[exim.git] / src / src / spf.c

/*************************************************
*     Exim - an Internet mail transport agent    *
*************************************************/

/* SPF support.
   Copyright (c) Tom Kistner <tom@duncanthrax.net> 2004 - 2014
   License: GPL
   Copyright (c) The Exim Maintainers 2015 - 2020
*/

/* Code for calling spf checks via libspf-alt. Called from acl.c. */

#include "exim.h"
#ifdef SUPPORT_SPF

/* must be kept in numeric order */
static spf_result_id spf_result_id_list[] = {
  /* name		value */
  { US"invalid",	0},
  { US"neutral",	1 },
  { US"pass",		2 },
  { US"fail",		3 },
  { US"softfail",	4 },
  { US"none",		5 },
  { US"temperror",	6 }, /* RFC 4408 defined */
  { US"permerror",	7 }  /* RFC 4408 defined */
};

SPF_server_t    *spf_server = NULL;
SPF_request_t   *spf_request = NULL;
SPF_response_t  *spf_response = NULL;
SPF_response_t  *spf_response_2mx = NULL;

SPF_dns_rr_t  * spf_nxdomain = NULL;


void
spf_lib_version_report(FILE * fp)
{
int maj, min, patch;
SPF_get_lib_version(&maj, &min, &patch);
fprintf(fp, "Library version: spf2: Compile: %d.%d.%d\n",
	SPF_LIB_VERSION_MAJOR, SPF_LIB_VERSION_MINOR, SPF_LIB_VERSION_PATCH);
fprintf(fp, "                       Runtime: %d.%d.%d\n",
	 maj, min, patch);
}


static SPF_dns_rr_t *
SPF_dns_exim_lookup(SPF_dns_server_t *spf_dns_server,
  const char *domain, ns_type rr_type, int should_cache)
{
dns_answer * dnsa = store_get_dns_answer();
dns_scan dnss;
SPF_dns_rr_t * spfrr;
unsigned found = 0;

SPF_dns_rr_t srr = {
  .domain = CS domain,			/* query information */
  .domain_buf_len = 0,
  .rr_type = rr_type,

  .rr_buf_len = 0,			/* answer information */
  .rr_buf_num = 0, /* no free of s */
  .utc_ttl = 0,

  .hook = NULL,				/* misc information */
  .source = spf_dns_server
};
int dns_rc;

DEBUG(D_receive) debug_printf("SPF_dns_exim_lookup '%s'\n", domain);

switch (dns_rc = dns_lookup(dnsa, US domain, rr_type, NULL))
  {
  case DNS_SUCCEED:	srr.herrno = NETDB_SUCCESS;	break;
  case DNS_AGAIN:	srr.herrno = TRY_AGAIN;		break;
  case DNS_NOMATCH:	srr.herrno = HOST_NOT_FOUND;	break;
  case DNS_NODATA:	srr.herrno = NO_DATA;		break;
  case DNS_FAIL:
  default:		srr.herrno = NO_RECOVERY;	break;
  } 

for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
     rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
  if (rr->type == rr_type) found++;

if (found == 0)
  {
  SPF_dns_rr_dup(&spfrr, &srr);
  return spfrr;
  }

srr.rr = store_malloc(sizeof(SPF_dns_rr_data_t) * found);

found = 0;
for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
   rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
  if (rr->type == rr_type)
    {
    const uschar * s = rr->data;

    srr.ttl = rr->ttl;
    switch(rr_type)
      {
      case T_MX:
	s += 2;	/* skip the MX precedence field */
      case T_PTR:
	{
	uschar * buf = store_malloc(256);
	(void)dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, s,
	  (DN_EXPAND_ARG4_TYPE)buf, 256);
	s = buf;
	break;
	}

      case T_TXT:
	{
	gstring * g = NULL;
	uschar chunk_len;

	if (strncmpic(rr->data+1, US SPF_VER_STR, 6) != 0)
	  {
	  HDEBUG(D_host_lookup) debug_printf("not an spf record: %.*s\n",
	    (int) s[0], s+1);
	  continue;
	  }

	for (int off = 0; off < rr->size; off += chunk_len)
	  {
	  if (!(chunk_len = s[off++])) break;
	  g = string_catn(g, s+off, chunk_len);
	  }
	if (!g)
	  continue;
	gstring_release_unused(g);
	s = string_copy_malloc(string_from_gstring(g));
	DEBUG(D_receive) debug_printf("SPF_dns_exim_lookup '%s'\n", s);
	break;
	}

      case T_A:
      case T_AAAA:
      default:
	{
	uschar * buf = store_malloc(dnsa->answerlen + 1);
	s = memcpy(buf, s, dnsa->answerlen + 1);
	break;
	}
      }
    srr.rr[found++] = (void *) s;
    }

srr.num_rr = found;
/* spfrr->rr must have been malloc()d for this */
SPF_dns_rr_dup(&spfrr, &srr);
return spfrr;
}


SPF_dns_server_t *
SPF_dns_exim_new(int debug)
{
SPF_dns_server_t * spf_dns_server = store_malloc(sizeof(SPF_dns_server_t));

DEBUG(D_receive) debug_printf("SPF_dns_exim_new\n");

memset(spf_dns_server, 0, sizeof(SPF_dns_server_t));
spf_dns_server->destroy      = NULL;
spf_dns_server->lookup       = SPF_dns_exim_lookup;
spf_dns_server->get_spf      = NULL;
spf_dns_server->get_exp      = NULL;
spf_dns_server->add_cache    = NULL;
spf_dns_server->layer_below  = NULL;
spf_dns_server->name         = "exim";
spf_dns_server->debug        = debug;

/* XXX This might have to return NO_DATA sometimes. */

spf_nxdomain = SPF_dns_rr_new_init(spf_dns_server,
  "", ns_t_any, 24 * 60 * 60, HOST_NOT_FOUND);
if (!spf_nxdomain)
  {
  free(spf_dns_server);
  return NULL;
  }

return spf_dns_server;
}


/* Construct the SPF library stack.
   Return: Boolean success.
*/

BOOL
spf_init(void)
{
SPF_dns_server_t * dc;
int debug = 0;

DEBUG(D_receive) debug = 1;

/* We insert our own DNS access layer rather than letting the spf library
do it, so that our dns access path is used for debug tracing and for the
testsuite. */

if (!(dc = SPF_dns_exim_new(debug)))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_dns_exim_new() failed\n");
  return FALSE;
  }
if (!(dc = SPF_dns_cache_new(dc, NULL, debug, 8)))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_dns_cache_new() failed\n");
  return FALSE;
  }
if (!(spf_server = SPF_server_new_dns(dc, debug)))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_server_new() failed.\n");
  return FALSE;
  }
  /* Quick hack to override the outdated explanation URL.
  See https://www.mail-archive.com/mailop@mailop.org/msg08019.html */
  SPF_server_set_explanation(spf_server, "Please%_see%_http://www.open-spf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}", &spf_response);
  if (SPF_response_errcode(spf_response) != SPF_E_SUCCESS)
    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s", SPF_strerror(SPF_response_errcode(spf_response)));

return TRUE;
}


/* Set up a context that can be re-used for several
   messages on the same SMTP connection (that come from the
   same host with the same HELO string).

Return: Boolean success
*/

BOOL
spf_conn_init(uschar * spf_helo_domain, uschar * spf_remote_addr)
{
DEBUG(D_receive)
  debug_printf("spf_conn_init: %s %s\n", spf_helo_domain, spf_remote_addr);

if (!spf_server && !spf_init()) return FALSE;

if (SPF_server_set_rec_dom(spf_server, CS primary_hostname))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_server_set_rec_dom(\"%s\") failed.\n",
    primary_hostname);
  spf_server = NULL;
  return FALSE;
  }

spf_request = SPF_request_new(spf_server);

if (  SPF_request_set_ipv4_str(spf_request, CS spf_remote_addr)
   && SPF_request_set_ipv6_str(spf_request, CS spf_remote_addr)
   )
  {
  DEBUG(D_receive)
    debug_printf("spf: SPF_request_set_ipv4_str() and "
      "SPF_request_set_ipv6_str() failed [%s]\n", spf_remote_addr);
  spf_server = NULL;
  spf_request = NULL;
  return FALSE;
  }

if (SPF_request_set_helo_dom(spf_request, CS spf_helo_domain))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_set_helo_dom(\"%s\") failed.\n",
    spf_helo_domain);
  spf_server = NULL;
  spf_request = NULL;
  return FALSE;
  }

return TRUE;
}


void
spf_response_debug(SPF_response_t * spf_response)
{
if (SPF_response_messages(spf_response) == 0)
  debug_printf(" (no errors)\n");
else for (int i = 0; i < SPF_response_messages(spf_response); i++)
  {
  SPF_error_t * err = SPF_response_message(spf_response, i);
  debug_printf( "%s_msg = (%d) %s\n",
		  (SPF_error_errorp(err) ? "warn" : "err"),
		  SPF_error_code(err),
		  SPF_error_message(err));
  }
}


/* spf_process adds the envelope sender address to the existing
   context (if any), retrieves the result, sets up expansion
   strings and evaluates the condition outcome.

Return: OK/FAIL  */

int
spf_process(const uschar **listptr, uschar *spf_envelope_sender, int action)
{
int sep = 0;
const uschar *list = *listptr;
uschar *spf_result_id;
int rc = SPF_RESULT_PERMERROR;

DEBUG(D_receive) debug_printf("spf_process\n");

if (!(spf_server && spf_request))
  /* no global context, assume temp error and skip to evaluation */
  rc = SPF_RESULT_PERMERROR;

else if (SPF_request_set_env_from(spf_request, CS spf_envelope_sender))
  /* Invalid sender address. This should be a real rare occurrence */
  rc = SPF_RESULT_PERMERROR;

else
  {
  /* get SPF result */
  if (action == SPF_PROCESS_FALLBACK)
    {
    SPF_request_query_fallback(spf_request, &spf_response, CS spf_guess);
    spf_result_guessed = TRUE;
    }
  else
    SPF_request_query_mailfrom(spf_request, &spf_response);

  /* set up expansion items */
  spf_header_comment     = US SPF_response_get_header_comment(spf_response);
  spf_received           = US SPF_response_get_received_spf(spf_response);
  spf_result             = US SPF_strresult(SPF_response_result(spf_response));
  spf_smtp_comment       = US SPF_response_get_smtp_comment(spf_response);

  rc = SPF_response_result(spf_response);

  DEBUG(D_acl) spf_response_debug(spf_response);
  }

/* We got a result. Now see if we should return OK or FAIL for it */
DEBUG(D_acl) debug_printf("SPF result is %s (%d)\n", SPF_strresult(rc), rc);

if (action == SPF_PROCESS_GUESS && (!strcmp (SPF_strresult(rc), "none")))
  return spf_process(listptr, spf_envelope_sender, SPF_PROCESS_FALLBACK);

while ((spf_result_id = string_nextinlist(&list, &sep, NULL, 0)))
  {
  BOOL negate, result;

  if ((negate = spf_result_id[0] == '!'))
    spf_result_id++;

  result = Ustrcmp(spf_result_id, spf_result_id_list[rc].name) == 0;
  if (negate != result) return OK;
  }

/* no match */
return FAIL;
}


gstring *
authres_spf(gstring * g)
{
uschar * s;
if (!spf_result) return g;

g = string_append(g, 2, US";\n\tspf=", spf_result);
if (spf_result_guessed)
  g = string_cat(g, US" (best guess record for domain)");

s = expand_string(US"$sender_address_domain");
return s && *s
  ? string_append(g, 2, US" smtp.mailfrom=", s)
  : string_cat(g, US" smtp.mailfrom=<>");
}


#endif
Commit	Line	Data
8523533c TK	1	/*************************************************
	2	* Exim - an Internet mail transport agent *
	3	*************************************************/
8e669ac1	4
b8e97684	5	/* SPF support.
5a66c31b	6	Copyright (c) Tom Kistner <tom@duncanthrax.net> 2004 - 2014
80fea873	7	License: GPL
53ef3d84	8	Copyright (c) The Exim Maintainers 2015 - 2020
80fea873	9	*/
8e669ac1	10
8523533c TK	11	/* Code for calling spf checks via libspf-alt. Called from acl.c. */
	12
	13	#include "exim.h"
7952eef9	14	#ifdef SUPPORT_SPF
8523533c	15
6d06cf48 TK	16	/* must be kept in numeric order */
6d06cf48 TK	17	static spf_result_id spf_result_id_list[] = {
f2ed27cf JH	18	/* name value */
	19	{ US"invalid", 0},
	20	{ US"neutral", 1 },
	21	{ US"pass", 2 },
	22	{ US"fail", 3 },
	23	{ US"softfail", 4 },
	24	{ US"none", 5 },
f2ed27cf JH	25	{ US"temperror", 6 }, /* RFC 4408 defined */
f2ed27cf JH	26	{ US"permerror", 7 } /* RFC 4408 defined */
6d06cf48 TK	27	};
6d06cf48 TK	28
384152a6 TK	29	SPF_server_t *spf_server = NULL;
	30	SPF_request_t *spf_request = NULL;
	31	SPF_response_t *spf_response = NULL;
	32	SPF_response_t *spf_response_2mx = NULL;
8523533c	33
b8e97684 JH	34	SPF_dns_rr_t * spf_nxdomain = NULL;
	35
	36
85e453f6 JH	37	void
	38	spf_lib_version_report(FILE * fp)
	39	{
	40	int maj, min, patch;
	41	SPF_get_lib_version(&maj, &min, &patch);
	42	fprintf(fp, "Library version: spf2: Compile: %d.%d.%d\n",
	43	SPF_LIB_VERSION_MAJOR, SPF_LIB_VERSION_MINOR, SPF_LIB_VERSION_PATCH);
	44	fprintf(fp, " Runtime: %d.%d.%d\n",
	45	maj, min, patch);
	46	}
	47
	48
b8e97684 JH	49
	50	static SPF_dns_rr_t *
	51	SPF_dns_exim_lookup(SPF_dns_server_t *spf_dns_server,
44e90dfa	52	const char *domain, ns_type rr_type, int should_cache)
b8e97684	53	{
8743d3ac	54	dns_answer * dnsa = store_get_dns_answer();
b8e97684 JH	55	dns_scan dnss;
b8e97684 JH	56	SPF_dns_rr_t * spfrr;
4533e306 JH	57	unsigned found = 0;
	58
	59	SPF_dns_rr_t srr = {
	60	.domain = CS domain, /* query information */
	61	.domain_buf_len = 0,
	62	.rr_type = rr_type,
	63
	64	.rr_buf_len = 0, /* answer information */
	65	.rr_buf_num = 0, /* no free of s */
	66	.utc_ttl = 0,
	67
	68	.hook = NULL, /* misc information */
	69	.source = spf_dns_server
	70	};
44e90dfa	71	int dns_rc;
b8e97684	72
4a3709fb	73	DEBUG(D_receive) debug_printf("SPF_dns_exim_lookup '%s'\n", domain);
b8e97684	74
44e90dfa	75	switch (dns_rc = dns_lookup(dnsa, US domain, rr_type, NULL))
4533e306	76	{
44e90dfa WB	77	case DNS_SUCCEED: srr.herrno = NETDB_SUCCESS; break;
	78	case DNS_AGAIN: srr.herrno = TRY_AGAIN; break;
	79	case DNS_NOMATCH: srr.herrno = HOST_NOT_FOUND; break;
f73eb7e3	80	case DNS_NODATA: srr.herrno = NO_DATA; break;
44e90dfa WB	81	case DNS_FAIL:
	82	default: srr.herrno = NO_RECOVERY; break;
	83	}
4533e306 JH	84
	85	for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
	86	rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
	87	if (rr->type == rr_type) found++;
	88
44e90dfa WB	89	if (found == 0)
	90	{
	91	SPF_dns_rr_dup(&spfrr, &srr);
	92	return spfrr;
	93	}
	94
4533e306	95	srr.rr = store_malloc(sizeof(SPF_dns_rr_data_t) * found);
4533e306 JH	96
	97	found = 0;
	98	for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
	99	rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
	100	if (rr->type == rr_type)
	101	{
	102	const uschar * s = rr->data;
	103
	104	srr.ttl = rr->ttl;
	105	switch(rr_type)
b8e97684	106	{
4533e306	107	case T_MX:
44e90dfa	108	s += 2; /* skip the MX precedence field */
4533e306	109	case T_PTR:
b8e97684	110	{
4533e306 JH	111	uschar * buf = store_malloc(256);
	112	(void)dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, s,
	113	(DN_EXPAND_ARG4_TYPE)buf, 256);
	114	s = buf;
	115	break;
	116	}
	117
	118	case T_TXT:
	119	{
	120	gstring * g = NULL;
	121	uschar chunk_len;
4a3709fb	122
85e453f6	123	if (strncmpic(rr->data+1, US SPF_VER_STR, 6) != 0)
4a3709fb	124	{
53ef3d84 JH	125	HDEBUG(D_host_lookup) debug_printf("not an spf record: %.*s\n",
53ef3d84 JH	126	(int) s[0], s+1);
4533e306	127	continue;
4a3709fb WB	128	}
4a3709fb WB	129
4533e306	130	for (int off = 0; off < rr->size; off += chunk_len)
4a3709fb	131	{
4533e306 JH	132	if (!(chunk_len = s[off++])) break;
4533e306 JH	133	g = string_catn(g, s+off, chunk_len);
4a3709fb	134	}
4533e306 JH	135	if (!g)
	136	continue;
	137	gstring_release_unused(g);
	138	s = string_copy_malloc(string_from_gstring(g));
53ef3d84	139	DEBUG(D_receive) debug_printf("SPF_dns_exim_lookup '%s'\n", s);
4533e306	140	break;
b8e97684	141	}
b8e97684	142
4533e306 JH	143	case T_A:
	144	case T_AAAA:
	145	default:
	146	{
	147	uschar * buf = store_malloc(dnsa->answerlen + 1);
	148	s = memcpy(buf, s, dnsa->answerlen + 1);
	149	break;
	150	}
b8e97684	151	}
4533e306 JH	152	srr.rr[found++] = (void *) s;
4533e306 JH	153	}
b8e97684	154
44e90dfa	155	srr.num_rr = found;
4533e306 JH	156	/* spfrr->rr must have been malloc()d for this */
4533e306 JH	157	SPF_dns_rr_dup(&spfrr, &srr);
b8e97684 JH	158	return spfrr;
	159	}
	160
	161
	162
	163	SPF_dns_server_t *
	164	SPF_dns_exim_new(int debug)
	165	{
4533e306	166	SPF_dns_server_t * spf_dns_server = store_malloc(sizeof(SPF_dns_server_t));
b8e97684 JH	167
	168	DEBUG(D_receive) debug_printf("SPF_dns_exim_new\n");
	169
b8e97684	170	memset(spf_dns_server, 0, sizeof(SPF_dns_server_t));
b8e97684 JH	171	spf_dns_server->destroy = NULL;
	172	spf_dns_server->lookup = SPF_dns_exim_lookup;
	173	spf_dns_server->get_spf = NULL;
	174	spf_dns_server->get_exp = NULL;
	175	spf_dns_server->add_cache = NULL;
	176	spf_dns_server->layer_below = NULL;
	177	spf_dns_server->name = "exim";
	178	spf_dns_server->debug = debug;
	179
	180	/* XXX This might have to return NO_DATA sometimes. */
	181
	182	spf_nxdomain = SPF_dns_rr_new_init(spf_dns_server,
	183	"", ns_t_any, 24 * 60 * 60, HOST_NOT_FOUND);
	184	if (!spf_nxdomain)
	185	{
	186	free(spf_dns_server);
	187	return NULL;
	188	}
	189
	190	return spf_dns_server;
	191	}
	192
	193
eb52e2cb	194
8e669ac1	195
73ec116f JH	196	/* Construct the SPF library stack.
	197	Return: Boolean success.
	198	*/
8e669ac1	199
eb52e2cb	200	BOOL
73ec116f	201	spf_init(void)
eb52e2cb	202	{
b8e97684	203	SPF_dns_server_t * dc;
73ec116f	204	int debug = 0;
b8e97684	205
73ec116f	206	DEBUG(D_receive) debug = 1;
b8e97684 JH	207
	208	/* We insert our own DNS access layer rather than letting the spf library
	209	do it, so that our dns access path is used for debug tracing and for the
	210	testsuite. */
8e669ac1	211
b8e97684 JH	212	if (!(dc = SPF_dns_exim_new(debug)))
	213	{
	214	DEBUG(D_receive) debug_printf("spf: SPF_dns_exim_new() failed\n");
	215	return FALSE;
	216	}
	217	if (!(dc = SPF_dns_cache_new(dc, NULL, debug, 8)))
	218	{
	219	DEBUG(D_receive) debug_printf("spf: SPF_dns_cache_new() failed\n");
	220	return FALSE;
	221	}
	222	if (!(spf_server = SPF_server_new_dns(dc, debug)))
eb52e2cb JH	223	{
	224	DEBUG(D_receive) debug_printf("spf: SPF_server_new() failed.\n");
	225	return FALSE;
8523533c	226	}
05e4f4de HSHR	227	/* Quick hack to override the outdated explanation URL.
	228	See https://www.mail-archive.com/mailop@mailop.org/msg08019.html */
	229	SPF_server_set_explanation(spf_server, "Please%_see%_http://www.open-spf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}", &spf_response);
	230	if (SPF_response_errcode(spf_response) != SPF_E_SUCCESS)
	231	log_write(0, LOG_MAIN\|LOG_PANIC_DIE, "%s", SPF_strerror(SPF_response_errcode(spf_response)));
	232
73ec116f JH	233	return TRUE;
	234	}
	235
	236
	237	/* Set up a context that can be re-used for several
	238	messages on the same SMTP connection (that come from the
	239	same host with the same HELO string).
	240
	241	Return: Boolean success
	242	*/
	243
	244	BOOL
	245	spf_conn_init(uschar * spf_helo_domain, uschar * spf_remote_addr)
	246	{
	247	DEBUG(D_receive)
	248	debug_printf("spf_conn_init: %s %s\n", spf_helo_domain, spf_remote_addr);
	249
	250	if (!spf_server && !spf_init()) return FALSE;
8523533c	251
eb52e2cb JH	252	if (SPF_server_set_rec_dom(spf_server, CS primary_hostname))
	253	{
	254	DEBUG(D_receive) debug_printf("spf: SPF_server_set_rec_dom(\"%s\") failed.\n",
	255	primary_hostname);
	256	spf_server = NULL;
	257	return FALSE;
7b3a77e5 TK	258	}
7b3a77e5 TK	259
eb52e2cb JH	260	spf_request = SPF_request_new(spf_server);
	261
	262	if ( SPF_request_set_ipv4_str(spf_request, CS spf_remote_addr)
	263	&& SPF_request_set_ipv6_str(spf_request, CS spf_remote_addr)
	264	)
	265	{
	266	DEBUG(D_receive)
	267	debug_printf("spf: SPF_request_set_ipv4_str() and "
	268	"SPF_request_set_ipv6_str() failed [%s]\n", spf_remote_addr);
	269	spf_server = NULL;
	270	spf_request = NULL;
	271	return FALSE;
8523533c TK	272	}
8523533c TK	273
eb52e2cb JH	274	if (SPF_request_set_helo_dom(spf_request, CS spf_helo_domain))
	275	{
	276	DEBUG(D_receive) debug_printf("spf: SPF_set_helo_dom(\"%s\") failed.\n",
	277	spf_helo_domain);
	278	spf_server = NULL;
	279	spf_request = NULL;
	280	return FALSE;
8523533c	281	}
8e669ac1	282
eb52e2cb	283	return TRUE;
8523533c TK	284	}
	285
	286
53ef3d84 JH	287	void
	288	spf_response_debug(SPF_response_t * spf_response)
	289	{
	290	if (SPF_response_messages(spf_response) == 0)
	291	debug_printf(" (no errors)\n");
	292	else for (int i = 0; i < SPF_response_messages(spf_response); i++)
	293	{
	294	SPF_error_t * err = SPF_response_message(spf_response, i);
	295	debug_printf( "%s_msg = (%d) %s\n",
	296	(SPF_error_errorp(err) ? "warn" : "err"),
	297	SPF_error_code(err),
	298	SPF_error_message(err));
	299	}
	300	}
	301
	302
8523533c TK	303	/* spf_process adds the envelope sender address to the existing
8523533c TK	304	context (if any), retrieves the result, sets up expansion
eb52e2cb	305	strings and evaluates the condition outcome.
f9ba5e22	306
eb52e2cb JH	307	Return: OK/FAIL */
	308
	309	int
	310	spf_process(const uschar *listptr, uschar spf_envelope_sender, int action)
	311	{
	312	int sep = 0;
	313	const uschar list = listptr;
	314	uschar *spf_result_id;
	315	int rc = SPF_RESULT_PERMERROR;
	316
b8e97684 JH	317	DEBUG(D_receive) debug_printf("spf_process\n");
b8e97684 JH	318
eb52e2cb JH	319	if (!(spf_server && spf_request))
	320	/* no global context, assume temp error and skip to evaluation */
	321	rc = SPF_RESULT_PERMERROR;
	322
	323	else if (SPF_request_set_env_from(spf_request, CS spf_envelope_sender))
aded2255	324	/* Invalid sender address. This should be a real rare occurrence */
eb52e2cb JH	325	rc = SPF_RESULT_PERMERROR;
	326
	327	else
	328	{
8523533c	329	/* get SPF result */
65a7d8c3	330	if (action == SPF_PROCESS_FALLBACK)
87e9d061	331	{
7156b1ef	332	SPF_request_query_fallback(spf_request, &spf_response, CS spf_guess);
87e9d061 JH	333	spf_result_guessed = TRUE;
87e9d061 JH	334	}
65a7d8c3 NM	335	else
65a7d8c3 NM	336	SPF_request_query_mailfrom(spf_request, &spf_response);
8523533c TK	337
8523533c TK	338	/* set up expansion items */
5903c6ff JH	339	spf_header_comment = US SPF_response_get_header_comment(spf_response);
	340	spf_received = US SPF_response_get_received_spf(spf_response);
	341	spf_result = US SPF_strresult(SPF_response_result(spf_response));
	342	spf_smtp_comment = US SPF_response_get_smtp_comment(spf_response);
8523533c	343
384152a6	344	rc = SPF_response_result(spf_response);
53ef3d84 JH	345
53ef3d84 JH	346	DEBUG(D_acl) spf_response_debug(spf_response);
eb52e2cb JH	347	}
	348
	349	/* We got a result. Now see if we should return OK or FAIL for it */
	350	DEBUG(D_acl) debug_printf("SPF result is %s (%d)\n", SPF_strresult(rc), rc);
	351
	352	if (action == SPF_PROCESS_GUESS && (!strcmp (SPF_strresult(rc), "none")))
	353	return spf_process(listptr, spf_envelope_sender, SPF_PROCESS_FALLBACK);
	354
	355	while ((spf_result_id = string_nextinlist(&list, &sep, NULL, 0)))
	356	{
	357	BOOL negate, result;
	358
	359	if ((negate = spf_result_id[0] == '!'))
	360	spf_result_id++;
	361
	362	result = Ustrcmp(spf_result_id, spf_result_id_list[rc].name) == 0;
	363	if (negate != result) return OK;
	364	}
8523533c	365
eb52e2cb JH	366	/* no match */
eb52e2cb JH	367	return FAIL;
8523533c TK	368	}
8523533c TK	369
dfbcb5ac JH	370
	371
	372	gstring *
	373	authres_spf(gstring * g)
	374	{
87e9d061	375	uschar * s;
dfbcb5ac JH	376	if (!spf_result) return g;
dfbcb5ac JH	377
87e9d061 JH	378	g = string_append(g, 2, US";\n\tspf=", spf_result);
	379	if (spf_result_guessed)
	380	g = string_cat(g, US" (best guess record for domain)");
	381
	382	s = expand_string(US"$sender_address_domain");
	383	return s && *s
	384	? string_append(g, 2, US" smtp.mailfrom=", s)
	385	: string_cat(g, US" smtp.mailfrom=<>");
dfbcb5ac JH	386	}
	387
	388
8523533c	389	#endif