DKIM alignment policy override

2025-12-12 18:00:19 +00:00 · 2021-01-31 17:08:05 +01:00 · 2021-01-31 17:08:05 +01:00 · 1dc0c8d5d9
commit 1dc0c8d5d9
parent 507ab6d241
4 changed files with 54 additions and 27 deletions
--- a/app/exota-milter.py
+++ b/app/exota-milter.py
@ -353,10 +353,17 @@ class ExOTAMilter(Milter.Base):
            "/EOM: No aligned DKIM signatures found!"
          )
          if g_milter_dkim_alignment_required:
-            return self.smfir_reject(
-              queue_id = self.getsymval('i'),
-              reason = 'DKIM alignment required!'
-            )
+            if policy.is_dkim_alignment_required() == False:
+              logging.info(self.mconn_id + "/" + str(self.getsymval('i')) +
+                "/EOM: Policy overrides DKIM alignment requirement to '{0}'!".format(
+                  policy.is_dkim_alignment_required()
+                )
+              )
+            else:
+              return self.smfir_reject(
+                queue_id = self.getsymval('i'),
+                reason = 'DKIM alignment required!'
+              )
      else:
        logging.info(self.mconn_id + "/" + str(self.getsymval('i')) +
          "/EOM: No valid DKIM authentication result found"
--- a/app/policy.py
+++ b/app/policy.py
@ -16,7 +16,15 @@ class ExOTAPolicyInvalidException(ExOTAPolicyException):
 class ExOTAPolicy():
  def __init__(self, policy_dict):
    self.tenant_id = policy_dict['tenant_id']
-    self.dkim_enabled = policy_dict['dkim_enabled']
+    if 'dkim_enabled' in policy_dict:
+      self.dkim_enabled = policy_dict['dkim_enabled']
+    else:
+      self.dkim_enabled = True
+    if 'dkim_alignment_required' in policy_dict:
+      self.dkim_alignment_required = policy_dict['dkim_alignment_required']
+    else:
+      # DKIM alignment per policy enabled by default
+      self.dkim_alignment_required = True

  def get_tenant_id(self):
    return self.tenant_id
@ -24,31 +32,42 @@ class ExOTAPolicy():
  def is_dkim_enabled(self):
    return self.dkim_enabled

+  def is_dkim_alignment_required(self):
+    return self.dkim_alignment_required
+
  @staticmethod
  def check_policy(policy_dict):
    if 'tenant_id' not in policy_dict:
      raise ExOTAPolicyInvalidException(
-        "Policy must have a 'tenant_id' attribute!"
+        "Policy must have a 'tenant_id' key!"
      )
-    else:
-      try:
-        UUID(policy_dict['tenant_id'])
-      except ValueError as e:
+    for policy_key in policy_dict:
+      if policy_key == 'tenant_id':
+        try:
+          UUID(policy_dict[policy_key])
+        except ValueError as e:
+          raise ExOTAPolicyInvalidException(
+            "Invalid 'tenant_id': {0}".format(str(e))
+          ) from e
+        except Exception as e:
+          raise ExOTAPolicyInvalidException(
+            "Invalid 'tenant_id': {0}".format(traceback.format_exc())
+          ) from e
+      elif policy_key == 'dkim_enabled':
+        if not isinstance(policy_dict[policy_key], bool):
+          raise ExOTAPolicyInvalidException(
+            "'dkim_enabled'({0}) must be boolean!".format(policy_dict['dkim_enabled'])
+          )
+      elif policy_key == 'dkim_alignment_required':
+        if not isinstance(policy_dict[policy_key], bool):
+          raise ExOTAPolicyInvalidException(
+            "'dkim_alignment_required'({0}) must be boolean!".format(
+              policy_dict[policy_key]
+            )
+          )
+      else:
        raise ExOTAPolicyInvalidException(
-          "Invalid 'tenant_id': {0}".format(str(e))
-        ) from e
-      except Exception as e:
-        raise ExOTAPolicyInvalidException(
-          "Invalid 'tenant_id': {0}".format(traceback.format_exc())
-        ) from e
-    if 'dkim_enabled' not in policy_dict:
-      raise ExOTAPolicyInvalidException(
-        "Policy must have a 'dkim_enabled' attribute!"
-      )
-    else:
-      if not isinstance(policy_dict['dkim_enabled'], bool):
-        raise ExOTAPolicyInvalidException(
-          "'dkim_enabled'({0}) must be boolean!".format(policy_dict['dkim_enabled'])
+          "Invalid policy_key '{0}'!".format(policy_key)
        )

 class ExOTAPolicyBackend():
--- a/tests/miltertest.lua
+++ b/tests/miltertest.lua
@ -30,7 +30,7 @@ if mt.getreply(conn) ~= SMFIR_CONTINUE then
 end

 -- HEADER
-if mt.header(conn, "fRoM", '"Blah Blubb" <O365ConnectorValidation@yad.onmicrosoft.comx>') ~= nil then
+if mt.header(conn, "fRoM", '"Blah Blubb" <O365ConnectorValidation@yad.onmicrosoft.com>') ~= nil then
  error "mt.header(From) failed"  
 end
 if mt.header(conn, "resent-fRoM", '"Blah Blubb" <blah@yad.onmicrosoft.COM>') ~= nil then
@ -51,7 +51,7 @@ end
 if mt.header(conn, "Authentication-Results", "my-auth-serv-id;\n  exota=pass") ~= nil then
  error "mt.header(Subject) failed"  
 end
-if mt.header(conn, "Authentication-RESULTS", "my-auth-serv-id;\n  dkim=pass header.d=yad.onmicrosoft.com-blubb header.s=selector1-yad-onmicrosoft-com header.b=mmmjFpv8") ~= nil then
+if mt.header(conn, "Authentication-RESULTS", "my-auth-serv-id;\n  dkim=pass header.d=yad.onmicrosoft.comx header.s=selector1-yad-onmicrosoft-com header.b=mmmjFpv8") ~= nil then
  error "mt.header(Subject) failed"  
 end
 if mt.header(conn, "Authentication-Results", "my-auth-serv-id;\n  dkim=fail header.d=yad.onmicrosoft.com header.s=selector2-asdf header.b=mmmjFpv8") ~= nil then
--- a/tests/policy.json
+++ b/tests/policy.json
@ -1,7 +1,8 @@
 {
  "yad.onmicrosoft.com": {
    "tenant_id": "1234abcd-18c5-45e8-88de-123456789abc",
-    "dkim_enabled": true
+    "dkim_enabled": true,
+    "dkim_alignment_required": true
  },
  "example.com": {
    "tenant_id": "abcd1234-18c5-45e8-88de-987654321cba",