Forwarding hosts: use SPF records if present

data/web/admin.php

@@ -313,7 +313,8 @@ $tfa_data = get_tfa();
           <table class="table table-striped" id="forwardinghoststable">
             <thead>
             <tr>
-              <th style="min-width: 100px;"><?=$lang['edit']['hostname'];?></th>
+              <th style="min-width: 100px;"><?=$lang['edit']['host'];?></th>
+              <th style="min-width: 100px;"><?=$lang['edit']['source'];?></th>
               <th style="text-align: right; min-width: 200px;"><?=$lang['admin']['action'];?></th>
             </tr>
             </thead>
@@ -321,20 +322,23 @@ $tfa_data = get_tfa();
               <?php
               $forwarding_hosts = get_forwarding_hosts();
               if ($forwarding_hosts) {
-              foreach ($forwarding_hosts as $host) {
-              ?>
-              <tr id="data">
-                <td><?=htmlspecialchars(strtolower($host));?></td>
-                <td style="text-align: right;">
-                  <div class="btn-group">
-                    <a href="delete.php?forwardinghost=<?=$host;?>" class="btn btn-xs btn-danger"><span class="glyphicon glyphicon-trash"></span> <?=$lang['admin']['remove'];?></a>
-                  </div>
-                </td>
-                </td>
-              </tr>
+                foreach ($forwarding_hosts as $host) {
+                  $source = $host->source;
+                  $host = $host->host;
+                ?>
+                <tr id="data">
+                  <td><?=htmlspecialchars(strtolower($host));?></td>
+                  <td><?=htmlspecialchars(strtolower($source));?></td>
+                  <td style="text-align: right;">
+                    <div class="btn-group">
+                      <a href="delete.php?forwardinghost=<?=$host;?>" class="btn btn-xs btn-danger"><span class="glyphicon glyphicon-trash"></span> <?=$lang['admin']['remove'];?></a>
+                    </div>
+                  </td>
+                  </td>
+                </tr>
 
-              <?php
-              }
+                <?php
+                }
               } else {
               ?>
                 <tr id="no-data"><td colspan="4" style="text-align: center; font-style: italic;"><?=$lang['admin']['no_record'];?></td></tr>
@@ -347,9 +351,10 @@ $tfa_data = get_tfa();
         </form>
         <small>
         <legend><?=$lang['admin']['add_forwarding_host'];?></legend>
+        <p style="margin-bottom:10px"><?=$lang['admin']['forwarding_hosts_add_hint'];?></p>
         <form class="form-horizontal" role="form" method="post">
           <div class="form-group">
-            <label class="control-label col-sm-2" for="hostname"><?=$lang['edit']['hostname'];?>:</label>
+            <label class="control-label col-sm-2" for="hostname"><?=$lang['edit']['host'];?>:</label>
             <div class="col-sm-10">
               <input type="text" class="form-control" name="hostname" id="hostname" required>
             </div>

data/web/delete.php

@@ -105,7 +105,7 @@ if (isset($_SESSION['mailcow_cc_role']) && ($_SESSION['mailcow_cc_role'] == "adm
 				</form>
 				<?php
 		}
-		// DELETE DOMAIN ADMIN
+		// DELETE FORWARDING HOST
 		elseif (isset($_GET["forwardinghost"]) &&
 			!empty($_GET["forwardinghost"]) &&
         $_SESSION['mailcow_cc_role'] == "admin") {

data/web/inc/functions.inc.php

@@ -98,6 +98,8 @@ function init_db_schema() {
 			'msg' => 'Database initialization completed.'
 		);
 	}
+  // Add newly added tables
+  $stmt = $pdo->query("CREATE TABLE IF NOT EXISTS `forwarding_hosts` (`host` VARCHAR(255) NOT NULL, PRIMARY KEY (`host`)) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC");
   // Add newly added columns
   $stmt = $pdo->query("SHOW COLUMNS FROM `mailbox` LIKE 'kind'");
   $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
@@ -124,9 +126,11 @@ function init_db_schema() {
   if ($num_results == 0) {
     $pdo->query("ALTER TABLE `tfa` ADD `key_id` VARCHAR(255) DEFAULT 'unidentified'");
   }
-  
-  // Add newly added tables
-  $stmt = $pdo->query("CREATE TABLE IF NOT EXISTS `forwarding_hosts` (`host` VARCHAR(255) NOT NULL, PRIMARY KEY (`host`)) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC");
+  $stmt = $pdo->query("SHOW COLUMNS FROM `forwarding_hosts` LIKE 'source'");
+  $num_results = count($stmt->fetchAll(PDO::FETCH_ASSOC));
+  if ($num_results == 0) {
+    $pdo->query("ALTER TABLE `forwarding_hosts` ADD `source` VARCHAR(255) DEFAULT ''");
+  }
 }
 function verify_ssha256($hash, $password) {
 	// Remove tag if any
@@ -5044,11 +5048,12 @@ function get_u2f_registrations($username) {
 }
 function get_forwarding_hosts() {
 	global $pdo;
-  $sel = $pdo->prepare("SELECT host FROM `forwarding_hosts`");
+  $sel = $pdo->prepare("SELECT host, source FROM `forwarding_hosts`");
   $sel->execute();
-  return $sel->fetchAll(PDO::FETCH_COLUMN);
+  return $sel->fetchAll(PDO::FETCH_OBJ);
 }
 function add_forwarding_host($postarray) {
+	require_once 'spf.inc.php';
 	global $pdo;
 	global $lang;
 	if ($_SESSION['mailcow_cc_role'] != "admin") {
@@ -5058,23 +5063,47 @@ function add_forwarding_host($postarray) {
 		);
 		return false;
 	}
+	$source = $postarray['hostname'];
 	$host = $postarray['hostname'];
-	try {
-		$stmt = $pdo->prepare("INSERT INTO `forwarding_hosts` (`host`) VALUES (:host)");
-		$stmt->execute(array(
-			':host' => $host,
-		));
+	$hosts = array();
+	if (preg_match('/^[0-9a-fA-F:\/]+$/', $host)) { // IPv6 address
+		$hosts = array($host);
 	}
-	catch (PDOException $e) {
+	elseif (preg_match('/^[0-9\.\/]+$/', $host)) { // IPv4 address
+		$hosts = array($host);
+	}
+	else {
+		$hosts = get_outgoing_hosts_best_guess($host);
+	}
+	if (!$hosts)
+	{
 		$_SESSION['return'] = array(
 			'type' => 'danger',
-			'msg' => 'MySQL: '.$e
+			'msg' => 'Invalid host specified: '. htmlspecialchars($host)
 		);
 		return false;
 	}
+	foreach ($hosts as $host) {
+		if ($source == $host)
+			$source = '';
+		try {
+			$stmt = $pdo->prepare("INSERT IGNORE INTO `forwarding_hosts` (`host`, `source`) VALUES (:host, :source)");
+			$stmt->execute(array(
+				':host' => $host,
+				':source' => $source,
+			));
+		}
+		catch (PDOException $e) {
+			$_SESSION['return'] = array(
+				'type' => 'danger',
+				'msg' => 'MySQL: '.$e
+			);
+			return false;
+		}
+	}
 	$_SESSION['return'] = array(
 		'type' => 'success',
-		'msg' => sprintf($lang['success']['forwarding_host_added'], htmlspecialchars($host))
+		'msg' => sprintf($lang['success']['forwarding_host_added'], htmlspecialchars(implode(', ', $hosts)))
 	);
 }
 function delete_forwarding_host($postarray) {

data/web/inc/init.sql

@@ -142,6 +142,7 @@ CREATE TABLE IF NOT EXISTS `tfa` (
 
 CREATE TABLE IF NOT EXISTS `forwarding_hosts` (
   `host` VARCHAR(255) NOT NULL,
+  `source` VARCHAR(255) NOT NULL,
   PRIMARY KEY (`host`)
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 ROW_FORMAT=DYNAMIC;
 

data/web/inc/spf.inc.php

@@ -0,0 +1,127 @@
+<?php
+function get_spf_allowed_hosts($domain)
+{
+	$hosts = array();
+	
+	$records = dns_get_record($domain, DNS_TXT);
+	foreach ($records as $record)
+	{
+		$txt = explode(' ', $record['entries'][0]);
+		if (array_shift($txt) != 'v=spf1') // only handle SPF records
+			continue;
+		
+		foreach ($txt as $mech)
+		{
+			$qual = substr($mech, 0, 1);
+			if ($qual == '-' || $qual == '~') // only handle pass or neutral records
+				continue(2);
+			
+			if ($qual == '+' || $qual == '?')
+				$mech = substr($mech, 1); // remove the qualifier
+			
+			if (strpos($mech, '=') !== FALSE) // handle a modifier
+			{
+				$mod = explode('=', $mech);
+				if ($mod[0] == 'redirect') // handle a redirect
+				{
+					$hosts = get_spf_allowed_hosts($mod[1]);
+					return $hosts;
+				}
+			}
+			else
+			{
+				unset($cidr);
+				if (strpos($mech, ':') !== FALSE) // handle a domain specification
+				{
+					$split = explode(':', $mech);
+					$mech = array_shift($split);
+					$domain = implode(':', $split);
+					if (strpos($domain, '/') !== FALSE) // remove CIDR specification
+					{
+						$split = explode('/', $domain);
+						$domain = $split[0];
+						$cidr = $split[1];
+					}
+				}
+				
+				$new_hosts = array();
+				if ($mech == 'include') // handle an inclusion
+				{
+					$new_hosts = get_spf_allowed_hosts($domain);
+				}
+				elseif ($mech == 'a') // handle a mechanism
+				{
+					$new_hosts = get_a_hosts($domain);
+				}
+				elseif ($mech == 'mx') // handle mx mechanism
+				{
+					$new_hosts = get_mx_hosts($domain);
+				}
+				elseif ($mech == 'ip4' || $mech == 'ip6') // handle ip mechanism
+				{
+					$new_hosts = array($domain);
+				}
+				
+				if (isset($cidr)) // add CIDR specification if present
+				{
+					foreach ($new_hosts as &$host)
+					{
+						$host .= '/' . $cidr;
+					}
+					unset($host);
+				}
+				
+				$hosts = array_unique(array_merge($hosts,$new_hosts), SORT_REGULAR);
+			}
+		}
+	}
+	
+	return $hosts;
+}
+
+function get_mx_hosts($domain)
+{
+	$hosts = array();
+	
+	$mx_records = dns_get_record($domain, DNS_MX);
+	foreach ($mx_records as $mx_record)
+	{
+		$new_hosts = get_a_hosts($mx_record['target']);
+		$hosts = array_unique(array_merge($hosts,$new_hosts), SORT_REGULAR);
+	}
+	
+	return $hosts;
+}
+
+function get_a_hosts($domain)
+{
+	$hosts = array();
+	
+	$a_records = dns_get_record($domain, DNS_A);
+	foreach ($a_records as $a_record)
+	{
+		$hosts[] = $a_record['ip'];
+	}
+	$a_records = dns_get_record($domain, DNS_AAAA);
+	foreach ($a_records as $a_record)
+	{
+		$hosts[] = $a_record['ipv6'];
+	}
+	
+	return $hosts;
+}
+
+function get_outgoing_hosts_best_guess($domain)
+{
+	// try the SPF record to get hosts that are allowed to send outgoing mails for this domain
+	$hosts = get_spf_allowed_hosts($domain);
+	if ($hosts) return $hosts;
+	
+	// try the MX record to get mail servers for this domain
+	$hosts = get_mx_hosts($domain);
+	if ($hosts) return $hosts;
+	
+	// fall back to the A record to get the host name for this domain
+	return get_a_hosts($domain);
+}
+?>

data/web/lang/lang.de.php

@@ -450,11 +450,20 @@ $lang['admin']['unchanged_if_empty'] = 'Unverändert, wenn leer';
 $lang['admin']['yes'] = '✔';
 $lang['admin']['no'] = '✘';
 $lang['admin']['access'] = 'Zugang';
-$lang['admin']['invalid_max_msg_size'] = 'Invalid max. message size'; // NEEDS TRANSLATION
+$lang['admin']['invalid_max_msg_size'] = 'Ungültige maximale Nachrichtengröße';
 $lang['admin']['site_not_found'] = 'Kann mailcow Site-Konfiguration nicht finden';
-$lang['admin']['public_folder_empty'] = 'Public folder name must not be empty'; // NEEDS TRANSLATION
+$lang['admin']['public_folder_empty'] = 'Name des öffentlichen Ordners darf nicht leer sein';
 $lang['admin']['set_rr_failed'] = 'Kann Postfix Restriktionen nicht setzen';
 $lang['admin']['no_record'] = 'Kein Eintrag';
 $lang['admin']['filter_table'] = 'Tabelle Filtern';
 $lang['admin']['empty'] = 'Keine Einträge vorhanden';
+$lang['admin']['forwarding_hosts'] = 'Weiterleitungs-Hosts';
+$lang['admin']['forwarding_hosts_hint'] = 'Eingehende Nachrichten werden von den hier gelisteten Hosts bedingungslos akzeptiert. Diese Hosts werden dann nicht mit DNSBLs abgeglichen oder Greylisting unterworfen. Von ihnen empfangener Spam wird nie abgelehnt und immer in den Spam-Ordner einsortiert. Die übliche Verwendung für diese Funktion ist, um Mailserver anzugeben, auf denen eine Weiterleitung zu Ihrem Mailcow-Server eingerichtet wurde.';
+$lang['admin']['forwarding_hosts_add_hint'] = 'Sie können entweder IPv4/IPv6-Adressen, Netzwerke in CIDR-Notation, Hostnamen (die zu IP-Adressen aufgelöst werden), oder Domainnamen (die zu IP-Adressen aufgelöst werden, indem ihr SPF-Record abgefragt wird oder, in dessen Abwesenheit, ihre MX-Records) angeben.';
+$lang['edit']['host'] = 'Host';
+$lang['edit']['source'] = 'Quelle';
+$lang['admin']['add_forwarding_host'] = 'Weiterleitungs-Host hinzufügen';
+$lang['delete']['remove_forwardinghost_warning'] = '<b>Warnung:</b> Sie entfernen den Weiterleitungs-Host <b>%s</b>!';
+$lang['success']['forwarding_host_removed'] = "Weiterleitungs-Host %s wurde entfernt";
+$lang['success']['forwarding_host_added'] = "Weiterleitungs-Host %s wurde hinzugefügt";
 ?>

data/web/lang/lang.en.php

@@ -469,7 +469,10 @@ $lang['admin']['no_record'] = 'No record';
 $lang['admin']['filter_table'] = 'Filter table';
 $lang['admin']['empty'] = 'No results';
 $lang['admin']['forwarding_hosts'] = 'Forwarding Hosts';
-$lang['admin']['forwarding_hosts_hint'] = 'Specify any networks (in CIDR notation) from which you unconditionally want to accept incoming messages. These hosts are then not checked against DNSBLs or subjected to greylisting. Spam received from them is never rejected and always filed into the Junk folder. The most common use for this is to specify mail servers on which you have set up a forwarding rule.';
+$lang['admin']['forwarding_hosts_hint'] = 'Incoming messages are unconditionally accepted from any hosts listed here. These hosts are then not checked against DNSBLs or subjected to greylisting. Spam received from them is never rejected and always filed into the Junk folder. The most common use for this is to specify mail servers on which you have set up a rule that forwards incoming emails to your Mailcow server.';
+$lang['admin']['forwarding_hosts_add_hint'] = 'You can either specify IPv4/IPv6 addresses, networks in CIDR notation, host names (which will be resolved to IP addresses), or domain names (which will be resolved to IP addresses by querying SPF records or, in their absence, MX records).';
+$lang['edit']['host'] = 'Host';
+$lang['edit']['source'] = 'Source';
 $lang['admin']['add_forwarding_host'] = 'Add Forwarding Host';
 $lang['delete']['remove_forwardinghost_warning'] = '<b>Warning:</b> You are about to remove the forwarding host <b>%s</b>!';
 $lang['success']['forwarding_host_removed'] = "Forwarding host %s has been removed";