From ebd2a08ccc5c72c2302f5550983025958b434f5d Mon Sep 17 00:00:00 2001
From: Andrew Lewis
Date: Fri, 30 Sep 2016 12:36:25 +0200
Subject: [PATCH] [Minor] SPF: Make (almost) all unresolveable records PERMFAIL
---
 src/libserver/spf.c | 34 ++++++++++++++++-----------
 src/plugins/spf.c | 16 ++++++++++---
 test/functional/cases/115_dmarc.robot | 34 +++++++++++++++++++++------
 3 files changed, 60 insertions(+), 24 deletions(-)
diff --git a/src/libserver/spf.c b/src/libserver/spf.c
index 362c96255..fb3d39385 100644
--- a/src/libserver/spf.c
+++ b/src/libserver/spf.c
@@ -708,7 +708,11 @@ spf_record_dns_callback (struct rdns_reply *reply, gpointer arg)
 else if (reply->code == RDNS_RC_NXDOMAIN || reply->code == RDNS_RC_NOREC) {
 switch (cb->cur_action) {
 case SPF_RESOLVE_MX:
- if (rdns_request_has_type (reply->request, RDNS_REQUEST_MX)) {
+ if (!rdns_request_has_type (reply->request, RDNS_REQUEST_MX)
+ && !rdns_request_has_type (reply->request, RDNS_REQUEST_A)
+ && !rdns_request_has_type (reply->request, RDNS_REQUEST_AAAA)) {
+ cb->addr->flags &= ~RSPAMD_SPF_FLAG_PARSED;
+ cb->addr->flags |= RSPAMD_SPF_FLAG_PERMFAIL;
 msg_debug_spf (
 "<%s>: spf error for domain %s: cannot find MX record for %s",
 task->message_id,
@@ -716,7 +720,10 @@ spf_record_dns_callback (struct rdns_reply *reply, gpointer arg)
 cb->resolved->cur_domain);
 spf_record_addr_set (addr, FALSE);
 }
- else {
+ else if (!rdns_request_has_type (reply->request, RDNS_REQUEST_A)
+ && !rdns_request_has_type (reply->request, RDNS_REQUEST_AAAA)) {
+ cb->addr->flags &= ~RSPAMD_SPF_FLAG_PARSED;
+ cb->addr->flags |= RSPAMD_SPF_FLAG_PERMFAIL;
 msg_debug_spf (
 "<%s>: spf error for domain %s: cannot resolve MX record for %s",
 task->message_id,
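Review bot: In the SPF_RESOLVE_MX case the first condition now holds only for a request that is neither MX nor A nor AAAA, which under this action probably never occurs, so the "cannot find MX record" branch and its `spf_record_addr_set (addr, FALSE)` call look unreachable. An NXDOMAIN/NOREC reply to the MX query itself falls through to the `else if` added in the next hunk (-716), whose log text says "cannot resolve MX record" and whose body ends outside the hunk, so it is not visible whether the address is still set there. If the intent is PERMFAIL for a failed MX query and no flag for a failed A/AAAA lookup of an MX target, the first test could stay `if (rdns_request_has_type (reply->request, RDNS_REQUEST_MX)) {` and the second branch could remain a plain `else {` without the flag updates. This reading assumes one query type per request; confirm against how the MX lookups are issued.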
@@ -726,25 +733,32 @@ spf_record_dns_callback (struct rdns_reply *reply, gpointer arg)
 }
 break;
 case SPF_RESOLVE_A:
+ cb->addr->flags &= ~RSPAMD_SPF_FLAG_PARSED;
+ cb->addr->flags |= RSPAMD_SPF_FLAG_PERMFAIL;
 if (rdns_request_has_type (reply->request, RDNS_REQUEST_A)) {
 spf_record_addr_set (addr, FALSE);
 }
 break;
 case SPF_RESOLVE_AAA:
+ cb->addr->flags &= ~RSPAMD_SPF_FLAG_PARSED;
+ cb->addr->flags |= RSPAMD_SPF_FLAG_PERMFAIL;
 if (rdns_request_has_type (reply->request, RDNS_REQUEST_AAAA)) {
 spf_record_addr_set (addr, FALSE);
 }
 break;
 case SPF_RESOLVE_PTR:
+ cb->addr->flags &= ~RSPAMD_SPF_FLAG_PARSED;
+ cb->addr->flags |= RSPAMD_SPF_FLAG_PERMFAIL;
 spf_record_addr_set (addr, FALSE);
 break;
 case SPF_RESOLVE_REDIRECT:
+ cb->addr->flags &= ~RSPAMD_SPF_FLAG_PARSED;
+ cb->addr->flags |= RSPAMD_SPF_FLAG_PERMFAIL;
 msg_debug_spf (
 "<%s>: spf error for domain %s: cannot resolve TXT record for %s",
 task->message_id,
 cb->rec->sender_domain,
 cb->resolved->cur_domain);
- cb->addr->flags |= RSPAMD_SPF_FLAG_PERMFAIL;
 break;
 case SPF_RESOLVE_INCLUDE:
 msg_debug_spf (
@@ -752,8 +766,8 @@ spf_record_dns_callback (struct rdns_reply *reply, gpointer arg)
 task->message_id,
 cb->rec->sender_domain,
 cb->resolved->cur_domain);
+ cb->addr->flags |= RSPAMD_SPF_FLAG_PERMFAIL;
 cb->addr->flags &= ~RSPAMD_SPF_FLAG_PARSED;
- cb->addr->flags |= RSPAMD_SPF_FLAG_TEMPFAIL;
 break;
 case SPF_RESOLVE_EXP:
 break;
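Review bot: In the SPF_RESOLVE_A and SPF_RESOLVE_AAA cases the two flag updates sit before the existing `rdns_request_has_type` guard, so they run for whatever request type reaches the case, not only for the matching address family. If that guard exists because a reply of the other family can arrive under the same action, a name that has only A or only AAAA records would be marked PERMFAIL by its NOREC answer, and a correctly published record would stop evaluating normally. Moving `cb->addr->flags &= ~RSPAMD_SPF_FLAG_PARSED;` and `cb->addr->flags |= RSPAMD_SPF_FLAG_PERMFAIL;` inside the `if`, next to `spf_record_addr_set (addr, FALSE);`, would keep the flag tied to the query type, as the MX case in this commit already tries to do. The switch starts before and continues after this hunk.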
@@ -762,16 +776,8 @@ spf_record_dns_callback (struct rdns_reply *reply, gpointer arg) break; } } - else if ((cb->cur_action == SPF_RESOLVE_INCLUDE || - cb->cur_action == SPF_RESOLVE_REDIRECT) || - reply->code == RDNS_RC_TIMEOUT) { - if ((cb->cur_action == SPF_RESOLVE_INCLUDE || cb->cur_action == SPF_RESOLVE_REDIRECT) && - (reply->code == RDNS_RC_NOREC && reply->code == RDNS_RC_NXDOMAIN)) { - cb->addr->flags |= RSPAMD_SPF_FLAG_PERMFAIL; - } - else { - cb->addr->flags |= RSPAMD_SPF_FLAG_TEMPFAIL; - } + else { + cb->addr->flags |= RSPAMD_SPF_FLAG_TEMPFAIL; msg_info_spf ( "<%s>: spf error for domain %s: cannot resolve %s DNS record for" " %s: %s", diff --git a/src/plugins/spf.c b/src/plugins/spf.c index 99d09fd01..aa09eecac 100644 --- a/src/plugins/spf.c +++ b/src/plugins/spf.c @@ -397,7 +397,12 @@ spf_check_element (struct spf_resolved *rec, struct spf_addr *addr, spf_result[0] = '-'; spf_message = "(SPF): spf fail"; if (addr->flags & RSPAMD_SPF_FLAG_ANY) { - if (rec->temp_failed) { + if (rec->perm_failed) { + msg_info_task ("do not apply SPF failed policy, as we have " + "some addresses unresolved"); + spf_symbol = spf_module_ctx->symbol_permfail; + } + else if (rec->temp_failed) { msg_info_task ("do not apply SPF failed policy, as we have " "some addresses unresolved"); spf_symbol = spf_module_ctx->symbol_dnsfail; @@ -411,7 +416,12 @@ spf_check_element (struct spf_resolved *rec, struct spf_addr *addr, spf_result[0] = '~'; if (addr->flags & RSPAMD_SPF_FLAG_ANY) { - if (rec->temp_failed) { + if (rec->perm_failed) { + msg_info_task ("do not apply SPF failed policy, as we have " + "some addresses unresolved"); + spf_symbol = spf_module_ctx->symbol_permfail; + } + else if (rec->temp_failed) { msg_info_task ("do not apply SPF failed policy, as we have " "some addresses unresolved"); spf_symbol = spf_module_ctx->symbol_dnsfail; 
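Review bot: The catch-all `else` that replaces the old INCLUDE/REDIRECT/timeout test sets TEMPFAIL for every remaining reply code and every action, but unlike the PERMFAIL paths added in this commit it leaves RSPAMD_SPF_FLAG_PARSED set. Whether an element that is both parsed and temp-failed can still take part in matching is not visible from this hunk, so the intent should be written down, for example `/* any other rcode (timeout, servfail, ...) is transient: TEMPFAIL, PARSED left as is */`. The `msg_info_spf` call that follows continues outside the hunk.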
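Review bot: In both the `-all` path of spf_check_element (hunk -397) and the `~all` path (hunk -411), `rec->perm_failed` now replaces the fail or softfail symbol with `symbol_permfail`, so a sender domain whose record contains one permanently unresolvable element no longer yields a hard fail for unauthorised hosts; the new functional tests suggest an NXDOMAIN on a single `a` or `mx` name is enough. RFC 7208 section 5 treats a name error in those mechanisms as a non-match rather than a permerror, so this is a deliberate policy choice that deserves a comment such as `/* a permanent DNS error on any element overrides -all; R_SPF_PERMFAIL must be weighted accordingly */`. The permfail branch also logs the same text as the temp_failed branch; a distinct message, e.g. `"do not apply SPF failed policy, as some elements are permanently unresolvable"`, would let operators tell the two apart in logs. The function starts and ends outside both hunks.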
@@ -478,7 +488,7 @@ spf_plugin_callback (struct spf_resolved *record, struct rspamd_task *task, 1, NULL); } - else if (record && record->perm_failed) { + else if (record && record->elts->len == 0 && record->perm_failed) { rspamd_task_insert_result (task, spf_module_ctx->symbol_permfail, 1, diff --git a/test/functional/cases/115_dmarc.robot b/test/functional/cases/115_dmarc.robot index 583786e64..4dda829e5 100644 --- a/test/functional/cases/115_dmarc.robot +++ b/test/functional/cases/115_dmarc.robot @@ -77,10 +77,10 @@ DKIM PERMFAIL BAD RECORD ... -i 37.48.67.26 Check Rspamc ${result} R_DKIM_PERMFAIL -SPF DNSFAIL UNRESOLVEABLE INCLUDE +SPF PERMFAIL UNRESOLVEABLE INCLUDE ${result} = Scan Message With Rspamc ${TESTDIR}/messages/dmarc/bad_dkim1.eml - ... -i 37.48.67.26 -F x@openarena.za.net - Check Rspamc ${result} R_SPF_DNSFAIL + ... -i 37.48.67.26 -F x@fail3.org.org.za + Check Rspamc ${result} R_SPF_PERMFAIL SPF DNSFAIL FAILED INCLUDE ${result} = Scan Message With Rspamc ${TESTDIR}/messages/dmarc/bad_dkim1.eml @@ -89,7 +89,7 @@ SPF DNSFAIL FAILED INCLUDE SPF ALLOW UNRESOLVEABLE INCLUDE ${result} = Scan Message With Rspamc ${TESTDIR}/messages/dmarc/bad_dkim1.eml - ... -i 8.8.8.8 -F x@openarena.za.net + ... -i 8.8.8.8 -F x@fail3.org.org.za Check Rspamc ${result} R_SPF_ALLOW SPF ALLOW FAILED INCLUDE @@ -114,7 +114,7 @@ SPF NA NXDOMAIN SPF PERMFAIL UNRESOLVEABLE REDIRECT ${result} = Scan Message With Rspamc ${TESTDIR}/messages/dmarc/bad_dkim1.eml - ... -i 8.8.8.8 -F x@cacophony.za.org + ... -i 8.8.8.8 -F x@fail4.org.org.za Check Rspamc ${result} R_SPF_PERMFAIL SPF DNSFAIL FAILED REDIRECT @@ -122,9 +122,9 @@ SPF DNSFAIL FAILED REDIRECT ... -i 8.8.8.8 -F x@fail1.org.org.za Check Rspamc ${result} R_SPF_DNSFAIL -SPF PERMFAIL +SPF PERMFAIL NO USEABLE ELEMENTS ${result} = Scan Message With Rspamc ${TESTDIR}/messages/dmarc/bad_dkim1.eml - ... -i 8.8.8.8 -F x@xzghgh.za.org + ... -i 8.8.8.8 -F x@fail5.org.org.za Check Rspamc ${result} R_SPF_PERMFAIL SPF FAIL 
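Review bot: The added `record->elts->len == 0` test in spf_plugin_callback means a perm-failed record that still has elements no longer gets `symbol_permfail` from this branch, and in the visible hunks spf_check_element only assigns that symbol under `RSPAMD_SPF_FLAG_ANY` for the fail and softfail results. A record with an unresolvable element and no terminating `-all`/`~all` may therefore end up with no PERMFAIL symbol at all; the rest of both functions is outside the hunks, so this should be confirmed. A comment on the condition would make the split explicit, e.g. `/* elements present: PERMFAIL is reported from spf_check_element when "all" is reached */`. The expression also dereferences `record->elts` with only `record` checked, which is fine only if the array is always allocated.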
@@ -132,6 +132,26 @@ SPF FAIL ... -i 8.8.8.8 -F x@example.net Check Rspamc ${result} R_SPF_FAIL +SPF PERMFAIL UNRESOLVEABLE MX + ${result} = Scan Message With Rspamc ${TESTDIR}/messages/dmarc/bad_dkim1.eml + ... -i 1.2.3.4 -F x@fail6.org.org.za + Check Rspamc ${result} R_SPF_PERMFAIL + +SPF PERMFAIL UNRESOLVEABLE A + ${result} = Scan Message With Rspamc ${TESTDIR}/messages/dmarc/bad_dkim1.eml + ... -i 1.2.3.4 -F x@fail7.org.org.za + Check Rspamc ${result} R_SPF_PERMFAIL + +SPF DNSFAIL FAILED A + ${result} = Scan Message With Rspamc ${TESTDIR}/messages/dmarc/bad_dkim1.eml + ... -i 1.2.3.4 -F x@fail8.org.org.za + Check Rspamc ${result} R_SPF_DNSFAIL + +SPF DNSFAIL FAILED MX + ${result} = Scan Message With Rspamc ${TESTDIR}/messages/dmarc/bad_dkim1.eml + ... -i 1.2.3.4 -F x@fail9.org.org.za + Check Rspamc ${result} R_SPF_DNSFAIL + *** Keywords *** DMARC Setup ${PLUGIN_CONFIG} = Get File ${TESTDIR}/configs/dmarc.conf -- 2.39.5
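Review bot: The four added cases cover the MX and A actions only, while the spf.c part of this commit also changes SPF_RESOLVE_AAA and SPF_RESOLVE_PTR to PERMFAIL. There is also no case for a name that has an A record but no AAAA record (or the reverse), which is the input that would show whether a NOREC answer for the other address family wrongly produces R_SPF_PERMFAIL. Adding cases in the same four-line shape, for an unresolvable `ptr` target and for an A-only host expected to give R_SPF_ALLOW from its own address, would pin both behaviours. These tests appear to depend on externally hosted zones (fail6 to fail9 under org.org.za), so a note on who maintains them would help when a case starts failing.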