[opendmarc-users] SPF record macro expansion
A. Schulze
sca at andreasschulze.de
Thu Sep 8 04:43:59 PDT 2022
A. Schulze:
> yep, I see the same problem, using opendmarc built with libspf2.
> Currently I use an older version from debian stretch, but an update
> to debian bullseye will happen in the next days here.
this is how to reproduce the issue using "modern/latest" versions of
opendmarc and libspf2:
first run a container with latest debian os:
docker run --rm -ti debian:bookworm-slim
inside install debian's opendmarc package:
apt-get -qq update; apt-get -qq --no-install-recommends install opendmarc
this is what you should see:
opendmarc -V # -> opendmarc-1.4.2 something
There is a publicsuffix.org datafile, referenced later:
dpkg -S /usr/share/publicsuffix/public_suffix_list.dat
now let's create a bare minimal configuration file:
cat <<EOF > /config
PublicSuffixList /usr/share/publicsuffix/public_suffix_list.dat
SPFSelfValidate yes
RejectFailures yes
EOF
now let's create a bare-minimum example message:
cat <<EOF > /msg
From: <test@purestorage.com>
Subject: test
body
EOF
OpenDMARC can test message files. As OpenDMARC is configured to self-validate SPF,
we need to inform OpenDMARC about the SPF connection data:
export OPENDMARC_TEST_ENVFROM='support@purestorage.com'
export OPENDMARC_TEST_CLIENTIP='149.96.6.209'
export OPENDMARC_TEST_CLIENTHOST='outbound403.service-now.com'
export OPENDMARC_TEST_HELONAME='outbound403.service-now.com'
Now we can run a test:
opendmarc -v -v -v -c /config -t /msg
This is what you should get:
opendmarc: mlfi_connect() returned SMFIS_CONTINUE
opendmarc: mlfi_helo() returned SMFIS_CONTINUE
opendmarc: /data/msg: mlfi_envfrom() returned SMFIS_CONTINUE
opendmarc: /data/msg: line 1: mlfi_header() returned SMFIS_CONTINUE
opendmarc: /data/msg: line 2: mlfi_header() returned SMFIS_CONTINUE
### INSHEADER: idx=1 hname='Authentication-Results' hvalue='DEBUG-j; spf=fail smtp.mailfrom=purestorage.com'
### SETREPLY: rcode='550' xcode='5.7.1' replytxt='rejected by DMARC policy for purestorage.com'
opendmarc: /data/msg: mlfi_eom() returned SMFIS_REJECT
opendmarc: mlfi_close() returned SMFIS_CONTINUE
You could also verify that whitelisting works:
echo 'IgnoreMailFrom purestorage.com' >> /config
A rerun of 'opendmarc -v -v -v -c /config -t /msg' would now accept
the message.
As we agree the message should pass, there is a failure. Question: is it in
opendmarc or libspf2?
The following test lets me assume libspf2 works correctly:
$ spfquery -ip 149.96.6.209 -sender support@purestorage.com -helo outbound403.service-now.com
pass
spfquery: domain of purestorage.com designates 149.96.6.209 as permitted sender
So it looks like a bug in opendmarc. I may imagine libspf2 provides
library calls to evaluate SPF records with macros, which are used by
libspf2 but not by opendmarc. It would be helpful if anybody could
review the code at
https://github.com/trusteddomainproject/OpenDMARC/tree/develop. If my
assumption is true, we could try to create a fix.
Andreas
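For readers who want to see concretely what "SPF record macro expansion" involves, here is a small stand-alone expander for the RFC 7208 section 7 macro syntax. It is an added example written for this page, not code from opendmarc, libspf2 or the author of the message above. The sender, client IP, domain and the SPF record it walks are constructed test values (the context values are the ones the RFC uses in its own section 7.4 examples); `%{p}` is not resolved and is left as "unknown", and no DNS lookups are performed. The last function shows the point that matters for an evaluator: every `exists:`, `include:`, `a:`, `mx:`, `ptr:`, `redirect=` and `exp=` target has to be expanded before it is queried, otherwise a record such as `exists:%{ir}.%{v}._spf.%{d2}` is looked up literally and can never match.

```python
"""Stand-alone SPF macro expander (RFC 7208 section 7). Added example code;
not code from opendmarc or libspf2. No DNS is used."""
import ipaddress
import re
from urllib.parse import quote

# Macro tokens allowed in a domain-spec: %%, %_, %- and %{letter digits r delimiters}.
# The letters c, r and t are only valid inside exp= text, so they are rejected here.
_TOKEN_RE = re.compile(r"%%|%_|%-|%\{([slodiphv])(\d*)(r?)([.\-+,/_=]*)\}", re.IGNORECASE)
_VALID_RE = re.compile(r"(?:%%|%_|%-|%\{[slodiphv]\d*r?[.\-+,/_=]*\}|[^%])*", re.IGNORECASE)
# Terms whose argument is a domain-spec and therefore needs expansion before lookup.
_DOMAIN_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect", "exp"}


def _ip_macro_value(addr):
    """%{i}: dotted decimal for IPv4, dot-separated nibbles of the full form for IPv6."""
    if addr.version == 4:
        return str(addr)
    return ".".join(addr.exploded.replace(":", ""))


def expand_macros(macro_string, sender, client_ip, domain, helo="unknown"):
    """Expand one macro-string for a given check_host() context (section 7.3)."""
    if _VALID_RE.fullmatch(macro_string) is None:
        raise ValueError("malformed macro-string: %r" % macro_string)
    addr = ipaddress.ip_address(client_ip)
    local, _, sender_domain = sender.rpartition("@")
    values = {
        "s": sender,            # the <sender> identity being checked
        "l": local,             # local-part of <sender>
        "o": sender_domain,     # domain of <sender>
        "d": domain,            # <domain> currently being evaluated
        "i": _ip_macro_value(addr),
        "p": "unknown",         # validated PTR name; deprecated and not resolved here (assumption)
        "v": "in-addr" if addr.version == 4 else "ip6",
        "h": helo,              # HELO/EHLO domain
    }

    def substitute(match):
        token = match.group(0)
        if token == "%%":
            return "%"
        if token == "%_":
            return " "
        if token == "%-":
            return "%20"
        letter, digits, reverse, delimiters = match.groups()
        # Split on the given delimiters (default "."), optionally reverse,
        # optionally keep only the rightmost DIGIT parts, then rejoin with ".".
        parts = re.split("[" + re.escape(delimiters or ".") + "]", values[letter.lower()])
        if reverse:
            parts.reverse()
        if digits:
            if int(digits) == 0:
                raise ValueError("DIGIT transformer must be nonzero")
            parts = parts[-int(digits):]
        result = ".".join(parts)
        # An uppercase macro letter means the expansion is URL-encoded.
        return quote(result, safe="") if letter.isupper() else result

    return _TOKEN_RE.sub(substitute, macro_string)


def fit_dns_name(name, limit=253):
    """Section 7.3: drop leftmost labels until an expanded target name fits in DNS."""
    labels = name.split(".")
    while len(".".join(labels)) > limit and len(labels) > 1:
        labels.pop(0)
    return ".".join(labels)


def expand_record_targets(record, sender, client_ip, domain, helo="unknown"):
    """Return [(term, expanded DNS target)] for every term of a record carrying a domain-spec."""
    targets = []
    for term in record.split()[1:]:                     # skip the "v=spf1" version tag
        body = term.lstrip("+-~?")                      # strip the qualifier
        if body.startswith(("redirect=", "exp=")):
            name, spec = body.split("=", 1)
        elif ":" in body:
            name, spec = body.split(":", 1)
        else:
            continue                                    # all, bare a/mx: nothing to expand
        if name.lower() not in _DOMAIN_TERMS:
            continue                                    # ip4:/ip6: carry addresses, not names
        spec = spec.split("/", 1)[0]                    # drop a dual-cidr-length suffix
        targets.append((term, fit_dns_name(expand_macros(spec, sender, client_ip, domain, helo))))
    return targets


if __name__ == "__main__":
    # Constructed context, taken from the RFC 7208 section 7.4 example values.
    ctx = dict(sender="strong-bad@email.example.com", client_ip="192.0.2.3",
               domain="email.example.com")
    # Constructed record: the exists: term only works if %{ir}, %{v} and %{d2} are expanded.
    record = "v=spf1 ip4:192.0.2.0/24 exists:%{ir}.%{v}._spf.%{d2} include:_spf.%{d} -all"
    for term, target in expand_record_targets(record, **ctx):
        print(term, "->", target)
```

Running the block prints each macro-bearing term next to the DNS name an evaluator must actually query for that context; an implementation that skips this step would query the literal `%{ir}.%{v}._spf.%{d2}` and report the sender as not permitted.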