[exim.git] / src / src / spf.c

/*************************************************
*     Exim - an Internet mail transport agent    *
*************************************************/

/* SPF support.
   Copyright (c) Tom Kistner <tom@duncanthrax.net> 2004 - 2014
   License: GPL
   Copyright (c) The Exim Maintainers 2015 - 2019
*/

/* Code for calling spf checks via libspf-alt. Called from acl.c. */

#include "exim.h"
#ifdef SUPPORT_SPF

/* must be kept in numeric order */
static spf_result_id spf_result_id_list[] = {
  /* name		value */
  { US"invalid",	0},
  { US"neutral",	1 },
  { US"pass",		2 },
  { US"fail",		3 },
  { US"softfail",	4 },
  { US"none",		5 },
  { US"temperror",	6 }, /* RFC 4408 defined */
  { US"permerror",	7 }  /* RFC 4408 defined */
};

SPF_server_t    *spf_server = NULL;
SPF_request_t   *spf_request = NULL;
SPF_response_t  *spf_response = NULL;
SPF_response_t  *spf_response_2mx = NULL;

SPF_dns_rr_t  * spf_nxdomain = NULL;


void
spf_lib_version_report(FILE * fp)
{
int maj, min, patch;
SPF_get_lib_version(&maj, &min, &patch);
fprintf(fp, "Library version: spf2: Compile: %d.%d.%d\n",
	SPF_LIB_VERSION_MAJOR, SPF_LIB_VERSION_MINOR, SPF_LIB_VERSION_PATCH);
fprintf(fp, "                       Runtime: %d.%d.%d\n",
	 maj, min, patch);
}


static SPF_dns_rr_t *
SPF_dns_exim_lookup(SPF_dns_server_t *spf_dns_server,
  const char *domain, ns_type rr_type, int should_cache)
{
dns_answer * dnsa = store_get_dns_answer();
dns_scan dnss;
SPF_dns_rr_t * spfrr;
unsigned found = 0;

SPF_dns_rr_t srr = {
  .domain = CS domain,			/* query information */
  .domain_buf_len = 0,
  .rr_type = rr_type,

  .rr_buf_len = 0,			/* answer information */
  .rr_buf_num = 0, /* no free of s */
  .utc_ttl = 0,

  .hook = NULL,				/* misc information */
  .source = spf_dns_server
};
int dns_rc;

DEBUG(D_receive) debug_printf("SPF_dns_exim_lookup '%s'\n", domain);

switch (dns_rc = dns_lookup(dnsa, US domain, rr_type, NULL))
  {
  case DNS_SUCCEED:	srr.herrno = NETDB_SUCCESS;	break;
  case DNS_AGAIN:	srr.herrno = TRY_AGAIN;		break;
  case DNS_NOMATCH:	srr.herrno = HOST_NOT_FOUND;	break;
  case DNS_FAIL:
  default:		srr.herrno = NO_RECOVERY;	break;
  } 

for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
     rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
  if (rr->type == rr_type) found++;

if (found == 0)
  {
  SPF_dns_rr_dup(&spfrr, &srr);
  return spfrr;
  }

srr.rr = store_malloc(sizeof(SPF_dns_rr_data_t) * found);

found = 0;
for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
   rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
  if (rr->type == rr_type)
    {
    const uschar * s = rr->data;

    srr.ttl = rr->ttl;
    switch(rr_type)
      {
      case T_MX:
	s += 2;	/* skip the MX precedence field */
      case T_PTR:
	{
	uschar * buf = store_malloc(256);
	(void)dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, s,
	  (DN_EXPAND_ARG4_TYPE)buf, 256);
	s = buf;
	break;
	}

      case T_TXT:
	{
	gstring * g = NULL;
	uschar chunk_len;

	if (strncmpic(rr->data+1, US SPF_VER_STR, 6) != 0)
	  {
	  HDEBUG(D_host_lookup) debug_printf("not an spf record\n");
	  continue;
	  }

	for (int off = 0; off < rr->size; off += chunk_len)
	  {
	  if (!(chunk_len = s[off++])) break;
	  g = string_catn(g, s+off, chunk_len);
	  }
	if (!g)
	  continue;
	gstring_release_unused(g);
	s = string_copy_malloc(string_from_gstring(g));
	break;
	}

      case T_A:
      case T_AAAA:
      default:
	{
	uschar * buf = store_malloc(dnsa->answerlen + 1);
	s = memcpy(buf, s, dnsa->answerlen + 1);
	break;
	}
      }
    DEBUG(D_receive) debug_printf("SPF_dns_exim_lookup '%s'\n", s);
    srr.rr[found++] = (void *) s;
    }

srr.num_rr = found;
/* spfrr->rr must have been malloc()d for this */
SPF_dns_rr_dup(&spfrr, &srr);
return spfrr;
}


SPF_dns_server_t *
SPF_dns_exim_new(int debug)
{
SPF_dns_server_t * spf_dns_server = store_malloc(sizeof(SPF_dns_server_t));

DEBUG(D_receive) debug_printf("SPF_dns_exim_new\n");

memset(spf_dns_server, 0, sizeof(SPF_dns_server_t));
spf_dns_server->destroy      = NULL;
spf_dns_server->lookup       = SPF_dns_exim_lookup;
spf_dns_server->get_spf      = NULL;
spf_dns_server->get_exp      = NULL;
spf_dns_server->add_cache    = NULL;
spf_dns_server->layer_below  = NULL;
spf_dns_server->name         = "exim";
spf_dns_server->debug        = debug;

/* XXX This might have to return NO_DATA sometimes. */

spf_nxdomain = SPF_dns_rr_new_init(spf_dns_server,
  "", ns_t_any, 24 * 60 * 60, HOST_NOT_FOUND);
if (!spf_nxdomain)
  {
  free(spf_dns_server);
  return NULL;
  }

return spf_dns_server;
}


/* Construct the SPF library stack.
   Return: Boolean success.
*/

BOOL
spf_init(void)
{
SPF_dns_server_t * dc;
int debug = 0;

DEBUG(D_receive) debug = 1;

/* We insert our own DNS access layer rather than letting the spf library
do it, so that our dns access path is used for debug tracing and for the
testsuite. */

if (!(dc = SPF_dns_exim_new(debug)))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_dns_exim_new() failed\n");
  return FALSE;
  }
if (!(dc = SPF_dns_cache_new(dc, NULL, debug, 8)))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_dns_cache_new() failed\n");
  return FALSE;
  }
if (!(spf_server = SPF_server_new_dns(dc, debug)))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_server_new() failed.\n");
  return FALSE;
  }
  /* Quick hack to override the outdated explanation URL.
  See https://www.mail-archive.com/mailop@mailop.org/msg08019.html */
  SPF_server_set_explanation(spf_server, "Please%_see%_http://www.open-spf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}", &spf_response);
  if (SPF_response_errcode(spf_response) != SPF_E_SUCCESS)
    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s", SPF_strerror(SPF_response_errcode(spf_response)));

return TRUE;
}


/* Set up a context that can be re-used for several
   messages on the same SMTP connection (that come from the
   same host with the same HELO string).

Return: Boolean success
*/

BOOL
spf_conn_init(uschar * spf_helo_domain, uschar * spf_remote_addr)
{
DEBUG(D_receive)
  debug_printf("spf_conn_init: %s %s\n", spf_helo_domain, spf_remote_addr);

if (!spf_server && !spf_init()) return FALSE;

if (SPF_server_set_rec_dom(spf_server, CS primary_hostname))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_server_set_rec_dom(\"%s\") failed.\n",
    primary_hostname);
  spf_server = NULL;
  return FALSE;
  }

spf_request = SPF_request_new(spf_server);

if (  SPF_request_set_ipv4_str(spf_request, CS spf_remote_addr)
   && SPF_request_set_ipv6_str(spf_request, CS spf_remote_addr)
   )
  {
  DEBUG(D_receive)
    debug_printf("spf: SPF_request_set_ipv4_str() and "
      "SPF_request_set_ipv6_str() failed [%s]\n", spf_remote_addr);
  spf_server = NULL;
  spf_request = NULL;
  return FALSE;
  }

if (SPF_request_set_helo_dom(spf_request, CS spf_helo_domain))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_set_helo_dom(\"%s\") failed.\n",
    spf_helo_domain);
  spf_server = NULL;
  spf_request = NULL;
  return FALSE;
  }

return TRUE;
}


/* spf_process adds the envelope sender address to the existing
   context (if any), retrieves the result, sets up expansion
   strings and evaluates the condition outcome.

Return: OK/FAIL  */

int
spf_process(const uschar **listptr, uschar *spf_envelope_sender, int action)
{
int sep = 0;
const uschar *list = *listptr;
uschar *spf_result_id;
int rc = SPF_RESULT_PERMERROR;

DEBUG(D_receive) debug_printf("spf_process\n");

if (!(spf_server && spf_request))
  /* no global context, assume temp error and skip to evaluation */
  rc = SPF_RESULT_PERMERROR;

else if (SPF_request_set_env_from(spf_request, CS spf_envelope_sender))
  /* Invalid sender address. This should be a real rare occurrence */
  rc = SPF_RESULT_PERMERROR;

else
  {
  /* get SPF result */
  if (action == SPF_PROCESS_FALLBACK)
    {
    SPF_request_query_fallback(spf_request, &spf_response, CS spf_guess);
    spf_result_guessed = TRUE;
    }
  else
    SPF_request_query_mailfrom(spf_request, &spf_response);

  /* set up expansion items */
  spf_header_comment     = US SPF_response_get_header_comment(spf_response);
  spf_received           = US SPF_response_get_received_spf(spf_response);
  spf_result             = US SPF_strresult(SPF_response_result(spf_response));
  spf_smtp_comment       = US SPF_response_get_smtp_comment(spf_response);

  rc = SPF_response_result(spf_response);
  }

/* We got a result. Now see if we should return OK or FAIL for it */
DEBUG(D_acl) debug_printf("SPF result is %s (%d)\n", SPF_strresult(rc), rc);

if (action == SPF_PROCESS_GUESS && (!strcmp (SPF_strresult(rc), "none")))
  return spf_process(listptr, spf_envelope_sender, SPF_PROCESS_FALLBACK);

while ((spf_result_id = string_nextinlist(&list, &sep, NULL, 0)))
  {
  BOOL negate, result;

  if ((negate = spf_result_id[0] == '!'))
    spf_result_id++;

  result = Ustrcmp(spf_result_id, spf_result_id_list[rc].name) == 0;
  if (negate != result) return OK;
  }

/* no match */
return FAIL;
}


gstring *
authres_spf(gstring * g)
{
uschar * s;
if (!spf_result) return g;

g = string_append(g, 2, US";\n\tspf=", spf_result);
if (spf_result_guessed)
  g = string_cat(g, US" (best guess record for domain)");

s = expand_string(US"$sender_address_domain");
return s && *s
  ? string_append(g, 2, US" smtp.mailfrom=", s)
  : string_cat(g, US" smtp.mailfrom=<>");
}


#endif
Commit	Line	Data
8523533c TK	1	/*************************************************
	2	* Exim - an Internet mail transport agent *
	3	*************************************************/
8e669ac1	4
b8e97684	5	/* SPF support.
5a66c31b	6	Copyright (c) Tom Kistner <tom@duncanthrax.net> 2004 - 2014
80fea873	7	License: GPL
b8e97684	8	Copyright (c) The Exim Maintainers 2015 - 2019
80fea873	9	*/
8e669ac1	10
8523533c TK	11	/* Code for calling spf checks via libspf-alt. Called from acl.c. */
	12
	13	#include "exim.h"
7952eef9	14	#ifdef SUPPORT_SPF
8523533c	15
6d06cf48 TK	16	/* must be kept in numeric order */
6d06cf48 TK	17	static spf_result_id spf_result_id_list[] = {
f2ed27cf JH	18	/* name value */
	19	{ US"invalid", 0},
	20	{ US"neutral", 1 },
	21	{ US"pass", 2 },
	22	{ US"fail", 3 },
	23	{ US"softfail", 4 },
	24	{ US"none", 5 },
f2ed27cf JH	25	{ US"temperror", 6 }, /* RFC 4408 defined */
f2ed27cf JH	26	{ US"permerror", 7 } /* RFC 4408 defined */
6d06cf48 TK	27	};
6d06cf48 TK	28
384152a6 TK	29	SPF_server_t *spf_server = NULL;
	30	SPF_request_t *spf_request = NULL;
	31	SPF_response_t *spf_response = NULL;
	32	SPF_response_t *spf_response_2mx = NULL;
8523533c	33
b8e97684 JH	34	SPF_dns_rr_t * spf_nxdomain = NULL;
	35
	36
85e453f6 JH	37	void
	38	spf_lib_version_report(FILE * fp)
	39	{
	40	int maj, min, patch;
	41	SPF_get_lib_version(&maj, &min, &patch);
	42	fprintf(fp, "Library version: spf2: Compile: %d.%d.%d\n",
	43	SPF_LIB_VERSION_MAJOR, SPF_LIB_VERSION_MINOR, SPF_LIB_VERSION_PATCH);
	44	fprintf(fp, " Runtime: %d.%d.%d\n",
	45	maj, min, patch);
	46	}
	47
	48
b8e97684 JH	49
	50	static SPF_dns_rr_t *
	51	SPF_dns_exim_lookup(SPF_dns_server_t *spf_dns_server,
44e90dfa	52	const char *domain, ns_type rr_type, int should_cache)
b8e97684	53	{
8743d3ac	54	dns_answer * dnsa = store_get_dns_answer();
b8e97684 JH	55	dns_scan dnss;
b8e97684 JH	56	SPF_dns_rr_t * spfrr;
4533e306 JH	57	unsigned found = 0;
	58
	59	SPF_dns_rr_t srr = {
	60	.domain = CS domain, /* query information */
	61	.domain_buf_len = 0,
	62	.rr_type = rr_type,
	63
	64	.rr_buf_len = 0, /* answer information */
	65	.rr_buf_num = 0, /* no free of s */
	66	.utc_ttl = 0,
	67
	68	.hook = NULL, /* misc information */
	69	.source = spf_dns_server
	70	};
44e90dfa	71	int dns_rc;
b8e97684	72
4a3709fb	73	DEBUG(D_receive) debug_printf("SPF_dns_exim_lookup '%s'\n", domain);
b8e97684	74
44e90dfa	75	switch (dns_rc = dns_lookup(dnsa, US domain, rr_type, NULL))
4533e306	76	{
44e90dfa WB	77	case DNS_SUCCEED: srr.herrno = NETDB_SUCCESS; break;
	78	case DNS_AGAIN: srr.herrno = TRY_AGAIN; break;
	79	case DNS_NOMATCH: srr.herrno = HOST_NOT_FOUND; break;
	80	case DNS_FAIL:
	81	default: srr.herrno = NO_RECOVERY; break;
	82	}
4533e306 JH	83
	84	for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
	85	rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
	86	if (rr->type == rr_type) found++;
	87
44e90dfa WB	88	if (found == 0)
	89	{
	90	SPF_dns_rr_dup(&spfrr, &srr);
	91	return spfrr;
	92	}
	93
4533e306	94	srr.rr = store_malloc(sizeof(SPF_dns_rr_data_t) * found);
4533e306 JH	95
	96	found = 0;
	97	for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
	98	rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
	99	if (rr->type == rr_type)
	100	{
	101	const uschar * s = rr->data;
	102
	103	srr.ttl = rr->ttl;
	104	switch(rr_type)
b8e97684	105	{
4533e306	106	case T_MX:
44e90dfa	107	s += 2; /* skip the MX precedence field */
4533e306	108	case T_PTR:
b8e97684	109	{
4533e306 JH	110	uschar * buf = store_malloc(256);
	111	(void)dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, s,
	112	(DN_EXPAND_ARG4_TYPE)buf, 256);
	113	s = buf;
	114	break;
	115	}
	116
	117	case T_TXT:
	118	{
	119	gstring * g = NULL;
	120	uschar chunk_len;
4a3709fb	121
85e453f6	122	if (strncmpic(rr->data+1, US SPF_VER_STR, 6) != 0)
4a3709fb	123	{
4533e306 JH	124	HDEBUG(D_host_lookup) debug_printf("not an spf record\n");
4533e306 JH	125	continue;
4a3709fb WB	126	}
4a3709fb WB	127
4533e306	128	for (int off = 0; off < rr->size; off += chunk_len)
4a3709fb	129	{
4533e306 JH	130	if (!(chunk_len = s[off++])) break;
4533e306 JH	131	g = string_catn(g, s+off, chunk_len);
4a3709fb	132	}
4533e306 JH	133	if (!g)
	134	continue;
	135	gstring_release_unused(g);
	136	s = string_copy_malloc(string_from_gstring(g));
	137	break;
b8e97684	138	}
b8e97684	139
4533e306 JH	140	case T_A:
	141	case T_AAAA:
	142	default:
	143	{
	144	uschar * buf = store_malloc(dnsa->answerlen + 1);
	145	s = memcpy(buf, s, dnsa->answerlen + 1);
	146	break;
	147	}
b8e97684	148	}
4533e306 JH	149	DEBUG(D_receive) debug_printf("SPF_dns_exim_lookup '%s'\n", s);
	150	srr.rr[found++] = (void *) s;
	151	}
b8e97684	152
44e90dfa	153	srr.num_rr = found;
4533e306 JH	154	/* spfrr->rr must have been malloc()d for this */
4533e306 JH	155	SPF_dns_rr_dup(&spfrr, &srr);
b8e97684 JH	156	return spfrr;
	157	}
	158
	159
	160
	161	SPF_dns_server_t *
	162	SPF_dns_exim_new(int debug)
	163	{
4533e306	164	SPF_dns_server_t * spf_dns_server = store_malloc(sizeof(SPF_dns_server_t));
b8e97684 JH	165
	166	DEBUG(D_receive) debug_printf("SPF_dns_exim_new\n");
	167
b8e97684	168	memset(spf_dns_server, 0, sizeof(SPF_dns_server_t));
b8e97684 JH	169	spf_dns_server->destroy = NULL;
	170	spf_dns_server->lookup = SPF_dns_exim_lookup;
	171	spf_dns_server->get_spf = NULL;
	172	spf_dns_server->get_exp = NULL;
	173	spf_dns_server->add_cache = NULL;
	174	spf_dns_server->layer_below = NULL;
	175	spf_dns_server->name = "exim";
	176	spf_dns_server->debug = debug;
	177
	178	/* XXX This might have to return NO_DATA sometimes. */
	179
	180	spf_nxdomain = SPF_dns_rr_new_init(spf_dns_server,
	181	"", ns_t_any, 24 * 60 * 60, HOST_NOT_FOUND);
	182	if (!spf_nxdomain)
	183	{
	184	free(spf_dns_server);
	185	return NULL;
	186	}
	187
	188	return spf_dns_server;
	189	}
	190
	191
eb52e2cb	192
8e669ac1	193
73ec116f JH	194	/* Construct the SPF library stack.
	195	Return: Boolean success.
	196	*/
8e669ac1	197
eb52e2cb	198	BOOL
73ec116f	199	spf_init(void)
eb52e2cb	200	{
b8e97684	201	SPF_dns_server_t * dc;
73ec116f	202	int debug = 0;
b8e97684	203
73ec116f	204	DEBUG(D_receive) debug = 1;
b8e97684 JH	205
	206	/* We insert our own DNS access layer rather than letting the spf library
	207	do it, so that our dns access path is used for debug tracing and for the
	208	testsuite. */
8e669ac1	209
b8e97684 JH	210	if (!(dc = SPF_dns_exim_new(debug)))
	211	{
	212	DEBUG(D_receive) debug_printf("spf: SPF_dns_exim_new() failed\n");
	213	return FALSE;
	214	}
	215	if (!(dc = SPF_dns_cache_new(dc, NULL, debug, 8)))
	216	{
	217	DEBUG(D_receive) debug_printf("spf: SPF_dns_cache_new() failed\n");
	218	return FALSE;
	219	}
	220	if (!(spf_server = SPF_server_new_dns(dc, debug)))
eb52e2cb JH	221	{
	222	DEBUG(D_receive) debug_printf("spf: SPF_server_new() failed.\n");
	223	return FALSE;
8523533c	224	}
05e4f4de HSHR	225	/* Quick hack to override the outdated explanation URL.
	226	See https://www.mail-archive.com/mailop@mailop.org/msg08019.html */
	227	SPF_server_set_explanation(spf_server, "Please%_see%_http://www.open-spf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}", &spf_response);
	228	if (SPF_response_errcode(spf_response) != SPF_E_SUCCESS)
	229	log_write(0, LOG_MAIN\|LOG_PANIC_DIE, "%s", SPF_strerror(SPF_response_errcode(spf_response)));
	230
73ec116f JH	231	return TRUE;
	232	}
	233
	234
	235	/* Set up a context that can be re-used for several
	236	messages on the same SMTP connection (that come from the
	237	same host with the same HELO string).
	238
	239	Return: Boolean success
	240	*/
	241
	242	BOOL
	243	spf_conn_init(uschar * spf_helo_domain, uschar * spf_remote_addr)
	244	{
	245	DEBUG(D_receive)
	246	debug_printf("spf_conn_init: %s %s\n", spf_helo_domain, spf_remote_addr);
	247
	248	if (!spf_server && !spf_init()) return FALSE;
8523533c	249
eb52e2cb JH	250	if (SPF_server_set_rec_dom(spf_server, CS primary_hostname))
	251	{
	252	DEBUG(D_receive) debug_printf("spf: SPF_server_set_rec_dom(\"%s\") failed.\n",
	253	primary_hostname);
	254	spf_server = NULL;
	255	return FALSE;
7b3a77e5 TK	256	}
7b3a77e5 TK	257
eb52e2cb JH	258	spf_request = SPF_request_new(spf_server);
	259
	260	if ( SPF_request_set_ipv4_str(spf_request, CS spf_remote_addr)
	261	&& SPF_request_set_ipv6_str(spf_request, CS spf_remote_addr)
	262	)
	263	{
	264	DEBUG(D_receive)
	265	debug_printf("spf: SPF_request_set_ipv4_str() and "
	266	"SPF_request_set_ipv6_str() failed [%s]\n", spf_remote_addr);
	267	spf_server = NULL;
	268	spf_request = NULL;
	269	return FALSE;
8523533c TK	270	}
8523533c TK	271
eb52e2cb JH	272	if (SPF_request_set_helo_dom(spf_request, CS spf_helo_domain))
	273	{
	274	DEBUG(D_receive) debug_printf("spf: SPF_set_helo_dom(\"%s\") failed.\n",
	275	spf_helo_domain);
	276	spf_server = NULL;
	277	spf_request = NULL;
	278	return FALSE;
8523533c	279	}
8e669ac1	280
eb52e2cb	281	return TRUE;
8523533c TK	282	}
	283
	284
	285	/* spf_process adds the envelope sender address to the existing
	286	context (if any), retrieves the result, sets up expansion
eb52e2cb	287	strings and evaluates the condition outcome.
f9ba5e22	288
eb52e2cb JH	289	Return: OK/FAIL */
	290
	291	int
	292	spf_process(const uschar *listptr, uschar spf_envelope_sender, int action)
	293	{
	294	int sep = 0;
	295	const uschar list = listptr;
	296	uschar *spf_result_id;
	297	int rc = SPF_RESULT_PERMERROR;
	298
b8e97684 JH	299	DEBUG(D_receive) debug_printf("spf_process\n");
b8e97684 JH	300
eb52e2cb JH	301	if (!(spf_server && spf_request))
	302	/* no global context, assume temp error and skip to evaluation */
	303	rc = SPF_RESULT_PERMERROR;
	304
	305	else if (SPF_request_set_env_from(spf_request, CS spf_envelope_sender))
aded2255	306	/* Invalid sender address. This should be a real rare occurrence */
eb52e2cb JH	307	rc = SPF_RESULT_PERMERROR;
	308
	309	else
	310	{
8523533c	311	/* get SPF result */
65a7d8c3	312	if (action == SPF_PROCESS_FALLBACK)
87e9d061	313	{
7156b1ef	314	SPF_request_query_fallback(spf_request, &spf_response, CS spf_guess);
87e9d061 JH	315	spf_result_guessed = TRUE;
87e9d061 JH	316	}
65a7d8c3 NM	317	else
65a7d8c3 NM	318	SPF_request_query_mailfrom(spf_request, &spf_response);
8523533c TK	319
8523533c TK	320	/* set up expansion items */
5903c6ff JH	321	spf_header_comment = US SPF_response_get_header_comment(spf_response);
	322	spf_received = US SPF_response_get_received_spf(spf_response);
	323	spf_result = US SPF_strresult(SPF_response_result(spf_response));
	324	spf_smtp_comment = US SPF_response_get_smtp_comment(spf_response);
8523533c	325
384152a6	326	rc = SPF_response_result(spf_response);
eb52e2cb JH	327	}
	328
	329	/* We got a result. Now see if we should return OK or FAIL for it */
	330	DEBUG(D_acl) debug_printf("SPF result is %s (%d)\n", SPF_strresult(rc), rc);
	331
	332	if (action == SPF_PROCESS_GUESS && (!strcmp (SPF_strresult(rc), "none")))
	333	return spf_process(listptr, spf_envelope_sender, SPF_PROCESS_FALLBACK);
	334
	335	while ((spf_result_id = string_nextinlist(&list, &sep, NULL, 0)))
	336	{
	337	BOOL negate, result;
	338
	339	if ((negate = spf_result_id[0] == '!'))
	340	spf_result_id++;
	341
	342	result = Ustrcmp(spf_result_id, spf_result_id_list[rc].name) == 0;
	343	if (negate != result) return OK;
	344	}
8523533c	345
eb52e2cb JH	346	/* no match */
eb52e2cb JH	347	return FAIL;
8523533c TK	348	}
8523533c TK	349
dfbcb5ac JH	350
	351
	352	gstring *
	353	authres_spf(gstring * g)
	354	{
87e9d061	355	uschar * s;
dfbcb5ac JH	356	if (!spf_result) return g;
dfbcb5ac JH	357
87e9d061 JH	358	g = string_append(g, 2, US";\n\tspf=", spf_result);
	359	if (spf_result_guessed)
	360	g = string_cat(g, US" (best guess record for domain)");
	361
	362	s = expand_string(US"$sender_address_domain");
	363	return s && *s
	364	? string_append(g, 2, US" smtp.mailfrom=", s)
	365	: string_cat(g, US" smtp.mailfrom=<>");
dfbcb5ac JH	366	}
	367
	368
8523533c	369	#endif