2012-04-29 10:35:59 +02:00
|
|
|
#!perl -w
|
2012-05-04 20:02:12 +02:00
|
|
|
|
|
|
|
|
=head1 NAME
|
|
|
|
|
|
|
|
|
|
domainkeys: validate a DomainKeys signature on an incoming mail
|
|
|
|
|
|
|
|
|
|
=head1 SYNOPSIS
|
|
|
|
|
|
|
|
|
|
domainkeys [warn_only 1]
|
|
|
|
|
|
|
|
|
|
Performs a DomainKeys validation on the message. Takes a single
|
|
|
|
|
configuration
|
|
|
|
|
|
|
|
|
|
warn_only 1
|
|
|
|
|
|
|
|
|
|
which means that messages which are not correctly signed (i.e. signed but
|
|
|
|
|
modified or deliberately forged) will not be DENY'd, but an error will still
|
|
|
|
|
be issued to the logfile.
|
|
|
|
|
|
|
|
|
|
=head1 COPYRIGHT
|
|
|
|
|
|
|
|
|
|
Copyright (C) 2005-2006 John Peacock.
|
|
|
|
|
|
|
|
|
|
Portions Copyright (C) 2004 Anthony D. Urso. All rights reserved. This
|
|
|
|
|
program is free software; you can redistribute it and/or modify it under
|
|
|
|
|
the same terms as Perl itself.
|
|
|
|
|
|
|
|
|
|
=cut
|
|
|
|
|
|
2006-07-12 20:10:00 +02:00
|
|
|
sub init {
|
2006-07-24 21:10:38 +02:00
|
|
|
my ($self, $qp, %args) = @_;
|
2006-07-12 20:10:00 +02:00
|
|
|
|
|
|
|
|
foreach my $key ( %args ) {
|
2012-05-04 20:02:12 +02:00
|
|
|
$self->{$key} = $args{$key};
|
2006-07-12 20:10:00 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2006-07-09 02:58:39 +02:00
|
|
|
sub hook_data_post {
|
|
|
|
|
use Mail::DomainKeys::Message;
|
|
|
|
|
use Mail::DomainKeys::Policy;
|
|
|
|
|
|
2006-07-11 19:41:48 +02:00
|
|
|
my ($self, $transaction) = @_;
|
2006-07-09 02:58:39 +02:00
|
|
|
|
2006-07-11 19:41:48 +02:00
|
|
|
# if this isn't signed, just move along
|
|
|
|
|
return DECLINED
|
|
|
|
|
unless $transaction->header->get('DomainKey-Signature');
|
|
|
|
|
|
2006-07-09 02:58:39 +02:00
|
|
|
my @body;
|
|
|
|
|
|
2006-07-11 19:41:48 +02:00
|
|
|
$transaction->body_resetpos;
|
2006-07-09 02:58:39 +02:00
|
|
|
|
2006-07-11 19:41:48 +02:00
|
|
|
$transaction->body_getline; # \r\n seperator is NOT part of the body
|
2006-07-09 02:58:39 +02:00
|
|
|
|
2006-07-11 19:41:48 +02:00
|
|
|
while (my $line = $transaction->body_getline) {
|
2006-07-09 02:58:39 +02:00
|
|
|
push @body, $line;
|
|
|
|
|
}
|
|
|
|
|
|
2006-07-11 19:41:48 +02:00
|
|
|
my $message = load Mail::DomainKeys::Message(
|
|
|
|
|
HeadString => $transaction->header->as_string,
|
2006-07-09 02:58:39 +02:00
|
|
|
BodyReference => \@body) or
|
|
|
|
|
$self->log(LOGWARN, "unable to load message"),
|
|
|
|
|
return DECLINED;
|
|
|
|
|
|
|
|
|
|
# no sender domain means no verification
|
2006-07-11 19:41:48 +02:00
|
|
|
$message->senderdomain or
|
2006-07-09 02:58:39 +02:00
|
|
|
return DECLINED;
|
|
|
|
|
|
|
|
|
|
my $status;
|
|
|
|
|
|
|
|
|
|
# key testing
|
2006-07-11 19:41:48 +02:00
|
|
|
if ( $message->testing ) {
|
2006-07-09 02:58:39 +02:00
|
|
|
# Don't do anything else
|
|
|
|
|
$status = "testing";
|
|
|
|
|
}
|
2006-07-12 20:10:00 +02:00
|
|
|
elsif ( $message->signed and $message->verify ) {
|
|
|
|
|
# verified: add good header
|
|
|
|
|
$status = $message->signature->status;
|
2006-07-09 02:58:39 +02:00
|
|
|
}
|
2006-07-12 20:10:00 +02:00
|
|
|
else { # not signed or not verified
|
2006-07-11 19:41:48 +02:00
|
|
|
my $policy = fetch Mail::DomainKeys::Policy(
|
2006-07-09 02:58:39 +02:00
|
|
|
Protocol => "dns",
|
2006-07-11 19:41:48 +02:00
|
|
|
Domain => $message->senderdomain
|
2006-07-09 02:58:39 +02:00
|
|
|
);
|
2006-07-11 19:41:48 +02:00
|
|
|
if ( $policy ) {
|
|
|
|
|
if ( $policy->testing ) {
|
2006-07-09 02:58:39 +02:00
|
|
|
# Don't do anything else
|
|
|
|
|
$status = "testing";
|
|
|
|
|
}
|
2006-07-11 19:41:48 +02:00
|
|
|
elsif ( $policy->signall ) {
|
2006-07-09 02:58:39 +02:00
|
|
|
# if policy requires all mail to be signed
|
|
|
|
|
$status = undef;
|
|
|
|
|
}
|
2006-07-11 19:41:48 +02:00
|
|
|
else { # $policy->signsome
|
2006-07-09 02:58:39 +02:00
|
|
|
# not signed and domain doesn't sign all
|
|
|
|
|
$status = "no signature";
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
else {
|
2006-07-12 20:10:00 +02:00
|
|
|
$status = $message->signed ? "non-participant" : "no signature";
|
2006-07-09 02:58:39 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if ( defined $status ) {
|
2006-07-11 19:41:48 +02:00
|
|
|
$transaction->header->replace("DomainKey-Status", $status);
|
2006-07-12 20:10:00 +02:00
|
|
|
$self->log(LOGWARN, "DomainKeys-Status: $status");
|
2006-07-09 02:58:39 +02:00
|
|
|
return DECLINED;
|
|
|
|
|
}
|
|
|
|
|
else {
|
2006-07-12 20:10:00 +02:00
|
|
|
$self->log(LOGERROR, "DomainKeys signature failed to verify");
|
|
|
|
|
if ( $self->{warn_only} ) {
|
|
|
|
|
return DECLINED;
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
return (DENY, "DomainKeys signature failed to verify");
|
|
|
|
|
}
|
2006-07-09 02:58:39 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
