Subject: Re: MSA SPF Policy Checks - msg#00019
List: mail.spam.spf.devel
On 05/15/2006 14:41, Arjen de Korte wrote:
> spf2@xxxxxxxxxxxxx wrote:
> > It occurred to me that it might be useful for an MSA to check and see if a
> > message that is being submitted to it for transmission would pass an SPF
> > check using the MSA's local IP address. I'm trying this in Postfix 2.1.
>
> I think you're much better off checking out 'smtpd_sender_login_maps'
> and 'reject_sender_login_mismatch'. When properly set up, this will also
> prevent cross-user forgeries and in general prevent relaying of messages
> with non-approved sender addresses.
>
That is my intent when using SMTP Auth. The MSA box in question isn't set up
for it and I'm not in a position to change it right now.
The client IPs in question are authorized via permit_mynetworks.
Scott K
-------
To unsubscribe, change your address, or temporarily deactivate your
subscription,
please go to http://v2.listbox.com/member/?listname=spf-devel@xxxxxxxxxxxxxx
Thread at a glance:
Previous Message by Date:
Re: MSA SPF Policy Checks
Scott Kitterman wrote:
> It occurred to me that it might be useful for an MSA to check and see if
> a message that is being submitted to it for transmission would pass an
> SPF check using the MSA's local IP address. I'm trying this in Postfix
> 2.1.
That's called "outbound SPF checking". I've implemented it in
Courier::Filter::Module::SPFout[1], if you're interested (it's not all that
interesting, though, as it is a pretty basic principle as you described).
> I have the latest Mail:SPF:Query and postfix-SPF-policyd from Debian
> Testing installed and running. I need to modify postfix-SPF-policyd to
> use the local IP address rather than the client IP address.
>
> So, what I need to do is insert one line of code here:
>
> sub sender_permitted_from {
>   local %_ = @_;
>   my %attr = %{ $_{attr} };
>
> .................................
>
>   my $query = eval { new Mail::SPF::Query (ip    =>$attr{client_address},
>                                            sender=>$attr{sender},
>                                            helo  =>$attr{helo_name}) };
>
> That line of code needs to change $attr{client_address} to the local IP
> address. This would be a manual entry (or if there's an easy way to get
> the local IP address automagically, that's fine too).
In C:F:M:SPFout, I'm using the Net::Address::IPv4::Local Perl module[2] to
discover the local IP address. If you want to reimplement that yourself,
the trick is to create a UDP/DGRAM socket to some stable public IP address
(I used that of a.root-servers.net, but you could use that of the target
MX, too). There is no need to actually connect the socket. The socket
creation causes the OS to do a routing table lookup. Then you can get the
local IP address of yours of the network interface selected by the OS.
> I assume that for anyone versed in PERL, this is trivial. I'm not at
> all, so I was wondering if someone here could tell me what needs to be
> changed.
I'm not sure if what I wrote above answers your question.
> On a related note, I've started working on re-implementing postfix-SPF-
> policyd in Python.
Doesn't Stuart's Python Milter[3] support SPF already?
In any case, there seems to be a multitude of SPF milters[4]. Perhaps we
should try to consolidate them or at least find out which ones are the best
and drop the others from the implementations list.
Julian.
References:
1.
http://search.cpan.org/dist/Courier-Filter/lib/Courier/Filter/Module/SPFout.pm
2.
http://search.cpan.org/dist/Net-Address-IPv4-Local/lib/Net/Address/IPv4/Local.pm
3. http://www.bmsi.com/python/milter.html
4. http://new.openspf.org/Implementations
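
The outbound check discussed in this message, sketched in Python as an added example (not code from postfix-SPF-policyd or Courier::Filter): it parses a Postfix policy-delegation request, finds the local source address with a connected UDP socket, and evaluates the sender against that address instead of client_address. `toy_spf_check`, `SAMPLE_POLICY` and `SAMPLE_REQUEST` are constructed stand-ins; a real policy daemon would pass in a full SPF library's check function.

```python
import ipaddress
import socket

def local_source_ip(target="198.41.0.4", port=53):
    """Address the kernel would send from to reach target (default: a.root-servers.net).
    connect() on a UDP socket only triggers the route lookup; no packet is sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((target, port))
        return s.getsockname()[0]

def parse_policy_request(text):
    """Postfix policy delegation: name=value lines, terminated by an empty line."""
    attr = {}
    for line in text.splitlines():
        if not line:
            break
        name, _, value = line.partition("=")
        attr[name] = value
    return attr

# Constructed stand-in for DNS: domain -> networks its SPF record allows, then "-all".
SAMPLE_POLICY = {"example.org": ["192.0.2.0/24"]}

def toy_spf_check(ip, sender, helo):
    """Hypothetical minimal checker; swap in a real SPF library's check here."""
    nets = SAMPLE_POLICY.get(sender.rpartition("@")[2].lower())
    if nets is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    return "pass" if any(addr in ipaddress.ip_network(n) for n in nets) else "fail"

def outbound_spf_action(attr, outbound_ip, spf_check=toy_spf_check):
    """Evaluate SPF against the MSA's own address, ignoring attr['client_address']."""
    sender = attr.get("sender", "")
    if not sender:  # null sender (bounce): nothing to check
        return "action=dunno"
    if spf_check(outbound_ip, sender, attr.get("helo_name", "")) == "fail":
        return f"action=550 {sender} does not authorize {outbound_ip} in its SPF record"
    return "action=dunno"

# Constructed request, as smtpd would send it to the policy service.
SAMPLE_REQUEST = ("request=smtpd_access_policy\nclient_address=10.0.0.25\n"
                  "helo_name=desktop.example.org\nsender=alice@example.org\n\n")

if __name__ == "__main__":
    attr = parse_policy_request(SAMPLE_REQUEST)
    for ip in ("192.0.2.10", "203.0.113.5"):  # constructed outbound addresses
        print(ip, "->", outbound_spf_action(attr, ip))
```

In a running daemon the `outbound_ip` argument would come from `local_source_ip()`, resolved once at startup or per request against the target MX.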
Next Message by Date:
Re: Re: MSA SPF Policy Checks
On 05/15/2006 15:41, Julian Mehnle wrote:
> Doesn't Stuart's Python Milter[3] support SPF already?
>
> In any case, there seems to be a multitude of SPF milters[4]. Perhaps we
> should try to consolidate them or at least find out which ones are the best
> and drop the others from the implementations list.
>
It does, but Postfix does not currently support the milter API. This is being
implemented as part of the Postfix 2.3 development effort.
The current (Postfix 2.1/2.2) policy interface is much simpler. Meng's
policyd works exactly correctly for those Postfix versions. The Python
re-implementation is just because of my inability/unwillingness to deal with
PERL.
There are other Python implementations out there, such as tumgreyspf:
http://www.tummy.com/Community/software/tumgreyspf/
but they are more complex than what I need.
Scott K
Previous Message by Thread:
Re: MSA SPF Policy Checks
spf2@xxxxxxxxxxxxx wrote:
> It occurred to me that it might be useful for an MSA to check and see if a
> message that is being submitted to it for transmission would pass an SPF
> check using the MSA's local IP address. I'm trying this in Postfix 2.1.
I think you're much better off checking out 'smtpd_sender_login_maps'
and 'reject_sender_login_mismatch'. When properly set up, this will also
prevent cross-user forgeries and in general prevent relaying of messages
with non-approved sender addresses.
Regards, Arjen