/*************************************************
* Exim - an Internet mail transport agent *
*************************************************/
-/* Experimental DMARC support.
+/* DMARC support.
+ Copyright (c) The Exim Maintainers 2019 - 2023
Copyright (c) Todd Lyons <tlyons@exim.org> 2012 - 2014
License: GPL */
+/* SPDX-License-Identifier: GPL-2.0-or-later */
/* Portions Copyright (c) 2012, 2013, The Trusted Domain Project;
All rights reserved, licensed for use per LICENSE.opendmarc. */
/* Code for calling dmarc checks via libopendmarc. Called from acl.c. */
#include "exim.h"
-#ifdef EXPERIMENTAL_DMARC
-# if !defined EXPERIMENTAL_SPF
+#ifdef SUPPORT_DMARC
+# if !defined SUPPORT_SPF
# error SPF must also be enabled for DMARC
# elif defined DISABLE_DKIM
# error DKIM must also be enabled for DMARC
OPENDMARC_STATUS_T da, sa, action;
BOOL dmarc_abort = FALSE;
uschar *dmarc_pass_fail = US"skipped";
-extern pdkim_signature *dkim_signatures;
header_line *from_header = NULL;
extern SPF_response_t *spf_response;
int dmarc_spf_ares_result = 0;
uschar *spf_human_readable = NULL;
u_char *header_from_sender = NULL;
int history_file_status = DMARC_HIST_OK;
-uschar *dkim_history_buffer= NULL;
typedef struct dmarc_exim_p {
uschar *name;
{ US"reject", DMARC_RECORD_P_REJECT },
{ NULL, 0 }
};
+
+
+gstring *
+dmarc_version_report(gstring * g)
+{
+return string_fmt_append(g, "Library version: dmarc: Compile: %d.%d.%d.%d\n",
+ (OPENDMARC_LIB_VERSION & 0xff000000) >> 24, (OPENDMARC_LIB_VERSION & 0x00ff0000) >> 16,
+ (OPENDMARC_LIB_VERSION & 0x0000ff00) >> 8, OPENDMARC_LIB_VERSION & 0x000000ff);
+}
+
+
/* Accept an error_block struct, initialize if empty, parse to the
- * end, and append the two strings passed to it. Used for adding
- * variable amounts of value:pair data to the forensic emails. */
+end, and append the two strings passed to it. Used for adding
+variable amounts of value:pair data to the forensic emails. */
static error_block *
add_to_eblock(error_block *eblock, uschar *t1, uschar *t2)
{
error_block *eb = store_malloc(sizeof(error_block));
-if (eblock == NULL)
+if (!eblock)
eblock = eb;
else
{
/* Find the end of the eblock struct and point it at eb */
error_block *tmp = eblock;
- while(tmp->next != NULL)
+ while(tmp->next)
tmp = tmp->next;
tmp->next = eb;
}
}
/* dmarc_init sets up a context that can be re-used for several
- messages on the same SMTP connection (that come from the
- same host with the same HELO string) */
+messages on the same SMTP connection (that come from the
+same host with the same HELO string) */
int
-dmarc_init()
+dmarc_init(void)
{
int *netmask = NULL; /* Ignored */
int is_ipv6 = 0;
-char *tld_file = dmarc_tld_file ? CS dmarc_tld_file : DMARC_TLD_FILE;
/* Set some sane defaults. Also clears previous results when
- * multiple messages in one connection. */
+multiple messages in one connection. */
+
dmarc_pctx = NULL;
dmarc_status = US"none";
dmarc_abort = FALSE;
dmarc_pass_fail = US"skipped";
dmarc_used_domain = US"";
-dmarc_ar_header = NULL;
-dmarc_has_been_checked = FALSE;
+f.dmarc_has_been_checked = FALSE;
header_from_sender = NULL;
spf_sender_domain = NULL;
spf_human_readable = NULL;
/* ACLs have "control=dmarc_disable_verify" */
-if (dmarc_disable_verify == TRUE)
+if (f.dmarc_disable_verify == TRUE)
return OK;
(void) memset(&dmarc_ctx, '\0', sizeof dmarc_ctx);
opendmarc_policy_status_to_str(libdm_status));
dmarc_abort = TRUE;
}
-if (dmarc_tld_file == NULL)
+if (!dmarc_tld_file || !*dmarc_tld_file)
+ {
+ DEBUG(D_receive) debug_printf_indent("DMARC: no dmarc_tld_file\n");
dmarc_abort = TRUE;
-else if (opendmarc_tld_read_file(tld_file, NULL, NULL, NULL))
+ }
+else if (opendmarc_tld_read_file(CS dmarc_tld_file, NULL, NULL, NULL))
{
- log_write(0, LOG_MAIN|LOG_PANIC, "DMARC failure to load tld list %s: %d",
- tld_file, errno);
+ log_write(0, LOG_MAIN|LOG_PANIC, "DMARC failure to load tld list '%s': %s",
+ dmarc_tld_file, strerror(errno));
dmarc_abort = TRUE;
}
-if (sender_host_address == NULL)
+if (!sender_host_address)
+ {
+ DEBUG(D_receive) debug_printf_indent("DMARC: no sender_host_address\n");
dmarc_abort = TRUE;
+ }
/* This catches locally originated email and startup errors above. */
if (!dmarc_abort)
{
is_ipv6 = string_is_ip_address(sender_host_address, netmask) == 6;
- dmarc_pctx = opendmarc_policy_connect_init(sender_host_address, is_ipv6);
- if (dmarc_pctx == NULL)
+ if (!(dmarc_pctx = opendmarc_policy_connect_init(sender_host_address, is_ipv6)))
{
log_write(0, LOG_MAIN|LOG_PANIC,
"DMARC failure creating policy context: ip=%s", sender_host_address);
}
-/* dmarc_store_data stores the header data so that subsequent
- * dmarc_process can access the data */
+/* dmarc_store_data stores the header data so that subsequent dmarc_process can
+access the data.
+Called after the entire message has been received, with the From: header. */
-int dmarc_store_data(header_line *hdr) {
- /* No debug output because would change every test debug output */
- if (dmarc_disable_verify != TRUE)
- from_header = hdr;
- return OK;
+int
+dmarc_store_data(header_line * hdr)
+{
+/* No debug output because would change every test debug output */
+if (!f.dmarc_disable_verify)
+ from_header = hdr;
+return OK;
}
static void
-dmarc_send_forensic_report(u_char **ruf)
+dmarc_send_forensic_report(u_char ** ruf)
{
-int c;
uschar *recipient, *save_sender;
BOOL send_status = FALSE;
error_block *eblock = NULL;
FILE *message_file = NULL;
/* Earlier ACL does not have *required* control=dmarc_enable_forensic */
-if (!dmarc_enable_forensic)
+if (!f.dmarc_enable_forensic)
return;
if ( dmarc_policy == DMARC_POLICY_REJECT && action == DMARC_RESULT_REJECT
eblock = add_to_eblock(eblock, US"Sender IP Address", sender_host_address);
eblock = add_to_eblock(eblock, US"Received Date", tod_stamp(tod_full));
eblock = add_to_eblock(eblock, US"SPF Alignment",
- (sa==DMARC_POLICY_SPF_ALIGNMENT_PASS) ?US"yes":US"no");
+ sa == DMARC_POLICY_SPF_ALIGNMENT_PASS ? US"yes" : US"no");
eblock = add_to_eblock(eblock, US"DKIM Alignment",
- (da==DMARC_POLICY_DKIM_ALIGNMENT_PASS)?US"yes":US"no");
+ da == DMARC_POLICY_DKIM_ALIGNMENT_PASS ? US"yes" : US"no");
eblock = add_to_eblock(eblock, US"DMARC Results", dmarc_status_text);
- /* Set a sane default envelope sender */
- dsn_from = dmarc_forensic_sender ? dmarc_forensic_sender :
- dsn_from ? dsn_from :
- string_sprintf("do-not-reply@%s",primary_hostname);
- for (c = 0; ruf[c]; c++)
+
+ for (int c = 0; ruf[c]; c++)
{
recipient = string_copylc(ruf[c]);
if (Ustrncmp(recipient, "mailto:",7))
/* Move to first character past the colon */
recipient += 7;
DEBUG(D_receive)
- debug_printf("DMARC forensic report to %s%s\n", recipient,
- (host_checking || running_in_test_harness) ? " (not really)" : "");
- if (host_checking || running_in_test_harness)
+ debug_printf_indent("DMARC forensic report to %s%s\n", recipient,
+ (host_checking || f.running_in_test_harness) ? " (not really)" : "");
+ if (host_checking || f.running_in_test_harness)
continue;
- save_sender = sender_address;
- sender_address = recipient;
- send_status = moan_to_sender(ERRMESS_DMARC_FORENSIC, eblock,
- header_list, message_file, FALSE);
- sender_address = save_sender;
- if (!send_status)
+ if (!moan_send_message(recipient, ERRMESS_DMARC_FORENSIC, eblock,
+ header_list, message_file, NULL))
log_write(0, LOG_MAIN|LOG_PANIC,
"failure to send DMARC forensic report to %s", recipient);
}
}
}
+
+/* Look up a DNS dmarc record for the given domain. Return it or NULL */
+
+static uschar *
+dmarc_dns_lookup(uschar * dom)
+{
+dns_answer * dnsa = store_get_dns_answer();
+dns_scan dnss;
+int rc = dns_lookup(dnsa, string_sprintf("_dmarc.%s", dom), T_TXT, NULL);
+
+if (rc == DNS_SUCCEED)
+ for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
+ rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
+ if (rr->type == T_TXT && rr->size > 3)
+ {
+ uschar *record = string_copyn_taint(US rr->data, rr->size, GET_TAINTED);
+ store_free_dns_answer(dnsa);
+ return record;
+ }
+store_free_dns_answer(dnsa);
+return NULL;
+}
+
+
+static int
+dmarc_write_history_file(const gstring * dkim_history_buffer)
+{
+int history_file_fd = 0;
+ssize_t written_len;
+int tmp_ans;
+u_char ** rua; /* aggregate report addressees */
+gstring * g;
+
+if (!dmarc_history_file)
+ {
+ DEBUG(D_receive) debug_printf_indent("DMARC history file not set\n");
+ return DMARC_HIST_DISABLED;
+ }
+if (!host_checking)
+ {
+ uschar * s = string_copy(dmarc_history_file); /* need a writeable copy */
+ if ((history_file_fd = log_open_as_exim(s)) < 0)
+ {
+ log_write(0, LOG_MAIN|LOG_PANIC,
+ "failure to create DMARC history file: %s: %s",
+ s, strerror(errno));
+ return DMARC_HIST_FILE_ERR;
+ }
+ }
+
+/* Generate the contents of the history file entry */
+
+g = string_fmt_append(NULL,
+ "job %s\nreporter %s\nreceived %ld\nipaddr %s\nfrom %s\nmfrom %s\n",
+ message_id, primary_hostname, time(NULL), sender_host_address,
+ header_from_sender, expand_string(US"$sender_address_domain"));
+
+if (spf_response)
+ g = string_fmt_append(g, "spf %d\n", dmarc_spf_ares_result);
+
+if (dkim_history_buffer)
+ g = string_fmt_append(g, "%Y", dkim_history_buffer);
+
+g = string_fmt_append(g, "pdomain %s\npolicy %d\n",
+ dmarc_used_domain, dmarc_policy);
+
+if ((rua = opendmarc_policy_fetch_rua(dmarc_pctx, NULL, 0, 1)))
+ for (tmp_ans = 0; rua[tmp_ans]; tmp_ans++)
+ g = string_fmt_append(g, "rua %s\n", rua[tmp_ans]);
+else
+ g = string_catn(g, US"rua -\n", 6);
+
+opendmarc_policy_fetch_pct(dmarc_pctx, &tmp_ans);
+g = string_fmt_append(g, "pct %d\n", tmp_ans);
+
+opendmarc_policy_fetch_adkim(dmarc_pctx, &tmp_ans);
+g = string_fmt_append(g, "adkim %d\n", tmp_ans);
+
+opendmarc_policy_fetch_aspf(dmarc_pctx, &tmp_ans);
+g = string_fmt_append(g, "aspf %d\n", tmp_ans);
+
+opendmarc_policy_fetch_p(dmarc_pctx, &tmp_ans);
+g = string_fmt_append(g, "p %d\n", tmp_ans);
+
+opendmarc_policy_fetch_sp(dmarc_pctx, &tmp_ans);
+g = string_fmt_append(g, "sp %d\n", tmp_ans);
+
+g = string_fmt_append(g, "align_dkim %d\nalign_spf %d\naction %d\n",
+ da, sa, action);
+
+#if DMARC_API >= 100400
+# ifdef EXPERIMENTAL_ARC
+g = arc_dmarc_hist_append(g);
+# else
+g = string_fmt_append(g, "arc %d\narc_policy %d json:[]\n",
+ ARES_RESULT_UNKNOWN, DMARC_ARC_POLICY_RESULT_UNUSED);
+# endif
+#endif
+
+/* Write the contents to the history file */
+DEBUG(D_receive)
+ {
+ debug_printf_indent("DMARC logging history data for opendmarc reporting%s\n",
+ host_checking ? " (not really)" : "");
+ debug_printf_indent("DMARC history data for debugging:\n");
+ expand_level++;
+ debug_printf_indent("%Y", g);
+ expand_level--;
+ }
+
+if (!host_checking)
+ {
+ written_len = write_to_fd_buf(history_file_fd,
+ g->s,
+ gstring_length(g));
+ if (written_len == 0)
+ {
+ log_write(0, LOG_MAIN|LOG_PANIC, "failure to write to DMARC history file: %s",
+ dmarc_history_file);
+ return DMARC_HIST_WRITE_ERR;
+ }
+ (void)close(history_file_fd);
+ }
+return DMARC_HIST_OK;
+}
+
+
/* dmarc_process adds the envelope sender address to the existing
- context (if any), retrieves the result, sets up expansion
- strings and evaluates the condition outcome. */
+context (if any), retrieves the result, sets up expansion
+strings and evaluates the condition outcome.
+Called for the first ACL dmarc= condition. */
int
-dmarc_process()
+dmarc_process(void)
{
int sr, origin; /* used in SPF section */
int dmarc_spf_result = 0; /* stores spf into dmarc conn ctx */
int tmp_ans, c;
-pdkim_signature *sig = NULL;
+pdkim_signature * sig = dkim_signatures;
+uschar * rr;
BOOL has_dmarc_record = TRUE;
-u_char **ruf; /* forensic report addressees, if called for */
+u_char ** ruf; /* forensic report addressees, if called for */
/* ACLs have "control=dmarc_disable_verify" */
-if (dmarc_disable_verify)
- {
- dmarc_ar_header = dmarc_auth_results_header(from_header, NULL);
+if (f.dmarc_disable_verify)
return OK;
- }
/* Store the header From: sender domain for this part of DMARC.
- * If there is no from_header struct, then it's likely this message
- * is locally generated and relying on fixups to add it. Just skip
- * the entire DMARC system if we can't find a From: header....or if
- * there was a previous error.
- */
-if (!from_header || dmarc_abort)
+If there is no from_header struct, then it's likely this message
+is locally generated and relying on fixups to add it. Just skip
+the entire DMARC system if we can't find a From: header....or if
+there was a previous error. */
+
+if (!from_header)
+ {
+ DEBUG(D_receive) debug_printf_indent("DMARC: no From: header\n");
dmarc_abort = TRUE;
-else
+ }
+else if (!dmarc_abort)
{
- uschar * errormsg;
- int dummy, domain;
- uschar * p;
- uschar saveend;
-
- parse_allow_group = TRUE;
- p = parse_find_address_end(from_header->text, FALSE);
- saveend = *p; *p = '\0';
- if ((header_from_sender = parse_extract_address(from_header->text, &errormsg,
- &dummy, &dummy, &domain, FALSE)))
- header_from_sender += domain;
- *p = saveend;
-
- /* The opendmarc library extracts the domain from the email address, but
- * only try to store it if it's not empty. Otherwise, skip out of DMARC. */
- if (!header_from_sender || (strcmp( CCS header_from_sender, "") == 0))
- dmarc_abort = TRUE;
- libdm_status = dmarc_abort ?
- DMARC_PARSE_OKAY :
- opendmarc_policy_store_from_domain(dmarc_pctx, header_from_sender);
- if (libdm_status != DMARC_PARSE_OKAY)
+ uschar * errormsg;
+ int dummy, domain;
+ uschar * p;
+ uschar saveend;
+
+ f.parse_allow_group = TRUE;
+ p = parse_find_address_end(from_header->text, FALSE);
+ saveend = *p; *p = '\0';
+ if ((header_from_sender = parse_extract_address(from_header->text, &errormsg,
+ &dummy, &dummy, &domain, FALSE)))
+ header_from_sender += domain;
+ *p = saveend;
+
+ /* The opendmarc library extracts the domain from the email address, but
+ only try to store it if it's not empty. Otherwise, skip out of DMARC. */
+
+ if (!header_from_sender || (strcmp( CCS header_from_sender, "") == 0))
+ dmarc_abort = TRUE;
+ libdm_status = dmarc_abort
+ ? DMARC_PARSE_OKAY
+ : opendmarc_policy_store_from_domain(dmarc_pctx, header_from_sender);
+ if (libdm_status != DMARC_PARSE_OKAY)
{
log_write(0, LOG_MAIN|LOG_PANIC,
"failure to store header From: in DMARC: %s, header was '%s'",
}
/* Skip DMARC if connection is SMTP Auth. Temporarily, admin should
- * instead do this in the ACLs. */
+instead do this in the ACLs. */
+
if (!dmarc_abort && !sender_host_authenticated)
{
+ uschar * dmarc_domain;
+ gstring * dkim_history_buffer = NULL;
+
/* Use the envelope sender domain for this part of DMARC */
+
spf_sender_domain = expand_string(US"$sender_address_domain");
if (!spf_response)
{
/* No spf data means null envelope sender so generate a domain name
- * from the sender_helo_name */
+ from the sender_helo_name */
+
if (!spf_sender_domain)
{
spf_sender_domain = sender_helo_name;
log_write(0, LOG_MAIN, "DMARC using synthesized SPF sender domain = %s\n",
spf_sender_domain);
DEBUG(D_receive)
- debug_printf("DMARC using synthesized SPF sender domain = %s\n",
+ debug_printf_indent("DMARC using synthesized SPF sender domain = %s\n",
spf_sender_domain);
}
dmarc_spf_result = DMARC_POLICY_SPF_OUTCOME_NONE;
origin = DMARC_POLICY_SPF_ORIGIN_MAILFROM;
spf_human_readable = US spf_response->header_comment;
DEBUG(D_receive)
- debug_printf("DMARC using SPF sender domain = %s\n", spf_sender_domain);
+ debug_printf_indent("DMARC using SPF sender domain = %s\n", spf_sender_domain);
}
if (strcmp( CCS spf_sender_domain, "") == 0)
dmarc_abort = TRUE;
}
/* Now we cycle through the dkim signature results and put into
- * the opendmarc context, further building the DMARC reply. */
- sig = dkim_signatures;
- dkim_history_buffer = US"";
- while (sig)
+ the opendmarc context, further building the DMARC reply. */
+
+ for(pdkim_signature * sig = dkim_signatures; sig; sig = sig->next)
{
int dkim_result, dkim_ares_result, vs, ves;
- vs = sig->verify_status;
+
+ vs = sig->verify_status & ~PDKIM_VERIFY_POLICY;
ves = sig->verify_ext_status;
dkim_result = vs == PDKIM_VERIFY_PASS ? DMARC_POLICY_DKIM_OUTCOME_PASS :
vs == PDKIM_VERIFY_FAIL ? DMARC_POLICY_DKIM_OUTCOME_FAIL :
vs == PDKIM_VERIFY_INVALID ? DMARC_POLICY_DKIM_OUTCOME_TMPFAIL :
DMARC_POLICY_DKIM_OUTCOME_NONE;
libdm_status = opendmarc_policy_store_dkim(dmarc_pctx, US sig->domain,
- dkim_result, US"");
+
+/* The opendmarc project broke its API in a way we can't detect easily.
+The EDITME provides a DMARC_API variable */
+#if DMARC_API >= 100400
+ sig->selector,
+#endif
+ dkim_result, US"");
DEBUG(D_receive)
- debug_printf("DMARC adding DKIM sender domain = %s\n", sig->domain);
+ debug_printf_indent("DMARC adding DKIM sender domain = %s\n", sig->domain);
if (libdm_status != DMARC_PARSE_OKAY)
log_write(0, LOG_MAIN|LOG_PANIC,
"failure to store dkim (%s) for DMARC: %s",
ves == PDKIM_VERIFY_INVALID_PUBKEY_IMPORT ? ARES_RESULT_PERMERROR :
ARES_RESULT_UNKNOWN :
ARES_RESULT_UNKNOWN;
- dkim_history_buffer = string_sprintf("%sdkim %s %d\n", dkim_history_buffer,
- sig->domain, dkim_ares_result);
- sig = sig->next;
+#if DMARC_API >= 100400
+ dkim_history_buffer = string_fmt_append(dkim_history_buffer,
+ "dkim %s %s %d\n", sig->domain, sig->selector, dkim_ares_result);
+#else
+ dkim_history_buffer = string_fmt_append(dkim_history_buffer,
+ "dkim %s %d\n", sig->domain, dkim_ares_result);
+#endif
}
- libdm_status = opendmarc_policy_query_dmarc(dmarc_pctx, US"");
+
+ /* Look up DMARC policy record in DNS. We do this explicitly, rather than
+ letting the dmarc library do it with opendmarc_policy_query_dmarc(), so that
+ our dns access path is used for debug tracing and for the testsuite
+ diversion. */
+
+ libdm_status = (rr = dmarc_dns_lookup(header_from_sender))
+ ? opendmarc_policy_store_dmarc(dmarc_pctx, rr, header_from_sender, NULL)
+ : DMARC_DNS_ERROR_NO_RECORD;
switch (libdm_status)
{
case DMARC_DNS_ERROR_NXDOMAIN:
case DMARC_DNS_ERROR_NO_RECORD:
DEBUG(D_receive)
- debug_printf("DMARC no record found for %s\n", header_from_sender);
+ debug_printf_indent("DMARC no record found for %s\n", header_from_sender);
has_dmarc_record = FALSE;
break;
case DMARC_PARSE_OKAY:
DEBUG(D_receive)
- debug_printf("DMARC record found for %s\n", header_from_sender);
+ debug_printf_indent("DMARC record found for %s\n", header_from_sender);
break;
case DMARC_PARSE_ERROR_BAD_VALUE:
DEBUG(D_receive)
- debug_printf("DMARC record parse error for %s\n", header_from_sender);
+ debug_printf_indent("DMARC record parse error for %s\n", header_from_sender);
has_dmarc_record = FALSE;
break;
default:
/* everything else, skip dmarc */
DEBUG(D_receive)
- debug_printf("DMARC skipping (%d), unsure what to do with %s",
- libdm_status, from_header->text);
+ debug_printf_indent("DMARC skipping (%s), unsure what to do with %s",
+ opendmarc_policy_status_to_str(libdm_status),
+ from_header->text);
has_dmarc_record = FALSE;
break;
}
-/* Store the policy string in an expandable variable. */
+ /* Store the policy string in an expandable variable. */
libdm_status = opendmarc_policy_fetch_p(dmarc_pctx, &tmp_ans);
for (c = 0; dmarc_policy_description[c].name; c++)
}
/* Can't use exim's string manipulation functions so allocate memory
- * for libopendmarc using its max hostname length definition. */
+ for libopendmarc using its max hostname length definition. */
- uschar *dmarc_domain = US calloc(DMARC_MAXHOSTNAMELEN, sizeof(uschar));
+ dmarc_domain = store_get(DMARC_MAXHOSTNAMELEN, GET_TAINTED);
libdm_status = opendmarc_policy_fetch_utilized_domain(dmarc_pctx,
dmarc_domain, DMARC_MAXHOSTNAMELEN-1);
- dmarc_used_domain = string_copy(dmarc_domain);
- free(dmarc_domain);
+ store_release_above(dmarc_domain + Ustrlen(dmarc_domain)+1);
+ dmarc_used_domain = dmarc_domain;
if (libdm_status != DMARC_PARSE_OKAY)
log_write(0, LOG_MAIN|LOG_PANIC,
"failure to read domainname used for DMARC lookup: %s",
opendmarc_policy_status_to_str(libdm_status));
- libdm_status = opendmarc_get_policy_to_enforce(dmarc_pctx);
- dmarc_policy = libdm_status;
+ dmarc_policy = libdm_status = opendmarc_get_policy_to_enforce(dmarc_pctx);
switch(libdm_status)
{
case DMARC_POLICY_ABSENT: /* No DMARC record found */
log_write(0, LOG_MAIN|LOG_PANIC, "failure to read DMARC alignment: %s",
opendmarc_policy_status_to_str(libdm_status));
- if (has_dmarc_record == TRUE)
+ if (has_dmarc_record)
{
log_write(0, LOG_MAIN, "DMARC results: spf_domain=%s dmarc_domain=%s "
"spf_align=%s dkim_align=%s enforcement='%s'",
spf_sender_domain, dmarc_used_domain,
- (sa==DMARC_POLICY_SPF_ALIGNMENT_PASS) ?"yes":"no",
- (da==DMARC_POLICY_DKIM_ALIGNMENT_PASS)?"yes":"no",
+ sa==DMARC_POLICY_SPF_ALIGNMENT_PASS ?"yes":"no",
+ da==DMARC_POLICY_DKIM_ALIGNMENT_PASS ?"yes":"no",
dmarc_status_text);
- history_file_status = dmarc_write_history_file();
+ history_file_status = dmarc_write_history_file(dkim_history_buffer);
/* Now get the forensic reporting addresses, if any */
ruf = opendmarc_policy_fetch_ruf(dmarc_pctx, NULL, 0, 1);
dmarc_send_forensic_report(ruf);
}
}
-/* set some global variables here */
-dmarc_ar_header = dmarc_auth_results_header(from_header, NULL);
-
/* shut down libopendmarc */
-if ( dmarc_pctx != NULL )
+if (dmarc_pctx)
(void) opendmarc_policy_connect_shutdown(dmarc_pctx);
-if ( dmarc_disable_verify == FALSE )
+if (!f.dmarc_disable_verify)
(void) opendmarc_policy_library_shutdown(&dmarc_ctx);
return OK;
}
-int
-dmarc_write_history_file()
-{
-int history_file_fd;
-ssize_t written_len;
-int tmp_ans;
-u_char **rua; /* aggregate report addressees */
-uschar *history_buffer = NULL;
-
-if (!dmarc_history_file)
- return DMARC_HIST_DISABLED;
-history_file_fd = log_create(dmarc_history_file);
-
-if (history_file_fd < 0)
- {
- log_write(0, LOG_MAIN|LOG_PANIC, "failure to create DMARC history file: %s",
- dmarc_history_file);
- return DMARC_HIST_FILE_ERR;
- }
-
-/* Generate the contents of the history file */
-history_buffer = string_sprintf(
- "job %s\nreporter %s\nreceived %ld\nipaddr %s\nfrom %s\nmfrom %s\n",
- message_id, primary_hostname, time(NULL), sender_host_address,
- header_from_sender, expand_string(US"$sender_address_domain"));
-
-if (spf_response)
- history_buffer = string_sprintf("%sspf %d\n", history_buffer, dmarc_spf_ares_result);
- /* history_buffer = string_sprintf("%sspf -1\n", history_buffer); */
-
-history_buffer = string_sprintf(
- "%s%spdomain %s\npolicy %d\n",
- history_buffer, dkim_history_buffer, dmarc_used_domain, dmarc_policy);
-
-if ((rua = opendmarc_policy_fetch_rua(dmarc_pctx, NULL, 0, 1)))
- for (tmp_ans = 0; rua[tmp_ans]; tmp_ans++)
- history_buffer = string_sprintf("%srua %s\n", history_buffer, rua[tmp_ans]);
-else
- history_buffer = string_sprintf("%srua -\n", history_buffer);
-
-opendmarc_policy_fetch_pct(dmarc_pctx, &tmp_ans);
-history_buffer = string_sprintf("%spct %d\n", history_buffer, tmp_ans);
-
-opendmarc_policy_fetch_adkim(dmarc_pctx, &tmp_ans);
-history_buffer = string_sprintf("%sadkim %d\n", history_buffer, tmp_ans);
-
-opendmarc_policy_fetch_aspf(dmarc_pctx, &tmp_ans);
-history_buffer = string_sprintf("%saspf %d\n", history_buffer, tmp_ans);
-
-opendmarc_policy_fetch_p(dmarc_pctx, &tmp_ans);
-history_buffer = string_sprintf("%sp %d\n", history_buffer, tmp_ans);
-
-opendmarc_policy_fetch_sp(dmarc_pctx, &tmp_ans);
-history_buffer = string_sprintf("%ssp %d\n", history_buffer, tmp_ans);
-
-history_buffer = string_sprintf(
- "%salign_dkim %d\nalign_spf %d\naction %d\n",
- history_buffer, da, sa, action);
-
-/* Write the contents to the history file */
-DEBUG(D_receive)
- debug_printf("DMARC logging history data for opendmarc reporting%s\n",
- (host_checking || running_in_test_harness) ? " (not really)" : "");
-if (host_checking || running_in_test_harness)
- {
- DEBUG(D_receive)
- debug_printf("DMARC history data for debugging:\n%s", history_buffer);
- }
-else
- {
- written_len = write_to_fd_buf(history_file_fd,
- history_buffer,
- Ustrlen(history_buffer));
- if (written_len == 0)
- {
- log_write(0, LOG_MAIN|LOG_PANIC, "failure to write to DMARC history file: %s",
- dmarc_history_file);
- return DMARC_HIST_WRITE_ERR;
- }
- (void)close(history_file_fd);
- }
-return DMARC_HIST_OK;
-}
-
-
uschar *
dmarc_exim_expand_query(int what)
{
-if (dmarc_disable_verify || !dmarc_pctx)
+if (f.dmarc_disable_verify || !dmarc_pctx)
return dmarc_exim_expand_defaults(what);
if (what == DMARC_VERIFY_STATUS)
dmarc_exim_expand_defaults(int what)
{
if (what == DMARC_VERIFY_STATUS)
- return dmarc_disable_verify ? US"off" : US"none";
+ return f.dmarc_disable_verify ? US"off" : US"none";
return US"";
}
-uschar *
-dmarc_auth_results_header(header_line *from_header, uschar *hostname)
-{
-uschar *hdr_tmp = US"";
-
-/* Allow a server hostname to be passed to this function, but is
- * currently unused */
-if (!hostname)
- hostname = primary_hostname;
-hdr_tmp = string_sprintf("%s %s;", DMARC_AR_HEADER, hostname);
-
-#if 0
-/* I don't think this belongs here, but left it here commented out
- * because it was a lot of work to get working right. */
-if (spf_response != NULL) {
- uschar *dmarc_ar_spf = US"";
- int sr = 0;
- sr = spf_response->result;
- dmarc_ar_spf = (sr == SPF_RESULT_NEUTRAL) ? US"neutral" :
- (sr == SPF_RESULT_PASS) ? US"pass" :
- (sr == SPF_RESULT_FAIL) ? US"fail" :
- (sr == SPF_RESULT_SOFTFAIL) ? US"softfail" :
- US"none";
- hdr_tmp = string_sprintf("%s spf=%s (%s) smtp.mail=%s;",
- hdr_tmp, dmarc_ar_spf_result,
- spf_response->header_comment,
- expand_string(US"$sender_address") );
-}
-#endif
-hdr_tmp = string_sprintf("%s dmarc=%s", hdr_tmp, dmarc_pass_fail);
-if (header_from_sender)
- hdr_tmp = string_sprintf("%s header.from=%s",
- hdr_tmp, header_from_sender);
-return hdr_tmp;
+gstring *
+authres_dmarc(gstring * g)
+{
+if (f.dmarc_has_been_checked)
+ {
+ int start = 0; /* Compiler quietening */
+ DEBUG(D_acl) start = gstring_length(g);
+ g = string_append(g, 2, US";\n\tdmarc=", dmarc_pass_fail);
+ if (header_from_sender)
+ g = string_append(g, 2, US" header.from=", header_from_sender);
+ DEBUG(D_acl) debug_printf("DMARC:\tauthres '%.*s'\n",
+ gstring_length(g) - start - 3, g->s + start + 3);
+ }
+else
+ DEBUG(D_acl) debug_printf("DMARC:\tno authres\n");
+return g;
}
-# endif /* EXPERIMENTAL_SPF */
-#endif /* EXPERIMENTAL_DMARC */
+# endif /* SUPPORT_SPF */
+#endif /* SUPPORT_DMARC */
/* vi: aw ai sw=2
*/