#include <spf2/spf_dns_resolv.h>
#include <spf2/spf_dns_cache.h>
+extern SPF_dns_server_t * SPF_dns_exim_new(int);
+
+
static void *
spf_open(uschar *filename, uschar **errmsg)
{
-SPF_server_t *spf_server;
-if ((spf_server = SPF_server_new(SPF_DNS_CACHE, 0)))
- return (void *) spf_server;
-*errmsg = US"SPF_server_new() failed";
-return NULL;
+SPF_dns_server_t * dc;
+SPF_server_t *spf_server = NULL;
+int debug = 0;
+
+DEBUG(D_lookup) debug = 1;
+
+if ((dc = SPF_dns_exim_new(debug)))
+ if ((dc = SPF_dns_cache_new(dc, NULL, debug, 8)))
+ spf_server = SPF_server_new_dns(dc, debug);
+
+if (!spf_server)
+ {
+ *errmsg = US"SPF_dns_exim_nnew() failed";
+ return NULL;
+ }
+return (void *) spf_server;
}
+
static void
spf_close(void *handle)
{
* Exim - an Internet mail transport agent *
*************************************************/
-/* Experimental SPF support.
+/* SPF support.
Copyright (c) Tom Kistner <tom@duncanthrax.net> 2004 - 2014
License: GPL
- Copyright (c) The Exim Maintainers 2015 - 2018
+ Copyright (c) The Exim Maintainers 2015 - 2019
*/
/* Code for calling spf checks via libspf-alt. Called from acl.c. */
SPF_response_t *spf_response = NULL;
SPF_response_t *spf_response_2mx = NULL;
+SPF_dns_rr_t * spf_nxdomain = NULL;
+
+
+
+static SPF_dns_rr_t *
+SPF_dns_exim_lookup(SPF_dns_server_t *spf_dns_server,
+const char *domain, ns_type rr_type, int should_cache)
+{
+dns_answer dnsa;
+dns_scan dnss;
+SPF_dns_rr_t * spfrr;
+
+DEBUG(D_receive) debug_printf("SPF_dns_exim_lookup\n");
+
+if (dns_lookup(&dnsa, US domain, rr_type, NULL) == DNS_SUCCEED)
+ for (dns_record * rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS); rr;
+ rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
+ if ( rr->type == rr_type
+ && Ustrncmp(rr->data+1, "v=spf1", 6) == 0)
+ {
+ gstring * g = NULL;
+ uschar chunk_len;
+ uschar * s;
+ SPF_dns_rr_t srr = {
+ .domain = CS rr->name, /* query information */
+ .domain_buf_len = DNS_MAXNAME,
+ .rr_type = rr->type,
+
+ .num_rr = 1, /* answer information */
+ .rr = NULL,
+ .rr_buf_len = 0,
+ .rr_buf_num = 0,
+ .ttl = rr->ttl,
+ .utc_ttl = 0,
+ .herrno = NETDB_SUCCESS,
+
+ .hook = NULL, /* misc information */
+ .source = spf_dns_server
+ };
+
+ for (int off = 0; off < rr->size; off += chunk_len)
+ {
+ chunk_len = (rr->data)[off++];
+ g = string_catn(g, US ((rr->data)+off), chunk_len);
+ }
+ if (!g)
+ {
+ HDEBUG(D_host_lookup) debug_printf("IP address lookup yielded an "
+ "empty name: treated as non-existent host name\n");
+ continue;
+ }
+ gstring_release_unused(g);
+ s = string_copy_malloc(string_from_gstring(g));
+ srr.rr = (void *) &s;
+
+ /* spfrr->rr must have been malloc()d for this */
+ SPF_dns_rr_dup(&spfrr, &srr);
+
+ return spfrr;
+ }
+
+SPF_dns_rr_dup(&spfrr, spf_nxdomain);
+return spfrr;
+}
+
+
+
+SPF_dns_server_t *
+SPF_dns_exim_new(int debug)
+{
+SPF_dns_server_t *spf_dns_server;
+
+DEBUG(D_receive) debug_printf("SPF_dns_exim_new\n");
+
+if (!(spf_dns_server = malloc(sizeof(SPF_dns_server_t))))
+ return NULL;
+memset(spf_dns_server, 0, sizeof(SPF_dns_server_t));
+
+spf_dns_server->destroy = NULL;
+spf_dns_server->lookup = SPF_dns_exim_lookup;
+spf_dns_server->get_spf = NULL;
+spf_dns_server->get_exp = NULL;
+spf_dns_server->add_cache = NULL;
+spf_dns_server->layer_below = NULL;
+spf_dns_server->name = "exim";
+spf_dns_server->debug = debug;
+
+/* XXX This might have to return NO_DATA sometimes. */
+
+spf_nxdomain = SPF_dns_rr_new_init(spf_dns_server,
+ "", ns_t_any, 24 * 60 * 60, HOST_NOT_FOUND);
+if (!spf_nxdomain)
+ {
+ free(spf_dns_server);
+ return NULL;
+ }
+
+return spf_dns_server;
+}
+
+
/* spf_init sets up a context that can be re-used for several
messages on the same SMTP connection (that come from the
- same host with the same HELO string)
+ same host with the same HELO string).
+XXX the spf_server layer could usefully be separately init'd
+given that it sets up a dns cache.
Return: Boolean success */
BOOL
spf_init(uschar *spf_helo_domain, uschar *spf_remote_addr)
{
-spf_server = SPF_server_new(SPF_DNS_CACHE, 0);
+int debug = 0;
+SPF_dns_server_t * dc;
+
+DEBUG(D_receive)
+ {
+ debug_printf("spf_init: %s %s\n", spf_helo_domain, spf_remote_addr);
+ debug = 1;
+ }
+
+/* We insert our own DNS access layer rather than letting the spf library
+do it, so that our dns access path is used for debug tracing and for the
+testsuite. */
-if (!spf_server)
+if (!(dc = SPF_dns_exim_new(debug)))
+ {
+ DEBUG(D_receive) debug_printf("spf: SPF_dns_exim_new() failed\n");
+ return FALSE;
+ }
+if (!(dc = SPF_dns_cache_new(dc, NULL, debug, 8)))
+ {
+ DEBUG(D_receive) debug_printf("spf: SPF_dns_cache_new() failed\n");
+ return FALSE;
+ }
+if (!(spf_server = SPF_server_new_dns(dc, debug)))
{
DEBUG(D_receive) debug_printf("spf: SPF_server_new() failed.\n");
return FALSE;
uschar *spf_result_id;
int rc = SPF_RESULT_PERMERROR;
+DEBUG(D_receive) debug_printf("spf_process\n");
+
if (!(spf_server && spf_request))
/* no global context, assume temp error and skip to evaluation */
rc = SPF_RESULT_PERMERROR;
logwrite = ${authresults {$primary_hostname}}
accept condition = ${if eq {$received_port}{PORT_S}}
- spf = pass : softfail : neutral
+ spf = pass : softfail : neutral : none
logwrite = spf_result $spf_result
logwrite = spf_header_comment $spf_header_comment
logwrite = spf_smtp_comment $spf_smtp_comment
example.com. NS exim.example.com.
+; The real example.com has an SPF record; duplicate that here
+
+example.com. TXT v=spf1 -all
+
; Alias A record for the local host, under the name "server1"
server1 A HOSTIPV4
******** SERVER ********
-1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D port PORT_S
-1999-03-02 09:44:33 spf_result pass (guess <no>)
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D port PORT_S port PORT_N
+1999-03-02 09:44:33 spf_result pass
1999-03-02 09:44:33 spf_header_comment myhost.test.ex: localhost is always allowed.
1999-03-02 09:44:33 spf_smtp_comment
1999-03-02 09:44:33 spf_received Received-SPF: pass (myhost.test.ex: localhost is always allowed.) client-ip=127.0.0.1; envelope-from=a@example.com; helo=testclient;
1999-03-02 09:44:33 Authentication-Results: myhost.test.ex;\n spf=pass smtp.mailfrom=example.com
-1999-03-02 09:44:33 spf_result pass (guess <no>)
-1999-03-02 09:44:33 spf_header_comment myhost.test.ex: localhost is always allowed.
+1999-03-02 09:44:33 spf_result none
+1999-03-02 09:44:33 spf_header_comment myhost.test.ex: domain of test.example.com does not provide an SPF record
1999-03-02 09:44:33 spf_smtp_comment
-1999-03-02 09:44:33 spf_received Received-SPF: pass (myhost.test.ex: localhost is always allowed.) client-ip=127.0.0.1; envelope-from=b@test.example.com; helo=testclient;
-1999-03-02 09:44:33 Authentication-Results: myhost.test.ex;\n spf=pass smtp.mailfrom=test.example.com
-1999-03-02 09:44:33 spf_result pass
+1999-03-02 09:44:33 spf_received Received-SPF: none (myhost.test.ex: domain of test.example.com does not provide an SPF record) client-ip=ip4.ip4.ip4.ip4; envelope-from=b@test.example.com; helo=testclient;
+1999-03-02 09:44:33 Authentication-Results: myhost.test.ex;\n spf=none smtp.mailfrom=test.example.com
+1999-03-02 09:44:33 spf_result pass (guess <no>)
1999-03-02 09:44:33 spf_header_comment myhost.test.ex: localhost is always allowed.
1999-03-02 09:44:33 spf_smtp_comment
1999-03-02 09:44:33 spf_received Received-SPF: pass (myhost.test.ex: localhost is always allowed.) client-ip=127.0.0.1; envelope-from=c@example.com; helo=testclient;
1999-03-02 09:44:33 Authentication-Results: myhost.test.ex;\n spf=pass smtp.mailfrom=example.com
+1999-03-02 09:44:33 spf_result neutral (guess <yes>)
+1999-03-02 09:44:33 spf_header_comment myhost.test.ex: ip4.ip4.ip4.ip4 is neither permitted nor denied by domain of test.example.com
+1999-03-02 09:44:33 spf_smtp_comment Please see http://www.openspf.org/Why?id=b%40test.example.com&ip=ip4.ip4.ip4.ip4&receiver=myhost.test.ex : Reason: mechanism
+1999-03-02 09:44:33 spf_received Received-SPF: neutral (myhost.test.ex: ip4.ip4.ip4.ip4 is neither permitted nor denied by domain of test.example.com) client-ip=ip4.ip4.ip4.ip4; envelope-from=b@test.example.com; helo=testclient;
+1999-03-02 09:44:33 Authentication-Results: myhost.test.ex;\n spf=neutral (best guess record for domain) smtp.mailfrom=test.example.com
+1999-03-02 09:44:33 H=(testclient) [ip4.ip4.ip4.ip4] F=<b@test.example.com> rejected RCPT <fred@test.ex>
+1999-03-02 09:44:33 spf_result (guess <no>)
+1999-03-02 09:44:33 spf_header_comment
+1999-03-02 09:44:33 spf_smtp_comment
+1999-03-02 09:44:33 spf_received
+1999-03-02 09:44:33 Authentication-Results: myhost.test.ex
+1999-03-02 09:44:33 H=(testclient) [127.0.0.1] F=<c@example.com> rejected RCPT <fred@test.ex>
# acl condition and variables
#
-# It is rather difficult to properly test spf. We use libspf2 to do the work, and it
-# does the DNS lookups, so we cannot intercept them in the testsuite's usual fashion
-# to provide values for testcases.
+# The 127.0.0.1 source addr seems to be a builtin in the spf library; no dns lookup is done.
+# HOSTIPV4 does get a series of lookups (see server debug output to verify that).
#
-# For now just check that what should be working syntax does not cause us to fall over.
-# Be careful with envelope-domains and IPs used for testcases, as real DNS lookups will be done.
-#
-exim -bd -DSERVER=server -oX PORT_D:PORT_S
+exim -bd -DSERVER=server -oX PORT_D:PORT_S:PORT_N
****
-client 127.0.0.1 PORT_D
+client 127.0.0.1 PORT_S
??? 220
helo testclient
??? 250
??? 250
quit
****
-client 127.0.0.1 PORT_D
+client HOSTIPV4 PORT_S
??? 220
helo testclient
??? 250
??? 250
quit
****
-client 127.0.0.1 PORT_S
+client 127.0.0.1 PORT_D
??? 220
helo testclient
??? 250
??? 250
quit
****
+client HOSTIPV4 PORT_D
+??? 220
+helo testclient
+??? 250
+mail from:<b@test.example.com>
+??? 250
+rcpt to:<fred@test.ex>
+??? 550
+quit
+****
+client 127.0.0.1 PORT_N
+??? 220
+helo testclient
+??? 250
+mail from:<c@example.com>
+??? 250
+rcpt to:<fred@test.ex>
+??? 550
+quit
+****
#
killdaemon
sender_fullhost = (test) [127.0.0.1]
sender_rcvhost = [127.0.0.1] (helo=test)
set_process_info: pppp handling incoming connection from (test) [127.0.0.1]
+spf_init: test 127.0.0.1
+SPF_dns_exim_new
+spf_compile.c:523 Debug: Parsing macro starting at Please%_see%_http://www.openspf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}
+spf_compile.c:1210 Debug: Compiling record v=spf1
SMTP>> 250 myhost.test.ex Hello test [127.0.0.1]
SMTP<< MAIL FROM:<test@test.ex>
spool directory space = nnnnnK inodes = nnnnn check_space = 10240K inodes = 100 msg_size = 0
sender_fullhost = ([V4NET.2.3.4]) [V4NET.2.3.4]
sender_rcvhost = [V4NET.2.3.4]
set_process_info: pppp handling incoming connection from ([V4NET.2.3.4]) [V4NET.2.3.4]
+spf_init: [V4NET.2.3.4] V4NET.2.3.4
+SPF_dns_exim_new
+spf_compile.c:523 Debug: Parsing macro starting at Please%_see%_http://www.openspf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}
+spf_compile.c:1210 Debug: Compiling record v=spf1
host in dsn_advertise_hosts? no (option unset)
host in pipelining_advertise_hosts? yes (matched "*")
host in chunking_advertise_hosts? no (end of list)
sender_fullhost = host.name.tld [V4NET.2.3.4]
sender_rcvhost = host.name.tld ([V4NET.2.3.4])
set_process_info: pppp handling incoming connection from host.name.tld [V4NET.2.3.4]
+spf_init: [V4NET.2.3.4] V4NET.2.3.4
+SPF_dns_exim_new
+spf_compile.c:523 Debug: Parsing macro starting at Please%_see%_http://www.openspf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}
+spf_compile.c:1210 Debug: Compiling record v=spf1
host in dsn_advertise_hosts? no (option unset)
host in pipelining_advertise_hosts? yes (matched "*")
host in chunking_advertise_hosts? no (end of list)
sender_fullhost = (something) [V4NET.0.0.0]
sender_rcvhost = [V4NET.0.0.0] (helo=something)
set_process_info: pppp handling incoming connection from (something) [V4NET.0.0.0]
+spf_init: something V4NET.0.0.0
+SPF_dns_exim_new
+spf_compile.c:523 Debug: Parsing macro starting at Please%_see%_http://www.openspf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}
+spf_compile.c:1210 Debug: Compiling record v=spf1
host in dsn_advertise_hosts? no (option unset)
host in pipelining_advertise_hosts? yes (matched "*")
host in chunking_advertise_hosts? no (end of list)
sender_fullhost = ([1.2.3.4]) [1.2.3.4]
sender_rcvhost = [1.2.3.4]
set_process_info: pppp handling incoming connection from ([1.2.3.4]) [1.2.3.4]
+spf_init: [1.2.3.4] 1.2.3.4
+SPF_dns_exim_new
+spf_compile.c:523 Debug: Parsing macro starting at Please%_see%_http://www.openspf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}
+spf_compile.c:1210 Debug: Compiling record v=spf1
SMTP>> 250 the.local.host.name Hello [1.2.3.4] [1.2.3.4]
SMTP<< mail from:<a@b>
spool directory space = nnnnnK inodes = nnnnn check_space = 10240K inodes = 100 msg_size = 0
SMTP>> 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
smtp_setup_msg entered
SMTP<< ehlo x.y
+spf_init: x.y NULL
+SPF_dns_exim_new
+spf_compile.c:523 Debug: Parsing macro starting at Please%_see%_http://www.openspf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}
+spf_compile.c:1210 Debug: Compiling record v=spf1
in dsn_advertise_hosts? no (option unset)
in pipelining_advertise_hosts? yes (matched "*")
in chunking_advertise_hosts? no (end of list)
sender_fullhost = (testing.testing) [10.0.0.5]
sender_rcvhost = [10.0.0.5] (helo=testing.testing ident=CALLER)
set_process_info: pppp handling incoming connection from (testing.testing) [10.0.0.5] U=CALLER
+spf_init: testing.testing 10.0.0.5
+SPF_dns_exim_new
+spf_compile.c:523 Debug: Parsing macro starting at Please%_see%_http://www.openspf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}
+spf_compile.c:1210 Debug: Compiling record v=spf1
host in dsn_advertise_hosts? no (option unset)
host in pipelining_advertise_hosts? yes (matched "*")
host in "10.0.0.1"? no (end of list)
-Connecting to 127.0.0.1 port 1225 ... connected
+Connecting to 127.0.0.1 port 1224 ... connected
??? 220
<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
>>> helo testclient
<<< 250 Accepted
>>> quit
End of script
-Connecting to 127.0.0.1 port 1225 ... connected
+Connecting to ip4.ip4.ip4.ip4 port 1224 ... connected
??? 220
<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
>>> helo testclient
??? 250
-<<< 250 myhost.test.ex Hello testclient [127.0.0.1]
+<<< 250 myhost.test.ex Hello testclient [ip4.ip4.ip4.ip4]
>>> mail from:<b@test.example.com>
??? 250
<<< 250 OK
<<< 250 Accepted
>>> quit
End of script
-Connecting to 127.0.0.1 port 1224 ... connected
+Connecting to 127.0.0.1 port 1225 ... connected
??? 220
<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
>>> helo testclient
<<< 250 Accepted
>>> quit
End of script
+Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> helo testclient
+??? 250
+<<< 250 myhost.test.ex Hello testclient [ip4.ip4.ip4.ip4]
+>>> mail from:<b@test.example.com>
+??? 250
+<<< 250 OK
+>>> rcpt to:<fred@test.ex>
+??? 550
+<<< 550 Administrative prohibition
+>>> quit
+End of script
+Connecting to 127.0.0.1 port 1223 ... connected
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> helo testclient
+??? 250
+<<< 250 myhost.test.ex Hello testclient [127.0.0.1]
+>>> mail from:<c@example.com>
+??? 250
+<<< 250 OK
+>>> rcpt to:<fred@test.ex>
+??? 550
+<<< 550 Administrative prohibition
+>>> quit
+End of script
git://git.exim.org / exim.git / commitdiff