X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/d7b5f2ab122c3de70f1f6672fe07b87e011338c6..8c513105fde2b8be3397216a0153f9b266fc7dfb:/src/src/dmarc.c?ds=sidebyside diff --git a/src/src/dmarc.c b/src/src/dmarc.c index ba9aa6695..f29f7eba6 100644 --- a/src/src/dmarc.c +++ b/src/src/dmarc.c @@ -28,7 +28,6 @@ OPENDMARC_STATUS_T libdm_status, action, dmarc_policy; OPENDMARC_STATUS_T da, sa, action; BOOL dmarc_abort = FALSE; uschar *dmarc_pass_fail = US"skipped"; -extern pdkim_signature *dkim_signatures; header_line *from_header = NULL; extern SPF_response_t *spf_response; int dmarc_spf_ares_result = 0; @@ -92,13 +91,13 @@ dmarc_status = US"none"; dmarc_abort = FALSE; dmarc_pass_fail = US"skipped"; dmarc_used_domain = US""; -dmarc_has_been_checked = FALSE; +f.dmarc_has_been_checked = FALSE; header_from_sender = NULL; spf_sender_domain = NULL; spf_human_readable = NULL; /* ACLs have "control=dmarc_disable_verify" */ -if (dmarc_disable_verify == TRUE) +if (f.dmarc_disable_verify == TRUE) return OK; (void) memset(&dmarc_ctx, '\0', sizeof dmarc_ctx); @@ -115,7 +114,7 @@ if (!dmarc_tld_file) DEBUG(D_receive) debug_printf("DMARC: no dmarc_tld_file\n"); dmarc_abort = TRUE; } -else if (opendmarc_tld_read_file(dmarc_tld_file, NULL, NULL, NULL)) +else if (opendmarc_tld_read_file(CS dmarc_tld_file, NULL, NULL, NULL)) { log_write(0, LOG_MAIN|LOG_PANIC, "DMARC failure to load tld list %s: %d", dmarc_tld_file, errno); @@ -149,7 +148,7 @@ int dmarc_store_data(header_line *hdr) { /* No debug output because would change every test debug output */ -if (!dmarc_disable_verify) +if (!f.dmarc_disable_verify) from_header = hdr; return OK; } @@ -165,7 +164,7 @@ error_block *eblock = NULL; FILE *message_file = NULL; /* Earlier ACL does not have *required* control=dmarc_enable_forensic */ -if (!dmarc_enable_forensic) +if (!f.dmarc_enable_forensic) return; if ( dmarc_policy == DMARC_POLICY_REJECT && action == DMARC_RESULT_REJECT @@ -179,14 +178,11 @@ if ( dmarc_policy == DMARC_POLICY_REJECT && action == DMARC_RESULT_REJECT eblock = add_to_eblock(eblock, US"Sender IP Address", sender_host_address); eblock = add_to_eblock(eblock, US"Received Date", tod_stamp(tod_full)); eblock = add_to_eblock(eblock, US"SPF Alignment", - (sa==DMARC_POLICY_SPF_ALIGNMENT_PASS) ?US"yes":US"no"); + sa == DMARC_POLICY_SPF_ALIGNMENT_PASS ? US"yes" : US"no"); eblock = add_to_eblock(eblock, US"DKIM Alignment", - (da==DMARC_POLICY_DKIM_ALIGNMENT_PASS)?US"yes":US"no"); + da == DMARC_POLICY_DKIM_ALIGNMENT_PASS ? US"yes" : US"no"); eblock = add_to_eblock(eblock, US"DMARC Results", dmarc_status_text); - /* Set a sane default envelope sender */ - dsn_from = dmarc_forensic_sender ? dmarc_forensic_sender : - dsn_from ? dsn_from : - string_sprintf("do-not-reply@%s",primary_hostname); + for (c = 0; ruf[c]; c++) { recipient = string_copylc(ruf[c]); @@ -196,16 +192,12 @@ if ( dmarc_policy == DMARC_POLICY_REJECT && action == DMARC_RESULT_REJECT recipient += 7; DEBUG(D_receive) debug_printf("DMARC forensic report to %s%s\n", recipient, - (host_checking || running_in_test_harness) ? " (not really)" : ""); - if (host_checking || running_in_test_harness) + (host_checking || f.running_in_test_harness) ? " (not really)" : ""); + if (host_checking || f.running_in_test_harness) continue; - save_sender = sender_address; - sender_address = recipient; - send_status = moan_to_sender(ERRMESS_DMARC_FORENSIC, eblock, - header_list, message_file, FALSE); - sender_address = save_sender; - if (!send_status) + if (!moan_send_message(recipient, ERRMESS_DMARC_FORENSIC, eblock, + header_list, message_file, NULL)) log_write(0, LOG_MAIN|LOG_PANIC, "failure to send DMARC forensic report to %s", recipient); } @@ -222,12 +214,12 @@ dmarc_process() int sr, origin; /* used in SPF section */ int dmarc_spf_result = 0; /* stores spf into dmarc conn ctx */ int tmp_ans, c; -pdkim_signature *sig = NULL; +pdkim_signature * sig = dkim_signatures; BOOL has_dmarc_record = TRUE; u_char **ruf; /* forensic report addressees, if called for */ /* ACLs have "control=dmarc_disable_verify" */ -if (dmarc_disable_verify) +if (f.dmarc_disable_verify) return OK; /* Store the header From: sender domain for this part of DMARC. @@ -243,27 +235,27 @@ if (!from_header) } else if (!dmarc_abort) { - uschar * errormsg; - int dummy, domain; - uschar * p; - uschar saveend; - - parse_allow_group = TRUE; - p = parse_find_address_end(from_header->text, FALSE); - saveend = *p; *p = '\0'; - if ((header_from_sender = parse_extract_address(from_header->text, &errormsg, - &dummy, &dummy, &domain, FALSE))) - header_from_sender += domain; - *p = saveend; - - /* The opendmarc library extracts the domain from the email address, but - * only try to store it if it's not empty. Otherwise, skip out of DMARC. */ - if (!header_from_sender || (strcmp( CCS header_from_sender, "") == 0)) - dmarc_abort = TRUE; - libdm_status = dmarc_abort ? - DMARC_PARSE_OKAY : - opendmarc_policy_store_from_domain(dmarc_pctx, header_from_sender); - if (libdm_status != DMARC_PARSE_OKAY) + uschar * errormsg; + int dummy, domain; + uschar * p; + uschar saveend; + + f.parse_allow_group = TRUE; + p = parse_find_address_end(from_header->text, FALSE); + saveend = *p; *p = '\0'; + if ((header_from_sender = parse_extract_address(from_header->text, &errormsg, + &dummy, &dummy, &domain, FALSE))) + header_from_sender += domain; + *p = saveend; + + /* The opendmarc library extracts the domain from the email address, but + * only try to store it if it's not empty. Otherwise, skip out of DMARC. */ + if (!header_from_sender || (strcmp( CCS header_from_sender, "") == 0)) + dmarc_abort = TRUE; + libdm_status = dmarc_abort + ? DMARC_PARSE_OKAY + : opendmarc_policy_store_from_domain(dmarc_pctx, header_from_sender); + if (libdm_status != DMARC_PARSE_OKAY) { log_write(0, LOG_MAIN|LOG_PANIC, "failure to store header From: in DMARC: %s, header was '%s'", @@ -276,6 +268,8 @@ else if (!dmarc_abort) * instead do this in the ACLs. */ if (!dmarc_abort && !sender_host_authenticated) { + uschar * dmarc_domain; + /* Use the envelope sender domain for this part of DMARC */ spf_sender_domain = expand_string(US"$sender_address_domain"); if (!spf_response) @@ -330,11 +324,11 @@ if (!dmarc_abort && !sender_host_authenticated) /* Now we cycle through the dkim signature results and put into * the opendmarc context, further building the DMARC reply. */ - sig = dkim_signatures; dkim_history_buffer = US""; while (sig) { int dkim_result, dkim_ares_result, vs, ves; + vs = sig->verify_status & ~PDKIM_VERIFY_POLICY; ves = sig->verify_ext_status; dkim_result = vs == PDKIM_VERIFY_PASS ? DMARC_POLICY_DKIM_OUTCOME_PASS : @@ -403,9 +397,9 @@ if (!dmarc_abort && !sender_host_authenticated) } /* Can't use exim's string manipulation functions so allocate memory - * for libopendmarc using its max hostname length definition. */ + for libopendmarc using its max hostname length definition. */ - uschar *dmarc_domain = US calloc(DMARC_MAXHOSTNAMELEN, sizeof(uschar)); + dmarc_domain = US calloc(DMARC_MAXHOSTNAMELEN, sizeof(uschar)); libdm_status = opendmarc_policy_fetch_utilized_domain(dmarc_pctx, dmarc_domain, DMARC_MAXHOSTNAMELEN-1); dmarc_used_domain = string_copy(dmarc_domain); @@ -416,8 +410,7 @@ if (!dmarc_abort && !sender_host_authenticated) "failure to read domainname used for DMARC lookup: %s", opendmarc_policy_status_to_str(libdm_status)); - libdm_status = opendmarc_get_policy_to_enforce(dmarc_pctx); - dmarc_policy = libdm_status; + dmarc_policy = libdm_status = opendmarc_get_policy_to_enforce(dmarc_pctx); switch(libdm_status) { case DMARC_POLICY_ABSENT: /* No DMARC record found */ @@ -474,8 +467,8 @@ if (!dmarc_abort && !sender_host_authenticated) log_write(0, LOG_MAIN, "DMARC results: spf_domain=%s dmarc_domain=%s " "spf_align=%s dkim_align=%s enforcement='%s'", spf_sender_domain, dmarc_used_domain, - (sa==DMARC_POLICY_SPF_ALIGNMENT_PASS) ?"yes":"no", - (da==DMARC_POLICY_DKIM_ALIGNMENT_PASS)?"yes":"no", + sa==DMARC_POLICY_SPF_ALIGNMENT_PASS ?"yes":"no", + da==DMARC_POLICY_DKIM_ALIGNMENT_PASS ?"yes":"no", dmarc_status_text); history_file_status = dmarc_write_history_file(); /* Now get the forensic reporting addresses, if any */ @@ -487,13 +480,13 @@ if (!dmarc_abort && !sender_host_authenticated) /* shut down libopendmarc */ if (dmarc_pctx) (void) opendmarc_policy_connect_shutdown(dmarc_pctx); -if (!dmarc_disable_verify) +if (!f.dmarc_disable_verify) (void) opendmarc_policy_library_shutdown(&dmarc_ctx); return OK; } -int +static int dmarc_write_history_file() { int history_file_fd; @@ -503,7 +496,10 @@ u_char **rua; /* aggregate report addressees */ uschar *history_buffer = NULL; if (!dmarc_history_file) + { + DEBUG(D_receive) debug_printf("DMARC history file not set\n"); return DMARC_HIST_DISABLED; + } history_file_fd = log_create(dmarc_history_file); if (history_file_fd < 0) @@ -555,8 +551,8 @@ history_buffer = string_sprintf( /* Write the contents to the history file */ DEBUG(D_receive) debug_printf("DMARC logging history data for opendmarc reporting%s\n", - (host_checking || running_in_test_harness) ? " (not really)" : ""); -if (host_checking || running_in_test_harness) + (host_checking || f.running_in_test_harness) ? " (not really)" : ""); +if (host_checking || f.running_in_test_harness) { DEBUG(D_receive) debug_printf("DMARC history data for debugging:\n%s", history_buffer); @@ -581,7 +577,7 @@ return DMARC_HIST_OK; uschar * dmarc_exim_expand_query(int what) { -if (dmarc_disable_verify || !dmarc_pctx) +if (f.dmarc_disable_verify || !dmarc_pctx) return dmarc_exim_expand_defaults(what); if (what == DMARC_VERIFY_STATUS) @@ -593,7 +589,7 @@ uschar * dmarc_exim_expand_defaults(int what) { if (what == DMARC_VERIFY_STATUS) - return dmarc_disable_verify ? US"off" : US"none"; + return f.dmarc_disable_verify ? US"off" : US"none"; return US""; } @@ -601,11 +597,11 @@ return US""; gstring * authres_dmarc(gstring * g) { -if (dmarc_has_been_checked) +if (f.dmarc_has_been_checked) { g = string_append(g, 2, US";\n\tdmarc=", dmarc_pass_fail); if (header_from_sender) - g = string_append(g, 2, US"header.from=", header_from_sender); + g = string_append(g, 2, US" header.from=", header_from_sender); } return g; }