-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathspfmilter.py
306 lines (282 loc) · 11.4 KB
/
spfmilter.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
#!/usr/bin/python3
from __future__ import print_function
# A simple SPF milter.
# You must install pyspf for this to work.
# http://www.sendmail.org/doc/sendmail-current/libmilter/docs/installation.html
# Author: Stuart D. Gathman <[email protected]>
# Copyright 2007 Business Management Systems, Inc.
# This code is under GPL. See COPYING for details.
import sys
import os
import Milter
import spf
import syslog
from Milter.config import MilterConfigParser
from Milter.policy import MTAPolicy
from Milter.utils import iniplist,parse_addr,ip4re
syslog.openlog('spfmilter',0,syslog.LOG_MAIL)
class Config(object):
"Hold configuration options."
def __init__(self):
self.internal_connect = ()
self.trusted_relay = ()
self.trusted_forwarder = ()
self.access_file = None
self.access_file_nulls = False
self.access_file_colon = True
#os.umask(config.savumask)
config = None
def read_config(cfglist):
"Return new config object."
cp = MilterConfigParser({
'access_file_nulls': 'no'
})
cp.read(cfglist)
if cp.has_option('milter','datadir'):
os.chdir(cp.get('milter','datadir'))
conf = Config()
conf.socketname = cp.getdefault('milter','socketname', '/tmp/spfmiltersock')
conf.miltername = cp.getdefault('milter','name','pyspffilter')
conf.trusted_relay = cp.getlist('milter','trusted_relay')
conf.internal_connect = cp.getlist('milter','internal_connect')
conf.untrapped_exception = cp.getdefault('milter','untrapped_exception',
'CONTINUE')
conf.umask = int(cp.getdefault('milter','umask',default='0o177'),base=0)
# SPF options
if cp.has_option('spf','trusted_forwarder'):
conf.trusted_forwarder = cp.getlist('spf','trusted_forwarder')
else: # backward compatibility with config typo
conf.trusted_forwarder = cp.getlist('spf','trusted_relay')
conf.access_file = cp.getdefault('spf','access_file',None)
conf.access_file_nulls = cp.getboolean('spf','access_file_nulls')
conf.access_file_colon = cp.getboolean('spf','access_file_colon')
return conf
class spfMilter(Milter.Base):
"Milter to check SPF. Each connection gets its own instance."
def log(self,*msg):
syslog.syslog('[%d] %s' % (self.id,' '.join([str(m) for m in msg])))
def __init__(self):
self.mailfrom = None
self.id = Milter.uniqueID()
# we don't want config used to change during a connection
self.conf = config
# addheader can only be called from eom(). This accumulates added headers
# which can then be applied by alter_headers()
def add_header(self,name,val,idx=-1):
self.new_headers.append((name,val,idx))
self.log('%s: %s' % (name,val))
@Milter.noreply
def connect(self,hostname,unused,hostaddr):
self.internal_connection = False
self.trusted_relay = False
self.hello_name = None
# sometimes people put extra space in sendmail config, so we strip
self.receiver = self.getsymval('j').strip()
if hostaddr and len(hostaddr) > 0:
ipaddr = hostaddr[0]
if iniplist(ipaddr,self.conf.internal_connect):
self.internal_connection = True
if iniplist(ipaddr,self.conf.trusted_relay):
self.trusted_relay = True
else: ipaddr = ''
self.connectip = ipaddr
if self.internal_connection:
connecttype = 'INTERNAL'
else:
connecttype = 'EXTERNAL'
if self.trusted_relay:
connecttype += ' TRUSTED'
self.log("connect from %s at %s %s" % (hostname,hostaddr,connecttype))
return Milter.CONTINUE
def hello(self,hostname):
self.hello_name = hostname
self.log("hello from %s" % hostname)
if not self.internal_connection:
# Allow illegal HELO from internal network, some email enabled copier/fax
# type devices (Toshiba) have broken firmware.
if ip4re.match(hostname):
self.log("REJECT: numeric hello name:",hostname)
self.setreply('550','5.7.1','hello name cannot be numeric ip')
return Milter.REJECT
return Milter.CONTINUE
# multiple messages can be received on a single connection
# envfrom (MAIL FROM in the SMTP protocol) seems to mark the start
# of each message.
def envfrom(self,f,*str):
self.log("mail from",f,str)
self.new_headers = []
if not self.hello_name:
self.log('REJECT: missing HELO')
self.setreply('550','5.7.1',"It's polite to say helo first.")
return Milter.REJECT
self.mailfrom = f
t = parse_addr(f)
if len(t) == 2:
t[1] = t[1].lower()
domain = t[1]
else:
domain = 'localhost.localdomain'
self.canon_from = '@'.join(t)
# Check SMTP AUTH, also available:
# auth_authen authenticated user
# auth_author (ESMTP AUTH= param)
# auth_ssf (connection security, 0 = unencrypted)
# auth_type (authentication method, CRAM-MD5, DIGEST-MD5, PLAIN, etc)
# cipher_bits SSL encryption strength
# cert_subject SSL cert subject
# verify SSL cert verified
self.user = self.getsymval('{auth_authen}')
if self.user:
# Very simple SMTP AUTH policy by default:
# any successful authentication is considered INTERNAL
# Detailed authorization policy is configured in the access file below.
self.internal_connection = True
self.log(
"SMTP AUTH:",self.user, self.getsymval('{auth_type}'),
"sslbits =",self.getsymval('{cipher_bits}'),
"ssf =",self.getsymval('{auth_ssf}'), "INTERNAL"
)
# Restrict SMTP AUTH users to authorized domains
authsend = '@'.join((self.user,domain))
with MTAPolicy(authsend,self.conf) as p:
policy = p.getPolicy('smtp-auth')
print('smtp-auth policy:',policy,authsend,self.conf.access_file)
if policy:
if policy != 'OK':
self.log("REJECT: SMTP user",self.user,
"at",self.connectip,"not authorized for domain",domain)
self.setreply('550','5.7.1',
'SMTP user %s is not authorized to send from domain %s.' %
(self.user,domain)
)
return Milter.REJECT
self.log("SMTP authorized user",self.user,"sending from domain",domain)
if not (self.internal_connection or self.trusted_relay) and self.connectip:
return self.check_spf()
return Milter.CONTINUE
def eom(self):
for name,val,idx in self.new_headers:
try:
self.addheader(name,val,idx)
except:
self.addheader(name,val) # older sendmail can't insheader
return Milter.CONTINUE
def check_spf(self):
receiver = self.receiver
for tf in self.conf.trusted_forwarder:
q = spf.query(self.connectip,'',tf,receiver=receiver,strict=False)
res,code,txt = q.check()
if res == 'pass':
self.log("TRUSTED_FORWARDER:",tf)
break
else:
q = spf.query(self.connectip,self.canon_from,self.hello_name,
receiver=receiver,strict=False)
q.set_default_explanation(
'SPF fail: see http://openspf.org/why.html?sender=%s&ip=%s' % (q.s,q.i))
res,code,txt = q.check()
if res not in ('pass','temperror'):
if self.mailfrom != '<>':
# check hello name via spf unless spf pass
h = spf.query(self.connectip,'',self.hello_name,receiver=receiver)
hres,hcode,htxt = h.check()
with MTAPolicy(self.hello_name,self.conf) as hp:
policy = hp.getPolicy('helo-%s'%hres)
#print('helo-%s:%s %s'%(hres,self.hello_name,policy))
if not policy:
if hres in ('deny','fail','neutral','softfail'):
policy = 'REJECT'
else:
policy = 'OK'
if policy != 'OK':
self.log('REJECT: hello SPF: %s 550 %s' % (hres,htxt))
self.setreply('550','5.7.1',htxt,
"The hostname given in your MTA's HELO response is not listed",
"as a legitimate MTA in the SPF records for your domain. If you",
"get this bounce, the message was not in fact a forgery, and you",
"should IMMEDIATELY notify your email administrator of the problem."
)
return Milter.REJECT
else:
hres,hcode,htxt = res,code,txt
else: hres = None
with MTAPolicy(q.s,self.conf) as p:
if res == 'fail':
policy = p.getPolicy('spf-fail')
if not policy or policy == 'REJECT':
self.log('REJECT: SPF %s %i %s' % (res,code,txt))
self.setreply(str(code),'5.7.1',txt)
# A proper SPF fail error message would read:
# forger.biz [1.2.3.4] is not allowed to send mail with the domain
# "forged.org" in the sender address. Contact <[email protected]>.
return Milter.REJECT
elif res == 'softfail':
policy = p.getPolicy('spf-softfail')
if policy and policy == 'REJECT':
self.log('REJECT: SPF %s %i %s' % (res,code,txt))
self.setreply(str(code),'5.7.1',txt)
# A proper SPF fail error message would read:
# forger.biz [1.2.3.4] is not allowed to send mail with the domain
# "forged.org" in the sender address. Contact <[email protected]>.
return Milter.REJECT
elif res == 'permerror':
policy = p.getPolicy('spf-permerror')
if not policy or policy == 'REJECT':
self.log('REJECT: SPF %s %i %s' % (res,code,txt))
# latest SPF draft recommends 5.5.2 instead of 5.7.1
self.setreply(str(code),'5.5.2',txt,
'There is a fatal syntax error in the SPF record for %s' % q.o,
'We cannot accept mail from %s until this is corrected.' % q.o
)
return Milter.REJECT
elif res == 'temperror':
policy = p.getPolicy('spf-temperror')
if not policy or policy == 'REJECT':
self.log('TEMPFAIL: SPF %s %i %s' % (res,code,txt))
self.setreply(str(code),'4.3.0',txt)
return Milter.TEMPFAIL
elif res == 'neutral' or res == 'none':
policy = p.getPolicy('spf-neutral')
if policy and policy == 'REJECT':
self.log('REJECT NEUTRAL:',q.s)
self.setreply('550','5.7.1',
"%s requires an SPF PASS to accept mail from %s. [http://openspf.org]"
% (receiver,q.s))
return Milter.REJECT
elif res == 'pass':
policy = p.getPolicy('spf-pass')
if policy and policy == 'REJECT':
self.log('REJECT PASS:',q.s)
self.setreply('550','5.7.1',
"%s has been blacklisted by %s." % (q.s,receiver))
return Milter.REJECT
self.add_header('Received-SPF',q.get_header(res,receiver),0)
if hres and q.h != q.o:
self.add_header('X-Hello-SPF',hres,0)
return Milter.CONTINUE
if __name__ == "__main__":
Milter.factory = spfMilter
Milter.set_flags(Milter.CHGHDRS + Milter.ADDHDRS)
config = read_config(
['spfmilter.cfg','/etc/mail/spfmilter.cfg','/etc/postfix/spfmilter.cfg'])
ue = config.untrapped_exception.upper()
if ue == 'CONTINUE':
Milter.set_exception_policy(Milter.CONTINUE)
elif ue == 'REJECT':
Milter.set_exception_policy(Milter.REJECT)
elif ue == 'TEMPFAIL':
Milter.set_exception_policy(Milter.TEMPFAIL)
else:
print("WARNING: invalid untrapped_exception policy: %s"%ue)
miltername = config.miltername
socketname = config.socketname
# FIXME: set process umask based on config
print("""To use this with sendmail, add the following to sendmail.cf:
O InputMailFilters=%s
X%s, S=local:%s
See the sendmail README for libmilter.
spfmilter startup""" % (miltername,miltername,socketname))
sys.stdout.flush()
config.savumask = os.umask(config.umask)
Milter.runmilter(miltername,socketname,240)
print("spfmilter shutdown")