Difference between revisions of "Trusted Email Services"

(Shared functions)
Line 104: Line 104:
 
function tes_is_member($domain, $error_callback)
 
function tes_is_member($domain, $error_callback)
 
{
 
{
     $dns = dnscname("tes_master.$domain", ["extended_result" => true]);
+
     $dns = dnscname("tes-master.$domain", ["extended_result" => true]);
 
     if ($dns["error"] == "NXDOMAIN") return false;
 
     if ($dns["error"] == "NXDOMAIN") return false;
 
     if (!$dns["result"]) return $error_callback($dns["error"]);
 
     if (!$dns["result"]) return $error_callback($dns["error"]);
Line 110: Line 110:
 
     $tesmaster = $dns["result"][0];
 
     $tesmaster = $dns["result"][0];
 
      
 
      
     $dns = dnstxt("$domain.tes_member.$tesmaster", ["extended_result" => true]);
+
     $dns = dnstxt("$domain.tes-member.$tesmaster", ["extended_result" => true]);
 
     if ($dns["error"] == "NXDOMAIN") return false;
 
     if ($dns["error"] == "NXDOMAIN") return false;
 
     if (!$dns["result"]) return $error_callback($dns["error"]);
 
     if (!$dns["result"]) return $error_callback($dns["error"]);
  
     $dns = dnstxt("$tesmaster.tes_member.trusted-email-services.com", ["extended_result" => true]);
+
     $dns = dnstxt("$tesmaster.tes-member.trusted-email-services.com", ["extended_result" => true]);
 
     if ($dns["error"] == "NXDOMAIN") return false;
 
     if ($dns["error"] == "NXDOMAIN") return false;
 
     if (!$dns["result"]) return $error_callback($dns["error"]);
 
     if (!$dns["result"]) return $error_callback($dns["error"]);
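Review bot: On the renamed `tes-member` TXT lookups (the `+` lines under "Line 110") membership is still established by record presence alone — `if (!$dns["result"])` only tests that some TXT record exists under the queried name, and the record payload is never compared against anything, so the check is exactly as strong as control over those DNS names. If that is the intended contract it deserves a comment where `$tesmaster` is taken from the CNAME answer, e.g. `// membership is asserted by the existence of the TXT record, not its content; trust rests on the chain ending at trusted-email-services.com`. A name that exists but carries no record of the queried type would seem to bypass the `NXDOMAIN` branch and land in `$error_callback` instead of returning `false`; whether that matters depends on what `dnscname`/`dnstxt` put in `error` for an empty answer, which the hunk does not show. The function's closing `return true;` and brace lie outside the hunk.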

Revision as of 10:32, 17 March 2016

Mail Submission

On client submission port (587) use the following script.

// Submission-port policy gate: tes_check_client_policy() passes only when the
// session is on TLS (not SSLv2/SSLv3/TLSv1) and the client has authenticated
// via SASL; anything else is refused up front.
$tesCompliant = tes_check_client_policy();
if (!$tesCompliant) {
    Reject("Client is not TES compliant");
}

And the following configuration:

  • Listener setting
    • A TLS certificate
    • An auth flow
    • Require TLS for AUTH

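// Sign the submitted message before choosing the outbound TLS policy.
// $selector, $senderdomain and $rsakey are presumably set earlier in the
// script (not shown here).
DKIMSign($selector, $senderdomain, $rsakey);

// Recipient domain is a TES member: require DANE-validated TLS and refuse
// legacy protocol versions. Only NXDOMAIN means "not a member"; any other
// lookup error reaches the callback, which reschedules the delivery so that a
// transient resolver problem cannot silently downgrade transport security.
if (tes_is_member($recipientdomain, function ($error) {
        Reschedule(3600, ["reason" => "tes_is_member: $error", "increment_retry" => false]);
    }))
{
    SetTLS([
        "tls_protocols" => "!SSLv2,!SSLv3,!TLSv1,!TLSv1.1",
        "tls" => "dane_require"
    ]);
}
else
{
    // Non-member: "dane" rather than "dane_require" — presumably DANE is used
    // when the destination publishes it but is not mandated; confirm against
    // the SetTLS documentation.
    SetTLS([
        "tls" => "dane"
    ]);
}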

Mail Relay

Use the following script.

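// Relay from a TES member: enforce the member-server transport policy
// (TLS established, no SSLv2/SSLv3/TLSv1/TLSv1.1). A lookup error other than
// NXDOMAIN defers the session instead of being treated as "non-member", so a
// resolver failure cannot be used to skip the policy.
if (tes_is_member($senderdomain, function ($error) {
        Defer("TES lookup failed");
    }))
{
    if (!tes_check_member_server_policy()) {
        Reject("Member is not TES compliant");
    }
}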

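// Content checks for mail relayed from a TES member. The error callback
// defers on any lookup failure other than NXDOMAIN (see tes_is_member).
if (tes_is_member($senderdomain, function ($error) {
        Defer("TES lookup failed");
    }))
{
    // Members must carry a valid DKIM signature whose d= is the sender domain.
    $result = DKIMSDID([$senderdomain]);
    if ($result[$senderdomain] != "pass") {
        Reject("The messages is not DKIM signed policy of $senderdomain ($messageid)");
    }

    // ...and must not violate their own DMARC policy. is_array() guards the
    // case where ScanDMARC() returns something other than an array —
    // presumably on evaluation failure; confirm against the ScanDMARC docs.
    $result = ScanDMARC();
    if (is_array($result) && $result[$senderdomain] == "reject") {
        Reject("The messages violates the DMARC policy of $senderdomain ($messageid)");
    }

    // NOTE(review): this only adds a header; any X-TES-Status header already
    // present on the incoming message is not removed here, so downstream
    // consumers should not treat the header as authoritative on its own.
    AddHeader("X-TES-Status", "member");
}
else
{
    AddHeader("X-TES-Status", "non-member");
}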

Shared functions

These functions should be put in an include file so that they can be updated easily.

Include file
// Submission (port 587) compliance: true only when the session is on TLS,
// that session is not SSLv2/SSLv3/TLSv1, and the client authenticated via
// SASL. Reads the connection globals $saslauthed, $tlsstarted, $tlsprotocol.
function tes_check_client_policy()
{
    global $saslauthed, $tlsstarted, $tlsprotocol;

    // No TLS session at all: not compliant, whatever else holds.
    if (!$tlsstarted)
        return false;

    // TLS is up, but legacy protocol versions are still refused.
    $legacyProtocol = ($tlsprotocol == "SSLv2"
        || $tlsprotocol == "SSLv3"
        || $tlsprotocol == "TLSv1");
    if ($legacyProtocol || !$saslauthed)
        return false;

    return true;
}
// Member-server compliance for relayed mail: true only when the session is
// on TLS and the negotiated protocol is newer than TLSv1.1. Unlike the client
// policy, no authentication is required. Reads the globals $tlsstarted and
// $tlsprotocol.
function tes_check_member_server_policy()
{
    global $tlsstarted, $tlsprotocol;

    // No TLS session: not compliant.
    if (!$tlsstarted)
        return false;

    // SSLv2 through TLSv1.1 are refused even with TLS established.
    $legacyProtocol = ($tlsprotocol == "SSLv2"
        || $tlsprotocol == "SSLv3"
        || $tlsprotocol == "TLSv1"
        || $tlsprotocol == "TLSv1.1");
    if ($legacyProtocol)
        return false;

    return true;
}
function 
tes_is_member($domain$error_callback)
{
    
$dns dnscname("tes-master.$domain", ["extended_result" => true]);
    if (
$dns["error"] == "NXDOMAIN") return false;
    if (!
$dns["result"]) return $error_callback($dns["error"]);
    
    
$tesmaster $dns["result"][0];
    
    
$dns dnstxt("$domain.tes-member.$tesmaster", ["extended_result" => true]);
    if (
$dns["error"] == "NXDOMAIN") return false;
    if (!
$dns["result"]) return $error_callback($dns["error"]);

    
$dns dnstxt("$tesmaster.tes-member.trusted-email-services.com", ["extended_result" => true]);
    if (
$dns["error"] == "NXDOMAIN") return false;
    if (!
$dns["result"]) return $error_callback($dns["error"]);

    return 
true;