No dmarc policy (#263)

* Update data_post_headers documentation
We cannot reject at this stage, which is only there to alter headers.
Fix #258

* DMARC plugin: reject in data_post
Follow-up of #258: we cannot reject a connection during data_post_headers, so add a new hook in data_post to do the real rejection.

* Support spf rejects when no DMARC policy is published
When using DMARC, you have to run sender_permitted_from first, and without rejecting anything. If a DMARC policy is published, then fine, the dmarc plugin will handle this. But if there's no DMARC policy at all, then we can decide solely on SPF to reject or not. This decision must be taken after dmarc runs, so add a hook into post_data (dmarc is evaluated in post_data_headers). A new no_dmarc_policy argument is available and you can decide the level at which you want to reject on SPF failures.

* Typo
Daniel B 2016-05-04 23:46:24 +02:00 committed by Matt Simerson
parent b1b59cbfa1
commit a8747407be


@ -37,6 +37,37 @@ Most sites should start at level 3. It temporarily defers connections (4xx) that
SPF levels above 4 are for crusaders who don't mind rejecting some valid mail when the sending server administrator hasn't dotted his i's and crossed his t's. May the deities bless their obsessive little hearts. SPF levels above 4 are for crusaders who don't mind rejecting some valid mail when the sending server administrator hasn't dotted his i's and crossed his t's. May the deities bless their obsessive little hearts.
=head2 no_dmarc_policy
When used with the dmarc plugin, you don't want sender_permitted_from to reject anything, because dmarc needs to check the sender's domain policy.
So you'll most likely have reject 1.
But then, if the sender's domain has no dmarc policy, you might want to reject solely based on SPF result. This is what this setting is for. A first hook runs at the mail stage and evaluate SPF. Then a second hook runs at the data_post stage (after dmarc), so you have a second chance to reject.
Like reject, you can set a value to indicate how agressive you want to be:
0 do not reject (default)
1 reject if SPF record says 'fail'
2 stricter reject. Also rejects 'softfail'
3 reject 'neutral'
4 reject if no SPF records, or a syntax error
Just like reject, the recommanded value is 1. 2 will be a bit more agressive. 3 and 4 will most likely reject some valid emails.
So, for example, you can use something like this:
sender_permetted_from reject 1 no_dmarc_policy 1
dkim reject 0
dmarc reject 1 reporting 1
Note this setting will only have effect if:
* dmarc plugin is used, and loaded after sender_permetted_from in your plugin's config
* the reject value is either 1 or 2 (meaning, no reject at the mail stage)
* dmarc ran with no error
* the sender's domain has no dmarc policy published (that means, no _dmarc DNS entry)
Note that if a domain has a dmarc "p=none" policy, then this setting has no effect. Only if there's no dmarc policy at all it'll be used.
=head1 SEE ALSO =head1 SEE ALSO
http://spf.pobox.com/ http://spf.pobox.com/
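Review bot: the example configuration in this hunk misspells the plugin name: `sender_permetted_from reject 1 no_dmarc_policy 1` and the bullet `dmarc plugin is used, and loaded after sender_permetted_from` should both read `sender_permitted_from`; a reader who copies the sample into their plugins config would be loading a plugin that does not exist. While here, fix `agressive` (twice), `recommanded`, and "A first hook runs at the mail stage and evaluate SPF" (evaluates). It would also help to say explicitly that the `no_dmarc_policy` levels are numbered differently from `reject`: here level 1 already rejects `fail`, whereas the same hunk states that `reject` 1 or 2 means no rejection at the mail stage, so "Like reject" and "Just like reject" invite the reader to assume the two scales line up.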
@ -82,8 +113,11 @@ sub register {
if (!$self->{_args}{reject} && $self->qp->config('spfbehavior')) { if (!$self->{_args}{reject} && $self->qp->config('spfbehavior')) {
$self->{_args}{reject} = $self->qp->config('spfbehavior'); $self->{_args}{reject} = $self->qp->config('spfbehavior');
} }
$self->{_args}{no_dmarc_policy} ||= 0;
$self->register_hook('mail', 'evaluate_spf'); $self->register_hook('mail', 'evaluate_spf');
$self->register_hook('data_post_headers', 'add_spf_header'); $self->register_hook('data_post_headers', 'add_spf_header');
$self->register_hook('data_post', 'no_dmarc_policy') if $self->{_args}{no_dmarc_policy} > 0;
} }
sub evaluate_spf { sub evaluate_spf {
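Review bot: `register` installs the `data_post` hook purely on `no_dmarc_policy > 0`, but the documentation in the previous hunk says the setting only has an effect when `reject` is 1 or 2. Nothing here checks that combination, so a site configured with `reject 3 no_dmarc_policy 1` gets the stricter mail-stage rejection with no indication that the second-chance hook is redundant for those messages. Consider logging a warning at register time when `no_dmarc_policy > 0` and `reject` is outside that range. Also, `||= 0` accepts any string, so validate that the value is an integer before the numeric `> 0` comparison to avoid "isn't numeric" warnings on a typo in the config.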
@ -202,6 +236,51 @@ sub evaluate_spf {
return DECLINED; return DECLINED;
} }
sub no_dmarc_policy {
my ($self, $transaction) = @_;
return DECLINED if $self->is_immune;
unless ($self->{_args}{no_dmarc_policy}){
return DECLINED;
}
if ($transaction->notes('spfquery') && $transaction->notes('dmarc_result')){
my $spf_result = $transaction->notes('spfquery')->code;
my $why = $transaction->notes('spfquery')->local_explanation;
my $dmarc_dispo = $transaction->notes('dmarc_result')->disposition;
return DECLINED unless $dmarc_dispo eq 'none';
my $comment = '';
if ($transaction->notes('dmarc_result')->reason &&
$transaction->notes('dmarc_result')->reason->[0] &&
$transaction->notes('dmarc_result')->reason->[0]->comment){
$comment = $transaction->notes('dmarc_result')->reason->[0]->comment;
}
return DECLINED unless $comment eq 'no policy';
# No SPF or syntaxe error: reject if no_dmarc_policy is at least 4
if ((!$spf_result || $spf_result =~ m/(?:permerror|error|none)/) && $self->{_args}{no_dmarc_policy} >= 4){
$self->log(LOGINFO, "fail, $spf_result, $why");
return DENY, "SPF - $spf_result: $why";
}
# All other reject levels require an SPF code
return DECLINED unless $spf_result;
# Neutral
if ($spf_result eq 'neutral' && $self->{_args}{no_dmarc_policy} >= 3){
$self->log(LOGINFO, "fail, $spf_result, $why");
return DENY, "SPF - $spf_result: $why";
}
# Softfail
if ($spf_result eq 'softfail' && $self->{_args}{no_dmarc_policy} >= 2){
$self->log(LOGINFO, "fail, $spf_result, $why");
return DENY, "SPF - $spf_result: $why";
}
# Fail
if ($spf_result eq 'fail' && $self->{_args}{no_dmarc_policy} >= 1){
$self->log(LOGINFO, "fail, $spf_result, $why");
return DENY, "SPF - $spf_result: $why";
}
}
$self->log(LOGINFO, 'pass');
return DECLINED;
}
sub handle_code_none { sub handle_code_none {
my ($self, $reject, $why) = @_; my ($self, $reject, $why) = @_;
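Review bot: the pattern on the level-4 branch, `m/(?:permerror|error|none)/`, is unanchored, so `temperror` (a transient DNS failure) matches through `error` and is answered with a permanent `DENY`, turning a DNS hiccup into a 5xx bounce instead of a retry. Match the intended codes explicitly (`m/^(?:permerror|none)$/`) and either skip `temperror` or return `DENYSOFT` for it. Two smaller points in the same sub: when `$spf_result` is undefined the first branch still logs and replies with `"SPF - $spf_result: $why"`, interpolating undef into the SMTP response, so substitute a placeholder such as `none` before building the message; and the `unless ($self->{_args}{no_dmarc_policy})` guard is dead code, because `register` only installs this hook when the value is greater than 0. Finally, `syntaxe` in the comment should be `syntax`, and the `$comment eq 'no policy'` test ties the whole decision to the exact comment string produced by the DMARC result object, which deserves a comment noting where that string comes from so the next person does not break it silently.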