Package: rmilter
Version: 1.6.1
Severity: normal
Tags: upstream

Dear Maintainer,

If you look at src/spf.c you'll see the following code snippet:

    /* No domain part in envfrom field - do not make spf check */
    if (domain_pos == NULL) {
        return 1;
    }

This is not the correct behavior for the SPF protocol. If you look at RFC 7208 section 2.4 (the second paragraph), it says:

    [RFC5321] allows the reverse-path to be null (see Section 4.5.5 in
    [RFC5321]). In this case, there is no explicit sender mailbox, and
    such a message can be assumed to be a notification message from the
    mail system itself. When the reverse-path is null, this document
    defines the "MAIL FROM" identity to be the mailbox composed of the
    local-part "postmaster" and the "HELO" identity (which might or might
    not have been checked separately before).

Rather than simply return in this case, rmilter should retrieve the remote host's HELO/EHLO identity and perform the check with postmaster@HELO.

Note: Although RFC 7208 is fairly recent, the requirement was the same in its predecessor RFC 4408.
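
The fallback the report asks for, sketched as an added example; it is not rmilter's code and not part of the original report. `spf_mailfrom_identity` and the `spf_identity` enum are hypothetical names, and the function assumes the caller already has the client's HELO/EHLO string.

```c
#include <stdio.h>
#include <string.h>

enum spf_identity { SPF_ID_NONE, SPF_ID_MAILFROM, SPF_ID_POSTMASTER_HELO };

/*
 * Hypothetical helper (not an rmilter function). Writes the mailbox to use
 * as the SPF "MAIL FROM" identity into out and returns how it was derived.
 * envfrom is the reverse-path as received, with or without <>; helo is the
 * HELO/EHLO name the client sent. SPF_ID_NONE means there is nothing to check.
 */
enum spf_identity
spf_mailfrom_identity(const char *envfrom, const char *helo,
                      char *out, size_t outlen)
{
    size_t len = envfrom ? strlen(envfrom) : 0;
    int n;

    /* Strip the angle brackets of "<user@example.org>" or "<>" */
    if (len >= 2 && envfrom[0] == '<' && envfrom[len - 1] == '>') {
        envfrom++;
        len -= 2;
    }

    if (len == 0) {
        /* Null reverse-path: RFC 7208 section 2.4 says postmaster@HELO */
        if (helo == NULL || *helo == '\0')
            return SPF_ID_NONE;
        n = snprintf(out, outlen, "postmaster@%s", helo);
        return (n > 0 && (size_t)n < outlen) ? SPF_ID_POSTMASTER_HELO
                                             : SPF_ID_NONE;
    }

    /* Non-empty reverse-path: it must contain '@' followed by a domain */
    if (memchr(envfrom, '@', len) == NULL || envfrom[len - 1] == '@')
        return SPF_ID_NONE;

    /* RFC 7208 section 4.3: an empty local-part becomes "postmaster" */
    n = snprintf(out, outlen, "%s%.*s",
                 envfrom[0] == '@' ? "postmaster" : "", (int)len, envfrom);
    return (n > 0 && (size_t)n < outlen) ? SPF_ID_MAILFROM : SPF_ID_NONE;
}
```
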