DKIM-authorisation - init

.gitignore

@@ -0,0 +1,129 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+.python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/

BASEOS

@@ -1 +0,0 @@
-debian

VERSION

@@ -1 +0,0 @@
-19.04

app/ldap-acl-milter.py

@@ -1,6 +1,7 @@
+from argparse import Action
 import Milter
 from ldap3 import (
-  Server,ServerPool,Connection,NONE,LDAPOperationResult,set_config_parameter
+  Server, Connection, NONE, set_config_parameter
 )
 import sys
 import traceback
@@ -10,6 +11,8 @@ import string
 import random
 import re
 from timeit import default_timer as timer
+import email.utils
+import authres
 
 # Globals...
 g_milter_name = 'ldap-acl-milter'
@@ -17,7 +20,6 @@ g_milter_socket = '/socket/' + g_milter_name
 g_milter_reject_message = 'Security policy violation!'
 g_milter_tmpfail_message = 'Service temporarily not available! Please try again later.'
 g_ldap_conn = None
-# ...with mostly senseless defaults ;)
 g_ldap_server = 'ldap://127.0.0.1:389'
 g_ldap_binddn = 'cn=ldap-reader,ou=binds,dc=example,dc=org'
 g_ldap_bindpw = 'TopSecret;-)'
@@ -33,123 +35,101 @@ g_milter_schema = False
 g_milter_schema_wildcard_domain = False # works only if g_milter_schema == True
 g_milter_expect_auth = False
 g_milter_whitelisted_rcpts = {}
+g_milter_dkim_enabled = False
+g_milter_trusted_authservid = None
 g_re_srs = re.compile(r"^SRS0=.+=.+=(\S+)=(\S+)\@.+$")
 
 class LdapAclMilter(Milter.Base):
   # Each new connection is handled in an own thread
   def __init__(self):
-    self.time_start = timer()
+    # client_addr gets overriden on any connect()
-    self.ldap_conn = g_ldap_conn
     self.client_addr = None
+
+  def reset(self):
+    self.proto_stage = 'proto-stage'
     self.env_from = None
     self.env_from_domain = None
     self.sasl_user = None
     self.x509_subject = None
     self.x509_issuer = None
-    # recipients list
+    self.queue_id = 'qid-na'
     self.env_rcpts = []
+    self.hdr_from = None
+    self.hdr_from_domain = None
+    self.dkim_valid = False
+    self.passed_dkim_results = []
+    logging.debug("reset(): {}".format(self.__dict__))
     # https://stackoverflow.com/a/2257449
     self.mconn_id = g_milter_name + ': ' + ''.join(
       random.choice(string.ascii_lowercase + string.digits) for _ in range(8)
     )
 
-  # Not registered/used callbacks
+  def milter_action(self, **kwargs):
-  #@Milter.nocallback
+    if 'action' not in kwargs:
-  #def hello(self, heloname)
+      raise Exception("'action' kwarg is mandatory!")
-  #  return Milter.CONTINUE
+    message = None
-  @Milter.nocallback
+    smfir = None
-  def header(self, name, hval):
+    smtp_code = None
-    return Milter.CONTINUE
+    smtp_ecode = None
-  @Milter.nocallback
+    if kwargs['action'] == 'reject':
-  def eoh(self):
+      message = g_milter_reject_message
-    return Milter.CONTINUE
+      smtp_code = '550'
-  @Milter.nocallback
+      smtp_ecode = '5.7.1'
-  def body(self, chunk):
+      smfir = Milter.REJECT
-    return Milter.CONTINUE
+    elif kwargs['action'] == 'tmpfail':
+      message = g_milter_tmpfail_message
+      smtp_code = '450'
+      smtp_ecode = '4.7.1'
+      smfir = Milter.TEMPFAIL
+    elif kwargs['action'] == 'continue':
+      message = 'continue'
+      smfir = Milter.CONTINUE
+    else:
+      raise Exception("Invalid 'action': {}".format(kwargs['action']))
+    # override message
+    if 'message' in kwargs:
+      message = kwargs['message']
+    # prepend queue-id to message if it´s already available (DATA and later)
+    if self.queue_id:
+      message = "queue_id: {0} - {1}".format(self.queue_id, message)
+    # append reason to message
+    if 'reason' in kwargs:
+      message = "{0} - reason: {1}".format(message, kwargs['reason'])
+    if kwargs['action'] == 'reject' or kwargs['action'] == 'tmpfail':
+      self.setreply(smtp_code, smtp_ecode, message)
+      logging.info(self.mconn_id + "/" +
+       self.proto_stage + ": milter_action={0} message={1}".format(kwargs['action'], message)
+      )
+    return smfir
 
-  def connect(self, IPname, family, hostaddr):
+  def check_policy(self, from_addr, rcpt_addr):
-    self.client_addr = hostaddr[0]
     logging.debug(self.mconn_id +
-      "/CONNECT client_addr=[" + self.client_addr + "]:" + str(hostaddr[1])
+      " /CHECK_POLICY/{0} from={1} rcpt={2}".format(
+        self.proto_stage, from_addr, rcpt_addr
+      )
     )
-    return Milter.CONTINUE
+    if rcpt_addr in g_milter_whitelisted_rcpts:
-
+      return self.milter_action(action = 'continue')
-  def envfrom(self, mailfrom, *str):
+    m = g_re_domain.match(from_addr)
-    try:
-      # this may fail, if no x509 client certificate was used.
-      # postfix only passes this macro to milters if the TLS connection
-      # with the authenticating client was trusted in a x509 manner!
-      # http://postfix.1071664.n5.nabble.com/verification-levels-and-Milter-tp91634p91638.html
-      # Unfortunately, postfix only passes the CN-field of the subject/issuer DN :-/
-      x509_subject = self.getsymval('{cert_subject}')
-      if x509_subject != None:
-        self.x509_subject = x509_subject
-        logging.info(self.mconn_id + "/FROM x509_subject=" + self.x509_subject)
-      x509_issuer = self.getsymval('{cert_issuer}')
-      if x509_issuer != None:
-        self.x509_issuer = x509_issuer
-        logging.info(self.mconn_id + "/FROM x509_issuer=" + self.x509_issuer)
-    except:
-      logging.error(self.mconn_id + "/FROM x509 " + traceback.format_exc())
-    try:
-      # this may fail, if no SASL authentication preceded
-      sasl_user = self.getsymval('{auth_authen}')
-      if sasl_user != None:
-        self.sasl_user = sasl_user
-        logging.info(self.mconn_id + "/FROM sasl_user=" + self.sasl_user)
-    except:
-      logging.error(self.mconn_id + "/FROM sasl_user " + traceback.format_exc())
-    mailfrom = mailfrom.replace("<","")
-    mailfrom = mailfrom.replace(">","")
-    # BATV (https://tools.ietf.org/html/draft-levine-smtp-batv-01)
-    # Strip out Simple Private Signature (PRVS)
-    mailfrom = re.sub(r"^prvs=.{10}=", '', mailfrom)
-    # SRS (https://www.libsrs2.org/srs/srs.pdf)
-    m_srs = g_re_srs.match(mailfrom)
-    if m_srs != None:
-      logging.info(self.mconn_id + "/FROM " +
-        "Found SRS-encoded envelope-sender: " + mailfrom
-      )
-      mailfrom = m_srs.group(2) + '@' + m_srs.group(1)
-      logging.info(self.mconn_id + "/FROM " +
-        "SRS envelope-sender replaced with: " + mailfrom
-      )
-    self.env_from = mailfrom
-    m = g_re_domain.match(self.env_from)
     if m == None:
-      logging.error(self.mconn_id + "/FROM " +
+      return self.milter_action(
-        "Could not determine domain of 5321.from=" + self.env_from
+        action = 'tmpfail',
+        reason = "Could not determine domain of from={}".format(from_addr)
       )
-      self.setreply('450','4.7.1', g_milter_tmpfail_message)
+    from_domain = m.group(1)
-      return Milter.TEMPFAIL
-    self.env_from_domain = m.group(1)
     logging.debug(self.mconn_id +
-      "/FROM env_from_domain=" + self.env_from_domain
+      "/{0} from_domain={1}".format(self.queue_id, from_domain)
     )
-    return Milter.CONTINUE
+    m = g_re_domain.match(rcpt_addr)
-
-  def envrcpt(self, to, *str):
-    time_start = timer()
-    to = to.replace("<","")
-    to = to.replace(">","")
-    if to in g_milter_whitelisted_rcpts:
-      time_end = timer()
-      self.env_rcpts.append({
-        "rcpt": to, "action":'whitelisted_rcpt',"time_start":time_start,"time_end":time_end
-      })
-      return Milter.CONTINUE
-    m = g_re_domain.match(to)
     if m == None:
-      logging.error(self.mconn_id + "/RCPT " +
+      return self.milter_action(
-        "Could not determine domain of 5321.to: " + to
+        action = 'tmpfail',
+        reason = "Could not determine domain of rcpt={}".format(rcpt_addr)
       )
-      self.setreply('450','4.7.1', g_milter_tmpfail_message)
-      return Milter.TEMPFAIL
     rcpt_domain = m.group(1)
     logging.debug(self.mconn_id +
-      "/RCPT rcpt_domain=" + rcpt_domain
+      "/{0} rcpt_domain={1}".format(self.queue_id, rcpt_domain)
     )
-    time_end = None
     try:
       if g_milter_schema == True:
         # LDAP-ACL-Milter schema
@@ -181,178 +161,298 @@ class LdapAclMilter(Milter.Base):
           # be ASCII-HEX encoded '\2a' (42 in decimal => answer to everything)
           # for proper use in LDAP queries.
           # In this case *@<domain> cannot be a real address!
-          if re.match(r'^\*@.+$', self.env_from, re.IGNORECASE):
+          if re.match(r'^\*@.+$', from_addr, re.IGNORECASE):
-            logging.info(self.mconn_id + "/RCPT REJECT " +
+            return self.milter_action(
-              "Literal wildcard sender (*@<domain>) is not " +
+              action = 'reject',
-              "allowed in wildcard mode!"
+              reason = "Literal wildcard sender (*@<domain>) is not " +
+                "allowed in wildcard mode!"
             )
-            self.setreply('550','5.7.1',
+          if re.match(r'^\*@.+$', rcpt_addr, re.IGNORECASE):
-              g_milter_reject_message + ' (' + self.mconn_id + ')'
+            return self.milter_action(
+              action = 'reject',
+              reason = "Literal wildcard recipient (*@<domain>) is not " +
+                "allowed in wildcard mode!"
             )
-            return Milter.REJECT
+          g_ldap_conn.search(g_ldap_base,
-          if re.match(r'^\*@.+$', to, re.IGNORECASE):
-            logging.info(self.mconn_id + "/RCPT REJECT " +
-              "Literal wildcard recipient (*@<domain>) is not " +
-              "allowed in wildcard mode!"
-            )
-            self.setreply('550','5.7.1',
-              g_milter_reject_message + ' (' + self.mconn_id + ')'
-            )
-            return Milter.REJECT
-          self.ldap_conn.search(g_ldap_base,
             "(&" +
               auth_method +
               "(|"+
-                "(allowedRcpts="+to+")"+
+                "(allowedRcpts=" + rcpt_addr + ")"+
-                "(allowedRcpts=\\2a@"+rcpt_domain+")"+
+                "(allowedRcpts=\\2a@" + rcpt_domain + ")"+
                 "(allowedRcpts=\\2a@\\2a)"+
               ")"+
               "(|"+
-                "(allowedSenders="+self.env_from+")"+
+                "(allowedSenders=" + from_addr + ")"+
-                "(allowedSenders=\\2a@"+self.env_from_domain+")"+
+                "(allowedSenders=\\2a@" + from_domain + ")"+
                 "(allowedSenders=\\2a@\\2a)"+
               ")"+
             ")",
             attributes=['policyID']
           )
         else:
+          # Wildcard-domain DISABLED
           # Asterisk must be ASCII-HEX encoded for LDAP queries
-          query_from = self.env_from.replace("*","\\2a")
+          query_from = from_addr.replace("*","\\2a")
-          query_to = to.replace("*","\\2a")
+          query_to = rcpt_addr.replace("*","\\2a")
-          self.ldap_conn.search(g_ldap_base,
+          g_ldap_conn.search(g_ldap_base,
             "(&" +
               auth_method +
-              "(allowedRcpts="+query_to+")" +
+              "(allowedRcpts=" + query_to + ")" +
-              "(allowedSenders="+query_from+")" +
+              "(allowedSenders=" + query_from + ")" +
             ")",
             attributes=['policyID']
           )
-        time_end = timer()
+        if len(g_ldap_conn.entries) == 0:
-        if len(self.ldap_conn.entries) == 0:
           # Policy not found in LDAP
-          self.env_rcpts.append({
-            "rcpt": to, "action": g_milter_reject_message,
-            "time_start":time_start, "time_end":time_end
-          })
           if g_milter_expect_auth == True:
-            logging.info(self.mconn_id + "/RCPT " + "policy mismatch "
+            logging.info(self.mconn_id + " " + "policy mismatch "
-              "5321.from=" + self.env_from + ", 5321.rcpt=" + to +
+              "from=" + from_addr + ", rcpt=" + rcpt_addr +
               ", auth_method=" + auth_method
             )
           else:
-            logging.info(self.mconn_id + "/RCPT " + "policy mismatch "
+            logging.info(self.mconn_id + " " + "policy mismatch "
-              "5321.from=" + self.env_from + ", 5321.rcpt=" + to
+              "from=" + from_addr + ", rcpt=" + rcpt_addr
             )
           if g_milter_mode == 'reject':
-            logging.info(self.mconn_id + "/RCPT REJECT "
+            return self.milter_action(
-              + g_milter_reject_message
+              action = 'reject',
+              reason = "policy not found!"
             )
-            self.setreply('550','5.7.1',
-              g_milter_reject_message + ' (' + self.mconn_id + ')'
-            )
-            return Milter.REJECT
           else:
-            logging.info(self.mconn_id + "/RCPT TEST_MODE " +
+            logging.info(self.mconn_id + " TEST_MODE " +
               g_milter_reject_message
             )
-            return Milter.CONTINUE
+        elif len(g_ldap_conn.entries) == 1:
-        elif len(self.ldap_conn.entries) == 1:
           # Policy found in LDAP, but which one?
-          entry = self.ldap_conn.entries[0]
+          entry = g_ldap_conn.entries[0]
           logging.info(self.mconn_id +
-            "/RCPT Policy match: " + entry.policyID.value
+            " Policy match: " + entry.policyID.value
           )
-        elif len(self.ldap_conn.entries) > 1:
+        elif len(g_ldap_conn.entries) > 1:
           # Something went wrong!? There shouldn´t be more than one entries!
-          logging.warn(self.mconn_id + "/RCPT More than one policies found! "+
+          logging.warning(self.mconn_id + " More than one policies found! "+
-             "5321.from=" + self.env_from + ", 5321.rcpt=" + to +
+            "from=" + from_addr + ", rcpt=" + rcpt_addr +
-             ", auth_method=" + auth_method
+            ", auth_method=" + auth_method
           )
-          self.setreply('550','5.7.1',
+          return self.milter_action(action = 'reject')
-            g_milter_reject_message + ' (' + self.mconn_id + ')'
-          )
-          return Milter.REJECT
       else:
         # Custom LDAP schema
         # 'build' a LDAP query per recipient
         # replace all placeholders in query templates
-        query = g_ldap_query.replace("%rcpt%",to)
+        query = g_ldap_query.replace("%rcpt%", rcpt_addr)
-        query = query.replace("%from%", self.env_from)
+        query = query.replace("%from%", from_addr)
         query = query.replace("%client_addr%", self.client_addr)
         query = query.replace("%sasl_user%", self.sasl_user)
-        query = query.replace("%from_domain%", self.env_from_domain)
+        query = query.replace("%from_domain%", from_domain)
         query = query.replace("%rcpt_domain%", rcpt_domain)
-        logging.debug(self.mconn_id + "/RCPT " + query)
+        logging.debug(self.mconn_id + " " + query)
-        self.ldap_conn.search(g_ldap_base, query)
+        g_ldap_conn.search(g_ldap_base, query)
-        time_end = timer()
+        if len(g_ldap_conn.entries) == 0:
-        if len(self.ldap_conn.entries) == 0:
+          logging.info(self.mconn_id + " " + "policy mismatch "
-          self.env_rcpts.append({
+            "from: " + from_addr + " and rcpt: " + rcpt_addr
-            "rcpt": to, "action": g_milter_reject_message,
-            "time_start":time_start, "time_end":time_end
-          })
-          logging.info(self.mconn_id + "/RCPT " + "policy mismatch "
-            "5321.from: " + self.env_from + " and 5321.rcpt: " + to
           )
           if g_milter_mode == 'reject':
-            logging.info(self.mconn_id + "/RCPT REJECT " + g_milter_reject_message)
+            return self.milter_action(
-            self.setreply('550','5.7.1',
+              action = 'reject',
-              g_milter_reject_message + ' (' + self.mconn_id + ')'
+              reason = 'policy mismatch'
             )
-            return Milter.REJECT
           else:
-            logging.info(self.mconn_id + "/RCPT TEST_MODE " +
+            logging.info(self.mconn_id + " TEST_MODE " +
               g_milter_reject_message
             )
-            return Milter.CONTINUE
     except LDAPOperationResult as e:
-      logging.warn(self.mconn_id + "/RCPT LDAP: " + str(e))
+      logging.error(self.mconn_id + " LDAP: " + str(e))
-      self.setreply('451', '4.7.1', g_milter_tmpfail_message)
+      return self.milter_action(action = 'tmpfail')
-      return Milter.TEMPFAIL
     except:
-      logging.error(self.mconn_id + "/RCPT LDAP: " + traceback.format_exc())
+      logging.error(self.mconn_id + " LDAP: " + traceback.format_exc())
-      self.setreply('451', '4.7.1', g_milter_tmpfail_message)
+      return self.milter_action(action = 'tmpfail')
-      return Milter.TEMPFAIL
+    return self.milter_action(action = 'continue')
-    self.env_rcpts.append({
-      "rcpt": to, "action":'pass',"time_start":time_start,"time_end":time_end
-    })
-    return Milter.CONTINUE
 
-  def data(self):
+  # Not registered/used callbacks
-    # A queue-id will be generated after the first accepted RCPT TO
+  @Milter.nocallback
-    # and therefore not available until DATA command
+  def eoh(self):
-    self.queue_id = self.getsymval('i')
+    return self.milter_action(action = 'continue')
-    try:
+  @Milter.nocallback
-      for rcpt in self.env_rcpts:
+  def body(self, chunk):
-        duration = rcpt['time_end'] - rcpt['time_start']
+    return self.milter_action(action = 'continue')
-        logging.info(self.mconn_id + "/DATA " + self.queue_id +
+
-          ": 5321.from=" + self.env_from + " 5321.rcpt=" +
+  def connect(self, IPname, family, hostaddr):
-          rcpt['rcpt'] + " action=" + rcpt['action'] +
+    self.reset()
-          " duration=" + str(duration) + "sec."
+    self.proto_stage = 'CONNECT'
+    self.client_addr = hostaddr[0]
+    logging.debug(self.mconn_id +
+      "/CONNECT client_addr=[" + self.client_addr + "]:" + str(hostaddr[1])
+    )
+    return self.milter_action(action = 'continue')
+
+  def envfrom(self, mailfrom, *str):
+    self.reset()
+    self.proto_stage = 'FROM'
+    if g_milter_expect_auth:
+      try:
+        # this may fail, if no x509 client certificate was used.
+        # postfix only passes this macro to milters if the TLS connection
+        # with the authenticating client was trusted in a x509 manner!
+        # http://postfix.1071664.n5.nabble.com/verification-levels-and-Milter-tp91634p91638.html
+        # Unfortunately, postfix only passes the CN-field of the subject/issuer DN :-/
+        x509_subject = self.getsymval('{cert_subject}')
+        if x509_subject != None:
+          self.x509_subject = x509_subject
+          logging.debug(self.mconn_id + "/FROM x509_subject=" + self.x509_subject)
+        else:
+          logging.debug(self.mconn_id + "/FROM No x509_subject registered")
+        x509_issuer = self.getsymval('{cert_issuer}')
+        if x509_issuer != None:
+          self.x509_issuer = x509_issuer
+          logging.debug(self.mconn_id + "/FROM x509_issuer=" + self.x509_issuer)
+        else:
+          logging.debug(self.mconn_id + "/FROM No x509_issuer registered")
+      except:
+        logging.error(self.mconn_id + "/FROM x509 " + traceback.format_exc())
+      try:
+        # this may fail, if no SASL authentication preceded
+        sasl_user = self.getsymval('{auth_authen}')
+        if sasl_user != None:
+          self.sasl_user = sasl_user
+          logging.debug(self.mconn_id + "/FROM sasl_user=" + self.sasl_user)
+        else:
+          logging.debug(self.mconn_id + "/FROM No sasl_user registered")
+      except:
+        logging.error(self.mconn_id + "/FROM sasl_user " + traceback.format_exc())
+      logging.info(self.mconn_id + "/FROM auth: " + 
+        "client_ip={0}, x509_subject={1}, x509_issuer={2}, sasl_user={3}".format(
+          self.client_addr, self.x509_subject, self.x509_issuer, self.sasl_user
         )
-    except:
+      )
-      logging.warn(self.mconn_id + "/DATA " + self.queue_id +
+    mailfrom = mailfrom.replace("<","")
-        ": " + traceback.format_exc())
+    mailfrom = mailfrom.replace(">","")
-      self.setreply('451', '4.7.1', g_milter_tmpfail_message)
+    # BATV (https://tools.ietf.org/html/draft-levine-smtp-batv-01)
-      return Milter.TEMPFAIL
+    # Strip out Simple Private Signature (PRVS)
-    return Milter.CONTINUE
+    mailfrom = re.sub(r"^prvs=.{10}=", '', mailfrom)
+    # SRS (https://www.libsrs2.org/srs/srs.pdf)
+    m_srs = g_re_srs.match(mailfrom)
+    if m_srs != None:
+      logging.info(self.mconn_id + "/FROM " +
+        "Found SRS-encoded envelope-sender: " + mailfrom
+      )
+      mailfrom = m_srs.group(2) + '@' + m_srs.group(1)
+      logging.info(self.mconn_id + "/FROM " +
+        "SRS envelope-sender replaced with: " + mailfrom
+      )
+    self.env_from = mailfrom.lower()
+    logging.debug(self.mconn_id + "/FROM 5321.from={}".format(self.env_from))
+    m = g_re_domain.match(self.env_from)
+    if m == None:
+      return self.milter_action(
+        action = 'tmpfail',
+        reason = "Could not determine domain of 5321.from=" + self.env_from
+      )
+    self.env_from_domain = m.group(1)
+    logging.debug(self.mconn_id +
+      "/FROM 5321.from_domain={}".format(self.env_from_domain)
+    )
+    return self.milter_action(action = 'continue')
+
+  def envrcpt(self, to, *str):
+    self.proto_stage = 'RCPT'
+    to = to.replace("<","")
+    to = to.replace(">","")
+    to = to.lower()
+    logging.debug(self.mconn_id +
+      "/RCPT env_rcpt={}".format(to)
+    )
+    if g_milter_dkim_enabled:
+      # Collect all envelope-recipients for later
+      # investigation (EOM). Do not perform any 
+      # policy action at this protocol phase.
+      self.env_rcpts.append(to)
+    else:
+      return self.check_policy(self.env_from, to)
+    return self.milter_action(action = 'continue')
+
+  def header(self, hname, hval):
+    self.proto_stage = 'HDR'
+    self.queue_id = self.getsymval('i')
+    if g_milter_dkim_enabled == True:
+      # Parse RFC-5322-From header
+      if(hname.lower() == "From".lower()):
+        hdr_5322_from = email.utils.parseaddr(hval)
+        self.hdr_from = hdr_5322_from[1].lower()
+        m = re.match(g_re_domain, self.hdr_from)
+        if m is None:
+          return self.milter_action(
+            action = 'reject',
+            reason = "Could not determine domain-part of 5322.from=" + self.hdr_from
+          )
+        self.hdr_from_domain = m.group(1)
+        logging.info(self.mconn_id + "/" + str(self.queue_id) +
+          "/HDR: 5322.from={0}, 5322.from_domain={1}".format(
+            self.hdr_from, self.hdr_from_domain
+          )
+        )
+      # Parse RFC-7601 Authentication-Results header
+      elif(hname.lower() == "Authentication-Results".lower()):
+        ar = None
+        try:
+          ar = authres.AuthenticationResultsHeader.parse(
+            "{0}: {1}".format(hname, hval)
+          )
+          if ar.authserv_id.lower() == g_milter_trusted_authservid.lower():
+            for ar_result in ar.results:
+              if ar_result.method == 'dkim':
+                if ar_result.result == 'pass':
+                  self.passed_dkim_results.append({
+                    "sdid": ar_result.header_d.lower()
+                  })
+                  logging.debug(self.mconn_id + "/" + str(self.queue_id) +
+                    "/HDR: DKIM passed SDID {0}".format(ar_result.header_d)
+                  )
+                  self.dkim_valid = True
+          else:
+            logging.debug(self.mconn_id + "/" + str(self.queue_id) +
+              "/HDR: Ignoring authentication results of {0}".format(ar.authserv_id)
+            )
+        except Exception as e:
+          logging.info(self.mconn_id + "/" + str(self.queue_id) +
+            "/HDR: AR-parse exception: {0}".format(str(e))
+          )
+    return self.milter_action(action = 'continue')
 
   def eom(self):
-    # EOM is not optional and thus, always called by MTA
+    self.proto_stage = 'EOM'
-    time_end = timer()
+    if g_milter_dkim_enabled == True:
-    duration = time_end - self.time_start
+      accept_message = True
-    logging.info(self.mconn_id + "/EOM " + self.queue_id +
+      for rcpt in self.env_rcpts:
-      " processed in " + str(duration) + " sec."
+        logging.debug(self.mconn_id +
-    )
+          "/{0}/EOM rcpt={1}".format(self.queue_id, rcpt)
-    return Milter.CONTINUE
+        )
+        # Check 5321.sender against policy
+        ret = self.check_policy(self.env_from, rcpt)
+        if ret != Milter.CONTINUE:
+          if self.dkim_valid:
+            # Check 5322.sender against policy
+            ret = self.check_policy(self.hdr_from, rcpt)
+            if ret != Milter.CONTINUE:
+              accept_message = False
+          else:
+            accept_message = False
+      if accept_message == False:
+        return self.milter_action(
+          action = 'reject',
+          reason = 'sender unauthorized!'
+        )
+    return self.milter_action(action = 'continue')
 
   def abort(self):
     # Client disconnected prematurely
-    return Milter.CONTINUE
+    self.proto_stage = 'ABORT'
+    return self.milter_action(action = 'continue')
 
   def close(self):
     # Always called, even when abort is called.
     # Clean up any external resources here.
-    return Milter.CONTINUE
+    self.proto_stage = 'CLOSE'
+    return self.milter_action(action = 'continue')
 
 if __name__ == "__main__":
   try:
@@ -377,7 +477,7 @@ if __name__ == "__main__":
       if re.match(r'^reject|permit$',os.environ['MILTER_DEFAULT_POLICY'], re.IGNORECASE):
         g_milter_default_policy = str(os.environ['MILTER_DEFAULT_POLICY']).lower()
       else:
-        logging.warn("MILTER_DEFAULT_POLICY invalid value: " +
+        logging.warning("MILTER_DEFAULT_POLICY invalid value: " +
           os.environ['MILTER_DEFAULT_POLICY']
         )
     if 'MILTER_NAME' in os.environ:
@@ -420,7 +520,6 @@ if __name__ == "__main__":
     if 'MILTER_WHITELISTED_RCPTS' in os.environ:
       # A blank separated list is expected
       whitelisted_rcpts_str = os.environ['MILTER_WHITELISTED_RCPTS']
-#      for whitelisted_rcpt in whitelisted_rcpts_str.split():
       for whitelisted_rcpt in re.split(',|\s', whitelisted_rcpts_str):
         if g_re_email.match(whitelisted_rcpt) == None:
           logging.error(
@@ -431,6 +530,15 @@ if __name__ == "__main__":
         else:
           logging.info("ENV[MILTER_WHITELISTED_RCPTS]: " + whitelisted_rcpt)
           g_milter_whitelisted_rcpts[whitelisted_rcpt] = {}
+    if 'MILTER_DKIM_ENABLED' in os.environ:
+      g_milter_dkim_enabled = True
+      if 'MILTER_TRUSTED_AUTHSERVID' in os.environ:
+        g_milter_trusted_authservid = os.environ['MILTER_TRUSTED_AUTHSERVID'].lower()
+        logging.info("ENV[MILTER_TRUSTED_AUTHSERVID]: {0}".format(g_milter_trusted_authservid))
+      else:
+        logging.error("ENV[MILTER_TRUSTED_AUTHSERVID] is mandatory!")
+        sys.exit(1)
+    logging.info("ENV[MILTER_DKIM_ENABLED]: {0}".format(g_milter_dkim_enabled))
     set_config_parameter("RESTARTABLE_SLEEPTIME", 2)
     set_config_parameter("RESTARTABLE_TRIES", 2)
     server = Server(g_ldap_server, get_info=NONE)

docker-build.sh

@@ -1,27 +0,0 @@
-#!/bin/sh
-
-BRANCH="$(/usr/bin/git branch|/bin/grep \*|/usr/bin/awk {'print $2'})"
-VERSION="$(/bin/cat VERSION)"
-BASEOS="$(/bin/cat BASEOS)"
-GO=""
-
-while getopts g opt
-do
-  case $opt in
-    g) GO="go";;
-  esac
-done
-
-if [ -z "${GO}" ] ; then
-  echo "Building ldap-acl-milter@docker on '${BASEOS}' for version '${VERSION}' in branch '${BRANCH}'!"
-  echo "GO serious with '-g'!"
-  exit 1
-fi
-
-IMAGES="ldap-acl-milter"
-
-for IMAGE in ${IMAGES}; do
-  /usr/bin/docker build \
-    -t "${IMAGE}:${BRANCH}" \
-    -f "docker/${BASEOS}/Dockerfile" .
-done

requirements.txt

@@ -0,0 +1,3 @@
+authres<2
+pymilter<2
+ldap3<3

tests/miltertest-ip-conn_reuse.lua

@@ -0,0 +1,90 @@
+-- https://mopano.github.io/sendmail-filter-api/constant-values.html#com.sendmail.milter.MilterConstants
+-- http://www.opendkim.org/miltertest.8.html
+
+-- socket must be defined as miltertest global variable (-D)
+conn = mt.connect(socket)
+if conn == nil then
+  error "mt.connect() failed"
+end
+if mt.conninfo(conn, "blubb-ip.host", "127.128.129.130") ~= nil then
+  error "mt.conninfo() failed"
+end
+
+mt.set_timeout(60)
+
+-- 5321.FROM
+if mt.mailfrom(conn, "tester-ip@test.blah") ~= nil then
+  error "mt.mailfrom() failed"
+end
+if mt.getreply(conn) ~= SMFIR_CONTINUE then
+  error "mt.mailfrom() unexpected reply"
+end
+
+-- 5321.RCPT+MACROS
+mt.macro(conn, SMFIC_RCPT, "i", "4CgSNs5Q9sz7SllQ")
+if mt.rcptto(conn, "<rcpt-ip@test.blubb>") ~= nil then
+  error "mt.rcptto() failed"
+end
+if mt.getreply(conn) ~= SMFIR_CONTINUE then
+  error "mt.rcptto() unexpected reply"
+end
+
+-- 5322.HEADERS
+if mt.header(conn, "fRoM", '"Blah Blubb" <tester-ip@test.blah>') ~= nil then
+  error "mt.header(From) failed"  
+end
+if mt.header(conn, "Authentication-REsuLTS", "my-auth-serv-id;\n  dkim=pass header.d=test.blah header.s=selector1-test-blah header.b=mumble") ~= nil then
+  error "mt.header(Authentication-Results) failed"  
+end
+
+-- EOM
+if mt.eom(conn) ~= nil then
+  error "mt.eom() failed"
+end
+mt.echo("EOM: " .. mt.getreply(conn))
+if mt.getreply(conn) == SMFIR_CONTINUE then
+  mt.echo("EOM-continue")
+elseif mt.getreply(conn) == SMFIR_REPLYCODE then
+  mt.echo("EOM-reject")
+end
+
+-- CONNECTION REUSE
+
+-- 5321.FROM
+if mt.mailfrom(conn, "tester-ip2@test.blah") ~= nil then
+  error "mt.mailfrom() failed"
+end
+if mt.getreply(conn) ~= SMFIR_CONTINUE then
+  error "mt.mailfrom() unexpected reply"
+end
+
+-- 5321.RCPT+MACROS
+mt.macro(conn, SMFIC_RCPT, "i", "conn-reused-QID")
+if mt.rcptto(conn, "<rcpt-ip2@test.blubb>") ~= nil then
+  error "mt.rcptto() failed"
+end
+if mt.getreply(conn) ~= SMFIR_CONTINUE then
+  error "mt.rcptto() unexpected reply"
+end
+
+-- 5322.HEADERS
+if mt.header(conn, "fRoM", '"Blah Blubb" <tester-ip2@test.blah>') ~= nil then
+  error "mt.header(From) failed"  
+end
+if mt.header(conn, "Authentication-REsuLTS", "my-auth-serv-id;\n  dkim=pass header.d=test.blah header.s=selector1-test-blah header.b=mumble") ~= nil then
+  error "mt.header(Authentication-Results) failed"  
+end
+
+-- EOM
+if mt.eom(conn) ~= nil then
+  error "mt.eom() failed"
+end
+mt.echo("EOM: " .. mt.getreply(conn))
+if mt.getreply(conn) == SMFIR_CONTINUE then
+  mt.echo("EOM-continue")
+elseif mt.getreply(conn) == SMFIR_REPLYCODE then
+  mt.echo("EOM-reject")
+end
+
+-- DISCONNECT
+mt.disconnect(conn)

tests/miltertest-ip-multiple_rcpts.lua

@@ -0,0 +1,66 @@
+-- https://mopano.github.io/sendmail-filter-api/constant-values.html#com.sendmail.milter.MilterConstants
+-- http://www.opendkim.org/miltertest.8.html
+
+-- socket must be defined as miltertest global variable (-D)
+conn = mt.connect(socket)
+if conn == nil then
+  error "mt.connect() failed"
+end
+if mt.conninfo(conn, "blubb-ip.host", "127.128.129.130") ~= nil then
+  error "mt.conninfo() failed"
+end
+
+mt.set_timeout(60)
+
+-- 5321.FROM
+if mt.mailfrom(conn, "tester-ipx@test.blah") ~= nil then
+  error "mt.mailfrom() failed"
+end
+if mt.getreply(conn) ~= SMFIR_CONTINUE then
+  error "mt.mailfrom() unexpected reply"
+end
+
+-- FIRST 5321.RCPT
+if mt.rcptto(conn, "<rcpt-ip@test.blubb>") ~= nil then
+  error "mt.rcptto() failed"
+end
+if mt.getreply(conn) == SMFIR_CONTINUE then
+  mt.echo("RCPT1-continue")
+elseif mt.getreply(conn) == SMFIR_REPLYCODE then
+  mt.echo("RCPT1-reject")
+end
+
+-- SECOND 5321.RCPT
+if mt.rcptto(conn, "<rcpt-ip2@test.blubb>") ~= nil then
+  error "mt.rcptto() failed"
+end
+if mt.getreply(conn) == SMFIR_CONTINUE then
+  mt.echo("RCPT2-continue")
+elseif mt.getreply(conn) == SMFIR_REPLYCODE then
+  mt.echo("RCPT2-reject")
+end
+
+-- SET RCPT-MACRO
+mt.macro(conn, SMFIC_RCPT, "i", "some-queue-id")
+
+-- 5322.HEADERS
+if mt.header(conn, "fRoM", '"Blah Blubb" <tester-ip@test.blah>') ~= nil then
+  error "mt.header(From) failed"  
+end
+if mt.header(conn, "Authentication-REsuLTS", "my-auth-serv-id;\n  dkim=pass header.d=test.blah header.s=selector1-test-blah header.b=mumble") ~= nil then
+  error "mt.header(Authentication-Results) failed"  
+end
+
+-- EOM
+if mt.eom(conn) ~= nil then
+  error "mt.eom() failed"
+end
+mt.echo("EOM: " .. mt.getreply(conn))
+if mt.getreply(conn) == SMFIR_CONTINUE then
+  mt.echo("EOM-continue")
+elseif mt.getreply(conn) == SMFIR_REPLYCODE then
+  mt.echo("EOM-reject")
+end
+
+-- DISCONNECT
+mt.disconnect(conn)

tests/miltertest-ip.lua

@@ -0,0 +1,52 @@
+-- https://mopano.github.io/sendmail-filter-api/constant-values.html#com.sendmail.milter.MilterConstants
+-- http://www.opendkim.org/miltertest.8.html
+
+-- socket must be defined as miltertest global variable (-D)
+conn = mt.connect(socket)
+if conn == nil then
+  error "mt.connect() failed"
+end
+if mt.conninfo(conn, "blubb-ip.host", "127.128.129.130") ~= nil then
+  error "mt.conninfo() failed"
+end
+
+mt.set_timeout(60)
+
+-- 5321.FROM
+if mt.mailfrom(conn, "tester-ip@test.blah") ~= nil then
+  error "mt.mailfrom() failed"
+end
+if mt.getreply(conn) ~= SMFIR_CONTINUE then
+  error "mt.mailfrom() unexpected reply"
+end
+
+-- 5321.RCPT+MACROS
+mt.macro(conn, SMFIC_RCPT, "i", "4CgSNs5Q9sz7SllQ")
+if mt.rcptto(conn, "<rcpt-ip@test.blubb>") ~= nil then
+  error "mt.rcptto() failed"
+end
+if mt.getreply(conn) ~= SMFIR_CONTINUE then
+  error "mt.rcptto() unexpected reply"
+end
+
+-- 5322.HEADERS
+if mt.header(conn, "fRoM", '"Blah Blubb" <tester-ip@test.blah>') ~= nil then
+  error "mt.header(From) failed"  
+end
+if mt.header(conn, "Authentication-REsuLTS", "my-auth-serv-id;\n  dkim=pass header.d=test.blah header.s=selector1-test-blah header.b=mumble") ~= nil then
+  error "mt.header(Authentication-Results) failed"  
+end
+
+-- EOM
+if mt.eom(conn) ~= nil then
+  error "mt.eom() failed"
+end
+mt.echo("EOM: " .. mt.getreply(conn))
+if mt.getreply(conn) == SMFIR_CONTINUE then
+  mt.echo("EOM-continue")
+elseif mt.getreply(conn) == SMFIR_REPLYCODE then
+  mt.echo("EOM-reject")
+end
+
+-- DISCONNECT
+mt.disconnect(conn)

tests/miltertest-sasl.lua

@@ -0,0 +1,53 @@
+-- https://mopano.github.io/sendmail-filter-api/constant-values.html#com.sendmail.milter.MilterConstants
+-- http://www.opendkim.org/miltertest.8.html
+
+-- socket must be defined as miltertest global variable (-D)
+conn = mt.connect(socket)
+if conn == nil then
+  error "mt.connect() failed"
+end
+if mt.conninfo(conn, "localhost", "::1") ~= nil then
+  error "mt.conninfo() failed"
+end
+
+mt.set_timeout(60)
+
+-- 5321.FROM+MACROS
+mt.macro(conn, SMFIC_MAIL, "{auth_authen}", "blubb-user1")
+if mt.mailfrom(conn, "tester@test.blah") ~= nil then
+  error "mt.mailfrom() failed"
+end
+if mt.getreply(conn) ~= SMFIR_CONTINUE then
+  error "mt.mailfrom() unexpected reply"
+end
+
+-- 5321.RCPT+MACROS
+mt.macro(conn, SMFIC_RCPT, "i", "4CgSNs5Q9sz7SllQ")
+if mt.rcptto(conn, "<rcpt@test.blubb>") ~= nil then
+  error "mt.rcptto() failed"
+end
+if mt.getreply(conn) ~= SMFIR_CONTINUE then
+  error "mt.rcptto() unexpected reply"
+end
+
+-- 5322.HEADERS
+if mt.header(conn, "fRoM", '"Blah Blubb" <tester@test.blah>') ~= nil then
+  error "mt.header(From) failed"  
+end
+if mt.header(conn, "Authentication-RESULTS", "my-auth-serv-id;\n  dkim=pass header.d=test.blah header.s=selector1-test-blah header.b=mumble") ~= nil then
+  error "mt.header(Authentication-Results) failed"  
+end
+
+-- EOM
+if mt.eom(conn) ~= nil then
+  error "mt.eom() failed"
+end
+mt.echo("EOM: " .. mt.getreply(conn))
+if mt.getreply(conn) == SMFIR_CONTINUE then
+  mt.echo("EOM-continue")
+elseif mt.getreply(conn) == SMFIR_REPLYCODE then
+  mt.echo("EOM-reject")
+end
+
+-- DISCONNECT
+mt.disconnect(conn)

tests/miltertest-x509.lua

@@ -0,0 +1,54 @@
+-- https://mopano.github.io/sendmail-filter-api/constant-values.html#com.sendmail.milter.MilterConstants
+-- http://www.opendkim.org/miltertest.8.html
+
+-- socket must be defined as miltertest global variable (-D)
+conn = mt.connect(socket)
+if conn == nil then
+  error "mt.connect() failed"
+end
+if mt.conninfo(conn, "localhost", "::1") ~= nil then
+  error "mt.conninfo() failed"
+end
+
+mt.set_timeout(60)
+
+-- 5321.FROM+MACROS
+mt.macro(conn, SMFIC_MAIL, "{cert_issuer}", "x509-issuer", "{cert_subject}", "x509-subject")
+-- mt.macro(conn, SMFIC_MAIL, "{cert_subject}", "x509-subject")
+if mt.mailfrom(conn, "tester-x509@test.blah") ~= nil then
+  error "mt.mailfrom() failed"
+end
+if mt.getreply(conn) ~= SMFIR_CONTINUE then
+  error "mt.mailfrom() unexpected reply"
+end
+
+-- 5321.RCPT+MACROS
+mt.macro(conn, SMFIC_RCPT, "i", "4CgSNs5Q9sz7SllQ")
+if mt.rcptto(conn, "<rcpt-x509@test.blubb>") ~= nil then
+  error "mt.rcptto() failed"
+end
+if mt.getreply(conn) ~= SMFIR_CONTINUE then
+  error "mt.rcptto() unexpected reply"
+end
+
+-- 5322.HEADERS
+if mt.header(conn, "fRoM", '"Blah Blubb" <tester@test.blah>') ~= nil then
+  error "mt.header(From) failed"  
+end
+if mt.header(conn, "Authentication-RESULTS", "my-auth-serv-id;\n  dkim=pass header.d=test.blah header.s=selector1-test-blah header.b=mumble") ~= nil then
+  error "mt.header(Authentication-Results) failed"  
+end
+
+-- EOM
+if mt.eom(conn) ~= nil then
+  error "mt.eom() failed"
+end
+mt.echo("EOM: " .. mt.getreply(conn))
+if mt.getreply(conn) == SMFIR_CONTINUE then
+  mt.echo("EOM-continue")
+elseif mt.getreply(conn) == SMFIR_REPLYCODE then
+  mt.echo("EOM-reject")
+end
+
+-- DISCONNECT
+mt.disconnect(conn)