[exim.git] / src / src / spf.c

/*************************************************
*     Exim - an Internet mail transport agent    *
*************************************************/

/* SPF support.
   Copyright (c) Tom Kistner <tom@duncanthrax.net> 2004 - 2014
   License: GPL
   Copyright (c) The Exim Maintainers 2015 - 2020
*/

/* Code for calling spf checks via libspf-alt. Called from acl.c. */

#include "exim.h"
#ifdef SUPPORT_SPF

/* must be kept in numeric order */
static spf_result_id spf_result_id_list[] = {
  /* name		value */
  { US"invalid",	0},
  { US"neutral",	1 },
  { US"pass",		2 },
  { US"fail",		3 },
  { US"softfail",	4 },
  { US"none",		5 },
  { US"temperror",	6 }, /* RFC 4408 defined */
  { US"permerror",	7 }  /* RFC 4408 defined */
};

SPF_server_t    *spf_server = NULL;
SPF_request_t   *spf_request = NULL;
SPF_response_t  *spf_response = NULL;
SPF_response_t  *spf_response_2mx = NULL;

SPF_dns_rr_t  * spf_nxdomain = NULL;


void
spf_lib_version_report(FILE * fp)
{
int maj, min, patch;
SPF_get_lib_version(&maj, &min, &patch);
fprintf(fp, "Library version: spf2: Compile: %d.%d.%d\n",
	SPF_LIB_VERSION_MAJOR, SPF_LIB_VERSION_MINOR, SPF_LIB_VERSION_PATCH);
fprintf(fp, "                       Runtime: %d.%d.%d\n",
	 maj, min, patch);
}


static SPF_dns_rr_t *
SPF_dns_exim_lookup(SPF_dns_server_t *spf_dns_server,
  const char *domain, ns_type rr_type, int should_cache)
{
dns_answer * dnsa = store_get_dns_answer();
dns_scan dnss;
SPF_dns_rr_t * spfrr;
unsigned found = 0;

SPF_dns_rr_t srr = {
  .domain = CS domain,			/* query information */
  .domain_buf_len = 0,
  .rr_type = rr_type,

  .rr_buf_len = 0,			/* answer information */
  .rr_buf_num = 0, /* no free of s */
  .utc_ttl = 0,

  .hook = NULL,				/* misc information */
  .source = spf_dns_server
};
int dns_rc;

DEBUG(D_receive) debug_printf("SPF_dns_exim_lookup '%s'\n", domain);

/* Shortcircuit SPF RR lookups by returning NO_DATA.  They were obsoleted by
RFC 6686/7208 years ago. see bug #1294 */

if (rr_type == T_SPF)
  {
  HDEBUG(D_host_lookup) debug_printf("faking NO_DATA for SPF RR(99) lookup\n");
  srr.herrno = NO_DATA;
  SPF_dns_rr_dup(&spfrr, &srr);
  return spfrr;
  }

switch (dns_rc = dns_lookup(dnsa, US domain, rr_type, NULL))
  {
  case DNS_SUCCEED:	srr.herrno = NETDB_SUCCESS;	break;
  case DNS_AGAIN:	srr.herrno = TRY_AGAIN;		break;
  case DNS_NOMATCH:	srr.herrno = HOST_NOT_FOUND;	break;
  case DNS_NODATA:	srr.herrno = NO_DATA;		break;
  case DNS_FAIL:
  default:		srr.herrno = NO_RECOVERY;	break;
  } 

for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
     rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
  if (rr->type == rr_type) found++;

if (found == 0)
  {
  SPF_dns_rr_dup(&spfrr, &srr);
  return spfrr;
  }

srr.rr = store_malloc(sizeof(SPF_dns_rr_data_t) * found);

found = 0;
for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
   rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
  if (rr->type == rr_type)
    {
    const uschar * s = rr->data;

    srr.ttl = rr->ttl;
    switch(rr_type)
      {
      case T_MX:
	s += 2;	/* skip the MX precedence field */
      case T_PTR:
	{
	uschar * buf = store_malloc(256);
	(void)dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, s,
	  (DN_EXPAND_ARG4_TYPE)buf, 256);
	s = buf;
	break;
	}

      case T_TXT:
	{
	gstring * g = NULL;
	uschar chunk_len;

	if (strncmpic(rr->data+1, US SPF_VER_STR, 6) != 0)
	  {
	  HDEBUG(D_host_lookup) debug_printf("not an spf record: %.*s\n",
	    (int) s[0], s+1);
	  continue;
	  }

	for (int off = 0; off < rr->size; off += chunk_len)
	  {
	  if (!(chunk_len = s[off++])) break;
	  g = string_catn(g, s+off, chunk_len);
	  }
	if (!g)
	  continue;
	gstring_release_unused(g);
	s = string_copy_malloc(string_from_gstring(g));
	DEBUG(D_receive) debug_printf("SPF_dns_exim_lookup '%s'\n", s);
	break;
	}

      case T_A:
      case T_AAAA:
      default:
	{
	uschar * buf = store_malloc(dnsa->answerlen + 1);
	s = memcpy(buf, s, dnsa->answerlen + 1);
	break;
	}
      }
    srr.rr[found++] = (void *) s;
    }

/* Did we filter out all TXT RRs? Return NO_DATA instead of SUCCESS with
empty ANSWER section. */

if (!(srr.num_rr = found))
  srr.herrno = NO_DATA;

/* spfrr->rr must have been malloc()d for this */
SPF_dns_rr_dup(&spfrr, &srr);
return spfrr;
}


SPF_dns_server_t *
SPF_dns_exim_new(int debug)
{
SPF_dns_server_t * spf_dns_server = store_malloc(sizeof(SPF_dns_server_t));

DEBUG(D_receive) debug_printf("SPF_dns_exim_new\n");

memset(spf_dns_server, 0, sizeof(SPF_dns_server_t));
spf_dns_server->destroy      = NULL;
spf_dns_server->lookup       = SPF_dns_exim_lookup;
spf_dns_server->get_spf      = NULL;
spf_dns_server->get_exp      = NULL;
spf_dns_server->add_cache    = NULL;
spf_dns_server->layer_below  = NULL;
spf_dns_server->name         = "exim";
spf_dns_server->debug        = debug;

/* XXX This might have to return NO_DATA sometimes. */

spf_nxdomain = SPF_dns_rr_new_init(spf_dns_server,
  "", ns_t_any, 24 * 60 * 60, HOST_NOT_FOUND);
if (!spf_nxdomain)
  {
  free(spf_dns_server);
  return NULL;
  }

return spf_dns_server;
}


/* Construct the SPF library stack.
   Return: Boolean success.
*/

BOOL
spf_init(void)
{
SPF_dns_server_t * dc;
int debug = 0;

DEBUG(D_receive) debug = 1;

/* We insert our own DNS access layer rather than letting the spf library
do it, so that our dns access path is used for debug tracing and for the
testsuite. */

if (!(dc = SPF_dns_exim_new(debug)))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_dns_exim_new() failed\n");
  return FALSE;
  }
if (!(dc = SPF_dns_cache_new(dc, NULL, debug, 8)))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_dns_cache_new() failed\n");
  return FALSE;
  }
if (!(spf_server = SPF_server_new_dns(dc, debug)))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_server_new() failed.\n");
  return FALSE;
  }
  /* Quick hack to override the outdated explanation URL.
  See https://www.mail-archive.com/mailop@mailop.org/msg08019.html */
  SPF_server_set_explanation(spf_server, "Please%_see%_http://www.open-spf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}", &spf_response);
  if (SPF_response_errcode(spf_response) != SPF_E_SUCCESS)
    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s", SPF_strerror(SPF_response_errcode(spf_response)));

return TRUE;
}


/* Set up a context that can be re-used for several
   messages on the same SMTP connection (that come from the
   same host with the same HELO string).

Return: Boolean success
*/

BOOL
spf_conn_init(uschar * spf_helo_domain, uschar * spf_remote_addr)
{
DEBUG(D_receive)
  debug_printf("spf_conn_init: %s %s\n", spf_helo_domain, spf_remote_addr);

if (!spf_server && !spf_init()) return FALSE;

if (SPF_server_set_rec_dom(spf_server, CS primary_hostname))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_server_set_rec_dom(\"%s\") failed.\n",
    primary_hostname);
  spf_server = NULL;
  return FALSE;
  }

spf_request = SPF_request_new(spf_server);

if (  SPF_request_set_ipv4_str(spf_request, CS spf_remote_addr)
   && SPF_request_set_ipv6_str(spf_request, CS spf_remote_addr)
   )
  {
  DEBUG(D_receive)
    debug_printf("spf: SPF_request_set_ipv4_str() and "
      "SPF_request_set_ipv6_str() failed [%s]\n", spf_remote_addr);
  spf_server = NULL;
  spf_request = NULL;
  return FALSE;
  }

if (SPF_request_set_helo_dom(spf_request, CS spf_helo_domain))
  {
  DEBUG(D_receive) debug_printf("spf: SPF_set_helo_dom(\"%s\") failed.\n",
    spf_helo_domain);
  spf_server = NULL;
  spf_request = NULL;
  return FALSE;
  }

return TRUE;
}


void
spf_response_debug(SPF_response_t * spf_response)
{
if (SPF_response_messages(spf_response) == 0)
  debug_printf(" (no errors)\n");
else for (int i = 0; i < SPF_response_messages(spf_response); i++)
  {
  SPF_error_t * err = SPF_response_message(spf_response, i);
  debug_printf( "%s_msg = (%d) %s\n",
		  (SPF_error_errorp(err) ? "warn" : "err"),
		  SPF_error_code(err),
		  SPF_error_message(err));
  }
}


/* spf_process adds the envelope sender address to the existing
   context (if any), retrieves the result, sets up expansion
   strings and evaluates the condition outcome.

Return: OK/FAIL  */

int
spf_process(const uschar **listptr, uschar *spf_envelope_sender, int action)
{
int sep = 0;
const uschar *list = *listptr;
uschar *spf_result_id;
int rc = SPF_RESULT_PERMERROR;

DEBUG(D_receive) debug_printf("spf_process\n");

if (!(spf_server && spf_request))
  /* no global context, assume temp error and skip to evaluation */
  rc = SPF_RESULT_PERMERROR;

else if (SPF_request_set_env_from(spf_request, CS spf_envelope_sender))
  /* Invalid sender address. This should be a real rare occurrence */
  rc = SPF_RESULT_PERMERROR;

else
  {
  /* get SPF result */
  if (action == SPF_PROCESS_FALLBACK)
    {
    SPF_request_query_fallback(spf_request, &spf_response, CS spf_guess);
    spf_result_guessed = TRUE;
    }
  else
    SPF_request_query_mailfrom(spf_request, &spf_response);

  /* set up expansion items */
  spf_header_comment     = US SPF_response_get_header_comment(spf_response);
  spf_received           = US SPF_response_get_received_spf(spf_response);
  spf_result             = US SPF_strresult(SPF_response_result(spf_response));
  spf_smtp_comment       = US SPF_response_get_smtp_comment(spf_response);

  rc = SPF_response_result(spf_response);

  DEBUG(D_acl) spf_response_debug(spf_response);
  }

/* We got a result. Now see if we should return OK or FAIL for it */
DEBUG(D_acl) debug_printf("SPF result is %s (%d)\n", SPF_strresult(rc), rc);

if (action == SPF_PROCESS_GUESS && (!strcmp (SPF_strresult(rc), "none")))
  return spf_process(listptr, spf_envelope_sender, SPF_PROCESS_FALLBACK);

while ((spf_result_id = string_nextinlist(&list, &sep, NULL, 0)))
  {
  BOOL negate, result;

  if ((negate = spf_result_id[0] == '!'))
    spf_result_id++;

  result = Ustrcmp(spf_result_id, spf_result_id_list[rc].name) == 0;
  if (negate != result) return OK;
  }

/* no match */
return FAIL;
}


gstring *
authres_spf(gstring * g)
{
uschar * s;
if (!spf_result) return g;

g = string_append(g, 2, US";\n\tspf=", spf_result);
if (spf_result_guessed)
  g = string_cat(g, US" (best guess record for domain)");

s = expand_string(US"$sender_address_domain");
return s && *s
  ? string_append(g, 2, US" smtp.mailfrom=", s)
  : string_cat(g, US" smtp.mailfrom=<>");
}


#endif
Commit	Line	Data
	1	/*************************************************
	2	* Exim - an Internet mail transport agent *
	3	*************************************************/
	4
	5	/* SPF support.
	6	Copyright (c) Tom Kistner <tom@duncanthrax.net> 2004 - 2014
	7	License: GPL
	8	Copyright (c) The Exim Maintainers 2015 - 2020
	9	*/
	10
	11	/* Code for calling spf checks via libspf-alt. Called from acl.c. */
	12
	13	#include "exim.h"
	14	#ifdef SUPPORT_SPF
	15
	16	/* must be kept in numeric order */
	17	static spf_result_id spf_result_id_list[] = {
	18	/* name value */
	19	{ US"invalid", 0},
	20	{ US"neutral", 1 },
	21	{ US"pass", 2 },
	22	{ US"fail", 3 },
	23	{ US"softfail", 4 },
	24	{ US"none", 5 },
	25	{ US"temperror", 6 }, /* RFC 4408 defined */
	26	{ US"permerror", 7 } /* RFC 4408 defined */
	27	};
	28
	29	SPF_server_t *spf_server = NULL;
	30	SPF_request_t *spf_request = NULL;
	31	SPF_response_t *spf_response = NULL;
	32	SPF_response_t *spf_response_2mx = NULL;
	33
	34	SPF_dns_rr_t * spf_nxdomain = NULL;
	35
	36
	37	void
	38	spf_lib_version_report(FILE * fp)
	39	{
	40	int maj, min, patch;
	41	SPF_get_lib_version(&maj, &min, &patch);
	42	fprintf(fp, "Library version: spf2: Compile: %d.%d.%d\n",
	43	SPF_LIB_VERSION_MAJOR, SPF_LIB_VERSION_MINOR, SPF_LIB_VERSION_PATCH);
	44	fprintf(fp, " Runtime: %d.%d.%d\n",
	45	maj, min, patch);
	46	}
	47
	48
	49
	50	static SPF_dns_rr_t *
	51	SPF_dns_exim_lookup(SPF_dns_server_t *spf_dns_server,
	52	const char *domain, ns_type rr_type, int should_cache)
	53	{
	54	dns_answer * dnsa = store_get_dns_answer();
	55	dns_scan dnss;
	56	SPF_dns_rr_t * spfrr;
	57	unsigned found = 0;
	58
	59	SPF_dns_rr_t srr = {
	60	.domain = CS domain, /* query information */
	61	.domain_buf_len = 0,
	62	.rr_type = rr_type,
	63
	64	.rr_buf_len = 0, /* answer information */
	65	.rr_buf_num = 0, /* no free of s */
	66	.utc_ttl = 0,
	67
	68	.hook = NULL, /* misc information */
	69	.source = spf_dns_server
	70	};
	71	int dns_rc;
	72
	73	DEBUG(D_receive) debug_printf("SPF_dns_exim_lookup '%s'\n", domain);
	74
	75	/* Shortcircuit SPF RR lookups by returning NO_DATA. They were obsoleted by
	76	RFC 6686/7208 years ago. see bug #1294 */
	77
	78	if (rr_type == T_SPF)
	79	{
	80	HDEBUG(D_host_lookup) debug_printf("faking NO_DATA for SPF RR(99) lookup\n");
	81	srr.herrno = NO_DATA;
	82	SPF_dns_rr_dup(&spfrr, &srr);
	83	return spfrr;
	84	}
	85
	86	switch (dns_rc = dns_lookup(dnsa, US domain, rr_type, NULL))
	87	{
	88	case DNS_SUCCEED: srr.herrno = NETDB_SUCCESS; break;
	89	case DNS_AGAIN: srr.herrno = TRY_AGAIN; break;
	90	case DNS_NOMATCH: srr.herrno = HOST_NOT_FOUND; break;
	91	case DNS_NODATA: srr.herrno = NO_DATA; break;
	92	case DNS_FAIL:
	93	default: srr.herrno = NO_RECOVERY; break;
	94	}
	95
	96	for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
	97	rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
	98	if (rr->type == rr_type) found++;
	99
	100	if (found == 0)
	101	{
	102	SPF_dns_rr_dup(&spfrr, &srr);
	103	return spfrr;
	104	}
	105
	106	srr.rr = store_malloc(sizeof(SPF_dns_rr_data_t) * found);
	107
	108	found = 0;
	109	for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
	110	rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
	111	if (rr->type == rr_type)
	112	{
	113	const uschar * s = rr->data;
	114
	115	srr.ttl = rr->ttl;
	116	switch(rr_type)
	117	{
	118	case T_MX:
	119	s += 2; /* skip the MX precedence field */
	120	case T_PTR:
	121	{
	122	uschar * buf = store_malloc(256);
	123	(void)dn_expand(dnsa->answer, dnsa->answer + dnsa->answerlen, s,
	124	(DN_EXPAND_ARG4_TYPE)buf, 256);
	125	s = buf;
	126	break;
	127	}
	128
	129	case T_TXT:
	130	{
	131	gstring * g = NULL;
	132	uschar chunk_len;
	133
	134	if (strncmpic(rr->data+1, US SPF_VER_STR, 6) != 0)
	135	{
	136	HDEBUG(D_host_lookup) debug_printf("not an spf record: %.*s\n",
	137	(int) s[0], s+1);
	138	continue;
	139	}
	140
	141	for (int off = 0; off < rr->size; off += chunk_len)
	142	{
	143	if (!(chunk_len = s[off++])) break;
	144	g = string_catn(g, s+off, chunk_len);
	145	}
	146	if (!g)
	147	continue;
	148	gstring_release_unused(g);
	149	s = string_copy_malloc(string_from_gstring(g));
	150	DEBUG(D_receive) debug_printf("SPF_dns_exim_lookup '%s'\n", s);
	151	break;
	152	}
	153
	154	case T_A:
	155	case T_AAAA:
	156	default:
	157	{
	158	uschar * buf = store_malloc(dnsa->answerlen + 1);
	159	s = memcpy(buf, s, dnsa->answerlen + 1);
	160	break;
	161	}
	162	}
	163	srr.rr[found++] = (void *) s;
	164	}
	165
	166	/* Did we filter out all TXT RRs? Return NO_DATA instead of SUCCESS with
	167	empty ANSWER section. */
	168
	169	if (!(srr.num_rr = found))
	170	srr.herrno = NO_DATA;
	171
	172	/* spfrr->rr must have been malloc()d for this */
	173	SPF_dns_rr_dup(&spfrr, &srr);
	174	return spfrr;
	175	}
	176
	177
	178
	179	SPF_dns_server_t *
	180	SPF_dns_exim_new(int debug)
	181	{
	182	SPF_dns_server_t * spf_dns_server = store_malloc(sizeof(SPF_dns_server_t));
	183
	184	DEBUG(D_receive) debug_printf("SPF_dns_exim_new\n");
	185
	186	memset(spf_dns_server, 0, sizeof(SPF_dns_server_t));
	187	spf_dns_server->destroy = NULL;
	188	spf_dns_server->lookup = SPF_dns_exim_lookup;
	189	spf_dns_server->get_spf = NULL;
	190	spf_dns_server->get_exp = NULL;
	191	spf_dns_server->add_cache = NULL;
	192	spf_dns_server->layer_below = NULL;
	193	spf_dns_server->name = "exim";
	194	spf_dns_server->debug = debug;
	195
	196	/* XXX This might have to return NO_DATA sometimes. */
	197
	198	spf_nxdomain = SPF_dns_rr_new_init(spf_dns_server,
	199	"", ns_t_any, 24 * 60 * 60, HOST_NOT_FOUND);
	200	if (!spf_nxdomain)
	201	{
	202	free(spf_dns_server);
	203	return NULL;
	204	}
	205
	206	return spf_dns_server;
	207	}
	208
	209
	210
	211
	212	/* Construct the SPF library stack.
	213	Return: Boolean success.
	214	*/
	215
	216	BOOL
	217	spf_init(void)
	218	{
	219	SPF_dns_server_t * dc;
	220	int debug = 0;
	221
	222	DEBUG(D_receive) debug = 1;
	223
	224	/* We insert our own DNS access layer rather than letting the spf library
	225	do it, so that our dns access path is used for debug tracing and for the
	226	testsuite. */
	227
	228	if (!(dc = SPF_dns_exim_new(debug)))
	229	{
	230	DEBUG(D_receive) debug_printf("spf: SPF_dns_exim_new() failed\n");
	231	return FALSE;
	232	}
	233	if (!(dc = SPF_dns_cache_new(dc, NULL, debug, 8)))
	234	{
	235	DEBUG(D_receive) debug_printf("spf: SPF_dns_cache_new() failed\n");
	236	return FALSE;
	237	}
	238	if (!(spf_server = SPF_server_new_dns(dc, debug)))
	239	{
	240	DEBUG(D_receive) debug_printf("spf: SPF_server_new() failed.\n");
	241	return FALSE;
	242	}
	243	/* Quick hack to override the outdated explanation URL.
	244	See https://www.mail-archive.com/mailop@mailop.org/msg08019.html */
	245	SPF_server_set_explanation(spf_server, "Please%_see%_http://www.open-spf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}", &spf_response);
	246	if (SPF_response_errcode(spf_response) != SPF_E_SUCCESS)
	247	log_write(0, LOG_MAIN\|LOG_PANIC_DIE, "%s", SPF_strerror(SPF_response_errcode(spf_response)));
	248
	249	return TRUE;
	250	}
	251
	252
	253	/* Set up a context that can be re-used for several
	254	messages on the same SMTP connection (that come from the
	255	same host with the same HELO string).
	256
	257	Return: Boolean success
	258	*/
	259
	260	BOOL
	261	spf_conn_init(uschar * spf_helo_domain, uschar * spf_remote_addr)
	262	{
	263	DEBUG(D_receive)
	264	debug_printf("spf_conn_init: %s %s\n", spf_helo_domain, spf_remote_addr);
	265
	266	if (!spf_server && !spf_init()) return FALSE;
	267
	268	if (SPF_server_set_rec_dom(spf_server, CS primary_hostname))
	269	{
	270	DEBUG(D_receive) debug_printf("spf: SPF_server_set_rec_dom(\"%s\") failed.\n",
	271	primary_hostname);
	272	spf_server = NULL;
	273	return FALSE;
	274	}
	275
	276	spf_request = SPF_request_new(spf_server);
	277
	278	if ( SPF_request_set_ipv4_str(spf_request, CS spf_remote_addr)
	279	&& SPF_request_set_ipv6_str(spf_request, CS spf_remote_addr)
	280	)
	281	{
	282	DEBUG(D_receive)
	283	debug_printf("spf: SPF_request_set_ipv4_str() and "
	284	"SPF_request_set_ipv6_str() failed [%s]\n", spf_remote_addr);
	285	spf_server = NULL;
	286	spf_request = NULL;
	287	return FALSE;
	288	}
	289
	290	if (SPF_request_set_helo_dom(spf_request, CS spf_helo_domain))
	291	{
	292	DEBUG(D_receive) debug_printf("spf: SPF_set_helo_dom(\"%s\") failed.\n",
	293	spf_helo_domain);
	294	spf_server = NULL;
	295	spf_request = NULL;
	296	return FALSE;
	297	}
	298
	299	return TRUE;
	300	}
	301
	302
	303	void
	304	spf_response_debug(SPF_response_t * spf_response)
	305	{
	306	if (SPF_response_messages(spf_response) == 0)
	307	debug_printf(" (no errors)\n");
	308	else for (int i = 0; i < SPF_response_messages(spf_response); i++)
	309	{
	310	SPF_error_t * err = SPF_response_message(spf_response, i);
	311	debug_printf( "%s_msg = (%d) %s\n",
	312	(SPF_error_errorp(err) ? "warn" : "err"),
	313	SPF_error_code(err),
	314	SPF_error_message(err));
	315	}
	316	}
	317
	318
	319	/* spf_process adds the envelope sender address to the existing
	320	context (if any), retrieves the result, sets up expansion
	321	strings and evaluates the condition outcome.
	322
	323	Return: OK/FAIL */
	324
	325	int
	326	spf_process(const uschar *listptr, uschar spf_envelope_sender, int action)
	327	{
	328	int sep = 0;
	329	const uschar list = listptr;
	330	uschar *spf_result_id;
	331	int rc = SPF_RESULT_PERMERROR;
	332
	333	DEBUG(D_receive) debug_printf("spf_process\n");
	334
	335	if (!(spf_server && spf_request))
	336	/* no global context, assume temp error and skip to evaluation */
	337	rc = SPF_RESULT_PERMERROR;
	338
	339	else if (SPF_request_set_env_from(spf_request, CS spf_envelope_sender))
	340	/* Invalid sender address. This should be a real rare occurrence */
	341	rc = SPF_RESULT_PERMERROR;
	342
	343	else
	344	{
	345	/* get SPF result */
	346	if (action == SPF_PROCESS_FALLBACK)
	347	{
	348	SPF_request_query_fallback(spf_request, &spf_response, CS spf_guess);
	349	spf_result_guessed = TRUE;
	350	}
	351	else
	352	SPF_request_query_mailfrom(spf_request, &spf_response);
	353
	354	/* set up expansion items */
	355	spf_header_comment = US SPF_response_get_header_comment(spf_response);
	356	spf_received = US SPF_response_get_received_spf(spf_response);
	357	spf_result = US SPF_strresult(SPF_response_result(spf_response));
	358	spf_smtp_comment = US SPF_response_get_smtp_comment(spf_response);
	359
	360	rc = SPF_response_result(spf_response);
	361
	362	DEBUG(D_acl) spf_response_debug(spf_response);
	363	}
	364
	365	/* We got a result. Now see if we should return OK or FAIL for it */
	366	DEBUG(D_acl) debug_printf("SPF result is %s (%d)\n", SPF_strresult(rc), rc);
	367
	368	if (action == SPF_PROCESS_GUESS && (!strcmp (SPF_strresult(rc), "none")))
	369	return spf_process(listptr, spf_envelope_sender, SPF_PROCESS_FALLBACK);
	370
	371	while ((spf_result_id = string_nextinlist(&list, &sep, NULL, 0)))
	372	{
	373	BOOL negate, result;
	374
	375	if ((negate = spf_result_id[0] == '!'))
	376	spf_result_id++;
	377
	378	result = Ustrcmp(spf_result_id, spf_result_id_list[rc].name) == 0;
	379	if (negate != result) return OK;
	380	}
	381
	382	/* no match */
	383	return FAIL;
	384	}
	385
	386
	387
	388	gstring *
	389	authres_spf(gstring * g)
	390	{
	391	uschar * s;
	392	if (!spf_result) return g;
	393
	394	g = string_append(g, 2, US";\n\tspf=", spf_result);
	395	if (spf_result_guessed)
	396	g = string_cat(g, US" (best guess record for domain)");
	397
	398	s = expand_string(US"$sender_address_domain");
	399	return s && *s
	400	? string_append(g, 2, US" smtp.mailfrom=", s)
	401	: string_cat(g, US" smtp.mailfrom=<>");
	402	}
	403
	404
	405	#endif