happyDomain/postfix-policyd-spf-perl
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Correct error trapping so policy server won't crash on bad input.

Browse source
This commit is contained in:
Scott Kitterman 2007-02-04 02:25:39 +00:00
commit 9c264c3867
5 changed files with 57 additions and 56 deletions
Download patch file Download diff file Expand all files Collapse all files

10
CHANGES
View file

@ -4,21 +4,13 @@
# ! = Changed something significant, or removed a feature # ! = Changed something significant, or removed a feature
# * = Fixed a bug, or made a minor improvement # * = Fixed a bug, or made a minor improvement
--- 1.99 (2007-02-10 16:00) --- 1.990 (2007-02-10 16:00)
postfix-policyd-spf-perl: postfix-policyd-spf-perl:
! Changed from Mail::SPF::Query to Mail::SPF for RFC 4408 compliance ! Changed from Mail::SPF::Query to Mail::SPF for RFC 4408 compliance
! Removed Testing handler (usage was undocumented). ! Removed Testing handler (usage was undocumented).
* Simplified logging. Policy server is less chatty. Logs are clearer. * Simplified logging. Policy server is less chatty. Logs are clearer.
Miscellaneous:
* Updated README file:
- Updated for new SPF library
- Added more detail on results/responses
- Explained how to get verbose logging
Debian:
--- 1.08.1 (2007-01-10 21:00) --- 1.08.1 (2007-01-10 21:00)
postfix-policyd-spf-perl: postfix-policyd-spf-perl:

2
INSTALL
View file

@ -6,7 +6,7 @@ postfix-policyd-spf-perl:
Perl 5.6 Perl 5.6
version version
Mail::SPF (not Mail::SPF::Query) Mail-SPF (not Mail-SPF-Query)
Installing Installing
---------- ----------

2
README
View file

@ -1,4 +1,4 @@
postfix-policyd-spf-perl 1.99 postfix-policyd-spf-perl 1.990
A Postfix SMTPd policy server for SPF checking A Postfix SMTPd policy server for SPF checking
(C) 2007 Scott Kitterman <scott@kitterman.com> (C) 2007 Scott Kitterman <scott@kitterman.com>
2003-2004 Meng Weng Wong <mengwong@pobox.com> 2003-2004 Meng Weng Wong <mengwong@pobox.com>

2
debian/changelog vendored
View file

@ -1,4 +1,4 @@
postfix-policyd-spf-perl (1.99-0ubuntu1) feisty; urgency=low postfix-policyd-spf-perl (1.990-0ubuntu1) feisty; urgency=low
* New upstream release for RFC compliant SPF checking. * New upstream release for RFC compliant SPF checking.
* Updated control to use libmail-spf-perl instead of the unmaintained * Updated control to use libmail-spf-perl instead of the unmaintained

91
postfix-policyd-spf-perl
View file

@ -2,7 +2,7 @@
# postfix-policyd-spf-perl # postfix-policyd-spf-perl
# http://www.openspf.org/Software # http://www.openspf.org/Software
# version 1.99 # version 1.990
# $Id$ # $Id$
#(C) 2007 Scott Kitterman <scott@kitterman.com> #(C) 2007 Scott Kitterman <scott@kitterman.com>
#(C) 2003-2004 Meng Weng Wong <mengwong@pobox.com> #(C) 2003-2004 Meng Weng Wong <mengwong@pobox.com>
@ -21,7 +21,7 @@
# with this program; if not, write to the Free Software Foundation, Inc., # with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
use version; our $VERSION = qv('1.99'); use version; our $VERSION = qv('1.990');
use strict; use strict;
@ -96,9 +96,7 @@ while (<STDIN>) {
syslog(debug => "Attribute: %s=%s", $_, $attr{$_}); syslog(debug => "Attribute: %s=%s", $_, $attr{$_});
} }
} }
fatal_exit("unrecognized request type: '$attr{request}'") unless $attr{request} eq "smtpd_access_policy";
my $action = $DEFAULT_RESPONSE; my $action = $DEFAULT_RESPONSE;
my %responses; my %responses;
foreach my $handler (@HANDLERS) { foreach my $handler (@HANDLERS) {
@ -107,7 +105,7 @@ while (<STDIN>) {
if ($VERBOSE) { if ($VERBOSE) {
syslog(debug => "handler %s: %s", $handler, $response); syslog(debug => "handler %s: %s", $handler, $response);
} }
#Picks whatever response is not dunno # Picks whatever response is not dunno
if ($response and $response !~ /^dunno/i) { if ($response and $response !~ /^dunno/i) {
syslog(info => "handler %s: is decisive.", $handler); syslog(info => "handler %s: is decisive.", $handler);
$action = $response; last; $action = $response; last;
@ -127,8 +125,8 @@ sub sender_policy_framework {
local %_ = @_; local %_ = @_;
my %attr = %{ $_{attr} }; my %attr = %{ $_{attr} };
#Always do HELO check first. If no HELO policy it's only one lookup. # Always do HELO check first. If no HELO policy it's only one lookup.
#Avoids the need to do any Mail From processing for null sender. # Avoids the need to do any Mail From processing for null sender.
my $helo_request = eval { my $helo_request = eval {
Mail::SPF::Request->new( Mail::SPF::Request->new(
scope => 'helo', # 'mfrom' or 'helo', 'pra' scope => 'helo', # 'mfrom' or 'helo', 'pra'
@ -138,26 +136,35 @@ sub sender_policy_framework {
=> $attr{helo_name} => $attr{helo_name}
); );
}; };
my $helo_result = $spf_server->process($helo_request); # If initializing helo_request throws an error, don't use it.
if ($@) {
syslog(
info => "%s: Mail::SPF->new(%s, %s, %s) failed: %s",
$attr{queue_id}, $attr{client_address}, $attr{sender}, $attr{helo_name}, $@
);
return "DUNNO";
}
else {
my $helo_result = $spf_server->process($helo_request);
my $helo_result_code = $helo_result->code; # 'pass', 'fail', etc. my $helo_result_code = $helo_result->code; # 'pass', 'fail', etc.
my $helo_local_exp = $helo_result->local_explanation; my $helo_local_exp = $helo_result->local_explanation;
my $helo_authority_exp = $helo_result->authority_explanation my $helo_authority_exp = $helo_result->authority_explanation
if $helo_result->is_code('fail'); if $helo_result->is_code('fail');
my $helo_spf_header = $helo_result->received_spf_header; my $helo_spf_header = $helo_result->received_spf_header;
syslog( syslog(
info => "%s: SPF %s: HELO/EHLO: %s, IP Address: %s, Recipient: %s", info => "%s: SPF %s: HELO/EHLO: %s, IP Address: %s, Recipient: %s",
$attr{queue_id}, $helo_result, $attr{helo_name}, $attr{client_address}, $attr{recipient} $attr{queue_id}, $helo_result, $attr{helo_name}, $attr{client_address}, $attr{recipient}
); );
# Reject on HELO fail. Defer on HELO temperror if message would otherwis # Reject on HELO fail. Defer on HELO temperror if message would otherwis
# be accepted. Use the HELO result and return for null sender. # be accepted. Use the HELO result and return for null sender.
if ($helo_result_code eq "fail") { return "REJECT $helo_authority_exp"; } if ($helo_result_code eq "fail") { return "REJECT $helo_authority_exp"; }
elsif ($helo_result_code eq "temperror") { return "DEFER_IF_PERMIT SPF-Result=$helo_local_exp"; } elsif ($helo_result_code eq "temperror") { return "DEFER_IF_PERMIT SPF-Result=$helo_local_exp"; }
elsif ($attr{sender} eq '') { return "PREPEND $helo_spf_header"; } elsif ($attr{sender} eq '') { return "PREPEND $helo_spf_header"; }
};
#Do mail from is HELO doesn't give a definitive result. # Do mail from is HELO doesn't give a definitive result.
my $mfrom_request = eval { my $mfrom_request = eval {
Mail::SPF::Request->new( Mail::SPF::Request->new(
scope => 'mfrom', # 'mfrom' or 'helo', 'pra' scope => 'mfrom', # 'mfrom' or 'helo', 'pra'
@ -167,27 +174,29 @@ sub sender_policy_framework {
=> $attr{helo_name} # for %{h} macro expansion => $attr{helo_name} # for %{h} macro expansion
); );
}; };
my $mfrom_result = $spf_server->process($mfrom_request);
my $mfrom_result_code = $mfrom_result->code; # 'pass', 'fail', etc.
my $mfrom_local_exp = $mfrom_result->local_explanation;
my $mfrom_authority_exp = $mfrom_result->authority_explanation
if $mfrom_result->is_code('fail');
my $mfrom_spf_header = $mfrom_result->received_spf_header;
if ($@) { if ($@) {
syslog( syslog(
info => "%s: Mail::SPF->new(%s, %s, %s) failed: %s", info => "%s: Mail::SPF->new(%s, %s, %s) failed: %s",
$attr{queue_id}, $attr{client_address}, $attr{sender}, $attr{helo_name}, $@ $attr{queue_id}, $attr{client_address}, $attr{sender}, $attr{helo_name}, $@
); );
return "DUNNO"; return "DUNNO";
} }
syslog( else {
info => "%s: SPF %s: Envelope-from: %s, IP Address: %s, Recipient: %s", my $mfrom_result = $spf_server->process($mfrom_request);
$attr{queue_id}, $mfrom_result, $attr{sender}, $attr{client_address}, $attr{recipient}
); my $mfrom_result_code = $mfrom_result->code; # 'pass', 'fail', etc.
my $mfrom_local_exp = $mfrom_result->local_explanation;
my $mfrom_authority_exp = $mfrom_result->authority_explanation
if $mfrom_result->is_code('fail');
my $mfrom_spf_header = $mfrom_result->received_spf_header;
syslog(
info => "%s: SPF %s: Envelope-from: %s, IP Address: %s, Recipient: %s",
$attr{queue_id}, $mfrom_result, $attr{sender}, $attr{client_address}, $attr{recipient}
);
#Same approach as HELO.... # Same approach as HELO....
if ($mfrom_result_code eq "fail") { return "REJECT $mfrom_authority_exp"; } if ($mfrom_result_code eq "fail") { return "REJECT $mfrom_authority_exp"; }
elsif ($mfrom_result_code eq "mfrom_temperror") { return "DEFER_IF_PERMIT SPF-Result=$mfrom_local_exp"; } elsif ($mfrom_result_code eq "mfrom_temperror") { return "DEFER_IF_PERMIT SPF-Result=$mfrom_local_exp"; }
else { return "PREPEND $mfrom_spf_header"; } else { return "PREPEND $mfrom_spf_header"; }
}
} }