static yastr spf_parse_domainspec_cidr( struct spf *s, yastr domain, yastr dsc, unsigned long *cidr, unsigned long *cidr6 ) { char *p; yastr tmp, domain_spec; if ( dsc[ 0 ] == ':' ) { yaslrange( dsc, 1, -1 ); tmp = yasldup( dsc ); if (( p = strchr( tmp, '/' )) != NULL ) { yaslrange( tmp, 0, ( p - tmp - 1 )); yaslrange( dsc, ( p - tmp ), -1 ); } else { yaslclear( dsc ); } domain_spec = spf_macro_expand( s, domain, tmp ); yaslfree( tmp ); if ( domain_spec == NULL ) { /* Macro expansion failed, probably a syntax problem. */ return( NULL ); } } else { domain_spec = yasldup( domain ); } *cidr = 32; *cidr6 = 128; if ( dsc[ 0 ] == '/' ) { *cidr = strtoul( dsc + 1, &p, 10 ); if ( *p == '/' ) { *cidr6 = strtoul( p + 1, NULL, 10 ); } } return( domain_spec ); }
int spf_check_host( struct spf *s, const yastr domain ) { int i, j, rc, qualifier, ret = SPF_RESULT_NONE; struct dnsr_result *dnsr_res, *dnsr_res_mech = NULL; struct dnsr_string *txt; yastr record = NULL, redirect = NULL, domain_spec, tmp; size_t tok_count = 0; yastr *split = NULL; char *p; unsigned long cidr, cidr6; int mech_queries = 0; /* RFC 7208 3.1 DNS Resource Records * SPF records MUST be published as a DNS TXT (type 16) Resource Record * (RR) [RFC1035] only. */ if (( dnsr_res = get_txt( domain )) == NULL ) { syslog( LOG_WARNING, "SPF %s [%s]: TXT lookup %s failed", s->spf_domain, domain, domain ); return( SPF_RESULT_TEMPERROR ); } for ( i = 0 ; i < dnsr_res->r_ancount ; i++ ) { if ( dnsr_res->r_answer[ i ].rr_type == DNSR_TYPE_TXT ) { txt = dnsr_res->r_answer[ i ].rr_txt.txt_data; /* RFC 7208 4.5 Selecting Records * Starting with the set of records that were returned by the * lookup, discard records that do not begin with a version section * of exactly "v=spf1". Note that the version section is * terminated by either an SP character or the end of the record. */ if (( strncasecmp( txt->s_string, "v=spf1", 6 ) == 0 ) && (( txt->s_string[ 6 ] == ' ' ) || ( txt->s_string[ 6 ] == '\0' ))) { if ( record != NULL ) { /* RFC 7208 3.2 Multiple DNS Records * A domain name MUST NOT have multiple records that would * cause an authorization check to select more than one * record. */ syslog( LOG_ERR, "SPF %s [%s]: multiple v=spf1 records found", s->spf_domain, domain ); ret = SPF_RESULT_PERMERROR; goto cleanup; } record = yaslempty( ); /* RFC 7208 3.3 Multiple Strings in a Single DNS Record * If a published record contains multiple character-strings, * then the record MUST be treated as if those strings are * concatenated together without adding spaces. */ for ( ; txt != NULL ; txt = txt->s_next ) { record = yaslcat( record, txt->s_string ); } } } } if ( record == NULL ) { simta_debuglog( 1, "SPF %s [%s]: no SPF record found", s->spf_domain, domain ); goto cleanup; } simta_debuglog( 2, "SPF %s [%s]: record: %s", s->spf_domain, domain, record ); split = yaslsplitlen( record, yasllen( record ), " ", 1, &tok_count ); /* Start at 1, 0 is v=spf1 */ for ( i = 1 ; i < tok_count ; i++ ) { /* multiple spaces in a record will result in empty elements */ if ( yasllen( split[ i ] ) == 0 ) { continue; } /* RFC 7208 4.6.4 DNS Lookup Limits * Some mechanisms and modifiers (collectively, "terms") cause DNS * queries at the time of evaluation [...] SPF implementations MUST * limit the total number of those terms to 10 during SPF evaluation, * to avoid unreasonable load on the DNS. If this limit is exceeded, * the implementation MUST return "permerror". */ /* In real life strictly enforcing a limit of ten will break SPF * evaluation of multiple major domains, so we use a higher limit. */ if ( s->spf_queries > 25 ) { syslog( LOG_WARNING, "SPF %s [%s]: DNS lookup limit exceeded", s->spf_domain, domain ); ret = SPF_RESULT_PERMERROR; goto cleanup; } /* RFC 7208 4.6.2 Mechanisms * The possible qualifiers, and the results they cause check_host() to * return, are as follows: * * "+" pass * "-" fail * "~" softfail * "?" neutral * * The qualifier is optional and defaults to "+". */ switch ( *split[ i ] ) { case '+': qualifier = SPF_RESULT_PASS; yaslrange( split[ i ], 1, -1 ); break; case '-': qualifier = SPF_RESULT_FAIL; yaslrange( split[ i ], 1, -1 ); break; case '~': qualifier = SPF_RESULT_SOFTFAIL; yaslrange( split[ i ], 1, -1 ); break; case '?': qualifier = SPF_RESULT_NEUTRAL; yaslrange( split[ i ], 1, -1 ); break; default: qualifier = SPF_RESULT_PASS; break; } if ( strncasecmp( split[ i ], "redirect=", 9 ) == 0 ) { s->spf_queries++; redirect = split[ i ]; yaslrange( redirect, 9, -1 ); simta_debuglog( 2, "SPF %s [%s]: redirect to %s", s->spf_domain, domain, redirect ); /* RFC 7208 5.1 "all" * The "all" mechanism is a test that always matches. */ } else if ( strcasecmp( split[ i ], "all" ) == 0 ) { simta_debuglog( 2, "SPF %s [%s]: matched all: %s", s->spf_domain, domain, spf_result_str( qualifier )); ret = qualifier; goto cleanup; /* RFC 7208 5.2 "include" * The "include" mechanism triggers a recursive evaluation of * check_host(). */ } else if ( strncasecmp( split[ i ], "include:", 8 ) == 0 ) { s->spf_queries++; yaslrange( split[ i ], 8, -1 ); simta_debuglog( 2, "SPF %s [%s]: include %s", s->spf_domain, domain, split[ i ] ); rc = spf_check_host( s, split[ i ] ); switch ( rc ) { case SPF_RESULT_NONE: ret = SPF_RESULT_PERMERROR; goto cleanup; case SPF_RESULT_PASS: ret = qualifier; goto cleanup; case SPF_RESULT_TEMPERROR: case SPF_RESULT_PERMERROR: ret = rc; goto cleanup; } /* RFC 7208 5.3 "a" */ } else if (( strcasecmp( split[ i ], "a" ) == 0 ) || ( strncasecmp( split[ i ], "a:", 2 ) == 0 ) || ( strncasecmp( split[ i ], "a/", 2 ) == 0 )) { s->spf_queries++; yaslrange( split[ i ], 1, -1 ); if (( domain_spec = spf_parse_domainspec_cidr( s, domain, split[ i ], &cidr, &cidr6 )) == NULL ) { /* Macro expansion failed, probably a syntax problem. */ ret = SPF_RESULT_PERMERROR; goto cleanup; } rc = spf_check_a( s, domain, cidr, cidr6, domain_spec ); switch( rc ) { case SPF_RESULT_PASS: simta_debuglog( 2, "SPF %s [%s]: matched a %s/%ld/%ld: %s", s->spf_domain, domain, domain_spec, cidr, cidr6, spf_result_str( qualifier )); yaslfree( domain_spec ); ret = qualifier; goto cleanup; case SPF_RESULT_TEMPERROR: yaslfree( domain_spec ); ret = rc; goto cleanup; default: break; } yaslfree( domain_spec ); /* RFC 7208 5.4 "mx" */ } else if (( strcasecmp( split[ i ], "mx" ) == 0 ) || ( strncasecmp( split[ i ], "mx:", 3 ) == 0 ) || ( strncasecmp( split[ i ], "mx/", 3 ) == 0 )) { s->spf_queries++; mech_queries = 0; yaslrange( split[ i ], 2, -1 ); if (( domain_spec = spf_parse_domainspec_cidr( s, domain, split[ i ], &cidr, &cidr6 )) == NULL ) { /* Macro expansion failed, probably a syntax problem. */ ret = SPF_RESULT_PERMERROR; goto cleanup; } if (( dnsr_res_mech = get_mx( domain_spec )) == NULL ) { syslog( LOG_WARNING, "SPF %s [%s]: MX lookup %s failed", s->spf_domain, domain, domain_spec ); yaslfree( domain_spec ); ret = SPF_RESULT_TEMPERROR; goto cleanup; } for ( j = 0 ; j < dnsr_res_mech->r_ancount ; j++ ) { if ( dnsr_res_mech->r_answer[ j ].rr_type == DNSR_TYPE_MX ) { /* RFC 7208 4.6.4 DNS Lookup Limits * When evaluating the "mx" mechanism, the number of "MX" * resource records queried is included in the overall * limit of 10 mechanisms/modifiers that cause DNS lookups */ s->spf_queries++; rc = spf_check_a( s, domain, cidr, cidr6, dnsr_res_mech->r_answer[ j ].rr_mx.mx_exchange ); switch( rc ) { case SPF_RESULT_PASS: simta_debuglog( 2, "SPF %s [%s]: matched mx %s/%ld/%ld: %s", s->spf_domain, domain, domain_spec, cidr, cidr6, spf_result_str( qualifier )); ret = qualifier; dnsr_free_result( dnsr_res_mech ); yaslfree( domain_spec ); goto cleanup; case SPF_RESULT_PERMERROR: case SPF_RESULT_TEMPERROR: ret = rc; dnsr_free_result( dnsr_res_mech ); yaslfree( domain_spec ); goto cleanup; default: break; } } } dnsr_free_result( dnsr_res_mech ); yaslfree( domain_spec ); /* RFC 7208 5.5 "ptr" (do not use) */ } else if (( strcasecmp( split[ i ], "ptr" ) == 0 ) || ( strncasecmp( split[ i ], "ptr:", 4 ) == 0 )) { s->spf_queries++; mech_queries = 0; if (( dnsr_res_mech = get_ptr( s->spf_sockaddr )) == NULL ) { /* RFC 7208 5.5 "ptr" (do not use ) * If a DNS error occurs while doing the PTR RR lookup, * then this mechanism fails to match. */ continue; } if ( dnsr_res_mech->r_ancount == 0 ) { dnsr_free_result( dnsr_res_mech ); continue; } if ( split[ i ][ 3 ] == ':' ) { domain_spec = yaslnew(( split[ i ] + 4 ), ( yasllen( split[ i ] ) - 4 )); } else { domain_spec = yasldup( domain ); } for ( j = 0 ; j < dnsr_res_mech->r_ancount ; j++ ) { if ( dnsr_res_mech->r_answer[ j ].rr_type != DNSR_TYPE_PTR ) { continue; } /* We only care if it's a pass; like the initial PTR query, * DNS errors are treated as a non-match rather than an error. */ /* RFC 7208 4.6.4 DNS Lookup Limits * the evaluation of each "PTR" record MUST NOT result in * querying more than 10 address records -- either "A" or * "AAAA" resource records. If this limit is exceeded, all * records other than the first 10 MUST be ignored. */ if (( mech_queries++ < 10 ) && ( spf_check_a( s, domain, 32, 128, dnsr_res_mech->r_answer[ j ].rr_dn.dn_name ) == SPF_RESULT_PASS )) { tmp = yaslauto( dnsr_res_mech->r_answer[ j ].rr_dn.dn_name ); while (( yasllen( tmp ) > yasllen( domain_spec )) && ( p = strchr( tmp, '.' ))) { yaslrange( tmp, ( p - tmp + 1 ), -1 ); } rc = strcasecmp( tmp, domain_spec ); yaslfree( tmp ); if ( rc == 0 ) { simta_debuglog( 2, "SPF %s [%s]: matched ptr %s (%s): %s", s->spf_domain, domain, domain_spec, dnsr_res_mech->r_answer[ j ].rr_dn.dn_name, spf_result_str( qualifier )); ret = qualifier; yaslfree( domain_spec ); dnsr_free_result( dnsr_res_mech ); goto cleanup; } } } yaslfree( domain_spec ); dnsr_free_result( dnsr_res_mech ); /* RFC 7208 5.6 "ip4" and "ip6" * These mechanisms test whether <ip> is contained within a given * IP network. */ } else if ( strncasecmp( split[ i ], "ip4:", 4 ) == 0 ) { if ( s->spf_sockaddr->sa_family != AF_INET ) { continue; } yaslrange( split[ i ], 4, -1 ); if (( p = strchr( split[ i ], '/' )) != NULL ) { errno = 0; cidr = strtoul( p + 1, NULL, 10 ); if ( errno ) { syslog( LOG_WARNING, "SPF %s [%s]: failed parsing CIDR mask %s: %m", s->spf_domain, domain, p + 1 ); ret = SPF_RESULT_PERMERROR; goto cleanup; } if ( cidr > 32 ) { syslog( LOG_WARNING, "SPF %s [%s]: invalid CIDR mask: %ld", s->spf_domain, domain, cidr ); ret = SPF_RESULT_PERMERROR; goto cleanup; } yaslrange( split[ i ], 0, p - split[ i ] - 1 ); } else { cidr = 32; } if (( rc = simta_cidr_compare( cidr, s->spf_sockaddr, NULL, split[ i ] )) < 0 ) { syslog( LOG_WARNING, "SPF %s [%s]: simta_cidr_compare failed for %s", s->spf_domain, domain, split[ i ] ); ret = SPF_RESULT_PERMERROR; goto cleanup; } else if ( rc == 0 ) { simta_debuglog( 2, "SPF %s [%s]: matched ip4 %s/%ld: %s", s->spf_domain, domain, split[ i ], cidr, spf_result_str( qualifier )); ret = qualifier; goto cleanup; } } else if ( strncasecmp( split[ i ], "ip6:", 4 ) == 0 ) { if ( s->spf_sockaddr->sa_family != AF_INET6 ) { continue; } yaslrange( split[ i ], 4, -1 ); if (( p = strchr( split[ i ], '/' )) != NULL ) { errno = 0; cidr = strtoul( p + 1, NULL, 10 ); if ( errno ) { syslog( LOG_WARNING, "SPF %s [%s]: failed parsing CIDR mask %s: %m", s->spf_domain, domain, p + 1 ); } if ( cidr > 128 ) { syslog( LOG_WARNING, "SPF %s [%s]: invalid CIDR mask: %ld", s->spf_domain, domain, cidr ); ret = SPF_RESULT_PERMERROR; goto cleanup; } yaslrange( split[ i ], 0, p - split[ i ] - 1 ); } else { cidr = 128; } if (( rc = simta_cidr_compare( cidr, s->spf_sockaddr, NULL, split[ i ] )) < 0 ) { syslog( LOG_WARNING, "SPF %s [%s]: simta_cidr_compare failed for %s", s->spf_domain, domain, split[ i ] ); ret = SPF_RESULT_PERMERROR; goto cleanup; } else if ( rc == 0 ) { simta_debuglog( 2, "SPF %s [%s]: matched ip6 %s/%ld: %s", s->spf_domain, domain, split[ i ], cidr, spf_result_str( qualifier )); ret = qualifier; goto cleanup; } /* RFC 7208 5.7 "exists" */ } else if ( strncasecmp( split[ i ], "exists:", 7 ) == 0 ) { s->spf_queries++; yaslrange( split[ i ], 7, -1 ); if (( domain_spec = spf_macro_expand( s, domain, split[ i ] )) == NULL ) { /* Macro expansion failed, probably a syntax problem. */ ret = SPF_RESULT_PERMERROR; goto cleanup; } if (( dnsr_res_mech = get_a( domain_spec )) == NULL ) { syslog( LOG_WARNING, "SPF %s [%s]: A lookup %s failed", s->spf_domain, domain, domain_spec ); yaslfree( domain_spec ); ret = SPF_RESULT_TEMPERROR; goto cleanup; } if ( dnsr_res_mech->r_ancount > 0 ) { simta_debuglog( 2, "SPF %s [%s]: matched exists %s: %s", s->spf_domain, domain, domain_spec, spf_result_str( qualifier )); dnsr_free_result( dnsr_res_mech ); yaslfree( domain_spec ); ret = qualifier; goto cleanup; } yaslfree( domain_spec ); dnsr_free_result( dnsr_res_mech ); } else { for ( p = split[ i ] ; isalnum( *p ) ; p++ ); if ( *p == '=' ) { /* RFC 7208 6 Modifier Definitions * Unrecognized modifiers MUST be ignored */ simta_debuglog( 1, "SPF %s [%s]: %s unknown modifier %s", s->spf_domain, domain, spf_result_str( qualifier ), split[ i ] ); } else { syslog( LOG_WARNING, "SPF %s [%s]: %s unknown mechanism %s", s->spf_domain, domain, spf_result_str( qualifier ), split[ i ] ); ret = SPF_RESULT_PERMERROR; goto cleanup; } } } if ( redirect != NULL ) { if (( domain_spec = spf_macro_expand( s, domain, redirect )) == NULL ) { /* Macro expansion failed, probably a syntax problem. */ ret = SPF_RESULT_PERMERROR; } else { ret = spf_check_host( s, domain_spec ); yaslfree( domain_spec ); } if ( ret == SPF_RESULT_NONE ) { ret = SPF_RESULT_PERMERROR; } } else { /* RFC 7208 4.7 Default Result * If none of the mechanisms match and there is no "redirect" modifier, * then the check_host() returns a result of "neutral", just as if * "?all" were specified as the last directive. */ ret = SPF_RESULT_NEUTRAL; simta_debuglog( 2, "SPF %s [%s]: default result: %s", s->spf_domain, domain, spf_result_str( ret )); } cleanup: if ( split != NULL ) { yaslfreesplitres( split, tok_count ); } yaslfree( record ); dnsr_free_result( dnsr_res ); return( ret ); }
static int simalias_create( void ) { int linenum = 0, i; int state = ALIAS_WHITE; char rawline[ MAXPATHLEN ]; yastr line, key, value; char *p; #ifdef HAVE_LMDB int rc; struct simta_dbh *dbh = NULL; #endif /* HAVE_LMDB */ unlink( output ); #ifdef HAVE_LMDB if (( rc = simta_db_new( &dbh, output )) != 0 ) { fprintf( stderr, "simta_db_new: %s: %s\n", output, simta_db_strerror( rc )); return( 1 ); } #else /* HAVE_LMDB */ fprintf( stderr, "Compiled without DB support, data will not be saved.\n" ); #endif /* HAVE_LMDB */ line = yaslempty( ); key = yaslempty( ); value = yaslempty( ); while ( fgets( rawline, MAXPATHLEN, finput ) != NULL ) { linenum++; line = yaslcpy( line, rawline ); yasltrim( line, " \f\n\r\t\v" ); /* Blank line or comment */ if (( *line == '\0' ) || ( *line == '#' )) { continue; } yasltolower( line ); line = yaslcatlen( line, "\n", 1 ); if ( isspace( *rawline )) { if ( state == ALIAS_WHITE ) { /* How unexpected. */ fprintf( stderr, "%s line %d: Unexpected continuation line.\n", input, linenum ); state = ALIAS_CONT; } } else if ( state == ALIAS_CONT ) { fprintf( stderr, "%s line %d: Expected a continuation line.\n", input, linenum ); state = ALIAS_WHITE; } if ( state == ALIAS_WHITE ) { if (( p = strchr( line, ':' )) != NULL ) { key = yaslcpylen( key, line, (size_t) ( p - line )); yaslrange( line, p - line + 1, -1 ); if ( strncmp( key, "owner-", 6 ) == 0 ) { /* Canonicalise sendmail-style owner */ if ( verbose ) { fprintf ( stderr, "%s line %d: noncanonical owner %s " "will be made canonical\n", input, linenum, key ); } yaslrange( key, 6, -1 ); key = yaslcat( key, "-errors" ); } else if ((( p = strrchr( key, '-' )) != NULL ) && (( strcmp( p, "-owner" ) == 0 ) || ( strcmp( p, "-owners" ) == 0 ) || ( strcmp( p, "-error" ) == 0 ) || ( strcmp( p, "-request" ) == 0 ) || ( strcmp( p, "-requests" ) == 0 ))) { /* Canonicalise simta-style owner */ if ( verbose ) { fprintf ( stderr, "%s line %d: noncanonical owner %s " "will be made canonical\n", input, linenum, key ); } yaslrange( key, 0, p - key ); key = yaslcat( key, "-errors" ); } } else { fprintf( stderr, "%s line %d: Expected a colon somewhere. Skipping.\n", input, linenum ); continue; } } else { state = ALIAS_WHITE; } i = 0; yaslclear( value ); for ( p = line ; *p != '\0' ; p++ ) { if ( *p == '"' ) { if ( i > 0 && ( value[ i - 1 ] == '\\' )) { value[ i - 1 ] = '"'; } else if ( state == ALIAS_QUOTE ) { state = ALIAS_WHITE; if ( *value == '\0' ) { fprintf( stderr, "%s line %d: Empty quoted value.\n", input, linenum ); } } else if ( state == ALIAS_WORD ) { fprintf( stderr, "%s line %d: Unexpected quote.\n", input, linenum ); } else { state = ALIAS_QUOTE; } } else if ( *p == ',' ) { switch ( state ) { case ALIAS_QUOTE: value = yaslcatlen( value, p, 1 ); break; case ALIAS_CONT: fprintf( stderr, "%s line %d: Empty list element.\n", input, linenum ); break; default : state = ALIAS_CONT; } } else if ( isspace( *p )) { switch ( state ) { case ALIAS_QUOTE: value = yaslcatlen( value, p, 1 ); break; case ALIAS_WORD : state = ALIAS_WHITE; break; default : break; } } else { if ( state == ALIAS_WHITE || state == ALIAS_CONT ) { state = ALIAS_WORD; } value = yaslcatlen( value, p, 1 ); } if ( *value != '\0' && ( state == ALIAS_WHITE || state == ALIAS_CONT )) { /* Check for known but unsupported syntax */ if ( *value == '/' ) { /* We have special support for nullrouting, so that's OK. */ if ( strcmp( value, "/dev/null" ) != 0 ) { fprintf( stderr, "%s line %d: Unsupported: delivery to file\n", input, linenum ); } } else if ( *value == '|' ) { fprintf( stderr, "%s line %d: Unsupported: delivery to pipe\n", input, linenum ); } else if ( strncmp( value, ":include:", 9 ) == 0 ) { fprintf( stderr, "%s line %d: Unsupported: file include\n", input, linenum ); #ifdef HAVE_LMDB } else if (( rc = simta_db_put( dbh, key, value )) != 0 ) { fprintf( stderr, "simta_db_put: %s: %s\n", input, simta_db_strerror( rc )); return( 1 ); #endif /* HAVE_LMDB */ } else if ( verbose ) { printf( "%s line %d: Added %s -> %s\n", input, linenum, key, value ); } yaslclear( value ); i = 0; } } } #ifdef HAVE_LMDB simta_db_close( dbh ); if ( verbose ) printf( "%s: created\n", output ); #else /* HAVE_LMDB */ if ( verbose ) printf( "%s: not created\n", output ); #endif /* HAVE_LMDB */ yaslfree( line ); yaslfree( key ); yaslfree( value ); return( 0 ); }