Changes

Revision history for Mail-Milter-Authentication

{{$NEXT}}
  - DMARC: Fix an error in logs when suppressing DMARC reports

3.20241024 2024-10-24 20:54:14+11:00 Australia/Melbourne
  - Optimizations and efficiency improvements

3.20241011 2024-10-11 15:06:59+11:00 Australia/Melbourne
  - DMARC: Add HBL address style report suppression
           New config item: report_suppression_email_list

3.20240827 2024-08-27 10:35:56+10:00 Australia/Melbourne
  - Core: Make the DNS Timeouts caching configurable
          Thanks to Jedrzej Jajor (@jedrzejj)
          Adds a config option (cache_dns_timeouts) to allow disabling the
          caching of domains which timed out during a DNS query. By default
          the option is enabled to preserve the current behaviour. Setting
          the option to 0 disables the cache and the query will be sent to the
          DNS resolver each time regardless of previous timeouts.
  - ARC: Fix bug in ARC use of DKIM identity where no DKIM domain exists
  - Core: Skip addresses with more than 1 @ as bogus
  - Core: Don't override log_dispatchouli's configuration default values
          Thanks to: Norikatsu Shigemura (@nanorkyo)

3.20240701 2024-07-01 14:10:31+10:00 Australia/Melbourne
  - DMARC: New option to enable strict processing of rfc5322 from domains.
           Adds the strict_multifrom config item to DMARC (default false).
           If set, the handler will reject/quarantine messages where
           multiple rfc5322 from domains are present.
           DMARC processing/reporting will continue as usual as defined by
           the *_on_multifrom settings, however any dispositions will
           be overridden to reject or quarantine depending on the value set
           for hard_reject.
  - ARC/DMARC: Override DMARC enforcement when the trusted ARC chain has
               a passing DMARC entry.
               This improves the case where an ARC trusted forwarder has broken
               authentication without leaving enough SPF/DKIM indicators in the
               AAR for us to process, OR has modified the RFC5322 From domain as
               is the case with certain privacy focussed bi-directional
               forwarding services

3.20240618 2024-06-18 17:18:47+10:00 Australia/Melbourne
  - Config: Fix generation of some directories when they are not supplied and
            also do not exist. This should fix issues with OpenBSD

3.20240205 2024-02-05 02:47:38+00:00 UTC
  - BIMI: Add metrics for new BIMI certificate types

3.20230911 2023-09-11 06:18:44+00:00 UTC
  - Core: Switch from deprecated method in Net::DNS
          In Net::DNS::Resolver, call the rdstring method
          rather than the deprecated rdstring method
          This change bumps the minimum version of Net::DNS
          required to 1.01
  - SPF: Add option to detect and optionally mitigate SPF upgrade problems.
  - Core: Add authentication_milter_log command with arex subcommand
          which can be used to process ARex JSON log format back into
          standard Authentication-Results: header lines

3.20230629 2023-06-29 23:44:32+00:00 UTC
  - DKIM: Prepare for Ed25519 support in Mail::DKIM
          Ed25519 key types do not have a size method
          which can lead to confusing results.

3.20230214 2023-02-14 23:31:27+00:00 UTC
  - Core: Fix get_client_proto for Net::Server>=2.011
          Thanks to @J5lx

  - DMARC: Fix config file existence checks.
    DMARC: Fix config lookups for config_file and verbosity.
    Core: Set config property in parent hooks.
          Thanks to @dev-aaront-org

3.20221121 2022-11-21 04:08:15+00:00 UTC
  - Core: Added option to log all added Authentication-Results headers
          in JSON format for processing with Mail::AuthenticationResults
          including option to also log in legacy format to allow transition.
  - Core: When we see parse errors for AR existing headers, log the header
          not the exception

  [New config items]
    extended_log - Log added Authentication-Results headers in JSON format
    legacy_log   - When logging extended Authentication-Results logs, also log in legacy format

3.20221006 2022-10-06 19:27:39+00:00 UTC
  - Core: Changed logging, Most log entries are now only sent in
          debugging mode (LOG_DEBUG), logging of Authentication-Results
          added has a new format.

3.20220914 2022-09-14 00:33:40+00:00 UTC
  - Core: Allow the location of the Net::Server lock file to be specified

3.20220131 2022-01-31 04:04:43+00:00 UTC
  - DMARC: When an invalid MAIL_FROM is encountered continue processing
           as if there were no MAIL_FROM domain.
  - DMARC: Catch and ignore bad ARC results

3.20210914 2021-09-14 04:00:11+00:00 UTC
  - Bugfix: Properly report selectors that truthy evaluate to false

3.20210907 2021-09-07 00:26:14+00:00 UTC
  - Client: Chunk the body when sending with Mail::Milter::Authentication::Client

3.20210825 2021-08-25 01:01:38+00:00 UTC
  - Core: Allow Authentication-Results header to be split or renamed per Handler

3.20210707 2021-07-07 00:29:17+00:00 UTC
  - DNS: More consistent error logging on DNS lookup timeouts
  - RBLDNS: Config structure change

  [UPDATED Config Items for RBLDNS]
    RBLDNS config items should be moved under a new rbls key
    A future update will make this change mandatory, please update your
    configs now.

3.20210514 2021-05-14 01:15:58+00:00 UTC
  - Core: Fix an error when appending Connection scope authentication-results
    header parts which would cause processing child processes to crash.

3.20210324 2021-03-24 06:00:40+00:00 UTC
  - DMARC: When a report fails to save move it to error state
  - Sanitize: Allow the Sanitize handler to be used by
    other handlers to remove headers.
  - BIMI: Use the Sanitize handler to remove existing headers
  - BIMI: Add an overall timeout to BIMI processing
  - RBLDNS: Use the Sanitize handler to remove existing headers

  [New Config Items for BIMI]
    sanitize_location_header - Remove existing BIMI-Location header? yes|no|silent (default yes)
    sanitize_indicator_header - Remove existing BIMI-Location header? yes|no|silent (default silent)
    timeout - Timeout, in microseconds, to apply to a BIMI record check/fetch, detault 5000000 (5s)

  [New Config Items for RBLDNS]
    $key sanitize_header - Remove existing header? yes|no|silent (default yes)

3.20210308 2021-03-08 22:55:12+00:00 UTC
  - Better handling of timeouts in DMARC dequeue stage
  - Allow more than 1 dequeue process to run at a time
  - DMARC: Added report suppression list

  [New Config Items]
    max_dequeue - How many dequeue processes can we run at once

  [New Config Items for DMARC]
    report_suppression_list - RBL used to look Org domains for which we want to suppress reporting

3.20210113 2021-01-13 04:54:40+00:00 UTC
  - RBLDNS: Add module to lookup connecting IP with RBLDNS
  - Switch to a purely numeric version string

  [New Handler]
    RBLDNS - Lookup connecting IP with RBLDNS

2.20210105.2 2021-01-05 06:02:43+00:00 UTC
  - Make Net::Server patches optional
    These were causing issues in some cases where the server was only
    listening on a single port.
  - BIMI: Optional RBL allow list for domains that will not require evidence documents
  - DMARC: Option to lookup DMARC domains on an RBL and
    add configurable policy entries to the DMARC result.

  [New Config Items]
    patch_net_server - If true, try and patch some Net::Server issues

  [New Config Items for DMARC]
    policy_rbl_lookup - set of RBLs to check the from domain against for policy entries

  [New Config Items for BIMI]
    rbl_no_evidence_allowlist - Optonal RBL Allow list of org domains that do NOT require evidence documents

2.20201209.2 2020-12-09 10:40:10+00:00 UTC
  - Revert Net::Server patches
    These were causing issues in some cases where the server was only
    listening on a single port.

2.20201208.2 2020-12-08 04:25:22+00:00 UTC
  - Apply some patches to Net::Server
  - Core: Misc fixes to some error states

2.20201113.2 2020-11-13 04:45:42+00:00 UTC
  - Logger: Added a handler to add additional logging detail
  - DMARC: Rename failed spool files with .err extension
  - Abusix: Delete failed spool files

2.20200930.2 2020-09-30 08:51:35+00:00 UTC
  - Improve language used internally
  - Core: Configurable SERVFAIL timeout with default
  - Core: Avoid opening unnecessary sockets
  - Core: Add dequeue handling
  - Core: Setup cache, lib, and spool directories
  - DMARC: Use dequeue for report saving
  - AbusixDataFeed: Defer feed sending into dequeue handler
  - Sanitize: Fix domain/subdomain checking - Thanks to @dev-aaront-org
  - Client: Fix handling of mail data with CRLF endings - Thanks to @dev-aaront-org
  - Milter: Set SMFIP_HDR_LEADSPC to get exact whitespace from MTA - Thanks to @dev-aaront-org
  - DMARC: Fix hide_none result - Thanks to @dev-aaront-org
  - Milter: Replace CRLF with LF in headers sent to MTA - Thanks to @dev-aaront-org
  - Milter: Set SMFIP_HDR_LEADSPC to get exact whitespace from MTA - Thanks to @dev-aaront-org
  - Core: Add hide_none option for an empty AR header - Thanks to @dev-aaront-org
  - SMTP: Pass ESMTP parameters to MAIL and RCPT callbacks - Thanks to @dev-aaront-org
  - Core: Allow certain HTTP pages to be disabled using the metric_basic_http option
  - BIMI: Use Mail::BIMI Version 2 - A more complete implementation of the current BIMI standards

  [New Config Items]
    metric_basic_http     -  Disable extended http services such as config and grafana json pages
    cache_dir             -  Path to the shared cache directory
    spool_dir             -  Path to the shared spool directory
    lib_dir               -  Path to the shared lib directory
    dequeue_timeout       -  Timeout for Dequeue callbacks
    check_for_dequeue     -  How often in seconds should a dequeue process be spawned
    dns_servfail_timeout  -  How long in microseconds a SERVFAIL can take before being considered a timeout
    hide_none             -  Do not add the Authentication-Results header if the result is 'none'
  [New Config Items for BIMI]
    handlers BIMI bimi_options  - Options to pass into Mail::BIMI->new
    handlers BIMI rbl_allowlist - Optional RBL Allow list of allowed org domains
    handlers BIMI rbl_blocklist - Optional RBL Block list of disallowed org domains

2.20200625.2 2020-06-25 04:34:45+00:00 UTC
  - DMARC: Option to redact some Reporting fields

  [New Config Items]
    handlers DMARC hide_report_to  - If set, remove envelope_to from DMARC reports

2.20200612.2 2020-06-12 00:14:00+00:00 UTC
  - Core: Only set Nameservers when given
    Prevents issue with newer Net::DNS::Resolver

2.20200602.2 2020-06-02 09:11:51+00:00 UTC
  - XGoogleDKIM: Require a more modern Mail::DKIM
  - ARC: Require a more modern Mail::DKIM

2.20200602.1 2020-06-02 06:18:01+00:00 UTC
  - DKIM: Require a more modern Mail::DKIM

2.20200513.1 2020-05-13 04:13:58+00:00 UTC
  - BIMI: Prepare for breaking changes in Mail::BIMI 2

2.20200420.1 2020-04-20 04:31:22+00:00 UTC
  - DMARC: Allow limiting of DMARC processing in a single message
  - Core: use JSON::XS instead of JSON

2.20200331.1 2020-03-31 23:54:13+00:00 UTC
  - ARC: x-arc should use set_key not key

2.20200329.1 2020-03-29 23:55:13+00:00 UTC
  - Metrics: Upgrade to Prometheus::Tiny::Shared 0.020
    backed by Hash::SharedMem

2.20200319 2020-03-19 03:51:02+00:00 UTC
  - Fix problem loading external modules

2.20200313 2020-03-13 04:03:59+00:00 UTC
  - Try and clean-up state on an unexpected exit/restart

2.20200302 2020-03-02 04:50:55+00:00 UTC
  - Require minimum Perl 5.20
  - ARC: Merge ARC Handler into core
  - Abusix: Merge Abusix Handler into core
  - BIMI: Merge BIMI Handler into core
  - Blocker: Merge Blocker Handler into core
  - Core: Modernise and tind some code
  - Core: Set a default version for metrics where one does not exist
  - Core: Milter protocol quarantine fixes
  - ARC: Use x-arc- prefix for derived Authentication Results
  - Core: Better reporting on errors
  - Core: Ability to email errors to admin address
  - BIMI: Add SPF policy checks to BIMI handler
  - Metrics: Use Prometheus::Tiny::Shared 0.011 backed by Sqlite

2.20200206 2020-02-06 01:15:45+00:00 UTC
  - Size: Add metrics for added header bytes

2.20200202 2020-02-02 14:23:58+00:00 UTC
  - DMARC: Updated ARC override reporting re RFC
  - DMARC: Add metrics for active/pending reports
  - Core: Added version metrics

2.20200129 (BIMI) 2020-01-29 UTC
  - Update declaration of PreReqs

2.20200107 2020-01-07 04:26:20+00:00 UTC
  - Ignore Errors from bgsend

2.20200106 2020-01-06 04:09:07+00:00 UTC
  - Properly clear DNS errors cache on close

2.20200102 (BIMI) 2020-01-02 UTC
  - Updated for new Mail::BIMI
  - Trust ARC

2.20200102 2020-01-02 01:14:35+00:00 UTC
  - DMARC: Store all DMARC result object for other handlers
  - Properly set IP objects in tester

2.20191206 2019-12-05 02:14:47+00:00 UTC
  - Fix second header parse bug

2.20191205 (ARC) 2019-12-05 01:46:10+00:00 UTC
  - Fix header parse bug

2.20191205 2019-12-05 01:25:51+00:00 UTC
  - Send DNS requests early
  - Fix header parse bug

2.20191120 (blocker) 2019-11-20 23:57:12+00:00 UTC
  - First release

2.20191106 2019-11-06 01:22:25+00:00 UTC
  - More aggressive handling of DNS timeoutsi

2.20190523 2019-05-23 02:16:29+00:00 UTC
  - ReturnOK: Add detail in comments
  - ReturnOK: Don't duplicate checks for repeated domains
  - Core: Use Log::Dispatchouli for logging

2.20190502 2019-05-02 15:54:56+10:00 Australia/Melbourne
  - DMARC: Make sure we actually have a trusted ARC chain before
    applying arc_before_list

2.20190501 2019-05-01 11:52:35+10:00 Australia/Melbourne
  - DMARC: Option to override List-ID detection if we have ARC

2.20181213 (Abusix) 2018-12-13 Australia/Melbourne
  - Removed stray debugging output

2.20181212 2018-12-12 15:17:16+11:00 Australia/Melbourne
  - Core: Remap IP addresses as early as possible.

2.20181204 (Abusix) 2018-12-03 Australia/Melbourne
  - Set TLS to 0 if not encrypted and TLS handler is loaded

2.20181203 (Abusix) 2018-12-03 Australia/Melbourne
  - First Release

2.20181130 2018-11-30 15:12:34+11:00 Australia/Melbourne
  - Core/TLS: Expose the TLS state in a helper method.
  - Core: Enforce DNS timeouts

2.20181114 2018-11-14 15:20:39+11:00 Australia/Melbourne
  - Core: Return effective config in toml or json
    NB The version of TOML used here is not sufficient to
       express all possible configurations, in particular those
       which would require a . in the key name (ip addresses etc) are
       not possible to express in TOML.
       As such, TOML should be considered as experimental.
  - Core: Allow ip remapping based on received HELO host
  - Core: Pre-load some Net::DNS::RR modules pre-fork
  - Core: Allow multiple digit extended return codes

2.20181024 2018-10-24 12:02:46+11:00 Australia/Melbourne
  - DMARC: Defer saving of aggregate reports until the close stage
  - Metrics: Use shared memory for metrics processing rather than
    child<>parent socket calls.
    Requires Prometheus::Tiny::Shared (and Cache::FastMmap)

2.20181013 (ARC) 2018-10-13 09:22:28-04:00 America/New_York
  - Add smtp.remote-ip

2.20181013 2018-10-13 08:58:04-04:00 America/New_York
  - IPRev: rename policy.iprev to smtp.remote-ip for interop

2.20180927 2018-09-27 14:00:13+10:00 Australia/Melbourne
  - DMARC: Record policy used (p or sp) in header and metrics

2.20180912 2018-09-12 22:03:15+10:00 Australia/Melbourne
  - Fix bug in loading of conf.d files

2.20180911 (ARC) 2018-09-11 13:03:03+10:00 Australia/Melbourne
  - Fix detection of domain in identity when inheriting DKIM results.

2.20180903 (ARC) 2018-09-03 15:52:55+10:00 Australia/Melbourne
  - Option to lookup trusted arc domains via DNS

2.20180903 2018-09-03 14:47:52+10:00 Australia/Melbourne
  - DMARC: Allow whitelist by passing SPF domain.
  - DMARC: Allow whitelist lookup via a dns whitelist.
  - DMARC: Allow configuration of disposition for failing mailing list messages
  - DMARC: Check whitelist before list detection

2.20180726 2018-07-26 16:30:40+01:00 Europe/London
  - Allow config file to be written in TOML
  - DMARC: Add policy decision factors in policy ptype entries
  - SMTP: Don't hold entire message in memory unless necessary
    Option to chunk message when passing to handlers
    Option to use spool file rather than using memory
  - SMTP: Count quarantined mail properly in metrics

2.20180612 (ARC) 2018-06-12 13:47:27+10:00 Australia/Melbourne
  - Follow RFC 8301 security recommendations by default
  - Handle full identities in override

2.20180612 2018-06-12 13:32:26+10:00 Australia/Melbourne
  - Bugfix: clear quarantine reason after use

2.20180608 2018-06-08 21:14:19+02:00 Europe/Berlin
  - ReturnOK: Rewrite Handler to handle multiple addresses properly
  - Core: Fix per-protocol-section timeouts
  - DKIM: Follow RFC 8301 security recommendations by default
  - Core: Improved the HTTP status page
  - DMARC: Correctly report DMARC policy when using ARC override
  - DMARC: Set the disposition more reliably
  - Core: methods to set defer/quarantine reasons
  - Core: set a header for quarantined mail
  - Sanitize: Add code to remove arbitrary headers
  - Milter: Experimental support for Quarantine action

2.20180526 2018-05-27 09:11:02+10:00 Australia/Melbourne
  - Removed experimental external callback stage hooks
  - Allow handlers to specify required BEFORE other handlers

2.20180525 2018-05-25 13:01:51+10:00 Australia/Melbourne
  - Add external callback hooks for stage callbacks
  - Add external callback hook for handler config
  - More timeout improvements
  - DKIM: switch extra properties to more standard properties
  - Minimum perl verion 5.10 required (Dependencies demand it)
  - Make ptype of TLS/PTR/SPF entries more correct

2.20180521 (ARC) 2018-05-21 14:41:56+10:00 Australia/Melbourne
  - Option to pull values from a trusted ARC chain for use elsewhere
  - Manually check timeout status in key stages

2.20180521 2018-05-21 14:33:46+10:00 Australia/Melbourne
  - Add method to manually check timeout status in Handlers
  - Switch to useconds internally for Handler timeouts
  - Fix test data on some BSD systems
  - DMARC: Option to pull values from a trusted ARC chain

2.20180511 2018-05-11 11:50:22+10:00 Australia/Melbourne
  - Return exception type correctly to caller

2.20180510 (BIMI) 2018-05-10 Australia/Melbourne
  - Improve handling of timeouts

2.20180510 (ARC) 2018-05-10 15:15:15+10:00 Australia/Melbourne
  - Improve handling of timeouts

2.20180510 2018-05-10 14:58:08+10:00 Australia/Melbourne
  - Improve handling of timeouts

2.20180509 2018-05-09 15:19:12+10:00 Australia/Melbourne
  - Make sure timeout events are propigated correctly
  - Silence some warnings

2.20180430 2018-04-30 21:02:23+10:00 Australia/Melbourne
  - Allow folding of Authentication-Results header
  - Fix bug where handlers could receive emptystring instead of 0

2.20180329 2018-03-29 11:12:49+11:00 Australia/Melbourne
  - Updated config processor to be a generic external callback handler

2.20180328 2018-03-28 21:26:54+11:00 Australia/Melbourne
  - Add config option to process loaded config with a named Perl module

2.20180326 2018-03-26 13:09:14+11:00 Australia/Melbourne
  - Allow indent/fold style and depth to be configured
  - Build the internal AR header list using objects

2.20180318 (ARC) 2018-03-18 Australia/Melbourne
  - Pass headers as objects
  - Change build system to dist zilla

2.20180318 2018-03-18 Australia/Melbourne
  - Allow remapping of IP address/HELO based on source IP address
  - Authentication-Results headers are now passed as objects internally
  - Added Mail::Milter::Authentication::Tester::HandlerTester to improve testing of handlers
  - Improved testing frameworks
  - Switched build framework to Dist::Zilla
  - Minimum Perl version is now 5.10 due to dependencies in Mail::DMARC
  - Improve output from tests when there are failures
  - Fix Best guess SPF mode

1.1.7   2017-12-21
  - Removed nasty recursion bug in header sorting
  - Updated DMARC policy reporting

1.1.6   2017-12-20
  - DMARC processing for all domains found in message headers
  - Avoid semicolon in DMARC result comment
  - Updated IPRev (and PTR) to follow CNAMEs
  - Added experimental "Best Guess SPF" option

1.1.6 (ARC)   2017-12-18
  - Fix bug which prevented ARCSealing when Domain != ServerId

1.1.5 (ARC)   2017-12-16
  - First production ready release

1.1.5   2017-12-16
  - Added Mail::Milter::Authentication::Tester module to help with testing handlers
  - Report DMARC policy deviations

1.1.4   2017-10-19
  - Added a FromAlignment checker handler
  - Improvements in timeout handling
  - Added more metrics to the ReturkOK handler
  - Extra optional information in DKIM results

1.1.3 (ARC)   2017-10-02
  - First public release of ARC handler
  - This handler is experimental

1.1.3   2017-10-01
  - Handler for capturing metrics on message size
  - Collect metrics for processing time in each handler/stage
  - Defer internal counting of metrics until after transaction
  - Generate grafana dashboard automatically for installed handlers
  - Allow metrics port to be unix socket
  - Tests for metrics system
  - New handler to gather metrics of the size of messages/headers processed
  - Make the IPRev handler rfc compliant
  - Add metrics for IPRev, PTR, and ReturnOK handlers
  - Stability fixes

1.1.2   2017-08-22
  - Fixed process management under SmartOS
  - Added post processing callback for adding headers (Required for future ARC handler)
  - Improve DNS mocking in tests by using Net::DNS::Resolver::Mock
  - Fix syslog for Debian 9
  - Add DKIM hash algorithm to metrics and AR comments
  - Parse headers for TLS information in SMTP protocol mode
  - Misc bugfixes

1.1.1   2017-04-14
  - Added metrics collection (prometheus)
  - Re-write address parsing code to avoid Email::Address::parse issues
  - SMTP Debugging modes added
  - Correctly handle From header with odd case in DMARC module
  - Added example metrics dashboard for Grafana
  - Metrics bugfixes
  - Improved test suite

1.1.0   2016-07-01
  - Allow email to be rejected by handlers
  - Option to reject DMARC p=reject failures
  - DMARC reject whitelist based on ip or dkim
  - Split X-Google-DKIM checks into own handler
  - DKIM DNS error handling improvements
  - Optionally hide Domainkeys results
  - Updates to improve operation when running as a postfix pre-queue filter
  - Do not drop connections when restarting
  - Better handling of multiple instances
  - Updated daemon control
  - Improved logging

1.0.1   2015-09-11
  - Removed unrequired error handling
  - Fixed some typos (sergeyromanov)
  - Allow relaxed JSON parsing in config

1.0.0   2015-08-22
  - Version bump to avoid confusion with old unreleased versions
  - Cleaned up CPANTS errors
  - Fixed inconsistent versions
  - Moved handler config docs into handlers
  - Fixed possible dependency loop when misconfigured
  - Improve logging to stderr when logtoerr is set

0.1.1   2015-08-05
  - Released to CPAN

0.1.0   2015-07-21
  - Catch warnings and report in log with context.
  - Skip DMARC reporting for specified addresses.

0.08    2015-02-23
  - Fixes header unwrapping issue
  - Allow DMARC reporting to be disabled
  - DMARC: preload the PSL where possible
  - Better SMTP pipeline handling

0.07    2015-02-02
  - Fix up some warning output.
  - Fixed edge case which caused false DKIM failures.
  - Allow use as an SMTP proxy based after queue filter.
  - More test casese added.
  - Allow listening on multiple ports.
  - Bug Fixes.

0.06    2015-01-13
  - First version, released on an unsuspecting world.