jcbf · jcbf · Mar 17, 2020 · Mar 5, 2020 · Mar 5, 2020 · Mar 5, 2020
diff --git a/smf-spf-tests-fixedip-fail.conf b/smf-spf-tests-fixedip-fail.conf
@@ -0,0 +1,9 @@
+WhitelistIP	192.168.0.0/16
+relaxedlocalpart on
+tagsubject off
+RejectReason 	"Rejeitado"
+User		nobody
+Socket		inet:2424@127.0.0.1
+Syslog		mail	# (daemon|mail|local0...local7)
+Daemonize off # (on|off)
+AuthservID  mail.example.com
diff --git a/smf-spf-tests-fixedip.conf b/smf-spf-tests-fixedip.conf
@@ -0,0 +1,12 @@
+WhitelistIP	192.168.0.0/16
+RefuseFail	off	# (on|off)
+
+relaxedlocalpart on
+tagsubject off
+FixedClientIP 195.22.26.194
+RefuseFail on
+User		nobody
+Socket		inet:2424@127.0.0.1
+Syslog		mail	# (daemon|mail|local0...local7)
+Daemonize off # (on|off)
+AuthservID  mail.example.com
diff --git a/smf-spf.c b/smf-spf.c
@@ -62,6 +62,7 @@
 #define QUARANTINE		0
 #define DAEMONIZE		1
 #define VERSION			"2.4.3"
+#define REJECT_REASON	"Rejected, look at http://www.openspf.org/why.html?sender=%s&ip=%s&receiver=%s"
 
 #define MAXLINE			258
 #define MAXLOCALPART	64
@@ -136,7 +137,7 @@ typedef struct config {
     STR *ptrs;
     STR *froms;
     STR *tos;
-    int relaxed_locapart;
+    int relaxed_localpart;
     int refuse_fail;
     int refuse_none;
     int refuse_none_helo;
@@ -149,6 +150,8 @@ typedef struct config {
     int syslog_facility;
     int daemonize;
     unsigned long spf_ttl;
+    char *fixed_ip;
+    char *reject_reason;
 } config;
 
 typedef struct facilities {
@@ -328,6 +331,8 @@ static void free_config(void) {
     SAFE_FREE(conf.quarantine_box);
     SAFE_FREE(conf.run_as_user);
     SAFE_FREE(conf.sendmail_socket);
+    SAFE_FREE(conf.fixed_ip);
+    SAFE_FREE(conf.reject_reason);
     if (conf.cidrs) {
 	CIDR *it = conf.cidrs, *it_next;
 
@@ -375,11 +380,13 @@ static int load_config(void) {
 
     conf.tag = strdup(TAG_STRING);
     conf.quarantine_box = strdup(QUARANTINE_BOX);
+    conf.fixed_ip = NULL;
+    conf.reject_reason = strdup(REJECT_REASON);
     conf.run_as_user = strdup(USER);
     conf.sendmail_socket = strdup(OCONN);
     conf.syslog_facility = SYSLOG_FACILITY;
     conf.refuse_fail = REFUSE_FAIL;
-    conf.relaxed_locapart = RELAXED_LOCALPART;
+    conf.relaxed_localpart = RELAXED_LOCALPART;
     conf.refuse_none = REFUSE_NONE;
     conf.refuse_none_helo = REFUSE_NONE_HELO;
     conf.soft_fail = SOFT_FAIL;
@@ -488,7 +495,7 @@ static int load_config(void) {
 	    continue;
 	}
 	if (!strcasecmp(key, "relaxedlocalpart") && !strcasecmp(val, "on")) {
-	    conf.relaxed_locapart= 1;
+	    conf.relaxed_localpart= 1;
 	    continue;
 	}
 	if (!strcasecmp(key, "refusefail") && !strcasecmp(val, "off")) {
@@ -520,6 +527,15 @@ static int load_config(void) {
 	    conf.daemonize = 0;
 	    continue;
 	}
+	if (!strcasecmp(key, "fixedclientip")) {
+	    conf.fixed_ip = strdup(val);
+	    continue;
+	}
+	if (!strcasecmp(key, "rejectreason")) {
+	    SAFE_FREE(conf.reject_reason);
+	    conf.reject_reason = strdup(val);
+	    continue;
+	}
 	if (!strcasecmp(key, "quarantinebox")) {
 	    SAFE_FREE(conf.quarantine_box);
 	    conf.quarantine_box = strdup(val);
@@ -642,7 +658,7 @@ static int address_preparation(register char *dst, register const char *src) {
     if ((dst[tail] >= 0x07 && dst[tail] <= 0x0d) || dst[tail] == 0x20) return 0;
     local = strchr(start, '@');
     if (!local) return 0;
-    if (!conf.relaxed_locapart && ((local - start) > MAXLOCALPART)) return 0;
+    if (!conf.relaxed_localpart && ((local - start) > MAXLOCALPART)) return 0;
     return 1;
 }
 
@@ -703,7 +719,10 @@ static sfsistat smf_connect(SMFICTX *ctx, char *name, _SOCK_ADDR *sa) {
 			return SMFIS_ACCEPT; // LCOV_EXCL_LINE
     }
     smfi_setpriv(ctx, context);
-    strscpy(context->addr, host, sizeof(context->addr) - 1);
+    if (conf.fixed_ip) 
+            strscpy(context->addr, conf.fixed_ip, sizeof(context->addr) - 1);
+    else
+            strscpy(context->addr, host, sizeof(context->addr) - 1);
     strscpy(context->fqdn, name, sizeof(context->fqdn) - 1);
     strscpy(context->helo, "undefined", sizeof(context->helo) - 1);
     return SMFIS_CONTINUE;
@@ -773,7 +792,7 @@ static sfsistat smf_envfrom(SMFICTX *ctx, char **args) {
 	    if (status == SPF_RESULT_FAIL && conf.refuse_fail && !conf.tos) {
 		char reject[2 * MAXLINE];
 
-		snprintf(reject, sizeof(reject), "Rejected, look at http://www.openspf.org/why.html?sender=%s&ip=%s&receiver=%s", context->sender, context->addr, context->site);
+		snprintf(reject, sizeof(reject), conf.reject_reason, context->sender, context->addr, context->site);
         if (conf.soft_fail) {
                 smfi_setreply(ctx, "450", "4.7.23", reject);
                 return SMFIS_TEMPFAIL;
@@ -859,7 +878,7 @@ static sfsistat smf_envfrom(SMFICTX *ctx, char **args) {
     if (status == SPF_RESULT_FAIL && conf.refuse_fail && !conf.tos) {
 	char reject[2 * MAXLINE];
 
-	snprintf(reject, sizeof(reject), "Rejected, look at http://www.openspf.org/why.html?sender=%s&ip=%s&receiver=%s", context->sender, context->addr, context->site);
+	snprintf(reject, sizeof(reject), conf.reject_reason, context->sender, context->addr, context->site);
 	if (spf_response) SPF_response_free(spf_response);
 	if (spf_request) SPF_request_free(spf_request);
 	if (spf_server) SPF_server_free(spf_server);
@@ -897,7 +916,7 @@ static sfsistat smf_envrcpt(SMFICTX *ctx, char **args) {
 	if (context->status == SPF_RESULT_FAIL && conf.refuse_fail) {
 	    char reject[2 * MAXLINE];
 
-	    snprintf(reject, sizeof(reject), "Rejected, look at http://www.openspf.org/why.html?sender=%s&ip=%s&receiver=%s", context->sender, context->addr, context->site);
+	    snprintf(reject, sizeof(reject), conf.reject_reason, context->sender, context->addr, context->site);
         if (conf.soft_fail) {
                 smfi_setreply(ctx, "450", "4.1.1", reject);
                 return SMFIS_TEMPFAIL;

diff --git a/smf-spf.conf b/smf-spf.conf
@@ -36,6 +36,15 @@ WhitelistIP	192.168.0.0/16
 #WhitelistTo	@yourspamloverdomain.tld
 #WhitelistTo	spamlover@yourdomain.tld
 
+# FixedClientIP allows SPF evaluation with a fixed IP
+# This can be applied in submission port and would allow to block
+# messages that will fail SPF evaluation on the next hop.
+#
+# Default: none
+#
+#FixedClientIP	 192.0.0.1
+
+#
 # Don't check localpart size. RFC 821/2821/5321 states
 # localpart must be less that 64 octects. With relaxed on
 # only total mailfrom ( localpart @ domain.tld ) size is checked

diff --git a/tests/04-fixed-client-fail.lua b/tests/04-fixed-client-fail.lua
@@ -0,0 +1,33 @@
+-- Copyright (c) 2009-2013, The Trusted Domain Project.  All rights reserved.
+mt.echo("SPF pass  test")
+
+-- try to start the filter
+mt.startfilter("./smf-spf", "-f", "-c","./smf-spf-tests-fixedip-fail.conf")
+
+-- try to connect to it
+conn = mt.connect("inet:2424@127.0.0.1", 40, 0.25)
+if conn == nil then
+	error("mt.connect() failed")
+end
+
+-- send connection information
+-- mt.negotiate() is called implicitly
+mt.macro(conn, SMFIC_CONNECT, "j", "mta.name.local")
+if mt.conninfo(conn, "localhost", "192.0.0.194") ~= nil then
+	error("mt.conninfo() failed")
+end
+if mt.getreply(conn) ~= SMFIR_CONTINUE then
+	error("mt.conninfo() unexpected reply")
+end
+
+-- send envelope macros and sender data
+-- mt.helo() is called implicitly
+mt.macro(conn, SMFIC_MAIL, "i", "t-verify-malformed")
+if mt.mailfrom(conn, "<user@underspell.com>") ~= nil then
+	error("mt.mailfrom() failed")
+end
+if mt.getreply(conn) ~= SMFIR_REPLYCODE then
+	error("mt.mailfrom() unexpected reply")
+end
+
+mt.disconnect(conn)
diff --git a/tests/04-fixed-client-pass.lua b/tests/04-fixed-client-pass.lua
@@ -0,0 +1,81 @@
+-- Copyright (c) 2009-2013, The Trusted Domain Project.  All rights reserved.
+mt.echo("SPF pass  test")
+
+-- try to start the filter
+mt.startfilter("./smf-spf", "-f", "-c","./smf-spf-tests-fixedip.conf")
+
+-- try to connect to it
+conn = mt.connect("inet:2424@127.0.0.1", 40, 0.25)
+if conn == nil then
+	error("mt.connect() failed")
+end
+
+-- send connection information
+-- mt.negotiate() is called implicitly
+mt.macro(conn, SMFIC_CONNECT, "j", "mta.name.local")
+if mt.conninfo(conn, "localhost", "192.0.0.194") ~= nil then
+	error("mt.conninfo() failed")
+end
+if mt.getreply(conn) ~= SMFIR_CONTINUE then
+	error("mt.conninfo() unexpected reply")
+end
+
+-- send envelope macros and sender data
+-- mt.helo() is called implicitly
+mt.macro(conn, SMFIC_MAIL, "i", "t-verify-malformed")
+if mt.mailfrom(conn, "<user@underspell.com>") ~= nil then
+	error("mt.mailfrom() failed")
+end
+if mt.getreply(conn) ~= SMFIR_CONTINUE then
+	error("mt.mailfrom() unexpected reply")
+end
+
+mt.macro(conn, SMFIC_RCPT, "i", "t-verify-malformed")
+if mt.rcptto(conn, "<user@example.net>") ~= nil then
+	error("mt.rcptto() failed")
+end
+if mt.getreply(conn) ~= SMFIR_CONTINUE then
+	error("mt.rcptto() unexpected reply")
+end
+
+-- send headers
+-- mt.rcptto() is called implicitly
+if mt.header(conn, "From", "user") ~= nil then
+	error("mt.header(From) failed")
+end
+if mt.getreply(conn) ~= SMFIR_CONTINUE then
+	error("mt.header(From) unexpected reply")
+end
+if mt.header(conn, "Date", "Tue, 22 Dec 2009 13:04:12 -0800") ~= nil then
+	error("mt.header(Date) failed")
+end
+if mt.getreply(conn) ~= SMFIR_CONTINUE then
+	error("mt.header(Date) unexpected reply")
+end
+if mt.header(conn, "Subject", "Signing test") ~= nil then
+	error("mt.header(Subject) failed")
+end
+if mt.getreply(conn) ~= SMFIR_CONTINUE then
+	error("mt.header(Subject) unexpected reply")
+end
+
+-- end of message; let the filter react
+if mt.eom(conn) ~= nil then
+	error("mt.eom() failed")
+end
+
+-- verify that the right Authentication-Results header field got added
+if mt.eom_check(conn, MT_HDRINSERT, "Authentication-Results") or
+   mt.eom_check(conn, MT_HDRADD, "Authentication-Results") then
+	ar = mt.getheader(conn, "Authentication-Results", 0)
+	if string.find(ar, "spf=pass", 1, true) == nil then
+		error("incorrect Authentication-Results field")
+	else
+		mt.echo("SPF pass ")
+	end
+else
+	mt.echo ("Got header Authentication-Results: " .. ar)
+	error("missing Authentication-Results field")
+end
+
+mt.disconnect(conn)