Re: MSA SPF Policy Checks

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Scott Kitterman wrote:
> It ocurred to me that it might be useful for an MSA to check and see if
> a message that is being submitted to it for transmission would pass an
> SPF check using the MSA's local IP address.  I'm trying this in Postfix
> 2.1.

That's called "outbound SPF checking".  I've implemented it in Courier::
Filter::Module::SPFout[1], if you're interested (it's not all that
interesting, though, as it is a pretty basic principle as you described).

> I have the latest Mail:SPF:Query and postfix-SPF-policyd from Debian
> Testing installed and running.  I need to modify postfix-SPF-policyd to
> use the local IP address rather than the client IP address.
>
> So, what I need to do is insert one line of code here:
>
> sub sender_permitted_from {
>   local %_ = @_;
>   my %attr = %{ $_{attr} };
>
> .................................
>
>   my $query = eval { new Mail::SPF::Query (ip    =>$attr{client_address},
>                                            sender=>$attr{sender},
>                                            helo  =>$attr{helo_name}) };
>
> That line of code needs to change $attr{client_address} to the local IP
> address.  This would be a manual entry (or if there's an easy way to get
> the local IP address automagically be gotten that's fine too).

In C:F:M:SPFout, I'm using the Net::Address::IPv4::Local Perl module[2] to
discover the local IP address.  If you want to reimplement that yourself,
the trick is to create a UDP/DGRAM socket to some stable public IP address
(I used that of a.root-servers.net, but you could use that of the target
MX, too).  There is no need to actually connect the socket.  The socket
creationg causes the OS to do a routing table lookup.  Then you can get the
local IP address of yours of the network interface selected by the OS.

> I assume that for anyone versed in PERL, this is trivial.  I'm not at
> all, so I was wondering if someone here could tell me what needs to be
> changed.

I'm not sure if what I wrote above answers your question.

> On a related note, I've started working on re-implementing postfix-SPF-
> policyd in Python.

Doesn't Stuart's Python Milter[3] support SPF already?

In any case, there seems to be a multitude of SPF milters[4].  Perhaps we
should try to consolidate them or at least find out which ones are the best
and drop the others from the implementations list.

Julian.

References:
 1. 
http://search.cpan.org/dist/Courier-Filter/lib/Courier/Filter/Module/SPFout.pm
 2. 
http://search.cpan.org/dist/Net-Address-IPv4-Local/lib/Net/Address/IPv4/Local.pm
 3. http://www.bmsi.com/python/milter.html
 4. http://new.openspf.org/Implementations

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFEaNlkwL7PKlBZWjsRAm6CAKCQy0D0X9UoqIYjxfMCFA7udOLjqACdEcIU
yQ9j8I46lsAFQDgJWBJwtWI=
=BqRq
-----END PGP SIGNATURE-----

-------
To unsubscribe, change your address, or temporarily deactivate your 
subscription, 
please go to http://v2.listbox.com/member/?listname=spf-devel@xxxxxxxxxxxxxx