commit 0b87e30: [Feature] Rbl: Add resolve_ip based RBLs
Vsevolod Stakhov
vsevolod at highsecure.ru
Fri Aug 23 15:56:05 UTC 2019
Author: Vsevolod Stakhov
Date: 2019-08-23 16:46:08 +0100
URL: https://github.com/rspamd/rspamd/commit/0b87e30b0f947b0df6f4be8d79a376604597d082 (HEAD -> master)
[Feature] Rbl: Add resolve_ip based RBLs
---
src/plugins/lua/rbl.lua | 141 +++++++++++++++++++++++++++++++++++++-----------
1 file changed, 110 insertions(+), 31 deletions(-)
diff --git a/src/plugins/lua/rbl.lua b/src/plugins/lua/rbl.lua
index 35101efb4..7abe163b1 100644
--- a/src/plugins/lua/rbl.lua
+++ b/src/plugins/lua/rbl.lua
@@ -240,32 +240,45 @@ end
local function gen_rbl_callback(rule)
- local function add_dns_request(task, req, forced, requests_table)
+ local function add_dns_request(task, req, forced, is_ip, requests_table)
if requests_table[req] then
-- Duplicate request
if forced and not requests_table[req].forced then
requests_table[req].forced = true
end
else
+ local resolve_ip = rule.resolve_ip and not is_ip
if rule.process_script then
- local proc = rule.process_script(req, rule.rbl, task)
+ local processed = rule.process_script(req, rule.rbl, task, resolve_ip)
- if proc then
+ if processed then
local nreq = {
forced = forced,
- n = proc,
- orig = req
+ n = processed,
+ orig = req,
+ resolve_ip = resolve_ip
}
requests_table[req] = nreq
end
else
- local orign = maybe_make_hash(req, rule)
+ local to_resolve
+ local orign = req
+
+ if not resolve_ip then
+ orign = maybe_make_hash(req, rule)
+ to_resolve = string.format('%s.%s',
+ orign,
+ rule.rbl)
+ else
+ -- First, resolve origin stuff without hashing or anything
+ to_resolve = orign
+ end
+
local nreq = {
forced = forced,
- n = string.format('%s.%s',
- orign,
- rule.rbl),
- orig = orign
+ n = to_resolve,
+ orig = orign,
+ is_ip = resolve_ip
}
requests_table[req] = nreq
end
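Review bot: The request record built in the branch without `process_script` stores the flag as `is_ip = resolve_ip`, while the `process_script` branch stores `resolve_ip = resolve_ip` and the emit loop later in this commit tests `req.resolve_ip`. As written, a rule with `resolve_ip` set and no `process_script` appears to queue the bare name, without the `rule.rbl` suffix, and send it down the ordinary `resolve_a` path. The A records of a name taken from the message would then presumably reach `gen_rbl_dns_callback` as if they were list answers. Using `resolve_ip = resolve_ip` in both records would fix this, and a comment on the `rule.process_script(req, rule.rbl, task, resolve_ip)` call should say that the script must return an unsuffixed name when the fourth argument is true. `add_dns_request` continues past the end of this hunk.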
@@ -316,7 +329,7 @@ local function gen_rbl_callback(rule)
return false
end
- add_dns_request(task, helo, true, requests_table)
+ add_dns_request(task, helo, true, false, requests_table)
end
local function check_dkim(task, requests_table)
@@ -349,16 +362,16 @@ local function gen_rbl_callback(rule)
end
if mime_from_domain and mime_from_domain == domain_tld then
- add_dns_request(task, domain_tld, true, requests_table)
+ add_dns_request(task, domain_tld, true, false, requests_table)
ret = true
end
else
if rule.dkim_domainonly then
add_dns_request(task, rspamd_util.get_tld(domain),
- false, requests_table)
+ false, false, requests_table)
ret = true
else
- add_dns_request(task, domain, false, requests_table)
+ add_dns_request(task, domain, false, false, requests_table)
ret = true
end
end
@@ -378,16 +391,16 @@ local function gen_rbl_callback(rule)
for _,email in ipairs(emails) do
if rule.emails_domainonly then
- add_dns_request(task, email:get_tld(), false, requests_table)
+ add_dns_request(task, email:get_tld(), false, false, requests_table)
else
if rule.hash then
-- Leave @ as is
add_dns_request(task, string.format('%s@%s',
- email:get_user(), email:get_host()), false, requests_table)
+ email:get_user(), email:get_host()), false, false, requests_table)
else
-- Replace @ with .
add_dns_request(task, string.format('%s.%s',
- email:get_user(), email:get_host()), false, requests_table)
+ email:get_user(), email:get_host()), false, false, requests_table)
end
end
end
@@ -403,7 +416,7 @@ local function gen_rbl_callback(rule)
end
if (ip:get_version() == 6 and rule.ipv6) or
(ip:get_version() == 4 and rule.ipv4) then
- add_dns_request(task, ip_to_rbl(ip), true, requests_table)
+ add_dns_request(task, ip_to_rbl(ip), true, true, requests_table)
end
return true
@@ -419,7 +432,7 @@ local function gen_rbl_callback(rule)
for pos,rh in ipairs(received) do
if check_conditions(rh, pos) then
- add_dns_request(task, ip_to_rbl(rh.real_ip), false, requests_table)
+ add_dns_request(task, ip_to_rbl(rh.real_ip), false, true, requests_table)
end
end
@@ -432,7 +445,7 @@ local function gen_rbl_callback(rule)
return false
end
- add_dns_request(task, hostname, true, requests_table)
+ add_dns_request(task, hostname, true, false, requests_table)
return true
end
@@ -442,7 +455,7 @@ local function gen_rbl_callback(rule)
if res then
for _,r in ipairs(res) do
- add_dns_request(task, r, false, requests_table)
+ add_dns_request(task, r, false, false, requests_table)
end
end
end
@@ -509,19 +522,83 @@ local function gen_rbl_callback(rule)
-- Now check all DNS requests pending and emit them
local r = task:get_resolver()
- for name,p in pairs(dns_req) do
- if validate_dns(p.n) then
+ -- Used for 2 passes ip resolution
+ local resolved_req = {}
+ local nresolved = 0
+
+ -- This is called when doing resolve_ip phase...
+ local function gen_rbl_ip_dns_callback(orig)
+ return function(_, _, results, err)
+ if not err then
+ for _,dns_res in ipairs(results) do
+ -- Check if we have rspamd{ip} userdata
+ if type(dns_res) == 'userdata' then
+ -- Add result as an actual RBL request
+ add_dns_request(task, ip_to_rbl(dns_res), false, true,
+ resolved_req)
+ end
+ end
+ end
+
+ nresolved = nresolved - 1
+
+ if nresolved == 0 then
+ -- Emit real RBL requests as there are no ip resolution requests
+ for name, req in pairs(resolved_req) do
+ if validate_dns(req.n) then
+ lua_util.debugm(N, task, "rbl %s; resolve %s -> %s",
+ rule.symbol, name, req.n)
+ r:resolve_a({
+ task = task,
+ name = req.n,
+ callback = gen_rbl_dns_callback(orig),
+ forced = req.forced
+ })
+ else
+ rspamd_logger.warnx(task, 'cannot send invalid DNS request %s for %s',
+ req.n, rule.symbol)
+ end
+ end
+ end
+ end
+ end
+
+ for name, req in pairs(dns_req) do
+ if validate_dns(req.n) then
lua_util.debugm(N, task, "rbl %s; resolve %s -> %s",
- rule.symbol, name, p.n)
- r:resolve_a({
- task = task,
- name = p.n,
- callback = gen_rbl_dns_callback(p.orig),
- forced = p.forced
- })
+ rule.symbol, name, req.n)
+
+ if req.resolve_ip then
+ -- Deal with both ipv4 and ipv6
+ -- Resolve names first
+ if r:resolve_a({
+ task = task,
+ name = req.n,
+ callback = gen_rbl_ip_dns_callback(req.orig),
+ forced = req.forced
+ }) then
+ nresolved = nresolved + 1
+ end
+ if r:resolve('aaaa', {
+ task = task,
+ name = req.n,
+ callback = gen_rbl_ip_dns_callback(req.orig),
+ forced = req.forced
+ }) then
+ nresolved = nresolved + 1
+ end
+ else
+ r:resolve_a({
+ task = task,
+ name = req.n,
+ callback = gen_rbl_dns_callback(req.orig),
+ forced = req.forced
+ })
+ end
+
else
rspamd_logger.warnx(task, 'cannot send invalid DNS request %s for %s',
- p.n, rule.symbol)
+ req.n, rule.symbol)
end
end
end
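Review bot: Inside `gen_rbl_ip_dns_callback` the second-pass lookups use `callback = gen_rbl_dns_callback(orig)`, where `orig` is the name captured by whichever first-pass callback brought `nresolved` to zero. Every entry in `resolved_req` is therefore reported against that one name, not against the hostname that produced the address. If the reversed address is the intended label, `callback = gen_rbl_dns_callback(req.orig),` gives each request its own value; if the hostname is wanted, it has to be stored on the entry when the address is added. Separately, nothing in this hunk bounds how many addresses a message-derived name may contribute, so each A/AAAA record returned becomes one further RBL query. Whether `requests_limit` applies to `resolved_req` is not visible here, so a cap or a comment stating the bound would help.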
@@ -674,6 +751,7 @@ local default_options = {
['default_exclude_local'] = true,
['default_is_whitelist'] = false,
['default_ignore_whitelist'] = false,
+ ['default_resolve_ip'] = false,
}
opts = lua_util.override_defaults(default_options, opts)
@@ -721,6 +799,7 @@ local rule_schema = ts.shape({
requests_limit = (ts.integer + ts.string / tonumber):is_optional(),
process_script = ts.string:is_optional(),
}, {
+ -- Covers boolean defaults
extra_fields = ts.map_of(ts.string, ts.boolean)
})