venteprivee.com,inbound,001,World,0 -venusswimwear.net,venusswimwear.net,inbound,001,World,0 -verabradleymail.com,verabradleymail.com,inbound,001,World,0 -verizon.com,verizon.com,inbound,001,World,0.999793 -verizon.net,verizon.net,inbound,001,World,0.00713 -verizon.net,verizon.net,outbound,001,World,0 -verizon.net,yahoo.{...},inbound,001,World,0.999435 -verizonwireless.com,verizonwireless.com,inbound,001,World,0.972245 -vfoutletvip.com,vfoutletvip.com,inbound,001,World,0 -vhmnetworkemail.com,jobdiagnosis.com,inbound,001,World,0 -viagogo.com,chtah.net,inbound,001,World,0 -viajanet.com.br,viajanet.com.br,inbound,001,World,0.001345 -vicinity.nl,picsrv.net,inbound,001,World,0.022107 -victoriassecret.com,victoriassecret.com,inbound,001,World,0 -videotron.ca,videotron.ca,inbound,001,World,0.005886 -vietcombank.com.vn,vietcombank.com.vn,inbound,001,World,1 -vikingrivercruises.com,bfi0.com,inbound,001,World,0 -vimeo.com,vimeo.com,inbound,001,World,0 -vindale.com,vindale.com,inbound,001,World,0 -vipvoice.com,npdor.com,inbound,001,World,0 -viraladmagnet.com,viraladmagnet.com,inbound,001,World,1 -viralsender.com,viralsender.com,inbound,001,World,0 -virgilio.it,virgilio.net,inbound,001,World,0 -virginia.edu,virginia.edu,inbound,001,World,0.055153 -virtualtarget.com.br,virtualtarget.com.br,inbound,001,World,0 -vistaprint.com,vistaprint.com,inbound,001,World,0 -vistaprint.com.au,vistaprint.com.au,inbound,001,World,0 -visualsoft.co.uk,visualsoft.co.uk,inbound,001,World,0 -vitacost.com,vitacost.com,inbound,001,World,0 -vitaladviews.com,zoothost.com,inbound,001,World,0 -vitaminworld.com,email-nbtyinc.com,inbound,001,World,0 -vivastreet.com,viwii.net,inbound,001,World,0 -vk.com,vkontakte.ru,inbound,001,World,0 -vocus.com,vocus.com,inbound,001,World,0 -vodafone.com,vodafone.in,inbound,001,World,0.617518 -vonage.com,vonagenetworks.net,inbound,001,World,0.006531 -votervoice.net,votervoice.net,inbound,001,World,0 -vouchercloud.com,vouchercloud.com,inbound,001,World,0 -vovici.com,vovici.com,inbound,001,World,0 -voyageprive.com,cccampaigns.net,inbound,001,World,0 -voyageprive.es,ccmdcampaigns.net,inbound,001,World,0 -voyageprive.it,ccmdcampaigns.net,inbound,001,World,0 -voyages-sncf.com,neolane.net,inbound,001,World,0 -vpass.ne.jp,clickmailer.jp,inbound,001,World,0 -vpcontact.com,vpcontact.com,inbound,001,World,0 -vresp.com,verticalresponse.com,inbound,001,World,0 -vt.edu,vt.edu,inbound,001,World,0.978548 -vtext.com,vtext.com,inbound,001,World,0 -vtext.com,vtext.com,outbound,001,World,1 -vudu.com,vudu.com,inbound,001,World,0 -vueling.com,vueling.com,inbound,001,World,0 -vuezone.com,vuezone.com,inbound,001,World,0 -vzwpix.com,vtext.com,inbound,001,World,0 -wagjag.com,wagjag.com,inbound,001,World,0 -walgreens.com,walgreens.com,inbound,001,World,0.006128 -wallst.com,wallst.com,inbound,001,World,0 -wallstreetdaily.com,wallstreetdaily.com,inbound,001,World,0 -walmart.ca,walmart.ca,inbound,001,World,0 -walmart.com,walmart.com,inbound,001,World,0.315059 -wanadoo.fr,orange.fr,inbound,001,World,0 -wanadoo.fr,orange.fr,outbound,001,World,0 -warehouselogisticsjobinsider.com,warehouselogisticsjobinsider.com,inbound,001,World,0 -waterstones.com,waterstones.com,inbound,001,World,0 -wattpad.com,wattpad.com,inbound,001,World,1 -waves-audio.com,emv8.com,inbound,001,World,0 -way2movies.net,way2movies.net,inbound,001,World,0 -way2sms.biz,way2sms.biz,inbound,001,World,0 -way2sms.in,way2sms.in,inbound,001,World,0 -way2smsemail.com,way2smsemail.com,inbound,001,World,0 -way2smsemails.com,way2smsemails.com,inbound,001,World,0 -way2smsmail.in,way2smsmail.in,inbound,001,World,0 -way2smsmails.com,way2smsmails.com,inbound,001,World,0 -wayfair.com,csnstores.com,inbound,001,World,0 -wealthyaffiliate.com,wealthyaffiliate.com,inbound,001,World,1 -web.de,web.de,inbound,001,World,0.999986 -web.de,web.de,outbound,001,World,1 -webcas.net,webcas.net,inbound,001,World,0 -webmd.com,webmd.com,inbound,001,World,2e-06 -webs.com,epsl1.com,inbound,001,World,0 -websaver.ca,websaver.ca,inbound,001,World,0 -websitesettings.com,stabletransit.com,inbound,001,World,0 -websitewelcome.com,websitewelcome.com,inbound,001,World,1 -webstars2k.com,webstars2k.com,inbound,001,World,1 -wechat.com,qq.com,inbound,001,World,1 -weebly.com,weeblymail.com,inbound,001,World,0 -wegottickets.com,wegottickets.com,inbound,001,World,0 -weheartit.com,weheartit.com,inbound,001,World,1 -wehkamp.nl,wehkamp.nl,inbound,001,World,0 -wellsfargo.com,wellsfargo.com,inbound,001,World,1.0 -wellsfargoadvisors.com,wellsfargo.com,inbound,001,World,1 -wemakeprice.com,wemakeprice.com,inbound,001,World,0 -westelm.com,westelm.com,inbound,001,World,0 -westmarine.com,westmarine.com,inbound,001,World,0 -westwing.com.br,cust-cluster.com,inbound,001,World,0 -westwing.es,ecm-cluster.com,inbound,001,World,0 -westwing.ru,ecm-cluster.com,inbound,001,World,0 -wetransfer.com,wetransfer.com,inbound,001,World,0.999751 -wetsealnewsletter.com,wetsealnewsletter.com,inbound,001,World,0 -wgbh.org,wgbh.org,inbound,001,World,0 -whaakky.com,whaakky.com,inbound,001,World,0 -whatcounts.com,wc09.net,inbound,001,World,0 -whentowork.com,whentowork.com,inbound,001,World,0 -whereareyounow.com,wayn.net,inbound,001,World,0 -whitehouse.gov,whitehouse.gov,inbound,001,World,0 -whitelabelpros.com,whitelabelpros.com,inbound,001,World,0 -wiggle.com,wiggle.com,inbound,001,World,0 -wikia.com,wikia.com,inbound,001,World,0.550228 -wikimedia.org,wikimedia.org,inbound,001,World,0 -william-reed.com,neolane.net,inbound,001,World,0 -williamhill.com,williamhill.com,inbound,001,World,0 -williams-sonoma.com,williams-sonoma.com,inbound,001,World,0 -windstream.net,windstream.net,inbound,001,World,0.002172 -wine.com,wine.com,inbound,001,World,0 -winkalmail.com,fnbox.com,inbound,001,World,0 -wisdomitservices.com,infimail.com,inbound,001,World,0 -wldemail-mailer.com,wldemail.com,inbound,001,World,0 -wldemail.com,emarsys.net,inbound,001,World,0 -wmtransfer.com,wmtransfer.com,inbound,001,World,0 -wnd.com,emv4.net,inbound,001,World,0 -wnd.com,worldnetdaily.com,inbound,001,World,0 -wolfmedia.us,wolfmedia.us,inbound,001,World,0 -womanwithin.com,womanwithin.com,inbound,001,World,0 -woodforest.com,woodforest.com,inbound,001,World,1 -wordfly.com,wordfly.com,inbound,001,World,0 -work.ua,work.ua,inbound,001,World,1 -workcircle.com,workcircle.net,inbound,001,World,0 -workhunter.net,workhunter.net,inbound,001,World,1 -workingincanada.gc.ca,sdc-dsc.gc.ca,inbound,001,World,0 -worldsingles.co,worldsingles.com,inbound,001,World,0 -worldwinner.com,worldwinner.com,inbound,001,World,0.112191 -wotif.com,whatcounts.com,inbound,001,World,0 -wowcher.co.uk,wowcher.co.uk,inbound,001,World,0.000373 -wp.com,wordpress.com,inbound,001,World,0 -wp.pl,wp.pl,inbound,001,World,0.998027 -wp.pl,wp.pl,outbound,001,World,1 -wpengine.com,wpengine.com,inbound,001,World,1 -writers-community.com,writers-community.com,inbound,001,World,0 -writersstore.com,writersstore.com,inbound,001,World,0 -wsjemail.com,wsjemail.com,inbound,001,World,0 -wuaki.tv,chtah.net,inbound,001,World,0 -wustl.edu,app-info.net,inbound,001,World,0 -wwe.com,wwe.com,inbound,001,World,8e-06 -www.gov.tw,hinet.net,inbound,001,World,8e-05 -wyndhamhotelgroup.com,wyndhamhotelgroup.com,inbound,001,World,0 -xbox.com,xbox.com,inbound,001,World,0 -xcelenergy-emailnews.com,xcelenergy-emailnews.com,inbound,001,World,0 -xen.org,xen.org,inbound,001,World,1 -xing.com,xing.com,inbound,001,World,0 -xmailix.com,xmailix.com,inbound,001,World,0 -xmeeting.com,xmeeting.com,inbound,001,World,1 -xmr3.com,messagereach.com,inbound,001,World,0.999933 -xoom.com,xoom.com,inbound,001,World,0 -xpnews.com.br,xpnews.com.br,inbound,001,World,1 -xxxconnect.com,infinitypersonals.com,inbound,001,World,0 -yahoo-inc.com,yahoo.{...},inbound,001,World,0.999974 -yahoo.co.jp,yahoo.co.jp,inbound,001,World,1.5e-05 -yahoo.co.jp,yahoo.co.jp,outbound,001,World,0 -yahoo.{...},postini.com,inbound,001,World,0.767368 -yahoo.{...},yahoo.co.jp,inbound,001,World,0 -yahoo.{...},yahoo.{...},inbound,001,World,0.999416 -yahoo.{...},yahoodns.net,outbound,001,World,1 -yahoogroups.com,yahoodns.net,outbound,001,World,1 -yakala.co,euromsg.net,inbound,001,World,0 -yammer.com,yammer.com,inbound,001,World,1 -yandex.ru,yandex.net,inbound,001,World,0.999698 -yandex.ru,yandex.ru,outbound,001,World,1 -yapikredi.com.tr,yapikredi.com.tr,inbound,001,World,1 -yapstone.com,yapstone.com,inbound,001,World,0 -yelp.com,yelpcorp.com,inbound,001,World,0 -yesbank.in,yesbank.in,inbound,001,World,0.108676 -yipit.com,yipit.com,inbound,001,World,1 -ymail.com,yahoo.{...},inbound,001,World,1 -ymail.com,yahoodns.net,outbound,001,World,1 -ymlpserver.net,ymlpserver.net,inbound,001,World,0 -ymlpsrv.net,ymlpsrv.net,inbound,001,World,0 -yodobashi.com,yodobashi.com,inbound,001,World,0 -yoox.com,yoox.com,inbound,001,World,0 -youmail.com,youmail.com,inbound,001,World,0 -youravon.com,email-avonglobal.com,inbound,001,World,0 -youreletters3.com,equitymaster.com,inbound,001,World,0 -yourezads.com,yourezads.com,inbound,001,World,0.002974 -yourezlist.com,simplicityads.com,inbound,001,World,9.5e-05 -yourhostingaccount.com,yourhostingaccount.com,inbound,001,World,0 -yournewsletters.net,everydayhealth.com,inbound,001,World,0 -youversion.com,youversion.com,inbound,001,World,1 -zacks.com,zacks.com,inbound,001,World,0.999188 -zalando.be,fagms.de,inbound,001,World,0 -zalando.dk,fagms.de,inbound,001,World,0 -zalando.fi,fagms.de,inbound,001,World,0 -zalando.it,fagms.de,inbound,001,World,0 -zalando.nl,fagms.de,inbound,001,World,0 -zalando.pl,fagms.de,inbound,001,World,0 -zappos.com,zappos.com,inbound,001,World,0.626758 -zara.com,cheetahmail.com,inbound,001,World,0 -zattoo.com,sendnode.com,inbound,001,World,0 -zelonews.com.br,zelonews.com.br,inbound,001,World,0 -zendesk.com,zdsys.com,inbound,001,World,1 -zgalleriestyle.com,zgalleriestyle.com,inbound,001,World,0 -zibmail.info,zibmail.info,inbound,001,World,2e-06 -zillow.com,zillow.com,inbound,001,World,2.82542783334609e-07 -zinio.com,zinio.com,inbound,001,World,0.006193 -zinio.net,zinio.com,inbound,001,World,1 -zipalerts.com,sendgrid.net,inbound,001,World,1 -zipalerts.com,zipalerts.com,inbound,001,World,1 -ziprealty.com,ziprealty.com,inbound,001,World,0.994545 -ziprecruiter.com,ziprecruiter.com,inbound,001,World,1 -zivamewear.com,infimail.com,inbound,001,World,0 -zizigo.com,euromsg.net,inbound,001,World,0 -zlavadna.sk,zlavadna.sk,inbound,001,World,0 -zoom.com.br,zoom.com.br,inbound,001,World,0 -zoominternet.net,synacor.com,inbound,001,World,0 -zoosk.com,zoosk.com,inbound,001,World,0 -zoothost.com,zoothost.com,inbound,001,World,0.107168 -zorpia.com,zorpia.com,inbound,001,World,0.56104 -zovifashion.com,eccluster.com,inbound,001,World,0 -zulily.com,zulily.com,inbound,001,World,0 -zumzi.com,neogen.ro,inbound,001,World,0 -zumzi.com,zumzi.com,inbound,001,World,0 -zyngamail.com,zyngamail.com,inbound,001,World,0 -zzounds.com,zzounds.com,inbound,001,World,0 -careers24.com,careers24.com,inbound,002,Africa,0 -cpm.co.ma,cpm.co.ma,inbound,002,Africa,0 -fnb.co.za,fnb.co.za,inbound,002,Africa,0 -gmail.com,telkomadsl.co.za,inbound,002,Africa,0.999989 -gmail.com,vodacom.co.za,inbound,002,Africa,1 -gtbank.com,gtbank.com,inbound,002,Africa,0.056121 -pnetweb.co.za,hosting.co.za,inbound,002,Africa,0 -pnetweb.co.za,salesnet.co.za,inbound,002,Africa,0 -bigpond.com,bigpond.com,inbound,009,Oceania,0 -bigpond.com,bigpond.com,outbound,009,Oceania,1 -empoweredcomms.com.au,empoweredcomms.com.au,inbound,009,Oceania,0 -gmail.com,bigpond.net.au,inbound,009,Oceania,0.999907 -gmail.com,iinet.net.au,inbound,009,Oceania,0.966945 -gmail.com,optusnet.com.au,inbound,009,Oceania,0.992845 -gmail.com,tpgi.com.au,inbound,009,Oceania,0.999648 -mbounces.com,emdbms.com,inbound,009,Oceania,0 -realestate.com.au,realestate.com.au,inbound,009,Oceania,0 -snaphire.com,snaphire.com,inbound,009,Oceania,0 -trademe.co.nz,trademe.co.nz,inbound,009,Oceania,0.991916 -1-day.co.nz,1-day.co.nz,inbound,019,Americas,0 -12manage.com,netarrest.com,inbound,019,Americas,0.99998 -1800petmeds.com,1800petmeds.com,inbound,019,Americas,0.00599 -2touchbase.com,infimail.com,inbound,019,Americas,0 -4wheelparts.com,4wheelparts.com,inbound,019,Americas,0 -99acres.com,99acres.com,inbound,019,Americas,0 -aafes.com,aafes.com,inbound,019,Americas,0 -abercrombie-email.com,abercrombie-email.com,inbound,019,Americas,0 -abercrombiekids-email.com,abercrombie-email.com,inbound,019,Americas,0 -about.com,about.com,inbound,019,Americas,0 -about.com,sailthru.com,inbound,019,Americas,0 -acemserv.com,acemserv.com,inbound,019,Americas,0 -activesafelist.com,zoothost.com,inbound,019,Americas,0 -adidasusnews.com,adidasusnews.com,inbound,019,Americas,0 -adjockeys.com,thomas-j-brown.com,inbound,019,Americas,0 -admastersafelist.com,zoothost.com,inbound,019,Americas,0 -adorama.com,adorama.com,inbound,019,Americas,0 -adpirate.net,thomas-j-brown.com,inbound,019,Americas,0 -adtpulse.com,adtpulse.com,inbound,019,Americas,0 -ae.com,ae.com,inbound,019,Americas,0 -aexp.com,aexp.com,inbound,019,Americas,1 -affairalert.com,iverificationsystems.com,inbound,019,Americas,0 -agorafinancial.com,agorafinancial.com,inbound,019,Americas,0 -airbnb.com,airbnb.com,inbound,019,Americas,0.867975 -airbrake.io,mailgun.net,inbound,019,Americas,1 -airfarewatchdog.com,smartertravelmedia.com,inbound,019,Americas,0.012002 -airmiles.ca,bigfootinteractive.com,inbound,019,Americas,0 -akcijatau.lt,akcijatau.lt,inbound,019,Americas,0 -alarm.com,alarm.com,inbound,019,Americas,0 -alarmnet.com,alarmnet.com,inbound,019,Americas,0 -alaskaair.com,alaskaair.com,inbound,019,Americas,0 -alertid.com,alertid.com,inbound,019,Americas,0 -allheart.com,allheart.com,inbound,019,Americas,0 -allmodern.com,allmodern.com,inbound,019,Americas,0 -allout.org,allout.org,inbound,019,Americas,1 -allrecipes.com,allrecipes.com,inbound,019,Americas,0 -allstate.com,rsys1.com,inbound,019,Americas,0 -alm.com,sailthru.com,inbound,019,Americas,0 -alumniclass.com,alumniclass.com,inbound,019,Americas,0 -alumniconnections.com,alumniconnections.com,inbound,019,Americas,0 -amazon.{...},postini.com,inbound,019,Americas,0.658136 -amazonses.com,postini.com,inbound,019,Americas,0.733998 -americanas.com,americanas.com,inbound,019,Americas,0 -americanbar.org,abanet.org,inbound,019,Americas,0.00574 -amubm.com,amubm.com,inbound,019,Americas,1 -ancestry.com,ancestry.com,inbound,019,Americas,0 -angelbroking.in,infimail.com,inbound,019,Americas,0 -anghami.com,mailgun.net,inbound,019,Americas,1 -anthropologie.com,freepeople.com,inbound,019,Americas,0 -aol.com,aol.com,inbound,019,Americas,0.999528 -aol.com,aol.com,outbound,019,Americas,0.999984 -aol.com,sailthru.com,inbound,019,Americas,0 -aol.net,aol.com,inbound,019,Americas,1 -apache.org,apache.org,inbound,019,Americas,0 -apnacomplex.com,apnacomplex.com,inbound,019,Americas,0.999981 -apply-4-jobs.com,apply-4-jobs.com,inbound,019,Americas,0 -aptmail.in,mailurja.com,inbound,019,Americas,0 -arcamax.com,arcamax.com,inbound,019,Americas,1.4e-05 -aritzia.com,aritzia.com,inbound,019,Americas,0 -armaniexchange.com,bronto.com,inbound,019,Americas,0 -asadventure.com,asadventure.com,inbound,019,Americas,0 -asana.com,asana.com,inbound,019,Americas,1 -ashleymadison.com,ashleymadison.com,inbound,019,Americas,1 -asos.com,asos.com,inbound,019,Americas,0 -assembla.com,assembla.com,inbound,019,Americas,1 -astrology.com,astrology.com,inbound,019,Americas,0 -astrology.com,hsnlmailsvc.com,inbound,019,Americas,0 -astrology.com,webstakes.com,inbound,019,Americas,0 -astrology.com,wsafmailsvc.com,inbound,019,Americas,0 -atlassian.net,uc-inf.net,inbound,019,Americas,1 -atrapalo.cl,atrapalo.com,inbound,019,Americas,0 -atrapalo.com,atrapalo.com,inbound,019,Americas,0 -att-mail.com,att-mail.com,inbound,019,Americas,1.9e-05 -att-mail.com,att.com,inbound,019,Americas,0.999966 -att.net,att.net,outbound,019,Americas,0.204629 -att.net,mycingular.net,inbound,019,Americas,0.00021 -att.net,yahoo.{...},inbound,019,Americas,1 -australiagsm.net,australiagsm.net,inbound,019,Americas,0 -autoloop.us,loop28.com,inbound,019,Americas,0 -avaaz.org,avaaz.org,inbound,019,Americas,0 -avalanchesafelist.com,zoothost.com,inbound,019,Americas,0 -aveda.com,esteelauder.com,inbound,019,Americas,0 -avenue.com,avenue.com,inbound,019,Americas,0 -avg.com,avg.com,inbound,019,Americas,0 -avomail.com,avomail.com,inbound,019,Americas,0 -b2b-mail.net,b2b-mail.net,inbound,019,Americas,0 -b2b-mail.net,contact-list.net,inbound,019,Americas,0 -babycenter.com,rsys3.com,inbound,019,Americas,0 -babyoye.com,babyoye.com,inbound,019,Americas,0.011564 -badoo.com,monopost.com,inbound,019,Americas,1 -baligam.co.il,baligam.co.il,inbound,019,Americas,1 -banamex.com,ibrands.es,inbound,019,Americas,0 -bancoahorrofamsa.com,avantel.net.mx,inbound,019,Americas,1 -bancomercorreo.com,bancomercorreo.com,inbound,019,Americas,0 -bandsintown.com,bandsintown.com,inbound,019,Americas,1 -barclaycard.co.uk,barclays.co.uk,inbound,019,Americas,0 -barenecessities.com,barenecessities.com,inbound,019,Americas,0 -barleyment.ca,barleyment.ca,inbound,019,Americas,0 -barneys.com,barneys.com,inbound,019,Americas,0 -baseballsavings.com,baseballsavings.com,inbound,019,Americas,0 -basspronews.com,basspronews.com,inbound,019,Americas,0 -bathandbodyworks.com,bathandbodyworks.com,inbound,019,Americas,0 -baublebar.com,baublebar.com,inbound,019,Americas,0.011219 -bayt.com,bayt.com,inbound,019,Americas,2e-06 -bcp.com.pe,bcp.com.pe,inbound,019,Americas,1 -bellsouth.net,att.net,outbound,019,Americas,0 -bellsouth.net,yahoo.{...},inbound,019,Americas,1 -bergdorfgoodmanemail.com,neimanmarcusemail.com,inbound,019,Americas,0 -bespokeoffers.co.uk,chtah.net,inbound,019,Americas,0 -bestbuy.ca,bestbuy.ca,inbound,019,Americas,0 -bestdealsforyou.in,elabs5.com,inbound,019,Americas,0 -bevmo.com,bevmo.com,inbound,019,Americas,0.000967 -bhcosmetics.com,bronto.com,inbound,019,Americas,0 -bhg.com,meredith.com,inbound,019,Americas,0 -bigfishgames.com,bigfishgames.com,inbound,019,Americas,0 -biglist.com,biglist.com,inbound,019,Americas,0 -bigtent.com,carezen.net,inbound,019,Americas,0 -bionexo.com,bionexo.com.br,inbound,019,Americas,0.999594 -birthdayalarm.com,monkeyinferno.net,inbound,019,Americas,0 -bitbucket.org,bitbucket.org,inbound,019,Americas,0 -bitlysupport.com,mailgun.info,inbound,019,Americas,1 -bitlysupport.com,mailgun.us,inbound,019,Americas,1 -bitslane.email,bitslane.email,inbound,019,Americas,0 -bitstatement.org,bitstatement.org,inbound,019,Americas,1 -bizjournals.com,bizjournals.com,inbound,019,Americas,0 -bizmailtoday.com,bizmailtoday.com,inbound,019,Americas,0 -bjs.com,bjs.com,inbound,019,Americas,0 -blablacar.com,blablacar.com,inbound,019,Americas,1 -blackberry.com,blackberry.com,inbound,019,Americas,0 -blackboard.com,blackboard.com,inbound,019,Americas,1 -blissworld.com,lstrk.net,inbound,019,Americas,1 -bloomingdales.com,bloomingdales.com,inbound,019,Americas,0 -bloomingdalesoutlets.com,bloomingdalesoutlets.com,inbound,019,Americas,0 -bluehost.com,bluehost.com,inbound,019,Americas,0.000971 -bluehost.com,hostmonster.com,inbound,019,Americas,0 -bluehost.com,unifiedlayer.com,inbound,019,Americas,0 -blueshellgames.com,blueshellgames.com,inbound,019,Americas,0 -bluestatedigital.com,bluestatedigital.com,inbound,019,Americas,0 -bluestonemx.com,bluestonemx.com,inbound,019,Americas,1 -bm23.com,bronto.com,inbound,019,Americas,0 -bm324.com,bronto.com,inbound,019,Americas,0 -bmdeda99.com,bmdeda99.com,inbound,019,Americas,0 -bn.com,bn.com,inbound,019,Americas,0 -bnetmail.com,bnetmail.com,inbound,019,Americas,0 -bol.com.br,bol.com.br,inbound,019,Americas,0 -bol.com.br,bol.com.br,outbound,019,Americas,0 -boletinrenuevo.com,boletinrenuevo.com,inbound,019,Americas,0 -bomnegocio.com,bomnegocio.com,inbound,019,Americas,0.588708 -bonobos.com,bronto.com,inbound,019,Americas,0 -bookbub.com,bookbub.com,inbound,019,Americas,1 -booking.com,booking.com,inbound,019,Americas,1 -bookingbuddy.com,smartertravelmedia.com,inbound,019,Americas,0.000487 -boomtownroi.com,boomtownroi.com,inbound,019,Americas,0 -boscovs.com,boscovs.com,inbound,019,Americas,0 -bostonproper.com,bostonproper.com,inbound,019,Americas,0 -boutiquesecret.com,chtah.net,inbound,019,Americas,0 -bradfordexchange.com,bradfordexchange.com,inbound,019,Americas,0 -bradsdeals.com,bradsdeals.com,inbound,019,Americas,0 -brassring.com,brassring.com,inbound,019,Americas,1 -briantracyintl.com,briantracyintl.com,inbound,019,Americas,0 -brijj.com,brijj.com,inbound,019,Americas,0 -brincltd.com,brincltd.com,inbound,019,Americas,0 -bronto.com,bronto.com,inbound,019,Americas,0 -bsf01.com,bsftransmit33.com,inbound,019,Americas,0 -buffalo.edu,buffalo.edu,inbound,019,Americas,0.001059 -bumeran.com,bumeran.com,inbound,019,Americas,0 -burlingtoncoatfactory.com,burlingtoncoatfactory.com,inbound,019,Americas,0 -burton.co.uk,burton.co.uk,inbound,019,Americas,0 -buscojobs.com,amazonaws.com,inbound,019,Americas,0 -buy123.com.tw,buy123.com.tw,inbound,019,Americas,1 -bzm.mobi,nmsrv.com,inbound,019,Americas,1 -c21stores.com,c21stores.com,inbound,019,Americas,0 -ca.gov,ca.gov,inbound,019,Americas,0.702758 -cafepress.com,cafepress.com,inbound,019,Americas,0.000778 -caixa.gov.br,caixa.gov.br,inbound,019,Americas,0 -californiapsychicsemail.com,californiapsychicsemail.com,inbound,019,Americas,0 -calottery.com,calottery.com,inbound,019,Americas,0.999426 -camel.com,rjrsignup.com,inbound,019,Americas,0 -canadianvisaexpert.net,canadianvisaexpert.net,inbound,019,Americas,0 -cancer.org,delivery.net,inbound,019,Americas,0 -capillary.co.in,capillary.co.in,inbound,019,Americas,1 -capitalone.com,bigfootinteractive.com,inbound,019,Americas,0 -capitalone360.com,ingdirect.com,inbound,019,Americas,0 -care.com,care.com,inbound,019,Americas,0 -care2.com,care2.com,inbound,019,Americas,0 -careerage.com,careerage.com,inbound,019,Americas,0 -careerflash.net,careerflash.net,inbound,019,Americas,1 -carmamail.com,carmamail.com,inbound,019,Americas,0 -carnivalfunmail.com,carnivalfunmail.com,inbound,019,Americas,0 -carolsdaughter.com,carolsdaughter.com,inbound,019,Americas,0 -carwale.com,carwale.com,inbound,019,Americas,0 -case.edu,cwru.edu,inbound,019,Americas,0.999942 -castingnetworks.com,castingnetworks.com,inbound,019,Americas,0.000102 -causes.com,causes.com,inbound,019,Americas,1 -cb2.com,cb2.com,inbound,019,Americas,0 -cbsig.net,cbsig.net,inbound,019,Americas,1 -ccbchurch.com,ccbchurch.com,inbound,019,Americas,1 -ccialerts.com,ccialerts.com,inbound,019,Americas,0 -ccs.com,footlocker.com,inbound,019,Americas,2.5e-05 -cenlat.com,cenlat.com,inbound,019,Americas,0.064459 -cerberusapp.com,cerberusapp.com,inbound,019,Americas,1 -cfmvmail.com,cfmvmail.com,inbound,019,Americas,0 -chabad.org,chabad.org,inbound,019,Americas,0 -champssports.com,footlocker.com,inbound,019,Americas,0.000131 -change.org,change.org,inbound,019,Americas,1 -charlestyrwhitt.com,charlestyrwhitt.com,inbound,019,Americas,0 -charter.net,charter.net,inbound,019,Americas,0 -charter.net,charter.net,outbound,019,Americas,0 -chase.com,jpmchase.com,inbound,019,Americas,0.999999 -chatcitynotifications.com,chatcitynotifications.com,inbound,019,Americas,0 -chaturbate.com,chaturbate.com,inbound,019,Americas,1 -cheapairmailer.com,cheapairmailer.com,inbound,019,Americas,0 -check.me,check.me,inbound,019,Americas,0 -cheekylovers.com,ropot.net,inbound,019,Americas,0 -chess.com,chess.com,inbound,019,Americas,1 -chicagotribune.com,latimes.com,inbound,019,Americas,0 -chicos.com,chicos.com,inbound,019,Americas,0.000156 -childrensplace.com,childrensplace.com,inbound,019,Americas,0 -christianbook.com,christianbook.com,inbound,019,Americas,1 -christianmingle.com,christianmingle.com,inbound,019,Americas,0 -chtah.com,chtah.net,inbound,019,Americas,0 -chtah.net,chtah.net,inbound,019,Americas,0 -cincghq.com,searchhomesingta.com,inbound,019,Americas,1 -circleofmomsmail.com,circleofmomsmail.com,inbound,019,Americas,0 -citibank.com,bigfootinteractive.com,inbound,019,Americas,0 -ck.com,ck.com,inbound,019,Americas,0 -clarks.com,clarks.com,inbound,019,Americas,0 -clickdimensions.com,clickdimensions.com,inbound,019,Americas,0 -clickexperts.net,clickexperts.net,inbound,019,Americas,0 -clicktoviewthisurl.org,clicktoviewthisurl.org,inbound,019,Americas,0 -climber.com,climber.com,inbound,019,Americas,0 -clinique.com,esteelauder.com,inbound,019,Americas,0 -clubcupon.com.ar,clubcupon.com.ar,inbound,019,Americas,0 -cmm01.com,coremotivesmarketing.com,inbound,019,Americas,0 -coach.com,delivery.net,inbound,019,Americas,0 -codeproject.com,codeproject.com,inbound,019,Americas,0 -coldwatercreek.com,coldwatercreek.com,inbound,019,Americas,0 -collectionsetc.com,collectionsetc.com,inbound,019,Americas,0 -columbia.edu,columbia.edu,inbound,019,Americas,0.762355 -comcast.net,comcast.net,inbound,019,Americas,0.919244 -comcast.net,comcast.net,outbound,019,Americas,0.999998 -comenity.net,alldata.net,inbound,019,Americas,1 -comenity.net,bigfootinteractive.com,inbound,019,Americas,0 -commonfloor.com,commonfloor.com,inbound,019,Americas,1 -compute.internal,amazonaws.com,inbound,019,Americas,0.875148 -computerworld.com,computerworld.com,inbound,019,Americas,0 -comunicacaodemkt.com,locaweb.com.br,inbound,019,Americas,0 -constantcontact.com,confirmedcc.com,inbound,019,Americas,0 -constantcontact.com,constantcontact.com,inbound,019,Americas,5.3e-05 -constantcontact.com,postini.com,inbound,019,Americas,0.042128 -containerstore.com,containerstore.com,inbound,019,Americas,0 -convio.net,convio.net,inbound,019,Americas,0 -coremotivesmarketing.com,coremotivesmarketing.com,inbound,019,Americas,0 -cornell.edu,cornell.edu,inbound,019,Americas,0.192285 -correosocc.com,correosocc.com,inbound,019,Americas,1 -costco.co.uk,costco.com,inbound,019,Americas,0 -costco.com,costco.com,inbound,019,Americas,7e-06 -costcophotocenter.com,wc09.net,inbound,019,Americas,0 -costcoservices.com,costco.com,inbound,019,Americas,0 -cotswoldoutdoor.com,cotswoldoutdoor.com,inbound,019,Americas,0 -couchsurfing.org,couchsurfing.com,inbound,019,Americas,0 -couponamama.com,couponamama.com,inbound,019,Americas,1 -cox.com,cox.com,inbound,019,Americas,0.001665 -cox.net,cox.net,inbound,019,Americas,0.009187 -cox.net,cox.net,outbound,019,Americas,0 -coyotelogistics.com,postini.com,inbound,019,Americas,0 -cp20.com,cp20.com,inbound,019,Americas,0 -cpbnc.com,cpbnc.com,inbound,019,Americas,0 -cpbnc.com,fye.com,inbound,019,Americas,0 -crackle.com,crackle.com,inbound,019,Americas,0 -craigslist.org,craigslist.org,inbound,019,Americas,0 -craigslist.org,craigslist.org,outbound,019,Americas,1 -crashlytics.com,crashlytics.com,inbound,019,Americas,1 -crashlytics.com,sendgrid.net,inbound,019,Americas,1 -crateandbarrel.com,crateandbarrel.com,inbound,019,Americas,0 -creationsrewards.net,creationsrewards.net,inbound,019,Americas,0 -creditkarma.com,creditkarma.com,inbound,019,Americas,1 -crosswalkmail.com,crosswalkmail.com,inbound,019,Americas,0 -crowdcut.com,crowdcut.com,inbound,019,Americas,1 -crunchyroll.com,crunchyroll.com,inbound,019,Americas,0 -cumulusdist.net,cumulusdist.net,inbound,019,Americas,0 -cuponatic.com.pe,cuponatic.com.pe,inbound,019,Americas,1 -cuponicamail.com,fnbox.com,inbound,019,Americas,0 -curbednetwork.com,curbednetwork.com,inbound,019,Americas,1 -cuspemail.com,neimanmarcusemail.com,inbound,019,Americas,0 -custombriefings.com,custombriefings.com,inbound,019,Americas,0 -customercenter.net,customercenter.net,inbound,019,Americas,0.996453 -customeriomail.com,customeriomail.com,inbound,019,Americas,1 -cxomedia.com,cxomedia.com,inbound,019,Americas,0 -cybercoders.com,cybercoders.com,inbound,019,Americas,0 -dafiti.cl,dafiti.cl,inbound,019,Americas,0 -dailyhoroscope.com,tarot.com,inbound,019,Americas,0 -datehookup.com,datehookup.com,inbound,019,Americas,0 -datingvipnotifications.com,datingvipnotifications.com,inbound,019,Americas,0 -daviacalendar.com,daviacalendar.com,inbound,019,Americas,1 -davidsbridal.com,davidsbridal.com,inbound,019,Americas,0 -davidstea.com,bronto.com,inbound,019,Americas,0 -daz3d.com,bronto.com,inbound,019,Americas,0 -dealersocket.com,dealersocket.com,inbound,019,Americas,0 -dealsaver.com,secondstreetmedia.com,inbound,019,Americas,0.999823 -debshops.com,lstrk.net,inbound,019,Americas,1 -deliasshopemail.com,deliasshopemail.com,inbound,019,Americas,0 -delivery.net,delivery.net,inbound,019,Americas,0 -delivery.net,m0.net,inbound,019,Americas,0 -dell.com,bfi0.com,inbound,019,Americas,0 -dentalsenders.com,dentalsenders.com,inbound,019,Americas,0 -descontos.pt,descontos.pt,inbound,019,Americas,0 -designerapparel.com,myperfectsale.com,inbound,019,Americas,1 -despegar.com,despegar.com,inbound,019,Americas,0 -dhgate.com,chtah.net,inbound,019,Americas,0 -dice.com,dice.com,inbound,019,Americas,0 -digitalmailer.com,digitalmailer.com,inbound,019,Americas,0 -digitalmedia-comunicacion.es,chtah.net,inbound,019,Americas,0 -digitalromanceinc.com,digitalromanceinc.com,inbound,019,Americas,1 -directv.com,directv.com,inbound,019,Americas,0.026649 -discover.com,discoverfinancial.com,inbound,019,Americas,1 -disparadordeemails.com,locaweb.com.br,inbound,019,Americas,0 -disqus.net,disqus.net,inbound,019,Americas,0 -dn.net,naukri.com,inbound,019,Americas,0 -docusign.net,docusign.net,inbound,019,Americas,0.985435 -donationnet.net,donationnet.net,inbound,019,Americas,0 -dorothyperkins.com,dorothyperkins.com,inbound,019,Americas,0 -dowjones.info,dowjones.info,inbound,019,Americas,0 -dptagent.biz,dptagent.biz,inbound,019,Americas,0 -dptagent.net,dptagent.net,inbound,019,Americas,0 -dreamhost.com,dreamhost.com,inbound,019,Americas,0 -dreamwidth.org,dreamwidth.org,inbound,019,Americas,0 -drhinternet.net,drhinternet.net,inbound,019,Americas,0 -driftem.com,emce2.in,inbound,019,Americas,0 -driftem.com,mailurja.com,inbound,019,Americas,0 -dropbox.com,dropbox.com,inbound,019,Americas,1 -dropboxmail.com,dropbox.com,inbound,019,Americas,1 -dsw.com,dsw.com,inbound,019,Americas,0 -ducks.org,uptilt.com,inbound,019,Americas,0 -duke.edu,duke.edu,inbound,019,Americas,0.308101 -dukecareers.com,dukecareers.com,inbound,019,Americas,1 -dvor.com,dvor.com,inbound,019,Americas,0 -dynamite-safelist.com,thomas-j-brown.com,inbound,019,Americas,0 -dynect-mailer.net,sendlabs.com,inbound,019,Americas,0 -e-activist.com,e-activist.com,inbound,019,Americas,0 -e-beallsonline.com,e-stagestores.com,inbound,019,Americas,0 -e-costco.mx,costco.com,inbound,019,Americas,0 -e-goodysonline.com,e-stagestores.com,inbound,019,Americas,0 -e-peebles.com,e-stagestores.com,inbound,019,Americas,0 -e-rewards.net,e-rewards.net,inbound,019,Americas,1 -e-stagestores.com,e-stagestores.com,inbound,019,Americas,0 -e-travelclub.es,e-travelclub.es,inbound,019,Americas,0 -e2ma.net,e2ma.net,inbound,019,Americas,1 -ea.com,ea.com,inbound,019,Americas,0.001232 -eaccess.net,postini.com,inbound,019,Americas,0 -earn-e-miles.com,earn-e-miles.com,inbound,019,Americas,0 -earnerslist.com,traxweb.net,inbound,019,Americas,9e-06 -earthfare-email.com,edclient2.com,inbound,019,Americas,0 -earthlink.net,earthlink.net,inbound,019,Americas,0.031648 -earthlink.net,earthlink.net,outbound,019,Americas,0 -eastbay.com,footlocker.com,inbound,019,Americas,0 -easyhealthoptions.com,easyhealthoptions.com,inbound,019,Americas,1 -easyroommate.com,easyroommate.com,inbound,019,Americas,0 -ebates.com,bfi0.com,inbound,019,Americas,0 -ebay.{...},ebay.{...},inbound,019,Americas,0.99941 -ebizac2.com,ebizac2.com,inbound,019,Americas,0 -eblastengine.com,secondstreetmedia.com,inbound,019,Americas,0.999827 -ec2.internal,amazonaws.com,inbound,019,Americas,0.769271 -ecasend.com,ecasend.com,inbound,019,Americas,0 -ed.gov,leepfrog.com,inbound,019,Americas,0.106381 -ed10.net,ed10.com,inbound,019,Americas,0 -edirect1.com,ivytech.edu,inbound,019,Americas,0 -edmodo.com,edmodo.com,inbound,019,Americas,1.1e-05 -educationzone.co.in,iaires.com,inbound,019,Americas,0 -effectivesafelist.com,zoothost.com,inbound,019,Americas,0 -eharmony.com,eharmony.com,inbound,019,Americas,1e-06 -eigbox.net,eigbox.net,inbound,019,Americas,0 -elabs3.com,elabs3.com,inbound,019,Americas,0 -elabs3.com,meritline.com,inbound,019,Americas,0 -elabs5.com,elabs5.com,inbound,019,Americas,0 -elabs6.com,elabs6.com,inbound,019,Americas,0 -elanceonline.com,elanceonline.com,inbound,019,Americas,0 -eleadtrack.net,eleadtrack.net,inbound,019,Americas,0 -elitesafelist.com,elitesafelist.com,inbound,019,Americas,0 -email-cooking.com,email-cooking.com,inbound,019,Americas,0 -email-galls.com,email-galls.com,inbound,019,Americas,1 -email-od.com,smtprelayserver.com,inbound,019,Americas,0.999779 -email-ticketdada.com,email-ticketdada.com,inbound,019,Americas,1 -email4-beyond.com,email4-beyond.com,inbound,019,Americas,0 -emailcounts.com,secureserver.net,inbound,019,Americas,0 -emaildir2.com,emaildirect.net,inbound,019,Americas,0 -emaildir2.com,espsnd.com,inbound,019,Americas,0 -emailnotify.net,emailnotify.net,inbound,019,Americas,0.961424 -emailsbancoestado.cl,emailsbancoestado.cl,inbound,019,Americas,0 -emailsripley.cl,etarget.cl,inbound,019,Americas,0 -embluejet.com,embluejet.com,inbound,019,Americas,0 -embluejet.com,emblueuser.com,inbound,019,Americas,0 -emcsend.com,emcsend.com,inbound,019,Americas,0 -emergencyemail.org,emergencyemail.org,inbound,019,Americas,0 -emktsender.net,locaweb.com.br,inbound,019,Americas,0 -emma.cl,emma.cl,inbound,019,Americas,0.996895 -emobile.ad.jp,postini.com,inbound,019,Americas,0 -employboard.com,employboard.com,inbound,019,Americas,1 -entregadeemails.com,locaweb.com.br,inbound,019,Americas,0 -entregadordecampanhas.net,locaweb.com.br,inbound,019,Americas,0 -enviodecampanhas.net,locaweb.com.br,inbound,019,Americas,0 -enviodemkt.com.br,locaweb.com.br,inbound,019,Americas,0 -epriority.com,epriority.com,inbound,019,Americas,0 -equifax.com,equifax.com,inbound,019,Americas,1 -equussafelist.com,equussafelist.com,inbound,019,Americas,0.000265 -esri.com,esri.com,inbound,019,Americas,0.983104 -esteelauder.com,esteelauder.com,inbound,019,Americas,0 -evanguard.com,evanguard.com,inbound,019,Americas,0 -eventbrite.com,eventbrite.com,inbound,019,Americas,0 -eversavelocal.com,eversavelocal.com,inbound,019,Americas,0 -everydayhealthinc.com,waterfrontmedia.net,inbound,019,Americas,0 -everyjobforme.com,everyjobforme.com,inbound,019,Americas,0 -exchangesolutions.com,exchangesolutions.com,inbound,019,Americas,0.000143 -exec-u-net-mail.com,exec-u-net-mail.com,inbound,019,Americas,0 -exprpt.com,exprpt.com,inbound,019,Americas,0 -expvtinboxhub.net,expvtinboxhub.net,inbound,019,Americas,0 -fabletics.com,bronto.com,inbound,019,Americas,0 -facebook.com,facebook.com,inbound,019,Americas,0.719445 -facebook.com,facebook.com,outbound,019,Americas,1 -facebookappmail.com,facebook.com,inbound,019,Americas,1 -facebookmail.com,facebook.com,inbound,019,Americas,1 -facebookmail.com,postini.com,inbound,019,Americas,0.592681 -facebookmail.com,yahoo.{...},inbound,019,Americas,1 -familychristianmail.com,familychristianmail.com,inbound,019,Americas,0 -famousfootwear.com,famousfootwear.com,inbound,019,Americas,0 -fanfiction.com,fictionpress.com,inbound,019,Americas,1 -farmersonly.com,mailgun.us,inbound,019,Americas,1 -fashion2hub.in,mgenie.in,inbound,019,Americas,0 -fastgb.com,fastgb.com,inbound,019,Americas,0 -fastlistmailer.com,zoothost.com,inbound,019,Americas,0 -fastweb.com,fastweb.com,inbound,019,Americas,0 -fbi.gov,fbi.gov,inbound,019,Americas,0 -fbmta.com,fbmta.com,inbound,019,Americas,0 -fc2.com,fc2.com,inbound,019,Americas,0.000601 -fedoraproject.org,fedoraproject.org,inbound,019,Americas,0 -feedblitz.com,feedblitz.com,inbound,019,Americas,0 -fetlifemail.com,fetlifemail.com,inbound,019,Americas,0 -fibertel.com.ar,fibertel.com.ar,inbound,019,Americas,0.003898 -fidelizador.org,fidelizador.org,inbound,019,Americas,0 -findexpvtinbox.com,findexpvtinbox.com,inbound,019,Americas,0 -finishline.com,finishline.com,inbound,019,Americas,0 -firemountaingems.com,firemountaingems.com,inbound,019,Americas,0 -fisher-price.com,fisher-price.com,inbound,019,Americas,0 -fitbit.com,fitbit.com,inbound,019,Americas,1 -fitnessmagazine.com,meredith.com,inbound,019,Americas,0 -fiverr.com,fiverr.com,inbound,019,Americas,0 -flexmls.com,flexmls.com,inbound,019,Americas,0.999992 -flightaware.com,flightaware.com,inbound,019,Americas,0.020698 -flipkart.com,flipkart.com,inbound,019,Americas,1 -flirt.com,ropot.net,inbound,019,Americas,0 -flirthookup.com,flirthookup.com,inbound,019,Americas,1 -flyceb.com,flyceb.com,inbound,019,Americas,0 -flyfrontier.com,flyfrontier.com,inbound,019,Americas,0 -foolsubs.com,foolcs.com,inbound,019,Americas,0 -foolsubs.com,foolsubs.com,inbound,019,Americas,0 -footaction.com,footlocker.com,inbound,019,Americas,0 -footlocker.com,footlocker.com,inbound,019,Americas,0.000605 -forever21.com,forever21.com,inbound,019,Americas,0 -fortisbusinessmedia.com,fortisbusinessmedia.com,inbound,019,Americas,0 -foursquare.com,foursquare.com,inbound,019,Americas,1 -foxnews.com,foxnews.com,inbound,019,Americas,0.0139 -fragrancenet.com,fragrancenet.com,inbound,019,Americas,0.000427 -francescas.com,bronto.com,inbound,019,Americas,0 -freeadsmailer.com,zoothost.com,inbound,019,Americas,0 -freebeesafelist.com,zoothost.com,inbound,019,Americas,0 -freebizmag.com,delivery.net,inbound,019,Americas,0 -freebsd.org,freebsd.org,inbound,019,Americas,0.999845 -freecycle.org,freecycle.org,inbound,019,Americas,1 -freedesktop.org,freedesktop.org,inbound,019,Americas,0 -freeflys.com,freeflys.com,inbound,019,Americas,0 -freelancer.com,freelancer.com,inbound,019,Americas,0 -freelancer.com,freelancernotify.com,inbound,019,Americas,0 -freelancer.com,getafreelancer.com,inbound,019,Americas,0 -freelists.org,iquest.net,inbound,019,Americas,0 -freelotto.com,plasmanetinc.com,inbound,019,Americas,0 -freepeople.com,freepeople.com,inbound,019,Americas,0 -freesafelistking.com,zoothost.com,inbound,019,Americas,0 -freshdesk.com,freshdesk.com,inbound,019,Americas,1 -freshers2015.com,secureserver.net,inbound,019,Americas,0 -freshlatesave.com,freshlatesave.com,inbound,019,Americas,1 -friskone.com,mailurja.com,inbound,019,Americas,0 -frontsight.com,frontsight.com,inbound,019,Americas,0 -frys.com,frys.com,inbound,019,Americas,0.00388 -frysmail.com,frysmail.com,inbound,019,Americas,0 -fspeletters.com,agorapub.co.uk,inbound,019,Americas,0 -fuelrewards.com,britecast.com,inbound,019,Americas,0 -futureshop.com,futureshop.com,inbound,019,Americas,0 -gaiaonline.com,gaiaonline.com,inbound,019,Americas,0 -gamehouse.com,gamehouse.com,inbound,019,Americas,0 -gbyguess.com,guess.com,inbound,019,Americas,0.001787 -gemoney.com,rsys1.com,inbound,019,Americas,0 -generalmills.com,boxtops4education.com,inbound,019,Americas,0 -generalmills.com,pillsbury.com,inbound,019,Americas,0 -gentoo.org,gentoo.org,inbound,019,Americas,1 -get-me-jobs.com,get-me-jobs.com,inbound,019,Americas,0 -gethired.com,gethired.com,inbound,019,Americas,1 -getitfree.us,getitfree.us,inbound,019,Americas,0 -getpaidsolutions.com,getpaidsolutions.com,inbound,019,Americas,1 -getpocket.com,bronto.com,inbound,019,Americas,0 -ghin.com,ghinconnect.com,inbound,019,Americas,0 -ghup.in,mgenie.in,inbound,019,Americas,0 -gillyhicks-email.com,abercrombie-email.com,inbound,019,Americas,0 -github.com,github.com,inbound,019,Americas,1 -github.com,postini.com,inbound,019,Americas,0.837872 -glassdoor.com,glassdoor.com,inbound,019,Americas,1 -glasses.com,glasses.com,inbound,019,Americas,0 -gliq.com,gliq.com,inbound,019,Americas,0.99852 -globalsafelist.com,globalsafelist.com,inbound,019,Americas,0 -globaltestmarket.com,globaltestmarket.com,inbound,019,Americas,0 -gmail.com,amazonaws.com,inbound,019,Americas,0.994381 -gmail.com,anteldata.net.uy,inbound,019,Americas,0.998653 -gmail.com,bell.ca,inbound,019,Americas,0.992481 -gmail.com,bellsouth.net,inbound,019,Americas,0.9996 -gmail.com,blackberry.com,inbound,019,Americas,0.992207 -gmail.com,brasiltelecom.net.br,inbound,019,Americas,0.99995 -gmail.com,centurytel.net,inbound,019,Americas,0.999415 -gmail.com,cgocable.net,inbound,019,Americas,0.99829 -gmail.com,charter.com,inbound,019,Americas,0.999109 -gmail.com,claro.net.br,inbound,019,Americas,1 -gmail.com,comcast.net,inbound,019,Americas,0.999621 -gmail.com,comcastbusiness.net,inbound,019,Americas,0.985462 -gmail.com,cox.net,inbound,019,Americas,0.962619 -gmail.com,embarqhsd.net,inbound,019,Americas,0.999554 -gmail.com,franchiseindia.com,inbound,019,Americas,1 -gmail.com,frontiernet.net,inbound,019,Americas,0.995233 -gmail.com,gvt.net.br,inbound,019,Americas,0.999513 -gmail.com,lorexddns.net,inbound,019,Americas,0 -gmail.com,majesticmoneymailer.com,inbound,019,Americas,1 -gmail.com,mchsi.com,inbound,019,Americas,0.999951 -gmail.com,movistar.cl,inbound,019,Americas,0.999361 -gmail.com,mycingular.net,inbound,019,Americas,0.999918 -gmail.com,myvzw.com,inbound,019,Americas,0.99992 -gmail.com,naukri.com,inbound,019,Americas,0.000998 -gmail.com,optonline.net,inbound,019,Americas,0.999776 -gmail.com,postini.com,inbound,019,Americas,0.650888 -gmail.com,qwest.net,inbound,019,Americas,0.997574 -gmail.com,rcn.com,inbound,019,Americas,0.999275 -gmail.com,rogers.com,inbound,019,Americas,0.999916 -gmail.com,rr.com,inbound,019,Americas,0.986894 -gmail.com,sbcglobal.net,inbound,019,Americas,0.998817 -gmail.com,shawcable.net,inbound,019,Americas,0.999998 -gmail.com,spcsdns.net,inbound,019,Americas,0.999998 -gmail.com,suddenlink.net,inbound,019,Americas,0.961593 -gmail.com,telecom.net.ar,inbound,019,Americas,0.999664 -gmail.com,telesp.net.br,inbound,019,Americas,0.999743 -gmail.com,telus.com,inbound,019,Americas,1 -gmail.com,telus.net,inbound,019,Americas,0.974663 -gmail.com,tmodns.net,inbound,019,Americas,1 -gmail.com,veloxzone.com.br,inbound,019,Americas,0.999969 -gmail.com,verizon.net,inbound,019,Americas,0.990214 -gmail.com,videotron.ca,inbound,019,Americas,0.967196 -gmail.com,vtr.net,inbound,019,Americas,0.999072 -gmail.com,websitewelcome.com,inbound,019,Americas,1 -gmail.com,wideopenwest.com,inbound,019,Americas,0.999729 -gmail.com,windstream.net,inbound,019,Americas,0.951847 -gmail.com,yahoo.{...},inbound,019,Americas,0.999992 -gmail.com,zoothost.com,inbound,019,Americas,0.033858 -gob.ar,gob.ar,inbound,019,Americas,0.160006 -gob.ec,gob.ec,inbound,019,Americas,0.623867 -godaddy.com,secureserver.net,inbound,019,Americas,0 -gogecapital.com,rsys1.com,inbound,019,Americas,0 -goldenopsafelist.com,zoothost.com,inbound,019,Americas,0 -goldstar.com,goldstar.com,inbound,019,Americas,1 -golfmnb.com,golfmnb.com,inbound,019,Americas,0 -google.com,postini.com,inbound,019,Americas,0.584887 -gopusamedia.com,gopusamedia.com,inbound,019,Americas,0 -govdelivery.com,govdelivery.com,inbound,019,Americas,0 -governmentjobs.com,governmentjobs.com,inbound,019,Americas,0 -gpmailer.com.br,parperfeito.com,inbound,019,Americas,0 -grassrootsaction.com,grassfire.net,inbound,019,Americas,0 -greatergood.com,greatergood.com,inbound,019,Americas,0 -groupon.{...},chtah.net,inbound,019,Americas,0 -groupon.{...},groupon.{...},inbound,019,Americas,1.0 -groupon.{...},postini.com,inbound,019,Americas,0.886672 -grouponmail.{...},grouponmail.{...},inbound,019,Americas,0 -grupos.com.br,grupos.com.br,inbound,019,Americas,0 -guess.ca,guess.com,inbound,019,Americas,0.000807 -guess.com,guess.com,inbound,019,Americas,0.003805 -guessfactory.com,guess.com,inbound,019,Americas,0.00164 -gustazos.com,cityoferta.com,inbound,019,Americas,1 -hallmark.com,hallmark.com,inbound,019,Americas,0 -hannaandersson.com,hannaandersson.com,inbound,019,Americas,0.013533 -harristeetermail.com,harristeetermail.com,inbound,019,Americas,0.99673 -harvard.edu,harvard.edu,inbound,019,Americas,0.274906 -hayneedle.com,hayneedle.com,inbound,019,Americas,0 -helpareporter.net,helpareporter.com,inbound,019,Americas,0 -herculist.com,herculist.com,inbound,019,Americas,0 -hilton.com,hiltonemail.com,inbound,019,Americas,0 -hipchat.com,hipchat.com,inbound,019,Americas,1 -hispavista.com,hispavista.com,inbound,019,Americas,0 -hollister-email.com,abercrombie-email.com,inbound,019,Americas,0 -homeaway.com,haspf.com,inbound,019,Americas,0 -homedecorators.com,homedecorators.com,inbound,019,Americas,0 -homedepot.com,homedepot.com,inbound,019,Americas,1 -hootsuite.com,hootsuite.com,inbound,019,Americas,1 -horchowemail.com,horchowemail.com,inbound,019,Americas,0 -hostelworld.com,bronto.com,inbound,019,Americas,0 -hostgator.com,hostgator.com,inbound,019,Americas,0.98061 -hostgator.com,websitewelcome.com,inbound,019,Americas,1 -hotmail.{...},hotmail.{...},inbound,019,Americas,1 -hotmail.{...},hotmail.{...},outbound,019,Americas,1 -hotmail.{...},postini.com,inbound,019,Americas,0.723143 -hotornot.com,monopost.com,inbound,019,Americas,1 -hotschedules.com,hotschedules.com,inbound,019,Americas,0 -house.gov,house.gov,inbound,019,Americas,0.999966 -houseoffraser.co.uk,houseoffraser.co.uk,inbound,019,Americas,0 -houzz.com,houzz.com,inbound,019,Americas,1 -hubspot.com,hubspot.com,inbound,019,Americas,1 -hungry-girl.com,hungry-girl.com,inbound,019,Americas,0 -iamlgnd2.com,iamlgnd2.com,inbound,019,Americas,1 -ibsys.com,ibsys.com,inbound,019,Americas,9e-05 -icbc.com.ar,clickexperts.net,inbound,019,Americas,0 -icbc.com.ar,standardbank.com.ar,inbound,019,Americas,0 -icims.com,icims.com,inbound,019,Americas,0.999939 -icors.org,lsoft.us,inbound,019,Americas,0 -icpbounce.com,icpbounce.com,inbound,019,Americas,0 -idc.email,nmsrv.com,inbound,019,Americas,1 -idgconnect-resources.com,idgconnect-resources.com,inbound,019,Americas,0 -ieee.org,ieee.org,inbound,019,Americas,0.999912 -ig.com.br,ig.com.br,inbound,019,Americas,0 -ig.com.br,ig.com.br,outbound,019,Americas,0 -igot-mails.com,zoothost.com,inbound,019,Americas,0 -iimjobs.com,iimjobs.com,inbound,019,Americas,1 -ikmultimedianews.com,ikmultimedianews.com,inbound,019,Americas,0.993319 -illinois.edu,illinois.edu,inbound,019,Americas,0.866481 -imageshost.ca,imageshost.ca,inbound,019,Americas,0 -imakenews.net,imakenews.com,inbound,019,Americas,0 -imo.im,imo.im,inbound,019,Americas,1 -imodules.com,imodules.com,inbound,019,Americas,0 -imvu.com,imvu.com,inbound,019,Americas,7e-06 -inboxdollars.com,inboxdollars.com,inbound,019,Americas,0 -inboxfirst.com,inboxfirst.com,inbound,019,Americas,0 -inboxmarketer-mail.com,inboxmarketer-mail.com,inbound,019,Americas,0.999877 -inboxpays.com,inboxpays.com,inbound,019,Americas,0 -inboxpounds.co.uk,inboxpounds.co.uk,inbound,019,Americas,0 -indeed.com,indeed.com,inbound,019,Americas,0.000121 -indeedemail.com,indeedemail.com,inbound,019,Americas,0 -independentlivingbullion.com,independentlivingbullion.com,inbound,019,Americas,0 -infobradesco.com.br,infobradesco.com.br,inbound,019,Americas,0 -infojobs.com.br,anuntis.com,inbound,019,Americas,0 -infomoney.com.br,infomoney.com.br,inbound,019,Americas,1 -informz.net,informz.net,inbound,019,Americas,0 -infradead.org,infradead.org,inbound,019,Americas,1 -inman.com,inman.com,inbound,019,Americas,0 -innovyx.net,innovyx.net,inbound,019,Americas,0 -insidehook.com,sailthru.com,inbound,019,Americas,0 -instagram.com,facebook.com,inbound,019,Americas,1 -instantprofitlist.com,screenshotads.com,inbound,019,Americas,0 -interac.ca,certapay.com,inbound,019,Americas,0 -interactivebrokers.com,interactivebrokers.com,inbound,019,Americas,1 -interactiverealtyservices.com,interactiverealtyservices.com,inbound,019,Americas,0 -intercom.io,mailgun.info,inbound,019,Americas,1 -interealty.net,interealty.net,inbound,019,Americas,1 -interweave.com,interweave.com,inbound,019,Americas,0 -intliv2.net,internationalliving.com,inbound,019,Americas,0 -invalidemail.com,taleo.net,inbound,019,Americas,1 -investopedia.com,vclk.net,inbound,019,Americas,0.999999 -investorplace.com,investorplace.com,inbound,019,Americas,0.995093 -irctcshopping.com,chtah.net,inbound,019,Americas,0 -iridium.com,iridium.com,inbound,019,Americas,0.997882 -isendservice.com.br,isendservice.com.br,inbound,019,Americas,0 -itau-unibanco.com.br,itau.com.br,inbound,019,Americas,0 -ittoolbox.com,ittoolbox.com,inbound,019,Americas,0 -ittoolbox.com,toolbox.com,inbound,019,Americas,0 -itwhitepapers.com,itwhitepapers.com,inbound,019,Americas,0 -iwantoneofthose.com,thehut.com,inbound,019,Americas,0 -ixs1.net,ixs1.net,inbound,019,Americas,0.005131 -jcpenney.com,jcpenney.com,inbound,019,Americas,9e-06 -jeevansathi.com,jeevansathi.com,inbound,019,Americas,0 -jetsetter.com,smartertravelmedia.com,inbound,019,Americas,0.041888 -jibjab.com,storybots.com,inbound,019,Americas,0 -jira.com,uc-inf.net,inbound,019,Americas,1 -jobscentral.com.sg,mailgun.net,inbound,019,Americas,1 -jobson.com,jobsonmail.com,inbound,019,Americas,0 -jobsradar.com,jobsradar.com,inbound,019,Americas,0 -jockeycomfort.com,jockeycomfort.com,inbound,019,Americas,0 -johnstonandmurphy-email.com,johnstonandmurphy-email.com,inbound,019,Americas,0 -jomashop.com,lstrk.net,inbound,019,Americas,1 -josbank.com,josbank.com,inbound,019,Americas,0 -jossandmain.com,jossandmain.com,inbound,019,Americas,0 -jtv.com,jtv.com,inbound,019,Americas,0 -juno.com,untd.com,inbound,019,Americas,0 -juno.com,untd.com,outbound,019,Americas,0 -justdial.com,mailurja.com,inbound,019,Americas,0 -justfab.com,bronto.com,inbound,019,Americas,0 -justfab.fr,bronto.com,inbound,019,Americas,0 -keek.com,keek.com,inbound,019,Americas,1 -kernel.org,kernel.org,inbound,019,Americas,0 -kgstores.com,kgstores.com,inbound,019,Americas,0 -kickstarter.com,kickstarter.com,inbound,019,Americas,1 -kidsfootlocker.com,footlocker.com,inbound,019,Americas,0 -kik.com,kik.com,inbound,019,Americas,1 -kimblegroup.com,kimblegroup.com,inbound,019,Americas,1 -kintera.com,kintera.com,inbound,019,Americas,0 -klaviyomail.com,klaviyomail.com,inbound,019,Americas,1 -klove.com,emfbroadcasting.com,inbound,019,Americas,0 -komando.com,komando.com,inbound,019,Americas,0 -kp.org,kp.org,inbound,019,Americas,0.999975 -krogermail.com,bigfootinteractive.com,inbound,019,Americas,0 -landmarketingmailer.com,zoothost.com,inbound,019,Americas,0 -landofnod.com,landofnod.com,inbound,019,Americas,0.002525 -languagepod101.com,eclient10.com,inbound,019,Americas,0 -languagepod101.com,eddlvr.com,inbound,019,Americas,0 -languagepod101.com,ednwsltr3.com,inbound,019,Americas,0 -languagepod101.com,ednwsltr8.com,inbound,019,Americas,0 -languagepod101.com,emaildirect.net,inbound,019,Americas,0 -lasenza.com,lasenza.com,inbound,019,Americas,0 -lastcallemail.com,lastcallemail.com,inbound,019,Americas,0 -latimes.com,latimes.com,inbound,019,Americas,0 -lauraashley.com,lauraashley.com,inbound,019,Americas,0 -leftlanesports.com,auspient.com,inbound,019,Americas,0.00705 -leftlanesports.com,leftlanesports.com,inbound,019,Americas,0 -legalshieldassociate.com,legalshield.com,inbound,019,Americas,0 -lexico.com,lexico.com,inbound,019,Americas,0 -life360.com,life360.com,inbound,019,Americas,1 -lindenlab.com,lindenlab.com,inbound,019,Americas,0.999444 -linkedin.com,linkedin.com,inbound,019,Americas,0.999873 -linkedin.com,postini.com,inbound,019,Americas,0.713391 -listeneremail.net,listeneremail.net,inbound,019,Americas,0 -listia.com,listia.com,inbound,019,Americas,1 -listnerds.com,listnerds.com,inbound,019,Americas,0 -listreturn.com,zoothost.com,inbound,019,Americas,0 -listserve.com,listserve.com,inbound,019,Americas,0 -listvolta.com,listvolta.com,inbound,019,Americas,0 -listwire.com,listwire.com,inbound,019,Americas,0 -live.{...},hotmail.{...},inbound,019,Americas,1 -live.{...},hotmail.{...},outbound,019,Americas,1 -livefyre.com,andbit.net,inbound,019,Americas,1 -livescribe.com,bronto.com,inbound,019,Americas,0 -livingsocial.com,livingsocial.com,inbound,019,Americas,0 -livrariasaraiva.com.br,livrariasaraiva.com.br,inbound,019,Americas,0 -localhires.com,localhires.com,inbound,019,Americas,1 -logitech.com,dvsops.com,inbound,019,Americas,0 -lojasmarisa.com.br,lojasmarisa.com.br,inbound,019,Americas,0 -lolsolos.com,ultimateadsites.net,inbound,019,Americas,0.999996 -lonelywifehookup.com,iverificationsystems.com,inbound,019,Americas,0 -lordandtaylor.com,lordandtaylor.com,inbound,019,Americas,0 -loveaholics.com,ropot.net,inbound,019,Americas,0 -lovelywholesale.com,lovelywholesale.com,inbound,019,Americas,1 -lrsmail.com,lrsmail.com,inbound,019,Americas,0 -lt02.net,listrak.com,inbound,019,Americas,1 -lt02.net,lstrk.net,inbound,019,Americas,1 -ltdcommodities.com,ltdcomm.net,inbound,019,Americas,0 -luckymag.com,mkt4500.com,inbound,019,Americas,0 -lulu.com,bronto.com,inbound,019,Americas,0 -lulus.com,lstrk.net,inbound,019,Americas,1 -lumosity.com,lumosity.com,inbound,019,Americas,1 -lyst.com,lyst.com,inbound,019,Americas,1 -maccosmetics.com,esteelauder.com,inbound,019,Americas,0 -macupdate.com,mailgun.info,inbound,019,Americas,1 -madmels.info,ultimateadsites.net,inbound,019,Americas,1 -madmimi.com,madmimi.com,inbound,019,Americas,0 -magicjack.com,magicjack.com,inbound,019,Americas,1 -magnetdev.com,magnetmail.net,inbound,019,Americas,0 -mail-route.com,mail-route.com,inbound,019,Americas,0 -mail-thestreet.com,mail-thestreet.com,inbound,019,Americas,0 -mail.mil,mail.mil,inbound,019,Americas,0 -mailaccurate.com,mgenie.in,inbound,019,Americas,0 -mailfacil.com.br,md02.com,inbound,019,Americas,0 -mailfeast.com,mgenie.in,inbound,019,Americas,0 -mailgun.org,mailgun.info,inbound,019,Americas,1 -mailgun.org,mailgun.net,inbound,019,Americas,1 -mailgun.org,mailgun.us,inbound,019,Americas,1 -mailingathome.net,mailingathome.net,inbound,019,Americas,0.999995 -mailjayde.com,mailjayde.com,inbound,019,Americas,0 -mailmachine1050.com,mailmachine1050.com,inbound,019,Americas,0 -mailsend1.com,mailsend6.com,inbound,019,Americas,0 -mailsender.com.br,mailsender.com.br,inbound,019,Americas,0 -manager.com.br,manager.com.br,inbound,019,Americas,0 -mandrillapp.com,mandrillapp.com,inbound,019,Americas,1 -mandrillapp.com,myjobhelperalerts.com,inbound,019,Americas,1 -marcustheatres.com,movio.co,inbound,019,Americas,0 -markandgraham.com,markandgraham.com,inbound,019,Americas,0 -marketer-safelist.com,jsalfianmarketing.com,inbound,019,Americas,1 -marketinghq.net,elabs8.com,inbound,019,Americas,0 -marketingprofs.com,marketingprofs.com,inbound,019,Americas,0.004412 -marlboro.com,marlboro.com,inbound,019,Americas,0 -maropost.com,biotrustnews.com,inbound,019,Americas,0 -maropost.com,mailing-truthaboutabs.com,inbound,019,Americas,0 -maropost.com,maropost.com,inbound,019,Americas,0 -maropost.com,mp2201.com,inbound,019,Americas,0 -masivapp.com,masivapp.com,inbound,019,Americas,1 -massageenvyclinics.com,massageenvyclinics.com,inbound,019,Americas,0 -masterbase.com,masterbase.com,inbound,019,Americas,0 -mastercard-email.com,mastercard-email.com,inbound,019,Americas,0 -mate1.net,mate1.net,inbound,019,Americas,0 -matrixemailer.com,matrixemailer.com,inbound,019,Americas,0 -mbstrm.com,mobilestorm.com,inbound,019,Americas,0 -mcafee.com,mcafee.com,inbound,019,Americas,0.979126 -mcarthurglen.com,mcarthurglen.com,inbound,019,Americas,0 -mcdlv.net,mcdlv.net,inbound,019,Americas,0 -mckinsey.com,bigfootinteractive.com,inbound,019,Americas,0 -mcsv.net,mcsv.net,inbound,019,Americas,0 -mdlinx.com,mdlinx.com,inbound,019,Americas,0 -mec.gov.br,mec.gov.br,inbound,019,Americas,0 -mediabistro.com,iworld.com,inbound,019,Americas,0.006428 -medpagetoday.com,wc09.net,inbound,019,Americas,0 -meetmemail.com,meetmemail.com,inbound,019,Americas,0 -megasenders.com,megasenders.com,inbound,019,Americas,0.07662 -memberdealsusa.com,memberdealsusa.com,inbound,019,Americas,0 -menswearhouse.com,menswearhouse.com,inbound,019,Americas,0 -mercadojobs.com,sendgrid.net,inbound,019,Americas,1 -mercola.com,mercola.com,inbound,019,Americas,0.000369 -messagegears.net,messagegears.net,inbound,019,Americas,0 -met-art.com,hydentra.com,inbound,019,Americas,1 -mgo.com,bronto.com,inbound,019,Americas,0 -michaels.com,chtah.net,inbound,019,Americas,0 -michaels.com,michaels.com,inbound,019,Americas,0 -microcentermedia.com,bfi0.com,inbound,019,Americas,0 -microsoft.com,hotmail.{...},inbound,019,Americas,1 -microsoft.com,msn.com,inbound,019,Americas,1 -midnightsunsafelist.com,zoothost.com,inbound,019,Americas,0 -milfaholic.com,iverificationsystems.com,inbound,019,Americas,0 -miltnews.com,miltnews.com,inbound,019,Americas,0 -mindbodyonline.com,mindbodyonline.com,inbound,019,Americas,1 -mindfieldonline.com,mindfieldonline.com,inbound,019,Americas,0 -mindmoviesmail.com,mindmoviesmail.com,inbound,019,Americas,0.004239 -mindvalleymail3.com,mindvalleymail3.com,inbound,019,Americas,0 -mint.com,mint.com,inbound,019,Americas,0 -minted.com,messagelabs.com,inbound,019,Americas,0.999669 -missselfridge.com,wallis-fashion.com,inbound,019,Americas,0 -mistersafelist.com,zoothost.com,inbound,019,Americas,0 -mit.edu,mit.edu,inbound,019,Americas,0.869568 -mjinn.com,mailurja.com,inbound,019,Americas,0 -mkt015.com,mkt015.com,inbound,019,Americas,0 -mkt022.com,mkt022.com,inbound,019,Americas,0 -mkt063.com,mkt063.com,inbound,019,Americas,0 -mkt1136.com,mkt1136.com,inbound,019,Americas,0 -mkt1985.com,fmlinks.net,inbound,019,Americas,0 -mkt2010.com,mkt2010.com,inbound,019,Americas,0 -mkt2106.com,mkt2106.com,inbound,019,Americas,0 -mkt2170.com,mkt2170.com,inbound,019,Americas,0 -mkt2181.com,mkt2181.com,inbound,019,Americas,0 -mkt2615.com,mkt2615.com,inbound,019,Americas,0 -mkt2813.com,mkt2813.com,inbound,019,Americas,0 -mkt2944.com,mkt2944.com,inbound,019,Americas,0 -mkt3134.com,mkt3134.com,inbound,019,Americas,0 -mkt3142.com,mkt3142.com,inbound,019,Americas,0 -mkt3156.com,mkt3156.com,inbound,019,Americas,0 -mkt3203.com,mkt3203.com,inbound,019,Americas,0 -mkt346.com,mkt346.com,inbound,019,Americas,0 -mkt3544.com,mkt3544.com,inbound,019,Americas,0 -mkt3622.com,mkt3622.com,inbound,019,Americas,0 -mkt3682.com,mkt3682.com,inbound,019,Americas,0 -mkt3690.com,mkt3690.com,inbound,019,Americas,0 -mkt3695.com,mkt3695.com,inbound,019,Americas,0 -mkt3804.com,mkt3804.com,inbound,019,Americas,0 -mkt3815.com,mkt3815.com,inbound,019,Americas,0 -mkt3952.com,xoom.com,inbound,019,Americas,0 -mkt4355.com,mkt4355.com,inbound,019,Americas,0 -mkt4364.com,mkt4364.com,inbound,019,Americas,0 -mkt459.com,mkt459.com,inbound,019,Americas,0 -mkt4701.com,mkt4701.com,inbound,019,Americas,0 -mkt4728.com,mkt4728.com,inbound,019,Americas,0 -mkt4731.com,mkt4731.com,inbound,019,Americas,0 -mkt4738.com,mkt4738.com,inbound,019,Americas,0 -mkt5071.com,mkt5071.com,inbound,019,Americas,0 -mkt5098.com,mkt5098.com,inbound,019,Americas,0 -mkt5131.com,mkt5131.com,inbound,019,Americas,0 -mkt5144.com,mkt5144.com,inbound,019,Americas,0 -mkt5144.com,mkt5980.com,inbound,019,Americas,0 -mkt5144.com,mkt5981.com,inbound,019,Americas,0 -mkt5181.com,mkt5181.com,inbound,019,Americas,0 -mkt5269.com,mkt5269.com,inbound,019,Americas,0 -mkt529.com,mkt529.com,inbound,019,Americas,0 -mkt5297.com,mkt5297.com,inbound,019,Americas,0 -mkt5297.com,mkt5309.com,inbound,019,Americas,0 -mkt5371.com,mkt5371.com,inbound,019,Americas,0 -mkt5806.com,mkt5806.com,inbound,019,Americas,0 -mkt5934.com,mkt5934.com,inbound,019,Americas,0 -mkt5937.com,mkt5937.com,inbound,019,Americas,0 -mkt5970.com,mkt5970.com,inbound,019,Americas,0 -mkt6100.com,mkt6098.com,inbound,019,Americas,0 -mkt6276.com,mkt6276.com,inbound,019,Americas,0 -mkt6323.com,mkt6323.com,inbound,019,Americas,0 -mkt746.com,mkt746.com,inbound,019,Americas,0 -mkt824.com,mkt869.com,inbound,019,Americas,0 -mktdillards.com,mktdillards.com,inbound,019,Americas,0 -mo1send.com,mo1send.com,inbound,019,Americas,0 -mobly.com.br,mobly.com.br,inbound,019,Americas,0 -modellsemail.com,n-email.net,inbound,019,Americas,0 -moneymorning.com,moneymappress.com,inbound,019,Americas,0 -monster.com,monster.com,inbound,019,Americas,0 -monster.com,tmpw.net,inbound,019,Americas,0.000503 -moon-ray.com,moon-ray.com,inbound,019,Americas,0 -mooresclothing.com,mooresclothing.com,inbound,019,Americas,0 -moveon.org,moveon.org,inbound,019,Americas,0.996147 -mrmlsmatrix.com,mrmlsmatrix.com,inbound,019,Americas,0 -ms.com,ms.com,inbound,019,Americas,1 -msn.com,hotmail.{...},inbound,019,Americas,1 -msn.com,hotmail.{...},outbound,019,Americas,1 -mta.info,ealert.com,inbound,019,Americas,0 -mtasv.net,mtasv.net,inbound,019,Americas,0.999999 -musicnotes-alerts.com,mybuys.com,inbound,019,Americas,0 -mustanglist.com,mustanglist.com,inbound,019,Americas,0 -mycheapoair.com,mycheapoair.com,inbound,019,Americas,0.957931 -mydailymoment.biz,mydailymoment.biz,inbound,019,Americas,0 -mydailymoment.info,mydailymoment.info,inbound,019,Americas,0 -mydailymoment.net,mydailymoment.net,inbound,019,Americas,0 -mydailymoment.us,mydailymoment.us,inbound,019,Americas,0 -myfedloan.org,aessuccess.org,inbound,019,Americas,0.328917 -myfxbook.com,myfxbook.com,inbound,019,Americas,0 -mygreatlakes.org,glhec.org,inbound,019,Americas,0.000247 -myhealthwealthandhappiness.com,myhealthwealthandhappiness.com,inbound,019,Americas,0 -mymeijer.com,mymeijer.com,inbound,019,Americas,0 -myngp.com,ngpweb.com,inbound,019,Americas,0 -myperfectsale.com,myperfectsale.com,inbound,019,Americas,1 -myprotein.com,thehut.com,inbound,019,Americas,0 -mysafelistmailer.com,mysafelistmailer.com,inbound,019,Americas,0.00033 -mysmartprice.com,itzwow.com,inbound,019,Americas,1 -myzamanamail.com,myzamanamail.com,inbound,019,Americas,0 -n-email.net,n-email.net,inbound,019,Americas,0 -n-email1.net,n-email1.net,inbound,019,Americas,0 -n-email4.net,n-email4.net,inbound,019,Americas,0 -nanomail.com.br,araie.com.br,inbound,019,Americas,1 -napitipp.hu,napitipp.hu,inbound,019,Americas,0 -nasa.gov,nasa.gov,inbound,019,Americas,0.101289 -nastygal.com,bronto.com,inbound,019,Americas,0 -nationbuilder.com,nationbuilder.com,inbound,019,Americas,1 -nature.com,nature.com,inbound,019,Americas,0 -naukri.com,naukri.com,inbound,019,Americas,0.000533 -nauta.cu,etecsa.net,inbound,019,Americas,0 -nba.com,nba.com,inbound,019,Americas,0.005829 -nbaa.org,nbaa.org,inbound,019,Americas,0 -ncl.com,ncl.com,inbound,019,Americas,0 -neimanmarcusemail.com,neimanmarcusemail.com,inbound,019,Americas,0 -net-a-porter.com,net-a-porter.com,inbound,019,Americas,0 -net-empregos.com,net-empregos.com,inbound,019,Americas,0 -netcommunity1.com,blackbaud.com,inbound,019,Americas,0 -netflix.com,netflix.com,inbound,019,Americas,1 -netopia.pt,netopia.pt,inbound,019,Americas,0 -netprosoftmail.com,netprosoftmail.com,inbound,019,Americas,0 -netsuite.com,netsuite.com,inbound,019,Americas,0.60682 -networkworld.com,networkworld.com,inbound,019,Americas,0 -newgrounds.com,newgrounds.com,inbound,019,Americas,0 -newrelic.com,sendlabs.com,inbound,019,Americas,0 -newspaperdirect.com,newspaperdirect.com,inbound,019,Americas,0.000177 -newyorktimesinfo.com,newyorktimesinfo.com,inbound,019,Americas,0 -nexcess.net,nexcess.net,inbound,019,Americas,0.039513 -nextdoor.com,mailgun.info,inbound,019,Americas,1 -nfl.com,bfi0.com,inbound,019,Americas,0 -nih.gov,nih.gov,inbound,019,Americas,8.8e-05 -ninewestmail.com,ninewestmail.com,inbound,019,Americas,0 -ning.com,ning.com,inbound,019,Americas,0 -nixle.com,nixle.com,inbound,019,Americas,0 -nl00.net,netline.com,inbound,019,Americas,5e-06 -nl00.net,nl00.net,inbound,019,Americas,0 -nongnu.org,gnu.org,inbound,019,Americas,1 -nordstrom.com,taleo.net,inbound,019,Americas,1 -nortonfromsymantec.com,rsys1.com,inbound,019,Americas,0 -novidadeslojasrenner.com.br,novidadeslojasrenner.com.br,inbound,019,Americas,0 -numbersusa.com,numbersusa.com,inbound,019,Americas,0 -nyandcompany.com,nyandcompany.com,inbound,019,Americas,0 -ocadomail.com,ocadomail.com,inbound,019,Americas,0 -ofertasbmc.com.br,ofertasbmc.com.br,inbound,019,Americas,0 -ofertasefacil.com.br,ofertasefacil.com.br,inbound,019,Americas,0 -ofertop.pe,icommarketing.com,inbound,019,Americas,0 -officedepot.com,officedepot.com,inbound,019,Americas,2.6e-05 -olympiaedge.net,olympiaedge.net,inbound,019,Americas,0 -oneindia.in,infimail.com,inbound,019,Americas,0 -oneindia.in,mailurja.com,inbound,019,Americas,0 -onepatriotplace.com,britecast.com,inbound,019,Americas,0 -onestopplus.com,neolane.net,inbound,019,Americas,0 -onetravelspecials.com,onetravelspecials.com,inbound,019,Americas,0.365386 -online.com,cnet.com,inbound,019,Americas,0 -onthecitymail.org,onthecitymail.org,inbound,019,Americas,1 -oo155.com,bsftransmit7.com,inbound,019,Americas,0 -oo155.com,oo155.com,inbound,019,Americas,0 -openstack.org,openstack.org,inbound,019,Americas,0.997933 -openstackmail.com,infimail.com,inbound,019,Americas,0 -opentable.com,opentable.com,inbound,019,Americas,2e-06 -opinionoutpost.com,opinionoutpost.com,inbound,019,Americas,0 -opinionsquare.com,opinionsquare.com,inbound,019,Americas,0 -oprah.com,oprah.com,inbound,019,Americas,0 -opticsplanet.com,opticsplanet.com,inbound,019,Americas,0 -optonline.net,cv.net,inbound,019,Americas,0 -optonline.net,optonline.net,outbound,019,Americas,0 -oriental-trading.com,oriental-trading.com,inbound,019,Americas,0 -outlook.com,hotmail.{...},inbound,019,Americas,1 -outlook.com,hotmail.{...},outbound,019,Americas,1 -overnightprints.com,chtah.net,inbound,019,Americas,0 -ovuline.com,ovuline.com,inbound,019,Americas,1 -pagoda.com,zales.com,inbound,019,Americas,0 -pagseguro.com.br,uol.com.br,inbound,019,Americas,0 -pair.com,pair.com,inbound,019,Americas,0.893803 -palmscasinoresort.com,palmscasinoresort.com,inbound,019,Americas,0 -pampers.com,bfi0.com,inbound,019,Americas,0 -pandaresearch.com,pandaresearch.com,inbound,019,Americas,0 -pandora.com,pandora.com,inbound,019,Americas,1 -pandora.net,pandora.net,inbound,019,Americas,1 -parents.com,meredith.com,inbound,019,Americas,0 -parkmobileglobal.com,parkmobile.us,inbound,019,Americas,0 -path.com,path.com,inbound,019,Americas,1 -patriotupdate.com,inboxfirst.com,inbound,019,Americas,0 -payback.in,chtah.net,inbound,019,Americas,0 -paytm.com,paytm.com,inbound,019,Americas,1 -pbteen.com,pbteen.com,inbound,019,Americas,0 -pch.com,ed10.com,inbound,019,Americas,0 -pchfrontpage.com,ed10.com,inbound,019,Americas,0 -pchlotto.com,ed10.com,inbound,019,Americas,0 -pchplayandwin.com,ed10.com,inbound,019,Americas,0 -pchsearch.com,ed10.com,inbound,019,Americas,0 -pcmag.com,ittoolbox.com,inbound,019,Americas,0 -pcworld.com,pcworld.com,inbound,019,Americas,0 -pd25.com,pd25.com,inbound,019,Americas,1 -pearlsofwealth.com,pearlsofwealth.com,inbound,019,Americas,1 -peartreegreetings.com,rexcraft.com,inbound,019,Americas,0 -peixeurbano.com.br,peixeurbano.com.br,inbound,019,Americas,0 -pepboys.com,pepboys.com,inbound,019,Americas,0 -pepperfry.com,epidm.net,inbound,019,Americas,0 -perfectpriceindia.com,infimail.com,inbound,019,Americas,0 -perfora.net,perfora.net,inbound,019,Americas,1 -permissionresearch.com,permissionresearch.com,inbound,019,Americas,0 -personalliberty.com,personalliberty.com,inbound,019,Americas,1 -pga.com,pga.com,inbound,019,Americas,0 -pgeveryday.com,bfi0.com,inbound,019,Americas,0 -phoenix.edu,phoenix.edu,inbound,019,Americas,0 -phsmtpbox.com,phsmtpbox.com,inbound,019,Americas,0 -pinterest.com,pinterest.com,inbound,019,Americas,1 -pivotaltracker.com,pivotaltracker.com,inbound,019,Americas,1 -pixable.com,pixable.com,inbound,019,Americas,1 -pizzahut.com,quikorder.com,inbound,019,Americas,0 -plexapp.com,plex.tv,inbound,019,Americas,1 -pmailus.com,patrontechnology.com,inbound,019,Americas,0 -pnc.com,messagelabs.com,inbound,019,Americas,0.997194 -pobox.com,pobox.com,inbound,019,Americas,0.975372 -pof.com,plentyoffish.co.uk,inbound,019,Americas,0 -pogo.com,pogo.com,inbound,019,Americas,0 -polyvore.com,polyvore.com,inbound,019,Americas,1 -postcardfromhell.com,cyberthugs.com,inbound,019,Americas,1 -potterybarn.com,potterybarn.com,inbound,019,Americas,0 -potterybarnkids.com,potterybarnkids.com,inbound,019,Americas,0 -preferredpetclub.com,preferredpetclub.com,inbound,019,Americas,0 -presslaff.net,dat-e-baseonline.com,inbound,019,Americas,0 -pressmartmail.com,pressmartmail.com,inbound,019,Americas,0 -priorityoneemail.com,priorityoneemail.com,inbound,019,Americas,0 -private-elist.com,private-elist.com,inbound,019,Americas,0 -progressive.com,progressive.com,inbound,019,Americas,0.999893 -promedmail.org,childrenshospital.org,inbound,019,Americas,1 -propertysolutions.com,propertysolutions.com,inbound,019,Americas,1 -prospectgeysercoop.com,prospectgeysercoop.com,inbound,019,Americas,1 -providesupport.com,providesupport.com,inbound,019,Americas,0.000103 -proxyvote.com,adp-ics.com,inbound,019,Americas,0.908635 -psu.edu,psu.edu,inbound,019,Americas,0.073843 -puffinmailer.com,zoothost.com,inbound,019,Americas,0 -purewow.com,purewow.com,inbound,019,Americas,0 -purlsmail.com,purlsmail.com,inbound,019,Americas,0 -pxsmail.com,pxsmail.com,inbound,019,Americas,0 -q.com,synacor.com,inbound,019,Americas,0.999734 -qemailserver.com,qemailserver.com,inbound,019,Americas,0 -qtropnews.com,qtropnews.com,inbound,019,Americas,1.7e-05 -qualicorp.com.br,qualicorp.com.br,inbound,019,Americas,1 -qualitysafelist.com,zoothost.com,inbound,019,Americas,0 -queopinas.com,confirmit.com,inbound,019,Americas,1 -quickrewards.net,quickrewards.net,inbound,019,Americas,0 -quikr.com,quikr.com,inbound,019,Americas,0 -quora.com,quora.com,inbound,019,Americas,1 -qvcemail.com,qvcemail.com,inbound,019,Americas,0 -radarsystems.net,radarsystems.net,inbound,019,Americas,1 -radiantretailapps.com,radiantretailapps.com,inbound,019,Americas,0 -radioshack.com,radioshack.com,inbound,019,Americas,0 -rapattoni.com,rapmls.com,inbound,019,Americas,0 -razerzone.com,chtah.net,inbound,019,Americas,0 -rbc.com,rbc.com,inbound,019,Americas,0.003061 -rdio.com,rdio.com,inbound,019,Americas,1 -realtor.org,realtor.org,inbound,019,Americas,0 -realtytrac.com,realtytrac.com,inbound,019,Americas,0.001681 -recipe.com,meredith.com,inbound,019,Americas,0 -recruit.net,recruit.net,inbound,019,Americas,0 -redbox.com,redbox.com,inbound,019,Americas,0 -redfin.com,redfin.com,inbound,019,Americas,0 -redtri.com,redtri.com,inbound,019,Americas,0 -reebokusnews.com,reebokusnews.com,inbound,019,Americas,0 -reebonz.com,ed10.com,inbound,019,Americas,0 -reebonz.com,reebonz.com,inbound,019,Americas,1 -registro.br,registro.br,inbound,019,Americas,0 -rent.com,rent.com,inbound,019,Americas,0.000397 -rentalcars.com,rentalcars.com,inbound,019,Americas,1 -renweb.com,renweb.com,inbound,019,Americas,0 -researchgate.net,researchgate.net,inbound,019,Americas,0 -restorationhardware.com,restorationhardware.com,inbound,019,Americas,0 -retailmenot.com,retailmenot.com,inbound,019,Americas,0 -reverbnation.com,reverbnation.com,inbound,019,Americas,0 -rewardme.in,bfi0.com,inbound,019,Americas,0 -ricardoeletro.com.br,allin.com.br,inbound,019,Americas,0 -rigzonemail.com,rigzonemail.com,inbound,019,Americas,0 -ripleyperu.com.pe,icommarketing.com,inbound,019,Americas,0 -riseup.net,riseup.net,inbound,019,Americas,1 -rivamail.com,mailurja.com,inbound,019,Americas,0 -rnmk.com,rnmk.com,inbound,019,Americas,0 -roamans.com,neolane.net,inbound,019,Americas,0 -rockwellcollins.com,rockwellcollins.com,inbound,019,Americas,1 -rpinow.org,app-info.net,inbound,019,Americas,0 -rr.com,rr.com,inbound,019,Americas,0.03696 -rr.com,rr.com,outbound,019,Americas,0 -rsgsv.net,rsgsv.net,inbound,019,Americas,0 -rsvpsv.net,rsvpsv.net,inbound,019,Americas,0 -rsvpsv.net,send.esp.br,inbound,019,Americas,0 -rsys2.com,amfam.com,inbound,019,Americas,0 -rsys2.com,cheaptickets.com,inbound,019,Americas,0 -rsys2.com,dishnetworkmail.com,inbound,019,Americas,0 -rsys2.com,e-comms.net,inbound,019,Americas,0 -rsys2.com,eharmony.com,inbound,019,Americas,0 -rsys2.com,fathead.com,inbound,019,Americas,0 -rsys2.com,intuit.com,inbound,019,Americas,0 -rsys2.com,kmart.com,inbound,019,Americas,0 -rsys2.com,kohlernews.com,inbound,019,Americas,0 -rsys2.com,lego.com,inbound,019,Americas,0 -rsys2.com,lenovo.com,inbound,019,Americas,0 -rsys2.com,modcloth.com,inbound,019,Americas,0 -rsys2.com,moxieinteractive.com,inbound,019,Americas,0 -rsys2.com,orbitz.com,inbound,019,Americas,0 -rsys2.com,payless.com,inbound,019,Americas,0 -rsys2.com,petsathome.com,inbound,019,Americas,0 -rsys2.com,quizzle.com,inbound,019,Americas,0 -rsys2.com,robeez.com,inbound,019,Americas,0 -rsys2.com,rsys1.com,inbound,019,Americas,0 -rsys2.com,rsys2.com,inbound,019,Americas,0 -rsys2.com,rsys3.com,inbound,019,Americas,0 -rsys2.com,rsys4.com,inbound,019,Americas,0 -rsys2.com,saucony.com,inbound,019,Americas,0 -rsys2.com,sears.com,inbound,019,Americas,0 -rsys2.com,shopbop.com,inbound,019,Americas,0 -rsys2.com,southwest.com,inbound,019,Americas,0 -rsys2.com,speeddatemail.com,inbound,019,Americas,0 -rsys2.com,thecompanystore.com,inbound,019,Americas,0 -rsys2.com,theknot.com,inbound,019,Americas,0 -rsys5.com,alibris.com,inbound,019,Americas,0 -rsys5.com,allstate-email.com,inbound,019,Americas,0 -rsys5.com,beachmint.com,inbound,019,Americas,0 -rsys5.com,belleandclive.com,inbound,019,Americas,0 -rsys5.com,br.dk,inbound,019,Americas,0 -rsys5.com,charlotterusse.com,inbound,019,Americas,0 -rsys5.com,comixology.com,inbound,019,Americas,0 -rsys5.com,cottonon.com,inbound,019,Americas,0 -rsys5.com,ediblearrangements.com,inbound,019,Americas,0 -rsys5.com,emailworldmarket.com,inbound,019,Americas,0 -rsys5.com,farfetch.com,inbound,019,Americas,0 -rsys5.com,frhiemailcommunications.com,inbound,019,Americas,0 -rsys5.com,harryanddavid.com,inbound,019,Americas,0 -rsys5.com,hollandandbarrett.com,inbound,019,Americas,0 -rsys5.com,icing.com,inbound,019,Americas,0 -rsys5.com,indigo.ca,inbound,019,Americas,0 -rsys5.com,jabong.com,inbound,019,Americas,0 -rsys5.com,jcrew.com,inbound,019,Americas,0 -rsys5.com,jjill.com,inbound,019,Americas,0 -rsys5.com,kanui.com.br,inbound,019,Americas,0 -rsys5.com,kirklands.com,inbound,019,Americas,0 -rsys5.com,lanebryant.com,inbound,019,Americas,0 -rsys5.com,lazada.com,inbound,019,Americas,0 -rsys5.com,leapfrog.com,inbound,019,Americas,0 -rsys5.com,llbean.com,inbound,019,Americas,0 -rsys5.com,lojascolombo.com.br,inbound,019,Americas,0 -rsys5.com,madewell.com,inbound,019,Americas,0 -rsys5.com,magazineluiza.com.br,inbound,019,Americas,0 -rsys5.com,missguided.co.uk,inbound,019,Americas,0 -rsys5.com,moma.org,inbound,019,Americas,0 -rsys5.com,nationalgeographic.com,inbound,019,Americas,0 -rsys5.com,neat.com,inbound,019,Americas,0 -rsys5.com,newbalance.com,inbound,019,Americas,0 -rsys5.com,news-voeazul.com.br,inbound,019,Americas,0 -rsys5.com,nordstrom.com,inbound,019,Americas,0 -rsys5.com,normthompson.com,inbound,019,Americas,0 -rsys5.com,novomundo.com.br,inbound,019,Americas,0 -rsys5.com,ourdeal.com.au,inbound,019,Americas,0 -rsys5.com,pier1.com,inbound,019,Americas,0 -rsys5.com,productmadness.com,inbound,019,Americas,0 -rsys5.com,rainbowshops.com,inbound,019,Americas,0 -rsys5.com,rei.com,inbound,019,Americas,0 -rsys5.com,roadrunnersports.com,inbound,019,Americas,0 -rsys5.com,rosettastone.com,inbound,019,Americas,0 -rsys5.com,seamless.com,inbound,019,Americas,0 -rsys5.com,serenaandlily.com,inbound,019,Americas,0 -rsys5.com,smiles.com.br,inbound,019,Americas,0 -rsys5.com,soubarato.com.br,inbound,019,Americas,0 -rsys5.com,strava.com,inbound,019,Americas,0 -rsys5.com,submarino.com.br,inbound,019,Americas,0 -rsys5.com,thewalkingcompany.com,inbound,019,Americas,0 -rsys5.com,tigerdirect.com,inbound,019,Americas,0 -rsys5.com,udemy.com,inbound,019,Americas,0 -rsys5.com,vitaminshoppe.com,inbound,019,Americas,0 -rsys5.com,vpusa.com,inbound,019,Americas,0 -rsys5.com,walmart.com.br,inbound,019,Americas,0 -rsys5.com,worldofwatches.com,inbound,019,Americas,0 -rsys5.com,xfinity.com,inbound,019,Americas,0 -rue21email.com,rue21email.com,inbound,019,Americas,0 -ruum.com,ruum.com,inbound,019,Americas,0 -saavn.com,saavn.com,inbound,019,Americas,1 -safelistextreme.com,quantumsafelist.com,inbound,019,Americas,0 -safelistpro.com,safelistpro.com,inbound,019,Americas,0.00014 -safeway.com,chtah.com,inbound,019,Americas,0 -sailthru.com,sailthru.com,inbound,019,Americas,0 -saks.com,saks.com,inbound,019,Americas,0 -saksoff5th.com,saksoff5th.com,inbound,019,Americas,0 -salememail.net,salememail.net,inbound,019,Americas,0 -salesforce.com,postini.com,inbound,019,Americas,0.816952 -salesforce.com,salesforce.com,inbound,019,Americas,1 -salesforce.com,salesforce.com,outbound,019,Americas,1 -salliemae.com,salliemae.com,inbound,019,Americas,1 -salsalabs.net,salsalabs.net,inbound,019,Americas,0 -samashmusic.com,wc09.net,inbound,019,Americas,0 -samsclub.com,m0.net,inbound,019,Americas,0 -sans.org,sans.org,inbound,019,Americas,0.497629 -santander.cl,santander.cl,inbound,019,Americas,0.999992 -santander.cl,santandersantiago.cl,inbound,019,Americas,1 -sassieshop.com,sassieshop.com,inbound,019,Americas,0.025887 -savelivefresh.com,livesavemail.com,inbound,019,Americas,1 -savingstar.com,savingstar.com,inbound,019,Americas,1 -sbcglobal.net,yahoo.{...},inbound,019,Americas,1 -sbcglobal.net,yahoodns.net,outbound,019,Americas,1 -sc.com,messagelabs.com,inbound,019,Americas,0.996156 -schwab.com,schwab.com,inbound,019,Americas,0.025055 -seaworld.com,seaworld.com,inbound,019,Americas,0 -securence.com,securence.com,inbound,019,Americas,0.670246 -secureserver.net,secureserver.net,inbound,019,Americas,4.4e-05 -seekingalpha.com,seekingalpha.com,inbound,019,Americas,1 -seekingalpha.com,sendgrid.net,inbound,019,Americas,1 -senate.gov,senate.gov,inbound,019,Americas,0.992994 -sendearnings.com,sendearnings.com,inbound,019,Americas,0 -sendgrid.info,sendgrid.net,inbound,019,Americas,1 -sendgrid.me,sendgrid.net,inbound,019,Americas,1 -sendlane.com,sendlane.com,inbound,019,Americas,0 -serpadres.es,chtah.net,inbound,019,Americas,0 -service-now.com,postini.com,inbound,019,Americas,0.9858 -service-now.com,service-now.com,inbound,019,Americas,0.998562 -sfimg.com,sfimarketing.com,inbound,019,Americas,0 -sfly.com,shutterfly.com,inbound,019,Americas,0 -shaadi.com,shaadi.com,inbound,019,Americas,0.00037 -shadowshopper.com,shadowshopper.com,inbound,019,Americas,5.6e-05 -shaw.ca,shaw.ca,inbound,019,Americas,0 -shaw.ca,shaw.ca,outbound,019,Americas,1 -sheplers.com,sheplers.com,inbound,019,Americas,0 -shiftplanning.com,shiftplanning.com,inbound,019,Americas,0 -shiksha.com,shiksha.com,inbound,019,Americas,0 -shoedazzle.com,shoedazzle.com,inbound,019,Americas,0 -shoes.com,famousfootwear.com,inbound,019,Americas,0 -shopbonton.com,shopbonton.com,inbound,019,Americas,0 -shopcluesemail.com,shopcluesemail.com,inbound,019,Americas,0 -shopcluesmail.com,shopcluesmail.com,inbound,019,Americas,0 -shophq.com,shophq.com,inbound,019,Americas,0 -shopkick.com,shopkick.com,inbound,019,Americas,0 -shopko.com,shopko.com,inbound,019,Americas,0 -shoppersoptimum.ca,thindata.net,inbound,019,Americas,0 -shoptime.com,shoptime.com,inbound,019,Americas,0 -shtyle.fm,shtyle.fm,inbound,019,Americas,0 -sierratradingpost.com,sierratradingpost.com,inbound,019,Americas,0.000885 -sigmabeauty.com,lstrk.net,inbound,019,Americas,1 -sii.cl,sii.cl,inbound,019,Americas,0 -simplyhired.com,simplyhired.com,inbound,019,Americas,0 -siriusxm.com,xmradio.com,inbound,019,Americas,0 -sitecore-mailer.com,sendlabs.com,inbound,019,Americas,0 -sittercity.com,sittercity.com,inbound,019,Americas,0 -sixflags.com,sixflags.com,inbound,019,Americas,0 -skillpages-mailer.com,sendlabs.com,inbound,019,Americas,0 -skillpages-mailer.com,skillpagesmail.com,inbound,019,Americas,0 -sky.com,sky.com,inbound,019,Americas,0 -skype.com,delivery.net,inbound,019,Americas,0 -sld.cu,sld.cu,inbound,019,Americas,1 -slidesharemail.com,newslettergrid.com,inbound,019,Americas,1 -slidesharemail.com,slidesharemail.com,inbound,019,Americas,1 -smartbrief.com,smartbrief.com,inbound,019,Americas,0 -smartdraw.com,smartdraw.com,inbound,019,Americas,0 -smartertravel.com,smartertravelmedia.com,inbound,019,Americas,0.021434 -smartphoneexperts.com,mailgun.net,inbound,019,Americas,1 -snapretail.com,snapretail.com,inbound,019,Americas,1 -socialappsmail.com,socialappsmail.com,inbound,019,Americas,1 -solesociety.com,bronto.com,inbound,019,Americas,0 -solosenders.com,megasenders.com,inbound,019,Americas,8.2e-05 -solosenders.com,traxweb.org,inbound,019,Americas,0 -soma.com,soma.com,inbound,019,Americas,0 -someecards.com,someecards.com,inbound,019,Americas,0 -songkick.com,songkick.com,inbound,019,Americas,1 -sony-latin.com,sony-latin.com,inbound,019,Americas,0.01735 -sonyentertainmentnetwork.com,sonyentertainmentnetwork.com,inbound,019,Americas,0 -sourceforge.net,sourceforge.net,inbound,019,Americas,1 -southwest.com,southwest.com,inbound,019,Americas,0 -sp.gov.br,sp.gov.br,inbound,019,Americas,0.496357 -sparkpeople.com,sparkpeople.com,inbound,019,Americas,0 -spectersoft.com,spectersoft.com,inbound,019,Americas,0 -spencersonline.com,spencersonline.com,inbound,019,Americas,0 -spiritairlines.com,ctd004.net,inbound,019,Americas,0 -spiritairlines.com,ctd005.net,inbound,019,Americas,0 -splitwise.com,splitwise.com,inbound,019,Americas,1 -sportlobster.com,sportlobster.com,inbound,019,Americas,1 -sportsdirect.com,sportsdirect.com,inbound,019,Americas,0 -sportsline.com,cbsig.net,inbound,019,Americas,1 -sportsmansguide.com,sportsmansguide.com,inbound,019,Americas,0.736903 -sprint.com,m0.net,inbound,019,Americas,0 -squareup.com,squareup.com,inbound,019,Americas,0.986452 -stanford.edu,highwire.org,inbound,019,Americas,1 -stanford.edu,stanford.edu,inbound,019,Americas,0.93025 -stansberryresearch.com,stansberryresearch.com,inbound,019,Americas,0.001541 -staples.com,staples.com,inbound,019,Americas,0.006379 -starbucks.com,starbucks.com,inbound,019,Americas,0 -stardockcorporation.com,stardockcorporation.com,inbound,019,Americas,0 -stardockentertainment.info,stardockentertainment.info,inbound,019,Americas,0 -startribune.com,startribune.com,inbound,019,Americas,0.001728 -startwire.com,jobsreport.com,inbound,019,Americas,1 -startwire.com,startwire.com,inbound,019,Americas,1 -state.gov,state.gov,inbound,019,Americas,0 -statefarm.com,statefarm.com,inbound,019,Americas,1 -steinmart.com,steinmart.com,inbound,019,Americas,0 -stevemadden.com,stevemadden.com,inbound,019,Americas,0 -streetauthoritydaily.com,streetauthoritydaily.com,inbound,019,Americas,0 -stumblemail.com,stumblemail.com,inbound,019,Americas,1 -suafaturanet.com.br,suafaturanet.com.br,inbound,019,Americas,0.995846 -subscribermail.com,subscribermail.com,inbound,019,Americas,0 -sungard.com,postini.com,inbound,019,Americas,0.498265 -sunwingvacationinfo.ca,sunwingvacationinfo.ca,inbound,019,Americas,1 -superbalist.com,sailthru.com,inbound,019,Americas,0 -supersafemailer.com,zoothost.com,inbound,019,Americas,0 -supremelist.com,onlinehome-server.com,inbound,019,Americas,1 -surlatable.com,surlatable.com,inbound,019,Americas,0 -surveyjobopportunities.com,surveyjobopportunities.com,inbound,019,Americas,3.7e-05 -surveymonkey.com,surveymonkey.com,inbound,019,Americas,0 -surveysavvy.com,surveysavvy.com,inbound,019,Americas,0 -sylectus.com,sylectus.com,inbound,019,Americas,0.361297 -sympatico.ca,hotmail.{...},outbound,019,Americas,1 -taggedmail.com,taggedmail.com,inbound,019,Americas,0 -tamu.edu,tamu.edu,inbound,019,Americas,0.249876 -tangeroutletsusa.com,bronto.com,inbound,019,Americas,0 -target-safelist.com,safelistpro.com,inbound,019,Americas,0.000215 -targetproblaster.com,targetproblaster.com,inbound,019,Americas,0 -targetx.com,targetx.com,inbound,019,Americas,0 -tarot.com,tarot.com,inbound,019,Americas,0 -tastefullysimpleparty.com,bigfootinteractive.com,inbound,019,Americas,0 -tastingtable.com,tastingtable.com,inbound,019,Americas,0 -taxi4sure.net,infimail.com,inbound,019,Americas,0 -teach12.net,teach12.net,inbound,019,Americas,0 -techtarget.com,techtarget.com,inbound,019,Americas,0.001771 -telus.net,telus.net,inbound,019,Americas,0.006226 -ten24mail.com,ten24mail.com,inbound,019,Americas,0 -terra.com,terra.com,inbound,019,Americas,0.000463 -terra.com.br,terra.com,inbound,019,Americas,0 -terra.com.br,terra.com,outbound,019,Americas,0 -tesco.com,tesco.com,inbound,019,Americas,0 -testfunda.com,testfunda.com,inbound,019,Americas,0 -textnow.me,textnow.me,inbound,019,Americas,0 -tgw.com,tgw.com,inbound,019,Americas,0 -theanimalrescuesite.com,theanimalrescuesite.com,inbound,019,Americas,0 -theatermania.com,wc09.net,inbound,019,Americas,0 -thebay.com,thebay.com,inbound,019,Americas,0 -thegrommet.com,lstrk.net,inbound,019,Americas,1 -thehut.com,thehut.com,inbound,019,Americas,0 -thelimited.com,thelimited.com,inbound,019,Americas,0 -themailbagsafelist.com,thomas-j-brown.com,inbound,019,Americas,0 -theoutnet.com,theoutnet.com,inbound,019,Americas,0 -theskimm.com,theskimm.com,inbound,019,Americas,0 -thesovereigninvestor.com,sovereignsociety.com,inbound,019,Americas,0 -thirtyonegifts.com,thirtyonegifts.com,inbound,019,Americas,0 -thoughtful-mind.com,thoughtful-mind.com,inbound,019,Americas,0 -thumbtack.com,thumbtack.com,inbound,019,Americas,1 -ticketmaster.com,ticketmaster.com,inbound,019,Americas,0.769059 -tmart.com,chtah.net,inbound,019,Americas,0 -tmp.com,tmpw.com,inbound,019,Americas,0 -toluna.com,toluna.com,inbound,019,Americas,0 -tomtommailer.com,tomtommailer.com,inbound,019,Americas,0 -topspin.net,topspin.net,inbound,019,Americas,1 -totaljobsmail.co.uk,totaljobsmail.co.uk,inbound,019,Americas,0 -touchbase2.com,infimail.com,inbound,019,Americas,0 -touchbase2.com,mailurja.com,inbound,019,Americas,0 -touchbasepro.com,touchbasepro.com,inbound,019,Americas,0 -townhallmail.com,townhallmail.com,inbound,019,Americas,0 -townsquaremedia.info,sailthru.com,inbound,019,Americas,0 -toysrus.com,epsl1.com,inbound,019,Americas,0 -trafficboostermailer.com,trafficboostermailer.com,inbound,019,Americas,1 -trafficleads2incomevm.com,zoothost.com,inbound,019,Americas,0 -trafficprolist.com,thomas-j-brown.com,inbound,019,Americas,0 -trialsmith.com,membercentral.com,inbound,019,Americas,0 -tricaemidia.com.br,tricaemidia.com.br,inbound,019,Americas,0 -tripit.com,tripit.com,inbound,019,Americas,0 -tuesdaymorningmail.com,tuesdaymorningmail.com,inbound,019,Americas,0 -tumblr.com,tumblr.com,inbound,019,Americas,1 -twitch.tv,justin.tv,inbound,019,Americas,0 -uber.com,uber.com,inbound,019,Americas,1 -ubi.com,ubi.com,inbound,019,Americas,0 -ubivox.com,ubivox.com,inbound,019,Americas,0.935106 -ucla.edu,ucla.edu,inbound,019,Americas,0.806204 -uhaul.com,uhaul.com,inbound,019,Americas,0.997947 -uiuc.edu,illinois.edu,inbound,019,Americas,0.999815 -ultimateadsites.net,ultimateadsites.net,inbound,019,Americas,1 -umd.edu,umd.edu,inbound,019,Americas,0.021709 -umn.edu,umn.edu,inbound,019,Americas,0.966964 -umpiredigital.com,inboxmarketer.com,inbound,019,Americas,0 -united.com,coair.com,inbound,019,Americas,1 -united.com,united.com,inbound,019,Americas,0 -universalorlando.com,universalorlando.com,inbound,019,Americas,0 -unrollmail.com,unrollmail.com,inbound,019,Americas,1 -uol.com.br,uol.com.br,inbound,019,Americas,0 -uol.com.br,uol.com.br,outbound,019,Americas,0 -upenn.edu,upenn.edu,inbound,019,Americas,0.16521 -upromise.com,delivery.net,inbound,019,Americas,0 -ups.com,ups.com,inbound,019,Americas,0.997955 -urbanoutfitters.com,freepeople.com,inbound,019,Americas,0 -usaa.com,usaa.com,inbound,019,Americas,0.072606 -usafisnews.org,usafisnews.org,inbound,019,Americas,0 -usajobs.gov,opm.gov,inbound,019,Americas,0.931948 -usc.edu,usc.edu,inbound,019,Americas,0.300314 -uscourts.gov,uscourts.gov,inbound,019,Americas,0 -uslargestsafelist.com,zoothost.com,inbound,019,Americas,0 -usndr.com,unisender.com,inbound,019,Americas,1 -usp.br,usp.br,inbound,019,Americas,0.044595 -usps.com,usps.gov,inbound,019,Americas,0.909591 -usps.gov,usps.gov,inbound,019,Americas,0.940315 -ustream.tv,mailgun.net,inbound,019,Americas,1 -ustream.tv,mailgun.us,inbound,019,Americas,1 -utfsm.cl,utfsm.cl,inbound,019,Americas,0.000352 -vacationstogo.com,vacationstogo.com,inbound,019,Americas,0 -vagas.com.br,vagas.com.br,inbound,019,Americas,0 -valuedopinions.co.uk,researchnow-usa.com,inbound,019,Americas,1 -vanheusenrewards.com,vanheusenrewards.com,inbound,019,Americas,0 -velocityfrequentflyer.com,virginaustralia.com,inbound,019,Americas,0 -vente-exclusive.com,vente-exclusive.com,inbound,019,Americas,0 -venusswimwear.net,venusswimwear.net,inbound,019,Americas,0 -verabradleymail.com,verabradleymail.com,inbound,019,Americas,0 -verizon.net,verizon.net,inbound,019,Americas,0.00713 -verizon.net,verizon.net,outbound,019,Americas,0 -verizonwireless.com,verizonwireless.com,inbound,019,Americas,0.972245 -vhmnetworkemail.com,jobdiagnosis.com,inbound,019,Americas,0 -viagogo.com,chtah.net,inbound,019,Americas,0 -viajanet.com.br,viajanet.com.br,inbound,019,Americas,0 -victoriassecret.com,victoriassecret.com,inbound,019,Americas,0 -videotron.ca,videotron.ca,inbound,019,Americas,0.005886 -vikingrivercruises.com,bfi0.com,inbound,019,Americas,0 -vimeo.com,vimeo.com,inbound,019,Americas,0 -vindale.com,vindale.com,inbound,019,Americas,0 -vipvoice.com,npdor.com,inbound,019,Americas,0 -viraladmagnet.com,viraladmagnet.com,inbound,019,Americas,1 -virginia.edu,virginia.edu,inbound,019,Americas,0.055153 -virtualtarget.com.br,virtualtarget.com.br,inbound,019,Americas,0 -vitacost.com,vitacost.com,inbound,019,Americas,0 -vitaladviews.com,zoothost.com,inbound,019,Americas,0 -vivastreet.com,viwii.net,inbound,019,Americas,0 -votervoice.net,votervoice.net,inbound,019,Americas,0 -vresp.com,verticalresponse.com,inbound,019,Americas,0 -vt.edu,vt.edu,inbound,019,Americas,0.978548 -vtext.com,vtext.com,inbound,019,Americas,0 -vtext.com,vtext.com,outbound,019,Americas,1 -vuezone.com,vuezone.com,inbound,019,Americas,0 -vzwpix.com,vtext.com,inbound,019,Americas,0 -wagjag.com,wagjag.com,inbound,019,Americas,0 -walgreens.com,walgreens.com,inbound,019,Americas,0.006128 -wallst.com,wallst.com,inbound,019,Americas,0 -wallstreetdaily.com,wallstreetdaily.com,inbound,019,Americas,0 -waterstones.com,waterstones.com,inbound,019,Americas,0 -wattpad.com,wattpad.com,inbound,019,Americas,1 -way2movies.net,way2movies.net,inbound,019,Americas,0 -wayfair.com,csnstores.com,inbound,019,Americas,0 -webs.com,epsl1.com,inbound,019,Americas,0 -websaver.ca,websaver.ca,inbound,019,Americas,0 -websitesettings.com,stabletransit.com,inbound,019,Americas,0 -websitewelcome.com,websitewelcome.com,inbound,019,Americas,1 -webstars2k.com,webstars2k.com,inbound,019,Americas,1 -weebly.com,weeblymail.com,inbound,019,Americas,0 -wellsfargo.com,wellsfargo.com,inbound,019,Americas,1.0 -wellsfargoadvisors.com,wellsfargo.com,inbound,019,Americas,1 -westelm.com,westelm.com,inbound,019,Americas,0 -westmarine.com,westmarine.com,inbound,019,Americas,0 -wetransfer.com,wetransfer.com,inbound,019,Americas,1 -wetsealnewsletter.com,wetsealnewsletter.com,inbound,019,Americas,0 -whatcounts.com,wc09.net,inbound,019,Americas,0 -whentowork.com,whentowork.com,inbound,019,Americas,0 -wikia.com,wikia.com,inbound,019,Americas,1 -williams-sonoma.com,williams-sonoma.com,inbound,019,Americas,0 -windstream.net,windstream.net,inbound,019,Americas,0.002172 -wine.com,wine.com,inbound,019,Americas,0 -winkalmail.com,fnbox.com,inbound,019,Americas,0 -wisdomitservices.com,infimail.com,inbound,019,Americas,0 -wldemail-mailer.com,wldemail.com,inbound,019,Americas,0 -womanwithin.com,womanwithin.com,inbound,019,Americas,0 -woodforest.com,woodforest.com,inbound,019,Americas,1 -workingincanada.gc.ca,sdc-dsc.gc.ca,inbound,019,Americas,0 -worldsingles.co,worldsingles.com,inbound,019,Americas,0 -wotif.com,whatcounts.com,inbound,019,Americas,0 -wp.com,wordpress.com,inbound,019,Americas,0 -wuaki.tv,chtah.net,inbound,019,Americas,0 -wustl.edu,app-info.net,inbound,019,Americas,0 -wwe.com,wwe.com,inbound,019,Americas,8e-06 -xen.org,xen.org,inbound,019,Americas,1 -xmeeting.com,xmeeting.com,inbound,019,Americas,1 -xmr3.com,messagereach.com,inbound,019,Americas,0.999933 -xoom.com,xoom.com,inbound,019,Americas,0 -xpnews.com.br,xpnews.com.br,inbound,019,Americas,1 -yahoo.{...},postini.com,inbound,019,Americas,0.664066 -yahoo.{...},yahoo.{...},inbound,019,Americas,0.999 -yahoo.{...},yahoodns.net,outbound,019,Americas,1 -yelp.com,yelpcorp.com,inbound,019,Americas,0 -yipit.com,yipit.com,inbound,019,Americas,1 -ymail.com,yahoo.{...},inbound,019,Americas,1 -ymail.com,yahoodns.net,outbound,019,Americas,1 -yoox.com,yoox.com,inbound,019,Americas,0 -youmail.com,youmail.com,inbound,019,Americas,0 -youreletters3.com,equitymaster.com,inbound,019,Americas,0 -yourezads.com,yourezads.com,inbound,019,Americas,0.002974 -yourezlist.com,simplicityads.com,inbound,019,Americas,9.5e-05 -yourhostingaccount.com,yourhostingaccount.com,inbound,019,Americas,0 -youversion.com,youversion.com,inbound,019,Americas,1 -zacks.com,zacks.com,inbound,019,Americas,0.999687 -zara.com,cheetahmail.com,inbound,019,Americas,0 -zendesk.com,zdsys.com,inbound,019,Americas,1 -zgalleriestyle.com,zgalleriestyle.com,inbound,019,Americas,0 -zibmail.info,zibmail.info,inbound,019,Americas,9e-06 -zinio.com,zinio.com,inbound,019,Americas,0 -zipalerts.com,zipalerts.com,inbound,019,Americas,1 -ziprealty.com,ziprealty.com,inbound,019,Americas,0.994545 -ziprecruiter.com,ziprecruiter.com,inbound,019,Americas,1 -zivamewear.com,infimail.com,inbound,019,Americas,0 -zoothost.com,zoothost.com,inbound,019,Americas,0.107168 -zorpia.com,zorpia.com,inbound,019,Americas,1 -zulily.com,zulily.com,inbound,019,Americas,0 -zzounds.com,zzounds.com,inbound,019,Americas,0 -0101.co.jp,0101.co.jp,inbound,142,Asia,0 -04auto.biz,01auto.biz,inbound,142,Asia,0 -123.com.tw,123.com.tw,inbound,142,Asia,0 -160by2.us,160by2.us,inbound,142,Asia,0 -163.com,163.com,inbound,142,Asia,0.534088 -163.com,netease.com,outbound,142,Asia,1 -17life.com.tw,17life.com.tw,inbound,142,Asia,0 -1lejend.com,asumeru.com,inbound,142,Asia,0 -1lejend.com,asumeru001.com,inbound,142,Asia,0 -33go.com.tw,33go.com.tw,inbound,142,Asia,0 -518.com.tw,518.com.tw,inbound,142,Asia,0 -7net.com.tw,7net.com.tw,inbound,142,Asia,0 -ab0.jp,altovision.co.jp,inbound,142,Asia,0 -activetrail.com,atmailsvr.net,inbound,142,Asia,0 -activetrail.com,mymarketing.co.il,inbound,142,Asia,0 -adchiever.com,kinder-rash-marketing.com,inbound,142,Asia,0 -adityabirla.com,adityabirla.com,inbound,142,Asia,0.00615 -agora.co.il,1host.co.il,inbound,142,Asia,0 -airtel.com,airtel.in,inbound,142,Asia,0.064377 -alertsindia.in,alertsindia.in,inbound,142,Asia,1 -alibaba.com,alibaba.com,inbound,142,Asia,0 -aliexpress.com,alibaba.com,inbound,142,Asia,0 -alipay.com,alipay.com,inbound,142,Asia,1 -alljob.co.il,alljob.co.il,inbound,142,Asia,0 -amazon.{...},amazon.{...},inbound,142,Asia,0 -ana.co.jp,ana.co.jp,inbound,142,Asia,0.534416 -anghami.com,mailgun.net,inbound,142,Asia,1 -apple.com,apple.com,inbound,142,Asia,0.999817 -artscow.com,dyxnet.com,inbound,142,Asia,0.000355 -asus.com,asus.com,inbound,142,Asia,0 -baycrews.co.jp,webcas.net,inbound,142,Asia,0 -beamtele.com,beamtele.com,inbound,142,Asia,0 -beanfun.com,beanfun.com,inbound,142,Asia,1 -belluna.net,belluna.net,inbound,142,Asia,0 -betrend.com,betrend.com,inbound,142,Asia,0 -bharatmatrimony.com,bharatmatrimony.com,inbound,142,Asia,1 -blayn.jp,bserver.jp,inbound,142,Asia,0 -bme.jp,bserver.jp,inbound,142,Asia,0 -bookoffonline.co.jp,bookoffonline.co.jp,inbound,142,Asia,0 -brands4friends.jp,webcas.net,inbound,142,Asia,0 -brandsfever.com,mailgun.net,inbound,142,Asia,1 -buyma.com,buyma.com,inbound,142,Asia,0 -cam2life.com,hinet.net,inbound,142,Asia,0 -camsonline.com,camsonline.com,inbound,142,Asia,0.136261 -careesma.in,careesma.in,inbound,142,Asia,0 -ccavenue.com,avenues.info,inbound,142,Asia,1 -chance.com,data-hotel.net,inbound,142,Asia,0 -chiangcn.com,chiangcn.com,inbound,142,Asia,0 -chinatrust.com.tw,chinatrust.com.tw,inbound,142,Asia,0.001272 -cityheaven.net,cityheaven.net,inbound,142,Asia,0 -clickmailer.jp,clickmailer.jp,inbound,142,Asia,9e-05 -cocacola.co.jp,cocacola.co.jp,inbound,142,Asia,0 -combzmail.jp,combzmail.jp,inbound,142,Asia,0 -communitymatrimony.com,communitymatrimony.com,inbound,142,Asia,1 -conrepmail.com,conrepmail.com,inbound,142,Asia,0 -cookpad.com,cookpad.com,inbound,142,Asia,0 -cpc.gov.in,cpc.gov.in,inbound,142,Asia,0 -crmstyle.com,crmstyle.com,inbound,142,Asia,0 -crocos.jp,crocos.jp,inbound,142,Asia,0 -ctrip.com,ctrip.com,inbound,142,Asia,0.019448 -cuenote.jp,cuenote.jp,inbound,142,Asia,0 -cw.com.tw,cw.com.tw,inbound,142,Asia,0.002535 -cyberlinkmember.com,cyberlinkmember.com,inbound,142,Asia,0 -dena.ne.jp,dena.ne.jp,inbound,142,Asia,0.000249 -dietnavi.com,data-hotel.net,inbound,142,Asia,0 -dip-net.co.jp,dip-net.co.jp,inbound,142,Asia,0 -directresponsemanager.com,wide.ne.jp,inbound,142,Asia,0 -disc.co.jp,disc.co.jp,inbound,142,Asia,0.001051 -dishtv.co.in,dishtv.co.in,inbound,142,Asia,0.047664 -disqus.net,disqus.net,inbound,142,Asia,0 -dks.com.tw,dks.com.tw,inbound,142,Asia,0.018134 -dmm.com,dmm.com,inbound,142,Asia,0 -docomo.ne.jp,docomo.ne.jp,inbound,142,Asia,0 -docomo.ne.jp,docomo.ne.jp,outbound,142,Asia,0 -dreammail.ne.jp,dreammail.jp,inbound,142,Asia,0 -drushim.co.il,drushim.co.il,inbound,142,Asia,0 -dstyleweb.com,dstyleweb.com,inbound,142,Asia,0.001099 -ec21.com,ec21.com,inbound,142,Asia,0.002263 -ecnavi.jp,ecnavi.jp,inbound,142,Asia,0 -en-japan.com,en-japan.com,inbound,142,Asia,0.000204 -eonet.ne.jp,eonet.ne.jp,inbound,142,Asia,0.99955 -epaper.com.tw,epaper.com.tw,inbound,142,Asia,0 -eplus.jp,eplus.jp,inbound,142,Asia,0 -eslitebooks.com,eslitebooks.com,inbound,142,Asia,0 -euromsg.net,euromsg.net,inbound,142,Asia,0 -evaair.com,evaair.com,inbound,142,Asia,0.007363 -ezweb.ne.jp,ezweb.ne.jp,inbound,142,Asia,0.282076 -ezweb.ne.jp,ezweb.ne.jp,outbound,142,Asia,0 -farmersonly.com,mailgun.net,inbound,142,Asia,1 -felissimo.jp,felissimo.jp,inbound,142,Asia,0 -finansbank.com.tr,finansbank.com.tr,inbound,142,Asia,0.927 -fmworld.net,fmworld.net,inbound,142,Asia,0 -fofa.jp,mpme.jp,inbound,142,Asia,0 -freeml.com,gmo-media.jp,inbound,142,Asia,0 -ftchinese.com,ftchinese.com,inbound,142,Asia,0 -fubonshop.com,fubonshop.com,inbound,142,Asia,0 -gamecity.ne.jp,gamecity.ne.jp,inbound,142,Asia,0 -garanti.com.tr,garanti.com.tr,inbound,142,Asia,0.421936 -gilt.jp,gilt.jp,inbound,142,Asia,0 -globalsources.com,globalsources.com,inbound,142,Asia,0.003024 -globetel.com.ph,globetel.com.ph,inbound,142,Asia,1 -gmail.com,asianet.co.th,inbound,142,Asia,0.998511 -gmail.com,au-net.ne.jp,inbound,142,Asia,1 -gmail.com,bbtec.net,inbound,142,Asia,1 -gmail.com,data-hotel.net,inbound,142,Asia,0.000607 -gmail.com,hinet.net,inbound,142,Asia,0.973114 -gmail.com,mtnl.net.in,inbound,142,Asia,0.999527 -gmail.com,netvigator.com,inbound,142,Asia,0.818263 -gmail.com,ocn.ne.jp,inbound,142,Asia,0.99466 -gmail.com,panda-world.ne.jp,inbound,142,Asia,1 -gmail.com,seed.net.tw,inbound,142,Asia,0.992252 -gmail.com,singnet.com.sg,inbound,142,Asia,0.968389 -gmail.com,totbb.net,inbound,142,Asia,0.999876 -gmo.jp,gmo-media.jp,inbound,142,Asia,0 -gmoes.jp,gmoes.jp,inbound,142,Asia,0 -gmt.ne.jp,gmt.ne.jp,inbound,142,Asia,0 -gnavi.co.jp,gnavi.co.jp,inbound,142,Asia,0.002441 -gomaji.com,gomaji.com,inbound,142,Asia,0 -gree.jp,gree.jp,inbound,142,Asia,0 -groupon.{...},groupon.{...},inbound,142,Asia,0 -gunosy.com,gunosy.com,inbound,142,Asia,0.998682 -gurunavi.jp,gurunavi.jp,inbound,142,Asia,0 -hdfcbank.com,powerelay.com,inbound,142,Asia,1 -hdfcbank.net,powerelay.com,inbound,142,Asia,1 -hdfcbank.net,quickvmail.com,inbound,142,Asia,0 -heteml.jp,heteml.jp,inbound,142,Asia,0.950296 -hinet.net,hinet.net,inbound,142,Asia,0.007064 -hinet.net,hinet.net,outbound,142,Asia,0.00565 -home.ne.jp,zaq.ne.jp,inbound,142,Asia,9e-06 -i-part.com.tw,i-part.com.tw,inbound,142,Asia,0.001865 -ibps.in,sify.net,inbound,142,Asia,0 -ibpsorg.org,sify.net,inbound,142,Asia,0 -icicibank.com,icicibank.com,inbound,142,Asia,0.009835 -icicisecurities.com,icicibank.com,inbound,142,Asia,0.000803 -icloud.com,apple.com,inbound,142,Asia,1 -imi.ne.jp,lifemedia.jp,inbound,142,Asia,0 -indiaproperty.com,indiaproperty.com,inbound,142,Asia,0 -intage.co.jp,intage.co.jp,inbound,142,Asia,0.00557 -intuit.com,intuit.com,inbound,142,Asia,0.983698 -isbank.com.tr,isbank.com.tr,inbound,142,Asia,0.009655 -itsmyascent.com,itsmyascent.com,inbound,142,Asia,0 -itunes.com,apple.com,inbound,142,Asia,1 -jcity.com,jcity.com,inbound,142,Asia,0 -jobinthailand.com,jobinthailand.com,inbound,142,Asia,1 -jobmaster.co.il,jobmaster1.co.il,inbound,142,Asia,0 -jobsdbalert.co.id,jobsdbalert.co.id,inbound,142,Asia,0 -jobsdbalert.com,jobsdbalert.com,inbound,142,Asia,0 -jobsdbalert.com.hk,jobsdbalert.com.hk,inbound,142,Asia,0 -jobsdbalert.com.sg,jobsdbalert.com.sg,inbound,142,Asia,0 -jobstreet.com,jobstreet.com,inbound,142,Asia,0 -joshin.co.jp,joshin.co.jp,inbound,142,Asia,8e-06 -kagoya.net,kagoya.net,inbound,142,Asia,0.013052 -karvy.com,karvy.com,inbound,142,Asia,0.045186 -kasikornbank.com,kasikornbank.com,inbound,142,Asia,0 -kotak.com,kotak.com,inbound,142,Asia,0.005566 -krs.bz,tricorn.net,inbound,142,Asia,0 -kvbmail.com,kvbmail.com,inbound,142,Asia,0 -lancers.jp,lancers.jp,inbound,142,Asia,0 -lelong.my,lelong.com.my,inbound,142,Asia,1 -lelong.my,lelong.net.my,inbound,142,Asia,1 -line.me,naver.com,inbound,142,Asia,1 -livedoor.com,livedoor.com,inbound,142,Asia,0 -luxa.jp,luxa.jp,inbound,142,Asia,0 -m3.com,m3.com,inbound,142,Asia,0 -mag2.com,tandem-m.com,inbound,142,Asia,0 -magicbricks.com,tbsl.in,inbound,142,Asia,0 -mail-boss.com,mail-boss.com,inbound,142,Asia,0 -mailgun.org,mailgun.net,inbound,142,Asia,1 -mbga.jp,mbga.jp,inbound,142,Asia,0 -mixi.jp,mixi.jp,inbound,142,Asia,0 -mmagic.jp,mmagic.jp,inbound,142,Asia,0.000531 -mobile01.com,mobile01.com,inbound,142,Asia,0 -monex.co.jp,monex.co.jp,inbound,142,Asia,0.019424 -moneycontrol.com,active18.com,inbound,142,Asia,0 -moneyforward.com,moneyforward.com,inbound,142,Asia,0 -monipla.jp,aainc.co.jp,inbound,142,Asia,0 -monster.co.in,monster.co.in,inbound,142,Asia,0 -morhipo.com,euromsg.net,inbound,142,Asia,0 -mpme.jp,mpme.jp,inbound,142,Asia,0 -mpse.jp,emsaqua.jp,inbound,142,Asia,0 -mpse.jp,emsbeige.jp,inbound,142,Asia,0 -mpse.jp,emsbrown.jp,inbound,142,Asia,0 -mpse.jp,emscyan.jp,inbound,142,Asia,0 -mpse.jp,emsgold.jp,inbound,142,Asia,0 -mpse.jp,emslime.jp,inbound,142,Asia,0 -mpse.jp,emsnavy.jp,inbound,142,Asia,0 -mpse.jp,emspink.jp,inbound,142,Asia,0 -mpse.jp,emssnow.jp,inbound,142,Asia,0 -mpse.jp,mpme.jp,inbound,142,Asia,0 -mpse.jp,yahoo.co.jp,inbound,142,Asia,0 -mynavi.jp,mynavi.jp,inbound,142,Asia,3.5e-05 -naver.com,naver.com,inbound,142,Asia,1 -naver.com,naver.com,outbound,142,Asia,1 -nesinemail.com,euromsg.net,inbound,142,Asia,0 -net-survey.jp,net-survey.jp,inbound,142,Asia,0 -netbk.co.jp,netbk.co.jp,inbound,142,Asia,0.010995 -next-engine.org,next-engine.org,inbound,142,Asia,1 -nextdoor.com,nextdoor.com,inbound,142,Asia,1 -nic.in,relayout.nic.in,inbound,142,Asia,0 -nicovideo.jp,nicovideo.jp,inbound,142,Asia,0 -nifty.com,nifty.com,inbound,142,Asia,0.762068 -nikkei.com,nikkei.co.jp,inbound,142,Asia,0 -nikkeibp.co.jp,nikkeibp.co.jp,inbound,142,Asia,4.9e-05 -nissen.jp,nissen.jp,inbound,142,Asia,0 -ocn.ad.jp,ocn.ad.jp,inbound,142,Asia,0 -ocn.ne.jp,ocn.ad.jp,inbound,142,Asia,0 -p-world.co.jp,p-world.co.jp,inbound,142,Asia,0 -panasonic.jp,panasonic.jp,inbound,142,Asia,0 -pepabo.com,pepabo.com,inbound,142,Asia,0 -pia.jp,pia.jp,inbound,142,Asia,0 -playstation.com,playstation.com,inbound,142,Asia,0 -pointtown.com,gmo-media.jp,inbound,142,Asia,0 -pttplc.com,pttgrp.com,inbound,142,Asia,0 -publicators.com,publicators.com,inbound,142,Asia,0 -qoo10.jp,qoo10.jp,inbound,142,Asia,0 -qq.com,qq.com,inbound,142,Asia,0.999973 -quickbooks.com,intuit.com,inbound,142,Asia,0.99908 -rakuten.co.jp,rakuten.co.jp,inbound,142,Asia,0 -rakuten.co.jp,yahoo.co.jp,inbound,142,Asia,0 -rakuten.ne.jp,rakuten.co.jp,inbound,142,Asia,0 -realus.co.jp,realus.co.jp,inbound,142,Asia,0 -recochoku.jp,recochoku.jp,inbound,142,Asia,0 -rediffmail.com,akadns.net,outbound,142,Asia,0 -rediffmail.com,rediffmail.com,inbound,142,Asia,0 -relianceada.com,relianceada.com,inbound,142,Asia,0.276515 -research-panel.jp,research-panel.jp,inbound,142,Asia,0 -responder.co.il,responder.co.il,inbound,142,Asia,1 -runnet.jp,runnet.jp,inbound,142,Asia,0 -rutenmail.com.tw,rutenmail.com.tw,inbound,142,Asia,0 -sahibinden.com,sahibinden.com,inbound,142,Asia,0 -saisoncard.co.jp,saisoncard.co.jp,inbound,142,Asia,0 -sakura.ne.jp,sakura.ne.jp,inbound,142,Asia,0.673305 -samsung.com,samsung.com,inbound,142,Asia,0.008685 -saramin.co.kr,saramin.co.kr,inbound,142,Asia,0 -sbi.co.in,sbi.co.in,inbound,142,Asia,0 -sbr-inc.co.jp,hdemail.jp,inbound,142,Asia,0 -sc.com,sc.com,inbound,142,Asia,0.99683 -secure.ne.jp,secure.ne.jp,inbound,142,Asia,3.7e-05 -secureserver.net,secureserver.net,inbound,142,Asia,0.000386 -shinseibank.com,shinseibank.com,inbound,142,Asia,0 -shukatsu.jp,shukatsu.jp,inbound,142,Asia,0 -simplymarry.com,tbsl.in,inbound,142,Asia,0 -smartphoneexperts.com,mailgun.net,inbound,142,Asia,1 -smp.ne.jp,smp.ne.jp,inbound,142,Asia,0 -snapdealmail.in,snapdealmail.in,inbound,142,Asia,0 -sofmap.com,sofmap.com,inbound,142,Asia,0.0092 -softbank.jp,softbank.jp,inbound,142,Asia,0 -sony.jp,sony.jp,inbound,142,Asia,0.000654 -sourcenext.info,sourcenext.info,inbound,142,Asia,0 -surfmandelivery.com,surfmandelivery.com,inbound,142,Asia,0 -synergy360.jp,crmstyle.com,inbound,142,Asia,0 -taipeifubon.com.tw,taipeifubon.com.tw,inbound,142,Asia,0 -techgig.com,tbsl.in,inbound,142,Asia,0 -thinkvidya.com,thinkvidya.com,inbound,142,Asia,0 -ticketmonster.co.kr,ticketmonster.co.kr,inbound,142,Asia,0 -timesjobs.com,tbsl.in,inbound,142,Asia,0 -timesjobsmail.com,tbsl.in,inbound,142,Asia,0 -timesofindia.com,indiatimes.com,inbound,142,Asia,0 -tobizaru.jp,tobizaru.jp,inbound,142,Asia,0 -tocoo.jp,aics.ne.jp,inbound,142,Asia,0 -tower.jp,tower.jp,inbound,142,Asia,0 -treemall.com.tw,symphox.com,inbound,142,Asia,0 -tsite.jp,tsite.jp,inbound,142,Asia,0 -tsutaya.co.jp,tsutaya.co.jp,inbound,142,Asia,0 -turkcell.com.tr,turkcell.com.tr,inbound,142,Asia,0.043492 -type.jp,type.jp,inbound,142,Asia,0 -u-shopping.com.tw,u-shopping.com.tw,inbound,142,Asia,0 -udnpaper.com,udnpaper.com,inbound,142,Asia,0.998858 -udnshopping.com,udnshopping.com,inbound,142,Asia,0 -vodafone.com,vodafone.in,inbound,142,Asia,0.617518 -vpass.ne.jp,clickmailer.jp,inbound,142,Asia,0 -vpcontact.com,vpcontact.com,inbound,142,Asia,0 -way2sms.biz,way2sms.biz,inbound,142,Asia,0 -way2sms.in,way2sms.in,inbound,142,Asia,0 -webcas.net,webcas.net,inbound,142,Asia,0 -wechat.com,qq.com,inbound,142,Asia,1 -www.gov.tw,hinet.net,inbound,142,Asia,8e-05 -yahoo.co.jp,yahoo.co.jp,inbound,142,Asia,8e-06 -yahoo.co.jp,yahoo.co.jp,outbound,142,Asia,0 -yahoo.{...},yahoo.co.jp,inbound,142,Asia,0 -yakala.co,euromsg.net,inbound,142,Asia,0 -yesbank.in,yesbank.in,inbound,142,Asia,0.241591 -yodobashi.com,yodobashi.com,inbound,142,Asia,0 -zizigo.com,euromsg.net,inbound,142,Asia,0 -3suisses.be,3suisses.be,inbound,150,Europe,0 -3suisses.fr,3suisses.fr,inbound,150,Europe,0 -aanotifier.nl,aanotifier.nl,inbound,150,Europe,0 -adidas.com,neolane.net,inbound,150,Europe,0 -admail.hu,sanomaonline.hu,inbound,150,Europe,0 -adsender.us,adsender.us,inbound,150,Europe,0 -adverts.ie,adverts.ie,inbound,150,Europe,1 -advfn.com,advfn.com,inbound,150,Europe,0.635382 -agnitas.de,agnitas.de,inbound,150,Europe,0.999265 -airliquide.com,airliquide.com,inbound,150,Europe,1 -alerteimmo.com,alerteimmo.com,inbound,150,Europe,0 -alinea.fr,bp06.net,inbound,150,Europe,0 -allegro.pl,allegro.pl,inbound,150,Europe,0 -allegroup.hu,allegroup.hu,inbound,150,Europe,0 -alza.cz,alza.cz,inbound,150,Europe,0.039449 -alza.sk,alza.cz,inbound,150,Europe,0.027725 -andrewchristian.com,emv8.com,inbound,150,Europe,0 -anpasia.com,anpasia.com,inbound,150,Europe,0 -aprovaconcursos.com.br,eadunicid.com.br,inbound,150,Europe,0 -aruba.it,aruba.it,inbound,150,Europe,0.055666 -ashampoo.com,ashampoo.com,inbound,150,Europe,1 -aswatson.com,emarsys.net,inbound,150,Europe,0 -avira.com,avira.com,inbound,150,Europe,0.042528 -avito.ru,avito.ru,inbound,150,Europe,0.000631 -badoo.com,monopost.com,inbound,150,Europe,1 -balsamik.fr,balsamik.fr,inbound,150,Europe,0 -bancomer.com,postini.com,inbound,150,Europe,1e-05 -bbvacompass.com,postini.com,inbound,150,Europe,0.997006 -be2.com,nmp1.net,inbound,150,Europe,0 -biglion.ru,biglion.ru,inbound,150,Europe,0.999775 -bigmailsender.com,bigmailsender.com,inbound,150,Europe,0 -bioagri.com.br,postini.com,inbound,150,Europe,0.991765 -biomedcentral.com,emv5.com,inbound,150,Europe,0 -blackberry.com,blackberry.com,inbound,150,Europe,0 -blinkboxmusic.com,mediagraft.com,inbound,150,Europe,1 -blogtrottr.com,blogtrottr.com,inbound,150,Europe,0 -blue-compass.com,blue-compass.com,inbound,150,Europe,0 -bmdeda99.com,bmdeda99.com,inbound,150,Europe,0 -bolsfr.fr,colt.net,inbound,150,Europe,0 -bonuszbrigad.hu,bonuszbrigad.hu,inbound,150,Europe,0 -boohooemail.com,smartfocusdigital.net,inbound,150,Europe,0 -booking.com,booking.com,inbound,150,Europe,1 -bouncemanager.it,musvc.com,inbound,150,Europe,0.362026 -br.com,cmailsys.com,inbound,150,Europe,0 -brandalley.com,brandalley.com,inbound,150,Europe,0 -brands4friends.de,emv5.com,inbound,150,Europe,0 -brandsvillage.net,brandsvillage.net,inbound,150,Europe,0 -bt.com,bt.com,inbound,150,Europe,0.409404 -bweeble.com,adlabsinc.com,inbound,150,Europe,0 -cabestan.com,cab07.net,inbound,150,Europe,0 -cadremploi.fr,cadremploi.fr,inbound,150,Europe,0 -cardsys.at,cardsys.at,inbound,150,Europe,1 -carmamail.com,carmamail.com,inbound,150,Europe,0 -casasbahia.com.br,casasbahia.com.br,inbound,150,Europe,0 -catchoftheday.com.au,inxserver.de,inbound,150,Europe,1 -catererglobal.com,madgexjb.com,inbound,150,Europe,0 -caterermail.com,totaljobsmail.co.uk,inbound,150,Europe,0 -cathkidston.com,cathkidston.co.uk,inbound,150,Europe,0 -cccampaigns.com,emv5.com,inbound,150,Europe,0 -cccampaigns.com,emv8.com,inbound,150,Europe,0 -cccampaigns.net,01net.com,inbound,150,Europe,0 -cccampaigns.net,cccampaigns.net,inbound,150,Europe,0 -cccampaigns.net,emv4.net,inbound,150,Europe,0 -ccmbg.com,benchmark.fr,inbound,150,Europe,0 -cdongroup.com,cdongroup.com,inbound,150,Europe,0.000147 -cheapflights.co.uk,cheapflights.co.uk,inbound,150,Europe,0 -cheapflights.com,cheapflights.com,inbound,150,Europe,0 -chelseafc.com,chelseafc.com,inbound,150,Europe,0.003566 -cinesa.es,cccampaigns.com,inbound,150,Europe,0 -cipherzone.com,infimail.com,inbound,150,Europe,0 -citybrands.hu,webinform.hu,inbound,150,Europe,1 -clickon.com.br,clickon.com.br,inbound,150,Europe,0 -clicplan.com,dmdelivery.com,inbound,150,Europe,0 -cobone.com,emarsys.net,inbound,150,Europe,0 -communicatoremail.com,communicatoremail.com,inbound,150,Europe,0 -compute.internal,amazonaws.com,inbound,150,Europe,0.81478 -confirmedoptin.com,confirmedoptin.com,inbound,150,Europe,0 -continente.pt,1-hostingservice.com,inbound,150,Europe,0 -cratusservices.in,ramcorp.in,inbound,150,Europe,0 -cricinfo.com,cricinfo.com,inbound,150,Europe,0 -critsend.com,critsend.com,inbound,150,Europe,0 -crsend.com,crsend.com,inbound,150,Europe,0.008688 -csas.cz,csas.cz,inbound,150,Europe,0.999971 -cupomturbinado.com.br,cupomnaweb.com.br,inbound,150,Europe,1 -cv-library.co.uk,cv-library.co.uk,inbound,150,Europe,0 -cvbankas.lt,efadm.eu,inbound,150,Europe,0 -cwjobsmail.co.uk,totaljobsmail.co.uk,inbound,150,Europe,0 -d-reizen.nl,dmdelivery.com,inbound,150,Europe,0 -dafiti.com.br,fagms.de,inbound,150,Europe,0 -datingfactory.com,caerussolutions.net,inbound,150,Europe,0 -dbgi.co.uk,emc1.co.uk,inbound,150,Europe,0 -deal.com.sg,emarsys.net,inbound,150,Europe,0 -debian.org,debian.org,inbound,150,Europe,1 -deezer.com,dms30.com,inbound,150,Europe,0 -directcrm.ru,directcrm.ru,inbound,150,Europe,0 -disney.co.uk,emv9.com,inbound,150,Europe,0 -dominosemail.co.uk,dominosemail.co.uk,inbound,150,Europe,0 -doodle.com,doodle.com,inbound,150,Europe,1 -dotmailer-email.com,dotmailer.com,inbound,150,Europe,0 -dotmailer.co.uk,dotmailer.com,inbound,150,Europe,0 -dpapp.nl,prikbordmailer.nl,inbound,150,Europe,0 -dpapp.nl,sslsecuref.nl,inbound,150,Europe,0 -dreivip.com,dreivip.com,inbound,150,Europe,0.000301 -dress-for-less.de,privalia.com,inbound,150,Europe,0 -drweb.com,drweb.com,inbound,150,Europe,0.969315 -e-boks.dk,e-boks.dk,inbound,150,Europe,1 -e-ebuyer.com,e-ebuyer.com,inbound,150,Europe,0 -e-mark.nl,e-mark.nl,inbound,150,Europe,0 -e-ngine.nl,e-ngine.nl,inbound,150,Europe,0 -ebay-kleinanzeigen.de,mobile.de,inbound,150,Europe,1 -ecommzone.com,ecommzone.com,inbound,150,Europe,0 -edarling.fr,fagms.de,inbound,150,Europe,0 -edima.hu,edima.hu,inbound,150,Europe,0 -efox-shop.com,dmdelivery.com,inbound,150,Europe,0 -ejobs.ro,ejobs.ro,inbound,150,Europe,8.5e-05 -elaine-asp.de,artegic.net,inbound,150,Europe,0.999997 -elcorteingles.es,elcorteingles.es,inbound,150,Europe,0 -elektronskaposta.si,eprvak.si,inbound,150,Europe,0 -elettershop.de,servicemail24.de,inbound,150,Europe,1 -emag.ro,emag.ro,inbound,150,Europe,0.005013 -email-comparethemarket.com,smartfocusdigital.net,inbound,150,Europe,0 -email360api.com,email360api.com,inbound,150,Europe,0 -emarsys.net,emarsys.net,inbound,150,Europe,0 -embluejet.com,emblueuser.com,inbound,150,Europe,0 -emsecure.net,emsecure.net,inbound,150,Europe,0 -emsmtp.com,emsmtp.com,inbound,150,Europe,0 -enewsletter.pl,enewsletter.pl,inbound,150,Europe,0.007349 -enewsletter.pl,sare25.com,inbound,150,Europe,0 -espmp-agfr.net,bp06.net,inbound,150,Europe,0 -esprit-friends.com,esprit-friends.com,inbound,150,Europe,0 -evanscycles.com,msgfocus.com,inbound,150,Europe,0 -experteer.com,experteer.com,inbound,150,Europe,0 -extra.com.br,emv8.com,inbound,150,Europe,0 -eyepin.com,eyepin.com,inbound,150,Europe,0 -fabfurnish.com,fagms.de,inbound,150,Europe,0 -facilisimo.com,facilisimo.com,inbound,150,Europe,1 -fagms.net,fagms.de,inbound,150,Europe,0 -finn.no,schibsted-it.no,inbound,150,Europe,0.002893 -fixeads.com,fixeads.com,inbound,150,Europe,0 -flirchi.com,flirchi.com,inbound,150,Europe,1.0 -flymonarchemail.com,flymonarchemail.com,inbound,150,Europe,0 -follow-up.se,follow-up.se,inbound,150,Europe,1 -fotocasa.es,fotocasa.es,inbound,150,Europe,0 -fotostrana.ru,fotocdn.net,inbound,150,Europe,3.4e-05 -free-lance.ru,free-lance.ru,inbound,150,Europe,0 -free.fr,free.fr,inbound,150,Europe,0.984012 -free.fr,free.fr,outbound,150,Europe,6.9e-05 -freecycle.org,freecycle.org,inbound,150,Europe,0.999865 -freemail.hu,freemail.hu,outbound,150,Europe,0 -freshmail.pl,freshmail.pl,inbound,150,Europe,0 -gardeningclubmail.co.uk,msgfocus.com,inbound,150,Europe,0 -giffgaff.com,giffgaff.com,inbound,150,Europe,0 -globasemail.com,globasemail.com,inbound,150,Europe,0.951088 -gmail.com,02.net,inbound,150,Europe,0.999617 -gmail.com,as13285.net,inbound,150,Europe,0.999943 -gmail.com,bbox.fr,inbound,150,Europe,0.919849 -gmail.com,belgacom.be,inbound,150,Europe,0.999444 -gmail.com,blackberry.com,inbound,150,Europe,0.998923 -gmail.com,bluewin.ch,inbound,150,Europe,0.93294 -gmail.com,btcentralplus.com,inbound,150,Europe,0.999969 -gmail.com,chello.nl,inbound,150,Europe,0.999951 -gmail.com,fastwebnet.it,inbound,150,Europe,0.984706 -gmail.com,jazztel.es,inbound,150,Europe,0.999701 -gmail.com,net24.it,inbound,150,Europe,0.999964 -gmail.com,netcabo.pt,inbound,150,Europe,0.998164 -gmail.com,numericable.fr,inbound,150,Europe,0.999723 -gmail.com,ono.com,inbound,150,Europe,0.995991 -gmail.com,orange.es,inbound,150,Europe,0.998742 -gmail.com,orange.fr,inbound,150,Europe,0 -gmail.com,otenet.gr,inbound,150,Europe,0.957917 -gmail.com,postini.com,inbound,150,Europe,0.924066 -gmail.com,proxad.net,inbound,150,Europe,0.998094 -gmail.com,rima-tde.net,inbound,150,Europe,0.99915 -gmail.com,sfr.net,inbound,150,Europe,0.999877 -gmail.com,skybroadband.com,inbound,150,Europe,0.999854 -gmail.com,t-ipconnect.de,inbound,150,Europe,0.999841 -gmail.com,tdc.net,inbound,150,Europe,0.999591 -gmail.com,telecomitalia.it,inbound,150,Europe,0.997 -gmail.com,telekom.hu,inbound,150,Europe,0.999977 -gmail.com,telenet.be,inbound,150,Europe,1 -gmail.com,telepac.pt,inbound,150,Europe,0.999584 -gmail.com,telia.com,inbound,150,Europe,1 -gmail.com,threembb.co.uk,inbound,150,Europe,1 -gmail.com,tpnet.pl,inbound,150,Europe,0.999761 -gmail.com,virginm.net,inbound,150,Europe,0.99661 -gmail.com,vodafone-ip.de,inbound,150,Europe,1 -gmail.com,vodafone.pt,inbound,150,Europe,0.999563 -gmail.com,vodafonedsl.it,inbound,150,Europe,0.999006 -gmail.com,wanadoo.fr,inbound,150,Europe,0.999752 -gmail.com,ziggo.nl,inbound,150,Europe,1 -gmx.de,gmx.net,inbound,150,Europe,1 -gmx.de,gmx.net,outbound,150,Europe,1 -gmx.net,gmx.net,inbound,150,Europe,1 -goalunited.org,ccmdcampaigns.net,inbound,150,Europe,0 -gog.com,gog.com,inbound,150,Europe,0 -gogroopie.com,gogroopie.com,inbound,150,Europe,0.000283 -goldenline.pl,goldenline.pl,inbound,150,Europe,1 -goodgame.com,emsmtp.com,inbound,150,Europe,0 -goodlife.pt,emv8.com,inbound,150,Europe,0 -google.com,postini.com,inbound,150,Europe,0.810567 -googlemail.com,t-ipconnect.de,inbound,150,Europe,0.999957 -gumtree.com,marktplaats.nl,inbound,150,Europe,0 -gumtree.com.au,kijiji.com,inbound,150,Europe,0 -gymglish.com,gymglish.com,inbound,150,Europe,0.000788 -haskell.org,haskell.org,inbound,150,Europe,0.000703 -hazteoir.org,hazteoir.org,inbound,150,Europe,0.31478 -hh.ru,hh.ru,inbound,150,Europe,0.996236 -hotel.de,emp-mail.de,inbound,150,Europe,0 -hotornot.com,monopost.com,inbound,150,Europe,0.983953 -hotukdeals.com,hotukdeals.com,inbound,150,Europe,1 -hpnotifier.nl,hpnotifier.nl,inbound,150,Europe,0 -icelandmail.co.uk,emsg-live.co.uk,inbound,150,Europe,0 -idealista.com,idealista.com,inbound,150,Europe,0.001627 -ideascost.com,ramcorp.in,inbound,150,Europe,0 -inboxair.com,inboxair.com,inbound,150,Europe,0 -infoempleo.com,infoempleo.com,inbound,150,Europe,0 -infojobs.it,infojobs.it,inbound,150,Europe,0 -infojobs.net,infojobs.net,inbound,150,Europe,0 -infopraca.pl,careesma.com,inbound,150,Europe,0 -ingdirect.es,ingdirect.es,inbound,150,Europe,1 -inter-chat.com,inter-chat.com,inbound,150,Europe,0 -interdatesa.com,fagms.net,inbound,150,Europe,0 -internations.org,internations.org,inbound,150,Europe,1 -inx1and1.de,1and1.com,inbound,150,Europe,1 -inxserver.com,inxserver.de,inbound,150,Europe,0.952863 -inxserver.de,inxserver.de,inbound,150,Europe,0.980838 -itms.in.ua,itms.in.ua,inbound,150,Europe,0 -jiscmail.ac.uk,lsoft.se,inbound,150,Europe,0 -jobisjob.com,jobisjob.com,inbound,150,Europe,0 -jobrapidoalert.com,jobrapidoalert.com,inbound,150,Europe,0 -jobs2web.com,ondemand.com,inbound,150,Europe,1 -jobserve.com,jobserve.com,inbound,150,Europe,0 -joobmailer.com,joobmailer.com,inbound,150,Europe,0 -jumia.com.ng,fagms.de,inbound,150,Europe,0 -justclick.ru,justclick.ru,inbound,150,Europe,0 -kalunga.com.br,kalunga.com.br,inbound,150,Europe,0 -kiabi.com,dms-02.net,inbound,150,Europe,0 -kijiji.ca,kijiji.com,inbound,150,Europe,0 -kismia.com,kismia.com,inbound,150,Europe,1 -kiwari.com,kiwari.com,inbound,150,Europe,9e-06 -kundenserver.de,kundenserver.de,inbound,150,Europe,1 -laposte.net,laposte.net,inbound,150,Europe,0.271722 -laposte.net,laposte.net,outbound,150,Europe,0 -laredoute.fr,laredoute.fr,inbound,150,Europe,0 -laterooms.com,laterooms.com,inbound,150,Europe,0.014746 -leboncoin.fr,leboncoin.fr,inbound,150,Europe,0 -leparisien.fr,leparisien.fr,inbound,150,Europe,0 -lexpress.fr,bp06.net,inbound,150,Europe,0 -libero.it,libero.it,inbound,150,Europe,0.00024 -libero.it,libero.it,outbound,150,Europe,0 -lifecooler.com,1-hostingservice.com,inbound,150,Europe,0 -listadventure.com,adlabsinc.com,inbound,150,Europe,0 -listjoe.com,adlabsinc.com,inbound,150,Europe,0 -litres.ru,litres.ru,inbound,150,Europe,1 -loccitane.com,neolane.net,inbound,150,Europe,0 -logentries.com,logentries.com,inbound,150,Europe,0 -loveplanet.ru,pochta.ru,inbound,150,Europe,0.640035 -lowcostholidays.co.uk,communicatoremail.com,inbound,150,Europe,0 -lua.org,pepperfish.net,inbound,150,Europe,1 -ludokados.com,ludokado.com,inbound,150,Europe,0 -mail-cdiscount.com,mail-cdiscount.com,inbound,150,Europe,0 -mail-mbank.pl,mail-mbank.pl,inbound,150,Europe,0 -mail.ru,mail.ru,inbound,150,Europe,0.991269 -mail.ru,mail.ru,outbound,150,Europe,0.006918 -mailer-service.de,mailer-service.de,inbound,150,Europe,4.9e-05 -mailersend.com,mailersend.com,inbound,150,Europe,0 -mailing-list.it,mailing-list.it,inbound,150,Europe,0 -mailjet.com,mailjet.com,inbound,150,Europe,0 -mailplus.nl,brightbase.net,inbound,150,Europe,1 -mailpv.net,pvmailer.net,inbound,150,Europe,1 -maisonsdumonde.com,bp06.net,inbound,150,Europe,0 -makro.nl,srv2.de,inbound,150,Europe,0.888692 -mapfre.com,emv5.com,inbound,150,Europe,0 -marktplaats.nl,marktplaats.nl,inbound,150,Europe,0 -matchwereld.nl,matchwereld.nl,inbound,150,Europe,0 -maxpark.com,gidepark.ru,inbound,150,Europe,1 -mdirector.com,mdrctr.com,inbound,150,Europe,0 -mecumauction.com,mecumauction.com,inbound,150,Europe,0 -meetic.com,meetic.com,inbound,150,Europe,0 -mequedouno.com,mequedouno.com,inbound,150,Europe,0 -metrodeal.com,fagms.de,inbound,150,Europe,0 -mightydeals.co.uk,mightydeals.co.uk,inbound,150,Europe,0 -mirtesen.ru,mtml.ru,inbound,150,Europe,0 -mitula.net,mitula.org,inbound,150,Europe,0 -mitula.org,mitula.org,inbound,150,Europe,0 -mixcloudmail.com,mixcloudmail.com,inbound,150,Europe,0.995482 -mlgns.com,mlgns.com,inbound,150,Europe,0 -mlgnserv.com,mlgnserv.com,inbound,150,Europe,0 -mmks.it,mail-maker.it,inbound,150,Europe,0 -mmsecure.nl,donenad.nl,inbound,150,Europe,0 -modnakasta.ua,emv5.com,inbound,150,Europe,0 -mooply.co,mailendo.com,inbound,150,Europe,0 -moviestarplanet.com,moviestarplanet.com,inbound,150,Europe,0 -mrc.org,msgfocus.com,inbound,150,Europe,0 -msdp1.com,msdp1.com,inbound,150,Europe,0 -msgfocus.com,msgfocus.com,inbound,150,Europe,0.011658 -mymms.com,fagms.de,inbound,150,Europe,0 -namorico.me,namorico.me,inbound,150,Europe,1 -nasza-klasa.pl,nasza-klasa.pl,inbound,150,Europe,0 -nationalexpress.com,nationalexpress.com,inbound,150,Europe,0 -neolane.net,neolane.net,inbound,150,Europe,0 -netopia.pt,netopia.pt,inbound,150,Europe,0.028429 -nhs.jobs,nhscareersjobs.co.uk,inbound,150,Europe,0 -nieuwsblad.be,vummail.be,inbound,150,Europe,0 -nmp1.com,nmp1.net,inbound,150,Europe,0 -nos.pt,netcabo.pt,inbound,150,Europe,6.3e-05 -noticiasaominuto.com,ccmdcampaigns.net,inbound,150,Europe,0 -noticiasaominuto.com,noticiasaominuto.com,inbound,150,Europe,0 -nrholding.net,nrholding.net,inbound,150,Europe,0 -odisseias.com,emv4.net,inbound,150,Europe,0 -odnoklassniki.ru,odnoklassniki.ru,inbound,150,Europe,0 -offerum.com,cccampaigns.com,inbound,150,Europe,0 -offerum.com,ccemails.com,inbound,150,Europe,0 -olx.pt,fixeads.com,inbound,150,Europe,0 -orange.fr,orange.fr,inbound,150,Europe,0 -orange.fr,orange.fr,outbound,150,Europe,0 -oroscopofree.com,adsender.us,inbound,150,Europe,0 -oroscopofree.com,oroscopofree.com,inbound,150,Europe,0 -orsay.com,emp-mail.de,inbound,150,Europe,0 -ovh.net,ovh.net,inbound,150,Europe,0.165188 -oxfam.org.uk,msgfocus.com,inbound,150,Europe,0 -payback.de,artegic.net,inbound,150,Europe,0.999986 -pccomponentes.com,pccomponentes.com,inbound,150,Europe,0 -peixeurbano.com.br,peixeurbano.com.br,inbound,150,Europe,0 -peperoni.de,peperoni.de,inbound,150,Europe,1 -peytz.dk,peytz.dk,inbound,150,Europe,4e-06 -photobox.com,photobox.com,inbound,150,Europe,0 -photoprintit.com,photoprintit.com,inbound,150,Europe,0 -pixum.com,pixum.com,inbound,150,Europe,0 -placedestendances.com,placedestendances.com,inbound,150,Europe,0 -plaisio.gr,fagms.de,inbound,150,Europe,0 -planeo.com,planeo.com,inbound,150,Europe,0 -planeo.pt,planeo.pt,inbound,150,Europe,0 -playtika.com,emv8.com,inbound,150,Europe,0 -poinx.com,poinx.com,inbound,150,Europe,0 -pokerstars.com,pokerstars.eu,inbound,150,Europe,0 -pokerstars.eu,pokerstars.eu,inbound,150,Europe,0 -pontofrio.com.br,emv8.com,inbound,150,Europe,0 -postgresql.org,postgresql.org,inbound,150,Europe,1 -praca.pl,praca.pl,inbound,150,Europe,1 -pracuj.pl,pracuj.pl,inbound,150,Europe,0 -printvenue.com,fagms.de,inbound,150,Europe,0 -privalia.com,privalia.com,inbound,150,Europe,3.94913202027326e-07 -promod-news.fr,promod-news.com,inbound,150,Europe,0 -protopmail.com,protopmail.com,inbound,150,Europe,0 -pur3.net,pur3.net,inbound,150,Europe,0.001123 -python.org,python.org,inbound,150,Europe,1 -quality.net.ua,quality.net.ua,inbound,150,Europe,0 -r-project.org,ethz.ch,inbound,150,Europe,0.99999 -r51.it,musvc.com,inbound,150,Europe,0.092498 -r52.it,musvc.com,inbound,150,Europe,0.000221 -r57.it,musvc.com,inbound,150,Europe,0.139425 -r67.it,musvc.com,inbound,150,Europe,0.199845 -r70.it,musvc.com,inbound,150,Europe,0.311983 -rakuten.co.jp,shareee.jp,inbound,150,Europe,0 -rambler.ru,rambler.ru,inbound,150,Europe,0.08173 -ratedpeople.com,ratedpeople.com,inbound,150,Europe,0.000979 -rax.ru,rax.ru,inbound,150,Europe,0.000258 -regie11.net,odiso.net,inbound,150,Europe,0 -relax7.hu,gruppi.hu,inbound,150,Europe,0 -richersoundsvip.com,ibwmail.com,inbound,150,Europe,0 -rightmove.com,rightmove.com,inbound,150,Europe,0 -roulartamail.be,roulartamail.be,inbound,150,Europe,0 -rueducommerce.com,groupe-rueducommerce.fr,inbound,150,Europe,0 -runtastic.com,runtastic.com,inbound,150,Europe,0 -ryanairmail.com,ryanairmail.com,inbound,150,Europe,0 -rzone.de,rzone.de,inbound,150,Europe,1 -saimails.in,infimail.com,inbound,150,Europe,0 -sainsburys.co.uk,emv5.com,inbound,150,Europe,0 -salesmanago.pl,salesmanago.pl,inbound,150,Europe,0 -samsung.ru,samsung.ru,inbound,150,Europe,0 -sapnetworkmail.com,sap-ag.de,inbound,150,Europe,1 -sapo.pt,sapo.pt,inbound,150,Europe,0.242839 -sapo.pt,sapo.pt,outbound,150,Europe,0 -savingdeals.in,infimail.com,inbound,150,Europe,0 -scmp.com,emarsys.net,inbound,150,Europe,0 -scoop.it,scoop.it,inbound,150,Europe,0 -scoopon.com.au,inxserver.de,inbound,150,Europe,1 -screwfix.info,fwdto.net,inbound,150,Europe,0 -secureserver.net,secureserver.net,inbound,150,Europe,0 -selection-priceminister.com,selection-priceminister.com,inbound,150,Europe,0 -sender.lt,sritis.lt,inbound,150,Europe,0.000339 -sendsmaily.info,sendsmaily.info,inbound,150,Europe,0 -seniorplanet.fr,seniorplanet.fr,inbound,150,Europe,0 -seznam.cz,seznam.cz,inbound,150,Europe,0.001781 -seznam.cz,seznam.cz,outbound,150,Europe,0.001741 -sfr.fr,sfr.fr,inbound,150,Europe,0.236539 -sfr.fr,sfr.fr,outbound,150,Europe,0.004753 -shopto.net,shopto.net,inbound,150,Europe,1 -skype.com,skype.com,inbound,150,Europe,0 -solveerrors.com,infimail.com,inbound,150,Europe,0 -spareroom.co.uk,spareroom.co.uk,inbound,150,Europe,1 -sqlservercentral.com,sqlservercentral.com,inbound,150,Europe,0 -staples-pt.com,1-hostingservice.com,inbound,150,Europe,0 -stepstone.de,stepstone.com,inbound,150,Europe,0.001689 -studentbeans.com,emv8.com,inbound,150,Europe,0 -subito.it,subito.it,inbound,150,Europe,0 -subscribe.ru,subscribe.ru,inbound,150,Europe,0 -superdrug.com,superdrug.com,inbound,150,Europe,0 -superjob.ru,superjob.ru,inbound,150,Europe,0 -support-love.com,support-love.com,inbound,150,Europe,0 -sut1.co.uk,sut1.co.uk,inbound,150,Europe,0.001789 -sut5.co.uk,sut5.co.uk,inbound,150,Europe,0 -swanson-vitamins.com,emv5.com,inbound,150,Europe,0 -t-online.de,t-online.de,inbound,150,Europe,1 -t-online.de,t-online.de,outbound,150,Europe,0.999939 -tatrabanka.sk,tatrabanka.sk,inbound,150,Europe,0 -tchibo.de,srv2.de,inbound,150,Europe,0.980447 -teamo.ru,teamo.ru,inbound,150,Europe,0 -teamviewer.com,teamviewer.com,inbound,150,Europe,0 -teapartyinfo.org,teapartyinfo.org,inbound,150,Europe,0 -telenet.be,telenet-ops.be,inbound,150,Europe,1.5e-05 -teleportmyjob.com,clara.net,inbound,150,Europe,0 -theleadmagnet.com,your-server.de,inbound,150,Europe,1 -timeweb.ru,timeweb.ru,inbound,150,Europe,1 -tiscali.it,tiscali.it,outbound,150,Europe,0 -totaljobsmail.co.uk,totaljobsmail.co.uk,inbound,150,Europe,0 -transversal.net,transversal.net,inbound,150,Europe,1 -travisperkins.co.uk,travisperkins.co.uk,inbound,150,Europe,0 -trovit.com,trovit.com,inbound,150,Europe,0 -tucasa.com,grupodtm.com,inbound,150,Europe,0 -twoomail.com,twoomail.com,inbound,150,Europe,0 -ubuntu.com,canonical.com,inbound,150,Europe,0 -ukr.net,fwdcdn.com,inbound,150,Europe,1 -ukr.net,ukr.net,outbound,150,Europe,0.999992 -ulteem.com,ulteem.com,inbound,150,Europe,0 -usndr.com,usndr.com,inbound,150,Europe,1 -venere.com,kiwari.com,inbound,150,Europe,0 -venteprivee.com,venteprivee.com,inbound,150,Europe,0 -virgilio.it,virgilio.net,inbound,150,Europe,0 -visualsoft.co.uk,visualsoft.co.uk,inbound,150,Europe,0 -vouchercloud.com,vouchercloud.com,inbound,150,Europe,0 -voyageprive.com,cccampaigns.net,inbound,150,Europe,0 -voyageprive.es,ccmdcampaigns.net,inbound,150,Europe,0 -voyageprive.it,ccmdcampaigns.net,inbound,150,Europe,0 -voyages-sncf.com,neolane.net,inbound,150,Europe,0 -vueling.com,vueling.com,inbound,150,Europe,0 -wanadoo.fr,orange.fr,inbound,150,Europe,0 -wanadoo.fr,orange.fr,outbound,150,Europe,0 -waves-audio.com,emv8.com,inbound,150,Europe,0 -web.de,web.de,inbound,150,Europe,0.999986 -web.de,web.de,outbound,150,Europe,1 -whereareyounow.com,wayn.net,inbound,150,Europe,0 -wiggle.com,wiggle.com,inbound,150,Europe,0 -william-reed.com,neolane.net,inbound,150,Europe,0 -williamhill.com,williamhill.com,inbound,150,Europe,0 -wldemail.com,emarsys.net,inbound,150,Europe,0 -wmtransfer.com,wmtransfer.com,inbound,150,Europe,0 -wnd.com,emv4.net,inbound,150,Europe,0 -wnd.com,worldnetdaily.com,inbound,150,Europe,0 -work.ua,work.ua,inbound,150,Europe,1 -workcircle.com,workcircle.net,inbound,150,Europe,0 -wp.pl,wp.pl,inbound,150,Europe,0.998027 -wp.pl,wp.pl,outbound,150,Europe,1 -xmailix.com,xmailix.com,inbound,150,Europe,0 -yandex.ru,yandex.net,inbound,150,Europe,0.999658 -yandex.ru,yandex.ru,outbound,150,Europe,1 -ymlpserver.net,ymlpserver.net,inbound,150,Europe,0 -ymlpsrv.net,ymlpsrv.net,inbound,150,Europe,0 -zalando.be,fagms.de,inbound,150,Europe,0 -zalando.dk,fagms.de,inbound,150,Europe,0 -zalando.fi,fagms.de,inbound,150,Europe,0 -zalando.it,fagms.de,inbound,150,Europe,0 -zalando.nl,fagms.de,inbound,150,Europe,0 -zalando.pl,fagms.de,inbound,150,Europe,0 -zumzi.com,neogen.ro,inbound,150,Europe,0 -zumzi.com,zumzi.com,inbound,150,Europe,0 -0bz.biz,hmts.jp,inbound,ZZ,Unknown Region,0 -104.com.tw,104.com.tw,inbound,ZZ,Unknown Region,0.091133 -1105info.com,1105info.com,inbound,ZZ,Unknown Region,0 -1111.com.tw,1111.com.tw,inbound,ZZ,Unknown Region,0 -160by2inbox.com,160by2inbox.com,inbound,ZZ,Unknown Region,0 -160by2invite.com,160by2invite.com,inbound,ZZ,Unknown Region,0 -160by2mail.com,160by2mail.com,inbound,ZZ,Unknown Region,0 -163.com,163.com,inbound,ZZ,Unknown Region,0.996685 -1800flowersinc.com,1800flowersinc.com,inbound,ZZ,Unknown Region,0 -1sale.com,1sale.com,inbound,ZZ,Unknown Region,0 -1v1y.com,euromsg.net,inbound,ZZ,Unknown Region,0 -4shared.com,4shared.com,inbound,ZZ,Unknown Region,1 -6pm.com,6pm.com,inbound,ZZ,Unknown Region,1 -6pm.com,zappos.com,inbound,ZZ,Unknown Region,0.782581 -a8.net,a8.net,inbound,ZZ,Unknown Region,0 -aaa.com,nextjump.com,inbound,ZZ,Unknown Region,0 -aaas-science.org,aaas-science.org,inbound,ZZ,Unknown Region,0 -aarp.org,aarp.org,inbound,ZZ,Unknown Region,0 -about.com,about.com,inbound,ZZ,Unknown Region,8.2e-05 -academy-enews.com,academy-enews.com,inbound,ZZ,Unknown Region,0 -accenture.com,outlook.com,inbound,ZZ,Unknown Region,1 -accountonline.com,accountonline.com,inbound,ZZ,Unknown Region,0.348991 -acehelpfulemails.com,teradatadmc.com,inbound,ZZ,Unknown Region,0 -actorsaccess.com,nonfatmedia.com,inbound,ZZ,Unknown Region,0 -adminforfree.com,adminforfree.com,inbound,ZZ,Unknown Region,1 -adminforfree.net,adminforfree.com,inbound,ZZ,Unknown Region,1 -administrativejobinsider.com,administrativejobinsider.com,inbound,ZZ,Unknown Region,0 -adobe.com,obsmtp.com,inbound,ZZ,Unknown Region,1 -adobesystems.com,adobesystems.com,inbound,ZZ,Unknown Region,0 -adoreme.com,exacttarget.com,inbound,ZZ,Unknown Region,0 -adp.com,adp.com,inbound,ZZ,Unknown Region,1 -adsender.us,adsender.us,inbound,ZZ,Unknown Region,0 -adsolutionline.com,adsolutionline.com,inbound,ZZ,Unknown Region,0 -adultfriendfinder.com,friendfinder.com,inbound,ZZ,Unknown Region,0 -advanceauto.com,bigfootinteractive.com,inbound,ZZ,Unknown Region,0 -advantagebusinessmedia.com,advantagebusinessmedia.com,inbound,ZZ,Unknown Region,0 -af.mil,af.mil,inbound,ZZ,Unknown Region,0.997561 -agoda-emails.com,agoda-emails.com,inbound,ZZ,Unknown Region,0 -agrupemonos.cl,agrupemonos.cl,inbound,ZZ,Unknown Region,1 -albertsonsemail.com,email4-mywebgrocer.com,inbound,ZZ,Unknown Region,0 -alibaba.com,alibaba.com,inbound,ZZ,Unknown Region,0 -alice.it,alice.it,inbound,ZZ,Unknown Region,0 -alice.it,aliceposta.it,outbound,ZZ,Unknown Region,0 -aliexpress.com,alibaba.com,inbound,ZZ,Unknown Region,0 -allegro.pl,allegro.pl,inbound,ZZ,Unknown Region,0 -allegrogroup.ua,allegrogroup.ua,inbound,ZZ,Unknown Region,0 -allsaints.com,allsaints.com,inbound,ZZ,Unknown Region,0 -ama-assn.org,elabs10.com,inbound,ZZ,Unknown Region,0 -amadeus.com,amadeus.net,inbound,ZZ,Unknown Region,0 -amazon.{...},amazon.{...},inbound,ZZ,Unknown Region,0.021685 -amazon.{...},amazonses.com,inbound,ZZ,Unknown Region,0.999971 -amazonses.com,amazonses.com,inbound,ZZ,Unknown Region,0.997919 -amazonses.com,postini.com,inbound,ZZ,Unknown Region,0.924067 -amctheatres.com,amctheatres.com,inbound,ZZ,Unknown Region,0 -americanpublicmediagroup.org,americanpublicmediagroup.org,inbound,ZZ,Unknown Region,0 -ancestry.com,ancestry.com,inbound,ZZ,Unknown Region,0 -angieslist.com,angieslist.com,inbound,ZZ,Unknown Region,0 -anntaylor.com,anntaylor.com,inbound,ZZ,Unknown Region,0 -anpdm.com,anpdm.com,inbound,ZZ,Unknown Region,4e-06 -aol.com,aol.com,outbound,ZZ,Unknown Region,1 -apple.com,apple.com,inbound,ZZ,Unknown Region,0.915839 -argos.co.uk,argos.co.uk,inbound,ZZ,Unknown Region,1 -argos.co.uk,exacttarget.com,inbound,ZZ,Unknown Region,1 -artists-hub.com,artists-hub.com,inbound,ZZ,Unknown Region,0 -asda.com,ec-cluster.com,inbound,ZZ,Unknown Region,0 -ask.fm,ask.fm,inbound,ZZ,Unknown Region,1e-05 -askmen.com,askmen.com,inbound,ZZ,Unknown Region,0 -astrocenter.com,center.com,inbound,ZZ,Unknown Region,0 -athleta.com,athleta.com,inbound,ZZ,Unknown Region,0 -atlassian.net,uc-inf.net,inbound,ZZ,Unknown Region,1 -att.net,yahoo.{...},inbound,ZZ,Unknown Region,0.999956 -auctionzip-email.com,email-auctionholdings.com,inbound,ZZ,Unknown Region,0 -auinmeio.com.br,fnac.com.br,inbound,ZZ,Unknown Region,0 -authorize.net,authorize.net,inbound,ZZ,Unknown Region,0 -authorize.net,visa.com,inbound,ZZ,Unknown Region,0.993555 -autoreply.com,autoreply.com,inbound,ZZ,Unknown Region,0 -avomail.com,avomail.com,inbound,ZZ,Unknown Region,0 -avon.com,email-avonglobal.com,inbound,ZZ,Unknown Region,0 -avon.com,postdirect.com,inbound,ZZ,Unknown Region,0 -aweber.com,aweber.com,inbound,ZZ,Unknown Region,3e-06 -ayi.com,ayi.com,inbound,ZZ,Unknown Region,0 -backcountry.com,backcountry.com,inbound,ZZ,Unknown Region,0 -backlog.jp,backlog.jp,inbound,ZZ,Unknown Region,0 -bagitgetitmailer.in,emce2.in,inbound,ZZ,Unknown Region,0 -banamex.com,citi.com,inbound,ZZ,Unknown Region,0.999958 -bananarepublic.com,bananarepublic.com,inbound,ZZ,Unknown Region,3.48869418874254e-07 -bancochile.cl,bancochile.cl,inbound,ZZ,Unknown Region,0.999504 -bancofalabella.com,bancofalabella.com,inbound,ZZ,Unknown Region,0 -banesco.com,banesco.com,inbound,ZZ,Unknown Region,0 -bankofamerica.com,bankofamerica.com,inbound,ZZ,Unknown Region,0.971142 -banorte.com,gfnorte.com.mx,inbound,ZZ,Unknown Region,0.994999 -barclaycardus.com,bigfootinteractive.com,inbound,ZZ,Unknown Region,0 -basecamp.com,basecamp.com,inbound,ZZ,Unknown Region,1 -basecamphq.com,basecamphq.com,inbound,ZZ,Unknown Region,1 -baskinrobbins.com,baskinrobbins.com,inbound,ZZ,Unknown Region,0 -bazarchic-invitations.com,bazarchic-emstech.com,inbound,ZZ,Unknown Region,0 -bcbg.com,bcbg.com,inbound,ZZ,Unknown Region,0 -beatport-email.com,beatport-email.com,inbound,ZZ,Unknown Region,0 -beautylish.com,beautylish.com,inbound,ZZ,Unknown Region,1 -bebe.com,ed10.com,inbound,ZZ,Unknown Region,0 -befrugal.com,befrugal.com,inbound,ZZ,Unknown Region,0 -belkemail.com,belkemail.com,inbound,ZZ,Unknown Region,0 -bellsouth.net,yahoo.{...},inbound,ZZ,Unknown Region,0.999951 -benihana-news.com,benihana-news.com,inbound,ZZ,Unknown Region,0 -bestbuy.com,bestbuy.com,inbound,ZZ,Unknown Region,0.003289 -beta.lt,mailersend3.com,inbound,ZZ,Unknown Region,0 -beyondtherack.com,beyondtherack.com,inbound,ZZ,Unknown Region,0 -bigfishgames.com,bigfishgames.com,inbound,ZZ,Unknown Region,0 -biglots.com,biglots.com,inbound,ZZ,Unknown Region,0 -bjsrestaurants.com,bjsrestaurants.com,inbound,ZZ,Unknown Region,0 -blackberry.com,blackberry.com,inbound,ZZ,Unknown Region,0 -blackboard.com,notification.com,inbound,ZZ,Unknown Region,0 -blackpeoplemeet.com,blackpeoplemeet.com,inbound,ZZ,Unknown Region,0 -bloglovin.com,bloglovin.com,inbound,ZZ,Unknown Region,0 -blogtrottr.com,blogtrottr.com,inbound,ZZ,Unknown Region,0 -bloomberg.com,bloomberg.com,inbound,ZZ,Unknown Region,0.001463 -bloomberg.net,bloomberg.net,inbound,ZZ,Unknown Region,1 -bluediamondhost3.com,web-hosting.com,inbound,ZZ,Unknown Region,1 -bluehornet.com,bluehornet.com,inbound,ZZ,Unknown Region,0 -bluenile.com,bluenile.com,inbound,ZZ,Unknown Region,0 -bluestatedigital.com,bluestatedigital.com,inbound,ZZ,Unknown Region,0 -bm05.net,bm05.net,inbound,ZZ,Unknown Region,0 -bmnt.jp,bmnt.jp,inbound,ZZ,Unknown Region,0 -bmsend.com,bmsend.com,inbound,ZZ,Unknown Region,0 -bn.com,bn.com,inbound,ZZ,Unknown Region,0 -bncollegemail.com,bncollegemail.com,inbound,ZZ,Unknown Region,0 -booking.com,booking.com,inbound,ZZ,Unknown Region,1 -bookmyshow.com,eccluster.com,inbound,ZZ,Unknown Region,0 -boots.com,boots.com,inbound,ZZ,Unknown Region,0 -box.com,box.com,inbound,ZZ,Unknown Region,0.955607 -brierleycrm.com,brierleycrm.com,inbound,ZZ,Unknown Region,0 -brooksbrothers.com,brooksbrothers.com,inbound,ZZ,Unknown Region,0 -btinternet.com,cpcloud.co.uk,inbound,ZZ,Unknown Region,0 -btinternet.com,cpcloud.co.uk,outbound,ZZ,Unknown Region,0 -btinternet.com,yahoo.{...},inbound,ZZ,Unknown Region,1 -budgettravel.com,email-budgettravel.com,inbound,ZZ,Unknown Region,0 -buyinvite.com.au,buyinvite.com.au,inbound,ZZ,Unknown Region,0 -bv.com.br,bv.com.br,inbound,ZZ,Unknown Region,0 -byway.it,byway.it,inbound,ZZ,Unknown Region,0 -cabelas.com,cabelas.com,inbound,ZZ,Unknown Region,0 -californiajobdepartment.com,californiajobdepartment.com,inbound,ZZ,Unknown Region,0 -callcommand.com,callcommand.com,inbound,ZZ,Unknown Region,0 -calottery.com,calottery.com,inbound,ZZ,Unknown Region,1 -canadiantire.ca,canadiantire.ca,inbound,ZZ,Unknown Region,0 -canalplus.es,canalplus.es,inbound,ZZ,Unknown Region,0 -capitalone.com,bigfootinteractive.com,inbound,ZZ,Unknown Region,0 -capitaloneemail.com,capitaloneemail.com,inbound,ZZ,Unknown Region,0 -career-hub.net,career-hub.net,inbound,ZZ,Unknown Region,1 -careerbuilder-email.com,careerbuilder-email.com,inbound,ZZ,Unknown Region,0 -careerbuilder.com,careerbuilder.com,inbound,ZZ,Unknown Region,0 -careerflash.net,careerflash.net,inbound,ZZ,Unknown Region,1 -carrefour.fr,carrefour.fr,inbound,ZZ,Unknown Region,0 -carters.com,carters.com,inbound,ZZ,Unknown Region,2e-06 -caseyresearch.com,caseyresearch.com,inbound,ZZ,Unknown Region,1 -catchyfreebies.net,mmsend53.com,inbound,ZZ,Unknown Region,0 -cccampaigns.net,emv9.net,inbound,ZZ,Unknown Region,0 -cecentertainment.com,cecentertainment.com,inbound,ZZ,Unknown Region,0 -celebritycruises.com,celebritycruises.com,inbound,ZZ,Unknown Region,0 -centaur.co.uk,centaur.co.uk,inbound,ZZ,Unknown Region,0 -centauro.com.br,centauro.com.br,inbound,ZZ,Unknown Region,0 -centerparcs.co.uk,ec-cluster.com,inbound,ZZ,Unknown Region,0 -cfmailer.com,elabs11.com,inbound,ZZ,Unknown Region,0 -change.org,change.org,inbound,ZZ,Unknown Region,1 -channel4.com,channel4.com,inbound,ZZ,Unknown Region,0 -chase.com,bigfootinteractive.com,inbound,ZZ,Unknown Region,0 -cheaperthandirt.com,cheaperthandirt.com,inbound,ZZ,Unknown Region,0 -chefscatalog.com,chefscatalog.com,inbound,ZZ,Unknown Region,0 -chemistdirect.co.uk,ec-cluster.com,inbound,ZZ,Unknown Region,0 -chemistry.com,chemistry.com,inbound,ZZ,Unknown Region,0 -chick-fil-ainsiders.com,chick-fil-ainsiders.com,inbound,ZZ,Unknown Region,0 -chopra.com,chopra.com,inbound,ZZ,Unknown Region,1 -christianmingle.com,postdirect.com,inbound,ZZ,Unknown Region,0 -cir.ca,cir.ca,inbound,ZZ,Unknown Region,1 -citi.com,citi.com,inbound,ZZ,Unknown Region,0.999941 -citibank.com,bigfootinteractive.com,inbound,ZZ,Unknown Region,0 -citibank.com,citi.com,inbound,ZZ,Unknown Region,0.999997 -citicorp.com,citi.com,inbound,ZZ,Unknown Region,0.999999 -citruslane.com,citruslane.com,inbound,ZZ,Unknown Region,5e-06 -clarisonic.com,clarisonic.com,inbound,ZZ,Unknown Region,0 -classmates.com,classmates.com,inbound,ZZ,Unknown Region,0 -clickon.com.ar,clickon.com.ar,inbound,ZZ,Unknown Region,0 -cmail1.com,createsend.com,inbound,ZZ,Unknown Region,0 -cmail2.com,createsend.com,inbound,ZZ,Unknown Region,0 -cmrfalabella.com,cmrfalabella.com,inbound,ZZ,Unknown Region,0 -codebreak.info,codebreak.info,inbound,ZZ,Unknown Region,1 -comcast.net,comcast.net,outbound,ZZ,Unknown Region,1 -confirmsignup.com,mmsend53.com,inbound,ZZ,Unknown Region,0 -constantcontact.com,postini.com,inbound,ZZ,Unknown Region,0.139551 -constantcontact.com,yahoo.{...},inbound,ZZ,Unknown Region,0.999541 -contact-darty.com,mm-send.com,inbound,ZZ,Unknown Region,0 -contactlab.it,contactlab.it,inbound,ZZ,Unknown Region,0 -converse.com,converse.com,inbound,ZZ,Unknown Region,1 -cookingchanneltv.com,cookingchanneltv.com,inbound,ZZ,Unknown Region,0 -copernica.nl,picsrv.net,inbound,ZZ,Unknown Region,0.011507 -copernica.nl,vicinity.nl,inbound,ZZ,Unknown Region,0.011753 -coppel.com,coppel.com,inbound,ZZ,Unknown Region,0 -corporateperks.com,nextjump.com,inbound,ZZ,Unknown Region,0 -countrycurtainscatalog.com,countrycurtainscatalog.com,inbound,ZZ,Unknown Region,0 -coupondunia.in,coupondunia.in,inbound,ZZ,Unknown Region,1 -crabtree-evelyn.com,crabtree-evelyn.com,inbound,ZZ,Unknown Region,0 -crainnewsalerts.com,crainnewsalerts.com,inbound,ZZ,Unknown Region,0 -crashlytics.com,sendgrid.net,inbound,ZZ,Unknown Region,1 -cricut.com,elabs12.com,inbound,ZZ,Unknown Region,0 -criticalimpactinc.com,criticalimpactinc.com,inbound,ZZ,Unknown Region,0 -critsend.com,critsend.com,inbound,ZZ,Unknown Region,0 -crocs-email.com,crocs-email.com,inbound,ZZ,Unknown Region,0 -crunchyroll.com,crunchyroll.com,inbound,ZZ,Unknown Region,0 -cudo.com.au,exacttarget.com,inbound,ZZ,Unknown Region,0 -cuenote.jp,cuenote.jp,inbound,ZZ,Unknown Region,0 -cupomturbinado.com.br,cupomnaweb.com.br,inbound,ZZ,Unknown Region,1 -cuppon.pl,cuppon.pl,inbound,ZZ,Unknown Region,0 -curriculum.com.br,curriculum.com.br,inbound,ZZ,Unknown Region,0 -currys.co.uk,currys.co.uk,inbound,ZZ,Unknown Region,0 -custom-emailing.com,elabs12.com,inbound,ZZ,Unknown Region,0 -cvent-planner.com,cvent-planner.com,inbound,ZZ,Unknown Region,0 -cyberdiet.com.br,allinmedia.com.br,inbound,ZZ,Unknown Region,0 -dabmail.com,iaires.com,inbound,ZZ,Unknown Region,0 -dailyom.com,dailyom.com,inbound,ZZ,Unknown Region,1 -dairyqueen.com,dairyqueen.com,inbound,ZZ,Unknown Region,0 -datadrivenemail.com,datadrivenemail.com,inbound,ZZ,Unknown Region,0 -daveramsey.com,daveramsey.com,inbound,ZZ,Unknown Region,0 -ddc-emails.com,ddc-emails.com,inbound,ZZ,Unknown Region,0 -dealchicken.com,dealchicken.com,inbound,ZZ,Unknown Region,0 -dealchicken.com,exacttarget.com,inbound,ZZ,Unknown Region,0 -dealfind.com,dealfind.com,inbound,ZZ,Unknown Region,0 -dealnews.com,dealnews.com,inbound,ZZ,Unknown Region,0 -dealsdirect.com.au,dealsdirect.com.au,inbound,ZZ,Unknown Region,0 -dealspl.us,dealspl.us,inbound,ZZ,Unknown Region,0 -delta.com,delta.com,inbound,ZZ,Unknown Region,0.040177 -dermstore.com,exacttarget.com,inbound,ZZ,Unknown Region,0 -dhl.com,dhl.com,inbound,ZZ,Unknown Region,0.994107 -dietaesaude.com.br,dietaesaude.com.br,inbound,ZZ,Unknown Region,0 -dinda.com.br,dinda.com.br,inbound,ZZ,Unknown Region,0 -directvla.com,directvla.com,inbound,ZZ,Unknown Region,0 -discover.com,discover.com,inbound,ZZ,Unknown Region,0 -disneydestinations.com,disneyparks.com,inbound,ZZ,Unknown Region,0 -disneydestinations.com,disneyworld.com,inbound,ZZ,Unknown Region,0 -diynetwork.com,diynetwork.com,inbound,ZZ,Unknown Region,0 -doctoroz.com,email-sharecare2.com,inbound,ZZ,Unknown Region,0 -dollartree.com,email-dollartree.com,inbound,ZZ,Unknown Region,0 -dominos.com,dominos.com,inbound,ZZ,Unknown Region,0.011861 -dominos.com.au,dominos.com.au,inbound,ZZ,Unknown Region,0 -donuts.ne.jp,dnuts.jp,inbound,ZZ,Unknown Region,0 -dotz.com.br,dotz.com.br,inbound,ZZ,Unknown Region,0 -doubletakeoffers.com,doubletakeoffers.com,inbound,ZZ,Unknown Region,0 -downlinebuilderdirect.com,downlinebuilderdirect.com,inbound,ZZ,Unknown Region,0 -dptagent.net,dptagent.net,inbound,ZZ,Unknown Region,0 -draftkings.com,draftkings.com,inbound,ZZ,Unknown Region,0 -dreamhost.com,dreamhost.com,inbound,ZZ,Unknown Region,0 -driftem.com,emce2.in,inbound,ZZ,Unknown Region,0 -drjays-mail.com,drjays-mail.com,inbound,ZZ,Unknown Region,0 -dromadaire-news.com,ecmcluster.com,inbound,ZZ,Unknown Region,0 -dukecareers.com,dukecareers.com,inbound,ZZ,Unknown Region,1 -duluthtradingemail.com,email-duluthtrading.com,inbound,ZZ,Unknown Region,0 -dynect-mailer.net,dynect.net,inbound,ZZ,Unknown Region,0 -dynect-mailer.net,sendlabs.com,inbound,ZZ,Unknown Region,0 -e-bodyc.com,email-bodycentral.com,inbound,ZZ,Unknown Region,0 -e-jobs-ville.com,e-jobs-ville.com,inbound,ZZ,Unknown Region,1 -e-leclerc.com,e-leclerc.com,inbound,ZZ,Unknown Region,0 -easycanvasprints.com,easycanvasprints.com,inbound,ZZ,Unknown Region,0 -easyhits4u.com,easyhits4u.com,inbound,ZZ,Unknown Region,1 -easyhits4u.com,relmax.net,inbound,ZZ,Unknown Region,0 -ebags.com,ebags.com,inbound,ZZ,Unknown Region,0 -ebay-kleinanzeigen.de,mobile.de,inbound,ZZ,Unknown Region,1 -ebay.{...},ebay.{...},inbound,ZZ,Unknown Region,0.999648 -ebay.{...},emarsys.net,inbound,ZZ,Unknown Region,0 -ebay.{...},postdirect.com,inbound,ZZ,Unknown Region,0 -ebizac3.com,ebizac3.com,inbound,ZZ,Unknown Region,0 -ebuildabear.com,ebuildabear.com,inbound,ZZ,Unknown Region,8e-06 -ed10.net,ed10.com,inbound,ZZ,Unknown Region,0 -eddiebauer.com,eddiebauer.com,inbound,ZZ,Unknown Region,0 -eduk.com,eduk.com,inbound,ZZ,Unknown Region,0 -efamilydollar.com,efamilydollar.com,inbound,ZZ,Unknown Region,0 -elabs10.com,elabs10.com,inbound,ZZ,Unknown Region,0 -elabs12.com,elabs12.com,inbound,ZZ,Unknown Region,0 -elistas.net,elistas.net,inbound,ZZ,Unknown Region,0 -elkjop.no,ec-cluster.com,inbound,ZZ,Unknown Region,0 -elkjop.no,eccluster.com,inbound,ZZ,Unknown Region,0 -elo7.com.br,elo7.com.br,inbound,ZZ,Unknown Region,0 -email-1800contacts.com,email-1800contacts.com,inbound,ZZ,Unknown Region,0 -email-aaa.com,email-aaa.com,inbound,ZZ,Unknown Region,0 -email-aeriagames.com,email-aeriagames.com,inbound,ZZ,Unknown Region,0 -email-dressbarn.com,email-dressbarn.com,inbound,ZZ,Unknown Region,0 -email-firestone.com,reminder-firestone.com,inbound,ZZ,Unknown Region,0 -email-honest.com,email-honest.com,inbound,ZZ,Unknown Region,0 -email-od.com,email-od.com,inbound,ZZ,Unknown Region,0.999752 -email-petsmart.com,email-petsmart.com,inbound,ZZ,Unknown Region,0 -email-sportchalet.com,email-sportchalet.com,inbound,ZZ,Unknown Region,0 -email-telekom.de,ecm-cluster.com,inbound,ZZ,Unknown Region,0 -email-totalwine.com,email-totalwine.com,inbound,ZZ,Unknown Region,0 -email-wildstar-online.com,email-carbine.com,inbound,ZZ,Unknown Region,0 -email2-beyond.com,messagebus.com,inbound,ZZ,Unknown Region,0 -email360api.com,email360api.com,inbound,ZZ,Unknown Region,0 -email365inc.com,email365inc.com,inbound,ZZ,Unknown Region,0 -email3m.com,email3m.com,inbound,ZZ,Unknown Region,0 -emailrestaurant.com,emailrestaurant.com,inbound,ZZ,Unknown Region,0 -emailtoryburch.com,emailtoryburch.com,inbound,ZZ,Unknown Region,0 -emarsys.net,emarsys.net,inbound,ZZ,Unknown Region,0.265197 -embarqmail.com,centurylink.net,inbound,ZZ,Unknown Region,0.999918 -emergencyemail.org,emergencyemail.org,inbound,ZZ,Unknown Region,0 -eminentinc.com,eminentinc.com,inbound,ZZ,Unknown Region,0 -emktviajarbarato.com.br,splio.com.br,inbound,ZZ,Unknown Region,0.875902 -employboard.com,employboard.com,inbound,ZZ,Unknown Region,1 -emsecure.net,emsecure.net,inbound,ZZ,Unknown Region,0 -emsmtp.com,emsmtp.com,inbound,ZZ,Unknown Region,0.44284 -en25.com,kqed.org,inbound,ZZ,Unknown Region,0 -enewscartes.net,bp06.net,inbound,ZZ,Unknown Region,0 -enewsletter.pl,mydeal.pl,inbound,ZZ,Unknown Region,0 -enewsletter.pl,sare25.com,inbound,ZZ,Unknown Region,0 -enplenitud.com,enplenitud.com,inbound,ZZ,Unknown Region,0 -entrepreneur.com,entrepreneur.com,inbound,ZZ,Unknown Region,0 -ethingsremembered.com,ethingsremembered.com,inbound,ZZ,Unknown Region,0 -etrade.com,etrade.com,inbound,ZZ,Unknown Region,0 -etransmail.com,etransmail.com,inbound,ZZ,Unknown Region,0 -etransmail.com,ptransmail.com,inbound,ZZ,Unknown Region,0 -etrmailbox.com,etrmailbox.com,inbound,ZZ,Unknown Region,0 -etsy.com,etsy.com,inbound,ZZ,Unknown Region,0.020849 -evernote.com,evernote.com,inbound,ZZ,Unknown Region,1 -everydayfamily.com,everydayfamily.com,inbound,ZZ,Unknown Region,0 -everytown.org,everytown.org,inbound,ZZ,Unknown Region,1 -exacttarget.com,bazaarvoice.com,inbound,ZZ,Unknown Region,0 -exacttarget.com,booksamillion.com,inbound,ZZ,Unknown Region,0 -exacttarget.com,exacttarget.com,inbound,ZZ,Unknown Region,0.000325 -exacttarget.com,msg.com,inbound,ZZ,Unknown Region,0 -exacttarget.com,redboxinstant.com,inbound,ZZ,Unknown Region,0 -exacttarget.com,skylinetechnologies.com,inbound,ZZ,Unknown Region,0 -expediamail.com,airasiago.com,inbound,ZZ,Unknown Region,1 -expediamail.com,exacttarget.com,inbound,ZZ,Unknown Region,1 -expediamail.com,expediamail.com,inbound,ZZ,Unknown Region,0.839662 -expediamail.com,quotitmail.com,inbound,ZZ,Unknown Region,0 -experteer.com,experteer.com,inbound,ZZ,Unknown Region,0 -express.com,expressfashion.com,inbound,ZZ,Unknown Region,0 -facebook.com,facebook.com,inbound,ZZ,Unknown Region,0 -facebook.com,facebook.com,outbound,ZZ,Unknown Region,1 -facebookmail.com,postini.com,inbound,ZZ,Unknown Region,0.918705 -facebookmail.com,yahoo.{...},inbound,ZZ,Unknown Region,0.999846 -falabella.com,falabella.com,inbound,ZZ,Unknown Region,0 -fanatics.com,fanatics.com,inbound,ZZ,Unknown Region,0 -fanaticsretailgroup.com,fanaticsretailgroup.com,inbound,ZZ,Unknown Region,0 -fanbridge.com,fanbridge.com,inbound,ZZ,Unknown Region,0 -fanofannas.com,fanofannas.com,inbound,ZZ,Unknown Region,0 -fansedge.com,fansedge.com,inbound,ZZ,Unknown Region,0 -farmers.com,farmers.com,inbound,ZZ,Unknown Region,0.999984 -fastcompany.com,fastcompany.com,inbound,ZZ,Unknown Region,0 -fedex.com,fedex.com,inbound,ZZ,Unknown Region,0.919932 -feld-ent.com,postdirect.com,inbound,ZZ,Unknown Region,0 -fellowshiponemail.com,fellowshiponemail.com,inbound,ZZ,Unknown Region,0 -fetlifemail.com,fetlifemail.com,inbound,ZZ,Unknown Region,0 -fidelity.com,fidelity.com,inbound,ZZ,Unknown Region,1 -financialfreedommail.com,financialfreedommail.com,inbound,ZZ,Unknown Region,0 -fingerhut.com,fingerhut.com,inbound,ZZ,Unknown Region,0 -flets.com,flets.com,inbound,ZZ,Unknown Region,0 -flirtlocal.com,flirtlocal.com,inbound,ZZ,Unknown Region,1 -flmsecure.com,fling.com,inbound,ZZ,Unknown Region,0 -flmsecure.com,flmsecure.com,inbound,ZZ,Unknown Region,0 -floridajobdepartment.com,floridajobdepartment.com,inbound,ZZ,Unknown Region,0 -fnac.com,fnac.com,inbound,ZZ,Unknown Region,0.025375 -fnb.co.za,fnb.co.za,inbound,ZZ,Unknown Region,0.325259 -foodnetwork.com,foodnetwork.com,inbound,ZZ,Unknown Region,0 -forcemail.in,iaires.com,inbound,ZZ,Unknown Region,0 -foreseegame.com,iaires.com,inbound,ZZ,Unknown Region,0 -fotffamily.com,fotffamily.com,inbound,ZZ,Unknown Region,0 -fotolivro.com.br,fotolivro.com.br,inbound,ZZ,Unknown Region,0 -fpmailerbr.com,fpmailerbr.com,inbound,ZZ,Unknown Region,0 -freecycle.org,freecycle.org,inbound,ZZ,Unknown Region,1 -freelancer.com,getafreelancer.com,inbound,ZZ,Unknown Region,0 -freesafelistmailer.com,waters-advertising.com,inbound,ZZ,Unknown Region,0 -freshmail.pl,freshmail.pl,inbound,ZZ,Unknown Region,0 -fridays.com,fridays.com,inbound,ZZ,Unknown Region,0 -frk.com,frk.com,inbound,ZZ,Unknown Region,1 -frontdoor.com,frontdoor.com,inbound,ZZ,Unknown Region,0 -frontgate-email.com,frontgate-email.com,inbound,ZZ,Unknown Region,0 -fuckbooknet.net,infinitypersonals.com,inbound,ZZ,Unknown Region,0 -fundplaza.co.in,arrowsignindia.com,inbound,ZZ,Unknown Region,0 -fundplaza.in,fundplaza.in,inbound,ZZ,Unknown Region,0 -funonthenet.in,funonthenet.in,inbound,ZZ,Unknown Region,1 -futurmailer.pt,futurmailer.pt,inbound,ZZ,Unknown Region,0 -gabbar.info,gabbar.info,inbound,ZZ,Unknown Region,1 -gamefly.com,gamefly.com,inbound,ZZ,Unknown Region,0.014317 -gamingmails.com,gamingmails.com,inbound,ZZ,Unknown Region,0 -gap.com,gap.com,inbound,ZZ,Unknown Region,0 -gap.eu,gap.eu,inbound,ZZ,Unknown Region,0 -gapcanada.ca,gapcanada.ca,inbound,ZZ,Unknown Region,0 -garanti.com.tr,euromsg.net,inbound,ZZ,Unknown Region,0 -garnethill-email.com,garnethill-email.com,inbound,ZZ,Unknown Region,0 -gaylordalert.com,gaylordalert.com,inbound,ZZ,Unknown Region,0 -gcast.com.au,systemsserver.net,inbound,ZZ,Unknown Region,0 -gdtsuccess.com,groupdealtools.com,inbound,ZZ,Unknown Region,1 -geico.com,geico.com,inbound,ZZ,Unknown Region,0.096795 -gene.com,roche.com,inbound,ZZ,Unknown Region,1 -geocaching.com,groundspeak.com,inbound,ZZ,Unknown Region,1 -getinbox.net,getinbox.net,inbound,ZZ,Unknown Region,0 -getkeepsafe.com,getkeepsafe.com,inbound,ZZ,Unknown Region,1 -getmein.com,getmein.com,inbound,ZZ,Unknown Region,0 -getresponse.com,getresponse.com,inbound,ZZ,Unknown Region,0 -gfsmarketplace-email.com,gfsmarketplace-email.com,inbound,ZZ,Unknown Region,0 -gilt.com,gilt.com,inbound,ZZ,Unknown Region,1e-06 -github.com,github.net,inbound,ZZ,Unknown Region,1 -glassdoor.com,glassdoor.com,inbound,ZZ,Unknown Region,0 -globalmembersupport.com,globalmembersupport.com,inbound,ZZ,Unknown Region,0 -globalspec.com,globalspec.com,inbound,ZZ,Unknown Region,0 -gmail.com,blackberry.com,inbound,ZZ,Unknown Region,0.998326 -gmail.com,postini.com,inbound,ZZ,Unknown Region,0.891175 -gmail.com,yahoo.{...},inbound,ZZ,Unknown Region,0.998661 -go.com,starwave.com,inbound,ZZ,Unknown Region,0.006276 -godtubemail.com,godtubemail.com,inbound,ZZ,Unknown Region,0 -godvinemail.com,godvinemail.com,inbound,ZZ,Unknown Region,0 -gohappy.com.tw,gohappy.com.tw,inbound,ZZ,Unknown Region,0 -goldenbrands.gr,goldenbrands.gr,inbound,ZZ,Unknown Region,1 -golfnow.com,email-golfnow.com,inbound,ZZ,Unknown Region,0 -google.com,postini.com,inbound,ZZ,Unknown Region,0.81059 -gop.com,gop.com,inbound,ZZ,Unknown Region,0 -grabone-mail-ie.com,grabone-mail-ie.com,inbound,ZZ,Unknown Region,0 -grabone-mail.com,grabone-mail.com,inbound,ZZ,Unknown Region,0 -gratka.pl,gratka.pl,inbound,ZZ,Unknown Region,0 -grocerycouponnetwork.com,grocerycouponnetwork.com,inbound,ZZ,Unknown Region,0 -groopdealz.com,groopdealz.com,inbound,ZZ,Unknown Region,1 -groupalia.es,groupalia.es,inbound,ZZ,Unknown Region,0 -groupalia.it,groupalia.it,inbound,ZZ,Unknown Region,0 -groupon.jp,data-hotel.net,inbound,ZZ,Unknown Region,0 -groupon.{...},groupon.{...},inbound,ZZ,Unknown Region,0.990176 -grouponmail.{...},grouponmail.{...},inbound,ZZ,Unknown Region,0 -grubhubmail.com,grubhubmail.com,inbound,ZZ,Unknown Region,0 -grupanya.com,euromsg.net,inbound,ZZ,Unknown Region,0 -guruin.info,guru.net.in,inbound,ZZ,Unknown Region,1 -habitaclia.com,splio.es,inbound,ZZ,Unknown Region,0.951406 -harborfreightemail.com,harborfreightemail.com,inbound,ZZ,Unknown Region,0 -hautelook.com,hautelook.com,inbound,ZZ,Unknown Region,0 -hepsiburada.com,euromsg.net,inbound,ZZ,Unknown Region,0 -herbalifemail.com,herbalifemail.com,inbound,ZZ,Unknown Region,0 -herculist.com,herculist.com,inbound,ZZ,Unknown Region,0 -hgtv.com,hgtv.com,inbound,ZZ,Unknown Region,0 -hhgreggemail.com,hhgreggemail.com,inbound,ZZ,Unknown Region,0 -hipmunk.com,hipmunk.com,inbound,ZZ,Unknown Region,0 -hln.be,persgroep-ops.net,inbound,ZZ,Unknown Region,0 -hm-f.jp,hm-f.jp,inbound,ZZ,Unknown Region,0 -hobsonsmail.com,hobsonsmail.com,inbound,ZZ,Unknown Region,0 -homebaselife.com,ec-cluster.com,inbound,ZZ,Unknown Region,0 -homechoice.co.za,homechoice.co.za,inbound,ZZ,Unknown Region,0 -homedepotemail.com,homedepotemail.com,inbound,ZZ,Unknown Region,0 -honto.jp,honto.jp,inbound,ZZ,Unknown Region,0 -horoscope.com,center.com,inbound,ZZ,Unknown Region,0 -hotels.com,hotels.com,inbound,ZZ,Unknown Region,0 -hotelurbano.com.br,allin.com.br,inbound,ZZ,Unknown Region,0 -hotmail.{...},hotmail.{...},inbound,ZZ,Unknown Region,0.999944 -hotmail.{...},hotmail.{...},outbound,ZZ,Unknown Region,1 -hotspotmailer.com,hotspotmailer.com,inbound,ZZ,Unknown Region,1 -hp.com,hp.com,inbound,ZZ,Unknown Region,0.198696 -hsn.com,hsn.com,inbound,ZZ,Unknown Region,0 -htcampusmailer.com,eccluster.com,inbound,ZZ,Unknown Region,0 -hubspot.com,hubspot.com,inbound,ZZ,Unknown Region,1 -huinforma.com.br,huinforma.com.br,inbound,ZZ,Unknown Region,0 -hulumail.com,hulumail.com,inbound,ZZ,Unknown Region,0 -hungryhouse.co.uk,mxmfb.com,inbound,ZZ,Unknown Region,0 -huntington.com,huntington.com,inbound,ZZ,Unknown Region,0.986937 -i-say.com,ipsos-interactive.com,inbound,ZZ,Unknown Region,1 -icloud.com,apple.com,inbound,ZZ,Unknown Region,1 -icloud.com,icloud.com,outbound,ZZ,Unknown Region,1 -icloud.com,mac.com,inbound,ZZ,Unknown Region,1 -icloud.com,me.com,inbound,ZZ,Unknown Region,0.999995 -ifttt.com,ifttt.com,inbound,ZZ,Unknown Region,1 -ign.com,ign.com,inbound,ZZ,Unknown Region,0 -ignitionsender.com,ignitionsender.com,inbound,ZZ,Unknown Region,0 -iheart.com,iheart.com,inbound,ZZ,Unknown Region,0 -immobilienscout24.de,immobilienscout24.de,inbound,ZZ,Unknown Region,1 -in-boxpays.com,in-boxpays.com,inbound,ZZ,Unknown Region,0 -indiamart.com,indiamart.com,inbound,ZZ,Unknown Region,1 -indiatimes.com,speakingtree.in,inbound,ZZ,Unknown Region,0 -indiatimeshop.com,sendpal.in,inbound,ZZ,Unknown Region,0 -indieroyale.com,desura.com,inbound,ZZ,Unknown Region,1 -infibeam.com,eccluster.com,inbound,ZZ,Unknown Region,0 -infopanel.jp,mailds.jp,inbound,ZZ,Unknown Region,0 -infos-micromania.com,infos-micromania.com,inbound,ZZ,Unknown Region,0 -infosephora.com,splio.com,inbound,ZZ,Unknown Region,0.962167 -infoworld.com,infoworld.com,inbound,ZZ,Unknown Region,0 -infusionmail.com,infusionmail.com,inbound,ZZ,Unknown Region,0 -inmotionhosting.com,inmotionhosting.com,inbound,ZZ,Unknown Region,1 -ino.com,ino.com,inbound,ZZ,Unknown Region,0.999981 -interwell.gr,interwell.gr,inbound,ZZ,Unknown Region,0 -ipcmedia.co.uk,ipcmedia.co.uk,inbound,ZZ,Unknown Region,0 -itunes.com,apple.com,inbound,ZZ,Unknown Region,0.043012 -jackwills.com,jackwills.com,inbound,ZZ,Unknown Region,0 -jalag.de,jalag.de,inbound,ZZ,Unknown Region,1 -jane.com,jane.com,inbound,ZZ,Unknown Region,1 -jango.com,jango.com,inbound,ZZ,Unknown Region,0 -jared.com,jared.com,inbound,ZZ,Unknown Region,0 -jdate.com,postdirect.com,inbound,ZZ,Unknown Region,0 -jetprivilege.com,jetprivilege.com,inbound,ZZ,Unknown Region,0 -jeuxvideo.com,jeuxvideo.com,inbound,ZZ,Unknown Region,0.148921 -jeweloscoemail.com,email-mywebgrocer2.com,inbound,ZZ,Unknown Region,0 -joann-mail.com,joann-mail.com,inbound,ZZ,Unknown Region,0 -jobinsider.com,jobinsider.com,inbound,ZZ,Unknown Region,0 -jobisjob.com,jobisjob.com,inbound,ZZ,Unknown Region,0 -jobomas.com,jobomas.com,inbound,ZZ,Unknown Region,1 -jobstreet.com,jobstreet.com,inbound,ZZ,Unknown Region,0 -jpcycles.com,jpcycles.com,inbound,ZZ,Unknown Region,0.001716 -jungleerummy.com,jungleerummy.com,inbound,ZZ,Unknown Region,1 -jusbrasil.com.br,jusbrasil.com.br,inbound,ZZ,Unknown Region,0 -just-eat.co.uk,ec-cluster.com,inbound,ZZ,Unknown Region,0 -justclick.ru,justclick.ru,inbound,ZZ,Unknown Region,0 -justdial.com,iaires.com,inbound,ZZ,Unknown Region,0 -k1speed.com,k1speed.com,inbound,ZZ,Unknown Region,1 -kaskusnetworks.com,kaskus.com,inbound,ZZ,Unknown Region,0 -kay.com,kay.com,inbound,ZZ,Unknown Region,0 -keek.com,keek.com,inbound,ZZ,Unknown Region,1 -kgbdeals.co.uk,email1-kgbdeals.com,inbound,ZZ,Unknown Region,0 -kliksa.net,euromsg.net,inbound,ZZ,Unknown Region,0 -kliktoday.com,kliktoday.com,inbound,ZZ,Unknown Region,0 -klm-mail.com,klm-mail.com,inbound,ZZ,Unknown Region,0 -kohls.com,kohls.com,inbound,ZZ,Unknown Region,0 -kongregate.com,kongregate.com,inbound,ZZ,Unknown Region,0 -krs.bz,tricorn.net,inbound,ZZ,Unknown Region,0 -la-meteo-mail.fr,splio.com,inbound,ZZ,Unknown Region,1 -laaptuemail.com,laaptuemail.com,inbound,ZZ,Unknown Region,0 -lakewoodchurch.com,lakewoodchurch.com,inbound,ZZ,Unknown Region,0 -landsend.com,email-landsend.com,inbound,ZZ,Unknown Region,0 -landsend.com,postdirect.com,inbound,ZZ,Unknown Region,0 -laptuinvite.com,laptuinvite.com,inbound,ZZ,Unknown Region,0 -lastminute.com,lastminute.com,inbound,ZZ,Unknown Region,0 -lazerhits.com,lazerhits.com,inbound,ZZ,Unknown Region,1 -leadercontato.com.br,leadercontato.com.br,inbound,ZZ,Unknown Region,0 -lefigaro.fr,splio.com,inbound,ZZ,Unknown Region,1 -lemonde.fr,lemonde.fr,inbound,ZZ,Unknown Region,0 -life360.com,life360.com,inbound,ZZ,Unknown Region,1 -lifecare-news.com,email-lifecare.com,inbound,ZZ,Unknown Region,0 -lifemiles.com,bigfootinteractive.com,inbound,ZZ,Unknown Region,0 -lifescript.com,ilinkmd.com,inbound,ZZ,Unknown Region,0 -line6.com,line6.com,inbound,ZZ,Unknown Region,0 -linkedin.com,linkedin.com,inbound,ZZ,Unknown Region,0.995201 -linkedin.com,postini.com,inbound,ZZ,Unknown Region,0.940251 -liquidation.com,liquidation.com,inbound,ZZ,Unknown Region,0 -listbuildingmaximizer.com,listbuildingmaximizer.com,inbound,ZZ,Unknown Region,0.00023 -live.{...},hotmail.{...},inbound,ZZ,Unknown Region,0.999921 -live.{...},hotmail.{...},outbound,ZZ,Unknown Region,1 -livejournal.com,livejournal.com,inbound,ZZ,Unknown Region,0 -livemailservice.com,livemailservice.com,inbound,ZZ,Unknown Region,0 -livenation.com,exacttarget.com,inbound,ZZ,Unknown Region,0 -lmlmgv.com.br,gvarev.com.br,inbound,ZZ,Unknown Region,0 -loccitane.com,neolane.net,inbound,ZZ,Unknown Region,0 -loft.com,anntaylor.com,inbound,ZZ,Unknown Region,0 -lombardipublishing.com,lombardipublishing.com,inbound,ZZ,Unknown Region,0 -lookout.com,lookout.com,inbound,ZZ,Unknown Region,1 -lsi.com,postini.com,inbound,ZZ,Unknown Region,0.981115 -lynxmail.in,iaires.com,inbound,ZZ,Unknown Region,0 -lyris.net,lyris.net,inbound,ZZ,Unknown Region,0 -m1e.net,m1e.net,inbound,ZZ,Unknown Region,0.000342 -mac.com,icloud.com,outbound,ZZ,Unknown Region,1 -mac.com,mac.com,inbound,ZZ,Unknown Region,1 -macromill.com,macromill.com,inbound,ZZ,Unknown Region,0 -macys.com,macys.com,inbound,ZZ,Unknown Region,0 -magix.net,magix.net,inbound,ZZ,Unknown Region,0.673176 -mail-backcountry.com,email-bcmarketing.com,inbound,ZZ,Unknown Region,0 -mail.ru,mail.ru,inbound,ZZ,Unknown Region,0.986526 -mail.ru,mail.ru,outbound,ZZ,Unknown Region,0.006561 -maileclipse.com,emce2.in,inbound,ZZ,Unknown Region,0 -mailengine1.com,mailengine1.com,inbound,ZZ,Unknown Region,0 -mailer4u.in,elabs10.com,inbound,ZZ,Unknown Region,0 -mailersend.com,mailersend.com,inbound,ZZ,Unknown Region,0 -mailjet.com,mailjet.com,inbound,ZZ,Unknown Region,0.803083 -mailmailmail.net,mailmailmail.net,inbound,ZZ,Unknown Region,0 -mailoct.in,tcmailer14.in,inbound,ZZ,Unknown Region,0 -mailoct1.in,mailoct1.in,inbound,ZZ,Unknown Region,0 -mailoct1.in,myntramail2.in,inbound,ZZ,Unknown Region,0 -mailorama.fr,mailorama.fr,inbound,ZZ,Unknown Region,0 -mailpost.in,iaires.com,inbound,ZZ,Unknown Region,0 -mailquant.com,iaires.com,inbound,ZZ,Unknown Region,0 -mandrillapp.com,backpage.com,inbound,ZZ,Unknown Region,1 -mandrillapp.com,mandrillapp.com,inbound,ZZ,Unknown Region,1 -mandrillapp.com,mcsignup.com,inbound,ZZ,Unknown Region,1 -mandrillapp.com,myjobhelperalerts.com,inbound,ZZ,Unknown Region,1 -mango.com,emstechnology2.net,inbound,ZZ,Unknown Region,0 -manipal.edu,iaires.com,inbound,ZZ,Unknown Region,0 -manta.com,exacttarget.com,inbound,ZZ,Unknown Region,0 -mar0.net,mar0.net,inbound,ZZ,Unknown Region,0.976409 -markavip.com,markavip.com,inbound,ZZ,Unknown Region,0 -marketingstudio.com,marketingstudio.com,inbound,ZZ,Unknown Region,0 -marksandspencer.com,marksandspencer.com,inbound,ZZ,Unknown Region,0 -maropost.com,mp2200.com,inbound,ZZ,Unknown Region,0 -maropost.com,survivallife.com,inbound,ZZ,Unknown Region,0 -marykay.com,marykay.com,inbound,ZZ,Unknown Region,0 -masivapp.com,masivapp.com,inbound,ZZ,Unknown Region,1 -match.com,match.com,inbound,ZZ,Unknown Region,0 -mbga.jp,mbga.jp,inbound,ZZ,Unknown Region,0 -mbna.co.uk,ec-cluster.com,inbound,ZZ,Unknown Region,0 -mcdlv.net,mcdlv.net,inbound,ZZ,Unknown Region,0 -mcsv.net,mcsv.net,inbound,ZZ,Unknown Region,0 -me.com,icloud.com,outbound,ZZ,Unknown Region,1 -me.com,mac.com,inbound,ZZ,Unknown Region,1 -medallia.com,medallia.com,inbound,ZZ,Unknown Region,1 -mediapost.com,mediapost.com,inbound,ZZ,Unknown Region,0 -medium.com,messagebus.com,inbound,ZZ,Unknown Region,0 -medscape.com,medscape.com,inbound,ZZ,Unknown Region,0 -meetup.com,meetup.com,inbound,ZZ,Unknown Region,0 -melaleuca.com,melaleuca.com,inbound,ZZ,Unknown Region,0 -mercadojobs.com,sendgrid.net,inbound,ZZ,Unknown Region,1 -mercadolibre.com,mercadolibre.com,inbound,ZZ,Unknown Region,0 -mercadolivre.com,mercadolibre.com,inbound,ZZ,Unknown Region,0 -merceworld.com,merceworld.com,inbound,ZZ,Unknown Region,0.996737 -merodea.me,sendgrid.net,inbound,ZZ,Unknown Region,1 -metro.co.in,srv2.de,inbound,ZZ,Unknown Region,0.966947 -mgmresorts.com,mgmresorts.com,inbound,ZZ,Unknown Region,0 -microsoft.com,msn.com,inbound,ZZ,Unknown Region,1 -microsoftemail.com,microsoftemail.com,inbound,ZZ,Unknown Region,0 -microsoftemail.com,microsoftstoreemail.com,inbound,ZZ,Unknown Region,0 -mileageplusshoppingnews.com,mail-skymilesshoppingsupport.com,inbound,ZZ,Unknown Region,0 -minhavida.com.br,minhavida.com.br,inbound,ZZ,Unknown Region,0 -mixi.jp,mixi.jp,inbound,ZZ,Unknown Region,0 -mjinn.com,mailurja.com,inbound,ZZ,Unknown Region,0 -mktomail.com,mktdns.com,inbound,ZZ,Unknown Region,0 -mktomail.com,mktomail.com,inbound,ZZ,Unknown Region,0 -mktomail.com,mktroute.com,inbound,ZZ,Unknown Region,0 -mlsend.com,mlsend.com,inbound,ZZ,Unknown Region,0 -mlsend2.com,mlsend2.com,inbound,ZZ,Unknown Region,0 -mlssoccer.com,mlssoccer.com,inbound,ZZ,Unknown Region,0 -mmaco.net,mmaco.net,inbound,ZZ,Unknown Region,0.999998 -mmorpg.com,mmorpg.com,inbound,ZZ,Unknown Region,0.002979 -mocospace.com,mocospace.com,inbound,ZZ,Unknown Region,0 -moneyforward.com,moneyforward.com,inbound,ZZ,Unknown Region,0 -moneysupermarketmail.com,moneysupermarketmail.com,inbound,ZZ,Unknown Region,0 -monografias.com,elistas.net,inbound,ZZ,Unknown Region,0 -monster.com,monster.com,inbound,ZZ,Unknown Region,0.000503 -monsterindia.com,monster.co.in,inbound,ZZ,Unknown Region,0 -mooply.co,mailendo.com,inbound,ZZ,Unknown Region,0 -morningstar.net,morningstar.net,inbound,ZZ,Unknown Region,0 -mothercaregroup.com,neolane.net,inbound,ZZ,Unknown Region,0 -mozilla.org,mozilla.com,inbound,ZZ,Unknown Region,0.633241 -mpse.jp,mpme.jp,inbound,ZZ,Unknown Region,0 -ms00.net,ms00.net,inbound,ZZ,Unknown Region,0 -msdp1.com,msdp1.com,inbound,ZZ,Unknown Region,0 -msn.com,hotmail.{...},inbound,ZZ,Unknown Region,0.999946 -msn.com,hotmail.{...},outbound,ZZ,Unknown Region,1 -musiciansfriend.com,musiciansfriend.com,inbound,ZZ,Unknown Region,0 -mxmfb.com,mxmfb.com,inbound,ZZ,Unknown Region,0 -mycolorscreen.com,mta4.net,inbound,ZZ,Unknown Region,0 -myfitnesspal.com,messagebus.com,inbound,ZZ,Unknown Region,0 -mygroupon.co.th,grouponmail.{...},inbound,ZZ,Unknown Region,0 -myheritage.com,myheritage.com,inbound,ZZ,Unknown Region,0 -myideeli.com,myideeli.com,inbound,ZZ,Unknown Region,0 -myntramail.com,iaires.com,inbound,ZZ,Unknown Region,0 -myntramail.com,myntramail.com,inbound,ZZ,Unknown Region,0 -myntramails.in,icubes.in,inbound,ZZ,Unknown Region,0 -myoutlets.in,trustmailer.com,inbound,ZZ,Unknown Region,0 -mypoints.com,mypoints.com,inbound,ZZ,Unknown Region,0 -mysale.my,mysale.my,inbound,ZZ,Unknown Region,0 -mysale.ph,mysale.ph,inbound,ZZ,Unknown Region,0 -mysupermarket.co.uk,mysupermarket.co.uk,inbound,ZZ,Unknown Region,0 -mysurvey.com,mysurvey.com,inbound,ZZ,Unknown Region,0 -mysurvey.eu,mysurvey.com,inbound,ZZ,Unknown Region,0 -myvegas.com,myvegas.com,inbound,ZZ,Unknown Region,1 -naaptoldeals.com,eccluster.com,inbound,ZZ,Unknown Region,0 -nanomail.com.br,araie.com.br,inbound,ZZ,Unknown Region,1 -nascar.com,nascar.com,inbound,ZZ,Unknown Region,0 -nationbuilder.com,nationbuilder.com,inbound,ZZ,Unknown Region,1 -nationwide-communications.co.uk,nationwide-communications.co.uk,inbound,ZZ,Unknown Region,0 -naukri.com,naukri.com,inbound,ZZ,Unknown Region,0 -navy.mil,navy.mil,inbound,ZZ,Unknown Region,0.000243 -nend.net,postini.com,inbound,ZZ,Unknown Region,0 -netatlantic.com,netatlantic.com,inbound,ZZ,Unknown Region,0.001085 -netflix.com,amazonses.com,inbound,ZZ,Unknown Region,0.999999 -netflix.com,netflix.com,inbound,ZZ,Unknown Region,1 -netlogmail.com,netlogmail.com,inbound,ZZ,Unknown Region,0 -netprosoftmail.com,netprosoftmail.com,inbound,ZZ,Unknown Region,0 -netshoes.com.br,netshoes.com.br,inbound,ZZ,Unknown Region,0 -newegg.com,newegg.com,inbound,ZZ,Unknown Region,2e-06 -newmarkethealth.com,newmarkethealth.com,inbound,ZZ,Unknown Region,0 -news-h5g.com,news-h5g.com,inbound,ZZ,Unknown Region,0 -newsletter-verychic.com,splio.es,inbound,ZZ,Unknown Region,0.9804 -newsmax.com,newsmax.com,inbound,ZZ,Unknown Region,0 -nflshop.com,nflshop.com,inbound,ZZ,Unknown Region,0 -nieuwsblad.be,vummail.be,inbound,ZZ,Unknown Region,0 -nike.com,nike.com,inbound,ZZ,Unknown Region,0 -ninewestmail.com,ninewestmail.com,inbound,ZZ,Unknown Region,0 -nokia.com,nokia.com,inbound,ZZ,Unknown Region,0.001256 -npr.org,npr.org,inbound,ZZ,Unknown Region,0 -ns.nl,tripolis.com,inbound,ZZ,Unknown Region,0 -nsandi.com,mxmfb.com,inbound,ZZ,Unknown Region,0 -nytimes.com,nytimes.com,inbound,ZZ,Unknown Region,0 -nzsale.co.nz,nzsale.co.nz,inbound,ZZ,Unknown Region,0 -oakley.com,oakley.com,inbound,ZZ,Unknown Region,0 -ocmail1.in,tcmail.in,inbound,ZZ,Unknown Region,0 -ocmail14.in,tcmailer5.in,inbound,ZZ,Unknown Region,0 -ocmail22.in,tcmailer15.in,inbound,ZZ,Unknown Region,0 -ocmail22.in,tcmailer4.in,inbound,ZZ,Unknown Region,0 -ocmail40.in,tcmailer15.in,inbound,ZZ,Unknown Region,0 -ocmail40.in,tcmailer4.in,inbound,ZZ,Unknown Region,0 -ocnmail.in,ocmail6.in,inbound,ZZ,Unknown Region,0 -ocnmail.in,tcmail3.in,inbound,ZZ,Unknown Region,0 -ofertasbmc.com.br,ofertasbmc.com.br,inbound,ZZ,Unknown Region,0 -ofertix.com,ofertix.com,inbound,ZZ,Unknown Region,0 -offers.com,offers.com,inbound,ZZ,Unknown Region,1 -officedepot.com,officedepot.com,inbound,ZZ,Unknown Region,0.019269 -officemax.com,officemax.com,inbound,ZZ,Unknown Region,0 -officemax.com,officemaxworkplace.com,inbound,ZZ,Unknown Region,0 -ofsys.com,bulletin-metro.ca,inbound,ZZ,Unknown Region,0 -oknotify2.com,oknotify2.com,inbound,ZZ,Unknown Region,0 -oldnavy.ca,oldnavy.ca,inbound,ZZ,Unknown Region,0 -oldnavy.com,oldnavy.com,inbound,ZZ,Unknown Region,0 -omahasteaks.com,omahasteaks.com,inbound,ZZ,Unknown Region,0 -oneindia.in,mailurja.com,inbound,ZZ,Unknown Region,0 -onekingslane.com,onekingslane.com,inbound,ZZ,Unknown Region,0 -onlive.com,ipost.com,inbound,ZZ,Unknown Region,0 -onmicrosoft.com,outlook.com,inbound,ZZ,Unknown Region,1 -optimusmail.in,iaires.com,inbound,ZZ,Unknown Region,0 -orderscatalog.com,orderscatalog.com,inbound,ZZ,Unknown Region,0 -oroscopofree.com,adsender.us,inbound,ZZ,Unknown Region,0 -os-email.com,os-email.com,inbound,ZZ,Unknown Region,0 -oshkoshbgosh.com,oshkoshbgosh.com,inbound,ZZ,Unknown Region,6e-06 -osu.edu,outlook.com,inbound,ZZ,Unknown Region,1 -otto.de,eccluster.com,inbound,ZZ,Unknown Region,1 -ouffer.com,ouffer.com,inbound,ZZ,Unknown Region,0 -ourtime.com,seniorpeoplemeet.com,inbound,ZZ,Unknown Region,0 -outback.com,outback.com,inbound,ZZ,Unknown Region,0 -outlook.com,hotmail.{...},inbound,ZZ,Unknown Region,0.999843 -outlook.com,hotmail.{...},outbound,ZZ,Unknown Region,1 -outspot.be,teneo.be,inbound,ZZ,Unknown Region,0 -outspot.nl,teneo.be,inbound,ZZ,Unknown Region,0 -ovenmail.com,iaires.com,inbound,ZZ,Unknown Region,0 -overstock.com,overstock.com,inbound,ZZ,Unknown Region,0 -ovh.net,ovh.net,inbound,ZZ,Unknown Region,0.352531 -ozsale.com.au,ozsale.com.au,inbound,ZZ,Unknown Region,0.000192 -panelplace.com,smtp.com,inbound,ZZ,Unknown Region,0 -panerabreadnews.com,panerabreadnews.com,inbound,ZZ,Unknown Region,0 -pantaloondirect.net,iaires.com,inbound,ZZ,Unknown Region,0 -papajohns-specials.com,papajohns-specials.com,inbound,ZZ,Unknown Region,0 -paradisepublishers.com,paradisepublishers.com,inbound,ZZ,Unknown Region,0.99957 -path.com,path.com,inbound,ZZ,Unknown Region,1 -payback.in,eccluster.com,inbound,ZZ,Unknown Region,0 -payback.in,ecm-cluster.com,inbound,ZZ,Unknown Region,0 -payback.in,ecmcluster.com,inbound,ZZ,Unknown Region,0 -paypal.co.uk,paypal.com,inbound,ZZ,Unknown Region,1 -paypal.com,paypal.com,inbound,ZZ,Unknown Region,0.608834 -paypal.com.au,paypal.com,inbound,ZZ,Unknown Region,1 -paypal.de,paypal.com,inbound,ZZ,Unknown Region,1 -pd25.com,pd25.com,inbound,ZZ,Unknown Region,1 -peanuthome.info,adopterc.info,inbound,ZZ,Unknown Region,0 -peanuthome.info,aguitytr.info,inbound,ZZ,Unknown Region,0 -peanuthome.info,bevest.info,inbound,ZZ,Unknown Region,0 -peanuthome.info,bluester.info,inbound,ZZ,Unknown Region,0 -peanuthome.info,burror.info,inbound,ZZ,Unknown Region,0 -peanuthome.info,bursion.info,inbound,ZZ,Unknown Region,0 -peanuthome.info,cantexi.info,inbound,ZZ,Unknown Region,0 -peanuthome.info,caserhi.info,inbound,ZZ,Unknown Region,0 -peanuthome.info,celect.info,inbound,ZZ,Unknown Region,0 -peanuthome.info,chintone.info,inbound,ZZ,Unknown Region,0 -peanuthome.info,citery.info,inbound,ZZ,Unknown Region,0 -peanuthome.info,cleathal.info,inbound,ZZ,Unknown Region,0 -peanuthome.info,coherentrequittal.info,inbound,ZZ,Unknown Region,0 -peanuthome.info,colicom.info,inbound,ZZ,Unknown Region,0 -peanuthome.info,complec.info,inbound,ZZ,Unknown Region,0 -peanuthome.info,cyprinoidkaiserdom.info,inbound,ZZ,Unknown Region,0 -peanuthome.info,deciarc.info,inbound,ZZ,Unknown Region,0 -peanuthome.info,declaws.info,inbound,ZZ,Unknown Region,0 -peanuthome.info,dewest.info,inbound,ZZ,Unknown Region,0 -peanuthome.info,epconce.info,inbound,ZZ,Unknown Region,0 -peanuthome.info,fnotec.info,inbound,ZZ,Unknown Region,0 -peanuthome.info,folkswor.info,inbound,ZZ,Unknown Region,0 -peanuthome.info,forepert.info,inbound,ZZ,Unknown Region,0 -peanuthome.info,gurgaro.info,inbound,ZZ,Unknown Region,0 -peanuthome.info,heallyps.info,inbound,ZZ,Unknown Region,0 -peanuthome.info,holeph.info,inbound,ZZ,Unknown Region,0 -peanuthome.info,homewor.info,inbound,ZZ,Unknown Region,0 -peanuthome.info,hydroni.info,inbound,ZZ,Unknown Region,0 -peanuthome.info,ingenbu.info,inbound,ZZ,Unknown Region,0 -peanuthome.info,kinklybotaurus.info,inbound,ZZ,Unknown Region,0 -peanuthome.info,ninetiethwhiffet.info,inbound,ZZ,Unknown Region,0 -peanuthome.info,unglibshudder.info,inbound,ZZ,Unknown Region,0 -peanutwebmaster.info,adcrent.info,inbound,ZZ,Unknown Region,0 -peanutwebmaster.info,addmiel.info,inbound,ZZ,Unknown Region,0 -peanutwebmaster.info,agilhe.info,inbound,ZZ,Unknown Region,0 -peanutwebmaster.info,allegap.info,inbound,ZZ,Unknown Region,0 -peanutwebmaster.info,andvore.info,inbound,ZZ,Unknown Region,0 -peanutwebmaster.info,angogl.info,inbound,ZZ,Unknown Region,0 -peanutwebmaster.info,animass.info,inbound,ZZ,Unknown Region,0 -peanutwebmaster.info,arettery.info,inbound,ZZ,Unknown Region,0 -peanutwebmaster.info,aribank.info,inbound,ZZ,Unknown Region,0 -peanutwebmaster.info,arkefoc.info,inbound,ZZ,Unknown Region,0 -peanutwebmaster.info,avenog.info,inbound,ZZ,Unknown Region,0 -peanutwebmaster.info,barrave.info,inbound,ZZ,Unknown Region,0 -peanutwebmaster.info,bindowmo.info,inbound,ZZ,Unknown Region,0 -peanutwebmaster.info,bitravit.info,inbound,ZZ,Unknown Region,0 -peanutwebmaster.info,borsand.info,inbound,ZZ,Unknown Region,0 -peanutwebmaster.info,branti.info,inbound,ZZ,Unknown Region,0 -peanutwebmaster.info,breaserp.info,inbound,ZZ,Unknown Region,0 -peanutwebmaster.info,bredogly.info,inbound,ZZ,Unknown Region,0 -peanutwebmaster.info,briantra.info,inbound,ZZ,Unknown Region,0 -peanutwebmaster.info,bridea.info,inbound,ZZ,Unknown Region,0 -peanutwebmaster.info,carial.info,inbound,ZZ,Unknown Region,0 -peanutwebmaster.info,castac.info,inbound,ZZ,Unknown Region,0 -peanutwebmaster.info,chedoner.info,inbound,ZZ,Unknown Region,0 -peanutwebmaster.info,chiquent.info,inbound,ZZ,Unknown Region,0 -peanutwebmaster.info,cinchoi.info,inbound,ZZ,Unknown Region,0 -peanutwebmaster.info,cliate.info,inbound,ZZ,Unknown Region,0 -peanutwebmaster.info,cognn.info,inbound,ZZ,Unknown Region,0 -peanutwebsite.info,abjibbin.info,inbound,ZZ,Unknown Region,0 -peanutwebsite.info,audiette.info,inbound,ZZ,Unknown Region,0 -peanutwebsite.info,blancer.info,inbound,ZZ,Unknown Region,0 -peanutwebsite.info,bluester.info,inbound,ZZ,Unknown Region,0 -peanutwebsite.info,burror.info,inbound,ZZ,Unknown Region,0 -peanutwebsite.info,bursion.info,inbound,ZZ,Unknown Region,0 -peanutwebsite.info,caserhi.info,inbound,ZZ,Unknown Region,0 -peanutwebsite.info,celect.info,inbound,ZZ,Unknown Region,0 -peanutwebsite.info,cleathal.info,inbound,ZZ,Unknown Region,0 -peanutwebsite.info,coherentrequittal.info,inbound,ZZ,Unknown Region,0 -peanutwebsite.info,complec.info,inbound,ZZ,Unknown Region,0 -peanutwebsite.info,condost.info,inbound,ZZ,Unknown Region,0 -peanutwebsite.info,cyprinoidkaiserdom.info,inbound,ZZ,Unknown Region,0 -peanutwebsite.info,deciarc.info,inbound,ZZ,Unknown Region,0 -peanutwebsite.info,declaws.info,inbound,ZZ,Unknown Region,0 -peanutwebsite.info,epconce.info,inbound,ZZ,Unknown Region,0 -peanutwebsite.info,ferrayer.info,inbound,ZZ,Unknown Region,0 -peanutwebsite.info,fnotec.info,inbound,ZZ,Unknown Region,0 -peanutwebsite.info,folkswor.info,inbound,ZZ,Unknown Region,0 -peanutwebsite.info,forepert.info,inbound,ZZ,Unknown Region,0 -peanutwebsite.info,gurgaro.info,inbound,ZZ,Unknown Region,0 -peanutwebsite.info,holeph.info,inbound,ZZ,Unknown Region,0 -peanutwebsite.info,homewor.info,inbound,ZZ,Unknown Region,0 -peanutwebsite.info,hydroni.info,inbound,ZZ,Unknown Region,0 -peanutwebsite.info,ingenbu.info,inbound,ZZ,Unknown Region,0 -peanutwebsite.info,kinklybotaurus.info,inbound,ZZ,Unknown Region,0 -peanutwebsite.info,ninetiethwhiffet.info,inbound,ZZ,Unknown Region,0 -peixeurbano.com.br,peixeurbano.com.br,inbound,ZZ,Unknown Region,0 -pennwell.com,pennwell.com,inbound,ZZ,Unknown Region,0 -perfectworld.com,perfectworld.com,inbound,ZZ,Unknown Region,0 -personare.com.br,personare.com.br,inbound,ZZ,Unknown Region,0 -pge.com,pge.com,inbound,ZZ,Unknown Region,0.149792 -philosophy.com,philosophy.com,inbound,ZZ,Unknown Region,0 -phpclasses.org,phpclasses.org,inbound,ZZ,Unknown Region,0 -pinger.com,pinger.com,inbound,ZZ,Unknown Region,0 -pinterest.com,pinterest.com,inbound,ZZ,Unknown Region,1 -pizzahutoffers.com,pizzahutoffers.com,inbound,ZZ,Unknown Region,0 -playstationmail.net,playstationmail.net,inbound,ZZ,Unknown Region,0 -plumdistrict.com,plumdistrict.com,inbound,ZZ,Unknown Region,1 -politicoemail.com,politicoemail.com,inbound,ZZ,Unknown Region,0 -polyvore.com,polyvore.com,inbound,ZZ,Unknown Region,1 -popsugar.com,popsugar.com,inbound,ZZ,Unknown Region,0 -priceline.com,priceline.com,inbound,ZZ,Unknown Region,1 -princess.com,princess.com,inbound,ZZ,Unknown Region,0 -privoscite.si,privoscite.si,inbound,ZZ,Unknown Region,0 -profitcenteronline.com,groupdealtools.com,inbound,ZZ,Unknown Region,1 -progressive.com,progressive.com,inbound,ZZ,Unknown Region,0.814003 -publix.com,publix.com,inbound,ZZ,Unknown Region,0 -puritan.com,email-nbtyinc.com,inbound,ZZ,Unknown Region,0 -qoinpro.com,qoinpro.com,inbound,ZZ,Unknown Region,1 -qoo10.jp,qoo10.jp,inbound,ZZ,Unknown Region,4e-06 -qoo10.sg,qoo10.co.id,inbound,ZZ,Unknown Region,1.9e-05 -qoo10.sg,qoo10.com,inbound,ZZ,Unknown Region,0 -qoo10.sg,qoo10.my,inbound,ZZ,Unknown Region,2.2e-05 -qoo10.sg,qoo10.sg,inbound,ZZ,Unknown Region,8e-06 -quinstreet.com,neoquin.com,inbound,ZZ,Unknown Region,0 -quora.com,quora.com,inbound,ZZ,Unknown Region,1 -rabota.ua,rabota.ua,inbound,ZZ,Unknown Region,0 -rackroom-email.com,rackroom-email.com,inbound,ZZ,Unknown Region,0 -railcard-daysoutguide.co.uk,railcard-daysoutguide.co.uk,inbound,ZZ,Unknown Region,0 -rakuten.co.jp,rakuten.co.jp,inbound,ZZ,Unknown Region,0 -rakuten.com,rakuten.com,inbound,ZZ,Unknown Region,0 -reactiveadz.com,downlinebuilderdirect.com,inbound,ZZ,Unknown Region,0 -realage-mail.com,postdirect.com,inbound,ZZ,Unknown Region,0 -redbox.com,exacttarget.com,inbound,ZZ,Unknown Region,0 -redcross.org.uk,redcross.org.uk,inbound,ZZ,Unknown Region,0 -rediffmail.com,rediffmail.com,inbound,ZZ,Unknown Region,0 -reebonz.com,reebonz.com,inbound,ZZ,Unknown Region,0.759458 -reed.co.uk,reed.co.uk,inbound,ZZ,Unknown Region,0 -regie11.net,odiso.net,inbound,ZZ,Unknown Region,0 -regionalhelpwanted.com,regionalhelpwanted.com,inbound,ZZ,Unknown Region,1 -registrar-servers.com,registrar-servers.com,inbound,ZZ,Unknown Region,0.05163 -repica.jp,kakaku.com,inbound,ZZ,Unknown Region,0 -repica.jp,repica.jp,inbound,ZZ,Unknown Region,0 -republicwireless.com,republicwireless.com,inbound,ZZ,Unknown Region,0.033564 -retailjobinsider.com,retailjobinsider.com,inbound,ZZ,Unknown Region,0 -retailmenot.com,retailmenot.com,inbound,ZZ,Unknown Region,4.68294583517529e-07 -reverbnation.com,reverbnation.com,inbound,ZZ,Unknown Region,0 -revolutiongolf.com,revolutiongolf.com,inbound,ZZ,Unknown Region,0 -reyrey.net,reyrey.net,inbound,ZZ,Unknown Region,0.999904 -richyrichmailer.com,maddog-productions.info,inbound,ZZ,Unknown Region,1 -rikunabi.com,rikunabi.com,inbound,ZZ,Unknown Region,0 -ringcentral.com,ringcentral.com,inbound,ZZ,Unknown Region,1 -rmtr.de,rapidmail.de,inbound,ZZ,Unknown Region,0 -rnmk.com,rnmk.com,inbound,ZZ,Unknown Region,0 -rockpath.info,rockpath.info,inbound,ZZ,Unknown Region,1 -rogers.com,yahoo.{...},inbound,ZZ,Unknown Region,1 -rogers.com,yahoodns.net,outbound,ZZ,Unknown Region,1 -rookiestewsemails.com,rookiestewsemails.com,inbound,ZZ,Unknown Region,0 -royalcaribbeanmarketing.com,royalcaribbeanmarketing.com,inbound,ZZ,Unknown Region,0 -rpo9usa.email,rpo9usa.email,inbound,ZZ,Unknown Region,0 -rr.com,rr.com,inbound,ZZ,Unknown Region,2e-06 -rr.com,rr.com,outbound,ZZ,Unknown Region,0 -rsgsv.net,rsgsv.net,inbound,ZZ,Unknown Region,0 -rummycirclemails.com,eccluster.com,inbound,ZZ,Unknown Region,0 -runkeeper.com,runkeeper.com,inbound,ZZ,Unknown Region,0 -s3s-br1.net,splio.com.br,inbound,ZZ,Unknown Region,0.908187 -s3s-main.net,splio.com,inbound,ZZ,Unknown Region,0.970428 -s4s-pl1.pl,splio.com,inbound,ZZ,Unknown Region,0.939032 -safe-sender.net,safe-sender.net,inbound,ZZ,Unknown Region,0 -safeway.com,safeway.com,inbound,ZZ,Unknown Region,0.000382 -salesforce.com,postini.com,inbound,ZZ,Unknown Region,0.915635 -salesforce.com,salesforce.com,inbound,ZZ,Unknown Region,0.952721 -samsungusa.com,samsungusa.com,inbound,ZZ,Unknown Region,0 -sanmina-sci.com,postini.com,inbound,ZZ,Unknown Region,0.999991 -sanmina.com,postini.com,inbound,ZZ,Unknown Region,0.999828 -saturday.com,saturday.com,inbound,ZZ,Unknown Region,0 -sbcglobal.net,yahoo.{...},inbound,ZZ,Unknown Region,0.999985 -sears.ca,sears.ca,inbound,ZZ,Unknown Region,0.005447 -searscard.com,searscard.com,inbound,ZZ,Unknown Region,1 -secretescapes.com,secretescapes.com,inbound,ZZ,Unknown Region,0 -secure.ne.jp,secure.ne.jp,inbound,ZZ,Unknown Region,0.000618 -secureserver.net,secureserver.net,inbound,ZZ,Unknown Region,0 -seek.com.au,seek.com.au,inbound,ZZ,Unknown Region,0 -selectacast.net,selectacast.net,inbound,ZZ,Unknown Region,0.000561 -semana.com,semana.com,inbound,ZZ,Unknown Region,0 -sendgrid.info,sendgrid.net,inbound,ZZ,Unknown Region,0.999896 -sendgrid.me,sendgrid.net,inbound,ZZ,Unknown Region,1 -sendpal.in,sendpal.in,inbound,ZZ,Unknown Region,0 -serviciobancomer.com,serviciobancomer.com,inbound,ZZ,Unknown Region,0 -sfid01.com,sfid01.com,inbound,ZZ,Unknown Region,0 -shaadi.com,shaadi.com,inbound,ZZ,Unknown Region,0 -shop2gether.com.br,shop2gether.com.br,inbound,ZZ,Unknown Region,0 -shopjustice.com,shopjustice.com,inbound,ZZ,Unknown Region,0 -shopnineteenmails.in,iaires.com,inbound,ZZ,Unknown Region,0 -shoppersstop.com,shoppersstop.com,inbound,ZZ,Unknown Region,0 -shoprite-email.com,email-mywebgrocer.com,inbound,ZZ,Unknown Region,0 -showingtime.com,showingtime.com,inbound,ZZ,Unknown Region,0 -showroomprive.com,showroomprive.be,inbound,ZZ,Unknown Region,0 -showroomprive.com,showroomprive.nl,inbound,ZZ,Unknown Region,0 -showroomprive.es,showroomprive.es,inbound,ZZ,Unknown Region,0 -showroomprive.it,showroomprive.pt,inbound,ZZ,Unknown Region,0 -showroomprive.pt,showroomprive.co.uk,inbound,ZZ,Unknown Region,0 -shtyle.fm,shtyle.fm,inbound,ZZ,Unknown Region,0 -simplesafelist.com,adminforfree.com,inbound,ZZ,Unknown Region,1 -simpletextadz.com,web-hosting.com,inbound,ZZ,Unknown Region,1 -singsale.com.sg,singsale.com.sg,inbound,ZZ,Unknown Region,0 -skillpages-mailer.com,dynect.net,inbound,ZZ,Unknown Region,0 -skymall.com,skymall.com,inbound,ZZ,Unknown Region,0 -skynet.be,belgacom.be,inbound,ZZ,Unknown Region,0 -skype.com,skype.com,inbound,ZZ,Unknown Region,0 -skyscanner.net,skyscanner.net,inbound,ZZ,Unknown Region,1 -slickdeals.net,slickdeals.net,inbound,ZZ,Unknown Region,0 -slidesharemail.com,slideshare.net,inbound,ZZ,Unknown Region,1 -smartresponder.ru,smartresponder.ru,inbound,ZZ,Unknown Region,1 -snagajob-email.com,snagajob-email.com,inbound,ZZ,Unknown Region,0 -snapdeal.com,snapdeal.com,inbound,ZZ,Unknown Region,0 -socialsex.biz,infinitypersonals.com,inbound,ZZ,Unknown Region,0 -softbank.jp,softbank.jp,outbound,ZZ,Unknown Region,0 -softbank.ne.jp,softbank.ne.jp,inbound,ZZ,Unknown Region,0 -softbank.ne.jp,softbank.ne.jp,outbound,ZZ,Unknown Region,0 -sony.com,sony.com,inbound,ZZ,Unknown Region,0 -sonyrewards.com,sonyrewards.com,inbound,ZZ,Unknown Region,0 -soundcloudmail.com,soundcloudmail.com,inbound,ZZ,Unknown Region,0.999996 -spanishdict.com,spanishdict.com,inbound,ZZ,Unknown Region,0 -sparklist.com,sparklist.com,inbound,ZZ,Unknown Region,0 -spartoo.com,spartoo.com,inbound,ZZ,Unknown Region,0 -speedyrewards-email.com,speedyrewards-email.com,inbound,ZZ,Unknown Region,0 -spotifymail.com,spotifymail.com,inbound,ZZ,Unknown Region,1 -ssgadm.com,ssg.com,inbound,ZZ,Unknown Region,0 -staffeazymailers.com,iaires.com,inbound,ZZ,Unknown Region,0 -stakemail.com,iaires.com,inbound,ZZ,Unknown Region,0 -stampmail.in,iaires.com,inbound,ZZ,Unknown Region,0 -standaard.be,vummail.be,inbound,ZZ,Unknown Region,0 -stansberryresearch.com,stansberry-re.net,inbound,ZZ,Unknown Region,0 -stansberryresearch.com,stansberryresearch.com,inbound,ZZ,Unknown Region,0 -staples.co.uk,ncrwebhost.de,inbound,ZZ,Unknown Region,0 -starsports.com,eccluster.com,inbound,ZZ,Unknown Region,0 -startwire.com,jobsreport.com,inbound,ZZ,Unknown Region,1 -starwoodhotels.com,outlook.com,inbound,ZZ,Unknown Region,1 -state-of-the-art-mailer.com,futurebanners.net,inbound,ZZ,Unknown Region,0 -stayfriends.de,stayfriends.de,inbound,ZZ,Unknown Region,0 -steampowered.com,steampowered.com,inbound,ZZ,Unknown Region,1 -stelladot.com,stelladot.com,inbound,ZZ,Unknown Region,0 -stjobs.sg,st701.com,inbound,ZZ,Unknown Region,1 -stjude.org,stjude.org,inbound,ZZ,Unknown Region,0.006723 -strava.com,strava.com,inbound,ZZ,Unknown Region,1 -streeteasy.com,streeteasy.com,inbound,ZZ,Unknown Region,0 -stylecareers.com,stylecareers.com,inbound,ZZ,Unknown Region,0 -subtend.info,subtend.info,inbound,ZZ,Unknown Region,1 -subway.com,subway.com,inbound,ZZ,Unknown Region,0 -surveyspot.com,ssisurveys.com,inbound,ZZ,Unknown Region,0 -sweepstakesalerts.com,sweepstakesalerts.com,inbound,ZZ,Unknown Region,0 -swimoutlet.com,isport.com,inbound,ZZ,Unknown Region,0 -sympatico.ca,hotmail.{...},inbound,ZZ,Unknown Region,1 -synchronyfinancial.com,bigfootinteractive.com,inbound,ZZ,Unknown Region,0 -tadtopmails.com,tadtopmails.com,inbound,ZZ,Unknown Region,0 -taishinbank.com.tw,taishinbank.com.tw,inbound,ZZ,Unknown Region,0 -take2games.com,take2games.com,inbound,ZZ,Unknown Region,0 -talkmatch.com,talkmatch.com,inbound,ZZ,Unknown Region,0 -tanga.com,tanga.com,inbound,ZZ,Unknown Region,0 -tanningmail.com,tanningmail.com,inbound,ZZ,Unknown Region,0 -tappingsolutionemail.com,tappingsolutionemail.com,inbound,ZZ,Unknown Region,0 -target.com,bigfootinteractive.com,inbound,ZZ,Unknown Region,0 -tasteofhome.com,tasteofhome.com,inbound,ZZ,Unknown Region,0 -tchibo.com.tr,euromsg.net,inbound,ZZ,Unknown Region,0 -teambuymail.com,teambuymail.com,inbound,ZZ,Unknown Region,0 -teamsnap.com,teamsnap.com,inbound,ZZ,Unknown Region,1 -technolutions.net,technolutions.net,inbound,ZZ,Unknown Region,1 -telegraph.co.uk,telegraph.co.uk,inbound,ZZ,Unknown Region,0 -telus.com,telus.com,inbound,ZZ,Unknown Region,0 -templeandwebster.com.au,templeandwebster.com.au,inbound,ZZ,Unknown Region,0 -texasjobdepartment.com,texasjobdepartment.com,inbound,ZZ,Unknown Region,0 -thebodyshop-usa.com,email-bodyshop.com,inbound,ZZ,Unknown Region,0 -thebodyshop-usa.com,postdirect.com,inbound,ZZ,Unknown Region,0 -thecarousell.com,thecarousell.com,inbound,ZZ,Unknown Region,1 -theguardian.com,theguardian.com,inbound,ZZ,Unknown Region,0 -thepamperedchef.com,thepamperedchef.com,inbound,ZZ,Unknown Region,0 -thephonehouse.es,splio.com,inbound,ZZ,Unknown Region,0.983578 -thephonehouse.es,splio.es,inbound,ZZ,Unknown Region,0.983266 -therealreal.com,email-realreal.com,inbound,ZZ,Unknown Region,0 -thesource.ca,thesource.ca,inbound,ZZ,Unknown Region,0 -thewarehouse.co.nz,thewarehouse.co.nz,inbound,ZZ,Unknown Region,0 -thinkgeek.com,thinkgeek.com,inbound,ZZ,Unknown Region,1e-06 -thirtyonegifts.com,thirtyonegifts.com,inbound,ZZ,Unknown Region,0 -thomascook.com,eccluster.com,inbound,ZZ,Unknown Region,0 -ticketmaster.com,ticketmaster.com,inbound,ZZ,Unknown Region,0.001001 -ticketmasterbiletix.com,ticketmasterbiletix.com,inbound,ZZ,Unknown Region,0 -timehop.com,timehop.com,inbound,ZZ,Unknown Region,1 -timeout.com,ec-cluster.com,inbound,ZZ,Unknown Region,0 -timewarnercable.com,bigfootinteractive.com,inbound,ZZ,Unknown Region,0 -tinyletterapp.com,tinyletterapp.com,inbound,ZZ,Unknown Region,0 -tobi.com,messagebus.com,inbound,ZZ,Unknown Region,0 -topface.com,topface.com,inbound,ZZ,Unknown Region,1e-06 -topica.com,topica-silver-y.com,inbound,ZZ,Unknown Region,0 -topqpon.si,topqpon.si,inbound,ZZ,Unknown Region,0 -touchbase2.com,mailurja.com,inbound,ZZ,Unknown Region,0 -townnews-mail.com,townnews-mail.com,inbound,ZZ,Unknown Region,0 -trabajar.com,trabajo.org,inbound,ZZ,Unknown Region,0.999997 -trabalhar.com,trabajo.org,inbound,ZZ,Unknown Region,0.999994 -tradeloop.com,tradeloop.com,inbound,ZZ,Unknown Region,1 -trafficwave.net,trafficwave.net,inbound,ZZ,Unknown Region,0 -transittraveljobinsider.com,transittraveljobinsider.com,inbound,ZZ,Unknown Region,0 -transportexchangegroup.com,transportexchangegroup.com,inbound,ZZ,Unknown Region,0.998825 -travelchannel.com,travelchannel.com,inbound,ZZ,Unknown Region,0 -travelocity.com,travelocity.com,inbound,ZZ,Unknown Region,0.000195 -travelzoo.com,travelzoo.com,inbound,ZZ,Unknown Region,0 -trclient.com,trclient.com,inbound,ZZ,Unknown Region,0 -trello.com,mandrillapp.com,inbound,ZZ,Unknown Region,1 -triongames.com,triongames.com,inbound,ZZ,Unknown Region,0.085718 -tripadvisor.com,tripadvisor.com,inbound,ZZ,Unknown Region,0.000588 -tripolis.com,tripolis.com,inbound,ZZ,Unknown Region,0 -trulia.com,trulia.com,inbound,ZZ,Unknown Region,0 -tsmmail.com,tsmmail.com,inbound,ZZ,Unknown Region,0 -tumblr.com,tumblr.com,inbound,ZZ,Unknown Region,1 -turbine.com,turbine.com,inbound,ZZ,Unknown Region,0 -turner.com,cnn.com,inbound,ZZ,Unknown Region,0 -twe-safelist.com,adminforfree.com,inbound,ZZ,Unknown Region,1 -twitter.com,twitter.com,inbound,ZZ,Unknown Region,0.999969 -twoomail.com,netlogmail.com,inbound,ZZ,Unknown Region,0 -ubivox.com,ubivox.com,inbound,ZZ,Unknown Region,0.964085 -uga.edu,outlook.com,inbound,ZZ,Unknown Region,1 -uhcmedicaresolutions.com,uhcmedicaresolutions.com,inbound,ZZ,Unknown Region,0 -ulta.com,exacttarget.com,inbound,ZZ,Unknown Region,0 -ulta.com,ulta.com,inbound,ZZ,Unknown Region,0 -uniqlo-usa.com,uniqlo-usa.com,inbound,ZZ,Unknown Region,0 -unitedrepublic.org,unitedrepublic.org,inbound,ZZ,Unknown Region,1 -unosinsidersclub.com,unosinsidersclub.com,inbound,ZZ,Unknown Region,0 -urx.com.br,urx.com.br,inbound,ZZ,Unknown Region,0 -usaa.com,usaa.com,inbound,ZZ,Unknown Region,0.999997 -usahockey-email.com,usahockey-email.com,inbound,ZZ,Unknown Region,0 -usndr.com,usndr.com,inbound,ZZ,Unknown Region,1 -usx.com.br,uqx.com.br,inbound,ZZ,Unknown Region,0 -usx.com.br,usx.com.br,inbound,ZZ,Unknown Region,0 -usx.com.br,utx.com.br,inbound,ZZ,Unknown Region,0 -utilitiesjobinsider.com,utilitiesjobinsider.com,inbound,ZZ,Unknown Region,0 -utx.com.br,utx.com.br,inbound,ZZ,Unknown Region,0 -uvarosa.com.br,uvarosa.com.br,inbound,ZZ,Unknown Region,0 -vakifbank.com.tr,vakifbank.com.tr,inbound,ZZ,Unknown Region,1 -vd.nl,emsecure.net,inbound,ZZ,Unknown Region,0 -venca.es,eccluster.com,inbound,ZZ,Unknown Region,0 -verizon.com,verizon.com,inbound,ZZ,Unknown Region,0.999816 -vfoutletvip.com,vfoutletvip.com,inbound,ZZ,Unknown Region,0 -vicinity.nl,picsrv.net,inbound,ZZ,Unknown Region,0.022107 -vietcombank.com.vn,vietcombank.com.vn,inbound,ZZ,Unknown Region,1 -viralsender.com,viralsender.com,inbound,ZZ,Unknown Region,0 -vistaprint.com,vistaprint.com,inbound,ZZ,Unknown Region,0 -vistaprint.com.au,vistaprint.com.au,inbound,ZZ,Unknown Region,0 -vitaminworld.com,email-nbtyinc.com,inbound,ZZ,Unknown Region,0 -vk.com,vkontakte.ru,inbound,ZZ,Unknown Region,0 -vocus.com,vocus.com,inbound,ZZ,Unknown Region,0 -vovici.com,vovici.com,inbound,ZZ,Unknown Region,0 -vresp.com,verticalresponse.com,inbound,ZZ,Unknown Region,0 -vudu.com,vudu.com,inbound,ZZ,Unknown Region,0 -walmart.ca,walmart.ca,inbound,ZZ,Unknown Region,0 -walmart.com,walmart.com,inbound,ZZ,Unknown Region,0.315059 -warehouselogisticsjobinsider.com,warehouselogisticsjobinsider.com,inbound,ZZ,Unknown Region,0 -way2sms.biz,way2sms.biz,inbound,ZZ,Unknown Region,0 -way2sms.in,way2sms.in,inbound,ZZ,Unknown Region,0 -way2smsemail.com,way2smsemail.com,inbound,ZZ,Unknown Region,0 -way2smsemails.com,way2smsemails.com,inbound,ZZ,Unknown Region,0 -way2smsmail.in,way2smsmail.in,inbound,ZZ,Unknown Region,0 -way2smsmails.com,way2smsmails.com,inbound,ZZ,Unknown Region,0 -wealthyaffiliate.com,wealthyaffiliate.com,inbound,ZZ,Unknown Region,1 -webmd.com,webmd.com,inbound,ZZ,Unknown Region,0 -wegottickets.com,wegottickets.com,inbound,ZZ,Unknown Region,0 -weheartit.com,weheartit.com,inbound,ZZ,Unknown Region,1 -wehkamp.nl,wehkamp.nl,inbound,ZZ,Unknown Region,0 -wellsfargo.com,wellsfargo.com,inbound,ZZ,Unknown Region,1 -wemakeprice.com,wemakeprice.com,inbound,ZZ,Unknown Region,0 -westwing.com.br,cust-cluster.com,inbound,ZZ,Unknown Region,0 -westwing.es,ecm-cluster.com,inbound,ZZ,Unknown Region,0 -westwing.ru,ecm-cluster.com,inbound,ZZ,Unknown Region,0 -wgbh.org,wgbh.org,inbound,ZZ,Unknown Region,0 -whaakky.com,whaakky.com,inbound,ZZ,Unknown Region,0 -whereareyounow.com,wayn.net,inbound,ZZ,Unknown Region,0 -whitehouse.gov,whitehouse.gov,inbound,ZZ,Unknown Region,0 -whitelabelpros.com,whitelabelpros.com,inbound,ZZ,Unknown Region,0 -wikia.com,wikia.com,inbound,ZZ,Unknown Region,0.289222 -wisdomitservices.com,infimail.com,inbound,ZZ,Unknown Region,0 -wolfmedia.us,wolfmedia.us,inbound,ZZ,Unknown Region,0 -wordfly.com,wordfly.com,inbound,ZZ,Unknown Region,0 -workhunter.net,workhunter.net,inbound,ZZ,Unknown Region,1 -worldwinner.com,worldwinner.com,inbound,ZZ,Unknown Region,0 -wowcher.co.uk,wowcher.co.uk,inbound,ZZ,Unknown Region,0 -wp.com,wordpress.com,inbound,ZZ,Unknown Region,0 -wpengine.com,wpengine.com,inbound,ZZ,Unknown Region,1 -writers-community.com,writers-community.com,inbound,ZZ,Unknown Region,0 -writersstore.com,writersstore.com,inbound,ZZ,Unknown Region,0 -wsjemail.com,wsjemail.com,inbound,ZZ,Unknown Region,0 -wyndhamhotelgroup.com,wyndhamhotelgroup.com,inbound,ZZ,Unknown Region,0 -xbox.com,xbox.com,inbound,ZZ,Unknown Region,0 -xcelenergy-emailnews.com,xcelenergy-emailnews.com,inbound,ZZ,Unknown Region,0 -xing.com,xing.com,inbound,ZZ,Unknown Region,0 -xxxconnect.com,infinitypersonals.com,inbound,ZZ,Unknown Region,0 -yahoo-inc.com,yahoo.{...},inbound,ZZ,Unknown Region,1 -yahoo.{...},yahoo.{...},inbound,ZZ,Unknown Region,0.999989 -yahoo.{...},yahoodns.net,outbound,ZZ,Unknown Region,1 -yahoogroups.com,yahoodns.net,outbound,ZZ,Unknown Region,1 -yammer.com,yammer.com,inbound,ZZ,Unknown Region,1 -yapikredi.com.tr,yapikredi.com.tr,inbound,ZZ,Unknown Region,1 -yapstone.com,yapstone.com,inbound,ZZ,Unknown Region,0 -yesbank.in,yesbank.in,inbound,ZZ,Unknown Region,0 -yipit.com,yipit.com,inbound,ZZ,Unknown Region,1 -ymail.com,yahoo.{...},inbound,ZZ,Unknown Region,1 -ymail.com,yahoodns.net,outbound,ZZ,Unknown Region,1 -youravon.com,email-avonglobal.com,inbound,ZZ,Unknown Region,0 -yournewsletters.net,everydayhealth.com,inbound,ZZ,Unknown Region,0 -youversion.com,youversion.com,inbound,ZZ,Unknown Region,1 -zappos.com,zappos.com,inbound,ZZ,Unknown Region,0.625377 -zattoo.com,sendnode.com,inbound,ZZ,Unknown Region,0 -zelonews.com.br,zelonews.com.br,inbound,ZZ,Unknown Region,0 -zendesk.com,zdsys.com,inbound,ZZ,Unknown Region,1 -zibmail.info,zibmail.info,inbound,ZZ,Unknown Region,0 -zillow.com,zillow.com,inbound,ZZ,Unknown Region,2.82543102656668e-07 -zinio.net,zinio.com,inbound,ZZ,Unknown Region,1 -zipalerts.com,sendgrid.net,inbound,ZZ,Unknown Region,1 -zipalerts.com,zipalerts.com,inbound,ZZ,Unknown Region,1 -zlavadna.sk,zlavadna.sk,inbound,ZZ,Unknown Region,0 -zoom.com.br,zoom.com.br,inbound,ZZ,Unknown Region,0 -zoominternet.net,synacor.com,inbound,ZZ,Unknown Region,0 -zoosk.com,zoosk.com,inbound,ZZ,Unknown Region,0 -zorpia.com,zorpia.com,inbound,ZZ,Unknown Region,0.520147 -zovifashion.com,eccluster.com,inbound,ZZ,Unknown Region,0 -zyngamail.com,zyngamail.com,inbound,ZZ,Unknown Region,0 \ No newline at end of file diff --git a/tools/CheckSTARTTLS.py b/tools/CheckSTARTTLS.py deleted file mode 100755 index ef0bf2e5c..000000000 --- a/tools/CheckSTARTTLS.py +++ /dev/null @@ -1,191 +0,0 @@ -#!/usr/bin/env python -import sys -import os -import errno -import smtplib -import socket -import subprocess -import re -import json -import collections - -import dns.resolver -from M2Crypto import X509 -from publicsuffix import PublicSuffixList - -public_suffix_list = PublicSuffixList() -CERTS_OBSERVED = 'certs-observed' - -def mkdirp(path): - try: - os.makedirs(path) - except OSError as exc: - if exc.errno == errno.EEXIST and os.path.isdir(path): - pass - else: raise - -def extract_names(pem): - """Return a set of DNS subject names from PEM-encoded leaf cert.""" - leaf = X509.load_cert_string(pem, X509.FORMAT_PEM) - - subj = leaf.get_subject() - # Certs have a "subject" identified by a Distingushed Name (DN). - # Host certs should also have a Common Name (CN) with a DNS name. - common_names = subj.get_entries_by_nid(subj.nid['CN']) - common_names = [name.get_data().as_text() for name in common_names] - try: - # The SAN extension allows one cert to cover multiple domains - # and permits DNS wildcards. - # http://www.digicert.com/subject-alternative-name.htm - # The field is a comma delimited list, e.g.: - # >>> twitter_cert.get_ext('subjectAltName').get_value() - # 'DNS:www.twitter.com, DNS:twitter.com' - alt_names = leaf.get_ext('subjectAltName').get_value() - alt_names = alt_names.split(', ') - alt_names = [name.partition(':') for name in alt_names] - alt_names = [name for prot, _, name in alt_names if prot == 'DNS'] - except: - alt_names = [] - return set(common_names + alt_names) - -def tls_connect(mx_host, mail_domain): - """Attempt a STARTTLS connection with openssl and save the output.""" - if supports_starttls(mx_host): - # smtplib doesn't let us access certificate information, - # so shell out to openssl. - try: - output = subprocess.check_output( - """openssl s_client \ - -starttls smtp -connect %s:25 -showcerts /dev/null - """ % mx_host, shell = True) - except subprocess.CalledProcessError: - print "Failed s_client" - return - - # Save a copy of the certificate for later analysis - with open(os.path.join(CERTS_OBSERVED, mail_domain, mx_host), "w") as f: - f.write(output) - -def valid_cert(filename): - """Return true if the certificate is valid. - - Note: CApath must have hashed symlinks to the trust roots. - TODO: Include the -attime flag based on file modification time.""" - - if open(filename).read().find("-----BEGIN CERTIFICATE-----") == -1: - return False - try: - # The file contains both the leaf cert and any intermediates, so we pass it - # as both the cert to validate and as the "untrusted" chain. - output = subprocess.check_output("""openssl verify -CApath /home/jsha/mozilla/ -purpose sslserver \ - -untrusted "%s" \ - "%s" - """ % (filename, filename), shell = True) - return True - except subprocess.CalledProcessError: - return False - -def check_certs(mail_domain): - """ - Return "" if any certs for any mx domains pointed to by mail_domain - were invalid, and a public suffix for one if they were all valid - """ - dir = os.path.join(CERTS_OBSERVED, mail_domain) - if not os.path.exists(dir): - collect(mail_domain) - names = set() - for mx_hostname in os.listdir(dir): - filename = os.path.join(dir, mx_hostname) - if not valid_cert(filename): - return "" - else: - new_names = extract_names_from_openssl_output(filename) - new_names = set(public_suffix_list.get_public_suffix(n) for n in new_names) - names.update(new_names) - if len(names) >= 1: - # Hack: Just pick an arbitrary suffix for now. Do something cleverer later. - return names.pop() - else: - return "" - -def common_suffix(hosts): - num_components = min(len(h.split(".")) for h in hosts) - longest_suffix = "" - for i in range(1, num_components + 1): - suffixes = set(".".join(h.split(".")[-i:]) for h in hosts) - if len(suffixes) == 1: - longest_suffix = suffixes.pop() - else: - return longest_suffix - return longest_suffix - -def extract_names_from_openssl_output(certificates_file): - openssl_output = open(certificates_file, "r").read() - cert = re.findall("-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", openssl_output, flags = re.DOTALL) - return extract_names(cert[0]) - -def supports_starttls(mx_host): - try: - smtpserver = smtplib.SMTP(mx_host, 25, timeout = 2) - smtpserver.ehlo() - smtpserver.starttls() - return True - print "Success: %s" % mx_host - except socket.error as e: - print "Connection to %s failed: %s" % (mx_host, e.strerror) - return False - except smtplib.SMTPException, e: - # In order to talk to some hosts, you need to run this from a host that has a - # reverse DNS entry. AWS instances all have reverse DNS, as an example. - if e[0] == 554: - print e[1] - else: - print "No STARTTLS support on %s" % mx_host, e[0] - return False - -def min_tls_version(mail_domain): - protocols = [] - for mx_hostname in os.listdir(os.path.join(CERTS_OBSERVED, mail_domain)): - filename = os.path.join(CERTS_OBSERVED, mail_domain, mx_hostname) - contents = open(filename).read() - protocol = re.findall("Protocol : (.*)", contents)[0] - protocols.append(protocol) - return min(protocols) - -def collect(mail_domain): - """ - Attempt to connect to each MX hostname for mail_doman and negotiate STARTTLS. - Store the output in a directory with the same name as mail_domain to make - subsequent analysis faster. - """ - print "Checking domain %s" % mail_domain - mkdirp(os.path.join(CERTS_OBSERVED, mail_domain)) - answers = dns.resolver.query(mail_domain, 'MX') - for rdata in answers: - mx_host = str(rdata.exchange).rstrip(".") - tls_connect(mx_host, mail_domain) - -if __name__ == '__main__': - """Consume a target list of domains and output a configuration file for those domains.""" - if len(sys.argv) < 2: - print("Usage: CheckSTARTTLS.py list-of-domains.txt > output.json") - - config = collections.defaultdict(dict) - - for input in sys.argv[1:]: - for domain in open(input).readlines(): - domain = domain.strip() - suffix = check_certs(domain) - if suffix != "": - min_version = min_tls_version(domain) - suffix_match = "." + suffix - config["acceptable-mxs"][domain] = { - "accept-mx-domains": [suffix_match] - } - config["tls-policies"][suffix_match] = { - "require-tls": True, - "min-tls-version": min_version - } - - print json.dumps(config, indent=2, sort_keys=True) diff --git a/tools/ProcessGoogleSTARTTLSDomains.py b/tools/ProcessGoogleSTARTTLSDomains.py deleted file mode 100755 index 815ec5d4e..000000000 --- a/tools/ProcessGoogleSTARTTLSDomains.py +++ /dev/null @@ -1,34 +0,0 @@ -#!/usr/bin/env python -""" -Process Google's TLS delivery data from -https://www.google.com/transparencyreport/saferemail/data/?hl=en -to look for outbound domains that can negotiate an encrypted -connection >99% of the time. - -Usage: - ./ProcessGoogleSTARTTLSDomains.py google-starttls-domains.csv -""" -import csv -import codecs -import sys -from collections import defaultdict - -csvreader = csv.reader(codecs.open(sys.argv[1], "rU", "utf-8"), delimiter=',', quotechar='"') -d = defaultdict(set) -# Google's report doesn't include gmail.com because it's local delivery, but we -# know they support STARTTLS, so manually include them. -d["gmail.com"] = set([1]) -for (address_suffix, hostname_suffix, direction, region, region_name, fraction_encrypted) in csvreader: - if direction == "outbound": - # Some domains exist in many TLDs and are summarized as, e.g. yahoo.{...}. - # We're tryingto get a solid list of the relevant TLDs, but in the meantime - # just use .com. - address_suffix = address_suffix.replace("{...}", "com") - try: - d[address_suffix].add(float(fraction_encrypted)) - except ValueError: - pass - -for address_suffix, fraction_encrypted in d.iteritems(): - if min(fraction_encrypted) >= 0.99: - print address_suffix diff --git a/vagrant-bootstrap.sh b/vagrant-bootstrap.sh deleted file mode 100755 index 82622edea..000000000 --- a/vagrant-bootstrap.sh +++ /dev/null @@ -1,31 +0,0 @@ -#!/usr/bin/env bash - -export DEBIAN_FRONTEND=noninteractive - -apt-get update -q -apt-get install -q -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" \ - postfix dnsmasq mutt vim - -# Provide hostnames so the boxes can talk to each other. DNSMasq will also serve -# results to each box based on these contents. -cat >> /etc/hosts < /etc/dnsmasq.conf -# Not sure why restart is necessary, but otherwise dnsmasq doesn't use -# /etc/hosts to answer queries. -/etc/init.d/dnsmasq restart - -if [ "`hostname`" = "sender" ]; then - (while sleep 10; do - echo -e 'Subject: hi\n\nhi' | sendmail vagrant@valid-example-recipient.com - done) & - #ln -sf "/vagrant/postfix-config-sender-tls_policy.cf" /etc/postfix/tls_policy -fi - -#ln -sf "/vagrant/postfix-config-`hostname`.cf" /etc/postfix/main.cf -#ln -sf "/vagrant/certificates" /etc/certificates -postfix reload diff --git a/vagrant-shared/certificates/ca.crt b/vagrant-shared/certificates/ca.crt deleted file mode 100644 index dce966d32..000000000 --- a/vagrant-shared/certificates/ca.crt +++ /dev/null @@ -1,22 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDmzCCAoOgAwIBAgIJAIheS+k2UDobMA0GCSqGSIb3DQEBBQUAMGQxCzAJBgNV -BAYTAlVTMQswCQYDVQQIDAJDQTELMAkGA1UEBwwCU0YxDDAKBgNVBAoMA0VGRjEt -MCsGA1UECwwkU1RBUlRUTFMgRXZlcnl3aGVyZSB0ZXN0IGNlcnRpZmljYXRlMB4X -DTE0MDYxMDE4MDg0OVoXDTE5MDYxMDE4MDg1MFowZDELMAkGA1UEBhMCVVMxCzAJ -BgNVBAgMAkNBMQswCQYDVQQHDAJTRjEMMAoGA1UECgwDRUZGMS0wKwYDVQQLDCRT -VEFSVFRMUyBFdmVyeXdoZXJlIHRlc3QgY2VydGlmaWNhdGUwggEiMA0GCSqGSIb3 -DQEBAQUAA4IBDwAwggEKAoIBAQDDYmUQUjaX6L3n9fNks2yQUFhKUBR1NYenx3w2 -DnaZiwpLzI3igJPMQfBdyJGLM1jXZZcpvpgt6yN4OMOLNS2QKBY20gDoQIh0Jmaj -KCoXUbX30H1FfTn+pyU02UpuFsFN3TAk5bQ/BQUYOlMouCowyZ25mnEzzHLeRHKH -Gi2uCH59T53rcgDwjq88pKMVUlndixkOKpeXZkTL++Edg0b5SUpRuzMs6kFmwLoQ -x4xG5lgaAHyu2/9KXhcqielE95s5FNGfi9U2q3nkmpa4dM266DWfkibfvCBP3hiO -Ks+IN+Hyohi2SY7NoDN6hMKcuUNlAK/xD+foA4Ck3R45HII3AgMBAAGjUDBOMB0G -A1UdDgQWBBRPlrBeFMPb27oWESmXykOW1XWLLDAfBgNVHSMEGDAWgBRPlrBeFMPb -27oWESmXykOW1XWLLDAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBY -lBQEuRKo927jJFzgvdTKJGIAzxBnC5vg+qKeZkduwxeVEwB13HPP1syvdpAK5dkl -JGuHCF/Yc39HX1OZv7huVRMnyrSKpMt25uqUHirH6Db17HRCS4ZA6rARJfxS6RWu -J31lfXvGRr0hI4yw3XpKGM/c8Gkzji6PsYn4TCPnXjJbRj1GjHFaAuIeyoO0zQjo -OuHnzxs4bIDaV32NHNetuDKSO1GNbenxRiiN1HvQ1vfhzpqerRRaPCHrW4eUcynQ -AAeuC+Ek925t9mH7Ni/kZ0eN7XUwvg3c2lm+LeV+ICP+NWv9r92kfXDZNMhlhNsf -Y8+m1Y9WL3CLj99voNQS ------END CERTIFICATE----- diff --git a/vagrant-shared/certificates/ca.key b/vagrant-shared/certificates/ca.key deleted file mode 100644 index 3ebf4159e..000000000 --- a/vagrant-shared/certificates/ca.key +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEAw2JlEFI2l+i95/XzZLNskFBYSlAUdTWHp8d8Ng52mYsKS8yN -4oCTzEHwXciRizNY12WXKb6YLesjeDjDizUtkCgWNtIA6ECIdCZmoygqF1G199B9 -RX05/qclNNlKbhbBTd0wJOW0PwUFGDpTKLgqMMmduZpxM8xy3kRyhxotrgh+fU+d -63IA8I6vPKSjFVJZ3YsZDiqXl2ZEy/vhHYNG+UlKUbszLOpBZsC6EMeMRuZYGgB8 -rtv/Sl4XKonpRPebORTRn4vVNqt55JqWuHTNuug1n5Im37wgT94YjirPiDfh8qIY -tkmOzaAzeoTCnLlDZQCv8Q/n6AOApN0eORyCNwIDAQABAoIBAQCwNXASDSNBU1zZ -8v3kZtDVQjCuLJSWtIU4cnd6RQb/KN9LRxr7GJyyzREbc4SXduJ7uBphQov6daMS -jJcGWBpUdWK7ZB//Vhv6LJvKL7HuP/oNmhEwd2SzXkj25bTznkANmhsOW794Sm2y -0P8orRcX0u0Vc8z+Ozepby+e2qQx29FXznberRv2rXmMeeQqF+sc2MBu34SlcLnK -KVSe7SmDc+DhWJ3XiPoEpiOTbv4EynndXC85owdse/eN/EahFtrfzqm6jDWVga8A -xA/7RD/Urc2L2IsZOB92xOk/tGs5Df8ZrHavzbSo+i0pzYAKvIxr+G2Krl1Tl/Lh -IXwjWPLZAoGBAOsbdxeZUHH6pk497ICIcmW/NDhAY/mSA6vBWZWLcYF7OU/wMzZ6 -Wlx9v6oz8tBTzQj/Xkpv0ZLIeQqGTuSQzQ7EcrOiTz4PIpM5y/nf/S0oSXwJ7mJw -Sx8w3XHqHEPCT9G83o7EV7xHuRy8/zQzJ9dkFxznA9sRcO7RhE/tsrMNAoGBANS/ -Ql140oyDqyABIlxswyvfJ8Ll4kmb52yNGaCJPSfrAVmSoN15AkbDkpVKFb6hsL6u -xqVPyeVxard4twddrV3GSvTibkGw4fZ8x0FDgDGvCgJ36e4NHb7jQVwwGfNXKMAP -qvYtnE28eAM+zrDHryEhgp4k59zApphr+IU7JQlTAoGAc1h5ODm+rvzTBMX6tyC6 -R1Lkcsicg//wDx8ALY9JM8ZZ2u80oQCsPn5vPzjXYwAKMuTexNRRVJtITzKPmDG2 -eQ1GXP0/tWnFg8eyXDhZRQNj8hgJPYBsSrQ1oMLD9TZq5LKt2gtYJAZoOkI7Tsfe -Px1a/ZIVYTAQYQqnyHMM3i0CgYAQNirWeJiCwJ3PqIZ3yInu0+hxv5bIySqPaQkk -5JBWdF/79WJwvgHgZpLK8YRKrIONZEAa5MObylK5fGdmFktZs/yOQJrqQpJVeBiu -7nfcUVxP59dZnoI/w419euTfWCrwx8DdVYhtnAkBJk4VxoGf4q/TYTiR59RKFSAw -9trRpQKBgDjFQ9mXJUUKoc61P3PIrSYOlnx89c0sznrwm2eeLLAwr/VQ+vNDGRkC -6kXbVLuTxRaFnLSZTlUd0nSXPbJEM5GII48zbGZ7t/ysPtA9390xk1efTO/ryf/j -pn4FBvpgXaneRs4ExyknLgFfJRUEu17fRbyRPZr0bUlTkKg/ZS5M ------END RSA PRIVATE KEY----- diff --git a/vagrant-shared/certificates/certificates b/vagrant-shared/certificates/certificates deleted file mode 120000 index d162b42af..000000000 --- a/vagrant-shared/certificates/certificates +++ /dev/null @@ -1 +0,0 @@ -/vagrant/certificates \ No newline at end of file diff --git a/vagrant-shared/certificates/valid.crt b/vagrant-shared/certificates/valid.crt deleted file mode 100644 index f5fe4c213..000000000 --- a/vagrant-shared/certificates/valid.crt +++ /dev/null @@ -1,21 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDbTCCAlUCAQEwDQYJKoZIhvcNAQEFBQAwZDELMAkGA1UEBhMCVVMxCzAJBgNV -BAgMAkNBMQswCQYDVQQHDAJTRjEMMAoGA1UECgwDRUZGMS0wKwYDVQQLDCRTVEFS -VFRMUyBFdmVyeXdoZXJlIHRlc3QgY2VydGlmaWNhdGUwHhcNMTQwNjEwMTgxMTQ3 -WhcNMTkwNjEwMTgxMTQ3WjCBlDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQsw -CQYDVQQHDAJTRjEMMAoGA1UECgwDRUZGMTQwMgYDVQQLDCtTVEFSVFRMUyBFdmVy -eXdoZXJlIHRlc3QgY2VydGlmaWNhdGUgKGxlYWYpMScwJQYDVQQDDB5teC52YWxp -ZC1leGFtcGxlLXJlY2lwaWVudC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw -ggEKAoIBAQDZ2NdAwI0LUmXrV7bItKhP8NRzypkYHgApXaoZ6iB6TJnYb1FZyv2Y -wyBdsQQ8zcIgKRyl0rKvNPgHt3riM7nSoB16II6fIQDuR2UnXkhtDOfUd7Ye0wKX -l3A+qoEge42/TfRvzPC6IMa1KH7+dwayprIjLxFUzfMl6GqA/5auLZZtSsV6Pix3 -jXZYFPUHPoBJEyNo/bizcdvSZS/7Kwzfc64l7JLA/OGtRbQpcMAOpRRXCx32nt3N -2L1OXz8Q4It+J20oN8Vfin1a7GbAGdktRbz2bV8bmb0ux1NOnddigPUHRRYMIaKN -W7Nrxp2YQpqmsqBmVEVPA903yRc0ZvuRAgMBAAEwDQYJKoZIhvcNAQEFBQADggEB -AMJ3neFM+to/tFhTiAfUnIrQOKyfk+zYN8gC99HD2SUVbu+Cu1qCNJWxbE3bdxxX -y960yX+Or8E4nG9sWbFbzlGEzz0F8DAPEh4UCtb/5MRkhW158Y9LtbheQAQpZolQ -Sma6lnngCmSDr/OpDW34oM8S7+3VOawYv1e1ruCMqizBwilgcsGq2hY1hWca6LMP -X2FHQ+m4mYBV9wJ9WuKMs9uADz9cfMYuA/wMzNeMZyM82w+nSQGZ+mX7YPu+WBJM -k9OcFrUWxrC/uOQfsyqdjLvFjg4/b49jnusn9mZ/KbtLVmkz5P+5kwSn4kcd5Rlw -LLmEGiXiyEjo8UmEVyumrIQ= ------END CERTIFICATE----- diff --git a/vagrant-shared/certificates/valid.csr b/vagrant-shared/certificates/valid.csr deleted file mode 100644 index a58aab677..000000000 --- a/vagrant-shared/certificates/valid.csr +++ /dev/null @@ -1,18 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIIC2jCCAcICAQAwgZQxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTELMAkGA1UE -BwwCU0YxDDAKBgNVBAoMA0VGRjE0MDIGA1UECwwrU1RBUlRUTFMgRXZlcnl3aGVy -ZSB0ZXN0IGNlcnRpZmljYXRlIChsZWFmKTEnMCUGA1UEAwwebXgudmFsaWQtZXhh -bXBsZS1yZWNpcGllbnQuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC -AQEA2djXQMCNC1Jl61e2yLSoT/DUc8qZGB4AKV2qGeogekyZ2G9RWcr9mMMgXbEE -PM3CICkcpdKyrzT4B7d64jO50qAdeiCOnyEA7kdlJ15IbQzn1He2HtMCl5dwPqqB -IHuNv030b8zwuiDGtSh+/ncGsqayIy8RVM3zJehqgP+Wri2WbUrFej4sd412WBT1 -Bz6ASRMjaP24s3Hb0mUv+ysM33OuJeySwPzhrUW0KXDADqUUVwsd9p7dzdi9Tl8/ -EOCLfidtKDfFX4p9WuxmwBnZLUW89m1fG5m9LsdTTp3XYoD1B0UWDCGijVuza8ad -mEKaprKgZlRFTwPdN8kXNGb7kQIDAQABoAAwDQYJKoZIhvcNAQEFBQADggEBAAhe -pMLNDAaA9fXZ/yqW4ov1pBKYZL1R1RX+YgZqUPoAlrTCiJ0UGIuPcTDGJDMdpZ7x -9gSqwsXrvzXafuHI4GuFjnbY5SIv8zvc+nMXib7IMlyMUcuSBZP8W0sl3ZGWnnpk -legC10c3+I9TfQ7Tl0mpdyf/6yLhM1plxLcIy5bguLJjbBK9JhKNfc84rivqrxUI -+cUqWU13WjMzWdKS6rK5m/Bfleg+jyZ11xYY0QfwNGwuPjfiEBjCs2iqJvdLFRem -FoDq3XBsrH5XohSwWZ6UrZY7wARkmHsYJeYTHulb3MkDPCQKlbU+2SMIpbNk43+/ -fN/ctxWXg3vd/q6eJiE= ------END CERTIFICATE REQUEST----- diff --git a/vagrant-shared/certificates/valid.key b/vagrant-shared/certificates/valid.key deleted file mode 100644 index b5e8371cd..000000000 --- a/vagrant-shared/certificates/valid.key +++ /dev/null @@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEpAIBAAKCAQEA2djXQMCNC1Jl61e2yLSoT/DUc8qZGB4AKV2qGeogekyZ2G9R -Wcr9mMMgXbEEPM3CICkcpdKyrzT4B7d64jO50qAdeiCOnyEA7kdlJ15IbQzn1He2 -HtMCl5dwPqqBIHuNv030b8zwuiDGtSh+/ncGsqayIy8RVM3zJehqgP+Wri2WbUrF -ej4sd412WBT1Bz6ASRMjaP24s3Hb0mUv+ysM33OuJeySwPzhrUW0KXDADqUUVwsd -9p7dzdi9Tl8/EOCLfidtKDfFX4p9WuxmwBnZLUW89m1fG5m9LsdTTp3XYoD1B0UW -DCGijVuza8admEKaprKgZlRFTwPdN8kXNGb7kQIDAQABAoIBAHAZgUq0yt+UmxWr -oUdOj33zc5/SFU2vwm2G4U1MiUHlwRT602Xdavn9Dt6nhIK1bruV7EP4VDKMk0WF -SRq1e13DPuflcP65wPzciFTl02cqSPGwWGssMh1HtF7K5n+MlLhoqOwPDaD51MbL -++192lh8Jxar1cNJ52EOZB/VZfhiUZ88JAITWam6clId8KS4cy7SvQ9haptcPlfl -wIeCti2eI4nvC0IR0SCEqWAax6XqypA5k2fjQJklcnBK1R+H1muc00J5lMIz4U8q -qFb5RgxIDMcEeQZWmzfBjU5hO0q/51QyWFFFuBL00MkT4djCHjO/IPYc6DQoAoZR -TbMCWwECgYEA+i3W44tSY96Fdn1gDyYhDor9GPN0XwmRBHpl44TxBLG48I6cGLYI -l0InEh7pu7/0fw+cWylx2OLrl2HeGlWilEOpP2ucJcswcNibATtgSdnu7PjC4eAW -46a5+2hbFk/NONU5VTGClJHCvKzYPWMrAIkRT//WdkIVs23i7bRcOjkCgYEA3upr -cnMhnwVmZrGAIm+DtiDJCc4uVXeqLD2j9csCVNCw/CQAjJ3/5VlQDSjzerjijw/V -uoA+Su8xMoMCg6mAihqdxBMrbwdlh7vje23RaxbeQkIY5JIVAsdDr+UtwofaX3Zx -j3RW5jNeouVlvtExyKZZhyMwuh8d59m4V65/rBkCgYBH+f40EvZOQ0v0jhef5CFo -lLZCgnB9kzwEpM5BihLpfdQuaWkhduW71s102i321UAbejtKwv69HnQXZpHG09Jl -g53i4CvZd77lCHx3+0Q1mxyxUtSGtbkAIAyr9xcVsTni2v2WtBrUcacsLzI7XxeV -HNo9QObLuTGTIM9EAjryiQKBgQCIZEBX56/jn6c3IFX5O+gH8OlxEXFyI+TAavq+ -Mnd7s7EGpXSclTP0fYAofSz0otkklZi9Iyh6Kv4cHOLV8klOtthfFyeVKJ5rvX+D -jv76miRlwBGBEQzABXIZ1oz4IK1xiYQUNSfSdA3sd5WYemEOlxHiSJrQ1qcyrBlJ -tOAzSQKBgQDjLQIZ0rmSAMUCGi7WlDle/pnf6sUEFUPWUqzHOJbJk/CZIIf1IT6o -Evep9eeP6QjiupusY/uSlgjjjj7yxZU5q3VV/0cQl6QhwxG9wqpa8x32wwaM1WBZ -rJgsuSjcEoluAqfX/bqRtumNtQ213DSADzSCpOetlJb+ARANk7YULg== ------END RSA PRIVATE KEY----- diff --git a/vagrant-shared/postfix-config-sender-tls_policy b/vagrant-shared/postfix-config-sender-tls_policy deleted file mode 100644 index f4f1e80c5..000000000 --- a/vagrant-shared/postfix-config-sender-tls_policy +++ /dev/null @@ -1 +0,0 @@ -valid-example-recipient.com secure match=valid-example-recipient.com:.valid-example-recipient.com diff --git a/vagrant-shared/postfix-config-sender.cf b/vagrant-shared/postfix-config-sender.cf deleted file mode 100644 index b9f265058..000000000 --- a/vagrant-shared/postfix-config-sender.cf +++ /dev/null @@ -1,39 +0,0 @@ -# See /usr/share/postfix/main.cf.dist for a commented, more complete version - - -# Debian specific: Specifying a file name will cause the first -# line of that file to be used as the name. The Debian default -# is /etc/mailname. -#myorigin = /etc/mailname - -smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu) -biff = no - -# appending .domain is the MUA's job. -append_dot_mydomain = no - -# Uncomment the next line to generate "delayed mail" warnings -#delay_warning_time = 4h - -readme_directory = no - -# TLS parameters -smtpd_tls_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem -smtpd_tls_key_file=/etc/ssl/private/ssl-cert-snakeoil.key -smtpd_use_tls=yes -smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache -smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache - -# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for -# information on enabling SSL in the smtp client. - -myhostname = sender.example.com -alias_maps = hash:/etc/aliases -alias_database = hash:/etc/aliases -myorigin = /etc/mailname -mydestination = sender.example.com, localhost.example.com, , localhost -relayhost = -mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 -mailbox_size_limit = 0 -recipient_delimiter = + -inet_interfaces = all diff --git a/vagrant-shared/postfix-config-valid-example-recipient.cf b/vagrant-shared/postfix-config-valid-example-recipient.cf deleted file mode 100644 index 1d08a20cd..000000000 --- a/vagrant-shared/postfix-config-valid-example-recipient.cf +++ /dev/null @@ -1,46 +0,0 @@ -# See /usr/share/postfix/main.cf.dist for a commented, more complete version - - -# Debian specific: Specifying a file name will cause the first -# line of that file to be used as the name. The Debian default -# is /etc/mailname. -#myorigin = /etc/mailname - -smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu) -biff = no - -# appending .domain is the MUA's job. -append_dot_mydomain = no - -# Uncomment the next line to generate "delayed mail" warnings -#delay_warning_time = 4h - -readme_directory = no - -# TLS parameters -smtpd_use_tls=yes -smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache -smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache - -# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for -# information on enabling SSL in the smtp client. - -myhostname = valid-example-recipient.com -alias_maps = hash:/etc/aliases -alias_database = hash:/etc/aliases -myorigin = /etc/mailname -mydestination = valid-example-recipient.com, localhost.example.com, , localhost -relayhost = -mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 -mailbox_size_limit = 0 -recipient_delimiter = + -inet_interfaces = all - -# STARTLS Everywhere recommended best-practice settings -smtpd_tls_session_cache_timeout = 3600s -smtpd_tls_received_header = yes - -#STARTTLS EVERYWHERE MAGIC STARTS HERE -smtp_tls_policy_maps = texthash:/etc/postfix/tls_policy -smtpd_tls_cert_file=/etc/certificates/valid.crt -smtpd_tls_key_file=/etc/certificates/valid.key From e48c653245bc08b7e517465aea32f678c5b9b64b Mon Sep 17 00:00:00 2001 From: Joona Hoikkala Date: Fri, 25 May 2018 21:00:37 +0300 Subject: [PATCH 204/256] Change GenericUpdater parameter to lineage (#6030) In order to give more flexibility for plugins using interfaces.GenericUpdater interface, lineage needs to be passed to the updater method instead of individual domains. All of the (present and potential) installers do not work on per domain basis, while the lineage does contain a list of them for installers which do. This also means that we don't unnecessarily run the updater method multiple times, potentially invoking expensive tooling up to $max_san_amount times. * Make GenericUpdater use lineage as parameter and get invoked only once per lineage --- certbot/interfaces.py | 18 +++++++++--------- certbot/tests/renewupdater_test.py | 11 ++++------- certbot/updater.py | 7 +++---- 3 files changed, 16 insertions(+), 20 deletions(-) diff --git a/certbot/interfaces.py b/certbot/interfaces.py index 6233e3592..a5fb426e6 100644 --- a/certbot/interfaces.py +++ b/certbot/interfaces.py @@ -604,10 +604,10 @@ class IReporter(zope.interface.Interface): # When "certbot renew" is run, Certbot will iterate over each lineage and check # if the selected installer for that lineage is a subclass of each updater # class. If it is and the update of that type is configured to be run for that -# lineage, the relevant update function will be called for each domain in the -# lineage. These functions are never called for other subcommands, so if an -# installer wants to perform an update during the run or install subcommand, it -# should do so when :func:`IInstaller.deploy_cert` is called. +# lineage, the relevant update function will be called for it. These functions +# are never called for other subcommands, so if an installer wants to perform +# an update during the run or install subcommand, it should do so when +# :func:`IInstaller.deploy_cert` is called. @six.add_metaclass(abc.ABCMeta) class GenericUpdater(object): @@ -623,7 +623,7 @@ class GenericUpdater(object): """ @abc.abstractmethod - def generic_updates(self, domain, *args, **kwargs): + def generic_updates(self, lineage, *args, **kwargs): """Perform any update types defined by the installer. If an installer is a subclass of the class containing this method, this @@ -631,9 +631,10 @@ class GenericUpdater(object): update defined by the installer should be run conditionally, the installer needs to handle checking the conditions itself. - This method is called once for each domain. + This method is called once for each lineage. - :param str domain: domain to handle the updates for + :param lineage: Certificate lineage object + :type lineage: storage.RenewableCert """ @@ -661,8 +662,7 @@ class RenewDeployer(object): This method is called once for each lineage renewed - :param lineage: Certificate lineage object that is set if certificate - was renewed on this run. + :param lineage: Certificate lineage object :type lineage: storage.RenewableCert """ diff --git a/certbot/tests/renewupdater_test.py b/certbot/tests/renewupdater_test.py index 9d0f8d515..ade8db390 100644 --- a/certbot/tests/renewupdater_test.py +++ b/certbot/tests/renewupdater_test.py @@ -19,7 +19,7 @@ class RenewUpdaterTest(unittest.TestCase): # pylint: disable=unused-argument self.restart = mock.MagicMock() self.callcounter = mock.MagicMock() - def generic_updates(self, domain, *args, **kwargs): + def generic_updates(self, lineage, *args, **kwargs): self.callcounter(*args, **kwargs) class MockInstallerRenewDeployer(interfaces.RenewDeployer): @@ -46,9 +46,7 @@ class RenewUpdaterTest(unittest.TestCase): def test_server_updates(self, _, mock_select, mock_getsave): config = self.get_config({"disable_renew_updates": False}) - lineage = mock.MagicMock() - lineage.names.return_value = ['firstdomain', 'seconddomain'] - mock_getsave.return_value = lineage + mock_getsave.return_value = mock.MagicMock() mock_generic_updater = self.generic_updater # Generic Updater @@ -59,14 +57,13 @@ class RenewUpdaterTest(unittest.TestCase): mock_generic_updater.restart.reset_mock() mock_generic_updater.callcounter.reset_mock() - updater.run_generic_updaters(config, None, lineage) - self.assertEqual(mock_generic_updater.callcounter.call_count, 2) + updater.run_generic_updaters(config, None, mock.MagicMock()) + self.assertEqual(mock_generic_updater.callcounter.call_count, 1) self.assertFalse(mock_generic_updater.restart.called) def test_renew_deployer(self): config = self.get_config({"disable_renew_updates": False}) lineage = mock.MagicMock() - lineage.names.return_value = ['firstdomain', 'seconddomain'] mock_deployer = self.renew_deployer updater.run_renewal_deployer(lineage, mock_deployer, config) self.assertTrue(mock_deployer.callcounter.called_with(lineage)) diff --git a/certbot/updater.py b/certbot/updater.py index f822c55ee..1216f38a6 100644 --- a/certbot/updater.py +++ b/certbot/updater.py @@ -61,7 +61,6 @@ def _run_updaters(lineage, installer, config): :returns: `None` :rtype: None """ - for domain in lineage.names(): - if not config.disable_renew_updates: - if isinstance(installer, interfaces.GenericUpdater): - installer.generic_updates(domain) + if not config.disable_renew_updates: + if isinstance(installer, interfaces.GenericUpdater): + installer.generic_updates(lineage) From 9f6b147d6f06e534351377195b4f28c61270115d Mon Sep 17 00:00:00 2001 From: Joona Hoikkala Date: Sat, 26 May 2018 18:31:23 +0300 Subject: [PATCH 205/256] Do not call updaters and deployers when run with --dry-run (#6038) When Certbot is run with --dry-run, skip running GenericUpdater and RenewDeployer interface methods. This PR also makes the parameter order of updater.run_generic_updaters and updater.run_renewal_deployer consistent. Fixes #5927 * Do not call updaters and deployers when run with --dry-run * Use ConfigTestCase instead of mocking config objects manually --- certbot/main.py | 2 +- certbot/renewal.py | 4 ++-- certbot/tests/main_test.py | 3 ++- certbot/tests/renewupdater_test.py | 35 ++++++++++++++++++------------ certbot/updater.py | 20 ++++++++++++----- 5 files changed, 41 insertions(+), 23 deletions(-) diff --git a/certbot/main.py b/certbot/main.py index dad1b793e..8fa6ebfc6 100644 --- a/certbot/main.py +++ b/certbot/main.py @@ -1163,7 +1163,7 @@ def renew_cert(config, plugins, lineage): # In case of a renewal, reload server to pick up new certificate. # In principle we could have a configuration option to inhibit this # from happening. - updater.run_renewal_deployer(renewed_lineage, installer, config) + updater.run_renewal_deployer(config, renewed_lineage, installer) installer.restart() notify("new certificate deployed with reload of {0} server; fullchain is {1}".format( config.installer, lineage.fullchain), pause=False) diff --git a/certbot/renewal.py b/certbot/renewal.py index 0a6568426..236330a85 100644 --- a/certbot/renewal.py +++ b/certbot/renewal.py @@ -431,8 +431,8 @@ def handle_renewal_request(config): renew_skipped.append("%s expires on %s" % (renewal_candidate.fullchain, expiry.strftime("%Y-%m-%d"))) # Run updater interface methods - updater.run_generic_updaters(lineage_config, plugins, - renewal_candidate) + updater.run_generic_updaters(lineage_config, renewal_candidate, + plugins) except Exception as e: # pylint: disable=broad-except # obtain_cert (presumably) encountered an unanticipated problem. diff --git a/certbot/tests/main_test.py b/certbot/tests/main_test.py index 8c9e24354..36821cf53 100644 --- a/certbot/tests/main_test.py +++ b/certbot/tests/main_test.py @@ -1464,7 +1464,8 @@ class MainTest(test_util.ConfigTestCase): # pylint: disable=too-many-public-met None, None, None) with mock.patch('certbot.updater.logger.warning') as mock_log: - updater.run_generic_updaters(None, None, None) + self.config.dry_run = False + updater.run_generic_updaters(self.config, None, None) self.assertTrue(mock_log.called) self.assertTrue("Could not choose appropriate plugin for updaters" in mock_log.call_args[0][0]) diff --git a/certbot/tests/renewupdater_test.py b/certbot/tests/renewupdater_test.py index ade8db390..bd1cd891e 100644 --- a/certbot/tests/renewupdater_test.py +++ b/certbot/tests/renewupdater_test.py @@ -9,10 +9,11 @@ from certbot import updater import certbot.tests.util as test_util -class RenewUpdaterTest(unittest.TestCase): +class RenewUpdaterTest(test_util.ConfigTestCase): """Tests for interfaces.RenewDeployer and interfaces.GenericUpdater""" def setUp(self): + super(RenewUpdaterTest, self).setUp() class MockInstallerGenericUpdater(interfaces.GenericUpdater): """Mock class that implements GenericUpdater""" def __init__(self, *args, **kwargs): @@ -33,41 +34,47 @@ class RenewUpdaterTest(unittest.TestCase): self.generic_updater = MockInstallerGenericUpdater() self.renew_deployer = MockInstallerRenewDeployer() - def get_config(self, args): - """Get mock config from dict of parameters""" - config = mock.MagicMock() - for key in args.keys(): - config.__dict__[key] = args[key] - return config - @mock.patch('certbot.main._get_and_save_cert') @mock.patch('certbot.plugins.selection.choose_configurator_plugins') @test_util.patch_get_utility() def test_server_updates(self, _, mock_select, mock_getsave): - config = self.get_config({"disable_renew_updates": False}) - mock_getsave.return_value = mock.MagicMock() mock_generic_updater = self.generic_updater # Generic Updater mock_select.return_value = (mock_generic_updater, None) with mock.patch('certbot.main._init_le_client'): - main.renew_cert(config, None, mock.MagicMock()) + main.renew_cert(self.config, None, mock.MagicMock()) self.assertTrue(mock_generic_updater.restart.called) mock_generic_updater.restart.reset_mock() mock_generic_updater.callcounter.reset_mock() - updater.run_generic_updaters(config, None, mock.MagicMock()) + updater.run_generic_updaters(self.config, mock.MagicMock(), None) self.assertEqual(mock_generic_updater.callcounter.call_count, 1) self.assertFalse(mock_generic_updater.restart.called) def test_renew_deployer(self): - config = self.get_config({"disable_renew_updates": False}) lineage = mock.MagicMock() mock_deployer = self.renew_deployer - updater.run_renewal_deployer(lineage, mock_deployer, config) + updater.run_renewal_deployer(self.config, lineage, mock_deployer) self.assertTrue(mock_deployer.callcounter.called_with(lineage)) + @mock.patch("certbot.updater.logger.debug") + def test_updater_skip_dry_run(self, mock_log): + self.config.dry_run = True + updater.run_generic_updaters(self.config, None, None) + self.assertTrue(mock_log.called) + self.assertEquals(mock_log.call_args[0][0], + "Skipping updaters in dry-run mode.") + + @mock.patch("certbot.updater.logger.debug") + def test_deployer_skip_dry_run(self, mock_log): + self.config.dry_run = True + updater.run_renewal_deployer(self.config, None, None) + self.assertTrue(mock_log.called) + self.assertEquals(mock_log.call_args[0][0], + "Skipping renewal deployer in dry-run mode.") + if __name__ == '__main__': unittest.main() # pragma: no cover diff --git a/certbot/updater.py b/certbot/updater.py index 1216f38a6..112cf06ef 100644 --- a/certbot/updater.py +++ b/certbot/updater.py @@ -8,21 +8,24 @@ from certbot.plugins import selection as plug_sel logger = logging.getLogger(__name__) -def run_generic_updaters(config, plugins, lineage): +def run_generic_updaters(config, lineage, plugins): """Run updaters that the plugin supports :param config: Configuration object :type config: interfaces.IConfig - :param plugins: List of plugins - :type plugins: `list` of `str` - :param lineage: Certificate lineage object :type lineage: storage.RenewableCert + :param plugins: List of plugins + :type plugins: `list` of `str` + :returns: `None` :rtype: None """ + if config.dry_run: + logger.debug("Skipping updaters in dry-run mode.") + return try: # installers are used in auth mode to determine domain names installer, _ = plug_sel.choose_configurator_plugins(config, plugins, "certonly") @@ -31,10 +34,13 @@ def run_generic_updaters(config, plugins, lineage): return _run_updaters(lineage, installer, config) -def run_renewal_deployer(lineage, installer, config): +def run_renewal_deployer(config, lineage, installer): """Helper function to run deployer interface method if supported by the used installer plugin. + :param config: Configuration object + :type config: interfaces.IConfig + :param lineage: Certificate lineage object :type lineage: storage.RenewableCert @@ -44,6 +50,10 @@ def run_renewal_deployer(lineage, installer, config): :returns: `None` :rtype: None """ + if config.dry_run: + logger.debug("Skipping renewal deployer in dry-run mode.") + return + if not config.disable_renew_updates and isinstance(installer, interfaces.RenewDeployer): installer.renew_deploy(lineage) From d53ef1f7c24c21d297a23349f3d566e24252b1fb Mon Sep 17 00:00:00 2001 From: ohemorange Date: Thu, 31 May 2018 13:57:23 -0700 Subject: [PATCH 206/256] Add mypy info to Certbot docs (#6033) * Add mypy info to Certbot docs * break up lines * link to mypy docs and links to https * Expand on import wording * be consistent about mypy styling --- docs/contributing.rst | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/docs/contributing.rst b/docs/contributing.rst index ed986c562..58db251d4 100644 --- a/docs/contributing.rst +++ b/docs/contributing.rst @@ -312,6 +312,40 @@ Please: .. _PEP 8 - Style Guide for Python Code: https://www.python.org/dev/peps/pep-0008 +Mypy type annotations +===================== + +Certbot uses the `mypy`_ static type checker. Python 3 natively supports official type annotations, +which can then be tested for consistency using mypy. Python 2 doesn’t, but type annotations can +be `added in comments`_. Mypy does some type checks even without type annotations; we can find +bugs in Certbot even without a fully annotated codebase. + +Certbot supports both Python 2 and 3, so we’re using Python 2-style annotations. + +Zulip wrote a `great guide`_ to using mypy. It’s useful, but you don’t have to read the whole thing +to start contributing to Certbot. + +To run mypy on Certbot, use ``tox -e mypy`` on a machine that has Python 3 installed. + +Note that instead of just importing ``typing``, due to packaging issues, in Certbot we import from +``acme.magic_typing`` and have to add some comments for pylint like this: + +.. code-block:: python + + from acme.magic_typing import Dict # pylint: disable=unused-import, no-name-in-module + +Also note that OpenSSL, which we rely on, has type definitions for crypto but not SSL. We use both. +Those imports should look like this: + +.. code-block:: python + + from OpenSSL import crypto + from OpenSSL import SSL # type: ignore # https://github.com/python/typeshed/issues/2052 + +.. _mypy: https://mypy.readthedocs.io +.. _added in comments: https://mypy.readthedocs.io/en/latest/cheat_sheet.html +.. _great guide: https://blog.zulip.org/2016/10/13/static-types-in-python-oh-mypy/ + Submitting a pull request ========================= From fb0d2ec3d60cf29d2c8aff09a3adbf50ba7f938f Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Fri, 1 Jun 2018 18:09:02 -0400 Subject: [PATCH 207/256] Include missing space (#6061) --- certbot-apache/certbot_apache/configurator.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/certbot-apache/certbot_apache/configurator.py b/certbot-apache/certbot_apache/configurator.py index bb82a9d3f..861fe4458 100644 --- a/certbot-apache/certbot_apache/configurator.py +++ b/certbot-apache/certbot_apache/configurator.py @@ -132,10 +132,10 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): default=cls.OS_DEFAULTS["challenge_location"], help="Directory path for challenge configuration.") add("handle-modules", default=cls.OS_DEFAULTS["handle_mods"], - help="Let installer handle enabling required modules for you." + + help="Let installer handle enabling required modules for you. " + "(Only Ubuntu/Debian currently)") add("handle-sites", default=cls.OS_DEFAULTS["handle_sites"], - help="Let installer handle enabling sites for you." + + help="Let installer handle enabling sites for you. " + "(Only Ubuntu/Debian currently)") util.add_deprecated_argument(add, argument_name="ctl", nargs=1) util.add_deprecated_argument( From e2d6faa8a95b05e11369f7ae646fa8216b2b883a Mon Sep 17 00:00:00 2001 From: schoen Date: Fri, 1 Jun 2018 15:21:02 -0700 Subject: [PATCH 208/256] Add --reuse-key feature (#5901) * Initial work on new version of --reuse-key * Test for reuse_key * Make lint happier * Also test a non-dry-run reuse_key renewal * Test --reuse-key in boulder integration test * Better reuse-key integration testing * Log fact that key was reused * Test that the certificates themselves are different * Change "oldkeypath" to "old_keypath" * Simply appearance of new-key generation logic * Reorganize new-key logic * Move awk logic into TotalAndDistinctLines function * After refactor, there's now explicit None rather than missing param * Indicate for MyPy that key can be None * Actually import the Optional type * magic_typing is too magical for pylint * Remove --no-reuse-key option * Correct pylint test disable --- certbot/cli.py | 6 ++++++ certbot/client.py | 32 +++++++++++++++++++++++++++----- certbot/constants.py | 1 + certbot/renewal.py | 7 +++++-- certbot/tests/main_test.py | 24 +++++++++++++++++++++--- tests/boulder-integration.sh | 28 ++++++++++++++++++++++++++++ 6 files changed, 88 insertions(+), 10 deletions(-) diff --git a/certbot/cli.py b/certbot/cli.py index 25319bbd8..05e316133 100644 --- a/certbot/cli.py +++ b/certbot/cli.py @@ -1017,6 +1017,12 @@ def prepare_and_parse_args(plugins, args, detect_defaults=False): # pylint: dis "certificate already exists for the requested certificate name " "but does not match the requested domains, renew it now, " "regardless of whether it is near expiry.") + helpful.add( + "automation", "--reuse-key", dest="reuse_key", + action="store_true", default=flag_default("reuse_key"), + help="When renewing, use the same private key as the existing " + "certificate.") + helpful.add( ["automation", "renew", "certonly"], "--allow-subset-of-names", action="store_true", diff --git a/certbot/client.py b/certbot/client.py index dadc3a0f8..cc2f31d56 100644 --- a/certbot/client.py +++ b/certbot/client.py @@ -4,6 +4,7 @@ import logging import os import platform + from cryptography.hazmat.backends import default_backend # https://github.com/python/typeshed/blob/master/third_party/ # 2/cryptography/hazmat/primitives/asymmetric/rsa.pyi @@ -16,6 +17,7 @@ from acme import client as acme_client from acme import crypto_util as acme_crypto_util from acme import errors as acme_errors from acme import messages +from acme.magic_typing import Optional # pylint: disable=unused-import,no-name-in-module import certbot @@ -273,7 +275,7 @@ class Client(object): cert, chain = crypto_util.cert_and_chain_from_fullchain(orderr.fullchain_pem) return cert.encode(), chain.encode() - def obtain_certificate(self, domains): + def obtain_certificate(self, domains, old_keypath=None): """Obtains a certificate from the ACME server. `.register` must be called before `.obtain_certificate` @@ -286,16 +288,36 @@ class Client(object): :rtype: tuple """ + + # We need to determine the key path, key PEM data, CSR path, + # and CSR PEM data. For a dry run, the paths are None because + # they aren't permanently saved to disk. For a lineage with + # --reuse-key, the key path and PEM data are derived from an + # existing file. + + if old_keypath is not None: + # We've been asked to reuse a specific existing private key. + # Therefore, we'll read it now and not generate a new one in + # either case below. + with open(old_keypath, "r") as f: + keypath = old_keypath + keypem = f.read() + key = util.Key(file=keypath, pem=keypem) # type: Optional[util.Key] + logger.info("Reusing existing private key from %s.", old_keypath) + else: + # The key is set to None here but will be created below. + key = None + # Create CSR from names if self.config.dry_run: - key = util.Key(file=None, - pem=crypto_util.make_key(self.config.rsa_key_size)) + key = key or util.Key(file=None, + pem=crypto_util.make_key(self.config.rsa_key_size)) csr = util.CSR(file=None, form="pem", data=acme_crypto_util.make_csr( key.pem, domains, self.config.must_staple)) else: - key = crypto_util.init_save_key( - self.config.rsa_key_size, self.config.key_dir) + key = key or crypto_util.init_save_key(self.config.rsa_key_size, + self.config.key_dir) csr = crypto_util.init_save_csr(key, domains, self.config.csr_dir) orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names) diff --git a/certbot/constants.py b/certbot/constants.py index 40557d287..1dd25e799 100644 --- a/certbot/constants.py +++ b/certbot/constants.py @@ -64,6 +64,7 @@ CLI_DEFAULTS = dict( pref_challs=[], validate_hooks=True, directory_hooks=True, + reuse_key=False, disable_renew_updates=False, # Subparsers diff --git a/certbot/renewal.py b/certbot/renewal.py index 236330a85..aa8c9722a 100644 --- a/certbot/renewal.py +++ b/certbot/renewal.py @@ -36,7 +36,7 @@ STR_CONFIG_ITEMS = ["config_dir", "logs_dir", "work_dir", "user_agent", "pre_hook", "post_hook", "tls_sni_01_address", "http01_address"] INT_CONFIG_ITEMS = ["rsa_key_size", "tls_sni_01_port", "http01_port"] -BOOL_CONFIG_ITEMS = ["must_staple", "allow_subset_of_names"] +BOOL_CONFIG_ITEMS = ["must_staple", "allow_subset_of_names", "reuse_key"] CONFIG_ITEMS = set(itertools.chain( BOOL_CONFIG_ITEMS, INT_CONFIG_ITEMS, STR_CONFIG_ITEMS, ('pref_challs',))) @@ -298,7 +298,10 @@ def renew_cert(config, domains, le_client, lineage): _avoid_invalidating_lineage(config, lineage, original_server) if not domains: domains = lineage.names() - new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains) + # The private key is the existing lineage private key if reuse_key is set. + # Otherwise, generate a fresh private key by passing None. + new_key = lineage.privkey if config.reuse_key else None + new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key) if config.dry_run: logger.debug("Dry run: skipping updating lineage at %s", os.path.dirname(lineage.cert)) diff --git a/certbot/tests/main_test.py b/certbot/tests/main_test.py index 36821cf53..4b251c421 100644 --- a/certbot/tests/main_test.py +++ b/certbot/tests/main_test.py @@ -1026,8 +1026,9 @@ class MainTest(test_util.ConfigTestCase): # pylint: disable=too-many-public-met def _test_renewal_common(self, due_for_renewal, extra_args, log_out=None, args=None, should_renew=True, error_expected=False, - quiet_mode=False, expiry_date=datetime.datetime.now()): - # pylint: disable=too-many-locals,too-many-arguments + quiet_mode=False, expiry_date=datetime.datetime.now(), + reuse_key=False): + # pylint: disable=too-many-locals,too-many-arguments,too-many-branches cert_path = test_util.vector_path('cert_512.pem') chain_path = '/etc/letsencrypt/live/foo.bar/fullchain.pem' mock_lineage = mock.MagicMock(cert=cert_path, fullchain=chain_path, @@ -1077,7 +1078,13 @@ class MainTest(test_util.ConfigTestCase): # pylint: disable=too-many-public-met traceback.format_exc()) if should_renew: - mock_client.obtain_certificate.assert_called_once_with(['isnot.org']) + if reuse_key: + # The location of the previous live privkey.pem is passed + # to obtain_certificate + mock_client.obtain_certificate.assert_called_once_with(['isnot.org'], + os.path.join(self.config.config_dir, "live/sample-renewal/privkey.pem")) + else: + mock_client.obtain_certificate.assert_called_once_with(['isnot.org'], None) else: self.assertEqual(mock_client.obtain_certificate.call_count, 0) except: @@ -1127,6 +1134,17 @@ class MainTest(test_util.ConfigTestCase): # pylint: disable=too-many-public-met args = ["renew", "--dry-run", "-tvv"] self._test_renewal_common(True, [], args=args, should_renew=True) + def test_reuse_key(self): + test_util.make_lineage(self.config.config_dir, 'sample-renewal.conf') + args = ["renew", "--dry-run", "--reuse-key"] + self._test_renewal_common(True, [], args=args, should_renew=True, reuse_key=True) + + @mock.patch('certbot.storage.RenewableCert.save_successor') + def test_reuse_key_no_dry_run(self, unused_save_successor): + test_util.make_lineage(self.config.config_dir, 'sample-renewal.conf') + args = ["renew", "--reuse-key"] + self._test_renewal_common(True, [], args=args, should_renew=True, reuse_key=True) + @mock.patch('certbot.renewal.should_renew') def test_renew_skips_recent_certs(self, should_renew): should_renew.return_value = False diff --git a/tests/boulder-integration.sh b/tests/boulder-integration.sh index e931e30f3..ef611e743 100755 --- a/tests/boulder-integration.sh +++ b/tests/boulder-integration.sh @@ -166,6 +166,14 @@ CheckRenewHook() { CheckSavedRenewHook $1 } +# Return success only if input contains exactly $1 lines of text, of +# which $2 different values occur in the first field. +TotalAndDistinctLines() { + total=$1 + distinct=$2 + awk '{a[$1] = 1}; END {exit(NR !='$total' || length(a) !='$distinct')}' +} + # Cleanup coverage data coverage erase @@ -347,6 +355,26 @@ if common certificates | grep "fail\.dns1\.le\.wtf"; then exit 1 fi +# reuse-key +common --domains reusekey.le.wtf --reuse-key +common renew --cert-name reusekey.le.wtf +CheckCertCount "reusekey.le.wtf" 2 +ls -l "${root}/conf/archive/reusekey.le.wtf/privkey"* +# The final awk command here exits successfully if its input consists of +# exactly two lines with identical first fields, and unsuccessfully otherwise. +sha256sum "${root}/conf/archive/reusekey.le.wtf/privkey"* | TotalAndDistinctLines 2 1 + +# don't reuse key (just by forcing reissuance without --reuse-key) +common --cert-name reusekey.le.wtf --domains reusekey.le.wtf --force-renewal +CheckCertCount "reusekey.le.wtf" 3 +ls -l "${root}/conf/archive/reusekey.le.wtf/privkey"* +# Exactly three lines, of which exactly two identical first fields. +sha256sum "${root}/conf/archive/reusekey.le.wtf/privkey"* | TotalAndDistinctLines 3 2 + +# Nonetheless, all three certificates are different even though two of them +# share the same subject key. +sha256sum "${root}/conf/archive/reusekey.le.wtf/cert"* | TotalAndDistinctLines 3 3 + # ECDSA openssl ecparam -genkey -name secp384r1 -out "${root}/privkey-p384.pem" SAN="DNS:ecdsa.le.wtf" openssl req -new -sha256 \ From f19ebab44173b3ed70eb2aa81464fe1aa2fc0122 Mon Sep 17 00:00:00 2001 From: Joona Hoikkala Date: Mon, 4 Jun 2018 21:08:40 +0300 Subject: [PATCH 209/256] Make sure the pluginstorage file gets truncated when writing to it (#6062) --- certbot/plugins/storage.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/certbot/plugins/storage.py b/certbot/plugins/storage.py index 9472a1ebb..ae3ca1889 100644 --- a/certbot/plugins/storage.py +++ b/certbot/plugins/storage.py @@ -84,7 +84,8 @@ class PluginStorage(object): raise errors.PluginStorageError(errmsg) try: with os.fdopen(os.open(self._storagepath, - os.O_WRONLY | os.O_CREAT, 0o600), 'w') as fh: + os.O_WRONLY | os.O_CREAT | os.O_TRUNC, + 0o600), 'w') as fh: fh.write(serialized) except IOError as e: errmsg = "Could not write PluginStorage data to file {0} : {1}".format( From 4151737e171b9a73923d02dc746cb593fb1f6d33 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Mon, 4 Jun 2018 13:13:23 -0700 Subject: [PATCH 210/256] Read in bytes to fix --reuse-key on Python 3 (#6069) * Read bytes for now for compatibility * add clarifying comment --- certbot/client.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/certbot/client.py b/certbot/client.py index cc2f31d56..d97de0571 100644 --- a/certbot/client.py +++ b/certbot/client.py @@ -299,7 +299,10 @@ class Client(object): # We've been asked to reuse a specific existing private key. # Therefore, we'll read it now and not generate a new one in # either case below. - with open(old_keypath, "r") as f: + # + # We read in bytes here because the type of `key.pem` + # created below is also bytes. + with open(old_keypath, "rb") as f: keypath = old_keypath keypem = f.read() key = util.Key(file=keypath, pem=keypem) # type: Optional[util.Key] From 15f1405fff7083bf5d4f599a58c54a43be499740 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maciej=20D=C4=99bski?= Date: Mon, 4 Jun 2018 23:54:17 +0200 Subject: [PATCH 211/256] Implement TLS-ALPN-01 challenge and standalone TLS-ALPN server (#5894) The new challenge is described in https://github.com/rolandshoemaker/acme-tls-alpn. * TLS-ALPN tests * Implement TLS-ALPN challenge * Skip TLS-ALPN tests on old pyopenssl * make _selection methods private. --- acme/acme/challenges.py | 152 +++++++++++++++++++++++++++- acme/acme/challenges_test.py | 121 ++++++++++++++++++++++ acme/acme/crypto_util.py | 61 ++++++++--- acme/acme/crypto_util_test.py | 16 ++- acme/acme/standalone.py | 48 ++++++++- acme/acme/standalone_test.py | 57 +++++++++++ acme/acme/testdata/README | 6 +- acme/acme/testdata/rsa1024_cert.pem | 13 +++ 8 files changed, 453 insertions(+), 21 deletions(-) create mode 100644 acme/acme/testdata/rsa1024_cert.pem diff --git a/acme/acme/challenges.py b/acme/acme/challenges.py index 674f2c38f..ce788e2cc 100644 --- a/acme/acme/challenges.py +++ b/acme/acme/challenges.py @@ -1,5 +1,6 @@ """ACME Identifier Validation Challenges.""" import abc +import codecs import functools import hashlib import logging @@ -7,7 +8,7 @@ import socket from cryptography.hazmat.primitives import hashes # type: ignore import josepy as jose -import OpenSSL +from OpenSSL import crypto import requests import six @@ -411,8 +412,8 @@ class TLSSNI01Response(KeyAuthorizationChallengeResponse): """ if key is None: - key = OpenSSL.crypto.PKey() - key.generate_key(OpenSSL.crypto.TYPE_RSA, bits) + key = crypto.PKey() + key.generate_key(crypto.TYPE_RSA, bits) return crypto_util.gen_ss_cert(key, [ # z_domain is too big to fit into CN, hence first dummy domain 'dummy', self.z_domain.decode()], force_san=True), key @@ -507,6 +508,151 @@ class TLSSNI01(KeyAuthorizationChallenge): return self.response(account_key).gen_cert(key=kwargs.get('cert_key')) +@ChallengeResponse.register +class TLSALPN01Response(KeyAuthorizationChallengeResponse): + """ACME tls-alpn-01 challenge response.""" + typ = "tls-alpn-01" + + PORT = 443 + """Verification port as defined by the protocol. + + You can override it (e.g. for testing) by passing ``port`` to + `simple_verify`. + + """ + + ID_PE_ACME_IDENTIFIER_V1 = b"1.3.6.1.5.5.7.1.30.1" + ACME_TLS_1_PROTOCOL = "acme-tls/1" + + @property + def h(self): + """Hash value stored in challenge certificate""" + return hashlib.sha256(self.key_authorization.encode('utf-8')).digest() + + def gen_cert(self, domain, key=None, bits=2048): + """Generate tls-alpn-01 certificate. + + :param unicode domain: Domain verified by the challenge. + :param OpenSSL.crypto.PKey key: Optional private key used in + certificate generation. If not provided (``None``), then + fresh key will be generated. + :param int bits: Number of bits for newly generated key. + + :rtype: `tuple` of `OpenSSL.crypto.X509` and `OpenSSL.crypto.PKey` + + """ + if key is None: + key = crypto.PKey() + key.generate_key(crypto.TYPE_RSA, bits) + + + der_value = b"DER:" + codecs.encode(self.h, 'hex') + acme_extension = crypto.X509Extension(self.ID_PE_ACME_IDENTIFIER_V1, + critical=True, value=der_value) + + return crypto_util.gen_ss_cert(key, [domain], force_san=True, + extensions=[acme_extension]), key + + def probe_cert(self, domain, host=None, port=None): + """Probe tls-alpn-01 challenge certificate. + + :param unicode domain: domain being validated, required. + :param string host: IP address used to probe the certificate. + :param int port: Port used to probe the certificate. + + """ + if host is None: + host = socket.gethostbyname(domain) + logger.debug('%s resolved to %s', domain, host) + if port is None: + port = self.PORT + + return crypto_util.probe_sni(host=host, port=port, name=domain, + alpn_protocols=[self.ACME_TLS_1_PROTOCOL]) + + def verify_cert(self, domain, cert): + """Verify tls-alpn-01 challenge certificate. + + :param unicode domain: Domain name being validated. + :param OpensSSL.crypto.X509 cert: Challenge certificate. + + :returns: Whether the certificate was successfully verified. + :rtype: bool + + """ + # pylint: disable=protected-access + names = crypto_util._pyopenssl_cert_or_req_all_names(cert) + logger.debug('Certificate %s. SANs: %s', cert.digest('sha256'), names) + if len(names) != 1 or names[0].lower() != domain.lower(): + return False + + for i in range(cert.get_extension_count()): + ext = cert.get_extension(i) + # FIXME: assume this is the ACME extension. Currently there is no + # way to get full OID of an unknown extension from pyopenssl. + if ext.get_short_name() == b'UNDEF': + data = ext.get_data() + return data == self.h + + return False + + # pylint: disable=too-many-arguments + def simple_verify(self, chall, domain, account_public_key, + cert=None, host=None, port=None): + """Simple verify. + + Verify ``validation`` using ``account_public_key``, optionally + probe tls-alpn-01 certificate and check using `verify_cert`. + + :param .challenges.TLSALPN01 chall: Corresponding challenge. + :param str domain: Domain name being validated. + :param JWK account_public_key: + :param OpenSSL.crypto.X509 cert: Optional certificate. If not + provided (``None``) certificate will be retrieved using + `probe_cert`. + :param string host: IP address used to probe the certificate. + :param int port: Port used to probe the certificate. + + + :returns: ``True`` iff client's control of the domain has been + verified. + :rtype: bool + + """ + if not self.verify(chall, account_public_key): + logger.debug("Verification of key authorization in response failed") + return False + + if cert is None: + try: + cert = self.probe_cert(domain=domain, host=host, port=port) + except errors.Error as error: + logger.debug(str(error), exc_info=True) + return False + + return self.verify_cert(cert, domain) + + +@Challenge.register # pylint: disable=too-many-ancestors +class TLSALPN01(KeyAuthorizationChallenge): + """ACME tls-alpn-01 challenge.""" + response_cls = TLSALPN01Response + typ = response_cls.typ + + def validation(self, account_key, **kwargs): + """Generate validation. + + :param JWK account_key: + :param OpenSSL.crypto.PKey cert_key: Optional private key used + in certificate generation. If not provided (``None``), then + fresh key will be generated. + + :rtype: `tuple` of `OpenSSL.crypto.X509` and `OpenSSL.crypto.PKey` + + """ + return self.response(account_key).gen_cert(key=kwargs.get('cert_key')) + + @Challenge.register # pylint: disable=too-many-ancestors class DNS(_TokenChallenge): """ACME "dns" challenge.""" diff --git a/acme/acme/challenges_test.py b/acme/acme/challenges_test.py index 834d569aa..b929d4939 100644 --- a/acme/acme/challenges_test.py +++ b/acme/acme/challenges_test.py @@ -393,6 +393,127 @@ class TLSSNI01Test(unittest.TestCase): mock_gen_cert.assert_called_once_with(key=mock.sentinel.cert_key) +class TLSALPN01ResponseTest(unittest.TestCase): + # pylint: disable=too-many-instance-attributes + + def setUp(self): + from acme.challenges import TLSALPN01 + self.chall = TLSALPN01( + token=jose.b64decode(b'a82d5ff8ef740d12881f6d3c2277ab2e')) + self.domain = u'example.com' + self.domain2 = u'example2.com' + + self.response = self.chall.response(KEY) + self.jmsg = { + 'resource': 'challenge', + 'type': 'tls-alpn-01', + 'keyAuthorization': self.response.key_authorization, + } + + def test_to_partial_json(self): + self.assertEqual(self.jmsg, self.response.to_partial_json()) + + def test_from_json(self): + from acme.challenges import TLSALPN01Response + self.assertEqual(self.response, TLSALPN01Response.from_json(self.jmsg)) + + def test_from_json_hashable(self): + from acme.challenges import TLSALPN01Response + hash(TLSALPN01Response.from_json(self.jmsg)) + + def test_gen_verify_cert(self): + key1 = test_util.load_pyopenssl_private_key('rsa512_key.pem') + cert, key2 = self.response.gen_cert(self.domain, key1) + self.assertEqual(key1, key2) + self.assertTrue(self.response.verify_cert(self.domain, cert)) + + def test_gen_verify_cert_gen_key(self): + cert, key = self.response.gen_cert(self.domain) + self.assertTrue(isinstance(key, OpenSSL.crypto.PKey)) + self.assertTrue(self.response.verify_cert(self.domain, cert)) + + def test_verify_bad_cert(self): + self.assertFalse(self.response.verify_cert(self.domain, + test_util.load_cert('cert.pem'))) + + def test_verify_bad_domain(self): + key1 = test_util.load_pyopenssl_private_key('rsa512_key.pem') + cert, key2 = self.response.gen_cert(self.domain, key1) + self.assertEqual(key1, key2) + self.assertFalse(self.response.verify_cert(self.domain2, cert)) + + def test_simple_verify_bad_key_authorization(self): + key2 = jose.JWKRSA.load(test_util.load_vector('rsa256_key.pem')) + self.response.simple_verify(self.chall, "local", key2.public_key()) + + @mock.patch('acme.challenges.TLSALPN01Response.verify_cert', autospec=True) + def test_simple_verify(self, mock_verify_cert): + mock_verify_cert.return_value = mock.sentinel.verification + self.assertEqual( + mock.sentinel.verification, self.response.simple_verify( + self.chall, self.domain, KEY.public_key(), + cert=mock.sentinel.cert)) + mock_verify_cert.assert_called_once_with( + self.response, mock.sentinel.cert, self.domain) + + @mock.patch('acme.challenges.socket.gethostbyname') + @mock.patch('acme.challenges.crypto_util.probe_sni') + def test_probe_cert(self, mock_probe_sni, mock_gethostbyname): + mock_gethostbyname.return_value = '127.0.0.1' + self.response.probe_cert('foo.com') + mock_gethostbyname.assert_called_once_with('foo.com') + mock_probe_sni.assert_called_once_with( + host='127.0.0.1', port=self.response.PORT, name='foo.com', + alpn_protocols=['acme-tls/1']) + + self.response.probe_cert('foo.com', host='8.8.8.8') + mock_probe_sni.assert_called_with( + host='8.8.8.8', port=mock.ANY, name='foo.com', + alpn_protocols=['acme-tls/1']) + + @mock.patch('acme.challenges.TLSALPN01Response.probe_cert') + def test_simple_verify_false_on_probe_error(self, mock_probe_cert): + mock_probe_cert.side_effect = errors.Error + self.assertFalse(self.response.simple_verify( + self.chall, self.domain, KEY.public_key())) + + +class TLSALPN01Test(unittest.TestCase): + + def setUp(self): + from acme.challenges import TLSALPN01 + self.msg = TLSALPN01( + token=jose.b64decode('a82d5ff8ef740d12881f6d3c2277ab2e')) + self.jmsg = { + 'type': 'tls-alpn-01', + 'token': 'a82d5ff8ef740d12881f6d3c2277ab2e', + } + + def test_to_partial_json(self): + self.assertEqual(self.jmsg, self.msg.to_partial_json()) + + def test_from_json(self): + from acme.challenges import TLSALPN01 + self.assertEqual(self.msg, TLSALPN01.from_json(self.jmsg)) + + def test_from_json_hashable(self): + from acme.challenges import TLSALPN01 + hash(TLSALPN01.from_json(self.jmsg)) + + def test_from_json_invalid_token_length(self): + from acme.challenges import TLSALPN01 + self.jmsg['token'] = jose.encode_b64jose(b'abcd') + self.assertRaises( + jose.DeserializationError, TLSALPN01.from_json, self.jmsg) + + @mock.patch('acme.challenges.TLSALPN01Response.gen_cert') + def test_validation(self, mock_gen_cert): + mock_gen_cert.return_value = ('cert', 'key') + self.assertEqual(('cert', 'key'), self.msg.validation( + KEY, cert_key=mock.sentinel.cert_key)) + mock_gen_cert.assert_called_once_with(key=mock.sentinel.cert_key) + + class DNSTest(unittest.TestCase): def setUp(self): diff --git a/acme/acme/crypto_util.py b/acme/acme/crypto_util.py index d0e203417..d25c2340b 100644 --- a/acme/acme/crypto_util.py +++ b/acme/acme/crypto_util.py @@ -31,6 +31,15 @@ logger = logging.getLogger(__name__) _DEFAULT_TLSSNI01_SSL_METHOD = SSL.SSLv23_METHOD # type: ignore +class _DefaultCertSelection(object): + def __init__(self, certs): + self.certs = certs + + def __call__(self, connection): + server_name = connection.get_servername() + return self.certs.get(server_name, None) + + class SSLSocket(object): # pylint: disable=too-few-public-methods """SSL wrapper for sockets. @@ -38,12 +47,25 @@ class SSLSocket(object): # pylint: disable=too-few-public-methods :ivar dict certs: Mapping from domain names (`bytes`) to `OpenSSL.crypto.X509`. :ivar method: See `OpenSSL.SSL.Context` for allowed values. + :ivar alpn_selection: Hook to select negotiated ALPN protocol for + connection. + :ivar cert_selection: Hook to select certificate for connection. If given, + `certs` parameter would be ignored, and therefore must be empty. """ - def __init__(self, sock, certs, method=_DEFAULT_TLSSNI01_SSL_METHOD): + def __init__(self, sock, certs=None, + method=_DEFAULT_TLSSNI01_SSL_METHOD, alpn_selection=None, + cert_selection=None): self.sock = sock - self.certs = certs + self.alpn_selection = alpn_selection self.method = method + if not cert_selection and not certs: + raise ValueError("Neither cert_selection or certs specified.") + if cert_selection and certs: + raise ValueError("Both cert_selection and certs specified.") + if cert_selection is None: + cert_selection = _DefaultCertSelection(certs) + self.cert_selection = cert_selection def __getattr__(self, name): return getattr(self.sock, name) @@ -60,18 +82,19 @@ class SSLSocket(object): # pylint: disable=too-few-public-methods :type connection: :class:`OpenSSL.Connection` """ - server_name = connection.get_servername() - try: - key, cert = self.certs[server_name] - except KeyError: - logger.debug("Server name (%s) not recognized, dropping SSL", - server_name) + pair = self.cert_selection(connection) + if pair is None: + logger.debug("Certificate selection for server name %s failed, dropping SSL", + connection.get_servername()) return + key, cert = pair new_context = SSL.Context(self.method) new_context.set_options(SSL.OP_NO_SSLv2) new_context.set_options(SSL.OP_NO_SSLv3) new_context.use_privatekey(key) new_context.use_certificate(cert) + if self.alpn_selection is not None: + new_context.set_alpn_select_callback(self.alpn_selection) connection.set_context(new_context) class FakeConnection(object): @@ -96,6 +119,8 @@ class SSLSocket(object): # pylint: disable=too-few-public-methods context.set_options(SSL.OP_NO_SSLv2) context.set_options(SSL.OP_NO_SSLv3) context.set_tlsext_servername_callback(self._pick_certificate_cb) + if self.alpn_selection is not None: + context.set_alpn_select_callback(self.alpn_selection) ssl_sock = self.FakeConnection(SSL.Connection(context, sock)) ssl_sock.set_accept_state() @@ -111,8 +136,9 @@ class SSLSocket(object): # pylint: disable=too-few-public-methods return ssl_sock, addr -def probe_sni(name, host, port=443, timeout=300, - method=_DEFAULT_TLSSNI01_SSL_METHOD, source_address=('', 0)): +def probe_sni(name, host, port=443, timeout=300, # pylint: disable=too-many-arguments + method=_DEFAULT_TLSSNI01_SSL_METHOD, source_address=('', 0), + alpn_protocols=None): """Probe SNI server for SSL certificate. :param bytes name: Byte string to send as the server name in the @@ -124,6 +150,8 @@ def probe_sni(name, host, port=443, timeout=300, :param tuple source_address: Enables multi-path probing (selection of source interface). See `socket.creation_connection` for more info. Available only in Python 2.7+. + :param alpn_protocols: Protocols to request using ALPN. + :type alpn_protocols: `list` of `bytes` :raises acme.errors.Error: In case of any problems. @@ -160,6 +188,8 @@ def probe_sni(name, host, port=443, timeout=300, client_ssl = SSL.Connection(context, client) client_ssl.set_connect_state() client_ssl.set_tlsext_host_name(name) # pyOpenSSL>=0.13 + if alpn_protocols is not None: + client_ssl.set_alpn_protos(alpn_protocols) try: client_ssl.do_handshake() client_ssl.shutdown() @@ -251,12 +281,14 @@ def _pyopenssl_cert_or_req_san(cert_or_req): def gen_ss_cert(key, domains, not_before=None, - validity=(7 * 24 * 60 * 60), force_san=True): + validity=(7 * 24 * 60 * 60), force_san=True, extensions=None): """Generate new self-signed certificate. :type domains: `list` of `unicode` :param OpenSSL.crypto.PKey key: :param bool force_san: + :param extensions: List of additional extensions to include in the cert. + :type extensions: `list` of `OpenSSL.crypto.X509Extension` If more than one domain is provided, all of the domains are put into ``subjectAltName`` X.509 extension and first domain is set as the @@ -269,10 +301,13 @@ def gen_ss_cert(key, domains, not_before=None, cert.set_serial_number(int(binascii.hexlify(os.urandom(16)), 16)) cert.set_version(2) - extensions = [ + if extensions is None: + extensions = [] + + extensions.append( crypto.X509Extension( b"basicConstraints", True, b"CA:TRUE, pathlen:0"), - ] + ) cert.get_subject().CN = domains[0] # TODO: what to put into cert.get_subject()? diff --git a/acme/acme/crypto_util_test.py b/acme/acme/crypto_util_test.py index 36d62b324..b661e4e70 100644 --- a/acme/acme/crypto_util_test.py +++ b/acme/acme/crypto_util_test.py @@ -19,7 +19,6 @@ from acme.magic_typing import List # pylint: disable=unused-import, no-name-in-m class SSLSocketAndProbeSNITest(unittest.TestCase): """Tests for acme.crypto_util.SSLSocket/probe_sni.""" - def setUp(self): self.cert = test_util.load_comparable_cert('rsa2048_cert.pem') key = test_util.load_pyopenssl_private_key('rsa2048_key.pem') @@ -34,7 +33,8 @@ class SSLSocketAndProbeSNITest(unittest.TestCase): # six.moves.* | pylint: disable=attribute-defined-outside-init,no-init def server_bind(self): # pylint: disable=missing-docstring - self.socket = SSLSocket(socket.socket(), certs=certs) + self.socket = SSLSocket(socket.socket(), + certs) socketserver.TCPServer.server_bind(self) self.server = _TestServer(('', 0), socketserver.BaseRequestHandler) @@ -66,6 +66,18 @@ class SSLSocketAndProbeSNITest(unittest.TestCase): # self.assertRaises(errors.Error, self._probe, b'bar') +class SSLSocketTest(unittest.TestCase): + """Tests for acme.crypto_util.SSLSocket.""" + + def test_ssl_socket_invalid_arguments(self): + from acme.crypto_util import SSLSocket + with self.assertRaises(ValueError): + _ = SSLSocket(None, {'sni': ('key', 'cert')}, + cert_selection=lambda _: None) + with self.assertRaises(ValueError): + _ = SSLSocket(None) + + class PyOpenSSLCertOrReqAllNamesTest(unittest.TestCase): """Test for acme.crypto_util._pyopenssl_cert_or_req_all_names.""" diff --git a/acme/acme/standalone.py b/acme/acme/standalone.py index ff9159933..3bcb0b230 100644 --- a/acme/acme/standalone.py +++ b/acme/acme/standalone.py @@ -43,7 +43,14 @@ class TLSServer(socketserver.TCPServer): def _wrap_sock(self): self.socket = crypto_util.SSLSocket( - self.socket, certs=self.certs, method=self.method) + self.socket, cert_selection=self._cert_selection, + alpn_selection=getattr(self, '_alpn_selection', None), + method=self.method) + + def _cert_selection(self, connection): + """Callback selecting certificate for connection.""" + server_name = connection.get_servername() + return self.certs.get(server_name, None) def server_bind(self): # pylint: disable=missing-docstring self._wrap_sock() @@ -147,6 +154,45 @@ class TLSSNI01DualNetworkedServers(BaseDualNetworkedServers): BaseDualNetworkedServers.__init__(self, TLSSNI01Server, *args, **kwargs) +class BadALPNProtos(Exception): + """Error raised when cannot negotiate ALPN protocol.""" + pass + + +class TLSALPN01Server(TLSServer, ACMEServerMixin): + """TLSALPN01 Server.""" + + ACME_TLS_1_PROTOCOL = b"acme-tls/1" + + def __init__(self, server_address, certs, challenge_certs, ipv6=False): + TLSServer.__init__( + self, server_address, BaseRequestHandlerWithLogging, certs=certs, + ipv6=ipv6) + self.challenge_certs = challenge_certs + + def _cert_selection(self, connection): + # TODO: We would like to serve challenge cert only if asked for it via + # ALPN. To do this, we need to retrieve the list of protos from client + # hello, but this is currently impossible with openssl [0], and ALPN + # negotiation is done after cert selection. + # Therefore, currently we always return challenge cert, and terminate + # handshake in alpn_selection() if ALPN protos are not what we expect. + # [0] https://github.com/openssl/openssl/issues/4952 + server_name = connection.get_servername() + logger.debug("Serving challenge cert for server name %s", server_name) + return self.challenge_certs.get(server_name, None) + + def _alpn_selection(self, _connection, alpn_protos): + """Callback to select alpn protocol.""" + if len(alpn_protos) == 1 and alpn_protos[0] == self.ACME_TLS_1_PROTOCOL: + logger.debug("Agreed on %s ALPN", self.ACME_TLS_1_PROTOCOL) + return self.ACME_TLS_1_PROTOCOL + # Raising an exception causes openssl to terminate handshake and + # send fatal tls alert. + logger.debug("Cannot agree on ALPN proto. Got: %s", str(alpn_protos)) + raise BadALPNProtos("Got: %s" % str(alpn_protos)) + + class BaseRequestHandlerWithLogging(socketserver.BaseRequestHandler): """BaseRequestHandler with logging.""" diff --git a/acme/acme/standalone_test.py b/acme/acme/standalone_test.py index 1591187e5..aee592187 100644 --- a/acme/acme/standalone_test.py +++ b/acme/acme/standalone_test.py @@ -10,6 +10,7 @@ import unittest from six.moves import http_client # pylint: disable=import-error from six.moves import socketserver # type: ignore # pylint: disable=import-error +from OpenSSL import SSL # type: ignore # https://github.com/python/typeshed/issues/2052 import josepy as jose import mock import requests @@ -119,6 +120,62 @@ class HTTP01ServerTest(unittest.TestCase): self.assertFalse(self._test_http01(add=False)) +@unittest.skipUnless( + hasattr(SSL.Connection, "set_alpn_protos") and + hasattr(SSL.Context, "set_alpn_select_callback"), + "pyOpenSSL too old") +class TLSALPN01ServerTest(unittest.TestCase): + """Test for acme.standalone.TLSALPN01Server.""" + + def setUp(self): + self.certs = {b'localhost': ( + test_util.load_pyopenssl_private_key('rsa2048_key.pem'), + test_util.load_cert('rsa2048_cert.pem'), + )} + # Use different certificate for challenge. + self.challenge_certs = {b'localhost': ( + test_util.load_pyopenssl_private_key('rsa1024_key.pem'), + test_util.load_cert('rsa1024_cert.pem'), + )} + from acme.standalone import TLSALPN01Server + self.server = TLSALPN01Server(("", 0), certs=self.certs, + challenge_certs=self.challenge_certs) + # pylint: disable=no-member + self.thread = threading.Thread(target=self.server.serve_forever) + self.thread.start() + + def tearDown(self): + self.server.shutdown() # pylint: disable=no-member + self.thread.join() + + #TODO: This is not implemented yet, see comments in standalone.py + #def test_certs(self): + # host, port = self.server.socket.getsockname()[:2] + # cert = crypto_util.probe_sni( + # b'localhost', host=host, port=port, timeout=1) + # # Expect normal cert when connecting without ALPN. + # self.assertEqual(jose.ComparableX509(cert), + # jose.ComparableX509(self.certs[b'localhost'][1])) + + def test_challenge_certs(self): + host, port = self.server.socket.getsockname()[:2] + cert = crypto_util.probe_sni( + b'localhost', host=host, port=port, timeout=1, + alpn_protocols=[b"acme-tls/1"]) + # Expect challenge cert when connecting with ALPN. + self.assertEqual( + jose.ComparableX509(cert), + jose.ComparableX509(self.challenge_certs[b'localhost'][1]) + ) + + def test_bad_alpn(self): + host, port = self.server.socket.getsockname()[:2] + with self.assertRaises(errors.Error): + crypto_util.probe_sni( + b'localhost', host=host, port=port, timeout=1, + alpn_protocols=[b"bad-alpn"]) + + class BaseDualNetworkedServersTest(unittest.TestCase): """Test for acme.standalone.BaseDualNetworkedServers.""" diff --git a/acme/acme/testdata/README b/acme/acme/testdata/README index dfe3f5405..d65cc3018 100644 --- a/acme/acme/testdata/README +++ b/acme/acme/testdata/README @@ -10,6 +10,8 @@ and for the CSR: openssl req -key rsa2048_key.pem -new -subj '/CN=example.com' -outform DER > csr.der -and for the certificate: +and for the certificates: - openssl req -key rsa2047_key.pem -new -subj '/CN=example.com' -x509 -outform DER > cert.der + openssl req -key rsa2048_key.pem -new -subj '/CN=example.com' -x509 -outform DER > cert.der + openssl req -key rsa2048_key.pem -new -subj '/CN=example.com' -x509 > rsa2048_cert.pem + openssl req -key rsa1024_key.pem -new -subj '/CN=example.com' -x509 > rsa1024_cert.pem diff --git a/acme/acme/testdata/rsa1024_cert.pem b/acme/acme/testdata/rsa1024_cert.pem new file mode 100644 index 000000000..1b7912181 --- /dev/null +++ b/acme/acme/testdata/rsa1024_cert.pem @@ -0,0 +1,13 @@ +-----BEGIN CERTIFICATE----- +MIIB/TCCAWagAwIBAgIJAOyRIBs3QT8QMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV +BAMMC2V4YW1wbGUuY29tMB4XDTE4MDQyMzEwMzE0NFoXDTE4MDUyMzEwMzE0NFow +FjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ +AoGBAJqJ87R8aVwByONxgQA9hwgvQd/QqI1r1UInXhEF2VnEtZGtUWLi100IpIqr +Mq4qusDwNZ3g8cUPtSkvJGs89djoajMDIJP7lQUEKUYnYrI0q755Tr/DgLWSk7iW +l5ezym0VzWUD0/xXUz8yRbNMTjTac80rS5SZk2ja2wWkYlRJAgMBAAGjUzBRMB0G +A1UdDgQWBBSsaX0IVZ4XXwdeffVAbG7gnxSYjTAfBgNVHSMEGDAWgBSsaX0IVZ4X +XwdeffVAbG7gnxSYjTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GB +ADe7SVmvGH2nkwVfONk8TauRUDkePN1CJZKFb2zW1uO9ANJ2v5Arm/OQp0BG/xnI +Djw/aLTNVESF89oe15dkrUErtcaF413MC1Ld5lTCaJLHLGqDKY69e02YwRuxW7jY +qarpt7k7aR5FbcfO5r4V/FK/Gvp4Dmoky8uap7SJIW6x +-----END CERTIFICATE----- From 236f9630e074ad45aa2b834483cbf373aae18566 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Mon, 4 Jun 2018 15:04:56 -0700 Subject: [PATCH 212/256] Remove unneeded sys import (#5873) * Remove unneeded sys import. Once upon a time we needed this in some of these setup.py files because we were using sys in the file, but we aren't anymore so let's remove the import. * use setuptools instead of distutils --- acme/setup.py | 2 -- certbot-apache/setup.py | 2 -- certbot-dns-cloudflare/setup.py | 2 -- certbot-dns-cloudxns/setup.py | 2 -- certbot-dns-digitalocean/setup.py | 2 -- certbot-dns-dnsimple/setup.py | 2 -- certbot-dns-dnsmadeeasy/setup.py | 2 -- certbot-dns-google/setup.py | 2 -- certbot-dns-luadns/setup.py | 2 -- certbot-dns-nsone/setup.py | 2 -- certbot-dns-rfc2136/setup.py | 2 -- certbot-dns-route53/setup.py | 4 +--- certbot-nginx/setup.py | 2 -- letshelp-certbot/setup.py | 2 -- setup.py | 1 - 15 files changed, 1 insertion(+), 30 deletions(-) diff --git a/acme/setup.py b/acme/setup.py index e91c36b3d..f8196e953 100644 --- a/acme/setup.py +++ b/acme/setup.py @@ -1,5 +1,3 @@ -import sys - from setuptools import setup from setuptools import find_packages diff --git a/certbot-apache/setup.py b/certbot-apache/setup.py index 0e4304300..59ca3ed4a 100644 --- a/certbot-apache/setup.py +++ b/certbot-apache/setup.py @@ -1,5 +1,3 @@ -import sys - from setuptools import setup from setuptools import find_packages diff --git a/certbot-dns-cloudflare/setup.py b/certbot-dns-cloudflare/setup.py index 8e1f9d28b..d80a1ae20 100644 --- a/certbot-dns-cloudflare/setup.py +++ b/certbot-dns-cloudflare/setup.py @@ -1,5 +1,3 @@ -import sys - from setuptools import setup from setuptools import find_packages diff --git a/certbot-dns-cloudxns/setup.py b/certbot-dns-cloudxns/setup.py index 05998ee6a..3bb7457e3 100644 --- a/certbot-dns-cloudxns/setup.py +++ b/certbot-dns-cloudxns/setup.py @@ -1,5 +1,3 @@ -import sys - from setuptools import setup from setuptools import find_packages diff --git a/certbot-dns-digitalocean/setup.py b/certbot-dns-digitalocean/setup.py index cd3b0613e..1d7c34197 100644 --- a/certbot-dns-digitalocean/setup.py +++ b/certbot-dns-digitalocean/setup.py @@ -1,5 +1,3 @@ -import sys - from setuptools import setup from setuptools import find_packages diff --git a/certbot-dns-dnsimple/setup.py b/certbot-dns-dnsimple/setup.py index 10ee710cd..9c678ec60 100644 --- a/certbot-dns-dnsimple/setup.py +++ b/certbot-dns-dnsimple/setup.py @@ -1,5 +1,3 @@ -import sys - from setuptools import setup from setuptools import find_packages diff --git a/certbot-dns-dnsmadeeasy/setup.py b/certbot-dns-dnsmadeeasy/setup.py index a7f44b989..66f3edd55 100644 --- a/certbot-dns-dnsmadeeasy/setup.py +++ b/certbot-dns-dnsmadeeasy/setup.py @@ -1,5 +1,3 @@ -import sys - from setuptools import setup from setuptools import find_packages diff --git a/certbot-dns-google/setup.py b/certbot-dns-google/setup.py index c171e5014..64b332b04 100644 --- a/certbot-dns-google/setup.py +++ b/certbot-dns-google/setup.py @@ -1,5 +1,3 @@ -import sys - from setuptools import setup from setuptools import find_packages diff --git a/certbot-dns-luadns/setup.py b/certbot-dns-luadns/setup.py index 2c0e35308..8df4f1735 100644 --- a/certbot-dns-luadns/setup.py +++ b/certbot-dns-luadns/setup.py @@ -1,5 +1,3 @@ -import sys - from setuptools import setup from setuptools import find_packages diff --git a/certbot-dns-nsone/setup.py b/certbot-dns-nsone/setup.py index 821a40655..4425ace16 100644 --- a/certbot-dns-nsone/setup.py +++ b/certbot-dns-nsone/setup.py @@ -1,5 +1,3 @@ -import sys - from setuptools import setup from setuptools import find_packages diff --git a/certbot-dns-rfc2136/setup.py b/certbot-dns-rfc2136/setup.py index 21d9dec29..6ced18b5d 100644 --- a/certbot-dns-rfc2136/setup.py +++ b/certbot-dns-rfc2136/setup.py @@ -1,5 +1,3 @@ -import sys - from setuptools import setup from setuptools import find_packages diff --git a/certbot-dns-route53/setup.py b/certbot-dns-route53/setup.py index 083cd15ae..9ee587c4e 100644 --- a/certbot-dns-route53/setup.py +++ b/certbot-dns-route53/setup.py @@ -1,6 +1,4 @@ -import sys - -from distutils.core import setup +from setuptools import setup from setuptools import find_packages version = '0.25.0.dev0' diff --git a/certbot-nginx/setup.py b/certbot-nginx/setup.py index 6889d06e4..067f280d4 100644 --- a/certbot-nginx/setup.py +++ b/certbot-nginx/setup.py @@ -1,5 +1,3 @@ -import sys - from setuptools import setup from setuptools import find_packages diff --git a/letshelp-certbot/setup.py b/letshelp-certbot/setup.py index b5be07a59..28ce0e962 100644 --- a/letshelp-certbot/setup.py +++ b/letshelp-certbot/setup.py @@ -1,5 +1,3 @@ -import sys - from setuptools import setup from setuptools import find_packages diff --git a/setup.py b/setup.py index ee0470d3a..e32925583 100644 --- a/setup.py +++ b/setup.py @@ -1,7 +1,6 @@ import codecs import os import re -import sys from setuptools import setup from setuptools import find_packages From 8e4303af9f30f514fce04b88bff70b6bbb9d43c8 Mon Sep 17 00:00:00 2001 From: ohemorange Date: Mon, 4 Jun 2018 16:04:47 -0700 Subject: [PATCH 213/256] Reuse ACMEv1 accounts for ACMEv2 (#5902) * Reuse ACMEv1 accounts for ACMEv2 * Correct behavior * add unit tests * add _find_all_inner to comply with interface * acme-staging-v01 --> acme-staging * only create symlink to previous account if there is one there * recurse on server path * update tests and change internal use of load to use server_path * fail gracefully on corrupted account file by returning [] when rmdir fails * only reuse accounts in staging for now --- certbot/account.py | 42 ++++++++++++++++++++---- certbot/configuration.py | 6 +++- certbot/constants.py | 6 ++++ certbot/tests/account_test.py | 62 ++++++++++++++++++++++++++++++++++- 4 files changed, 108 insertions(+), 8 deletions(-) diff --git a/certbot/account.py b/certbot/account.py index 70d9a7fc3..c4eeb1388 100644 --- a/certbot/account.py +++ b/certbot/account.py @@ -16,6 +16,7 @@ import zope.component from acme import fields as acme_fields from acme import messages +from certbot import constants from certbot import errors from certbot import interfaces from certbot import util @@ -142,7 +143,11 @@ class AccountFileStorage(interfaces.AccountStorage): self.config.strict_permissions) def _account_dir_path(self, account_id): - return os.path.join(self.config.accounts_dir, account_id) + return self._account_dir_path_for_server_path(account_id, self.config.server_path) + + def _account_dir_path_for_server_path(self, account_id, server_path): + accounts_dir = self.config.accounts_dir_for_server_path(server_path) + return os.path.join(accounts_dir, account_id) @classmethod def _regr_path(cls, account_dir_path): @@ -156,22 +161,44 @@ class AccountFileStorage(interfaces.AccountStorage): def _metadata_path(cls, account_dir_path): return os.path.join(account_dir_path, "meta.json") - def find_all(self): + def _find_all_for_server_path(self, server_path): + accounts_dir = self.config.accounts_dir_for_server_path(server_path) try: - candidates = os.listdir(self.config.accounts_dir) + candidates = os.listdir(accounts_dir) except OSError: return [] accounts = [] for account_id in candidates: try: - accounts.append(self.load(account_id)) + accounts.append(self._load_for_server_path(account_id, server_path)) except errors.AccountStorageError: logger.debug("Account loading problem", exc_info=True) + + + if not accounts and server_path in constants.LE_REUSE_SERVERS: + # find all for the next link down + prev_server_path = constants.LE_REUSE_SERVERS[server_path] + prev_accounts = self._find_all_for_server_path(prev_server_path) + # if we found something, link to that + if prev_accounts: + if os.path.islink(accounts_dir): + os.unlink(accounts_dir) + else: + try: + os.rmdir(accounts_dir) + except OSError: + return [] + prev_account_dir = self.config.accounts_dir_for_server_path(prev_server_path) + os.symlink(prev_account_dir, accounts_dir) + accounts = prev_accounts return accounts - def load(self, account_id): - account_dir_path = self._account_dir_path(account_id) + def find_all(self): + return self._find_all_for_server_path(self.config.server_path) + + def _load_for_server_path(self, account_id, server_path): + account_dir_path = self._account_dir_path_for_server_path(account_id, server_path) if not os.path.isdir(account_dir_path): raise errors.AccountNotFound( "Account at %s does not exist" % account_dir_path) @@ -193,6 +220,9 @@ class AccountFileStorage(interfaces.AccountStorage): account_id, acc.id)) return acc + def load(self, account_id): + return self._load_for_server_path(account_id, self.config.server_path) + def save(self, account, acme): self._save(account, acme, regr_only=False) diff --git a/certbot/configuration.py b/certbot/configuration.py index 297795609..daf514be8 100644 --- a/certbot/configuration.py +++ b/certbot/configuration.py @@ -65,8 +65,12 @@ class NamespaceConfig(object): @property def accounts_dir(self): # pylint: disable=missing-docstring + return self.accounts_dir_for_server_path(self.server_path) + + def accounts_dir_for_server_path(self, server_path): + """Path to accounts directory based on server_path""" return os.path.join( - self.namespace.config_dir, constants.ACCOUNTS_DIR, self.server_path) + self.namespace.config_dir, constants.ACCOUNTS_DIR, server_path) @property def backup_dir(self): # pylint: disable=missing-docstring diff --git a/certbot/constants.py b/certbot/constants.py index 1dd25e799..c6746e888 100644 --- a/certbot/constants.py +++ b/certbot/constants.py @@ -158,6 +158,12 @@ CONFIG_DIRS_MODE = 0o755 ACCOUNTS_DIR = "accounts" """Directory where all accounts are saved.""" +LE_REUSE_SERVERS = { + 'acme-staging-v02.api.letsencrypt.org/directory': + 'acme-staging.api.letsencrypt.org/directory' +} +"""Servers that can reuse accounts from other servers.""" + BACKUP_DIR = "backups" """Directory (relative to `IConfig.work_dir`) where backups are kept.""" diff --git a/certbot/tests/account_test.py b/certbot/tests/account_test.py index 8ebda56af..a8059fbcf 100644 --- a/certbot/tests/account_test.py +++ b/certbot/tests/account_test.py @@ -95,6 +95,7 @@ class AccountMemoryStorageTest(unittest.TestCase): class AccountFileStorageTest(test_util.ConfigTestCase): """Tests for certbot.account.AccountFileStorage.""" + #pylint: disable=too-many-public-methods def setUp(self): super(AccountFileStorageTest, self).setUp() @@ -159,7 +160,8 @@ class AccountFileStorageTest(test_util.ConfigTestCase): self.assertEqual([], self.storage.find_all()) def test_find_all_load_skips(self): - self.storage.load = mock.MagicMock( + # pylint: disable=protected-access + self.storage._load_for_server_path = mock.MagicMock( side_effect=["x", errors.AccountStorageError, "z"]) with mock.patch("certbot.account.os.listdir") as mock_listdir: mock_listdir.return_value = ["x", "y", "z"] @@ -175,6 +177,64 @@ class AccountFileStorageTest(test_util.ConfigTestCase): self.assertRaises(errors.AccountStorageError, self.storage.load, "x" + self.acc.id) + def _set_server(self, server): + self.config.server = server + from certbot.account import AccountFileStorage + self.storage = AccountFileStorage(self.config) + + def test_find_all_neither_exists(self): + self._set_server('https://acme-staging-v02.api.letsencrypt.org/directory') + self.assertEqual([], self.storage.find_all()) + self.assertEqual([], self.storage.find_all()) + self.assertFalse(os.path.islink(self.config.accounts_dir)) + + def test_find_all_find_before_save(self): + self._set_server('https://acme-staging-v02.api.letsencrypt.org/directory') + self.assertEqual([], self.storage.find_all()) + self.storage.save(self.acc, self.mock_client) + self.assertEqual([self.acc], self.storage.find_all()) + self.assertEqual([self.acc], self.storage.find_all()) + self.assertFalse(os.path.islink(self.config.accounts_dir)) + # we shouldn't have created a v1 account + prev_server_path = 'https://acme-staging.api.letsencrypt.org/directory' + self.assertFalse(os.path.isdir(self.config.accounts_dir_for_server_path(prev_server_path))) + + def test_find_all_save_before_find(self): + self._set_server('https://acme-staging-v02.api.letsencrypt.org/directory') + self.storage.save(self.acc, self.mock_client) + self.assertEqual([self.acc], self.storage.find_all()) + self.assertEqual([self.acc], self.storage.find_all()) + self.assertFalse(os.path.islink(self.config.accounts_dir)) + self.assertTrue(os.path.isdir(self.config.accounts_dir)) + prev_server_path = 'https://acme-staging.api.letsencrypt.org/directory' + self.assertFalse(os.path.isdir(self.config.accounts_dir_for_server_path(prev_server_path))) + + def test_find_all_server_downgrade(self): + # don't use v2 accounts with a v1 url + self._set_server('https://acme-staging-v02.api.letsencrypt.org/directory') + self.assertEqual([], self.storage.find_all()) + self.storage.save(self.acc, self.mock_client) + self.assertEqual([self.acc], self.storage.find_all()) + self._set_server('https://acme-staging.api.letsencrypt.org/directory') + self.assertEqual([], self.storage.find_all()) + + def test_upgrade_version(self): + self._set_server('https://acme-staging.api.letsencrypt.org/directory') + self.storage.save(self.acc, self.mock_client) + self._set_server('https://acme-staging-v02.api.letsencrypt.org/directory') + self.assertEqual([self.acc], self.storage.find_all()) + + @mock.patch('os.rmdir') + def test_corrupted_account(self, mock_rmdir): + # pylint: disable=protected-access + self._set_server('https://acme-staging.api.letsencrypt.org/directory') + self.storage.save(self.acc, self.mock_client) + mock_rmdir.side_effect = OSError + self.storage._load_for_server_path = mock.MagicMock( + side_effect=errors.AccountStorageError) + self._set_server('https://acme-staging-v02.api.letsencrypt.org/directory') + self.assertEqual([], self.storage.find_all()) + def test_load_ioerror(self): self.storage.save(self.acc, self.mock_client) mock_open = mock.mock_open() From 09a28c7a27fd01d1517e6381ffb37501bffca292 Mon Sep 17 00:00:00 2001 From: sydneyli Date: Mon, 4 Jun 2018 17:44:51 -0700 Subject: [PATCH 214/256] Allow multiple add_headers directives (#6068) * fix(nginx-hsts): allow multiple add_headers * test(nginx): fix nginx tests --- certbot-nginx/certbot_nginx/parser.py | 2 +- .../certbot_nginx/tests/configurator_test.py | 15 ++++++++++++--- certbot-nginx/certbot_nginx/tests/parser_test.py | 5 +++-- .../testdata/etc_nginx/sites-enabled/headers.com | 4 ++++ 4 files changed, 20 insertions(+), 6 deletions(-) create mode 100644 certbot-nginx/certbot_nginx/tests/testdata/etc_nginx/sites-enabled/headers.com diff --git a/certbot-nginx/certbot_nginx/parser.py b/certbot-nginx/certbot_nginx/parser.py index 5bc7946dc..7d1da2e73 100644 --- a/certbot-nginx/certbot_nginx/parser.py +++ b/certbot-nginx/certbot_nginx/parser.py @@ -566,7 +566,7 @@ def _update_or_add_directives(directives, insert_at_top, block): INCLUDE = 'include' -REPEATABLE_DIRECTIVES = set(['server_name', 'listen', INCLUDE, 'rewrite']) +REPEATABLE_DIRECTIVES = set(['server_name', 'listen', INCLUDE, 'rewrite', 'add_header']) COMMENT = ' managed by Certbot' COMMENT_BLOCK = [' ', '#', COMMENT] diff --git a/certbot-nginx/certbot_nginx/tests/configurator_test.py b/certbot-nginx/certbot_nginx/tests/configurator_test.py index e88dcb8e0..0668a38c9 100644 --- a/certbot-nginx/certbot_nginx/tests/configurator_test.py +++ b/certbot-nginx/certbot_nginx/tests/configurator_test.py @@ -47,7 +47,7 @@ class NginxConfiguratorTest(util.NginxTest): def test_prepare(self): self.assertEqual((1, 6, 2), self.config.version) - self.assertEqual(10, len(self.config.parser.parsed)) + self.assertEqual(11, len(self.config.parser.parsed)) @mock.patch("certbot_nginx.configurator.util.exe_exists") @mock.patch("certbot_nginx.configurator.subprocess.Popen") @@ -91,7 +91,8 @@ class NginxConfiguratorTest(util.NginxTest): self.assertEqual(names, set( ["155.225.50.69.nephoscale.net", "www.example.org", "another.alias", "migration.com", "summer.com", "geese.com", "sslon.com", - "globalssl.com", "globalsslsetssl.com", "ipv6.com", "ipv6ssl.com"])) + "globalssl.com", "globalsslsetssl.com", "ipv6.com", "ipv6ssl.com", + "headers.com"])) def test_supported_enhancements(self): self.assertEqual(['redirect', 'ensure-http-header', 'staple-ocsp'], @@ -548,6 +549,14 @@ class NginxConfiguratorTest(util.NginxTest): generated_conf = self.config.parser.parsed[example_conf] self.assertTrue(util.contains_at_depth(generated_conf, expected, 2)) + def test_multiple_headers_hsts(self): + headers_conf = self.config.parser.abs_path('sites-enabled/headers.com') + self.config.enhance("headers.com", "ensure-http-header", + "Strict-Transport-Security") + expected = ['add_header', 'Strict-Transport-Security', '"max-age=31536000"', 'always'] + generated_conf = self.config.parser.parsed[headers_conf] + self.assertTrue(util.contains_at_depth(generated_conf, expected, 2)) + def test_http_header_hsts_twice(self): self.config.enhance("www.example.com", "ensure-http-header", "Strict-Transport-Security") @@ -852,7 +861,7 @@ class NginxConfiguratorTest(util.NginxTest): prefer_ssl=False, no_ssl_filter_port='80') # Check that the dialog was called with only port 80 vhosts - self.assertEqual(len(mock_select_vhs.call_args[0][0]), 4) + self.assertEqual(len(mock_select_vhs.call_args[0][0]), 5) class InstallSslOptionsConfTest(util.NginxTest): diff --git a/certbot-nginx/certbot_nginx/tests/parser_test.py b/certbot-nginx/certbot_nginx/tests/parser_test.py index 5a37c9565..f6f28e42b 100644 --- a/certbot-nginx/certbot_nginx/tests/parser_test.py +++ b/certbot-nginx/certbot_nginx/tests/parser_test.py @@ -49,6 +49,7 @@ class NginxParserTest(util.NginxTest): #pylint: disable=too-many-public-methods ['foo.conf', 'nginx.conf', 'server.conf', 'sites-enabled/default', 'sites-enabled/example.com', + 'sites-enabled/headers.com', 'sites-enabled/migration.com', 'sites-enabled/sslon.com', 'sites-enabled/globalssl.com', @@ -77,7 +78,7 @@ class NginxParserTest(util.NginxTest): #pylint: disable=too-many-public-methods parsed = nparser._parse_files(nparser.abs_path( 'sites-enabled/example.com.test')) self.assertEqual(3, len(glob.glob(nparser.abs_path('*.test')))) - self.assertEqual(7, len( + self.assertEqual(8, len( glob.glob(nparser.abs_path('sites-enabled/*.test')))) self.assertEqual([[['server'], [['listen', '69.50.225.155:9000'], ['listen', '127.0.0.1'], @@ -160,7 +161,7 @@ class NginxParserTest(util.NginxTest): #pylint: disable=too-many-public-methods '*.www.example.com']), [], [2, 1, 0]) - self.assertEqual(12, len(vhosts)) + self.assertEqual(13, len(vhosts)) example_com = [x for x in vhosts if 'example.com' in x.filep][0] self.assertEqual(vhost3, example_com) default = [x for x in vhosts if 'default' in x.filep][0] diff --git a/certbot-nginx/certbot_nginx/tests/testdata/etc_nginx/sites-enabled/headers.com b/certbot-nginx/certbot_nginx/tests/testdata/etc_nginx/sites-enabled/headers.com new file mode 100644 index 000000000..6c032928c --- /dev/null +++ b/certbot-nginx/certbot_nginx/tests/testdata/etc_nginx/sites-enabled/headers.com @@ -0,0 +1,4 @@ +server { + server_name headers.com; + add_header X-Content-Type-Options nosniff; +} From d905886f4c63d1546ff723a909a088ab9334b91f Mon Sep 17 00:00:00 2001 From: ohemorange Date: Tue, 5 Jun 2018 13:40:48 -0700 Subject: [PATCH 215/256] Automatically select among default vhosts if we have a port preference in nginx (#5944) * automatically select among default vhosts if we have a port preference * ports should be strings in the nginx plugin * clarify port vs preferred_port behavior by adding allow_port_mismatch flag * update all instances of default_vhosts to all_default_vhosts * require port * port should never be None in _get_default_vhost --- certbot-nginx/certbot_nginx/configurator.py | 31 ++++++++++++------- .../certbot_nginx/tests/configurator_test.py | 7 +++++ 2 files changed, 27 insertions(+), 11 deletions(-) diff --git a/certbot-nginx/certbot_nginx/configurator.py b/certbot-nginx/certbot_nginx/configurator.py index 293f7378e..41b5124b8 100644 --- a/certbot-nginx/certbot_nginx/configurator.py +++ b/certbot-nginx/certbot_nginx/configurator.py @@ -289,7 +289,8 @@ class NginxConfigurator(common.Installer): if not vhosts: if create_if_no_match: # result will not be [None] because it errors on failure - vhosts = [self._vhost_from_duplicated_default(target_name)] + vhosts = [self._vhost_from_duplicated_default(target_name, True, + str(self.config.tls_sni_01_port))] else: # No matches. Raise a misconfiguration error. raise errors.MisconfigurationError( @@ -332,9 +333,12 @@ class NginxConfigurator(common.Installer): ipv6only_present = True return (ipv6_active, ipv6only_present) - def _vhost_from_duplicated_default(self, domain, port=None): + def _vhost_from_duplicated_default(self, domain, allow_port_mismatch, port): + """if allow_port_mismatch is False, only server blocks with matching ports will be + used as a default server block template. + """ if self.new_vhost is None: - default_vhost = self._get_default_vhost(port, domain) + default_vhost = self._get_default_vhost(domain, allow_port_mismatch, port) self.new_vhost = self.parser.duplicate_vhost(default_vhost, remove_singleton_listen_params=True) self.new_vhost.names = set() @@ -350,19 +354,24 @@ class NginxConfigurator(common.Installer): name_block[0].append(name) self.parser.update_or_add_server_directives(vhost, name_block) - def _get_default_vhost(self, port, domain): + def _get_default_vhost(self, domain, allow_port_mismatch, port): + """Helper method for _vhost_from_duplicated_default; see argument documentation there""" vhost_list = self.parser.get_vhosts() # if one has default_server set, return that one - default_vhosts = [] + all_default_vhosts = [] + port_matching_vhosts = [] for vhost in vhost_list: for addr in vhost.addrs: if addr.default: - if port is None or self._port_matches(port, addr.get_port()): - default_vhosts.append(vhost) - break + all_default_vhosts.append(vhost) + if self._port_matches(port, addr.get_port()): + port_matching_vhosts.append(vhost) + break - if len(default_vhosts) == 1: - return default_vhosts[0] + if len(port_matching_vhosts) == 1: + return port_matching_vhosts[0] + elif len(all_default_vhosts) == 1 and allow_port_mismatch: + return all_default_vhosts[0] # TODO: present a list of vhosts for user to choose from @@ -471,7 +480,7 @@ class NginxConfigurator(common.Installer): matches = self._get_redirect_ranked_matches(target_name, port) vhosts = [x for x in [self._select_best_name_match(matches)]if x is not None] if not vhosts and create_if_no_match: - vhosts = [self._vhost_from_duplicated_default(target_name, port=port)] + vhosts = [self._vhost_from_duplicated_default(target_name, False, port)] return vhosts def _port_matches(self, test_port, matching_port): diff --git a/certbot-nginx/certbot_nginx/tests/configurator_test.py b/certbot-nginx/certbot_nginx/tests/configurator_test.py index 0668a38c9..9386c3cd9 100644 --- a/certbot-nginx/certbot_nginx/tests/configurator_test.py +++ b/certbot-nginx/certbot_nginx/tests/configurator_test.py @@ -731,6 +731,13 @@ class NginxConfiguratorTest(util.NginxTest): "www.nomatch.com", "example/cert.pem", "example/key.pem", "example/chain.pem", "example/fullchain.pem") + def test_deploy_no_match_multiple_defaults_ok(self): + foo_conf = self.config.parser.abs_path('foo.conf') + self.config.parser.parsed[foo_conf][2][1][0][1][0][1] = '*:5001' + self.config.version = (1, 3, 1) + self.config.deploy_cert("www.nomatch.com", "example/cert.pem", "example/key.pem", + "example/chain.pem", "example/fullchain.pem") + def test_deploy_no_match_add_redirect(self): default_conf = self.config.parser.abs_path('sites-enabled/default') foo_conf = self.config.parser.abs_path('foo.conf') From 868e5b831b27ac07cb4a73e04ed9e6fac5987fc7 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Tue, 5 Jun 2018 17:59:11 -0700 Subject: [PATCH 216/256] Make python setup.py test use pytest for acme (#6072) --- acme/setup.py | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/acme/setup.py b/acme/setup.py index f8196e953..0fb4d8fff 100644 --- a/acme/setup.py +++ b/acme/setup.py @@ -1,6 +1,7 @@ from setuptools import setup from setuptools import find_packages - +from setuptools.command.test import test as TestCommand +import sys version = '0.25.0.dev0' @@ -33,6 +34,19 @@ docs_extras = [ 'sphinx_rtd_theme', ] +class PyTest(TestCommand): + user_options = [] + + def initialize_options(self): + TestCommand.initialize_options(self) + self.pytest_args = '' + + def run_tests(self): + import shlex + # import here, cause outside the eggs aren't loaded + import pytest + errno = pytest.main(shlex.split(self.pytest_args)) + sys.exit(errno) setup( name='acme', @@ -65,5 +79,7 @@ setup( 'dev': dev_extras, 'docs': docs_extras, }, + tests_require=["pytest"], test_suite='acme', + cmdclass={"test": PyTest}, ) From 3cffe1449c4e9166b65eaed75022d73b7ad79328 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Wed, 6 Jun 2018 07:58:50 -0700 Subject: [PATCH 217/256] Revert "switch signature verification to use pure cryptography (#6000)" (#6074) This reverts commit 366c50e28ee865f697f9e32e5b86e49dbf3ec5a2. --- certbot/crypto_util.py | 36 +++++-------------- certbot/tests/crypto_util_test.py | 10 ------ .../tests/testdata/cert-nosans_nistp256.pem | 11 ------ .../tests/testdata/csr-nosans_nistp256.pem | 8 ----- certbot/tests/testdata/nistp256_key.pem | 5 --- 5 files changed, 9 insertions(+), 61 deletions(-) delete mode 100644 certbot/tests/testdata/cert-nosans_nistp256.pem delete mode 100644 certbot/tests/testdata/csr-nosans_nistp256.pem delete mode 100644 certbot/tests/testdata/nistp256_key.pem diff --git a/certbot/crypto_util.py b/certbot/crypto_util.py index 71f6c990c..b5ad16db1 100644 --- a/certbot/crypto_util.py +++ b/certbot/crypto_util.py @@ -12,16 +12,11 @@ import os import pyrfc3339 import six import zope.component -from cryptography.exceptions import InvalidSignature -from cryptography.hazmat.backends import default_backend -from cryptography.hazmat.primitives.asymmetric.ec import ECDSA -from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePublicKey -from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15 -from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey -# https://github.com/python/typeshed/tree/master/third_party/2/cryptography -from cryptography import x509 # type: ignore from OpenSSL import crypto from OpenSSL import SSL # type: ignore +from cryptography.hazmat.backends import default_backend +# https://github.com/python/typeshed/tree/master/third_party/2/cryptography +from cryptography import x509 # type: ignore from acme import crypto_util as acme_crypto_util from acme.magic_typing import IO # pylint: disable=unused-import, no-name-in-module @@ -233,26 +228,13 @@ def verify_renewable_cert_sig(renewable_cert): """ try: with open(renewable_cert.chain, 'rb') as chain_file: # type: IO[bytes] - chain = x509.load_pem_x509_certificate(chain_file.read(), default_backend()) + chain, _ = pyopenssl_load_certificate(chain_file.read()) with open(renewable_cert.cert, 'rb') as cert_file: # type: IO[bytes] - cert = x509.load_pem_x509_certificate(cert_file.read(), default_backend()) - pk = chain.public_key() - if isinstance(pk, RSAPublicKey): - # https://github.com/python/typeshed/blob/master/third_party/2/cryptography/hazmat/primitives/asymmetric/rsa.pyi - verifier = pk.verifier( # type: ignore - cert.signature, PKCS1v15(), cert.signature_hash_algorithm - ) - verifier.update(cert.tbs_certificate_bytes) - verifier.verify() - elif isinstance(pk, EllipticCurvePublicKey): - verifier = pk.verifier( - cert.signature, ECDSA(cert.signature_hash_algorithm) - ) - verifier.update(cert.tbs_certificate_bytes) - verifier.verify() - else: - raise errors.Error("Unsupported public key type") - except (IOError, ValueError, InvalidSignature) as e: + cert = x509.load_pem_x509_certificate( + cert_file.read(), default_backend()) + hash_name = cert.signature_hash_algorithm.name + crypto.verify(chain, cert.signature, cert.tbs_certificate_bytes, hash_name) + except (IOError, ValueError, crypto.Error) as e: error_str = "verifying the signature of the cert located at {0} has failed. \ Details: {1}".format(renewable_cert.cert, e) logger.exception(error_str) diff --git a/certbot/tests/crypto_util_test.py b/certbot/tests/crypto_util_test.py index baf14b2ef..2fe0e3d30 100644 --- a/certbot/tests/crypto_util_test.py +++ b/certbot/tests/crypto_util_test.py @@ -21,9 +21,6 @@ CERT_PATH = test_util.vector_path('cert_512.pem') CERT = test_util.load_vector('cert_512.pem') SS_CERT_PATH = test_util.vector_path('cert_2048.pem') SS_CERT = test_util.load_vector('cert_2048.pem') -P256_KEY = test_util.load_vector('nistp256_key.pem') -P256_CERT_PATH = test_util.vector_path('cert-nosans_nistp256.pem') -P256_CERT = test_util.load_vector('cert-nosans_nistp256.pem') class InitSaveKeyTest(test_util.TempDirTestCase): """Tests for certbot.crypto_util.init_save_key.""" @@ -220,13 +217,6 @@ class VerifyRenewableCertSigTest(VerifyCertSetup): def test_cert_sig_match(self): self.assertEqual(None, self._call(self.renewable_cert)) - def test_cert_sig_match_ec(self): - renewable_cert = mock.MagicMock() - renewable_cert.cert = P256_CERT_PATH - renewable_cert.chain = P256_CERT_PATH - renewable_cert.privkey = P256_KEY - self.assertEqual(None, self._call(renewable_cert)) - def test_cert_sig_mismatch(self): self.bad_renewable_cert.cert = test_util.vector_path('cert_512_bad.pem') self.assertRaises(errors.Error, self._call, self.bad_renewable_cert) diff --git a/certbot/tests/testdata/cert-nosans_nistp256.pem b/certbot/tests/testdata/cert-nosans_nistp256.pem deleted file mode 100644 index 4ec3f24ce..000000000 --- a/certbot/tests/testdata/cert-nosans_nistp256.pem +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIBoDCCAUYCCQDCnzfUZ7TQdDAKBggqhkjOPQQDAjBYMQswCQYDVQQGEwJVUzER -MA8GA1UECAwITWljaGlnYW4xEjAQBgNVBAcMCUFubiBBcmJvcjEMMAoGA1UECgwD -RUZGMRQwEgYDVQQDDAtleGFtcGxlLmNvbTAeFw0xODA1MTUxNzIyMzlaFw0xODA2 -MTQxNzIyMzlaMFgxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhNaWNoaWdhbjESMBAG -A1UEBwwJQW5uIEFyYm9yMQwwCgYDVQQKDANFRkYxFDASBgNVBAMMC2V4YW1wbGUu -Y29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPPl0JauSZukvAUWv4l5VNLAY -QXhuPXYQBf4dVET3s0E5q9ZCbSe+pNUbko9F+TFkuc7XVjQPsfkDbh0I9nD0tzAK -BggqhkjOPQQDAgNIADBFAiEAv8S2GXmWJqZ+j3DBfm72E1YK+HkOf+TOUHsbVR+O -Z1oCIFWNt1SPdIgRp4QAyzVk2pcTF8jDNajEMLWETDtxgRvM ------END CERTIFICATE----- diff --git a/certbot/tests/testdata/csr-nosans_nistp256.pem b/certbot/tests/testdata/csr-nosans_nistp256.pem deleted file mode 100644 index 2f0a671ed..000000000 --- a/certbot/tests/testdata/csr-nosans_nistp256.pem +++ /dev/null @@ -1,8 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIIBFDCBugIBADBYMQswCQYDVQQGEwJVUzERMA8GA1UECAwITWljaGlnYW4xEjAQ -BgNVBAcMCUFubiBBcmJvcjEMMAoGA1UECgwDRUZGMRQwEgYDVQQDDAtleGFtcGxl -LmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDz5dCWrkmbpLwFFr+JeVTSw -GEF4bj12EAX+HVRE97NBOavWQm0nvqTVG5KPRfkxZLnO11Y0D7H5A24dCPZw9Leg -ADAKBggqhkjOPQQDAgNJADBGAiEAuoZHrYA5sy2DRTdLAxJTBNHKFFKbtaGt+QaJ -A62qa8sCIQCUkSgSAiNaEnJ7r5fKphdjeORHqhpl6flYkLE3lGmGdg== ------END CERTIFICATE REQUEST----- diff --git a/certbot/tests/testdata/nistp256_key.pem b/certbot/tests/testdata/nistp256_key.pem deleted file mode 100644 index 4be37e49b..000000000 --- a/certbot/tests/testdata/nistp256_key.pem +++ /dev/null @@ -1,5 +0,0 @@ ------BEGIN EC PRIVATE KEY----- -MHcCAQEEIOvXH384CyNNv2lfxvjc7hg2f7ScYoLvlk/VpINLJlGBoAoGCCqGSM49 -AwEHoUQDQgAEPPl0JauSZukvAUWv4l5VNLAYQXhuPXYQBf4dVET3s0E5q9ZCbSe+ -pNUbko9F+TFkuc7XVjQPsfkDbh0I9nD0tw== ------END EC PRIVATE KEY----- From 4ae2390c441f5e2e276ffb0460f097af1c325846 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Wed, 6 Jun 2018 13:50:30 -0700 Subject: [PATCH 218/256] Release 0.25.0 --- acme/setup.py | 2 +- certbot-apache/setup.py | 2 +- certbot-auto | 47 +++++++++++------- certbot-compatibility-test/setup.py | 2 +- certbot-dns-cloudflare/setup.py | 2 +- certbot-dns-cloudxns/setup.py | 2 +- certbot-dns-digitalocean/setup.py | 2 +- certbot-dns-dnsimple/setup.py | 2 +- certbot-dns-dnsmadeeasy/setup.py | 2 +- certbot-dns-google/setup.py | 2 +- certbot-dns-luadns/setup.py | 2 +- certbot-dns-nsone/setup.py | 2 +- certbot-dns-rfc2136/setup.py | 2 +- certbot-dns-route53/setup.py | 2 +- certbot-nginx/setup.py | 2 +- certbot/__init__.py | 2 +- docs/cli-help.txt | 29 +++++++---- letsencrypt-auto | 47 +++++++++++------- letsencrypt-auto-source/certbot-auto.asc | 16 +++--- letsencrypt-auto-source/letsencrypt-auto | 26 +++++----- letsencrypt-auto-source/letsencrypt-auto.sig | Bin 256 -> 256 bytes .../pieces/certbot-requirements.txt | 24 ++++----- 22 files changed, 124 insertions(+), 95 deletions(-) diff --git a/acme/setup.py b/acme/setup.py index 0fb4d8fff..e24f4297b 100644 --- a/acme/setup.py +++ b/acme/setup.py @@ -3,7 +3,7 @@ from setuptools import find_packages from setuptools.command.test import test as TestCommand import sys -version = '0.25.0.dev0' +version = '0.25.0' # Please update tox.ini when modifying dependency version requirements install_requires = [ diff --git a/certbot-apache/setup.py b/certbot-apache/setup.py index 59ca3ed4a..18e10223d 100644 --- a/certbot-apache/setup.py +++ b/certbot-apache/setup.py @@ -2,7 +2,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.25.0.dev0' +version = '0.25.0' # Remember to update local-oldest-requirements.txt when changing the minimum # acme/certbot version. diff --git a/certbot-auto b/certbot-auto index 0848080b3..c15a851db 100755 --- a/certbot-auto +++ b/certbot-auto @@ -31,7 +31,7 @@ if [ -z "$VENV_PATH" ]; then fi VENV_BIN="$VENV_PATH/bin" BOOTSTRAP_VERSION_PATH="$VENV_PATH/certbot-auto-bootstrap-version.txt" -LE_AUTO_VERSION="0.24.0" +LE_AUTO_VERSION="0.25.0" BASENAME=$(basename $0) USAGE="Usage: $BASENAME [OPTIONS] A self-updating wrapper script for the Certbot ACME client. When run, updates @@ -1055,9 +1055,11 @@ cffi==1.10.0 \ --hash=sha256:5576644b859197da7bbd8f8c7c2fb5dcc6cd505cadb42992d5f104c013f8a214 \ --hash=sha256:b3b02911eb1f6ada203b0763ba924234629b51586f72a21faacc638269f4ced5 ConfigArgParse==0.12.0 \ - --hash=sha256:28cd7d67669651f2a4518367838c49539457504584a139709b2b8f6c208ef339 + --hash=sha256:28cd7d67669651f2a4518367838c49539457504584a139709b2b8f6c208ef339 \ + --no-binary ConfigArgParse configobj==5.0.6 \ - --hash=sha256:a2f5650770e1c87fb335af19a9b7eb73fc05ccf22144eb68db7d00cd2bcb0902 + --hash=sha256:a2f5650770e1c87fb335af19a9b7eb73fc05ccf22144eb68db7d00cd2bcb0902 \ + --no-binary configobj cryptography==2.0.2 \ --hash=sha256:187ae17358436d2c760f28c2aeb02fefa3f37647a9c5b6f7f7c3e83cd1c5a972 \ --hash=sha256:19e43a13bbf52028dd1e810c803f2ad8880d0692d772f98d42e1eaf34bdee3d6 \ @@ -1112,7 +1114,8 @@ mock==1.3.0 \ --hash=sha256:3f573a18be94de886d1191f27c168427ef693e8dcfcecf95b170577b2eb69cbb \ --hash=sha256:1e247dbecc6ce057299eb7ee019ad68314bb93152e81d9a6110d35f4d5eca0f6 ordereddict==1.1 \ - --hash=sha256:1c35b4ac206cef2d24816c89f89cf289dd3d38cf7c449bb3fab7bf6d43f01b1f + --hash=sha256:1c35b4ac206cef2d24816c89f89cf289dd3d38cf7c449bb3fab7bf6d43f01b1f \ + --no-binary ordereddict packaging==16.8 \ --hash=sha256:99276dc6e3a7851f32027a68f1095cd3f77c148091b092ea867a351811cfe388 \ --hash=sha256:5d50835fdf0a7edf0b55e311b7c887786504efea1177abd7e69329a8e5ea619e @@ -1138,7 +1141,8 @@ pyRFC3339==1.0 \ --hash=sha256:eea31835c56e2096af4363a5745a784878a61d043e247d3a6d6a0a32a9741f56 \ --hash=sha256:8dfbc6c458b8daba1c0f3620a8c78008b323a268b27b7359e92a4ae41325f535 python-augeas==0.5.0 \ - --hash=sha256:67d59d66cdba8d624e0389b87b2a83a176f21f16a87553b50f5703b23f29bac2 + --hash=sha256:67d59d66cdba8d624e0389b87b2a83a176f21f16a87553b50f5703b23f29bac2 \ + --no-binary python-augeas pytz==2015.7 \ --hash=sha256:3abe6a6d3fc2fbbe4c60144211f45da2edbe3182a6f6511af6bbba0598b1f992 \ --hash=sha256:939ef9c1e1224d980405689a97ffcf7828c56d1517b31d73464356c1f2b7769e \ @@ -1166,9 +1170,11 @@ unittest2==1.1.0 \ --hash=sha256:13f77d0875db6d9b435e1d4f41e74ad4cc2eb6e1d5c824996092b3430f088bb8 \ --hash=sha256:22882a0e418c284e1f718a822b3b022944d53d2d908e1690b319a9d3eb2c0579 zope.component==4.2.2 \ - --hash=sha256:282c112b55dd8e3c869a3571f86767c150ab1284a9ace2bdec226c592acaf81a + --hash=sha256:282c112b55dd8e3c869a3571f86767c150ab1284a9ace2bdec226c592acaf81a \ + --no-binary zope.component zope.event==4.1.0 \ - --hash=sha256:dc7a59a2fd91730d3793131a5d261b29e93ec4e2a97f1bc487ce8defee2fe786 + --hash=sha256:dc7a59a2fd91730d3793131a5d261b29e93ec4e2a97f1bc487ce8defee2fe786 \ + --no-binary zope.event zope.interface==4.1.3 \ --hash=sha256:f07b631f7a601cd8cbd3332d54f43142c7088a83299f859356f08d1d4d4259b3 \ --hash=sha256:de5cca083b9439d8002fb76bbe6b4998c5a5a721fab25b84298967f002df4c94 \ @@ -1187,6 +1193,9 @@ zope.interface==4.1.3 \ --hash=sha256:928138365245a0e8869a5999fbcc2a45475a0a6ed52a494d60dbdc540335fedd \ --hash=sha256:0d841ba1bb840eea0e6489dc5ecafa6125554971f53b5acb87764441e61bceba \ --hash=sha256:b09c8c1d47b3531c400e0195697f1414a63221de6ef478598a4f1460f7d9a392 +requests-toolbelt==0.8.0 \ + --hash=sha256:42c9c170abc2cacb78b8ab23ac957945c7716249206f90874651971a4acff237 \ + --hash=sha256:f6a531936c6fa4c6cfce1b9c10d5c4f498d16528d2a54a22ca00011205a187b5 # Contains the requirements for the letsencrypt package. # @@ -1199,18 +1208,18 @@ letsencrypt==0.7.0 \ --hash=sha256:105a5fb107e45bcd0722eb89696986dcf5f08a86a321d6aef25a0c7c63375ade \ --hash=sha256:c36e532c486a7e92155ee09da54b436a3c420813ec1c590b98f635d924720de9 -certbot==0.24.0 \ - --hash=sha256:a3fc41fde4f0dbb35f7ebec2f9e00339580b3f4298850411eac0719223073b27 \ - --hash=sha256:a072d4528bb3ac4184f5c961a96931795ddfe4b7cb0f3a98954bdd4cce5f6d70 -acme==0.24.0 \ - --hash=sha256:b92b16102051f447abb52917638fbfb34b646ac07267fee85961b360a0149e32 \ - --hash=sha256:d655e0627c0830114ab3f6732d8bf2f4a2c36f602e0cde10988684e229b501cb -certbot-apache==0.24.0 \ - --hash=sha256:fe54db3e7e09ffe1139041c23ff5123e80aa1526d6fcd40b2a593d005cfcf152 \ - --hash=sha256:686c6c0af5ae8d06e37cc762de7ffa0dc5c3b1ba06ff7653ef61713fa016f891 -certbot-nginx==0.24.0 \ - --hash=sha256:d44c419f72c2cc30de3b138a2cf92e0531696dcb048f287036e229dce2131c00 \ - --hash=sha256:3283d1db057261f05537fa408baee20e0ab9e81c3d55cfba70afe3805cd6f941 +certbot==0.25.0 \ + --hash=sha256:6acd1e241785d73547803ca74bd1477eab6576e83eb035e0c343f1c8fc97b884 \ + --hash=sha256:bfdf0e2fe67f48034fa9a9bc16b12dd23ef3ac8bbac4e15ece876cd764eb40f8 +acme==0.25.0 \ + --hash=sha256:b20d27d6fd5b9d0e6fa4bf0528d7c6c2b9b301b49bdba4aad41fb9758fda1b3d \ + --hash=sha256:78c72b37d9ebc16ceb21df7f6b1037e80297abd61d0555c9d11f219a7118cef2 +certbot-apache==0.25.0 \ + --hash=sha256:e95eb8f24bd93d0c3e4e62a15ebe3042d411aaa1b107da5d869301472185924e \ + --hash=sha256:ca660d10e1945a78e0a00fd2be330be5acef97f215d3b03cb72cb0a996d63a64 +certbot-nginx==0.25.0 \ + --hash=sha256:8081edfe29943de54780e24c2a4ba7488e375177455f2cfad8bfe1b578bdd235 \ + --hash=sha256:0848642c28f3fad9759309f3e78652d8dd68062e068844a74f828155d2fda416 UNLIKELY_EOF # ------------------------------------------------------------------------- diff --git a/certbot-compatibility-test/setup.py b/certbot-compatibility-test/setup.py index 50df2a56e..e739c4924 100644 --- a/certbot-compatibility-test/setup.py +++ b/certbot-compatibility-test/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.25.0.dev0' +version = '0.25.0' install_requires = [ 'certbot', diff --git a/certbot-dns-cloudflare/setup.py b/certbot-dns-cloudflare/setup.py index d80a1ae20..861ad12d7 100644 --- a/certbot-dns-cloudflare/setup.py +++ b/certbot-dns-cloudflare/setup.py @@ -2,7 +2,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.25.0.dev0' +version = '0.25.0' # Remember to update local-oldest-requirements.txt when changing the minimum # acme/certbot version. diff --git a/certbot-dns-cloudxns/setup.py b/certbot-dns-cloudxns/setup.py index 3bb7457e3..52aebb374 100644 --- a/certbot-dns-cloudxns/setup.py +++ b/certbot-dns-cloudxns/setup.py @@ -2,7 +2,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.25.0.dev0' +version = '0.25.0' # Remember to update local-oldest-requirements.txt when changing the minimum # acme/certbot version. diff --git a/certbot-dns-digitalocean/setup.py b/certbot-dns-digitalocean/setup.py index 1d7c34197..c32a2d003 100644 --- a/certbot-dns-digitalocean/setup.py +++ b/certbot-dns-digitalocean/setup.py @@ -2,7 +2,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.25.0.dev0' +version = '0.25.0' # Remember to update local-oldest-requirements.txt when changing the minimum # acme/certbot version. diff --git a/certbot-dns-dnsimple/setup.py b/certbot-dns-dnsimple/setup.py index 9c678ec60..026eb3ed2 100644 --- a/certbot-dns-dnsimple/setup.py +++ b/certbot-dns-dnsimple/setup.py @@ -2,7 +2,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.25.0.dev0' +version = '0.25.0' # Remember to update local-oldest-requirements.txt when changing the minimum # acme/certbot version. diff --git a/certbot-dns-dnsmadeeasy/setup.py b/certbot-dns-dnsmadeeasy/setup.py index 66f3edd55..799163d1d 100644 --- a/certbot-dns-dnsmadeeasy/setup.py +++ b/certbot-dns-dnsmadeeasy/setup.py @@ -2,7 +2,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.25.0.dev0' +version = '0.25.0' # Remember to update local-oldest-requirements.txt when changing the minimum # acme/certbot version. diff --git a/certbot-dns-google/setup.py b/certbot-dns-google/setup.py index 64b332b04..ef4ae0f8c 100644 --- a/certbot-dns-google/setup.py +++ b/certbot-dns-google/setup.py @@ -2,7 +2,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.25.0.dev0' +version = '0.25.0' # Remember to update local-oldest-requirements.txt when changing the minimum # acme/certbot version. diff --git a/certbot-dns-luadns/setup.py b/certbot-dns-luadns/setup.py index 8df4f1735..838d323af 100644 --- a/certbot-dns-luadns/setup.py +++ b/certbot-dns-luadns/setup.py @@ -2,7 +2,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.25.0.dev0' +version = '0.25.0' # Remember to update local-oldest-requirements.txt when changing the minimum # acme/certbot version. diff --git a/certbot-dns-nsone/setup.py b/certbot-dns-nsone/setup.py index 4425ace16..75d3c25e4 100644 --- a/certbot-dns-nsone/setup.py +++ b/certbot-dns-nsone/setup.py @@ -2,7 +2,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.25.0.dev0' +version = '0.25.0' # Remember to update local-oldest-requirements.txt when changing the minimum # acme/certbot version. diff --git a/certbot-dns-rfc2136/setup.py b/certbot-dns-rfc2136/setup.py index 6ced18b5d..6042365e7 100644 --- a/certbot-dns-rfc2136/setup.py +++ b/certbot-dns-rfc2136/setup.py @@ -2,7 +2,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.25.0.dev0' +version = '0.25.0' # Remember to update local-oldest-requirements.txt when changing the minimum # acme/certbot version. diff --git a/certbot-dns-route53/setup.py b/certbot-dns-route53/setup.py index 9ee587c4e..b6e8293b0 100644 --- a/certbot-dns-route53/setup.py +++ b/certbot-dns-route53/setup.py @@ -1,7 +1,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.25.0.dev0' +version = '0.25.0' # Remember to update local-oldest-requirements.txt when changing the minimum # acme/certbot version. diff --git a/certbot-nginx/setup.py b/certbot-nginx/setup.py index 067f280d4..be057a928 100644 --- a/certbot-nginx/setup.py +++ b/certbot-nginx/setup.py @@ -2,7 +2,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.25.0.dev0' +version = '0.25.0' # Remember to update local-oldest-requirements.txt when changing the minimum # acme/certbot version. diff --git a/certbot/__init__.py b/certbot/__init__.py index 27c63e266..85b4d9fd8 100644 --- a/certbot/__init__.py +++ b/certbot/__init__.py @@ -1,4 +1,4 @@ """Certbot client.""" # version number like 1.2.3a0, must have at least 2 parts, like 1.2 -__version__ = '0.25.0.dev0' +__version__ = '0.25.0' diff --git a/docs/cli-help.txt b/docs/cli-help.txt index 259142e62..f40a9aa4c 100644 --- a/docs/cli-help.txt +++ b/docs/cli-help.txt @@ -108,9 +108,9 @@ optional arguments: case, and to know when to deprecate support for past Python versions and flags. If you wish to hide this information from the Let's Encrypt server, set this to - "". (default: CertbotACMEClient/0.24.0 (certbot; - darwin 10.13.4) Authenticator/XXX Installer/YYY - (SUBCOMMAND; flags: FLAGS) Py/2.7.14). The flags + "". (default: CertbotACMEClient/0.25.0 (certbot; + darwin 10.13.5) Authenticator/XXX Installer/YYY + (SUBCOMMAND; flags: FLAGS) Py/2.7.15). The flags encoded in the user agent are: --duplicate, --force- renew, --allow-subset-of-names, -n, and whether any hooks are set. @@ -143,6 +143,8 @@ automation: certificate name but does not match the requested domains, renew it now, regardless of whether it is near expiry. (default: False) + --reuse-key When renewing, use the same private key as the + existing certificate. (default: False) --allow-subset-of-names When performing domain validation, do not consider it a failure if authorizations can not be obtained for a @@ -319,6 +321,13 @@ renew: disable it. (default: False) --no-directory-hooks Disable running executables found in Certbot's hook directories during renewal. (default: False) + --disable-renew-updates + Disable automatic updates to your server configuration + that would otherwise be done by the selected installer + plugin, and triggered when the user executes "certbot + renew", regardless of if the certificate is renewed. + This setting does not apply to important TLS + configuration updates. (default: False) certificates: List certificates managed by Certbot @@ -360,8 +369,9 @@ register: e-mail address, should be updated, rather than registering a new account. (default: False) -m EMAIL, --email EMAIL - Email used for registration and recovery contact. - (default: Ask) + Email used for registration and recovery contact. Use + comma to register multiple emails, ex: + u1@example.com,u2@example.com. (default: Ask). --eff-email Share your e-mail address with EFF (default: None) --no-eff-email Don't share your e-mail address with EFF (default: None) @@ -399,7 +409,7 @@ update_symlinks: changed them by hand or edited a renewal configuration file enhance: - Helps to harden the TLS configration by adding security enhancements to + Helps to harden the TLS configuration by adding security enhancements to already existing configuration. plugins: @@ -472,9 +482,9 @@ apache: /etc/apache2/other) --apache-handle-modules APACHE_HANDLE_MODULES Let installer handle enabling required modules for - you.(Only Ubuntu/Debian currently) (default: False) + you. (Only Ubuntu/Debian currently) (default: False) --apache-handle-sites APACHE_HANDLE_SITES - Let installer handle enabling sites for you.(Only + Let installer handle enabling sites for you. (Only Ubuntu/Debian currently) (default: False) certbot-route53:auth: @@ -628,7 +638,8 @@ nginx: Nginx Web Server plugin - Alpha --nginx-server-root NGINX_SERVER_ROOT - Nginx server root directory. (default: /etc/nginx) + Nginx server root directory. (default: + /usr/local/etc/nginx) --nginx-ctl NGINX_CTL Path to the 'nginx' binary, used for 'configtest' and retrieving nginx version number. (default: nginx) diff --git a/letsencrypt-auto b/letsencrypt-auto index 0848080b3..c15a851db 100755 --- a/letsencrypt-auto +++ b/letsencrypt-auto @@ -31,7 +31,7 @@ if [ -z "$VENV_PATH" ]; then fi VENV_BIN="$VENV_PATH/bin" BOOTSTRAP_VERSION_PATH="$VENV_PATH/certbot-auto-bootstrap-version.txt" -LE_AUTO_VERSION="0.24.0" +LE_AUTO_VERSION="0.25.0" BASENAME=$(basename $0) USAGE="Usage: $BASENAME [OPTIONS] A self-updating wrapper script for the Certbot ACME client. When run, updates @@ -1055,9 +1055,11 @@ cffi==1.10.0 \ --hash=sha256:5576644b859197da7bbd8f8c7c2fb5dcc6cd505cadb42992d5f104c013f8a214 \ --hash=sha256:b3b02911eb1f6ada203b0763ba924234629b51586f72a21faacc638269f4ced5 ConfigArgParse==0.12.0 \ - --hash=sha256:28cd7d67669651f2a4518367838c49539457504584a139709b2b8f6c208ef339 + --hash=sha256:28cd7d67669651f2a4518367838c49539457504584a139709b2b8f6c208ef339 \ + --no-binary ConfigArgParse configobj==5.0.6 \ - --hash=sha256:a2f5650770e1c87fb335af19a9b7eb73fc05ccf22144eb68db7d00cd2bcb0902 + --hash=sha256:a2f5650770e1c87fb335af19a9b7eb73fc05ccf22144eb68db7d00cd2bcb0902 \ + --no-binary configobj cryptography==2.0.2 \ --hash=sha256:187ae17358436d2c760f28c2aeb02fefa3f37647a9c5b6f7f7c3e83cd1c5a972 \ --hash=sha256:19e43a13bbf52028dd1e810c803f2ad8880d0692d772f98d42e1eaf34bdee3d6 \ @@ -1112,7 +1114,8 @@ mock==1.3.0 \ --hash=sha256:3f573a18be94de886d1191f27c168427ef693e8dcfcecf95b170577b2eb69cbb \ --hash=sha256:1e247dbecc6ce057299eb7ee019ad68314bb93152e81d9a6110d35f4d5eca0f6 ordereddict==1.1 \ - --hash=sha256:1c35b4ac206cef2d24816c89f89cf289dd3d38cf7c449bb3fab7bf6d43f01b1f + --hash=sha256:1c35b4ac206cef2d24816c89f89cf289dd3d38cf7c449bb3fab7bf6d43f01b1f \ + --no-binary ordereddict packaging==16.8 \ --hash=sha256:99276dc6e3a7851f32027a68f1095cd3f77c148091b092ea867a351811cfe388 \ --hash=sha256:5d50835fdf0a7edf0b55e311b7c887786504efea1177abd7e69329a8e5ea619e @@ -1138,7 +1141,8 @@ pyRFC3339==1.0 \ --hash=sha256:eea31835c56e2096af4363a5745a784878a61d043e247d3a6d6a0a32a9741f56 \ --hash=sha256:8dfbc6c458b8daba1c0f3620a8c78008b323a268b27b7359e92a4ae41325f535 python-augeas==0.5.0 \ - --hash=sha256:67d59d66cdba8d624e0389b87b2a83a176f21f16a87553b50f5703b23f29bac2 + --hash=sha256:67d59d66cdba8d624e0389b87b2a83a176f21f16a87553b50f5703b23f29bac2 \ + --no-binary python-augeas pytz==2015.7 \ --hash=sha256:3abe6a6d3fc2fbbe4c60144211f45da2edbe3182a6f6511af6bbba0598b1f992 \ --hash=sha256:939ef9c1e1224d980405689a97ffcf7828c56d1517b31d73464356c1f2b7769e \ @@ -1166,9 +1170,11 @@ unittest2==1.1.0 \ --hash=sha256:13f77d0875db6d9b435e1d4f41e74ad4cc2eb6e1d5c824996092b3430f088bb8 \ --hash=sha256:22882a0e418c284e1f718a822b3b022944d53d2d908e1690b319a9d3eb2c0579 zope.component==4.2.2 \ - --hash=sha256:282c112b55dd8e3c869a3571f86767c150ab1284a9ace2bdec226c592acaf81a + --hash=sha256:282c112b55dd8e3c869a3571f86767c150ab1284a9ace2bdec226c592acaf81a \ + --no-binary zope.component zope.event==4.1.0 \ - --hash=sha256:dc7a59a2fd91730d3793131a5d261b29e93ec4e2a97f1bc487ce8defee2fe786 + --hash=sha256:dc7a59a2fd91730d3793131a5d261b29e93ec4e2a97f1bc487ce8defee2fe786 \ + --no-binary zope.event zope.interface==4.1.3 \ --hash=sha256:f07b631f7a601cd8cbd3332d54f43142c7088a83299f859356f08d1d4d4259b3 \ --hash=sha256:de5cca083b9439d8002fb76bbe6b4998c5a5a721fab25b84298967f002df4c94 \ @@ -1187,6 +1193,9 @@ zope.interface==4.1.3 \ --hash=sha256:928138365245a0e8869a5999fbcc2a45475a0a6ed52a494d60dbdc540335fedd \ --hash=sha256:0d841ba1bb840eea0e6489dc5ecafa6125554971f53b5acb87764441e61bceba \ --hash=sha256:b09c8c1d47b3531c400e0195697f1414a63221de6ef478598a4f1460f7d9a392 +requests-toolbelt==0.8.0 \ + --hash=sha256:42c9c170abc2cacb78b8ab23ac957945c7716249206f90874651971a4acff237 \ + --hash=sha256:f6a531936c6fa4c6cfce1b9c10d5c4f498d16528d2a54a22ca00011205a187b5 # Contains the requirements for the letsencrypt package. # @@ -1199,18 +1208,18 @@ letsencrypt==0.7.0 \ --hash=sha256:105a5fb107e45bcd0722eb89696986dcf5f08a86a321d6aef25a0c7c63375ade \ --hash=sha256:c36e532c486a7e92155ee09da54b436a3c420813ec1c590b98f635d924720de9 -certbot==0.24.0 \ - --hash=sha256:a3fc41fde4f0dbb35f7ebec2f9e00339580b3f4298850411eac0719223073b27 \ - --hash=sha256:a072d4528bb3ac4184f5c961a96931795ddfe4b7cb0f3a98954bdd4cce5f6d70 -acme==0.24.0 \ - --hash=sha256:b92b16102051f447abb52917638fbfb34b646ac07267fee85961b360a0149e32 \ - --hash=sha256:d655e0627c0830114ab3f6732d8bf2f4a2c36f602e0cde10988684e229b501cb -certbot-apache==0.24.0 \ - --hash=sha256:fe54db3e7e09ffe1139041c23ff5123e80aa1526d6fcd40b2a593d005cfcf152 \ - --hash=sha256:686c6c0af5ae8d06e37cc762de7ffa0dc5c3b1ba06ff7653ef61713fa016f891 -certbot-nginx==0.24.0 \ - --hash=sha256:d44c419f72c2cc30de3b138a2cf92e0531696dcb048f287036e229dce2131c00 \ - --hash=sha256:3283d1db057261f05537fa408baee20e0ab9e81c3d55cfba70afe3805cd6f941 +certbot==0.25.0 \ + --hash=sha256:6acd1e241785d73547803ca74bd1477eab6576e83eb035e0c343f1c8fc97b884 \ + --hash=sha256:bfdf0e2fe67f48034fa9a9bc16b12dd23ef3ac8bbac4e15ece876cd764eb40f8 +acme==0.25.0 \ + --hash=sha256:b20d27d6fd5b9d0e6fa4bf0528d7c6c2b9b301b49bdba4aad41fb9758fda1b3d \ + --hash=sha256:78c72b37d9ebc16ceb21df7f6b1037e80297abd61d0555c9d11f219a7118cef2 +certbot-apache==0.25.0 \ + --hash=sha256:e95eb8f24bd93d0c3e4e62a15ebe3042d411aaa1b107da5d869301472185924e \ + --hash=sha256:ca660d10e1945a78e0a00fd2be330be5acef97f215d3b03cb72cb0a996d63a64 +certbot-nginx==0.25.0 \ + --hash=sha256:8081edfe29943de54780e24c2a4ba7488e375177455f2cfad8bfe1b578bdd235 \ + --hash=sha256:0848642c28f3fad9759309f3e78652d8dd68062e068844a74f828155d2fda416 UNLIKELY_EOF # ------------------------------------------------------------------------- diff --git a/letsencrypt-auto-source/certbot-auto.asc b/letsencrypt-auto-source/certbot-auto.asc index 641ebaef8..11e9750b5 100644 --- a/letsencrypt-auto-source/certbot-auto.asc +++ b/letsencrypt-auto-source/certbot-auto.asc @@ -1,11 +1,11 @@ -----BEGIN PGP SIGNATURE----- -iQEzBAABCAAdFiEEos+1H6J1pyhiNOeyTRfJlc2XdfIFAlro/1AACgkQTRfJlc2X -dfLm5ggAxCrWU9dmYZKllcFzp7TFOdRap0pmarfL4gwSYj7B/bSceD7ysOyoQ8Ra -7UHuZKAQyurZn1seN49d88Kgor9KWZQ1jZiGkfiEpp8qAkdWzFR8UqYa2/CZtk2l -bExm8YQDwhuKvCObGLDGi3ydcIQpfg/rsBkSTphKYXN/Zebx9mAelZN4CgGRy03Y -3z2UqqnyqFPAg4wUGcNfCgUEbJ5bUPr733vQzjBS2IVUbDbu06/1Y8oYzurezXNS -6lEyvTfC5G8RGlSWupNu7yWviD14M4LnAo6WXWEVH+C+ssJaPrZVhZ6KfEt/Erg3 -k06WZSPDCtOm5EfhDm0Rumqm1owA2g== -=Bc4G +iQEzBAABCAAdFiEEos+1H6J1pyhiNOeyTRfJlc2XdfIFAlsYSPUACgkQTRfJlc2X +dfKOzQgAhyWglFSdc2VTdqL5FDkg9yv5HzlpwUKp+Q3Q0Tq7/fecZeMybUnj8aJZ +6kiIQ0TE7vlQiKknxCg883hjoW/g0ZMemHsyVIAB6yi69Xltf/maxwwVdDPd+ens +db3/mRiefW+WE2tf5xPKc5xcch1Ej0H9bTIOyj7sgod/bFMuLEtyT/Y58Sb5gWIK +hIrfpWl0L3IP1EAFGSTbRhhxDPsMI6jveHMAQdh5uYgvDneUMVDwcuF4HW+qpvxG +lVQJqDTCSYpIg2bpzI8KHqsiHoe37Au5KbxewPb7Mmx91QE9u3deuPLM/jutHqQ7 +kGs5isnImrtQODSfAnWQbkq9BQocdA== +=EBXk -----END PGP SIGNATURE----- diff --git a/letsencrypt-auto-source/letsencrypt-auto b/letsencrypt-auto-source/letsencrypt-auto index 28281e20d..c15a851db 100755 --- a/letsencrypt-auto-source/letsencrypt-auto +++ b/letsencrypt-auto-source/letsencrypt-auto @@ -31,7 +31,7 @@ if [ -z "$VENV_PATH" ]; then fi VENV_BIN="$VENV_PATH/bin" BOOTSTRAP_VERSION_PATH="$VENV_PATH/certbot-auto-bootstrap-version.txt" -LE_AUTO_VERSION="0.25.0.dev0" +LE_AUTO_VERSION="0.25.0" BASENAME=$(basename $0) USAGE="Usage: $BASENAME [OPTIONS] A self-updating wrapper script for the Certbot ACME client. When run, updates @@ -1208,18 +1208,18 @@ letsencrypt==0.7.0 \ --hash=sha256:105a5fb107e45bcd0722eb89696986dcf5f08a86a321d6aef25a0c7c63375ade \ --hash=sha256:c36e532c486a7e92155ee09da54b436a3c420813ec1c590b98f635d924720de9 -certbot==0.24.0 \ - --hash=sha256:a3fc41fde4f0dbb35f7ebec2f9e00339580b3f4298850411eac0719223073b27 \ - --hash=sha256:a072d4528bb3ac4184f5c961a96931795ddfe4b7cb0f3a98954bdd4cce5f6d70 -acme==0.24.0 \ - --hash=sha256:b92b16102051f447abb52917638fbfb34b646ac07267fee85961b360a0149e32 \ - --hash=sha256:d655e0627c0830114ab3f6732d8bf2f4a2c36f602e0cde10988684e229b501cb -certbot-apache==0.24.0 \ - --hash=sha256:fe54db3e7e09ffe1139041c23ff5123e80aa1526d6fcd40b2a593d005cfcf152 \ - --hash=sha256:686c6c0af5ae8d06e37cc762de7ffa0dc5c3b1ba06ff7653ef61713fa016f891 -certbot-nginx==0.24.0 \ - --hash=sha256:d44c419f72c2cc30de3b138a2cf92e0531696dcb048f287036e229dce2131c00 \ - --hash=sha256:3283d1db057261f05537fa408baee20e0ab9e81c3d55cfba70afe3805cd6f941 +certbot==0.25.0 \ + --hash=sha256:6acd1e241785d73547803ca74bd1477eab6576e83eb035e0c343f1c8fc97b884 \ + --hash=sha256:bfdf0e2fe67f48034fa9a9bc16b12dd23ef3ac8bbac4e15ece876cd764eb40f8 +acme==0.25.0 \ + --hash=sha256:b20d27d6fd5b9d0e6fa4bf0528d7c6c2b9b301b49bdba4aad41fb9758fda1b3d \ + --hash=sha256:78c72b37d9ebc16ceb21df7f6b1037e80297abd61d0555c9d11f219a7118cef2 +certbot-apache==0.25.0 \ + --hash=sha256:e95eb8f24bd93d0c3e4e62a15ebe3042d411aaa1b107da5d869301472185924e \ + --hash=sha256:ca660d10e1945a78e0a00fd2be330be5acef97f215d3b03cb72cb0a996d63a64 +certbot-nginx==0.25.0 \ + --hash=sha256:8081edfe29943de54780e24c2a4ba7488e375177455f2cfad8bfe1b578bdd235 \ + --hash=sha256:0848642c28f3fad9759309f3e78652d8dd68062e068844a74f828155d2fda416 UNLIKELY_EOF # ------------------------------------------------------------------------- diff --git a/letsencrypt-auto-source/letsencrypt-auto.sig b/letsencrypt-auto-source/letsencrypt-auto.sig index 4a937e7e0c442056410a4d75bc6fc64fa7fc5ed8..12330ad162164927502aadb9e73375d8a40b3d1a 100644 GIT binary patch literal 256 zcmV+b0ssC$@8wI45>gS1>Vf-0?P)E}7cN~xWB;XyfZbYHf67R;8??@TB|A<6&Ymtv za~(Bb7VdlqKAz=5dK^kLhO%Pu%mcZ{cVC7weDiho<&%Nz(;*Xb*c(;*W-^&XC=|OD_~8fI^IFAUF~p|$&jhTt;E~D3eY}R9 z()EQT9^Wu3iJV-m%DTGS!1TdJ#YvLh-mJo<+p^7z6cnVGbv2Zai!|_#2965E&iQo& zOyxwu*TNkoH+8^qQvf_x;y1Sb&ZX_LL&2M~e^bphBFP!(!0Q2!3tl{Y_@sRtrU<`!&JJ7Yet?gj zP<-mLp*eOt8&aten_HT4Xaq=Kx#zQxgGH^wqLqmDbiNH^#Z>!uQ#lxbz9TmzQ``gA zepS_2=ZD+oI|Kl|@HhjznV9>uJqAGPzsGZ`_Tr$cOh5JZM+hOCqkF1gQK5rq?01Ha z$#L4=i}~HfWo>cf%K<$CERWB0i$y+n$+{zxu0TOGArrjm@c)#iwau&wz!kfWn^wMB GGm3kHFn Date: Wed, 6 Jun 2018 13:50:46 -0700 Subject: [PATCH 219/256] Bump version to 0.26.0 --- acme/setup.py | 2 +- certbot-apache/setup.py | 2 +- certbot-compatibility-test/setup.py | 2 +- certbot-dns-cloudflare/setup.py | 2 +- certbot-dns-cloudxns/setup.py | 2 +- certbot-dns-digitalocean/setup.py | 2 +- certbot-dns-dnsimple/setup.py | 2 +- certbot-dns-dnsmadeeasy/setup.py | 2 +- certbot-dns-google/setup.py | 2 +- certbot-dns-luadns/setup.py | 2 +- certbot-dns-nsone/setup.py | 2 +- certbot-dns-rfc2136/setup.py | 2 +- certbot-dns-route53/setup.py | 2 +- certbot-nginx/setup.py | 2 +- certbot/__init__.py | 2 +- letsencrypt-auto-source/letsencrypt-auto | 2 +- 16 files changed, 16 insertions(+), 16 deletions(-) diff --git a/acme/setup.py b/acme/setup.py index e24f4297b..ecafac61a 100644 --- a/acme/setup.py +++ b/acme/setup.py @@ -3,7 +3,7 @@ from setuptools import find_packages from setuptools.command.test import test as TestCommand import sys -version = '0.25.0' +version = '0.26.0.dev0' # Please update tox.ini when modifying dependency version requirements install_requires = [ diff --git a/certbot-apache/setup.py b/certbot-apache/setup.py index 18e10223d..7a0dc43bf 100644 --- a/certbot-apache/setup.py +++ b/certbot-apache/setup.py @@ -2,7 +2,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.25.0' +version = '0.26.0.dev0' # Remember to update local-oldest-requirements.txt when changing the minimum # acme/certbot version. diff --git a/certbot-compatibility-test/setup.py b/certbot-compatibility-test/setup.py index e739c4924..bf86df5da 100644 --- a/certbot-compatibility-test/setup.py +++ b/certbot-compatibility-test/setup.py @@ -4,7 +4,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.25.0' +version = '0.26.0.dev0' install_requires = [ 'certbot', diff --git a/certbot-dns-cloudflare/setup.py b/certbot-dns-cloudflare/setup.py index 861ad12d7..055a8cffc 100644 --- a/certbot-dns-cloudflare/setup.py +++ b/certbot-dns-cloudflare/setup.py @@ -2,7 +2,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.25.0' +version = '0.26.0.dev0' # Remember to update local-oldest-requirements.txt when changing the minimum # acme/certbot version. diff --git a/certbot-dns-cloudxns/setup.py b/certbot-dns-cloudxns/setup.py index 52aebb374..2c0c074be 100644 --- a/certbot-dns-cloudxns/setup.py +++ b/certbot-dns-cloudxns/setup.py @@ -2,7 +2,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.25.0' +version = '0.26.0.dev0' # Remember to update local-oldest-requirements.txt when changing the minimum # acme/certbot version. diff --git a/certbot-dns-digitalocean/setup.py b/certbot-dns-digitalocean/setup.py index c32a2d003..bd5f2ff26 100644 --- a/certbot-dns-digitalocean/setup.py +++ b/certbot-dns-digitalocean/setup.py @@ -2,7 +2,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.25.0' +version = '0.26.0.dev0' # Remember to update local-oldest-requirements.txt when changing the minimum # acme/certbot version. diff --git a/certbot-dns-dnsimple/setup.py b/certbot-dns-dnsimple/setup.py index 026eb3ed2..581c478b8 100644 --- a/certbot-dns-dnsimple/setup.py +++ b/certbot-dns-dnsimple/setup.py @@ -2,7 +2,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.25.0' +version = '0.26.0.dev0' # Remember to update local-oldest-requirements.txt when changing the minimum # acme/certbot version. diff --git a/certbot-dns-dnsmadeeasy/setup.py b/certbot-dns-dnsmadeeasy/setup.py index 799163d1d..c5d310d71 100644 --- a/certbot-dns-dnsmadeeasy/setup.py +++ b/certbot-dns-dnsmadeeasy/setup.py @@ -2,7 +2,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.25.0' +version = '0.26.0.dev0' # Remember to update local-oldest-requirements.txt when changing the minimum # acme/certbot version. diff --git a/certbot-dns-google/setup.py b/certbot-dns-google/setup.py index ef4ae0f8c..01d979c2b 100644 --- a/certbot-dns-google/setup.py +++ b/certbot-dns-google/setup.py @@ -2,7 +2,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.25.0' +version = '0.26.0.dev0' # Remember to update local-oldest-requirements.txt when changing the minimum # acme/certbot version. diff --git a/certbot-dns-luadns/setup.py b/certbot-dns-luadns/setup.py index 838d323af..44f67c0a7 100644 --- a/certbot-dns-luadns/setup.py +++ b/certbot-dns-luadns/setup.py @@ -2,7 +2,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.25.0' +version = '0.26.0.dev0' # Remember to update local-oldest-requirements.txt when changing the minimum # acme/certbot version. diff --git a/certbot-dns-nsone/setup.py b/certbot-dns-nsone/setup.py index 75d3c25e4..87a7da4cc 100644 --- a/certbot-dns-nsone/setup.py +++ b/certbot-dns-nsone/setup.py @@ -2,7 +2,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.25.0' +version = '0.26.0.dev0' # Remember to update local-oldest-requirements.txt when changing the minimum # acme/certbot version. diff --git a/certbot-dns-rfc2136/setup.py b/certbot-dns-rfc2136/setup.py index 6042365e7..c1fffc4a2 100644 --- a/certbot-dns-rfc2136/setup.py +++ b/certbot-dns-rfc2136/setup.py @@ -2,7 +2,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.25.0' +version = '0.26.0.dev0' # Remember to update local-oldest-requirements.txt when changing the minimum # acme/certbot version. diff --git a/certbot-dns-route53/setup.py b/certbot-dns-route53/setup.py index b6e8293b0..8e2821332 100644 --- a/certbot-dns-route53/setup.py +++ b/certbot-dns-route53/setup.py @@ -1,7 +1,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.25.0' +version = '0.26.0.dev0' # Remember to update local-oldest-requirements.txt when changing the minimum # acme/certbot version. diff --git a/certbot-nginx/setup.py b/certbot-nginx/setup.py index be057a928..3de257a5f 100644 --- a/certbot-nginx/setup.py +++ b/certbot-nginx/setup.py @@ -2,7 +2,7 @@ from setuptools import setup from setuptools import find_packages -version = '0.25.0' +version = '0.26.0.dev0' # Remember to update local-oldest-requirements.txt when changing the minimum # acme/certbot version. diff --git a/certbot/__init__.py b/certbot/__init__.py index 85b4d9fd8..3ae0e315b 100644 --- a/certbot/__init__.py +++ b/certbot/__init__.py @@ -1,4 +1,4 @@ """Certbot client.""" # version number like 1.2.3a0, must have at least 2 parts, like 1.2 -__version__ = '0.25.0' +__version__ = '0.26.0.dev0' diff --git a/letsencrypt-auto-source/letsencrypt-auto b/letsencrypt-auto-source/letsencrypt-auto index c15a851db..cac73dcbd 100755 --- a/letsencrypt-auto-source/letsencrypt-auto +++ b/letsencrypt-auto-source/letsencrypt-auto @@ -31,7 +31,7 @@ if [ -z "$VENV_PATH" ]; then fi VENV_BIN="$VENV_PATH/bin" BOOTSTRAP_VERSION_PATH="$VENV_PATH/certbot-auto-bootstrap-version.txt" -LE_AUTO_VERSION="0.25.0" +LE_AUTO_VERSION="0.26.0.dev0" BASENAME=$(basename $0) USAGE="Usage: $BASENAME [OPTIONS] A self-updating wrapper script for the Certbot ACME client. When run, updates From eec37f65a83ccf185a67378b6b8010b37f4fba1f Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Wed, 6 Jun 2018 19:01:55 -0700 Subject: [PATCH 220/256] Update changelog for 0.25.0 (#6076) --- CHANGELOG.md | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 64 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 044e55250..5facc5380 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,70 @@ Certbot adheres to [Semantic Versioning](http://semver.org/). +## 0.25.0 - 2018-06-06 + +### Added + +* Support for the ready status type was added to acme. Without this change, + Certbot and acme users will begin encountering errors when using Let's + Encrypt's ACMEv2 API starting on June 19th for the staging environment and + July 5th for production. See + https://community.letsencrypt.org/t/acmev2-order-ready-status/62866 for more + information. +* Certbot now accepts the flag --reuse-key which will cause the same key to be + used in the certificate when the lineage is renewed rather than generating a + new key. +* You can now add multiple email addresses to your ACME account with Certbot by + providing a comma separated list of emails to the --email flag. +* Support for Let's Encrypt's upcoming TLS-ALPN-01 challenge was added to acme. + For more information, see + https://community.letsencrypt.org/t/tls-alpn-validation-method/63814/1. +* acme now supports specifying the source address to bind to when sending + outgoing connections. You still cannot specify this address using Certbot. +* If you run Certbot against Let's Encrypt's ACMEv2 staging server but don't + already have an account registered at that server URL, Certbot will + automatically reuse your staging account from Let's Encrypt's ACMEv1 endpoint + if it exists. +* Interfaces were added to Certbot allowing plugins to be called at additional + points. The `GenericUpdater` interface allows plugins to perform actions + every time `certbot renew` is run, regardless of whether any certificates are + due for renewal, and the `RenewDeployer` interface allows plugins to perform + actions when a certificate is renewed. See `certbot.interfaces` for more + information. + +### Changed + +* When running Certbot with --dry-run and you don't already have a staging + account, the created account does not contain an email address even if one + was provided to avoid expiration emails from Let's Encrypt's staging server. +* certbot-nginx does a better job of automatically detecting the location of + Nginx's configuration files when run on BSD based systems. +* acme now requires and uses pytest when running tests with setuptools with + `python setup.py test`. +* `certbot config_changes` no longer waits for user input before exiting. + +### Fixed + +* Misleading log output that caused users to think that Certbot's standalone + plugin failed to bind to a port when performing a challenge has been + corrected. +* An issue where certbot-nginx would fail to enable HSTS if the server block + already had an `add_header` directive has been resolved. +* certbot-nginx now does a better job detecting the server block to base the + configuration for TLS-SNI challenges on. + +Despite us having broken lockstep, we are continuing to release new versions of +all Certbot components during releases for the time being, however, the only +packages with functional changes were: + +* acme +* certbot +* certbot-apache +* certbot-nginx + +More details about these changes can be found on our GitHub repo: +https://github.com/certbot/certbot/milestone/54?closed=1 + ## 0.24.0 - 2018-05-02 ### Added From da6320f4d1b816592991f144caa4d6197faafd14 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 7 Jun 2018 01:11:06 -0700 Subject: [PATCH 221/256] Stop testing against Debian 7. (#6077) Debian Wheezy is no longer supported (see https://wiki.debian.org/LTS) and Amazon shut down their Debian 7 mirrors so let's stop trying to use Debian 7 during testing. --- tests/letstest/targets.yaml | 18 ------------------ 1 file changed, 18 deletions(-) diff --git a/tests/letstest/targets.yaml b/tests/letstest/targets.yaml index 9c1aca24e..766b4ea09 100644 --- a/tests/letstest/targets.yaml +++ b/tests/letstest/targets.yaml @@ -22,24 +22,6 @@ targets: # #cloud-init # runcmd: # - [ apt-get, install, -y, curl ] - - ami: ami-e0efab88 - name: debian7.8.aws.1 - type: ubuntu - virt: hvm - user: admin - # userdata: | - # #cloud-init - # runcmd: - # - [ apt-get, install, -y, curl ] - - ami: ami-e6eeaa8e - name: debian7.8.aws.1_32bit - type: ubuntu - virt: pv - user: admin - # userdata: | - # #cloud-init - # runcmd: - # - [ apt-get, install, -y, curl ] #----------------------------------------------------------------------------- # Other Redhat Distros - ami: ami-60b6c60a From 780a1b3a26192f06c58fce157db5c2a32ecbdc23 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 7 Jun 2018 01:43:45 -0700 Subject: [PATCH 222/256] Don't require festival during signing. (#6079) Festival isn't available via Homebrew and is only needed to read the hash aloud, so let's not make it a strict requirement that it's installed. You can simply read the hash from the terminal instead. --- tools/offline-sigrequest.sh | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/tools/offline-sigrequest.sh b/tools/offline-sigrequest.sh index 7706796ef..6443ae8af 100755 --- a/tools/offline-sigrequest.sh +++ b/tools/offline-sigrequest.sh @@ -2,17 +2,17 @@ set -o errexit -if ! `which festival > /dev/null` ; then - echo Please install \'festival\'! - exit 1 -fi - function sayhash { # $1 <-- HASH ; $2 <---SIGFILEBALL while read -p "Press Enter to read the hash aloud or type 'done': " INP && [ "$INP" = "" ] ; do - cat $1 | (echo "(Parameter.set 'Duration_Stretch 1.8)"; \ - echo -n '(SayText "'; \ - sha256sum | cut -c1-64 | fold -1 | sed 's/^a$/alpha/; s/^b$/bravo/; s/^c$/charlie/; s/^d$/delta/; s/^e$/echo/; s/^f$/foxtrot/'; \ - echo '")' ) | festival + if ! `which festival > /dev/null` ; then + echo \`festival\` is not installed! + echo Please install it to read the hash aloud + else + cat $1 | (echo "(Parameter.set 'Duration_Stretch 1.8)"; \ + echo -n '(SayText "'; \ + sha256sum | cut -c1-64 | fold -1 | sed 's/^a$/alpha/; s/^b$/bravo/; s/^c$/charlie/; s/^d$/delta/; s/^e$/echo/; s/^f$/foxtrot/'; \ + echo '")' ) | festival + fi done echo 'Paste in the data from the QR code, then type Ctrl-D:' From 3a8de6d172d3d91348cb4b817586869a756cc2a8 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 7 Jun 2018 07:50:36 -0700 Subject: [PATCH 223/256] Upgrade pinned twine version. (#6078) For the past couple of releases, twine has errored while trying to upload packages and this is fixed by upgrading to a newer version of twine. This commit updates our pinned version installed when using tools/venv.sh to the latest available version. pkginfo had to be upgraded as well to support the latest version of twine. --- tools/dev_constraints.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/dev_constraints.txt b/tools/dev_constraints.txt index d965d4470..777222ffb 100644 --- a/tools/dev_constraints.txt +++ b/tools/dev_constraints.txt @@ -36,7 +36,7 @@ oauth2client==2.0.0 pathlib2==2.3.0 pexpect==4.2.1 pickleshare==0.7.4 -pkginfo==1.4.1 +pkginfo==1.4.2 pluggy==0.5.2 prompt-toolkit==1.0.15 ptyprocess==0.5.2 @@ -66,7 +66,7 @@ tldextract==2.2.0 tox==2.9.1 tqdm==4.19.4 traitlets==4.3.2 -twine==1.9.1 +twine==1.11.0 typed-ast==1.1.0 typing==3.6.4 uritemplate==0.6 From afa7e3fb8266fb6af7c36d46eb8ee20e844d8107 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 7 Jun 2018 14:45:23 -0700 Subject: [PATCH 224/256] Unrevert #6000 and silence deprecation warnings (#6082) * Revert "Revert "switch signature verification to use pure cryptography (#6000)" (#6074)" This reverts commit 3cffe1449c4e9166b65eaed75022d73b7ad79328. * Fixes #6073. This silences the deprecation warnings from cryptography. I looked into only silencing the cryptography warning specifically in the function, however, CryptographyDeprecationWarning doesn't seem to be publicly documented, so we probably shouldn't depend on it. --- certbot/crypto_util.py | 40 ++++++++++++++----- certbot/tests/crypto_util_test.py | 10 +++++ .../tests/testdata/cert-nosans_nistp256.pem | 11 +++++ .../tests/testdata/csr-nosans_nistp256.pem | 8 ++++ certbot/tests/testdata/nistp256_key.pem | 5 +++ 5 files changed, 64 insertions(+), 10 deletions(-) create mode 100644 certbot/tests/testdata/cert-nosans_nistp256.pem create mode 100644 certbot/tests/testdata/csr-nosans_nistp256.pem create mode 100644 certbot/tests/testdata/nistp256_key.pem diff --git a/certbot/crypto_util.py b/certbot/crypto_util.py index b5ad16db1..943e2c87f 100644 --- a/certbot/crypto_util.py +++ b/certbot/crypto_util.py @@ -7,16 +7,21 @@ import hashlib import logging import os - +import warnings import pyrfc3339 import six import zope.component +from cryptography.exceptions import InvalidSignature +from cryptography.hazmat.backends import default_backend +from cryptography.hazmat.primitives.asymmetric.ec import ECDSA +from cryptography.hazmat.primitives.asymmetric.ec import EllipticCurvePublicKey +from cryptography.hazmat.primitives.asymmetric.padding import PKCS1v15 +from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicKey +# https://github.com/python/typeshed/tree/master/third_party/2/cryptography +from cryptography import x509 # type: ignore from OpenSSL import crypto from OpenSSL import SSL # type: ignore -from cryptography.hazmat.backends import default_backend -# https://github.com/python/typeshed/tree/master/third_party/2/cryptography -from cryptography import x509 # type: ignore from acme import crypto_util as acme_crypto_util from acme.magic_typing import IO # pylint: disable=unused-import, no-name-in-module @@ -228,13 +233,28 @@ def verify_renewable_cert_sig(renewable_cert): """ try: with open(renewable_cert.chain, 'rb') as chain_file: # type: IO[bytes] - chain, _ = pyopenssl_load_certificate(chain_file.read()) + chain = x509.load_pem_x509_certificate(chain_file.read(), default_backend()) with open(renewable_cert.cert, 'rb') as cert_file: # type: IO[bytes] - cert = x509.load_pem_x509_certificate( - cert_file.read(), default_backend()) - hash_name = cert.signature_hash_algorithm.name - crypto.verify(chain, cert.signature, cert.tbs_certificate_bytes, hash_name) - except (IOError, ValueError, crypto.Error) as e: + cert = x509.load_pem_x509_certificate(cert_file.read(), default_backend()) + pk = chain.public_key() + with warnings.catch_warnings(): + warnings.simplefilter("ignore") + if isinstance(pk, RSAPublicKey): + # https://github.com/python/typeshed/blob/master/third_party/2/cryptography/hazmat/primitives/asymmetric/rsa.pyi + verifier = pk.verifier( # type: ignore + cert.signature, PKCS1v15(), cert.signature_hash_algorithm + ) + verifier.update(cert.tbs_certificate_bytes) + verifier.verify() + elif isinstance(pk, EllipticCurvePublicKey): + verifier = pk.verifier( + cert.signature, ECDSA(cert.signature_hash_algorithm) + ) + verifier.update(cert.tbs_certificate_bytes) + verifier.verify() + else: + raise errors.Error("Unsupported public key type") + except (IOError, ValueError, InvalidSignature) as e: error_str = "verifying the signature of the cert located at {0} has failed. \ Details: {1}".format(renewable_cert.cert, e) logger.exception(error_str) diff --git a/certbot/tests/crypto_util_test.py b/certbot/tests/crypto_util_test.py index 2fe0e3d30..baf14b2ef 100644 --- a/certbot/tests/crypto_util_test.py +++ b/certbot/tests/crypto_util_test.py @@ -21,6 +21,9 @@ CERT_PATH = test_util.vector_path('cert_512.pem') CERT = test_util.load_vector('cert_512.pem') SS_CERT_PATH = test_util.vector_path('cert_2048.pem') SS_CERT = test_util.load_vector('cert_2048.pem') +P256_KEY = test_util.load_vector('nistp256_key.pem') +P256_CERT_PATH = test_util.vector_path('cert-nosans_nistp256.pem') +P256_CERT = test_util.load_vector('cert-nosans_nistp256.pem') class InitSaveKeyTest(test_util.TempDirTestCase): """Tests for certbot.crypto_util.init_save_key.""" @@ -217,6 +220,13 @@ class VerifyRenewableCertSigTest(VerifyCertSetup): def test_cert_sig_match(self): self.assertEqual(None, self._call(self.renewable_cert)) + def test_cert_sig_match_ec(self): + renewable_cert = mock.MagicMock() + renewable_cert.cert = P256_CERT_PATH + renewable_cert.chain = P256_CERT_PATH + renewable_cert.privkey = P256_KEY + self.assertEqual(None, self._call(renewable_cert)) + def test_cert_sig_mismatch(self): self.bad_renewable_cert.cert = test_util.vector_path('cert_512_bad.pem') self.assertRaises(errors.Error, self._call, self.bad_renewable_cert) diff --git a/certbot/tests/testdata/cert-nosans_nistp256.pem b/certbot/tests/testdata/cert-nosans_nistp256.pem new file mode 100644 index 000000000..4ec3f24ce --- /dev/null +++ b/certbot/tests/testdata/cert-nosans_nistp256.pem @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBoDCCAUYCCQDCnzfUZ7TQdDAKBggqhkjOPQQDAjBYMQswCQYDVQQGEwJVUzER +MA8GA1UECAwITWljaGlnYW4xEjAQBgNVBAcMCUFubiBBcmJvcjEMMAoGA1UECgwD +RUZGMRQwEgYDVQQDDAtleGFtcGxlLmNvbTAeFw0xODA1MTUxNzIyMzlaFw0xODA2 +MTQxNzIyMzlaMFgxCzAJBgNVBAYTAlVTMREwDwYDVQQIDAhNaWNoaWdhbjESMBAG +A1UEBwwJQW5uIEFyYm9yMQwwCgYDVQQKDANFRkYxFDASBgNVBAMMC2V4YW1wbGUu +Y29tMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPPl0JauSZukvAUWv4l5VNLAY +QXhuPXYQBf4dVET3s0E5q9ZCbSe+pNUbko9F+TFkuc7XVjQPsfkDbh0I9nD0tzAK +BggqhkjOPQQDAgNIADBFAiEAv8S2GXmWJqZ+j3DBfm72E1YK+HkOf+TOUHsbVR+O +Z1oCIFWNt1SPdIgRp4QAyzVk2pcTF8jDNajEMLWETDtxgRvM +-----END CERTIFICATE----- diff --git a/certbot/tests/testdata/csr-nosans_nistp256.pem b/certbot/tests/testdata/csr-nosans_nistp256.pem new file mode 100644 index 000000000..2f0a671ed --- /dev/null +++ b/certbot/tests/testdata/csr-nosans_nistp256.pem @@ -0,0 +1,8 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBFDCBugIBADBYMQswCQYDVQQGEwJVUzERMA8GA1UECAwITWljaGlnYW4xEjAQ +BgNVBAcMCUFubiBBcmJvcjEMMAoGA1UECgwDRUZGMRQwEgYDVQQDDAtleGFtcGxl +LmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABDz5dCWrkmbpLwFFr+JeVTSw +GEF4bj12EAX+HVRE97NBOavWQm0nvqTVG5KPRfkxZLnO11Y0D7H5A24dCPZw9Leg +ADAKBggqhkjOPQQDAgNJADBGAiEAuoZHrYA5sy2DRTdLAxJTBNHKFFKbtaGt+QaJ +A62qa8sCIQCUkSgSAiNaEnJ7r5fKphdjeORHqhpl6flYkLE3lGmGdg== +-----END CERTIFICATE REQUEST----- diff --git a/certbot/tests/testdata/nistp256_key.pem b/certbot/tests/testdata/nistp256_key.pem new file mode 100644 index 000000000..4be37e49b --- /dev/null +++ b/certbot/tests/testdata/nistp256_key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIOvXH384CyNNv2lfxvjc7hg2f7ScYoLvlk/VpINLJlGBoAoGCCqGSM49 +AwEHoUQDQgAEPPl0JauSZukvAUWv4l5VNLAYQXhuPXYQBf4dVET3s0E5q9ZCbSe+ +pNUbko9F+TFkuc7XVjQPsfkDbh0I9nD0tw== +-----END EC PRIVATE KEY----- From da028ca9c27acf31a6266ae5c0abe53922da86b4 Mon Sep 17 00:00:00 2001 From: Roland Bracewell Shoemaker Date: Mon, 11 Jun 2018 11:59:57 -0700 Subject: [PATCH 225/256] Wrap TLS-ALPN extension with ASN.1 (#6089) * Wrap TLS-ALPN extension with ASN.1 * Fix test --- acme/acme/challenges.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/acme/acme/challenges.py b/acme/acme/challenges.py index ce788e2cc..30983e28f 100644 --- a/acme/acme/challenges.py +++ b/acme/acme/challenges.py @@ -546,7 +546,9 @@ class TLSALPN01Response(KeyAuthorizationChallengeResponse): key.generate_key(crypto.TYPE_RSA, bits) - der_value = b"DER:" + codecs.encode(self.h, 'hex') + # Instead of using a ASN.1 encoding library just append the OCTET STRING tag (0x04) + # and the length of the SHA256 hash (0x20) since both of these should never change + der_value = b"DER:0420" + codecs.encode(self.h, 'hex') acme_extension = crypto.X509Extension(self.ID_PE_ACME_IDENTIFIER_V1, critical=True, value=der_value) @@ -592,7 +594,8 @@ class TLSALPN01Response(KeyAuthorizationChallengeResponse): # way to get full OID of an unknown extension from pyopenssl. if ext.get_short_name() == b'UNDEF': data = ext.get_data() - return data == self.h + # Add the ASN.1 tag/length prefix to the hash before comparison + return data == b'\x04\x20' + self.h return False From 95892cd4ab57636f39dfd5b31b69b810f42d7481 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Tue, 12 Jun 2018 17:24:19 -0700 Subject: [PATCH 226/256] Require acme>=0.25.0 for nginx (#6099) --- certbot-nginx/local-oldest-requirements.txt | 2 +- certbot-nginx/setup.py | 5 +---- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/certbot-nginx/local-oldest-requirements.txt b/certbot-nginx/local-oldest-requirements.txt index 65f5a758e..e70ac0c7f 100644 --- a/certbot-nginx/local-oldest-requirements.txt +++ b/certbot-nginx/local-oldest-requirements.txt @@ -1,2 +1,2 @@ --e acme[dev] +acme[dev]==0.25.0 -e .[dev] diff --git a/certbot-nginx/setup.py b/certbot-nginx/setup.py index 3de257a5f..d9cb4a9c2 100644 --- a/certbot-nginx/setup.py +++ b/certbot-nginx/setup.py @@ -7,10 +7,7 @@ version = '0.26.0.dev0' # Remember to update local-oldest-requirements.txt when changing the minimum # acme/certbot version. install_requires = [ - # This plugin works with an older version of acme, but Certbot does not. - # 0.22.0 is specified here to work around - # https://github.com/pypa/pip/issues/988. - 'acme>0.21.1', + 'acme>=0.25.0', 'certbot>0.21.1', 'mock', 'PyOpenSSL', From 9f20fa0ef969811803042be4a60f8127f6883e34 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Tue, 12 Jun 2018 17:31:22 -0700 Subject: [PATCH 227/256] Fixes #6085. (#6091) The value of norecusedirs is the default in newer versions of pytest which is listed at https://docs.pytest.org/en/3.0.0/customize.html#confval-norecursedirs. --- acme/MANIFEST.in | 1 + acme/pytest.ini | 2 ++ 2 files changed, 3 insertions(+) create mode 100644 acme/pytest.ini diff --git a/acme/MANIFEST.in b/acme/MANIFEST.in index 5367e484a..1619bef69 100644 --- a/acme/MANIFEST.in +++ b/acme/MANIFEST.in @@ -1,5 +1,6 @@ include LICENSE.txt include README.rst +include pytest.ini recursive-include docs * recursive-include examples * recursive-include acme/testdata * diff --git a/acme/pytest.ini b/acme/pytest.ini new file mode 100644 index 000000000..0c07ceac7 --- /dev/null +++ b/acme/pytest.ini @@ -0,0 +1,2 @@ +[pytest] +norecursedirs = .* build dist CVS _darcs {arch} *.egg From c9ae365f6678ae64134a9408185601e124cdf296 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Wed, 13 Jun 2018 14:20:15 -0700 Subject: [PATCH 228/256] 0.25.1 update for master (#6110) * Release 0.25.1 (cherry picked from commit 21b5e4eadb445d0a3dcd8cebb709a9fd15e18278) * Bump version to 0.26.0 --- certbot-auto | 26 +++++++++--------- docs/cli-help.txt | 2 +- letsencrypt-auto | 26 +++++++++--------- letsencrypt-auto-source/certbot-auto.asc | 16 +++++------ letsencrypt-auto-source/letsencrypt-auto | 24 ++++++++-------- letsencrypt-auto-source/letsencrypt-auto.sig | Bin 256 -> 256 bytes .../pieces/certbot-requirements.txt | 24 ++++++++-------- 7 files changed, 59 insertions(+), 59 deletions(-) diff --git a/certbot-auto b/certbot-auto index c15a851db..d2cfa672d 100755 --- a/certbot-auto +++ b/certbot-auto @@ -31,7 +31,7 @@ if [ -z "$VENV_PATH" ]; then fi VENV_BIN="$VENV_PATH/bin" BOOTSTRAP_VERSION_PATH="$VENV_PATH/certbot-auto-bootstrap-version.txt" -LE_AUTO_VERSION="0.25.0" +LE_AUTO_VERSION="0.25.1" BASENAME=$(basename $0) USAGE="Usage: $BASENAME [OPTIONS] A self-updating wrapper script for the Certbot ACME client. When run, updates @@ -1208,18 +1208,18 @@ letsencrypt==0.7.0 \ --hash=sha256:105a5fb107e45bcd0722eb89696986dcf5f08a86a321d6aef25a0c7c63375ade \ --hash=sha256:c36e532c486a7e92155ee09da54b436a3c420813ec1c590b98f635d924720de9 -certbot==0.25.0 \ - --hash=sha256:6acd1e241785d73547803ca74bd1477eab6576e83eb035e0c343f1c8fc97b884 \ - --hash=sha256:bfdf0e2fe67f48034fa9a9bc16b12dd23ef3ac8bbac4e15ece876cd764eb40f8 -acme==0.25.0 \ - --hash=sha256:b20d27d6fd5b9d0e6fa4bf0528d7c6c2b9b301b49bdba4aad41fb9758fda1b3d \ - --hash=sha256:78c72b37d9ebc16ceb21df7f6b1037e80297abd61d0555c9d11f219a7118cef2 -certbot-apache==0.25.0 \ - --hash=sha256:e95eb8f24bd93d0c3e4e62a15ebe3042d411aaa1b107da5d869301472185924e \ - --hash=sha256:ca660d10e1945a78e0a00fd2be330be5acef97f215d3b03cb72cb0a996d63a64 -certbot-nginx==0.25.0 \ - --hash=sha256:8081edfe29943de54780e24c2a4ba7488e375177455f2cfad8bfe1b578bdd235 \ - --hash=sha256:0848642c28f3fad9759309f3e78652d8dd68062e068844a74f828155d2fda416 +certbot==0.25.1 \ + --hash=sha256:01689015364685fef3f1e1fb7832ba84eb3b0aa85bc5a71c96661f6d4c59981f \ + --hash=sha256:5c23e5186133bb1afd805be5e0cd2fb7b95862a8b0459c9ecad4ae60f933e54e +acme==0.25.1 \ + --hash=sha256:26e641a01536705fe5f12d856703b8ef06e5a07981a7b6379d2771dcdb69a742 \ + --hash=sha256:47b5f3f73d69b7b1d13f918aa2cd75a8093069a68becf4af38e428e4613b2734 +certbot-apache==0.25.1 \ + --hash=sha256:a28b7c152cc11474bef5b5e7967aaea42b2c0aaf86fd82ee4082713d33cee5a9 \ + --hash=sha256:ed012465617073a0f1057fe854dc8d1eb6d2dd7ede1fb2eee765129fed2a095a +certbot-nginx==0.25.1 \ + --hash=sha256:83f82c3ba08c0b1d4bf449ac24018e8e7dd34a6248d35466f2de7da1cd312e15 \ + --hash=sha256:68f98b41c54e0bf4218ef293079597176617bee3837ae3aa6528ce2ff0bf4f9c UNLIKELY_EOF # ------------------------------------------------------------------------- diff --git a/docs/cli-help.txt b/docs/cli-help.txt index f40a9aa4c..49821a7b5 100644 --- a/docs/cli-help.txt +++ b/docs/cli-help.txt @@ -108,7 +108,7 @@ optional arguments: case, and to know when to deprecate support for past Python versions and flags. If you wish to hide this information from the Let's Encrypt server, set this to - "". (default: CertbotACMEClient/0.25.0 (certbot; + "". (default: CertbotACMEClient/0.25.1 (certbot; darwin 10.13.5) Authenticator/XXX Installer/YYY (SUBCOMMAND; flags: FLAGS) Py/2.7.15). The flags encoded in the user agent are: --duplicate, --force- diff --git a/letsencrypt-auto b/letsencrypt-auto index c15a851db..d2cfa672d 100755 --- a/letsencrypt-auto +++ b/letsencrypt-auto @@ -31,7 +31,7 @@ if [ -z "$VENV_PATH" ]; then fi VENV_BIN="$VENV_PATH/bin" BOOTSTRAP_VERSION_PATH="$VENV_PATH/certbot-auto-bootstrap-version.txt" -LE_AUTO_VERSION="0.25.0" +LE_AUTO_VERSION="0.25.1" BASENAME=$(basename $0) USAGE="Usage: $BASENAME [OPTIONS] A self-updating wrapper script for the Certbot ACME client. When run, updates @@ -1208,18 +1208,18 @@ letsencrypt==0.7.0 \ --hash=sha256:105a5fb107e45bcd0722eb89696986dcf5f08a86a321d6aef25a0c7c63375ade \ --hash=sha256:c36e532c486a7e92155ee09da54b436a3c420813ec1c590b98f635d924720de9 -certbot==0.25.0 \ - --hash=sha256:6acd1e241785d73547803ca74bd1477eab6576e83eb035e0c343f1c8fc97b884 \ - --hash=sha256:bfdf0e2fe67f48034fa9a9bc16b12dd23ef3ac8bbac4e15ece876cd764eb40f8 -acme==0.25.0 \ - --hash=sha256:b20d27d6fd5b9d0e6fa4bf0528d7c6c2b9b301b49bdba4aad41fb9758fda1b3d \ - --hash=sha256:78c72b37d9ebc16ceb21df7f6b1037e80297abd61d0555c9d11f219a7118cef2 -certbot-apache==0.25.0 \ - --hash=sha256:e95eb8f24bd93d0c3e4e62a15ebe3042d411aaa1b107da5d869301472185924e \ - --hash=sha256:ca660d10e1945a78e0a00fd2be330be5acef97f215d3b03cb72cb0a996d63a64 -certbot-nginx==0.25.0 \ - --hash=sha256:8081edfe29943de54780e24c2a4ba7488e375177455f2cfad8bfe1b578bdd235 \ - --hash=sha256:0848642c28f3fad9759309f3e78652d8dd68062e068844a74f828155d2fda416 +certbot==0.25.1 \ + --hash=sha256:01689015364685fef3f1e1fb7832ba84eb3b0aa85bc5a71c96661f6d4c59981f \ + --hash=sha256:5c23e5186133bb1afd805be5e0cd2fb7b95862a8b0459c9ecad4ae60f933e54e +acme==0.25.1 \ + --hash=sha256:26e641a01536705fe5f12d856703b8ef06e5a07981a7b6379d2771dcdb69a742 \ + --hash=sha256:47b5f3f73d69b7b1d13f918aa2cd75a8093069a68becf4af38e428e4613b2734 +certbot-apache==0.25.1 \ + --hash=sha256:a28b7c152cc11474bef5b5e7967aaea42b2c0aaf86fd82ee4082713d33cee5a9 \ + --hash=sha256:ed012465617073a0f1057fe854dc8d1eb6d2dd7ede1fb2eee765129fed2a095a +certbot-nginx==0.25.1 \ + --hash=sha256:83f82c3ba08c0b1d4bf449ac24018e8e7dd34a6248d35466f2de7da1cd312e15 \ + --hash=sha256:68f98b41c54e0bf4218ef293079597176617bee3837ae3aa6528ce2ff0bf4f9c UNLIKELY_EOF # ------------------------------------------------------------------------- diff --git a/letsencrypt-auto-source/certbot-auto.asc b/letsencrypt-auto-source/certbot-auto.asc index 11e9750b5..67bab66d4 100644 --- a/letsencrypt-auto-source/certbot-auto.asc +++ b/letsencrypt-auto-source/certbot-auto.asc @@ -1,11 +1,11 @@ -----BEGIN PGP SIGNATURE----- -iQEzBAABCAAdFiEEos+1H6J1pyhiNOeyTRfJlc2XdfIFAlsYSPUACgkQTRfJlc2X -dfKOzQgAhyWglFSdc2VTdqL5FDkg9yv5HzlpwUKp+Q3Q0Tq7/fecZeMybUnj8aJZ -6kiIQ0TE7vlQiKknxCg883hjoW/g0ZMemHsyVIAB6yi69Xltf/maxwwVdDPd+ens -db3/mRiefW+WE2tf5xPKc5xcch1Ej0H9bTIOyj7sgod/bFMuLEtyT/Y58Sb5gWIK -hIrfpWl0L3IP1EAFGSTbRhhxDPsMI6jveHMAQdh5uYgvDneUMVDwcuF4HW+qpvxG -lVQJqDTCSYpIg2bpzI8KHqsiHoe37Au5KbxewPb7Mmx91QE9u3deuPLM/jutHqQ7 -kGs5isnImrtQODSfAnWQbkq9BQocdA== -=EBXk +iQEzBAABCAAdFiEEos+1H6J1pyhiNOeyTRfJlc2XdfIFAlsgc/cACgkQTRfJlc2X +dfLjBgf/bHZn/q+Dqn34uBXHymRSce7UxQn17izcKAt7hZBl4j4sebQ9+0jjuNur +zrW8b0XJ0PsI10GG9qHR3ajC+04pWfRritnK1g4Ycb/pDcUkWo+8uRwr7skAVcvC +oa8ToBS3iUbd3csFl1mu1BGACUHLvVs2cYdDtMuJj8wjsVZ7KnWBGKULAskwmU4Z +VVUxeUrG9f+2kT35meEJUk91FS+4tmqNIVsVlBzf0Q0ZU1iQnV56dMwTqFRzdDJ2 +DBecE0GwuYnKXo2I7kIYaqACQmk9YFh55Sh0K9PbQxyv7YEZXZtkcdqFqyhxy3Nh +EJ2kurFaM3/VmLljc/rW8QW8B3QNbw== +=pkDz -----END PGP SIGNATURE----- diff --git a/letsencrypt-auto-source/letsencrypt-auto b/letsencrypt-auto-source/letsencrypt-auto index cac73dcbd..dc9190630 100755 --- a/letsencrypt-auto-source/letsencrypt-auto +++ b/letsencrypt-auto-source/letsencrypt-auto @@ -1208,18 +1208,18 @@ letsencrypt==0.7.0 \ --hash=sha256:105a5fb107e45bcd0722eb89696986dcf5f08a86a321d6aef25a0c7c63375ade \ --hash=sha256:c36e532c486a7e92155ee09da54b436a3c420813ec1c590b98f635d924720de9 -certbot==0.25.0 \ - --hash=sha256:6acd1e241785d73547803ca74bd1477eab6576e83eb035e0c343f1c8fc97b884 \ - --hash=sha256:bfdf0e2fe67f48034fa9a9bc16b12dd23ef3ac8bbac4e15ece876cd764eb40f8 -acme==0.25.0 \ - --hash=sha256:b20d27d6fd5b9d0e6fa4bf0528d7c6c2b9b301b49bdba4aad41fb9758fda1b3d \ - --hash=sha256:78c72b37d9ebc16ceb21df7f6b1037e80297abd61d0555c9d11f219a7118cef2 -certbot-apache==0.25.0 \ - --hash=sha256:e95eb8f24bd93d0c3e4e62a15ebe3042d411aaa1b107da5d869301472185924e \ - --hash=sha256:ca660d10e1945a78e0a00fd2be330be5acef97f215d3b03cb72cb0a996d63a64 -certbot-nginx==0.25.0 \ - --hash=sha256:8081edfe29943de54780e24c2a4ba7488e375177455f2cfad8bfe1b578bdd235 \ - --hash=sha256:0848642c28f3fad9759309f3e78652d8dd68062e068844a74f828155d2fda416 +certbot==0.25.1 \ + --hash=sha256:01689015364685fef3f1e1fb7832ba84eb3b0aa85bc5a71c96661f6d4c59981f \ + --hash=sha256:5c23e5186133bb1afd805be5e0cd2fb7b95862a8b0459c9ecad4ae60f933e54e +acme==0.25.1 \ + --hash=sha256:26e641a01536705fe5f12d856703b8ef06e5a07981a7b6379d2771dcdb69a742 \ + --hash=sha256:47b5f3f73d69b7b1d13f918aa2cd75a8093069a68becf4af38e428e4613b2734 +certbot-apache==0.25.1 \ + --hash=sha256:a28b7c152cc11474bef5b5e7967aaea42b2c0aaf86fd82ee4082713d33cee5a9 \ + --hash=sha256:ed012465617073a0f1057fe854dc8d1eb6d2dd7ede1fb2eee765129fed2a095a +certbot-nginx==0.25.1 \ + --hash=sha256:83f82c3ba08c0b1d4bf449ac24018e8e7dd34a6248d35466f2de7da1cd312e15 \ + --hash=sha256:68f98b41c54e0bf4218ef293079597176617bee3837ae3aa6528ce2ff0bf4f9c UNLIKELY_EOF # ------------------------------------------------------------------------- diff --git a/letsencrypt-auto-source/letsencrypt-auto.sig b/letsencrypt-auto-source/letsencrypt-auto.sig index 12330ad162164927502aadb9e73375d8a40b3d1a..f266c93e99a6c6b451a0dd066cf33fc069cac53c 100644 GIT binary patch literal 256 zcmV+b0ssDtYs3=1`HBT)24SsR1u@$W7ZPSU$S&OOtBrFsR+98n78ySvPt!!G z;8VuT@C4ln966cf7@p1|^2x*#OsORv*dICX|C;T?NkAcYvB#;S?b|v(@U=jc^F-3_=^g!<2^ko94v~{-OR8 zs(jE6oLCW6yS;4jMUbxlVGl~J&StH_A-KuM!mMbFXeL^Jnpkr41{l6#rWYsfUp^(i zzO<}YgQBPwyO%n@J11S;c~Voa9yf?}P0YBYWV5x#$dd)Xb67iJaEyXJESY09t?}#b GsB~g1X@A53 literal 256 zcmV+b0ssC$@8wI45>gS1>Vf-0?P)E}7cN~xWB;XyfZbYHf67R;8??@TB|A<6&Ymtv za~(Bb7VdlqKAz=5dK^kLhO%Pu%mcZ{cVC7weDiho<&%Nz(;*Xb*c(;*W-^&XC=|OD_~8fI^IFAUF~p|$&jhTt;E~D3eY}R9 z()EQT9^Wu3iJV-m%DTGS!1TdJ#YvLh-mJo<+p^7z6cnVGbv2Zai!|_#2965E&iQo& zOyxwu*TNkoH+8^qQvf_x;y1Sb&ZX_LL&2M~e^bphBFP!(!0Q2!3tl{Y_@sR Date: Wed, 13 Jun 2018 14:20:43 -0700 Subject: [PATCH 229/256] add 0.25.1 changelog (#6111) --- CHANGELOG.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5facc5380..88251e48a 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,28 @@ Certbot adheres to [Semantic Versioning](http://semver.org/). +## 0.25.1 - 2018-06-13 + +### Fixed + +* TLS-ALPN-01 support has been removed from our acme library. Using our current + dependencies, we are unable to provide a correct implementation of this + challenge so we decided to remove it from the library until we can provide + proper support. +* Issues causing test failures when running the tests in the acme package with + pytest<3.0 has been resolved. +* certbot-nginx now correctly depends on acme>=0.25.0. + +Despite us having broken lockstep, we are continuing to release new versions of +all Certbot components during releases for the time being, however, the only +packages with changes other than their version number were: + +* acme +* certbot-nginx + +More details about these changes can be found on our GitHub repo: +https://github.com/certbot/certbot/milestone/56?closed=1 + ## 0.25.0 - 2018-06-06 ### Added From c4ae376279e90ef12b4461f958403d4e517e6348 Mon Sep 17 00:00:00 2001 From: r5d Date: Wed, 13 Jun 2018 18:24:51 -0400 Subject: [PATCH 230/256] Add autorenew option to `renew` subcommand (#5911) * Add autorenew option to `renew` subcommand. * Change default value for 'autorenew' cli option. * Update certbot.cli.prepare_and_parse_args (autorenew) Set `default` for --autorenew and --no-autorenew. * Update certbot.storage.RenewableCert.should_autorenew. - Remove `interactive` argument in RenewableCert.should_autorenew. - Update certbot.renewal.should_renew. * Move autorenew enable/disable check to certbot.storage. - Remove autorenew enable/disable check in `certbot.renewal.handle_renewal_request`. - Fix RenewableCert.autorenewal_is_enabled; autorenew is stored in 'renewalparams'. - Add autorenew enable/disable check in `RenewableCert.should_autorenew`. - Update tests test_time_interval_judgments, test_autorenewal_is_enabled, test_should_autorenew tests in storage_test.py * certbot: Update RenewableCert.should_autorenew Remove block that sets autorenew option in the renewal configuration file. * certbot: Update prepare_and_parse_args. Remove --autorenew option. * certbot: Update CLI_DEFAULTS. Set default of `autorenew` to True. * Remove unused imports in certbot.storage. --- certbot/cli.py | 4 ++++ certbot/constants.py | 1 + certbot/renewal.py | 5 +++-- certbot/storage.py | 12 ++++-------- certbot/tests/storage_test.py | 18 ++++++++++++------ 5 files changed, 24 insertions(+), 16 deletions(-) diff --git a/certbot/cli.py b/certbot/cli.py index 05e316133..24e0bddac 100644 --- a/certbot/cli.py +++ b/certbot/cli.py @@ -1220,6 +1220,10 @@ def prepare_and_parse_args(plugins, args, detect_defaults=False): # pylint: dis " when the user executes \"certbot renew\", regardless of if the certificate" " is renewed. This setting does not apply to important TLS configuration" " updates.") + helpful.add( + "renew", "--no-autorenew", action="store_false", + default=flag_default("autorenew"), dest="autorenew", + help="Disable auto renewal of certificates.") helpful.add_deprecated_argument("--agree-dev-preview", 0) helpful.add_deprecated_argument("--dialog", 0) diff --git a/certbot/constants.py b/certbot/constants.py index c6746e888..93bc269af 100644 --- a/certbot/constants.py +++ b/certbot/constants.py @@ -37,6 +37,7 @@ CLI_DEFAULTS = dict( expand=False, renew_by_default=False, renew_with_new_domains=False, + autorenew=True, allow_subset_of_names=False, tos=False, account=None, diff --git a/certbot/renewal.py b/certbot/renewal.py index aa8c9722a..f50131028 100644 --- a/certbot/renewal.py +++ b/certbot/renewal.py @@ -36,7 +36,8 @@ STR_CONFIG_ITEMS = ["config_dir", "logs_dir", "work_dir", "user_agent", "pre_hook", "post_hook", "tls_sni_01_address", "http01_address"] INT_CONFIG_ITEMS = ["rsa_key_size", "tls_sni_01_port", "http01_port"] -BOOL_CONFIG_ITEMS = ["must_staple", "allow_subset_of_names", "reuse_key"] +BOOL_CONFIG_ITEMS = ["must_staple", "allow_subset_of_names", "reuse_key", + "autorenew"] CONFIG_ITEMS = set(itertools.chain( BOOL_CONFIG_ITEMS, INT_CONFIG_ITEMS, STR_CONFIG_ITEMS, ('pref_challs',))) @@ -261,7 +262,7 @@ def should_renew(config, lineage): if config.renew_by_default: logger.debug("Auto-renewal forced with --force-renewal...") return True - if lineage.should_autorenew(interactive=True): + if lineage.should_autorenew(): logger.info("Cert is due for renewal, auto-renewing...") return True if config.dry_run: diff --git a/certbot/storage.py b/certbot/storage.py index c453e55b0..5b2293bd1 100644 --- a/certbot/storage.py +++ b/certbot/storage.py @@ -920,10 +920,10 @@ class RenewableCert(object): :rtype: bool """ - return ("autorenew" not in self.configuration or - self.configuration.as_bool("autorenew")) + return ("autorenew" not in self.configuration["renewalparams"] or + self.configuration["renewalparams"].as_bool("autorenew")) - def should_autorenew(self, interactive=False): + def should_autorenew(self): """Should we now try to autorenew the most recent cert version? This is a policy question and does not only depend on whether @@ -934,16 +934,12 @@ class RenewableCert(object): Note that this examines the numerically most recent cert version, not the currently deployed version. - :param bool interactive: set to True to examine the question - regardless of whether the renewal configuration allows - automated renewal (for interactive use). Default False. - :returns: whether an attempt should now be made to autorenew the most current cert version in this lineage :rtype: bool """ - if interactive or self.autorenewal_is_enabled(): + if self.autorenewal_is_enabled(): # Consider whether to attempt to autorenew this cert now # Renewals on the basis of revocation diff --git a/certbot/tests/storage_test.py b/certbot/tests/storage_test.py index 09c752ebe..aa6c52ad4 100644 --- a/certbot/tests/storage_test.py +++ b/certbot/tests/storage_test.py @@ -383,8 +383,9 @@ class RenewableCertTests(BaseRenewableCertTest): os.unlink(self.test_rc.cert) self.assertRaises(errors.CertStorageError, self.test_rc.names) + @mock.patch("certbot.storage.cli") @mock.patch("certbot.storage.datetime") - def test_time_interval_judgments(self, mock_datetime): + def test_time_interval_judgments(self, mock_datetime, mock_cli): """Test should_autodeploy() and should_autorenew() on the basis of expiry time windows.""" test_cert = test_util.load_vector("cert_512.pem") @@ -399,6 +400,8 @@ class RenewableCertTests(BaseRenewableCertTest): f.write(test_cert) mock_datetime.timedelta = datetime.timedelta + mock_cli.set_by_cli.return_value = False + self.test_rc.configuration["renewalparams"] = {} for (current_time, interval, result) in [ # 2014-12-13 12:00:00+00:00 (about 5 days prior to expiry) @@ -451,22 +454,25 @@ class RenewableCertTests(BaseRenewableCertTest): self.assertFalse(self.test_rc.should_autodeploy()) def test_autorenewal_is_enabled(self): + self.test_rc.configuration["renewalparams"] = {} self.assertTrue(self.test_rc.autorenewal_is_enabled()) - self.test_rc.configuration["autorenew"] = "1" + self.test_rc.configuration["renewalparams"]["autorenew"] = "True" self.assertTrue(self.test_rc.autorenewal_is_enabled()) - self.test_rc.configuration["autorenew"] = "0" + self.test_rc.configuration["renewalparams"]["autorenew"] = "False" self.assertFalse(self.test_rc.autorenewal_is_enabled()) + @mock.patch("certbot.storage.cli") @mock.patch("certbot.storage.RenewableCert.ocsp_revoked") - def test_should_autorenew(self, mock_ocsp): + def test_should_autorenew(self, mock_ocsp, mock_cli): """Test should_autorenew on the basis of reasons other than expiry time window.""" # pylint: disable=too-many-statements + mock_cli.set_by_cli.return_value = False # Autorenewal turned off - self.test_rc.configuration["autorenew"] = "0" + self.test_rc.configuration["renewalparams"] = {"autorenew": "False"} self.assertFalse(self.test_rc.should_autorenew()) - self.test_rc.configuration["autorenew"] = "1" + self.test_rc.configuration["renewalparams"]["autorenew"] = "True" for kind in ALL_FOUR: self._write_out_kind(kind, 12) # Mandatory renewal on the basis of OCSP revocation From 453eafb11e5a571e9c63f5e95f2f1bd81c39e89c Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 15 Jun 2018 01:41:38 -0700 Subject: [PATCH 231/256] Used packaged acme in oldest tests. (#6112) --- certbot-apache/local-oldest-requirements.txt | 2 +- certbot-dns-route53/local-oldest-requirements.txt | 2 +- local-oldest-requirements.txt | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/certbot-apache/local-oldest-requirements.txt b/certbot-apache/local-oldest-requirements.txt index 724b61d3f..4e4aadbd8 100644 --- a/certbot-apache/local-oldest-requirements.txt +++ b/certbot-apache/local-oldest-requirements.txt @@ -1,2 +1,2 @@ --e acme[dev] +acme[dev]==0.25.0 certbot[dev]==0.21.1 diff --git a/certbot-dns-route53/local-oldest-requirements.txt b/certbot-dns-route53/local-oldest-requirements.txt index 724b61d3f..4e4aadbd8 100644 --- a/certbot-dns-route53/local-oldest-requirements.txt +++ b/certbot-dns-route53/local-oldest-requirements.txt @@ -1,2 +1,2 @@ --e acme[dev] +acme[dev]==0.25.0 certbot[dev]==0.21.1 diff --git a/local-oldest-requirements.txt b/local-oldest-requirements.txt index 2346300a3..1f449acae 100644 --- a/local-oldest-requirements.txt +++ b/local-oldest-requirements.txt @@ -1 +1 @@ --e acme[dev] +acme[dev]==0.25.0 From 8b16a56de830a6aca19846fa9d4f234aea87b2d1 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 15 Jun 2018 01:43:48 -0700 Subject: [PATCH 232/256] remove comment about renewer (#6115) --- certbot/main.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/certbot/main.py b/certbot/main.py index 8fa6ebfc6..089eab0c3 100644 --- a/certbot/main.py +++ b/certbot/main.py @@ -473,8 +473,7 @@ def _report_new_cert(config, cert_path, fullchain_path, key_path=None): def _determine_account(config): """Determine which account to use. - In order to make the renewer (configuration de/serialization) happy, - if ``config.account`` is ``None``, it will be updated based on the + If ``config.account`` is ``None``, it will be updated based on the user input. Same for ``config.email``. :param config: Configuration object From 3316eac178bd5a41ed75776159f79695a929aad3 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 15 Jun 2018 09:55:16 -0700 Subject: [PATCH 233/256] Separate integration coverage (#6113) * check coverage separately * Add coverage minimums for integration tests. --- certbot-nginx/tests/boulder-integration.sh | 2 ++ tests/boulder-integration.sh | 4 ++-- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/certbot-nginx/tests/boulder-integration.sh b/certbot-nginx/tests/boulder-integration.sh index d6bd767ce..980b5d45a 100755 --- a/certbot-nginx/tests/boulder-integration.sh +++ b/certbot-nginx/tests/boulder-integration.sh @@ -62,3 +62,5 @@ test_deployment_and_rollback nginx6.wtf # note: not reached if anything above fails, hence "killall" at the # top nginx -c $nginx_root/nginx.conf -s stop + +coverage report --fail-under 75 --include 'certbot-nginx/*' --show-missing diff --git a/tests/boulder-integration.sh b/tests/boulder-integration.sh index ef611e743..2f9130489 100755 --- a/tests/boulder-integration.sh +++ b/tests/boulder-integration.sh @@ -486,11 +486,11 @@ if [ "${BOULDER_INTEGRATION:-v1}" = "v2" ]; then --manual-cleanup-hook ./tests/manual-dns-cleanup.sh fi +coverage report --fail-under 65 --include 'certbot/*' --show-missing + # Most CI systems set this variable to true. # If the tests are running as part of CI, Nginx should be available. if ${CI:-false} || type nginx; then . ./certbot-nginx/tests/boulder-integration.sh fi - -coverage report --fail-under 67 -m From adc07ef933dea4526314f17a1b07b2f5c13715f3 Mon Sep 17 00:00:00 2001 From: sydneyli Date: Fri, 15 Jun 2018 15:03:58 -0700 Subject: [PATCH 234/256] fix(display): alternate spaces and dashes (#6119) * fix(display): alternate spaces and dashes * add comment --- certbot/display/util.py | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/certbot/display/util.py b/certbot/display/util.py index 5e97bca4e..e157a1123 100644 --- a/certbot/display/util.py +++ b/certbot/display/util.py @@ -29,6 +29,10 @@ HELP = "help" ESC = "esc" """Display exit code when the user hits Escape (UNUSED)""" +# Display constants +SIDE_FRAME = ("- " * 39) + "-" +"""Display boundary (alternates spaces, so when copy-pasted, markdown doesn't interpret +it as a heading)""" def _wrap_lines(msg): """Format lines nicely to 80 chars. @@ -111,12 +115,11 @@ class FileDisplay(object): because it won't cause any workflow regressions """ - side_frame = "-" * 79 if wrap: message = _wrap_lines(message) self.outfile.write( "{line}{frame}{line}{msg}{line}{frame}{line}".format( - line=os.linesep, frame=side_frame, msg=message)) + line=os.linesep, frame=SIDE_FRAME, msg=message)) self.outfile.flush() if pause: if self._can_interact(force_interactive): @@ -208,12 +211,10 @@ class FileDisplay(object): if self._return_default(message, default, cli_flag, force_interactive): return default - side_frame = ("-" * 79) + os.linesep - message = _wrap_lines(message) self.outfile.write("{0}{frame}{msg}{0}{frame}".format( - os.linesep, frame=side_frame, msg=message)) + os.linesep, frame=SIDE_FRAME + os.linesep, msg=message)) self.outfile.flush() while True: @@ -386,8 +387,7 @@ class FileDisplay(object): # Write out the message to the user self.outfile.write( "{new}{msg}{new}".format(new=os.linesep, msg=message)) - side_frame = ("-" * 79) + os.linesep - self.outfile.write(side_frame) + self.outfile.write(SIDE_FRAME + os.linesep) # Write out the menu choices for i, desc in enumerate(choices, 1): @@ -397,7 +397,7 @@ class FileDisplay(object): # Keep this outside of the textwrap self.outfile.write(os.linesep) - self.outfile.write(side_frame) + self.outfile.write(SIDE_FRAME + os.linesep) self.outfile.flush() def _get_valid_int_ans(self, max_): @@ -482,12 +482,11 @@ class NoninteractiveDisplay(object): :param bool wrap: Whether or not the application should wrap text """ - side_frame = "-" * 79 if wrap: message = _wrap_lines(message) self.outfile.write( "{line}{frame}{line}{msg}{line}{frame}{line}".format( - line=os.linesep, frame=side_frame, msg=message)) + line=os.linesep, frame=SIDE_FRAME, msg=message)) self.outfile.flush() def menu(self, message, choices, ok_label=None, cancel_label=None, From 5025b4ea9614f87b8e3f8d01c90066fdde664df3 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 24 Aug 2017 16:08:47 -0700 Subject: [PATCH 235/256] Add certbot-postfix to tools pep8ify Delint cover++ test more_info() Refactor get_config_var Don't duplicate changes to Postfix config document instance variables Always clear save_notes on save Test deploy_cert and save and add MockPostfix. Move mock and call to InstallerTest Add getters and setters Use postfix getters and setters protect get_config_var bump cover to 100% bump required coverage to 100 s/config_dir/config_utility Decrease minimum version to Postfix 2.6. This is the minimum version that allows us to set ciphers to be used with opportunistic TLS and is the oldest version packaged in any major distro. Use tls_security_level instead of use_tls. smtpd_tls_security_level should be used instead according to Postfix documentation. Test smtpd_tls_security_level conditional make dunder method an under method refactor postconf usage add check_all_output test check_all_output Add and test verify_exe_exists Add PostfixUtilBase Add ReadOnlyMainMap Use _get_output instead of _call Fix split strip typo --- certbot-postfix/certbot_postfix/installer.py | 211 ++++++++---- .../certbot_postfix/installer_test.py | 313 +++++++++++++----- certbot-postfix/certbot_postfix/postconf.py | 62 ++++ certbot-postfix/certbot_postfix/util.py | 122 ++++++- certbot-postfix/certbot_postfix/util_test.py | 92 +++++ tools/venv.sh | 1 + tools/venv3.sh | 1 + tox.cover.sh | 4 +- tox.ini | 2 + 9 files changed, 645 insertions(+), 163 deletions(-) create mode 100644 certbot-postfix/certbot_postfix/postconf.py diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 09e1cc18b..387f01051 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -1,9 +1,7 @@ """Certbot installer plugin for Postfix.""" import logging import os -import string import subprocess -import sys import zope.interface @@ -22,7 +20,15 @@ logger = logging.getLogger(__name__) @zope.interface.implementer(interfaces.IInstaller) @zope.interface.provider(interfaces.IPluginFactory) class Installer(plugins_common.Installer): - """Certbot installer plugin for Postfix.""" + """Certbot installer plugin for Postfix. + + :ivar str config_dir: Postfix configuration directory to modify + :ivar dict proposed_changes: configuration parameters and values to + be written to the Postfix config when save() is called + :ivar list save_notes: documentation for proposed changes. This is + cleared and stored in Certbot checkpoints when save() is called + + """ description = "Configure TLS with the Postfix MTA" @@ -53,7 +59,7 @@ class Installer(plugins_common.Installer): :raises errors.NotSupportedError: when version is not supported """ - for param in ("ctl", "config_dir",): + for param in ("ctl", "config_utility",): self._verify_executable_is_available(param) self._set_config_dir() self._check_version() @@ -85,7 +91,7 @@ class Installer(plugins_common.Installer): """ if self.conf("config-dir") is None: - self.config_dir = self.get_config_var("config_directory") + self.config_dir = self._get_config_var("config_directory") else: self.config_dir = self.conf("config-dir") @@ -95,7 +101,7 @@ class Installer(plugins_common.Installer): :raises errors.NotSupportedError: if the version is unsupported """ - if self._get_version() < (2, 11, 0): + if self._get_version() < (2, 6,): raise errors.NotSupportedError('Postfix version is too old') def _lock_config_dir(self): @@ -138,7 +144,7 @@ class Installer(plugins_common.Installer): :raises .PluginError: Unable to find Postfix version. """ - mail_version = self.get_config_var("mail_version", default=True) + mail_version = self._get_config_default("mail_version") return tuple(int(i) for i in mail_version.split('.')) def get_all_names(self): @@ -147,7 +153,7 @@ class Installer(plugins_common.Installer): :rtype: `set` of `str` """ - return set(self.get_config_var(var) + return set(self._get_config_var(var) for var in ('mydomain', 'myhostname', 'myorigin',)) def deploy_cert(self, domain, cert_path, @@ -164,12 +170,16 @@ class Installer(plugins_common.Installer): :raises .PluginError: when cert cannot be deployed """ + # pylint: disable=unused-argument self.save_notes.append("Configuring TLS for {0}".format(domain)) self._set_config_var("smtpd_tls_cert_file", fullchain_path) self._set_config_var("smtpd_tls_key_file", key_path) self._set_config_var("smtpd_tls_mandatory_protocols", "!SSLv2, !SSLv3") self._set_config_var("smtpd_tls_protocols", "!SSLv2, !SSLv3") - self._set_config_var("smtpd_use_tls", "yes") + + # Don't configure opportunistic TLS if it's currently mandatory + if self._get_config_var("smtpd_tls_security_level") != "encrypt": + self._set_config_var("smtpd_tls_security_level", "may") def enhance(self, domain, enhancement, options=None): """Raises an exception for request for unsupported enhancement. @@ -178,6 +188,7 @@ class Installer(plugins_common.Installer): are currently supported """ + # pylint: disable=unused-argument raise errors.PluginError( "Unsupported enhancement: {0}".format(enhancement)) @@ -202,14 +213,13 @@ class Installer(plugins_common.Installer): :raises errors.PluginError: when save is unsuccessful """ - if not self.proposed_changes: - return + if self.proposed_changes: + save_files = set((os.path.join(self.config_dir, "main.cf"),)) + self.add_to_checkpoint(save_files, + "\n".join(self.save_notes), temporary) + self._write_config_changes() + self.proposed_changes.clear() - self.add_to_checkpoint(os.path.join(self.config_dir, "main.cf"), - "\n".join(self.save_notes), temporary) - self._write_config_changes() - - self.proposed_changes.clear() del self.save_notes[:] if title and not temporary: @@ -298,70 +308,67 @@ class Installer(plugins_common.Installer): util.check_call(cmd) - def get_config_var(self, name, default=False): + def _get_config_default(self, name): + """Return the default value of the specified config parameter. + + :param str name: name of the Postfix config default to return + + :returns: default for the specified configuration parameter if it + exists, otherwise, None + :rtype: str or types.NoneType + + :raises errors.PluginError: if an error occurs while running postconf + or parsing its output + + """ + try: + return self._get_value_from_postconf(("-d", name,)) + except (subprocess.CalledProcessError, errors.PluginError): + raise errors.PluginError("Unable to determine the default value of" + " the Postfix parameter {0}".format(name)) + + def _get_config_var(self, name): """Return the value of the specified Postfix config parameter. - :param str name: name of the Postfix config parameter to return - :param bool default: whether or not to return the default value - instead of the actual value + If there is an unsaved change modifying the value of the + specified config parameter, the value after this proposed change + is returned rather than the current value. If the value is + unset, `None` is returned. - :returns: value of the specified configuration parameter - :rtype: str + :param str name: name of the Postfix config parameter to return + + :returns: value of the parameter included in postconf_args + :rtype: str or types.NoneType + + :raises errors.PluginError: if an error occurs while running postconf + or parsing its output """ - cmd = self._build_cmd_for_config_var(name, default) + if name in self.proposed_changes: + return self.proposed_changes[name] try: - output = util.check_output(cmd) - except subprocess.CalledProcessError: - logger.debug("Encountered an error when running 'postconf'", - exc_info=True) - raise errors.PluginError( - "Unable to determine the value " - "of Postfix parameter {0}".format(name)) - - expected_prefix = name + " =" - if not output.startswith(expected_prefix): - raise errors.PluginError( - "Unexpected output '{0}' from '{1}'".format(output, - ' '.join(cmd))) - - return output[len(expected_prefix):].strip() - - def _build_cmd_for_config_var(self, name, default): - """Return a command to run to get a Postfix config parameter. - - :param str name: name of the Postfix config parameter to return - :param bool default: whether or not to return the default value - instead of the actual value - - :returns: command to run - :rtype: list - - """ - cmd = self._postconf_command_base() - - if default: - cmd.append("-d") - - cmd.append(name) - - return cmd + return self._get_value_from_postconf((name,)) + except (subprocess.CalledProcessError, errors.PluginError): + raise errors.PluginError("Unable to determine the value of" + " the Postfix parameter {0}".format(name)) def _set_config_var(self, name, value): """Set the Postfix config parameter name to value. This method only stores the requested change in memory. The Postfix configuration is not modified until save() is called. + If there's already an identical in progress change or the + Postfix configuration parameter already has the specified value, + no changes are made. :param str name: name of the Postfix config parameter :param str value: value to set the Postfix config parameter to """ - assert isinstance(name, str), "Invalid name value" - assert isinstance(value, str), "Invalid key value" - self.proposed_changes[name] = value - self.save_notes.append("\t* Set {0} to {1}".format(name, value)) + if self._get_config_var(name) != value: + self.proposed_changes[name] = value + self.save_notes.append("\t* Set {0} to {1}".format(name, value)) def _write_config_changes(self): """Write proposed changes to the Postfix config. @@ -369,21 +376,83 @@ class Installer(plugins_common.Installer): :raises errors.PluginError: if an error occurs """ - cmd = self._postconf_command_base() - cmd.extend("{0}={1}".format(name, value) - for name, value in self.proposed_changes.items()) - try: - util.check_call(cmd) + self._run_postconf_command( + "{0}={1}".format(name, value) + for name, value in self.proposed_changes.items()) except subprocess.CalledProcessError: raise errors.PluginError( "An error occurred while updating your Postfix config.") - def _postconf_command_base(self): - """Builds start of a postconf command using the selected config.""" - cmd = [self.conf("config-utility")] + def _get_value_from_postconf(self, postconf_args): + """Runs postconf and extracts the specified config value. + It is assumed that the name of the Postfix config parameter to + parse from the output is the last value in postconf_args. If the + value is unset, `None` is returned. If an error occurs, the + relevant information is logged before an exception is raised. + + :param collections.Iterable args: arguments to postconf + + :returns: value of the parameter included in postconf_args + :rtype: str or types.NoneType + + :raises errors.PluginError: if unable to parse postconf output + :raises subprocess.CalledProcessError: if postconf fails + + """ + name = postconf_args[-1] + output = self._run_postconf_command(postconf_args) + + try: + return self._parse_postconf_output(output, name) + except errors.PluginError: + logger.debug("An error occurred while parsing postconf output", + exc_info=True) + raise + + def _run_postconf_command(self, args): + """Runs a postconf command using the selected config. + + If postconf exits with a nonzero status, the error is logged + before an exception is raised. + + :param collections.Iterable args: additional arguments to postconf + + :returns: stdout output of postconf + :rtype: str + + :raises subprocess.CalledProcessError: if the command fails + + """ + + cmd = [self.conf("config-utility")] if self.conf("config-dir") is not None: cmd.extend(("-c", self.conf("config-dir"),)) + cmd.extend(args) - return cmd + return util.check_output(cmd) + + def _parse_postconf_output(self, output, name): + """Parses postconf output and returns the specified value. + + If the specified Postfix parameter is unset, `None` is returned. + It is assumed that most one configuration parameter will be + included in the given output. + + :param str output: output from postconf + :param str name: name of the Postfix config parameter to obtain + + :returns: value of the parameter included in postconf_args + :rtype: str or types.NoneType + + :raises errors.PluginError: if unable to parse postconf ouput + + """ + expected_prefix = name + " =" + if output.count("\n") != 1 or not output.startswith(expected_prefix): + raise errors.PluginError( + "Unexpected output '{0}' from postconf".format(output)) + + value = output[len(expected_prefix):].strip() + return value if value else None diff --git a/certbot-postfix/certbot_postfix/installer_test.py b/certbot-postfix/certbot_postfix/installer_test.py index 69d999b31..c57eda746 100644 --- a/certbot-postfix/certbot_postfix/installer_test.py +++ b/certbot-postfix/certbot_postfix/installer_test.py @@ -1,36 +1,25 @@ -#!/usr/bin/env python -# -*- coding: utf-8 -*- - -from __future__ import absolute_import -from __future__ import division -from __future__ import print_function -from __future__ import unicode_literals - +"""Tests for certbot_postfix.installer.""" import functools -import logging import os import subprocess import unittest import mock -import six from certbot import errors from certbot.tests import util as certbot_test_util -# Fake Postfix Configs -names_only_config = """mydomain = fubard.org -myhostname = mail.fubard.org -myorigin = fubard.org""" - class InstallerTest(certbot_test_util.ConfigTestCase): + # pylint: disable=too-many-public-methods def setUp(self): super(InstallerTest, self).setUp() self.config.postfix_ctl = "postfix" self.config.postfix_config_dir = self.tempdir self.config.postfix_config_utility = "postconf" + self.mock_postfix = MockPostfix(self.tempdir, + {"mail_version": "3.1.4"}) def test_add_parser_arguments(self): options = set(('ctl', 'config-dir', 'config-utility',)) @@ -51,7 +40,29 @@ class InstallerTest(certbot_test_util.ConfigTestCase): with mock.patch(path_surgery_path, return_value=False): with mock.patch(exe_exists_path, return_value=False): - self.assertRaises(errors.NoInstallationError, installer.prepare) + self.assertRaises(errors.NoInstallationError, + installer.prepare) + + def test_postconf_error(self): + installer = self._create_installer() + + check_output_path = "certbot_postfix.installer.util.check_output" + exe_exists_path = "certbot_postfix.installer.certbot_util.exe_exists" + with mock.patch(check_output_path) as mock_check_output: + mock_check_output.side_effect = subprocess.CalledProcessError(42, + "a") + with mock.patch(exe_exists_path, return_value=True): + self.assertRaises(errors.PluginError, installer.prepare) + + def test_unexpected_postconf(self): + installer = self._create_installer() + + check_output_path = "certbot_postfix.installer.util.check_output" + exe_exists_path = "certbot_postfix.installer.certbot_util.exe_exists" + with mock.patch(check_output_path) as mock_check_output: + mock_check_output.return_value = "foobar" + with mock.patch(exe_exists_path, return_value=True): + self.assertRaises(errors.PluginError, installer.prepare) def test_set_config_dir(self): self.config.postfix_config_dir = os.path.join(self.tempdir, "subdir") @@ -61,32 +72,100 @@ class InstallerTest(certbot_test_util.ConfigTestCase): expected = self.config.postfix_config_dir self.config.postfix_config_dir = None - check_call_path = "certbot_postfix.installer.subprocess.check_call" - check_output_path = "certbot_postfix.installer.util.check_output" + self.mock_postfix.set_value("config_directory", expected) exe_exists_path = "certbot_postfix.installer.certbot_util.exe_exists" - with mock.patch(check_output_path) as mock_check_output: - mock_check_output.side_effect = [ - "config_directory = " + expected, "mail_version = 3.1.4" - ] - with mock.patch(exe_exists_path, return_value=True): - with mock.patch(check_call_path): - installer.prepare() + with mock.patch(exe_exists_path, return_value=True): + self._mock_postfix_and_call(installer.prepare) self.assertEqual(installer.config_dir, expected) + @mock.patch("certbot_postfix.installer.certbot_util.exe_exists") + def test_old_version(self, mock_exe_exists): + installer = self._create_installer() + mock_exe_exists.return_value = True + self.mock_postfix.set_value("mail_version", "0.0.1") + self._mock_postfix_and_call( + self.assertRaises, errors.NotSupportedError, installer.prepare) + def test_lock_error(self): assert_raises = functools.partial(self.assertRaises, errors.PluginError, self._create_prepared_installer) certbot_test_util.lock_and_call(assert_raises, self.tempdir) - @mock.patch("certbot_postfix.installer.util.check_output") - def test_get_all_names(self, mock_check_output): + def test_more_info(self): installer = self._create_prepared_installer() - mock_check_output.side_effect = names_only_config.splitlines() + version = "3.1.2" + self.mock_postfix.set_value("mail_version", version) - result = installer.get_all_names() - self.assertTrue("fubard.org" in result) - self.assertTrue("mail.fubard.org" in result) + output = self._mock_postfix_and_call(installer.more_info) + self.assertTrue("Postfix" in output) + self.assertTrue(self.tempdir in output) + self.assertTrue(version in output) + + def test_get_all_names(self): + config = {"mydomain": "example.org", + "myhostname": "mail.example.org", + "myorigin": "example.org"} + for name, value in config.items(): + self.mock_postfix.set_value(name, value) + + installer = self._create_prepared_installer() + result = self._mock_postfix_and_call(installer.get_all_names) + self.assertEqual(result, set(config.values())) + + def test_deploy(self): + installer = self._create_prepared_installer() + + def deploy_cert(domain): + """Calls deploy_cert for the given domain. + + :param str domain: domain to deploy cert for + + """ + installer.deploy_cert(domain, "foo", "bar", "baz", "qux") + + self._mock_postfix_and_call(deploy_cert, "example.org") + # No calls to postconf are expected so mock isn't needed + deploy_cert("mail.example.org") + + def test_deploy_and_save(self): + self._test_deploy_and_save_common({"smtpd_tls_security_level": "may"}) + + def test_deploy_and_save2(self): + self.mock_postfix.set_value("smtpd_tls_security_level", "encrypt") + self._test_deploy_and_save_common({"smtpd_tls_security_level": + "encrypt"}) + + def _test_deploy_and_save_common(self, expected_config): + key_path = "key_path" + fullchain_path = "fullchain_path" + installer = self._create_prepared_installer() + + for i, domain in enumerate(("example.org", "mail.example.org",)): + self._mock_postfix_and_call( + installer.deploy_cert, domain, "unused", + key_path, "unused", fullchain_path) + if i: + # No mock because Postfix utilities aren't expected to be used + installer.save("noop") + else: + self._mock_postfix_and_call(installer.save, "real save") + + expected_config.setdefault("smtpd_tls_cert_file", fullchain_path) + expected_config.setdefault("smtpd_tls_key_file", key_path) + for key, value in expected_config.items(): + self.assertEqual(self.mock_postfix.get_value(key), value) + + def test_save_error(self): + installer = self._create_prepared_installer() + self._mock_postfix_and_call( + installer.deploy_cert, "example.org", "foo", "bar", "baz", "qux") + + check_call_path = "certbot_postfix.installer.util.check_output" + with mock.patch(check_call_path) as mock_check_call: + mock_check_call.side_effect = subprocess.CalledProcessError(42, + "foo") + self.assertRaises(errors.PluginError, installer.save) def test_enhance(self): self.assertRaises(errors.PluginError, @@ -111,10 +190,10 @@ class InstallerTest(certbot_test_util.ConfigTestCase): ] self.assertRaises(errors.PluginError, installer.restart) - @mock.patch("certbot_postfix.installer.subprocess.check_call") - def test_postfix_reload_success(self, mock_check_call): - installer = self._create_prepared_installer() - installer.restart() + def test_postfix_reload_success(self): + with mock.patch("certbot_postfix.installer.subprocess.check_call"): + installer = self._create_prepared_installer() + installer.restart() @mock.patch("certbot_postfix.installer.subprocess.check_call") def test_postfix_start_failure(self, mock_check_call): @@ -130,52 +209,6 @@ class InstallerTest(certbot_test_util.ConfigTestCase): ] installer.restart() - def test_get_config_var_success(self): - self.config.postfix_config_dir = None - - command = self._test_get_config_var_success_common('foo', False) - self.assertFalse("-c" in command) - self.assertFalse("-d" in command) - - def test_get_config_var_success_with_config(self): - command = self._test_get_config_var_success_common('foo', False) - self.assertTrue("-c" in command) - self.assertFalse("-d" in command) - - def test_get_config_var_success_with_default(self): - self.config.postfix_config_dir = None - - command = self._test_get_config_var_success_common('foo', True) - self.assertFalse("-c" in command) - self.assertTrue("-d" in command) - - @mock.patch("certbot_postfix.installer.logger") - @mock.patch("certbot_postfix.installer.util.check_output") - def test_get_config_var_failure(self, mock_check_output, mock_logger): - mock_check_output.side_effect = subprocess.CalledProcessError(42, "foo") - installer = self._create_installer() - self.assertRaises(errors.PluginError, installer.get_config_var, "foo") - self.assertTrue(mock_logger.debug.call_args[1]["exc_info"]) - - @mock.patch("certbot_postfix.installer.util.check_output") - def test_get_config_var_unexpected_output(self, mock_check_output): - self.config.postfix_config_dir = None - mock_check_output.return_value = "foo" - - installer = self._create_installer() - self.assertRaises(errors.PluginError, installer.get_config_var, "foo") - - def _test_get_config_var_success_common(self, name, default): - installer = self._create_installer() - - check_output_path = "certbot_postfix.installer.util.check_output" - with mock.patch(check_output_path) as mock_check_output: - value = "bar" - mock_check_output.return_value = name + " = " + value - self.assertEqual(installer.get_config_var(name, default), value) - - return mock_check_output.call_args[0][0] - def _create_prepared_installer(self): """Creates and returns a new prepared Postfix Installer. @@ -188,14 +221,9 @@ class InstallerTest(certbot_test_util.ConfigTestCase): """ installer = self._create_installer() - check_call_path = "certbot_postfix.installer.subprocess.check_call" - check_output_path = "certbot_postfix.installer.util.check_output" exe_exists_path = "certbot_postfix.installer.certbot_util.exe_exists" - with mock.patch(check_output_path) as mock_check_output: - with mock.patch(exe_exists_path, return_value=True): - with mock.patch(check_call_path): - mock_check_output.return_value = "mail_version = 3.1.4" - installer.prepare() + with mock.patch(exe_exists_path, return_value=True): + self._mock_postfix_and_call(installer.prepare) return installer @@ -211,6 +239,113 @@ class InstallerTest(certbot_test_util.ConfigTestCase): from certbot_postfix import installer return installer.Installer(self.config, name) + def _mock_postfix_and_call(self, func, *args, **kwargs): + """Calls func with mocked responses from Postfix utilities. + + :param callable func: function to call with mocked args + :param tuple args: positional arguments to func + :param dict kwargs: keyword arguments to func + + :returns: the return value of func + + """ + check_call_path = "certbot_postfix.installer.subprocess.check_call" + check_output_path = "certbot_postfix.installer.util.check_output" + + with mock.patch(check_call_path) as mock_check_call: + mock_check_call.side_effect = self.mock_postfix + with mock.patch(check_output_path) as mock_check_output: + mock_check_output.side_effect = self.mock_postfix + return func(*args, **kwargs) + + +class MockPostfix(object): + """A callable to mimic Postfix command line utilities. + + This is best used a side effect to a mock object. All calls to + 'postfix' are noops. For calls to 'postconf', values that are set in + the constructor or through mocked out runs of postconf are + remembered and properly returned if the installer attempts to fetch + the value. If the Postfix installer attempts to obtain a value that + hasn't yet been set, a dummy value is returned. + + :ivar str config_path: path to Postfix main.cf file + + """ + def __init__(self, config_dir, initial_values): + """Create Postfix configuration. + + :param str config_dir: path for Postfix config dir + :param dict initial_values: initial Postfix config values + + """ + initial_values["config_directory"] = config_dir + + self.config_path = os.path.join(config_dir, "main.cf") + self._write_config(initial_values) + + def __call__(self, args, *unused_args, **unused_kwargs): + cmd = os.path.basename(args[0]) + if cmd == "postfix": + return + elif cmd != "postconf": # pragma: no cover + assert False, "Unexpected command '{0}'".format(''.join(args)) + + output = [] + + skip = False + for arg in args[1:]: + if skip: + skip = False + elif arg[0] == "-": + if arg == "-c": + skip = True + elif "=" in arg: + name, _, value = arg.partition("=") + self.set_value(name, value) + else: + output.append("{0} = {1}\n".format(arg, self.get_value(arg))) + + return "\n".join(output) + + def get_value(self, name): + """Returns the value for the Postfix config parameter name. + + If the value isn't set, an empty string is returned. + + :param str name: name of the Postfix config parameter + + :returns: value of the named parameter + :rtype: str + + """ + return self._read_config().get(name, "") + + def set_value(self, name, value): + """Sets the value for a Postfix config parameter. + + :param str name: name of the Postfix config parameter + :param str value: value ot set the parameter to + + """ + config = self._read_config() + config[name] = value + self._write_config(config) + + def _read_config(self): + config = {} + with open(self.config_path) as f: + for line in f: + key, _, value = line.strip().partition(" = ") + config[key] = value + + return config + + def _write_config(self, config): + with open(self.config_path, "w") as f: + f.writelines("{0} = {1}\n".format(key, value) + for key, value in config.items()) + if __name__ == '__main__': - unittest.main() + unittest.main() # pragma: no cover diff --git a/certbot-postfix/certbot_postfix/postconf.py b/certbot-postfix/certbot_postfix/postconf.py new file mode 100644 index 000000000..7738562dd --- /dev/null +++ b/certbot-postfix/certbot_postfix/postconf.py @@ -0,0 +1,62 @@ +"""Classes that wrap the postconf command line utility. + +These classes allow you to interact with a Postfix config like it is a +dictionary, with the getting and setting of values in the config being +handled automatically by the class. + +""" +import collections + +from certbot_postfix import util + + +class ReadOnlyMainMap(util.PostfixUtilBase, collections.Mapping): + """A read-only view of a Postfix main.cf file.""" + + _modifiers = None + """An iterable containing additional CLI flags for postconf.""" + + def __getitem__(self, name): + return next(_parse_main_output(self._get_output([name])))[1] + + def __iter__(self): + for name, _ in _parse_main_output(self._get_output()): + yield name + + def __len__(self): + return sum(1 for _ in _parse_main_output(self._get_output())) + + def _call(self, extra_args=None): + """Runs Postconf and returns the result. + + If self._modifiers is set, it is provided on the command line to + postconf before any values in extra_args. + + :param list extra_args: additional arguments for the command + + :returns: data written to stdout and stderr + :rtype: `tuple` of `str` + + :raises subprocess.CalledProcessError: if the command fails + + """ + all_extra_args = [] + for args_list in (self._modifiers, extra_args,): + if args_list is not None: + all_extra_args.extend(args_list) + + return super(ReadOnlyMainMap, self)._call(all_extra_args) + + +def _parse_main_output(output): + """Parses the raw output from Postconf about main.cf. + + :param str output: data postconf wrote to stdout about main.cf + + :returns: generator providing key-value pairs from main.cf + :rtype: generator + + """ + for line in output.splitlines(): + name, _, value = line.partition(" =") + yield name, value.strip() diff --git a/certbot-postfix/certbot_postfix/util.py b/certbot-postfix/certbot_postfix/util.py index b65e4231e..57196017f 100644 --- a/certbot-postfix/certbot_postfix/util.py +++ b/certbot-postfix/certbot_postfix/util.py @@ -1,12 +1,129 @@ """Utility functions for use in the Postfix installer.""" - import logging import subprocess +from certbot import errors +from certbot import util as certbot_util +from certbot.plugins import util as plugins_util + logger = logging.getLogger(__name__) +class PostfixUtilBase(object): + """A base class for wrapping Postfix command line utilities.""" + + def __init__(self, executable, config_dir=None): + """Sets up the Postfix utility class. + + :param str executable: name or path of the Postfix utility + :param str config_dir: path to an alternative Postfix config + + :raises .NoInstallationError: when the executable isn't found + + """ + verify_exe_exists(executable) + + self._base_command = [executable] + if config_dir is not None: + self._base_command.extend(('-c', config_dir,)) + + def _call(self, extra_args=None): + """Runs the Postfix utility and returns the result. + + :param list extra_args: additional arguments for the command + + :returns: data written to stdout and stderr + :rtype: `tuple` of `str` + + :raises subprocess.CalledProcessError: if the command fails + + """ + args = list(self._base_command) + if extra_args is not None: + args.extend(extra_args) + return check_all_output(args) + + def _get_output(self, extra_args=None): + """Runs the Postfix utility and returns only stdout output. + + This function relies on self._call for running the utility. + + :param list extra_args: additional arguments for the command + + :returns: data written to stdout + :rtype: str + + :raises subprocess.CalledProcessError: if the command fails + + """ + return self._call(extra_args)[0] + + +def check_all_output(*args, **kwargs): + """A version of subprocess.check_output that also captures stderr. + + This is the same as :func:`subprocess.check_output` except output + written to stderr is also captured and returned to the caller. The + return value is a tuple of two strings (rather than byte strings). + To accomplish this, the caller cannot set the stdout, stderr, or + universal_newlines parameters to :class:`subprocess.Popen`. + + Additionally, if the command exits with a nonzero status, output is + not included in the raised :class:`subprocess.CalledProcessError` + because Python 2.6 does not support this. Instead, the failure + including the output is logged. + + :param tuple args: positional arguments for Popen + :param dict kwargs: keyword arguments for Popen + + :returns: data written to stdout and stderr + :rtype: `tuple` of `str` + + :raises ValueError: if arguments are invalid + :raises subprocess.CalledProcessError: if the command fails + + """ + for keyword in ('stdout', 'stderr', 'universal_newlines',): + if keyword in kwargs: + raise ValueError( + keyword + ' argument not allowed, it will be overridden.') + + kwargs['stdout'] = subprocess.PIPE + kwargs['stderr'] = subprocess.PIPE + kwargs['universal_newlines'] = True + + process = subprocess.Popen(*args, **kwargs) + output, err = process.communicate() + retcode = process.poll() + if retcode: + cmd = kwargs.get('args') + if cmd is None: + cmd = args[0] + logger.debug( + "'%s' exited with %d. stdout output was:\n%s\nstderr output was:\n%s", + cmd, retcode, output, err) + raise subprocess.CalledProcessError(retcode, cmd) + return (output, err) + + +def verify_exe_exists(exe): + """Ensures an executable with the given name is available. + + If an executable isn't found for the given path or name, extra + directories are added to the user's PATH to help find system + utilities that may not be available in the default cron PATH. + + :param str exe: executable path or name + + :raises .NoInstallationError: when the executable isn't found + + """ + if not (certbot_util.exe_exists(exe) or plugins_util.path_surgery(exe)): + raise errors.NoInstallationError( + "Cannot find executable '{0}'.".format(exe)) + + def check_call(*args, **kwargs): """A simple wrapper of subprocess.check_call that logs errors. @@ -63,7 +180,8 @@ def check_output(*args, **kwargs): if retcode: cmd = _get_cmd(*args, **kwargs) logger.debug( - "'%s' exited with %d. Output was:\n%s", cmd, retcode, output) + "'%s' exited with %d. Output was:\n%s", + cmd, retcode, output, exc_info=True) raise subprocess.CalledProcessError(retcode, cmd) return output diff --git a/certbot-postfix/certbot_postfix/util_test.py b/certbot-postfix/certbot_postfix/util_test.py index 95253e1fd..4a014ca9b 100644 --- a/certbot-postfix/certbot_postfix/util_test.py +++ b/certbot-postfix/certbot_postfix/util_test.py @@ -5,6 +5,98 @@ import unittest import mock +from certbot import errors + + +class PostfixUtilBaseTest(unittest.TestCase): + """Tests for certbot_postfix.util.PostfixUtilBase.""" + + @classmethod + def _create_object(cls, *args, **kwargs): + from certbot_postfix.util import PostfixUtilBase + return PostfixUtilBase(*args, **kwargs) + + @mock.patch('certbot_postfix.util.verify_exe_exists') + def test_no_exe(self, mock_verify): + expected_error = errors.NoInstallationError + mock_verify.side_effect = expected_error + self.assertRaises(expected_error, self._create_object, 'nonexistent') + + def test_object_creation(self): + with mock.patch('certbot_postfix.util.verify_exe_exists'): + self._create_object('existent') + + +class CheckAllOutputTest(unittest.TestCase): + """Tests for certbot_postfix.util.check_all_output.""" + + @classmethod + def _call(cls, *args, **kwargs): + from certbot_postfix.util import check_all_output + return check_all_output(*args, **kwargs) + + @mock.patch('certbot_postfix.util.logger') + @mock.patch('certbot_postfix.util.subprocess.Popen') + def test_command_error(self, mock_popen, mock_logger): + command = 'foo' + retcode = 42 + output = 'bar' + err = 'baz' + + mock_popen().communicate.return_value = (output, err) + mock_popen().poll.return_value = 42 + + self.assertRaises(subprocess.CalledProcessError, self._call, command) + log_args = mock_logger.debug.call_args[0] + for value in (command, retcode, output, err,): + self.assertTrue(value in log_args) + + @mock.patch('certbot_postfix.util.subprocess.Popen') + def test_success(self, mock_popen): + command = 'foo' + expected = ('bar', '') + mock_popen().communicate.return_value = expected + mock_popen().poll.return_value = 0 + + self.assertEqual(self._call(command), expected) + + def test_stdout_error(self): + self.assertRaises(ValueError, self._call, stdout=None) + + def test_stderr_error(self): + self.assertRaises(ValueError, self._call, stderr=None) + + def test_universal_newlines_error(self): + self.assertRaises(ValueError, self._call, universal_newlines=False) + + +class VerifyExeExistsTest(unittest.TestCase): + """Tests for certbot_postfix.util.verify_exe_exists.""" + + @classmethod + def _call(cls, *args, **kwargs): + from certbot_postfix.util import verify_exe_exists + return verify_exe_exists(*args, **kwargs) + + @mock.patch('certbot_postfix.util.certbot_util.exe_exists') + @mock.patch('certbot_postfix.util.plugins_util.path_surgery') + def test_failure(self, mock_exe_exists, mock_path_surgery): + mock_exe_exists.return_value = mock_path_surgery.return_value = False + self.assertRaises(errors.NoInstallationError, self._call, 'foo') + + @mock.patch('certbot_postfix.util.certbot_util.exe_exists') + def test_simple_success(self, mock_exe_exists): + mock_exe_exists.return_value = True + self._call('foo') + + @mock.patch('certbot_postfix.util.certbot_util.exe_exists') + @mock.patch('certbot_postfix.util.plugins_util.path_surgery') + def test_successful_surgery(self, mock_exe_exists, mock_path_surgery): + mock_exe_exists.return_value = False + mock_path_surgery.return_value = True + self._call('foo') + + class CheckCallTest(unittest.TestCase): """Tests for certbot_postfix.util.check_call.""" diff --git a/tools/venv.sh b/tools/venv.sh index 1533f0e1f..a623ec529 100755 --- a/tools/venv.sh +++ b/tools/venv.sh @@ -25,5 +25,6 @@ fi -e certbot-dns-rfc2136 \ -e certbot-dns-route53 \ -e certbot-nginx \ + -e certbot-postfix \ -e letshelp-certbot \ -e certbot-compatibility-test diff --git a/tools/venv3.sh b/tools/venv3.sh index da56c2249..602118004 100755 --- a/tools/venv3.sh +++ b/tools/venv3.sh @@ -23,5 +23,6 @@ fi -e certbot-dns-nsone \ -e certbot-dns-route53 \ -e certbot-nginx \ + -e certbot-postfix \ -e letshelp-certbot \ -e certbot-compatibility-test diff --git a/tox.cover.sh b/tox.cover.sh index fc0c9f476..4f6ea2dab 100755 --- a/tox.cover.sh +++ b/tox.cover.sh @@ -9,7 +9,7 @@ # -e makes sure we fail fast and don't submit coveralls submit if [ "xxx$1" = "xxx" ]; then - pkgs="certbot acme certbot_apache certbot_dns_cloudflare certbot_dns_cloudxns certbot_dns_digitalocean certbot_dns_dnsimple certbot_dns_dnsmadeeasy certbot_dns_google certbot_dns_luadns certbot_dns_nsone certbot_dns_rfc2136 certbot_dns_route53 certbot_nginx letshelp_certbot" + pkgs="certbot acme certbot_apache certbot_dns_cloudflare certbot_dns_cloudxns certbot_dns_digitalocean certbot_dns_dnsimple certbot_dns_dnsmadeeasy certbot_dns_google certbot_dns_luadns certbot_dns_nsone certbot_dns_rfc2136 certbot_dns_route53 certbot_nginx certbot_postfix letshelp_certbot" else pkgs="$@" fi @@ -43,6 +43,8 @@ cover () { min=99 elif [ "$1" = "certbot_nginx" ]; then min=97 + elif [ "$1" = "certbot_postfix" ]; then + min=100 elif [ "$1" = "letshelp_certbot" ]; then min=100 else diff --git a/tox.ini b/tox.ini index dee14b8b3..87eb77338 100644 --- a/tox.ini +++ b/tox.ini @@ -28,6 +28,7 @@ py26_packages = certbot-dns-rfc2136 \ certbot-dns-route53 \ certbot-nginx \ + certbot-postfix \ letshelp-certbot non_py26_packages = certbot-dns-cloudxns \ @@ -55,6 +56,7 @@ source_paths = certbot-dns-rfc2136/certbot_dns_rfc2136 certbot-dns-route53/certbot_dns_route53 certbot-nginx/certbot_nginx + certbot-postfix/certbot_postfix letshelp-certbot/letshelp_certbot tests/lock_test.py From 4ba153949de4fb6c4cfeda3d6400bf2bd6a33a73 Mon Sep 17 00:00:00 2001 From: Sydney Li Date: Wed, 14 Feb 2018 16:20:16 -0800 Subject: [PATCH 236/256] Fixing up postfix plugin - Finishing refactor of postconf/postfix command-line utilities - Plugin uses starttls_policy plugin to specify per-domain policies Cleaning up TLS policy code. Print warning when setting configuration parameter that is overridden by master. Update client to use new policy API Cleanup and test fixes Documentation fix smaller fixes Policy is now an enhancement and reverting works Added a README, and small documentation fixes throughout Moving testing infra from starttls repo to certbot-postfix fixing tests and lint Changes against new policy API starttls-everywhere => starttls-policy testing(postfix): Added more varieties of certificates to test against. Moar fixes against policy API. Address comments on README and setup.py Address small comments on postconf and util Address comments in installer Python 3 fixes and Postconf tester extends TempDir test class Mock out postconf calls from tests and test coverage for master overrides More various fixes. Everything minus testing done Remove STARTTLS policy enhancement from this branch. sphinx quickstart 99% test coverage some cleanup and testfixing cleanup leftover files Remove print statement testfix for python 3.4 Revert dockerfile change mypy fix fix(postfix): brad's comments test(postfix): coverage to 100 test(postfix): mypy import mypy types fix(postfix docs): add .rst files and fix build fix(postfix): tls_only and server_only params behave nicely together some cleanup lint fix more comments bump version number --- certbot-postfix/MANIFEST.in | 2 + certbot-postfix/README.rst | 9 + certbot-postfix/certbot_postfix/constants.py | 63 +++ certbot-postfix/certbot_postfix/installer.py | 434 ++++++------------ .../certbot_postfix/installer_test.py | 351 -------------- certbot-postfix/certbot_postfix/postconf.py | 172 +++++-- .../certbot_postfix/tests/__init__.py | 1 + .../certbot_postfix/tests/installer_test.py | 314 +++++++++++++ .../certbot_postfix/tests/postconf_test.py | 107 +++++ .../certbot_postfix/tests/util_test.py | 205 +++++++++ certbot-postfix/certbot_postfix/util.py | 231 +++++++--- certbot-postfix/certbot_postfix/util_test.py | 165 ------- certbot-postfix/docs/.gitignore | 1 + certbot-postfix/docs/Makefile | 20 + certbot-postfix/docs/api.rst | 8 + certbot-postfix/docs/api/installer.rst | 5 + certbot-postfix/docs/api/postconf.rst | 5 + certbot-postfix/docs/conf.py | 190 ++++++++ certbot-postfix/docs/index.rst | 28 ++ certbot-postfix/docs/make.bat | 36 ++ certbot-postfix/local-oldest-requirements.txt | 2 + certbot-postfix/setup.py | 24 +- certbot/constants.py | 2 +- certbot/plugins/disco.py | 1 + 24 files changed, 1438 insertions(+), 938 deletions(-) create mode 100644 certbot-postfix/certbot_postfix/constants.py delete mode 100644 certbot-postfix/certbot_postfix/installer_test.py create mode 100644 certbot-postfix/certbot_postfix/tests/__init__.py create mode 100644 certbot-postfix/certbot_postfix/tests/installer_test.py create mode 100644 certbot-postfix/certbot_postfix/tests/postconf_test.py create mode 100644 certbot-postfix/certbot_postfix/tests/util_test.py delete mode 100644 certbot-postfix/certbot_postfix/util_test.py create mode 100644 certbot-postfix/docs/.gitignore create mode 100644 certbot-postfix/docs/Makefile create mode 100644 certbot-postfix/docs/api.rst create mode 100644 certbot-postfix/docs/api/installer.rst create mode 100644 certbot-postfix/docs/api/postconf.rst create mode 100644 certbot-postfix/docs/conf.py create mode 100644 certbot-postfix/docs/index.rst create mode 100644 certbot-postfix/docs/make.bat create mode 100644 certbot-postfix/local-oldest-requirements.txt diff --git a/certbot-postfix/MANIFEST.in b/certbot-postfix/MANIFEST.in index 97e2ad3df..273381403 100644 --- a/certbot-postfix/MANIFEST.in +++ b/certbot-postfix/MANIFEST.in @@ -1,2 +1,4 @@ include LICENSE.txt include README.rst +recursive-include certbot_postfix/testdata * +recursive-include certbot_postfix/docs * diff --git a/certbot-postfix/README.rst b/certbot-postfix/README.rst index ee88648d3..78fd9a421 100644 --- a/certbot-postfix/README.rst +++ b/certbot-postfix/README.rst @@ -1 +1,10 @@ +========================== Postfix plugin for Certbot +========================== + +To install your certs with this plugin, run: + +``certbot install --installer postfix --cert-path --key-path -d `` + +And there you go! If you'd like to obtain these certificates via certbot, there's more documentation on how to do this `here `_. + diff --git a/certbot-postfix/certbot_postfix/constants.py b/certbot-postfix/certbot_postfix/constants.py new file mode 100644 index 000000000..40a263a53 --- /dev/null +++ b/certbot-postfix/certbot_postfix/constants.py @@ -0,0 +1,63 @@ +"""Postfix plugin constants.""" + +# pylint: disable=unused-import, no-name-in-module +from acme.magic_typing import Dict, Tuple, Union +# pylint: enable=unused-import, no-name-in-module + +MINIMUM_VERSION = (2, 11,) + +# If the value of a default VAR is a tuple, then the values which +# come LATER in the tuple are more strict/more secure. +# Certbot will default to the first value in the tuple, but will +# not override "more secure" settings. + +ACCEPTABLE_SERVER_SECURITY_LEVELS = ("may", "encrypt") +ACCEPTABLE_CLIENT_SECURITY_LEVELS = ("may", "encrypt", + "dane", "dane-only", + "fingerprint", + "verify", "secure") +ACCEPTABLE_CIPHER_LEVELS = ("medium", "high") + +# Exporting certain ciphers to prevent logjam: https://weakdh.org/sysadmin.html +EXCLUDE_CIPHERS = ("aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, " + "EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, KRB5-DES, CBC3-SHA",) + + +TLS_VERSIONS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2") +# Should NOT use SSLv2/3. +ACCEPTABLE_TLS_VERSIONS = ("TLSv1", "TLSv1.1", "TLSv1.2") + +# Variables associated with enabling opportunistic TLS. +TLS_SERVER_VARS = { + "smtpd_tls_security_level": ACCEPTABLE_SERVER_SECURITY_LEVELS, +} # type:Dict[str, Tuple[str, ...]] +TLS_CLIENT_VARS = { + "smtp_tls_security_level": ACCEPTABLE_CLIENT_SECURITY_LEVELS, +} # type:Dict[str, Tuple[str, ...]] +# Default variables for a secure MTA server [receiver]. +DEFAULT_SERVER_VARS = { + "smtpd_tls_auth_only": ("yes",), + "smtpd_tls_mandatory_protocols": ("!SSLv2, !SSLv3",), + "smtpd_tls_protocols": ("!SSLv2, !SSLv3",), + "smtpd_tls_ciphers": ACCEPTABLE_CIPHER_LEVELS, + "smtpd_tls_mandatory_ciphers": ACCEPTABLE_CIPHER_LEVELS, + "smtpd_tls_exclude_ciphers": EXCLUDE_CIPHERS, + "smtpd_tls_eecdh_grade": ("strong",), +} # type:Dict[str, Tuple[str, ...]] + +# Default variables for a secure MTA client [sender]. +DEFAULT_CLIENT_VARS = { + "smtp_tls_ciphers": ACCEPTABLE_CIPHER_LEVELS, + "smtp_tls_exclude_ciphers": EXCLUDE_CIPHERS, + "smtp_tls_mandatory_ciphers": ACCEPTABLE_CIPHER_LEVELS, +} # type:Dict[str, Tuple[str, ...]] + +CLI_DEFAULTS = dict( + config_dir="/etc/postfix", + ctl="postfix", + config_utility="postconf", + tls_only=False, + ignore_master_overrides=False, + server_only=False, +) +"""CLI defaults.""" diff --git a/certbot-postfix/certbot_postfix/installer.py b/certbot-postfix/certbot_postfix/installer.py index 387f01051..9ba92ef8f 100644 --- a/certbot-postfix/certbot_postfix/installer.py +++ b/certbot-postfix/certbot_postfix/installer.py @@ -1,127 +1,139 @@ -"""Certbot installer plugin for Postfix.""" +"""certbot installer plugin for postfix.""" import logging import os -import subprocess import zope.interface +import zope.component +import six from certbot import errors from certbot import interfaces from certbot import util as certbot_util from certbot.plugins import common as plugins_common -from certbot.plugins import util as plugins_util +from certbot_postfix import constants +from certbot_postfix import postconf from certbot_postfix import util +# pylint: disable=unused-import, no-name-in-module +from acme.magic_typing import Callable, Dict, List +# pylint: enable=unused-import, no-name-in-module logger = logging.getLogger(__name__) - @zope.interface.implementer(interfaces.IInstaller) @zope.interface.provider(interfaces.IPluginFactory) class Installer(plugins_common.Installer): """Certbot installer plugin for Postfix. :ivar str config_dir: Postfix configuration directory to modify - :ivar dict proposed_changes: configuration parameters and values to - be written to the Postfix config when save() is called :ivar list save_notes: documentation for proposed changes. This is cleared and stored in Certbot checkpoints when save() is called + :ivar postconf: Wrapper for Postfix configuration command-line tool. + :type postconf: :class: `certbot_postfix.postconf.ConfigMain` + :ivar postfix: Wrapper for Postfix command-line tool. + :type postfix: :class: `certbot_postfix.util.PostfixUtil` """ description = "Configure TLS with the Postfix MTA" @classmethod def add_parser_arguments(cls, add): - add("ctl", default="postfix", + add("ctl", default=constants.CLI_DEFAULTS["ctl"], help="Path to the 'postfix' control program.") - add("config-dir", help="Path to the directory containing the " + # This directory points to Postfix's configuration directory. + add("config-dir", default=constants.CLI_DEFAULTS["config_dir"], + help="Path to the directory containing the " "Postfix main.cf file to modify instead of using the " "default configuration paths.") - add("config-utility", default="postconf", + add("config-utility", default=constants.CLI_DEFAULTS["config_utility"], help="Path to the 'postconf' executable.") + add("tls-only", action="store_true", default=constants.CLI_DEFAULTS["tls_only"], + help="Only set params to enable opportunistic TLS and install certificates.") + add("server-only", action="store_true", default=constants.CLI_DEFAULTS["server_only"], + help="Only set server params (prefixed with smtpd*)") + add("ignore-master-overrides", action="store_true", + default=constants.CLI_DEFAULTS["ignore_master_overrides"], + help="Ignore errors reporting overridden TLS parameters in master.cf.") def __init__(self, *args, **kwargs): super(Installer, self).__init__(*args, **kwargs) - self.config_dir = None - self.proposed_changes = {} - self.save_notes = [] + # Wrapper around postconf commands + self.postfix = None + self.postconf = None + + # Files to save + self.save_notes = [] # type: List[str] + + self._enhance_func = {} # type: Dict[str, Callable[[str, str], None]] + # Since we only need to enable TLS once for all domains, + # keep track of whether this enhancement was already called. + self._tls_enabled = False def prepare(self): """Prepare the installer. - Finish up any additional initialization. - :raises errors.PluginError: when an unexpected error occurs :raises errors.MisconfigurationError: when the config is invalid :raises errors.NoInstallationError: when can't find installation :raises errors.NotSupportedError: when version is not supported - """ + # Verify postfix and postconf are installed for param in ("ctl", "config_utility",): - self._verify_executable_is_available(param) - self._set_config_dir() - self._check_version() - self.config_test() - self._lock_config_dir() - - def _verify_executable_is_available(self, config_name): - """Asserts the program in the specified config param is found. - - :param str config_name: name of the config param - - :raises .NoInstallationError: when the executable isn't found - - """ - if not certbot_util.exe_exists(self.conf(config_name)): - if not plugins_util.path_surgery(self.conf(config_name)): - raise errors.NoInstallationError( + util.verify_exe_exists(self.conf(param), "Cannot find executable '{0}'. You can provide the " "path to this command with --{1}".format( - self.conf(config_name), - self.option_name(config_name))) + self.conf(param), + self.option_name(param))) - def _set_config_dir(self): - """Ensure self.config_dir is set to the correct path. + # Set up CLI tools + self.postfix = util.PostfixUtil(self.conf('config-dir')) + self.postconf = postconf.ConfigMain(self.conf('config-utility'), + self.conf('ignore-master-overrides'), + self.conf('config-dir')) - If the configuration directory to use was set by the user, we'll - use that value, otherwise, we'll find the default path using - 'postconf'. + # Ensure current configuration is valid. + self.config_test() + # Check Postfix version + self._check_version() + self._lock_config_dir() + self.install_ssl_dhparams() + + def config_test(self): + """Test to see that the current Postfix configuration is valid. + + :raises errors.MisconfigurationError: If the configuration is invalid. """ - if self.conf("config-dir") is None: - self.config_dir = self._get_config_var("config_directory") - else: - self.config_dir = self.conf("config-dir") + self.postfix.test() def _check_version(self): """Verifies that the installed Postfix version is supported. :raises errors.NotSupportedError: if the version is unsupported - """ - if self._get_version() < (2, 6,): - raise errors.NotSupportedError('Postfix version is too old') + if self._get_version() < constants.MINIMUM_VERSION: + version_string = '.'.join([str(n) for n in constants.MINIMUM_VERSION]) + raise errors.NotSupportedError('Postfix version must be at least %s' % version_string) def _lock_config_dir(self): """Stop two Postfix plugins from modifying the config at once. :raises .PluginError: if unable to acquire the lock - """ try: - certbot_util.lock_dir_until_exit(self.config_dir) + certbot_util.lock_dir_until_exit(self.conf('config-dir')) except (OSError, errors.LockError): logger.debug("Encountered error:", exc_info=True) raise errors.PluginError( - "Unable to lock %s", self.config_dir) + "Unable to lock %s" % self.conf('config-dir')) def more_info(self): - """Human-readable string to help the user. - Should describe the steps taken and any relevant info to help the user - decide which plugin to use. - :rtype str: + """Human-readable string to help the user. Describes steps taken and any relevant + info to help the user decide which plugin to use. + + :rtype: str """ return ( "Configures Postfix to try to authenticate mail servers, use " @@ -129,22 +141,19 @@ class Installer(plugins_common.Installer): "Server root: {root}{0}" "Version: {version}".format( os.linesep, - root=self.config_dir, + root=self.conf('config-dir'), version='.'.join([str(i) for i in self._get_version()])) ) def _get_version(self): - """Return the mail version of Postfix. - - Version is returned as a tuple. (e.g. '2.11.3' is (2, 11, 3)) + """Return the version of Postfix, as a tuple. (e.g. '2.11.3' is (2, 11, 3)) :returns: version :rtype: tuple - :raises .PluginError: Unable to find Postfix version. - + :raises errors.PluginError: Unable to find Postfix version. """ - mail_version = self._get_config_default("mail_version") + mail_version = self.postconf.get_default("mail_version") return tuple(int(i) for i in mail_version.split('.')) def get_all_names(self): @@ -153,9 +162,34 @@ class Installer(plugins_common.Installer): :rtype: `set` of `str` """ - return set(self._get_config_var(var) + return certbot_util.get_filtered_names(self.postconf.get(var) for var in ('mydomain', 'myhostname', 'myorigin',)) + def _set_vars(self, var_dict): + """Sets all parameters in var_dict to config file. If current value is already set + as more secure (acceptable), then don't set/overwrite it. + """ + for param, acceptable in six.iteritems(var_dict): + if not util.is_acceptable_value(param, self.postconf.get(param), acceptable): + self.postconf.set(param, acceptable[0], acceptable) + + def _confirm_changes(self): + """Confirming outstanding updates for configuration parameters. + + :raises errors.PluginError: when user rejects the configuration changes. + """ + updates = self.postconf.get_changes() + output_string = "Postfix TLS configuration parameters to update in main.cf:\n" + for name, value in six.iteritems(updates): + output_string += "{0} = {1}\n".format(name, value) + output_string += "Is this okay?\n" + if not zope.component.getUtility(interfaces.IDisplay).yesno(output_string, + force_interactive=True, default=True): + raise errors.PluginError( + "Manually rejected configuration changes.\n" + "Try using --tls-only or --server-only to change a particular" + "subset of configuration parameters.") + def deploy_cert(self, domain, cert_path, key_path, chain_path, fullchain_path): """Configure the Postfix SMTP server to use the given TLS cert. @@ -171,22 +205,26 @@ class Installer(plugins_common.Installer): """ # pylint: disable=unused-argument + if self._tls_enabled: + return + self._tls_enabled = True self.save_notes.append("Configuring TLS for {0}".format(domain)) - self._set_config_var("smtpd_tls_cert_file", fullchain_path) - self._set_config_var("smtpd_tls_key_file", key_path) - self._set_config_var("smtpd_tls_mandatory_protocols", "!SSLv2, !SSLv3") - self._set_config_var("smtpd_tls_protocols", "!SSLv2, !SSLv3") - - # Don't configure opportunistic TLS if it's currently mandatory - if self._get_config_var("smtpd_tls_security_level") != "encrypt": - self._set_config_var("smtpd_tls_security_level", "may") + self.postconf.set("smtpd_tls_cert_file", cert_path) + self.postconf.set("smtpd_tls_key_file", key_path) + self._set_vars(constants.TLS_SERVER_VARS) + if not self.conf('server_only'): + self._set_vars(constants.TLS_CLIENT_VARS) + if not self.conf('tls_only'): + self._set_vars(constants.DEFAULT_SERVER_VARS) + if not self.conf('server_only'): + self._set_vars(constants.DEFAULT_CLIENT_VARS) + # Despite the name, this option also supports 2048-bit DH params. + # http://www.postfix.org/FORWARD_SECRECY_README.html#server_fs + self.postconf.set("smtpd_tls_dh1024_param_file", self.ssl_dhparams) + self._confirm_changes() def enhance(self, domain, enhancement, options=None): - """Raises an exception for request for unsupported enhancement. - - :raises .PluginError: this is always raised as no enhancements - are currently supported - + """Raises an exception since this installer doesn't support any enhancements. """ # pylint: disable=unused-argument raise errors.PluginError( @@ -211,248 +249,40 @@ class Installer(plugins_common.Installer): be quickly reversed in the future (challenges) :raises errors.PluginError: when save is unsuccessful - """ - if self.proposed_changes: - save_files = set((os.path.join(self.config_dir, "main.cf"),)) - self.add_to_checkpoint(save_files, - "\n".join(self.save_notes), temporary) - self._write_config_changes() - self.proposed_changes.clear() + save_files = set((os.path.join(self.conf('config-dir'), "main.cf"),)) + self.add_to_checkpoint(save_files, + "\n".join(self.save_notes), temporary) + self.postconf.flush() del self.save_notes[:] if title and not temporary: self.finalize_checkpoint(title) - def config_test(self): - """Make sure the configuration is valid. + def recovery_routine(self): + super(Installer, self).recovery_routine() + self.postconf = postconf.ConfigMain(self.conf('config-utility'), + self.conf('ignore-master-overrides'), + self.conf('config-dir')) - :raises .MisconfigurationError: if the config is invalid + def rollback_checkpoints(self, rollback=1): + """Rollback saved checkpoints. + :param int rollback: Number of checkpoints to revert + + :raises .errors.PluginError: If there is a problem with the input or + the function is unable to correctly revert the configuration """ - try: - self._run_postfix_subcommand("check") - except subprocess.CalledProcessError: - raise errors.MisconfigurationError( - "Postfix failed internal configuration check.") + super(Installer, self).rollback_checkpoints(rollback) + self.postconf = postconf.ConfigMain(self.conf('config-utility'), + self.conf('ignore-master-overrides'), + self.conf('config-dir')) def restart(self): """Restart or refresh the server content. :raises .PluginError: when server cannot be restarted - """ - logger.info("Reloading Postfix configuration...") - if self._is_postfix_running(): - self._reload() - else: - self._start() + self.postfix.restart() - def _is_postfix_running(self): - """Is Postfix currently running? - - Uses the 'postfix status' command to determine if Postfix is - currently running using the specified configuration files. - - :returns: True if Postfix is running, otherwise, False - :rtype: bool - - """ - try: - self._run_postfix_subcommand("status") - except subprocess.CalledProcessError: - return False - return True - - def _reload(self): - """Instructions Postfix to reload its configuration. - - If Postfix isn't currently running, this method will fail. - - :raises .PluginError: when Postfix cannot reload - - """ - try: - self._run_postfix_subcommand("reload") - except subprocess.CalledProcessError: - raise errors.PluginError( - "Postfix failed to reload its configuration.") - - def _start(self): - """Instructions Postfix to start running. - - :raises .PluginError: when Postfix cannot start - - """ - try: - self._run_postfix_subcommand("start") - except subprocess.CalledProcessError: - raise errors.PluginError("Postfix failed to start") - - def _run_postfix_subcommand(self, subcommand): - """Runs a subcommand of the 'postfix' control program. - - If the command fails, the exception is logged at the DEBUG - level. - - :param str subcommand: subcommand to run - - :raises subprocess.CalledProcessError: if the command fails - - """ - cmd = [self.conf("ctl")] - if self.conf("config-dir") is not None: - cmd.extend(("-c", self.conf("config-dir"),)) - cmd.append(subcommand) - - util.check_call(cmd) - - def _get_config_default(self, name): - """Return the default value of the specified config parameter. - - :param str name: name of the Postfix config default to return - - :returns: default for the specified configuration parameter if it - exists, otherwise, None - :rtype: str or types.NoneType - - :raises errors.PluginError: if an error occurs while running postconf - or parsing its output - - """ - try: - return self._get_value_from_postconf(("-d", name,)) - except (subprocess.CalledProcessError, errors.PluginError): - raise errors.PluginError("Unable to determine the default value of" - " the Postfix parameter {0}".format(name)) - - def _get_config_var(self, name): - """Return the value of the specified Postfix config parameter. - - If there is an unsaved change modifying the value of the - specified config parameter, the value after this proposed change - is returned rather than the current value. If the value is - unset, `None` is returned. - - :param str name: name of the Postfix config parameter to return - - :returns: value of the parameter included in postconf_args - :rtype: str or types.NoneType - - :raises errors.PluginError: if an error occurs while running postconf - or parsing its output - - """ - if name in self.proposed_changes: - return self.proposed_changes[name] - - try: - return self._get_value_from_postconf((name,)) - except (subprocess.CalledProcessError, errors.PluginError): - raise errors.PluginError("Unable to determine the value of" - " the Postfix parameter {0}".format(name)) - - def _set_config_var(self, name, value): - """Set the Postfix config parameter name to value. - - This method only stores the requested change in memory. The - Postfix configuration is not modified until save() is called. - If there's already an identical in progress change or the - Postfix configuration parameter already has the specified value, - no changes are made. - - :param str name: name of the Postfix config parameter - :param str value: value to set the Postfix config parameter to - - """ - if self._get_config_var(name) != value: - self.proposed_changes[name] = value - self.save_notes.append("\t* Set {0} to {1}".format(name, value)) - - def _write_config_changes(self): - """Write proposed changes to the Postfix config. - - :raises errors.PluginError: if an error occurs - - """ - try: - self._run_postconf_command( - "{0}={1}".format(name, value) - for name, value in self.proposed_changes.items()) - except subprocess.CalledProcessError: - raise errors.PluginError( - "An error occurred while updating your Postfix config.") - - def _get_value_from_postconf(self, postconf_args): - """Runs postconf and extracts the specified config value. - - It is assumed that the name of the Postfix config parameter to - parse from the output is the last value in postconf_args. If the - value is unset, `None` is returned. If an error occurs, the - relevant information is logged before an exception is raised. - - :param collections.Iterable args: arguments to postconf - - :returns: value of the parameter included in postconf_args - :rtype: str or types.NoneType - - :raises errors.PluginError: if unable to parse postconf output - :raises subprocess.CalledProcessError: if postconf fails - - """ - name = postconf_args[-1] - output = self._run_postconf_command(postconf_args) - - try: - return self._parse_postconf_output(output, name) - except errors.PluginError: - logger.debug("An error occurred while parsing postconf output", - exc_info=True) - raise - - def _run_postconf_command(self, args): - """Runs a postconf command using the selected config. - - If postconf exits with a nonzero status, the error is logged - before an exception is raised. - - :param collections.Iterable args: additional arguments to postconf - - :returns: stdout output of postconf - :rtype: str - - :raises subprocess.CalledProcessError: if the command fails - - """ - - cmd = [self.conf("config-utility")] - if self.conf("config-dir") is not None: - cmd.extend(("-c", self.conf("config-dir"),)) - cmd.extend(args) - - return util.check_output(cmd) - - def _parse_postconf_output(self, output, name): - """Parses postconf output and returns the specified value. - - If the specified Postfix parameter is unset, `None` is returned. - It is assumed that most one configuration parameter will be - included in the given output. - - :param str output: output from postconf - :param str name: name of the Postfix config parameter to obtain - - :returns: value of the parameter included in postconf_args - :rtype: str or types.NoneType - - :raises errors.PluginError: if unable to parse postconf ouput - - """ - expected_prefix = name + " =" - if output.count("\n") != 1 or not output.startswith(expected_prefix): - raise errors.PluginError( - "Unexpected output '{0}' from postconf".format(output)) - - value = output[len(expected_prefix):].strip() - return value if value else None diff --git a/certbot-postfix/certbot_postfix/installer_test.py b/certbot-postfix/certbot_postfix/installer_test.py deleted file mode 100644 index c57eda746..000000000 --- a/certbot-postfix/certbot_postfix/installer_test.py +++ /dev/null @@ -1,351 +0,0 @@ -"""Tests for certbot_postfix.installer.""" -import functools -import os -import subprocess -import unittest - -import mock - -from certbot import errors -from certbot.tests import util as certbot_test_util - - -class InstallerTest(certbot_test_util.ConfigTestCase): - # pylint: disable=too-many-public-methods - - def setUp(self): - super(InstallerTest, self).setUp() - self.config.postfix_ctl = "postfix" - self.config.postfix_config_dir = self.tempdir - self.config.postfix_config_utility = "postconf" - self.mock_postfix = MockPostfix(self.tempdir, - {"mail_version": "3.1.4"}) - - def test_add_parser_arguments(self): - options = set(('ctl', 'config-dir', 'config-utility',)) - mock_add = mock.MagicMock() - - from certbot_postfix import installer - installer.Installer.add_parser_arguments(mock_add) - - for call in mock_add.call_args_list: - self.assertTrue(call[0][0] in options) - - def test_no_postconf_prepare(self): - installer = self._create_installer() - - installer_path = "certbot_postfix.installer" - exe_exists_path = installer_path + ".certbot_util.exe_exists" - path_surgery_path = installer_path + ".plugins_util.path_surgery" - - with mock.patch(path_surgery_path, return_value=False): - with mock.patch(exe_exists_path, return_value=False): - self.assertRaises(errors.NoInstallationError, - installer.prepare) - - def test_postconf_error(self): - installer = self._create_installer() - - check_output_path = "certbot_postfix.installer.util.check_output" - exe_exists_path = "certbot_postfix.installer.certbot_util.exe_exists" - with mock.patch(check_output_path) as mock_check_output: - mock_check_output.side_effect = subprocess.CalledProcessError(42, - "a") - with mock.patch(exe_exists_path, return_value=True): - self.assertRaises(errors.PluginError, installer.prepare) - - def test_unexpected_postconf(self): - installer = self._create_installer() - - check_output_path = "certbot_postfix.installer.util.check_output" - exe_exists_path = "certbot_postfix.installer.certbot_util.exe_exists" - with mock.patch(check_output_path) as mock_check_output: - mock_check_output.return_value = "foobar" - with mock.patch(exe_exists_path, return_value=True): - self.assertRaises(errors.PluginError, installer.prepare) - - def test_set_config_dir(self): - self.config.postfix_config_dir = os.path.join(self.tempdir, "subdir") - os.mkdir(self.config.postfix_config_dir) - installer = self._create_installer() - - expected = self.config.postfix_config_dir - self.config.postfix_config_dir = None - - self.mock_postfix.set_value("config_directory", expected) - exe_exists_path = "certbot_postfix.installer.certbot_util.exe_exists" - with mock.patch(exe_exists_path, return_value=True): - self._mock_postfix_and_call(installer.prepare) - self.assertEqual(installer.config_dir, expected) - - @mock.patch("certbot_postfix.installer.certbot_util.exe_exists") - def test_old_version(self, mock_exe_exists): - installer = self._create_installer() - mock_exe_exists.return_value = True - self.mock_postfix.set_value("mail_version", "0.0.1") - self._mock_postfix_and_call( - self.assertRaises, errors.NotSupportedError, installer.prepare) - - def test_lock_error(self): - assert_raises = functools.partial(self.assertRaises, - errors.PluginError, - self._create_prepared_installer) - certbot_test_util.lock_and_call(assert_raises, self.tempdir) - - def test_more_info(self): - installer = self._create_prepared_installer() - version = "3.1.2" - self.mock_postfix.set_value("mail_version", version) - - output = self._mock_postfix_and_call(installer.more_info) - self.assertTrue("Postfix" in output) - self.assertTrue(self.tempdir in output) - self.assertTrue(version in output) - - def test_get_all_names(self): - config = {"mydomain": "example.org", - "myhostname": "mail.example.org", - "myorigin": "example.org"} - for name, value in config.items(): - self.mock_postfix.set_value(name, value) - - installer = self._create_prepared_installer() - result = self._mock_postfix_and_call(installer.get_all_names) - self.assertEqual(result, set(config.values())) - - def test_deploy(self): - installer = self._create_prepared_installer() - - def deploy_cert(domain): - """Calls deploy_cert for the given domain. - - :param str domain: domain to deploy cert for - - """ - installer.deploy_cert(domain, "foo", "bar", "baz", "qux") - - self._mock_postfix_and_call(deploy_cert, "example.org") - # No calls to postconf are expected so mock isn't needed - deploy_cert("mail.example.org") - - def test_deploy_and_save(self): - self._test_deploy_and_save_common({"smtpd_tls_security_level": "may"}) - - def test_deploy_and_save2(self): - self.mock_postfix.set_value("smtpd_tls_security_level", "encrypt") - self._test_deploy_and_save_common({"smtpd_tls_security_level": - "encrypt"}) - - def _test_deploy_and_save_common(self, expected_config): - key_path = "key_path" - fullchain_path = "fullchain_path" - installer = self._create_prepared_installer() - - for i, domain in enumerate(("example.org", "mail.example.org",)): - self._mock_postfix_and_call( - installer.deploy_cert, domain, "unused", - key_path, "unused", fullchain_path) - if i: - # No mock because Postfix utilities aren't expected to be used - installer.save("noop") - else: - self._mock_postfix_and_call(installer.save, "real save") - - expected_config.setdefault("smtpd_tls_cert_file", fullchain_path) - expected_config.setdefault("smtpd_tls_key_file", key_path) - for key, value in expected_config.items(): - self.assertEqual(self.mock_postfix.get_value(key), value) - - def test_save_error(self): - installer = self._create_prepared_installer() - self._mock_postfix_and_call( - installer.deploy_cert, "example.org", "foo", "bar", "baz", "qux") - - check_call_path = "certbot_postfix.installer.util.check_output" - with mock.patch(check_call_path) as mock_check_call: - mock_check_call.side_effect = subprocess.CalledProcessError(42, - "foo") - self.assertRaises(errors.PluginError, installer.save) - - def test_enhance(self): - self.assertRaises(errors.PluginError, - self._create_prepared_installer().enhance, - "example.org", "redirect") - - def test_supported_enhancements(self): - self.assertEqual( - self._create_prepared_installer().supported_enhancements(), []) - - @mock.patch("certbot_postfix.installer.subprocess.check_call") - def test_config_test_failure(self, mock_check_call): - installer = self._create_prepared_installer() - mock_check_call.side_effect = subprocess.CalledProcessError(42, "foo") - self.assertRaises(errors.MisconfigurationError, installer.config_test) - - @mock.patch("certbot_postfix.installer.subprocess.check_call") - def test_postfix_reload_failure(self, mock_check_call): - installer = self._create_prepared_installer() - mock_check_call.side_effect = [ - None, subprocess.CalledProcessError(42, "foo") - ] - self.assertRaises(errors.PluginError, installer.restart) - - def test_postfix_reload_success(self): - with mock.patch("certbot_postfix.installer.subprocess.check_call"): - installer = self._create_prepared_installer() - installer.restart() - - @mock.patch("certbot_postfix.installer.subprocess.check_call") - def test_postfix_start_failure(self, mock_check_call): - installer = self._create_prepared_installer() - mock_check_call.side_effect = subprocess.CalledProcessError(42, "foo") - self.assertRaises(errors.PluginError, installer.restart) - - @mock.patch("certbot_postfix.installer.subprocess.check_call") - def test_postfix_start_success(self, mock_check_call): - installer = self._create_prepared_installer() - mock_check_call.side_effect = [ - subprocess.CalledProcessError(42, "foo"), None - ] - installer.restart() - - def _create_prepared_installer(self): - """Creates and returns a new prepared Postfix Installer. - - Calls in prepare() are mocked out so the Postfix version check - is successful. - - :returns: a prepared Postfix installer - :rtype: certbot_postfix.installer.Installer - - """ - installer = self._create_installer() - - exe_exists_path = "certbot_postfix.installer.certbot_util.exe_exists" - with mock.patch(exe_exists_path, return_value=True): - self._mock_postfix_and_call(installer.prepare) - - return installer - - def _create_installer(self): - """Creates and returns a new Postfix Installer. - - :returns: a new Postfix installer - :rtype: certbot_postfix.installer.Installer - - """ - name = "postfix" - - from certbot_postfix import installer - return installer.Installer(self.config, name) - - def _mock_postfix_and_call(self, func, *args, **kwargs): - """Calls func with mocked responses from Postfix utilities. - - :param callable func: function to call with mocked args - :param tuple args: positional arguments to func - :param dict kwargs: keyword arguments to func - - :returns: the return value of func - - """ - check_call_path = "certbot_postfix.installer.subprocess.check_call" - check_output_path = "certbot_postfix.installer.util.check_output" - - with mock.patch(check_call_path) as mock_check_call: - mock_check_call.side_effect = self.mock_postfix - with mock.patch(check_output_path) as mock_check_output: - mock_check_output.side_effect = self.mock_postfix - return func(*args, **kwargs) - - -class MockPostfix(object): - """A callable to mimic Postfix command line utilities. - - This is best used a side effect to a mock object. All calls to - 'postfix' are noops. For calls to 'postconf', values that are set in - the constructor or through mocked out runs of postconf are - remembered and properly returned if the installer attempts to fetch - the value. If the Postfix installer attempts to obtain a value that - hasn't yet been set, a dummy value is returned. - - :ivar str config_path: path to Postfix main.cf file - - """ - def __init__(self, config_dir, initial_values): - """Create Postfix configuration. - - :param str config_dir: path for Postfix config dir - :param dict initial_values: initial Postfix config values - - """ - initial_values["config_directory"] = config_dir - - self.config_path = os.path.join(config_dir, "main.cf") - self._write_config(initial_values) - - def __call__(self, args, *unused_args, **unused_kwargs): - cmd = os.path.basename(args[0]) - if cmd == "postfix": - return - elif cmd != "postconf": # pragma: no cover - assert False, "Unexpected command '{0}'".format(''.join(args)) - - output = [] - - skip = False - for arg in args[1:]: - if skip: - skip = False - elif arg[0] == "-": - if arg == "-c": - skip = True - elif "=" in arg: - name, _, value = arg.partition("=") - self.set_value(name, value) - else: - output.append("{0} = {1}\n".format(arg, self.get_value(arg))) - - return "\n".join(output) - - def get_value(self, name): - """Returns the value for the Postfix config parameter name. - - If the value isn't set, an empty string is returned. - - :param str name: name of the Postfix config parameter - - :returns: value of the named parameter - :rtype: str - - """ - return self._read_config().get(name, "") - - def set_value(self, name, value): - """Sets the value for a Postfix config parameter. - - :param str name: name of the Postfix config parameter - :param str value: value ot set the parameter to - - """ - config = self._read_config() - config[name] = value - self._write_config(config) - - def _read_config(self): - config = {} - with open(self.config_path) as f: - for line in f: - key, _, value = line.strip().partition(" = ") - config[key] = value - - return config - - def _write_config(self, config): - with open(self.config_path, "w") as f: - f.writelines("{0} = {1}\n".format(key, value) - for key, value in config.items()) - - -if __name__ == '__main__': - unittest.main() # pragma: no cover diff --git a/certbot-postfix/certbot_postfix/postconf.py b/certbot-postfix/certbot_postfix/postconf.py index 7738562dd..466e0e63e 100644 --- a/certbot-postfix/certbot_postfix/postconf.py +++ b/certbot-postfix/certbot_postfix/postconf.py @@ -1,62 +1,152 @@ """Classes that wrap the postconf command line utility. - -These classes allow you to interact with a Postfix config like it is a -dictionary, with the getting and setting of values in the config being -handled automatically by the class. - """ -import collections - +import six +from certbot import errors from certbot_postfix import util +# pylint: disable=unused-import, no-name-in-module +from acme.magic_typing import Dict, List, Tuple +# pylint: enable=unused-import, no-name-in-module -class ReadOnlyMainMap(util.PostfixUtilBase, collections.Mapping): - """A read-only view of a Postfix main.cf file.""" +class ConfigMain(util.PostfixUtilBase): + """A parser for Postfix's main.cf file.""" - _modifiers = None - """An iterable containing additional CLI flags for postconf.""" - - def __getitem__(self, name): - return next(_parse_main_output(self._get_output([name])))[1] - - def __iter__(self): - for name, _ in _parse_main_output(self._get_output()): - yield name - - def __len__(self): - return sum(1 for _ in _parse_main_output(self._get_output())) - - def _call(self, extra_args=None): - """Runs Postconf and returns the result. - - If self._modifiers is set, it is provided on the command line to - postconf before any values in extra_args. - - :param list extra_args: additional arguments for the command - - :returns: data written to stdout and stderr - :rtype: `tuple` of `str` - - :raises subprocess.CalledProcessError: if the command fails + def __init__(self, executable, ignore_master_overrides=False, config_dir=None): + super(ConfigMain, self).__init__(executable, config_dir) + # Whether to ignore overrides from master. + self._ignore_master_overrides = ignore_master_overrides + # List of all current Postfix parameters, from `postconf` command. + self._db = {} # type: Dict[str, str] + # List of current master.cf overrides from Postfix config. Dictionary + # of parameter name => list of tuples (service name, paramter value) + # Note: We should never modify master without explicit permission. + self._master_db = {} # type: Dict[str, List[Tuple[str, str]]] + # List of all changes requested to the Postfix parameters as they are now + # in _db. These changes are flushed to `postconf` on `flush`. + self._updated = {} # type: Dict[str, str] + self._read_from_conf() + def _read_from_conf(self): + """Reads initial parameter state from `main.cf` into this object. """ - all_extra_args = [] - for args_list in (self._modifiers, extra_args,): - if args_list is not None: - all_extra_args.extend(args_list) + out = self._get_output() + for name, value in _parse_main_output(out): + self._db[name] = value + out = self._get_output_master() + for name, value in _parse_main_output(out): + service, param_name = name.rsplit("/", 1) + if param_name not in self._master_db: + self._master_db[param_name] = [] + self._master_db[param_name].append((service, value)) - return super(ReadOnlyMainMap, self)._call(all_extra_args) + def _get_output_master(self): + """Retrieves output for `master.cf` parameters.""" + return self._get_output('-P') + def get_default(self, name): + """Retrieves default value of parameter `name` from postfix parameters. + + :param str name: The name of the parameter to fetch. + :returns: The default value of parameter `name`. + :rtype: str + """ + out = self._get_output(['-d', name]) + _, value = next(_parse_main_output(out), (None, None)) + return value + + def get(self, name): + """Retrieves working value of parameter `name` from postfix parameters. + + :param str name: The name of the parameter to fetch. + :returns: The value of parameter `name`. + :rtype: str + """ + if name in self._updated: + return self._updated[name] + return self._db[name] + + def get_master_overrides(self, name): + """Retrieves list of overrides for parameter `name` in postfix's Master config + file. + + :returns: List of tuples (service, value), meaning that parameter `name` + is overridden as `value` for `service`. + :rtype: `list` of `tuple` of `str` + """ + if name in self._master_db: + return self._master_db[name] + return None + + def set(self, name, value, acceptable_overrides=None): + """Sets parameter `name` to `value`. If `name` is overridden by a particular service in + `master.cf`, reports any of these parameter conflicts as long as + `ignore_master_overrides` was not set. + + .. note:: that this function does not flush these parameter values to main.cf; + To do that, use `flush`. + + :param str name: The name of the parameter to set. + :param str value: The value of the parameter. + :param tuple acceptable_overrides: If the master configuration file overrides `value` + with a value in acceptable_overrides. + """ + if name not in self._db: + raise KeyError("Parameter name %s is not a valid Postfix parameter name.", name) + # Check to see if this parameter is overridden by master. + overrides = self.get_master_overrides(name) + if not self._ignore_master_overrides and overrides is not None: + util.report_master_overrides(name, overrides, acceptable_overrides) + if value != self._db[name]: + # _db contains the "original" state of parameters. We only care about + # writes if they cause a delta from the original state. + self._updated[name] = value + elif name in self._updated: + # If this write reverts a previously updated parameter back to the + # original DB's state, we don't have to keep track of it in _updated. + del self._updated[name] + + def flush(self): + """Flushes all parameter changes made using `self.set`, to `main.cf` + + :raises error.PluginError: When flush to main.cf fails for some reason. + """ + if len(self._updated) == 0: + return + args = ['-e'] + for name, value in six.iteritems(self._updated): + args.append('{0}={1}'.format(name, value)) + try: + self._get_output(args) + except IOError as e: + raise errors.PluginError("Unable to save to Postfix config: %v", e) + for name, value in six.iteritems(self._updated): + self._db[name] = value + self._updated = {} + + def get_changes(self): + """ Return queued changes to main.cf. + + :rtype: dict[str, str] + """ + return self._updated def _parse_main_output(output): """Parses the raw output from Postconf about main.cf. + Expects the output to look like: + + .. code-block:: none + + name1 = value1 + name2 = value2 + :param str output: data postconf wrote to stdout about main.cf :returns: generator providing key-value pairs from main.cf - :rtype: generator - + :rtype: Iterator[tuple(str, str)] """ for line in output.splitlines(): name, _, value = line.partition(" =") yield name, value.strip() + + diff --git a/certbot-postfix/certbot_postfix/tests/__init__.py b/certbot-postfix/certbot_postfix/tests/__init__.py new file mode 100644 index 000000000..7316b5888 --- /dev/null +++ b/certbot-postfix/certbot_postfix/tests/__init__.py @@ -0,0 +1 @@ +""" Certbot Postfix Tests """ diff --git a/certbot-postfix/certbot_postfix/tests/installer_test.py b/certbot-postfix/certbot_postfix/tests/installer_test.py new file mode 100644 index 000000000..1bdd2c8b3 --- /dev/null +++ b/certbot-postfix/certbot_postfix/tests/installer_test.py @@ -0,0 +1,314 @@ +"""Tests for certbot_postfix.installer.""" +from contextlib import contextmanager +import copy +import functools +import os +import pkg_resources +import six +import unittest + +import mock + +from certbot import errors +from certbot.tests import util as certbot_test_util + +# pylint: disable=unused-import, no-name-in-module +from acme.magic_typing import Dict, Tuple, Union +# pylint: enable=unused-import, no-name-in-module + +DEFAULT_MAIN_CF = { + "smtpd_tls_cert_file": "", + "smtpd_tls_key_file": "", + "smtpd_tls_dh1024_param_file": "", + "smtpd_tls_security_level": "none", + "smtpd_tls_auth_only": "", + "smtpd_tls_mandatory_protocols": "", + "smtpd_tls_protocols": "", + "smtpd_tls_ciphers": "", + "smtpd_tls_exclude_ciphers": "", + "smtpd_tls_mandatory_ciphers": "", + "smtpd_tls_eecdh_grade": "medium", + "smtp_tls_security_level": "", + "smtp_tls_ciphers": "", + "smtp_tls_exclude_ciphers": "", + "smtp_tls_mandatory_ciphers": "", + "mail_version": "3.2.3" +} + +def _main_cf_with(obj): + main_cf = copy.copy(DEFAULT_MAIN_CF) + main_cf.update(obj) + return main_cf + +class InstallerTest(certbot_test_util.ConfigTestCase): + # pylint: disable=too-many-public-methods + + def setUp(self): + super(InstallerTest, self).setUp() + _config_file = pkg_resources.resource_filename("certbot_postfix.tests", + os.path.join("testdata", "config.json")) + self.config.postfix_ctl = "postfix" + self.config.postfix_config_dir = self.tempdir + self.config.postfix_config_utility = "postconf" + self.config.postfix_tls_only = False + self.config.postfix_server_only = False + self.config.config_dir = self.tempdir + + @mock.patch("certbot_postfix.installer.util.is_acceptable_value") + def test_set_vars(self, mock_is_acceptable_value): + mock_is_acceptable_value.return_value = True + with create_installer(self.config) as installer: + installer.prepare() + mock_is_acceptable_value.return_value = False + + @mock.patch("certbot_postfix.installer.util.is_acceptable_value") + def test_acceptable_value(self, mock_is_acceptable_value): + mock_is_acceptable_value.return_value = True + with create_installer(self.config) as installer: + installer.prepare() + mock_is_acceptable_value.return_value = False + + @certbot_test_util.patch_get_utility() + def test_confirm_changes_no_raises_error(self, mock_util): + mock_util().yesno.return_value = False + with create_installer(self.config) as installer: + installer.prepare() + self.assertRaises(errors.PluginError, installer.deploy_cert, + "example.com", "cert_path", "key_path", + "chain_path", "fullchain_path") + + @certbot_test_util.patch_get_utility() + def test_save(self, mock_util): + mock_util().yesno.return_value = True + with create_installer(self.config) as installer: + installer.prepare() + installer.postconf.flush = mock.Mock() + installer.reverter = mock.Mock() + installer.deploy_cert("example.com", "cert_path", "key_path", + "chain_path", "fullchain_path") + installer.save() + self.assertEqual(installer.save_notes, []) + self.assertEqual(installer.postconf.flush.call_count, 1) + self.assertEqual(installer.reverter.add_to_checkpoint.call_count, 1) + + @certbot_test_util.patch_get_utility() + def test_save_with_title(self, mock_util): + mock_util().yesno.return_value = True + with create_installer(self.config) as installer: + installer.prepare() + installer.postconf.flush = mock.Mock() + installer.reverter = mock.Mock() + installer.deploy_cert("example.com", "cert_path", "key_path", + "chain_path", "fullchain_path") + installer.save(title="new_file!") + self.assertEqual(installer.reverter.finalize_checkpoint.call_count, 1) + + @certbot_test_util.patch_get_utility() + def test_rollback_checkpoints_resets_postconf(self, mock_util): + mock_util().yesno.return_value = True + with create_installer(self.config) as installer: + installer.prepare() + installer.deploy_cert("example.com", "cert_path", "key_path", + "chain_path", "fullchain_path") + installer.rollback_checkpoints() + self.assertEqual(installer.postconf.get_changes(), {}) + + @certbot_test_util.patch_get_utility() + def test_recovery_routine_resets_postconf(self, mock_util): + mock_util().yesno.return_value = True + with create_installer(self.config) as installer: + installer.prepare() + installer.deploy_cert("example.com", "cert_path", "key_path", + "chain_path", "fullchain_path") + installer.recovery_routine() + self.assertEqual(installer.postconf.get_changes(), {}) + + def test_restart(self): + with create_installer(self.config) as installer: + installer.prepare() + installer.restart() + self.assertEqual(installer.postfix.restart.call_count, 1) + + def test_add_parser_arguments(self): + options = set(("ctl", "config-dir", "config-utility", + "tls-only", "server-only", "ignore-master-overrides")) + mock_add = mock.MagicMock() + + from certbot_postfix import installer + installer.Installer.add_parser_arguments(mock_add) + + for call in mock_add.call_args_list: + self.assertTrue(call[0][0] in options) + + def test_no_postconf_prepare(self): + with create_installer(self.config) as installer: + installer_path = "certbot_postfix.installer" + exe_exists_path = installer_path + ".certbot_util.exe_exists" + path_surgery_path = "certbot_postfix.util.plugins_util.path_surgery" + with mock.patch(path_surgery_path, return_value=False): + with mock.patch(exe_exists_path, return_value=False): + self.assertRaises(errors.NoInstallationError, + installer.prepare) + + def test_old_version(self): + with create_installer(self.config, main_cf=_main_cf_with({"mail_version": "0.0.1"}))\ + as installer: + self.assertRaises(errors.NotSupportedError, installer.prepare) + + def test_lock_error(self): + with create_installer(self.config) as installer: + assert_raises = functools.partial(self.assertRaises, + errors.PluginError, + installer.prepare) + certbot_test_util.lock_and_call(assert_raises, self.tempdir) + + + @mock.patch('certbot.util.lock_dir_until_exit') + def test_dir_locked(self, lock_dir): + with create_installer(self.config) as installer: + lock_dir.side_effect = errors.LockError + self.assertRaises(errors.PluginError, installer.prepare) + + def test_more_info(self): + with create_installer(self.config) as installer: + installer.prepare() + output = installer.more_info() + self.assertTrue("Postfix" in output) + self.assertTrue(self.tempdir in output) + self.assertTrue(DEFAULT_MAIN_CF["mail_version"] in output) + + def test_get_all_names(self): + config = {"mydomain": "example.org", + "myhostname": "mail.example.org", + "myorigin": "example.org"} + with create_installer(self.config, main_cf=_main_cf_with(config)) as installer: + installer.prepare() + result = installer.get_all_names() + self.assertEqual(result, set(config.values())) + + @certbot_test_util.patch_get_utility() + def test_deploy(self, mock_util): + mock_util().yesno.return_value = True + from certbot_postfix import constants + with create_installer(self.config) as installer: + installer.prepare() + + # pylint: disable=protected-access + installer.deploy_cert("example.com", "cert_path", "key_path", + "chain_path", "fullchain_path") + changes = installer.postconf.get_changes() + expected = {} # type: Dict[str, Tuple[str, ...]] + expected.update(constants.TLS_SERVER_VARS) + expected.update(constants.DEFAULT_SERVER_VARS) + expected.update(constants.DEFAULT_CLIENT_VARS) + self.assertEqual(changes["smtpd_tls_key_file"], "key_path") + self.assertEqual(changes["smtpd_tls_cert_file"], "cert_path") + for name, value in six.iteritems(expected): + self.assertEqual(changes[name], value[0]) + + @certbot_test_util.patch_get_utility() + def test_tls_only(self, mock_util): + mock_util().yesno.return_value = True + with create_installer(self.config) as installer: + installer.prepare() + installer.conf = lambda x: x == "tls_only" + installer.postconf.set = mock.Mock() + installer.deploy_cert("example.com", "cert_path", "key_path", + "chain_path", "fullchain_path") + self.assertEqual(installer.postconf.set.call_count, 4) + + @certbot_test_util.patch_get_utility() + def test_server_only(self, mock_util): + mock_util().yesno.return_value = True + with create_installer(self.config) as installer: + installer.prepare() + installer.conf = lambda x: x == "server_only" + installer.postconf.set = mock.Mock() + installer.deploy_cert("example.com", "cert_path", "key_path", + "chain_path", "fullchain_path") + self.assertEqual(installer.postconf.set.call_count, 11) + + @certbot_test_util.patch_get_utility() + def test_tls_and_server_only(self, mock_util): + mock_util().yesno.return_value = True + with create_installer(self.config) as installer: + installer.prepare() + installer.conf = lambda x: True + installer.postconf.set = mock.Mock() + installer.deploy_cert("example.com", "cert_path", "key_path", + "chain_path", "fullchain_path") + self.assertEqual(installer.postconf.set.call_count, 3) + + @certbot_test_util.patch_get_utility() + def test_deploy_twice(self, mock_util): + # Deploying twice on the same installer shouldn't do anything! + mock_util().yesno.return_value = True + with create_installer(self.config) as installer: + installer.prepare() + from certbot_postfix.postconf import ConfigMain + with mock.patch.object(ConfigMain, "set", wraps=installer.postconf.set) as fake_set: + installer.deploy_cert("example.com", "cert_path", "key_path", + "chain_path", "fullchain_path") + self.assertEqual(fake_set.call_count, 15) + fake_set.reset_mock() + installer.deploy_cert("example.com", "cert_path", "key_path", + "chain_path", "fullchain_path") + fake_set.assert_not_called() + + @certbot_test_util.patch_get_utility() + def test_deploy_already_secure(self, mock_util): + # Should not overwrite "more-secure" parameters + mock_util().yesno.return_value = True + more_secure = { + "smtpd_tls_security_level": "encrypt", + "smtpd_tls_protocols": "!SSLv3, !SSLv2, !TLSv1", + "smtpd_tls_eecdh_grade": "strong" + } + with create_installer(self.config,\ + main_cf=_main_cf_with(more_secure)) as installer: + installer.prepare() + installer.deploy_cert("example.com", "cert_path", "key_path", + "chain_path", "fullchain_path") + for param in more_secure.keys(): + self.assertFalse(param in installer.postconf.get_changes()) + + def test_enhance(self): + with create_installer(self.config) as installer: + installer.prepare() + self.assertRaises(errors.PluginError, + installer.enhance, + "example.org", "redirect") + + def test_supported_enhancements(self): + with create_installer(self.config) as installer: + installer.prepare() + self.assertEqual(installer.supported_enhancements(), []) + +@contextmanager +def create_installer(config, main_cf=DEFAULT_MAIN_CF): +# pylint: disable=dangerous-default-value + """Creates a Postfix installer with calls to `postconf` and `postfix` mocked out. + + In particular, creates a ConfigMain object that does regular things, but seeds it + with values from `main_cf` and `master_cf` dicts. + """ + from certbot_postfix.postconf import ConfigMain + from certbot_postfix import installer + def _mock_init_postconf(postconf, executable, ignore_master_overrides=False, config_dir=None): + # pylint: disable=protected-access,unused-argument + postconf._ignore_master_overrides = ignore_master_overrides + postconf._db = main_cf + postconf._master_db = {} + postconf._updated = {} + # override get_default to get from main + postconf.get_default = lambda name: main_cf[name] + with mock.patch.object(ConfigMain, "__init__", _mock_init_postconf): + exe_exists_path = "certbot_postfix.installer.certbot_util.exe_exists" + with mock.patch(exe_exists_path, return_value=True): + with mock.patch("certbot_postfix.installer.util.PostfixUtil", + return_value=mock.Mock()): + yield installer.Installer(config, "postfix") + +if __name__ == "__main__": + unittest.main() # pragma: no cover + diff --git a/certbot-postfix/certbot_postfix/tests/postconf_test.py b/certbot-postfix/certbot_postfix/tests/postconf_test.py new file mode 100644 index 000000000..91617d410 --- /dev/null +++ b/certbot-postfix/certbot_postfix/tests/postconf_test.py @@ -0,0 +1,107 @@ +"""Tests for certbot_postfix.postconf.""" + +import mock +import unittest + +from certbot import errors + +class PostConfTest(unittest.TestCase): + """Tests for certbot_postfix.util.PostConf.""" + def setUp(self): + from certbot_postfix.postconf import ConfigMain + super(PostConfTest, self).setUp() + with mock.patch('certbot_postfix.util.PostfixUtilBase._get_output') as mock_call: + with mock.patch('certbot_postfix.postconf.ConfigMain._get_output_master') as \ + mock_master_call: + with mock.patch('certbot_postfix.postconf.util.verify_exe_exists') as verify_exe: + verify_exe.return_value = True + mock_call.return_value = ('default_parameter = value\n' + 'extra_param =\n' + 'overridden_by_master = default\n') + mock_master_call.return_value = ( + 'service/type/overridden_by_master = master_value\n' + 'service2/type/overridden_by_master = master_value2\n' + ) + self.config = ConfigMain('postconf', False) + + @mock.patch('certbot_postfix.util.PostfixUtilBase._get_output') + @mock.patch('certbot_postfix.postconf.util.verify_exe_exists') + def test_get_output_master(self, mock_verify_exe, mock_get_output): + from certbot_postfix.postconf import ConfigMain + mock_verify_exe.return_value = True + ConfigMain('postconf', lambda x, y, z: None) + mock_get_output.assert_called_with('-P') + + @mock.patch('certbot_postfix.util.PostfixUtilBase._get_output') + def test_read_default(self, mock_get_output): + mock_get_output.return_value = 'param = default_value' + self.assertEqual(self.config.get_default('param'), 'default_value') + + @mock.patch('certbot_postfix.util.PostfixUtilBase._call') + def test_set(self, mock_call): + self.config.set('extra_param', 'other_value') + self.assertEqual(self.config.get('extra_param'), 'other_value') + self.config.flush() + mock_call.assert_called_with(['-e', 'extra_param=other_value']) + + def test_set_bad_param_name(self): + self.assertRaises(KeyError, self.config.set, 'nonexistent_param', 'some_value') + + @mock.patch('certbot_postfix.util.PostfixUtilBase._call') + def test_write_revert(self, mock_call): + self.config.set('default_parameter', 'fake_news') + # revert config set + self.config.set('default_parameter', 'value') + self.config.flush() + mock_call.assert_not_called() + + @mock.patch('certbot_postfix.util.PostfixUtilBase._call') + def test_write_default(self, mock_call): + self.config.set('default_parameter', 'value') + self.config.flush() + mock_call.assert_not_called() + + def test_master_overrides(self): + self.assertEqual(self.config.get_master_overrides('overridden_by_master'), + [('service/type', 'master_value'), + ('service2/type', 'master_value2')]) + + def test_set_check_override(self): + self.assertRaises(errors.PluginError, self.config.set, + 'overridden_by_master', 'new_value') + + def test_ignore_check_override(self): + # pylint: disable=protected-access + self.config._ignore_master_overrides = True + self.config.set('overridden_by_master', 'new_value') + + def test_check_acceptable_overrides(self): + self.config.set('overridden_by_master', 'new_value', + ('master_value', 'master_value2')) + + @mock.patch('certbot_postfix.util.PostfixUtilBase._get_output') + def test_flush(self, mock_out): + self.config.set('default_parameter', 'new_value') + self.config.set('extra_param', 'another_value') + self.config.flush() + arguments = mock_out.call_args_list[-1][0][0] + self.assertEquals('-e', arguments[0]) + self.assertTrue('default_parameter=new_value' in arguments) + self.assertTrue('extra_param=another_value' in arguments) + + @mock.patch('certbot_postfix.util.PostfixUtilBase._get_output') + def test_flush_updates_object(self, mock_out): + self.config.set('default_parameter', 'new_value') + self.config.flush() + mock_out.reset_mock() + self.config.set('default_parameter', 'new_value') + mock_out.assert_not_called() + + @mock.patch('certbot_postfix.util.PostfixUtilBase._get_output') + def test_flush_throws_error_on_fail(self, mock_out): + mock_out.side_effect = [IOError("oh no!")] + self.config.set('default_parameter', 'new_value') + self.assertRaises(errors.PluginError, self.config.flush) + +if __name__ == '__main__': # pragma: no cover + unittest.main() diff --git a/certbot-postfix/certbot_postfix/tests/util_test.py b/certbot-postfix/certbot_postfix/tests/util_test.py new file mode 100644 index 000000000..fa38f83ab --- /dev/null +++ b/certbot-postfix/certbot_postfix/tests/util_test.py @@ -0,0 +1,205 @@ +"""Tests for certbot_postfix.util.""" + +import subprocess +import unittest + +import mock + +from certbot import errors + + +class PostfixUtilBaseTest(unittest.TestCase): + """Tests for certbot_postfix.util.PostfixUtilBase.""" + + @classmethod + def _create_object(cls, *args, **kwargs): + from certbot_postfix.util import PostfixUtilBase + return PostfixUtilBase(*args, **kwargs) + + @mock.patch('certbot_postfix.util.verify_exe_exists') + def test_no_exe(self, mock_verify): + expected_error = errors.NoInstallationError + mock_verify.side_effect = expected_error + self.assertRaises(expected_error, self._create_object, 'nonexistent') + + def test_object_creation(self): + with mock.patch('certbot_postfix.util.verify_exe_exists'): + self._create_object('existent') + + @mock.patch('certbot_postfix.util.check_all_output') + def test_call_extends_args(self, mock_output): + # pylint: disable=protected-access + with mock.patch('certbot_postfix.util.verify_exe_exists'): + mock_output.return_value = 'expected' + postfix = self._create_object('executable') + postfix._call(['many', 'extra', 'args']) + mock_output.assert_called_with(['executable', 'many', 'extra', 'args']) + postfix._call() + mock_output.assert_called_with(['executable']) + + def test_create_with_config(self): + # pylint: disable=protected-access + with mock.patch('certbot_postfix.util.verify_exe_exists'): + postfix = self._create_object('exec', 'config_dir') + self.assertEqual(postfix._base_command, ['exec', '-c', 'config_dir']) + +class PostfixUtilTest(unittest.TestCase): + def setUp(self): + # pylint: disable=protected-access + from certbot_postfix.util import PostfixUtil + with mock.patch('certbot_postfix.util.verify_exe_exists'): + self.postfix = PostfixUtil() + self.postfix._call = mock.Mock() + self.mock_call = self.postfix._call + + def test_test(self): + self.postfix.test() + self.mock_call.assert_called_with(['check']) + + def test_test_raises_error_when_check_fails(self): + self.mock_call.side_effect = [subprocess.CalledProcessError(1, "")] + self.assertRaises(errors.MisconfigurationError, self.postfix.test) + self.mock_call.assert_called_with(['check']) + + def test_restart_while_running(self): + self.mock_call.side_effect = [subprocess.CalledProcessError(1, ""), None] + self.postfix.restart() + self.mock_call.assert_called_with(['start']) + + def test_restart_while_not_running(self): + self.postfix.restart() + self.mock_call.assert_called_with(['reload']) + + def test_restart_raises_error_when_reload_fails(self): + self.mock_call.side_effect = [None, subprocess.CalledProcessError(1, "")] + self.assertRaises(errors.PluginError, self.postfix.restart) + self.mock_call.assert_called_with(['reload']) + + def test_restart_raises_error_when_start_fails(self): + self.mock_call.side_effect = [ + subprocess.CalledProcessError(1, ""), + subprocess.CalledProcessError(1, "")] + self.assertRaises(errors.PluginError, self.postfix.restart) + self.mock_call.assert_called_with(['start']) + +class CheckAllOutputTest(unittest.TestCase): + """Tests for certbot_postfix.util.check_all_output.""" + + @classmethod + def _call(cls, *args, **kwargs): + from certbot_postfix.util import check_all_output + return check_all_output(*args, **kwargs) + + @mock.patch('certbot_postfix.util.logger') + @mock.patch('certbot_postfix.util.subprocess.Popen') + def test_command_error(self, mock_popen, mock_logger): + command = 'foo' + retcode = 42 + output = 'bar' + err = 'baz' + + mock_popen().communicate.return_value = (output, err) + mock_popen().poll.return_value = 42 + + self.assertRaises(subprocess.CalledProcessError, self._call, command) + log_args = mock_logger.debug.call_args[0] + for value in (command, retcode, output, err,): + self.assertTrue(value in log_args) + + @mock.patch('certbot_postfix.util.subprocess.Popen') + def test_success(self, mock_popen): + command = 'foo' + expected = ('bar', '') + mock_popen().communicate.return_value = expected + mock_popen().poll.return_value = 0 + + self.assertEqual(self._call(command), expected) + + def test_stdout_error(self): + self.assertRaises(ValueError, self._call, stdout=None) + + def test_stderr_error(self): + self.assertRaises(ValueError, self._call, stderr=None) + + def test_universal_newlines_error(self): + self.assertRaises(ValueError, self._call, universal_newlines=False) + + +class VerifyExeExistsTest(unittest.TestCase): + """Tests for certbot_postfix.util.verify_exe_exists.""" + + @classmethod + def _call(cls, *args, **kwargs): + from certbot_postfix.util import verify_exe_exists + return verify_exe_exists(*args, **kwargs) + + @mock.patch('certbot_postfix.util.certbot_util.exe_exists') + @mock.patch('certbot_postfix.util.plugins_util.path_surgery') + def test_failure(self, mock_exe_exists, mock_path_surgery): + mock_exe_exists.return_value = mock_path_surgery.return_value = False + self.assertRaises(errors.NoInstallationError, self._call, 'foo') + + @mock.patch('certbot_postfix.util.certbot_util.exe_exists') + def test_simple_success(self, mock_exe_exists): + mock_exe_exists.return_value = True + self._call('foo') + + @mock.patch('certbot_postfix.util.certbot_util.exe_exists') + @mock.patch('certbot_postfix.util.plugins_util.path_surgery') + def test_successful_surgery(self, mock_exe_exists, mock_path_surgery): + mock_exe_exists.return_value = False + mock_path_surgery.return_value = True + self._call('foo') + +class TestUtils(unittest.TestCase): + """ Testing random utility functions in util.py + """ + def test_report_master_overrides(self): + from certbot_postfix.util import report_master_overrides + self.assertRaises(errors.PluginError, report_master_overrides, 'name', + [('service/type', 'value')]) + # Shouldn't raise error + report_master_overrides('name', [('service/type', 'value')], + acceptable_overrides=('value',)) + + def test_no_acceptable_value(self): + from certbot_postfix.util import is_acceptable_value + self.assertFalse(is_acceptable_value('name', 'value', None)) + + def test_is_acceptable_value(self): + from certbot_postfix.util import is_acceptable_value + self.assertTrue(is_acceptable_value('name', 'value', ('value',))) + self.assertFalse(is_acceptable_value('name', 'bad', ('value',))) + + def test_is_acceptable_tuples(self): + from certbot_postfix.util import is_acceptable_value + self.assertTrue(is_acceptable_value('name', 'value', ('value', 'value1'))) + self.assertFalse(is_acceptable_value('name', 'bad', ('value', 'value1'))) + + def test_is_acceptable_protocols(self): + from certbot_postfix.util import is_acceptable_value + # SSLv2 and SSLv3 are both not supported, unambiguously + self.assertFalse(is_acceptable_value('tls_mandatory_protocols_lol', + 'SSLv2, SSLv3', None)) + self.assertFalse(is_acceptable_value('tls_protocols_lol', + 'SSLv2, SSLv3', None)) + self.assertFalse(is_acceptable_value('tls_protocols_lol', + '!SSLv2, !TLSv1', None)) + self.assertFalse(is_acceptable_value('tls_protocols_lol', + '!SSLv2, SSLv3, !SSLv3, ', None)) + self.assertTrue(is_acceptable_value('tls_protocols_lol', + '!SSLv2, !SSLv3', None)) + self.assertTrue(is_acceptable_value('tls_protocols_lol', + '!SSLv3, !TLSv1, !SSLv2', None)) + # TLSv1.2 is supported unambiguously + self.assertFalse(is_acceptable_value('tls_protocols_lol', + 'TLSv1, TLSv1.1,', None)) + self.assertFalse(is_acceptable_value('tls_protocols_lol', + 'TLSv1.2, !TLSv1.2,', None)) + self.assertTrue(is_acceptable_value('tls_protocols_lol', + 'TLSv1.2, ', None)) + self.assertTrue(is_acceptable_value('tls_protocols_lol', + 'TLSv1, TLSv1.1, TLSv1.2', None)) + +if __name__ == '__main__': # pragma: no cover + unittest.main() diff --git a/certbot-postfix/certbot_postfix/util.py b/certbot-postfix/certbot_postfix/util.py index 57196017f..f06989903 100644 --- a/certbot-postfix/certbot_postfix/util.py +++ b/certbot-postfix/certbot_postfix/util.py @@ -1,14 +1,16 @@ """Utility functions for use in the Postfix installer.""" import logging +import re import subprocess from certbot import errors from certbot import util as certbot_util from certbot.plugins import util as plugins_util - +from certbot_postfix import constants logger = logging.getLogger(__name__) +COMMAND = "postfix" class PostfixUtilBase(object): """A base class for wrapping Postfix command line utilities.""" @@ -22,9 +24,13 @@ class PostfixUtilBase(object): :raises .NoInstallationError: when the executable isn't found """ + self.executable = executable verify_exe_exists(executable) + self._set_base_command(config_dir) + self.config_dir = None - self._base_command = [executable] + def _set_base_command(self, config_dir): + self._base_command = [self.executable] if config_dir is not None: self._base_command.extend(('-c', config_dir,)) @@ -59,6 +65,77 @@ class PostfixUtilBase(object): """ return self._call(extra_args)[0] +class PostfixUtil(PostfixUtilBase): + """Wrapper around Postfix CLI tool. + """ + + def __init__(self, config_dir=None): + super(PostfixUtil, self).__init__(COMMAND, config_dir) + + def test(self): + """Make sure the configuration is valid. + + :raises .MisconfigurationError: if the config is invalid + """ + try: + self._call(["check"]) + except subprocess.CalledProcessError as e: + logger.debug("Could not check postfix configuration:\n%s", e) + raise errors.MisconfigurationError( + "Postfix failed internal configuration check.") + + def restart(self): + """Restart or refresh the server content. + + :raises .PluginError: when server cannot be restarted + + """ + logger.info("Reloading Postfix configuration...") + if self._is_running(): + self._reload() + else: + self._start() + + + def _is_running(self): + """Is Postfix currently running? + + Uses the 'postfix status' command to determine if Postfix is + currently running using the specified configuration files. + + :returns: True if Postfix is running, otherwise, False + :rtype: bool + + """ + try: + self._call(["status"]) + except subprocess.CalledProcessError: + return False + return True + + def _start(self): + """Instructions Postfix to start running. + + :raises .PluginError: when Postfix cannot start + + """ + try: + self._call(["start"]) + except subprocess.CalledProcessError: + raise errors.PluginError("Postfix failed to start") + + def _reload(self): + """Instructs Postfix to reload its configuration. + + If Postfix isn't currently running, this method will fail. + + :raises .PluginError: when Postfix cannot reload + """ + try: + self._call(["reload"]) + except subprocess.CalledProcessError: + raise errors.PluginError( + "Postfix failed to reload its configuration") def check_all_output(*args, **kwargs): """A version of subprocess.check_output that also captures stderr. @@ -107,7 +184,7 @@ def check_all_output(*args, **kwargs): return (output, err) -def verify_exe_exists(exe): +def verify_exe_exists(exe, message=None): """Ensures an executable with the given name is available. If an executable isn't found for the given path or name, extra @@ -115,83 +192,101 @@ def verify_exe_exists(exe): utilities that may not be available in the default cron PATH. :param str exe: executable path or name + :param str message: Error message to print. :raises .NoInstallationError: when the executable isn't found """ + if message is None: + message = "Cannot find executable '{0}'.".format(exe) if not (certbot_util.exe_exists(exe) or plugins_util.path_surgery(exe)): - raise errors.NoInstallationError( - "Cannot find executable '{0}'.".format(exe)) + raise errors.NoInstallationError(message) +def report_master_overrides(name, overrides, acceptable_overrides=None): + """If the value for a parameter `name` is overridden by other services, + report a warning to notify the user. If `parameter` is a TLS version parameter + (i.e., `parameter` contains 'tls_protocols' or 'tls_mandatory_protocols'), then + `acceptable_overrides` isn't used each value in overrides is inspected for secure TLS + versions. -def check_call(*args, **kwargs): - """A simple wrapper of subprocess.check_call that logs errors. - - :param tuple args: positional arguments to subprocess.check_call - :param dict kargs: keyword arguments to subprocess.check_call - - :raises subprocess.CalledProcessError: if the call fails - + :param str name: The name of the parameter that is being overridden. + :param list overrides: The values that other services are setting for `name`. + Each override is a tuple: (service name, value) + :param tuple acceptable_overrides: Override values that are acceptable. For instance, if + another service is overriding our parameter with a more secure option, we don't have + to warn. If this is set to None, errors are raised for *any* overrides of `name`! """ - try: - subprocess.check_call(*args, **kwargs) - except subprocess.CalledProcessError: - cmd = _get_cmd(*args, **kwargs) - logger.debug("%s exited with a non-zero status.", - "".join(cmd), exc_info=True) - raise + error_string = "" + for override in overrides: + service, value = override + # If this override is acceptable: + if acceptable_overrides is not None and \ + is_acceptable_value(name, value, acceptable_overrides): + continue + error_string += " {0}: {1}\n".format(service, value) + if error_string: + raise errors.PluginError("{0} is overridden with less secure options by the " + "following services in master.cf:\n".format(name) + error_string) -def check_output(*args, **kwargs): - """Backported version of subprocess.check_output for Python 2.6+. - - This is the same as subprocess.check_output from newer versions of - Python, except: - - 1. The return value is a string rather than a byte string. To - accomplish this, the caller cannot set the parameter - universal_newlines. - 2. If the command exits with a nonzero status, output is not - included in the raised subprocess.CalledProcessError because - subprocess.CalledProcessError on Python 2.6 does not support this. - Instead, the failure including the output is logged. - - :param tuple args: positional arguments for Popen - :param dict kwargs: keyword arguments for Popen - - :returns: data printed to stdout - :rtype: str - - :raises ValueError: if arguments are invalid - :raises subprocess.CalledProcessError: if the command fails +def is_acceptable_value(parameter, value, acceptable=None): + """ Returns whether the `value` for this `parameter` is acceptable, + given a tuple of `acceptable` values. If `parameter` is a TLS version parameter + (i.e., `parameter` contains 'tls_protocols' or 'tls_mandatory_protocols'), then + `acceptable` isn't used and `value` is inspected for secure TLS versions. + :param str parameter: The name of the parameter being set. + :param str value: Proposed new value for parameter. + :param tuple acceptable: List of acceptable values for parameter. """ - for keyword in ('stdout', 'universal_newlines',): - if keyword in kwargs: - raise ValueError( - keyword + ' argument not allowed, it will be overridden.') - - kwargs['stdout'] = subprocess.PIPE - kwargs['universal_newlines'] = True - - process = subprocess.Popen(*args, **kwargs) - output, unused_err = process.communicate() - retcode = process.poll() - if retcode: - cmd = _get_cmd(*args, **kwargs) - logger.debug( - "'%s' exited with %d. Output was:\n%s", - cmd, retcode, output, exc_info=True) - raise subprocess.CalledProcessError(retcode, cmd) - return output + # Check if param value is a comma-separated list of protocols. + # Otherwise, just check whether the value is in the acceptable list. + if 'tls_protocols' in parameter or 'tls_mandatory_protocols' in parameter: + return _has_acceptable_tls_versions(value) + if acceptable is not None: + return value in acceptable + return False -def _get_cmd(*args, **kwargs): - """Return the command from Popen args. - - :param tuple args: Popen args - :param dict kwargs: Popen kwargs - +def _has_acceptable_tls_versions(parameter_string): """ - cmd = kwargs.get('args') - return args[0] if cmd is None else cmd + Checks to see if the list of TLS protocols is acceptable. + This requires that TLSv1.2 is supported, and neither SSLv2 nor SSLv3 are supported. + + Should be a string of protocol names delimited by commas, spaces, or colons. + + Postfix's documents suggest listing protocols to exclude, like "!SSLv2, !SSLv3". + Listing the protocols to include, like "TLSv1, TLSv1.1, TLSv1.2" is okay as well, + though not recommended + + When these two modes are interspersed, the presence of a single non-negated protocol name + (i.e. "TLSv1" rather than "!TLSv1") automatically excludes all other unnamed protocols. + + In addition, the presence of both a protocol name inclusion and exclusion isn't explicitly + documented, so this method should return False if it encounters contradicting statements + about TLSv1.2, SSLv2, or SSLv3. (for instance, "SSLv3, !SSLv3"). + """ + if not parameter_string: + return False + bad_versions = list(constants.TLS_VERSIONS) + for version in constants.ACCEPTABLE_TLS_VERSIONS: + del bad_versions[bad_versions.index(version)] + supported_version_list = re.split("[, :]+", parameter_string) + # The presence of any non-"!" protocol listing excludes the others by default. + inclusion_list = False + for version in supported_version_list: + if not version: + continue + if version in bad_versions: # short-circuit if we recognize any bad version + return False + if version[0] != "!": + inclusion_list = True + if inclusion_list: # For any inclusion list, we still require TLS 1.2. + if "TLSv1.2" not in supported_version_list or "!TLSv1.2" in supported_version_list: + return False + else: + for bad_version in bad_versions: + if "!" + bad_version not in supported_version_list: + return False + return True + diff --git a/certbot-postfix/certbot_postfix/util_test.py b/certbot-postfix/certbot_postfix/util_test.py deleted file mode 100644 index 4a014ca9b..000000000 --- a/certbot-postfix/certbot_postfix/util_test.py +++ /dev/null @@ -1,165 +0,0 @@ -"""Tests for certbot_postfix.util.""" - -import subprocess -import unittest - -import mock - -from certbot import errors - - -class PostfixUtilBaseTest(unittest.TestCase): - """Tests for certbot_postfix.util.PostfixUtilBase.""" - - @classmethod - def _create_object(cls, *args, **kwargs): - from certbot_postfix.util import PostfixUtilBase - return PostfixUtilBase(*args, **kwargs) - - @mock.patch('certbot_postfix.util.verify_exe_exists') - def test_no_exe(self, mock_verify): - expected_error = errors.NoInstallationError - mock_verify.side_effect = expected_error - self.assertRaises(expected_error, self._create_object, 'nonexistent') - - def test_object_creation(self): - with mock.patch('certbot_postfix.util.verify_exe_exists'): - self._create_object('existent') - - -class CheckAllOutputTest(unittest.TestCase): - """Tests for certbot_postfix.util.check_all_output.""" - - @classmethod - def _call(cls, *args, **kwargs): - from certbot_postfix.util import check_all_output - return check_all_output(*args, **kwargs) - - @mock.patch('certbot_postfix.util.logger') - @mock.patch('certbot_postfix.util.subprocess.Popen') - def test_command_error(self, mock_popen, mock_logger): - command = 'foo' - retcode = 42 - output = 'bar' - err = 'baz' - - mock_popen().communicate.return_value = (output, err) - mock_popen().poll.return_value = 42 - - self.assertRaises(subprocess.CalledProcessError, self._call, command) - log_args = mock_logger.debug.call_args[0] - for value in (command, retcode, output, err,): - self.assertTrue(value in log_args) - - @mock.patch('certbot_postfix.util.subprocess.Popen') - def test_success(self, mock_popen): - command = 'foo' - expected = ('bar', '') - mock_popen().communicate.return_value = expected - mock_popen().poll.return_value = 0 - - self.assertEqual(self._call(command), expected) - - def test_stdout_error(self): - self.assertRaises(ValueError, self._call, stdout=None) - - def test_stderr_error(self): - self.assertRaises(ValueError, self._call, stderr=None) - - def test_universal_newlines_error(self): - self.assertRaises(ValueError, self._call, universal_newlines=False) - - -class VerifyExeExistsTest(unittest.TestCase): - """Tests for certbot_postfix.util.verify_exe_exists.""" - - @classmethod - def _call(cls, *args, **kwargs): - from certbot_postfix.util import verify_exe_exists - return verify_exe_exists(*args, **kwargs) - - @mock.patch('certbot_postfix.util.certbot_util.exe_exists') - @mock.patch('certbot_postfix.util.plugins_util.path_surgery') - def test_failure(self, mock_exe_exists, mock_path_surgery): - mock_exe_exists.return_value = mock_path_surgery.return_value = False - self.assertRaises(errors.NoInstallationError, self._call, 'foo') - - @mock.patch('certbot_postfix.util.certbot_util.exe_exists') - def test_simple_success(self, mock_exe_exists): - mock_exe_exists.return_value = True - self._call('foo') - - @mock.patch('certbot_postfix.util.certbot_util.exe_exists') - @mock.patch('certbot_postfix.util.plugins_util.path_surgery') - def test_successful_surgery(self, mock_exe_exists, mock_path_surgery): - mock_exe_exists.return_value = False - mock_path_surgery.return_value = True - self._call('foo') - - -class CheckCallTest(unittest.TestCase): - """Tests for certbot_postfix.util.check_call.""" - - @classmethod - def _call(cls, *args, **kwargs): - from certbot_postfix.util import check_call - return check_call(*args, **kwargs) - - @mock.patch('certbot_postfix.util.logger') - @mock.patch('certbot_postfix.util.subprocess.check_call') - def test_failure(self, mock_check_call, mock_logger): - cmd = "postconf smtpd_use_tls=yes".split() - mock_check_call.side_effect = subprocess.CalledProcessError(42, cmd) - self.assertRaises(subprocess.CalledProcessError, self._call, cmd) - self.assertTrue(mock_logger.method_calls) - - @mock.patch('certbot_postfix.util.subprocess.check_call') - def test_success(self, mock_check_call): - cmd = "postconf smtpd_use_tls=yes".split() - self._call(cmd) - mock_check_call.assert_called_once_with(cmd) - - -class CheckOutputTest(unittest.TestCase): - """Tests for certbot_postfix.util.check_output.""" - - @classmethod - def _call(cls, *args, **kwargs): - from certbot_postfix.util import check_output - return check_output(*args, **kwargs) - - @mock.patch('certbot_postfix.util.logger') - @mock.patch('certbot_postfix.util.subprocess.Popen') - def test_command_error(self, mock_popen, mock_logger): - command = 'foo' - retcode = 42 - output = 'bar' - - mock_popen().communicate.return_value = (output, '') - mock_popen().poll.return_value = 42 - - self.assertRaises(subprocess.CalledProcessError, self._call, command) - - log_args = mock_logger.debug.call_args[0] - self.assertTrue(command in log_args) - self.assertTrue(retcode in log_args) - self.assertTrue(output in log_args) - - @mock.patch('certbot_postfix.util.subprocess.Popen') - def test_success(self, mock_popen): - command = 'foo' - output = 'bar' - mock_popen().communicate.return_value = (output, '') - mock_popen().poll.return_value = 0 - - self.assertEqual(self._call(command), output) - - def test_stdout_error(self): - self.assertRaises(ValueError, self._call, stdout=None) - - def test_universal_newlines_error(self): - self.assertRaises(ValueError, self._call, universal_newlines=False) - - -if __name__ == '__main__': # pragma: no cover - unittest.main() diff --git a/certbot-postfix/docs/.gitignore b/certbot-postfix/docs/.gitignore new file mode 100644 index 000000000..ba65b13af --- /dev/null +++ b/certbot-postfix/docs/.gitignore @@ -0,0 +1 @@ +/_build/ diff --git a/certbot-postfix/docs/Makefile b/certbot-postfix/docs/Makefile new file mode 100644 index 000000000..717ff654f --- /dev/null +++ b/certbot-postfix/docs/Makefile @@ -0,0 +1,20 @@ +# Minimal makefile for Sphinx documentation +# + +# You can set these variables from the command line. +SPHINXOPTS = +SPHINXBUILD = sphinx-build +SPHINXPROJ = certbot-postfix +SOURCEDIR = . +BUILDDIR = _build + +# Put it first so that "make" without argument is like "make help". +help: + @$(SPHINXBUILD) -M help "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O) + +.PHONY: help Makefile + +# Catch-all target: route all unknown targets to Sphinx using the new +# "make mode" option. $(O) is meant as a shortcut for $(SPHINXOPTS). +%: Makefile + @$(SPHINXBUILD) -M $@ "$(SOURCEDIR)" "$(BUILDDIR)" $(SPHINXOPTS) $(O) \ No newline at end of file diff --git a/certbot-postfix/docs/api.rst b/certbot-postfix/docs/api.rst new file mode 100644 index 000000000..8668ec5d8 --- /dev/null +++ b/certbot-postfix/docs/api.rst @@ -0,0 +1,8 @@ +================= +API Documentation +================= + +.. toctree:: + :glob: + + api/** diff --git a/certbot-postfix/docs/api/installer.rst b/certbot-postfix/docs/api/installer.rst new file mode 100644 index 000000000..121d58d5b --- /dev/null +++ b/certbot-postfix/docs/api/installer.rst @@ -0,0 +1,5 @@ +:mod:`certbot_postfix.installer` +-------------------------------------- + +.. automodule:: certbot_postfix.installer + :members: diff --git a/certbot-postfix/docs/api/postconf.rst b/certbot-postfix/docs/api/postconf.rst new file mode 100644 index 000000000..917150e45 --- /dev/null +++ b/certbot-postfix/docs/api/postconf.rst @@ -0,0 +1,5 @@ +:mod:`certbot_postfix.postconf` +------------------------------- + +.. automodule:: certbot_postfix.postconf + :members: diff --git a/certbot-postfix/docs/conf.py b/certbot-postfix/docs/conf.py new file mode 100644 index 000000000..51d99aab5 --- /dev/null +++ b/certbot-postfix/docs/conf.py @@ -0,0 +1,190 @@ +# -*- coding: utf-8 -*- +# +# Configuration file for the Sphinx documentation builder. +# +# This file does only contain a selection of the most common options. For a +# full list see the documentation: +# http://www.sphinx-doc.org/en/master/config + +# -- Path setup -------------------------------------------------------------- + +# If extensions (or modules to document with autodoc) are in another directory, +# add these directories to sys.path here. If the directory is relative to the +# documentation root, use os.path.abspath to make it absolute, like shown here. +# +import os +# import sys +# sys.path.insert(0, os.path.abspath('.')) + + +# -- Project information ----------------------------------------------------- + +project = u'certbot-postfix' +copyright = u'2018, Certbot Project' +author = u'Certbot Project' + +# The short X.Y version +version = u'0' +# The full version, including alpha/beta/rc tags +release = u'0' + + +# -- General configuration --------------------------------------------------- + +# If your documentation needs a minimal Sphinx version, state it here. +# +needs_sphinx = '1.0' + +# Add any Sphinx extension module names here, as strings. They can be +# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom +# ones. +extensions = [ + 'sphinx.ext.autodoc', + 'sphinx.ext.intersphinx', + 'sphinx.ext.todo', + 'sphinx.ext.coverage', + 'sphinx.ext.viewcode', +] + +autodoc_member_order = 'bysource' +autodoc_default_flags = ['show-inheritance', 'private-members'] + +# Add any paths that contain templates here, relative to this directory. +templates_path = ['_templates'] + +# The suffix(es) of source filenames. +# You can specify multiple suffix as a list of string: +# +# source_suffix = ['.rst', '.md'] +source_suffix = '.rst' + +# The master toctree document. +master_doc = 'index' + +# The language for content autogenerated by Sphinx. Refer to documentation +# for a list of supported languages. +# +# This is also used if you do content translation via gettext catalogs. +# Usually you set "language" from the command line for these cases. +language = u'en' + +# List of patterns, relative to source directory, that match files and +# directories to ignore when looking for source files. +# This pattern also affects html_static_path and html_extra_path . +exclude_patterns = [u'_build', 'Thumbs.db', '.DS_Store'] + +default_role = 'py:obj' + +# The name of the Pygments (syntax highlighting) style to use. +pygments_style = 'sphinx' + + +# -- Options for HTML output ------------------------------------------------- + +# The theme to use for HTML and HTML Help pages. See the documentation for +# a list of builtin themes. +# + +# http://docs.readthedocs.org/en/latest/theme.html#how-do-i-use-this-locally-and-on-read-the-docs +# on_rtd is whether we are on readthedocs.org +on_rtd = os.environ.get('READTHEDOCS', None) == 'True' +if not on_rtd: # only import and set the theme if we're building docs locally + import sphinx_rtd_theme + html_theme = 'sphinx_rtd_theme' + html_theme_path = [sphinx_rtd_theme.get_html_theme_path()] +# otherwise, readthedocs.org uses their theme by default, so no need to specify it + +# Theme options are theme-specific and customize the look and feel of a theme +# further. For a list of options available for each theme, see the +# documentation. +# +# html_theme_options = {} + +# Add any paths that contain custom static files (such as style sheets) here, +# relative to this directory. They are copied after the builtin static files, +# so a file named "default.css" will overwrite the builtin "default.css". +# html_static_path = ['_static'] + +# Custom sidebar templates, must be a dictionary that maps document names +# to template names. +# +# The default sidebars (for documents that don't match any pattern) are +# defined by theme itself. Builtin themes are using these templates by +# default: ``['localtoc.html', 'relations.html', 'sourcelink.html', +# 'searchbox.html']``. +# +# html_sidebars = {} + + +# -- Options for HTMLHelp output --------------------------------------------- + +# Output file base name for HTML help builder. +htmlhelp_basename = 'certbot-postfixdoc' + + +# -- Options for LaTeX output ------------------------------------------------ + +latex_elements = { + # The paper size ('letterpaper' or 'a4paper'). + # + # 'papersize': 'letterpaper', + + # The font size ('10pt', '11pt' or '12pt'). + # + # 'pointsize': '10pt', + + # Additional stuff for the LaTeX preamble. + # + # 'preamble': '', + + # Latex figure (float) alignment + # + # 'figure_align': 'htbp', +} + +# Grouping the document tree into LaTeX files. List of tuples +# (source start file, target name, title, +# author, documentclass [howto, manual, or own class]). +latex_documents = [ + (master_doc, 'certbot-postfix.tex', u'certbot-postfix Documentation', + u'Certbot Project', 'manual'), +] + + +# -- Options for manual page output ------------------------------------------ + +# One entry per manual page. List of tuples +# (source start file, name, description, authors, manual section). +man_pages = [ + (master_doc, 'certbot-postfix', u'certbot-postfix Documentation', + [author], 1) +] + + +# -- Options for Texinfo output ---------------------------------------------- + +# Grouping the document tree into Texinfo files. List of tuples +# (source start file, target name, title, author, +# dir menu entry, description, category) +texinfo_documents = [ + (master_doc, 'certbot-postfix', u'certbot-postfix Documentation', + author, 'certbot-postfix', 'One line description of project.', + 'Miscellaneous'), +] + + +# -- Extension configuration ------------------------------------------------- + +# -- Options for intersphinx extension --------------------------------------- + +# Example configuration for intersphinx: refer to the Python standard library. +intersphinx_mapping = { + 'python': ('https://docs.python.org/', None), + 'acme': ('https://acme-python.readthedocs.org/en/latest/', None), + 'certbot': ('https://certbot.eff.org/docs/', None), +} + +# -- Options for todo extension ---------------------------------------------- + +# If true, `todo` and `todoList` produce output, else they produce nothing. +todo_include_todos = True diff --git a/certbot-postfix/docs/index.rst b/certbot-postfix/docs/index.rst new file mode 100644 index 000000000..3d6697bcb --- /dev/null +++ b/certbot-postfix/docs/index.rst @@ -0,0 +1,28 @@ +.. certbot-postfix documentation master file, created by + sphinx-quickstart on Wed May 2 16:01:06 2018. + You can adapt this file completely to your liking, but it should at least + contain the root `toctree` directive. + +Welcome to certbot-postfix's documentation! +=========================================== + +.. toctree:: + :maxdepth: 2 + :caption: Contents: + +.. automodule:: certbot_postfix + :members: + +.. toctree:: + :maxdepth: 1 + + api + + + +Indices and tables +================== + +* :ref:`genindex` +* :ref:`modindex` +* :ref:`search` diff --git a/certbot-postfix/docs/make.bat b/certbot-postfix/docs/make.bat new file mode 100644 index 000000000..23fbdc93c --- /dev/null +++ b/certbot-postfix/docs/make.bat @@ -0,0 +1,36 @@ +@ECHO OFF + +pushd %~dp0 + +REM Command file for Sphinx documentation + +if "%SPHINXBUILD%" == "" ( + set SPHINXBUILD=sphinx-build +) +set SOURCEDIR=. +set BUILDDIR=_build +set SPHINXPROJ=certbot-postfix + +if "%1" == "" goto help + +%SPHINXBUILD% >NUL 2>NUL +if errorlevel 9009 ( + echo. + echo.The 'sphinx-build' command was not found. Make sure you have Sphinx + echo.installed, then set the SPHINXBUILD environment variable to point + echo.to the full path of the 'sphinx-build' executable. Alternatively you + echo.may add the Sphinx directory to PATH. + echo. + echo.If you don't have Sphinx installed, grab it from + echo.http://sphinx-doc.org/ + exit /b 1 +) + +%SPHINXBUILD% -M %1 %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% +goto end + +:help +%SPHINXBUILD% -M help %SOURCEDIR% %BUILDDIR% %SPHINXOPTS% + +:end +popd diff --git a/certbot-postfix/local-oldest-requirements.txt b/certbot-postfix/local-oldest-requirements.txt new file mode 100644 index 000000000..bc0cdbf00 --- /dev/null +++ b/certbot-postfix/local-oldest-requirements.txt @@ -0,0 +1,2 @@ +acme[dev]==0.25.0 +certbot[dev]==0.23.0 diff --git a/certbot-postfix/setup.py b/certbot-postfix/setup.py index 2fdcd46aa..cde1ac7c2 100644 --- a/certbot-postfix/setup.py +++ b/certbot-postfix/setup.py @@ -1,21 +1,23 @@ -import sys - from setuptools import setup from setuptools import find_packages -version = '0.18.0.dev0' +version = '0.26.0.dev0' install_requires = [ - 'acme=={0}'.format(version), - 'certbot=={0}'.format(version), - # For pkg_resources. >=1.0 so pip resolves it to a version cryptography - # will tolerate; see #2599: - 'setuptools>=1.0', + 'acme>=0.25.0', + 'certbot>0.23.0', + 'setuptools', 'six', + 'zope.component', 'zope.interface', ] +docs_extras = [ + 'Sphinx>=1.0', # autodoc_member_order = 'bysource', autodoc_default_flags + 'sphinx_rtd_theme', +] + setup( name='certbot-postfix', version=version, @@ -24,6 +26,7 @@ setup( author="Certbot Project", author_email='client-dev@letsencrypt.org', license='Apache License 2.0', + python_requires='>=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*', classifiers=[ 'Development Status :: 3 - Alpha', 'Environment :: Plugins', @@ -32,10 +35,8 @@ setup( 'Operating System :: POSIX :: Linux', 'Programming Language :: Python', 'Programming Language :: Python :: 2', - 'Programming Language :: Python :: 2.6', 'Programming Language :: Python :: 2.7', 'Programming Language :: Python :: 3', - 'Programming Language :: Python :: 3.3', 'Programming Language :: Python :: 3.4', 'Programming Language :: Python :: 3.5', 'Programming Language :: Python :: 3.6', @@ -50,6 +51,9 @@ setup( packages=find_packages(), include_package_data=True, install_requires=install_requires, + extras_require={ + 'docs': docs_extras, + }, entry_points={ 'certbot.plugins': [ 'postfix = certbot_postfix:Installer', diff --git a/certbot/constants.py b/certbot/constants.py index dfdfcc0e8..cd77fb72d 100644 --- a/certbot/constants.py +++ b/certbot/constants.py @@ -64,7 +64,7 @@ RENEWER_DEFAULTS = dict( """Defaults for renewer script.""" -ENHANCEMENTS = ["redirect", "http-header", "ocsp-stapling", "spdy"] +ENHANCEMENTS = ["redirect", "ensure-http-header", "ocsp-stapling", "spdy", "starttls-policy"] """List of possible :class:`certbot.interfaces.IInstaller` enhancements. diff --git a/certbot/plugins/disco.py b/certbot/plugins/disco.py index 37baf98f7..01b6ad5e9 100644 --- a/certbot/plugins/disco.py +++ b/certbot/plugins/disco.py @@ -39,6 +39,7 @@ class PluginEntryPoint(object): "certbot-dns-rfc2136", "certbot-dns-route53", "certbot-nginx", + "certbot-postfix", ] """Distributions for which prefix will be omitted.""" From 3877af6619f690e64fa750f83e12c7a744336a25 Mon Sep 17 00:00:00 2001 From: Joona Hoikkala Date: Thu, 21 Jun 2018 17:27:19 +0300 Subject: [PATCH 237/256] Gradually increasing HSTS max-age (#5912) This PR adds the functionality to enhance Apache configuration to include HTTP Strict Transport Security header with a low initial max-age value. The max-age value will get increased on every (scheduled) run of certbot renew regardless of the certificate actually getting renewed, if the last increase took place longer than ten hours ago. The increase steps are visible in constants.AUTOHSTS_STEPS. Upon the first actual renewal after reaching the maximum increase step, the max-age value will be made "permanent" and will get value of one year. To achieve accurate VirtualHost discovery on subsequent runs, a comment with unique id string will be added to each enhanced VirtualHost. * AutoHSTS code rebased on master * Fixes to match the changes in master * Make linter happy with metaclass registration * Address small review comments * Use new enhancement interfaces * New style enhancement changes * Do not allow --hsts and --auto-hsts simultaneuously * MyPy annotation fixes and added test * Change oldest requrements to point to local certbot core version * Enable new style enhancements for run and install verbs * Test refactor * New test class for main.install tests * Move a test to a correct test class --- certbot-apache/certbot_apache/apache_util.py | 6 + certbot-apache/certbot_apache/configurator.py | 312 +++++++++++++++++- certbot-apache/certbot_apache/constants.py | 13 + certbot-apache/certbot_apache/parser.py | 32 ++ .../certbot_apache/tests/autohsts_test.py | 181 ++++++++++ .../certbot_apache/tests/configurator_test.py | 15 + .../certbot_apache/tests/parser_test.py | 7 + certbot-apache/local-oldest-requirements.txt | 2 +- certbot-apache/setup.py | 2 +- certbot/cli.py | 8 + certbot/constants.py | 1 + certbot/main.py | 44 ++- certbot/plugins/enhancements.py | 159 +++++++++ certbot/plugins/enhancements_test.py | 65 ++++ certbot/tests/main_test.py | 82 ++++- certbot/tests/renewupdater_test.py | 87 +++-- certbot/updater.py | 46 +++ 17 files changed, 1027 insertions(+), 35 deletions(-) create mode 100644 certbot-apache/certbot_apache/tests/autohsts_test.py create mode 100644 certbot/plugins/enhancements.py create mode 100644 certbot/plugins/enhancements_test.py diff --git a/certbot-apache/certbot_apache/apache_util.py b/certbot-apache/certbot_apache/apache_util.py index f03c9da87..62342004f 100644 --- a/certbot-apache/certbot_apache/apache_util.py +++ b/certbot-apache/certbot_apache/apache_util.py @@ -1,4 +1,5 @@ """ Utility functions for certbot-apache plugin """ +import binascii import os from certbot import util @@ -98,3 +99,8 @@ def parse_define_file(filepath, varname): var_parts = v[2:].partition("=") return_vars[var_parts[0]] = var_parts[2] return return_vars + + +def unique_id(): + """ Returns an unique id to be used as a VirtualHost identifier""" + return binascii.hexlify(os.urandom(16)).decode("utf-8") diff --git a/certbot-apache/certbot_apache/configurator.py b/certbot-apache/certbot_apache/configurator.py index 861fe4458..ab83a5332 100644 --- a/certbot-apache/certbot_apache/configurator.py +++ b/certbot-apache/certbot_apache/configurator.py @@ -13,7 +13,7 @@ import zope.component import zope.interface from acme import challenges -from acme.magic_typing import DefaultDict, Dict, List, Set # pylint: disable=unused-import, no-name-in-module +from acme.magic_typing import Any, DefaultDict, Dict, List, Set, Union # pylint: disable=unused-import, no-name-in-module from certbot import errors from certbot import interfaces @@ -22,6 +22,7 @@ from certbot import util from certbot.achallenges import KeyAuthorizationAnnotatedChallenge # pylint: disable=unused-import from certbot.plugins import common from certbot.plugins.util import path_surgery +from certbot.plugins.enhancements import AutoHSTSEnhancement from certbot_apache import apache_util from certbot_apache import augeas_configurator @@ -160,6 +161,8 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): self._wildcard_vhosts = dict() # type: Dict[str, List[obj.VirtualHost]] # Maps enhancements to vhosts we've enabled the enhancement for self._enhanced_vhosts = defaultdict(set) # type: DefaultDict[str, Set[obj.VirtualHost]] + # Temporary state for AutoHSTS enhancement + self._autohsts = {} # type: Dict[str, Dict[str, Union[int, float]]] # These will be set in the prepare function self.parser = None @@ -1472,6 +1475,67 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): if need_to_save: self.save() + def find_vhost_by_id(self, id_str): + """ + Searches through VirtualHosts and tries to match the id in a comment + + :param str id_str: Id string for matching + + :returns: The matched VirtualHost or None + :rtype: :class:`~certbot_apache.obj.VirtualHost` or None + + :raises .errors.PluginError: If no VirtualHost is found + """ + + for vh in self.vhosts: + if self._find_vhost_id(vh) == id_str: + return vh + msg = "No VirtualHost with ID {} was found.".format(id_str) + logger.warning(msg) + raise errors.PluginError(msg) + + def _find_vhost_id(self, vhost): + """Tries to find the unique ID from the VirtualHost comments. This is + used for keeping track of VirtualHost directive over time. + + :param vhost: Virtual host to add the id + :type vhost: :class:`~certbot_apache.obj.VirtualHost` + + :returns: The unique ID or None + :rtype: str or None + """ + + # Strip the {} off from the format string + search_comment = constants.MANAGED_COMMENT_ID.format("") + + id_comment = self.parser.find_comments(search_comment, vhost.path) + if id_comment: + # Use the first value, multiple ones shouldn't exist + comment = self.parser.get_arg(id_comment[0]) + return comment.split(" ")[-1] + return None + + def add_vhost_id(self, vhost): + """Adds an unique ID to the VirtualHost as a comment for mapping back + to it on later invocations, as the config file order might have changed. + If ID already exists, returns that instead. + + :param vhost: Virtual host to add or find the id + :type vhost: :class:`~certbot_apache.obj.VirtualHost` + + :returns: The unique ID for vhost + :rtype: str or None + """ + + vh_id = self._find_vhost_id(vhost) + if vh_id: + return vh_id + + id_string = apache_util.unique_id() + comment = constants.MANAGED_COMMENT_ID.format(id_string) + self.parser.add_comment(vhost.path, comment) + return id_string + def _escape(self, fp): fp = fp.replace(",", "\\,") fp = fp.replace("[", "\\[") @@ -1531,6 +1595,78 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): logger.warning("Failed %s for %s", enhancement, domain) raise + def _autohsts_increase(self, vhost, id_str, nextstep): + """Increase the AutoHSTS max-age value + + :param vhost: Virtual host object to modify + :type vhost: :class:`~certbot_apache.obj.VirtualHost` + + :param str id_str: The unique ID string of VirtualHost + + :param int nextstep: Next AutoHSTS max-age value index + + """ + nextstep_value = constants.AUTOHSTS_STEPS[nextstep] + self._autohsts_write(vhost, nextstep_value) + self._autohsts[id_str] = {"laststep": nextstep, "timestamp": time.time()} + + def _autohsts_write(self, vhost, nextstep_value): + """ + Write the new HSTS max-age value to the VirtualHost file + """ + + hsts_dirpath = None + header_path = self.parser.find_dir("Header", None, vhost.path) + if header_path: + pat = '(?:[ "]|^)(strict-transport-security)(?:[ "]|$)' + for match in header_path: + if re.search(pat, self.aug.get(match).lower()): + hsts_dirpath = match + if not hsts_dirpath: + err_msg = ("Certbot was unable to find the existing HSTS header " + "from the VirtualHost at path {0}.").format(vhost.filep) + raise errors.PluginError(err_msg) + + # Prepare the HSTS header value + hsts_maxage = "\"max-age={0}\"".format(nextstep_value) + + # Update the header + # Our match statement was for string strict-transport-security, but + # we need to update the value instead. The next index is for the value + hsts_dirpath = hsts_dirpath.replace("arg[3]", "arg[4]") + self.aug.set(hsts_dirpath, hsts_maxage) + note_msg = ("Increasing HSTS max-age value to {0} for VirtualHost " + "in {1}\n".format(nextstep_value, vhost.filep)) + logger.debug(note_msg) + self.save_notes += note_msg + self.save(note_msg) + + def _autohsts_fetch_state(self): + """ + Populates the AutoHSTS state from the pluginstorage + """ + try: + self._autohsts = self.storage.fetch("autohsts") + except KeyError: + self._autohsts = dict() + + def _autohsts_save_state(self): + """ + Saves the state of AutoHSTS object to pluginstorage + """ + self.storage.put("autohsts", self._autohsts) + self.storage.save() + + def _autohsts_vhost_in_lineage(self, vhost, lineage): + """ + Searches AutoHSTS managed VirtualHosts that belong to the lineage. + Matches the private key path. + """ + + return bool( + self.parser.find_dir("SSLCertificateKeyFile", + lineage.key_path, vhost.path)) + def _enable_ocsp_stapling(self, ssl_vhost, unused_options): """Enables OCSP Stapling @@ -2158,3 +2294,177 @@ class ApacheConfigurator(augeas_configurator.AugeasConfigurator): # to be modified. return common.install_version_controlled_file(options_ssl, options_ssl_digest, self.constant("MOD_SSL_CONF_SRC"), constants.ALL_SSL_OPTIONS_HASHES) + + def enable_autohsts(self, _unused_lineage, domains): + """ + Enable the AutoHSTS enhancement for defined domains + + :param _unused_lineage: Certificate lineage object, unused + :type _unused_lineage: certbot.storage.RenewableCert + + :param domains: List of domains in certificate to enhance + :type domains: str + """ + + self._autohsts_fetch_state() + _enhanced_vhosts = [] + for d in domains: + matched_vhosts = self.choose_vhosts(d, create_if_no_ssl=False) + # We should be handling only SSL vhosts for AutoHSTS + vhosts = [vhost for vhost in matched_vhosts if vhost.ssl] + + if not vhosts: + msg_tmpl = ("Certbot was not able to find SSL VirtualHost for a " + "domain {0} for enabling AutoHSTS enhancement.") + msg = msg_tmpl.format(d) + logger.warning(msg) + raise errors.PluginError(msg) + for vh in vhosts: + try: + self._enable_autohsts_domain(vh) + _enhanced_vhosts.append(vh) + except errors.PluginEnhancementAlreadyPresent: + if vh in _enhanced_vhosts: + continue + msg = ("VirtualHost for domain {0} in file {1} has a " + + "String-Transport-Security header present, exiting.") + raise errors.PluginEnhancementAlreadyPresent( + msg.format(d, vh.filep)) + if _enhanced_vhosts: + note_msg = "Enabling AutoHSTS" + self.save(note_msg) + logger.info(note_msg) + self.restart() + + # Save the current state to pluginstorage + self._autohsts_save_state() + + def _enable_autohsts_domain(self, ssl_vhost): + """Do the initial AutoHSTS deployment to a vhost + + :param ssl_vhost: The VirtualHost object to deploy the AutoHSTS + :type ssl_vhost: :class:`~certbot_apache.obj.VirtualHost` or None + + :raises errors.PluginEnhancementAlreadyPresent: When already enhanced + + """ + # This raises the exception + self._verify_no_matching_http_header(ssl_vhost, + "Strict-Transport-Security") + + if "headers_module" not in self.parser.modules: + self.enable_mod("headers") + # Prepare the HSTS header value + hsts_header = constants.HEADER_ARGS["Strict-Transport-Security"][:-1] + initial_maxage = constants.AUTOHSTS_STEPS[0] + hsts_header.append("\"max-age={0}\"".format(initial_maxage)) + + # Add ID to the VirtualHost for mapping back to it later + uniq_id = self.add_vhost_id(ssl_vhost) + self.save_notes += "Adding unique ID {0} to VirtualHost in {1}\n".format( + uniq_id, ssl_vhost.filep) + # Add the actual HSTS header + self.parser.add_dir(ssl_vhost.path, "Header", hsts_header) + note_msg = ("Adding gradually increasing HSTS header with initial value " + "of {0} to VirtualHost in {1}\n".format( + initial_maxage, ssl_vhost.filep)) + self.save_notes += note_msg + + # Save the current state to pluginstorage + self._autohsts[uniq_id] = {"laststep": 0, "timestamp": time.time()} + + def update_autohsts(self, _unused_domain): + """ + Increase the AutoHSTS values of VirtualHosts that the user has enabled + this enhancement for. + + :param _unused_domain: Not currently used + :type _unused_domain: Not Available + + """ + self._autohsts_fetch_state() + if not self._autohsts: + # No AutoHSTS enabled for any domain + return + curtime = time.time() + save_and_restart = False + for id_str, config in list(self._autohsts.items()): + if config["timestamp"] + constants.AUTOHSTS_FREQ > curtime: + # Skip if last increase was < AUTOHSTS_FREQ ago + continue + nextstep = config["laststep"] + 1 + if nextstep < len(constants.AUTOHSTS_STEPS): + # Have not reached the max value yet + try: + vhost = self.find_vhost_by_id(id_str) + except errors.PluginError: + msg = ("Could not find VirtualHost with ID {0}, disabling " + "AutoHSTS for this VirtualHost").format(id_str) + logger.warning(msg) + # Remove the orphaned AutoHSTS entry from pluginstorage + self._autohsts.pop(id_str) + continue + self._autohsts_increase(vhost, id_str, nextstep) + msg = ("Increasing HSTS max-age value for VirtualHost with id " + "{0}").format(id_str) + self.save_notes += msg + save_and_restart = True + + if save_and_restart: + self.save("Increased HSTS max-age values") + self.restart() + + self._autohsts_save_state() + + def deploy_autohsts(self, lineage): + """ + Checks if autohsts vhost has reached maximum auto-increased value + and changes the HSTS max-age to a high value. + + :param lineage: Certificate lineage object + :type lineage: certbot.storage.RenewableCert + """ + self._autohsts_fetch_state() + if not self._autohsts: + # No autohsts enabled for any vhost + return + + vhosts = [] + affected_ids = [] + # Copy, as we are removing from the dict inside the loop + for id_str, config in list(self._autohsts.items()): + if config["laststep"]+1 >= len(constants.AUTOHSTS_STEPS): + # max value reached, try to make permanent + try: + vhost = self.find_vhost_by_id(id_str) + except errors.PluginError: + msg = ("VirtualHost with id {} was not found, unable to " + "make HSTS max-age permanent.").format(id_str) + logger.warning(msg) + self._autohsts.pop(id_str) + continue + if self._autohsts_vhost_in_lineage(vhost, lineage): + vhosts.append(vhost) + affected_ids.append(id_str) + + save_and_restart = False + for vhost in vhosts: + self._autohsts_write(vhost, constants.AUTOHSTS_PERMANENT) + msg = ("Strict-Transport-Security max-age value for " + "VirtualHost in {0} was made permanent.").format(vhost.filep) + logger.debug(msg) + self.save_notes += msg+"\n" + save_and_restart = True + + if save_and_restart: + self.save("Made HSTS max-age permanent") + self.restart() + + for id_str in affected_ids: + self._autohsts.pop(id_str) + + # Update AutoHSTS storage (We potentially removed vhosts from managed) + self._autohsts_save_state() + + +AutoHSTSEnhancement.register(ApacheConfigurator) # pylint: disable=no-member diff --git a/certbot-apache/certbot_apache/constants.py b/certbot-apache/certbot_apache/constants.py index fd6a9eb11..23a7b7afd 100644 --- a/certbot-apache/certbot_apache/constants.py +++ b/certbot-apache/certbot_apache/constants.py @@ -48,3 +48,16 @@ UIR_ARGS = ["always", "set", "Content-Security-Policy", HEADER_ARGS = {"Strict-Transport-Security": HSTS_ARGS, "Upgrade-Insecure-Requests": UIR_ARGS} + +AUTOHSTS_STEPS = [60, 300, 900, 3600, 21600, 43200, 86400] +"""AutoHSTS increase steps: 1min, 5min, 15min, 1h, 6h, 12h, 24h""" + +AUTOHSTS_PERMANENT = 31536000 +"""Value for the last max-age of HSTS""" + +AUTOHSTS_FREQ = 172800 +"""Minimum time since last increase to perform a new one: 48h""" + +MANAGED_COMMENT = "DO NOT REMOVE - Managed by Certbot" +MANAGED_COMMENT_ID = MANAGED_COMMENT+", VirtualHost id: {0}" +"""Managed by Certbot comments and the VirtualHost identification template""" diff --git a/certbot-apache/certbot_apache/parser.py b/certbot-apache/certbot_apache/parser.py index 43878eda2..02337f8d4 100644 --- a/certbot-apache/certbot_apache/parser.py +++ b/certbot-apache/certbot_apache/parser.py @@ -16,6 +16,7 @@ logger = logging.getLogger(__name__) class ApacheParser(object): + # pylint: disable=too-many-public-methods """Class handles the fine details of parsing the Apache Configuration. .. todo:: Make parsing general... remove sites-available etc... @@ -350,6 +351,37 @@ class ApacheParser(object): else: self.aug.set(first_dir + "/arg", args) + def add_comment(self, aug_conf_path, comment): + """Adds the comment to the augeas path + + :param str aug_conf_path: Augeas configuration path to add directive + :param str comment: Comment content + + """ + self.aug.set(aug_conf_path + "/#comment[last() + 1]", comment) + + def find_comments(self, arg, start=None): + """Finds a comment with specified content from the provided DOM path + + :param str arg: Comment content to search + :param str start: Beginning Augeas path to begin looking + + :returns: List of augeas paths containing the comment content + :rtype: list + + """ + if not start: + start = get_aug_path(self.root) + + comments = self.aug.match("%s//*[label() = '#comment']" % start) + + results = [] + for comment in comments: + c_content = self.aug.get(comment) + if c_content and arg in c_content: + results.append(comment) + return results + def find_dir(self, directive, arg=None, start=None, exclude=True): """Finds directive in the configuration. diff --git a/certbot-apache/certbot_apache/tests/autohsts_test.py b/certbot-apache/certbot_apache/tests/autohsts_test.py new file mode 100644 index 000000000..86d985079 --- /dev/null +++ b/certbot-apache/certbot_apache/tests/autohsts_test.py @@ -0,0 +1,181 @@ +# pylint: disable=too-many-public-methods,too-many-lines +"""Test for certbot_apache.configurator AutoHSTS functionality""" +import re +import unittest +import mock +# six is used in mock.patch() +import six # pylint: disable=unused-import + +from certbot import errors +from certbot_apache import constants +from certbot_apache.tests import util + + +class AutoHSTSTest(util.ApacheTest): + """Tests for AutoHSTS feature""" + # pylint: disable=protected-access + + def setUp(self): # pylint: disable=arguments-differ + super(AutoHSTSTest, self).setUp() + + self.config = util.get_apache_configurator( + self.config_path, self.vhost_path, self.config_dir, self.work_dir) + self.config.parser.modules.add("headers_module") + self.config.parser.modules.add("mod_headers.c") + self.config.parser.modules.add("ssl_module") + self.config.parser.modules.add("mod_ssl.c") + + self.vh_truth = util.get_vh_truth( + self.temp_dir, "debian_apache_2_4/multiple_vhosts") + + def get_autohsts_value(self, vh_path): + """ Get value from Strict-Transport-Security header """ + header_path = self.config.parser.find_dir("Header", None, vh_path) + if header_path: + pat = '(?:[ "]|^)(strict-transport-security)(?:[ "]|$)' + for head in header_path: + if re.search(pat, self.config.parser.aug.get(head).lower()): + return self.config.parser.aug.get(head.replace("arg[3]", + "arg[4]")) + + @mock.patch("certbot_apache.configurator.ApacheConfigurator.restart") + @mock.patch("certbot_apache.configurator.ApacheConfigurator.enable_mod") + def test_autohsts_enable_headers_mod(self, mock_enable, _restart): + self.config.parser.modules.discard("headers_module") + self.config.parser.modules.discard("mod_header.c") + self.config.enable_autohsts(mock.MagicMock(), ["ocspvhost.com"]) + self.assertTrue(mock_enable.called) + + @mock.patch("certbot_apache.configurator.ApacheConfigurator.restart") + def test_autohsts_deploy_already_exists(self, _restart): + self.config.enable_autohsts(mock.MagicMock(), ["ocspvhost.com"]) + self.assertRaises(errors.PluginEnhancementAlreadyPresent, + self.config.enable_autohsts, + mock.MagicMock(), ["ocspvhost.com"]) + + @mock.patch("certbot_apache.constants.AUTOHSTS_FREQ", 0) + @mock.patch("certbot_apache.configurator.ApacheConfigurator.restart") + def test_autohsts_increase(self, _mock_restart): + maxage = "\"max-age={0}\"" + initial_val = maxage.format(constants.AUTOHSTS_STEPS[0]) + inc_val = maxage.format(constants.AUTOHSTS_STEPS[1]) + + self.config.enable_autohsts(mock.MagicMock(), ["ocspvhost.com"]) + # Verify initial value + self.assertEquals(self.get_autohsts_value(self.vh_truth[7].path), + initial_val) + # Increase + self.config.update_autohsts(mock.MagicMock()) + # Verify increased value + self.assertEquals(self.get_autohsts_value(self.vh_truth[7].path), + inc_val) + + @mock.patch("certbot_apache.configurator.ApacheConfigurator.restart") + @mock.patch("certbot_apache.configurator.ApacheConfigurator._autohsts_increase") + def test_autohsts_increase_noop(self, mock_increase, _restart): + maxage = "\"max-age={0}\"" + initial_val = maxage.format(constants.AUTOHSTS_STEPS[0]) + self.config.enable_autohsts(mock.MagicMock(), ["ocspvhost.com"]) + # Verify initial value + self.assertEquals(self.get_autohsts_value(self.vh_truth[7].path), + initial_val) + + self.config.update_autohsts(mock.MagicMock()) + # Freq not patched, so value shouldn't increase + self.assertFalse(mock_increase.called) + + + @mock.patch("certbot_apache.configurator.ApacheConfigurator.restart") + @mock.patch("certbot_apache.constants.AUTOHSTS_FREQ", 0) + def test_autohsts_increase_no_header(self, _restart): + self.config.enable_autohsts(mock.MagicMock(), ["ocspvhost.com"]) + # Remove the header + dir_locs = self.config.parser.find_dir("Header", None, + self.vh_truth[7].path) + dir_loc = "/".join(dir_locs[0].split("/")[:-1]) + self.config.parser.aug.remove(dir_loc) + self.assertRaises(errors.PluginError, + self.config.update_autohsts, + mock.MagicMock()) + + @mock.patch("certbot_apache.constants.AUTOHSTS_FREQ", 0) + @mock.patch("certbot_apache.configurator.ApacheConfigurator.restart") + def test_autohsts_increase_and_make_permanent(self, _mock_restart): + maxage = "\"max-age={0}\"" + max_val = maxage.format(constants.AUTOHSTS_PERMANENT) + mock_lineage = mock.MagicMock() + mock_lineage.key_path = "/etc/apache2/ssl/key-certbot_15.pem" + self.config.enable_autohsts(mock.MagicMock(), ["ocspvhost.com"]) + for i in range(len(constants.AUTOHSTS_STEPS)-1): + # Ensure that value is not made permanent prematurely + self.config.deploy_autohsts(mock_lineage) + self.assertNotEquals(self.get_autohsts_value(self.vh_truth[7].path), + max_val) + self.config.update_autohsts(mock.MagicMock()) + # Value should match pre-permanent increment step + cur_val = maxage.format(constants.AUTOHSTS_STEPS[i+1]) + self.assertEquals(self.get_autohsts_value(self.vh_truth[7].path), + cur_val) + # Make permanent + self.config.deploy_autohsts(mock_lineage) + self.assertEquals(self.get_autohsts_value(self.vh_truth[7].path), + max_val) + + def test_autohsts_update_noop(self): + with mock.patch("time.time") as mock_time: + # Time mock is used to make sure that the execution does not + # continue when no autohsts entries exist in pluginstorage + self.config.update_autohsts(mock.MagicMock()) + self.assertFalse(mock_time.called) + + def test_autohsts_make_permanent_noop(self): + self.config.storage.put = mock.MagicMock() + self.config.deploy_autohsts(mock.MagicMock()) + # Make sure that the execution does not continue when no entries in store + self.assertFalse(self.config.storage.put.called) + + @mock.patch("certbot_apache.display_ops.select_vhost") + def test_autohsts_no_ssl_vhost(self, mock_select): + mock_select.return_value = self.vh_truth[0] + with mock.patch("certbot_apache.configurator.logger.warning") as mock_log: + self.assertRaises(errors.PluginError, + self.config.enable_autohsts, + mock.MagicMock(), "invalid.example.com") + self.assertTrue( + "Certbot was not able to find SSL" in mock_log.call_args[0][0]) + + @mock.patch("certbot_apache.configurator.ApacheConfigurator.restart") + @mock.patch("certbot_apache.configurator.ApacheConfigurator.add_vhost_id") + def test_autohsts_dont_enhance_twice(self, mock_id, _restart): + mock_id.return_value = "1234567" + self.config.enable_autohsts(mock.MagicMock(), + ["ocspvhost.com", "ocspvhost.com"]) + self.assertEquals(mock_id.call_count, 1) + + def test_autohsts_remove_orphaned(self): + # pylint: disable=protected-access + self.config._autohsts_fetch_state() + self.config._autohsts["orphan_id"] = {"laststep": 0, "timestamp": 0} + + self.config._autohsts_save_state() + self.config.update_autohsts(mock.MagicMock()) + self.assertFalse("orphan_id" in self.config._autohsts) + # Make sure it's removed from the pluginstorage file as well + self.config._autohsts = None + self.config._autohsts_fetch_state() + self.assertFalse(self.config._autohsts) + + def test_autohsts_make_permanent_vhost_not_found(self): + # pylint: disable=protected-access + self.config._autohsts_fetch_state() + self.config._autohsts["orphan_id"] = {"laststep": 999, "timestamp": 0} + self.config._autohsts_save_state() + with mock.patch("certbot_apache.configurator.logger.warning") as mock_log: + self.config.deploy_autohsts(mock.MagicMock()) + self.assertTrue(mock_log.called) + self.assertTrue( + "VirtualHost with id orphan_id was not" in mock_log.call_args[0][0]) + + +if __name__ == "__main__": + unittest.main() # pragma: no cover diff --git a/certbot-apache/certbot_apache/tests/configurator_test.py b/certbot-apache/certbot_apache/tests/configurator_test.py index 23c1ee82b..350262634 100644 --- a/certbot-apache/certbot_apache/tests/configurator_test.py +++ b/certbot-apache/certbot_apache/tests/configurator_test.py @@ -1487,6 +1487,21 @@ class MultipleVhostsTest(util.ApacheTest): "Upgrade-Insecure-Requests") self.assertTrue(mock_choose.called) + def test_add_vhost_id(self): + for vh in [self.vh_truth[0], self.vh_truth[1], self.vh_truth[2]]: + vh_id = self.config.add_vhost_id(vh) + self.assertEqual(vh, self.config.find_vhost_by_id(vh_id)) + + def test_find_vhost_by_id_404(self): + self.assertRaises(errors.PluginError, + self.config.find_vhost_by_id, + "nonexistent") + + def test_add_vhost_id_already_exists(self): + first_id = self.config.add_vhost_id(self.vh_truth[0]) + second_id = self.config.add_vhost_id(self.vh_truth[0]) + self.assertEqual(first_id, second_id) + class AugeasVhostsTest(util.ApacheTest): """Test vhosts with illegal names dependent on augeas version.""" diff --git a/certbot-apache/certbot_apache/tests/parser_test.py b/certbot-apache/certbot_apache/tests/parser_test.py index 4496781c9..f95f1b346 100644 --- a/certbot-apache/certbot_apache/tests/parser_test.py +++ b/certbot-apache/certbot_apache/tests/parser_test.py @@ -299,6 +299,13 @@ class BasicParserTest(util.ParserTest): errors.MisconfigurationError, self.parser.update_runtime_variables) + def test_add_comment(self): + from certbot_apache.parser import get_aug_path + self.parser.add_comment(get_aug_path(self.parser.loc["name"]), "123456") + comm = self.parser.find_comments("123456") + self.assertEquals(len(comm), 1) + self.assertTrue(self.parser.loc["name"] in comm[0]) + class ParserInitTest(util.ApacheTest): def setUp(self): # pylint: disable=arguments-differ diff --git a/certbot-apache/local-oldest-requirements.txt b/certbot-apache/local-oldest-requirements.txt index 4e4aadbd8..e70ac0c7f 100644 --- a/certbot-apache/local-oldest-requirements.txt +++ b/certbot-apache/local-oldest-requirements.txt @@ -1,2 +1,2 @@ acme[dev]==0.25.0 -certbot[dev]==0.21.1 +-e .[dev] diff --git a/certbot-apache/setup.py b/certbot-apache/setup.py index 7a0dc43bf..8d15e7971 100644 --- a/certbot-apache/setup.py +++ b/certbot-apache/setup.py @@ -8,7 +8,7 @@ version = '0.26.0.dev0' # acme/certbot version. install_requires = [ 'acme>0.24.0', - 'certbot>=0.21.1', + 'certbot>0.25.1', 'mock', 'python-augeas', 'setuptools', diff --git a/certbot/cli.py b/certbot/cli.py index 24e0bddac..81e926e2f 100644 --- a/certbot/cli.py +++ b/certbot/cli.py @@ -32,6 +32,7 @@ from certbot import util from certbot.display import util as display_util from certbot.plugins import disco as plugins_disco +import certbot.plugins.enhancements as enhancements import certbot.plugins.selection as plugin_selection logger = logging.getLogger(__name__) @@ -627,6 +628,10 @@ class HelpfulArgumentParser(object): raise errors.Error("Using --allow-subset-of-names with a" " wildcard domain is not supported.") + if parsed_args.hsts and parsed_args.auto_hsts: + raise errors.Error( + "Parameters --hsts and --auto-hsts cannot be used simultaneously.") + possible_deprecation_warning(parsed_args) return parsed_args @@ -1228,6 +1233,9 @@ def prepare_and_parse_args(plugins, args, detect_defaults=False): # pylint: dis helpful.add_deprecated_argument("--agree-dev-preview", 0) helpful.add_deprecated_argument("--dialog", 0) + # Populate the command line parameters for new style enhancements + enhancements.populate_cli(helpful.add) + _create_subparsers(helpful) _paths_parser(helpful) # _plugins_parsing should be the last thing to act upon the main diff --git a/certbot/constants.py b/certbot/constants.py index 93bc269af..7047424e5 100644 --- a/certbot/constants.py +++ b/certbot/constants.py @@ -58,6 +58,7 @@ CLI_DEFAULTS = dict( rsa_key_size=2048, must_staple=False, redirect=None, + auto_hsts=False, hsts=None, uir=None, staple=None, diff --git a/certbot/main.py b/certbot/main.py index 089eab0c3..a457919d4 100644 --- a/certbot/main.py +++ b/certbot/main.py @@ -36,7 +36,7 @@ from certbot import util from certbot.display import util as display_util, ops as display_ops from certbot.plugins import disco as plugins_disco from certbot.plugins import selection as plug_sel - +from certbot.plugins import enhancements USER_CANCELLED = ("User chose to cancel the operation and may " "reinvoke the client.") @@ -750,8 +750,8 @@ def _install_cert(config, le_client, domains, lineage=None): :param le_client: Client object :type le_client: client.Client - :param plugins: List of domains - :type plugins: `list` of `str` + :param domains: List of domains + :type domains: `list` of `str` :param lineage: Certificate lineage object. Defaults to `None` :type lineage: storage.RenewableCert @@ -789,11 +789,19 @@ def install(config, plugins): except errors.PluginSelectionError as e: return str(e) + if not enhancements.are_supported(config, installer): + raise errors.NotSupportedError("One ore more of the requested enhancements " + "are not supported by the selected installer") # If cert-path is defined, populate missing (ie. not overridden) values. # Unfortunately this can't be done in argument parser, as certificate # manager needs the access to renewal directory paths if config.certname: config = _populate_from_certname(config) + elif enhancements.are_requested(config): + # Preflight config check + raise errors.ConfigurationError("One or more of the requested enhancements " + "require --cert-name to be provided") + if config.key_path and config.cert_path: _check_certificate_and_key(config) domains, _ = _find_domains_or_certname(config, installer) @@ -804,6 +812,11 @@ def install(config, plugins): "If your certificate is managed by Certbot, please use --cert-name " "to define which certificate you would like to install.") + if enhancements.are_requested(config): + # In the case where we don't have certname, we have errored out already + lineage = cert_manager.lineage_for_certname(config, config.certname) + enhancements.enable(lineage, domains, installer, config) + def _populate_from_certname(config): """Helper function for install to populate missing config values from lineage defined by --cert-name.""" @@ -881,7 +894,8 @@ def enhance(config, plugins): """ supported_enhancements = ["hsts", "redirect", "uir", "staple"] # Check that at least one enhancement was requested on command line - if not any([getattr(config, enh) for enh in supported_enhancements]): + oldstyle_enh = any([getattr(config, enh) for enh in supported_enhancements]) + if not enhancements.are_requested(config) and not oldstyle_enh: msg = ("Please specify one or more enhancement types to configure. To list " "the available enhancement types, run:\n\n%s --help enhance\n") logger.warning(msg, sys.argv[0]) @@ -892,6 +906,10 @@ def enhance(config, plugins): except errors.PluginSelectionError as e: return str(e) + if not enhancements.are_supported(config, installer): + raise errors.NotSupportedError("One ore more of the requested enhancements " + "are not supported by the selected installer") + certname_question = ("Which certificate would you like to use to enhance " "your configuration?") config.certname = cert_manager.get_certnames( @@ -907,11 +925,15 @@ def enhance(config, plugins): if not domains: raise errors.Error("User cancelled the domain selection. No domains " "defined, exiting.") + + lineage = cert_manager.lineage_for_certname(config, config.certname) if not config.chain_path: - lineage = cert_manager.lineage_for_certname(config, config.certname) config.chain_path = lineage.chain_path - le_client = _init_le_client(config, authenticator=None, installer=installer) - le_client.enhance_config(domains, config.chain_path, ask_redirect=False) + if oldstyle_enh: + le_client = _init_le_client(config, authenticator=None, installer=installer) + le_client.enhance_config(domains, config.chain_path, ask_redirect=False) + if enhancements.are_requested(config): + enhancements.enable(lineage, domains, installer, config) def rollback(config, plugins): @@ -1073,6 +1095,11 @@ def run(config, plugins): # pylint: disable=too-many-branches,too-many-locals except errors.PluginSelectionError as e: return str(e) + # Preflight check for enhancement support by the selected installer + if not enhancements.are_supported(config, installer): + raise errors.NotSupportedError("One ore more of the requested enhancements " + "are not supported by the selected installer") + # TODO: Handle errors from _init_le_client? le_client = _init_le_client(config, authenticator, installer) @@ -1091,6 +1118,9 @@ def run(config, plugins): # pylint: disable=too-many-branches,too-many-locals _install_cert(config, le_client, domains, new_lineage) + if enhancements.are_requested(config) and new_lineage: + enhancements.enable(new_lineage, domains, installer, config) + if lineage is None or not should_get_cert: display_ops.success_installation(domains) else: diff --git a/certbot/plugins/enhancements.py b/certbot/plugins/enhancements.py new file mode 100644 index 000000000..506abe433 --- /dev/null +++ b/certbot/plugins/enhancements.py @@ -0,0 +1,159 @@ +"""New interface style Certbot enhancements""" +import abc +import six + +from certbot import constants + +from acme.magic_typing import Dict, List, Any # pylint: disable=unused-import, no-name-in-module + +def enabled_enhancements(config): + """ + Generator to yield the enabled new style enhancements. + + :param config: Configuration. + :type config: :class:`certbot.interfaces.IConfig` + """ + for enh in _INDEX: + if getattr(config, enh["cli_dest"]): + yield enh + +def are_requested(config): + """ + Checks if one or more of the requested enhancements are those of the new + enhancement interfaces. + + :param config: Configuration. + :type config: :class:`certbot.interfaces.IConfig` + """ + return any(enabled_enhancements(config)) + +def are_supported(config, installer): + """ + Checks that all of the requested enhancements are supported by the + installer. + + :param config: Configuration. + :type config: :class:`certbot.interfaces.IConfig` + + :param installer: Installer object + :type installer: interfaces.IInstaller + + :returns: If all the requested enhancements are supported by the installer + :rtype: bool + """ + for enh in enabled_enhancements(config): + if not isinstance(installer, enh["class"]): + return False + return True + +def enable(lineage, domains, installer, config): + """ + Run enable method for each requested enhancement that is supported. + + :param lineage: Certificate lineage object + :type lineage: certbot.storage.RenewableCert + + :param domains: List of domains in certificate to enhance + :type domains: str + + :param installer: Installer object + :type installer: interfaces.IInstaller + + :param config: Configuration. + :type config: :class:`certbot.interfaces.IConfig` + """ + for enh in enabled_enhancements(config): + getattr(installer, enh["enable_function"])(lineage, domains) + +def populate_cli(add): + """ + Populates the command line flags for certbot.cli.HelpfulParser + + :param add: Add function of certbot.cli.HelpfulParser + :type add: func + """ + for enh in _INDEX: + add(enh["cli_groups"], enh["cli_flag"], action=enh["cli_action"], + dest=enh["cli_dest"], default=enh["cli_flag_default"], + help=enh["cli_help"]) + + +@six.add_metaclass(abc.ABCMeta) +class AutoHSTSEnhancement(object): + """ + Enhancement interface that installer plugins can implement in order to + provide functionality that configures the software to have a + 'Strict-Transport-Security' with initially low max-age value that will + increase over time. + + The plugins implementing new style enhancements are responsible of handling + the saving of configuration checkpoints as well as calling possible restarts + of managed software themselves. + + Methods: + enable_autohsts is called when the header is initially installed using a + low max-age value. + + update_autohsts is called every time when Certbot is run using 'renew' + verb. The max-age value should be increased over time using this method. + + deploy_autohsts is called for every lineage that has had its certificate + renewed. A long HSTS max-age value should be set here, as we should be + confident that the user is able to automatically renew their certificates. + + + """ + + @abc.abstractmethod + def update_autohsts(self, lineage, *args, **kwargs): + """ + Gets called for each lineage every time Certbot is run with 'renew' verb. + Implementation of this method should increase the max-age value. + + :param lineage: Certificate lineage object + :type lineage: certbot.storage.RenewableCert + """ + + @abc.abstractmethod + def deploy_autohsts(self, lineage, *args, **kwargs): + """ + Gets called for a lineage when its certificate is successfully renewed. + Long max-age value should be set in implementation of this method. + + :param lineage: Certificate lineage object + :type lineage: certbot.storage.RenewableCert + """ + + @abc.abstractmethod + def enable_autohsts(self, lineage, domains, *args, **kwargs): + """ + Enables the AutoHSTS enhancement, installing + Strict-Transport-Security header with a low initial value to be increased + over the subsequent runs of Certbot renew. + + :param lineage: Certificate lineage object + :type lineage: certbot.storage.RenewableCert + + :param domains: List of domains in certificate to enhance + :type domains: str + """ + +# This is used to configure internal new style enhancements in Certbot. These +# enhancement interfaces need to be defined in this file. Please do not modify +# this list from plugin code. +_INDEX = [ + { + "name": "AutoHSTS", + "cli_help": "Gradually increasing max-age value for HTTP Strict Transport "+ + "Security security header", + "cli_flag": "--auto-hsts", + "cli_flag_default": constants.CLI_DEFAULTS["auto_hsts"], + "cli_groups": ["security", "enhance"], + "cli_dest": "auto_hsts", + "cli_action": "store_true", + "class": AutoHSTSEnhancement, + "updater_function": "update_autohsts", + "deployer_function": "deploy_autohsts", + "enable_function": "enable_autohsts" + } +] # type: List[Dict[str, Any]] diff --git a/certbot/plugins/enhancements_test.py b/certbot/plugins/enhancements_test.py new file mode 100644 index 000000000..b69dc9836 --- /dev/null +++ b/certbot/plugins/enhancements_test.py @@ -0,0 +1,65 @@ +"""Tests for new style enhancements""" +import unittest +import mock + +from certbot.plugins import enhancements +from certbot.plugins import null + +import certbot.tests.util as test_util + + +class EnhancementTest(test_util.ConfigTestCase): + """Tests for new style enhancements in certbot.plugins.enhancements""" + + def setUp(self): + super(EnhancementTest, self).setUp() + self.mockinstaller = mock.MagicMock(spec=enhancements.AutoHSTSEnhancement) + + + @test_util.patch_get_utility() + def test_enhancement_enabled_enhancements(self, _): + FAKEINDEX = [ + { + "name": "autohsts", + "cli_dest": "auto_hsts", + }, + { + "name": "somethingelse", + "cli_dest": "something", + } + ] + with mock.patch("certbot.plugins.enhancements._INDEX", FAKEINDEX): + self.config.auto_hsts = True + self.config.something = True + enabled = list(enhancements.enabled_enhancements(self.config)) + self.assertEqual(len(enabled), 2) + self.assertTrue([i for i in enabled if i["name"] == "autohsts"]) + self.assertTrue([i for i in enabled if i["name"] == "somethingelse"]) + + def test_are_requested(self): + self.assertEquals( + len([i for i in enhancements.enabled_enhancements(self.config)]), 0) + self.assertFalse(enhancements.are_requested(self.config)) + self.config.auto_hsts = True + self.assertEquals( + len([i for i in enhancements.enabled_enhancements(self.config)]), 1) + self.assertTrue(enhancements.are_requested(self.config)) + + def test_are_supported(self): + self.config.auto_hsts = True + unsupported = null.Installer(self.config, "null") + self.assertTrue(enhancements.are_supported(self.config, self.mockinstaller)) + self.assertFalse(enhancements.are_supported(self.config, unsupported)) + + def test_enable(self): + self.config.auto_hsts = True + domains = ["example.com", "www.example.com"] + lineage = "lineage" + enhancements.enable(lineage, domains, self.mockinstaller, self.config) + self.assertTrue(self.mockinstaller.enable_autohsts.called) + self.assertEquals(self.mockinstaller.enable_autohsts.call_args[0], + (lineage, domains)) + + +if __name__ == '__main__': + unittest.main() # pragma: no cover diff --git a/certbot/tests/main_test.py b/certbot/tests/main_test.py index 4b251c421..24d059e53 100644 --- a/certbot/tests/main_test.py +++ b/certbot/tests/main_test.py @@ -29,7 +29,9 @@ from certbot import updater from certbot import util from certbot.plugins import disco +from certbot.plugins import enhancements from certbot.plugins import manual +from certbot.plugins import null import certbot.tests.util as test_util @@ -52,10 +54,11 @@ class TestHandleIdenticalCerts(unittest.TestCase): self.assertEqual(ret, ("reinstall", mock_lineage)) -class RunTest(unittest.TestCase): +class RunTest(test_util.ConfigTestCase): """Tests for certbot.main.run.""" def setUp(self): + super(RunTest, self).setUp() self.domain = 'example.org' self.patches = [ mock.patch('certbot.main._get_and_save_cert'), @@ -105,6 +108,15 @@ class RunTest(unittest.TestCase): self._call() self.mock_success_renewal.assert_called_once_with([self.domain]) + @mock.patch('certbot.main.plug_sel.choose_configurator_plugins') + def test_run_enhancement_not_supported(self, mock_choose): + mock_choose.return_value = (null.Installer(self.config, "null"), None) + plugins = disco.PluginsRegistry.find_all() + self.config.auto_hsts = True + self.assertRaises(errors.NotSupportedError, + main.run, + self.config, plugins) + class CertonlyTest(unittest.TestCase): """Tests for certbot.main.certonly.""" @@ -1573,12 +1585,14 @@ class MakeOrVerifyNeededDirs(test_util.ConfigTestCase): strict=self.config.strict_permissions) -class EnhanceTest(unittest.TestCase): +class EnhanceTest(test_util.ConfigTestCase): """Tests for certbot.main.enhance.""" def setUp(self): + super(EnhanceTest, self).setUp() self.get_utility_patch = test_util.patch_get_utility() self.mock_get_utility = self.get_utility_patch.start() + self.mockinstaller = mock.MagicMock(spec=enhancements.AutoHSTSEnhancement) def tearDown(self): self.get_utility_patch.stop() @@ -1670,7 +1684,7 @@ class EnhanceTest(unittest.TestCase): def test_no_enhancements_defined(self): self.assertRaises(errors.MisconfigurationError, - self._call, ['enhance']) + self._call, ['enhance', '-a', 'null']) @mock.patch('certbot.main.plug_sel.choose_configurator_plugins') @mock.patch('certbot.main.display_ops.choose_values') @@ -1682,5 +1696,67 @@ class EnhanceTest(unittest.TestCase): mock_client = self._call(['enhance', '--hsts']) self.assertFalse(mock_client.enhance_config.called) + @mock.patch('certbot.cert_manager.lineage_for_certname') + @mock.patch('certbot.main.display_ops.choose_values') + @mock.patch('certbot.main.plug_sel.pick_installer') + @mock.patch('certbot.main.plug_sel.record_chosen_plugins') + @test_util.patch_get_utility() + def test_enhancement_enable(self, _, _rec, mock_inst, mock_choose, mock_lineage): + mock_inst.return_value = self.mockinstaller + mock_choose.return_value = ["example.com", "another.tld"] + mock_lineage.return_value = mock.MagicMock(chain_path="/tmp/nonexistent") + self._call(['enhance', '--auto-hsts']) + self.assertTrue(self.mockinstaller.enable_autohsts.called) + self.assertEquals(self.mockinstaller.enable_autohsts.call_args[0][1], + ["example.com", "another.tld"]) + + @mock.patch('certbot.cert_manager.lineage_for_certname') + @mock.patch('certbot.main.display_ops.choose_values') + @mock.patch('certbot.main.plug_sel.pick_installer') + @mock.patch('certbot.main.plug_sel.record_chosen_plugins') + @test_util.patch_get_utility() + def test_enhancement_enable_not_supported(self, _, _rec, mock_inst, mock_choose, mock_lineage): + mock_inst.return_value = null.Installer(self.config, "null") + mock_choose.return_value = ["example.com", "another.tld"] + mock_lineage.return_value = mock.MagicMock(chain_path="/tmp/nonexistent") + self.assertRaises( + errors.NotSupportedError, + self._call, ['enhance', '--auto-hsts']) + + def test_enhancement_enable_conflict(self): + self.assertRaises( + errors.Error, + self._call, ['enhance', '--auto-hsts', '--hsts']) + + +class InstallTest(test_util.ConfigTestCase): + """Tests for certbot.main.install.""" + + def setUp(self): + super(InstallTest, self).setUp() + self.mockinstaller = mock.MagicMock(spec=enhancements.AutoHSTSEnhancement) + + @mock.patch('certbot.main.plug_sel.record_chosen_plugins') + @mock.patch('certbot.main.plug_sel.pick_installer') + def test_install_enhancement_not_supported(self, mock_inst, _rec): + mock_inst.return_value = null.Installer(self.config, "null") + plugins = disco.PluginsRegistry.find_all() + self.config.auto_hsts = True + self.assertRaises(errors.NotSupportedError, + main.install, + self.config, plugins) + + @mock.patch('certbot.main.plug_sel.record_chosen_plugins') + @mock.patch('certbot.main.plug_sel.pick_installer') + def test_install_enhancement_no_certname(self, mock_inst, _rec): + mock_inst.return_value = self.mockinstaller + plugins = disco.PluginsRegistry.find_all() + self.config.auto_hsts = True + self.config.certname = None + self.assertRaises(errors.ConfigurationError, + main.install, + self.config, plugins) + + if __name__ == '__main__': unittest.main() # pragma: no cover diff --git a/certbot/tests/renewupdater_test.py b/certbot/tests/renewupdater_test.py index bd1cd891e..c1b97843e 100644 --- a/certbot/tests/renewupdater_test.py +++ b/certbot/tests/renewupdater_test.py @@ -6,6 +6,8 @@ from certbot import interfaces from certbot import main from certbot import updater +from certbot.plugins import enhancements + import certbot.tests.util as test_util @@ -14,25 +16,10 @@ class RenewUpdaterTest(test_util.ConfigTestCase): def setUp(self): super(RenewUpdaterTest, self).setUp() - class MockInstallerGenericUpdater(interfaces.GenericUpdater): - """Mock class that implements GenericUpdater""" - def __init__(self, *args, **kwargs): - # pylint: disable=unused-argument - self.restart = mock.MagicMock() - self.callcounter = mock.MagicMock() - def generic_updates(self, lineage, *args, **kwargs): - self.callcounter(*args, **kwargs) - - class MockInstallerRenewDeployer(interfaces.RenewDeployer): - """Mock class that implements RenewDeployer""" - def __init__(self, *args, **kwargs): - # pylint: disable=unused-argument - self.callcounter = mock.MagicMock() - def renew_deploy(self, lineage, *args, **kwargs): - self.callcounter(*args, **kwargs) - - self.generic_updater = MockInstallerGenericUpdater() - self.renew_deployer = MockInstallerRenewDeployer() + self.generic_updater = mock.MagicMock(spec=interfaces.GenericUpdater) + self.generic_updater.restart = mock.MagicMock() + self.renew_deployer = mock.MagicMock(spec=interfaces.RenewDeployer) + self.mockinstaller = mock.MagicMock(spec=enhancements.AutoHSTSEnhancement) @mock.patch('certbot.main._get_and_save_cert') @mock.patch('certbot.plugins.selection.choose_configurator_plugins') @@ -48,16 +35,16 @@ class RenewUpdaterTest(test_util.ConfigTestCase): self.assertTrue(mock_generic_updater.restart.called) mock_generic_updater.restart.reset_mock() - mock_generic_updater.callcounter.reset_mock() + mock_generic_updater.generic_updates.reset_mock() updater.run_generic_updaters(self.config, mock.MagicMock(), None) - self.assertEqual(mock_generic_updater.callcounter.call_count, 1) + self.assertEqual(mock_generic_updater.generic_updates.call_count, 1) self.assertFalse(mock_generic_updater.restart.called) def test_renew_deployer(self): lineage = mock.MagicMock() mock_deployer = self.renew_deployer updater.run_renewal_deployer(self.config, lineage, mock_deployer) - self.assertTrue(mock_deployer.callcounter.called_with(lineage)) + self.assertTrue(mock_deployer.renew_deploy.called_with(lineage)) @mock.patch("certbot.updater.logger.debug") def test_updater_skip_dry_run(self, mock_log): @@ -75,6 +62,62 @@ class RenewUpdaterTest(test_util.ConfigTestCase): self.assertEquals(mock_log.call_args[0][0], "Skipping renewal deployer in dry-run mode.") + @mock.patch('certbot.plugins.selection.choose_configurator_plugins') + def test_enhancement_updates(self, mock_select): + mock_select.return_value = (self.mockinstaller, None) + updater.run_generic_updaters(self.config, mock.MagicMock(), None) + self.assertTrue(self.mockinstaller.update_autohsts.called) + self.assertEqual(self.mockinstaller.update_autohsts.call_count, 1) + + def test_enhancement_deployer(self): + updater.run_renewal_deployer(self.config, mock.MagicMock(), + self.mockinstaller) + self.assertTrue(self.mockinstaller.deploy_autohsts.called) + + @mock.patch('certbot.plugins.selection.choose_configurator_plugins') + def test_enhancement_updates_not_called(self, mock_select): + self.config.disable_renew_updates = True + mock_select.return_value = (self.mockinstaller, None) + updater.run_generic_updaters(self.config, mock.MagicMock(), None) + self.assertFalse(self.mockinstaller.update_autohsts.called) + + def test_enhancement_deployer_not_called(self): + self.config.disable_renew_updates = True + updater.run_renewal_deployer(self.config, mock.MagicMock(), + self.mockinstaller) + self.assertFalse(self.mockinstaller.deploy_autohsts.called) + + @mock.patch('certbot.plugins.selection.choose_configurator_plugins') + def test_enhancement_no_updater(self, mock_select): + FAKEINDEX = [ + { + "name": "Test", + "class": enhancements.AutoHSTSEnhancement, + "updater_function": None, + "deployer_function": "deploy_autohsts", + "enable_function": "enable_autohsts" + } + ] + mock_select.return_value = (self.mockinstaller, None) + with mock.patch("certbot.plugins.enhancements._INDEX", FAKEINDEX): + updater.run_generic_updaters(self.config, mock.MagicMock(), None) + self.assertFalse(self.mockinstaller.update_autohsts.called) + + def test_enhancement_no_deployer(self): + FAKEINDEX = [ + { + "name": "Test", + "class": enhancements.AutoHSTSEnhancement, + "updater_function": "deploy_autohsts", + "deployer_function": None, + "enable_function": "enable_autohsts" + } + ] + with mock.patch("certbot.plugins.enhancements._INDEX", FAKEINDEX): + updater.run_renewal_deployer(self.config, mock.MagicMock(), + self.mockinstaller) + self.assertFalse(self.mockinstaller.deploy_autohsts.called) + if __name__ == '__main__': unittest.main() # pragma: no cover diff --git a/certbot/updater.py b/certbot/updater.py index 112cf06ef..fb7c52f77 100644 --- a/certbot/updater.py +++ b/certbot/updater.py @@ -5,6 +5,7 @@ from certbot import errors from certbot import interfaces from certbot.plugins import selection as plug_sel +import certbot.plugins.enhancements as enhancements logger = logging.getLogger(__name__) @@ -33,6 +34,7 @@ def run_generic_updaters(config, lineage, plugins): logger.warning("Could not choose appropriate plugin for updaters: %s", e) return _run_updaters(lineage, installer, config) + _run_enhancement_updaters(lineage, installer, config) def run_renewal_deployer(config, lineage, installer): """Helper function to run deployer interface method if supported by the used @@ -57,6 +59,7 @@ def run_renewal_deployer(config, lineage, installer): if not config.disable_renew_updates and isinstance(installer, interfaces.RenewDeployer): installer.renew_deploy(lineage) + _run_enhancement_deployers(lineage, installer, config) def _run_updaters(lineage, installer, config): """Helper function to run the updater interface methods if supported by the @@ -74,3 +77,46 @@ def _run_updaters(lineage, installer, config): if not config.disable_renew_updates: if isinstance(installer, interfaces.GenericUpdater): installer.generic_updates(lineage) + +def _run_enhancement_updaters(lineage, installer, config): + """Iterates through known enhancement interfaces. If the installer implements + an enhancement interface and the enhance interface has an updater method, the + updater method gets run. + + :param lineage: Certificate lineage object + :type lineage: storage.RenewableCert + + :param installer: Installer object + :type installer: interfaces.IInstaller + + :param config: Configuration object + :type config: interfaces.IConfig + """ + + if config.disable_renew_updates: + return + for enh in enhancements._INDEX: # pylint: disable=protected-access + if isinstance(installer, enh["class"]) and enh["updater_function"]: + getattr(installer, enh["updater_function"])(lineage) + + +def _run_enhancement_deployers(lineage, installer, config): + """Iterates through known enhancement interfaces. If the installer implements + an enhancement interface and the enhance interface has an deployer method, the + deployer method gets run. + + :param lineage: Certificate lineage object + :type lineage: storage.RenewableCert + + :param installer: Installer object + :type installer: interfaces.IInstaller + + :param config: Configuration object + :type config: interfaces.IConfig + """ + + if config.disable_renew_updates: + return + for enh in enhancements._INDEX: # pylint: disable=protected-access + if isinstance(installer, enh["class"]) and enh["deployer_function"]: + getattr(installer, enh["deployer_function"])(lineage) From 6771b8e05bfe438165df67d8cc671857510f3957 Mon Sep 17 00:00:00 2001 From: Harlan Lieberman-Berg Date: Thu, 21 Jun 2018 15:52:08 -0400 Subject: [PATCH 238/256] docs: move warning about distro provided renewal (#6133) Currently, you must read ten paragraphs about writing renewal hooks before you find that most distributions will automatically renew certs for you. This is burying the lede in a major way; moving it up to the header seems a better choice. --- docs/using.rst | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/using.rst b/docs/using.rst index 40d8f8452..46599a06e 100644 --- a/docs/using.rst +++ b/docs/using.rst @@ -454,6 +454,12 @@ Renewing certificates days). Make sure you renew the certificates at least once in 3 months. +.. seealso:: Many of the certbot clients obtained through a + distribution come with automatic renewal out of the box, + such as Debian and Ubuntu versions installed through `apt`, + CentOS/RHEL 7 through EPEL, etc. See `Automated Renewals`_ + for more details. + As of version 0.10.0, Certbot supports a ``renew`` action to check all installed certificates for impending expiry and attempt to renew them. The simplest form is simply @@ -560,12 +566,6 @@ can run on a regular basis, like every week or every day). In that case, you are likely to want to use the ``-q`` or ``--quiet`` quiet flag to silence all output except errors. -.. seealso:: Many of the certbot clients obtained through a - distribution come with automatic renewal out of the box, - such as Debian and Ubuntu versions installed through `apt`, - CentOS/RHEL 7 through EPEL, etc. See `Automated Renewals`_ - for more details. - If you are manually renewing all of your certificates, the ``--force-renewal`` flag may be helpful; it causes the expiration time of the certificate(s) to be ignored when considering renewal, and attempts to From 2ac0b5520833b83b093b10f02e5a02686842e17a Mon Sep 17 00:00:00 2001 From: ohemorange Date: Thu, 21 Jun 2018 13:23:09 -0700 Subject: [PATCH 239/256] Reuse ACMEv1 accounts for ACMEv2 in production (#6134) * Reuse accounts made with ACMEv1 when using an ACMEv2 Let's Encrypt server. This commit turns the feature on for the production server; the bulk of the work was done in 8e4303a. * add upgrade test for production server --- certbot/constants.py | 1 + certbot/tests/account_test.py | 8 +++++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/certbot/constants.py b/certbot/constants.py index 7047424e5..d31faa71c 100644 --- a/certbot/constants.py +++ b/certbot/constants.py @@ -161,6 +161,7 @@ ACCOUNTS_DIR = "accounts" """Directory where all accounts are saved.""" LE_REUSE_SERVERS = { + 'acme-v02.api.letsencrypt.org/directory': 'acme-v01.api.letsencrypt.org/directory', 'acme-staging-v02.api.letsencrypt.org/directory': 'acme-staging.api.letsencrypt.org/directory' } diff --git a/certbot/tests/account_test.py b/certbot/tests/account_test.py index a8059fbcf..a4fe5edb7 100644 --- a/certbot/tests/account_test.py +++ b/certbot/tests/account_test.py @@ -218,12 +218,18 @@ class AccountFileStorageTest(test_util.ConfigTestCase): self._set_server('https://acme-staging.api.letsencrypt.org/directory') self.assertEqual([], self.storage.find_all()) - def test_upgrade_version(self): + def test_upgrade_version_staging(self): self._set_server('https://acme-staging.api.letsencrypt.org/directory') self.storage.save(self.acc, self.mock_client) self._set_server('https://acme-staging-v02.api.letsencrypt.org/directory') self.assertEqual([self.acc], self.storage.find_all()) + def test_upgrade_version_production(self): + self._set_server('https://acme-v01.api.letsencrypt.org/directory') + self.storage.save(self.acc, self.mock_client) + self._set_server('https://acme-v02.api.letsencrypt.org/directory') + self.assertEqual([self.acc], self.storage.find_all()) + @mock.patch('os.rmdir') def test_corrupted_account(self, mock_rmdir): # pylint: disable=protected-access From 1e1e7d8e973be0b7376d96fb07c59816f694a83a Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 21 Jun 2018 15:40:43 -0700 Subject: [PATCH 240/256] Improve UA default in docs (#6120) * Use less informative UA values in docs. * set CERTBOT_DOCS during release --- certbot/client.py | 12 ++++++++++-- certbot/tests/client_test.py | 33 +++++++++++++++++++++++++++++++++ tools/release.sh | 3 ++- 3 files changed, 45 insertions(+), 3 deletions(-) diff --git a/certbot/client.py b/certbot/client.py index d97de0571..4d4915a27 100644 --- a/certbot/client.py +++ b/certbot/client.py @@ -65,9 +65,17 @@ def determine_user_agent(config): if config.user_agent is None: ua = ("CertbotACMEClient/{0} ({1}; {2}{8}) Authenticator/{3} Installer/{4} " "({5}; flags: {6}) Py/{7}") - ua = ua.format(certbot.__version__, cli.cli_command, util.get_os_info_ua(), + if os.environ.get("CERTBOT_DOCS") == "1": + cli_command = "certbot(-auto)" + os_info = "OS_NAME OS_VERSION" + python_version = "major.minor.patchlevel" + else: + cli_command = cli.cli_command + os_info = util.get_os_info_ua() + python_version = platform.python_version() + ua = ua.format(certbot.__version__, cli_command, os_info, config.authenticator, config.installer, config.verb, - ua_flags(config), platform.python_version(), + ua_flags(config), python_version, "; " + config.user_agent_comment if config.user_agent_comment else "") else: ua = config.user_agent diff --git a/certbot/tests/client_test.py b/certbot/tests/client_test.py index a4425bca9..70ab4c798 100644 --- a/certbot/tests/client_test.py +++ b/certbot/tests/client_test.py @@ -1,5 +1,6 @@ """Tests for certbot.client.""" import os +import platform import shutil import tempfile import unittest @@ -16,6 +17,38 @@ KEY = test_util.load_vector("rsa512_key.pem") CSR_SAN = test_util.load_vector("csr-san_512.pem") +class DetermineUserAgentTest(test_util.ConfigTestCase): + """Tests for certbot.client.determine_user_agent.""" + + def _call(self): + from certbot.client import determine_user_agent + return determine_user_agent(self.config) + + @mock.patch.dict(os.environ, {"CERTBOT_DOCS": "1"}) + def test_docs_value(self): + self._test(expect_doc_values=True) + + @mock.patch.dict(os.environ, {}) + def test_real_values(self): + self._test(expect_doc_values=False) + + def _test(self, expect_doc_values): + ua = self._call() + + if expect_doc_values: + doc_value_check = self.assertIn + real_value_check = self.assertNotIn + else: + doc_value_check = self.assertNotIn + real_value_check = self.assertIn + + doc_value_check("certbot(-auto)", ua) + doc_value_check("OS_NAME OS_VERSION", ua) + doc_value_check("major.minor.patchlevel", ua) + real_value_check(util.get_os_info_ua(), ua) + real_value_check(platform.python_version(), ua) + + class RegisterTest(test_util.ConfigTestCase): """Tests for certbot.client.register.""" diff --git a/tools/release.sh b/tools/release.sh index a8de208b5..069d311d1 100755 --- a/tools/release.sh +++ b/tools/release.sh @@ -153,7 +153,8 @@ kill $! cd ~- # get a snapshot of the CLI help for the docs -certbot --help all > docs/cli-help.txt +# We set CERTBOT_DOCS to use dummy values in example user-agent string. +CERTBOT_DOCS=1 certbot --help all > docs/cli-help.txt jws --help > acme/docs/jws-help.txt cd .. From 7890de62ecfd0a3de60b81fabba4659cf80605d1 Mon Sep 17 00:00:00 2001 From: sydneyli Date: Thu, 21 Jun 2018 16:11:02 -0700 Subject: [PATCH 241/256] doc(postfix): install instructions (#6136) fixes #6131 * doc(postfix): install instructions * address brad's comments --- certbot-postfix/README.rst | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/certbot-postfix/README.rst b/certbot-postfix/README.rst index 78fd9a421..e6367e365 100644 --- a/certbot-postfix/README.rst +++ b/certbot-postfix/README.rst @@ -2,9 +2,22 @@ Postfix plugin for Certbot ========================== -To install your certs with this plugin, run: +Note: this MTA installer is in **developer beta**-- we appreciate any testing, feedback, or +feature requests for this plugin. -``certbot install --installer postfix --cert-path --key-path -d `` +To install this plugin, in the root of this repo, run:: -And there you go! If you'd like to obtain these certificates via certbot, there's more documentation on how to do this `here `_. + ./tools/venv.sh + source venv/bin/activate +You can use this installer with any `authenticator plugin +`_. +For instance, with the `standalone authenticator +`_, which requires no extra server +software, you might run:: + + sudo ./venv/bin/certbot run --standalone -i postfix -d + +To just install existing certs with this plugin, run:: + + sudo ./venv/bin/certbot install -i postfix --cert-path --key-path -d From 80cd134847edd1b860315796d3accf1a46171b16 Mon Sep 17 00:00:00 2001 From: r5d Date: Mon, 25 Jun 2018 21:02:07 -0400 Subject: [PATCH 242/256] certbot.cli: Remove debug-challenges option for `renew` subcommand. (#6141) Addresses issue #5005. --- certbot/cli.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/certbot/cli.py b/certbot/cli.py index 81e926e2f..5c4313ea4 100644 --- a/certbot/cli.py +++ b/certbot/cli.py @@ -1082,7 +1082,7 @@ def prepare_and_parse_args(plugins, args, detect_defaults=False): # pylint: dis help="Show tracebacks in case of errors, and allow certbot-auto " "execution on experimental platforms") helpful.add( - [None, "certonly", "renew", "run"], "--debug-challenges", action="store_true", + [None, "certonly", "run"], "--debug-challenges", action="store_true", default=flag_default("debug_challenges"), help="After setting up challenges, wait for user input before " "submitting to CA") From 87e1912bf91cf91e8ff1d3e4d5928353ae1a294c Mon Sep 17 00:00:00 2001 From: ohemorange Date: Mon, 25 Jun 2018 18:09:30 -0700 Subject: [PATCH 243/256] Show both possible Nginx default server root values in docs (#6137) See https://github.com/certbot/website/pull/348#issuecomment-399257703. ``` $ certbot --help all | grep -C 3 nginx-server-root nginx: Nginx Web Server plugin - Alpha --nginx-server-root NGINX_SERVER_ROOT Nginx server root directory. (default: /etc/nginx) --nginx-ctl NGINX_CTL Path to the 'nginx' binary, used for 'configtest' and ``` ``` $ CERTBOT_DOCS=1 certbot --help all | grep -C 3 nginx-server-root nginx: Nginx Web Server plugin - Alpha --nginx-server-root NGINX_SERVER_ROOT Nginx server root directory. (default: /etc/nginx or /usr/local/etc/nginx) --nginx-ctl NGINX_CTL ``` * Show both possible Nginx default server root values in docs * add test * check that exactly one server root is in the default * use default magic --- certbot-nginx/certbot_nginx/configurator.py | 11 +++++++- certbot-nginx/certbot_nginx/constants.py | 7 +++-- .../certbot_nginx/tests/configurator_test.py | 26 +++++++++++++++++++ 3 files changed, 41 insertions(+), 3 deletions(-) diff --git a/certbot-nginx/certbot_nginx/configurator.py b/certbot-nginx/certbot_nginx/configurator.py index 41b5124b8..b80d95613 100644 --- a/certbot-nginx/certbot_nginx/configurator.py +++ b/certbot-nginx/certbot_nginx/configurator.py @@ -69,8 +69,9 @@ class NginxConfigurator(common.Installer): @classmethod def add_parser_arguments(cls, add): + default_server_root = _determine_default_server_root() add("server-root", default=constants.CLI_DEFAULTS["server_root"], - help="Nginx server root directory.") + help="Nginx server root directory. (default: %s)" % default_server_root) add("ctl", default=constants.CLI_DEFAULTS["ctl"], help="Path to the " "'nginx' binary, used for 'configtest' and retrieving nginx " "version number.") @@ -1129,3 +1130,11 @@ def install_ssl_options_conf(options_ssl, options_ssl_digest): """Copy Certbot's SSL options file into the system's config dir if required.""" return common.install_version_controlled_file(options_ssl, options_ssl_digest, constants.MOD_SSL_CONF_SRC, constants.ALL_SSL_OPTIONS_HASHES) + +def _determine_default_server_root(): + if os.environ.get("CERTBOT_DOCS") == "1": + default_server_root = "%s or %s" % (constants.LINUX_SERVER_ROOT, + constants.FREEBSD_DARWIN_SERVER_ROOT) + else: + default_server_root = constants.CLI_DEFAULTS["server_root"] + return default_server_root diff --git a/certbot-nginx/certbot_nginx/constants.py b/certbot-nginx/certbot_nginx/constants.py index dfc451202..d749b6989 100644 --- a/certbot-nginx/certbot_nginx/constants.py +++ b/certbot-nginx/certbot_nginx/constants.py @@ -2,10 +2,13 @@ import pkg_resources import platform +FREEBSD_DARWIN_SERVER_ROOT = "/usr/local/etc/nginx" +LINUX_SERVER_ROOT = "/etc/nginx" + if platform.system() in ('FreeBSD', 'Darwin'): - server_root_tmp = "/usr/local/etc/nginx" + server_root_tmp = FREEBSD_DARWIN_SERVER_ROOT else: - server_root_tmp = "/etc/nginx" + server_root_tmp = LINUX_SERVER_ROOT CLI_DEFAULTS = dict( server_root=server_root_tmp, diff --git a/certbot-nginx/certbot_nginx/tests/configurator_test.py b/certbot-nginx/certbot_nginx/tests/configurator_test.py index 9386c3cd9..75dfca563 100644 --- a/certbot-nginx/certbot_nginx/tests/configurator_test.py +++ b/certbot-nginx/certbot_nginx/tests/configurator_test.py @@ -949,5 +949,31 @@ class InstallSslOptionsConfTest(util.NginxTest): " with the sha256 hash of self.config.mod_ssl_conf when it is updated.") +class DetermineDefaultServerRootTest(certbot_test_util.ConfigTestCase): + """Tests for certbot_nginx.configurator._determine_default_server_root.""" + + def _call(self): + from certbot_nginx.configurator import _determine_default_server_root + return _determine_default_server_root() + + @mock.patch.dict(os.environ, {"CERTBOT_DOCS": "1"}) + def test_docs_value(self): + self._test(expect_both_values=True) + + @mock.patch.dict(os.environ, {}) + def test_real_values(self): + self._test(expect_both_values=False) + + def _test(self, expect_both_values): + server_root = self._call() + + if expect_both_values: + self.assertIn("/usr/local/etc/nginx", server_root) + self.assertIn("/etc/nginx", server_root) + else: + self.assertTrue("/etc/nginx" in server_root or "/usr/local/etc/nginx" in server_root) + self.assertFalse("/etc/nginx" in server_root and "/usr/local/etc/nginx" in server_root) + + if __name__ == "__main__": unittest.main() # pragma: no cover From a4760cfe56ee88bbc776859fb95a141d128adcaf Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Tue, 26 Jun 2018 15:33:41 -0700 Subject: [PATCH 244/256] Partially revert "Implement TLS-ALPN-01 challenge and standalone TLS-ALPN server (#5894)" (#6144) This partially reverts commit 15f1405fff7083bf5d4f599a58c54a43be499740. A basic tls-alpn-01 implementation is left so we can successfully parse the challenge so it can be used in boulder's tests. --- acme/acme/challenges.py | 158 +++------------------------- acme/acme/challenges_test.py | 93 +--------------- acme/acme/crypto_util.py | 61 +++-------- acme/acme/crypto_util_test.py | 16 +-- acme/acme/standalone.py | 48 +-------- acme/acme/standalone_test.py | 57 ---------- acme/acme/testdata/README | 6 +- acme/acme/testdata/rsa1024_cert.pem | 13 --- 8 files changed, 32 insertions(+), 420 deletions(-) delete mode 100644 acme/acme/testdata/rsa1024_cert.pem diff --git a/acme/acme/challenges.py b/acme/acme/challenges.py index 30983e28f..2f0bf004d 100644 --- a/acme/acme/challenges.py +++ b/acme/acme/challenges.py @@ -1,6 +1,5 @@ """ACME Identifier Validation Challenges.""" import abc -import codecs import functools import hashlib import logging @@ -8,7 +7,7 @@ import socket from cryptography.hazmat.primitives import hashes # type: ignore import josepy as jose -from OpenSSL import crypto +import OpenSSL import requests import six @@ -412,8 +411,8 @@ class TLSSNI01Response(KeyAuthorizationChallengeResponse): """ if key is None: - key = crypto.PKey() - key.generate_key(crypto.TYPE_RSA, bits) + key = OpenSSL.crypto.PKey() + key.generate_key(OpenSSL.crypto.TYPE_RSA, bits) return crypto_util.gen_ss_cert(key, [ # z_domain is too big to fit into CN, hence first dummy domain 'dummy', self.z_domain.decode()], force_san=True), key @@ -508,152 +507,19 @@ class TLSSNI01(KeyAuthorizationChallenge): return self.response(account_key).gen_cert(key=kwargs.get('cert_key')) -@ChallengeResponse.register -class TLSALPN01Response(KeyAuthorizationChallengeResponse): - """ACME tls-alpn-01 challenge response.""" - typ = "tls-alpn-01" - - PORT = 443 - """Verification port as defined by the protocol. - - You can override it (e.g. for testing) by passing ``port`` to - `simple_verify`. - - """ - - ID_PE_ACME_IDENTIFIER_V1 = b"1.3.6.1.5.5.7.1.30.1" - ACME_TLS_1_PROTOCOL = "acme-tls/1" - - @property - def h(self): - """Hash value stored in challenge certificate""" - return hashlib.sha256(self.key_authorization.encode('utf-8')).digest() - - def gen_cert(self, domain, key=None, bits=2048): - """Generate tls-alpn-01 certificate. - - :param unicode domain: Domain verified by the challenge. - :param OpenSSL.crypto.PKey key: Optional private key used in - certificate generation. If not provided (``None``), then - fresh key will be generated. - :param int bits: Number of bits for newly generated key. - - :rtype: `tuple` of `OpenSSL.crypto.X509` and `OpenSSL.crypto.PKey` - - """ - if key is None: - key = crypto.PKey() - key.generate_key(crypto.TYPE_RSA, bits) - - - # Instead of using a ASN.1 encoding library just append the OCTET STRING tag (0x04) - # and the length of the SHA256 hash (0x20) since both of these should never change - der_value = b"DER:0420" + codecs.encode(self.h, 'hex') - acme_extension = crypto.X509Extension(self.ID_PE_ACME_IDENTIFIER_V1, - critical=True, value=der_value) - - return crypto_util.gen_ss_cert(key, [domain], force_san=True, - extensions=[acme_extension]), key - - def probe_cert(self, domain, host=None, port=None): - """Probe tls-alpn-01 challenge certificate. - - :param unicode domain: domain being validated, required. - :param string host: IP address used to probe the certificate. - :param int port: Port used to probe the certificate. - - """ - if host is None: - host = socket.gethostbyname(domain) - logger.debug('%s resolved to %s', domain, host) - if port is None: - port = self.PORT - - return crypto_util.probe_sni(host=host, port=port, name=domain, - alpn_protocols=[self.ACME_TLS_1_PROTOCOL]) - - def verify_cert(self, domain, cert): - """Verify tls-alpn-01 challenge certificate. - - :param unicode domain: Domain name being validated. - :param OpensSSL.crypto.X509 cert: Challenge certificate. - - :returns: Whether the certificate was successfully verified. - :rtype: bool - - """ - # pylint: disable=protected-access - names = crypto_util._pyopenssl_cert_or_req_all_names(cert) - logger.debug('Certificate %s. SANs: %s', cert.digest('sha256'), names) - if len(names) != 1 or names[0].lower() != domain.lower(): - return False - - for i in range(cert.get_extension_count()): - ext = cert.get_extension(i) - # FIXME: assume this is the ACME extension. Currently there is no - # way to get full OID of an unknown extension from pyopenssl. - if ext.get_short_name() == b'UNDEF': - data = ext.get_data() - # Add the ASN.1 tag/length prefix to the hash before comparison - return data == b'\x04\x20' + self.h - - return False - - # pylint: disable=too-many-arguments - def simple_verify(self, chall, domain, account_public_key, - cert=None, host=None, port=None): - """Simple verify. - - Verify ``validation`` using ``account_public_key``, optionally - probe tls-alpn-01 certificate and check using `verify_cert`. - - :param .challenges.TLSALPN01 chall: Corresponding challenge. - :param str domain: Domain name being validated. - :param JWK account_public_key: - :param OpenSSL.crypto.X509 cert: Optional certificate. If not - provided (``None``) certificate will be retrieved using - `probe_cert`. - :param string host: IP address used to probe the certificate. - :param int port: Port used to probe the certificate. - - - :returns: ``True`` iff client's control of the domain has been - verified. - :rtype: bool - - """ - if not self.verify(chall, account_public_key): - logger.debug("Verification of key authorization in response failed") - return False - - if cert is None: - try: - cert = self.probe_cert(domain=domain, host=host, port=port) - except errors.Error as error: - logger.debug(str(error), exc_info=True) - return False - - return self.verify_cert(cert, domain) - - @Challenge.register # pylint: disable=too-many-ancestors class TLSALPN01(KeyAuthorizationChallenge): - """ACME tls-alpn-01 challenge.""" - response_cls = TLSALPN01Response - typ = response_cls.typ + """ACME tls-alpn-01 challenge. + + This class simply allows parsing the TLS-ALPN-01 challenge returned from + the CA. Full TLS-ALPN-01 support is not currently provided. + + """ + typ = "tls-alpn-01" def validation(self, account_key, **kwargs): - """Generate validation. - - :param JWK account_key: - :param OpenSSL.crypto.PKey cert_key: Optional private key used - in certificate generation. If not provided (``None``), then - fresh key will be generated. - - :rtype: `tuple` of `OpenSSL.crypto.X509` and `OpenSSL.crypto.PKey` - - """ - return self.response(account_key).gen_cert(key=kwargs.get('cert_key')) + """Generate validation for the challenge.""" + raise NotImplementedError() @Challenge.register # pylint: disable=too-many-ancestors diff --git a/acme/acme/challenges_test.py b/acme/acme/challenges_test.py index b929d4939..661d25a35 100644 --- a/acme/acme/challenges_test.py +++ b/acme/acme/challenges_test.py @@ -393,91 +393,6 @@ class TLSSNI01Test(unittest.TestCase): mock_gen_cert.assert_called_once_with(key=mock.sentinel.cert_key) -class TLSALPN01ResponseTest(unittest.TestCase): - # pylint: disable=too-many-instance-attributes - - def setUp(self): - from acme.challenges import TLSALPN01 - self.chall = TLSALPN01( - token=jose.b64decode(b'a82d5ff8ef740d12881f6d3c2277ab2e')) - self.domain = u'example.com' - self.domain2 = u'example2.com' - - self.response = self.chall.response(KEY) - self.jmsg = { - 'resource': 'challenge', - 'type': 'tls-alpn-01', - 'keyAuthorization': self.response.key_authorization, - } - - def test_to_partial_json(self): - self.assertEqual(self.jmsg, self.response.to_partial_json()) - - def test_from_json(self): - from acme.challenges import TLSALPN01Response - self.assertEqual(self.response, TLSALPN01Response.from_json(self.jmsg)) - - def test_from_json_hashable(self): - from acme.challenges import TLSALPN01Response - hash(TLSALPN01Response.from_json(self.jmsg)) - - def test_gen_verify_cert(self): - key1 = test_util.load_pyopenssl_private_key('rsa512_key.pem') - cert, key2 = self.response.gen_cert(self.domain, key1) - self.assertEqual(key1, key2) - self.assertTrue(self.response.verify_cert(self.domain, cert)) - - def test_gen_verify_cert_gen_key(self): - cert, key = self.response.gen_cert(self.domain) - self.assertTrue(isinstance(key, OpenSSL.crypto.PKey)) - self.assertTrue(self.response.verify_cert(self.domain, cert)) - - def test_verify_bad_cert(self): - self.assertFalse(self.response.verify_cert(self.domain, - test_util.load_cert('cert.pem'))) - - def test_verify_bad_domain(self): - key1 = test_util.load_pyopenssl_private_key('rsa512_key.pem') - cert, key2 = self.response.gen_cert(self.domain, key1) - self.assertEqual(key1, key2) - self.assertFalse(self.response.verify_cert(self.domain2, cert)) - - def test_simple_verify_bad_key_authorization(self): - key2 = jose.JWKRSA.load(test_util.load_vector('rsa256_key.pem')) - self.response.simple_verify(self.chall, "local", key2.public_key()) - - @mock.patch('acme.challenges.TLSALPN01Response.verify_cert', autospec=True) - def test_simple_verify(self, mock_verify_cert): - mock_verify_cert.return_value = mock.sentinel.verification - self.assertEqual( - mock.sentinel.verification, self.response.simple_verify( - self.chall, self.domain, KEY.public_key(), - cert=mock.sentinel.cert)) - mock_verify_cert.assert_called_once_with( - self.response, mock.sentinel.cert, self.domain) - - @mock.patch('acme.challenges.socket.gethostbyname') - @mock.patch('acme.challenges.crypto_util.probe_sni') - def test_probe_cert(self, mock_probe_sni, mock_gethostbyname): - mock_gethostbyname.return_value = '127.0.0.1' - self.response.probe_cert('foo.com') - mock_gethostbyname.assert_called_once_with('foo.com') - mock_probe_sni.assert_called_once_with( - host='127.0.0.1', port=self.response.PORT, name='foo.com', - alpn_protocols=['acme-tls/1']) - - self.response.probe_cert('foo.com', host='8.8.8.8') - mock_probe_sni.assert_called_with( - host='8.8.8.8', port=mock.ANY, name='foo.com', - alpn_protocols=['acme-tls/1']) - - @mock.patch('acme.challenges.TLSALPN01Response.probe_cert') - def test_simple_verify_false_on_probe_error(self, mock_probe_cert): - mock_probe_cert.side_effect = errors.Error - self.assertFalse(self.response.simple_verify( - self.chall, self.domain, KEY.public_key())) - - class TLSALPN01Test(unittest.TestCase): def setUp(self): @@ -506,12 +421,8 @@ class TLSALPN01Test(unittest.TestCase): self.assertRaises( jose.DeserializationError, TLSALPN01.from_json, self.jmsg) - @mock.patch('acme.challenges.TLSALPN01Response.gen_cert') - def test_validation(self, mock_gen_cert): - mock_gen_cert.return_value = ('cert', 'key') - self.assertEqual(('cert', 'key'), self.msg.validation( - KEY, cert_key=mock.sentinel.cert_key)) - mock_gen_cert.assert_called_once_with(key=mock.sentinel.cert_key) + def test_validation(self): + self.assertRaises(NotImplementedError, self.msg.validation, KEY) class DNSTest(unittest.TestCase): diff --git a/acme/acme/crypto_util.py b/acme/acme/crypto_util.py index d25c2340b..d0e203417 100644 --- a/acme/acme/crypto_util.py +++ b/acme/acme/crypto_util.py @@ -31,15 +31,6 @@ logger = logging.getLogger(__name__) _DEFAULT_TLSSNI01_SSL_METHOD = SSL.SSLv23_METHOD # type: ignore -class _DefaultCertSelection(object): - def __init__(self, certs): - self.certs = certs - - def __call__(self, connection): - server_name = connection.get_servername() - return self.certs.get(server_name, None) - - class SSLSocket(object): # pylint: disable=too-few-public-methods """SSL wrapper for sockets. @@ -47,25 +38,12 @@ class SSLSocket(object): # pylint: disable=too-few-public-methods :ivar dict certs: Mapping from domain names (`bytes`) to `OpenSSL.crypto.X509`. :ivar method: See `OpenSSL.SSL.Context` for allowed values. - :ivar alpn_selection: Hook to select negotiated ALPN protocol for - connection. - :ivar cert_selection: Hook to select certificate for connection. If given, - `certs` parameter would be ignored, and therefore must be empty. """ - def __init__(self, sock, certs=None, - method=_DEFAULT_TLSSNI01_SSL_METHOD, alpn_selection=None, - cert_selection=None): + def __init__(self, sock, certs, method=_DEFAULT_TLSSNI01_SSL_METHOD): self.sock = sock - self.alpn_selection = alpn_selection + self.certs = certs self.method = method - if not cert_selection and not certs: - raise ValueError("Neither cert_selection or certs specified.") - if cert_selection and certs: - raise ValueError("Both cert_selection and certs specified.") - if cert_selection is None: - cert_selection = _DefaultCertSelection(certs) - self.cert_selection = cert_selection def __getattr__(self, name): return getattr(self.sock, name) @@ -82,19 +60,18 @@ class SSLSocket(object): # pylint: disable=too-few-public-methods :type connection: :class:`OpenSSL.Connection` """ - pair = self.cert_selection(connection) - if pair is None: - logger.debug("Certificate selection for server name %s failed, dropping SSL", - connection.get_servername()) + server_name = connection.get_servername() + try: + key, cert = self.certs[server_name] + except KeyError: + logger.debug("Server name (%s) not recognized, dropping SSL", + server_name) return - key, cert = pair new_context = SSL.Context(self.method) new_context.set_options(SSL.OP_NO_SSLv2) new_context.set_options(SSL.OP_NO_SSLv3) new_context.use_privatekey(key) new_context.use_certificate(cert) - if self.alpn_selection is not None: - new_context.set_alpn_select_callback(self.alpn_selection) connection.set_context(new_context) class FakeConnection(object): @@ -119,8 +96,6 @@ class SSLSocket(object): # pylint: disable=too-few-public-methods context.set_options(SSL.OP_NO_SSLv2) context.set_options(SSL.OP_NO_SSLv3) context.set_tlsext_servername_callback(self._pick_certificate_cb) - if self.alpn_selection is not None: - context.set_alpn_select_callback(self.alpn_selection) ssl_sock = self.FakeConnection(SSL.Connection(context, sock)) ssl_sock.set_accept_state() @@ -136,9 +111,8 @@ class SSLSocket(object): # pylint: disable=too-few-public-methods return ssl_sock, addr -def probe_sni(name, host, port=443, timeout=300, # pylint: disable=too-many-arguments - method=_DEFAULT_TLSSNI01_SSL_METHOD, source_address=('', 0), - alpn_protocols=None): +def probe_sni(name, host, port=443, timeout=300, + method=_DEFAULT_TLSSNI01_SSL_METHOD, source_address=('', 0)): """Probe SNI server for SSL certificate. :param bytes name: Byte string to send as the server name in the @@ -150,8 +124,6 @@ def probe_sni(name, host, port=443, timeout=300, # pylint: disable=too-many-argu :param tuple source_address: Enables multi-path probing (selection of source interface). See `socket.creation_connection` for more info. Available only in Python 2.7+. - :param alpn_protocols: Protocols to request using ALPN. - :type alpn_protocols: `list` of `bytes` :raises acme.errors.Error: In case of any problems. @@ -188,8 +160,6 @@ def probe_sni(name, host, port=443, timeout=300, # pylint: disable=too-many-argu client_ssl = SSL.Connection(context, client) client_ssl.set_connect_state() client_ssl.set_tlsext_host_name(name) # pyOpenSSL>=0.13 - if alpn_protocols is not None: - client_ssl.set_alpn_protos(alpn_protocols) try: client_ssl.do_handshake() client_ssl.shutdown() @@ -281,14 +251,12 @@ def _pyopenssl_cert_or_req_san(cert_or_req): def gen_ss_cert(key, domains, not_before=None, - validity=(7 * 24 * 60 * 60), force_san=True, extensions=None): + validity=(7 * 24 * 60 * 60), force_san=True): """Generate new self-signed certificate. :type domains: `list` of `unicode` :param OpenSSL.crypto.PKey key: :param bool force_san: - :param extensions: List of additional extensions to include in the cert. - :type extensions: `list` of `OpenSSL.crypto.X509Extension` If more than one domain is provided, all of the domains are put into ``subjectAltName`` X.509 extension and first domain is set as the @@ -301,13 +269,10 @@ def gen_ss_cert(key, domains, not_before=None, cert.set_serial_number(int(binascii.hexlify(os.urandom(16)), 16)) cert.set_version(2) - if extensions is None: - extensions = [] - - extensions.append( + extensions = [ crypto.X509Extension( b"basicConstraints", True, b"CA:TRUE, pathlen:0"), - ) + ] cert.get_subject().CN = domains[0] # TODO: what to put into cert.get_subject()? diff --git a/acme/acme/crypto_util_test.py b/acme/acme/crypto_util_test.py index b661e4e70..36d62b324 100644 --- a/acme/acme/crypto_util_test.py +++ b/acme/acme/crypto_util_test.py @@ -19,6 +19,7 @@ from acme.magic_typing import List # pylint: disable=unused-import, no-name-in-m class SSLSocketAndProbeSNITest(unittest.TestCase): """Tests for acme.crypto_util.SSLSocket/probe_sni.""" + def setUp(self): self.cert = test_util.load_comparable_cert('rsa2048_cert.pem') key = test_util.load_pyopenssl_private_key('rsa2048_key.pem') @@ -33,8 +34,7 @@ class SSLSocketAndProbeSNITest(unittest.TestCase): # six.moves.* | pylint: disable=attribute-defined-outside-init,no-init def server_bind(self): # pylint: disable=missing-docstring - self.socket = SSLSocket(socket.socket(), - certs) + self.socket = SSLSocket(socket.socket(), certs=certs) socketserver.TCPServer.server_bind(self) self.server = _TestServer(('', 0), socketserver.BaseRequestHandler) @@ -66,18 +66,6 @@ class SSLSocketAndProbeSNITest(unittest.TestCase): # self.assertRaises(errors.Error, self._probe, b'bar') -class SSLSocketTest(unittest.TestCase): - """Tests for acme.crypto_util.SSLSocket.""" - - def test_ssl_socket_invalid_arguments(self): - from acme.crypto_util import SSLSocket - with self.assertRaises(ValueError): - _ = SSLSocket(None, {'sni': ('key', 'cert')}, - cert_selection=lambda _: None) - with self.assertRaises(ValueError): - _ = SSLSocket(None) - - class PyOpenSSLCertOrReqAllNamesTest(unittest.TestCase): """Test for acme.crypto_util._pyopenssl_cert_or_req_all_names.""" diff --git a/acme/acme/standalone.py b/acme/acme/standalone.py index 3bcb0b230..ff9159933 100644 --- a/acme/acme/standalone.py +++ b/acme/acme/standalone.py @@ -43,14 +43,7 @@ class TLSServer(socketserver.TCPServer): def _wrap_sock(self): self.socket = crypto_util.SSLSocket( - self.socket, cert_selection=self._cert_selection, - alpn_selection=getattr(self, '_alpn_selection', None), - method=self.method) - - def _cert_selection(self, connection): - """Callback selecting certificate for connection.""" - server_name = connection.get_servername() - return self.certs.get(server_name, None) + self.socket, certs=self.certs, method=self.method) def server_bind(self): # pylint: disable=missing-docstring self._wrap_sock() @@ -154,45 +147,6 @@ class TLSSNI01DualNetworkedServers(BaseDualNetworkedServers): BaseDualNetworkedServers.__init__(self, TLSSNI01Server, *args, **kwargs) -class BadALPNProtos(Exception): - """Error raised when cannot negotiate ALPN protocol.""" - pass - - -class TLSALPN01Server(TLSServer, ACMEServerMixin): - """TLSALPN01 Server.""" - - ACME_TLS_1_PROTOCOL = b"acme-tls/1" - - def __init__(self, server_address, certs, challenge_certs, ipv6=False): - TLSServer.__init__( - self, server_address, BaseRequestHandlerWithLogging, certs=certs, - ipv6=ipv6) - self.challenge_certs = challenge_certs - - def _cert_selection(self, connection): - # TODO: We would like to serve challenge cert only if asked for it via - # ALPN. To do this, we need to retrieve the list of protos from client - # hello, but this is currently impossible with openssl [0], and ALPN - # negotiation is done after cert selection. - # Therefore, currently we always return challenge cert, and terminate - # handshake in alpn_selection() if ALPN protos are not what we expect. - # [0] https://github.com/openssl/openssl/issues/4952 - server_name = connection.get_servername() - logger.debug("Serving challenge cert for server name %s", server_name) - return self.challenge_certs.get(server_name, None) - - def _alpn_selection(self, _connection, alpn_protos): - """Callback to select alpn protocol.""" - if len(alpn_protos) == 1 and alpn_protos[0] == self.ACME_TLS_1_PROTOCOL: - logger.debug("Agreed on %s ALPN", self.ACME_TLS_1_PROTOCOL) - return self.ACME_TLS_1_PROTOCOL - # Raising an exception causes openssl to terminate handshake and - # send fatal tls alert. - logger.debug("Cannot agree on ALPN proto. Got: %s", str(alpn_protos)) - raise BadALPNProtos("Got: %s" % str(alpn_protos)) - - class BaseRequestHandlerWithLogging(socketserver.BaseRequestHandler): """BaseRequestHandler with logging.""" diff --git a/acme/acme/standalone_test.py b/acme/acme/standalone_test.py index aee592187..1591187e5 100644 --- a/acme/acme/standalone_test.py +++ b/acme/acme/standalone_test.py @@ -10,7 +10,6 @@ import unittest from six.moves import http_client # pylint: disable=import-error from six.moves import socketserver # type: ignore # pylint: disable=import-error -from OpenSSL import SSL # type: ignore # https://github.com/python/typeshed/issues/2052 import josepy as jose import mock import requests @@ -120,62 +119,6 @@ class HTTP01ServerTest(unittest.TestCase): self.assertFalse(self._test_http01(add=False)) -@unittest.skipUnless( - hasattr(SSL.Connection, "set_alpn_protos") and - hasattr(SSL.Context, "set_alpn_select_callback"), - "pyOpenSSL too old") -class TLSALPN01ServerTest(unittest.TestCase): - """Test for acme.standalone.TLSALPN01Server.""" - - def setUp(self): - self.certs = {b'localhost': ( - test_util.load_pyopenssl_private_key('rsa2048_key.pem'), - test_util.load_cert('rsa2048_cert.pem'), - )} - # Use different certificate for challenge. - self.challenge_certs = {b'localhost': ( - test_util.load_pyopenssl_private_key('rsa1024_key.pem'), - test_util.load_cert('rsa1024_cert.pem'), - )} - from acme.standalone import TLSALPN01Server - self.server = TLSALPN01Server(("", 0), certs=self.certs, - challenge_certs=self.challenge_certs) - # pylint: disable=no-member - self.thread = threading.Thread(target=self.server.serve_forever) - self.thread.start() - - def tearDown(self): - self.server.shutdown() # pylint: disable=no-member - self.thread.join() - - #TODO: This is not implemented yet, see comments in standalone.py - #def test_certs(self): - # host, port = self.server.socket.getsockname()[:2] - # cert = crypto_util.probe_sni( - # b'localhost', host=host, port=port, timeout=1) - # # Expect normal cert when connecting without ALPN. - # self.assertEqual(jose.ComparableX509(cert), - # jose.ComparableX509(self.certs[b'localhost'][1])) - - def test_challenge_certs(self): - host, port = self.server.socket.getsockname()[:2] - cert = crypto_util.probe_sni( - b'localhost', host=host, port=port, timeout=1, - alpn_protocols=[b"acme-tls/1"]) - # Expect challenge cert when connecting with ALPN. - self.assertEqual( - jose.ComparableX509(cert), - jose.ComparableX509(self.challenge_certs[b'localhost'][1]) - ) - - def test_bad_alpn(self): - host, port = self.server.socket.getsockname()[:2] - with self.assertRaises(errors.Error): - crypto_util.probe_sni( - b'localhost', host=host, port=port, timeout=1, - alpn_protocols=[b"bad-alpn"]) - - class BaseDualNetworkedServersTest(unittest.TestCase): """Test for acme.standalone.BaseDualNetworkedServers.""" diff --git a/acme/acme/testdata/README b/acme/acme/testdata/README index d65cc3018..dfe3f5405 100644 --- a/acme/acme/testdata/README +++ b/acme/acme/testdata/README @@ -10,8 +10,6 @@ and for the CSR: openssl req -key rsa2048_key.pem -new -subj '/CN=example.com' -outform DER > csr.der -and for the certificates: +and for the certificate: - openssl req -key rsa2048_key.pem -new -subj '/CN=example.com' -x509 -outform DER > cert.der - openssl req -key rsa2048_key.pem -new -subj '/CN=example.com' -x509 > rsa2048_cert.pem - openssl req -key rsa1024_key.pem -new -subj '/CN=example.com' -x509 > rsa1024_cert.pem + openssl req -key rsa2047_key.pem -new -subj '/CN=example.com' -x509 -outform DER > cert.der diff --git a/acme/acme/testdata/rsa1024_cert.pem b/acme/acme/testdata/rsa1024_cert.pem deleted file mode 100644 index 1b7912181..000000000 --- a/acme/acme/testdata/rsa1024_cert.pem +++ /dev/null @@ -1,13 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIB/TCCAWagAwIBAgIJAOyRIBs3QT8QMA0GCSqGSIb3DQEBCwUAMBYxFDASBgNV -BAMMC2V4YW1wbGUuY29tMB4XDTE4MDQyMzEwMzE0NFoXDTE4MDUyMzEwMzE0NFow -FjEUMBIGA1UEAwwLZXhhbXBsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJ -AoGBAJqJ87R8aVwByONxgQA9hwgvQd/QqI1r1UInXhEF2VnEtZGtUWLi100IpIqr -Mq4qusDwNZ3g8cUPtSkvJGs89djoajMDIJP7lQUEKUYnYrI0q755Tr/DgLWSk7iW -l5ezym0VzWUD0/xXUz8yRbNMTjTac80rS5SZk2ja2wWkYlRJAgMBAAGjUzBRMB0G -A1UdDgQWBBSsaX0IVZ4XXwdeffVAbG7gnxSYjTAfBgNVHSMEGDAWgBSsaX0IVZ4X -XwdeffVAbG7gnxSYjTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GB -ADe7SVmvGH2nkwVfONk8TauRUDkePN1CJZKFb2zW1uO9ANJ2v5Arm/OQp0BG/xnI -Djw/aLTNVESF89oe15dkrUErtcaF413MC1Ld5lTCaJLHLGqDKY69e02YwRuxW7jY -qarpt7k7aR5FbcfO5r4V/FK/Gvp4Dmoky8uap7SJIW6x ------END CERTIFICATE----- From 2304f7fcdadd6baad61a925e9a11541d2b534d6f Mon Sep 17 00:00:00 2001 From: Joona Hoikkala Date: Wed, 27 Jun 2018 19:32:53 +0300 Subject: [PATCH 245/256] Remove unnecessary dotfiles (#6151) --- .../augeas_vhosts/apache2/mods-enabled/.gitignore | 0 .../multiple_vhosts/apache2/mods-enabled/.gitignore | 0 .../apache/apache2/modules.d/.keep_www-servers_apache-2 | 0 .../apache/apache2/vhosts.d/.keep_www-servers_apache-2 | 0 4 files changed, 0 insertions(+), 0 deletions(-) delete mode 100644 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-enabled/.gitignore delete mode 100644 certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/multiple_vhosts/apache2/mods-enabled/.gitignore delete mode 100644 certbot-apache/certbot_apache/tests/testdata/gentoo_apache/apache/apache2/modules.d/.keep_www-servers_apache-2 delete mode 100644 certbot-apache/certbot_apache/tests/testdata/gentoo_apache/apache/apache2/vhosts.d/.keep_www-servers_apache-2 diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-enabled/.gitignore b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/augeas_vhosts/apache2/mods-enabled/.gitignore deleted file mode 100644 index e69de29bb..000000000 diff --git a/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/multiple_vhosts/apache2/mods-enabled/.gitignore b/certbot-apache/certbot_apache/tests/testdata/debian_apache_2_4/multiple_vhosts/apache2/mods-enabled/.gitignore deleted file mode 100644 index e69de29bb..000000000 diff --git a/certbot-apache/certbot_apache/tests/testdata/gentoo_apache/apache/apache2/modules.d/.keep_www-servers_apache-2 b/certbot-apache/certbot_apache/tests/testdata/gentoo_apache/apache/apache2/modules.d/.keep_www-servers_apache-2 deleted file mode 100644 index e69de29bb..000000000 diff --git a/certbot-apache/certbot_apache/tests/testdata/gentoo_apache/apache/apache2/vhosts.d/.keep_www-servers_apache-2 b/certbot-apache/certbot_apache/tests/testdata/gentoo_apache/apache/apache2/vhosts.d/.keep_www-servers_apache-2 deleted file mode 100644 index e69de29bb..000000000 From f169e7374bedf11a77c860d522f7e9b7eaad0824 Mon Sep 17 00:00:00 2001 From: Joona Hoikkala Date: Wed, 27 Jun 2018 21:35:01 +0300 Subject: [PATCH 246/256] Interactive certificate selection with install verb (#6097) If either --cert-name or both --key-path and --cert-path (in which case the user requests installation for a certificate not managed by Certbot) are not provided, prompt the user with managed certificates and let them choose. Fixes: #5824 --- certbot/main.py | 7 +++++++ certbot/tests/main_test.py | 26 +++++++++++++++++--------- 2 files changed, 24 insertions(+), 9 deletions(-) diff --git a/certbot/main.py b/certbot/main.py index a457919d4..6078f87a6 100644 --- a/certbot/main.py +++ b/certbot/main.py @@ -789,6 +789,13 @@ def install(config, plugins): except errors.PluginSelectionError as e: return str(e) + custom_cert = (config.key_path and config.cert_path) + if not config.certname and not custom_cert: + certname_question = "Which certificate would you like to install?" + config.certname = cert_manager.get_certnames( + config, "install", allow_multiple=False, + custom_prompt=certname_question)[0] + if not enhancements.are_supported(config, installer): raise errors.NotSupportedError("One ore more of the requested enhancements " "are not supported by the selected installer") diff --git a/certbot/tests/main_test.py b/certbot/tests/main_test.py index 24d059e53..a2115a486 100644 --- a/certbot/tests/main_test.py +++ b/certbot/tests/main_test.py @@ -761,20 +761,25 @@ class MainTest(test_util.ConfigTestCase): # pylint: disable=too-many-public-met @mock.patch('certbot.main.plug_sel.record_chosen_plugins') @mock.patch('certbot.main.plug_sel.pick_installer') def test_installer_param_error(self, _inst, _rec): - self.assertRaises(errors.ConfigurationError, - self._call, - ['install', '--key-path', '/tmp/key_path']) - self.assertRaises(errors.ConfigurationError, - self._call, - ['install', '--cert-path', '/tmp/key_path']) - self.assertRaises(errors.ConfigurationError, - self._call, - ['install']) self.assertRaises(errors.ConfigurationError, self._call, ['install', '--cert-name', 'notfound', '--key-path', 'invalid']) + @mock.patch('certbot.main.plug_sel.record_chosen_plugins') + @mock.patch('certbot.main.plug_sel.pick_installer') + @mock.patch('certbot.cert_manager.get_certnames') + @mock.patch('certbot.main._install_cert') + def test_installer_select_cert(self, mock_inst, mock_getcert, _inst, _rec): + mock_lineage = mock.MagicMock(cert_path="/tmp/cert", chain_path="/tmp/chain", + fullchain_path="/tmp/chain", + key_path="/tmp/privkey") + with mock.patch("certbot.cert_manager.lineage_for_certname") as mock_getlin: + mock_getlin.return_value = mock_lineage + self._call(['install'], mockisfile=True) + self.assertTrue(mock_getcert.called) + self.assertTrue(mock_inst.called) + @mock.patch('certbot.main._report_new_cert') @mock.patch('certbot.util.exe_exists') def test_configurator_selection(self, mock_exe_exists, unused_report): @@ -1742,6 +1747,7 @@ class InstallTest(test_util.ConfigTestCase): mock_inst.return_value = null.Installer(self.config, "null") plugins = disco.PluginsRegistry.find_all() self.config.auto_hsts = True + self.config.certname = "nonexistent" self.assertRaises(errors.NotSupportedError, main.install, self.config, plugins) @@ -1753,6 +1759,8 @@ class InstallTest(test_util.ConfigTestCase): plugins = disco.PluginsRegistry.find_all() self.config.auto_hsts = True self.config.certname = None + self.config.key_path = "/tmp/nonexistent" + self.config.cert_path = "/tmp/nonexistent" self.assertRaises(errors.ConfigurationError, main.install, self.config, plugins) From ad3c547e1fcd88d7877f0abbed3cf999ba7fc94b Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Wed, 27 Jun 2018 14:29:21 -0700 Subject: [PATCH 247/256] Update cli-help.txt to use generic values (#6143) --- docs/cli-help.txt | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/cli-help.txt b/docs/cli-help.txt index 49821a7b5..594bcfd04 100644 --- a/docs/cli-help.txt +++ b/docs/cli-help.txt @@ -108,12 +108,12 @@ optional arguments: case, and to know when to deprecate support for past Python versions and flags. If you wish to hide this information from the Let's Encrypt server, set this to - "". (default: CertbotACMEClient/0.25.1 (certbot; - darwin 10.13.5) Authenticator/XXX Installer/YYY - (SUBCOMMAND; flags: FLAGS) Py/2.7.15). The flags - encoded in the user agent are: --duplicate, --force- - renew, --allow-subset-of-names, -n, and whether any - hooks are set. + "". (default: CertbotACMEClient/0.25.1 + (certbot(-auto); OS_NAME OS_VERSION) Authenticator/XXX + Installer/YYY (SUBCOMMAND; flags: FLAGS) + Py/major.minor.patchlevel). The flags encoded in the + user agent are: --duplicate, --force-renew, --allow- + subset-of-names, -n, and whether any hooks are set. --user-agent-comment USER_AGENT_COMMENT Add a comment to the default user agent string. May be used when repackaging Certbot or calling it from @@ -638,7 +638,7 @@ nginx: Nginx Web Server plugin - Alpha --nginx-server-root NGINX_SERVER_ROOT - Nginx server root directory. (default: + Nginx server root directory. (default: /etc/nginx or /usr/local/etc/nginx) --nginx-ctl NGINX_CTL Path to the 'nginx' binary, used for 'configtest' and From 742a57722ba99812920baae47a8d6b094859a952 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Wed, 27 Jun 2018 17:35:43 -0700 Subject: [PATCH 248/256] fix server_root default tests on macOS (#6149) --- certbot-nginx/certbot_nginx/tests/configurator_test.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/certbot-nginx/certbot_nginx/tests/configurator_test.py b/certbot-nginx/certbot_nginx/tests/configurator_test.py index 75dfca563..4d23f3518 100644 --- a/certbot-nginx/certbot_nginx/tests/configurator_test.py +++ b/certbot-nginx/certbot_nginx/tests/configurator_test.py @@ -971,8 +971,7 @@ class DetermineDefaultServerRootTest(certbot_test_util.ConfigTestCase): self.assertIn("/usr/local/etc/nginx", server_root) self.assertIn("/etc/nginx", server_root) else: - self.assertTrue("/etc/nginx" in server_root or "/usr/local/etc/nginx" in server_root) - self.assertFalse("/etc/nginx" in server_root and "/usr/local/etc/nginx" in server_root) + self.assertTrue(server_root == "/etc/nginx" or server_root == "/usr/local/etc/nginx") if __name__ == "__main__": From d00a31622dd4f797a75b140b95320e99bcc4c953 Mon Sep 17 00:00:00 2001 From: Bahram Aghaei Date: Thu, 28 Jun 2018 17:43:52 +0000 Subject: [PATCH 249/256] run Isort on imported packages (#6138) --- setup.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/setup.py b/setup.py index e32925583..8176883ad 100644 --- a/setup.py +++ b/setup.py @@ -2,8 +2,7 @@ import codecs import os import re -from setuptools import setup -from setuptools import find_packages +from setuptools import find_packages, setup # Workaround for http://bugs.python.org/issue8876, see # http://bugs.python.org/issue8876#msg208792 From 64e06d4201a8695580533c3cb07370fac226ebea Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 28 Jun 2018 10:55:21 -0700 Subject: [PATCH 250/256] Use greater than or equal to in requirements. (#6117) * Use greater than or equal to in requirements. This changes the existing requirements using strictly greater than to greater than or equal to so that they're more conventional. * Use >= for certbot-postfix. Despite it previously saying 'certbot>0.23.0', certbot-postfix/local-oldest-requirements.txt was pinned to 0.23.0 so let's just use certbot>=0.23.0. --- certbot-apache/setup.py | 4 ++-- certbot-dns-route53/setup.py | 2 +- certbot-nginx/setup.py | 2 +- certbot-postfix/setup.py | 2 +- setup.py | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/certbot-apache/setup.py b/certbot-apache/setup.py index 8d15e7971..ffaa6a863 100644 --- a/certbot-apache/setup.py +++ b/certbot-apache/setup.py @@ -7,8 +7,8 @@ version = '0.26.0.dev0' # Remember to update local-oldest-requirements.txt when changing the minimum # acme/certbot version. install_requires = [ - 'acme>0.24.0', - 'certbot>0.25.1', + 'acme>=0.25.0', + 'certbot>=0.26.0.dev0', 'mock', 'python-augeas', 'setuptools', diff --git a/certbot-dns-route53/setup.py b/certbot-dns-route53/setup.py index 8e2821332..c8806e862 100644 --- a/certbot-dns-route53/setup.py +++ b/certbot-dns-route53/setup.py @@ -6,7 +6,7 @@ version = '0.26.0.dev0' # Remember to update local-oldest-requirements.txt when changing the minimum # acme/certbot version. install_requires = [ - 'acme>0.24.0', + 'acme>=0.25.0', 'certbot>=0.21.1', 'boto3', 'mock', diff --git a/certbot-nginx/setup.py b/certbot-nginx/setup.py index d9cb4a9c2..b486b2778 100644 --- a/certbot-nginx/setup.py +++ b/certbot-nginx/setup.py @@ -8,7 +8,7 @@ version = '0.26.0.dev0' # acme/certbot version. install_requires = [ 'acme>=0.25.0', - 'certbot>0.21.1', + 'certbot>=0.22.0', 'mock', 'PyOpenSSL', 'pyparsing>=1.5.5', # Python3 support; perhaps unnecessary? diff --git a/certbot-postfix/setup.py b/certbot-postfix/setup.py index cde1ac7c2..4c53477d2 100644 --- a/certbot-postfix/setup.py +++ b/certbot-postfix/setup.py @@ -6,7 +6,7 @@ version = '0.26.0.dev0' install_requires = [ 'acme>=0.25.0', - 'certbot>0.23.0', + 'certbot>=0.23.0', 'setuptools', 'six', 'zope.component', diff --git a/setup.py b/setup.py index 8176883ad..9ef9ec0d2 100644 --- a/setup.py +++ b/setup.py @@ -32,7 +32,7 @@ version = meta['version'] # specified here to avoid masking the more specific request requirements in # acme. See https://github.com/pypa/pip/issues/988 for more info. install_requires = [ - 'acme>0.24.0', + 'acme>=0.25.0', # We technically need ConfigArgParse 0.10.0 for Python 2.6 support, but # saying so here causes a runtime error against our temporary fork of 0.9.3 # in which we added 2.6 support (see #2243), so we relax the requirement. From a816cc89798823cc043058f016e4d89cb3fca4f6 Mon Sep 17 00:00:00 2001 From: ohemorange Date: Thu, 28 Jun 2018 13:34:16 -0700 Subject: [PATCH 251/256] Use account reuse symlink logic when loading an account (#6156) Fixes #6154. * add symlinking to load flow * test account reuse on load --- certbot/account.py | 36 ++++++++++++++++++++++------------- certbot/tests/account_test.py | 8 ++++++++ 2 files changed, 31 insertions(+), 13 deletions(-) diff --git a/certbot/account.py b/certbot/account.py index c4eeb1388..5e9455048 100644 --- a/certbot/account.py +++ b/certbot/account.py @@ -175,33 +175,43 @@ class AccountFileStorage(interfaces.AccountStorage): except errors.AccountStorageError: logger.debug("Account loading problem", exc_info=True) - if not accounts and server_path in constants.LE_REUSE_SERVERS: # find all for the next link down prev_server_path = constants.LE_REUSE_SERVERS[server_path] prev_accounts = self._find_all_for_server_path(prev_server_path) # if we found something, link to that if prev_accounts: - if os.path.islink(accounts_dir): - os.unlink(accounts_dir) - else: - try: - os.rmdir(accounts_dir) - except OSError: - return [] - prev_account_dir = self.config.accounts_dir_for_server_path(prev_server_path) - os.symlink(prev_account_dir, accounts_dir) + try: + self._symlink_to_accounts_dir(prev_server_path, server_path) + except OSError: + return [] accounts = prev_accounts return accounts def find_all(self): return self._find_all_for_server_path(self.config.server_path) + def _symlink_to_accounts_dir(self, prev_server_path, server_path): + accounts_dir = self.config.accounts_dir_for_server_path(server_path) + if os.path.islink(accounts_dir): + os.unlink(accounts_dir) + else: + os.rmdir(accounts_dir) + prev_account_dir = self.config.accounts_dir_for_server_path(prev_server_path) + os.symlink(prev_account_dir, accounts_dir) + def _load_for_server_path(self, account_id, server_path): account_dir_path = self._account_dir_path_for_server_path(account_id, server_path) - if not os.path.isdir(account_dir_path): - raise errors.AccountNotFound( - "Account at %s does not exist" % account_dir_path) + if not os.path.isdir(account_dir_path): # isdir is also true for symlinks + if server_path in constants.LE_REUSE_SERVERS: + prev_server_path = constants.LE_REUSE_SERVERS[server_path] + prev_loaded_account = self._load_for_server_path(account_id, prev_server_path) + # we didn't error so we found something, so create a symlink to that + self._symlink_to_accounts_dir(prev_server_path, server_path) + return prev_loaded_account + else: + raise errors.AccountNotFound( + "Account at %s does not exist" % account_dir_path) try: with open(self._regr_path(account_dir_path)) as regr_file: diff --git a/certbot/tests/account_test.py b/certbot/tests/account_test.py index a4fe5edb7..e7f82a5b8 100644 --- a/certbot/tests/account_test.py +++ b/certbot/tests/account_test.py @@ -241,6 +241,14 @@ class AccountFileStorageTest(test_util.ConfigTestCase): self._set_server('https://acme-staging-v02.api.letsencrypt.org/directory') self.assertEqual([], self.storage.find_all()) + def test_upgrade_load(self): + self._set_server('https://acme-staging.api.letsencrypt.org/directory') + self.storage.save(self.acc, self.mock_client) + prev_account = self.storage.load(self.acc.id) + self._set_server('https://acme-staging-v02.api.letsencrypt.org/directory') + account = self.storage.load(self.acc.id) + self.assertEqual(prev_account, account) + def test_load_ioerror(self): self.storage.save(self.acc, self.mock_client) mock_open = mock.mock_open() From 6e13c2ccc71e7629f451f89339870013fad7dc30 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 28 Jun 2018 15:06:52 -0700 Subject: [PATCH 252/256] Add --disable=locally-enabled to .pylintrc. (#6159) --- .pylintrc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pylintrc b/.pylintrc index 36d8c286f..1d3f0ac4f 100644 --- a/.pylintrc +++ b/.pylintrc @@ -41,7 +41,7 @@ load-plugins=linter_plugin # --enable=similarities". If you want to run only the classes checker, but have # no Warning level messages displayed, use"--disable=all --enable=classes # --disable=W" -disable=fixme,locally-disabled,abstract-class-not-used,abstract-class-little-used,bad-continuation,too-few-public-methods,no-self-use,invalid-name,too-many-instance-attributes,cyclic-import,duplicate-code +disable=fixme,locally-disabled,locally-enabled,abstract-class-not-used,abstract-class-little-used,bad-continuation,too-few-public-methods,no-self-use,invalid-name,too-many-instance-attributes,cyclic-import,duplicate-code # abstract-class-not-used cannot be disabled locally (at least in # pylint 1.4.1), same for abstract-class-little-used From 552e60a12691d434ea86a7c6bf5bc4a270651ba8 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Fri, 29 Jun 2018 05:27:58 -0700 Subject: [PATCH 253/256] Don't use hardcoded port in tests (#6145) * Don't use port 1234 in standalone tests. * rename unused variable * add back failure case * Add back probe connection error test. * fix lint * remove unused import * fix test file coverage * prevent future heisenbug --- acme/acme/crypto_util_test.py | 26 ++++++++++++++++-------- acme/acme/standalone_test.py | 37 ++++++++++++++--------------------- 2 files changed, 33 insertions(+), 30 deletions(-) diff --git a/acme/acme/crypto_util_test.py b/acme/acme/crypto_util_test.py index 36d62b324..168489d86 100644 --- a/acme/acme/crypto_util_test.py +++ b/acme/acme/crypto_util_test.py @@ -42,28 +42,38 @@ class SSLSocketAndProbeSNITest(unittest.TestCase): self.server_thread = threading.Thread( # pylint: disable=no-member target=self.server.handle_request) - self.server_thread.start() - time.sleep(1) # TODO: avoid race conditions in other way def tearDown(self): - self.server_thread.join() + if self.server_thread.is_alive(): + # The thread may have already terminated. + self.server_thread.join() # pragma: no cover def _probe(self, name): from acme.crypto_util import probe_sni return jose.ComparableX509(probe_sni( name, host='127.0.0.1', port=self.port)) + def _start_server(self): + self.server_thread.start() + time.sleep(1) # TODO: avoid race conditions in other way + def test_probe_ok(self): + self._start_server() self.assertEqual(self.cert, self._probe(b'foo')) def test_probe_not_recognized_name(self): + self._start_server() self.assertRaises(errors.Error, self._probe, b'bar') - # TODO: py33/py34 tox hangs forever on do_handshake in second probe - #def probe_connection_error(self): - # self._probe(b'foo') - # #time.sleep(1) # TODO: avoid race conditions in other way - # self.assertRaises(errors.Error, self._probe, b'bar') + def test_probe_connection_error(self): + # pylint has a hard time with six + self.server.server_close() # pylint: disable=no-member + original_timeout = socket.getdefaulttimeout() + try: + socket.setdefaulttimeout(1) + self.assertRaises(errors.Error, self._probe, b'bar') + finally: + socket.setdefaulttimeout(original_timeout) class PyOpenSSLCertOrReqAllNamesTest(unittest.TestCase): diff --git a/acme/acme/standalone_test.py b/acme/acme/standalone_test.py index 1591187e5..6beea038e 100644 --- a/acme/acme/standalone_test.py +++ b/acme/acme/standalone_test.py @@ -4,10 +4,10 @@ import shutil import socket import threading import tempfile -import time import unittest from six.moves import http_client # pylint: disable=import-error +from six.moves import queue # pylint: disable=import-error from six.moves import socketserver # type: ignore # pylint: disable=import-error import josepy as jose @@ -16,7 +16,6 @@ import requests from acme import challenges from acme import crypto_util -from acme import errors from acme import test_util from acme.magic_typing import Set # pylint: disable=unused-import, no-name-in-module @@ -261,10 +260,9 @@ class TestSimpleTLSSNI01Server(unittest.TestCase): os.path.join(localhost_dir, 'key.pem')) from acme.standalone import simple_tls_sni_01_server - self.port = 1234 self.thread = threading.Thread( target=simple_tls_sni_01_server, kwargs={ - 'cli_args': ('xxx', '--port', str(self.port)), + 'cli_args': ('filename',), 'forever': False, }, ) @@ -276,25 +274,20 @@ class TestSimpleTLSSNI01Server(unittest.TestCase): self.thread.join() shutil.rmtree(self.test_cwd) - def test_it(self): - max_attempts = 5 - for attempt in range(max_attempts): - try: - cert = crypto_util.probe_sni( - b'localhost', b'0.0.0.0', self.port) - except errors.Error: - self.assertTrue(attempt + 1 < max_attempts, "Timeout!") - time.sleep(1) # wait until thread starts - else: - self.assertEqual(jose.ComparableX509(cert), - test_util.load_comparable_cert( - 'rsa2048_cert.pem')) - break + @mock.patch('acme.standalone.logger') + def test_it(self, mock_logger): + # Use a Queue because mock objects aren't thread safe. + q = queue.Queue() # type: queue.Queue[int] + # Add port number to the queue. + mock_logger.info.side_effect = lambda *args: q.put(args[-1]) + self.thread.start() - if attempt == 0: - # the first attempt is always meant to fail, so we can test - # the socket failure code-path for probe_sni, as well - self.thread.start() + # After the timeout, an exception is raised if the queue is empty. + port = q.get(timeout=5) + cert = crypto_util.probe_sni(b'localhost', b'0.0.0.0', port) + self.assertEqual(jose.ComparableX509(cert), + test_util.load_comparable_cert( + 'rsa2048_cert.pem')) if __name__ == "__main__": From ab9851d97e7f58290d0299da8fec49f072226750 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Tue, 3 Jul 2018 06:57:58 -0700 Subject: [PATCH 254/256] Upgrade to the latest cryptography version (#6169) This allows certbot-auto and our development setup to work with Python 3.7. --- letsencrypt-auto-source/letsencrypt-auto | 51 ++++++++----------- .../pieces/dependency-requirements.txt | 51 ++++++++----------- 2 files changed, 40 insertions(+), 62 deletions(-) diff --git a/letsencrypt-auto-source/letsencrypt-auto b/letsencrypt-auto-source/letsencrypt-auto index dc9190630..d571a5a8d 100755 --- a/letsencrypt-auto-source/letsencrypt-auto +++ b/letsencrypt-auto-source/letsencrypt-auto @@ -1060,37 +1060,26 @@ ConfigArgParse==0.12.0 \ configobj==5.0.6 \ --hash=sha256:a2f5650770e1c87fb335af19a9b7eb73fc05ccf22144eb68db7d00cd2bcb0902 \ --no-binary configobj -cryptography==2.0.2 \ - --hash=sha256:187ae17358436d2c760f28c2aeb02fefa3f37647a9c5b6f7f7c3e83cd1c5a972 \ - --hash=sha256:19e43a13bbf52028dd1e810c803f2ad8880d0692d772f98d42e1eaf34bdee3d6 \ - --hash=sha256:da9291502cbc87dc0284a20c56876e4d2e68deac61cc43df4aec934e44ca97b1 \ - --hash=sha256:0954f8813095f581669330e0a2d5e726c33ac7f450c1458fac58bab54595e516 \ - --hash=sha256:d68b0cc40a8432ed3fc84876c519de704d6001800ec22b136e75ae841910c45b \ - --hash=sha256:2f8ad9580ab4da645cfea52a91d2da99a49a1e76616d8be68441a986fad652b0 \ - --hash=sha256:cc00b4511294f5f6b65c4e77a1a9c62f52490a63d2c120f3872176b40a82351e \ - --hash=sha256:cf896020f6a9f095a547b3d672c8db1ef2ed71fca11250731fa1d4a4cb8b1590 \ - --hash=sha256:e0fdb8322206fa02aa38f71519ff75dce2eb481b7e1110e2936795cb376bb6ee \ - --hash=sha256:277538466657ca5d6637f80be100242f9831d75138b788d718edd3aab34621f8 \ - --hash=sha256:2c77eb0560f54ce654ab82d6b2a64327a71ee969b29022bf9746ca311c9f5069 \ - --hash=sha256:755a7853b679e79d0a799351c092a9b0271f95ff54c8dd8823d8b527a2926a86 \ - --hash=sha256:77197a2d525e761cdd4c771180b4bd0d80703654c6385e4311cbbbe2beb56fa1 \ - --hash=sha256:eb8bb79d0ab00c931c8333b745f06fec481a51c52d70acd4ee95d6093ba5c386 \ - --hash=sha256:131f61de82ef28f3e20beb4bfc24f9692d28cecfd704e20e6c7f070f7793013a \ - --hash=sha256:ac35435974b2e27cd4520f29c191d7da36f4189aa3264e52c4c6c6d089ab6142 \ - --hash=sha256:04b6ea99daa2a8460728794213d76d45ad58ea247dc7e7ff148d7dd726e87863 \ - --hash=sha256:2b9442f8b4c3d575f6cc3db0e856034e0f5a9d55ecd636f52d8c496795b26952 \ - --hash=sha256:b3d3b3ecba1fe1bdb6f180770a137f877c8f07571f7b2934bb269475bcf0e5e8 \ - --hash=sha256:670a58c0d75cb0e78e73dd003bd96d4440bbb1f2bc041dcf7b81767ca4fb0ce9 \ - --hash=sha256:5af84d23bdb86b5e90aca263df1424b43f1748480bfcde3ac2a3cbe622612468 \ - --hash=sha256:ba22e8eefabdd7aca37d0c0c00d2274000d2cebb5cce9e5a710cb55bf8797b31 \ - --hash=sha256:b798b22fa7e92b439547323b8b719d217f1e1b7677585cfeeedf3b55c70bb7fb \ - --hash=sha256:59cff28af8cce96cb7e94a459726e1d88f6f5fa75097f9dcbebd99118d64ea4c \ - --hash=sha256:fe859e445abc9ba9e97950ddafb904e23234c4ecb76b0fae6c86e80592ce464a \ - --hash=sha256:655f3c474067f1e277430f23cc0549f0b1dc99b82aec6e53f80b9b2db7f76f11 \ - --hash=sha256:0ebc2be053c9a03a2f3e20a466e87bf12a51586b3c79bd2a22171b073a805346 \ - --hash=sha256:01e6e60654df64cca53733cda39446d67100c819c181d403afb120e0d2a71e1b \ - --hash=sha256:d46f4e5d455cb5563685c52ef212696f0a6cc1ea627603218eabbd8a095291d8 \ - --hash=sha256:3780b2663ee7ebb37cb83263326e3cd7f8b2ea439c448539d4b87de12c8d06ab +cryptography==2.2.2 \ + --hash=sha256:3f3b65d5a16e6b52fba63dc860b62ca9832f51f1a2ae5083c78b6840275f12dd \ + --hash=sha256:5251e7de0de66810833606439ca65c9b9e45da62196b0c88bfadf27740aac09f \ + --hash=sha256:551a3abfe0c8c6833df4192a63371aa2ff43afd8f570ed345d31f251d78e7e04 \ + --hash=sha256:5cb990056b7cadcca26813311187ad751ea644712022a3976443691168781b6f \ + --hash=sha256:60bda7f12ecb828358be53095fc9c6edda7de8f1ef571f96c00b2363643fa3cd \ + --hash=sha256:64b5c67acc9a7c83fbb4b69166f3105a0ab722d27934fac2cb26456718eec2ba \ + --hash=sha256:6fef51ec447fe9f8351894024e94736862900d3a9aa2961528e602eb65c92bdb \ + --hash=sha256:77d0ad229d47a6e0272d00f6bf8ac06ce14715a9fd02c9a97f5a2869aab3ccb2 \ + --hash=sha256:808fe471b1a6b777f026f7dc7bd9a4959da4bfab64972f2bbe91e22527c1c037 \ + --hash=sha256:9b62fb4d18529c84b961efd9187fecbb48e89aa1a0f9f4161c61b7fc42a101bd \ + --hash=sha256:9e5bed45ec6b4f828866ac6a6bedf08388ffcfa68abe9e94b34bb40977aba531 \ + --hash=sha256:9fc295bf69130a342e7a19a39d7bbeb15c0bcaabc7382ec33ef3b2b7d18d2f63 \ + --hash=sha256:abd070b5849ed64e6d349199bef955ee0ad99aefbad792f0c587f8effa681a5e \ + --hash=sha256:ba6a774749b6e510cffc2fb98535f717e0e5fd91c7c99a61d223293df79ab351 \ + --hash=sha256:c332118647f084c983c6a3e1dba0f3bcb051f69d12baccac68db8d62d177eb8a \ + --hash=sha256:d6f46e862ee36df81e6342c2177ba84e70f722d9dc9c6c394f9f1f434c4a5563 \ + --hash=sha256:db6013746f73bf8edd9c3d1d3f94db635b9422f503db3fc5ef105233d4c011ab \ + --hash=sha256:f57008eaff597c69cf692c3518f6d4800f0309253bb138b526a37fe9ef0c7471 \ + --hash=sha256:f6c821ac253c19f2ad4c8691633ae1d1a17f120d5b01ea1d256d7b602bc59887 enum34==1.1.2 ; python_version < '3.4' \ --hash=sha256:2475d7fcddf5951e92ff546972758802de5260bf409319a9f1934e6bbc8b1dc7 \ --hash=sha256:35907defb0f992b75ab7788f65fedc1cf20ffa22688e0e6f6f12afc06b3ea501 diff --git a/letsencrypt-auto-source/pieces/dependency-requirements.txt b/letsencrypt-auto-source/pieces/dependency-requirements.txt index 376e19deb..54498cb3e 100644 --- a/letsencrypt-auto-source/pieces/dependency-requirements.txt +++ b/letsencrypt-auto-source/pieces/dependency-requirements.txt @@ -64,37 +64,26 @@ ConfigArgParse==0.12.0 \ configobj==5.0.6 \ --hash=sha256:a2f5650770e1c87fb335af19a9b7eb73fc05ccf22144eb68db7d00cd2bcb0902 \ --no-binary configobj -cryptography==2.0.2 \ - --hash=sha256:187ae17358436d2c760f28c2aeb02fefa3f37647a9c5b6f7f7c3e83cd1c5a972 \ - --hash=sha256:19e43a13bbf52028dd1e810c803f2ad8880d0692d772f98d42e1eaf34bdee3d6 \ - --hash=sha256:da9291502cbc87dc0284a20c56876e4d2e68deac61cc43df4aec934e44ca97b1 \ - --hash=sha256:0954f8813095f581669330e0a2d5e726c33ac7f450c1458fac58bab54595e516 \ - --hash=sha256:d68b0cc40a8432ed3fc84876c519de704d6001800ec22b136e75ae841910c45b \ - --hash=sha256:2f8ad9580ab4da645cfea52a91d2da99a49a1e76616d8be68441a986fad652b0 \ - --hash=sha256:cc00b4511294f5f6b65c4e77a1a9c62f52490a63d2c120f3872176b40a82351e \ - --hash=sha256:cf896020f6a9f095a547b3d672c8db1ef2ed71fca11250731fa1d4a4cb8b1590 \ - --hash=sha256:e0fdb8322206fa02aa38f71519ff75dce2eb481b7e1110e2936795cb376bb6ee \ - --hash=sha256:277538466657ca5d6637f80be100242f9831d75138b788d718edd3aab34621f8 \ - --hash=sha256:2c77eb0560f54ce654ab82d6b2a64327a71ee969b29022bf9746ca311c9f5069 \ - --hash=sha256:755a7853b679e79d0a799351c092a9b0271f95ff54c8dd8823d8b527a2926a86 \ - --hash=sha256:77197a2d525e761cdd4c771180b4bd0d80703654c6385e4311cbbbe2beb56fa1 \ - --hash=sha256:eb8bb79d0ab00c931c8333b745f06fec481a51c52d70acd4ee95d6093ba5c386 \ - --hash=sha256:131f61de82ef28f3e20beb4bfc24f9692d28cecfd704e20e6c7f070f7793013a \ - --hash=sha256:ac35435974b2e27cd4520f29c191d7da36f4189aa3264e52c4c6c6d089ab6142 \ - --hash=sha256:04b6ea99daa2a8460728794213d76d45ad58ea247dc7e7ff148d7dd726e87863 \ - --hash=sha256:2b9442f8b4c3d575f6cc3db0e856034e0f5a9d55ecd636f52d8c496795b26952 \ - --hash=sha256:b3d3b3ecba1fe1bdb6f180770a137f877c8f07571f7b2934bb269475bcf0e5e8 \ - --hash=sha256:670a58c0d75cb0e78e73dd003bd96d4440bbb1f2bc041dcf7b81767ca4fb0ce9 \ - --hash=sha256:5af84d23bdb86b5e90aca263df1424b43f1748480bfcde3ac2a3cbe622612468 \ - --hash=sha256:ba22e8eefabdd7aca37d0c0c00d2274000d2cebb5cce9e5a710cb55bf8797b31 \ - --hash=sha256:b798b22fa7e92b439547323b8b719d217f1e1b7677585cfeeedf3b55c70bb7fb \ - --hash=sha256:59cff28af8cce96cb7e94a459726e1d88f6f5fa75097f9dcbebd99118d64ea4c \ - --hash=sha256:fe859e445abc9ba9e97950ddafb904e23234c4ecb76b0fae6c86e80592ce464a \ - --hash=sha256:655f3c474067f1e277430f23cc0549f0b1dc99b82aec6e53f80b9b2db7f76f11 \ - --hash=sha256:0ebc2be053c9a03a2f3e20a466e87bf12a51586b3c79bd2a22171b073a805346 \ - --hash=sha256:01e6e60654df64cca53733cda39446d67100c819c181d403afb120e0d2a71e1b \ - --hash=sha256:d46f4e5d455cb5563685c52ef212696f0a6cc1ea627603218eabbd8a095291d8 \ - --hash=sha256:3780b2663ee7ebb37cb83263326e3cd7f8b2ea439c448539d4b87de12c8d06ab +cryptography==2.2.2 \ + --hash=sha256:3f3b65d5a16e6b52fba63dc860b62ca9832f51f1a2ae5083c78b6840275f12dd \ + --hash=sha256:5251e7de0de66810833606439ca65c9b9e45da62196b0c88bfadf27740aac09f \ + --hash=sha256:551a3abfe0c8c6833df4192a63371aa2ff43afd8f570ed345d31f251d78e7e04 \ + --hash=sha256:5cb990056b7cadcca26813311187ad751ea644712022a3976443691168781b6f \ + --hash=sha256:60bda7f12ecb828358be53095fc9c6edda7de8f1ef571f96c00b2363643fa3cd \ + --hash=sha256:64b5c67acc9a7c83fbb4b69166f3105a0ab722d27934fac2cb26456718eec2ba \ + --hash=sha256:6fef51ec447fe9f8351894024e94736862900d3a9aa2961528e602eb65c92bdb \ + --hash=sha256:77d0ad229d47a6e0272d00f6bf8ac06ce14715a9fd02c9a97f5a2869aab3ccb2 \ + --hash=sha256:808fe471b1a6b777f026f7dc7bd9a4959da4bfab64972f2bbe91e22527c1c037 \ + --hash=sha256:9b62fb4d18529c84b961efd9187fecbb48e89aa1a0f9f4161c61b7fc42a101bd \ + --hash=sha256:9e5bed45ec6b4f828866ac6a6bedf08388ffcfa68abe9e94b34bb40977aba531 \ + --hash=sha256:9fc295bf69130a342e7a19a39d7bbeb15c0bcaabc7382ec33ef3b2b7d18d2f63 \ + --hash=sha256:abd070b5849ed64e6d349199bef955ee0ad99aefbad792f0c587f8effa681a5e \ + --hash=sha256:ba6a774749b6e510cffc2fb98535f717e0e5fd91c7c99a61d223293df79ab351 \ + --hash=sha256:c332118647f084c983c6a3e1dba0f3bcb051f69d12baccac68db8d62d177eb8a \ + --hash=sha256:d6f46e862ee36df81e6342c2177ba84e70f722d9dc9c6c394f9f1f434c4a5563 \ + --hash=sha256:db6013746f73bf8edd9c3d1d3f94db635b9422f503db3fc5ef105233d4c011ab \ + --hash=sha256:f57008eaff597c69cf692c3518f6d4800f0309253bb138b526a37fe9ef0c7471 \ + --hash=sha256:f6c821ac253c19f2ad4c8691633ae1d1a17f120d5b01ea1d256d7b602bc59887 enum34==1.1.2 ; python_version < '3.4' \ --hash=sha256:2475d7fcddf5951e92ff546972758802de5260bf409319a9f1934e6bbc8b1dc7 \ --hash=sha256:35907defb0f992b75ab7788f65fedc1cf20ffa22688e0e6f6f12afc06b3ea501 From cad95466b05e6be51c1c29eaa91e6e3b7ea3cefd Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 5 Jul 2018 02:11:04 -0700 Subject: [PATCH 255/256] Allow py37 testing (#6170) * Reorganize packages in tox to allow for py37 tests certbot-dns-cloudflare doesn't currently work in Python 3.7 because it transitively depends on pyYAML which doesn't yet support Python 3.7. See https://github.com/yaml/pyyaml/issues/126 for more info. * add py37 tox environment --- tox.ini | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/tox.ini b/tox.ini index ef71b52be..b44d30449 100644 --- a/tox.ini +++ b/tox.ini @@ -14,8 +14,7 @@ pip_install = {toxinidir}/tools/pip_install_editable.sh # before the script moves on to the next package. All dependencies are pinned # to a specific version for increased stability for developers. install_and_test = {toxinidir}/tools/install_and_test.sh -dns_packages = - certbot-dns-cloudflare \ +python37_compatible_dns_packages = certbot-dns-cloudxns \ certbot-dns-digitalocean \ certbot-dns-dnsimple \ @@ -25,14 +24,22 @@ dns_packages = certbot-dns-nsone \ certbot-dns-rfc2136 \ certbot-dns-route53 -all_packages = +dns_packages = + certbot-dns-cloudflare \ + {[base]python37_compatible_dns_packages} +nondns_packages = acme[dev] \ .[dev] \ certbot-apache \ - {[base]dns_packages} \ certbot-nginx \ certbot-postfix \ letshelp-certbot +python37_compatible_packages = + {[base]nondns_packages} \ + {[base]python37_compatible_dns_packages} +all_packages = + {[base]nondns_packages} \ + {[base]dns_packages} install_packages = {toxinidir}/tools/pip_install_editable.sh {[base]all_packages} source_paths = @@ -62,6 +69,13 @@ commands = setenv = PYTHONHASHSEED = 0 +[testenv:py37] +commands = + {[base]install_and_test} {[base]python37_compatible_packages} + python tests/lock_test.py +setenv = + {[testenv]setenv} + [testenv:py27-oldest] commands = {[testenv]commands} From cb076539ec99423b8e3f8ff7f0bc4fa2b7452766 Mon Sep 17 00:00:00 2001 From: Brad Warren Date: Thu, 5 Jul 2018 08:26:42 -0700 Subject: [PATCH 256/256] Remove .dev0 from version numbers during releases. (#6116) This allows us to depend on packages like acme>=0.26.0.dev0 during development and automatically change it to acme>=0.26.0 during the release. We use `git add -p` to be safe, but if .dev0 is used at all in our released setup.py files, we're probably doing something wrong. --- tools/release.sh | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/tools/release.sh b/tools/release.sh index 069d311d1..02c7ccca5 100755 --- a/tools/release.sh +++ b/tools/release.sh @@ -87,6 +87,14 @@ if [ "$RELEASE_BRANCH" != "candidate-$version" ] ; then fi git checkout "$RELEASE_BRANCH" +for pkg_dir in $SUBPKGS_NO_CERTBOT certbot-compatibility-test . +do + sed -i 's/\.dev0//' "$pkg_dir/setup.py" +done +# We only add Certbot's setup.py here because the other files are added in the +# call to SetVersion below. +git add -p setup.py + SetVersion() { ver="$1" # bumping Certbot's version number is done differently