On Fri, Apr 21, 2017 at 01:52:05PM +0200, Boudewijn Dijkstra wrote:
> On Fri, 21 Apr 2017 12:16:31 +0200 Reyk Floeter <r...@openbsd.org> wrote:
> > On Fri, Apr 21, 2017 at 11:59:20AM +0200, Peter N. M. Hansteen wrote:
> > > On Fri, Apr 21, 2017 at 11:25:14AM +0200, Markus Rosjat wrote:
> > > >
> >
> > I use the attached script to fetch the SPF entries recursively, in a
> > plain text format that can be fed into pfctl.
>
> Have you tried mx3a.certifiedfactory.info ? ;)
>
Great, I think you got something wrong: I don't use this simple script
automatically or for "untrusted domains", I just use it _manually_ and for
_well-known_ offenders like outlook.com that break greylisting.

SPF is not a security solution, but it is a band-aid that helps to handle
these stupid cloud-based MTAs.

The script below fixes it - or akpoff's slightly more complicated (and
probably more correct) version.

Reyk

---snip---
#!/usr/bin/perl
# Copyright (c) 2016, 2017 Reyk Floeter <r...@openbsd.org>
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

$domain = shift @ARGV or die "usage: $0 domain";
# Domains already expanded via include/redirect, so a loop in the SPF
# chain cannot recurse forever.
%seen = ();

sub parsespf {
	my $domain = shift;
	# Fetch the TXT records and keep only the one starting with v=spf1.
	my @foo = `nslookup -q=TXT $domain`;
	my @results = ();

	foreach (@foo) {
		next if not /$domain\ttext/;
		next if not s/$domain\ttext = "v=spf1([^"]+)"/$1/;
		@results = split /\s+/;
		foreach (@results) {
			# "all" (with any qualifier) is a policy, not an address.
			next if /^[-+~?]?all$/;
			if (s/^ip[46]://) {
				# One address or network per line, as pfctl -T load wants it.
				print "$_\n";
			} elsif (s/^(redirect|include)[:=]//) {
				# Comment line marks where the included domain's entries start.
				print "\n#$_\n";
				if (!$seen{$_}) {
					$seen{$_} = 1;
					parsespf($_);
				}
			}
		}
	}
}

parsespf($domain);
0;
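The same recursive include/redirect walk, written as an added Python example (not Reyk's or akpoff's script): it adds the two guards a defender wants when feeding SPF into a firewall table, a visited set against include loops and RFC 7208's limit of 10 DNS-querying terms, and resolves against a constructed in-memory TXT table (FAKE_DNS, not real records) so it runs offline.

```python
import re

# Constructed SPF records standing in for DNS TXT lookups (not real data).
# loop.example.test includes _spf.example.test, which redirects back to it.
FAKE_DNS = {
    "example.test": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.test -all"],
    "_spf.example.test": ["v=spf1 ip6:2001:db8::/32 redirect=loop.example.test"],
    "loop.example.test": ["v=spf1 include:_spf.example.test ip4:198.51.100.7 ~all"],
}

SPF_PREFIX = "v=spf1"
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying terms

def lookup_txt(domain, resolver=FAKE_DNS):
    """Stand-in for a TXT query; swap in a real resolver for production use."""
    return resolver.get(domain.lower().rstrip("."), [])

def spf_networks(domain, resolver=FAKE_DNS, seen=None, lookups=None):
    """Return the ip4/ip6 networks reachable from the domain's SPF record."""
    seen = set() if seen is None else seen
    lookups = [0] if lookups is None else lookups   # shared counter
    domain = domain.lower().rstrip(".")
    if domain in seen:                              # include/redirect cycle
        return []
    seen.add(domain)
    nets = []
    for txt in lookup_txt(domain, resolver):
        if txt != SPF_PREFIX and not txt.startswith(SPF_PREFIX + " "):
            continue                                # not the SPF record
        for term in txt.split()[1:]:
            if re.fullmatch(r"[-+~?]?all", term):
                continue                            # policy, not an address
            m = re.fullmatch(r"[-+~?]?(ip4|ip6):(.+)", term)
            if m:
                nets.append(m.group(2))
                continue
            m = re.fullmatch(r"[-+~?]?(include:|redirect=)(.+)", term)
            if m:
                lookups[0] += 1
                if lookups[0] > MAX_LOOKUPS:
                    raise ValueError("SPF lookup limit exceeded at %s" % domain)
                nets.extend(spf_networks(m.group(2), resolver, seen, lookups))
    return nets

def pfctl_table(domain, resolver=FAKE_DNS):
    """Render the networks as input for pfctl -T load, one prefix per line."""
    return "\n".join(dict.fromkeys(spf_networks(domain, resolver)))  # de-dup

if __name__ == "__main__":
    print(pfctl_table("example.test"))
```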