int
spf_process(const uschar **listptr, uschar *spf_envelope_sender, int action)
{
int sep = 0;
const uschar *list = *listptr;
uschar *spf_result_id;
int rc = SPF_RESULT_PERMERROR;
if (!(spf_server && spf_request))
/* no global context, assume temp error and skip to evaluation */
rc = SPF_RESULT_PERMERROR;
else if (SPF_request_set_env_from(spf_request, CS spf_envelope_sender))
/* Invalid sender address. This should be a real rare occurrence */
rc = SPF_RESULT_PERMERROR;
else
{
/* get SPF result */
if (action == SPF_PROCESS_FALLBACK)
{
SPF_request_query_fallback(spf_request, &spf_response, CS spf_guess);
spf_result_guessed = TRUE;
}
else
SPF_request_query_mailfrom(spf_request, &spf_response);
/* set up expansion items */
spf_header_comment = US SPF_response_get_header_comment(spf_response);
spf_received = US SPF_response_get_received_spf(spf_response);
spf_result = US SPF_strresult(SPF_response_result(spf_response));
spf_smtp_comment = US SPF_response_get_smtp_comment(spf_response);
rc = SPF_response_result(spf_response);
}
/* We got a result. Now see if we should return OK or FAIL for it */
DEBUG(D_acl) debug_printf("SPF result is %s (%d)\n", SPF_strresult(rc), rc);
if (action == SPF_PROCESS_GUESS && (!strcmp (SPF_strresult(rc), "none")))
return spf_process(listptr, spf_envelope_sender, SPF_PROCESS_FALLBACK);
while ((spf_result_id = string_nextinlist(&list, &sep, NULL, 0)))
{
BOOL negate, result;
if ((negate = spf_result_id[0] == '!'))
spf_result_id++;
result = Ustrcmp(spf_result_id, spf_result_id_list[rc].name) == 0;
if (negate != result) return OK;
}
/* no match */
return FAIL;
}
CAMLprim value
caml_spf_request_query_mailfrom(value req_val)
{
CAMLparam1(req_val);
CAMLlocal3(ret, cmt, res);
const char *s;
SPF_request_t *req = (SPF_request_t *)req_val;
SPF_response_t *resp;
SPF_result_t result;
caml_enter_blocking_section();
SPF_request_query_mailfrom(req, &resp);
caml_leave_blocking_section();
ret = caml_alloc(5, 0);
result = SPF_response_result(resp);
res = caml_alloc(1, tag_of_result(result));
switch (result) {
case SPF_RESULT_FAIL:
case SPF_RESULT_SOFTFAIL:
case SPF_RESULT_NEUTRAL:
cmt = caml_alloc(2, 0);
Store_field(cmt, 0,
caml_copy_string(SPF_response_get_smtp_comment(resp)));
Store_field(cmt, 1,
caml_copy_string(SPF_response_get_explanation(resp)));
res = caml_alloc(1, tag_of_result(result));
Store_field(res, 0, cmt);
Store_field(ret, 0, res);
break;
case SPF_RESULT_INVALID:
case SPF_RESULT_PASS:
case SPF_RESULT_TEMPERROR:
case SPF_RESULT_PERMERROR:
case SPF_RESULT_NONE:
Store_field(ret, 0, Val_int(tag_of_result(result)));
break;
}
Store_field(ret, 1, Val_int(SPF_response_reason(resp)));
/* For buggy libspf2 - avoid a segfault */
#define BUG_HEADER_COMMENT "internal error"
#define BUG_RECEIVED_SPF_VALUE "none (" BUG_HEADER_COMMENT ")"
#define BUG_RECEIVED_SPF "Received-SPF: " BUG_RECEIVED_SPF_VALUE
s = SPF_response_get_received_spf(resp);
Store_field(ret, 2, caml_copy_string(s ? s : BUG_RECEIVED_SPF));
s = SPF_response_get_received_spf_value(resp);
Store_field(ret, 3, caml_copy_string(s ? s : BUG_RECEIVED_SPF_VALUE));
s = SPF_response_get_header_comment(resp);
Store_field(ret, 4, caml_copy_string(s ? s : BUG_HEADER_COMMENT));
SPF_response_free(resp);
CAMLreturn(ret);
}
static VALUE
t_query (VALUE self, VALUE map)
{
int retcode = SPF_RESULT_PASS;
SPF_server_t *spf_server = NULL;
SPF_request_t *spf_request = NULL;
SPF_response_t *spf_response = NULL;
SPF_response_t *spf_response_2mx = NULL;
char * ip = STR2CSTR (rb_hash_aref (map,rb_str_new2 ("client_address")));
char * helo = STR2CSTR (rb_hash_aref (map,rb_str_new2 ("helo_name")));
char * sender = STR2CSTR (rb_hash_aref (map,rb_str_new2 ("sender")));
char * recipient = STR2CSTR (rb_hash_aref (map,rb_str_new2 ("recipient")));
spf_server = SPF_server_new (SPF_DNS_CACHE, 0);
if (spf_server == NULL) rb_raise (rb_eRuntimeError, "can't initialize SPF library");
spf_request = SPF_request_new (spf_server);
if (SPF_request_set_ipv4_str (spf_request, ip)) rb_raise (rb_eTypeError, "error, invalid IP address");
if (SPF_request_set_helo_dom (spf_request, helo)) rb_raise (rb_eTypeError, "error, invalid helo domain");
if (SPF_request_set_env_from (spf_request, sender)) rb_raise (rb_eTypeError, "error, invalid envelope from address");
SPF_request_query_mailfrom (spf_request, &spf_response);
if (SPF_response_result (spf_response) != SPF_RESULT_PASS)
{
SPF_request_query_rcptto (spf_request, &spf_response_2mx, recipient);
if (SPF_response_result (spf_response_2mx) == SPF_RESULT_PASS)
{
return INT2NUM(SPF_RESULT_PASS);
}
retcode = SPF_response_result (spf_response);
}
SPF_server_free(spf_server);
return INT2NUM(retcode);
}
static void
response_print(const char *context, SPF_response_t *spf_response)
{
syslog(LOG_DEBUG,"--vv--\n");
syslog(LOG_DEBUG,"Context: %s\n", context);
if (spf_response == NULL) {
syslog(LOG_DEBUG, "NULL RESPONSE!\n");
}
else {
syslog(LOG_DEBUG, "Response result: %s\n",
SPF_strresult(SPF_response_result(spf_response)));
syslog(LOG_DEBUG, "Response reason: %s\n",
SPF_strreason(SPF_response_reason(spf_response)));
syslog(LOG_DEBUG, "Response err: %s\n",
SPF_strerror(SPF_response_errcode(spf_response)));
response_print_errors(NULL, spf_response,
SPF_response_errcode(spf_response));
}
syslog(LOG_DEBUG,"--^^--\n");
}
int main()
{
int spf;
char *me, *remote, *helo, *sender, *spf_env;
const char *header;
SPF_server_t *spf_server;
SPF_request_t *spf_request;
SPF_response_t *spf_response;
/**
* env variables
**/
if (getenv("RELAYCLIENT") || /* known user */
!(spf_env = getenv("SPF"))) return 0; /* plugin disabled */
spf = atoi(spf_env);
if (spf < 1 || spf > 6) {
if (spf > 6)
fprintf(stderr, "spf: ERROR: invalid value (%d) of SPF variable\n", spf);
return 0;
}
remote = getenv("TCPREMOTEIP");
me = getenv("TCPLOCALHOST");
if (!me) me = getenv("TCPLOCALIP");
if (!remote || !me) { /* should never happen */
fprintf(stderr, "spf: ERROR: can't get tcpserver variables\n");
if(!remote) fprintf(stderr, "spf: can't read TCPREMOTEIP\n");
else fprintf(stderr, "spf: can't read TCPLOCALHOST nor TCPLOCALIP\n");
return 0;
}
sender = getenv("SMTPMAILFROM");
if (!sender) { /* should never happen */
fprintf(stderr, "spf: ERROR: can't get envelope sender address\n");
fprintf(stderr, "spf: can't read SMTPMAILFROM\n");
return 0;
}
if (!*sender) return 0; /* null sender mail */
helo = getenv("SMTPHELOHOST");
/**
* SPF
**/
spf_server = SPF_server_new(SPF_DNS_CACHE, 0);
if (!spf_server) {
fprintf(stderr, "spf: ERROR: can't initialize libspf2\n");
return 0;
}
spf_request = SPF_request_new(spf_server);
if (!spf_request) {
fprintf(stderr, "spf: ERROR: can't initialize libspf2\n");
return 0;
}
if (SPF_request_set_ipv4_str(spf_request, remote)) {
fprintf(stderr, "spf: can't parse TCPREMOTEIP\n");
return 0;
}
SPF_server_set_rec_dom(spf_server, me);
if (helo) SPF_request_set_helo_dom(spf_request, helo);
SPF_request_set_env_from(spf_request, sender);
/* Perform actual lookup */
SPF_request_query_mailfrom(spf_request, &spf_response);
/* check whether mail needn`t to be blocked */
switch (SPF_response_result(spf_response)) {
case SPF_RESULT_PASS: break;
case SPF_RESULT_FAIL: if (spf > 0) { block(spf_response); return 0; } break;
case SPF_RESULT_SOFTFAIL: if (spf > 1) { block(spf_response); return 0; } break;
case SPF_RESULT_NEUTRAL: if (spf > 2) { block(spf_response); return 0; } break;
case SPF_RESULT_NONE: if (spf > 3) { block(spf_response); return 0; } break;
case SPF_RESULT_TEMPERROR:
case SPF_RESULT_PERMERROR: if (spf > 4) { block(spf_response); return 0; } break;
#if 0
case SPF_RESULT_UNKNOWN: if (spf > 5) { block(spf_response); return 0; } break;
case SPF_RESULT_UNMECH: break;
#else
// FIXME: UNKNOWN and UNMECH above map how?
// INVALID should not ever occur, it indicates a bug.
case SPF_RESULT_INVALID: if (spf > 5) { block(spf_response); return 0; } break;
#endif
}
/* add header */
header = SPF_response_get_received_spf(spf_response);
if (header)
printf("H%s\n", header);
else {
fprintf(stderr, "spf: libspf2 library failed to produce Received-SPF header\n",
SPF_strerror(SPF_response_errcode(spf_response)));
/* Example taken from libspf2: */
/*
fprintf ( stderr, "spf: diag: result = %s (%d)\n",
SPF_strresult(SPF_response_result(spf_response)),
SPF_response_result(spf_response));
fprintf ( stderr, "spf: diag: err = %s (%d)\n",
SPF_strerror(SPF_response_errcode(spf_response)),
SPF_response_errcode(spf_response));
for (i = 0; i < SPF_response_messages(spf_response); i++) {
SPF_error_t *err = SPF_response_message(spf_response, i);
fprintf ( stderr, "spf: diag: %s_msg = (%d) %s\n",
(SPF_error_errorp(err) ? "warn" : "err"),
SPF_error_code(err),
SPF_error_message(err));
}
*/
}
SPF_response_free(spf_response);
SPF_request_free(spf_request);
SPF_server_free(spf_server);
return 0;
}
int spf_process(uschar **listptr, uschar *spf_envelope_sender, int action) {
int sep = 0;
uschar *list = *listptr;
uschar *spf_result_id;
uschar spf_result_id_buffer[128];
int rc = SPF_RESULT_PERMERROR;
if (!(spf_server && spf_request)) {
/* no global context, assume temp error and skip to evaluation */
rc = SPF_RESULT_PERMERROR;
goto SPF_EVALUATE;
};
if (SPF_request_set_env_from(spf_request, CS spf_envelope_sender)) {
/* Invalid sender address. This should be a real rare occurence */
rc = SPF_RESULT_PERMERROR;
goto SPF_EVALUATE;
}
/* get SPF result */
if (action == SPF_PROCESS_FALLBACK)
SPF_request_query_fallback(spf_request, &spf_response, CS spf_guess);
else
SPF_request_query_mailfrom(spf_request, &spf_response);
/* set up expansion items */
spf_header_comment = (uschar *)SPF_response_get_header_comment(spf_response);
spf_received = (uschar *)SPF_response_get_received_spf(spf_response);
spf_result = (uschar *)SPF_strresult(SPF_response_result(spf_response));
spf_smtp_comment = (uschar *)SPF_response_get_smtp_comment(spf_response);
rc = SPF_response_result(spf_response);
/* We got a result. Now see if we should return OK or FAIL for it */
SPF_EVALUATE:
debug_printf("SPF result is %s (%d)\n", SPF_strresult(rc), rc);
if (action == SPF_PROCESS_GUESS && (!strcmp (SPF_strresult(rc), "none")))
return spf_process(listptr, spf_envelope_sender, SPF_PROCESS_FALLBACK);
while ((spf_result_id = string_nextinlist(&list, &sep,
spf_result_id_buffer,
sizeof(spf_result_id_buffer))) != NULL) {
int negate = 0;
int result = 0;
/* Check for negation */
if (spf_result_id[0] == '!') {
negate = 1;
spf_result_id++;
};
/* Check the result identifier */
result = Ustrcmp(spf_result_id, spf_result_id_list[rc].name);
if (!negate && result==0) return OK;
if (negate && result!=0) return OK;
};
/* no match */
return FAIL;
}
SPF_errcode_t
SPF_record_interpret(SPF_record_t *spf_record,
SPF_request_t *spf_request, SPF_response_t *spf_response,
int depth)
{
SPF_server_t *spf_server;
/* Temporaries */
int i, j;
int m; /* Mechanism iterator */
SPF_mech_t *mech;
SPF_data_t *data;
SPF_data_t *data_end; /* XXX Replace with size_t data_len */
/* Where to insert the local policy (whitelist) */
SPF_mech_t *local_policy; /* Not the local policy */
int found_all; /* A crappy temporary. */
char *buf = NULL;
size_t buf_len = 0;
ns_type fetch_ns_type;
const char *lookup;
SPF_dns_rr_t *rr_a;
SPF_dns_rr_t *rr_aaaa;
SPF_dns_rr_t *rr_ptr;
SPF_dns_rr_t *rr_mx;
SPF_errcode_t err;
SPF_dns_server_t*resolver;
/* An SPF record for subrequests - replaces c_results */
SPF_record_t *spf_record_subr;
SPF_response_t *save_spf_response;
SPF_response_t *spf_response_subr;
const char *save_cur_dom;
struct in_addr addr4;
struct in6_addr addr6;
int max_ptr;
int max_mx;
int max_exceeded;
char ip4_buf[ INET_ADDRSTRLEN ];
char ip6_buf[ INET6_ADDRSTRLEN ];
/*
* make sure we were passed valid data to work with
*/
SPF_ASSERT_NOTNULL(spf_record);
SPF_ASSERT_NOTNULL(spf_request);
SPF_ASSERT_NOTNULL(spf_response);
spf_server = spf_record->spf_server;
SPF_ASSERT_NOTNULL(spf_server);
SPF_ASSERT_NOTNULL(spf_response->spf_record_exp);
if (depth > 20)
return DONE_PERMERR(SPF_E_RECURSIVE);
if ( spf_request->client_ver != AF_INET && spf_request->client_ver != AF_INET6 )
return DONE_PERMERR(SPF_E_NOT_CONFIG);
if (spf_request->cur_dom == NULL)
return DONE_PERMERR(SPF_E_NOT_CONFIG);
/*
* localhost always gets a free ride
*/
#if 0
/* This should have been done already before we got here. */
if ( SPF_request_is_loopback( spf_request ) )
return DONE(SPF_RESULT_PASS,SPF_REASON_LOCALHOST,SPF_E_SUCCESS);
#endif
/*
* Do some start up stuff if we haven't recursed yet
*/
local_policy = NULL;
if ( spf_request->use_local_policy ) {
/*
* find the location for the whitelist execution
*
* Philip Gladstone says:
*
* I think that the localpolicy should only be inserted if the
* final mechanism is '-all', and it should be inserted after
* the last mechanism which is not '-'.
*
* Thus for the case of 'v=spf1 +a +mx -all', this would be
* interpreted as 'v=spf1 +a +mx +localpolicy -all'. Whereas
* 'v=spf1 -all' would remain the same (no non-'-'
* mechanism). 'v=spf1 +a +mx -exists:%stuff -all' would
* become 'v=spf1 +a +mx +localpolicy -exists:%stuff -all'.
*/
if ( spf_server->local_policy ) {
mech = spf_record->mech_first;
found_all = FALSE;
for(m = 0; m < spf_record->num_mech; m++)
{
if ( mech->mech_type == MECH_ALL
&& (mech->prefix_type == PREFIX_FAIL
|| mech->prefix_type == PREFIX_UNKNOWN
|| mech->prefix_type == PREFIX_SOFTFAIL
)
)
found_all = TRUE;
if ( mech->prefix_type != PREFIX_FAIL
&& mech->prefix_type != PREFIX_SOFTFAIL
)
local_policy = mech;
mech = SPF_mech_next( mech );
}
if ( !found_all )
local_policy = NULL;
}
}
/*
* evaluate the mechanisms
*/
#define SPF_ADD_DNS_MECH() do { spf_response->num_dns_mech++; } while(0)
#define SPF_MAYBE_SKIP_CIDR() \
do { \
if ( data < data_end && data->dc.parm_type == PARM_CIDR ) \
data = SPF_data_next( data ); \
} while(0)
#define SPF_GET_LOOKUP_DATA() \
do { \
if ( data == data_end ) \
lookup = spf_request->cur_dom; \
else { \
err = SPF_record_expand_data( spf_server, \
spf_request, spf_response, \
data, ((char *)data_end - (char *)data), \
&buf, &buf_len ); \
if (err == SPF_E_NO_MEMORY) { \
SPF_FREE_LOOKUP_DATA(); \
return DONE_TEMPERR(err); \
} \
if (err) { \
SPF_FREE_LOOKUP_DATA(); \
return DONE_PERMERR(err); \
} \
lookup = buf; \
} \
} while(0)
#define SPF_FREE_LOOKUP_DATA() \
do { if (buf != NULL) { free(buf); buf = NULL; } } while(0)
resolver = spf_server->resolver;
mech = spf_record->mech_first;
for (m = 0; m < spf_record->num_mech; m++) {
/* This is as good a place as any. */
/* XXX Rip this out and put it into a macro which can go into inner loops. */
if (spf_response->num_dns_mech > spf_server->max_dns_mech) {
SPF_FREE_LOOKUP_DATA();
return DONE(SPF_RESULT_PERMERROR, SPF_REASON_NONE, SPF_E_BIG_DNS);
}
data = SPF_mech_data(mech);
data_end = SPF_mech_end_data(mech);
switch (mech->mech_type) {
case MECH_A:
SPF_ADD_DNS_MECH();
SPF_MAYBE_SKIP_CIDR();
SPF_GET_LOOKUP_DATA();
if (spf_request->client_ver == AF_INET)
fetch_ns_type = ns_t_a;
else
fetch_ns_type = ns_t_aaaa;
rr_a = SPF_dns_lookup(resolver, lookup, fetch_ns_type, TRUE);
if (spf_server->debug)
SPF_debugf("found %d A records for %s (herrno: %d)",
rr_a->num_rr, lookup, rr_a->herrno);
if (rr_a->herrno == TRY_AGAIN) {
SPF_dns_rr_free(rr_a);
SPF_FREE_LOOKUP_DATA();
return DONE_TEMPERR(SPF_E_DNS_ERROR); /* REASON_MECH */
}
for (i = 0; i < rr_a->num_rr; i++) {
/* XXX Should this be hoisted? */
if (rr_a->rr_type != fetch_ns_type)
continue;
if (spf_request->client_ver == AF_INET) {
if (SPF_i_match_ip4(spf_server, spf_request, mech, rr_a->rr[i]->a)) {
SPF_dns_rr_free(rr_a);
SPF_FREE_LOOKUP_DATA();
return DONE_MECH(mech->prefix_type);
}
}
else {
if (SPF_i_match_ip6(spf_server, spf_request, mech, rr_a->rr[i]->aaaa)) {
SPF_dns_rr_free(rr_a);
SPF_FREE_LOOKUP_DATA();
return DONE_MECH(mech->prefix_type);
}
}
}
SPF_dns_rr_free(rr_a);
break;
case MECH_MX:
SPF_ADD_DNS_MECH();
SPF_MAYBE_SKIP_CIDR();
SPF_GET_LOOKUP_DATA();
rr_mx = SPF_dns_lookup(resolver, lookup, ns_t_mx, TRUE);
if (spf_server->debug)
SPF_debugf("found %d MX records for %s (herrno: %d)",
rr_mx->num_rr, lookup, rr_mx->herrno);
if (rr_mx->herrno == TRY_AGAIN) {
SPF_dns_rr_free(rr_mx);
SPF_FREE_LOOKUP_DATA();
return DONE_TEMPERR(SPF_E_DNS_ERROR);
}
/* The maximum number of MX records we will inspect. */
max_mx = rr_mx->num_rr;
max_exceeded = 0;
if (max_mx > spf_server->max_dns_mx) {
max_exceeded = 1;
max_mx = SPF_server_get_max_dns_mx(spf_server);
}
for (j = 0; j < max_mx; j++) {
/* XXX Should this be hoisted? */
if (rr_mx->rr_type != ns_t_mx)
continue;
if (spf_request->client_ver == AF_INET)
fetch_ns_type = ns_t_a;
else
fetch_ns_type = ns_t_aaaa;
rr_a = SPF_dns_lookup(resolver, rr_mx->rr[j]->mx,
fetch_ns_type, TRUE );
if (spf_server->debug)
SPF_debugf("%d: found %d A records for %s (herrno: %d)",
j, rr_a->num_rr, rr_mx->rr[j]->mx, rr_a->herrno);
if (rr_a->herrno == TRY_AGAIN) {
SPF_dns_rr_free(rr_mx);
SPF_dns_rr_free(rr_a);
SPF_FREE_LOOKUP_DATA();
return DONE_TEMPERR(SPF_E_DNS_ERROR);
}
for (i = 0; i < rr_a->num_rr; i++) {
/* XXX Should this be hoisted? */
if (rr_a->rr_type != fetch_ns_type)
continue;
if (spf_request->client_ver == AF_INET) {
if (SPF_i_match_ip4(spf_server, spf_request, mech,
rr_a->rr[i]->a)) {
SPF_dns_rr_free(rr_mx);
SPF_dns_rr_free(rr_a);
SPF_FREE_LOOKUP_DATA();
return DONE(mech->prefix_type, SPF_REASON_MECH,
SPF_E_SUCCESS);
}
}
else {
if (SPF_i_match_ip6(spf_server, spf_request, mech,
rr_a->rr[i]->aaaa)) {
SPF_dns_rr_free(rr_mx);
SPF_dns_rr_free(rr_a);
SPF_FREE_LOOKUP_DATA();
return DONE(mech->prefix_type, SPF_REASON_MECH,
SPF_E_SUCCESS);
}
}
}
SPF_dns_rr_free(rr_a);
}
SPF_dns_rr_free( rr_mx );
if (max_exceeded) {
SPF_FREE_LOOKUP_DATA();
return DONE(SPF_RESULT_PERMERROR, SPF_REASON_NONE, SPF_E_BIG_DNS);
}
break;
case MECH_PTR:
SPF_ADD_DNS_MECH();
SPF_GET_LOOKUP_DATA();
if (spf_request->client_ver == AF_INET) {
rr_ptr = SPF_dns_rlookup(resolver,
spf_request->ipv4, ns_t_ptr, TRUE);
if (spf_server->debug) {
INET_NTOP(AF_INET, &spf_request->ipv4.s_addr,
ip4_buf, sizeof(ip4_buf));
SPF_debugf("got %d PTR records for %s (herrno: %d)",
rr_ptr->num_rr, ip4_buf, rr_ptr->herrno);
}
if (rr_ptr->herrno == TRY_AGAIN) {
SPF_dns_rr_free(rr_ptr);
SPF_FREE_LOOKUP_DATA();
return DONE_TEMPERR(SPF_E_DNS_ERROR);
}
/* The maximum number of PTR records we will inspect. */
max_ptr = rr_ptr->num_rr;
max_exceeded = 0;
if (max_ptr > spf_server->max_dns_ptr) {
max_exceeded = 1;
max_ptr = SPF_server_get_max_dns_ptr(spf_server);
}
for (i = 0; i < max_ptr; i++) {
/* XXX MX has a 'continue' case here which should be hoisted. */
rr_a = SPF_dns_lookup(resolver,
rr_ptr->rr[i]->ptr, ns_t_a, TRUE);
if (spf_server->debug)
SPF_debugf( "%d: found %d A records for %s (herrno: %d)",
i, rr_a->num_rr, rr_ptr->rr[i]->ptr, rr_a->herrno );
if (rr_a->herrno == TRY_AGAIN) {
SPF_dns_rr_free(rr_ptr);
SPF_dns_rr_free(rr_a);
SPF_FREE_LOOKUP_DATA();
return DONE_TEMPERR( SPF_E_DNS_ERROR );
}
for (j = 0; j < rr_a->num_rr; j++) {
/* XXX MX has a 'continue' case here which should be hoisted. */
if (spf_server->debug) {
INET_NTOP(AF_INET, &rr_a->rr[j]->a.s_addr,
ip4_buf, sizeof(ip4_buf));
SPF_debugf("%d: %d: found %s",
i, j, ip4_buf);
}
if (rr_a->rr[j]->a.s_addr ==
spf_request->ipv4.s_addr) {
if (SPF_i_match_domain(spf_server,
rr_ptr->rr[i]->ptr, lookup)) {
SPF_dns_rr_free(rr_ptr);
SPF_dns_rr_free(rr_a);
SPF_FREE_LOOKUP_DATA();
return DONE_MECH(mech->prefix_type);
}
}
}
SPF_dns_rr_free(rr_a);
}
SPF_dns_rr_free(rr_ptr);
if (max_exceeded) {
SPF_FREE_LOOKUP_DATA();
return DONE(SPF_RESULT_PERMERROR, SPF_REASON_NONE, SPF_E_BIG_DNS);
}
}
else if ( spf_request->client_ver == AF_INET6 ) {
rr_ptr = SPF_dns_rlookup6(resolver,
spf_request->ipv6, ns_t_ptr, TRUE);
if ( spf_server->debug ) {
INET_NTOP( AF_INET6, &spf_request->ipv6.s6_addr,
ip6_buf, sizeof( ip6_buf ) );
SPF_debugf( "found %d PTR records for %s (herrno: %d)",
rr_ptr->num_rr, ip6_buf, rr_ptr->herrno );
}
if( rr_ptr->herrno == TRY_AGAIN ) {
SPF_dns_rr_free(rr_ptr);
SPF_FREE_LOOKUP_DATA();
return DONE_TEMPERR( SPF_E_DNS_ERROR );
}
max_ptr = rr_ptr->num_rr;
max_exceeded = 0;
if (max_ptr > spf_server->max_dns_ptr) {
max_ptr = SPF_server_get_max_dns_ptr(spf_server);
max_exceeded = 1;
}
for (i = 0; i < max_ptr; i++) {
/* XXX MX has a 'continue' case here which should be hoisted. */
rr_aaaa = SPF_dns_lookup(resolver,
rr_ptr->rr[i]->ptr, ns_t_aaaa, TRUE);
if ( spf_server->debug )
SPF_debugf("%d: found %d AAAA records for %s (herrno: %d)",
i, rr_aaaa->num_rr, rr_ptr->rr[i]->ptr, rr_aaaa->herrno);
if( rr_aaaa->herrno == TRY_AGAIN ) {
SPF_dns_rr_free(rr_ptr);
SPF_dns_rr_free(rr_aaaa);
SPF_FREE_LOOKUP_DATA();
return DONE_TEMPERR( SPF_E_DNS_ERROR );
}
for( j = 0; j < rr_aaaa->num_rr; j++ ) {
/* XXX MX has a 'continue' case here which should be hoisted. */
if ( spf_server->debug ) {
INET_NTOP(AF_INET6, &rr_aaaa->rr[j]->aaaa.s6_addr,
ip6_buf, sizeof(ip6_buf));
SPF_debugf( "%d: %d: found %s",
i, j, ip6_buf );
}
if (memcmp(&rr_aaaa->rr[j]->aaaa,
&spf_request->ipv6,
sizeof(spf_request->ipv6)) == 0) {
if (SPF_i_match_domain(spf_server,
rr_ptr->rr[i]->ptr, lookup)) {
SPF_dns_rr_free( rr_ptr );
SPF_dns_rr_free(rr_aaaa);
SPF_FREE_LOOKUP_DATA();
return DONE_MECH( mech->prefix_type );
}
}
}
SPF_dns_rr_free(rr_aaaa);
}
SPF_dns_rr_free(rr_ptr);
if (max_exceeded) {
SPF_FREE_LOOKUP_DATA();
return DONE(SPF_RESULT_PERMERROR, SPF_REASON_NONE, SPF_E_BIG_DNS);
}
}
break;
case MECH_INCLUDE:
case MECH_REDIRECT:
SPF_ADD_DNS_MECH();
err = SPF_record_expand_data(spf_server,
spf_request, spf_response,
SPF_mech_data(mech), SPF_mech_data_len(mech),
&buf, &buf_len );
if ( err == SPF_E_NO_MEMORY ) {
SPF_FREE_LOOKUP_DATA();
return DONE_TEMPERR( err );
}
if ( err ) {
SPF_FREE_LOOKUP_DATA();
return DONE_PERMERR( err );
}
lookup = buf;
/* XXX Maintain a stack depth here. Limit at 10. */
if (strcmp(lookup, spf_request->cur_dom) == 0) {
SPF_FREE_LOOKUP_DATA();
return DONE_PERMERR( SPF_E_RECURSIVE );
}
/*
* get the (compiled) SPF record
*/
spf_record_subr = NULL;
/* Remember to reset this. */
save_cur_dom = spf_request->cur_dom;
spf_request->cur_dom = lookup;
err = SPF_server_get_record(spf_server, spf_request,
spf_response, &spf_record_subr);
if ( spf_server->debug > 0 )
SPF_debugf( "include/redirect: got SPF record: %s",
SPF_strerror( err ) );
if (err != SPF_E_SUCCESS) {
spf_request->cur_dom = save_cur_dom;
if (spf_record_subr)
SPF_record_free(spf_record_subr);
SPF_FREE_LOOKUP_DATA();
if (err == SPF_E_DNS_ERROR)
return DONE_TEMPERR( err );
else
return DONE_PERMERR( err );
}
SPF_ASSERT_NOTNULL(spf_record_subr);
/*
* If we are a redirect which is not within the scope
* of any include.
*/
if (mech->mech_type == MECH_REDIRECT) {
save_spf_response = NULL;
if (spf_response->spf_record_exp == spf_record)
spf_response->spf_record_exp = spf_record_subr;
SPF_ASSERT_NOTNULL(spf_response->spf_record_exp);
}
else {
save_spf_response = spf_response;
spf_response = SPF_response_new(spf_request);
if (! spf_response) {
if (spf_record_subr)
SPF_record_free(spf_record_subr);
SPF_FREE_LOOKUP_DATA();
return DONE_TEMPERR(SPF_E_NO_MEMORY);
}
spf_response->spf_record_exp = spf_record;
SPF_ASSERT_NOTNULL(spf_response->spf_record_exp);
}
/*
* find out whether this configuration passes
*/
err = SPF_record_interpret(spf_record_subr,
spf_request, spf_response, depth + 1);
spf_request->cur_dom = save_cur_dom;
/* Now, if we were a redirect, the child called done()
* and used spf_record_exp. In that case, we need not
* worry that spf_record_subr is invalid after the free.
* If we were not a redirect, then spf_record_subr
* is still the record it was in the first place.
* Thus we do not need to reset it now. */
SPF_record_free(spf_record_subr);
spf_record_subr = NULL;
if ( spf_server->debug > 0 )
SPF_debugf( "include/redirect: executed SPF record: %s result: %s reason: %s",
SPF_strerror( err ),
SPF_strresult( spf_response->result ),
SPF_strreason( spf_response->reason ) );
if (mech->mech_type == MECH_REDIRECT) {
SPF_FREE_LOOKUP_DATA();
return err; /* One way or the other */
}
else { // if (spf_response->result != SPF_RESULT_INVALID) {
/* Set everything up properly again. */
spf_response_subr = spf_response;
spf_response = save_spf_response;
save_spf_response = NULL;
/* Rewrite according to prefix of include */
switch (SPF_response_result(spf_response_subr)) {
case SPF_RESULT_PASS:
/* Pass */
SPF_FREE_LOOKUP_DATA();
SPF_response_free(spf_response_subr);
return DONE_MECH( mech->prefix_type );
case SPF_RESULT_FAIL:
case SPF_RESULT_SOFTFAIL:
case SPF_RESULT_NEUTRAL:
/* No match */
SPF_response_free(spf_response_subr);
break;
case SPF_RESULT_TEMPERROR:
/* Generate TempError */
err = SPF_response_errcode(spf_response_subr);
SPF_FREE_LOOKUP_DATA();
SPF_response_free(spf_response_subr);
return DONE_TEMPERR( err );
case SPF_RESULT_NONE:
/* Generate PermError */
SPF_FREE_LOOKUP_DATA();
SPF_response_free(spf_response_subr);
return DONE_PERMERR(SPF_E_INCLUDE_RETURNED_NONE);
case SPF_RESULT_PERMERROR:
case SPF_RESULT_INVALID:
/* Generate PermError */
err = SPF_response_errcode(spf_response_subr);
SPF_FREE_LOOKUP_DATA();
SPF_response_free(spf_response_subr);
return DONE_PERMERR( err );
}
#if 0
SPF_FREE_LOOKUP_DATA();
return err; /* The sub-interpret called done() */
#endif
}
break;
case MECH_IP4:
memcpy(&addr4, SPF_mech_ip4_data(mech), sizeof(addr4));
if ( SPF_i_match_ip4( spf_server, spf_request, mech, addr4 ) ) {
SPF_FREE_LOOKUP_DATA();
return DONE_MECH( mech->prefix_type );
}
break;
case MECH_IP6:
memcpy(&addr6, SPF_mech_ip6_data(mech), sizeof(addr6));
if ( SPF_i_match_ip6( spf_server, spf_request, mech, addr6 ) ) {
SPF_FREE_LOOKUP_DATA();
return DONE_MECH( mech->prefix_type );
}
break;
case MECH_EXISTS:
SPF_ADD_DNS_MECH();
err = SPF_record_expand_data(spf_server,
spf_request, spf_response,
SPF_mech_data(mech),SPF_mech_data_len(mech),
&buf, &buf_len);
if (err != SPF_E_SUCCESS) {
SPF_FREE_LOOKUP_DATA();
return DONE_TEMPERR( err );
}
lookup = buf;
rr_a = SPF_dns_lookup(resolver, lookup, ns_t_a, FALSE );
if ( spf_server->debug )
SPF_debugf( "found %d A records for %s (herrno: %d)",
rr_a->num_rr, lookup, rr_a->herrno );
if( rr_a->herrno == TRY_AGAIN ) {
SPF_dns_rr_free(rr_a);
SPF_FREE_LOOKUP_DATA();
return DONE_TEMPERR(SPF_E_DNS_ERROR);
}
if ( rr_a->num_rr > 0 ) {
SPF_dns_rr_free(rr_a);
SPF_FREE_LOOKUP_DATA();
return DONE_MECH(mech->prefix_type);
}
SPF_dns_rr_free(rr_a);
break;
case MECH_ALL:
SPF_FREE_LOOKUP_DATA();
if (mech->prefix_type == PREFIX_UNKNOWN)
return DONE_PERMERR(SPF_E_UNKNOWN_MECH);
return DONE_MECH(mech->prefix_type);
break;
default:
SPF_FREE_LOOKUP_DATA();
return DONE_PERMERR(SPF_E_UNKNOWN_MECH);
break;
}
/*
* execute the local policy
*/
if ( mech == local_policy ) {
err = SPF_record_interpret(spf_server->local_policy,
spf_request, spf_response, depth + 1);
if ( spf_server->debug > 0 )
SPF_debugf( "local_policy: executed SPF record: %s result: %s reason: %s",
SPF_strerror( err ),
SPF_strresult( spf_response->result ),
SPF_strreason( spf_response->reason ) );
if (spf_response->result != SPF_RESULT_INVALID) {
SPF_FREE_LOOKUP_DATA();
return err;
}
}
mech = SPF_mech_next( mech );
}
SPF_FREE_LOOKUP_DATA();
/* falling off the end is the same as ?all */
return DONE( SPF_RESULT_NEUTRAL, SPF_REASON_DEFAULT, SPF_E_SUCCESS );
}
int main( int argc, char *argv[] )
{
SPF_client_options_t *opts;
SPF_client_request_t *req = NULL;
SPF_server_t *spf_server = NULL;
SPF_request_t *spf_request = NULL;
SPF_response_t *spf_response = NULL;
SPF_response_t *spf_response_2mx = NULL;
SPF_errcode_t err;
int opt_keep_comments = 0;
#ifdef TO_MX
char *p, *p_end;
#endif
int request_limit=0;
int major, minor, patch;
int res = 0;
int c;
const char *partial_result;
char *result = NULL;
int result_len = 0;
char hostname[255];
char pf_result[100];
struct hostent *fullhostname;
/* Figure out our name */
progname = strrchr(argv[0], '/');
if (progname != NULL)
++progname;
else
progname = argv[0];
/*open syslog*/
openlog(progname, LOG_PID|LOG_CONS|LOG_NDELAY|LOG_NOWAIT, LOG_MAIL);
/* Redefine libSPF2 output routines to go to syslog */
SPF_error_handler = SPF_error_syslog;
SPF_warning_handler = SPF_warning_syslog;
SPF_info_handler = SPF_info_syslog;
SPF_debug_handler = SPF_debug_syslog;
opts = (SPF_client_options_t *)malloc(sizeof(SPF_client_options_t));
memset(opts, 0, sizeof(SPF_client_options_t));
/*
* check the arguments
*/
for (;;) {
int option_index; /* Largely unused */
c = getopt_long_only (argc, argv, "f:i:s:h:r:lt::gemcnd::kz:a:v",
long_options, &option_index);
if (c == -1)
break;
switch (c) {
case 'l':
opts->localpolicy = optarg;
break;
case 't':
if (optarg == NULL)
opts->use_trusted = 1;
else
opts->use_trusted = atoi(optarg);
break;
case 'g':
opts->fallback = optarg;
break;
case 'e':
opts->explanation = optarg;
break;
case 'm':
opts->max_lookup = atoi(optarg);
break;
case 'c': /* "clean" */
opts->sanitize = atoi(optarg);
break;
case 'n': /* name of host doing SPF checking */
opts->rec_dom = optarg;
break;
case 'a':
unimplemented('a');
break;
case 'z':
unimplemented('z');
break;
case 'v':
fprintf( stderr, "policyd-spf-fs version information:\n" );
fprintf( stderr, "policyd-spf-fs version: $Rev: 27 $\n");
fprintf( stderr, "SPF test system version: %s\n",
SPF_TEST_VERSION );
fprintf( stderr, "Compiled with SPF library version: %d.%d.%d\n",
SPF_LIB_VERSION_MAJOR, SPF_LIB_VERSION_MINOR,
SPF_LIB_VERSION_PATCH );
SPF_get_lib_version( &major, &minor, &patch );
fprintf( stderr, "Running with SPF library version: %d.%d.%d\n",
major, minor, patch );
fprintf( stderr, "\n" );
FAIL_ERROR;
break;
case 0:
case '?':
help();
FAIL_ERROR;
break;
case 'k':
opt_keep_comments = 1;
break;
case 'd':
if (optarg == NULL)
opts->debug = 1;
else
opts->debug = atoi( optarg );
break;
default:
fprintf( stderr, "Error: getopt returned character code 0%o ??\n", c);
FAIL_ERROR;
}
}
if (optind != argc) {
help();
FAIL_ERROR;
}
if (!opts->rec_dom) {
gethostname(hostname, 255);
fullhostname = gethostbyname(hostname);
if (opts->debug > 1)
syslog(LOG_DEBUG, "Hostname: %s\n",fullhostname->h_name);
opts->rec_dom = fullhostname->h_name;
}
/*
* set up the SPF configuration
*/
spf_server = SPF_server_new(SPF_DNS_CACHE, opts->debug > 2 ? opts->debug-2 : 0);
if ( opts->rec_dom )
SPF_server_set_rec_dom( spf_server, opts->rec_dom );
if ( opts->sanitize )
SPF_server_set_sanitize( spf_server, opts->sanitize );
if ( opts->max_lookup )
SPF_server_set_max_dns_mech(spf_server, opts->max_lookup);
if (opts->localpolicy) {
err = SPF_server_set_localpolicy( spf_server, opts->localpolicy, opts->use_trusted, &spf_response);
if ( err ) {
response_print_errors("Error setting local policy",
spf_response, err);
WARN_ERROR;
}
FREE_RESPONSE(spf_response);
}
if ( !opts->explanation ) {
opts->explanation = DEFAULT_EXPLANATION;
}
err = SPF_server_set_explanation( spf_server, opts->explanation, &spf_response );
if ( err ) {
response_print_errors("Error setting default explanation",
spf_response, err);
WARN_ERROR;
}
FREE_RESPONSE(spf_response);
/*
* process the SPF request
*/
request_limit=0;
while ( request_limit < REQUEST_LIMIT ) {
request_limit++;
if (request_limit == 0) {
free(req);
}
req = (SPF_client_request_t *)malloc(sizeof(SPF_client_request_t));
memset(req, 0, sizeof(SPF_client_request_t));
if (read_request_from_pf(opts, req)) {
syslog(LOG_WARNING, "IO Closed while reading, exiting");
EXIT_OK;
}
if (opts->debug > 1)
syslog(LOG_DEBUG, "Reincarnation %d\n", request_limit);
/* We have to do this here else we leak on CONTINUE_ERROR */
FREE_REQUEST(spf_request);
FREE_RESPONSE(spf_response);
spf_request = SPF_request_new(spf_server);
if (SPF_request_set_ipv4_str(spf_request, req->ip) && SPF_request_set_ipv6_str(spf_request, req->ip)) {
syslog(LOG_WARNING, "Invalid IP address.\n" );
CONTINUE_ERROR;
}
if (req->helo) {
if (SPF_request_set_helo_dom( spf_request, req->helo ) ) {
syslog(LOG_WARNING, "Invalid HELO domain.\n" );
CONTINUE_ERROR;
}
}
if (strchr(req->sender, '@') > 0) {
if (SPF_request_set_env_from( spf_request, req->sender ) ) {
syslog(LOG_WARNING, "Invalid envelope from address.\n" );
CONTINUE_ERROR;
}
} else { /* This is something we can not check*/
CONTINUE_DUNNO("no valid email address found");
}
err = SPF_request_query_mailfrom(spf_request, &spf_response);
if (opts->debug > 1)
response_print("Main query", spf_response);
if (err) {
if (opts->debug > 1)
response_print_errors("Failed to query MAIL-FROM",
spf_response, err);
CONTINUE_DUNNO("no SPF record found");
}
if (result != NULL)
result[0] = '\0';
APPEND_RESULT(SPF_response_result(spf_response));
#ifdef TO_MX /* This code returns usualy neutral and oferwrites a fail from the above spf code
which is not what we like. So we disable it for the time deing ... */
if (req->rcpt_to != NULL && *req->rcpt_to != '\0' ) {
p = req->rcpt_to;
p_end = p + strcspn(p, ",;");
/* This is some incarnation of 2mx mode. */
while (SPF_response_result(spf_response)!=SPF_RESULT_PASS) {
if (*p_end)
*p_end = '\0';
else
p_end = NULL; /* Note this is last rcpt */
err = SPF_request_query_rcptto(spf_request,
&spf_response_2mx, p);
if (opts->debug > 1)
response_print("2mx query", spf_response_2mx);
if (err) {
response_print_errors("Failed to query RCPT-TO",
spf_response, err);
CONTINUE_ERROR;
}
/* append the result */
APPEND_RESULT(SPF_response_result(spf_response_2mx));
spf_response = SPF_response_combine(spf_response,
spf_response_2mx);
if (!p_end)
break;
p = p_end + 1;
}
}
#endif /* TO_MX */
/* We now have an option to call SPF_request_query_fallback */
if (opts->fallback) {
err = SPF_request_query_fallback(spf_request,
&spf_response, opts->fallback);
if (opts->debug > 1)
response_print("fallback query", spf_response_2mx);
if (err) {
response_print_errors("Failed to query best-guess",
spf_response, err);
CONTINUE_ERROR;
}
/* append the result */
APPEND_RESULT(SPF_response_result(spf_response_2mx));
spf_response = SPF_response_combine(spf_response,
spf_response_2mx);
}
/* printf( "R: %s\nSC: %s\nHC: %s\nRS: %s\n",
result,
X_OR_EMPTY(SPF_response_get_smtp_comment(spf_response)),
X_OR_EMPTY(SPF_response_get_header_comment(spf_response)),
X_OR_EMPTY(SPF_response_get_received_spf(spf_response))
);
*/
pf_response(opts, spf_response, req);
res = SPF_response_result(spf_response);
fflush(stdout);
}
error:
FREE(result, free);
FREE_RESPONSE(spf_response);
FREE_REQUEST(spf_request);
FREE(spf_server, SPF_server_free);
syslog(LOG_INFO, "Terminating with result %d, Reincarnation: %d\n", res, request_limit);
return res;
}
int
spfc(thread_pool_t *info, thread_ctx_t *thread_ctx, edict_t *edict)
{
struct timespec ts, start, now, timeleft;
chkresult_t *result;
grey_tuple_t *request;
SPF_server_t *spf_server = NULL;
SPF_request_t *spf_request = NULL;
SPF_response_t *spf_response = NULL;
SPF_response_t *spf_response_2mx = NULL;
const char *smtp_error;
int ret;
logstr(GLOG_DEBUG, "spfc called");
request = (grey_tuple_t *)edict->job;
assert(request);
result = (chkresult_t *)Malloc(sizeof(chkresult_t));
memset(result, 0, sizeof(*result));
result->judgment = J_UNDEFINED;
result->checkname = "spf";
/* initialize if we are not yet initialized */
if (NULL == thread_ctx->state) {
/* Initialize */
spf_server = SPF_server_new(SPF_DNS_CACHE, SPF_DEBUG_LEVEL);
if (NULL == spf_server) {
logstr(GLOG_ERROR, "SPF_server_new failed");
goto FINISH;
}
thread_ctx->state = spf_server;
thread_ctx->cleanup = &cleanup_spfc;
} else {
spf_server = (SPF_server_t *) thread_ctx->state;
}
/* Now we are ready to query */
ret = SPF_server_set_explanation(spf_server,
"Please see http://www.openspf.org/Why?id=%{S}&ip=%{C}", &spf_response);
if (ret)
logstr(GLOG_ERROR, "SPF: setting explanation failed");
spf_request = SPF_request_new(spf_server);
ret = SPF_request_set_ipv4_str(spf_request, request->client_address);
if (ret) {
logstr(GLOG_ERROR, "invalid IP address %s", request->client_address);
goto CLEANUP;
}
if (request->helo_name) {
ret = SPF_request_set_helo_dom(spf_request, request->helo_name);
if (ret) {
logstr(GLOG_ERROR, "invalid HELO domain: %s.", request->helo_name);
goto CLEANUP;
}
}
ret = SPF_request_set_env_from(spf_request, request->sender);
if (ret) {
logstr(GLOG_ERROR, "invalid envelope sender address %s", request->sender);
goto CLEANUP;
}
ret = SPF_request_query_mailfrom(spf_request, &spf_response);
switch (ret) {
case SPF_E_SUCCESS:
case SPF_E_NOT_SPF:
break;
default:
logstr(GLOG_ERROR, "spf: sender based query failed: %s", SPF_strerror(ret));
goto CLEANUP;
}
/* XXX: do we need 2mx checks? */
ret = SPF_response_result(spf_response);
switch (ret) {
case SPF_RESULT_FAIL:
result->judgment = J_BLOCK;
logstr(GLOG_DEBUG, "SPF: fail");
smtp_error = SPF_response_get_smtp_comment(spf_response);
if (smtp_error)
result->reason = strdup(smtp_error);
else
result->reason = strdup("SPF: policy violation: (no message available)");
break;
case SPF_RESULT_SOFTFAIL:
result->judgment = J_SUSPICIOUS;
logstr(GLOG_DEBUG, "SPF softfail");
result->weight = 1; /* FIXME: configurable */
break;
case SPF_RESULT_PASS:
result->judgment = J_UNDEFINED;
logstr(GLOG_DEBUG, "SPF: pass");
break;
case SPF_RESULT_NEUTRAL:
result->judgment = J_UNDEFINED;
logstr(GLOG_DEBUG, "SPF: neutral");
break;
case SPF_RESULT_NONE:
result->judgment = J_UNDEFINED;
logstr(GLOG_DEBUG, "SPF: no record");
break;
default:
logstr(GLOG_DEBUG, "Unexpected SPF result (%d)", ret);
}
CLEANUP:
if (spf_request)
SPF_request_free(spf_request);
if (spf_response)
SPF_response_free(spf_response);
FINISH:
send_result(edict, result);
logstr(GLOG_DEBUG, "spfc returning");
request_unlink(request);
return 0;
}
static int verify_data(spctx_t* ctx)
{
char ebuf[256];
int n;
SPF_request_t *spf_request = NULL;
char * xforwardaddr = NULL;
char * xforwardhelo = NULL;
if(spf_server == NULL)
{
/* redirect errors */
SPF_error_handler = SPF_error_syslog;
SPF_warning_handler = SPF_warning_syslog;
SPF_info_handler = SPF_info_syslog;
SPF_debug_handler = SPF_debug_syslog;
spf_server = SPF_server_new(SPF_DNS_CACHE, 1);
if (spf_server == NULL)
return -1;
}
/* trim string */
if(ctx->xforwardaddr)
xforwardaddr = trim_space(ctx->xforwardaddr);
if(ctx->xforwardhelo)
xforwardhelo = trim_space(ctx->xforwardhelo);
sp_messagex(ctx, LOG_DEBUG, "New connection: ADDR %s - MAIL FROM %s - XF-ADDR %s - XF-HELO %s",
ctx->client.peername, ctx->sender, xforwardaddr, xforwardhelo);
spf_request = SPF_request_new(spf_server);
if( xforwardaddr )
SPF_request_set_ipv4_str( spf_request, xforwardaddr );
else if ( ctx->client.peername )
SPF_request_set_ipv4_str( spf_request, ctx->client.peername );
if( xforwardhelo )
SPF_request_set_helo_dom( spf_request, xforwardhelo );
if( ctx->sender )
SPF_request_set_env_from( spf_request, ctx->sender );
SPF_response_t *spf_response = NULL;
SPF_request_query_mailfrom(spf_request, &spf_response);
char hostname[100];
strncpy(hostname, SPF_request_get_rec_dom(spf_request), 99);
char *result_spf = NULL;
switch(SPF_response_result(spf_response))
{
case SPF_RESULT_NONE:
sp_messagex(ctx, LOG_DEBUG, "No SPF policy found for %s", ctx->sender);
result_spf = "none";
break;
case SPF_RESULT_NEUTRAL:
result_spf = "neutral";
sp_messagex(ctx, LOG_DEBUG, "SPF: NEUTRAL for %s", ctx->sender);
break;
case SPF_RESULT_SOFTFAIL:
result_spf = "softfail";
sp_messagex(ctx, LOG_DEBUG, "SPF: SOFTFAIL for %s", ctx->sender);
break;
case SPF_RESULT_PASS:
result_spf = "pass";
sp_messagex(ctx, LOG_DEBUG, "SPF: PASS for %s", ctx->sender);
break;
case SPF_RESULT_FAIL:
buffer_reject_message("550 SPF Reject", ebuf, sizeof(ebuf));
buffer_reject_message(SPF_response_get_smtp_comment(spf_response), ebuf, sizeof(ebuf));
final_reject_message(ebuf, sizeof(ebuf));
sp_messagex(ctx, LOG_DEBUG, "SPF FAIL for %s, ignore message", ctx->sender);
SPF_response_free(spf_response);
SPF_request_free(spf_request);
if(sp_fail_data(ctx, ebuf) == -1)
return -1;
else
return 0;
break;
case SPF_RESULT_TEMPERROR:
case SPF_RESULT_PERMERROR:
case SPF_RESULT_INVALID:
buffer_reject_message("450 temporary failure", ebuf, sizeof(ebuf));
final_reject_message(ebuf, sizeof(ebuf));
sp_messagex(ctx, LOG_DEBUG, "TEMP ERROR or INVALID RECORD in SPF for %s", ctx->sender);
SPF_response_free(spf_response);
SPF_request_free(spf_request);
if(sp_fail_data(ctx, ebuf) == -1)
return -1;
else
return 0;
break;
};
char auth_result_spf[1025];
snprintf(auth_result_spf, 1024, "spf=%s smtp.mailfrom=%s", result_spf, ctx->sender);
SPF_response_free(spf_response);
SPF_request_free(spf_request);
/* Tell client to start sending data */
if(sp_start_data (ctx) < 0)
return -1; /* Message already printed */
/* Setup DKIM verifier */
DKIMContext ctxt;
DKIMVerifyOptions vopts = {0};
vopts.nCheckPractices = 1;
vopts.pfnSelectorCallback = NULL; //SelectorCallback;
n = DKIMVerifyInit( &ctxt, &vopts );
/* Read data into verifier */
int len = -1;
const char *buffer = 0;
do
{
len = sp_read_data(ctx, &buffer);
if(len == -1)
return -1;
if(len > 0)
{
DKIMVerifyProcess( &ctxt, buffer, len );
sp_write_data( ctx, buffer, len );
}
} while(len > 0);
sp_write_data( ctx, NULL, 0 );
/* Verify DKIM */
n = DKIMVerifyResults( &ctxt );
/* Get verification details */
int nSigCount = 0;
DKIMVerifyDetails* pDetails;
char szPolicy[512];
DKIMVerifyGetDetails(&ctxt, &nSigCount, &pDetails, szPolicy );
/* Proxy based on verification results */
char auth_result_dkim[1025];
if(nSigCount == 0)
{
sp_messagex(ctx, LOG_DEBUG, "No DKIM signature, passthrough");
snprintf(auth_result_dkim, 1024, "dkim=none");
}
else if (n == DKIM_SUCCESS || n == DKIM_PARTIAL_SUCCESS)
{
sp_messagex(ctx, LOG_DEBUG, "DKIM verification: Success, adding header information");
int strpos = 0;
int i=0;
for(; i<nSigCount; ++i)
{
snprintf(&auth_result_dkim[strpos], 1024 - strpos,
"%sdkim=%s header.d=%s", (i>0 ? ";\n" : ""),
(pDetails[i].nResult == DKIM_SUCCESS ? "pass" : "fail"),
pDetails[i].szSignatureDomain);
strpos = strlen(auth_result_dkim);
}
} else {
sp_messagex(ctx, LOG_DEBUG, "DKIM verification: Failed, report error and ignore message.");
buffer_reject_message("550 DKIM Signature failed verification (http://www.dkim.org/info/dkim-faq.html)", ebuf, sizeof(ebuf));
final_reject_message(ebuf, sizeof(ebuf));
DKIMVerifyFree( &ctxt );
if(sp_fail_data(ctx, ebuf) == -1)
return -1;
else
return 0;
}
DKIMVerifyFree( &ctxt );
char auth_results_header[1025];
snprintf(auth_results_header, 1024, "Authentication-Results: %s;\n %s;\n %s;",
hostname, auth_result_spf, auth_result_dkim);
if( sp_done_data(ctx, auth_results_header) == -1)
return -1;
return 0;
}
static int
spf(milter_stage_t stage, char *name, var_t *attrs)
{
SPF_request_t *req = NULL;
SPF_response_t *res = NULL;
SPF_response_t *res_2mx = NULL;
char *helo;
char *envfrom;
char from[321];
char *envrcpt;
char rcpt[321];
char *spfstr;
char *spfreason;
struct sockaddr_storage *ss;
struct sockaddr_in *sin;
struct sockaddr_in6 *sin6;
int r;
if (acl_symbol_dereference(attrs, "hostaddr", &ss,
"envfrom", &envfrom, "envrcpt", &envrcpt,
"helo", &helo, NULL))
{
log_error("spf: acl_symbol_dereference failed");
goto error;
}
sin = (struct sockaddr_in *) ss;
sin6 = (struct sockaddr_in6 *) ss;
if (util_strmail(from, sizeof from, envfrom) == -1 ||
util_strmail(rcpt, sizeof rcpt, envrcpt) == -1)
{
log_error("spf: util_strmail failed");
goto error;
}
req = SPF_request_new(spf_server);
if (req == NULL) {
log_error("spf: SPF_request_new failed");
goto error;
}
/*
* Set client address
*/
if (ss->ss_family == AF_INET6) {
r = SPF_request_set_ipv6(req, sin6->sin6_addr);
}
else {
r = SPF_request_set_ipv4(req, sin->sin_addr);
}
if (r) {
log_error("spf: SPF_request_set_ip failed");
goto error;
}
/*
* Set helo
*/
r = SPF_request_set_helo_dom(req, helo);
if (r) {
log_error("spf: SPF_request_set_helo_dom failed");
goto error;
}
/*
* Set envelope from
*/
r = SPF_request_set_env_from(req, from);
if (r) {
log_error("spf_query: SPF_request_set_env_from failed");
goto error;
}
/*
* Perform SPF query
*/
SPF_request_query_mailfrom(req, &res);
if(SPF_response_result(res) == SPF_RESULT_PASS) {
goto result;
}
/*
* If SPF fails check if we received the email from a secondary mx.
*/
SPF_request_query_rcptto(req, &res_2mx, rcpt);
if(SPF_response_result(res_2mx) != SPF_RESULT_PASS) {
goto result;
}
/*
* Secondary mx
*/
log_notice("spf: \"%s\" is a secodary mx for \"%s\"", helo, rcpt);
goto exit;
result:
spfstr = (char *) SPF_strresult(SPF_response_result(res));
if (spfstr == NULL) {
log_error("spf: SPF_strresult failed");
goto error;
}
spfreason = (char *) SPF_strreason(SPF_response_result(res));
if (spfreason == NULL)
{
log_error("spf: SPF_strreason failed");
goto error;
}
log_message(LOG_ERR, attrs, "spf: helo=%s from=%s spf=%s", helo, from,
spfstr);
if (vtable_setv(attrs, VT_STRING, "spf", spfstr, VF_KEEP, VT_STRING,
"spf_reason", spfreason, VF_KEEP, VT_NULL))
{
log_error("spf: vtable_setv failed");
goto error;
}
exit:
SPF_request_free(req);
SPF_response_free(res);
if(res_2mx) {
SPF_response_free(res_2mx);
}
return 0;
error:
if(req) {
SPF_request_free(req);
}
if(res) {
SPF_response_free(res);
}
if(res_2mx) {
SPF_response_free(res_2mx);
}
return -1;
}
