From 5aafca314fc1eac76f56aedaa308bd0d1d7c6ee5 Mon Sep 17 00:00:00 2001 From: Matt Simerson Date: Wed, 24 Apr 2013 03:09:02 -0400 Subject: [PATCH] SPF: arrage flow so if a pass result is possible, we will get it and set the note for DMARC plugin --- plugins/dmarc | 26 +++++++++++++---- plugins/sender_permitted_from | 55 ++++++++++++++--------------------- 2 files changed, 43 insertions(+), 38 deletions(-) diff --git a/plugins/dmarc b/plugins/dmarc index 60db367..6f41234 100644 --- a/plugins/dmarc +++ b/plugins/dmarc @@ -296,9 +296,16 @@ sub get_organizational_domain { # $self->log( LOGINFO, "i: $i, $tld" ); #warn "i: $i - tld: $tld\n"; - if (grep /$tld/, $self->qp->config('public_suffix_list')) { + if (grep /^$tld/, $self->qp->config('public_suffix_list')) { $greatest = $i + 1; + next; } + + # check for wildcards (ex: *.uk should match co.uk) + $tld = join '.', '\*', reverse((@labels)[0 .. $i-1]); + if (grep /^$tld/, $self->qp->config('public_suffix_list')) { + $greatest = $i + 1; + }; } return $from_host if $greatest == scalar @labels; # same @@ -327,7 +334,16 @@ sub exists_in_dns { # Since this search gets repeated for the Organizational Name, if it # fails for the O.N., there's no delegation from the TLD. my $res = $self->init_resolver(8); - my $query = $res->query($domain, 'NS') or do { + return 1 if $self->host_has_rr('NS', $res, $domain); + return 1 if $self->host_has_rr('MX', $res, $domain); + return 1 if $self->host_has_rr('A', $res, $domain); + return 1 if $self->host_has_rr('AAAA', $res, $domain); +} + +sub host_has_rr { + my ($self, $type, $res, $domain) = @_; + + my $query = $res->query($domain, $type) or do { if ($res->errorstring eq 'NXDOMAIN') { $self->log(LOGDEBUG, "fail, non-existent domain: $domain"); return; @@ -337,14 +353,14 @@ sub exists_in_dns { }; my $matches = 0; for my $rr ($query->answer) { - next if $rr->type !~ /(?:NS|MX|A|AAAA)/; + next if $rr->type ne $type; $matches++; } if (0 == $matches) { - $self->log(LOGDEBUG, "fail, no records for $domain"); + $self->log(LOGDEBUG, "no $type records for $domain"); } return $matches; -} +}; sub fetch_dmarc_record { my ($self, $zone) = @_; diff --git a/plugins/sender_permitted_from b/plugins/sender_permitted_from index e9a1f9e..87d418d 100644 --- a/plugins/sender_permitted_from +++ b/plugins/sender_permitted_from @@ -96,28 +96,17 @@ sub mail_handler { return (DECLINED, "SPF - null sender"); } - if ($self->qp->connection->relay_client) { - $self->log(LOGINFO, "skip, relay_client"); - return (DECLINED, "SPF - relaying permitted"); - } - - if (!$self->{_args}{reject}) { - $self->log(LOGINFO, "skip, reject disabled"); - return (DECLINED); - } - - my $client_ip = $self->qp->connection->remote_ip; my $from = $sender->user . '@' . lc($sender->host); my $helo = $self->qp->connection->hello_host; my $scope = $from ? 'mfrom' : 'helo'; my %req_params = ( versions => [1, 2], # optional scope => $scope, - ip_address => $client_ip, + ip_address => $self->qp->connection->remote_ip, ); if ($scope =~ /^mfrom|pra$/) { - $req_params{identity} = $from; + $req_params{identity} = $from; $req_params{helo_identity} = $helo if $helo; } elsif ($scope eq 'helo') { @@ -144,28 +133,24 @@ sub mail_handler { return (DECLINED, "SPF - no response"); } - if (!$reject) { - $self->log(LOGINFO, "fail, no reject policy ($code: $why)"); - return (DECLINED, "SPF - $code: $why"); - } - - # SPF result codes: pass fail softfail neutral none error permerror temperror - return $self->handle_code_none($reject, $why) if $code eq 'none'; - if ($code eq 'fail') { - $self->adjust_karma(-1); - return $self->handle_code_fail($reject, $why); - } - elsif ($code eq 'softfail') { - $self->adjust_karma(-1); - return $self->handle_code_softfail($reject, $why); - } - elsif ($code eq 'pass') { + if ($code eq 'pass') { $self->adjust_karma(1); $transaction->notes('spf_pass_host', lc $sender->host); $self->log(LOGINFO, "pass, $code: $why"); return (DECLINED); } - elsif ($code eq 'neutral') { + + if (!$reject) { + $self->log(LOGINFO, "skip, tolerated ($code: $why)"); + return (DECLINED, "SPF - $code: $why"); + } + + # SPF result codes: pass fail softfail neutral none error permerror temperror + return $self->handle_code_none($reject, $why) if $code eq 'none'; + return $self->handle_code_fail($reject, $why) if $code eq 'fail'; + return $self->handle_code_softfail($reject, $why) if $code eq 'softfail'; + + if ($code eq 'neutral') { $self->log(LOGINFO, "fail, $code, $why"); return (DENY, "SPF - $code: $why") if $reject >= 5; } @@ -196,33 +181,37 @@ sub handle_code_none { return (DENY, "SPF - none: $why"); } - $self->log(LOGINFO, "pass, none, $why"); + $self->log(LOGINFO, "skip, tolerated, none, $why"); return DECLINED; } sub handle_code_fail { my ($self, $reject, $why) = @_; + $self->adjust_karma(-1); + if ($reject >= 2) { $self->log(LOGINFO, "fail, $why"); return (DENY, "SPF - forgery: $why") if $reject >= 3; return (DENYSOFT, "SPF - fail: $why"); } - $self->log(LOGINFO, "pass, fail tolerated, $why"); + $self->log(LOGINFO, "fail, tolerated, $why"); return DECLINED; } sub handle_code_softfail { my ($self, $reject, $why) = @_; + $self->adjust_karma(-1); + if ($reject >= 3) { $self->log(LOGINFO, "fail, soft, $why"); return (DENY, "SPF - fail: $why") if $reject >= 4; return (DENYSOFT, "SPF - fail: $why") if $reject >= 3; } - $self->log(LOGINFO, "pass, softfail tolerated, $why"); + $self->log(LOGINFO, "fail, soft, tolerated, $why"); return DECLINED; }