Difference between revisions of "Trusted Email Services"

(Mail Relay)
(Mail Relay)
Line 80: Line 80:
  
 
<hsl type="data">
 
<hsl type="data">
$result = DKIMSDID([$senderdomain]);
+
if (is_tes_member($senderdomain))
if ($result[$senderdomain] != "pass")
+
{
    Reject();
+
    $result = DKIMSDID([$senderdomain]);
 +
    if ($result[$senderdomain] != "pass")
 +
        Reject("The messages is not DKIM signed policy of $senderdomain ($messageid));
  
$dmarcresult = ScanDMARC();
+
    $result = ScanDMARC();
if (is_array($dmarcresult) && $dmarcdomain[$senderdomain] == "reject")
+
    if (is_array($result) && $result[$senderdomain] == "reject")
    Reject("The messages violates the DMARC policy of $senderdomain ($messageid)");
+
        Reject("The messages violates the DMARC policy of $senderdomain ($messageid)");
  
AddHeader("X-TES-Status", tes_is_member()?"member":"non-member");
+
    AddHeader("X-TES-Status", "member");
 +
}
 +
else
 +
{
 +
    AddHeader("X-TES-Status", "non-member");
 +
}
 
</hsl>
 
</hsl>
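Review bot: The DKIM Reject() call on the new side has an unterminated string literal — `($messageid));` lacks the closing quote before the parenthesis, so the line should read `Reject("The messages is not DKIM signed policy of $senderdomain ($messageid)");`. The new code also calls `is_tes_member($senderdomain)` while the removed header line and the other scripts in this article call `tes_is_member(...)`; confirm which helper actually exists and use one name consistently. The DMARC branch rejects only when ScanDMARC() returns an array carrying a "reject" entry, so any non-array result passes silently; a comment such as `// a non-array DMARC result is not treated as a violation` would make that intent explicit. Reusing `$result` for both the DKIM and the DMARC lookup is easy to misread; separate names such as `$dkim` and `$dmarc` would help.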
  

Revision as of 15:16, 14 March 2016

function tes_check_client_policy()
{
    // TES client (submission) policy: the session must be TLS-protected,
    // must not use a legacy protocol version, and must be SASL-authenticated.
    // Returns true when all three hold, false otherwise.
    global $saslauthed, $tlsstarted, $tlsprotocol;

    // No TLS at all: fail before looking at the protocol version
    if (!$tlsstarted)
        return false;

    // Protocol versions this policy refuses on the submission port
    $legacy = ($tlsprotocol == "SSLv2" or
               $tlsprotocol == "SSLv3" or
               $tlsprotocol == "TLSv1");
    if ($legacy or !$saslauthed)
        return false;

    return true;
}
function tes_check_member_server_policy()
{
    // TES policy for connections from member servers: TLS must be in use
    // and the protocol version must be newer than TLSv1.1.
    // Returns true when the session is acceptable, false otherwise.
    // $tlsciphers and $tlskeysize are declared but not consulted in this body.
    global $tlsstarted, $tlsprotocol, $tlsciphers, $tlskeysize;

    if (!$tlsstarted)
        return false;

    // Versions refused for member-to-member traffic (stricter than the client policy)
    $legacy = ($tlsprotocol == "SSLv2" or
               $tlsprotocol == "SSLv3" or
               $tlsprotocol == "TLSv1" or
               $tlsprotocol == "TLSv1.1");

    return $legacy ? false : true;
}
function 
tes_check_nonmember_server_policy()
{
    global 
$tlsstarted$tlsprotocol$tlsciphers$tlskeysize;

Mail Submission

On the client submission port (587), use the following script.

// Submission (port 587): refuse clients that do not meet the TES client policy
if (!tes_check_client_policy()) {
    Reject("Client is not TES compliant");
}

And the following configuration:

  • Listener setting
    • A TLS certificate
    • An auth flow
    • Require TLS for AUTH

// Sign outgoing mail with the sender domain's DKIM key
DKIMSign($selector, $senderdomain, $rsakey);

// Deliveries to TES members: refuse legacy protocol versions and use the
// "dane_require" TLS mode (the listing on this page ends after this block)
if (tes_is_member($recipientdomain)) {
    SetTLS([
        "tls_protocols" => "!SSLv2,!SSLv3,!TLSv1,!TLSv1.1",
        "tls" => "dane_require"
    ]);
}

Mail Relay

Use the following script.

// Relay: apply the member or non-member server policy depending on the
// sender domain's TES membership; the rejection text names which one failed
$member = tes_is_member($senderdomain);
$compliant = $member ? tes_check_member_server_policy() : tes_check_nonmember_server_policy();
if (!$compliant) {
    Reject($member ? "Member is not TES compliant" : "Server is not TES compliant");
}

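// Mail from TES members must be DKIM signed by the sender domain and must not
// violate a "reject" DMARC policy; membership is recorded in X-TES-Status.
// NOTE(review): the other listings on this page call tes_is_member(); confirm
// which helper is actually defined.
if (is_tes_member($senderdomain))
{
    // DKIM: the signing domain must be the sender domain and verify as "pass"
    $dkim = DKIMSDID([$senderdomain]);
    if ($dkim[$senderdomain] != "pass")
        Reject("The messages is not DKIM signed policy of $senderdomain ($messageid)");

    // DMARC: only an explicit "reject" result for the sender domain blocks the
    // message; a non-array result is not treated as a violation
    $dmarc = ScanDMARC();
    if (is_array($dmarc) && $dmarc[$senderdomain] == "reject")
        Reject("The messages violates the DMARC policy of $senderdomain ($messageid)");

    AddHeader("X-TES-Status", "member");
}
else
{
    AddHeader("X-TES-Status", "non-member");
}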