NAME

Mail::SpamAssassin::Plugin::SPF - perform SPF verification tests


SYNOPSIS

  loadplugin     Mail::SpamAssassin::Plugin::SPF


DESCRIPTION

This plugin checks a message against Sender Policy Framework (SPF) records published by the domain owners in DNS to fight email address forgery and make it easier to identify spams.


USER SETTINGS

whitelist_from_spf user@example.com

Works similarly to whitelist_from, except that in addition to matching a sender address, a check against the domain's SPF record must pass. The first parameter is an address to whitelist, and the second is a string to match the relay's rDNS.

Just like whitelist_from, multiple addresses per line, separated by spaces, are OK. Multiple whitelist_from_spf lines are also OK.

The headers checked for whitelist_from_spf addresses are the same headers used for SPF checks (Envelope-From, Return-Path, X-Envelope-From, etc).

Since this whitelist requires an SPF check to be made, network tests must be enabled. It is also required that your trust path be correctly configured. See the section on trusted_networks for more info on trust paths.

e.g.

  whitelist_from_spf joe@example.com fred@example.com
  whitelist_from_spf *@example.com
def_whitelist_from_spf user@example.com

Same as whitelist_from_spf, but used for the default whitelist entries in the SpamAssassin distribution. The whitelist score is lower, because these are often targets for spammer spoofing.


ADMINISTRATOR OPTIONS

spf_timeout n (default: 5)

How many seconds to wait for an SPF query to complete, before scanning continues without the SPF result. A numeric value is optionally suffixed by a time unit (s, m, h, d, w, indicating seconds (default), minutes, hours, days, weeks).

do_not_use_mail_spf (0|1) (default: 0)

By default the plugin will try to use the Mail::SPF module for SPF checks if it can be loaded. If Mail::SPF cannot be used the plugin will fall back to using the legacy Mail::SPF::Query module if it can be loaded.

Use this option to stop the plugin from using Mail::SPF and cause it to try to use Mail::SPF::Query instead.

do_not_use_mail_spf_query (0|1) (default: 0)

As above, but instead stop the plugin from trying to use Mail::SPF::Query and cause it to only try to use Mail::SPF.

ignore_received_spf_header (0|1) (default: 0)

By default, to avoid unnecessary DNS lookups, the plugin will try to use the SPF results found in any Received-SPF headers it finds in the message that could only have been added by an internal relay.

Set this option to 1 to ignore any Received-SPF headers present and to have the plugin perform the SPF check itself.

Note that unless the plugin finds an identity=helo, or some unsupported identity, it will assume that the result is a mfrom SPF check result. The only identities supported are mfrom, mailfrom and helo.

use_newest_received_spf_header (0|1) (default: 0)

By default, when using Received-SPF headers, the plugin will attempt to use the oldest (bottom most) Received-SPF headers, that were added by internal relays, that it can parse results from since they are the most likely to be accurate. This is done so that if you have an incoming mail setup where one of your primary MXes doesn't know about a secondary MX (or your MXes don't know about some sort of forwarding relay that SA considers trusted+internal) but SA is aware of the actual domain boundary (internal_networks setting) SA will use the results that are most accurate.

Use this option to start with the newest (top most) Received-SPF headers, working downwards until results are successfully parsed.

has_check_for_spf_errors

Adds capability check for "if can()" for check_for_spf_permerror, check_for_spf_temperror, check_for_spf_helo_permerror and check_for_spf_helo_permerror


=cut

sub has_check_for_spf_errors { 1 }

# SPF support sub check_for_spf_pass { my ($self, $scanner) = @_; $self->_check_spf ($scanner, 0) unless $scanner->{spf_checked}; $scanner->{spf_pass}; }

sub check_for_spf_neutral { my ($self, $scanner) = @_; $self->_check_spf ($scanner, 0) unless $scanner->{spf_checked}; $scanner->{spf_neutral}; }

sub check_for_spf_none { my ($self, $scanner) = @_; $self->_check_spf ($scanner, 0) unless $scanner->{spf_checked}; $scanner->{spf_none}; }

sub check_for_spf_fail { my ($self, $scanner) = @_; $self->_check_spf ($scanner, 0) unless $scanner->{spf_checked}; if ($scanner->{spf_failure_comment}) { $scanner->test_log ($scanner->{spf_failure_comment}); } $scanner->{spf_fail}; }

sub check_for_spf_softfail { my ($self, $scanner) = @_; $self->_check_spf ($scanner, 0) unless $scanner->{spf_checked}; $scanner->{spf_softfail}; }

sub check_for_spf_permerror { my ($self, $scanner) = @_; $self->_check_spf ($scanner, 0) unless $scanner->{spf_checked}; $scanner->{spf_permerror}; }

sub check_for_spf_temperror { my ($self, $scanner) = @_; $self->_check_spf ($scanner, 0) unless $scanner->{spf_checked}; $scanner->{spf_temperror}; }

sub check_for_spf_helo_pass { my ($self, $scanner) = @_; $self->_check_spf ($scanner, 1) unless $scanner->{spf_helo_checked}; $scanner->{spf_helo_pass}; }

sub check_for_spf_helo_neutral { my ($self, $scanner) = @_; $self->_check_spf ($scanner, 1) unless $scanner->{spf_helo_checked}; $scanner->{spf_helo_neutral}; }

sub check_for_spf_helo_none { my ($self, $scanner) = @_; $self->_check_spf ($scanner, 1) unless $scanner->{spf_helo_checked}; $scanner->{spf_helo_none}; }

sub check_for_spf_helo_fail { my ($self, $scanner) = @_; $self->_check_spf ($scanner, 1) unless $scanner->{spf_helo_checked}; if ($scanner->{spf_helo_failure_comment}) { $scanner->test_log ($scanner->{spf_helo_failure_comment}); } $scanner->{spf_helo_fail}; }

sub check_for_spf_helo_softfail { my ($self, $scanner) = @_; $self->_check_spf ($scanner, 1) unless $scanner->{spf_helo_checked}; $scanner->{spf_helo_softfail}; }

sub check_for_spf_helo_permerror { my ($self, $scanner) = @_; $self->_check_spf ($scanner, 1) unless $scanner->{spf_helo_checked}; $scanner->{spf_helo_permerror}; }

sub check_for_spf_helo_temperror { my ($self, $scanner) = @_; $self->_check_spf ($scanner, 1) unless $scanner->{spf_helo_checked}; $scanner->{spf_helo_temperror}; }

sub check_for_spf_whitelist_from { my ($self, $scanner) = @_; $self->_check_spf_whitelist($scanner) unless $scanner->{spf_whitelist_from_checked}; $scanner->{spf_whitelist_from}; }

sub check_for_def_spf_whitelist_from { my ($self, $scanner) = @_; $self->_check_def_spf_whitelist($scanner) unless $scanner->{def_spf_whitelist_from_checked}; $scanner->{def_spf_whitelist_from}; }

sub _check_spf { my ($self, $scanner, $ishelo) = @_;

  my $timer = $self->{main}->time_method("check_spf");
  # we can re-use results from any *INTERNAL* Received-SPF header in the message...
  # we can't use results from trusted but external hosts since (i) spf checks are
  # supposed to be done "on the domain boundary", (ii) even if an external header 
  # has a result that matches what we would get, the check was probably done on a
  # different envelope (like the apache.org list servers checking the ORCPT and
  # then using a new envelope to send the mail from the list) and (iii) if the
  # checks are being done right and the envelope isn't being changed it's 99%
  # likely that the trusted+external host really should be defined as part of your
  # internal network
  if ($scanner->{conf}->{ignore_received_spf_header}) {
    dbg("spf: ignoring any Received-SPF headers from internal hosts, by admin setting");
  } elsif ($scanner->{checked_for_received_spf_header}) {
    dbg("spf: already checked for Received-SPF headers, proceeding with DNS based checks");
  } else {
    $scanner->{checked_for_received_spf_header} = 1;
    dbg("spf: checking to see if the message has a Received-SPF header that we can use");
    my @internal_hdrs = split("\n", $scanner->get('ALL-INTERNAL'));
    unless ($scanner->{conf}->{use_newest_received_spf_header}) {
      # look for the LAST (earliest in time) header, it'll be the most accurate
      @internal_hdrs = reverse(@internal_hdrs);
    } else {
      dbg("spf: starting with the newest Received-SPF headers first");
    }
    foreach my $hdr (@internal_hdrs) {
      local($1,$2);
      if ($hdr =~ /^received-spf:/i) {
        dbg("spf: found a Received-SPF header added by an internal host: $hdr");
        # old version:
        # Received-SPF: pass (herse.apache.org: domain of spamassassin@dostech.ca
        #       designates 69.61.78.188 as permitted sender)
        # new version:
        # Received-SPF: pass (dostech.ca: 69.61.78.188 is authorized to use
        #       'spamassassin@dostech.ca' in 'mfrom' identity (mechanism 'mx' matched))
        #       receiver=FC5-VPC; identity=mfrom; envelope-from="spamassassin@dostech.ca";
        #       helo=smtp.dostech.net; client-ip=69.61.78.188
        # Received-SPF: pass (dostech.ca: 69.61.78.188 is authorized to use 'dostech.ca'
        #       in 'helo' identity (mechanism 'mx' matched)) receiver=FC5-VPC; identity=helo;
        #       helo=dostech.ca; client-ip=69.61.78.188
        # http://www.openspf.org/RFC_4408#header-field
        # wtf - for some reason something is sticking an extra space between the header name and field value
        if ($hdr =~ /^received-spf:\s*(pass|neutral|(?:soft)?fail|none)\b(?:.*\bidentity=(\S+?);?\b)?/i) {
          my $result = lc($1);
          my $identity = '';    # we assume it's a mfrom check if we can't tell otherwise
          if (defined $2) {
            $identity = lc($2);
            if ($identity eq 'mfrom' || $identity eq 'mailfrom') {
              next if $scanner->{spf_checked};
              $identity = '';
            } elsif ($identity eq 'helo') {
              next if $scanner->{spf_helo_checked};
              $identity = 'helo_';
            } else {
              dbg("spf: found unknown identity value, cannot use: $identity");
              next;     # try the next Received-SPF header, if any
            }
          } else {
            next if $scanner->{spf_checked};
          }
          # we'd set these if we actually did the check
          $scanner->{"spf_${identity}checked"} = 1;
          $scanner->{"spf_${identity}pass"} = 0;
          $scanner->{"spf_${identity}neutral"} = 0;
          $scanner->{"spf_${identity}none"} = 0;
          $scanner->{"spf_${identity}fail"} = 0;
          $scanner->{"spf_${identity}softfail"} = 0;
          $scanner->{"spf_${identity}failure_comment"} = undef;
          # and the result
          $scanner->{"spf_${identity}${result}"} = 1;
          dbg("spf: re-using %s result from Received-SPF header: %s",
              ($identity ? 'helo' : 'mfrom'), $result);
          # if we've got *both* the mfrom and helo results we're done
          return if ($scanner->{spf_checked} && $scanner->{spf_helo_checked});
        } else {
          dbg("spf: could not parse result from existing Received-SPF header");
        }
      } elsif ($hdr =~ /^Authentication-Results:.*;\s*SPF\s*=\s*([^;]*)/i) {
        dbg("spf: found an Authentication-Results header added by an internal host: $hdr");
        # RFC 5451 header parser - added by D. Stussy 2010-09-09:
        # Authentication-Results: mail.example.com; SPF=none smtp.mailfrom=example.org (comment)
        my $tmphdr = $1;
        if ($tmphdr =~ /^(pass|neutral|(?:hard|soft)?fail|none)(?:[^;]*?\bsmtp\.(\S+)\s*=[^;]+)?/i) {
          my $result = lc($1);
          $result = 'fail'  if $result eq 'hardfail';  # RFC5451 permits this
          my $identity = '';    # we assume it's a mfrom check if we can't tell otherwise
          if (defined $2) {
            $identity = lc($2);
            if ($identity eq 'mfrom' || $identity eq 'mailfrom') {
              next if $scanner->{spf_checked};
              $identity = '';
            } elsif ($identity eq 'helo') {
              next if $scanner->{spf_helo_checked};
              $identity = 'helo_';
            } else {
              dbg("spf: found unknown identity value, cannot use: $identity");
              next;     # try the next Authentication-Results header, if any
            }
          } else {
            next if $scanner->{spf_checked};
          }
          # we'd set these if we actually did the check
          $scanner->{"spf_${identity}checked"} = 1;
          $scanner->{"spf_${identity}pass"} = 0;
          $scanner->{"spf_${identity}neutral"} = 0;
          $scanner->{"spf_${identity}none"} = 0;
          $scanner->{"spf_${identity}fail"} = 0;
          $scanner->{"spf_${identity}softfail"} = 0;
          $scanner->{"spf_${identity}failure_comment"} = undef;
          # and the result
          $scanner->{"spf_${identity}${result}"} = 1;
          dbg("spf: re-using %s result from Authentication-Results header: %s",
               ($identity ? 'helo' : 'mfrom'), $result);
          # if we've got *both* the mfrom and helo results we're done
          return if ($scanner->{spf_checked} && $scanner->{spf_helo_checked});
        } else {
          dbg("spf: could not parse result from existing Authentication-Results header");
        }
      }
    }
    # we can return if we've found the one we're being asked to get
    return if ( ($ishelo && $scanner->{spf_helo_checked}) ||
                (!$ishelo && $scanner->{spf_checked}) );
  }
  # abort if dns or an spf module isn't available
  return unless $scanner->is_dns_available();
  return if $self->{no_spf_module};
  # select the SPF module we're going to use
  unless (defined $self->{has_mail_spf}) {
    my $eval_stat;
    eval {
      die("Mail::SPF disabled by admin setting\n") if $scanner->{conf}->{do_not_use_mail_spf};
      require Mail::SPF;
      if (!defined $Mail::SPF::VERSION || $Mail::SPF::VERSION < 2.001) {
        die "Mail::SPF 2.001 or later required, this is ".
          (defined $Mail::SPF::VERSION ? $Mail::SPF::VERSION : 'unknown')."\n";
      }
      # Mail::SPF::Server can be re-used, and we get to use our own resolver object!
      $self->{spf_server} = Mail::SPF::Server->new(
                                hostname     => $scanner->get_tag('HOSTNAME'),
                                dns_resolver => $self->{main}->{resolver},
                                max_dns_interactive_terms => 15);
      # Bug 7112: max_dns_interactive_terms defaults to 10, but even 14 is
      # not enough for ebay.com, setting it to 15
      1;
    } or do {
      $eval_stat = $@ ne '' ? $@ : "errno=$!";  chomp $eval_stat;
    };
    if (!defined($eval_stat)) {
      dbg("spf: using Mail::SPF for SPF checks");
      $self->{has_mail_spf} = 1;
    } else {
      # strip the @INC paths... users are going to see it and think there's a problem even though
      # we're going to fall back to Mail::SPF::Query (which will display the same paths if it fails)
      $eval_stat =~ s#^Can't locate Mail/SPFd.pm in \@INC .*#Can't locate Mail/SPFd.pm#;
      dbg("spf: cannot load Mail::SPF module or create Mail::SPF::Server object: $eval_stat");
      dbg("spf: attempting to use legacy Mail::SPF::Query module instead");
      undef $eval_stat;
      eval {
        die("Mail::SPF::Query disabled by admin setting\n") if $scanner->{conf}->{do_not_use_mail_spf_query};
        require Mail::SPF::Query;
        if (!defined $Mail::SPF::Query::VERSION || $Mail::SPF::Query::VERSION < 1.996) {
          die "Mail::SPF::Query 1.996 or later required, this is ".
            (defined $Mail::SPF::Query::VERSION ? $Mail::SPF::Query::VERSION : 'unknown')."\n";
        }
        1;
      } or do {
        $eval_stat = $@ ne '' ? $@ : "errno=$!";  chomp $eval_stat;
      };
      if (!defined($eval_stat)) {
        dbg("spf: using Mail::SPF::Query for SPF checks");
        $self->{has_mail_spf} = 0;
      } else {
        dbg("spf: cannot load Mail::SPF::Query module: $eval_stat");
        dbg("spf: one of Mail::SPF or Mail::SPF::Query is required for SPF checks, SPF checks disabled");
        $self->{no_spf_module} = 1;
        return;
      }
    }
  }
  # skip SPF checks if the A/MX records are nonexistent for the From
  # domain, anyway, to avoid crappy messages from slowing us down
  # (bug 3016)
  return if $scanner->check_for_from_dns();
  if ($ishelo) {
    # SPF HELO-checking variant
    $scanner->{spf_helo_checked} = 1;
    $scanner->{spf_helo_pass} = 0;
    $scanner->{spf_helo_neutral} = 0;
    $scanner->{spf_helo_none} = 0;
    $scanner->{spf_helo_fail} = 0;
    $scanner->{spf_helo_softfail} = 0;
    $scanner->{spf_helo_permerror} = 0;
    $scanner->{spf_helo_temperror} = 0;
    $scanner->{spf_helo_failure_comment} = undef;
  } else {
    # SPF on envelope sender (where possible)
    $scanner->{spf_checked} = 1;
    $scanner->{spf_pass} = 0;
    $scanner->{spf_neutral} = 0;
    $scanner->{spf_none} = 0;
    $scanner->{spf_fail} = 0;
    $scanner->{spf_softfail} = 0;
    $scanner->{spf_permerror} = 0;
    $scanner->{spf_temperror} = 0;
    $scanner->{spf_failure_comment} = undef;
  }
  my $lasthop = $self->_get_relay($scanner);
  if (!defined $lasthop) {
    dbg("spf: no suitable relay for spf use found, skipping SPF%s check",
        $ishelo ? '-helo' : '');
    return;
  }
  my $ip = $lasthop->{ip};      # always present
  my $helo = $lasthop->{helo};  # could be missing
  $scanner->{sender} = '' unless $scanner->{sender_got};
  if ($ishelo) {
    unless ($helo) {
      dbg("spf: cannot check HELO, HELO value unknown");
      return;
    }
    dbg("spf: checking HELO (helo=$helo, ip=$ip)");
  } else {
    $self->_get_sender($scanner) unless $scanner->{sender_got};
    # TODO: we're supposed to use the helo domain as the sender identity (for
    # mfrom checks) if the sender is the null sender, however determining that
    # it's the null sender, and not just a failure to get the envelope isn't
    # exactly trivial... so for now we'll just skip the check
    if (!$scanner->{sender}) {
      # we already dbg'd that we couldn't get an Envelope-From and can't do SPF
      return;
    }
    dbg("spf: checking EnvelopeFrom (helo=%s, ip=%s, envfrom=%s)",
        ($helo ? $helo : ''), $ip, $scanner->{sender});
  }
  # this test could probably stand to be more strict, but try to test
  # any invalid HELO hostname formats with a header rule
  if ($ishelo && ($helo =~ /^[\[!]?\d+\.\d+\.\d+\.\d+[\]!]?$/ || $helo =~ /^[^.]+$/)) {
    dbg("spf: cannot check HELO of '$helo', skipping");
    return;
  }
  if ($helo && $scanner->server_failed_to_respond_for_domain($helo)) {
    dbg("spf: we had a previous timeout on '$helo', skipping");
    return;
  }
  my ($result, $comment, $text, $err);
  # use Mail::SPF if it was available, otherwise use the legacy Mail::SPF::Query
  if ($self->{has_mail_spf}) {
    # TODO: currently we won't get to here for a mfrom check with a null sender
    my $identity = $ishelo ? $helo : ($scanner->{sender}); # || $helo);
    unless ($identity) {
      dbg("spf: cannot determine %s identity, skipping %s SPF check",
          ($ishelo ? 'helo' : 'mfrom'),  ($ishelo ? 'helo' : 'mfrom') );
      return;
    }
    $helo ||= 'unknown';  # only used for macro expansion in the mfrom explanation
    my $request;
    eval {
      $request = Mail::SPF::Request->new( scope         => $ishelo ? 'helo' : 'mfrom',
                                          identity      => $identity,
                                          ip_address    => $ip,
                                          helo_identity => $helo );
      1;
    } or do {
      my $eval_stat = $@ ne '' ? $@ : "errno=$!";  chomp $eval_stat;
      dbg("spf: cannot create Mail::SPF::Request object: $eval_stat");
      return;
    };
    my $timeout = $scanner->{conf}->{spf_timeout};
    my $timer = Mail::SpamAssassin::Timeout->new(
                { secs => $timeout, deadline => $scanner->{master_deadline} });
    $err = $timer->run_and_catch(sub {
      my $query = $self->{spf_server}->process($request);
      $result = $query->code;
      $comment = $query->authority_explanation if $query->can("authority_explanation");
      $text = $query->text;
    });
  } else {
    if (!$helo) {
      dbg("spf: cannot get HELO, cannot use Mail::SPF::Query, consider installing Mail::SPF");
      return;
    }
    # TODO: if we start doing checks on the null sender using the helo domain
    # be sure to fix this so that it uses the correct sender identity
    my $query;
    eval {
      $query = Mail::SPF::Query->new (ip => $ip,
                                    sender => $scanner->{sender},
                                    helo => $helo,
                                    debug => 0,
                                    trusted => 0);
      1;
    } or do {
      my $eval_stat = $@ ne '' ? $@ : "errno=$!";  chomp $eval_stat;
      dbg("spf: cannot create Mail::SPF::Query object: $eval_stat");
      return;
    };
    my $timeout = $scanner->{conf}->{spf_timeout};
    my $timer = Mail::SpamAssassin::Timeout->new(
                { secs => $timeout, deadline => $scanner->{master_deadline} });
    $err = $timer->run_and_catch(sub {
      ($result, $comment) = $query->result();
    });
  } # end of differences between Mail::SPF and Mail::SPF::Query
  if ($err) {
    chomp $err;
    warn("spf: lookup failed: $err\n");
    return 0;
  }
  $result ||= 'timeout';        # bug 5077
  $comment ||= '';
  $comment =~ s/\s+/ /gs;       # no newlines please
  $text ||= '';
  $text =~ s/\s+/ /gs;          # no newlines please
  if ($ishelo) {
    if ($result eq 'pass') { $scanner->{spf_helo_pass} = 1; }
    elsif ($result eq 'neutral') { $scanner->{spf_helo_neutral} = 1; }
    elsif ($result eq 'none') { $scanner->{spf_helo_none} = 1; }
    elsif ($result eq 'fail') { $scanner->{spf_helo_fail} = 1; }
    elsif ($result eq 'softfail') { $scanner->{spf_helo_softfail} = 1; }
    elsif ($result eq 'permerror') { $scanner->{spf_helo_permerror} = 1; }
    elsif ($result eq 'temperror') { $scanner->{spf_helo_temperror} = 1; }
    elsif ($result eq 'error') { $scanner->{spf_helo_temperror} = 1; }
    if ($result eq 'fail') {    # RFC 4408 6.2
      $scanner->{spf_helo_failure_comment} = "SPF failed: $comment";
    }
  } else {
    if ($result eq 'pass') { $scanner->{spf_pass} = 1; }
    elsif ($result eq 'neutral') { $scanner->{spf_neutral} = 1; }
    elsif ($result eq 'none') { $scanner->{spf_none} = 1; }
    elsif ($result eq 'fail') { $scanner->{spf_fail} = 1; }
    elsif ($result eq 'softfail') { $scanner->{spf_softfail} = 1; }
    elsif ($result eq 'permerror') { $scanner->{spf_permerror} = 1; }
    elsif ($result eq 'temperror') { $scanner->{spf_temperror} = 1; }
    elsif ($result eq 'error') { $scanner->{spf_temperror} = 1; }
    if ($result eq 'fail') {    # RCF 4408 6.2
      $scanner->{spf_failure_comment} = "SPF failed: $comment";
    }
  }
  dbg("spf: query for $scanner->{sender}/$ip/$helo: result: $result, comment: $comment, text: $text");
}

sub _get_relay { my ($self, $scanner) = @_;

  # dos: first external relay, not first untrusted
  return $scanner->{relays_external}->[0];
}

sub _get_sender { my ($self, $scanner) = @_; my $sender;

  $scanner->{sender_got} = 1;
  $scanner->{sender} = '';
  my $relay = $self->_get_relay($scanner);
  if (defined $relay) {
    $sender = $relay->{envfrom};
  }
  if ($sender) {
    dbg("spf: found Envelope-From in first external Received header");
  }
  else {
    # We cannot use the env-from data, since it went through 1 or more relays 
    # since the untrusted sender and they may have rewritten it.
    if ($scanner->{num_relays_trusted} > 0 && !$scanner->{conf}->{always_trust_envelope_sender}) {
      dbg("spf: relayed through one or more trusted relays, cannot use header-based Envelope-From, skipping");
      return;
    }
    # we can (apparently) use whatever the current Envelope-From was,
    # from the Return-Path, X-Envelope-From, or whatever header.
    # it's better to get it from Received though, as that is updated
    # hop-by-hop.
    $sender = $scanner->get("EnvelopeFrom:addr");
  }
  if (!$sender) {
    dbg("spf: cannot get Envelope-From, cannot use SPF");
    return;  # avoid setting $scanner->{sender} to undef
  }
  return $scanner->{sender} = lc $sender;
}

sub _check_spf_whitelist { my ($self, $scanner) = @_;

  $scanner->{spf_whitelist_from_checked} = 1;
  $scanner->{spf_whitelist_from} = 0;
  # if we've already checked for an SPF PASS and didn't get it don't waste time
  # checking to see if the sender address is in the spf whitelist
  if ($scanner->{spf_checked} && !$scanner->{spf_pass}) {
    dbg("spf: whitelist_from_spf: already checked spf and didn't get pass, skipping whitelist check");
    return;
  }
  $self->_get_sender($scanner) unless $scanner->{sender_got};
  unless ($scanner->{sender}) {
    dbg("spf: spf_whitelist_from: could not find useable envelope sender");
    return;
  }
  $scanner->{spf_whitelist_from} = $self->_wlcheck($scanner,'whitelist_from_spf');
  if (!$scanner->{spf_whitelist_from}) {
    $scanner->{spf_whitelist_from} = $self->_wlcheck($scanner, 'whitelist_auth');
  }
  # if the message doesn't pass SPF validation, it can't pass an SPF whitelist
  if ($scanner->{spf_whitelist_from}) {
    if ($self->check_for_spf_pass($scanner)) {
      dbg("spf: whitelist_from_spf: $scanner->{sender} is in user's WHITELIST_FROM_SPF and passed SPF check");
    } else {
      dbg("spf: whitelist_from_spf: $scanner->{sender} is in user's WHITELIST_FROM_SPF but failed SPF check");
      $scanner->{spf_whitelist_from} = 0;
    }
  } else {
    dbg("spf: whitelist_from_spf: $scanner->{sender} is not in user's WHITELIST_FROM_SPF");
  }
}

sub _check_def_spf_whitelist { my ($self, $scanner) = @_;

  $scanner->{def_spf_whitelist_from_checked} = 1;
  $scanner->{def_spf_whitelist_from} = 0;
  # if we've already checked for an SPF PASS and didn't get it don't waste time
  # checking to see if the sender address is in the spf whitelist
  if ($scanner->{spf_checked} && !$scanner->{spf_pass}) {
    dbg("spf: def_spf_whitelist_from: already checked spf and didn't get pass, skipping whitelist check");
    return;
  }
  $self->_get_sender($scanner) unless $scanner->{sender_got};
  unless ($scanner->{sender}) {
    dbg("spf: def_spf_whitelist_from: could not find useable envelope sender");
    return;
  }
  $scanner->{def_spf_whitelist_from} = $self->_wlcheck($scanner,'def_whitelist_from_spf');
  if (!$scanner->{def_spf_whitelist_from}) {
    $scanner->{def_spf_whitelist_from} = $self->_wlcheck($scanner, 'def_whitelist_auth');
  }
  # if the message doesn't pass SPF validation, it can't pass an SPF whitelist
  if ($scanner->{def_spf_whitelist_from}) {
    if ($self->check_for_spf_pass($scanner)) {
      dbg("spf: def_whitelist_from_spf: $scanner->{sender} is in DEF_WHITELIST_FROM_SPF and passed SPF check");
    } else {
      dbg("spf: def_whitelist_from_spf: $scanner->{sender} is in DEF_WHITELIST_FROM_SPF but failed SPF check");
      $scanner->{def_spf_whitelist_from} = 0;
    }
  } else {
    dbg("spf: def_whitelist_from_spf: $scanner->{sender} is not in DEF_WHITELIST_FROM_SPF");
  }
}

sub _wlcheck { my ($self, $scanner, $param) = @_; if (defined ($scanner->{conf}->{$param}->{$scanner->{sender}})) { return 1; } else { study $scanner->{sender}; # study is a no-op since perl 5.16.0 foreach my $regexp (values %{$scanner->{conf}->{$param}}) { if ($scanner->{sender} =~ qr/$regexp/i) { return 1; } } } return 0; }

###########################################################################

1;