int
spf_process(const uschar **listptr, uschar *spf_envelope_sender, int action)
{
int sep = 0;
const uschar *list = *listptr;
uschar *spf_result_id;
int rc = SPF_RESULT_PERMERROR;
if (!(spf_server && spf_request))
/* no global context, assume temp error and skip to evaluation */
rc = SPF_RESULT_PERMERROR;
else if (SPF_request_set_env_from(spf_request, CS spf_envelope_sender))
/* Invalid sender address. This should be a real rare occurrence */
rc = SPF_RESULT_PERMERROR;
else
{
/* get SPF result */
if (action == SPF_PROCESS_FALLBACK)
{
SPF_request_query_fallback(spf_request, &spf_response, CS spf_guess);
spf_result_guessed = TRUE;
}
else
SPF_request_query_mailfrom(spf_request, &spf_response);
/* set up expansion items */
spf_header_comment = US SPF_response_get_header_comment(spf_response);
spf_received = US SPF_response_get_received_spf(spf_response);
spf_result = US SPF_strresult(SPF_response_result(spf_response));
spf_smtp_comment = US SPF_response_get_smtp_comment(spf_response);
rc = SPF_response_result(spf_response);
}
/* We got a result. Now see if we should return OK or FAIL for it */
DEBUG(D_acl) debug_printf("SPF result is %s (%d)\n", SPF_strresult(rc), rc);
if (action == SPF_PROCESS_GUESS && (!strcmp (SPF_strresult(rc), "none")))
return spf_process(listptr, spf_envelope_sender, SPF_PROCESS_FALLBACK);
while ((spf_result_id = string_nextinlist(&list, &sep, NULL, 0)))
{
BOOL negate, result;
if ((negate = spf_result_id[0] == '!'))
spf_result_id++;
result = Ustrcmp(spf_result_id, spf_result_id_list[rc].name) == 0;
if (negate != result) return OK;
}
/* no match */
return FAIL;
}
static void
response_print(const char *context, SPF_response_t *spf_response)
{
syslog(LOG_DEBUG,"--vv--\n");
syslog(LOG_DEBUG,"Context: %s\n", context);
if (spf_response == NULL) {
syslog(LOG_DEBUG, "NULL RESPONSE!\n");
}
else {
syslog(LOG_DEBUG, "Response result: %s\n",
SPF_strresult(SPF_response_result(spf_response)));
syslog(LOG_DEBUG, "Response reason: %s\n",
SPF_strreason(SPF_response_reason(spf_response)));
syslog(LOG_DEBUG, "Response err: %s\n",
SPF_strerror(SPF_response_errcode(spf_response)));
response_print_errors(NULL, spf_response,
SPF_response_errcode(spf_response));
}
syslog(LOG_DEBUG,"--^^--\n");
}
int spf_process(uschar **listptr, uschar *spf_envelope_sender, int action) {
int sep = 0;
uschar *list = *listptr;
uschar *spf_result_id;
uschar spf_result_id_buffer[128];
int rc = SPF_RESULT_PERMERROR;
if (!(spf_server && spf_request)) {
/* no global context, assume temp error and skip to evaluation */
rc = SPF_RESULT_PERMERROR;
goto SPF_EVALUATE;
};
if (SPF_request_set_env_from(spf_request, CS spf_envelope_sender)) {
/* Invalid sender address. This should be a real rare occurence */
rc = SPF_RESULT_PERMERROR;
goto SPF_EVALUATE;
}
/* get SPF result */
if (action == SPF_PROCESS_FALLBACK)
SPF_request_query_fallback(spf_request, &spf_response, CS spf_guess);
else
SPF_request_query_mailfrom(spf_request, &spf_response);
/* set up expansion items */
spf_header_comment = (uschar *)SPF_response_get_header_comment(spf_response);
spf_received = (uschar *)SPF_response_get_received_spf(spf_response);
spf_result = (uschar *)SPF_strresult(SPF_response_result(spf_response));
spf_smtp_comment = (uschar *)SPF_response_get_smtp_comment(spf_response);
rc = SPF_response_result(spf_response);
/* We got a result. Now see if we should return OK or FAIL for it */
SPF_EVALUATE:
debug_printf("SPF result is %s (%d)\n", SPF_strresult(rc), rc);
if (action == SPF_PROCESS_GUESS && (!strcmp (SPF_strresult(rc), "none")))
return spf_process(listptr, spf_envelope_sender, SPF_PROCESS_FALLBACK);
while ((spf_result_id = string_nextinlist(&list, &sep,
spf_result_id_buffer,
sizeof(spf_result_id_buffer))) != NULL) {
int negate = 0;
int result = 0;
/* Check for negation */
if (spf_result_id[0] == '!') {
negate = 1;
spf_result_id++;
};
/* Check the result identifier */
result = Ustrcmp(spf_result_id, spf_result_id_list[rc].name);
if (!negate && result==0) return OK;
if (negate && result!=0) return OK;
};
/* no match */
return FAIL;
}
SPF_errcode_t
SPF_record_interpret(SPF_record_t *spf_record,
SPF_request_t *spf_request, SPF_response_t *spf_response,
int depth)
{
SPF_server_t *spf_server;
/* Temporaries */
int i, j;
int m; /* Mechanism iterator */
SPF_mech_t *mech;
SPF_data_t *data;
SPF_data_t *data_end; /* XXX Replace with size_t data_len */
/* Where to insert the local policy (whitelist) */
SPF_mech_t *local_policy; /* Not the local policy */
int found_all; /* A crappy temporary. */
char *buf = NULL;
size_t buf_len = 0;
ns_type fetch_ns_type;
const char *lookup;
SPF_dns_rr_t *rr_a;
SPF_dns_rr_t *rr_aaaa;
SPF_dns_rr_t *rr_ptr;
SPF_dns_rr_t *rr_mx;
SPF_errcode_t err;
SPF_dns_server_t*resolver;
/* An SPF record for subrequests - replaces c_results */
SPF_record_t *spf_record_subr;
SPF_response_t *save_spf_response;
SPF_response_t *spf_response_subr;
const char *save_cur_dom;
struct in_addr addr4;
struct in6_addr addr6;
int max_ptr;
int max_mx;
int max_exceeded;
char ip4_buf[ INET_ADDRSTRLEN ];
char ip6_buf[ INET6_ADDRSTRLEN ];
/*
* make sure we were passed valid data to work with
*/
SPF_ASSERT_NOTNULL(spf_record);
SPF_ASSERT_NOTNULL(spf_request);
SPF_ASSERT_NOTNULL(spf_response);
spf_server = spf_record->spf_server;
SPF_ASSERT_NOTNULL(spf_server);
SPF_ASSERT_NOTNULL(spf_response->spf_record_exp);
if (depth > 20)
return DONE_PERMERR(SPF_E_RECURSIVE);
if ( spf_request->client_ver != AF_INET && spf_request->client_ver != AF_INET6 )
return DONE_PERMERR(SPF_E_NOT_CONFIG);
if (spf_request->cur_dom == NULL)
return DONE_PERMERR(SPF_E_NOT_CONFIG);
/*
* localhost always gets a free ride
*/
#if 0
/* This should have been done already before we got here. */
if ( SPF_request_is_loopback( spf_request ) )
return DONE(SPF_RESULT_PASS,SPF_REASON_LOCALHOST,SPF_E_SUCCESS);
#endif
/*
* Do some start up stuff if we haven't recursed yet
*/
local_policy = NULL;
if ( spf_request->use_local_policy ) {
/*
* find the location for the whitelist execution
*
* Philip Gladstone says:
*
* I think that the localpolicy should only be inserted if the
* final mechanism is '-all', and it should be inserted after
* the last mechanism which is not '-'.
*
* Thus for the case of 'v=spf1 +a +mx -all', this would be
* interpreted as 'v=spf1 +a +mx +localpolicy -all'. Whereas
* 'v=spf1 -all' would remain the same (no non-'-'
* mechanism). 'v=spf1 +a +mx -exists:%stuff -all' would
* become 'v=spf1 +a +mx +localpolicy -exists:%stuff -all'.
*/
if ( spf_server->local_policy ) {
mech = spf_record->mech_first;
found_all = FALSE;
for(m = 0; m < spf_record->num_mech; m++)
{
if ( mech->mech_type == MECH_ALL
&& (mech->prefix_type == PREFIX_FAIL
|| mech->prefix_type == PREFIX_UNKNOWN
|| mech->prefix_type == PREFIX_SOFTFAIL
)
)
found_all = TRUE;
if ( mech->prefix_type != PREFIX_FAIL
&& mech->prefix_type != PREFIX_SOFTFAIL
)
local_policy = mech;
mech = SPF_mech_next( mech );
}
if ( !found_all )
local_policy = NULL;
}
}
/*
* evaluate the mechanisms
*/
#define SPF_ADD_DNS_MECH() do { spf_response->num_dns_mech++; } while(0)
#define SPF_MAYBE_SKIP_CIDR() \
do { \
if ( data < data_end && data->dc.parm_type == PARM_CIDR ) \
data = SPF_data_next( data ); \
} while(0)
#define SPF_GET_LOOKUP_DATA() \
do { \
if ( data == data_end ) \
lookup = spf_request->cur_dom; \
else { \
err = SPF_record_expand_data( spf_server, \
spf_request, spf_response, \
data, ((char *)data_end - (char *)data), \
&buf, &buf_len ); \
if (err == SPF_E_NO_MEMORY) { \
SPF_FREE_LOOKUP_DATA(); \
return DONE_TEMPERR(err); \
} \
if (err) { \
SPF_FREE_LOOKUP_DATA(); \
return DONE_PERMERR(err); \
} \
lookup = buf; \
} \
} while(0)
#define SPF_FREE_LOOKUP_DATA() \
do { if (buf != NULL) { free(buf); buf = NULL; } } while(0)
resolver = spf_server->resolver;
mech = spf_record->mech_first;
for (m = 0; m < spf_record->num_mech; m++) {
/* This is as good a place as any. */
/* XXX Rip this out and put it into a macro which can go into inner loops. */
if (spf_response->num_dns_mech > spf_server->max_dns_mech) {
SPF_FREE_LOOKUP_DATA();
return DONE(SPF_RESULT_PERMERROR, SPF_REASON_NONE, SPF_E_BIG_DNS);
}
data = SPF_mech_data(mech);
data_end = SPF_mech_end_data(mech);
switch (mech->mech_type) {
case MECH_A:
SPF_ADD_DNS_MECH();
SPF_MAYBE_SKIP_CIDR();
SPF_GET_LOOKUP_DATA();
if (spf_request->client_ver == AF_INET)
fetch_ns_type = ns_t_a;
else
fetch_ns_type = ns_t_aaaa;
rr_a = SPF_dns_lookup(resolver, lookup, fetch_ns_type, TRUE);
if (spf_server->debug)
SPF_debugf("found %d A records for %s (herrno: %d)",
rr_a->num_rr, lookup, rr_a->herrno);
if (rr_a->herrno == TRY_AGAIN) {
SPF_dns_rr_free(rr_a);
SPF_FREE_LOOKUP_DATA();
return DONE_TEMPERR(SPF_E_DNS_ERROR); /* REASON_MECH */
}
for (i = 0; i < rr_a->num_rr; i++) {
/* XXX Should this be hoisted? */
if (rr_a->rr_type != fetch_ns_type)
continue;
if (spf_request->client_ver == AF_INET) {
if (SPF_i_match_ip4(spf_server, spf_request, mech, rr_a->rr[i]->a)) {
SPF_dns_rr_free(rr_a);
SPF_FREE_LOOKUP_DATA();
return DONE_MECH(mech->prefix_type);
}
}
else {
if (SPF_i_match_ip6(spf_server, spf_request, mech, rr_a->rr[i]->aaaa)) {
SPF_dns_rr_free(rr_a);
SPF_FREE_LOOKUP_DATA();
return DONE_MECH(mech->prefix_type);
}
}
}
SPF_dns_rr_free(rr_a);
break;
case MECH_MX:
SPF_ADD_DNS_MECH();
SPF_MAYBE_SKIP_CIDR();
SPF_GET_LOOKUP_DATA();
rr_mx = SPF_dns_lookup(resolver, lookup, ns_t_mx, TRUE);
if (spf_server->debug)
SPF_debugf("found %d MX records for %s (herrno: %d)",
rr_mx->num_rr, lookup, rr_mx->herrno);
if (rr_mx->herrno == TRY_AGAIN) {
SPF_dns_rr_free(rr_mx);
SPF_FREE_LOOKUP_DATA();
return DONE_TEMPERR(SPF_E_DNS_ERROR);
}
/* The maximum number of MX records we will inspect. */
max_mx = rr_mx->num_rr;
max_exceeded = 0;
if (max_mx > spf_server->max_dns_mx) {
max_exceeded = 1;
max_mx = SPF_server_get_max_dns_mx(spf_server);
}
for (j = 0; j < max_mx; j++) {
/* XXX Should this be hoisted? */
if (rr_mx->rr_type != ns_t_mx)
continue;
if (spf_request->client_ver == AF_INET)
fetch_ns_type = ns_t_a;
else
fetch_ns_type = ns_t_aaaa;
rr_a = SPF_dns_lookup(resolver, rr_mx->rr[j]->mx,
fetch_ns_type, TRUE );
if (spf_server->debug)
SPF_debugf("%d: found %d A records for %s (herrno: %d)",
j, rr_a->num_rr, rr_mx->rr[j]->mx, rr_a->herrno);
if (rr_a->herrno == TRY_AGAIN) {
SPF_dns_rr_free(rr_mx);
SPF_dns_rr_free(rr_a);
SPF_FREE_LOOKUP_DATA();
return DONE_TEMPERR(SPF_E_DNS_ERROR);
}
for (i = 0; i < rr_a->num_rr; i++) {
/* XXX Should this be hoisted? */
if (rr_a->rr_type != fetch_ns_type)
continue;
if (spf_request->client_ver == AF_INET) {
if (SPF_i_match_ip4(spf_server, spf_request, mech,
rr_a->rr[i]->a)) {
SPF_dns_rr_free(rr_mx);
SPF_dns_rr_free(rr_a);
SPF_FREE_LOOKUP_DATA();
return DONE(mech->prefix_type, SPF_REASON_MECH,
SPF_E_SUCCESS);
}
}
else {
if (SPF_i_match_ip6(spf_server, spf_request, mech,
rr_a->rr[i]->aaaa)) {
SPF_dns_rr_free(rr_mx);
SPF_dns_rr_free(rr_a);
SPF_FREE_LOOKUP_DATA();
return DONE(mech->prefix_type, SPF_REASON_MECH,
SPF_E_SUCCESS);
}
}
}
SPF_dns_rr_free(rr_a);
}
SPF_dns_rr_free( rr_mx );
if (max_exceeded) {
SPF_FREE_LOOKUP_DATA();
return DONE(SPF_RESULT_PERMERROR, SPF_REASON_NONE, SPF_E_BIG_DNS);
}
break;
case MECH_PTR:
SPF_ADD_DNS_MECH();
SPF_GET_LOOKUP_DATA();
if (spf_request->client_ver == AF_INET) {
rr_ptr = SPF_dns_rlookup(resolver,
spf_request->ipv4, ns_t_ptr, TRUE);
if (spf_server->debug) {
INET_NTOP(AF_INET, &spf_request->ipv4.s_addr,
ip4_buf, sizeof(ip4_buf));
SPF_debugf("got %d PTR records for %s (herrno: %d)",
rr_ptr->num_rr, ip4_buf, rr_ptr->herrno);
}
if (rr_ptr->herrno == TRY_AGAIN) {
SPF_dns_rr_free(rr_ptr);
SPF_FREE_LOOKUP_DATA();
return DONE_TEMPERR(SPF_E_DNS_ERROR);
}
/* The maximum number of PTR records we will inspect. */
max_ptr = rr_ptr->num_rr;
max_exceeded = 0;
if (max_ptr > spf_server->max_dns_ptr) {
max_exceeded = 1;
max_ptr = SPF_server_get_max_dns_ptr(spf_server);
}
for (i = 0; i < max_ptr; i++) {
/* XXX MX has a 'continue' case here which should be hoisted. */
rr_a = SPF_dns_lookup(resolver,
rr_ptr->rr[i]->ptr, ns_t_a, TRUE);
if (spf_server->debug)
SPF_debugf( "%d: found %d A records for %s (herrno: %d)",
i, rr_a->num_rr, rr_ptr->rr[i]->ptr, rr_a->herrno );
if (rr_a->herrno == TRY_AGAIN) {
SPF_dns_rr_free(rr_ptr);
SPF_dns_rr_free(rr_a);
SPF_FREE_LOOKUP_DATA();
return DONE_TEMPERR( SPF_E_DNS_ERROR );
}
for (j = 0; j < rr_a->num_rr; j++) {
/* XXX MX has a 'continue' case here which should be hoisted. */
if (spf_server->debug) {
INET_NTOP(AF_INET, &rr_a->rr[j]->a.s_addr,
ip4_buf, sizeof(ip4_buf));
SPF_debugf("%d: %d: found %s",
i, j, ip4_buf);
}
if (rr_a->rr[j]->a.s_addr ==
spf_request->ipv4.s_addr) {
if (SPF_i_match_domain(spf_server,
rr_ptr->rr[i]->ptr, lookup)) {
SPF_dns_rr_free(rr_ptr);
SPF_dns_rr_free(rr_a);
SPF_FREE_LOOKUP_DATA();
return DONE_MECH(mech->prefix_type);
}
}
}
SPF_dns_rr_free(rr_a);
}
SPF_dns_rr_free(rr_ptr);
if (max_exceeded) {
SPF_FREE_LOOKUP_DATA();
return DONE(SPF_RESULT_PERMERROR, SPF_REASON_NONE, SPF_E_BIG_DNS);
}
}
else if ( spf_request->client_ver == AF_INET6 ) {
rr_ptr = SPF_dns_rlookup6(resolver,
spf_request->ipv6, ns_t_ptr, TRUE);
if ( spf_server->debug ) {
INET_NTOP( AF_INET6, &spf_request->ipv6.s6_addr,
ip6_buf, sizeof( ip6_buf ) );
SPF_debugf( "found %d PTR records for %s (herrno: %d)",
rr_ptr->num_rr, ip6_buf, rr_ptr->herrno );
}
if( rr_ptr->herrno == TRY_AGAIN ) {
SPF_dns_rr_free(rr_ptr);
SPF_FREE_LOOKUP_DATA();
return DONE_TEMPERR( SPF_E_DNS_ERROR );
}
max_ptr = rr_ptr->num_rr;
max_exceeded = 0;
if (max_ptr > spf_server->max_dns_ptr) {
max_ptr = SPF_server_get_max_dns_ptr(spf_server);
max_exceeded = 1;
}
for (i = 0; i < max_ptr; i++) {
/* XXX MX has a 'continue' case here which should be hoisted. */
rr_aaaa = SPF_dns_lookup(resolver,
rr_ptr->rr[i]->ptr, ns_t_aaaa, TRUE);
if ( spf_server->debug )
SPF_debugf("%d: found %d AAAA records for %s (herrno: %d)",
i, rr_aaaa->num_rr, rr_ptr->rr[i]->ptr, rr_aaaa->herrno);
if( rr_aaaa->herrno == TRY_AGAIN ) {
SPF_dns_rr_free(rr_ptr);
SPF_dns_rr_free(rr_aaaa);
SPF_FREE_LOOKUP_DATA();
return DONE_TEMPERR( SPF_E_DNS_ERROR );
}
for( j = 0; j < rr_aaaa->num_rr; j++ ) {
/* XXX MX has a 'continue' case here which should be hoisted. */
if ( spf_server->debug ) {
INET_NTOP(AF_INET6, &rr_aaaa->rr[j]->aaaa.s6_addr,
ip6_buf, sizeof(ip6_buf));
SPF_debugf( "%d: %d: found %s",
i, j, ip6_buf );
}
if (memcmp(&rr_aaaa->rr[j]->aaaa,
&spf_request->ipv6,
sizeof(spf_request->ipv6)) == 0) {
if (SPF_i_match_domain(spf_server,
rr_ptr->rr[i]->ptr, lookup)) {
SPF_dns_rr_free( rr_ptr );
SPF_dns_rr_free(rr_aaaa);
SPF_FREE_LOOKUP_DATA();
return DONE_MECH( mech->prefix_type );
}
}
}
SPF_dns_rr_free(rr_aaaa);
}
SPF_dns_rr_free(rr_ptr);
if (max_exceeded) {
SPF_FREE_LOOKUP_DATA();
return DONE(SPF_RESULT_PERMERROR, SPF_REASON_NONE, SPF_E_BIG_DNS);
}
}
break;
case MECH_INCLUDE:
case MECH_REDIRECT:
SPF_ADD_DNS_MECH();
err = SPF_record_expand_data(spf_server,
spf_request, spf_response,
SPF_mech_data(mech), SPF_mech_data_len(mech),
&buf, &buf_len );
if ( err == SPF_E_NO_MEMORY ) {
SPF_FREE_LOOKUP_DATA();
return DONE_TEMPERR( err );
}
if ( err ) {
SPF_FREE_LOOKUP_DATA();
return DONE_PERMERR( err );
}
lookup = buf;
/* XXX Maintain a stack depth here. Limit at 10. */
if (strcmp(lookup, spf_request->cur_dom) == 0) {
SPF_FREE_LOOKUP_DATA();
return DONE_PERMERR( SPF_E_RECURSIVE );
}
/*
* get the (compiled) SPF record
*/
spf_record_subr = NULL;
/* Remember to reset this. */
save_cur_dom = spf_request->cur_dom;
spf_request->cur_dom = lookup;
err = SPF_server_get_record(spf_server, spf_request,
spf_response, &spf_record_subr);
if ( spf_server->debug > 0 )
SPF_debugf( "include/redirect: got SPF record: %s",
SPF_strerror( err ) );
if (err != SPF_E_SUCCESS) {
spf_request->cur_dom = save_cur_dom;
if (spf_record_subr)
SPF_record_free(spf_record_subr);
SPF_FREE_LOOKUP_DATA();
if (err == SPF_E_DNS_ERROR)
return DONE_TEMPERR( err );
else
return DONE_PERMERR( err );
}
SPF_ASSERT_NOTNULL(spf_record_subr);
/*
* If we are a redirect which is not within the scope
* of any include.
*/
if (mech->mech_type == MECH_REDIRECT) {
save_spf_response = NULL;
if (spf_response->spf_record_exp == spf_record)
spf_response->spf_record_exp = spf_record_subr;
SPF_ASSERT_NOTNULL(spf_response->spf_record_exp);
}
else {
save_spf_response = spf_response;
spf_response = SPF_response_new(spf_request);
if (! spf_response) {
if (spf_record_subr)
SPF_record_free(spf_record_subr);
SPF_FREE_LOOKUP_DATA();
return DONE_TEMPERR(SPF_E_NO_MEMORY);
}
spf_response->spf_record_exp = spf_record;
SPF_ASSERT_NOTNULL(spf_response->spf_record_exp);
}
/*
* find out whether this configuration passes
*/
err = SPF_record_interpret(spf_record_subr,
spf_request, spf_response, depth + 1);
spf_request->cur_dom = save_cur_dom;
/* Now, if we were a redirect, the child called done()
* and used spf_record_exp. In that case, we need not
* worry that spf_record_subr is invalid after the free.
* If we were not a redirect, then spf_record_subr
* is still the record it was in the first place.
* Thus we do not need to reset it now. */
SPF_record_free(spf_record_subr);
spf_record_subr = NULL;
if ( spf_server->debug > 0 )
SPF_debugf( "include/redirect: executed SPF record: %s result: %s reason: %s",
SPF_strerror( err ),
SPF_strresult( spf_response->result ),
SPF_strreason( spf_response->reason ) );
if (mech->mech_type == MECH_REDIRECT) {
SPF_FREE_LOOKUP_DATA();
return err; /* One way or the other */
}
else { // if (spf_response->result != SPF_RESULT_INVALID) {
/* Set everything up properly again. */
spf_response_subr = spf_response;
spf_response = save_spf_response;
save_spf_response = NULL;
/* Rewrite according to prefix of include */
switch (SPF_response_result(spf_response_subr)) {
case SPF_RESULT_PASS:
/* Pass */
SPF_FREE_LOOKUP_DATA();
SPF_response_free(spf_response_subr);
return DONE_MECH( mech->prefix_type );
case SPF_RESULT_FAIL:
case SPF_RESULT_SOFTFAIL:
case SPF_RESULT_NEUTRAL:
/* No match */
SPF_response_free(spf_response_subr);
break;
case SPF_RESULT_TEMPERROR:
/* Generate TempError */
err = SPF_response_errcode(spf_response_subr);
SPF_FREE_LOOKUP_DATA();
SPF_response_free(spf_response_subr);
return DONE_TEMPERR( err );
case SPF_RESULT_NONE:
/* Generate PermError */
SPF_FREE_LOOKUP_DATA();
SPF_response_free(spf_response_subr);
return DONE_PERMERR(SPF_E_INCLUDE_RETURNED_NONE);
case SPF_RESULT_PERMERROR:
case SPF_RESULT_INVALID:
/* Generate PermError */
err = SPF_response_errcode(spf_response_subr);
SPF_FREE_LOOKUP_DATA();
SPF_response_free(spf_response_subr);
return DONE_PERMERR( err );
}
#if 0
SPF_FREE_LOOKUP_DATA();
return err; /* The sub-interpret called done() */
#endif
}
break;
case MECH_IP4:
memcpy(&addr4, SPF_mech_ip4_data(mech), sizeof(addr4));
if ( SPF_i_match_ip4( spf_server, spf_request, mech, addr4 ) ) {
SPF_FREE_LOOKUP_DATA();
return DONE_MECH( mech->prefix_type );
}
break;
case MECH_IP6:
memcpy(&addr6, SPF_mech_ip6_data(mech), sizeof(addr6));
if ( SPF_i_match_ip6( spf_server, spf_request, mech, addr6 ) ) {
SPF_FREE_LOOKUP_DATA();
return DONE_MECH( mech->prefix_type );
}
break;
case MECH_EXISTS:
SPF_ADD_DNS_MECH();
err = SPF_record_expand_data(spf_server,
spf_request, spf_response,
SPF_mech_data(mech),SPF_mech_data_len(mech),
&buf, &buf_len);
if (err != SPF_E_SUCCESS) {
SPF_FREE_LOOKUP_DATA();
return DONE_TEMPERR( err );
}
lookup = buf;
rr_a = SPF_dns_lookup(resolver, lookup, ns_t_a, FALSE );
if ( spf_server->debug )
SPF_debugf( "found %d A records for %s (herrno: %d)",
rr_a->num_rr, lookup, rr_a->herrno );
if( rr_a->herrno == TRY_AGAIN ) {
SPF_dns_rr_free(rr_a);
SPF_FREE_LOOKUP_DATA();
return DONE_TEMPERR(SPF_E_DNS_ERROR);
}
if ( rr_a->num_rr > 0 ) {
SPF_dns_rr_free(rr_a);
SPF_FREE_LOOKUP_DATA();
return DONE_MECH(mech->prefix_type);
}
SPF_dns_rr_free(rr_a);
break;
case MECH_ALL:
SPF_FREE_LOOKUP_DATA();
if (mech->prefix_type == PREFIX_UNKNOWN)
return DONE_PERMERR(SPF_E_UNKNOWN_MECH);
return DONE_MECH(mech->prefix_type);
break;
default:
SPF_FREE_LOOKUP_DATA();
return DONE_PERMERR(SPF_E_UNKNOWN_MECH);
break;
}
/*
* execute the local policy
*/
if ( mech == local_policy ) {
err = SPF_record_interpret(spf_server->local_policy,
spf_request, spf_response, depth + 1);
if ( spf_server->debug > 0 )
SPF_debugf( "local_policy: executed SPF record: %s result: %s reason: %s",
SPF_strerror( err ),
SPF_strresult( spf_response->result ),
SPF_strreason( spf_response->reason ) );
if (spf_response->result != SPF_RESULT_INVALID) {
SPF_FREE_LOOKUP_DATA();
return err;
}
}
mech = SPF_mech_next( mech );
}
SPF_FREE_LOOKUP_DATA();
/* falling off the end is the same as ?all */
return DONE( SPF_RESULT_NEUTRAL, SPF_REASON_DEFAULT, SPF_E_SUCCESS );
}
static SPF_errcode_t
SPF_i_set_received_spf(SPF_response_t *spf_response)
{
SPF_server_t *spf_server;
SPF_request_t *spf_request;
char ip4_buf[ INET_ADDRSTRLEN ];
char ip6_buf[ INET6_ADDRSTRLEN ];
const char *ip;
char *buf;
size_t buflen = SPF_RECEIVED_SPF_SIZE;
char *buf_value;
char *p, *p_end;
SPF_ASSERT_NOTNULL(spf_response);
spf_request = spf_response->spf_request;
SPF_ASSERT_NOTNULL(spf_request);
spf_server = spf_request->spf_server;
SPF_ASSERT_NOTNULL(spf_server);
if (spf_response->received_spf)
free(spf_response->received_spf);
spf_response->received_spf = NULL;
buf = malloc( buflen );
if ( buf == NULL )
return SPF_E_INTERNAL_ERROR;
p = buf;
p_end = p + buflen;
/* create the stock Received-SPF: header */
p += snprintf( p, p_end - p, "Received-SPF: ");
buf_value = p;
do { /* A prop for a structured goto called 'break' */
p += snprintf( p, p_end - p, "%s (%s)",
SPF_strresult( spf_response->result ),
spf_response->header_comment );
if ( p_end - p <= 0 ) break;
/* add in the optional ip address keyword */
ip = NULL;
if ( spf_request->client_ver == AF_INET ) {
ip = inet_ntop( AF_INET, &spf_request->ipv4,
ip4_buf, sizeof( ip4_buf ) );
}
else if (spf_request->client_ver == AF_INET6 ) {
ip = inet_ntop( AF_INET6, &spf_request->ipv6,
ip6_buf, sizeof( ip6_buf ) );
}
if ( ip != NULL ) {
p += snprintf( p, p_end - p, " client-ip=%s;", ip );
if ( p_end - p <= 0 ) break;
}
/* add in the optional envelope-from keyword */
if ( spf_request->env_from != NULL ) {
p += snprintf( p, p_end - p, " envelope-from=%s;", spf_request->env_from );
if ( p_end - p <= 0 ) break;
}
/* add in the optional helo domain keyword */
if ( spf_request->helo_dom != NULL ) {
p += snprintf( p, p_end - p, " helo=%s;", spf_request->helo_dom );
if ( p_end - p <= 0 ) break;
}
/* FIXME: Add in full compiler errors. */
#if 0
/* add in the optional compiler error keyword */
if ( output.err_msg != NULL ) {
p += snprintf( p, p_end - p, " problem=%s;", output.err_msg );
if ( p_end - p <= 0 ) break;
}
else if ( c_results.err_msg != NULL ) {
p += snprintf( p, p_end - p, " problem=%s;", c_results.err_msg );
if ( p_end - p <= 0 ) break;
}
#endif
/* FIXME should the explanation string be included in the header? */
/* FIXME should the header be reformated to include line breaks? */
} while(0);
spf_response->received_spf = SPF_sanitize(spf_server, buf);
spf_response->received_spf_value = buf_value;
return SPF_E_SUCCESS;
}
static int
spf(milter_stage_t stage, char *name, var_t *attrs)
{
SPF_request_t *req = NULL;
SPF_response_t *res = NULL;
SPF_response_t *res_2mx = NULL;
char *helo;
char *envfrom;
char from[321];
char *envrcpt;
char rcpt[321];
char *spfstr;
char *spfreason;
struct sockaddr_storage *ss;
struct sockaddr_in *sin;
struct sockaddr_in6 *sin6;
int r;
if (acl_symbol_dereference(attrs, "hostaddr", &ss,
"envfrom", &envfrom, "envrcpt", &envrcpt,
"helo", &helo, NULL))
{
log_error("spf: acl_symbol_dereference failed");
goto error;
}
sin = (struct sockaddr_in *) ss;
sin6 = (struct sockaddr_in6 *) ss;
if (util_strmail(from, sizeof from, envfrom) == -1 ||
util_strmail(rcpt, sizeof rcpt, envrcpt) == -1)
{
log_error("spf: util_strmail failed");
goto error;
}
req = SPF_request_new(spf_server);
if (req == NULL) {
log_error("spf: SPF_request_new failed");
goto error;
}
/*
* Set client address
*/
if (ss->ss_family == AF_INET6) {
r = SPF_request_set_ipv6(req, sin6->sin6_addr);
}
else {
r = SPF_request_set_ipv4(req, sin->sin_addr);
}
if (r) {
log_error("spf: SPF_request_set_ip failed");
goto error;
}
/*
* Set helo
*/
r = SPF_request_set_helo_dom(req, helo);
if (r) {
log_error("spf: SPF_request_set_helo_dom failed");
goto error;
}
/*
* Set envelope from
*/
r = SPF_request_set_env_from(req, from);
if (r) {
log_error("spf_query: SPF_request_set_env_from failed");
goto error;
}
/*
* Perform SPF query
*/
SPF_request_query_mailfrom(req, &res);
if(SPF_response_result(res) == SPF_RESULT_PASS) {
goto result;
}
/*
* If SPF fails check if we received the email from a secondary mx.
*/
SPF_request_query_rcptto(req, &res_2mx, rcpt);
if(SPF_response_result(res_2mx) != SPF_RESULT_PASS) {
goto result;
}
/*
* Secondary mx
*/
log_notice("spf: \"%s\" is a secodary mx for \"%s\"", helo, rcpt);
goto exit;
result:
spfstr = (char *) SPF_strresult(SPF_response_result(res));
if (spfstr == NULL) {
log_error("spf: SPF_strresult failed");
goto error;
}
spfreason = (char *) SPF_strreason(SPF_response_result(res));
if (spfreason == NULL)
{
log_error("spf: SPF_strreason failed");
goto error;
}
log_message(LOG_ERR, attrs, "spf: helo=%s from=%s spf=%s", helo, from,
spfstr);
if (vtable_setv(attrs, VT_STRING, "spf", spfstr, VF_KEEP, VT_STRING,
"spf_reason", spfreason, VF_KEEP, VT_NULL))
{
log_error("spf: vtable_setv failed");
goto error;
}
exit:
SPF_request_free(req);
SPF_response_free(res);
if(res_2mx) {
SPF_response_free(res_2mx);
}
return 0;
error:
if(req) {
SPF_request_free(req);
}
if(res) {
SPF_response_free(res);
}
if(res_2mx) {
SPF_response_free(res_2mx);
}
return -1;
}
