mirrors
/
rspamd
mirror da https://github.com/vstakhov/rspamd.git
Segui 1
Vota 0
Forka 0
Codice Problemi 0 Rilasci 159 Wiki Attività
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
21018 Commit
28 Rami (Branch)
Albero (Tree): 3de247b318
Rami (Branch) Tag
${ item.name }
Crea branch ${ searchTerm }
da '3de247b318'
${ noResults }
rspamd/src/plugins/lua/dkim_signing.lua

dkim_signing.lua 5.4KB
Originale Blame Cronologia

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186 
  1. --[[

  2. Copyright (c) 2016, Andrew Lewis <nerf@judo.za.org>

  3. Copyright (c) 2022, Vsevolod Stakhov <vsevolod@rspamd.com>

  4. 

  5. Licensed under the Apache License, Version 2.0 (the "License");

  6. you may not use this file except in compliance with the License.

  7. You may obtain a copy of the License at

  8. 

  9.     http://www.apache.org/licenses/LICENSE-2.0

  10. 

  11. Unless required by applicable law or agreed to in writing, software

  12. distributed under the License is distributed on an "AS IS" BASIS,

  13. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  14. See the License for the specific language governing permissions and

  15. limitations under the License.

  16. ]]--

  17. 

  18. local lua_util = require "lua_util"

  19. local rspamd_logger = require "rspamd_logger"

  20. local dkim_sign_tools = require "lua_dkim_tools"

  21. local lua_redis = require "lua_redis"

  22. local lua_mime = require "lua_mime"

  23. 

  24. if confighelp then

  25.   return

  26. end

  27. 

  28. local settings = {

  29.   allow_envfrom_empty = true,

  30.   allow_hdrfrom_mismatch = false,

  31.   allow_hdrfrom_mismatch_local = false,

  32.   allow_hdrfrom_mismatch_sign_networks = false,

  33.   allow_hdrfrom_multiple = false,

  34.   allow_username_mismatch = false,

  35.   allow_pubkey_mismatch = true,

  36.   sign_authenticated = true,

  37.   allowed_ids = nil,

  38.   forbidden_ids = nil,

  39.   check_pubkey = false,

  40.   domain = {},

  41.   path = string.format('%s/%s/%s', rspamd_paths['DBDIR'], 'dkim', '$domain.$selector.key'),

  42.   sign_local = true,

  43.   selector = 'dkim',

  44.   symbol = 'DKIM_SIGNED',

  45.   try_fallback = true,

  46.   use_domain = 'header',

  47.   use_esld = true,

  48.   use_redis = false,

  49.   key_prefix = 'dkim_keys', -- default hash name

  50.   use_milter_headers = false, -- use milter headers instead of `dkim_signature`

  51. }

  52. 

  53. local N = 'dkim_signing'

  54. local redis_params

  55. local sign_func = rspamd_plugins.dkim.sign

  56. 

  57. local function insert_sign_results(task, ret, hdr, dkim_params)

  58.   if settings.use_milter_headers then

  59.     lua_mime.modify_headers(task, {

  60.       add = {

  61.         ['DKIM-Signature'] = { order = 1, value = hdr },

  62.       }

  63.     })

  64.   end

  65.   if ret then

  66.     task:insert_result(settings.symbol, 1.0, string.format('%s:s=%s',

  67.         dkim_params.domain, dkim_params.selector))

  68.   end

  69. end

  70. 

  71. local function do_sign(task, p)

  72.   if settings.use_milter_headers then

  73.     p.no_cache = true -- Disable caching in rspamd_mempool

  74.   end

  75.   if settings.check_pubkey then

  76.     local resolve_name = p.selector .. "._domainkey." .. p.domain

  77.     task:get_resolver():resolve_txt({

  78.       task = task,

  79.       name = resolve_name,

  80.       callback = function(_, _, results, err)

  81.         if not err and results and results[1] then

  82.           p.pubkey = results[1]

  83.           p.strict_pubkey_check = not settings.allow_pubkey_mismatch

  84.         elseif not settings.allow_pubkey_mismatch then

  85.           rspamd_logger.infox(task, 'public key for domain %s/%s is not found: %s, skip signing',

  86.               p.domain, p.selector, err)

  87.           return

  88.         else

  89.           rspamd_logger.infox(task, 'public key for domain %s/%s is not found: %s',

  90.               p.domain, p.selector, err)

  91.         end

  92. 

  93.         local sret, hdr = sign_func(task, p)

  94.         insert_sign_results(task, sret, hdr, p)

  95.       end,

  96.       forced = true

  97.     })

  98.   else

  99.     local sret, hdr = sign_func(task, p)

  100.     insert_sign_results(task, sret, hdr, p)

  101.   end

  102. end

  103. 

  104. local function sign_error(task, msg)

  105.   rspamd_logger.errx(task, 'signing failure: %s', msg)

  106. end

  107. 

  108. local function dkim_signing_cb(task)

  109.   local ret, selectors = dkim_sign_tools.prepare_dkim_signing(N, task, settings)

  110. 

  111.   if not ret or #selectors == 0 then

  112.     return

  113.   end

  114. 

  115.   if settings.use_redis then

  116.     dkim_sign_tools.sign_using_redis(N, task, settings, selectors, do_sign, sign_error)

  117.   else

  118.     if selectors.vault then

  119.       dkim_sign_tools.sign_using_vault(N, task, settings, selectors, do_sign, sign_error)

  120.     else

  121.       if #selectors > 0 then

  122.         for _, k in ipairs(selectors) do

  123.           -- templates

  124.           if k.key then

  125.             k.key = lua_util.template(k.key, {

  126.               domain = k.domain,

  127.               selector = k.selector

  128.             })

  129.             lua_util.debugm(N, task, 'using key "%s", use selector "%s" for domain "%s"',

  130.                 k.key, k.selector, k.domain)

  131.           end

  132. 

  133.           do_sign(task, k)

  134.         end

  135.       else

  136.         rspamd_logger.infox(task, 'key path or dkim selector unconfigured; no signing')

  137.         return false

  138.       end

  139.     end

  140.   end

  141. end

  142. 

  143. local opts = rspamd_config:get_all_opt('dkim_signing')

  144. if not opts then

  145.   return

  146. end

  147. 

  148. dkim_sign_tools.process_signing_settings(N, settings, opts)

  149. 

  150. if not dkim_sign_tools.validate_signing_settings(settings) then

  151.   rspamd_logger.infox(rspamd_config, 'mandatory parameters missing, disable dkim signing')

  152.   lua_util.disable_module(N, "config")

  153.   return

  154. end

  155. 

  156. if settings.use_redis then

  157.   redis_params = lua_redis.parse_redis_server('dkim_signing')

  158. 

  159.   if not redis_params then

  160.     rspamd_logger.errx(rspamd_config,

  161.         'no servers are specified, but module is configured to load keys from redis, disable dkim signing')

  162.     lua_util.disable_module(N, "redis")

  163.     return

  164.   end

  165. 

  166.   settings.redis_params = redis_params

  167. end

  168. 

  169. local sym_reg_tbl = {

  170.   name = settings['symbol'],

  171.   callback = dkim_signing_cb,

  172.   groups = { "policies", "dkim" },

  173.   flags = 'ignore_passthrough',

  174.   score = 0.0,

  175. }

  176. 

  177. if type(settings.allowed_ids) == 'table' then

  178.   sym_reg_tbl.allowed_ids = settings.allowed_ids

  179. end

  180. if type(settings.forbidden_ids) == 'table' then

  181.   sym_reg_tbl.forbidden_ids = settings.forbidden_ids

  182. end

  183. 

  184. rspamd_config:register_symbol(sym_reg_tbl)

  185. -- Add dependency on DKIM checks

  186. rspamd_config:register_dependency(settings['symbol'], 'DKIM_CHECK')