mirrors
/
rspamd
spegling av https://github.com/vstakhov/rspamd.git
Bevaka 1
Stjärnmärk 0
Förgrening 0
Kod Ärenden 0 Släpp 159 Wiki Aktiviteter
Du kan inte välja fler än 25 ämnen Ämnen måste starta med en bokstav eller siffra, kan innehålla bindestreck ('-') och vara max 35 tecken långa.
15880 Incheckningar
28 Grenar
Träd: 3a93b559eb
Grenar Taggar
${ item.name }
Skapa branchen ${ searchTerm }
från '3a93b559eb'
${ noResults }
rspamd/lualib/lua_auth_results.lua

lua_auth_results.lua 8.1KB
Blame Historik

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276 
  1. --[[

  2. Copyright (c) 2016, Andrew Lewis <nerf@judo.za.org>

  3. Copyright (c) 2017, Vsevolod Stakhov <vsevolod@highsecure.ru>

  4. 

  5. Licensed under the Apache License, Version 2.0 (the "License");

  6. you may not use this file except in compliance with the License.

  7. You may obtain a copy of the License at

  8. 

  9.     http://www.apache.org/licenses/LICENSE-2.0

  10. 

  11. Unless required by applicable law or agreed to in writing, software

  12. distributed under the License is distributed on an "AS IS" BASIS,

  13. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  14. See the License for the specific language governing permissions and

  15. limitations under the License.

  16. ]]--

  17. 

  18. local rspamd_util = require "rspamd_util"

  19. 

  20. local default_settings = {

  21.   spf_symbols = {

  22.     pass = 'R_SPF_ALLOW',

  23.     fail = 'R_SPF_FAIL',

  24.     softfail = 'R_SPF_SOFTFAIL',

  25.     neutral = 'R_SPF_NEUTRAL',

  26.     temperror = 'R_SPF_DNSFAIL',

  27.     none = 'R_SPF_NA',

  28.     permerror = 'R_SPF_PERMFAIL',

  29.   },

  30.   dmarc_symbols = {

  31.     pass = 'DMARC_POLICY_ALLOW',

  32.     permerror = 'DMARC_BAD_POLICY',

  33.     temperror = 'DMARC_DNSFAIL',

  34.     none = 'DMARC_NA',

  35.     reject = 'DMARC_POLICY_REJECT',

  36.     softfail = 'DMARC_POLICY_SOFTFAIL',

  37.     quarantine = 'DMARC_POLICY_QUARANTINE',

  38.   },

  39.   arc_symbols = {

  40.     pass = 'ARC_ALLOW',

  41.     permerror = 'ARC_INVALID',

  42.     temperror = 'ARC_DNSFAIL',

  43.     none = 'ARC_NA',

  44.     reject = 'ARC_REJECT',

  45.   },

  46.   dkim_symbols = {

  47.     none = 'R_DKIM_NA',

  48.   },

  49.   add_smtp_user = true,

  50. }

  51. 

  52. local exports = {

  53.   default_settings = default_settings

  54. }

  55. 

  56. local local_hostname = rspamd_util.get_hostname()

  57. 

  58. local function gen_auth_results(task, settings)

  59.   local auth_results, hdr_parts = {}, {}

  60. 

  61.   if not settings then

  62.     settings = default_settings

  63.   end

  64. 

  65.   local auth_types = {

  66.     dkim = settings.dkim_symbols,

  67.     dmarc = settings.dmarc_symbols,

  68.     spf = settings.spf_symbols,

  69.     arc = settings.arc_symbols,

  70.   }

  71. 

  72.   local common = {

  73.     symbols = {}

  74.   }

  75. 

  76.   local mta_hostname = task:get_request_header('MTA-Name') or

  77.       task:get_request_header('MTA-Tag')

  78.   if mta_hostname then

  79.     mta_hostname = tostring(mta_hostname)

  80.   else

  81.     mta_hostname = local_hostname

  82.   end

  83. 

  84.   table.insert(hdr_parts, mta_hostname)

  85. 

  86.   for auth_type, symbols in pairs(auth_types) do

  87.     for key, sym in pairs(symbols) do

  88.       if not common.symbols.sym then

  89.         local s = task:get_symbol(sym)

  90.         if not s then

  91.           common.symbols[sym] = false

  92.         else

  93.           common.symbols[sym] = s

  94.           if not auth_results[auth_type] then

  95.             auth_results[auth_type] = {key}

  96.           else

  97.             table.insert(auth_results[auth_type], key)

  98.           end

  99. 

  100.           if auth_type ~= 'dkim' then

  101.             break

  102.           end

  103.         end

  104.       end

  105.     end

  106.   end

  107. 

  108.   local dkim_results = task:get_dkim_results()

  109.   -- For each signature we set authentication results

  110.   -- dkim=neutral (body hash did not verify) header.d=example.com header.s=sel header.b=fA8VVvJ8;

  111.   -- dkim=neutral (body hash did not verify) header.d=example.com header.s=sel header.b=f8pM8o90;

  112. 

  113.   for _,dres in ipairs(dkim_results) do

  114.     local ar_string = 'none'

  115. 

  116.     if dres.result == 'reject' then

  117.       ar_string = 'fail' -- imply failure, not neutral

  118.     elseif dres.result == 'allow' then

  119.       ar_string = 'pass'

  120.     elseif dres.result == 'bad record' or dres.result == 'permerror' then

  121.       ar_string = 'permerror'

  122.     elseif dres.result == 'tempfail' then

  123.       ar_string = 'temperror'

  124.     end

  125.     local hdr = {}

  126. 

  127.     hdr[1] = string.format('dkim=%s', ar_string)

  128. 

  129.     if dres.fail_reason then

  130.       hdr[#hdr + 1] = string.format('(%s)', dres.fail_reason)

  131.     end

  132. 

  133.     if dres.domain then

  134.       hdr[#hdr + 1] = string.format('header.d=%s', dres.domain)

  135.     end

  136. 

  137.     if dres.selector then

  138.       hdr[#hdr + 1] = string.format('header.s=%s', dres.selector)

  139.     end

  140. 

  141.     if dres.bhash then

  142.       hdr[#hdr + 1] = string.format('header.b=%s', dres.bhash)

  143.     end

  144. 

  145.     table.insert(hdr_parts, table.concat(hdr, ' '))

  146.   end

  147. 

  148.   if #dkim_results == 0 then

  149.     -- We have no dkim results, so check for DKIM_NA symbol

  150.     if common.symbols[settings.dkim_symbols.none] then

  151.       table.insert(hdr_parts, 'dkim=none')

  152.     end

  153.   end

  154. 

  155.   for auth_type, keys in pairs(auth_results) do

  156.     for _, key in ipairs(keys) do

  157.       local hdr = ''

  158.       if auth_type == 'dmarc' then

  159.         local opts = common.symbols[auth_types['dmarc'][key]][1]['options'] or {}

  160.         hdr = hdr .. 'dmarc='

  161.         if key == 'reject' or key == 'quarantine' or key == 'softfail' then

  162.           hdr = hdr .. 'fail'

  163.         else

  164.           hdr = hdr .. key

  165.         end

  166.         if key == 'pass' then

  167.           hdr = hdr .. ' (policy=' .. opts[2] .. ')'

  168.           hdr = hdr .. ' header.from=' .. opts[1]

  169.         elseif key ~= 'none' then

  170.           local t = {opts[1]:match('^([^%s]+) : (.*)$')}

  171.           if #t > 0 then

  172.             local dom = t[1]

  173.             local rsn = t[2]

  174.             if rsn then

  175.               hdr = hdr .. ' reason="' .. rsn .. '"'

  176.             end

  177.             hdr = hdr .. ' header.from=' .. dom

  178.           end

  179.           if key == 'softfail' then

  180.             hdr = hdr .. ' (policy=none)'

  181.           else

  182.             hdr = hdr .. ' (policy=' .. key .. ')'

  183.           end

  184.         end

  185.         table.insert(hdr_parts, hdr)

  186.       elseif auth_type == 'arc' then

  187.         if common.symbols[auth_types['arc'][key]][1] then

  188.           local opts = common.symbols[auth_types['arc'][key]][1]['options'] or {}

  189.           for _, v in ipairs(opts) do

  190.             hdr = hdr .. auth_type .. '=' .. key .. ' (' .. v .. ')'

  191.             table.insert(hdr_parts, hdr)

  192.           end

  193.         end

  194.       elseif auth_type == 'spf' then

  195.         -- Main type

  196.         local sender

  197.         local sender_type

  198.         local smtp_from = task:get_from('smtp')

  199. 

  200.         if smtp_from and

  201.             smtp_from[1] and

  202.             smtp_from[1]['addr'] ~= '' and

  203.             smtp_from[1]['addr'] ~= nil then

  204.           sender = smtp_from[1]['addr']

  205.           sender_type = 'smtp.mailfrom'

  206.         else

  207.           local helo = task:get_helo()

  208.           if helo then

  209.             sender = helo

  210.             sender_type = 'smtp.helo'

  211.           end

  212.         end

  213. 

  214.         if sender and sender_type then

  215.           -- Comment line

  216.           local comment = ''

  217.           if key == 'pass' then

  218.             comment = string.format('%s: domain of %s designates %s as permitted sender',

  219.                 mta_hostname, sender, tostring(task:get_from_ip() or 'unknown'))

  220.           elseif key == 'fail' then

  221.             comment = string.format('%s: domain of %s does not designate %s as permitted sender',

  222.                 mta_hostname, sender, tostring(task:get_from_ip() or 'unknown'))

  223.           elseif key == 'neutral' or key == 'softfail' then

  224.             comment = string.format('%s: %s is neither permitted nor denied by domain of %s',

  225.                 mta_hostname, tostring(task:get_from_ip() or 'unknown'), sender)

  226.           elseif key == 'permerror' then

  227.             comment = string.format('%s: domain of %s uses mechanism not recognized by this client',

  228.                 mta_hostname, sender)

  229.           elseif key == 'temperror' then

  230.             comment = string.format('%s: error in processing during lookup of %s: DNS error',

  231.                 mta_hostname, sender)

  232.           elseif key == 'none' then

  233.             comment = string.format('%s: domain of %s has no SPF policy when checking %s',

  234.                 mta_hostname, sender, tostring(task:get_from_ip() or 'unknown'))

  235.           end

  236.           hdr = string.format('%s=%s (%s) %s=%s', auth_type, key,

  237.               comment, sender_type, sender)

  238.         else

  239.           hdr = string.format('%s=%s', auth_type, key)

  240.         end

  241. 

  242. 

  243.         table.insert(hdr_parts, hdr)

  244.       end

  245.     end

  246.   end

  247. 

  248.   local u = task:get_user()

  249.   local smtp_from = task:get_from('smtp')

  250. 

  251.   if u and smtp_from then

  252.     local hdr = {[1] = 'auth=pass'}

  253. 

  254.     if settings['add_smtp_user'] then

  255.       table.insert(hdr,'smtp.auth=' .. u)

  256.     end

  257.     if smtp_from[1]['addr'] then

  258.       table.insert(hdr,'smtp.mailfrom=' .. smtp_from[1]['addr'])

  259.     end

  260. 

  261.     table.insert(hdr_parts, table.concat(hdr,' '))

  262.   end

  263. 

  264.   if #hdr_parts > 0 then

  265.     if #hdr_parts == 1 then

  266.       hdr_parts[2] = 'none'

  267.     end

  268.     return table.concat(hdr_parts, '; ')

  269.   end

  270. 

  271.   return nil

  272. end

  273. 

  274. exports.gen_auth_results = gen_auth_results

  275. 

  276. return exports