Ralsina.Me — Roberto Alsina's website

Itching.

Ok, the SPF implementation situation is kinda pathetic.

There seems to be exactly one maintained C implementation. And it's Windows-only.

  • libspf's website seems to have disappeared

  • libspf2's not RFC-compliant (verified for 1.2.5) and their issue reporting system bounces.

So, I have taken the most compliant one I found whose code I can actually follow (that would be the Python one) and am reimplementing it in C (using bstrlib and libdjbdns).

It will probably not come to a good end, but hey, it may work ;-)

There is one thing worse than not having a test suite

UPDATE: There is *another* *better* test suite. It is in YAML, though, so I need to parse it before I can use it, but that's my problem.

It's having a test suite that makes no sense.

I have written, for my ra-plugins project (you don't have to know what it is for this post anyway) a piece of code that tries to check mail senders using SPF.

SPF is an open standard. It has standard implementations. It has a test suite (http://www.schlitt.net/spf/tests/).

The test suite says this:

spfquery -ip=192.0.2.1 -sender=05.spf1-test.mailzone.com -helo=05.spf1-test.mailzone.com
result /.*/ fail
smtp-comment /.*/ explanation
header-comment /.*/ spfquery: domain of 05.spf1-test.mailzone.com does not designate 192.0.2.1 as permitted sender
received-spf /.*/ Received-SPF: fail (spfquery: domain of 05.spf1-test.mailzone.com does not designate 192.0.2.1 as permitted sender) client-ip=192.0.2.1; envelope-from=postmaster@05.spf1-test.mailzone.com; helo=05.spf1-test.mailzone.com;

So, yeah:

$ spfquery -ip=192.0.2.1 -sender=05.spf1-test.mailzone.com -helo=05.spf1-test.mailzone.com
fail
Please see http://www.openspf.org/why.html?sender=05.spf1-test.mailzone.com&ip=192.0.2.1&receiver=spfquery
spfquery: domain of 05.spf1-test.mailzone.com does not designate 192.0.2.1 as permitted sender
Received-SPF: fail (spfquery: domain of 05.spf1-test.mailzone.com does not designate
192.0.2.1 as permitted sender) client-ip=192.0.2.1;
envelope-from=05.spf1-test.mailzone.com; helo=05.spf1-test.mailzone.com;

So, the standard implementation does what the test suite says.

Too bad that, if you bother checking the URL you are told to "please see"...

The domain 05.spf1-test.mailzone.com has published an SPF policy, however the policy is neutral on whether 192.0.2.1 is authorized to send mail on its behalf.

Either both the test suite and the sample implementation are wrong, or the site is wrong. And I am leaning towards "the test suite is wrong", because...

$ host -t txt 05.spf1-test.mailzone.com
05.spf1-test.mailzone.com descriptive text "v=spf1 default=deny"

If you check the record syntax (http://www.openspf.org/SPF_Record_Syntax) default is an unknown modifier, and should be ignored, so the record is simply "v=spf1", and indeed the result is neutral and there is no reason why this should be a fail.
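The reasoning above as an added example (not the author's code or any SPF library's): a small Python evaluator that classifies each term as mechanism or modifier, ignores unknown modifiers, and returns neutral when no mechanism matches. The names `parse_terms` and `check` are chosen here, and only the `all` and `ip4` mechanisms are evaluated, so no DNS lookups are needed.

```python
import ipaddress
import re

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
# A modifier is name "=" value; any other term must be a known mechanism.
MODIFIER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9._-]*)=(.*)$")


def parse_terms(record):
    """Return (mechanisms, modifiers); raise ValueError on a syntax error."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    mechanisms, modifiers = [], []
    for term in terms[1:]:
        m = MODIFIER_RE.match(term)
        if m:  # unknown modifiers are recorded here but never affect the result
            modifiers.append((m.group(1).lower(), m.group(2)))
            continue
        qualifier, body = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name = re.split(r"[:/]", body, maxsplit=1)[0].lower()
        if name not in MECHANISMS:
            raise ValueError(f"unknown mechanism: {term}")
        arg = body[len(name) + 1:]
        if name == "ip4":
            arg = ipaddress.IPv4Network(arg, strict=False)  # ValueError if malformed
        mechanisms.append((qualifier, name, arg))
    return mechanisms, modifiers


def check(record, client_ip):
    """Evaluate a record that uses only 'all' and 'ip4' (no DNS lookups)."""
    ip = ipaddress.ip_address(client_ip)
    try:
        mechanisms, modifiers = parse_terms(record)
    except ValueError:
        return "permerror"
    for qualifier, name, arg in mechanisms:
        if name == "all" or (name == "ip4" and ip.version == 4 and ip in arg):
            return QUALIFIERS[qualifier]
        if name not in ("all", "ip4"):
            raise NotImplementedError(f"{name} needs DNS, not covered here")
    if any(name == "redirect" for name, _ in modifiers):
        raise NotImplementedError("redirect needs DNS, not covered here")
    return "neutral"  # no mechanism matched and no redirect: the default result


if __name__ == "__main__":
    # Sample input: the TXT record and client IP quoted in the post.
    print(check("v=spf1 default=deny", "192.0.2.1"))
```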

My qmail-courier-whatever munin plugins

A few people have asked me for the code. Ok, here it goes.

First, get qmrtg.

Then you need this: qmunin.tar.bz2

Then build and install it. You may need to modify the sources, depending on just how your qmail works. There are some example munin plugins included (in Spanish, I am not translating them ;-), which 99% surely will not work for you, but they are simple shell scripts, so you should be able to hack them.

Creating a real release of this is just useless, because everyone's qmail logs look different, so take it and hack it.

And that's it.


Contents © 2000-2020 Roberto Alsina