Merge pull request #80 from jcbf/#79_feature_skipauth

Add test for skipAuth feature
jcbf · Nov 9, 2020 · 63f730c · 63f730c
2 parents e0e4713 + 15f17cf
commit 63f730c
Show file tree

Hide file tree

Showing 6 changed files with 155 additions and 11 deletions.
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -0,0 +1,26 @@
+#-------------------------------------------------------------------------------------------------------------
+# Copyright (c) Microsoft Corporation. All rights reserved.
+# Licensed under the MIT License. See https://go.microsoft.com/fwlink/?linkid=2090316 for license information.
+#-------------------------------------------------------------------------------------------------------------
+
+# To fully customize the contents of this image, use the following Dockerfile instead:
+# https://github.com/microsoft/vscode-dev-containers/tree/v0.112.0/containers/ubuntu-18.04-git/.devcontainer/Dockerfile
+FROM mcr.microsoft.com/vscode/devcontainers/base:0-ubuntu-18.04
+
+# ** [Optional] Uncomment this section to install additional packages. **
+#
+ENV LC_ALL en_US.UTF-8
+ENV LANG en_US.UTF-8
+ENV LANGUAGE en_US.UTF-8
+ ENV DEBIAN_FRONTEND=noninteractive
+ ENV NODE_TLS_REJECT_UNAUTHORIZED=0
+ RUN apt-get update \
+    && apt-get -y upgrade \
+    && apt-get -y install --no-install-recommends locales build-essential libmilter-dev libspf2-dev opendkim-tools lcov\
+    && localedef -i en_US -f UTF-8 en_US.UTF-8 \
+    && apt-get autoremove -y \
+    && apt-get clean -y \
+    && rm -rf /var/lib/apt/lists/*
+ ENV DEBIAN_FRONTEND=dialog
+
+
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -0,0 +1,29 @@
+// For format details, see https://aka.ms/vscode-remote/devcontainer.json or this file's README at:
+// https://github.com/microsoft/vscode-dev-containers/tree/v0.112.0/containers/ubuntu-18.04-git
+{
+	"name": "Ubuntu 18.04 mf-spf devel",
+	"dockerFile": "Dockerfile",
+
+	// Set *default* container specific settings.json values on container create.
+	"settings": { 
+		"terminal.integrated.shell.linux": "/bin/bash"
+	},
+
+	// Add the IDs of extensions you want installed when the container is created.
+	"extensions": []
+
+	// Use 'forwardPorts' to make a list of ports inside the container available locally.
+	// "forwardPorts": [],
+
+	// Use 'postCreateCommand' to run commands after the container is created.
+	// "postCreateCommand": "uname -a",
+
+	// Uncomment to use the Docker CLI from inside the container. See https://aka.ms/vscode-remote/samples/docker-in-docker.
+	// "mounts": [ "source=/var/run/docker.sock,target=/var/run/docker.sock,type=bind" ],
+
+	// Uncomment when using a ptrace-based debugger like C++, Go, and Rust
+	// "runArgs": [ "--cap-add=SYS_PTRACE", "--security-opt", "seccomp=unconfined" ],
+
+	// Uncomment to connect as a non-root user. See https://aka.ms/vscode-remote/containers/non-root.
+	// "remoteUser": "vscode"
+}
diff --git a/.travis.yml b/.travis.yml
@@ -15,7 +15,7 @@ before_install:
 script:
   -  make
   -  make coverage
-  - ./run_tests.sh
+  -  make test
 after_success:
   - lcov --directory . --capture --output-file coverage.info
   - lcov --remove coverage.info 'tests/*' 'usr/*' --output-file coverage.info

diff --git a/smf-spf.c b/smf-spf.c
@@ -49,6 +49,7 @@
 #define OCONN			"unix:" WORK_SPACE "/smf-spf.sock"
 #define USER			"smfs"
 #define TAG_STRING		"[SPF:fail]"
+#define DEFHOSTNAME		"localhost"
 #define QUARANTINE_BOX		"postmaster"
 #define SYSLOG_FACILITY		LOG_MAIL
 #define SPF_TTL			3600
@@ -67,6 +68,7 @@
 #define VERSION			"2.5.0"
 #define REJECT_REASON	"Rejected, look at http://www.openspf.org/why.html?sender=%s&ip=%s&receiver=%s"
 #define SYSLOG_DISABLE	-2
+#define SKIP_NDR		false
 
 #define MAX_HEADER_SIZE		2048
 #define MAXLINE			258
@@ -162,6 +164,7 @@ typedef struct config {
     int quarantine;
     int syslog_facility;
     int daemonize;
+    bool skip_ndr;
     unsigned long spf_ttl;
     char *fixed_ip;
     bool skip_auth;
@@ -458,6 +461,7 @@ static int load_config(void) {
     conf.spf_ttl = SPF_TTL;
     conf.daemonize = DAEMONIZE;
     conf.skip_auth = SKIP_AUTH;
+    conf.skip_ndr = SKIP_NDR;
     if (!(fp = fopen(config_file, "r"))) return 0;
     while (fgets(buf, sizeof(buf) - 1, fp)) {
 	char key[MAXLINE];
@@ -622,6 +626,10 @@ static int load_config(void) {
 	    conf.add_recv_spf_header = 1;
 	    continue;
 	}
+	if (!strcasecmp(key, "skipndr") && !strcasecmp(val, "on")) {
+	    conf.skip_ndr = true;
+	    continue;
+	}
 	if (!strcasecmp(key, "skipauth") && !strcasecmp(val, "off")) {
 	    conf.skip_auth = false;
 	    continue;
@@ -810,9 +818,8 @@ static sfsistat smf_connect(SMFICTX *ctx, char *name, _SOCK_ADDR *sa) {
         char* p = NULL;
         if (((p = smfi_getsymval(ctx, "{j}"))) == NULL) {
             log_message(LOG_ERR, "[ERROR] can't get MTA-name");
-            return SMFIS_ACCEPT;
-        }
-        if ((authserv_id = strdup(p)) == NULL) {
+            authserv_id = strdup(DEFHOSTNAME);
+        } else if ((authserv_id = strdup(p)) == NULL) {
             log_message(LOG_ERR, "[ERROR] can't save MTA-name"); // LCOV_EXCL_LINE
             return SMFIS_ACCEPT; // LCOV_EXCL_LINE
         }
@@ -875,18 +882,16 @@ static sfsistat smf_envfrom(SMFICTX *ctx, char **args) {
     SPF_response_t *spf_response = NULL;
     SPF_result_t status;
 
-    if ((conf.skip_auth) && (smfi_getsymval(ctx, "{auth_authen}"))){
-	    log_message(LOG_INFO, "SPF skip : username %s, from=%s", smfi_getsymval(ctx, "{auth_authen}"), context->from);
-		return SMFIS_ACCEPT;
-	}
     if (verify && strcmp(verify, "OK") == 0) return SMFIS_ACCEPT;
     if (*args) strscpy(context->from, *args, sizeof(context->from) - 1);
     if (strstr(context->from, "<>")) {
+		if (conf.skip_ndr) {
+			log_message(LOG_INFO, "SPF skip : empty sender, helo=%s, ip=%s",context->helo,context->addr);
+			return SMFIS_ACCEPT;
+		}
 	strtolower(context->helo);
 	snprintf(context->sender, sizeof(context->sender), "postmaster@%s", context->helo);
-    }
-    else
-	if (!address_preparation(context->sender, context->from)) {
+    } else if (!address_preparation(context->sender, context->from)) {
         if (conf.soft_fail) {
                 smfi_setreply(ctx, "450", "4.1.7", "Sender address does not conform to RFC-2821 syntax");
                 return SMFIS_TEMPFAIL;
@@ -895,6 +900,10 @@ static sfsistat smf_envfrom(SMFICTX *ctx, char **args) {
                 return SMFIS_REJECT;
         }
 	}
+    if ((conf.skip_auth) && (smfi_getsymval(ctx, "{auth_authen}"))){
+	    log_message(LOG_INFO, "SPF skip : username %s, from=%s", smfi_getsymval(ctx, "{auth_authen}"), context->from);
+		return SMFIS_ACCEPT;
+	}
     if (!strstr(context->from, "<>")) {
 	strtolower(context->sender);
 	if (conf.froms && from_check(context->sender)) return SMFIS_ACCEPT;

diff --git a/tests/04-helo-skipndr-pass.lua b/tests/04-helo-skipndr-pass.lua
@@ -0,0 +1,41 @@
+-- Copyright (c) 2009-2013, The Trusted Domain Project.  All rights reserved.
+mt.echo("SPF helo pass test")
+
+-- try to start the filter
+mt.startfilter("./smf-spf", "-f", "-c","tests/conf/smf-spf-tests-natip.conf")
+
+-- try to connect to it
+conn = mt.connect("inet:2424@127.0.0.1", 40, 0.25)
+if conn == nil then
+	error("mt.connect() failed")
+end
+
+-- send connection information
+-- mt.negotiate() is called implicitly
+mt.macro(conn, SMFIC_CONNECT, "j", "mta.name.local")
+if mt.conninfo(conn, "helo.underspell.com","10.11.12.13") ~= nil then
+	error("mt.conninfo() failed")
+end
+if mt.getreply(conn) ~= SMFIR_CONTINUE then
+	error("mt.conninfo() unexpected reply")
+end
+
+if mt.helo(conn, "helo.underspell.com") ~= nil then
+	error("mt.helo() failed")
+end
+if mt.getreply(conn) ~= SMFIR_CONTINUE then
+	error("mt.helo() unexpected reply")
+end
+
+-- send envelope macros and sender data
+-- mt.helo() is called implicitly
+mt.macro(conn, SMFIC_MAIL, "i", "t-empty-sender")
+if mt.mailfrom(conn, "<>") ~= nil then
+	error("mt.mailfrom() failed")
+end
+if mt.getreply(conn) ~= SMFIR_ACCEPT then
+	error("mt.mailfrom() unexpected reply")
+else
+	mt.echo ("Got ACCEPT")
+end
+mt.disconnect(conn)
diff --git a/tests/04-skip-auth-pass.lua b/tests/04-skip-auth-pass.lua
@@ -0,0 +1,39 @@
+-- Copyright (c) 2009-2013, The Trusted Domain Project.  All rights reserved.
+mt.echo("SPF skip auth test")
+
+-- try to start the filter
+mt.startfilter("./smf-spf", "-f", "-c","tests/conf/smf-spf-tests-skipauth.conf")
+
+-- try to connect to it
+conn = mt.connect("inet:2424@127.0.0.1", 40, 0.25)
+if conn == nil then
+	error("mt.connect() failed")
+end
+
+-- send connection information
+-- mt.negotiate() is called implicitly
+mt.macro(conn, SMFIC_CONNECT, "{j)", "mta.name.local")
+if mt.conninfo(conn, "localhost", "192.0.0.194") ~= nil then
+	error("mt.conninfo() failed")
+end
+if mt.getreply(conn) ~= SMFIR_CONTINUE then
+	error("mt.conninfo() unexpected reply")
+end
+
+if mt.helo(conn, "underspell.com") ~= nil then
+  error("mt.helo() failed")
+end
+if mt.getreply(conn) ~= SMFIR_CONTINUE then
+  error("mt.helo() unexpected reply")
+end
+-- send envelope macros and sender data
+mt.macro(conn, SMFIC_MAIL, "{i}", "t-verify-malformed")
+mt.macro(conn, SMFIC_MAIL, "{auth_authen}", "username@example.net")
+if mt.mailfrom(conn, "<user@underspell.com>") ~= nil then
+	error("mt.mailfrom() failed")
+end
+if mt.getreply(conn) == SMFIR_ACCEPT then
+	error("mt.mailfrom() unexpected reply")
+end
+
+mt.disconnect(conn)