target->na = TRUE;
continue;
}
+ if (cur->flags & RSPAMD_SPF_FLAG_INVALID) {
+ /* Ignore invalid elements */
+ continue;
+ }
if ((cur->flags & (RSPAMD_SPF_FLAG_PARSED|RSPAMD_SPF_FLAG_RESOLVED)) !=
(RSPAMD_SPF_FLAG_RESOLVED|RSPAMD_SPF_FLAG_PARSED)) {
/* Ignore unparsed addrs */
addr->flags |= RSPAMD_SPF_FLAG_ANY|RSPAMD_SPF_FLAG_RESOLVED;
msg_debug_spf ("parsed all elt");
+ /* Disallow +all */
+ if (addr->mech == SPF_PASS) {
+ addr->flags |= RSPAMD_SPF_FLAG_INVALID;
+ msg_info_spf ("allow any SPF record for %s, ignore it",
+ rec->sender_domain);
+ }
+
return TRUE;
}
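Review bot: The `+all` branch only sets `RSPAMD_SPF_FLAG_INVALID` and still returns `TRUE` with `RSPAMD_SPF_FLAG_ANY|RSPAMD_SPF_FLAG_RESOLVED` set, so the rejection depends on every consumer of the element testing the new flag. The only consumer visible in this change is the loop that now skips invalid elements, so any other path that reads `addr->flags` should be checked for the same test. The code comment and log text could also say what is being ignored and why, for example `/* +all authorises every sender; mark the element invalid so it is dropped rather than evaluated as pass */` and a message such as `"SPF record for %s contains +all, ignoring that element"`. The enclosing function starts outside this hunk.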
gsize len;
gchar ipbuf[INET_ADDRSTRLEN + 1];
guint32 mask;
+ static const guint32 min_valid_mask = 8;
semicolon = strchr (addr->spf_string, ':');
if (mask > 32) {
return FALSE;
}
+
addr->m.dual.mask_v4 = mask;
+
+ if (mask < min_valid_mask) {
+ addr->flags |= RSPAMD_SPF_FLAG_INVALID;
+ msg_info_spf ("too wide SPF record for %s: %s/%d",
+ rec->sender_domain,
+ ipbuf, addr->m.dual.mask_v4);
+ }
}
else {
addr->m.dual.mask_v4 = 32;
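Review bot: The floor `min_valid_mask = 8` is declared as a function-local constant here and again, with the same value, in the IPv6 parser, where `if (mask < min_valid_mask)` applies it to a 128-bit prefix. A /8 floor is a reasonable width limit for IPv4, but for IPv6 it still accepts prefixes such as /8 through /31, which cover far more address space than a single sender would plausibly control, so the IPv6 check looks much weaker than intended. Consider two file-scope constants, e.g. `static const guint32 min_valid_mask_v4 = 8;` and a stricter `min_valid_mask_v6` whose value the maintainers choose, each with a comment explaining the limit. Both log calls also format a `guint32` with `%d`; an unsigned conversion would match the type. The enclosing functions start and end outside these hunks.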
gsize len;
gchar ipbuf[INET6_ADDRSTRLEN + 1];
guint32 mask;
+ static const guint32 min_valid_mask = 8;
semicolon = strchr (addr->spf_string, ':');
if (mask > 128) {
return FALSE;
}
+
addr->m.dual.mask_v6 = mask;
+
+ if (mask < min_valid_mask) {
+ addr->flags |= RSPAMD_SPF_FLAG_INVALID;
+ msg_info_spf ("too wide SPF record for %s: %s/%d",
+ rec->sender_domain,
+ ipbuf, addr->m.dual.mask_v6);
+ }
}
else {
addr->m.dual.mask_v6 = 128;
#define RSPAMD_SPF_FLAG_PROCESSED (1 << 2)
#define RSPAMD_SPF_FLAG_ANY (1 << 3)
#define RSPAMD_SPF_FLAG_PARSED (1 << 4)
-#define RSPAMD_SPF_FLAG_VALID (1 << 5)
+#define RSPAMD_SPF_FLAG_INVALID (1 << 5)
#define RSPAMD_SPF_FLAG_REFERENCE (1 << 6)
#define RSPAMD_SPF_FLAG_REDIRECT (1 << 7)
#define RSPAMD_SPF_FLAG_TEMPFAIL (1 << 8)
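Review bot: `RSPAMD_SPF_FLAG_INVALID` reuses bit `(1 << 5)`, which previously meant `RSPAMD_SPF_FLAG_VALID`, so the same bit now carries the opposite meaning and the define has no comment saying so. C code using the old name will fail to compile, but anything that tests the bit by value, such as bindings or stored flag words (none are visible here), would silently read it inverted and should be checked. A short comment on the define would make the contract explicit, e.g. `/* Element rejected by policy (+all or an overly wide mask); consumers must skip it */`.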