Mailing List Archive

SRS sendmail integration
Hi! I just joined the list, but I've been reading through the archives
(somewhat crazy: jumping from spf-discuss to here).

Is there a "working" m4 hack for joe-job protection? It sounded like
people had one, but I couldn't piece it together from the archives.

--
Kees Cook @outflux.net
Re: SRS sendmail integration
On Thu, 25 Mar 2004, Kees Cook wrote:

> Is there a "working" m4 hack for joe-job protection? It sounded like
> people had one, but I couldn't piece it together from the archives.

I am not sure which kind of forgery "joe-job" refers to. However, the
m4 hack discussed here signs your outgoing mail so that you can recognize
forged bounces, as well as rewriting forwarded mail so that SPF is
satisfied. A working, fairly well tested (5 production machines)
version using a Python port of SRS and m4 sendmail hack can be found at:

http://bmsi.com/python/pysrs.html

Links to Perl and C versions of SRS as well as Mark's instructions
for manually hacking sendmail.cf are at

http://spf.pobox.com/srs.html

SPF provides a way to let others detect forged email claiming to be from
you. However, only a tiny percentage of MTAs check it so far. Even so,
it stops a significant portion of spam on my system (especially since I
cheat and reject neutral results for aol.com). If nothing else, it
provides a very flexible way to specify where your own mail legitimately
comes from, so I don't get any more spam from my colleagues. :-)

http://spf.pobox.com

A python milter that rejects unsigned bounces that reach the DATA phase
and checks SPF is at:

http://bmsi.com/python/milter.html

The SPF download page has links to a C SPF checking milter and Perl,
C, and Python libraries for checking SPF.

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Very few of our customers are going to have a pure Unix
or pure Windows environment." - Dennis Oldroyd, Microsoft Corporation
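An added example (not pysrs, and not Mark's or Stuart's code) of the SRS0 rewrite the reply above describes: the forwarder signs the rewritten envelope sender with an HMAC and a day-granularity timestamp, so a bounce that later comes back to that address can be verified and unsigned (forged) bounces refused. The secret, addresses and day counts are constructed for the demo; the 4-char base64 hash and 2-char base32 timestamp follow the SRS0 layout.

```python
import base64
import hashlib
import hmac
import time

B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"   # SRS base32 alphabet
MAX_AGE_DAYS = 21                           # reject bounces older than this


def _timestamp(days):
    # two base32 chars encode days-since-epoch mod 1024
    return B32[(days >> 5) & 31] + B32[days & 31]


def _hash(secret, ts, domain, local):
    # HMAC over timestamp, original domain and local part (case-folded)
    msg = "=".join((ts, domain, local)).lower().encode()
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:4]


def forward(secret, sender, forwarder, days=None):
    """Rewrite sender as SRS0=HHHH=TT=orig-domain=orig-local@forwarder."""
    if days is None:
        days = int(time.time() // 86400)
    local, domain = sender.rsplit("@", 1)
    ts = _timestamp(days)
    return "SRS0=%s=%s=%s=%s@%s" % (_hash(secret, ts, domain, local),
                                     ts, domain, local, forwarder)


def reverse(secret, address, days=None):
    """Verify an SRS0 bounce address and recover the original sender.
    Raises ValueError for anything we did not sign or signed too long ago."""
    if days is None:
        days = int(time.time() // 86400)
    local, _ = address.rsplit("@", 1)
    parts = local.split("=", 4)             # original local part may contain '='
    if len(parts) != 5 or parts[0] != "SRS0" or len(parts[2]) != 2:
        raise ValueError("malformed or non-SRS0 address")
    _, h, ts, domain, orig_local = parts
    if not hmac.compare_digest(h, _hash(secret, ts, domain, orig_local)):
        raise ValueError("bad SRS signature: forged or foreign bounce")
    then = (B32.index(ts[0]) << 5) | B32.index(ts[1])
    if (days - then) % 1024 > MAX_AGE_DAYS:
        raise ValueError("SRS timestamp expired")
    return "%s@%s" % (orig_local, domain)
```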
Re: SRS sendmail integration
On Thu, Mar 25, 2004 at 10:12:04PM -0500, Stuart D. Gathman wrote:
> satisfied. A working, fairly well tested (5 production machines)
> version using a Python port of SRS and m4 sendmail hack can be found at:
>
> http://bmsi.com/python/pysrs.html

Great, I'll dig into it. I'll most likely be using the Perl
implementation since I'm already using MIMEDefang and Mail::SPF::Query
and a load of other tools.

> Links to Perl and C versions of SRS as well as Marks instructions
> for manually hacking sendmail.cf are at
>
> http://spf.pobox.com/srs.html

Yeah, I was trying to avoid having to do a mc -> cf + patch. :)

> SPF provides a way to let others detect forged email claiming to be from
> you. However, only a tiny percentage of MTAs check it so far. Even so,

Yup, I'm a huge fan already! And I'm in that tiny percent, too.
However...

> (especially since I cheat and reject neutral results for aol.com).

I tried to find details on this, but I haven't had any luck on how to
turn ?all's into -all's. What're you doing?

Thanks for the m4 link!

--
Kees Cook @outflux.net
Re: SRS sendmail integration
On Thu, 25 Mar 2004, Kees Cook wrote:

> Great, I'll dig into it. I'll most likely be using the Perl
> implementation since I'm already using MIMEDefang and Mail::SPF::Query
> and a load of other tools.

I have attached the current incarnation of pysrs.m4, in which it is trivial
to change py to pl to invoke Perl. One semantic change I have made is
passing the forwarding domain to the script from cf - which I'm sure
you'll be able to modify the Perl to handle.

> > (especially since I cheat and reject neutral results for aol.com).
>
> I tried to find details on this, but I haven't had any luck on how to
> turn ?all's into -all's. What're you doing?

# Excerpt from the milter's SPF check. 'spf' is the SPF checking module and
# Milter is pymilter; 'host' is assumed to be the sender's domain and
# spf_reject_neutral the list of domains whose '?all' is treated as '-all'.
res,code,txt = spf.check(self.connectip,self.canon_from,self.hello_name)
if res in ('deny', 'fail'):
    self.log('REJECT: SPF %s %i %s' % (res,code,txt))
    # improve default explanation, but don't wipe out text from SPF record
    if txt == 'access denied':
        txt = 'SPF fail: see http://spf.pobox.com/why.html'
    self.setreply(str(code),'5.7.1',txt)
    return Milter.REJECT
# ... other cases elided
elif res == 'neutral':
    # spf_reject_neutral configured for [ 'aol.com' ] currently.
    if host in spf_reject_neutral:
        self.log('REJECT: SPF neutral for',self.sender)
        self.setreply('550','5.7.1',
            'mail from %s must pass SPF: http://spf.pobox.com/why.html' % host
        )
        return Milter.REJECT
    # Received-SPF: neutral (mybox.example.org: 192.0.2.1 is neither
    # permitted nor denied by domain of
    # myname@example.com)
    self.add_header('Received-SPF',
        """neutral (%(receiver)s: %(connectip)s is neither
permitted nor denied by domain of %(sender)s)""" % self.__dict__)
    # ...

--
Stuart D. Gathman <stuart@bmsi.com>
Business Management Systems Inc. Phone: 703 591-0911 Fax: 703 591-6154
"Very few of our customers are going to have a pure Unix
or pure Windows environment." - Dennis Oldroyd, Microsoft Corporation