[opendmarc-users] trouble with endutec.de

A. Schulze sca at andreasschulze.de
Mon Aug 14 12:27:54 PDT 2017



On 14.08.2017 at 20:59, Juri Haberland wrote:
> I just checked the sources and there is a check for
> "v=DMARC1" in various places, but unfortunately these checks are never
> anchored at the beginning of the string - they all pass if "v=DMARC1" is
> *somewhere* in the DNS answer.
found in libopendmarc/opendmarc_policy.c, line 609 and line 638

        if (dns_reply == NETDB_SUCCESS && buf != NULL)
        {
                /* Must include DMARC version */
                if (strncasecmp((char *)buf, "v=DMARC1", sizeof buf) == 0)
                {
                        return DMARC_PARSE_OKAY;
                }
        }

this code tries to fetch policy records to verify permissions to send reports to other domains
-> not relevant

and a third time in line 920

                if (strcasecmp((char *)cp, "v") == 0)
                {
                        /*
                         * Yes, this is required to be first, but why
                         * reject it if it is not first?
                         */
                        if (strcasecmp((char *)vp, "DMARC1") != 0)
                        {
                                return DMARC_PARSE_ERROR_BAD_VERSION;
                        }
                }

this code is expected to check
 - the tagname is "v"
 - the tagvalue is "DMARC1"

but it should not "see a tagname "off-v" ??

BTW:
to answer the question inside the comment: https://tools.ietf.org/html/rfc7489#section-6.3
 - It (v=) MUST have the value of "DMARC1"
 - It (v=) MUST be the first tag in the list

> The only place where a more thorough check is used is in
> opendmarc_policy_parse_dmarc(), but again unfortunately it isn't checked
> whether something like "v=DMARC1" is found at all :(
> 
> Will you open a bug report?
yes

Andreas
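
Added example (not part of the original message and not libopendmarc code): an anchored check of the version tag as the RFC 7489 section 6.3 rules quoted above require, with v= as the first tag and the value exactly DMARC1. The name dmarc_version_is_first_tag and the sample records are made up for illustration; matching the value case-sensitively and accepting a record that ends right after the version tag without ';' are choices made here.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: skip spaces and tabs between tag, '=' and value. */
static const char *skip_wsp(const char *p)
{
        while (*p == ' ' || *p == '\t')
                p++;
        return p;
}

/* Hypothetical function, not part of libopendmarc.
 * Returns 1 if txt starts with the DMARC version tag, 0 otherwise. */
int dmarc_version_is_first_tag(const char *txt)
{
        const char *p = txt;

        if (p == NULL)
                return 0;
        /* The tag name must be the very first character of the record,
         * so "off-v=..." and "p=none; v=DMARC1" are rejected here. */
        if (*p != 'v' && *p != 'V')
                return 0;
        p = skip_wsp(p + 1);
        if (*p != '=')
                return 0;
        p = skip_wsp(p + 1);
        /* The value is compared in full and case-sensitively. */
        if (strncmp(p, "DMARC1", 6) != 0)
                return 0;
        p = skip_wsp(p + 6);
        /* Only a separator or end of record may follow, so a value such
         * as "DMARC12" is not accepted as a prefix match. */
        return *p == ';' || *p == '\0';
}

int main(void)
{
        /* Constructed sample records, not taken from any real domain. */
        const char *samples[] = {
                "v=DMARC1; p=none", "v = DMARC1 ; p=reject",
                "off-v=DMARC1; p=none", "p=none; v=DMARC1", "v=DMARC12"
        };
        for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
                printf("%-24s -> %d\n", samples[i],
                       dmarc_version_is_first_tag(samples[i]));
        return 0;
}
```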

