File Coverage

blib/lib/Mail/Milter/Authentication/Handler/BIMI.pm

Criterion	Covered	Total	%
statement	142	224	63.3
branch	69	128	53.9
condition	11	26	42.3
subroutine	13	14	92.8
pod	1	8	12.5
total	236	400	59.0

line	stmt	bran	cond	sub	pod	time	code
1							package Mail::Milter::Authentication::Handler::BIMI;
2	2			2		2177	use 5.20.0;
	2					11
3	2			2		13	use strict;
	2					5
	2					52
4	2			2		13	use warnings;
	2					5
	2					156
5	2			2		19	use Mail::Milter::Authentication::Pragmas;
	2					5
	2					17
6							# ABSTRACT: Handler class for BIMI
7							our $VERSION = '3.20230911'; # VERSION
8	2			2		495	use base 'Mail::Milter::Authentication::Handler';
	2					6
	2					249
9	2			2		1215	use Mail::BIMI 2;
	2					2902649
	2					6645
10
11							sub default_config {
12							return {
13	1			1	0	2129	'bimi_options' => {},
14							'rbl_allowlist' => '',
15							'rbl_blocklist' => '',
16							'rbl_no_evidence_allowlist' => '',
17							};
18							}
19
20							sub register_metrics {
21							return {
22	1			1	1	13	'bimi_total' => 'The number of emails processed for BIMI',
23							};
24							}
25
26							sub setup_callback {
27	1			1	0	4	my ($self) = @_;
28	1					10	my $config = $self->handler_config();
29	1		50			11	my $sanitize_location_header = $config->{sanitize_location_header} // 'yes';
30	1		50			9	my $sanitize_indicator_header = $config->{sanitize_indicator_header} // 'silent';
31	1	50				13	$self->add_header_to_sanitize_list('bimi-location', $sanitize_location_header eq 'silent') unless $sanitize_location_header eq 'no';
32	1	50				19	$self->add_header_to_sanitize_list('bimi-indicator', $sanitize_indicator_header eq 'silent') unless $sanitize_indicator_header eq 'no';
33	1					3	return;
34							}
35
36							sub envfrom_callback {
37	10			10	0	49	my ( $self, $env_from ) = @_;
38	10					49	$self->{ 'header_added' } = 0;
39							}
40
41							sub header_callback {
42	46			46	0	137	my ( $self, $header, $value ) = @_;
43
44	46	50				154	return if ( $self->is_local_ip_address() );
45	46	50				148	return if ( $self->is_trusted_ip_address() );
46	46	50				198	return if ( $self->is_authenticated() );
47	46	50				157	return if ( $self->{'failmode'} );
48
49	46	100				177	if ( lc $header eq 'bimi-selector' ) {
50	7	50				58	if ( exists $self->{'selector'} ) {
51	0					0	$self->dbgout( 'BIMIFail', 'Multiple BIMI-Selector fields', LOG_DEBUG );
52	0					0	my $header = Mail::AuthenticationResults::Header::Entry->new()->set_key( 'bimi' )->safe_set_value( 'fail' );
53	0					0	$header->add_child( Mail::AuthenticationResults::Header::Comment->new()->safe_set_value( 'multiple BIMI-Selector fields in message' ) );
54	0					0	$self->add_auth_header( $header );
55	0					0	$self->metric_count( 'bimi_total', { 'result' => 'fail', 'reason' => 'bad_selector_header' } );
56	0					0	$self->{ 'header_added' } = 1;
57	0					0	$self->{'failmode'} = 1;
58	0					0	return;
59							}
60	7					26	$self->{'selector'} = $value;
61							}
62	46	100				162	if ( lc $header eq 'from' ) {
63	10	50				54	if ( exists $self->{'from_header'} ) {
64	0					0	$self->dbgout( 'BIMIFail', 'Multiple RFC5322 from fields', LOG_DEBUG );
65	0					0	my $header = Mail::AuthenticationResults::Header::Entry->new()->set_key( 'bimi' )->safe_set_value( 'fail' );
66	0					0	$header->add_child( Mail::AuthenticationResults::Header::Comment->new()->safe_set_value( 'multiple RFC5322 from fields in message' ) );
67	0					0	$self->add_auth_header( $header );
68	0					0	$self->metric_count( 'bimi_total', { 'result' => 'fail', 'reason' => 'bad_from_header' } );
69	0					0	$self->{ 'header_added' } = 1;
70	0					0	$self->{'failmode'} = 1;
71	0					0	return;
72							}
73	10					44	$self->{'from_header'} = $value;
74							}
75							}
76
77							sub eom_requires {
78	1			1	0	6	my ($self) = @_;
79	1					4	my @requires = qw{ DMARC };
80	1					5	return \@requires;
81							}
82
83							sub eom_callback {
84	10			10	0	45	my ($self) = @_;
85	10					48	my $config = $self->handler_config();
86
87	10	0	33			58	if ( $config->{rbl_allowlist} && $config->{rbl_blocklist} ) {
88	0					0	$self->dbgout( 'BIMI Error', 'Cannot specify both rbl_allowlist and rbl_blocklist', LOG_DEBUG );
89	0					0	return;
90							}
91
92	10	50				41	return if ( $self->{ 'header_added' } );
93	10	50				53	return if ( $self->is_local_ip_address() );
94	10	50				45	return if ( $self->is_trusted_ip_address() );
95	10	50				54	return if ( $self->is_authenticated() );
96	10	50				50	return if ( $self->{'failmode'} );
97	10					26	eval {
98	10					58	my $Domain = $self->get_domain_from( $self->{'from_header'} );
99
100	10					64	my $DMARCResults = $self->get_object( 'dmarc_results' );
101	10	50				83	if ( ! $DMARCResults ) {
102
103	0					0	my $failure_type = 'temperror';
104	0					0	my $top_handler = $self->get_top_handler();
105	0					0	my @auth_headers;
106	0	0				0	if ( exists( $top_handler->{'auth_headers'} ) ) {
107	0					0	for my $type ( sort keys $top_handler->{'auth_headers'}->%* ) {
108	0					0	@auth_headers = ( @auth_headers, @{ $top_handler->{'auth_headers'}->{$type} } );
	0					0
109							}
110							}
111	0	0				0	if (@auth_headers) {
112	0					0	foreach my $auth_header (@auth_headers) {
113	0	0				0	next unless $auth_header->key eq 'dmarc';
114	0	0				0	if ( $auth_header->value eq 'permerror' ) {
115	0					0	$failure_type = 'permerror';
116	0					0	last;
117							}
118							}
119							}
120
121	0					0	$self->log_error( 'BIMI Error No DMARC Results object');
122	0					0	my $header = Mail::AuthenticationResults::Header::Entry->new()->set_key( 'bimi' )->safe_set_value( $failure_type );
123	0					0	$header->add_child( Mail::AuthenticationResults::Header::Comment->new()->safe_set_value( 'Internal DMARC error' ) );
124	0					0	$self->add_auth_header( $header );
125	0					0	$self->{ 'header_added' } = 1;
126
127							}
128							else {
129	10	50				41	if ( scalar @$DMARCResults != 1 ) {
130	0					0	$self->dbgout( 'BIMIFail', 'Multiple DMARC Results', LOG_DEBUG );
131	0					0	my $header = Mail::AuthenticationResults::Header::Entry->new()->set_key( 'bimi' )->safe_set_value( 'fail' );
132	0					0	$header->add_child( Mail::AuthenticationResults::Header::Comment->new()->safe_set_value( 'multiple DMARC results for message' ) );
133	0					0	$self->add_auth_header( $header );
134	0					0	$self->metric_count( 'bimi_total', { 'result' => 'fail', 'reason' => 'multiple_dmarc_results' } );
135	0					0	$self->{ 'header_added' } = 1;
136	0					0	$self->{'failmode'} = 1;
137	0					0	return;
138							}
139							else {
140	10					325	my $DMARCResult = clone $DMARCResults->[0]; # Clone so we can modify without breaking reporting data
141
142							## Consider ARC
143							# We only have 1 DMARC result so we find the auth results header that it added
144	10					43	my $selector_arc_pass = 0;
145	10	100				61	if ( $DMARCResult->result ne 'pass' ) {
146	2					20	my $top_handler = $self->get_top_handler();
147	2					6	my @auth_headers;
148	2	50				9	if ( exists( $top_handler->{'auth_headers'} ) ) {
149	2					14	for my $type ( sort keys $top_handler->{'auth_headers'}->%* ) {
150	2					7	@auth_headers = ( @auth_headers, @{ $top_handler->{'auth_headers'}->{$type} } );
	2					10
151							}
152							}
153	2	50				9	if (@auth_headers) {
154	2					6	foreach my $auth_header ( @auth_headers ) {
155	9	100				89	next if $auth_header->key ne 'dmarc';
156	2		50			23	my $arc_aware_result = eval{ $auth_header->search({key=>'policy.arc-aware-result'})->children->[0]->value } // '';
	2					11
157	2					1404	$self->handle_exception( $@ );
158	2	100				12	if ( $arc_aware_result eq 'pass' ) {
159	1					7	$self->log_error( 'BIMI DMARC ARC pass detected' );
160	1					5	$DMARCResult->{result} = $arc_aware_result; # Feels hacky, but does the right thing
161							# Note, we can't check for signness of BIMI-Selector for arc forwarded mail where DKIM context has been lost
162							# When we have a pass by arc we skip the DKIM check for BIMI-Selector
163	1					4	$selector_arc_pass = 1;
164							}
165							}
166							}
167							}
168
169	10					80	my $Selector = $self->{ 'selector' };
170	10	100				87	if ( !$Selector ) {
		50
171	3					9	$Selector = 'default';
172							}
173							elsif ( $Selector =~ m/^v=BIMI1;\s+s=(\w+);?/i ) {
174	7					28	$Selector = $1;
175	7					19	$Selector = lc $Selector;
176							# Was the BIMI-Selector header DKIM Signed?
177	7					20	my $selector_was_domain_signed = 0;
178	7					16	my $selector_was_org_domain_signed = 0;
179	7					17	my $selector_was_third_party_domain_signed = 0;
180	7					16	my $OrgDomain = eval{ $self->get_handler('DMARC')->get_dmarc_object()->get_organizational_domain( $Domain ) };
	7					46
181	7					1606	$self->handle_exception( $@ );
182	7	50				50	if ( $self->{'selector'} ) {
183	7					31	my $dkim_handler = $self->get_handler('DKIM');
184	7	100				43	if ( $dkim_handler->{'has_dkim'} ) {
185	4					21	my $dkim_object = $self->get_object('dkim');
186	4	50				24	if ( $dkim_object ) {
187	4	50				17	if ( $dkim_object->signatures() ) {
188	4					56	foreach my $signature ( $dkim_object->signatures() ) {
189	4	50				46	next if $signature->result ne 'pass';
190	4					56	my @signed_headers = $signature->headerlist;
191	4	100				246	next if ! grep { lc $_ eq 'bimi-selector' } @signed_headers;
	15					58
192	3					17	my $signature_domain = $signature->domain;
193	3	100				71	if ( lc $signature_domain eq lc $Domain ) {
		100
194	1					7	$selector_was_domain_signed = 1;
195							}
196							elsif ( lc $signature_domain eq lc $OrgDomain ) {
197	1					4	$selector_was_org_domain_signed = 1;
198							}
199							else {
200	1					4	$selector_was_third_party_domain_signed = 1;
201							}
202							}
203							}
204							}
205							}
206							}
207	7	100				46	my $Alignment = $selector_was_domain_signed ? 'domain'
		100
		100
		100
208							: $selector_was_org_domain_signed ? 'orgdomain'
209							: $selector_arc_pass ? 'arc'
210							: $selector_was_third_party_domain_signed ? 'thirdparty'
211							: 'unsigned';
212	7	100	100			49	if ( $Alignment eq 'unsigned' \|\| $Alignment eq 'thirdparty' ) {
213	4					42	$self->log_error( 'BIMI Header DKIM '.$Alignment.' for Selector '.$Selector.' - ignoring' );
214	4					20	$Selector = 'default';
215							}
216
217							}
218							else {
219	0					0	$self->log_error( 'BIMI Invalid Selector Header: ' . $Selector );
220	0					0	$Selector = 'default';
221							}
222
223	10					24	my $RelevantSPFResult;
224	10					30	my $SPFResults = $self->get_object( 'spf_results' );
225	10	50				41	if ( $SPFResults ) {
226	10					29	foreach my $SPFResult ( $SPFResults->@* ) {
227	10	100				172	next if lc $SPFResult->request->domain ne $Domain;
228	7					1327	$RelevantSPFResult = $SPFResult;
229							}
230							}
231
232	10					625	my $Skip;
233	10	50				76	if ( $config->{rbl_allowlist} ) {
		50
234	0					0	my $OrgDomain = $self->get_object('dmarc')->get_organizational_domain($Domain);
235	0	0				0	unless ( $self->rbl_check_domain( $OrgDomain, $config->{'rbl_allowlist'} ) ) {
236	0					0	$self->dbgout( 'BIMISkip', 'Not on allowlist', LOG_DEBUG );
237	0					0	$Skip = 'Local policy; not allowed';
238							}
239							}
240							elsif ( $config->{rbl_blocklist} ) {
241	0					0	my $OrgDomain = $self->get_object('dmarc')->get_organizational_domain($Domain);
242	0	0				0	if ( $self->rbl_check_domain( $OrgDomain, $config->{'rbl_blocklist'} ) ) {
243	0					0	$self->dbgout( 'BIMISkip', 'On blocklist', LOG_DEBUG );
244	0					0	$Skip = 'Local policy; blocked';
245							}
246							}
247
248	10					22	my %Options;
249	10	50				31	$Options{options} = $config->{'bimi_options'} if exists $config->{'bimi_options'};
250	10					48	$Options{resolver} = $self->get_object( 'resolver' );
251	10					48	$Options{dmarc_object} = $self->get_object('dmarc');
252	10	100				617	$Options{spf_object} = $RelevantSPFResult if $RelevantSPFResult;
253	10					93	$Options{domain} = $Domain;
254	10					30	$Options{selector} = $Selector;
255	10					130	my $BIMI = Mail::BIMI->new(%Options);
256	10					58994	$self->{'bimi_object'} = $BIMI; # For testing!
257
258	10					31	my $Result;
259	10		50			62	my $timeout = $config->{'timeout'} // 5000000;
260	10					20	eval {
261	10					98	$self->set_handler_alarm( $timeout );
262	10	50				419	$Result = $BIMI->result() if ! $Skip;
263							};
264	10	50				390156	if ( my $Error = $@ ) {
265	0					0	$self->reset_alarm();
266	0					0	my $Type = $self->is_exception_type( $Error );
267	0	0				0	if ( $Type ) {
268	0	0				0	if ( $Type eq 'Timeout' ) {
269							# We have a timeout, is it global or is it ours?
270	0	0				0	if ( $self->get_time_remaining() > 0 ) {
271							# We have time left, but this operation save timed out
272	0					0	$Skip = 'Timeout';
273							}
274							else {
275	0					0	$self->handle_exception( $Error );
276							}
277							}
278							}
279							}
280
281	10	0	33			109	if ( !$Skip
			33
			0
			33
282							&& $config->{rbl_no_evidence_allowlist}
283							&& $Result->result eq 'pass'
284							&& (
285							!$BIMI->record->authority
286							\|\| !$BIMI->record->authority->vmc
287							\|\| !$BIMI->record->authority->vmc->is_valid
288							)
289							) {
290	0					0	my $OrgDomain = $self->get_object('dmarc')->get_organizational_domain($Domain);
291	0	0				0	unless ( $self->rbl_check_domain( $OrgDomain, $config->{'rbl_no_evidence_allowlist'} ) ) {
292	0					0	$self->dbgout( 'BIMISkip', 'Not on No Evidence Allowlist', LOG_DEBUG );
293	0					0	$Skip = 'Local policy; not allowed without evidence';
294							}
295							}
296
297
298	10	50				42	if ( $Skip ) {
299	0					0	my $header = Mail::AuthenticationResults::Header::Entry->new()->set_key( 'bimi' )->safe_set_value( 'skipped' );
300	0					0	$header->add_child( Mail::AuthenticationResults::Header::Comment->new()->safe_set_value( $Skip ) );
301	0					0	$self->add_auth_header( $header );
302	0					0	$self->{ 'header_added' } = 1;
303	0					0	$self->metric_count( 'bimi_total', { 'result' => 'skipped', 'reason' => 'rbl' } );
304							}
305							else {
306	10					51	my $AuthResults = $Result->get_authentication_results_object();
307	10					27960	$self->add_auth_header( $AuthResults );
308	10					48	$self->{ 'header_added' } = 1;
309	10					268	my $Record = $BIMI->record();
310	10	100				369	if ( $Result->result() eq 'pass' ) {
311	8					311	my $Headers = $Result->headers;
312	8	50				97	if ( $Headers ) {
313	8	50				78	$self->prepend_header( 'BIMI-Location', $Headers->{'BIMI-Location'} ) if exists $Headers->{'BIMI-Location'} ;
314	8	50				57	$self->prepend_header( 'BIMI-Indicator', $Headers->{'BIMI-Indicator'} ) if exists $Headers->{'BIMI-Indicator'} ;
315							}
316							}
317
318	10					293	$self->metric_count( 'bimi_total', { 'result' => $Result->result() } );
319							}
320	10					91	$BIMI->finish;
321							}
322							}
323
324							};
325	10	50				75374	if ( my $error = $@ ) {
326	0						$self->handle_exception( $error );
327	0						$self->log_error( 'BIMI Error ' . $error );
328	0	0					if ( ! $self->{ 'header_added' } ) {
329	0						my $header = Mail::AuthenticationResults::Header::Entry->new()->set_key( 'bimi' )->safe_set_value( 'temperror' );
330	0						$self->add_auth_header( $header );
331	0						$self->{ 'header_added' } = 1;
332							}
333							}
334							}
335
336							sub close_callback {
337	0			0	0		my ( $self ) = @_;
338	0						delete $self->{'selector'};
339	0						delete $self->{'from_header'};
340	0						delete $self->{'failmode'};
341	0						delete $self->{'bimi_object'};
342	0						delete $self->{'header_added'};
343							}
344
345							1;
346
347							__END__
348
349							=pod
350
351							=encoding UTF-8
352
353							=head1 NAME
354
355							Mail::Milter::Authentication::Handler::BIMI - Handler class for BIMI
356
357							=head1 VERSION
358
359							version 3.20230911
360
361							=head1 DESCRIPTION
362
363							Module implementing the BIMI standard checks.
364
365							This handler requires the DMARC handler and its dependencies to be installed and active.
366
367							=head1 NAME
368
369							Authentication Milter - BIMI Module
370
371							=head1 CONFIGURATION
372
373							"BIMI" : { \| Config for the BIMI Module
374							\| Requires DMARC
375							"bimi_options" : {}, \| Options to pass into Mail::BIMI->new
376							"rbl_allowlist" : "", \| Optional RBL Allow list of allowed org domains
377							"rbl_blocklist" : "", \| Optional RBL Block list of disallowed org domains
378							\| Allow and Block list cannot both be present
379							"rbl_no_evidence_allowlist" : "", \| Optonal RBL Allow list of allowed org domains that do NOT require evidence documents
380							\| When set, domains not on this list which do not have evidence documents will be 'skipped'
381							"timeout" : 5000000, \| Timeout, in microseconds, to apply to a BIMI record check/fetch, detault 5000000 (5s)
382							"sanitize_location_header" : "yes", \| Remove existing BIMI-Location header? yes\|no\|silent (default yes)
383							"sanitize_indicator_header" : "yes", \| Remove existing BIMI-Location header? yes\|no\|silent (default silent)
384							},
385
386							=head1 AUTHOR
387
388							Marc Bradshaw <marc@marcbradshaw.net>
389
390							=head1 COPYRIGHT AND LICENSE
391
392							This software is copyright (c) 2020 by Marc Bradshaw.
393
394							This is free software; you can redistribute it and/or modify it under
395							the same terms as the Perl 5 programming language system itself.
396
397							=cut