From b8e976847808b6a4d1ba51ce70ee4f114d91e357 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Tue, 13 Aug 2019 11:58:10 +0100 Subject: [PATCH] SPF: use exim facilities for DNS lookups This enables testing with the testsuite --- src/src/lookups/spf.c | 25 ++++-- src/src/spf.c | 136 +++++++++++++++++++++++++++++-- test/confs/4600 | 2 +- test/dnszones-src/db.example.com | 4 + test/log/4600 | 26 ++++-- test/scripts/4600-SPF/4600 | 36 +++++--- test/stderr/0275 | 4 + test/stderr/0303 | 8 ++ test/stderr/0371 | 4 + test/stderr/0479 | 4 + test/stderr/0487 | 4 + test/stderr/3400 | 4 + test/stdout/4600 | 36 +++++++- 13 files changed, 261 insertions(+), 32 deletions(-) diff --git a/src/src/lookups/spf.c b/src/src/lookups/spf.c index db2c33631..ef0c791cc 100644 --- a/src/src/lookups/spf.c +++ b/src/src/lookups/spf.c @@ -32,16 +32,31 @@ static void dummy(int x) { dummy2(x-1); } #include #include +extern SPF_dns_server_t * SPF_dns_exim_new(int); + + static void * spf_open(uschar *filename, uschar **errmsg) { -SPF_server_t *spf_server; -if ((spf_server = SPF_server_new(SPF_DNS_CACHE, 0))) - return (void *) spf_server; -*errmsg = US"SPF_server_new() failed"; -return NULL; +SPF_dns_server_t * dc; +SPF_server_t *spf_server = NULL; +int debug = 0; + +DEBUG(D_lookup) debug = 1; + +if ((dc = SPF_dns_exim_new(debug))) + if ((dc = SPF_dns_cache_new(dc, NULL, debug, 8))) + spf_server = SPF_server_new_dns(dc, debug); + +if (!spf_server) + { + *errmsg = US"SPF_dns_exim_nnew() failed"; + return NULL; + } +return (void *) spf_server; } + static void spf_close(void *handle) { diff --git a/src/src/spf.c b/src/src/spf.c index 0b00a5c7c..cf8176e8e 100644 --- a/src/src/spf.c +++ b/src/src/spf.c @@ -2,10 +2,10 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Experimental SPF support. +/* SPF support. Copyright (c) Tom Kistner 2004 - 2014 License: GPL - Copyright (c) The Exim Maintainers 2015 - 2018 + Copyright (c) The Exim Maintainers 2015 - 2019 */ /* Code for calling spf checks via libspf-alt. Called from acl.c. */ @@ -31,19 +31,143 @@ SPF_request_t *spf_request = NULL; SPF_response_t *spf_response = NULL; SPF_response_t *spf_response_2mx = NULL; +SPF_dns_rr_t * spf_nxdomain = NULL; + + + +static SPF_dns_rr_t * +SPF_dns_exim_lookup(SPF_dns_server_t *spf_dns_server, +const char *domain, ns_type rr_type, int should_cache) +{ +dns_answer dnsa; +dns_scan dnss; +SPF_dns_rr_t * spfrr; + +DEBUG(D_receive) debug_printf("SPF_dns_exim_lookup\n"); + +if (dns_lookup(&dnsa, US domain, rr_type, NULL) == DNS_SUCCEED) + for (dns_record * rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS); rr; + rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT)) + if ( rr->type == rr_type + && Ustrncmp(rr->data+1, "v=spf1", 6) == 0) + { + gstring * g = NULL; + uschar chunk_len; + uschar * s; + SPF_dns_rr_t srr = { + .domain = CS rr->name, /* query information */ + .domain_buf_len = DNS_MAXNAME, + .rr_type = rr->type, + + .num_rr = 1, /* answer information */ + .rr = NULL, + .rr_buf_len = 0, + .rr_buf_num = 0, + .ttl = rr->ttl, + .utc_ttl = 0, + .herrno = NETDB_SUCCESS, + + .hook = NULL, /* misc information */ + .source = spf_dns_server + }; + + for (int off = 0; off < rr->size; off += chunk_len) + { + chunk_len = (rr->data)[off++]; + g = string_catn(g, US ((rr->data)+off), chunk_len); + } + if (!g) + { + HDEBUG(D_host_lookup) debug_printf("IP address lookup yielded an " + "empty name: treated as non-existent host name\n"); + continue; + } + gstring_release_unused(g); + s = string_copy_malloc(string_from_gstring(g)); + srr.rr = (void *) &s; + + /* spfrr->rr must have been malloc()d for this */ + SPF_dns_rr_dup(&spfrr, &srr); + + return spfrr; + } + +SPF_dns_rr_dup(&spfrr, spf_nxdomain); +return spfrr; +} + + + +SPF_dns_server_t * +SPF_dns_exim_new(int debug) +{ +SPF_dns_server_t *spf_dns_server; + +DEBUG(D_receive) debug_printf("SPF_dns_exim_new\n"); + +if (!(spf_dns_server = malloc(sizeof(SPF_dns_server_t)))) + return NULL; +memset(spf_dns_server, 0, sizeof(SPF_dns_server_t)); + +spf_dns_server->destroy = NULL; +spf_dns_server->lookup = SPF_dns_exim_lookup; +spf_dns_server->get_spf = NULL; +spf_dns_server->get_exp = NULL; +spf_dns_server->add_cache = NULL; +spf_dns_server->layer_below = NULL; +spf_dns_server->name = "exim"; +spf_dns_server->debug = debug; + +/* XXX This might have to return NO_DATA sometimes. */ + +spf_nxdomain = SPF_dns_rr_new_init(spf_dns_server, + "", ns_t_any, 24 * 60 * 60, HOST_NOT_FOUND); +if (!spf_nxdomain) + { + free(spf_dns_server); + return NULL; + } + +return spf_dns_server; +} + + /* spf_init sets up a context that can be re-used for several messages on the same SMTP connection (that come from the - same host with the same HELO string) + same host with the same HELO string). +XXX the spf_server layer could usefully be separately init'd +given that it sets up a dns cache. Return: Boolean success */ BOOL spf_init(uschar *spf_helo_domain, uschar *spf_remote_addr) { -spf_server = SPF_server_new(SPF_DNS_CACHE, 0); +int debug = 0; +SPF_dns_server_t * dc; + +DEBUG(D_receive) + { + debug_printf("spf_init: %s %s\n", spf_helo_domain, spf_remote_addr); + debug = 1; + } + +/* We insert our own DNS access layer rather than letting the spf library +do it, so that our dns access path is used for debug tracing and for the +testsuite. */ -if (!spf_server) +if (!(dc = SPF_dns_exim_new(debug))) + { + DEBUG(D_receive) debug_printf("spf: SPF_dns_exim_new() failed\n"); + return FALSE; + } +if (!(dc = SPF_dns_cache_new(dc, NULL, debug, 8))) + { + DEBUG(D_receive) debug_printf("spf: SPF_dns_cache_new() failed\n"); + return FALSE; + } +if (!(spf_server = SPF_server_new_dns(dc, debug))) { DEBUG(D_receive) debug_printf("spf: SPF_server_new() failed.\n"); return FALSE; @@ -98,6 +222,8 @@ const uschar *list = *listptr; uschar *spf_result_id; int rc = SPF_RESULT_PERMERROR; +DEBUG(D_receive) debug_printf("spf_process\n"); + if (!(spf_server && spf_request)) /* no global context, assume temp error and skip to evaluation */ rc = SPF_RESULT_PERMERROR; diff --git a/test/confs/4600 b/test/confs/4600 index a566535cd..34baa999b 100644 --- a/test/confs/4600 +++ b/test/confs/4600 @@ -20,7 +20,7 @@ check_rcpt: logwrite = ${authresults {$primary_hostname}} accept condition = ${if eq {$received_port}{PORT_S}} - spf = pass : softfail : neutral + spf = pass : softfail : neutral : none logwrite = spf_result $spf_result logwrite = spf_header_comment $spf_header_comment logwrite = spf_smtp_comment $spf_smtp_comment diff --git a/test/dnszones-src/db.example.com b/test/dnszones-src/db.example.com index ba0e35a2f..b9aca04d1 100644 --- a/test/dnszones-src/db.example.com +++ b/test/dnszones-src/db.example.com @@ -18,6 +18,10 @@ example.com. NS exim.example.com. +; The real example.com has an SPF record; duplicate that here + +example.com. TXT v=spf1 -all + ; Alias A record for the local host, under the name "server1" server1 A HOSTIPV4 diff --git a/test/log/4600 b/test/log/4600 index cafe722c9..195cb4b7b 100644 --- a/test/log/4600 +++ b/test/log/4600 @@ -1,18 +1,30 @@ ******** SERVER ******** -1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D port PORT_S -1999-03-02 09:44:33 spf_result pass (guess ) +1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D port PORT_S port PORT_N +1999-03-02 09:44:33 spf_result pass 1999-03-02 09:44:33 spf_header_comment myhost.test.ex: localhost is always allowed. 1999-03-02 09:44:33 spf_smtp_comment 1999-03-02 09:44:33 spf_received Received-SPF: pass (myhost.test.ex: localhost is always allowed.) client-ip=127.0.0.1; envelope-from=a@example.com; helo=testclient; 1999-03-02 09:44:33 Authentication-Results: myhost.test.ex;\n spf=pass smtp.mailfrom=example.com -1999-03-02 09:44:33 spf_result pass (guess ) -1999-03-02 09:44:33 spf_header_comment myhost.test.ex: localhost is always allowed. +1999-03-02 09:44:33 spf_result none +1999-03-02 09:44:33 spf_header_comment myhost.test.ex: domain of test.example.com does not provide an SPF record 1999-03-02 09:44:33 spf_smtp_comment -1999-03-02 09:44:33 spf_received Received-SPF: pass (myhost.test.ex: localhost is always allowed.) client-ip=127.0.0.1; envelope-from=b@test.example.com; helo=testclient; -1999-03-02 09:44:33 Authentication-Results: myhost.test.ex;\n spf=pass smtp.mailfrom=test.example.com -1999-03-02 09:44:33 spf_result pass +1999-03-02 09:44:33 spf_received Received-SPF: none (myhost.test.ex: domain of test.example.com does not provide an SPF record) client-ip=ip4.ip4.ip4.ip4; envelope-from=b@test.example.com; helo=testclient; +1999-03-02 09:44:33 Authentication-Results: myhost.test.ex;\n spf=none smtp.mailfrom=test.example.com +1999-03-02 09:44:33 spf_result pass (guess ) 1999-03-02 09:44:33 spf_header_comment myhost.test.ex: localhost is always allowed. 1999-03-02 09:44:33 spf_smtp_comment 1999-03-02 09:44:33 spf_received Received-SPF: pass (myhost.test.ex: localhost is always allowed.) client-ip=127.0.0.1; envelope-from=c@example.com; helo=testclient; 1999-03-02 09:44:33 Authentication-Results: myhost.test.ex;\n spf=pass smtp.mailfrom=example.com +1999-03-02 09:44:33 spf_result neutral (guess ) +1999-03-02 09:44:33 spf_header_comment myhost.test.ex: ip4.ip4.ip4.ip4 is neither permitted nor denied by domain of test.example.com +1999-03-02 09:44:33 spf_smtp_comment Please see http://www.openspf.org/Why?id=b%40test.example.com&ip=ip4.ip4.ip4.ip4&receiver=myhost.test.ex : Reason: mechanism +1999-03-02 09:44:33 spf_received Received-SPF: neutral (myhost.test.ex: ip4.ip4.ip4.ip4 is neither permitted nor denied by domain of test.example.com) client-ip=ip4.ip4.ip4.ip4; envelope-from=b@test.example.com; helo=testclient; +1999-03-02 09:44:33 Authentication-Results: myhost.test.ex;\n spf=neutral (best guess record for domain) smtp.mailfrom=test.example.com +1999-03-02 09:44:33 H=(testclient) [ip4.ip4.ip4.ip4] F= rejected RCPT +1999-03-02 09:44:33 spf_result (guess ) +1999-03-02 09:44:33 spf_header_comment +1999-03-02 09:44:33 spf_smtp_comment +1999-03-02 09:44:33 spf_received +1999-03-02 09:44:33 Authentication-Results: myhost.test.ex +1999-03-02 09:44:33 H=(testclient) [127.0.0.1] F= rejected RCPT diff --git a/test/scripts/4600-SPF/4600 b/test/scripts/4600-SPF/4600 index d24fa9d94..582394879 100644 --- a/test/scripts/4600-SPF/4600 +++ b/test/scripts/4600-SPF/4600 @@ -1,15 +1,11 @@ # acl condition and variables # -# It is rather difficult to properly test spf. We use libspf2 to do the work, and it -# does the DNS lookups, so we cannot intercept them in the testsuite's usual fashion -# to provide values for testcases. +# The 127.0.0.1 source addr seems to be a builtin in the spf library; no dns lookup is done. +# HOSTIPV4 does get a series of lookups (see server debug output to verify that). # -# For now just check that what should be working syntax does not cause us to fall over. -# Be careful with envelope-domains and IPs used for testcases, as real DNS lookups will be done. -# -exim -bd -DSERVER=server -oX PORT_D:PORT_S +exim -bd -DSERVER=server -oX PORT_D:PORT_S:PORT_N **** -client 127.0.0.1 PORT_D +client 127.0.0.1 PORT_S ??? 220 helo testclient ??? 250 @@ -19,7 +15,7 @@ rcpt to: ??? 250 quit **** -client 127.0.0.1 PORT_D +client HOSTIPV4 PORT_S ??? 220 helo testclient ??? 250 @@ -29,7 +25,7 @@ rcpt to: ??? 250 quit **** -client 127.0.0.1 PORT_S +client 127.0.0.1 PORT_D ??? 220 helo testclient ??? 250 @@ -39,5 +35,25 @@ rcpt to: ??? 250 quit **** +client HOSTIPV4 PORT_D +??? 220 +helo testclient +??? 250 +mail from: +??? 250 +rcpt to: +??? 550 +quit +**** +client 127.0.0.1 PORT_N +??? 220 +helo testclient +??? 250 +mail from: +??? 250 +rcpt to: +??? 550 +quit +**** # killdaemon diff --git a/test/stderr/0275 b/test/stderr/0275 index af5aaef50..4b60d4e3f 100644 --- a/test/stderr/0275 +++ b/test/stderr/0275 @@ -361,6 +361,10 @@ test in helo_lookup_domains? no (end of list) sender_fullhost = (test) [127.0.0.1] sender_rcvhost = [127.0.0.1] (helo=test) set_process_info: pppp handling incoming connection from (test) [127.0.0.1] +spf_init: test 127.0.0.1 +SPF_dns_exim_new +spf_compile.c:523 Debug: Parsing macro starting at Please%_see%_http://www.openspf.org/Why?id=%{S}&ip=%{C}&receiver=%{R} +spf_compile.c:1210 Debug: Compiling record v=spf1 SMTP>> 250 myhost.test.ex Hello test [127.0.0.1] SMTP<< MAIL FROM: spool directory space = nnnnnK inodes = nnnnn check_space = 10240K inodes = 100 msg_size = 0 diff --git a/test/stderr/0303 b/test/stderr/0303 index 3ed99b66b..02b811307 100644 --- a/test/stderr/0303 +++ b/test/stderr/0303 @@ -68,6 +68,10 @@ SMTP<< EHLO [V4NET.2.3.4] sender_fullhost = ([V4NET.2.3.4]) [V4NET.2.3.4] sender_rcvhost = [V4NET.2.3.4] set_process_info: pppp handling incoming connection from ([V4NET.2.3.4]) [V4NET.2.3.4] +spf_init: [V4NET.2.3.4] V4NET.2.3.4 +SPF_dns_exim_new +spf_compile.c:523 Debug: Parsing macro starting at Please%_see%_http://www.openspf.org/Why?id=%{S}&ip=%{C}&receiver=%{R} +spf_compile.c:1210 Debug: Compiling record v=spf1 host in dsn_advertise_hosts? no (option unset) host in pipelining_advertise_hosts? yes (matched "*") host in chunking_advertise_hosts? no (end of list) @@ -142,6 +146,10 @@ SMTP<< EHLO [V4NET.2.3.4] sender_fullhost = host.name.tld [V4NET.2.3.4] sender_rcvhost = host.name.tld ([V4NET.2.3.4]) set_process_info: pppp handling incoming connection from host.name.tld [V4NET.2.3.4] +spf_init: [V4NET.2.3.4] V4NET.2.3.4 +SPF_dns_exim_new +spf_compile.c:523 Debug: Parsing macro starting at Please%_see%_http://www.openspf.org/Why?id=%{S}&ip=%{C}&receiver=%{R} +spf_compile.c:1210 Debug: Compiling record v=spf1 host in dsn_advertise_hosts? no (option unset) host in pipelining_advertise_hosts? yes (matched "*") host in chunking_advertise_hosts? no (end of list) diff --git a/test/stderr/0371 b/test/stderr/0371 index 1546b0279..d31d61580 100644 --- a/test/stderr/0371 +++ b/test/stderr/0371 @@ -35,6 +35,10 @@ something in helo_lookup_domains? no (end of list) sender_fullhost = (something) [V4NET.0.0.0] sender_rcvhost = [V4NET.0.0.0] (helo=something) set_process_info: pppp handling incoming connection from (something) [V4NET.0.0.0] +spf_init: something V4NET.0.0.0 +SPF_dns_exim_new +spf_compile.c:523 Debug: Parsing macro starting at Please%_see%_http://www.openspf.org/Why?id=%{S}&ip=%{C}&receiver=%{R} +spf_compile.c:1210 Debug: Compiling record v=spf1 host in dsn_advertise_hosts? no (option unset) host in pipelining_advertise_hosts? yes (matched "*") host in chunking_advertise_hosts? no (end of list) diff --git a/test/stderr/0479 b/test/stderr/0479 index d62ca39f3..4f73548c1 100644 --- a/test/stderr/0479 +++ b/test/stderr/0479 @@ -27,6 +27,10 @@ SMTP<< helo [1.2.3.4] sender_fullhost = ([1.2.3.4]) [1.2.3.4] sender_rcvhost = [1.2.3.4] set_process_info: pppp handling incoming connection from ([1.2.3.4]) [1.2.3.4] +spf_init: [1.2.3.4] 1.2.3.4 +SPF_dns_exim_new +spf_compile.c:523 Debug: Parsing macro starting at Please%_see%_http://www.openspf.org/Why?id=%{S}&ip=%{C}&receiver=%{R} +spf_compile.c:1210 Debug: Compiling record v=spf1 SMTP>> 250 the.local.host.name Hello [1.2.3.4] [1.2.3.4] SMTP<< mail from: spool directory space = nnnnnK inodes = nnnnn check_space = 10240K inodes = 100 msg_size = 0 diff --git a/test/stderr/0487 b/test/stderr/0487 index 887f78ef5..97acc460a 100644 --- a/test/stderr/0487 +++ b/test/stderr/0487 @@ -19,6 +19,10 @@ LOG: smtp_connection MAIN SMTP>> 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 smtp_setup_msg entered SMTP<< ehlo x.y +spf_init: x.y NULL +SPF_dns_exim_new +spf_compile.c:523 Debug: Parsing macro starting at Please%_see%_http://www.openspf.org/Why?id=%{S}&ip=%{C}&receiver=%{R} +spf_compile.c:1210 Debug: Compiling record v=spf1 in dsn_advertise_hosts? no (option unset) in pipelining_advertise_hosts? yes (matched "*") in chunking_advertise_hosts? no (end of list) diff --git a/test/stderr/3400 b/test/stderr/3400 index da04b7f37..c5d7c2787 100644 --- a/test/stderr/3400 +++ b/test/stderr/3400 @@ -432,6 +432,10 @@ testing.testing in helo_lookup_domains? no (end of list) sender_fullhost = (testing.testing) [10.0.0.5] sender_rcvhost = [10.0.0.5] (helo=testing.testing ident=CALLER) set_process_info: pppp handling incoming connection from (testing.testing) [10.0.0.5] U=CALLER +spf_init: testing.testing 10.0.0.5 +SPF_dns_exim_new +spf_compile.c:523 Debug: Parsing macro starting at Please%_see%_http://www.openspf.org/Why?id=%{S}&ip=%{C}&receiver=%{R} +spf_compile.c:1210 Debug: Compiling record v=spf1 host in dsn_advertise_hosts? no (option unset) host in pipelining_advertise_hosts? yes (matched "*") host in "10.0.0.1"? no (end of list) diff --git a/test/stdout/4600 b/test/stdout/4600 index e1089a58b..030d1ebd4 100644 --- a/test/stdout/4600 +++ b/test/stdout/4600 @@ -1,4 +1,4 @@ -Connecting to 127.0.0.1 port 1225 ... connected +Connecting to 127.0.0.1 port 1224 ... connected ??? 220 <<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 >>> helo testclient @@ -12,12 +12,12 @@ Connecting to 127.0.0.1 port 1225 ... connected <<< 250 Accepted >>> quit End of script -Connecting to 127.0.0.1 port 1225 ... connected +Connecting to ip4.ip4.ip4.ip4 port 1224 ... connected ??? 220 <<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 >>> helo testclient ??? 250 -<<< 250 myhost.test.ex Hello testclient [127.0.0.1] +<<< 250 myhost.test.ex Hello testclient [ip4.ip4.ip4.ip4] >>> mail from: ??? 250 <<< 250 OK @@ -26,7 +26,7 @@ Connecting to 127.0.0.1 port 1225 ... connected <<< 250 Accepted >>> quit End of script -Connecting to 127.0.0.1 port 1224 ... connected +Connecting to 127.0.0.1 port 1225 ... connected ??? 220 <<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 >>> helo testclient @@ -40,3 +40,31 @@ Connecting to 127.0.0.1 port 1224 ... connected <<< 250 Accepted >>> quit End of script +Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected +??? 220 +<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +>>> helo testclient +??? 250 +<<< 250 myhost.test.ex Hello testclient [ip4.ip4.ip4.ip4] +>>> mail from: +??? 250 +<<< 250 OK +>>> rcpt to: +??? 550 +<<< 550 Administrative prohibition +>>> quit +End of script +Connecting to 127.0.0.1 port 1223 ... connected +??? 220 +<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +>>> helo testclient +??? 250 +<<< 250 myhost.test.ex Hello testclient [127.0.0.1] +>>> mail from: +??? 250 +<<< 250 OK +>>> rcpt to: +??? 550 +<<< 550 Administrative prohibition +>>> quit +End of script -- 2.25.1