MSA SPF Policy Checks
It occurred to me that it might be useful for an MSA to check and see if a
message that is being submitted to it for transmission would pass an SPF
check using the MSA's local IP address. I'm trying this in Postfix 2.1.

I have the latest Mail::SPF::Query and postfix-SPF-policyd from Debian Testing
installed and running. I need to modify postfix-SPF-policyd to use the local
IP address rather than the client IP address.

So, what I need to do is insert one line of code here:

sub sender_permitted_from {
  local %_ = @_;
  my %attr = %{ $_{attr} };

.................................

  my $query = eval { new Mail::SPF::Query (ip    =>$attr{client_address},
                                           sender=>$attr{sender},
                                           helo  =>$attr{helo_name}) };

That line of code needs to change $attr{client_address} to the local IP
address.  This would be a manual entry (or if there's an easy way to get the
local IP address automagically, that's fine too).

I assume that for anyone versed in PERL, this is trivial.  I'm not at all, so
I was wondering if someone here could tell me what needs to be changed.

On a related note, I've started working on re-implementing postfix-SPF-policyd
in Python. If it were done in Python, then I'd know how to deal with it.

Thanks,

Scott K

-------
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-devel@v2.listbox.com
Re: MSA SPF Policy Checks
spf2@kitterman.com wrote:

> It occurred to me that it might be useful for an MSA to check and see if a
> message that is being submitted to it for transmission would pass an SPF
> check using the MSA's local IP address. I'm trying this in Postfix 2.1.

I think you're much better off checking out 'smtpd_sender_login_maps'
and 'reject_sender_login_mismatch'. When properly setup, this will also
prevent cross-user forgeries and in general prevent relaying of messages
with non-approved sender addresses.

Regards, Arjen

Re: MSA SPF Policy Checks
Scott Kitterman wrote:
> It occurred to me that it might be useful for an MSA to check and see if
> a message that is being submitted to it for transmission would pass an
> SPF check using the MSA's local IP address. I'm trying this in Postfix
> 2.1.

That's called "outbound SPF checking". I've implemented it in Courier::
Filter::Module::SPFout[1], if you're interested (it's not all that
interesting, though, as it is a pretty basic principle as you described).

> I have the latest Mail::SPF::Query and postfix-SPF-policyd from Debian
> Testing installed and running. I need to modify postfix-SPF-policyd to
> use the local IP address rather than the client IP address.
>
> So, what I need to do is insert one line of code here:
>
> sub sender_permitted_from {
>   local %_ = @_;
>   my %attr = %{ $_{attr} };
>
> .................................
>
>   my $query = eval { new Mail::SPF::Query (ip    =>$attr{client_address},
>   sender=>$attr{sender},
>   helo =>$attr{helo_name}) };
>
> That line of code needs to change $attr{client_address} to the local IP
> address.  This would be a manual entry (or if there's an easy way to get
> the local IP address automagically, that's fine too).

In C:F:M:SPFout, I'm using the Net::Address::IPv4::Local Perl module[2] to
discover the local IP address. If you want to reimplement that yourself,
the trick is to create a UDP/DGRAM socket to some stable public IP address
(I used that of a.root-servers.net, but you could use that of the target
MX, too). There is no need to actually connect the socket. The socket
creation causes the OS to do a routing table lookup. Then you can get the
local IP address of the network interface selected by the OS.

> I assume that for anyone versed in PERL, this is trivial.  I'm not at
> all, so I was wondering if someone here could tell me what needs to be
> changed.

I'm not sure if what I wrote above answers your question.

> On a related note, I've started working on re-implementing postfix-SPF-
> policyd in Python.

Doesn't Stuart's Python Milter[3] support SPF already?

In any case, there seems to be a multitude of SPF milters[4]. Perhaps we
should try to consolidate them or at least find out which ones are the best
and drop the others from the implementations list.

Julian.

References:
1. http://search.cpan.org/dist/Courier-Filter/lib/Courier/Filter/Module/SPFout.pm
2. http://search.cpan.org/dist/Net-Address-IPv4-Local/lib/Net/Address/IPv4/Local.pm
3. http://www.bmsi.com/python/milter.html
4. http://new.openspf.org/Implementations


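An added example, not code from this thread or from postfix-SPF-policyd, written in Python since that is what Scott is reimplementing the policyd in: it parses a constructed Postfix 2.1 policy request, discovers the MSA's own address with the UDP-socket route lookup Julian describes (the example does call connect(), which on a datagram socket transmits nothing but is what makes getsockname() return the interface address the OS selected), and substitutes that address for client_address in the (ip, sender, helo) triple the SPF query takes, which is the one-line change Scott asks about. The SPF evaluation itself (Mail::SPF::Query in Perl, or pyspf in Python) is assumed to run on the returned triple and is not shown; all attribute values are constructed, and 198.41.0.4 is the address of a.root-servers.net as of this writing.

```python
import socket

# Constructed sample of a Postfix 2.1 policy request: "name=value" lines
# ended by an empty line, as postfix-SPF-policyd reads them on stdin.
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "helo_name=laptop.example.org\n"
    "sender=user@example.org\n"
    "recipient=someone@example.net\n"
    "client_address=192.0.2.25\n"
    "\n"
)

# Stable public address used only for the kernel's route lookup; no packet
# is sent. 198.41.0.4 is a.root-servers.net, the host Julian mentions.
ROUTE_PROBE = ("198.41.0.4", 53)

def parse_policy_request(raw):
    """Parse one attribute block into a dict, stopping at the blank line."""
    attrs = {}
    for line in raw.split("\n"):
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

def local_ip_address(probe=ROUTE_PROBE):
    """connect() on a UDP socket only selects a route; getsockname() then
    reveals the source address the OS chose. None when there is no route."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect(probe)
        return s.getsockname()[0]
    except OSError:
        return None
    finally:
        s.close()

def outbound_spf_args(attrs, msa_ip):
    """Build the (ip, sender, helo) triple for the SPF query with the MSA's
    own address in place of client_address; refuse if it is unknown."""
    if msa_ip is None:
        raise ValueError("MSA address unknown; outbound SPF check skipped")
    return {"ip": msa_ip, "sender": attrs["sender"], "helo": attrs["helo_name"]}
```

A policyd that cannot learn its own address should fall back to a dunno-style response rather than evaluate SPF against 0.0.0.0, which is why the last function raises instead of guessing.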
Re: MSA SPF Policy Checks
On 05/15/2006 14:41, Arjen de Korte wrote:
> spf2@kitterman.com wrote:
> > It occurred to me that it might be useful for an MSA to check and see if a
> > message that is being submitted to it for transmission would pass an SPF
> > check using the MSA's local IP address. I'm trying this in Postfix 2.1.
>
> I think you're much better off checking out 'smtpd_sender_login_maps'
> and 'reject_sender_login_mismatch'. When properly setup, this will also
> prevent cross-user forgeries and in general prevent relaying of messages
> with non-approved sender addresses.
>
That is my intent when using SMTP Auth. The MSA box in question isn't set up
for it and I'm not in a position to change it right now.

The client IPs in question are authorized via permit_mynetworks.

Scott K

Re: Re: MSA SPF Policy Checks
On 05/15/2006 15:41, Julian Mehnle wrote:

> Doesn't Stuart's Python Milter[3] support SPF already?
>
> In any case, there seems to be a multitude of SPF milters[4]. Perhaps we
> should try to consolidate them or at least find out which ones are the best
> and drop the others from the implementations list.
>
It does, but Postfix does not currently support the milter API. This is being
implemented as part of the Postfix 2.3 development effort.

The current (Postfix 2.1/2.2) policy interface is much simpler. Meng's
policyd works exactly correctly for those Postfix versions. The Python
re-implementation is just because of my inability/unwillingness to deal with
PERL.

There are other Python implementations out there, such as tumgreyspf:

http://www.tummy.com/Community/software/tumgreyspf/

but they are more complex than what I need.

Scott K

Re: MSA SPF Policy Checks

spf2@kitterman.com wrote:
> On 05/15/2006 15:41, Julian Mehnle wrote:
> > Doesn't Stuart's Python Milter[3] support SPF already?
> >
> > In any case, there seems to be a multitude of SPF milters[4]. Perhaps
> > we should try to consolidate them or at least find out which ones are
> > the best and drop the others from the implementations list.
>
> It does, but Postfix does not currently support the milter API.

Oops, I confused Postfix's policy daemon and Sendmail's milter mechanisms.
Please ignore my blathering.

> This is being implemented as part of the Postfix 2.3 development effort.

Interesting, I didn't know that. That is probably a good idea.

> There are other Python implementations out there, such as tumgreyspf:
>
> http://www.tummy.com/Community/software/tumgreyspf/

I know, it's listed on the new SPF website.

Re: Re: MSA SPF Policy Checks
On 05/15/2006 15:52, Julian Mehnle wrote:
> spf2@kitterman.com wrote:

> > This [Sendmail Milter] is being implemented as part of the Postfix 2.3
> > development effort.
>
> Interesting, I didn't know that. That is probably a good idea.
>
FYI,

http://archives.neohapsis.com/archives/postfix/2006-05/0750.html

Scott K
