On Sun, 05 Dec 2010 13:37:19 +0100, Torsten Jerzembeck wrote:

> Using Mail::SPF::Query with an IPv6 enabled mailserver (increasingly
> common today, and bound to get even more common due to the shortage of
> IPv4 addresses) leads to mail being blocked incorrectly.

Could you please give an example of a domain/mailserver which uses IPv6
and SPF? I'd like to do some tests and it would be easier with an
example :)

> The "spfquery" helper script used in the example configuration for exim4

Hm, the file shipped in the package
(/usr/share/doc/libmail-spf-query-perl/examples/exim-acl) doesn't use
spfquery but spfd. #376545 suggests an alternative which uses spfquery.

> interprets any supplied IPv6 address as an IPv4 address and tries to
> match it against the "ip4" part of SPF information. This obviously fails
> and leads to incorrectly blocked/rejected mail if the SPF policy uses "fail"
> instead of "softfail".

Right, this is definitely a bug (line 436):

    my $query = new Mail::SPF::Query (ipv4 => $opt{ip},

> The missing IPv6 support is documented in the "BUGS" section of the
> Mail::SPF::Query manpage, but not in any documentation for "spfquery"
> itself. In addition, "spfquery" or Mail::SPF::Query do not report any
> error when being supplied with an IPv6 address.

spfquery doesn't but Mail::SPF::Query itself should, at least that's my
assumption after looking quickly through the code.

Quick test: if I change "ipv4" to "ip" in the above line in spfquery, I
end up with an error:

    $ PERL5LIB=lib bin/spfquery -i 82.150.197.85 -m comodo.priv.at -h colleen.colgarra.priv.at
    pass
    Please see http://www.openspf.org/why.html?sender=comodo.priv.at&ip=82.150.197.85&receiver=spfquery: comodo.priv.at MX colleen.colgarra.priv.at A 82.150.197.85
    spfquery: domain of comodo.priv.at designates 82.150.197.85 as permitted sender
    Received-SPF: pass (spfquery: domain of comodo.priv.at designates 82.150.197.85 as permitted sender) client-ip=82.150.197.85; envelope-from=comodo.priv.at; helo=colleen.colgarra.priv.at;

    $ PERL5LIB=lib bin/spfquery -i 2a02:5d8:192::201 -m comodo.priv.at -h colleen.colgarra.priv.at
    no IP address given at lib/Mail/SPF/Query.pm line 255.
    $ echo $?
    255

From lib/Mail/SPF/Query.pm:

     51 my $looks_like_ipv4 = qr/\d+\.\d+\.\d+\.\d+/;

    232   $query->{ipv4} = delete $query->{ip}
    233     if defined($query->{ip}) and $query->{ip} =~ $looks_like_ipv4;

    254   if (not ($query->{ipv4} and length $query->{ipv4})) {
    255     die "no IP address given";
    256   }

> As IPv6 deployments are
> getting increasingly common, the script and/or the module should display
> an error message in this case or should at least fail graciously. In
> addition, a prominent warning should be displayed about the inability
> to deal with IPv6 addresses.

Right, the current situation is not satisfactory.

Cheers,
gregor

-- 
 .''`.   http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe
   `-    NP: James Taylor: How Sweet It Is (To Be Loved By You)
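
Added example, not part of the message above and not code from spfquery or Mail::SPF::Query: a sketch of an address-family check that could run before an IPv4-only SPF lookup, so that an IPv6 client is reported as such instead of being matched against "ip4" mechanisms. The helper names classify_client_ip and precheck and the action values 'query', 'skip' and 'error' are assumptions made for illustration; the sample addresses are the two from the test above plus constructed ones.

```perl
#!/usr/bin/perl
# Added example; helper names and action values are hypothetical.
use strict;
use warnings;
use Socket qw(inet_pton AF_INET AF_INET6);

# The unanchored pattern quoted from Query.pm line 51, kept for comparison.
my $looks_like_ipv4 = qr/\d+\.\d+\.\d+\.\d+/;

# Parse the literal with inet_pton instead of pattern matching, so the
# address family is decided by the parser and not by a substring match.
sub classify_client_ip {
    my ($ip) = @_;
    return 'invalid' unless defined $ip and length $ip;
    return 'ipv4' if defined inet_pton(AF_INET,  $ip);
    return 'ipv6' if defined inet_pton(AF_INET6, $ip);
    return 'invalid';
}

# Decide what a caller that can only evaluate IPv4 should do:
#   query - safe to hand to the IPv4-only check
#   skip  - IPv6 client, do not produce a verdict from ip4 matching
#   error - not an IP literal at all, report it instead of guessing
sub precheck {
    my ($ip) = @_;
    my $family = classify_client_ip($ip);
    return { family => $family, action => 'query' } if $family eq 'ipv4';
    return { family => $family, action => 'skip',
             reason => 'IPv6 client, IPv4-only SPF check not applicable' }
        if $family eq 'ipv6';
    return { family => $family, action => 'error',
             reason => 'client address is not a valid IP literal' };
}

# Constructed sample input: the two addresses from the test above, an
# IPv4-mapped IPv6 literal, an out-of-range dotted quad, and an empty string.
for my $ip ('82.150.197.85', '2a02:5d8:192::201',
            '::ffff:82.150.197.85', '999.1.1.1', '') {
    my $r = precheck($ip);
    printf "%-24s family=%-7s action=%-5s unanchored_regex_match=%s\n",
        "'$ip'", $r->{family}, $r->{action},
        ($ip =~ $looks_like_ipv4 ? 'yes' : 'no');
}
```

The last column shows where the pattern from line 51 and the parser disagree: because the pattern is unanchored, it also matches the IPv4-mapped IPv6 literal and the out-of-range dotted quad.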