Subject: Re: MSA SPF Policy Checks - msg#00019

Previous Message by Date: click to view message preview

Re: MSA SPF Policy Checks

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Scott Kitterman wrote: > It ocurred to me that it might be useful for an MSA to check and see if > a message that is being submitted to it for transmission would pass an > SPF check using the MSA's local IP address. I'm trying this in Postfix > 2.1. That's called "outbound SPF checking". I've implemented it in Courier:: Filter::Module::SPFout[1], if you're interested (it's not all that interesting, though, as it is a pretty basic principle as you described). > I have the latest Mail:SPF:Query and postfix-SPF-policyd from Debian > Testing installed and running. I need to modify postfix-SPF-policyd to > use the local IP address rather than the client IP address. > > So, what I need to do is insert one line of code here: > > sub sender_permitted_from { >  local %_ = @_; >  my %attr = %{ $_{attr} }; > > ................................. > >  my $query = eval { new Mail::SPF::Query (ip  Â=>$attr{client_address}, >  sender=>$attr{sender}, >  helo =>$attr{helo_name}) }; > > That line of code needs to change $attr{client_address} to the local IP > address. ÂThis would be a manual entry (or if there's an easy way to get > the local IP address automagically be gotten that's fine too). In C:F:M:SPFout, I'm using the Net::Address::IPv4::Local Perl module[2] to discover the local IP address. If you want to reimplement that yourself, the trick is to create a UDP/DGRAM socket to some stable public IP address (I used that of a.root-servers.net, but you could use that of the target MX, too). There is no need to actually connect the socket. The socket creationg causes the OS to do a routing table lookup. Then you can get the local IP address of yours of the network interface selected by the OS. > I assume that for anyone versed in PERL, this is trivial. ÂI'm not at > all, so I was wondering if someone here could tell me what needs to be > changed. I'm not sure if what I wrote above answers your question. > On a related note, I've started working on re-implementing postfix-SPF- > policyd in Python. Doesn't Stuart's Python Milter[3] support SPF already? In any case, there seems to be a multitude of SPF milters[4]. Perhaps we should try to consolidate them or at least find out which ones are the best and drop the others from the implementations list. Julian. References: 1. http://search.cpan.org/dist/Courier-Filter/lib/Courier/Filter/Module/SPFout.pm 2. http://search.cpan.org/dist/Net-Address-IPv4-Local/lib/Net/Address/IPv4/Local.pm 3. http://www.bmsi.com/python/milter.html 4. http://new.openspf.org/Implementations -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFEaNlkwL7PKlBZWjsRAm6CAKCQy0D0X9UoqIYjxfMCFA7udOLjqACdEcIU yQ9j8I46lsAFQDgJWBJwtWI= =BqRq -----END PGP SIGNATURE----- ------- To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?listname=spf-devel@xxxxxxxxxxxxxx

Next Message by Date: click to view message preview

Re: Re: MSA SPF Policy Checks

On 05/15/2006 15:41, Julian Mehnle wrote: > Doesn't Stuart's Python Milter[3] support SPF already? > > In any case, there seems to be a multitude of SPF milters[4]. Perhaps we > should try to consolidate them or at least find out which ones are the best > and drop the others from the implementations list. > It does, but Postfix does not currently support the milter API. This is being implemented as part of the Postfix 2.3 development effort. The current (Postfix 2.1/2.2) policy interface is much simpler. Meng's policyd works exactly correctly for those Postfix versions. The Python re-implementation is just because of my inability/unwillingness to deal with PERL. There are other Python implementations out there, such as tumgreyspf: http://www.tummy.com/Community/software/tumgreyspf/ but they are more complex than what I need. Scott K ------- To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?listname=spf-devel@xxxxxxxxxxxxxx

Previous Message by Thread: click to view message preview

Re: MSA SPF Policy Checks

spf2@xxxxxxxxxxxxx wrote: > It ocurred to me that it might be useful for an MSA to check and see if a > message that is being submitted to it for transmission would pass an SPF > check using the MSA's local IP address. I'm trying this in Postfix 2.1. I think you're much better off checking out 'smtpd_sender_login_maps' and 'reject_sender_login_mismatch'. When properly setup, this will also prevent cross-user forgeries and in general prevent relaying of messages with non-approved sender addresses. Regards, Arjen ------- To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?listname=spf-devel@xxxxxxxxxxxxxx

Next Message by Thread: click to view message preview

Re: MSA SPF Policy Checks

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Scott Kitterman wrote: > It ocurred to me that it might be useful for an MSA to check and see if > a message that is being submitted to it for transmission would pass an > SPF check using the MSA's local IP address. I'm trying this in Postfix > 2.1. That's called "outbound SPF checking". I've implemented it in Courier:: Filter::Module::SPFout[1], if you're interested (it's not all that interesting, though, as it is a pretty basic principle as you described). > I have the latest Mail:SPF:Query and postfix-SPF-policyd from Debian > Testing installed and running. I need to modify postfix-SPF-policyd to > use the local IP address rather than the client IP address. > > So, what I need to do is insert one line of code here: > > sub sender_permitted_from { >  local %_ = @_; >  my %attr = %{ $_{attr} }; > > ................................. > >  my $query = eval { new Mail::SPF::Query (ip  Â=>$attr{client_address}, >  sender=>$attr{sender}, >  helo =>$attr{helo_name}) }; > > That line of code needs to change $attr{client_address} to the local IP > address. ÂThis would be a manual entry (or if there's an easy way to get > the local IP address automagically be gotten that's fine too). In C:F:M:SPFout, I'm using the Net::Address::IPv4::Local Perl module[2] to discover the local IP address. If you want to reimplement that yourself, the trick is to create a UDP/DGRAM socket to some stable public IP address (I used that of a.root-servers.net, but you could use that of the target MX, too). There is no need to actually connect the socket. The socket creationg causes the OS to do a routing table lookup. Then you can get the local IP address of yours of the network interface selected by the OS. > I assume that for anyone versed in PERL, this is trivial. ÂI'm not at > all, so I was wondering if someone here could tell me what needs to be > changed. I'm not sure if what I wrote above answers your question. > On a related note, I've started working on re-implementing postfix-SPF- > policyd in Python. Doesn't Stuart's Python Milter[3] support SPF already? In any case, there seems to be a multitude of SPF milters[4]. Perhaps we should try to consolidate them or at least find out which ones are the best and drop the others from the implementations list. Julian. References: 1. http://search.cpan.org/dist/Courier-Filter/lib/Courier/Filter/Module/SPFout.pm 2. http://search.cpan.org/dist/Net-Address-IPv4-Local/lib/Net/Address/IPv4/Local.pm 3. http://www.bmsi.com/python/milter.html 4. http://new.openspf.org/Implementations -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux) iD8DBQFEaNlkwL7PKlBZWjsRAm6CAKCQy0D0X9UoqIYjxfMCFA7udOLjqACdEcIU yQ9j8I46lsAFQDgJWBJwtWI= =BqRq -----END PGP SIGNATURE----- ------- To unsubscribe, change your address, or temporarily deactivate your subscription, please go to http://v2.listbox.com/member/?listname=spf-devel@xxxxxxxxxxxxxx