github-public-mirror/ldap-acl-milter
1
0
Fork 0
mirror of https://github.com/chillout2k/ldap-acl-milter.git synced 2025-12-13 11:20:18 +00:00
Code Issues Projects Releases Wiki Activity

DKIM-authorisation - init

Browse Source
This commit is contained in:
Dominik Chilla 2022-02-13 00:14:38 +01:00
parent 992e009838
commit e57845f8b1
11 changed files with 757 additions and 231 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

129
.gitignore vendored Normal file
View File

@ -0,0 +1,129 @@
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class
# C extensions
*.so
# Distribution / packaging
.Python
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
wheels/
pip-wheel-metadata/
share/python-wheels/
*.egg-info/
.installed.cfg
*.egg
MANIFEST
# PyInstaller
# Usually these files are written by a python script from a template
# before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
*.spec
# Installer logs
pip-log.txt
pip-delete-this-directory.txt
# Unit test / coverage reports
htmlcov/
.tox/
.nox/
.coverage
.coverage.*
.cache
nosetests.xml
coverage.xml
*.cover
*.py,cover
.hypothesis/
.pytest_cache/
# Translations
*.mo
*.pot
# Django stuff:
*.log
local_settings.py
db.sqlite3
db.sqlite3-journal
# Flask stuff:
instance/
.webassets-cache
# Scrapy stuff:
.scrapy
# Sphinx documentation
docs/_build/
# PyBuilder
target/
# Jupyter Notebook
.ipynb_checkpoints
# IPython
profile_default/
ipython_config.py
# pyenv
.python-version
# pipenv
# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
# However, in case of collaboration, if having platform-specific dependencies or dependencies
# having no cross-platform support, pipenv may install dependencies that don't work, or not
# install all needed dependencies.
#Pipfile.lock
# PEP 582; used by e.g. github.com/David-OConnor/pyflow
__pypackages__/
# Celery stuff
celerybeat-schedule
celerybeat.pid
# SageMath parsed files
*.sage.py
# Environments
.env
.venv
env/
venv/
ENV/
env.bak/
venv.bak/
# Spyder project settings
.spyderproject
.spyproject
# Rope project settings
.ropeproject
# mkdocs documentation
/site
# mypy
.mypy_cache/
.dmypy.json
dmypy.json
# Pyre type checker
.pyre/

1
BASEOS
View File

@ -1 +0,0 @@
debian

1
VERSION
View File

@ -1 +0,0 @@
19.04

494
app/ldap-acl-milter.py
View File

@ -1,6 +1,7 @@
from argparse import Action
import Milter import Milter
from ldap3 import ( from ldap3 import (
Server,ServerPool,Connection,NONE,LDAPOperationResult,set_config_parameter Server, Connection, NONE, set_config_parameter
) )
import sys import sys
import traceback import traceback
@ -10,6 +11,8 @@ import string
import random import random
import re import re
from timeit import default_timer as timer from timeit import default_timer as timer
import email.utils
import authres
# Globals... # Globals...
g_milter_name = 'ldap-acl-milter' g_milter_name = 'ldap-acl-milter'
@ -17,7 +20,6 @@ g_milter_socket = '/socket/' + g_milter_name
g_milter_reject_message = 'Security policy violation!' g_milter_reject_message = 'Security policy violation!'
g_milter_tmpfail_message = 'Service temporarily not available! Please try again later.' g_milter_tmpfail_message = 'Service temporarily not available! Please try again later.'
g_ldap_conn = None g_ldap_conn = None
# ...with mostly senseless defaults ;)
g_ldap_server = 'ldap://127.0.0.1:389' g_ldap_server = 'ldap://127.0.0.1:389'
g_ldap_binddn = 'cn=ldap-reader,ou=binds,dc=example,dc=org' g_ldap_binddn = 'cn=ldap-reader,ou=binds,dc=example,dc=org'
g_ldap_bindpw = 'TopSecret;-)' g_ldap_bindpw = 'TopSecret;-)'
@ -33,123 +35,101 @@ g_milter_schema = False
g_milter_schema_wildcard_domain = False # works only if g_milter_schema == True g_milter_schema_wildcard_domain = False # works only if g_milter_schema == True
g_milter_expect_auth = False g_milter_expect_auth = False
g_milter_whitelisted_rcpts = {} g_milter_whitelisted_rcpts = {}
g_milter_dkim_enabled = False
g_milter_trusted_authservid = None
g_re_srs = re.compile(r"^SRS0=.+=.+=(\S+)=(\S+)\@.+$") g_re_srs = re.compile(r"^SRS0=.+=.+=(\S+)=(\S+)\@.+$")
class LdapAclMilter(Milter.Base): class LdapAclMilter(Milter.Base):
# Each new connection is handled in an own thread # Each new connection is handled in an own thread
def __init__(self): def __init__(self):
self.time_start = timer() # client_addr gets overriden on any connect()
self.ldap_conn = g_ldap_conn
self.client_addr = None self.client_addr = None
def reset(self):
self.proto_stage = 'proto-stage'
self.env_from = None self.env_from = None
self.env_from_domain = None self.env_from_domain = None
self.sasl_user = None self.sasl_user = None
self.x509_subject = None self.x509_subject = None
self.x509_issuer = None self.x509_issuer = None
# recipients list self.queue_id = 'qid-na'
self.env_rcpts = [] self.env_rcpts = []
self.hdr_from = None
self.hdr_from_domain = None
self.dkim_valid = False
self.passed_dkim_results = []
logging.debug("reset(): {}".format(self.__dict__))
# https://stackoverflow.com/a/2257449 # https://stackoverflow.com/a/2257449
self.mconn_id = g_milter_name + ': ' + ''.join( self.mconn_id = g_milter_name + ': ' + ''.join(
random.choice(string.ascii_lowercase + string.digits) for _ in range(8) random.choice(string.ascii_lowercase + string.digits) for _ in range(8)
) )
# Not registered/used callbacks def milter_action(self, **kwargs):
#@Milter.nocallback if 'action' not in kwargs:
#def hello(self, heloname) raise Exception("'action' kwarg is mandatory!")
# return Milter.CONTINUE message = None
@Milter.nocallback smfir = None
def header(self, name, hval): smtp_code = None
return Milter.CONTINUE smtp_ecode = None
@Milter.nocallback if kwargs['action'] == 'reject':
def eoh(self): message = g_milter_reject_message
return Milter.CONTINUE smtp_code = '550'
@Milter.nocallback smtp_ecode = '5.7.1'
def body(self, chunk): smfir = Milter.REJECT
return Milter.CONTINUE elif kwargs['action'] == 'tmpfail':
message = g_milter_tmpfail_message
smtp_code = '450'
smtp_ecode = '4.7.1'
smfir = Milter.TEMPFAIL
elif kwargs['action'] == 'continue':
message = 'continue'
smfir = Milter.CONTINUE
else:
raise Exception("Invalid 'action': {}".format(kwargs['action']))
# override message
if 'message' in kwargs:
message = kwargs['message']
# prepend queue-id to message if it´s already available (DATA and later)
if self.queue_id:
message = "queue_id: {0} - {1}".format(self.queue_id, message)
# append reason to message
if 'reason' in kwargs:
message = "{0} - reason: {1}".format(message, kwargs['reason'])
if kwargs['action'] == 'reject' or kwargs['action'] == 'tmpfail':
self.setreply(smtp_code, smtp_ecode, message)
logging.info(self.mconn_id + "/" +
self.proto_stage + ": milter_action={0} message={1}".format(kwargs['action'], message)
)
return smfir
def connect(self, IPname, family, hostaddr): def check_policy(self, from_addr, rcpt_addr):
self.client_addr = hostaddr[0]
logging.debug(self.mconn_id + logging.debug(self.mconn_id +
"/CONNECT client_addr=[" + self.client_addr + "]:" + str(hostaddr[1]) " /CHECK_POLICY/{0} from={1} rcpt={2}".format(
self.proto_stage, from_addr, rcpt_addr
) )
return Milter.CONTINUE
def envfrom(self, mailfrom, *str):
try:
# this may fail, if no x509 client certificate was used.
# postfix only passes this macro to milters if the TLS connection
# with the authenticating client was trusted in a x509 manner!
# http://postfix.1071664.n5.nabble.com/verification-levels-and-Milter-tp91634p91638.html
# Unfortunately, postfix only passes the CN-field of the subject/issuer DN :-/
x509_subject = self.getsymval('{cert_subject}')
if x509_subject != None:
self.x509_subject = x509_subject
logging.info(self.mconn_id + "/FROM x509_subject=" + self.x509_subject)
x509_issuer = self.getsymval('{cert_issuer}')
if x509_issuer != None:
self.x509_issuer = x509_issuer
logging.info(self.mconn_id + "/FROM x509_issuer=" + self.x509_issuer)
except:
logging.error(self.mconn_id + "/FROM x509 " + traceback.format_exc())
try:
# this may fail, if no SASL authentication preceded
sasl_user = self.getsymval('{auth_authen}')
if sasl_user != None:
self.sasl_user = sasl_user
logging.info(self.mconn_id + "/FROM sasl_user=" + self.sasl_user)
except:
logging.error(self.mconn_id + "/FROM sasl_user " + traceback.format_exc())
mailfrom = mailfrom.replace("<","")
mailfrom = mailfrom.replace(">","")
# BATV (https://tools.ietf.org/html/draft-levine-smtp-batv-01)
# Strip out Simple Private Signature (PRVS)
mailfrom = re.sub(r"^prvs=.{10}=", '', mailfrom)
# SRS (https://www.libsrs2.org/srs/srs.pdf)
m_srs = g_re_srs.match(mailfrom)
if m_srs != None:
logging.info(self.mconn_id + "/FROM " +
"Found SRS-encoded envelope-sender: " + mailfrom
) )
mailfrom = m_srs.group(2) + '@' + m_srs.group(1) if rcpt_addr in g_milter_whitelisted_rcpts:
logging.info(self.mconn_id + "/FROM " + return self.milter_action(action = 'continue')
"SRS envelope-sender replaced with: " + mailfrom m = g_re_domain.match(from_addr)
)
self.env_from = mailfrom
m = g_re_domain.match(self.env_from)
if m == None: if m == None:
logging.error(self.mconn_id + "/FROM " + return self.milter_action(
"Could not determine domain of 5321.from=" + self.env_from action = 'tmpfail',
reason = "Could not determine domain of from={}".format(from_addr)
) )
self.setreply('450','4.7.1', g_milter_tmpfail_message) from_domain = m.group(1)
return Milter.TEMPFAIL
self.env_from_domain = m.group(1)
logging.debug(self.mconn_id + logging.debug(self.mconn_id +
"/FROM env_from_domain=" + self.env_from_domain "/{0} from_domain={1}".format(self.queue_id, from_domain)
) )
return Milter.CONTINUE m = g_re_domain.match(rcpt_addr)
def envrcpt(self, to, *str):
time_start = timer()
to = to.replace("<","")
to = to.replace(">","")
if to in g_milter_whitelisted_rcpts:
time_end = timer()
self.env_rcpts.append({
"rcpt": to, "action":'whitelisted_rcpt',"time_start":time_start,"time_end":time_end
})
return Milter.CONTINUE
m = g_re_domain.match(to)
if m == None: if m == None:
logging.error(self.mconn_id + "/RCPT " + return self.milter_action(
"Could not determine domain of 5321.to: " + to action = 'tmpfail',
reason = "Could not determine domain of rcpt={}".format(rcpt_addr)
) )
self.setreply('450','4.7.1', g_milter_tmpfail_message)
return Milter.TEMPFAIL
rcpt_domain = m.group(1) rcpt_domain = m.group(1)
logging.debug(self.mconn_id + logging.debug(self.mconn_id +
"/RCPT rcpt_domain=" + rcpt_domain "/{0} rcpt_domain={1}".format(self.queue_id, rcpt_domain)
) )
time_end = None
try: try:
if g_milter_schema == True: if g_milter_schema == True:
# LDAP-ACL-Milter schema # LDAP-ACL-Milter schema
@ -181,45 +161,40 @@ class LdapAclMilter(Milter.Base):
# be ASCII-HEX encoded '\2a' (42 in decimal => answer to everything) # be ASCII-HEX encoded '\2a' (42 in decimal => answer to everything)
# for proper use in LDAP queries. # for proper use in LDAP queries.
# In this case *@<domain> cannot be a real address! # In this case *@<domain> cannot be a real address!
if re.match(r'^\*@.+$', self.env_from, re.IGNORECASE): if re.match(r'^\*@.+$', from_addr, re.IGNORECASE):
logging.info(self.mconn_id + "/RCPT REJECT " + return self.milter_action(
"Literal wildcard sender (*@<domain>) is not " + action = 'reject',
reason = "Literal wildcard sender (*@<domain>) is not " +
"allowed in wildcard mode!" "allowed in wildcard mode!"
) )
self.setreply('550','5.7.1', if re.match(r'^\*@.+$', rcpt_addr, re.IGNORECASE):
g_milter_reject_message + ' (' + self.mconn_id + ')' return self.milter_action(
) action = 'reject',
return Milter.REJECT reason = "Literal wildcard recipient (*@<domain>) is not " +
if re.match(r'^\*@.+$', to, re.IGNORECASE):
logging.info(self.mconn_id + "/RCPT REJECT " +
"Literal wildcard recipient (*@<domain>) is not " +
"allowed in wildcard mode!" "allowed in wildcard mode!"
) )
self.setreply('550','5.7.1', g_ldap_conn.search(g_ldap_base,
g_milter_reject_message + ' (' + self.mconn_id + ')'
)
return Milter.REJECT
self.ldap_conn.search(g_ldap_base,
"(&" + "(&" +
auth_method + auth_method +
"(|"+ "(|"+
"(allowedRcpts="+to+")"+ "(allowedRcpts=" + rcpt_addr + ")"+
"(allowedRcpts=\\2a@" + rcpt_domain + ")"+ "(allowedRcpts=\\2a@" + rcpt_domain + ")"+
"(allowedRcpts=\\2a@\\2a)"+ "(allowedRcpts=\\2a@\\2a)"+
")"+ ")"+
"(|"+ "(|"+
"(allowedSenders="+self.env_from+")"+ "(allowedSenders=" + from_addr + ")"+
"(allowedSenders=\\2a@"+self.env_from_domain+")"+ "(allowedSenders=\\2a@" + from_domain + ")"+
"(allowedSenders=\\2a@\\2a)"+ "(allowedSenders=\\2a@\\2a)"+
")"+ ")"+
")", ")",
attributes=['policyID'] attributes=['policyID']
) )
else: else:
# Wildcard-domain DISABLED
# Asterisk must be ASCII-HEX encoded for LDAP queries # Asterisk must be ASCII-HEX encoded for LDAP queries
query_from = self.env_from.replace("*","\\2a") query_from = from_addr.replace("*","\\2a")
query_to = to.replace("*","\\2a") query_to = rcpt_addr.replace("*","\\2a")
self.ldap_conn.search(g_ldap_base, g_ldap_conn.search(g_ldap_base,
"(&" + "(&" +
auth_method + auth_method +
"(allowedRcpts=" + query_to + ")" + "(allowedRcpts=" + query_to + ")" +
@ -227,132 +202,257 @@ class LdapAclMilter(Milter.Base):
")", ")",
attributes=['policyID'] attributes=['policyID']
) )
time_end = timer() if len(g_ldap_conn.entries) == 0:
if len(self.ldap_conn.entries) == 0:
# Policy not found in LDAP # Policy not found in LDAP
self.env_rcpts.append({
"rcpt": to, "action": g_milter_reject_message,
"time_start":time_start, "time_end":time_end
})
if g_milter_expect_auth == True: if g_milter_expect_auth == True:
logging.info(self.mconn_id + "/RCPT " + "policy mismatch " logging.info(self.mconn_id + " " + "policy mismatch "
"5321.from=" + self.env_from + ", 5321.rcpt=" + to + "from=" + from_addr + ", rcpt=" + rcpt_addr +
", auth_method=" + auth_method ", auth_method=" + auth_method
) )
else: else:
logging.info(self.mconn_id + "/RCPT " + "policy mismatch " logging.info(self.mconn_id + " " + "policy mismatch "
"5321.from=" + self.env_from + ", 5321.rcpt=" + to "from=" + from_addr + ", rcpt=" + rcpt_addr
) )
if g_milter_mode == 'reject': if g_milter_mode == 'reject':
logging.info(self.mconn_id + "/RCPT REJECT " return self.milter_action(
+ g_milter_reject_message action = 'reject',
reason = "policy not found!"
) )
self.setreply('550','5.7.1',
g_milter_reject_message + ' (' + self.mconn_id + ')'
)
return Milter.REJECT
else: else:
logging.info(self.mconn_id + "/RCPT TEST_MODE " + logging.info(self.mconn_id + " TEST_MODE " +
g_milter_reject_message g_milter_reject_message
) )
return Milter.CONTINUE elif len(g_ldap_conn.entries) == 1:
elif len(self.ldap_conn.entries) == 1:
# Policy found in LDAP, but which one? # Policy found in LDAP, but which one?
entry = self.ldap_conn.entries[0] entry = g_ldap_conn.entries[0]
logging.info(self.mconn_id + logging.info(self.mconn_id +
"/RCPT Policy match: " + entry.policyID.value " Policy match: " + entry.policyID.value
) )
elif len(self.ldap_conn.entries) > 1: elif len(g_ldap_conn.entries) > 1:
# Something went wrong!? There shouldn´t be more than one entries! # Something went wrong!? There shouldn´t be more than one entries!
logging.warn(self.mconn_id + "/RCPT More than one policies found! "+ logging.warning(self.mconn_id + " More than one policies found! "+
"5321.from=" + self.env_from + ", 5321.rcpt=" + to + "from=" + from_addr + ", rcpt=" + rcpt_addr +
", auth_method=" + auth_method ", auth_method=" + auth_method
) )
self.setreply('550','5.7.1', return self.milter_action(action = 'reject')
g_milter_reject_message + ' (' + self.mconn_id + ')'
)
return Milter.REJECT
else: else:
# Custom LDAP schema # Custom LDAP schema
# 'build' a LDAP query per recipient # 'build' a LDAP query per recipient
# replace all placeholders in query templates # replace all placeholders in query templates
query = g_ldap_query.replace("%rcpt%",to) query = g_ldap_query.replace("%rcpt%", rcpt_addr)
query = query.replace("%from%", self.env_from) query = query.replace("%from%", from_addr)
query = query.replace("%client_addr%", self.client_addr) query = query.replace("%client_addr%", self.client_addr)
query = query.replace("%sasl_user%", self.sasl_user) query = query.replace("%sasl_user%", self.sasl_user)
query = query.replace("%from_domain%", self.env_from_domain) query = query.replace("%from_domain%", from_domain)
query = query.replace("%rcpt_domain%", rcpt_domain) query = query.replace("%rcpt_domain%", rcpt_domain)
logging.debug(self.mconn_id + "/RCPT " + query) logging.debug(self.mconn_id + " " + query)
self.ldap_conn.search(g_ldap_base, query) g_ldap_conn.search(g_ldap_base, query)
time_end = timer() if len(g_ldap_conn.entries) == 0:
if len(self.ldap_conn.entries) == 0: logging.info(self.mconn_id + " " + "policy mismatch "
self.env_rcpts.append({ "from: " + from_addr + " and rcpt: " + rcpt_addr
"rcpt": to, "action": g_milter_reject_message,
"time_start":time_start, "time_end":time_end
})
logging.info(self.mconn_id + "/RCPT " + "policy mismatch "
"5321.from: " + self.env_from + " and 5321.rcpt: " + to
) )
if g_milter_mode == 'reject': if g_milter_mode == 'reject':
logging.info(self.mconn_id + "/RCPT REJECT " + g_milter_reject_message) return self.milter_action(
self.setreply('550','5.7.1', action = 'reject',
g_milter_reject_message + ' (' + self.mconn_id + ')' reason = 'policy mismatch'
) )
return Milter.REJECT
else: else:
logging.info(self.mconn_id + "/RCPT TEST_MODE " + logging.info(self.mconn_id + " TEST_MODE " +
g_milter_reject_message g_milter_reject_message
) )
return Milter.CONTINUE
except LDAPOperationResult as e: except LDAPOperationResult as e:
logging.warn(self.mconn_id + "/RCPT LDAP: " + str(e)) logging.error(self.mconn_id + " LDAP: " + str(e))
self.setreply('451', '4.7.1', g_milter_tmpfail_message) return self.milter_action(action = 'tmpfail')
return Milter.TEMPFAIL
except: except:
logging.error(self.mconn_id + "/RCPT LDAP: " + traceback.format_exc()) logging.error(self.mconn_id + " LDAP: " + traceback.format_exc())
self.setreply('451', '4.7.1', g_milter_tmpfail_message) return self.milter_action(action = 'tmpfail')
return Milter.TEMPFAIL return self.milter_action(action = 'continue')
self.env_rcpts.append({
"rcpt": to, "action":'pass',"time_start":time_start,"time_end":time_end
})
return Milter.CONTINUE
def data(self): # Not registered/used callbacks
# A queue-id will be generated after the first accepted RCPT TO @Milter.nocallback
# and therefore not available until DATA command def eoh(self):
self.queue_id = self.getsymval('i') return self.milter_action(action = 'continue')
try: @Milter.nocallback
for rcpt in self.env_rcpts: def body(self, chunk):
duration = rcpt['time_end'] - rcpt['time_start'] return self.milter_action(action = 'continue')
logging.info(self.mconn_id + "/DATA " + self.queue_id +
": 5321.from=" + self.env_from + " 5321.rcpt=" + def connect(self, IPname, family, hostaddr):
rcpt['rcpt'] + " action=" + rcpt['action'] + self.reset()
" duration=" + str(duration) + "sec." self.proto_stage = 'CONNECT'
self.client_addr = hostaddr[0]
logging.debug(self.mconn_id +
"/CONNECT client_addr=[" + self.client_addr + "]:" + str(hostaddr[1])
) )
return self.milter_action(action = 'continue')
def envfrom(self, mailfrom, *str):
self.reset()
self.proto_stage = 'FROM'
if g_milter_expect_auth:
try:
# this may fail, if no x509 client certificate was used.
# postfix only passes this macro to milters if the TLS connection
# with the authenticating client was trusted in a x509 manner!
# http://postfix.1071664.n5.nabble.com/verification-levels-and-Milter-tp91634p91638.html
# Unfortunately, postfix only passes the CN-field of the subject/issuer DN :-/
x509_subject = self.getsymval('{cert_subject}')
if x509_subject != None:
self.x509_subject = x509_subject
logging.debug(self.mconn_id + "/FROM x509_subject=" + self.x509_subject)
else:
logging.debug(self.mconn_id + "/FROM No x509_subject registered")
x509_issuer = self.getsymval('{cert_issuer}')
if x509_issuer != None:
self.x509_issuer = x509_issuer
logging.debug(self.mconn_id + "/FROM x509_issuer=" + self.x509_issuer)
else:
logging.debug(self.mconn_id + "/FROM No x509_issuer registered")
except: except:
logging.warn(self.mconn_id + "/DATA " + self.queue_id + logging.error(self.mconn_id + "/FROM x509 " + traceback.format_exc())
": " + traceback.format_exc()) try:
self.setreply('451', '4.7.1', g_milter_tmpfail_message) # this may fail, if no SASL authentication preceded
return Milter.TEMPFAIL sasl_user = self.getsymval('{auth_authen}')
return Milter.CONTINUE if sasl_user != None:
self.sasl_user = sasl_user
logging.debug(self.mconn_id + "/FROM sasl_user=" + self.sasl_user)
else:
logging.debug(self.mconn_id + "/FROM No sasl_user registered")
except:
logging.error(self.mconn_id + "/FROM sasl_user " + traceback.format_exc())
logging.info(self.mconn_id + "/FROM auth: " +
"client_ip={0}, x509_subject={1}, x509_issuer={2}, sasl_user={3}".format(
self.client_addr, self.x509_subject, self.x509_issuer, self.sasl_user
)
)
mailfrom = mailfrom.replace("<","")
mailfrom = mailfrom.replace(">","")
# BATV (https://tools.ietf.org/html/draft-levine-smtp-batv-01)
# Strip out Simple Private Signature (PRVS)
mailfrom = re.sub(r"^prvs=.{10}=", '', mailfrom)
# SRS (https://www.libsrs2.org/srs/srs.pdf)
m_srs = g_re_srs.match(mailfrom)
if m_srs != None:
logging.info(self.mconn_id + "/FROM " +
"Found SRS-encoded envelope-sender: " + mailfrom
)
mailfrom = m_srs.group(2) + '@' + m_srs.group(1)
logging.info(self.mconn_id + "/FROM " +
"SRS envelope-sender replaced with: " + mailfrom
)
self.env_from = mailfrom.lower()
logging.debug(self.mconn_id + "/FROM 5321.from={}".format(self.env_from))
m = g_re_domain.match(self.env_from)
if m == None:
return self.milter_action(
action = 'tmpfail',
reason = "Could not determine domain of 5321.from=" + self.env_from
)
self.env_from_domain = m.group(1)
logging.debug(self.mconn_id +
"/FROM 5321.from_domain={}".format(self.env_from_domain)
)
return self.milter_action(action = 'continue')
def envrcpt(self, to, *str):
self.proto_stage = 'RCPT'
to = to.replace("<","")
to = to.replace(">","")
to = to.lower()
logging.debug(self.mconn_id +
"/RCPT env_rcpt={}".format(to)
)
if g_milter_dkim_enabled:
# Collect all envelope-recipients for later
# investigation (EOM). Do not perform any
# policy action at this protocol phase.
self.env_rcpts.append(to)
else:
return self.check_policy(self.env_from, to)
return self.milter_action(action = 'continue')
def header(self, hname, hval):
self.proto_stage = 'HDR'
self.queue_id = self.getsymval('i')
if g_milter_dkim_enabled == True:
# Parse RFC-5322-From header
if(hname.lower() == "From".lower()):
hdr_5322_from = email.utils.parseaddr(hval)
self.hdr_from = hdr_5322_from[1].lower()
m = re.match(g_re_domain, self.hdr_from)
if m is None:
return self.milter_action(
action = 'reject',
reason = "Could not determine domain-part of 5322.from=" + self.hdr_from
)
self.hdr_from_domain = m.group(1)
logging.info(self.mconn_id + "/" + str(self.queue_id) +
"/HDR: 5322.from={0}, 5322.from_domain={1}".format(
self.hdr_from, self.hdr_from_domain
)
)
# Parse RFC-7601 Authentication-Results header
elif(hname.lower() == "Authentication-Results".lower()):
ar = None
try:
ar = authres.AuthenticationResultsHeader.parse(
"{0}: {1}".format(hname, hval)
)
if ar.authserv_id.lower() == g_milter_trusted_authservid.lower():
for ar_result in ar.results:
if ar_result.method == 'dkim':
if ar_result.result == 'pass':
self.passed_dkim_results.append({
"sdid": ar_result.header_d.lower()
})
logging.debug(self.mconn_id + "/" + str(self.queue_id) +
"/HDR: DKIM passed SDID {0}".format(ar_result.header_d)
)
self.dkim_valid = True
else:
logging.debug(self.mconn_id + "/" + str(self.queue_id) +
"/HDR: Ignoring authentication results of {0}".format(ar.authserv_id)
)
except Exception as e:
logging.info(self.mconn_id + "/" + str(self.queue_id) +
"/HDR: AR-parse exception: {0}".format(str(e))
)
return self.milter_action(action = 'continue')
def eom(self): def eom(self):
# EOM is not optional and thus, always called by MTA self.proto_stage = 'EOM'
time_end = timer() if g_milter_dkim_enabled == True:
duration = time_end - self.time_start accept_message = True
logging.info(self.mconn_id + "/EOM " + self.queue_id + for rcpt in self.env_rcpts:
" processed in " + str(duration) + " sec." logging.debug(self.mconn_id +
"/{0}/EOM rcpt={1}".format(self.queue_id, rcpt)
) )
return Milter.CONTINUE # Check 5321.sender against policy
ret = self.check_policy(self.env_from, rcpt)
if ret != Milter.CONTINUE:
if self.dkim_valid:
# Check 5322.sender against policy
ret = self.check_policy(self.hdr_from, rcpt)
if ret != Milter.CONTINUE:
accept_message = False
else:
accept_message = False
if accept_message == False:
return self.milter_action(
action = 'reject',
reason = 'sender unauthorized!'
)
return self.milter_action(action = 'continue')
def abort(self): def abort(self):
# Client disconnected prematurely # Client disconnected prematurely
return Milter.CONTINUE self.proto_stage = 'ABORT'
return self.milter_action(action = 'continue')
def close(self): def close(self):
# Always called, even when abort is called. # Always called, even when abort is called.
# Clean up any external resources here. # Clean up any external resources here.
return Milter.CONTINUE self.proto_stage = 'CLOSE'
return self.milter_action(action = 'continue')
if __name__ == "__main__": if __name__ == "__main__":
try: try:
@ -377,7 +477,7 @@ if __name__ == "__main__":
if re.match(r'^reject|permit$',os.environ['MILTER_DEFAULT_POLICY'], re.IGNORECASE): if re.match(r'^reject|permit$',os.environ['MILTER_DEFAULT_POLICY'], re.IGNORECASE):
g_milter_default_policy = str(os.environ['MILTER_DEFAULT_POLICY']).lower() g_milter_default_policy = str(os.environ['MILTER_DEFAULT_POLICY']).lower()
else: else:
logging.warn("MILTER_DEFAULT_POLICY invalid value: " + logging.warning("MILTER_DEFAULT_POLICY invalid value: " +
os.environ['MILTER_DEFAULT_POLICY'] os.environ['MILTER_DEFAULT_POLICY']
) )
if 'MILTER_NAME' in os.environ: if 'MILTER_NAME' in os.environ:
@ -420,7 +520,6 @@ if __name__ == "__main__":
if 'MILTER_WHITELISTED_RCPTS' in os.environ: if 'MILTER_WHITELISTED_RCPTS' in os.environ:
# A blank separated list is expected # A blank separated list is expected
whitelisted_rcpts_str = os.environ['MILTER_WHITELISTED_RCPTS'] whitelisted_rcpts_str = os.environ['MILTER_WHITELISTED_RCPTS']
# for whitelisted_rcpt in whitelisted_rcpts_str.split():
for whitelisted_rcpt in re.split(',|\s', whitelisted_rcpts_str): for whitelisted_rcpt in re.split(',|\s', whitelisted_rcpts_str):
if g_re_email.match(whitelisted_rcpt) == None: if g_re_email.match(whitelisted_rcpt) == None:
logging.error( logging.error(
@ -431,6 +530,15 @@ if __name__ == "__main__":
else: else:
logging.info("ENV[MILTER_WHITELISTED_RCPTS]: " + whitelisted_rcpt) logging.info("ENV[MILTER_WHITELISTED_RCPTS]: " + whitelisted_rcpt)
g_milter_whitelisted_rcpts[whitelisted_rcpt] = {} g_milter_whitelisted_rcpts[whitelisted_rcpt] = {}
if 'MILTER_DKIM_ENABLED' in os.environ:
g_milter_dkim_enabled = True
if 'MILTER_TRUSTED_AUTHSERVID' in os.environ:
g_milter_trusted_authservid = os.environ['MILTER_TRUSTED_AUTHSERVID'].lower()
logging.info("ENV[MILTER_TRUSTED_AUTHSERVID]: {0}".format(g_milter_trusted_authservid))
else:
logging.error("ENV[MILTER_TRUSTED_AUTHSERVID] is mandatory!")
sys.exit(1)
logging.info("ENV[MILTER_DKIM_ENABLED]: {0}".format(g_milter_dkim_enabled))
set_config_parameter("RESTARTABLE_SLEEPTIME", 2) set_config_parameter("RESTARTABLE_SLEEPTIME", 2)
set_config_parameter("RESTARTABLE_TRIES", 2) set_config_parameter("RESTARTABLE_TRIES", 2)
server = Server(g_ldap_server, get_info=NONE) server = Server(g_ldap_server, get_info=NONE)

27
docker-build.sh
View File

@ -1,27 +0,0 @@
#!/bin/sh
BRANCH="$(/usr/bin/git branch|/bin/grep \*|/usr/bin/awk {'print $2'})"
VERSION="$(/bin/cat VERSION)"
BASEOS="$(/bin/cat BASEOS)"
GO=""
while getopts g opt
do
case $opt in
g) GO="go";;
esac
done
if [ -z "${GO}" ] ; then
echo "Building ldap-acl-milter@docker on '${BASEOS}' for version '${VERSION}' in branch '${BRANCH}'!"
echo "GO serious with '-g'!"
exit 1
fi
IMAGES="ldap-acl-milter"
for IMAGE in ${IMAGES}; do
/usr/bin/docker build \
-t "${IMAGE}:${BRANCH}" \
-f "docker/${BASEOS}/Dockerfile" .
done

3
requirements.txt Normal file
View File

@ -0,0 +1,3 @@
authres<2
pymilter<2
ldap3<3

90
tests/miltertest-ip-conn_reuse.lua Normal file
View File

@ -0,0 +1,90 @@
-- https://mopano.github.io/sendmail-filter-api/constant-values.html#com.sendmail.milter.MilterConstants
-- http://www.opendkim.org/miltertest.8.html
-- socket must be defined as miltertest global variable (-D)
conn = mt.connect(socket)
if conn == nil then
error "mt.connect() failed"
end
if mt.conninfo(conn, "blubb-ip.host", "127.128.129.130") ~= nil then
error "mt.conninfo() failed"
end
mt.set_timeout(60)
-- 5321.FROM
if mt.mailfrom(conn, "tester-ip@test.blah") ~= nil then
error "mt.mailfrom() failed"
end
if mt.getreply(conn) ~= SMFIR_CONTINUE then
error "mt.mailfrom() unexpected reply"
end
-- 5321.RCPT+MACROS
mt.macro(conn, SMFIC_RCPT, "i", "4CgSNs5Q9sz7SllQ")
if mt.rcptto(conn, "<rcpt-ip@test.blubb>") ~= nil then
error "mt.rcptto() failed"
end
if mt.getreply(conn) ~= SMFIR_CONTINUE then
error "mt.rcptto() unexpected reply"
end
-- 5322.HEADERS
if mt.header(conn, "fRoM", '"Blah Blubb" <tester-ip@test.blah>') ~= nil then
error "mt.header(From) failed"
end
if mt.header(conn, "Authentication-REsuLTS", "my-auth-serv-id;\n dkim=pass header.d=test.blah header.s=selector1-test-blah header.b=mumble") ~= nil then
error "mt.header(Authentication-Results) failed"
end
-- EOM
if mt.eom(conn) ~= nil then
error "mt.eom() failed"
end
mt.echo("EOM: " .. mt.getreply(conn))
if mt.getreply(conn) == SMFIR_CONTINUE then
mt.echo("EOM-continue")
elseif mt.getreply(conn) == SMFIR_REPLYCODE then
mt.echo("EOM-reject")
end
-- CONNECTION REUSE
-- 5321.FROM
if mt.mailfrom(conn, "tester-ip2@test.blah") ~= nil then
error "mt.mailfrom() failed"
end
if mt.getreply(conn) ~= SMFIR_CONTINUE then
error "mt.mailfrom() unexpected reply"
end
-- 5321.RCPT+MACROS
mt.macro(conn, SMFIC_RCPT, "i", "conn-reused-QID")
if mt.rcptto(conn, "<rcpt-ip2@test.blubb>") ~= nil then
error "mt.rcptto() failed"
end
if mt.getreply(conn) ~= SMFIR_CONTINUE then
error "mt.rcptto() unexpected reply"
end
-- 5322.HEADERS
if mt.header(conn, "fRoM", '"Blah Blubb" <tester-ip2@test.blah>') ~= nil then
error "mt.header(From) failed"
end
if mt.header(conn, "Authentication-REsuLTS", "my-auth-serv-id;\n dkim=pass header.d=test.blah header.s=selector1-test-blah header.b=mumble") ~= nil then
error "mt.header(Authentication-Results) failed"
end
-- EOM
if mt.eom(conn) ~= nil then
error "mt.eom() failed"
end
mt.echo("EOM: " .. mt.getreply(conn))
if mt.getreply(conn) == SMFIR_CONTINUE then
mt.echo("EOM-continue")
elseif mt.getreply(conn) == SMFIR_REPLYCODE then
mt.echo("EOM-reject")
end
-- DISCONNECT
mt.disconnect(conn)

66
tests/miltertest-ip-multiple_rcpts.lua Normal file
View File

@ -0,0 +1,66 @@
-- https://mopano.github.io/sendmail-filter-api/constant-values.html#com.sendmail.milter.MilterConstants
-- http://www.opendkim.org/miltertest.8.html
-- socket must be defined as miltertest global variable (-D)
conn = mt.connect(socket)
if conn == nil then
error "mt.connect() failed"
end
if mt.conninfo(conn, "blubb-ip.host", "127.128.129.130") ~= nil then
error "mt.conninfo() failed"
end
mt.set_timeout(60)
-- 5321.FROM
if mt.mailfrom(conn, "tester-ipx@test.blah") ~= nil then
error "mt.mailfrom() failed"
end
if mt.getreply(conn) ~= SMFIR_CONTINUE then
error "mt.mailfrom() unexpected reply"
end
-- FIRST 5321.RCPT
if mt.rcptto(conn, "<rcpt-ip@test.blubb>") ~= nil then
error "mt.rcptto() failed"
end
if mt.getreply(conn) == SMFIR_CONTINUE then
mt.echo("RCPT1-continue")
elseif mt.getreply(conn) == SMFIR_REPLYCODE then
mt.echo("RCPT1-reject")
end
-- SECOND 5321.RCPT
if mt.rcptto(conn, "<rcpt-ip2@test.blubb>") ~= nil then
error "mt.rcptto() failed"
end
if mt.getreply(conn) == SMFIR_CONTINUE then
mt.echo("RCPT2-continue")
elseif mt.getreply(conn) == SMFIR_REPLYCODE then
mt.echo("RCPT2-reject")
end
-- SET RCPT-MACRO
mt.macro(conn, SMFIC_RCPT, "i", "some-queue-id")
-- 5322.HEADERS
if mt.header(conn, "fRoM", '"Blah Blubb" <tester-ip@test.blah>') ~= nil then
error "mt.header(From) failed"
end
if mt.header(conn, "Authentication-REsuLTS", "my-auth-serv-id;\n dkim=pass header.d=test.blah header.s=selector1-test-blah header.b=mumble") ~= nil then
error "mt.header(Authentication-Results) failed"
end
-- EOM
if mt.eom(conn) ~= nil then
error "mt.eom() failed"
end
mt.echo("EOM: " .. mt.getreply(conn))
if mt.getreply(conn) == SMFIR_CONTINUE then
mt.echo("EOM-continue")
elseif mt.getreply(conn) == SMFIR_REPLYCODE then
mt.echo("EOM-reject")
end
-- DISCONNECT
mt.disconnect(conn)

52
tests/miltertest-ip.lua Normal file
View File

@ -0,0 +1,52 @@
-- https://mopano.github.io/sendmail-filter-api/constant-values.html#com.sendmail.milter.MilterConstants
-- http://www.opendkim.org/miltertest.8.html
-- socket must be defined as miltertest global variable (-D)
conn = mt.connect(socket)
if conn == nil then
error "mt.connect() failed"
end
if mt.conninfo(conn, "blubb-ip.host", "127.128.129.130") ~= nil then
error "mt.conninfo() failed"
end
mt.set_timeout(60)
-- 5321.FROM
if mt.mailfrom(conn, "tester-ip@test.blah") ~= nil then
error "mt.mailfrom() failed"
end
if mt.getreply(conn) ~= SMFIR_CONTINUE then
error "mt.mailfrom() unexpected reply"
end
-- 5321.RCPT+MACROS
mt.macro(conn, SMFIC_RCPT, "i", "4CgSNs5Q9sz7SllQ")
if mt.rcptto(conn, "<rcpt-ip@test.blubb>") ~= nil then
error "mt.rcptto() failed"
end
if mt.getreply(conn) ~= SMFIR_CONTINUE then
error "mt.rcptto() unexpected reply"
end
-- 5322.HEADERS
if mt.header(conn, "fRoM", '"Blah Blubb" <tester-ip@test.blah>') ~= nil then
error "mt.header(From) failed"
end
if mt.header(conn, "Authentication-REsuLTS", "my-auth-serv-id;\n dkim=pass header.d=test.blah header.s=selector1-test-blah header.b=mumble") ~= nil then
error "mt.header(Authentication-Results) failed"
end
-- EOM
if mt.eom(conn) ~= nil then
error "mt.eom() failed"
end
mt.echo("EOM: " .. mt.getreply(conn))
if mt.getreply(conn) == SMFIR_CONTINUE then
mt.echo("EOM-continue")
elseif mt.getreply(conn) == SMFIR_REPLYCODE then
mt.echo("EOM-reject")
end
-- DISCONNECT
mt.disconnect(conn)

53
tests/miltertest-sasl.lua Normal file
View File

@ -0,0 +1,53 @@
-- https://mopano.github.io/sendmail-filter-api/constant-values.html#com.sendmail.milter.MilterConstants
-- http://www.opendkim.org/miltertest.8.html
-- socket must be defined as miltertest global variable (-D)
conn = mt.connect(socket)
if conn == nil then
error "mt.connect() failed"
end
if mt.conninfo(conn, "localhost", "::1") ~= nil then
error "mt.conninfo() failed"
end
mt.set_timeout(60)
-- 5321.FROM+MACROS
mt.macro(conn, SMFIC_MAIL, "{auth_authen}", "blubb-user1")
if mt.mailfrom(conn, "tester@test.blah") ~= nil then
error "mt.mailfrom() failed"
end
if mt.getreply(conn) ~= SMFIR_CONTINUE then
error "mt.mailfrom() unexpected reply"
end
-- 5321.RCPT+MACROS
mt.macro(conn, SMFIC_RCPT, "i", "4CgSNs5Q9sz7SllQ")
if mt.rcptto(conn, "<rcpt@test.blubb>") ~= nil then
error "mt.rcptto() failed"
end
if mt.getreply(conn) ~= SMFIR_CONTINUE then
error "mt.rcptto() unexpected reply"
end
-- 5322.HEADERS
if mt.header(conn, "fRoM", '"Blah Blubb" <tester@test.blah>') ~= nil then
error "mt.header(From) failed"
end
if mt.header(conn, "Authentication-RESULTS", "my-auth-serv-id;\n dkim=pass header.d=test.blah header.s=selector1-test-blah header.b=mumble") ~= nil then
error "mt.header(Authentication-Results) failed"
end
-- EOM
if mt.eom(conn) ~= nil then
error "mt.eom() failed"
end
mt.echo("EOM: " .. mt.getreply(conn))
if mt.getreply(conn) == SMFIR_CONTINUE then
mt.echo("EOM-continue")
elseif mt.getreply(conn) == SMFIR_REPLYCODE then
mt.echo("EOM-reject")
end
-- DISCONNECT
mt.disconnect(conn)

54
tests/miltertest-x509.lua Normal file
View File

@ -0,0 +1,54 @@
-- https://mopano.github.io/sendmail-filter-api/constant-values.html#com.sendmail.milter.MilterConstants
-- http://www.opendkim.org/miltertest.8.html
-- socket must be defined as miltertest global variable (-D)
conn = mt.connect(socket)
if conn == nil then
error "mt.connect() failed"
end
if mt.conninfo(conn, "localhost", "::1") ~= nil then
error "mt.conninfo() failed"
end
mt.set_timeout(60)
-- 5321.FROM+MACROS
mt.macro(conn, SMFIC_MAIL, "{cert_issuer}", "x509-issuer", "{cert_subject}", "x509-subject")
-- mt.macro(conn, SMFIC_MAIL, "{cert_subject}", "x509-subject")
if mt.mailfrom(conn, "tester-x509@test.blah") ~= nil then
error "mt.mailfrom() failed"
end
if mt.getreply(conn) ~= SMFIR_CONTINUE then
error "mt.mailfrom() unexpected reply"
end
-- 5321.RCPT+MACROS
mt.macro(conn, SMFIC_RCPT, "i", "4CgSNs5Q9sz7SllQ")
if mt.rcptto(conn, "<rcpt-x509@test.blubb>") ~= nil then
error "mt.rcptto() failed"
end
if mt.getreply(conn) ~= SMFIR_CONTINUE then
error "mt.rcptto() unexpected reply"
end
-- 5322.HEADERS
if mt.header(conn, "fRoM", '"Blah Blubb" <tester@test.blah>') ~= nil then
error "mt.header(From) failed"
end
if mt.header(conn, "Authentication-RESULTS", "my-auth-serv-id;\n dkim=pass header.d=test.blah header.s=selector1-test-blah header.b=mumble") ~= nil then
error "mt.header(Authentication-Results) failed"
end
-- EOM
if mt.eom(conn) ~= nil then
error "mt.eom() failed"
end
mt.echo("EOM: " .. mt.getreply(conn))
if mt.getreply(conn) == SMFIR_CONTINUE then
mt.echo("EOM-continue")
elseif mt.getreply(conn) == SMFIR_REPLYCODE then
mt.echo("EOM-reject")
end
-- DISCONNECT
mt.disconnect(conn)