jcbf / smf-spf
It's a lightweight, fast and reliable Sendmail milter that implements the Sender Policy Framework
License: GNU General Public License v3.0
Would you be so kind to move the v2.1.0 and v2.2.0 tags (and releases) up to commit 55593a8? Because I can't compile from the v2.1.0 release; it fails with the following error:
smf-spf.c: In function 'smf_envfrom':
smf-spf.c:772:44: error: 'accept_temperror' undeclared (first use in this function)
if (status == SPF_RESULT_TEMPERROR && !accept_temperror) {
^~~~~~~~~~~~~~~~
When a user authenticates, smf-spf skips SPF evaluation. Please make this behavior configurable.
When implementing a systemd service file, I found out that for the milter to run in the foreground, the config file option Daemonize needs to be enabled per se.
I would expect that the command-line option -f overrides any config file option, making it easier to implement a working systemd service, without ever caring about what the end user might set in the config file. This is how command-line options normally work.
Hi,
I used the original code v2.0.2 for a long time and now found this, v2.3.0, compiled and started it, but somehow headers in emails are gone, but the conf file is old and contains:
AddHeader on
How to fix it?
Hi, Sendmail 8.15.2 on Ubuntu 17.10
In the logs I see
Nov 3 04:07:19 ws1-fra smf-spf[19861]: SPF fail: ip=107.174.52.151, fqdn=[107.174.52.151], helo=so578sy.com, from=[email protected]
Nov 3 04:07:19 ws1-fra sm-mta[23903]: vA347GJM023903: Milter: from=[email protected], reject=550 5.7.1 Command rejected
Any ideas why sendmail is not passing back the proper return string?
I saw this comment in spf-milter.pl source code
# Need to escape unprotected % characters in spf_smtp_comment,
# or sendmail will use the default "Command rejected" message instead.
# Noted by Paul Howarth
Could it be something to do with that?
This can be applied on the submission port and would allow blocking messages that will fail SPF evaluation on the next hop.
Hi,
https://github.com/jcbf/smf-spf/blob/v2.4.2/smf-spf.c
#define VERSION "2.4.1"
2.4.1 > 2.4.2
Refuse e-Mail messages when there is an empty sender and there isn't an SPF policy for the server name. Server name is the HELO identity.
fro > from
Should return a temp error according to RFC 7208
https://tools.ietf.org/html/rfc7208#section-8.6
8.6. Temperror
A "temperror" result means the SPF verifier encountered a transient (generally DNS) error while performing the check. Checking software can choose to accept or temporarily reject the message. If the message is rejected during the SMTP transaction for this reason, the software SHOULD use an SMTP reply code of 451 and, if supported, the 4.4.3 enhanced status code (see Section 3.5 of [RFC3463]). These errors can be caused by problems in either the sender's or receiver's DNS software. See Appendix G.4 for considerations on developing local policy.
A configuration keyword may be used to specify the behaviour (accept or temp reject).
If you have a configuration value with spaces, only the first word is considered.
Example:
RejectReason Rejected - Please configure your SPF record
When rejecting you only get:
550 5.7.23 Rejected
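Added example (not smf-spf's own code): one way to read a configuration line so that a RejectReason containing spaces keeps the whole sentence, while a trailing " # (on|off)"-style comment such as the one in the RefuseNone snippet further down is still dropped. The function name parse_config_line and the caller-supplied buffers are my assumptions.

```c
/* Added example (not smf-spf's own code): read one configuration line as
 * "Keyword value...", keeping the whole rest of the line as the value, so
 * "RejectReason Rejected - Please configure your SPF record" yields the full
 * sentence instead of just "Rejected". A trailing " # comment" is dropped. */
#include <ctype.h>
#include <string.h>

/* Returns 1 and fills key/val, or 0 for blank and comment-only lines.
 * key and val must each have room for strlen(line) + 1 bytes. */
int parse_config_line(const char *line, char *key, char *val)
{
    const char *p = line, *end, *q;
    size_t n;

    while (isspace((unsigned char)*p)) p++;
    if (*p == '\0' || *p == '#')
        return 0;

    /* Keyword: the first run of non-blank characters. */
    for (n = 0; p[n] && !isspace((unsigned char)p[n]); n++)
        key[n] = p[n];
    key[n] = '\0';
    p += n;
    while (isspace((unsigned char)*p)) p++;

    /* Value: the rest of the line, minus an inline comment. A '#' only
     * starts a comment at the value start or after blank space, so a '#'
     * glued to a word (e.g. inside a URL) is kept. */
    end = p + strlen(p);
    for (q = p; *q; q++) {
        if (*q == '#' && (q == p || isspace((unsigned char)q[-1]))) {
            end = q;
            break;
        }
    }
    /* Trim trailing blanks and the line terminator. */
    while (end > p && isspace((unsigned char)end[-1])) end--;

    memcpy(val, p, (size_t)(end - p));
    val[end - p] = '\0';
    return 1;
}
```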
Sometimes Google Docs sends emails with large local parts.
In all SMTP-related RFCs the limit is set to 64 octets**, but the observed "MAIL FROM" has 86 octets.
**
https://tools.ietf.org/html/rfc5321#section-4.5.3.1.1
https://tools.ietf.org/html/rfc2821#section-4.5.3.1
https://tools.ietf.org/html/rfc821#section-4.5.3
Need to create test cases
Reject bounce messages for DSN (HELO identity) when there isn't a defined policy.
There is a check on the address size, but it only checks the domain part. When the local part is bigger than the allowed 64 octets, it should return a reject message.
References: 4.5.3.1.1. Local-part: The maximum total length of a user name or other local-part is 64 octets.
Hi,
For a minimized docker image, it would be great if smf-spf can be configured to log to a file (e.g. /dev/stdout) instead of relying on syslog. What do you think?
Best regards,
Chris
Create a configuration keyword to force a given hostname to be used in Authentication-Results headers.
When Bounce rejection is on (feature #44), select between hard fail or soft fail.
FixedIP has precedence over ClientIPNat. Usually, this is not desired.
I would like to use the tool on Debian. When compiling I always get:
~/smf-spf# make
gcc -O2 -D_REENTRANT -fomit-frame-pointer -I/usr/local/include -c smf-spf.c
smf-spf.c:22:10: fatal error: arpa/inet.h: No such file or directory
#include <arpa/inet.h>
^~~~~~~~~~~~~
compilation terminated.
make: *** [Makefile:31: smf-spf.o] Error 1
Do you have an idea why? :S
Release with test and coverage
Hi,
I have an issue with one sender:
Received: from mda-out.datacenter.fi (mda-out.datacenter.fi [89.250.48.136])
Authentication-Results: SPF; spf=fail smtp.mailfrom=[email protected] smtp.helo=mda-out.datacenter.fi
But the sender's SPF record and DNS are correct:
nslookup mda-out.datacenter.fi
Address: 89.250.48.136
nslookup -q=txt huuto.net
huuto.net text = "v=spf1 mx a:mda-out.datacenter.fi include:mktomail.com include:spf.protection.outlook.com -all"
I guess the reason is that the sender is also using a deprecated type 99 record, which is not equal to the TXT record:
nslookup -q=spf huuto.net
huuto.net rdata_99 = "v=spf1 include:spf.protection.outlook.com -all"
Based on https://mxtoolbox.com/problem/spf/spf-record-deprecated:
"Hostname has returned a SPF Record that has been deprecated
The use of alternative DNS RR types that was formerly supported during the experimental phase of SPF was discontinued in 2014. SPF records must now only be published as a DNS TXT (type 16) Resource Record (RR) [RFC1035]. See RFC 7208 for further detail on this change.
According to RFC 7208 Section 3.1: During the period when SPF was in development, requirements for assigning a new DNS RR type were more stringent than they are today and support for the deployment of new DNS RR types was not deployed in DNS servers and provisioning systems. The end result was that developers of SPF discovered it was easier and more practical to follow the TXT RR type for SPF."
So please modify smf-spf, either permanently or optionally, to ignore the deprecated type 99 SPF record.
Hello,
Thanks for this beautiful software.
I'd like to be able to reject emails at SPF None results. I mean, I'd want to reject all mail from domains that do not have an SPF policy.
# Refuse e-Mail messages at SPF None results
#
# Default: off
#
RefuseNone off # (on|off)
Do you know if that could be an accepted new feature?
Thanks.
Should extract the application name used in Syslog from the command line.
Ex.
unixbox # /home/user/smf-spf/spf-milter -f -c ./smf-spf.conf
Apr 30 18:13:18 unixbox spf-milter[9191]: starting spf-milter 2.4.3 listening on unix:/var/run/smfs/smf-spf.sock
When an e-Mail is refused, use a 450 code instead of 550.
When a domain doesn't have an SPF record, try to guess.
Use "v=spf1 a/24 mx/24 ptr ?all" as the default record.
Is it possible to make a release or version tag for this repo?
I want to use it for compiling from sources.
Hello,
Any idea when you plan to release a new version?
The smf-spf package for Fedora was just approved and I need the latest version (which includes the up-to-date COPYING file) to continue with the packaging.
Thanks!
When RCPT TO matches WhitelistTo, the message should be accepted.
Hi,
From https://github.com/jcbf/smf-spf/blob/master/smf-spf.conf
RejectReason specifies the message that will be returned to the milter client.
You can use %s placeholders where :
1st %s - sender address or postmaster@<helo name> if empty sender
2nd %s - sender IP Address
3rd %s - server name ({j} macro)
Default: Rejected, look at http://www.openspf.org/why.html?sender=%s&ip=%s&receiver=%s
As www.openspf.org has now been closed for two years, the RejectReason-generated URL is not clickable, and that's why this message should be disabled by default, but it's impossible, as there is no on/off option available. As I could not find any alternative, and as the parameter order is currently fixed, at the moment I changed RejectReason to a static text: "An SPF enabled mail server rejected message from %s, because sender address %s does not exist in the domain corresponding SPF record."
For better customization, please change the parameters and allow any parameter order, something like:
%sa - sender address or postmaster@ if empty sender
%sd - sender domain
%ip - sender IP address
%sn - server name
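Added example, not code from smf-spf: expanding the named placeholders proposed above (%sa, %sd, %ip, %sn) in any order, and doubling every remaining '%' so the text survives sendmail's reply handling (the spf-milter.pl comment quoted in an earlier issue notes the fallback to "Command rejected" otherwise). The function and struct names are assumptions, and the sender, IP and server values in the comments are constructed.

```c
/* Added example (not smf-spf's own code): expand named RejectReason
 * placeholders in any order, then double every remaining '%' so sendmail
 * does not discard the text and fall back to "Command rejected".
 * Token names %sa/%sd/%ip/%sn are the ones proposed in the issue above. */
#include <string.h>

struct reject_ctx {
    const char *sender;   /* MAIL FROM, or postmaster@<helo> if empty */
    const char *domain;   /* sender domain */
    const char *ip;       /* client IP address */
    const char *server;   /* receiving server name ({j} macro) */
};
/* Write one char, doubling '%'; 0 when out of room (NUL byte reserved). */
static int put_escaped(char *out, size_t cap, size_t *pos, char ch)
{
    size_t need = (ch == '%') ? 2 : 1;
    if (*pos + need >= cap) return 0;
    if (ch == '%') out[(*pos)++] = '%';
    out[(*pos)++] = ch;
    return 1;
}

/* Expand tmpl into out (capacity cap). Admins write '%' unescaped in the
 * template; escaping happens here. Returns the length written, or -1 when
 * the reply does not fit (the caller should then use a fixed fallback). */
int expand_reject_reason(const char *tmpl, const struct reject_ctx *c,
                         char *out, size_t cap)
{
    size_t pos = 0;
    if (cap == 0) return -1;
    while (*tmpl) {
        const char *val = NULL;
        if (*tmpl == '%') {
            if (!strncmp(tmpl, "%sa", 3))      val = c->sender;
            else if (!strncmp(tmpl, "%sd", 3)) val = c->domain;
            else if (!strncmp(tmpl, "%ip", 3)) val = c->ip;
            else if (!strncmp(tmpl, "%sn", 3)) val = c->server;
        }
        if (val) {                      /* known token: copy its value */
            for (; *val; val++)
                if (!put_escaped(out, cap, &pos, *val)) return -1;
            tmpl += 3;
        } else if (!put_escaped(out, cap, &pos, *tmpl++)) {
            return -1;                  /* literal char, '%' doubled */
        }
    }
    out[pos] = '\0';
    return (int)pos;
}
```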
01-fixwarnings.patch.txt
02-ar-header.patch.txt
03-no_daemon.patch.txt
04-logging.patch.txt
05-insert_header.patch.txt
06-ipv6.patch.txt
src_prepare() {
epatch "${FILESDIR}"/01-fixwarnings.patch
epatch "${FILESDIR}"/02-ar-header.patch
epatch "${FILESDIR}"/03-no_daemon.patch
epatch "${FILESDIR}"/04-logging.patch
epatch "${FILESDIR}"/05-insert_header.patch
epatch "${FILESDIR}"/06-ipv6.patch
}
Can these patches be added?
According to Section 4.5.3.1.3. of RFC 5321
The maximum total length of a reverse-path or forward-path is 256 octets (including the punctuation and element separators).
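Added example, not smf-spf's own code, covering both this quote and the earlier local-part issue: checking a MAIL FROM or RCPT TO path against the two RFC 5321 limits the issues cite (64-octet local-part, 256-octet path). check_path_limits and the enum names are assumptions; the empty reverse-path "<>" used by DSNs is reported separately so the bounce handling discussed elsewhere on the page stays a distinct decision.

```c
/* Added example (not smf-spf's own code): check a MAIL FROM / RCPT TO
 * path against the RFC 5321 limits quoted in the issues above: local-part
 * at most 64 octets (4.5.3.1.1) and the whole path at most 256 octets
 * including the angle brackets (4.5.3.1.3). "<>" (DSN) is accepted. */
#include <string.h>

enum path_check {
    PATH_OK = 0,
    PATH_EMPTY,              /* "<>": bounce / DSN, no mailbox to check */
    PATH_MALFORMED,          /* missing '@' or angle brackets */
    PATH_LOCALPART_TOO_LONG,
    PATH_TOO_LONG
};

#define RFC5321_MAX_LOCALPART 64
#define RFC5321_MAX_PATH      256

/* path is the raw argument as the client sent it, e.g. "<user@example.com>".
 * Obsolete source routes ("<@a,@b:user@c>") are not handled. */
enum path_check check_path_limits(const char *path)
{
    size_t len = strlen(path);
    const char *at;

    /* The whole-path limit is checked before anything is parsed, so an
     * oversized argument is rejected no matter what it contains. */
    if (len > RFC5321_MAX_PATH)
        return PATH_TOO_LONG;
    if (len < 2 || path[0] != '<' || path[len - 1] != '>')
        return PATH_MALFORMED;
    if (len == 2)
        return PATH_EMPTY;

    /* Local-part runs from after '<' to the last '@'; the domain cannot
     * contain '@', so strrchr is right even for a quoted local-part. */
    at = strrchr(path, '@');
    if (at == NULL || at == path + 1)
        return PATH_MALFORMED;
    if ((size_t)(at - (path + 1)) > RFC5321_MAX_LOCALPART)
        return PATH_LOCALPART_TOO_LONG;
    return PATH_OK;
}
```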
The spf-milter inserts the Authentication-Results header below the Received header inserted by its own MTA. This can be problematic if you use the SPF milter only for tagging and want to delegate processing to a later stage (e.g. SpamAssassin on a different machine). A correctly configured SpamAssassin will never use this Authentication-Results header, because due to its position it will never consider it trustworthy.
The Authentication-Results header is specified in RFC 8601. It is a trace header field and is therefore expected to come before the Received header. See the explicit requirements on this in sections 4 and 7.1 of RFC 8601:
For MTAs that add this header field, adding header fields in order (at the top), per Section 3.6 of [MAIL], is particularly important. Moreover, this header field SHOULD be inserted above any other trace header fields such MTAs might prepend. This placement allows easy detection of header fields that can be trusted.
OpenDKIM has a similar issue open on GitHub.
The following patch solves the problem:
--- /tmp/smf-spf.c 2020-11-12 22:44:54.000000000 +0100
+++ smf-spf.c 2022-03-07 12:00:18.150462870 +0100
@@ -1136,7 +1136,7 @@
authserv_id, "none", context->sender, context->helo);
break;
}
- smfi_insheader(ctx, 1, "Authentication-Results", spf_hdr);
+ smfi_insheader(ctx, 0, "Authentication-Results", spf_hdr);
free(spf_hdr);
}
}
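Review bot: the index change from 1 to 0 in the smfi_insheader() call is applied unconditionally, so every deployment now gets Authentication-Results above the MTA's own Received header; that matches RFC 8601 section 7.1, but a short code comment citing that section next to the call, or a configuration keyword selecting the position, would make the intent visible to the next reader and keep the old placement available to sites whose downstream filters expect it. The file headers also show the diff was taken against /tmp/smf-spf.c from a 2020 copy rather than the repository file; regenerating it against the current tree would avoid offset fuzz when it is applied.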
Are you interested to implement "official" Docker image for this project?
I would like to contribute this.
Set a specific policy for DSN ( empty senders )