[exim.git] / src / src / spf.c

/*************************************************
*     Exim - an Internet mail transport agent    *
*************************************************/

/* SPF support.
   Copyright (c) Tom Kistner <tom@duncanthrax.net> 2004 - 2014
   License: GPL
   Copyright (c) The Exim Maintainers 2015 - 2019
*/

/* Code for calling spf checks via libspf-alt. Called from acl.c. */

#include "exim.h"
#ifdef SUPPORT_SPF

/* must be kept in numeric order */
static spf_result_id spf_result_id_list[] = {
  /* name		value */
  { US"invalid",	0},
  { US"neutral",	1 },
  { US"pass",		2 },
  { US"fail",		3 },
  { US"softfail",	4 },
  { US"none",		5 },
  { US"temperror",	6 }, /* RFC 4408 defined */
  { US"permerror",	7 }  /* RFC 4408 defined */
};

SPF_server_t    *spf_server = NULL;
SPF_request_t   *spf_request = NULL;
SPF_response_t  *spf_response = NULL;
SPF_response_t  *spf_response_2mx = NULL;

SPF_dns_rr_t  * spf_nxdomain = NULL;


static SPF_dns_rr_t *
SPF_dns_exim_lookup(SPF_dns_server_t *spf_dns_server,
  const char *domain, ns_type rr_type, int should_cache)
{
dns_answer * dnsa = store_get_dns_answer();
dns_scan dnss;
SPF_dns_rr_t * spfrr;
unsigned found = 0;

SPF_dns_rr_t srr = {
  .domain = CS domain,			/* query information */
  .domain_buf_len = 0,
  .rr_type = rr_type,

  .rr_buf_len = 0,			/* answer information */
  .rr_buf_num = 0, /* no free of s */
  .utc_ttl = 0,

  .hook = NULL,				/* misc information */
  .source = spf_dns_server
};
int dns_rc;

DEBUG(D_receive) debug_printf("SPF_dns_exim_lookup '%s'\n", domain);

switch (dns_rc = dns_lookup(dnsa, US domain, rr_type, NULL))
  {
  case DNS_SUCCEED:	srr.herrno = NETDB_SUCCESS;	break;
  case DNS_AGAIN:	srr.herrno = TRY_AGAIN;		break;
  case DNS_NOMATCH:	srr.herrno = HOST_NOT_FOUND;	break;
  case DNS_FAIL:
  default:		srr.herrno = NO_RECOVERY;	break;
  } 

for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
     rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
  if (rr->type == rr_type) found++;

if (found == 0)
  {
  SPF_dns_rr_dup(&spfrr, &srr);
  return spfrr;
  }

srr.rr = store_malloc(sizeof(SPF_dns_rr_data_t) * found);

found = 0;
for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
   rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
  if (rr->type == rr_type)
    {
    const uschar * s = rr->data;

    srr.ttl = rr->ttl;
    switch(rr_type)
      {
      case T_MX:
	s += 2;	/* skip the MX precedence field */
      case T_PTR:
	{
	uschar * buf = store_malloc(256);
	(void)dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, s,
	  (DN_EXPAND_ARG4_TYPE)buf, 256);
	s = buf;
	break;
	}

      case T_TXT:
	{
	gstring * g = NULL;
	uschar chunk_len;

	if (strncmpic(rr->data+1, US"v=spf1", 6) != 0)
	  {
	  HDEBUG(D_host_lookup) debug_printf("not an spf record\n");
	  continue;
	  }

	for (int off = 0; off < rr->size; off += chunk_len)
	  {
	  if (!(chunk_len = s[off++])) break;
	  g = string_catn(g, s+off, chunk_len);
	  }
	if (!g)
	  continue;
	gstring_release_unused(g);
	s = string_copy_malloc(string_from_gstring(g));
	break;
	}

      case T_A:
      case T_AAAA:
      default:
	{
	uschar * buf = store_malloc(dnsa->answerlen + 1);
	s = memcpy(buf, s, dnsa->answerlen + 1);
	break;
	}
      }
    DEBUG(D_receive) debug_printf("SPF_dns_exim_lookup '%s'\n", s);
    srr.rr[found++] = (void *) s;
    }

srr.num_rr = found;
/* spfrr->rr must have been malloc()d for this */
SPF_dns_rr_dup(&spfrr, &srr);
return spfrr;
}


SPF_dns_server_t *
SPF_dns_exim_new(int debug)
{
SPF_dns_server_t * spf_dns_server = store_malloc(sizeof(SPF_dns_server_t));

DEBUG(D_receive) debug_printf("SPF_dns_exim_new\n");

memset(spf_dns_server, 0, sizeof(SPF_dns_server_t));
spf_dns_server->destroy      = NULL;
spf_dns_server->lookup       = SPF_dns_exim_lookup;
spf_dns_server->get_spf      = NULL;
spf_dns_server->get_exp      = NULL;
spf_dns_server->add_cache    = NULL;
spf_dns_server->layer_below  = NULL;
spf_dns_server->name         = "exim";
spf_dns_server->debug        = debug;

/* XXX This might have to return NO_DATA sometimes. */

spf_nxdomain = SPF_dns_rr_new_init(spf_dns_server,
  "", ns_t_any, 24 * 60 * 60, HOST_NOT_FOUND);
if (!spf_nxdomain)
  {
  free(spf_dns_server);
  return NULL;
  }

return spf_dns_server;
}


/* Construct the SPF library stack.
   Return: Boolean success.
*/

BOOL
spf_init(void)
{
SPF_dns_server_t * dc;
int debug = 0;

DEBUG(D_receive) debug = 1;

/* We insert our own DNS access layer rather than letting the spf library
do it, so that our dns access path is used for debug tracing and for the
testsuite. */

if (!(dc = SPF_dns_exim_new(debug)))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_dns_exim_new() failed\n");
  return FALSE;
  }
if (!(dc = SPF_dns_cache_new(dc, NULL, debug, 8)))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_dns_cache_new() failed\n");
  return FALSE;
  }
if (!(spf_server = SPF_server_new_dns(dc, debug)))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_server_new() failed.\n");
  return FALSE;
  }
  /* Quick hack to override the outdated explanation URL.
  See https://www.mail-archive.com/mailop@mailop.org/msg08019.html */
  SPF_server_set_explanation(spf_server, "Please%_see%_http://www.open-spf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}", &spf_response);
  if (SPF_response_errcode(spf_response) != SPF_E_SUCCESS)
    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s", SPF_strerror(SPF_response_errcode(spf_response)));

return TRUE;
}


/* Set up a context that can be re-used for several
   messages on the same SMTP connection (that come from the
   same host with the same HELO string).

Return: Boolean success
*/

BOOL
spf_conn_init(uschar * spf_helo_domain, uschar * spf_remote_addr)
{
DEBUG(D_receive)
  debug_printf("spf_conn_init: %s %s\n", spf_helo_domain, spf_remote_addr);

if (!spf_server && !spf_init()) return FALSE;

if (SPF_server_set_rec_dom(spf_server, CS primary_hostname))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_server_set_rec_dom(\"%s\") failed.\n",
    primary_hostname);
  spf_server = NULL;
  return FALSE;
  }

spf_request = SPF_request_new(spf_server);

if (  SPF_request_set_ipv4_str(spf_request, CS spf_remote_addr)
   && SPF_request_set_ipv6_str(spf_request, CS spf_remote_addr)
   )
  {
  DEBUG(D_receive)
    debug_printf("spf: SPF_request_set_ipv4_str() and "
      "SPF_request_set_ipv6_str() failed [%s]\n", spf_remote_addr);
  spf_server = NULL;
  spf_request = NULL;
  return FALSE;
  }

if (SPF_request_set_helo_dom(spf_request, CS spf_helo_domain))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_set_helo_dom(\"%s\") failed.\n",
    spf_helo_domain);
  spf_server = NULL;
  spf_request = NULL;
  return FALSE;
  }

return TRUE;
}


/* spf_process adds the envelope sender address to the existing
   context (if any), retrieves the result, sets up expansion
   strings and evaluates the condition outcome.

Return: OK/FAIL  */

int
spf_process(const uschar **listptr, uschar *spf_envelope_sender, int action)
{
int sep = 0;
const uschar *list = *listptr;
uschar *spf_result_id;
int rc = SPF_RESULT_PERMERROR;

DEBUG(D_receive) debug_printf("spf_process\n");

if (!(spf_server && spf_request))
  /* no global context, assume temp error and skip to evaluation */
  rc = SPF_RESULT_PERMERROR;

else if (SPF_request_set_env_from(spf_request, CS spf_envelope_sender))
  /* Invalid sender address. This should be a real rare occurrence */
  rc = SPF_RESULT_PERMERROR;

else
  {
  /* get SPF result */
  if (action == SPF_PROCESS_FALLBACK)
    {
    SPF_request_query_fallback(spf_request, &spf_response, CS spf_guess);
    spf_result_guessed = TRUE;
    }
  else
    SPF_request_query_mailfrom(spf_request, &spf_response);

  /* set up expansion items */
  spf_header_comment     = US SPF_response_get_header_comment(spf_response);
  spf_received           = US SPF_response_get_received_spf(spf_response);
  spf_result             = US SPF_strresult(SPF_response_result(spf_response));
  spf_smtp_comment       = US SPF_response_get_smtp_comment(spf_response);

  rc = SPF_response_result(spf_response);
  }

/* We got a result. Now see if we should return OK or FAIL for it */
DEBUG(D_acl) debug_printf("SPF result is %s (%d)\n", SPF_strresult(rc), rc);

if (action == SPF_PROCESS_GUESS && (!strcmp (SPF_strresult(rc), "none")))
  return spf_process(listptr, spf_envelope_sender, SPF_PROCESS_FALLBACK);

while ((spf_result_id = string_nextinlist(&list, &sep, NULL, 0)))
  {
  BOOL negate, result;

  if ((negate = spf_result_id[0] == '!'))
    spf_result_id++;

  result = Ustrcmp(spf_result_id, spf_result_id_list[rc].name) == 0;
  if (negate != result) return OK;
  }

/* no match */
return FAIL;
}


gstring *
authres_spf(gstring * g)
{
uschar * s;
if (!spf_result) return g;

g = string_append(g, 2, US";\n\tspf=", spf_result);
if (spf_result_guessed)
  g = string_cat(g, US" (best guess record for domain)");

s = expand_string(US"$sender_address_domain");
return s && *s
  ? string_append(g, 2, US" smtp.mailfrom=", s)
  : string_cat(g, US" smtp.mailfrom=<>");
}


#endif
Commit	Line	Data
8523533c TK	1	/*************************************************
	2	* Exim - an Internet mail transport agent *
	3	*************************************************/
8e669ac1	4
b8e97684	5	/* SPF support.
5a66c31b	6	Copyright (c) Tom Kistner <tom@duncanthrax.net> 2004 - 2014
80fea873	7	License: GPL
b8e97684	8	Copyright (c) The Exim Maintainers 2015 - 2019
80fea873	9	*/
8e669ac1	10
8523533c TK	11	/* Code for calling spf checks via libspf-alt. Called from acl.c. */
	12
	13	#include "exim.h"
7952eef9	14	#ifdef SUPPORT_SPF
8523533c	15
6d06cf48 TK	16	/* must be kept in numeric order */
6d06cf48 TK	17	static spf_result_id spf_result_id_list[] = {
f2ed27cf JH	18	/* name value */
	19	{ US"invalid", 0},
	20	{ US"neutral", 1 },
	21	{ US"pass", 2 },
	22	{ US"fail", 3 },
	23	{ US"softfail", 4 },
	24	{ US"none", 5 },
f2ed27cf JH	25	{ US"temperror", 6 }, /* RFC 4408 defined */
f2ed27cf JH	26	{ US"permerror", 7 } /* RFC 4408 defined */
6d06cf48 TK	27	};
6d06cf48 TK	28
384152a6 TK	29	SPF_server_t *spf_server = NULL;
	30	SPF_request_t *spf_request = NULL;
	31	SPF_response_t *spf_response = NULL;
	32	SPF_response_t *spf_response_2mx = NULL;
8523533c	33
b8e97684 JH	34	SPF_dns_rr_t * spf_nxdomain = NULL;
	35
	36
	37
	38	static SPF_dns_rr_t *
	39	SPF_dns_exim_lookup(SPF_dns_server_t *spf_dns_server,
44e90dfa	40	const char *domain, ns_type rr_type, int should_cache)
b8e97684	41	{
8743d3ac	42	dns_answer * dnsa = store_get_dns_answer();
b8e97684 JH	43	dns_scan dnss;
b8e97684 JH	44	SPF_dns_rr_t * spfrr;
4533e306 JH	45	unsigned found = 0;
	46
	47	SPF_dns_rr_t srr = {
	48	.domain = CS domain, /* query information */
	49	.domain_buf_len = 0,
	50	.rr_type = rr_type,
	51
	52	.rr_buf_len = 0, /* answer information */
	53	.rr_buf_num = 0, /* no free of s */
	54	.utc_ttl = 0,
	55
	56	.hook = NULL, /* misc information */
	57	.source = spf_dns_server
	58	};
44e90dfa	59	int dns_rc;
b8e97684	60
4a3709fb	61	DEBUG(D_receive) debug_printf("SPF_dns_exim_lookup '%s'\n", domain);
b8e97684	62
44e90dfa	63	switch (dns_rc = dns_lookup(dnsa, US domain, rr_type, NULL))
4533e306	64	{
44e90dfa WB	65	case DNS_SUCCEED: srr.herrno = NETDB_SUCCESS; break;
	66	case DNS_AGAIN: srr.herrno = TRY_AGAIN; break;
	67	case DNS_NOMATCH: srr.herrno = HOST_NOT_FOUND; break;
	68	case DNS_FAIL:
	69	default: srr.herrno = NO_RECOVERY; break;
	70	}
4533e306 JH	71
	72	for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
	73	rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
	74	if (rr->type == rr_type) found++;
	75
44e90dfa WB	76	if (found == 0)
	77	{
	78	SPF_dns_rr_dup(&spfrr, &srr);
	79	return spfrr;
	80	}
	81
4533e306	82	srr.rr = store_malloc(sizeof(SPF_dns_rr_data_t) * found);
4533e306 JH	83
	84	found = 0;
	85	for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
	86	rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
	87	if (rr->type == rr_type)
	88	{
	89	const uschar * s = rr->data;
	90
	91	srr.ttl = rr->ttl;
	92	switch(rr_type)
b8e97684	93	{
4533e306	94	case T_MX:
44e90dfa	95	s += 2; /* skip the MX precedence field */
4533e306	96	case T_PTR:
b8e97684	97	{
4533e306 JH	98	uschar * buf = store_malloc(256);
	99	(void)dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, s,
	100	(DN_EXPAND_ARG4_TYPE)buf, 256);
	101	s = buf;
	102	break;
	103	}
	104
	105	case T_TXT:
	106	{
	107	gstring * g = NULL;
	108	uschar chunk_len;
4a3709fb	109
4533e306	110	if (strncmpic(rr->data+1, US"v=spf1", 6) != 0)
4a3709fb	111	{
4533e306 JH	112	HDEBUG(D_host_lookup) debug_printf("not an spf record\n");
4533e306 JH	113	continue;
4a3709fb WB	114	}
4a3709fb WB	115
4533e306	116	for (int off = 0; off < rr->size; off += chunk_len)
4a3709fb	117	{
4533e306 JH	118	if (!(chunk_len = s[off++])) break;
4533e306 JH	119	g = string_catn(g, s+off, chunk_len);
4a3709fb	120	}
4533e306 JH	121	if (!g)
	122	continue;
	123	gstring_release_unused(g);
	124	s = string_copy_malloc(string_from_gstring(g));
	125	break;
b8e97684	126	}
b8e97684	127
4533e306 JH	128	case T_A:
	129	case T_AAAA:
	130	default:
	131	{
	132	uschar * buf = store_malloc(dnsa->answerlen + 1);
	133	s = memcpy(buf, s, dnsa->answerlen + 1);
	134	break;
	135	}
b8e97684	136	}
4533e306 JH	137	DEBUG(D_receive) debug_printf("SPF_dns_exim_lookup '%s'\n", s);
	138	srr.rr[found++] = (void *) s;
	139	}
b8e97684	140
44e90dfa	141	srr.num_rr = found;
4533e306 JH	142	/* spfrr->rr must have been malloc()d for this */
4533e306 JH	143	SPF_dns_rr_dup(&spfrr, &srr);
b8e97684 JH	144	return spfrr;
	145	}
	146
	147
	148
	149	SPF_dns_server_t *
	150	SPF_dns_exim_new(int debug)
	151	{
4533e306	152	SPF_dns_server_t * spf_dns_server = store_malloc(sizeof(SPF_dns_server_t));
b8e97684 JH	153
	154	DEBUG(D_receive) debug_printf("SPF_dns_exim_new\n");
	155
b8e97684	156	memset(spf_dns_server, 0, sizeof(SPF_dns_server_t));
b8e97684 JH	157	spf_dns_server->destroy = NULL;
	158	spf_dns_server->lookup = SPF_dns_exim_lookup;
	159	spf_dns_server->get_spf = NULL;
	160	spf_dns_server->get_exp = NULL;
	161	spf_dns_server->add_cache = NULL;
	162	spf_dns_server->layer_below = NULL;
	163	spf_dns_server->name = "exim";
	164	spf_dns_server->debug = debug;
	165
	166	/* XXX This might have to return NO_DATA sometimes. */
	167
	168	spf_nxdomain = SPF_dns_rr_new_init(spf_dns_server,
	169	"", ns_t_any, 24 * 60 * 60, HOST_NOT_FOUND);
	170	if (!spf_nxdomain)
	171	{
	172	free(spf_dns_server);
	173	return NULL;
	174	}
	175
	176	return spf_dns_server;
	177	}
	178
	179
eb52e2cb	180
8e669ac1	181
73ec116f JH	182	/* Construct the SPF library stack.
	183	Return: Boolean success.
	184	*/
8e669ac1	185
eb52e2cb	186	BOOL
73ec116f	187	spf_init(void)
eb52e2cb	188	{
b8e97684	189	SPF_dns_server_t * dc;
73ec116f	190	int debug = 0;
b8e97684	191
73ec116f	192	DEBUG(D_receive) debug = 1;
b8e97684 JH	193
	194	/* We insert our own DNS access layer rather than letting the spf library
	195	do it, so that our dns access path is used for debug tracing and for the
	196	testsuite. */
8e669ac1	197
b8e97684 JH	198	if (!(dc = SPF_dns_exim_new(debug)))
	199	{
	200	DEBUG(D_receive) debug_printf("spf: SPF_dns_exim_new() failed\n");
	201	return FALSE;
	202	}
	203	if (!(dc = SPF_dns_cache_new(dc, NULL, debug, 8)))
	204	{
	205	DEBUG(D_receive) debug_printf("spf: SPF_dns_cache_new() failed\n");
	206	return FALSE;
	207	}
	208	if (!(spf_server = SPF_server_new_dns(dc, debug)))
eb52e2cb JH	209	{
	210	DEBUG(D_receive) debug_printf("spf: SPF_server_new() failed.\n");
	211	return FALSE;
8523533c	212	}
05e4f4de HSHR	213	/* Quick hack to override the outdated explanation URL.
	214	See https://www.mail-archive.com/mailop@mailop.org/msg08019.html */
	215	SPF_server_set_explanation(spf_server, "Please%_see%_http://www.open-spf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}", &spf_response);
	216	if (SPF_response_errcode(spf_response) != SPF_E_SUCCESS)
	217	log_write(0, LOG_MAIN\|LOG_PANIC_DIE, "%s", SPF_strerror(SPF_response_errcode(spf_response)));
	218
73ec116f JH	219	return TRUE;
	220	}
	221
	222
	223	/* Set up a context that can be re-used for several
	224	messages on the same SMTP connection (that come from the
	225	same host with the same HELO string).
	226
	227	Return: Boolean success
	228	*/
	229
	230	BOOL
	231	spf_conn_init(uschar * spf_helo_domain, uschar * spf_remote_addr)
	232	{
	233	DEBUG(D_receive)
	234	debug_printf("spf_conn_init: %s %s\n", spf_helo_domain, spf_remote_addr);
	235
	236	if (!spf_server && !spf_init()) return FALSE;
8523533c	237
eb52e2cb JH	238	if (SPF_server_set_rec_dom(spf_server, CS primary_hostname))
	239	{
	240	DEBUG(D_receive) debug_printf("spf: SPF_server_set_rec_dom(\"%s\") failed.\n",
	241	primary_hostname);
	242	spf_server = NULL;
	243	return FALSE;
7b3a77e5 TK	244	}
7b3a77e5 TK	245
eb52e2cb JH	246	spf_request = SPF_request_new(spf_server);
	247
	248	if ( SPF_request_set_ipv4_str(spf_request, CS spf_remote_addr)
	249	&& SPF_request_set_ipv6_str(spf_request, CS spf_remote_addr)
	250	)
	251	{
	252	DEBUG(D_receive)
	253	debug_printf("spf: SPF_request_set_ipv4_str() and "
	254	"SPF_request_set_ipv6_str() failed [%s]\n", spf_remote_addr);
	255	spf_server = NULL;
	256	spf_request = NULL;
	257	return FALSE;
8523533c TK	258	}
8523533c TK	259
eb52e2cb JH	260	if (SPF_request_set_helo_dom(spf_request, CS spf_helo_domain))
	261	{
	262	DEBUG(D_receive) debug_printf("spf: SPF_set_helo_dom(\"%s\") failed.\n",
	263	spf_helo_domain);
	264	spf_server = NULL;
	265	spf_request = NULL;
	266	return FALSE;
8523533c	267	}
8e669ac1	268
eb52e2cb	269	return TRUE;
8523533c TK	270	}
	271
	272
	273	/* spf_process adds the envelope sender address to the existing
	274	context (if any), retrieves the result, sets up expansion
eb52e2cb	275	strings and evaluates the condition outcome.
f9ba5e22	276
eb52e2cb JH	277	Return: OK/FAIL */
	278
	279	int
	280	spf_process(const uschar *listptr, uschar spf_envelope_sender, int action)
	281	{
	282	int sep = 0;
	283	const uschar list = listptr;
	284	uschar *spf_result_id;
	285	int rc = SPF_RESULT_PERMERROR;
	286
b8e97684 JH	287	DEBUG(D_receive) debug_printf("spf_process\n");
b8e97684 JH	288
eb52e2cb JH	289	if (!(spf_server && spf_request))
	290	/* no global context, assume temp error and skip to evaluation */
	291	rc = SPF_RESULT_PERMERROR;
	292
	293	else if (SPF_request_set_env_from(spf_request, CS spf_envelope_sender))
aded2255	294	/* Invalid sender address. This should be a real rare occurrence */
eb52e2cb JH	295	rc = SPF_RESULT_PERMERROR;
	296
	297	else
	298	{
8523533c	299	/* get SPF result */
65a7d8c3	300	if (action == SPF_PROCESS_FALLBACK)
87e9d061	301	{
7156b1ef	302	SPF_request_query_fallback(spf_request, &spf_response, CS spf_guess);
87e9d061 JH	303	spf_result_guessed = TRUE;
87e9d061 JH	304	}
65a7d8c3 NM	305	else
65a7d8c3 NM	306	SPF_request_query_mailfrom(spf_request, &spf_response);
8523533c TK	307
8523533c TK	308	/* set up expansion items */
5903c6ff JH	309	spf_header_comment = US SPF_response_get_header_comment(spf_response);
	310	spf_received = US SPF_response_get_received_spf(spf_response);
	311	spf_result = US SPF_strresult(SPF_response_result(spf_response));
	312	spf_smtp_comment = US SPF_response_get_smtp_comment(spf_response);
8523533c	313
384152a6	314	rc = SPF_response_result(spf_response);
eb52e2cb JH	315	}
	316
	317	/* We got a result. Now see if we should return OK or FAIL for it */
	318	DEBUG(D_acl) debug_printf("SPF result is %s (%d)\n", SPF_strresult(rc), rc);
	319
	320	if (action == SPF_PROCESS_GUESS && (!strcmp (SPF_strresult(rc), "none")))
	321	return spf_process(listptr, spf_envelope_sender, SPF_PROCESS_FALLBACK);
	322
	323	while ((spf_result_id = string_nextinlist(&list, &sep, NULL, 0)))
	324	{
	325	BOOL negate, result;
	326
	327	if ((negate = spf_result_id[0] == '!'))
	328	spf_result_id++;
	329
	330	result = Ustrcmp(spf_result_id, spf_result_id_list[rc].name) == 0;
	331	if (negate != result) return OK;
	332	}
8523533c	333
eb52e2cb JH	334	/* no match */
eb52e2cb JH	335	return FAIL;
8523533c TK	336	}
8523533c TK	337
dfbcb5ac JH	338
	339
	340	gstring *
	341	authres_spf(gstring * g)
	342	{
87e9d061	343	uschar * s;
dfbcb5ac JH	344	if (!spf_result) return g;
dfbcb5ac JH	345
87e9d061 JH	346	g = string_append(g, 2, US";\n\tspf=", spf_result);
	347	if (spf_result_guessed)
	348	g = string_cat(g, US" (best guess record for domain)");
	349
	350	s = expand_string(US"$sender_address_domain");
	351	return s && *s
	352	? string_append(g, 2, US" smtp.mailfrom=", s)
	353	: string_cat(g, US" smtp.mailfrom=<>");
dfbcb5ac JH	354	}
	355
	356
8523533c	357	#endif