[pmg-devel] [PATCH pmg-api v2 05/11] DKIM sign outbound mail if configured

Stoiko Ivanov s.ivanov at proxmox.com
Tue Oct 15 21:46:44 CEST 2019


The signing is done in the Accept and BCC Actions just before the mail gets
handed to the outbound postfix process, thus ensuring that all modifications
done by the rule-system don't invalidate the signature.

The PMG::DKIMSign/DKIM::Signer object is not cached, since subsequent calls to
the same object lead to invalid signatures.

Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
---
 src/PMG/RuleDB/Accept.pm | 14 +++++++++++++-
 src/PMG/RuleDB/BCC.pm    | 11 +++++++++++
 src/bin/pmg-smtp-filter  |  7 +++++++
 3 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/src/PMG/RuleDB/Accept.pm b/src/PMG/RuleDB/Accept.pm
index 8e76d8f..0bcf250 100644
--- a/src/PMG/RuleDB/Accept.pm
+++ b/src/PMG/RuleDB/Accept.pm
@@ -10,6 +10,7 @@ use Digest::SHA;
 
 use PMG::Utils;
 use PMG::ModGroup;
+use PMG::DKIMSign;
 use PMG::RuleDB::Object;
 
 use base qw(PMG::RuleDB::Object);
@@ -89,7 +90,8 @@ sub execute {
     my ($self, $queue, $ruledb, $mod_group, $targets, 
 	$msginfo, $vars, $marks) = @_;
 
-    my $subgroups = $mod_group->subgroups($targets, 1);
+    my $dkim = $msginfo->{dkim} // {};
+    my $subgroups = $mod_group->subgroups($targets, !$dkim->{sign});
 
     my $rulename = $vars->{RULE} // 'unknown';
 
@@ -98,6 +100,16 @@ sub execute {
 
 	PMG::Utils::remove_marks($entity);
 
+	if ($dkim->{sign}) {
+	    eval {
+		$entity = PMG::DKIMSign::sign_entity($entity,
+		    $dkim->{selector}, $msginfo->{sender}, $dkim->{sign_all});
+	    };
+	    syslog('warning',
+		"Could not create DKIM-Signature - disabling Signing: $@") if $@;
+	}
+
+
 	if ($msginfo->{testmode}) {
 	    my $fh = $msginfo->{test_fh};
 	    print $fh "accept from: $msginfo->{sender}\n";
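Review bot: The warning in the added `eval` block says "disabling Signing", but nothing visible in this hunk clears `$dkim->{sign}`, so the mail is handed on unsigned and signing is attempted again for the next subgroup or message. Either word the log for what actually happens, e.g. `"Could not create DKIM-Signature - sending mail unsigned: $@"`, or set `$dkim->{sign} = 0;` in the failure path if disabling is the intent. Unsigned outbound mail can fail DMARC checks at receivers, so an `'err'` level with a message identifier would make the failure easier to alert on than a bare `'warning'`. The same block is repeated in the src/PMG/RuleDB/BCC.pm hunk and the same applies there. The body of `execute` continues outside this hunk.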
diff --git a/src/PMG/RuleDB/BCC.pm b/src/PMG/RuleDB/BCC.pm
index be695f7..a8db3f5 100644
--- a/src/PMG/RuleDB/BCC.pm
+++ b/src/PMG/RuleDB/BCC.pm
@@ -8,6 +8,7 @@ use PVE::SafeSyslog;
 
 use PMG::Utils;
 use PMG::ModGroup;
+use PMG::DKIMSign;
 use PMG::RuleDB::Object;
 
 use base qw(PMG::RuleDB::Object);
@@ -137,6 +138,16 @@ sub execute {
 	$entity = $entity->dup();
 	PMG::Utils::remove_marks($entity);
 
+	my $dkim = $msginfo->{dkim} // {};
+	if ($dkim->{sign}) {
+	    eval {
+		$entity = PMG::DKIMSign::sign_entity($entity,
+		    $dkim->{selector}, $msginfo->{sender}, $dkim->{sign_all});
+	    };
+	    syslog('warning',
+		"Could not create DKIM-Signature - disabling Signing: $@") if $@;
+	}
+
 	if ($msginfo->{testmode}) {
 	    my $fh = $msginfo->{test_fh};
 	    print $fh "bcc from: $msginfo->{sender}\n";
diff --git a/src/bin/pmg-smtp-filter b/src/bin/pmg-smtp-filter
index 62ce9ab..5f1e582 100755
--- a/src/bin/pmg-smtp-filter
+++ b/src/bin/pmg-smtp-filter
@@ -640,6 +640,13 @@ sub handle_smtp {
 	$msginfo->{xforward} = $smtp->{xforward};
 	$msginfo->{targets} = $smtp->{to};
 
+	my $dkim_sign = $msginfo->{trusted} && $pmg_cfg->get('admin', 'dkim_sign');
+	if ($dkim_sign) {
+	    $msginfo->{dkim}->{sign} = $dkim_sign;
+	    $msginfo->{dkim}->{sign_all} = $pmg_cfg->get('admin', 'dkim_sign_all_mail');
+	    $msginfo->{dkim}->{selector} = $pmg_cfg->get('admin', 'dkim_selector');
+	}
+
 	$msginfo->{hostname} = PVE::INotify::nodename();
 	my $resolv = PVE::INotify::read_file('resolvconf');
 
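Review bot: `dkim_selector` is copied into `$msginfo->{dkim}` without checking that it is set. With `dkim_sign` enabled and no selector configured, the error would presumably only surface later inside `sign_entity`, once per message, and each mail would still leave unsigned. A single check here would report the misconfiguration where it originates, for example `syslog('err', "DKIM signing enabled but no selector configured") if !defined($msginfo->{dkim}->{selector});`. The `$msginfo->{trusted} &&` gate is the security-relevant part of this hunk and deserves a comment above it such as `# sign only mail flagged as trusted; untrusted mail must never receive our signature`. `handle_smtp` starts and ends outside the hunk.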
-- 
2.20.1



