File Coverage

blib/lib/Mail/Qmail/Filter/DMARC.pm
Criterion Covered Total %
statement 11 40 27.5
branch 0 8 0.0
condition 0 3 0.0
subroutine 4 5 80.0
pod 1 1 100.0
total 16 57 28.0


line stmt bran cond sub pod time code
1 1     1   906 use 5.014;
  1         4  
2 1     1   6 use warnings;
  1         2  
  1         261  
3              
4             package Mail::Qmail::Filter::DMARC;
5              
6             our $VERSION = '1.2';
7              
8             sub domain {
9             shift =~ s/.*\@//r;
10             }
11              
12             sub if_set {
13             my ( $key, $value, @additional_checks ) = @_;
14             return unless defined $value && length $value;
15             $_->($value) or return for @additional_checks;
16             $key => $value;
17             }
18              
19             sub is_valid_domain {
20             require Mail::DMARC::Base;
21             Mail::DMARC::Base->new->is_valid_domain(shift);
22             }
23              
24             sub spf_query {
25             require Mail::SPF;
26             my $request = Mail::SPF::Request->new(@_);
27             state $server = Mail::SPF::Server->new;
28             $server->process($request);
29             }
30              
31 1     1   8 use namespace::clean;
  1         1  
  1         6  
32              
33 1     1   236 use Mo qw(coerce default);
  1         2  
  1         5  
34             extends 'Mail::Qmail::Filter';
35              
36             has 'dry_run';
37             has 'reject_text' => 'Failed DMARC test.';
38              
39             sub filter {
40 0     0 1   my $self = shift;
41 0           my $message = $self->message;
42              
43 0           require Mail::DKIM::Verifier; # lazy load because filter might be skipped
44 0           my $dkim = Mail::DKIM::Verifier->new;
45 0           $dkim->PRINT( $message->body =~ s/\cM?\cJ/\cM\cJ/gr );
46 0           $dkim->CLOSE;
47 0           $self->debug( 'DKIM result' => $dkim->result );
48              
49 0 0         if ( $dkim->result ne 'pass' ) {
50              
51 0           $self->debug( 'Remote IP' => $ENV{TCPREMOTEIP} );
52              
53 0           my %spf_query = ( ip_address => $ENV{TCPREMOTEIP} );
54              
55 0           $self->debug( helo => $spf_query{helo_identity} = $message->helo );
56              
57 0           my $header_from = $message->header_from;
58 0           my $header_from_domain;
59 0 0         if ($header_from) {
60             $self->debug( 'RFC5322.From' => $spf_query{identity} =
61 0           $header_from->address );
62 0           $header_from_domain = $header_from->host;
63 0           $spf_query{scope} = 'mfrom';
64             }
65             else {
66 0           $spf_query{scope} = 'helo';
67              
68             # identity required by Mail::SPF:
69 0           $spf_query{identity} = $spf_query{helo_identity};
70             }
71              
72 0           $self->debug( 'SPF result' => my $spf_result = spf_query(%spf_query) );
73 0           $message->add_header( $spf_result->received_spf_header );
74              
75 0           require Mail::DMARC::PurePerl;
76             my $dmarc_text = (
77             my $dmarc_result = Mail::DMARC::PurePerl->new(
78             source_ip => $ENV{TCPREMOTEIP},
79             envelope_to => domain( ( $message->to )[0] ),
80             if_set(
81             envelope_from => domain( $message->from ),
82             \&is_valid_domain
83             ),
84             if_set(
85             header_from => $header_from_domain,
86             \&is_valid_domain
87             ),
88             dkim => $dkim,
89             spf => {
90             if_set( domain => $header_from_domain ),
91             scope => $spf_query{scope},
92 0           result => $spf_result->code,
93             },
94             )->validate
95             )->result;
96 0           $self->debug( 'DMARC result' => $dmarc_text );
97 0           $message->add_header("DMARC-Status: $dmarc_text");
98              
99 0 0         if ( $dmarc_result->result ne 'pass' ) {
100 0           my $disposition = $dmarc_result->disposition;
101 0           $self->debug( 'DMARC disposition' => $disposition );
102 0 0 0       $self->reject( $self->reject_text )
103             if $disposition eq 'reject' && !$self->dry_run;
104             }
105             }
106             }
107              
108             1;
109              
110             __END__
111              
112             =head1 NAME
113              
114             Mail::Qmail::Filter::DMARC - verify DMARC policy of mail message
115              
116             =head1 SYNOPSIS
117              
118             use Mail::Qmail::Filter;
119              
120             Mail::Qmail::Filter->new->add_filters(
121             '::DMARC' => {
122             skip_if_relayclient => 1,
123             },
124             '::Queue',
125             )->run;
126              
127             =head1 DESCRIPTION
128              
129             This L<Mail::Qmail::Filter> plugin verifies if the incoming e-mail message
130             conforms to the DMARC policy of its sender domain:
131              
132             =over 4
133              
134             =item 1.
135              
136             The plugin is skipped if imported with feature C<:skip_for_relayclient>
137             and the message comes from a relay client.
138              
139             =item 2.
140              
141             We check if the message contains a valid DKIM signature
142             matching the domain of the C<From:> header field.
143             If this is the case, the e-mail is passed on.
144              
145             =item 3.
146              
147             If not, a SPF check is done, and a C<Received-SPF:> header field is added to
148             the message.
149             Then we check if the message is aligned with its sender's DMARC policy.
150             A C<DMARC-Status:> header field is added.
151              
152             If the message does not align to the policy, the policy advises to reject such
153             messages and when the plugin is C<use>d with the C<:reject> feature or the
154             environment variable C<DMARC_REJECT> is set to a true value, the message will
155             be rejected with C<554 Failed DMARC test.>
156              
157             =back
158              
159             Please note: This only works for valid sender addresses.
160             If the message has no valid RFC5322.From, this filter will I<not> reject
161             the message, because L<Mail::DMARC> does not like invalid sender addresses.
162             If you also happen to not like these, please use
163             L<Mail::Qmail::Filter::ValidateFrom> and/or
164             L<Mail::Qmail::Filter::ValidateSender> I<before> this filter.
165              
166             =head1 OPTIONAL PARAMETERS
167              
168             =head2 dry_run
169              
170             When set to a true value, the message is only marked, not rejected.
171              
172             =head2 reject_text
173              
174             Reply text to send to the client when the message is rejected.
175              
176             Default: C<Failed DMARC test.>
177              
178             =head1 SEE ALSO
179              
180             L<Mail::Qmail::Filter/COMMON PARAMETERS FOR ALL FILTERS>,
181             L<Mail::Qmail::Filter::ValidateFrom>, L<Mail::Qmail::Filter::ValidateSender>
182              
183             =head1 LICENSE AND COPYRIGHT
184              
185             Copyright 2019 Martin Sluka.
186              
187             This module is free software; you can redistribute it and/or modify it
188             under the terms of the the Artistic License (2.0). You may obtain a
189             copy of the full license at:
190              
191             L<http://www.perlfoundation.org/artistic_license_2_0>
192              
193             Any use, modification, and distribution of the Standard or Modified
194             Versions is governed by this Artistic License. By using, modifying or
195             distributing the Package, you accept this license. Do not use, modify,
196             or distribute the Package, if you do not accept this license.
197              
198             If your Modified Version has been derived from a Modified Version made
199             by someone other than you, you are nevertheless required to ensure that
200             your Modified Version complies with the requirements of this license.
201              
202             This license does not grant you the right to use any trademark, service
203             mark, tradename, or logo of the Copyright Holder.
204              
205             This license includes the non-exclusive, worldwide, free-of-charge
206             patent license to make, have made, use, offer to sell, sell, import and
207             otherwise transfer the Package with respect to any patent claims
208             licensable by the Copyright Holder that are necessarily infringed by the
209             Package. If you institute patent litigation (including a cross-claim or
210             counterclaim) against any party alleging that the Package constitutes
211             direct or contributory patent infringement, then this Artistic License
212             to you shall terminate on the date that such litigation is filed.
213              
214             Disclaimer of Warranty: THE PACKAGE IS PROVIDED BY THE COPYRIGHT HOLDER
215             AND CONTRIBUTORS "AS IS' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES.
216             THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
217             PURPOSE, OR NON-INFRINGEMENT ARE DISCLAIMED TO THE EXTENT PERMITTED BY
218             YOUR LOCAL LAW. UNLESS REQUIRED BY LAW, NO COPYRIGHT HOLDER OR
219             CONTRIBUTOR WILL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, OR
220             CONSEQUENTIAL DAMAGES ARISING IN ANY WAY OUT OF THE USE OF THE PACKAGE,
221             EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
222              
223             =cut