From a8747407be40649dabe7761dd2a68a91a529e99d Mon Sep 17 00:00:00 2001 From: Daniel B Date: Wed, 4 May 2016 23:46:24 +0200 Subject: [PATCH] No dmarc policy (#263) * Update data_post_headers documentation We cannot reject at this stage, which is only there to alter headers. Fix #258 * DMARC plugin: reject in data_post Followup of #258: we cannot reject a connection during data_post_headers. So add a new hook in data_post to do the real rejection * Support spf rejects when no DMARC policy is published When using DMARC, you have to run sender_permitted_from first, and without rejecting anything. If a DMARC policy is published, then fine, the dmarc plugin will handle this. But if there's no DMARC policy at all, then we can decide solely on SPF to reject on not. This decision must be taken after dmarc runs, so, add a hook into post_data (dmarc is evaluated in post_data_headers). A new no_dmarc_policy argument is available and you can decide the level at wich you want to reject on SPF failures * Typo
---
 plugins/sender_permitted_from | 79 +++++++++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)

diff --git a/plugins/sender_permitted_from b/plugins/sender_permitted_from
index e1eacc9..caa8978 100644
--- a/plugins/sender_permitted_from
+++ b/plugins/sender_permitted_from
@@ -37,6 +37,37 @@ Most sites should start at level 3. It temporarily defers connections (4xx) that SPF levels above 4 are for crusaders who don't mind rejecting some valid mail when the sending server administrator hasn't dotted his i's and crossed his t's. May the deities bless their obsessive little hearts.
+=head2 no_dmarc_policy
+
+When used with the dmarc plugin, you don't want sender_permitted_from to reject anything, because dmarc needs to check the sender's domain policy.
+So you'll most likely have reject 1.
+But then, if the sender's domain has no dmarc policy, you might want to reject solely based on SPF result. This is what this setting is for. A first hook runs at the mail stage and evaluate SPF. Then a second hook runs at the data_post stage (after dmarc), so you have a second chance to reject.
+
+Like reject, you can set a value to indicate how agressive you want to be:
+
+ 0 do not reject (default)
+ 1 reject if SPF record says 'fail'
+ 2 stricter reject. Also rejects 'softfail'
+ 3 reject 'neutral'
+ 4 reject if no SPF records, or a syntax error
+
+Just like reject, the recommanded value is 1. 2 will be a bit more agressive. 3 and 4 will most likely reject some valid emails.
+
+So, for example, you can use something like this:
+
+sender_permetted_from reject 1 no_dmarc_policy 1
+dkim reject 0
+dmarc reject 1 reporting 1
+
+Note this setting will only have effect if:
+
+ * dmarc plugin is used, and loaded after sender_permetted_from in your plugin's config
+ * the reject value is either 1 or 2 (meaning, no reject at the mail stage)
+ * dmarc ran with no error
+ * the sender's domain has no dmarc policy published (that means, no _dmarc DNS entry)
+
+Note that if a domain has a dmarc "p=none" policy, then this setting has no effect. Only if there's no dmarc policy at all it'll be used.
+
 =head1 SEE ALSO http://spf.pobox.com/
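Review bot: The configuration example and the first bullet of the "only have effect if" list spell the plugin name `sender_permetted_from`, while the file being patched is `plugins/sender_permitted_from`; an operator who copies the example into the plugin config will load a plugin that does not exist. Both occurrences should read `sender_permitted_from reject 1 no_dmarc_policy 1` and "loaded after sender_permitted_from". The same paragraph block also has "agressive" (aggressive), "recommanded" (recommended) and "evaluate SPF" (evaluates SPF), which are worth fixing while the POD is being touched.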
@@ -82,8 +113,11 @@ sub register {
 if (!$self->{_args}{reject} && $self->qp->config('spfbehavior')) {
 $self->{_args}{reject} = $self->qp->config('spfbehavior');
 }
+ $self->{_args}{no_dmarc_policy} ||= 0;
 $self->register_hook('mail', 'evaluate_spf');
 $self->register_hook('data_post_headers', 'add_spf_header');
+ $self->register_hook('data_post', 'no_dmarc_policy') if $self->{_args}{no_dmarc_policy} > 0;
+
 }
 sub evaluate_spf {
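Review bot: `no_dmarc_policy` is only defaulted with `||= 0` and then compared numerically with `> 0`, never validated, so a non-numeric config value (a constructed example: `no_dmarc_policy yes`) produces an "isn't numeric" warning, evaluates to 0 and silently leaves the hook unregistered, while a value above 4 behaves like 4 with no indication. Since the POD for this option documents levels 0 to 4, a check before the registration line such as `$self->log(LOGWARN, "invalid no_dmarc_policy value, ignoring") if $self->{_args}{no_dmarc_policy} !~ /\A[0-4]\z/;` would make a mis-set option visible in the logs. The POD also states the option only takes effect when `reject` is 1 or 2, but nothing here warns when both are set in a combination where the data_post hook can never fire. `sub register` begins before this hunk.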
@@ -202,6 +236,51 @@ sub evaluate_spf {
 return DECLINED;
 }
+sub no_dmarc_policy {
+ my ($self, $transaction) = @_;
+ return DECLINED if $self->is_immune;
+ unless ($self->{_args}{no_dmarc_policy}){
+ return DECLINED;
+ }
+ if ($transaction->notes('spfquery') && $transaction->notes('dmarc_result')){
+ my $spf_result = $transaction->notes('spfquery')->code;
+ my $why = $transaction->notes('spfquery')->local_explanation;
+ my $dmarc_dispo = $transaction->notes('dmarc_result')->disposition;
+ return DECLINED unless $dmarc_dispo eq 'none';
+ my $comment = '';
+ if ($transaction->notes('dmarc_result')->reason &&
+ $transaction->notes('dmarc_result')->reason->[0] &&
+ $transaction->notes('dmarc_result')->reason->[0]->comment){
+ $comment = $transaction->notes('dmarc_result')->reason->[0]->comment;
+ }
+ return DECLINED unless $comment eq 'no policy';
+ # No SPF or syntaxe error: reject if no_dmarc_policy is at least 4
+ if ((!$spf_result || $spf_result =~ m/(?:permerror|error|none)/) && $self->{_args}{no_dmarc_policy} >= 4){
+ $self->log(LOGINFO, "fail, $spf_result, $why");
+ return DENY, "SPF - $spf_result: $why";
+ }
+ # All other reject levels require an SPF code
+ return DECLINED unless $spf_result;
+ # Neutral
+ if ($spf_result eq 'neutral' && $self->{_args}{no_dmarc_policy} >= 3){
+ $self->log(LOGINFO, "fail, $spf_result, $why");
+ return DENY, "SPF - $spf_result: $why";
+ }
+ # Softfail
+ if ($spf_result eq 'softfail' && $self->{_args}{no_dmarc_policy} >= 2){
+ $self->log(LOGINFO, "fail, $spf_result, $why");
+ return DENY, "SPF - $spf_result: $why";
+ }
+ # Fail
+ if ($spf_result eq 'fail' && $self->{_args}{no_dmarc_policy} >= 1){
+ $self->log(LOGINFO, "fail, $spf_result, $why");
+ return DENY, "SPF - $spf_result: $why";
+ }
+ }
+ $self->log(LOGINFO, 'pass');
+ return DECLINED;
+}
+
 sub handle_code_none {
 my ($self, $reject, $why) = @_;
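Review bot: The level-4 test `$spf_result =~ m/(?:permerror|error|none)/` is unanchored, so a `temperror` result also matches through its `error` substring and a transient DNS failure during the SPF lookup is answered with a permanent `DENY` (5xx) instead of a retryable 4xx; anchoring it, `$spf_result =~ m/\A(?:permerror|none)\z/`, and returning `DENYSOFT` for `temperror` (or simply leaving it at DECLINED) keeps the behavior aligned with the "syntax error or no record" wording in the POD. In that same branch `$spf_result` may be undef (that is exactly what the `!$spf_result` clause admits), so both the log line and the client-facing `"SPF - $spf_result: $why"` interpolate an undefined value and emit a warning; defaulting it first, `$spf_result //= 'none';`, avoids that. The `$comment eq 'no policy'` gate is a string contract with the dmarc plugin's `reason->[0]->comment` that is not visible here; a comment such as `# presumably the dmarc plugin sets reason comment 'no policy' when no _dmarc record exists; keep in sync with that plugin` would record the dependency for the next maintainer.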