jcbf / smf-spf Goto Github PK

Would you be so kind to move v2.1.0 and v2.2.0 tags (and releases) up to 55593a8 commit?
Cause I can't compile from v2.1.0 release with following error:

smf-spf.c: In function 'smf_envfrom':
smf-spf.c:772:44: error: 'accept_temperror' undeclared (first use in this function)
     if (status == SPF_RESULT_TEMPERROR && !accept_temperror) {
                                            ^~~~~~~~~~~~~~~~

When a user authenticates, smf-spf skips SPF evaluation. Please make this behavior configurable.

When implementing a systemd service file, I found out that for the milter to run in the foreground, the config file option Daemonize needs to be enabled per se.

I would expect that the command-line option -foverrides any config file option, making it easier to implement a working systemd service, without ever caring about what the end user might set in the config file. This is how command-line options work normally.

Hi,

I used the original code v2.0.2 for a long time and now found this, v2.3.0, compiled and started it, but somehow headers in emails are gone, but the conf file is old and contains:

AddHeader on

How to fix it?

Hi, Sendmail 8.15.2 on Ubunti 17.10

In the logs I see

Nov 3 04:07:19 ws1-fra smf-spf[19861]: SPF fail: ip=107.174.52.151, fqdn=[107.174.52.151], helo=so578sy.com, from=[email protected]
Nov 3 04:07:19 ws1-fra sm-mta[23903]: vA347GJM023903: Milter: from=[email protected], reject=550 5.7.1 Command rejected

Any ideas why sendmail is not passing back the proper return string.

I saw this comment in spf-milter.pl source code

            # Need to escape unprotected % characters in spf_smtp_comment,
            # or sendmail will use the default "Command rejected" message instead.
            # Noted by Paul Howarth

Could it be something to do with that?

This can be applied in submission port and would allow to block messages that will fail SPF evaluation on the next hop.

Hi,

1. https://github.com/jcbf/smf-spf/blob/v2.4.2/smf-spf.c
   #define VERSION "2.4.1"'

2. https://github.com/jcbf/smf-spf/blob/v2.4.2/smf-spf.conf

2.4.1> 2.4.2

Refuse e-Mail messages when there is an empty sender
and there isn't an SPF policy fro the server name
Server name is the HELO identity

fro > from

Should return a temp error according to RFC 7208
https://tools.ietf.org/html/rfc7208#section-8.6

8.6. Temperror

A "temperror" result means the SPF verifier encountered a transient
(generally DNS) error while performing the check. Checking software
can choose to accept or temporarily reject the message. If the
message is rejected during the SMTP transaction for this reason, the
software SHOULD use an SMTP reply code of 451 and, if supported, the
4.4.3 enhanced status code (see Section 3.5 of [RFC3463]). These
errors can be caused by problems in either the sender's or receiver's
DNS software. See Appendix G.4 for considerations on developing
local policy.

A configuration keyword may be used to specify the behaviour ( accept or temp reject ).

If you have a configuration value with spaces only the first word is considered.
Example:

RejectReason Rejected - Please configure your SPF record

When rejecting you only got

550 5.7.23 Rejected

Sometimes Google docs send emails with large local parts.

In all SMTP related RFCs, the limit is set to 64 octets**, but the observed "MAIL FROM" have 86 octets.

**
https://tools.ietf.org/html/rfc5321#section-4.5.3.1.1
https://tools.ietf.org/html/rfc2821#section-4.5.3.1
https://tools.ietf.org/html/rfc821#section-4.5.3

Need to create test cases

Reject bounces messages for DSN ( HELO identity ) when there isn't a defined policy

There is a check in the address size and that only check the domain part. When localpart is bigger the allowed 64 octets, it should return a reject message.

References :

• rfc5321 section 4.5.3.1.1

4.5.3.1.1.

Local-part

The maximum total length of a user name or other local-part is 64 octets.

• Create basic tests ( docker build && docker run )
• Change currents tests to test local filter and "docker" filter

Hi,

For a minimized docker image, it would be great if smf-spf can be configured to log to a file (e.g. /dev/stdout) instead of relying on syslog. What do you think?

Best regards,
Chris

Create a configuration keyword to force a given hostname to be used in Authentication-Results headers.

When Bounce rejection is on ( feature #44 ), select between hard fail or soft fail

FixedIP has precedence over ClientIPNat. Usually, this is not desired.

I would like to use the tool on Debian. When compiling I always get "

~/smf-spf# make
gcc -O2 -D_REENTRANT -fomit-frame-pointer -I/usr/local/include -c smf-spf.c
smf-spf.c:22:10: fatal error: arpa/inet.h: No such file or directory
#include <arpa/inet.h>
^~~~~~~~~~~~~
compilation terminated.
make: *** [Makefile:31: smf-spf.o] Error 1

". Do you have an idea why? :S

Release with test and coverage

Hi,

I have issue with one sender:

Received: from mda-out.datacenter.fi (mda-out.datacenter.fi [89.250.48.136])
Authentication-Results: SPF; spf=fail smtp.mailfrom=[email protected] smtp.helo=mda-out.datacenter.fi

But sender -s SPF record and DNS is correct;

nslookup mda-out.datacenter.fi
Address: 89.250.48.136

nslookup -q=txt huuto.net
huuto.net text = "v=spf1 mx a:mda-out.datacenter.fi include:mktomail.com include:spf.protection.outlook.com -all"

I guess the reason is, that sender is using also deprecated type 99 record, which is not equal to TXT record:

nslookup -q=spf huuto.net
huuto.net rdata_99 = "v=spf1 include:spf.protection.outlook.com -all"

Based https://mxtoolbox.com/problem/spf/spf-record-deprecated

"Hostname has returned a SPF Record that has been deprecated

The use of alternative DNS RR types that was formerly supported during the experimental phase of SPF was discontinued in 2014. SPF records must now only be published as a DNS TXT (type 16) Resource Record (RR) [RFC1035]. See RFC 7208 for further detail on this change.

According to RFC 7208 Section 3.1: During the period when SPF was in development, requirements for assigning a new DNS RR type were more stringent than they are today and support for the deployment of new DNS RR types was not deployed in DNS servers and provisioning systems. The end result was that developers of SPF discovered it was easier and more practical to follow the TXT RR type for SPF."

So please modify smf-spf either permanently or optionally to ignore deprecated type 99 SPF record.

Hello,

Thanks for this beautiful software.

I'd like to be able to reject emails at SPF None results. I mean, I'd want to reject all mail from domains that do not have an SPF policy.

# Refuse e-Mail messages at SPF None results
#
# Default: off
#
RefuseNone      off      # (on|off)

Do you know if that could be an accepted new feature?
Thanks.

Should extract de application name used in Syslog from the command line.
Ex.

unixbox # /home/user/smf-spf/spf-milter -f -c ./smf-spf.conf

Apr 30 18:13:18 unixbox spf-milter[9191]: starting spf-milter 2.4.3 listening on unix:/var/run/smfs/smf-spf.sock

When a e-Mail is refuse use 450 code instead of 550.

When a domain doesn't have a SPF record , try to guess.
Use "v=spf1 a/24 mx/24 ptr ?all" as defaut record.

Is it possible to make a release or version tag for this repo?
Wanna to use it for compiling from sources.

Hello,

Any idea when you plan to release a new version?

The smf-spf package for Fedora was just approved and I need the latest version (which includes the COPYING file up to date) to continue with the packaging.

Thanks!

When RCPT TO matches WhitelistTo message should be accepted

Hi,

From https://github.com/jcbf/smf-spf/blob/master/smf-spf.conf

RejectReason specifies the message that will be return to milter client
You can use %s placeholders where :
1st %s - sender address or postmaster@<helo name> if empty sender
2nd %s - sender IP Address
3rd %s - server name ( {j} macro

Default: Rejected, look at http://www.openspf.org/why.html?sender=%s&ip=%s&receiver=%s

As www.openspf.org has now been closed for two years, the RejectReason generated URL is not clickable, and that's why this message should be disabled by default, but it's impossible, there isn't available on/off option. As I could not find any alternative, and as currently parameters order is fixed, at the moment I changed RejectReason to static - "An SPF enabled mail server rejected message from %s, because sender address %s does not exist in the domain corresponding SPF record."

For better customization, please change parameters and allow any parameters order somehing like:
%sa - sender address or postmaster@ if empty sender
%sd - sender domain
%ip - sender IP address
%sn - server name

01-fixwarnings.patch.txt
02-ar-header.patch.txt
03-no_daemon.patch.txt
04-logging.patch.txt
05-insert_header.patch.txt
06-ipv6.patch.txt

src_prepare() {
epatch "${FILESDIR}"/01-fixwarnings.patch
epatch "${FILESDIR}"/02-ar-header.patch
epatch "${FILESDIR}"/03-no_daemon.patch
epatch "${FILESDIR}"/04-logging.patch
epatch "${FILESDIR}"/05-insert_header.patch
epatch "${FILESDIR}"/06-ipv6.patch
}

can this patches be added ?

According to Section 4.5.3.1.3. of RFC 5321

The maximum total length of a reverse-path or forward-path is 256
octets (including the punctuation and element separators).

The spf-milter inserts the Authentication-Results header below the Received header inserted by its own MTA. This can be problematic if you use the spf milter only for tagging and want to delegate processing to a later stage (e.g. Spamassassin on a different machine). Spamassassin will never use this Authentication-Results header because when correctly configured due to the position of the header it will never consider it trustworthy.

The Authentication-Results header is specified in RFC 8601. It is a trace header field and therefore expected to come before the Received header. See the explicit requirements on this in sections 4 and 7.1 of RFC 8601.

For MTAs that add this header field, adding header fields in order (at the top), per Section 3.6 of [MAIL], is particularly important. Moreover, this header field SHOULD be inserted above any other trace header fields such MTAs might prepend. This placement allows easy detection of header fields that can be trusted.

OpenDKIM has a similar issue open github

Following patch solves the problem

--- /tmp/smf-spf.c      2020-11-12 22:44:54.000000000 +0100
+++ smf-spf.c   2022-03-07 12:00:18.150462870 +0100
@@ -1136,7 +1136,7 @@
                        authserv_id, "none", context->sender, context->helo);
                    break;
            }
-           smfi_insheader(ctx, 1, "Authentication-Results", spf_hdr);
+           smfi_insheader(ctx, 0, "Authentication-Results", spf_hdr);
            free(spf_hdr);
        }
     }

Are you interested to implement "official" Docker image for this project?
I would like to contribute this.

Set a specific policy for DSN ( empty senders )