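require ["vacation-seconds", "envelope", "regex", "variables"];
#
# TLS autoresponder: every test message gets a reply describing the TLS
# cipher suite that this MTA recorded in its own "Received:" header.
#
# Site settings (rule [SetVariables]):
#   myaddress    - address of this autoresponder; used as the reply's From
#                  and as the vacation :addresses value.
#   serverstring - :matches pattern for the Received: line added by THIS
#                  MTA. The leading "*" captures everything before
#                  "by mail.example.com" into ${1}. With Postfix that is the
#                  "from ... (using TLSv1.x with cipher ...)" clause, which is
#                  only present when smtpd_tls_received_header = yes is set in
#                  main.cf. Keep it specific to this host (see security notes).
#   tlsmarker    - pattern that distinguishes a TLS delivery from a cleartext
#                  one inside that clause (Postfix writes "with cipher NAME").
#   certkey      - RSA key length of the server certificate. Informational
#                  only: it is NOT read from the header and must be kept in
#                  sync with the deployed certificate by hand.
#
# Rate limiting: "vacation :seconds 300" means a given sender is answered at
# most once per 300 seconds; other senders are unaffected.
#
# Security notes for operators:
#   * Replies go to the envelope sender, which is attacker-controlled, so a
#     forged Return-Path turns this script into a backscatter source. The
#     Discard* rules below plus the RFC 5230 vacation safeguards (no reply to a
#     null sender, to list mail, to Auto-Submitted mail, or when our address is
#     not a recipient) limit that; keep them in place.
#   * ${msgrcvd} is echoed back verbatim. It comes from the first Received:
#     header that matches ${serverstring}; with headers tested in message
#     order that is the one our own MTA prepended, so a sender cannot replace
#     it with their own text as long as ${serverstring} names this host.
#     NOTE(review): header iteration order is implementation-defined —
#     confirmed for Pigeonhole, verify on other engines.
#   * Wildcards inside a variable stay active when the variable is used as a
#     :matches pattern (that is what :quotewildcard exists to suppress), so the
#     "*" in ${serverstring} and ${tlsmarker} work as intended.
#   * The "Perfect Forward Secrecy" group/size strings below (P-384, 2048 bits)
#     are NOT read from the header; they are fixed assumptions about this
#     server's configuration and must be updated when it changes.
#
# Written around Pigeonhole Sieve; should work with other engines that provide
# the listed extensions. "regex" and "envelope" are required but not used by
# the rules below; they are kept so the require line need not change later.
#

# rule:[SetVariables]
set "subject" "EMail Security Test";
set "myaddress" "autotest@example.com";
set "serverstring" "*by mail.example.com (Postfix)*";
set "tlsmarker" "*with cipher *";
set "certkey" "4096"; # SSL certificate key length - informational only

# rule:[DiscardSpam]
# Never answer mail the content filter already flagged; replying would be
# backscatter to whoever the spammer forged as sender.
if header :contains "X-Spam-Flag" "YES" {
    discard;
    stop;
}

# rule:[DiscardBulk]
# Subject markers commonly used by bulk/adult advertising.
if header :contains "subject" ["ADV:", "bounceme", "ADV:ADLT", "ADV-ADULT", "ADULT ADVERTISEMENT"] {
    discard;
    stop;
}

# rule:[DiscardLists]
# Mailing-list traffic must never receive an autoreply.
if anyof (
    header "Precedence" "list",
    header "Precedence" "bulk",
    exists "List-Id",
    exists "X-Listname"
) {
    discard;
    stop;
}

# rule:[DiscardSieveLoop]
# A message that already passed through a Sieve engine is dropped to avoid
# autoresponder ping-pong. NOTE(review): this also drops legitimate test
# messages from any sender whose own MTA adds X-Sieve; the RFC 5230
# Auto-Submitted check in the vacation extension already prevents loops between
# compliant autoresponders, so this rule is belt-and-braces.
if exists "X-Sieve" {
    discard;
    stop;
}

# rule:[DiscardSystem]
# Do not answer role accounts. This tests the From: header, which a sender can
# forge freely; the vacation extension's own null-sender check covers bounces.
if address :localpart :is "from" ["postmaster", "MAILER-DAEMON", "hostmaster", "abuse"] {
    discard;
    stop;
}

# rule:[AutoTest]
# Messages of 15K or more are ignored silently (no reply at all).
if size :under 15K {
    if header :matches "Received" "${serverstring}" {
        # Save the capture before any further :matches test overwrites ${1}.
        set "msgrcvd" "${1}";

        # A Received: line from this MTA is present for cleartext deliveries
        # too, so presence alone does not prove TLS. Only report encryption
        # when the cipher clause is actually there; otherwise the reply used
        # to claim "received using encryption" with every detail field blank.
        if string :matches "${msgrcvd}" "${tlsmarker}" {
            set "status" "Your message was received using encryption:";

            # Cipher-suite table. Patterns with a leading space are deliberate:
            # " DHE-RSA-AES128-SHA " must not match "ECDHE-RSA-AES128-SHA",
            # and " AES256-SHA " must not match "...-RSA-AES256-SHA".
            # Branch order matters only where one name is a substring of
            # another; the spaces handle that here.
            if string :matches "${msgrcvd}" "*ECDHE-RSA-AES128-GCM-SHA256*" {
                set "enc" "Algorithm: AES 128-bit RSA";
                set "key" "Public Key Size: ${certkey}";
                set "pfs" "Perfect Forward Secrecy: Elliptical Curve Diffie-Hellman Ephemeral, P-384,384bits";
                set "mode" "Cipher Mode: Galois/Counter Mode (GCM)";
                set "hash" "Message Authentication Code: SHA256";
            } elsif string :matches "${msgrcvd}" "*ECDHE-RSA-AES256-SHA384*" {
                set "enc" "Algorithm: AES 256-bit RSA";
                set "key" "Public Key Size: ${certkey}";
                set "pfs" "Perfect Forward Secrecy: Elliptical Curve Diffie-Hellman Ephemeral, P-384,384bits";
                set "mode" "Cipher Mode: Cipher Block Chaining (CBC)";
                set "hash" "Message Authentication Code: SHA384";
            } elsif string :matches "${msgrcvd}" "*ECDHE-RSA-AES256-GCM-SHA384*" {
                set "enc" "Algorithm: AES 256-bit RSA";
                set "key" "Public Key Size: ${certkey}";
                set "pfs" "Perfect Forward Secrecy: Elliptical Curve Diffie-Hellman Ephemeral, P-384,384bits";
                set "mode" "Cipher Mode: Galois/Counter Mode (GCM)";
                set "hash" "Message Authentication Code: SHA384";
            } elsif string :matches "${msgrcvd}" "* ECDHE-RSA-AES128-SHA *" {
                # Legacy: CBC with SHA-1 (TLS 1.0/1.1 era suite).
                set "enc" "Algorithm: AES 128-bit RSA";
                set "key" "Public Key Size: ${certkey}";
                set "pfs" "Perfect Forward Secrecy: Elliptical Curve Diffie-Hellman Ephemeral, P-384,384bits";
                set "mode" "Cipher Mode: Cipher Block Chaining (CBC)";
                set "hash" "Message Authentication Code: SHA1";
            } elsif string :matches "${msgrcvd}" "*ECDHE-RSA-AES256-SHA *" {
                # Legacy: CBC with SHA-1.
                set "enc" "Algorithm: AES 256-bit RSA";
                set "key" "Public Key Size: ${certkey}";
                set "pfs" "Perfect Forward Secrecy: Elliptical Curve Diffie-Hellman Ephemeral, P-384,384bits";
                set "mode" "Cipher Mode: Cipher Block Chaining (CBC)";
                set "hash" "Message Authentication Code: SHA1";
            } elsif string :matches "${msgrcvd}" "* DHE-RSA-AES128-SHA *" {
                # Legacy: CBC with SHA-1.
                set "enc" "Algorithm: AES 128-bit RSA";
                set "key" "Public Key Size: ${certkey}";
                set "pfs" "Perfect Forward Secrecy: Diffie-Hellman Ephemeral, 2048 bits";
                set "mode" "Cipher Mode: Cipher Block Chaining (CBC)";
                set "hash" "Message Authentication Code: SHA1";
            } elsif string :matches "${msgrcvd}" "* DHE-RSA-AES256-SHA *" {
                # Legacy: CBC with SHA-1.
                set "enc" "Algorithm: AES 256-bit RSA";
                set "key" "Public Key Size: ${certkey}";
                set "pfs" "Perfect Forward Secrecy: Diffie-Hellman Ephemeral, 2048 bits";
                set "mode" "Cipher Mode: Cipher Block Chaining (CBC)";
                set "hash" "Message Authentication Code: SHA1";
            } elsif string :matches "${msgrcvd}" "* AES256-SHA *" {
                # Static RSA key exchange: no forward secrecy. (The original
                # script listed this suite twice; the second copy was dead.)
                set "enc" "Algorithm: AES 256-bit RSA";
                set "key" "Public Key Size: ${certkey}";
                set "pfs" "Perfect Forward Secrecy: None";
                set "mode" "Cipher Mode: Cipher Block Chaining (CBC)";
                set "hash" "Message Authentication Code: SHA1";
            } elsif string :matches "${msgrcvd}" "* AES128-SHA *" {
                # Static RSA key exchange: no forward secrecy.
                set "enc" "Algorithm: AES 128-bit RSA";
                set "key" "Public Key Size: ${certkey}";
                set "pfs" "Perfect Forward Secrecy: None";
                set "mode" "Cipher Mode: Cipher Block Chaining (CBC)";
                set "hash" "Message Authentication Code: SHA1";
            } elsif string :matches "${msgrcvd}" "* AES128-GCM-SHA256 *" {
                # Static RSA key exchange: no forward secrecy.
                # Fixed: this suite's hash is SHA256 (was reported as SHA1).
                set "enc" "Algorithm: AES 128-bit RSA";
                set "key" "Public Key Size: ${certkey}";
                set "pfs" "Perfect Forward Secrecy: None";
                set "mode" "Cipher Mode: Galois/Counter Mode (GCM)";
                set "hash" "Message Authentication Code: SHA256";
            } elsif string :matches "${msgrcvd}" "* AES256-GCM-SHA256 *" {
                # NOTE(review): OpenSSL has no TLS 1.2 suite of this name (the
                # RSA/AES-256-GCM suite is AES256-GCM-SHA384, handled next), so
                # this branch most likely never matches. Kept for compatibility;
                # confirm and drop.
                set "enc" "Algorithm: AES 256-bit RSA";
                set "key" "Public Key Size: ${certkey}";
                set "pfs" "Perfect Forward Secrecy: None";
                set "mode" "Cipher Mode: Galois/Counter Mode (GCM)";
                set "hash" "Message Authentication Code: SHA256";
            } elsif string :matches "${msgrcvd}" "* AES256-GCM-SHA384 *" {
                # Static RSA key exchange: no forward secrecy.
                set "enc" "Algorithm: AES 256-bit RSA";
                set "key" "Public Key Size: ${certkey}";
                set "pfs" "Perfect Forward Secrecy: None";
                set "mode" "Cipher Mode: Galois/Counter Mode (GCM)";
                set "hash" "Message Authentication Code: SHA384";
            } elsif string :matches "${msgrcvd}" "* DHE-RSA-AES256-GCM-SHA384 *" {
                set "enc" "Algorithm: AES 256-bit RSA";
                set "key" "Public Key Size: ${certkey}";
                set "pfs" "Perfect Forward Secrecy: Diffie-Hellman Ephemeral, 2048 bits";
                set "mode" "Cipher Mode: Galois/Counter Mode (GCM)";
                set "hash" "Message Authentication Code: SHA384";
            } elsif string :matches "${msgrcvd}" "* DHE-RSA-AES128-GCM-SHA256 *" {
                set "enc" "Algorithm: AES 128-bit RSA";
                set "key" "Public Key Size: ${certkey}";
                set "pfs" "Perfect Forward Secrecy: Diffie-Hellman Ephemeral, 2048 bits";
                set "mode" "Cipher Mode: Galois/Counter Mode (GCM)";
                set "hash" "Message Authentication Code: SHA256";
            } elsif string :matches "${msgrcvd}" "* DHE-RSA-AES256-SHA256 *" {
                set "enc" "Algorithm: AES 256-bit RSA";
                set "key" "Public Key Size: ${certkey}";
                set "pfs" "Perfect Forward Secrecy: Diffie-Hellman Ephemeral, 2048 bits";
                set "mode" "Cipher Mode: Cipher Block Chaining (CBC)";
                set "hash" "Message Authentication Code: SHA256";
            } elsif string :matches "${msgrcvd}" "* ECDHE-RSA-AES128-SHA256 *" {
                set "enc" "Algorithm: AES 128-bit RSA";
                set "key" "Public Key Size: ${certkey}";
                set "pfs" "Perfect Forward Secrecy: Elliptical Curve Diffie-Hellman Ephemeral, P-384,384bits";
                set "mode" "Cipher Mode: Cipher Block Chaining (CBC)";
                set "hash" "Message Authentication Code: SHA256";
            } elsif string :matches "${msgrcvd}" "* DHE-RSA-AES128-SHA256 *" {
                set "enc" "Algorithm: AES 128-bit RSA";
                set "key" "Public Key Size: ${certkey}";
                set "pfs" "Perfect Forward Secrecy: Diffie-Hellman Ephemeral, 2048 bits";
                set "mode" "Cipher Mode: Cipher Block Chaining (CBC)";
                set "hash" "Message Authentication Code: SHA256";
            } elsif string :matches "${msgrcvd}" "* TLS_AES_256_GCM_SHA384 *" {
                # TLS 1.3 (OpenSSL/IANA suite name). A TLS 1.3 full handshake
                # always uses an ephemeral (EC)DHE key share, but the group is
                # not part of the cipher-suite name, so it cannot be reported
                # from this header.
                set "enc" "Algorithm: AES 256-bit (TLS 1.3)";
                set "key" "Public Key Size: ${certkey}";
                set "pfs" "Perfect Forward Secrecy: Yes - ephemeral (EC)DHE key exchange (TLS 1.3); group not recorded in header";
                set "mode" "Cipher Mode: Galois/Counter Mode (GCM)";
                set "hash" "Message Authentication Code: SHA384";
            } elsif string :matches "${msgrcvd}" "* TLS_AES_128_GCM_SHA256 *" {
                # TLS 1.3.
                set "enc" "Algorithm: AES 128-bit (TLS 1.3)";
                set "key" "Public Key Size: ${certkey}";
                set "pfs" "Perfect Forward Secrecy: Yes - ephemeral (EC)DHE key exchange (TLS 1.3); group not recorded in header";
                set "mode" "Cipher Mode: Galois/Counter Mode (GCM)";
                set "hash" "Message Authentication Code: SHA256";
            } elsif string :matches "${msgrcvd}" "* TLS_CHACHA20_POLY1305_SHA256 *" {
                # TLS 1.3.
                set "enc" "Algorithm: ChaCha20 256-bit (TLS 1.3)";
                set "key" "Public Key Size: ${certkey}";
                set "pfs" "Perfect Forward Secrecy: Yes - ephemeral (EC)DHE key exchange (TLS 1.3); group not recorded in header";
                set "mode" "Cipher Mode: ChaCha20-Poly1305 (AEAD)";
                set "hash" "Message Authentication Code: Poly1305";
            } else {
                # Encrypted, but with a suite not in the table (e.g. an ECDSA
                # certificate suite or a TLS 1.2 CHACHA20 suite). Say so rather
                # than sending a report with blank fields; the raw clause in
                # ${msgrcvd} still shows the suite name to the reader.
                set "enc" "Algorithm: cipher suite not recognised by this script (see header excerpt above)";
                set "key" "Public Key Size: ${certkey}";
                set "pfs" "Perfect Forward Secrecy: unknown";
                set "mode" "Cipher Mode: unknown";
                set "hash" "Message Authentication Code: unknown";
            }
        } else {
            # Our Received: line is present but carries no cipher clause:
            # cleartext SMTP.
            set "status" "Your message DID NOT use encryption.";
        }
    } else {
        # No Received: line from this MTA matched ${serverstring}. Either the
        # message was injected locally or ${serverstring} is misconfigured;
        # in both cases nothing can be said about transport encryption.
        set "status" "Your message DID NOT use encryption.";
    }

    # One reply per sender per 300 seconds (vacation-seconds); the vacation
    # extension also refuses to answer null senders, list and auto-submitted
    # mail, and messages where ${myaddress} is not an addressee.
    vacation :seconds 300
        :addresses "${myaddress}"
        :subject "${subject}"
        :from "${myaddress}"
        text:
${status}
${msgrcvd}
${enc}
${key}
${pfs}
${mode}
${hash}
.
;
}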