Bug#779253: rmilter: Incorrect SPF Check For Null MailFrom

2015-02-25 Thread Scott Kitterman
Package: rmilter
Version: 1.6.1
Severity: normal
Tags: upstream

Dear Maintainer,

If you look at src/spf.c you'll see the following code snippet:

/* No domain part in envfrom field - do not make spf check */
if (domain_pos == NULL) {
    return 1;
}

This is not the correct behavior for the SPF protocol.  If you look at RFC
7208 section 2.4 (the second paragraph), it says:

   [RFC5321] allows the reverse-path to be null (see Section 4.5.5 in
   [RFC5321]).  In this case, there is no explicit sender mailbox, and
   such a message can be assumed to be a notification message from the
   mail system itself.  When the reverse-path is null, this document
   defines the MAIL FROM identity to be the mailbox composed of the
   local-part postmaster and the HELO identity (which might or might
   not have been checked separately before).

Rather than simply return in this case, rmilter should retrieve the remote
host's HELO/EHLO identity and perform the check with postmaster@HELO.

Note: Although RFC 7208 is fairly recent, the requirement was the same in its
predecessor RFC 4408.


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
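As an added illustration of the rule the report cites (this is example code, not rmilter's src/spf.c and not the reporter's), the helper below derives the identity SPF should check from a MAIL FROM / HELO pair: a null reverse-path becomes postmaster@HELO per RFC 7208 section 2.4 instead of skipping the check, while an address with no domain part still cannot be queried. The function name and signature are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not rmilter's code: derive the identity SPF must check
 * for a MAIL FROM / HELO pair per RFC 7208 section 2.4. Returns 1 and fills
 * mailbox and domain when a check is possible, 0 when there is no domain to
 * query (malformed address, or null sender with no HELO identity). */
int spf_mailfrom_identity(const char *envfrom, const char *helo,
                          char *mailbox, size_t mailbox_len,
                          char *domain, size_t domain_len)
{
    const char *start = envfrom ? envfrom : "";
    const char *end, *at = NULL, *p;
    size_t mlen, dlen;

    /* Strip the optional <...> around the reverse-path. */
    if (*start == '<')
        start++;
    end = start + strlen(start);
    if (end > start && end[-1] == '>')
        end--;

    if (end == start) {
        /* Null reverse-path: identity is postmaster@HELO, so the check
         * runs against the HELO domain instead of being skipped. */
        if (helo == NULL || *helo == '\0')
            return 0;
        if (snprintf(mailbox, mailbox_len, "postmaster@%s", helo) >= (int)mailbox_len)
            return 0;
        if (snprintf(domain, domain_len, "%s", helo) >= (int)domain_len)
            return 0;
        return 1;
    }
    /* Non-null sender: the domain is whatever follows the last '@'. */
    for (p = start; p < end; p++)
        if (*p == '@')
            at = p;
    if (at == NULL || at + 1 == end)
        return 0; /* no domain part: nothing to look up */
    mlen = (size_t)(end - start);
    dlen = (size_t)(end - at - 1);
    if (mlen >= mailbox_len || dlen >= domain_len)
        return 0;
    memcpy(mailbox, start, mlen);
    mailbox[mlen] = '\0';
    memcpy(domain, at + 1, dlen);
    domain[dlen] = '\0';
    return 1;
}
```

The returned domain is what a check_host() style lookup would query; a 0 result is the only case where skipping the SPF check is justified.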



Bug#779253: rmilter: Incorrect SPF Check For Null MailFrom

2015-02-25 Thread Mikhail Gusarov
package rmilter
forwarded 779253 https://github.com/vstakhov/rmilter/issues/20
thanks

On Wed, Feb 25, 2015, at 23:05, Scott Kitterman wrote:
> Package: rmilter
> Version: 1.6.1
> Severity: normal
> Tags: upstream
> 
> Dear Maintainer,
> 
> If you look at src/spf.c you'll see the following code snippet:
> 
> /* No domain part in envfrom field - do not make spf check */
> if (domain_pos == NULL) {
>     return 1;
> }
> 
> This is not the correct behavior for the SPF protocol.  If you look at RFC
> 7208 section 2.4 (the second paragraph), it says:
> 
>    [RFC5321] allows the reverse-path to be null (see Section 4.5.5 in
>    [RFC5321]).  In this case, there is no explicit sender mailbox, and
>    such a message can be assumed to be a notification message from the
>    mail system itself.  When the reverse-path is null, this document
>    defines the MAIL FROM identity to be the mailbox composed of the
>    local-part postmaster and the HELO identity (which might or might
>    not have been checked separately before).
> 
> Rather than simply return in this case, rmilter should retrieve the remote
> host's HELO/EHLO identity and perform the check with postmaster@HELO.
> 
> Note: Although RFC 7208 is fairly recent, the requirement was the same in its
> predecessor RFC 4408.
