/usr/share/perl5/Mail/SpamAssassin/Plugin/SPF.pm is in spamassassin 3.4.1-8build1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 | # <@LICENSE>
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to you under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at:
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# </@LICENSE>
=head1 NAME
Mail::SpamAssassin::Plugin::SPF - perform SPF verification tests
=head1 SYNOPSIS
loadplugin Mail::SpamAssassin::Plugin::SPF
=head1 DESCRIPTION
This plugin checks a message against Sender Policy Framework (SPF)
records published by the domain owners in DNS to fight email address
forgery and make it easier to identify spams.
=cut
package Mail::SpamAssassin::Plugin::SPF;
use Mail::SpamAssassin::Plugin;
use Mail::SpamAssassin::Logger;
use Mail::SpamAssassin::Timeout;
use strict;
use warnings;
use bytes;
use re 'taint';
use vars qw(@ISA);
@ISA = qw(Mail::SpamAssassin::Plugin);
# constructor: register the eval rule
sub new {
my $class = shift;
my $mailsaobject = shift;
# some boilerplate...
$class = ref($class) || $class;
my $self = $class->SUPER::new($mailsaobject);
bless ($self, $class);
$self->register_eval_rule ("check_for_spf_pass");
$self->register_eval_rule ("check_for_spf_neutral");
$self->register_eval_rule ("check_for_spf_none");
$self->register_eval_rule ("check_for_spf_fail");
$self->register_eval_rule ("check_for_spf_softfail");
$self->register_eval_rule ("check_for_spf_permerror");
$self->register_eval_rule ("check_for_spf_temperror");
$self->register_eval_rule ("check_for_spf_helo_pass");
$self->register_eval_rule ("check_for_spf_helo_neutral");
$self->register_eval_rule ("check_for_spf_helo_none");
$self->register_eval_rule ("check_for_spf_helo_fail");
$self->register_eval_rule ("check_for_spf_helo_softfail");
$self->register_eval_rule ("check_for_spf_helo_permerror");
$self->register_eval_rule ("check_for_spf_helo_temperror");
$self->register_eval_rule ("check_for_spf_whitelist_from");
$self->register_eval_rule ("check_for_def_spf_whitelist_from");
$self->set_config($mailsaobject->{conf});
return $self;
}
###########################################################################
sub set_config {
my($self, $conf) = @_;
my @cmds;
=head1 USER SETTINGS
=over 4
=item whitelist_from_spf user@example.com
Works similarly to whitelist_from, except that in addition to matching
a sender address, a check against the domain's SPF record must pass.
The first parameter is an address to whitelist, and the second is a string
to match the relay's rDNS.
Just like whitelist_from, multiple addresses per line, separated by spaces,
are OK. Multiple C<whitelist_from_spf> lines are also OK.
The headers checked for whitelist_from_spf addresses are the same headers
used for SPF checks (Envelope-From, Return-Path, X-Envelope-From, etc).
Since this whitelist requires an SPF check to be made, network tests must be
enabled. It is also required that your trust path be correctly configured.
See the section on C<trusted_networks> for more info on trust paths.
e.g.
whitelist_from_spf joe@example.com fred@example.com
whitelist_from_spf *@example.com
=item def_whitelist_from_spf user@example.com
Same as C<whitelist_from_spf>, but used for the default whitelist entries
in the SpamAssassin distribution. The whitelist score is lower, because
these are often targets for spammer spoofing.
=cut
push (@cmds, {
setting => 'whitelist_from_spf',
type => $Mail::SpamAssassin::Conf::CONF_TYPE_ADDRLIST
});
push (@cmds, {
setting => 'def_whitelist_from_spf',
type => $Mail::SpamAssassin::Conf::CONF_TYPE_ADDRLIST
});
=back
=head1 ADMINISTRATOR OPTIONS
=over 4
=item spf_timeout n (default: 5)
How many seconds to wait for an SPF query to complete, before scanning
continues without the SPF result. A numeric value is optionally suffixed
by a time unit (s, m, h, d, w, indicating seconds (default), minutes, hours,
days, weeks).
=cut
push (@cmds, {
setting => 'spf_timeout',
is_admin => 1,
default => 5,
type => $Mail::SpamAssassin::Conf::CONF_TYPE_DURATION
});
=item do_not_use_mail_spf (0|1) (default: 0)
By default the plugin will try to use the Mail::SPF module for SPF checks if
it can be loaded. If Mail::SPF cannot be used the plugin will fall back to
using the legacy Mail::SPF::Query module if it can be loaded.
Use this option to stop the plugin from using Mail::SPF and cause it to try to
use Mail::SPF::Query instead.
=cut
push(@cmds, {
setting => 'do_not_use_mail_spf',
is_admin => 1,
default => 0,
type => $Mail::SpamAssassin::Conf::CONF_TYPE_BOOL,
});
=item do_not_use_mail_spf_query (0|1) (default: 0)
As above, but instead stop the plugin from trying to use Mail::SPF::Query and
cause it to only try to use Mail::SPF.
=cut
push(@cmds, {
setting => 'do_not_use_mail_spf_query',
is_admin => 1,
default => 0,
type => $Mail::SpamAssassin::Conf::CONF_TYPE_BOOL,
});
=item ignore_received_spf_header (0|1) (default: 0)
By default, to avoid unnecessary DNS lookups, the plugin will try to use the
SPF results found in any C<Received-SPF> headers it finds in the message that
could only have been added by an internal relay.
Set this option to 1 to ignore any C<Received-SPF> headers present and to have
the plugin perform the SPF check itself.
Note that unless the plugin finds an C<identity=helo>, or some unsupported
identity, it will assume that the result is a mfrom SPF check result. The
only identities supported are C<mfrom>, C<mailfrom> and C<helo>.
=cut
push(@cmds, {
setting => 'ignore_received_spf_header',
is_admin => 1,
default => 0,
type => $Mail::SpamAssassin::Conf::CONF_TYPE_BOOL,
});
=item use_newest_received_spf_header (0|1) (default: 0)
By default, when using C<Received-SPF> headers, the plugin will attempt to use
the oldest (bottom most) C<Received-SPF> headers, that were added by internal
relays, that it can parse results from since they are the most likely to be
accurate. This is done so that if you have an incoming mail setup where one
of your primary MXes doesn't know about a secondary MX (or your MXes don't
know about some sort of forwarding relay that SA considers trusted+internal)
but SA is aware of the actual domain boundary (internal_networks setting) SA
will use the results that are most accurate.
Use this option to start with the newest (top most) C<Received-SPF> headers,
working downwards until results are successfully parsed.
=cut
push(@cmds, {
setting => 'use_newest_received_spf_header',
is_admin => 1,
default => 0,
type => $Mail::SpamAssassin::Conf::CONF_TYPE_BOOL,
});
$conf->{parser}->register_commands(\@cmds);
}
=item has_check_for_spf_errors
Adds capability check for "if can()" for check_for_spf_permerror, check_for_spf_temperror, check_for_spf_helo_permerror and check_for_spf_helo_permerror
=cut
sub has_check_for_spf_errors { 1 }
# SPF support
sub check_for_spf_pass {
my ($self, $scanner) = @_;
$self->_check_spf ($scanner, 0) unless $scanner->{spf_checked};
$scanner->{spf_pass};
}
sub check_for_spf_neutral {
my ($self, $scanner) = @_;
$self->_check_spf ($scanner, 0) unless $scanner->{spf_checked};
$scanner->{spf_neutral};
}
sub check_for_spf_none {
my ($self, $scanner) = @_;
$self->_check_spf ($scanner, 0) unless $scanner->{spf_checked};
$scanner->{spf_none};
}
sub check_for_spf_fail {
my ($self, $scanner) = @_;
$self->_check_spf ($scanner, 0) unless $scanner->{spf_checked};
if ($scanner->{spf_failure_comment}) {
$scanner->test_log ($scanner->{spf_failure_comment});
}
$scanner->{spf_fail};
}
sub check_for_spf_softfail {
my ($self, $scanner) = @_;
$self->_check_spf ($scanner, 0) unless $scanner->{spf_checked};
$scanner->{spf_softfail};
}
sub check_for_spf_permerror {
my ($self, $scanner) = @_;
$self->_check_spf ($scanner, 0) unless $scanner->{spf_checked};
$scanner->{spf_permerror};
}
sub check_for_spf_temperror {
my ($self, $scanner) = @_;
$self->_check_spf ($scanner, 0) unless $scanner->{spf_checked};
$scanner->{spf_temperror};
}
sub check_for_spf_helo_pass {
my ($self, $scanner) = @_;
$self->_check_spf ($scanner, 1) unless $scanner->{spf_helo_checked};
$scanner->{spf_helo_pass};
}
sub check_for_spf_helo_neutral {
my ($self, $scanner) = @_;
$self->_check_spf ($scanner, 1) unless $scanner->{spf_helo_checked};
$scanner->{spf_helo_neutral};
}
sub check_for_spf_helo_none {
my ($self, $scanner) = @_;
$self->_check_spf ($scanner, 1) unless $scanner->{spf_helo_checked};
$scanner->{spf_helo_none};
}
sub check_for_spf_helo_fail {
my ($self, $scanner) = @_;
$self->_check_spf ($scanner, 1) unless $scanner->{spf_helo_checked};
if ($scanner->{spf_helo_failure_comment}) {
$scanner->test_log ($scanner->{spf_helo_failure_comment});
}
$scanner->{spf_helo_fail};
}
sub check_for_spf_helo_softfail {
my ($self, $scanner) = @_;
$self->_check_spf ($scanner, 1) unless $scanner->{spf_helo_checked};
$scanner->{spf_helo_softfail};
}
sub check_for_spf_helo_permerror {
my ($self, $scanner) = @_;
$self->_check_spf ($scanner, 1) unless $scanner->{spf_helo_checked};
$scanner->{spf_helo_permerror};
}
sub check_for_spf_helo_temperror {
my ($self, $scanner) = @_;
$self->_check_spf ($scanner, 1) unless $scanner->{spf_helo_checked};
$scanner->{spf_helo_temperror};
}
sub check_for_spf_whitelist_from {
my ($self, $scanner) = @_;
$self->_check_spf_whitelist($scanner) unless $scanner->{spf_whitelist_from_checked};
$scanner->{spf_whitelist_from};
}
sub check_for_def_spf_whitelist_from {
my ($self, $scanner) = @_;
$self->_check_def_spf_whitelist($scanner) unless $scanner->{def_spf_whitelist_from_checked};
$scanner->{def_spf_whitelist_from};
}
sub _check_spf {
my ($self, $scanner, $ishelo) = @_;
my $timer = $self->{main}->time_method("check_spf");
# we can re-use results from any *INTERNAL* Received-SPF header in the message...
# we can't use results from trusted but external hosts since (i) spf checks are
# supposed to be done "on the domain boundary", (ii) even if an external header
# has a result that matches what we would get, the check was probably done on a
# different envelope (like the apache.org list servers checking the ORCPT and
# then using a new envelope to send the mail from the list) and (iii) if the
# checks are being done right and the envelope isn't being changed it's 99%
# likely that the trusted+external host really should be defined as part of your
# internal network
if ($scanner->{conf}->{ignore_received_spf_header}) {
dbg("spf: ignoring any Received-SPF headers from internal hosts, by admin setting");
} elsif ($scanner->{checked_for_received_spf_header}) {
dbg("spf: already checked for Received-SPF headers, proceeding with DNS based checks");
} else {
$scanner->{checked_for_received_spf_header} = 1;
dbg("spf: checking to see if the message has a Received-SPF header that we can use");
my @internal_hdrs = split("\n", $scanner->get('ALL-INTERNAL'));
unless ($scanner->{conf}->{use_newest_received_spf_header}) {
# look for the LAST (earliest in time) header, it'll be the most accurate
@internal_hdrs = reverse(@internal_hdrs);
} else {
dbg("spf: starting with the newest Received-SPF headers first");
}
foreach my $hdr (@internal_hdrs) {
local($1,$2);
if ($hdr =~ /^received-spf:/i) {
dbg("spf: found a Received-SPF header added by an internal host: $hdr");
# old version:
# Received-SPF: pass (herse.apache.org: domain of spamassassin@dostech.ca
# designates 69.61.78.188 as permitted sender)
# new version:
# Received-SPF: pass (dostech.ca: 69.61.78.188 is authorized to use
# 'spamassassin@dostech.ca' in 'mfrom' identity (mechanism 'mx' matched))
# receiver=FC5-VPC; identity=mfrom; envelope-from="spamassassin@dostech.ca";
# helo=smtp.dostech.net; client-ip=69.61.78.188
# Received-SPF: pass (dostech.ca: 69.61.78.188 is authorized to use 'dostech.ca'
# in 'helo' identity (mechanism 'mx' matched)) receiver=FC5-VPC; identity=helo;
# helo=dostech.ca; client-ip=69.61.78.188
# http://www.openspf.org/RFC_4408#header-field
# wtf - for some reason something is sticking an extra space between the header name and field value
if ($hdr =~ /^received-spf:\s*(pass|neutral|(?:soft)?fail|none)\b(?:.*\bidentity=(\S+?);?\b)?/i) {
my $result = lc($1);
my $identity = ''; # we assume it's a mfrom check if we can't tell otherwise
if (defined $2) {
$identity = lc($2);
if ($identity eq 'mfrom' || $identity eq 'mailfrom') {
next if $scanner->{spf_checked};
$identity = '';
} elsif ($identity eq 'helo') {
next if $scanner->{spf_helo_checked};
$identity = 'helo_';
} else {
dbg("spf: found unknown identity value, cannot use: $identity");
next; # try the next Received-SPF header, if any
}
} else {
next if $scanner->{spf_checked};
}
# we'd set these if we actually did the check
$scanner->{"spf_${identity}checked"} = 1;
$scanner->{"spf_${identity}pass"} = 0;
$scanner->{"spf_${identity}neutral"} = 0;
$scanner->{"spf_${identity}none"} = 0;
$scanner->{"spf_${identity}fail"} = 0;
$scanner->{"spf_${identity}softfail"} = 0;
$scanner->{"spf_${identity}failure_comment"} = undef;
# and the result
$scanner->{"spf_${identity}${result}"} = 1;
dbg("spf: re-using %s result from Received-SPF header: %s",
($identity ? 'helo' : 'mfrom'), $result);
# if we've got *both* the mfrom and helo results we're done
return if ($scanner->{spf_checked} && $scanner->{spf_helo_checked});
} else {
dbg("spf: could not parse result from existing Received-SPF header");
}
} elsif ($hdr =~ /^Authentication-Results:.*;\s*SPF\s*=\s*([^;]*)/i) {
dbg("spf: found an Authentication-Results header added by an internal host: $hdr");
# RFC 5451 header parser - added by D. Stussy 2010-09-09:
# Authentication-Results: mail.example.com; SPF=none smtp.mailfrom=example.org (comment)
my $tmphdr = $1;
if ($tmphdr =~ /^(pass|neutral|(?:hard|soft)?fail|none)(?:[^;]*?\bsmtp\.(\S+)\s*=[^;]+)?/i) {
my $result = lc($1);
$result = 'fail' if $result eq 'hardfail'; # RFC5451 permits this
my $identity = ''; # we assume it's a mfrom check if we can't tell otherwise
if (defined $2) {
$identity = lc($2);
if ($identity eq 'mfrom' || $identity eq 'mailfrom') {
next if $scanner->{spf_checked};
$identity = '';
} elsif ($identity eq 'helo') {
next if $scanner->{spf_helo_checked};
$identity = 'helo_';
} else {
dbg("spf: found unknown identity value, cannot use: $identity");
next; # try the next Authentication-Results header, if any
}
} else {
next if $scanner->{spf_checked};
}
# we'd set these if we actually did the check
$scanner->{"spf_${identity}checked"} = 1;
$scanner->{"spf_${identity}pass"} = 0;
$scanner->{"spf_${identity}neutral"} = 0;
$scanner->{"spf_${identity}none"} = 0;
$scanner->{"spf_${identity}fail"} = 0;
$scanner->{"spf_${identity}softfail"} = 0;
$scanner->{"spf_${identity}failure_comment"} = undef;
# and the result
$scanner->{"spf_${identity}${result}"} = 1;
dbg("spf: re-using %s result from Authentication-Results header: %s",
($identity ? 'helo' : 'mfrom'), $result);
# if we've got *both* the mfrom and helo results we're done
return if ($scanner->{spf_checked} && $scanner->{spf_helo_checked});
} else {
dbg("spf: could not parse result from existing Authentication-Results header");
}
}
}
# we can return if we've found the one we're being asked to get
return if ( ($ishelo && $scanner->{spf_helo_checked}) ||
(!$ishelo && $scanner->{spf_checked}) );
}
# abort if dns or an spf module isn't available
return unless $scanner->is_dns_available();
return if $self->{no_spf_module};
# select the SPF module we're going to use
unless (defined $self->{has_mail_spf}) {
my $eval_stat;
eval {
die("Mail::SPF disabled by admin setting\n") if $scanner->{conf}->{do_not_use_mail_spf};
require Mail::SPF;
if (!defined $Mail::SPF::VERSION || $Mail::SPF::VERSION < 2.001) {
die "Mail::SPF 2.001 or later required, this is ".
(defined $Mail::SPF::VERSION ? $Mail::SPF::VERSION : 'unknown')."\n";
}
# Mail::SPF::Server can be re-used, and we get to use our own resolver object!
$self->{spf_server} = Mail::SPF::Server->new(
hostname => $scanner->get_tag('HOSTNAME'),
dns_resolver => $self->{main}->{resolver},
max_dns_interactive_terms => 15);
# Bug 7112: max_dns_interactive_terms defaults to 10, but even 14 is
# not enough for ebay.com, setting it to 15
1;
} or do {
$eval_stat = $@ ne '' ? $@ : "errno=$!"; chomp $eval_stat;
};
if (!defined($eval_stat)) {
dbg("spf: using Mail::SPF for SPF checks");
$self->{has_mail_spf} = 1;
} else {
# strip the @INC paths... users are going to see it and think there's a problem even though
# we're going to fall back to Mail::SPF::Query (which will display the same paths if it fails)
$eval_stat =~ s#^Can't locate Mail/SPFd.pm in \@INC .*#Can't locate Mail/SPFd.pm#;
dbg("spf: cannot load Mail::SPF module or create Mail::SPF::Server object: $eval_stat");
dbg("spf: attempting to use legacy Mail::SPF::Query module instead");
undef $eval_stat;
eval {
die("Mail::SPF::Query disabled by admin setting\n") if $scanner->{conf}->{do_not_use_mail_spf_query};
require Mail::SPF::Query;
if (!defined $Mail::SPF::Query::VERSION || $Mail::SPF::Query::VERSION < 1.996) {
die "Mail::SPF::Query 1.996 or later required, this is ".
(defined $Mail::SPF::Query::VERSION ? $Mail::SPF::Query::VERSION : 'unknown')."\n";
}
1;
} or do {
$eval_stat = $@ ne '' ? $@ : "errno=$!"; chomp $eval_stat;
};
if (!defined($eval_stat)) {
dbg("spf: using Mail::SPF::Query for SPF checks");
$self->{has_mail_spf} = 0;
} else {
dbg("spf: cannot load Mail::SPF::Query module: $eval_stat");
dbg("spf: one of Mail::SPF or Mail::SPF::Query is required for SPF checks, SPF checks disabled");
$self->{no_spf_module} = 1;
return;
}
}
}
# skip SPF checks if the A/MX records are nonexistent for the From
# domain, anyway, to avoid crappy messages from slowing us down
# (bug 3016)
return if $scanner->check_for_from_dns();
if ($ishelo) {
# SPF HELO-checking variant
$scanner->{spf_helo_checked} = 1;
$scanner->{spf_helo_pass} = 0;
$scanner->{spf_helo_neutral} = 0;
$scanner->{spf_helo_none} = 0;
$scanner->{spf_helo_fail} = 0;
$scanner->{spf_helo_softfail} = 0;
$scanner->{spf_helo_permerror} = 0;
$scanner->{spf_helo_temperror} = 0;
$scanner->{spf_helo_failure_comment} = undef;
} else {
# SPF on envelope sender (where possible)
$scanner->{spf_checked} = 1;
$scanner->{spf_pass} = 0;
$scanner->{spf_neutral} = 0;
$scanner->{spf_none} = 0;
$scanner->{spf_fail} = 0;
$scanner->{spf_softfail} = 0;
$scanner->{spf_permerror} = 0;
$scanner->{spf_temperror} = 0;
$scanner->{spf_failure_comment} = undef;
}
my $lasthop = $self->_get_relay($scanner);
if (!defined $lasthop) {
dbg("spf: no suitable relay for spf use found, skipping SPF%s check",
$ishelo ? '-helo' : '');
return;
}
my $ip = $lasthop->{ip}; # always present
my $helo = $lasthop->{helo}; # could be missing
$scanner->{sender} = '' unless $scanner->{sender_got};
if ($ishelo) {
unless ($helo) {
dbg("spf: cannot check HELO, HELO value unknown");
return;
}
dbg("spf: checking HELO (helo=$helo, ip=$ip)");
} else {
$self->_get_sender($scanner) unless $scanner->{sender_got};
# TODO: we're supposed to use the helo domain as the sender identity (for
# mfrom checks) if the sender is the null sender, however determining that
# it's the null sender, and not just a failure to get the envelope isn't
# exactly trivial... so for now we'll just skip the check
if (!$scanner->{sender}) {
# we already dbg'd that we couldn't get an Envelope-From and can't do SPF
return;
}
dbg("spf: checking EnvelopeFrom (helo=%s, ip=%s, envfrom=%s)",
($helo ? $helo : ''), $ip, $scanner->{sender});
}
# this test could probably stand to be more strict, but try to test
# any invalid HELO hostname formats with a header rule
if ($ishelo && ($helo =~ /^[\[!]?\d+\.\d+\.\d+\.\d+[\]!]?$/ || $helo =~ /^[^.]+$/)) {
dbg("spf: cannot check HELO of '$helo', skipping");
return;
}
if ($helo && $scanner->server_failed_to_respond_for_domain($helo)) {
dbg("spf: we had a previous timeout on '$helo', skipping");
return;
}
my ($result, $comment, $text, $err);
# use Mail::SPF if it was available, otherwise use the legacy Mail::SPF::Query
if ($self->{has_mail_spf}) {
# TODO: currently we won't get to here for a mfrom check with a null sender
my $identity = $ishelo ? $helo : ($scanner->{sender}); # || $helo);
unless ($identity) {
dbg("spf: cannot determine %s identity, skipping %s SPF check",
($ishelo ? 'helo' : 'mfrom'), ($ishelo ? 'helo' : 'mfrom') );
return;
}
$helo ||= 'unknown'; # only used for macro expansion in the mfrom explanation
my $request;
eval {
$request = Mail::SPF::Request->new( scope => $ishelo ? 'helo' : 'mfrom',
identity => $identity,
ip_address => $ip,
helo_identity => $helo );
1;
} or do {
my $eval_stat = $@ ne '' ? $@ : "errno=$!"; chomp $eval_stat;
dbg("spf: cannot create Mail::SPF::Request object: $eval_stat");
return;
};
my $timeout = $scanner->{conf}->{spf_timeout};
my $timer = Mail::SpamAssassin::Timeout->new(
{ secs => $timeout, deadline => $scanner->{master_deadline} });
$err = $timer->run_and_catch(sub {
my $query = $self->{spf_server}->process($request);
$result = $query->code;
$comment = $query->authority_explanation if $query->can("authority_explanation");
$text = $query->text;
});
} else {
if (!$helo) {
dbg("spf: cannot get HELO, cannot use Mail::SPF::Query, consider installing Mail::SPF");
return;
}
# TODO: if we start doing checks on the null sender using the helo domain
# be sure to fix this so that it uses the correct sender identity
my $query;
eval {
$query = Mail::SPF::Query->new (ip => $ip,
sender => $scanner->{sender},
helo => $helo,
debug => 0,
trusted => 0);
1;
} or do {
my $eval_stat = $@ ne '' ? $@ : "errno=$!"; chomp $eval_stat;
dbg("spf: cannot create Mail::SPF::Query object: $eval_stat");
return;
};
my $timeout = $scanner->{conf}->{spf_timeout};
my $timer = Mail::SpamAssassin::Timeout->new(
{ secs => $timeout, deadline => $scanner->{master_deadline} });
$err = $timer->run_and_catch(sub {
($result, $comment) = $query->result();
});
} # end of differences between Mail::SPF and Mail::SPF::Query
if ($err) {
chomp $err;
warn("spf: lookup failed: $err\n");
return 0;
}
$result ||= 'timeout'; # bug 5077
$comment ||= '';
$comment =~ s/\s+/ /gs; # no newlines please
$text ||= '';
$text =~ s/\s+/ /gs; # no newlines please
if ($ishelo) {
if ($result eq 'pass') { $scanner->{spf_helo_pass} = 1; }
elsif ($result eq 'neutral') { $scanner->{spf_helo_neutral} = 1; }
elsif ($result eq 'none') { $scanner->{spf_helo_none} = 1; }
elsif ($result eq 'fail') { $scanner->{spf_helo_fail} = 1; }
elsif ($result eq 'softfail') { $scanner->{spf_helo_softfail} = 1; }
elsif ($result eq 'permerror') { $scanner->{spf_helo_permerror} = 1; }
elsif ($result eq 'temperror') { $scanner->{spf_helo_temperror} = 1; }
elsif ($result eq 'error') { $scanner->{spf_helo_temperror} = 1; }
if ($result eq 'fail') { # RFC 4408 6.2
$scanner->{spf_helo_failure_comment} = "SPF failed: $comment";
}
} else {
if ($result eq 'pass') { $scanner->{spf_pass} = 1; }
elsif ($result eq 'neutral') { $scanner->{spf_neutral} = 1; }
elsif ($result eq 'none') { $scanner->{spf_none} = 1; }
elsif ($result eq 'fail') { $scanner->{spf_fail} = 1; }
elsif ($result eq 'softfail') { $scanner->{spf_softfail} = 1; }
elsif ($result eq 'permerror') { $scanner->{spf_permerror} = 1; }
elsif ($result eq 'temperror') { $scanner->{spf_temperror} = 1; }
elsif ($result eq 'error') { $scanner->{spf_temperror} = 1; }
if ($result eq 'fail') { # RCF 4408 6.2
$scanner->{spf_failure_comment} = "SPF failed: $comment";
}
}
dbg("spf: query for $scanner->{sender}/$ip/$helo: result: $result, comment: $comment, text: $text");
}
sub _get_relay {
my ($self, $scanner) = @_;
# dos: first external relay, not first untrusted
return $scanner->{relays_external}->[0];
}
sub _get_sender {
my ($self, $scanner) = @_;
my $sender;
$scanner->{sender_got} = 1;
$scanner->{sender} = '';
my $relay = $self->_get_relay($scanner);
if (defined $relay) {
$sender = $relay->{envfrom};
}
if ($sender) {
dbg("spf: found Envelope-From in first external Received header");
}
else {
# We cannot use the env-from data, since it went through 1 or more relays
# since the untrusted sender and they may have rewritten it.
if ($scanner->{num_relays_trusted} > 0 && !$scanner->{conf}->{always_trust_envelope_sender}) {
dbg("spf: relayed through one or more trusted relays, cannot use header-based Envelope-From, skipping");
return;
}
# we can (apparently) use whatever the current Envelope-From was,
# from the Return-Path, X-Envelope-From, or whatever header.
# it's better to get it from Received though, as that is updated
# hop-by-hop.
$sender = $scanner->get("EnvelopeFrom:addr");
}
if (!$sender) {
dbg("spf: cannot get Envelope-From, cannot use SPF");
return; # avoid setting $scanner->{sender} to undef
}
return $scanner->{sender} = lc $sender;
}
sub _check_spf_whitelist {
my ($self, $scanner) = @_;
$scanner->{spf_whitelist_from_checked} = 1;
$scanner->{spf_whitelist_from} = 0;
# if we've already checked for an SPF PASS and didn't get it don't waste time
# checking to see if the sender address is in the spf whitelist
if ($scanner->{spf_checked} && !$scanner->{spf_pass}) {
dbg("spf: whitelist_from_spf: already checked spf and didn't get pass, skipping whitelist check");
return;
}
$self->_get_sender($scanner) unless $scanner->{sender_got};
unless ($scanner->{sender}) {
dbg("spf: spf_whitelist_from: could not find useable envelope sender");
return;
}
$scanner->{spf_whitelist_from} = $self->_wlcheck($scanner,'whitelist_from_spf');
if (!$scanner->{spf_whitelist_from}) {
$scanner->{spf_whitelist_from} = $self->_wlcheck($scanner, 'whitelist_auth');
}
# if the message doesn't pass SPF validation, it can't pass an SPF whitelist
if ($scanner->{spf_whitelist_from}) {
if ($self->check_for_spf_pass($scanner)) {
dbg("spf: whitelist_from_spf: $scanner->{sender} is in user's WHITELIST_FROM_SPF and passed SPF check");
} else {
dbg("spf: whitelist_from_spf: $scanner->{sender} is in user's WHITELIST_FROM_SPF but failed SPF check");
$scanner->{spf_whitelist_from} = 0;
}
} else {
dbg("spf: whitelist_from_spf: $scanner->{sender} is not in user's WHITELIST_FROM_SPF");
}
}
sub _check_def_spf_whitelist {
my ($self, $scanner) = @_;
$scanner->{def_spf_whitelist_from_checked} = 1;
$scanner->{def_spf_whitelist_from} = 0;
# if we've already checked for an SPF PASS and didn't get it don't waste time
# checking to see if the sender address is in the spf whitelist
if ($scanner->{spf_checked} && !$scanner->{spf_pass}) {
dbg("spf: def_spf_whitelist_from: already checked spf and didn't get pass, skipping whitelist check");
return;
}
$self->_get_sender($scanner) unless $scanner->{sender_got};
unless ($scanner->{sender}) {
dbg("spf: def_spf_whitelist_from: could not find useable envelope sender");
return;
}
$scanner->{def_spf_whitelist_from} = $self->_wlcheck($scanner,'def_whitelist_from_spf');
if (!$scanner->{def_spf_whitelist_from}) {
$scanner->{def_spf_whitelist_from} = $self->_wlcheck($scanner, 'def_whitelist_auth');
}
# if the message doesn't pass SPF validation, it can't pass an SPF whitelist
if ($scanner->{def_spf_whitelist_from}) {
if ($self->check_for_spf_pass($scanner)) {
dbg("spf: def_whitelist_from_spf: $scanner->{sender} is in DEF_WHITELIST_FROM_SPF and passed SPF check");
} else {
dbg("spf: def_whitelist_from_spf: $scanner->{sender} is in DEF_WHITELIST_FROM_SPF but failed SPF check");
$scanner->{def_spf_whitelist_from} = 0;
}
} else {
dbg("spf: def_whitelist_from_spf: $scanner->{sender} is not in DEF_WHITELIST_FROM_SPF");
}
}
sub _wlcheck {
my ($self, $scanner, $param) = @_;
if (defined ($scanner->{conf}->{$param}->{$scanner->{sender}})) {
return 1;
} else {
study $scanner->{sender}; # study is a no-op since perl 5.16.0
foreach my $regexp (values %{$scanner->{conf}->{$param}}) {
if ($scanner->{sender} =~ qr/$regexp/i) {
return 1;
}
}
}
return 0;
}
###########################################################################
1;
=back
=cut
|