Revision history for Mail-Milter-Authentication
3.20240701 2024-07-01 14:10:31+10:00 Australia/Melbourne
- DMARC: New option to enable strict processing of rfc5322 from domains.
Adds the strict_multifrom config item to DMARC (default false).
If set, the handler will reject/quarantine messages where
multiple rfc5322 from domains are present.
DMARC processing/reporting will continue as usual as defined by
the *_on_multifrom settings, however any dispositions will
be overridden to reject or quarantine depending on the value set
for hard_reject.
- ARC/DMARC: Override DMARC enforcement when the trusted ARC chain has
a passing DMARC entry.
This improves the case where an ARC trusted forwarder has broken
authentication without leaving enough SPF/DKIM indicators in the
AAR for us to process, OR has modified the RFC5322 From domain as
is the case with certain privacy focussed bi-directional
forwarding services.
3.20240618 2024-06-18 17:18:47+10:00 Australia/Melbourne
- Config: Fix generation of some directories when they are not supplied and
also do not exist. This should fix issues with OpenBSD
3.20240205 2024-02-05 02:47:38+00:00 UTC
- BIMI: Add metrics for new BIMI certificate types
3.20230911 2023-09-11 06:18:44+00:00 UTC
- Core: Switch from deprecated method in Net::DNS
In Net::DNS::Resolver, call the rdstring method
rather than the deprecated rdstring method
This change bumps the minimum version of Net::DNS
required to 1.01
- SPF: Add option to detect and optionally mitigate SPF upgrade problems.
- Core: Add authentication_milter_log command with arex subcommand
which can be used to process ARex JSON log format back into
standard Authentication-Results: header lines
3.20230629 2023-06-29 23:44:32+00:00 UTC
- DKIM: Prepare for Ed25519 support in Mail::DKIM
Ed25519 key types do not have a size method
which can lead to confusing results.
3.20230214 2023-02-14 23:31:27+00:00 UTC
- Core: Fix get_client_proto for Net::Server>=2.011
Thanks to @J5lx
- DMARC: Fix config file existence checks.
DMARC: Fix config lookups for config_file and verbosity.
Core: Set config property in parent hooks.
Thanks to @dev-aaront-org
3.20221121 2022-11-21 04:08:15+00:00 UTC
- Core: Added option to log all added Authentication-Results headers
in JSON format for processing with Mail::AuthenticationResults
including option to also log in legacy format to allow transition.
- Core: When we see parse errors for AR existing headers, log the header
not the exception
[New config items]
extended_log - Log added Authentication-Results headers in JSON format
legacy_log - When logging extended Authentication-Results logs, also log in legacy format
3.20221006 2022-10-06 19:27:39+00:00 UTC
- Core: Changed logging, Most log entries are now only sent in
debugging mode (LOG_DEBUG), logging of Authentication-Results
added has a new format.
3.20220914 2022-09-14 00:33:40+00:00 UTC
- Core: Allow the location of the Net::Server lock file to be specified
3.20220131 2022-01-31 04:04:43+00:00 UTC
- DMARC: When an invalid MAIL_FROM is encountered continue processing
as if there were no MAIL_FROM domain.
- DMARC: Catch and ignore bad ARC results
3.20210914 2021-09-14 04:00:11+00:00 UTC
- Bugfix: Properly report selectors that truthy evaluate to false
3.20210907 2021-09-07 00:26:14+00:00 UTC
- Client: Chunk the body when sending with Mail::Milter::Authentication::Client
3.20210825 2021-08-25 01:01:38+00:00 UTC
- Core: Allow Authentication-Results header to be split or renamed per Handler
3.20210707 2021-07-07 00:29:17+00:00 UTC
- DNS: More consistent error logging on DNS lookup timeouts
- RBLDNS: Config structure change
[UPDATED Config Items for RBLDNS]
RBLDNS config items should be moved under a new rbls key
A future update will make this change mandatory, please update your
configs now.
3.20210514 2021-05-14 01:15:58+00:00 UTC
- Core: Fix an error when appending Connection scope authentication-results
header parts which would cause processing child processes to crash.
3.20210324 2021-03-24 06:00:40+00:00 UTC
- DMARC: When a report fails to save move it to error state
- Sanitize: Allow the Sanitize handler to be used by
other handlers to remove headers.
- BIMI: Use the Sanitize handler to remove existing headers
- BIMI: Add an overall timeout to BIMI processing
- RBLDNS: Use the Sanitize handler to remove existing headers
[New Config Items for BIMI]
sanitize_location_header - Remove existing BIMI-Location header? yes|no|silent (default yes)
sanitize_indicator_header - Remove existing BIMI-Location header? yes|no|silent (default silent)
timeout - Timeout, in microseconds, to apply to a BIMI record check/fetch, default 5000000 (5s)
[New Config Items for RBLDNS]
$key sanitize_header - Remove existing header? yes|no|silent (default yes)
3.20210308 2021-03-08 22:55:12+00:00 UTC
- Better handling of timeouts in DMARC dequeue stage
- Allow more than 1 dequeue process to run at a time
- DMARC: Added report suppression list
[New Config Items]
max_dequeue - How many dequeue processes can we run at once
[New Config Items for DMARC]
report_suppression_list - RBL used to look up Org domains for which we want to suppress reporting
3.20210113 2021-01-13 04:54:40+00:00 UTC
- RBLDNS: Add module to lookup connecting IP with RBLDNS
- Switch to a purely numeric version string
[New Handler]
RBLDNS - Lookup connecting IP with RBLDNS
2.20210105.2 2021-01-05 06:02:43+00:00 UTC
- Make Net::Server patches optional
These were causing issues in some cases where the server was only
listening on a single port.
- BIMI: Optional RBL allow list for domains that will not require evidence documents
- DMARC: Option to lookup DMARC domains on an RBL and
add configurable policy entries to the DMARC result.
[New Config Items]
patch_net_server - If true, try and patch some Net::Server issues
[New Config Items for DMARC]
policy_rbl_lookup - set of RBLs to check the from domain against for policy entries
[New Config Items for BIMI]
rbl_no_evidence_allowlist - Optional RBL Allow list of org domains that do NOT require evidence documents
2.20201209.2 2020-12-09 10:40:10+00:00 UTC
- Revert Net::Server patches
These were causing issues in some cases where the server was only
listening on a single port.
2.20201208.2 2020-12-08 04:25:22+00:00 UTC
- Apply some patches to Net::Server
- Core: Misc fixes to some error states
2.20201113.2 2020-11-13 04:45:42+00:00 UTC
- Logger: Added a handler to add additional logging detail
- DMARC: Rename failed spool files with .err extension
- Abusix: Delete failed spool files
2.20200930.2 2020-09-30 08:51:35+00:00 UTC
- Improve language used internally
- Core: Configurable SERVFAIL timeout with default
- Core: Avoid opening unnecessary sockets
- Core: Add dequeue handling
- Core: Setup cache, lib, and spool directories
- DMARC: Use dequeue for report saving
- AbusixDataFeed: Defer feed sending into dequeue handler
- Sanitize: Fix domain/subdomain checking - Thanks to @dev-aaront-org
- Client: Fix handling of mail data with CRLF endings - Thanks to @dev-aaront-org
- Milter: Set SMFIP_HDR_LEADSPC to get exact whitespace from MTA - Thanks to @dev-aaront-org
- DMARC: Fix hide_none result - Thanks to @dev-aaront-org
- Milter: Replace CRLF with LF in headers sent to MTA - Thanks to @dev-aaront-org
- Milter: Set SMFIP_HDR_LEADSPC to get exact whitespace from MTA - Thanks to @dev-aaront-org
- Core: Add hide_none option for an empty AR header - Thanks to @dev-aaront-org
- SMTP: Pass ESMTP parameters to MAIL and RCPT callbacks - Thanks to @dev-aaront-org
- Core: Allow certain HTTP pages to be disabled using the metric_basic_http option
- BIMI: Use Mail::BIMI Version 2 - A more complete implementation of the current BIMI standards
[New Config Items]
metric_basic_http - Disable extended http services such as config and grafana json pages
cache_dir - Path to the shared cache directory
spool_dir - Path to the shared spool directory
lib_dir - Path to the shared lib directory
dequeue_timeout - Timeout for Dequeue callbacks
check_for_dequeue - How often in seconds should a dequeue process be spawned
dns_servfail_timeout - How long in microseconds a SERVFAIL can take before being considered a timeout
hide_none - Do not add the Authentication-Results header if the result is 'none'
[New Config Items for BIMI]
handlers BIMI bimi_options - Options to pass into Mail::BIMI->new
handlers BIMI rbl_allowlist - Optional RBL Allow list of allowed org domains
handlers BIMI rbl_blocklist - Optional RBL Block list of disallowed org domains
2.20200625.2 2020-06-25 04:34:45+00:00 UTC
- DMARC: Option to redact some Reporting fields
[New Config Items]
handlers DMARC hide_report_to - If set, remove envelope_to from DMARC reports
2.20200612.2 2020-06-12 00:14:00+00:00 UTC
- Core: Only set Nameservers when given
Prevents issue with newer Net::DNS::Resolver
2.20200602.2 2020-06-02 09:11:51+00:00 UTC
- XGoogleDKIM: Require a more modern Mail::DKIM
- ARC: Require a more modern Mail::DKIM
2.20200602.1 2020-06-02 06:18:01+00:00 UTC
- DKIM: Require a more modern Mail::DKIM
2.20200513.1 2020-05-13 04:13:58+00:00 UTC
- BIMI: Prepare for breaking changes in Mail::BIMI 2
2.20200420.1 2020-04-20 04:31:22+00:00 UTC
- DMARC: Allow limiting of DMARC processing in a single message
- Core: use JSON::XS instead of JSON
2.20200331.1 2020-03-31 23:54:13+00:00 UTC
- ARC: x-arc should use set_key not key
2.20200329.1 2020-03-29 23:55:13+00:00 UTC
- Metrics: Upgrade to Prometheus::Tiny::Shared 0.020
backed by Hash::SharedMem
2.20200319 2020-03-19 03:51:02+00:00 UTC
- Fix problem loading external modules
2.20200313 2020-03-13 04:03:59+00:00 UTC
- Try and clean-up state on an unexpected exit/restart
2.20200302 2020-03-02 04:50:55+00:00 UTC
- Require minimum Perl 5.20
- ARC: Merge ARC Handler into core
- Abusix: Merge Abusix Handler into core
- BIMI: Merge BIMI Handler into core
- Blocker: Merge Blocker Handler into core
- Core: Modernise and tidy some code
- Core: Set a default version for metrics where one does not exist
- Core: Milter protocol quarantine fixes
- ARC: Use x-arc- prefix for derived Authentication Results
- Core: Better reporting on errors
- Core: Ability to email errors to admin address
- BIMI: Add SPF policy checks to BIMI handler
- Metrics: Use Prometheus::Tiny::Shared 0.011 backed by Sqlite
2.20200206 2020-02-06 01:15:45+00:00 UTC
- Size: Add metrics for added header bytes
2.20200202 2020-02-02 14:23:58+00:00 UTC
- DMARC: Updated ARC override reporting re RFC
- DMARC: Add metrics for active/pending reports
- Core: Added version metrics
2.20200129 (BIMI) 2020-01-29 UTC
- Update declaration of PreReqs
2.20200107 2020-01-07 04:26:20+00:00 UTC
- Ignore Errors from bgsend
2.20200106 2020-01-06 04:09:07+00:00 UTC
- Properly clear DNS errors cache on close
2.20200102 (BIMI) 2020-01-02 UTC
- Updated for new Mail::BIMI
- Trust ARC
2.20200102 2020-01-02 01:14:35+00:00 UTC
- DMARC: Store all DMARC result object for other handlers
- Properly set IP objects in tester
2.20191206 2019-12-05 02:14:47+00:00 UTC
- Fix second header parse bug
2.20191205 (ARC) 2019-12-05 01:46:10+00:00 UTC
- Fix header parse bug
2.20191205 2019-12-05 01:25:51+00:00 UTC
- Send DNS requests early
- Fix header parse bug
2.20191120 (blocker) 2019-11-20 23:57:12+00:00 UTC
- First release
2.20191106 2019-11-06 01:22:25+00:00 UTC
- More aggressive handling of DNS timeouts
2.20190523 2019-05-23 02:16:29+00:00 UTC
- ReturnOK: Add detail in comments
- ReturnOK: Don't duplicate checks for repeated domains
- Core: Use Log::Dispatchouli for logging
2.20190502 2019-05-02 15:54:56+10:00 Australia/Melbourne
- DMARC: Make sure we actually have a trusted ARC chain before
applying arc_before_list
2.20190501 2019-05-01 11:52:35+10:00 Australia/Melbourne
- DMARC: Option to override List-ID detection if we have ARC
2.20181213 (Abusix) 2018-12-13 Australia/Melbourne
- Removed stray debugging output
2.20181212 2018-12-12 15:17:16+11:00 Australia/Melbourne
- Core: Remap IP addresses as early as possible.
2.20181204 (Abusix) 2018-12-03 Australia/Melbourne
- Set TLS to 0 if not encrypted and TLS handler is loaded
2.20181203 (Abusix) 2018-12-03 Australia/Melbourne
- First Release
2.20181130 2018-11-30 15:12:34+11:00 Australia/Melbourne
- Core/TLS: Expose the TLS state in a helper method.
- Core: Enforce DNS timeouts
2.20181114 2018-11-14 15:20:39+11:00 Australia/Melbourne
- Core: Return effective config in toml or json
NB The version of TOML used here is not sufficient to
express all possible configurations, in particular those
which would require a . in the key name (ip addresses etc) are
not possible to express in TOML.
As such, TOML should be considered as experimental.
- Core: Allow ip remapping based on received HELO host
- Core: Pre-load some Net::DNS::RR modules pre-fork
- Core: Allow multiple digit extended return codes
2.20181024 2018-10-24 12:02:46+11:00 Australia/Melbourne
- DMARC: Defer saving of aggregate reports until the close stage
- Metrics: Use shared memory for metrics processing rather than
child<>parent socket calls.
Requires Prometheus::Tiny::Shared (and Cache::FastMmap)
2.20181013 (ARC) 2018-10-13 09:22:28-04:00 America/New_York
- Add smtp.remote-ip
2.20181013 2018-10-13 08:58:04-04:00 America/New_York
- IPRev: rename policy.iprev to smtp.remote-ip for interop
2.20180927 2018-09-27 14:00:13+10:00 Australia/Melbourne
- DMARC: Record policy used (p or sp) in header and metrics
2.20180912 2018-09-12 22:03:15+10:00 Australia/Melbourne
- Fix bug in loading of conf.d files
2.20180911 (ARC) 2018-09-11 13:03:03+10:00 Australia/Melbourne
- Fix detection of domain in identity when inheriting DKIM results.
2.20180903 (ARC) 2018-09-03 15:52:55+10:00 Australia/Melbourne
- Option to lookup trusted arc domains via DNS
2.20180903 2018-09-03 14:47:52+10:00 Australia/Melbourne
- DMARC: Allow whitelist by passing SPF domain.
- DMARC: Allow whitelist lookup via a dns whitelist.
- DMARC: Allow configuration of disposition for failing mailing list messages
- DMARC: Check whitelist before list detection
2.20180726 2018-07-26 16:30:40+01:00 Europe/London
- Allow config file to be written in TOML
- DMARC: Add policy decision factors in policy ptype entries
- SMTP: Don't hold entire message in memory unless necessary
Option to chunk message when passing to handlers
Option to use spool file rather than using memory
- SMTP: Count quarantined mail properly in metrics
2.20180612 (ARC) 2018-06-12 13:47:27+10:00 Australia/Melbourne
- Follow RFC 8301 security recommendations by default
- Handle full identities in override
2.20180612 2018-06-12 13:32:26+10:00 Australia/Melbourne
- Bugfix: clear quarantine reason after use
2.20180608 2018-06-08 21:14:19+02:00 Europe/Berlin
- ReturnOK: Rewrite Handler to handle multiple addresses properly
- Core: Fix per-protocol-section timeouts
- DKIM: Follow RFC 8301 security recommendations by default
- Core: Improved the HTTP status page
- DMARC: Correctly report DMARC policy when using ARC override
- DMARC: Set the disposition more reliably
- Core: methods to set defer/quarantine reasons
- Core: set a header for quarantined mail
- Sanitize: Add code to remove arbitrary headers
- Milter: Experimental support for Quarantine action
2.20180526 2018-05-27 09:11:02+10:00 Australia/Melbourne
- Removed experimental external callback stage hooks
- Allow handlers to specify required BEFORE other handlers
2.20180525 2018-05-25 13:01:51+10:00 Australia/Melbourne
- Add external callback hooks for stage callbacks
- Add external callback hook for handler config
- More timeout improvements
- DKIM: switch extra properties to more standard properties
- Minimum perl version 5.10 required (Dependencies demand it)
- Make ptype of TLS/PTR/SPF entries more correct
2.20180521 (ARC) 2018-05-21 14:41:56+10:00 Australia/Melbourne
- Option to pull values from a trusted ARC chain for use elsewhere
- Manually check timeout status in key stages
2.20180521 2018-05-21 14:33:46+10:00 Australia/Melbourne
- Add method to manually check timeout status in Handlers
- Switch to useconds internally for Handler timeouts
- Fix test data on some BSD systems
- DMARC: Option to pull values from a trusted ARC chain
2.20180511 2018-05-11 11:50:22+10:00 Australia/Melbourne
- Return exception type correctly to caller
2.20180510 (BIMI) 2018-05-10 Australia/Melbourne
- Improve handling of timeouts
2.20180510 (ARC) 2018-05-10 15:15:15+10:00 Australia/Melbourne
- Improve handling of timeouts
2.20180510 2018-05-10 14:58:08+10:00 Australia/Melbourne
- Improve handling of timeouts
2.20180509 2018-05-09 15:19:12+10:00 Australia/Melbourne
- Make sure timeout events are propagated correctly
- Silence some warnings
2.20180430 2018-04-30 21:02:23+10:00 Australia/Melbourne
- Allow folding of Authentication-Results header
- Fix bug where handlers could receive empty string instead of 0
2.20180329 2018-03-29 11:12:49+11:00 Australia/Melbourne
- Updated config processor to be a generic external callback handler
2.20180328 2018-03-28 21:26:54+11:00 Australia/Melbourne
- Add config option to process loaded config with a named Perl module
2.20180326 2018-03-26 13:09:14+11:00 Australia/Melbourne
- Allow indent/fold style and depth to be configured
- Build the internal AR header list using objects
2.20180318 (ARC) 2018-03-18 Australia/Melbourne
- Pass headers as objects
- Change build system to dist zilla
2.20180318 2018-03-18 Australia/Melbourne
- Allow remapping of IP address/HELO based on source IP address
- Authentication-Results headers are now passed as objects internally
- Added Mail::Milter::Authentication::Tester::HandlerTester to improve testing of handlers
- Improved testing frameworks
- Switched build framework to Dist::Zilla
- Minimum Perl version is now 5.10 due to dependencies in Mail::DMARC
- Improve output from tests when there are failures
- Fix Best guess SPF mode
1.1.7 2017-12-21
- Removed nasty recursion bug in header sorting
- Updated DMARC policy reporting
1.1.6 2017-12-20
- DMARC processing for all domains found in message headers
- Avoid semicolon in DMARC result comment
- Updated IPRev (and PTR) to follow CNAMEs
- Added experimental "Best Guess SPF" option
1.1.6 (ARC) 2017-12-18
- Fix bug which prevented ARCSealing when Domain != ServerId
1.1.5 (ARC) 2017-12-16
- First production ready release
1.1.5 2017-12-16
- Added Mail::Milter::Authentication::Tester module to help with testing handlers
- Report DMARC policy deviations
1.1.4 2017-10-19
- Added a FromAlignment checker handler
- Improvements in timeout handling
- Added more metrics to the ReturnOK handler
- Extra optional information in DKIM results
1.1.3 (ARC) 2017-10-02
- First public release of ARC handler
- This handler is experimental
1.1.3 2017-10-01
- Handler for capturing metrics on message size
- Collect metrics for processing time in each handler/stage
- Defer internal counting of metrics until after transaction
- Generate grafana dashboard automatically for installed handlers
- Allow metrics port to be unix socket
- Tests for metrics system
- New handler to gather metrics of the size of messages/headers processed
- Make the IPRev handler rfc compliant
- Add metrics for IPRev, PTR, and ReturnOK handlers
- Stability fixes
1.1.2 2017-08-22
- Fixed process management under SmartOS
- Added post processing callback for adding headers (Required for future ARC handler)
- Improve DNS mocking in tests by using Net::DNS::Resolver::Mock
- Fix syslog for Debian 9
- Add DKIM hash algorithm to metrics and AR comments
- Parse headers for TLS information in SMTP protocol mode
- Misc bugfixes
1.1.1 2017-04-14
- Added metrics collection (prometheus)
- Re-write address parsing code to avoid Email::Address::parse issues
- SMTP Debugging modes added
- Correctly handle From header with odd case in DMARC module
- Added example metrics dashboard for Grafana
- Metrics bugfixes
- Improved test suite
1.1.0 2016-07-01
- Allow email to be rejected by handlers
- Option to reject DMARC p=reject failures
- DMARC reject whitelist based on ip or dkim
- Split X-Google-DKIM checks into own handler
- DKIM DNS error handling improvements
- Optionally hide Domainkeys results
- Updates to improve operation when running as a postfix pre-queue filter
- Do not drop connections when restarting
- Better handling of multiple instances
- Updated daemon control
- Improved logging
1.0.1 2015-09-11
- Removed unrequired error handling
- Fixed some typos (sergeyromanov)
- Allow relaxed JSON parsing in config
1.0.0 2015-08-22
- Version bump to avoid confusion with old unreleased versions
- Cleaned up CPANTS errors
- Fixed inconsistent versions
- Moved handler config docs into handlers
- Fixed possible dependency loop when misconfigured
- Improve logging to stderr when logtoerr is set
0.1.1 2015-08-05
- Released to CPAN
0.1.0 2015-07-21
- Catch warnings and report in log with context.
- Skip DMARC reporting for specified addresses.
0.08 2015-02-23
- Fixes header unwrapping issue
- Allow DMARC reporting to be disabled
- DMARC: preload the PSL where possible
- Better SMTP pipeline handling
0.07 2015-02-02
- Fix up some warning output.
- Fixed edge case which caused false DKIM failures.
- Allow use as an SMTP proxy based after queue filter.
- More test cases added.
- Allow listening on multiple ports.
- Bug Fixes.
0.06 2015-01-13
- First version, released on an unsuspecting world.