X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/687cac44312c8adc6f999882b49f0705bcb8613c..3203e7baa4148a7068bc69caef3b63dcb3971b92:/src/src/dmarc.c diff --git a/src/src/dmarc.c b/src/src/dmarc.c index 275ad46c7..2ac0ac550 100644 --- a/src/src/dmarc.c +++ b/src/src/dmarc.c @@ -12,7 +12,7 @@ #include "exim.h" #ifdef EXPERIMENTAL_DMARC -# if !defined EXPERIMENTAL_SPF +# if !defined SUPPORT_SPF # error SPF must also be enabled for DMARC # elif defined DISABLE_DKIM # error DKIM must also be enabled for DMARC @@ -44,6 +44,7 @@ typedef struct dmarc_exim_p { } dmarc_exim_p; static dmarc_exim_p dmarc_policy_description[] = { + /* name value */ { US"", DMARC_RECORD_P_UNSPECIFIED }, { US"none", DMARC_RECORD_P_NONE }, { US"quarantine", DMARC_RECORD_P_QUARANTINE }, @@ -78,12 +79,11 @@ return eblock; messages on the same SMTP connection (that come from the same host with the same HELO string) */ -int dmarc_init() +int +dmarc_init() { int *netmask = NULL; /* Ignored */ int is_ipv6 = 0; -char *tld_file = (dmarc_tld_file == NULL) ? - DMARC_TLD_FILE : (char *)dmarc_tld_file; /* Set some sane defaults. Also clears previous results when * multiple messages in one connection. */ @@ -92,7 +92,6 @@ dmarc_status = US"none"; dmarc_abort = FALSE; dmarc_pass_fail = US"skipped"; dmarc_used_domain = US""; -dmarc_ar_header = NULL; dmarc_has_been_checked = FALSE; header_from_sender = NULL; spf_sender_domain = NULL; @@ -111,22 +110,27 @@ if (libdm_status != DMARC_PARSE_OKAY) opendmarc_policy_status_to_str(libdm_status)); dmarc_abort = TRUE; } -if (dmarc_tld_file == NULL) +if (!dmarc_tld_file) + { + DEBUG(D_receive) debug_printf("DMARC: no dmarc_tld_file\n"); dmarc_abort = TRUE; -else if (opendmarc_tld_read_file(tld_file, NULL, NULL, NULL)) + } +else if (opendmarc_tld_read_file(dmarc_tld_file, NULL, NULL, NULL)) { log_write(0, LOG_MAIN|LOG_PANIC, "DMARC failure to load tld list %s: %d", - tld_file, errno); + dmarc_tld_file, errno); dmarc_abort = TRUE; } -if (sender_host_address == NULL) +if (!sender_host_address) + { + DEBUG(D_receive) debug_printf("DMARC: no sender_host_address\n"); dmarc_abort = TRUE; + } /* This catches locally originated email and startup errors above. */ if (!dmarc_abort) { is_ipv6 = string_is_ip_address(sender_host_address, netmask) == 6; - dmarc_pctx = opendmarc_policy_connect_init(sender_host_address, is_ipv6); - if (dmarc_pctx == NULL) + if (!(dmarc_pctx = opendmarc_policy_connect_init(sender_host_address, is_ipv6))) { log_write(0, LOG_MAIN|LOG_PANIC, "DMARC failure creating policy context: ip=%s", sender_host_address); @@ -139,13 +143,15 @@ return OK; /* dmarc_store_data stores the header data so that subsequent - * dmarc_process can access the data */ +dmarc_process can access the data */ -int dmarc_store_data(header_line *hdr) { - /* No debug output because would change every test debug output */ - if (dmarc_disable_verify != TRUE) - from_header = hdr; - return OK; +int +dmarc_store_data(header_line *hdr) +{ +/* No debug output because would change every test debug output */ +if (!dmarc_disable_verify) + from_header = hdr; +return OK; } @@ -207,8 +213,8 @@ if ( dmarc_policy == DMARC_POLICY_REJECT && action == DMARC_RESULT_REJECT } /* dmarc_process adds the envelope sender address to the existing - context (if any), retrieves the result, sets up expansion - strings and evaluates the condition outcome. */ +context (if any), retrieves the result, sets up expansion +strings and evaluates the condition outcome. */ int dmarc_process() @@ -222,10 +228,7 @@ u_char **ruf; /* forensic report addressees, if called for */ /* ACLs have "control=dmarc_disable_verify" */ if (dmarc_disable_verify) - { - dmarc_ar_header = dmarc_auth_results_header(from_header, NULL); return OK; - } /* Store the header From: sender domain for this part of DMARC. * If there is no from_header struct, then it's likely this message @@ -233,9 +236,12 @@ if (dmarc_disable_verify) * the entire DMARC system if we can't find a From: header....or if * there was a previous error. */ -if (!from_header || dmarc_abort) +if (!from_header) + { + DEBUG(D_receive) debug_printf("DMARC: no From: header\n"); dmarc_abort = TRUE; -else + } +else if (!dmarc_abort) { uschar * errormsg; int dummy, domain; @@ -307,7 +313,7 @@ if (!dmarc_abort && !sender_host_authenticated) sr == SPF_RESULT_PERMERROR ? ARES_RESULT_PERMERROR : ARES_RESULT_UNKNOWN; origin = DMARC_POLICY_SPF_ORIGIN_MAILFROM; - spf_human_readable = (uschar *)spf_response->header_comment; + spf_human_readable = US spf_response->header_comment; DEBUG(D_receive) debug_printf("DMARC using SPF sender domain = %s\n", spf_sender_domain); } @@ -329,13 +335,13 @@ if (!dmarc_abort && !sender_host_authenticated) while (sig) { int dkim_result, dkim_ares_result, vs, ves; - vs = sig->verify_status; + vs = sig->verify_status & ~PDKIM_VERIFY_POLICY; ves = sig->verify_ext_status; dkim_result = vs == PDKIM_VERIFY_PASS ? DMARC_POLICY_DKIM_OUTCOME_PASS : vs == PDKIM_VERIFY_FAIL ? DMARC_POLICY_DKIM_OUTCOME_FAIL : vs == PDKIM_VERIFY_INVALID ? DMARC_POLICY_DKIM_OUTCOME_TMPFAIL : DMARC_POLICY_DKIM_OUTCOME_NONE; - libdm_status = opendmarc_policy_store_dkim(dmarc_pctx, (uschar *)sig->domain, + libdm_status = opendmarc_policy_store_dkim(dmarc_pctx, US sig->domain, dkim_result, US""); DEBUG(D_receive) debug_printf("DMARC adding DKIM sender domain = %s\n", sig->domain); @@ -399,7 +405,7 @@ if (!dmarc_abort && !sender_host_authenticated) /* Can't use exim's string manipulation functions so allocate memory * for libopendmarc using its max hostname length definition. */ - uschar *dmarc_domain = (uschar *)calloc(DMARC_MAXHOSTNAMELEN, sizeof(uschar)); + uschar *dmarc_domain = US calloc(DMARC_MAXHOSTNAMELEN, sizeof(uschar)); libdm_status = opendmarc_policy_fetch_utilized_domain(dmarc_pctx, dmarc_domain, DMARC_MAXHOSTNAMELEN-1); dmarc_used_domain = string_copy(dmarc_domain); @@ -463,13 +469,13 @@ if (!dmarc_abort && !sender_host_authenticated) log_write(0, LOG_MAIN|LOG_PANIC, "failure to read DMARC alignment: %s", opendmarc_policy_status_to_str(libdm_status)); - if (has_dmarc_record == TRUE) + if (has_dmarc_record) { log_write(0, LOG_MAIN, "DMARC results: spf_domain=%s dmarc_domain=%s " "spf_align=%s dkim_align=%s enforcement='%s'", spf_sender_domain, dmarc_used_domain, - (sa==DMARC_POLICY_SPF_ALIGNMENT_PASS) ?"yes":"no", - (da==DMARC_POLICY_DKIM_ALIGNMENT_PASS)?"yes":"no", + sa==DMARC_POLICY_SPF_ALIGNMENT_PASS ?"yes":"no", + da==DMARC_POLICY_DKIM_ALIGNMENT_PASS ?"yes":"no", dmarc_status_text); history_file_status = dmarc_write_history_file(); /* Now get the forensic reporting addresses, if any */ @@ -478,19 +484,16 @@ if (!dmarc_abort && !sender_host_authenticated) } } -/* set some global variables here */ -dmarc_ar_header = dmarc_auth_results_header(from_header, NULL); - /* shut down libopendmarc */ -if ( dmarc_pctx != NULL ) +if (dmarc_pctx) (void) opendmarc_policy_connect_shutdown(dmarc_pctx); -if ( dmarc_disable_verify == FALSE ) +if (!dmarc_disable_verify) (void) opendmarc_policy_library_shutdown(&dmarc_ctx); return OK; } -int +static int dmarc_write_history_file() { int history_file_fd; @@ -500,15 +503,18 @@ u_char **rua; /* aggregate report addressees */ uschar *history_buffer = NULL; if (!dmarc_history_file) + { + DEBUG(D_receive) debug_printf("DMARC history file not set\n"); return DMARC_HIST_DISABLED; + } history_file_fd = log_create(dmarc_history_file); if (history_file_fd < 0) -{ + { log_write(0, LOG_MAIN|LOG_PANIC, "failure to create DMARC history file: %s", dmarc_history_file); return DMARC_HIST_FILE_ERR; -} + } /* Generate the contents of the history file */ history_buffer = string_sprintf( @@ -574,71 +580,40 @@ else return DMARC_HIST_OK; } + uschar * dmarc_exim_expand_query(int what) { if (dmarc_disable_verify || !dmarc_pctx) return dmarc_exim_expand_defaults(what); -switch(what) - { - case DMARC_VERIFY_STATUS: - return(dmarc_status); - default: - return US""; - } +if (what == DMARC_VERIFY_STATUS) + return dmarc_status; +return US""; } uschar * dmarc_exim_expand_defaults(int what) { -switch(what) - { - case DMARC_VERIFY_STATUS: - return dmarc_disable_verify ? US"off" : US"none"; - default: - return US""; - } +if (what == DMARC_VERIFY_STATUS) + return dmarc_disable_verify ? US"off" : US"none"; +return US""; } -uschar * -dmarc_auth_results_header(header_line *from_header, uschar *hostname) -{ -uschar *hdr_tmp = US""; - -/* Allow a server hostname to be passed to this function, but is - * currently unused */ -if (!hostname) - hostname = primary_hostname; -hdr_tmp = string_sprintf("%s %s;", DMARC_AR_HEADER, hostname); - -#if 0 -/* I don't think this belongs here, but left it here commented out - * because it was a lot of work to get working right. */ -if (spf_response != NULL) { - uschar *dmarc_ar_spf = US""; - int sr = 0; - sr = spf_response->result; - dmarc_ar_spf = (sr == SPF_RESULT_NEUTRAL) ? US"neutral" : - (sr == SPF_RESULT_PASS) ? US"pass" : - (sr == SPF_RESULT_FAIL) ? US"fail" : - (sr == SPF_RESULT_SOFTFAIL) ? US"softfail" : - US"none"; - hdr_tmp = string_sprintf("%s spf=%s (%s) smtp.mail=%s;", - hdr_tmp, dmarc_ar_spf_result, - spf_response->header_comment, - expand_string(US"$sender_address") ); -} -#endif -hdr_tmp = string_sprintf("%s dmarc=%s", hdr_tmp, dmarc_pass_fail); -if (header_from_sender) - hdr_tmp = string_sprintf("%s header.from=%s", - hdr_tmp, header_from_sender); -return hdr_tmp; +gstring * +authres_dmarc(gstring * g) +{ +if (dmarc_has_been_checked) + { + g = string_append(g, 2, US";\n\tdmarc=", dmarc_pass_fail); + if (header_from_sender) + g = string_append(g, 2, US" header.from=", header_from_sender); + } +return g; } -# endif /* EXPERIMENTAL_SPF */ +# endif /* SUPPORT_SPF */ #endif /* EXPERIMENTAL_DMARC */ /* vi: aw ai sw=2 */