line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
1
|
|
|
1
|
|
906
|
use 5.014; |
|
1
|
|
|
|
|
4
|
|
2
|
1
|
|
|
1
|
|
6
|
use warnings; |
|
1
|
|
|
|
|
2
|
|
|
1
|
|
|
|
|
261
|
|
3
|
|
|
|
|
|
|
|
4
|
|
|
|
|
|
|
package Mail::Qmail::Filter::DMARC; |
5
|
|
|
|
|
|
|
|
6
|
|
|
|
|
|
|
our $VERSION = '1.2'; |
7
|
|
|
|
|
|
|
|
8
|
|
|
|
|
|
|
sub domain { |
9
|
|
|
|
|
|
|
shift =~ s/.*\@//r; |
10
|
|
|
|
|
|
|
} |
11
|
|
|
|
|
|
|
|
12
|
|
|
|
|
|
|
sub if_set { |
13
|
|
|
|
|
|
|
my ( $key, $value, @additional_checks ) = @_; |
14
|
|
|
|
|
|
|
return unless defined $value && length $value; |
15
|
|
|
|
|
|
|
$_->($value) or return for @additional_checks; |
16
|
|
|
|
|
|
|
$key => $value; |
17
|
|
|
|
|
|
|
} |
18
|
|
|
|
|
|
|
|
19
|
|
|
|
|
|
|
sub is_valid_domain { |
20
|
|
|
|
|
|
|
require Mail::DMARC::Base; |
21
|
|
|
|
|
|
|
Mail::DMARC::Base->new->is_valid_domain(shift); |
22
|
|
|
|
|
|
|
} |
23
|
|
|
|
|
|
|
|
24
|
|
|
|
|
|
|
sub spf_query { |
25
|
|
|
|
|
|
|
require Mail::SPF; |
26
|
|
|
|
|
|
|
my $request = Mail::SPF::Request->new(@_); |
27
|
|
|
|
|
|
|
state $server = Mail::SPF::Server->new; |
28
|
|
|
|
|
|
|
$server->process($request); |
29
|
|
|
|
|
|
|
} |
30
|
|
|
|
|
|
|
|
31
|
1
|
|
|
1
|
|
8
|
use namespace::clean; |
|
1
|
|
|
|
|
1
|
|
|
1
|
|
|
|
|
6
|
|
32
|
|
|
|
|
|
|
|
33
|
1
|
|
|
1
|
|
236
|
use Mo qw(coerce default); |
|
1
|
|
|
|
|
2
|
|
|
1
|
|
|
|
|
5
|
|
34
|
|
|
|
|
|
|
extends 'Mail::Qmail::Filter'; |
35
|
|
|
|
|
|
|
|
36
|
|
|
|
|
|
|
has 'dry_run'; |
37
|
|
|
|
|
|
|
has 'reject_text' => 'Failed DMARC test.'; |
38
|
|
|
|
|
|
|
|
39
|
|
|
|
|
|
|
sub filter { |
40
|
0
|
|
|
0
|
1
|
|
my $self = shift; |
41
|
0
|
|
|
|
|
|
my $message = $self->message; |
42
|
|
|
|
|
|
|
|
43
|
0
|
|
|
|
|
|
require Mail::DKIM::Verifier; # lazy load because filter might be skipped |
44
|
0
|
|
|
|
|
|
my $dkim = Mail::DKIM::Verifier->new; |
45
|
0
|
|
|
|
|
|
$dkim->PRINT( $message->body =~ s/\cM?\cJ/\cM\cJ/gr ); |
46
|
0
|
|
|
|
|
|
$dkim->CLOSE; |
47
|
0
|
|
|
|
|
|
$self->debug( 'DKIM result' => $dkim->result ); |
48
|
|
|
|
|
|
|
|
49
|
0
|
0
|
|
|
|
|
if ( $dkim->result ne 'pass' ) { |
50
|
|
|
|
|
|
|
|
51
|
0
|
|
|
|
|
|
$self->debug( 'Remote IP' => $ENV{TCPREMOTEIP} ); |
52
|
|
|
|
|
|
|
|
53
|
0
|
|
|
|
|
|
my %spf_query = ( ip_address => $ENV{TCPREMOTEIP} ); |
54
|
|
|
|
|
|
|
|
55
|
0
|
|
|
|
|
|
$self->debug( helo => $spf_query{helo_identity} = $message->helo ); |
56
|
|
|
|
|
|
|
|
57
|
0
|
|
|
|
|
|
my $header_from = $message->header_from; |
58
|
0
|
|
|
|
|
|
my $header_from_domain; |
59
|
0
|
0
|
|
|
|
|
if ($header_from) { |
60
|
|
|
|
|
|
|
$self->debug( 'RFC5322.From' => $spf_query{identity} = |
61
|
0
|
|
|
|
|
|
$header_from->address ); |
62
|
0
|
|
|
|
|
|
$header_from_domain = $header_from->host; |
63
|
0
|
|
|
|
|
|
$spf_query{scope} = 'mfrom'; |
64
|
|
|
|
|
|
|
} |
65
|
|
|
|
|
|
|
else { |
66
|
0
|
|
|
|
|
|
$spf_query{scope} = 'helo'; |
67
|
|
|
|
|
|
|
|
68
|
|
|
|
|
|
|
# identity required by Mail::SPF: |
69
|
0
|
|
|
|
|
|
$spf_query{identity} = $spf_query{helo_identity}; |
70
|
|
|
|
|
|
|
} |
71
|
|
|
|
|
|
|
|
72
|
0
|
|
|
|
|
|
$self->debug( 'SPF result' => my $spf_result = spf_query(%spf_query) ); |
73
|
0
|
|
|
|
|
|
$message->add_header( $spf_result->received_spf_header ); |
74
|
|
|
|
|
|
|
|
75
|
0
|
|
|
|
|
|
require Mail::DMARC::PurePerl; |
76
|
|
|
|
|
|
|
my $dmarc_text = ( |
77
|
|
|
|
|
|
|
my $dmarc_result = Mail::DMARC::PurePerl->new( |
78
|
|
|
|
|
|
|
source_ip => $ENV{TCPREMOTEIP}, |
79
|
|
|
|
|
|
|
envelope_to => domain( ( $message->to )[0] ), |
80
|
|
|
|
|
|
|
if_set( |
81
|
|
|
|
|
|
|
envelope_from => domain( $message->from ), |
82
|
|
|
|
|
|
|
\&is_valid_domain |
83
|
|
|
|
|
|
|
), |
84
|
|
|
|
|
|
|
if_set( |
85
|
|
|
|
|
|
|
header_from => $header_from_domain, |
86
|
|
|
|
|
|
|
\&is_valid_domain |
87
|
|
|
|
|
|
|
), |
88
|
|
|
|
|
|
|
dkim => $dkim, |
89
|
|
|
|
|
|
|
spf => { |
90
|
|
|
|
|
|
|
if_set( domain => $header_from_domain ), |
91
|
|
|
|
|
|
|
scope => $spf_query{scope}, |
92
|
0
|
|
|
|
|
|
result => $spf_result->code, |
93
|
|
|
|
|
|
|
}, |
94
|
|
|
|
|
|
|
)->validate |
95
|
|
|
|
|
|
|
)->result; |
96
|
0
|
|
|
|
|
|
$self->debug( 'DMARC result' => $dmarc_text ); |
97
|
0
|
|
|
|
|
|
$message->add_header("DMARC-Status: $dmarc_text"); |
98
|
|
|
|
|
|
|
|
99
|
0
|
0
|
|
|
|
|
if ( $dmarc_result->result ne 'pass' ) { |
100
|
0
|
|
|
|
|
|
my $disposition = $dmarc_result->disposition; |
101
|
0
|
|
|
|
|
|
$self->debug( 'DMARC disposition' => $disposition ); |
102
|
0
|
0
|
0
|
|
|
|
$self->reject( $self->reject_text ) |
103
|
|
|
|
|
|
|
if $disposition eq 'reject' && !$self->dry_run; |
104
|
|
|
|
|
|
|
} |
105
|
|
|
|
|
|
|
} |
106
|
|
|
|
|
|
|
} |
107
|
|
|
|
|
|
|
|
108
|
|
|
|
|
|
|
1; |
109
|
|
|
|
|
|
|
|
110
|
|
|
|
|
|
|
__END__ |
111
|
|
|
|
|
|
|
|
112
|
|
|
|
|
|
|
=head1 NAME |
113
|
|
|
|
|
|
|
|
114
|
|
|
|
|
|
|
Mail::Qmail::Filter::DMARC - verify DMARC policy of mail message |
115
|
|
|
|
|
|
|
|
116
|
|
|
|
|
|
|
=head1 SYNOPSIS |
117
|
|
|
|
|
|
|
|
118
|
|
|
|
|
|
|
use Mail::Qmail::Filter; |
119
|
|
|
|
|
|
|
|
120
|
|
|
|
|
|
|
Mail::Qmail::Filter->new->add_filters( |
121
|
|
|
|
|
|
|
'::DMARC' => { |
122
|
|
|
|
|
|
|
skip_if_relayclient => 1, |
123
|
|
|
|
|
|
|
}, |
124
|
|
|
|
|
|
|
'::Queue', |
125
|
|
|
|
|
|
|
)->run; |
126
|
|
|
|
|
|
|
|
127
|
|
|
|
|
|
|
=head1 DESCRIPTION |
128
|
|
|
|
|
|
|
|
129
|
|
|
|
|
|
|
This L<Mail::Qmail::Filter> plugin verifies if the incoming e-mail message |
130
|
|
|
|
|
|
|
conforms to the DMARC policy of its sender domain: |
131
|
|
|
|
|
|
|
|
132
|
|
|
|
|
|
|
=over 4 |
133
|
|
|
|
|
|
|
|
134
|
|
|
|
|
|
|
=item 1. |
135
|
|
|
|
|
|
|
|
136
|
|
|
|
|
|
|
The plugin is skipped if imported with feature C<:skip_for_relayclient> |
137
|
|
|
|
|
|
|
and the message comes from a relay client. |
138
|
|
|
|
|
|
|
|
139
|
|
|
|
|
|
|
=item 2. |
140
|
|
|
|
|
|
|
|
141
|
|
|
|
|
|
|
We check if the message contains a valid DKIM signature |
142
|
|
|
|
|
|
|
matching the domain of the C<From:> header field. |
143
|
|
|
|
|
|
|
If this is the case, the e-mail is passed on. |
144
|
|
|
|
|
|
|
|
145
|
|
|
|
|
|
|
=item 3. |
146
|
|
|
|
|
|
|
|
147
|
|
|
|
|
|
|
If not, a SPF check is done, and a C<Received-SPF:> header field is added to |
148
|
|
|
|
|
|
|
the message. |
149
|
|
|
|
|
|
|
Then we check if the message is aligned with its sender's DMARC policy. |
150
|
|
|
|
|
|
|
A C<DMARC-Status:> header field is added. |
151
|
|
|
|
|
|
|
|
152
|
|
|
|
|
|
|
If the message does not align to the policy, the policy advises to reject such |
153
|
|
|
|
|
|
|
messages and when the plugin is C<use>d with the C<:reject> feature or the |
154
|
|
|
|
|
|
|
environment variable C<DMARC_REJECT> is set to a true value, the message will |
155
|
|
|
|
|
|
|
be rejected with C<554 Failed DMARC test.> |
156
|
|
|
|
|
|
|
|
157
|
|
|
|
|
|
|
=back |
158
|
|
|
|
|
|
|
|
159
|
|
|
|
|
|
|
Please note: This only works for valid sender addresses. |
160
|
|
|
|
|
|
|
If the message has no valid RFC5322.From, this filter will I<not> reject |
161
|
|
|
|
|
|
|
the message, because L<Mail::DMARC> does not like invalid sender addresses. |
162
|
|
|
|
|
|
|
If you also happen to not like these, please use |
163
|
|
|
|
|
|
|
L<Mail::Qmail::Filter::ValidateFrom> and/or |
164
|
|
|
|
|
|
|
L<Mail::Qmail::Filter::ValidateSender> I<before> this filter. |
165
|
|
|
|
|
|
|
|
166
|
|
|
|
|
|
|
=head1 OPTIONAL PARAMETERS |
167
|
|
|
|
|
|
|
|
168
|
|
|
|
|
|
|
=head2 dry_run |
169
|
|
|
|
|
|
|
|
170
|
|
|
|
|
|
|
When set to a true value, the message is only marked, not rejected. |
171
|
|
|
|
|
|
|
|
172
|
|
|
|
|
|
|
=head2 reject_text |
173
|
|
|
|
|
|
|
|
174
|
|
|
|
|
|
|
Reply text to send to the client when the message is rejected. |
175
|
|
|
|
|
|
|
|
176
|
|
|
|
|
|
|
Default: C<Failed DMARC test.> |
177
|
|
|
|
|
|
|
|
178
|
|
|
|
|
|
|
=head1 SEE ALSO |
179
|
|
|
|
|
|
|
|
180
|
|
|
|
|
|
|
L<Mail::Qmail::Filter/COMMON PARAMETERS FOR ALL FILTERS>, |
181
|
|
|
|
|
|
|
L<Mail::Qmail::Filter::ValidateFrom>, L<Mail::Qmail::Filter::ValidateSender> |
182
|
|
|
|
|
|
|
|
183
|
|
|
|
|
|
|
=head1 LICENSE AND COPYRIGHT |
184
|
|
|
|
|
|
|
|
185
|
|
|
|
|
|
|
Copyright 2019 Martin Sluka. |
186
|
|
|
|
|
|
|
|
187
|
|
|
|
|
|
|
This module is free software; you can redistribute it and/or modify it |
188
|
|
|
|
|
|
|
under the terms of the the Artistic License (2.0). You may obtain a |
189
|
|
|
|
|
|
|
copy of the full license at: |
190
|
|
|
|
|
|
|
|
191
|
|
|
|
|
|
|
L<http://www.perlfoundation.org/artistic_license_2_0> |
192
|
|
|
|
|
|
|
|
193
|
|
|
|
|
|
|
Any use, modification, and distribution of the Standard or Modified |
194
|
|
|
|
|
|
|
Versions is governed by this Artistic License. By using, modifying or |
195
|
|
|
|
|
|
|
distributing the Package, you accept this license. Do not use, modify, |
196
|
|
|
|
|
|
|
or distribute the Package, if you do not accept this license. |
197
|
|
|
|
|
|
|
|
198
|
|
|
|
|
|
|
If your Modified Version has been derived from a Modified Version made |
199
|
|
|
|
|
|
|
by someone other than you, you are nevertheless required to ensure that |
200
|
|
|
|
|
|
|
your Modified Version complies with the requirements of this license. |
201
|
|
|
|
|
|
|
|
202
|
|
|
|
|
|
|
This license does not grant you the right to use any trademark, service |
203
|
|
|
|
|
|
|
mark, tradename, or logo of the Copyright Holder. |
204
|
|
|
|
|
|
|
|
205
|
|
|
|
|
|
|
This license includes the non-exclusive, worldwide, free-of-charge |
206
|
|
|
|
|
|
|
patent license to make, have made, use, offer to sell, sell, import and |
207
|
|
|
|
|
|
|
otherwise transfer the Package with respect to any patent claims |
208
|
|
|
|
|
|
|
licensable by the Copyright Holder that are necessarily infringed by the |
209
|
|
|
|
|
|
|
Package. If you institute patent litigation (including a cross-claim or |
210
|
|
|
|
|
|
|
counterclaim) against any party alleging that the Package constitutes |
211
|
|
|
|
|
|
|
direct or contributory patent infringement, then this Artistic License |
212
|
|
|
|
|
|
|
to you shall terminate on the date that such litigation is filed. |
213
|
|
|
|
|
|
|
|
214
|
|
|
|
|
|
|
Disclaimer of Warranty: THE PACKAGE IS PROVIDED BY THE COPYRIGHT HOLDER |
215
|
|
|
|
|
|
|
AND CONTRIBUTORS "AS IS' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES. |
216
|
|
|
|
|
|
|
THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR |
217
|
|
|
|
|
|
|
PURPOSE, OR NON-INFRINGEMENT ARE DISCLAIMED TO THE EXTENT PERMITTED BY |
218
|
|
|
|
|
|
|
YOUR LOCAL LAW. UNLESS REQUIRED BY LAW, NO COPYRIGHT HOLDER OR |
219
|
|
|
|
|
|
|
CONTRIBUTOR WILL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, OR |
220
|
|
|
|
|
|
|
CONSEQUENTIAL DAMAGES ARISING IN ANY WAY OUT OF THE USE OF THE PACKAGE, |
221
|
|
|
|
|
|
|
EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
222
|
|
|
|
|
|
|
|
223
|
|
|
|
|
|
|
=cut |