[exim.git] / src / src / spf.c

/*************************************************
*     Exim - an Internet mail transport agent    *
*************************************************/

/* SPF support.
   Copyright (c) Tom Kistner <tom@duncanthrax.net> 2004 - 2014
   License: GPL
   Copyright (c) The Exim Maintainers 2015 - 2019
*/

/* Code for calling spf checks via libspf-alt. Called from acl.c. */

#include "exim.h"
#ifdef SUPPORT_SPF

/* must be kept in numeric order */
static spf_result_id spf_result_id_list[] = {
  /* name		value */
  { US"invalid",	0},
  { US"neutral",	1 },
  { US"pass",		2 },
  { US"fail",		3 },
  { US"softfail",	4 },
  { US"none",		5 },
  { US"temperror",	6 }, /* RFC 4408 defined */
  { US"permerror",	7 }  /* RFC 4408 defined */
};

SPF_server_t    *spf_server = NULL;
SPF_request_t   *spf_request = NULL;
SPF_response_t  *spf_response = NULL;
SPF_response_t  *spf_response_2mx = NULL;

SPF_dns_rr_t  * spf_nxdomain = NULL;


static SPF_dns_rr_t *
SPF_dns_exim_lookup(SPF_dns_server_t *spf_dns_server,
const char *domain, ns_type rr_type, int should_cache)
{
dns_answer * dnsa = store_get_dns_answer();
dns_scan dnss;
SPF_dns_rr_t * spfrr;

DEBUG(D_receive) debug_printf("SPF_dns_exim_lookup\n");

if (dns_lookup(dnsa, US domain, rr_type, NULL) == DNS_SUCCEED)
  for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
       rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
    if (  rr->type == rr_type
       && Ustrncmp(rr->data+1, "v=spf1", 6) == 0)
      {
      gstring * g = NULL;
      uschar chunk_len;
      uschar * s;
      SPF_dns_rr_t srr = {
	.domain = CS rr->name,			/* query information */
	.domain_buf_len = DNS_MAXNAME,
	.rr_type = rr->type,

	.num_rr = 1,				/* answer information */
	.rr = NULL,
	.rr_buf_len = 0,
	.rr_buf_num = 0,
	.ttl = rr->ttl,
	.utc_ttl = 0,
	.herrno = NETDB_SUCCESS,

	.hook = NULL,				/* misc information */
	.source = spf_dns_server
      };

      for (int off = 0; off < rr->size; off += chunk_len)
	{
	chunk_len = (rr->data)[off++];
	g = string_catn(g, US ((rr->data)+off), chunk_len);
	}
      if (!g)
	{
	HDEBUG(D_host_lookup) debug_printf("IP address lookup yielded an "
	  "empty name: treated as non-existent host name\n");
	continue;
	}
      gstring_release_unused(g);
      s = string_copy_malloc(string_from_gstring(g));
      srr.rr = (void *) &s;

      /* spfrr->rr must have been malloc()d for this */
      SPF_dns_rr_dup(&spfrr, &srr);

      return spfrr;
      }

SPF_dns_rr_dup(&spfrr, spf_nxdomain);
return spfrr;
}


SPF_dns_server_t *
SPF_dns_exim_new(int debug)
{
SPF_dns_server_t *spf_dns_server;

DEBUG(D_receive) debug_printf("SPF_dns_exim_new\n");

if (!(spf_dns_server = malloc(sizeof(SPF_dns_server_t))))
  return NULL;
memset(spf_dns_server, 0, sizeof(SPF_dns_server_t));

spf_dns_server->destroy      = NULL;
spf_dns_server->lookup       = SPF_dns_exim_lookup;
spf_dns_server->get_spf      = NULL;
spf_dns_server->get_exp      = NULL;
spf_dns_server->add_cache    = NULL;
spf_dns_server->layer_below  = NULL;
spf_dns_server->name         = "exim";
spf_dns_server->debug        = debug;

/* XXX This might have to return NO_DATA sometimes. */

spf_nxdomain = SPF_dns_rr_new_init(spf_dns_server,
  "", ns_t_any, 24 * 60 * 60, HOST_NOT_FOUND);
if (!spf_nxdomain)
  {
  free(spf_dns_server);
  return NULL;
  }

return spf_dns_server;
}


/* Construct the SPF library stack.
   Return: Boolean success.
*/

BOOL
spf_init(void)
{
SPF_dns_server_t * dc;
int debug = 0;

DEBUG(D_receive) debug = 1;

/* We insert our own DNS access layer rather than letting the spf library
do it, so that our dns access path is used for debug tracing and for the
testsuite. */

if (!(dc = SPF_dns_exim_new(debug)))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_dns_exim_new() failed\n");
  return FALSE;
  }
if (!(dc = SPF_dns_cache_new(dc, NULL, debug, 8)))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_dns_cache_new() failed\n");
  return FALSE;
  }
if (!(spf_server = SPF_server_new_dns(dc, debug)))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_server_new() failed.\n");
  return FALSE;
  }
  /* Quick hack to override the outdated explanation URL.
  See https://www.mail-archive.com/mailop@mailop.org/msg08019.html */
  SPF_server_set_explanation(spf_server, "Please%_see%_http://www.open-spf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}", &spf_response);
  if (SPF_response_errcode(spf_response) != SPF_E_SUCCESS)
    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s", SPF_strerror(SPF_response_errcode(spf_response)));

return TRUE;
}


/* Set up a context that can be re-used for several
   messages on the same SMTP connection (that come from the
   same host with the same HELO string).

Return: Boolean success
*/

BOOL
spf_conn_init(uschar * spf_helo_domain, uschar * spf_remote_addr)
{
DEBUG(D_receive)
  debug_printf("spf_conn_init: %s %s\n", spf_helo_domain, spf_remote_addr);

if (!spf_server && !spf_init()) return FALSE;

if (SPF_server_set_rec_dom(spf_server, CS primary_hostname))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_server_set_rec_dom(\"%s\") failed.\n",
    primary_hostname);
  spf_server = NULL;
  return FALSE;
  }

spf_request = SPF_request_new(spf_server);

if (  SPF_request_set_ipv4_str(spf_request, CS spf_remote_addr)
   && SPF_request_set_ipv6_str(spf_request, CS spf_remote_addr)
   )
  {
  DEBUG(D_receive)
    debug_printf("spf: SPF_request_set_ipv4_str() and "
      "SPF_request_set_ipv6_str() failed [%s]\n", spf_remote_addr);
  spf_server = NULL;
  spf_request = NULL;
  return FALSE;
  }

if (SPF_request_set_helo_dom(spf_request, CS spf_helo_domain))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_set_helo_dom(\"%s\") failed.\n",
    spf_helo_domain);
  spf_server = NULL;
  spf_request = NULL;
  return FALSE;
  }

return TRUE;
}


/* spf_process adds the envelope sender address to the existing
   context (if any), retrieves the result, sets up expansion
   strings and evaluates the condition outcome.

Return: OK/FAIL  */

int
spf_process(const uschar **listptr, uschar *spf_envelope_sender, int action)
{
int sep = 0;
const uschar *list = *listptr;
uschar *spf_result_id;
int rc = SPF_RESULT_PERMERROR;

DEBUG(D_receive) debug_printf("spf_process\n");

if (!(spf_server && spf_request))
  /* no global context, assume temp error and skip to evaluation */
  rc = SPF_RESULT_PERMERROR;

else if (SPF_request_set_env_from(spf_request, CS spf_envelope_sender))
  /* Invalid sender address. This should be a real rare occurrence */
  rc = SPF_RESULT_PERMERROR;

else
  {
  /* get SPF result */
  if (action == SPF_PROCESS_FALLBACK)
    {
    SPF_request_query_fallback(spf_request, &spf_response, CS spf_guess);
    spf_result_guessed = TRUE;
    }
  else
    SPF_request_query_mailfrom(spf_request, &spf_response);

  /* set up expansion items */
  spf_header_comment     = US SPF_response_get_header_comment(spf_response);
  spf_received           = US SPF_response_get_received_spf(spf_response);
  spf_result             = US SPF_strresult(SPF_response_result(spf_response));
  spf_smtp_comment       = US SPF_response_get_smtp_comment(spf_response);

  rc = SPF_response_result(spf_response);
  }

/* We got a result. Now see if we should return OK or FAIL for it */
DEBUG(D_acl) debug_printf("SPF result is %s (%d)\n", SPF_strresult(rc), rc);

if (action == SPF_PROCESS_GUESS && (!strcmp (SPF_strresult(rc), "none")))
  return spf_process(listptr, spf_envelope_sender, SPF_PROCESS_FALLBACK);

while ((spf_result_id = string_nextinlist(&list, &sep, NULL, 0)))
  {
  BOOL negate, result;

  if ((negate = spf_result_id[0] == '!'))
    spf_result_id++;

  result = Ustrcmp(spf_result_id, spf_result_id_list[rc].name) == 0;
  if (negate != result) return OK;
  }

/* no match */
return FAIL;
}


gstring *
authres_spf(gstring * g)
{
uschar * s;
if (!spf_result) return g;

g = string_append(g, 2, US";\n\tspf=", spf_result);
if (spf_result_guessed)
  g = string_cat(g, US" (best guess record for domain)");

s = expand_string(US"$sender_address_domain");
return s && *s
  ? string_append(g, 2, US" smtp.mailfrom=", s)
  : string_cat(g, US" smtp.mailfrom=<>");
}


#endif
Commit	Line	Data
8523533c TK	1	/*************************************************
	2	* Exim - an Internet mail transport agent *
	3	*************************************************/
8e669ac1	4
b8e97684	5	/* SPF support.
5a66c31b	6	Copyright (c) Tom Kistner <tom@duncanthrax.net> 2004 - 2014
80fea873	7	License: GPL
b8e97684	8	Copyright (c) The Exim Maintainers 2015 - 2019
80fea873	9	*/
8e669ac1	10
8523533c TK	11	/* Code for calling spf checks via libspf-alt. Called from acl.c. */
	12
	13	#include "exim.h"
7952eef9	14	#ifdef SUPPORT_SPF
8523533c	15
6d06cf48 TK	16	/* must be kept in numeric order */
6d06cf48 TK	17	static spf_result_id spf_result_id_list[] = {
f2ed27cf JH	18	/* name value */
	19	{ US"invalid", 0},
	20	{ US"neutral", 1 },
	21	{ US"pass", 2 },
	22	{ US"fail", 3 },
	23	{ US"softfail", 4 },
	24	{ US"none", 5 },
f2ed27cf JH	25	{ US"temperror", 6 }, /* RFC 4408 defined */
f2ed27cf JH	26	{ US"permerror", 7 } /* RFC 4408 defined */
6d06cf48 TK	27	};
6d06cf48 TK	28
384152a6 TK	29	SPF_server_t *spf_server = NULL;
	30	SPF_request_t *spf_request = NULL;
	31	SPF_response_t *spf_response = NULL;
	32	SPF_response_t *spf_response_2mx = NULL;
8523533c	33
b8e97684 JH	34	SPF_dns_rr_t * spf_nxdomain = NULL;
	35
	36
	37
	38	static SPF_dns_rr_t *
	39	SPF_dns_exim_lookup(SPF_dns_server_t *spf_dns_server,
	40	const char *domain, ns_type rr_type, int should_cache)
	41	{
8743d3ac	42	dns_answer * dnsa = store_get_dns_answer();
b8e97684 JH	43	dns_scan dnss;
	44	SPF_dns_rr_t * spfrr;
	45
	46	DEBUG(D_receive) debug_printf("SPF_dns_exim_lookup\n");
	47
8743d3ac JH	48	if (dns_lookup(dnsa, US domain, rr_type, NULL) == DNS_SUCCEED)
	49	for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
	50	rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
b8e97684 JH	51	if ( rr->type == rr_type
	52	&& Ustrncmp(rr->data+1, "v=spf1", 6) == 0)
	53	{
	54	gstring * g = NULL;
	55	uschar chunk_len;
	56	uschar * s;
	57	SPF_dns_rr_t srr = {
	58	.domain = CS rr->name, /* query information */
	59	.domain_buf_len = DNS_MAXNAME,
	60	.rr_type = rr->type,
	61
	62	.num_rr = 1, /* answer information */
	63	.rr = NULL,
	64	.rr_buf_len = 0,
	65	.rr_buf_num = 0,
	66	.ttl = rr->ttl,
	67	.utc_ttl = 0,
	68	.herrno = NETDB_SUCCESS,
	69
	70	.hook = NULL, /* misc information */
	71	.source = spf_dns_server
	72	};
	73
	74	for (int off = 0; off < rr->size; off += chunk_len)
	75	{
	76	chunk_len = (rr->data)[off++];
	77	g = string_catn(g, US ((rr->data)+off), chunk_len);
	78	}
	79	if (!g)
	80	{
	81	HDEBUG(D_host_lookup) debug_printf("IP address lookup yielded an "
	82	"empty name: treated as non-existent host name\n");
	83	continue;
	84	}
	85	gstring_release_unused(g);
	86	s = string_copy_malloc(string_from_gstring(g));
	87	srr.rr = (void *) &s;
	88
	89	/* spfrr->rr must have been malloc()d for this */
	90	SPF_dns_rr_dup(&spfrr, &srr);
	91
	92	return spfrr;
	93	}
	94
	95	SPF_dns_rr_dup(&spfrr, spf_nxdomain);
	96	return spfrr;
	97	}
	98
	99
	100
	101	SPF_dns_server_t *
	102	SPF_dns_exim_new(int debug)
	103	{
	104	SPF_dns_server_t *spf_dns_server;
	105
	106	DEBUG(D_receive) debug_printf("SPF_dns_exim_new\n");
	107
	108	if (!(spf_dns_server = malloc(sizeof(SPF_dns_server_t))))
	109	return NULL;
	110	memset(spf_dns_server, 0, sizeof(SPF_dns_server_t));
	111
	112	spf_dns_server->destroy = NULL;
	113	spf_dns_server->lookup = SPF_dns_exim_lookup;
	114	spf_dns_server->get_spf = NULL;
115	spf_dns_server->get_exp = NULL;
116	spf_dns_server->add_cache = NULL;
117	spf_dns_server->layer_below = NULL;
118	spf_dns_server->name = "exim";
119	spf_dns_server->debug = debug;
120
121	/* XXX This might have to return NO_DATA sometimes. */
122
123	spf_nxdomain = SPF_dns_rr_new_init(spf_dns_server,
124	"", ns_t_any, 24 * 60 * 60, HOST_NOT_FOUND);
125	if (!spf_nxdomain)
126	{
127	free(spf_dns_server);
128	return NULL;
129	}
130
131	return spf_dns_server;
132	}
133
134
eb52e2cb	135
8e669ac1	136
73ec116f JH	137	/* Construct the SPF library stack.
	138	Return: Boolean success.
	139	*/
8e669ac1	140
eb52e2cb	141	BOOL
73ec116f	142	spf_init(void)
eb52e2cb	143	{
b8e97684	144	SPF_dns_server_t * dc;
73ec116f	145	int debug = 0;
b8e97684	146
73ec116f	147	DEBUG(D_receive) debug = 1;
b8e97684 JH	148
	149	/* We insert our own DNS access layer rather than letting the spf library
	150	do it, so that our dns access path is used for debug tracing and for the
	151	testsuite. */
8e669ac1	152
b8e97684 JH	153	if (!(dc = SPF_dns_exim_new(debug)))
	154	{
	155	DEBUG(D_receive) debug_printf("spf: SPF_dns_exim_new() failed\n");
	156	return FALSE;
	157	}
	158	if (!(dc = SPF_dns_cache_new(dc, NULL, debug, 8)))
	159	{
	160	DEBUG(D_receive) debug_printf("spf: SPF_dns_cache_new() failed\n");
	161	return FALSE;
	162	}
	163	if (!(spf_server = SPF_server_new_dns(dc, debug)))
eb52e2cb JH	164	{
	165	DEBUG(D_receive) debug_printf("spf: SPF_server_new() failed.\n");
	166	return FALSE;
8523533c	167	}
05e4f4de HSHR	168	/* Quick hack to override the outdated explanation URL.
	169	See https://www.mail-archive.com/mailop@mailop.org/msg08019.html */
	170	SPF_server_set_explanation(spf_server, "Please%_see%_http://www.open-spf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}", &spf_response);
	171	if (SPF_response_errcode(spf_response) != SPF_E_SUCCESS)
	172	log_write(0, LOG_MAIN\|LOG_PANIC_DIE, "%s", SPF_strerror(SPF_response_errcode(spf_response)));
	173
73ec116f JH	174	return TRUE;
	175	}
	176
	177
	178	/* Set up a context that can be re-used for several
	179	messages on the same SMTP connection (that come from the
	180	same host with the same HELO string).
	181
	182	Return: Boolean success
	183	*/
	184
	185	BOOL
	186	spf_conn_init(uschar * spf_helo_domain, uschar * spf_remote_addr)
	187	{
	188	DEBUG(D_receive)
	189	debug_printf("spf_conn_init: %s %s\n", spf_helo_domain, spf_remote_addr);
	190
	191	if (!spf_server && !spf_init()) return FALSE;
8523533c	192
eb52e2cb JH	193	if (SPF_server_set_rec_dom(spf_server, CS primary_hostname))
	194	{
	195	DEBUG(D_receive) debug_printf("spf: SPF_server_set_rec_dom(\"%s\") failed.\n",
	196	primary_hostname);
	197	spf_server = NULL;
	198	return FALSE;
7b3a77e5 TK	199	}
7b3a77e5 TK	200
eb52e2cb JH	201	spf_request = SPF_request_new(spf_server);
	202
	203	if ( SPF_request_set_ipv4_str(spf_request, CS spf_remote_addr)
	204	&& SPF_request_set_ipv6_str(spf_request, CS spf_remote_addr)
	205	)
	206	{
	207	DEBUG(D_receive)
	208	debug_printf("spf: SPF_request_set_ipv4_str() and "
	209	"SPF_request_set_ipv6_str() failed [%s]\n", spf_remote_addr);
	210	spf_server = NULL;
	211	spf_request = NULL;
	212	return FALSE;
8523533c TK	213	}
8523533c TK	214
eb52e2cb JH	215	if (SPF_request_set_helo_dom(spf_request, CS spf_helo_domain))
	216	{
	217	DEBUG(D_receive) debug_printf("spf: SPF_set_helo_dom(\"%s\") failed.\n",
	218	spf_helo_domain);
	219	spf_server = NULL;
	220	spf_request = NULL;
	221	return FALSE;
8523533c	222	}
8e669ac1	223
eb52e2cb	224	return TRUE;
8523533c TK	225	}
	226
	227
	228	/* spf_process adds the envelope sender address to the existing
	229	context (if any), retrieves the result, sets up expansion
eb52e2cb	230	strings and evaluates the condition outcome.
f9ba5e22	231
eb52e2cb JH	232	Return: OK/FAIL */
	233
	234	int
	235	spf_process(const uschar *listptr, uschar spf_envelope_sender, int action)
	236	{
	237	int sep = 0;
	238	const uschar list = listptr;
	239	uschar *spf_result_id;
	240	int rc = SPF_RESULT_PERMERROR;
	241
b8e97684 JH	242	DEBUG(D_receive) debug_printf("spf_process\n");
b8e97684 JH	243
eb52e2cb JH	244	if (!(spf_server && spf_request))
	245	/* no global context, assume temp error and skip to evaluation */
	246	rc = SPF_RESULT_PERMERROR;
	247
	248	else if (SPF_request_set_env_from(spf_request, CS spf_envelope_sender))
aded2255	249	/* Invalid sender address. This should be a real rare occurrence */
eb52e2cb JH	250	rc = SPF_RESULT_PERMERROR;
	251
	252	else
	253	{
8523533c	254	/* get SPF result */
65a7d8c3	255	if (action == SPF_PROCESS_FALLBACK)
87e9d061	256	{
7156b1ef	257	SPF_request_query_fallback(spf_request, &spf_response, CS spf_guess);
87e9d061 JH	258	spf_result_guessed = TRUE;
87e9d061 JH	259	}
65a7d8c3 NM	260	else
65a7d8c3 NM	261	SPF_request_query_mailfrom(spf_request, &spf_response);
8523533c TK	262
8523533c TK	263	/* set up expansion items */
5903c6ff JH	264	spf_header_comment = US SPF_response_get_header_comment(spf_response);
	265	spf_received = US SPF_response_get_received_spf(spf_response);
	266	spf_result = US SPF_strresult(SPF_response_result(spf_response));
	267	spf_smtp_comment = US SPF_response_get_smtp_comment(spf_response);
8523533c	268
384152a6	269	rc = SPF_response_result(spf_response);
eb52e2cb JH	270	}
	271
	272	/* We got a result. Now see if we should return OK or FAIL for it */
	273	DEBUG(D_acl) debug_printf("SPF result is %s (%d)\n", SPF_strresult(rc), rc);
	274
	275	if (action == SPF_PROCESS_GUESS && (!strcmp (SPF_strresult(rc), "none")))
	276	return spf_process(listptr, spf_envelope_sender, SPF_PROCESS_FALLBACK);
	277
	278	while ((spf_result_id = string_nextinlist(&list, &sep, NULL, 0)))
	279	{
	280	BOOL negate, result;
	281
	282	if ((negate = spf_result_id[0] == '!'))
	283	spf_result_id++;
	284
	285	result = Ustrcmp(spf_result_id, spf_result_id_list[rc].name) == 0;
	286	if (negate != result) return OK;
	287	}
8523533c	288
eb52e2cb JH	289	/* no match */
eb52e2cb JH	290	return FAIL;
8523533c TK	291	}
8523533c TK	292
dfbcb5ac JH	293
	294
	295	gstring *
	296	authres_spf(gstring * g)
	297	{
87e9d061	298	uschar * s;
dfbcb5ac JH	299	if (!spf_result) return g;
dfbcb5ac JH	300
87e9d061 JH	301	g = string_append(g, 2, US";\n\tspf=", spf_result);
	302	if (spf_result_guessed)
	303	g = string_cat(g, US" (best guess record for domain)");
	304
	305	s = expand_string(US"$sender_address_domain");
	306	return s && *s
	307	? string_append(g, 2, US" smtp.mailfrom=", s)
	308	: string_cat(g, US" smtp.mailfrom=<>");
dfbcb5ac JH	309	}
	310
	311
8523533c	312	#endif