github-public-mirror/ExOTA-Milter
1
0
Fork 0
mirror of https://github.com/chillout2k/ExOTA-Milter.git synced 2025-12-11 09:20:18 +00:00
Code Issues Releases Wiki Activity
8b8c327022
ExOTA-Milter/app/exota-milter.py

657 lines
26 KiB
Python
Raw Blame History

import Milter
import sys
import traceback
import os
import string
import random
import re
import email.utils
import authres
from policy import (
ExOTAPolicyException, ExOTAPolicyNotFoundException,
ExOTAPolicyBackendJSON, ExOTAPolicyBackendLDAP,
ExOTAPolicyInvalidException, ExOTAPolicyBackendException
)
from logger import (
init_logger, log_info, log_error, log_debug
)
# Globals with defaults. Can/should be modified by ENV-variables on startup.
# ENV[MILTER_NAME]
g_milter_name = 'exota-milter'
# ENV[MILTER_SOCKET]
g_milter_socket = '/socket/' + g_milter_name
# ENV[MILTER_REJECT_MESSAGE]
g_milter_reject_message = 'Security policy violation!'
# ENV[MILTER_TMPFAIL_MESSAGE]
g_milter_tmpfail_message = 'Service temporarily not available! Please try again later.'
# ENV[MILTER_DKIM_ENABLED]
g_milter_dkim_enabled = False
# ENV[MILTER_DKIM_ALIGNMENT_REQUIRED]
g_milter_dkim_alignment_required = False
# ENV[MILTER_TRUSTED_AUTHSERVID]
g_milter_trusted_authservid = 'invalid'
# ENV[MILTER_POLICY_SOURCE]
g_milter_policy_source = 'file'
# ENV[MILTER_POLICY_FILE]
g_milter_policy_file = '/data/policy.json'
# ENV[MILTER_X509_ENABLED]
g_milter_x509_enabled = False
# ENV[MILTER_X509_TRUSTED_CN]
g_milter_x509_trusted_cn = 'mail.protection.outlook.com'
# ENV[MILTER_X509_IP_WHITELIST]
g_milter_x509_ip_whitelist = ['127.0.0.1','::1']
# ENV[MILTER_ADD_HEADER]
g_milter_add_header = False
# ENV[MILTER_AUTHSERVID]
g_milter_authservid = None
# ENV[MILTER_LDAP_SERVER_URI]
g_milter_ldap_server_uri = ''
# ENV[MILTER_LDAP_RECEIVE_TIMEOUT]
g_milter_ldap_receive_timeout = 5
# ENV[MILTER_LDAP_BINDDN]
g_milter_ldap_binddn = ''
# ENV[MILTER_LDAP_BINDPW]
g_milter_ldap_bindpw = ''
# ENV[MILTER_LDAP_SEARCH_BASE]
g_milter_ldap_search_base = ''
# ENV[MILTER_LDAP_QUERY]
g_milter_ldap_query = ''
# ENV[MILTER_LDAP_TENANT_ID_ATTR]
g_milter_ldap_tenant_id_attr = 'exotaMilterTenantId'
# ENV[MILTER_LDAP_DKIM_ENABLED_ATTR]
g_milter_ldap_dkim_enabled_attr = 'exotaMilterDkimEnabled'
# ENV[MILTER_LDAP_DKIM_ALIGNMENT_REQIRED_ATTR]
g_milter_ldap_dkim_alignment_required_attr = 'exotaMilterDkimAlignmentRequired'
# Another globals
g_policy_backend = None
g_re_domain = re.compile(r'^.*@(\S+)$', re.IGNORECASE)
g_milter_ldap_conn = None
class ExOTAMilter(Milter.Base):
# Each new connection is handled in an own thread
def __init__(self):
self.x509_client_valid = False
self.client_ip = None
self.client_port = None
self.reset()
log_debug(self.mconn_id + " INIT: {0}".format(self.__dict__))
def reset(self):
self.hdr_from = None
self.hdr_from_domain = None
self.hdr_resent_from = None
self.hdr_resent_from_domain = None
self.forwarded = False
self.hdr_tenant_id = None
self.hdr_tenant_id_count = 0
self.hdr_different_tenant_id = False
self.x509_whitelisted = False
self.dkim_valid = False
self.passed_dkim_results = []
self.dkim_aligned = False
self.xar_hdr_count = 0
# https://stackoverflow.com/a/2257449
self.mconn_id = g_milter_name + ': ' + ''.join(
random.choice(string.ascii_lowercase + string.digits) for _ in range(8)
)
log_debug(self.mconn_id + " reset(): {0}".format(self.__dict__))
def smfir_reject(self, **kwargs):
message = g_milter_reject_message
if 'message' in kwargs:
message = kwargs['message']
if 'queue_id' in kwargs:
message = "queue_id: {0} - {1}".format(kwargs['queue_id'], message)
if 'reason' in kwargs:
message = "{0} - reason: {1}".format(message, kwargs['reason'])
log_info(self.mconn_id + "/" + str(self.getsymval('i')) +
": milter_action=reject message={0}".format(message)
)
self.reset()
self.setreply('550','5.7.1', message)
return Milter.REJECT
def smfir_tempfail(self, **kwargs):
message = g_milter_tmpfail_message
if 'message' in kwargs:
message = kwargs['message']
if 'queue_id' in kwargs:
message = "queue_id: {0} - {1}".format(kwargs['queue_id'], message)
if 'reason' in kwargs:
message = "{0} - reason: {1}".format(message, kwargs['reason'])
log_info(self.mconn_id + "/" + str(self.getsymval('i')) +
": milter_action=tempfail message={0}".format(message)
)
self.reset()
self.setreply('450','4.7.1', message)
return Milter.TEMPFAIL
def smfir_continue(self):
return Milter.CONTINUE
# Not registered/used callbacks
@Milter.nocallback
def hello(self, heloname):
return self.smfir_continue()
@Milter.nocallback
def eoh(self):
return self.smfir_continue()
@Milter.nocallback
def body(self, chunk):
return self.smfir_continue()
def connect(self, IPname, family, hostaddr):
self.reset()
self.client_ip = hostaddr[0]
self.client_port = hostaddr[1]
log_debug(self.mconn_id + "/CONNECT client_ip={0} client_port={1}".format(
self.client_ip, self.client_port
))
return self.smfir_continue()
# Mandatory callback
def envfrom(self, mailfrom, *str):
log_debug(self.mconn_id + "/FROM 5321.from={0}".format(mailfrom))
log_debug(self.mconn_id + "/FROM {0}".format(self.__dict__))
return self.smfir_continue()
# Mandatory callback
def envrcpt(self, to, *str):
log_debug(self.mconn_id + "/RCPT 5321.rcpt={0}".format(to))
return self.smfir_continue()
def header(self, name, hval):
log_debug(self.mconn_id + "/" + str(self.getsymval('i')) +
"/HDR: Header: {0}, Value: {1}".format(name, hval)
)
# Parse RFC-5322-From header
if(name.lower() == "From".lower()):
hdr_5322_from = email.utils.parseaddr(hval)
self.hdr_from = hdr_5322_from[1].lower()
m = re.match(g_re_domain, self.hdr_from)
if m is None:
log_error(self.mconn_id + "/" + str(self.getsymval('i')) + "/HDR " +
"Could not determine domain-part of 5322.from=" + self.hdr_from
)
return self.smfir_reject(queue_id=self.getsymval('i'))
self.hdr_from_domain = m.group(1)
log_info(self.mconn_id + "/" + str(self.getsymval('i')) +
"/HDR: 5322.from={0}, 5322.from_domain={1}".format(
self.hdr_from, self.hdr_from_domain
)
)
# Parse RFC-5322-Resent-From header (Forwarded)
if(name.lower() == "Resent-From".lower()):
hdr_5322_resent_from = email.utils.parseaddr(hval)
self.hdr_resent_from = hdr_5322_resent_from[1].lower()
m = re.match(g_re_domain, self.hdr_resent_from)
if m is None:
log_error(self.mconn_id + "/" + str(self.getsymval('i')) + "/HDR " +
"Could not determine domain-part of 5322.resent_from=" + self.hdr_resent_from
)
else:
self.hdr_resent_from_domain = m.group(1).lower()
log_info(self.mconn_id + "/" + str(self.getsymval('i')) +
"/HDR: 5322.resentfrom={0}, 5322.resent_from_domain={1}".format(
self.hdr_resent_from, self.hdr_resent_from_domain
)
)
# Parse non-standardized X-MS-Exchange-CrossTenant-Id header
elif(name.lower() == "X-MS-Exchange-CrossTenant-Id".lower()):
log_debug(self.mconn_id + "/" + str(self.getsymval('i')) +
"/HDR: Tenant-ID: {0}".format(self.hdr_tenant_id)
)
if self.hdr_tenant_id_count > 0:
if not self.hdr_tenant_id == hval.lower():
self.hdr_different_tenant_id = True
log_info(self.mconn_id + "/" + str(self.getsymval('i')) +
"/HDR: Different Tenant-IDs found!"
)
else:
self.hdr_tenant_id_count += 1
self.hdr_tenant_id = hval.lower()
# Parse RFC-7601 Authentication-Results header
elif(name.lower() == "Authentication-Results".lower()):
if g_milter_dkim_enabled == True:
ar = None
try:
ar = authres.AuthenticationResultsHeader.parse(
"{0}: {1}".format(name, hval)
)
if ar.authserv_id == g_milter_trusted_authservid:
for ar_result in ar.results:
if ar_result.method == 'dkim':
if ar_result.result == 'pass':
self.passed_dkim_results.append({
"sdid": ar_result.header_d.lower()
})
log_debug(self.mconn_id + "/" + str(self.getsymval('i')) +
"/HDR: DKIM passed SDID {0}".format(ar_result.header_d)
)
self.dkim_valid = True
else:
log_debug(self.mconn_id + "/" + str(self.getsymval('i')) +
"/HDR: Ignoring authentication results of {0}".format(ar.authserv_id)
)
except Exception as e:
log_info(self.mconn_id + "/" + str(self.getsymval('i')) +
"/HDR: AR-parse exception: {0}".format(str(e))
)
elif(name == "X-ExOTA-Authentication-Results"):
log_debug(self.mconn_id + "/" + str(self.getsymval('i')) +
"/HDR: Found X-ExOTA-Authentication-Results header. Marking for deletion."
)
self.xar_hdr_count += 1
return self.smfir_continue()
# EOM is mandatory as well and thus always called by MTA
def eom(self):
# Here in EoM the final policy logic happens.
# Check if client certificate CN matches trusted CN
if g_milter_x509_enabled:
for whitelisted_client_ip in g_milter_x509_ip_whitelist:
if self.client_ip == whitelisted_client_ip:
log_info(self.mconn_id + "/" + str(self.getsymval('i'))
+ "/EOM: x509 CN check: client-IP '{0}' is whitelisted".format(
whitelisted_client_ip
)
)
self.x509_whitelisted = True
if not self.x509_whitelisted:
cert_subject = self.getsymval('{cert_subject}')
if cert_subject is None:
log_info(self.mconn_id + "/" + str(self.getsymval('i'))
+ "/EOM: No trusted x509 client CN found - action=reject"
)
return self.smfir_reject(
queue_id = self.getsymval('i'),
reason = 'No trusted x509 client CN found'
)
else:
if g_milter_x509_trusted_cn.lower() == cert_subject.lower():
self.x509_client_valid = True
log_info(self.mconn_id + "/" + str(self.getsymval('i')) +
"/EOM: Trusted x509 client CN {0}".format(cert_subject)
)
else:
log_info(self.mconn_id + "/" + str(self.getsymval('i')) +
"/EOM: Untrusted x509 client CN {0} - action=reject".format(cert_subject)
)
return self.smfir_reject(
queue_id = self.getsymval('i'),
reason = "Untrusted x509 client CN: {0}".format(cert_subject)
)
if self.hdr_from is None:
log_error(self.mconn_id + "/" + str(self.getsymval('i')) +
"/EOM: exception: could not determine 5322.from header - action=reject"
)
return self.smfir_reject(
queue_id = self.getsymval('i'),
reason = '5322.from header missing'
)
if self.hdr_different_tenant_id == True:
log_info(self.mconn_id + "/" + str(self.getsymval('i')) +
"/EOM: Multiple/different tenant-ID headers found for {0} - action=reject".format(
self.hdr_from_domain
)
)
return self.smfir_reject(
queue_id = self.getsymval('i'),
reason = 'Multiple/different tenant-IDs headers found!'
)
# Get policy for 5322.from_domain
policy = None
try:
policy = g_policy_backend.get(self.hdr_from_domain)
log_debug(self.mconn_id + "/" + str(self.getsymval('i')) +
"/EOM: Policy for 5322.from_domain={0} fetched from backend: *{1}*".format(
self.hdr_from_domain, str(policy)
)
)
except ExOTAPolicyBackendException as e:
log_info(self.mconn_id + "/" + str(self.getsymval('i')) +
"/EOM: Policy backend problem: {0}".format(e.message)
)
return self.smfir_tempfail(
queue_id = self.getsymval('i'),
reason = "Policy backend problem"
)
except ExOTAPolicyInvalidException as e:
log_info(self.mconn_id + "/" + str(self.getsymval('i')) +
"/EOM: Invalid policy for 5322.from_domain={0}: {1}".format(
self.hdr_from_domain, e.message
)
)
return self.smfir_reject(
queue_id = self.getsymval('i'),
reason = "Invalid policy for 5322.from_domain {0}".format(
self.hdr_from_domain
)
)
except (ExOTAPolicyException, ExOTAPolicyNotFoundException) as e:
log_info(self.mconn_id + "/" + str(self.getsymval('i')) +
"/EOM: 5322.from: {0}".format(e.message)
)
# Forwarded message? Maybe the Resent-From header domain matches.
if self.hdr_resent_from_domain is not None:
try:
policy = g_policy_backend.get(self.hdr_resent_from_domain)
log_debug(self.mconn_id + "/" + str(self.getsymval('i')) +
"/EOM: Policy for 5322.resent_from_domain={0} fetched from backend: *{1}*".format(
self.hdr_resent_from_domain, str(policy)
)
)
self.forwarded = True
log_info(self.mconn_id + "/" + str(self.getsymval('i')) +
"/EOM: Forwarded message -> Policy for 5322.resent_from_domain={0} found.".format(
self.hdr_resent_from_domain
)
)
except ExOTAPolicyBackendException as e:
log_info(self.mconn_id + "/" + str(self.getsymval('i')) +
"/EOM: Policy backend problem: {0}".format(e.message)
)
return self.smfir_tempfail(
queue_id = self.getsymval('i'),
reason = "Policy backend problem"
)
except ExOTAPolicyInvalidException as e:
log_info(self.mconn_id + "/" + str(self.getsymval('i')) +
"/EOM: Invalid policy for 5322.resent_from_domain={0}: {1}".format(
self.hdr_resent_from_domain, e.message
)
)
return self.smfir_reject(
queue_id = self.getsymval('i'),
reason = "Invalid policy for 5322.resent_from_domain {0}".format(
self.hdr_resent_from_domain
)
)
except (ExOTAPolicyException, ExOTAPolicyNotFoundException) as e:
log_info(self.mconn_id + "/" + str(self.getsymval('i')) +
"/EOM: 5322.resent-from: {0}".format(e.message)
)
return self.smfir_reject(
queue_id = self.getsymval('i'),
reason = "No policy for 5322.resent_from_domain {0}".format(
self.hdr_resent_from_domain
)
)
else:
return self.smfir_reject(
queue_id = self.getsymval('i'),
reason = "No policy for 5322.from_domain {0}".format(self.hdr_from_domain)
)
if self.hdr_tenant_id is None:
log_error(self.mconn_id + "/" + str(self.getsymval('i')) +
"/EOM: exception: could not determine X-MS-Exchange-CrossTenant-Id - action=reject"
)
return self.smfir_reject(
queue_id = self.getsymval('i'),
reason = 'Tenant-ID is missing!'
)
if self.hdr_tenant_id == policy.get_tenant_id():
log_info(self.mconn_id + "/" + str(self.getsymval('i')) +
"/EOM: tenant_id={0} status=match".format(self.hdr_tenant_id)
)
else:
log_info(self.mconn_id + "/" + str(self.getsymval('i')) +
"/EOM: tenant_id={0} status=no_match - action=reject".format(
self.hdr_tenant_id
)
)
return self.smfir_reject(
queue_id = self.getsymval('i'),
reason = 'No policy match for tenant-id'
)
if g_milter_dkim_enabled and policy.is_dkim_enabled():
log_debug(self.mconn_id + "/" + str(self.getsymval('i')) +
"/EOM: 5322.from_domain={0} dkim_auth=enabled".format(self.hdr_from_domain)
)
if self.dkim_valid:
log_info(self.mconn_id + "/" + str(self.getsymval('i')) +
"/EOM: Valid DKIM signatures found"
)
for passed_dkim_result in self.passed_dkim_results:
if self.hdr_from_domain == passed_dkim_result['sdid']:
log_info(self.mconn_id + "/" + str(self.getsymval('i')) +
"/EOM: Found aligned DKIM signature for SDID: {0}".format(
passed_dkim_result['sdid']
)
)
self.dkim_aligned = True
if not self.dkim_aligned:
log_info(self.mconn_id + "/" + str(self.getsymval('i')) +
"/EOM: No aligned DKIM signatures found!"
)
if g_milter_dkim_alignment_required:
if policy.is_dkim_alignment_required() == False:
log_info(self.mconn_id + "/" + str(self.getsymval('i')) +
"/EOM: Policy overrides DKIM alignment requirement to '{0}'!".format(
policy.is_dkim_alignment_required()
)
)
else:
return self.smfir_reject(
queue_id = self.getsymval('i'),
reason = 'DKIM alignment required!'
)
else:
log_info(self.mconn_id + "/" + str(self.getsymval('i')) +
"/EOM: No valid DKIM authentication result found"
)
return self.smfir_reject(
queue_id = self.getsymval('i'),
reason = 'No valid DKIM authentication results found'
)
# Delete all existing X-ExOTA-Authentication-Results headers
for i in range(self.xar_hdr_count, 0, -1):
log_debug(self.mconn_id + "/" + str(self.getsymval('i')) +
"/EOM: Deleting X-ExOTA-Authentication-Results header"
)
try:
self.chgheader("X-ExOTA-Authentication-Results", i-1, '')
except Exception as e:
log_error(self.mconn_id + "/" + str(self.getsymval('i')) +
"/EOM: Deleting X-ExOTA-Authentication-Results failed: {0}".format(str(e))
)
if g_milter_add_header:
try:
addhdr_value = str(
"{0};\n" +
" auth=pass 5322_from_domain={1} dkim={2} dkim_aligned={3} " +
"x509_client_trust={4} forwarded={5}"
).format(
g_milter_authservid, self.hdr_from_domain, policy.is_dkim_enabled(),
self.dkim_aligned, g_milter_x509_enabled, self.forwarded
)
log_debug(addhdr_value)
self.addheader("X-ExOTA-Authentication-Results", addhdr_value)
log_debug(self.mconn_id + "/" + str(self.getsymval('i')) +
"/EOM: AR-header added"
)
except Exception as e:
log_info(self.mconn_id + "/" + str(self.getsymval('i')) +
"/EOM: addheader(AR) failed: {0}".format(str(e))
)
if g_milter_dkim_enabled:
log_info(self.mconn_id + "/" + str(self.getsymval('i')) +
"/EOM: Tenant successfully authorized (dkim_enabled={0} dkim_aligned={1})".format(
policy.is_dkim_enabled(), self.dkim_aligned
)
)
else:
log_info(self.mconn_id + "/" + str(self.getsymval('i')) +
"/EOM: Tenant successfully authorized"
)
self.reset()
return self.smfir_continue()
def abort(self):
# Client disconnected prematurely
log_debug(self.mconn_id + "/ABORT")
return self.smfir_continue()
def close(self):
# Always called, even when abort is called.
# Clean up any external resources here.
log_debug(self.mconn_id + "/CLOSE {0}".format(self.__dict__))
return self.smfir_continue()
if __name__ == "__main__":
init_logger()
if 'MILTER_NAME' in os.environ:
g_milter_name = os.environ['MILTER_NAME']
log_info("ENV[MILTER_NAME]: {0}".format(g_milter_name))
if 'MILTER_SOCKET' in os.environ:
g_milter_socket = os.environ['MILTER_SOCKET']
log_info("ENV[MILTER_SOCKET]: {0}".format(g_milter_socket))
if 'MILTER_REJECT_MESSAGE' in os.environ:
g_milter_reject_message = os.environ['MILTER_REJECT_MESSAGE']
log_info("ENV[MILTER_REJECT_MESSAGE]: {0}".format(g_milter_reject_message))
if 'MILTER_TMPFAIL_MESSAGE' in os.environ:
g_milter_tmpfail_message = os.environ['MILTER_TMPFAIL_MESSAGE']
log_info("ENV[MILTER_TMPFAIL_MESSAGE]: {0}".format(g_milter_tmpfail_message))
if 'MILTER_DKIM_ENABLED' in os.environ:
g_milter_dkim_enabled = True
if 'MILTER_TRUSTED_AUTHSERVID' in os.environ:
g_milter_trusted_authservid = os.environ['MILTER_TRUSTED_AUTHSERVID'].lower()
log_info("ENV[MILTER_TRUSTED_AUTHSERVID]: {0}".format(g_milter_trusted_authservid))
else:
log_error("ENV[MILTER_TRUSTED_AUTHSERVID] is mandatory!")
sys.exit(1)
if 'MILTER_DKIM_ALIGNMENT_REQUIRED' in os.environ:
if os.environ['MILTER_DKIM_ALIGNMENT_REQUIRED'] == 'True':
g_milter_dkim_alignment_required = True
elif os.environ['MILTER_DKIM_ALIGNMENT_REQUIRED'] == 'False':
g_milter_dkim_alignment_required = False
else:
log_error("ENV[MILTER_DKIM_ALIGNMENT_REQUIRED] must be a boolean type: 'True' or 'False'!")
sys.exit(1)
log_info("ENV[MILTER_DKIM_ALIGNMENT_REQUIRED]: {0}".format(
g_milter_dkim_alignment_required
))
log_info("ENV[MILTER_DKIM_ENABLED]: {0}".format(g_milter_dkim_enabled))
if 'MILTER_X509_ENABLED' in os.environ:
g_milter_x509_enabled = True
if 'MILTER_X509_TRUSTED_CN' in os.environ:
g_milter_x509_trusted_cn = os.environ['MILTER_X509_TRUSTED_CN']
log_info("ENV[MILTER_X509_TRUSTED_CN]: {0}".format(g_milter_x509_trusted_cn))
if 'MILTER_X509_IP_WHITELIST' in os.environ:
g_milter_x509_ip_whitelist = "".join(os.environ['MILTER_X509_IP_WHITELIST'].split())
g_milter_x509_ip_whitelist = g_milter_x509_ip_whitelist.split(',')
log_info("ENV[MILTER_X509_IP_WHITELIST]: {0}".format(g_milter_x509_ip_whitelist))
log_info("ENV[MILTER_X509_ENABLED]: {0}".format(g_milter_x509_enabled))
if 'MILTER_ADD_HEADER' in os.environ:
g_milter_add_header = True
if 'MILTER_AUTHSERVID' in os.environ:
g_milter_authservid = os.environ['MILTER_AUTHSERVID']
if not re.match(r'^\S+$', g_milter_authservid):
log_error("ENV[MILTER_AUTHSERVID] is invalid: {0}".format(g_milter_authservid))
log_info("ENV[MILTER_AUTHSERVID]: {0}".format(g_milter_authservid))
else:
log_error("ENV[MILTER_AUTHSERVID] is mandatory!")
sys.exit(1)
log_info("ENV[MILTER_ADD_HEADER]: {0}".format(g_milter_add_header))
if 'MILTER_POLICY_SOURCE' in os.environ:
g_milter_policy_source = os.environ['MILTER_POLICY_SOURCE']
log_info("ENV[MILTER_POLICY_SOURCE]: {0}".format(g_milter_policy_source))
if g_milter_policy_source == 'file':
if 'MILTER_POLICY_FILE' in os.environ:
g_milter_policy_file = os.environ['MILTER_POLICY_FILE']
log_info("ENV[MILTER_POLICY_FILE]: {0}".format(g_milter_policy_file))
try:
g_policy_backend = ExOTAPolicyBackendJSON(g_milter_policy_file)
log_info("JSON policy backend initialized")
except ExOTAPolicyException as e:
log_error("Policy backend error: {0}".format(e.message))
sys.exit(1)
else:
log_error("ENV[MILTER_POLICY_FILE] is mandatory!")
sys.exit(1)
elif g_milter_policy_source == 'ldap':
if 'MILTER_LDAP_SERVER_URI' not in os.environ:
log_error("ENV[MILTER_LDAP_SERVER_URI] is mandatory!")
sys.exit(1)
g_milter_ldap_server_uri = os.environ['MILTER_LDAP_SERVER_URI']
if 'MILTER_LDAP_RECEIVE_TIMEOUT' in os.environ:
try:
g_milter_ldap_receive_timeout = int(os.environ['MILTER_LDAP_RECEIVE_TIMEOUT'])
except ValueError:
log_error("ENV[MILTER_LDAP_RECEIVE_TIMEOUT] must be an integer!")
sys.exit(1)
log_info("ENV[MILTER_LDAP_RECEIVE_TIMEOUT]: {0}".format(
g_milter_ldap_receive_timeout
))
if 'MILTER_LDAP_BINDDN' not in os.environ:
log_info("ENV[MILTER_LDAP_BINDDN] not set! Continue...")
else:
g_milter_ldap_binddn = os.environ['MILTER_LDAP_BINDDN']
if 'MILTER_LDAP_BINDPW' not in os.environ:
log_info("ENV[MILTER_LDAP_BINDPW] not set! Continue...")
else:
g_milter_ldap_bindpw = os.environ['MILTER_LDAP_BINDPW']
if 'MILTER_LDAP_SEARCH_BASE' not in os.environ:
log_error("ENV[MILTER_LDAP_SEARCH_BASE] is mandatory!")
sys.exit(1)
g_milter_ldap_search_base = os.environ['MILTER_LDAP_SEARCH_BASE']
if 'MILTER_LDAP_QUERY' not in os.environ:
log_error("ENV[MILTER_LDAP_QUERY] is mandatory!")
sys.exit(1)
g_milter_ldap_query = os.environ['MILTER_LDAP_QUERY']
if 'MILTER_LDAP_TENANT_ID_ATTR' in os.environ:
g_milter_ldap_tenant_id_attr = os.environ['MILTER_LDAP_TENANT_ID_ATTR']
if 'MILTER_LDAP_DKIM_ENABLED_ATTR' in os.environ:
g_milter_ldap_dkim_enabled_attr = os.environ['MILTER_LDAP_DKIM_ENABLED_ATTR']
if 'MILTER_LDAP_DKIM_ALIGNMENT_REQUIRED_ATTR' in os.environ:
g_milter_ldap_dkim_alignment_required_attr = os.environ['MILTER_LDAP_DKIM_ALIGNMENT_REQUIRED_ATTR']
try:
ldap_config = {
'ldap_server_uri': g_milter_ldap_server_uri,
'ldap_binddn': g_milter_ldap_binddn,
'ldap_bindpw': g_milter_ldap_bindpw,
'ldap_receive_timeout': g_milter_ldap_receive_timeout,
'ldap_search_base': g_milter_ldap_search_base,
'ldap_query': g_milter_ldap_query,
'ldap_tenant_id_attr': g_milter_ldap_tenant_id_attr,
'ldap_dkim_enabled_attr': g_milter_ldap_dkim_enabled_attr,
'ldap_dkim_alignment_required_attr': g_milter_ldap_dkim_alignment_required_attr
}
g_policy_backend = ExOTAPolicyBackendLDAP(ldap_config)
log_info("LDAP policy backend initialized")
except ExOTAPolicyException as e:
log_error("Policy backend error: {0}".format(e.message))
sys.exit(1)
else:
log_debug("Unsupported backend: {0}!".format(g_milter_policy_source))
sys.exit(1)
try:
timeout = 600
# Register to have the Milter factory create instances of your class:
Milter.factory = ExOTAMilter
Milter.set_flags(Milter.ADDHDRS + Milter.CHGHDRS)
log_info("Startup " + g_milter_name +
"@socket: " + g_milter_socket
)
Milter.runmilter(g_milter_name,g_milter_socket,timeout,True)
log_info("Shutdown " + g_milter_name)
except:
log_error("MAIN-EXCEPTION: " + traceback.format_exc())
sys.exit(1)
Reference in New Issue View Git Blame Copy Permalink