-
Notifications
You must be signed in to change notification settings - Fork 9
/
Copy pathpostfwd-anti-spam.plugin
543 lines (456 loc) · 17.6 KB
/
postfwd-anti-spam.plugin
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
#!/usr/bin/env perl
# Declare version
our $VERSION = '2.0.0';
# English module for Perl::Critic compliance
use English qw( -no_match_vars );
# For constants
use Readonly;
# DBI
use DBI;
# Additional libraries for time and files
use IO::Handle;
use Time::Piece;
# For subnet matching and IP address validation
use Net::Subnet;
# IP validator
use Data::Validate::IP qw(is_ip is_public_ip);
# Configure default path to configuration files
# or read them from environment variables
my $cfg_anti_spam_path = '/etc/postfix/anti-spam.conf';
my $cfg_sql_statements_path = '/etc/postfix/anti-spam-sql-st.conf';
if ( $ENV{'POSTFWD_ANTISPAM_MAIN_CONFIG_PATH'} ) {
$cfg_anti_spam_path = $ENV{'POSTFWD_ANTISPAM_MAIN_CONFIG_PATH'};
}
if ( $ENV{'POSTFWD_ANTISPAM_SQL_STATEMENTS_CONFIG_PATH'} ) {
$cfg_sql_statements_path =
$ENV{'POSTFWD_ANTISPAM_SQL_STATEMENTS_CONFIG_PATH'};
}
# Main config file
use Config::Any::INI;
my $config_ref = Config::Any::INI->load($cfg_anti_spam_path);
my %config = %{$config_ref};
# Set unique IP and Country limit for logging
my $LOGGING_IP_LIMIT;
my $LOGGING_COUNTRY_LIMIT;
if ( $config{logging}{ip_limit} ) {
Readonly $LOGGING_IP_LIMIT => $config{logging}{ip_limit};
} else {
Readonly $LOGGING_IP_LIMIT => 20;
}
if ( $config{logging}{country_limit} ) {
Readonly $LOGGING_COUNTRY_LIMIT => $config{logging}{country_limit};
} else {
Readonly $LOGGING_COUNTRY_LIMIT => 5;
}
# SQL statements config file
use Config::Any::General;
my $config_sql_ref = Config::Any::General->load($cfg_sql_statements_path);
my %config_sql = %{$config_sql_ref};
# Logging
my $program = 'postfwd::anti-spam-plugin';
my $log_file_fh;
sub mylog {
my ( $log_level, @errstr ) = @_;
if ( $config{logging}{enable} ) {
my $date = localtime(time)->strftime('%F %T');
my $final_str = "$date $program $log_level: ";
foreach my $s (@errstr) {
if ( length $s ) {
$final_str = $final_str . $s;
}
}
my $tmp = print {$log_file_fh} "$final_str\n";
}
return;
}
sub mylog_info {
my @args = @_;
mylog( "INFO[$PID]", @args );
return;
}
sub mylog_err {
my @args = @_;
mylog( "ERROR[$PID]", @args );
return;
}
sub mylog_fatal {
my @args = @_;
mylog( "FATAL[$PID]", @args );
exit 1;
}
sub log_uniq_ip_spam {
my ($uniq_ip_login_count, $user) = @_;
if ($uniq_ip_login_count > $LOGGING_IP_LIMIT ) {
mylog_info("User $user was logged from more than $LOGGING_IP_LIMIT IP addresses($uniq_ip_login_count)");
}
return;
}
sub log_uniq_country_spam {
my ($uniq_country_login_count, $user) = @_;
if ($uniq_country_login_count > $LOGGING_COUNTRY_LIMIT ) {
mylog_info("User $user was logged from more than $LOGGING_COUNTRY_LIMIT countries($uniq_country_login_count)");
}
return;
}
if ( !$config{logging}{logfile}
|| !length $config{logging}{logfile}
|| $config{logging}{logfile} eq '\'\''
|| $config{logging}{logfile} eq '\'\'' )
{
if ( $config{logging}{autoflush} ) {
STDOUT->autoflush(1);
}
$log_file_fh = *STDOUT;
mylog_info('Logging destination is STDOUT');
} else {
open $log_file_fh, '>>', $config{logging}{logfile}
or die "ERROR: Could not open file '$config{logging}{logfile}' $ERRNO\n";
$log_file_fh->autoflush;
mylog_info("Logging destination is file '$config{logging}{logfile}'");
}
mylog_info("Configuration file $cfg_anti_spam_path was loaded successfully");
# IP WHITELIST
# Do not whitelist any IP addresses by default
my $ip_whitelist = subnet_matcher qw(
255.255.255.255/32
);
# Make sure that either ip_whitelist or ip_whitelist_path are used in configuration file
if ( ($config{app}{ip_whitelist} || length $config{app}{ip_whitelist}) &&
($config{app}{ip_whitelist_path} || length $config{app}{ip_whitelist_path}) ) {
mylog_fatal('Both "ip_whitelist" and "ip_whitelist_path" are defined! Please choose only one method of whitelisting.');
}
# Set whitelist according to config variable ip_whitelist
if ( $config{app}{ip_whitelist} || length $config{app}{ip_whitelist} ) {
$ip_whitelist = subnet_matcher(split /,/mxs, $config{app}{ip_whitelist});
mylog_info('IP whitelist set to CIDRs: ', $config{app}{ip_whitelist});
}
# Read list of IP addresses to whitelist from file ip_whitelist_path and set whitelist according to it
if ( $config{app}{ip_whitelist_path} || length $config{app}{ip_whitelist_path} ) {
open my $ip_whitelist_fh, '<:encoding(UTF-8)', $config{app}{ip_whitelist_path} or die "ERROR: Could not open file '$config{app}{ip_whitelist_path}' $ERRNO\n";
my @ip_list;
while (my $row = <$ip_whitelist_fh>) {
chomp $row;
if ( $row =~ m/^\s*\#/msx ) {
next;
}
push @ip_list, $row;
}
$ip_whitelist = subnet_matcher(@ip_list);
close $ip_whitelist_fh or die "ERROR: Could not close file '$config{app}{ip_whitelist_path}' $ERRNO\n";
mylog_info('IP whitelist set to file: ', $config{app}{ip_whitelist_path});
mylog_info('IP CIDRs in whitelist file: ', join(', ', @ip_list));
}
# GeoIP:
# Load GeoIP modules
use GeoIP2::Database::Reader;
if (! -e $config{app}{geoip_db_path}) {
mylog_fatal("[GeoIP2] GeoIP Database file $config{app}{geoip_db_path} doesn't exist");
}
mylog_info("[GeoIP2] Loading GeoIP Database from file $config{app}{geoip_db_path}");
# GeoIP Version 2 check
my $gi = GeoIP2::Database::Reader->new(
file => $config{app}{geoip_db_path},
locales => [ 'en' ]
);
my $gi_metadata = eval { $gi->metadata() };
if ( $EVAL_ERROR ) {
mylog_fatal('[GeoIP2] Failed to get info about GeoIP database (v2 decoder)');
} else {
mylog_info('[GeoIP2] Description: ', $gi_metadata->description()->{en});
mylog_info('[GeoIP2] Database Edition: ', $gi_metadata->binary_format_major_version(), '.', $gi_metadata->binary_format_minor_version());
mylog_info('[GeoIP2] Database Type: ', $gi_metadata->database_type());
mylog_info('[GeoIP2] Build: ', $gi_metadata->build_epoch());
mylog_info('[GeoIP2] IP Version: ', $gi_metadata->ip_version());
}
mylog_info("[GeoIP2] GeoIP2 database $config{app}{geoip_db_path} was loaded successfully");
sub geoip_country_code {
my ($client_ip) = @_;
my $cc;
my $country = eval {
$gi->country( ip => $client_ip );
};
if ( $EVAL_ERROR ) {
if ($EVAL_ERROR =~ m/No record found for IP address/ims ) {
mylog_info("[GeoIP2] Cannot find IP address [$client_ip] in GeoIP database");
return;
}
if ($EVAL_ERROR =~ m/The IP address you provided (.*) is not a public IP address/ims ) {
mylog_info("[GeoIP2] IP address [$client_ip] is not public");
return;
}
if ($EVAL_ERROR =~ m/is not a valid IP/ims ) {
mylog_info("[GeoIP2] Invalid IP address [$client_ip]");
return;
}
if ($EVAL_ERROR =~ m/The IP address you provided (.*) is not a valid IPv4/ims ) {
mylog_info("[GeoIP2] Invalid IP address [$client_ip]");
return;
}
}
my $country_rec = $country->country();
$cc = eval { $country_rec->iso_code() };
if ( $EVAL_ERROR ) {
mylog_info("[GeoIP2] Country code for IP address [$client_ip] is empty");
return;
}
return $cc;
}
# DB connection
# Update values to your DB connection in config file /etc/postfix/anti-spam.conf
my $dbh;
my $dsn =
"DBI:$config{database}{driver}:database=$config{database}{database};host=$config{database}{host};port=$config{database}{port}";
my %attr = ( RaiseError => 0, PrintError => 1, AutoCommit => 1 );
mylog_info("Starting postfwd plugin with dsn '$dsn'");
# Connect to DB, do 3 retries with 10 second timeout
Readonly my $DB_CONN_RETRIES => 3;
Readonly my $DB_CONN_TIMEOUT => 10;
for ( 1 .. $DB_CONN_RETRIES ) {
$dbh = DBI->connect(
$dsn,
$config{database}{userid},
$config{database}{password}, \%attr
) and last;
mylog_err( 'Retry ', $_, '/3', ' - ', DBI->errstr );
sleep $DB_CONN_TIMEOUT;
}
if ( !defined $dbh ) {
mylog_fatal 'Could not connect to configured database after 3 retries';
} else {
mylog_info('Database connection successful');
}
# Create table "postfwd_logins" if it does not exist
mylog_info('Creating table postfwd_logins if it does not exist');
my $create_table_sth = $dbh->prepare( $config_sql{create_table_st} )
or mylog_fatal( $dbh->errstr );
$create_table_sth->execute() or mylog_fatal( $create_table_sth->errstr );
mylog_info(
'Table was created successfully and plugin is correctly initialized.');
# Setup initial time for flushing database records older than interval set in config file
my $last_cache_flush = time;
# Function: Test if database connection is still alive
sub is_db_connection_alive {
my $rc = $dbh->ping;
if ( !$rc ) {
mylog_info(
"Database connection dropped (rc=$rc). Reconnecting to database."
);
$dbh = DBI->connect_cached(
$dsn,
$config{database}{userid},
$config{database}{password}, \%attr
) or mylog_fatal( DBI->errstr );
}
return 1
}
# Function: Check if user exists in logins database
sub user_exists {
my ($user) = @_;
my $check_user_existence_sth =
$dbh->prepare( $config_sql{check_user_existence_st} )
or do {
mylog_err( $dbh->errstr );
return 0;
};
my $row_count = $check_user_existence_sth->execute($user);
if ( $row_count == 0 ) {
if ( $check_user_existence_sth->err ) {
mylog_err( $check_user_existence_sth->errstr );
}
return 0;
}
return 1;
}
%postfwd_items_plugin = (
'incr_client_country_login_count' => sub {
my ($request) = shift;
my ($result) = undef;
$result->{incr_client_country_login_count} = 0;
# Check if we still have DB connection
is_db_connection_alive();
# Clear old records after flush interval expired
if ( ( $last_cache_flush + $config{app}{db_flush_interval} ) < time ) {
mylog_info(
"Removing records which are older than $config{app}{db_flush_interval}"
);
my $clear_table_sth =
$dbh->prepare( $config_sql{delete_old_logins_st} )
or do { mylog_err( $dbh->errstr ); return $result; };
$clear_table_sth->execute( $config{app}{db_flush_interval} )
or do { mylog_err( $clear_table_sth->errstr ); return $result; };
mylog_info("DB in pid $PID cleared!");
$last_cache_flush = time;
}
# Check if IP address is in whitelist and return from function if yes
if ( $ip_whitelist->($request->{client_address}) ) {
return $result;
}
# Get sasl_username from request
my $user = $request->{sasl_username};
if ( !length $user || !($user) ) {
return $result;
}
# Get client address
my $client_ip = $request->{client_address};
if ( !length $client_ip || !($client_ip) ) {
return $result;
}
# Validate if IP address is IPv4 or IPv6 public address
if (is_ip($client_ip)) {
if (! is_public_ip($client_ip)) {
mylog_info("'$client_ip' is not a public address");
return $result;
}
} else {
mylog_info("'$client_ip' is not a valid IPv4 or IPv6 address");
return $result;
}
# Get country code from GeoIP module
my $cc = geoip_country_code($client_ip);
if ( !defined $cc ) {
return $result;
}
# Check if user with given IP already has record
my $check_row_existence_sth =
$dbh->prepare( $config_sql{check_row_existence_st} )
or do { mylog_err( $dbh->errstr ); return $result; };
if ( !( $check_row_existence_sth->execute( $user, $client_ip, $cc ) ) )
{
mylog_err( $check_row_existence_sth->errstr );
return $result;
}
# Check how many rows were returned (0 or more)
my $row_count = $check_row_existence_sth->fetchrow_array;
if ( $check_row_existence_sth->err ) {
mylog_err( $check_row_existence_sth->errstr );
return $result;
}
if ( $row_count == 0 ) {
# Save new user mail into hash if it does not exists
mylog_info("Inserting $user, $client_ip, $cc");
my $insert_sth = $dbh->prepare( $config_sql{insert_st} )
or do { mylog_err( $dbh->errstr ); return $result; };
$insert_sth->execute( $user, $client_ip, $cc,
localtime(time)->strftime('%F %T') )
or do { mylog_err( $insert_sth->errstr ); return $result; };
} else {
# Increment or initialize login count for user and given IP/country
mylog_info("Incrementing $user, $client_ip, $cc");
my $increment_sth = $dbh->prepare( $config_sql{increment_st} )
or do { mylog_err( $dbh->errstr ); return $result; };
$increment_sth->execute( localtime(time)->strftime('%F %T'),
$user, $client_ip, $cc )
or do { mylog_err( $increment_sth->errstr ); return $result; };
}
# Get number of logins from given IP
my $login_count_from_country_sth =
$dbh->prepare( $config_sql{login_count_from_country_st} )
or do { mylog_err( $dbh->errstr ); return $result; };
if (
!(
$login_count_from_country_sth->execute(
$user, $client_ip, $cc
)
)
)
{
mylog_err( $login_count_from_country_sth->errstr );
return $result;
}
# Fetch number of logins from sth
$result->{incr_client_country_login_count} =
$login_count_from_country_sth->fetchrow_array;
if ( !$result->{incr_client_country_login_count} ) {
if ( $login_count_from_country_sth->err ) {
mylog_err( $login_count_from_country_sth->errstr );
}
return $result;
}
mylog_info(
"Number of logins from IP $client_ip is $result->{incr_client_country_login_count}"
);
# Return number of logins from country last logged from
return $result;
},
'client_uniq_country_login_count' => sub {
my ($request) = shift;
my ($result) = undef;
$result->{client_uniq_country_login_count} = 0;
# Check if we still have DB connection
is_db_connection_alive();
# Get sasl_username
my $user = $request->{sasl_username};
if ( !length $user || !($user) ) {
return $result;
}
# Check if user already exists, if not return from function
if (!user_exists($user)) {
return $result;
}
# Get number of unique countries from which has user logged in
my $num_countries_logs_sth =
$dbh->prepare( $config_sql{num_countries_logs_st} )
or do { mylog_err( $dbh->errstr ); return $result; };
if ( !( $num_countries_logs_sth->execute($user) ) ) {
mylog_err( $num_countries_logs_sth->errstr );
return $result;
}
# Get first row of data
$result->{client_uniq_country_login_count} =
$num_countries_logs_sth->fetchrow_array;
if ( !$result->{client_uniq_country_login_count} ) {
if ( $num_countries_logs_sth->err ) {
mylog_err( $num_countries_logs_sth->errstr );
}
return $result;
}
$request->{client_uniq_country_login_count} = $result->{client_uniq_country_login_count};
# Print unique number of countries that user was logged in from
mylog_info(
"Number of unique countries logged in from user [$user]: $result->{client_uniq_country_login_count}"
);
log_uniq_country_spam($result->{client_uniq_country_login_count}, $user);
# Returns number of countries from which user logged in to an email via sasl
return $result;
},
'client_uniq_ip_login_count' => sub {
my ($request) = shift;
my ($result) = undef;
$result->{client_ip_login_count} = 0;
# Check if we still have DB connection
is_db_connection_alive();
# Get sasl_username
my $user = $request->{sasl_username};
if ( !length $user || !($user) ) {
return $result;
}
# Check if user already exists, if not return from function
if (!user_exists($user)) {
return $result;
}
# Get number of unique IPs from which has user logged in
my $num_ip_logs_sth = $dbh->prepare( $config_sql{num_ip_logs_st} )
or do { mylog_err( $dbh->errstr ); return $result; };
if ( !( $num_ip_logs_sth->execute($user) ) ) {
mylog_err( $num_ip_logs_sth->errstr );
return $result;
}
# Get first row of data
$result->{client_uniq_ip_login_count} = $num_ip_logs_sth->fetchrow_array;
if ( !$result->{client_uniq_ip_login_count} ) {
if ( $num_ip_logs_sth->err ) {
mylog_err( $num_ip_logs_sth->errstr );
}
return $result;
}
$request->{client_uniq_ip_login_count} = $result->{client_uniq_ip_login_count};
# Print unique number of IPs that user was logged in from
mylog_info(
"Number of unique IPs logged in from user [$user]: $result->{client_uniq_ip_login_count}"
);
log_uniq_ip_spam($result->{client_uniq_ip_login_count}, $user);
# Returns number of IPs from which user logged in to an email via sasl
return $result;
},
);
1;