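#!/bin/rc
# validatesender: decide whether an inbound SMTP sender should be accepted.
#
#	usage: validatesender [-n /net] dom user [ip [hellodom]]
#
# Every argument is presumably taken from the live SMTP session (sender
# domain, sender user, connecting ip, HELO name) and so must be treated as
# attacker-controlled. rc does not re-split variables into words, so passing
# them as $dom/$addr/$ip/$helo below is not a shell-injection path, but they
# do flow into a network dial string and into upas/spf and /mail/lib/spamhaus.
#
# Exit status is the verdict read by the caller:
#	''		accept
#	'rejected: ...'	permanent rejection
#	'deferred: ...'	temporary failure, try later
# Everything the script does is appended to $log, prefixed with $h so the
# lines from one run (time, host, pid) can be pulled back together.
rfork en

# force non-explicit matches to fail. gmail specifies allowed hosts, but
# then says ?all, defeating all that work. just fail jerks impersonating google.
spfescalate=(gmail.com)
# ignore spf results from these domains
spfign=()

fn usage{
	echo 'usage: validatesender [-n /net] dom user [ip [hellodom]]' >[1=2]
	exit usage
}

# checkspf dom ip user hellodom
# Runs upas/spf on the sender and exits the script with the spf verdict when
# it is not a pass; a clean return means "no objection". Results for domains
# in $spfign are logged but never acted on.
fn checkspf{
	str=($h spf $*)
	spfflag=-v
	# NOTE: the original tested $escalatespf, which is never set, so the
	# escalation configured in $spfescalate above could never take effect.
	if(~ $1 $spfescalate)
		spfflag=$spfflag^e
	upas/spf $spfflag $* >[2=1] | sed 's:^:'^$"str^' -> :g' >>$log
	# $status of a pipeline is the per-stage statuses joined by '|';
	# keep only the upas/spf stage.
	spfstatus=$status
	spfstatus=`{echo $spfstatus | sed 's:\|.*::g'}
	if(! ~ $#spfstatus 0 && ! ~ $"spfstatus *none){
		if(~ $spfstatus deferred:*)
			exit $"spfstatus
		if(! ~ $dom $spfign)
			exit 'rejected: '^$"spfstatus
	}
}

# log line prefix: time host pid
h=`{date -n} ^ ' ' ^ $sysname ^ ' ' ^ $pid
h=$"h
log=/sys/log/smtpd.mx #/fd/2
echo $h validatesender $* >>$log

netroot=/net.alt
if(~ $1 -n){
	shift
	netroot=$1
	shift
}
if(! ~ $#* [234])
	usage
dom=$1; addr=$2; ip=$3; helo=$4

# DNSBL check first: it is cheap and needs no outbound connection.
# Only consulted when an ip was given and the helper is installed.
if(! ~ $#ip 0 && test -x /mail/lib/spamhaus){
	spamhaus=`{/mail/lib/spamhaus $ip}
	if(! ~ $spamhaus ''){
		echo $h spamhaus '->' $spamhaus>>$log
		exit 'rejected: spamhaus: '^$"spamhaus
	}
}

# Callback verification: ping the sender's domain over smtp (-p) to see
# whether it would accept mail for $addr. The assignment's status is that
# of upas/smtp; its last output line is kept in $x for the verdict text.
if(x=`{upas/smtp -p $netroot/tcp!$dom /dev/null $addr >[2=1] | tee >{sed 's/^/'$h' /' >> $log} | tail -1}){
	# ping succeeded; without an ip or an spf binary there is nothing
	# more to check.
	if(~ $#ip 0 || ! test -x /bin/upas/spf)
		exit ''
	echo $h spf $dom $ip $addr $helo>>$log
	checkspf $dom $ip $addr $helo
	exit ''
}
smtpstatus=$status
if(~ $#x 0)
	x=$smtpstatus
# only a permanent smtp failure is a rejection; anything else (timeouts,
# greylisting, unreachable mx) is deferred so a legitimate sender can retry.
if(~ $smtpstatus *'Permanent Failure'*)
	exit 'rejected: smtp ping: '^$"x
exit 'deferred: smtp ping: '^$"x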