X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/d7978c0f8af20ff4c3f770589b1bb81568aecff3..0b049796b89a59fc322119b54199d92c404ef687:/src/src/dmarc.c diff --git a/src/src/dmarc.c b/src/src/dmarc.c index c4edc9159..2e43f846d 100644 --- a/src/src/dmarc.c +++ b/src/src/dmarc.c @@ -1,8 +1,9 @@ /************************************************* * Exim - an Internet mail transport agent * *************************************************/ -/* Experimental DMARC support. +/* DMARC support. Copyright (c) Todd Lyons 2012 - 2014 + Copyright (c) The Exim Maintainers 2019 License: GPL */ /* Portions Copyright (c) 2012, 2013, The Trusted Domain Project; @@ -11,7 +12,7 @@ /* Code for calling dmarc checks via libopendmarc. Called from acl.c. */ #include "exim.h" -#ifdef EXPERIMENTAL_DMARC +#ifdef SUPPORT_DMARC # if !defined SUPPORT_SPF # error SPF must also be enabled for DMARC # elif defined DISABLE_DKIM @@ -109,15 +110,15 @@ if (libdm_status != DMARC_PARSE_OKAY) opendmarc_policy_status_to_str(libdm_status)); dmarc_abort = TRUE; } -if (!dmarc_tld_file) +if (!dmarc_tld_file || !*dmarc_tld_file) { DEBUG(D_receive) debug_printf("DMARC: no dmarc_tld_file\n"); dmarc_abort = TRUE; } else if (opendmarc_tld_read_file(CS dmarc_tld_file, NULL, NULL, NULL)) { - log_write(0, LOG_MAIN|LOG_PANIC, "DMARC failure to load tld list %s: %d", - dmarc_tld_file, errno); + log_write(0, LOG_MAIN|LOG_PANIC, "DMARC failure to load tld list '%s': %s", + dmarc_tld_file, strerror(errno)); dmarc_abort = TRUE; } if (!sender_host_address) @@ -203,6 +204,25 @@ if ( dmarc_policy == DMARC_POLICY_REJECT && action == DMARC_RESULT_REJECT } } + +/* Look up a DNS dmarc record for the given domain. Return it or NULL */ + +static uschar * +dmarc_dns_lookup(uschar * dom) +{ +dns_answer * dnsa = store_get_dns_answer(); +dns_scan dnss; +int rc = dns_lookup(dnsa, string_sprintf("_dmarc.%s", dom), T_TXT, NULL); + +if (rc == DNS_SUCCEED) + for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr; + rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) + if (rr->type == T_TXT && rr->size > 3) + return string_copyn(US rr->data, rr->size); +return NULL; +} + + /* dmarc_process adds the envelope sender address to the existing context (if any), retrieves the result, sets up expansion strings and evaluates the condition outcome. */ @@ -214,6 +234,7 @@ int sr, origin; /* used in SPF section */ int dmarc_spf_result = 0; /* stores spf into dmarc conn ctx */ int tmp_ans, c; pdkim_signature * sig = dkim_signatures; +uschar * rr; BOOL has_dmarc_record = TRUE; u_char **ruf; /* forensic report addressees, if called for */ @@ -358,7 +379,15 @@ if (!dmarc_abort && !sender_host_authenticated) sig->domain, dkim_ares_result); sig = sig->next; } - libdm_status = opendmarc_policy_query_dmarc(dmarc_pctx, US""); + + /* Look up DMARC policy record in DNS. We do this explicitly, rather than + letting the dmarc library do it with opendmarc_policy_query_dmarc(), so that + our dns access path is used for debug tracing and for the testsuite + diversion. */ + + libdm_status = (rr = dmarc_dns_lookup(header_from_sender)) + ? opendmarc_policy_store_dmarc(dmarc_pctx, rr, header_from_sender, NULL) + : DMARC_DNS_ERROR_NO_RECORD; switch (libdm_status) { case DMARC_DNS_ERROR_NXDOMAIN: @@ -398,11 +427,11 @@ if (!dmarc_abort && !sender_host_authenticated) /* Can't use exim's string manipulation functions so allocate memory for libopendmarc using its max hostname length definition. */ - dmarc_domain = US calloc(DMARC_MAXHOSTNAMELEN, sizeof(uschar)); + dmarc_domain = store_get(DMARC_MAXHOSTNAMELEN, TRUE); libdm_status = opendmarc_policy_fetch_utilized_domain(dmarc_pctx, dmarc_domain, DMARC_MAXHOSTNAMELEN-1); - dmarc_used_domain = string_copy(dmarc_domain); - free(dmarc_domain); + store_release_above(dmarc_domain + Ustrlen(dmarc_domain)+1); + dmarc_used_domain = dmarc_domain; if (libdm_status != DMARC_PARSE_OKAY) log_write(0, LOG_MAIN|LOG_PANIC, @@ -606,6 +635,6 @@ return g; } # endif /* SUPPORT_SPF */ -#endif /* EXPERIMENTAL_DMARC */ +#endif /* SUPPORT_DMARC */ /* vi: aw ai sw=2 */