[exim.git] / src / src / spf.c

/*************************************************
*     Exim - an Internet mail transport agent    *
*************************************************/

/* SPF support.
   Copyright (c) Tom Kistner <tom@duncanthrax.net> 2004 - 2014
   License: GPL
   Copyright (c) The Exim Maintainers 2015 - 2020
*/

/* Code for calling spf checks via libspf-alt. Called from acl.c. */

#include "exim.h"
#ifdef SUPPORT_SPF

/* must be kept in numeric order */
static spf_result_id spf_result_id_list[] = {
  /* name		value */
  { US"invalid",	0},
  { US"neutral",	1 },
  { US"pass",		2 },
  { US"fail",		3 },
  { US"softfail",	4 },
  { US"none",		5 },
  { US"temperror",	6 }, /* RFC 4408 defined */
  { US"permerror",	7 }  /* RFC 4408 defined */
};

SPF_server_t    *spf_server = NULL;
SPF_request_t   *spf_request = NULL;
SPF_response_t  *spf_response = NULL;
SPF_response_t  *spf_response_2mx = NULL;

SPF_dns_rr_t  * spf_nxdomain = NULL;


void
spf_lib_version_report(FILE * fp)
{
int maj, min, patch;
SPF_get_lib_version(&maj, &min, &patch);
fprintf(fp, "Library version: spf2: Compile: %d.%d.%d\n",
	SPF_LIB_VERSION_MAJOR, SPF_LIB_VERSION_MINOR, SPF_LIB_VERSION_PATCH);
fprintf(fp, "                       Runtime: %d.%d.%d\n",
	 maj, min, patch);
}


static SPF_dns_rr_t *
SPF_dns_exim_lookup(SPF_dns_server_t *spf_dns_server,
  const char *domain, ns_type rr_type, int should_cache)
{
dns_answer * dnsa = store_get_dns_answer();
dns_scan dnss;
SPF_dns_rr_t * spfrr;
unsigned found = 0;

SPF_dns_rr_t srr = {
  .domain = CS domain,			/* query information */
  .domain_buf_len = 0,
  .rr_type = rr_type,

  .rr_buf_len = 0,			/* answer information */
  .rr_buf_num = 0, /* no free of s */
  .utc_ttl = 0,

  .hook = NULL,				/* misc information */
  .source = spf_dns_server
};
int dns_rc;

DEBUG(D_receive) debug_printf("SPF_dns_exim_lookup '%s'\n", domain);

/* Shortcircuit SPF RR lookups by returning NO_DATA.  They were obsoleted by
RFC 6686/7208 years ago. see bug #1294 */

if (rr_type == T_SPF)
  {
  HDEBUG(D_host_lookup) debug_printf("faking NO_DATA for SPF RR(99) lookup\n");
  srr.herrno = NO_DATA;
  SPF_dns_rr_dup(&spfrr, &srr);
  return spfrr;
  }

switch (dns_rc = dns_lookup(dnsa, US domain, rr_type, NULL))
  {
  case DNS_SUCCEED:	srr.herrno = NETDB_SUCCESS;	break;
  case DNS_AGAIN:	srr.herrno = TRY_AGAIN;		break;
  case DNS_NOMATCH:	srr.herrno = HOST_NOT_FOUND;	break;
  case DNS_NODATA:	srr.herrno = NO_DATA;		break;
  case DNS_FAIL:
  default:		srr.herrno = NO_RECOVERY;	break;
  } 

for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
     rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
  if (rr->type == rr_type) found++;

if (found == 0)
  {
  SPF_dns_rr_dup(&spfrr, &srr);
  return spfrr;
  }

srr.rr = store_malloc(sizeof(SPF_dns_rr_data_t) * found);

found = 0;
for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
   rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
  if (rr->type == rr_type)
    {
    const uschar * s = rr->data;

    srr.ttl = rr->ttl;
    switch(rr_type)
      {
      case T_MX:
	s += 2;	/* skip the MX precedence field */
      case T_PTR:
	{
	uschar * buf = store_malloc(256);
	(void)dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, s,
	  (DN_EXPAND_ARG4_TYPE)buf, 256);
	s = buf;
	break;
	}

      case T_TXT:
	{
	gstring * g = NULL;
	uschar chunk_len;

	if (strncmpic(rr->data+1, US SPF_VER_STR, 6) != 0)
	  {
	  HDEBUG(D_host_lookup) debug_printf("not an spf record: %.*s\n",
	    (int) s[0], s+1);
	  continue;
	  }

	for (int off = 0; off < rr->size; off += chunk_len)
	  {
	  if (!(chunk_len = s[off++])) break;
	  g = string_catn(g, s+off, chunk_len);
	  }
	if (!g)
	  continue;
	gstring_release_unused(g);
	s = string_copy_malloc(string_from_gstring(g));
	DEBUG(D_receive) debug_printf("SPF_dns_exim_lookup '%s'\n", s);
	break;
	}

      case T_A:
      case T_AAAA:
      default:
	{
	uschar * buf = store_malloc(dnsa->answerlen + 1);
	s = memcpy(buf, s, dnsa->answerlen + 1);
	break;
	}
      }
    srr.rr[found++] = (void *) s;
    }

/* Did we filter out all TXT RRs? Return NO_DATA instead of SUCCESS with
empty ANSWER section. */

if (!(srr.num_rr = found))
  srr.herrno = NO_DATA;

/* spfrr->rr must have been malloc()d for this */
SPF_dns_rr_dup(&spfrr, &srr);
return spfrr;
}


SPF_dns_server_t *
SPF_dns_exim_new(int debug)
{
SPF_dns_server_t * spf_dns_server = store_malloc(sizeof(SPF_dns_server_t));

DEBUG(D_receive) debug_printf("SPF_dns_exim_new\n");

memset(spf_dns_server, 0, sizeof(SPF_dns_server_t));
spf_dns_server->destroy      = NULL;
spf_dns_server->lookup       = SPF_dns_exim_lookup;
spf_dns_server->get_spf      = NULL;
spf_dns_server->get_exp      = NULL;
spf_dns_server->add_cache    = NULL;
spf_dns_server->layer_below  = NULL;
spf_dns_server->name         = "exim";
spf_dns_server->debug        = debug;

/* XXX This might have to return NO_DATA sometimes. */

spf_nxdomain = SPF_dns_rr_new_init(spf_dns_server,
  "", ns_t_any, 24 * 60 * 60, HOST_NOT_FOUND);
if (!spf_nxdomain)
  {
  free(spf_dns_server);
  return NULL;
  }

return spf_dns_server;
}


/* Construct the SPF library stack.
   Return: Boolean success.
*/

BOOL
spf_init(void)
{
SPF_dns_server_t * dc;
int debug = 0;

DEBUG(D_receive) debug = 1;

/* We insert our own DNS access layer rather than letting the spf library
do it, so that our dns access path is used for debug tracing and for the
testsuite. */

if (!(dc = SPF_dns_exim_new(debug)))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_dns_exim_new() failed\n");
  return FALSE;
  }
if (!(dc = SPF_dns_cache_new(dc, NULL, debug, 8)))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_dns_cache_new() failed\n");
  return FALSE;
  }
if (!(spf_server = SPF_server_new_dns(dc, debug)))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_server_new() failed.\n");
  return FALSE;
  }
  /* Quick hack to override the outdated explanation URL.
  See https://www.mail-archive.com/mailop@mailop.org/msg08019.html */
  SPF_server_set_explanation(spf_server, "Please%_see%_http://www.open-spf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}", &spf_response);
  if (SPF_response_errcode(spf_response) != SPF_E_SUCCESS)
    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s", SPF_strerror(SPF_response_errcode(spf_response)));

return TRUE;
}


/* Set up a context that can be re-used for several
   messages on the same SMTP connection (that come from the
   same host with the same HELO string).

Return: Boolean success
*/

BOOL
spf_conn_init(uschar * spf_helo_domain, uschar * spf_remote_addr)
{
DEBUG(D_receive)
  debug_printf("spf_conn_init: %s %s\n", spf_helo_domain, spf_remote_addr);

if (!spf_server && !spf_init()) return FALSE;

if (SPF_server_set_rec_dom(spf_server, CS primary_hostname))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_server_set_rec_dom(\"%s\") failed.\n",
    primary_hostname);
  spf_server = NULL;
  return FALSE;
  }

spf_request = SPF_request_new(spf_server);

if (  SPF_request_set_ipv4_str(spf_request, CS spf_remote_addr)
   && SPF_request_set_ipv6_str(spf_request, CS spf_remote_addr)
   )
  {
  DEBUG(D_receive)
    debug_printf("spf: SPF_request_set_ipv4_str() and "
      "SPF_request_set_ipv6_str() failed [%s]\n", spf_remote_addr);
  spf_server = NULL;
  spf_request = NULL;
  return FALSE;
  }

if (SPF_request_set_helo_dom(spf_request, CS spf_helo_domain))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_set_helo_dom(\"%s\") failed.\n",
    spf_helo_domain);
  spf_server = NULL;
  spf_request = NULL;
  return FALSE;
  }

return TRUE;
}


void
spf_response_debug(SPF_response_t * spf_response)
{
if (SPF_response_messages(spf_response) == 0)
  debug_printf(" (no errors)\n");
else for (int i = 0; i < SPF_response_messages(spf_response); i++)
  {
  SPF_error_t * err = SPF_response_message(spf_response, i);
  debug_printf( "%s_msg = (%d) %s\n",
		  (SPF_error_errorp(err) ? "warn" : "err"),
		  SPF_error_code(err),
		  SPF_error_message(err));
  }
}


/* spf_process adds the envelope sender address to the existing
   context (if any), retrieves the result, sets up expansion
   strings and evaluates the condition outcome.

Return: OK/FAIL  */

int
spf_process(const uschar **listptr, uschar *spf_envelope_sender, int action)
{
int sep = 0;
const uschar *list = *listptr;
uschar *spf_result_id;
int rc = SPF_RESULT_PERMERROR;

DEBUG(D_receive) debug_printf("spf_process\n");

if (!(spf_server && spf_request))
  /* no global context, assume temp error and skip to evaluation */
  rc = SPF_RESULT_PERMERROR;

else if (SPF_request_set_env_from(spf_request, CS spf_envelope_sender))
  /* Invalid sender address. This should be a real rare occurrence */
  rc = SPF_RESULT_PERMERROR;

else
  {
  /* get SPF result */
  if (action == SPF_PROCESS_FALLBACK)
    {
    SPF_request_query_fallback(spf_request, &spf_response, CS spf_guess);
    spf_result_guessed = TRUE;
    }
  else
    SPF_request_query_mailfrom(spf_request, &spf_response);

  /* set up expansion items */
  spf_header_comment     = US SPF_response_get_header_comment(spf_response);
  spf_received           = US SPF_response_get_received_spf(spf_response);
  spf_result             = US SPF_strresult(SPF_response_result(spf_response));
  spf_smtp_comment       = US SPF_response_get_smtp_comment(spf_response);

  rc = SPF_response_result(spf_response);

  DEBUG(D_acl) spf_response_debug(spf_response);
  }

/* We got a result. Now see if we should return OK or FAIL for it */
DEBUG(D_acl) debug_printf("SPF result is %s (%d)\n", SPF_strresult(rc), rc);

if (action == SPF_PROCESS_GUESS && (!strcmp (SPF_strresult(rc), "none")))
  return spf_process(listptr, spf_envelope_sender, SPF_PROCESS_FALLBACK);

while ((spf_result_id = string_nextinlist(&list, &sep, NULL, 0)))
  {
  BOOL negate, result;

  if ((negate = spf_result_id[0] == '!'))
    spf_result_id++;

  result = Ustrcmp(spf_result_id, spf_result_id_list[rc].name) == 0;
  if (negate != result) return OK;
  }

/* no match */
return FAIL;
}


gstring *
authres_spf(gstring * g)
{
uschar * s;
if (!spf_result) return g;

g = string_append(g, 2, US";\n\tspf=", spf_result);
if (spf_result_guessed)
  g = string_cat(g, US" (best guess record for domain)");

s = expand_string(US"$sender_address_domain");
return s && *s
  ? string_append(g, 2, US" smtp.mailfrom=", s)
  : string_cat(g, US" smtp.mailfrom=<>");
}


#endif
Commit	Line	Data
8523533c TK	1	/*************************************************
	2	* Exim - an Internet mail transport agent *
	3	*************************************************/
8e669ac1	4
b8e97684	5	/* SPF support.
5a66c31b	6	Copyright (c) Tom Kistner <tom@duncanthrax.net> 2004 - 2014
80fea873	7	License: GPL
53ef3d84	8	Copyright (c) The Exim Maintainers 2015 - 2020
80fea873	9	*/
8e669ac1	10
8523533c TK	11	/* Code for calling spf checks via libspf-alt. Called from acl.c. */
	12
	13	#include "exim.h"
7952eef9	14	#ifdef SUPPORT_SPF
8523533c	15
6d06cf48 TK	16	/* must be kept in numeric order */
6d06cf48 TK	17	static spf_result_id spf_result_id_list[] = {
f2ed27cf JH	18	/* name value */
	19	{ US"invalid", 0},
	20	{ US"neutral", 1 },
	21	{ US"pass", 2 },
	22	{ US"fail", 3 },
	23	{ US"softfail", 4 },
	24	{ US"none", 5 },
f2ed27cf JH	25	{ US"temperror", 6 }, /* RFC 4408 defined */
f2ed27cf JH	26	{ US"permerror", 7 } /* RFC 4408 defined */
6d06cf48 TK	27	};
6d06cf48 TK	28
384152a6 TK	29	SPF_server_t *spf_server = NULL;
	30	SPF_request_t *spf_request = NULL;
	31	SPF_response_t *spf_response = NULL;
	32	SPF_response_t *spf_response_2mx = NULL;
8523533c	33
b8e97684 JH	34	SPF_dns_rr_t * spf_nxdomain = NULL;
	35
	36
85e453f6 JH	37	void
	38	spf_lib_version_report(FILE * fp)
	39	{
	40	int maj, min, patch;
	41	SPF_get_lib_version(&maj, &min, &patch);
	42	fprintf(fp, "Library version: spf2: Compile: %d.%d.%d\n",
	43	SPF_LIB_VERSION_MAJOR, SPF_LIB_VERSION_MINOR, SPF_LIB_VERSION_PATCH);
	44	fprintf(fp, " Runtime: %d.%d.%d\n",
	45	maj, min, patch);
	46	}
	47
	48
b8e97684 JH	49
	50	static SPF_dns_rr_t *
	51	SPF_dns_exim_lookup(SPF_dns_server_t *spf_dns_server,
44e90dfa	52	const char *domain, ns_type rr_type, int should_cache)
b8e97684	53	{
8743d3ac	54	dns_answer * dnsa = store_get_dns_answer();
b8e97684 JH	55	dns_scan dnss;
b8e97684 JH	56	SPF_dns_rr_t * spfrr;
4533e306 JH	57	unsigned found = 0;
	58
	59	SPF_dns_rr_t srr = {
	60	.domain = CS domain, /* query information */
	61	.domain_buf_len = 0,
	62	.rr_type = rr_type,
	63
	64	.rr_buf_len = 0, /* answer information */
	65	.rr_buf_num = 0, /* no free of s */
	66	.utc_ttl = 0,
	67
	68	.hook = NULL, /* misc information */
	69	.source = spf_dns_server
	70	};
44e90dfa	71	int dns_rc;
b8e97684	72
4a3709fb	73	DEBUG(D_receive) debug_printf("SPF_dns_exim_lookup '%s'\n", domain);
b8e97684	74
549d36dd WB	75	/* Shortcircuit SPF RR lookups by returning NO_DATA. They were obsoleted by
549d36dd WB	76	RFC 6686/7208 years ago. see bug #1294 */
79e5ebf9 WB	77
	78	if (rr_type == T_SPF)
	79	{
549d36dd WB	80	HDEBUG(D_host_lookup) debug_printf("faking NO_DATA for SPF RR(99) lookup\n");
549d36dd WB	81	srr.herrno = NO_DATA;
79e5ebf9 WB	82	SPF_dns_rr_dup(&spfrr, &srr);
	83	return spfrr;
	84	}
	85
44e90dfa	86	switch (dns_rc = dns_lookup(dnsa, US domain, rr_type, NULL))
4533e306	87	{
44e90dfa WB	88	case DNS_SUCCEED: srr.herrno = NETDB_SUCCESS; break;
	89	case DNS_AGAIN: srr.herrno = TRY_AGAIN; break;
	90	case DNS_NOMATCH: srr.herrno = HOST_NOT_FOUND; break;
f73eb7e3	91	case DNS_NODATA: srr.herrno = NO_DATA; break;
44e90dfa WB	92	case DNS_FAIL:
	93	default: srr.herrno = NO_RECOVERY; break;
	94	}
4533e306 JH	95
	96	for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
	97	rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
	98	if (rr->type == rr_type) found++;
	99
44e90dfa WB	100	if (found == 0)
	101	{
	102	SPF_dns_rr_dup(&spfrr, &srr);
	103	return spfrr;
	104	}
	105
4533e306	106	srr.rr = store_malloc(sizeof(SPF_dns_rr_data_t) * found);
4533e306 JH	107
	108	found = 0;
	109	for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
	110	rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
	111	if (rr->type == rr_type)
	112	{
	113	const uschar * s = rr->data;
	114
	115	srr.ttl = rr->ttl;
	116	switch(rr_type)
b8e97684	117	{
4533e306	118	case T_MX:
44e90dfa	119	s += 2; /* skip the MX precedence field */
4533e306	120	case T_PTR:
b8e97684	121	{
4533e306 JH	122	uschar * buf = store_malloc(256);
	123	(void)dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, s,
	124	(DN_EXPAND_ARG4_TYPE)buf, 256);
	125	s = buf;
	126	break;
	127	}
	128
	129	case T_TXT:
	130	{
	131	gstring * g = NULL;
	132	uschar chunk_len;
4a3709fb	133
85e453f6	134	if (strncmpic(rr->data+1, US SPF_VER_STR, 6) != 0)
4a3709fb	135	{
53ef3d84 JH	136	HDEBUG(D_host_lookup) debug_printf("not an spf record: %.*s\n",
53ef3d84 JH	137	(int) s[0], s+1);
4533e306	138	continue;
4a3709fb WB	139	}
4a3709fb WB	140
4533e306	141	for (int off = 0; off < rr->size; off += chunk_len)
4a3709fb	142	{
4533e306 JH	143	if (!(chunk_len = s[off++])) break;
4533e306 JH	144	g = string_catn(g, s+off, chunk_len);
4a3709fb	145	}
4533e306 JH	146	if (!g)
	147	continue;
	148	gstring_release_unused(g);
	149	s = string_copy_malloc(string_from_gstring(g));
53ef3d84	150	DEBUG(D_receive) debug_printf("SPF_dns_exim_lookup '%s'\n", s);
4533e306	151	break;
b8e97684	152	}
b8e97684	153
4533e306 JH	154	case T_A:
	155	case T_AAAA:
	156	default:
	157	{
	158	uschar * buf = store_malloc(dnsa->answerlen + 1);
	159	s = memcpy(buf, s, dnsa->answerlen + 1);
	160	break;
	161	}
b8e97684	162	}
4533e306 JH	163	srr.rr[found++] = (void *) s;
4533e306 JH	164	}
b8e97684	165
67794d2b WB	166	/* Did we filter out all TXT RRs? Return NO_DATA instead of SUCCESS with
	167	empty ANSWER section. */
	168
	169	if (!(srr.num_rr = found))
	170	srr.herrno = NO_DATA;
	171
4533e306 JH	172	/* spfrr->rr must have been malloc()d for this */
4533e306 JH	173	SPF_dns_rr_dup(&spfrr, &srr);
b8e97684 JH	174	return spfrr;
	175	}
	176
	177
	178
	179	SPF_dns_server_t *
	180	SPF_dns_exim_new(int debug)
	181	{
4533e306	182	SPF_dns_server_t * spf_dns_server = store_malloc(sizeof(SPF_dns_server_t));
b8e97684 JH	183
	184	DEBUG(D_receive) debug_printf("SPF_dns_exim_new\n");
	185
b8e97684	186	memset(spf_dns_server, 0, sizeof(SPF_dns_server_t));
b8e97684 JH	187	spf_dns_server->destroy = NULL;
	188	spf_dns_server->lookup = SPF_dns_exim_lookup;
	189	spf_dns_server->get_spf = NULL;
	190	spf_dns_server->get_exp = NULL;
	191	spf_dns_server->add_cache = NULL;
	192	spf_dns_server->layer_below = NULL;
	193	spf_dns_server->name = "exim";
	194	spf_dns_server->debug = debug;
	195
	196	/* XXX This might have to return NO_DATA sometimes. */
	197
	198	spf_nxdomain = SPF_dns_rr_new_init(spf_dns_server,
	199	"", ns_t_any, 24 * 60 * 60, HOST_NOT_FOUND);
	200	if (!spf_nxdomain)
	201	{
	202	free(spf_dns_server);
	203	return NULL;
	204	}
	205
	206	return spf_dns_server;
	207	}
	208
	209
eb52e2cb	210
8e669ac1	211
73ec116f JH	212	/* Construct the SPF library stack.
	213	Return: Boolean success.
	214	*/
8e669ac1	215
eb52e2cb	216	BOOL
73ec116f	217	spf_init(void)
eb52e2cb	218	{
b8e97684	219	SPF_dns_server_t * dc;
73ec116f	220	int debug = 0;
b8e97684	221
73ec116f	222	DEBUG(D_receive) debug = 1;
b8e97684 JH	223
	224	/* We insert our own DNS access layer rather than letting the spf library
	225	do it, so that our dns access path is used for debug tracing and for the
	226	testsuite. */
8e669ac1	227
b8e97684 JH	228	if (!(dc = SPF_dns_exim_new(debug)))
	229	{
	230	DEBUG(D_receive) debug_printf("spf: SPF_dns_exim_new() failed\n");
	231	return FALSE;
	232	}
	233	if (!(dc = SPF_dns_cache_new(dc, NULL, debug, 8)))
	234	{
	235	DEBUG(D_receive) debug_printf("spf: SPF_dns_cache_new() failed\n");
	236	return FALSE;
	237	}
	238	if (!(spf_server = SPF_server_new_dns(dc, debug)))
eb52e2cb JH	239	{
	240	DEBUG(D_receive) debug_printf("spf: SPF_server_new() failed.\n");
	241	return FALSE;
8523533c	242	}
05e4f4de HSHR	243	/* Quick hack to override the outdated explanation URL.
	244	See https://www.mail-archive.com/mailop@mailop.org/msg08019.html */
	245	SPF_server_set_explanation(spf_server, "Please%_see%_http://www.open-spf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}", &spf_response);
	246	if (SPF_response_errcode(spf_response) != SPF_E_SUCCESS)
	247	log_write(0, LOG_MAIN\|LOG_PANIC_DIE, "%s", SPF_strerror(SPF_response_errcode(spf_response)));
	248
73ec116f JH	249	return TRUE;
	250	}
	251
	252
	253	/* Set up a context that can be re-used for several
	254	messages on the same SMTP connection (that come from the
	255	same host with the same HELO string).
	256
	257	Return: Boolean success
	258	*/
	259
	260	BOOL
	261	spf_conn_init(uschar * spf_helo_domain, uschar * spf_remote_addr)
	262	{
	263	DEBUG(D_receive)
	264	debug_printf("spf_conn_init: %s %s\n", spf_helo_domain, spf_remote_addr);
	265
	266	if (!spf_server && !spf_init()) return FALSE;
8523533c	267
eb52e2cb JH	268	if (SPF_server_set_rec_dom(spf_server, CS primary_hostname))
	269	{
	270	DEBUG(D_receive) debug_printf("spf: SPF_server_set_rec_dom(\"%s\") failed.\n",
	271	primary_hostname);
	272	spf_server = NULL;
	273	return FALSE;
7b3a77e5 TK	274	}
7b3a77e5 TK	275
eb52e2cb JH	276	spf_request = SPF_request_new(spf_server);
	277
	278	if ( SPF_request_set_ipv4_str(spf_request, CS spf_remote_addr)
	279	&& SPF_request_set_ipv6_str(spf_request, CS spf_remote_addr)
	280	)
	281	{
	282	DEBUG(D_receive)
	283	debug_printf("spf: SPF_request_set_ipv4_str() and "
	284	"SPF_request_set_ipv6_str() failed [%s]\n", spf_remote_addr);
	285	spf_server = NULL;
	286	spf_request = NULL;
	287	return FALSE;
8523533c TK	288	}
8523533c TK	289
eb52e2cb JH	290	if (SPF_request_set_helo_dom(spf_request, CS spf_helo_domain))
	291	{
	292	DEBUG(D_receive) debug_printf("spf: SPF_set_helo_dom(\"%s\") failed.\n",
	293	spf_helo_domain);
	294	spf_server = NULL;
	295	spf_request = NULL;
	296	return FALSE;
8523533c	297	}
8e669ac1	298
eb52e2cb	299	return TRUE;
8523533c TK	300	}
	301
	302
53ef3d84 JH	303	void
	304	spf_response_debug(SPF_response_t * spf_response)
	305	{
	306	if (SPF_response_messages(spf_response) == 0)
	307	debug_printf(" (no errors)\n");
	308	else for (int i = 0; i < SPF_response_messages(spf_response); i++)
	309	{
	310	SPF_error_t * err = SPF_response_message(spf_response, i);
	311	debug_printf( "%s_msg = (%d) %s\n",
	312	(SPF_error_errorp(err) ? "warn" : "err"),
	313	SPF_error_code(err),
	314	SPF_error_message(err));
	315	}
	316	}
	317
	318
8523533c TK	319	/* spf_process adds the envelope sender address to the existing
8523533c TK	320	context (if any), retrieves the result, sets up expansion
eb52e2cb	321	strings and evaluates the condition outcome.
f9ba5e22	322
eb52e2cb JH	323	Return: OK/FAIL */
	324
	325	int
	326	spf_process(const uschar *listptr, uschar spf_envelope_sender, int action)
	327	{
	328	int sep = 0;
	329	const uschar list = listptr;
	330	uschar *spf_result_id;
	331	int rc = SPF_RESULT_PERMERROR;
	332
b8e97684 JH	333	DEBUG(D_receive) debug_printf("spf_process\n");
b8e97684 JH	334
eb52e2cb JH	335	if (!(spf_server && spf_request))
	336	/* no global context, assume temp error and skip to evaluation */
	337	rc = SPF_RESULT_PERMERROR;
	338
	339	else if (SPF_request_set_env_from(spf_request, CS spf_envelope_sender))
aded2255	340	/* Invalid sender address. This should be a real rare occurrence */
eb52e2cb JH	341	rc = SPF_RESULT_PERMERROR;
	342
	343	else
	344	{
8523533c	345	/* get SPF result */
65a7d8c3	346	if (action == SPF_PROCESS_FALLBACK)
87e9d061	347	{
7156b1ef	348	SPF_request_query_fallback(spf_request, &spf_response, CS spf_guess);
87e9d061 JH	349	spf_result_guessed = TRUE;
87e9d061 JH	350	}
65a7d8c3 NM	351	else
65a7d8c3 NM	352	SPF_request_query_mailfrom(spf_request, &spf_response);
8523533c TK	353
8523533c TK	354	/* set up expansion items */
5903c6ff JH	355	spf_header_comment = US SPF_response_get_header_comment(spf_response);
	356	spf_received = US SPF_response_get_received_spf(spf_response);
	357	spf_result = US SPF_strresult(SPF_response_result(spf_response));
	358	spf_smtp_comment = US SPF_response_get_smtp_comment(spf_response);
8523533c	359
384152a6	360	rc = SPF_response_result(spf_response);
53ef3d84 JH	361
53ef3d84 JH	362	DEBUG(D_acl) spf_response_debug(spf_response);
eb52e2cb JH	363	}
	364
	365	/* We got a result. Now see if we should return OK or FAIL for it */
	366	DEBUG(D_acl) debug_printf("SPF result is %s (%d)\n", SPF_strresult(rc), rc);
	367
	368	if (action == SPF_PROCESS_GUESS && (!strcmp (SPF_strresult(rc), "none")))
	369	return spf_process(listptr, spf_envelope_sender, SPF_PROCESS_FALLBACK);
	370
	371	while ((spf_result_id = string_nextinlist(&list, &sep, NULL, 0)))
	372	{
	373	BOOL negate, result;
	374
	375	if ((negate = spf_result_id[0] == '!'))
	376	spf_result_id++;
	377
	378	result = Ustrcmp(spf_result_id, spf_result_id_list[rc].name) == 0;
	379	if (negate != result) return OK;
	380	}
8523533c	381
eb52e2cb JH	382	/* no match */
eb52e2cb JH	383	return FAIL;
8523533c TK	384	}
8523533c TK	385
dfbcb5ac JH	386
	387
	388	gstring *
	389	authres_spf(gstring * g)
	390	{
87e9d061	391	uschar * s;
dfbcb5ac JH	392	if (!spf_result) return g;
dfbcb5ac JH	393
87e9d061 JH	394	g = string_append(g, 2, US";\n\tspf=", spf_result);
	395	if (spf_result_guessed)
	396	g = string_cat(g, US" (best guess record for domain)");
	397
	398	s = expand_string(US"$sender_address_domain");
	399	return s && *s
	400	? string_append(g, 2, US" smtp.mailfrom=", s)
	401	: string_cat(g, US" smtp.mailfrom=<>");
dfbcb5ac JH	402	}
	403
	404
8523533c	405	#endif