mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
13030 Commits
29 Branches
Tree: f19f9f3acd
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'f19f9f3acd'
${ noResults }
rspamd/lualib/lua_dkim_tools.lua

lua_dkim_tools.lua 8.5KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276 
  1. --[[

  2. Copyright (c) 2016, Andrew Lewis <nerf@judo.za.org>

  3. Copyright (c) 2017, Vsevolod Stakhov <vsevolod@highsecure.ru>

  4. 

  5. Licensed under the Apache License, Version 2.0 (the "License");

  6. you may not use this file except in compliance with the License.

  7. You may obtain a copy of the License at

  8. 

  9.     http://www.apache.org/licenses/LICENSE-2.0

  10. 

  11. Unless required by applicable law or agreed to in writing, software

  12. distributed under the License is distributed on an "AS IS" BASIS,

  13. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  14. See the License for the specific language governing permissions and

  15. limitations under the License.

  16. ]]--

  17. 

  18. local exports = {}

  19. 

  20. local E = {}

  21. local lua_util = require "lua_util"

  22. local rspamd_util = require "rspamd_util"

  23. 

  24. local function parse_dkim_http_headers(N, task, settings)

  25.   local logger = require "rspamd_logger"

  26.   -- Configure headers

  27.   local headers = {

  28.     sign_header = settings.http_sign_header or "PerformDkimSign",

  29.     sign_on_reject_header = settings.http_sign_on_reject_header_header or 'SignOnAuthFailed',

  30.     domain_header = settings.http_domain_header or 'DkimDomain',

  31.     selector_header = settings.http_selector_header or 'DkimSelector',

  32.     key_header = settings.http_key_header or 'DkimPrivateKey'

  33.   }

  34. 

  35.   if task:get_request_header(headers.sign_header) then

  36.     local domain = task:get_request_header(headers.domain_header)

  37.     local selector = task:get_request_header(headers.selector_header)

  38.     local key = task:get_request_header(headers.key_header)

  39. 

  40.     if not (domain and selector and key) then

  41. 

  42.       logger.errx(task, 'missing required headers to sign email')

  43.       return false,{}

  44.     end

  45. 

  46.     -- Now check if we need to check the existing auth

  47.     local hdr = task:get_request_header(headers.sign_on_reject_header)

  48.     if not hdr then

  49.       -- Check for DKIM_REJECT

  50.       if task:has_symbol('R_DKIM_REJECT') then

  51.         local sym = task:get_symbol('R_DKIM_REJECT')

  52.         logger.infox(task, 'skip signing for %s:%s: R_DKIM_REJECT found: %s',

  53.             domain, selector, sym.options)

  54.         return false,{}

  55.       end

  56.     end

  57. 

  58.     return true,{

  59.       rawkey = key,

  60.       domain = domain,

  61.       selector = selector

  62.     }

  63.   end

  64. 

  65.   lua_util.debugm(N, task, 'no sign header %s', headers.sign_header)

  66.   return false,{}

  67. end

  68. 

  69. local function prepare_dkim_signing(N, task, settings)

  70.   local is_local, is_sign_networks

  71. 

  72.   if settings.use_http_headers then

  73.     return parse_dkim_http_headers(N, task, settings)

  74.   end

  75. 

  76.   local auser = task:get_user()

  77.   local ip = task:get_from_ip()

  78. 

  79.   if ip and ip:is_local() then

  80.     is_local = true

  81.   end

  82. 

  83.   if settings.auth_only and auser then

  84.     lua_util.debugm(N, task, 'user is authenticated')

  85.   elseif (settings.sign_networks and settings.sign_networks:get_key(ip)) then

  86.     is_sign_networks = true

  87.     lua_util.debugm(N, task, 'mail is from address in sign_networks')

  88.   elseif settings.sign_local and is_local then

  89.     lua_util.debugm(N, task, 'mail is from local address')

  90.   elseif settings.sign_inbound and not is_local and not auser then

  91.     lua_util.debugm(N, task, 'mail was sent to us')

  92.   else

  93.     lua_util.debugm(N, task, 'ignoring unauthenticated mail')

  94.     return false,{}

  95.   end

  96. 

  97.   local efrom = task:get_from('smtp')

  98.   if not settings.allow_envfrom_empty and

  99.       #(((efrom or E)[1] or E).addr or '') == 0 then

  100.     lua_util.debugm(N, task, 'empty envelope from not allowed')

  101.     return false,{}

  102.   end

  103. 

  104.   local hfrom = task:get_from('mime')

  105.   if not settings.allow_hdrfrom_multiple and (hfrom or E)[2] then

  106.     lua_util.debugm(N, task, 'multiple header from not allowed')

  107.     return false,{}

  108.   end

  109. 

  110.   local eto = task:get_recipients(0)

  111. 

  112.   local dkim_domain

  113.   local hdom = ((hfrom or E)[1] or E).domain

  114.   local edom = ((efrom or E)[1] or E).domain

  115.   local tdom = ((eto or E)[1] or E).domain

  116.   local udom = string.match(auser or '', '.*@(.*)')

  117. 

  118.   local function get_dkim_domain(dtype)

  119.     if settings[dtype] == 'header' then

  120.       return hdom

  121.     elseif settings[dtype] == 'envelope' then

  122.       return edom

  123.     elseif settings[dtype] == 'auth' then

  124.       return udom

  125.     elseif settings[dtype] == 'recipient' then

  126.       return tdom

  127.     end

  128.   end

  129. 

  130.   if hdom then

  131.     hdom = hdom:lower()

  132.   end

  133.   if edom then

  134.     edom = edom:lower()

  135.   end

  136.   if udom then

  137.     udom = udom:lower()

  138.   end

  139.   if tdom then

  140.     tdom = tdom:lower()

  141.   end

  142. 

  143.   if settings.use_domain_sign_networks and is_sign_networks then

  144.     dkim_domain = get_dkim_domain('use_domain_sign_networks')

  145.     lua_util.debugm(N, task, 'sign_networks: use domain(%s) for signature: %s',

  146.       settings.use_domain_sign_networks, dkim_domain)

  147.   elseif settings.use_domain_sign_local and is_local then

  148.     dkim_domain = get_dkim_domain('use_domain_sign_local')

  149.     lua_util.debugm(N, task, 'local: use domain(%s) for signature: %s',

  150.       settings.use_domain_sign_local, dkim_domain)

  151.   elseif settings.use_domain_sign_inbound and not is_local and not auser then

  152.     dkim_domain = get_dkim_domain('use_domain_sign_inbound')

  153.     lua_util.debugm(N, task, 'inbound: use domain(%s) for signature: %s',

  154.       settings.use_domain_sign_inbound, dkim_domain)

  155.   else

  156.     dkim_domain = get_dkim_domain('use_domain')

  157.     lua_util.debugm(N, task, 'use domain(%s) for signature: %s',

  158.       settings.use_domain, dkim_domain)

  159.   end

  160. 

  161.   if not dkim_domain then

  162.     lua_util.debugm(N, task, 'could not extract dkim domain')

  163.     return false,{}

  164.   end

  165. 

  166.   if settings.use_esld then

  167.     dkim_domain = rspamd_util.get_tld(dkim_domain)

  168.     if hdom then

  169.       hdom = rspamd_util.get_tld(hdom)

  170.     end

  171.     if edom then

  172.       edom = rspamd_util.get_tld(edom)

  173.     end

  174.   end

  175. 

  176.   lua_util.debugm(N, task, 'final DKIM domain: %s', dkim_domain)

  177. 

  178.   if edom and hdom and not settings.allow_hdrfrom_mismatch and hdom ~= edom then

  179.     if settings.allow_hdrfrom_mismatch_local and is_local then

  180.       lua_util.debugm(N, task, 'domain mismatch allowed for local IP: %1 != %2', hdom, edom)

  181.     elseif settings.allow_hdrfrom_mismatch_sign_networks and is_sign_networks then

  182.       lua_util.debugm(N, task, 'domain mismatch allowed for sign_networks: %1 != %2', hdom, edom)

  183.     else

  184.       lua_util.debugm(N, task, 'domain mismatch not allowed: %1 != %2', hdom, edom)

  185.       return false,{}

  186.     end

  187.   end

  188. 

  189.   if auser and not settings.allow_username_mismatch then

  190.     if not udom then

  191.       lua_util.debugm(N, task, 'couldnt find domain in username')

  192.       return false,{}

  193.     end

  194.     if settings.use_esld then

  195.       udom = rspamd_util.get_tld(udom)

  196.     end

  197.     if udom ~= dkim_domain then

  198.       lua_util.debugm(N, task, 'user domain mismatch')

  199.       return false,{}

  200.     end

  201.   end

  202. 

  203.   local p = {}

  204. 

  205.   if settings.domain[dkim_domain] then

  206.     p.selector = settings.domain[dkim_domain].selector

  207.     p.key = settings.domain[dkim_domain].path

  208.   end

  209. 

  210.   if not p.key and p.selector then

  211.     local key_var = "dkim_key"

  212.     local selector_var = "dkim_selector"

  213.     if N == "arc" then

  214.       key_var = "arc_key"

  215.       selector_var = "arc_selector"

  216.     end

  217. 

  218.     p.key = task:get_mempool():get_variable(key_var)

  219.     local selector_override = task:get_mempool():get_variable(selector_var)

  220. 

  221.     if selector_override then

  222.       p.selector = selector_override

  223.     end

  224. 

  225.     if (not p.key or not p.selector) and (not (settings.try_fallback or

  226.         settings.use_redis or settings.selector_map

  227.         or settings.path_map)) then

  228.       lua_util.debugm(N, task, 'dkim unconfigured and fallback disabled')

  229.       return false,{}

  230.     end

  231. 

  232.     lua_util.debugm(N, task, 'override selector and key to %s:%s', p.key, p.selector)

  233.   end

  234. 

  235.   if not p.selector and settings.selector_map then

  236.     local data = settings.selector_map:get_key(dkim_domain)

  237.     if data then

  238.       p.selector = data

  239.       lua_util.debugm(N, task, 'override selector to "%s" using selector_map', p.selector)

  240.     elseif not settings.try_fallback then

  241.       lua_util.debugm(N, task, 'no selector for %s', dkim_domain)

  242.       return false,{}

  243.     end

  244.   end

  245. 

  246.   if not p.key and settings.path_map then

  247.     local data = settings.path_map:get_key(dkim_domain)

  248.     if data then

  249.       p.key = data

  250.       lua_util.debugm(N, task, 'override key to "%s" using path_map', p.key)

  251.     elseif not settings.try_fallback then

  252.       lua_util.debugm(N, task, 'no key for %s', dkim_domain)

  253.       return false,{}

  254.     end

  255.   end

  256. 

  257.   if not p.key then

  258.     if not settings.use_redis then

  259.       p.key = settings.path

  260.       lua_util.debugm(N, task, 'use default key "%s" from path', p.key)

  261.     end

  262.   end

  263. 

  264.   if not p.selector then

  265.     p.selector = settings.selector

  266.     lua_util.debugm(N, task, 'use default selector "%s"', p.selector)

  267.   end

  268. 

  269.   p.domain = dkim_domain

  270. 

  271.   return true,p

  272. end

  273. 

  274. exports.prepare_dkim_signing = prepare_dkim_signing

  275. 

  276. return exports