line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
# <@LICENSE> |
2
|
|
|
|
|
|
|
# Licensed to the Apache Software Foundation (ASF) under one or more |
3
|
|
|
|
|
|
|
# contributor license agreements. See the NOTICE file distributed with |
4
|
|
|
|
|
|
|
# this work for additional information regarding copyright ownership. |
5
|
|
|
|
|
|
|
# The ASF licenses this file to you under the Apache License, Version 2.0 |
6
|
|
|
|
|
|
|
# (the "License"); you may not use this file except in compliance with |
7
|
|
|
|
|
|
|
# the License. You may obtain a copy of the License at: |
8
|
|
|
|
|
|
|
# |
9
|
|
|
|
|
|
|
# http://www.apache.org/licenses/LICENSE-2.0 |
10
|
|
|
|
|
|
|
# |
11
|
|
|
|
|
|
|
# Unless required by applicable law or agreed to in writing, software |
12
|
|
|
|
|
|
|
# distributed under the License is distributed on an "AS IS" BASIS, |
13
|
|
|
|
|
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
14
|
|
|
|
|
|
|
# See the License for the specific language governing permissions and |
15
|
|
|
|
|
|
|
# limitations under the License. |
16
|
|
|
|
|
|
|
# </@LICENSE> |
17
|
|
|
|
|
|
|
|
18
|
|
|
|
|
|
|
=head1 NAME |
19
|
|
|
|
|
|
|
|
20
|
|
|
|
|
|
|
Mail::SpamAssassin::Plugin::DKIM - perform DKIM verification tests |
21
|
|
|
|
|
|
|
|
22
|
|
|
|
|
|
|
=head1 SYNOPSIS |
23
|
|
|
|
|
|
|
|
24
|
|
|
|
|
|
|
loadplugin Mail::SpamAssassin::Plugin::DKIM [/path/to/DKIM.pm] |
25
|
|
|
|
|
|
|
|
26
|
|
|
|
|
|
|
Taking into account signatures from any signing domains: |
27
|
|
|
|
|
|
|
|
28
|
|
|
|
|
|
|
full DKIM_SIGNED eval:check_dkim_signed() |
29
|
|
|
|
|
|
|
full DKIM_VALID eval:check_dkim_valid() |
30
|
|
|
|
|
|
|
full DKIM_VALID_AU eval:check_dkim_valid_author_sig() |
31
|
|
|
|
|
|
|
full DKIM_VALID_EF eval:check_dkim_valid_envelopefrom() |
32
|
|
|
|
|
|
|
|
33
|
|
|
|
|
|
|
Taking into account signatures from specified signing domains only: |
34
|
|
|
|
|
|
|
(quotes may be omitted on domain names consisting only of letters, digits, |
35
|
|
|
|
|
|
|
dots, and minus characters) |
36
|
|
|
|
|
|
|
|
37
|
|
|
|
|
|
|
full DKIM_SIGNED_MY1 eval:check_dkim_signed('dom1','dom2',...) |
38
|
|
|
|
|
|
|
full DKIM_VALID_MY1 eval:check_dkim_valid('dom1','dom2',...) |
39
|
|
|
|
|
|
|
full DKIM_VALID_AU_MY1 eval:check_dkim_valid_author_sig('d1','d2',...) |
40
|
|
|
|
|
|
|
|
41
|
|
|
|
|
|
|
full __DKIM_DEPENDABLE eval:check_dkim_dependable() |
42
|
|
|
|
|
|
|
|
43
|
|
|
|
|
|
|
Author Domain Signing Practices (ADSP) from any author domains: |
44
|
|
|
|
|
|
|
|
45
|
|
|
|
|
|
|
header DKIM_ADSP_NXDOMAIN eval:check_dkim_adsp('N') |
46
|
|
|
|
|
|
|
header DKIM_ADSP_ALL eval:check_dkim_adsp('A') |
47
|
|
|
|
|
|
|
header DKIM_ADSP_DISCARD eval:check_dkim_adsp('D') |
48
|
|
|
|
|
|
|
header DKIM_ADSP_CUSTOM_LOW eval:check_dkim_adsp('1') |
49
|
|
|
|
|
|
|
header DKIM_ADSP_CUSTOM_MED eval:check_dkim_adsp('2') |
50
|
|
|
|
|
|
|
header DKIM_ADSP_CUSTOM_HIGH eval:check_dkim_adsp('3') |
51
|
|
|
|
|
|
|
|
52
|
|
|
|
|
|
|
Author Domain Signing Practices (ADSP) from specified author domains only: |
53
|
|
|
|
|
|
|
|
54
|
|
|
|
|
|
|
header DKIM_ADSP_MY1 eval:check_dkim_adsp('*','dom1','dom2',...) |
55
|
|
|
|
|
|
|
|
56
|
|
|
|
|
|
|
describe DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid |
57
|
|
|
|
|
|
|
describe DKIM_VALID Message has at least one valid DKIM or DK signature |
58
|
|
|
|
|
|
|
describe DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain |
59
|
|
|
|
|
|
|
describe DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain |
60
|
|
|
|
|
|
|
describe __DKIM_DEPENDABLE A validation failure not attributable to truncation |
61
|
|
|
|
|
|
|
|
62
|
|
|
|
|
|
|
describe DKIM_ADSP_NXDOMAIN Domain not in DNS and no valid author domain signature |
63
|
|
|
|
|
|
|
describe DKIM_ADSP_ALL Domain signs all mail, no valid author domain signature |
64
|
|
|
|
|
|
|
describe DKIM_ADSP_DISCARD Domain signs all mail and suggests discarding mail with no valid author domain signature, no valid author domain signature |
65
|
|
|
|
|
|
|
describe DKIM_ADSP_CUSTOM_LOW adsp_override is CUSTOM_LOW, no valid author domain signature |
66
|
|
|
|
|
|
|
describe DKIM_ADSP_CUSTOM_MED adsp_override is CUSTOM_MED, no valid author domain signature |
67
|
|
|
|
|
|
|
describe DKIM_ADSP_CUSTOM_HIGH adsp_override is CUSTOM_HIGH, no valid author domain signature |
68
|
|
|
|
|
|
|
|
69
|
|
|
|
|
|
|
For compatibility with pre-3.3.0 versions, the following are synonyms: |
70
|
|
|
|
|
|
|
|
71
|
|
|
|
|
|
|
OLD: eval:check_dkim_verified = NEW: eval:check_dkim_valid |
72
|
|
|
|
|
|
|
OLD: eval:check_dkim_signall = NEW: eval:check_dkim_adsp('A') |
73
|
|
|
|
|
|
|
OLD: eval:check_dkim_signsome = NEW: redundant, semantically always true |
74
|
|
|
|
|
|
|
|
75
|
|
|
|
|
|
|
The __DKIM_DEPENDABLE eval rule deserves an explanation. The rule yields true |
76
|
|
|
|
|
|
|
when signatures are supplied by a caller, OR ELSE when signatures are obtained |
77
|
|
|
|
|
|
|
by this plugin AND either there are no signatures OR a rule __TRUNCATED was |
78
|
|
|
|
|
|
|
false. In other words: __DKIM_DEPENDABLE is true when failed signatures can |
79
|
|
|
|
|
|
|
not be attributed to message truncation when feeding a message to SpamAssassin. |
80
|
|
|
|
|
|
|
It can be consulted to prevent false positives on large but truncated messages |
81
|
|
|
|
|
|
|
with poor man's implementation of ADSP by hand-crafted rules. |
82
|
|
|
|
|
|
|
|
83
|
|
|
|
|
|
|
=head1 DESCRIPTION |
84
|
|
|
|
|
|
|
|
85
|
|
|
|
|
|
|
This SpamAssassin plugin implements DKIM lookups as described by the RFC 4871, |
86
|
|
|
|
|
|
|
as well as historical DomainKeys lookups, as described by RFC 4870, thanks |
87
|
|
|
|
|
|
|
to the support for both types of signatures by newer versions of module |
88
|
|
|
|
|
|
|
Mail::DKIM. |
89
|
|
|
|
|
|
|
|
90
|
|
|
|
|
|
|
It requires the C<Mail::DKIM> CPAN module to operate. Many thanks to Jason Long |
91
|
|
|
|
|
|
|
for that module. |
92
|
|
|
|
|
|
|
|
93
|
|
|
|
|
|
|
=head1 TAGS |
94
|
|
|
|
|
|
|
|
95
|
|
|
|
|
|
|
The following tags are added to the set, available for use in reports, |
96
|
|
|
|
|
|
|
header fields, other plugins, etc.: |
97
|
|
|
|
|
|
|
|
98
|
|
|
|
|
|
|
_DKIMIDENTITY_ |
99
|
|
|
|
|
|
|
Agent or User Identifier (AUID) (the 'i' tag) from valid signatures; |
100
|
|
|
|
|
|
|
|
101
|
|
|
|
|
|
|
_DKIMDOMAIN_ |
102
|
|
|
|
|
|
|
Signing Domain Identifier (SDID) (the 'd' tag) from valid signatures; |
103
|
|
|
|
|
|
|
|
104
|
|
|
|
|
|
|
_DKIMSELECTOR_ |
105
|
|
|
|
|
|
|
DKIM selector (the 's' tag) from valid signatures; |
106
|
|
|
|
|
|
|
|
107
|
|
|
|
|
|
|
Identities and domains from signatures which failed verification are not |
108
|
|
|
|
|
|
|
included in these tags. Duplicates are eliminated (e.g. when there are two or |
109
|
|
|
|
|
|
|
more valid signatures from the same signer, only one copy makes it into a tag). |
110
|
|
|
|
|
|
|
Note that there may be more than one signature in a message - currently they |
111
|
|
|
|
|
|
|
are provided as a space-separated list, although this behaviour may change. |
112
|
|
|
|
|
|
|
|
113
|
|
|
|
|
|
|
=head1 SEE ALSO |
114
|
|
|
|
|
|
|
|
115
|
|
|
|
|
|
|
C<Mail::DKIM>, C<Mail::SpamAssassin::Plugin> |
116
|
|
|
|
|
|
|
|
117
|
|
|
|
|
|
|
http://jason.long.name/dkimproxy/ |
118
|
|
|
|
|
|
|
http://tools.ietf.org/rfc/rfc4871.txt |
119
|
|
|
|
|
|
|
http://tools.ietf.org/rfc/rfc4870.txt |
120
|
|
|
|
|
|
|
http://tools.ietf.org/rfc/rfc5617.txt |
121
|
|
|
|
|
|
|
http://ietf.org/html.charters/dkim-charter.html |
122
|
|
|
|
|
|
|
|
123
|
|
|
|
|
|
|
=cut |
124
|
|
|
|
|
|
|
|
125
|
|
|
|
|
|
|
package Mail::SpamAssassin::Plugin::DKIM; |
126
|
|
|
|
|
|
|
|
127
|
22
|
|
|
22
|
|
144
|
use Mail::SpamAssassin::Plugin; |
|
22
|
|
|
|
|
48
|
|
|
22
|
|
|
|
|
722
|
|
128
|
22
|
|
|
22
|
|
117
|
use Mail::SpamAssassin::Logger; |
|
22
|
|
|
|
|
42
|
|
|
22
|
|
|
|
|
1219
|
|
129
|
22
|
|
|
22
|
|
243
|
use Mail::SpamAssassin::Timeout; |
|
22
|
|
|
|
|
49
|
|
|
22
|
|
|
|
|
548
|
|
130
|
|
|
|
|
|
|
|
131
|
22
|
|
|
22
|
|
110
|
use strict; |
|
22
|
|
|
|
|
45
|
|
|
22
|
|
|
|
|
548
|
|
132
|
22
|
|
|
22
|
|
111
|
use warnings; |
|
22
|
|
|
|
|
39
|
|
|
22
|
|
|
|
|
690
|
|
133
|
|
|
|
|
|
|
# use bytes; |
134
|
22
|
|
|
22
|
|
132
|
use re 'taint'; |
|
22
|
|
|
|
|
50
|
|
|
22
|
|
|
|
|
129129
|
|
135
|
|
|
|
|
|
|
|
136
|
|
|
|
|
|
|
our @ISA = qw(Mail::SpamAssassin::Plugin); |
137
|
|
|
|
|
|
|
|
138
|
|
|
|
|
|
|
# constructor: register the eval rule |
139
|
|
|
|
|
|
|
sub new { |
140
|
63
|
|
|
63
|
1
|
236
|
my $class = shift; |
141
|
63
|
|
|
|
|
139
|
my $mailsaobject = shift; |
142
|
|
|
|
|
|
|
|
143
|
63
|
|
33
|
|
|
521
|
$class = ref($class) || $class; |
144
|
63
|
|
|
|
|
502
|
my $self = $class->SUPER::new($mailsaobject); |
145
|
63
|
|
|
|
|
187
|
bless ($self, $class); |
146
|
|
|
|
|
|
|
|
147
|
|
|
|
|
|
|
# signatures |
148
|
63
|
|
|
|
|
368
|
$self->register_eval_rule("check_dkim_signed"); |
149
|
63
|
|
|
|
|
217
|
$self->register_eval_rule("check_dkim_valid"); |
150
|
63
|
|
|
|
|
204
|
$self->register_eval_rule("check_dkim_valid_author_sig"); |
151
|
63
|
|
|
|
|
236
|
$self->register_eval_rule("check_dkim_testing"); |
152
|
63
|
|
|
|
|
208
|
$self->register_eval_rule("check_dkim_valid_envelopefrom"); |
153
|
|
|
|
|
|
|
|
154
|
|
|
|
|
|
|
# author domain signing practices |
155
|
63
|
|
|
|
|
203
|
$self->register_eval_rule("check_dkim_adsp"); |
156
|
63
|
|
|
|
|
207
|
$self->register_eval_rule("check_dkim_dependable"); |
157
|
|
|
|
|
|
|
|
158
|
|
|
|
|
|
|
# whitelisting |
159
|
63
|
|
|
|
|
205
|
$self->register_eval_rule("check_for_dkim_whitelist_from"); |
160
|
63
|
|
|
|
|
194
|
$self->register_eval_rule("check_for_def_dkim_whitelist_from"); |
161
|
|
|
|
|
|
|
|
162
|
|
|
|
|
|
|
# old names (aliases) for compatibility |
163
|
63
|
|
|
|
|
214
|
$self->register_eval_rule("check_dkim_verified"); # = check_dkim_valid |
164
|
63
|
|
|
|
|
238
|
$self->register_eval_rule("check_dkim_signall"); # = check_dkim_adsp('A') |
165
|
63
|
|
|
|
|
195
|
$self->register_eval_rule("check_dkim_signsome"); # redundant, always false |
166
|
|
|
|
|
|
|
|
167
|
63
|
|
|
|
|
265
|
$self->set_config($mailsaobject->{conf}); |
168
|
|
|
|
|
|
|
|
169
|
63
|
|
|
|
|
614
|
return $self; |
170
|
|
|
|
|
|
|
} |
171
|
|
|
|
|
|
|
|
172
|
|
|
|
|
|
|
########################################################################### |
173
|
|
|
|
|
|
|
|
174
|
|
|
|
|
|
|
sub set_config { |
175
|
63
|
|
|
63
|
0
|
149
|
my($self, $conf) = @_; |
176
|
63
|
|
|
|
|
150
|
my @cmds; |
177
|
|
|
|
|
|
|
|
178
|
|
|
|
|
|
|
=head1 USER SETTINGS |
179
|
|
|
|
|
|
|
|
180
|
|
|
|
|
|
|
=over 4 |
181
|
|
|
|
|
|
|
|
182
|
|
|
|
|
|
|
=item whitelist_from_dkim author@example.com [signing-domain] |
183
|
|
|
|
|
|
|
|
184
|
|
|
|
|
|
|
Works similarly to whitelist_from, except that in addition to matching |
185
|
|
|
|
|
|
|
an author address (From) to the pattern in the first parameter, the message |
186
|
|
|
|
|
|
|
must also carry a valid Domain Keys Identified Mail (DKIM) signature made by |
187
|
|
|
|
|
|
|
a signing domain (SDID, i.e. the d= tag) that is acceptable to us. |
188
|
|
|
|
|
|
|
|
189
|
|
|
|
|
|
|
Only one whitelist entry is allowed per line, as in C<whitelist_from_rcvd>. |
190
|
|
|
|
|
|
|
Multiple C<whitelist_from_dkim> lines are allowed. File-glob style characters |
191
|
|
|
|
|
|
|
are allowed for the From address (the first parameter), just like with |
192
|
|
|
|
|
|
|
C<whitelist_from_rcvd>. |
193
|
|
|
|
|
|
|
|
194
|
|
|
|
|
|
|
The second parameter (the signing-domain) does not accept full file-glob style |
195
|
|
|
|
|
|
|
wildcards, although a simple '*.' (or just a '.') prefix to a domain name |
196
|
|
|
|
|
|
|
is recognized and implies any subdomain of the specified domain (but not |
197
|
|
|
|
|
|
|
the domain itself). |
198
|
|
|
|
|
|
|
|
199
|
|
|
|
|
|
|
If no signing-domain parameter is specified, the only acceptable signature |
200
|
|
|
|
|
|
|
will be an Author Domain Signature (sometimes called first-party signature) |
201
|
|
|
|
|
|
|
which is a signature where the signing domain (SDID) of a signature matches |
202
|
|
|
|
|
|
|
the domain of the author's address (i.e. the address in a From header field). |
203
|
|
|
|
|
|
|
|
204
|
|
|
|
|
|
|
Since this whitelist requires a DKIM check to be made, network tests must |
205
|
|
|
|
|
|
|
be enabled. |
206
|
|
|
|
|
|
|
|
207
|
|
|
|
|
|
|
Examples of whitelisting based on an author domain signature (first-party): |
208
|
|
|
|
|
|
|
|
209
|
|
|
|
|
|
|
whitelist_from_dkim joe@example.com |
210
|
|
|
|
|
|
|
whitelist_from_dkim *@corp.example.com |
211
|
|
|
|
|
|
|
whitelist_from_dkim *@*.example.com |
212
|
|
|
|
|
|
|
|
213
|
|
|
|
|
|
|
Examples of whitelisting based on third-party signatures: |
214
|
|
|
|
|
|
|
|
215
|
|
|
|
|
|
|
whitelist_from_dkim jane@example.net example.org |
216
|
|
|
|
|
|
|
whitelist_from_dkim rick@info.example.net example.net |
217
|
|
|
|
|
|
|
whitelist_from_dkim *@info.example.net example.net |
218
|
|
|
|
|
|
|
whitelist_from_dkim *@* mail7.remailer.example.com |
219
|
|
|
|
|
|
|
whitelist_from_dkim *@* *.remailer.example.com |
220
|
|
|
|
|
|
|
|
221
|
|
|
|
|
|
|
=item def_whitelist_from_dkim author@example.com [signing-domain] |
222
|
|
|
|
|
|
|
|
223
|
|
|
|
|
|
|
Same as C<whitelist_from_dkim>, but used for the default whitelist entries |
224
|
|
|
|
|
|
|
in the SpamAssassin distribution. The whitelist score is lower, because |
225
|
|
|
|
|
|
|
these are often targets for abuse of public mailers which sign their mail. |
226
|
|
|
|
|
|
|
|
227
|
|
|
|
|
|
|
=item unwhitelist_from_dkim author@example.com [signing-domain] |
228
|
|
|
|
|
|
|
|
229
|
|
|
|
|
|
|
Removes an email address with its corresponding signing-domain field |
230
|
|
|
|
|
|
|
from def_whitelist_from_dkim and whitelist_from_dkim tables, if it exists. |
231
|
|
|
|
|
|
|
Parameters to unwhitelist_from_dkim must exactly match the parameters of |
232
|
|
|
|
|
|
|
a corresponding whitelist_from_dkim or def_whitelist_from_dkim config |
233
|
|
|
|
|
|
|
option which created the entry, for it to be removed (a domain name is |
234
|
|
|
|
|
|
|
matched case-insensitively); i.e. if a signing-domain parameter was |
235
|
|
|
|
|
|
|
specified in a whitelisting command, it must also be specified in the |
236
|
|
|
|
|
|
|
unwhitelisting command. |
237
|
|
|
|
|
|
|
|
238
|
|
|
|
|
|
|
Useful for removing undesired default entries from a distributed configuration |
239
|
|
|
|
|
|
|
by a local or site-specific configuration or by C<user_prefs>. |
240
|
|
|
|
|
|
|
|
241
|
|
|
|
|
|
|
=item adsp_override domain [signing-practices] |
242
|
|
|
|
|
|
|
|
243
|
|
|
|
|
|
|
Currently few domains publish their signing practices (RFC 5617 - ADSP), |
244
|
|
|
|
|
|
|
partly because the ADSP rfc is rather new, partly because they think |
245
|
|
|
|
|
|
|
hardly any recipient bothers to check it, and partly for fear that some |
246
|
|
|
|
|
|
|
recipients might lose mail due to problems in their signature validation |
247
|
|
|
|
|
|
|
procedures or mail mangling by mailers beyond their control. |
248
|
|
|
|
|
|
|
|
249
|
|
|
|
|
|
|
Nevertheless, recipients could benefit by knowing signing practices of a |
250
|
|
|
|
|
|
|
sending (author's) domain, for example to recognize forged mail claiming |
251
|
|
|
|
|
|
|
to be from certain domains which are popular targets for phishing, like |
252
|
|
|
|
|
|
|
financial institutions. Unfortunately, as signing practices are seldom |
253
|
|
|
|
|
|
|
published or are weak, it is hardly justifiable to look them up in DNS. |
254
|
|
|
|
|
|
|
|
255
|
|
|
|
|
|
|
To overcome this chicken-or-the-egg problem, the C<adsp_override> mechanism |
256
|
|
|
|
|
|
|
allows recipients using SpamAssassin to override published or defaulted |
257
|
|
|
|
|
|
|
ADSP for certain domains. This makes it possible to manually specify a |
258
|
|
|
|
|
|
|
stronger (or weaker) signing practices than a signing domain is willing |
259
|
|
|
|
|
|
|
to publish (explicitly or by default), and also save on a DNS lookup. |
260
|
|
|
|
|
|
|
|
261
|
|
|
|
|
|
|
Note that ADSP (published or overridden) is only consulted for messages |
262
|
|
|
|
|
|
|
which do not contain a valid DKIM signature from the author's domain. |
263
|
|
|
|
|
|
|
|
264
|
|
|
|
|
|
|
According to RFC 5617, signing practices can be one of the following: |
265
|
|
|
|
|
|
|
C<unknown>, C<all> and C<discardable>. |
266
|
|
|
|
|
|
|
|
267
|
|
|
|
|
|
|
C<unknown>: The domain might sign some or all email - messages from the |
268
|
|
|
|
|
|
|
domain may or may not have an Author Domain Signature. This is a default |
269
|
|
|
|
|
|
|
if a domain exists in DNS but no ADSP record is found. |
270
|
|
|
|
|
|
|
|
271
|
|
|
|
|
|
|
C<all>: All mail from the domain is signed with an Author Domain Signature. |
272
|
|
|
|
|
|
|
|
273
|
|
|
|
|
|
|
C<discardable>: All mail from the domain is signed with an Author Domain |
274
|
|
|
|
|
|
|
Signature. Furthermore, if a message arrives without a valid Author Domain |
275
|
|
|
|
|
|
|
Signature, the domain encourages the recipient(s) to discard it. |
276
|
|
|
|
|
|
|
|
277
|
|
|
|
|
|
|
ADSP lookup can also determine that a domain is "out of scope", i.e., the |
278
|
|
|
|
|
|
|
domain does not exist (NXDOMAIN) in the DNS. |
279
|
|
|
|
|
|
|
|
280
|
|
|
|
|
|
|
To override domain's signing practices in a SpamAssassin configuration file, |
281
|
|
|
|
|
|
|
specify an C<adsp_override> directive for each sending domain to be overridden. |
282
|
|
|
|
|
|
|
|
283
|
|
|
|
|
|
|
Its first argument is a domain name. Author's domain is matched against it, |
284
|
|
|
|
|
|
|
matching is case insensitive. This is not a regular expression or a file-glob |
285
|
|
|
|
|
|
|
style wildcard, but limited wildcarding is still available: if this argument |
286
|
|
|
|
|
|
|
starts by a "*." (or is a sole "*"), author's domain matches if it is a |
287
|
|
|
|
|
|
|
subdomain (to one or more levels) of the argument. Otherwise (with no leading |
288
|
|
|
|
|
|
|
asterisk) the match must be exact (not a subdomain). |
289
|
|
|
|
|
|
|
|
290
|
|
|
|
|
|
|
An optional second parameter is one of the following keywords |
291
|
|
|
|
|
|
|
(case-insensitive): C<nxdomain>, C<unknown>, C<all>, C<discardable>, |
292
|
|
|
|
|
|
|
C<custom_low>, C<custom_med>, C<custom_high>. |
293
|
|
|
|
|
|
|
|
294
|
|
|
|
|
|
|
Absence of this second parameter implies C<discardable>. If a domain is not |
295
|
|
|
|
|
|
|
listed by a C<adsp_override> directive nor does it explicitly publish any |
296
|
|
|
|
|
|
|
ADSP record, then C<unknown> is implied for valid domains, and C<nxdomain> |
297
|
|
|
|
|
|
|
for domains not existing in DNS. (Note: domain validity is only checked with |
298
|
|
|
|
|
|
|
versions of Mail::DKIM 0.37 or later (actually since 0.36_5), the C<nxdomain> |
299
|
|
|
|
|
|
|
would never turn up with older versions). |
300
|
|
|
|
|
|
|
|
301
|
|
|
|
|
|
|
The strong setting C<discardable> is useful for domains which are known |
302
|
|
|
|
|
|
|
to always sign their mail and to always send it directly to recipients |
303
|
|
|
|
|
|
|
(not to mailing lists), and are frequent targets of fishing attempts, |
304
|
|
|
|
|
|
|
such as financial institutions. The C<discardable> is also appropriate |
305
|
|
|
|
|
|
|
for domains which are known never to send any mail. |
306
|
|
|
|
|
|
|
|
307
|
|
|
|
|
|
|
When a message does not contain a valid signature by the author's domain |
308
|
|
|
|
|
|
|
(the domain in a From header field), the signing practices pertaining |
309
|
|
|
|
|
|
|
to author's domain determine which of the following rules fire and |
310
|
|
|
|
|
|
|
contributes its score: DKIM_ADSP_NXDOMAIN, DKIM_ADSP_ALL, DKIM_ADSP_DISCARD, |
311
|
|
|
|
|
|
|
DKIM_ADSP_CUSTOM_LOW, DKIM_ADSP_CUSTOM_MED, DKIM_ADSP_CUSTOM_HIGH. Not more |
312
|
|
|
|
|
|
|
than one of these rules can fire for messages that have one author (but see |
313
|
|
|
|
|
|
|
below). The last three can only result from a 'signing-practices' as given |
314
|
|
|
|
|
|
|
in a C<adsp_override> directive (not from a DNS lookup), and can serve as |
315
|
|
|
|
|
|
|
a convenient means of providing a different score if scores assigned to |
316
|
|
|
|
|
|
|
DKIM_ADSP_ALL or DKIM_ADSP_DISCARD are not considered suitable for some |
317
|
|
|
|
|
|
|
domains. |
318
|
|
|
|
|
|
|
|
319
|
|
|
|
|
|
|
RFC 5322 permits a message to have more than one author - multiple addresses |
320
|
|
|
|
|
|
|
may be listed in a single From header field. RFC 5617 defines that a message |
321
|
|
|
|
|
|
|
with multiple authors has multiple signing domain signing practices, but does |
322
|
|
|
|
|
|
|
not prescribe how these should be combined. In presence of multiple signing |
323
|
|
|
|
|
|
|
practices, more than one of the DKIM_ADSP_* rules may fire. |
324
|
|
|
|
|
|
|
|
325
|
|
|
|
|
|
|
As a precaution against firing DKIM_ADSP_* rules when there is a known local |
326
|
|
|
|
|
|
|
reason for a signature verification failure, the domain's ADSP is considered |
327
|
|
|
|
|
|
|
'unknown' when DNS lookups are disabled or a DNS lookup encountered a temporary |
328
|
|
|
|
|
|
|
problem on fetching a public key from the author's domain. Similarly, ADSP |
329
|
|
|
|
|
|
|
is considered 'unknown' when this plugin did its own signature verification |
330
|
|
|
|
|
|
|
(signatures were not passed to SA by a caller) and a metarule __TRUNCATED was |
331
|
|
|
|
|
|
|
triggered, indicating the caller intentionally passed a truncated message to |
332
|
|
|
|
|
|
|
SpamAssassin, which was a likely reason for a signature verification failure. |
333
|
|
|
|
|
|
|
|
334
|
|
|
|
|
|
|
Example: |
335
|
|
|
|
|
|
|
|
336
|
|
|
|
|
|
|
adsp_override *.mydomain.example.com discardable |
337
|
|
|
|
|
|
|
adsp_override *.neversends.example.com discardable |
338
|
|
|
|
|
|
|
|
339
|
|
|
|
|
|
|
adsp_override ebay.com |
340
|
|
|
|
|
|
|
adsp_override *.ebay.com |
341
|
|
|
|
|
|
|
adsp_override ebay.co.uk |
342
|
|
|
|
|
|
|
adsp_override *.ebay.co.uk |
343
|
|
|
|
|
|
|
adsp_override paypal.com |
344
|
|
|
|
|
|
|
adsp_override *.paypal.com |
345
|
|
|
|
|
|
|
adsp_override amazon.com |
346
|
|
|
|
|
|
|
adsp_override ealerts.bankofamerica.com |
347
|
|
|
|
|
|
|
adsp_override americangreetings.com |
348
|
|
|
|
|
|
|
adsp_override egreetings.com |
349
|
|
|
|
|
|
|
adsp_override bluemountain.com |
350
|
|
|
|
|
|
|
adsp_override hallmark.com all |
351
|
|
|
|
|
|
|
adsp_override *.hallmark.com all |
352
|
|
|
|
|
|
|
adsp_override youtube.com custom_high |
353
|
|
|
|
|
|
|
adsp_override google.com custom_low |
354
|
|
|
|
|
|
|
adsp_override gmail.com custom_low |
355
|
|
|
|
|
|
|
adsp_override googlemail.com custom_low |
356
|
|
|
|
|
|
|
adsp_override yahoo.com custom_low |
357
|
|
|
|
|
|
|
adsp_override yahoo.com.au custom_low |
358
|
|
|
|
|
|
|
adsp_override yahoo.se custom_low |
359
|
|
|
|
|
|
|
|
360
|
|
|
|
|
|
|
adsp_override junkmailerkbw0rr.com nxdomain |
361
|
|
|
|
|
|
|
adsp_override junkmailerd2hlsg.com nxdomain |
362
|
|
|
|
|
|
|
|
363
|
|
|
|
|
|
|
# effectively disables ADSP network DNS lookups for all other domains: |
364
|
|
|
|
|
|
|
adsp_override * unknown |
365
|
|
|
|
|
|
|
|
366
|
|
|
|
|
|
|
score DKIM_ADSP_ALL 2.5 |
367
|
|
|
|
|
|
|
score DKIM_ADSP_DISCARD 25 |
368
|
|
|
|
|
|
|
score DKIM_ADSP_NXDOMAIN 3 |
369
|
|
|
|
|
|
|
|
370
|
|
|
|
|
|
|
score DKIM_ADSP_CUSTOM_LOW 1 |
371
|
|
|
|
|
|
|
score DKIM_ADSP_CUSTOM_MED 3.5 |
372
|
|
|
|
|
|
|
score DKIM_ADSP_CUSTOM_HIGH 8 |
373
|
|
|
|
|
|
|
|
374
|
|
|
|
|
|
|
|
375
|
|
|
|
|
|
|
=item dkim_minimum_key_bits n (default: 1024) |
376
|
|
|
|
|
|
|
|
377
|
|
|
|
|
|
|
The smallest size of a signing key (in bits) for a valid signature to be |
378
|
|
|
|
|
|
|
considered for whitelisting. Additionally, the eval function check_dkim_valid() |
379
|
|
|
|
|
|
|
will return false on short keys when called with explicitly listed domains, |
380
|
|
|
|
|
|
|
and the eval function check_dkim_valid_author_sig() will return false on short |
381
|
|
|
|
|
|
|
keys (regardless of its arguments). Setting the option to 0 disables a key |
382
|
|
|
|
|
|
|
size check. |
383
|
|
|
|
|
|
|
|
384
|
|
|
|
|
|
|
Note that the option has no effect when the eval function check_dkim_valid() |
385
|
|
|
|
|
|
|
is called with no arguments (like in a rule DKIM_VALID). A mere presence of |
386
|
|
|
|
|
|
|
some valid signature on a message has no reputational value (without being |
387
|
|
|
|
|
|
|
associated with a particular domain), regardless of its key size - anyone can |
388
|
|
|
|
|
|
|
prepend its own signature on a copy of some third party mail and re-send it, |
389
|
|
|
|
|
|
|
which makes it no more trustworthy than without such signature. This is also |
390
|
|
|
|
|
|
|
a reason for a rule DKIM_VALID to have a near-zero score, i.e. a rule hit |
391
|
|
|
|
|
|
|
is only informational. |
392
|
|
|
|
|
|
|
|
393
|
|
|
|
|
|
|
=cut |
394
|
|
|
|
|
|
|
|
395
|
|
|
|
|
|
|
push (@cmds, { |
396
|
|
|
|
|
|
|
setting => 'whitelist_from_dkim', |
397
|
|
|
|
|
|
|
type => $Mail::SpamAssassin::Conf::CONF_TYPE_ADDRLIST, |
398
|
|
|
|
|
|
|
code => sub { |
399
|
0
|
|
|
0
|
|
0
|
my ($self, $key, $value, $line) = @_; |
400
|
0
|
|
|
|
|
0
|
local ($1,$2); |
401
|
0
|
0
|
0
|
|
|
0
|
unless (defined $value && $value !~ /^$/) { |
402
|
0
|
|
|
|
|
0
|
return $Mail::SpamAssassin::Conf::MISSING_REQUIRED_VALUE; |
403
|
|
|
|
|
|
|
} |
404
|
0
|
0
|
|
|
|
0
|
unless ($value =~ /^(\S+)(?:\s+(\S+))?$/) { |
405
|
0
|
|
|
|
|
0
|
return $Mail::SpamAssassin::Conf::INVALID_VALUE; |
406
|
|
|
|
|
|
|
} |
407
|
0
|
|
|
|
|
0
|
my $address = $1; |
408
|
0
|
0
|
|
|
|
0
|
my $sdid = defined $2 ? $2 : ''; # empty implies author domain signature |
409
|
0
|
|
|
|
|
0
|
$address =~ s/(\@[^@]*)\z/lc($1)/e; # lowercase the email address domain |
|
0
|
|
|
|
|
0
|
|
410
|
0
|
|
|
|
|
0
|
$self->{parser}->add_to_addrlist_dkim('whitelist_from_dkim', |
411
|
|
|
|
|
|
|
$address, lc $sdid); |
412
|
|
|
|
|
|
|
} |
413
|
63
|
|
|
|
|
589
|
}); |
414
|
|
|
|
|
|
|
|
415
|
|
|
|
|
|
|
push (@cmds, { |
416
|
|
|
|
|
|
|
setting => 'def_whitelist_from_dkim', |
417
|
|
|
|
|
|
|
type => $Mail::SpamAssassin::Conf::CONF_TYPE_ADDRLIST, |
418
|
|
|
|
|
|
|
code => sub { |
419
|
0
|
|
|
0
|
|
0
|
my ($self, $key, $value, $line) = @_; |
420
|
0
|
|
|
|
|
0
|
local ($1,$2); |
421
|
0
|
0
|
0
|
|
|
0
|
unless (defined $value && $value !~ /^$/) { |
422
|
0
|
|
|
|
|
0
|
return $Mail::SpamAssassin::Conf::MISSING_REQUIRED_VALUE; |
423
|
|
|
|
|
|
|
} |
424
|
0
|
0
|
|
|
|
0
|
unless ($value =~ /^(\S+)(?:\s+(\S+))?$/) { |
425
|
0
|
|
|
|
|
0
|
return $Mail::SpamAssassin::Conf::INVALID_VALUE; |
426
|
|
|
|
|
|
|
} |
427
|
0
|
|
|
|
|
0
|
my $address = $1; |
428
|
0
|
0
|
|
|
|
0
|
my $sdid = defined $2 ? $2 : ''; # empty implies author domain signature |
429
|
0
|
|
|
|
|
0
|
$address =~ s/(\@[^@]*)\z/lc($1)/e; # lowercase the email address domain |
|
0
|
|
|
|
|
0
|
|
430
|
0
|
|
|
|
|
0
|
$self->{parser}->add_to_addrlist_dkim('def_whitelist_from_dkim', |
431
|
|
|
|
|
|
|
$address, lc $sdid); |
432
|
|
|
|
|
|
|
} |
433
|
63
|
|
|
|
|
582
|
}); |
434
|
|
|
|
|
|
|
|
435
|
|
|
|
|
|
|
push (@cmds, { |
436
|
|
|
|
|
|
|
setting => 'unwhitelist_from_dkim', |
437
|
|
|
|
|
|
|
type => $Mail::SpamAssassin::Conf::CONF_TYPE_ADDRLIST, |
438
|
|
|
|
|
|
|
code => sub { |
439
|
0
|
|
|
0
|
|
0
|
my ($self, $key, $value, $line) = @_; |
440
|
0
|
|
|
|
|
0
|
local ($1,$2); |
441
|
0
|
0
|
0
|
|
|
0
|
unless (defined $value && $value !~ /^$/) { |
442
|
0
|
|
|
|
|
0
|
return $Mail::SpamAssassin::Conf::MISSING_REQUIRED_VALUE; |
443
|
|
|
|
|
|
|
} |
444
|
0
|
0
|
|
|
|
0
|
unless ($value =~ /^(\S+)(?:\s+(\S+))?$/) { |
445
|
0
|
|
|
|
|
0
|
return $Mail::SpamAssassin::Conf::INVALID_VALUE; |
446
|
|
|
|
|
|
|
} |
447
|
0
|
|
|
|
|
0
|
my $address = $1; |
448
|
0
|
0
|
|
|
|
0
|
my $sdid = defined $2 ? $2 : ''; # empty implies author domain signature |
449
|
0
|
|
|
|
|
0
|
$address =~ s/(\@[^@]*)\z/lc($1)/e; # lowercase the email address domain |
|
0
|
|
|
|
|
0
|
|
450
|
0
|
|
|
|
|
0
|
$self->{parser}->remove_from_addrlist_dkim('whitelist_from_dkim', |
451
|
|
|
|
|
|
|
$address, lc $sdid); |
452
|
0
|
|
|
|
|
0
|
$self->{parser}->remove_from_addrlist_dkim('def_whitelist_from_dkim', |
453
|
|
|
|
|
|
|
$address, lc $sdid); |
454
|
|
|
|
|
|
|
} |
455
|
63
|
|
|
|
|
515
|
}); |
456
|
|
|
|
|
|
|
|
457
|
|
|
|
|
|
|
push (@cmds, { |
458
|
|
|
|
|
|
|
setting => 'adsp_override', |
459
|
|
|
|
|
|
|
type => $Mail::SpamAssassin::Conf::CONF_TYPE_HASH_KEY_VALUE, |
460
|
|
|
|
|
|
|
code => sub { |
461
|
310
|
|
|
310
|
|
680
|
my ($self, $key, $value, $line) = @_; |
462
|
310
|
|
|
|
|
801
|
local ($1,$2); |
463
|
310
|
50
|
33
|
|
|
1435
|
unless (defined $value && $value !~ /^$/) { |
464
|
0
|
|
|
|
|
0
|
return $Mail::SpamAssassin::Conf::MISSING_REQUIRED_VALUE; |
465
|
|
|
|
|
|
|
} |
466
|
310
|
50
|
|
|
|
1504
|
unless ($value =~ /^ \@? ( [*a-z0-9._-]+ ) |
467
|
|
|
|
|
|
|
(?: \s+ (nxdomain|unknown|all|discardable| |
468
|
|
|
|
|
|
|
custom_low|custom_med|custom_high) )?$/ix) { |
469
|
0
|
|
|
|
|
0
|
return $Mail::SpamAssassin::Conf::INVALID_VALUE; |
470
|
|
|
|
|
|
|
} |
471
|
310
|
|
|
|
|
770
|
my $domain = lc $1; # author's domain |
472
|
310
|
|
|
|
|
529
|
my $adsp = $2; # author domain signing practices |
473
|
310
|
100
|
|
|
|
662
|
$adsp = 'discardable' if !defined $adsp; |
474
|
310
|
|
|
|
|
534
|
$adsp = lc $adsp; |
475
|
310
|
50
|
|
|
|
959
|
if ($adsp eq 'custom_low' ) { $adsp = '1' } |
|
0
|
50
|
|
|
|
0
|
|
|
|
50
|
|
|
|
|
|
476
|
0
|
|
|
|
|
0
|
elsif ($adsp eq 'custom_med' ) { $adsp = '2' } |
477
|
0
|
|
|
|
|
0
|
elsif ($adsp eq 'custom_high') { $adsp = '3' } |
478
|
310
|
|
|
|
|
758
|
else { $adsp = uc substr($adsp,0,1) } # N/U/A/D/1/2/3 |
479
|
310
|
|
|
|
|
1674
|
$self->{parser}->{conf}->{adsp_override}->{$domain} = $adsp; |
480
|
|
|
|
|
|
|
} |
481
|
63
|
|
|
|
|
492
|
}); |
482
|
|
|
|
|
|
|
|
483
|
|
|
|
|
|
|
# minimal signing key size in bits that is acceptable for whitelisting |
484
|
63
|
|
|
|
|
323
|
push (@cmds, { |
485
|
|
|
|
|
|
|
setting => 'dkim_minimum_key_bits', |
486
|
|
|
|
|
|
|
default => 1024, |
487
|
|
|
|
|
|
|
type => $Mail::SpamAssassin::Conf::CONF_TYPE_NUMERIC, |
488
|
|
|
|
|
|
|
}); |
489
|
|
|
|
|
|
|
|
490
|
|
|
|
|
|
|
=back |
491
|
|
|
|
|
|
|
|
492
|
|
|
|
|
|
|
=head1 ADMINISTRATOR SETTINGS |
493
|
|
|
|
|
|
|
|
494
|
|
|
|
|
|
|
=over 4 |
495
|
|
|
|
|
|
|
|
496
|
|
|
|
|
|
|
=item dkim_timeout n (default: 5) |
497
|
|
|
|
|
|
|
|
498
|
|
|
|
|
|
|
How many seconds to wait for a DKIM query to complete, before scanning |
499
|
|
|
|
|
|
|
continues without the DKIM result. A numeric value is optionally suffixed |
500
|
|
|
|
|
|
|
by a time unit (s, m, h, d, w, indicating seconds (default), minutes, hours, |
501
|
|
|
|
|
|
|
days, weeks). |
502
|
|
|
|
|
|
|
|
503
|
|
|
|
|
|
|
=back |
504
|
|
|
|
|
|
|
|
505
|
|
|
|
|
|
|
=cut |
506
|
|
|
|
|
|
|
|
507
|
63
|
|
|
|
|
319
|
push (@cmds, { |
508
|
|
|
|
|
|
|
setting => 'dkim_timeout', |
509
|
|
|
|
|
|
|
is_admin => 1, |
510
|
|
|
|
|
|
|
default => 5, |
511
|
|
|
|
|
|
|
type => $Mail::SpamAssassin::Conf::CONF_TYPE_DURATION |
512
|
|
|
|
|
|
|
}); |
513
|
|
|
|
|
|
|
|
514
|
63
|
|
|
|
|
290
|
$conf->{parser}->register_commands(\@cmds); |
515
|
|
|
|
|
|
|
} |
516
|
|
|
|
|
|
|
|
517
|
|
|
|
|
|
|
# --------------------------------------------------------------------------- |
518
|
|
|
|
|
|
|
|
519
|
|
|
|
|
|
|
sub check_dkim_signed { |
520
|
77
|
|
|
77
|
0
|
264
|
my ($self, $pms, $full_ref, @acceptable_domains) = @_; |
521
|
77
|
50
|
|
|
|
245
|
$self->_check_dkim_signature($pms) if !$pms->{dkim_checked_signature}; |
522
|
77
|
|
|
|
|
163
|
my $result = 0; |
523
|
77
|
50
|
|
|
|
310
|
if (!$pms->{dkim_signed}) { |
|
|
0
|
|
|
|
|
|
524
|
|
|
|
|
|
|
# don't bother |
525
|
|
|
|
|
|
|
} elsif (!@acceptable_domains) { |
526
|
0
|
|
|
|
|
0
|
$result = 1; # no additional constraints, any signing domain will do |
527
|
|
|
|
|
|
|
} else { |
528
|
0
|
|
|
|
|
0
|
$result = $self->_check_dkim_signed_by($pms,0,0,\@acceptable_domains); |
529
|
|
|
|
|
|
|
} |
530
|
77
|
|
|
|
|
1187
|
return $result; |
531
|
|
|
|
|
|
|
} |
532
|
|
|
|
|
|
|
|
533
|
|
|
|
|
|
|
sub check_dkim_valid { |
534
|
77
|
|
|
77
|
0
|
293
|
my ($self, $pms, $full_ref, @acceptable_domains) = @_; |
535
|
77
|
50
|
|
|
|
260
|
$self->_check_dkim_signature($pms) if !$pms->{dkim_checked_signature}; |
536
|
77
|
|
|
|
|
154
|
my $result = 0; |
537
|
77
|
50
|
|
|
|
255
|
if (!$pms->{dkim_valid}) { |
|
|
0
|
|
|
|
|
|
538
|
|
|
|
|
|
|
# don't bother |
539
|
|
|
|
|
|
|
} elsif (!@acceptable_domains) { |
540
|
0
|
|
|
|
|
0
|
$result = 1; # no additional constraints, any signing domain will do, |
541
|
|
|
|
|
|
|
# also any signing key size will do |
542
|
|
|
|
|
|
|
} else { |
543
|
0
|
|
|
|
|
0
|
$result = $self->_check_dkim_signed_by($pms,1,0,\@acceptable_domains); |
544
|
|
|
|
|
|
|
} |
545
|
77
|
|
|
|
|
1146
|
return $result; |
546
|
|
|
|
|
|
|
} |
547
|
|
|
|
|
|
|
|
548
|
|
|
|
|
|
|
sub check_dkim_valid_author_sig { |
549
|
77
|
|
|
77
|
0
|
293
|
my ($self, $pms, $full_ref, @acceptable_domains) = @_; |
550
|
77
|
50
|
|
|
|
284
|
$self->_check_dkim_signature($pms) if !$pms->{dkim_checked_signature}; |
551
|
77
|
|
|
|
|
155
|
my $result = 0; |
552
|
77
|
50
|
|
|
|
196
|
if (!%{$pms->{dkim_has_valid_author_sig}}) { |
|
77
|
|
|
|
|
333
|
|
553
|
|
|
|
|
|
|
# don't bother |
554
|
|
|
|
|
|
|
} else { |
555
|
0
|
|
|
|
|
0
|
$result = $self->_check_dkim_signed_by($pms,1,1,\@acceptable_domains); |
556
|
|
|
|
|
|
|
} |
557
|
77
|
|
|
|
|
1179
|
return $result; |
558
|
|
|
|
|
|
|
} |
559
|
|
|
|
|
|
|
|
560
|
|
|
|
|
|
|
sub check_dkim_valid_envelopefrom { |
561
|
0
|
|
|
0
|
0
|
0
|
my ($self, $pms, $full_ref) = @_; |
562
|
0
|
|
|
|
|
0
|
my $result = 0; |
563
|
0
|
|
|
|
|
0
|
my $envfrom=$self->{'main'}->{'registryboundaries'}->uri_to_domain($pms->get("EnvelopeFrom")); |
564
|
|
|
|
|
|
|
# if no envelopeFrom, it cannot be valid |
565
|
0
|
0
|
|
|
|
0
|
return $result if !$envfrom; |
566
|
0
|
0
|
|
|
|
0
|
$self->_check_dkim_signature($pms) if !$pms->{dkim_checked_signature}; |
567
|
0
|
0
|
|
|
|
0
|
if (!$pms->{dkim_valid}) { |
568
|
|
|
|
|
|
|
# don't bother |
569
|
|
|
|
|
|
|
} else { |
570
|
0
|
|
|
|
|
0
|
$result = $self->_check_dkim_signed_by($pms,1,0,[$envfrom]); |
571
|
|
|
|
|
|
|
} |
572
|
0
|
|
|
|
|
0
|
return $result; |
573
|
|
|
|
|
|
|
} |
574
|
|
|
|
|
|
|
|
575
|
|
|
|
|
|
|
sub check_dkim_dependable { |
576
|
0
|
|
|
0
|
0
|
0
|
my ($self, $pms) = @_; |
577
|
0
|
0
|
|
|
|
0
|
$self->_check_dkim_signature($pms) if !$pms->{dkim_checked_signature}; |
578
|
0
|
|
|
|
|
0
|
return $pms->{dkim_signatures_dependable}; |
579
|
|
|
|
|
|
|
} |
580
|
|
|
|
|
|
|
|
581
|
|
|
|
|
|
|
# mosnomer, old synonym for check_dkim_valid, kept for compatibility |
582
|
|
|
|
|
|
|
sub check_dkim_verified { |
583
|
0
|
|
|
0
|
0
|
0
|
return check_dkim_valid(@_); |
584
|
|
|
|
|
|
|
} |
585
|
|
|
|
|
|
|
|
586
|
|
|
|
|
|
|
# no valid Author Domain Signature && ADSP matches the argument |
587
|
|
|
|
|
|
|
sub check_dkim_adsp { |
588
|
462
|
|
|
462
|
0
|
990
|
my ($self, $pms, $adsp_char, @domains_list) = @_; |
589
|
462
|
100
|
|
|
|
1317
|
$self->_check_dkim_signature($pms) if !$pms->{dkim_checked_signature}; |
590
|
462
|
|
|
|
|
632
|
my $result = 0; |
591
|
462
|
50
|
|
|
|
1034
|
if (!$pms->{dkim_signatures_ready}) { |
592
|
|
|
|
|
|
|
# don't bother |
593
|
|
|
|
|
|
|
} else { |
594
|
0
|
0
|
|
|
|
0
|
$self->_check_dkim_adsp($pms) if !$pms->{dkim_checked_adsp}; |
595
|
|
|
|
|
|
|
|
596
|
|
|
|
|
|
|
# an asterisk indicates any ADSP type can match (as long as |
597
|
|
|
|
|
|
|
# there is no valid author domain signature present) |
598
|
0
|
0
|
|
|
|
0
|
$adsp_char = 'NAD123' if $adsp_char eq '*'; # a shorthand for NAD123 |
599
|
|
|
|
|
|
|
|
600
|
0
|
0
|
|
|
|
0
|
if ( !(grep { index($adsp_char,$_) >= 0 } values %{$pms->{dkim_adsp}}) ) { |
|
0
|
0
|
|
|
|
0
|
|
|
0
|
|
|
|
|
0
|
|
601
|
|
|
|
|
|
|
# not the right ADSP type |
602
|
|
|
|
|
|
|
} elsif (!@domains_list) { |
603
|
0
|
|
|
|
|
0
|
$result = 1; # no additional constraints, any author domain will do |
604
|
|
|
|
|
|
|
} else { |
605
|
0
|
|
|
|
|
0
|
local $1; |
606
|
0
|
|
|
|
|
0
|
my %author_domains = %{$pms->{dkim_author_domains}}; |
|
0
|
|
|
|
|
0
|
|
607
|
0
|
|
|
|
|
0
|
foreach my $dom (@domains_list) { |
608
|
0
|
0
|
|
|
|
0
|
if ($dom =~ /^\*?\.(.*)\z/s) { # domain itself or its subdomain |
609
|
0
|
|
|
|
|
0
|
my $doms = lc $1; |
610
|
0
|
0
|
0
|
|
|
0
|
if ($author_domains{$doms} || |
611
|
0
|
|
|
|
|
0
|
(grep { /\.\Q$doms\E\z/s } keys %author_domains) ) { |
612
|
0
|
|
|
|
|
0
|
$result = 1; last; |
|
0
|
|
|
|
|
0
|
|
613
|
|
|
|
|
|
|
} |
614
|
|
|
|
|
|
|
} else { # match on domain (not a subdomain) |
615
|
0
|
0
|
|
|
|
0
|
if ($author_domains{lc $dom}) { |
616
|
0
|
|
|
|
|
0
|
$result = 1; last; |
|
0
|
|
|
|
|
0
|
|
617
|
|
|
|
|
|
|
} |
618
|
|
|
|
|
|
|
} |
619
|
|
|
|
|
|
|
} |
620
|
|
|
|
|
|
|
} |
621
|
|
|
|
|
|
|
} |
622
|
462
|
|
|
|
|
6888
|
return $result; |
623
|
|
|
|
|
|
|
} |
624
|
|
|
|
|
|
|
|
625
|
|
|
|
|
|
|
# useless, semantically always true according to ADSP (RFC 5617) |
626
|
|
|
|
|
|
|
sub check_dkim_signsome { |
627
|
0
|
|
|
0
|
0
|
0
|
my ($self, $pms) = @_; |
628
|
|
|
|
|
|
|
# the signsome is semantically always true, and thus redundant; |
629
|
|
|
|
|
|
|
# for compatibility just returns false to prevent |
630
|
|
|
|
|
|
|
# a legacy rule DKIM_POLICY_SIGNSOME from always firing |
631
|
0
|
|
|
|
|
0
|
return 0; |
632
|
|
|
|
|
|
|
} |
633
|
|
|
|
|
|
|
|
634
|
|
|
|
|
|
|
# synonym with check_dkim_adsp('A'), kept for compatibility |
635
|
|
|
|
|
|
|
sub check_dkim_signall { |
636
|
0
|
|
|
0
|
0
|
0
|
my ($self, $pms) = @_; |
637
|
0
|
|
|
|
|
0
|
check_dkim_adsp($self, $pms, 'A'); |
638
|
|
|
|
|
|
|
} |
639
|
|
|
|
|
|
|
|
640
|
|
|
|
|
|
|
# public key carries a testing flag |
641
|
|
|
|
|
|
|
sub check_dkim_testing { |
642
|
0
|
|
|
0
|
0
|
0
|
my ($self, $pms) = @_; |
643
|
0
|
|
|
|
|
0
|
my $result = 0; |
644
|
0
|
0
|
|
|
|
0
|
$self->_check_dkim_signature($pms) if !$pms->{dkim_checked_signature}; |
645
|
0
|
0
|
|
|
|
0
|
$result = 1 if $pms->{dkim_key_testing}; |
646
|
0
|
|
|
|
|
0
|
return $result; |
647
|
|
|
|
|
|
|
} |
648
|
|
|
|
|
|
|
|
649
|
|
|
|
|
|
|
sub check_for_dkim_whitelist_from { |
650
|
0
|
|
|
0
|
0
|
0
|
my ($self, $pms) = @_; |
651
|
0
|
0
|
|
|
|
0
|
$self->_check_dkim_whitelist($pms) if !$pms->{whitelist_checked}; |
652
|
|
|
|
|
|
|
return $pms->{dkim_match_in_whitelist_from_dkim} || |
653
|
0
|
|
0
|
|
|
0
|
$pms->{dkim_match_in_whitelist_auth}; |
654
|
|
|
|
|
|
|
} |
655
|
|
|
|
|
|
|
|
656
|
|
|
|
|
|
|
sub check_for_def_dkim_whitelist_from { |
657
|
0
|
|
|
0
|
0
|
0
|
my ($self, $pms) = @_; |
658
|
0
|
0
|
|
|
|
0
|
$self->_check_dkim_whitelist($pms) if !$pms->{whitelist_checked}; |
659
|
|
|
|
|
|
|
return $pms->{dkim_match_in_def_whitelist_from_dkim} || |
660
|
0
|
|
0
|
|
|
0
|
$pms->{dkim_match_in_def_whitelist_auth}; |
661
|
|
|
|
|
|
|
} |
662
|
|
|
|
|
|
|
|
663
|
|
|
|
|
|
|
# --------------------------------------------------------------------------- |
664
|
|
|
|
|
|
|
|
665
|
|
|
|
|
|
|
sub _dkim_load_modules { |
666
|
0
|
|
|
0
|
|
0
|
my ($self) = @_; |
667
|
|
|
|
|
|
|
|
668
|
0
|
0
|
|
|
|
0
|
if (!$self->{tried_loading}) { |
669
|
0
|
|
|
|
|
0
|
$self->{service_available} = 0; |
670
|
|
|
|
|
|
|
my $timemethod = $self->{main}->UNIVERSAL::can("time_method") && |
671
|
0
|
|
0
|
|
|
0
|
$self->{main}->time_method("dkim_load_modules"); |
672
|
0
|
|
|
|
|
0
|
my $eval_stat; |
673
|
|
|
|
|
|
|
eval { |
674
|
|
|
|
|
|
|
# Have to do this so that RPM doesn't find these as required perl modules. |
675
|
0
|
|
|
|
|
0
|
{ require Mail::DKIM::Verifier } |
|
0
|
|
|
|
|
0
|
|
676
|
0
|
0
|
|
|
|
0
|
} or do { |
677
|
0
|
0
|
|
|
|
0
|
$eval_stat = $@ ne '' ? $@ : "errno=$!"; chomp $eval_stat; |
|
0
|
|
|
|
|
0
|
|
678
|
|
|
|
|
|
|
}; |
679
|
0
|
|
|
|
|
0
|
$self->{tried_loading} = 1; |
680
|
|
|
|
|
|
|
|
681
|
0
|
0
|
|
|
|
0
|
if (defined $eval_stat) { |
682
|
0
|
|
|
|
|
0
|
dbg("dkim: cannot load Mail::DKIM module, DKIM checks disabled: %s", |
683
|
|
|
|
|
|
|
$eval_stat); |
684
|
|
|
|
|
|
|
} else { |
685
|
0
|
|
|
|
|
0
|
my $version = Mail::DKIM::Verifier->VERSION; |
686
|
0
|
0
|
|
|
|
0
|
if ($version >= 0.31) { |
687
|
0
|
|
|
|
|
0
|
dbg("dkim: using Mail::DKIM version $version"); |
688
|
|
|
|
|
|
|
} else { |
689
|
0
|
|
|
|
|
0
|
info("dkim: Mail::DKIM $version is older than the required ". |
690
|
|
|
|
|
|
|
"minimal version 0.31, suggested upgrade to 0.37 or later!"); |
691
|
|
|
|
|
|
|
} |
692
|
0
|
|
|
|
|
0
|
$self->{service_available} = 1; |
693
|
|
|
|
|
|
|
|
694
|
|
|
|
|
|
|
my $adsp_avail = |
695
|
0
|
|
|
|
|
0
|
eval { require Mail::DKIM::AuthorDomainPolicy }; # since 0.34 |
|
0
|
|
|
|
|
0
|
|
696
|
0
|
0
|
|
|
|
0
|
if (!$adsp_avail) { # fallback to pre-ADSP policy |
697
|
0
|
|
|
|
|
0
|
eval { require Mail::DKIM::DkimPolicy } # ignoring status |
|
0
|
|
|
|
|
0
|
|
698
|
|
|
|
|
|
|
} |
699
|
|
|
|
|
|
|
} |
700
|
|
|
|
|
|
|
} |
701
|
0
|
|
|
|
|
0
|
return $self->{service_available}; |
702
|
|
|
|
|
|
|
} |
703
|
|
|
|
|
|
|
|
704
|
|
|
|
|
|
|
# --------------------------------------------------------------------------- |
705
|
|
|
|
|
|
|
|
706
|
|
|
|
|
|
|
sub _check_dkim_signed_by { |
707
|
0
|
|
|
0
|
|
0
|
my ($self, $pms, $must_be_valid, $must_be_author_domain_signature, |
708
|
|
|
|
|
|
|
$acceptable_domains_ref) = @_; |
709
|
0
|
|
|
|
|
0
|
my $result = 0; |
710
|
0
|
|
|
|
|
0
|
my $verifier = $pms->{dkim_verifier}; |
711
|
0
|
|
|
|
|
0
|
my $minimum_key_bits = $pms->{conf}->{dkim_minimum_key_bits}; |
712
|
0
|
|
|
|
|
0
|
foreach my $sig (@{$pms->{dkim_signatures}}) { |
|
0
|
|
|
|
|
0
|
|
713
|
0
|
0
|
|
|
|
0
|
next if !defined $sig; |
714
|
0
|
0
|
|
|
|
0
|
if ($must_be_valid) { |
715
|
0
|
0
|
|
|
|
0
|
next if ($sig->UNIVERSAL::can("result") ? $sig : $verifier) |
|
|
0
|
|
|
|
|
|
716
|
|
|
|
|
|
|
->result ne 'pass'; |
717
|
0
|
0
|
0
|
|
|
0
|
next if $sig->UNIVERSAL::can("check_expiration") && |
718
|
|
|
|
|
|
|
!$sig->check_expiration; |
719
|
|
|
|
|
|
|
next if $minimum_key_bits && $sig->{_spamassassin_key_size} && |
720
|
0
|
0
|
0
|
|
|
0
|
$sig->{_spamassassin_key_size} < $minimum_key_bits; |
|
|
|
0
|
|
|
|
|
721
|
|
|
|
|
|
|
} |
722
|
0
|
|
|
|
|
0
|
my $sdid = $sig->domain; |
723
|
0
|
0
|
|
|
|
0
|
next if !defined $sdid; # a signature with a missing required tag 'd' ? |
724
|
0
|
|
|
|
|
0
|
$sdid = lc $sdid; |
725
|
0
|
0
|
|
|
|
0
|
if ($must_be_author_domain_signature) { |
726
|
0
|
0
|
|
|
|
0
|
next if !$pms->{dkim_author_domains}->{$sdid}; |
727
|
|
|
|
|
|
|
} |
728
|
0
|
0
|
|
|
|
0
|
if (!@$acceptable_domains_ref) { |
729
|
0
|
|
|
|
|
0
|
$result = 1; |
730
|
|
|
|
|
|
|
} else { |
731
|
0
|
|
|
|
|
0
|
foreach my $ad (@$acceptable_domains_ref) { |
732
|
0
|
0
|
|
|
|
0
|
if ($ad =~ /^\*?\.(.*)\z/s) { # domain itself or its subdomain |
733
|
0
|
|
|
|
|
0
|
my $d = lc $1; |
734
|
0
|
0
|
0
|
|
|
0
|
if ($sdid eq $d || $sdid =~ /\.\Q$d\E\z/s) { $result = 1; last } |
|
0
|
|
|
|
|
0
|
|
|
0
|
|
|
|
|
0
|
|
735
|
|
|
|
|
|
|
} else { # match on domain (not a subdomain) |
736
|
0
|
0
|
|
|
|
0
|
if ($sdid eq lc $ad) { $result = 1; last } |
|
0
|
|
|
|
|
0
|
|
|
0
|
|
|
|
|
0
|
|
737
|
|
|
|
|
|
|
} |
738
|
|
|
|
|
|
|
} |
739
|
|
|
|
|
|
|
} |
740
|
0
|
0
|
|
|
|
0
|
last if $result; |
741
|
|
|
|
|
|
|
} |
742
|
0
|
|
|
|
|
0
|
return $result; |
743
|
|
|
|
|
|
|
} |
744
|
|
|
|
|
|
|
|
745
|
|
|
|
|
|
|
sub _get_authors { |
746
|
77
|
|
|
77
|
|
187
|
my ($self, $pms) = @_; |
747
|
|
|
|
|
|
|
|
748
|
|
|
|
|
|
|
# Note that RFC 5322 permits multiple addresses in the From header field, |
749
|
|
|
|
|
|
|
# and according to RFC 5617 such message has multiple authors and hence |
750
|
|
|
|
|
|
|
# multiple "Author Domain Signing Practices". For the time being the |
751
|
|
|
|
|
|
|
# SpamAssassin's get() can only provide a single author! |
752
|
|
|
|
|
|
|
|
753
|
77
|
|
|
|
|
155
|
my %author_domains; local $1; |
|
77
|
|
|
|
|
253
|
|
754
|
77
|
|
|
|
|
351
|
my @authors = grep { defined $_ } ( $pms->get('from:addr',undef) ); |
|
77
|
|
|
|
|
343
|
|
755
|
77
|
|
|
|
|
288
|
for (@authors) { |
756
|
|
|
|
|
|
|
# be tolerant, ignore trailing WSP after a domain name |
757
|
38
|
50
|
|
|
|
509
|
$author_domains{lc $1} = 1 if /\@([^\@]+?)[ \t]*\z/s; |
758
|
|
|
|
|
|
|
} |
759
|
77
|
|
|
|
|
270
|
$pms->{dkim_author_addresses} = \@authors; # list of full addresses |
760
|
77
|
|
|
|
|
459
|
$pms->{dkim_author_domains} = \%author_domains; # hash of their domains |
761
|
|
|
|
|
|
|
} |
762
|
|
|
|
|
|
|
|
763
|
|
|
|
|
|
|
sub _check_dkim_signature { |
764
|
77
|
|
|
77
|
|
216
|
my ($self, $pms) = @_; |
765
|
|
|
|
|
|
|
|
766
|
77
|
|
|
|
|
200
|
my $conf = $pms->{conf}; |
767
|
77
|
|
|
|
|
173
|
my($verifier, @signatures, @valid_signatures); |
768
|
|
|
|
|
|
|
|
769
|
77
|
|
|
|
|
220
|
$pms->{dkim_checked_signature} = 1; # has this sub already been invoked? |
770
|
77
|
|
|
|
|
178
|
$pms->{dkim_signatures_ready} = 0; # have we obtained & verified signatures? |
771
|
77
|
|
|
|
|
207
|
$pms->{dkim_signatures_dependable} = 0; |
772
|
|
|
|
|
|
|
# dkim_signatures_dependable = |
773
|
|
|
|
|
|
|
# (signatures supplied by a caller) or |
774
|
|
|
|
|
|
|
# ( (signatures obtained by this plugin) and |
775
|
|
|
|
|
|
|
# (no signatures, or message was not truncated) ) |
776
|
77
|
|
|
|
|
273
|
$pms->{dkim_signatures} = \@signatures; |
777
|
77
|
|
|
|
|
198
|
$pms->{dkim_valid_signatures} = \@valid_signatures; |
778
|
77
|
|
|
|
|
208
|
$pms->{dkim_signed} = 0; |
779
|
77
|
|
|
|
|
192
|
$pms->{dkim_valid} = 0; |
780
|
77
|
|
|
|
|
182
|
$pms->{dkim_key_testing} = 0; |
781
|
|
|
|
|
|
|
# the following hashes are keyed by a signing domain (SDID): |
782
|
77
|
|
|
|
|
233
|
$pms->{dkim_author_sig_tempfailed} = {}; # DNS timeout verifying author sign. |
783
|
77
|
|
|
|
|
258
|
$pms->{dkim_has_valid_author_sig} = {}; # a valid author domain signature |
784
|
77
|
|
|
|
|
218
|
$pms->{dkim_has_any_author_sig} = {}; # valid or invalid author domain sign. |
785
|
|
|
|
|
|
|
|
786
|
77
|
50
|
|
|
|
451
|
$self->_get_authors($pms) if !$pms->{dkim_author_addresses}; |
787
|
|
|
|
|
|
|
|
788
|
77
|
|
|
|
|
208
|
my $suppl_attrib = $pms->{msg}->{suppl_attrib}; |
789
|
77
|
50
|
66
|
|
|
381
|
if (defined $suppl_attrib && exists $suppl_attrib->{dkim_signatures}) { |
790
|
|
|
|
|
|
|
# caller of SpamAssassin already supplied DKIM signature objects |
791
|
0
|
|
|
|
|
0
|
my $provided_signatures = $suppl_attrib->{dkim_signatures}; |
792
|
0
|
0
|
|
|
|
0
|
@signatures = @$provided_signatures if ref $provided_signatures; |
793
|
0
|
|
|
|
|
0
|
$pms->{dkim_signatures_ready} = 1; |
794
|
0
|
|
|
|
|
0
|
$pms->{dkim_signatures_dependable} = 1; |
795
|
0
|
|
|
|
|
0
|
dbg("dkim: signatures provided by the caller, %d signatures", |
796
|
|
|
|
|
|
|
scalar(@signatures)); |
797
|
|
|
|
|
|
|
} |
798
|
|
|
|
|
|
|
|
799
|
77
|
50
|
|
|
|
454
|
if ($pms->{dkim_signatures_ready}) { |
|
|
50
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
800
|
|
|
|
|
|
|
# signatures already available and verified |
801
|
|
|
|
|
|
|
} elsif (!$pms->is_dns_available()) { |
802
|
77
|
|
|
|
|
306
|
dbg("dkim: signature verification disabled, DNS resolving not available"); |
803
|
|
|
|
|
|
|
} elsif (!$self->_dkim_load_modules()) { |
804
|
|
|
|
|
|
|
# Mail::DKIM module not available |
805
|
|
|
|
|
|
|
} else { |
806
|
|
|
|
|
|
|
# signature objects not provided by the caller, must verify for ourselves |
807
|
|
|
|
|
|
|
my $timemethod = $self->{main}->UNIVERSAL::can("time_method") && |
808
|
0
|
|
0
|
|
|
0
|
$self->{main}->time_method("check_dkim_signature"); |
809
|
0
|
0
|
|
|
|
0
|
if (Mail::DKIM::Verifier->VERSION >= 0.40) { |
810
|
0
|
|
|
|
|
0
|
my $edns = $conf->{dns_options}->{edns}; |
811
|
0
|
0
|
0
|
|
|
0
|
if ($edns && $edns >= 1024) { |
812
|
|
|
|
|
|
|
# Let Mail::DKIM use our interface to Net::DNS::Resolver. |
813
|
|
|
|
|
|
|
# Only do so if EDNS0 provides a reasonably-sized UDP payload size, |
814
|
|
|
|
|
|
|
# as our interface does not provide a DNS fallback to TCP, unlike |
815
|
|
|
|
|
|
|
# the Net::DNS::Resolver::send which does provide it. |
816
|
0
|
|
|
|
|
0
|
my $res = $self->{main}->{resolver}; |
817
|
0
|
|
|
|
|
0
|
dbg("dkim: providing our own resolver: %s", ref $res); |
818
|
0
|
|
|
|
|
0
|
Mail::DKIM::DNS::resolver($res); |
819
|
|
|
|
|
|
|
} |
820
|
|
|
|
|
|
|
} |
821
|
0
|
|
|
|
|
0
|
$verifier = Mail::DKIM::Verifier->new; |
822
|
0
|
0
|
|
|
|
0
|
if (!$verifier) { |
823
|
0
|
|
|
|
|
0
|
dbg("dkim: cannot create Mail::DKIM::Verifier object"); |
824
|
0
|
|
|
|
|
0
|
return; |
825
|
|
|
|
|
|
|
} |
826
|
0
|
|
|
|
|
0
|
$pms->{dkim_verifier} = $verifier; |
827
|
|
|
|
|
|
|
# |
828
|
|
|
|
|
|
|
# feed content of a message into verifier, using \r\n endings, |
829
|
|
|
|
|
|
|
# required by Mail::DKIM API (see bug 5300) |
830
|
|
|
|
|
|
|
# note: bug 5179 comment 28: perl does silly things on non-Unix platforms |
831
|
|
|
|
|
|
|
# unless we use \015\012 instead of \r\n |
832
|
|
|
|
|
|
|
eval { |
833
|
0
|
|
|
|
|
0
|
my $str = $pms->{msg}->get_pristine; |
834
|
0
|
|
|
|
|
0
|
$str =~ s/\r?\n/\015\012/sg; # ensure \015\012 ending |
835
|
|
|
|
|
|
|
# feeding large chunks to Mail::DKIM is much faster than line-by-line |
836
|
0
|
|
|
|
|
0
|
$verifier->PRINT($str); |
837
|
0
|
|
|
|
|
0
|
1; |
838
|
0
|
0
|
|
|
|
0
|
} or do { # intercept die() exceptions and render safe |
839
|
0
|
0
|
|
|
|
0
|
my $eval_stat = $@ ne '' ? $@ : "errno=$!"; chomp $eval_stat; |
|
0
|
|
|
|
|
0
|
|
840
|
0
|
|
|
|
|
0
|
dbg("dkim: verification failed, intercepted error: $eval_stat"); |
841
|
0
|
|
|
|
|
0
|
return 0; # cannot verify message |
842
|
|
|
|
|
|
|
}; |
843
|
|
|
|
|
|
|
|
844
|
0
|
|
|
|
|
0
|
my $timeout = $conf->{dkim_timeout}; |
845
|
|
|
|
|
|
|
my $timer = Mail::SpamAssassin::Timeout->new( |
846
|
0
|
|
|
|
|
0
|
{ secs => $timeout, deadline => $pms->{master_deadline} }); |
847
|
|
|
|
|
|
|
|
848
|
|
|
|
|
|
|
my $err = $timer->run_and_catch(sub { |
849
|
0
|
|
|
0
|
|
0
|
dbg("dkim: performing public key lookup and signature verification"); |
850
|
0
|
|
|
|
|
0
|
$verifier->CLOSE(); # the action happens here |
851
|
|
|
|
|
|
|
|
852
|
|
|
|
|
|
|
# currently SpamAssassin's parsing is better than Mail::Address parsing, |
853
|
|
|
|
|
|
|
# don't bother fetching $verifier->message_originator->address |
854
|
|
|
|
|
|
|
# to replace what we already have in $pms->{dkim_author_addresses} |
855
|
|
|
|
|
|
|
|
856
|
|
|
|
|
|
|
# versions before 0.29 only provided a public interface to fetch one |
857
|
|
|
|
|
|
|
# signature, newer versions allow access to all signatures of a message |
858
|
0
|
0
|
|
|
|
0
|
@signatures = $verifier->UNIVERSAL::can("signatures") ? |
859
|
|
|
|
|
|
|
$verifier->signatures : $verifier->signature; |
860
|
0
|
|
|
|
|
0
|
}); |
861
|
0
|
0
|
|
|
|
0
|
if ($timer->timed_out()) { |
|
|
0
|
|
|
|
|
|
862
|
0
|
|
|
|
|
0
|
dbg("dkim: public key lookup or verification timed out after %s s", |
863
|
|
|
|
|
|
|
$timeout ); |
864
|
|
|
|
|
|
|
#*** |
865
|
|
|
|
|
|
|
# $pms->{dkim_author_sig_tempfailed}->{$_} = 1 for ... |
866
|
|
|
|
|
|
|
|
867
|
|
|
|
|
|
|
} elsif ($err) { |
868
|
0
|
|
|
|
|
0
|
chomp $err; |
869
|
0
|
|
|
|
|
0
|
dbg("dkim: public key lookup or verification failed: $err"); |
870
|
|
|
|
|
|
|
} |
871
|
0
|
|
|
|
|
0
|
$pms->{dkim_signatures_ready} = 1; |
872
|
0
|
0
|
0
|
|
|
0
|
if (!@signatures || !$pms->{tests_already_hit}->{'__TRUNCATED'}) { |
873
|
0
|
|
|
|
|
0
|
$pms->{dkim_signatures_dependable} = 1; |
874
|
|
|
|
|
|
|
} |
875
|
|
|
|
|
|
|
} |
876
|
|
|
|
|
|
|
|
877
|
77
|
50
|
|
|
|
404
|
if ($pms->{dkim_signatures_ready}) { |
878
|
0
|
|
|
|
|
|
my $sig_result_supported; |
879
|
0
|
|
|
|
|
|
my $minimum_key_bits = $conf->{dkim_minimum_key_bits}; |
880
|
0
|
|
|
|
|
|
foreach my $signature (@signatures) { |
881
|
|
|
|
|
|
|
# old versions of Mail::DKIM would give undef for an invalid signature |
882
|
0
|
0
|
|
|
|
|
next if !defined $signature; |
883
|
|
|
|
|
|
|
|
884
|
0
|
|
|
|
|
|
$sig_result_supported = $signature->UNIVERSAL::can("result_detail"); |
885
|
0
|
|
|
|
|
|
my($info, $valid, $expired); |
886
|
0
|
0
|
|
|
|
|
$valid = |
887
|
|
|
|
|
|
|
($sig_result_supported ? $signature : $verifier)->result eq 'pass'; |
888
|
0
|
0
|
|
|
|
|
$info = $valid ? 'VALID' : 'FAILED'; |
889
|
0
|
0
|
0
|
|
|
|
if ($valid && $signature->UNIVERSAL::can("check_expiration")) { |
890
|
0
|
|
|
|
|
|
$expired = !$signature->check_expiration; |
891
|
0
|
0
|
|
|
|
|
$info .= ' EXPIRED' if $expired; |
892
|
|
|
|
|
|
|
} |
893
|
0
|
|
|
|
|
|
my $key_size; |
894
|
0
|
0
|
0
|
|
|
|
if ($valid && !$expired && $minimum_key_bits) { |
|
|
|
0
|
|
|
|
|
895
|
0
|
|
|
|
|
|
$key_size = eval { my $pk = $signature->get_public_key; |
|
0
|
|
|
|
|
|
|
896
|
0
|
0
|
0
|
|
|
|
$pk && $pk->cork && $pk->cork->size * 8 }; |
897
|
0
|
0
|
|
|
|
|
if ($key_size) { |
898
|
0
|
|
|
|
|
|
$signature->{_spamassassin_key_size} = $key_size; # stash it for later |
899
|
0
|
0
|
|
|
|
|
$info .= " WEAK($key_size)" if $key_size < $minimum_key_bits; |
900
|
|
|
|
|
|
|
} |
901
|
|
|
|
|
|
|
} |
902
|
0
|
0
|
0
|
|
|
|
push(@valid_signatures, $signature) if $valid && !$expired; |
903
|
|
|
|
|
|
|
|
904
|
|
|
|
|
|
|
# check if we have a potential Author Domain Signature, valid or not |
905
|
0
|
|
|
|
|
|
my $d = $signature->domain; |
906
|
0
|
0
|
|
|
|
|
if (!defined $d) { |
907
|
|
|
|
|
|
|
# can be undefined on a broken signature with missing required tags |
908
|
|
|
|
|
|
|
} else { |
909
|
0
|
|
|
|
|
|
$d = lc $d; |
910
|
0
|
0
|
|
|
|
|
if ($pms->{dkim_author_domains}->{$d}) { # SDID matches author domain |
911
|
0
|
|
|
|
|
|
$pms->{dkim_has_any_author_sig}->{$d} = 1; |
912
|
0
|
0
|
0
|
|
|
|
if ($valid && !$expired && |
|
|
0
|
0
|
|
|
|
|
|
|
0
|
0
|
|
|
|
|
913
|
|
|
|
|
|
|
$key_size && $key_size >= $minimum_key_bits) { |
914
|
0
|
|
|
|
|
|
$pms->{dkim_has_valid_author_sig}->{$d} = 1; |
915
|
|
|
|
|
|
|
} elsif ( ($sig_result_supported ? $signature |
916
|
|
|
|
|
|
|
: $verifier)->result_detail |
917
|
|
|
|
|
|
|
=~ /\b(?:timed out|SERVFAIL)\b/i) { |
918
|
0
|
|
|
|
|
|
$pms->{dkim_author_sig_tempfailed}->{$d} = 1; |
919
|
|
|
|
|
|
|
} |
920
|
|
|
|
|
|
|
} |
921
|
|
|
|
|
|
|
} |
922
|
0
|
0
|
|
|
|
|
if (would_log("dbg","dkim")) { |
923
|
|
|
|
|
|
|
dbg("dkim: %s %s, i=%s, d=%s, s=%s, a=%s, c=%s, %s, %s, %s", |
924
|
|
|
|
|
|
|
$info, |
925
|
|
|
|
|
|
|
$signature->isa('Mail::DKIM::DkSignature') ? 'DK' : 'DKIM', |
926
|
|
|
|
|
|
|
map(!defined $_ ? '(undef)' : $_, |
927
|
|
|
|
|
|
|
$signature->identity, $d, $signature->selector, |
928
|
|
|
|
|
|
|
$signature->algorithm, scalar($signature->canonicalization), |
929
|
|
|
|
|
|
|
$key_size ? "key_bits=$key_size" : "unknown key size", |
930
|
|
|
|
|
|
|
($sig_result_supported ? $signature : $verifier)->result ), |
931
|
0
|
0
|
0
|
|
|
|
defined $d && $pms->{dkim_author_domains}->{$d} |
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
932
|
|
|
|
|
|
|
? 'matches author domain' |
933
|
|
|
|
|
|
|
: 'does not match author domain', |
934
|
|
|
|
|
|
|
); |
935
|
|
|
|
|
|
|
} |
936
|
|
|
|
|
|
|
} |
937
|
0
|
0
|
|
|
|
|
if (@valid_signatures) { |
|
|
0
|
|
|
|
|
|
938
|
0
|
|
|
|
|
|
$pms->{dkim_signed} = 1; |
939
|
0
|
|
|
|
|
|
$pms->{dkim_valid} = 1; |
940
|
|
|
|
|
|
|
# let the result stand out more clearly in the log, use uppercase |
941
|
0
|
|
|
|
|
|
my $sig = $valid_signatures[0]; |
942
|
0
|
0
|
|
|
|
|
my $sig_res = ($sig_result_supported ? $sig : $verifier)->result_detail; |
943
|
0
|
|
|
|
|
|
dbg("dkim: signature verification result: %s", uc($sig_res)); |
944
|
|
|
|
|
|
|
|
945
|
|
|
|
|
|
|
# supply values for both tags |
946
|
0
|
|
|
|
|
|
my(%seen1, %seen2, %seen3, @identity_list, @domain_list, @selector_list); |
947
|
0
|
|
0
|
|
|
|
@identity_list = grep(defined $_ && $_ ne '' && !$seen1{$_}++, |
948
|
|
|
|
|
|
|
map($_->identity, @valid_signatures)); |
949
|
0
|
|
0
|
|
|
|
@domain_list = grep(defined $_ && $_ ne '' && !$seen2{$_}++, |
950
|
|
|
|
|
|
|
map($_->domain, @valid_signatures)); |
951
|
0
|
|
0
|
|
|
|
@selector_list = grep(defined $_ && $_ ne '' && !$seen3{$_}++, |
952
|
|
|
|
|
|
|
map($_->selector, @valid_signatures)); |
953
|
0
|
0
|
|
|
|
|
$pms->set_tag('DKIMIDENTITY', |
954
|
|
|
|
|
|
|
@identity_list == 1 ? $identity_list[0] : \@identity_list); |
955
|
0
|
0
|
|
|
|
|
$pms->set_tag('DKIMDOMAIN', |
956
|
|
|
|
|
|
|
@domain_list == 1 ? $domain_list[0] : \@domain_list); |
957
|
0
|
0
|
|
|
|
|
$pms->set_tag('DKIMSELECTOR', |
958
|
|
|
|
|
|
|
@selector_list == 1 ? $selector_list[0] : \@selector_list); |
959
|
|
|
|
|
|
|
} elsif (@signatures) { |
960
|
0
|
|
|
|
|
|
$pms->{dkim_signed} = 1; |
961
|
0
|
|
|
|
|
|
my $sig = $signatures[0]; |
962
|
0
|
0
|
0
|
|
|
|
my $sig_res = |
963
|
|
|
|
|
|
|
($sig_result_supported && $sig ? $sig : $verifier)->result_detail; |
964
|
0
|
|
|
|
|
|
dbg("dkim: signature verification result: %s", uc($sig_res)); |
965
|
|
|
|
|
|
|
} else { |
966
|
0
|
|
|
|
|
|
dbg("dkim: signature verification result: none"); |
967
|
|
|
|
|
|
|
} |
968
|
|
|
|
|
|
|
} |
969
|
|
|
|
|
|
|
} |
970
|
|
|
|
|
|
|
|
971
|
|
|
|
|
|
|
sub _check_dkim_adsp { |
972
|
0
|
|
|
0
|
|
|
my ($self, $pms) = @_; |
973
|
|
|
|
|
|
|
|
974
|
0
|
|
|
|
|
|
$pms->{dkim_checked_adsp} = 1; |
975
|
|
|
|
|
|
|
|
976
|
|
|
|
|
|
|
# a message may have multiple authors (RFC 5322), |
977
|
|
|
|
|
|
|
# and hence multiple signing policies (RFC 5617) |
978
|
0
|
|
|
|
|
|
$pms->{dkim_adsp} = {}; # a hash: author_domain => adsp |
979
|
0
|
|
|
|
|
|
my $practices_as_string = ''; |
980
|
|
|
|
|
|
|
|
981
|
0
|
0
|
|
|
|
|
$self->_get_authors($pms) if !$pms->{dkim_author_addresses}; |
982
|
|
|
|
|
|
|
|
983
|
|
|
|
|
|
|
# collect only fully qualified domain names, allow '-', think of IDN |
984
|
0
|
|
|
|
|
|
my @author_domains = grep { /.\.[a-z-]{2,}\z/si } |
985
|
0
|
|
|
|
|
|
keys %{$pms->{dkim_author_domains}}; |
|
0
|
|
|
|
|
|
|
986
|
|
|
|
|
|
|
|
987
|
0
|
|
|
|
|
|
my %label = |
988
|
|
|
|
|
|
|
('D' => 'discardable', 'A' => 'all', 'U' => 'unknown', 'N' => 'nxdomain', |
989
|
|
|
|
|
|
|
'1' => 'custom_low', '2' => 'custom_med', '3' => 'custom_high'); |
990
|
|
|
|
|
|
|
|
991
|
|
|
|
|
|
|
# must check the message first to obtain signer, domain, and verif. status |
992
|
0
|
0
|
|
|
|
|
$self->_check_dkim_signature($pms) if !$pms->{dkim_checked_signature}; |
993
|
|
|
|
|
|
|
|
994
|
0
|
0
|
|
|
|
|
if (!$pms->{dkim_signatures_ready}) { |
|
|
0
|
|
|
|
|
|
995
|
0
|
|
|
|
|
|
dbg("dkim: adsp not retrieved, signatures not obtained"); |
996
|
|
|
|
|
|
|
|
997
|
|
|
|
|
|
|
} elsif (!@author_domains) { |
998
|
0
|
|
|
|
|
|
dbg("dkim: adsp not retrieved, no author f.q. domain name"); |
999
|
0
|
|
|
|
|
|
$practices_as_string = 'no author domains, ignored'; |
1000
|
|
|
|
|
|
|
|
1001
|
|
|
|
|
|
|
} else { |
1002
|
|
|
|
|
|
|
|
1003
|
0
|
|
|
|
|
|
foreach my $author_domain (@author_domains) { |
1004
|
0
|
|
|
|
|
|
my $adsp; |
1005
|
|
|
|
|
|
|
|
1006
|
0
|
0
|
0
|
|
|
|
if ($pms->{dkim_has_valid_author_sig}->{$author_domain}) { |
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
1007
|
|
|
|
|
|
|
# don't fetch adsp when valid |
1008
|
|
|
|
|
|
|
# RFC 5617: If a message has an Author Domain Signature, ADSP provides |
1009
|
|
|
|
|
|
|
# no benefit relative to that domain since the message is already known |
1010
|
|
|
|
|
|
|
# to be compliant with any possible ADSP for that domain. [...] |
1011
|
|
|
|
|
|
|
# implementations SHOULD avoid doing unnecessary DNS lookups |
1012
|
|
|
|
|
|
|
# |
1013
|
0
|
|
|
|
|
|
dbg("dkim: adsp not retrieved, author domain signature is valid"); |
1014
|
0
|
|
|
|
|
|
$practices_as_string = 'valid a. d. signature'; |
1015
|
|
|
|
|
|
|
|
1016
|
|
|
|
|
|
|
} elsif ($pms->{dkim_author_sig_tempfailed}->{$author_domain}) { |
1017
|
0
|
|
|
|
|
|
dbg("dkim: adsp ignored, tempfail varifying author domain signature"); |
1018
|
0
|
|
|
|
|
|
$practices_as_string = 'pub key tempfailed, ignored'; |
1019
|
|
|
|
|
|
|
|
1020
|
|
|
|
|
|
|
} elsif ($pms->{dkim_has_any_author_sig}->{$author_domain} && |
1021
|
|
|
|
|
|
|
!$pms->{dkim_signatures_dependable}) { |
1022
|
|
|
|
|
|
|
# the message did have an Author Domain Signature but it wasn't valid; |
1023
|
|
|
|
|
|
|
# we also believe the message was truncated just before being passed |
1024
|
|
|
|
|
|
|
# to SpamAssassin, which is a likely reason for verification failure, |
1025
|
|
|
|
|
|
|
# so we shouldn't take it too harsh with ADSP rules - just pretend |
1026
|
|
|
|
|
|
|
# the ADSP was 'unknown' |
1027
|
|
|
|
|
|
|
# |
1028
|
0
|
|
|
|
|
|
dbg("dkim: adsp ignored, message was truncated, ". |
1029
|
|
|
|
|
|
|
"invalid author domain signature"); |
1030
|
0
|
|
|
|
|
|
$practices_as_string = 'truncated, ignored'; |
1031
|
|
|
|
|
|
|
|
1032
|
|
|
|
|
|
|
} else { |
1033
|
|
|
|
|
|
|
# search the adsp_override list |
1034
|
|
|
|
|
|
|
|
1035
|
|
|
|
|
|
|
# for a domain a.b.c.d it searches the hash in the following order: |
1036
|
|
|
|
|
|
|
# a.b.c.d |
1037
|
|
|
|
|
|
|
# *.b.c.d |
1038
|
|
|
|
|
|
|
# *.c.d |
1039
|
|
|
|
|
|
|
# *.d |
1040
|
|
|
|
|
|
|
# * |
1041
|
0
|
|
|
|
|
|
my $matched_key; |
1042
|
0
|
|
|
|
|
|
my $p = $pms->{conf}->{adsp_override}; |
1043
|
0
|
0
|
|
|
|
|
if ($p) { |
1044
|
0
|
|
|
|
|
|
my @d = split(/\./, $author_domain); |
1045
|
0
|
|
|
|
|
|
@d = map { shift @d; join('.', '*', @d) } (0..$#d); |
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
1046
|
0
|
|
|
|
|
|
for my $key ($author_domain, @d) { |
1047
|
0
|
|
|
|
|
|
$adsp = $p->{$key}; |
1048
|
0
|
0
|
|
|
|
|
if (defined $adsp) { $matched_key = $key; last } |
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
1049
|
|
|
|
|
|
|
} |
1050
|
|
|
|
|
|
|
} |
1051
|
|
|
|
|
|
|
|
1052
|
0
|
0
|
|
|
|
|
if (defined $adsp) { |
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
1053
|
0
|
|
|
|
|
|
dbg("dkim: adsp override for domain %s", $author_domain); |
1054
|
0
|
|
|
|
|
|
$practices_as_string = 'override'; |
1055
|
0
|
0
|
|
|
|
|
$practices_as_string .= |
1056
|
|
|
|
|
|
|
" by $matched_key" if $matched_key ne $author_domain; |
1057
|
|
|
|
|
|
|
|
1058
|
|
|
|
|
|
|
} elsif (!$pms->is_dns_available()) { |
1059
|
0
|
|
|
|
|
|
dbg("dkim: adsp not retrieved, DNS resolving not available"); |
1060
|
|
|
|
|
|
|
|
1061
|
|
|
|
|
|
|
} elsif (!$self->_dkim_load_modules()) { |
1062
|
0
|
|
|
|
|
|
dbg("dkim: adsp not retrieved, module Mail::DKIM not available"); |
1063
|
|
|
|
|
|
|
|
1064
|
|
|
|
|
|
|
} else { # do the ADSP DNS lookup |
1065
|
|
|
|
|
|
|
my $timemethod = $self->{main}->UNIVERSAL::can("time_method") && |
1066
|
0
|
|
0
|
|
|
|
$self->{main}->time_method("check_dkim_adsp"); |
1067
|
|
|
|
|
|
|
|
1068
|
0
|
|
|
|
|
|
my $practices; # author domain signing practices object |
1069
|
0
|
|
|
|
|
|
my $timeout = $pms->{conf}->{dkim_timeout}; |
1070
|
|
|
|
|
|
|
my $timer = Mail::SpamAssassin::Timeout->new( |
1071
|
0
|
|
|
|
|
|
{ secs => $timeout, deadline => $pms->{master_deadline} }); |
1072
|
|
|
|
|
|
|
my $err = $timer->run_and_catch(sub { |
1073
|
|
|
|
|
|
|
eval { |
1074
|
0
|
0
|
|
|
|
|
if (Mail::DKIM::AuthorDomainPolicy->UNIVERSAL::can("fetch")) { |
1075
|
0
|
|
|
|
|
|
dbg("dkim: adsp: performing lookup on _adsp._domainkey.%s", |
1076
|
|
|
|
|
|
|
$author_domain); |
1077
|
|
|
|
|
|
|
# get our Net::DNS::Resolver object |
1078
|
0
|
|
|
|
|
|
my $res = $self->{main}->{resolver}->get_resolver; |
1079
|
0
|
|
|
|
|
|
$practices = Mail::DKIM::AuthorDomainPolicy->fetch( |
1080
|
|
|
|
|
|
|
Protocol => "dns", Domain => $author_domain, |
1081
|
|
|
|
|
|
|
DnsResolver => $res); |
1082
|
|
|
|
|
|
|
} |
1083
|
0
|
|
|
|
|
|
1; |
1084
|
0
|
0
|
|
0
|
|
|
} or do { |
1085
|
|
|
|
|
|
|
# fetching/parsing adsp record may throw error, ignore such s.p. |
1086
|
0
|
0
|
|
|
|
|
my $eval_stat = $@ ne '' ? $@ : "errno=$!"; chomp $eval_stat; |
|
0
|
|
|
|
|
|
|
1087
|
0
|
|
|
|
|
|
dbg("dkim: adsp: fetch or parse on domain %s failed: %s", |
1088
|
|
|
|
|
|
|
$author_domain, $eval_stat); |
1089
|
0
|
|
|
|
|
|
undef $practices; |
1090
|
|
|
|
|
|
|
}; |
1091
|
0
|
|
|
|
|
|
}); |
1092
|
0
|
0
|
|
|
|
|
if ($timer->timed_out()) { |
|
|
0
|
|
|
|
|
|
1093
|
0
|
|
|
|
|
|
dbg("dkim: adsp lookup on domain %s timed out after %s seconds", |
1094
|
|
|
|
|
|
|
$author_domain, $timeout); |
1095
|
|
|
|
|
|
|
} elsif ($err) { |
1096
|
0
|
|
|
|
|
|
chomp $err; |
1097
|
0
|
|
|
|
|
|
dbg("dkim: adsp lookup on domain %s failed: %s", |
1098
|
|
|
|
|
|
|
$author_domain, $err); |
1099
|
|
|
|
|
|
|
} else { |
1100
|
0
|
|
|
|
|
|
my $sp; # ADSP: unknown / all / discardable |
1101
|
0
|
0
|
|
|
|
|
($sp) = $practices->policy if $practices; |
1102
|
0
|
0
|
0
|
|
|
|
if (!defined $sp || $sp eq '') { # SERVFAIL or a timeout |
1103
|
0
|
|
|
|
|
|
dbg("dkim: signing practices on %s unavailable", $author_domain); |
1104
|
0
|
|
|
|
|
|
$adsp = 'U'; |
1105
|
0
|
|
|
|
|
|
$practices_as_string = 'dns: no result'; |
1106
|
|
|
|
|
|
|
} else { |
1107
|
0
|
0
|
|
|
|
|
$adsp = $sp eq "unknown" ? 'U' # most common |
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
|
|
0
|
|
|
|
|
|
1108
|
|
|
|
|
|
|
: $sp eq "all" ? 'A' |
1109
|
|
|
|
|
|
|
: $sp eq "discardable" ? 'D' # ADSP |
1110
|
|
|
|
|
|
|
: $sp eq "strict" ? 'D' # old style SSP |
1111
|
|
|
|
|
|
|
: uc($sp) eq "NXDOMAIN" ? 'N' |
1112
|
|
|
|
|
|
|
: 'U'; |
1113
|
0
|
|
|
|
|
|
$practices_as_string = 'dns: ' . $sp; |
1114
|
|
|
|
|
|
|
} |
1115
|
|
|
|
|
|
|
} |
1116
|
|
|
|
|
|
|
} |
1117
|
|
|
|
|
|
|
} |
1118
|
|
|
|
|
|
|
|
1119
|
|
|
|
|
|
|
# is signing practices available? |
1120
|
0
|
0
|
|
|
|
|
$pms->{dkim_adsp}->{$author_domain} = $adsp if defined $adsp; |
1121
|
|
|
|
|
|
|
|
1122
|
|
|
|
|
|
|
dbg("dkim: adsp result: %s (%s), author domain '%s'", |
1123
|
0
|
0
|
|
|
|
|
!defined($adsp) ? '-' : $adsp.'/'.$label{$adsp}, |
1124
|
|
|
|
|
|
|
$practices_as_string, $author_domain); |
1125
|
|
|
|
|
|
|
} |
1126
|
|
|
|
|
|
|
} |
1127
|
|
|
|
|
|
|
} |
1128
|
|
|
|
|
|
|
|
1129
|
|
|
|
|
|
|
sub _check_dkim_whitelist { |
1130
|
0
|
|
|
0
|
|
|
my ($self, $pms) = @_; |
1131
|
|
|
|
|
|
|
|
1132
|
0
|
|
|
|
|
|
$pms->{whitelist_checked} = 1; |
1133
|
|
|
|
|
|
|
|
1134
|
0
|
0
|
|
|
|
|
$self->_get_authors($pms) if !$pms->{dkim_author_addresses}; |
1135
|
|
|
|
|
|
|
|
1136
|
0
|
|
|
|
|
|
my $authors_str = join(", ", @{$pms->{dkim_author_addresses}}); |
|
0
|
|
|
|
|
|
|
1137
|
0
|
0
|
|
|
|
|
if ($authors_str eq '') { |
1138
|
0
|
|
|
|
|
|
dbg("dkim: check_dkim_whitelist: could not find author address"); |
1139
|
0
|
|
|
|
|
|
return; |
1140
|
|
|
|
|
|
|
} |
1141
|
|
|
|
|
|
|
|
1142
|
|
|
|
|
|
|
# collect whitelist entries matching the author from all lists |
1143
|
0
|
|
|
|
|
|
my @acceptable_sdid_tuples; |
1144
|
0
|
|
|
|
|
|
$self->_wlcheck_acceptable_signature($pms, \@acceptable_sdid_tuples, |
1145
|
|
|
|
|
|
|
'def_whitelist_from_dkim'); |
1146
|
0
|
|
|
|
|
|
$self->_wlcheck_author_signature($pms, \@acceptable_sdid_tuples, |
1147
|
|
|
|
|
|
|
'def_whitelist_auth'); |
1148
|
0
|
|
|
|
|
|
$self->_wlcheck_acceptable_signature($pms, \@acceptable_sdid_tuples, |
1149
|
|
|
|
|
|
|
'whitelist_from_dkim'); |
1150
|
0
|
|
|
|
|
|
$self->_wlcheck_author_signature($pms, \@acceptable_sdid_tuples, |
1151
|
|
|
|
|
|
|
'whitelist_auth'); |
1152
|
0
|
0
|
|
|
|
|
if (!@acceptable_sdid_tuples) { |
1153
|
0
|
|
|
|
|
|
dbg("dkim: no wl entries match author %s, no need to verify sigs", |
1154
|
|
|
|
|
|
|
$authors_str); |
1155
|
0
|
|
|
|
|
|
return; |
1156
|
|
|
|
|
|
|
} |
1157
|
|
|
|
|
|
|
|
1158
|
|
|
|
|
|
|
# if the message doesn't pass DKIM validation, it can't pass DKIM whitelist |
1159
|
|
|
|
|
|
|
|
1160
|
|
|
|
|
|
|
# trigger a DKIM check; |
1161
|
|
|
|
|
|
|
# continue if one or more signatures are valid or we want the debug info |
1162
|
0
|
0
|
0
|
|
|
|
return unless $self->check_dkim_valid($pms) || would_log("dbg","dkim"); |
1163
|
0
|
0
|
|
|
|
|
return unless $pms->{dkim_signatures_ready}; |
1164
|
|
|
|
|
|
|
|
1165
|
|
|
|
|
|
|
# now do all the matching in one go, against all signatures in a message |
1166
|
0
|
|
|
|
|
|
my($any_match_at_all, $any_match_by_wl_ref) = |
1167
|
|
|
|
|
|
|
_wlcheck_list($self, $pms, \@acceptable_sdid_tuples); |
1168
|
|
|
|
|
|
|
|
1169
|
0
|
|
|
|
|
|
my(@valid,@fail); |
1170
|
0
|
|
|
|
|
|
foreach my $wl (keys %$any_match_by_wl_ref) { |
1171
|
0
|
|
|
|
|
|
my $match = $any_match_by_wl_ref->{$wl}; |
1172
|
0
|
0
|
|
|
|
|
if (defined $match) { |
1173
|
0
|
0
|
|
|
|
|
$pms->{"dkim_match_in_$wl"} = 1 if $match; |
1174
|
0
|
0
|
|
|
|
|
push(@{$match ? \@valid : \@fail}, "$wl/$match"); |
|
0
|
|
|
|
|
|
|
1175
|
|
|
|
|
|
|
} |
1176
|
|
|
|
|
|
|
} |
1177
|
0
|
0
|
|
|
|
|
if (@valid) { |
|
|
0
|
|
|
|
|
|
1178
|
0
|
|
|
|
|
|
dbg("dkim: author %s, WHITELISTED by %s", |
1179
|
|
|
|
|
|
|
$authors_str, join(", ",@valid)); |
1180
|
|
|
|
|
|
|
} elsif (@fail) { |
1181
|
0
|
|
|
|
|
|
dbg("dkim: author %s, found in %s BUT IGNORED", |
1182
|
|
|
|
|
|
|
$authors_str, join(", ",@fail)); |
1183
|
|
|
|
|
|
|
} else { |
1184
|
0
|
|
|
|
|
|
dbg("dkim: author %s, not in any dkim whitelist", $authors_str); |
1185
|
|
|
|
|
|
|
} |
1186
|
|
|
|
|
|
|
} |
1187
|
|
|
|
|
|
|
|
1188
|
|
|
|
|
|
|
# check for verifier-acceptable signatures; an empty (or undefined) signing |
1189
|
|
|
|
|
|
|
# domain in a whitelist implies checking for an Author Domain Signature |
1190
|
|
|
|
|
|
|
# |
1191
|
|
|
|
|
|
|
sub _wlcheck_acceptable_signature { |
1192
|
0
|
|
|
0
|
|
|
my ($self, $pms, $acceptable_sdid_tuples_ref, $wl) = @_; |
1193
|
0
|
|
|
|
|
|
my $wl_ref = $pms->{conf}->{$wl}; |
1194
|
0
|
|
|
|
|
|
foreach my $author (@{$pms->{dkim_author_addresses}}) { |
|
0
|
|
|
|
|
|
|
1195
|
0
|
|
|
|
|
|
foreach my $white_addr (keys %$wl_ref) { |
1196
|
0
|
|
|
|
|
|
my $wl_addr_ref = $wl_ref->{$white_addr}; |
1197
|
0
|
|
|
|
|
|
my $re = qr/$wl_addr_ref->{re}/i; |
1198
|
|
|
|
|
|
|
# dbg("dkim: WL %s %s, d: %s", $wl, $white_addr, |
1199
|
|
|
|
|
|
|
# join(", ", map { $_ eq '' ? "''" : $_ } @{$wl_addr_ref->{domain}})); |
1200
|
0
|
0
|
|
|
|
|
if ($author =~ $re) { |
1201
|
0
|
|
|
|
|
|
foreach my $sdid (@{$wl_addr_ref->{domain}}) { |
|
0
|
|
|
|
|
|
|
1202
|
0
|
|
|
|
|
|
push(@$acceptable_sdid_tuples_ref, [$author,$sdid,$wl,$re]); |
1203
|
|
|
|
|
|
|
} |
1204
|
|
|
|
|
|
|
} |
1205
|
|
|
|
|
|
|
} |
1206
|
|
|
|
|
|
|
} |
1207
|
|
|
|
|
|
|
} |
1208
|
|
|
|
|
|
|
|
1209
|
|
|
|
|
|
|
# use a traditional whitelist_from -style addrlist, the only acceptable DKIM |
1210
|
|
|
|
|
|
|
# signature is an Author Domain Signature. Note: don't pre-parse and store |
1211
|
|
|
|
|
|
|
# domains; that's inefficient memory-wise and only saves one m// |
1212
|
|
|
|
|
|
|
# |
1213
|
|
|
|
|
|
|
sub _wlcheck_author_signature { |
1214
|
0
|
|
|
0
|
|
|
my ($self, $pms, $acceptable_sdid_tuples_ref, $wl) = @_; |
1215
|
0
|
|
|
|
|
|
my $wl_ref = $pms->{conf}->{$wl}; |
1216
|
0
|
|
|
|
|
|
foreach my $author (@{$pms->{dkim_author_addresses}}) { |
|
0
|
|
|
|
|
|
|
1217
|
0
|
|
|
|
|
|
foreach my $white_addr (keys %$wl_ref) { |
1218
|
0
|
|
|
|
|
|
my $re = $wl_ref->{$white_addr}; |
1219
|
|
|
|
|
|
|
# dbg("dkim: WL %s %s", $wl, $white_addr); |
1220
|
0
|
0
|
|
|
|
|
if ($author =~ $re) { |
1221
|
0
|
|
|
|
|
|
push(@$acceptable_sdid_tuples_ref, [$author,undef,$wl,$re]); |
1222
|
|
|
|
|
|
|
} |
1223
|
|
|
|
|
|
|
} |
1224
|
|
|
|
|
|
|
} |
1225
|
|
|
|
|
|
|
} |
1226
|
|
|
|
|
|
|
|
1227
|
|
|
|
|
|
|
sub _wlcheck_list { |
1228
|
0
|
|
|
0
|
|
|
my ($self, $pms, $acceptable_sdid_tuples_ref) = @_; |
1229
|
|
|
|
|
|
|
|
1230
|
0
|
|
|
|
|
|
my %any_match_by_wl; |
1231
|
0
|
|
|
|
|
|
my $any_match_at_all = 0; |
1232
|
0
|
|
|
|
|
|
my $verifier = $pms->{dkim_verifier}; |
1233
|
0
|
|
|
|
|
|
my $minimum_key_bits = $pms->{conf}->{dkim_minimum_key_bits}; |
1234
|
|
|
|
|
|
|
|
1235
|
|
|
|
|
|
|
# walk through all signatures present in a message |
1236
|
0
|
|
|
|
|
|
foreach my $signature (@{$pms->{dkim_signatures}}) { |
|
0
|
|
|
|
|
|
|
1237
|
|
|
|
|
|
|
# old versions of Mail::DKIM would give undef for an invalid signature |
1238
|
0
|
0
|
|
|
|
|
next if !defined $signature; |
1239
|
|
|
|
|
|
|
|
1240
|
0
|
|
|
|
|
|
my $sig_result_supported = $signature->UNIVERSAL::can("result_detail"); |
1241
|
0
|
|
|
|
|
|
my($info, $valid, $expired, $key_size_weak); |
1242
|
0
|
0
|
|
|
|
|
$valid = |
1243
|
|
|
|
|
|
|
($sig_result_supported ? $signature : $verifier)->result eq 'pass'; |
1244
|
0
|
0
|
|
|
|
|
$info = $valid ? 'VALID' : 'FAILED'; |
1245
|
0
|
0
|
0
|
|
|
|
if ($valid && $signature->UNIVERSAL::can("check_expiration")) { |
1246
|
0
|
|
|
|
|
|
$expired = !$signature->check_expiration; |
1247
|
0
|
0
|
|
|
|
|
$info .= ' EXPIRED' if $expired; |
1248
|
|
|
|
|
|
|
} |
1249
|
0
|
0
|
0
|
|
|
|
if ($valid && !$expired && $minimum_key_bits) { |
|
|
|
0
|
|
|
|
|
1250
|
0
|
|
|
|
|
|
my $key_size = $signature->{_spamassassin_key_size}; |
1251
|
0
|
0
|
0
|
|
|
|
if ($key_size && $key_size < $minimum_key_bits) { |
1252
|
0
|
|
|
|
|
|
$info .= " WEAK($key_size)"; $key_size_weak = 1; |
|
0
|
|
|
|
|
|
|
1253
|
|
|
|
|
|
|
} |
1254
|
|
|
|
|
|
|
} |
1255
|
|
|
|
|
|
|
|
1256
|
0
|
|
|
|
|
|
my $sdid = $signature->domain; |
1257
|
0
|
0
|
|
|
|
|
$sdid = lc $sdid if defined $sdid; |
1258
|
|
|
|
|
|
|
|
1259
|
0
|
|
|
|
|
|
my %tried_authors; |
1260
|
0
|
|
|
|
|
|
foreach my $entry (@$acceptable_sdid_tuples_ref) { |
1261
|
0
|
|
|
|
|
|
my($author, $acceptable_sdid, $wl, $re) = @$entry; |
1262
|
|
|
|
|
|
|
# $re and $wl are here for logging purposes only, $re already checked. |
1263
|
|
|
|
|
|
|
# The $acceptable_sdid is a verifier-acceptable signing domain |
1264
|
|
|
|
|
|
|
# identifier (to be matched against a 'd' tag in signatures). |
1265
|
|
|
|
|
|
|
# When $acceptable_sdid is undef or an empty string it implies |
1266
|
|
|
|
|
|
|
# a check for Author Domain Signature. |
1267
|
|
|
|
|
|
|
|
1268
|
0
|
|
|
|
|
|
local $1; |
1269
|
0
|
0
|
|
|
|
|
my $author_domain = $author !~ /\@([^\@]+)\z/s ? '' : lc $1; |
1270
|
0
|
|
|
|
|
|
$tried_authors{$author} = 1; # for logging purposes |
1271
|
|
|
|
|
|
|
|
1272
|
0
|
|
|
|
|
|
my $matches = 0; |
1273
|
0
|
0
|
0
|
|
|
|
if (!defined $sdid) { |
|
|
0
|
|
|
|
|
|
1274
|
|
|
|
|
|
|
# don't bother, invalid signature with a missing 'd' tag |
1275
|
|
|
|
|
|
|
|
1276
|
|
|
|
|
|
|
} elsif (!defined $acceptable_sdid || $acceptable_sdid eq '') { |
1277
|
|
|
|
|
|
|
# An "Author Domain Signature" (sometimes called a first-party |
1278
|
|
|
|
|
|
|
# signature) is a Valid Signature in which the domain name of the |
1279
|
|
|
|
|
|
|
# DKIM signing entity, i.e., the d= tag in the DKIM-Signature header |
1280
|
|
|
|
|
|
|
# field, is the same as the domain name in the Author Address. |
1281
|
|
|
|
|
|
|
# Following [RFC5321], domain name comparisons are case insensitive. |
1282
|
|
|
|
|
|
|
|
1283
|
|
|
|
|
|
|
# checking for Author Domain Signature |
1284
|
0
|
0
|
|
|
|
|
$matches = 1 if $sdid eq $author_domain; |
1285
|
|
|
|
|
|
|
|
1286
|
|
|
|
|
|
|
} else { # checking for verifier-acceptable signature |
1287
|
|
|
|
|
|
|
# The second argument to a 'whitelist_from_dkim' option is now (since |
1288
|
|
|
|
|
|
|
# version 3.3.0) supposed to be a signing domain (SDID), no longer an |
1289
|
|
|
|
|
|
|
# identity (AUID). Nevertheless, be prepared to accept the full e-mail |
1290
|
|
|
|
|
|
|
# address there for compatibility, and just ignore its local-part. |
1291
|
|
|
|
|
|
|
|
1292
|
0
|
0
|
|
|
|
|
$acceptable_sdid = $1 if $acceptable_sdid =~ /\@([^\@]*)\z/s; |
1293
|
0
|
0
|
|
|
|
|
if ($acceptable_sdid =~ s/^\*?\.//s) { |
1294
|
0
|
0
|
|
|
|
|
$matches = 1 if $sdid =~ /\.\Q$acceptable_sdid\E\z/si; |
1295
|
|
|
|
|
|
|
} else { |
1296
|
0
|
0
|
|
|
|
|
$matches = 1 if $sdid eq lc $acceptable_sdid; |
1297
|
|
|
|
|
|
|
} |
1298
|
|
|
|
|
|
|
} |
1299
|
0
|
0
|
|
|
|
|
if ($matches) { |
1300
|
0
|
0
|
|
|
|
|
if (would_log("dbg","dkim")) { |
1301
|
0
|
0
|
|
|
|
|
if ($sdid eq $author_domain) { |
1302
|
0
|
|
|
|
|
|
dbg("dkim: %s author domain signature by %s, MATCHES %s %s", |
1303
|
|
|
|
|
|
|
$info, $sdid, $wl, $re); |
1304
|
|
|
|
|
|
|
} else { |
1305
|
0
|
|
|
|
|
|
dbg("dkim: %s third-party signature by %s, author domain %s, ". |
1306
|
|
|
|
|
|
|
"MATCHES %s %s", $info, $sdid, $author_domain, $wl, $re); |
1307
|
|
|
|
|
|
|
} |
1308
|
|
|
|
|
|
|
} |
1309
|
|
|
|
|
|
|
# a defined value indicates at least a match, not necessarily valid |
1310
|
|
|
|
|
|
|
# (this complication servers to preserve logging compatibility) |
1311
|
0
|
0
|
|
|
|
|
$any_match_by_wl{$wl} = '' if !exists $any_match_by_wl{$wl}; |
1312
|
|
|
|
|
|
|
} |
1313
|
|
|
|
|
|
|
# only valid signature can cause whitelisting |
1314
|
0
|
0
|
0
|
|
|
|
$matches = 0 if !$valid || $expired || $key_size_weak; |
|
|
|
0
|
|
|
|
|
1315
|
|
|
|
|
|
|
|
1316
|
0
|
0
|
|
|
|
|
if ($matches) { |
1317
|
0
|
|
|
|
|
|
$any_match_at_all = 1; |
1318
|
0
|
|
|
|
|
|
$any_match_by_wl{$wl} = $sdid; # value used for debug logging |
1319
|
|
|
|
|
|
|
} |
1320
|
|
|
|
|
|
|
} |
1321
|
0
|
0
|
|
|
|
|
dbg("dkim: %s signature by %s, author %s, no valid matches", |
|
|
0
|
|
|
|
|
|
1322
|
|
|
|
|
|
|
$info, defined $sdid ? $sdid : '(undef)', |
1323
|
|
|
|
|
|
|
join(", ", keys %tried_authors)) if !$any_match_at_all; |
1324
|
|
|
|
|
|
|
} |
1325
|
0
|
|
|
|
|
|
return ($any_match_at_all, \%any_match_by_wl); |
1326
|
|
|
|
|
|
|
} |
1327
|
|
|
|
|
|
|
|
1328
|
|
|
|
|
|
|
1; |