dnsbl: src/context.cpp comparison

comparison src/context.cpp @ 382:c378e9d03f37

start parsing spf txt records

author	Carl Byington <carl@five-ten-sg.com>
date	Mon, 06 Mar 2017 12:21:05 -0800
parents	879a470c6ac3
children	7b7066a51c33

comparison

equal deleted inserted replaced

-:879a470c6ac3
+:c378e9d03f37
 */
 #include "includes.h"
 #include <arpa/inet.h>
+#include <arpa/nameser.h>
 #include <net/if.h>
 #include <netdb.h>
 #include <netinet/in.h>
 #include <netinet/tcp.h>
 #include <sys/ioctl.h>
 p++;
 } while (true);
 }
-#ifdef NS_PACKETSZ
+bool CONTEXT::resolve_spf(const char *from, uint32_t ip, mlfiPriv *priv, int level)
-bool CONTEXT::resolve_spf(const char *from, int32_t ip, mlfiPriv *priv)
 {
 char buf[maxlen];
 dns_interface(*priv, from, ns_t_txt, false, NULL, buf, maxlen);
 if (*buf) {
-log(priv->queueid, "found txt record %s", buf);
+log(priv->queueid, "found txt record for %s", from);
+log(priv->queueid, "found txt record value %s", buf);
+char *p = buf;
+char *e = p + strlen(p);    // point to trailing null
+while (p = strstr(p, " ip4:")) {
+p += 5;
+char *b = strchr(p, ' ');
+if (b) *b = '\0';
+char *s = strchr(p, '/');
+if (s) *s = '\0';
+in_addr ipx;
+if (inet_aton(p, &ipx)) {
+if (s) {
+int mask = atoi(s+1);
+if ((mask >= 16) && (mask <= 32)) {
+int low = (1 << (32-mask)) - 1;
+ipx.s_addr &= low ^ 0xffffffff;
+if ((ip >= ipx.s_addr) && (ip <= ipx.s_addr + low)) {
+log(priv->queueid, "match %s", p);
+if (s) log(priv->queueid, "match /%s", s+1);
+return true;
+}
+}
+}
+}
+if (b) *b = ' ';
+if (s) *s = '/';
+p = (b) ? b+1 : e;
+}
+p = buf;
+while ((level < 5) && (p = strstr(p, " include:"))) {
+p += 9;
+char *b = strchr(p, ' ');
+if (b) *b = '\0';
+if (resolve_spf(p, ip, priv, level+1)) return true;
+if (b) *b = ' ';
+p = (b) ? b+1 : e;
+}
 }
 return false;
 }
-#endif
 const char *CONTEXT::acceptable_content(recorder &memory, int score, int bulk, const char *queueid, string_set &signers, const char *from, mlfiPriv *priv, string& msg) {
 DKIMP dk = find_dkim_from(from);
 }
 }
 if (dk) {
 const char *st = dk->action;
+if ((st == token_require_signed) &&
+dk->signer &&
+strcmp(dk->signer, " ") &&
+resolve_spf(from, priv->ip, priv)) {
+log(queueid, "spf pass for %s with required dkim signer", from);
+}
 for (string_set::iterator s=signers.begin(); s!=signers.end(); s++) {
 // signed by a white listed signer
 if ((st == token_signed_white)   && in_signing_set(*s,dk->signer)) {
 log(queueid, "whitelisted dkim signer %s", *s);
 return token_white;
 msg = string(buf);
 return token_black;
 }
 }
 if (st == token_require_signed) {
-#ifdef NS_PACKETSZ
+// not signed by a required signer, but maybe passes strong spf check
-// not signed by the required signers, but maybe passes strong spf check
+// only check spf if the list of required signers is not a single blank.
-if (resolve_spf(from, priv->ip, priv) {
+if (dk->signer && strcmp(dk->signer, " ") && resolve_spf(from, priv->ip, priv)) {
 log(queueid, "spf pass for %s rather than required dkim signer", from);
 return token_white;
 }
-#endif
 char buf[maxlen];
 snprintf(buf, sizeof(buf), "Mail rejected - not dkim signed by %s", dk->signer);
 msg = string(buf);
 return token_black;
 }

Mercurial > dnsbl

comparison src/context.cpp @ 382:c378e9d03f37