pyspf-2.0.14/0000775000175000017500000000000013603255513013632 5ustar stuartstuart00000000000000pyspf-2.0.14/setup.py0000775000175000017500000000260413552212044015344 0ustar stuartstuart00000000000000#!/usr/bin/python from distutils.core import setup import sys DESC = """SPF (Sender Policy Framework) implemented in Python.""" with open("README.md", "r") as fh: LONG_DESC = fh.read() setup(name='pyspf', version='2.0.14', description=DESC, long_description=LONG_DESC, long_description_content_type="text/markdown", author='Terence Way', author_email='terry@wayforward.net', maintainer="Stuart D. Gathman", maintainer_email="stuart@gathman.org", url='https://github.com/sdgathman/pyspf/', license='Python Software Foundation License', py_modules=['spf'], keywords = ['spf','email','forgery'], scripts = ['type99.py','spfquery.py'], classifiers = [ 'Development Status :: 5 - Production/Stable', 'Environment :: No Input/Output (Daemon)', 'Intended Audience :: Developers', 'License :: OSI Approved :: Python Software Foundation License', 'Natural Language :: English', 'Operating System :: OS Independent', 'Programming Language :: Python', 'Programming Language :: Python :: 3', 'Topic :: Communications :: Email :: Mail Transport Agents', 'Topic :: Communications :: Email :: Filters', 'Topic :: Internet :: Name Service (DNS)', 'Topic :: Software Development :: Libraries :: Python Modules' ] ) if sys.version_info < (2, 6): raise Exception("pyspf 2.0.6 and later requires at least python2.6.") pyspf-2.0.14/PKG-INFO0000664000175000017500000002412013603255513014726 0ustar stuartstuart00000000000000Metadata-Version: 1.1 Name: pyspf Version: 2.0.14 Summary: SPF (Sender Policy Framework) implemented in Python. Home-page: https://github.com/sdgathman/pyspf/ Author: Stuart D. Gathman Author-email: stuart@gathman.org License: Python Software Foundation License Description: # SPF ## Sender-Policy-Framework queries in Python. ### Quick Start Installation ------------ This package requires either the dns (dnspython) or DNS (PyDNS/Py3DNS modules and either the ipaddr module or python3.3 and later. It does not work with the ipaddress module backport. For dnspython, at least version 1.16.0 is required. The authres module is required to process and generate RFC 7601 Authentication Results headers. These can all be installed from pypi via pip. Additionally, they are also available via many distribution packaging systems. pyspf uses traditional python distutils, so dependencies are not installed automatically. pyspf can be installed from pypi via pip or manually: After unpacking the source distribution, install this in your site- specific Python extension directory:: % python setup.py build % su # python setup.py install The minimum Python version required is python2.6. The spf module in this version has been tested with python3 versions through python3.8. Testing ------- After this package is installed, cd into the test directory and execute testspf.py:: % cd test % python testspf.py WARN: invalid-domain-long in rfc4408-tests.yml, 8.1/2, 5/10: fail preferred to temperror WARN: txttimeout in rfc4408-tests.yml, 4.4/1: fail preferred to temperror WARN: spfoverride in rfc4408-tests.yml, 4.5/5: pass preferred to fail WARN: multitxt1 in rfc4408-tests.yml, 4.5/5: pass preferred to permerror WARN: multispf2 in rfc4408-tests.yml, 4.5/6: permerror preferred to pass .. ---------------------------------------------------------------------- Ran 2 tests in 3.036s OK This runs the SPF council test-suite as of when this package was built. It does not test the pyDNS installation, but uses an internal driver. This avoids changing results due to DNS timeouts. In addition, spf.py runs an internal self-test every time it is used from the command line. If you're running on Mac OS X, and it looks like DNS.DiscoverNameServers() is failing, you'll need to edit your /etc/resolv.conf and specify a domain name. For some reason, OS X writes out resolv.conf with a single 'domain' line, which isn't good at all. Later versions of py3dns have been updated to better support Max OS X. Description =========== SPF does email sender validation. For more information about SPF, please see http://www.openspf.net/ One incompatible change was introduced in version 1.7. Prior to version 1.7, connections from a local IP address (127...) would always return a Pass result. The special case was eliminated. Programs calling pySPF should not do SPF checks on locally submitted mail. This SPF client is intended to be installed on the border MTA, checking if incoming SMTP clients are permitted to forward mail. The SPF check should be done during the MAIL FROM:<...> command. There are two ways to use this package. The first is from the command line:: % python spf.py {ip-addr} {mail-from} {helo} For instance, during an SMTP exchange from client 69.55.226.139:: S: 220 mail.example.com ESMTP Postfix C: EHLO mx1.wayforward.net S: 250-mail.example.com S: ... S: 250 8BITMIME C: MAIL FROM: Then the following command line would check if this is a valid sender:: % ./spf.py 69.55.226.139 terry@wayforward.net mx1.wayforward.net ('pass', 250, 'sender SPF authorized') Command line calls return RFC 4408/7208 result codes, i.e. 'pass', 'fail', 'neutral', 'softfail, 'permerror', or 'temperror'. The second way is via the module's APIs. The legacy (pySPF 1.6) API: >>> import spf >>> spf.check(i='69.55.226.139', ... s='terry@wayforward.net', ... h='mx1.wayforward.net') ('pass', 250, 'sender SPF authorized') The first element in the tuple is one of 'pass', 'fail', 'netural', 'softfail', 'unknown', or 'error'. The second is the SMTP response status code: 550 for 'fail', 450 for 'error' and 250 for all else. The third is an explanation. Note: SPF results alone are never sufficient to decide that a message should be accepted. Accept, reject, or defer decisions are a function of local reciever policy. The RFC 4408/7208 compliant API:: >>> import spf >>> spf.check2(i='69.55.226.139', ... s='terry@wayforward.net', ... h='mx1.wayforward.net') ('pass', 'sender SPF verified') The first element in the tuple is one of 'pass', 'fail', 'neutral', 'softfail, 'permerror', or 'temperror'. The second is an explanation. This package also provides two additional helper scripts; type99.py and spfquery.py. The type99.py script will convert DNS TXT strings to a binary equivalent suitable for use in a BIND zone file. The spfquery.py script is a Python reimplementination of Wayne Schlitt's spfquery command line tool. The type99.py script is called from the command line as follows: python type99.py "v=spf1 -all" {Note: Use your desired SPF record instead.} \# 12 0b763d73706631202d616c6c {This is the correct result for "v=spf1 -all"} or python type99 - {File name} The input file format is a standard BIND Zone file. The type99 script will add a Type99 record for each TXT record found in the file. Use of DNS type 99 (type SPF) was removed from SPF in RFC 7208, so this script should be of historical interest only. The spfquery.py script is called with a number of possible options. Options can either use standard '-' prefix or be PERL style long options, '--'. Supported options are: "--file" or "-file" {filename}: Read the query (or queries) from the designated file. If {filename} is '0', then query inputs are read from STDIN. "--ip" or "-ip" {address}: Client IP address to use for SPF check. "--sender" or "-sender" {Mail From address}: Envelope sender from which mail was received. "--helo" or "-helo" {client hostname}: HELO/EHLO name used by SMTP client. "--local" or "-local" {local policy SPF string}: Additional SPF mechanisms to be checked on the basis of local policy. Note that local policy matches are not strictly SPF results. Local policy processing is not defined in RFC 4408 or RFC 7208. Result may vary among SPF implementations. "--rcpt-to" or "rcpt-to" {rcpt-to address - if available}: Receipt to address is not used for actual SPF processing, but if available it can be useful for logging, spf-received header construction, and providing useful rejection messages when messages are rejected due to SPF. --default-explanation" or "-default-explanation" {explanation string}: Default Fail explanation string to be used. "--sanitize" or "-sanitize" and "--debug" or "-debug": These options are no-op in the Python implementation, but are valid inputs to provide compatibliity with input files developed to work with the original PERL and C spfquery implementations. Overall per SPF check time limits can be controlled by passing querytime to the spf.check2 function or when initializing a spf.query object. It is set to 20 seconds by default based on RFC 7208. If querytime is set to 0, then the overall time limit is disabled and the per DNS lookup limit is used instead. This defaults to 20 seconds and can be controlled via spf.MAX_PER_LOOKUP_TIME. RFC 4408 says that the overall limit MAY be used and recommends no less than 20 seconds if it is. RFC 7208 is stronger, so a default limit aligned to the RFC requirements is now used. License: Python Software Foundation License Author: Terence Way terry@wayforward.net http://www.wayforward.net/spf/ Maintainers: Stuart Gathman stuart@gathman.org Scott Kitterman scott@kitterman.com http://cheeseshop.python.org/pypi/pyspf Code is currently hosted at https://github.com/sdgathman/pyspf/ Keywords: spf,email,forgery Platform: UNKNOWN Classifier: Development Status :: 5 - Production/Stable Classifier: Environment :: No Input/Output (Daemon) Classifier: Intended Audience :: Developers Classifier: License :: OSI Approved :: Python Software Foundation License Classifier: Natural Language :: English Classifier: Operating System :: OS Independent Classifier: Programming Language :: Python Classifier: Programming Language :: Python :: 3 Classifier: Topic :: Communications :: Email :: Mail Transport Agents Classifier: Topic :: Communications :: Email :: Filters Classifier: Topic :: Internet :: Name Service (DNS) Classifier: Topic :: Software Development :: Libraries :: Python Modules pyspf-2.0.14/spfquery.py0000775000175000017500000001076513353537453016106 0ustar stuartstuart00000000000000#!/usr/bin/python # Author: Stuart D. Gathman # Copyright 2004 Business Management Systems, Inc. # This module is free software, and you may redistribute it and/or modify # it under the same terms as Python itself, so long as this copyright message # and disclaimer are retained in their original form. # Emulate the spfquery command line tool used by Wayne Schlitt's SPF test suite # $Log$ # Revision 1.4.2.3 2011/10/27 04:44:58 kitterma # Update spfquery.py to work with 2.6, 2.7, and 3.2: # - raise ... as ... # - print() # # Revision 1.4.2.2 2008/03/26 14:34:35 kitterma # Change shebangs to #!/usr/bin/python throughout. # # Revision 1.4.2.1 2006/12/23 05:31:22 kitterma # Minor updates for packaging lessons learned from Ubuntu # # Revision 1.4 2006/11/20 18:39:41 customdesigned # Change license on spfquery.py. Update README. Move tests to test directory. # # Revision 1.3 2005/07/22 02:11:57 customdesigned # Use dictionary to check for CNAME loops. Check limit independently for # each top level name, just like for PTR. # # Revision 1.2 2005/07/14 04:18:01 customdesigned # Bring explanations and Received-SPF header into line with # the unknown=PermErr and error=TempErr convention. # Hope my case-sensitive mech fix doesn't clash with Scotts. # # Revision 1.1.1.1 2005/06/20 19:57:32 customdesigned # Move Python SPF to its own module. # # Revision 1.2 2005/06/02 04:18:55 customdesigned # Update copyright notices after reading article on /. # # Revision 1.1.1.1 2005/05/31 18:07:19 customdesigned # Release 0.6.9 # # Revision 2.3 2004/04/19 22:12:11 stuart # Release 0.6.9 # # Revision 2.2 2004/04/18 03:29:35 stuart # Pass most tests except -local and -rcpt-to # # Revision 2.1 2004/04/08 18:41:15 stuart # Reject numeric hello names # # Driver for SPF test system import spf import sys from optparse import OptionParser class PerlOptionParser(OptionParser): def _process_args (self, largs, rargs, values): """_process_args(largs : [string], rargs : [string], values : Values) Process command-line arguments and populate 'values', consuming options and arguments from 'rargs'. If 'allow_interspersed_args' is false, stop at the first non-option argument. If true, accumulate any interspersed non-option arguments in 'largs'. """ while rargs: arg = rargs[0] # We handle bare "--" explicitly, and bare "-" is handled by the # standard arg handler since the short arg case ensures that the # len of the opt string is greater than 1. if arg == "--": del rargs[0] return elif arg[0:2] == "--": # process a single long option (possibly with value(s)) self._process_long_opt(rargs, values) elif arg[:1] == "-" and len(arg) > 1: # process a single perl style long option rargs[0] = '-' + arg self._process_long_opt(rargs, values) elif self.allow_interspersed_args: largs.append(arg) del rargs[0] else: return def format(q): res,code,txt = q.check() print(res) if res in ('pass','neutral','unknown'): print() else: print(txt) print('spfquery:',q.get_header_comment(res)) print('Received-SPF:',q.get_header(res,'spfquery')) def main(argv): parser = PerlOptionParser() parser.add_option("--file",dest="file") parser.add_option("--ip",dest="ip") parser.add_option("--sender",dest="sender") parser.add_option("--helo",dest="hello_name") parser.add_option("--local",dest="local_policy") parser.add_option("--rcpt-to",dest="rcpt") parser.add_option("--default-explanation",dest="explanation") parser.add_option("--sanitize",type="int",dest="sanitize") parser.add_option("--debug",type="int",dest="debug") opts,args = parser.parse_args(argv) if opts.ip: q = spf.query(opts.ip,opts.sender,opts.hello_name,local=opts.local_policy) if opts.explanation: q.set_default_explanation(opts.explanation) format(q) if opts.file: if opts.file == '0': fp = sys.stdin else: fp = open(opts.file,'r') for ln in fp: ip,sender,helo,rcpt = ln.split(None,3) q = spf.query(ip,sender,helo,local=opts.local_policy) if opts.explanation: q.set_default_explanation(opts.explanation) format(q) fp.close() if __name__ == "__main__": import sys main(sys.argv[1:]) pyspf-2.0.14/CHANGELOG0000664000175000017500000001772313603204342015050 0ustar stuartstuart00000000000000Version 2.0.14 * Fix doctest for CNAME fixes to work with python and python3 * Fix dnspython integration so that SPF TempError is properly raised when there are timeout or no nameserver errors * Add missing use of timeout parameter for dnspython DNSLookup * Restore DNSLookup API for pydnsv(DNS) for tcp fallback works again * Update Installation section of README.md Version 2.0.13 - September 2, 2019 * Add support for use of dnspython (dns) if installed * Catch ValueError due to improper IP address in connect IP or in ip4/ip6 mechanisms * Fix for CNAME processing causing incorrect permerrors Version 2.0.12 - August 5, 2015 * Reset void_lookups at top of check() * Ignore permerror for best_guess() * Don't crash on null DNS TXT record (ignore): test case null-text * Trailing spaces are allowed by 4.5/2: test case trailing-space * Make CNAME loop result in unknown host: test case ptr-cname-loop * Test case and fix for mixed case CNAME loop, test case ptr-cname-loop Version 2.0.11 - December 5, 2014 * Fix another bug in SPF record parsing that caused records with terms separated by multple spaces as invalid, but they are fine per the ABNF * Downcase names in additional answers returned by DNS before adding to cache, since case inconsistency can cause PTR match failures (initial patch thanks to Joni Fieggen) and other problems. Version 2.0.10 - September 2, 2014 * Fix bug in SPF record parsing that caused all 'whitespace' characters to be considered valid term separators and not just spaces * Fixed multiple bugs in temperror processing that would lead to tracebacks instead of correct error processing * Fix AAAA not flagged as bytes when strict=2 * Include '~' as safe char in url quoted macro expansion Version 2.0.9 - April 29, 2014 * Update for new SPF standards track RFC 7208 - Add processing for new void lookups processing limit - Default SPF process timeout limit to 20 seconds per RFC 7208 4.6.4 - Change default DNS timeout to 20 seconds in DNSLookup to better match RFC 7208 4.6.4 - Make mx lookups > 10 a permerror per RFC 7208 and mx-limit test - Add RFC 7208 specific test suite and make allowance for RFC 7208 changes in RFC 4408 test suite - Convert YAML tests to TestCases, and have testspf.py return success/fail. Version 2.0.8 - July 24, 2013 * Use ipaddr/ipaddres module in place of custom IP processing code * Numerous python3 compatibility fixes * Improved unicode error detection in SPF records * Fixed a bug caused by a null CNAME in cache Version 2.0.7 - January 19, 2012 * Allow for timeouts to be global for all DNS lookups instead of per DNS lookup to allow for MAY processing time limitsin RFC 4408 10.1. See README for details. * Use openspf.net for SPF web site instead of openspf.org * Extend query.get_header to return either Received-SPF (still default) or RFC 5451 Authentication Results headers (needs authres 0.3 or later) * Rework query.parse_header: - Make query.parse_header automatically select Received-DPF or Authentication Results header types and use them to collect SPF results from trusted relays - Add query.parse_header_spf and query.parse_header_ar functions for header type specific processing * Finish Python3 port - works with python2.6/2.7/3.2 and 2to3 is no longer required - will also work with newer py3dns where TXT records are returned as type bytes and not strings * Accounts for new py3dns error classes coming in py3dns 3.0.2 (but fully backward compatible with earlier versions) * check for 7-bit ascii on TXT and SPF records * fix CNAME chain duplicating TXT records Version 2.0.6 - October 27, 2011 * Refactor code so that 2to3 will provide a working python3 module - Now requires at least python2.6 * Update spfquery.py, type99.py, and testspf.py to work with either python or python3 (2to3 not needed for these scripts) - SPF test suite can now be run from either python or python3 * Ensure Temperror for all DNS rcodes other than 0 and 3 per RFC 4408 * Parse Received-SPF header * Report CIDR error only for valid mechanism * Handle invalid SPF record on command line * Add timeout to check2 Version 2.0.5 - July 29, 2008 * Add TCP fallback if DNS UDP reply is truncated - Fixes inconsistent results from trying to use partial UDP replies * Correct Received-SPF formatting * Minor updates to reflect RFC 4408 errata * Added License file for RFC 4408 test suite * Update RFC 4408 test suite from svn * Fix Type99 conversion script to work with multi-string TXT records * Timeout parameter Version 2.0.4 - January 24, 2007 * Correct unofficial 'best guess' processing. * PTR validation processing cleanup * Improved detection of exp= errors * Keyword parameters on get_header() Version 2.0.3 - January 15, 2007 * IPv6 compatibility test fix to support Python 2.2 * Change DNS queries to only check Type SPF in Harsh mode * pyspf requires pydns, python-pyspf requires python-pydns * Record matching mechanism and add to Received-SPF header. * Test for RFC4408 6.2/4, and fix spf.py to comply. * Permerror for more than one exp or redirect modifier. * Parse op= modifier Version 2.0.2 - January 4, 2007 * Update openspf URLs * Update Readme to better describe available pyspf interfaces * Add basic description of type99.py and spfquery.py scripts * Add usage instructions for type99.py DNS RR type conversion script * Add spfquery.py usage instructions * Incorporate downstream feedback from Debian packager * Fix key-value quoting in get_header Version 2.0.1 - December 08, 2006 * Prevent cache poisoning attack * Prevent malformed RR attack * Update license on a few files we missed last time Version 2.0 - November 20, 2006 * Completed RFC 4408 compliance * Added spf.check2 for RFC 4408 compatible result codes * Full IP6 support * Fedora Core compatible RPM spec file * Update README, licenses Version 1.8 - July 26, 2006 * YAML test suite syntax * trailing dot support (RFC4408 8.1) Version 1.7 - July 21, 2005 * Strict processing limits per newly official SPF RFC * Fixed several parsing bugs under RFC * Support official IANA SPF record (type99) * Extended SPF processing results beyond strict RFC limits * Validate spf.py against test suite, and add Received-SPF support to spf.py * Support best_guess for SPF * Support SPF delegation Version 1.6 - December 18, 2003 * Arik Baratz pointed out endian problems using socket.inet_ntoa() and socket.inet_aton(). Use struct.pack("!L", struct.unpack("!L") to fix. Version 1.5 - December 17, 2003 * Replace DNS.addr2bin() and DNS.bin2addr() with socket.inet_ntoa() and socket.inet_aton(). New code supports n, n.n, and n.n.n formats for IPv4 addresses, and gets rid of annoying Python 2.4 future warnings Version 1.4 - December 16, 2003 * Greg Connor discovered that SPF queries to altavista.com were broken. This was testing to see if a mechanism needs to be macro expanded _before_ leading ? + - characters were removed. * Fixed include handling to be a real mechanism: -include must work. Version 1.3.1 - December 14, 2003 * Forgot to include new test file in distribution. * Forgot CHANGELOG in distribution. Version 1.3 - December 13, 2003 * Add %{o} (original sender domain) macro * The ./spf.py {spf} {ipaddr} {sender} {helo} command line didn't print out the results. Oops. * Support default= so Meng's test #6 'v=spf1 default=deny' works * Any IP address '127.*.*.*' automatically pass, so all Meng's tests work * Follow DNS CNAMES * Cache DNS results, including additional info, reducing DNS query load * Support Python 2.2 (doesn't have bool, True, False: those are added in Python 2.2.1) Version 1.2 - December 11, 2003 * Added exp= (explanation) and redirect= modifiers * Added macros Version 1.1 - December 9, 2003 * Meng Weng Wong added PTR code, THANK YOU Version 1.0 - December 9, 2003 * Initial Version pyspf-2.0.14/README.md0000664000175000017500000001714713603255510015120 0ustar stuartstuart00000000000000# SPF ## Sender-Policy-Framework queries in Python. ### Quick Start Installation ------------ This package requires either the dns (dnspython) or DNS (PyDNS/Py3DNS modules and either the ipaddr module or python3.3 and later. It does not work with the ipaddress module backport. For dnspython, at least version 1.16.0 is required. The authres module is required to process and generate RFC 7601 Authentication Results headers. These can all be installed from pypi via pip. Additionally, they are also available via many distribution packaging systems. pyspf uses traditional python distutils, so dependencies are not installed automatically. pyspf can be installed from pypi via pip or manually: After unpacking the source distribution, install this in your site- specific Python extension directory:: % python setup.py build % su # python setup.py install The minimum Python version required is python2.6. The spf module in this version has been tested with python3 versions through python3.8. Testing ------- After this package is installed, cd into the test directory and execute testspf.py:: % cd test % python testspf.py WARN: invalid-domain-long in rfc4408-tests.yml, 8.1/2, 5/10: fail preferred to temperror WARN: txttimeout in rfc4408-tests.yml, 4.4/1: fail preferred to temperror WARN: spfoverride in rfc4408-tests.yml, 4.5/5: pass preferred to fail WARN: multitxt1 in rfc4408-tests.yml, 4.5/5: pass preferred to permerror WARN: multispf2 in rfc4408-tests.yml, 4.5/6: permerror preferred to pass .. ---------------------------------------------------------------------- Ran 2 tests in 3.036s OK This runs the SPF council test-suite as of when this package was built. It does not test the pyDNS installation, but uses an internal driver. This avoids changing results due to DNS timeouts. In addition, spf.py runs an internal self-test every time it is used from the command line. If you're running on Mac OS X, and it looks like DNS.DiscoverNameServers() is failing, you'll need to edit your /etc/resolv.conf and specify a domain name. For some reason, OS X writes out resolv.conf with a single 'domain' line, which isn't good at all. Later versions of py3dns have been updated to better support Max OS X. Description =========== SPF does email sender validation. For more information about SPF, please see http://www.openspf.net/ One incompatible change was introduced in version 1.7. Prior to version 1.7, connections from a local IP address (127...) would always return a Pass result. The special case was eliminated. Programs calling pySPF should not do SPF checks on locally submitted mail. This SPF client is intended to be installed on the border MTA, checking if incoming SMTP clients are permitted to forward mail. The SPF check should be done during the MAIL FROM:<...> command. There are two ways to use this package. The first is from the command line:: % python spf.py {ip-addr} {mail-from} {helo} For instance, during an SMTP exchange from client 69.55.226.139:: S: 220 mail.example.com ESMTP Postfix C: EHLO mx1.wayforward.net S: 250-mail.example.com S: ... S: 250 8BITMIME C: MAIL FROM: Then the following command line would check if this is a valid sender:: % ./spf.py 69.55.226.139 terry@wayforward.net mx1.wayforward.net ('pass', 250, 'sender SPF authorized') Command line calls return RFC 4408/7208 result codes, i.e. 'pass', 'fail', 'neutral', 'softfail, 'permerror', or 'temperror'. The second way is via the module's APIs. The legacy (pySPF 1.6) API: >>> import spf >>> spf.check(i='69.55.226.139', ... s='terry@wayforward.net', ... h='mx1.wayforward.net') ('pass', 250, 'sender SPF authorized') The first element in the tuple is one of 'pass', 'fail', 'netural', 'softfail', 'unknown', or 'error'. The second is the SMTP response status code: 550 for 'fail', 450 for 'error' and 250 for all else. The third is an explanation. Note: SPF results alone are never sufficient to decide that a message should be accepted. Accept, reject, or defer decisions are a function of local reciever policy. The RFC 4408/7208 compliant API:: >>> import spf >>> spf.check2(i='69.55.226.139', ... s='terry@wayforward.net', ... h='mx1.wayforward.net') ('pass', 'sender SPF verified') The first element in the tuple is one of 'pass', 'fail', 'neutral', 'softfail, 'permerror', or 'temperror'. The second is an explanation. This package also provides two additional helper scripts; type99.py and spfquery.py. The type99.py script will convert DNS TXT strings to a binary equivalent suitable for use in a BIND zone file. The spfquery.py script is a Python reimplementination of Wayne Schlitt's spfquery command line tool. The type99.py script is called from the command line as follows: python type99.py "v=spf1 -all" {Note: Use your desired SPF record instead.} \# 12 0b763d73706631202d616c6c {This is the correct result for "v=spf1 -all"} or python type99 - {File name} The input file format is a standard BIND Zone file. The type99 script will add a Type99 record for each TXT record found in the file. Use of DNS type 99 (type SPF) was removed from SPF in RFC 7208, so this script should be of historical interest only. The spfquery.py script is called with a number of possible options. Options can either use standard '-' prefix or be PERL style long options, '--'. Supported options are: "--file" or "-file" {filename}: Read the query (or queries) from the designated file. If {filename} is '0', then query inputs are read from STDIN. "--ip" or "-ip" {address}: Client IP address to use for SPF check. "--sender" or "-sender" {Mail From address}: Envelope sender from which mail was received. "--helo" or "-helo" {client hostname}: HELO/EHLO name used by SMTP client. "--local" or "-local" {local policy SPF string}: Additional SPF mechanisms to be checked on the basis of local policy. Note that local policy matches are not strictly SPF results. Local policy processing is not defined in RFC 4408 or RFC 7208. Result may vary among SPF implementations. "--rcpt-to" or "rcpt-to" {rcpt-to address - if available}: Receipt to address is not used for actual SPF processing, but if available it can be useful for logging, spf-received header construction, and providing useful rejection messages when messages are rejected due to SPF. --default-explanation" or "-default-explanation" {explanation string}: Default Fail explanation string to be used. "--sanitize" or "-sanitize" and "--debug" or "-debug": These options are no-op in the Python implementation, but are valid inputs to provide compatibliity with input files developed to work with the original PERL and C spfquery implementations. Overall per SPF check time limits can be controlled by passing querytime to the spf.check2 function or when initializing a spf.query object. It is set to 20 seconds by default based on RFC 7208. If querytime is set to 0, then the overall time limit is disabled and the per DNS lookup limit is used instead. This defaults to 20 seconds and can be controlled via spf.MAX_PER_LOOKUP_TIME. RFC 4408 says that the overall limit MAY be used and recommends no less than 20 seconds if it is. RFC 7208 is stronger, so a default limit aligned to the RFC requirements is now used. License: Python Software Foundation License Author: Terence Way terry@wayforward.net http://www.wayforward.net/spf/ Maintainers: Stuart Gathman stuart@gathman.org Scott Kitterman scott@kitterman.com http://cheeseshop.python.org/pypi/pyspf Code is currently hosted at https://github.com/sdgathman/pyspf/ pyspf-2.0.14/MANIFEST.in0000664000175000017500000000040413603251645015370 0ustar stuartstuart00000000000000include README* include MANIFEST.in include NOTES include CHANGELOG include spf.py include spfquery.py include type99.py include setup.py include setup.cfg include test/*.yml include test/*.LICENSE include test/*.CHANGES include test/testspf.py include *.spec pyspf-2.0.14/pyspf.spec0000664000175000017500000001523713552211746015662 0ustar stuartstuart00000000000000%define __python python2.6 %if "%{dist}" == ".el4" || "%{dist}" == ".el5" %define pythonbase python26 %else %define pythonbase python %endif %{!?python_sitelib: %define python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")} Name: %{pythonbase}-pyspf Version: 2.0.14 Release: 1 Summary: Python module and programs for SPF (Sender Policy Framework). Group: Development/Languages License: Python Software Foundation License URL: http://sourceforge.net/forum/forum.php?forum_id=596908 Source0: pyspf-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildArch: noarch BuildRequires: %{pythonbase}-devel Requires: %{pythonbase}-pydns, %{pythonbase} >= 2.6 Requires: %{pythonbase}-authres %{pythonbase}-ipaddr >= 2.1.10 %description SPF does email sender validation. For more information about SPF, please see http://openspf.net This SPF client is intended to be installed on the border MTA, checking if incoming SMTP clients are permitted to send mail. The SPF check should be done during the MAIL FROM:<...> command. %define namewithoutpythonprefix %(echo %{name} | sed 's/^%{pythonbase}-//') %prep %setup -q -n %{namewithoutpythonprefix}-%{version} %build %{__python} setup.py build %install rm -rf $RPM_BUILD_ROOT %{__python} setup.py install -O1 --skip-build --root $RPM_BUILD_ROOT mv $RPM_BUILD_ROOT/usr/bin/type99.py $RPM_BUILD_ROOT/usr/bin/type99 mv $RPM_BUILD_ROOT/usr/bin/spfquery.py $RPM_BUILD_ROOT/usr/bin/spfquery rm -f $RPM_BUILD_ROOT/usr/bin/*.py{o,c} %check %{__python} spf.py %clean rm -rf $RPM_BUILD_ROOT %files %defattr(-,root,root,-) %doc CHANGELOG PKG-INFO README test %{python_sitelib}/spf.py* /usr/bin/type99 /usr/bin/spfquery /usr/lib/python2.6/site-packages/pyspf-%{version}-py2.6.egg-info %changelog * Thu Oct 17 2019 Stuart Gathman 2.0.14-1 - Fix doctest for CNAME fixes to work with python and python3 - Fix dnspython integration so that SPF TempError is properly raised when there are timeout or no nameserver errors - Restore DNSLookup API for pydnsv(DNS) for tcp fallback works again * Mon Jul 23 2018 Stuart Gathman 2.0.13-1 - Add support for use of dnspython (dns) if installed - Catch ValueError due to improper IP address in connect IP or in ip4/ip6 mechanisms - Fix for CNAME processing causing incorrect permerrors * Wed Aug 5 2015 Stuart Gathman 2.0.12-1 - Reset void_lookups at top of check() to fix bogus permerror on best_guess() - Ignore permerror for best_guess() - Don't crash on null DNS TXT record (ignore): test case null-text - Trailing spaces are allowed by 4.5/2: test case trailing-space - Make CNAME loop result in unknown host: test case ptr-cname-loop - Test case and fix for mixed case CNAME loop, test case ptr-cname-loop * Fri Dec 5 2014 Stuart Gathman 2.0.11-1 - Fix another bug in SPF record parsing that caused records with terms separated by multple spaces as invalid, but they are fine per the ABNF - Downcase names in additional answers returned by DNS before adding to cache, since case inconsistency can cause PTR match failures (initial patch thanks to Joni Fieggen) and other problems. * Tue Sep 2 2014 Stuart Gathman 2.0.10-1 - Fix AAAA not flagged as bytes when strict=2 - Split mechanisms by space only, not by whitespace - include '~' as safe char in url quoted macro expansion - treat AttributeError from pydns as TempError * Tue Apr 29 2014 Stuart Gathman 2.0.9-1 - RFC7208 support - void lookup limit and test cases - Convert YAML tests to TestCases, and have testspf.py return success/fail. * Tue Jul 23 2013 Stuart Gathman 2.0.8-2 - Test case and fix for PermError on non-ascii chars in non-SPF TXT records - Use ipaddr/ipaddress module in place of custom IP processing code - Numerous python3 compatibility fixes - Improved unicode error detection in SPF records - Fixed a bug caused by a null CNAME in cache * Fri Feb 03 2012 Stuart Gathman 2.0.7-1 - fix CNAME chain duplicating TXT records - local test cases for CNAME chains - python3 compatibility changes e.g. print a -> print(a) - check for 7-bit ascii on TXT and SPF records - Use openspf.net for SPF web site instead of openspf.org - Support Authentication-Results header field - Support overall DNS timeout * Thu Oct 27 2011 Stuart Gathman 2.0.6-2 - Python3 port (still requires 2to3 on spf.py) - Ensure Temperror for all DNS rcodes other than 0 and 3 per RFC 4408 - Parse Received-SPF header - Report CIDR error only for valid mechanism - Handle invalid SPF record on command line - Add timeout to check2 - Check for non-ascii policy * Wed Mar 03 2011 Stuart Gathman 2.0.6-1 - Python-2.6 - parse_header method * Wed Apr 02 2008 Stuart Gathman 2.0.5-1 - Add timeout parameter to query ctor and DNSLookup - Patch from Scott Kitterman to retry truncated results with TCP unless harsh - Validate DNS labels - Reflect decision on empty-exp errata * Wed Jul 25 2007 Stuart Gathman 2.0.4-1 - Correct unofficial 'best guess' processing. - PTR validation processing cleanup - Improved detection of exp= errors - Keyword args for get_header, minor fixes * Mon Jan 15 2007 Stuart Gathman 2.0.3-1 - pyspf requires pydns, python-pyspf requires python-pydns - Record matching mechanism and add to Received-SPF header. - Test for RFC4408 6.2/4, and fix spf.py to comply. - Test for type SPF (type 99) by default in harsh mode only. - Permerror for more than one exp or redirect modifier. - Parse op= modifier * Sat Dec 30 2006 Stuart Gathman 2.0.2-1 - Update openspf URLs - Update Readme to better describe available pyspf interfaces - Add basic description of type99.py and spfquery.py scripts - Add usage instructions for type99.py DNS RR type conversion script - Add spfquery.py usage instructions - Incorporate downstream feedback from Debian packager - Fix key-value quoting in get_header * Fri Dec 08 2006 Stuart Gathman 2.0.1-1 - Prevent cache poisoning attack - Prevent malformed RR attack - Update license on a few files we missed last time * Mon Nov 20 2006 Stuart Gathman 2.0-1 - Completed RFC 4408 compliance - Added spf.check2 for RFC 4408 compatible result codes - Full IP6 support - Fedora Core compatible RPM spec file - Update README, licenses * Tue Sep 26 2006 Stuart Gathman 1.8-1 - YAML test suite syntax - trailing dot support (RFC4408 8.1) * Tue Aug 29 2006 Sean Reifschneider 1.7-1 - Initial RPM spec file. pyspf-2.0.14/spf.py0000775000175000017500000023340613603204342015001 0ustar stuartstuart00000000000000#!/usr/bin/python from __future__ import print_function """SPF (Sender Policy Framework) implementation. Copyright (c) 2003 Terence Way Portions Copyright(c) 2004,2005,2006,2007,2008,2011,2012 Stuart Gathman Portions Copyright(c) 2005,2006,2007,2008,2011,2012,2013,2014 Scott Kitterman Portions Copyright(c) 2013,2014 Stuart Gathman This module is free software, and you may redistribute it and/or modify it under the same terms as Python itself, so long as this copyright message and disclaimer are retained in their original form. IN NO EVENT SHALL THE AUTHOR BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS CODE, EVEN IF THE AUTHOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. THE AUTHOR SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE CODE PROVIDED HEREUNDER IS ON AN "AS IS" BASIS, AND THERE IS NO OBLIGATION WHATSOEVER TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. For more information about SPF, a tool against email forgery, see http://www.openspf.net/ For news, bugfixes, etc. visit the home page for this implementation at http://cheeseshop.python.org/pypi/pyspf/ http://sourceforge.net/projects/pymilter/ http://www.wayforward.net/spf/ """ # CVS Commits since last release (2.0.12): # $Log$ # Revision 1.108.2.152 2016/04/26 03:57:04 kitterma # * Set version and update changelog for 2.0.13 development. # # Revision 1.108.2.151 2016/04/26 03:53:04 kitterma # * Catch ValueError due to improper IP address in connect IP or in ip4/ip6 # mechanisms # # See pyspf_changelog.txt for earlier CVS commits. __author__ = "Terence Way, Stuart Gathman, Scott Kitterman" __email__ = "pyspf@openspf.org" __version__ = "2.0.14" MODULE = 'spf' USAGE = """To check an incoming mail request: % python spf.py [-v] {ip} {sender} {helo} % python spf.py 69.55.226.139 tway@optsw.com mx1.wayforward.net To test an SPF record: % python spf.py [-v] "v=spf1..." {ip} {sender} {helo} % python spf.py "v=spf1 +mx +ip4:10.0.0.1 -all" 10.0.0.1 tway@foo.com a To fetch an SPF record: % python spf.py {domain} % python spf.py wayforward.net To test this script (and to output this usage message): % python spf.py """ import re import sys import socket # for inet_ntoa() and inet_aton() import struct # for pack() and unpack() import time # for time() try: import urllib.parse as urllibparse # for quote() except: import urllib as urllibparse import sys # for version_info() from functools import reduce try: from email.message import Message except ImportError: from email.Message import Message try: # Python standard library as of python3.3 import ipaddress if bytes is str: from ipaddress import Bytes except ImportError: try: import ipaddr as ipaddress from ipaddr import Bytes except ImportError: print('ipaddr module required: http://code.google.com/p/ipaddr-py/') def DNSLookup_pydns(name, qtype, strict=True, timeout=20): try: req = DNS.DnsRequest(name, qtype=qtype, timeout=timeout) resp = req.req() #resp.show() # key k: ('wayforward.net', 'A'), value v # FIXME: pydns returns AAAA RR as 16 byte binary string, but # A RR as dotted quad. For consistency, this driver should # return both as binary string. # if resp.header['tc'] == True: if strict > 1: raise AmbiguityWarning('DNS: Truncated UDP Reply, SPF records should fit in a UDP packet, retrying TCP') try: req = DNS.DnsRequest(name, qtype=qtype, protocol='tcp', timeout=(timeout)) resp = req.req() except DNS.DNSError as x: raise TempError('DNS: TCP Fallback error: ' + str(x)) if resp.header['rcode'] != 0 and resp.header['rcode'] != 3: raise IOError('Error: ' + resp.header['status'] + ' RCODE: ' + str(resp.header['rcode'])) return [((a['name'], a['typename']), a['data']) for a in resp.answers] \ + [((a['name'], a['typename']), a['data']) for a in resp.additional] except AttributeError as x: raise TempError('DNS ' + str(x)) except IOError as x: raise TempError('DNS ' + str(x)) except DNS.DNSError as x: raise TempError('DNS ' + str(x)) def DNSLookup_dnspython(name, qtype, tcpfallback=True, timeout=30): retVal = [] try: # FIXME: how to disable TCP fallback in dnspython if not tcpfallback? answers = dns.resolver.query(name, qtype, lifetime=timeout) for rdata in answers: if qtype == 'A' or qtype == 'AAAA': retVal.append(((name, qtype), rdata.address)) elif qtype == 'MX': retVal.append(((name, qtype), (rdata.preference, rdata.exchange))) elif qtype == 'PTR': retVal.append(((name, qtype), rdata.target.to_text(True))) elif qtype == 'TXT' or qtype == 'SPF': retVal.append(((name, qtype), rdata.strings)) except dns.resolver.NoAnswer: pass except dns.resolver.NXDOMAIN: pass except dns.exception.Timeout as x: raise TempError('DNS ' + str(x)) except dns.resolver.NoNameservers as x: raise TempError('DNS ' + str(x)) return retVal try: # prefer dnspython (the more complete library) import dns import dns.resolver # http://www.dnspython.org import dns.exception if not hasattr(dns.rdatatype,'SPF'): # patch in type99 support dns.rdatatype.SPF = 99 dns.rdatatype._by_text['SPF'] = dns.rdatatype.SPF DNSLookup = DNSLookup_dnspython except: import DNS # https://launchpad.net/pydns if not hasattr(DNS.Type, 'SPF'): # patch in type99 support DNS.Type.SPF = 99 DNS.Type.typemap[99] = 'SPF' DNS.Lib.RRunpacker.getSPFdata = DNS.Lib.RRunpacker.getTXTdata # Fails on Mac OS X? Add domain to /etc/resolv.conf DNS.DiscoverNameServers() DNSLookup = DNSLookup_pydns RE_SPF = re.compile(br'^v=spf1$|^v=spf1 ',re.IGNORECASE) # Regular expression to look for modifiers RE_MODIFIER = re.compile(r'^([a-z][a-z0-9_\-\.]*)=', re.IGNORECASE) # Regular expression to find macro expansions PAT_CHAR = r'%(%|_|-|(\{[^\}]*\}))' RE_CHAR = re.compile(PAT_CHAR) RE_INVALID_MACRO = re.compile(r'(?, from a client with ip address i. h is the HELO/EHLO domain name. This is the RFC4408/7208 compliant pySPF2.0 interface. The interface returns an SPF result and explanation only. SMTP response codes are not returned since neither RFC 4408 nor RFC 7208 does specify receiver policy. Applications updated for RFC 4408 and RFC 7208 should use this interface. The maximum time, in seconds, this function is allowed to run before a TempError is returned is controlled by querytime. When set to 0 the timeout parameter (default 20 seconds) controls the time allowed for each DNS lookup. When set to a non-zero value, it total time for all processing related to the SPF check is limited to querytime (default 20 seconds as recommended in RFC 7208, paragraph 4.6.4). Returns (result, explanation) where result in ['pass', 'permerror', 'fail', 'temperror', 'softfail', 'none', 'neutral' ]. Example: #>>> check2(i='61.51.192.42', s='liukebing@bcc.com', h='bmsi.com') """ res,_,exp = query(i=i, s=s, h=h, local=local, receiver=receiver,timeout=timeout,verbose=verbose,querytime=querytime).check() return res,exp def check(i, s, h, local=None, receiver=None, verbose=False): """Test an incoming MAIL FROM:, from a client with ip address i. h is the HELO/EHLO domain name. This is the pre-RFC SPF Classic interface. Applications written for pySPF 1.6/1.7 can use this interface to allow pySPF2 to be a drop in replacement for older versions. With the exception of result codes, performance in RFC 4408 compliant. Returns (result, code, explanation) where result in ['pass', 'unknown', 'fail', 'error', 'softfail', 'none', 'neutral' ]. Example: #>>> check(i='61.51.192.42', s='liukebing@bcc.com', h='bmsi.com') """ res,code,exp = query(i=i, s=s, h=h, local=local, receiver=receiver, verbose=verbose).check() if res == 'permerror': res = 'unknown' elif res == 'tempfail': res =='error' return res, code, exp class query(object): """A query object keeps the relevant information about a single SPF query: i: ip address of SMTP client in dotted notation s: sender declared in MAIL FROM:<> l: local part of sender s d: current domain, initially domain part of sender s h: EHLO/HELO domain v: 'in-addr' for IPv4 clients and 'ip6' for IPv6 clients t: current timestamp p: SMTP client domain name o: domain part of sender s r: receiver c: pretty ip address (different from i for IPv6) This is also, by design, the same variables used in SPF macro expansion. Also keeps cache: DNS cache. """ def __init__(self, i, s, h, local=None, receiver=None, strict=True, timeout=MAX_PER_LOOKUP_TIME,verbose=False,querytime=0): self.s, self.h = s, h if not s and h: self.s = 'postmaster@' + h self.ident = 'helo' else: self.ident = 'mailfrom' self.l, self.o = split_email(s, h) self.t = str(int(time.time())) self.d = self.o self.p = None # lazy evaluation if receiver: self.r = receiver else: self.r = 'unknown' # Since the cache does not track Time To Live, it is created # fresh for each query. It is important for efficiently using # multiple results provided in DNS answers. self.cache = {} self.defexps = dict(EXPLANATIONS) self.exps = dict(EXPLANATIONS) self.libspf_local = local # local policy self.lookups = 0 # New processing limit in RFC 7208, section 4.6.4 self.void_lookups = 0 # strict can be False, True, or 2 (numeric) for harsh self.strict = strict self.timeout = timeout self.querytime = querytime # Default to not using a global check # timelimit since this is an RFC 4408 MAY if querytime > 0: self.timeout = querytime self.timer = 0 self.ipaddr = None if i: self.set_ip(i) # Document bits of the object model not set up here: # self.i = string, expanded dot notation, suitable for PTR lookups # self.c = string, human readable form of the connect IP address # single letter lowercase variable names (e.g. self.i) are used for SPF macros # For IPv4, self.i = self.c, but not in IPv6 # self.iplist = list of IPv4/6 addresses that would pass, collected # when list or list6 is passed as 'i' # self.addr = ipaddr/ipaddress object representing the connect IP self.default_modifier = True self.verbose = verbose self.authserv = None # Only used in A-R header generation tests def log(self,mech,d,spf): print('%s: %s "%s"'%(mech,d,spf)) def set_ip(self, i): "Set connect ip, and ip6 or ip4 mode." self.iplist = False if i.lower() == 'list': self.iplist = [] ip6 = False elif i.lower() == 'list6': self.iplist = [] ip6 = True else: try: try: self.ipaddr = ipaddress.ip_address(i) except AttributeError: self.ipaddr = ipaddress.IPAddress(i) except ValueError as x: raise PermError(str(x)) if self.ipaddr.version == 6: if self.ipaddr.ipv4_mapped: self.ipaddr = ipaddress.IPv4Address(self.ipaddr.ipv4_mapped) ip6 = False else: ip6 = True else: ip6 = False self.c = str(self.ipaddr) # NOTE: self.A is not lowercase, so isn't a macro. See query.expand() if ip6: self.A = 'AAAA' self.v = 'ip6' if self.ipaddr: self.i = '.'.join(list(self.ipaddr.exploded.replace(':','').upper())) self.cidrmax = 128 else: self.A = 'A' self.v = 'in-addr' if self.ipaddr: self.i = self.ipaddr.exploded self.cidrmax = 32 def set_default_explanation(self, exp): exps = self.exps defexps = self.defexps for i in 'softfail', 'fail', 'permerror': exps[i] = exp defexps[i] = exp def set_explanation(self, exp): exps = self.exps for i in 'softfail', 'fail', 'permerror': exps[i] = exp # Compute p macro only if needed def getp(self): if not self.p: p = self.validated_ptrs() if not p: self.p = "unknown" elif self.d in p: self.p = self.d else: sfx = '.' + self.d for d in p: if d.endswith(sfx): self.p = d break else: self.p = p[0] return self.p def best_guess(self, spf=DEFAULT_SPF): """Return a best guess based on a default SPF record. >>> q = query('1.2.3.4','','SUPERVISION1',receiver='example.com') >>> q.best_guess()[0] 'none' """ if RE_TOPLAB.split(self.d)[-1]: return ('none', 250, '') pe = self.perm_error r,c,e = self.check(spf) if r == 'permerror': # permerror not useful for bestguess if self.perm_error and self.perm_error.ext: r,c,e = self.perm_error.ext else: r,c = 'neutral',250 self.perm_error = pe return r,c,e def check(self, spf=None): """ Returns (result, mta-status-code, explanation) where result in ['fail', 'softfail', 'neutral' 'permerror', 'pass', 'temperror', 'none'] Examples: >>> q = query(s='strong-bad@email.example.com', ... h='mx.example.org', i='192.0.2.3') >>> q.check(spf='v=spf1 ?all') ('neutral', 250, 'access neither permitted nor denied') >>> q.check(spf='v=spf1 redirect=controlledmail.com exp=_exp.controlledmail.com') ('fail', 550, 'SPF fail - not authorized') >>> q.check(spf='v=spf1 ip4:192.0.0.0/8 ?all moo') ('permerror', 550, 'SPF Permanent Error: Unknown mechanism found: moo') >>> q.check(spf='v=spf1 ip4:192.0.0.n ?all') ('permerror', 550, 'SPF Permanent Error: Invalid IP4 address: ip4:192.0.0.n') >>> q.check(spf='v=spf1 ip4:192.0.2.3 ip4:192.0.0.n ?all') ('permerror', 550, 'SPF Permanent Error: Invalid IP4 address: ip4:192.0.0.n') >>> q.check(spf='v=spf1 ip6:2001:db8:ZZZZ:: ?all') ('permerror', 550, 'SPF Permanent Error: Invalid IP6 address: ip6:2001:db8:ZZZZ::') >>> q.check(spf='v=spf1 =a ?all moo') ('permerror', 550, 'SPF Permanent Error: Unknown qualifier, RFC 4408 para 4.6.1, found in: =a') >>> q.check(spf='v=spf1 ip4:192.0.0.0/8 ~all') ('pass', 250, 'sender SPF authorized') >>> q.check(spf='v=spf1 ip4:192.0.0.0/8 -all moo=') ('pass', 250, 'sender SPF authorized') >>> q.check(spf='v=spf1 ip4:192.0.0.0/8 -all match.sub-domains_9=yes') ('pass', 250, 'sender SPF authorized') >>> q.strict = False >>> q.check(spf='v=spf1 ip4:192.0.0.0/8 -all moo') ('permerror', 550, 'SPF Permanent Error: Unknown mechanism found: moo') >>> q.perm_error.ext ('pass', 250, 'sender SPF authorized') >>> q.strict = True >>> q.check(spf='v=spf1 ip4:192.1.0.0/16 moo -all') ('permerror', 550, 'SPF Permanent Error: Unknown mechanism found: moo') >>> q.check(spf='v=spf1 ip4:192.1.0.0/16 ~all') ('softfail', 250, 'domain owner discourages use of this host') >>> q.check(spf='v=spf1 -ip4:192.1.0.0/6 ~all') ('fail', 550, 'SPF fail - not authorized') # Assumes DNS available >>> q.check() ('none', 250, '') >>> q.check(spf='v=spf1 ip4:1.2.3.4 -a:example.net -all') ('fail', 550, 'SPF fail - not authorized') >>> q.libspf_local='ip4:192.0.2.3 a:example.org' >>> q.check(spf='v=spf1 ip4:1.2.3.4 -a:example.net -all') ('pass', 250, 'sender SPF authorized') >>> q.check(spf='v=spf1 ip4:1.2.3.4 -all exp=_exp.controlledmail.com') ('fail', 550, 'Controlledmail.com does not send mail from itself.') >>> q.check(spf='v=spf1 ip4:1.2.3.4 ?all exp=_exp.controlledmail.com') ('neutral', 250, 'access neither permitted nor denied') """ self.mech = [] # unknown mechanisms # If not strict, certain PermErrors (mispelled # mechanisms, strict processing limits exceeded) # will continue processing. However, the exception # that strict processing would raise is saved here self.perm_error = None self.mechanism = None self.void_lookups = 0 self.options = {} try: self.lookups = 0 if not spf: spf = self.dns_spf(self.d) if self.verbose: self.log("top",self.d,spf) if self.libspf_local and spf: spf = insert_libspf_local_policy( spf, self.libspf_local) rc = self.check1(spf, self.d, 0) if self.perm_error: # lax processing encountered a permerror, but continued self.perm_error.ext = rc raise self.perm_error return rc except TempError as x: self.prob = x.msg if x.mech: self.mech.append(x.mech) return ('temperror', 451, 'SPF Temporary Error: ' + str(x)) except PermError as x: if not self.perm_error: self.perm_error = x self.prob = x.msg if x.mech: self.mech.append(x.mech) # Pre-Lentczner draft treats this as an unknown result # and equivalent to no SPF record. return ('permerror', 550, 'SPF Permanent Error: ' + str(x)) def check1(self, spf, domain, recursion): # spf rfc: 3.7 Processing Limits # if recursion > MAX_RECURSION: # This should never happen in strict mode # because of the other limits we check, # so if it does, there is something wrong with # our code. It is not a PermError because there is not # necessarily anything wrong with the SPF record. if self.strict: raise AssertionError('Too many levels of recursion') # As an extended result, however, it should be # a PermError. raise PermError('Too many levels of recursion') try: try: tmp, self.d = self.d, domain return self.check0(spf, recursion) finally: self.d = tmp except AmbiguityWarning as x: self.prob = x.msg if x.mech: self.mech.append(x.mech) return ('ambiguous', 000, 'SPF Ambiguity Warning: %s' % x) def note_error(self, *msg): if self.strict: raise PermError(*msg) # if lax mode, note error and continue if not self.perm_error: try: raise PermError(*msg) except PermError as x: # FIXME: keep a list of errors for even friendlier diagnostics. self.perm_error = x return self.perm_error def expand_domain(self,arg): "validate and expand domain-spec" # any trailing dot was removed by expand() if RE_TOPLAB.split(arg)[-1]: raise PermError('Invalid domain found (use FQDN)', arg) return self.expand(arg) def validate_mechanism(self, mech): """Parse and validate a mechanism. Returns mech,m,arg,cidrlength,result Examples: >>> q = query(s='strong-bad@email.example.com.', ... h='mx.example.org', i='192.0.2.3') >>> q.validate_mechanism('A') ('A', 'a', 'email.example.com', 32, 'pass') >>> q = query(s='strong-bad@email.example.com', ... h='mx.example.org', i='192.0.2.3') >>> q.validate_mechanism('A//64') ('A//64', 'a', 'email.example.com', 32, 'pass') >>> q.validate_mechanism('A/24//64') ('A/24//64', 'a', 'email.example.com', 24, 'pass') >>> q.validate_mechanism('?mx:%{d}/27') ('?mx:%{d}/27', 'mx', 'email.example.com', 27, 'neutral') >>> try: q.validate_mechanism('ip4:1.2.3.4/247') ... except PermError as x: print(x) Invalid IP4 CIDR length: ip4:1.2.3.4/247 >>> try: q.validate_mechanism('ip4:1.2.3.4/33') ... except PermError as x: print(x) Invalid IP4 CIDR length: ip4:1.2.3.4/33 >>> try: q.validate_mechanism('a:example.com:8080') ... except PermError as x: print(x) Invalid domain found (use FQDN): example.com:8080 >>> try: q.validate_mechanism('ip4:1.2.3.444/24') ... except PermError as x: print(x) Invalid IP4 address: ip4:1.2.3.444/24 >>> try: q.validate_mechanism('ip4:1.2.03.4/24') ... except PermError as x: print(x) Invalid IP4 address: ip4:1.2.03.4/24 >>> try: q.validate_mechanism('-all:3030') ... except PermError as x: print(x) Invalid all mechanism format - only qualifier allowed with all: -all:3030 >>> q.validate_mechanism('-mx:%%%_/.Clara.de/27') ('-mx:%%%_/.Clara.de/27', 'mx', '% /.Clara.de', 27, 'fail') >>> q.validate_mechanism('~exists:%{i}.%{s1}.100/86400.rate.%{d}') ('~exists:%{i}.%{s1}.100/86400.rate.%{d}', 'exists', '192.0.2.3.com.100/86400.rate.email.example.com', 32, 'softfail') >>> q.validate_mechanism('a:mail.example.com.') ('a:mail.example.com.', 'a', 'mail.example.com', 32, 'pass') >>> try: q.validate_mechanism('a:mail.example.com,') ... except PermError as x: print(x) Do not separate mechnisms with commas: a:mail.example.com, >>> q = query(s='strong-bad@email.example.com', ... h='mx.example.org', i='2001:db8:1234::face:b007') >>> q.validate_mechanism('A//64') ('A//64', 'a', 'email.example.com', 64, 'pass') >>> q.validate_mechanism('A/16') ('A/16', 'a', 'email.example.com', 128, 'pass') >>> q.validate_mechanism('A/16//48') ('A/16//48', 'a', 'email.example.com', 48, 'pass') """ if mech.endswith( "," ): self.note_error('Do not separate mechnisms with commas', mech) mech = mech[:-1] # a mechanism m, arg, cidrlength, cidr6length = parse_mechanism(mech, self.d) # map '?' '+' or '-' to 'neutral' 'pass' or 'fail' if m: result = RESULTS.get(m[0]) if result: # eat '?' '+' or '-' m = m[1:] else: # default pass result = 'pass' if m in COMMON_MISTAKES: self.note_error('Unknown mechanism found', mech) m = COMMON_MISTAKES[m] if m == 'a' and RE_IP4.match(arg): x = self.note_error( 'Use the ip4 mechanism for ip4 addresses', mech) m = 'ip4' # validate cidr and dual-cidr if m in ('a', 'mx'): if cidrlength is None: cidrlength = 32; elif cidrlength > 32: raise PermError('Invalid IP4 CIDR length', mech) if cidr6length is None: cidr6length = 128 elif cidr6length > 128: raise PermError('Invalid IP6 CIDR length', mech) if self.v == 'ip6': cidrlength = cidr6length elif m == 'ip4' or RE_IP4.match(m): if m != 'ip4': self.note_error( 'Missing IP4' , mech) m,arg = 'ip4',m if cidr6length is not None: raise PermError('Dual CIDR not allowed', mech) if cidrlength is None: cidrlength = 32; elif cidrlength > 32: raise PermError('Invalid IP4 CIDR length', mech) if not RE_IP4.match(arg): raise PermError('Invalid IP4 address', mech) elif m == 'ip6': if cidr6length is not None: raise PermError('Dual CIDR not allowed', mech) if cidrlength is None: cidrlength = 128 elif cidrlength > 128: raise PermError('Invalid IP6 CIDR length', mech) if not RE_IP6.match(arg): raise PermError('Invalid IP6 address', mech) else: if cidrlength is not None or cidr6length is not None: if m in ALL_MECHANISMS: raise PermError('CIDR not allowed', mech) cidrlength = self.cidrmax if m in ('a', 'mx', 'ptr', 'exists', 'include'): if m == 'exists' and not arg: raise PermError('implicit exists not allowed', mech) arg = self.expand_domain(arg) if not arg: raise PermError('empty domain:',mech) if m == 'include': if arg == self.d: if mech != 'include': raise PermError('include has trivial recursion', mech) raise PermError('include mechanism missing domain', mech) return mech, m, arg, cidrlength, result # validate 'all' mechanism per RFC 4408 ABNF if m == 'all' and mech.count(':'): # print '|'+ arg + '|', mech, self.d, self.note_error( 'Invalid all mechanism format - only qualifier allowed with all' , mech) if m in ALL_MECHANISMS: return mech, m, arg, cidrlength, result if m[1:] in ALL_MECHANISMS: x = self.note_error( 'Unknown qualifier, RFC 4408 para 4.6.1, found in', mech) else: x = self.note_error('Unknown mechanism found', mech) return mech, m, arg, cidrlength, x def check0(self, spf, recursion): """Test this query information against SPF text. Returns (result, mta-status-code, explanation) where result in ['fail', 'unknown', 'pass', 'none'] """ if not spf: return ('none', 250, EXPLANATIONS['none']) # Split string by space, drop the 'v=spf1'. Split by all whitespace # casuses things like carriage returns being treated as valid space # separators, so split() is not sufficient. spf = spf.split(' ') # Catch case where SPF record has no spaces. # Can never happen with conforming dns_spf(), however # in the future we might want to give warnings # for common mistakes like IN TXT "v=spf1" "mx" "-all" # in relaxed mode. if spf[0].lower() != 'v=spf1': if self.strict > 1: raise AmbiguityWarning('Invalid SPF record in', self.d) return ('none', 250, EXPLANATIONS['none']) # Just to make it even more fun, the relevant piece of the ABNF for # term separations is *( 1*SP ( directive / modifier ) ), so it's one # or more spaces, not just one. So strip empty mechanisms. spf = [mech for mech in spf[1:] if mech] # copy of explanations to be modified by exp= exps = self.exps redirect = None # no mechanisms at all cause unknown result, unless # overridden with 'default=' modifier # default = 'neutral' mechs = [] modifiers = [] # Look for modifiers # for mech in spf: m = RE_MODIFIER.split(mech)[1:] if len(m) != 2: mechs.append(self.validate_mechanism(mech)) continue mod,arg = m if mod in modifiers: if mod == 'redirect': raise PermError('redirect= MUST appear at most once',mech) self.note_error('%s= MUST appear at most once'%mod,mech) # just use last one in lax mode modifiers.append(mod) if mod == 'exp': # always fetch explanation to check permerrors if not arg: raise PermError('exp has empty domain-spec:',arg) arg = self.expand_domain(arg) if arg: try: exp = self.get_explanation(arg) if exp and not recursion: # only set explanation in base recursion level self.set_explanation(exp) except: pass elif mod == 'redirect': self.check_lookups() redirect = self.expand_domain(arg) if not redirect: raise PermError('redirect has empty domain:',arg) elif mod == 'default': # default modifier is obsolete if self.strict > 1: raise AmbiguityWarning('The default= modifier is obsolete.') if not self.strict and self.default_modifier: # might be an old policy, so do it anyway arg = self.expand(arg) # default=- is the same as default=fail default = RESULTS.get(arg, default) elif mod == 'op': if not recursion: for v in arg.split('.'): if v: self.options[v] = True else: # spf rfc: 3.6 Unrecognized Mechanisms and Modifiers self.expand(m[1]) # syntax error on invalid macro # Evaluate mechanisms # for mech, m, arg, cidrlength, result in mechs: if m == 'include': self.check_lookups() d = self.dns_spf(arg) if self.verbose: self.log("include",arg,d) res, code, txt = self.check1(d,arg, recursion + 1) if res == 'pass': break if res == 'none': self.note_error( 'No valid SPF record for included domain: %s' %arg, mech) res = 'neutral' continue elif m == 'all': break elif m == 'exists': self.check_lookups() try: if len(self.dns_a(arg,'A')) > 0: break except AmbiguityWarning: # Exists wants no response sometimes so don't raise # the warning. pass elif m == 'a': self.check_lookups() if self.cidrmatch(self.dns_a(arg,self.A), cidrlength): break elif m == 'mx': self.check_lookups() if self.cidrmatch(self.dns_mx(arg), cidrlength): break elif m == 'ip4': if self.v == 'in-addr': # match own connection type only try: if self.cidrmatch([arg], cidrlength): break except socket.error: raise PermError('syntax error', mech) elif m == 'ip6': if self.v == 'ip6': # match own connection type only try: if self.cidrmatch([arg], cidrlength): break except socket.error: raise PermError('syntax error', mech) elif m == 'ptr': self.check_lookups() if domainmatch(self.validated_ptrs(), arg): break else: # no matches if redirect: #Catch redirect to a non-existant SPF record. redirect_record = self.dns_spf(redirect) if not redirect_record: raise PermError('redirect domain has no SPF record', redirect) if self.verbose: self.log("redirect",redirect,redirect_record) # forget modifiers on redirect if not recursion: self.exps = dict(self.defexps) self.options = {} return self.check1(redirect_record, redirect, recursion) result = default mech = None if not recursion: # record matching mechanism at base level self.mechanism = mech if result == 'fail': return (result, 550, exps[result]) else: return (result, 250, exps[result]) def check_lookups(self): self.lookups = self.lookups + 1 if self.lookups > MAX_LOOKUP*4: raise PermError('More than %d DNS lookups'%(MAX_LOOKUP*4)) if self.lookups > MAX_LOOKUP: self.note_error('Too many DNS lookups') def get_explanation(self, spec): """Expand an explanation.""" if spec: try: a = self.dns_txt(spec,ignore_void=True) if len(a) == 1: return str(self.expand(to_ascii(a[0]), stripdot=False)) except PermError: # RFC4408 6.2/4 syntax errors cause exp= to be ignored if self.strict > 1: raise # but report in harsh mode for record checking tools pass elif self.strict > 1: raise PermError('Empty domain-spec on exp=') # RFC4408 6.2/4 empty domain spec is ignored # (unless you give precedence to the grammar). return None def expand(self, s, stripdot=True): # macros='slodipvh' """Do SPF RFC macro expansion. Examples: >>> q = query(s='strong-bad@email.example.com', ... h='mx.example.org', i='192.0.2.3') >>> q.p = 'mx.example.org' >>> q.r = 'example.net' >>> q.expand('%{d}') 'email.example.com' >>> q.expand('%{d4}') 'email.example.com' >>> q.expand('%{d3}') 'email.example.com' >>> q.expand('%{d2}') 'example.com' >>> q.expand('%{d1}') 'com' >>> q.expand('%{p}') 'mx.example.org' >>> q.expand('%{p2}') 'example.org' >>> q.expand('%{dr}') 'com.example.email' >>> q.expand('%{d2r}') 'example.email' >>> q.expand('%{l}') 'strong-bad' >>> q.expand('%{l-}') 'strong.bad' >>> q.expand('%{lr}') 'strong-bad' >>> q.expand('%{lr-}') 'bad.strong' >>> q.expand('%{l1r-}') 'strong' >>> q.expand('%{c}',stripdot=False) '192.0.2.3' >>> q.expand('%{r}',stripdot=False) 'example.net' >>> q.expand('%{ir}.%{v}._spf.%{d2}') '3.2.0.192.in-addr._spf.example.com' >>> q.expand('%{lr-}.lp._spf.%{d2}') 'bad.strong.lp._spf.example.com' >>> q.expand('%{lr-}.lp.%{ir}.%{v}._spf.%{d2}') 'bad.strong.lp.3.2.0.192.in-addr._spf.example.com' >>> q.expand('%{ir}.%{v}.%{l1r-}.lp._spf.%{d2}') '3.2.0.192.in-addr.strong.lp._spf.example.com' >>> try: q.expand('%(ir).%{v}.%{l1r-}.lp._spf.%{d2}') ... except PermError as x: print(x) invalid-macro-char : %(ir) >>> q.expand('%{p2}.trusted-domains.example.net') 'example.org.trusted-domains.example.net' >>> q.expand('%{p2}.trusted-domains.example.net.') 'example.org.trusted-domains.example.net' >>> q = query(s='@email.example.com', ... h='mx.example.org', i='192.0.2.3') >>> q.p = 'mx.example.org' >>> q.expand('%{l}') 'postmaster' """ # Check for invalid macro syntax if s.find('%') >= 0: regex = RE_INVALID_MACRO for label in s.split('.'): if regex.search(s): raise PermError ('invalid-macro-char ', label) # expand macros end = 0 result = '' for i in RE_CHAR.finditer(s): result += s[end:i.start()] macro = s[i.start():i.end()] if macro == '%%': result += '%' elif macro == '%_': result += ' ' elif macro == '%-': result += '%20' else: letter = macro[2].lower() # print letter if letter == 'p': self.getp() elif letter in 'crt' and stripdot: raise PermError( 'c,r,t macros allowed in exp= text only', macro) expansion = getattr(self, letter, self) if expansion: if expansion == self: raise PermError('Unknown Macro Encountered', macro) e = expand_one(expansion, macro[3:-1], JOINERS.get(letter)) if letter != macro[2]: e = urllibparse.quote(e,'~') result += e end = i.end() result += s[end:] if stripdot and result.endswith('.'): result = result[:-1] if result.count('.') != 0: if len(result) > 253: result = result[(result.index('.')+1):] return result def dns_spf(self, domain): """Get the SPF record recorded in DNS for a specific domain name. Returns None if not found, or if more than one record is found. """ # Per RFC 4.3/1, check for malformed domain. This produces # no results as a special case. for label in domain.split('.'): if not label or len(label) > 63: return None # for performance, check for most common case of TXT first a = [t for t in self.dns_txt(domain) if RE_SPF.match(t)] if len(a) > 1: if self.verbose: print('cache=',self.cache) raise PermError('Two or more type TXT spf records found.') if len(a) == 1 and self.strict < 2: return to_ascii(a[0]) # check official SPF type first when it becomes more popular if self.strict > 1: #Only check for Type SPF in harsh mode until it is more popular. try: b = [t for t in self.dns_txt(domain,'SPF',ignore_void=True) if RE_SPF.match(t)] except TempError as x: # some braindead DNS servers hang on type 99 query if self.strict > 1: raise TempError(x) b = [] if len(b) > 1: raise PermError('Two or more type SPF spf records found.') if len(b) == 1: if self.strict > 1 and len(a) == 1 and a[0] != b[0]: #Changed from permerror to warning based on RFC 4408 Auth 48 change raise AmbiguityWarning( 'v=spf1 records of both type TXT and SPF (type 99) present, but not identical') return to_ascii(b[0]) if len(a) == 1: return to_ascii(a[0]) # return TXT if SPF wasn't found if DELEGATE: # use local record if neither found a = [t for t in self.dns_txt(domain+'._spf.'+DELEGATE,ignore_void=True) if RE_SPF.match(t) ] if len(a) == 1: return to_ascii(a[0]) return None ## Get list of TXT records for a domain name. # Any DNS library *must* return bytes (same as str in python2) for TXT # or SPF since there is no general decoding to unicode. Py3dns-3.0.2 # incorrectly attempts to convert to str using idna encoding by default. # We work around this by assuming any UnicodeErrors coming from py3dns # are from a non-ascii SPF record (incorrect in general). Packages # should require py3dns != 3.0.2. # # We cannot check for non-ascii here, because we must ignore non-SPF # records - even when they are non-ascii. So we return bytes. # The caller does the ascii check for SPF records and explanations. # def dns_txt(self, domainname, rr='TXT',ignore_void=False): "Get a list of TXT records for a domain name." if domainname: try: dns_list = self.dns(domainname, rr,ignore_void=ignore_void) if dns_list: # a[0][:0] is '' for py3dns-3.0.2, otherwise b'' a = [a[0][:0].join(a) for a in dns_list if a] # FIXME: workaround for error in py3dns-3.0.2 if isinstance(a[0],bytes): return a return [s.encode('utf-8') for s in a] # FIXME: workaround for error in py3dns-3.0.2 except UnicodeError: raise PermError('Non-ascii characters found in %s record for %s' %(rr,domainname)) return [] def dns_mx(self, domainname): """Get a list of IP addresses for all MX exchanges for a domain name. """ # RFC 4408/7208 section 5.4 "mx" # To prevent DoS attacks, more than 10 MX names MUST NOT be looked up # Changed to permerror if more than 10 exist in 7208 mxnames = self.dns(domainname, 'MX') if self.strict: max = MAX_MX if len(mxnames) > MAX_MX: raise PermError( 'More than %d MX records returned'%MAX_MX) if self.strict > 1: if len(mxnames) == 0: raise AmbiguityWarning( 'No MX records found for mx mechanism', domainname) else: max = MAX_MX * 4 mxnames.sort() return [a for mx in mxnames[:max] for a in self.dns_a(mx[1],self.A)] def dns_a(self, domainname, A='A'): """Get a list of IP addresses for a domainname. """ if not domainname: return [] r = self.dns(domainname, A) if self.strict > 1 and len(r) == 0: raise AmbiguityWarning( 'No %s records found for'%A, domainname) if A == 'AAAA' and bytes is str: # work around pydns inconsistency plus python2 bytes/str ambiguity return [Bytes(ip) for ip in r] return r def validated_ptrs(self): """Figure out the validated PTR domain names for the connect IP.""" # To prevent DoS attacks, more than 10 PTR names MUST NOT be looked up if self.strict: max = MAX_PTR if self.strict > 1: #Break out the number of PTR records returned for testing try: ptrnames = self.dns_ptr(self.i) if len(ptrnames) > max: warning = 'More than %d PTR records returned' % max raise AmbiguityWarning(warning, self.c) else: if len(ptrnames) == 0: raise AmbiguityWarning( 'No PTR records found for ptr mechanism', self.c) except: raise AmbiguityWarning( 'No PTR records found for ptr mechanism', self.c) else: max = MAX_PTR * 4 cidrlength = self.cidrmax return [p for p in self.dns_ptr(self.i)[:max] if self.cidrmatch(self.dns_a(p,self.A),cidrlength)] def dns_ptr(self, i): """Get a list of domain names for an IP address.""" return self.dns('%s.%s.arpa'%(reverse_dots(i),self.v), 'PTR') # We have to be careful which additional DNS RRs we cache. For # instance, PTR records are controlled by the connecting IP, and they # could poison our local cache with bogus A and MX records. SAFE2CACHE = { ('MX','A'): None, ('MX','MX'): None, ('CNAME','A'): None, ('A','A'): None, ('AAAA','AAAA'): None, ('PTR','PTR'): None, ('TXT','TXT'): None, ('SPF','SPF'): None } # FIXME: move to anydns # # All types return a list of values. TXT/SPF values are # in turn a list of strings (as bytes), as DNS supports long # strings as shorter strings which must be concatenated. # def dns(self, name, qtype, cnames=None, ignore_void=False): """DNS query. If the result is in cache, return that. Otherwise pull the result from DNS, and cache ALL answers, so additional info is available for further queries later. CNAMEs are followed. If there is no data, [] is returned. pre: qtype in ['A', 'AAAA', 'MX', 'PTR', 'TXT', 'SPF'] post: isinstance(__return__, types.ListType) Examples: >>> c = query(s='strong-bad@email.example.com', ... h='parallel.kitterman.org',i='192.0.2.123') >>> "".join( chr(x) for x in bytearray(c.dns('parallel.kitterman.org', 'TXT')[0][0]) ) 'v=spf1 include:long.kitterman.org include:cname.kitterman.org -all' """ if not name: raise Exception('Invalid query') name = str(name) if name.endswith('.'): name = name[:-1] if not reduce(lambda x, y: x and 0 < len(y) < 64, name.split('.'), True): return [] # invalid DNS name (too long or empty) name = name.lower() result = self.cache.get( (name, qtype), []) if result: return result cnamek = (name,'CNAME') cname = self.cache.get( cnamek ) debug = self.verbose and name.startswith('cname.') if cname: cname = cname[0] else: safe2cache = query.SAFE2CACHE if self.querytime < 0: raise TempError('DNS Error: exceeded max query lookup time') if self.querytime < self.timeout and self.querytime > 0: timeout = self.querytime else: timeout = self.timeout timethen = time.time() for k, v in DNSLookup(name, qtype, self.strict, timeout): if debug: print('result=',k,v) # Force case insensitivity in cache, DNS servers often # return random case in domain part of answers. k = (k[0].lower(), k[1]) if k == cnamek: cname = v result = self.cache.get( (cname, qtype), []) if result: break if k[1] == 'CNAME' or (qtype,k[1]) in safe2cache: if debug: print('addcache=',k,v) self.cache.setdefault(k, []).append(v) #if ans and qtype == k[1]: # self.cache.setdefault((name,qtype), []).append(v) result = self.cache.get( (name, qtype), []) if self.querytime > 0: self.querytime = self.querytime - (time.time()-timethen) if not result and cname: if not cnames: cnames = {} elif len(cnames) >= MAX_CNAME: #return result # if too many == NX_DOMAIN raise PermError('Length of CNAME chain exceeds %d' % MAX_CNAME) cnames[name] = cname if cname.lower().rstrip('.') in cnames: if self.strict > 1: raise AmbiguityWarning('CNAME loop', cname) else: result = self.dns(cname, qtype, cnames=cnames) if result: self.cache[(name,qtype)] = result if not result and not ignore_void: self.void_lookups += 1 if self.void_lookups > MAX_VOID_LOOKUPS: raise PermError('Void lookup limit of %d exceeded' % MAX_VOID_LOOKUPS) return result def cidrmatch(self, ipaddrs, n): """Match connect IP against a CIDR network of other IP addresses. Examples: >>> c = query(s='strong-bad@email.example.com', ... h='mx.example.org', i='192.0.2.3') >>> c.p = 'mx.example.org' >>> c.r = 'example.com' >>> c.cidrmatch(['192.0.2.3'],32) True >>> c.cidrmatch(['192.0.2.2'],32) False >>> c.cidrmatch(['192.0.2.2'],31) True >>> six = query(s='strong-bad@email.example.com', ... h='mx.example.org', i='2001:0db8:0:0:0:0:0:0001') >>> six.p = 'mx.example.org' >>> six.r = 'example.com' >>> six.cidrmatch(['2001:0DB8::'],127) True >>> six.cidrmatch(['2001:0DB8::'],128) False >>> six.cidrmatch(['2001:0DB8:0:0:0:0:0:0001'],128) True """ try: try: for netwrk in [ipaddress.ip_network(ip) for ip in ipaddrs]: network = netwrk.supernet(new_prefix=n) if isinstance(self.iplist, bool): if network.__contains__(self.ipaddr): return True else: if n < self.cidrmax: self.iplist.append(network) else: self.iplist.append(network.ip) except AttributeError: for netwrk in [ipaddress.IPNetwork(ip,strict=False) for ip in ipaddrs]: network = netwrk.supernet(new_prefix=n) if isinstance(self.iplist, bool): if network.__contains__(self.ipaddr): return True else: if n < self.cidrmax: self.iplist.append(network) else: self.iplist.append(network.ip) except ValueError as x: raise PermError(str(x)) return False def parse_header_ar(self, val): """Set SPF values from RFC 5451 Authentication Results header. Useful when SPF has already been run on a trusted gateway machine. Expects the entire header as an input. Examples: >>> q = query('192.0.2.3','strong-bad@email.example.com','mx.example.org') >>> q.mechanism = 'unknown' >>> p = q.parse_header_ar('''Authentication-Results: bmsi.com; spf=neutral \\n (abuse@kitterman.com: 192.0.2.3 is neither permitted nor denied by domain of email.example.com) \\n smtp.mailfrom=email.example.com \\n (sender=strong-bad@email.example.com; helo=mx.example.org; client-ip=192.0.2.3; receiver=abuse@kitterman.com; mechanism=?all)''') >>> q.get_header(q.result, header_type='authres', aid='bmsi.com') 'Authentication-Results: bmsi.com; spf=neutral (unknown: 192.0.2.3 is neither permitted nor denied by domain of email.example.com) smtp.mailfrom=email.example.com (sender=email.example.com; helo=mx.example.org; client-ip=192.0.2.3; receiver=unknown; mechanism=unknown)' >>> p = q.parse_header_ar('''Authentication-Results: bmsi.com; spf=None (mail.bmsi.com: test; client-ip=163.247.46.150) smtp.mailfrom=admin@squiebras.cl (helo=mail.squiebras.cl; receiver=mail.bmsi.com;\\n mechanism=mx/24)''') >>> q.get_header(q.result, header_type='authres', aid='bmsi.com') 'Authentication-Results: bmsi.com; spf=none (unknown: 192.0.2.3 is neither permitted nor denied by domain of email.example.com) smtp.mailfrom=admin@squiebras.cl (sender=admin@squiebras.cl; helo=mx.example.org; client-ip=192.0.2.3; receiver=unknown; mechanism=unknown)' """ import authres # Authres expects unwrapped headers according to docs val = ' '.join(s.strip() for s in val.split('\n')) arobj = authres.AuthenticationResultsHeader.parse(val) # TODO extract and parse comments (not supported by authres) for resobj in arobj.results: if resobj.method == 'spf': self.authserv = arobj.authserv_id self.result = resobj.result if resobj.properties[0].name == 'mailfrom': self.d = resobj.properties[0].value self.s = resobj.properties[0].value if resobj.properties[0].name == 'helo': self.h = resobj.properties[0].value return def parse_header_spf(self, val): """Set SPF values from Received-SPF header. Useful when SPF has already been run on a trusted gateway machine. Examples: >>> q = query('0.0.0.0','','') >>> p = q.parse_header_spf('''Pass (test) client-ip=70.98.79.77; ... envelope-from="evelyn@subjectsthum.com"; helo=mail.subjectsthum.com; ... receiver=mail.bmsi.com; mechanism=a; identity=mailfrom''') >>> q.get_header(q.result) 'Pass (test) client-ip=70.98.79.77; envelope-from="evelyn@subjectsthum.com"; helo=mail.subjectsthum.com; receiver=mail.bmsi.com; mechanism=a; identity=mailfrom' >>> o = q.parse_header_spf('''None (mail.bmsi.com: test) ... client-ip=163.247.46.150; envelope-from="admin@squiebras.cl"; ... helo=mail.squiebras.cl; receiver=mail.bmsi.com; mechanism=mx/24; ... x-bestguess=pass; x-helo-spf=neutral; identity=mailfrom''') >>> q.get_header(q.result,**o) 'None (mail.bmsi.com: test) client-ip=163.247.46.150; envelope-from="admin@squiebras.cl"; helo=mail.squiebras.cl; receiver=mail.bmsi.com; mechanism=mx/24; x-bestguess=pass; x-helo-spf=neutral; identity=mailfrom' >>> o['bestguess'] 'pass' """ a = val.split(None,1) self.result = a[0].lower() self.mechanism = None if len(a) < 2: return 'none' val = a[1] if val.startswith('('): pos = val.find(')') if pos < 0: return self.result self.comment = val[1:pos] val = val[pos+1:] msg = Message() msg.add_header('Received-SPF','; '+val) p = {} for k,v in msg.get_params(header='Received-SPF'): if k == 'client-ip': self.set_ip(v) elif k == 'envelope-from': self.s = v elif k == 'helo': self.h = v elif k == 'receiver': self.r = v elif k == 'problem': self.mech = v elif k == 'mechanism': self.mechanism = v elif k == 'identity': self.ident = v elif k.startswith('x-'): p[k[2:]] = v self.l, self.o = split_email(self.s, self.h) return p def parse_header(self, val): """Set SPF values from Received-SPF or RFC 5451 Authentication Results header. Useful when SPF has already been run on a trusted gateway machine. Auto detects the header type and parses it. Use parse_header_spf or parse_header_ar for each type if required. Examples: >>> q = query('0.0.0.0','','') >>> p = q.parse_header('''Pass (test) client-ip=70.98.79.77; ... envelope-from="evelyn@subjectsthum.com"; helo=mail.subjectsthum.com; ... receiver=mail.bmsi.com; mechanism=a; identity=mailfrom''') >>> q.get_header(q.result) 'Pass (test) client-ip=70.98.79.77; envelope-from="evelyn@subjectsthum.com"; helo=mail.subjectsthum.com; receiver=mail.bmsi.com; mechanism=a; identity=mailfrom' >>> r = q.parse_header('''None (mail.bmsi.com: test) ... client-ip=163.247.46.150; envelope-from="admin@squiebras.cl"; ... helo=mail.squiebras.cl; receiver=mail.bmsi.com; mechanism=mx/24; ... x-bestguess=pass; x-helo-spf=neutral; identity=mailfrom''') >>> q.get_header(q.result,**r) 'None (mail.bmsi.com: test) client-ip=163.247.46.150; envelope-from="admin@squiebras.cl"; helo=mail.squiebras.cl; receiver=mail.bmsi.com; mechanism=mx/24; x-bestguess=pass; x-helo-spf=neutral; identity=mailfrom' >>> r['bestguess'] 'pass' >>> q = query('192.0.2.3','strong-bad@email.example.com','mx.example.org') >>> q.mechanism = 'unknown' >>> p = q.parse_header_ar('''Authentication-Results: bmsi.com; spf=neutral \\n (abuse@kitterman.com: 192.0.2.3 is neither permitted nor denied by domain of email.example.com) \\n smtp.mailfrom=email.example.com \\n (sender=strong-bad@email.example.com; helo=mx.example.org; client-ip=192.0.2.3; receiver=abuse@kitterman.com; mechanism=?all)''') >>> q.get_header(q.result, header_type='authres', aid='bmsi.com') 'Authentication-Results: bmsi.com; spf=neutral (unknown: 192.0.2.3 is neither permitted nor denied by domain of email.example.com) smtp.mailfrom=email.example.com (sender=email.example.com; helo=mx.example.org; client-ip=192.0.2.3; receiver=unknown; mechanism=unknown)' >>> p = q.parse_header_ar('''Authentication-Results: bmsi.com; spf=None (mail.bmsi.com: test; client-ip=163.247.46.150) smtp.mailfrom=admin@squiebras.cl (helo=mail.squiebras.cl; receiver=mail.bmsi.com; mechanism=mx/24)''') >>> q.get_header(q.result, header_type='authres', aid='bmsi.com') 'Authentication-Results: bmsi.com; spf=none (unknown: 192.0.2.3 is neither permitted nor denied by domain of email.example.com) smtp.mailfrom=admin@squiebras.cl (sender=admin@squiebras.cl; helo=mx.example.org; client-ip=192.0.2.3; receiver=unknown; mechanism=unknown)' """ if val.startswith('Authentication-Results:'): return(self.parse_header_ar(val)) else: return(self.parse_header_spf(val)) def get_header(self, res, receiver=None, header_type='spf', aid=None, **kv): """ Generate Received-SPF or Authentication Results header based on the last lookup. >>> q = query(s='strong-bad@email.example.com', h='mx.example.org', ... i='192.0.2.3') >>> q.r='abuse@kitterman.com' >>> q.check(spf='v=spf1 ?all') ('neutral', 250, 'access neither permitted nor denied') >>> q.get_header('neutral') 'Neutral (abuse@kitterman.com: 192.0.2.3 is neither permitted nor denied by domain of email.example.com) client-ip=192.0.2.3; envelope-from="strong-bad@email.example.com"; helo=mx.example.org; receiver=abuse@kitterman.com; mechanism=?all; identity=mailfrom' >>> q.check(spf='v=spf1 redirect=controlledmail.com exp=_exp.controlledmail.com') ('fail', 550, 'SPF fail - not authorized') >>> q.get_header('fail') 'Fail (abuse@kitterman.com: domain of email.example.com does not designate 192.0.2.3 as permitted sender) client-ip=192.0.2.3; envelope-from="strong-bad@email.example.com"; helo=mx.example.org; receiver=abuse@kitterman.com; mechanism=-all; identity=mailfrom' >>> q.check(spf='v=spf1 ip4:192.0.0.0/8 ?all moo') ('permerror', 550, 'SPF Permanent Error: Unknown mechanism found: moo') >>> q.get_header('permerror') 'PermError (abuse@kitterman.com: permanent error in processing domain of email.example.com: Unknown mechanism found) client-ip=192.0.2.3; envelope-from="strong-bad@email.example.com"; helo=mx.example.org; receiver=abuse@kitterman.com; problem=moo; identity=mailfrom' >>> q.check(spf='v=spf1 ip4:192.0.0.0/8 ~all') ('pass', 250, 'sender SPF authorized') >>> q.get_header('pass') 'Pass (abuse@kitterman.com: domain of email.example.com designates 192.0.2.3 as permitted sender) client-ip=192.0.2.3; envelope-from="strong-bad@email.example.com"; helo=mx.example.org; receiver=abuse@kitterman.com; mechanism="ip4:192.0.0.0/8"; identity=mailfrom' >>> q.check(spf='v=spf1 ?all') ('neutral', 250, 'access neither permitted nor denied') >>> q.get_header('neutral', header_type = 'authres', aid='bmsi.com') 'Authentication-Results: bmsi.com; spf=neutral (abuse@kitterman.com: 192.0.2.3 is neither permitted nor denied by domain of email.example.com) smtp.mailfrom=email.example.com (sender=strong-bad@email.example.com; helo=mx.example.org; client-ip=192.0.2.3; receiver=abuse@kitterman.com; mechanism=?all)' >>> p = query(s='strong-bad@email.example.com', h='mx.example.org', ... i='192.0.2.3') >>> p.r='abuse@kitterman.com' >>> p.check(spf='v=spf1 redirect=controlledmail.com exp=_exp.controlledmail.com') ('fail', 550, 'SPF fail - not authorized') >>> p.ident = 'helo' >>> p.get_header('fail', header_type = 'authres', aid='bmsi.com') 'Authentication-Results: bmsi.com; spf=fail (abuse@kitterman.com: domain of email.example.com does not designate 192.0.2.3 as permitted sender) smtp.helo=mx.example.org (sender=strong-bad@email.example.com; client-ip=192.0.2.3; receiver=abuse@kitterman.com; mechanism=-all)' >>> q.check(spf='v=spf1 ?all') ('neutral', 250, 'access neither permitted nor denied') >>> try: q.get_header('neutral', header_type = 'dkim') ... except SyntaxError as x: print(x) Unknown results header type: dkim """ # If type is Authentication Results header (spf/authres) if header_type == 'authres': if not aid: raise SyntaxError('authserv-id missing for Authentication Results header type, see RFC5451 2.3') import authres if not receiver: receiver = self.r client_ip = self.c helo = quote_value(self.h) resmap = { 'pass': 'Pass', 'neutral': 'Neutral', 'fail': 'Fail', 'softfail': 'SoftFail', 'none': 'None', 'temperror': 'TempError', 'permerror': 'PermError' } identity = self.ident if identity == 'helo': envelope_from = None else: envelope_from = quote_value(self.s) tag = resmap[res] if res == 'permerror' and self.mech: problem = quote_value(' '.join(self.mech)) else: problem = None mechanism = quote_value(self.mechanism) if hasattr(self,'comment'): comment = self.comment else: comment = '%s: %s' % (receiver,self.get_header_comment(res)) res = ['%s (%s)' % (tag,comment)] if header_type == 'spf': for k in ('client_ip','envelope_from','helo','receiver', 'problem','mechanism'): v = locals()[k] if v: res.append('%s=%s;'%(k.replace('_','-'),v)) for k,v in sorted(list(kv.items())): if v: res.append('x-%s=%s;'%(k.replace('_','-'),quote_value(v))) # do identity last so we can easily drop the trailing ';' res.append('%s=%s'%('identity',identity)) return ' '.join(res) elif header_type == 'authres': if envelope_from: return str(authres.AuthenticationResultsHeader(authserv_id = aid, \ results = [authres.SPFAuthenticationResult(result = tag, \ result_comment = comment, smtp_mailfrom = self.d, \ smtp_mailfrom_comment = \ 'sender={0}; helo={1}; client-ip={2}; receiver={3}; mechanism={4}'.format(self.s, \ self.h, self.c, self.r, mechanism))])) else: return str(authres.AuthenticationResultsHeader(authserv_id = aid, \ results = [authres.SPFAuthenticationResult(result = tag, \ result_comment = comment, smtp_helo = self.h, \ smtp_helo_comment = \ 'sender={0}; client-ip={1}; receiver={2}; mechanism={3}'.format(self.s, \ self.c, self.r, mechanism))])) else: raise SyntaxError('Unknown results header type: {0}'.format(header_type)) def get_header_comment(self, res): """Return comment for Received-SPF header. """ sender = self.o if res == 'pass': return \ "domain of %s designates %s as permitted sender" \ % (sender, self.c) elif res == 'softfail': return \ "transitioning domain of %s does not designate %s as permitted sender" \ % (sender, self.c) elif res == 'neutral': return \ "%s is neither permitted nor denied by domain of %s" \ % (self.c, sender) elif res == 'none': return \ "%s is neither permitted nor denied by domain of %s" \ % (self.c, sender) #"%s does not designate permitted sender hosts" % sender elif res == 'permerror': return \ "permanent error in processing domain of %s: %s" \ % (sender, self.prob) elif res == 'temperror': return \ "temporary error in processing during lookup of %s" % sender elif res == 'fail': return \ "domain of %s does not designate %s as permitted sender" \ % (sender, self.c) raise ValueError("invalid SPF result for header comment: "+res) def split_email(s, h): """Given a sender email s and a HELO domain h, create a valid tuple (l, d) local-part and domain-part. Examples: >>> split_email('', 'wayforward.net') ('postmaster', 'wayforward.net') >>> split_email('foo.com', 'wayforward.net') ('postmaster', 'foo.com') >>> split_email('terry@wayforward.net', 'optsw.com') ('terry', 'wayforward.net') """ if not s: return 'postmaster', h else: parts = s.split('@', 1) if parts[0] == '': parts[0] = 'postmaster' if len(parts) == 2: return tuple(parts) else: return 'postmaster', s def quote_value(s): """Quote the value for a key-value pair in Received-SPF header field if needed. No quoting needed for a dot-atom value. Examples: >>> quote_value('foo@bar.com') '"foo@bar.com"' >>> quote_value('mail.example.com') 'mail.example.com' >>> quote_value('A:1.2.3.4') '"A:1.2.3.4"' >>> quote_value('abc"def') '"abc\\\\"def"' >>> quote_value(r'abc\def') '"abc\\\\\\\\def"' >>> quote_value('abc..def') '"abc..def"' >>> quote_value('') '""' >>> quote_value(None) """ if s is None or RE_DOT_ATOM.match(s): return s return '"' + s.replace('\\',r'\\').replace('"',r'\"' ).replace('\x00',r'\x00') + '"' def parse_mechanism(str, d): """Breaks A, MX, IP4, and PTR mechanisms into a (name, domain, cidr,cidr6) tuple. The domain portion defaults to d if not present, the cidr defaults to 32 if not present. Examples: >>> parse_mechanism('a', 'foo.com') ('a', 'foo.com', None, None) >>> parse_mechanism('exists','foo.com') ('exists', None, None, None) >>> parse_mechanism('a:bar.com', 'foo.com') ('a', 'bar.com', None, None) >>> parse_mechanism('a/24', 'foo.com') ('a', 'foo.com', 24, None) >>> parse_mechanism('A:foo:bar.com/16//48', 'foo.com') ('a', 'foo:bar.com', 16, 48) >>> parse_mechanism('-exists:%{i}.%{s1}.100/86400.rate.%{d}','foo.com') ('-exists', '%{i}.%{s1}.100/86400.rate.%{d}', None, None) >>> parse_mechanism('mx:%%%_/.Claranet.de/27','foo.com') ('mx', '%%%_/.Claranet.de', 27, None) >>> parse_mechanism('mx:%{d}//97','foo.com') ('mx', '%{d}', None, 97) >>> parse_mechanism('iP4:192.0.0.0/8','foo.com') ('ip4', '192.0.0.0', 8, None) """ a = RE_DUAL_CIDR.split(str) if len(a) == 3: str, cidr6 = a[0], int(a[1]) else: cidr6 = None a = RE_CIDR.split(str) if len(a) == 3: str, cidr = a[0], int(a[1]) else: cidr = None a = str.split(':', 1) if len(a) < 2: str = str.lower() if str == 'exists': d = None return str, d, cidr, cidr6 return a[0].lower(), a[1], cidr, cidr6 def reverse_dots(name): """Reverse dotted IP addresses or domain names. Example: >>> reverse_dots('192.168.0.145') '145.0.168.192' >>> reverse_dots('email.example.com') 'com.example.email' """ a = name.split('.') a.reverse() return '.'.join(a) def domainmatch(ptrs, domainsuffix): """grep for a given domain suffix against a list of validated PTR domain names. Examples: >>> domainmatch(['FOO.COM'], 'foo.com') 1 >>> domainmatch(['moo.foo.com'], 'FOO.COM') 1 >>> domainmatch(['moo.bar.com'], 'foo.com') 0 """ domainsuffix = domainsuffix.lower() for ptr in ptrs: ptr = ptr.lower() if ptr == domainsuffix or ptr.endswith('.' + domainsuffix): return True return False def expand_one(expansion, str, joiner): if not str: return expansion ln, reverse, delimiters = RE_ARGS.split(str)[1:4] if not delimiters: delimiters = '.' expansion = split(expansion, delimiters, joiner) if reverse: expansion.reverse() if ln: expansion = expansion[-int(ln)*2+1:] return ''.join(expansion) def split(str, delimiters, joiner=None): """Split a string into pieces by a set of delimiter characters. The resulting list is delimited by joiner, or the original delimiter if joiner is not specified. Examples: >>> split('192.168.0.45', '.') ['192', '.', '168', '.', '0', '.', '45'] >>> split('terry@wayforward.net', '@.') ['terry', '@', 'wayforward', '.', 'net'] >>> split('terry@wayforward.net', '@.', '.') ['terry', '.', 'wayforward', '.', 'net'] """ result, element = [], '' for c in str: if c in delimiters: result.append(element) element = '' if joiner: result.append(joiner) else: result.append(c) else: element += c result.append(element) return result def insert_libspf_local_policy(spftxt, local=None): """Returns spftxt with local inserted just before last non-fail mechanism. This is how the libspf{2} libraries handle "local-policy". Examples: >>> insert_libspf_local_policy('v=spf1 -all') 'v=spf1 -all' >>> insert_libspf_local_policy('v=spf1 -all','mx') 'v=spf1 -all' >>> insert_libspf_local_policy('v=spf1','a mx ptr') 'v=spf1 a mx ptr' >>> insert_libspf_local_policy('v=spf1 mx -all','a ptr') 'v=spf1 mx a ptr -all' >>> insert_libspf_local_policy('v=spf1 mx -include:foo.co +all','a ptr') 'v=spf1 mx a ptr -include:foo.co +all' # FIXME: is this right? If so, "last non-fail" is a bogus description. >>> insert_libspf_local_policy('v=spf1 mx ?include:foo.co +all','a ptr') 'v=spf1 mx a ptr ?include:foo.co +all' >>> spf='v=spf1 ip4:1.2.3.4 -a:example.net -all' >>> local='ip4:192.0.2.3 a:example.org' >>> insert_libspf_local_policy(spf,local) 'v=spf1 ip4:1.2.3.4 ip4:192.0.2.3 a:example.org -a:example.net -all' """ # look to find the all (if any) and then put local # just after last non-fail mechanism. This is how # libspf2 handles "local policy", and some people # apparently find it useful (don't ask me why). if not local: return spftxt spf = spftxt.split()[1:] if spf: # local policy is SPF mechanisms/modifiers with no # 'v=spf1' at the start spf.reverse() #find the last non-fail mechanism for mech in spf: # map '?' '+' or '-' to 'neutral' 'pass' # or 'fail' if not RESULTS.get(mech[0]): # actually finds last mech with default result where = spf.index(mech) spf[where:where] = [local] spf.reverse() local = ' '.join(spf) break else: return spftxt # No local policy adds for v=spf1 -all # Processing limits not applied to local policy. Suggest # inserting 'local' mechanism to handle this properly #MAX_LOOKUP = 100 return 'v=spf1 '+local if sys.version_info[0] == 2: def to_ascii(s): "Raise PermError if arg is not 7-bit ascii." try: return s.encode('ascii') except UnicodeError: raise PermError('Non-ascii characters found',repr(s)) else: def to_ascii(s): "Raise PermError if arg is not 7-bit ascii." try: return s.decode('ascii') except UnicodeError: raise PermError('Non-ascii characters found',repr(s)) def _test(): import doctest, spf return doctest.testmod(spf) if __name__ == '__main__': import getopt try: opts,argv = getopt.getopt(sys.argv[1:],"hvs:", ["help","verbose","strict"]) except getopt.GetoptError as err: print(str(err)) print(USAGE) sys.exit(2) verbose = False strict = True for o,a in opts: if o in ('-v','--verbose'): verbose = True if o in ('-s','--strict'): strict = int(a) elif o in ('-h','--help'): print(USAGE) if len(argv) == 0: print(USAGE) _test() elif len(argv) == 1: try: q = query(i='127.0.0.1', s='localhost', h='unknown', receiver=socket.gethostname()) print(q.dns_spf(argv[0])) except TempError as x: print("Temporary DNS error: ", x) except PermError as x: print("PermError: ", x) elif len(argv) == 3: i, s, h = argv q = query(i=i, s=s, h=h,receiver=socket.gethostname(),verbose=verbose, strict=strict) r = q.check() print('result:',r,q.mechanism) if r[0] == 'none': print('guessed:',q.best_guess(),q.mechanism) if q.perm_error and q.perm_error.ext: print('lax:',q.perm_error.ext) if q.iplist: for ip in q.iplist: print(ip) elif len(argv) == 4: i, s, h = argv[1:] q = query(i=i, s=s, h=h, receiver=socket.gethostname(), strict=False, verbose=verbose) r = q.check(argv[0]) print('result:',r,q.mechanism) if r[0] == 'none': print('guessed:',q.best_guess(),q.mechanism) if q.perm_error and q.perm_error.ext: print('lax:',q.perm_error.ext) if q.iplist: for ip in q.iplist: print(ip) else: print(USAGE) pyspf-2.0.14/test/0000775000175000017500000000000013603255513014611 5ustar stuartstuart00000000000000pyspf-2.0.14/test/doctest.yml0000664000175000017500000000202613533304532016777 0ustar stuartstuart00000000000000# Zonedata for doctests zonedata: example.net: - A: 192.0.32.10 _exp.controlledmail.com: - TXT: Controlledmail.com does not send mail from itself. _spf.controlledmail.com: - TXT: v=spf1 ip4:72.81.252.18 ip4:72.81.252.19 ip4:208.43.65.50 ip6:2607:f0d0:3001:00aa:0000:0000:0000:0002 -all controlledmail.com: - TXT: v=spf1 redirect=_spf.controlledmail.com parallel.kitterman.org: - TXT: v=spf1 include:long.kitterman.org include:cname.kitterman.org -all a.example.org: - TXT: "Another TXT record." - SPF: "v=spf1 ip4:192.0.2.225 ?include:webmail.pair.com ?include:relay.pair.com -all" - TXT: "More TXT records." - TXT: "A third TXT record." - AAAA: 2001:db8:ff0:300::4 b.example.org: - CNAME: "a.example.org" parallel.example.org: - SPF: "v=spf1 include:a.example.org include:b.example.org -all" - A: 192.0.2.28 webmail.pair.com: - TXT: "v=spf1 ip4:66.39.3.0/24 ip4:209.68.6.94/32" relay.pair.com: - TXT: "v=spf1 ip4:209.68.5.9/32 ip4:209.68.5.15/32 a -all" - A: 192.0.2.131 pyspf-2.0.14/test/rfc7208-tests.LICENSE0000664000175000017500000000302713353537453020062 0ustar stuartstuart00000000000000The RFC 7208 test-suite (rfc7208-tests.yml) is (C) 2006-2008 Stuart D Gathman 2007-2008 Julian Mehnle 2014 Scott Kitterman All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. The names of the authors may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. pyspf-2.0.14/test/rfc7208-tests.CHANGES0000664000175000017500000001473313533304532020044 0ustar stuartstuart00000000000000# Legend: # --- = A new release # ! = Added a test case or otherwise tightened a requirement, possibly # causing implementations to become incompliant with the current # test-suite release # - = Removed a test case or otherwise relaxed a requirement # * = Fixed a bug, or made a minor improvement --- 2019.08 (UNRELEASED) ! Added multiple tests for creative syntax errors in SPF records that were breaking implementations. --- 2014.04 (UNRELEASED) ! Updates for RFC 7208 (4408bis) ! Updated multiple tests not to consider type SPF records under mixed conditions - Note: due to the way the test suite is structured, many records are still labled SPF internally, but for test functions, it doesn't matter externally. - Removed "invalid-domain-empty-label", "invalid-domain-long", and "invalid-domain-long-via-macro". Since RFC 7208 explicitly describes the results for these conditions as undefined, there's no point in testing for a particular result. ! Modified multiple tests to remove ambiguous results for cases that were ambiguous in RFC 4408, but have been clarified in RFC 7208. ! Changed "mx-limit" test to produce permerror result per changes in RFC 7208 ! Added "invalid-trailing-macro-char" and "invalid-embedded-macro-char" tests from Stuart on pyspf trunk --- 2009.10 (2009-10-31 20:00) ! Added test case: ! "macro-multiple-delimiters": Multiple delimiters in a macro expression must be supported. * Fixed "multitxt2" test case failing with SPF-type-only implementations. Tolerate a "None" result to accomodate those. --- 2008.08 (2008-08-17 16:00) ! "invalid-domain-empty-label", "invalid-domain-long", "invalid-domain-long-via-macro" test cases: A that is a valid domain-spec per RFC 4408 but an invalid domain name per RFC 1035 (two successive dots or labels longer than 63 characters) must be treated either as a "PermError" or as non-existent and thus a no-match. (In particular, those cases can never cause a TempError because the error is guaranteed to reoccur given the same input data. This applies likewise to RFC-1035-invalid s that are the result of macro expansion.) Refined descriptions and comments to that end. The no-match behavior can be inferred by analogy from 4.3/1 and 5/10/3. The spec reference to 8.1/2 is bogus because the formal grammar does not preclude such invalid domain names. ! The "exp= without domain-spec" controversy has been resolved; it must be a syntax error. Tightened "exp-empty-domain" test case accordingly. ! Added test cases: ! "a-dash-in-toplabel": may contain dashes. Implementations matching non-greedily may get that wrong. ! "a-only-toplabel", "a-only-toplabel-trailing-dot": Both "a:museum" and "a:museum." are invalid syntax. A bare top-label is insufficient, with or without a trailing dot. ! "exp-no-txt", "exp-dns-error": Clearly, "exp=" referring to a non-existent TXT RR, or the look-up resulting in a DNS error, must cause the "exp=" modifier to be ignored per 6.2/4. ! "macro-mania-in-domain": Test macro-encoded percents (%%), spaces (%_), and URL-percent-encoded spaces (%20) in . ! "macro-reverse-split-on-dash": Test transformation of macro expansion results: splitting on non-dot separator characters, reversal, number of right-hand parts to use. - Removed "a-valid-syntax-but-unqueryable" test case. It is redundant to the "invalid-domain-empty-label" test case. - Relaxed "multispf1" test case: If performed via live DNS (yes, some people do that!), this test may be ineffective as DNS resolvers may combine multiple identical RRs. Thus, tolerate the test failing in this manner. * Adjusted "multispf2" test case: Avoid combination of multiple identical RRs by using different capitalization in intentionally duplicate RRs. * Renamed test cases: a-numeric-top-label -> a-numeric-toplabel a-bad-toplab -> a-bad-toplabel --- 2007.05 (2007-05-30 21:00) - "exp-empty-domain" test case is subject to controversy. "exp=" with an empty domain-spec may be considered a syntax error or not, thus both "Fail" and "PermError" results are acceptable for now. * Renamed the old "exp-syntax-error" test case to "explanation-syntax-error" to indicate that it refers to syntax errors in the explanation string, not in the "exp=" modifier. ! Added test cases: ! "exp-syntax-error", "redirect-syntax-error": Syntax errors in "exp=" and "redirect=" must be treated as such. ! "a-empty-domain", "mx-empty-domain", "ptr-empty-domain", "include-empty-domain", "redirect-empty-domain": "a:", "mx:", "ptr:", "include:", and "redirect=" with an empty domain-spec are syntax errors. ! "include-cidr": "include:/" is a syntax error. ! "helo-not-fqdn", "helo-domain-literal", "domain-literal": A non-FQDN HELO or MAIL FROM must result in a "None" result. ! "hello-domain-literal": Macro expansion results must not be checked for syntax errors, but must rather be treated as non-matches if nonsensical. ! "false-a-limit": There is no limit for the number of A records resulting from an "a:"-induced lookup, and no such limit must be imposed. ! "default-modifier-obsolete(2)": The "default=" modifier used in very old spec drafts must be ignored by RFC 4408 implementations. --- 2007.01 (2007-01-14 05:19) ! Added test cases: ! "nospftxttimeout": If no SPF-type record is present and the TXT lookup times out, the result must either be "None" (preferred) or "TempError". ! "exp-multiple-txt", "exp-syntax-error": Multiple explanation string TXT records and syntax errors in explanation strings must be ignored (i.e., specifically "PermError" must NOT be returned). ! "exp-empty-domain": "exp=" with an empty domain-spec is to be tolerated, i.e., ignored, too. (This is under debate.) ! "exp-twice", "redirect-twice": Added. Multiple "exp=" or "redirect=" modifiers are prohibited. * "Macro expansion rules" scenario: Fixed a bug that caused TXT-only implementations to fail several tests incorrectly due to a real TXT record blocking the automatic synthesis of TXT records from the corresponding SPF-type records. --- 2006.11 (initial release) (2006-11-27 21:27) # $Id$ # vim:tw=79 sts=2 sw=2 pyspf-2.0.14/test/test.yml0000664000175000017500000001223613433554216016322 0ustar stuartstuart00000000000000# This is the test suite used during development of the pyspf library. # It is a collection of ad hoc tests based on bug reports. It is the # goal of the SPF test project to have an elegant and minimal test suite # that reflects RFC 4408. However, this should help get things started # by serving as a example of what tests look like. Also, any implementation # that flunks this, should flunk the minimal elegant suite as well. # # We extended the test attributes with 'receiver' and 'header' to test # our implementation of the Received-SPF header. This cannot easily # be part of the RFC test suite because of wide latitude in formatting. # --- comment: | check basic exists with macros tests: exists-pass: helo: mail.example.net host: 1.2.3.5 mailfrom: lyme.eater@example.co.uk result: pass receiver: receiver.com header: >- Pass (receiver.com: domain of example.co.uk designates 1.2.3.5 as permitted sender) client-ip=1.2.3.5; envelope-from="lyme.eater@example.co.uk"; helo=mail.example.net; receiver=receiver.com; mechanism="exists:%{l}.%{d}.%{i}.spf.example.net"; identity=mailfrom exists-fail: helo: mail.example.net host: 1.2.3.4 mailfrom: lyme.eater@example.co.uk result: fail zonedata: lyme.eater.example.co.uk.1.2.3.5.spf.example.net: - A: 127.0.0.1 example.co.uk: - SPF: v=spf1 mx/26 exists:%{l}.%{d}.%{i}.spf.example.net -all --- comment: | permerror detection tests: incloop: comment: | include loop helo: mail.example.com host: 66.150.186.79 mailfrom: chuckvsr@examplea.com result: permerror badall: helo: mail.example.com host: 66.150.186.79 mailfrom: chuckvsr@examplec.com result: permerror baddomain: helo: mail.example.com host: 66.150.186.79 mailfrom: chuckvsr@exampled.com result: permerror receiver: receiver.com header: >- PermError (receiver.com: permanent error in processing domain of exampled.com: Invalid domain found (use FQDN)) client-ip=66.150.186.79; envelope-from="chuckvsr@exampled.com"; helo=mail.example.com; receiver=receiver.com; problem="examplea.com:8080"; identity=mailfrom tworecs: helo: mail.example.com host: 66.150.186.79 mailfrom: chuckvsr@examplef.com result: permerror receiver: receiver.com header: >- PermError (receiver.com: permanent error in processing domain of examplef.com: Two or more type TXT spf records found.) client-ip=66.150.186.79; envelope-from="chuckvsr@examplef.com"; helo=mail.example.com; receiver=receiver.com; identity=mailfrom badip: helo: mail.example.com host: 66.150.186.79 mailfrom: chuckvsr@examplee.com result: permerror zonedata: examplea.com: - SPF: v=spf1 a mx include:b.com exampleb.com: - SPF: v=spf1 a mx include:a.com examplec.com: - SPF: v=spf1 -all:foobar exampled.com: - SPF: v=spf1 a:examplea.com:8080 examplee.com: - SPF: v=spf1 ip4:1.2.3.4:8080 examplef.com: - SPF: v=spf1 -all - SPF: v=spf1 +all --- tests: nospace1: comment: | test no space test multi-line comment helo: mail.example1.com host: 1.2.3.4 mailfrom: foo@example2.com result: none empty: comment: | test empty helo: mail1.example1.com host: 1.2.3.4 mailfrom: foo@example1.com result: neutral nospace2: helo: mail.example1.com host: 1.2.3.4 mailfrom: foo@example3.com result: pass zonedata: example3.com: - SPF: [ 'v=spf1','mx' ] - SPF: [ 'v=spf1 ', 'mx' ] - MX: [0, mail.example1.com] example1.com: - SPF: v=spf1 example2.com: - SPF: v=spf1mx mail.example1.com: - A: 1.2.3.4 --- comment: | corner cases tests: emptyMX: comment: | test empty MX helo: mail.example.com host: 1.2.3.4 mailfrom: "" result: neutral localhost: helo: mail.example.com host: 127.0.0.1 mailfrom: root@example.com result: fail default-modifier: comment: | default modifier implemented in lax mode for compatibility helo: mail.example.com host: 1.2.3.4 mailfrom: root@e1.example.com result: fail strict: 0 default-modifier-harsh: comment: | default modifier implemented in lax mode for compatibility helo: mail.example.com host: 1.2.3.4 mailfrom: root@e1.example.com result: ambiguous strict: 2 cname-chain: comment: | pyspf was duplicating TXT (and other) records while following CNAME helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e2.example.com result: pass null-cname: comment: | pyspf was getting a type error for null CNAMEs Thanks to Kazuhiro Ogura helo: mail.example.com host: 1.2.3.4 mailfrom: bar@e3.example.com result: softfail zonedata: mail.example.com: - MX: [0, ''] - SPF: v=spf1 mx example.com: - SPF: v=spf1 -all e1.example.com: - SPF: v=spf1 default=- e2.example.com: - CNAME: c1.example.com. c1.example.com: - CNAME: c2.example.com. c2.example.com: - SPF: v=spf1 a a:c1.example.com -all - A: 1.2.3.4 mx1.example.com: - CNAME: '' e3.example.com: - SPF: v=spf1 a:mx1.example.com mx:mx1.example.com ~all pyspf-2.0.14/test/testspf.py0000664000175000017500000001714013603204342016650 0ustar stuartstuart00000000000000# Author: Stuart D. Gathman # Copyright 2006 Business Management Systems, Inc. # This module is free software, and you may redistribute it and/or modify # it under the same terms as Python itself, so long as this copyright message # and disclaimer are retained in their original form. # Run SPF test cases in the YAML format specified by the SPF council. from __future__ import print_function import unittest import socket import sys import spf import re try: import yaml except: print("yaml can be found at http://pyyaml.org/") print("Tested with PYYAML 3.04 up to 5.1.2") raise zonedata = {} RE_IP4 = re.compile(r'\.'.join( [r'(?:\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])']*4)+'$') def DNSLookup(name,qtype,strict=True,timeout=None,level=0): try: #print name,qtype timeout = True # emulate pydns-2.3.0 label processing a = [] for label in name.split('.'): if label: if len(label) > 63: raise spf.TempError('DNS label too long') a.append(label) name = '.'.join(a) for i in zonedata[name.lower()]: if i == 'TIMEOUT': if timeout: raise spf.TempError('DNS timeout') return t,v,n = i if t == qtype: timeout = False if v == 'TIMEOUT': if t == qtype: raise spf.TempError('DNS timeout') continue # keep test zonedata human readable, but translate to simulate pydns if t == 'AAAA': v = bytes(socket.inet_pton(socket.AF_INET6,v)) elif t in ('TXT','SPF'): v = tuple([s.encode('utf-8') for s in v]) yield ((n,t),v) # emulate CNAME additional info for 1 level if not level and t == 'CNAME': for j in DNSLookup(v,qtype,strict,timeout,1): yield j except KeyError: if name.startswith('error.'): raise spf.TempError('DNS timeout') spf.DNSLookup = DNSLookup class SPFTest(object): def __init__(self,testid,scenario,data={}): self.id = testid self.scenario = scenario self.explanation = None self.bestguess = None self.spec = None self.header = None self.strict = True self.receiver = None self.comment = [] if 'result' not in data: print(testid,'missing result') for k,v in list(data.items()): setattr(self,k,v) if type(self.comment) is str: self.comment = self.comment.splitlines() def getrdata(r,name): "Unpack rdata given as list of maps to list of tuples." txt = [] # generated TXT records gen = True for m in r: try: for i in list(m.items()): t,v = i if t in ('TXT','SPF') and type(v) == str: v = (v,) if t == 'TXT': gen = False # no generated TXT records elif t == 'SPF' and gen: txt.append(('TXT',v,name)) if v != ('NONE',): yield (t,v,name) except: yield m if gen: for i in txt: yield i def loadZone(data): return dict([ (d.lower(), list(getrdata(r,d))) for d,r in list(data['zonedata'].items()) ]) class SPFScenario(object): def __init__(self,filename=None,data={}): self.id = None self.filename = filename self.comment = [] self.zonedata = {} self.tests = {} if data: self.zonedata= loadZone(data) #print self.zonedata for t,v in list(data['tests'].items()): self.tests[t] = SPFTest(t,self,v) if 'id' in data: self.id = data['id'] if 'comment' in data: self.comment = data['comment'].splitlines() def addDNS(self,name,val): self.zonedata.setdefault(name,[]).append(val) def addTest(self,test): self.tests[test.id] = test def loadYAML(fname): "Load testcases in YAML format. Return map of SPFTests by name." fp = open(fname,'rb') try: tests = {} for s in yaml.safe_load_all(fp): scenario = SPFScenario(fname,data=s) for k,v in list(scenario.tests.items()): tests[k] = v return tests finally: fp.close() oldresults = { 'unknown': 'permerror', 'error': 'temperror' } verbose = 0 warnings = [] class SPFTestCase(unittest.TestCase): def __init__(self,t): unittest.TestCase.__init__(self) self._spftest = t self._testMethodName = 'runTest' self._testMethodDoc = str(t.spec) def id(self): t = self._spftest return t.id + ' in ' + t.scenario.filename def setUp(self): global zonedata self.savezonedata = zonedata def tearDown(self): global zonedata zonedata = self.savezonedata def warn(self,msg): global warnings warnings.append(msg) def runTest(self): global zonedata t = self._spftest zonedata = t.scenario.zonedata q = spf.query(i=t.host, s=t.mailfrom, h=t.helo, strict=t.strict) q.verbose = verbose q.set_default_explanation('DEFAULT') res,code,exp = q.check() #print q.mechanism if res in oldresults: res = oldresults[res] ok = True msg = '' if res != t.result and res not in t.result: if verbose: msg += ' '.join((t.result,'!=',res))+'\n' ok = False elif res != t.result and res != t.result[0]: self.warn("WARN: %s in %s, %s: %s preferred to %s" % ( t.id,t.scenario.filename,t.spec,t.result[0],res)) if t.explanation is not None and t.explanation != exp: if verbose: msg += ' '.join((t.explanation,'!=',exp))+'\n' ok = False if t.header: self.assertEqual(t.header,q.get_header(res,receiver=t.receiver)) if q.perm_error and t.bestguess is not None \ and q.perm_error.ext[0] != t.bestguess: ok = False if not ok: print('Session cache:',q.cache) if verbose and not t.explanation: msg += exp+'\n' if verbose > 1: msg += t.scenario.zonedata self.fail(msg+"%s in %s failed, %s" % (t.id,t.scenario.filename,t.spec)) class SPFTestCases(unittest.TestCase): def testInvalidSPF(self): i, s, h = '1.2.3.4','sender@domain','helo' q = spf.query(i=i, s=s, h=h, receiver='localhost', strict=False) res,code,txt = q.check('v=spf1...') self.assertEqual('none',res) q = spf.query(i=i, s=s, h=h, receiver='localhost', strict=2) res,code,txt = q.check('v=spf1...') self.assertEqual('ambiguous',res) def makeSuite(filename): suite = unittest.TestSuite() for t in loadYAML(filename).values(): suite.addTest(SPFTestCase(t)) return suite def docsuite(): suite = unittest.makeSuite(SPFTestCases,'test') try: import authres except: print("no authres module: skipping doctests") return suite import doctest suite.addTest(doctest.DocTestSuite(spf)) return suite def suite(skipdoc=False): suite = docsuite() suite.addTest(makeSuite('test.yml')) suite.addTest(makeSuite('rfc7208-tests.yml')) suite.addTest(makeSuite('rfc4408-tests.yml')) return suite if __name__ == '__main__': tc = None doctest = False for i in sys.argv[1:]: if i == '-v': verbose += 1 continue if i == '-d': doctest = True continue # a specific test selected by id from YAML files if not tc: tc = unittest.TestSuite() t0 = loadYAML('rfc7208-tests.yml') t1 = loadYAML('rfc4408-tests.yml') t2 = loadYAML('test.yml') if i in t0: tc.addTest(SPFTestCase(t0[i])) if i in t1: tc.addTest(SPFTestCase(t1[i])) if i in t2: tc.addTest(SPFTestCase(t2[i])) if not tc: # load zonedata for doctests with open('doctest.yml','rb') as fp: zonedata = loadZone(next(yaml.safe_load_all(fp))) if doctest: tc = docsuite() # doctests only else: tc = suite() # all tests, including doctests runner = unittest.TextTestRunner() res = runner.run(tc) for s in warnings: print(s) if not res.wasSuccessful(): sys.exit(1) pyspf-2.0.14/test/rfc7208-tests.yml0000664000175000017500000023214213533304532017571 0ustar stuartstuart00000000000000# This is the openspf.org test suite (release 2014.04) based on RFC 7208. # http://www.openspf.org/Test_Suite # # $Id$ # vim:sw=2 sts=2 et # # See rfc7208-tests.CHANGES for a changelog. # # Contributors: # Stuart D Gathman 90% of the tests # Julian Mehnle some tests, proofread YAML syntax, formal schema # Frank Ellermann # Scott Kitterman # Wayne Schlitt # Craig Whitmore # Norman Maurer # Mark Shewmaker # Philip Gladstone # # For RFC 4408, the test suite was designed for use with SPF (type 99) and TXT # implementations. In RFC 7208, use of type SPF has been removed. # # The "Selecting records" test section is the only one concerned with weeding # out (incorrect) queries for type SPF of any kind or proper response to # duplicate or conflicting records. Other sections rely on auto-magic # duplication of SPF to TXT records (by test suite drivers) to test all # implementation types with one specification. # # All new tests should use Documentation IPs for both IP4 and IP6. I was # stupid to use 1.2.3.4 - that is a real global IP (although it doesn't ping). # --- description: Initial processing tests: toolonglabel: description: >- DNS labels limited to 63 chars. comment: >- For initial processing, a long label results in None, not TempError spec: 4.3/1 helo: mail.example.net host: 1.2.3.5 mailfrom: lyme.eater@A123456789012345678901234567890123456789012345678901234567890123.example.com result: none longlabel: description: >- DNS labels limited to 63 chars. spec: 4.3/1 helo: mail.example.net host: 1.2.3.5 mailfrom: lyme.eater@A12345678901234567890123456789012345678901234567890123456789012.example.com result: fail emptylabel: spec: 4.3/1 helo: mail.example.net host: 1.2.3.5 mailfrom: lyme.eater@A...example.com result: none helo-not-fqdn: spec: 4.3/1 helo: A2345678 host: 1.2.3.5 mailfrom: "" result: none helo-domain-literal: spec: 4.3/1 helo: "[1.2.3.5]" host: 1.2.3.5 mailfrom: "" result: none nolocalpart: spec: 4.3/2 helo: mail.example.net host: 1.2.3.4 mailfrom: '@example.net' result: fail explanation: postmaster domain-literal: spec: 4.3/1 helo: OEMCOMPUTER host: 1.2.3.5 mailfrom: "foo@[1.2.3.5]" result: none non-ascii-policy: description: >- SPF policies are restricted to 7-bit ascii. spec: 3.1/1 helo: hosed host: 1.2.3.4 mailfrom: "foobar@hosed.example.com" result: permerror non-ascii-mech: description: >- SPF policies are restricted to 7-bit ascii. comment: >- Checking a possibly different code path for non-ascii chars. spec: 3.1/1 helo: hosed host: 1.2.3.4 mailfrom: "foobar@hosed2.example.com" result: permerror non-ascii-result: description: >- SPF policies are restricted to 7-bit ascii. comment: >- Checking yet another code path for non-ascii chars. spec: 3.1/1 helo: hosed host: 1.2.3.4 mailfrom: "foobar@hosed3.example.com" result: permerror non-ascii-non-spf: description: >- Non-ascii content in non-SPF related records. comment: >- Non-SPF related TXT records are none of our business. spec: 4.5/1 helo: hosed host: 1.2.3.4 mailfrom: "foobar@nothosed.example.com" result: fail explanation: DEFAULT control-char-policy: description: >- Mechanisms are separated by spaces only, not any control char. spec: 4.6.1/2 helo: hosed host: 192.0.2.3 mailfrom: "foobar@ctrl.example.com" result: permerror two-spaces: description: >- ABNF for term separation is one or more spaces, not just one. spec: 4.6.1 helo: hosed host: 1.2.3.4 mailfrom: "actually@fine.example.com" result: fail trailing-space: description: >- ABNF for record does allow trailing spaces. comment: >- record = version terms *SP spec: 4.5/2 helo: hosed host: 192.0.2.5 mailfrom: "silly@trail.example.com" result: fail null-text: description: >- Multiple strings are glued together with no separator. comment: >- Note that null text (no strings) is illegal, but SPF should not crash. spec: 3.3 helo: hosed host: 192.0.2.5 mailfrom: "silly@null.example.com" result: pass badip4: description: >- Mechanisms are separated by spaces only, not any control char. spec: 4.6.1/2 helo: foobar host: 192.0.2.5 mailfrom: "oops@badip.example.com" result: permerror zonedata: example.com: - TIMEOUT example.net: - SPF: v=spf1 -all exp=exp.example.net a.example.net: - SPF: v=spf1 -all exp=exp.example.net exp.example.net: - TXT: '%{l}' a12345678901234567890123456789012345678901234567890123456789012.example.com: - SPF: v=spf1 -all hosed.example.com: - SPF: "v=spf1 a:\xEF\xBB\xBFgarbage.example.net -all" hosed2.example.com: - SPF: "v=spf1 \x80a:example.net -all" hosed3.example.com: - SPF: "v=spf1 a:example.net \x96all" nothosed.example.com: - SPF: "v=spf1 a:example.net -all" - SPF: "\x96" ctrl.example.com: - SPF: "v=spf1 a:ctrl.example.com\x0dptr -all" - A: 192.0.2.3 fine.example.com: - SPF: "v=spf1 a -all" trail.example.com: - SPF: "v=spf1 a -all " null.example.com: - SPF: [ "v=spf1 ip4:", "192.0.2.5 -all" ] - SPF: [ ] badip.example.com: - SPF: "v=spf1 ip4:192.0.2.5\x0a include:spf.protection.outlook.com ~all" --- description: Record lookup tests: both: spec: 4.4/1 helo: mail.example.net host: 1.2.3.4 mailfrom: foo@both.example.net result: fail txtonly: description: Result is none if checking SPF records only (which you should not be doing). spec: 4.4/1 helo: mail.example.net host: 1.2.3.4 mailfrom: foo@txtonly.example.net result: fail spfonly: description: Result is none if checking TXT records only. spec: 4.4/1 helo: mail.example.net host: 1.2.3.4 mailfrom: foo@spfonly.example.net result: none spftimeout: description: >- TXT record present, but SPF lookup times out. Result is temperror if checking SPF records only. Fortunately, we don't do type SPF anymore. comment: >- This actually happens for a popular braindead DNS server. spec: 4.4/1 helo: mail.example.net host: 1.2.3.4 mailfrom: foo@spftimeout.example.net result: fail txttimeout: description: >- SPF record present, but TXT lookup times out. If only TXT records are checked, result is temperror. spec: 4.4/1 helo: mail.example.net host: 1.2.3.4 mailfrom: foo@txttimeout.example.net result: temperror nospftxttimeout: description: >- No SPF record present, and TXT lookup times out. If only TXT records are checked, result is temperror. comment: >- Because TXT records is where v=spf1 records will likely be, returning temperror will try again later. A timeout due to a braindead server is unlikely in the case of TXT, as opposed to the newer SPF RR. spec: 4.4/1 helo: mail.example.net host: 1.2.3.4 mailfrom: foo@nospftxttimeout.example.net result: temperror alltimeout: description: Both TXT and SPF queries time out spec: 4.4/2 helo: mail.example.net host: 1.2.3.4 mailfrom: foo@alltimeout.example.net result: temperror zonedata: both.example.net: - TXT: v=spf1 -all - SPF: v=spf1 -all txtonly.example.net: - TXT: v=spf1 -all spfonly.example.net: - SPF: v=spf1 -all - TXT: NONE spftimeout.example.net: - TXT: v=spf1 -all - TIMEOUT txttimeout.example.net: - SPF: v=spf1 -all - TXT: NONE - TIMEOUT nospftxttimeout.example.net: - SPF: "v=spf3 !a:yahoo.com -all" - TXT: NONE - TIMEOUT alltimeout.example.net: - TIMEOUT --- description: Selecting records tests: nospace1: description: >- Version must be terminated by space or end of record. TXT pieces are joined without intervening spaces. spec: 4.5/4 helo: mail.example1.com host: 1.2.3.4 mailfrom: foo@example2.com result: none empty: description: Empty SPF record. spec: 4.5/4 helo: mail1.example1.com host: 1.2.3.4 mailfrom: foo@example1.com result: neutral nospace2: spec: 4.5/4 helo: mail.example1.com host: 1.2.3.4 mailfrom: foo@example3.com result: pass spfoverride: description: >- SPF records no longer used. spec: 4.5/5 helo: mail.example1.com host: 1.2.3.4 mailfrom: foo@example4.com result: fail multitxt1: description: >- Implementations should give permerror/unknown because of the conflicting TXT records. spec: 4.5/5 helo: mail.example1.com host: 1.2.3.4 mailfrom: foo@example5.com result: permerror multitxt2: description: >- Multiple records is a permerror, v=spf1 is case insensitive spec: 4.5/6 helo: mail.example1.com host: 1.2.3.4 mailfrom: foo@example6.com result: permerror multispf1: description: >- Multiple records is a permerror, even when they are identical. However, this situation cannot be reliably reproduced with live DNS since cache and resolvers are allowed to combine identical records. spec: 4.5/6 helo: mail.example1.com host: 1.2.3.4 mailfrom: foo@example7.com result: [permerror, fail] multispf2: description: >- Ignoring SPF-type records will give pass because there is a (single) TXT record. spec: 4.5/6 helo: mail.example1.com host: 1.2.3.4 mailfrom: foo@example8.com result: pass nospf: spec: 4.5/7 helo: mail.example1.com host: 1.2.3.4 mailfrom: foo@mail.example1.com result: none case-insensitive: description: >- v=spf1 is case insensitive spec: 4.5/6 helo: mail.example1.com host: 1.2.3.4 mailfrom: foo@example9.com result: softfail zonedata: example3.com: - SPF: v=spf10 - SPF: v=spf1 mx - MX: [0, mail.example1.com] example1.com: - SPF: v=spf1 example2.com: - SPF: ['v=spf1', 'mx'] mail.example1.com: - A: 1.2.3.4 example4.com: - SPF: v=spf1 +all - TXT: v=spf1 -all example5.com: - SPF: v=spf1 +all - TXT: v=spf1 -all - TXT: v=spf1 +all example6.com: - SPF: v=spf1 -all - SPF: V=sPf1 +all example7.com: - SPF: v=spf1 -all - SPF: v=spf1 -all example8.com: - SPF: V=spf1 -all - SPF: v=spf1 -all - TXT: v=spf1 +all example9.com: - SPF: v=SpF1 ~all --- description: Record evaluation tests: detect-errors-anywhere: description: Any syntax errors anywhere in the record MUST be detected. spec: 4.6 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@t1.example.com result: permerror modifier-charset-good: description: name = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." ) spec: 4.6.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@t2.example.com result: pass modifier-charset-bad1: description: >- '=' character immediately after the name and before any ":" or "/" spec: 4.6.1/4 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@t3.example.com result: permerror modifier-charset-bad2: description: >- '=' character immediately after the name and before any ":" or "/" spec: 4.6.1/4 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@t4.example.com result: permerror redirect-after-mechanisms1: description: >- The "redirect" modifier has an effect after all the mechanisms. comment: >- The redirect in this example would violate processing limits, except that it is never used because of the all mechanism. spec: 4.6.3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@t5.example.com result: softfail redirect-after-mechanisms2: description: >- The "redirect" modifier has an effect after all the mechanisms. spec: 4.6.3 helo: mail.example.com host: 1.2.3.5 mailfrom: foo@t6.example.com result: fail default-result: description: Default result is neutral. spec: 4.7/1 helo: mail.example.com host: 1.2.3.5 mailfrom: foo@t7.example.com result: neutral redirect-is-modifier: description: |- Invalid mechanism. Redirect is a modifier. spec: 4.6.1/4 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@t8.example.com result: permerror invalid-domain: description: >- Domain-spec must end in macro-expand or valid toplabel. spec: 7.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@t9.example.com result: permerror invalid-domain-empty-label: description: >- target-name that is a valid domain-spec per RFC 4408 and RFC 7208 but an invalid domain name per RFC 1035 (empty label) should be treated as non-existent. comment: >- An empty domain label, i.e. two successive dots, in a mechanism target-name is valid domain-spec syntax (perhaps formed from a macro expansion), even though a DNS query cannot be composed from it. The spec being unclear about it, this could either be considered a syntax error, or, by analogy to 4.3/1 and 5/10/3, the mechanism could be treated as a no-match. RFC 7208 failed to agree on which result to use, and declares the situation undefined. The preferred test result is therefore a matter of opinion. spec: 4.3/1, 4.8/5, 5/10/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@t10.example.com result: [fail, permerror] invalid-domain-long: description: >- target-name that is a valid domain-spec per RFC 4408 and RFC 7208 but an invalid domain name per RFC 1035 (long label) must be treated as non-existent. comment: >- A domain label longer than 63 characters in a mechanism target-name is valid domain-spec syntax (perhaps formed from a macro expansion), even though a DNS query cannot be composed from it. The spec being unclear about it, this could either be considered a syntax error, or, by analogy to 4.3/1 and 5/10/3, the mechanism could be treated as a no-match. RFC 7208 failed to agree on which result to use, and declares the situation undefined. The preferred test result is therefore a matter of opinion. spec: 4.3/1, 4.8/5, 5/10/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@t11.example.com result: [fail,permerror] invalid-domain-long-via-macro: description: >- target-name that is a valid domain-spec per RFC 4408 and RFC 7208 but an invalid domain name per RFC 1035 (long label) must be treated as non-existent. comment: >- A domain label longer than 63 characters that results from macro expansion in a mechanism target-name is valid domain-spec syntax (and is not even subject to syntax checking after macro expansion), even though a DNS query cannot be composed from it. The spec being unclear about it, this could either be considered a syntax error, or, by analogy to 4.3/1 and 5/10/3, the mechanism could be treated as a no-match. RFC 7208 failed to agree on which result to use, and declares the situation undefined. The preferred test result is therefore a matter of opinion. spec: 4.3/1, 4.8/5, 5/10/3 helo: "%%%%%%%%%%%%%%%%%%%%%%" host: 1.2.3.4 mailfrom: foo@t12.example.com result: [fail,permerror] zonedata: mail.example.com: - A: 1.2.3.4 t1.example.com: - SPF: v=spf1 ip4:1.2.3.4 -all moo t2.example.com: - SPF: v=spf1 moo.cow-far_out=man:dog/cat ip4:1.2.3.4 -all t3.example.com: - SPF: v=spf1 moo.cow/far_out=man:dog/cat ip4:1.2.3.4 -all t4.example.com: - SPF: v=spf1 moo.cow:far_out=man:dog/cat ip4:1.2.3.4 -all t5.example.com: - SPF: v=spf1 redirect=t5.example.com ~all t6.example.com: - SPF: v=spf1 ip4:1.2.3.4 redirect=t2.example.com t7.example.com: - SPF: v=spf1 ip4:1.2.3.4 t8.example.com: - SPF: v=spf1 ip4:1.2.3.4 redirect:t2.example.com t9.example.com: - SPF: v=spf1 a:foo-bar -all t10.example.com: - SPF: v=spf1 a:mail.example...com -all t11.example.com: - SPF: v=spf1 a:a123456789012345678901234567890123456789012345678901234567890123.example.com -all t12.example.com: - SPF: v=spf1 a:%{H}.bar -all --- description: ALL mechanism syntax tests: all-dot: description: | all = "all" comment: |- At least one implementation got this wrong spec: 5.1/1 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e1.example.com result: permerror all-arg: description: | all = "all" comment: |- At least one implementation got this wrong spec: 5.1/1 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e2.example.com result: permerror all-cidr: description: | all = "all" spec: 5.1/1 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e3.example.com result: permerror all-neutral: description: | all = "all" spec: 5.1/1 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e4.example.com result: neutral all-double: description: | all = "all" spec: 5.1/1 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e5.example.com result: pass zonedata: mail.example.com: - A: 1.2.3.4 e1.example.com: - SPF: v=spf1 -all. e2.example.com: - SPF: v=spf1 -all:foobar e3.example.com: - SPF: v=spf1 -all/8 e4.example.com: - SPF: v=spf1 ?all e5.example.com: - SPF: v=spf1 all -all --- description: PTR mechanism syntax tests: ptr-cidr: description: |- PTR = "ptr" [ ":" domain-spec ] spec: 5.5/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e1.example.com result: permerror ptr-match-target: description: >- Check all validated domain names to see if they end in the domain. spec: 5.5/5 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e2.example.com result: pass ptr-match-implicit: description: >- Check all validated domain names to see if they end in the domain. spec: 5.5/5 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e3.example.com result: pass ptr-nomatch-invalid: description: >- Check all validated domain names to see if they end in the domain. comment: >- This PTR record does not validate spec: 5.5/5 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e4.example.com result: fail ptr-match-ip6: description: >- Check all validated domain names to see if they end in the domain. spec: 5.5/5 helo: mail.example.com host: CAFE:BABE::1 mailfrom: foo@e3.example.com result: pass ptr-empty-domain: description: >- domain-spec cannot be empty. spec: 5.5/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e5.example.com result: permerror ptr-case-change: description: >- arpa domain is case insensitive. comment: >- Some DNS servers have random case in the domain part of returned answers, especially for PTR records. For example, a query for 1.2.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.E.F.0.0.4.F.1.1.1.0.1.0.A.2.ip6.arpa may return 1.2.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.E.F.0.0.4.F.1.1.1.0.1.0.a.2.ip6.arpa spec: 5.5/2 helo: mail.example.com host: 2001:db8::1 mailfrom: bar@e6.example.com result: pass ptr-cname-loop: description: >- a PTR with CNAME loop and inconsistent case in domain. comment: >- RFC 1034 3.6.2/11 says, CNAME chains should be followed and CNAME loops signalled as an error. RFC 7208 5.5/7 says, If a DNS error occurs while doing an A RR lookup, then that domain name is skipped and the search continues. spec: 5.5/7 helo: loop.example.com host: 192.0.2.4 mailfrom: postmaster@loop.example.com result: neutral zonedata: mail.example.com: - A: 1.2.3.4 - AAAA: 2001:db8::1 e1.example.com: - SPF: v=spf1 ptr/0 -all e2.example.com: - SPF: v=spf1 ptr:example.com -all 4.3.2.1.in-addr.arpa: - PTR: e3.example.com - PTR: e4.example.com - PTR: mail.example.com 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.E.B.A.B.E.F.A.C.ip6.arpa: - PTR: e3.example.com 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.D.0.1.0.0.2.ip6.arpa: - PTR: mail.Example.com e3.example.com: - SPF: v=spf1 ptr -all - A: 1.2.3.4 - AAAA: CAFE:BABE::1 e4.example.com: - SPF: v=spf1 ptr -all e5.example.com: - SPF: "v=spf1 ptr:" e6.example.com: - SPF: "v=spf1 ptr:example.Com -all" loop.example.com: - SPF: "v=spf1 ptr" 4.2.0.192.in-addr.arpa: - PTR: "loop4.example.com." loop4.example.com: - CNAME: "CNAME.example.com." cname.example.com: - CNAME: "CNAME.example.com." --- description: A mechanism syntax tests: a-cidr6: description: | A = "a" [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] spec: 5.3/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e6.example.com result: fail a-bad-cidr4: description: | A = "a" [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] spec: 5.3/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e6a.example.com result: permerror a-bad-cidr6: description: | A = "a" [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] spec: 5.3/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e7.example.com result: permerror a-dual-cidr-ip4-match: description: | A = "a" [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] spec: 5.3/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e8.example.com result: pass a-dual-cidr-ip4-err: description: | A = "a" [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] spec: 5.3/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e8e.example.com result: permerror a-dual-cidr-ip6-match: description: | A = "a" [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] spec: 5.3/2 helo: mail.example.com host: 2001:db8:1234::cafe:babe mailfrom: foo@e8.example.com result: pass a-dual-cidr-ip4-default: description: | A = "a" [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] spec: 5.3/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e8b.example.com result: fail a-dual-cidr-ip6-default: description: | A = "a" [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] spec: 5.3/2 helo: mail.example.com host: 2001:db8:1234::cafe:babe mailfrom: foo@e8a.example.com result: fail a-multi-ip1: description: >- A matches any returned IP. spec: 5.3/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e10.example.com result: pass a-multi-ip2: description: >- A matches any returned IP. spec: 5.3/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e10.example.com result: pass a-bad-domain: description: >- domain-spec must pass basic syntax checks; a ':' may appear in domain-spec, but not in top-label spec: 7.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e9.example.com result: permerror a-nxdomain: description: >- If no ips are returned, A mechanism does not match, even with /0. spec: 5.3/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e1.example.com result: fail a-cidr4-0: description: >- Matches if any A records are present in DNS. spec: 5.3/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e2.example.com result: pass a-cidr4-0-ip6: description: >- Matches if any A records are present in DNS. spec: 5.3/3 helo: mail.example.com host: 1234::1 mailfrom: foo@e2.example.com result: fail a-cidr6-0-ip4: description: >- Would match if any AAAA records are present in DNS, but not for an IP4 connection. spec: 5.3/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e2a.example.com result: fail a-cidr6-0-ip4mapped: description: >- Would match if any AAAA records are present in DNS, but not for an IP4 connection. spec: 5.3/3 helo: mail.example.com host: ::FFFF:1.2.3.4 mailfrom: foo@e2a.example.com result: fail a-cidr6-0-ip6: description: >- Matches if any AAAA records are present in DNS. spec: 5.3/3 helo: mail.example.com host: 1234::1 mailfrom: foo@e2a.example.com result: pass a-ip6-dualstack: description: >- Simple IP6 Address match with dual stack. spec: 5.3/3 helo: mail.example.com host: 1234::1 mailfrom: foo@ipv6.example.com result: pass a-cidr6-0-nxdomain: description: >- No match if no AAAA records are present in DNS. spec: 5.3/3 helo: mail.example.com host: 1234::1 mailfrom: foo@e2b.example.com result: fail a-null: description: >- Null octets not allowed in toplabel spec: 7.1/2 helo: mail.example.com host: 1.2.3.5 mailfrom: foo@e3.example.com result: permerror a-numeric: description: >- toplabel may not be all numeric comment: >- A common publishing mistake is using ip4 addresses with A mechanism. This should receive special diagnostic attention in the permerror. spec: 7.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e4.example.com result: permerror a-numeric-toplabel: description: >- toplabel may not be all numeric spec: 7.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e5.example.com result: permerror a-dash-in-toplabel: description: >- toplabel may contain dashes comment: >- Going from the "toplabel" grammar definition, an implementation using regular expressions in incrementally parsing SPF records might erroneously try to match a TLD such as ".xn--zckzah" (cf. IDN TLDs!) to '( *alphanum ALPHA *alphanum )' first before trying the alternative '( 1*alphanum "-" *( alphanum / "-" ) alphanum )', essentially causing a non-greedy, and thus, incomplete match. Make sure a greedy match is performed! spec: 7.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e14.example.com result: pass a-bad-toplabel: description: >- toplabel may not begin with a dash spec: 7.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e12.example.com result: permerror a-only-toplabel: description: >- domain-spec may not consist of only a toplabel. spec: 7.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e5a.example.com result: permerror a-only-toplabel-trailing-dot: description: >- domain-spec may not consist of only a toplabel. comment: >- "A trailing dot doesn't help." spec: 7.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e5b.example.com result: permerror a-colon-domain: description: >- domain-spec may contain any visible char except % spec: 7.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e11.example.com result: pass a-colon-domain-ip4mapped: description: >- domain-spec may contain any visible char except % spec: 7.1/2 helo: mail.example.com host: ::FFFF:1.2.3.4 mailfrom: foo@e11.example.com result: pass a-empty-domain: description: >- domain-spec cannot be empty. spec: 5.3/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e13.example.com result: permerror zonedata: mail.example.com: - A: 1.2.3.4 e1.example.com: - SPF: v=spf1 a/0 -all e2.example.com: - A: 1.1.1.1 - AAAA: 1234::2 - SPF: v=spf1 a/0 -all e2a.example.com: - AAAA: 1234::1 - SPF: v=spf1 a//0 -all e2b.example.com: - A: 1.1.1.1 - SPF: v=spf1 a//0 -all ipv6.example.com: - AAAA: 1234::1 - A: 1.1.1.1 - SPF: v=spf1 a -all e3.example.com: - SPF: "v=spf1 a:foo.example.com\0" e4.example.com: - SPF: v=spf1 a:111.222.33.44 e5.example.com: - SPF: v=spf1 a:abc.123 e5a.example.com: - SPF: v=spf1 a:museum e5b.example.com: - SPF: v=spf1 a:museum. e6.example.com: - SPF: v=spf1 a//33 -all e6a.example.com: - SPF: v=spf1 a/33 -all e7.example.com: - SPF: v=spf1 a//129 -all e8.example.com: - A: 1.2.3.5 - AAAA: 2001:db8:1234::dead:beef - SPF: v=spf1 a/24//64 -all e8e.example.com: - A: 1.2.3.5 - AAAA: 2001:db8:1234::dead:beef - SPF: v=spf1 a/24/64 -all e8a.example.com: - A: 1.2.3.5 - AAAA: 2001:db8:1234::dead:beef - SPF: v=spf1 a/24 -all e8b.example.com: - A: 1.2.3.5 - AAAA: 2001:db8:1234::dead:beef - SPF: v=spf1 a//64 -all e9.example.com: - SPF: v=spf1 a:example.com:8080 e10.example.com: - SPF: v=spf1 a:foo.example.com/24 foo.example.com: - A: 1.1.1.1 - A: 1.2.3.5 e11.example.com: - SPF: v=spf1 a:foo:bar/baz.example.com foo:bar/baz.example.com: - A: 1.2.3.4 e12.example.com: - SPF: v=spf1 a:example.-com e13.example.com: - SPF: "v=spf1 a:" e14.example.com: - SPF: "v=spf1 a:foo.example.xn--zckzah -all" foo.example.xn--zckzah: - A: 1.2.3.4 --- description: Include mechanism semantics and syntax tests: include-fail: description: >- recursive check_host() result of fail causes include to not match. spec: 5.2/9 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e1.example.com result: softfail include-softfail: description: >- recursive check_host() result of softfail causes include to not match. spec: 5.2/9 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e2.example.com result: pass include-neutral: description: >- recursive check_host() result of neutral causes include to not match. spec: 5.2/9 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e3.example.com result: fail include-temperror: description: >- recursive check_host() result of temperror causes include to temperror spec: 5.2/9 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e4.example.com result: temperror include-permerror: description: >- recursive check_host() result of permerror causes include to permerror spec: 5.2/9 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e5.example.com result: permerror include-syntax-error: description: >- include = "include" ":" domain-spec spec: 5.2/1 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e6.example.com result: permerror include-cidr: description: >- include = "include" ":" domain-spec spec: 5.2/1 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e9.example.com result: permerror include-none: description: >- recursive check_host() result of none causes include to permerror spec: 5.2/9 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e7.example.com result: permerror include-empty-domain: description: >- domain-spec cannot be empty. spec: 5.2/1 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e8.example.com result: permerror zonedata: mail.example.com: - A: 1.2.3.4 ip5.example.com: - SPF: v=spf1 ip4:1.2.3.5 -all ip6.example.com: - SPF: v=spf1 ip4:1.2.3.6 ~all ip7.example.com: - SPF: v=spf1 ip4:1.2.3.7 ?all ip8.example.com: - TIMEOUT erehwon.example.com: - TXT: v=spfl am not an SPF record e1.example.com: - SPF: v=spf1 include:ip5.example.com ~all e2.example.com: - SPF: v=spf1 include:ip6.example.com all e3.example.com: - SPF: v=spf1 include:ip7.example.com -all e4.example.com: - SPF: v=spf1 include:ip8.example.com -all e5.example.com: - SPF: v=spf1 include:e6.example.com -all e6.example.com: - SPF: v=spf1 include +all e7.example.com: - SPF: v=spf1 include:erehwon.example.com -all e8.example.com: - SPF: "v=spf1 include: -all" e9.example.com: - SPF: "v=spf1 include:ip5.example.com/24 -all" --- description: MX mechanism syntax tests: mx-cidr6: description: | MX = "mx" [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] spec: 5.4/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e6.example.com result: fail mx-bad-cidr4: description: | MX = "mx" [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] spec: 5.4/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e6a.example.com result: permerror mx-bad-cidr6: description: | MX = "mx" [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] spec: 5.4/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e7.example.com result: permerror mx-multi-ip1: description: >- MX matches any returned IP. spec: 5.4/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e10.example.com result: pass mx-multi-ip2: description: >- MX matches any returned IP. spec: 5.4/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e10.example.com result: pass mx-bad-domain: description: >- domain-spec must pass basic syntax checks comment: >- A ':' may appear in domain-spec, but not in top-label. spec: 7.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e9.example.com result: permerror mx-nxdomain: description: >- If no ips are returned, MX mechanism does not match, even with /0. spec: 5.4/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e1.example.com result: fail mx-cidr4-0: description: >- Matches if any A records for any MX records are present in DNS. spec: 5.4/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e2.example.com result: pass mx-cidr4-0-ip6: description: >- cidr4 doesn't apply to IP6 connections. comment: >- The IP6 CIDR starts with a double slash. spec: 5.4/3 helo: mail.example.com host: 1234::1 mailfrom: foo@e2.example.com result: fail mx-cidr6-0-ip4: description: >- Would match if any AAAA records for MX records are present in DNS, but not for an IP4 connection. spec: 5.4/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e2a.example.com result: fail mx-cidr6-0-ip4mapped: description: >- Would match if any AAAA records for MX records are present in DNS, but not for an IP4 connection. spec: 5.4/3 helo: mail.example.com host: ::FFFF:1.2.3.4 mailfrom: foo@e2a.example.com result: fail mx-cidr6-0-ip6: description: >- Matches if any AAAA records for any MX records are present in DNS. spec: 5.3/3 helo: mail.example.com host: 1234::1 mailfrom: foo@e2a.example.com result: pass mx-cidr6-0-nxdomain: description: >- No match if no AAAA records for any MX records are present in DNS. spec: 5.4/3 helo: mail.example.com host: 1234::1 mailfrom: foo@e2b.example.com result: fail mx-null: description: >- Null not allowed in top-label. spec: 7.1/2 helo: mail.example.com host: 1.2.3.5 mailfrom: foo@e3.example.com result: permerror mx-numeric-top-label: description: >- Top-label may not be all numeric spec: 7.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e5.example.com result: permerror mx-colon-domain: description: >- Domain-spec may contain any visible char except % spec: 7.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e11.example.com result: pass mx-colon-domain-ip4mapped: description: >- Domain-spec may contain any visible char except % spec: 7.1/2 helo: mail.example.com host: ::FFFF:1.2.3.4 mailfrom: foo@e11.example.com result: pass mx-bad-toplab: description: >- Toplabel may not begin with - spec: 7.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e12.example.com result: permerror mx-empty: description: >- test null MX comment: >- Some implementations have had trouble with null MX spec: 5.4/3 helo: mail.example.com host: 1.2.3.4 mailfrom: "" result: neutral mx-implicit: description: >- If the target name has no MX records, check_host() MUST NOT pretend the target is its single MX, and MUST NOT default to an A lookup on the target-name directly. spec: 5.4/4 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e4.example.com result: neutral mx-empty-domain: description: >- domain-spec cannot be empty. spec: 5.2/1 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e13.example.com result: permerror zonedata: mail.example.com: - A: 1.2.3.4 - MX: [0, ""] - SPF: v=spf1 mx e1.example.com: - SPF: v=spf1 mx/0 -all - MX: [0, e1.example.com] e2.example.com: - A: 1.1.1.1 - AAAA: 1234::2 - MX: [0, e2.example.com] - SPF: v=spf1 mx/0 -all e2a.example.com: - AAAA: 1234::1 - MX: [0, e2a.example.com] - SPF: v=spf1 mx//0 -all e2b.example.com: - A: 1.1.1.1 - MX: [0, e2b.example.com] - SPF: v=spf1 mx//0 -all e3.example.com: - SPF: "v=spf1 mx:foo.example.com\0" e4.example.com: - SPF: v=spf1 mx - A: 1.2.3.4 e5.example.com: - SPF: v=spf1 mx:abc.123 e6.example.com: - SPF: v=spf1 mx//33 -all e6a.example.com: - SPF: v=spf1 mx/33 -all e7.example.com: - SPF: v=spf1 mx//129 -all e9.example.com: - SPF: v=spf1 mx:example.com:8080 e10.example.com: - SPF: v=spf1 mx:foo.example.com/24 foo.example.com: - MX: [0, foo1.example.com] foo1.example.com: - A: 1.1.1.1 - A: 1.2.3.5 e11.example.com: - SPF: v=spf1 mx:foo:bar/baz.example.com foo:bar/baz.example.com: - MX: [0, "foo:bar/baz.example.com"] - A: 1.2.3.4 e12.example.com: - SPF: v=spf1 mx:example.-com e13.example.com: - SPF: "v=spf1 mx: -all" --- description: EXISTS mechanism syntax tests: exists-empty-domain: description: >- domain-spec cannot be empty. spec: 5.7/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e1.example.com result: permerror exists-implicit: description: >- exists = "exists" ":" domain-spec spec: 5.7/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e2.example.com result: permerror exists-cidr: description: >- exists = "exists" ":" domain-spec spec: 5.7/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e3.example.com result: permerror exists-ip4: description: >- mechanism matches if any DNS A RR exists spec: 5.7/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e4.example.com result: pass exists-ip6: description: >- The lookup type is A even when the connection is ip6 spec: 5.7/3 helo: mail.example.com host: CAFE:BABE::3 mailfrom: foo@e4.example.com result: pass exists-ip6only: description: >- The lookup type is A even when the connection is ip6 spec: 5.7/3 helo: mail.example.com host: CAFE:BABE::3 mailfrom: foo@e5.example.com result: fail exists-dnserr: description: >- Result for DNS error clarified in RFC7208: MTAs or other processors SHOULD impose a limit on the maximum amount of elapsed time to evaluate check_host(). Such a limit SHOULD allow at least 20 seconds. If such a limit is exceeded, the result of authorization SHOULD be "temperror". spec: 5/8 helo: mail.example.com host: CAFE:BABE::3 mailfrom: foo@e6.example.com result: temperror zonedata: mail.example.com: - A: 1.2.3.4 mail6.example.com: - AAAA: CAFE:BABE::4 err.example.com: - TIMEOUT e1.example.com: - SPF: "v=spf1 exists:" e2.example.com: - SPF: "v=spf1 exists" e3.example.com: - SPF: "v=spf1 exists:mail.example.com/24" e4.example.com: - SPF: "v=spf1 exists:mail.example.com" e5.example.com: - SPF: "v=spf1 exists:mail6.example.com -all" e6.example.com: - SPF: "v=spf1 exists:err.example.com -all" --- description: IP4 mechanism syntax tests: cidr4-0: description: >- ip4-cidr-length = "/" 1*DIGIT spec: 5.6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e1.example.com result: pass cidr4-32: description: >- ip4-cidr-length = "/" 1*DIGIT spec: 5.6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e2.example.com result: pass cidr4-33: description: >- Invalid CIDR should get permerror. comment: >- The RFC4408 was silent on ip4 CIDR > 32 or ip6 CIDR > 128, but RFC7208 is explicit. Invalid CIDR is prohibited. spec: 5.6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e3.example.com result: permerror cidr4-032: description: >- Invalid CIDR should get permerror. comment: >- Leading zeros are not explicitly prohibited by the RFC. However, since the RFC explicity prohibits leading zeros in ip4-network, our interpretation is that CIDR should be also. spec: 5.6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e4.example.com result: permerror bare-ip4: description: >- IP4 = "ip4" ":" ip4-network [ ip4-cidr-length ] spec: 5.6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e5.example.com result: permerror bad-ip4-port: description: >- IP4 = "ip4" ":" ip4-network [ ip4-cidr-length ] comment: >- This has actually been published in SPF records. spec: 5.6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e8.example.com result: permerror bad-ip4-short: description: >- It is not permitted to omit parts of the IP address instead of using CIDR notations. spec: 5.6/4 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e9.example.com result: permerror ip4-dual-cidr: description: >- dual-cidr-length not permitted on ip4 spec: 5.6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e6.example.com result: permerror ip4-mapped-ip6: description: >- IP4 mapped IP6 connections MUST be treated as IP4 spec: 5/9/2 helo: mail.example.com host: ::FFFF:1.2.3.4 mailfrom: foo@e7.example.com result: fail zonedata: mail.example.com: - A: 1.2.3.4 e1.example.com: - SPF: v=spf1 ip4:1.1.1.1/0 -all e2.example.com: - SPF: v=spf1 ip4:1.2.3.4/32 -all e3.example.com: - SPF: v=spf1 ip4:1.2.3.4/33 -all e4.example.com: - SPF: v=spf1 ip4:1.2.3.4/032 -all e5.example.com: - SPF: v=spf1 ip4 e6.example.com: - SPF: v=spf1 ip4:1.2.3.4//32 e7.example.com: - SPF: v=spf1 -ip4:1.2.3.4 ip6:::FFFF:1.2.3.4 e8.example.com: - SPF: v=spf1 ip4:1.2.3.4:8080 e9.example.com: - SPF: v=spf1 ip4:1.2.3 --- description: IP6 mechanism syntax comment: >- IP4 only implementations may skip tests where host is not IP4 tests: bare-ip6: description: >- IP6 = "ip6" ":" ip6-network [ ip6-cidr-length ] spec: 5.6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e1.example.com result: permerror cidr6-0-ip4: description: >- IP4 connections do not match ip6. comment: >- There was controversy over IPv4 mapped connections. RFC7208 clearly states IPv4 mapped addresses only match ip4: mechanisms. spec: 5/9/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e2.example.com result: neutral cidr6-ip4: description: >- Even if the SMTP connection is via IPv6, an IPv4-mapped IPv6 IP address (see RFC 3513, Section 2.5.5) MUST still be considered an IPv4 address. comment: >- There was controversy over ip4 mapped connections. RFC7208 clearly requires such connections to be considered as ip4 only. spec: 5/9/2 helo: mail.example.com host: ::FFFF:1.2.3.4 mailfrom: foo@e2.example.com result: neutral cidr6-0: description: >- Match any IP6 spec: 5/8 helo: mail.example.com host: DEAF:BABE::CAB:FEE mailfrom: foo@e2.example.com result: pass cidr6-129: description: >- Invalid CIDR comment: >- IP4 only implementations MUST fully syntax check all mechanisms, even if they otherwise ignore them. spec: 5.6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e3.example.com result: permerror cidr6-bad: description: >- dual-cidr syntax not used for ip6 comment: >- IP4 only implementations MUST fully syntax check all mechanisms, even if they otherwise ignore them. spec: 5.6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e4.example.com result: permerror cidr6-33: description: >- make sure ip4 cidr restriction are not used for ip6 spec: 5.6/2 helo: mail.example.com host: "CAFE:BABE:8000::" mailfrom: foo@e5.example.com result: pass cidr6-33-ip4: description: >- make sure ip4 cidr restriction are not used for ip6 spec: 5.6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e5.example.com result: neutral ip6-bad1: description: >- spec: 5.6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e6.example.com result: permerror zonedata: mail.example.com: - A: 1.2.3.4 e1.example.com: - SPF: v=spf1 -all ip6 e2.example.com: - SPF: v=spf1 ip6:::1.1.1.1/0 e3.example.com: - SPF: v=spf1 ip6:::1.1.1.1/129 e4.example.com: - SPF: v=spf1 ip6:::1.1.1.1//33 e5.example.com: - SPF: v=spf1 ip6:Cafe:Babe:8000::/33 e6.example.com: - SPF: v=spf1 ip6::CAFE::BABE --- description: Semantics of exp and other modifiers comment: >- Implementing exp= is optional. If not implemented, the test driver should not check the explanation field. tests: redirect-none: description: >- If no SPF record is found, or if the target-name is malformed, the result is a "PermError" rather than "None". spec: 6.1/4 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e10.example.com result: permerror redirect-cancels-exp: description: >- when executing "redirect", exp= from the original domain MUST NOT be used. spec: 6.2/13 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e1.example.com result: fail explanation: DEFAULT redirect-syntax-error: description: | redirect = "redirect" "=" domain-spec comment: >- A literal application of the grammar causes modifier syntax errors (except for macro syntax) to become unknown-modifier. modifier = explanation | redirect | unknown-modifier However, it is generally agreed, with precedent in other RFCs, that unknown-modifier should not be "greedy", and should not match known modifier names. There should have been explicit prose to this effect, and some has been proposed as an erratum. spec: 6.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e17.example.com result: permerror include-ignores-exp: description: >- when executing "include", exp= from the target domain MUST NOT be used. spec: 6.2/13 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e7.example.com result: fail explanation: Correct! redirect-cancels-prior-exp: description: >- when executing "redirect", exp= from the original domain MUST NOT be used. spec: 6.2/13 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e3.example.com result: fail explanation: See me. invalid-modifier: description: | unknown-modifier = name "=" macro-string name = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." ) comment: >- Unknown modifier name must begin with alpha. spec: A/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e5.example.com result: permerror empty-modifier-name: description: | name = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." ) comment: >- Unknown modifier name must not be empty. spec: A/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e6.example.com result: permerror dorky-sentinel: description: >- An implementation that uses a legal expansion as a sentinel. We cannot check them all, but we can check this one. comment: >- Spaces are allowed in local-part. spec: 7.1/6 helo: mail.example.com host: 1.2.3.4 mailfrom: "Macro Error@e8.example.com" result: fail explanation: Macro Error in implementation exp-multiple-txt: description: | Ignore exp if multiple TXT records. comment: >- If domain-spec is empty, or there are any DNS processing errors (any RCODE other than 0), or if no records are returned, or if more than one record is returned, or if there are syntax errors in the explanation string, then proceed as if no exp modifier was given. spec: 6.2/4 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e11.example.com result: fail explanation: DEFAULT exp-no-txt: description: | Ignore exp if no TXT records. comment: >- If domain-spec is empty, or there are any DNS processing errors (any RCODE other than 0), or if no records are returned, or if more than one record is returned, or if there are syntax errors in the explanation string, then proceed as if no exp modifier was given. spec: 6.2/4 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e22.example.com result: fail explanation: DEFAULT exp-dns-error: description: | Ignore exp if DNS error. comment: >- If domain-spec is empty, or there are any DNS processing errors (any RCODE other than 0), or if no records are returned, or if more than one record is returned, or if there are syntax errors in the explanation string, then proceed as if no exp modifier was given. spec: 6.2/4 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e21.example.com result: fail explanation: DEFAULT exp-empty-domain: description: | PermError if exp= domain-spec is empty. comment: >- Section 6.2/4 says, "If domain-spec is empty, or there are any DNS processing errors (any RCODE other than 0), or if no records are returned, or if more than one record is returned, or if there are syntax errors in the explanation string, then proceed as if no exp modifier was given." However, "if domain-spec is empty" conflicts with the grammar given for the exp modifier. This was reported as an erratum, and the solution chosen was to report explicit "exp=" as PermError, but ignore problems due to macro expansion, DNS, or invalid explanation string. spec: 6.2/4 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e12.example.com result: permerror explanation-syntax-error: description: | Ignore exp if the explanation string has a syntax error. comment: >- If domain-spec is empty, or there are any DNS processing errors (any RCODE other than 0), or if no records are returned, or if more than one record is returned, or if there are syntax errors in the explanation string, then proceed as if no exp modifier was given. spec: 6.2/4 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e13.example.com result: fail explanation: DEFAULT exp-syntax-error: description: | explanation = "exp" "=" domain-spec comment: >- A literal application of the grammar causes modifier syntax errors (except for macro syntax) to become unknown-modifier. modifier = explanation | redirect | unknown-modifier However, it is generally agreed, with precedent in other RFCs, that unknown-modifier should not be "greedy", and should not match known modifier names. There should have been explicit prose to this effect, and some has been proposed as an erratum. spec: 6.2/1 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e16.example.com result: permerror exp-twice: description: | exp= appears twice. comment: >- These two modifiers (exp,redirect) MUST NOT appear in a record more than once each. If they do, then check_host() exits with a result of "PermError". spec: 6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e14.example.com result: permerror redirect-empty-domain: description: | redirect = "redirect" "=" domain-spec comment: >- Unlike for exp, there is no instruction to override the permerror for an empty domain-spec (which is invalid syntax). spec: 6.2/4 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e18.example.com result: permerror redirect-twice: description: | redirect= appears twice. comment: >- These two modifiers (exp,redirect) MUST NOT appear in a record more than once each. If they do, then check_host() exits with a result of "PermError". spec: 6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e15.example.com result: permerror unknown-modifier-syntax: description: | unknown-modifier = name "=" macro-string comment: >- Unknown modifiers must have valid macro syntax. spec: A/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e9.example.com result: permerror default-modifier-obsolete: description: | Unknown modifiers do not modify the RFC SPF result. comment: >- Some implementations may have a leftover default= modifier from earlier drafts. spec: 6/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e19.example.com result: neutral default-modifier-obsolete2: description: | Unknown modifiers do not modify the RFC SPF result. comment: >- Some implementations may have a leftover default= modifier from earlier drafts. spec: 6/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e20.example.com result: neutral non-ascii-exp: description: >- SPF explanation text is restricted to 7-bit ascii. comment: >- Checking a possibly different code path for non-ascii chars. spec: 6.2/5 helo: hosed host: 1.2.3.4 mailfrom: "foobar@nonascii.example.com" result: fail explanation: DEFAULT two-exp-records: description: >- Must ignore exp= if DNS returns more than one TXT record. spec: 6.2/4 helo: hosed host: 1.2.3.4 mailfrom: "foobar@tworecs.example.com" result: fail explanation: DEFAULT exp-void: description: | exp=nxdomain.tld comment: >- Non-existent exp= domains MUST NOT count against the void lookup limit. Implementations should lookup any exp record at most once after computing the result. spec: 4.6.4/1, 6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e23.example.com result: fail redirect-implicit: description: | redirect changes implicit domain spec: 6.1/4 helo: e24.example.com host: 192.0.2.2 mailfrom: bar@e24.example.com result: pass zonedata: mail.example.com: - A: 1.2.3.4 e1.example.com: - SPF: v=spf1 exp=exp1.example.com redirect=e2.example.com e2.example.com: - SPF: v=spf1 -all e3.example.com: - SPF: v=spf1 exp=exp1.example.com redirect=e4.example.com e4.example.com: - SPF: v=spf1 -all exp=exp2.example.com exp1.example.com: - TXT: No-see-um exp2.example.com: - TXT: See me. exp3.example.com: - TXT: Correct! exp4.example.com: - TXT: "%{l} in implementation" e5.example.com: - SPF: v=spf1 1up=foo e6.example.com: - SPF: v=spf1 =all e7.example.com: - SPF: v=spf1 include:e3.example.com -all exp=exp3.example.com e8.example.com: - SPF: v=spf1 -all exp=exp4.example.com e9.example.com: - SPF: v=spf1 -all foo=%abc e10.example.com: - SPF: v=spf1 redirect=erehwon.example.com e11.example.com: - SPF: v=spf1 -all exp=e11msg.example.com e11msg.example.com: - TXT: Answer a fool according to his folly. - TXT: Do not answer a fool according to his folly. e12.example.com: - SPF: v=spf1 exp= -all e13.example.com: - SPF: v=spf1 exp=e13msg.example.com -all e13msg.example.com: - TXT: The %{x}-files. e14.example.com: - SPF: v=spf1 exp=e13msg.example.com -all exp=e11msg.example.com e15.example.com: - SPF: v=spf1 redirect=e12.example.com -all redirect=e12.example.com e16.example.com: - SPF: v=spf1 exp=-all e17.example.com: - SPF: v=spf1 redirect=-all ?all e18.example.com: - SPF: v=spf1 ?all redirect= e19.example.com: - SPF: v=spf1 default=pass e20.example.com: - SPF: "v=spf1 default=+" e21.example.com: - SPF: v=spf1 exp=e21msg.example.com -all e21msg.example.com: - TIMEOUT e22.example.com: - SPF: v=spf1 exp=mail.example.com -all nonascii.example.com: - SPF: v=spf1 exp=badexp.example.com -all badexp.example.com: - TXT: "\xEF\xBB\xBFExplanation" tworecs.example.com: - SPF: v=spf1 exp=twoexp.example.com -all twoexp.example.com: - TXT: "one" - TXT: "two" e23.example.com: - SPF: v=spf1 a:erehwon.example.com a:foobar.com exp=nxdomain.com -all e24.example.com: - SPF: v=spf1 redirect=testimplicit.example.com - A: 192.0.2.1 testimplicit.example.com: - SPF: v=spf1 a -all - A: 192.0.2.2 --- description: Macro expansion rules tests: trailing-dot-domain: spec: 7.1/16 description: >- trailing dot is ignored for domains helo: msgbas2x.cos.example.com host: 192.168.218.40 mailfrom: test@example.com result: pass trailing-dot-exp: spec: 7.1 description: >- trailing dot is not removed from explanation comment: >- A simple way for an implementation to ignore trailing dots on domains is to remove it when present. But be careful not to remove it for explanation text. helo: msgbas2x.cos.example.com host: 192.168.218.40 mailfrom: test@exp.example.com result: fail explanation: This is a test. exp-only-macro-char: spec: 7.1/8 description: >- The following macro letters are allowed only in "exp" text: c, r, t helo: msgbas2x.cos.example.com host: 192.168.218.40 mailfrom: test@e2.example.com result: permerror invalid-macro-char: spec: 7.1/9 description: >- A '%' character not followed by a '{', '%', '-', or '_' character is a syntax error. helo: msgbas2x.cos.example.com host: 192.168.218.40 mailfrom: test@e1.example.com result: permerror invalid-embedded-macro-char: spec: 7.1/9 description: >- A '%' character not followed by a '{', '%', '-', or '_' character is a syntax error. helo: msgbas2x.cos.example.com host: 192.168.218.40 mailfrom: test@e1e.example.com result: permerror invalid-trailing-macro-char: spec: 7.1/9 description: >- A '%' character not followed by a '{', '%', '-', or '_' character is a syntax error. helo: msgbas2x.cos.example.com host: 192.168.218.40 mailfrom: test@e1t.example.com result: permerror macro-mania-in-domain: description: >- macro-encoded percents (%%), spaces (%_), and URL-percent-encoded spaces (%-) spec: 7.1/3, 7.1/4 helo: mail.example.com host: 1.2.3.4 mailfrom: test@e1a.example.com result: pass exp-txt-macro-char: spec: 7.1/20 description: >- For IPv4 addresses, both the "i" and "c" macros expand to the standard dotted-quad format. helo: msgbas2x.cos.example.com host: 192.168.218.40 mailfrom: test@e3.example.com result: fail explanation: Connections from 192.168.218.40 not authorized. domain-name-truncation: spec: 7.1/25 description: >- When the result of macro expansion is used in a domain name query, if the expanded domain name exceeds 253 characters, the left side is truncated to fit, by removing successive domain labels until the total length does not exceed 253 characters. helo: msgbas2x.cos.example.com host: 192.168.218.40 mailfrom: test@somewhat.long.exp.example.com result: fail explanation: Congratulations! That was tricky. v-macro-ip4: spec: 7.1/6 description: |- v = the string "in-addr" if is ipv4, or "ip6" if is ipv6 helo: msgbas2x.cos.example.com host: 192.168.218.40 mailfrom: test@e4.example.com result: fail explanation: 192.168.218.40 is queried as 40.218.168.192.in-addr.arpa v-macro-ip6: spec: 7.1/6 description: |- v = the string "in-addr" if is ipv4, or "ip6" if is ipv6 helo: msgbas2x.cos.example.com host: CAFE:BABE::1 mailfrom: test@e4.example.com result: fail explanation: cafe:babe::1 is queried as 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.E.B.A.B.E.F.A.C.ip6.arpa undef-macro: spec: 7.1/6 description: >- Allowed macros chars are 'slodipvh' plus 'crt' in explanation. helo: msgbas2x.cos.example.com host: CAFE:BABE::192.168.218.40 mailfrom: test@e5.example.com result: permerror p-macro-ip4-novalid: spec: 7.1/22 description: |- p = the validated domain name of comment: >- The PTR in this example does not validate. helo: msgbas2x.cos.example.com host: 192.168.218.40 mailfrom: test@e6.example.com result: fail explanation: connect from unknown p-macro-ip4-valid: spec: 7.1/22 description: |- p = the validated domain name of comment: >- If a subdomain of the is present, it SHOULD be used. helo: msgbas2x.cos.example.com host: 192.168.218.41 mailfrom: test@e6.example.com result: fail explanation: connect from mx.example.com p-macro-ip6-novalid: spec: 7.1/22 description: |- p = the validated domain name of comment: >- The PTR in this example does not validate. helo: msgbas2x.cos.example.com host: CAFE:BABE::1 mailfrom: test@e6.example.com result: fail explanation: connect from unknown p-macro-ip6-valid: spec: 7.1/22 description: |- p = the validated domain name of comment: >- If a subdomain of the is present, it SHOULD be used. helo: msgbas2x.cos.example.com host: CAFE:BABE::3 mailfrom: test@e6.example.com result: fail explanation: connect from mx.example.com p-macro-multiple: spec: 7.1/22 description: |- p = the validated domain name of comment: >- If a subdomain of the is present, it SHOULD be used. helo: msgbas2x.cos.example.com host: 192.168.218.42 mailfrom: test@e7.example.com result: [pass, softfail] upper-macro: spec: 7.1/26 description: >- Uppercased macros expand exactly as their lowercased equivalents, and are then URL escaped. All chars not in the unreserved set MUST be escaped. comment: | unreserved = ALPHA / DIGIT / "-" / "." / "_" / "~" helo: msgbas2x.cos.example.com host: 192.168.218.42 mailfrom: ~jack&jill=up-a_b3.c@e8.example.com result: fail explanation: http://example.com/why.html?l=~jack%26jill%3Dup-a_b3.c hello-macro: spec: 7.1/6 description: |- h = HELO/EHLO domain helo: msgbas2x.cos.example.com host: 192.168.218.40 mailfrom: test@e9.example.com result: pass invalid-hello-macro: spec: 7.1/2 description: |- h = HELO/EHLO domain, but HELO is invalid comment: >- Domain-spec must end in either a macro, or a valid toplabel. It is not correct to check syntax after macro expansion. helo: "JUMPIN' JUPITER" host: 192.168.218.40 mailfrom: test@e9.example.com result: fail hello-domain-literal: spec: 7.1/2 description: |- h = HELO/EHLO domain, but HELO is a domain literal comment: >- Domain-spec must end in either a macro, or a valid toplabel. It is not correct to check syntax after macro expansion. helo: "[192.168.218.40]" host: 192.168.218.40 mailfrom: test@e9.example.com result: fail require-valid-helo: spec: 7.1/6 description: >- Example of requiring valid helo in sender policy. This is a complex policy testing several points at once. helo: OEMCOMPUTER host: 1.2.3.4 mailfrom: test@e10.example.com result: fail macro-reverse-split-on-dash: spec: 7.1/15, 7.1/16, 7.1/17, 7.1/18 description: >- Macro value transformation (splitting on arbitrary characters, reversal, number of right-hand parts to use) helo: mail.example.com host: 1.2.3.4 mailfrom: philip-gladstone-test@e11.example.com result: pass macro-multiple-delimiters: spec: 7.1/15, 7.1/16 description: |- Multiple delimiters may be specified in a macro expression. macro-expand = ( "%{" macro-letter transformers *delimiter "}" ) / "%%" / "%_" / "%-" helo: mail.example.com host: 1.2.3.4 mailfrom: foo-bar+zip+quux@e12.example.com result: pass zonedata: example.com.d.spf.example.com: - SPF: v=spf1 redirect=a.spf.example.com a.spf.example.com: - SPF: v=spf1 include:o.spf.example.com. ~all o.spf.example.com: - SPF: v=spf1 ip4:192.168.218.40 msgbas2x.cos.example.com: - A: 192.168.218.40 example.com: - A: 192.168.90.76 - SPF: v=spf1 redirect=%{d}.d.spf.example.com. exp.example.com: - SPF: v=spf1 exp=msg.example.com. -all msg.example.com: - TXT: This is a test. e1.example.com: - SPF: v=spf1 -exists:%(ir).sbl.example.com ?all e1e.example.com: - SPF: v=spf1 exists:foo%(ir).sbl.example.com ?all e1t.example.com: - SPF: v=spf1 exists:foo%.sbl.example.com ?all e1a.example.com: - SPF: "v=spf1 a:macro%%percent%_%_space%-url-space.example.com -all" "macro%percent space%20url-space.example.com": - A: 1.2.3.4 e2.example.com: - SPF: v=spf1 -all exp=%{r}.example.com e3.example.com: - SPF: v=spf1 -all exp=%{ir}.example.com 40.218.168.192.example.com: - TXT: Connections from %{c} not authorized. somewhat.long.exp.example.com: - SPF: v=spf1 -all exp=foobar.%{o}.%{o}.%{o}.%{o}.%{o}.%{o}.%{o}.%{o}.example.com somewhat.long.exp.example.com.somewhat.long.exp.example.com.somewhat.long.exp.example.com.somewhat.long.exp.example.com.somewhat.long.exp.example.com.somewhat.long.exp.example.com.somewhat.long.exp.example.com.somewhat.long.exp.example.com.example.com: - TXT: Congratulations! That was tricky. e4.example.com: - SPF: v=spf1 -all exp=e4msg.example.com e4msg.example.com: - TXT: "%{c} is queried as %{ir}.%{v}.arpa" e5.example.com: - SPF: v=spf1 a:%{a}.example.com -all e6.example.com: - SPF: v=spf1 -all exp=e6msg.example.com e6msg.example.com: - TXT: "connect from %{p}" mx.example.com: - A: 192.168.218.41 - A: 192.168.218.42 - AAAA: CAFE:BABE::2 - AAAA: CAFE:BABE::3 40.218.168.192.in-addr.arpa: - PTR: mx.example.com 41.218.168.192.in-addr.arpa: - PTR: mx.example.com 42.218.168.192.in-addr.arpa: - PTR: mx.example.com - PTR: mx.e7.example.com 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.E.B.A.B.E.F.A.C.ip6.arpa: - PTR: mx.example.com 3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.E.B.A.B.E.F.A.C.ip6.arpa: - PTR: mx.example.com mx.e7.example.com: - A: 192.168.218.42 mx.e7.example.com.should.example.com: - A: 127.0.0.2 mx.example.com.ok.example.com: - A: 127.0.0.2 e7.example.com: - SPF: v=spf1 exists:%{p}.should.example.com ~exists:%{p}.ok.example.com e8.example.com: - SPF: v=spf1 -all exp=msg8.%{D2} msg8.example.com: - TXT: "http://example.com/why.html?l=%{L}" e9.example.com: - SPF: v=spf1 a:%{H} -all e10.example.com: - SPF: v=spf1 -include:_spfh.%{d2} ip4:1.2.3.0/24 -all _spfh.example.com: - SPF: v=spf1 -a:%{h} +all e11.example.com: - SPF: v=spf1 exists:%{i}.%{l2r-}.user.%{d2} 1.2.3.4.gladstone.philip.user.example.com: - A: 127.0.0.2 e12.example.com: - SPF: v=spf1 exists:%{l2r+-}.user.%{d2} bar.foo.user.example.com: - A: 127.0.0.2 --- description: Processing limits tests: redirect-loop: description: >- SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check. spec: 4.6.4/1 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e1.example.com result: permerror include-loop: description: >- SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check. spec: 4.6.4/1 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e2.example.com result: permerror mx-limit: description: >- there MUST be a limit of no more than 10 MX looked up and checked. comment: >- The required result for this test was the subject of much controversy with RFC4408. For RFC7208 the ambiguity was resolved in favor of producing a permerror result. spec: 4.6.4/2 helo: mail.example.com host: 1.2.3.5 mailfrom: foo@e4.example.com result: permerror ptr-limit: description: >- there MUST be a limit of no more than 10 PTR looked up and checked. comment: >- The result of this test cannot be permerror not only because the RFC does not specify it, but because the sender has no control over the PTR records of spammers. The preferred result reflects evaluating the 10 allowed PTR records in the order returned by the test data. If testing with live DNS, the PTR order may be random, and a pass result would still be compliant. The SPF result is effectively randomized. spec: 4.6.4/3 helo: mail.example.com host: 1.2.3.5 mailfrom: foo@e5.example.com result: [neutral, pass] false-a-limit: description: >- unlike MX, PTR, there is no RR limit for A comment: >- There seems to be a tendency for developers to want to limit A RRs in addition to MX and PTR. These are IPs, not usable for 3rd party DoS attacks, and hence need no low limit. spec: 4.6.4 helo: mail.example.com host: 1.2.3.12 mailfrom: foo@e10.example.com result: pass mech-at-limit: description: >- SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check. spec: 4.6.4/1 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e6.example.com result: pass mech-over-limit: description: >- SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check. comment: >- We do not check whether an implementation counts mechanisms before or after evaluation. The RFC is not clear on this. spec: 4.6.4/1 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e7.example.com result: permerror include-at-limit: description: >- SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check. comment: >- The part of the RFC that talks about MAY parse the entire record first (4.6) is specific to syntax errors. In RFC7208, processing limits are part of syntax checking (4.6). spec: 4.6.4/1 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e8.example.com result: pass include-over-limit: description: >- SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check. spec: 4.6.4/1 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e9.example.com result: permerror void-at-limit: description: >- SPF implementations SHOULD limit "void lookups" to two. An implementation MAY choose to make such a limit configurable. In this case, a default of two is RECOMMENDED. comment: >- This is a new check in RFC7208, but it's been implemented in Mail::SPF for years with no issues. spec: 4.6.4/7 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e12.example.com result: neutral void-over-limit: description: >- SPF implementations SHOULD limit "void lookups" to two. An implementation MAY choose to make such a limit configurable. In this case, a default of two is RECOMMENDED. spec: 4.6.4/7 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e11.example.com result: permerror zonedata: mail.example.com: - A: 1.2.3.4 e1.example.com: - SPF: v=spf1 ip4:1.1.1.1 redirect=e1.example.com - A: 1.2.3.6 e2.example.com: - SPF: v=spf1 include:e3.example.com - A: 1.2.3.7 e3.example.com: - SPF: v=spf1 include:e2.example.com - A: 1.2.3.8 e4.example.com: - SPF: v=spf1 mx - MX: [0, mail.example.com] - MX: [1, mail.example.com] - MX: [2, mail.example.com] - MX: [3, mail.example.com] - MX: [4, mail.example.com] - MX: [5, mail.example.com] - MX: [6, mail.example.com] - MX: [7, mail.example.com] - MX: [8, mail.example.com] - MX: [9, mail.example.com] - MX: [10, e4.example.com] - A: 1.2.3.5 e5.example.com: - SPF: v=spf1 ptr - A: 1.2.3.5 5.3.2.1.in-addr.arpa: - PTR: e1.example.com. - PTR: e2.example.com. - PTR: e3.example.com. - PTR: e4.example.com. - PTR: example.com. - PTR: e6.example.com. - PTR: e7.example.com. - PTR: e8.example.com. - PTR: e9.example.com. - PTR: e10.example.com. - PTR: e5.example.com. e6.example.com: - SPF: v=spf1 a mx a mx a mx a mx a ptr ip4:1.2.3.4 -all - A: 1.2.3.8 - MX: [10, e6.example.com] e7.example.com: - SPF: v=spf1 a mx a mx a mx a mx a ptr a ip4:1.2.3.4 -all - A: 1.2.3.20 e8.example.com: - SPF: v=spf1 a include:inc.example.com ip4:1.2.3.4 mx -all - A: 1.2.3.4 inc.example.com: - SPF: v=spf1 a a a a a a a a - A: 1.2.3.10 e9.example.com: - SPF: v=spf1 a include:inc.example.com a ip4:1.2.3.4 -all - A: 1.2.3.21 e10.example.com: - SPF: v=spf1 a -all - A: 1.2.3.1 - A: 1.2.3.2 - A: 1.2.3.3 - A: 1.2.3.4 - A: 1.2.3.5 - A: 1.2.3.6 - A: 1.2.3.7 - A: 1.2.3.8 - A: 1.2.3.9 - A: 1.2.3.10 - A: 1.2.3.11 - A: 1.2.3.12 e11.example.com: - TXT: v=spf1 a:err.example.com a:err1.example.com a:err2.example.com ?all e12.example.com: - TXT: v=spf1 a:err.example.com a:err1.example.com ?all --- description: Test cases from implementation bugs tests: bytes-bug: description: >- Bytes vs str bug from pyspf. comment: >- Pyspf failed with strict=2 only. Other implementations may ignore the strict parameter. spec: 5.4/4 helo: example.org host: 2001:db8:ff0:100::2 mailfrom: test@example.org result: pass strict: 2 cname-aliasing: description: >- referencing the same TXT record through multiple CNAME aliases comment: >- Pyspf incorrectly reports multiple SPF records spec: 3.2/1 helo: mail.example.org host: 192.0.2.27 mailfrom: test@mail.example.org result: fail zonedata: example.org: - SPF: "v=spf1 mx redirect=_spf.example.com" - MX: [10,smtp.example.org] - MX: [10,smtp1.example.com] smtp.example.org: - A: 198.51.100.2 - AAAA: 2001:db8:ff0:100::3 smtp1.example.com: - A: 192.0.2.26 - AAAA: 2001:db8:ff0:200::2 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.F.F.0.8.B.D.0.1.0.0.2.ip6.arpa: - PTR: smtp6-v.fe.example.org smtp6-v.fe.example.org: - AAAA: 2001:db8:ff0:100::2 _spf.example.com: - SPF: "v=spf1 ptr:fe.example.org ptr:sgp.example.com exp=_expspf.example.org -all" _expspf.example.org: - TXT: "Sender domain not allowed from this host. Please see http://www.openspf.org/Why?s=mfrom&id=%{S}&ip=%{C}&r=%{R}" a.example.org: - TXT: "Another TXT record." - TXT: "v=spf1 ip4:192.0.2.225 ?include:webmail.pair.com ?include:relay.pair.com -all" - TXT: "More TXT records." - TXT: "A third TXT record." - AAAA: 2001:db8:ff0:300::4 b.example.org: - CNAME: "a.example.org" mail.example.org: - SPF: "v=spf1 include:a.example.org include:b.example.org -all" - A: 192.0.2.28 webmail.pair.com: - TXT: "v=spf1 ip4:66.39.3.0/24 ip4:209.68.6.94/32" relay.pair.com: - TXT: "v=spf1 ip4:209.68.5.9/32 ip4:209.68.5.15/32 a -all" - A: 192.0.2.131 pyspf-2.0.14/test/rfc4408-tests.LICENSE0000664000175000017500000000274313353537453020065 0ustar stuartstuart00000000000000The RFC 4408 test-suite (rfc4408-tests.yml) is (C) 2006-2007 Stuart D Gathman 2007 Julian Mehnle All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. The names of the authors may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. pyspf-2.0.14/test/rfc4408-tests.yml0000664000175000017500000021670313533330245017575 0ustar stuartstuart00000000000000# This is the openspf.org test suite (release 2009.10) based on RFC 4408. # http://www.openspf.org/Test_Suite # # $Id$ # vim:sw=2 sts=2 et # # See rfc4408-tests.CHANGES for a changelog. # # Contributors: # Stuart D Gathman 90% of the tests # Julian Mehnle some tests, proofread YAML syntax, formal schema # Frank Ellermann # Scott Kitterman # Wayne Schlitt # Craig Whitmore # Norman Maurer # Mark Shewmaker # Philip Gladstone # # While the test suite is designed for all types of implementations, it only # needs to explicitly concern itself with SPF-only (type 99) and TXT-only # implementations. This is because while an implementation may support both, # it must use only one record type for a given query - see 4.5/5. If an # implementation finds SPF (type 99) records and decides to use them, they # override TXT, and it must ignore any TXT records. Note that an # implementation may decide whether to use SPF records on a case by case basis. # Maybe it looks TXT and SPF up in parallel and goes with the first result to # come back. Or maybe one is cached already. Or maybe it chooses at random. # Think of dual SPF/TXT implementations as a quantum superposition of SPF-only # and TXT-only. It must collapse to one or the other on each observation to be # compliant. # # The "Selecting records" test section is the only one concerned with weeding # out (incorrect) mixed behaviour and checking for proper response to duplicate # or conflicting records. Other sections rely on auto-magic duplication # of SPF to TXT records (by test suite drivers) to test all implementation # types with one specification. # --- description: Initial processing tests: toolonglabel: description: >- DNS labels limited to 63 chars. comment: >- For initial processing, a long label results in None, not TempError spec: 4.3/1 helo: mail.example.net host: 1.2.3.5 mailfrom: lyme.eater@A123456789012345678901234567890123456789012345678901234567890123.example.com result: none longlabel: description: >- DNS labels limited to 63 chars. spec: 4.3/1 helo: mail.example.net host: 1.2.3.5 mailfrom: lyme.eater@A12345678901234567890123456789012345678901234567890123456789012.example.com result: fail emptylabel: spec: 4.3/1 helo: mail.example.net host: 1.2.3.5 mailfrom: lyme.eater@A...example.com result: none helo-not-fqdn: spec: 4.3/1 helo: A2345678 host: 1.2.3.5 mailfrom: "" result: none helo-domain-literal: spec: 4.3/1 helo: "[1.2.3.5]" host: 1.2.3.5 mailfrom: "" result: none nolocalpart: spec: 4.3/2 helo: mail.example.net host: 1.2.3.4 mailfrom: '@example.net' result: fail explanation: postmaster domain-literal: spec: 4.3/1 helo: OEMCOMPUTER host: 1.2.3.5 mailfrom: "foo@[1.2.3.5]" result: none non-ascii-policy: description: >- SPF policies are restricted to 7-bit ascii. spec: 3.1.1/1 helo: hosed host: 1.2.3.4 mailfrom: "foobar@hosed.example.com" result: permerror non-ascii-mech: description: >- SPF policies are restricted to 7-bit ascii. comment: >- Checking a possibly different code path for non-ascii chars. spec: 3.1.1/1 helo: hosed host: 1.2.3.4 mailfrom: "foobar@hosed2.example.com" result: permerror non-ascii-result: description: >- SPF policies are restricted to 7-bit ascii. comment: >- Checking yet another code path for non-ascii chars. spec: 3.1.1/1 helo: hosed host: 1.2.3.4 mailfrom: "foobar@hosed3.example.com" result: permerror non-ascii-non-spf: description: >- Non-ascii content in non-SPF related records. comment: >- Non-SPF related TXT records are none of our business. (But what about SPF records?) spec: 3.1.1/1 helo: hosed host: 1.2.3.4 mailfrom: "foobar@nothosed.example.com" result: fail explanation: DEFAULT two-spaces: description: >- ABNF for term separation is one or more spaces, not just one. spec: 4.6.1 helo: hosed host: 1.2.3.4 mailfrom: "actually@fine.example.com" result: fail zonedata: example.com: - TIMEOUT example.net: - SPF: v=spf1 -all exp=exp.example.net a.example.net: - SPF: v=spf1 -all exp=exp.example.net exp.example.net: - TXT: '%{l}' a12345678901234567890123456789012345678901234567890123456789012.example.com: - SPF: v=spf1 -all hosed.example.com: - SPF: "v=spf1 a:\xEF\xBB\xBFgarbage.example.net -all" hosed2.example.com: - SPF: "v=spf1 \x80a:example.net -all" hosed3.example.com: - SPF: "v=spf1 a:example.net \x96all" nothosed.example.com: - SPF: "v=spf1 a:example.net -all" - SPF: "\x96" fine.example.com: - TXT: "v=spf1 a -all" --- description: Record lookup tests: both: spec: 4.4/1 helo: mail.example.net host: 1.2.3.4 mailfrom: foo@both.example.net result: fail txtonly: description: Result is none if checking SPF records only. spec: 4.4/1 helo: mail.example.net host: 1.2.3.4 mailfrom: foo@txtonly.example.net result: [fail, none] spfonly: description: Result is none if checking TXT records only. spec: 4.4/1 helo: mail.example.net host: 1.2.3.4 mailfrom: foo@spfonly.example.net result: [fail, none] spftimeout: description: >- TXT record present, but SPF lookup times out. Result is temperror if checking SPF records only. comment: >- This actually happens for a popular braindead DNS server. spec: 4.4/1 helo: mail.example.net host: 1.2.3.4 mailfrom: foo@spftimeout.example.net result: [fail, temperror] txttimeout: description: >- SPF record present, but TXT lookup times out. If only TXT records are checked, result is temperror. spec: 4.4/1 helo: mail.example.net host: 1.2.3.4 mailfrom: foo@txttimeout.example.net result: [fail, temperror] nospftxttimeout: description: >- No SPF record present, and TXT lookup times out. If only TXT records are checked, result is temperror. comment: >- Because TXT records is where v=spf1 records will likely be, returning temperror will try again later. A timeout due to a braindead server is unlikely in the case of TXT, as opposed to the newer SPF RR. spec: 4.4/1 helo: mail.example.net host: 1.2.3.4 mailfrom: foo@nospftxttimeout.example.net result: [temperror, none] alltimeout: description: Both TXT and SPF queries time out spec: 4.4/2 helo: mail.example.net host: 1.2.3.4 mailfrom: foo@alltimeout.example.net result: temperror zonedata: both.example.net: - TXT: v=spf1 -all - SPF: v=spf1 -all txtonly.example.net: - TXT: v=spf1 -all spfonly.example.net: - SPF: v=spf1 -all - TXT: NONE spftimeout.example.net: - TXT: v=spf1 -all - TIMEOUT txttimeout.example.net: - SPF: v=spf1 -all - TXT: NONE - TIMEOUT nospftxttimeout.example.net: - SPF: "v=spf3 !a:yahoo.com -all" - TXT: NONE - TIMEOUT alltimeout.example.net: - TIMEOUT --- description: Selecting records tests: nospace1: description: >- Version must be terminated by space or end of record. TXT pieces are joined without intervening spaces. spec: 4.5/4 helo: mail.example1.com host: 1.2.3.4 mailfrom: foo@example2.com result: none empty: description: Empty SPF record. spec: 4.5/4 helo: mail1.example1.com host: 1.2.3.4 mailfrom: foo@example1.com result: neutral nospace2: spec: 4.5/4 helo: mail.example1.com host: 1.2.3.4 mailfrom: foo@example3.com result: pass spfoverride: description: >- SPF records override TXT records. Older implementation may check TXT records only. spec: 4.5/5 helo: mail.example1.com host: 1.2.3.4 mailfrom: foo@example4.com result: [pass, fail] multitxt1: description: >- Older implementations will give permerror/unknown because of the conflicting TXT records. However, RFC 4408 says the SPF records overrides them. spec: 4.5/5 helo: mail.example1.com host: 1.2.3.4 mailfrom: foo@example5.com result: [pass, permerror] multitxt2: description: >- Multiple records is a permerror, v=spf1 is case insensitive spec: 4.5/6 helo: mail.example1.com host: 1.2.3.4 mailfrom: foo@example6.com result: permerror multispf1: description: >- Multiple records is a permerror, even when they are identical. However, this situation cannot be reliably reproduced with live DNS since cache and resolvers are allowed to combine identical records. spec: 4.5/6 helo: mail.example1.com host: 1.2.3.4 mailfrom: foo@example7.com result: [permerror, fail] multispf2: description: >- Older implementations ignoring SPF-type records will give pass because there is a (single) TXT record. But RFC 4408 requires permerror because the SPF records override and there are more than one. spec: 4.5/6 helo: mail.example1.com host: 1.2.3.4 mailfrom: foo@example8.com result: [permerror, pass] nospf: spec: 4.5/7 helo: mail.example1.com host: 1.2.3.4 mailfrom: foo@mail.example1.com result: none case-insensitive: description: >- v=spf1 is case insensitive spec: 4.5/6 helo: mail.example1.com host: 1.2.3.4 mailfrom: foo@example9.com result: softfail zonedata: example3.com: - SPF: v=spf10 - SPF: v=spf1 mx - MX: [0, mail.example1.com] example1.com: - SPF: v=spf1 example2.com: - SPF: ['v=spf1', 'mx'] mail.example1.com: - A: 1.2.3.4 example4.com: - SPF: v=spf1 +all - TXT: v=spf1 -all example5.com: - SPF: v=spf1 +all - TXT: v=spf1 -all - TXT: v=spf1 +all example6.com: - SPF: v=spf1 -all - SPF: V=sPf1 +all example7.com: - SPF: v=spf1 -all - SPF: v=spf1 -all example8.com: - SPF: V=spf1 -all - SPF: v=spf1 -all - TXT: v=spf1 +all example9.com: - SPF: v=SpF1 ~all --- description: Record evaluation tests: detect-errors-anywhere: description: Any syntax errors anywhere in the record MUST be detected. spec: 4.6 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@t1.example.com result: permerror modifier-charset-good: description: name = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." ) spec: 4.6.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@t2.example.com result: pass modifier-charset-bad1: description: >- '=' character immediately after the name and before any ":" or "/" spec: 4.6.1/4 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@t3.example.com result: permerror modifier-charset-bad2: description: >- '=' character immediately after the name and before any ":" or "/" spec: 4.6.1/4 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@t4.example.com result: permerror redirect-after-mechanisms1: description: >- The "redirect" modifier has an effect after all the mechanisms. comment: >- The redirect in this example would violate processing limits, except that it is never used because of the all mechanism. spec: 4.6.3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@t5.example.com result: softfail redirect-after-mechanisms2: description: >- The "redirect" modifier has an effect after all the mechanisms. spec: 4.6.3 helo: mail.example.com host: 1.2.3.5 mailfrom: foo@t6.example.com result: fail default-result: description: Default result is neutral. spec: 4.7/1 helo: mail.example.com host: 1.2.3.5 mailfrom: foo@t7.example.com result: neutral redirect-is-modifier: description: |- Invalid mechanism. Redirect is a modifier. spec: 4.6.1/4 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@t8.example.com result: permerror invalid-domain: description: >- Domain-spec must end in macro-expand or valid toplabel. spec: 8.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@t9.example.com result: permerror invalid-domain-empty-label: description: >- target-name that is a valid domain-spec per RFC 4408 but an invalid domain name per RFC 1035 (empty label) must be treated as non-existent. comment: >- An empty domain label, i.e. two successive dots, in a mechanism target-name is valid domain-spec syntax, even though a DNS query cannot be composed from it. The spec being unclear about it, this could either be considered a syntax error, or, by analogy to 4.3/1 and 5/10/3, the mechanism chould be treated as a no-match. spec: [4.3/1, 5/10/3] helo: mail.example.com host: 1.2.3.4 mailfrom: foo@t10.example.com result: [permerror, fail] invalid-domain-long: description: >- target-name that is a valid domain-spec per RFC 4408 but an invalid domain name per RFC 1035 (long label) must be treated as non-existent. comment: >- A domain label longer than 63 characters in a mechanism target-name is valid domain-spec syntax, even though a DNS query cannot be composed from it. The spec being unclear about it, this could either be considered a syntax error, or, by analogy to 4.3/1 and 5/10/3, the mechanism chould be treated as a no-match. spec: [4.3/1, 5/10/3] helo: mail.example.com host: 1.2.3.4 mailfrom: foo@t11.example.com result: [permerror,fail] invalid-domain-long-via-macro: description: >- target-name that is a valid domain-spec per RFC 4408 but an invalid domain name per RFC 1035 (long label) must be treated as non-existent. comment: >- A domain label longer than 63 characters that results from macro expansion in a mechanism target-name is valid domain-spec syntax (and is not even subject to syntax checking after macro expansion), even though a DNS query cannot be composed from it. The spec being unclear about it, this could either be considered a syntax error, or, by analogy to 4.3/1 and 5/10/3, the mechanism chould be treated as a no-match. spec: [4.3/1, 5/10/3] helo: "%%%%%%%%%%%%%%%%%%%%%%" host: 1.2.3.4 mailfrom: foo@t12.example.com result: [permerror,fail] zonedata: mail.example.com: - A: 1.2.3.4 t1.example.com: - SPF: v=spf1 ip4:1.2.3.4 -all moo t2.example.com: - SPF: v=spf1 moo.cow-far_out=man:dog/cat ip4:1.2.3.4 -all t3.example.com: - SPF: v=spf1 moo.cow/far_out=man:dog/cat ip4:1.2.3.4 -all t4.example.com: - SPF: v=spf1 moo.cow:far_out=man:dog/cat ip4:1.2.3.4 -all t5.example.com: - SPF: v=spf1 redirect=t5.example.com ~all t6.example.com: - SPF: v=spf1 ip4:1.2.3.4 redirect=t2.example.com t7.example.com: - SPF: v=spf1 ip4:1.2.3.4 t8.example.com: - SPF: v=spf1 ip4:1.2.3.4 redirect:t2.example.com t9.example.com: - SPF: v=spf1 a:foo-bar -all t10.example.com: - SPF: v=spf1 a:mail.example...com -all t11.example.com: - SPF: v=spf1 a:a123456789012345678901234567890123456789012345678901234567890123.example.com -all t12.example.com: - SPF: v=spf1 a:%{H}.bar -all --- description: ALL mechanism syntax tests: all-dot: description: | all = "all" comment: |- At least one implementation got this wrong spec: 5.1/1 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e1.example.com result: permerror all-arg: description: | all = "all" comment: |- At least one implementation got this wrong spec: 5.1/1 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e2.example.com result: permerror all-cidr: description: | all = "all" spec: 5.1/1 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e3.example.com result: permerror all-neutral: description: | all = "all" spec: 5.1/1 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e4.example.com result: neutral all-double: description: | all = "all" spec: 5.1/1 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e5.example.com result: pass zonedata: mail.example.com: - A: 1.2.3.4 e1.example.com: - SPF: v=spf1 -all. e2.example.com: - SPF: v=spf1 -all:foobar e3.example.com: - SPF: v=spf1 -all/8 e4.example.com: - SPF: v=spf1 ?all e5.example.com: - SPF: v=spf1 all -all --- description: PTR mechanism syntax tests: ptr-cidr: description: |- PTR = "ptr" [ ":" domain-spec ] spec: 5.5/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e1.example.com result: permerror ptr-match-target: description: >- Check all validated domain names to see if they end in the domain. spec: 5.5/5 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e2.example.com result: pass ptr-match-implicit: description: >- Check all validated domain names to see if they end in the domain. spec: 5.5/5 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e3.example.com result: pass ptr-nomatch-invalid: description: >- Check all validated domain names to see if they end in the domain. comment: >- This PTR record does not validate spec: 5.5/5 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e4.example.com result: fail ptr-match-ip6: description: >- Check all validated domain names to see if they end in the domain. spec: 5.5/5 helo: mail.example.com host: CAFE:BABE::1 mailfrom: foo@e3.example.com result: pass ptr-empty-domain: description: >- domain-spec cannot be empty. spec: 5.5/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e5.example.com result: permerror zonedata: mail.example.com: - A: 1.2.3.4 e1.example.com: - SPF: v=spf1 ptr/0 -all e2.example.com: - SPF: v=spf1 ptr:example.com -all 4.3.2.1.in-addr.arpa: - PTR: e3.example.com - PTR: e4.example.com - PTR: mail.example.com 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.E.B.A.B.E.F.A.C.ip6.arpa: - PTR: e3.example.com e3.example.com: - SPF: v=spf1 ptr -all - A: 1.2.3.4 - AAAA: CAFE:BABE::1 e4.example.com: - SPF: v=spf1 ptr -all e5.example.com: - SPF: "v=spf1 ptr:" --- description: A mechanism syntax tests: a-cidr6: description: | A = "a" [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] spec: 5.3/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e6.example.com result: fail a-bad-cidr4: description: | A = "a" [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] spec: 5.3/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e6a.example.com result: permerror a-bad-cidr6: description: | A = "a" [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] spec: 5.3/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e7.example.com result: permerror a-dual-cidr-ip4-match: description: | A = "a" [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] spec: 5.3/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e8.example.com result: pass a-dual-cidr-ip4-err: description: | A = "a" [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] spec: 5.3/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e8e.example.com result: permerror a-dual-cidr-ip6-match: description: | A = "a" [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] spec: 5.3/2 helo: mail.example.com host: 2001:db8:1234::cafe:babe mailfrom: foo@e8.example.com result: pass a-dual-cidr-ip4-default: description: | A = "a" [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] spec: 5.3/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e8b.example.com result: fail a-dual-cidr-ip6-default: description: | A = "a" [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] spec: 5.3/2 helo: mail.example.com host: 2001:db8:1234::cafe:babe mailfrom: foo@e8a.example.com result: fail a-multi-ip1: description: >- A matches any returned IP. spec: 5.3/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e10.example.com result: pass a-multi-ip2: description: >- A matches any returned IP. spec: 5.3/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e10.example.com result: pass a-bad-domain: description: >- domain-spec must pass basic syntax checks; a ':' may appear in domain-spec, but not in top-label spec: 8.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e9.example.com result: permerror a-nxdomain: description: >- If no ips are returned, A mechanism does not match, even with /0. spec: 5.3/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e1.example.com result: fail a-cidr4-0: description: >- Matches if any A records are present in DNS. spec: 5.3/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e2.example.com result: pass a-cidr4-0-ip6: description: >- Matches if any A records are present in DNS. spec: 5.3/3 helo: mail.example.com host: 1234::1 mailfrom: foo@e2.example.com result: fail a-cidr6-0-ip4: description: >- Would match if any AAAA records are present in DNS, but not for an IP4 connection. spec: 5.3/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e2a.example.com result: fail a-cidr6-0-ip4mapped: description: >- Would match if any AAAA records are present in DNS, but not for an IP4 connection. spec: 5.3/3 helo: mail.example.com host: ::FFFF:1.2.3.4 mailfrom: foo@e2a.example.com result: fail a-cidr6-0-ip6: description: >- Matches if any AAAA records are present in DNS. spec: 5.3/3 helo: mail.example.com host: 1234::1 mailfrom: foo@e2a.example.com result: pass a-ip6-dualstack: description: >- Simple IP6 Address match with dual stack. spec: 5.3/3 helo: mail.example.com host: 1234::1 mailfrom: foo@ipv6.example.com result: pass a-cidr6-0-nxdomain: description: >- No match if no AAAA records are present in DNS. spec: 5.3/3 helo: mail.example.com host: 1234::1 mailfrom: foo@e2b.example.com result: fail a-null: description: >- Null octets not allowed in toplabel spec: 8.1/2 helo: mail.example.com host: 1.2.3.5 mailfrom: foo@e3.example.com result: permerror a-numeric: description: >- toplabel may not be all numeric comment: >- A common publishing mistake is using ip4 addresses with A mechanism. This should receive special diagnostic attention in the permerror. spec: 8.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e4.example.com result: permerror a-numeric-toplabel: description: >- toplabel may not be all numeric spec: 8.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e5.example.com result: permerror a-dash-in-toplabel: description: >- toplabel may contain dashes comment: >- Going from the "toplabel" grammar definition, an implementation using regular expressions in incrementally parsing SPF records might erroneously try to match a TLD such as ".xn--zckzah" (cf. IDN TLDs!) to '( *alphanum ALPHA *alphanum )' first before trying the alternative '( 1*alphanum "-" *( alphanum / "-" ) alphanum )', essentially causing a non-greedy, and thus, incomplete match. Make sure a greedy match is performed! spec: 8.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e14.example.com result: pass a-bad-toplabel: description: >- toplabel may not begin with a dash spec: 8.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e12.example.com result: permerror a-only-toplabel: description: >- domain-spec may not consist of only a toplabel. spec: 8.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e5a.example.com result: permerror a-only-toplabel-trailing-dot: description: >- domain-spec may not consist of only a toplabel. comment: >- "A trailing dot doesn't help." spec: 8.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e5b.example.com result: permerror a-colon-domain: description: >- domain-spec may contain any visible char except % spec: 8.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e11.example.com result: pass a-colon-domain-ip4mapped: description: >- domain-spec may contain any visible char except % spec: 8.1/2 helo: mail.example.com host: ::FFFF:1.2.3.4 mailfrom: foo@e11.example.com result: pass a-empty-domain: description: >- domain-spec cannot be empty. spec: 5.3/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e13.example.com result: permerror zonedata: mail.example.com: - A: 1.2.3.4 e1.example.com: - SPF: v=spf1 a/0 -all e2.example.com: - A: 1.1.1.1 - AAAA: 1234::2 - SPF: v=spf1 a/0 -all e2a.example.com: - AAAA: 1234::1 - SPF: v=spf1 a//0 -all e2b.example.com: - A: 1.1.1.1 - SPF: v=spf1 a//0 -all ipv6.example.com: - AAAA: 1234::1 - A: 1.1.1.1 - SPF: v=spf1 a -all e3.example.com: - SPF: "v=spf1 a:foo.example.com\0" e4.example.com: - SPF: v=spf1 a:111.222.33.44 e5.example.com: - SPF: v=spf1 a:abc.123 e5a.example.com: - SPF: v=spf1 a:museum e5b.example.com: - SPF: v=spf1 a:museum. e6.example.com: - SPF: v=spf1 a//33 -all e6a.example.com: - SPF: v=spf1 a/33 -all e7.example.com: - SPF: v=spf1 a//129 -all e8.example.com: - A: 1.2.3.5 - AAAA: 2001:db8:1234::dead:beef - SPF: v=spf1 a/24//64 -all e8e.example.com: - A: 1.2.3.5 - AAAA: 2001:db8:1234::dead:beef - SPF: v=spf1 a/24/64 -all e8a.example.com: - A: 1.2.3.5 - AAAA: 2001:db8:1234::dead:beef - SPF: v=spf1 a/24 -all e8b.example.com: - A: 1.2.3.5 - AAAA: 2001:db8:1234::dead:beef - SPF: v=spf1 a//64 -all e9.example.com: - SPF: v=spf1 a:example.com:8080 e10.example.com: - SPF: v=spf1 a:foo.example.com/24 foo.example.com: - A: 1.1.1.1 - A: 1.2.3.5 e11.example.com: - SPF: v=spf1 a:foo:bar/baz.example.com foo:bar/baz.example.com: - A: 1.2.3.4 e12.example.com: - SPF: v=spf1 a:example.-com e13.example.com: - SPF: "v=spf1 a:" e14.example.com: - SPF: "v=spf1 a:foo.example.xn--zckzah -all" foo.example.xn--zckzah: - A: 1.2.3.4 --- description: Include mechanism semantics and syntax tests: include-fail: description: >- recursive check_host() result of fail causes include to not match. spec: 5.2/9 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e1.example.com result: softfail include-softfail: description: >- recursive check_host() result of softfail causes include to not match. spec: 5.2/9 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e2.example.com result: pass include-neutral: description: >- recursive check_host() result of neutral causes include to not match. spec: 5.2/9 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e3.example.com result: fail include-temperror: description: >- recursive check_host() result of temperror causes include to temperror spec: 5.2/9 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e4.example.com result: temperror include-permerror: description: >- recursive check_host() result of permerror causes include to permerror spec: 5.2/9 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e5.example.com result: permerror include-syntax-error: description: >- include = "include" ":" domain-spec spec: 5.2/1 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e6.example.com result: permerror include-cidr: description: >- include = "include" ":" domain-spec spec: 5.2/1 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e9.example.com result: permerror include-none: description: >- recursive check_host() result of none causes include to permerror spec: 5.2/9 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e7.example.com result: permerror include-empty-domain: description: >- domain-spec cannot be empty. spec: 5.2/1 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e8.example.com result: permerror zonedata: mail.example.com: - A: 1.2.3.4 ip5.example.com: - SPF: v=spf1 ip4:1.2.3.5 -all ip6.example.com: - SPF: v=spf1 ip4:1.2.3.6 ~all ip7.example.com: - SPF: v=spf1 ip4:1.2.3.7 ?all ip8.example.com: - TIMEOUT erehwon.example.com: - TXT: v=spfl am not an SPF record e1.example.com: - SPF: v=spf1 include:ip5.example.com ~all e2.example.com: - SPF: v=spf1 include:ip6.example.com all e3.example.com: - SPF: v=spf1 include:ip7.example.com -all e4.example.com: - SPF: v=spf1 include:ip8.example.com -all e5.example.com: - SPF: v=spf1 include:e6.example.com -all e6.example.com: - SPF: v=spf1 include +all e7.example.com: - SPF: v=spf1 include:erehwon.example.com -all e8.example.com: - SPF: "v=spf1 include: -all" e9.example.com: - SPF: "v=spf1 include:ip5.example.com/24 -all" --- description: MX mechanism syntax tests: mx-cidr6: description: | MX = "mx" [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] spec: 5.4/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e6.example.com result: fail mx-bad-cidr4: description: | MX = "mx" [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] spec: 5.4/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e6a.example.com result: permerror mx-bad-cidr6: description: | MX = "mx" [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] spec: 5.4/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e7.example.com result: permerror mx-multi-ip1: description: >- MX matches any returned IP. spec: 5.4/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e10.example.com result: pass mx-multi-ip2: description: >- MX matches any returned IP. spec: 5.4/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e10.example.com result: pass mx-bad-domain: description: >- domain-spec must pass basic syntax checks comment: >- A ':' may appear in domain-spec, but not in top-label. spec: 8.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e9.example.com result: permerror mx-nxdomain: description: >- If no ips are returned, MX mechanism does not match, even with /0. spec: 5.4/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e1.example.com result: fail mx-cidr4-0: description: >- Matches if any A records for any MX records are present in DNS. spec: 5.4/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e2.example.com result: pass mx-cidr4-0-ip6: description: >- cidr4 doesn't apply to IP6 connections. spec: 5.4/3 helo: mail.example.com host: 1234::1 mailfrom: foo@e2.example.com result: fail mx-cidr6-0-ip4: description: >- Would match if any AAAA records for MX records are present in DNS, but not for an IP4 connection. spec: 5.4/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e2a.example.com result: fail mx-cidr6-0-ip4mapped: description: >- Would match if any AAAA records for MX records are present in DNS, but not for an IP4 connection. spec: 5.4/3 helo: mail.example.com host: ::FFFF:1.2.3.4 mailfrom: foo@e2a.example.com result: fail mx-cidr6-0-ip6: description: >- Matches if any AAAA records for any MX records are present in DNS. spec: 5.3/3 helo: mail.example.com host: 1234::1 mailfrom: foo@e2a.example.com result: pass mx-cidr6-0-nxdomain: description: >- No match if no AAAA records for any MX records are present in DNS. spec: 5.4/3 helo: mail.example.com host: 1234::1 mailfrom: foo@e2b.example.com result: fail mx-null: description: >- Null not allowed in top-label. spec: 8.1/2 helo: mail.example.com host: 1.2.3.5 mailfrom: foo@e3.example.com result: permerror mx-numeric-top-label: description: >- Top-label may not be all numeric spec: 8.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e5.example.com result: permerror mx-colon-domain: description: >- Domain-spec may contain any visible char except % spec: 8.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e11.example.com result: pass mx-colon-domain-ip4mapped: description: >- Domain-spec may contain any visible char except % spec: 8.1/2 helo: mail.example.com host: ::FFFF:1.2.3.4 mailfrom: foo@e11.example.com result: pass mx-bad-toplab: description: >- Toplabel may not begin with - spec: 8.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e12.example.com result: permerror mx-empty: description: >- test null MX comment: >- Some implementations have had trouble with null MX spec: 5.4/3 helo: mail.example.com host: 1.2.3.4 mailfrom: "" result: neutral mx-implicit: description: >- If the target name has no MX records, check_host() MUST NOT pretend the target is its single MX, and MUST NOT default to an A lookup on the target-name directly. spec: 5.4/4 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e4.example.com result: neutral mx-empty-domain: description: >- domain-spec cannot be empty. spec: 5.2/1 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e13.example.com result: permerror zonedata: mail.example.com: - A: 1.2.3.4 - MX: [0, ""] - SPF: v=spf1 mx e1.example.com: - SPF: v=spf1 mx/0 -all - MX: [0, e1.example.com] e2.example.com: - A: 1.1.1.1 - AAAA: 1234::2 - MX: [0, e2.example.com] - SPF: v=spf1 mx/0 -all e2a.example.com: - AAAA: 1234::1 - MX: [0, e2a.example.com] - SPF: v=spf1 mx//0 -all e2b.example.com: - A: 1.1.1.1 - MX: [0, e2b.example.com] - SPF: v=spf1 mx//0 -all e3.example.com: - SPF: "v=spf1 mx:foo.example.com\0" e4.example.com: - SPF: v=spf1 mx - A: 1.2.3.4 e5.example.com: - SPF: v=spf1 mx:abc.123 e6.example.com: - SPF: v=spf1 mx//33 -all e6a.example.com: - SPF: v=spf1 mx/33 -all e7.example.com: - SPF: v=spf1 mx//129 -all e9.example.com: - SPF: v=spf1 mx:example.com:8080 e10.example.com: - SPF: v=spf1 mx:foo.example.com/24 foo.example.com: - MX: [0, foo1.example.com] foo1.example.com: - A: 1.1.1.1 - A: 1.2.3.5 e11.example.com: - SPF: v=spf1 mx:foo:bar/baz.example.com foo:bar/baz.example.com: - MX: [0, "foo:bar/baz.example.com"] - A: 1.2.3.4 e12.example.com: - SPF: v=spf1 mx:example.-com e13.example.com: - SPF: "v=spf1 mx: -all" --- description: EXISTS mechanism syntax tests: exists-empty-domain: description: >- domain-spec cannot be empty. spec: 5.7/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e1.example.com result: permerror exists-implicit: description: >- exists = "exists" ":" domain-spec spec: 5.7/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e2.example.com result: permerror exists-cidr: description: >- exists = "exists" ":" domain-spec spec: 5.7/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e3.example.com result: permerror exists-ip4: description: >- mechanism matches if any DNS A RR exists spec: 5.7/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e4.example.com result: pass exists-ip6: description: >- The lookup type is A even when the connection is ip6 spec: 5.7/3 helo: mail.example.com host: CAFE:BABE::3 mailfrom: foo@e4.example.com result: pass exists-ip6only: description: >- The lookup type is A even when the connection is ip6 spec: 5.7/3 helo: mail.example.com host: CAFE:BABE::3 mailfrom: foo@e5.example.com result: fail exists-dnserr: description: >- Result for DNS error is being clarified in spfbis spec: 5.7/3 helo: mail.example.com host: CAFE:BABE::3 mailfrom: foo@e6.example.com result: [fail, temperror] zonedata: mail.example.com: - A: 1.2.3.4 mail6.example.com: - AAAA: CAFE:BABE::4 err.example.com: - TIMEOUT e1.example.com: - SPF: "v=spf1 exists:" e2.example.com: - SPF: "v=spf1 exists" e3.example.com: - SPF: "v=spf1 exists:mail.example.com/24" e4.example.com: - SPF: "v=spf1 exists:mail.example.com" e5.example.com: - SPF: "v=spf1 exists:mail6.example.com -all" e6.example.com: - SPF: "v=spf1 exists:err.example.com -all" --- description: IP4 mechanism syntax tests: cidr4-0: description: >- ip4-cidr-length = "/" 1*DIGIT spec: 5.6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e1.example.com result: pass cidr4-32: description: >- ip4-cidr-length = "/" 1*DIGIT spec: 5.6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e2.example.com result: pass cidr4-33: description: >- Invalid CIDR should get permerror. comment: >- The RFC is silent on ip4 CIDR > 32 or ip6 CIDR > 128. However, since there is no reasonable interpretation (except a noop), we have read between the lines to see a prohibition on invalid CIDR. spec: 5.6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e3.example.com result: permerror cidr4-032: description: >- Invalid CIDR should get permerror. comment: >- Leading zeros are not explicitly prohibited by the RFC. However, since the RFC explicity prohibits leading zeros in ip4-network, our interpretation is that CIDR should be also. spec: 5.6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e4.example.com result: permerror bare-ip4: description: >- IP4 = "ip4" ":" ip4-network [ ip4-cidr-length ] spec: 5.6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e5.example.com result: permerror bad-ip4-port: description: >- IP4 = "ip4" ":" ip4-network [ ip4-cidr-length ] comment: >- This has actually been published in SPF records. spec: 5.6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e8.example.com result: permerror bad-ip4-short: description: >- It is not permitted to omit parts of the IP address instead of using CIDR notations. spec: 5.6/4 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e9.example.com result: permerror ip4-dual-cidr: description: >- dual-cidr-length not permitted on ip4 spec: 5.6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e6.example.com result: permerror ip4-mapped-ip6: description: >- IP4 mapped IP6 connections MUST be treated as IP4 spec: 5/9/2 helo: mail.example.com host: ::FFFF:1.2.3.4 mailfrom: foo@e7.example.com result: fail zonedata: mail.example.com: - A: 1.2.3.4 e1.example.com: - SPF: v=spf1 ip4:1.1.1.1/0 -all e2.example.com: - SPF: v=spf1 ip4:1.2.3.4/32 -all e3.example.com: - SPF: v=spf1 ip4:1.2.3.4/33 -all e4.example.com: - SPF: v=spf1 ip4:1.2.3.4/032 -all e5.example.com: - SPF: v=spf1 ip4 e6.example.com: - SPF: v=spf1 ip4:1.2.3.4//32 e7.example.com: - SPF: v=spf1 -ip4:1.2.3.4 ip6:::FFFF:1.2.3.4 e8.example.com: - SPF: v=spf1 ip4:1.2.3.4:8080 e9.example.com: - SPF: v=spf1 ip4:1.2.3 --- description: IP6 mechanism syntax comment: >- IP4 only implementations may skip tests where host is not IP4 tests: bare-ip6: description: >- IP6 = "ip6" ":" ip6-network [ ip6-cidr-length ] spec: 5.6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e1.example.com result: permerror cidr6-0-ip4: description: >- IP4 connections do not match ip6. comment: >- There is controversy over ip4 mapped connections. RFC4408 clearly requires such connections to be considered as ip4. However, some interpret the RFC to mean that such connections should *also* match appropriate ip6 mechanisms (but not, inexplicably, A or MX mechanisms). Until there is consensus, both results are acceptable. spec: 5/9/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e2.example.com result: [neutral, pass] cidr6-ip4: description: >- Even if the SMTP connection is via IPv6, an IPv4-mapped IPv6 IP address (see RFC 3513, Section 2.5.5) MUST still be considered an IPv4 address. comment: >- There is controversy over ip4 mapped connections. RFC4408 clearly requires such connections to be considered as ip4. However, some interpret the RFC to mean that such connections should *also* match appropriate ip6 mechanisms (but not, inexplicably, A or MX mechanisms). Until there is consensus, both results are acceptable. spec: 5/9/2 helo: mail.example.com host: ::FFFF:1.2.3.4 mailfrom: foo@e2.example.com result: [neutral, pass] cidr6-0: description: >- Match any IP6 spec: 5/8 helo: mail.example.com host: DEAF:BABE::CAB:FEE mailfrom: foo@e2.example.com result: pass cidr6-129: description: >- Invalid CIDR comment: >- IP4 only implementations MUST fully syntax check all mechanisms, even if they otherwise ignore them. spec: 5.6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e3.example.com result: permerror cidr6-bad: description: >- dual-cidr syntax not used for ip6 comment: >- IP4 only implementations MUST fully syntax check all mechanisms, even if they otherwise ignore them. spec: 5.6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e4.example.com result: permerror cidr6-33: description: >- make sure ip4 cidr restriction are not used for ip6 spec: 5.6/2 helo: mail.example.com host: "CAFE:BABE:8000::" mailfrom: foo@e5.example.com result: pass cidr6-33-ip4: description: >- make sure ip4 cidr restriction are not used for ip6 spec: 5.6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e5.example.com result: neutral ip6-bad1: description: >- spec: 5.6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e6.example.com result: permerror zonedata: mail.example.com: - A: 1.2.3.4 e1.example.com: - SPF: v=spf1 -all ip6 e2.example.com: - SPF: v=spf1 ip6:::1.1.1.1/0 e3.example.com: - SPF: v=spf1 ip6:::1.1.1.1/129 e4.example.com: - SPF: v=spf1 ip6:::1.1.1.1//33 e5.example.com: - SPF: v=spf1 ip6:CAFE:BABE:8000::/33 e6.example.com: - SPF: v=spf1 ip6::CAFE::BABE --- description: Semantics of exp and other modifiers comment: >- Implementing exp= is optional. If not implemented, the test driver should not check the explanation field. tests: redirect-none: description: >- If no SPF record is found, or if the target-name is malformed, the result is a "PermError" rather than "None". spec: 6.1/4 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e10.example.com result: permerror redirect-cancels-exp: description: >- when executing "redirect", exp= from the original domain MUST NOT be used. spec: 6.2/13 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e1.example.com result: fail explanation: DEFAULT redirect-syntax-error: description: | redirect = "redirect" "=" domain-spec comment: >- A literal application of the grammar causes modifier syntax errors (except for macro syntax) to become unknown-modifier. modifier = explanation | redirect | unknown-modifier However, it is generally agreed, with precedent in other RFCs, that unknown-modifier should not be "greedy", and should not match known modifier names. There should have been explicit prose to this effect, and some has been proposed as an erratum. spec: 6.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e17.example.com result: permerror include-ignores-exp: description: >- when executing "include", exp= from the target domain MUST NOT be used. spec: 6.2/13 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e7.example.com result: fail explanation: Correct! redirect-cancels-prior-exp: description: >- when executing "redirect", exp= from the original domain MUST NOT be used. spec: 6.2/13 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e3.example.com result: fail explanation: See me. invalid-modifier: description: | unknown-modifier = name "=" macro-string name = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." ) comment: >- Unknown modifier name must begin with alpha. spec: A/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e5.example.com result: permerror empty-modifier-name: description: | name = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." ) comment: >- Unknown modifier name must not be empty. spec: A/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e6.example.com result: permerror dorky-sentinel: description: >- An implementation that uses a legal expansion as a sentinel. We cannot check them all, but we can check this one. comment: >- Spaces are allowed in local-part. spec: 8.1/6 helo: mail.example.com host: 1.2.3.4 mailfrom: "Macro Error@e8.example.com" result: fail explanation: Macro Error in implementation exp-multiple-txt: description: | Ignore exp if multiple TXT records. comment: >- If domain-spec is empty, or there are any DNS processing errors (any RCODE other than 0), or if no records are returned, or if more than one record is returned, or if there are syntax errors in the explanation string, then proceed as if no exp modifier was given. spec: 6.2/4 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e11.example.com result: fail explanation: DEFAULT exp-no-txt: description: | Ignore exp if no TXT records. comment: >- If domain-spec is empty, or there are any DNS processing errors (any RCODE other than 0), or if no records are returned, or if more than one record is returned, or if there are syntax errors in the explanation string, then proceed as if no exp modifier was given. spec: 6.2/4 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e22.example.com result: fail explanation: DEFAULT exp-dns-error: description: | Ignore exp if DNS error. comment: >- If domain-spec is empty, or there are any DNS processing errors (any RCODE other than 0), or if no records are returned, or if more than one record is returned, or if there are syntax errors in the explanation string, then proceed as if no exp modifier was given. spec: 6.2/4 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e21.example.com result: fail explanation: DEFAULT exp-empty-domain: description: | PermError if exp= domain-spec is empty. comment: >- Section 6.2/4 says, "If domain-spec is empty, or there are any DNS processing errors (any RCODE other than 0), or if no records are returned, or if more than one record is returned, or if there are syntax errors in the explanation string, then proceed as if no exp modifier was given." However, "if domain-spec is empty" conflicts with the grammar given for the exp modifier. This was reported as an erratum, and the solution chosen was to report explicit "exp=" as PermError, but ignore problems due to macro expansion, DNS, or invalid explanation string. spec: 6.2/4 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e12.example.com result: permerror explanation-syntax-error: description: | Ignore exp if the explanation string has a syntax error. comment: >- If domain-spec is empty, or there are any DNS processing errors (any RCODE other than 0), or if no records are returned, or if more than one record is returned, or if there are syntax errors in the explanation string, then proceed as if no exp modifier was given. spec: 6.2/4 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e13.example.com result: fail explanation: DEFAULT exp-syntax-error: description: | explanation = "exp" "=" domain-spec comment: >- A literal application of the grammar causes modifier syntax errors (except for macro syntax) to become unknown-modifier. modifier = explanation | redirect | unknown-modifier However, it is generally agreed, with precedent in other RFCs, that unknown-modifier should not be "greedy", and should not match known modifier names. There should have been explicit prose to this effect, and some has been proposed as an erratum. spec: 6.2/1 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e16.example.com result: permerror exp-twice: description: | exp= appears twice. comment: >- These two modifiers (exp,redirect) MUST NOT appear in a record more than once each. If they do, then check_host() exits with a result of "PermError". spec: 6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e14.example.com result: permerror redirect-empty-domain: description: | redirect = "redirect" "=" domain-spec comment: >- Unlike for exp, there is no instruction to override the permerror for an empty domain-spec (which is invalid syntax). spec: 6.2/4 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e18.example.com result: permerror redirect-twice: description: | redirect= appears twice. comment: >- These two modifiers (exp,redirect) MUST NOT appear in a record more than once each. If they do, then check_host() exits with a result of "PermError". spec: 6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e15.example.com result: permerror unknown-modifier-syntax: description: | unknown-modifier = name "=" macro-string comment: >- Unknown modifiers must have valid macro syntax. spec: A/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e9.example.com result: permerror default-modifier-obsolete: description: | Unknown modifiers do not modify the RFC SPF result. comment: >- Some implementations may have a leftover default= modifier from earlier drafts. spec: 6/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e19.example.com result: neutral default-modifier-obsolete2: description: | Unknown modifiers do not modify the RFC SPF result. comment: >- Some implementations may have a leftover default= modifier from earlier drafts. spec: 6/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e20.example.com result: neutral non-ascii-exp: description: >- SPF explanation text is restricted to 7-bit ascii. comment: >- Checking a possibly different code path for non-ascii chars. spec: 6.2/5 helo: hosed host: 1.2.3.4 mailfrom: "foobar@nonascii.example.com" result: fail explanation: DEFAULT two-exp-records: description: >- Must ignore exp= if DNS returns more than one TXT record. spec: 6.2/4 helo: hosed host: 1.2.3.4 mailfrom: "foobar@tworecs.example.com" result: fail explanation: DEFAULT zonedata: mail.example.com: - A: 1.2.3.4 e1.example.com: - SPF: v=spf1 exp=exp1.example.com redirect=e2.example.com e2.example.com: - SPF: v=spf1 -all e3.example.com: - SPF: v=spf1 exp=exp1.example.com redirect=e4.example.com e4.example.com: - SPF: v=spf1 -all exp=exp2.example.com exp1.example.com: - TXT: No-see-um exp2.example.com: - TXT: See me. exp3.example.com: - TXT: Correct! exp4.example.com: - TXT: "%{l} in implementation" e5.example.com: - SPF: v=spf1 1up=foo e6.example.com: - SPF: v=spf1 =all e7.example.com: - SPF: v=spf1 include:e3.example.com -all exp=exp3.example.com e8.example.com: - SPF: v=spf1 -all exp=exp4.example.com e9.example.com: - SPF: v=spf1 -all foo=%abc e10.example.com: - SPF: v=spf1 redirect=erehwon.example.com e11.example.com: - SPF: v=spf1 -all exp=e11msg.example.com e11msg.example.com: - TXT: Answer a fool according to his folly. - TXT: Do not answer a fool according to his folly. e12.example.com: - SPF: v=spf1 exp= -all e13.example.com: - SPF: v=spf1 exp=e13msg.example.com -all e13msg.example.com: - TXT: The %{x}-files. e14.example.com: - SPF: v=spf1 exp=e13msg.example.com -all exp=e11msg.example.com e15.example.com: - SPF: v=spf1 redirect=e12.example.com -all redirect=e12.example.com e16.example.com: - SPF: v=spf1 exp=-all e17.example.com: - SPF: v=spf1 redirect=-all ?all e18.example.com: - SPF: v=spf1 ?all redirect= e19.example.com: - SPF: v=spf1 default=pass e20.example.com: - SPF: "v=spf1 default=+" e21.example.com: - SPF: v=spf1 exp=e21msg.example.com -all e21msg.example.com: - TIMEOUT e22.example.com: - SPF: v=spf1 exp=mail.example.com -all nonascii.example.com: - SPF: v=spf1 exp=badexp.example.com -all badexp.example.com: - TXT: "\xEF\xBB\xBFExplanation" tworecs.example.com: - SPF: v=spf1 exp=twoexp.example.com -all twoexp.example.com: - TXT: "one" - TXT: "two" --- description: Macro expansion rules tests: trailing-dot-domain: spec: 8.1/16 description: >- trailing dot is ignored for domains helo: msgbas2x.cos.example.com host: 192.168.218.40 mailfrom: test@example.com result: pass trailing-dot-exp: spec: 8.1 description: >- trailing dot is not removed from explanation comment: >- A simple way for an implementation to ignore trailing dots on domains is to remove it when present. But be careful not to remove it for explanation text. helo: msgbas2x.cos.example.com host: 192.168.218.40 mailfrom: test@exp.example.com result: fail explanation: This is a test. exp-only-macro-char: spec: 8.1/8 description: >- The following macro letters are allowed only in "exp" text: c, r, t helo: msgbas2x.cos.example.com host: 192.168.218.40 mailfrom: test@e2.example.com result: permerror invalid-macro-char: spec: 8.1/9 description: >- A '%' character not followed by a '{', '%', '-', or '_' character is a syntax error. helo: msgbas2x.cos.example.com host: 192.168.218.40 mailfrom: test@e1.example.com result: permerror invalid-embedded-macro-char: spec: 8.1/9 description: >- A '%' character not followed by a '{', '%', '-', or '_' character is a syntax error. helo: msgbas2x.cos.example.com host: 192.168.218.40 mailfrom: test@e1e.example.com result: permerror invalid-trailing-macro-char: spec: 8.1/9 description: >- A '%' character not followed by a '{', '%', '-', or '_' character is a syntax error. helo: msgbas2x.cos.example.com host: 192.168.218.40 mailfrom: test@e1t.example.com result: permerror macro-mania-in-domain: description: >- macro-encoded percents (%%), spaces (%_), and URL-percent-encoded spaces (%-) spec: 8.1/3, 8.1/4 helo: mail.example.com host: 1.2.3.4 mailfrom: test@e1a.example.com result: pass exp-txt-macro-char: spec: 8.1/20 description: >- For IPv4 addresses, both the "i" and "c" macros expand to the standard dotted-quad format. helo: msgbas2x.cos.example.com host: 192.168.218.40 mailfrom: test@e3.example.com result: fail explanation: Connections from 192.168.218.40 not authorized. domain-name-truncation: spec: 8.1/25 description: >- When the result of macro expansion is used in a domain name query, if the expanded domain name exceeds 253 characters, the left side is truncated to fit, by removing successive domain labels until the total length does not exceed 253 characters. helo: msgbas2x.cos.example.com host: 192.168.218.40 mailfrom: test@somewhat.long.exp.example.com result: fail explanation: Congratulations! That was tricky. v-macro-ip4: spec: 8.1/6 description: |- v = the string "in-addr" if is ipv4, or "ip6" if is ipv6 helo: msgbas2x.cos.example.com host: 192.168.218.40 mailfrom: test@e4.example.com result: fail explanation: 192.168.218.40 is queried as 40.218.168.192.in-addr.arpa v-macro-ip6: spec: 8.1/6 description: |- v = the string "in-addr" if is ipv4, or "ip6" if is ipv6 helo: msgbas2x.cos.example.com host: CAFE:BABE::1 mailfrom: test@e4.example.com result: fail explanation: cafe:babe::1 is queried as 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.E.B.A.B.E.F.A.C.ip6.arpa undef-macro: spec: 8.1/6 description: >- Allowed macros chars are 'slodipvh' plus 'crt' in explanation. helo: msgbas2x.cos.example.com host: CAFE:BABE::192.168.218.40 mailfrom: test@e5.example.com result: permerror p-macro-ip4-novalid: spec: 8.1/22 description: |- p = the validated domain name of comment: >- The PTR in this example does not validate. helo: msgbas2x.cos.example.com host: 192.168.218.40 mailfrom: test@e6.example.com result: fail explanation: connect from unknown p-macro-ip4-valid: spec: 8.1/22 description: |- p = the validated domain name of comment: >- If a subdomain of the is present, it SHOULD be used. helo: msgbas2x.cos.example.com host: 192.168.218.41 mailfrom: test@e6.example.com result: fail explanation: connect from mx.example.com p-macro-ip6-novalid: spec: 8.1/22 description: |- p = the validated domain name of comment: >- The PTR in this example does not validate. helo: msgbas2x.cos.example.com host: CAFE:BABE::1 mailfrom: test@e6.example.com result: fail explanation: connect from unknown p-macro-ip6-valid: spec: 8.1/22 description: |- p = the validated domain name of comment: >- If a subdomain of the is present, it SHOULD be used. helo: msgbas2x.cos.example.com host: CAFE:BABE::3 mailfrom: test@e6.example.com result: fail explanation: connect from mx.example.com p-macro-multiple: spec: 8.1/22 description: |- p = the validated domain name of comment: >- If a subdomain of the is present, it SHOULD be used. helo: msgbas2x.cos.example.com host: 192.168.218.42 mailfrom: test@e7.example.com result: [pass, softfail] upper-macro: spec: 8.1/26 description: >- Uppercased macros expand exactly as their lowercased equivalents, and are then URL escaped. helo: msgbas2x.cos.example.com host: 192.168.218.42 mailfrom: jack&jill=up@e8.example.com result: fail explanation: http://example.com/why.html?l=jack%26jill%3Dup hello-macro: spec: 8.1/6 description: |- h = HELO/EHLO domain helo: msgbas2x.cos.example.com host: 192.168.218.40 mailfrom: test@e9.example.com result: pass invalid-hello-macro: spec: 8.1/2 description: |- h = HELO/EHLO domain, but HELO is invalid comment: >- Domain-spec must end in either a macro, or a valid toplabel. It is not correct to check syntax after macro expansion. helo: "JUMPIN' JUPITER" host: 192.168.218.40 mailfrom: test@e9.example.com result: fail hello-domain-literal: spec: 8.1/2 description: |- h = HELO/EHLO domain, but HELO is a domain literal comment: >- Domain-spec must end in either a macro, or a valid toplabel. It is not correct to check syntax after macro expansion. helo: "[192.168.218.40]" host: 192.168.218.40 mailfrom: test@e9.example.com result: fail require-valid-helo: spec: 8.1/6 description: >- Example of requiring valid helo in sender policy. This is a complex policy testing several points at once. helo: OEMCOMPUTER host: 1.2.3.4 mailfrom: test@e10.example.com result: fail macro-reverse-split-on-dash: spec: [8.1/15, 8.1/16, 8.1/17, 8.1/18] description: >- Macro value transformation (splitting on arbitrary characters, reversal, number of right-hand parts to use) helo: mail.example.com host: 1.2.3.4 mailfrom: philip-gladstone-test@e11.example.com result: pass macro-multiple-delimiters: spec: [8.1/15, 8.1/16] description: |- Multiple delimiters may be specified in a macro expression. macro-expand = ( "%{" macro-letter transformers *delimiter "}" ) / "%%" / "%_" / "%-" helo: mail.example.com host: 1.2.3.4 mailfrom: foo-bar+zip+quux@e12.example.com result: pass zonedata: example.com.d.spf.example.com: - SPF: v=spf1 redirect=a.spf.example.com a.spf.example.com: - SPF: v=spf1 include:o.spf.example.com. ~all o.spf.example.com: - SPF: v=spf1 ip4:192.168.218.40 msgbas2x.cos.example.com: - A: 192.168.218.40 example.com: - A: 192.168.90.76 - SPF: v=spf1 redirect=%{d}.d.spf.example.com. exp.example.com: - SPF: v=spf1 exp=msg.example.com. -all msg.example.com: - TXT: This is a test. e1.example.com: - SPF: v=spf1 -exists:%(ir).sbl.example.com ?all e1e.example.com: - SPF: v=spf1 exists:foo%(ir).sbl.example.com ?all e1t.example.com: - SPF: v=spf1 exists:foo%.sbl.example.com ?all e1a.example.com: - SPF: "v=spf1 a:macro%%percent%_%_space%-url-space.example.com -all" "macro%percent space%20url-space.example.com": - A: 1.2.3.4 e2.example.com: - SPF: v=spf1 -all exp=%{r}.example.com e3.example.com: - SPF: v=spf1 -all exp=%{ir}.example.com 40.218.168.192.example.com: - TXT: Connections from %{c} not authorized. somewhat.long.exp.example.com: - SPF: v=spf1 -all exp=foobar.%{o}.%{o}.%{o}.%{o}.%{o}.%{o}.%{o}.%{o}.example.com somewhat.long.exp.example.com.somewhat.long.exp.example.com.somewhat.long.exp.example.com.somewhat.long.exp.example.com.somewhat.long.exp.example.com.somewhat.long.exp.example.com.somewhat.long.exp.example.com.somewhat.long.exp.example.com.example.com: - TXT: Congratulations! That was tricky. e4.example.com: - SPF: v=spf1 -all exp=e4msg.example.com e4msg.example.com: - TXT: "%{c} is queried as %{ir}.%{v}.arpa" e5.example.com: - SPF: v=spf1 a:%{a}.example.com -all e6.example.com: - SPF: v=spf1 -all exp=e6msg.example.com e6msg.example.com: - TXT: "connect from %{p}" mx.example.com: - A: 192.168.218.41 - A: 192.168.218.42 - AAAA: CAFE:BABE::2 - AAAA: CAFE:BABE::3 40.218.168.192.in-addr.arpa: - PTR: mx.example.com 41.218.168.192.in-addr.arpa: - PTR: mx.example.com 42.218.168.192.in-addr.arpa: - PTR: mx.example.com - PTR: mx.e7.example.com 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.E.B.A.B.E.F.A.C.ip6.arpa: - PTR: mx.example.com 3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.E.B.A.B.E.F.A.C.ip6.arpa: - PTR: mx.example.com mx.e7.example.com: - A: 192.168.218.42 mx.e7.example.com.should.example.com: - A: 127.0.0.2 mx.example.com.ok.example.com: - A: 127.0.0.2 e7.example.com: - SPF: v=spf1 exists:%{p}.should.example.com ~exists:%{p}.ok.example.com e8.example.com: - SPF: v=spf1 -all exp=msg8.%{D2} msg8.example.com: - TXT: "http://example.com/why.html?l=%{L}" e9.example.com: - SPF: v=spf1 a:%{H} -all e10.example.com: - SPF: v=spf1 -include:_spfh.%{d2} ip4:1.2.3.0/24 -all _spfh.example.com: - SPF: v=spf1 -a:%{h} +all e11.example.com: - SPF: v=spf1 exists:%{i}.%{l2r-}.user.%{d2} 1.2.3.4.gladstone.philip.user.example.com: - A: 127.0.0.2 e12.example.com: - SPF: v=spf1 exists:%{l2r+-}.user.%{d2} bar.foo.user.example.com: - A: 127.0.0.2 --- description: Processing limits tests: redirect-loop: description: >- SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check. spec: 10.1/6 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e1.example.com result: permerror include-loop: description: >- SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check. spec: 10.1/6 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e2.example.com result: permerror mx-limit: description: >- there MUST be a limit of no more than 10 MX looked up and checked. comment: >- The required result for this test was the subject of much controversy. Many felt that the RFC *should* have specified permerror, but the consensus was that it failed to actually do so. The preferred result reflects evaluating the 10 allowed MX records in the order returned by the test data - or sorted via priority. If testing with live DNS, the MX order may be random, and a pass result would still be compliant. The SPF result is effectively random. spec: 10.1/7 helo: mail.example.com host: 1.2.3.5 mailfrom: foo@e4.example.com result: [neutral, pass, permerror] ptr-limit: description: >- there MUST be a limit of no more than 10 PTR looked up and checked. comment: >- The result of this test cannot be permerror not only because the RFC does not specify it, but because the sender has no control over the PTR records of spammers. The preferred result reflects evaluating the 10 allowed PTR records in the order returned by the test data. If testing with live DNS, the PTR order may be random, and a pass result would still be compliant. The SPF result is effectively randomized. spec: 10.1/7 helo: mail.example.com host: 1.2.3.5 mailfrom: foo@e5.example.com result: [neutral, pass] false-a-limit: description: >- unlike MX, PTR, there is no RR limit for A comment: >- There seems to be a tendency for developers to want to limit A RRs in addition to MX and PTR. These are IPs, not usable for 3rd party DoS attacks, and hence need no low limit. spec: 10.1/7 helo: mail.example.com host: 1.2.3.12 mailfrom: foo@e10.example.com result: pass mech-at-limit: description: >- SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check. spec: 10.1/6 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e6.example.com result: pass mech-over-limit: description: >- SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check. comment: >- We do not check whether an implementation counts mechanisms before or after evaluation. The RFC is not clear on this. spec: 10.1/6 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e7.example.com result: permerror include-at-limit: description: >- SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check. comment: >- The part of the RFC that talks about MAY parse the entire record first (4.6) is specific to syntax errors. Processing limits is a different, non-syntax issue. Processing limits (10.1) specifically talks about limits during a check. spec: 10.1/6 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e8.example.com result: pass include-over-limit: description: >- SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check. spec: 10.1/6 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e9.example.com result: permerror zonedata: mail.example.com: - A: 1.2.3.4 e1.example.com: - SPF: v=spf1 ip4:1.1.1.1 redirect=e1.example.com - A: 1.2.3.6 e2.example.com: - SPF: v=spf1 include:e3.example.com - A: 1.2.3.7 e3.example.com: - SPF: v=spf1 include:e2.example.com - A: 1.2.3.8 e4.example.com: - SPF: v=spf1 mx - MX: [0, mail.example.com] - MX: [1, mail.example.com] - MX: [2, mail.example.com] - MX: [3, mail.example.com] - MX: [4, mail.example.com] - MX: [5, mail.example.com] - MX: [6, mail.example.com] - MX: [7, mail.example.com] - MX: [8, mail.example.com] - MX: [9, mail.example.com] - MX: [10, e4.example.com] - A: 1.2.3.5 e5.example.com: - SPF: v=spf1 ptr - A: 1.2.3.5 5.3.2.1.in-addr.arpa: - PTR: e1.example.com. - PTR: e2.example.com. - PTR: e3.example.com. - PTR: e4.example.com. - PTR: example.com. - PTR: e6.example.com. - PTR: e7.example.com. - PTR: e8.example.com. - PTR: e9.example.com. - PTR: e10.example.com. - PTR: e5.example.com. e6.example.com: - SPF: v=spf1 a mx a mx a mx a mx a ptr ip4:1.2.3.4 -all - A: 1.2.3.8 - MX: [10, e6.example.com] e7.example.com: - SPF: v=spf1 a mx a mx a mx a mx a ptr a ip4:1.2.3.4 -all - A: 1.2.3.20 e8.example.com: - SPF: v=spf1 a include:inc.example.com ip4:1.2.3.4 mx -all - A: 1.2.3.4 inc.example.com: - SPF: v=spf1 a a a a a a a a - A: 1.2.3.10 e9.example.com: - SPF: v=spf1 a include:inc.example.com a ip4:1.2.3.4 -all - A: 1.2.3.21 e10.example.com: - SPF: v=spf1 a -all - A: 1.2.3.1 - A: 1.2.3.2 - A: 1.2.3.3 - A: 1.2.3.4 - A: 1.2.3.5 - A: 1.2.3.6 - A: 1.2.3.7 - A: 1.2.3.8 - A: 1.2.3.9 - A: 1.2.3.10 - A: 1.2.3.11 - A: 1.2.3.12 pyspf-2.0.14/type99.py0000775000175000017500000001110213533330245015343 0ustar stuartstuart00000000000000#!/usr/bin/python """Type 99 (SPF) DNS conversion script. Copyright (c) 2005,2006 Stuart Gathman Portions Copyright (c) 2007 Scott Kitterman This module is free software, and you may redistribute it and/or modify it under the same terms as Python itself, so long as this copyright message and disclaimer are retained in their original form. IN NO EVENT SHALL THE AUTHOR BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS CODE, EVEN IF THE AUTHOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. THE AUTHOR SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE CODE PROVIDED HEREUNDER IS ON AN "AS IS" BASIS, AND THERE IS NO OBLIGATION WHATSOEVER TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. For more information about SPF, a tool against email forgery, see http://www.openspf.net/""" # Copy Bind zonefiles to stdout, removing TYPE99 RRs and # adding a TYPE99 RR for each TXT RR encountered. # This can be used to maintain SPF records as TXT RRs # in a zonefile until Bind is patched/upgraded to recognize # the SPF RR. After adding/changing/deleting TXT RRs, # filtering through this script will refresh the TYPE99 RRs. # # $Log$ # Revision 1.4.4.4 2011/10/27 04:44:58 kitterma # Update type99.py to work with 2.6, 2.7, and 3.2: # - raise ... as ... # - Add filter to stdin processing # - Modernize output print to use format to get consistent python/python3 output # # Revision 1.4.4.3 2008/03/26 19:01:07 kitterma # Capture Type99.py improvements from trunk. SF #1257140 # # Revision 1.9 2008/03/26 18:56:42 kitterma # Update Type99 script to correctly parse multi-string single line TXT records. # Multi-string/multi-line still fails. # # Revision 1.8 2007/01/26 05:06:41 customdesigned # Tweaks for epydoc. # Design for test in type99.py, test cases. # Null byte test case for quote_value. # # Revision 1.7 2007/01/25 21:59:29 kitterma # Update comments to match bug fix. Include copyright statements. Update sheband. # # Revision 1.6 2007/01/25 21:51:45 kitterma # Fix type99 script for multi-line support (Fixes sourceforge #1257140) # # Revision 1.5 2006/12/16 20:45:23 customdesigned # Move dns drivers to package directory. # # Revision 1.4 2005/08/26 20:53:38 kitterma # Fixed typo in type99 script # # Revision 1.3 2005/08/19 19:06:49 customdesigned # use note_error method for consistent extended processing. # Return extended result, strict result in self.perm_error # # Revision 1.2 2005/07/17 02:46:03 customdesigned # Use of expand not needed. # # Revision 1.1 2005/07/17 02:39:42 customdesigned # Utility to maintain TYPE99 copies of SPF TXT RRs. # import sys import fileinput import re def dnstxt(txt): "Convert data into DNS TXT format (sequence of pascal strings)." r = [] while txt: s,txt = txt[:255],txt[255:] r.append(chr(len(s))+s) return ''.join(r) RE_TXT = re.compile(r'^(?P.*\s)TXT\s"(?Pv=spf1.*)"(?P.*)', re.DOTALL) RE_TYPE99 = re.compile(r'\sTYPE99\s') def filter(fin): for line in fin: if not RE_TYPE99.search(line): yield line m = RE_TXT.match(line) if not m: left = line.split('(') try: right = left[1].split(')') except IndexError as errmsg: right = left[0].split(')') if len(left) == 2: right = left[1] else: left = line.split('(') right = left[0] middlelist = right[0].split('"') middle = '' for fragment in middlelist: if fragment != ' ': middle = middle + fragment line = left[0] + '"' + middle + '"' m = RE_TXT.match(line) if m: phrase = dnstxt(m.group('str')) dns_string = '' list = m.group('str') for st in list: dns_string += st phrase = dnstxt(dns_string) s = m.group('rr') + 'TYPE99 \# %i '%len(phrase) yield s+''.join(["%02x"%ord(c) for c in phrase])+m.group('eol') USAGE="""Usage:\t%s phrase %s - = 2.6 Requires: python-authres python-ipaddr >= 2.1.10 # Provide pyspf *only* if not using pyspf package for non-default python Provides: pyspf %description SPF does email sender validation. For more information about SPF, please see http://openspf.net This SPF client is intended to be installed on the border MTA, checking if incoming SMTP clients are permitted to send mail. The SPF check should be done during the MAIL FROM:<...> command. %define namewithoutpythonprefix %(echo %{name} | sed 's/^python-//') %prep %setup -q -n %{namewithoutpythonprefix}-%{version} %build %{__python} setup.py build %install rm -rf $RPM_BUILD_ROOT %{__python} setup.py install -O1 --skip-build --root $RPM_BUILD_ROOT mv $RPM_BUILD_ROOT/usr/bin/type99.py $RPM_BUILD_ROOT/usr/bin/type99 mv $RPM_BUILD_ROOT/usr/bin/spfquery.py $RPM_BUILD_ROOT/usr/bin/spfquery rm -f $RPM_BUILD_ROOT/usr/bin/*.py{o,c} %clean rm -rf $RPM_BUILD_ROOT %files %defattr(-,root,root,-) %doc CHANGELOG PKG-INFO README test %{python_sitelib}/spf.py* /usr/bin/type99 /usr/bin/spfquery /usr/lib/python2.6/site-packages/pyspf-%{version}-py2.6.egg-info %changelog * Thu Oct 17 2019 Stuart Gathman 2.0.14-1 - Fix doctest for CNAME fixes to work with python and python3 - Fix dnspython integration so that SPF TempError is properly raised when there are timeout or no nameserver errors - Restore DNSLookup API for pydnsv(DNS) for tcp fallback works again * Mon Jul 23 2018 Stuart Gathman 2.0.13-1 - Add support for use of dnspython (dns) if installed - Catch ValueError due to improper IP address in connect IP or in ip4/ip6 mechanisms - Fix for CNAME processing causing incorrect permerrors * Wed Aug 5 2015 Stuart Gathman 2.0.12-1 - Reset void_lookups at top of check() to fix bogus permerror on best_guess() - Ignore permerror for best_guess() - Don't crash on null DNS TXT record (ignore): test case null-text - Trailing spaces are allowed by 4.5/2: test case trailing-space - Make CNAME loop result in unknown host: test case ptr-cname-loop - Test case and fix for mixed case CNAME loop, test case ptr-cname-loop * Fri Dec 5 2014 Stuart Gathman 2.0.11-1 - Fix another bug in SPF record parsing that caused records with terms separated by multple spaces as invalid, but they are fine per the ABNF - Downcase names in additional answers returned by DNS before adding to cache, since case inconsistency can cause PTR match failures (initial patch thanks to Joni Fieggen) and other problems. * Tue Sep 2 2014 Stuart Gathman 2.0.10-1 - Fix AAAA not flagged as bytes when strict=2 - Split mechanisms by space only, not by whitespace - include '~' as safe char in url quoted macro expansion - treat AttributeError from pydns as TempError * Tue Apr 29 2014 Stuart Gathman 2.0.9-1 - RFC7208 support - void lookup limit and test cases - Convert YAML tests to TestCases, and have testspf.py return success/fail. * Tue Jul 23 2013 Stuart Gathman 2.0.8-2 - Test case and fix for PermError on non-ascii chars in non-SPF TXT records - Use ipaddr/ipaddress module in place of custom IP processing code - Numerous python3 compatibility fixes - Improved unicode error detection in SPF records - Fixed a bug caused by a null CNAME in cache * Fri Feb 03 2012 Stuart Gathman 2.0.7-1 - fix CNAME chain duplicating TXT records - local test cases for CNAME chains - python3 compatibility changes e.g. print a -> print(a) - check for 7-bit ascii on TXT and SPF records - Use openspf.net for SPF web site instead of openspf.org - Support Authentication-Results header field - Support overall DNS timeout * Thu Oct 27 2011 Stuart Gathman 2.0.6-1 - Python3 port (still requires 2to3 on spf.py) - Ensure Temperror for all DNS rcodes other than 0 and 3 per RFC 4408 - Parse Received-SPF header - Report CIDR error only for valid mechanism - Handle invalid SPF record on command line - Add timeout to check2 - Check for non-ascii policy - parse_header method - python2.6 * Wed Apr 02 2008 Stuart Gathman 2.0.5-1 - Add timeout parameter to query ctor and DNSLookup - Patch from Scott Kitterman to retry truncated results with TCP unless harsh - Validate DNS labels - Reflect decision on empty-exp errata * Wed Jul 25 2007 Stuart Gathman 2.0.4-1 - Correct unofficial 'best guess' processing. - PTR validation processing cleanup - Improved detection of exp= errors - Keyword args for get_header, minor fixes * Mon Jan 15 2007 Stuart Gathman 2.0.3-1 - pyspf requires pydns, python-pyspf requires python-pydns - Record matching mechanism and add to Received-SPF header. - Test for RFC4408 6.2/4, and fix spf.py to comply. - Test for type SPF (type 99) by default in harsh mode only. - Permerror for more than one exp or redirect modifier. - Parse op= modifier * Sat Dec 30 2006 Stuart Gathman 2.0.2-1 - Update openspf URLs - Update Readme to better describe available pyspf interfaces - Add basic description of type99.py and spfquery.py scripts - Add usage instructions for type99.py DNS RR type conversion script - Add spfquery.py usage instructions - Incorporate downstream feedback from Debian packager - Fix key-value quoting in get_header * Fri Dec 08 2006 Stuart Gathman 2.0.1-1 - Prevent cache poisoning attack - Prevent malformed RR attack - Update license on a few files we missed last time * Mon Nov 20 2006 Stuart Gathman 2.0-1 - Completed RFC 4408 compliance - Added spf.check2 for RFC 4408 compatible result codes - Full IP6 support - Fedora Core compatible RPM spec file - Update README, licenses * Tue Sep 26 2006 Stuart Gathman 1.8-1 - YAML test suite syntax - trailing dot support (RFC4408 8.1) * Tue Aug 29 2006 Sean Reifschneider 1.7-1 - Initial RPM spec file.