File Coverage

blib/lib/Mail/Qmail/Filter/DMARC.pm
Criterion Covered Total %
statement 11 40 27.5
branch 0 8 0.0
condition 0 3 0.0
subroutine 4 5 80.0
pod 1 1 100.0
total 16 57 28.0


line stmt bran cond sub pod time code
1 1     1   973 use 5.014;
  1         3  
2 1     1   5 use warnings;
  1         2  
  1         257  
3              
4             package Mail::Qmail::Filter::DMARC;
5              
6             our $VERSION = '1.21';
7              
8             sub domain {
9             shift =~ s/.*\@//r;
10             }
11              
12             sub if_set {
13             my ( $key, $value, @additional_checks ) = @_;
14             return unless defined $value && length $value;
15             $_->($value) or return for @additional_checks;
16             $key => $value;
17             }
18              
19             sub is_valid_domain {
20             require Mail::DMARC::Base;
21             Mail::DMARC::Base->new->is_valid_domain(shift);
22             }
23              
24             sub spf_query {
25             require Mail::SPF;
26             my $request = Mail::SPF::Request->new(@_);
27             state $server = Mail::SPF::Server->new;
28             $server->process($request);
29             }
30              
31 1     1   7 use namespace::clean;
  1         11  
  1         6  
32              
33 1     1   267 use Mo qw(coerce default);
  1         2  
  1         6  
34             extends 'Mail::Qmail::Filter';
35              
36             has 'dry_run';
37             has 'reject_text' => 'Failed DMARC test.';
38              
39             sub filter {
40 0     0 1   my $self = shift;
41 0           my $message = $self->message;
42              
43 0           require Mail::DKIM::Verifier; # lazy load because filter might be skipped
44 0           my $dkim = Mail::DKIM::Verifier->new;
45 0           $dkim->PRINT( $message->body =~ s/\cM?\cJ/\cM\cJ/gr );
46 0           $dkim->CLOSE;
47 0           $self->debug( 'DKIM result' => $dkim->result );
48              
49 0 0         if ( $dkim->result ne 'pass' ) {
50              
51 0           $self->debug( 'Remote IP' => $ENV{TCPREMOTEIP} );
52              
53 0           my %spf_query = ( ip_address => $ENV{TCPREMOTEIP} );
54              
55 0           $self->debug( helo => $spf_query{helo_identity} = $message->helo );
56              
57 0           my $header_from = $message->header_from;
58 0           my $header_from_domain;
59 0 0         if ($header_from) {
60             $self->debug( 'RFC5322.From' => $spf_query{identity} =
61 0           $header_from->address );
62 0           $header_from_domain = $header_from->host;
63 0           $spf_query{scope} = 'mfrom';
64             }
65             else {
66 0           $spf_query{scope} = 'helo';
67              
68             # identity required by Mail::SPF:
69 0           $spf_query{identity} = $spf_query{helo_identity};
70             }
71              
72 0           $self->debug( 'SPF result' => my $spf_result = spf_query(%spf_query) );
73 0           $message->add_header( $spf_result->received_spf_header );
74              
75 0           require Mail::DMARC::PurePerl;
76             my $dmarc_text = (
77             my $dmarc_result = Mail::DMARC::PurePerl->new(
78             source_ip => $ENV{TCPREMOTEIP},
79             envelope_to => domain( ( $message->to )[0] ),
80             if_set(
81             envelope_from => domain( $message->from ),
82             \&is_valid_domain
83             ),
84             if_set(
85             header_from => $header_from_domain,
86             \&is_valid_domain
87             ),
88             dkim => $dkim,
89             spf => {
90             if_set( domain => $header_from_domain ),
91             scope => $spf_query{scope},
92 0           result => $spf_result->code,
93             },
94             )->validate
95             )->result;
96 0           $self->debug( 'DMARC result' => $dmarc_text );
97 0           $message->add_header("DMARC-Status: $dmarc_text");
98              
99 0 0         if ( $dmarc_result->result ne 'pass' ) {
100 0           my $disposition = $dmarc_result->disposition;
101 0           $self->debug( 'DMARC disposition' => $disposition );
102 0 0 0       $self->reject( $self->reject_text )
103             if $disposition eq 'reject' && !$self->dry_run;
104             }
105             }
106             }
107              
108             1;
109              
110             __END__
111              
112             =head1 NAME
113              
114             Mail::Qmail::Filter::DMARC -
115             verify DMARC policy of mail message
116              
117             =head1 SYNOPSIS
118              
119             use Mail::Qmail::Filter;
120              
121             Mail::Qmail::Filter->new->add_filters(
122             '::DMARC' => {
123             skip_if_relayclient => 1,
124             },
125             '::Queue',
126             )->run;
127              
128             =head1 DESCRIPTION
129              
130             This L<Mail::Qmail::Filter> plugin verifies if the incoming e-mail message
131             conforms to the DMARC policy of its sender domain:
132              
133             =over 4
134              
135             =item 1.
136              
137             The plugin is skipped if imported with feature C<:skip_for_relayclient>
138             and the message comes from a relay client.
139              
140             =item 2.
141              
142             We check if the message contains a valid DKIM signature
143             matching the domain of the C<From:> header field.
144             If this is the case, the e-mail is passed on.
145              
146             =item 3.
147              
148             If not, a SPF check is done, and a C<Received-SPF:> header field is added to
149             the message.
150             Then we check if the message is aligned with its sender's DMARC policy.
151             A C<DMARC-Status:> header field is added.
152              
153             If the message does not align to the policy, the policy advises to reject such
154             messages and when the plugin is C<use>d with the C<:reject> feature or the
155             environment variable C<DMARC_REJECT> is set to a true value, the message will
156             be rejected with C<554 Failed DMARC test.>
157              
158             =back
159              
160             Please note: This only works for valid sender addresses.
161             If the message has no valid RFC5322.From, this filter will I<not> reject
162             the message, because L<Mail::DMARC> does not like invalid sender addresses.
163             If you also happen to not like these, please use
164             L<Mail::Qmail::Filter::ValidateFrom> and/or
165             L<Mail::Qmail::Filter::ValidateSender> I<before> this filter.
166              
167             =head1 OPTIONAL PARAMETERS
168              
169             =head2 dry_run
170              
171             When set to a true value, the message is only marked, not rejected.
172              
173             =head2 reject_text
174              
175             Reply text to send to the client when the message is rejected.
176              
177             Default: C<Failed DMARC test.>
178              
179             =head1 SEE ALSO
180              
181             L<Mail::Qmail::Filter/COMMON PARAMETERS FOR ALL FILTERS>,
182             L<Mail::Qmail::Filter::ValidateFrom>, L<Mail::Qmail::Filter::ValidateSender>
183              
184             =head1 LICENSE AND COPYRIGHT
185              
186             Copyright 2019 Martin Sluka.
187              
188             This module is free software; you can redistribute it and/or modify it
189             under the terms of the the Artistic License (2.0). You may obtain a
190             copy of the full license at:
191              
192             L<http://www.perlfoundation.org/artistic_license_2_0>
193              
194             Any use, modification, and distribution of the Standard or Modified
195             Versions is governed by this Artistic License. By using, modifying or
196             distributing the Package, you accept this license. Do not use, modify,
197             or distribute the Package, if you do not accept this license.
198              
199             If your Modified Version has been derived from a Modified Version made
200             by someone other than you, you are nevertheless required to ensure that
201             your Modified Version complies with the requirements of this license.
202              
203             This license does not grant you the right to use any trademark, service
204             mark, tradename, or logo of the Copyright Holder.
205              
206             This license includes the non-exclusive, worldwide, free-of-charge
207             patent license to make, have made, use, offer to sell, sell, import and
208             otherwise transfer the Package with respect to any patent claims
209             licensable by the Copyright Holder that are necessarily infringed by the
210             Package. If you institute patent litigation (including a cross-claim or
211             counterclaim) against any party alleging that the Package constitutes
212             direct or contributory patent infringement, then this Artistic License
213             to you shall terminate on the date that such litigation is filed.
214              
215             Disclaimer of Warranty: THE PACKAGE IS PROVIDED BY THE COPYRIGHT HOLDER
216             AND CONTRIBUTORS "AS IS' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES.
217             THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
218             PURPOSE, OR NON-INFRINGEMENT ARE DISCLAIMED TO THE EXTENT PERMITTED BY
219             YOUR LOCAL LAW. UNLESS REQUIRED BY LAW, NO COPYRIGHT HOLDER OR
220             CONTRIBUTOR WILL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, OR
221             CONSEQUENTIAL DAMAGES ARISING IN ANY WAY OUT OF THE USE OF THE PACKAGE,
222             EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
223              
224             =cut