mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
19741 Commits
28 Branches
Tree: 05fd471df5
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '05fd471df5'
${ noResults }
rspamd/src/plugins/lua/replies.lua

replies.lua 9.4KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324 
  1. --[[

  2. Copyright (c) 2022, Vsevolod Stakhov <vsevolod@rspamd.com>

  3. Copyright (c) 2016, Andrew Lewis <nerf@judo.za.org>

  4. 

  5. Licensed under the Apache License, Version 2.0 (the "License");

  6. you may not use this file except in compliance with the License.

  7. You may obtain a copy of the License at

  8. 

  9.     http://www.apache.org/licenses/LICENSE-2.0

  10. 

  11. Unless required by applicable law or agreed to in writing, software

  12. distributed under the License is distributed on an "AS IS" BASIS,

  13. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  14. See the License for the specific language governing permissions and

  15. limitations under the License.

  16. ]]--

  17. 

  18. if confighelp then

  19.   return

  20. end

  21. 

  22. local rspamd_logger = require 'rspamd_logger'

  23. local hash = require 'rspamd_cryptobox_hash'

  24. local lua_util = require 'lua_util'

  25. local lua_redis = require 'lua_redis'

  26. local fun = require "fun"

  27. 

  28. -- A plugin that implements replies check using redis

  29. 

  30. -- Default port for redis upstreams

  31. local redis_params

  32. local settings = {

  33.   action = nil,

  34.   expire = 86400, -- 1 day by default

  35.   key_prefix = 'rr',

  36.   key_size = 20,

  37.   message = 'Message is reply to one we originated',

  38.   symbol = 'REPLY',

  39.   score = -4, -- Default score

  40.   use_auth = true,

  41.   use_local = true,

  42.   cookie = nil,

  43.   cookie_key = nil,

  44.   cookie_is_pattern = false,

  45.   cookie_valid_time = '2w', -- 2 weeks by default

  46.   min_message_id = 2, -- minimum length of the message-id header

  47. }

  48. 

  49. local N = "replies"

  50. 

  51. local function make_key(goop, sz, prefix)

  52.   local h = hash.create()

  53.   h:update(goop)

  54.   local key

  55.   if sz then

  56.     key = h:base32():sub(1, sz)

  57.   else

  58.     key = h:base32()

  59.   end

  60. 

  61.   if prefix then

  62.     key = prefix .. key

  63.   end

  64. 

  65.   return key

  66. end

  67. 

  68. local function replies_check(task)

  69.   local in_reply_to

  70.   local function check_recipient(stored_rcpt)

  71.     local rcpts = task:get_recipients('mime')

  72. 

  73.     if rcpts then

  74.       local filter_predicate = function(input_rcpt)

  75.         local real_rcpt_h = make_key(input_rcpt:lower(), 8)

  76. 

  77.         return real_rcpt_h == stored_rcpt

  78.       end

  79. 

  80.       if fun.any(filter_predicate, fun.map(function(rcpt) return rcpt.addr or '' end, rcpts)) then

  81.         lua_util.debugm(N, task, 'reply to %s validated', in_reply_to)

  82.         return true

  83.       end

  84. 

  85.       rspamd_logger.infox(task, 'ignoring reply to %s as no recipients are matching hash %s',

  86.           in_reply_to, stored_rcpt)

  87.     else

  88.       rspamd_logger.infox(task, 'ignoring reply to %s as recipient cannot be detected for hash %s',

  89.           in_reply_to, stored_rcpt)

  90.     end

  91. 

  92.     return false

  93.   end

  94. 

  95.   local function redis_get_cb(err, data, addr)

  96.     if err ~= nil then

  97.       rspamd_logger.errx(task, 'redis_get_cb error when reading data from %s: %s', addr:get_addr(), err)

  98.       return

  99.     end

  100.     if data and type(data) == 'string' and check_recipient(data) then

  101.       -- Hash was found

  102.       task:insert_result(settings['symbol'], 1.0)

  103.       if settings['action'] ~= nil then

  104.         local ip_addr = task:get_ip()

  105.         if (settings.use_auth and

  106.             task:get_user()) or

  107.             (settings.use_local and ip_addr and ip_addr:is_local()) then

  108.           rspamd_logger.infox(task, "not forcing action for local network or authorized user");

  109.         else

  110.           task:set_pre_result(settings['action'], settings['message'], N)

  111.         end

  112.       end

  113.     end

  114.   end

  115.   -- If in-reply-to header not present return

  116.   in_reply_to = task:get_header_raw('in-reply-to')

  117.   if not in_reply_to then

  118.     return

  119.   end

  120.   -- Create hash of in-reply-to and query redis

  121.   local key = make_key(in_reply_to, settings.key_size, settings.key_prefix)

  122. 

  123.   local ret = lua_redis.redis_make_request(task,

  124.     redis_params, -- connect params

  125.     key, -- hash key

  126.     false, -- is write

  127.     redis_get_cb, --callback

  128.     'GET', -- command

  129.     {key} -- arguments

  130.   )

  131. 

  132.   if not ret then

  133.     rspamd_logger.errx(task, "redis request wasn't scheduled")

  134.   end

  135. end

  136. 

  137. local function replies_set(task)

  138.   local function redis_set_cb(err, _, addr)

  139.     if err ~=nil then

  140.       rspamd_logger.errx(task, 'redis_set_cb error when writing data to %s: %s', addr:get_addr(), err)

  141.     end

  142.   end

  143.   -- If sender is unauthenticated return

  144.   local ip = task:get_ip()

  145.   if settings.use_auth and task:get_user() then

  146.     lua_util.debugm(N, task, 'sender is authenticated')

  147.   elseif settings.use_local and (ip and ip:is_local()) then

  148.     lua_util.debugm(N, task, 'sender is from local network')

  149.   else

  150.     return

  151.   end

  152.   -- If no message-id present return

  153.   local msg_id = task:get_header_raw('message-id')

  154.   if msg_id == nil or msg_id:len() <= (settings.min_message_id or 2) then

  155.     return

  156.   end

  157.   -- Create hash of message-id and store to redis

  158.   local key = make_key(msg_id, settings.key_size, settings.key_prefix)

  159. 

  160.   local sender = task:get_reply_sender()

  161. 

  162.   if sender then

  163.     local sender_hash = make_key(sender:lower(), 8)

  164.     lua_util.debugm(N, task, 'storing id: %s (%s), reply-to: %s (%s) for replies check',

  165.                       msg_id, key, sender, sender_hash)

  166.     local ret = lua_redis.redis_make_request(task,

  167.         redis_params, -- connect params

  168.         key, -- hash key

  169.         true, -- is write

  170.         redis_set_cb, --callback

  171.         'PSETEX', -- command

  172.         {key, tostring(math.floor(settings['expire'] * 1000)), sender_hash} -- arguments

  173.     )

  174.     if not ret then

  175.       rspamd_logger.errx(task, "redis request wasn't scheduled")

  176.     end

  177.   else

  178.     rspamd_logger.infox(task, "cannot find reply sender address")

  179.   end

  180. end

  181. 

  182. local function replies_check_cookie(task)

  183.   local function cookie_matched(extra, ts)

  184.     local dt = task:get_date{format = 'connect', gmt = true}

  185. 

  186.     if dt < ts then

  187.       rspamd_logger.infox(task, 'ignore cookie as its date is in future')

  188. 

  189.       return

  190.     end

  191. 

  192.     if settings.cookie_valid_time then

  193.       if dt - ts > settings.cookie_valid_time then

  194.         rspamd_logger.infox(task,

  195.             'ignore cookie as its timestamp is too old: %s (%s current time)',

  196.             ts, dt)

  197. 

  198.         return

  199.       end

  200.     end

  201. 

  202.     if extra then

  203.       task:insert_result(settings['symbol'], 1.0,

  204.           string.format('cookie:%s:%s', extra, ts))

  205.     else

  206.       task:insert_result(settings['symbol'], 1.0,

  207.           string.format('cookie:%s', ts))

  208.     end

  209.     if settings['action'] ~= nil then

  210.       local ip_addr = task:get_ip()

  211.       if (settings.use_auth and

  212.           task:get_user()) or

  213.           (settings.use_local and ip_addr and ip_addr:is_local()) then

  214.         rspamd_logger.infox(task, "not forcing action for local network or authorized user");

  215.       else

  216.         task:set_pre_result(settings['action'], settings['message'], N)

  217.       end

  218.     end

  219.   end

  220. 

  221.   -- If in-reply-to header not present return

  222.   local irt = task:get_header('in-reply-to')

  223.   if irt == nil then

  224.     return

  225.   end

  226. 

  227.   local cr = require "rspamd_cryptobox"

  228.   -- Extract user part if needed

  229.   local extracted_cookie = irt:match('^%<?([^@]+)@.*$')

  230.   if not extracted_cookie then

  231.     -- Assume full message id as a cookie

  232.     extracted_cookie = irt

  233.   end

  234. 

  235.   local dec_cookie,ts = cr.decrypt_cookie(settings.cookie_key, extracted_cookie)

  236. 

  237.   if dec_cookie then

  238.     -- We have something that looks like a cookie

  239.     if settings.cookie_is_pattern then

  240.       local m = dec_cookie:match(settings.cookie)

  241. 

  242.       if m then

  243.         cookie_matched(m, ts)

  244.       end

  245.     else

  246.       -- Direct match

  247.       if dec_cookie == settings.cookie then

  248.         cookie_matched(nil, ts)

  249.       end

  250.     end

  251.   end

  252. end

  253. 

  254. local opts = rspamd_config:get_all_opt('replies')

  255. if not (opts and type(opts) == 'table') then

  256.   rspamd_logger.infox(rspamd_config, 'module is unconfigured')

  257.   return

  258. end

  259. if opts then

  260.   settings = lua_util.override_defaults(settings, opts)

  261.   redis_params = lua_redis.parse_redis_server('replies')

  262.   if not redis_params then

  263.     if not (settings.cookie and settings.cookie_key) then

  264.       rspamd_logger.infox(rspamd_config, 'no servers are specified, disabling module')

  265.       lua_util.disable_module(N, "redis")

  266.     else

  267.       -- Cookies mode

  268.       -- Check key sanity:

  269.       local pattern = {'^'}

  270.       for i=1,32 do pattern[i + 1] = '[a-zA-Z0-9]' end

  271.       pattern[34] = '$'

  272.       if not settings.cookie_key:match(table.concat(pattern, '')) then

  273.         rspamd_logger.errx(rspamd_config,

  274.             'invalid cookies key: %s, must be 32 hex digits', settings.cookie_key)

  275.         lua_util.disable_module(N, "config")

  276. 

  277.         return

  278.       end

  279. 

  280.       if settings.cookie_valid_time then

  281.         settings.cookie_valid_time = lua_util.parse_time_interval(settings.cookie_valid_time)

  282.       end

  283. 

  284.       local id = rspamd_config:register_symbol({

  285.         name = 'REPLIES_CHECK',

  286.         type = 'prefilter',

  287.         callback = replies_check_cookie,

  288.         flags = 'nostat',

  289.         priority = lua_util.symbols_priorities.medium,

  290.         group = "replies"

  291.       })

  292.       rspamd_config:register_symbol({

  293.         name = settings['symbol'],

  294.         parent = id,

  295.         type = 'virtual',

  296.         score = settings.score,

  297.         group = "replies",

  298.       })

  299.     end

  300.   else

  301.     rspamd_config:register_symbol({

  302.       name = 'REPLIES_SET',

  303.       type = 'idempotent',

  304.       callback = replies_set,

  305.       group = 'replies',

  306.       flags = 'explicit_disable,ignore_passthrough',

  307.     })

  308.     local id = rspamd_config:register_symbol({

  309.       name = 'REPLIES_CHECK',

  310.       type = 'prefilter',

  311.       flags = 'nostat',

  312.       callback = replies_check,

  313.       priority = lua_util.symbols_priorities.medium,

  314.       group = "replies"

  315.     })

  316.     rspamd_config:register_symbol({

  317.       name = settings['symbol'],

  318.       parent = id,

  319.       type = 'virtual',

  320.       score = settings.score,

  321.       group = "replies",

  322.     })

  323.   end

  324. end