From 87e9d061c94e3fdd721b7b04ccbdba7a061f6ca3 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Thu, 22 Mar 2018 13:26:58 +0000 Subject: [PATCH 1/1] SPF: additional variable $spf_result_guessed; tweak authresults string indicating guess --- doc/doc-docbook/spec.xfpt | 6 ++++++ src/src/dmarc.c | 2 +- src/src/expand.c | 1 + src/src/globals.c | 1 + src/src/globals.h | 1 + src/src/smtp_in.c | 1 + src/src/spf.c | 14 ++++++++++++-- test/confs/4600 | 4 ++-- test/log/4600 | 10 ++++++++-- test/rejectlog/4600 | 1 + test/scripts/4600-SPF/4600 | 12 +++++++++++- test/stdout/4600 | 16 +++++++++++++++- 12 files changed, 60 insertions(+), 9 deletions(-) diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 295cb15c1..a439a7b5e 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -12891,6 +12891,7 @@ is compiled with the content-scanning extension. For details, see section .vitem &$spf_header_comment$& &&& &$spf_received$& &&& &$spf_result$& &&& + &$spf_result_guessed$& &&& &$spf_smtp_comment$& These variables are only available if Exim is built with SPF support. For details see section &<>&. @@ -39348,6 +39349,11 @@ variables: one of pass, fail, softfail, none, neutral, permerror or temperror. +.vitem &$spf_result_guessed$& +.vindex &$spf_result_guessed$& + This boolean is trus only if a best-guess operation was used + and required in order to obtain a result. + .vitem &$spf_smtp_comment$& .vindex &$spf_smtp_comment$& This contains a string that can be used in a SMTP response diff --git a/src/src/dmarc.c b/src/src/dmarc.c index ba9aa6695..1c917aa15 100644 --- a/src/src/dmarc.c +++ b/src/src/dmarc.c @@ -605,7 +605,7 @@ if (dmarc_has_been_checked) { g = string_append(g, 2, US";\n\tdmarc=", dmarc_pass_fail); if (header_from_sender) - g = string_append(g, 2, US"header.from=", header_from_sender); + g = string_append(g, 2, US" header.from=", header_from_sender); } return g; } diff --git a/src/src/expand.c b/src/src/expand.c index f1c8544c9..a1ac7d198 100644 --- a/src/src/expand.c +++ b/src/src/expand.c @@ -710,6 +710,7 @@ static var_entry var_table[] = { { "spf_header_comment", vtype_stringptr, &spf_header_comment }, { "spf_received", vtype_stringptr, &spf_received }, { "spf_result", vtype_stringptr, &spf_result }, + { "spf_result_guessed", vtype_bool, &spf_result_guessed }, { "spf_smtp_comment", vtype_stringptr, &spf_smtp_comment }, #endif { "spool_directory", vtype_stringptr, &spool_directory }, diff --git a/src/src/globals.c b/src/src/globals.c index 55154646c..aed695066 100644 --- a/src/src/globals.c +++ b/src/src/globals.c @@ -1382,6 +1382,7 @@ uschar *spf_guess = US"v=spf1 a/24 mx/24 ptr ?all"; uschar *spf_header_comment = NULL; uschar *spf_received = NULL; uschar *spf_result = NULL; +BOOL spf_result_guessed = FALSE; uschar *spf_smtp_comment = NULL; #endif diff --git a/src/src/globals.h b/src/src/globals.h index 7bd681fe9..66d6c26be 100644 --- a/src/src/globals.h +++ b/src/src/globals.h @@ -881,6 +881,7 @@ extern uschar *spf_guess; /* spf best-guess record */ extern uschar *spf_header_comment; /* spf header comment */ extern uschar *spf_received; /* Received-SPF: header */ extern uschar *spf_result; /* spf result in string form */ +extern BOOL spf_result_guessed; /* spf result is of best-guess operation */ extern uschar *spf_smtp_comment; /* spf comment to include in SMTP reply */ #endif extern BOOL split_spool_directory; /* TRUE to use multiple subdirs */ diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c index c7eedf346..7d6298160 100644 --- a/src/src/smtp_in.c +++ b/src/src/smtp_in.c @@ -2006,6 +2006,7 @@ prdr_requested = FALSE; #endif #ifdef SUPPORT_SPF spf_header_comment = spf_received = spf_result = spf_smtp_comment = NULL; +spf_result_guessed = FALSE; #endif #ifdef EXPERIMENTAL_DMARC dmarc_has_been_checked = dmarc_disable_verify = dmarc_enable_forensic = FALSE; diff --git a/src/src/spf.c b/src/src/spf.c index 12994a690..0f0a05d4d 100644 --- a/src/src/spf.c +++ b/src/src/spf.c @@ -112,7 +112,10 @@ else { /* get SPF result */ if (action == SPF_PROCESS_FALLBACK) + { SPF_request_query_fallback(spf_request, &spf_response, CS spf_guess); + spf_result_guessed = TRUE; + } else SPF_request_query_mailfrom(spf_request, &spf_response); @@ -151,10 +154,17 @@ return FAIL; gstring * authres_spf(gstring * g) { +uschar * s; if (!spf_result) return g; -return string_append(g, 4, US";\n\tspf=", spf_result, - US" smtp.mailfrom=", expand_string(US"$sender_address_domain")); +g = string_append(g, 2, US";\n\tspf=", spf_result); +if (spf_result_guessed) + g = string_cat(g, US" (best guess record for domain)"); + +s = expand_string(US"$sender_address_domain"); +return s && *s + ? string_append(g, 2, US" smtp.mailfrom=", s) + : string_cat(g, US" smtp.mailfrom=<>"); } diff --git a/test/confs/4600 b/test/confs/4600 index 2934bf160..cce583909 100644 --- a/test/confs/4600 +++ b/test/confs/4600 @@ -13,7 +13,7 @@ begin acl check_rcpt: accept hosts = HOSTIPV4 spf_guess = pass - logwrite = spf_result $spf_result + logwrite = spf_result $spf_result (guess <$spf_result_guessed>) logwrite = spf_header_comment $spf_header_comment logwrite = spf_smtp_comment $spf_smtp_comment logwrite = spf_received $spf_received @@ -28,7 +28,7 @@ check_rcpt: logwrite = ${authresults {$primary_hostname}} deny - logwrite = spf_result $spf_result + logwrite = spf_result $spf_result (guess <$spf_result_guessed>) logwrite = spf_header_comment $spf_header_comment logwrite = spf_smtp_comment $spf_smtp_comment logwrite = spf_received $spf_received diff --git a/test/log/4600 b/test/log/4600 index 4a5e6e3e3..c59607edb 100644 --- a/test/log/4600 +++ b/test/log/4600 @@ -1,14 +1,20 @@ ******** SERVER ******** 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225 -1999-03-02 09:44:33 spf_result fail +1999-03-02 09:44:33 spf_result fail (guess ) 1999-03-02 09:44:33 spf_header_comment myhost.test.ex: domain of example.com does not designate ip4.ip4.ip4.ip4 as permitted sender 1999-03-02 09:44:33 spf_smtp_comment Please see http://www.openspf.org/Why?id=a%40example.com&ip=ip4.ip4.ip4.ip4&receiver=myhost.test.ex : Reason: mechanism 1999-03-02 09:44:33 spf_received Received-SPF: fail (myhost.test.ex: domain of example.com does not designate ip4.ip4.ip4.ip4 as permitted sender) client-ip=ip4.ip4.ip4.ip4; envelope-from=a@example.com; helo=testclient; 1999-03-02 09:44:33 Authentication-Results: myhost.test.ex;\n spf=fail smtp.mailfrom=example.com 1999-03-02 09:44:33 H=(testclient) [ip4.ip4.ip4.ip4] F= rejected RCPT +1999-03-02 09:44:33 spf_result neutral (guess ) +1999-03-02 09:44:33 spf_header_comment myhost.test.ex: ip4.ip4.ip4.ip4 is neither permitted nor denied by domain of test.example.com +1999-03-02 09:44:33 spf_smtp_comment Please see http://www.openspf.org/Why?id=b%40test.example.com&ip=ip4.ip4.ip4.ip4&receiver=myhost.test.ex : Reason: mechanism +1999-03-02 09:44:33 spf_received Received-SPF: neutral (myhost.test.ex: ip4.ip4.ip4.ip4 is neither permitted nor denied by domain of test.example.com) client-ip=ip4.ip4.ip4.ip4; envelope-from=b@test.example.com; helo=testclient; +1999-03-02 09:44:33 Authentication-Results: myhost.test.ex;\n spf=neutral (best guess record for domain) smtp.mailfrom=test.example.com +1999-03-02 09:44:33 H=(testclient) [ip4.ip4.ip4.ip4] F= rejected RCPT 1999-03-02 09:44:33 spf_result pass 1999-03-02 09:44:33 spf_header_comment myhost.test.ex: localhost is always allowed. 1999-03-02 09:44:33 spf_smtp_comment -1999-03-02 09:44:33 spf_received Received-SPF: pass (myhost.test.ex: localhost is always allowed.) client-ip=127.0.0.1; envelope-from=b@example.com; helo=testclient; +1999-03-02 09:44:33 spf_received Received-SPF: pass (myhost.test.ex: localhost is always allowed.) client-ip=127.0.0.1; envelope-from=c@example.com; helo=testclient; 1999-03-02 09:44:33 Authentication-Results: myhost.test.ex;\n spf=pass smtp.mailfrom=example.com diff --git a/test/rejectlog/4600 b/test/rejectlog/4600 index 6eeab86c5..abd86c874 100644 --- a/test/rejectlog/4600 +++ b/test/rejectlog/4600 @@ -1,3 +1,4 @@ ******** SERVER ******** 1999-03-02 09:44:33 H=(testclient) [ip4.ip4.ip4.ip4] F= rejected RCPT +1999-03-02 09:44:33 H=(testclient) [ip4.ip4.ip4.ip4] F= rejected RCPT diff --git a/test/scripts/4600-SPF/4600 b/test/scripts/4600-SPF/4600 index 3907f6861..825efb959 100644 --- a/test/scripts/4600-SPF/4600 +++ b/test/scripts/4600-SPF/4600 @@ -19,11 +19,21 @@ rcpt to: ??? 550 quit **** +client HOSTIPV4 PORT_D +??? 220 +helo testclient +??? 250 +mail from: +??? 250 +rcpt to: +??? 550 +quit +**** client 127.0.0.1 PORT_D ??? 220 helo testclient ??? 250 -mail from: +mail from: ??? 250 rcpt to: ??? 250 diff --git a/test/stdout/4600 b/test/stdout/4600 index c33a531c2..3b75a04e3 100644 --- a/test/stdout/4600 +++ b/test/stdout/4600 @@ -12,13 +12,27 @@ Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected <<< 550 Administrative prohibition >>> quit End of script +Connecting to ip4.ip4.ip4.ip4 port 1225 ... connected +??? 220 +<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +>>> helo testclient +??? 250 +<<< 250 myhost.test.ex Hello testclient [ip4.ip4.ip4.ip4] +>>> mail from: +??? 250 +<<< 250 OK +>>> rcpt to: +??? 550 +<<< 550 Administrative prohibition +>>> quit +End of script Connecting to 127.0.0.1 port 1225 ... connected ??? 220 <<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 >>> helo testclient ??? 250 <<< 250 myhost.test.ex Hello testclient [127.0.0.1] ->>> mail from: +>>> mail from: ??? 250 <<< 250 OK >>> rcpt to: -- 2.30.2