mirror of
https://github.com/chillout2k/ExOTA-Milter.git
synced 2025-12-11 01:10:18 +00:00
73 lines
1.8 KiB
Plaintext
73 lines
1.8 KiB
Plaintext
@startuml
|
|
|
|
title ExOTA-Milter security policy flow
|
|
start
|
|
:MTA connected;
|
|
|
|
:HDR: Collecting all relevant headers;
|
|
note left: From, Authentication-Results, X-MS-Exchange-CrossTenant-Id
|
|
|
|
:HDR: Recognising sender domain;
|
|
note left: Taken from RFC5322.From header and/or RFC5322.Resent-From header. RFC5321.mail (envelope) is NOT relevant!
|
|
|
|
:EOM: Looking up policy in backend;
|
|
note left: Based on RFC5322.from domain
|
|
|
|
if (Policy found?) then (yes)
|
|
if (Milter: x509 client CN checking enabled?) then (yes)
|
|
:Looking up x509 client CN;
|
|
note left: ENV[MILTER_X509_TRUSTED_CN]
|
|
if (Found trusted x509 client CN?) then (yes)
|
|
else (no)
|
|
:REJECT;
|
|
stop
|
|
endif
|
|
else (no)
|
|
endif
|
|
if (Milter: DKIM checking enabled?) then (yes)
|
|
if (Policy has DKIM checking enabled?) then (yes)
|
|
:Looking up trusted Authentication-Results headers;
|
|
note left: ENV[MILTER_TRUSTED_AUTHSERVID]
|
|
if (Found trusted DKIM AR-headers?) then (yes)
|
|
else (no)
|
|
:REJECT;
|
|
stop
|
|
endif
|
|
if (Milter: DKIM alignment checking enabled?) then (yes)
|
|
if (Policy has DKIM-alignment enabled?) then (yes)
|
|
:Checking if DKIM-signature is aligned;
|
|
note left: DKIM SDID must equal to RFC5322.from_domain!
|
|
if (Is DKIM aligned?) then (yes)
|
|
else (no)
|
|
:REJECT;
|
|
stop
|
|
endif
|
|
else (no)
|
|
endif
|
|
else (no)
|
|
endif
|
|
else (no)
|
|
endif
|
|
else (no)
|
|
endif
|
|
:Looking up tenant-id in policy;
|
|
if (Found trusted tenant-ID?) then (no)
|
|
:REJECT;
|
|
stop
|
|
else (yes)
|
|
endif
|
|
else (no)
|
|
:REJECT;
|
|
stop
|
|
endif
|
|
:Removing all X-ExOTA-Authentication-Results headers if present;
|
|
if (Milter: add header?) then (yes)
|
|
:Adding X-ExOTA-Authentication-Results header;
|
|
note left: ENV[MILTER_ADD_HEADER]
|
|
else (no)
|
|
endif
|
|
:CONTINUE;
|
|
stop
|
|
|
|
@enduml
|