[exim-cvs] spf dynamic module

Góra strony
Delete this message
Reply to this message
Autor: Exim Git Commits Mailing List
Data:  
Dla: exim-cvs
Temat: [exim-cvs] spf dynamic module
Gitweb: https://git.exim.org/exim.git/commitdiff/cccb2c06bbb96fa98edf6867f0eba4059aa757a0
Commit:     cccb2c06bbb96fa98edf6867f0eba4059aa757a0
Parent:     a0ecb20496a00e26cf7345a75cc1137eb3ac0709
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Wed Aug 28 00:16:43 2024 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Wed Aug 28 11:17:07 2024 +0100


    spf dynamic module
---
 doc/doc-docbook/spec.xfpt      |   6 ++
 doc/doc-txt/NewStuff           |   6 +-
 src/OS/Makefile-Base           |  21 +++--
 src/scripts/Configure-Makefile |   1 +
 src/scripts/MakeLinks          |  11 +++
 src/scripts/lookups-Makefile   |   4 +-
 src/src/EDITME                 |   9 +-
 src/src/acl.c                  |  90 +++++++++++++++++---
 src/src/daemon.c               |   4 +-
 src/src/dmarc.c                |  37 ++++++--
 src/src/dmarc.h                |   1 +
 src/src/drtables.c             | 153 ++++++++++++++++++++++++++++-----
 src/src/exim.c                 |  13 ++-
 src/src/exim.h                 |   2 +-
 src/src/expand.c               | 107 ++++++++++--------------
 src/src/functions.h            |   5 +-
 src/src/globals.c              |  14 ----
 src/src/globals.h              |  10 ---
 src/src/lookups/Makefile       |   2 -
 src/src/lookups/spf.c          |  92 +++++---------------
 src/src/macros.h               |   2 +-
 src/src/miscmods/Makefile      |  31 +++++++
 src/src/{ => miscmods}/spf.c   | 186 ++++++++++++++++++++++++++++++++++++++---
 src/src/{ => miscmods}/spf.h   |   7 --
 src/src/readconf.c             |  20 ++++-
 src/src/receive.c              |   2 +-
 src/src/smtp_in.c              |  28 ++++++-
 src/src/structs.h              |  69 +++++++++++++++
 test/runtest                   |  15 ++--
 test/stderr/2610               |   2 -
 30 files changed, 697 insertions(+), 253 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 600eee4af..428cbc079 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -42314,6 +42314,12 @@ This includes retransmissions done by traditional forwarders.
SPF verification support is built into Exim if SUPPORT_SPF=yes is set in
&_Local/Makefile_&. The support uses the &_libspf2_& library
&url(https://www.libspf2.org/).
+.new
+.cindex "dynamic modules"
+The support can be built as a dynamic-load module if desired;
+see the comments in that Makefile.
+.wen
+
There is no Exim involvement in the transmission of messages;
publishing certain DNS records is all that is required.

diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 9a34f8ac2..640bd58cd 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -14,9 +14,9 @@ Version 4.98

3. Events smtp:fail:protocol and smtp:fail:syntax

- 4. JSON and LDAP lookup support, all the router and authenticator drivers,
-    and all the transport drivers except smtp, can now be built as loadable
-    modules
+ 4. JSON and LDAP lookup support, SPF support, all the router and authenticator
+    drivers, and all the transport drivers except smtp, can now be built as
+    loadable modules


Version 4.98
------------
diff --git a/src/OS/Makefile-Base b/src/OS/Makefile-Base
index 2e8728ae2..caae1e536 100644
--- a/src/OS/Makefile-Base
+++ b/src/OS/Makefile-Base
@@ -245,7 +245,7 @@ macro.c: macro_predef

 .PHONY: all config utils \
     buildauths buildlookups buildpdkim buildrouters \
-        buildtransports dynmodules checklocalmake clean
+        buildtransports buildmisc dynmodules checklocalmake clean



 utils: $(EXIM_MONITOR) exicyclog exinext exiwhat \
@@ -501,7 +501,6 @@ OBJ_EXPERIMENTAL =    arc.o \
             dcc.o \
             dmarc.o \
             imap_utf7.o \
-            spf.o \
             utf8.o \
             xclient.o


@@ -529,12 +528,12 @@ OBJ_EXIM = acl.o base64.o child.o crypt16.o daemon.o dbfn.o debug.o deliver.o \
         $(OBJ_EXPERIMENTAL)


 exim:   buildlookups buildauths pdkim/pdkim.a \
-        buildrouters buildtransports \
+        buildrouters buildtransports buildmisc \
         $(OBJ_EXIM) version.o
     @echo "$(LNCC) -o exim"
     $(FE)$(PURIFY) $(LNCC) -o exim $(LFLAGS) $(OBJ_EXIM) version.o \
       routers/routers.a transports/transports.a lookups/lookups.a \
-      auths/auths.a pdkim/pdkim.a \
+      auths/auths.a pdkim/pdkim.a miscmods/miscmods.a \
       $(LIBRESOLV) $(LIBS) $(LIBS_EXIM) $(IPV6_LIBS) $(EXTRALIBS) \
       $(EXTRALIBS_EXIM) $(DBMLIB) $(LOOKUP_LIBS) $(AUTH_LIBS) \
       $(PERL_LIBS) $(TLS_LIBS) $(PCRE_LIBS) $(LDFLAGS)
@@ -904,7 +903,6 @@ dane.o:        $(HDRS) dane.c dane-openssl.c
 dcc.o:        $(HDRS) dcc.h dcc.c
 dmarc.o:    $(HDRS) pdkim/pdkim.h dmarc.h dmarc.c
 imap_utf7.o:    $(HDRS) imap_utf7.c
-spf.o:        $(HDRS) spf.h spf.c
 utf8.o:        $(HDRS) utf8.c
 xclient.o:    $(HDRS) xclient.c


@@ -1018,10 +1016,11 @@ $(MONBIN): $(HDRS)

# Copies of modules built as dynamic-load libraries

-dynmodules: buildlookups buildrouters buildtransports buildauths
+dynmodules: buildlookups buildrouters buildtransports buildauths \
+        buildmisc
     rm -fr dynmodules
     mkdir dynmodules
-    for d in lookup router transport auth; do \
+    for d in lookup router transport auth miscmod; do \
       for f in $${d}s/*.so; do \
         [ -e $$f ] && ln $$f dynmodules/`basename $$f .so`_$$d.so; \
       done; \
@@ -1073,6 +1072,14 @@ pdkim/pdkim.a: config
        INCLUDE="$(INCLUDE) $(IPV6_INCLUDE) $(TLS_INCLUDE)"
      @echo " "


+buildmisc: config
+     @cd miscmods && $(MAKE) SHELL=$(SHELL) AR="$(AR)" $(MFLAGS) \
+       CC="$(CC)" CFLAGS="$(CFLAGS)" \
+         CFLAGS_DYNAMIC="$(CFLAGS_DYNAMIC)" HDRS="../version.h $(PHDRS)" \
+         FE="$(FE)" RANLIB="$(RANLIB)" RM_COMMAND="$(RM_COMMAND)" \
+         INCLUDE="$(INCLUDE) $(IPV6_INCLUDE)"
+     @echo " "
+
 # The "clean", "install", and "makefile" targets just pass themselves back to
 # the main Exim makefile. These targets will be obeyed only if "make" is obeyed
 # for them in the build directory.
diff --git a/src/scripts/Configure-Makefile b/src/scripts/Configure-Makefile
index 9179392f3..427ce0cb7 100755
--- a/src/scripts/Configure-Makefile
+++ b/src/scripts/Configure-Makefile
@@ -301,6 +301,7 @@ done <<-END
  routers    ROUTER    ACCEPT DNSLOOKUP IPLITERAL IPLOOKUP MANUALROUTE QUERYPROGRAM REDIRECT
  transports TRANSPORT    APPENDFILE AUTOREPLY LMTP PIPE QUEUEFILE SMTP
  auths        AUTH    CRAM_MD5 CYRUS_SASL DOVECOT EXTERNAL GSASL HEIMDAL_GSSAPI PLAINTEXT SPA TLS
+ miscmods   SUPPORT    SPF
 END


# See if there is a definition of EXIM_PERL in what we have built so far.
diff --git a/src/scripts/MakeLinks b/src/scripts/MakeLinks
index 76859ce9a..09d18b63c 100755
--- a/src/scripts/MakeLinks
+++ b/src/scripts/MakeLinks
@@ -89,6 +89,17 @@ do
done
cd ..

+# miscellaneous modules
+d="miscmods"
+mkdir $d
+cd $d
+# Makefile is generated
+for f in spf.c spf.h
+do
+ ln -s ../../src/$d/$f $f
+done
+cd ..
+
# and the hintsdb implementations
d="hintsdb"
mkdir $d
diff --git a/src/scripts/lookups-Makefile b/src/scripts/lookups-Makefile
index 40cca603f..188c22d14 100755
--- a/src/scripts/lookups-Makefile
+++ b/src/scripts/lookups-Makefile
@@ -169,8 +169,8 @@ do
emit_module_rule $name_mod
done

-# Because the variable is EXPERIMENTAL_SPF and not LOOKUP_SPF we
-# always include spf.o and compile a dummy if EXPERIMENTAL_SPF is not
+# Because the variable is SUPPORT_SPF and not LOOKUP_SPF we
+# always include spf.o and compile a dummy if SUPPORT_SPF is not
# defined.

OBJ="${OBJ} spf.o"
diff --git a/src/src/EDITME b/src/src/EDITME
index 7d0b07331..e507ab3cd 100644
--- a/src/src/EDITME
+++ b/src/src/EDITME
@@ -832,8 +832,8 @@ FIXED_NEVER_USERS=root
# is historic).
# You need to add -export-dynamic -rdynamic to EXTRALIBS. You may also need to
# add -ldl to EXTRALIBS so that dlopen() is available to Exim. You need to
-# define CFLAGS_DYNAIC and LOOKUP_MODULE_DIR below so the builds are done right,
-# and so the exim binary actually loads dynamic lookup modules.
+# define CFLAGS_DYNAMIC and LOOKUP_MODULE_DIR below so the builds are done
+# right and so the exim binary actually loads dynamic lookup modules.
#
# Libraries being built as modules should be added to respective
# LOOKUP_*_INCLUDE and LOOKUP_*_LIBS rather than the the ones for the
@@ -1119,6 +1119,11 @@ ZCAT_COMMAND=/usr/bin/zcat
# Uncomment the following lines to add SPF support. You need to have libspf2
# installed on your system (www.libspf2.org). Depending on where it is installed
# you may have to edit the CFLAGS and LDFLAGS lines.
+#
+# If set to "2" instead of "yes" then the support will be
+# built as a module and must be installed into LOOKUP_MODULE_DIR (the name
+# is historic). The same rules as for other module builds apply; use
+# SUPPORT_SPF_{INCLUDE,LIBS}.

 # SUPPORT_SPF=yes
 # CFLAGS  += -I/usr/local/include
diff --git a/src/src/acl.c b/src/src/acl.c
index 533dcd60a..e285da65c 100644
--- a/src/src/acl.c
+++ b/src/src/acl.c
@@ -129,14 +129,16 @@ being the prefix of another; the binary-search in the list will go wrong. */
 typedef struct condition_def {
   uschar    *name;


+  /* Flags for actions or checks to do during readconf for this condition */
   unsigned    flags;
 #define ACD_EXP        BIT(0)    /* do expansion at outer level*/
 #define ACD_MOD        BIT(1)    /* is a modifier */
+#define ACD_LOAD    BIT(2)    /* supported by a dynamic-load module */


-/* Bit map vector of which conditions and modifiers are not allowed at certain
-times. For each condition and modifier, there's a bitmap of dis-allowed times.
-For some, it is easier to specify the negation of a small number of allowed
-times. */
+  /* Bit map vector of which conditions and modifiers are not allowed at certain
+  times. For each condition and modifier, there's a bitmap of dis-allowed times.
+  For some, it is easier to specify the negation of a small number of allowed
+  times. */
   unsigned    forbids;
 #define FORBIDDEN(times)    (times)
 #define PERMITTED(times)    ((unsigned) ~(times))
@@ -339,14 +341,22 @@ static condition_def conditions[] = {
   },
 #endif
 #ifdef SUPPORT_SPF
-  [ACLC_SPF] =            { US"spf",        ACD_EXP,
+  [ACLC_SPF] =            { US"spf",
+# if SUPPORT_SPF==2
+                  ACD_LOAD |
+# endif
+                  ACD_EXP,
                   FORBIDDEN(ACL_BIT_AUTH | ACL_BIT_CONNECT |
                     ACL_BIT_HELO | ACL_BIT_MAILAUTH |
                     ACL_BIT_ETRN | ACL_BIT_EXPN |
                     ACL_BIT_STARTTLS | ACL_BIT_VRFY |
                     ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START),
   },
-  [ACLC_SPF_GUESS] =        { US"spf_guess",    ACD_EXP,
+  [ACLC_SPF_GUESS] =        { US"spf_guess",
+# if SUPPORT_SPF==2
+                  ACD_LOAD |
+# endif
+                  ACD_EXP,
                   FORBIDDEN(ACL_BIT_AUTH | ACL_BIT_CONNECT |
                     ACL_BIT_HELO | ACL_BIT_MAILAUTH |
                     ACL_BIT_ETRN | ACL_BIT_EXPN |
@@ -383,6 +393,25 @@ for (condition_def * c = conditions; c < conditions + nelem(conditions); c++)


#ifndef MACRO_PREDEF

+# ifdef LOOKUP_MODULE_DIR
+typedef struct condition_module {
+  const uschar *    mod_name;    /* module for the givien conditions */
+  misc_module_info *    info;        /* NULL when not loaded */
+  const int *        conditions;    /* array of ACLC_*, -1 terminated */
+} condition_module;
+
+#  if SUPPORT_SPF==2
+static int spf_condx[] = { ACLC_SPF, ACLC_SPF_GUESS, -1 };
+#  endif
+
+static condition_module condition_modules[] = {
+#  if SUPPORT_SPF==2
+  {.mod_name = US"spf", .conditions = spf_condx},
+#  endif
+};
+
+# endif
+
 /* Return values from decode_control() */


enum {
@@ -936,7 +965,7 @@ while ((s = (*func)()))

/* The modifiers may not be negated */

-  if (negated && conditions[c].flags & ACD_MOD )
+  if (negated && conditions[c].flags & ACD_MOD)
     {
     *error = string_sprintf("ACL error: negation is not allowed with "
       "\"%s\"", conditions[c].name);
@@ -954,6 +983,34 @@ while ((s = (*func)()))
     return NULL;
     }


+#ifdef LOOKUP_MODULE_DIR
+  if (conditions[c].flags & ACD_LOAD)
+    {                /* a loadable module supports this condition */
+    condition_module * cm;
+    uschar * s = NULL;
+
+    for (cm = condition_modules;
+        cm < condition_modules + nelem(condition_modules); cm++)
+      for (const int * cond = cm->conditions; *cond != -1; cond++)
+    if (*cond == c) goto found;
+    found:
+
+    if (cm >= condition_modules + nelem(condition_modules))
+      {                        /* shouldn't happen */
+      *error = string_sprintf("ACL error: failed to locate support for '%s'",
+                  conditions[c].name);
+      return NULL;
+      }
+    if (  !cm->info                /* module not loaded */
+       && !(cm->info = misc_mod_find(cm->mod_name, &s)))
+      {
+      *error = string_sprintf("ACL error: failed to find module for '%s': %s",
+                  conditions[c].name, s);
+      return NULL;
+      }
+    }
+#endif
+
   cond = store_get(sizeof(acl_condition_block), GET_UNTAINTED);
   cond->next = NULL;
   cond->type = c;
@@ -4127,12 +4184,23 @@ for (; cb; cb = cb->next)


 #ifdef SUPPORT_SPF
     case ACLC_SPF:
-      rc = spf_process(&arg, sender_address, SPF_PROCESS_NORMAL);
-      break;
-
     case ACLC_SPF_GUESS:
-      rc = spf_process(&arg, sender_address, SPF_PROCESS_GUESS);
+      /* Hardwire the offset of the function in the module functions table
+      for now.  Work out a more general mech later. */
+      {
+      misc_module_info * mi = misc_mod_find(US"spf", &log_message);
+      typedef int (*fn_t)(const uschar **, const uschar *, int);
+      fn_t fn;
+
+      if (!mi)
+    { rc = DEFER; break; }            /* shouldn't happen */
+
+      fn = ((fn_t *) mi->functions)[1];
+
+      rc = fn(&arg, sender_address,
+          cb->type == ACLC_SPF ? SPF_PROCESS_NORMAL : SPF_PROCESS_GUESS);
       break;
+      }
 #endif


     case ACLC_UDPSEND:
diff --git a/src/src/daemon.c b/src/src/daemon.c
index 4088cb532..49bf74a11 100644
--- a/src/src/daemon.c
+++ b/src/src/daemon.c
@@ -2578,8 +2578,8 @@ smtp_deliver_init();    /* Used for callouts */
 #ifdef WITH_CONTENT_SCAN
 malware_init();
 #endif
-#ifdef SUPPORT_SPF
-spf_init();
+#ifdef SUPPORT_DMARC
+dmarc_init();
 #endif
 #ifndef DISABLE_TLS
 tls_daemon_init();
diff --git a/src/src/dmarc.c b/src/src/dmarc.c
index 28fce0624..664daa737 100644
--- a/src/src/dmarc.c
+++ b/src/src/dmarc.c
@@ -31,7 +31,9 @@ OPENDMARC_STATUS_T  da, sa, action;
 BOOL dmarc_abort  = FALSE;
 uschar *dmarc_pass_fail = US"skipped";
 header_line *from_header   = NULL;
-extern SPF_response_t   *spf_response;
+
+misc_module_info * spf_mod_info;
+SPF_response_t   *spf_response_p;
 int dmarc_spf_ares_result  = 0;
 uschar *spf_sender_domain  = NULL;
 uschar *spf_human_readable = NULL;
@@ -53,6 +55,16 @@ static dmarc_exim_p dmarc_policy_description[] = {
 };



+int
+dmarc_init(void)
+{
+uschar * errstr;
+if (!(spf_mod_info = misc_mod_find(US"spf", &errstr)))
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+        "dmarc: failed to find SPF module: %s", errstr);
+return TRUE;
+}
+
 gstring *
 dmarc_version_report(gstring * g)
 {
@@ -86,12 +98,12 @@ eb->next  = NULL;
 return eblock;
 }


-/* dmarc_init sets up a context that can be re-used for several
+/* dmarc_conn_init sets up a context that can be re-used for several
messages on the same SMTP connection (that come from the
same host with the same HELO string) */

 int
-dmarc_init(void)
+dmarc_conn_init(void)
 {
 int *netmask   = NULL;   /* Ignored */
 int is_ipv6    = 0;
@@ -106,11 +118,12 @@ dmarc_pass_fail    = US"skipped";
 dmarc_used_domain  = US"";
 f.dmarc_has_been_checked = FALSE;
 header_from_sender = NULL;
+spf_response_p       = NULL;
 spf_sender_domain  = NULL;
 spf_human_readable = NULL;


/* ACLs have "control=dmarc_disable_verify" */
-if (f.dmarc_disable_verify == TRUE)
+if (f.dmarc_disable_verify)
return OK;

(void) memset(&dmarc_ctx, '\0', sizeof dmarc_ctx);
@@ -274,7 +287,7 @@ g = string_fmt_append(NULL,
message_id, primary_hostname, time(NULL), sender_host_address,
header_from_sender, expand_string(US"$sender_address_domain"));

-if (spf_response)
+if (spf_response_p)
g = string_fmt_append(g, "spf %d\n", dmarc_spf_ares_result);

if (dkim_history_buffer)
@@ -418,7 +431,15 @@ if (!dmarc_abort && !sender_host_authenticated)
/* Use the envelope sender domain for this part of DMARC */

   spf_sender_domain = expand_string(US"$sender_address_domain");
-  if (!spf_response)
+
+    {
+    misc_module_info * mi = misc_mod_findonly(US"spf");
+    typedef SPF_response_t * (*fn_t)(void);
+    if (mi)
+      spf_response_p = ((fn_t *) mi->functions)[3]();    /* spf_get_response */
+    }
+
+  if (!spf_response_p)
     {
     /* No spf data means null envelope sender so generate a domain name
     from the sender_helo_name  */
@@ -439,7 +460,7 @@ if (!dmarc_abort && !sender_host_authenticated)
     }
   else
     {
-    sr = spf_response->result;
+    sr = spf_response_p->result;
     dmarc_spf_result = sr == SPF_RESULT_NEUTRAL  ? DMARC_POLICY_SPF_OUTCOME_NONE :
                sr == SPF_RESULT_PASS     ? DMARC_POLICY_SPF_OUTCOME_PASS :
                sr == SPF_RESULT_FAIL     ? DMARC_POLICY_SPF_OUTCOME_FAIL :
@@ -454,7 +475,7 @@ if (!dmarc_abort && !sender_host_authenticated)
                 sr == SPF_RESULT_PERMERROR ? ARES_RESULT_PERMERROR :
                 ARES_RESULT_UNKNOWN;
     origin = DMARC_POLICY_SPF_ORIGIN_MAILFROM;
-    spf_human_readable = US spf_response->header_comment;
+    spf_human_readable = US spf_response_p->header_comment;
     DEBUG(D_receive)
       debug_printf_indent("DMARC using SPF sender domain = %s\n", spf_sender_domain);
     }
diff --git a/src/src/dmarc.h b/src/src/dmarc.h
index fa366dd06..dcf289f2d 100644
--- a/src/src/dmarc.h
+++ b/src/src/dmarc.h
@@ -21,6 +21,7 @@
 /* prototypes */
 gstring * dmarc_version_report(gstring *);
 int dmarc_init(void);
+int dmarc_conn_init(void);
 int dmarc_store_data(header_line *);
 int dmarc_process(void);
 uschar *dmarc_exim_expand_query(int);
diff --git a/src/src/drtables.c b/src/src/drtables.c
index a144085c5..35a376dd1 100644
--- a/src/src/drtables.c
+++ b/src/src/drtables.c
@@ -325,7 +325,7 @@ extern lookup_module_info redis_lookup_module_info;
 extern lookup_module_info lmdb_lookup_module_info;
 #endif
 #if defined(SUPPORT_SPF)
-extern lookup_module_info spf_lookup_module_info;
+extern lookup_module_info spf_lookup_module_info;    /* see below */
 #endif
 #if defined(LOOKUP_SQLITE) && LOOKUP_SQLITE!=2
 extern lookup_module_info sqlite_lookup_module_info;
@@ -341,6 +341,31 @@ extern lookup_module_info readsock_lookup_module_info;



 #ifdef LOOKUP_MODULE_DIR
+static void *
+mod_open(const uschar * name, const uschar * class, uschar ** errstr)
+{
+const uschar * path = string_sprintf(
+  LOOKUP_MODULE_DIR "/%s_%s." DYNLIB_FN_EXT, name, class);
+void * dl;
+if (!(dl = dlopen(CS path, RTLD_NOW)))
+  {
+  if (errstr)
+    *errstr = string_sprintf("Error loading %s: %s", name, dlerror());
+  else
+    (void) dlerror();        /* clear out error state */
+  return NULL;
+  }
+
+/* FreeBSD nsdispatch() can trigger dlerror() errors about
+_nss_cache_cycle_prevention_function; we need to clear the dlerror()
+state before calling dlsym(), so that any error afterwards only comes
+from dlsym().  */
+
+(void) dlerror();
+return dl;
+}
+
+
 /* Try to load a lookup module with the given name.


Arguments:
@@ -353,27 +378,12 @@ Return: boolean success
static BOOL
lookup_mod_load(const uschar * name, uschar ** errstr)
{
-const uschar * path = string_sprintf(
- LOOKUP_MODULE_DIR "/%s_lookup." DYNLIB_FN_EXT, name);
void * dl;
struct lookup_module_info * info;
const char * errormsg;

-if (!(dl = dlopen(CS path, RTLD_NOW)))
-  {
-  if (errstr)
-    *errstr = string_sprintf("Error loading %s: %s", name, dlerror());
-  else
-    (void) dlerror();        /* clear out error state */
+if (!(dl = mod_open(name, US"lookup", errstr)))
   return FALSE;
-  }
-
-/* FreeBSD nsdispatch() can trigger dlerror() errors about
-_nss_cache_cycle_prevention_function; we need to clear the dlerror()
-state before calling dlsym(), so that any error afterwards only comes
-from dlsym().  */
-
-errormsg = dlerror();


info = (struct lookup_module_info *) dlsym(dl, "_lookup_module_info");
if ((errormsg = dlerror()))
@@ -416,6 +426,89 @@ return TRUE;



+misc_module_info * misc_module_list = NULL;
+
+static void
+misc_mod_add(misc_module_info * mi)
+{
+if (mi->init) mi->init(mi);
+DEBUG(D_lookup) if (mi->lib_vers_report)
+  debug_printf_indent("%Y\n", mi->lib_vers_report(NULL));
+
+mi->next = misc_module_list;
+misc_module_list = mi;
+}
+
+
+#ifdef LOOKUP_MODULE_DIR
+
+/* Load a "misc" module, and add to list */
+
+static misc_module_info *
+misc_mod_load(const uschar * name, uschar ** errstr)
+{
+void * dl;
+struct misc_module_info * mi;
+const char * errormsg;
+
+DEBUG(D_any) debug_printf_indent("loading module '%s'\n", name);
+if (!(dl = mod_open(name, US"miscmod", errstr)))
+  return NULL;
+
+mi = (struct misc_module_info *) dlsym(dl,
+                    CS string_sprintf("%s_module_info", name));
+if ((errormsg = dlerror()))
+  {
+  fprintf(stderr, "%s does not appear to be an spf module (%s)\n", name, errormsg);
+  log_write(0, LOG_MAIN|LOG_PANIC, "%s does not appear to be an spf module (%s)", name, errormsg);
+  dlclose(dl);
+  return NULL;
+  }
+if (mi->dyn_magic != MISC_MODULE_MAGIC)
+  {
+  fprintf(stderr, "Module %s is not compatible with this version of Exim\n", name);
+  log_write(0, LOG_MAIN|LOG_PANIC, "Module %s is not compatible with this version of Exim", name);
+  dlclose(dl);
+  return FALSE;
+  }
+
+DEBUG(D_lookup) debug_printf_indent("Loaded \"%s\"\n", name);
+misc_mod_add(mi);
+return mi;
+}
+
+#endif    /*LOOKUP_MODULE_DIR*/
+
+
+/* Find a "misc" module by name, if loaded.
+For now use a linear search down a linked list.  If the number of
+modules gets large, we might consider a tree.
+*/
+
+misc_module_info *
+misc_mod_findonly(const uschar * name)
+{
+for (misc_module_info * mi = misc_module_list; mi; mi = mi->next)
+  if (Ustrcmp(name, mi->name) == 0)
+    return mi;
+}
+
+/* Find a "misc" module, possibly already loaded, by name. */
+
+misc_module_info *
+misc_mod_find(const uschar * name, uschar ** errstr)
+{
+misc_module_info * mi;
+if ((mi = misc_mod_findonly(name))) return mi;
+#ifdef LOOKUP_MODULE_DIR
+return misc_mod_load(name, errstr);
+#else
+return NULL;
+#endif    /*LOOKUP_MODULE_DIR*/
+}
+
+
+



void
@@ -495,10 +588,6 @@ addlookupmodule(&redis_lookup_module_info);
addlookupmodule(&lmdb_lookup_module_info);
#endif

-#ifdef SUPPORT_SPF
-addlookupmodule(&spf_lookup_module_info);
-#endif
-
#if defined(LOOKUP_SQLITE) && LOOKUP_SQLITE!=2
addlookupmodule(&sqlite_lookup_module_info);
#endif
@@ -511,6 +600,14 @@ addlookupmodule(&testdb_lookup_module_info);
addlookupmodule(&whoson_lookup_module_info);
#endif

+/* This is provided by the spf "misc" module, and the lookup aspect is always
+linked statically whether or not the "misc" module (and hence libspf2) is
+dynamic-load. */
+
+#if defined(SUPPORT_SPF)
+addlookupmodule(&spf_lookup_module_info);
+#endif
+
/* This is a custom expansion, and not available as either
a list-syntax lookup or a lookup expansion. However, it is
implemented by a lookup module. */
@@ -558,8 +655,22 @@ else

DEBUG(D_lookup) debug_printf("Loaded %d lookup modules\n", countmodules);
#endif
+}


+#if defined(SUPPORT_SPF) && SUPPORT_SPF!=2
+extern misc_module_info spf_module_info;
+#endif
+
+void
+init_misc_mod_list(void)
+{
+static BOOL onetime = FALSE;
+if (onetime) return;
+#if defined(SUPPORT_SPF) && SUPPORT_SPF!=2
+misc_mod_add(&spf_module_info);
+#endif
+onetime = TRUE;
}


diff --git a/src/src/exim.c b/src/src/exim.c
index de1f48434..ecc25d6bc 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -33,6 +33,7 @@ Also a few functions that don't naturally fit elsewhere. */
#endif

extern void init_lookup_list(void);
+extern void init_misc_mod_list(void);



@@ -1155,6 +1156,13 @@ gstring * b = NULL, * d = NULL;
d = string_cat(d, US" redis");
# endif
#endif
+#ifdef SUPPORT_SPF
+# if SUPPORT_SPF!=2
+ b = string_cat(b, US" spf");
+# else
+ d = string_cat(d, US" spf");
+# endif
+#endif
#ifdef LOOKUP_SQLITE
# if LOOKUP_SQLITE!=2
b = string_cat(b, US" sqlite");
@@ -1390,9 +1398,6 @@ DEBUG(D_any)
#ifdef SUPPORT_DMARC
g = dmarc_version_report(g);
#endif
-#ifdef SUPPORT_SPF
- g = spf_lib_version_report(g);
-#endif

show_string(is_stdout, g);
g = NULL;
@@ -1428,6 +1433,7 @@ DEBUG(D_any)
tree_walk(lookups_tree, lookup_version_report_cb, &g);
show_string(is_stdout, g);
g = NULL;
+ init_misc_mod_list();

#ifdef WHITELIST_D_MACROS
g = string_fmt_append(g, "WHITELIST_D_MACROS: \"%s\"\n", WHITELIST_D_MACROS);
@@ -4204,6 +4210,7 @@ is equivalent to the ability to modify a setuid binary!

This needs to happen before we read the main configuration. */
init_lookup_list();
+init_misc_mod_list();

/*XXX this excrescence could move to the testsuite standard config setup file */
#ifdef SUPPORT_I18N
diff --git a/src/src/exim.h b/src/src/exim.h
index c4d80c694..470adb351 100644
--- a/src/src/exim.h
+++ b/src/src/exim.h
@@ -543,7 +543,7 @@ config.h, mytypes.h, and store.h, so we don't need to mention them explicitly.
# include "bmi_spam.h"
#endif
#ifdef SUPPORT_SPF
-# include "spf.h"
+# include "miscmods/spf.h"
#endif
#ifndef DISABLE_DKIM
# include "dkim.h"
diff --git a/src/src/expand.c b/src/src/expand.c
index 08d72f213..b3a1575a7 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -421,51 +421,6 @@ enum {
};


-/* Types of table entry */
-
-enum vtypes {
-  vtype_int,            /* value is address of int */
-  vtype_filter_int,     /* ditto, but recognized only when filtering */
-  vtype_ino,            /* value is address of ino_t (not always an int) */
-  vtype_uid,            /* value is address of uid_t (not always an int) */
-  vtype_gid,            /* value is address of gid_t (not always an int) */
-  vtype_bool,           /* value is address of bool */
-  vtype_stringptr,      /* value is address of pointer to string */
-  vtype_msgbody,        /* as stringptr, but read when first required */
-  vtype_msgbody_end,    /* ditto, the end of the message */
-  vtype_msgheaders,     /* the message's headers, processed */
-  vtype_msgheaders_raw, /* the message's headers, unprocessed */
-  vtype_localpart,      /* extract local part from string */
-  vtype_domain,         /* extract domain from string */
-  vtype_string_func,    /* value is string returned by given function */
-  vtype_todbsdin,       /* value not used; generate BSD inbox tod */
-  vtype_tode,           /* value not used; generate tod in epoch format */
-  vtype_todel,          /* value not used; generate tod in epoch/usec format */
-  vtype_todf,           /* value not used; generate full tod */
-  vtype_todl,           /* value not used; generate log tod */
-  vtype_todlf,          /* value not used; generate log file datestamp tod */
-  vtype_todzone,        /* value not used; generate time zone only */
-  vtype_todzulu,        /* value not used; generate zulu tod */
-  vtype_reply,          /* value not used; get reply from headers */
-  vtype_pid,            /* value not used; result is pid */
-  vtype_host_lookup,    /* value not used; get host name */
-  vtype_load_avg,       /* value not used; result is int from os_getloadavg */
-  vtype_pspace,         /* partition space; value is T/F for spool/log */
-  vtype_pinodes,        /* partition inodes; value is T/F for spool/log */
-  vtype_cert        /* SSL certificate */
-#ifndef DISABLE_DKIM
-  ,vtype_dkim           /* Lookup of value in DKIM signature */
-#endif
-};
-
-/* Type for main variable table */
-
-typedef struct {
-  const char *name;
-  enum vtypes type;
-  void       *value;
-} var_entry;
-
 /* Type for entries pointing to address/length pairs. Not currently
 in use. */


@@ -754,12 +709,12 @@ static var_entry var_table[] = {
   { "spam_score_int",      vtype_stringptr,   &spam_score_int },
 #endif
 #ifdef SUPPORT_SPF
-  { "spf_guess",           vtype_stringptr,   &spf_guess },
-  { "spf_header_comment",  vtype_stringptr,   &spf_header_comment },
-  { "spf_received",        vtype_stringptr,   &spf_received },
-  { "spf_result",          vtype_stringptr,   &spf_result },
-  { "spf_result_guessed",  vtype_bool,        &spf_result_guessed },
-  { "spf_smtp_comment",    vtype_stringptr,   &spf_smtp_comment },
+  { "spf_guess",           vtype_module,    US"spf" },
+  { "spf_header_comment",  vtype_module,    US"spf" },
+  { "spf_received",        vtype_module,    US"spf" },
+  { "spf_result",          vtype_module,    US"spf" },
+  { "spf_result_guessed",  vtype_module,    US"spf" },
+  { "spf_smtp_comment",    vtype_module,    US"spf" },
 #endif
   { "spool_directory",     vtype_stringptr,   &spool_directory },
   { "spool_inodes",        vtype_pinodes,     (void *)TRUE },
@@ -1281,19 +1236,19 @@ return NULL;



static var_entry *
-find_var_ent(uschar * name)
+find_var_ent(uschar * name, var_entry * table, unsigned nent)
{
int first = 0;
-int last = nelem(var_table);
+int last = nent;

while (last > first)
{
int middle = (first + last)/2;
- int c = Ustrcmp(name, var_table[middle].name);
+ int c = Ustrcmp(name, table[middle].name);

if (c > 0) { first = middle + 1; continue; }
if (c < 0) { last = middle; continue; }
- return &var_table[middle];
+ return &table[middle];
}
return NULL;
}
@@ -1420,7 +1375,7 @@ expand_getcertele(uschar * field, uschar * certvar)
{
var_entry * vp;

-if (!(vp = find_var_ent(certvar)))
+if (!(vp = find_var_ent(certvar, var_table, nelem(var_table))))
   {
   expand_string_message =
     string_sprintf("no variable named \"%s\"", certvar);
@@ -1935,9 +1890,11 @@ static const uschar *
 find_variable(uschar * name, esi_flags flags, int * newsize)
 {
 var_entry * vp;
-uschar *s, *domain;
-uschar **ss;
+uschar * s, * domain;
+uschar ** ss;
 void * val;
+var_entry * table = var_table;
+unsigned table_count = nelem(var_table);


/* Handle ACL variables, whose names are of the form acl_cxxx or acl_mxxx.
Originally, xxx had to be a number in the range 0-9 (later 0-19), but from
@@ -1982,9 +1939,11 @@ else if (Ustrncmp(name, "regex", 5) == 0)
}
#endif

+sublist:
+
/* For all other variables, search the table */

-if (!(vp = find_var_ent(name)))
+if (!(vp = find_var_ent(name, table, table_count)))
   return NULL;          /* Unknown variable name */


 /* Found an existing variable. If in skipping state, the value isn't needed,
@@ -2175,6 +2134,20 @@ switch (vp->type)
     return dkim_exim_expand_query((int)(long)val);
 #endif


+  case vtype_module:
+    {
+    uschar * errstr;
+    misc_module_info * mi = misc_mod_find(val, &errstr);
+    if (mi)
+      {
+      table = mi->variables;
+      table_count = mi->variables_count;
+      goto sublist;
+      }
+    log_write(0, LOG_MAIN|LOG_PANIC,
+      "failed to find %s module for %s: %s", US val, name, errstr);
+    return US"";
+    }
   }


 return NULL;  /* Unknown variable. Silences static checkers. */
@@ -2187,7 +2160,8 @@ void
 modify_variable(uschar *name, void * value)
 {
 var_entry * vp;
-if ((vp = find_var_ent(name))) vp->value = value;
+if ((vp = find_var_ent(name, var_table, nelem(var_table))))
+  vp->value = value;
 return;          /* Unknown variable name, fail silently */
 }


@@ -4909,7 +4883,15 @@ while (*s)
       yield = authres_iprev(yield);
       yield = authres_smtpauth(yield);
 #ifdef SUPPORT_SPF
-      yield = authres_spf(yield);
+    {
+    misc_module_info * mi = misc_mod_findonly(US"spf");
+    if (mi)
+      {
+      typedef gstring * (*fn_t)(gstring *);
+      fn_t fn = ((fn_t *) mi->functions)[2];    /* authres_spf */
+      yield = fn(yield);
+      }
+    }
 #endif
 #ifndef DISABLE_DKIM
       yield = authres_dkim(yield);
@@ -7225,7 +7207,8 @@ NOT_ITEM: ;
           string_sprintf("missing '}' closing cert arg of %s", name);
         goto EXPAND_FAILED_CURLY;
         }
-      if ((vp = find_var_ent(sub)) && vp->type == vtype_cert)
+      if (  (vp = find_var_ent(sub, var_table, nelem(var_table)))
+         && vp->type == vtype_cert)
         {
         s = s1+1;
         break;
diff --git a/src/src/functions.h b/src/src/functions.h
index be60d5fc9..aaec6461f 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -151,9 +151,6 @@ extern gstring *authres_dkim(gstring *);
 extern gstring *authres_dmarc(gstring *);
 #endif
 extern gstring *authres_smtpauth(gstring *);
-#ifdef SUPPORT_SPF
-extern gstring *authres_spf(gstring *);
-#endif


 extern uschar *b64encode(const uschar *, int);
 extern uschar *b64encode_taint(const uschar *, int, const void *);
@@ -380,6 +377,8 @@ extern ssize_t mime_decode_base64(FILE *, FILE *, uschar *);
 extern int     mime_regex(const uschar **, BOOL);
 extern void    mime_set_anomaly(int);
 #endif
+extern misc_module_info * misc_mod_find(const uschar * modname, uschar **);
+extern misc_module_info * misc_mod_findonly(const uschar * modname);
 extern uschar *moan_check_errorcopy(const uschar *);
 extern BOOL    moan_skipped_syntax_errors(uschar *, error_block *, uschar *,
                  BOOL, uschar *);
diff --git a/src/src/globals.c b/src/src/globals.c
index 9efc389a6..f2287d41c 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -411,9 +411,6 @@ BOOL    smtp_enforce_sync      = TRUE;
 BOOL    smtp_etrn_serialize    = TRUE;
 BOOL    smtp_input             = FALSE;
 BOOL    smtp_return_error_details = FALSE;
-#ifdef SUPPORT_SPF
-BOOL    spf_result_guessed     = FALSE;
-#endif
 BOOL    split_spool_directory  = FALSE;
 BOOL    spool_wireformat       = FALSE;
 BOOL    strict_acl_vars        = FALSE;
@@ -1501,17 +1498,6 @@ uschar *spam_action            = NULL;
 uschar *spam_score             = NULL;
 uschar *spam_score_int         = NULL;
 #endif
-#ifdef SUPPORT_SPF
-uschar *spf_guess              = US"v=spf1 a/24 mx/24 ptr ?all";
-uschar *spf_header_comment     = NULL;
-uschar *spf_received           = NULL;
-uschar *spf_result             = NULL;
-uschar *spf_smtp_comment       = NULL;
-uschar *spf_smtp_comment_template
-                    /* Used to be: "Please%_see%_http://www.open-spf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}" */
-                               = US"Please%_see%_http://www.open-spf.org/Why";
-
-#endif


 FILE   *spool_data_file           = NULL;
 uschar *spool_directory        = US SPOOL_DIRECTORY
diff --git a/src/src/globals.h b/src/src/globals.h
index a542a179f..9b30e502c 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -1049,16 +1049,6 @@ extern uschar *spam_action;            /* the spamd recommended-action */
 extern uschar *spam_score;             /* the spam score (float) */
 extern uschar *spam_score_int;         /* spam_score * 10 (int) */
 #endif
-#ifdef SUPPORT_SPF
-extern uschar *spf_guess;              /* spf best-guess record */
-extern uschar *spf_header_comment;     /* spf header comment */
-extern uschar *spf_received;           /* Received-SPF: header */
-extern uschar *spf_result;             /* spf result in string form */
-extern BOOL    spf_result_guessed;     /* spf result is of best-guess operation */
-extern uschar *spf_smtp_comment;       /* spf comment to include in SMTP reply */
-extern uschar *spf_smtp_comment_template;
-                                       /* template to construct the spf comment by libspf2 */
-#endif
 extern BOOL    split_spool_directory;  /* TRUE to use multiple subdirs */
 extern FILE   *spool_data_file;           /* handle for -D file */
 extern uschar *spool_directory;        /* Name of spool directory */
diff --git a/src/src/lookups/Makefile b/src/src/lookups/Makefile
index 5193520f9..2bfd691a1 100644
--- a/src/src/lookups/Makefile
+++ b/src/src/lookups/Makefile
@@ -10,8 +10,6 @@


# MAGIC-TAG-MODS-OBJ-RULES-GO-HERE

-OBJ += spf.o
-
 all:             lookups.a $(MODS)


 lookups.a:       $(OBJ)
diff --git a/src/src/lookups/spf.c b/src/src/lookups/spf.c
index a1052d7fc..4e0824911 100644
--- a/src/src/lookups/spf.c
+++ b/src/src/lookups/spf.c
@@ -31,92 +31,46 @@ static void dummy(int x) { dummy2(x-1); }
 #include <spf2/spf_dns_resolv.h>
 #include <spf2/spf_dns_cache.h>


-extern SPF_dns_server_t * SPF_dns_exim_new(int);
-

 static void *
 spf_open(const uschar * filename, uschar ** errmsg)
 {
-SPF_dns_server_t * dc;
-SPF_server_t *spf_server = NULL;
-int debug = 0;
-
-DEBUG(D_lookup) debug = 1;
-
-if ((dc = SPF_dns_exim_new(debug)))
-  if ((dc = SPF_dns_cache_new(dc, NULL, debug, 8)))
-    spf_server = SPF_server_new_dns(dc, debug);
-
-if (!spf_server)
+misc_module_info * mi = misc_mod_find(US"spf", errmsg);
+if (mi)
   {
-  *errmsg = US"SPF_dns_exim_nnew() failed";
-  return NULL;
+  typedef void * (*fn_t)(const uschar *, uschar **);
+  return (((fn_t *) mi->functions)[5]) (filename, errmsg);
   }
-return (void *) spf_server;
+return NULL;
 }



static void
-spf_close(void *handle)
+spf_close(void * handle)
{
-SPF_server_t *spf_server = handle;
-if (spf_server) SPF_server_free(spf_server);
+misc_module_info * mi = misc_mod_find(US"spf", NULL);
+if (mi)
+ {
+ typedef void (*fn_t)(void *);
+ return (((fn_t *) mi->functions)[6]) (handle);
+ }
}

+
 static int
 spf_find(void * handle, const uschar * filename, const uschar * keystring,
   int key_len, uschar ** result, uschar ** errmsg, uint * do_cache,
   const uschar * opts)
 {
-SPF_server_t *spf_server = handle;
-SPF_request_t *spf_request;
-SPF_response_t *spf_response = NULL;
-
-if (!(spf_request = SPF_request_new(spf_server)))
-  {
-  *errmsg = US"SPF_request_new() failed";
-  return FAIL;
-  }
-
-#if HAVE_IPV6
-switch (string_is_ip_address(filename, NULL))
-#else
-switch (4)
-#endif
+misc_module_info * mi = misc_mod_find(US"spf", errmsg);
+if (mi)
   {
-  case 4:
-    if (!SPF_request_set_ipv4_str(spf_request, CS filename))
-      break;
-    *errmsg = string_sprintf("invalid IPv4 address '%s'", filename);
-    return FAIL;
-#if HAVE_IPV6
-
-  case 6:
-    if (!SPF_request_set_ipv6_str(spf_request, CS filename))
-      break;
-    *errmsg = string_sprintf("invalid IPv6 address '%s'", filename);
-    return FAIL;
-
-  default:
-    *errmsg = string_sprintf("invalid IP address '%s'", filename);
-    return FAIL;
-#endif
+  typedef int (*fn_t) (void *, const uschar *, const uschar *,
+              int, uschar **, uschar **, uint *, const uschar *);
+  return (((fn_t *) mi->functions)[7]) (handle, filename, keystring, key_len,
+                      result, errmsg, do_cache, opts);
   }
-
-if (SPF_request_set_env_from(spf_request, CS keystring))
-    {
-  *errmsg = string_sprintf("invalid envelope from address '%s'", keystring);
-  return FAIL;
-}
-
-SPF_request_query_mailfrom(spf_request, &spf_response);
-*result = string_copy(US SPF_strresult(SPF_response_result(spf_response)));
-
-DEBUG(D_lookup) spf_response_debug(spf_response);
-
-SPF_response_free(spf_response);
-SPF_request_free(spf_request);
-return OK;
+return FAIL;
 }



@@ -138,7 +92,7 @@ return g;
}


-static lookup_info _lookup_info = {
+static lookup_info spf_lookup_info = {
   .name = US"spf",            /* lookup name */
   .type = 0,                /* not absfile, not query style */
   .open = spf_open,            /* open function */
@@ -150,11 +104,11 @@ static lookup_info _lookup_info = {
   .version_report = spf_version_report             /* version reporting */
 };


-#ifdef DYNLOOKUP
+#ifdef notdef_DYNLOOKUP
#define spf_lookup_module_info _lookup_module_info
#endif

-static lookup_info *_lookup_list[] = { &_lookup_info };
+static lookup_info *_lookup_list[] = { &spf_lookup_info };
lookup_module_info spf_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };

#endif /* SUPPORT_SPF */
diff --git a/src/src/macros.h b/src/src/macros.h
index 3bfcf51d5..7bcc7cd04 100644
--- a/src/src/macros.h
+++ b/src/src/macros.h
@@ -704,7 +704,7 @@ can be easily tested as a group. That is the only use of opt_bool_last. */
enum { opt_bit = 32, opt_bool_verify, opt_bool_set, opt_expand_bool,
opt_bool_last,
opt_rewrite, opt_timelist, opt_uid, opt_gid, opt_uidlist, opt_gidlist,
- opt_expand_uid, opt_expand_gid, opt_func, opt_void };
+ opt_expand_uid, opt_expand_gid, opt_func, opt_void, opt_module };

 /* There's a high-ish bit which is used to flag duplicate options, kept
 for compatibility, which shouldn't be output. Also used for hidden options
diff --git a/src/src/miscmods/Makefile b/src/src/miscmods/Makefile
new file mode 100644
index 000000000..59bf29836
--- /dev/null
+++ b/src/src/miscmods/Makefile
@@ -0,0 +1,31 @@
+# Make file for building Exim's lookup modules.
+# This is called from the main make file, after cd'ing
+# to the misc_modulessubdirectory.
+#
+# Copyright (c) The Exim Maintainers 2024
+
+# nb: at build time, the version of this file used will have had some
+#     extra variable definitions and prepended to it and module build rules
+#     interpolated below. This is done by scripts/lookups-Makefile.
+
+# MAGIC-TAG-MODS-OBJ-RULES-GO-HERE
+
+
+all:        miscmods.a $(MODS)
+
+miscmods.a:    $(OBJ)
+        @$(RM_COMMAND) -f miscmods.a
+        @echo "$(AR) miscmods.a"
+        @$(AR) miscmods.a $(OBJ)
+        $(RANLIB) $@
+
+.SUFFIXES:      .o .c .so
+.c.o:;          @echo "$(CC) $*.c"
+        $(FE)$(CC) -c $(CFLAGS) $(INCLUDE) $*.c
+
+.c.so:;         @echo "$(CC) -shared $*.c"
+        $(FE)$(CC) $(SUPPORT_$*_INCLUDE) $(SUPPORT_$*_LIBS) -DDYNLOOKUP $(CFLAGS_DYNAMIC) $(CFLAGS) $(INCLUDE) $(DLFLAGS) $*.c -o $@
+
+spf.o spf.so:    $(HDRS) spf.h spf.c
+
+# End
diff --git a/src/src/spf.c b/src/src/miscmods/spf.c
similarity index 71%
rename from src/src/spf.c
rename to src/src/miscmods/spf.c
index 9abe18fc3..a7b6c6a8d 100644
--- a/src/src/spf.c
+++ b/src/src/miscmods/spf.c
@@ -11,7 +11,7 @@


/* Code for calling spf checks via libspf-alt. Called from acl.c. */

-#include "exim.h"
+#include "../exim.h"
#ifdef SUPPORT_SPF

/* must be kept in numeric order */
@@ -34,8 +34,20 @@ SPF_response_t *spf_response_2mx = NULL;

SPF_dns_rr_t * spf_nxdomain = NULL;

+uschar * spf_guess              = US"v=spf1 a/24 mx/24 ptr ?all";
+uschar * spf_header_comment     = NULL;
+uschar * spf_received           = NULL;
+uschar * spf_result             = NULL;
+uschar * spf_smtp_comment       = NULL;
+uschar * spf_smtp_comment_template
+                    /* Used to be: "Please%_see%_http://www.open-spf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}" */
+                = US"Please%_see%_http://www.open-spf.org/Why";
+BOOL    spf_result_guessed     = FALSE;


-gstring *
+
+
+
+static gstring *
spf_lib_version_report(gstring * g)
{
int maj, min, patch;
@@ -188,12 +200,12 @@ return spfrr;



-SPF_dns_server_t *
+static SPF_dns_server_t *
SPF_dns_exim_new(int debug)
{
SPF_dns_server_t * spf_dns_server = store_malloc(sizeof(SPF_dns_server_t));

-DEBUG(D_receive) debug_printf("SPF_dns_exim_new\n");
+/* DEBUG(D_receive) debug_printf("SPF_dns_exim_new\n"); */

 memset(spf_dns_server, 0, sizeof(SPF_dns_server_t));
 spf_dns_server->destroy      = NULL;
@@ -225,8 +237,8 @@ return spf_dns_server;
    Return: Boolean success.
 */


-BOOL
-spf_init(void)
+static BOOL
+spf_init(void * dummy_ctx)
{
SPF_dns_server_t * dc;
int debug = 0;
@@ -278,13 +290,13 @@ return TRUE;
Return: Boolean success
*/

-BOOL
+static BOOL
spf_conn_init(uschar * spf_helo_domain, uschar * spf_remote_addr)
{
DEBUG(D_receive)
debug_printf("spf_conn_init: %s %s\n", spf_helo_domain, spf_remote_addr);

-if (!spf_server && !spf_init()) return FALSE;
+if (!spf_server && !spf_init(NULL)) return FALSE;

if (SPF_server_set_rec_dom(spf_server, CS primary_hostname))
{
@@ -320,8 +332,15 @@ if (SPF_request_set_helo_dom(spf_request, CS spf_helo_domain))
return TRUE;
}

+static void
+spf_smtp_reset(void)
+{
+spf_header_comment = spf_received = spf_result = spf_smtp_comment = NULL;
+spf_result_guessed = FALSE;
+}
+

-void
+static void
spf_response_debug(SPF_response_t * spf_response)
{
if (SPF_response_messages(spf_response) == 0)
@@ -343,7 +362,7 @@ else for (int i = 0; i < SPF_response_messages(spf_response); i++)

Return: OK/FAIL */

-int
+static int
spf_process(const uschar ** listptr, const uschar * spf_envelope_sender,
int action)
{
@@ -407,7 +426,7 @@ return FAIL;



-gstring *
+static gstring *
authres_spf(gstring * g)
{
uschar * s;
@@ -439,4 +458,149 @@ return g;
}


+/* Ugly; used only by dmarc (peeking into our data!)
+Exposure of values as $variables might be better? */
+
+static SPF_response_t *
+spf_get_response(void)
+{
+return spf_response;
+}
+
+/******************************************************************************/
+/* Lookup support */
+
+static void *
+spf_lookup_open(const uschar * filename, uschar ** errmsg)
+{
+SPF_dns_server_t * dc;
+SPF_server_t * spf_server = NULL;
+int debug = 0;
+
+DEBUG(D_lookup) debug = 1;
+
+if ((dc = SPF_dns_exim_new(debug)))
+  if ((dc = SPF_dns_cache_new(dc, NULL, debug, 8)))
+    spf_server = SPF_server_new_dns(dc, debug);
+
+if (!spf_server)
+  {
+  *errmsg = US"SPF_dns_exim_nnew() failed";
+  return NULL;
+  }
+return (void *) spf_server;
+}
+
+static void
+spf_lookup_close(void * handle)
+{
+SPF_server_t * spf_server = handle;
+if (spf_server) SPF_server_free(spf_server);
+}
+
+static int
+spf_lookup_find(void * handle, const uschar * filename,
+  const uschar * keystring, int key_len, uschar ** result, uschar ** errmsg,
+  uint * do_cache, const uschar * opts)
+{
+SPF_server_t *spf_server = handle;
+SPF_request_t *spf_request;
+SPF_response_t *spf_response = NULL;
+
+if (!(spf_request = SPF_request_new(spf_server)))
+  {
+  *errmsg = US"SPF_request_new() failed";
+  return FAIL;
+  }
+
+#if HAVE_IPV6
+switch (string_is_ip_address(filename, NULL))
+#else
+switch (4)
+#endif
+  {
+  case 4:
+    if (!SPF_request_set_ipv4_str(spf_request, CS filename))
+      break;
+    *errmsg = string_sprintf("invalid IPv4 address '%s'", filename);
+    return FAIL;
+#if HAVE_IPV6
+
+  case 6:
+    if (!SPF_request_set_ipv6_str(spf_request, CS filename))
+      break;
+    *errmsg = string_sprintf("invalid IPv6 address '%s'", filename);
+    return FAIL;
+
+  default:
+    *errmsg = string_sprintf("invalid IP address '%s'", filename);
+    return FAIL;
 #endif
+  }
+
+if (SPF_request_set_env_from(spf_request, CS keystring))
+    {
+  *errmsg = string_sprintf("invalid envelope from address '%s'", keystring);
+  return FAIL;
+}
+
+SPF_request_query_mailfrom(spf_request, &spf_response);
+*result = string_copy(US SPF_strresult(SPF_response_result(spf_response)));
+
+DEBUG(D_lookup) spf_response_debug(spf_response);
+
+SPF_response_free(spf_response);
+SPF_request_free(spf_request);
+return OK;
+}
+
+
+/******************************************************************************/
+/* Module API */
+
+static optionlist spf_options[] = {
+  { "spf_guess",                opt_stringptr,   {&spf_guess} },
+  { "spf_smtp_comment_template",opt_stringptr,   {&spf_smtp_comment_template} },
+};
+
+static void * spf_functions[] = {
+  spf_conn_init,
+  spf_process,
+  authres_spf,
+  spf_get_response,        /* ugly; for dmarc */
+  spf_smtp_reset,
+  
+  spf_lookup_open,
+  spf_lookup_close,
+  spf_lookup_find,
+};
+
+static var_entry spf_variables[] = {
+  { "spf_guess",        vtype_stringptr,    &spf_guess },
+  { "spf_header_comment",    vtype_stringptr,    &spf_header_comment },
+  { "spf_received",        vtype_stringptr,    &spf_received },
+  { "spf_result",        vtype_stringptr,    &spf_result },
+  { "spf_result_guessed",    vtype_bool,        &spf_result_guessed },
+  { "spf_smtp_comment",        vtype_stringptr,    &spf_smtp_comment },
+};
+
+misc_module_info spf_module_info =
+{
+  .name =        US"spf",
+# if SUPPORT_SPF==2
+  .dyn_magic =        MISC_MODULE_MAGIC,
+# endif
+  .init =        spf_init,
+  .lib_vers_report =    spf_lib_version_report,
+
+  .options =        spf_options,
+  .options_count =    nelem(spf_options),
+
+  .functions =        spf_functions,
+  .functions_count =    nelem(spf_functions),
+
+  .variables =        spf_variables,
+  .variables_count =    nelem(spf_variables),
+};
+
+#endif    /* almost all the file */
diff --git a/src/src/spf.h b/src/src/miscmods/spf.h
similarity index 77%
rename from src/src/spf.h
rename to src/src/miscmods/spf.h
index 7e9a6ca2a..679eab44b 100644
--- a/src/src/spf.h
+++ b/src/src/miscmods/spf.h
@@ -25,13 +25,6 @@ typedef struct spf_result_id {
   int    value;
 } spf_result_id;


-/* prototypes */
-gstring * spf_lib_version_report(gstring *);
-BOOL spf_init(void);
-BOOL spf_conn_init(uschar *, uschar *);
-int  spf_process(const uschar **, const uschar *, int);
-void spf_response_debug(SPF_response_t *);
-
 #define SPF_PROCESS_NORMAL  0
 #define SPF_PROCESS_GUESS   1
 #define SPF_PROCESS_FALLBACK    2
diff --git a/src/src/readconf.c b/src/src/readconf.c
index a090cfb30..1fe6b7341 100644
--- a/src/src/readconf.c
+++ b/src/src/readconf.c
@@ -344,8 +344,8 @@ static optionlist optionlist_config[] = {
   { "spamd_address",            opt_stringptr,   {&spamd_address} },
 #endif
 #ifdef SUPPORT_SPF
-  { "spf_guess",                opt_stringptr,   {&spf_guess} },
-  { "spf_smtp_comment_template",opt_stringptr,   {&spf_smtp_comment_template} },
+  { "spf_guess",                opt_module,     {US"spf"} },
+  { "spf_smtp_comment_template",opt_module,     {US"spf"} },
 #endif
   { "split_spool_directory",    opt_bool,        {&split_spool_directory} },
   { "spool_directory",          opt_stringptr,   {&spool_directory} },
@@ -1764,6 +1764,8 @@ if (Ustrncmp(name, "not_", 4) == 0)
   offset = 4;
   }


+sublist:
+
/* Search the list for the given name. A non-existent name, or an option that
is set twice, is a disaster. */

@@ -2443,6 +2445,20 @@ switch (type)
   case opt_func:
     ol->v.fn(name, s, 0);
     break;
+
+  case opt_module:
+    {
+    uschar * errstr;
+    misc_module_info * mi = misc_mod_find(US ol->v.value, &errstr);
+    if (!mi)
+      log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
+    "failed to find %s module for %s: %s", US ol->v.value, name, errstr);
+
+debug_printf("hunting for option %s in module %s\n", name, mi->name);
+    oltop = mi->options;
+    last = mi->options_count;
+    goto sublist;
+    }
   }


return TRUE;
diff --git a/src/src/receive.c b/src/src/receive.c
index 1ee02c5b7..336b37410 100644
--- a/src/src/receive.c
+++ b/src/src/receive.c
@@ -1836,7 +1836,7 @@ if (smtp_input && !smtp_batched_input && !f.dkim_disable_verify)
#endif

 #ifdef SUPPORT_DMARC
-if (sender_host_address) dmarc_init();    /* initialize libopendmarc */
+if (sender_host_address) dmarc_conn_init();    /* initialize libopendmarc */
 #endif


 /* In SMTP sessions we may receive several messages in one connection. Before
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index 7c2b4a292..f9bd3ece8 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -1682,8 +1682,14 @@ bmi_verdicts = NULL;
 #endif
 dnslist_domain = dnslist_matched = NULL;
 #ifdef SUPPORT_SPF
-spf_header_comment = spf_received = spf_result = spf_smtp_comment = NULL;
-spf_result_guessed = FALSE;
+  {
+  misc_module_info * mi = misc_mod_findonly(US"spf");
+  if (mi)
+    {
+    typedef void (*fn_t)(void);
+    (((fn_t *) mi->functions)[4])();    /* spf_smtp_reset*/
+    }
+  }
 #endif
 #ifndef DISABLE_DKIM
 dkim_cur_signer = dkim_signers =
@@ -4020,8 +4026,22 @@ while (done <= 0)
     }


 #ifdef SUPPORT_SPF
-      /* set up SPF context */
-      spf_conn_init(sender_helo_name, sender_host_address);
+      /* If we have an spf module, set up SPF context */
+      {
+      misc_module_info * mi = misc_mod_findonly(US"spf");
+      if (mi)
+    {
+    /* We have hardwired function-call numbers, and also prototypes for the
+    functions.  We could do a function name table search for the number
+    but I can't see how to deal with prototypes.  Is a K&R non-prototyped
+    function still usable with today's compilers? */
+
+    typedef BOOL (*fn_t)(uschar *, uschar *);
+    fn_t fn = ((fn_t *) mi->functions)[0];    /* spf_conn_init */
+
+    (void) fn(sender_helo_name, sender_host_address);
+    }
+      }
 #endif


       /* Apply an ACL check if one is defined; afterwards, recheck
diff --git a/src/src/structs.h b/src/src/structs.h
index 9492dbac2..2c8c77c43 100644
--- a/src/src/structs.h
+++ b/src/src/structs.h
@@ -965,4 +965,73 @@ typedef struct qrunner {
   BOOL queue_2stage :1;
 } qrunner;


+
+/* Types of variable table entry */
+
+enum vtypes {
+  vtype_int,            /* value is address of int */
+  vtype_filter_int,     /* ditto, but recognized only when filtering */
+  vtype_ino,            /* value is address of ino_t (not always an int) */
+  vtype_uid,            /* value is address of uid_t (not always an int) */
+  vtype_gid,            /* value is address of gid_t (not always an int) */
+  vtype_bool,           /* value is address of bool */
+  vtype_stringptr,      /* value is address of pointer to string */
+  vtype_msgbody,        /* as stringptr, but read when first required */
+  vtype_msgbody_end,    /* ditto, the end of the message */
+  vtype_msgheaders,     /* the message's headers, processed */
+  vtype_msgheaders_raw, /* the message's headers, unprocessed */
+  vtype_localpart,      /* extract local part from string */
+  vtype_domain,         /* extract domain from string */
+  vtype_string_func,    /* value is string returned by given function */
+  vtype_todbsdin,       /* value not used; generate BSD inbox tod */
+  vtype_tode,           /* value not used; generate tod in epoch format */
+  vtype_todel,          /* value not used; generate tod in epoch/usec format */
+  vtype_todf,           /* value not used; generate full tod */
+  vtype_todl,           /* value not used; generate log tod */
+  vtype_todlf,          /* value not used; generate log file datestamp tod */
+  vtype_todzone,        /* value not used; generate time zone only */
+  vtype_todzulu,        /* value not used; generate zulu tod */
+  vtype_reply,          /* value not used; get reply from headers */
+  vtype_pid,            /* value not used; result is pid */
+  vtype_host_lookup,    /* value not used; get host name */
+  vtype_load_avg,       /* value not used; result is int from os_getloadavg */
+  vtype_pspace,         /* partition space; value is T/F for spool/log */
+  vtype_pinodes,        /* partition inodes; value is T/F for spool/log */
+  vtype_cert,        /* SSL certificate */
+#ifndef DISABLE_DKIM
+  vtype_dkim,           /* Lookup of value in DKIM signature */
+#endif
+  vtype_module,        /* variable lives in a module; value is module name */
+};
+
+/* Type for main variable table */
+
+typedef struct {
+  const char *name;
+  enum vtypes type;
+  void       *value;
+} var_entry;
+
+
+
+/* dynamic-load module info */
+
+typedef struct misc_module_info {
+  struct misc_module_info * next;
+
+  const uschar * name;
+  unsigned    dyn_magic;
+  BOOL        (*init)(void *);    /* arg is the misc_module_info ptr */
+  gstring *    (*lib_vers_report)(gstring *);    /* underlying library */
+
+  void *    options;
+  unsigned    options_count;
+  void *    functions;
+  unsigned    functions_count;
+  void *    variables;
+  unsigned    variables_count;
+} misc_module_info;
+
+#define MISC_MODULE_MAGIC    0x4d4d4d31    /* MMM1 */
+
 /* End of structs.h */
diff --git a/test/runtest b/test/runtest
index 3e10a5ab7..dcf6d76b2 100755
--- a/test/runtest
+++ b/test/runtest
@@ -383,7 +383,7 @@ $date = "\\d{2}-\\w{3}-\\d{4}\\s\\d{2}:\\d{2}:\\d{2}";


# Debug time & pid

-$time_pid = "(?:\\d{2}:\\d{2}:\\d{2}\\s+\\d+\\s)";
+$time_pid = "(?:(?:\\d{2}:\\d{2}:\\d{2}\\s+)?\\d+\\s)";

 # Pattern for matching pids at start of stderr lines; initially something
 # that won't match.
@@ -1315,11 +1315,14 @@ RESET_AFTER_EXTRA_LINE_READ:
     # different libraries will have different numbers (possibly 0) of follow-up
     # lines, indenting with more data
     if (/^$time_pid?Library version:/) {
-      while (1) {
+      $_ = <IN>;
+      if (/^$time_pid?\s/) {
     $_ = <IN>;
-    next if /^$time_pid?\s/;
-    goto RESET_AFTER_EXTRA_LINE_READ;
+    if (/^$time_pid?\s/) {
+      $_ = <IN>;
+    }
       }
+      goto RESET_AFTER_EXTRA_LINE_READ;
     }


     # drop other build-time controls emitted for debugging
@@ -1556,8 +1559,10 @@ RESET_AFTER_EXTRA_LINE_READ:
     next if /^DKIM >> Body data for hash, canonicalized/;


     # Not all platforms build with SPF enabled
-    next if /(^spf_conn_init|^SPF_dns_exim_new|spf_compile\.c)/;
+    next if /(^$time_pid?spf_conn_init|spf_compile\.c)/;
     next if /try option spf_smtp_comment_template$/;
+    next if /loading module 'spf'$/;
+    next if /^Loaded "spf"$/;


     # Not all platforms have sendfile support
     next if /^cannot use sendfile for body: no support$/;
diff --git a/test/stderr/2610 b/test/stderr/2610
index c762e0340..564fb7b11 100644
--- a/test/stderr/2610
+++ b/test/stderr/2610
@@ -304,8 +304,6 @@ close MYSQL connection: 127.0.0.1:PORT_N/test/root
 01:01:01 p1235  sender_fullhost = (test) [10.0.0.0]
 01:01:01 p1235  sender_rcvhost = [10.0.0.0] (helo=test)
 01:01:01 p1235  set_process_info: pppp handling incoming connection from (test) [10.0.0.0]
-01:01:01 p1235  spf_conn_init: test 10.0.0.0
-01:01:01 p1235  SPF_dns_exim_new
 01:01:01 p1235  try option acl_smtp_helo
 01:01:01 p1235  SMTP>> 250 myhost.test.ex Hello test [10.0.0.0]
 01:01:01 p1235  SMTP<< mail from:<a@b>


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-cvs.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-cvs-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/