line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
package Mail::Milter::Authentication::Handler::ARC; |
2
|
2
|
|
|
2
|
|
2038
|
use 5.20.0; |
|
2
|
|
|
|
|
13
|
|
3
|
2
|
|
|
2
|
|
12
|
use strict; |
|
2
|
|
|
|
|
4
|
|
|
2
|
|
|
|
|
49
|
|
4
|
2
|
|
|
2
|
|
13
|
use warnings; |
|
2
|
|
|
|
|
10
|
|
|
2
|
|
|
|
|
66
|
|
5
|
2
|
|
|
2
|
|
13
|
use Mail::Milter::Authentication::Pragmas; |
|
2
|
|
|
|
|
5
|
|
|
2
|
|
|
|
|
18
|
|
6
|
|
|
|
|
|
|
# ABSTRACT: Handler class for ARC |
7
|
|
|
|
|
|
|
our $VERSION = '3.20230911'; # VERSION |
8
|
2
|
|
|
2
|
|
518
|
use base 'Mail::Milter::Authentication::Handler'; |
|
2
|
|
|
|
|
6
|
|
|
2
|
|
|
|
|
253
|
|
9
|
2
|
|
|
2
|
|
535
|
use Mail::DKIM 1.20200824; |
|
2
|
|
|
|
|
170
|
|
|
2
|
|
|
|
|
77
|
|
10
|
2
|
|
|
2
|
|
1674
|
use Mail::DKIM::ARC::Signer; |
|
2
|
|
|
|
|
8582
|
|
|
2
|
|
|
|
|
91
|
|
11
|
2
|
|
|
2
|
|
2383
|
use Mail::DKIM::ARC::Verifier; |
|
2
|
|
|
|
|
7168
|
|
|
2
|
|
|
|
|
83
|
|
12
|
2
|
|
|
2
|
|
32
|
use Mail::DKIM::DNS; |
|
2
|
|
|
|
|
5
|
|
|
2
|
|
|
|
|
52
|
|
13
|
2
|
|
|
2
|
|
1641
|
use Mail::DKIM::TextWrap; |
|
2
|
|
|
|
|
2147
|
|
|
2
|
|
|
|
|
13649
|
|
14
|
|
|
|
|
|
|
|
15
|
|
|
|
|
|
|
sub default_config { |
16
|
|
|
|
|
|
|
return { |
17
|
0
|
|
|
0
|
0
|
0
|
'hide_none' => 0, |
18
|
|
|
|
|
|
|
'arcseal_domain' => undef, |
19
|
|
|
|
|
|
|
'arcseal_selector' => undef, |
20
|
|
|
|
|
|
|
'arcseal_algorithm' => 'rsa-sha256', |
21
|
|
|
|
|
|
|
'arcseal_key' => undef, |
22
|
|
|
|
|
|
|
'arcseal_keyfile' => undef, |
23
|
|
|
|
|
|
|
'arcseal_headers' => undef, |
24
|
|
|
|
|
|
|
'trusted_domains' => [], |
25
|
|
|
|
|
|
|
'rbl_whitelist' => '', |
26
|
|
|
|
|
|
|
'no_strict' => 0, |
27
|
|
|
|
|
|
|
}; |
28
|
|
|
|
|
|
|
} |
29
|
|
|
|
|
|
|
|
30
|
|
|
|
|
|
|
sub grafana_rows { |
31
|
0
|
|
|
0
|
0
|
0
|
my ( $self ) = @_; |
32
|
0
|
|
|
|
|
0
|
my @rows; |
33
|
0
|
|
|
|
|
0
|
push @rows, $self->get_json( 'ARC_metrics' ); |
34
|
0
|
|
|
|
|
0
|
return \@rows; |
35
|
|
|
|
|
|
|
} |
36
|
|
|
|
|
|
|
|
37
|
|
|
|
|
|
|
sub register_metrics { |
38
|
|
|
|
|
|
|
return { |
39
|
1
|
|
|
1
|
1
|
159
|
'arc_total' => 'The number of emails processed for ARC', |
40
|
|
|
|
|
|
|
'arc_signatures' => 'The number of signatures processed for ARC', |
41
|
|
|
|
|
|
|
'arcseal_total' => 'The number of ARC seals added', |
42
|
|
|
|
|
|
|
}; |
43
|
|
|
|
|
|
|
} |
44
|
|
|
|
|
|
|
|
45
|
|
|
|
|
|
|
sub is_domain_trusted { |
46
|
5
|
|
|
5
|
0
|
12
|
my ( $self, $domain ) = @_; |
47
|
5
|
50
|
|
|
|
13
|
return 0 if ! defined $domain; |
48
|
5
|
|
|
|
|
12
|
$domain = lc $domain; |
49
|
5
|
|
|
|
|
14
|
my $config = $self->handler_config(); |
50
|
|
|
|
|
|
|
|
51
|
5
|
|
|
|
|
12
|
my $trusted_domains = $config->{ 'trusted_domains' }; |
52
|
5
|
50
|
|
|
|
18
|
if ( $trusted_domains ) { |
53
|
5
|
|
|
|
|
10
|
foreach my $trusted_domain ( @$trusted_domains ) { |
54
|
5
|
50
|
|
|
|
16
|
if ( $domain eq lc $trusted_domain ) { |
55
|
|
|
|
|
|
|
#$self->dbgout( 'ARCResult', 'ARC domain trusted by static list', LOG_INFO ); |
56
|
5
|
|
|
|
|
15
|
return 1; |
57
|
|
|
|
|
|
|
} |
58
|
|
|
|
|
|
|
} |
59
|
|
|
|
|
|
|
} |
60
|
|
|
|
|
|
|
|
61
|
0
|
|
|
|
|
0
|
my $rbl_whitelist = $config->{ 'rbl_whitelist' }; |
62
|
0
|
0
|
|
|
|
0
|
if ( $rbl_whitelist ) { |
63
|
0
|
0
|
|
|
|
0
|
if ( $self->rbl_check_domain( $domain, $rbl_whitelist ) ) { |
64
|
|
|
|
|
|
|
#$self->dbgout( 'ARCResult', 'ARC domain trusted by dns list', LOG_INFO ); |
65
|
0
|
|
|
|
|
0
|
return 1; |
66
|
|
|
|
|
|
|
} |
67
|
|
|
|
|
|
|
} |
68
|
|
|
|
|
|
|
|
69
|
0
|
|
|
|
|
0
|
return 0; |
70
|
|
|
|
|
|
|
} |
71
|
|
|
|
|
|
|
|
72
|
|
|
|
|
|
|
sub get_trusted_spf_results { |
73
|
2
|
|
|
2
|
0
|
8
|
my ( $self ) = @_; |
74
|
|
|
|
|
|
|
|
75
|
2
|
|
|
|
|
10
|
my $aar = $self->get_trusted_arc_authentication_results(); |
76
|
2
|
100
|
|
|
|
16
|
return if ! $aar; |
77
|
|
|
|
|
|
|
|
78
|
1
|
|
|
|
|
3
|
my @trusted_results; |
79
|
|
|
|
|
|
|
|
80
|
1
|
|
|
|
|
8
|
foreach my $instance ( sort keys %$aar ) { |
81
|
1
|
|
|
|
|
2
|
eval { |
82
|
1
|
|
|
|
|
39
|
my $results = $aar->{$instance}->search({ 'isa' => 'entry', 'key' => 'spf' })->children(); |
83
|
|
|
|
|
|
|
RESULT: |
84
|
1
|
|
|
|
|
196
|
foreach my $result ( @$results ) { |
85
|
0
|
|
|
|
|
0
|
my $smtp_mailfrom = eval{ $result->search({ 'isa' => 'subentry', 'key' => 'smtp.mailfrom' })->children()->[0]->value() }; |
|
0
|
|
|
|
|
0
|
|
86
|
0
|
|
|
|
|
0
|
$self->handle_exception( $@ ); |
87
|
0
|
0
|
|
|
|
0
|
next RESULT if ! $smtp_mailfrom; |
88
|
0
|
|
|
|
|
0
|
my $result_domain = $self->get_domain_from( $smtp_mailfrom ); |
89
|
0
|
|
|
|
|
0
|
push @trusted_results, { |
90
|
|
|
|
|
|
|
'domain' => $result_domain, |
91
|
|
|
|
|
|
|
'scope' => 'mfrom', |
92
|
|
|
|
|
|
|
'result' => $result->value(), |
93
|
|
|
|
|
|
|
}; |
94
|
|
|
|
|
|
|
} |
95
|
|
|
|
|
|
|
}; |
96
|
1
|
50
|
|
|
|
6
|
if ( my $error = $@ ) { |
97
|
0
|
|
|
|
|
0
|
$self->handle_exception( $error ); |
98
|
0
|
|
|
|
|
0
|
$self->log_error( 'ARC Inherit Error ' . $error ); |
99
|
|
|
|
|
|
|
} |
100
|
|
|
|
|
|
|
} |
101
|
1
|
|
|
|
|
12
|
return \@trusted_results; |
102
|
|
|
|
|
|
|
} |
103
|
|
|
|
|
|
|
|
104
|
|
|
|
|
|
|
sub get_trusted_dkim_results { |
105
|
2
|
|
|
2
|
0
|
8
|
my ( $self ) = @_; |
106
|
|
|
|
|
|
|
|
107
|
2
|
|
|
|
|
6
|
my $aar = $self->get_trusted_arc_authentication_results(); |
108
|
2
|
100
|
|
|
|
13
|
return if ! $aar; |
109
|
|
|
|
|
|
|
|
110
|
1
|
|
|
|
|
4
|
my @trusted_results; |
111
|
|
|
|
|
|
|
|
112
|
1
|
|
|
|
|
5
|
foreach my $instance ( sort keys %$aar ) { |
113
|
1
|
|
|
|
|
4
|
eval { |
114
|
1
|
|
|
|
|
10
|
my $results = $aar->{$instance}->search({ 'isa' => 'entry', 'key' => 'dkim' })->children(); |
115
|
|
|
|
|
|
|
RESULT: |
116
|
1
|
|
|
|
|
319
|
foreach my $result ( @$results ) { |
117
|
1
|
|
|
|
|
3
|
my $entry_domain = eval{ $result->search({ 'isa' => 'subentry', 'key' => 'header.d' })->children()->[0]->value() }; |
|
1
|
|
|
|
|
6
|
|
118
|
1
|
|
|
|
|
272
|
$self->handle_exception( $@ ); |
119
|
1
|
50
|
|
|
|
5
|
if ( ! $entry_domain ) { |
120
|
|
|
|
|
|
|
# No domain, check for an identifier instead |
121
|
0
|
|
|
|
|
0
|
my $entry_domain = eval{ $result->search({ 'isa' => 'subentry', 'key' => 'header.i' })->children()->[0]->value() }; |
|
0
|
|
|
|
|
0
|
|
122
|
0
|
|
|
|
|
0
|
$self->handle_exception( $@ ); |
123
|
0
|
0
|
|
|
|
0
|
if ( $entry_domain ) { |
124
|
0
|
|
|
|
|
0
|
$entry_domain =~ s/^.*\@//; |
125
|
|
|
|
|
|
|
} |
126
|
|
|
|
|
|
|
} |
127
|
1
|
50
|
|
|
|
6
|
next RESULT if ! $entry_domain; |
128
|
1
|
|
|
|
|
4
|
$entry_domain = lc $entry_domain; |
129
|
|
|
|
|
|
|
|
130
|
1
|
|
|
|
|
14
|
my $entry_selector = eval{ $result->search({ 'isa' => 'subentry', 'key' => 'x-selector' })->children()->[0]->value() }; |
|
1
|
|
|
|
|
14
|
|
131
|
1
|
|
|
|
|
143
|
$self->handle_exception( $@ ); |
132
|
1
|
50
|
|
|
|
4
|
if ( ! defined $entry_selector ) { |
133
|
|
|
|
|
|
|
# Google are using header.s |
134
|
1
|
|
|
|
|
3
|
$entry_selector = eval{ $result->search({ 'isa' => 'subentry', 'key' => 'header.s' })->children()->[0]->value() }; |
|
1
|
|
|
|
|
28
|
|
135
|
1
|
|
|
|
|
140
|
$self->handle_exception( $@ ); |
136
|
|
|
|
|
|
|
} |
137
|
|
|
|
|
|
|
# If we don't have a selector then we fake it. |
138
|
1
|
50
|
|
|
|
12
|
$entry_selector = 'x-arc-chain' if ! defined $entry_selector; |
139
|
1
|
50
|
|
|
|
6
|
$entry_selector = 'x-arc-chain' if $entry_selector eq ''; |
140
|
|
|
|
|
|
|
## TODO If we can't find this in the ar header then we could |
141
|
|
|
|
|
|
|
## try looking for the Signature and pull it from there. |
142
|
|
|
|
|
|
|
## But let's not do that right now. |
143
|
1
|
50
|
|
|
|
3
|
next RESULT if ! $entry_selector; |
144
|
|
|
|
|
|
|
|
145
|
|
|
|
|
|
|
#my $result_domain = $self->get_domain_from( $smtp_mailfrom ); |
146
|
1
|
|
|
|
|
8
|
push @trusted_results, { |
147
|
|
|
|
|
|
|
'domain' => $entry_domain, |
148
|
|
|
|
|
|
|
'selector' => $entry_selector,, |
149
|
|
|
|
|
|
|
'result' => $result->value(), |
150
|
|
|
|
|
|
|
'human_result' => 'Trusted ARC entry', |
151
|
|
|
|
|
|
|
}; |
152
|
|
|
|
|
|
|
} |
153
|
|
|
|
|
|
|
}; |
154
|
1
|
50
|
|
|
|
25
|
if ( my $error = $@ ) { |
155
|
0
|
|
|
|
|
0
|
$self->handle_exception( $error ); |
156
|
0
|
|
|
|
|
0
|
$self->log_error( 'ARC Inherit Error ' . $error ); |
157
|
|
|
|
|
|
|
} |
158
|
|
|
|
|
|
|
} |
159
|
1
|
|
|
|
|
8
|
return \@trusted_results; |
160
|
|
|
|
|
|
|
} |
161
|
|
|
|
|
|
|
|
162
|
|
|
|
|
|
|
sub inherit_trusted_spf_results { |
163
|
1
|
|
|
1
|
0
|
2
|
my ( $self ) = @_; |
164
|
|
|
|
|
|
|
|
165
|
1
|
50
|
|
|
|
5
|
return if ( ! $self->is_handler_loaded( 'SPF' ) ); |
166
|
|
|
|
|
|
|
|
167
|
1
|
|
|
|
|
7
|
my $aar = $self->get_trusted_arc_authentication_results(); |
168
|
1
|
50
|
|
|
|
5
|
return if ! $aar; |
169
|
|
|
|
|
|
|
|
170
|
1
|
|
|
|
|
6
|
foreach my $instance ( sort keys %$aar ) { |
171
|
1
|
|
|
|
|
3
|
eval { |
172
|
|
|
|
|
|
|
# Find all ARC SPF results which passed |
173
|
1
|
|
|
|
|
10
|
my $results = $aar->{$instance}->search({ 'isa' => 'entry', 'key' => 'spf', 'value' => 'pass' })->children(); |
174
|
|
|
|
|
|
|
RESULT: |
175
|
1
|
|
|
|
|
286
|
foreach my $result ( @$results ) { |
176
|
|
|
|
|
|
|
|
177
|
|
|
|
|
|
|
# Does the entry have an x-arc-domain entry? if do then leave it alone. |
178
|
0
|
0
|
|
|
|
0
|
next RESULT if ( scalar @{ $result->search({ 'isa' => 'subentry', 'key' => 'x-arc-domain' })->children() }> 0 ); |
|
0
|
|
|
|
|
0
|
|
179
|
|
|
|
|
|
|
|
180
|
|
|
|
|
|
|
# Does the entry have a smtp.mailfrom entry we can match on? |
181
|
0
|
|
|
|
|
0
|
my $smtp_mailfrom = eval{ $result->search({ 'isa' => 'subentry', 'key' => 'smtp.mailfrom' })->children()->[0]->value() }; |
|
0
|
|
|
|
|
0
|
|
182
|
0
|
|
|
|
|
0
|
$self->handle_exception( $@ ); |
183
|
0
|
0
|
|
|
|
0
|
next RESULT if ! $smtp_mailfrom; |
184
|
0
|
|
|
|
|
0
|
$smtp_mailfrom = lc $smtp_mailfrom; |
185
|
|
|
|
|
|
|
|
186
|
|
|
|
|
|
|
# And add the new one |
187
|
0
|
|
|
|
|
0
|
$result->add_child( Mail::AuthenticationResults::Header::SubEntry->new()->set_key( 'x-arc-instance' )->safe_set_value( $instance ) ); |
188
|
0
|
|
|
|
|
0
|
$result->add_child( Mail::AuthenticationResults::Header::SubEntry->new()->set_key( 'x-arc-domain' )->safe_set_value( $self->{ 'arc_domain'}->{ $instance } ) ); |
189
|
0
|
|
|
|
|
0
|
$result->add_child( Mail::AuthenticationResults::Header::Comment->new()->safe_set_value( 'Trusted from aar.' . $instance . '.' . $self->{ 'arc_domain' }->{ $instance } ) ); |
190
|
0
|
|
|
|
|
0
|
$result->orphan(); |
191
|
0
|
|
|
|
|
0
|
$result->set_key( 'x-arc-spf' ); |
192
|
0
|
|
|
|
|
0
|
$self->add_auth_header( $result ); |
193
|
|
|
|
|
|
|
|
194
|
|
|
|
|
|
|
} |
195
|
|
|
|
|
|
|
}; |
196
|
1
|
50
|
|
|
|
10
|
if ( my $error = $@ ) { |
197
|
0
|
|
|
|
|
0
|
$self->handle_exception( $error ); |
198
|
0
|
|
|
|
|
0
|
$self->log_error( 'ARC Inherit Error ' . $error ); |
199
|
|
|
|
|
|
|
} |
200
|
|
|
|
|
|
|
} |
201
|
|
|
|
|
|
|
} |
202
|
|
|
|
|
|
|
|
203
|
|
|
|
|
|
|
sub inherit_trusted_dkim_results { |
204
|
1
|
|
|
1
|
0
|
3
|
my ( $self ) = @_; |
205
|
|
|
|
|
|
|
|
206
|
1
|
50
|
|
|
|
4
|
return if ( ! $self->is_handler_loaded( 'DKIM' ) ); |
207
|
|
|
|
|
|
|
|
208
|
1
|
|
|
|
|
5
|
my $aar = $self->get_trusted_arc_authentication_results(); |
209
|
1
|
50
|
|
|
|
5
|
return if ! $aar; |
210
|
|
|
|
|
|
|
|
211
|
1
|
|
|
|
|
5
|
foreach my $instance ( sort keys %$aar ) { |
212
|
1
|
|
|
|
|
3
|
eval { |
213
|
|
|
|
|
|
|
# Find all ARC DKIM results which passed |
214
|
1
|
|
|
|
|
7
|
my $results = $aar->{$instance}->search({ 'isa' => 'entry', 'key' => 'dkim', 'value' => 'pass' })->children(); |
215
|
|
|
|
|
|
|
RESULT: |
216
|
1
|
|
|
|
|
390
|
foreach my $result ( @$results ) { |
217
|
|
|
|
|
|
|
|
218
|
|
|
|
|
|
|
# Does the entry have an x-arc-domain entry? if do then leave it alone. |
219
|
1
|
50
|
|
|
|
3
|
next RESULT if ( scalar @{ $result->search({ 'isa' => 'subentry', 'key' => 'x-arc-domain' })->children() }> 0 ); |
|
1
|
|
|
|
|
5
|
|
220
|
|
|
|
|
|
|
|
221
|
|
|
|
|
|
|
# Does the entry have a domain identifier we can match on? |
222
|
1
|
|
|
|
|
124
|
my $entry_domain = eval{ $result->search({ 'isa' => 'subentry', 'key' => 'header.d' })->children()->[0]->value() }; |
|
1
|
|
|
|
|
7
|
|
223
|
1
|
|
|
|
|
274
|
$self->handle_exception( $@ ); |
224
|
1
|
50
|
|
|
|
7
|
if ( ! $entry_domain ) { |
225
|
|
|
|
|
|
|
# No domain, check for an identifier instead |
226
|
0
|
|
|
|
|
0
|
my $entry_domain = eval{ $result->search({ 'isa' => 'subentry', 'key' => 'header.i' })->children()->[0]->value() }; |
|
0
|
|
|
|
|
0
|
|
227
|
0
|
|
|
|
|
0
|
$self->handle_exception( $@ ); |
228
|
0
|
0
|
|
|
|
0
|
if ( $entry_domain ) { |
229
|
0
|
|
|
|
|
0
|
$entry_domain =~ s/^.*\@//; |
230
|
|
|
|
|
|
|
} |
231
|
|
|
|
|
|
|
} |
232
|
1
|
50
|
|
|
|
5
|
next RESULT if ! $entry_domain; |
233
|
1
|
|
|
|
|
5
|
$entry_domain = lc $entry_domain; |
234
|
|
|
|
|
|
|
|
235
|
|
|
|
|
|
|
# And add the new one |
236
|
1
|
|
|
|
|
23
|
$result->add_child( Mail::AuthenticationResults::Header::SubEntry->new()->set_key( 'x-arc-instance' )->safe_set_value( $instance ) ); |
237
|
1
|
|
|
|
|
117
|
$result->add_child( Mail::AuthenticationResults::Header::SubEntry->new()->set_key( 'x-arc-domain' )->safe_set_value( $self->{ 'arc_domain'}->{ $instance } ) ); |
238
|
1
|
|
|
|
|
97
|
$result->add_child( Mail::AuthenticationResults::Header::Comment->new()->safe_set_value( 'Trusted from aar.' . $instance . '.' . $self->{ 'arc_domain' }->{ $instance } ) ); |
239
|
1
|
|
|
|
|
501
|
$result->orphan(); |
240
|
1
|
|
|
|
|
14
|
$result->set_key( 'x-arc-dkim' ); |
241
|
1
|
|
|
|
|
20
|
$self->add_auth_header( $result ); |
242
|
|
|
|
|
|
|
|
243
|
|
|
|
|
|
|
} |
244
|
|
|
|
|
|
|
}; |
245
|
1
|
50
|
|
|
|
10
|
if ( my $error = $@ ) { |
246
|
0
|
|
|
|
|
0
|
$self->handle_exception( $error ); |
247
|
0
|
|
|
|
|
0
|
$self->log_error( 'ARC Inherit Error ' . $error ); |
248
|
|
|
|
|
|
|
} |
249
|
|
|
|
|
|
|
} |
250
|
|
|
|
|
|
|
} |
251
|
|
|
|
|
|
|
|
252
|
|
|
|
|
|
|
sub inherit_trusted_ip_results { |
253
|
1
|
|
|
1
|
0
|
4
|
my ( $self ) = @_; |
254
|
|
|
|
|
|
|
|
255
|
1
|
|
|
|
|
3
|
my $aar = $self->get_trusted_arc_authentication_results(); |
256
|
1
|
50
|
|
|
|
6
|
return if ! $aar; |
257
|
|
|
|
|
|
|
|
258
|
|
|
|
|
|
|
# Add result from first trusted ingress hop |
259
|
1
|
|
|
|
|
7
|
my ( $instance ) = sort keys %$aar; |
260
|
1
|
|
|
|
|
5
|
foreach my $thing ( sort qw { iprev x-ptr } ) { |
261
|
2
|
|
|
|
|
4
|
eval { |
262
|
2
|
|
|
|
|
10
|
my $results = $aar->{$instance}->search({ 'isa' => 'entry', 'key' => $thing })->children(); |
263
|
|
|
|
|
|
|
RESULT: |
264
|
2
|
|
|
|
|
344
|
foreach my $result ( @$results ) { |
265
|
0
|
0
|
|
|
|
0
|
next RESULT if ( scalar @{ $result->search({ 'isa' => 'subentry', 'key' => 'x-arc-domain' })->children() }> 0 ); |
|
0
|
|
|
|
|
0
|
|
266
|
0
|
|
|
|
|
0
|
$result->add_child( Mail::AuthenticationResults::Header::SubEntry->new()->set_key( 'x-arc-instance' )->safe_set_value( $instance ) ); |
267
|
0
|
|
|
|
|
0
|
$result->add_child( Mail::AuthenticationResults::Header::SubEntry->new()->set_key( 'x-arc-domain' )->safe_set_value( $self->{ 'arc_domain'}->{ $instance } ) ); |
268
|
0
|
|
|
|
|
0
|
$result->add_child( Mail::AuthenticationResults::Header::Comment->new()->safe_set_value( 'Trusted from aar.' . $instance . '.' . $self->{ 'arc_domain' }->{ $instance } ) ); |
269
|
0
|
|
|
|
|
0
|
$result->orphan(); |
270
|
0
|
|
|
|
|
0
|
$result->set_key( 'x-arc-'.$thing ); |
271
|
0
|
|
|
|
|
0
|
$self->add_auth_header( $result ); |
272
|
|
|
|
|
|
|
} |
273
|
|
|
|
|
|
|
}; |
274
|
2
|
50
|
|
|
|
13
|
if ( my $error = $@ ) { |
275
|
0
|
|
|
|
|
0
|
$self->handle_exception( $error ); |
276
|
0
|
|
|
|
|
0
|
$self->log_error( 'ARC Inherit Error ' . $error ); |
277
|
|
|
|
|
|
|
} |
278
|
|
|
|
|
|
|
} |
279
|
|
|
|
|
|
|
} |
280
|
|
|
|
|
|
|
|
281
|
|
|
|
|
|
|
sub get_trusted_arc_authentication_results { |
282
|
7
|
|
|
7
|
0
|
17
|
my ( $self ) = @_; |
283
|
|
|
|
|
|
|
|
284
|
|
|
|
|
|
|
# First, we need an arc pass or we trust nothing! |
285
|
7
|
100
|
|
|
|
27
|
return if $self->{ 'arc_result' } ne 'pass'; |
286
|
|
|
|
|
|
|
|
287
|
5
|
|
|
|
|
10
|
my $trusted_aar = {}; |
288
|
|
|
|
|
|
|
INSTANCE: |
289
|
5
|
|
|
|
|
10
|
foreach my $instance ( reverse sort keys %{$self->{ 'arc_auth_results' } } ) { |
|
5
|
|
|
|
|
19
|
|
290
|
5
|
|
50
|
|
|
18
|
my $signature_domain = $self->{'arc_domain'}->{ $instance } // q{}; |
291
|
5
|
50
|
|
|
|
13
|
if ( $self->is_domain_trusted( $signature_domain ) ) { |
292
|
|
|
|
|
|
|
# Clone this, so we can safely modify entries later |
293
|
5
|
|
|
|
|
130
|
$trusted_aar->{ $instance } = clone $self->{ 'arc_auth_results' }->{ $instance }; |
294
|
|
|
|
|
|
|
} |
295
|
|
|
|
|
|
|
else { |
296
|
|
|
|
|
|
|
# We don't trust this host, we can't trust anything before it! |
297
|
0
|
|
|
|
|
0
|
last INSTANCE; |
298
|
|
|
|
|
|
|
} |
299
|
|
|
|
|
|
|
} |
300
|
|
|
|
|
|
|
|
301
|
5
|
50
|
|
|
|
24
|
if ( scalar keys %$trusted_aar == 0 ) { |
302
|
0
|
|
|
|
|
0
|
return; |
303
|
|
|
|
|
|
|
} |
304
|
5
|
|
|
|
|
12
|
return $trusted_aar; |
305
|
|
|
|
|
|
|
} |
306
|
|
|
|
|
|
|
|
307
|
|
|
|
|
|
|
# Do we trust the entire chain |
308
|
|
|
|
|
|
|
sub is_chain_trusted { |
309
|
0
|
|
|
0
|
0
|
0
|
my ( $self ) = @_; |
310
|
0
|
0
|
|
|
|
0
|
return 0 if $self->{ 'arc_result' } ne 'pass'; |
311
|
0
|
|
|
|
|
0
|
foreach my $instance ( reverse sort keys %{$self->{ 'arc_auth_results' } } ) { |
|
0
|
|
|
|
|
0
|
|
312
|
0
|
|
0
|
|
|
0
|
my $signature_domain = $self->{'arc_domain'}->{ $instance } // q{}; |
313
|
0
|
0
|
|
|
|
0
|
return 0 if ! $self->is_domain_trusted( $signature_domain ); |
314
|
|
|
|
|
|
|
} |
315
|
0
|
|
|
|
|
0
|
return 1; |
316
|
|
|
|
|
|
|
} |
317
|
|
|
|
|
|
|
|
318
|
|
|
|
|
|
|
# Get the trusted ingress IP |
319
|
|
|
|
|
|
|
sub get_arc_trusted_ingress_ip { |
320
|
0
|
|
|
0
|
0
|
0
|
my ( $self ) = @_; |
321
|
0
|
|
|
|
|
0
|
my $aar = $self->get_trusted_arc_authentication_results(); |
322
|
0
|
0
|
|
|
|
0
|
return if ! $aar; |
323
|
0
|
|
|
|
|
0
|
my ( $first_instance ) = sort keys %$aar; |
324
|
0
|
0
|
|
|
|
0
|
return if ! $first_instance; |
325
|
|
|
|
|
|
|
|
326
|
0
|
|
|
|
|
0
|
my $ip; |
327
|
|
|
|
|
|
|
|
328
|
0
|
|
|
|
|
0
|
$ip = eval{ $aar->{$first_instance}->search({ 'isa' => 'entry', 'key' => 'iprev' })->children()->[0]->search({ 'isa' => 'subentry', 'key' => 'smtp.remote-ip'})->children()->[0]->value(); }; |
|
0
|
|
|
|
|
0
|
|
329
|
0
|
0
|
|
|
|
0
|
if ( my $error = $@ ) { |
330
|
0
|
|
|
|
|
0
|
$self->handle_exception( $error ); |
331
|
0
|
|
|
|
|
0
|
$self->log_error( 'ARC Inherit Error ' . $error ); |
332
|
|
|
|
|
|
|
} |
333
|
0
|
0
|
|
|
|
0
|
return $ip if $ip; |
334
|
|
|
|
|
|
|
|
335
|
0
|
|
|
|
|
0
|
$ip = eval{ $aar->{$first_instance}->search({ 'isa' => 'entry', 'key' => 'iprev' })->children()->[0]->search({ 'isa' => 'subentry', 'key' => 'policy.iprev'})->children()->[0]->value(); }; |
|
0
|
|
|
|
|
0
|
|
336
|
0
|
0
|
|
|
|
0
|
if ( my $error = $@ ) { |
337
|
0
|
|
|
|
|
0
|
$self->handle_exception( $error ); |
338
|
0
|
|
|
|
|
0
|
$self->log_error( 'ARC Inherit Error ' . $error ); |
339
|
|
|
|
|
|
|
} |
340
|
0
|
|
|
|
|
0
|
return $ip; |
341
|
|
|
|
|
|
|
} |
342
|
|
|
|
|
|
|
|
343
|
|
|
|
|
|
|
# Find the earliest instance in the trusted chain |
344
|
|
|
|
|
|
|
sub search_trusted_aar { |
345
|
0
|
|
|
0
|
0
|
0
|
my ( $self, $search ) = @_; |
346
|
0
|
|
|
|
|
0
|
my $trusted_aar = $self->get_trusted_arc_authentication_results(); |
347
|
0
|
0
|
|
|
|
0
|
return if ! $trusted_aar; |
348
|
0
|
|
|
|
|
0
|
foreach my $instance ( sort keys %{$trusted_aar} ) { |
|
0
|
|
|
|
|
0
|
|
349
|
0
|
|
|
|
|
0
|
my $found = $trusted_aar->{ $instance }->search( $search ); |
350
|
0
|
0
|
|
|
|
0
|
if ( scalar @{ $found->children() } ) { |
|
0
|
|
|
|
|
0
|
|
351
|
0
|
|
|
|
|
0
|
return $found; |
352
|
|
|
|
|
|
|
} |
353
|
|
|
|
|
|
|
} |
354
|
|
|
|
|
|
|
} |
355
|
|
|
|
|
|
|
|
356
|
|
|
|
|
|
|
sub envfrom_callback { |
357
|
10
|
|
|
10
|
0
|
40
|
my ( $self, $env_from ) = @_; |
358
|
10
|
|
|
|
|
36
|
$self->{'failmode'} = 0; |
359
|
10
|
|
|
|
|
42
|
$self->{'headers'} = []; |
360
|
10
|
|
|
|
|
38
|
$self->{'body'} = []; |
361
|
10
|
|
|
|
|
38
|
$self->{'has_arc'} = 0; |
362
|
10
|
|
|
|
|
34
|
$self->{'valid_domains'} = {}; |
363
|
10
|
|
|
|
|
38
|
$self->{'carry'} = q{}; |
364
|
10
|
|
|
|
|
49
|
$self->{'arc_auth_results'} = {}; |
365
|
10
|
|
|
|
|
53
|
$self->{'arc_domain'} = {}; |
366
|
10
|
|
|
|
|
26
|
$self->{'arc_result'} = ''; |
367
|
10
|
|
|
|
|
61
|
$self->destroy_object('arc'); |
368
|
|
|
|
|
|
|
} |
369
|
|
|
|
|
|
|
|
370
|
|
|
|
|
|
|
sub header_callback { |
371
|
46
|
|
|
46
|
0
|
151
|
my ( $self, $header, $value, $original ) = @_; |
372
|
46
|
|
|
|
|
100
|
my $EOL = "\015\012"; |
373
|
46
|
|
|
|
|
137
|
my $arc_chunk = $original . $EOL; |
374
|
46
|
|
|
|
|
409
|
$arc_chunk =~ s/\015?\012/$EOL/g; |
375
|
46
|
|
|
|
|
127
|
push @{$self->{'headers'}} , $arc_chunk; |
|
46
|
|
|
|
|
127
|
|
376
|
|
|
|
|
|
|
|
377
|
46
|
100
|
|
|
|
173
|
if ( lc($header) eq 'arc-authentication-results' ) { |
378
|
1
|
|
|
|
|
4
|
$self->{'has_arc'} = 1; |
379
|
1
|
|
|
|
|
5
|
my ( $instance, $aar ) = split( ';', $value, 2 ); |
380
|
1
|
|
|
|
|
18
|
$instance =~ s/.*i=(\d+).*$/$1/; |
381
|
1
|
|
|
|
|
4
|
my $parsed = eval{ Mail::AuthenticationResults->parser()->parse( $aar ) }; |
|
1
|
|
|
|
|
13
|
|
382
|
1
|
|
|
|
|
1867
|
$self->handle_exception( $@ ); |
383
|
1
|
|
|
|
|
5
|
$self->{'arc_auth_results'}->{ $instance } = $parsed; |
384
|
|
|
|
|
|
|
} |
385
|
|
|
|
|
|
|
|
386
|
46
|
100
|
|
|
|
132
|
if ( lc($header) eq 'arc-seal' ) { |
387
|
1
|
|
|
|
|
4
|
$self->{'has_arc'} = 1; |
388
|
|
|
|
|
|
|
} |
389
|
|
|
|
|
|
|
|
390
|
46
|
100
|
|
|
|
167
|
if ( lc($header) eq 'arc-message-signature' ) { |
391
|
1
|
|
|
|
|
6
|
$self->{'has_arc'} = 1; |
392
|
|
|
|
|
|
|
} |
393
|
|
|
|
|
|
|
} |
394
|
|
|
|
|
|
|
|
395
|
|
|
|
|
|
|
sub eoh_callback { |
396
|
10
|
|
|
10
|
0
|
50
|
my ($self) = @_; |
397
|
10
|
|
|
|
|
49
|
my $config = $self->handler_config(); |
398
|
|
|
|
|
|
|
|
399
|
10
|
|
|
|
|
92
|
$self->{'carry'} = q{}; |
400
|
|
|
|
|
|
|
|
401
|
10
|
0
|
33
|
|
|
71
|
if ($config->{arcseal_domain} and |
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
402
|
|
|
|
|
|
|
$config->{arcseal_selector} and |
403
|
|
|
|
|
|
|
($config->{arcseal_key} || $config->{arcseal_keyfile})) |
404
|
|
|
|
|
|
|
{ |
405
|
0
|
|
|
|
|
0
|
$self->{has_arcseal} = 1; |
406
|
|
|
|
|
|
|
} |
407
|
|
|
|
|
|
|
|
408
|
10
|
100
|
|
|
|
53
|
unless ($self->{'has_arc'}) { |
409
|
9
|
|
|
|
|
66
|
$self->metric_count( 'arc_total', { 'result' => 'none' } ); |
410
|
9
|
|
|
|
|
97
|
$self->dbgout( 'ARCResult', 'No ARC headers', LOG_DEBUG ); |
411
|
9
|
50
|
|
|
|
82
|
unless ($config->{'hide_none'}) { |
412
|
9
|
|
|
|
|
116
|
my $header = Mail::AuthenticationResults::Header::Entry->new()->set_key( 'arc' )->safe_set_value( 'none' ); |
413
|
9
|
|
|
|
|
761
|
$header->add_child( Mail::AuthenticationResults::Header::Comment->new()->safe_set_value( 'no signatures found' ) ); |
414
|
9
|
|
|
|
|
3382
|
$self->add_auth_header( $header ); |
415
|
|
|
|
|
|
|
} |
416
|
9
|
|
|
|
|
36
|
$self->{arc_result} = 'none'; |
417
|
9
|
50
|
|
|
|
52
|
delete $self->{headers} unless $self->{has_arcseal}; |
418
|
9
|
|
|
|
|
39
|
return; |
419
|
|
|
|
|
|
|
} |
420
|
|
|
|
|
|
|
|
421
|
1
|
|
|
|
|
3
|
my $arc; |
422
|
1
|
|
|
|
|
4
|
eval { |
423
|
1
|
|
|
|
|
2
|
my $UseStrict = 1; |
424
|
1
|
50
|
|
|
|
8
|
if ( $config->{ 'no_strict' } ) { |
425
|
0
|
|
|
|
|
0
|
$UseStrict = 0; |
426
|
|
|
|
|
|
|
} |
427
|
1
|
|
|
|
|
23
|
$arc = Mail::DKIM::ARC::Verifier->new( 'Strict' => $UseStrict ); |
428
|
1
|
|
|
|
|
109
|
my $resolver = $self->get_object('resolver'); |
429
|
1
|
|
|
|
|
11
|
Mail::DKIM::DNS::resolver($resolver); |
430
|
1
|
|
|
|
|
13
|
$self->set_object('arc', $arc, 1); |
431
|
|
|
|
|
|
|
}; |
432
|
1
|
50
|
|
|
|
4
|
if ( my $error = $@ ) { |
433
|
0
|
|
|
|
|
0
|
$self->handle_exception( $error ); |
434
|
0
|
|
|
|
|
0
|
$self->log_error( 'ARC Setup Error ' . $error ); |
435
|
0
|
|
|
|
|
0
|
$self->_check_error( $error ); |
436
|
0
|
|
|
|
|
0
|
$self->metric_count( 'arc_total', { 'result' => 'error' } ); |
437
|
0
|
|
|
|
|
0
|
$self->{'failmode'} = 1; |
438
|
0
|
|
|
|
|
0
|
$self->{arc_result} = 'fail'; # XXX - handle tempfail better |
439
|
0
|
0
|
|
|
|
0
|
delete $self->{headers} unless $self->{has_arcseal}; |
440
|
0
|
|
|
|
|
0
|
return; |
441
|
|
|
|
|
|
|
} |
442
|
|
|
|
|
|
|
|
443
|
1
|
|
|
|
|
3
|
eval { |
444
|
|
|
|
|
|
|
$arc->PRINT( join q{}, |
445
|
1
|
|
|
|
|
3
|
@{ $self->{'headers'} }, |
|
1
|
|
|
|
|
18
|
|
446
|
|
|
|
|
|
|
"\015\012", |
447
|
|
|
|
|
|
|
); |
448
|
|
|
|
|
|
|
}; |
449
|
1
|
50
|
|
|
|
4773
|
if ( my $error = $@ ) { |
450
|
0
|
|
|
|
|
0
|
$self->handle_exception( $error ); |
451
|
0
|
|
|
|
|
0
|
$self->log_error( 'ARC Headers Error ' . $error ); |
452
|
0
|
|
|
|
|
0
|
$self->_check_error( $error ); |
453
|
0
|
|
|
|
|
0
|
$self->metric_count( 'arc_total', { 'result' => 'error' } ); |
454
|
0
|
|
|
|
|
0
|
$self->{'failmode'} = 1; |
455
|
0
|
|
|
|
|
0
|
$self->{arc_result} = 'fail'; # XXX - handle tempfail better |
456
|
0
|
0
|
|
|
|
0
|
delete $self->{headers} unless $self->{has_arcseal}; |
457
|
0
|
|
|
|
|
0
|
return; |
458
|
|
|
|
|
|
|
} |
459
|
|
|
|
|
|
|
} |
460
|
|
|
|
|
|
|
|
461
|
|
|
|
|
|
|
sub body_callback { |
462
|
10
|
|
|
10
|
0
|
36
|
my ( $self, $body_chunk ) = @_; |
463
|
10
|
|
|
|
|
37
|
my $EOL = "\015\012"; |
464
|
|
|
|
|
|
|
|
465
|
10
|
|
|
|
|
23
|
my $arc_chunk; |
466
|
10
|
50
|
|
|
|
55
|
if ( $self->{'carry'} ne q{} ) { |
467
|
0
|
|
|
|
|
0
|
$arc_chunk = $self->{'carry'} . $body_chunk; |
468
|
0
|
|
|
|
|
0
|
$self->{'carry'} = q{}; |
469
|
|
|
|
|
|
|
} |
470
|
|
|
|
|
|
|
else { |
471
|
10
|
|
|
|
|
22
|
$arc_chunk = $body_chunk; |
472
|
|
|
|
|
|
|
} |
473
|
|
|
|
|
|
|
|
474
|
10
|
50
|
|
|
|
70
|
if ( substr( $arc_chunk, -1 ) eq "\015" ) { |
475
|
0
|
|
|
|
|
0
|
$self->{'carry'} = "\015"; |
476
|
0
|
|
|
|
|
0
|
$arc_chunk = substr( $arc_chunk, 0, -1 ); |
477
|
|
|
|
|
|
|
} |
478
|
|
|
|
|
|
|
|
479
|
10
|
|
|
|
|
101
|
$arc_chunk =~ s/\015?\012/$EOL/g; |
480
|
10
|
50
|
|
|
|
61
|
push @{$self->{body}}, $arc_chunk if $self->{has_arcseal}; |
|
0
|
|
|
|
|
0
|
|
481
|
|
|
|
|
|
|
|
482
|
10
|
100
|
66
|
|
|
70
|
if ($self->{has_arc} and not $self->{failmode}) { |
483
|
1
|
|
|
|
|
9
|
my $arc = $self->get_object('arc'); |
484
|
1
|
|
|
|
|
4
|
eval { |
485
|
1
|
|
|
|
|
8
|
$arc->PRINT( $arc_chunk ); |
486
|
|
|
|
|
|
|
}; |
487
|
1
|
50
|
|
|
|
177
|
if ( my $error = $@ ) { |
488
|
0
|
|
|
|
|
0
|
$self->handle_exception( $error ); |
489
|
0
|
|
|
|
|
0
|
$self->log_error( 'ARC Body Error ' . $error ); |
490
|
0
|
|
|
|
|
0
|
$self->_check_error( $error ); |
491
|
0
|
|
|
|
|
0
|
$self->metric_count( 'arc_total', { 'result' => 'error' } ); |
492
|
0
|
|
|
|
|
0
|
$self->{'failmode'} = 1; |
493
|
0
|
|
|
|
|
0
|
$self->{arc_result} = 'fail'; # XXX - handle tempfail better |
494
|
0
|
0
|
|
|
|
0
|
delete $self->{headers} unless $self->{has_arcseal}; |
495
|
|
|
|
|
|
|
} |
496
|
|
|
|
|
|
|
} |
497
|
|
|
|
|
|
|
} |
498
|
|
|
|
|
|
|
|
499
|
|
|
|
|
|
|
sub eom_requires { |
500
|
1
|
|
|
1
|
0
|
4
|
my ( $self ) = @_; |
501
|
1
|
|
|
|
|
5
|
my @requires; |
502
|
|
|
|
|
|
|
|
503
|
1
|
50
|
|
|
|
7
|
if ( $self->is_handler_loaded( 'DKIM' ) ) { |
504
|
1
|
|
|
|
|
5
|
push @requires, 'DKIM'; |
505
|
|
|
|
|
|
|
} |
506
|
|
|
|
|
|
|
|
507
|
1
|
|
|
|
|
3
|
return \@requires; |
508
|
|
|
|
|
|
|
} |
509
|
|
|
|
|
|
|
|
510
|
|
|
|
|
|
|
sub eom_callback { |
511
|
10
|
|
|
10
|
0
|
33
|
my ($self) = @_; |
512
|
|
|
|
|
|
|
|
513
|
10
|
0
|
33
|
|
|
45
|
push @{$self->{body}}, $self->{carry} if ($self->{carry} and $self->{has_arcseal}); |
|
0
|
|
|
|
|
0
|
|
514
|
|
|
|
|
|
|
|
515
|
|
|
|
|
|
|
# the rest of eom is only used for arc, not arcseal |
516
|
10
|
100
|
|
|
|
49
|
return unless $self->{'has_arc'}; |
517
|
1
|
50
|
|
|
|
6
|
return if $self->{'failmode'}; |
518
|
|
|
|
|
|
|
|
519
|
1
|
|
|
|
|
6
|
my $config = $self->handler_config(); |
520
|
|
|
|
|
|
|
|
521
|
1
|
|
|
|
|
5
|
my $arc = $self->get_object('arc'); |
522
|
|
|
|
|
|
|
|
523
|
1
|
|
|
|
|
4
|
eval { |
524
|
1
|
|
|
|
|
6
|
$arc->PRINT( $self->{'carry'} ); |
525
|
1
|
|
|
|
|
30
|
$arc->CLOSE(); |
526
|
1
|
|
|
|
|
4808
|
$self->check_timeout(); |
527
|
|
|
|
|
|
|
|
528
|
1
|
|
|
|
|
11
|
my $arc_result = $arc->result; |
529
|
1
|
|
|
|
|
15
|
my $arc_result_detail = $arc->result_detail; |
530
|
|
|
|
|
|
|
|
531
|
1
|
|
|
|
|
119
|
$self->metric_count( 'arc_total', { 'result' => $arc_result } ); |
532
|
|
|
|
|
|
|
|
533
|
1
|
|
|
|
|
7
|
$self->dbgout( 'ARCResult', $arc_result_detail, LOG_DEBUG ); |
534
|
|
|
|
|
|
|
|
535
|
1
|
|
|
|
|
13
|
my $header = Mail::AuthenticationResults::Header::Entry->new()->set_key( 'arc' )->safe_set_value( $arc_result ); |
536
|
|
|
|
|
|
|
|
537
|
1
|
|
|
|
|
129
|
my @items; |
538
|
1
|
|
|
|
|
3
|
foreach my $signature ( @{ $arc->{signatures} } ) { |
|
1
|
|
|
|
|
5
|
|
539
|
2
|
50
|
|
|
|
41
|
my $type = |
|
|
100
|
|
|
|
|
|
540
|
|
|
|
|
|
|
ref($signature) eq 'Mail::DKIM::ARC::Seal' ? 'as' |
541
|
|
|
|
|
|
|
: ref($signature) eq 'Mail::DKIM::ARC::MessageSignature' ? 'ams' |
542
|
|
|
|
|
|
|
: ref($signature); |
543
|
2
|
|
50
|
|
|
9
|
push @items, |
|
|
|
50
|
|
|
|
|
|
|
|
50
|
|
|
|
|
544
|
|
|
|
|
|
|
"$type." |
545
|
|
|
|
|
|
|
. ( $signature->instance() || '' ) . '.' |
546
|
|
|
|
|
|
|
. ( $signature->domain() || '(none)' ) . '=' |
547
|
|
|
|
|
|
|
. ( $signature->result_detail() || '?' ); |
548
|
2
|
|
|
|
|
90
|
$self->{ 'arc_domain' }->{ $signature->instance() } = $signature->domain(); |
549
|
|
|
|
|
|
|
} |
550
|
|
|
|
|
|
|
|
551
|
1
|
50
|
|
|
|
31
|
if ( @items ) { |
552
|
1
|
|
|
|
|
8
|
my $header_comment = Mail::AuthenticationResults::Header::Comment->new(); |
553
|
1
|
|
|
|
|
12
|
my $header_comment_text = join( ', ', @items ); |
554
|
|
|
|
|
|
|
# Try set_value first (required for potential nested comment), if this fails then |
555
|
|
|
|
|
|
|
# set using safe_set_value |
556
|
1
|
|
|
|
|
4
|
eval { $header_comment->set_value( $header_comment_text ); }; |
|
1
|
|
|
|
|
7
|
|
557
|
1
|
50
|
|
|
|
329
|
if ( my $error = $@ ) { |
558
|
0
|
|
|
|
|
0
|
$self->handle_exception( $error ); |
559
|
0
|
|
|
|
|
0
|
$header_comment->safe_set_value( $header_comment_text ); |
560
|
|
|
|
|
|
|
} |
561
|
1
|
|
|
|
|
5
|
$header->add_child( $header_comment ); |
562
|
|
|
|
|
|
|
} |
563
|
|
|
|
|
|
|
|
564
|
1
|
|
|
|
|
59
|
my $ip_address = $self->ip_address(); |
565
|
1
|
|
|
|
|
18
|
$header->add_child( Mail::AuthenticationResults::Header::SubEntry->new()->set_key( 'smtp.remote-ip' )->safe_set_value( $ip_address ) ); |
566
|
|
|
|
|
|
|
|
567
|
1
|
|
|
|
|
105
|
$self->add_auth_header( $header ); |
568
|
|
|
|
|
|
|
|
569
|
1
|
|
|
|
|
4
|
$self->{arc_result} = $arc_result; |
570
|
|
|
|
|
|
|
}; |
571
|
1
|
50
|
|
|
|
6
|
if ( my $error = $@ ) { |
572
|
0
|
|
|
|
|
0
|
$self->handle_exception( $error ); |
573
|
0
|
|
|
|
|
0
|
$self->log_error( 'ARC EOM Error ' . $error ); |
574
|
0
|
|
|
|
|
0
|
$self->_check_error( $error ); |
575
|
0
|
|
|
|
|
0
|
$self->metric_count( 'arc_total', { 'result' => 'error' } ); |
576
|
0
|
|
|
|
|
0
|
$self->{'failmode'} = 1; |
577
|
0
|
|
|
|
|
0
|
$self->{arc_result} = 'fail'; |
578
|
|
|
|
|
|
|
} |
579
|
|
|
|
|
|
|
|
580
|
1
|
|
|
|
|
7
|
$self->inherit_trusted_spf_results(); |
581
|
1
|
|
|
|
|
6
|
$self->inherit_trusted_dkim_results(); |
582
|
1
|
|
|
|
|
7
|
$self->inherit_trusted_ip_results(); |
583
|
|
|
|
|
|
|
} |
584
|
|
|
|
|
|
|
|
585
|
|
|
|
|
|
|
sub close_callback { |
586
|
0
|
|
|
0
|
0
|
0
|
my ( $self ) = @_; |
587
|
0
|
|
|
|
|
0
|
delete $self->{'failmode'}; |
588
|
0
|
|
|
|
|
0
|
delete $self->{'headers'}; |
589
|
0
|
|
|
|
|
0
|
delete $self->{'body'}; |
590
|
0
|
|
|
|
|
0
|
delete $self->{'carry'}; |
591
|
0
|
|
|
|
|
0
|
delete $self->{'has_arc'}; |
592
|
0
|
|
|
|
|
0
|
delete $self->{'has_arcseal'}; |
593
|
0
|
|
|
|
|
0
|
delete $self->{'valid_domains'}; |
594
|
0
|
|
|
|
|
0
|
delete $self->{'arc_domain'}; |
595
|
0
|
|
|
|
|
0
|
delete $self->{'arc_result'}; |
596
|
0
|
|
|
|
|
0
|
delete $self->{'arc_auth_results'}; |
597
|
0
|
|
|
|
|
0
|
$self->destroy_object('arc'); |
598
|
|
|
|
|
|
|
} |
599
|
|
|
|
|
|
|
|
600
|
|
|
|
|
|
|
sub _check_error { |
601
|
0
|
|
|
0
|
|
0
|
my ( $self, $error ) = @_; |
602
|
0
|
0
|
0
|
|
|
0
|
if ( $error =~ /^DNS error: query timed out/ |
|
|
0
|
0
|
|
|
|
|
|
|
0
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
603
|
|
|
|
|
|
|
or $error =~ /^DNS query timeout/ |
604
|
|
|
|
|
|
|
){ |
605
|
0
|
|
|
|
|
0
|
$self->log_error( 'Temp ARC Error - ' . $error ); |
606
|
0
|
|
|
|
|
0
|
my $header = Mail::AuthenticationResults::Header::Entry->new()->set_key( 'arc' )->safe_set_value( 'temperror' ); |
607
|
0
|
|
|
|
|
0
|
$header->add_child( Mail::AuthenticationResults::Header::Comment->new()->safe_set_value( 'dns timeout' ) ); |
608
|
0
|
|
|
|
|
0
|
$self->add_auth_header( $header ); |
609
|
|
|
|
|
|
|
} |
610
|
|
|
|
|
|
|
elsif ( $error =~ /^DNS error: SERVFAIL/ ){ |
611
|
0
|
|
|
|
|
0
|
$self->log_error( 'Temp ARC Error - ' . $error ); |
612
|
0
|
|
|
|
|
0
|
my $header = Mail::AuthenticationResults::Header::Entry->new()->set_key( 'arc' )->safe_set_value( 'temperror' ); |
613
|
0
|
|
|
|
|
0
|
$header->add_child( Mail::AuthenticationResults::Header::Comment->new()->safe_set_value( 'dns servfail' ) ); |
614
|
0
|
|
|
|
|
0
|
$self->add_auth_header( $header ); |
615
|
|
|
|
|
|
|
} |
616
|
|
|
|
|
|
|
elsif ( $error =~ /^no domain to fetch policy for$/ |
617
|
|
|
|
|
|
|
or $error =~ /^policy syntax error$/ |
618
|
|
|
|
|
|
|
or $error =~ /^empty domain label/ |
619
|
|
|
|
|
|
|
or $error =~ /^invalid name / |
620
|
|
|
|
|
|
|
){ |
621
|
0
|
|
|
|
|
0
|
$self->log_error( 'Perm ARC Error - ' . $error ); |
622
|
0
|
|
|
|
|
0
|
my $header = Mail::AuthenticationResults::Header::Entry->new()->set_key( 'arc' )->safe_set_value( 'permerror' ); |
623
|
0
|
|
|
|
|
0
|
$header->add_child( Mail::AuthenticationResults::Header::Comment->new()->safe_set_value( 'syntax or domain error' ) ); |
624
|
0
|
|
|
|
|
0
|
$self->add_auth_header( $header ); |
625
|
|
|
|
|
|
|
} |
626
|
|
|
|
|
|
|
else { |
627
|
0
|
|
|
|
|
0
|
$self->exit_on_close( 'Unexpected ARC Error - ' . $error ); |
628
|
0
|
|
|
|
|
0
|
my $header = Mail::AuthenticationResults::Header::Entry->new()->set_key( 'arc' )->safe_set_value( 'temperror' ); |
629
|
0
|
|
|
|
|
0
|
$self->add_auth_header( $header ); |
630
|
|
|
|
|
|
|
# Fill these in as they occur, but for unknowns err on the side of caution |
631
|
|
|
|
|
|
|
# and tempfail/exit |
632
|
0
|
|
|
|
|
0
|
$self->tempfail_on_error(); |
633
|
|
|
|
|
|
|
} |
634
|
|
|
|
|
|
|
} |
635
|
|
|
|
|
|
|
|
636
|
|
|
|
|
|
|
sub _fmtheader { |
637
|
0
|
|
|
0
|
|
0
|
my $header = shift; |
638
|
0
|
|
|
|
|
0
|
my $value = $header->{value}; |
639
|
0
|
|
|
|
|
0
|
$value =~ s/\015?\012/\015\012/gs; # make sure line endings are right |
640
|
0
|
|
|
|
|
0
|
return "$header->{field}: $value\015\012"; |
641
|
|
|
|
|
|
|
} |
642
|
|
|
|
|
|
|
|
643
|
|
|
|
|
|
|
sub addheader_callback { |
644
|
20
|
|
|
20
|
0
|
75
|
my $self = shift; |
645
|
20
|
|
|
|
|
47
|
my $handler = shift; |
646
|
|
|
|
|
|
|
|
647
|
20
|
50
|
|
|
|
115
|
return unless $self->{has_arcseal}; |
648
|
|
|
|
|
|
|
|
649
|
0
|
|
|
|
|
|
my $config = $self->handler_config(); |
650
|
|
|
|
|
|
|
|
651
|
0
|
|
|
|
|
|
eval { |
652
|
0
|
|
|
|
|
|
my %KeyOpts; |
653
|
0
|
0
|
|
|
|
|
if ($config->{arcseal_keyfile}) { |
654
|
0
|
|
|
|
|
|
$KeyOpts{KeyFile} = $config->{arcseal_keyfile}; |
655
|
|
|
|
|
|
|
} |
656
|
|
|
|
|
|
|
else { |
657
|
|
|
|
|
|
|
$KeyOpts{Key} = Mail::DKIM::PrivateKey->load( |
658
|
0
|
|
|
|
|
|
Data => $config->{arcseal_key}); |
659
|
|
|
|
|
|
|
} |
660
|
|
|
|
|
|
|
my $arcseal = Mail::DKIM::ARC::Signer->new( |
661
|
|
|
|
|
|
|
Algorithm => $config->{arcseal_algorithm}, |
662
|
|
|
|
|
|
|
Domain => $config->{arcseal_domain}, |
663
|
|
|
|
|
|
|
SrvId => $self->get_my_authserv_id(), |
664
|
|
|
|
|
|
|
Selector => $config->{arcseal_selector}, |
665
|
|
|
|
|
|
|
Headers => $config->{arcseal_headers}, |
666
|
|
|
|
|
|
|
# chain value is arc_result from previous seal validation |
667
|
|
|
|
|
|
|
Chain => $self->{arc_result}, |
668
|
0
|
|
|
|
|
|
Timestamp => time(), |
669
|
|
|
|
|
|
|
%KeyOpts, |
670
|
|
|
|
|
|
|
); |
671
|
|
|
|
|
|
|
|
672
|
|
|
|
|
|
|
# pre-headers from handler (reversed as they will add in reverse) |
673
|
0
|
0
|
|
|
|
|
foreach my $header (reverse @{$handler->{pre_headers} || []}) { |
|
0
|
|
|
|
|
|
|
674
|
0
|
|
|
|
|
|
$arcseal->PRINT(_fmtheader($header)); |
675
|
|
|
|
|
|
|
} |
676
|
|
|
|
|
|
|
|
677
|
|
|
|
|
|
|
# then all the original headers: XXX - this doesn't deal with |
678
|
|
|
|
|
|
|
# the change_header command, but only sanitize uses that. |
679
|
|
|
|
|
|
|
# It would be a massive pain to make that work consistently, |
680
|
|
|
|
|
|
|
# as it would need to modify the already cached headers in |
681
|
|
|
|
|
|
|
# each handler with the current architecture |
682
|
0
|
0
|
|
|
|
|
foreach my $chunk (@{$self->{headers} || []}) { |
|
0
|
|
|
|
|
|
|
683
|
0
|
|
|
|
|
|
$arcseal->PRINT($chunk); |
684
|
|
|
|
|
|
|
} |
685
|
|
|
|
|
|
|
|
686
|
|
|
|
|
|
|
# post-headers from handler (these are in order) |
687
|
0
|
0
|
|
|
|
|
foreach my $header (@{$handler->{add_headers} || []}) { |
|
0
|
|
|
|
|
|
|
688
|
0
|
|
|
|
|
|
$arcseal->PRINT(_fmtheader($header)); |
689
|
0
|
|
|
|
|
|
$self->check_timeout(); |
690
|
|
|
|
|
|
|
} |
691
|
|
|
|
|
|
|
|
692
|
|
|
|
|
|
|
# finish header block with a blank line |
693
|
0
|
|
|
|
|
|
$arcseal->PRINT("\015\012"); |
694
|
|
|
|
|
|
|
|
695
|
|
|
|
|
|
|
# all the body chunks |
696
|
0
|
|
|
|
|
|
foreach my $chunk (@{$self->{body}}) { |
|
0
|
|
|
|
|
|
|
697
|
0
|
|
|
|
|
|
$arcseal->PRINT($chunk); |
698
|
|
|
|
|
|
|
} |
699
|
|
|
|
|
|
|
|
700
|
|
|
|
|
|
|
# and we're done |
701
|
0
|
|
|
|
|
|
$arcseal->CLOSE; |
702
|
0
|
|
|
|
|
|
$self->check_timeout(); |
703
|
|
|
|
|
|
|
|
704
|
0
|
|
|
|
|
|
my $arcseal_result = $arcseal->result(); |
705
|
0
|
|
|
|
|
|
my $arcseal_result_detail = $arcseal->result_detail(); |
706
|
|
|
|
|
|
|
|
707
|
0
|
|
|
|
|
|
$self->metric_count( 'arcseal_total', { 'result' => $arcseal_result } ); |
708
|
|
|
|
|
|
|
|
709
|
0
|
|
|
|
|
|
$self->dbgout( 'ARCSealResult', $arcseal_result_detail, LOG_DEBUG ); |
710
|
|
|
|
|
|
|
|
711
|
|
|
|
|
|
|
# we need to extract the headers from ARCSeal and re-format them |
712
|
|
|
|
|
|
|
# back to the format that pre_headers expects |
713
|
0
|
|
|
|
|
|
my $headers = $arcseal->as_string(); |
714
|
0
|
|
|
|
|
|
my @list; |
715
|
|
|
|
|
|
|
|
716
|
0
|
|
|
|
|
|
my $current_header = q{}; |
717
|
0
|
|
|
|
|
|
my $current_value = q{}; |
718
|
0
|
|
|
|
|
|
foreach my $header_line ( (split ( /\015?\012/, $headers ) ) ) { |
719
|
0
|
0
|
|
|
|
|
if ( $header_line =~ /^\s/ ) { |
720
|
|
|
|
|
|
|
# Line begins with whitespace, add to previous header |
721
|
0
|
|
|
|
|
|
$header_line =~ s/^\s+/ /; # for consistency |
722
|
0
|
|
|
|
|
|
$current_value .= "\n" . $header_line; |
723
|
|
|
|
|
|
|
} |
724
|
|
|
|
|
|
|
else { |
725
|
|
|
|
|
|
|
# This is a brand new header! |
726
|
0
|
0
|
|
|
|
|
if ( $current_header ne q{} ) { |
727
|
|
|
|
|
|
|
# We have a cached header, add it now. |
728
|
0
|
|
|
|
|
|
push @list, { 'field' => $current_header, 'value' => $current_value }; |
729
|
0
|
|
|
|
|
|
$current_value = q{}; |
730
|
|
|
|
|
|
|
} |
731
|
0
|
|
|
|
|
|
( $current_header, $current_value ) = split ( ':', $header_line, 2 ); |
732
|
0
|
|
|
|
|
|
$current_value =~ s/^ +//; |
733
|
|
|
|
|
|
|
} |
734
|
|
|
|
|
|
|
} |
735
|
0
|
0
|
|
|
|
|
if ( $current_header ne q{} ) { |
736
|
|
|
|
|
|
|
# We have a cached header, add it now. |
737
|
0
|
|
|
|
|
|
push @list, { 'field' => $current_header, 'value' => $current_value }; |
738
|
0
|
|
|
|
|
|
$current_value = q{}; |
739
|
|
|
|
|
|
|
} |
740
|
|
|
|
|
|
|
|
741
|
|
|
|
|
|
|
# these will prepend in reverse |
742
|
0
|
|
|
|
|
|
push @{$handler->{pre_headers}}, reverse @list; |
|
0
|
|
|
|
|
|
|
743
|
|
|
|
|
|
|
}; |
744
|
|
|
|
|
|
|
|
745
|
0
|
0
|
|
|
|
|
if ( my $error = $@ ) { |
746
|
0
|
|
|
|
|
|
$self->handle_exception( $error ); |
747
|
0
|
|
|
|
|
|
$self->log_error( 'ARCSeal Error ' . $error ); |
748
|
0
|
|
|
|
|
|
$self->metric_count( 'arcseal_total', { 'result' => 'error' } ); |
749
|
0
|
|
|
|
|
|
return; |
750
|
|
|
|
|
|
|
} |
751
|
|
|
|
|
|
|
} |
752
|
|
|
|
|
|
|
|
753
|
|
|
|
|
|
|
1; |
754
|
|
|
|
|
|
|
|
755
|
|
|
|
|
|
|
__END__ |
756
|
|
|
|
|
|
|
|
757
|
|
|
|
|
|
|
=pod |
758
|
|
|
|
|
|
|
|
759
|
|
|
|
|
|
|
=encoding UTF-8 |
760
|
|
|
|
|
|
|
|
761
|
|
|
|
|
|
|
=head1 NAME |
762
|
|
|
|
|
|
|
|
763
|
|
|
|
|
|
|
Mail::Milter::Authentication::Handler::ARC - Handler class for ARC |
764
|
|
|
|
|
|
|
|
765
|
|
|
|
|
|
|
=head1 VERSION |
766
|
|
|
|
|
|
|
|
767
|
|
|
|
|
|
|
version 3.20230911 |
768
|
|
|
|
|
|
|
|
769
|
|
|
|
|
|
|
=head1 DESCRIPTION |
770
|
|
|
|
|
|
|
|
771
|
|
|
|
|
|
|
Module for validation of ARC signatures |
772
|
|
|
|
|
|
|
|
773
|
|
|
|
|
|
|
=head1 CONFIGURATION |
774
|
|
|
|
|
|
|
|
775
|
|
|
|
|
|
|
"ARC" : { | Config for the ARC Module |
776
|
|
|
|
|
|
|
"hide_none" : 0, | Hide auth line if the result is 'none' |
777
|
|
|
|
|
|
|
"arcseal_domain" : "example.com", | Domain to sign ARC Seal with (not sealed if blank) |
778
|
|
|
|
|
|
|
"arcseal_selector" : undef, | Selector to use for ARC Seal (not sealed if blank) |
779
|
|
|
|
|
|
|
"arcseal_algorithm" : 'rsa-sha256', | Algorithm to use on ARC Seal (default rsa-sha256) |
780
|
|
|
|
|
|
|
"arcseal_key" : undef, | Key (base64) string to sign ARC Seal with; or |
781
|
|
|
|
|
|
|
"arcseal_keyfile" : undef, | File containing ARC Seal key |
782
|
|
|
|
|
|
|
"arcseal_headers" : undef, | Additional headers to cover in ARC-Message-Signature |
783
|
|
|
|
|
|
|
"trusted_domains" : [], | Trust these domains when traversing ARC chains |
784
|
|
|
|
|
|
|
"rbl_whitelist" : undef, | rhs list for looking up trusted signing domains |
785
|
|
|
|
|
|
|
"no_strict" : 0, | Ignore rfc 8301 security considerations (not recommended) |
786
|
|
|
|
|
|
|
}, |
787
|
|
|
|
|
|
|
|
788
|
|
|
|
|
|
|
=head1 AUTHOR |
789
|
|
|
|
|
|
|
|
790
|
|
|
|
|
|
|
Marc Bradshaw <marc@marcbradshaw.net> |
791
|
|
|
|
|
|
|
|
792
|
|
|
|
|
|
|
=head1 COPYRIGHT AND LICENSE |
793
|
|
|
|
|
|
|
|
794
|
|
|
|
|
|
|
This software is copyright (c) 2020 by Marc Bradshaw. |
795
|
|
|
|
|
|
|
|
796
|
|
|
|
|
|
|
This is free software; you can redistribute it and/or modify it under |
797
|
|
|
|
|
|
|
the same terms as the Perl 5 programming language system itself. |
798
|
|
|
|
|
|
|
|
799
|
|
|
|
|
|
|
=cut |