X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fsrc%2Fdmarc.c;h=2e43f846d39155e8116a7f067bc20a30a4292e2e;hb=12b7f811de4a540d0724585aecfa33b5881e2a30;hp=a7e08c5e8a7a0ef77af2146f66d8fdcf5f40f07e;hpb=8768d5483a5894400ae1f70cda1beb44ed9b087c;p=user%2Fhenk%2Fcode%2Fexim.git diff --git a/src/src/dmarc.c b/src/src/dmarc.c index a7e08c5e8..2e43f846d 100644 --- a/src/src/dmarc.c +++ b/src/src/dmarc.c @@ -1,8 +1,9 @@ /************************************************* * Exim - an Internet mail transport agent * *************************************************/ -/* Experimental DMARC support. +/* DMARC support. Copyright (c) Todd Lyons 2012 - 2014 + Copyright (c) The Exim Maintainers 2019 License: GPL */ /* Portions Copyright (c) 2012, 2013, The Trusted Domain Project; @@ -11,7 +12,7 @@ /* Code for calling dmarc checks via libopendmarc. Called from acl.c. */ #include "exim.h" -#ifdef EXPERIMENTAL_DMARC +#ifdef SUPPORT_DMARC # if !defined SUPPORT_SPF # error SPF must also be enabled for DMARC # elif defined DISABLE_DKIM @@ -109,15 +110,15 @@ if (libdm_status != DMARC_PARSE_OKAY) opendmarc_policy_status_to_str(libdm_status)); dmarc_abort = TRUE; } -if (!dmarc_tld_file) +if (!dmarc_tld_file || !*dmarc_tld_file) { DEBUG(D_receive) debug_printf("DMARC: no dmarc_tld_file\n"); dmarc_abort = TRUE; } -else if (opendmarc_tld_read_file(dmarc_tld_file, NULL, NULL, NULL)) +else if (opendmarc_tld_read_file(CS dmarc_tld_file, NULL, NULL, NULL)) { - log_write(0, LOG_MAIN|LOG_PANIC, "DMARC failure to load tld list %s: %d", - dmarc_tld_file, errno); + log_write(0, LOG_MAIN|LOG_PANIC, "DMARC failure to load tld list '%s': %s", + dmarc_tld_file, strerror(errno)); dmarc_abort = TRUE; } if (!sender_host_address) @@ -157,7 +158,6 @@ return OK; static void dmarc_send_forensic_report(u_char **ruf) { -int c; uschar *recipient, *save_sender; BOOL send_status = FALSE; error_block *eblock = NULL; @@ -178,15 +178,12 @@ if ( dmarc_policy == DMARC_POLICY_REJECT && action == DMARC_RESULT_REJECT eblock = add_to_eblock(eblock, US"Sender IP Address", sender_host_address); eblock = add_to_eblock(eblock, US"Received Date", tod_stamp(tod_full)); eblock = add_to_eblock(eblock, US"SPF Alignment", - (sa==DMARC_POLICY_SPF_ALIGNMENT_PASS) ?US"yes":US"no"); + sa == DMARC_POLICY_SPF_ALIGNMENT_PASS ? US"yes" : US"no"); eblock = add_to_eblock(eblock, US"DKIM Alignment", - (da==DMARC_POLICY_DKIM_ALIGNMENT_PASS)?US"yes":US"no"); + da == DMARC_POLICY_DKIM_ALIGNMENT_PASS ? US"yes" : US"no"); eblock = add_to_eblock(eblock, US"DMARC Results", dmarc_status_text); - /* Set a sane default envelope sender */ - dsn_from = dmarc_forensic_sender ? dmarc_forensic_sender : - dsn_from ? dsn_from : - string_sprintf("do-not-reply@%s",primary_hostname); - for (c = 0; ruf[c]; c++) + + for (int c = 0; ruf[c]; c++) { recipient = string_copylc(ruf[c]); if (Ustrncmp(recipient, "mailto:",7)) @@ -199,18 +196,33 @@ if ( dmarc_policy == DMARC_POLICY_REJECT && action == DMARC_RESULT_REJECT if (host_checking || f.running_in_test_harness) continue; - save_sender = sender_address; - sender_address = recipient; - send_status = moan_to_sender(ERRMESS_DMARC_FORENSIC, eblock, - header_list, message_file, FALSE); - sender_address = save_sender; - if (!send_status) + if (!moan_send_message(recipient, ERRMESS_DMARC_FORENSIC, eblock, + header_list, message_file, NULL)) log_write(0, LOG_MAIN|LOG_PANIC, "failure to send DMARC forensic report to %s", recipient); } } } + +/* Look up a DNS dmarc record for the given domain. Return it or NULL */ + +static uschar * +dmarc_dns_lookup(uschar * dom) +{ +dns_answer * dnsa = store_get_dns_answer(); +dns_scan dnss; +int rc = dns_lookup(dnsa, string_sprintf("_dmarc.%s", dom), T_TXT, NULL); + +if (rc == DNS_SUCCEED) + for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr; + rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)) + if (rr->type == T_TXT && rr->size > 3) + return string_copyn(US rr->data, rr->size); +return NULL; +} + + /* dmarc_process adds the envelope sender address to the existing context (if any), retrieves the result, sets up expansion strings and evaluates the condition outcome. */ @@ -222,6 +234,7 @@ int sr, origin; /* used in SPF section */ int dmarc_spf_result = 0; /* stores spf into dmarc conn ctx */ int tmp_ans, c; pdkim_signature * sig = dkim_signatures; +uschar * rr; BOOL has_dmarc_record = TRUE; u_char **ruf; /* forensic report addressees, if called for */ @@ -366,7 +379,15 @@ if (!dmarc_abort && !sender_host_authenticated) sig->domain, dkim_ares_result); sig = sig->next; } - libdm_status = opendmarc_policy_query_dmarc(dmarc_pctx, US""); + + /* Look up DMARC policy record in DNS. We do this explicitly, rather than + letting the dmarc library do it with opendmarc_policy_query_dmarc(), so that + our dns access path is used for debug tracing and for the testsuite + diversion. */ + + libdm_status = (rr = dmarc_dns_lookup(header_from_sender)) + ? opendmarc_policy_store_dmarc(dmarc_pctx, rr, header_from_sender, NULL) + : DMARC_DNS_ERROR_NO_RECORD; switch (libdm_status) { case DMARC_DNS_ERROR_NXDOMAIN: @@ -406,11 +427,11 @@ if (!dmarc_abort && !sender_host_authenticated) /* Can't use exim's string manipulation functions so allocate memory for libopendmarc using its max hostname length definition. */ - dmarc_domain = US calloc(DMARC_MAXHOSTNAMELEN, sizeof(uschar)); + dmarc_domain = store_get(DMARC_MAXHOSTNAMELEN, TRUE); libdm_status = opendmarc_policy_fetch_utilized_domain(dmarc_pctx, dmarc_domain, DMARC_MAXHOSTNAMELEN-1); - dmarc_used_domain = string_copy(dmarc_domain); - free(dmarc_domain); + store_release_above(dmarc_domain + Ustrlen(dmarc_domain)+1); + dmarc_used_domain = dmarc_domain; if (libdm_status != DMARC_PARSE_OKAY) log_write(0, LOG_MAIN|LOG_PANIC, @@ -614,6 +635,6 @@ return g; } # endif /* SUPPORT_SPF */ -#endif /* EXPERIMENTAL_DMARC */ +#endif /* SUPPORT_DMARC */ /* vi: aw ai sw=2 */