Forwarding hosts: use SPF records if present

master
Michael Kuron 2017-04-22 12:33:53 +02:00
parent a75d916b74
commit df71e97a09
7 changed files with 206 additions and 32 deletions

View File

@ -313,7 +313,8 @@ $tfa_data = get_tfa();
<table class="table table-striped" id="forwardinghoststable">
<thead>
<tr>
<th style="min-width: 100px;"><?=$lang['edit']['hostname'];?></th>
<th style="min-width: 100px;"><?=$lang['edit']['host'];?></th>
<th style="min-width: 100px;"><?=$lang['edit']['source'];?></th>
<th style="text-align: right; min-width: 200px;"><?=$lang['admin']['action'];?></th>
</tr>
</thead>
@ -321,20 +322,23 @@ $tfa_data = get_tfa();
<?php
$forwarding_hosts = get_forwarding_hosts();
if ($forwarding_hosts) {
foreach ($forwarding_hosts as $host) {
?>
<tr id="data">
<td><?=htmlspecialchars(strtolower($host));?></td>
<td style="text-align: right;">
<div class="btn-group">
<a href="delete.php?forwardinghost=<?=$host;?>" class="btn btn-xs btn-danger"><span class="glyphicon glyphicon-trash"></span> <?=$lang['admin']['remove'];?></a>
</div>
</td>
</td>
</tr>
foreach ($forwarding_hosts as $host) {
$source = $host->source;
$host = $host->host;
?>
<tr id="data">
<td><?=htmlspecialchars(strtolower($host));?></td>
<td><?=htmlspecialchars(strtolower($source));?></td>
<td style="text-align: right;">
<div class="btn-group">
<a href="delete.php?forwardinghost=<?=$host;?>" class="btn btn-xs btn-danger"><span class="glyphicon glyphicon-trash"></span> <?=$lang['admin']['remove'];?></a>
</div>
</td>
</td>
</tr>
<?php
}
<?php
}
} else {
?>
<tr id="no-data"><td colspan="4" style="text-align: center; font-style: italic;"><?=$lang['admin']['no_record'];?></td></tr>
@ -347,9 +351,10 @@ $tfa_data = get_tfa();
</form>
<small>
<legend><?=$lang['admin']['add_forwarding_host'];?></legend>
<p style="margin-bottom:10px"><?=$lang['admin']['forwarding_hosts_add_hint'];?></p>
<form class="form-horizontal" role="form" method="post">
<div class="form-group">
<label class="control-label col-sm-2" for="hostname"><?=$lang['edit']['hostname'];?>:</label>
<label class="control-label col-sm-2" for="hostname"><?=$lang['edit']['host'];?>:</label>
<div class="col-sm-10">
<input type="text" class="form-control" name="hostname" id="hostname" required>
</div>

View File

@ -105,7 +105,7 @@ if (isset($_SESSION['mailcow_cc_role']) && ($_SESSION['mailcow_cc_role'] == "adm
</form>
<?php
}
// DELETE DOMAIN ADMIN
// DELETE FORWARDING HOST
elseif (isset($_GET["forwardinghost"]) &&
!empty($_GET["forwardinghost"]) &&
$_SESSION['mailcow_cc_role'] == "admin") {

View File

@ -98,6 +98,8 @@ function init_db_schema() {
'msg' => 'Database initialization completed.'
);
}
// Add newly added tables
$stmt = $pdo->query("CREATE TABLE IF NOT EXISTS `forwarding_hosts` (`host` VARCHAR(255) NOT NULL, PRIMARY KEY (`host`)) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC");
// Add newly added columns
$stmt = $pdo->query("SHOW COLUMNS FROM `mailbox` LIKE 'kind'");
$num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
@ -124,9 +126,11 @@ function init_db_schema() {
if ($num_results == 0) {
$pdo->query("ALTER TABLE `tfa` ADD `key_id` VARCHAR(255) DEFAULT 'unidentified'");
}
// Add newly added tables
$stmt = $pdo->query("CREATE TABLE IF NOT EXISTS `forwarding_hosts` (`host` VARCHAR(255) NOT NULL, PRIMARY KEY (`host`)) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC");
$stmt = $pdo->query("SHOW COLUMNS FROM `forwarding_hosts` LIKE 'source'");
$num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
if ($num_results == 0) {
$pdo->query("ALTER TABLE `forwarding_hosts` ADD `source` VARCHAR(255) DEFAULT ''");
}
}
function verify_ssha256($hash, $password) {
// Remove tag if any
@ -5044,11 +5048,12 @@ function get_u2f_registrations($username) {
}
function get_forwarding_hosts() {
global $pdo;
$sel = $pdo->prepare("SELECT host FROM `forwarding_hosts`");
$sel = $pdo->prepare("SELECT host, source FROM `forwarding_hosts`");
$sel->execute();
return $sel->fetchAll(PDO::FETCH_COLUMN);
return $sel->fetchAll(PDO::FETCH_OBJ);
}
function add_forwarding_host($postarray) {
require_once 'spf.inc.php';
global $pdo;
global $lang;
if ($_SESSION['mailcow_cc_role'] != "admin") {
@ -5058,23 +5063,47 @@ function add_forwarding_host($postarray) {
);
return false;
}
$source = $postarray['hostname'];
$host = $postarray['hostname'];
try {
$stmt = $pdo->prepare("INSERT INTO `forwarding_hosts` (`host`) VALUES (:host)");
$stmt->execute(array(
':host' => $host,
));
$hosts = array();
if (preg_match('/^[0-9a-fA-F:\/]+$/', $host)) { // IPv6 address
$hosts = array($host);
}
catch (PDOException $e) {
elseif (preg_match('/^[0-9\.\/]+$/', $host)) { // IPv4 address
$hosts = array($host);
}
else {
$hosts = get_outgoing_hosts_best_guess($host);
}
if (!$hosts)
{
$_SESSION['return'] = array(
'type' => 'danger',
'msg' => 'MySQL: '.$e
'msg' => 'Invalid host specified: '. htmlspecialchars($host)
);
return false;
}
foreach ($hosts as $host) {
if ($source == $host)
$source = '';
try {
$stmt = $pdo->prepare("INSERT IGNORE INTO `forwarding_hosts` (`host`, `source`) VALUES (:host, :source)");
$stmt->execute(array(
':host' => $host,
':source' => $source,
));
}
catch (PDOException $e) {
$_SESSION['return'] = array(
'type' => 'danger',
'msg' => 'MySQL: '.$e
);
return false;
}
}
$_SESSION['return'] = array(
'type' => 'success',
'msg' => sprintf($lang['success']['forwarding_host_added'], htmlspecialchars($host))
'msg' => sprintf($lang['success']['forwarding_host_added'], htmlspecialchars(implode(', ', $hosts)))
);
}
function delete_forwarding_host($postarray) {

View File

@ -142,6 +142,7 @@ CREATE TABLE IF NOT EXISTS `tfa` (
CREATE TABLE IF NOT EXISTS `forwarding_hosts` (
`host` VARCHAR(255) NOT NULL,
`source` VARCHAR(255) NOT NULL,
PRIMARY KEY (`host`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC;

View File

@ -0,0 +1,127 @@
<?php
function get_spf_allowed_hosts($domain)
{
$hosts = array();
$records = dns_get_record($domain, DNS_TXT);
foreach ($records as $record)
{
$txt = explode(' ', $record['entries'][0]);
if (array_shift($txt) != 'v=spf1') // only handle SPF records
continue;
foreach ($txt as $mech)
{
$qual = substr($mech, 0, 1);
if ($qual == '-' || $qual == '~') // only handle pass or neutral records
continue(2);
if ($qual == '+' || $qual == '?')
$mech = substr($mech, 1); // remove the qualifier
if (strpos($mech, '=') !== FALSE) // handle a modifier
{
$mod = explode('=', $mech);
if ($mod[0] == 'redirect') // handle a redirect
{
$hosts = get_spf_allowed_hosts($mod[1]);
return $hosts;
}
}
else
{
unset($cidr);
if (strpos($mech, ':') !== FALSE) // handle a domain specification
{
$split = explode(':', $mech);
$mech = array_shift($split);
$domain = implode(':', $split);
if (strpos($domain, '/') !== FALSE) // remove CIDR specification
{
$split = explode('/', $domain);
$domain = $split[0];
$cidr = $split[1];
}
}
$new_hosts = array();
if ($mech == 'include') // handle an inclusion
{
$new_hosts = get_spf_allowed_hosts($domain);
}
elseif ($mech == 'a') // handle a mechanism
{
$new_hosts = get_a_hosts($domain);
}
elseif ($mech == 'mx') // handle mx mechanism
{
$new_hosts = get_mx_hosts($domain);
}
elseif ($mech == 'ip4' || $mech == 'ip6') // handle ip mechanism
{
$new_hosts = array($domain);
}
if (isset($cidr)) // add CIDR specification if present
{
foreach ($new_hosts as &$host)
{
$host .= '/' . $cidr;
}
unset($host);
}
$hosts = array_unique(array_merge($hosts,$new_hosts), SORT_REGULAR);
}
}
}
return $hosts;
}
function get_mx_hosts($domain)
{
$hosts = array();
$mx_records = dns_get_record($domain, DNS_MX);
foreach ($mx_records as $mx_record)
{
$new_hosts = get_a_hosts($mx_record['target']);
$hosts = array_unique(array_merge($hosts,$new_hosts), SORT_REGULAR);
}
return $hosts;
}
function get_a_hosts($domain)
{
$hosts = array();
$a_records = dns_get_record($domain, DNS_A);
foreach ($a_records as $a_record)
{
$hosts[] = $a_record['ip'];
}
$a_records = dns_get_record($domain, DNS_AAAA);
foreach ($a_records as $a_record)
{
$hosts[] = $a_record['ipv6'];
}
return $hosts;
}
function get_outgoing_hosts_best_guess($domain)
{
// try the SPF record to get hosts that are allowed to send outgoing mails for this domain
$hosts = get_spf_allowed_hosts($domain);
if ($hosts) return $hosts;
// try the MX record to get mail servers for this domain
$hosts = get_mx_hosts($domain);
if ($hosts) return $hosts;
// fall back to the A record to get the host name for this domain
return get_a_hosts($domain);
}
?>

View File

@ -450,11 +450,20 @@ $lang['admin']['unchanged_if_empty'] = 'Unverändert, wenn leer';
$lang['admin']['yes'] = '&#10004;';
$lang['admin']['no'] = '&#10008;';
$lang['admin']['access'] = 'Zugang';
$lang['admin']['invalid_max_msg_size'] = 'Invalid max. message size'; // NEEDS TRANSLATION
$lang['admin']['invalid_max_msg_size'] = 'Ungültige maximale Nachrichtengröße';
$lang['admin']['site_not_found'] = 'Kann mailcow Site-Konfiguration nicht finden';
$lang['admin']['public_folder_empty'] = 'Public folder name must not be empty'; // NEEDS TRANSLATION
$lang['admin']['public_folder_empty'] = 'Name des öffentlichen Ordners darf nicht leer sein';
$lang['admin']['set_rr_failed'] = 'Kann Postfix Restriktionen nicht setzen';
$lang['admin']['no_record'] = 'Kein Eintrag';
$lang['admin']['filter_table'] = 'Tabelle Filtern';
$lang['admin']['empty'] = 'Keine Einträge vorhanden';
$lang['admin']['forwarding_hosts'] = 'Weiterleitungs-Hosts';
$lang['admin']['forwarding_hosts_hint'] = 'Eingehende Nachrichten werden von den hier gelisteten Hosts bedingungslos akzeptiert. Diese Hosts werden dann nicht mit DNSBLs abgeglichen oder Greylisting unterworfen. Von ihnen empfangener Spam wird nie abgelehnt und immer in den Spam-Ordner einsortiert. Die übliche Verwendung für diese Funktion ist, um Mailserver anzugeben, auf denen eine Weiterleitung zu Ihrem Mailcow-Server eingerichtet wurde.';
$lang['admin']['forwarding_hosts_add_hint'] = 'Sie können entweder IPv4/IPv6-Adressen, Netzwerke in CIDR-Notation, Hostnamen (die zu IP-Adressen aufgelöst werden), oder Domainnamen (die zu IP-Adressen aufgelöst werden, indem ihr SPF-Record abgefragt wird oder, in dessen Abwesenheit, ihre MX-Records) angeben.';
$lang['edit']['host'] = 'Host';
$lang['edit']['source'] = 'Quelle';
$lang['admin']['add_forwarding_host'] = 'Weiterleitungs-Host hinzufügen';
$lang['delete']['remove_forwardinghost_warning'] = '<b>Warnung:</b> Sie entfernen den Weiterleitungs-Host <b>%s</b>!';
$lang['success']['forwarding_host_removed'] = "Weiterleitungs-Host %s wurde entfernt";
$lang['success']['forwarding_host_added'] = "Weiterleitungs-Host %s wurde hinzugefügt";
?>

View File

@ -469,7 +469,10 @@ $lang['admin']['no_record'] = 'No record';
$lang['admin']['filter_table'] = 'Filter table';
$lang['admin']['empty'] = 'No results';
$lang['admin']['forwarding_hosts'] = 'Forwarding Hosts';
$lang['admin']['forwarding_hosts_hint'] = 'Specify any networks (in CIDR notation) from which you unconditionally want to accept incoming messages. These hosts are then not checked against DNSBLs or subjected to greylisting. Spam received from them is never rejected and always filed into the Junk folder. The most common use for this is to specify mail servers on which you have set up a forwarding rule.';
$lang['admin']['forwarding_hosts_hint'] = 'Incoming messages are unconditionally accepted from any hosts listed here. These hosts are then not checked against DNSBLs or subjected to greylisting. Spam received from them is never rejected and always filed into the Junk folder. The most common use for this is to specify mail servers on which you have set up a rule that forwards incoming emails to your Mailcow server.';
$lang['admin']['forwarding_hosts_add_hint'] = 'You can either specify IPv4/IPv6 addresses, networks in CIDR notation, host names (which will be resolved to IP addresses), or domain names (which will be resolved to IP addresses by querying SPF records or, in their absence, MX records).';
$lang['edit']['host'] = 'Host';
$lang['edit']['source'] = 'Source';
$lang['admin']['add_forwarding_host'] = 'Add Forwarding Host';
$lang['delete']['remove_forwardinghost_warning'] = '<b>Warning:</b> You are about to remove the forwarding host <b>%s</b>!';
$lang['success']['forwarding_host_removed'] = "Forwarding host %s has been removed";