mirrors
/
rspamd
mirror of https://github.com/vstakhov/rspamd.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 159 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
15574 Commits
28 Branches
Tree: 69f50374bb
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '69f50374bb'
${ noResults }
rspamd/src/plugins/spf.c

spf.c 17KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686 
  1. /*-

  2.  * Copyright 2016 Vsevolod Stakhov

  3.  *

  4.  * Licensed under the Apache License, Version 2.0 (the "License");

  5.  * you may not use this file except in compliance with the License.

  6.  * You may obtain a copy of the License at

  7.  *

  8.  *   http://www.apache.org/licenses/LICENSE-2.0

  9.  *

  10.  * Unless required by applicable law or agreed to in writing, software

  11.  * distributed under the License is distributed on an "AS IS" BASIS,

  12.  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

  13.  * See the License for the specific language governing permissions and

  14.  * limitations under the License.

  15.  */

  16. /***MODULE:spf

  17.  * rspamd module that checks spf records of incoming email

  18.  *

  19.  * Allowed options:

  20.  * - symbol_allow (string): symbol to insert (default: 'R_SPF_ALLOW')

  21.  * - symbol_fail (string): symbol to insert (default: 'R_SPF_FAIL')

  22.  * - symbol_softfail (string): symbol to insert (default: 'R_SPF_SOFTFAIL')

  23.  * - symbol_na (string): symbol to insert (default: 'R_SPF_NA')

  24.  * - symbol_dnsfail (string): symbol to insert (default: 'R_SPF_DNSFAIL')

  25.  * - symbol_permfail (string): symbol to insert (default: 'R_SPF_PERMFAIL')

  26.  * - whitelist (map): map of whitelisted networks

  27.  */

  28. 

  29. 

  30. #include "config.h"

  31. #include "libmime/message.h"

  32. #include "libserver/spf.h"

  33. #include "libutil/hash.h"

  34. #include "libutil/map.h"

  35. #include "libutil/map_helpers.h"

  36. #include "rspamd.h"

  37. #include "libserver/mempool_vars_internal.h"

  38. 

  39. #define DEFAULT_SYMBOL_FAIL "R_SPF_FAIL"

  40. #define DEFAULT_SYMBOL_SOFTFAIL "R_SPF_SOFTFAIL"

  41. #define DEFAULT_SYMBOL_NEUTRAL "R_SPF_NEUTRAL"

  42. #define DEFAULT_SYMBOL_ALLOW "R_SPF_ALLOW"

  43. #define DEFAULT_SYMBOL_DNSFAIL "R_SPF_DNSFAIL"

  44. #define DEFAULT_SYMBOL_PERMFAIL "R_SPF_PERMFAIL"

  45. #define DEFAULT_SYMBOL_NA "R_SPF_NA"

  46. #define DEFAULT_CACHE_SIZE 2048

  47. 

  48. static const gchar *M = "rspamd spf plugin";

  49. 

  50. struct spf_ctx {

  51. 	struct module_ctx ctx;

  52. 	const gchar *symbol_fail;

  53. 	const gchar *symbol_softfail;

  54. 	const gchar *symbol_neutral;

  55. 	const gchar *symbol_allow;

  56. 	const gchar *symbol_dnsfail;

  57. 	const gchar *symbol_na;

  58. 	const gchar *symbol_permfail;

  59. 

  60. 	struct rspamd_radix_map_helper *whitelist_ip;

  61. 	rspamd_lru_hash_t *spf_hash;

  62. 

  63. 	gboolean check_local;

  64. 	gboolean check_authed;

  65. };

  66. 

  67. static void spf_symbol_callback (struct rspamd_task *task,

  68. 								 struct rspamd_symcache_item *item,

  69. 								 void *unused);

  70. 

  71. /* Initialization */

  72. gint spf_module_init (struct rspamd_config *cfg, struct module_ctx **ctx);

  73. gint spf_module_config (struct rspamd_config *cfg);

  74. gint spf_module_reconfig (struct rspamd_config *cfg);

  75. 

  76. module_t spf_module = {

  77. 		"spf",

  78. 		spf_module_init,

  79. 		spf_module_config,

  80. 		spf_module_reconfig,

  81. 		NULL,

  82. 		RSPAMD_MODULE_VER,

  83. 		(guint)-1,

  84. };

  85. 

  86. static inline struct spf_ctx *

  87. spf_get_context (struct rspamd_config *cfg)

  88. {

  89. 	return (struct spf_ctx *)g_ptr_array_index (cfg->c_modules,

  90. 			spf_module.ctx_offset);

  91. }

  92. 

  93. 

  94. gint

  95. spf_module_init (struct rspamd_config *cfg, struct module_ctx **ctx)

  96. {

  97. 	struct spf_ctx *spf_module_ctx;

  98. 

  99. 	spf_module_ctx = rspamd_mempool_alloc0 (cfg->cfg_pool,

  100. 			sizeof (*spf_module_ctx));

  101. 	*ctx = (struct module_ctx *)spf_module_ctx;

  102. 

  103. 	rspamd_rcl_add_doc_by_path (cfg,

  104. 			NULL,

  105. 			"SPF check plugin",

  106. 			"spf",

  107. 			UCL_OBJECT,

  108. 			NULL,

  109. 			0,

  110. 			NULL,

  111. 			0);

  112. 

  113. 	rspamd_rcl_add_doc_by_path (cfg,

  114. 			"spf",

  115. 			"Map of IP addresses that should be excluded from SPF checks (in addition to `local_networks`)",

  116. 			"whitelist",

  117. 			UCL_STRING,

  118. 			NULL,

  119. 			0,

  120. 			NULL,

  121. 			0);

  122. 	rspamd_rcl_add_doc_by_path (cfg,

  123. 			"spf",

  124. 			"Symbol that is added if SPF check is successful",

  125. 			"symbol_allow",

  126. 			UCL_STRING,

  127. 			NULL,

  128. 			0,

  129. 			NULL,

  130. 			0);

  131. 	rspamd_rcl_add_doc_by_path (cfg,

  132. 			"spf",

  133. 			"Symbol that is added if SPF policy is set to 'deny'",

  134. 			"symbol_fail",

  135. 			UCL_STRING,

  136. 			NULL,

  137. 			0,

  138. 			NULL,

  139. 			0);

  140. 	rspamd_rcl_add_doc_by_path (cfg,

  141. 			"spf",

  142. 			"Symbol that is added if SPF policy is set to 'undefined'",

  143. 			"symbol_softfail",

  144. 			UCL_STRING,

  145. 			NULL,

  146. 			0,

  147. 			NULL,

  148. 			0);

  149. 	rspamd_rcl_add_doc_by_path (cfg,

  150. 			"spf",

  151. 			"Symbol that is added if SPF policy is set to 'neutral'",

  152. 			"symbol_neutral",

  153. 			UCL_STRING,

  154. 			NULL,

  155. 			0,

  156. 			NULL,

  157. 			0);

  158. 	rspamd_rcl_add_doc_by_path (cfg,

  159. 			"spf",

  160. 			"Symbol that is added if SPF policy is failed due to DNS failure",

  161. 			"symbol_dnsfail",

  162. 			UCL_STRING,

  163. 			NULL,

  164. 			0,

  165. 			NULL,

  166. 			0);

  167. 	rspamd_rcl_add_doc_by_path (cfg,

  168. 			"spf",

  169. 			"Symbol that is added if no SPF policy is found",

  170. 			"symbol_na",

  171. 			UCL_STRING,

  172. 			NULL,

  173. 			0,

  174. 			NULL,

  175. 			0);

  176. 	rspamd_rcl_add_doc_by_path (cfg,

  177. 			"spf",

  178. 			"Symbol that is added if SPF policy is invalid",

  179. 			"symbol_permfail",

  180. 			UCL_STRING,

  181. 			NULL,

  182. 			0,

  183. 			NULL,

  184. 			0);

  185. 	rspamd_rcl_add_doc_by_path (cfg,

  186. 			"spf",

  187. 			"Size of SPF parsed records cache",

  188. 			"spf_cache_size",

  189. 			UCL_INT,

  190. 			NULL,

  191. 			0,

  192. 			NULL,

  193. 			0);

  194. 

  195. 	return 0;

  196. }

  197. 

  198. 

  199. gint

  200. spf_module_config (struct rspamd_config *cfg)

  201. {

  202. 	const ucl_object_t *value;

  203. 	gint res = TRUE, cb_id;

  204. 	guint cache_size;

  205. 	struct spf_ctx *spf_module_ctx = spf_get_context (cfg);

  206. 

  207. 	if (!rspamd_config_is_module_enabled (cfg, "spf")) {

  208. 		return TRUE;

  209. 	}

  210. 

  211. 	spf_module_ctx->whitelist_ip = NULL;

  212. 

  213. 	value = rspamd_config_get_module_opt (cfg, "spf", "check_local");

  214. 

  215. 	if (value == NULL) {

  216. 		rspamd_config_get_module_opt (cfg, "options", "check_local");

  217. 	}

  218. 

  219. 	if (value != NULL) {

  220. 		spf_module_ctx->check_local = ucl_obj_toboolean (value);

  221. 	}

  222. 	else {

  223. 		spf_module_ctx->check_local = FALSE;

  224. 	}

  225. 

  226. 	value = rspamd_config_get_module_opt (cfg, "spf", "check_authed");

  227. 

  228. 	if (value == NULL) {

  229. 		rspamd_config_get_module_opt (cfg, "options", "check_authed");

  230. 	}

  231. 

  232. 	if (value != NULL) {

  233. 		spf_module_ctx->check_authed = ucl_obj_toboolean (value);

  234. 	}

  235. 	else {

  236. 		spf_module_ctx->check_authed = FALSE;

  237. 	}

  238. 	if ((value =

  239. 		rspamd_config_get_module_opt (cfg, "spf", "symbol_fail")) != NULL) {

  240. 		spf_module_ctx->symbol_fail = ucl_obj_tostring (value);

  241. 	}

  242. 	else {

  243. 		spf_module_ctx->symbol_fail = DEFAULT_SYMBOL_FAIL;

  244. 	}

  245. 	if ((value =

  246. 		rspamd_config_get_module_opt (cfg, "spf", "symbol_softfail")) != NULL) {

  247. 		spf_module_ctx->symbol_softfail = ucl_obj_tostring (value);

  248. 	}

  249. 	else {

  250. 		spf_module_ctx->symbol_softfail = DEFAULT_SYMBOL_SOFTFAIL;

  251. 	}

  252. 	if ((value =

  253. 			rspamd_config_get_module_opt (cfg, "spf", "symbol_neutral")) != NULL) {

  254. 		spf_module_ctx->symbol_neutral = ucl_obj_tostring (value);

  255. 	}

  256. 	else {

  257. 		spf_module_ctx->symbol_neutral = DEFAULT_SYMBOL_NEUTRAL;

  258. 	}

  259. 	if ((value =

  260. 		rspamd_config_get_module_opt (cfg, "spf", "symbol_allow")) != NULL) {

  261. 		spf_module_ctx->symbol_allow = ucl_obj_tostring (value);

  262. 	}

  263. 	else {

  264. 		spf_module_ctx->symbol_allow = DEFAULT_SYMBOL_ALLOW;

  265. 	}

  266. 	if ((value =

  267. 		rspamd_config_get_module_opt (cfg, "spf", "symbol_dnsfail")) != NULL) {

  268. 		spf_module_ctx->symbol_dnsfail = ucl_obj_tostring (value);

  269. 	}

  270. 	else {

  271. 		spf_module_ctx->symbol_dnsfail = DEFAULT_SYMBOL_DNSFAIL;

  272. 	}

  273. 	if ((value =

  274. 		rspamd_config_get_module_opt (cfg, "spf", "symbol_na")) != NULL) {

  275. 		spf_module_ctx->symbol_na = ucl_obj_tostring (value);

  276. 	}

  277. 	else {

  278. 		spf_module_ctx->symbol_na = DEFAULT_SYMBOL_NA;

  279. 	}

  280. 	if ((value =

  281. 		rspamd_config_get_module_opt (cfg, "spf", "symbol_permfail")) != NULL) {

  282. 		spf_module_ctx->symbol_permfail = ucl_obj_tostring (value);

  283. 	}

  284. 	else {

  285. 		spf_module_ctx->symbol_permfail = DEFAULT_SYMBOL_PERMFAIL;

  286. 	}

  287. 	if ((value =

  288. 		rspamd_config_get_module_opt (cfg, "spf", "spf_cache_size")) != NULL) {

  289. 		cache_size = ucl_obj_toint (value);

  290. 	}

  291. 	else {

  292. 		cache_size = DEFAULT_CACHE_SIZE;

  293. 	}

  294. 

  295. 	if ((value =

  296. 		rspamd_config_get_module_opt (cfg, "spf", "whitelist")) != NULL) {

  297. 

  298. 		rspamd_config_radix_from_ucl (cfg, value, "SPF whitelist",

  299. 				&spf_module_ctx->whitelist_ip, NULL);

  300. 	}

  301. 

  302. 	cb_id = rspamd_symcache_add_symbol (cfg->cache,

  303. 			"SPF_CHECK",

  304. 			0,

  305. 			spf_symbol_callback,

  306. 			NULL,

  307. 			SYMBOL_TYPE_CALLBACK | SYMBOL_TYPE_FINE | SYMBOL_TYPE_EMPTY, -1);

  308. 	rspamd_config_add_symbol (cfg,

  309. 			"SPF_CHECK",

  310. 			0.0,

  311. 			"SPF check callback",

  312. 			"policies",

  313. 			RSPAMD_SYMBOL_FLAG_IGNORE,

  314. 			1,

  315. 			1);

  316. 	rspamd_config_add_symbol_group (cfg, "SPF_CHECK", "spf");

  317. 

  318. 	rspamd_symcache_add_symbol (cfg->cache,

  319. 			spf_module_ctx->symbol_fail, 0,

  320. 			NULL, NULL,

  321. 			SYMBOL_TYPE_VIRTUAL,

  322. 			cb_id);

  323. 	rspamd_symcache_add_symbol (cfg->cache,

  324. 			spf_module_ctx->symbol_softfail, 0,

  325. 			NULL, NULL,

  326. 			SYMBOL_TYPE_VIRTUAL,

  327. 			cb_id);

  328. 	rspamd_symcache_add_symbol (cfg->cache,

  329. 			spf_module_ctx->symbol_permfail, 0,

  330. 			NULL, NULL,

  331. 			SYMBOL_TYPE_VIRTUAL,

  332. 			cb_id);

  333. 	rspamd_symcache_add_symbol (cfg->cache,

  334. 			spf_module_ctx->symbol_na, 0,

  335. 			NULL, NULL,

  336. 			SYMBOL_TYPE_VIRTUAL,

  337. 			cb_id);

  338. 	rspamd_symcache_add_symbol (cfg->cache,

  339. 			spf_module_ctx->symbol_neutral, 0,

  340. 			NULL, NULL,

  341. 			SYMBOL_TYPE_VIRTUAL,

  342. 			cb_id);

  343. 	rspamd_symcache_add_symbol (cfg->cache,

  344. 			spf_module_ctx->symbol_allow, 0,

  345. 			NULL, NULL,

  346. 			SYMBOL_TYPE_VIRTUAL,

  347. 			cb_id);

  348. 	rspamd_symcache_add_symbol (cfg->cache,

  349. 			spf_module_ctx->symbol_dnsfail, 0,

  350. 			NULL, NULL,

  351. 			SYMBOL_TYPE_VIRTUAL,

  352. 			cb_id);

  353. 

  354. 	if (cache_size > 0) {

  355. 		spf_module_ctx->spf_hash = rspamd_lru_hash_new (

  356. 				cache_size,

  357. 				NULL,

  358. 				(GDestroyNotify) spf_record_unref);

  359. 		rspamd_mempool_add_destructor (cfg->cfg_pool,

  360. 				(rspamd_mempool_destruct_t)rspamd_lru_hash_destroy,

  361. 				spf_module_ctx->spf_hash);

  362. 	}

  363. 

  364. 	rspamd_mempool_add_destructor (cfg->cfg_pool,

  365. 			(rspamd_mempool_destruct_t)rspamd_map_helper_destroy_radix,

  366. 			spf_module_ctx->whitelist_ip);

  367. 

  368. 	msg_info_config ("init internal spf module");

  369. 

  370. 	return res;

  371. }

  372. 

  373. gint

  374. spf_module_reconfig (struct rspamd_config *cfg)

  375. {

  376. 	return spf_module_config (cfg);

  377. }

  378. 

  379. static gboolean

  380. spf_check_element (struct spf_resolved *rec, struct spf_addr *addr,

  381. 		struct rspamd_task *task, gboolean cached)

  382. {

  383. 	gboolean res = FALSE;

  384. 	const guint8 *s, *d;

  385. 	gchar *spf_result;

  386. 	guint af, mask, bmask, addrlen;

  387. 	const gchar *spf_message, *spf_symbol;

  388. 	struct spf_ctx *spf_module_ctx = spf_get_context (task->cfg);

  389. 

  390. 	if (task->from_addr == NULL) {

  391. 		return FALSE;

  392. 	}

  393. 

  394. 	if (addr->flags & RSPAMD_SPF_FLAG_TEMPFAIL) {

  395. 		/* Ignore failed addresses */

  396. 		return FALSE;

  397. 	}

  398. 

  399. 	af = rspamd_inet_address_get_af (task->from_addr);

  400. 	/* Basic comparing algorithm */

  401. 	if (((addr->flags & RSPAMD_SPF_FLAG_IPV6) && af == AF_INET6) ||

  402. 		((addr->flags & RSPAMD_SPF_FLAG_IPV4) && af == AF_INET)) {

  403. 		d = rspamd_inet_address_get_hash_key (task->from_addr, &addrlen);

  404. 

  405. 		if (af == AF_INET6) {

  406. 			s = (const guint8 *)addr->addr6;

  407. 			mask = addr->m.dual.mask_v6;

  408. 		}

  409. 		else {

  410. 			s = (const guint8 *)addr->addr4;

  411. 			mask = addr->m.dual.mask_v4;

  412. 		}

  413. 

  414. 		/* Compare the first bytes */

  415. 		bmask = mask / CHAR_BIT;

  416. 		if (mask > addrlen * CHAR_BIT) {

  417. 			msg_info_task ("bad mask length: %d", mask);

  418. 		}

  419. 		else if (memcmp (s, d, bmask) == 0) {

  420. 			if (bmask * CHAR_BIT < mask) {

  421. 				/* Compare the remaining bits */

  422. 				s += bmask;

  423. 				d += bmask;

  424. 				mask = (0xff << (CHAR_BIT - (mask - bmask * 8))) & 0xff;

  425. 

  426. 				if ((*s & mask) == (*d & mask)) {

  427. 					res = TRUE;

  428. 				}

  429. 			}

  430. 			else {

  431. 				res = TRUE;

  432. 			}

  433. 		}

  434. 	}

  435. 	else {

  436. 		if (addr->flags & RSPAMD_SPF_FLAG_ANY) {

  437. 			res = TRUE;

  438. 		}

  439. 		else {

  440. 			res = FALSE;

  441. 		}

  442. 	}

  443. 

  444. 	if (res) {

  445. 		spf_result = rspamd_mempool_alloc (task->task_pool,

  446. 				strlen (addr->spf_string) + 5);

  447. 

  448. 		switch (addr->mech) {

  449. 		case SPF_FAIL:

  450. 			spf_symbol = spf_module_ctx->symbol_fail;

  451. 			spf_result[0] = '-';

  452. 			spf_message = "(SPF): spf fail";

  453. 			if (addr->flags & RSPAMD_SPF_FLAG_ANY) {

  454. 				if (rec->perm_failed) {

  455. 					msg_info_task ("do not apply SPF failed policy, as we have "

  456. 							"some addresses unresolved");

  457. 					spf_symbol = spf_module_ctx->symbol_permfail;

  458. 				}

  459. 				else if (rec->temp_failed) {

  460. 					msg_info_task ("do not apply SPF failed policy, as we have "

  461. 							"some addresses unresolved");

  462. 					spf_symbol = spf_module_ctx->symbol_dnsfail;

  463. 					spf_message = "(SPF): spf DNS fail";

  464. 				}

  465. 			}

  466. 			break;

  467. 		case SPF_SOFT_FAIL:

  468. 			spf_symbol = spf_module_ctx->symbol_softfail;

  469. 			spf_message = "(SPF): spf softfail";

  470. 			spf_result[0] = '~';

  471. 

  472. 			if (addr->flags & RSPAMD_SPF_FLAG_ANY) {

  473. 				if (rec->perm_failed) {

  474. 					msg_info_task ("do not apply SPF failed policy, as we have "

  475. 							"some addresses unresolved");

  476. 					spf_symbol = spf_module_ctx->symbol_permfail;

  477. 				}

  478. 				else if (rec->temp_failed) {

  479. 					msg_info_task ("do not apply SPF failed policy, as we have "

  480. 							"some addresses unresolved");

  481. 					spf_symbol = spf_module_ctx->symbol_dnsfail;

  482. 					spf_message = "(SPF): spf DNS fail";

  483. 				}

  484. 			}

  485. 			break;

  486. 		case SPF_NEUTRAL:

  487. 			spf_symbol = spf_module_ctx->symbol_neutral;

  488. 			spf_message = "(SPF): spf neutral";

  489. 			spf_result[0] = '?';

  490. 			break;

  491. 		default:

  492. 			spf_symbol = spf_module_ctx->symbol_allow;

  493. 			spf_message = "(SPF): spf allow";

  494. 			spf_result[0] = '+';

  495. 			break;

  496. 		}

  497. 

  498. 		gint r = rspamd_strlcpy (spf_result + 1, addr->spf_string,

  499. 				strlen (addr->spf_string) + 1);

  500. 

  501. 		if (cached) {

  502. 			rspamd_strlcpy (spf_result + r + 1, ":c", 3);

  503. 		}

  504. 

  505. 		rspamd_task_insert_result (task,

  506. 				spf_symbol,

  507. 				1,

  508. 				spf_result);

  509. 		ucl_object_insert_key (task->messages,

  510. 				ucl_object_fromstring (spf_message), "spf", 0,

  511. 				false);

  512. 

  513. 		return TRUE;

  514. 	}

  515. 

  516. 	return FALSE;

  517. }

  518. 

  519. static void

  520. spf_check_list (struct spf_resolved *rec, struct rspamd_task *task, gboolean cached)

  521. {

  522. 	guint i;

  523. 	struct spf_addr *addr;

  524. 	struct spf_ctx *spf_module_ctx = spf_get_context (task->cfg);

  525. 

  526. 	if (cached) {

  527. 		msg_info_task ("use cached record for %s (0x%xuL) in LRU cache for %d seconds, "

  528. 					   "%d/%d elements in the cache",

  529. 				rec->domain,

  530. 				rec->digest,

  531. 				rec->ttl,

  532. 				rspamd_lru_hash_size (spf_module_ctx->spf_hash),

  533. 				rspamd_lru_hash_capacity (spf_module_ctx->spf_hash));

  534. 	}

  535. 

  536. 	for (i = 0; i < rec->elts->len; i ++) {

  537. 		addr = &g_array_index (rec->elts, struct spf_addr, i);

  538. 		if (spf_check_element (rec, addr, task, cached)) {

  539. 			break;

  540. 		}

  541. 	}

  542. }

  543. 

  544. static void

  545. spf_plugin_callback (struct spf_resolved *record, struct rspamd_task *task,

  546. 		gpointer ud)

  547. {

  548. 	struct spf_resolved *l = NULL;

  549. 	struct rspamd_symcache_item *item = (struct rspamd_symcache_item *)ud;

  550. 	struct spf_ctx *spf_module_ctx = spf_get_context (task->cfg);

  551. 

  552. 	if (record && record->na) {

  553. 		rspamd_task_insert_result (task,

  554. 				spf_module_ctx->symbol_na,

  555. 				1,

  556. 				NULL);

  557. 	}

  558. 	else if (record && record->elts->len == 0 && record->temp_failed) {

  559. 		rspamd_task_insert_result (task,

  560. 				spf_module_ctx->symbol_dnsfail,

  561. 				1,

  562. 				NULL);

  563. 	}

  564. 	else if (record && record->elts->len == 0 && record->perm_failed) {

  565. 		rspamd_task_insert_result (task,

  566. 				spf_module_ctx->symbol_permfail,

  567. 				1,

  568. 				NULL);

  569. 	}

  570. 	else if (record && record->elts->len == 0) {

  571. 		rspamd_task_insert_result (task,

  572. 				spf_module_ctx->symbol_permfail,

  573. 				1,

  574. 				NULL);

  575. 	}

  576. 	else if (record && record->domain) {

  577. 

  578. 		spf_record_ref (record);

  579. 

  580. 		if (!spf_module_ctx->spf_hash ||

  581. 			(l = rspamd_lru_hash_lookup (spf_module_ctx->spf_hash,

  582. 					record->domain, task->task_timestamp)) == NULL) {

  583. 			l = record;

  584. 

  585. 			if (record->ttl > 0 &&

  586. 					!record->temp_failed &&

  587. 					!record->perm_failed &&

  588. 					!record->na) {

  589. 

  590. 				if (spf_module_ctx->spf_hash) {

  591. 					rspamd_lru_hash_insert (spf_module_ctx->spf_hash,

  592. 							record->domain, spf_record_ref (l),

  593. 							task->task_timestamp, record->ttl);

  594. 

  595. 					msg_info_task ("stored record for %s (0x%xuL) in LRU cache for %d seconds, "

  596. 								   "%d/%d elements in the cache",

  597. 							record->domain,

  598. 							record->digest,

  599. 							record->ttl,

  600. 							rspamd_lru_hash_size (spf_module_ctx->spf_hash),

  601. 							rspamd_lru_hash_capacity (spf_module_ctx->spf_hash));

  602. 				}

  603. 			}

  604. 

  605. 		}

  606. 

  607. 		spf_record_ref (l);

  608. 		spf_check_list (l, task, FALSE);

  609. 		spf_record_unref (l);

  610. 

  611. 		spf_record_unref (record);

  612. 	}

  613. 

  614. 	rspamd_symcache_item_async_dec_check (task, item, M);

  615. }

  616. 

  617. 

  618. static void

  619. spf_symbol_callback (struct rspamd_task *task,

  620. 					 struct rspamd_symcache_item *item,

  621. 					 void *unused)

  622. {

  623. 	const gchar *domain;

  624. 	struct spf_resolved *l;

  625. 	gint *dmarc_checks;

  626. 	struct spf_ctx *spf_module_ctx = spf_get_context (task->cfg);

  627. 

  628. 	/* Allow dmarc */

  629. 	dmarc_checks = rspamd_mempool_get_variable (task->task_pool,

  630. 			RSPAMD_MEMPOOL_DMARC_CHECKS);

  631. 

  632. 	if (dmarc_checks) {

  633. 		(*dmarc_checks) ++;

  634. 	}

  635. 	else {

  636. 		dmarc_checks = rspamd_mempool_alloc (task->task_pool,

  637. 				sizeof (*dmarc_checks));

  638. 		*dmarc_checks = 1;

  639. 		rspamd_mempool_set_variable (task->task_pool,

  640. 				RSPAMD_MEMPOOL_DMARC_CHECKS,

  641. 				dmarc_checks, NULL);

  642. 	}

  643. 

  644. 	if (rspamd_match_radix_map_addr (spf_module_ctx->whitelist_ip,

  645. 			task->from_addr) != NULL) {

  646. 		rspamd_symcache_finalize_item (task, item);

  647. 		return;

  648. 	}

  649. 

  650. 	if ((!spf_module_ctx->check_authed && task->user != NULL)

  651. 			|| (!spf_module_ctx->check_local &&

  652. 					rspamd_inet_address_is_local (task->from_addr, TRUE))) {

  653. 		msg_info_task ("skip SPF checks for local networks and authorized users");

  654. 		rspamd_symcache_finalize_item (task, item);

  655. 

  656. 		return;

  657. 	}

  658. 

  659. 	domain = rspamd_spf_get_domain (task);

  660. 	rspamd_symcache_item_async_inc (task, item, M);

  661. 

  662. 	if (domain) {

  663. 		if (spf_module_ctx->spf_hash &&

  664. 				(l = rspamd_lru_hash_lookup (spf_module_ctx->spf_hash, domain,

  665. 					task->task_timestamp)) != NULL) {

  666. 			spf_record_ref (l);

  667. 			spf_check_list (l, task, TRUE);

  668. 			spf_record_unref (l);

  669. 		}

  670. 		else {

  671. 

  672. 			if (!rspamd_spf_resolve (task, spf_plugin_callback, item)) {

  673. 				msg_info_task ("cannot make spf request for %s", domain);

  674. 				rspamd_task_insert_result (task,

  675. 						spf_module_ctx->symbol_dnsfail,

  676. 						1,

  677. 						"(SPF): spf DNS fail");

  678. 			}

  679. 			else {

  680. 				rspamd_symcache_item_async_inc (task, item, M);

  681. 			}

  682. 		}

  683. 	}

  684. 

  685. 	rspamd_symcache_item_async_dec_check (task, item, M);

  686. }