CAMLprim value caml_spf_request_free(value req_val) { CAMLparam1(req_val); SPF_request_t *req = (SPF_request_t *)req_val; SPF_request_free(req); CAMLreturn(Val_unit); }
int main() { int spf; char *me, *remote, *helo, *sender, *spf_env; const char *header; SPF_server_t *spf_server; SPF_request_t *spf_request; SPF_response_t *spf_response; /** * env variables **/ if (getenv("RELAYCLIENT") || /* known user */ !(spf_env = getenv("SPF"))) return 0; /* plugin disabled */ spf = atoi(spf_env); if (spf < 1 || spf > 6) { if (spf > 6) fprintf(stderr, "spf: ERROR: invalid value (%d) of SPF variable\n", spf); return 0; } remote = getenv("TCPREMOTEIP"); me = getenv("TCPLOCALHOST"); if (!me) me = getenv("TCPLOCALIP"); if (!remote || !me) { /* should never happen */ fprintf(stderr, "spf: ERROR: can't get tcpserver variables\n"); if(!remote) fprintf(stderr, "spf: can't read TCPREMOTEIP\n"); else fprintf(stderr, "spf: can't read TCPLOCALHOST nor TCPLOCALIP\n"); return 0; } sender = getenv("SMTPMAILFROM"); if (!sender) { /* should never happen */ fprintf(stderr, "spf: ERROR: can't get envelope sender address\n"); fprintf(stderr, "spf: can't read SMTPMAILFROM\n"); return 0; } if (!*sender) return 0; /* null sender mail */ helo = getenv("SMTPHELOHOST"); /** * SPF **/ spf_server = SPF_server_new(SPF_DNS_CACHE, 0); if (!spf_server) { fprintf(stderr, "spf: ERROR: can't initialize libspf2\n"); return 0; } spf_request = SPF_request_new(spf_server); if (!spf_request) { fprintf(stderr, "spf: ERROR: can't initialize libspf2\n"); return 0; } if (SPF_request_set_ipv4_str(spf_request, remote)) { fprintf(stderr, "spf: can't parse TCPREMOTEIP\n"); return 0; } SPF_server_set_rec_dom(spf_server, me); if (helo) SPF_request_set_helo_dom(spf_request, helo); SPF_request_set_env_from(spf_request, sender); /* Perform actual lookup */ SPF_request_query_mailfrom(spf_request, &spf_response); /* check whether mail needn`t to be blocked */ switch (SPF_response_result(spf_response)) { case SPF_RESULT_PASS: break; case SPF_RESULT_FAIL: if (spf > 0) { block(spf_response); return 0; } break; case SPF_RESULT_SOFTFAIL: if (spf > 1) { block(spf_response); return 0; } break; case SPF_RESULT_NEUTRAL: if (spf > 2) { block(spf_response); return 0; } break; case SPF_RESULT_NONE: if (spf > 3) { block(spf_response); return 0; } break; case SPF_RESULT_TEMPERROR: case SPF_RESULT_PERMERROR: if (spf > 4) { block(spf_response); return 0; } break; #if 0 case SPF_RESULT_UNKNOWN: if (spf > 5) { block(spf_response); return 0; } break; case SPF_RESULT_UNMECH: break; #else // FIXME: UNKNOWN and UNMECH above map how? // INVALID should not ever occur, it indicates a bug. case SPF_RESULT_INVALID: if (spf > 5) { block(spf_response); return 0; } break; #endif } /* add header */ header = SPF_response_get_received_spf(spf_response); if (header) printf("H%s\n", header); else { fprintf(stderr, "spf: libspf2 library failed to produce Received-SPF header\n", SPF_strerror(SPF_response_errcode(spf_response))); /* Example taken from libspf2: */ /* fprintf ( stderr, "spf: diag: result = %s (%d)\n", SPF_strresult(SPF_response_result(spf_response)), SPF_response_result(spf_response)); fprintf ( stderr, "spf: diag: err = %s (%d)\n", SPF_strerror(SPF_response_errcode(spf_response)), SPF_response_errcode(spf_response)); for (i = 0; i < SPF_response_messages(spf_response); i++) { SPF_error_t *err = SPF_response_message(spf_response, i); fprintf ( stderr, "spf: diag: %s_msg = (%d) %s\n", (SPF_error_errorp(err) ? "warn" : "err"), SPF_error_code(err), SPF_error_message(err)); } */ } SPF_response_free(spf_response); SPF_request_free(spf_request); SPF_server_free(spf_server); return 0; }
static int verify_data(spctx_t* ctx) { char ebuf[256]; int n; SPF_request_t *spf_request = NULL; char * xforwardaddr = NULL; char * xforwardhelo = NULL; if(spf_server == NULL) { /* redirect errors */ SPF_error_handler = SPF_error_syslog; SPF_warning_handler = SPF_warning_syslog; SPF_info_handler = SPF_info_syslog; SPF_debug_handler = SPF_debug_syslog; spf_server = SPF_server_new(SPF_DNS_CACHE, 1); if (spf_server == NULL) return -1; } /* trim string */ if(ctx->xforwardaddr) xforwardaddr = trim_space(ctx->xforwardaddr); if(ctx->xforwardhelo) xforwardhelo = trim_space(ctx->xforwardhelo); sp_messagex(ctx, LOG_DEBUG, "New connection: ADDR %s - MAIL FROM %s - XF-ADDR %s - XF-HELO %s", ctx->client.peername, ctx->sender, xforwardaddr, xforwardhelo); spf_request = SPF_request_new(spf_server); if( xforwardaddr ) SPF_request_set_ipv4_str( spf_request, xforwardaddr ); else if ( ctx->client.peername ) SPF_request_set_ipv4_str( spf_request, ctx->client.peername ); if( xforwardhelo ) SPF_request_set_helo_dom( spf_request, xforwardhelo ); if( ctx->sender ) SPF_request_set_env_from( spf_request, ctx->sender ); SPF_response_t *spf_response = NULL; SPF_request_query_mailfrom(spf_request, &spf_response); char hostname[100]; strncpy(hostname, SPF_request_get_rec_dom(spf_request), 99); char *result_spf = NULL; switch(SPF_response_result(spf_response)) { case SPF_RESULT_NONE: sp_messagex(ctx, LOG_DEBUG, "No SPF policy found for %s", ctx->sender); result_spf = "none"; break; case SPF_RESULT_NEUTRAL: result_spf = "neutral"; sp_messagex(ctx, LOG_DEBUG, "SPF: NEUTRAL for %s", ctx->sender); break; case SPF_RESULT_SOFTFAIL: result_spf = "softfail"; sp_messagex(ctx, LOG_DEBUG, "SPF: SOFTFAIL for %s", ctx->sender); break; case SPF_RESULT_PASS: result_spf = "pass"; sp_messagex(ctx, LOG_DEBUG, "SPF: PASS for %s", ctx->sender); break; case SPF_RESULT_FAIL: buffer_reject_message("550 SPF Reject", ebuf, sizeof(ebuf)); buffer_reject_message(SPF_response_get_smtp_comment(spf_response), ebuf, sizeof(ebuf)); final_reject_message(ebuf, sizeof(ebuf)); sp_messagex(ctx, LOG_DEBUG, "SPF FAIL for %s, ignore message", ctx->sender); SPF_response_free(spf_response); SPF_request_free(spf_request); if(sp_fail_data(ctx, ebuf) == -1) return -1; else return 0; break; case SPF_RESULT_TEMPERROR: case SPF_RESULT_PERMERROR: case SPF_RESULT_INVALID: buffer_reject_message("450 temporary failure", ebuf, sizeof(ebuf)); final_reject_message(ebuf, sizeof(ebuf)); sp_messagex(ctx, LOG_DEBUG, "TEMP ERROR or INVALID RECORD in SPF for %s", ctx->sender); SPF_response_free(spf_response); SPF_request_free(spf_request); if(sp_fail_data(ctx, ebuf) == -1) return -1; else return 0; break; }; char auth_result_spf[1025]; snprintf(auth_result_spf, 1024, "spf=%s smtp.mailfrom=%s", result_spf, ctx->sender); SPF_response_free(spf_response); SPF_request_free(spf_request); /* Tell client to start sending data */ if(sp_start_data (ctx) < 0) return -1; /* Message already printed */ /* Setup DKIM verifier */ DKIMContext ctxt; DKIMVerifyOptions vopts = {0}; vopts.nCheckPractices = 1; vopts.pfnSelectorCallback = NULL; //SelectorCallback; n = DKIMVerifyInit( &ctxt, &vopts ); /* Read data into verifier */ int len = -1; const char *buffer = 0; do { len = sp_read_data(ctx, &buffer); if(len == -1) return -1; if(len > 0) { DKIMVerifyProcess( &ctxt, buffer, len ); sp_write_data( ctx, buffer, len ); } } while(len > 0); sp_write_data( ctx, NULL, 0 ); /* Verify DKIM */ n = DKIMVerifyResults( &ctxt ); /* Get verification details */ int nSigCount = 0; DKIMVerifyDetails* pDetails; char szPolicy[512]; DKIMVerifyGetDetails(&ctxt, &nSigCount, &pDetails, szPolicy ); /* Proxy based on verification results */ char auth_result_dkim[1025]; if(nSigCount == 0) { sp_messagex(ctx, LOG_DEBUG, "No DKIM signature, passthrough"); snprintf(auth_result_dkim, 1024, "dkim=none"); } else if (n == DKIM_SUCCESS || n == DKIM_PARTIAL_SUCCESS) { sp_messagex(ctx, LOG_DEBUG, "DKIM verification: Success, adding header information"); int strpos = 0; int i=0; for(; i<nSigCount; ++i) { snprintf(&auth_result_dkim[strpos], 1024 - strpos, "%sdkim=%s header.d=%s", (i>0 ? ";\n" : ""), (pDetails[i].nResult == DKIM_SUCCESS ? "pass" : "fail"), pDetails[i].szSignatureDomain); strpos = strlen(auth_result_dkim); } } else { sp_messagex(ctx, LOG_DEBUG, "DKIM verification: Failed, report error and ignore message."); buffer_reject_message("550 DKIM Signature failed verification (http://www.dkim.org/info/dkim-faq.html)", ebuf, sizeof(ebuf)); final_reject_message(ebuf, sizeof(ebuf)); DKIMVerifyFree( &ctxt ); if(sp_fail_data(ctx, ebuf) == -1) return -1; else return 0; } DKIMVerifyFree( &ctxt ); char auth_results_header[1025]; snprintf(auth_results_header, 1024, "Authentication-Results: %s;\n %s;\n %s;", hostname, auth_result_spf, auth_result_dkim); if( sp_done_data(ctx, auth_results_header) == -1) return -1; return 0; }
int spfc(thread_pool_t *info, thread_ctx_t *thread_ctx, edict_t *edict) { struct timespec ts, start, now, timeleft; chkresult_t *result; grey_tuple_t *request; SPF_server_t *spf_server = NULL; SPF_request_t *spf_request = NULL; SPF_response_t *spf_response = NULL; SPF_response_t *spf_response_2mx = NULL; const char *smtp_error; int ret; logstr(GLOG_DEBUG, "spfc called"); request = (grey_tuple_t *)edict->job; assert(request); result = (chkresult_t *)Malloc(sizeof(chkresult_t)); memset(result, 0, sizeof(*result)); result->judgment = J_UNDEFINED; result->checkname = "spf"; /* initialize if we are not yet initialized */ if (NULL == thread_ctx->state) { /* Initialize */ spf_server = SPF_server_new(SPF_DNS_CACHE, SPF_DEBUG_LEVEL); if (NULL == spf_server) { logstr(GLOG_ERROR, "SPF_server_new failed"); goto FINISH; } thread_ctx->state = spf_server; thread_ctx->cleanup = &cleanup_spfc; } else { spf_server = (SPF_server_t *) thread_ctx->state; } /* Now we are ready to query */ ret = SPF_server_set_explanation(spf_server, "Please see http://www.openspf.org/Why?id=%{S}&ip=%{C}", &spf_response); if (ret) logstr(GLOG_ERROR, "SPF: setting explanation failed"); spf_request = SPF_request_new(spf_server); ret = SPF_request_set_ipv4_str(spf_request, request->client_address); if (ret) { logstr(GLOG_ERROR, "invalid IP address %s", request->client_address); goto CLEANUP; } if (request->helo_name) { ret = SPF_request_set_helo_dom(spf_request, request->helo_name); if (ret) { logstr(GLOG_ERROR, "invalid HELO domain: %s.", request->helo_name); goto CLEANUP; } } ret = SPF_request_set_env_from(spf_request, request->sender); if (ret) { logstr(GLOG_ERROR, "invalid envelope sender address %s", request->sender); goto CLEANUP; } ret = SPF_request_query_mailfrom(spf_request, &spf_response); switch (ret) { case SPF_E_SUCCESS: case SPF_E_NOT_SPF: break; default: logstr(GLOG_ERROR, "spf: sender based query failed: %s", SPF_strerror(ret)); goto CLEANUP; } /* XXX: do we need 2mx checks? */ ret = SPF_response_result(spf_response); switch (ret) { case SPF_RESULT_FAIL: result->judgment = J_BLOCK; logstr(GLOG_DEBUG, "SPF: fail"); smtp_error = SPF_response_get_smtp_comment(spf_response); if (smtp_error) result->reason = strdup(smtp_error); else result->reason = strdup("SPF: policy violation: (no message available)"); break; case SPF_RESULT_SOFTFAIL: result->judgment = J_SUSPICIOUS; logstr(GLOG_DEBUG, "SPF softfail"); result->weight = 1; /* FIXME: configurable */ break; case SPF_RESULT_PASS: result->judgment = J_UNDEFINED; logstr(GLOG_DEBUG, "SPF: pass"); break; case SPF_RESULT_NEUTRAL: result->judgment = J_UNDEFINED; logstr(GLOG_DEBUG, "SPF: neutral"); break; case SPF_RESULT_NONE: result->judgment = J_UNDEFINED; logstr(GLOG_DEBUG, "SPF: no record"); break; default: logstr(GLOG_DEBUG, "Unexpected SPF result (%d)", ret); } CLEANUP: if (spf_request) SPF_request_free(spf_request); if (spf_response) SPF_response_free(spf_response); FINISH: send_result(edict, result); logstr(GLOG_DEBUG, "spfc returning"); request_unlink(request); return 0; }
static int spf(milter_stage_t stage, char *name, var_t *attrs) { SPF_request_t *req = NULL; SPF_response_t *res = NULL; SPF_response_t *res_2mx = NULL; char *helo; char *envfrom; char from[321]; char *envrcpt; char rcpt[321]; char *spfstr; char *spfreason; struct sockaddr_storage *ss; struct sockaddr_in *sin; struct sockaddr_in6 *sin6; int r; if (acl_symbol_dereference(attrs, "hostaddr", &ss, "envfrom", &envfrom, "envrcpt", &envrcpt, "helo", &helo, NULL)) { log_error("spf: acl_symbol_dereference failed"); goto error; } sin = (struct sockaddr_in *) ss; sin6 = (struct sockaddr_in6 *) ss; if (util_strmail(from, sizeof from, envfrom) == -1 || util_strmail(rcpt, sizeof rcpt, envrcpt) == -1) { log_error("spf: util_strmail failed"); goto error; } req = SPF_request_new(spf_server); if (req == NULL) { log_error("spf: SPF_request_new failed"); goto error; } /* * Set client address */ if (ss->ss_family == AF_INET6) { r = SPF_request_set_ipv6(req, sin6->sin6_addr); } else { r = SPF_request_set_ipv4(req, sin->sin_addr); } if (r) { log_error("spf: SPF_request_set_ip failed"); goto error; } /* * Set helo */ r = SPF_request_set_helo_dom(req, helo); if (r) { log_error("spf: SPF_request_set_helo_dom failed"); goto error; } /* * Set envelope from */ r = SPF_request_set_env_from(req, from); if (r) { log_error("spf_query: SPF_request_set_env_from failed"); goto error; } /* * Perform SPF query */ SPF_request_query_mailfrom(req, &res); if(SPF_response_result(res) == SPF_RESULT_PASS) { goto result; } /* * If SPF fails check if we received the email from a secondary mx. */ SPF_request_query_rcptto(req, &res_2mx, rcpt); if(SPF_response_result(res_2mx) != SPF_RESULT_PASS) { goto result; } /* * Secondary mx */ log_notice("spf: \"%s\" is a secodary mx for \"%s\"", helo, rcpt); goto exit; result: spfstr = (char *) SPF_strresult(SPF_response_result(res)); if (spfstr == NULL) { log_error("spf: SPF_strresult failed"); goto error; } spfreason = (char *) SPF_strreason(SPF_response_result(res)); if (spfreason == NULL) { log_error("spf: SPF_strreason failed"); goto error; } log_message(LOG_ERR, attrs, "spf: helo=%s from=%s spf=%s", helo, from, spfstr); if (vtable_setv(attrs, VT_STRING, "spf", spfstr, VF_KEEP, VT_STRING, "spf_reason", spfreason, VF_KEEP, VT_NULL)) { log_error("spf: vtable_setv failed"); goto error; } exit: SPF_request_free(req); SPF_response_free(res); if(res_2mx) { SPF_response_free(res_2mx); } return 0; error: if(req) { SPF_request_free(req); } if(res) { SPF_response_free(res); } if(res_2mx) { SPF_response_free(res_2mx); } return -1; }