author | Vsevolod Stakhov <vsevolod@highsecure.ru> | 2022-01-09 12:59:18 +0000 |
---|---|---|
committer | Vsevolod Stakhov <vsevolod@highsecure.ru> | 2022-01-09 12:59:18 +0000 |
commit | b98e76367a8a9099720ce666753386f5189be24f (patch) | |
tree | bc91d9e6cf77173c5bd6a03ba715fad2666e472d /src | |
parent | 5704b3b55f4e0828c85ee786b46e5cfc93013ea7 (diff) | |
[Minor] Arc: Check AAR on trusted forwarding check
Diffstat (limited to 'src')
-rw-r--r-- | src/plugins/lua/arc.lua | 33 |
1 files changed, 32 insertions, 1 deletions
diff --git a/src/plugins/lua/arc.lua b/src/plugins/lua/arc.lua
index 8252424ab..e482ce0f0 100644
--- a/src/plugins/lua/arc.lua
+++ b/src/plugins/lua/arc.lua
@@ -30,6 +30,7 @@ if confighelp then
 end
 local N = 'arc'
+local AR_TRUSTED_CACHE_KEY = 'arc_trusted_aar'
 if not rspamd_plugins.dkim then
 rspamd_logger.errx(rspamd_config, "cannot enable arc plugin: dkim is disabled")
@@ -74,6 +75,7 @@ local settings = {
 key_prefix = 'arc_keys', -- default hash name
 reuse_auth_results = false, -- Reuse the existing authentication results
 whitelisted_signers_map = nil, -- Trusted signers domains
+ adjust_dmarc = true, -- Adjust DMARC rejected policy for trusted forwarders
 allowed_ids = nil, -- Allowed settings id
 forbidden_ids = nil, -- Banned settings id
 }
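Review bot: `adjust_dmarc` is added to `settings` with a default of `true`, but nothing in this commit's hunks reads it: the `task:cache_set(AR_TRUSTED_CACHE_KEY, cur_aar)` call and the new `mult` weighting in `arc_callback` run whether or not the option is set. If the option is meant to gate that behaviour, the check belongs next to the cache write, e.g. `if settings.adjust_dmarc then task:cache_set(AR_TRUSTED_CACHE_KEY, cur_aar) end`. If it is consumed elsewhere (not visible here), the comment on the setting should say where, and should say that it only takes effect for signers listed in `whitelisted_signers_map`, since it is on by default for existing configurations.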
@@ -271,7 +273,36 @@ local function arc_callback(task)
 if settings.whitelisted_signers_map and cbdata.res == 'success' then
 if settings.whitelisted_signers_map:get_key(sig.d) then
 -- Whitelisted signer has been found in a valid chain
- task:insert_result(arc_symbols.trusted_allow, 1.0,
+ local mult = 1.0
+ local cur_aar = cbdata.ars[cbdata.cur_arc_id]
+ if not cur_aar then
+ rspamd_logger.warnx(task, "cannot find Arc-Authentication-Results for trusted " ..
+ "forwarder %s on i=%s", domain, cbdata.cur_arc_id)
+ else
+ task:cache_set(AR_TRUSTED_CACHE_KEY, cur_aar)
+ local seen_dmarc
+ for _,ar in ipairs(cur_aar.ar) do
+ if ar.dmarc then
+ local dmarc_fwd = ar.dmarc
+ seen_dmarc = true
+ if dmarc_fwd == 'reject' or dmarc_fwd == 'fail' or dmarc_fwd == 'quarantine' then
+ lua_util.debugm(N, "found rejected dmarc on forwarding")
+ mult = 0.0
+ elseif dmarc_fwd == 'pass' then
+ mult = 1.0
+ end
+ elseif ar.spf then
+ local spf_fwd = ar.spf
+ if spf_fwd == 'reject' or spf_fwd == 'fail' or spf_fwd == 'quarantine' then
+ lua_util.debugm(N, "found rejected spf on forwarding")
+ if not seen_dmarc then
+ mult = mult * 0.5
+ end
+ end
+ end
+ end
+ end
+ task:insert_result(arc_symbols.trusted_allow, mult,
 string.format('%s:s=%s:i=%d', domain, sig.s, cbdata.cur_arc_id))
 end
 end |
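Review bot: The weight computed in the `for _,ar in ipairs(cur_aar.ar)` loop depends on the order of the results inside the ARC-Authentication-Results header. An SPF `fail` listed before the DMARC entry halves `mult` and stays in effect unless that DMARC entry is `pass` or a failure, the same SPF `fail` listed after the DMARC entry is ignored, and a DMARC `pass` that follows a DMARC `fail` resets `mult` to 1.0. Collecting the verdicts first and deriving `mult` once after the loop removes that dependency; the sketch below assumes a failing DMARC verdict should always win and that repeated SPF failures should not compound, which the author should confirm. It also guards `cur_aar.ar` with `or {}`, because the parser that fills `cbdata.ars` is outside this hunk and `ipairs(nil)` would raise inside the callback. `arc_callback` starts and ends outside the hunk.

```lua
-- … unchanged: cur_aar lookup and the warnx branch for a missing AAR …
  task:cache_set(AR_TRUSTED_CACHE_KEY, cur_aar)
  -- Collect verdicts first so the weight does not depend on header order
  local seen_dmarc, dmarc_rejected, spf_rejected = false, false, false
  for _,ar in ipairs(cur_aar.ar or {}) do
    if ar.dmarc then
      seen_dmarc = true
      if ar.dmarc == 'reject' or ar.dmarc == 'fail' or ar.dmarc == 'quarantine' then
        lua_util.debugm(N, "found rejected dmarc on forwarding")
        dmarc_rejected = true
      end
    elseif ar.spf then
      if ar.spf == 'reject' or ar.spf == 'fail' or ar.spf == 'quarantine' then
        lua_util.debugm(N, "found rejected spf on forwarding")
        spf_rejected = true
      end
    end
  end
  if dmarc_rejected then
    mult = 0.0
  elseif spf_rejected and not seen_dmarc then
    mult = 0.5
  end
-- … unchanged: closing `end` and task:insert_result(arc_symbols.trusted_allow, mult, …) …
```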