[exim.git] / src / src / spf.c

/*************************************************
*     Exim - an Internet mail transport agent    *
*************************************************/

/* SPF support.
   Copyright (c) Tom Kistner <tom@duncanthrax.net> 2004 - 2014
   License: GPL
   Copyright (c) The Exim Maintainers 2015 - 2019
*/

/* Code for calling spf checks via libspf-alt. Called from acl.c. */

#include "exim.h"
#ifdef SUPPORT_SPF

/* must be kept in numeric order */
static spf_result_id spf_result_id_list[] = {
  /* name		value */
  { US"invalid",	0},
  { US"neutral",	1 },
  { US"pass",		2 },
  { US"fail",		3 },
  { US"softfail",	4 },
  { US"none",		5 },
  { US"temperror",	6 }, /* RFC 4408 defined */
  { US"permerror",	7 }  /* RFC 4408 defined */
};

SPF_server_t    *spf_server = NULL;
SPF_request_t   *spf_request = NULL;
SPF_response_t  *spf_response = NULL;
SPF_response_t  *spf_response_2mx = NULL;

SPF_dns_rr_t  * spf_nxdomain = NULL;


void
spf_lib_version_report(FILE * fp)
{
int maj, min, patch;
SPF_get_lib_version(&maj, &min, &patch);
fprintf(fp, "Library version: spf2: Compile: %d.%d.%d\n",
	SPF_LIB_VERSION_MAJOR, SPF_LIB_VERSION_MINOR, SPF_LIB_VERSION_PATCH);
fprintf(fp, "                       Runtime: %d.%d.%d\n",
	 maj, min, patch);
}


static SPF_dns_rr_t *
SPF_dns_exim_lookup(SPF_dns_server_t *spf_dns_server,
  const char *domain, ns_type rr_type, int should_cache)
{
dns_answer * dnsa = store_get_dns_answer();
dns_scan dnss;
SPF_dns_rr_t * spfrr;
unsigned found = 0;

SPF_dns_rr_t srr = {
  .domain = CS domain,			/* query information */
  .domain_buf_len = 0,
  .rr_type = rr_type,

  .rr_buf_len = 0,			/* answer information */
  .rr_buf_num = 0, /* no free of s */
  .utc_ttl = 0,

  .hook = NULL,				/* misc information */
  .source = spf_dns_server
};
int dns_rc;

DEBUG(D_receive) debug_printf("SPF_dns_exim_lookup '%s'\n", domain);

switch (dns_rc = dns_lookup(dnsa, US domain, rr_type, NULL))
  {
  case DNS_SUCCEED:	srr.herrno = NETDB_SUCCESS;	break;
  case DNS_AGAIN:	srr.herrno = TRY_AGAIN;		break;
  case DNS_NOMATCH:	srr.herrno = HOST_NOT_FOUND;	break;
  case DNS_NODATA:	srr.herrno = NO_DATA;		break;
  case DNS_FAIL:
  default:		srr.herrno = NO_RECOVERY;	break;
  } 

for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
     rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
  if (rr->type == rr_type) found++;

if (found == 0)
  {
  SPF_dns_rr_dup(&spfrr, &srr);
  return spfrr;
  }

srr.rr = store_malloc(sizeof(SPF_dns_rr_data_t) * found);

found = 0;
for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
   rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
  if (rr->type == rr_type)
    {
    const uschar * s = rr->data;

    srr.ttl = rr->ttl;
    switch(rr_type)
      {
      case T_MX:
	s += 2;	/* skip the MX precedence field */
      case T_PTR:
	{
	uschar * buf = store_malloc(256);
	(void)dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, s,
	  (DN_EXPAND_ARG4_TYPE)buf, 256);
	s = buf;
	break;
	}

      case T_TXT:
	{
	gstring * g = NULL;
	uschar chunk_len;

	if (strncmpic(rr->data+1, US SPF_VER_STR, 6) != 0)
	  {
	  HDEBUG(D_host_lookup) debug_printf("not an spf record\n");
	  continue;
	  }

	for (int off = 0; off < rr->size; off += chunk_len)
	  {
	  if (!(chunk_len = s[off++])) break;
	  g = string_catn(g, s+off, chunk_len);
	  }
	if (!g)
	  continue;
	gstring_release_unused(g);
	s = string_copy_malloc(string_from_gstring(g));
	break;
	}

      case T_A:
      case T_AAAA:
      default:
	{
	uschar * buf = store_malloc(dnsa->answerlen + 1);
	s = memcpy(buf, s, dnsa->answerlen + 1);
	break;
	}
      }
    DEBUG(D_receive) debug_printf("SPF_dns_exim_lookup '%s'\n", s);
    srr.rr[found++] = (void *) s;
    }

srr.num_rr = found;
/* spfrr->rr must have been malloc()d for this */
SPF_dns_rr_dup(&spfrr, &srr);
return spfrr;
}


SPF_dns_server_t *
SPF_dns_exim_new(int debug)
{
SPF_dns_server_t * spf_dns_server = store_malloc(sizeof(SPF_dns_server_t));

DEBUG(D_receive) debug_printf("SPF_dns_exim_new\n");

memset(spf_dns_server, 0, sizeof(SPF_dns_server_t));
spf_dns_server->destroy      = NULL;
spf_dns_server->lookup       = SPF_dns_exim_lookup;
spf_dns_server->get_spf      = NULL;
spf_dns_server->get_exp      = NULL;
spf_dns_server->add_cache    = NULL;
spf_dns_server->layer_below  = NULL;
spf_dns_server->name         = "exim";
spf_dns_server->debug        = debug;

/* XXX This might have to return NO_DATA sometimes. */

spf_nxdomain = SPF_dns_rr_new_init(spf_dns_server,
  "", ns_t_any, 24 * 60 * 60, HOST_NOT_FOUND);
if (!spf_nxdomain)
  {
  free(spf_dns_server);
  return NULL;
  }

return spf_dns_server;
}


/* Construct the SPF library stack.
   Return: Boolean success.
*/

BOOL
spf_init(void)
{
SPF_dns_server_t * dc;
int debug = 0;

DEBUG(D_receive) debug = 1;

/* We insert our own DNS access layer rather than letting the spf library
do it, so that our dns access path is used for debug tracing and for the
testsuite. */

if (!(dc = SPF_dns_exim_new(debug)))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_dns_exim_new() failed\n");
  return FALSE;
  }
if (!(dc = SPF_dns_cache_new(dc, NULL, debug, 8)))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_dns_cache_new() failed\n");
  return FALSE;
  }
if (!(spf_server = SPF_server_new_dns(dc, debug)))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_server_new() failed.\n");
  return FALSE;
  }
  /* Quick hack to override the outdated explanation URL.
  See https://www.mail-archive.com/mailop@mailop.org/msg08019.html */
  SPF_server_set_explanation(spf_server, "Please%_see%_http://www.open-spf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}", &spf_response);
  if (SPF_response_errcode(spf_response) != SPF_E_SUCCESS)
    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s", SPF_strerror(SPF_response_errcode(spf_response)));

return TRUE;
}


/* Set up a context that can be re-used for several
   messages on the same SMTP connection (that come from the
   same host with the same HELO string).

Return: Boolean success
*/

BOOL
spf_conn_init(uschar * spf_helo_domain, uschar * spf_remote_addr)
{
DEBUG(D_receive)
  debug_printf("spf_conn_init: %s %s\n", spf_helo_domain, spf_remote_addr);

if (!spf_server && !spf_init()) return FALSE;

if (SPF_server_set_rec_dom(spf_server, CS primary_hostname))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_server_set_rec_dom(\"%s\") failed.\n",
    primary_hostname);
  spf_server = NULL;
  return FALSE;
  }

spf_request = SPF_request_new(spf_server);

if (  SPF_request_set_ipv4_str(spf_request, CS spf_remote_addr)
   && SPF_request_set_ipv6_str(spf_request, CS spf_remote_addr)
   )
  {
  DEBUG(D_receive)
    debug_printf("spf: SPF_request_set_ipv4_str() and "
      "SPF_request_set_ipv6_str() failed [%s]\n", spf_remote_addr);
  spf_server = NULL;
  spf_request = NULL;
  return FALSE;
  }

if (SPF_request_set_helo_dom(spf_request, CS spf_helo_domain))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_set_helo_dom(\"%s\") failed.\n",
    spf_helo_domain);
  spf_server = NULL;
  spf_request = NULL;
  return FALSE;
  }

return TRUE;
}


/* spf_process adds the envelope sender address to the existing
   context (if any), retrieves the result, sets up expansion
   strings and evaluates the condition outcome.

Return: OK/FAIL  */

int
spf_process(const uschar **listptr, uschar *spf_envelope_sender, int action)
{
int sep = 0;
const uschar *list = *listptr;
uschar *spf_result_id;
int rc = SPF_RESULT_PERMERROR;

DEBUG(D_receive) debug_printf("spf_process\n");

if (!(spf_server && spf_request))
  /* no global context, assume temp error and skip to evaluation */
  rc = SPF_RESULT_PERMERROR;

else if (SPF_request_set_env_from(spf_request, CS spf_envelope_sender))
  /* Invalid sender address. This should be a real rare occurrence */
  rc = SPF_RESULT_PERMERROR;

else
  {
  /* get SPF result */
  if (action == SPF_PROCESS_FALLBACK)
    {
    SPF_request_query_fallback(spf_request, &spf_response, CS spf_guess);
    spf_result_guessed = TRUE;
    }
  else
    SPF_request_query_mailfrom(spf_request, &spf_response);

  /* set up expansion items */
  spf_header_comment     = US SPF_response_get_header_comment(spf_response);
  spf_received           = US SPF_response_get_received_spf(spf_response);
  spf_result             = US SPF_strresult(SPF_response_result(spf_response));
  spf_smtp_comment       = US SPF_response_get_smtp_comment(spf_response);

  rc = SPF_response_result(spf_response);
  }

/* We got a result. Now see if we should return OK or FAIL for it */
DEBUG(D_acl) debug_printf("SPF result is %s (%d)\n", SPF_strresult(rc), rc);

if (action == SPF_PROCESS_GUESS && (!strcmp (SPF_strresult(rc), "none")))
  return spf_process(listptr, spf_envelope_sender, SPF_PROCESS_FALLBACK);

while ((spf_result_id = string_nextinlist(&list, &sep, NULL, 0)))
  {
  BOOL negate, result;

  if ((negate = spf_result_id[0] == '!'))
    spf_result_id++;

  result = Ustrcmp(spf_result_id, spf_result_id_list[rc].name) == 0;
  if (negate != result) return OK;
  }

/* no match */
return FAIL;
}


gstring *
authres_spf(gstring * g)
{
uschar * s;
if (!spf_result) return g;

g = string_append(g, 2, US";\n\tspf=", spf_result);
if (spf_result_guessed)
  g = string_cat(g, US" (best guess record for domain)");

s = expand_string(US"$sender_address_domain");
return s && *s
  ? string_append(g, 2, US" smtp.mailfrom=", s)
  : string_cat(g, US" smtp.mailfrom=<>");
}


#endif
Commit	Line	Data
8523533c TK	1	/*************************************************
	2	* Exim - an Internet mail transport agent *
	3	*************************************************/
8e669ac1	4
b8e97684	5	/* SPF support.
5a66c31b	6	Copyright (c) Tom Kistner <tom@duncanthrax.net> 2004 - 2014
80fea873	7	License: GPL
b8e97684	8	Copyright (c) The Exim Maintainers 2015 - 2019
80fea873	9	*/
8e669ac1	10
8523533c TK	11	/* Code for calling spf checks via libspf-alt. Called from acl.c. */
	12
	13	#include "exim.h"
7952eef9	14	#ifdef SUPPORT_SPF
8523533c	15
6d06cf48 TK	16	/* must be kept in numeric order */
6d06cf48 TK	17	static spf_result_id spf_result_id_list[] = {
f2ed27cf JH	18	/* name value */
	19	{ US"invalid", 0},
	20	{ US"neutral", 1 },
	21	{ US"pass", 2 },
	22	{ US"fail", 3 },
	23	{ US"softfail", 4 },
	24	{ US"none", 5 },
f2ed27cf JH	25	{ US"temperror", 6 }, /* RFC 4408 defined */
f2ed27cf JH	26	{ US"permerror", 7 } /* RFC 4408 defined */
6d06cf48 TK	27	};
6d06cf48 TK	28
384152a6 TK	29	SPF_server_t *spf_server = NULL;
	30	SPF_request_t *spf_request = NULL;
	31	SPF_response_t *spf_response = NULL;
	32	SPF_response_t *spf_response_2mx = NULL;
8523533c	33
b8e97684 JH	34	SPF_dns_rr_t * spf_nxdomain = NULL;
	35
	36
85e453f6 JH	37	void
	38	spf_lib_version_report(FILE * fp)
	39	{
	40	int maj, min, patch;
	41	SPF_get_lib_version(&maj, &min, &patch);
	42	fprintf(fp, "Library version: spf2: Compile: %d.%d.%d\n",
	43	SPF_LIB_VERSION_MAJOR, SPF_LIB_VERSION_MINOR, SPF_LIB_VERSION_PATCH);
	44	fprintf(fp, " Runtime: %d.%d.%d\n",
	45	maj, min, patch);
	46	}
	47
	48
b8e97684 JH	49
	50	static SPF_dns_rr_t *
	51	SPF_dns_exim_lookup(SPF_dns_server_t *spf_dns_server,
44e90dfa	52	const char *domain, ns_type rr_type, int should_cache)
b8e97684	53	{
8743d3ac	54	dns_answer * dnsa = store_get_dns_answer();
b8e97684 JH	55	dns_scan dnss;
b8e97684 JH	56	SPF_dns_rr_t * spfrr;
4533e306 JH	57	unsigned found = 0;
	58
	59	SPF_dns_rr_t srr = {
	60	.domain = CS domain, /* query information */
	61	.domain_buf_len = 0,
	62	.rr_type = rr_type,
	63
	64	.rr_buf_len = 0, /* answer information */
	65	.rr_buf_num = 0, /* no free of s */
	66	.utc_ttl = 0,
	67
	68	.hook = NULL, /* misc information */
	69	.source = spf_dns_server
	70	};
44e90dfa	71	int dns_rc;
b8e97684	72
4a3709fb	73	DEBUG(D_receive) debug_printf("SPF_dns_exim_lookup '%s'\n", domain);
b8e97684	74
44e90dfa	75	switch (dns_rc = dns_lookup(dnsa, US domain, rr_type, NULL))
4533e306	76	{
44e90dfa WB	77	case DNS_SUCCEED: srr.herrno = NETDB_SUCCESS; break;
	78	case DNS_AGAIN: srr.herrno = TRY_AGAIN; break;
	79	case DNS_NOMATCH: srr.herrno = HOST_NOT_FOUND; break;
f73eb7e3	80	case DNS_NODATA: srr.herrno = NO_DATA; break;
44e90dfa WB	81	case DNS_FAIL:
	82	default: srr.herrno = NO_RECOVERY; break;
	83	}
4533e306 JH	84
	85	for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
	86	rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
	87	if (rr->type == rr_type) found++;
	88
44e90dfa WB	89	if (found == 0)
	90	{
	91	SPF_dns_rr_dup(&spfrr, &srr);
	92	return spfrr;
	93	}
	94
4533e306	95	srr.rr = store_malloc(sizeof(SPF_dns_rr_data_t) * found);
4533e306 JH	96
	97	found = 0;
	98	for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
	99	rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
	100	if (rr->type == rr_type)
	101	{
	102	const uschar * s = rr->data;
	103
	104	srr.ttl = rr->ttl;
	105	switch(rr_type)
b8e97684	106	{
4533e306	107	case T_MX:
44e90dfa	108	s += 2; /* skip the MX precedence field */
4533e306	109	case T_PTR:
b8e97684	110	{
4533e306 JH	111	uschar * buf = store_malloc(256);
	112	(void)dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, s,
	113	(DN_EXPAND_ARG4_TYPE)buf, 256);
	114	s = buf;
	115	break;
	116	}
	117
	118	case T_TXT:
	119	{
	120	gstring * g = NULL;
	121	uschar chunk_len;
4a3709fb	122
85e453f6	123	if (strncmpic(rr->data+1, US SPF_VER_STR, 6) != 0)
4a3709fb	124	{
4533e306 JH	125	HDEBUG(D_host_lookup) debug_printf("not an spf record\n");
4533e306 JH	126	continue;
4a3709fb WB	127	}
4a3709fb WB	128
4533e306	129	for (int off = 0; off < rr->size; off += chunk_len)
4a3709fb	130	{
4533e306 JH	131	if (!(chunk_len = s[off++])) break;
4533e306 JH	132	g = string_catn(g, s+off, chunk_len);
4a3709fb	133	}
4533e306 JH	134	if (!g)
	135	continue;
	136	gstring_release_unused(g);
	137	s = string_copy_malloc(string_from_gstring(g));
	138	break;
b8e97684	139	}
b8e97684	140
4533e306 JH	141	case T_A:
	142	case T_AAAA:
	143	default:
	144	{
	145	uschar * buf = store_malloc(dnsa->answerlen + 1);
	146	s = memcpy(buf, s, dnsa->answerlen + 1);
	147	break;
	148	}
b8e97684	149	}
4533e306 JH	150	DEBUG(D_receive) debug_printf("SPF_dns_exim_lookup '%s'\n", s);
	151	srr.rr[found++] = (void *) s;
	152	}
b8e97684	153
44e90dfa	154	srr.num_rr = found;
4533e306 JH	155	/* spfrr->rr must have been malloc()d for this */
4533e306 JH	156	SPF_dns_rr_dup(&spfrr, &srr);
b8e97684 JH	157	return spfrr;
	158	}
	159
	160
	161
	162	SPF_dns_server_t *
	163	SPF_dns_exim_new(int debug)
	164	{
4533e306	165	SPF_dns_server_t * spf_dns_server = store_malloc(sizeof(SPF_dns_server_t));
b8e97684 JH	166
	167	DEBUG(D_receive) debug_printf("SPF_dns_exim_new\n");
	168
b8e97684	169	memset(spf_dns_server, 0, sizeof(SPF_dns_server_t));
b8e97684 JH	170	spf_dns_server->destroy = NULL;
	171	spf_dns_server->lookup = SPF_dns_exim_lookup;
	172	spf_dns_server->get_spf = NULL;
	173	spf_dns_server->get_exp = NULL;
	174	spf_dns_server->add_cache = NULL;
	175	spf_dns_server->layer_below = NULL;
	176	spf_dns_server->name = "exim";
	177	spf_dns_server->debug = debug;
	178
	179	/* XXX This might have to return NO_DATA sometimes. */
	180
	181	spf_nxdomain = SPF_dns_rr_new_init(spf_dns_server,
	182	"", ns_t_any, 24 * 60 * 60, HOST_NOT_FOUND);
	183	if (!spf_nxdomain)
	184	{
	185	free(spf_dns_server);
	186	return NULL;
	187	}
	188
	189	return spf_dns_server;
	190	}
	191
	192
eb52e2cb	193
8e669ac1	194
73ec116f JH	195	/* Construct the SPF library stack.
	196	Return: Boolean success.
	197	*/
8e669ac1	198
eb52e2cb	199	BOOL
73ec116f	200	spf_init(void)
eb52e2cb	201	{
b8e97684	202	SPF_dns_server_t * dc;
73ec116f	203	int debug = 0;
b8e97684	204
73ec116f	205	DEBUG(D_receive) debug = 1;
b8e97684 JH	206
	207	/* We insert our own DNS access layer rather than letting the spf library
	208	do it, so that our dns access path is used for debug tracing and for the
	209	testsuite. */
8e669ac1	210
b8e97684 JH	211	if (!(dc = SPF_dns_exim_new(debug)))
	212	{
	213	DEBUG(D_receive) debug_printf("spf: SPF_dns_exim_new() failed\n");
	214	return FALSE;
	215	}
	216	if (!(dc = SPF_dns_cache_new(dc, NULL, debug, 8)))
	217	{
	218	DEBUG(D_receive) debug_printf("spf: SPF_dns_cache_new() failed\n");
	219	return FALSE;
	220	}
	221	if (!(spf_server = SPF_server_new_dns(dc, debug)))
eb52e2cb JH	222	{
	223	DEBUG(D_receive) debug_printf("spf: SPF_server_new() failed.\n");
	224	return FALSE;
8523533c	225	}
05e4f4de HSHR	226	/* Quick hack to override the outdated explanation URL.
	227	See https://www.mail-archive.com/mailop@mailop.org/msg08019.html */
	228	SPF_server_set_explanation(spf_server, "Please%_see%_http://www.open-spf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}", &spf_response);
	229	if (SPF_response_errcode(spf_response) != SPF_E_SUCCESS)
	230	log_write(0, LOG_MAIN\|LOG_PANIC_DIE, "%s", SPF_strerror(SPF_response_errcode(spf_response)));
	231
73ec116f JH	232	return TRUE;
	233	}
	234
	235
	236	/* Set up a context that can be re-used for several
	237	messages on the same SMTP connection (that come from the
	238	same host with the same HELO string).
	239
	240	Return: Boolean success
	241	*/
	242
	243	BOOL
	244	spf_conn_init(uschar * spf_helo_domain, uschar * spf_remote_addr)
	245	{
	246	DEBUG(D_receive)
	247	debug_printf("spf_conn_init: %s %s\n", spf_helo_domain, spf_remote_addr);
	248
	249	if (!spf_server && !spf_init()) return FALSE;
8523533c	250
eb52e2cb JH	251	if (SPF_server_set_rec_dom(spf_server, CS primary_hostname))
	252	{
	253	DEBUG(D_receive) debug_printf("spf: SPF_server_set_rec_dom(\"%s\") failed.\n",
	254	primary_hostname);
	255	spf_server = NULL;
	256	return FALSE;
7b3a77e5 TK	257	}
7b3a77e5 TK	258
eb52e2cb JH	259	spf_request = SPF_request_new(spf_server);
	260
	261	if ( SPF_request_set_ipv4_str(spf_request, CS spf_remote_addr)
	262	&& SPF_request_set_ipv6_str(spf_request, CS spf_remote_addr)
	263	)
	264	{
	265	DEBUG(D_receive)
	266	debug_printf("spf: SPF_request_set_ipv4_str() and "
	267	"SPF_request_set_ipv6_str() failed [%s]\n", spf_remote_addr);
	268	spf_server = NULL;
	269	spf_request = NULL;
	270	return FALSE;
8523533c TK	271	}
8523533c TK	272
eb52e2cb JH	273	if (SPF_request_set_helo_dom(spf_request, CS spf_helo_domain))
	274	{
	275	DEBUG(D_receive) debug_printf("spf: SPF_set_helo_dom(\"%s\") failed.\n",
	276	spf_helo_domain);
	277	spf_server = NULL;
	278	spf_request = NULL;
	279	return FALSE;
8523533c	280	}
8e669ac1	281
eb52e2cb	282	return TRUE;
8523533c TK	283	}
	284
	285
	286	/* spf_process adds the envelope sender address to the existing
	287	context (if any), retrieves the result, sets up expansion
eb52e2cb	288	strings and evaluates the condition outcome.
f9ba5e22	289
eb52e2cb JH	290	Return: OK/FAIL */
	291
	292	int
	293	spf_process(const uschar *listptr, uschar spf_envelope_sender, int action)
	294	{
	295	int sep = 0;
	296	const uschar list = listptr;
	297	uschar *spf_result_id;
	298	int rc = SPF_RESULT_PERMERROR;
	299
b8e97684 JH	300	DEBUG(D_receive) debug_printf("spf_process\n");
b8e97684 JH	301
eb52e2cb JH	302	if (!(spf_server && spf_request))
	303	/* no global context, assume temp error and skip to evaluation */
	304	rc = SPF_RESULT_PERMERROR;
	305
	306	else if (SPF_request_set_env_from(spf_request, CS spf_envelope_sender))
aded2255	307	/* Invalid sender address. This should be a real rare occurrence */
eb52e2cb JH	308	rc = SPF_RESULT_PERMERROR;
	309
	310	else
	311	{
8523533c	312	/* get SPF result */
65a7d8c3	313	if (action == SPF_PROCESS_FALLBACK)
87e9d061	314	{
7156b1ef	315	SPF_request_query_fallback(spf_request, &spf_response, CS spf_guess);
87e9d061 JH	316	spf_result_guessed = TRUE;
87e9d061 JH	317	}
65a7d8c3 NM	318	else
65a7d8c3 NM	319	SPF_request_query_mailfrom(spf_request, &spf_response);
8523533c TK	320
8523533c TK	321	/* set up expansion items */
5903c6ff JH	322	spf_header_comment = US SPF_response_get_header_comment(spf_response);
	323	spf_received = US SPF_response_get_received_spf(spf_response);
	324	spf_result = US SPF_strresult(SPF_response_result(spf_response));
	325	spf_smtp_comment = US SPF_response_get_smtp_comment(spf_response);
8523533c	326
384152a6	327	rc = SPF_response_result(spf_response);
eb52e2cb JH	328	}
	329
	330	/* We got a result. Now see if we should return OK or FAIL for it */
	331	DEBUG(D_acl) debug_printf("SPF result is %s (%d)\n", SPF_strresult(rc), rc);
	332
	333	if (action == SPF_PROCESS_GUESS && (!strcmp (SPF_strresult(rc), "none")))
	334	return spf_process(listptr, spf_envelope_sender, SPF_PROCESS_FALLBACK);
	335
	336	while ((spf_result_id = string_nextinlist(&list, &sep, NULL, 0)))
	337	{
	338	BOOL negate, result;
	339
	340	if ((negate = spf_result_id[0] == '!'))
	341	spf_result_id++;
	342
	343	result = Ustrcmp(spf_result_id, spf_result_id_list[rc].name) == 0;
	344	if (negate != result) return OK;
	345	}
8523533c	346
eb52e2cb JH	347	/* no match */
eb52e2cb JH	348	return FAIL;
8523533c TK	349	}
8523533c TK	350
dfbcb5ac JH	351
	352
	353	gstring *
	354	authres_spf(gstring * g)
	355	{
87e9d061	356	uschar * s;
dfbcb5ac JH	357	if (!spf_result) return g;
dfbcb5ac JH	358
87e9d061 JH	359	g = string_append(g, 2, US";\n\tspf=", spf_result);
	360	if (spf_result_guessed)
	361	g = string_cat(g, US" (best guess record for domain)");
	362
	363	s = expand_string(US"$sender_address_domain");
	364	return s && *s
	365	? string_append(g, 2, US" smtp.mailfrom=", s)
	366	: string_cat(g, US" smtp.mailfrom=<>");
dfbcb5ac JH	367	}
	368
	369
8523533c	370	#endif