author | Vsevolod Stakhov <vsevolod@highsecure.ru> | 2020-03-25 16:40:36 +0000 |
---|---|---|
committer | Vsevolod Stakhov <vsevolod@highsecure.ru> | 2020-03-25 16:40:36 +0000 |
commit | 1fa88bcd56301f2f41319b987ac89909c87b6d0b (patch) | |
tree | ca8d97237b293ecb5157a6f696730e3fd3e2049d | |
parent | 13539ad7e6cead667276c1d56827cb68aa73025b (diff) | |
[Feature] Arc: Add whitelisted_signers_map option
Issue: #3308
-rw-r--r-- | src/plugins/lua/arc.lua | 30 |
1 files changed, 29 insertions, 1 deletions
diff --git a/src/plugins/lua/arc.lua b/src/plugins/lua/arc.lua
index 4350f6fe5..caad92737 100644
--- a/src/plugins/lua/arc.lua
+++ b/src/plugins/lua/arc.lua
@@ -88,6 +88,7 @@ local settings = {
 use_redis = false,
 key_prefix = 'arc_keys', -- default hash name
 reuse_auth_results = false, -- Reuse the existing authentication results
+ whitelisted_signers_map = nil, -- Trusted signers domains
 }
 -- To match normal AR
@@ -180,7 +181,8 @@ local function arc_callback(task)
 sigs = {},
 checked = 0,
 res = 'success',
- errors = {}
+ errors = {},
+ allowed_by_trusted = false
 }
 parse_arc_header(arc_seal_headers, cbdata.seals)
@@ -227,6 +229,14 @@ local function arc_callback(task)
 end
 end
+ if settings.whitelisted_signers_map and cbdata.res == 'success' then
+ if settings.whitelisted_signers_map:get_key(sig.d) then
+ -- Whitelisted signer has been found in a valid chain
+ task:insert_result(arc_symbols.trusted_allow, 1.0,
+ string.format('%s:s=%s:i=%d', domain, sig.s, cbdata.checked))
+ end
+ end
+
 if cbdata.checked == #arc_sig_headers then
 if cbdata.res == 'success' then
 task:insert_result(arc_symbols.allow, 1.0, string.format('%s:s=%s:i=%d',
@@ -397,6 +407,24 @@ rspamd_config:register_symbol({
 groups = {'arc'},
 })
+if settings.whitelisted_signers_map then
+ local lua_maps = require "lua_maps"
+ settings.whitelisted_signers_map = lua_maps.map_add_from_ucl(settings.whitelisted_signers_map,
+ 'set',
+ 'ARC trusted signers domains')
+ if settings.whitelisted_signers_map then
+ arc_symbols.trusted_allow = arc_symbols.trusted_allow or 'ARC_ALLOW_TRUSTED'
+ rspamd_config:register_symbol({
+ name = arc_symbols.trusted_allow,
+ parent = id,
+ type = 'virtual',
+ score = -2.0,
+ group = 'policies',
+ groups = {'arc'},
+ })
+ end
+end
+
 rspamd_config:register_dependency('ARC_CALLBACK', symbols['spf_allow_symbol'])
 rspamd_config:register_dependency('ARC_CALLBACK', symbols['dkim_allow_symbol']) |
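Review bot: The trusted-signer lookup added in the third hunk sits before the `cbdata.checked == #arc_sig_headers` test, so it appears to run on every signature callback, when `cbdata.res == 'success'` only means that no signature has failed so far. As a result `arc_symbols.trusted_allow` (registered at -2.0) can be inserted for a chain that a later signature goes on to fail, and it may be inserted once per whitelisted signature. Recording the hit and inserting the symbol only in the final success branch avoids both, and gives a use to `allowed_by_trusted`, which the second hunk initialises but no visible line sets or reads. The lookup keys on `sig.d` while the option string uses `domain`; both are defined outside the hunk, so confirm they name the same signer.

```lua
if settings.whitelisted_signers_map and
    settings.whitelisted_signers_map:get_key(sig.d) then
  -- Only remember the hit here: the chain is not fully verified yet
  cbdata.allowed_by_trusted = string.format('%s:s=%s:i=%d',
      domain, sig.s, cbdata.checked)
end

if cbdata.checked == #arc_sig_headers then
  if cbdata.res == 'success' then
    if cbdata.allowed_by_trusted then
      task:insert_result(arc_symbols.trusted_allow, 1.0, cbdata.allowed_by_trusted)
    end
    -- … unchanged: insertion of arc_symbols.allow …
```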
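Review bot: When `lua_maps.map_add_from_ucl` returns nil in the last hunk, the inner `if` is skipped without any message, so a mistyped or unreachable `whitelisted_signers_map` silently disables the trusted-signer symbol. An `else` branch that logs the failure would make this visible to the operator, e.g. `rspamd_logger.errx(rspamd_config, 'cannot load whitelisted_signers_map; ARC trusted signers disabled')`, assuming the file's logger module is in scope (its require line is outside this hunk). The map is created with type `'set'`, which looks like an exact-key lookup. A comment such as `-- entries must equal the d= value passed to get_key (no subdomain matching)` would tell list maintainers what form the domains must take.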