From: Dick St.P. <stpeters@NetHeaven.com> - 2005-08-04 22:02:45
Some time ago I said I would post a patch for building sid-filter as a utility for manual SPF checking, and I've finally done that. This patch is available at

    ftp://ftp.netheaven.com/pub/sid-milter/nh-utility-0.2.9.patch

With this patch applied, sid-filter is unchanged unless NH_UTILITY is defined for the build, e.g. with this line in site.config.m4:

    APPENDDEF(`confENVDEF', `-DNH_UTILITY')

With that defined, sid-filter is built as a utility rather than a milter. After building, I rename it to "sid-check". Usage is

    sid-check ip-address mfrom-address [pra-address]

If no pra-address is specified, the mfrom-address is used for both the SPF and PRA checks.

The checks are done by running the exact same code (except for optional prints) as sid-filter, so it's handy for seeing what sid-filter would do, especially in verbose (-v) mode.

As a trivial example, sendmail.net's SPF is

    "v=spf1 mx ip4:209.246.26.40 ~all"

so mail from 209.246.26.40 should pass, and it does:

    # sid-check 209.246.26.40 jo...@se...
    sid-check for sid-milter version 0.2.9
    spf=Pass
    pra=Pass

Verbose mode is more interesting:

    # sid-check -v 209.246.26.40 jo...@se...
    sid-check for sid-milter version 0.2.9
    Using asynchronous resolver ...
    sm_marid_check_host_frame: ip=<209.246.26.40>, domain=<sendmail.net>, sender=<jo...@se...> depth=[-1]
    Trying: <v=spf1 mx ip4:209.246.26.40 ~all>
    Trying: <209.246.26.21>
    spf=Pass
    sm_marid_check_host_frame: ip=<209.246.26.40>, domain=<sendmail.net>, sender=<jo...@se...> depth=[-1]
    Trying: <v=spf1 mx ip4:209.246.26.40 ~all>
    Trying: <209.246.26.21>
    pra=Pass

As a much more complex example, v2.listbox.com has SPF record

    "v=spf1 redirect=listbox.com"

and listbox.com's record is

    "v=spf1 mx a:dream.listbox.com a:emerald.pobox.com mx:fallback-relay.pobox.com ptr redirect=%{l1r+}._at_.%{o2}._spf.pobox.com"

Picking an IP that's sure to fail and trimming the redundant PRA check:

    # sid-check -v 192.168.0.1 jo...@v2...
    sid-check for sid-milter version 0.2.9
    Using asynchronous resolver ...
    sm_marid_check_host_frame: ip=<192.168.0.1>, domain=<v2.listbox.com>, sender=<jo...@v2...> depth=[-1]
    Trying: <v=spf1 redirect=listbox.com>
    sm_marid_check_host_frame: ip=<192.168.0.1>, domain=<listbox.com>, sender=<jo...@v2...> depth=[0]
    Trying: <v=spf1 mx a:dream.listbox.com a:emerald.pobox.com mx:fallback-relay.pobox.com ptr redirect=%{l1r+}._at_.%{o2}._spf.pobox.com>
    Trying: <208.210.124.79>
    Trying: <208.58.1.195>
    Trying: <207.8.214.5>
    Trying: <207.8.214.6>
    Trying: <207.8.226.12>
    Trying: <208.58.1.197>
    sm_marid_check_host_frame: ip=<192.168.0.1>, domain=<joe._at_.listbox.com._spf.pobox.com>, sender=<jo...@v2...> depth=[1]
    Trying: <v=spf1 ~all>
    spf=SoftFail

Note the expansion to "joe._at_.listbox.com._spf.pobox.com". You won't get that without the "NH_BACKFIX" fix from my patch for 0.2.8. Instead, you'll get this:

    # sid-check-nobackfix -v 192.168.0.1 jo...@v2...
    sid-check for sid-milter version 0.2.9
    Using asynchronous resolver ...
    sm_marid_check_host_frame: ip=<192.168.0.1>, domain=<v2.listbox.com>, sender=<jo...@v2...> depth=[-1]
    Trying: <v=spf1 redirect=listbox.com>
    sm_marid_check_host_frame: ip=<192.168.0.1>, domain=<listbox.com>, sender=<jo...@v2...> depth=[0]
    Trying: <v=spf1 mx a:dream.listbox.com a:emerald.pobox.com mx:fallback-relay.pobox.com ptr redirect=%{l1r+}._at_.%{o2}._spf.pobox.com>
    Trying: <207.8.214.5>
    Trying: <208.210.124.79>
    Trying: <208.58.1.195>
    Trying: <207.8.214.6>
    Trying: <207.8.226.12>
    Trying: <208.58.1.197>
    sm_marid_check_host_frame: ip=<192.168.0.1>, domain=<joe._at_..com._spf.pobox.com>, sender=<jo...@v2...> depth=[1]
    spf=Fail (MalformedDomain)

The "joe._at_..com._spf.pobox.com" comes from a bug in backwards parsing during expansion of %{o2}.

I will be posting an updated patch for 0.2.9 (or later), but first I need help from someone who builds the sid-check utility for something other than a Linux box. I need the output of

    sid-check -v 198.69.28.162 jo...@sp...

--
Dick St.Peters, stpeters@NetHeaven.com
Gatekeeper, NetHeaven, Saratoga Springs, NY
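
The %{l1r+} and %{o2} expansion traced in the message above, worked through as an added example that is not part of the original post and is not sid-milter's code. It follows the macro rules of RFC 7208 section 7 for the letters s, l, o, d and i only; the names `expand` and `well_formed` are hypothetical, and the sender joe@v2.listbox.com is constructed to match the expansion the message shows.

```python
import re
from urllib.parse import quote

# RFC 7208 section 7: %{letter [digits] [r] [delimiters]} plus %%, %_ and %-
MACRO = re.compile(r"%(?:\{([A-Za-z])(\d*)(r?)([.\-+,/_=]*)\}|([%_-]))")

def expand(spec, sender, domain, ip):
    """Expand SPF macros in spec (letters s, l, o, d, i only)."""
    local, _, sender_domain = sender.rpartition("@")
    values = {"s": sender, "l": local or "postmaster", "o": sender_domain,
              "d": domain, "i": ip}

    def one(m):
        letter, digits, rev, delims, literal = m.groups()
        if literal:  # %% is a literal %, %_ a space, %- a URL-encoded space
            return {"%": "%", "_": " ", "-": "%20"}[literal]
        if letter.lower() not in values:
            raise ValueError("macro letter not handled here: " + letter)
        # Split on the listed delimiters (default "."), optionally reverse,
        # keep the rightmost N parts, and always rejoin with ".".
        parts = re.split("[" + re.escape(delims or ".") + "]", values[letter.lower()])
        if rev:
            parts.reverse()
        if digits:
            if int(digits) == 0:
                raise ValueError("digit transformer must be non-zero")
            parts = parts[-int(digits):]
        out = ".".join(parts)
        # An uppercase macro letter requests URL-encoding of the result.
        return quote(out, safe="") if letter.isupper() else out

    return MACRO.sub(one, spec)

def well_formed(name):
    """True if every DNS label is non-empty and at most 63 octets."""
    if name.endswith("."):
        name = name[:-1]
    return all(0 < len(label) <= 63 for label in name.split("."))

if __name__ == "__main__":
    # Constructed sender, chosen to match the expansion shown in the message.
    target = expand("%{l1r+}._at_.%{o2}._spf.pobox.com",
                    "joe@v2.listbox.com", "listbox.com", "192.168.0.1")
    print(target, well_formed(target))
    print(well_formed("joe._at_..com._spf.pobox.com"))  # string from the message
```

A label check like `well_formed` on the expanded redirect target is what separates the two runs in the message: the correct expansion proceeds to a further lookup, while the name with an empty label has to be rejected before any DNS query is made.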