Added dmarc allow header from Rspamd

Will Browning 2022-02-11 15:47:16 +00:00
parent 5ee6abf69b
commit 1e93c6f8b2
9 changed files with 62 additions and 36 deletions


@ -907,7 +907,7 @@ Here we are telling Rspamd to add a header to any message that fails DMARC check
Next we'll configure the headers to add, create a new file `/etc/rspamd/local.d/milter_headers.conf` and enter the following inside: Next we'll configure the headers to add, create a new file `/etc/rspamd/local.d/milter_headers.conf` and enter the following inside:
``` ```
use = ["authentication-results", "remove-headers", "spam-header"]; use = ["authentication-results", "remove-headers", "spam-header", "add_dmarc_allow_header"];
routines { routines {
remove-headers { remove-headers {
@ -929,10 +929,30 @@ routines {
remove = 0; remove = 0;
} }
} }
custom {
add_dmarc_allow_header = <<EOD
return function(task, common_meta)
if task:has_symbol('DMARC_POLICY_ALLOW') then
return nil,
{['X-AnonAddy-Dmarc-Allow'] = 'Yes'},
{['X-AnonAddy-Dmarc-Allow'] = 0},
{}
end
return nil,
{},
{['X-AnonAddy-Dmarc-Allow'] = 0},
{}
end
EOD;
}
``` ```
The authentication results header will give information on whether the message passed SPF, DKIM and DMARC checks and the spam header will be added if it fails any of these. The authentication results header will give information on whether the message passed SPF, DKIM and DMARC checks and the spam header will be added if it fails any of these.
The custom routine we've created `add_dmarc_allow_header` will simply add a header to messages that have the `DMARC_POLICY_ALLOW` symbol present in Rspamd. We will use this to only allow replies / sends from aliases that are explicity permitted by their DMARC policy, in order to prevent anyone spoofing any of your recipient's email addresses.
To see the currently enabled modules in Rspamd we can run: To see the currently enabled modules in Rspamd we can run:
```bash ```bash


@ -144,8 +144,8 @@ class ReceiveEmail extends Command
// Check whether this email is a reply/send from or a new email to be forwarded. // Check whether this email is a reply/send from or a new email to be forwarded.
if (filter_var(Str::replaceLast('=', '@', $recipient['extension']), FILTER_VALIDATE_EMAIL) && $user->isVerifiedRecipient($this->getSenderFrom())) { if (filter_var(Str::replaceLast('=', '@', $recipient['extension']), FILTER_VALIDATE_EMAIL) && $user->isVerifiedRecipient($this->getSenderFrom())) {
// Check if the spam header is present from Rspamd // Check if the Dmarc allow or spam headers are present from Rspamd
if ($this->parser->getHeader('X-AnonAddy-Spam')) { if (! $this->parser->getHeader('X-AnonAddy-Dmarc-Allow') || $this->parser->getHeader('X-AnonAddy-Spam')) {
// Notify user and exit // Notify user and exit
$user->notify(new SpamReplySendAttempt($recipient, $this->getSenderFrom(), $this->parser->getHeader('X-AnonAddy-Authentication-Results'))); $user->notify(new SpamReplySendAttempt($recipient, $this->getSenderFrom(), $this->parser->getHeader('X-AnonAddy-Authentication-Results')));
exit(0); exit(0);
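Review bot: The new condition `! $this->parser->getHeader('X-AnonAddy-Dmarc-Allow')` tests only that the header is present and truthy, so any non-empty value authorises the reply/send, and the check is only as trustworthy as the mail path in front of this command. The documented Rspamd routine strips inbound copies through its `{['X-AnonAddy-Dmarc-Allow'] = 0}` remove table, but an installation that hands mail to this command without that milter configuration would honour a header supplied by the sender. Comparing against the exact value, `$this->parser->getHeader('X-AnonAddy-Dmarc-Allow') !== 'Yes'`, and saying in the comment that the header is trusted only because Rspamd removes and re-adds it would make that dependency explicit; what getHeader returns when the header occurs more than once is not visible here and should be confirmed. The enclosing method starts and ends outside this hunk.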


@ -5,9 +5,9 @@ current:
major: 0 major: 0
minor: 9 minor: 9
patch: 1 patch: 1
prerelease: '' prerelease: 1-g5ee6abf
buildmetadata: '' buildmetadata: ''
commit: 3044d9 commit: 5ee6ab
timestamp: timestamp:
year: 2020 year: 2020
month: 10 month: 10

60
package-lock.json generated

@ -34,9 +34,9 @@
} }
}, },
"node_modules/@ampproject/remapping": { "node_modules/@ampproject/remapping": {
"version": "2.1.0", "version": "2.1.1",
"resolved": "https://registry.npmjs.org/@ampproject/remapping/-/remapping-2.1.0.tgz", "resolved": "https://registry.npmjs.org/@ampproject/remapping/-/remapping-2.1.1.tgz",
"integrity": "sha512-d5RysTlJ7hmw5Tw4UxgxcY3lkMe92n8sXCcuLPAyIAHK6j8DefDwtGnVVDgOnv+RnEosulDJ9NPKQL27bDId0g==", "integrity": "sha512-Aolwjd7HSC2PyY0fDj/wA/EimQT4HfEnFYNp5s9CQlrdhyvWTtvZ5YzrUPu6R6/1jKiUlxu8bUhkdSnKHNAHMA==",
"dependencies": { "dependencies": {
"@jridgewell/trace-mapping": "^0.3.0" "@jridgewell/trace-mapping": "^0.3.0"
}, },
@ -1624,17 +1624,17 @@
} }
}, },
"node_modules/@jridgewell/resolve-uri": { "node_modules/@jridgewell/resolve-uri": {
"version": "3.0.4", "version": "3.0.5",
"resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.0.4.tgz", "resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.0.5.tgz",
"integrity": "sha512-cz8HFjOFfUBtvN+NXYSFMHYRdxZMaEl0XypVrhzxBgadKIXhIkRd8aMeHhmF56Sl7SuS8OnUpQ73/k9LE4VnLg==", "integrity": "sha512-VPeQ7+wH0itvQxnG+lIzWgkysKIr3L9sslimFW55rHMdGu/qCQ5z5h9zq4gI8uBtqkpHhsF4Z/OwExufUCThew==",
"engines": { "engines": {
"node": ">=6.0.0" "node": ">=6.0.0"
} }
}, },
"node_modules/@jridgewell/sourcemap-codec": { "node_modules/@jridgewell/sourcemap-codec": {
"version": "1.4.10", "version": "1.4.11",
"resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.4.10.tgz", "resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.4.11.tgz",
"integrity": "sha512-Ht8wIW5v165atIX1p+JvKR5ONzUyF4Ac8DZIQ5kZs9zrb6M8SJNXpx1zn04rn65VjBMygRoMXcyYwNK0fT7bEg==" "integrity": "sha512-Fg32GrJo61m+VqYSdRSjRXMjQ06j8YIYfcTqndLYVAaHmroZHLJZCydsWBOTDqXS2v+mjxohBWEMfg97GXmYQg=="
}, },
"node_modules/@jridgewell/trace-mapping": { "node_modules/@jridgewell/trace-mapping": {
"version": "0.3.4", "version": "0.3.4",
@ -6905,9 +6905,9 @@
} }
}, },
"node_modules/postcss-load-config": { "node_modules/postcss-load-config": {
"version": "3.1.1", "version": "3.1.3",
"resolved": "https://registry.npmjs.org/postcss-load-config/-/postcss-load-config-3.1.1.tgz", "resolved": "https://registry.npmjs.org/postcss-load-config/-/postcss-load-config-3.1.3.tgz",
"integrity": "sha512-c/9XYboIbSEUZpiD1UQD0IKiUe8n9WHYV7YFe7X7J+ZwCsEKkUJSFWjS9hBU1RR9THR7jMXst8sxiqP0jjo2mg==", "integrity": "sha512-5EYgaM9auHGtO//ljHH+v/aC/TQ5LHXtL7bQajNAUBKUVKiYE8rYpFms7+V26D9FncaGe2zwCoPQsFKb5zF/Hw==",
"dependencies": { "dependencies": {
"lilconfig": "^2.0.4", "lilconfig": "^2.0.4",
"yaml": "^1.10.2" "yaml": "^1.10.2"
@ -8483,9 +8483,9 @@
} }
}, },
"node_modules/tailwindcss": { "node_modules/tailwindcss": {
"version": "3.0.19", "version": "3.0.21",
"resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-3.0.19.tgz", "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-3.0.21.tgz",
"integrity": "sha512-rjsdfz/qZya5xQ0OVynEMETgWq1CacmftgMYeXXh6bRM5vxsNwRSbMJsCCIjq/w67om9VP/AFMolOwiE+5VKig==", "integrity": "sha512-PGTiaBu/K4QlzjKlLgtz6nVYlrmhy6INPMKYb6RHX18/VXwygFbRdAlJGl2NfXabTQOP62ttKwjQviWLKQuWrA==",
"dependencies": { "dependencies": {
"arg": "^5.0.1", "arg": "^5.0.1",
"chalk": "^4.1.2", "chalk": "^4.1.2",
@ -9490,9 +9490,9 @@
}, },
"dependencies": { "dependencies": {
"@ampproject/remapping": { "@ampproject/remapping": {
"version": "2.1.0", "version": "2.1.1",
"resolved": "https://registry.npmjs.org/@ampproject/remapping/-/remapping-2.1.0.tgz", "resolved": "https://registry.npmjs.org/@ampproject/remapping/-/remapping-2.1.1.tgz",
"integrity": "sha512-d5RysTlJ7hmw5Tw4UxgxcY3lkMe92n8sXCcuLPAyIAHK6j8DefDwtGnVVDgOnv+RnEosulDJ9NPKQL27bDId0g==", "integrity": "sha512-Aolwjd7HSC2PyY0fDj/wA/EimQT4HfEnFYNp5s9CQlrdhyvWTtvZ5YzrUPu6R6/1jKiUlxu8bUhkdSnKHNAHMA==",
"requires": { "requires": {
"@jridgewell/trace-mapping": "^0.3.0" "@jridgewell/trace-mapping": "^0.3.0"
} }
@ -10578,14 +10578,14 @@
"integrity": "sha512-ws57AidsDvREKrZKYffXddNkyaF14iHNHm8VQnZH6t99E8gczjNN0GpvcGny0imC80yQ0tHz1xVUKk/KFQSUyA==" "integrity": "sha512-ws57AidsDvREKrZKYffXddNkyaF14iHNHm8VQnZH6t99E8gczjNN0GpvcGny0imC80yQ0tHz1xVUKk/KFQSUyA=="
}, },
"@jridgewell/resolve-uri": { "@jridgewell/resolve-uri": {
"version": "3.0.4", "version": "3.0.5",
"resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.0.4.tgz", "resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.0.5.tgz",
"integrity": "sha512-cz8HFjOFfUBtvN+NXYSFMHYRdxZMaEl0XypVrhzxBgadKIXhIkRd8aMeHhmF56Sl7SuS8OnUpQ73/k9LE4VnLg==" "integrity": "sha512-VPeQ7+wH0itvQxnG+lIzWgkysKIr3L9sslimFW55rHMdGu/qCQ5z5h9zq4gI8uBtqkpHhsF4Z/OwExufUCThew=="
}, },
"@jridgewell/sourcemap-codec": { "@jridgewell/sourcemap-codec": {
"version": "1.4.10", "version": "1.4.11",
"resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.4.10.tgz", "resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.4.11.tgz",
"integrity": "sha512-Ht8wIW5v165atIX1p+JvKR5ONzUyF4Ac8DZIQ5kZs9zrb6M8SJNXpx1zn04rn65VjBMygRoMXcyYwNK0fT7bEg==" "integrity": "sha512-Fg32GrJo61m+VqYSdRSjRXMjQ06j8YIYfcTqndLYVAaHmroZHLJZCydsWBOTDqXS2v+mjxohBWEMfg97GXmYQg=="
}, },
"@jridgewell/trace-mapping": { "@jridgewell/trace-mapping": {
"version": "0.3.4", "version": "0.3.4",
@ -14573,9 +14573,9 @@
} }
}, },
"postcss-load-config": { "postcss-load-config": {
"version": "3.1.1", "version": "3.1.3",
"resolved": "https://registry.npmjs.org/postcss-load-config/-/postcss-load-config-3.1.1.tgz", "resolved": "https://registry.npmjs.org/postcss-load-config/-/postcss-load-config-3.1.3.tgz",
"integrity": "sha512-c/9XYboIbSEUZpiD1UQD0IKiUe8n9WHYV7YFe7X7J+ZwCsEKkUJSFWjS9hBU1RR9THR7jMXst8sxiqP0jjo2mg==", "integrity": "sha512-5EYgaM9auHGtO//ljHH+v/aC/TQ5LHXtL7bQajNAUBKUVKiYE8rYpFms7+V26D9FncaGe2zwCoPQsFKb5zF/Hw==",
"requires": { "requires": {
"lilconfig": "^2.0.4", "lilconfig": "^2.0.4",
"yaml": "^1.10.2" "yaml": "^1.10.2"
@ -15690,9 +15690,9 @@
} }
}, },
"tailwindcss": { "tailwindcss": {
"version": "3.0.19", "version": "3.0.21",
"resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-3.0.19.tgz", "resolved": "https://registry.npmjs.org/tailwindcss/-/tailwindcss-3.0.21.tgz",
"integrity": "sha512-rjsdfz/qZya5xQ0OVynEMETgWq1CacmftgMYeXXh6bRM5vxsNwRSbMJsCCIjq/w67om9VP/AFMolOwiE+5VKig==", "integrity": "sha512-PGTiaBu/K4QlzjKlLgtz6nVYlrmhy6INPMKYb6RHX18/VXwygFbRdAlJGl2NfXabTQOP62ttKwjQviWLKQuWrA==",
"requires": { "requires": {
"arg": "^5.0.1", "arg": "^5.0.1",
"chalk": "^4.1.2", "chalk": "^4.1.2",


@ -4,6 +4,8 @@
An attempt to send or reply from your alias **{{ $aliasEmail }}** was just made from **{{ $recipient }}** which failed because it didn't pass authentication checks and could be a spoofed. An attempt to send or reply from your alias **{{ $aliasEmail }}** was just made from **{{ $recipient }}** which failed because it didn't pass authentication checks and could be a spoofed.
In order to send or reply from an alias there must be a valid DMARC policy present for **{{ \Illuminate\Support\Str::afterLast($recipient, '@') }}** and your message must be permitted by that DMARC policy.
The attempt was trying to send the message to the following destination: **{{ $destination }}** The attempt was trying to send the message to the following destination: **{{ $destination }}**
@if($authenticationResults) @if($authenticationResults)
@ -14,6 +16,6 @@ These are the authentication results for the message:
If this attempt was made by yourself then you need to @if($authenticationResults) inspect the authentication results above and @endif make sure your recipient's domain (**{{ \Illuminate\Support\Str::afterLast($recipient, '@') }}**) has the correct DNS records in place; SPF, DKIM and DMARC. If this attempt was made by yourself then you need to @if($authenticationResults) inspect the authentication results above and @endif make sure your recipient's domain (**{{ \Illuminate\Support\Str::afterLast($recipient, '@') }}**) has the correct DNS records in place; SPF, DKIM and DMARC.
If this attempt was not made by you then someone else may be attempting to send a message from your alias. Make sure you have a suitable DMARC policy in place (with p=quarantine or p=reject) along with SPF and DKIM records to protect your recipient address from being spoofed. If this attempt was not made by you then someone else may be attempting to send a message from your alias. Make sure you have a suitable DMARC policy in place (with p=quarantine or p=reject) along with SPF and DKIM records to protect your recipient's email address from being spoofed.
@endcomponent @endcomponent
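Review bot: The added paragraph repeats `\Illuminate\Support\Str::afterLast($recipient, '@')`, which the template already evaluates in the "If this attempt was made by yourself" paragraph, so the recipient domain is now derived in two places inside the view. Computing it once, for example `@php($recipientDomain = \Illuminate\Support\Str::afterLast($recipient, '@'))` at the top of the template or a value passed in by the notification class, keeps the two paragraphs from drifting apart. The unchanged sentence above the addition also ends in "could be a spoofed", which reads as truncated.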


@ -3,6 +3,7 @@ From: Will <will@anonaddy.com>
To: <ebay+contact=ebay.com@johndoe.anonaddy.com>, <ebay+support=ebay.com@johndoe.anonaddy.com> To: <ebay+contact=ebay.com@johndoe.anonaddy.com>, <ebay+support=ebay.com@johndoe.anonaddy.com>
Subject: RE: Test Email Subject: RE: Test Email
In-Reply-To: <9f2ada5308f1a3f88515a370504a66b3@swift.generated> In-Reply-To: <9f2ada5308f1a3f88515a370504a66b3@swift.generated>
X-AnonAddy-Dmarc-Allow: Yes
Content-Type: multipart/mixed; boundary="----=_Part_10031_1199410393.1550677940425" Content-Type: multipart/mixed; boundary="----=_Part_10031_1199410393.1550677940425"
------=_Part_10031_1199410393.1550677940425 ------=_Part_10031_1199410393.1550677940425
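Review bot: Every reply/send fixture touched by this commit gains `X-AnonAddy-Dmarc-Allow: Yes`, and no fixture or test visible on this page covers a message that lacks the header while also carrying no `X-AnonAddy-Spam` header. That is the case the new check in ReceiveEmail exists to reject, so a fixture without the header, plus an assertion that `SpamReplySendAttempt` is sent and nothing is forwarded, would pin the behaviour; tests outside this page may already do so. The same applies to the three fixture sections that follow.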


@ -2,6 +2,7 @@ Date: Wed, 20 Feb 2019 15:00:00 +0100 (CET)
From: Will <will@anonaddy.com> From: Will <will@anonaddy.com>
To: <ebay+contact=ebay.com@johndoe.anonaddy.com>, <ebay+support=ebay.com@johndoe.anonaddy.com> To: <ebay+contact=ebay.com@johndoe.anonaddy.com>, <ebay+support=ebay.com@johndoe.anonaddy.com>
Subject: Test Email Subject: Test Email
X-AnonAddy-Dmarc-Allow: Yes
Content-Type: multipart/mixed; boundary="----=_Part_10031_1199410393.1550677940425" Content-Type: multipart/mixed; boundary="----=_Part_10031_1199410393.1550677940425"
------=_Part_10031_1199410393.1550677940425 ------=_Part_10031_1199410393.1550677940425


@ -3,6 +3,7 @@ From: Will <will@anonaddy.com>
To: <ebay+contact=ebay.com@johndoe.anonaddy.com> To: <ebay+contact=ebay.com@johndoe.anonaddy.com>
Subject: RE: Test Email Subject: RE: Test Email
In-Reply-To: <9f2ada5308f1a3f88515a370504a66b3@swift.generated> In-Reply-To: <9f2ada5308f1a3f88515a370504a66b3@swift.generated>
X-AnonAddy-Dmarc-Allow: Yes
Content-Type: multipart/mixed; boundary="----=_Part_10031_1199410393.1550677940425" Content-Type: multipart/mixed; boundary="----=_Part_10031_1199410393.1550677940425"
------=_Part_10031_1199410393.1550677940425 ------=_Part_10031_1199410393.1550677940425


@ -2,6 +2,7 @@ Date: Wed, 20 Feb 2019 15:00:00 +0100 (CET)
From: Will <will@anonaddy.com> From: Will <will@anonaddy.com>
To: ebay+contact=ebay.com@johndoe.anonaddy.com To: ebay+contact=ebay.com@johndoe.anonaddy.com
Subject: Test Email Subject: Test Email
X-AnonAddy-Dmarc-Allow: Yes
Content-Type: multipart/mixed; boundary="----=_Part_10031_1199410393.1550677940425" Content-Type: multipart/mixed; boundary="----=_Part_10031_1199410393.1550677940425"
------=_Part_10031_1199410393.1550677940425 ------=_Part_10031_1199410393.1550677940425