From 43dfa08ded5f0e78b321d4df54f960c07e631593 Mon Sep 17 00:00:00 2001 From: Vsevolod Stakhov Date: Sat, 4 May 2019 14:09:35 +0100 Subject: [PATCH] [Fix] Do not blacklist mail by SPF/DMARC for local/authed users Issue: #2871 --- src/plugins/lua/dmarc.lua | 4 ++-- src/plugins/lua/whitelist.lua | 37 ++++++++++++++++++++++++++++++++--- 2 files changed, 36 insertions(+), 5 deletions(-) diff --git a/src/plugins/lua/dmarc.lua b/src/plugins/lua/dmarc.lua index 2c9bf1951..333eb6f55 100644 --- a/src/plugins/lua/dmarc.lua +++ b/src/plugins/lua/dmarc.lua @@ -564,13 +564,13 @@ local function dmarc_callback(task) local seen_invalid = false if dmarc_checks ~= 2 then - rspamd_logger.infox(task, "skip DMARC checks as either SPF or DKIM were not checked"); + rspamd_logger.infox(task, "skip DMARC checks as either SPF or DKIM were not checked") return end if ((not check_authed and task:get_user()) or (not check_local and ip_addr and ip_addr:is_local())) then - rspamd_logger.infox(task, "skip DMARC checks for local networks and authorized users"); + rspamd_logger.infox(task, "skip DMARC checks for local networks and authorized users") return end diff --git a/src/plugins/lua/whitelist.lua b/src/plugins/lua/whitelist.lua index b9dce612b..4836f2d02 100644 --- a/src/plugins/lua/whitelist.lua +++ b/src/plugins/lua/whitelist.lua @@ -29,7 +29,8 @@ local options = { dmarc_allow_symbol = 'DMARC_POLICY_ALLOW', spf_allow_symbol = 'R_SPF_ALLOW', dkim_allow_symbol = 'R_DKIM_ALLOW', - + check_local = false, + check_authed = false, rules = {} } @@ -127,6 +128,7 @@ local function whitelist_cb(symbol, rule, task) local spf_violated = false local dmarc_violated = false + local ip_addr = task:get_ip() if rule['valid_spf'] then if not task:has_symbol(options['spf_allow_symbol']) then @@ -243,6 +245,7 @@ local function whitelist_cb(symbol, rule, task) end if rule.valid_dmarc then + found_wl = false for dom,val in pairs(domains.dmarc or E) do 
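Review bot: The new `check_local = false` and `check_authed = false` defaults in the `options` table carry no comment, yet they change which mail the blacklist branch applies to. Going by the later `found_bl` hunk, `false` means SPF/DMARC blacklist rules are skipped for local-network and authenticated senders. I would add above them `-- when false, SPF/DMARC blacklist rules are not applied to local networks (check_local) or authenticated users (check_authed)`. Operators upgrading will get the exemption without opting in, so the same sentence belongs in the module documentation.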
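Review bot: The added `found_wl = false` at the top of the `if rule.valid_dmarc then` branch is not explained by the commit message, which only covers the local/authed exemption. It looks as if it discards any whitelist match recorded by the earlier SPF/DKIM branches, so that only the DMARC loop decides; those branches are outside this hunk, so this should be confirmed. If that is the intent, say so on the line, for example `found_wl = false -- DMARC result overrides earlier SPF/DKIM whitelist matches`. Rules that combine `valid_dmarc` with other checks may otherwise behave differently after the upgrade without anyone noticing. whitelist_cb starts and ends outside the hunk.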
@@ -281,7 +284,16 @@ local function whitelist_cb(symbol, rule, task) end if found_bl then - add_symbol(true, final_mult) + if not ((not options.check_authed and task:get_user()) or + (not options.check_local and ip_addr and ip_addr:is_local())) then + add_symbol(true, final_mult) + else + if rule.valid_spf or rule.valid_dmarc then + rspamd_logger.infox(task, "skip DMARC/SPF blacklists for local networks and/or authorized users") + else + add_symbol(true, final_mult) + end + end elseif found_wl then add_symbol(false, final_mult) end @@ -295,11 +307,30 @@ local function gen_whitelist_cb(symbol, rule) end local configure_whitelist_module = function() - local opts = rspamd_config:get_all_opt('whitelist') + local opts = rspamd_config:get_all_opt('whitelist') if opts then for k,v in pairs(opts) do options[k] = v end + + local function try_opts(where) + local ret = false + local opts = rspamd_config:get_all_opt(where) + if type(opts) == 'table' then + if type(opts['check_local']) == 'boolean' then + options.check_local = opts['check_local'] + ret = true + end + if type(opts['check_authed']) == 'boolean' then + options.check_authed = opts['check_authed'] + ret = true + end + end + + return ret + end + + if not try_opts(N) then try_opts('options') end else rspamd_logger.infox(rspamd_config, 'Module is unconfigured') return -- 2.39.5
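Review bot: In the `found_bl` branch the exemption is decided by the rule's flags (`rule.valid_spf or rule.valid_dmarc`), not by which check actually set `found_bl`. A rule that also sets `valid_dkim` would presumably skip a DKIM-derived blacklist hit for local or authenticated senders too; the code that sets `found_bl` is outside this hunk, so that needs confirming. The nested negation and the two identical `add_symbol(true, final_mult)` calls can be folded into one named condition, as below, with the same behaviour and a policy that can be read at a glance. Because the skip trusts `ip_addr:is_local()` and `task:get_user()`, the documentation should say that an over-broad local address list widens the set of senders that escape the blacklist. whitelist_cb starts and ends outside the hunk.

```lua
  if found_bl then
    -- SPF/DMARC-based rules are not enforced for local or authenticated senders
    local exempt = (rule.valid_spf or rule.valid_dmarc) and
        ((not options.check_authed and task:get_user()) or
         (not options.check_local and ip_addr and ip_addr:is_local()))
    if exempt then
      rspamd_logger.infox(task, "skip DMARC/SPF blacklists for local networks and/or authorized users")
    else
      add_symbol(true, final_mult)
    end
  -- … unchanged: elseif found_wl branch …
```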
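Review bot: `try_opts` returns true as soon as either key is a boolean in the module section, so setting only `check_local` under `whitelist` means a `check_authed` in the global `options` section is never read. Resolving each key separately, as below, gives the module-then-global fallback for both. The `for k,v in pairs(opts)` loop just above has already copied these keys without a type check, so a non-boolean value such as the string `"false"` (truthy in Lua) stays in `options` unless a boolean is found later. The inner `local opts` also shadows the outer one, and `N` is not defined in the visible hunks and is assumed to be declared earlier in the file. configure_whitelist_module continues outside the hunk.

```lua
    -- Resolve each key on its own: module section first, then global options
    local function try_opt(where, key)
      local sect = rspamd_config:get_all_opt(where)
      if type(sect) == 'table' and type(sect[key]) == 'boolean' then
        options[key] = sect[key]
        return true
      end
      return false
    end

    for _, key in ipairs({'check_local', 'check_authed'}) do
      if not try_opt(N, key) then try_opt('options', key) end
    end
```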