From: <fre...@va...> - 2005-12-12 10:45:54

Hi,

I've upgraded to sid-milter version v0.2.10. Then I looked at the logfiles and saw an interesting thing. A mail got PermError on both SPF and Sender-ID tests, and it was not rejected or temporarily failed. (I saw an old FRE 1144119 that was about rejecting permerrors according to the SPF draft that was closed.)

To me it looks like the SPF policy says that this should be tempfailed, but instead sid-milter gives permerror on both tests and lets the message through. Is this really how it should react?

(btw. I use -r 5, but as I understand from the sid-filter manpage it should only let messages through if there is a "pass" in either test)

I ran sid-check on the mentioned mail (I couldn't build sid-filter with -DDEBUG on Solaris)

# /usr/bin/sid-check -v 195.198.244.186 Stefan.Forsberg@Studsvik.se
sid-check for sid-milter version 0.2.9
Using asynchronous resolver ...
sm_marid_check_host_frame: ip=<195.198.244.186>, domain=<Studsvik.se>, sender=<Stefan.Forsberg@Studsvik.se> depth=[-1]
Trying: <v=spf1 mx ptr include:mail2.web-solutions.dk ~all>
Trying: <213.150.40.150>
Trying: <194.192.15.177>
Trying: <81.7.168.81>
Trying: <studsvikpartner-112300.k.se.telia.net>
sm_marid_check_host_frame: ip=<195.198.244.186>, domain=<mail2.web-solutions.dk>, sender=<Stefan.Forsberg@Studsvik.se> depth=[0]
spf=PermError
sm_marid_check_host_frame: ip=<195.198.244.186>, domain=<Studsvik.se>, sender=<Stefan.Forsberg@Studsvik.se> depth=[-1]
Trying: <v=spf1 mx ptr include:mail2.web-solutions.dk ~all>
Trying: <194.192.15.177>
Trying: <213.150.40.150>
Trying: <81.7.168.81>
Trying: <studsvikpartner-112300.k.se.telia.net>
sm_marid_check_host_frame: ip=<195.198.244.186>, domain=<mail2.web-solutions.dk>, sender=<Stefan.Forsberg@Studsvik.se> depth=[0]
pra=PermError

From: Dick St.P. <stpeters@NetHeaven.com> - 2005-12-22 22:05:42

fre...@va... writes:
> I've upgraded to sid-milter version v0.2.10. Then I looked at the logfiles and saw an interesting thing. A mail got PermError on both SPF and Sender-ID tests, and it was not rejected or temporarily failed. (I saw an old FRE 1144119 that was about rejecting permerrors according to the SPF draft that was closed.)
>
> To me it looks like the SPF policy says that this should be tempfailed, but instead sid-milter gives permerror on both tests and lets the message through. Is this really how it should react?
>
> (btw. I use -r 5, but as I understand from the sid-filter manpage it should only let messages through if there is a "pass" in either test)

The milter return value issue is more complex than just six -r values can cover. sid-filter has two tests (spf and pra) each of which can return six values (pass, fail, softfail, neutral, temperror and permerror), and it boils all this down to a single accept/reject.

"-r 1" and "-r 2" treat the six values as fail/!fail, which looks boolean except !fail has five values, not just one. "-r 3" and "-r 4" treat the six values as pass/!pass, where !pass has five values.

"-r 5" essentially treats the six values as pass/fail/no-decision. This still lumps softfail, neutral, temperror and permerror together, making no distinction among them. "-r 5" also says the two no-decisions case maps to an accept, so in mapping two permerrors to accept, sid-milter is doing what "-r 5" tells it to do. ("r" values of 0, 1, and 2 would also accept, and values 3 and 4 would reject.)

Currently, sid-milter returns only accept or reject. It could easily be modified to return tempfail for two permerrors, but then you have to decide what to do if there's only one permerror - and whether that depends on what the other test yields. Coding any given case would be pretty easy. Deciding what cases to offer as options is where things would get sticky.

I think treating permerror as the absence of a decision result makes sense. I wouldn't want to start tempfailing mail due to a typo in an SPF record.

--
Dick St.Peters, stpeters@NetHeaven.com

From: Murray S. K. <ms...@se...> - 2005-12-22 22:13:38

On Thu, 22 Dec 2005, Dick St.Peters wrote:
> Currently, sid-milter returns only accept or reject. It could easily be
> modified to return tempfail for two permerrors, but then you have to
> decide what to do if there's only one permerror - and whether that
> depends on what the other test yields. Coding any given case would be
> pretty easy. Deciding what cases to offer as options is where things
> would get sticky.

I'd be more inclined to code up some way of specifying a matrix of decisions, with the possible Sender-ID results along one axis and the possible SPF results along the other, and which milter result you'd like returned for each case. The advantage is that this is a complete solution; the disadvantage is that it's tough to explain to the heavy-duty novices. Perhaps a mix of the existing "-r" levels and this would be enough to satisfy both sides of that partition.

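The decision matrix proposed above, sketched as an added example; it is not sid-milter code and not from anyone in this thread. The enum names, the "spf,pra=action" rule syntax and the preset are hypothetical: a coarse preset fills the 6x6 table, then one cell is overridden, so two permerrors can tempfail while a permerror next to a pass still follows the preset.

```c
#include <string.h>

/* The six per-test results named in the thread, and the milter outcomes. */
enum sid_result { R_PASS, R_FAIL, R_SOFTFAIL, R_NEUTRAL, R_TEMPERROR, R_PERMERROR, R_COUNT };
enum action { ACT_ACCEPT, ACT_REJECT, ACT_TEMPFAIL, ACT_COUNT };

static const char *const result_names[R_COUNT] =
    { "pass", "fail", "softfail", "neutral", "temperror", "permerror" };
static const char *const action_names[ACT_COUNT] = { "accept", "reject", "tempfail" };

/* Index of the name equal to s[0..len), or -1 if there is none. */
static int lookup(const char *const *names, int n, const char *s, size_t len)
{
    for (int i = 0; i < n; i++)
        if (strlen(names[i]) == len && strncmp(names[i], s, len) == 0)
            return i;
    return -1;
}

/* Illustrative preset (not a reproduction of any -r level): reject when one
 * test fails and the other does not pass, accept every other combination. */
static void matrix_preset(enum action m[R_COUNT][R_COUNT])
{
    for (int s = 0; s < R_COUNT; s++)
        for (int p = 0; p < R_COUNT; p++)
            m[s][p] = ((s == R_FAIL && p != R_PASS) || (p == R_FAIL && s != R_PASS))
                          ? ACT_REJECT : ACT_ACCEPT;
}

/* Apply one override, hypothetical syntax "spf,pra=action"; 0 on success, -1 if malformed. */
static int matrix_override(enum action m[R_COUNT][R_COUNT], const char *rule)
{
    const char *comma = strchr(rule, ','), *eq = strchr(rule, '=');
    if (comma == NULL || eq == NULL || comma > eq) return -1;
    int s = lookup(result_names, R_COUNT, rule, (size_t)(comma - rule));
    int p = lookup(result_names, R_COUNT, comma + 1, (size_t)(eq - comma - 1));
    int a = lookup(action_names, ACT_COUNT, eq + 1, strlen(eq + 1));
    if (s < 0 || p < 0 || a < 0) return -1;
    m[s][p] = (enum action)a;
    return 0;
}

/* Preset plus one override, then read the cell; -1 means the rule was bad. */
int decide(const char *rule, enum sid_result spf, enum sid_result pra)
{
    enum action m[R_COUNT][R_COUNT];
    matrix_preset(m);
    return matrix_override(m, rule) == 0 ? (int)m[spf][pra] : -1;
}
```
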
From: Dick St.P. <stpeters@NetHeaven.com> - 2005-12-22 22:56:35

Murray S. Kucherawy writes:
> I'd be more inclined to code up some way of specifying a matrix of
> decisions, with the possible Sender-ID results along one axis and the
> possible SPF results along the other, and which milter result you'd like
> returned for each case. The advantage is that this is a complete
> solution; the disadvantage is that it's tough to explain to the heavy-duty
> novices. Perhaps a mix of the existing "-r" levels and this would be
> enough to satisfy both sides of that partition.

If you offer that level of configurability, you might as well expand "fail" to three values for the three reasons (NotPermitted, MalformedDomain, DomainDoesNotExist). Fail/MalformedDomain is, in some ways, more like permerror than fail. Arguably, so is fail/DomainDoesNotExist.

--
Dick St.Peters, stpeters@NetHeaven.com