mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
14611 Commits
28 Branches
Tree: 8f39eca68d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '8f39eca68d'
${ noResults }
rspamd/src/plugins/lua/dkim_signing.lua

dkim_signing.lua 4.6KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160 
  1. --[[

  2. Copyright (c) 2016, Andrew Lewis <nerf@judo.za.org>

  3. Copyright (c) 2016, Vsevolod Stakhov <vsevolod@highsecure.ru>

  4. 

  5. Licensed under the Apache License, Version 2.0 (the "License");

  6. you may not use this file except in compliance with the License.

  7. You may obtain a copy of the License at

  8. 

  9.     http://www.apache.org/licenses/LICENSE-2.0

  10. 

  11. Unless required by applicable law or agreed to in writing, software

  12. distributed under the License is distributed on an "AS IS" BASIS,

  13. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  14. See the License for the specific language governing permissions and

  15. limitations under the License.

  16. ]]--

  17. 

  18. local lua_util = require "lua_util"

  19. local rspamd_logger = require "rspamd_logger"

  20. local dkim_sign_tools = require "lua_dkim_tools"

  21. local lua_redis = require "lua_redis"

  22. local lua_maps = require "lua_maps"

  23. 

  24. if confighelp then

  25.   return

  26. end

  27. 

  28. local settings = {

  29.   allow_envfrom_empty = true,

  30.   allow_hdrfrom_mismatch = false,

  31.   allow_hdrfrom_mismatch_local = false,

  32.   allow_hdrfrom_mismatch_sign_networks = false,

  33.   allow_hdrfrom_multiple = false,

  34.   allow_username_mismatch = false,

  35.   allow_pubkey_mismatch = true,

  36.   auth_only = true,

  37.   check_pubkey = false,

  38.   domain = {},

  39.   path = string.format('%s/%s/%s', rspamd_paths['DBDIR'], 'dkim', '$domain.$selector.key'),

  40.   sign_local = true,

  41.   selector = 'dkim',

  42.   symbol = 'DKIM_SIGNED',

  43.   try_fallback = true,

  44.   use_domain = 'header',

  45.   use_esld = true,

  46.   use_redis = false,

  47.   key_prefix = 'dkim_keys', -- default hash name

  48. }

  49. 

  50. local N = 'dkim_signing'

  51. local redis_params

  52. local sign_func = rspamd_plugins.dkim.sign

  53. 

  54. local function do_sign(task, p)

  55.   if settings.check_pubkey then

  56.     local resolve_name = p.selector .. "._domainkey." .. p.domain

  57.     task:get_resolver():resolve_txt({

  58.       task = task,

  59.       name = resolve_name,

  60.       callback = function(_, _, results, err)

  61.         if not err and results and results[1] then

  62.           p.pubkey = results[1]

  63.           p.strict_pubkey_check = not settings.allow_pubkey_mismatch

  64.         elseif not settings.allow_pubkey_mismatch then

  65.           rspamd_logger.errx('public key for domain %s/%s is not found: %s, skip signing',

  66.               p.domain, p.selector, err)

  67.           return

  68.         else

  69.           rspamd_logger.infox('public key for domain %s/%s is not found: %s',

  70.               p.domain, p.selector, err)

  71.         end

  72. 

  73.         local sret, _ = sign_func(task, p)

  74.         if sret then

  75.           task:insert_result(settings.symbol, 1.0)

  76.         end

  77.       end,

  78.       forced = true

  79.     })

  80.   else

  81.     local sret, _ = sign_func(task, p)

  82.     if sret then

  83.       task:insert_result(settings.symbol, 1.0)

  84.     end

  85.   end

  86. end

  87. 

  88. local function sign_error(task, msg)

  89.   rspamd_logger.errx(task, 'signing failure: %s', msg)

  90. end

  91. 

  92. local function dkim_signing_cb(task)

  93.   local ret,selectors = dkim_sign_tools.prepare_dkim_signing(N, task, settings)

  94. 

  95.   if not ret then

  96.     return

  97.   end

  98. 

  99.   if settings.use_redis then

  100.     dkim_sign_tools.sign_using_redis(N, task, settings, selectors, do_sign, sign_error)

  101.   else

  102.     if selectors.vault then

  103.       dkim_sign_tools.sign_using_vault(N, task, settings, selectors, do_sign, sign_error)

  104.     else

  105.       if #selectors > 0 then

  106.         for _, k in ipairs(selectors) do

  107.           -- templates

  108.           if k.key then

  109.             k.key = lua_util.template(k.key, {

  110.               domain = k.domain,

  111.               selector = k.selector

  112.             })

  113.             lua_util.debugm(N, task, 'using key "%s", use selector "%s" for domain "%s"',

  114.                 k.key, k.selector, k.domain)

  115.           end

  116. 

  117.           do_sign(task, k)

  118.         end

  119.       else

  120.         rspamd_logger.infox(task, 'key path or dkim selector unconfigured; no signing')

  121.         return false

  122.       end

  123.     end

  124.   end

  125. end

  126. 

  127. local opts =  rspamd_config:get_all_opt('dkim_signing')

  128. if not opts then return end

  129. 

  130. dkim_sign_tools.process_signing_settings(N, settings, opts)

  131. 

  132. if not dkim_sign_tools.validate_signing_settings(settings) then

  133.   rspamd_logger.infox(rspamd_config, 'mandatory parameters missing, disable dkim signing')

  134.   lua_util.disable_module(N, "config")

  135.   return

  136. end

  137. 

  138. if settings.use_redis then

  139.   redis_params = lua_redis.parse_redis_server('dkim_signing')

  140. 

  141.   if not redis_params then

  142.     rspamd_logger.errx(rspamd_config,

  143.         'no servers are specified, but module is configured to load keys from redis, disable dkim signing')

  144.     lua_util.disable_module(N, "redis")

  145.     return

  146.   end

  147. 

  148.   settings.redis_params = redis_params

  149. end

  150. 

  151. 

  152. rspamd_config:register_symbol({

  153.   name = settings['symbol'],

  154.   callback = dkim_signing_cb,

  155.   groups = {"policies", "dkim"},

  156.   score = 0.0,

  157. })

  158. 

  159. -- Add dependency on DKIM checks

  160. rspamd_config:register_dependency(settings['symbol'], 'DKIM_CHECK')