Filter AutoResponder on "From: " address (already filtered on To:)

Author: pjkundert

slip39/invoice/communications.py

@@ -21,6 +21,7 @@
 import ssl
 import sys
 
+from fnmatch		import fnmatch
 from subprocess		import Popen, PIPE
 
 import click
@@ -58,10 +59,29 @@ def mx_records( domain, timeout=None ):
         yield mx
 
 
-def matchaddr( address, mailbox=None, domain=None ):
-    """The supplied email address begins with "<mailbox>", optionally followed by a "+<extension>", and
-    then ends with "@<domain>".  If so, return the re.match w/ the 3 groups.  If either 'mailbox' or
-    'domain' is falsey, any will be allowed.
+def matchglob( string, pattern ):
+    """Returns the 'string' matching the Glob 'pattern', nor None."""
+    if set( '*?[' ) & set( pattern ):
+        if fnmatch( string, pattern ):
+            return string
+    elif pattern == string:
+        return string
+
+
+def matchaddr( address, mailbox=None, extension=None, domain=None ):
+    """Parse and email address (eg. from "Real Name <[email protected]>"), and return its
+    (<mailbox>,<extension>,<domain>), or None if no address parsed/matched.
+
+    The supplied email address begins with "<mailbox>", optionally followed by a "+<extension>", and
+    then ends with "@<domain>".  If so, return the re.match's 3 groups.  Note: a group may be None
+    if not present, ie. "[email protected]" returns ("someone", None, "domain.com").  If 'mailbox',
+    'extension' or 'domain' are falsey, any will be allowed.
+
+    Allows Glob-style patterns in the supplied 'mailbox', 'extension' or 'domain', eg:
+
+        domain="dominion*.c*"
+
+    would match email addresses to both "[email protected]" and "[email protected]"
 
     Does not properly respect email addresses with quoting, eg. 'abc"123@456"@domain.com' because,
     quite frankly, I don't want to and that's just "Little Bobby Tables" (https://xkcd.com/327/)
@@ -70,11 +90,14 @@ def matchaddr( address, mailbox=None, domain=None ):
     Simple <mailbox>[+<extension>]@<domain>, please.
 
     """
-    return re.match(
-        rf"(^{mailbox if mailbox else '[^@+]*'})(?:\+([^@]+))?@({domain if domain else '.*'})",
+    m			= re.match(
+        r"(^[^@+]+)(?:\+([^@]+))?@(.*)",
         utils.parseaddr( address )[1],
-        re.IGNORECASE
     )
+    if ( not mailbox or ( m.group( 1 ) and matchglob( m.group( 1 ).lower(), mailbox.lower() ))):
+        if ( not extension or ( m.group( 2 ) and matchglob( m.group( 2 ).lower(), extension.lower() ))):
+            if ( not domain or ( m.group( 3 ) and matchglob( m.group( 3 ).lower(), domain.lower() ))):
+                return m.groups()
 
 
 def dkim_message(
@@ -117,7 +140,7 @@ def dkim_message(
     if headers is None:
         headers			= ["From", "To", "Subject"]
 
-    sender_domain		= matchaddr( sender_email ).group( 3 )
+    sender_domain		= matchaddr( sender_email )[2]
 
     msg				= multipart.MIMEMultipart("alternative")
     msg.attach(text.MIMEText(message_text, "plain"))
@@ -428,24 +451,37 @@ def response( self, msg, new_id=None ):
             # Prefer the sender field per RFC 2822:3.6.2.
             sender_m		= matchaddr( rsp['Sender'] if 'Sender' in rsp else rsp['From'] )
             if sender_m:
-                domain		= sender_m.group( 3 )
+                domain		= sender_m[2]
             rsp['Message-ID']	= utils.make_msgid( domain=domain )
         return rsp
 
 
 class AutoResponder( PostQueue ):
+    """Filter DKIM-signed emails by Sender:/From: address, and auto-respond by sending a copy to all
+    Cc/Bcc/Reply-To recipients.
+
+    This is useful when incoming emails generated by an automated process have been DKIM-signed, and
+    can therefore not have their To: field modified; there is no generally accepted method for delivering
+    such emails to multiple parties.
+
+    Once we are reasonably assured that this email is going to be delivered (eg. if it carries a
+    financially costly payload, such as a Cryptocurrency wallet address, or the means to derive it),
+    we may use this filter to (also) inform the intended recipient(s) (eg. in the Cc/Bcc/Reply-To)
+    to proceed with the payment into the designated Cryptocurrency account.
+
+    """
     def __init__( self, *args, address=None, server=None, port=None, **kwds ):
-        m			= matchaddr( address or '' )
-        assert m, \
-            f"Must supply a valid email destination address to auto-respond to: {address}"
+        address_m			= matchaddr( address or '' )
+        assert address_m, \
+            f"Must supply a valid email From: address to auto-respond to: {address}"
         self.address		= address
-        self.mailbox,self.extension,self.domain	= m.groups()
+        self.mailbox,self.extension,self.domain	= address_m
         self.relay		= 'localhost' if server is None else server
         self.port		= 25 if port is None else port
 
         super().__init__( *args, **kwds )
 
-        log.info( f"autoresponding to DKIM-signed emails To: {self.address}@{self.domain}" )
+        log.info( f"autoresponding to DKIM-signed emails From: {self.address}@{self.domain}" )
 
     def __call__( self, from_addr, *to_addrs ):
         """Decide if we should auto-respond, and do so.  Return the email.Message, and an appropriate
@@ -460,40 +496,50 @@ def __call__( self, from_addr, *to_addrs ):
         log.info( f"Filtered From: {self.msg['From']}, To: {self.msg['To']}"
                   f" originally     from {from_addr} to {len(to_addrs)} recipients: {commas( to_addrs, final='and' )}" )
 
-        # Detect if this is a message we are intended to autorespond to; if not, do nothing.
-        if 'To' not in self.msg or not matchaddr( self.msg['To'], mailbox=self.mailbox, domain=self.domain ):
-            log.warning( f"Message From: {self.msg['From']}, To: {self.msg['To']} expected To: {self.address}; not auto-responding" )
+        # Detect if this is a message we are intended to autorespond to; if not, do nothing.  First thing, ensure
+        # that its Sender:/From: matches address (allows Glob wildcards).
+        from_m			= matchaddr(
+            self.msg['Sender'] or self.msg['From'],
+            mailbox	= self.mailbox,
+            extension	= self.extension,
+            domain	= self.domain
+        )
+        if not from_m:
+            log.warning( f"Message From: {self.msg['From']}, To: {self.msg['To']} expected Sender:/From: {self.address}; not auto-responding" )
             return 0
-        if 'dkim-signature' not in self.msg:
+        if 'DKIM-Signature' not in self.msg:
             log.warning( f"Message From: {self.msg['From']}, To: {self.msg['To']} is not DKIM signed; not auto-responding" )
             return 0
         if not dkim.verify( self.msg.as_bytes() ):
             log.warning( f"Message From: {self.msg['From']}, To: {self.msg['To']} DKIM signature fails; not auto-responding " )
             return 0
 
         # This message is a target: Normalize, uniqueify and filter the addresses (discarding
-        # invalids).  Avoid sending it to the designated self.address, as this would set up a mail
-        # loop.
+        # invalids).  Avoid sending it to the designated To: address as this would likely set up a
+        # mail loop.
+        to_addr			= utils.parseaddr( self.msg['To'] )[1]  # May be empty, if no To: in header
         to_addrs_filt		= [
             fa
             for fa in uniq( filter( None, (
                 utils.parseaddr( a )[1]
                 for a in to_addrs
             )))
-            if fa != self.address
+            if fa != to_addr
         ]
 
         # Get the outgoing message; also use the Reply-To: address, if supplied
         self.rsp		= self.response( self.msg )
-        if 'reply-to' in self.rsp:
-            _,reply_to		= utils.parseaddr( self.rsp['reply-to'] )
+        if 'Reply-To' in self.rsp:
+            _,reply_to		= utils.parseaddr( self.rsp['Reply-To'] )
             if reply_to not in to_addrs_filt:
                 to_addrs_filt.append( reply_to )
         self.rsp_peers		= (from_addr, tuple( to_addrs_filt ))
-
         log.info( f"Response From: {self.rsp['From']}, To: {self.rsp['To']}"
                   f" autoresponding from {from_addr} to {len(to_addrs_filt)} recipients: {commas( to_addrs_filt, final='and' )}"
                   + ( ""  if set( to_addrs ) == set( to_addrs_filt ) else f" (was {len(to_addrs)}: {commas( to_addrs, final='and' )})" ))
+        if not to_addrs_filt:
+            log.warning( f"Message From: {self.msg['From']}, To: {self.msg['To']} has no additional recipients; not auto-responding " )
+            return 0
 
         # Now, send the same message to all the supplied Reply-To, and Cc/Bcc addresses (which were
         # already in to_addrs).  If it is DKIM signed, it will remain so, since we're not adjusting
@@ -533,7 +579,7 @@ def cli( verbose, quiet, json ):
 
 
 @click.command()
-@click.argument( 'address', nargs=1 )
+@click.argument( 'address', nargs=1 )		# Only auto-respond to message with Sender:/From: this address
 @click.argument( 'from_addr', nargs=1 )
 @click.argument( 'to_addrs', nargs=-1 )
 @click.option( '--server', default='localhost' )
@@ -552,12 +598,42 @@ def autoresponder( address, from_addr, to_addrs, server, port, reinject ):
       - We won't autorespond to copies forwarded from other email addresses
 
 
-    Configure Postfix system as per: https://github.com/innovara/autoreply, eg.:
+    Build/install Python3.10
+     $ wget https://www.python.org/ftp/python/3.10.9/Python-3.10.9.tgz
+     $ sudo apt-get -u  install wget build-essential libreadline-gplv2-dev libncursesw5-dev libssl-dev \
+         libsqlite3-dev tk-dev libgdbm-dev libc6-dev libbz2-dev libffi-dev zlib1g-dev
+     $ tar xzf Python-3.10.9.tgz
+     $ cd Python-3.10.9
+     $ ./configure --enable-optimizations --with-readline
+     $ make
+     $ make altinstall
+
+    Install python-slip39
+
+      # python3.10 -m pip install https://github.com/pjkundert/python-slip39/archive/feature-invoice.zip#egg=slip39[gui,wallet]
+
+    Configure Postfix system roughly as per: https://github.com/innovara/autoreply,
+    to run our slip39.invoice.communications autoresponder
+
+    - Create 'autoreply' user, and /opt/autoreply (not presently used)
+      - Only necessary if your filter uses filesystem; otherwise, use 'nobody'
+
+    - Configure /etc/postfix/master.cf to run the autoreply filter
 
         # autoresponder pipe
         autoreply unix  -       n       n       -       -       pipe
          flags= user=autoreply null_sender=
-         argv=python3 -m slip39.invoice.communication autoresponder [email protected] ${sender} ${recipient}
+         argv=/usr/local/bin/python3.10 -m slip39.invoice.communication autoresponder [email protected] ${sender} ${recipient}
+
+    - Create /etc/postfix/autoreply w/ lines like (and postmap /etc/postfix/autoreply):
+
+        [email protected]	FILTER	autoreply:dummy
+
+    - Configure /etc/postfix/main.cf to process the autoreply filter
+
+        # Trigger the autoreply filter for specified recipient addresses
+        smtpd_recipient_restrictions =
+            check_recipient_access hash:/etc/postfix/autoreply
 
     """
     ar				= AutoResponder(
@@ -567,25 +643,25 @@ def autoresponder( address, from_addr, to_addrs, server, port, reinject ):
         reinject	= reinject,
     )
     status			= ar( from_addr, *to_addrs )
-    if cli.json:
+    if cli.json and cli.verbosity:
         click.echo( json.dumps( dict(
             dict(
                 dict(
                     Original	= ar.msg.as_string() if ar.msg else None,
-                ) if cli.verbosity > 1 else dict(),
+                ) if cli.verbosity > 2 else dict(),
                 Response	= ar.rsp.as_string() if ar.rsp else None,
-            ) if cli.verbosity > 0 else dict(),
+            ) if cli.verbosity > 1 else dict(),
             status		= status,
             MAIL_FROM		= ar.rsp_peers[0],
             RCPT_TOs		= ar.rsp_peers[1],
         ), indent=4 ))
-    else:
+    elif cli.verbosity:
         click.echo( f"status:    {status}" )
         click.echo( f"MAIL FROM: {ar.rsp_peers[0]}" )
         click.echo( f"RCPT TOs:  {commas( ar.rsp_peers[1] )}" )
-        if cli.verbosity > 1:
+        if cli.verbosity > 2:
             click.echo( f"Original:\n{ar.msg.as_string() if ar.msg else None}" )
-        if cli.verbosity > 0:
+        if cli.verbosity > 1:
             click.echo( f"Response:\n{ar.rsp.as_string() if ar.rsp else None}" )
     sys.exit( status )
 

slip39/invoice/communications_test.py

@@ -16,8 +16,7 @@
 
 log				= logging.getLogger( __package__ )
 
-# If we find a key, lets use it.  Otherwise, we'll just use the pre-defined pre-signed email.Message
-
+# If we find a DKIM key, lets use it.  Otherwise, we'll just use the pre-defined pre-signed email.Message
 dkim_keys			= list( Path( __file__ ).resolve().parent.parent.parent.glob( 'licensing.dominionrnd.com.*.key' ))
 dkim_key			= None
 dkim_msg			= None
@@ -34,6 +33,7 @@
 To: [email protected]
 Reply-To: [email protected]
 Subject: Hello, world!
+Content-Type: multipart/alternative; boundary================1903566236404015660==
 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=licensing.dominionrnd.com; [email protected]; q=dns/txt; s=20221230; t=1673405994; h=from : to;\
  bh=RkF6KP4Q94MVDBEv7pluaWdzw0z0GNQxK72rU02XNcE=; b=Tao30CJGcqyX86f37pSrSFLSDvA8VkzQW0jiMf+aFg5D99LsUYmUZxSgnDhW2ZEzjwu6bzjkEEyvSEv8LxfDUW+AZZG3enbq/mnnUZw3PXp4l\
 MaZGN9whvTIUy4/QUlMGKuf+7Vzi+8eKKjh4CWKN/UEyX6YoU7V5eyjTTA7q1jIjEl8jiM4LXYEFQ9LaKUmqqmRh2OkxBVf1QG+fEYTYUed+oS05m/d1SyVLjxv8ldeXT/mGgm1CrGk1qfRTzfcksX4qNAluTfJTa\
@@ -52,22 +52,26 @@
 
 <em>Testing 123</em>
 --===============1903566236404015660==--
+
 """ )
 
 log.warning( f"Using DKIM: {dkim_selector}: {dkim_key}" )
 
 
 def test_communications_matchaddr():
-    assert matchaddr( "abc+def@xyz", mailbox="abc", domain="xyz" ).groups() == ("abc", "def", "xyz")
-    assert matchaddr( "abc+def@xyz",                domain="xYz" ).groups() == ("abc", "def", "xyz")
-    assert matchaddr( "abc+def@xyz", mailbox="Abc"               ).groups() == ("abc", "def", "xyz")
-    assert matchaddr( "abc+def@xyz",                             ).groups() == ("abc", "def", "xyz")
-    assert matchaddr( "abc+def@xyz",                             ).group( 3 ) == "xyz"
+    assert matchaddr( "abc+def@xyz", mailbox="abc", domain="xyz" ) == ("abc", "def", "xyz")
+    assert matchaddr( "abc+def@xyz",                domain="xYz" ) == ("abc", "def", "xyz")
+    assert matchaddr( "abc+def@xyz", mailbox="Abc"               ) == ("abc", "def", "xyz")
+    assert matchaddr( "abc+def@xyz",                             ) == ("abc", "def", "xyz")
+    assert matchaddr( "abc+def@xyz", "a*c","*f","x?z"            ) == ("abc", "def", "xyz")
+    assert matchaddr( "abc+def@xyz", "b*c","*f","x?z"            ) is None
+    assert matchaddr( "abc+def@xyz", "a*c","*f","x?"             ) is None
+    assert matchaddr( "abc+def@xyz",                             )[2] == "xyz"
     assert matchaddr( "abc+def@xyz", mailbox="xxx"               ) is None
 
 
 def test_communications_dkim():
-    msg				= dkim_message(
+    msg				= dkim_msg if not dkim_key else dkim_message(
         sender_email	= SMTP_FROM,			# Message From: specifies claimed sender
         to_email	= SMTP_TO,			# See https://dkimvalidator.com to test!
         reply_to_email	= "[email protected]",
@@ -77,7 +81,7 @@ def test_communications_dkim():
         dkim_private_key_path = dkim_key,
         dkim_selector	= dkim_selector,
         headers		= ['From', 'To'],
-    ) if dkim_key else dkim_msg
+    )
 
     log.info( f"DKIM Message: {msg}" )
 
@@ -108,27 +112,31 @@ def test_communications_dkim():
     # recipient of the response.  I guess, to avoid using "bounces" to send SPAM email.  Therefore,
     # the auto-responder must be programmed to use the Reply-To address -- something that eg. Gmail
     # cannot be programmed to do.
-    send_message(
-        msg,
-        #from_addr	= SMTP_FROM,		# Envelope MAIL FROM: specifies actual sender
-        #to_addrs	= [ SMTP_TO ],		# Will be the same as message To: (should default)
-        #relay		= ['mail2.kundert.ca'],  # 'localhost',   # use eg. ssh -fNL 0.0.0.0:25:linda.mx.cloudflare.net:25 [email protected]
-        #port		= 25,  # 465 --> SSL, 587 --> TLS (default),
-        #usessl = False, starttls = False, verifycert = False,  # to mail.kundert.ca; no TLS
-        #usessl = False, starttls = True, verifycert = False,  # default
-    )
-    # This may fail (eg. if you have no access to networking), so we don't check.
+    try:
+        send_message(
+            msg,
+            #from_addr	= SMTP_FROM,		# Envelope MAIL FROM: specifies actual sender
+            #to_addrs	= [ SMTP_TO ],		# Will be the same as message To: (should default)
+            relay		= ['mail2.kundert.ca'],  # 'localhost',   # use eg. ssh -fNL 0.0.0.0:25:linda.mx.cloudflare.net:25 [email protected]
+            #port		= 25,  # 465 --> SSL, 587 --> TLS (default),
+            #usessl = False, starttls = False, verifycert = False,  # to mail.kundert.ca; no TLS
+            #usessl = False, starttls = True, verifycert = False,  # default
+        )
+    except Exception as exc:
+        # This may fail (eg. if you have no access to networking), so we don't check.
+        log.warning( f"Failed to send DKIM-validated email to {SMTP_TO}: {exc}" )
+        pass
 
 
 def test_communications_autoresponder( monkeypatch ):
-    """The Postfix-compatible auto-responder takes an email from stdin, and auto-forwards it (via a
-    relay; normally the same Postfix installation that it is running within).
+    """The Postfix-compatible auto-responder takes an email.Message from stdin, and auto-forwards it
+    (via a relay; normally the same Postfix installation that it is running within).
 
     Let's shuttle a simple message through the AutoResponder, and fire up an SMTP daemon to receive
     the auto-forwarded message(s).
 
     """
-    msg				= dkim_message(
+    msg				= dkim_msg if not dkim_key else dkim_message(
         sender_email	= SMTP_FROM,			# Message From: specifies claimed sender
         to_email	= SMTP_TO,			# See https://dkimvalidator.com to test!
         reply_to_email	= "[email protected]",
@@ -138,13 +146,13 @@ def test_communications_autoresponder( monkeypatch ):
         dkim_private_key_path = dkim_key,
         dkim_selector	= dkim_selector,
         headers		= ['From', 'To'],
-    ) if dkim_key else dkim_msg
+    )
 
     envelopes		= []
 
     class PrintingHandler:
         async def handle_RCPT(self, server, session, envelope, address, rcpt_options):
-            if matchaddr( address ).group( 3 ) not in ('dominionrnd.com', 'kundert.ca'):
+            if matchaddr( address )[2] not in ('dominionrnd.com', 'kundert.ca'):
                 return f'550 not relaying to {address}'
             envelope.rcpt_tos.append(address)
             return '250 OK'
@@ -190,7 +198,7 @@ async def handle_DATA(self, server, session, envelope):
 
     monkeypatch.setattr( 'sys.stdin', StringIO( msg.as_string() ))
     ar				= AutoResponder(
-        address		= SMTP_TO,
+        address		= SMTP_FROM,
         server		= controller.hostname,
         port		= controller.port,
         reinject	= False,
@@ -217,7 +225,7 @@ async def handle_DATA(self, server, session, envelope):
             '--port',		controller.port,
             #'--no-reinject',
             '--reinject',	"echo",
-            'licensing@dominionrnd.com',
+            '*@*licensing.dominionrnd.com',  # allow any sender mailbox, any ...licensing subdomain of dominionrnd.com
             from_addr,
             *to_addrs
         ] ))