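# Begin: Custom macros and commands for all e-mails BEFORE processing
log(1,'Begin: Custom macros and commands for all e-mails BEFORE processing');

# Begin: Setting EDIFACT informations
# Policy values read by the EDIFACT_* macros defined below.
setvar('edifact_mailbox_regex','email\.address@domain\.tld');
setvar('clearing_mailbox','clearing@domain.tld');
# EDIFACT message-type keywords; EDIFACT_subject_check requires one of them in the subject.
setvar('keywords','ALOCAT|APERAK|CONTRL|CREMUL|DELFOR|DELJIT|DESADV|IFCSUM|IFTDGN|IFTMBC|IFTMBF|IFTMBP|IFTMIN|IFTSTA|IMBNOT|INSDES|INSRPT|INVOIC|INVRPT|MSCONS|NOMINT|NOMRES|ORDCHG|ORDERS|ORDRSP|QUOTES|PAYMUL|PAYORD|PRICAT|PRODAT|RECADV|REMADV|REQOTE|SLSRPT|UTILMD');
# Comma-separated list consumed by partoftype() in EDIFACT_file_type_check.
# NOTE(review): the entries prefixed with '!' presumably mean "excluded" - confirm.
# NOTE(review): "model/vrmlx-epoc/x-sisx-app" looks like two entries ("model/vrml" and
# "x-epoc/x-sisx-app") whose separating comma was lost; left unchanged here, confirm
# against the intended allow-list before relying on this check.
setvar('allowed_filetypes','!txt,!gzip,application,audio,image,text,video,message/news,message/rfc822,model/vrmlx-epoc/x-sisx-app');
## set variables to empty. Otherwise e.g. $reason would be handled as string "$reason" and not as variable
setvar('result','undefined');
setvar('reason','');
setvar('encryption_check','');
setvar('encryption_result','');
setvar('signature_check','');
setvar('signature_result','');
# End: Setting EDIFACT informations

EDIFACT_address_check = {
    # Begin: EDIFACT address check
    # Drops messages that address more than one recipient, then reduces the
    # sender and recipient headers to the bare SMTP address and stores them in
    # $EDIFACTsender / $EDIFACTrecipient for later macros.
    # NOTE(review): the two recipient tests call compareattr('to',...) and
    # compare('cc',...) respectively - confirm the different function is intended.
    # Unlike the later checks, $reason is assigned here rather than appended to;
    # that is only equivalent if this macro runs before the others.
    if (compareattr('to','match','.*@.*@.*')) {
        log(1,'Found more than one recipient');
        setvar('EDIFACTrecipient','more than one recipient: $header_to $header_cc');
        setvar('reason','more than one recipient');
        flag('drop',1);
    }
    if (compare('cc','match','.*@.*')) {
        log(1,'Found more than one recipient, dropping e-mail');
        setvar('EDIFACTrecipient','more than one recipient: $header_to $header_cc');
        setvar('reason','more than one recipient');
        flag('drop',1);
    }
    log(1,'Delete all information from from- and to-header except SMTP-address');
    # Keep only the trailing angle-bracketed part ($2) of the header value.
    replace_rcpt('(.*)(\<.*\>$)','$2');
    setvar('EDIFACTrecipient','$to');
    replace_sender('(.*)(\<.*\>$)','$2');
    setvar('EDIFACTsender','$from');
    # End: EDIFACT address check
};

EDIFACT_file_type_check = {
    # Begin: EDIFACT file type check
    # Marks the message as dropped when partoftype() reports a part outside
    # $allowed_filetypes; records the outcome in $filetype_check.
    log(1,'Checking if e-mail contains forbidden file types');
    if (partoftype('$allowed_filetypes','info','false')) {
        setvar('filetype_check','forbidden');
        log(1,'Forbidden file types found');
        if (empty('$reason')) {
            setvar('reason','forbidden file type');
        } else {
            setvar('reason','$reason / forbidden file type');
        }
        flag('drop',1);
    } else {
        log(1,'No forbidden file types found');
        setvar('filetype_check','OK');
    }
    # End: EDIFACT file type check
};

EDIFACT_subject_check = {
    # Begin: EDIFACT subject check
    # Requires one of the $keywords message types in the subject; otherwise
    # the message is marked for dropping.
    log(1,'Checking if subject contains EDIFACT keyword');
    if (compare('subject','match','$keywords')) {
        log(1,'Found EDIFACT keyword');
        setvar('subject_check','OK');
    } else {
        log(1,'No EDIFACT keyword found');
        setvar('subject_check','No keyword found');
        if (empty('$reason')) {
            setvar('reason','wrong subject content');
        } else {
            setvar('reason','$reason / wrong subject content');
        }
        flag('drop',1);
    }
    # End: EDIFACT subject check
};

EDIFACT_encryption_subcheck = {
    # Begin: EDIFACT encryption subcheck
    # Called from EDIFACT_encryption_check on an S/MIME-encrypted message.
    # Accepts only RSAES-OAEP key transport and an AES-128/192/256 content
    # cipher; any other combination sets $encryption_result to 'not OK' and
    # marks the message for dropping.
    if (compareattr('key_encryption_algorithm','match','RSAES-OAEP')) {
        log(1,'...with RSAES-OAEP');
        setvar('encryption_check','$encryption_check with RSAES-OAEP');
    } else {
        log(1,'...but not using RSAES-OAEP');
        setvar('encryption_result','not OK');
        setvar('encryption_check','$encryption_check, incorrect padding');
        if (empty('$reason')) {
            setvar('reason','incorrect S/MIME encryption padding');
        } else {
            setvar('reason','$reason / incorrect S/MIME encryption padding');
        }
        flag('drop',1);
    }
    if (compareattr('content_encryption_algorithm','match','AES-128|AES128')) {
        log(1,'...with cipher AES128');
        setvar('encryption_check','$encryption_check, cipher AES128');
    } else if (compareattr('content_encryption_algorithm','match','AES-192|AES192')) {
        log(1,'...with cipher AES192');
        setvar('encryption_check','$encryption_check, cipher AES192');
    } else if (compareattr('content_encryption_algorithm','match','AES-256|AES256')) {
        log(1,'...with cipher AES256');
        setvar('encryption_check','$encryption_check, cipher AES256');
    } else {
        log(1,'...but with incorrect cipher');
        setvar('encryption_result','not OK');
        setvar('encryption_check','$encryption_check, incorrect cipher');
        if (empty('$reason')) {
            setvar('reason','incorrect S/MIME cipher');
        } else {
            setvar('reason','$reason / incorrect S/MIME cipher');
        }
        flag('drop',1);
    }
    # End: EDIFACT encryption subcheck
};

EDIFACT_encryption_check = {
    # Begin: EDIFACT encryption check / decryption
    # An unencrypted message is dropped. An encrypted one is first checked by
    # EDIFACT_encryption_subcheck; decryption is only attempted when that
    # subcheck did not set the drop flag.
    if (smime_encrypted()) {
        log(1,'E-mail is S/MIME encrypted...');
        setvar('encryption_check','S/MIME encrypted');
        $EDIFACT_encryption_subcheck;
        if (!flag('drop')) {
            if (decrypt_smime()) {
                log(1,'E-mail successfully S/MIME decrypted');
                setvar('encryption_result','OK');
            } else {
                log(1,'E-mail could not be S/MIME decrypted');
                setvar('encryption_result','not OK');
                setvar('encryption_check','$encryption_check, could not be S/MIME decrypted');
                if (empty('$reason')) {
                    setvar('reason','could not be S/MIME decrypted');
                } else {
                    setvar('reason','$reason / could not be S/MIME decrypted');
                }
                flag('drop',1);
            }
        }
    } else {
        log(1,'E-mail is not S/MIME encrypted, dropping e-mail');
        setvar('encryption_result','not OK');
        setvar('encryption_check','not S/MIME encrypted');
        if (empty('$reason')) {
            setvar('reason','not S/MIME encrypted');
        } else {
            setvar('reason','$reason / not S/MIME encrypted');
        }
        flag('drop',1);
    }
    # End: EDIFACT encryption check
};

EDIFACT_signature_subcheck = {
    # Begin: EDIFACT signature subcheck
    # Called from EDIFACT_signature_check on an S/MIME-signed message.
    # Accepts only RSASSA-PSS with a SHA-256 digest; anything else sets
    # $signature_result to 'not OK' and marks the message for dropping.
    if (compareattr('signature_algorithm','match','RSASSA-PSS')) {
        log(1,'...with RSASSA-PSS');
        setvar('signature_check','$signature_check with RSASSA-PSS');
    } else {
        log(1,'...but not using RSASSA-PSS');
        setvar('signature_result','not OK');
        setvar('signature_check','$signature_check, incorrect padding');
        if (empty('$reason')) {
            setvar('reason','incorrect S/MIME signing padding');
        } else {
            # Fixed: the original read "s etvar(...)", which would not have
            # appended the reason for a message that already had one.
            setvar('reason','$reason / incorrect S/MIME signing padding');
        }
        flag('drop',1);
    }
    if (compareattr('digest_algorithm','match','SHA-256|SHA256')) {
        log(1,'...with digest SHA-256');
        setvar('signature_check','$signature_check, digest SHA-256');
    } else {
        log(1,'...but with incorrect digest');
        setvar('signature_result','not OK');
        setvar('signature_check','$signature_check, incorrect digest');
        if (empty('$reason')) {
            setvar('reason','incorrect digest');
        } else {
            setvar('reason','$reason / incorrect digest');
        }
        flag('drop',1);
    }
    # End: EDIFACT signature subcheck
};

EDIFACT_signature_check = {
    # Begin: EDIFACT signature check /validation
    # An unsigned message is dropped. A signed one is first checked by
    # EDIFACT_signature_subcheck; the signature itself is validated only when
    # that subcheck did not set the drop flag.
    # NOTE(review): the meaning of the '1' argument to validate_smime_sig() is
    # not visible here - confirm it enforces the intended trust/chain validation.
    if (smime_signed()) {
        log(1,'E-mail is S/MIME signed...');
        setvar('signature_check','S/MIME signed');
        $EDIFACT_signature_subcheck;
        if (!flag('drop')) {
            if (validate_smime_sig('1')) {
                log(1,'Signature is valid');
                setvar('signature_result','OK');
                setvar('signature_check','$signature_check, signature is valid');
            } else {
                log(1,'Signature is invalid');
                setvar('signature_result','not OK');
                setvar('signature_check','$signature_check, signature is invalid');
                if (empty('$reason')) {
                    setvar('reason','S/MIME signature validation failed');
                } else {
                    setvar('reason','$reason / S/MIME signature validation failed');
                }
                flag('drop',1);
            }
        }
    } else {
        log(1,'E-mail is not S/MIME signed');
        setvar('signature_result','not OK');
        setvar('signature_check','not S/MIME signed');
        if (empty('$reason')) {
            setvar('reason','not S/MIME signed');
        } else {
            setvar('reason','$reason / not S/MIME signed');
        }
        flag('drop',1);
    }
    # End: EDIFACT signature check / validation
};

EDIFACT_sign = {
    # Begin: EDIFACT sign
    # Signs the outgoing message with SHA-256 / PSS, matching what
    # EDIFACT_signature_subcheck accepts on the inbound side. A missing key or
    # a failed signing operation marks the message for dropping.
    log(1,'S/MIME signing e-mail');
    if (has_smime_key()) {
        log(1,'S/MIME key available');
        if (sign_smime('sha256;pss')) {
            log(1,'Signing successful');
            setvar('signature_result','OK');
            setvar('signature_check','S/MIME signed');
        } else {
            log(1,'Signing failed');
            setvar('signature_check','signing failed');
            setvar('signature_result','not OK');
            if (empty('$reason')) {
                setvar('reason','S/MIME signing failed');
            } else {
                setvar('reason','$reason / S/MIME signing failed');
            }
            flag('drop',1);
        }
    } else {
        log(1,'No S/MIME key available for signing');
        setvar('signature_result','not OK');
        setvar('signature_check','no signing key available');
        if (empty('$reason')) {
            setvar('reason','no S/MIME signing key available');
        } else {
            setvar('reason','$reason / no S/MIME signing key available');
        }
        flag('drop',1);
    }
    # End: EDIFACT sign
};

EDIFACT_encrypt = {
    # Begin: EDIFACT encrypt
    # Encrypts the outgoing message with AES-192 / OAEP, which the inbound
    # EDIFACT_encryption_subcheck accepts. A missing recipient certificate or a
    # failed encryption marks the message for dropping.
    # NOTE(review): the first two (empty) arguments of encrypt_smime() are not
    # explained here - confirm their meaning in the gateway's documentation.
    if (smime_keys_avail()) {
        log(1,'S/MIME certificate available for recipient $to');
        if (encrypt_smime('','','aes192;oaep')) {
            log(1,'Encryption successful');
            setvar('encryption_check','S/MIME encrypted');
            setvar('encryption_result','OK');
        } else {
            log(1,'Encryption failed');
            setvar('encryption_result','not OK');
            setvar('encryption_check','S/MIME encryption failed');
            if (empty('$reason')) {
                setvar('reason','S/MIME encryption failed');
            } else {
                setvar('reason','$reason / S/MIME encryption failed');
            }
            flag('drop',1);
        }
    } else {
        log(1,'No S/MIME certificate available for encryption');
        setvar('encryption_result','not OK');
        setvar('encryption_check','no S/MIME certificate available');
        if (empty('$reason')) {
            setvar('reason','no S/MIME certificate available');
        } else {
            setvar('reason','$reason / no S/MIME certificate available');
        }
        flag('drop',1);
    }
    # End: EDIFACT encrypt
};

log(1,'End: Custom macros and commands for all e-mails BEFORE processing');
# End: Custom macros and commands for all e-mails BEFORE processing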