



Revision 1.1 - (show annotations) (download)
Fri May 6 09:10:35 2016 UTC (8 years, 6 months ago) by vip-ire
Branch: MAIN
CVS Tags: qpsmtpd-0_96-21_el7_sme, qpsmtpd-0_96-19_el7_sme, qpsmtpd-0_96-23_el7_sme, qpsmtpd-0_96-10_el7_sme, qpsmtpd-0_96-20_el7_sme, qpsmtpd-0_96-12_el7_sme, qpsmtpd-0_96-22_el7_sme, qpsmtpd-0_96-14_el7_sme, qpsmtpd-0_96-11_el7_sme, qpsmtpd-0_96-16_el7_sme, qpsmtpd-0_96-13_el7_sme, qpsmtpd-0_96-15_el7_sme, qpsmtpd-0_96-17_el7_sme, qpsmtpd-0_96-9_el7_sme, qpsmtpd-0_96-8_el7_sme, qpsmtpd-0_96-6_el7_sme, qpsmtpd-0_96-18_el7_sme, HEAD
* Fri May 6 2016 Daniel Berteaud <daniel@firewall-services.com> 0.96-8.sme
- Support dkim signing with symlinks [SME: 9496]
- Fix DMARC rejects not working [SME: 9202]
- Add DMARC results notes so further plugin can check it [SME: 9202]
- Add possibility to reject solely on SPF result if no DMARC policy is published
  [SME: 9479]

1 diff -Nur -x '*.orig' -x '*.rej' qpsmtpd-0.96/plugins/sender_permitted_from mezzanine_patched_qpsmtpd-0.96/plugins/sender_permitted_from
2 --- qpsmtpd-0.96/plugins/sender_permitted_from 2016-02-16 23:52:02.000000000 +0100
3 +++ mezzanine_patched_qpsmtpd-0.96/plugins/sender_permitted_from 2016-05-04 18:33:37.510387152 +0200
4 @@ -37,6 +37,37 @@
5
6 SPF levels above 4 are for crusaders who don't mind rejecting some valid mail when the sending server administrator hasn't dotted his i's and crossed his t's. May the deities bless their obsessive little hearts.
7
8 +=head2 no_dmarc_policy
9 +
10 +When used with the dmarc plugin, you don't want sender_permitted_from to reject anything, because dmarc needs to check the sender's domain policy.
11 +So you'll most likely have reject 1.
12 +But then, if the sender's domain has no dmarc policy, you might want to reject solely based on SPF result. This is what this setting is for. A first hook runs at the mail stage and evaluate SPF. Then a second hook runs at the data_post stage (after dmarc), so you have a second chance to reject.
13 +
14 +Like reject, you can set a value to indicate how agressive you want to be:
15 +
16 + 0 do not reject (default)
17 + 1 reject if SPF record says 'fail'
18 + 2 stricter reject. Also rejects 'softfail'
19 + 3 reject 'neutral'
20 + 4 reject if no SPF records, or a syntax error
21 +
22 +Just like reject, the recommanded value is 1. 2 will be a bit more agressive. 3 and 4 will most likely reject some valid emails.
23 +
24 +So, for example, you can use something like this:
25 +
26 +sender_permetted_from reject 1 no_dmarc_policy 1
27 +dkim reject 0
28 +dmarc reject 1 reporting 1
29 +
30 +Note this setting will only have effect if:
31 +
32 + * dmarc plugin is used, and loaded after sender_permetted_from in your plugin's config
33 + * the reject value is either 1 or 2 (meaning, no reject at the mail stage)
34 + * dmarc ran with no error
35 + * the sender's domain has no dmarc policy published (that means, no _dmarc DNS entry)
36 +
37 +Note that if a domain has a dmarc "p=none" policy, then this setting has no effect. Only if there's no dmarc policy at all it'll be used.
38 +
39 =head1 SEE ALSO
40
41 http://spf.pobox.com/
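Review bot: The sample configuration in the new `=head2 no_dmarc_policy` section spells the plugin name `sender_permetted_from`, both in the example block and in the bullet about load order, while the file being patched is `plugins/sender_permitted_from`; a configuration copied from this example would presumably not load this plugin at all. Change both occurrences to `sender_permitted_from reject 1 no_dmarc_policy 1` and `dmarc plugin is used, and loaded after sender_permitted_from in your plugin's config`. The same section has `recommanded`, `agressive` (twice) and `evaluate SPF`, which should read `recommended`, `aggressive` and `evaluates SPF`. It would also help to state here that a `temperror` SPF result is not covered by any of the listed levels, since the reader otherwise has to infer how transient DNS failures are treated from the code.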
42 @@ -82,8 +113,10 @@
43 if (!$self->{_args}{reject} && $self->qp->config('spfbehavior')) {
44 $self->{_args}{reject} = $self->qp->config('spfbehavior');
45 }
46 + $self->{_args}{no_dmarc_policy} ||= 0;
47 $self->register_hook('mail', 'evaluate_spf');
48 $self->register_hook('data_post_headers', 'add_spf_header');
49 + $self->register_hook('data_post', 'no_dmarc_policy') if $self->{_args}{no_dmarc_policy} > 0;
50 }
51
52 sub evaluate_spf {
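Review bot: The new `no_dmarc_policy` argument is taken straight from the plugin's configuration line and used in the numeric comparison `> 0` without being checked as a number, so a value such as `yes` would be treated as 0 (with a numeric-argument warning if warnings are enabled) and silently disable the second-chance rejection rather than being reported as a misconfiguration. The `reject` argument just above is handled the same way, so this follows the file's existing style; if you want to tighten it, replace the `||= 0` line with `$self->{_args}{no_dmarc_policy} = 0 unless defined $self->{_args}{no_dmarc_policy} && $self->{_args}{no_dmarc_policy} =~ /^\d+$/;` and log a warning in the else case. The enclosing `register` sub starts outside this hunk.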
53 @@ -202,6 +235,51 @@
54 return DECLINED;
55 }
56
57 +sub no_dmarc_policy {
58 + my ($self, $transaction) = @_;
59 + return DECLINED if $self->is_immune;
60 + unless ($self->{_args}{no_dmarc_policy}){
61 + return DECLINED;
62 + }
63 + if ($transaction->notes('spfquery') && $transaction->notes('dmarc_result')){
64 + my $spf_result = $transaction->notes('spfquery')->code;
65 + my $why = $transaction->notes('spfquery')->local_explanation;
66 + my $dmarc_dispo = $transaction->notes('dmarc_result')->disposition;
67 + return DECLINED unless $dmarc_dispo eq 'none';
68 + my $comment = '';
69 + if ($transaction->notes('dmarc_result')->reason &&
70 + $transaction->notes('dmarc_result')->reason->[0] &&
71 + $transaction->notes('dmarc_result')->reason->[0]->comment){
72 + $comment = $transaction->notes('dmarc_result')->reason->[0]->comment;
73 + }
74 + return DECLINED unless $comment eq 'no policy';
75 + # No SPF or syntaxe error: reject if no_dmarc_policy is at least 4
76 + if ((!$spf_result || $spf_result =~ m/(?:permerror|error|none)/) && $self->{_args}{no_dmarc_policy} >= 4){
77 + $self->log(LOGINFO, "fail, $spf_result, $why");
78 + return DENY, "SPF - $spf_result: $why";
79 + }
80 + # All other reject levels require an SPF code
81 + return DECLINED unless $spf_result;
82 + # Neutral
83 + if ($spf_result eq 'neutral' && $self->{_args}{no_dmarc_policy} >= 3){
84 + $self->log(LOGINFO, "fail, $spf_result, $why");
85 + return DENY, "SPF - $spf_result: $why";
86 + }
87 + # Softfail
88 + if ($spf_result eq 'softfail' && $self->{_args}{no_dmarc_policy} >= 2){
89 + $self->log(LOGINFO, "fail, $spf_result, $why");
90 + return DENY, "SPF - $spf_result: $why";
91 + }
92 + # Fail
93 + if ($spf_result eq 'fail' && $self->{_args}{no_dmarc_policy} >= 1){
94 + $self->log(LOGINFO, "fail, $spf_result, $why");
95 + return DENY, "SPF - $spf_result: $why";
96 + }
97 + }
98 + $self->log(LOGINFO, 'pass');
99 + return DECLINED;
100 +}
101 +
102 sub handle_code_none {
103 my ($self, $reject, $why) = @_;
104
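Review bot: The level-4 branch matches the SPF result with the unanchored `m/(?:permerror|error|none)/`, and `temperror` contains `error`, so a transient DNS failure while looking up the sender's SPF record is hard-rejected with DENY (a permanent 5xx) instead of being left for the sender to retry, whereas the POD above describes level 4 as "no SPF records, or a syntax error" only. Anchoring the alternation, `$spf_result =~ m/^(?:permerror|error|none)$/`, keeps `temperror` out of the permanent rejection; if a temporary error should be rejected at all it belongs in its own branch returning DENYSOFT. The same branch interpolates `$spf_result` into the log line and the DENY text even when it is undefined, which warns and yields `SPF - : ...`; initialising it with `my $spf_result = $transaction->notes('spfquery')->code || 'none';` keeps the existing control flow (the later `return DECLINED unless $spf_result` still passes) and gives a readable rejection text. The `$comment eq 'no policy'` test couples this plugin to the exact comment text the dmarc plugin stores in `dmarc_result`, which is not visible here; a one-line comment naming where that string is set would save the next maintainer a search.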
