File Coverage

blib/lib/Mail/MtPolicyd/Plugin/Greylist.pm

Criterion	Covered	Total	%
statement	15	140	10.7
branch	0	36	0.0
condition	0	15	0.0
subroutine	5	25	20.0
pod	2	15	13.3
total	22	231	9.5

line	stmt	bran	cond	sub	pod	time	code
1							package Mail::MtPolicyd::Plugin::Greylist;
2
3	2			2		1697	use Moose;
	2					2
	2					12
4	2			2		8668	use namespace::autoclean;
	2					3
	2					18
5
6							our $VERSION = '2.01'; # VERSION
7							# ABSTRACT: This plugin implements a greylisting mechanism with an auto whitelist.
8
9							extends 'Mail::MtPolicyd::Plugin';
10							with 'Mail::MtPolicyd::Plugin::Role::Scoring';
11							with 'Mail::MtPolicyd::Plugin::Role::UserConfig' => {
12							'uc_attributes' => [ 'enabled' ],
13							};
14
15	2			2		209	use Mail::MtPolicyd::Plugin::Result;
	2					3
	2					34
16	2			2		542	use Time::Piece;
	2					8198
	2					14
17	2			2		120	use Time::Seconds;
	2					4
	2					2607
18
19
20							has 'enabled' => ( is => 'rw', isa => 'Str', default => 'on' );
21
22							has 'score' => ( is => 'rw', isa => 'Maybe[Num]' );
23							has 'mode' => ( is => 'rw', isa => 'Str', default => 'passive');
24
25							has 'defer_message' => ( is => 'rw', isa => 'Str', default => 'defer greylisting is active');
26							has 'append_waittime' => ( is => 'rw', isa => 'Bool', default => 1 );
27
28							has 'min_retry_wait' => ( is => 'rw', isa => 'Int', default => 60*5 );
29							has 'max_retry_wait' => ( is => 'rw', isa => 'Int', default => 60602 );
30
31							has 'use_autowl' => ( is => 'rw', isa => 'Bool', default => 1 );
32							has 'autowl_threshold' => ( is => 'rw', isa => 'Int', default => 3 );
33							has 'autowl_expire_days' => ( is => 'rw', isa => 'Int', default => 60 );
34
35							has 'autowl_table' => ( is => 'rw', isa => 'Str', default => 'autowl' );
36
37							has 'query_autowl' => ( is => 'rw', isa => 'Bool', default => 1 );
38							has 'create_ticket' => ( is => 'rw', isa => 'Bool', default => 1 );
39
40							with 'Mail::MtPolicyd::Role::Connection' => {
41							name => 'db',
42							type => 'Sql',
43							};
44							with 'Mail::MtPolicyd::Role::Connection' => {
45							name => 'memcached',
46							type => 'Memcached',
47							};
48
49							with 'Mail::MtPolicyd::Plugin::Role::SqlUtils';
50
51							sub run {
52	0			0	1		my ( $self, $r ) = @_;
53	0						my $ip = $r->attr('client_address');
54	0						my $sender = $r->attr('sender');
55	0						my $recipient = $r->attr('recipient');
56	0						my @triplet = ($sender, $ip, $recipient);
57	0						my $session = $r->session;
58
59	0						my $enabled = $self->get_uc( $session, 'enabled' );
60	0	0					if( $enabled eq 'off' ) {
61	0						return;
62							}
63
64	0	0	0				if( $self->use_autowl && $self->query_autowl ) {
65							my ( $is_autowl ) = $r->do_cached('greylist-is_autowl', sub {
66	0			0			$self->is_autowl( $r, @triplet );
67	0						} );
68	0	0					if( $is_autowl ) {
69	0						$self->log($r, 'client on greylist autowl');
70	0						return $self->success( $r );
71							}
72							}
73
74	0			0			my ( $ticket ) = $r->do_cached('greylist-ticket', sub { $self->get_ticket($r, @triplet) } );
	0
75	0	0					if( defined $ticket ) {
76	0	0					if( $self->is_valid_ticket( $ticket ) ) {
77	0						$self->log($r, join(',', @triplet).' has a valid greylisting ticket');
78	0	0	0				if( $self->use_autowl && ! $r->is_already_done('greylist-autowl-add') ) {
79	0						$self->add_autowl( $r, @triplet );
80							}
81	0						$self->remove_ticket( $r, @triplet );
82	0						return $self->success( $r );
83							}
84	0						$self->log($r, join(',', @triplet).' has a invalid greylisting ticket. wait again');
85	0						return( $self->defer( $ticket ) );
86							}
87
88	0	0					if( $self->create_ticket ) {
89	0						$self->log($r, 'creating new greylisting ticket');
90	0						$self->do_create_ticket($r, @triplet);
91	0						return( $self->defer );
92							}
93	0						return;
94							}
95
96							sub defer {
97	0			0	1		my ( $self, $ticket ) = @_;
98	0						my $message = $self->defer_message;
99	0	0	0				if( defined $ticket && $self->append_waittime ) {
100	0						$message .= ' ('.( $ticket - time ).'s left)'
101							}
102	0						return( Mail::MtPolicyd::Plugin::Result->new(
103							action => $message,
104							abort => 1,
105							) );
106							}
107
108							sub success {
109	0			0	0		my ( $self, $r ) = @_;
110	0	0	0				if( defined $self->score && ! $r->is_already_done('greylist-score') ) {
111	0						$self->add_score($r, $self->name => $self->score);
112							}
113	0	0	0				if( $self->mode eq 'accept' \|\| $self->mode eq 'dunno' ) {
114	0						return( Mail::MtPolicyd::Plugin::Result->new(
115							action => $self->mode,
116							abort => 1,
117							) );
118							}
119	0						return;
120							}
121
122							sub _extract_sender_domain {
123	0			0			my ( $self, $sender ) = @_;
124	0						my $sender_domain;
125
126	0	0					if( $sender =~ /@/ ) {
127	0						( $sender_domain ) = $sender =~ /@([^@]+)$/;
128							} else { # fallback to just the sender?
129	0						$sender_domain = $sender;
130							}
131
132	0						return($sender_domain);
133							}
134
135							sub is_autowl {
136	0			0	0		my ( $self, $r, $sender, $client_ip ) = @_;
137	0						my $sender_domain = $self->_extract_sender_domain( $sender );
138
139							my ( $row ) = $r->do_cached('greylist-autowl-row', sub {
140	0			0			$self->get_autowl_row( $sender_domain, $client_ip );
141	0						} );
142
143	0	0					if( ! defined $row ) {
144	0						$self->log($r, 'client is not on autowl');
145	0						return(0);
146							}
147
148	0						my $last_seen = $row->{'last_seen'};
149	0						my $expires = $last_seen + ( ONE_DAY * $self->autowl_expire_days );
150	0						my $now = Time::Piece->new->epoch;
151	0	0					if( $now > $expires ) {
152	0						$self->log($r, 'removing expired autowl row');
153	0						$self->remove_autowl_row( $sender_domain, $client_ip );
154	0						return(0);
155							}
156
157	0	0					if( $row->{'count'} < $self->autowl_threshold ) {
158	0						$self->log($r, 'client has not yet reached autowl_threshold');
159	0						return(0);
160							}
161
162	0						$self->log($r, 'client has valid autowl row. updating row');
163	0						$self->incr_autowl_row( $sender_domain, $client_ip );
164	0						return(1);
165							}
166
167							sub add_autowl {
168	0			0	0		my ( $self, $r, $sender, $client_ip ) = @_;
169	0						my $sender_domain = $self->_extract_sender_domain( $sender );
170
171							my ( $row ) = $r->do_cached('greylist-autowl-row', sub {
172	0			0			$self->get_autowl_row( $sender_domain, $client_ip );
173	0						} );
174
175	0	0					if( defined $row ) {
176	0						$self->log($r, 'client already on autowl, just incrementing count');
177	0						$self->incr_autowl_row( $sender_domain, $client_ip );
178	0						return;
179							}
180
181	0						$self->log($r, 'creating initial autowl entry');
182	0						$self->create_autowl_row( $sender_domain, $client_ip );
183	0						return;
184							}
185
186							sub get_autowl_row {
187	0			0	0		my ( $self, $sender_domain, $client_ip ) = @_;
188	0						my $sql = sprintf("SELECT * FROM %s WHERE sender_domain=? AND client_ip=?",
189							$self->autowl_table );
190	0						return $self->execute_sql($sql, $sender_domain, $client_ip)->fetchrow_hashref;
191							}
192
193							sub create_autowl_row {
194	0			0	0		my ( $self, $sender_domain, $client_ip ) = @_;
195	0						my $timestamp =
196							my $sql = sprintf("INSERT INTO %s VALUES(NULL, ?, ?, 1, %d)",
197							$self->autowl_table, Time::Piece->new->epoch );
198	0						$self->execute_sql($sql, $sender_domain, $client_ip);
199	0						return;
200							}
201
202							sub incr_autowl_row {
203	0			0	0		my ( $self, $sender_domain, $client_ip ) = @_;
204	0						my $sql = sprintf(
205							"UPDATE %s SET count=count+1, last_seen=%d WHERE sender_domain=? AND client_ip=?",
206							$self->autowl_table,
207							Time::Piece->new->epoch );
208	0						$self->execute_sql($sql, $sender_domain, $client_ip);
209	0						return;
210							}
211
212							sub remove_autowl_row {
213	0			0	0		my ( $self, $sender_domain, $client_ip ) = @_;
214	0						my $sql = sprintf("DELETE FROM %s WHERE sender_domain=? AND client_ip=?",
215							$self->autowl_table );
216	0						$self->execute_sql($sql, $sender_domain, $client_ip);
217	0						return;
218							}
219
220							sub expire_autowl_rows {
221	0			0	0		my ( $self ) = @_;
222	0						my $timeout = ONE_DAY * $self->autowl_expire_days;
223	0						my $now = Time::Piece->new->epoch;
224	0						my $sql = sprintf("DELETE FROM %s WHERE ? > last_seen + ?",
225							$self->autowl_table );
226	0						$self->execute_sql($sql, $now, $timeout);
227	0						return;
228							}
229
230							sub get_ticket {
231	0			0	0		my ( $self, $r, $sender, $ip, $rcpt ) = @_;
232	0						my $key = join(",", $sender, $ip, $rcpt );
233	0	0					if( my $ticket = $self->_memcached_handle->get( $key ) ) {
234	0						return( $ticket );
235							}
236	0						return;
237							}
238
239							sub is_valid_ticket {
240	0			0	0		my ( $self, $ticket ) = @_;
241	0	0					if( time > $ticket ) {
242	0						return 1;
243							}
244	0						return 0;
245							}
246
247							sub remove_ticket {
248	0			0	0		my ( $self, $r, $sender, $ip, $rcpt ) = @_;
249	0						my $key = join(",", $sender, $ip, $rcpt );
250	0						$self->_memcached_handle->delete( $key );
251	0						return;
252							}
253
254							sub do_create_ticket {
255	0			0	0		my ( $self, $r, $sender, $ip, $rcpt ) = @_;
256	0						my $ticket = time + $self->min_retry_wait;
257	0						my $key = join(",", $sender, $ip, $rcpt );
258	0						$self->_memcached_handle->set( $key, $ticket, $self->max_retry_wait );
259	0						return;
260							}
261
262							sub init {
263							my $self = shift;
264							if( $self->use_autowl ) {
265							$self->check_sql_tables( %{$self->_table_definitions} );
266							}
267							}
268
269							has '_table_definitions' => ( is => 'ro', isa => 'HashRef', lazy => 1,
270							default => sub { {
271							'autowl' => {
272							'mysql' => 'CREATE TABLE %TABLE_NAME% (
273							`id` int(11) NOT NULL AUTO_INCREMENT,
274							`sender_domain` VARCHAR(255) NOT NULL,
275							`client_ip` VARCHAR(39) NOT NULL,
276							`count` INT UNSIGNED NOT NULL,
277							`last_seen` INT UNSIGNED NOT NULL,
278							PRIMARY KEY (`id`),
279							UNIQUE KEY `domain_ip` (`client_ip`, `sender_domain`),
280							KEY(`client_ip`),
281							KEY(`sender_domain`)
282							) ENGINE=MyISAM DEFAULT CHARSET=latin1',
283							'SQLite' => 'CREATE TABLE %TABLE_NAME% (
284							`id` INTEGER PRIMARY KEY AUTOINCREMENT,
285							`sender_domain` VARCHAR(255) NOT NULL,
286							`client_ip` VARCHAR(39) NOT NULL,
287							`count` INT UNSIGNED NOT NULL,
288							`last_seen` INTEGER NOT NULL
289							)',
290							},
291							} },
292							);
293
294							sub cron {
295	0			0	0		my $self = shift;
296	0						my $server = shift;
297
298	0	0					if( grep { $_ eq 'hourly' } @_ ) {
	0
299	0						$server->log(3, 'expiring greylist autowl...');
300	0						$self->expire_autowl_rows;
301							}
302
303	0						return;
304							}
305
306							__PACKAGE__->meta->make_immutable;
307
308							1;
309
310							__END__
311
312							=pod
313
314							=encoding UTF-8
315
316							=head1 NAME
317
318							Mail::MtPolicyd::Plugin::Greylist - This plugin implements a greylisting mechanism with an auto whitelist.
319
320							=head1 VERSION
321
322							version 2.01
323
324							=head1 DESCRIPTION
325
326							This plugin implements a greylisting mechanism with an auto whitelist.
327
328							If a client connects it will return an defer and create a greylisting "ticket"
329							for the combination of the address of the sender, the senders address and the
330							recipient address. The ticket will be stored in memcached and will contain the time
331							when the client was seen for the first time. The ticket will expire after
332							the max_retry_wait timeout.
333
334							The client will be defered until the min_retry_wait timeout has been reached.
335							Only in the time between the min_retry_wait and max_retry_wait the request will
336							pass the greylisting test.
337
338							When the auto-whitelist is enabled (default) a record for every client which
339							passes the greylisting test will be stored in the autowl_table.
340							The table is based on the combination of the sender domain and client_address.
341							If a client passed the test at least autowl_threshold (default 3) times the greylisting
342							test will be skipped.
343							Additional an last_seen timestamp is stored in the record and records which are older
344							then the autowl_expire_days will expire.
345
346							Please note the greylisting is done on a triplet based on the
347
348							client_address + sender + recipient
349
350							The auto-white list is based on the
351
352							client_address + sender_domain
353
354							=head1 PARAMETERS
355
356							=over
357
358							=item (uc_)enabled (default: on)
359
360							Enable/disable this check.
361
362							=item score (default: empty)
363
364							Apply an score to this message if it _passed_ the greylisting test. In most cases you want to assign a negative score. (eg. -10)
365
366							=item mode (default: passive)
367
368							The default is to return no action if the client passed the greylisting test and continue.
369
370							You can set this 'accept' or 'dunno' if you want skip further checks.
371
372							=item defer_message (default: defer greylisting is active)
373
374							This action is returned to the MTA if a message is defered.
375
376							If a client retries too fast the time left till min_retry_wait is reach will be appended to the string.
377
378							=item min_retry_wait (default: 300 (5m))
379
380							A client will have to wait at least for this timeout. (in seconds)
381
382							=item max_retry_wait (default: 7200 (2h))
383
384							A client must retry to deliver the message before this timeout. (in seconds)
385
386							=item use_autowl (default: 1)
387
388							Could be used to disable the use of the auto-whitelist.
389
390							=item autowl_threshold (default: 3)
391
392							How often a client/sender_domain pair must pass the check before it is whitelisted.
393
394							=item autowl_expire_days (default: 60)
395
396							After how many days an auto-whitelist entry will expire if no client with this client/sender pair is seen.
397
398							=item autowl_table (default: autowl)
399
400							The name of the table to use.
401
402							The database handle specified in the global configuration will be used. (see man mtpolicyd)
403
404							=item query_autowl, create_ticket (default: 1)
405
406							This options could be used to disable the creation of a new ticket or to query the autowl.
407
408							This can be used to catch early retries at the begin of your configuration before more expensive checks a processes.
409
410							Example:
411
412							<Plugin greylist>
413							module = "Greylist"
414							score = -5
415							mode = "passive"
416							create_ticket = 0
417							query_autowl = 0
418							</Plugin>
419							# ... a lot of RBL checks, etc...
420							<Plugin ScoreGreylist>
421							module = "ScoreAction"
422							threshold = 5
423							<Plugin greylist>
424							module = "Greylist"
425							score = -5
426							mode = "passive"
427							</Plugin>
428							</Plugin>
429
430							This will prevent early retries from running thru all checks.
431
432							=back
433
434							=head1 AUTHOR
435
436							Markus Benning <ich@markusbenning.de>
437
438							=head1 COPYRIGHT AND LICENSE
439
440							This software is Copyright (c) 2014 by Markus Benning <ich@markusbenning.de>.
441
442							This is free software, licensed under:
443
444							The GNU General Public License, Version 2, June 1991
445
446							=cut