DKIM sign outbound mail if configured

The signing is done in the Accept-Action just before the mail gets handed to
the outbound postifx process, thus ensuring that all modifications done by
the rule-system don't invalidate the signature

The PMG::DKIMSign/DKIM::Signer object is not cached, since subsequent calls to
the same object lead to invalid signatures.

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>

diff --git a/src/PMG/RuleDB/Accept.pm b/src/PMG/RuleDB/Accept.pm
index 8e76d8f4d8d8d988d24223a765aaa92991b642cb..0bcf250c259c7e75789df4e11d2172b24bd9da30 100644 (file)
--- a/src/PMG/RuleDB/Accept.pm
+++ b/src/PMG/RuleDB/Accept.pm
@@ -10,6 +10,7 @@ use Digest::SHA;
 
 use PMG::Utils;
 use PMG::ModGroup;
+use PMG::DKIMSign;
 use PMG::RuleDB::Object;
 
 use base qw(PMG::RuleDB::Object);
@@ -89,7 +90,8 @@ sub execute {
     my ($self, $queue, $ruledb, $mod_group, $targets, 
        $msginfo, $vars, $marks) = @_;
 
-    my $subgroups = $mod_group->subgroups($targets, 1);
+    my $dkim = $msginfo->{dkim} // {};
+    my $subgroups = $mod_group->subgroups($targets, !$dkim->{sign});
 
     my $rulename = $vars->{RULE} // 'unknown';
 
@@ -98,6 +100,16 @@ sub execute {
 
        PMG::Utils::remove_marks($entity);
 
+       if ($dkim->{sign}) {
+           eval {
+               $entity = PMG::DKIMSign::sign_entity($entity,
+                   $dkim->{selector}, $msginfo->{sender}, $dkim->{sign_all});
+           };
+           syslog('warning',
+               "Could not create DKIM-Signature - disabling Signing: $@") if $@;
+       }
+
+
        if ($msginfo->{testmode}) {
            my $fh = $msginfo->{test_fh};
            print $fh "accept from: $msginfo->{sender}\n";

diff --git a/src/PMG/RuleDB/BCC.pm b/src/PMG/RuleDB/BCC.pm
index be695f710b6b94f1e31123688ca94faba15ed931..a8db3f530d65b0b42fe1490b7c54d5794570b817 100644 (file)
--- a/src/PMG/RuleDB/BCC.pm
+++ b/src/PMG/RuleDB/BCC.pm
@@ -8,6 +8,7 @@ use PVE::SafeSyslog;
 
 use PMG::Utils;
 use PMG::ModGroup;
+use PMG::DKIMSign;
 use PMG::RuleDB::Object;
 
 use base qw(PMG::RuleDB::Object);
@@ -137,6 +138,16 @@ sub execute {
        $entity = $entity->dup();
        PMG::Utils::remove_marks($entity);
 
+       my $dkim = $msginfo->{dkim} // {};
+       if ($dkim->{sign}) {
+           eval {
+               $entity = PMG::DKIMSign::sign_entity($entity,
+                   $dkim->{selector}, $msginfo->{sender}, $dkim->{sign_all});
+           };
+           syslog('warning',
+               "Could not create DKIM-Signature - disabling Signing: $@") if $@;
+       }
+
        if ($msginfo->{testmode}) {
            my $fh = $msginfo->{test_fh};
            print $fh "bcc from: $msginfo->{sender}\n";

diff --git a/src/bin/pmg-smtp-filter b/src/bin/pmg-smtp-filter
index 62ce9ab96fe847fd4e7faeeca9243a4a2ecc3de8..5f1e5821c3e8cf1d7745ead127766dcbdd6d6b06 100755 (executable)
--- a/src/bin/pmg-smtp-filter
+++ b/src/bin/pmg-smtp-filter
@@ -640,6 +640,13 @@ sub handle_smtp {
        $msginfo->{xforward} = $smtp->{xforward};
        $msginfo->{targets} = $smtp->{to};
 
+       my $dkim_sign = $msginfo->{trusted} && $pmg_cfg->get('admin', 'dkim_sign');
+       if ($dkim_sign) {
+           $msginfo->{dkim}->{sign} = $dkim_sign;
+           $msginfo->{dkim}->{sign_all} = $pmg_cfg->get('admin', 'dkim_sign_all_mail');
+           $msginfo->{dkim}->{selector} = $pmg_cfg->get('admin', 'dkim_selector');
+       }
+
        $msginfo->{hostname} = PVE::INotify::nodename();
        my $resolv = PVE::INotify::read_file('resolvconf');