From 620df281ca6618bddb7ae6f996ccfc06b148ec3e Mon Sep 17 00:00:00 2001 From: Todd Lyons Date: Tue, 9 Apr 2013 12:41:50 -0700 Subject: [PATCH 1/1] Fix history file logging to use correct variables Remove SPF domain synthesis, just use HELO. --- src/src/dmarc.c | 58 +++++++++++++++++++++++++------------------------ src/src/dmarc.h | 16 ++++++++++++++ 2 files changed, 46 insertions(+), 28 deletions(-) diff --git a/src/src/dmarc.c b/src/src/dmarc.c index f451fa650..825c2aa99 100644 --- a/src/src/dmarc.c +++ b/src/src/dmarc.c @@ -31,7 +31,7 @@ uschar *dmarc_pass_fail = US"skipped"; extern pdkim_signature *dkim_signatures; header_line *from_header = NULL; extern SPF_response_t *spf_response; -int dmarc_spf_result = 0; +int dmarc_spf_ares_result = 0; uschar *spf_sender_domain = NULL; uschar *spf_human_readable = NULL; u_char *header_from_sender = NULL; @@ -143,7 +143,8 @@ int dmarc_store_data(header_line *hdr) { strings and evaluates the condition outcome. */ int dmarc_process() { - int sr, origin; /* used in SPF section */ + int sr, origin; /* used in SPF section */ + int dmarc_spf_result = 0; /* stores spf into dmarc conn ctx */ pdkim_signature *sig = NULL; BOOL has_dmarc_record = TRUE; u_char **ruf; /* forensic report addressees, if called for */ 
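Review bot: The renamed global `dmarc_spf_ares_result` still starts at 0, and in the ARES_RESULT_* table this patch adds to dmarc.h, 0 is ARES_RESULT_PASS. If dmarc_write_history_file() can run with a non-NULL spf_response before dmarc_process() has assigned the variable, the history file would record an SPF pass that was never evaluated. This is inferred, since the callers and any per-message reset are outside this hunk. Starting from a non-pass sentinel removes the risk, for example `int dmarc_spf_ares_result = ARES_RESULT_UNDEFINED;`, assuming dmarc.h is already included ahead of this definition.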
@@ -198,34 +199,17 @@ int dmarc_process() { if ( spf_response == NULL ) { /* No spf data means null envelope sender so generate a domain name - * from the sender_host_name || sender_helo_name */ + * from the sender_helo_name */ if (spf_sender_domain == NULL) { - spf_sender_domain = (sender_host_name == NULL) ? sender_helo_name : sender_host_name; - uschar *subdomain = spf_sender_domain; - int count = 0; - while (subdomain && *subdomain != '.') - { - subdomain++; - count++; - } - /* If parsed characters in temp var "subdomain" and is pointing to - * a period now, get rid of the period and use that. Otherwise - * will use whatever was first set in spf_sender_domain. Goal is to - * generate a sane answer, not necessarily the right/best answer b/c - * at this point with a null sender, it's a bounce message, making - * the spf domain be subjective. */ - if (count > 0 && *subdomain == '.') - { - subdomain++; - spf_sender_domain = subdomain; - } + spf_sender_domain = sender_helo_name; log_write(0, LOG_MAIN, "DMARC using synthesized SPF sender domain = %s\n", spf_sender_domain); DEBUG(D_receive) debug_printf("DMARC using synthesized SPF sender domain = %s\n", spf_sender_domain); } dmarc_spf_result = DMARC_POLICY_SPF_OUTCOME_NONE; + dmarc_spf_ares_result = ARES_RESULT_UNKNOWN; origin = DMARC_POLICY_SPF_ORIGIN_HELO; spf_human_readable = US""; } 
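Review bot: `spf_sender_domain = sender_helo_name;` takes a client-supplied value with no check that it is set or non-empty. If no HELO/EHLO name was recorded, the pointer is presumably NULL when it reaches log_write(), debug_printf() and whatever consumes spf_sender_domain after this hunk (not visible here). A guard such as `if (sender_helo_name == NULL || *sender_helo_name == '\0')` ahead of the assignment would let the code log that case and skip the SPF store deliberately. The log text still says "synthesized" although nothing is synthesized now; `"DMARC using HELO name as SPF sender domain = %s"` would match the new behaviour. The enclosing dmarc_process() body starts and ends outside the hunk.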
@@ -237,6 +221,14 @@ int dmarc_process() { (sr == SPF_RESULT_FAIL) ? DMARC_POLICY_SPF_OUTCOME_FAIL : (sr == SPF_RESULT_SOFTFAIL) ? DMARC_POLICY_SPF_OUTCOME_TMPFAIL : DMARC_POLICY_SPF_OUTCOME_NONE; + dmarc_spf_ares_result = (sr == SPF_RESULT_NEUTRAL) ? ARES_RESULT_NEUTRAL : + (sr == SPF_RESULT_PASS) ? ARES_RESULT_PASS : + (sr == SPF_RESULT_FAIL) ? ARES_RESULT_FAIL : + (sr == SPF_RESULT_SOFTFAIL) ? ARES_RESULT_SOFTFAIL : + (sr == SPF_RESULT_NONE) ? ARES_RESULT_NONE : + (sr == SPF_RESULT_TEMPERROR) ? ARES_RESULT_TEMPERROR : + (sr == SPF_RESULT_PERMERROR) ? ARES_RESULT_PERMERROR : + ARES_RESULT_UNKNOWN; origin = DMARC_POLICY_SPF_ORIGIN_MAILFROM; spf_human_readable = (uschar *)spf_response->header_comment; DEBUG(D_receive) @@ -259,11 +251,12 @@ int dmarc_process() { dkim_history_buffer = US""; while (sig != NULL) { - int dkim_result, vs; - vs = sig->verify_status; + int dkim_result, dkim_ares_result, vs, ves; + vs = sig->verify_status; + ves = sig->verify_ext_status; dkim_result = ( vs == PDKIM_VERIFY_PASS ) ? DMARC_POLICY_DKIM_OUTCOME_PASS : - ( vs == PDKIM_VERIFY_FAIL ) ? DMARC_POLICY_DKIM_OUTCOME_FAIL : - ( vs == PDKIM_VERIFY_INVALID ) ? DMARC_POLICY_DKIM_OUTCOME_TMPFAIL : + ( vs == PDKIM_VERIFY_FAIL ) ? DMARC_POLICY_DKIM_OUTCOME_FAIL : + ( vs == PDKIM_VERIFY_INVALID ) ? DMARC_POLICY_DKIM_OUTCOME_TMPFAIL : DMARC_POLICY_DKIM_OUTCOME_NONE; libdm_status = opendmarc_policy_store_dkim(dmarc_pctx, (uschar *)sig->domain, dkim_result, US""); 
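Review bot: The eight-arm conditional chain assigned to `dmarc_spf_ares_result` is hard to audit against the ARES_RESULT_* table, and the DKIM mapping added in the @@ -273 hunk repeats the same pattern. A small static helper built on a `switch` keeps one result per line and makes the fallback to ARES_RESULT_UNKNOWN an explicit `default`. The enclosing dmarc_process() body starts and ends outside this hunk.

```c
/* Map a libspf2 result onto the ARES_RESULT_* code written to the history file. */
static int
dmarc_spf_to_ares(int sr)
{
switch (sr)
  {
  case SPF_RESULT_NEUTRAL:   return ARES_RESULT_NEUTRAL;
  case SPF_RESULT_PASS:      return ARES_RESULT_PASS;
  case SPF_RESULT_FAIL:      return ARES_RESULT_FAIL;
  case SPF_RESULT_SOFTFAIL:  return ARES_RESULT_SOFTFAIL;
  case SPF_RESULT_NONE:      return ARES_RESULT_NONE;
  case SPF_RESULT_TEMPERROR: return ARES_RESULT_TEMPERROR;
  case SPF_RESULT_PERMERROR: return ARES_RESULT_PERMERROR;
  default:                   return ARES_RESULT_UNKNOWN;
  }
}

/* … unchanged: dmarc_spf_result mapping from sr … */
dmarc_spf_ares_result = dmarc_spf_to_ares(sr);
```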
@@ -273,8 +266,17 @@ int dmarc_process() { log_write(0, LOG_MAIN|LOG_PANIC, "failure to store dkim (%s) for DMARC: %s", sig->domain, opendmarc_policy_status_to_str(libdm_status)); + dkim_ares_result = ( vs == PDKIM_VERIFY_PASS ) ? ARES_RESULT_PASS : + ( vs == PDKIM_VERIFY_FAIL ) ? ARES_RESULT_FAIL : + ( vs == PDKIM_VERIFY_NONE ) ? ARES_RESULT_NONE : + ( vs == PDKIM_VERIFY_INVALID ) ? + ( ves == PDKIM_VERIFY_INVALID_PUBKEY_UNAVAILABLE ? ARES_RESULT_PERMERROR : + ves == PDKIM_VERIFY_INVALID_BUFFER_SIZE ? ARES_RESULT_PERMERROR : + ves == PDKIM_VERIFY_INVALID_PUBKEY_PARSING ? ARES_RESULT_PERMERROR : + ARES_RESULT_UNKNOWN ) : + ARES_RESULT_UNKNOWN; dkim_history_buffer = string_sprintf("%sdkim %s %d\n", dkim_history_buffer, - sig->domain, dkim_result); + sig->domain, dkim_ares_result); sig = sig->next; } libdm_status = opendmarc_policy_query_dmarc(dmarc_pctx, US""); @@ -426,7 +428,7 @@ int dmarc_write_history_file() expand_string(US"$sender_address_domain")); if (spf_response != NULL) - history_buffer = string_sprintf("%sspf %d\n", history_buffer, dmarc_spf_result); + history_buffer = string_sprintf("%sspf %d\n", history_buffer, dmarc_spf_ares_result); // history_buffer = string_sprintf("%sspf -1\n", history_buffer); history_buffer = string_sprintf("%s%s", history_buffer, dkim_history_buffer); diff --git a/src/src/dmarc.h b/src/src/dmarc.h index 8537a62ab..356a8e423 100644 --- a/src/src/dmarc.h +++ b/src/src/dmarc.h 
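Review bot: `sig->domain` goes into the line-oriented history record through `string_sprintf("%sdkim %s %d\n", ...)` with no check on its contents. That string originates in the message's DKIM-Signature header, so it is sender-controlled. If pdkim does not already reject whitespace and control characters in it (not visible in this hunk), a malformed value could corrupt the records that later feed DMARC reporting. Confirm that guarantee, or skip signatures whose domain is NULL or contains such characters before appending. A comment such as `/* sig->domain: pdkim guarantees no whitespace/control characters */` would record the assumption.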
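Review bot: The `if (spf_response != NULL)` guard in dmarc_write_history_file() means no `spf` line is written for the HELO fallback case. The `dmarc_spf_ares_result = ARES_RESULT_UNKNOWN;` assignment added in the @@ -198 hunk is therefore never recorded. Either drop the guard so every history entry carries an SPF result, or state the intent next to it, e.g. `/* null sender: SPF was not evaluated, so no spf line is recorded */`. The leftover `// history_buffer = string_sprintf("%sspf -1\n", history_buffer);` should be deleted rather than kept as commented-out code.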
@@ -42,6 +42,22 @@ void dmarc_send_forensic_report(u_char **); #define DMARC_RESULT_TEMPFAIL 3 #define DMARC_RESULT_QUARANTINE 4 +/* From opendmarc-ar.h */ +/* ARES_RESULT_T -- type for specifying an authentication result */ +#define ARES_RESULT_UNDEFINED (-1) +#define ARES_RESULT_PASS 0 +#define ARES_RESULT_UNUSED 1 +#define ARES_RESULT_SOFTFAIL 2 +#define ARES_RESULT_NEUTRAL 3 +#define ARES_RESULT_TEMPERROR 4 +#define ARES_RESULT_PERMERROR 5 +#define ARES_RESULT_NONE 6 +#define ARES_RESULT_FAIL 7 +#define ARES_RESULT_POLICY 8 +#define ARES_RESULT_NXDOMAIN 9 +#define ARES_RESULT_SIGNED 10 +#define ARES_RESULT_UNKNOWN 11 +#define ARES_RESULT_DISCARD 12 #endif /* EXPERIMENTAL_DMARC */ -- 2.30.2
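Review bot: The copied ARES_RESULT_* block is labelled only "From opendmarc-ar.h", but dmarc.c now writes these numbers verbatim into the history file (`spf %d`, `dkim %s %d`). That makes them a file-format contract with whatever reads the file. The comment should say so and name the OpenDMARC release the values were taken from, for example `/* Must stay identical to ARES_RESULT_* in opendmarc-ar.h (OpenDMARC <version>): written as-is to the DMARC history file. */`. Without that, a later edit or an upstream renumbering would silently change the meaning of recorded results.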