[exim.git] / src / src / spf.c

/*************************************************
*     Exim - an Internet mail transport agent    *
*************************************************/

/* SPF support.
   Copyright (c) Tom Kistner <tom@duncanthrax.net> 2004 - 2014
   License: GPL
   Copyright (c) The Exim Maintainers 2015 - 2019
*/

/* Code for calling spf checks via libspf-alt. Called from acl.c. */

#include "exim.h"
#ifdef SUPPORT_SPF

/* must be kept in numeric order */
static spf_result_id spf_result_id_list[] = {
  /* name		value */
  { US"invalid",	0},
  { US"neutral",	1 },
  { US"pass",		2 },
  { US"fail",		3 },
  { US"softfail",	4 },
  { US"none",		5 },
  { US"temperror",	6 }, /* RFC 4408 defined */
  { US"permerror",	7 }  /* RFC 4408 defined */
};

SPF_server_t    *spf_server = NULL;
SPF_request_t   *spf_request = NULL;
SPF_response_t  *spf_response = NULL;
SPF_response_t  *spf_response_2mx = NULL;

SPF_dns_rr_t  * spf_nxdomain = NULL;


static SPF_dns_rr_t *
SPF_dns_exim_lookup(SPF_dns_server_t *spf_dns_server,
const char *domain, ns_type rr_type, int should_cache)
{
dns_answer * dnsa = store_get_dns_answer();
dns_scan dnss;
SPF_dns_rr_t * spfrr;

DEBUG(D_receive) debug_printf("SPF_dns_exim_lookup\n");

if (dns_lookup(dnsa, US domain, rr_type, NULL) == DNS_SUCCEED)
  for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
       rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
    if (  rr->type == rr_type
       && Ustrncmp(rr->data+1, "v=spf1", 6) == 0)
      {
      gstring * g = NULL;
      uschar chunk_len;
      uschar * s;
      SPF_dns_rr_t srr = {
	.domain = CS rr->name,			/* query information */
	.domain_buf_len = DNS_MAXNAME,
	.rr_type = rr->type,

	.num_rr = 1,				/* answer information */
	.rr = NULL,
	.rr_buf_len = 0,
	.rr_buf_num = 0,
	.ttl = rr->ttl,
	.utc_ttl = 0,
	.herrno = NETDB_SUCCESS,

	.hook = NULL,				/* misc information */
	.source = spf_dns_server
      };

      for (int off = 0; off < rr->size; off += chunk_len)
	{
	chunk_len = (rr->data)[off++];
	g = string_catn(g, US ((rr->data)+off), chunk_len);
	}
      if (!g)
	{
	HDEBUG(D_host_lookup) debug_printf("IP address lookup yielded an "
	  "empty name: treated as non-existent host name\n");
	continue;
	}
      gstring_release_unused(g);
      s = string_copy_malloc(string_from_gstring(g));
      srr.rr = (void *) &s;

      /* spfrr->rr must have been malloc()d for this */
      SPF_dns_rr_dup(&spfrr, &srr);

      return spfrr;
      }

SPF_dns_rr_dup(&spfrr, spf_nxdomain);
return spfrr;
}


SPF_dns_server_t *
SPF_dns_exim_new(int debug)
{
SPF_dns_server_t *spf_dns_server;

DEBUG(D_receive) debug_printf("SPF_dns_exim_new\n");

if (!(spf_dns_server = malloc(sizeof(SPF_dns_server_t))))
  return NULL;
memset(spf_dns_server, 0, sizeof(SPF_dns_server_t));

spf_dns_server->destroy      = NULL;
spf_dns_server->lookup       = SPF_dns_exim_lookup;
spf_dns_server->get_spf      = NULL;
spf_dns_server->get_exp      = NULL;
spf_dns_server->add_cache    = NULL;
spf_dns_server->layer_below  = NULL;
spf_dns_server->name         = "exim";
spf_dns_server->debug        = debug;

/* XXX This might have to return NO_DATA sometimes. */

spf_nxdomain = SPF_dns_rr_new_init(spf_dns_server,
  "", ns_t_any, 24 * 60 * 60, HOST_NOT_FOUND);
if (!spf_nxdomain)
  {
  free(spf_dns_server);
  return NULL;
  }

return spf_dns_server;
}


/* Construct the SPF library stack.
   Return: Boolean success.
*/

BOOL
spf_init(void)
{
SPF_dns_server_t * dc;
int debug = 0;

DEBUG(D_receive) debug = 1;

/* We insert our own DNS access layer rather than letting the spf library
do it, so that our dns access path is used for debug tracing and for the
testsuite. */

if (!(dc = SPF_dns_exim_new(debug)))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_dns_exim_new() failed\n");
  return FALSE;
  }
if (!(dc = SPF_dns_cache_new(dc, NULL, debug, 8)))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_dns_cache_new() failed\n");
  return FALSE;
  }
if (!(spf_server = SPF_server_new_dns(dc, debug)))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_server_new() failed.\n");
  return FALSE;
  }
return TRUE;
}


/* Set up a context that can be re-used for several
   messages on the same SMTP connection (that come from the
   same host with the same HELO string).

Return: Boolean success
*/

BOOL
spf_conn_init(uschar * spf_helo_domain, uschar * spf_remote_addr)
{
DEBUG(D_receive)
  debug_printf("spf_conn_init: %s %s\n", spf_helo_domain, spf_remote_addr);

if (!spf_server && !spf_init()) return FALSE;

if (SPF_server_set_rec_dom(spf_server, CS primary_hostname))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_server_set_rec_dom(\"%s\") failed.\n",
    primary_hostname);
  spf_server = NULL;
  return FALSE;
  }

spf_request = SPF_request_new(spf_server);

if (  SPF_request_set_ipv4_str(spf_request, CS spf_remote_addr)
   && SPF_request_set_ipv6_str(spf_request, CS spf_remote_addr)
   )
  {
  DEBUG(D_receive)
    debug_printf("spf: SPF_request_set_ipv4_str() and "
      "SPF_request_set_ipv6_str() failed [%s]\n", spf_remote_addr);
  spf_server = NULL;
  spf_request = NULL;
  return FALSE;
  }

if (SPF_request_set_helo_dom(spf_request, CS spf_helo_domain))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_set_helo_dom(\"%s\") failed.\n",
    spf_helo_domain);
  spf_server = NULL;
  spf_request = NULL;
  return FALSE;
  }

return TRUE;
}


/* spf_process adds the envelope sender address to the existing
   context (if any), retrieves the result, sets up expansion
   strings and evaluates the condition outcome.

Return: OK/FAIL  */

int
spf_process(const uschar **listptr, uschar *spf_envelope_sender, int action)
{
int sep = 0;
const uschar *list = *listptr;
uschar *spf_result_id;
int rc = SPF_RESULT_PERMERROR;

DEBUG(D_receive) debug_printf("spf_process\n");

if (!(spf_server && spf_request))
  /* no global context, assume temp error and skip to evaluation */
  rc = SPF_RESULT_PERMERROR;

else if (SPF_request_set_env_from(spf_request, CS spf_envelope_sender))
  /* Invalid sender address. This should be a real rare occurrence */
  rc = SPF_RESULT_PERMERROR;

else
  {
  /* get SPF result */
  if (action == SPF_PROCESS_FALLBACK)
    {
    SPF_request_query_fallback(spf_request, &spf_response, CS spf_guess);
    spf_result_guessed = TRUE;
    }
  else
    SPF_request_query_mailfrom(spf_request, &spf_response);

  /* set up expansion items */
  spf_header_comment     = US SPF_response_get_header_comment(spf_response);
  spf_received           = US SPF_response_get_received_spf(spf_response);
  spf_result             = US SPF_strresult(SPF_response_result(spf_response));
  spf_smtp_comment       = US SPF_response_get_smtp_comment(spf_response);

  rc = SPF_response_result(spf_response);
  }

/* We got a result. Now see if we should return OK or FAIL for it */
DEBUG(D_acl) debug_printf("SPF result is %s (%d)\n", SPF_strresult(rc), rc);

if (action == SPF_PROCESS_GUESS && (!strcmp (SPF_strresult(rc), "none")))
  return spf_process(listptr, spf_envelope_sender, SPF_PROCESS_FALLBACK);

while ((spf_result_id = string_nextinlist(&list, &sep, NULL, 0)))
  {
  BOOL negate, result;

  if ((negate = spf_result_id[0] == '!'))
    spf_result_id++;

  result = Ustrcmp(spf_result_id, spf_result_id_list[rc].name) == 0;
  if (negate != result) return OK;
  }

/* no match */
return FAIL;
}


gstring *
authres_spf(gstring * g)
{
uschar * s;
if (!spf_result) return g;

g = string_append(g, 2, US";\n\tspf=", spf_result);
if (spf_result_guessed)
  g = string_cat(g, US" (best guess record for domain)");

s = expand_string(US"$sender_address_domain");
return s && *s
  ? string_append(g, 2, US" smtp.mailfrom=", s)
  : string_cat(g, US" smtp.mailfrom=<>");
}


#endif
Commit	Line	Data
	1	/*************************************************
	2	* Exim - an Internet mail transport agent *
	3	*************************************************/
	4
	5	/* SPF support.
	6	Copyright (c) Tom Kistner <tom@duncanthrax.net> 2004 - 2014
	7	License: GPL
	8	Copyright (c) The Exim Maintainers 2015 - 2019
	9	*/
	10
	11	/* Code for calling spf checks via libspf-alt. Called from acl.c. */
	12
	13	#include "exim.h"
	14	#ifdef SUPPORT_SPF
	15
	16	/* must be kept in numeric order */
	17	static spf_result_id spf_result_id_list[] = {
	18	/* name value */
	19	{ US"invalid", 0},
	20	{ US"neutral", 1 },
	21	{ US"pass", 2 },
	22	{ US"fail", 3 },
	23	{ US"softfail", 4 },
	24	{ US"none", 5 },
	25	{ US"temperror", 6 }, /* RFC 4408 defined */
	26	{ US"permerror", 7 } /* RFC 4408 defined */
	27	};
	28
	29	SPF_server_t *spf_server = NULL;
	30	SPF_request_t *spf_request = NULL;
	31	SPF_response_t *spf_response = NULL;
	32	SPF_response_t *spf_response_2mx = NULL;
	33
	34	SPF_dns_rr_t * spf_nxdomain = NULL;
	35
	36
	37
	38	static SPF_dns_rr_t *
	39	SPF_dns_exim_lookup(SPF_dns_server_t *spf_dns_server,
	40	const char *domain, ns_type rr_type, int should_cache)
	41	{
	42	dns_answer * dnsa = store_get_dns_answer();
	43	dns_scan dnss;
	44	SPF_dns_rr_t * spfrr;
	45
	46	DEBUG(D_receive) debug_printf("SPF_dns_exim_lookup\n");
	47
	48	if (dns_lookup(dnsa, US domain, rr_type, NULL) == DNS_SUCCEED)
	49	for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
	50	rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
	51	if ( rr->type == rr_type
	52	&& Ustrncmp(rr->data+1, "v=spf1", 6) == 0)
	53	{
	54	gstring * g = NULL;
	55	uschar chunk_len;
	56	uschar * s;
	57	SPF_dns_rr_t srr = {
	58	.domain = CS rr->name, /* query information */
	59	.domain_buf_len = DNS_MAXNAME,
	60	.rr_type = rr->type,
	61
	62	.num_rr = 1, /* answer information */
	63	.rr = NULL,
	64	.rr_buf_len = 0,
	65	.rr_buf_num = 0,
	66	.ttl = rr->ttl,
	67	.utc_ttl = 0,
	68	.herrno = NETDB_SUCCESS,
	69
	70	.hook = NULL, /* misc information */
	71	.source = spf_dns_server
	72	};
	73
	74	for (int off = 0; off < rr->size; off += chunk_len)
	75	{
	76	chunk_len = (rr->data)[off++];
	77	g = string_catn(g, US ((rr->data)+off), chunk_len);
	78	}
	79	if (!g)
	80	{
	81	HDEBUG(D_host_lookup) debug_printf("IP address lookup yielded an "
	82	"empty name: treated as non-existent host name\n");
	83	continue;
	84	}
	85	gstring_release_unused(g);
	86	s = string_copy_malloc(string_from_gstring(g));
	87	srr.rr = (void *) &s;
	88
	89	/* spfrr->rr must have been malloc()d for this */
	90	SPF_dns_rr_dup(&spfrr, &srr);
	91
	92	return spfrr;
	93	}
	94
	95	SPF_dns_rr_dup(&spfrr, spf_nxdomain);
	96	return spfrr;
	97	}
	98
	99
	100
	101	SPF_dns_server_t *
	102	SPF_dns_exim_new(int debug)
	103	{
	104	SPF_dns_server_t *spf_dns_server;
	105
	106	DEBUG(D_receive) debug_printf("SPF_dns_exim_new\n");
	107
	108	if (!(spf_dns_server = malloc(sizeof(SPF_dns_server_t))))
	109	return NULL;
	110	memset(spf_dns_server, 0, sizeof(SPF_dns_server_t));
	111
	112	spf_dns_server->destroy = NULL;
	113	spf_dns_server->lookup = SPF_dns_exim_lookup;
	114	spf_dns_server->get_spf = NULL;
	115	spf_dns_server->get_exp = NULL;
	116	spf_dns_server->add_cache = NULL;
	117	spf_dns_server->layer_below = NULL;
	118	spf_dns_server->name = "exim";
	119	spf_dns_server->debug = debug;
	120
	121	/* XXX This might have to return NO_DATA sometimes. */
	122
	123	spf_nxdomain = SPF_dns_rr_new_init(spf_dns_server,
	124	"", ns_t_any, 24 * 60 * 60, HOST_NOT_FOUND);
	125	if (!spf_nxdomain)
	126	{
	127	free(spf_dns_server);
	128	return NULL;
	129	}
	130
	131	return spf_dns_server;
	132	}
	133
	134
	135
	136
	137	/* Construct the SPF library stack.
	138	Return: Boolean success.
	139	*/
	140
	141	BOOL
	142	spf_init(void)
	143	{
	144	SPF_dns_server_t * dc;
	145	int debug = 0;
	146
	147	DEBUG(D_receive) debug = 1;
	148
	149	/* We insert our own DNS access layer rather than letting the spf library
	150	do it, so that our dns access path is used for debug tracing and for the
	151	testsuite. */
	152
	153	if (!(dc = SPF_dns_exim_new(debug)))
	154	{
	155	DEBUG(D_receive) debug_printf("spf: SPF_dns_exim_new() failed\n");
	156	return FALSE;
	157	}
	158	if (!(dc = SPF_dns_cache_new(dc, NULL, debug, 8)))
	159	{
	160	DEBUG(D_receive) debug_printf("spf: SPF_dns_cache_new() failed\n");
	161	return FALSE;
	162	}
	163	if (!(spf_server = SPF_server_new_dns(dc, debug)))
	164	{
	165	DEBUG(D_receive) debug_printf("spf: SPF_server_new() failed.\n");
	166	return FALSE;
	167	}
	168	return TRUE;
	169	}
	170
	171
	172	/* Set up a context that can be re-used for several
	173	messages on the same SMTP connection (that come from the
	174	same host with the same HELO string).
	175
	176	Return: Boolean success
	177	*/
	178
	179	BOOL
	180	spf_conn_init(uschar * spf_helo_domain, uschar * spf_remote_addr)
	181	{
	182	DEBUG(D_receive)
	183	debug_printf("spf_conn_init: %s %s\n", spf_helo_domain, spf_remote_addr);
	184
	185	if (!spf_server && !spf_init()) return FALSE;
	186
	187	if (SPF_server_set_rec_dom(spf_server, CS primary_hostname))
	188	{
	189	DEBUG(D_receive) debug_printf("spf: SPF_server_set_rec_dom(\"%s\") failed.\n",
	190	primary_hostname);
	191	spf_server = NULL;
	192	return FALSE;
	193	}
	194
	195	spf_request = SPF_request_new(spf_server);
	196
	197	if ( SPF_request_set_ipv4_str(spf_request, CS spf_remote_addr)
	198	&& SPF_request_set_ipv6_str(spf_request, CS spf_remote_addr)
	199	)
	200	{
	201	DEBUG(D_receive)
	202	debug_printf("spf: SPF_request_set_ipv4_str() and "
	203	"SPF_request_set_ipv6_str() failed [%s]\n", spf_remote_addr);
	204	spf_server = NULL;
	205	spf_request = NULL;
	206	return FALSE;
	207	}
	208
	209	if (SPF_request_set_helo_dom(spf_request, CS spf_helo_domain))
	210	{
	211	DEBUG(D_receive) debug_printf("spf: SPF_set_helo_dom(\"%s\") failed.\n",
	212	spf_helo_domain);
	213	spf_server = NULL;
	214	spf_request = NULL;
	215	return FALSE;
	216	}
	217
	218	return TRUE;
	219	}
	220
	221
	222	/* spf_process adds the envelope sender address to the existing
	223	context (if any), retrieves the result, sets up expansion
	224	strings and evaluates the condition outcome.
	225
	226	Return: OK/FAIL */
	227
	228	int
	229	spf_process(const uschar *listptr, uschar spf_envelope_sender, int action)
	230	{
	231	int sep = 0;
	232	const uschar list = listptr;
	233	uschar *spf_result_id;
	234	int rc = SPF_RESULT_PERMERROR;
	235
	236	DEBUG(D_receive) debug_printf("spf_process\n");
	237
	238	if (!(spf_server && spf_request))
	239	/* no global context, assume temp error and skip to evaluation */
	240	rc = SPF_RESULT_PERMERROR;
	241
	242	else if (SPF_request_set_env_from(spf_request, CS spf_envelope_sender))
	243	/* Invalid sender address. This should be a real rare occurrence */
	244	rc = SPF_RESULT_PERMERROR;
	245
	246	else
	247	{
	248	/* get SPF result */
	249	if (action == SPF_PROCESS_FALLBACK)
	250	{
	251	SPF_request_query_fallback(spf_request, &spf_response, CS spf_guess);
	252	spf_result_guessed = TRUE;
	253	}
	254	else
	255	SPF_request_query_mailfrom(spf_request, &spf_response);
	256
	257	/* set up expansion items */
	258	spf_header_comment = US SPF_response_get_header_comment(spf_response);
	259	spf_received = US SPF_response_get_received_spf(spf_response);
	260	spf_result = US SPF_strresult(SPF_response_result(spf_response));
	261	spf_smtp_comment = US SPF_response_get_smtp_comment(spf_response);
	262
	263	rc = SPF_response_result(spf_response);
	264	}
	265
	266	/* We got a result. Now see if we should return OK or FAIL for it */
	267	DEBUG(D_acl) debug_printf("SPF result is %s (%d)\n", SPF_strresult(rc), rc);
	268
	269	if (action == SPF_PROCESS_GUESS && (!strcmp (SPF_strresult(rc), "none")))
	270	return spf_process(listptr, spf_envelope_sender, SPF_PROCESS_FALLBACK);
	271
	272	while ((spf_result_id = string_nextinlist(&list, &sep, NULL, 0)))
	273	{
	274	BOOL negate, result;
	275
	276	if ((negate = spf_result_id[0] == '!'))
	277	spf_result_id++;
	278
	279	result = Ustrcmp(spf_result_id, spf_result_id_list[rc].name) == 0;
	280	if (negate != result) return OK;
	281	}
	282
	283	/* no match */
	284	return FAIL;
	285	}
	286
	287
	288
	289	gstring *
	290	authres_spf(gstring * g)
	291	{
	292	uschar * s;
	293	if (!spf_result) return g;
	294
	295	g = string_append(g, 2, US";\n\tspf=", spf_result);
	296	if (spf_result_guessed)
	297	g = string_cat(g, US" (best guess record for domain)");
	298
	299	s = expand_string(US"$sender_address_domain");
	300	return s && *s
	301	? string_append(g, 2, US" smtp.mailfrom=", s)
	302	: string_cat(g, US" smtp.mailfrom=<>");
	303	}
	304
	305
	306	#endif