From f876c707b90f71754d2b42b8c1d328bdedca16e1 Mon Sep 17 00:00:00 2001 From: Scott Kitterman <> Date: Tue, 6 Feb 2007 18:18:42 +0000 Subject: [PATCH] * Change reject reply to 550 for RFC 2821 complianse. * Clarified wording for some verbose logging. * Added more information about HELO checking to README --- CHANGES | 5 ++++- README | 37 ++++++++++++++++++++++--------- debian/postfix-policyd-spf-perl.8 | 35 ++++++++++++++++++++--------- postfix-policyd-spf-perl | 10 ++++----- 4 files changed, 60 insertions(+), 27 deletions(-) diff --git a/CHANGES b/CHANGES index cbe39be..571d141 100644 --- a/CHANGES +++ b/CHANGES @@ -5,13 +5,16 @@ # * = Fixed a bug, or made a minor improvement --- 2.000 (2007-02-06 16:00) - * Updated version for final release. + * Change reject reply to 550 for RFC 2821 complianse. + * Clarified wording for some verbose logging. + * Added more information about HELO checking to README. --- 1.990 (2007-02-03 16:00) postfix-policyd-spf-perl: ! Changed from Mail::SPF::Query to Mail::SPF for RFC 4408 compliance ! Removed Testing handler (usage was undocumented). + ! Removed debian/ dir from release tarball (still provided via SVN). * Simplified logging. Policy server is less chatty. Logs are clearer. --- 1.08.1 (2007-01-10 21:00) diff --git a/README b/README index cabef8b..d29ca39 100644 --- a/README +++ b/README @@ -1,8 +1,8 @@ -postfix-policyd-spf-perl 1.990 +postfix-policyd-spf-perl 2.000 A Postfix SMTPd policy server for SPF checking (C) 2007 Scott Kitterman 2003-2004 Meng Weng Wong -Contributions by various members of the SPF project +Thanks for contributions by various members of the SPF project ============================================================================== 
@@ -13,15 +13,23 @@ RFC 4408. It shares no code with the older Mail::SPF::Query that was the original SPF development implementation. If you are upgrading from on older version of this policy server you will need to install Mail::SPF. -This version of the policy server will reject mail that fails either Mail From -or HELO SPF checks. It always checks HELO (older versions just checked HELO if -Mail From was null). It will defer mail if there is a temporary SPF error and -the message would othersise be permitted (DEFER_IF_PERMIT). Otherwise, it will -PREPEND the appropriate SPF Received header. In the case of multi-recipient -mail, multiple headers will get appended. Error conditions within the policy -server (that don't result in a crash) or from Mail::SPF will return DUNNO. +This version of the policy server always checks HELO before Mail From (older +versions just checked HELO if Mail From was null). It will reject mail that +fails either Mail From or HELO SPF checks. It will defer mail if there is a +temporary SPF error and the message would othersise be permitted +(DEFER_IF_PERMIT). If the HELO check produces a REJECT/DEFER result, Mail From +will not be checked. -See INSTALL or README.Debian for installation instructions. +If the message is not rejected or deferred, the policy server will PREPEND the +appropriate SPF Received header. In the case of multi-recipient mail, multiple +headers will get appended. If Mail From is anything other than completely empty +(i.e. <>) then the Mail From result will be used for SPF Received (e.g. Mail +From None even if HELO is Pass). + +Error conditions within the policy server (that don't result in a crash) or from +Mail::SPF will return DUNNO. + +See INSTALL for installation instructions. Usage: policyd-spf-perl [-v] 
@@ -66,7 +74,14 @@ uses only a few of all the attributes shown below: The policy daemon will answer in the same style, with an attribute list followed by a empty line: - action=dunno + action=550 Please see http://www.openspf.org/Why?id=foo@bar.tld&ip=1.2.3.4& + receiver=bar@foo.tld + [empty line] + +To test HELO checking sender should be empty: + + sender= + ... More attributes... [empty line] If you want more detail in the system logs change $VERBOSE to 1. diff --git a/debian/postfix-policyd-spf-perl.8 b/debian/postfix-policyd-spf-perl.8 index af75208..a68287c 100644 --- a/debian/postfix-policyd-spf-perl.8 +++ b/debian/postfix-policyd-spf-perl.8 
@@ -152,15 +152,24 @@ postfix-policyd-spf-perl is a Postfix SMTPd policy daemon for SPF checking. It is implemented in pure Perl and uses the Mail::SPF CPAN module. Note that Mail::SPF is a complete re-implementation of SPF based on the final SPF RFC, RFC 4408. It shares no code with the older Mail::SPF::Query that was the -original SPF development implementation. +original SPF development implementation. If you are upgrading from on older +version of this policy server you will need to install Mail::SPF. -This version of the policy server will reject mail that fails either Mail From -or HELO SPF checks. It always checks HELO (older versions just checked HELO if -Mail From was null). It will defer mail if there is a temporary SPF error and -the message would othersise be permitted (DEFER_IF_PERMIT). Otherwise, it will -PREPEND the appropriate SPF Received header. In the case of multi-recipient -mail, multiple headers will get appended. Error conditions within the policy -server (that don't result in a crash) or from Mail::SPF will return DUNNO. +This version of the policy server always checks HELO before Mail From (older +versions just checked HELO if Mail From was null). It will reject mail that +fails either Mail From or HELO SPF checks. It will defer mail if there is a +temporary SPF error and the message would othersise be permitted +(DEFER_IF_PERMIT). If the HELO check produces a REJECT/DEFER result, Mail From +will not be checked. + +If the message is not rejected or deferred, the policy server will PREPEND the +appropriate SPF Received header. In the case of multi-recipient mail, multiple +headers will get appended. If Mail From is anything other than completely empty +(i.e. <>) then the Mail From result will be used for SPF Received (e.g. Mail +From None even if HELO is Pass). + +Error conditions within the policy server (that don't result in a crash) or from +Mail::SPF will return DUNNO. .SH "DESCRIPTION" .IX Header "DESCRIPTION" 
@@ -203,7 +212,14 @@ uses only a few of all the attributes shown below: The policy daemon will answer in the same style, with an attribute list followed by a empty line: - action=dunno + action=550 Please see http://www.openspf.org/Why?id=foo@bar.tld&ip=1.2.3.4& + receiver=bar@foo.tld + [empty line] + +To test HELO checking sender should be empty: + + sender= + ... More attributes... [empty line] If you want more detail in the system logs change $VERBOSE to 1. @@ -228,7 +244,6 @@ If you want more detail in the system logs change $VERBOSE to 1. NOTE: Specify check_policy_service AFTER reject_unauth_destination or else your system can become an open relay. - 3. Restart Postfix. .SH "SEE ALSO" diff --git a/postfix-policyd-spf-perl b/postfix-policyd-spf-perl index 37ca138..dc6f612 100755 --- a/postfix-policyd-spf-perl +++ b/postfix-policyd-spf-perl @@ -43,7 +43,7 @@ my @HANDLERS = ( } ); -my $VERBOSE = 0; +my $VERBOSE = 1; my $DEFAULT_RESPONSE = 'DUNNO'; @@ -159,7 +159,7 @@ sub sender_policy_framework { my $errmsg = $@; $errmsg = $errmsg->text if UNIVERSAL::isa($@, 'Mail::SPF::Exception'); syslog( - info => "%s: Mail::SPF->new(%s, %s, %s) failed: %s", + info => "%s:HELO check failed - Mail::SPF->new(%s, %s, %s) failed: %s", $attr->{queue_id}, $attr->{client_address}, $attr->{sender}, $attr->{helo_name}, $errmsg ); return "DUNNO"; @@ -183,7 +183,7 @@ sub sender_policy_framework { # Reject on HELO fail. Defer on HELO temperror if message would otherwise # be accepted. Use the HELO result and return for null sender. if ($helo_result->is_code('fail')) { - return "REJECT $helo_authority_exp"; + return "550 $helo_authority_exp"; } elsif ($helo_result->is_code('temperror')) { return "DEFER_IF_PERMIT SPF-Result=$helo_local_exp"; 
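Review bot: The new default `my $VERBOSE = 1;` in the `-43,7` hunk looks like a leftover debugging setting. The commit message does not mention it, and the README and man page text changed by this same patch still tell the operator to "change $VERBOSE to 1" for more detail. With verbose on by default, every installation writes extra per-message detail to syslog (presumably including sender and client address), which increases log volume and the amount of address data retained. I would restore `my $VERBOSE = 0;`, or, if the change is intended, document it in CHANGES and adjust the README wording.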
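Review bot: The HELO message in the `-159,7` hunk reads `"%s:HELO check failed - ..."`, without the space after the colon that the Mail From message in the `-207,7` hunk has, so a log filter keyed on the `queue_id: ` prefix can miss one of the two. Both branches end in `return "DUNNO";`, meaning the message continues without any SPF verdict, yet they log at `info`, and "check failed" is easy to misread as an SPF `fail` result. I would word it as `info => "%s: HELO check error - Mail::SPF->new(%s, %s, %s) failed: %s",` (and likewise "Mail From (sender) check error") and consider `warning` as the priority so these fail-open events stand out in monitoring. The enclosing sub sender_policy_framework starts and ends outside both hunks.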
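Review bot: `return "550 $helo_authority_exp";` here, and `return "550 $mfrom_authority_exp";` in the `-231,7` hunk, interpolate the authority explanation directly into the policy reply. As far as I can tell, that string can originate from the checked domain's own SPF record (its `exp=` modifier), so the sending side influences its content. The policy protocol is line-based and the text ends up in the SMTP response, so unless Mail::SPF already guarantees printable single-line output I would normalise it first, e.g. `(my $exp = $helo_authority_exp) =~ s/[^\x20-\x7e]/?/g;` followed by `return "550 $exp";`. A short comment such as `# explanation text may be supplied by the sender's domain; keep it printable and single-line` would record why. The same applies to the `DEFER_IF_PERMIT SPF-Result=...` returns visible as context, and the enclosing sub continues outside the hunk.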
@@ -207,7 +207,7 @@ sub sender_policy_framework { my $errmsg = $@; $errmsg = $errmsg->text if UNIVERSAL::isa($@, 'Mail::SPF::Exception'); syslog( - info => "%s: Mail::SPF->new(%s, %s, %s) failed: %s", + info => "%s: Mail From (sender) check failed - Mail::SPF->new(%s, %s, %s) failed: %s", $attr->{queue_id}, $attr->{client_address}, $attr->{sender}, $attr->{helo_name}, $errmsg ); return "DUNNO"; @@ -231,7 +231,7 @@ sub sender_policy_framework { # Same approach as HELO.... if ($mfrom_result->is_code('fail')) { - return "REJECT $mfrom_authority_exp"; + return "550 $mfrom_authority_exp"; } elsif ($mfrom_result->is_code('temperror')) { return "DEFER_IF_PERMIT SPF-Result=$mfrom_local_exp";