
Added dmarc allow header from Rspamd

Will Browning 3 年之前
父節點
當前提交
1e93c6f8b2

+ 21 - 1
SELF-HOSTING.md

@@ -907,7 +907,7 @@ Here we are telling Rspamd to add a header to any message that fails DMARC check
 Next we'll configure the headers to add, create a new file `/etc/rspamd/local.d/milter_headers.conf` and enter the following inside:
 
 ```
-use = ["authentication-results", "remove-headers", "spam-header"];
+use = ["authentication-results", "remove-headers", "spam-header", "add_dmarc_allow_header"];
 
 routines {
   remove-headers {
@@ -929,10 +929,30 @@ routines {
     remove = 0;
   }
 }
+
+custom {
+  add_dmarc_allow_header = <<EOD
+return function(task, common_meta)
+  if task:has_symbol('DMARC_POLICY_ALLOW') then
+    return nil,
+    {['X-AnonAddy-Dmarc-Allow'] = 'Yes'},
+    {['X-AnonAddy-Dmarc-Allow'] = 0},
+    {}
+  end
+
+  return nil,
+  {},
+  {['X-AnonAddy-Dmarc-Allow'] = 0},
+  {}
+end
+EOD;
+}
 ```
 
 The authentication results header will give information on whether the message passed SPF, DKIM and DMARC checks and the spam header will be added if it fails any of these.
 
+The custom routine we've created `add_dmarc_allow_header` will simply add a header to messages that have the `DMARC_POLICY_ALLOW` symbol present in Rspamd. We will use this to only allow replies / sends from aliases that are explicity permitted by their DMARC policy, in order to prevent anyone spoofing any of your recipient's email addresses.
+
 To see the currently enabled modules in Rspamd we can run:
 
 ```bash

+ 2 - 2
app/Console/Commands/ReceiveEmail.php

@@ -144,8 +144,8 @@ class ReceiveEmail extends Command
                 // Check whether this email is a reply/send from or a new email to be forwarded.
                 if (filter_var(Str::replaceLast('=', '@', $recipient['extension']), FILTER_VALIDATE_EMAIL) && $user->isVerifiedRecipient($this->getSenderFrom())) {
 
-                    // Check if the spam header is present from Rspamd
-                    if ($this->parser->getHeader('X-AnonAddy-Spam')) {
+                    // Check if the Dmarc allow or spam headers are present from Rspamd
+                    if (! $this->parser->getHeader('X-AnonAddy-Dmarc-Allow') || $this->parser->getHeader('X-AnonAddy-Spam')) {
                         // Notify user and exit
                         $user->notify(new SpamReplySendAttempt($recipient, $this->getSenderFrom(), $this->parser->getHeader('X-AnonAddy-Authentication-Results')));
                         exit(0);
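Review bot: The new condition on the `if` line treats the mere presence of `X-AnonAddy-Dmarc-Allow` as proof of a DMARC pass, so the whole check hinges on Rspamd's custom routine having stripped any copy of that header the sender supplied before adding its own; the code carries no comment recording that dependency. I would add above the condition: `// X-AnonAddy-Dmarc-Allow is only trustworthy because the Rspamd add_dmarc_allow_header routine (SELF-HOSTING.md) removes any inbound copy before adding its own; if the milter is absent the check fails closed.` The fail-closed direction is right, but it also means a self-hosted install without the updated milter_headers.conf rejects every reply/send with a spam notification, which the commit message does not mention. All four fixture changes in this commit add the header, so the missing-header branch appears untested from what is visible here. The enclosing handle() block starts and ends outside the hunk.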

+ 2 - 2
config/version.yml

@@ -5,9 +5,9 @@ current:
   major: 0
   minor: 9
   patch: 1
-  prerelease: ''
+  prerelease: 1-g5ee6abf
   buildmetadata: ''
-  commit: 3044d9
+  commit: 5ee6ab
   timestamp:
     year: 2020
     month: 10

+ 30 - 30
package-lock.json

@@ -34,9 +34,9 @@
             }
         },
         "node_modules/@ampproject/remapping": {
-            "version": "2.1.0",
-            "resolved": "https://registry.npmjs.org/@ampproject/remapping/-/remapping-2.1.0.tgz",
-            "integrity": "sha512-d5RysTlJ7hmw5Tw4UxgxcY3lkMe92n8sXCcuLPAyIAHK6j8DefDwtGnVVDgOnv+RnEosulDJ9NPKQL27bDId0g==",
+            "version": "2.1.1",
+            "resolved": "https://registry.npmjs.org/@ampproject/remapping/-/remapping-2.1.1.tgz",
+            "integrity": "sha512-Aolwjd7HSC2PyY0fDj/wA/EimQT4HfEnFYNp5s9CQlrdhyvWTtvZ5YzrUPu6R6/1jKiUlxu8bUhkdSnKHNAHMA==",
             "dependencies": {
                 "@jridgewell/trace-mapping": "^0.3.0"
             },
@@ -1624,17 +1624,17 @@
             }
         },
         "node_modules/@jridgewell/resolve-uri": {
-            "version": "3.0.4",
-            "resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.0.4.tgz",
-            "integrity": "sha512-cz8HFjOFfUBtvN+NXYSFMHYRdxZMaEl0XypVrhzxBgadKIXhIkRd8aMeHhmF56Sl7SuS8OnUpQ73/k9LE4VnLg==",
+            "version": "3.0.5",
+            "resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.0.5.tgz",
+            "integrity": "sha512-VPeQ7+wH0itvQxnG+lIzWgkysKIr3L9sslimFW55rHMdGu/qCQ5z5h9zq4gI8uBtqkpHhsF4Z/OwExufUCThew==",
             "engines": {
                 "node": ">=6.0.0"
             }
         },
         "node_modules/@jridgewell/sourcemap-codec": {
-            "version": "1.4.10",
-            "resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.4.10.tgz",
-            "integrity": "sha512-Ht8wIW5v165atIX1p+JvKR5ONzUyF4Ac8DZIQ5kZs9zrb6M8SJNXpx1zn04rn65VjBMygRoMXcyYwNK0fT7bEg=="
+            "version": "1.4.11",
+            "resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.4.11.tgz",
+            "integrity": "sha512-Fg32GrJo61m+VqYSdRSjRXMjQ06j8YIYfcTqndLYVAaHmroZHLJZCydsWBOTDqXS2v+mjxohBWEMfg97GXmYQg=="
         },
         "node_modules/@jridgewell/trace-mapping": {
             "version": "0.3.4",
@@ -6905,9 +6905,9 @@
             }
         },
         "node_modules/postcss-load-config": {
-            "version": "3.1.1",
-            "resolved": "https://registry.npmjs.org/postcss-load-config/-/postcss-load-config-3.1.1.tgz",
-            "integrity": "sha512-c/9XYboIbSEUZpiD1UQD0IKiUe8n9WHYV7YFe7X7J+ZwCsEKkUJSFWjS9hBU1RR9THR7jMXst8sxiqP0jjo2mg==",
+            "version": "3.1.3",
+            "resolved": "https://registry.npmjs.org/postcss-load-config/-/postcss-load-config-3.1.3.tgz",
+            "integrity": "sha512-5EYgaM9auHGtO//ljHH+v/aC/TQ5LHXtL7bQajNAUBKUVKiYE8rYpFms7+V26D9FncaGe2zwCoPQsFKb5zF/Hw==",
             "dependencies": {
                 "lilconfig": "^2.0.4",
                 "yaml": "^1.10.2"
@@ -8483,9 +8483,9 @@
             }
         },
         "node_modules/tailwindcss": {
-            "version": "3.0.19",
-            "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-3.0.19.tgz",
-            "integrity": "sha512-rjsdfz/qZya5xQ0OVynEMETgWq1CacmftgMYeXXh6bRM5vxsNwRSbMJsCCIjq/w67om9VP/AFMolOwiE+5VKig==",
+            "version": "3.0.21",
+            "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-3.0.21.tgz",
+            "integrity": "sha512-PGTiaBu/K4QlzjKlLgtz6nVYlrmhy6INPMKYb6RHX18/VXwygFbRdAlJGl2NfXabTQOP62ttKwjQviWLKQuWrA==",
             "dependencies": {
                 "arg": "^5.0.1",
                 "chalk": "^4.1.2",
@@ -9490,9 +9490,9 @@
     },
     "dependencies": {
         "@ampproject/remapping": {
-            "version": "2.1.0",
-            "resolved": "https://registry.npmjs.org/@ampproject/remapping/-/remapping-2.1.0.tgz",
-            "integrity": "sha512-d5RysTlJ7hmw5Tw4UxgxcY3lkMe92n8sXCcuLPAyIAHK6j8DefDwtGnVVDgOnv+RnEosulDJ9NPKQL27bDId0g==",
+            "version": "2.1.1",
+            "resolved": "https://registry.npmjs.org/@ampproject/remapping/-/remapping-2.1.1.tgz",
+            "integrity": "sha512-Aolwjd7HSC2PyY0fDj/wA/EimQT4HfEnFYNp5s9CQlrdhyvWTtvZ5YzrUPu6R6/1jKiUlxu8bUhkdSnKHNAHMA==",
             "requires": {
                 "@jridgewell/trace-mapping": "^0.3.0"
             }
@@ -10578,14 +10578,14 @@
             "integrity": "sha512-ws57AidsDvREKrZKYffXddNkyaF14iHNHm8VQnZH6t99E8gczjNN0GpvcGny0imC80yQ0tHz1xVUKk/KFQSUyA=="
         },
         "@jridgewell/resolve-uri": {
-            "version": "3.0.4",
-            "resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.0.4.tgz",
-            "integrity": "sha512-cz8HFjOFfUBtvN+NXYSFMHYRdxZMaEl0XypVrhzxBgadKIXhIkRd8aMeHhmF56Sl7SuS8OnUpQ73/k9LE4VnLg=="
+            "version": "3.0.5",
+            "resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.0.5.tgz",
+            "integrity": "sha512-VPeQ7+wH0itvQxnG+lIzWgkysKIr3L9sslimFW55rHMdGu/qCQ5z5h9zq4gI8uBtqkpHhsF4Z/OwExufUCThew=="
         },
         "@jridgewell/sourcemap-codec": {
-            "version": "1.4.10",
-            "resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.4.10.tgz",
-            "integrity": "sha512-Ht8wIW5v165atIX1p+JvKR5ONzUyF4Ac8DZIQ5kZs9zrb6M8SJNXpx1zn04rn65VjBMygRoMXcyYwNK0fT7bEg=="
+            "version": "1.4.11",
+            "resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.4.11.tgz",
+            "integrity": "sha512-Fg32GrJo61m+VqYSdRSjRXMjQ06j8YIYfcTqndLYVAaHmroZHLJZCydsWBOTDqXS2v+mjxohBWEMfg97GXmYQg=="
         },
         "@jridgewell/trace-mapping": {
             "version": "0.3.4",
@@ -14573,9 +14573,9 @@
             }
         },
         "postcss-load-config": {
-            "version": "3.1.1",
-            "resolved": "https://registry.npmjs.org/postcss-load-config/-/postcss-load-config-3.1.1.tgz",
-            "integrity": "sha512-c/9XYboIbSEUZpiD1UQD0IKiUe8n9WHYV7YFe7X7J+ZwCsEKkUJSFWjS9hBU1RR9THR7jMXst8sxiqP0jjo2mg==",
+            "version": "3.1.3",
+            "resolved": "https://registry.npmjs.org/postcss-load-config/-/postcss-load-config-3.1.3.tgz",
+            "integrity": "sha512-5EYgaM9auHGtO//ljHH+v/aC/TQ5LHXtL7bQajNAUBKUVKiYE8rYpFms7+V26D9FncaGe2zwCoPQsFKb5zF/Hw==",
             "requires": {
                 "lilconfig": "^2.0.4",
                 "yaml": "^1.10.2"
@@ -15690,9 +15690,9 @@
             }
         },
         "tailwindcss": {
-            "version": "3.0.19",
-            "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-3.0.19.tgz",
-            "integrity": "sha512-rjsdfz/qZya5xQ0OVynEMETgWq1CacmftgMYeXXh6bRM5vxsNwRSbMJsCCIjq/w67om9VP/AFMolOwiE+5VKig==",
+            "version": "3.0.21",
+            "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-3.0.21.tgz",
+            "integrity": "sha512-PGTiaBu/K4QlzjKlLgtz6nVYlrmhy6INPMKYb6RHX18/VXwygFbRdAlJGl2NfXabTQOP62ttKwjQviWLKQuWrA==",
             "requires": {
                 "arg": "^5.0.1",
                 "chalk": "^4.1.2",

+ 3 - 1
resources/views/mail/spam_reply_send_attempt.blade.php

@@ -4,6 +4,8 @@
 
 An attempt to send or reply from your alias **{{ $aliasEmail }}** was just made from **{{ $recipient }}** which failed because it didn't pass authentication checks and could be a spoofed.
 
+In order to send or reply from an alias there must be a valid DMARC policy present for **{{ \Illuminate\Support\Str::afterLast($recipient, '@') }}** and your message must be permitted by that DMARC policy.
+
 The attempt was trying to send the message to the following destination: **{{ $destination }}**
 
 @if($authenticationResults)
@@ -14,6 +16,6 @@ These are the authentication results for the message:
 
 If this attempt was made by yourself then you need to @if($authenticationResults) inspect the authentication results above and @endif make sure your recipient's domain (**{{ \Illuminate\Support\Str::afterLast($recipient, '@') }}**) has the correct DNS records in place; SPF, DKIM and DMARC.
 
-If this attempt was not made by you then someone else may be attempting to send a message from your alias. Make sure you have a suitable DMARC policy in place (with p=quarantine or p=reject) along with SPF and DKIM records to protect your recipient address from being spoofed.
+If this attempt was not made by you then someone else may be attempting to send a message from your alias. Make sure you have a suitable DMARC policy in place (with p=quarantine or p=reject) along with SPF and DKIM records to protect your recipient's email address from being spoofed.
 
 @endcomponent

+ 1 - 0
tests/emails/email_multiple_reply.eml

@@ -3,6 +3,7 @@ From: Will <will@anonaddy.com>
 To: <ebay+contact=ebay.com@johndoe.anonaddy.com>, <ebay+support=ebay.com@johndoe.anonaddy.com>
 Subject: RE: Test Email
 In-Reply-To: <9f2ada5308f1a3f88515a370504a66b3@swift.generated>
+X-AnonAddy-Dmarc-Allow: Yes
 Content-Type: multipart/mixed; boundary="----=_Part_10031_1199410393.1550677940425"
 
 ------=_Part_10031_1199410393.1550677940425

+ 1 - 0
tests/emails/email_multiple_send_from.eml

@@ -2,6 +2,7 @@ Date: Wed, 20 Feb 2019 15:00:00 +0100 (CET)
 From: Will <will@anonaddy.com>
 To: <ebay+contact=ebay.com@johndoe.anonaddy.com>, <ebay+support=ebay.com@johndoe.anonaddy.com>
 Subject: Test Email
+X-AnonAddy-Dmarc-Allow: Yes
 Content-Type: multipart/mixed; boundary="----=_Part_10031_1199410393.1550677940425"
 
 ------=_Part_10031_1199410393.1550677940425

+ 1 - 0
tests/emails/email_reply.eml

@@ -3,6 +3,7 @@ From: Will <will@anonaddy.com>
 To: <ebay+contact=ebay.com@johndoe.anonaddy.com>
 Subject: RE: Test Email
 In-Reply-To: <9f2ada5308f1a3f88515a370504a66b3@swift.generated>
+X-AnonAddy-Dmarc-Allow: Yes
 Content-Type: multipart/mixed; boundary="----=_Part_10031_1199410393.1550677940425"
 
 ------=_Part_10031_1199410393.1550677940425

+ 1 - 0
tests/emails/email_send_from_alias.eml

@@ -2,6 +2,7 @@ Date: Wed, 20 Feb 2019 15:00:00 +0100 (CET)
 From: Will <will@anonaddy.com>
 To: ebay+contact=ebay.com@johndoe.anonaddy.com
 Subject: Test Email
+X-AnonAddy-Dmarc-Allow: Yes
 Content-Type: multipart/mixed; boundary="----=_Part_10031_1199410393.1550677940425"
 
 ------=_Part_10031_1199410393.1550677940425