sub filter ($$$$) { my($entity, $fname, $ext, $type) = @_; return if message_rejected(); # Avoid unnecessary work my $part_head = $entity->head; $entity->sync_headers(Length=>'COMPUTE'); my $length = $part_head->get('Content-length'); # Work out whether the recipient domain needs encryption my %domains; my @domtmp; my $rcptdom,$senddom; my @domlist; my $domcount= -1; # start at -1 to allow for sender addition to list my $enccount=0; my $msgencrypted=0; # Count the number of distinct domains, and number requiring encryption my @recs; push @recs, $Sender; foreach my $recip (@Recipients) { push @recs, $recip; } my $cleansender=$Sender; $cleansender=~ s///g; @domtmp = split /@/,$cleansender; $senddom=$domtmp[1]; $senddom=~ s/>//; foreach my $recip ( @recs ) { my $cleanrecip=$recip; $cleanrecip=~ s///g; @domtmp = split /@/,$cleanrecip; $rcptdom=$domtmp[1]; $rcptdom=~ s/>//; if (! exists $domains{$rcptdom} ) { $domains{$rcptdom}=1; $domcount++; if ( exists $EncryptionRequired{$rcptdom}) { md_syslog('debug',"Exception check - $cleansender -> $cleanrecip"); if (! exists $EncryptionException{$cleansender} && ! exists $EncryptionException{$cleanrecip}) { $enccount++; push @domlist, $rcptdom; md_syslog('debug',"Domain $rcptdom requires encryption"); } else { md_syslog('debug',"Encryption exception detected - $cleansender -> $cleanrecip"); } } } } md_syslog('info',"Att-check: MsgID=$MsgID, Name=$fname, Type=$type, size=$length,sender=$Sender, Recips = @Recipients, doms=$domcount, encs=$enccount, lastdom=$rcptdom"); if ( ($enccount != $domcount ) && ( $enccount != 0 ) ) { md_syslog('info',"Mixing encrypted and un-encrypted domains, sender=$Sender, Recips = @Recipients"); action_notify_administrator("Unencrypted mail from $Sender to mixed domains including mandatory encrypted domain, recips=@Recipients"); action_quarantine_entire_message("Sending unencrypted messages to multiple addresses including addresses which require encryption not allowed - see http://pgp.ionixpharma.com/policy.htm for details."); action_bounce(" *** Sending unencrypted messages to multiple addresses including addresses which require encryption not allowed - see http://pgp.ionixpharma.com/policy.htm for details. Please also ensure that you DO NOT send mail in HTML format."); } # Detect encrypted messages # S/MIME messages look like: #type=application/pkcs7-mime #extension=.p7m, #file=smime.p7m $msgencrypted=0; if ( (lc($type) eq "application/pkcs7-mime" ) || ($ext eq ".p7m") ) { md_syslog('info',"S/MIME e-mail! - type=$type, extension=$ext"); $msgencrypted=1; md_graphdefang_log('S/MIME'); } # refuse ASCII armored attachments of over 2Mb if ( ($ext =~ /asc/i ) && ( $length > 2*1024*1024) ) { md_syslog('debug',"PGP with large ASC attachment - message bounced, size=$length, $MsgID, $Sender, @Recipients\n"); action_notify_administrator("Bad PGP attachment - ASCII, over 2Mb ($length)\nSender: $Sender\nRecipients: @Recipients\nSubject: $Subject\n"); action_quarantine_entire_message("Bad PGP ASCII attachment, length=$length"); md_graphdefang_log('PGP_ASCII'); return action_bounce(" *** ASCII armored PGP attachment refused. Please send all attachments as .PGP files, NOT as .ASC, as this cannot be guaranteed to work. Please also ensure that you DO NOT send mail in HTML format."); } $pgplevel=pgp_check($entity,$fname,$type); if ( $pgplevel > 0 ) { # $msgencrypted=1; # temporary fix for testing - remove when live md_syslog('debug',"PGP LEVEL INADEQUATE - message bounced, $MsgID, $Sender, @Recipients\n"); action_notify_administrator("Inadequate PGP key list detected\nSender: $Sender\nRecipients: @Recipients\nSubject: $Subject\n"); action_quarantine_entire_message("Inadequate PGP key list - corporate key not found, or message could not be decrypted"); action_bounce(" *** All encrypted messages must be encrypted to the Ionix Corporate key as well as all recipients. See http://pgp.ionixpharma.com/policy.htm for details. Please also ensure that you DO NOT send mail in HTML format."); md_graphdefang_log('PGP_keymissing'); } elsif ($pgplevel == 0 ) { md_syslog('debug',"PGP detected, encryption OK - message will be delivered, $MsgID, $Sender, @Recipients\n"); $msgencrypted=1; md_graphdefang_log('PGP_body'); } elsif ($pgplevel == -1 ) { # md_syslog('debug',"PGP - too small to be a problem - message will be delivered, $MsgID, $Sender, @Recipients\n"); $msgencrypted=1; } elsif ($pgplevel == -2 ) { md_syslog('debug',"PGP error - partially encrypted, $MsgID, $Sender, @Recipients\n"); $msgencrypted=0; } # else not encrypted elsif ($pgplevel == -3 ) { md_syslog('debug',"PGP - $fname ($type) Not encrypted, $MsgID, $Sender, @Recipients\n"); $msgencrypted=0; } if ( $msgencrypted < 1 ) { # get the entity body as an array of lines so we can examine it my $body = $entity->bodyhandle; my @bodylines = $body->as_lines; # allow for null parts which would otherwise be detected as unencrypted my $bodylinecount= scalar @bodylines; md_syslog('debug',"Body check - $bodylinecount lines in $fname/$type"); if ( $bodylinecount < 5 ) { $msgencrypted=1; } } # end < 1 # now check that encryption has been used if it is required if ( $enccount > 0 ) { if ( $msgencrypted < 1 ) { md_syslog('warning',"Unencrypted message to/from Mandatory-encrypted domain $rcptdom, sender=$Sender, Recips = @Recipients"); action_notify_administrator("Unencrypted mail from $Sender to mandatory encrypted domain, Encryption required for $enccount domains, encryption check returns $msgencrypted, recips=@Recipients"); action_quarantine_entire_message("Sending unencrypted messages between $senddom and $rcptdom not allowed - see http://pgp.ionixpharma.com/policy.htm for details.\nSender:$Sender\nRecipients = @Recipients\n"); action_bounce(" *** Sending unencrypted messages between $senddom and $rcptdom not allowed - see http://pgp.ionixpharma.com/policy.htm for details. Please also ensure that you DO NOT send mail in HTML format."); } }