#165 SPF Internal check fails on helo

1.3.1
closed
2017-03-04
2016-05-06
No

When a mail is sent from a null sender address

http://tools.ietf.org/html/rfc7489#page-12 says
"DMARC uses the result
of SPF authentication of the MAIL FROM identity. Section 2.4 of
[SPF] describes MAIL FROM processing for cases in which the MAIL
command has a null path."

RFC4408 says:

When the reverse-path is null, this document defines the "MAIL FROM" identity to be the mailbox composed of the localpart "postmaster" and the "HELO" identity (which may or may not have been checked separately before).

Look at this instance:

export OPENDMARC_TEST_HELONAME=smtpdec2.csi.it
export OPENDMARC_TEST_CLIENTHOST=smtpdec2.csi.it
export OPENDMARC_TEST_CLIENTIP=158.102.68.4
export OPENDMARC_TEST_ENVFROM='<>'
export OPENDMARC_TEST_HELOHOST=smtpdec2.csi.it

smtpdec2.csi.it IN TXT "v=spf1 a -all"

[root@]# cat /root/tstmail1.eml

To: Marco <marco@aol.com>
From: Marco <marco@gmail.com>
Subject: bye
Message-ID: <AAAAAAAAA.60dgdsffds@aol.it>
Date: Thu, 7 Jan 2016 11:50:08 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101
 Thunderbird/38.5.0
MIME-Version: 1.0

Ciao.

[root@]# opendmarc -t /root/tstmail1.eml -vvv

opendmarc: mlfi_connect() returned SMFIS_CONTINUE
opendmarc: mlfi_helo() returned SMFIS_CONTINUE
opendmarc: /root/tstmail1.eml: mlfi_envfrom() returned SMFIS_CONTINUE
opendmarc: /root/tstmail1.eml: line 1: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/tstmail1.eml: line 2: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/tstmail1.eml: line 3: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/tstmail1.eml: line 4: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/tstmail1.eml: line 5: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/tstmail1.eml: line 6: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /root/tstmail1.eml: line 8: mlfi_header() returned SMFIS_CONTINUE
### INSHEADER: idx=1 hname='Authentication-Results' hvalue='DEBUG-j; spf=fail smtp.helo=smtpdec2.csi.it'
### INSHEADER: idx=1 hname='Authentication-Results' hvalue='DEBUG-j; dmarc=none header.from=gmail.com'
### INSHEADER: idx=1 hname='DMARC-Filter' hvalue='OpenDMARC Filter v1.3.1 DEBUG-j DEBUG-i'

So SPF fails, but it is an incorrect result.

I think the problem is in line 163 of opendmarc_spf:
if (ret |= 0 || used_mfrom == FALSE)
Maybe you didn't want to check the pointer, but the value.

I made a patch; it works for me. I also used SPF_request_set_helo_dom (see http://www.libspf2.org/docs/html/spfrequest_8c-source.html), which seems to do what the RFC requires, but the real problem is probably in the line above.

1 Attachments
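
The null-sender rule quoted in the report above, as an added example (not part of the original ticket, and not OpenDMARC or libspf2 code): it derives the SPF MAIL FROM identity from the envelope sender and HELO name, then checks strict DMARC alignment against the RFC5322.From domain. The function names are hypothetical, and relaxed alignment is left out because it needs an organizational-domain lookup.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers for illustration; not OpenDMARC or libspf2 functions. */

/* Build the SPF "MAIL FROM" identity. For a null reverse-path ("<>" or ""),
 * RFC 4408 defines it as postmaster@<HELO identity>.
 * Returns 1 if the HELO fallback was used, 0 if not, -1 on error. */
int spf_mailfrom_identity(const char *envfrom, const char *helo,
                          char *out, size_t outlen)
{
    size_t len;
    int n;

    if (out == NULL || outlen == 0)
        return -1;
    if (envfrom == NULL || envfrom[0] == '\0' || strcmp(envfrom, "<>") == 0) {
        if (helo == NULL || helo[0] == '\0')
            return -1;
        n = snprintf(out, outlen, "postmaster@%s", helo);
        return (n < 0 || (size_t)n >= outlen) ? -1 : 1;
    }
    len = strlen(envfrom);
    if (len >= 2 && envfrom[0] == '<' && envfrom[len - 1] == '>') {
        envfrom++;          /* strip the surrounding angle brackets */
        len -= 2;
    }
    if (len >= outlen)
        return -1;
    memcpy(out, envfrom, len);
    out[len] = '\0';
    return 0;
}

/* Strict DMARC identifier alignment: the domain of the SPF identity must
 * equal the RFC5322.From domain (case-insensitive). Returns 1 or 0. */
int dmarc_spf_aligned_strict(const char *spf_identity, const char *from_domain)
{
    const char *d = spf_identity ? strrchr(spf_identity, '@') : NULL;

    if (d == NULL || d[1] == '\0' || from_domain == NULL)
        return 0;
    for (d++; *d != '\0' && *from_domain != '\0'; d++, from_domain++)
        if (tolower((unsigned char)*d) != tolower((unsigned char)*from_domain))
            return 0;
    return *d == '\0' && *from_domain == '\0';
}
```

With the values from the report (null sender, HELO smtpdec2.csi.it, From gmail.com) the derived identity is postmaster@smtpdec2.csi.it, which is not aligned with gmail.com; it aligns only when the From domain matches the HELO domain.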

Discussion

  • A. Schulze - 2016-05-06

    A comment just to be clear:

    Even if a patch manages to make the SPF check for "helo" pass, this SPF result is unusable for DMARC.
    DMARC authenticates RFC5322.From. A message with an empty envelope sender will never be aligned. The only way to let such messages pass DMARC is to DKIM-sign them with a domain aligned to RFC5322.From.

     
  • A. Schulze - 2016-05-08

    I'll confirm the patch is working here and produces sane results.

     
  • Marco Favero - 2016-05-09

    Thank you for testing the patch.
    Verifying with the DMARC-Discuss ml, I can see that opendmarc now uses the RFC7208/4408.Mailfrom composed with helo if RFC5321.Mailfrom is null. Now a message with an empty RFC5321.Mailfrom can be aligned.

     

    Last edit: Marco Favero 2016-05-11
  • Scott Kitterman - 2016-12-03

    This is already included in the 1.3.2 beta. It's even mentioned in the RELEASE_NOTES.

     
  • Murray S. Kucherawy

    • assigned_to: Murray S. Kucherawy
     
  • Murray S. Kucherawy

    Patch applied for 1.3.2.

     
  • Murray S. Kucherawy

    I did indeed; applied now.

     
  • Murray S. Kucherawy

    • status: open --> closed
     
  • Murray S. Kucherawy

    v1.3.2 released.

     