* Change reject reply to 550 for RFC 2821 compliance.

* Clarified wording for some verbose logging.
* Added more information about HELO checking to README
Scott Kitterman 2007-02-06 18:18:42 +00:00
commit f876c707b9
4 changed files with 60 additions and 27 deletions


@ -5,13 +5,16 @@
# * = Fixed a bug, or made a minor improvement
--- 2.000 (2007-02-06 16:00)
* Updated version for final release.
* Change reject reply to 550 for RFC 2821 complianse.
* Clarified wording for some verbose logging.
* Added more information about HELO checking to README.
--- 1.990 (2007-02-03 16:00)
postfix-policyd-spf-perl:
! Changed from Mail::SPF::Query to Mail::SPF for RFC 4408 compliance
! Removed Testing handler (usage was undocumented).
! Removed debian/ dir from release tarball (still provided via SVN).
* Simplified logging. Policy server is less chatty. Logs are clearer.
--- 1.08.1 (2007-01-10 21:00)
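
Review bot: The new 2.000 entry "Change reject reply to 550 for RFC 2821 complianse." misspells "compliance"; correct it before the release is tagged. It is also the only one of the three new entries in the present tense ("Change" next to "Clarified" and "Added"), so "Changed" would match the rest of the list.
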

README

@ -1,8 +1,8 @@
postfix-policyd-spf-perl 1.990
postfix-policyd-spf-perl 2.000
A Postfix SMTPd policy server for SPF checking
(C) 2007 Scott Kitterman <scott@kitterman.com>
2003-2004 Meng Weng Wong <mengwong@pobox.com>
Contributions by various members of the SPF project
Thanks for contributions by various members of the SPF project
<http://www.openspf.org/Software#postfix-policyd-spf-perl>
==============================================================================
@ -13,15 +13,23 @@ RFC 4408. It shares no code with the older Mail::SPF::Query that was the
original SPF development implementation. If you are upgrading from on older
version of this policy server you will need to install Mail::SPF.
This version of the policy server will reject mail that fails either Mail From
or HELO SPF checks. It always checks HELO (older versions just checked HELO if
Mail From was null). It will defer mail if there is a temporary SPF error and
the message would othersise be permitted (DEFER_IF_PERMIT). Otherwise, it will
PREPEND the appropriate SPF Received header. In the case of multi-recipient
mail, multiple headers will get appended. Error conditions within the policy
server (that don't result in a crash) or from Mail::SPF will return DUNNO.
This version of the policy server always checks HELO before Mail From (older
versions just checked HELO if Mail From was null). It will reject mail that
fails either Mail From or HELO SPF checks. It will defer mail if there is a
temporary SPF error and the message would othersise be permitted
(DEFER_IF_PERMIT). If the HELO check produces a REJECT/DEFER result, Mail From
will not be checked.
See INSTALL or README.Debian for installation instructions.
If the message is not rejected or deferred, the policy server will PREPEND the
appropriate SPF Received header. In the case of multi-recipient mail, multiple
headers will get appended. If Mail From is anything other than completely empty
(i.e. <>) then the Mail From result will be used for SPF Received (e.g. Mail
From None even if HELO is Pass).
Error conditions within the policy server (that don't result in a crash) or from
Mail::SPF will return DUNNO.
See INSTALL for installation instructions.
Usage:
policyd-spf-perl [-v]
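
Review bot: In the rewritten description, "If Mail From is anything other than completely empty (i.e. <>)" is ambiguous, because the parenthetical can be read as an example of a non-empty sender. Suggest wording such as "If Mail From is not the null sender (<>), the Mail From result is used for SPF Received". The same paragraph says the server will PREPEND the header and then that multiple headers "will get appended"; use one verb. The replacement line also keeps the "othersise" typo from the text it replaces.
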
@ -66,7 +74,14 @@ uses only a few of all the attributes shown below:
The policy daemon will answer in the same style, with an attribute list
followed by a empty line:
action=dunno
action=550 Please see http://www.openspf.org/Why?id=foo@bar.tld&ip=1.2.3.4&
receiver=bar@foo.tld
[empty line]
To test HELO checking sender should be empty:
sender=
... More attributes...
[empty line]
If you want more detail in the system logs change $VERBOSE to 1.
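
Review bot: The example reply is wrapped after "ip=1.2.3.4&", so "receiver=bar@foo.tld" sits on its own line and reads like a second attribute in the answer. The surrounding text describes the answer as an attribute list followed by an empty line, so keep the action on one line or say that it is wrapped for display. The last line of this hunk still tells the reader to change $VERBOSE to 1 for more detail, while this commit already sets it to 1 in the script.
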


@ -152,15 +152,24 @@ postfix-policyd-spf-perl is a Postfix SMTPd policy daemon for SPF checking.
It is implemented in pure Perl and uses the Mail::SPF CPAN module. Note that
Mail::SPF is a complete re-implementation of SPF based on the final SPF RFC,
RFC 4408. It shares no code with the older Mail::SPF::Query that was the
original SPF development implementation.
original SPF development implementation. If you are upgrading from on older
version of this policy server you will need to install Mail::SPF.
This version of the policy server will reject mail that fails either Mail From
or HELO SPF checks. It always checks HELO (older versions just checked HELO if
Mail From was null). It will defer mail if there is a temporary SPF error and
the message would othersise be permitted (DEFER_IF_PERMIT). Otherwise, it will
PREPEND the appropriate SPF Received header. In the case of multi-recipient
mail, multiple headers will get appended. Error conditions within the policy
server (that don't result in a crash) or from Mail::SPF will return DUNNO.
This version of the policy server always checks HELO before Mail From (older
versions just checked HELO if Mail From was null). It will reject mail that
fails either Mail From or HELO SPF checks. It will defer mail if there is a
temporary SPF error and the message would othersise be permitted
(DEFER_IF_PERMIT). If the HELO check produces a REJECT/DEFER result, Mail From
will not be checked.
If the message is not rejected or deferred, the policy server will PREPEND the
appropriate SPF Received header. In the case of multi-recipient mail, multiple
headers will get appended. If Mail From is anything other than completely empty
(i.e. <>) then the Mail From result will be used for SPF Received (e.g. Mail
From None even if HELO is Pass).
Error conditions within the policy server (that don't result in a crash) or from
Mail::SPF will return DUNNO.
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
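
Review bot: The README wording is copied here unchanged, so the replacement paragraph repeats "othersise" and the PREPEND versus "appended" mismatch. Correct both files in the same change so the man page and README do not diverge later.
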
@ -203,7 +212,14 @@ uses only a few of all the attributes shown below:
The policy daemon will answer in the same style, with an attribute list
followed by a empty line:
action=dunno
action=550 Please see http://www.openspf.org/Why?id=foo@bar.tld&ip=1.2.3.4&
receiver=bar@foo.tld
[empty line]
To test HELO checking sender should be empty:
sender=
... More attributes...
[empty line]
If you want more detail in the system logs change $VERBOSE to 1.
@ -228,7 +244,6 @@ If you want more detail in the system logs change $VERBOSE to 1.
NOTE: Specify check_policy_service AFTER reject_unauth_destination or
else your system can become an open relay.
3. Restart Postfix.
.SH "SEE ALSO"


@ -43,7 +43,7 @@ my @HANDLERS = (
}
);
my $VERBOSE = 0;
my $VERBOSE = 1;
my $DEFAULT_RESPONSE = 'DUNNO';
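
Review bot: "my $VERBOSE = 1;" turns verbose logging on by default, which neither the commit message nor the changelog entries mention, and the README text in this same commit still says to "change $VERBOSE to 1" for more detail. If this is a leftover from testing the new log messages, restore 0; if it is intended, record it in the changelog and reword the README.
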
@ -159,7 +159,7 @@ sub sender_policy_framework {
my $errmsg = $@;
$errmsg = $errmsg->text if UNIVERSAL::isa($@, 'Mail::SPF::Exception');
syslog(
info => "%s: Mail::SPF->new(%s, %s, %s) failed: %s",
info => "%s:HELO check failed - Mail::SPF->new(%s, %s, %s) failed: %s",
$attr->{queue_id}, $attr->{client_address}, $attr->{sender}, $attr->{helo_name}, $errmsg
);
return "DUNNO";
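
Review bot: The new format string "%s:HELO check failed - ..." has no space after the queue id colon, unlike the Mail From message later in this file ("%s: Mail From (sender) check failed - ..."); add the space so both lines parse the same way. "check failed" can also be mistaken for an SPF fail result, while this branch logs an exception and returns DUNNO; "HELO check error" would keep the two cases distinct in the logs.
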
@ -183,7 +183,7 @@ sub sender_policy_framework {
# Reject on HELO fail. Defer on HELO temperror if message would otherwise
# be accepted. Use the HELO result and return for null sender.
if ($helo_result->is_code('fail')) {
return "REJECT $helo_authority_exp";
return "550 $helo_authority_exp";
}
elsif ($helo_result->is_code('temperror')) {
return "DEFER_IF_PERMIT SPF-Result=$helo_local_exp";
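
Review bot: The literal "550" is now written out separately in the HELO fail branch here and in the Mail From fail branch further down; define it once next to $DEFAULT_RESPONSE so the two replies cannot drift apart. The comment above the branch still says only "Reject on HELO fail", so it is worth naming the reply code there as well.
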
@ -207,7 +207,7 @@ sub sender_policy_framework {
my $errmsg = $@;
$errmsg = $errmsg->text if UNIVERSAL::isa($@, 'Mail::SPF::Exception');
syslog(
info => "%s: Mail::SPF->new(%s, %s, %s) failed: %s",
info => "%s: Mail From (sender) check failed - Mail::SPF->new(%s, %s, %s) failed: %s",
$attr->{queue_id}, $attr->{client_address}, $attr->{sender}, $attr->{helo_name}, $errmsg
);
return "DUNNO";
@ -231,7 +231,7 @@ sub sender_policy_framework {
# Same approach as HELO....
if ($mfrom_result->is_code('fail')) {
return "REJECT $mfrom_authority_exp";
return "550 $mfrom_authority_exp";
}
elsif ($mfrom_result->is_code('temperror')) {
return "DEFER_IF_PERMIT SPF-Result=$mfrom_local_exp";