From 1fa88bcd56301f2f41319b987ac89909c87b6d0b Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov
Date: Wed, 25 Mar 2020 16:40:36 +0000
Subject: [Feature] Arc: Add whitelisted_signers_map option

Issue: #3308
---
 src/plugins/lua/arc.lua | 30 +++++++++++++++++++++++++++++-
 1 file changed, 29 insertions(+), 1 deletion(-)

diff --git a/src/plugins/lua/arc.lua b/src/plugins/lua/arc.lua
index 4350f6fe5..caad92737 100644
--- a/src/plugins/lua/arc.lua
+++ b/src/plugins/lua/arc.lua
@@ -88,6 +88,7 @@ local settings = {
 use_redis = false,
 key_prefix = 'arc_keys', -- default hash name
 reuse_auth_results = false, -- Reuse the existing authentication results
+ whitelisted_signers_map = nil, -- Trusted signers domains
 }
 -- To match normal AR
@@ -180,7 +181,8 @@ local function arc_callback(task)
 sigs = {},
 checked = 0,
 res = 'success',
- errors = {}
+ errors = {},
+ allowed_by_trusted = false
 }
 parse_arc_header(arc_seal_headers, cbdata.seals)
@@ -227,6 +229,14 @@ local function arc_callback(task)
 end
 end
+ if settings.whitelisted_signers_map and cbdata.res == 'success' then
+ if settings.whitelisted_signers_map:get_key(sig.d) then
+ -- Whitelisted signer has been found in a valid chain
+ task:insert_result(arc_symbols.trusted_allow, 1.0,
+ string.format('%s:s=%s:i=%d', domain, sig.s, cbdata.checked))
+ end
+ end
+
 if cbdata.checked == #arc_sig_headers then
 if cbdata.res == 'success' then
 task:insert_result(arc_symbols.allow, 1.0, string.format('%s:s=%s:i=%d',
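Review bot: `allowed_by_trusted = false` is added to `cbdata` in the second hunk (`@@ -180,7 +181,8 @@`), but nothing in this patch reads or sets it; the trusted-signer branch added further down inserts the symbol directly. State that looks like a trust flag but is never consulted is easy to misread later as a gate that is being honoured. Either wire it into the decision or drop it, and if it stays give it a comment such as `-- true once a signer listed in whitelisted_signers_map has been seen`. The `cbdata` table and `arc_callback` both continue outside the hunk.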
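Review bot: The trusted-signer check in the third hunk (`@@ -227,6 +229,14 @@`) is placed before `if cbdata.checked == #arc_sig_headers then`, so it appears to run on every signature callback while `cbdata.res` is still provisional. If that reading is right, `arc_symbols.trusted_allow` (registered with score -2.0) can be inserted for an early signature of a chain that a later signature then fails, and it can be inserted more than once. Recording the match with `cbdata.allowed_by_trusted = true` here and calling `task:insert_result(arc_symbols.trusted_allow, ...)` only inside the existing `cbdata.res == 'success'` branch would tie the negative score to a fully verified chain. The lookup key is `sig.d` while the option string reports `domain`, which is defined outside the hunk; it is worth confirming the two are the same value and that `sig.d` is normalised the same way as the map entries. The enclosing callback starts and ends outside the hunk.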
@@ -397,6 +407,24 @@ rspamd_config:register_symbol({
 groups = {'arc'},
 })
+if settings.whitelisted_signers_map then
+ local lua_maps = require "lua_maps"
+ settings.whitelisted_signers_map = lua_maps.map_add_from_ucl(settings.whitelisted_signers_map,
+ 'set',
+ 'ARC trusted signers domains')
+ if settings.whitelisted_signers_map then
+ arc_symbols.trusted_allow = arc_symbols.trusted_allow or 'ARC_ALLOW_TRUSTED'
+ rspamd_config:register_symbol({
+ name = arc_symbols.trusted_allow,
+ parent = id,
+ type = 'virtual',
+ score = -2.0,
+ group = 'policies',
+ groups = {'arc'},
+ })
+ end
+end
+
 rspamd_config:register_dependency('ARC_CALLBACK', symbols['spf_allow_symbol'])
 rspamd_config:register_dependency('ARC_CALLBACK', symbols['dkim_allow_symbol'])
--
cgit v1.2.3
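Review bot: When `lua_maps.map_add_from_ucl` returns nil in this hunk, `settings.whitelisted_signers_map` is silently cleared and the feature switches off with no signal to the operator who configured it. Failing closed is the right direction for a trust list, but an `else` on the inner `if` should log the failure, for example `rspamd_logger.errx(rspamd_config, 'cannot load whitelisted_signers_map, ARC trusted signers are disabled')`, assuming a logger is already in scope in this file. A comment above the block would also help, stating that a match adds `ARC_ALLOW_TRUSTED` at -2.0 and that the map should list only intermediaries whose sealing is actually trusted. `id` is defined outside the hunk.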