aboutsummaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorVsevolod Stakhov <vsevolod@highsecure.ru>2022-01-09 12:59:18 +0000
committerVsevolod Stakhov <vsevolod@highsecure.ru>2022-01-09 12:59:18 +0000
commitb98e76367a8a9099720ce666753386f5189be24f (patch)
treebc91d9e6cf77173c5bd6a03ba715fad2666e472d /src
parent5704b3b55f4e0828c85ee786b46e5cfc93013ea7 (diff)
downloadrspamd-b98e76367a8a9099720ce666753386f5189be24f.tar.gz
rspamd-b98e76367a8a9099720ce666753386f5189be24f.zip
[Minor] Arc: Check AAR on trusted forwarding check
Diffstat (limited to 'src')
-rw-r--r--src/plugins/lua/arc.lua33
1 files changed, 32 insertions, 1 deletions
diff --git a/src/plugins/lua/arc.lua b/src/plugins/lua/arc.lua
index 8252424ab..e482ce0f0 100644
--- a/src/plugins/lua/arc.lua
+++ b/src/plugins/lua/arc.lua
@@ -30,6 +30,7 @@ if confighelp then
end
local N = 'arc'
+local AR_TRUSTED_CACHE_KEY = 'arc_trusted_aar'
if not rspamd_plugins.dkim then
rspamd_logger.errx(rspamd_config, "cannot enable arc plugin: dkim is disabled")
@@ -74,6 +75,7 @@ local settings = {
key_prefix = 'arc_keys', -- default hash name
reuse_auth_results = false, -- Reuse the existing authentication results
whitelisted_signers_map = nil, -- Trusted signers domains
+ adjust_dmarc = true, -- Adjust DMARC rejected policy for trusted forwarders
allowed_ids = nil, -- Allowed settings id
forbidden_ids = nil, -- Banned settings id
}
@@ -271,7 +273,36 @@ local function arc_callback(task)
if settings.whitelisted_signers_map and cbdata.res == 'success' then
if settings.whitelisted_signers_map:get_key(sig.d) then
-- Whitelisted signer has been found in a valid chain
- task:insert_result(arc_symbols.trusted_allow, 1.0,
+ local mult = 1.0
+ local cur_aar = cbdata.ars[cbdata.cur_arc_id]
+ if not cur_aar then
+ rspamd_logger.warnx(task, "cannot find Arc-Authentication-Results for trusted " ..
+ "forwarder %s on i=%s", domain, cbdata.cur_arc_id)
+ else
+ task:cache_set(AR_TRUSTED_CACHE_KEY, cur_aar)
+ local seen_dmarc
+ for _,ar in ipairs(cur_aar.ar) do
+ if ar.dmarc then
+ local dmarc_fwd = ar.dmarc
+ seen_dmarc = true
+ if dmarc_fwd == 'reject' or dmarc_fwd == 'fail' or dmarc_fwd == 'quarantine' then
+ lua_util.debugm(N, "found rejected dmarc on forwarding")
+ mult = 0.0
+ elseif dmarc_fwd == 'pass' then
+ mult = 1.0
+ end
+ elseif ar.spf then
+ local spf_fwd = ar.spf
+ if spf_fwd == 'reject' or spf_fwd == 'fail' or spf_fwd == 'quarantine' then
+ lua_util.debugm(N, "found rejected spf on forwarding")
+ if not seen_dmarc then
+ mult = mult * 0.5
+ end
+ end
+ end
+ end
+ end
+ task:insert_result(arc_symbols.trusted_allow, mult,
string.format('%s:s=%s:i=%d', domain, sig.s, cbdata.cur_arc_id))
end
end