tag 607472 + patch thanks On Sun, 05 Dec 2010 19:14:08 +0100, gregor herrmann wrote:
> Update: the current upstream version of the plugin at > http://git.develooper.com/?p=qpsmtpd.git;a=blob;f=plugins/sender_permitted_from;h=a6d833b03995e9f076a16de074fbac3a10854a8b;hb=HEAD > has already switched to > 37 use Mail::SPF 2.000; > > Commit: > http://git.develooper.com/?p=qpsmtpd.git;a=commit;h=02912602842a5b2251b1455cf7206cfee3d18553 > > Diff: > http://git.develooper.com/?p=qpsmtpd.git;a=blobdiff;f=plugins/sender_permitted_from;h=a6d833b03995e9f076a16de074fbac3a10854a8b;hp=287847e80de86ffb7216cedd85ac146ac0cf1aa6;hb=02912602842a5b2251b1455cf7206cfee3d18553;hpb=b1c3d2f333c807fb40b7a8e5d71086b54f69e562 > Here's a patch that changes the dependency and uses the newer sender_permitted_from. Cheers, gregor -- .''`. http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4 : :' : Debian GNU/Linux user, admin, & developer - http://www.debian.org/ `. `' Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe `- NP: U2: Beautiful Day
diff -Nru qpsmtpd-0.84/debian/changelog qpsmtpd-0.84/debian/changelog --- qpsmtpd-0.84/debian/changelog 2010-11-04 09:21:39.000000000 +0100 +++ qpsmtpd-0.84/debian/changelog 2010-12-18 19:34:13.000000000 +0100 @@ -1,3 +1,17 @@ +qpsmtpd (0.84-4.1) UNRELEASED; urgency=low + + * Non-maintainer upload. + * Switch from Mail::SPF::Query to Mail::SPF for the sender_permitted_from + plugin: + - change dependency in debian/control from libmail-spf-query-perl to + libmail-spf-perl + - new patch sender_permitted_from-mail_spf.patch, taken from upstream: + diff of new version of sender_permitted_from that usese Mail::SPF + instead of Mail::SPF::Query + Closes: #607472 + + -- gregor herrmann <gre...@debian.org> Sat, 18 Dec 2010 19:18:34 +0100 + qpsmtpd (0.84-4) unstable; urgency=low * Update Spanish translation; thanks to Francisco Cuadrado (Closes: diff -Nru qpsmtpd-0.84/debian/control qpsmtpd-0.84/debian/control --- qpsmtpd-0.84/debian/control 2010-10-04 10:20:20.000000000 +0200 +++ qpsmtpd-0.84/debian/control 2010-12-18 19:19:56.000000000 +0100 
@@ -7,7 +7,7 @@ Package: qpsmtpd Architecture: all -Depends: ${misc:Depends}, ${perl:Depends}, debconf (>= 1.0.0), adduser (>= 3.0), libdigest-hmac-perl, libmail-spf-query-perl, libnet-dns-perl, libnet-perl, libmailtools-perl, libipc-shareable-perl, libclamav-client-perl, libsocket6-perl +Depends: ${misc:Depends}, ${perl:Depends}, debconf (>= 1.0.0), adduser (>= 3.0), libdigest-hmac-perl, libmail-spf-perl, libnet-dns-perl, libnet-perl, libmailtools-perl, libipc-shareable-perl, libclamav-client-perl, libsocket6-perl Suggests: spamassassin (>= 3.0.0), clamav-daemon, tinycdb Homepage: http://smtpd.develooper.com/ Description: Flexible SMTP daemon for network-level spam detection diff -Nru qpsmtpd-0.84/debian/patches/sender_permitted_from-mail_spf.patch qpsmtpd-0.84/debian/patches/sender_permitted_from-mail_spf.patch --- qpsmtpd-0.84/debian/patches/sender_permitted_from-mail_spf.patch 1970-01-01 01:00:00.000000000 +0100 +++ qpsmtpd-0.84/debian/patches/sender_permitted_from-mail_spf.patch 2010-12-18 19:17:48.000000000 +0100 
@@ -0,0 +1,245 @@ +From 02912602842a5b2251b1455cf7206cfee3d18553 Mon Sep 17 00:00:00 2001 +From: Matt Simerson <m...@tnpi.net> +Date: Tue, 11 May 2010 01:41:08 -0400 +Subject: [PATCH] rewrote sender_permitted_from + +rewrote the plugin using Mail::SPF, which is the replacement for Mail::SPF::Query (by the same author). The two plugins are mutually exclusive and SpamAssassin expects to have Mail::SPF available. + +Signed-off-by: Robert <rsp...@pobox.com> +--- + plugins/sender_permitted_from | 193 ++++++++++++++++++++++------------------ + 1 files changed, 106 insertions(+), 87 deletions(-) + +diff --git a/plugins/sender_permitted_from b/plugins/sender_permitted_from +index 287847e..a6d833b 100644 +--- a/plugins/sender_permitted_from ++++ b/plugins/sender_permitted_from +@@ -5,119 +5,138 @@ SPF - plugin to implement Sender Permitted From + + =head1 SYNOPSIS + +- # in config/plugins +- sender_permitted_from ++Prevents email sender address spoofing by checking the SPF policy of the purported senders domain. + +-Or if you wish to issue 5xx on SPF fail: ++=head1 DESCRIPTION + +- sender_permitted_from spf_deny 1 ++Sender Policy Framework (SPF) is an e-mail validation system designed to prevent spam by addressing source address spoofing. SPF allows administrators to specify which hosts are allowed to send e-mail from a given domain by creating a specific SPF record in the public DNS. Mail exchangers then use the DNS to check that mail from a given domain is being sent by a host sanctioned by that domain's administrators. -- http://en.wikipedia.org/wiki/Sender_Policy_Framework ++ ++=head1 CONFIGURATION + +-Other arguments are 'trust 0' and 'guess 0'. These turn off processing of +-spf.trusted-forwarders.org and the best_guess functionality. It is unlikely +-that you want to turn these off. ++In config/plugins, add arguments to the sender_permitted_from line. + +-Adding 'spf_deny 2' will also issue a 5xx on a softfail response. 
++ sender_permitted_from spf_deny 1 + +-You can also specify local SPF policy with ++=head2 spf_deny + +- include '<spf mechanism list>' ++Setting spf_deny to 0 will prevent emails from being rejected, even if they fail SPF checks. sfp_deny 1 is the default, and a reasonable setting. It temporarily defers connections (4xx) that have soft SFP failures and only rejects (5xx) messages when the sending domains policy suggests it. Settings spf_deny to 2 is more aggressive and will cause soft failures to be rejected permanently. + + See also http://spf.pobox.com/ + ++=head1 AUTHOR ++ ++Matt Simerson <msimer...@cpan.org> ++ ++=head1 ACKNOWLEDGEMENTS ++ ++whomever wrote the original SPF plugin, upon which I based this. ++ + =cut + +-use Mail::SPF::Query 1.991; ++use strict; ++use Mail::SPF 2.000; ++use Data::Dumper; + + sub register { +- my ($self, $qp, @args) = @_; +- %{$self->{_args}} = @args; ++ my ($self, $qp, @args) = @_; ++ %{$self->{_args}} = @args; + } + + sub hook_mail { +- my ($self, $transaction, $sender, %param) = @_; +- +- return (DECLINED) unless ($sender->format ne "<>" +- and $sender->host && $sender->user); +- +- # If we are receving from a relay permitted host, then we are probably +- # not the delivery system, and so we shouldn't check +- +- return (DECLINED) if $self->qp->connection->relay_client(); +- my @relay_clients = $self->qp->config("relayclients"); +- my $more_relay_clients = $self->qp->config("morerelayclients", "map"); +- my %relay_clients = map { $_ => 1 } @relay_clients; +- my $client_ip = $self->qp->connection->remote_ip; +- while ($client_ip) { +- return (DECLINED) if exists $relay_clients{$client_ip}; +- return (DECLINED) if exists $more_relay_clients->{$client_ip}; +- $client_ip =~ s/\d+\.?$//; # strip off another 8 bits +- } +- +- my $host = lc $sender->host; +- my $from = $sender->user . '@' . 
$host; +- +- my $ip = $self->qp->connection->remote_ip; +- my $helo = $self->qp->connection->hello_host; +- +- my $query = Mail::SPF::Query->new(ip => $ip, sender => $from, helo => $helo, +- sanitize => 1, +- local => $self->{_args}{local}, +- guess => defined($self->{_args}{guess}) ? $self->{_args}{guess} : 1, +- trusted => defined($self->{_args}{trust}) ? $self->{_args}{trust} : 1) +- || die "Couldn't construct Mail::SPF::Query object"; +- $transaction->notes('spfquery', $query); +- +- return (DECLINED); ++ my ($self, $transaction, $sender, %param) = @_; ++ ++ my $format = $sender->format; ++ my $host = lc $sender->host; ++ my $user = $sender->user; ++ my $client_ip = $self->qp->connection->remote_ip; ++ my $from = $sender->user . '@' . $host; ++ my $helo = $self->qp->connection->hello_host; ++ ++ return (DECLINED, "SPF - null sender") ++ unless ($format ne "<>" && $host && $user); ++ ++ # If we are receving from a relay permitted host, then we are probably ++ # not the delivery system, and so we shouldn't check ++ return (DECLINED, "SPF - relaying permitted") ++ if $self->qp->connection->relay_client(); ++ ++ my @relay_clients = $self->qp->config("relayclients"); ++ my $more_relay_clients = $self->qp->config("morerelayclients", "map"); ++ my %relay_clients = map { $_ => 1 } @relay_clients; ++ while ($client_ip) { ++ return (DECLINED, "SPF - relaying permitted") ++ if exists $relay_clients{$client_ip}; ++ return (DECLINED, "SPF - relaying permitted") ++ if exists $more_relay_clients->{$client_ip}; ++ $client_ip =~ s/\d+\.?$//; # strip off another 8 bits ++ } ++ ++ my $scope = $from ? 
'mfrom' : 'helo'; ++ $client_ip = $self->qp->connection->remote_ip; ++ my %req_params = ( ++ versions => [1, 2], # optional ++ scope => $scope, ++ ip_address => $client_ip, ++ ); ++ ++ if ($scope =~ /mfrom|pra/) { ++ $req_params{identity} = $from; ++ $req_params{helo_identity} = $helo if $helo; ++ } ++ elsif ($scope eq 'helo') { ++ $req_params{identity} = $helo; ++ $req_params{helo_identity} = $helo; ++ } ++ ++ my $spf_server = Mail::SPF::Server->new(); ++ my $request = Mail::SPF::Request->new(%req_params); ++ my $result = $spf_server->process($request); ++ ++ $transaction->notes('spfquery', $result); ++ ++ return (OK) if $result->code eq 'pass'; # this test passed ++ return (DECLINED, "SPF - $result->code"); + } + + sub hook_rcpt { +- my ($self, $transaction, $rcpt, %param) = @_; +- +- # special addresses don't get SPF-tested. +- return DECLINED if $rcpt and $rcpt->user and $rcpt->user =~ /^(?:postmaster|abuse|mailer-daemon|root)$/i; +- +- my $query = $transaction->notes('spfquery'); +- +- return DECLINED if !$query; +- my ($result, $smtp_comment, $comment) = $query->result2($rcpt->address); +- +- if ($result eq "error") { +- return (DENYSOFT, "SPF error: $smtp_comment"); +- } +- +- if ($result eq "fail" and $self->{_args}{spf_deny}) { +- return (DENY, "SPF forgery: $smtp_comment"); +- } +- +- if ($result eq "softfail" and $self->{_args}{spf_deny} > 1) { +- return (DENY, "SPF probable forgery: $smtp_comment"); +- } +- +- if ($result eq 'fail' or $result eq 'softfail') { +- $self->log(LOGDEBUG, "result for $rcpt->address was $result: $comment"); +- } +- +- return DECLINED; +-} ++ my ($self, $transaction, $rcpt, %param) = @_; ++ ++ # special addresses don't get SPF-tested. 
++ return DECLINED ++ if $rcpt ++ and $rcpt->user ++ and $rcpt->user =~ /^(?:postmaster|abuse|mailer-daemon|root)$/i; ++ ++ my $result = $transaction->notes('spfquery') or return DECLINED; ++ my $code = $result->code; ++ my $why = $result->local_explanation; ++ my $deny = $self->{_args}{spf_deny}; ++ ++ return (DECLINED, "SPF - $code: $why") if $code eq "pass"; ++ return (DECLINED, "SPF - $code, $why") if !$deny; ++ return (DENYSOFT, "SPF - $code: $why") if $code eq "error"; ++ return (DENY, "SPF - forgery: $why") if $code eq 'fail'; + +-sub _uri_escape { +- my $str = shift; +- $str =~ s/([^A-Za-z0-9\-_.!~*\'()])/sprintf "%%%X", ord($1)/eg; +- return $str; ++ if ($code eq "softfail") { ++ return (DENY, "SPF probable forgery: $why") if $deny > 1; ++ return (DENYSOFT, "SPF probable forgery: $why"); ++ } ++ ++ $self->log(LOGDEBUG, "result for $rcpt->address was $code: $why"); ++ ++ return (DECLINED, "SPF - $code, $why"); + } + + sub hook_data_post { +- my ($self, $transaction) = @_; +- +- my $query = $transaction->notes('spfquery'); +- return DECLINED if !$query; ++ my ($self, $transaction) = @_; + +- my ($result, $smtp_comment, $comment) = $query->message_result2(); ++ my $result = $transaction->notes('spfquery') or return DECLINED; + +- $self->log(LOGDEBUG, "result was $result: $comment") if ($result); ++ $self->log(LOGDEBUG, "result was $result->code"); + +- $transaction->header->add('Received-SPF' => "$result ($comment)", 0); ++ $transaction->header->add('Received-SPF' => $result->received_spf_header, ++ 0); + +- return DECLINED; ++ return DECLINED; + } + +-- +1.7.3.1 + diff -Nru qpsmtpd-0.84/debian/patches/series qpsmtpd-0.84/debian/patches/series --- qpsmtpd-0.84/debian/patches/series 2010-04-08 10:07:24.000000000 +0200 +++ qpsmtpd-0.84/debian/patches/series 2010-12-18 19:18:09.000000000 +0100 @@ -1 +1,2 @@ require_resolvable_fromhost-enable.patch +sender_permitted_from-mail_spf.patch
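Review bot: In the new `hook_mail`, `return (OK) if $result->code eq 'pass';` replaces the old unconditional `DECLINED`, and qpsmtpd stops running a hook's remaining plugins at the first non-DECLINED return, so any MAIL FROM check listed after this plugin is skipped for a sender whose own domain publishes a passing SPF record. An SPF pass only says the connecting host is authorised by that domain, so it should not act as a whitelist; ending the sub with `return (DECLINED, "SPF - " . $result->code);` for every code keeps the later checks running. That line also fixes the message text, because `"SPF - $result->code"` (and `"result was $result->code"` in `hook_data_post`) interpolates the object reference followed by the literal `->code` instead of calling the method. Separately, the POD states that `spf_deny 1` is the default, but `hook_rcpt` reads `$self->{_args}{spf_deny}` with no fallback and returns DECLINED when it is unset, so an install without the argument never rejects or defers on SPF; either set the default in `register` or correct the POD.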