
It's a lightweight, fast and reliable Sendmail milter that implements the Sender Policy Framework

License: GNU General Public License v3.0


smf-spf's Introduction

smf-spf


It's a lightweight, fast and reliable Sendmail/Postfix milter that implements the Sender Policy Framework

The original code was abandoned; this fork adds several bugfixes and enhancements, such as:

  • Caches evaluation results for performance
  • Make MAIL and RCPT limits RFC 5321 compliant (both localpart and domain)
  • Reply codes aligned with RFC 7208
  • Daemonize option via command line
  • Fix SPF_RESULT_TEMPERROR handling
  • fix segfault when server address is unknown
  • Create a test suite and coverage tests
  • Configurable refuse when SPF is none
  • Reject NDR when there is no SPF policy defined
  • Added outbound mail related features
  • Skip evaluation for authenticated users
  • Allow source IP replacement for outbound evaluation

v2.5.1 (2020-11-12)

Full Changelog

Fixed bugs:

  • Config values with spaces are ignored #82
  • Fix travis #84 (jcbf)
  • Added missing commits for skipAuth feature #80 (jcbf)


v2.5.0 (2020-10-04)

Implemented enhancements:

  • Allow logging to file without syslog #69
  • Implement SkipAuth and SkipNDR #75 (jcbf): skip authenticated users when configured to do so, similar to empty users.
  • Changed tests location #78 (jcbf)

Fixed bugs:

  • ClientIPNat will not work if FixedIP is set. #76

v2.4.5 (2020-07-16)

Implemented enhancements:

  • Feature/client ipnat #74 (jcbf): ClientIPNAT allows IP address translation of the connecting IP. This is particularly useful when you have internal email flows and still want an SPF evaluation.
  • use application name in syslog #67

v2.4.4 (2020-06-21)

Implemented enhancements:

  • Docker image improvements
  • Misc fixes #72 (jcbf)
  • Log to file #71 (jcbf)
  • specfile and patches for building on Fedora and CentOS Linux #70 (mikaku)
  • Get daemon name from cmd line as requested in #67 #68 (jcbf)

v2.4.3 (2020-03-25)

Full Changelog

Implemented enhancements:

  • Make SPF evaluation with a fixed IP #65
  • Disable localpart size check #52

Fixed bugs:

  • Typos #55
  • smf-spf -f does not override config file value Daemonize #62

Merged pull requests:

v2.4.2 (2018-07-18)

Full Changelog between 2.4.1 and 2.4.2

Implemented enhancements:

  • Fix codewarnings #54 (jcbf)
  • Only domain size is checked #50

Merged pull requests:

  • Allow relaxed localpart size verification #53 (jcbf)

v2.4.1 (2018-04-19)

Full Changelog between 2.4.0 and 2.4.1

Implemented enhancements:

  • Reject bounces when there is no SPF policy defined #46
  • Reject messages with an empty sender #49 (jcbf)
  • Add SPF result on log #48 (jcbf)

Merged pull requests:

  • Check for the localpart size. #51 (jcbf)

v2.4.0 (2018-02-08)

Full Changelog

Implemented enhancements:

  • Configurable refuse when SPF is none #42 (jcbf)
  • Configurable hostname #40 (jcbf)

Fixed bugs:

  • WhitelistTo should accept message #37
  • WhitelistTo should return SMFIS_ACCEPT #38 (jcbf)

Closed issues:

  • Possible issue reporting Fail string in sendmail reject message #33

Merged pull requests:

v2.3.1 (2017-11-07)

Full Changelog

Implemented enhancements:

  • Allow Received-SPF header back. #32 (jcbf)

Fixed bugs:

  • Reply codes aligned with RFC #34 (jcbf)

Merged pull requests:

v2.3 (2016-11-30)

Full Changelog

Implemented enhancements:

  • Create a test suite #17
  • Add debug output to test script #24 (jcbf)

Merged pull requests:

v2.2 (2016-11-03)

Full Changelog

Fixed bugs:

  • fix segfault when server address is unknown #21 (Milek7)

Merged pull requests:

  • don't include <> characters in Authentication-Results header #20 (Milek7)

v2.1.1 (2016-09-21)

Full Changelog

Implemented enhancements:

  • handle SPF_RESULT_TEMPERROR result #14

Fixed bugs:

  • Uncompilable release #19

Closed issues:

  • Make a release #10

v2.1.0 (2016-09-19)

Full Changelog

v2.2.0 (2016-09-19)

Implemented enhancements:

  • Refuse messages with softfail #8
  • MAIL and RCPT limits are not RFC compliant #4
  • mail-filter/smf-spf-2.0.2 patches #1
  • daemonize option via command line #7 (jcbf)
  • Bumped version #6 (jcbf)
  • Debian init #3 (whyscream)
  • Add support for daemonisation in config file #2 (whyscream)

Fixed bugs:

  • Fix RFC5321 path limit #5 (jcbf)

Merged pull requests:

  • Support for temperror handling. #18 (jcbf)
  • Fix for #8 #16 (jcbf)
  • Bump version to 2.1.0 #15 (jcbf)
  • Fix version usage #13 (tyranron)
  • One more typo fix for conf.soft_fail property #12 (tyranron)
  • Fix for #8 - Allow softfail when refusing email #9 (jcbf)

* This Change Log was automatically generated by github_changelog_generator


smf-spf's Issues

Authentication-Results header - wrong position

The spf-milter inserts the Authentication-Results header below the Received header inserted by its own MTA. This can be problematic if you use the spf milter only for tagging and want to delegate processing to a later stage (e.g. Spamassassin on a different machine). Spamassassin will never use this Authentication-Results header because, when correctly configured, it will never consider it trustworthy due to the position of the header.

The Authentication-Results header is specified in RFC 8601. It is a trace header field and therefore expected to come before the Received header. See the explicit requirements on this in sections 4 and 7.1 of RFC 8601.

For MTAs that add this header field, adding header fields in order (at the top), per Section 3.6 of [MAIL], is particularly important. Moreover, this header field SHOULD be inserted above any other trace header fields such MTAs might prepend. This placement allows easy detection of header fields that can be trusted.

OpenDKIM has a similar issue open on GitHub.

The following patch solves the problem:

--- /tmp/smf-spf.c      2020-11-12 22:44:54.000000000 +0100
+++ smf-spf.c   2022-03-07 12:00:18.150462870 +0100
@@ -1136,7 +1136,7 @@
                        authserv_id, "none", context->sender, context->helo);
                    break;
            }
-           smfi_insheader(ctx, 1, "Authentication-Results", spf_hdr);
+           smfi_insheader(ctx, 0, "Authentication-Results", spf_hdr);
            free(spf_hdr);
        }
     }
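Review bot: changing the smfi_insheader index from 1 to 0 moves Authentication-Results above every header the milter sees, which matches the RFC 8601 section 7.1 placement quoted above, but the hunk comes with no test and no changelog entry; since the README advertises a test suite and a configurable hostname for this header, add a test asserting the header's position relative to the MTA's Received header, and consider a config keyword so sites that rely on the current position can keep it. Also check whether the Received-SPF header (re-added in #32) is inserted with the same index, so the two trace headers stay adjacent.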

Allow logging to file without syslog

Hi,

For a minimized docker image, it would be great if smf-spf can be configured to log to a file (e.g. /dev/stdout) instead of relying on syslog. What do you think?

Best regards,
Chris

`smf-spf -f` does not override config file value `Daemonize`

When implementing a systemd service file, I found out that for the milter to run in the foreground, the config file option Daemonize needs to be enabled per se.

I would expect that the command-line option `-f` overrides any config file option, making it easier to implement a working systemd service, without ever caring about what the end user might set in the config file. This is how command-line options work normally.

Make a release

Is it possible to make a release or version tag for this repo?
I want to use it for compiling from sources.

Possible issue reporting Fail string in sendmail reject message

Hi, Sendmail 8.15.2 on Ubuntu 17.10

In the logs I see

Nov 3 04:07:19 ws1-fra smf-spf[19861]: SPF fail: ip=107.174.52.151, fqdn=[107.174.52.151], helo=so578sy.com, from=[email protected]
Nov 3 04:07:19 ws1-fra sm-mta[23903]: vA347GJM023903: Milter: from=[email protected], reject=550 5.7.1 Command rejected

Any ideas why sendmail is not passing back the proper return string?

I saw this comment in spf-milter.pl source code

            # Need to escape unprotected % characters in spf_smtp_comment,
            # or sendmail will use the default "Command rejected" message instead.
            # Noted by Paul Howarth

Could it be something to do with that?

use application name in syslog

Should extract the application name used in syslog from the command line.
Ex.

unixbox # /home/user/smf-spf/spf-milter -f -c ./smf-spf.conf

Apr 30 18:13:18 unixbox spf-milter[9191]: starting spf-milter 2.4.3 listening on unix:/var/run/smfs/smf-spf.sock

Uncompilable release

Would you be so kind to move v2.1.0 and v2.2.0 tags (and releases) up to 55593a8 commit?
Because I can't compile the v2.1.0 release; it fails with the following error:

smf-spf.c: In function 'smf_envfrom':
smf-spf.c:772:44: error: 'accept_temperror' undeclared (first use in this function)
     if (status == SPF_RESULT_TEMPERROR && !accept_temperror) {
                                            ^~~~~~~~~~~~~~~~

RejectReason URL and parameters issue

Hi,

From https://github.com/jcbf/smf-spf/blob/master/smf-spf.conf


RejectReason specifies the message that will be returned to the milter client.
You can use %s placeholders where:
1st %s - sender address or postmaster@<helo name> if empty sender
2nd %s - sender IP address
3rd %s - server name ( {j} macro )

Default: Rejected, look at http://www.openspf.org/why.html?sender=%s&ip=%s&receiver=%s

As www.openspf.org has now been closed for two years, the URL generated by RejectReason is not clickable, which is why this message should be disabled by default; but that is impossible, as there is no on/off option available. As I could not find any alternative, and as the parameter order is currently fixed, for the moment I changed RejectReason to a static string: "An SPF enabled mail server rejected message from %s, because sender address %s does not exist in the domain corresponding SPF record."

For better customization, please change the parameters and allow any parameter order, something like:
%sa - sender address or postmaster@ if empty sender
%sd - sender domain
%ip - sender IP address
%sn - server name

MAIL and RCPT limits are not RFC compliant

According to Section 4.5.3.1.3. of RFC 5321

The maximum total length of a reverse-path or forward-path is 256
octets (including the punctuation and element separators).

Only domain size is checked

There is a check on the address size, but it only checks the domain part. When the localpart is bigger than the allowed 64 octets, it should return a reject message.

References: RFC 5321, Section 4.5.3.1.1, Local-part: "The maximum total length of a user name or other local-part is 64 octets."

Permit hostname in config

Create a configuration keyword to force a given hostname to be used in Authentication-Results headers.

Config values with spaces are ignored

If you have a configuration value with spaces only the first word is considered.
Example:

RejectReason Rejected - Please configure your SPF record

When rejecting you only got

550 5.7.23 Rejected
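As an added example (not the project's parser), a buggy reader of the kind this issue describes next to a corrected one. `naive_value` uses `%s`, which stops at the first blank, so only "Rejected" survives; `config_value` takes everything after the keyword. The function names, the inline-comment rule (a `#` preceded by whitespace ends the value) and the sample line are this example's own assumptions:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample line, modelled on the issue (not from smf-spf.conf). */
static const char SAMPLE_LINE[] = "RejectReason Rejected - Please configure your SPF record";

/* Buggy parser: "%s" stops at the first blank, so the value is truncated
   to its first word. Returns NULL if the line has fewer than two tokens. */
const char *naive_value(const char *line)
{
    static char key[64], value[256];
    if (sscanf(line, "%63s %255s", key, value) != 2)
        return NULL;
    return value;
}

/* Keyword of a config line, or NULL for a blank or comment line. */
const char *config_key(const char *line)
{
    static char key[64];
    const char *p = line;
    size_t n = 0;

    while (*p && isspace((unsigned char)*p)) p++;
    if (*p == '\0' || *p == '#')
        return NULL;
    while (*p && !isspace((unsigned char)*p) && n < sizeof key - 1)
        key[n++] = *p++;
    key[n] = '\0';
    return key;
}

/* Fixed parser: the value is everything after the keyword, with leading and
   trailing blanks removed and an inline comment ("#" preceded by whitespace,
   this example's assumption) cut off. Returns NULL for blank/comment lines. */
const char *config_value(const char *line)
{
    static char value[1024];
    const char *p = line;
    size_t n = 0;

    while (*p && isspace((unsigned char)*p)) p++;
    if (*p == '\0' || *p == '#')
        return NULL;
    while (*p && !isspace((unsigned char)*p)) p++;   /* skip the keyword */
    while (*p && isspace((unsigned char)*p)) p++;

    for (; *p && n < sizeof value - 1; p++) {
        if (*p == '\n' || *p == '\r')
            break;
        if (*p == '#' && (n == 0 || isspace((unsigned char)value[n - 1])))
            break;                                    /* inline comment */
        value[n++] = *p;
    }
    while (n > 0 && isspace((unsigned char)value[n - 1]))
        n--;
    value[n] = '\0';
    return value;
}

int main(void)
{
    printf("key:   %s\n", config_key(SAMPLE_LINE));
    printf("naive: %s\n", naive_value(SAMPLE_LINE));
    printf("fixed: %s\n", config_value(SAMPLE_LINE));
    printf("with comment: [%s]\n", config_value("RefuseNone      off      # (on|off)"));
    return 0;
}
```

With the fixed parser the reject text reaches the SMTP client whole, i.e. "550 5.7.23 Rejected - Please configure your SPF record" instead of the truncated "550 5.7.23 Rejected" shown in the issue.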

New feature: Reject at SPF None results

Hello,

Thanks for this beautiful software.

I'd like to be able to reject emails at SPF None results. I mean, I'd want to reject all mail from domains that do not have an SPF policy.

# Refuse e-Mail messages at SPF None results
#
# Default: off
#
RefuseNone      off      # (on|off)

Do you know if that could be an accepted new feature?
Thanks.

Deprecated DNS record type of SPF (type 99) issue.

Hi,

I have issue with one sender:

Received: from mda-out.datacenter.fi (mda-out.datacenter.fi [89.250.48.136])
Authentication-Results: SPF; spf=fail smtp.mailfrom=[email protected] smtp.helo=mda-out.datacenter.fi

But the sender's SPF record and DNS are correct:

nslookup mda-out.datacenter.fi
Address: 89.250.48.136

nslookup -q=txt huuto.net
huuto.net text = "v=spf1 mx a:mda-out.datacenter.fi include:mktomail.com include:spf.protection.outlook.com -all"

I guess the reason is that the sender is also using a deprecated type 99 record, which is not equal to the TXT record:

nslookup -q=spf huuto.net
huuto.net rdata_99 = "v=spf1 include:spf.protection.outlook.com -all"

Based on https://mxtoolbox.com/problem/spf/spf-record-deprecated

"Hostname has returned a SPF Record that has been deprecated

The use of alternative DNS RR types that was formerly supported during the experimental phase of SPF was discontinued in 2014. SPF records must now only be published as a DNS TXT (type 16) Resource Record (RR) [RFC1035]. See RFC 7208 for further detail on this change.

According to RFC 7208 Section 3.1: During the period when SPF was in development, requirements for assigning a new DNS RR type were more stringent than they are today and support for the deployment of new DNS RR types was not deployed in DNS servers and provisioning systems. The end result was that developers of SPF discovered it was easier and more practical to follow the TXT RR type for SPF."

So please modify smf-spf either permanently or optionally to ignore deprecated type 99 SPF record.

Compile failure on Debian

I would like to use the tool on Debian. When compiling I always get "

~/smf-spf# make
gcc -O2 -D_REENTRANT -fomit-frame-pointer -I/usr/local/include -c smf-spf.c
smf-spf.c:22:10: fatal error: arpa/inet.h: No such file or directory
#include <arpa/inet.h>
^~~~~~~~~~~~~
compilation terminated.
make: *** [Makefile:31: smf-spf.o] Error 1

". Do you have an idea why? :S

Add SPF best guess

When a domain doesn't have an SPF record, try to guess.
Use "v=spf1 a/24 mx/24 ptr ?all" as the default record.

Docker image

Are you interested in an "official" Docker image for this project?
I would like to contribute this.

Header "Received-SPF: " is missing.

Hi,

I used the original code v2.0.2 for a long time and now found this, v2.3.0, compiled and started it, but somehow headers in emails are gone, but the conf file is old and contains:

AddHeader on

How to fix it?

handle SPF_RESULT_TEMPERROR result

Should return a temp error according to RFC 7208
https://tools.ietf.org/html/rfc7208#section-8.6

8.6. Temperror

A "temperror" result means the SPF verifier encountered a transient
(generally DNS) error while performing the check. Checking software
can choose to accept or temporarily reject the message. If the
message is rejected during the SMTP transaction for this reason, the
software SHOULD use an SMTP reply code of 451 and, if supported, the
4.4.3 enhanced status code (see Section 3.5 of [RFC3463]). These
errors can be caused by problems in either the sender's or receiver's
DNS software. See Appendix G.4 for considerations on developing
local policy.

A configuration keyword may be used to specify the behaviour ( accept or temp reject ).
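As an added example (not smf-spf's code), the reply decision this issue and the earlier ones describe, in one place: the 451/4.4.3 temperror reply quoted from RFC 7208 behind an accept-or-reject switch, the 550 5.7.23 code seen in the "Config values with spaces" issue for refused results, the RefuseNone and reject-bounces-without-policy options, and the `%` escaping that the spf-milter.pl comment in the "Fail string" issue points at. libmilter is not linked here; `decide` returns a struct instead of calling `smfi_setreply`. The enum names, the policy struct, the choice of 550 5.7.23 for softfail/none and the doubling of `%` as the escape are this example's assumptions:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* SPF results named in RFC 7208 section 2.6. The values are this example's
   own, not libspf2's SPF_RESULT_* constants. */
enum spf_result { R_NONE, R_NEUTRAL, R_PASS, R_FAIL, R_SOFTFAIL, R_TEMPERROR, R_PERMERROR };

/* Milter actions, modelled on libmilter's SMFIS_CONTINUE/REJECT/TEMPFAIL. */
enum action { A_CONTINUE, A_REJECT, A_TEMPFAIL };

/* Configuration switches discussed in the issues and changelog above. */
struct policy {
    bool refuse_fail;       /* reject on "fail" */
    bool refuse_softfail;   /* reject on "softfail" (#8) */
    bool refuse_none;       /* RefuseNone: reject when no policy is published */
    bool reject_ndr_none;   /* reject bounces (empty sender) with no policy (#46) */
    bool accept_temperror;  /* accept_temperror: continue instead of 451 (#14) */
};

struct reply {
    enum action action;
    const char *code;       /* SMTP reply code, NULL when continuing */
    const char *xcode;      /* enhanced status code, NULL when continuing */
};

/* Constructed policies used by main() and the assertions. */
static const struct policy STRICT   = { true,  true,  true,  true,  false };
static const struct policy LENIENT  = { false, false, false, false, true  };
static const struct policy NDR_ONLY = { true,  false, false, true,  false };

struct reply decide(enum spf_result r, bool null_sender, const struct policy *p)
{
    struct reply cont     = { A_CONTINUE, NULL,  NULL };
    /* 550 5.7.23 is the code seen in the issue above for a refused result;
       RFC 7208 gives no code for softfail/none, so reusing it is an assumption. */
    struct reply reject   = { A_REJECT,   "550", "5.7.23" };
    /* RFC 7208 section 8.6: 451 with enhanced status code 4.4.3. */
    struct reply tempfail = { A_TEMPFAIL, "451", "4.4.3" };

    switch (r) {
    case R_FAIL:      return p->refuse_fail ? reject : cont;
    case R_SOFTFAIL:  return p->refuse_softfail ? reject : cont;
    case R_NONE:
        if (p->refuse_none) return reject;
        if (null_sender && p->reject_ndr_none) return reject;
        return cont;
    case R_TEMPERROR: return p->accept_temperror ? cont : tempfail;
    default:          return cont;   /* pass, neutral, permerror: leave to later stages */
    }
}

/* Double each '%' before handing the text to smfi_setreply, following the
   spf-milter.pl note quoted above. "%%" as the escape is this example's
   assumption; check it against the sendmail version in use.
   Returns the escaped length, or 0 (and an empty out) if it does not fit. */
size_t escape_percent(const char *in, char *out, size_t outlen)
{
    size_t n = 0;
    for (; *in; in++) {
        size_t need = (*in == '%') ? 2 : 1;
        if (n + need >= outlen) { out[0] = '\0'; return 0; }
        if (*in == '%') out[n++] = '%';
        out[n++] = *in;
    }
    out[n] = '\0';
    return n;
}

/* Wrapper with a static buffer so escaped text can be compared directly. */
const char *escaped_reason(const char *reason)
{
    static char buf[512];
    escape_percent(reason, buf, sizeof buf);
    return buf;
}

int main(void)
{
    struct reply r = decide(R_TEMPERROR, false, &STRICT);
    printf("temperror, strict: action=%d %s %s\n", r.action, r.code, r.xcode);
    r = decide(R_NONE, true, &NDR_ONLY);
    printf("none + null sender, ndr-only: action=%d\n", r.action);
    printf("escaped: %s\n", escaped_reason("Rejected, 100% sure: see %s"));
    return 0;
}
```

The temperror branch is the one the issue asks for: with `accept_temperror` off, a transient DNS failure yields a 451 so the sender retries later, rather than a permanent 550 that would bounce legitimate mail during a resolver outage.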

New version scheduled?

Hello,

Any idea when you plan to release a new version?

The smf-spf package for Fedora was just approved and I need the latest version (which includes the COPYING file up to date) to continue with the packaging.

Thanks!
