Merge pull request #1869 from ikedas/issue-1851_ikedas-02 by ikedas

Several fixes/improvements on ARC seal & DKIM signature
sympa-community · Sep 29, 2024 · 5f06293 · 5f06293
2 parents 9ddb11e + c9903ac
commit 5f06293
Show file tree

Hide file tree

Showing 8 changed files with 212 additions and 270 deletions.
diff --git a/src/lib/Sympa/Internals/Workflow.pod b/src/lib/Sympa/Internals/Workflow.pod
@@ -41,7 +41,7 @@ workflow of Sympa.  For more details see documentation on each class.
                   /               v
  Incoming => [ProcessIncoming]    *2
                   \                              +-> (reject)
-                   +-> [DoForward] => (Mailer)  /
+                   +-> [DoForward] => Outgoing  /
                     \                          +-> [ToEditor] => Outgoing
                      +-> [DoMessage]          /
                                \             /---> [ToHeld] => Held

diff --git a/src/lib/Sympa/Message.pm b/src/lib/Sympa/Message.pm
@@ -544,8 +544,14 @@ sub arc_seal {
         $log->syslog('err', 'Can\'t create Mail::DKIM::ARC::Signer');
         return undef;
     }
-    # For One-Click Unsubscribe.
-    $arc->extended_headers({'List-Unsubscribe-Post' => '*'});
+    $arc->extended_headers(
+        {
+            # For any DKIM signature(s).  See RFC 8617, 4.1.2.
+            'DKIM-Signature' => '*',
+            # For One-Click Unsubscribe.
+            'List-Unsubscribe-Post' => '*',
+        }
+    );
 
     # $new_body will store the body as fed to Mail::DKIM to reuse it
     # when returning the message as string.  Line terminators must be

diff --git a/src/lib/Sympa/Spindle/AuthorizeMessage.pm b/src/lib/Sympa/Spindle/AuthorizeMessage.pm
@@ -7,7 +7,7 @@
 # Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
 # 2006, 2007, 2008, 2009, 2010, 2011 Comite Reseau des Universites
 # Copyright (c) 2011, 2012, 2013, 2014, 2015, 2016, 2017 GIP RENATER
-# Copyright 2018, 2019, 2021, 2022 The Sympa Community. See the
+# Copyright 2018, 2019, 2021, 2022, 2024 The Sympa Community. See the
 # AUTHORS.md file at the top-level directory of this distribution and at
 # <https://github.com/sympa-community/sympa.git>.
 #
@@ -34,7 +34,6 @@ use Sympa::List;
 use Sympa::Log;
 use Sympa::Scenario;
 use Sympa::Spool::Topic;
-use Sympa::Tools::Data;
 
 use base qw(Sympa::Spindle);
 
@@ -163,31 +162,21 @@ sub _twist {
     if ($action =~ /^do_it\b/) {
         $self->{quiet} ||= ($action =~ /,\s*quiet\b/);    # Overwrite.
 
+        my @apply_on =
+            @{$list->{'admin'}{'dkim_signature_apply_on'} || []};
         unless ($self->{confirmed_by}) {    # Not in ProcessHeld spindle.
             $message->{shelved}{dkim_sign} = 1
-                if Sympa::Tools::Data::is_in_array(
-                $list->{'admin'}{'dkim_signature_apply_on'}, 'any')
-                or (
-                Sympa::Tools::Data::is_in_array(
-                    $list->{'admin'}{'dkim_signature_apply_on'},
-                    'smime_authenticated_messages')
-                and $message->{'smime_signed'}
-                )
-                or (
-                Sympa::Tools::Data::is_in_array(
-                    $list->{'admin'}{'dkim_signature_apply_on'},
-                    'dkim_authenticated_messages')
-                and $message->{'dkim_pass'}
-                );
+                if grep { 'any' eq $_ } @apply_on
+                or (grep { 'smime_authenticated_messages' eq $_ } @apply_on
+                and $message->{'smime_signed'})
+                or (grep { 'dkim_authenticated_messages' eq $_ } @apply_on
+                and $message->{'dkim_pass'});
         } else {
             $message->add_header('X-Validation-by', $self->{confirmed_by});
 
             $message->{shelved}{dkim_sign} = 1
-                if Sympa::Tools::Data::is_in_array(
-                $list->{'admin'}{'dkim_signature_apply_on'}, 'any')
-                or Sympa::Tools::Data::is_in_array(
-                $list->{'admin'}{'dkim_signature_apply_on'},
-                'md5_authenticated_messages');
+                if grep { 'any' eq $_ } @apply_on
+                or grep { 'md5_authenticated_messages' eq $_ } @apply_on;
         }
 
         # Keep track of known message IDs...if any.

diff --git a/src/lib/Sympa/Spindle/DoForward.pm b/src/lib/Sympa/Spindle/DoForward.pm
@@ -47,18 +47,16 @@ sub _twist {
     # Fail-safe: Skip messages with unwanted types.
     return 0 unless $self->_splicing_to($message) eq __PACKAGE__;
 
-    my ($list, $robot, $arc_enabled);
+    my ($list, $robot);
     if (ref $message->{context} eq 'Sympa::List') {
-        $list        = $message->{context};
-        $robot       = $list->{'domain'};
-        $arc_enabled = 'on' eq $list->{'admin'}{'arc_feature'};
+        $list  = $message->{context};
+        $robot = $message->{context}->{'domain'};
     } elsif ($message->{context} and $message->{context} ne '*') {
         $robot = $message->{context};
-        $arc_enabled = 'on' eq Conf::get_robot_conf($robot, 'arc_feature');
     } else {
-        $robot       = $Conf::Conf{'domain'};
-        $arc_enabled = 'on' eq $Conf::Conf{'arc_feature'};
+        $robot = '*';
     }
+
     my $function = $message->{listtype};
     my $recipient = Sympa::get_address($message->{context}, $function);
 
@@ -153,30 +151,41 @@ sub _twist {
         return undef;
     }
 
+    my (@apply_on, @protection);
+    if (ref $list eq 'Sympa::List') {
+        @apply_on =
+            @{$list->{'admin'}{'dkim_signature_apply_on'} || []};
+        @protection = @{$list->{'admin'}{'dmarc_protection'}{'mode'} || []};
+    } else {
+        @apply_on =
+            @{Conf::get_robot_conf($robot, 'dkim_signature_apply_on') || []};
+        @protection =
+            @{Conf::get_robot_conf($robot, 'dmarc_protection.mode') || []};
+    }
+    $message->{shelved}{dkim_sign} = 1
+        if grep { 'any' eq $_ } @apply_on
+        or (grep { 'smime_authenticated_messages' eq $_ } @apply_on
+        and $message->{'smime_signed'})
+        or (grep { 'dkim_authenticated_messages' eq $_ } @apply_on
+        and $message->{'dkim_pass'});
+
+    $message->{shelved}{dmarc_protect} = 1
+        if grep { $_ and 'none' ne $_ } @protection;
+
     # Add or remove several headers to forward message safely.
     # - Add X-Loop: field to mitigate mail looping.
     # - The Sender: field should be added (overwritten) at least for Sender ID
     #   (a.k.a. SPF 2.0) compatibility.  Note that Resent-Sender: field will
     #   be removed.
     # - Add ARC seal if enabled, or try applying DMARC protection.
-    #FIXME: Existing DKIM signature depends on these headers will be broken.
-    #FIXME: Currently messages via -request and -editor addresses will be
-    #       protected against DMARC if neccessary.  The listmaster address
-    #       would be protected, too.
     $message->add_header('X-Loop', $recipient);
     $message->replace_header('Sender', Sympa::get_address($robot, 'owner'));
     $message->delete_header('Resent-Sender');
-    my %arc =
-        Sympa::Tools::DKIM::get_arc_parameters($message->{context},
-        $message->{shelved}{arc_cv})
-        if $arc_enabled and $message->{shelved}{arc_cv};
-    my $arc_sealed = $message->arc_seal(%arc) if %arc;
-    $message->dmarc_protect unless $arc_sealed;
 
     # Overwrite envelope sender.  It is REQUIRED for delivery.
     $message->{envelope_sender} = Sympa::get_address($robot, 'owner');
 
-    unless (defined Sympa::Mailer->instance->store($message, \@rcpt)) {
+    unless (defined Sympa::Spool::Outgoing->new->store($message, [@rcpt])) {
         $log->syslog('err', 'Impossible to forward mail for %s', $recipient);
         Sympa::send_notify_to_listmaster(
             $message->{context} || '*',

diff --git a/src/lib/Sympa/Spindle/ProcessModeration.pm b/src/lib/Sympa/Spindle/ProcessModeration.pm
@@ -8,8 +8,8 @@
 # Copyright (c) 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005,
 # 2006, 2007, 2008, 2009, 2010, 2011 Comite Reseau des Universites
 # Copyright (c) 2011, 2012, 2013, 2014, 2015, 2016, 2017 GIP RENATER
-# Copyright 2017 The Sympa Community. See the AUTHORS.md file at the top-level
-# directory of this distribution and at
+# Copyright 2017, 2024 The Sympa Community. See the
+# AUTHORS.md file at the top-level directory of this distribution and at
 # <https://github.com/sympa-community/sympa.git>.
 #
 # This program is free software; you can redistribute it and/or modify
@@ -34,7 +34,6 @@ use Sympa;
 use Conf;
 use Sympa::Language;
 use Sympa::Log;
-use Sympa::Tools::Data;
 
 use base qw(Sympa::Spindle);
 
@@ -191,12 +190,14 @@ sub _distribute {
 
     $message->add_header('X-Validation-by', $self->{distributed_by});
 
+    my @apply_on = @{$list->{'admin'}{'dkim_signature_apply_on'} || []};
     $message->{shelved}{dkim_sign} = 1
-        if Sympa::Tools::Data::is_in_array(
-        $list->{'admin'}{'dkim_signature_apply_on'}, 'any')
-        or Sympa::Tools::Data::is_in_array(
-        $list->{'admin'}{'dkim_signature_apply_on'},
-        'editor_validated_messages');
+        if grep { 'any' eq $_ } @apply_on
+        or (grep { 'smime_authenticated_messages' eq $_ } @apply_on
+        and $message->{'smime_signed'})
+        or (grep { 'dkim_authenticated_messages' eq $_ } @apply_on
+        and $message->{'dkim_pass'})
+        or grep { 'editor_validated_messages' eq $_ } @apply_on;
 
     # Notify author of message.
     $message->{envelope_sender} = $message->{sender};