[opendmarc-users] SPF record macro expansion

A. Schulze sca at andreasschulze.de
Thu Sep 8 04:43:59 PDT 2022 

A. Schulze:


> yep, I see the same problem, using opendmarc build with libspf2
> currently I use an older version from debian stretch but an update  
> to debian bullseye
> will happen the next days here.

this is how to reproduce the issue using "modern/latest" versions of  
opendmarc and libspf2:

first run a container with latest debian os:
   docker run --rm -ti debian:bookworm-slim

inside install debian's opendmarc package:
   apt-get -qq update; apt-get -qq --no-install-recommends install opendmarc

this is what you should see:
   opendmarc -V # -> opendmarc-1.4.2 something

There is a publicsuffix.org datafile, referenced later:
   dpkg -S /usr/share/publicsuffix/public_suffix_list.dat

now let's create a bare minimal configuration file:
   cat <<EOF > /config
   PublicSuffixList        /usr/share/publicsuffix/public_suffix_list.dat
   SPFSelfValidate         yes
   RejectFailures          yes
   EOF

now let's create a bare minimum example message
   cat <<EOF > /msg
   From: <test at purestorage.com>
   Subject: test

   body
   EOF

OpenDMARC can test messagefiles. As OpenDMARC is configured to  
selfvalidate SPF,
we need to inform OpenDMARC about SPF connection data:

   export OPENDMARC_TEST_ENVFROM='support at purestorage.com'
   export OPENDMARC_TEST_CLIENTIP='149.96.6.209'
   export OPENDMARC_TEST_CLIENTHOST='outbound403.service-now.com'
   export OPENDMARC_TEST_HELONAME='outbound403.service-now.com'

Now we could run a test:
   opendmarc -v -v -v -c /config -t /msg

This is what you should get:

opendmarc: mlfi_connect() returned SMFIS_CONTINUE
opendmarc: mlfi_helo() returned SMFIS_CONTINUE
opendmarc: /data/msg: mlfi_envfrom() returned SMFIS_CONTINUE
opendmarc: /data/msg: line 1: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /data/msg: line 2: mlfi_header() returned SMFIS_CONTINUE
### INSHEADER: idx=1 hname='Authentication-Results' hvalue='DEBUG-j;  
spf=fail smtp.mailfrom=purestorage.com'
### SETREPLY: rcode='550' xcode='5.7.1' replytxt='rejected by DMARC  
policy for purestorage.com'
opendmarc: /data/msg: mlfi_eom() returned SMFIS_REJECT
opendmarc: mlfi_close() returned SMFIS_CONTINUE

You could also verify, whitelisting works:
   echo 'IgnoreMailFrom purestorage.com' >> /config

A rerun of 'opendmarc -v -v -v -c /config -t /msg' would now accept  
the message.

As we agree, the message should pass, there is a failure. Question: in  
opendmarc or libspf2?

The following test let me assume, libspf2 work correct:

    $ spfquery -ip 149.96.6.209 -sender support at purestorage.com -helo  
outbound403.service-now.com
    pass

    spfquery: domain of purestorage.com designates 149.96.6.209 as  
permitted sender

So it looks like a bug in opendmarc. I may imagine, libspf2 provide  
library calls to evaluate spf records with macros
which are used by libspf2 but not by opendmarc. It would be helpful if  
anybody could review the
code at  
https://github.com/trusteddomainproject/OpenDMARC/tree/develop. If my  
assumption is true we could try to create a fix.

Andreas

More information about the opendmarc-users mailing list