I've been talking with Emmanuel Dreyfus about sendmail milters and
SPF. I mentioned this thread to him, and he asked me to post this
response:
In <1gbhkeo.3puyorqf6is9M%manu@netbsd.org>
manu@netbsd.org (Emmanuel Dreyfus) writes:
See
http://archives.listbox.com/spf-discuss@v2.listbox.com/200403/0445.html
and the two immediate followups by Meng. If you understand and can add to
this discussion, please post a reply! I'm sure there are several
people who would be interested in learning more about how to correctly
do SPF via milters.
I've got the answer, but how can I post? Can you act as a proxy for me?
Emmanuel:
To subscribe, use either:
<mailto:subscribe-spf-discuss@v2.listbox.com>,
<http://v2.listbox.com/subscribe/?listname=spf-discuss@v2.listbox.com>
And, yes, I'm acting as a proxy for Emmanuel here...
All SSL info is available to the milter through sendmail macros. At
mlfi_helo() stage, you can check for the different macros using
smfi_getsymval():
tls_version, cipher, cipher_bits, cert_subject, cert_issuer
If the macros fit your taste, you keep track in your private data (see
mlfi_priv in milter-greylist) that this connection is okay.
In mlfi_envfrom(), where you normally do the SPF check, you get your
private data, and check your flag. If SSL was okay, you return
SMFIS_CONTINUE immediately, otherwise you proceed with SPF.
The same idea is used in milter-greylist, at mlfi_envrcpt() stage. If we
discovered that the sender was whitelisted for various reasons, any
other checks are bypassed at the beginning:
priv = (struct mlfi_priv *) smfi_getpriv(ctx);   /* per-connection state */
(...)
/* sender already whitelisted by address, envelope sender, SMTP AUTH or SPF:
 * skip every other check */
if ((priv->priv_whitelist == EXF_ADDR) ||
    (priv->priv_whitelist == EXF_FROM) ||
    (priv->priv_whitelist == EXF_AUTH) ||
    (priv->priv_whitelist == EXF_SPF))
        return SMFIS_CONTINUE;
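As an added example (not code from this thread and not milter-greylist's own code), here is the HELO-stage / MAIL FROM-stage logic Emmanuel describes, with the policy decision separated from the libmilter glue so it compiles and can be exercised without sendmail. The macro values are passed in as the strings smfi_getsymval() hands back (NULL when a macro is unset, e.g. no STARTTLS, or when sendmail was not told to export it). Two caveats a practitioner should build in: tls_version and cipher_bits only prove the session was encrypted, and cert_subject only that the client offered a certificate; whether that certificate chained to a CA you trust is in sendmail's ${verify} macro, which has to be listed in Milter.macros.helo (confMILTER_MACROS_HELO) next to the macros above for the milter to see it at the HELO stage. The 128-bit minimum, the struct and function names, and the HAVE_LIBMILTER guard are assumptions of this example.

```c
/*
 * Added example, not from the spf-discuss thread or milter-greylist.
 * The policy lives in plain functions; the #ifdef block at the end
 * shows how the real libmilter callbacks would feed them.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Per-connection state, the counterpart of milter-greylist's mlfi_priv.
 * Assumed to be allocated in mlfi_connect() and stored with smfi_setpriv(). */
struct mlfi_priv {
    int tls_ok;     /* 1 if the HELO-stage TLS check passed */
};

/* Policy knob (assumed value, not from the thread). */
#define MIN_CIPHER_BITS 128

/*
 * Decide whether the TLS session is good enough to skip SPF.
 * Every argument may be NULL: that is what smfi_getsymval() returns
 * for an unset macro (plain session) or one not exported to the milter.
 */
int tls_is_acceptable(const char *tls_version, const char *cipher_bits,
                      const char *cert_subject, const char *verify)
{
    char *end;
    long bits;

    /* No STARTTLS at all: nothing to trust. */
    if (tls_version == NULL || *tls_version == '\0')
        return 0;
    /* Refuse SSLv2/SSLv3 sessions outright. */
    if (strncmp(tls_version, "SSLv", 4) == 0)
        return 0;
    /* cipher_bits arrives as a decimal string; reject garbage or weak keys. */
    if (cipher_bits == NULL)
        return 0;
    bits = strtol(cipher_bits, &end, 10);
    if (end == cipher_bits || *end != '\0' || bits < MIN_CIPHER_BITS)
        return 0;
    /* A client certificate must have been presented AND verified:
     * cert_subject only says one was offered; ${verify} == "OK" says
     * sendmail chained it to a trusted CA. */
    if (cert_subject == NULL || *cert_subject == '\0')
        return 0;
    if (verify == NULL || strcmp(verify, "OK") != 0)
        return 0;
    return 1;
}

/* HELO stage: record the verdict in the private data for later stages. */
void helo_record_tls(struct mlfi_priv *priv, const char *tls_version,
                     const char *cipher_bits, const char *cert_subject,
                     const char *verify)
{
    priv->tls_ok = tls_is_acceptable(tls_version, cipher_bits,
                                     cert_subject, verify);
}

/* MAIL FROM stage: 1 means "trusted TLS peer, skip the SPF check". */
int envfrom_skip_spf(const struct mlfi_priv *priv)
{
    return priv != NULL && priv->tls_ok;
}

#ifdef HAVE_LIBMILTER   /* assumed build flag; real callbacks follow */
#include <libmilter/mfapi.h>

sfsistat mlfi_helo(SMFICTX *ctx, char *helohost)
{
    struct mlfi_priv *priv = smfi_getpriv(ctx);
    if (priv == NULL)
        return SMFIS_TEMPFAIL;
    /* Multi-character sendmail macros are looked up with braces. */
    helo_record_tls(priv,
                    smfi_getsymval(ctx, "{tls_version}"),
                    smfi_getsymval(ctx, "{cipher_bits}"),
                    smfi_getsymval(ctx, "{cert_subject}"),
                    smfi_getsymval(ctx, "{verify}"));
    return SMFIS_CONTINUE;
}

sfsistat mlfi_envfrom(SMFICTX *ctx, char **argv)
{
    struct mlfi_priv *priv = smfi_getpriv(ctx);
    if (envfrom_skip_spf(priv))
        return SMFIS_CONTINUE;   /* verified TLS peer: bypass SPF */
    /* otherwise run the SPF check on argv[0] (the envelope sender) here */
    return SMFIS_CONTINUE;
}
#endif
```

Note that the plain functions deliberately treat a missing ${verify} as a failure: if sendmail has not been configured to export it, the milter falls back to SPF rather than silently trusting any client that presented a certificate.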