spf-discuss

[spf-discuss] Re: Apache SpamAssassin SPF checks

2006-11-11 12:41:14
"Scott" == Scott Kitterman
"Re: Re: Apache SpamAssassin SPF checks"
 Sat, 11 Nov 2006 10:27:14 -0500

    Scott> I just patched my test server to put a test header in using
    Scott> PREPEND (which is the same command that the PERL policyd
    Scott> uses and it is above the received header field:

    Scott> x-headercheck: This is where PREPEND puts it.
    Scott> Received: from [192.168.111.103]
    Scott>      (static-72-81-252-22.bltmmd.fios.verizon.net  
    Scott>      [72.81.252.22])
    Scott>      (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
    Scott>      (No client certificate requested)
    Scott>      by mailout00.controlledmail.com (Postfix) with ESMTP
    Scott>      id 27FC65CC0B3 
    Scott>      for <scott(_at_)kitterman(_dot_)com>; Sat, 11 Nov 2006 14:59:30 +0000 (UTC)

    Scott> So, I wasn't sure before, but I am now.

There are three minor issues I'm aware of with PREPEND in Postfix:

        1.  Successive PREPENDs applied to the same message appear one
            below the other starting at the top and working down
            toward the Received: header field.

        2.  When PREPEND is used in Recipient Restrictions the
            pertinent PREPEND will be applied to the same message once
            for each recipient, i.e. multiple identical PREPENDs appear
            for multiple recipients including "blind" recipients.

        3.  PREPEND cannot appear together with another action on the
            right hand side of an Access Table entry nor in an Action
            of a Policy.
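The first two issues can be checked from the delivered message itself: with Postfix PREPEND, every field above the first Received: line was added by a policy action, in the order the actions ran, and a field repeated verbatim in that region is the once-per-recipient duplication described in issue 2. The following is an added example for this thread, not code from Postfix or from any policyd-spf script; the sample message is constructed, and its Received-SPF text is a placeholder rather than a real comment.

```python
"""Inspect the header fields Postfix PREPEND placed above the first
Received: line and flag identical repeats (added example, not Postfix or
policyd-spf code; the message below is constructed)."""
from collections import Counter

# Constructed sample: a PREPEND test field, two identical Received-SPF
# fields (one per recipient, as issue 2 describes), then the Received:
# field Postfix itself adds, then ordinary headers.
SAMPLE_MESSAGE = (
    "x-headercheck: This is where PREPEND puts it.\r\n"
    "Received-SPF: pass (mx.example.test: placeholder comment)\r\n"
    "Received-SPF: pass (mx.example.test: placeholder comment)\r\n"
    "Received: from mail.example.test [192.0.2.10]\r\n"
    "\tby mx.example.test (Postfix) with ESMTP id PLACEHOLDERID\r\n"
    "\tfor <alice@example.test>; Sat, 11 Nov 2006 14:59:30 +0000 (UTC)\r\n"
    "From: Sender <sender@example.test>\r\n"
    "Subject: test\r\n"
    "\r\n"
    "body\r\n"
)


def unfold_headers(raw):
    """Split the header block into (name, value) pairs, joining folded
    continuation lines (those starting with space or tab)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    fields = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def prepended_fields(raw):
    """Fields above the first Received: header. With Postfix PREPEND these
    are exactly the prepended fields, top to bottom in the order the
    policy actions were applied (issue 1)."""
    out = []
    for name, value in unfold_headers(raw):
        if name.lower() == "received":
            break
        out.append((name, value))
    return out


def duplicate_prepends(raw):
    """Map each prepended field that occurs more than once to its count;
    a non-empty result is the signature of issue 2 (PREPEND applied once
    per recipient)."""
    counts = Counter(prepended_fields(raw))
    return {field: n for field, n in counts.items() if n > 1}


if __name__ == "__main__":
    for name, value in prepended_fields(SAMPLE_MESSAGE):
        print("prepended: %s: %s" % (name, value))
    for (name, _), n in duplicate_prepends(SAMPLE_MESSAGE).items():
        print("duplicated %d times: %s" % (n, name))
```

Run against a message saved from a test delivery, the script lists what each policy service prepended and reports any field that was emitted once per recipient; a clean single-recipient delivery should report no duplicates.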

The second issue can be minimized by not placing recipient information
in a PREPEND.  Then "sighted" recipients only see that "blinded"
recipients exist but not their identity.

The third issue has led me to some ugly hackery.  I would greatly
appreciate suggestions on how better to do, for example, "white listing"
only after SPF pass.  Here is what I do now:

,----[ EXTRACT: diff -wc /tmp/postfix-policyd-spf-1.06 /usr/local/libexec/postfix/smtpd-policy-spf-jam.pl ]
*** /tmp/postfix-policyd-spf-1.06       Sat Nov 11 13:03:40 2006
--- /usr/local/libexec/postfix/smtpd-policy-spf-jam.pl  Thu Aug 24 09:43:57 2006
***************
[[ .... ]]
*** 197,203 ****
    syslog(info=>"%s: SPF %s: smtp_comment=%s, header_comment=%s",
           $attr{queue_id}, $result, $smtp_comment, $header_comment);

!   if    ($result eq "fail")     { return "REJECT $smtp_comment"; }
    elsif ($result eq "error")    { return "DEFER_IF_PERMIT $smtp_comment"; }
    else                          { return "PREPEND Received-SPF: $result 
($header_comment)"; }  }
--- 200,207 ----
    syslog(info => "%s: SPF %s: smtp_comment=%s, header_comment=%s",
           $attr{queue_id}, $result, $smtp_comment, $header_comment);

!   if    ($result eq "pass")     { return "passed_spf"; }
!   elsif ($result eq "fail")     { return "REJECT $smtp_comment"; }
    elsif ($result eq "error")    { return "DEFER_IF_PERMIT $smtp_comment"; }
    else                          { return "PREPEND Received-SPF: $result 
($header_comment)"; }  }
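Review bot: the new `if ($result eq "pass") { return "passed_spf"; }` branch hands Postfix a restriction class name instead of a policy action, so the script now silently depends on `passed_spf` being declared in `smtpd_restriction_classes` in main.cf; a comment on that line naming the dependency would save the next reader a trip to the mail configuration. Note also that the pass result no longer receives a Received-SPF header from this script, since the `else` PREPEND is only reached for results other than pass, fail and error, which is why the second policy service is needed.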

`----

Make /usr/local/libexec/postfix/smtpd-policy-spf-fin-jam.pl as another
copy of postfix-policyd-spf but with every thing below the line

        my $action = $DEFAULT_RESPONSE;

replaced with the following:

,----[ EXCERPT: /usr/local/libexec/postfix/smtpd-policy-spf-fin-jam.pl ]

  # This service is only reached through the passed_spf restriction
  # class, so the SPF pass has already been established; only record it.
  my $header_comment;
  if ($attr{client_address} =~ /^127\./) {
      $header_comment = "localhost is always allowed.";
  }
  else {
      $header_comment = "$myhostname: domain of $attr{sender} designates "
                      . "$attr{client_address} as permitted sender";
  }

  $action = "PREPEND Received-SPF: pass ($header_comment)";

  syslog(info => "decided action=%s", $action);

  # Policy protocol reply: one action line followed by an empty line.
  print STDOUT "action=$action\n\n";
  %attr = ();
}

`----

,----[ simplified EXCERPT: postfix/main.cf ]
smtpd_restriction_classes =
        check_spf
        passed_spf
        normal_restrictions
        relaxed_restrictions

smtpd_recipient_restrictions =
        reject_unauth_destination
        [[ ... ]]
        check_spf

check_spf =
        check_policy_service unix:private/policy-spf
        normal_restrictions

# from check_policy_service unix:private/policy-spf
passed_spf =
        check_policy_service unix:private/policy-spf-fin
        check_recipient_access hash:/etc/postfix/relaxed-recipient-check
        normal_restrictions     
        
normal_restrictions =
        [[ ... ]]

relaxed_restrictions =
        [[ ... ]]

`----

,----[ /etc/postfix/relaxed-recipient-check ]
joe(_at_)my(_dot_)domain        relaxed_restrictions
jane(_at_)my(_dot_)domain  normal_restrictions
`----
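The two-stage scheme above, written out as a single runnable decision module: stage one maps the SPF result to a Postfix action and, on pass, returns the restriction class name (because PREPEND cannot share a line with another action); stage two, reachable only through that class, emits the Received-SPF PREPEND without re-checking anything. This is an added example for this thread, not the policyd-spf code or anything shipped with Postfix. It assumes the SPF evaluation itself comes from an external library and is passed in as the hypothetical `spf_result` argument; the request blocks and the `mx.example.test` host name are constructed.

```python
"""Two-stage Postfix SMTPD policy decision modelled on the thread's scheme
(added example; not policyd-spf or Postfix code). The SPF verdict is
assumed to come from an external library ('spf_result'); request blocks
and host names below are constructed."""
import ipaddress


def parse_policy_request(block):
    """Parse one request as Postfix sends it to a policy service:
    'name=value' lines terminated by an empty line."""
    attrs = {}
    for line in block.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed policy attribute: %r" % line)
        attrs[name] = value
    return attrs


def received_spf_header(result, header_comment):
    return "Received-SPF: %s (%s)" % (result, header_comment)


def stage_one_action(spf_result, smtp_comment, header_comment):
    """Mirror of the patched policy-spf script: pass hands control to the
    passed_spf restriction class (which main.cf must declare), fail
    rejects, error defers, and every other result is only recorded."""
    if spf_result == "pass":
        return "passed_spf"
    if spf_result == "fail":
        return "REJECT " + smtp_comment
    if spf_result == "error":
        return "DEFER_IF_PERMIT " + smtp_comment
    return "PREPEND " + received_spf_header(spf_result, header_comment)


def is_loopback(client_address):
    """Broader than the script's /^127\\./ test: also covers ::1."""
    try:
        return ipaddress.ip_address(client_address).is_loopback
    except ValueError:
        return False


def stage_two_action(attrs, myhostname="mx.example.test"):
    """The 'fin' service: it does not evaluate SPF, it only records the
    pass that stage one established, so it must be reachable only via
    the passed_spf restriction class."""
    client = attrs.get("client_address", "")
    if is_loopback(client):
        comment = "localhost is always allowed."
    else:
        comment = "%s: domain of %s designates %s as permitted sender" % (
            myhostname, attrs.get("sender", ""), client)
    return "PREPEND " + received_spf_header("pass", comment)


def policy_response(action):
    """Serialize the reply the policy protocol expects."""
    return "action=%s\n\n" % action


# Constructed request, with the attribute names Postfix actually sends.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "sender=alice@example.test\n"
    "recipient=bob@example.test\n"
    "\n"
)

if __name__ == "__main__":
    attrs = parse_policy_request(SAMPLE_REQUEST)
    for verdict in ("pass", "fail", "error", "softfail"):
        print(policy_response(stage_one_action(
            verdict, "SPF " + verdict, "constructed comment")), end="")
    print(policy_response(stage_two_action(attrs)), end="")
```

The point the split makes visible: stage two trusts its caller completely, so the only thing standing between an unverified client and a forged "Received-SPF: pass" header is the main.cf wiring that makes policy-spf-fin reachable solely from the passed_spf class. Any later edit that references unix:private/policy-spf-fin from another restriction list silently removes that guarantee.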

Using the ugly smtpd-policy-spf-fin-jam.pl makes the log look the same
as for an unmodified postfix-policyd-spf except for the additional log
record with the PREPEND and a different process number.

A better way?

        jam

-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/