"Scott" == Scott Kitterman
"Re: Re: Apache SpamAssassin SPF checks"
Sat, 11 Nov 2006 10:27:14 -0500
Scott> I just patched my test server to put a test header in using
Scott> PREPEND (which is the same command that the Perl policyd
Scott> uses), and it is above the Received header field:
Scott> x-headercheck: This is where PREPEND puts it.
Scott> Received: from [192.168.111.103]
Scott> (static-72-81-252-22.bltmmd.fios.verizon.net
Scott> [72.81.252.22])
Scott> (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
Scott> (No client certificate requested)
Scott> by mailout00.controlledmail.com (Postfix) with ESMTP
Scott> id 27FC65CC0B3
Scott> for <scott(_at_)kitterman(_dot_)com>; Sat, 11 Nov 2006 14:59:30 +0000 (UTC)
Scott> So, I wasn't sure before, but I am now.
There are three minor issues I'm aware of with PREPEND in Postfix:
1. Successive PREPENDs applied to the same message appear one
below the other starting at the top and working down
toward the Received: header field.
2. When PREPEND is used in Recipient Restrictions the
pertinent PREPEND will be applied to the same message once
for each recipient, i.e. multiple identical PREPENDs appear
for multiple recipients including "blind" recipients.
3. PREPEND cannot appear together with another action on the
right hand side of an Access Table entry nor in an Action
of a Policy.
The second issue can be minimized by not placing recipient information
in a PREPEND. Then "sighted" recipients only see that "blinded"
recipients exist but not their identity.
The third issue has led me to some ugly hackery. I would greatly
appreciate suggestions on how better to do, for example, "whitelisting"
only after SPF pass. Here is what I do now:
,----[ EXTRACT: diff -wc /tmp/postfix-policyd-spf-1.06 /usr/local/libexec/postfix/smtpd-policy-spf-jam.pl ]
*** /tmp/postfix-policyd-spf-1.06 Sat Nov 11 13:03:40 2006
--- /usr/local/libexec/postfix/smtpd-policy-spf-jam.pl Thu Aug 24 09:43:57 2006
***************
[[ .... ]]
*** 197,203 ****
syslog(info=>"%s: SPF %s: smtp_comment=%s, header_comment=%s",
$attr{queue_id}, $result, $smtp_comment, $header_comment);
! if ($result eq "fail") { return "REJECT $smtp_comment"; }
elsif ($result eq "error") { return "DEFER_IF_PERMIT $smtp_comment"; }
else { return "PREPEND Received-SPF: $result
($header_comment)"; } }
--- 200,207 ----
syslog(info => "%s: SPF %s: smtp_comment=%s, header_comment=%s",
$attr{queue_id}, $result, $smtp_comment, $header_comment);
! if ($result eq "pass") { return "passed_spf"; }
! elsif ($result eq "fail") { return "REJECT $smtp_comment"; }
elsif ($result eq "error") { return "DEFER_IF_PERMIT $smtp_comment"; }
else { return "PREPEND Received-SPF: $result
($header_comment)"; } }
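Review bot: The PREPEND branch (last two lines of both the `***` and `---` sides) splits the action string across a line break after `$result`; if that newline is literal in the file rather than mail wrapping, the reply contains an embedded newline, and the policy protocol expects exactly one `action=...` line followed by an empty line, so Postfix would see a truncated header and then an unparsable line. Keep it on one line: `else { return "PREPEND Received-SPF: $result ($header_comment)"; }`. Separately, the new `if ($result eq "pass") { return "passed_spf"; }` returns a restriction-class name instead of a PREPEND, so the `$header_comment` already computed for the pass case (the real SPF explanation) is discarded and has to be re-synthesized by the second script; if that matters, log `$header_comment` here before returning, since the `syslog` line above already has it.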
`----
Make /usr/local/libexec/postfix/smtpd-policy-spf-fin-jam.pl as another
copy of postfix-policyd-spf, but with everything below the line
my $action = $DEFAULT_RESPONSE;
replaced with the following:
,----[ EXCERPT: /usr/local/libexec/postfix/smtpd-policy-spf-fin-jam.pl ]
        my $header_comment;
        if ($attr{client_address} =~ /^127\./) {
            $header_comment = "localhost is always allowed.";
        }
        else {
            # keep the comment on one line: the policy reply is a single action line
            $header_comment = "$myhostname: domain of $attr{sender} designates $attr{client_address} as permitted sender";
        }
        $action = "PREPEND Received-SPF: pass ($header_comment)";
        syslog(info => "decided action=%s", $action);
        print STDOUT "action=$action\n\n";
        %attr = ();
    }
`----
,----[ simplified EXCERPT: postfix/main.cf ]
smtpd_restriction_classes =
    check_spf
    passed_spf
    normal_restrictions
    relaxed_restrictions
smtpd_recipient_restrictions =
    reject_unauth_destination
    [[ ... ]]
    check_spf
check_spf =
    check_policy_service unix:private/policy-spf
    normal_restrictions
# from check_policy_service unix:private/policy-spf
passed_spf =
    check_policy_service unix:private/policy-spf-fin
    check_recipient_access hash:/etc/postfix/relaxed-recipient-check
    normal_restrictions
normal_restrictions =
    [[ ... ]]
relaxed_restrictions =
    [[ ... ]]
`----
,----[ /etc/postfix/relaxed-recipient-check ]
joe(_at_)my(_dot_)domain relaxed_restrictions
jane(_at_)my(_dot_)domain normal_restrictions
`----
Using the ugly smtpd-policy-spf-fin-jam.pl makes the log look the same
as for an unmodified postfix-policyd-spf except for the additional log
record with the PREPEND and a different process number.
A better way?
jam
-------
Sender Policy Framework: http://www.openspf.org/
Archives at http://archives.listbox.com/spf-discuss/current/
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?list_id=735
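The two-stage policy logic in the message above, as an added example that is not code from the original post or from the postfix-policyd-spf project: a minimal Postfix policy-delegation handler in Python. It parses a request in the wire format Postfix sends (name=value lines ended by an empty line), returns either a plain action or the restriction-class name passed_spf on SPF pass, and reproduces the second script, which only prepends and never re-evaluates SPF. The SPF evaluation is reduced to ip4/ip6/all mechanisms over a constructed in-memory record table so that it runs offline; a real daemon resolves the TXT record via DNS. The domains, IPs, MYHOSTNAME and the sample request are all hypothetical.

```python
"""Added example (not from the original post or postfix-policyd-spf):
a reduced Postfix policy server showing the passed_spf restriction-class
trick.  SPF records and addresses below are constructed for the demo."""
import ipaddress

MYHOSTNAME = "mail.example.org"          # stands in for $myhostname

# Constructed SPF records for hypothetical domains; a real daemon does DNS.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:72.81.252.22 ip4:192.0.2.0/24 -all",
    "example.net": "v=spf1 ip4:198.51.100.5 ~all",
    "broken.example": "v=spf1 ip4:not-an-address -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed request in the policy-delegation wire format.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=72.81.252.22\n"
    "helo_name=[192.168.111.103]\n"
    "sender=scott@example.com\n"
    "recipient=jane@my.domain\n"
    "\n"
)


def parse_policy_request(raw):
    """One request is name=value lines; the empty line ends it."""
    attr = {}
    for line in raw.split("\n"):
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attr[name] = value
    return attr


def format_response(action):
    """The reply is exactly one action line plus an empty line."""
    return f"action={action}\n\n"


def sender_identity(attr):
    """MAIL FROM, or postmaster@HELO for the null sender (bounces)."""
    sender = attr.get("sender", "")
    if not sender:
        sender = "postmaster@" + attr.get("helo_name", "")
    return sender, sender.rpartition("@")[2].lower()


def check_spf(sender, domain, client_ip):
    """Reduced SPF evaluation (ip4/ip6/all only): (result, comment)."""
    record = SPF_RECORDS.get(domain)
    if record is None:
        return "none", f"domain of {sender} has no SPF record"
    try:
        ip = ipaddress.ip_address(client_ip)
        for term in record.split()[1:]:          # skip the v=spf1 tag
            qual = "+"
            if term[0] in QUALIFIERS:
                qual, term = term[0], term[1:]
            mech, _, arg = term.partition(":")
            if mech not in ("all", "ip4", "ip6"):
                return "error", f"mechanism '{mech}' not supported here"
            if mech == "all" or ip in ipaddress.ip_network(arg, strict=False):
                result = QUALIFIERS[qual]
                verb = "designates" if result == "pass" else "does not designate"
                return result, f"domain of {sender} {verb} {client_ip} as permitted sender"
    except ValueError as exc:                    # bad IP or malformed record
        return "error", f"malformed SPF data for {domain}: {exc}"
    return "neutral", f"domain of {sender} has no default mechanism"


def first_stage_action(attr):
    """policy-spf: the patched script's decision order."""
    sender, domain = sender_identity(attr)
    result, comment = check_spf(sender, domain, attr.get("client_address", ""))
    if result == "pass":
        return "passed_spf"                      # restriction class, not an action
    if result == "fail":
        return f"REJECT {comment}"
    if result == "error":
        return f"DEFER_IF_PERMIT {comment}"
    return f"PREPEND Received-SPF: {result} ({comment})"


def final_stage_action(attr):
    """policy-spf-fin: only ever reached inside the passed_spf class."""
    client = attr.get("client_address", "")
    if client.startswith("127."):
        comment = "localhost is always allowed."
    else:
        sender, _ = sender_identity(attr)
        comment = f"{MYHOSTNAME}: domain of {sender} designates {client} as permitted sender"
    return f"PREPEND Received-SPF: pass ({comment})"


if __name__ == "__main__":
    attr = parse_policy_request(SAMPLE_REQUEST)
    print(format_response(first_stage_action(attr)), end="")
    print(format_response(final_stage_action(attr)), end="")
```

Postfix accepts the name of a restriction class wherever it accepts an action, and then evaluates that class's restrictions in place; that is why a bare passed_spf works while "PREPEND plus another action" does not, and why the second stage needs no SPF lookup of its own. The cost is that the original header comment from the first evaluation is lost and must be rebuilt, and that the second stage trusts the client address without re-checking, which is only safe because it is reachable solely through the passed_spf class.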