Shevek | 28 Jan 10:03

libspf2 now managed on github

It's only a little bit overdue (haha, really, haha) but you can now
submit patches to libspf2 as PRs on github.

https://github.com/shevek/libspf2

I will make an endeavour to get these in as soon as possible.

S.

Wolfgang Breyha | 1 Jun 17:46

[Patch] fix unset received-spf header and return codes

Hi!

The attached patch fixes two things in libspf2 1.2.9

*) if SPF results in NONE or anything else without an SPF record,
   no received_header and comment were set

*) if DNS fails either temporarily or permanently the result was (invalid).
   It returns TEMPERROR and PERMERROR now.

Greetings, Wolfgang
-- 
Wolfgang Breyha <wbreyha <at> gmx.net> | http://www.blafasel.at/
Vienna University Computer Center | Austria

diff --git a/src/libspf2/spf_request.c b/src/libspf2/spf_request.c
index 7614141..b502fb2 100644
--- a/src/libspf2/spf_request.c
+++ b/src/libspf2/spf_request.c

jeroen | 17 Mar 10:39

SPF_dns_lookup NO_DATA


Hi,

I think I might have found a bug in the libspf2 library, please correct me
if I'm wrong. I wrote some code that uses SPF_dns_lookup to resolve an A
record. I get an answer, and the response includes the answer, but the
SPF_dns_lookup function returns NO_DATA (integer value of 4). As far as I
can see, this occurs when the response doesn't have an ADDITIONAL section.
I'll try to describe what the problem is below. In the function
SPF_dns_resolv_lookup the variable cnt is incremented per answer, but it is
reset per section (ns_sect) in the first for loop. Since I have no
ADDITIONAL section, which comes after the AUTHORITY section, cnt is reset
to 0 (zero). Outside the second for loop the following statement is placed:

spfrr->num_rr = cnt;

Then outside the first for loop the following if statement is placed.

if (spfrr->num_rr == 0)
     spfrr->herrno = NO_DATA;

I included some extra debug statements in the code, and the output looks as
follows:

spf_dns.c:54         Debug: DNS[cache] lookup: www.isc.org A (1)
spf_dns.c:54         Debug: DNS[resolv] lookup: www.isc.org A (1)
spf_dns_resolv.c:373 Debug: msg id:             20905
spf_dns_resolv.c:374 Debug: ns_f_qr quest/resp: 1
spf_dns_resolv.c:375 Debug: ns_f_opcode:        0
spf_dns_resolv.c:376 Debug: ns_f_aa auth ans:   0
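
The symptom reported in this post can be reproduced on a raw reply. The block below is an added example, not code from libspf2 or from the poster: it walks a constructed DNS reply and shows that storing a per-section count after every section yields NO_DATA even though the ANSWER section holds a record. `count_rr`, `skip_name`, `sample_reply` and `MODEL_NO_DATA` are hypothetical names, and the loop is a model built only from the description in the post.

```c
#include <stddef.h>
#define MODEL_NO_DATA 4   /* integer value quoted in the post */

/* Constructed reply for "www.isc.org A": one question, one answer, empty
 * AUTHORITY and ADDITIONAL sections; 192.0.2.1 is a documentation address. */
const unsigned char sample_reply[] = {
    0x51,0xa9, 0x81,0x80, 0,1, 0,1, 0,0, 0,0,
    3,'w','w','w', 3,'i','s','c', 3,'o','r','g', 0, 0,1, 0,1,
    0xc0,0x0c, 0,1, 0,1, 0,0,0,60, 0,4, 192,0,2,1
};

/* Step over an encoded name; a compression pointer ends it. */
static size_t skip_name(const unsigned char *m, size_t len, size_t off)
{
    while (off < len) {
        if ((m[off] & 0xc0) == 0xc0) return off + 2;
        if (m[off] == 0) return off + 1;
        off += 1 + (size_t)m[off];
    }
    return len + 1;   /* ran off the end */
}

/* last_section_wins=1 models the loop shape the post describes; 0 keeps only
 * the ANSWER count. Returns 0, MODEL_NO_DATA, or -1 if malformed. */
int count_rr(const unsigned char *m, size_t len, unsigned qtype,
             int last_section_wins, int *num_rr)
{
    size_t off = 12;
    if (len < 12) return -1;
    for (unsigned q = ((unsigned)m[4] << 8) | m[5]; q > 0; q--)
        off = skip_name(m, len, off) + 4;          /* skip QTYPE, QCLASS */
    *num_rr = 0;
    for (int sect = 0; sect < 3; sect++) {         /* ANSWER, AUTHORITY, ADDITIONAL */
        unsigned nrec = ((unsigned)m[6 + 2 * sect] << 8) | m[7 + 2 * sect];
        int cnt = 0;                               /* reset for every section */
        for (unsigned i = 0; i < nrec; i++) {
            off = skip_name(m, len, off);
            if (off + 10 > len) return -1;
            unsigned type  = ((unsigned)m[off] << 8) | m[off + 1];
            unsigned rdlen = ((unsigned)m[off + 8] << 8) | m[off + 9];
            off += 10 + rdlen;
            if (off > len) return -1;
            if (type == qtype) cnt++;
        }
        if (last_section_wins || sect == 0) *num_rr = cnt;
    }
    return *num_rr == 0 ? MODEL_NO_DATA : 0;
}

int main(void) { int n; return count_rr(sample_reply, sizeof sample_reply, 1, 0, &n); }
```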

Florian Forster | 23 Jan 15:51

[PATCH 1/2] spfquery: Fail with an appropriate error message when checking arguments.

From: Florian Forster <ff <at> octo.it>

It's very annoying to be shown the "usage" output and not know *why*.

This patch prints an explanation to STDERR before the usage information,
so it's easier for users to recognize typos and misconceptions.
---
 src/spfquery/spfquery.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/spfquery/spfquery.c b/src/spfquery/spfquery.c
index c4dc5bb..1904c8a 100644
--- a/src/spfquery/spfquery.c
+++ b/src/spfquery/spfquery.c
@@ -547,8 +547,13 @@ int main( int argc, char *argv[] )
 	else {
 		fin = NULL;

-		if ((req->ip == NULL) ||
-			(req->sender == NULL && req->helo == NULL) ) {
+		if (req->ip == NULL) {
+			fprintf( stderr, "The required \"-ip\" option is missing.\n" );
+			usage();
+			FAIL_ERROR;
+		}
+		else if (req->sender == NULL && req->helo == NULL) {
+			fprintf( stderr, "Either the \"-sender\" or \"-helo\" option is required.\n" );
 			usage();
 			FAIL_ERROR;
 		}
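Review bot: In the new `if (req->ip == NULL)` / `else if (req->sender == NULL && req->helo == NULL)` chain, a command line that is missing both the IP and the identity only reports the "-ip" problem, so the user fixes one option, reruns, and then meets the second message. Consider testing the two conditions independently, printing each applicable message to stderr, and then calling usage() and FAIL_ERROR once; that also removes the duplicated usage()/FAIL_ERROR pair.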

Florian Forster | 23 Jan 15:47

[PATCH] libspf2/spf_request.c: Fix handling of email addresses in query_rcptto().

From: Florian Forster <ff <at> octo.it>

The function SPF_request_query_rcptto() checks whether the "rcpt_to"
string argument contains the "@" character. If so, everything before the
at-sign is stripped. However, the at-sign itself is left in front of the
string, so that the generated SPF record reads:

    v=spf1 mx:@example.com

The actual checking code then tries to resolve "@example.com" rather than
"example.com", fails and returns "neutral" even when it should return
"pass".

This patch adds the missing `rcpt_to_dom++` so the at-sign is stripped,
too.
---
 src/libspf2/spf_request.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/src/libspf2/spf_request.c b/src/libspf2/spf_request.c
index 7614141..b502fb2 100644
--- a/src/libspf2/spf_request.c
+++ b/src/libspf2/spf_request.c
@@ -363,6 +363,8 @@ SPF_request_query_rcptto(SPF_request_t *spf_request,
 	rcpt_to_dom = strchr(rcpt_to, '@');
 	if (rcpt_to_dom == NULL)
 		rcpt_to_dom = rcpt_to;
+	else
+		rcpt_to_dom++;
 	spf_request->cur_dom = rcpt_to_dom;
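Review bot: After the added `rcpt_to_dom++`, an rcpt_to that ends in '@' leaves rcpt_to_dom pointing at an empty string, which is then stored in cur_dom with no check in the lines shown; handle an empty domain before the assignment. Separately, strchr() selects the first '@', so an address whose quoted local part contains an at-sign would yield the wrong domain; strrchr() would take the last one.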

William Ahern | 17 Apr 21:50

Grammar Requires Backtracking

Is anyone else bothered by the fact that the grammar requires backtracking?
Specifically, because a domain-spec can include forward slashes, and because
some of the terms allow cidr masks after a domain-spec, you have to support
backtracking.

Frankly I'm not sure I want to bother supporting this. I use Ragel to parse
the policies, which is a pure regular language parser generator. I could use
Ragel's scanner feature, or just hack the support, but as a general rule I
don't like backtracking grammars for untrusted input.

Perhaps it would have been wise to have included a %-encoded forward-slash,
as was done for spaces.

Anybody open to such an amendment?

My asynchronous spf.c library passes 90% of the 2009.10 OpenSPF test suite
(I can't yet simulate timeouts to pass the TempError tests). Many, many
thanks to those who put in the time and effort to write those test
specifications.

I gratuitously wrote an RFC 1035 master file parser and composer in C (w/
Ragel), and am of course parsing the YAML tests from C (w/ libyaml). So if
anybody was waiting for the ability to generate zone files from the test
suite, it's all but done--rfc4408-tests.c in my regress/ directory already
spits out the zone files, the code would just need to be tweaked to output
them in a more useful manner than as part of the debug output for failed
tests.
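
One way to separate the CIDR suffix from a domain-spec that itself contains forward slashes is a single scan from the end of the term, which needs no backtracking. This is an added example, not code from spf.c or libspf2; `split_cidr`, `take_suffix` and `struct cidr_split` are hypothetical names. It assumes RFC 4408's domain-end rule, under which a valid domain-spec cannot end in "/" followed only by digits, and leaves range checks on the prefix lengths to the caller.

```c
#include <ctype.h>
#include <string.h>

/* Hypothetical result: length of the domain-spec part and the two prefix
 * lengths, -1 when absent. */
struct cidr_split { size_t dom_len; int cidr4; int cidr6; };

/* Scanning right to left from *end, consume "/" 1*DIGIT (at most 3 digits).
 * Returns the number and moves *end to the "/", or returns -1. */
static int take_suffix(const char *s, size_t *end)
{
    size_t i = *end;
    int val = 0, mul = 1, digits = 0;
    while (i > 0 && digits < 3 && isdigit((unsigned char)s[i - 1])) {
        val += (s[i - 1] - '0') * mul;
        mul *= 10; i--; digits++;
    }
    if (digits == 0 || i == 0 || s[i - 1] != '/') return -1;
    *end = i - 1;
    return val;
}

/* Split "domain-spec [/ip4-len] [//ip6-len]" in one pass from the end.
 * The caller still validates the remaining domain-spec and the ranges. */
struct cidr_split split_cidr(const char *term)
{
    struct cidr_split r = { strlen(term), -1, -1 };
    size_t end = r.dom_len;
    int v = take_suffix(term, &end);
    if (v < 0) return r;                      /* no CIDR suffix */
    if (end > 0 && term[end - 1] == '/') {    /* "//n" is the ip6 length */
        size_t e4 = end - 1;                  /* drop the second slash */
        int v4 = take_suffix(term, &e4);      /* optional "/n" before it */
        r.cidr6 = v;
        end = e4;
        if (v4 >= 0) r.cidr4 = v4;
    } else {
        r.cidr4 = v;
    }
    r.dom_len = end;
    return r;
}

int main(void) { return split_cidr("example.com/24//64").cidr4 == 24 ? 0 : 1; }
```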

Benoit Branciard | 18 Feb 20:15

libspf2: "ip6" mechanism not working ?

Hello,

If I publish a SPF record like this:

testspf.univ-paris1.fr descriptive text "v=spf1 ip6:2001:660:3305::71
ip4:193.55.96.71 -all"

then execute some queries on it using libspf2 (through the spfquery
command):

spfquery -i 193.55.96.71 -s testspf.univ-paris1.fr
-> pass

spfquery -i 2001:660:3305::71 -s testspf.univ-paris1.fr
-> fail

I would have expected both queries to return "pass".

Tested libspf2/spfquery versions are: 1.2.5 and 1.2.9, with same faulty
results.
Testing environment is on Debian Lenny, libspf2 are from Debian packages
   (Lenny and Sid).

I arrived at the conclusion of a libspf2 bug after seeing a
libspf2-linked mail filter (milter-greylist) not behave as expected on
incoming SPF-enabled IPv6 SMTP connexions. After thoroughly examining
the faulty SPF record, I concluded the SPF test should have passed,
whereas it failed. Then I did some manual queries using spfquery on the
same SPF record with same results. I then created the above simple test
SPF record which obviously illustrates the bug.

Scott Kitterman | 7 Jan 19:53

Home location for postfix-policyd-spf-perl (Postfix SPF Policy Server) also moved

The project is now hosted on:

https://launchpad.net/postfix-policyd-spf-perl/

In addition to the release tarballs and the code (now in bzr instead of svn) 
there is also the ability to file bugs.

I should also mention that for both this and
https://launchpad.net/pypolicyd-spf/ the latest release is now signed with
my GPG key.

I did a bugfix release of pypolicyd-spf yesterday that restores its ability to 
run on Python 2.4.  Unless you need that, there is no particular reason to 
upgrade.

The new site has atom feeds for project announcements and so I'll probably 
just announce minor updates in those feeds from now on (so subscribe if you 
care):

http://feeds.launchpad.net/pypolicyd-spf/announcements.atom
http://feeds.launchpad.net/postfix-policyd-spf-perlf/announcements.atom

Major releases I will still announce on the SPF mailing lists.

spf-help is still the best place to ask for support.

Scott K

Scott Kitterman | 6 Jan 19:02

Home location for pypolicyd-spf (Postfix SPF Policy Server) moved

The project is now hosted on:

https://launchpad.net/pypolicyd-spf/

In addition to the release tarballs and the code (now in bzr instead of svn) 
there is also the ability to file bugs.

Scott K

William Ahern | 3 Nov 00:07

Bind Zone Data

Is there a DNS server up somewhere that can provide answers according to the
regression suite zone data? (Perhaps this isn't feasible because of the way
the test suite reuses example.com sub-domains; I haven't looked closely
enough.)

Short of that, does anybody have any scripts to generate BIND zone files
from the test suite?

I just got an asynchronous SPF resolver in passably working order, and want
to use the test suite to round out the corners, but bootstrapping an
environment according to the test suite is going to be almost as much work!

My resolver can be found here:

	http://www.25thandclement.com/~william/projects/dns.c.html

(Use Git; the utility/regression code in the tarball was fixed over the
weekend.)

Erik de Castro Lopo | 20 Oct 05:54

pypolicyd-spf crashing with IndexError exception

Hi,

I raised the following bug in the Ubuntu bug tracker:

    https://bugs.launchpad.net/ubuntu/+source/pypolicyd-spf/+bug/455991

The problem is code like:

    sender_domain = string.split(sender, '@', 1)
    if spf.domainmatch(reject_domain_list, sender_domain[1]):

If sender has no '@' character, sender_domain ends up as a single
element list and trying to index it by [1] results in an IndexError
exception.

A robust solution to this (available for python >= 2.5) is:

    sender_domain = sender.partition ('@')[2]
    if spf.domainmatch(reject_domain_list, sender_domain):

The partition method applied to the sender string is guaranteed to return
a 3 element tuple of which the [2] indexing grabs the last element.

Cheers,
Erik
-- 
----------------------------------------------------------------------
Erik de Castro Lopo
http://www.mega-nerd.com/
