-rw-r--r-- | conf/modules.d/rbl.conf | 2 | ||||
-rw-r--r-- | contrib/libev/ev_iouring.c | 9 | ||||
-rw-r--r-- | src/plugins/lua/arc.lua | 73 | ||||
-rw-r--r-- | src/plugins/lua/settings.lua | 9 |
4 files changed, 68 insertions, 25 deletions
diff --git a/conf/modules.d/rbl.conf b/conf/modules.d/rbl.conf index 902a56ee1..3825101ce 100644 --- a/conf/modules.d/rbl.conf +++ b/conf/modules.d/rbl.conf @@ -157,6 +157,7 @@ rbl { RSPAMD_EMAILBL { ignore_defaults = true; emails_delimiter = "."; + emails = true; hash_format = "base32"; hash_len = 32; rbl = "email.rspamd.com"; @@ -170,6 +171,7 @@ rbl { ignore_whitelist = true; ignore_defaults = true; rbl = "ebl.msbl.org"; + emails = true; emails_domainonly = false; replyto = true; hash = "sha1"; diff --git a/contrib/libev/ev_iouring.c b/contrib/libev/ev_iouring.c index bfd3de65f..612391b53 100644 --- a/contrib/libev/ev_iouring.c +++ b/contrib/libev/ev_iouring.c @@ -255,7 +255,7 @@ struct io_uring_sqe * iouring_sqe_get (EV_P) { unsigned tail; - + for (;;) { tail = EV_SQ_VAR (tail); @@ -295,8 +295,9 @@ iouring_sqe_submit (EV_P_ struct io_uring_sqe *sqe) EV_SQ_ARRAY [idx] = idx; ECB_MEMORY_FENCE_RELEASE; ++EV_SQ_VAR (tail); - /*ECB_MEMORY_FENCE_RELEASE; /* for the time being we assume this is not needed */ + // ECB_MEMORY_FENCE_RELEASE; /* for the time being we assume this is not needed */ ++iouring_to_submit; + return sqe; } /*****************************************************************************/ @@ -328,6 +329,8 @@ iouring_internal_destroy (EV_P) ev_ref (EV_A); ev_io_stop (EV_A_ &iouring_tfd_w); } + + return 0; } ecb_cold @@ -603,7 +606,7 @@ static int iouring_handle_cq (EV_P) { unsigned head, tail, mask; - + head = EV_CQ_VAR (head); ECB_MEMORY_FENCE_ACQUIRE; tail = EV_CQ_VAR (tail); diff --git a/src/plugins/lua/arc.lua b/src/plugins/lua/arc.lua index 1b6d1c430..caad92737 100644 --- a/src/plugins/lua/arc.lua +++ b/src/plugins/lua/arc.lua @@ -1,5 +1,5 @@ --[[ -Copyright (c) 2017, Vsevolod Stakhov <vsevolod@highsecure.ru> +Copyright (c) 2020, Vsevolod Stakhov <vsevolod@highsecure.ru> Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. 
@@ -88,6 +88,7 @@ local settings = { use_redis = false, key_prefix = 'arc_keys', -- default hash name reuse_auth_results = false, -- Reuse the existing authentication results + whitelisted_signers_map = nil, -- Trusted signers domains } -- To match normal AR @@ -180,7 +181,8 @@ local function arc_callback(task) sigs = {}, checked = 0, res = 'success', - errors = {} + errors = {}, + allowed_by_trusted = false } parse_arc_header(arc_seal_headers, cbdata.seals) 
@@ -214,26 +216,36 @@ local function arc_callback(task) task:cache_set('arc-sigs', cbdata.sigs) task:cache_set('arc-seals', cbdata.seals) - local function arc_seal_cb(_, res, err, domain) - cbdata.checked = cbdata.checked + 1 - lua_util.debugm(N, task, 'checked arc seal: %s(%s), %s processed', - res, err, cbdata.checked) + local function gen_arc_seal_cb(sig) + return function (_, res, err, domain) + cbdata.checked = cbdata.checked + 1 + lua_util.debugm(N, task, 'checked arc seal: %s(%s), %s processed', + res, err, cbdata.checked) - if not res then - cbdata.res = 'fail' - if err and domain then - table.insert(cbdata.errors, string.format('sig:%s:%s', domain, err)) + if not res then + cbdata.res = 'fail' + if err and domain then + table.insert(cbdata.errors, string.format('sig:%s:%s', domain, err)) + end end - end - if cbdata.checked == #arc_sig_headers then - if cbdata.res == 'success' then - task:insert_result(arc_symbols['allow'], 1.0, 'i=' .. - tostring(cbdata.checked)) - else - task:insert_result(arc_symbols['reject'], 1.0, - rspamd_logger.slog('seal check failed: %s, %s', cbdata.res, - cbdata.errors)) + if settings.whitelisted_signers_map and cbdata.res == 'success' then + if settings.whitelisted_signers_map:get_key(sig.d) then + -- Whitelisted signer has been found in a valid chain + task:insert_result(arc_symbols.trusted_allow, 1.0, + string.format('%s:s=%s:i=%d', domain, sig.s, cbdata.checked)) + end + end + + if cbdata.checked == #arc_sig_headers then + if cbdata.res == 'success' then + task:insert_result(arc_symbols.allow, 1.0, string.format('%s:s=%s:i=%d', + domain, sig.s, cbdata.checked)) + else + task:insert_result(arc_symbols.reject, 1.0, + rspamd_logger.slog('seal check failed: %s, %s', cbdata.res, + cbdata.errors)) + end end end end 
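Review bot: The trusted-signer result is inserted from inside each per-seal callback as soon as `cbdata.res == 'success'` holds at that moment, so `arc_symbols.trusted_allow` can be added before the remaining seals are checked; if a later callback sets `cbdata.res = 'fail'`, the final branch adds the reject result on top of the trusted-allow one. The match should be remembered and the symbol emitted only in the final `cbdata.checked == #arc_sig_headers` success branch; the `allowed_by_trusted` field this commit adds to `cbdata` is never read in the visible hunks and fits this purpose. `sig.d` and `sig.s` also deserve the same `or ''` guards the commit uses in the `fun.each` error path, and the `i=` option currently reports the callback counter rather than `sig.i`. arc_callback begins and ends outside the hunk, so whether seal callbacks can complete out of order is inferred rather than shown.

```lua
      -- … unchanged: counter update, debug log, failure bookkeeping …

      if settings.whitelisted_signers_map and sig.d and
          settings.whitelisted_signers_map:get_key(sig.d) then
        -- Only remember the match here; the verdict waits for the whole chain
        cbdata.allowed_by_trusted = cbdata.allowed_by_trusted or
            string.format('%s:s=%s:i=%s', sig.d, sig.s or '', sig.i or '')
      end

      if cbdata.checked == #arc_sig_headers then
        if cbdata.res == 'success' then
          if cbdata.allowed_by_trusted then
            -- Every seal has been checked and none failed
            task:insert_result(arc_symbols.trusted_allow, 1.0,
                cbdata.allowed_by_trusted)
          end
          -- … unchanged: arc_symbols.allow result …
        else
          -- … unchanged: arc_symbols.reject result …
```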
@@ -253,10 +265,11 @@ local function arc_callback(task) cbdata.checked = 0 fun.each( function(sig) - local ret, lerr = dkim_verify(task, sig.header, arc_seal_cb, 'arc-seal') + local ret, lerr = dkim_verify(task, sig.header, gen_arc_seal_cb(sig), 'arc-seal') if not ret then cbdata.res = 'fail' - table.insert(cbdata.errors, string.format('sig:%s:%s', sig.d or '', lerr)) + table.insert(cbdata.errors, string.format('seal:%s:s=%s:i=%s:%s', + sig.d or '', sig.s or '', sig.i or '', lerr)) cbdata.checked = cbdata.checked + 1 lua_util.debugm(N, task, 'checked arc seal %s: %s(%s), %s processed', sig.d, ret, lerr, cbdata.checked) @@ -394,6 +407,24 @@ rspamd_config:register_symbol({ groups = {'arc'}, }) +if settings.whitelisted_signers_map then + local lua_maps = require "lua_maps" + settings.whitelisted_signers_map = lua_maps.map_add_from_ucl(settings.whitelisted_signers_map, + 'set', + 'ARC trusted signers domains') + if settings.whitelisted_signers_map then + arc_symbols.trusted_allow = arc_symbols.trusted_allow or 'ARC_ALLOW_TRUSTED' + rspamd_config:register_symbol({ + name = arc_symbols.trusted_allow, + parent = id, + type = 'virtual', + score = -2.0, + group = 'policies', + groups = {'arc'}, + }) + end +end + rspamd_config:register_dependency('ARC_CALLBACK', symbols['spf_allow_symbol']) rspamd_config:register_dependency('ARC_CALLBACK', symbols['dkim_allow_symbol']) diff --git a/src/plugins/lua/settings.lua b/src/plugins/lua/settings.lua index 7427e779d..b497d4388 100644 --- a/src/plugins/lua/settings.lua +++ b/src/plugins/lua/settings.lua @@ -1038,7 +1038,14 @@ end local settings_map_pool local function process_settings_map(map_text) local parser = ucl.parser() - local res,err = parser:parse_string(map_text) + local res,err + + if type(map_text) == 'string' then + res,err = parser:parse_string(map_text) + else + res,err = parser:parse_text(map_text) + end + if not res then rspamd_logger.warnx(rspamd_config, 'cannot parse settings map: ' .. err) else |
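Review bot: When `lua_maps.map_add_from_ucl` returns nothing in the `@@ -394` hunk of arc.lua, `settings.whitelisted_signers_map` is reset without any message and the trusted-signer check is switched off. That fails closed, which is the right direction, but an operator who configured the map gets no sign that it is not in effect; an `else` branch such as `rspamd_logger.warnx(rspamd_config, 'cannot load whitelisted_signers_map, ARC trusted signers are disabled')` would make it visible. A short comment above the block would also help whoever maintains the list: entries are matched against the `d=` domain of each ARC seal (`sig.d` in the seal callback), and a match contributes a fixed score of -2.0. `map_add_from_ucl` may already log its own failures; that is not visible from this hunk.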
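Review bot: In `process_settings_map` (settings.lua) the new `else` branch hands every non-string value to `parser:parse_text`, so a nil or otherwise unexpected `map_text` goes there too. Nothing in the function says which types are expected. A one-line comment above the branch, such as `-- map_text may arrive as a Lua string or as a text object; pick the matching UCL parser entry point`, would document the contract. If other types can reach this callback, an explicit guard before parsing would be clearer than relying on `parse_text` to reject them, and it should supply a message because the `'cannot parse settings map: ' .. err` line below would raise on a nil `err`. The function continues past the end of the hunk.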