feature #58501 [Mailer] Add configuration for dkim and smime signers (elias-playfinder, eliasfernandez)

fabpot · fabpot · commit 7b6d3a20cdc7 · 2025-02-10T10:33:06.000+01:00
This PR was squashed before being merged into the 7.3 branch.

Discussion
----------

[Mailer] Add configuration for dkim and smime signers

| Q             | A
| ------------- | ---
| Branch?       | 7.2
| Bug fix?      | no
| New feature?  | yes
| Deprecations? |  no
| Issues        | Fix #53941
| License       | MIT

DKIM is becoming a must have for emails but the current workflow to sign messages on symfony requires to do it in the controller or the application and it causes failures when the email is signed before some other listener needs to get it.

This PR adds the needed configuration as part of the mailer configuration and sign all the messages if configured at the mailer level. By instance, we can add these two new blocks under mailer.yml:
```yml
framework:
    mailer:
        dsn: '%env(MAILER_DSN)%'
        dkim_signer:
            key: 'file://private.key'
            domain: 'symfony.com'
            select: 's1'
            passphrase: ''
            options:

```

or

```yml
framework:
    mailer:
        dsn: '%env(MAILER_DSN)%'
        smime_signer:
            key: '/path/to/certificate-private-key.key'
            certificate: '/path/to/certificate.crt'
            passphrase: ''
            extra_certificates: '/path/to/certificate.crt'
            sign_options: 1
```

Commits
-------

244cbf1aad4 [Mailer] Add configuration for dkim and smime signers
diff --git a/DependencyInjection/Configuration.php b/DependencyInjection/Configuration.php
@@ -2239,6 +2239,88 @@ private function addMailerSection(ArrayNodeDefinition $rootNode, callable $enabl
                                 ->end()
                             ->end()
                         ->end()
+                        ->arrayNode('dkim_signer')
+                            ->addDefaultsIfNotSet()
+                            ->fixXmlConfig('option')
+                            ->canBeEnabled()
+                            ->info('DKIM signer configuration')
+                            ->children()
+                                ->scalarNode('key')
+                                    ->info('Key content, or path to key (in PEM format with the `file://` prefix)')
+                                    ->defaultValue('')
+                                    ->cannotBeEmpty()
+                                ->end()
+                                ->scalarNode('domain')->defaultValue('')->end()
+                                ->scalarNode('select')->defaultValue('')->end()
+                                ->scalarNode('passphrase')
+                                    ->info('The private key passphrase')
+                                    ->defaultValue('')
+                                ->end()
+                                ->arrayNode('options')
+                                    ->performNoDeepMerging()
+                                    ->normalizeKeys(false)
+                                    ->useAttributeAsKey('name')
+                                    ->prototype('variable')->end()
+                                ->end()
+                            ->end()
+                        ->end()
+                        ->arrayNode('smime_signer')
+                            ->addDefaultsIfNotSet()
+                            ->canBeEnabled()
+                            ->info('S/MIME signer configuration')
+                            ->children()
+                                ->scalarNode('key')
+                                    ->info('Path to key (in PEM format)')
+                                    ->defaultValue('')
+                                    ->cannotBeEmpty()
+                                ->end()
+                                ->scalarNode('certificate')
+                                    ->info('Path to certificate (in PEM format without the `file://` prefix)')
+                                    ->defaultValue('')
+                                    ->cannotBeEmpty()
+                                ->end()
+                                ->scalarNode('passphrase')
+                                    ->info('The private key passphrase')
+                                    ->defaultNull()
+                                ->end()
+                                ->scalarNode('extra_certificates')->defaultNull()->end()
+                                ->integerNode('sign_options')->defaultNull()->end()
+                            ->end()
+                        ->end()
+                        ->arrayNode('smime_encrypter')
+                            ->addDefaultsIfNotSet()
+                            ->canBeEnabled()
+                            ->info('S/MIME encrypter configuration')
+                            ->children()
+                                ->scalarNode('certificate')
+                                    ->info('Path to certificate (in PEM format without the `file://` prefix)')
+                                    ->defaultValue('')
+                                    ->cannotBeEmpty()
+                                ->end()
+                                ->integerNode('cipher')
+                                    ->info('A set of algorithms used to encrypt the message')
+                                    ->defaultNull()
+                                    ->beforeNormalization()
+                                        ->always(function ($v): ?int {
+                                            if (null === $v) {
+                                                return null;
+                                            }
+                                            if (\defined('OPENSSL_CIPHER_'.$v)) {
+                                                return \constant('OPENSSL_CIPHER_'.$v);
+                                            }
+
+                                            throw new \InvalidArgumentException(\sprintf('"%s" is not a valid OPENSSL cipher.', $v));
+                                        })
+                                    ->end()
+                                    ->validate()
+                                        ->ifTrue(function ($v) {
+                                            return \extension_loaded('openssl') && null !== $v && !\defined('OPENSSL_CIPHER_'.$v);
+                                        })
+                                        ->thenInvalid('You must provide a valid cipher.')
+                                    ->end()
+                                ->end()
+                            ->end()
+                        ->end()
                     ->end()
                 ->end()
             ->end()
diff --git a/DependencyInjection/FrameworkExtension.php b/DependencyInjection/FrameworkExtension.php
@@ -112,7 +112,10 @@
 use Symfony\Component\Lock\Store\StoreFactory;
 use Symfony\Component\Mailer\Bridge as MailerBridge;
 use Symfony\Component\Mailer\Command\MailerTestCommand;
+use Symfony\Component\Mailer\EventListener\DkimSignedMessageListener;
 use Symfony\Component\Mailer\EventListener\MessengerTransportListener;
+use Symfony\Component\Mailer\EventListener\SmimeEncryptedMessageListener;
+use Symfony\Component\Mailer\EventListener\SmimeSignedMessageListener;
 use Symfony\Component\Mailer\Mailer;
 use Symfony\Component\Mercure\HubRegistry;
 use Symfony\Component\Messenger\Attribute\AsMessageHandler;
@@ -2861,6 +2864,48 @@ private function registerMailerConfiguration(array $config, ContainerBuilder $co
             $container->removeDefinition('mailer.messenger_transport_listener');
         }
 
+        if ($config['dkim_signer']['enabled']) {
+            if (!class_exists(DkimSignedMessageListener::class)) {
+                throw new LogicException('DKIM signed messages support cannot be enabled as this version of the Mailer component does not support it.');
+            }
+            $dkimSigner = $container->getDefinition('mailer.dkim_signer');
+            $dkimSigner->setArgument(0, $config['dkim_signer']['key']);
+            $dkimSigner->setArgument(1, $config['dkim_signer']['domain']);
+            $dkimSigner->setArgument(2, $config['dkim_signer']['select']);
+            $dkimSigner->setArgument(3, $config['dkim_signer']['options']);
+            $dkimSigner->setArgument(4, $config['dkim_signer']['passphrase']);
+        } else {
+            $container->removeDefinition('mailer.dkim_signer');
+            $container->removeDefinition('mailer.dkim_signer.listener');
+        }
+
+        if ($config['smime_signer']['enabled']) {
+            if (!class_exists(SmimeSignedMessageListener::class)) {
+                throw new LogicException('SMIME signed messages support cannot be enabled as this version of the Mailer component does not support it.');
+            }
+            $smimeSigner = $container->getDefinition('mailer.smime_signer');
+            $smimeSigner->setArgument(0, $config['smime_signer']['key']);
+            $smimeSigner->setArgument(1, $config['smime_signer']['certificate']);
+            $smimeSigner->setArgument(2, $config['smime_signer']['passphrase']);
+            $smimeSigner->setArgument(3, $config['smime_signer']['extra_certificates']);
+            $smimeSigner->setArgument(4, $config['smime_signer']['sign_options']);
+        } else {
+            $container->removeDefinition('mailer.smime_signer');
+            $container->removeDefinition('mailer.smime_signer.listener');
+        }
+
+        if ($config['smime_encrypter']['enabled']) {
+            if (!class_exists(SmimeEncryptedMessageListener::class)) {
+                throw new LogicException('S/MIME encrypted messages support cannot be enabled as this version of the Mailer component does not support it.');
+            }
+            $smimeDecrypter = $container->getDefinition('mailer.smime_encrypter');
+            $smimeDecrypter->setArgument(0, $config['smime_encrypter']['certificate']);
+            $smimeDecrypter->setArgument(1, $config['smime_encrypter']['cipher']);
+        } else {
+            $container->removeDefinition('mailer.smime_encrypter');
+            $container->removeDefinition('mailer.smime_encrypter.listener');
+        }
+
         if ($webhookEnabled) {
             $loader->load('mailer_webhook.php');
         }
diff --git a/Resources/config/mailer.php b/Resources/config/mailer.php
@@ -12,16 +12,22 @@
 namespace Symfony\Component\DependencyInjection\Loader\Configurator;
 
 use Symfony\Component\Mailer\Command\MailerTestCommand;
+use Symfony\Component\Mailer\EventListener\DkimSignedMessageListener;
 use Symfony\Component\Mailer\EventListener\EnvelopeListener;
 use Symfony\Component\Mailer\EventListener\MessageListener;
 use Symfony\Component\Mailer\EventListener\MessageLoggerListener;
 use Symfony\Component\Mailer\EventListener\MessengerTransportListener;
+use Symfony\Component\Mailer\EventListener\SmimeEncryptedMessageListener;
+use Symfony\Component\Mailer\EventListener\SmimeSignedMessageListener;
 use Symfony\Component\Mailer\Mailer;
 use Symfony\Component\Mailer\MailerInterface;
 use Symfony\Component\Mailer\Messenger\MessageHandler;
 use Symfony\Component\Mailer\Transport;
 use Symfony\Component\Mailer\Transport\TransportInterface;
 use Symfony\Component\Mailer\Transport\Transports;
+use Symfony\Component\Mime\Crypto\DkimSigner;
+use Symfony\Component\Mime\Crypto\SMimeEncrypter;
+use Symfony\Component\Mime\Crypto\SMimeSigner;
 
 return static function (ContainerConfigurator $container) {
     $container->services()
@@ -78,6 +84,48 @@
         ->set('mailer.messenger_transport_listener', MessengerTransportListener::class)
             ->tag('kernel.event_subscriber')
 
+         ->set('mailer.dkim_signer', DkimSigner::class)
+            ->args([
+                abstract_arg('key'),
+                abstract_arg('domain'),
+                abstract_arg('select'),
+                abstract_arg('options'),
+                abstract_arg('passphrase'),
+            ])
+
+        ->set('mailer.smime_signer', SMimeSigner::class)
+            ->args([
+                abstract_arg('key'),
+                abstract_arg('certificate'),
+                abstract_arg('passphrase'),
+                abstract_arg('extraCertificates'),
+                abstract_arg('signOptions'),
+            ])
+
+        ->set('mailer.smime_encrypter', SMimeEncrypter::class)
+            ->args([
+                abstract_arg('certificate'),
+                abstract_arg('cipher'),
+            ])
+
+        ->set('mailer.dkim_signer.listener', DkimSignedMessageListener::class)
+            ->args([
+                service(DkimSigner::class),
+            ])
+            ->tag('kernel.event_subscriber')
+
+        ->set('mailer.smime_signer.listener', SmimeSignedMessageListener::class)
+            ->args([
+                service('mailer.smime_signer'),
+            ])
+            ->tag('kernel.event_subscriber')
+
+        ->set('mailer.smime_encrypter.listener', SmimeEncryptedMessageListener::class)
+            ->args([
+                service('mailer.smime_encrypter'),
+            ])
+            ->tag('kernel.event_subscriber')
+
         ->set('console.command.mailer_test', MailerTestCommand::class)
             ->args([
                 service('mailer.transports'),
diff --git a/Resources/config/schema/symfony-1.0.xsd b/Resources/config/schema/symfony-1.0.xsd
@@ -790,6 +790,9 @@
             <xsd:element name="transport" type="mailer_transport" minOccurs="0" maxOccurs="unbounded" />
             <xsd:element name="envelope" type="mailer_envelope" minOccurs="0" maxOccurs="1" />
             <xsd:element name="header" type="header" minOccurs="0" maxOccurs="unbounded" />
+            <xsd:element name="dkim-signer" type="mailer_dkim_signer" minOccurs="0" />
+            <xsd:element name="smime-signer" type="mailer_smime_signer" minOccurs="0" />
+            <xsd:element name="smime-encrypter" type="mailer_smime_encrypter" minOccurs="0" />
         </xsd:sequence>
         <xsd:attribute name="enabled" type="xsd:boolean" />
         <xsd:attribute name="dsn" type="xsd:string" />
@@ -812,6 +815,30 @@
         </xsd:sequence>
     </xsd:complexType>
 
+
+    <xsd:complexType name="mailer_dkim_signer">
+        <xsd:sequence>
+            <xsd:element name="option" type="metadata" minOccurs="0" maxOccurs="unbounded" />
+        </xsd:sequence>
+        <xsd:attribute name="key" type="xsd:string"/>
+        <xsd:attribute name="domain" type="xsd:string"/>
+        <xsd:attribute name="select" type="xsd:string"/>
+        <xsd:attribute name="passphrase" type="xsd:string" />
+    </xsd:complexType>
+
+    <xsd:complexType name="mailer_smime_signer">
+        <xsd:attribute name="key" type="xsd:string"/>
+        <xsd:attribute name="certificate" type="xsd:string"/>
+        <xsd:attribute name="passphrase" type="xsd:string" />
+        <xsd:attribute name="extraCertificates" type="xsd:string" />
+        <xsd:attribute name="signOptions" type="xsd:integer" />
+    </xsd:complexType>
+
+    <xsd:complexType name="mailer_smime_encrypter">
+        <xsd:attribute name="certificate" type="xsd:string"/>
+        <xsd:attribute name="cipher" type="xsd:integer" />
+    </xsd:complexType>
+
     <xsd:complexType name="http_cache">
         <xsd:sequence>
             <xsd:element name="private-header" type="xsd:string" minOccurs="0" maxOccurs="unbounded" />
diff --git a/Tests/DependencyInjection/ConfigurationTest.php b/Tests/DependencyInjection/ConfigurationTest.php
@@ -923,6 +923,27 @@ class_exists(SemaphoreStore::class) && SemaphoreStore::isSupported() ? 'semaphor
                 'enabled' => !class_exists(FullStack::class) && class_exists(Mailer::class),
                 'message_bus' => null,
                 'headers' => [],
+                'dkim_signer' => [
+                    'enabled' => false,
+                    'options' => [],
+                    'key' => '',
+                    'domain' => '',
+                    'select' => '',
+                    'passphrase' => '',
+                ],
+                'smime_signer' => [
+                    'enabled' => false,
+                    'key' => '',
+                    'certificate' => '',
+                    'passphrase' => null,
+                    'extra_certificates' => null,
+                    'sign_options' => null,
+                ],
+                'smime_encrypter' => [
+                    'enabled' => false,
+                    'certificate' => '',
+                    'cipher' => null,
+                ],
             ],
             'notifier' => [
                 'enabled' => !class_exists(FullStack::class) && class_exists(Notifier::class),
