mirror of
https://github.com/chillout2k/ldap-acl-milter.git
synced 2025-12-12 19:00:19 +00:00
351 lines
14 KiB
Python
351 lines
14 KiB
Python
import Milter
|
||
import traceback
|
||
import re
|
||
import email.utils
|
||
import authres
|
||
from lam_backends import g_config_backend, g_policy_backend
|
||
from lam_rex import g_rex_domain, g_rex_srs
|
||
from lam_logger import log_debug, log_info, log_warning, log_error
|
||
from lam_exceptions import LamSoftException, LamHardException
|
||
from lam_session import LamSession
|
||
|
||
class LdapAclMilter(Milter.Base):
|
||
# Each new connection is handled in an own thread
|
||
def __init__(self):
|
||
self.session = None
|
||
|
||
def do_log(self, **kwargs):
|
||
log_line = ''
|
||
if hasattr(self.session, 'mconn_id'):
|
||
log_line = "{}".format(self.session.get_mconn_id())
|
||
if self.session.get_queue_id() != 'invalid':
|
||
log_line = "{0}/{1}".format(log_line, self.session.get_queue_id())
|
||
if self.session.get_proto_stage() != 'invalid':
|
||
log_line = "{0}/{1}".format(log_line, self.session.get_proto_stage())
|
||
log_line = "{0} {1}".format(log_line, kwargs['log_message'])
|
||
if kwargs['level'] == 'error':
|
||
log_error(log_line)
|
||
elif kwargs['level'] == 'warn' or kwargs['level'] == 'warning':
|
||
log_warning(log_line)
|
||
elif kwargs['level'] == 'info':
|
||
log_info(log_line)
|
||
elif kwargs['level'] == 'debug':
|
||
log_debug(log_line)
|
||
def log_error(self, log_message):
|
||
self.do_log(level='error', log_message=log_message)
|
||
def log_warn(self, log_message):
|
||
self.do_log(level='warn', log_message=log_message)
|
||
def log_info(self, log_message):
|
||
self.do_log(level='info', log_message=log_message)
|
||
def log_debug(self, log_message):
|
||
self.do_log(level='debug', log_message=log_message)
|
||
|
||
def milter_action(self, **kwargs) -> int:
|
||
if 'action' not in kwargs:
|
||
raise Exception("'action' kwarg is mandatory!")
|
||
message = None
|
||
smfir = None
|
||
smtp_code = None
|
||
smtp_ecode = None
|
||
if kwargs['action'] == 'reject':
|
||
message = g_config_backend.milter_reject_message
|
||
smtp_code = '550'
|
||
smtp_ecode = '5.7.1'
|
||
smfir = Milter.REJECT
|
||
elif kwargs['action'] == 'tmpfail':
|
||
message = g_config_backend.milter_tmpfail_message
|
||
smtp_code = '450'
|
||
smtp_ecode = '4.7.1'
|
||
smfir = Milter.TEMPFAIL
|
||
elif kwargs['action'] == 'continue':
|
||
message = 'continue'
|
||
smfir = Milter.CONTINUE
|
||
else:
|
||
raise Exception("Invalid 'action': {}".format(kwargs['action']))
|
||
# override message
|
||
if 'message' in kwargs:
|
||
message = kwargs['message']
|
||
# prepend queue-id to message if it´s already available (DATA and later)
|
||
if self.session.get_queue_id() != 'invalid':
|
||
message = " queue_id: {0} - {1}".format(self.session.get_queue_id(), message)
|
||
# append reason to message
|
||
if 'reason' in kwargs:
|
||
message = "{0} - reason: {1}".format(message, kwargs['reason'])
|
||
if kwargs['action'] == 'reject' or kwargs['action'] == 'tmpfail':
|
||
self.log_info("{0} - milter_action={1} message={2}".format(
|
||
self.session.get_mconn_id(), kwargs['action'], message
|
||
))
|
||
self.setreply(smtp_code, smtp_ecode, message)
|
||
return smfir
|
||
|
||
def connect(self, IPname, family, hostaddr):
|
||
self.session = LamSession(hostaddr[0], g_config_backend)
|
||
self.session.set_proto_stage('CONNECT')
|
||
return self.milter_action(action = 'continue')
|
||
|
||
def envfrom(self, mailfrom, *str):
|
||
self.session.reset()
|
||
self.session.set_proto_stage('FROM')
|
||
if g_config_backend.milter_expect_auth:
|
||
try:
|
||
# this may fail, if no x509 client certificate was used.
|
||
# postfix only passes this macro to milters if the TLS connection
|
||
# with the authenticating client was trusted in a x509 manner!
|
||
# Unfortunately, postfix only passes the CN-field of the subject/issuer DN :-/
|
||
x509_subject = self.getsymval('{cert_subject}')
|
||
if x509_subject != None:
|
||
self.session.set_x509_subject(x509_subject)
|
||
self.log_debug("x509_subject={}".format(self.session.get_x509_subject()))
|
||
else:
|
||
self.log_debug("No x509_subject registered")
|
||
x509_issuer = self.getsymval('{cert_issuer}')
|
||
if x509_issuer != None:
|
||
self.session.set_x509_issuer(x509_issuer)
|
||
self.log_debug("x509_issuer={}".format(self.session.get_x509_issuer()))
|
||
else:
|
||
self.log_debug("No x509_issuer registered")
|
||
except:
|
||
self.log_error("x509 exception: {}".format(traceback.format_exc()))
|
||
try:
|
||
# this may fail, if no SASL authentication preceded
|
||
sasl_user = self.getsymval('{auth_authen}')
|
||
if sasl_user != None:
|
||
self.session.set_sasl_user(sasl_user)
|
||
self.log_debug("sasl_user={}".format(self.session.get_sasl_user()))
|
||
else:
|
||
self.log_debug("No sasl_user registered")
|
||
except:
|
||
self.log_error("sasl_user exception: {}".format(traceback.format_exc()))
|
||
self.log_info(
|
||
"auth: client_ip={0} sasl_user={1} x509_subject={2} x509_issuer={3}".format(
|
||
self.session.get_client_addr(), self.session.get_sasl_user(),
|
||
self.session.get_x509_subject(), self.session.get_x509_issuer()
|
||
)
|
||
)
|
||
if mailfrom == '<>':
|
||
self.session.set_null_sender(True)
|
||
if g_config_backend.milter_allow_null_sender and self.session.is_null_sender():
|
||
self.log_info("Null-sender accepted - skipping policy checks")
|
||
else:
|
||
mailfrom = mailfrom.replace("<","")
|
||
mailfrom = mailfrom.replace(">","")
|
||
# BATV (https://tools.ietf.org/html/draft-levine-smtp-batv-01)
|
||
# Strip out Simple Private Signature (PRVS)
|
||
mailfrom = re.sub(r"^prvs=.{10}=", '', mailfrom)
|
||
# SRS (https://www.libsrs2.org/srs/srs.pdf)
|
||
m_srs = g_rex_srs.match(mailfrom)
|
||
if m_srs != None:
|
||
self.log_info("Found SRS-encoded envelope-sender: {}".format(mailfrom))
|
||
mailfrom = m_srs.group(2) + '@' + m_srs.group(1)
|
||
self.log_info("SRS envelope-sender replaced with: {}".format(mailfrom))
|
||
self.session.set_env_from(mailfrom.lower())
|
||
self.log_debug("5321.from={}".format(self.session.get_env_from()))
|
||
m = g_rex_domain.match(self.session.get_env_from())
|
||
if m == None:
|
||
return self.milter_action(
|
||
action = 'reject',
|
||
reason = "Could not determine domain of 5321.from={}".format(
|
||
self.session.get_env_from()
|
||
)
|
||
)
|
||
return self.milter_action(action = 'continue')
|
||
|
||
def envrcpt(self, to, *str):
|
||
self.session.set_proto_stage('RCPT')
|
||
if g_config_backend.milter_allow_null_sender and self.session.is_null_sender():
|
||
return self.milter_action(action = 'continue')
|
||
to = to.replace("<","")
|
||
to = to.replace(">","")
|
||
to = to.lower()
|
||
self.log_debug("5321.rcpt={}".format(to))
|
||
if to in g_config_backend.milter_whitelisted_rcpts:
|
||
self.log_info("Welcome-listed rcpt={} - skipping policy checks".format(to))
|
||
return self.milter_action(action = 'continue')
|
||
if g_config_backend.milter_dkim_enabled:
|
||
# Collect all envelope-recipients for later
|
||
# investigation (EOM). Do not perform any
|
||
# policy action at this protocol phase.
|
||
self.session.add_env_rcpt(to)
|
||
else:
|
||
# DKIM disabled. Policy enforcement takes place here.
|
||
try:
|
||
g_policy_backend.check_policy(
|
||
self.session,
|
||
from_addr = self.session.get_env_from(),
|
||
rcpt_addr = to,
|
||
from_source = 'envelope'
|
||
)
|
||
self.session.add_env_rcpt(to)
|
||
except LamSoftException as e:
|
||
if g_config_backend.milter_mode == 'reject':
|
||
return self.milter_action(action = 'tmpfail')
|
||
except LamHardException as e:
|
||
if g_config_backend.milter_mode == 'reject':
|
||
return self.milter_action(
|
||
action = 'reject',
|
||
reason = e.message
|
||
)
|
||
else:
|
||
self.log_info("TEST-Mode: {}".format(e.message))
|
||
return self.milter_action(action = 'continue')
|
||
|
||
def header(self, hname, hval):
|
||
self.session.set_proto_stage('HDR')
|
||
self.session.set_queue_id(self.getsymval('i'))
|
||
if g_config_backend.milter_allow_null_sender and self.session.is_null_sender():
|
||
return self.milter_action(action = 'continue')
|
||
if g_config_backend.milter_dkim_enabled == True:
|
||
# Parse RFC-5322-From header
|
||
if(hname.lower() == "From".lower()):
|
||
hdr_5322_from = email.utils.parseaddr(hval)
|
||
self.session.set_hdr_from(hdr_5322_from[1].lower())
|
||
m = re.match(g_rex_domain, self.session.get_hdr_from())
|
||
if m is None:
|
||
return self.milter_action(
|
||
action = 'reject',
|
||
reason = "Could not determine domain-part of 5322.from={}".format(
|
||
self.session.get_hdr_from()
|
||
)
|
||
)
|
||
self.session.set_hdr_from_domain(m.group(1))
|
||
self.log_debug("5322.from={0}, 5322.from_domain={1}".format(
|
||
self.session.get_hdr_from(), self.session.get_hdr_from_domain()
|
||
))
|
||
# Parse RFC-7601 Authentication-Results header
|
||
elif(hname.lower() == "Authentication-Results".lower()):
|
||
ar = None
|
||
try:
|
||
ar = authres.AuthenticationResultsHeader.parse(
|
||
"{0}: {1}".format(hname, hval)
|
||
)
|
||
if ar.authserv_id.lower() == g_config_backend.milter_trusted_authservid.lower():
|
||
for ar_result in ar.results:
|
||
if ar_result.method.lower() == 'dkim':
|
||
if ar_result.result.lower() == 'pass':
|
||
self.session.add_passed_dkim_result(ar_result.header_d.lower())
|
||
self.log_debug("dkim=pass sdid={}".format(ar_result.header_d))
|
||
self.session.set_dkim_valid(True)
|
||
else:
|
||
self.log_debug(
|
||
"Ignoring authentication results of {}".format(
|
||
ar.authserv_id
|
||
)
|
||
)
|
||
except Exception as e:
|
||
self.log_info("AR-parse exception: {0}".format(str(e)))
|
||
return self.milter_action(action = 'continue')
|
||
|
||
# Not registered/used callbacks
|
||
@Milter.nocallback
|
||
def eoh(self):
|
||
return self.milter_action(action = 'continue')
|
||
@Milter.nocallback
|
||
def body(self, chunk):
|
||
return self.milter_action(action = 'continue')
|
||
|
||
def eom(self):
|
||
self.session.set_proto_stage('EOM')
|
||
if g_config_backend.milter_max_rcpt_enabled:
|
||
if len(self.session.get_env_rcpts()) > int(g_config_backend.milter_max_rcpt):
|
||
if g_config_backend.milter_mode == 'reject':
|
||
return self.milter_action(action='reject', reason='Too many recipients!')
|
||
else:
|
||
self.log_error("TEST-Mode: Too many recipients!")
|
||
if g_config_backend.milter_allow_null_sender and self.session.is_null_sender():
|
||
return self.milter_action(action = 'continue')
|
||
if g_config_backend.milter_dkim_enabled:
|
||
self.log_info(
|
||
"5321.from={0} 5322.from={1} 5322.from_domain={2} 5321.rcpt={3}".format(
|
||
self.session.get_env_from(), self.session.get_hdr_from(),
|
||
self.session.get_hdr_from_domain(), self.session.get_env_rcpts()
|
||
)
|
||
)
|
||
if self.session.is_dkim_valid():
|
||
# There is at least one valid DKIM signature!
|
||
# Check if one of them is also aligned
|
||
for passed_dkim_sdid in self.session.get_passed_dkim_results():
|
||
if self.session.get_hdr_from_domain().lower() == passed_dkim_sdid.lower():
|
||
self.session.set_dkim_aligned(True)
|
||
self.log_info("Found aligned DKIM signature for SDID: {0}".format(
|
||
passed_dkim_sdid
|
||
))
|
||
reject_message = False
|
||
for rcpt in self.session.get_env_rcpts():
|
||
if rcpt in g_config_backend.milter_whitelisted_rcpts:
|
||
self.log_info("Welcome-listed rcpt={}".format(rcpt))
|
||
try:
|
||
# Check 5321.from <-> 5321.rcpt against policy
|
||
g_policy_backend.check_policy(
|
||
self.session,
|
||
from_addr=self.session.get_env_from(),
|
||
rcpt_addr=rcpt,
|
||
from_source='envelope'
|
||
)
|
||
self.log_info(
|
||
"action=pass 5321.from={0} 5321.rcpt={1}".format(
|
||
self.session.get_env_from(), rcpt
|
||
)
|
||
)
|
||
except LamSoftException as e:
|
||
self.log_info(str(e))
|
||
if g_config_backend.milter_mode == 'reject':
|
||
return self.milter_action(action = 'tmpfail')
|
||
else:
|
||
self.log_info("TEST-Mode - tmpfail: {}".format(str(e)))
|
||
except LamHardException as e:
|
||
self.log_info(e.message)
|
||
if self.session.is_dkim_aligned():
|
||
try:
|
||
# Check 5322.from <-> 5321.rcpt against policy
|
||
g_policy_backend.check_policy(
|
||
self.session,
|
||
from_addr=self.session.get_hdr_from(),
|
||
rcpt_addr=rcpt,
|
||
from_source='from-header'
|
||
)
|
||
self.log_info(
|
||
"action=pass 5322.from={0} 5321.rcpt={1}".format(
|
||
self.session.get_hdr_from(), rcpt
|
||
)
|
||
)
|
||
except LamSoftException as e:
|
||
self.log_info(str(e))
|
||
if g_config_backend.milter_mode == 'reject':
|
||
return self.milter_action(action = 'tmpfail')
|
||
else:
|
||
self.log_info("TEST-Mode - tmpfail: {}".format(str(e)))
|
||
except LamHardException as e:
|
||
reject_message = True
|
||
else:
|
||
reject_message = True
|
||
if reject_message:
|
||
if g_config_backend.milter_mode == 'reject':
|
||
return self.milter_action(
|
||
action = 'reject',
|
||
reason = 'policy mismatch! Message rejected for all recipients!'
|
||
)
|
||
else:
|
||
self.log_info(
|
||
"TEST-Mode: policy mismatch! Message would be rejected for all recipients!"
|
||
)
|
||
else:
|
||
# * DKIM check disabled
|
||
# Iterate through all accepted envelope recipients and log success
|
||
for rcpt in self.session.get_env_rcpts():
|
||
self.log_info("action=pass 5321.from={0} 5321.rcpt={1}".format(
|
||
self.session.get_env_from(), rcpt)
|
||
)
|
||
# No policy violations so far :-)
|
||
return self.milter_action(action = 'continue')
|
||
|
||
def abort(self):
|
||
# Client disconnected prematurely
|
||
self.session.set_proto_stage('ABORT')
|
||
return self.milter_action(action = 'continue')
|
||
|
||
def close(self):
|
||
# Always called, even when abort is called.
|
||
# Clean up any external resources here.
|
||
self.session.set_proto_stage('CLOSE')
|
||
return self.milter_action(action = 'continue')
|