[pmg-devel] [PATCH pmg-api v4 05/11] DKIM sign outbound mail if configured

Mon Oct 21 19:23:29 CEST 2019

The signing is done in the Accept-Action just before the mail gets handed to
the outbound postifx process, thus ensuring that all modifications done by
the rule-system don't invalidate the signature

The PMG::DKIMSign/DKIM::Signer object is not cached, since subsequent calls to
the same object lead to invalid signatures.

Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
---
 src/PMG/RuleDB/Accept.pm | 14 +++++++++++++-
 src/PMG/RuleDB/BCC.pm    | 11 +++++++++++
 src/bin/pmg-smtp-filter  |  7 +++++++
 3 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/src/PMG/RuleDB/Accept.pm b/src/PMG/RuleDB/Accept.pm
index 8e76d8f..0bcf250 100644
--- a/src/PMG/RuleDB/Accept.pm
+++ b/src/PMG/RuleDB/Accept.pm
@@ -10,6 +10,7 @@ use Digest::SHA;
 
 use PMG::Utils;
 use PMG::ModGroup;
+use PMG::DKIMSign;
 use PMG::RuleDB::Object;
 
 use base qw(PMG::RuleDB::Object);
@@ -89,7 +90,8 @@ sub execute {
     my ($self, $queue, $ruledb, $mod_group, $targets, 
 	$msginfo, $vars, $marks) = @_;
 
-    my $subgroups = $mod_group->subgroups($targets, 1);
+    my $dkim = $msginfo->{dkim} // {};
+    my $subgroups = $mod_group->subgroups($targets, !$dkim->{sign});
 
     my $rulename = $vars->{RULE} // 'unknown';
 
@@ -98,6 +100,16 @@ sub execute {
 
 	PMG::Utils::remove_marks($entity);
 
+	if ($dkim->{sign}) {
+	    eval {
+		$entity = PMG::DKIMSign::sign_entity($entity,
+		    $dkim->{selector}, $msginfo->{sender}, $dkim->{sign_all});
+	    };
+	    syslog('warning',
+		"Could not create DKIM-Signature - disabling Signing: $@") if $@;
+	}
+
+
 	if ($msginfo->{testmode}) {
 	    my $fh = $msginfo->{test_fh};
 	    print $fh "accept from: $msginfo->{sender}\n";
diff --git a/src/PMG/RuleDB/BCC.pm b/src/PMG/RuleDB/BCC.pm
index be695f7..a8db3f5 100644
--- a/src/PMG/RuleDB/BCC.pm
+++ b/src/PMG/RuleDB/BCC.pm
@@ -8,6 +8,7 @@ use PVE::SafeSyslog;
 
 use PMG::Utils;
 use PMG::ModGroup;
+use PMG::DKIMSign;
 use PMG::RuleDB::Object;
 
 use base qw(PMG::RuleDB::Object);
@@ -137,6 +138,16 @@ sub execute {
 	$entity = $entity->dup();
 	PMG::Utils::remove_marks($entity);
 
+	my $dkim = $msginfo->{dkim} // {};
+	if ($dkim->{sign}) {
+	    eval {
+		$entity = PMG::DKIMSign::sign_entity($entity,
+		    $dkim->{selector}, $msginfo->{sender}, $dkim->{sign_all});
+	    };
+	    syslog('warning',
+		"Could not create DKIM-Signature - disabling Signing: $@") if $@;
+	}
+
 	if ($msginfo->{testmode}) {
 	    my $fh = $msginfo->{test_fh};
 	    print $fh "bcc from: $msginfo->{sender}\n";
diff --git a/src/bin/pmg-smtp-filter b/src/bin/pmg-smtp-filter
index 62ce9ab..5f1e582 100755
--- a/src/bin/pmg-smtp-filter
+++ b/src/bin/pmg-smtp-filter
@@ -640,6 +640,13 @@ sub handle_smtp {
 	$msginfo->{xforward} = $smtp->{xforward};
 	$msginfo->{targets} = $smtp->{to};
 
+	my $dkim_sign = $msginfo->{trusted} && $pmg_cfg->get('admin', 'dkim_sign');
+	if ($dkim_sign) {
+	    $msginfo->{dkim}->{sign} = $dkim_sign;
+	    $msginfo->{dkim}->{sign_all} = $pmg_cfg->get('admin', 'dkim_sign_all_mail');
+	    $msginfo->{dkim}->{selector} = $pmg_cfg->get('admin', 'dkim_selector');
+	}
+
 	$msginfo->{hostname} = PVE::INotify::nodename();
 	my $resolv = PVE::INotify::read_file('resolvconf');
 
-- 
2.20.1


