-rw-r--r--src/libserver/spf.c34
-rw-r--r--src/plugins/spf.c16
-rw-r--r--test/functional/cases/115_dmarc.robot34
3 files changed, 60 insertions, 24 deletions
diff --git a/src/libserver/spf.c b/src/libserver/spf.c
index 362c96255..fb3d39385 100644
--- a/src/libserver/spf.c
+++ b/src/libserver/spf.c
@@ -708,7 +708,11 @@ spf_record_dns_callback (struct rdns_reply *reply, gpointer arg)
else if (reply->code == RDNS_RC_NXDOMAIN || reply->code == RDNS_RC_NOREC) {
switch (cb->cur_action) {
case SPF_RESOLVE_MX:
- if (rdns_request_has_type (reply->request, RDNS_REQUEST_MX)) {
+ if (!rdns_request_has_type (reply->request, RDNS_REQUEST_MX)
+ && !rdns_request_has_type (reply->request, RDNS_REQUEST_A)
+ && !rdns_request_has_type (reply->request, RDNS_REQUEST_AAAA)) {
+ cb->addr->flags &= ~RSPAMD_SPF_FLAG_PARSED;
+ cb->addr->flags |= RSPAMD_SPF_FLAG_PERMFAIL;
msg_debug_spf (
"<%s>: spf error for domain %s: cannot find MX record for %s",
task->message_id,
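Review bot: The first test in the `SPF_RESOLVE_MX` case, `!MX && !A && !AAAA`, fires only for a request that carries none of the three types, which looks unreachable under this action, so the "cannot find MX record" branch appears to be dead. An NXDOMAIN/NOREC reply to the MX query itself now lands in the `else if` of the next hunk and logs "cannot resolve MX record" instead. As far as the visible lines show, the two branches differ only in the message, so a single `if (rdns_request_has_type (reply->request, RDNS_REQUEST_MX)) {` guarding one PERMFAIL block would express the same behaviour. A comment such as `/* A/AAAA misses for individual MX hosts are ignored on purpose */` would also document why those replies set no flag. The function body starts and ends outside the hunk.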
@@ -716,7 +720,10 @@ spf_record_dns_callback (struct rdns_reply *reply, gpointer arg)
cb->resolved->cur_domain);
spf_record_addr_set (addr, FALSE);
}
- else {
+ else if (!rdns_request_has_type (reply->request, RDNS_REQUEST_A)
+ && !rdns_request_has_type (reply->request, RDNS_REQUEST_AAAA)) {
+ cb->addr->flags &= ~RSPAMD_SPF_FLAG_PARSED;
+ cb->addr->flags |= RSPAMD_SPF_FLAG_PERMFAIL;
msg_debug_spf (
"<%s>: spf error for domain %s: cannot resolve MX record for %s",
task->message_id,
@@ -726,25 +733,32 @@ spf_record_dns_callback (struct rdns_reply *reply, gpointer arg)
}
break;
case SPF_RESOLVE_A:
+ cb->addr->flags &= ~RSPAMD_SPF_FLAG_PARSED;
+ cb->addr->flags |= RSPAMD_SPF_FLAG_PERMFAIL;
if (rdns_request_has_type (reply->request, RDNS_REQUEST_A)) {
spf_record_addr_set (addr, FALSE);
}
break;
case SPF_RESOLVE_AAA:
+ cb->addr->flags &= ~RSPAMD_SPF_FLAG_PARSED;
+ cb->addr->flags |= RSPAMD_SPF_FLAG_PERMFAIL;
if (rdns_request_has_type (reply->request, RDNS_REQUEST_AAAA)) {
spf_record_addr_set (addr, FALSE);
}
break;
case SPF_RESOLVE_PTR:
+ cb->addr->flags &= ~RSPAMD_SPF_FLAG_PARSED;
+ cb->addr->flags |= RSPAMD_SPF_FLAG_PERMFAIL;
spf_record_addr_set (addr, FALSE);
break;
case SPF_RESOLVE_REDIRECT:
+ cb->addr->flags &= ~RSPAMD_SPF_FLAG_PARSED;
+ cb->addr->flags |= RSPAMD_SPF_FLAG_PERMFAIL;
msg_debug_spf (
"<%s>: spf error for domain %s: cannot resolve TXT record for %s",
task->message_id,
cb->rec->sender_domain,
cb->resolved->cur_domain);
- cb->addr->flags |= RSPAMD_SPF_FLAG_PERMFAIL;
break;
case SPF_RESOLVE_INCLUDE:
msg_debug_spf (
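Review bot: In the `SPF_RESOLVE_A` and `SPF_RESOLVE_AAA` cases the two flag updates sit before the `rdns_request_has_type` check, so every NXDOMAIN/NOREC reply under those actions marks `cb->addr` as PERMFAIL whatever the request type. If the A and AAAA lookups for one mechanism share the same `cb->addr` (not visible in this hunk), a host that publishes only one address family would be recorded as a permanent error. RFC 7208 section 5 treats a name error on `a`/`mx`/`ptr` lookups as zero answers, i.e. a non-match rather than a permerror, so at minimum move the two lines inside the `if` and add a comment stating why PERMFAIL is chosen. The same clear-PARSED/set-PERMFAIL pair is repeated in seven places across these hunks and would read better as one small static helper. The function body starts and ends outside the hunk.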
@@ -752,8 +766,8 @@ spf_record_dns_callback (struct rdns_reply *reply, gpointer arg)
task->message_id,
cb->rec->sender_domain,
cb->resolved->cur_domain);
+ cb->addr->flags |= RSPAMD_SPF_FLAG_PERMFAIL;
cb->addr->flags &= ~RSPAMD_SPF_FLAG_PARSED;
- cb->addr->flags |= RSPAMD_SPF_FLAG_TEMPFAIL;
break;
case SPF_RESOLVE_EXP:
break;
@@ -762,16 +776,8 @@ spf_record_dns_callback (struct rdns_reply *reply, gpointer arg)
break;
}
}
- else if ((cb->cur_action == SPF_RESOLVE_INCLUDE ||
- cb->cur_action == SPF_RESOLVE_REDIRECT) ||
- reply->code == RDNS_RC_TIMEOUT) {
- if ((cb->cur_action == SPF_RESOLVE_INCLUDE || cb->cur_action == SPF_RESOLVE_REDIRECT) &&
- (reply->code == RDNS_RC_NOREC && reply->code == RDNS_RC_NXDOMAIN)) {
- cb->addr->flags |= RSPAMD_SPF_FLAG_PERMFAIL;
- }
- else {
- cb->addr->flags |= RSPAMD_SPF_FLAG_TEMPFAIL;
- }
+ else {
+ cb->addr->flags |= RSPAMD_SPF_FLAG_TEMPFAIL;
msg_info_spf (
"<%s>: spf error for domain %s: cannot resolve %s DNS record for"
" %s: %s",
diff --git a/src/plugins/spf.c b/src/plugins/spf.c
index 99d09fd01..aa09eecac 100644
--- a/src/plugins/spf.c
+++ b/src/plugins/spf.c
@@ -397,7 +397,12 @@ spf_check_element (struct spf_resolved *rec, struct spf_addr *addr,
spf_result[0] = '-';
spf_message = "(SPF): spf fail";
if (addr->flags & RSPAMD_SPF_FLAG_ANY) {
- if (rec->temp_failed) {
+ if (rec->perm_failed) {
+ msg_info_task ("do not apply SPF failed policy, as we have "
+ "some addresses unresolved");
+ spf_symbol = spf_module_ctx->symbol_permfail;
+ }
+ else if (rec->temp_failed) {
msg_info_task ("do not apply SPF failed policy, as we have "
"some addresses unresolved");
spf_symbol = spf_module_ctx->symbol_dnsfail;
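Review bot: The new `rec->perm_failed` branch logs exactly the same text as the `temp_failed` branch below it, so the log cannot tell a permanent SPF error from a DNS failure; the `~` hunk that follows has the same duplication. A distinct message, for example `msg_info_task ("do not apply SPF failed policy, as we have some addresses with permanent errors");`, would make the two cases separable when triaging mail flow. Since this path replaces the fail symbol with `symbol_permfail` on a `-all` hit, the score configured for that symbol now decides how such mail is treated, which deserves a short comment at this branch. The function body starts and ends outside the hunk.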
@@ -411,7 +416,12 @@ spf_check_element (struct spf_resolved *rec, struct spf_addr *addr,
spf_result[0] = '~';
if (addr->flags & RSPAMD_SPF_FLAG_ANY) {
- if (rec->temp_failed) {
+ if (rec->perm_failed) {
+ msg_info_task ("do not apply SPF failed policy, as we have "
+ "some addresses unresolved");
+ spf_symbol = spf_module_ctx->symbol_permfail;
+ }
+ else if (rec->temp_failed) {
msg_info_task ("do not apply SPF failed policy, as we have "
"some addresses unresolved");
spf_symbol = spf_module_ctx->symbol_dnsfail;
@@ -478,7 +488,7 @@ spf_plugin_callback (struct spf_resolved *record, struct rspamd_task *task,
1,
NULL);
}
- else if (record && record->perm_failed) {
+ else if (record && record->elts->len == 0 && record->perm_failed) {
rspamd_task_insert_result (task,
spf_module_ctx->symbol_permfail,
1,
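Review bot: With the added `record->elts->len == 0` test, this branch reports `symbol_permfail` only for records with no elements. A record with `perm_failed` set, some usable elements and no matching one would skip it, and the only other place on this page that emits the permfail symbol is the `RSPAMD_SPF_FLAG_ANY` path in spf_check_element. Whether such a record still ends with a symbol depends on the rest of this if/else chain, which is outside the hunk, so a comment stating the intended outcome would help. The condition also dereferences `record->elts` unchecked; if it can be NULL for a failed record, write `record && (record->elts == NULL || record->elts->len == 0) && record->perm_failed`.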
diff --git a/test/functional/cases/115_dmarc.robot b/test/functional/cases/115_dmarc.robot
index 583786e64..4dda829e5 100644
--- a/test/functional/cases/115_dmarc.robot
+++ b/test/functional/cases/115_dmarc.robot
@@ -77,10 +77,10 @@ DKIM PERMFAIL BAD RECORD
... -i 37.48.67.26
Check Rspamc ${result} R_DKIM_PERMFAIL
-SPF DNSFAIL UNRESOLVEABLE INCLUDE
+SPF PERMFAIL UNRESOLVEABLE INCLUDE
${result} = Scan Message With Rspamc ${TESTDIR}/messages/dmarc/bad_dkim1.eml
- ... -i 37.48.67.26 -F x@openarena.za.net
- Check Rspamc ${result} R_SPF_DNSFAIL
+ ... -i 37.48.67.26 -F x@fail3.org.org.za
+ Check Rspamc ${result} R_SPF_PERMFAIL
SPF DNSFAIL FAILED INCLUDE
${result} = Scan Message With Rspamc ${TESTDIR}/messages/dmarc/bad_dkim1.eml
@@ -89,7 +89,7 @@ SPF DNSFAIL FAILED INCLUDE
SPF ALLOW UNRESOLVEABLE INCLUDE
${result} = Scan Message With Rspamc ${TESTDIR}/messages/dmarc/bad_dkim1.eml
- ... -i 8.8.8.8 -F x@openarena.za.net
+ ... -i 8.8.8.8 -F x@fail3.org.org.za
Check Rspamc ${result} R_SPF_ALLOW
SPF ALLOW FAILED INCLUDE
@@ -114,7 +114,7 @@ SPF NA NXDOMAIN
SPF PERMFAIL UNRESOLVEABLE REDIRECT
${result} = Scan Message With Rspamc ${TESTDIR}/messages/dmarc/bad_dkim1.eml
- ... -i 8.8.8.8 -F x@cacophony.za.org
+ ... -i 8.8.8.8 -F x@fail4.org.org.za
Check Rspamc ${result} R_SPF_PERMFAIL
SPF DNSFAIL FAILED REDIRECT
@@ -122,9 +122,9 @@ SPF DNSFAIL FAILED REDIRECT
... -i 8.8.8.8 -F x@fail1.org.org.za
Check Rspamc ${result} R_SPF_DNSFAIL
-SPF PERMFAIL
+SPF PERMFAIL NO USEABLE ELEMENTS
${result} = Scan Message With Rspamc ${TESTDIR}/messages/dmarc/bad_dkim1.eml
- ... -i 8.8.8.8 -F x@xzghgh.za.org
+ ... -i 8.8.8.8 -F x@fail5.org.org.za
Check Rspamc ${result} R_SPF_PERMFAIL
SPF FAIL
@@ -132,6 +132,26 @@ SPF FAIL
... -i 8.8.8.8 -F x@example.net
Check Rspamc ${result} R_SPF_FAIL
+SPF PERMFAIL UNRESOLVEABLE MX
+ ${result} = Scan Message With Rspamc ${TESTDIR}/messages/dmarc/bad_dkim1.eml
+ ... -i 1.2.3.4 -F x@fail6.org.org.za
+ Check Rspamc ${result} R_SPF_PERMFAIL
+
+SPF PERMFAIL UNRESOLVEABLE A
+ ${result} = Scan Message With Rspamc ${TESTDIR}/messages/dmarc/bad_dkim1.eml
+ ... -i 1.2.3.4 -F x@fail7.org.org.za
+ Check Rspamc ${result} R_SPF_PERMFAIL
+
+SPF DNSFAIL FAILED A
+ ${result} = Scan Message With Rspamc ${TESTDIR}/messages/dmarc/bad_dkim1.eml
+ ... -i 1.2.3.4 -F x@fail8.org.org.za
+ Check Rspamc ${result} R_SPF_DNSFAIL
+
+SPF DNSFAIL FAILED MX
+ ${result} = Scan Message With Rspamc ${TESTDIR}/messages/dmarc/bad_dkim1.eml
+ ... -i 1.2.3.4 -F x@fail9.org.org.za
+ Check Rspamc ${result} R_SPF_DNSFAIL
+
*** Keywords ***
DMARC Setup
${PLUGIN_CONFIG} = Get File ${TESTDIR}/configs/dmarc.conf
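Review bot: The four added cases cover only names that fail or are unresolvable for every lookup; none covers a sender whose `a` or `mx` target resolves for one address family only. That is the input where the unconditional PERMFAIL marking in spf_record_dns_callback could turn a passing check into a permanent error. A case in the style of the existing ones, for example `SPF ALLOW A WITHOUT AAAA` scanning with `-i <ip-of-fixture-host> -F x@<a-only-fixture-domain>` (placeholders) and expecting `R_SPF_ALLOW`, would pin that behaviour. The new cases also assert only that the expected symbol is present, so a run that emitted both the DNSFAIL and PERMFAIL symbols would still pass.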