From: Vsevolod Stakhov Date: Tue, 31 Mar 2026 16:00:29 +0000 (+0100) Subject: [Feature] Mark genuinely hard dependencies in plugins X-Git-Tag: 4.0.1~6^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=30d9a0dfaa9029fe6b607b43869fc8ebbbf78e67;p=thirdparty%2Frspamd.git [Feature] Mark genuinely hard dependencies in plugins Annotate dependencies where the dependent truly cannot function without the dep's output: - DMARC_MUNGED → DMARC_CHECK (nothing to munge without policy) - ARC_SIGNED → ARC_CHECK, DMARC_CHECK (needs cache and AAR data) - ARC_DMARC_ADJUSTMENT → DMARC_CHECK, ARC_CHECK (reads both) - BIMI_CHECK → DMARC_CHECK (BIMI requires DMARC pass) - SETTINGS_APPLY → SETTINGS_CHECK, REDIS_SETTINGS (merge needs data) DMARC → SPF/DKIM remains weak: DMARC falls back to whichever mechanism is available. Disabling one shouldn't kill DMARC. --- diff --git a/src/plugins/lua/arc.lua b/src/plugins/lua/arc.lua index 67446e207e..eec0cc4f04 100644 --- a/src/plugins/lua/arc.lua +++ b/src/plugins/lua/arc.lua @@ -951,11 +951,10 @@ end rspamd_config:register_symbol(sym_reg_tbl) --- Do not sign unless checked -rspamd_config:register_dependency(settings['sign_symbol'], 'ARC_CHECK') --- We need to check dmarc before signing as we have to produce valid AAR header --- see #3613 -rspamd_config:register_dependency(settings['sign_symbol'], 'DMARC_CHECK') +-- Hard: ARC signing needs arc-seals cache from ARC_CHECK +rspamd_config:register_dependency(settings['sign_symbol'], 'ARC_CHECK', true) +-- Hard: ARC signing needs DMARC result for valid AAR header (#3613) +rspamd_config:register_dependency(settings['sign_symbol'], 'DMARC_CHECK', true) if settings.adjust_dmarc and settings.whitelisted_signers_map then local function arc_dmarc_adjust_cb(task) @@ -985,6 +984,7 @@ if settings.adjust_dmarc and settings.whitelisted_signers_map then callback = arc_dmarc_adjust_cb, type = 'callback', }) - rspamd_config:register_dependency('ARC_DMARC_ADJUSTMENT', 'DMARC_CHECK') - rspamd_config:register_dependency('ARC_DMARC_ADJUSTMENT', 'ARC_CHECK') + -- Hard: reads both DMARC policy symbols and ARC trusted cache + rspamd_config:register_dependency('ARC_DMARC_ADJUSTMENT', 'DMARC_CHECK', true) + rspamd_config:register_dependency('ARC_DMARC_ADJUSTMENT', 'ARC_CHECK', true) end diff --git a/src/plugins/lua/bimi.lua b/src/plugins/lua/bimi.lua index a030327397..9f4dc51ef9 100644 --- a/src/plugins/lua/bimi.lua +++ b/src/plugins/lua/bimi.lua @@ -415,7 +415,8 @@ if redis_params then score = 0.0 } - rspamd_config:register_dependency('BIMI_CHECK', 'DMARC_CHECK') + -- Hard: BIMI requires DMARC pass + rspamd_config:register_dependency('BIMI_CHECK', 'DMARC_CHECK', true) else lua_util.disable_module(N, "redis") end diff --git a/src/plugins/lua/dmarc.lua b/src/plugins/lua/dmarc.lua index e2b3dedcc9..64e7a6f15e 100644 --- a/src/plugins/lua/dmarc.lua +++ b/src/plugins/lua/dmarc.lua @@ -794,7 +794,8 @@ if settings.munging then augmentations = { lua_util.dns_timeout_augmentation(rspamd_config) }, }) - rspamd_config:register_dependency('DMARC_MUNGED', 'DMARC_CHECK') + -- Hard: without DMARC policy there is nothing to munge + rspamd_config:register_dependency('DMARC_MUNGED', 'DMARC_CHECK', true) -- Weak: signing works without munging, just ensures proper header rewrite order rspamd_config:register_dependency('DKIM_SIGNED', 'DMARC_MUNGED') rspamd_config:register_dependency('ARC_SIGNED', 'DMARC_MUNGED') diff --git a/src/plugins/lua/settings.lua b/src/plugins/lua/settings.lua index 379289c197..0eddf3d307 100644 --- a/src/plugins/lua/settings.lua +++ b/src/plugins/lua/settings.lua @@ -1457,13 +1457,13 @@ rspamd_config:register_symbol({ flags = 'empty,nostat,explicit_disable,ignore_passthrough', }) --- SETTINGS_APPLY depends on SETTINGS_CHECK (waits for it to finish collecting) -rspamd_config:register_dependency('SETTINGS_APPLY', 'SETTINGS_CHECK') +-- Hard dep: SETTINGS_APPLY must wait for SETTINGS_CHECK to finish collecting +rspamd_config:register_dependency('SETTINGS_APPLY', 'SETTINGS_CHECK', true) --- Also depend on REDIS_SETTINGS symbols if redis is configured +-- Also hard-depend on REDIS_SETTINGS symbols if redis is configured if redis_sym_names then for _, sym_name in ipairs(redis_sym_names) do - rspamd_config:register_dependency('SETTINGS_APPLY', sym_name) + rspamd_config:register_dependency('SETTINGS_APPLY', sym_name, true) end end