pyspf-2.0.8/0000755000160600001450000000000012174115617011551 5ustar stuartbmspyspf-2.0.8/test/0000755000160600001450000000000012174115617012530 5ustar stuartbmspyspf-2.0.8/test/rfc4408-tests.yml0000644000160600001450000021464712174112153015513 0ustar stuartbms# This is the openspf.org test suite (release 2009.10) based on RFC 4408. # http://www.openspf.org/Test_Suite # # $Id: rfc4408-tests.yml,v 1.1.2.25 2013/07/23 06:07:25 customdesigned Exp $ # vim:sw=2 sts=2 et # # See rfc4408-tests.CHANGES for a changelog. # # Contributors: # Stuart D Gathman 90% of the tests # Julian Mehnle some tests, proofread YAML syntax, formal schema # Frank Ellermann # Scott Kitterman # Wayne Schlitt # Craig Whitmore # Norman Maurer # Mark Shewmaker # Philip Gladstone # # While the test suite is designed for all types of implementations, it only # needs to explicitly concern itself with SPF-only (type 99) and TXT-only # implementations. This is because while an implementation may support both, # it must use only one record type for a given query - see 4.5/5. If an # implementation finds SPF (type 99) records and decides to use them, they # override TXT, and it must ignore any TXT records. Note that an # implementation may decide whether to use SPF records on a case by case basis. # Maybe it looks TXT and SPF up in parallel and goes with the first result to # come back. Or maybe one is cached already. Or maybe it chooses at random. # Think of dual SPF/TXT implementations as a quantum superposition of SPF-only # and TXT-only. It must collapse to one or the other on each observation to be # compliant. # # The "Selecting records" test section is the only one concerned with weeding # out (incorrect) mixed behaviour and checking for proper response to duplicate # or conflicting records. Other sections rely on auto-magic duplication # of SPF to TXT records (by test suite drivers) to test all implementation # types with one specification. # --- description: Initial processing tests: toolonglabel: description: >- DNS labels limited to 63 chars. comment: >- For initial processing, a long label results in None, not TempError spec: 4.3/1 helo: mail.example.net host: 1.2.3.5 mailfrom: lyme.eater@A123456789012345678901234567890123456789012345678901234567890123.example.com result: none longlabel: description: >- DNS labels limited to 63 chars. spec: 4.3/1 helo: mail.example.net host: 1.2.3.5 mailfrom: lyme.eater@A12345678901234567890123456789012345678901234567890123456789012.example.com result: fail emptylabel: spec: 4.3/1 helo: mail.example.net host: 1.2.3.5 mailfrom: lyme.eater@A...example.com result: none helo-not-fqdn: spec: 4.3/1 helo: A2345678 host: 1.2.3.5 mailfrom: "" result: none helo-domain-literal: spec: 4.3/1 helo: "[1.2.3.5]" host: 1.2.3.5 mailfrom: "" result: none nolocalpart: spec: 4.3/2 helo: mail.example.net host: 1.2.3.4 mailfrom: '@example.net' result: fail explanation: postmaster domain-literal: spec: 4.3/1 helo: OEMCOMPUTER host: 1.2.3.5 mailfrom: "foo@[1.2.3.5]" result: none non-ascii-policy: description: >- SPF policies are restricted to 7-bit ascii. spec: 3.1.1/1 helo: hosed host: 1.2.3.4 mailfrom: "foobar@hosed.example.com" result: permerror non-ascii-mech: description: >- SPF policies are restricted to 7-bit ascii. comment: >- Checking a possibly different code path for non-ascii chars. spec: 3.1.1/1 helo: hosed host: 1.2.3.4 mailfrom: "foobar@hosed2.example.com" result: permerror non-ascii-result: description: >- SPF policies are restricted to 7-bit ascii. comment: >- Checking yet another code path for non-ascii chars. spec: 3.1.1/1 helo: hosed host: 1.2.3.4 mailfrom: "foobar@hosed3.example.com" result: permerror non-ascii-non-spf: description: >- Non-ascii content in non-SPF related records. comment: >- Non-SPF related TXT records are none of our business. (But what about SPF records?) spec: 3.1.1/1 helo: hosed host: 1.2.3.4 mailfrom: "foobar@nothosed.example.com" result: fail explanation: DEFAULT zonedata: example.com: - TIMEOUT example.net: - SPF: v=spf1 -all exp=exp.example.net a.example.net: - SPF: v=spf1 -all exp=exp.example.net exp.example.net: - TXT: '%{l}' a12345678901234567890123456789012345678901234567890123456789012.example.com: - SPF: v=spf1 -all hosed.example.com: - SPF: "v=spf1 a:\xEF\xBB\xBFgarbage.example.net -all" hosed2.example.com: - SPF: "v=spf1 \x80a:example.net -all" hosed3.example.com: - SPF: "v=spf1 a:example.net \x96all" nothosed.example.com: - SPF: "v=spf1 a:example.net -all" - SPF: "\x96" --- description: Record lookup tests: both: spec: 4.4/1 helo: mail.example.net host: 1.2.3.4 mailfrom: foo@both.example.net result: fail txtonly: description: Result is none if checking SPF records only. spec: 4.4/1 helo: mail.example.net host: 1.2.3.4 mailfrom: foo@txtonly.example.net result: [fail, none] spfonly: description: Result is none if checking TXT records only. spec: 4.4/1 helo: mail.example.net host: 1.2.3.4 mailfrom: foo@spfonly.example.net result: [fail, none] spftimeout: description: >- TXT record present, but SPF lookup times out. Result is temperror if checking SPF records only. comment: >- This actually happens for a popular braindead DNS server. spec: 4.4/1 helo: mail.example.net host: 1.2.3.4 mailfrom: foo@spftimeout.example.net result: [fail, temperror] txttimeout: description: >- SPF record present, but TXT lookup times out. If only TXT records are checked, result is temperror. spec: 4.4/1 helo: mail.example.net host: 1.2.3.4 mailfrom: foo@txttimeout.example.net result: [fail, temperror] nospftxttimeout: description: >- No SPF record present, and TXT lookup times out. If only TXT records are checked, result is temperror. comment: >- Because TXT records is where v=spf1 records will likely be, returning temperror will try again later. A timeout due to a braindead server is unlikely in the case of TXT, as opposed to the newer SPF RR. spec: 4.4/1 helo: mail.example.net host: 1.2.3.4 mailfrom: foo@nospftxttimeout.example.net result: [temperror, none] alltimeout: description: Both TXT and SPF queries time out spec: 4.4/2 helo: mail.example.net host: 1.2.3.4 mailfrom: foo@alltimeout.example.net result: temperror zonedata: both.example.net: - TXT: v=spf1 -all - SPF: v=spf1 -all txtonly.example.net: - TXT: v=spf1 -all spfonly.example.net: - SPF: v=spf1 -all - TXT: NONE spftimeout.example.net: - TXT: v=spf1 -all - TIMEOUT txttimeout.example.net: - SPF: v=spf1 -all - TXT: NONE - TIMEOUT nospftxttimeout.example.net: - SPF: "v=spf3 !a:yahoo.com -all" - TXT: NONE - TIMEOUT alltimeout.example.net: - TIMEOUT --- description: Selecting records tests: nospace1: description: >- Version must be terminated by space or end of record. TXT pieces are joined without intervening spaces. spec: 4.5/4 helo: mail.example1.com host: 1.2.3.4 mailfrom: foo@example2.com result: none empty: description: Empty SPF record. spec: 4.5/4 helo: mail1.example1.com host: 1.2.3.4 mailfrom: foo@example1.com result: neutral nospace2: spec: 4.5/4 helo: mail.example1.com host: 1.2.3.4 mailfrom: foo@example3.com result: pass spfoverride: description: >- SPF records override TXT records. Older implementation may check TXT records only. spec: 4.5/5 helo: mail.example1.com host: 1.2.3.4 mailfrom: foo@example4.com result: [pass, fail] multitxt1: description: >- Older implementations will give permerror/unknown because of the conflicting TXT records. However, RFC 4408 says the SPF records overrides them. spec: 4.5/5 helo: mail.example1.com host: 1.2.3.4 mailfrom: foo@example5.com result: [pass, permerror] multitxt2: description: >- Multiple records is a permerror, v=spf1 is case insensitive spec: 4.5/6 helo: mail.example1.com host: 1.2.3.4 mailfrom: foo@example6.com result: permerror multispf1: description: >- Multiple records is a permerror, even when they are identical. However, this situation cannot be reliably reproduced with live DNS since cache and resolvers are allowed to combine identical records. spec: 4.5/6 helo: mail.example1.com host: 1.2.3.4 mailfrom: foo@example7.com result: [permerror, fail] multispf2: description: >- Older implementations ignoring SPF-type records will give pass because there is a (single) TXT record. But RFC 4408 requires permerror because the SPF records override and there are more than one. spec: 4.5/6 helo: mail.example1.com host: 1.2.3.4 mailfrom: foo@example8.com result: [permerror, pass] nospf: spec: 4.5/7 helo: mail.example1.com host: 1.2.3.4 mailfrom: foo@mail.example1.com result: none case-insensitive: description: >- v=spf1 is case insensitive spec: 4.5/6 helo: mail.example1.com host: 1.2.3.4 mailfrom: foo@example9.com result: softfail zonedata: example3.com: - SPF: v=spf10 - SPF: v=spf1 mx - MX: [0, mail.example1.com] example1.com: - SPF: v=spf1 example2.com: - SPF: ['v=spf1', 'mx'] mail.example1.com: - A: 1.2.3.4 example4.com: - SPF: v=spf1 +all - TXT: v=spf1 -all example5.com: - SPF: v=spf1 +all - TXT: v=spf1 -all - TXT: v=spf1 +all example6.com: - SPF: v=spf1 -all - SPF: V=sPf1 +all example7.com: - SPF: v=spf1 -all - SPF: v=spf1 -all example8.com: - SPF: V=spf1 -all - SPF: v=spf1 -all - TXT: v=spf1 +all example9.com: - SPF: v=SpF1 ~all --- description: Record evaluation tests: detect-errors-anywhere: description: Any syntax errors anywhere in the record MUST be detected. spec: 4.6 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@t1.example.com result: permerror modifier-charset-good: description: name = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." ) spec: 4.6.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@t2.example.com result: pass modifier-charset-bad1: description: >- '=' character immediately after the name and before any ":" or "/" spec: 4.6.1/4 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@t3.example.com result: permerror modifier-charset-bad2: description: >- '=' character immediately after the name and before any ":" or "/" spec: 4.6.1/4 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@t4.example.com result: permerror redirect-after-mechanisms1: description: >- The "redirect" modifier has an effect after all the mechanisms. comment: >- The redirect in this example would violate processing limits, except that it is never used because of the all mechanism. spec: 4.6.3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@t5.example.com result: softfail redirect-after-mechanisms2: description: >- The "redirect" modifier has an effect after all the mechanisms. spec: 4.6.3 helo: mail.example.com host: 1.2.3.5 mailfrom: foo@t6.example.com result: fail default-result: description: Default result is neutral. spec: 4.7/1 helo: mail.example.com host: 1.2.3.5 mailfrom: foo@t7.example.com result: neutral redirect-is-modifier: description: |- Invalid mechanism. Redirect is a modifier. spec: 4.6.1/4 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@t8.example.com result: permerror invalid-domain: description: >- Domain-spec must end in macro-expand or valid toplabel. spec: 8.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@t9.example.com result: permerror invalid-domain-empty-label: description: >- target-name that is a valid domain-spec per RFC 4408 but an invalid domain name per RFC 1035 (empty label) must be treated as non-existent. comment: >- An empty domain label, i.e. two successive dots, in a mechanism target-name is valid domain-spec syntax, even though a DNS query cannot be composed from it. The spec being unclear about it, this could either be considered a syntax error, or, by analogy to 4.3/1 and 5/10/3, the mechanism chould be treated as a no-match. spec: [4.3/1, 5/10/3] helo: mail.example.com host: 1.2.3.4 mailfrom: foo@t10.example.com result: [permerror, fail] invalid-domain-long: description: >- target-name that is a valid domain-spec per RFC 4408 but an invalid domain name per RFC 1035 (long label) must be treated as non-existent. comment: >- A domain label longer than 63 characters in a mechanism target-name is valid domain-spec syntax, even though a DNS query cannot be composed from it. The spec being unclear about it, this could either be considered a syntax error, or, by analogy to 4.3/1 and 5/10/3, the mechanism chould be treated as a no-match. spec: [4.3/1, 5/10/3] helo: mail.example.com host: 1.2.3.4 mailfrom: foo@t11.example.com result: [permerror,fail] invalid-domain-long-via-macro: description: >- target-name that is a valid domain-spec per RFC 4408 but an invalid domain name per RFC 1035 (long label) must be treated as non-existent. comment: >- A domain label longer than 63 characters that results from macro expansion in a mechanism target-name is valid domain-spec syntax (and is not even subject to syntax checking after macro expansion), even though a DNS query cannot be composed from it. The spec being unclear about it, this could either be considered a syntax error, or, by analogy to 4.3/1 and 5/10/3, the mechanism chould be treated as a no-match. spec: [4.3/1, 5/10/3] helo: "%%%%%%%%%%%%%%%%%%%%%%" host: 1.2.3.4 mailfrom: foo@t12.example.com result: [permerror,fail] zonedata: mail.example.com: - A: 1.2.3.4 t1.example.com: - SPF: v=spf1 ip4:1.2.3.4 -all moo t2.example.com: - SPF: v=spf1 moo.cow-far_out=man:dog/cat ip4:1.2.3.4 -all t3.example.com: - SPF: v=spf1 moo.cow/far_out=man:dog/cat ip4:1.2.3.4 -all t4.example.com: - SPF: v=spf1 moo.cow:far_out=man:dog/cat ip4:1.2.3.4 -all t5.example.com: - SPF: v=spf1 redirect=t5.example.com ~all t6.example.com: - SPF: v=spf1 ip4:1.2.3.4 redirect=t2.example.com t7.example.com: - SPF: v=spf1 ip4:1.2.3.4 t8.example.com: - SPF: v=spf1 ip4:1.2.3.4 redirect:t2.example.com t9.example.com: - SPF: v=spf1 a:foo-bar -all t10.example.com: - SPF: v=spf1 a:mail.example...com -all t11.example.com: - SPF: v=spf1 a:a123456789012345678901234567890123456789012345678901234567890123.example.com -all t12.example.com: - SPF: v=spf1 a:%{H}.bar -all --- description: ALL mechanism syntax tests: all-dot: description: | all = "all" comment: |- At least one implementation got this wrong spec: 5.1/1 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e1.example.com result: permerror all-arg: description: | all = "all" comment: |- At least one implementation got this wrong spec: 5.1/1 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e2.example.com result: permerror all-cidr: description: | all = "all" spec: 5.1/1 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e3.example.com result: permerror all-neutral: description: | all = "all" spec: 5.1/1 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e4.example.com result: neutral all-double: description: | all = "all" spec: 5.1/1 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e5.example.com result: pass zonedata: mail.example.com: - A: 1.2.3.4 e1.example.com: - SPF: v=spf1 -all. e2.example.com: - SPF: v=spf1 -all:foobar e3.example.com: - SPF: v=spf1 -all/8 e4.example.com: - SPF: v=spf1 ?all e5.example.com: - SPF: v=spf1 all -all --- description: PTR mechanism syntax tests: ptr-cidr: description: |- PTR = "ptr" [ ":" domain-spec ] spec: 5.5/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e1.example.com result: permerror ptr-match-target: description: >- Check all validated domain names to see if they end in the domain. spec: 5.5/5 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e2.example.com result: pass ptr-match-implicit: description: >- Check all validated domain names to see if they end in the domain. spec: 5.5/5 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e3.example.com result: pass ptr-nomatch-invalid: description: >- Check all validated domain names to see if they end in the domain. comment: >- This PTR record does not validate spec: 5.5/5 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e4.example.com result: fail ptr-match-ip6: description: >- Check all validated domain names to see if they end in the domain. spec: 5.5/5 helo: mail.example.com host: CAFE:BABE::1 mailfrom: foo@e3.example.com result: pass ptr-empty-domain: description: >- domain-spec cannot be empty. spec: 5.5/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e5.example.com result: permerror zonedata: mail.example.com: - A: 1.2.3.4 e1.example.com: - SPF: v=spf1 ptr/0 -all e2.example.com: - SPF: v=spf1 ptr:example.com -all 4.3.2.1.in-addr.arpa: - PTR: e3.example.com - PTR: e4.example.com - PTR: mail.example.com 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.E.B.A.B.E.F.A.C.ip6.arpa: - PTR: e3.example.com e3.example.com: - SPF: v=spf1 ptr -all - A: 1.2.3.4 - AAAA: CAFE:BABE::1 e4.example.com: - SPF: v=spf1 ptr -all e5.example.com: - SPF: "v=spf1 ptr:" --- description: A mechanism syntax tests: a-cidr6: description: | A = "a" [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] spec: 5.3/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e6.example.com result: fail a-bad-cidr4: description: | A = "a" [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] spec: 5.3/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e6a.example.com result: permerror a-bad-cidr6: description: | A = "a" [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] spec: 5.3/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e7.example.com result: permerror a-dual-cidr-ip4-match: description: | A = "a" [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] spec: 5.3/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e8.example.com result: pass a-dual-cidr-ip4-err: description: | A = "a" [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] spec: 5.3/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e8e.example.com result: permerror a-dual-cidr-ip6-match: description: | A = "a" [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] spec: 5.3/2 helo: mail.example.com host: 2001:db8:1234::cafe:babe mailfrom: foo@e8.example.com result: pass a-dual-cidr-ip4-default: description: | A = "a" [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] spec: 5.3/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e8b.example.com result: fail a-dual-cidr-ip6-default: description: | A = "a" [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] spec: 5.3/2 helo: mail.example.com host: 2001:db8:1234::cafe:babe mailfrom: foo@e8a.example.com result: fail a-multi-ip1: description: >- A matches any returned IP. spec: 5.3/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e10.example.com result: pass a-multi-ip2: description: >- A matches any returned IP. spec: 5.3/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e10.example.com result: pass a-bad-domain: description: >- domain-spec must pass basic syntax checks; a ':' may appear in domain-spec, but not in top-label spec: 8.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e9.example.com result: permerror a-nxdomain: description: >- If no ips are returned, A mechanism does not match, even with /0. spec: 5.3/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e1.example.com result: fail a-cidr4-0: description: >- Matches if any A records are present in DNS. spec: 5.3/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e2.example.com result: pass a-cidr4-0-ip6: description: >- Matches if any A records are present in DNS. spec: 5.3/3 helo: mail.example.com host: 1234::1 mailfrom: foo@e2.example.com result: fail a-cidr6-0-ip4: description: >- Would match if any AAAA records are present in DNS, but not for an IP4 connection. spec: 5.3/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e2a.example.com result: fail a-cidr6-0-ip4mapped: description: >- Would match if any AAAA records are present in DNS, but not for an IP4 connection. spec: 5.3/3 helo: mail.example.com host: ::FFFF:1.2.3.4 mailfrom: foo@e2a.example.com result: fail a-cidr6-0-ip6: description: >- Matches if any AAAA records are present in DNS. spec: 5.3/3 helo: mail.example.com host: 1234::1 mailfrom: foo@e2a.example.com result: pass a-ip6-dualstack: description: >- Simple IP6 Address match with dual stack. spec: 5.3/3 helo: mail.example.com host: 1234::1 mailfrom: foo@ipv6.example.com result: pass a-cidr6-0-nxdomain: description: >- No match if no AAAA records are present in DNS. spec: 5.3/3 helo: mail.example.com host: 1234::1 mailfrom: foo@e2b.example.com result: fail a-null: description: >- Null octets not allowed in toplabel spec: 8.1/2 helo: mail.example.com host: 1.2.3.5 mailfrom: foo@e3.example.com result: permerror a-numeric: description: >- toplabel may not be all numeric comment: >- A common publishing mistake is using ip4 addresses with A mechanism. This should receive special diagnostic attention in the permerror. spec: 8.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e4.example.com result: permerror a-numeric-toplabel: description: >- toplabel may not be all numeric spec: 8.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e5.example.com result: permerror a-dash-in-toplabel: description: >- toplabel may contain dashes comment: >- Going from the "toplabel" grammar definition, an implementation using regular expressions in incrementally parsing SPF records might erroneously try to match a TLD such as ".xn--zckzah" (cf. IDN TLDs!) to '( *alphanum ALPHA *alphanum )' first before trying the alternative '( 1*alphanum "-" *( alphanum / "-" ) alphanum )', essentially causing a non-greedy, and thus, incomplete match. Make sure a greedy match is performed! spec: 8.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e14.example.com result: pass a-bad-toplabel: description: >- toplabel may not begin with a dash spec: 8.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e12.example.com result: permerror a-only-toplabel: description: >- domain-spec may not consist of only a toplabel. spec: 8.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e5a.example.com result: permerror a-only-toplabel-trailing-dot: description: >- domain-spec may not consist of only a toplabel. comment: >- "A trailing dot doesn't help." spec: 8.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e5b.example.com result: permerror a-colon-domain: description: >- domain-spec may contain any visible char except % spec: 8.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e11.example.com result: pass a-colon-domain-ip4mapped: description: >- domain-spec may contain any visible char except % spec: 8.1/2 helo: mail.example.com host: ::FFFF:1.2.3.4 mailfrom: foo@e11.example.com result: pass a-empty-domain: description: >- domain-spec cannot be empty. spec: 5.3/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e13.example.com result: permerror zonedata: mail.example.com: - A: 1.2.3.4 e1.example.com: - SPF: v=spf1 a/0 -all e2.example.com: - A: 1.1.1.1 - AAAA: 1234::2 - SPF: v=spf1 a/0 -all e2a.example.com: - AAAA: 1234::1 - SPF: v=spf1 a//0 -all e2b.example.com: - A: 1.1.1.1 - SPF: v=spf1 a//0 -all ipv6.example.com: - AAAA: 1234::1 - A: 1.1.1.1 - SPF: v=spf1 a -all e3.example.com: - SPF: "v=spf1 a:foo.example.com\0" e4.example.com: - SPF: v=spf1 a:111.222.33.44 e5.example.com: - SPF: v=spf1 a:abc.123 e5a.example.com: - SPF: v=spf1 a:museum e5b.example.com: - SPF: v=spf1 a:museum. e6.example.com: - SPF: v=spf1 a//33 -all e6a.example.com: - SPF: v=spf1 a/33 -all e7.example.com: - SPF: v=spf1 a//129 -all e8.example.com: - A: 1.2.3.5 - AAAA: 2001:db8:1234::dead:beef - SPF: v=spf1 a/24//64 -all e8e.example.com: - A: 1.2.3.5 - AAAA: 2001:db8:1234::dead:beef - SPF: v=spf1 a/24/64 -all e8a.example.com: - A: 1.2.3.5 - AAAA: 2001:db8:1234::dead:beef - SPF: v=spf1 a/24 -all e8b.example.com: - A: 1.2.3.5 - AAAA: 2001:db8:1234::dead:beef - SPF: v=spf1 a//64 -all e9.example.com: - SPF: v=spf1 a:example.com:8080 e10.example.com: - SPF: v=spf1 a:foo.example.com/24 foo.example.com: - A: 1.1.1.1 - A: 1.2.3.5 e11.example.com: - SPF: v=spf1 a:foo:bar/baz.example.com foo:bar/baz.example.com: - A: 1.2.3.4 e12.example.com: - SPF: v=spf1 a:example.-com e13.example.com: - SPF: "v=spf1 a:" e14.example.com: - SPF: "v=spf1 a:foo.example.xn--zckzah -all" foo.example.xn--zckzah: - A: 1.2.3.4 --- description: Include mechanism semantics and syntax tests: include-fail: description: >- recursive check_host() result of fail causes include to not match. spec: 5.2/9 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e1.example.com result: softfail include-softfail: description: >- recursive check_host() result of softfail causes include to not match. spec: 5.2/9 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e2.example.com result: pass include-neutral: description: >- recursive check_host() result of neutral causes include to not match. spec: 5.2/9 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e3.example.com result: fail include-temperror: description: >- recursive check_host() result of temperror causes include to temperror spec: 5.2/9 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e4.example.com result: temperror include-permerror: description: >- recursive check_host() result of permerror causes include to permerror spec: 5.2/9 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e5.example.com result: permerror include-syntax-error: description: >- include = "include" ":" domain-spec spec: 5.2/1 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e6.example.com result: permerror include-cidr: description: >- include = "include" ":" domain-spec spec: 5.2/1 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e9.example.com result: permerror include-none: description: >- recursive check_host() result of none causes include to permerror spec: 5.2/9 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e7.example.com result: permerror include-empty-domain: description: >- domain-spec cannot be empty. spec: 5.2/1 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e8.example.com result: permerror zonedata: mail.example.com: - A: 1.2.3.4 ip5.example.com: - SPF: v=spf1 ip4:1.2.3.5 -all ip6.example.com: - SPF: v=spf1 ip4:1.2.3.6 ~all ip7.example.com: - SPF: v=spf1 ip4:1.2.3.7 ?all ip8.example.com: - TIMEOUT erehwon.example.com: - TXT: v=spfl am not an SPF record e1.example.com: - SPF: v=spf1 include:ip5.example.com ~all e2.example.com: - SPF: v=spf1 include:ip6.example.com all e3.example.com: - SPF: v=spf1 include:ip7.example.com -all e4.example.com: - SPF: v=spf1 include:ip8.example.com -all e5.example.com: - SPF: v=spf1 include:e6.example.com -all e6.example.com: - SPF: v=spf1 include +all e7.example.com: - SPF: v=spf1 include:erehwon.example.com -all e8.example.com: - SPF: "v=spf1 include: -all" e9.example.com: - SPF: "v=spf1 include:ip5.example.com/24 -all" --- description: MX mechanism syntax tests: mx-cidr6: description: | MX = "mx" [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] spec: 5.4/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e6.example.com result: fail mx-bad-cidr4: description: | MX = "mx" [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] spec: 5.4/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e6a.example.com result: permerror mx-bad-cidr6: description: | MX = "mx" [ ":" domain-spec ] [ dual-cidr-length ] dual-cidr-length = [ ip4-cidr-length ] [ "/" ip6-cidr-length ] spec: 5.4/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e7.example.com result: permerror mx-multi-ip1: description: >- MX matches any returned IP. spec: 5.4/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e10.example.com result: pass mx-multi-ip2: description: >- MX matches any returned IP. spec: 5.4/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e10.example.com result: pass mx-bad-domain: description: >- domain-spec must pass basic syntax checks comment: >- A ':' may appear in domain-spec, but not in top-label. spec: 8.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e9.example.com result: permerror mx-nxdomain: description: >- If no ips are returned, MX mechanism does not match, even with /0. spec: 5.4/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e1.example.com result: fail mx-cidr4-0: description: >- Matches if any A records for any MX records are present in DNS. spec: 5.4/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e2.example.com result: pass mx-cidr4-0-ip6: description: >- Matches if any A records for any MX records are present in DNS. spec: 5.4/3 helo: mail.example.com host: 1234::1 mailfrom: foo@e2.example.com result: fail mx-cidr6-0-ip4: description: >- Would match if any AAAA records for MX records are present in DNS, but not for an IP4 connection. spec: 5.4/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e2a.example.com result: fail mx-cidr6-0-ip4mapped: description: >- Would match if any AAAA records for MX records are present in DNS, but not for an IP4 connection. spec: 5.4/3 helo: mail.example.com host: ::FFFF:1.2.3.4 mailfrom: foo@e2a.example.com result: fail mx-cidr6-0-ip6: description: >- Matches if any AAAA records for any MX records are present in DNS. spec: 5.3/3 helo: mail.example.com host: 1234::1 mailfrom: foo@e2a.example.com result: pass mx-cidr6-0-nxdomain: description: >- No match if no AAAA records for any MX records are present in DNS. spec: 5.4/3 helo: mail.example.com host: 1234::1 mailfrom: foo@e2b.example.com result: fail mx-null: description: >- Null not allowed in top-label. spec: 8.1/2 helo: mail.example.com host: 1.2.3.5 mailfrom: foo@e3.example.com result: permerror mx-numeric-top-label: description: >- Top-label may not be all numeric spec: 8.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e5.example.com result: permerror mx-colon-domain: description: >- Domain-spec may contain any visible char except % spec: 8.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e11.example.com result: pass mx-colon-domain-ip4mapped: description: >- Domain-spec may contain any visible char except % spec: 8.1/2 helo: mail.example.com host: ::FFFF:1.2.3.4 mailfrom: foo@e11.example.com result: pass mx-bad-toplab: description: >- Toplabel may not begin with - spec: 8.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e12.example.com result: permerror mx-empty: description: >- test null MX comment: >- Some implementations have had trouble with null MX spec: 5.4/3 helo: mail.example.com host: 1.2.3.4 mailfrom: "" result: neutral mx-implicit: description: >- If the target name has no MX records, check_host() MUST NOT pretend the target is its single MX, and MUST NOT default to an A lookup on the target-name directly. spec: 5.4/4 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e4.example.com result: neutral mx-empty-domain: description: >- domain-spec cannot be empty. spec: 5.2/1 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e13.example.com result: permerror zonedata: mail.example.com: - A: 1.2.3.4 - MX: [0, ""] - SPF: v=spf1 mx e1.example.com: - SPF: v=spf1 mx/0 -all - MX: [0, e1.example.com] e2.example.com: - A: 1.1.1.1 - AAAA: 1234::2 - MX: [0, e2.example.com] - SPF: v=spf1 mx/0 -all e2a.example.com: - AAAA: 1234::1 - MX: [0, e2a.example.com] - SPF: v=spf1 mx//0 -all e2b.example.com: - A: 1.1.1.1 - MX: [0, e2b.example.com] - SPF: v=spf1 mx//0 -all e3.example.com: - SPF: "v=spf1 mx:foo.example.com\0" e4.example.com: - SPF: v=spf1 mx - A: 1.2.3.4 e5.example.com: - SPF: v=spf1 mx:abc.123 e6.example.com: - SPF: v=spf1 mx//33 -all e6a.example.com: - SPF: v=spf1 mx/33 -all e7.example.com: - SPF: v=spf1 mx//129 -all e9.example.com: - SPF: v=spf1 mx:example.com:8080 e10.example.com: - SPF: v=spf1 mx:foo.example.com/24 foo.example.com: - MX: [0, foo1.example.com] foo1.example.com: - A: 1.1.1.1 - A: 1.2.3.5 e11.example.com: - SPF: v=spf1 mx:foo:bar/baz.example.com foo:bar/baz.example.com: - MX: [0, "foo:bar/baz.example.com"] - A: 1.2.3.4 e12.example.com: - SPF: v=spf1 mx:example.-com e13.example.com: - SPF: "v=spf1 mx: -all" --- description: EXISTS mechanism syntax tests: exists-empty-domain: description: >- domain-spec cannot be empty. spec: 5.7/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e1.example.com result: permerror exists-implicit: description: >- exists = "exists" ":" domain-spec spec: 5.7/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e2.example.com result: permerror exists-cidr: description: >- exists = "exists" ":" domain-spec spec: 5.7/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e3.example.com result: permerror exists-ip4: description: >- mechanism matches if any DNS A RR exists spec: 5.7/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e4.example.com result: pass exists-ip6: description: >- The lookup type is A even when the connection is ip6 spec: 5.7/3 helo: mail.example.com host: CAFE:BABE::3 mailfrom: foo@e4.example.com result: pass exists-ip6only: description: >- The lookup type is A even when the connection is ip6 spec: 5.7/3 helo: mail.example.com host: CAFE:BABE::3 mailfrom: foo@e5.example.com result: fail exists-dnserr: description: >- Result for DNS error is being clarified in spfbis spec: 5.7/3 helo: mail.example.com host: CAFE:BABE::3 mailfrom: foo@e6.example.com result: [fail, temperror] zonedata: mail.example.com: - A: 1.2.3.4 mail6.example.com: - AAAA: CAFE:BABE::4 err.example.com: - TIMEOUT e1.example.com: - SPF: "v=spf1 exists:" e2.example.com: - SPF: "v=spf1 exists" e3.example.com: - SPF: "v=spf1 exists:mail.example.com/24" e4.example.com: - SPF: "v=spf1 exists:mail.example.com" e5.example.com: - SPF: "v=spf1 exists:mail6.example.com -all" e6.example.com: - SPF: "v=spf1 exists:err.example.com -all" --- description: IP4 mechanism syntax tests: cidr4-0: description: >- ip4-cidr-length = "/" 1*DIGIT spec: 5.6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e1.example.com result: pass cidr4-32: description: >- ip4-cidr-length = "/" 1*DIGIT spec: 5.6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e2.example.com result: pass cidr4-33: description: >- Invalid CIDR should get permerror. comment: >- The RFC is silent on ip4 CIDR > 32 or ip6 CIDR > 128. However, since there is no reasonable interpretation (except a noop), we have read between the lines to see a prohibition on invalid CIDR. spec: 5.6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e3.example.com result: permerror cidr4-032: description: >- Invalid CIDR should get permerror. comment: >- Leading zeros are not explicitly prohibited by the RFC. However, since the RFC explicity prohibits leading zeros in ip4-network, our interpretation is that CIDR should be also. spec: 5.6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e4.example.com result: permerror bare-ip4: description: >- IP4 = "ip4" ":" ip4-network [ ip4-cidr-length ] spec: 5.6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e5.example.com result: permerror bad-ip4-port: description: >- IP4 = "ip4" ":" ip4-network [ ip4-cidr-length ] comment: >- This has actually been published in SPF records. spec: 5.6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e8.example.com result: permerror bad-ip4-short: description: >- It is not permitted to omit parts of the IP address instead of using CIDR notations. spec: 5.6/4 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e9.example.com result: permerror ip4-dual-cidr: description: >- dual-cidr-length not permitted on ip4 spec: 5.6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e6.example.com result: permerror ip4-mapped-ip6: description: >- IP4 mapped IP6 connections MUST be treated as IP4 spec: 5/9/2 helo: mail.example.com host: ::FFFF:1.2.3.4 mailfrom: foo@e7.example.com result: fail zonedata: mail.example.com: - A: 1.2.3.4 e1.example.com: - SPF: v=spf1 ip4:1.1.1.1/0 -all e2.example.com: - SPF: v=spf1 ip4:1.2.3.4/32 -all e3.example.com: - SPF: v=spf1 ip4:1.2.3.4/33 -all e4.example.com: - SPF: v=spf1 ip4:1.2.3.4/032 -all e5.example.com: - SPF: v=spf1 ip4 e6.example.com: - SPF: v=spf1 ip4:1.2.3.4//32 e7.example.com: - SPF: v=spf1 -ip4:1.2.3.4 ip6:::FFFF:1.2.3.4 e8.example.com: - SPF: v=spf1 ip4:1.2.3.4:8080 e9.example.com: - SPF: v=spf1 ip4:1.2.3 --- description: IP6 mechanism syntax comment: >- IP4 only implementations may skip tests where host is not IP4 tests: bare-ip6: description: >- IP6 = "ip6" ":" ip6-network [ ip6-cidr-length ] spec: 5.6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e1.example.com result: permerror cidr6-0-ip4: description: >- IP4 connections do not match ip6. comment: >- There is controversy over ip4 mapped connections. RFC4408 clearly requires such connections to be considered as ip4. However, some interpret the RFC to mean that such connections should *also* match appropriate ip6 mechanisms (but not, inexplicably, A or MX mechanisms). Until there is consensus, both results are acceptable. spec: 5/9/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e2.example.com result: [neutral, pass] cidr6-ip4: description: >- Even if the SMTP connection is via IPv6, an IPv4-mapped IPv6 IP address (see RFC 3513, Section 2.5.5) MUST still be considered an IPv4 address. comment: >- There is controversy over ip4 mapped connections. RFC4408 clearly requires such connections to be considered as ip4. However, some interpret the RFC to mean that such connections should *also* match appropriate ip6 mechanisms (but not, inexplicably, A or MX mechanisms). Until there is consensus, both results are acceptable. spec: 5/9/2 helo: mail.example.com host: ::FFFF:1.2.3.4 mailfrom: foo@e2.example.com result: [neutral, pass] cidr6-0: description: >- Match any IP6 spec: 5/8 helo: mail.example.com host: DEAF:BABE::CAB:FEE mailfrom: foo@e2.example.com result: pass cidr6-129: description: >- Invalid CIDR comment: >- IP4 only implementations MUST fully syntax check all mechanisms, even if they otherwise ignore them. spec: 5.6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e3.example.com result: permerror cidr6-bad: description: >- dual-cidr syntax not used for ip6 comment: >- IP4 only implementations MUST fully syntax check all mechanisms, even if they otherwise ignore them. spec: 5.6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e4.example.com result: permerror cidr6-33: description: >- make sure ip4 cidr restriction are not used for ip6 spec: 5.6/2 helo: mail.example.com host: "CAFE:BABE:8000::" mailfrom: foo@e5.example.com result: pass cidr6-33-ip4: description: >- make sure ip4 cidr restriction are not used for ip6 spec: 5.6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e5.example.com result: neutral ip6-bad1: description: >- spec: 5.6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e6.example.com result: permerror zonedata: mail.example.com: - A: 1.2.3.4 e1.example.com: - SPF: v=spf1 -all ip6 e2.example.com: - SPF: v=spf1 ip6:::1.1.1.1/0 e3.example.com: - SPF: v=spf1 ip6:::1.1.1.1/129 e4.example.com: - SPF: v=spf1 ip6:::1.1.1.1//33 e5.example.com: - SPF: v=spf1 ip6:CAFE:BABE:8000::/33 e6.example.com: - SPF: v=spf1 ip6::CAFE::BABE --- description: Semantics of exp and other modifiers comment: >- Implementing exp= is optional. If not implemented, the test driver should not check the explanation field. tests: redirect-none: description: >- If no SPF record is found, or if the target-name is malformed, the result is a "PermError" rather than "None". spec: 6.1/4 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e10.example.com result: permerror redirect-cancels-exp: description: >- when executing "redirect", exp= from the original domain MUST NOT be used. spec: 6.2/13 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e1.example.com result: fail explanation: DEFAULT redirect-syntax-error: description: | redirect = "redirect" "=" domain-spec comment: >- A literal application of the grammar causes modifier syntax errors (except for macro syntax) to become unknown-modifier. modifier = explanation | redirect | unknown-modifier However, it is generally agreed, with precedent in other RFCs, that unknown-modifier should not be "greedy", and should not match known modifier names. There should have been explicit prose to this effect, and some has been proposed as an erratum. spec: 6.1/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e17.example.com result: permerror include-ignores-exp: description: >- when executing "include", exp= from the target domain MUST NOT be used. spec: 6.2/13 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e7.example.com result: fail explanation: Correct! redirect-cancels-prior-exp: description: >- when executing "redirect", exp= from the original domain MUST NOT be used. spec: 6.2/13 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e3.example.com result: fail explanation: See me. invalid-modifier: description: | unknown-modifier = name "=" macro-string name = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." ) comment: >- Unknown modifier name must begin with alpha. spec: A/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e5.example.com result: permerror empty-modifier-name: description: | name = ALPHA *( ALPHA / DIGIT / "-" / "_" / "." ) comment: >- Unknown modifier name must not be empty. spec: A/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e6.example.com result: permerror dorky-sentinel: description: >- An implementation that uses a legal expansion as a sentinel. We cannot check them all, but we can check this one. comment: >- Spaces are allowed in local-part. spec: 8.1/6 helo: mail.example.com host: 1.2.3.4 mailfrom: "Macro Error@e8.example.com" result: fail explanation: Macro Error in implementation exp-multiple-txt: description: | Ignore exp if multiple TXT records. comment: >- If domain-spec is empty, or there are any DNS processing errors (any RCODE other than 0), or if no records are returned, or if more than one record is returned, or if there are syntax errors in the explanation string, then proceed as if no exp modifier was given. spec: 6.2/4 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e11.example.com result: fail explanation: DEFAULT exp-no-txt: description: | Ignore exp if no TXT records. comment: >- If domain-spec is empty, or there are any DNS processing errors (any RCODE other than 0), or if no records are returned, or if more than one record is returned, or if there are syntax errors in the explanation string, then proceed as if no exp modifier was given. spec: 6.2/4 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e22.example.com result: fail explanation: DEFAULT exp-dns-error: description: | Ignore exp if DNS error. comment: >- If domain-spec is empty, or there are any DNS processing errors (any RCODE other than 0), or if no records are returned, or if more than one record is returned, or if there are syntax errors in the explanation string, then proceed as if no exp modifier was given. spec: 6.2/4 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e21.example.com result: fail explanation: DEFAULT exp-empty-domain: description: | PermError if exp= domain-spec is empty. comment: >- Section 6.2/4 says, "If domain-spec is empty, or there are any DNS processing errors (any RCODE other than 0), or if no records are returned, or if more than one record is returned, or if there are syntax errors in the explanation string, then proceed as if no exp modifier was given." However, "if domain-spec is empty" conflicts with the grammar given for the exp modifier. This was reported as an erratum, and the solution chosen was to report explicit "exp=" as PermError, but ignore problems due to macro expansion, DNS, or invalid explanation string. spec: 6.2/4 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e12.example.com result: permerror explanation-syntax-error: description: | Ignore exp if the explanation string has a syntax error. comment: >- If domain-spec is empty, or there are any DNS processing errors (any RCODE other than 0), or if no records are returned, or if more than one record is returned, or if there are syntax errors in the explanation string, then proceed as if no exp modifier was given. spec: 6.2/4 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e13.example.com result: fail explanation: DEFAULT exp-syntax-error: description: | explanation = "exp" "=" domain-spec comment: >- A literal application of the grammar causes modifier syntax errors (except for macro syntax) to become unknown-modifier. modifier = explanation | redirect | unknown-modifier However, it is generally agreed, with precedent in other RFCs, that unknown-modifier should not be "greedy", and should not match known modifier names. There should have been explicit prose to this effect, and some has been proposed as an erratum. spec: 6.2/1 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e16.example.com result: permerror exp-twice: description: | exp= appears twice. comment: >- These two modifiers (exp,redirect) MUST NOT appear in a record more than once each. If they do, then check_host() exits with a result of "PermError". spec: 6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e14.example.com result: permerror redirect-empty-domain: description: | redirect = "redirect" "=" domain-spec comment: >- Unlike for exp, there is no instruction to override the permerror for an empty domain-spec (which is invalid syntax). spec: 6.2/4 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e18.example.com result: permerror redirect-twice: description: | redirect= appears twice. comment: >- These two modifiers (exp,redirect) MUST NOT appear in a record more than once each. If they do, then check_host() exits with a result of "PermError". spec: 6/2 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e15.example.com result: permerror unknown-modifier-syntax: description: | unknown-modifier = name "=" macro-string comment: >- Unknown modifiers must have valid macro syntax. spec: A/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e9.example.com result: permerror default-modifier-obsolete: description: | Unknown modifiers do not modify the RFC SPF result. comment: >- Some implementations may have a leftover default= modifier from earlier drafts. spec: 6/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e19.example.com result: neutral default-modifier-obsolete2: description: | Unknown modifiers do not modify the RFC SPF result. comment: >- Some implementations may have a leftover default= modifier from earlier drafts. spec: 6/3 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e20.example.com result: neutral non-ascii-exp: description: >- SPF explanation text is restricted to 7-bit ascii. comment: >- Checking a possibly different code path for non-ascii chars. spec: 6.2/5 helo: hosed host: 1.2.3.4 mailfrom: "foobar@nonascii.example.com" result: fail explanation: DEFAULT two-exp-records: description: >- Must ignore exp= if DNS returns more than one TXT record. spec: 6.2/4 helo: hosed host: 1.2.3.4 mailfrom: "foobar@tworecs.example.com" result: fail explanation: DEFAULT zonedata: mail.example.com: - A: 1.2.3.4 e1.example.com: - SPF: v=spf1 exp=exp1.example.com redirect=e2.example.com e2.example.com: - SPF: v=spf1 -all e3.example.com: - SPF: v=spf1 exp=exp1.example.com redirect=e4.example.com e4.example.com: - SPF: v=spf1 -all exp=exp2.example.com exp1.example.com: - TXT: No-see-um exp2.example.com: - TXT: See me. exp3.example.com: - TXT: Correct! exp4.example.com: - TXT: "%{l} in implementation" e5.example.com: - SPF: v=spf1 1up=foo e6.example.com: - SPF: v=spf1 =all e7.example.com: - SPF: v=spf1 include:e3.example.com -all exp=exp3.example.com e8.example.com: - SPF: v=spf1 -all exp=exp4.example.com e9.example.com: - SPF: v=spf1 -all foo=%abc e10.example.com: - SPF: v=spf1 redirect=erehwon.example.com e11.example.com: - SPF: v=spf1 -all exp=e11msg.example.com e11msg.example.com: - TXT: Answer a fool according to his folly. - TXT: Do not answer a fool according to his folly. e12.example.com: - SPF: v=spf1 exp= -all e13.example.com: - SPF: v=spf1 exp=e13msg.example.com -all e13msg.example.com: - TXT: The %{x}-files. e14.example.com: - SPF: v=spf1 exp=e13msg.example.com -all exp=e11msg.example.com e15.example.com: - SPF: v=spf1 redirect=e12.example.com -all redirect=e12.example.com e16.example.com: - SPF: v=spf1 exp=-all e17.example.com: - SPF: v=spf1 redirect=-all ?all e18.example.com: - SPF: v=spf1 ?all redirect= e19.example.com: - SPF: v=spf1 default=pass e20.example.com: - SPF: "v=spf1 default=+" e21.example.com: - SPF: v=spf1 exp=e21msg.example.com -all e21msg.example.com: - TIMEOUT e22.example.com: - SPF: v=spf1 exp=mail.example.com -all nonascii.example.com: - SPF: v=spf1 exp=badexp.example.com -all badexp.example.com: - TXT: "\xEF\xBB\xBFExplanation" tworecs.example.com: - SPF: v=spf1 exp=twoexp.example.com -all twoexp.example.com: - TXT: "one" - TXT: "two" --- description: Macro expansion rules tests: trailing-dot-domain: spec: 8.1/16 description: >- trailing dot is ignored for domains helo: msgbas2x.cos.example.com host: 192.168.218.40 mailfrom: test@example.com result: pass trailing-dot-exp: spec: 8.1 description: >- trailing dot is not removed from explanation comment: >- A simple way for an implementation to ignore trailing dots on domains is to remove it when present. But be careful not to remove it for explanation text. helo: msgbas2x.cos.example.com host: 192.168.218.40 mailfrom: test@exp.example.com result: fail explanation: This is a test. exp-only-macro-char: spec: 8.1/8 description: >- The following macro letters are allowed only in "exp" text: c, r, t helo: msgbas2x.cos.example.com host: 192.168.218.40 mailfrom: test@e2.example.com result: permerror invalid-macro-char: spec: 8.1/9 description: >- A '%' character not followed by a '{', '%', '-', or '_' character is a syntax error. helo: msgbas2x.cos.example.com host: 192.168.218.40 mailfrom: test@e1.example.com result: permerror macro-mania-in-domain: description: >- macro-encoded percents (%%), spaces (%_), and URL-percent-encoded spaces (%-) spec: 8.1/3, 8.1/4 helo: mail.example.com host: 1.2.3.4 mailfrom: test@e1a.example.com result: pass exp-txt-macro-char: spec: 8.1/20 description: >- For IPv4 addresses, both the "i" and "c" macros expand to the standard dotted-quad format. helo: msgbas2x.cos.example.com host: 192.168.218.40 mailfrom: test@e3.example.com result: fail explanation: Connections from 192.168.218.40 not authorized. domain-name-truncation: spec: 8.1/25 description: >- When the result of macro expansion is used in a domain name query, if the expanded domain name exceeds 253 characters, the left side is truncated to fit, by removing successive domain labels until the total length does not exceed 253 characters. helo: msgbas2x.cos.example.com host: 192.168.218.40 mailfrom: test@somewhat.long.exp.example.com result: fail explanation: Congratulations! That was tricky. v-macro-ip4: spec: 8.1/6 description: |- v = the string "in-addr" if is ipv4, or "ip6" if is ipv6 helo: msgbas2x.cos.example.com host: 192.168.218.40 mailfrom: test@e4.example.com result: fail explanation: 192.168.218.40 is queried as 40.218.168.192.in-addr.arpa v-macro-ip6: spec: 8.1/6 description: |- v = the string "in-addr" if is ipv4, or "ip6" if is ipv6 helo: msgbas2x.cos.example.com host: CAFE:BABE::1 mailfrom: test@e4.example.com result: fail explanation: cafe:babe::1 is queried as 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.E.B.A.B.E.F.A.C.ip6.arpa undef-macro: spec: 8.1/6 description: >- Allowed macros chars are 'slodipvh' plus 'crt' in explanation. helo: msgbas2x.cos.example.com host: CAFE:BABE::192.168.218.40 mailfrom: test@e5.example.com result: permerror p-macro-ip4-novalid: spec: 8.1/22 description: |- p = the validated domain name of comment: >- The PTR in this example does not validate. helo: msgbas2x.cos.example.com host: 192.168.218.40 mailfrom: test@e6.example.com result: fail explanation: connect from unknown p-macro-ip4-valid: spec: 8.1/22 description: |- p = the validated domain name of comment: >- If a subdomain of the is present, it SHOULD be used. helo: msgbas2x.cos.example.com host: 192.168.218.41 mailfrom: test@e6.example.com result: fail explanation: connect from mx.example.com p-macro-ip6-novalid: spec: 8.1/22 description: |- p = the validated domain name of comment: >- The PTR in this example does not validate. helo: msgbas2x.cos.example.com host: CAFE:BABE::1 mailfrom: test@e6.example.com result: fail explanation: connect from unknown p-macro-ip6-valid: spec: 8.1/22 description: |- p = the validated domain name of comment: >- If a subdomain of the is present, it SHOULD be used. helo: msgbas2x.cos.example.com host: CAFE:BABE::3 mailfrom: test@e6.example.com result: fail explanation: connect from mx.example.com p-macro-multiple: spec: 8.1/22 description: |- p = the validated domain name of comment: >- If a subdomain of the is present, it SHOULD be used. helo: msgbas2x.cos.example.com host: 192.168.218.42 mailfrom: test@e7.example.com result: [pass, softfail] upper-macro: spec: 8.1/26 description: >- Uppercased macros expand exactly as their lowercased equivalents, and are then URL escaped. helo: msgbas2x.cos.example.com host: 192.168.218.42 mailfrom: jack&jill=up@e8.example.com result: fail explanation: http://example.com/why.html?l=jack%26jill%3Dup hello-macro: spec: 8.1/6 description: |- h = HELO/EHLO domain helo: msgbas2x.cos.example.com host: 192.168.218.40 mailfrom: test@e9.example.com result: pass invalid-hello-macro: spec: 8.1/2 description: |- h = HELO/EHLO domain, but HELO is invalid comment: >- Domain-spec must end in either a macro, or a valid toplabel. It is not correct to check syntax after macro expansion. helo: "JUMPIN' JUPITER" host: 192.168.218.40 mailfrom: test@e9.example.com result: fail hello-domain-literal: spec: 8.1/2 description: |- h = HELO/EHLO domain, but HELO is a domain literal comment: >- Domain-spec must end in either a macro, or a valid toplabel. It is not correct to check syntax after macro expansion. helo: "[192.168.218.40]" host: 192.168.218.40 mailfrom: test@e9.example.com result: fail require-valid-helo: spec: 8.1/6 description: >- Example of requiring valid helo in sender policy. This is a complex policy testing several points at once. helo: OEMCOMPUTER host: 1.2.3.4 mailfrom: test@e10.example.com result: fail macro-reverse-split-on-dash: spec: [8.1/15, 8.1/16, 8.1/17, 8.1/18] description: >- Macro value transformation (splitting on arbitrary characters, reversal, number of right-hand parts to use) helo: mail.example.com host: 1.2.3.4 mailfrom: philip-gladstone-test@e11.example.com result: pass macro-multiple-delimiters: spec: [8.1/15, 8.1/16] description: |- Multiple delimiters may be specified in a macro expression. macro-expand = ( "%{" macro-letter transformers *delimiter "}" ) / "%%" / "%_" / "%-" helo: mail.example.com host: 1.2.3.4 mailfrom: foo-bar+zip+quux@e12.example.com result: pass zonedata: example.com.d.spf.example.com: - SPF: v=spf1 redirect=a.spf.example.com a.spf.example.com: - SPF: v=spf1 include:o.spf.example.com. ~all o.spf.example.com: - SPF: v=spf1 ip4:192.168.218.40 msgbas2x.cos.example.com: - A: 192.168.218.40 example.com: - A: 192.168.90.76 - SPF: v=spf1 redirect=%{d}.d.spf.example.com. exp.example.com: - SPF: v=spf1 exp=msg.example.com. -all msg.example.com: - TXT: This is a test. e1.example.com: - SPF: v=spf1 -exists:%(ir).sbl.example.com ?all e1a.example.com: - SPF: "v=spf1 a:macro%%percent%_%_space%-url-space.example.com -all" "macro%percent space%20url-space.example.com": - A: 1.2.3.4 e2.example.com: - SPF: v=spf1 -all exp=%{r}.example.com e3.example.com: - SPF: v=spf1 -all exp=%{ir}.example.com 40.218.168.192.example.com: - TXT: Connections from %{c} not authorized. somewhat.long.exp.example.com: - SPF: v=spf1 -all exp=foobar.%{o}.%{o}.%{o}.%{o}.%{o}.%{o}.%{o}.%{o}.example.com somewhat.long.exp.example.com.somewhat.long.exp.example.com.somewhat.long.exp.example.com.somewhat.long.exp.example.com.somewhat.long.exp.example.com.somewhat.long.exp.example.com.somewhat.long.exp.example.com.somewhat.long.exp.example.com.example.com: - TXT: Congratulations! That was tricky. e4.example.com: - SPF: v=spf1 -all exp=e4msg.example.com e4msg.example.com: - TXT: "%{c} is queried as %{ir}.%{v}.arpa" e5.example.com: - SPF: v=spf1 a:%{a}.example.com -all e6.example.com: - SPF: v=spf1 -all exp=e6msg.example.com e6msg.example.com: - TXT: "connect from %{p}" mx.example.com: - A: 192.168.218.41 - A: 192.168.218.42 - AAAA: CAFE:BABE::2 - AAAA: CAFE:BABE::3 40.218.168.192.in-addr.arpa: - PTR: mx.example.com 41.218.168.192.in-addr.arpa: - PTR: mx.example.com 42.218.168.192.in-addr.arpa: - PTR: mx.example.com - PTR: mx.e7.example.com 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.E.B.A.B.E.F.A.C.ip6.arpa: - PTR: mx.example.com 3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.E.B.A.B.E.F.A.C.ip6.arpa: - PTR: mx.example.com mx.e7.example.com: - A: 192.168.218.42 mx.e7.example.com.should.example.com: - A: 127.0.0.2 mx.example.com.ok.example.com: - A: 127.0.0.2 e7.example.com: - SPF: v=spf1 exists:%{p}.should.example.com ~exists:%{p}.ok.example.com e8.example.com: - SPF: v=spf1 -all exp=msg8.%{D2} msg8.example.com: - TXT: "http://example.com/why.html?l=%{L}" e9.example.com: - SPF: v=spf1 a:%{H} -all e10.example.com: - SPF: v=spf1 -include:_spfh.%{d2} ip4:1.2.3.0/24 -all _spfh.example.com: - SPF: v=spf1 -a:%{h} +all e11.example.com: - SPF: v=spf1 exists:%{i}.%{l2r-}.user.%{d2} 1.2.3.4.gladstone.philip.user.example.com: - A: 127.0.0.2 e12.example.com: - SPF: v=spf1 exists:%{l2r+-}.user.%{d2} bar.foo.user.example.com: - A: 127.0.0.2 --- description: Processing limits tests: redirect-loop: description: >- SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check. spec: 10.1/6 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e1.example.com result: permerror include-loop: description: >- SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check. spec: 10.1/6 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e2.example.com result: permerror mx-limit: description: >- there MUST be a limit of no more than 10 MX looked up and checked. comment: >- The required result for this test was the subject of much controversy. Many felt that the RFC *should* have specified permerror, but the consensus was that it failed to actually do so. The preferred result reflects evaluating the 10 allowed MX records in the order returned by the test data - or sorted via priority. If testing with live DNS, the MX order may be random, and a pass result would still be compliant. The SPF result is effectively random. spec: 10.1/7 helo: mail.example.com host: 1.2.3.5 mailfrom: foo@e4.example.com result: [neutral, pass] ptr-limit: description: >- there MUST be a limit of no more than 10 PTR looked up and checked. comment: >- The result of this test cannot be permerror not only because the RFC does not specify it, but because the sender has no control over the PTR records of spammers. The preferred result reflects evaluating the 10 allowed PTR records in the order returned by the test data. If testing with live DNS, the PTR order may be random, and a pass result would still be compliant. The SPF result is effectively randomized. spec: 10.1/7 helo: mail.example.com host: 1.2.3.5 mailfrom: foo@e5.example.com result: [neutral, pass] false-a-limit: description: >- unlike MX, PTR, there is no RR limit for A comment: >- There seems to be a tendency for developers to want to limit A RRs in addition to MX and PTR. These are IPs, not usable for 3rd party DoS attacks, and hence need no low limit. spec: 10.1/7 helo: mail.example.com host: 1.2.3.12 mailfrom: foo@e10.example.com result: pass mech-at-limit: description: >- SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check. spec: 10.1/6 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e6.example.com result: pass mech-over-limit: description: >- SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check. comment: >- We do not check whether an implementation counts mechanisms before or after evaluation. The RFC is not clear on this. spec: 10.1/6 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e7.example.com result: permerror include-at-limit: description: >- SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check. comment: >- The part of the RFC that talks about MAY parse the entire record first (4.6) is specific to syntax errors. Processing limits is a different, non-syntax issue. Processing limits (10.1) specifically talks about limits during a check. spec: 10.1/6 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e8.example.com result: pass include-over-limit: description: >- SPF implementations MUST limit the number of mechanisms and modifiers that do DNS lookups to at most 10 per SPF check. spec: 10.1/6 helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e9.example.com result: permerror zonedata: mail.example.com: - A: 1.2.3.4 e1.example.com: - SPF: v=spf1 ip4:1.1.1.1 redirect=e1.example.com e2.example.com: - SPF: v=spf1 include:e3.example.com e3.example.com: - SPF: v=spf1 include:e2.example.com e4.example.com: - SPF: v=spf1 mx - MX: [0, mail.example.com] - MX: [1, mail.example.com] - MX: [2, mail.example.com] - MX: [3, mail.example.com] - MX: [4, mail.example.com] - MX: [5, mail.example.com] - MX: [6, mail.example.com] - MX: [7, mail.example.com] - MX: [8, mail.example.com] - MX: [9, mail.example.com] - MX: [10, e4.example.com] - A: 1.2.3.5 e5.example.com: - SPF: v=spf1 ptr - A: 1.2.3.5 5.3.2.1.in-addr.arpa: - PTR: e1.example.com. - PTR: e2.example.com. - PTR: e3.example.com. - PTR: e4.example.com. - PTR: example.com. - PTR: e6.example.com. - PTR: e7.example.com. - PTR: e8.example.com. - PTR: e9.example.com. - PTR: e10.example.com. - PTR: e5.example.com. e6.example.com: - SPF: v=spf1 a mx a mx a mx a mx a ptr ip4:1.2.3.4 -all e7.example.com: - SPF: v=spf1 a mx a mx a mx a mx a ptr a ip4:1.2.3.4 -all e8.example.com: - SPF: v=spf1 a include:inc.example.com ip4:1.2.3.4 mx -all inc.example.com: - SPF: v=spf1 a a a a a a a a e9.example.com: - SPF: v=spf1 a include:inc.example.com a ip4:1.2.3.4 -all e10.example.com: - SPF: v=spf1 a -all - A: 1.2.3.1 - A: 1.2.3.2 - A: 1.2.3.3 - A: 1.2.3.4 - A: 1.2.3.5 - A: 1.2.3.6 - A: 1.2.3.7 - A: 1.2.3.8 - A: 1.2.3.9 - A: 1.2.3.10 - A: 1.2.3.11 - A: 1.2.3.12 pyspf-2.0.8/test/testspf.py0000644000160600001450000001431312174112153014564 0ustar stuartbms# Author: Stuart D. Gathman # Copyright 2006 Business Management Systems, Inc. # This module is free software, and you may redistribute it and/or modify # it under the same terms as Python itself, so long as this copyright message # and disclaimer are retained in their original form. # Run SPF test cases in the YAML format specified by the SPF council. import unittest import socket import sys import spf import re try: import yaml except: print("yaml can be found at http://pyyaml.org/") print("Tested with PYYAML 3.04") raise zonedata = {} RE_IP4 = re.compile(r'\.'.join( [r'(?:\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])']*4)+'$') def DNSLookup(name,qtype,strict=True,timeout=None): try: #print name,qtype timeout = True # emulate pydns-2.3.0 label processing a = [] for label in name.split('.'): if label: if len(label) > 63: raise spf.TempError('DNS label too long') a.append(label) name = '.'.join(a) for i in zonedata[name.lower()]: if i == 'TIMEOUT': if timeout: raise spf.TempError('DNS timeout') return t,v = i if t == qtype: timeout = False if v == 'TIMEOUT': if t == qtype: raise spf.TempError('DNS timeout') continue # keep test zonedata human readable, but translate to simulate pydns if t == 'AAAA': v = bytes(socket.inet_pton(socket.AF_INET6,v)) elif t in ('TXT','SPF'): v = tuple([s.encode('utf-8') for s in v]) yield ((name,t),v) except KeyError: if name.startswith('error.'): raise spf.TempError('DNS timeout') spf.DNSLookup = DNSLookup class SPFTest(object): def __init__(self,testid,scenario,data={}): self.id = testid self.scenario = scenario self.explanation = None self.spec = None self.header = None self.strict = True self.receiver = None self.comment = [] if 'result' not in data: print(testid,'missing result') for k,v in list(data.items()): setattr(self,k,v) if type(self.comment) is str: self.comment = self.comment.splitlines() def getrdata(r): "Unpack rdata given as list of maps to list of tuples." txt = [] # generated TXT records gen = True for m in r: try: for i in list(m.items()): t,v = i if t == 'TXT': gen = False # no generated TXT records elif t == 'SPF' and gen: txt.append(('TXT',v)) if v != 'NONE': if t in ('TXT','SPF') and type(v) == str: yield (t,(v,)) else: yield i except: yield m if gen: for i in txt: yield i def loadZone(data): return dict([ (d.lower(), list(getrdata(r))) for d,r in list(data['zonedata'].items()) ]) class SPFScenario(object): def __init__(self,filename=None,data={}): self.id = None self.filename = filename self.comment = [] self.zonedata = {} self.tests = {} if data: self.zonedata= loadZone(data) #print self.zonedata for t,v in list(data['tests'].items()): self.tests[t] = SPFTest(t,self,v) if 'id' in data: self.id = data['id'] if 'comment' in data: self.comment = data['comment'].splitlines() def addDNS(self,name,val): self.zonedata.setdefault(name,[]).append(val) def addTest(self,test): self.tests[test.id] = test def loadYAML(fname): "Load testcases in YAML format. Return map of SPFTests by name." fp = open(fname,'rb') try: tests = {} for s in yaml.safe_load_all(fp): scenario = SPFScenario(fname,data=s) for k,v in list(scenario.tests.items()): tests[k] = v return tests finally: fp.close() oldresults = { 'unknown': 'permerror', 'error': 'temperror' } verbose = 0 class SPFTestCase(unittest.TestCase): def setUp(self): global zonedata self.savezonedata = zonedata def tearDown(self): global zonedata zonedata = self.savezonedata def runTest(self,tests): global zonedata passed,failed = 0,0 for t in tests: zonedata = t.scenario.zonedata q = spf.query(i=t.host, s=t.mailfrom, h=t.helo, strict=t.strict) q.set_default_explanation('DEFAULT') res,code,exp = q.check() if res in oldresults: res = oldresults[res] ok = True if res != t.result and res not in t.result: if verbose: print(t.result,'!=',res) ok = False elif res != t.result and res != t.result[0]: print("WARN: %s in %s, %s: %s preferred to %s" % ( t.id,t.scenario.filename,t.spec,t.result[0],res)) if t.explanation is not None and t.explanation != exp: if verbose: print(t.explanation,'!=',exp) ok = False if t.header: self.assertEqual(t.header,q.get_header(res,receiver=t.receiver)) if ok: passed += 1 else: failed += 1 print("%s in %s failed, %s" % (t.id,t.scenario.filename,t.spec)) if verbose and not t.explanation: print(exp) if verbose > 1: print(t.scenario.zonedata) if failed: print("%d passed" % passed,"%d failed" % failed) def testYAML(self): self.runTest(list(loadYAML('test.yml').values())) def testRFC(self): self.runTest(list(loadYAML('rfc4408-tests.yml').values())) def testInvalidSPF(self): i, s, h = '1.2.3.4','sender@domain','helo' q = spf.query(i=i, s=s, h=h, receiver='localhost', strict=False) res,code,txt = q.check('v=spf1...') self.assertEquals('none',res) q = spf.query(i=i, s=s, h=h, receiver='localhost', strict=2) res,code,txt = q.check('v=spf1...') self.assertEquals('ambiguous',res) def suite(): suite = unittest.makeSuite(SPFTestCase,'test') import doctest suite.addTest(doctest.DocTestSuite(spf)) return suite if __name__ == '__main__': tc = None for i in sys.argv[1:]: if i == '-v': verbose += 1 continue if not tc: tc = SPFTestCase() t = loadYAML('rfc4408-tests.yml') if i not in t: t = loadYAML('test.yml') tc.runTest([t[i]]) if not tc: fp = open('doctest.yml','rb') try: zonedata = loadZone(next(yaml.safe_load_all(fp))) finally: fp.close() #print(zonedata) suite = suite() unittest.TextTestRunner().run(suite) pyspf-2.0.8/test/doctest.yml0000644000160600001450000000056111551667132014724 0ustar stuartbms# Zonedata for doctests zonedata: example.net: - A: 192.0.32.10 _exp.controlledmail.com: - TXT: Controlledmail.com does not send mail from itself. _spf.controlledmail.com: - TXT: v=spf1 ip4:72.81.252.18 ip4:72.81.252.19 ip4:208.43.65.50 ip6:2607:f0d0:3001:00aa:0000:0000:0000:0002 -all controlledmail.com: - TXT: v=spf1 redirect=_spf.controlledmail.com pyspf-2.0.8/test/test.yml0000644000160600001450000001215612124153541014230 0ustar stuartbms# This is the test suite used during development of the pyspf library. # It is a collection of ad hoc tests based on bug reports. It is the # goal of the SPF test project to have an elegant and minimal test suite # that reflects RFC 4408. However, this should help get things started # by serving as a example of what tests look like. Also, any implementation # that flunks this, should flunk the minimal elegant suite as well. # # We extended the test attributes with 'receiver' and 'header' to test # our implementation of the Received-SPF header. This cannot easily # be part of the RFC test suite because of wide latitude in formatting. # --- comment: | check basic exists with macros tests: exists-pass: helo: mail.example.net host: 1.2.3.5 mailfrom: lyme.eater@example.co.uk result: pass receiver: receiver.com header: >- Pass (receiver.com: domain of example.co.uk designates 1.2.3.5 as permitted sender) client-ip=1.2.3.5; envelope-from="lyme.eater@example.co.uk"; helo=mail.example.net; receiver=receiver.com; mechanism="exists:%{l}.%{d}.%{i}.spf.example.net"; identity=mailfrom exists-fail: helo: mail.example.net host: 1.2.3.4 mailfrom: lyme.eater@example.co.uk result: fail zonedata: lyme.eater.example.co.uk.1.2.3.5.spf.example.net: - A: 127.0.0.1 example.co.uk: - SPF: v=spf1 mx/26 exists:%{l}.%{d}.%{i}.spf.example.net -all --- comment: | permerror detection tests: incloop: comment: | include loop helo: mail.example.com host: 66.150.186.79 mailfrom: chuckvsr@examplea.com result: permerror badall: helo: mail.example.com host: 66.150.186.79 mailfrom: chuckvsr@examplec.com result: permerror baddomain: helo: mail.example.com host: 66.150.186.79 mailfrom: chuckvsr@exampled.com result: permerror receiver: receiver.com header: >- PermError (receiver.com: permanent error in processing domain of exampled.com: Invalid domain found (use FQDN)) client-ip=66.150.186.79; envelope-from="chuckvsr@exampled.com"; helo=mail.example.com; receiver=receiver.com; problem="examplea.com:8080"; identity=mailfrom tworecs: helo: mail.example.com host: 66.150.186.79 mailfrom: chuckvsr@examplef.com result: permerror receiver: receiver.com header: >- PermError (receiver.com: permanent error in processing domain of examplef.com: Two or more type TXT spf records found.) client-ip=66.150.186.79; envelope-from="chuckvsr@examplef.com"; helo=mail.example.com; receiver=receiver.com; identity=mailfrom badip: helo: mail.example.com host: 66.150.186.79 mailfrom: chuckvsr@examplee.com result: permerror zonedata: examplea.com: - SPF: v=spf1 a mx include:b.com exampleb.com: - SPF: v=spf1 a mx include:a.com examplec.com: - SPF: v=spf1 -all:foobar exampled.com: - SPF: v=spf1 a:examplea.com:8080 examplee.com: - SPF: v=spf1 ip4:1.2.3.4:8080 examplef.com: - SPF: v=spf1 -all - SPF: v=spf1 +all --- tests: nospace1: comment: | test no space test multi-line comment helo: mail.example1.com host: 1.2.3.4 mailfrom: foo@example2.com result: none empty: comment: | test empty helo: mail1.example1.com host: 1.2.3.4 mailfrom: foo@example1.com result: neutral nospace2: helo: mail.example1.com host: 1.2.3.4 mailfrom: foo@example3.com result: pass zonedata: example3.com: - SPF: [ 'v=spf1','mx' ] - SPF: [ 'v=spf1 ', 'mx' ] - MX: [0, mail.example1.com] example1.com: - SPF: v=spf1 example2.com: - SPF: v=spf1mx mail.example1.com: - A: 1.2.3.4 --- comment: | corner cases tests: emptyMX: comment: | test empty MX helo: mail.example.com host: 1.2.3.4 mailfrom: "" result: neutral localhost: helo: mail.example.com host: 127.0.0.1 mailfrom: root@example.com result: fail default-modifier: comment: | default modifier implemented in lax mode for compatibility helo: mail.example.com host: 1.2.3.4 mailfrom: root@e1.example.com result: fail strict: 0 default-modifier-harsh: comment: | default modifier implemented in lax mode for compatibility helo: mail.example.com host: 1.2.3.4 mailfrom: root@e1.example.com result: ambiguous strict: 2 cname-chain: comment: | pyspf was duplicating TXT (and other) records while following CNAME helo: mail.example.com host: 1.2.3.4 mailfrom: foo@e2.example.com result: pass null-cname: comment: | pyspf was getting a type error for null CNAMEs helo: mail.example.com host: 1.2.3.4 mailfrom: bar@e3.example.com result: [fail, permerror] zonedata: mail.example.com: - MX: [0, ''] - SPF: v=spf1 mx example.com: - SPF: v=spf1 -all e1.example.com: - SPF: v=spf1 default=- e2.example.com: - CNAME: c1.example.com. c1.example.com: - CNAME: c2.example.com. c2.example.com: - SPF: v=spf1 a a:c1.example.com -all - A: 1.2.3.4 mx1.example.com: - CNAME: '' e3.example.com: - SPF: v=spf1 a:mx1.example.com mx:mx1.example.com -all pyspf-2.0.8/test/rfc4408-tests.LICENSE0000644000160600001450000000274310772465202015774 0ustar stuartbmsThe RFC 4408 test-suite (rfc4408-tests.yml) is (C) 2006-2007 Stuart D Gathman 2007 Julian Mehnle All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. The names of the authors may not be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE AUTHORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. pyspf-2.0.8/PKG-INFO0000644000160600001450000000172112174115617012647 0ustar stuartbmsMetadata-Version: 1.0 Name: pyspf Version: 2.0.8 Summary: SPF (Sender Policy Framework) implemented in Python. Home-page: http://pymilter.sourceforge.net/ Author: Stuart D. Gathman Author-email: stuart@bmsi.com License: Python Software Foundation License Description: UNKNOWN Keywords: spf,email,forgery Platform: UNKNOWN Classifier: Development Status :: 5 - Production/Stable Classifier: Environment :: No Input/Output (Daemon) Classifier: Intended Audience :: Developers Classifier: License :: OSI Approved :: Python Software Foundation License Classifier: Natural Language :: English Classifier: Operating System :: OS Independent Classifier: Programming Language :: Python Classifier: Programming Language :: Python :: 3 Classifier: Topic :: Communications :: Email :: Mail Transport Agents Classifier: Topic :: Communications :: Email :: Filters Classifier: Topic :: Internet :: Name Service (DNS) Classifier: Topic :: Software Development :: Libraries :: Python Modules pyspf-2.0.8/python-pyspf.spec0000644000160600001450000001122212174112153015073 0ustar stuartbms%{!?python_sitelib: %define python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")} Name: python-pyspf Version: 2.0.8 Release: 2%{?dist} Summary: Python module and programs for SPF (Sender Policy Framework). Group: Development/Languages License: Python Software Foundation License URL: http://sourceforge.net/forum/forum.php?forum_id=596908 Source0: pyspf-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildArch: noarch BuildRequires: python-setuptools python-devel Requires: python-pydns python >= 2.6 python-authres python-ipaddr >= 2.1.10 # Provide pyspf *only* if not using pyspf package for non-default python Provides: pyspf %description SPF does email sender validation. For more information about SPF, please see http://openspf.net This SPF client is intended to be installed on the border MTA, checking if incoming SMTP clients are permitted to send mail. The SPF check should be done during the MAIL FROM:<...> command. %define namewithoutpythonprefix %(echo %{name} | sed 's/^python-//') %prep %setup -q -n %{namewithoutpythonprefix}-%{version} %build %{__python} setup.py build %install rm -rf $RPM_BUILD_ROOT %{__python} setup.py install -O1 --skip-build --root $RPM_BUILD_ROOT mv $RPM_BUILD_ROOT/usr/bin/type99.py $RPM_BUILD_ROOT/usr/bin/type99 mv $RPM_BUILD_ROOT/usr/bin/spfquery.py $RPM_BUILD_ROOT/usr/bin/spfquery rm -f $RPM_BUILD_ROOT/usr/bin/*.py{o,c} %clean rm -rf $RPM_BUILD_ROOT %files %defattr(-,root,root,-) %doc CHANGELOG PKG-INFO README test %{python_sitelib}/spf.py* /usr/bin/type99 /usr/bin/spfquery /usr/lib/python2.7/site-packages/pyspf-%{version}-py2.7.egg-info %changelog * Tue Jul 23 2013 Stuart Gathman 2.0.8-2 - Test case and fix for PermError on non-ascii chars in non-SPF TXT records - Use ipaddr/ipaddress module in place of custom IP processing code - Numerous python3 compatibility fixes - Improved unicode error detection in SPF records - Fixed a bug caused by a null CNAME in cache * Fri Feb 03 2012 Stuart Gathman 2.0.7-1 - fix CNAME chain duplicating TXT records - local test cases for CNAME chains - python3 compatibility changes e.g. print a -> print(a) - check for 7-bit ascii on TXT and SPF records - Use openspf.net for SPF web site instead of openspf.org - Support Authentication-Results header field - Support overall DNS timeout * Thu Oct 27 2011 Stuart Gathman 2.0.6-1 - Python3 port (still requires 2to3 on spf.py) - Ensure Temperror for all DNS rcodes other than 0 and 3 per RFC 4408 - Parse Received-SPF header - Report CIDR error only for valid mechanism - Handle invalid SPF record on command line - Add timeout to check2 - Check for non-ascii policy - parse_header method - python2.6 * Wed Apr 02 2008 Stuart Gathman 2.0.5-1 - Add timeout parameter to query ctor and DNSLookup - Patch from Scott Kitterman to retry truncated results with TCP unless harsh - Validate DNS labels - Reflect decision on empty-exp errata * Wed Jul 25 2007 Stuart Gathman 2.0.4-1 - Correct unofficial 'best guess' processing. - PTR validation processing cleanup - Improved detection of exp= errors - Keyword args for get_header, minor fixes * Mon Jan 15 2007 Stuart Gathman 2.0.3-1 - pyspf requires pydns, python-pyspf requires python-pydns - Record matching mechanism and add to Received-SPF header. - Test for RFC4408 6.2/4, and fix spf.py to comply. - Test for type SPF (type 99) by default in harsh mode only. - Permerror for more than one exp or redirect modifier. - Parse op= modifier * Sat Dec 30 2006 Stuart Gathman 2.0.2-1 - Update openspf URLs - Update Readme to better describe available pyspf interfaces - Add basic description of type99.py and spfquery.py scripts - Add usage instructions for type99.py DNS RR type conversion script - Add spfquery.py usage instructions - Incorporate downstream feedback from Debian packager - Fix key-value quoting in get_header * Fri Dec 08 2006 Stuart Gathman 2.0.1-1 - Prevent cache poisoning attack - Prevent malformed RR attack - Update license on a few files we missed last time * Mon Nov 20 2006 Stuart Gathman 2.0-1 - Completed RFC 4408 compliance - Added spf.check2 for RFC 4408 compatible result codes - Full IP6 support - Fedora Core compatible RPM spec file - Update README, licenses * Tue Sep 26 2006 Stuart Gathman 1.8-1 - YAML test suite syntax - trailing dot support (RFC4408 8.1) * Tue Aug 29 2006 Sean Reifschneider 1.7-1 - Initial RPM spec file. pyspf-2.0.8/README0000644000160600001450000001713512150236627012437 0ustar stuartbmsSPF Sender-Policy-Framework queries in Python. Quick Start =========== Installation ------------ This package requires PyDNS (or Py3DNS for running with Python 3) and either the ipaddr or python3.3 and later. PyDNS is available at http://pydns.sourceforge.net. Binary and source RPMs for PyDNS are also available from http://pymilter.sourceforge.net. Py3DNS is available on pypi and at https://launchpad.net/py3dns. The ipaddr module is available from http://code.google.com/p/ipaddr-py or as part of the Python standard library starting with python3.3 (as ipaddress). This package requires authres from either pypi or http://launchpad.net/authentication-results-python to process and generate RFC 5451 Authentication Results headers. After unpacking the source distribution, install this in your site- specific Python extension directory:: % python setup.py build % su # python setup.py install The minimum Python version required is python2.6. The spf module in this version has been tested with python3.2 and does not require using 2to3. It will work with all versions of pydns or py3dns. It works either with the stand alone ipaddr module or the standard library ipaddress module. Testing ------- After this package is installed, cd into the test directory and execute testspf.py:: % cd test % python testspf.py WARN: invalid-domain-long in rfc4408-tests.yml, 8.1/2, 5/10: fail preferred to temperror WARN: txttimeout in rfc4408-tests.yml, 4.4/1: fail preferred to temperror WARN: spfoverride in rfc4408-tests.yml, 4.5/5: pass preferred to fail WARN: multitxt1 in rfc4408-tests.yml, 4.5/5: pass preferred to permerror WARN: multispf2 in rfc4408-tests.yml, 4.5/6: permerror preferred to pass .. ---------------------------------------------------------------------- Ran 2 tests in 3.036s OK This runs the SPF council test-suite as of when this package was built. It does not test the pyDNS installation, but uses an internal driver. This avoids changing results due to DNS timeouts. In addition, spf.py runs an internal self-test every time it is used from the command line. If you're running on Mac OS X, and it looks like DNS.DiscoverNameServers() is failing, you'll need to edit your /etc/resolv.conf and specify a domain name. For some reason, OS X writes out resolv.conf with a single 'domain' line, which isn't good at all. Later versions of py3dns have been updated to better support Max OS X. Description =========== SPF does email sender validation. For more information about SPF, please see http://www.openspf.net/ One incompatible change was introduced in version 1.7. Prior to version 1.7, connections from a local IP address (127...) would always return a Pass result. The special case was eliminated. Programs calling pySPF should not do SPF checks on locally submitted mail. This SPF client is intended to be installed on the border MTA, checking if incoming SMTP clients are permitted to forward mail. The SPF check should be done during the MAIL FROM:<...> command. There are two ways to use this package. The first is from the command line:: % python spf.py {ip-addr} {mail-from} {helo} For instance, during an SMTP exchange from client 69.55.226.139:: S: 220 mail.example.com ESMTP Postfix C: EHLO mx1.wayforward.net S: 250-mail.example.com S: ... S: 250 8BITMIME C: MAIL FROM: Then the following command line would check if this is a valid sender: % ./spf.py 69.55.226.139 terry@wayforward.net mx1.wayforward.net ('pass', 250, 'sender SPF authorized') Command line calls return RFC 4408 result codes, i.e. 'pass', 'fail', 'neutral', 'softfail, 'permerror', or 'temperror'. The second way is via the module's APIs. The legacy (pySPF 1.6) API: >>> import spf >>> spf.check(i='69.55.226.139', ... s='terry@wayforward.net', ... h='mx1.wayforward.net') ('pass', 250, 'sender SPF authorized') The first element in the tuple is one of 'pass', 'fail', 'netural', 'softfail', 'unknown', or 'error'. The second is the SMTP response status code: 550 for 'fail', 450 for 'error' and 250 for all else. The third is an explanation. Note: SPF results alone are never sufficient to decide that a message should be accepted. Accept, reject, or defer decisions are a function of local reciever policy. The RFC 4408 compliant API: >>> import spf >>> spf.check2(i='69.55.226.139', ... s='terry@wayforward.net', ... h='mx1.wayforward.net') ('pass', 'sender SPF verified') The first element in the tuple is one of 'pass', 'fail', 'neutral', 'softfail, 'permerror', or 'temperror'. The second is an explanation. This package also provides two additional helper scripts; type99.py and spfquery.py. The type99.py script will convert DNS TXT strings to a binary equivalent suitable for use in a BIND zone file. The spfquery.py script is a Python reimplementination of Wayne Schlitt's spfquery command line tool. The type99.py script is called from the command line as follows: python type99.py "v=spf1 -all" {Note: Use your desired SPF record instead.} \# 12 0b763d73706631202d616c6c {This is the correct result for "v=spf1 -all"} or python type99 - {File name} The input file format is a standard BIND Zone file. The type99 script will add a Type99 record for each TXT record found in the file. The spfquery.py script is called with a number of possible options. Options can either use standard '-' prefix or be PERL style long options, '--'. Supported options are: "--file" or "-file" {filename}: Read the query (or queries) from the designated file. If {filename} is '0', then query inputs are read from STDIN. "--ip" or "-ip" {address}: Client IP address to use for SPF check. "--sender" or "-sender" {Mail From address}: Envelope sender from which mail was received. "--helo" or "-helo" {client hostname}: HELO/EHLO name used by SMTP client. "--local" or "-local" {local policy SPF string}: Additional SPF mechanisms to be checked on the basis of local policy. Note that local policy matches are not strictly SPF results. Local policy processing is not defined in RFC 4408. Result may vary among SPF implementations. "--rcpt-to" or "rcpt-to" {rcpt-to address - if available}: Receipt to address is not used for actual SPF processing, but if available it can be useful for logging, spf-received header construction, and providing useful rejection messages when messages are rejected due to SPF. --default-explanation" or "-default-explanation" {explanation string}: Default Fail explanation string to be used. "--sanitize" or "-sanitize" and "--debug" or "-debug": These options are no-op in the Python implementation, but are valid inputs to provide compatibliity with input files developed to work with the original PERL and C spfquery implementations. Overall per SPF check time limits can be controlled by passing querytime to the spf.check2 function or when initializing a spf.query object. It is disabled by default. If querytime is set to 0 (default), then the overall time limit is disabled and the per DNS lookup limit is used instead. This defaults to 30 seconds and can be controlled via spf.MAX_PER_LOOKUP_TIME. This is the long standing pyspf default. RFC 4408 says that the overall limit MAY be used and recommends no less than 20 seconds if it is. License: Python Software Foundation License Author: Terence Way terry@wayforward.net http://www.wayforward.net/spf/ Maintainers: Stuart Gathman stuart@bmsi.com Scott Kitterman scott@kitterman.com http://cheeseshop.python.org/pypi/pyspf Currently part of the pymilter project: http://pymilter.sourceforge.net pyspf-2.0.8/spfquery.py0000755000160600001450000001113011652161035013773 0ustar stuartbms#!/usr/bin/python # Author: Stuart D. Gathman # Copyright 2004 Business Management Systems, Inc. # This module is free software, and you may redistribute it and/or modify # it under the same terms as Python itself, so long as this copyright message # and disclaimer are retained in their original form. # Emulate the spfquery command line tool used by Wayne Schlitt's SPF test suite # $Log: spfquery.py,v $ # Revision 1.4.2.4 2011/10/27 04:46:21 kitterma # Fix spfquery commit message. # # Revision 1.4.2.3 2011/10/27 04:44:58 kitterma # Update spfquery.py to work with 2.6, 2.7, and 3.2: # - raise ... as ... # - print() # # Revision 1.4.2.2 2008/03/26 14:34:35 kitterma # Change shebangs to #!/usr/bin/python throughout. # # Revision 1.4.2.1 2006/12/23 05:31:22 kitterma # Minor updates for packaging lessons learned from Ubuntu # # Revision 1.4 2006/11/20 18:39:41 customdesigned # Change license on spfquery.py. Update README. Move tests to test directory. # # Revision 1.3 2005/07/22 02:11:57 customdesigned # Use dictionary to check for CNAME loops. Check limit independently for # each top level name, just like for PTR. # # Revision 1.2 2005/07/14 04:18:01 customdesigned # Bring explanations and Received-SPF header into line with # the unknown=PermErr and error=TempErr convention. # Hope my case-sensitive mech fix doesn't clash with Scotts. # # Revision 1.1.1.1 2005/06/20 19:57:32 customdesigned # Move Python SPF to its own module. # # Revision 1.2 2005/06/02 04:18:55 customdesigned # Update copyright notices after reading article on /. # # Revision 1.1.1.1 2005/05/31 18:07:19 customdesigned # Release 0.6.9 # # Revision 2.3 2004/04/19 22:12:11 stuart # Release 0.6.9 # # Revision 2.2 2004/04/18 03:29:35 stuart # Pass most tests except -local and -rcpt-to # # Revision 2.1 2004/04/08 18:41:15 stuart # Reject numeric hello names # # Driver for SPF test system import spf import sys from optparse import OptionParser class PerlOptionParser(OptionParser): def _process_args (self, largs, rargs, values): """_process_args(largs : [string], rargs : [string], values : Values) Process command-line arguments and populate 'values', consuming options and arguments from 'rargs'. If 'allow_interspersed_args' is false, stop at the first non-option argument. If true, accumulate any interspersed non-option arguments in 'largs'. """ while rargs: arg = rargs[0] # We handle bare "--" explicitly, and bare "-" is handled by the # standard arg handler since the short arg case ensures that the # len of the opt string is greater than 1. if arg == "--": del rargs[0] return elif arg[0:2] == "--": # process a single long option (possibly with value(s)) self._process_long_opt(rargs, values) elif arg[:1] == "-" and len(arg) > 1: # process a single perl style long option rargs[0] = '-' + arg self._process_long_opt(rargs, values) elif self.allow_interspersed_args: largs.append(arg) del rargs[0] else: return def format(q): res,code,txt = q.check() print(res) if res in ('pass','neutral','unknown'): print() else: print(txt) print('spfquery:',q.get_header_comment(res)) print('Received-SPF:',q.get_header(res,'spfquery')) def main(argv): parser = PerlOptionParser() parser.add_option("--file",dest="file") parser.add_option("--ip",dest="ip") parser.add_option("--sender",dest="sender") parser.add_option("--helo",dest="hello_name") parser.add_option("--local",dest="local_policy") parser.add_option("--rcpt-to",dest="rcpt") parser.add_option("--default-explanation",dest="explanation") parser.add_option("--sanitize",type="int",dest="sanitize") parser.add_option("--debug",type="int",dest="debug") opts,args = parser.parse_args(argv) if opts.ip: q = spf.query(opts.ip,opts.sender,opts.hello_name,local=opts.local_policy) if opts.explanation: q.set_default_explanation(opts.explanation) format(q) if opts.file: if opts.file == '0': fp = sys.stdin else: fp = open(opts.file,'r') for ln in fp: ip,sender,helo,rcpt = ln.split(None,3) q = spf.query(ip,sender,helo,local=opts.local_policy) if opts.explanation: q.set_default_explanation(opts.explanation) format(q) fp.close() if __name__ == "__main__": import sys main(sys.argv[1:]) pyspf-2.0.8/CHANGELOG0000644000160600001450000001322412150253624012760 0ustar stuartbmsVersion 2.0.8 - May 25, 2013 * Use ipaddr/ipaddres module in place of custom IP processing code * Numerous python3 compatibility fixes * Improved unicode error detection in SPF records * Fixed a bug caused by a null CNAME in cache Version 2.0.7 - January 19, 2012 * Allow for timeouts to be global for all DNS lookups instead of per DNS lookup to allow for MAY processing time limitsin RFC 4408 10.1. See README for details. * Use openspf.net for SPF web site instead of openspf.org * Extend query.get_header to return either Received-SPF (still default) or RFC 5451 Authentication Results headers (needs authres 0.3 or later) * Rework query.parse_header: - Make query.parse_header automatically select Received-DPF or Authentication Results header types and use them to collect SPF results from trusted relays - Add query.parse_header_spf and query.parse_header_ar functions for header type specific processing * Finish Python3 port - works with python2.6/2.7/3.2 and 2to3 is no longer required - will also work with newer py3dns where TXT records are returned as type bytes and not strings * Accounts for new py3dns error classes coming in py3dns 3.0.2 (but fully backward compatible with earlier versions) * check for 7-bit ascii on TXT and SPF records * fix CNAME chain duplicating TXT records Version 2.0.6 - October 27, 2011 * Refactor code so that 2to3 will provide a working python3 module - Now requires at least python2.6 * Update spfquery.py, type99.py, and testspf.py to work with either python or python3 (2to3 not needed for these scripts) - SPF test suite can now be run from either python or python3 * Ensure Temperror for all DNS rcodes other than 0 and 3 per RFC 4408 * Parse Received-SPF header * Report CIDR error only for valid mechanism * Handle invalid SPF record on command line * Add timeout to check2 Version 2.0.5 - July 29, 2008 * Add TCP fallback if DNS UDP reply is truncated - Fixes inconsistent results from trying to use partial UDP replies * Correct Received-SPF formatting * Minor updates to reflect RFC 4408 errata * Added License file for RFC 4408 test suite * Update RFC 4408 test suite from svn * Fix Type99 conversion script to work with multi-string TXT records * Timeout parameter Version 2.0.4 - January 24, 2007 * Correct unofficial 'best guess' processing. * PTR validation processing cleanup * Improved detection of exp= errors * Keyword parameters on get_header() Version 2.0.3 - January 15, 2007 * IPv6 compatibility test fix to support Python 2.2 * Change DNS queries to only check Type SPF in Harsh mode * pyspf requires pydns, python-pyspf requires python-pydns * Record matching mechanism and add to Received-SPF header. * Test for RFC4408 6.2/4, and fix spf.py to comply. * Permerror for more than one exp or redirect modifier. * Parse op= modifier Version 2.0.2 - January 4, 2007 * Update openspf URLs * Update Readme to better describe available pyspf interfaces * Add basic description of type99.py and spfquery.py scripts * Add usage instructions for type99.py DNS RR type conversion script * Add spfquery.py usage instructions * Incorporate downstream feedback from Debian packager * Fix key-value quoting in get_header Version 2.0.1 - December 08, 2006 * Prevent cache poisoning attack * Prevent malformed RR attack * Update license on a few files we missed last time Version 2.0 - November 20, 2006 * Completed RFC 4408 compliance * Added spf.check2 for RFC 4408 compatible result codes * Full IP6 support * Fedora Core compatible RPM spec file * Update README, licenses Version 1.8 - July 26, 2006 * YAML test suite syntax * trailing dot support (RFC4408 8.1) Version 1.7 - July 21, 2005 * Strict processing limits per newly official SPF RFC * Fixed several parsing bugs under RFC * Support official IANA SPF record (type99) * Extended SPF processing results beyond strict RFC limits * Validate spf.py against test suite, and add Received-SPF support to spf.py * Support best_guess for SPF * Support SPF delegation Version 1.6 - December 18, 2003 * Arik Baratz pointed out endian problems using socket.inet_ntoa() and socket.inet_aton(). Use struct.pack("!L", struct.unpack("!L") to fix. Version 1.5 - December 17, 2003 * Replace DNS.addr2bin() and DNS.bin2addr() with socket.inet_ntoa() and socket.inet_aton(). New code supports n, n.n, and n.n.n formats for IPv4 addresses, and gets rid of annoying Python 2.4 future warnings Version 1.4 - December 16, 2003 * Greg Connor discovered that SPF queries to altavista.com were broken. This was testing to see if a mechanism needs to be macro expanded _before_ leading ? + - characters were removed. * Fixed include handling to be a real mechanism: -include must work. Version 1.3.1 - December 14, 2003 * Forgot to include new test file in distribution. * Forgot CHANGELOG in distribution. Version 1.3 - December 13, 2003 * Add %{o} (original sender domain) macro * The ./spf.py {spf} {ipaddr} {sender} {helo} command line didn't print out the results. Oops. * Support default= so Meng's test #6 'v=spf1 default=deny' works * Any IP address '127.*.*.*' automatically pass, so all Meng's tests work * Follow DNS CNAMES * Cache DNS results, including additional info, reducing DNS query load * Support Python 2.2 (doesn't have bool, True, False: those are added in Python 2.2.1) Version 1.2 - December 11, 2003 * Added exp= (explanation) and redirect= modifiers * Added macros Version 1.1 - December 9, 2003 * Meng Weng Wong added PTR code, THANK YOU Version 1.0 - December 9, 2003 * Initial Version pyspf-2.0.8/setup.py0000755000160600001450000000235112150253624013262 0ustar stuartbms#!/usr/bin/python from distutils.core import setup import sys DESC = """SPF (Sender Policy Framework) implemented in Python.""" setup(name='pyspf', version='2.0.8', description=DESC, author='Terence Way', author_email='terry@wayforward.net', maintainer="Stuart D. Gathman", maintainer_email="stuart@bmsi.com", url='http://pymilter.sourceforge.net/', license='Python Software Foundation License', py_modules=['spf'], keywords = ['spf','email','forgery'], scripts = ['type99.py','spfquery.py'], classifiers = [ 'Development Status :: 5 - Production/Stable', 'Environment :: No Input/Output (Daemon)', 'Intended Audience :: Developers', 'License :: OSI Approved :: Python Software Foundation License', 'Natural Language :: English', 'Operating System :: OS Independent', 'Programming Language :: Python', 'Programming Language :: Python :: 3', 'Topic :: Communications :: Email :: Mail Transport Agents', 'Topic :: Communications :: Email :: Filters', 'Topic :: Internet :: Name Service (DNS)', 'Topic :: Software Development :: Libraries :: Python Modules' ] ) if sys.version_info < (2, 6): raise Exception("pyspf 2.0.6 and later requires at least python2.6.") pyspf-2.0.8/spf.py0000755000160600001450000023060112174112153012710 0ustar stuartbms#!/usr/bin/python """SPF (Sender Policy Framework) implementation. Copyright (c) 2003 Terence Way Portions Copyright(c) 2004,2005,2006,2007,2008,2011,2012 Stuart Gathman Portions Copyright(c) 2005,2006,2007,2008,2011,2012,2013 Scott Kitterman Portions Copyright(c) 2013 Stuart Gathman This module is free software, and you may redistribute it and/or modify it under the same terms as Python itself, so long as this copyright message and disclaimer are retained in their original form. IN NO EVENT SHALL THE AUTHOR BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS CODE, EVEN IF THE AUTHOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. THE AUTHOR SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE CODE PROVIDED HEREUNDER IS ON AN "AS IS" BASIS, AND THERE IS NO OBLIGATION WHATSOEVER TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. For more information about SPF, a tool against email forgery, see http://www.openspf.net/ For news, bugfixes, etc. visit the home page for this implementation at http://cheeseshop.python.org/pypi/pyspf/ http://sourceforge.net/projects/pymilter/ http://www.wayforward.net/spf/ """ # CVS Commits since last release (2.0.7): # $Log: spf.py,v $ # Revision 1.108.2.109 2013/07/25 01:51:24 customdesigned # Forgot to convert to bytes in py3dns-3.0.2 workaround. # # Revision 1.108.2.108 2013/07/25 01:29:07 customdesigned # The Final and Ultimate Solution to the String Problem for TXT records. # # Revision 1.108.2.107 2013/07/23 18:37:17 customdesigned # Removed decode from dns_txt again, as it breaks python3, both with py3dns and test framework. # Need to identify exact situation in which it is needed to put it back. # # Revision 1.108.2.106 2013/07/23 06:32:58 kitterma # Post fix cleanup. # # Revision 1.108.2.105 2013/07/23 06:30:13 kitterma # Fix compatibility with py3dns versions that return type bytes. # # Revision 1.108.2.104 2013/07/23 06:20:18 kitterma # Consolidate code related to UnicodeDecodeError and UnicodeEncodeError into UnicodeError. # # Revision 1.108.2.103 2013/07/23 06:07:24 customdesigned # Test case and fix for allowing non-ascii in non-spf TXT records. # # Revision 1.108.2.102 2013/07/23 05:22:54 customdesigned # Check for non-ascii on explanation. # # Revision 1.108.2.101 2013/07/23 04:51:59 customdesigned # Functional alias for __email__ # # Revision 1.108.2.100 2013/07/23 04:07:38 customdesigned # Sort unofficial keywords for consistent ordering. # # Revision 1.108.2.99 2013/07/23 02:40:54 customdesigned # Update __email__ and __author__ # # Revision 1.108.2.98 2013/07/23 02:35:33 customdesigned # Release 2.0.8 # # Revision 1.108.2.97 2013/07/23 02:04:59 customdesigned # Release 2.0.8 # # Revision 1.108.2.96 2013/07/22 22:59:58 kitterma # Give another header test it's own variable names. # # Revision 1.108.2.95 2013/07/22 19:29:22 kitterma # Fix dns_txt to work if DNS data is not pure bytes for python3 compatibility. # # Revision 1.108.2.94 2013/07/22 02:44:39 kitterma # Add tests for cirdmatch. # # Revision 1.108.2.93 2013/07/21 23:56:51 kitterma # Fix cidrmatch to work with both ipaddr and the python3.3 ipadrress versions of the module. # # Revision 1.108.2.91 2013/07/03 23:38:39 customdesigned # Removed two more unused functions. # # Revision 1.108.2.90 2013/07/03 22:58:26 customdesigned # Clean up use of ipaddress module. make %{i} upper case to match test suite # (test suite is incorrect requiring uppercase, but one thing at a time). # Remove no longer used inet_pton substitute. But what if someone was using it? # # Revision 1.108.2.89 2013/05/26 03:32:19 kitterma # Syntax fix to maintain python2.6 compatibility. # # Revision 1.108.2.88 2013/05/26 00:30:12 kitterma # Bump versions to 2.0.8 and add CHANGELOG entries. # # Revision 1.108.2.87 2013/05/26 00:23:52 kitterma # Move old (pre-2.0.7) spf.py commit messages to pyspf_changelog.txt. # # Revision 1.108.2.86 2013/05/25 22:39:19 kitterma # Use ipaddr/ipaddress instead of custome code. # # Revision 1.108.2.85 2013/05/25 00:06:03 kitterma # Fix return type detection for bytes/string for python3 compatibility in dns_txt. # # Revision 1.108.2.84 2013/04/20 20:49:13 customdesigned # Some dual-cidr doc tests # # Revision 1.108.2.83 2013/03/25 22:51:37 customdesigned # Replace dns_99 method with dns_txt(type='SPF') # Fix null CNAME in cache bug. # # Revision 1.108.2.82 2013/03/14 21:13:06 customdesigned # Fix Non-ascii exception description. # # Revision 1.108.2.81 2013/03/14 21:03:25 customdesigned # Fix dns_txt and dns_spf - should hopefully still be correct for python3. # # Revision 1.108.2.80 2012/06/14 20:09:56 kitterma # Use the correct exception type to capture unicode in SPF records. # # Revision 1.108.2.79 2012/03/10 00:19:44 kitterma # Add fixes for py3dns DNS return as type bytes - not complete. # # Revision 1.108.2.77 2012/02/09 22:13:42 kitterma # Fix stray character in last commit. # Start fixing python3 bytes issue - Now works, but fails the non-ASCII exp test. # # Revision 1.108.2.76 2012/02/05 05:50:39 kitterma # Fix a few stray print -> print() changes for python3 compatbility. # # See pyspf_changelog.txt for earlier CVS commits. __author__ = "Terence Way, Stuart Gathman, Scott Kitterman" __email__ = "pyspf@openspf.org" __version__ = "2.0.8: Jul 22, 2013" MODULE = 'spf' USAGE = """To check an incoming mail request: % python spf.py [-v] {ip} {sender} {helo} % python spf.py 69.55.226.139 tway@optsw.com mx1.wayforward.net To test an SPF record: % python spf.py [-v] "v=spf1..." {ip} {sender} {helo} % python spf.py "v=spf1 +mx +ip4:10.0.0.1 -all" 10.0.0.1 tway@foo.com a To fetch an SPF record: % python spf.py {domain} % python spf.py wayforward.net To test this script (and to output this usage message): % python spf.py """ import re import sys import socket # for inet_ntoa() and inet_aton() import struct # for pack() and unpack() import time # for time() try: import urllib.parse as urllibparse # for quote() except: import urllib as urllibparse import sys # for version_info() from functools import reduce try: from email.message import Message except ImportError: from email.Message import Message try: # Python standard libarary as of python3.3 import ipaddress except ImportError: try: import ipaddr as ipaddress except ImportError: print('ipaddr module required: http://code.google.com/p/ipaddr-py/') import DNS # http://pydns.sourceforge.net if not hasattr(DNS.Type, 'SPF'): # patch in type99 support DNS.Type.SPF = 99 DNS.Type.typemap[99] = 'SPF' DNS.Lib.RRunpacker.getSPFdata = DNS.Lib.RRunpacker.getTXTdata def DNSLookup(name, qtype, strict=True, timeout=30): try: req = DNS.DnsRequest(name, qtype=qtype, timeout=timeout) resp = req.req() #resp.show() # key k: ('wayforward.net', 'A'), value v # FIXME: pydns returns AAAA RR as 16 byte binary string, but # A RR as dotted quad. For consistency, this driver should # return both as binary string. # if resp.header['tc'] == True: if strict > 1: raise AmbiguityWarning('DNS: Truncated UDP Reply, SPF records should fit in a UDP packet, retrying TCP') try: req = DNS.DnsRequest(name, qtype=qtype, protocol='tcp', timeout=(timeout)) resp = req.req() except DNS.DNSError as x: raise TempError('DNS: TCP Fallback error: ' + str(x)) if resp.header['rcode'] != 0 and resp.header['rcode'] != 3: raise IOError('Error: ' + resp.header['status'] + ' RCODE: ' + str(resp.header['rcode'])) return [((a['name'], a['typename']), a['data']) for a in resp.answers] \ + [((a['name'], a['typename']), a['data']) for a in resp.additional] except IOError as x: raise TempError('DNS ' + str(x)) except DNS.DNSError as x: raise TempError('DNS ' + str(x)) RE_SPF = re.compile(br'^v=spf1$|^v=spf1 ',re.IGNORECASE) # Regular expression to look for modifiers RE_MODIFIER = re.compile(r'^([a-z][a-z0-9_\-\.]*)=', re.IGNORECASE) # Regular expression to find macro expansions PAT_CHAR = r'%(%|_|-|(\{[^\}]*\}))' RE_CHAR = re.compile(PAT_CHAR) # Regular expression to break up a macro expansion RE_ARGS = re.compile(r'([0-9]*)(r?)([^0-9a-zA-Z]*)') RE_DUAL_CIDR = re.compile(r'//(0|[1-9]\d*)$') RE_CIDR = re.compile(r'/(0|[1-9]\d*)$') PAT_IP4 = r'\.'.join([r'(?:\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])']*4) RE_IP4 = re.compile(PAT_IP4+'$') RE_TOPLAB = re.compile( r'\.(?:[0-9a-z]*[a-z][0-9a-z]*|[0-9a-z]+-[0-9a-z-]*[0-9a-z])\.?$|%s' % PAT_CHAR, re.IGNORECASE) RE_DOT_ATOM = re.compile(r'%(atext)s+([.]%(atext)s+)*$' % { 'atext': r"[0-9a-z!#$%&'*+/=?^_`{}|~-]" }, re.IGNORECASE) # Derived from RFC 3986 appendix A RE_IP6 = re.compile( '(?:%(hex4)s:){6}%(ls32)s$' '|::(?:%(hex4)s:){5}%(ls32)s$' '|(?:%(hex4)s)?::(?:%(hex4)s:){4}%(ls32)s$' '|(?:(?:%(hex4)s:){0,1}%(hex4)s)?::(?:%(hex4)s:){3}%(ls32)s$' '|(?:(?:%(hex4)s:){0,2}%(hex4)s)?::(?:%(hex4)s:){2}%(ls32)s$' '|(?:(?:%(hex4)s:){0,3}%(hex4)s)?::%(hex4)s:%(ls32)s$' '|(?:(?:%(hex4)s:){0,4}%(hex4)s)?::%(ls32)s$' '|(?:(?:%(hex4)s:){0,5}%(hex4)s)?::%(hex4)s$' '|(?:(?:%(hex4)s:){0,6}%(hex4)s)?::$' % { 'ls32': r'(?:[0-9a-f]{1,4}:[0-9a-f]{1,4}|%s)'%PAT_IP4, 'hex4': r'[0-9a-f]{1,4}' }, re.IGNORECASE) # Local parts and senders have their delimiters replaced with '.' during # macro expansion # JOINERS = {'l': '.', 's': '.'} RESULTS = {'+': 'pass', '-': 'fail', '?': 'neutral', '~': 'softfail', 'pass': 'pass', 'fail': 'fail', 'permerror': 'permerror', 'error': 'temperror', 'neutral': 'neutral', 'softfail': 'softfail', 'none': 'none', 'local': 'local', 'trusted': 'trusted', 'ambiguous': 'ambiguous', 'unknown': 'permerror' } EXPLANATIONS = {'pass': 'sender SPF authorized', 'fail': 'SPF fail - not authorized', 'permerror': 'permanent error in processing', 'temperror': 'temporary DNS error in processing', 'softfail': 'domain owner discourages use of this host', 'neutral': 'access neither permitted nor denied', 'none': '', #Note: The following are not formally SPF results 'local': 'No SPF result due to local policy', 'trusted': 'No SPF check - trusted-forwarder.org', #Ambiguous only used in harsh mode for SPF validation 'ambiguous': 'No error, but results may vary' } DELEGATE = None # standard default SPF record for best_guess DEFAULT_SPF = 'v=spf1 a/24 mx/24 ptr' #Whitelisted forwarders here. Additional locally trusted forwarders can be #added to this record. TRUSTED_FORWARDERS = 'v=spf1 ?include:spf.trusted-forwarder.org -all' # maximum DNS lookups allowed MAX_LOOKUP = 10 #RFC 4408 Para 10.1 MAX_MX = 10 #RFC 4408 Para 10.1 MAX_PTR = 10 #RFC 4408 Para 10.1 MAX_CNAME = 10 # analogous interpretation to MAX_PTR MAX_RECURSION = 20 MAX_PER_LOOKUP_TIME = 30 # Long standing pyspf default ALL_MECHANISMS = ('a', 'mx', 'ptr', 'exists', 'include', 'ip4', 'ip6', 'all') COMMON_MISTAKES = { 'prt': 'ptr', 'ip': 'ip4', 'ipv4': 'ip4', 'ipv6': 'ip6', 'all.': 'all' } #If harsh processing, for the validator, is invoked, warn if results #likely deviate from the publishers intention. class AmbiguityWarning(Exception): "SPF Warning - ambiguous results" def __init__(self, msg, mech=None, ext=None): Exception.__init__(self, msg, mech) self.msg = msg self.mech = mech self.ext = ext def __str__(self): if self.mech: return '%s: %s' %(self.msg, self.mech) return self.msg class TempError(Exception): "Temporary SPF error" def __init__(self, msg, mech=None, ext=None): Exception.__init__(self, msg, mech) self.msg = msg self.mech = mech self.ext = ext def __str__(self): if self.mech: return '%s: %s '%(self.msg, self.mech) return self.msg class PermError(Exception): "Permanent SPF error" def __init__(self, msg, mech=None, ext=None): Exception.__init__(self, msg, mech) self.msg = msg self.mech = mech self.ext = ext def __str__(self): if self.mech: return '%s: %s'%(self.msg, self.mech) return self.msg def check2(i, s, h, local=None, receiver=None, timeout=MAX_PER_LOOKUP_TIME, verbose=False, querytime=0): """Test an incoming MAIL FROM:, from a client with ip address i. h is the HELO/EHLO domain name. This is the RFC4408 compliant pySPF2.0 interface. The interface returns an SPF result and explanation only. SMTP response codes are not returned since RFC 4408 does not specify receiver policy. Applications updated for RFC 4408 should use this interface. The maximum time, in seconds, this function is allowed to run before a TempError is returned is controlled by querytime. When set to 0 (default) the timeout parameter (default 30 seconds) controls the time allowed for each DNS lookup. Returns (result, explanation) where result in ['pass', 'permerror', 'fail', 'temperror', 'softfail', 'none', 'neutral' ]. Example: #>>> check2(i='61.51.192.42', s='liukebing@bcc.com', h='bmsi.com') """ res,_,exp = query(i=i, s=s, h=h, local=local, receiver=receiver,timeout=timeout,verbose=verbose,querytime=querytime).check() return res,exp def check(i, s, h, local=None, receiver=None, verbose=False): """Test an incoming MAIL FROM:, from a client with ip address i. h is the HELO/EHLO domain name. This is the pre-RFC SPF Classic interface. Applications written for pySPF 1.6/1.7 can use this interface to allow pySPF2 to be a drop in replacement for older versions. With the exception of result codes, performance in RFC 4408 compliant. Returns (result, code, explanation) where result in ['pass', 'unknown', 'fail', 'error', 'softfail', 'none', 'neutral' ]. Example: #>>> check(i='61.51.192.42', s='liukebing@bcc.com', h='bmsi.com') """ res,code,exp = query(i=i, s=s, h=h, local=local, receiver=receiver, verbose=verbose).check() if res == 'permerror': res = 'unknown' elif res == 'tempfail': res =='error' return res, code, exp class query(object): """A query object keeps the relevant information about a single SPF query: i: ip address of SMTP client in dotted notation s: sender declared in MAIL FROM:<> l: local part of sender s d: current domain, initially domain part of sender s h: EHLO/HELO domain v: 'in-addr' for IPv4 clients and 'ip6' for IPv6 clients t: current timestamp p: SMTP client domain name o: domain part of sender s r: receiver c: pretty ip address (different from i for IPv6) This is also, by design, the same variables used in SPF macro expansion. Also keeps cache: DNS cache. """ def __init__(self, i, s, h, local=None, receiver=None, strict=True, timeout=MAX_PER_LOOKUP_TIME,verbose=False,querytime=0): self.s, self.h = s, h if not s and h: self.s = 'postmaster@' + h self.ident = 'helo' else: self.ident = 'mailfrom' self.l, self.o = split_email(s, h) self.t = str(int(time.time())) self.d = self.o self.p = None # lazy evaluation if receiver: self.r = receiver else: self.r = 'unknown' # Since the cache does not track Time To Live, it is created # fresh for each query. It is important for efficiently using # multiple results provided in DNS answers. self.cache = {} self.defexps = dict(EXPLANATIONS) self.exps = dict(EXPLANATIONS) self.libspf_local = local # local policy self.lookups = 0 # strict can be False, True, or 2 (numeric) for harsh self.strict = strict self.timeout = timeout self.querytime = querytime # Default to not using a global check # timelimit since this is an RFC 4408 MAY if querytime > 0: self.timeout = querytime self.timer = 0 if i: self.set_ip(i) # Document bits of the object model not set up here: # self.i = string, expanded dot notation, suitable for PTR lookups # self.c = string, human readable form of the connect IP address # single letter lowercase variable names (e.g. self.i) are used for SPF macros # For IPv4, self.i = self.c, but not in IPv6 # self.iplist = list of IPv4/6 addresses that would pass, collected # when list or list6 is passed as 'i' # self.addr = ipaddr/ipaddress object representing the connect IP self.default_modifier = True self.verbose = verbose self.authserv = None # Only used in A-R header generation tests def log(self,mech,d,spf): print('%s: %s "%s"'%(mech,d,spf)) def set_ip(self, i): "Set connect ip, and ip6 or ip4 mode." self.iplist = False if i.lower() == 'list': self.iplist = [] ip6 = False elif i.lower() == 'list6': self.iplist = [] ip6 = True else: try: self.ipaddr = ipaddress.ip_address(i) except AttributeError: self.ipaddr = ipaddress.IPAddress(i) if self.ipaddr.version == 6: if self.ipaddr.ipv4_mapped: self.ipaddr = ipaddress.IPv4Address(self.ipaddr.ipv4_mapped) ip6 = False else: ip6 = True else: ip6 = False self.c = str(self.ipaddr) # NOTE: self.A is not lowercase, so isn't a macro. See query.expand() if ip6: self.A = 'AAAA' self.v = 'ip6' self.i = '.'.join(list(self.ipaddr.exploded.replace(':','').upper())) self.cidrmax = 128 else: self.A = 'A' self.v = 'in-addr' self.i = self.ipaddr.exploded self.cidrmax = 32 def set_default_explanation(self, exp): exps = self.exps defexps = self.defexps for i in 'softfail', 'fail', 'permerror': exps[i] = exp defexps[i] = exp def set_explanation(self, exp): exps = self.exps for i in 'softfail', 'fail', 'permerror': exps[i] = exp # Compute p macro only if needed def getp(self): if not self.p: p = self.validated_ptrs() if not p: self.p = "unknown" elif self.d in p: self.p = self.d else: sfx = '.' + self.d for d in p: if d.endswith(sfx): self.p = d break else: self.p = p[0] return self.p def best_guess(self, spf=DEFAULT_SPF): """Return a best guess based on a default SPF record. >>> q = query('1.2.3.4','','SUPERVISION1',receiver='example.com') >>> q.best_guess()[0] 'none' """ if RE_TOPLAB.split(self.d)[-1]: return ('none', 250, '') return self.check(spf) def check(self, spf=None): """ Returns (result, mta-status-code, explanation) where result in ['fail', 'softfail', 'neutral' 'permerror', 'pass', 'temperror', 'none'] Examples: >>> q = query(s='strong-bad@email.example.com', ... h='mx.example.org', i='192.0.2.3') >>> q.check(spf='v=spf1 ?all') ('neutral', 250, 'access neither permitted nor denied') >>> q.check(spf='v=spf1 redirect=controlledmail.com exp=_exp.controlledmail.com') ('fail', 550, 'SPF fail - not authorized') >>> q.check(spf='v=spf1 ip4:192.0.0.0/8 ?all moo') ('permerror', 550, 'SPF Permanent Error: Unknown mechanism found: moo') >>> q.check(spf='v=spf1 =a ?all moo') ('permerror', 550, 'SPF Permanent Error: Unknown qualifier, RFC 4408 para 4.6.1, found in: =a') >>> q.check(spf='v=spf1 ip4:192.0.0.0/8 ~all') ('pass', 250, 'sender SPF authorized') >>> q.check(spf='v=spf1 ip4:192.0.0.0/8 -all moo=') ('pass', 250, 'sender SPF authorized') >>> q.check(spf='v=spf1 ip4:192.0.0.0/8 -all match.sub-domains_9=yes') ('pass', 250, 'sender SPF authorized') >>> q.strict = False >>> q.check(spf='v=spf1 ip4:192.0.0.0/8 -all moo') ('permerror', 550, 'SPF Permanent Error: Unknown mechanism found: moo') >>> q.perm_error.ext ('pass', 250, 'sender SPF authorized') >>> q.strict = True >>> q.check(spf='v=spf1 ip4:192.1.0.0/16 moo -all') ('permerror', 550, 'SPF Permanent Error: Unknown mechanism found: moo') >>> q.check(spf='v=spf1 ip4:192.1.0.0/16 ~all') ('softfail', 250, 'domain owner discourages use of this host') >>> q.check(spf='v=spf1 -ip4:192.1.0.0/6 ~all') ('fail', 550, 'SPF fail - not authorized') # Assumes DNS available >>> q.check() ('none', 250, '') >>> q.check(spf='v=spf1 ip4:1.2.3.4 -a:example.net -all') ('fail', 550, 'SPF fail - not authorized') >>> q.libspf_local='ip4:192.0.2.3 a:example.org' >>> q.check(spf='v=spf1 ip4:1.2.3.4 -a:example.net -all') ('pass', 250, 'sender SPF authorized') >>> q.check(spf='v=spf1 ip4:1.2.3.4 -all exp=_exp.controlledmail.com') ('fail', 550, 'Controlledmail.com does not send mail from itself.') >>> q.check(spf='v=spf1 ip4:1.2.3.4 ?all exp=_exp.controlledmail.com') ('neutral', 250, 'access neither permitted nor denied') """ self.mech = [] # unknown mechanisms # If not strict, certain PermErrors (mispelled # mechanisms, strict processing limits exceeded) # will continue processing. However, the exception # that strict processing would raise is saved here self.perm_error = None self.mechanism = None self.options = {} try: self.lookups = 0 self.timer = 0 if not spf: spf = self.dns_spf(self.d) if self.verbose: self.log("top",self.d,spf) if self.libspf_local and spf: spf = insert_libspf_local_policy( spf, self.libspf_local) rc = self.check1(spf, self.d, 0) if self.perm_error: # lax processing encountered a permerror, but continued self.perm_error.ext = rc raise self.perm_error return rc except TempError as x: self.prob = x.msg if x.mech: self.mech.append(x.mech) return ('temperror', 451, 'SPF Temporary Error: ' + str(x)) except PermError as x: if not self.perm_error: self.perm_error = x self.prob = x.msg if x.mech: self.mech.append(x.mech) # Pre-Lentczner draft treats this as an unknown result # and equivalent to no SPF record. return ('permerror', 550, 'SPF Permanent Error: ' + str(x)) def check1(self, spf, domain, recursion): # spf rfc: 3.7 Processing Limits # if recursion > MAX_RECURSION: # This should never happen in strict mode # because of the other limits we check, # so if it does, there is something wrong with # our code. It is not a PermError because there is not # necessarily anything wrong with the SPF record. if self.strict: raise AssertionError('Too many levels of recursion') # As an extended result, however, it should be # a PermError. raise PermError('Too many levels of recursion') try: try: tmp, self.d = self.d, domain return self.check0(spf, recursion) finally: self.d = tmp except AmbiguityWarning as x: self.prob = x.msg if x.mech: self.mech.append(x.mech) return ('ambiguous', 000, 'SPF Ambiguity Warning: %s' % x) def note_error(self, *msg): if self.strict: raise PermError(*msg) # if lax mode, note error and continue if not self.perm_error: try: raise PermError(*msg) except PermError as x: # FIXME: keep a list of errors for even friendlier diagnostics. self.perm_error = x return self.perm_error def expand_domain(self,arg): "validate and expand domain-spec" # any trailing dot was removed by expand() if RE_TOPLAB.split(arg)[-1]: raise PermError('Invalid domain found (use FQDN)', arg) return self.expand(arg) def validate_mechanism(self, mech): """Parse and validate a mechanism. Returns mech,m,arg,cidrlength,result Examples: >>> q = query(s='strong-bad@email.example.com.', ... h='mx.example.org', i='192.0.2.3') >>> q.validate_mechanism('A') ('A', 'a', 'email.example.com', 32, 'pass') >>> q = query(s='strong-bad@email.example.com', ... h='mx.example.org', i='192.0.2.3') >>> q.validate_mechanism('A//64') ('A//64', 'a', 'email.example.com', 32, 'pass') >>> q.validate_mechanism('A/24//64') ('A/24//64', 'a', 'email.example.com', 24, 'pass') >>> q.validate_mechanism('?mx:%{d}/27') ('?mx:%{d}/27', 'mx', 'email.example.com', 27, 'neutral') >>> try: q.validate_mechanism('ip4:1.2.3.4/247') ... except PermError as x: print(x) Invalid IP4 CIDR length: ip4:1.2.3.4/247 >>> try: q.validate_mechanism('ip4:1.2.3.4/33') ... except PermError as x: print(x) Invalid IP4 CIDR length: ip4:1.2.3.4/33 >>> try: q.validate_mechanism('a:example.com:8080') ... except PermError as x: print(x) Invalid domain found (use FQDN): example.com:8080 >>> try: q.validate_mechanism('ip4:1.2.3.444/24') ... except PermError as x: print(x) Invalid IP4 address: ip4:1.2.3.444/24 >>> try: q.validate_mechanism('ip4:1.2.03.4/24') ... except PermError as x: print(x) Invalid IP4 address: ip4:1.2.03.4/24 >>> try: q.validate_mechanism('-all:3030') ... except PermError as x: print(x) Invalid all mechanism format - only qualifier allowed with all: -all:3030 >>> q.validate_mechanism('-mx:%%%_/.Clara.de/27') ('-mx:%%%_/.Clara.de/27', 'mx', '% /.Clara.de', 27, 'fail') >>> q.validate_mechanism('~exists:%{i}.%{s1}.100/86400.rate.%{d}') ('~exists:%{i}.%{s1}.100/86400.rate.%{d}', 'exists', '192.0.2.3.com.100/86400.rate.email.example.com', 32, 'softfail') >>> q.validate_mechanism('a:mail.example.com.') ('a:mail.example.com.', 'a', 'mail.example.com', 32, 'pass') >>> try: q.validate_mechanism('a:mail.example.com,') ... except PermError as x: print(x) Do not separate mechnisms with commas: a:mail.example.com, >>> q = query(s='strong-bad@email.example.com', ... h='mx.example.org', i='2001:db8:1234::face:b007') >>> q.validate_mechanism('A//64') ('A//64', 'a', 'email.example.com', 64, 'pass') >>> q.validate_mechanism('A/16') ('A/16', 'a', 'email.example.com', 128, 'pass') >>> q.validate_mechanism('A/16//48') ('A/16//48', 'a', 'email.example.com', 48, 'pass') """ if mech.endswith( "," ): self.note_error('Do not separate mechnisms with commas', mech) mech = mech[:-1] # a mechanism m, arg, cidrlength, cidr6length = parse_mechanism(mech, self.d) # map '?' '+' or '-' to 'neutral' 'pass' or 'fail' if m: result = RESULTS.get(m[0]) if result: # eat '?' '+' or '-' m = m[1:] else: # default pass result = 'pass' if m in COMMON_MISTAKES: self.note_error('Unknown mechanism found', mech) m = COMMON_MISTAKES[m] if m == 'a' and RE_IP4.match(arg): x = self.note_error( 'Use the ip4 mechanism for ip4 addresses', mech) m = 'ip4' # validate cidr and dual-cidr if m in ('a', 'mx'): if cidrlength is None: cidrlength = 32; elif cidrlength > 32: raise PermError('Invalid IP4 CIDR length', mech) if cidr6length is None: cidr6length = 128 elif cidr6length > 128: raise PermError('Invalid IP6 CIDR length', mech) if self.v == 'ip6': cidrlength = cidr6length elif m == 'ip4' or RE_IP4.match(m): if m != 'ip4': self.note_error( 'Missing IP4' , mech) m,arg = 'ip4',m if cidr6length is not None: raise PermError('Dual CIDR not allowed', mech) if cidrlength is None: cidrlength = 32; elif cidrlength > 32: raise PermError('Invalid IP4 CIDR length', mech) if not RE_IP4.match(arg): raise PermError('Invalid IP4 address', mech) elif m == 'ip6': if cidr6length is not None: raise PermError('Dual CIDR not allowed', mech) if cidrlength is None: cidrlength = 128 elif cidrlength > 128: raise PermError('Invalid IP6 CIDR length', mech) if not RE_IP6.match(arg): raise PermError('Invalid IP6 address', mech) else: if cidrlength is not None or cidr6length is not None: if m in ALL_MECHANISMS: raise PermError('CIDR not allowed', mech) cidrlength = self.cidrmax if m in ('a', 'mx', 'ptr', 'exists', 'include'): if m == 'exists' and not arg: raise PermError('implicit exists not allowed', mech) arg = self.expand_domain(arg) if not arg: raise PermError('empty domain:',mech) if m == 'include': if arg == self.d: if mech != 'include': raise PermError('include has trivial recursion', mech) raise PermError('include mechanism missing domain', mech) return mech, m, arg, cidrlength, result # validate 'all' mechanism per RFC 4408 ABNF if m == 'all' and mech.count(':'): # print '|'+ arg + '|', mech, self.d, self.note_error( 'Invalid all mechanism format - only qualifier allowed with all' , mech) if m in ALL_MECHANISMS: return mech, m, arg, cidrlength, result if m[1:] in ALL_MECHANISMS: x = self.note_error( 'Unknown qualifier, RFC 4408 para 4.6.1, found in', mech) else: x = self.note_error('Unknown mechanism found', mech) return mech, m, arg, cidrlength, x def check0(self, spf, recursion): """Test this query information against SPF text. Returns (result, mta-status-code, explanation) where result in ['fail', 'unknown', 'pass', 'none'] """ if not spf: return ('none', 250, EXPLANATIONS['none']) # split string by whitespace, drop the 'v=spf1' spf = spf.split() # Catch case where SPF record has no spaces. # Can never happen with conforming dns_spf(), however # in the future we might want to give warnings # for common mistakes like IN TXT "v=spf1" "mx" "-all" # in relaxed mode. if spf[0].lower() != 'v=spf1': if self.strict > 1: raise AmbiguityWarning('Invalid SPF record in', self.d) return ('none', 250, EXPLANATIONS['none']) spf = spf[1:] # copy of explanations to be modified by exp= exps = self.exps redirect = None # no mechanisms at all cause unknown result, unless # overridden with 'default=' modifier # default = 'neutral' mechs = [] modifiers = [] # Look for modifiers # for mech in spf: m = RE_MODIFIER.split(mech)[1:] if len(m) != 2: mechs.append(self.validate_mechanism(mech)) continue mod,arg = m if mod in modifiers: if mod == 'redirect': raise PermError('redirect= MUST appear at most once',mech) self.note_error('%s= MUST appear at most once'%mod,mech) # just use last one in lax mode modifiers.append(mod) if mod == 'exp': # always fetch explanation to check permerrors if not arg: raise PermError('exp has empty domain-spec:',arg) arg = self.expand_domain(arg) if arg: try: exp = self.get_explanation(arg) if exp and not recursion: # only set explanation in base recursion level self.set_explanation(exp) except: pass elif mod == 'redirect': self.check_lookups() redirect = self.expand_domain(arg) if not redirect: raise PermError('redirect has empty domain:',arg) elif mod == 'default': # default modifier is obsolete if self.strict > 1: raise AmbiguityWarning('The default= modifier is obsolete.') if not self.strict and self.default_modifier: # might be an old policy, so do it anyway arg = self.expand(arg) # default=- is the same as default=fail default = RESULTS.get(arg, default) elif mod == 'op': if not recursion: for v in arg.split('.'): if v: self.options[v] = True else: # spf rfc: 3.6 Unrecognized Mechanisms and Modifiers self.expand(m[1]) # syntax error on invalid macro # Evaluate mechanisms # for mech, m, arg, cidrlength, result in mechs: if m == 'include': self.check_lookups() d = self.dns_spf(arg) if self.verbose: self.log("include",arg,d) res, code, txt = self.check1(d,arg, recursion + 1) if res == 'pass': break if res == 'none': self.note_error( 'No valid SPF record for included domain: %s' %arg, mech) res = 'neutral' continue elif m == 'all': break elif m == 'exists': self.check_lookups() try: if len(self.dns_a(arg,'A')) > 0: break except AmbiguityWarning: # Exists wants no response sometimes so don't raise # the warning. pass elif m == 'a': self.check_lookups() if self.cidrmatch(self.dns_a(arg,self.A), cidrlength): break elif m == 'mx': self.check_lookups() if self.cidrmatch(self.dns_mx(arg), cidrlength): break elif m == 'ip4': if self.v == 'in-addr': # match own connection type only try: if self.cidrmatch([arg], cidrlength): break except socket.error: raise PermError('syntax error', mech) elif m == 'ip6': if self.v == 'ip6': # match own connection type only try: if self.cidrmatch([arg], cidrlength): break except socket.error: raise PermError('syntax error', mech) elif m == 'ptr': self.check_lookups() if domainmatch(self.validated_ptrs(), arg): break else: # no matches if redirect: #Catch redirect to a non-existant SPF record. redirect_record = self.dns_spf(redirect) if not redirect_record: raise PermError('redirect domain has no SPF record', redirect) if self.verbose: self.log("redirect",redirect,redirect_record) # forget modifiers on redirect if not recursion: self.exps = dict(self.defexps) self.options = {} return self.check1(redirect_record, redirect, recursion) result = default mech = None if not recursion: # record matching mechanism at base level self.mechanism = mech if result == 'fail': return (result, 550, exps[result]) else: return (result, 250, exps[result]) def check_lookups(self): self.lookups = self.lookups + 1 if self.lookups > MAX_LOOKUP*4: raise PermError('More than %d DNS lookups'%(MAX_LOOKUP*4)) if self.lookups > MAX_LOOKUP: self.note_error('Too many DNS lookups') def get_explanation(self, spec): """Expand an explanation.""" if spec: try: a = self.dns_txt(spec) if len(a) == 1: return str(self.expand(to_ascii(a[0]), stripdot=False)) except PermError: # RFC4408 6.2/4 syntax errors cause exp= to be ignored if self.strict > 1: raise # but report in harsh mode for record checking tools pass elif self.strict > 1: raise PermError('Empty domain-spec on exp=') # RFC4408 6.2/4 empty domain spec is ignored # (unless you give precedence to the grammar). return None def expand(self, str, stripdot=True): # macros='slodipvh' """Do SPF RFC macro expansion. Examples: >>> q = query(s='strong-bad@email.example.com', ... h='mx.example.org', i='192.0.2.3') >>> q.p = 'mx.example.org' >>> q.r = 'example.net' >>> q.expand('%{d}') 'email.example.com' >>> q.expand('%{d4}') 'email.example.com' >>> q.expand('%{d3}') 'email.example.com' >>> q.expand('%{d2}') 'example.com' >>> q.expand('%{d1}') 'com' >>> q.expand('%{p}') 'mx.example.org' >>> q.expand('%{p2}') 'example.org' >>> q.expand('%{dr}') 'com.example.email' >>> q.expand('%{d2r}') 'example.email' >>> q.expand('%{l}') 'strong-bad' >>> q.expand('%{l-}') 'strong.bad' >>> q.expand('%{lr}') 'strong-bad' >>> q.expand('%{lr-}') 'bad.strong' >>> q.expand('%{l1r-}') 'strong' >>> q.expand('%{c}',stripdot=False) '192.0.2.3' >>> q.expand('%{r}',stripdot=False) 'example.net' >>> q.expand('%{ir}.%{v}._spf.%{d2}') '3.2.0.192.in-addr._spf.example.com' >>> q.expand('%{lr-}.lp._spf.%{d2}') 'bad.strong.lp._spf.example.com' >>> q.expand('%{lr-}.lp.%{ir}.%{v}._spf.%{d2}') 'bad.strong.lp.3.2.0.192.in-addr._spf.example.com' >>> q.expand('%{ir}.%{v}.%{l1r-}.lp._spf.%{d2}') '3.2.0.192.in-addr.strong.lp._spf.example.com' >>> try: q.expand('%(ir).%{v}.%{l1r-}.lp._spf.%{d2}') ... except PermError as x: print(x) invalid-macro-char : %(ir) >>> q.expand('%{p2}.trusted-domains.example.net') 'example.org.trusted-domains.example.net' >>> q.expand('%{p2}.trusted-domains.example.net.') 'example.org.trusted-domains.example.net' >>> q = query(s='@email.example.com', ... h='mx.example.org', i='192.0.2.3') >>> q.p = 'mx.example.org' >>> q.expand('%{l}') 'postmaster' """ macro_delimiters = ['{', '%', '-', '_'] end = 0 result = '' macro_count = str.count('%') if macro_count != 0: labels = str.split('.') for label in labels: is_macro = False if len(label) > 1: if label[0] == '%': for delimit in macro_delimiters: if label[1] == delimit: is_macro = True if not is_macro: raise PermError ('invalid-macro-char ', label) break for i in RE_CHAR.finditer(str): result += str[end:i.start()] macro = str[i.start():i.end()] if macro == '%%': result += '%' elif macro == '%_': result += ' ' elif macro == '%-': result += '%20' else: letter = macro[2].lower() # print letter if letter == 'p': self.getp() elif letter in 'crt' and stripdot: raise PermError( 'c,r,t macros allowed in exp= text only', macro) expansion = getattr(self, letter, self) if expansion: if expansion == self: raise PermError('Unknown Macro Encountered', macro) e = expand_one(expansion, macro[3:-1], JOINERS.get(letter)) if letter != macro[2]: e = urllibparse.quote(e) result += e end = i.end() result += str[end:] if stripdot and result.endswith('.'): result = result[:-1] if result.count('.') != 0: if len(result) > 253: result = result[(result.index('.')+1):] return result def dns_spf(self, domain): """Get the SPF record recorded in DNS for a specific domain name. Returns None if not found, or if more than one record is found. """ # Per RFC 4.3/1, check for malformed domain. This produces # no results as a special case. for label in domain.split('.'): if not label or len(label) > 63: return None # for performance, check for most common case of TXT first a = [t for t in self.dns_txt(domain) if RE_SPF.match(t)] if len(a) > 1: raise PermError('Two or more type TXT spf records found.') if len(a) == 1 and self.strict < 2: return to_ascii(a[0]) # check official SPF type first when it becomes more popular if self.strict > 1: #Only check for Type SPF in harsh mode until it is more popular. try: b = [t for t in self.dns_txt(domain,'SPF') if RE_SPF.match(t)] except TempError as x: # some braindead DNS servers hang on type 99 query if self.strict > 1: raise TempError(x) b = [] if len(b) > 1: raise PermError('Two or more type SPF spf records found.') if len(b) == 1: if self.strict > 1 and len(a) == 1 and a[0] != b[0]: #Changed from permerror to warning based on RFC 4408 Auth 48 change raise AmbiguityWarning( 'v=spf1 records of both type TXT and SPF (type 99) present, but not identical') return to_ascii(b[0]) if len(a) == 1: return to_ascii(a[0]) # return TXT if SPF wasn't found if DELEGATE: # use local record if neither found a = [t for t in self.dns_txt(domain+'._spf.'+DELEGATE) if RE_SPF.match(t) ] if len(a) == 1: return to_ascii(a[0]) return None ## Get list of TXT records for a domain name. # Any DNS library *must* return bytes (same as str in python2) for TXT # or SPF since there is no general decoding to unicode. Py3dns-3.0.2 # incorrectly attempts to convert to str using idna encoding by default. # We work around this by assuming any UnicodeErrors coming from py3dns # are from a non-ascii SPF record (incorrect in general). Packages # should require py3dns != 3.0.2. # # We cannot check for non-ascii here, because we must ignore non-SPF # records - even when they are non-ascii. So we return bytes. # The caller does the ascii check for SPF records and explanations. # def dns_txt(self, domainname, rr='TXT'): "Get a list of TXT records for a domain name." if domainname: try: dns_list = self.dns(domainname, rr) if dns_list: # a[0][:0] is '' for py3dns-3.0.2, otherwise b'' a = [a[0][:0].join(a) for a in dns_list] # FIXME: workaround for error in py3dns-3.0.2 if isinstance(a[0],bytes): return a return [s.encode('utf-8') for s in a] # FIXME: workaround for error in py3dns-3.0.2 except UnicodeError: raise PermError('Non-ascii characters found in %s record for %s' %(rr,domainname)) return [] def dns_mx(self, domainname): """Get a list of IP addresses for all MX exchanges for a domain name. """ # RFC 4408 section 5.4 "mx" # To prevent DoS attacks, more than 10 MX names MUST NOT be looked up mxnames = self.dns(domainname, 'MX') if self.strict: max = MAX_MX if self.strict > 1: if len(mxnames) > MAX_MX: raise AmbiguityWarning( 'More than %d MX records returned'%MAX_MX) if len(mxnames) == 0: raise AmbiguityWarning( 'No MX records found for mx mechanism', domainname) else: max = MAX_MX * 4 mxnames.sort() return [a for mx in mxnames[:max] for a in self.dns_a(mx[1],self.A)] def dns_a(self, domainname, A='A'): """Get a list of IP addresses for a domainname. """ if not domainname: return [] if self.strict > 1: alist = self.dns(domainname, A) if len(alist) == 0: raise AmbiguityWarning( 'No %s records found for'%A, domainname) else: return alist r = self.dns(domainname, A) if A == 'AAAA' and bytes is str: # work around pydns inconsistency plus python2 bytes/str ambiguity return [ipaddress.Bytes(ip) for ip in r] return r def validated_ptrs(self): """Figure out the validated PTR domain names for the connect IP.""" # To prevent DoS attacks, more than 10 PTR names MUST NOT be looked up if self.strict: max = MAX_PTR if self.strict > 1: #Break out the number of PTR records returned for testing try: ptrnames = self.dns_ptr(self.i) if len(ptrnames) > max: warning = 'More than %d PTR records returned' % max raise AmbiguityWarning(warning, self.c) else: if len(ptrnames) == 0: raise AmbiguityWarning( 'No PTR records found for ptr mechanism', self.c) except: raise AmbiguityWarning( 'No PTR records found for ptr mechanism', self.c) else: max = MAX_PTR * 4 cidrlength = self.cidrmax return [p for p in self.dns_ptr(self.i)[:max] if self.cidrmatch(self.dns_a(p,self.A),cidrlength)] def dns_ptr(self, i): """Get a list of domain names for an IP address.""" return self.dns('%s.%s.arpa'%(reverse_dots(i),self.v), 'PTR') # We have to be careful which additional DNS RRs we cache. For # instance, PTR records are controlled by the connecting IP, and they # could poison our local cache with bogus A and MX records. SAFE2CACHE = { ('MX','A'): None, ('MX','MX'): None, ('CNAME','A'): None, ('A','A'): None, ('AAAA','AAAA'): None, ('PTR','PTR'): None, ('TXT','TXT'): None, ('SPF','SPF'): None } # FIXME: move to dnsplug def dns(self, name, qtype, cnames=None): """DNS query. If the result is in cache, return that. Otherwise pull the result from DNS, and cache ALL answers, so additional info is available for further queries later. CNAMEs are followed. If there is no data, [] is returned. pre: qtype in ['A', 'AAAA', 'MX', 'PTR', 'TXT', 'SPF'] post: isinstance(__return__, types.ListType) """ if name.endswith('.'): name = name[:-1] if not reduce(lambda x,y:x and 0 < len(y) < 64, name.split('.'),True): return [] # invalid DNS name (too long or empty) result = self.cache.get( (name, qtype), []) if result: return result cnamek = (name,'CNAME') cname = self.cache.get( cnamek ) if cname: cname = cname[0] else: safe2cache = query.SAFE2CACHE if self.querytime < 0: raise TempError('DNS Error: exceeded max query lookup time') if self.querytime < self.timeout and self.querytime > 0: timeout = self.querytime else: timeout = self.timeout timethen = time.time() for k, v in DNSLookup(name, qtype, self.strict, timeout): if k == cnamek: cname = v if k[1] == 'CNAME' or (qtype,k[1]) in safe2cache: self.cache.setdefault(k, []).append(v) #if ans and qtype == k[1]: # self.cache.setdefault((name,qtype), []).append(v) result = self.cache.get( (name, qtype), []) if self.querytime > 0: self.querytime = self.querytime - (time.time()-timethen) if not result and cname: if not cnames: cnames = {} elif len(cnames) >= MAX_CNAME: #return result # if too many == NX_DOMAIN raise PermError('Length of CNAME chain exceeds %d' % MAX_CNAME) cnames[name] = cname if cname in cnames: raise PermError('CNAME loop') result = self.dns(cname, qtype, cnames=cnames) if result: self.cache[(name,qtype)] = result return result def cidrmatch(self, ipaddrs, n): """Match connect IP against a CIDR network of other IP addresses. Examples: >>> c = query(s='strong-bad@email.example.com', ... h='mx.example.org', i='192.0.2.3') >>> c.p = 'mx.example.org' >>> c.r = 'example.com' >>> c.cidrmatch(['192.0.2.3'],32) True >>> c.cidrmatch(['192.0.2.2'],32) False >>> c.cidrmatch(['192.0.2.2'],31) True >>> six = query(s='strong-bad@email.example.com', ... h='mx.example.org', i='2001:0db8:0:0:0:0:0:0001') >>> six.p = 'mx.example.org' >>> six.r = 'example.com' >>> six.cidrmatch(['2001:0DB8::'],127) True >>> six.cidrmatch(['2001:0DB8::'],128) False >>> six.cidrmatch(['2001:0DB8:0:0:0:0:0:0001'],128) True """ try: for netwrk in [ipaddress.ip_network(ip) for ip in ipaddrs]: network = netwrk.supernet(new_prefix=n) if isinstance(self.iplist, bool): if network.__contains__(self.ipaddr): return True else: if n < self.cidrmax: self.iplist.append(network) else: self.iplist.append(network.ip) except AttributeError: for netwrk in [ipaddress.IPNetwork(ip,strict=False) for ip in ipaddrs]: network = netwrk.supernet(new_prefix=n) if isinstance(self.iplist, bool): if network.__contains__(self.ipaddr): return True else: if n < self.cidrmax: self.iplist.append(network) else: self.iplist.append(network.ip) return False def parse_header_ar(self, val): """Set SPF values from RFC 5451 Authentication Results header. Useful when SPF has already been run on a trusted gateway machine. Expects the entire header as an input. Examples: >>> q = query('192.0.2.3','strong-bad@email.example.com','mx.example.org') >>> q.mechanism = 'unknown' >>> p = q.parse_header_ar('''Authentication-Results: bmsi.com; spf=neutral \\n (abuse@kitterman.com: 192.0.2.3 is neither permitted nor denied by domain of email.example.com) \\n smtp.mailfrom=email.example.com \\n (sender=strong-bad@email.example.com; helo=mx.example.org; client-ip=192.0.2.3; receiver=abuse@kitterman.com; mechanism=?all)''') >>> q.get_header(q.result, header_type='authres', aid='bmsi.com') 'Authentication-Results: bmsi.com; spf=neutral (unknown: 192.0.2.3 is neither permitted nor denied by domain of email.example.com) smtp.mailfrom=email.example.com (sender=email.example.com; helo=mx.example.org; client-ip=192.0.2.3; receiver=unknown; mechanism=unknown)' >>> p = q.parse_header_ar('''Authentication-Results: bmsi.com; spf=None (mail.bmsi.com: test; client-ip=163.247.46.150) smtp.mailfrom=admin@squiebras.cl (helo=mail.squiebras.cl; receiver=mail.bmsi.com;\\n mechanism=mx/24)''') >>> q.get_header(q.result, header_type='authres', aid='bmsi.com') 'Authentication-Results: bmsi.com; spf=none (unknown: 192.0.2.3 is neither permitted nor denied by domain of email.example.com) smtp.mailfrom=admin@squiebras.cl (sender=admin@squiebras.cl; helo=mx.example.org; client-ip=192.0.2.3; receiver=unknown; mechanism=unknown)' """ import authres # Authres expects unwrapped headers according to docs val = ' '.join(s.strip() for s in val.split('\n')) arobj = authres.AuthenticationResultsHeader.parse(val) # TODO extract and parse comments (not supported by authres) for resobj in arobj.results: if resobj.method == 'spf': self.authserv = arobj.authserv_id self.result = resobj.result if resobj.properties[0].name == 'mailfrom': self.d = resobj.properties[0].value self.s = resobj.properties[0].value if resobj.properties[0].name == 'helo': self.h = resobj.properties[0].value return def parse_header_spf(self, val): """Set SPF values from Received-SPF header. Useful when SPF has already been run on a trusted gateway machine. Examples: >>> q = query('0.0.0.0','','') >>> p = q.parse_header_spf('''Pass (test) client-ip=70.98.79.77; ... envelope-from="evelyn@subjectsthum.com"; helo=mail.subjectsthum.com; ... receiver=mail.bmsi.com; mechanism=a; identity=mailfrom''') >>> q.get_header(q.result) 'Pass (test) client-ip=70.98.79.77; envelope-from="evelyn@subjectsthum.com"; helo=mail.subjectsthum.com; receiver=mail.bmsi.com; mechanism=a; identity=mailfrom' >>> o = q.parse_header_spf('''None (mail.bmsi.com: test) ... client-ip=163.247.46.150; envelope-from="admin@squiebras.cl"; ... helo=mail.squiebras.cl; receiver=mail.bmsi.com; mechanism=mx/24; ... x-bestguess=pass; x-helo-spf=neutral; identity=mailfrom''') >>> q.get_header(q.result,**o) 'None (mail.bmsi.com: test) client-ip=163.247.46.150; envelope-from="admin@squiebras.cl"; helo=mail.squiebras.cl; receiver=mail.bmsi.com; mechanism=mx/24; x-bestguess=pass; x-helo-spf=neutral; identity=mailfrom' >>> o['bestguess'] 'pass' """ a = val.split(None,1) self.result = a[0].lower() self.mechanism = None if len(a) < 2: return 'none' val = a[1] if val.startswith('('): pos = val.find(')') if pos < 0: return self.result self.comment = val[1:pos] val = val[pos+1:] msg = Message() msg.add_header('Received-SPF','; '+val) p = {} for k,v in msg.get_params(header='Received-SPF'): if k == 'client-ip': self.set_ip(v) elif k == 'envelope-from': self.s = v elif k == 'helo': self.h = v elif k == 'receiver': self.r = v elif k == 'problem': self.mech = v elif k == 'mechanism': self.mechanism = v elif k == 'identity': self.ident = v elif k.startswith('x-'): p[k[2:]] = v self.l, self.o = split_email(self.s, self.h) return p def parse_header(self, val): """Set SPF values from Received-SPF or RFC 5451 Authentication Results header. Useful when SPF has already been run on a trusted gateway machine. Auto detects the header type and parses it. Use parse_header_spf or parse_header_ar for each type if required. Examples: >>> q = query('0.0.0.0','','') >>> p = q.parse_header('''Pass (test) client-ip=70.98.79.77; ... envelope-from="evelyn@subjectsthum.com"; helo=mail.subjectsthum.com; ... receiver=mail.bmsi.com; mechanism=a; identity=mailfrom''') >>> q.get_header(q.result) 'Pass (test) client-ip=70.98.79.77; envelope-from="evelyn@subjectsthum.com"; helo=mail.subjectsthum.com; receiver=mail.bmsi.com; mechanism=a; identity=mailfrom' >>> r = q.parse_header('''None (mail.bmsi.com: test) ... client-ip=163.247.46.150; envelope-from="admin@squiebras.cl"; ... helo=mail.squiebras.cl; receiver=mail.bmsi.com; mechanism=mx/24; ... x-bestguess=pass; x-helo-spf=neutral; identity=mailfrom''') >>> q.get_header(q.result,**r) 'None (mail.bmsi.com: test) client-ip=163.247.46.150; envelope-from="admin@squiebras.cl"; helo=mail.squiebras.cl; receiver=mail.bmsi.com; mechanism=mx/24; x-bestguess=pass; x-helo-spf=neutral; identity=mailfrom' >>> r['bestguess'] 'pass' >>> q = query('192.0.2.3','strong-bad@email.example.com','mx.example.org') >>> q.mechanism = 'unknown' >>> p = q.parse_header_ar('''Authentication-Results: bmsi.com; spf=neutral \\n (abuse@kitterman.com: 192.0.2.3 is neither permitted nor denied by domain of email.example.com) \\n smtp.mailfrom=email.example.com \\n (sender=strong-bad@email.example.com; helo=mx.example.org; client-ip=192.0.2.3; receiver=abuse@kitterman.com; mechanism=?all)''') >>> q.get_header(q.result, header_type='authres', aid='bmsi.com') 'Authentication-Results: bmsi.com; spf=neutral (unknown: 192.0.2.3 is neither permitted nor denied by domain of email.example.com) smtp.mailfrom=email.example.com (sender=email.example.com; helo=mx.example.org; client-ip=192.0.2.3; receiver=unknown; mechanism=unknown)' >>> p = q.parse_header_ar('''Authentication-Results: bmsi.com; spf=None (mail.bmsi.com: test; client-ip=163.247.46.150) smtp.mailfrom=admin@squiebras.cl (helo=mail.squiebras.cl; receiver=mail.bmsi.com; mechanism=mx/24)''') >>> q.get_header(q.result, header_type='authres', aid='bmsi.com') 'Authentication-Results: bmsi.com; spf=none (unknown: 192.0.2.3 is neither permitted nor denied by domain of email.example.com) smtp.mailfrom=admin@squiebras.cl (sender=admin@squiebras.cl; helo=mx.example.org; client-ip=192.0.2.3; receiver=unknown; mechanism=unknown)' """ if val.startswith('Authentication-Results:'): return(self.parse_header_ar(val)) else: return(self.parse_header_spf(val)) def get_header(self, res, receiver=None, header_type='spf', aid=None, **kv): """ Generate Received-SPF or Authentication Results header based on the last lookup. >>> q = query(s='strong-bad@email.example.com', h='mx.example.org', ... i='192.0.2.3') >>> q.r='abuse@kitterman.com' >>> q.check(spf='v=spf1 ?all') ('neutral', 250, 'access neither permitted nor denied') >>> q.get_header('neutral') 'Neutral (abuse@kitterman.com: 192.0.2.3 is neither permitted nor denied by domain of email.example.com) client-ip=192.0.2.3; envelope-from="strong-bad@email.example.com"; helo=mx.example.org; receiver=abuse@kitterman.com; mechanism=?all; identity=mailfrom' >>> q.check(spf='v=spf1 redirect=controlledmail.com exp=_exp.controlledmail.com') ('fail', 550, 'SPF fail - not authorized') >>> q.get_header('fail') 'Fail (abuse@kitterman.com: domain of email.example.com does not designate 192.0.2.3 as permitted sender) client-ip=192.0.2.3; envelope-from="strong-bad@email.example.com"; helo=mx.example.org; receiver=abuse@kitterman.com; mechanism=-all; identity=mailfrom' >>> q.check(spf='v=spf1 ip4:192.0.0.0/8 ?all moo') ('permerror', 550, 'SPF Permanent Error: Unknown mechanism found: moo') >>> q.get_header('permerror') 'PermError (abuse@kitterman.com: permanent error in processing domain of email.example.com: Unknown mechanism found) client-ip=192.0.2.3; envelope-from="strong-bad@email.example.com"; helo=mx.example.org; receiver=abuse@kitterman.com; problem=moo; identity=mailfrom' >>> q.check(spf='v=spf1 ip4:192.0.0.0/8 ~all') ('pass', 250, 'sender SPF authorized') >>> q.get_header('pass') 'Pass (abuse@kitterman.com: domain of email.example.com designates 192.0.2.3 as permitted sender) client-ip=192.0.2.3; envelope-from="strong-bad@email.example.com"; helo=mx.example.org; receiver=abuse@kitterman.com; mechanism="ip4:192.0.0.0/8"; identity=mailfrom' >>> q.check(spf='v=spf1 ?all') ('neutral', 250, 'access neither permitted nor denied') >>> q.get_header('neutral', header_type = 'authres', aid='bmsi.com') 'Authentication-Results: bmsi.com; spf=neutral (abuse@kitterman.com: 192.0.2.3 is neither permitted nor denied by domain of email.example.com) smtp.mailfrom=email.example.com (sender=strong-bad@email.example.com; helo=mx.example.org; client-ip=192.0.2.3; receiver=abuse@kitterman.com; mechanism=?all)' >>> p = query(s='strong-bad@email.example.com', h='mx.example.org', ... i='192.0.2.3') >>> p.r='abuse@kitterman.com' >>> p.check(spf='v=spf1 redirect=controlledmail.com exp=_exp.controlledmail.com') ('fail', 550, 'SPF fail - not authorized') >>> p.ident = 'helo' >>> p.get_header('fail', header_type = 'authres', aid='bmsi.com') 'Authentication-Results: bmsi.com; spf=fail (abuse@kitterman.com: domain of email.example.com does not designate 192.0.2.3 as permitted sender) smtp.helo=mx.example.org (sender=strong-bad@email.example.com; client-ip=192.0.2.3; receiver=abuse@kitterman.com; mechanism=-all)' >>> q.check(spf='v=spf1 ?all') ('neutral', 250, 'access neither permitted nor denied') >>> try: q.get_header('neutral', header_type = 'dkim') ... except SyntaxError as x: print(x) Unknown results header type: dkim """ # If type is Authentication Results header (spf/authres) if header_type == 'authres': if not aid: raise SyntaxError('authserv-id missing for Authentication Results header type, see RFC5451 2.3') import authres if not receiver: receiver = self.r client_ip = self.c helo = quote_value(self.h) resmap = { 'pass': 'Pass', 'neutral': 'Neutral', 'fail': 'Fail', 'softfail': 'SoftFail', 'none': 'None', 'temperror': 'TempError', 'permerror': 'PermError' } identity = self.ident if identity == 'helo': envelope_from = None else: envelope_from = quote_value(self.s) tag = resmap[res] if res == 'permerror' and self.mech: problem = quote_value(' '.join(self.mech)) else: problem = None mechanism = quote_value(self.mechanism) if hasattr(self,'comment'): comment = self.comment else: comment = '%s: %s' % (receiver,self.get_header_comment(res)) res = ['%s (%s)' % (tag,comment)] if header_type == 'spf': for k in ('client_ip','envelope_from','helo','receiver', 'problem','mechanism'): v = locals()[k] if v: res.append('%s=%s;'%(k.replace('_','-'),v)) for k,v in sorted(list(kv.items())): if v: res.append('x-%s=%s;'%(k.replace('_','-'),quote_value(v))) # do identity last so we can easily drop the trailing ';' res.append('%s=%s'%('identity',identity)) return ' '.join(res) elif header_type == 'authres': if envelope_from: return str(authres.AuthenticationResultsHeader(authserv_id = aid, \ results = [authres.SPFAuthenticationResult(result = tag, \ result_comment = comment, smtp_mailfrom = self.d, \ smtp_mailfrom_comment = \ 'sender={0}; helo={1}; client-ip={2}; receiver={3}; mechanism={4}'.format(self.s, \ self.h, self.c, self.r, mechanism))])) else: return str(authres.AuthenticationResultsHeader(authserv_id = aid, \ results = [authres.SPFAuthenticationResult(result = tag, \ result_comment = comment, smtp_helo = self.h, \ smtp_helo_comment = \ 'sender={0}; client-ip={1}; receiver={2}; mechanism={3}'.format(self.s, \ self.c, self.r, mechanism))])) else: raise SyntaxError('Unknown results header type: {0}'.format(header_type)) def get_header_comment(self, res): """Return comment for Received-SPF header. """ sender = self.o if res == 'pass': return \ "domain of %s designates %s as permitted sender" \ % (sender, self.c) elif res == 'softfail': return \ "transitioning domain of %s does not designate %s as permitted sender" \ % (sender, self.c) elif res == 'neutral': return \ "%s is neither permitted nor denied by domain of %s" \ % (self.c, sender) elif res == 'none': return \ "%s is neither permitted nor denied by domain of %s" \ % (self.c, sender) #"%s does not designate permitted sender hosts" % sender elif res == 'permerror': return \ "permanent error in processing domain of %s: %s" \ % (sender, self.prob) elif res == 'temperror': return \ "temporary error in processing during lookup of %s" % sender elif res == 'fail': return \ "domain of %s does not designate %s as permitted sender" \ % (sender, self.c) raise ValueError("invalid SPF result for header comment: "+res) def split_email(s, h): """Given a sender email s and a HELO domain h, create a valid tuple (l, d) local-part and domain-part. Examples: >>> split_email('', 'wayforward.net') ('postmaster', 'wayforward.net') >>> split_email('foo.com', 'wayforward.net') ('postmaster', 'foo.com') >>> split_email('terry@wayforward.net', 'optsw.com') ('terry', 'wayforward.net') """ if not s: return 'postmaster', h else: parts = s.split('@', 1) if parts[0] == '': parts[0] = 'postmaster' if len(parts) == 2: return tuple(parts) else: return 'postmaster', s def quote_value(s): """Quote the value for a key-value pair in Received-SPF header field if needed. No quoting needed for a dot-atom value. Examples: >>> quote_value('foo@bar.com') '"foo@bar.com"' >>> quote_value('mail.example.com') 'mail.example.com' >>> quote_value('A:1.2.3.4') '"A:1.2.3.4"' >>> quote_value('abc"def') '"abc\\\\"def"' >>> quote_value(r'abc\def') '"abc\\\\\\\\def"' >>> quote_value('abc..def') '"abc..def"' >>> quote_value('') '""' >>> quote_value(None) """ if s is None or RE_DOT_ATOM.match(s): return s return '"' + s.replace('\\',r'\\').replace('"',r'\"' ).replace('\x00',r'\x00') + '"' def parse_mechanism(str, d): """Breaks A, MX, IP4, and PTR mechanisms into a (name, domain, cidr,cidr6) tuple. The domain portion defaults to d if not present, the cidr defaults to 32 if not present. Examples: >>> parse_mechanism('a', 'foo.com') ('a', 'foo.com', None, None) >>> parse_mechanism('exists','foo.com') ('exists', None, None, None) >>> parse_mechanism('a:bar.com', 'foo.com') ('a', 'bar.com', None, None) >>> parse_mechanism('a/24', 'foo.com') ('a', 'foo.com', 24, None) >>> parse_mechanism('A:foo:bar.com/16//48', 'foo.com') ('a', 'foo:bar.com', 16, 48) >>> parse_mechanism('-exists:%{i}.%{s1}.100/86400.rate.%{d}','foo.com') ('-exists', '%{i}.%{s1}.100/86400.rate.%{d}', None, None) >>> parse_mechanism('mx:%%%_/.Claranet.de/27','foo.com') ('mx', '%%%_/.Claranet.de', 27, None) >>> parse_mechanism('mx:%{d}//97','foo.com') ('mx', '%{d}', None, 97) >>> parse_mechanism('iP4:192.0.0.0/8','foo.com') ('ip4', '192.0.0.0', 8, None) """ a = RE_DUAL_CIDR.split(str) if len(a) == 3: str, cidr6 = a[0], int(a[1]) else: cidr6 = None a = RE_CIDR.split(str) if len(a) == 3: str, cidr = a[0], int(a[1]) else: cidr = None a = str.split(':', 1) if len(a) < 2: str = str.lower() if str == 'exists': d = None return str, d, cidr, cidr6 return a[0].lower(), a[1], cidr, cidr6 def reverse_dots(name): """Reverse dotted IP addresses or domain names. Example: >>> reverse_dots('192.168.0.145') '145.0.168.192' >>> reverse_dots('email.example.com') 'com.example.email' """ a = name.split('.') a.reverse() return '.'.join(a) def domainmatch(ptrs, domainsuffix): """grep for a given domain suffix against a list of validated PTR domain names. Examples: >>> domainmatch(['FOO.COM'], 'foo.com') 1 >>> domainmatch(['moo.foo.com'], 'FOO.COM') 1 >>> domainmatch(['moo.bar.com'], 'foo.com') 0 """ domainsuffix = domainsuffix.lower() for ptr in ptrs: ptr = ptr.lower() if ptr == domainsuffix or ptr.endswith('.' + domainsuffix): return True return False def expand_one(expansion, str, joiner): if not str: return expansion ln, reverse, delimiters = RE_ARGS.split(str)[1:4] if not delimiters: delimiters = '.' expansion = split(expansion, delimiters, joiner) if reverse: expansion.reverse() if ln: expansion = expansion[-int(ln)*2+1:] return ''.join(expansion) def split(str, delimiters, joiner=None): """Split a string into pieces by a set of delimiter characters. The resulting list is delimited by joiner, or the original delimiter if joiner is not specified. Examples: >>> split('192.168.0.45', '.') ['192', '.', '168', '.', '0', '.', '45'] >>> split('terry@wayforward.net', '@.') ['terry', '@', 'wayforward', '.', 'net'] >>> split('terry@wayforward.net', '@.', '.') ['terry', '.', 'wayforward', '.', 'net'] """ result, element = [], '' for c in str: if c in delimiters: result.append(element) element = '' if joiner: result.append(joiner) else: result.append(c) else: element += c result.append(element) return result def insert_libspf_local_policy(spftxt, local=None): """Returns spftxt with local inserted just before last non-fail mechanism. This is how the libspf{2} libraries handle "local-policy". Examples: >>> insert_libspf_local_policy('v=spf1 -all') 'v=spf1 -all' >>> insert_libspf_local_policy('v=spf1 -all','mx') 'v=spf1 -all' >>> insert_libspf_local_policy('v=spf1','a mx ptr') 'v=spf1 a mx ptr' >>> insert_libspf_local_policy('v=spf1 mx -all','a ptr') 'v=spf1 mx a ptr -all' >>> insert_libspf_local_policy('v=spf1 mx -include:foo.co +all','a ptr') 'v=spf1 mx a ptr -include:foo.co +all' # FIXME: is this right? If so, "last non-fail" is a bogus description. >>> insert_libspf_local_policy('v=spf1 mx ?include:foo.co +all','a ptr') 'v=spf1 mx a ptr ?include:foo.co +all' >>> spf='v=spf1 ip4:1.2.3.4 -a:example.net -all' >>> local='ip4:192.0.2.3 a:example.org' >>> insert_libspf_local_policy(spf,local) 'v=spf1 ip4:1.2.3.4 ip4:192.0.2.3 a:example.org -a:example.net -all' """ # look to find the all (if any) and then put local # just after last non-fail mechanism. This is how # libspf2 handles "local policy", and some people # apparently find it useful (don't ask me why). if not local: return spftxt spf = spftxt.split()[1:] if spf: # local policy is SPF mechanisms/modifiers with no # 'v=spf1' at the start spf.reverse() #find the last non-fail mechanism for mech in spf: # map '?' '+' or '-' to 'neutral' 'pass' # or 'fail' if not RESULTS.get(mech[0]): # actually finds last mech with default result where = spf.index(mech) spf[where:where] = [local] spf.reverse() local = ' '.join(spf) break else: return spftxt # No local policy adds for v=spf1 -all # Processing limits not applied to local policy. Suggest # inserting 'local' mechanism to handle this properly #MAX_LOOKUP = 100 return 'v=spf1 '+local if sys.version_info[0] == 2: def to_ascii(s): "Raise PermError if arg is not 7-bit ascii." try: return s.encode('ascii') except UnicodeError: raise PermError('Non-ascii characters found',repr(s)) else: def to_ascii(s): "Raise PermError if arg is not 7-bit ascii." try: return s.decode('ascii') except UnicodeError: raise PermError('Non-ascii characters found',repr(s)) def _test(): import doctest, spf return doctest.testmod(spf) DNS.DiscoverNameServers() # Fails on Mac OS X? Add domain to /etc/resolv.conf if __name__ == '__main__': import getopt try: opts,argv = getopt.getopt(sys.argv[1:],"hv",["help","verbose"]) except getopt.GetoptError as err: print(str(err)) print(USAGE) sys.exit(2) verbose = False for o,a in opts: if o in ('-v','--verbose'): verbose = True elif o in ('-h','--help'): print(USAGE) if len(argv) == 0: print(USAGE) _test() elif len(argv) == 1: try: q = query(i='127.0.0.1', s='localhost', h='unknown', receiver=socket.gethostname()) print(q.dns_spf(argv[0])) except TempError as x: print("Temporary DNS error: ", x) except PermError as x: print("PermError: ", x) elif len(argv) == 3: i, s, h = argv q = query(i=i, s=s, h=h,receiver=socket.gethostname(),verbose=verbose) print(q.check(),q.mechanism) if q.perm_error and q.perm_error.ext: print(q.perm_error.ext) if q.iplist: for ip in q.iplist: print(ip) elif len(argv) == 4: i, s, h = argv[1:] q = query(i=i, s=s, h=h, receiver=socket.gethostname(), strict=False, verbose=verbose) print(q.check(argv[0]),q.mechanism) if q.perm_error and q.perm_error.ext: print(q.perm_error.ext) else: print(USAGE) pyspf-2.0.8/pyspf.spec0000644000160600001450000001144112174112153013557 0ustar stuartbms%define __python python2.6 %if "%{dist}" == ".el4" || "%{dist}" == ".el5" %define pythonbase python26 %else %define pythonbase python %endif %{!?python_sitelib: %define python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")} Name: %{pythonbase}-pyspf Version: 2.0.8 Release: 2 Summary: Python module and programs for SPF (Sender Policy Framework). Group: Development/Languages License: Python Software Foundation License URL: http://sourceforge.net/forum/forum.php?forum_id=596908 Source0: pyspf-%{version}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildArch: noarch BuildRequires: %{pythonbase}-devel Requires: %{pythonbase}-pydns, %{pythonbase} >= 2.6 Requires: %{pythonbase}-authres %{pythonbase}-ipaddr >= 2.1.10 %description SPF does email sender validation. For more information about SPF, please see http://openspf.net This SPF client is intended to be installed on the border MTA, checking if incoming SMTP clients are permitted to send mail. The SPF check should be done during the MAIL FROM:<...> command. %define namewithoutpythonprefix %(echo %{name} | sed 's/^%{pythonbase}-//') %prep %setup -q -n %{namewithoutpythonprefix}-%{version} %build %{__python} setup.py build %install rm -rf $RPM_BUILD_ROOT %{__python} setup.py install -O1 --skip-build --root $RPM_BUILD_ROOT mv $RPM_BUILD_ROOT/usr/bin/type99.py $RPM_BUILD_ROOT/usr/bin/type99 mv $RPM_BUILD_ROOT/usr/bin/spfquery.py $RPM_BUILD_ROOT/usr/bin/spfquery rm -f $RPM_BUILD_ROOT/usr/bin/*.py{o,c} %clean rm -rf $RPM_BUILD_ROOT %files %defattr(-,root,root,-) %doc CHANGELOG PKG-INFO README test %{python_sitelib}/spf.py* /usr/bin/type99 /usr/bin/spfquery /usr/lib/python2.6/site-packages/pyspf-%{version}-py2.6.egg-info %changelog * Tue Jul 23 2013 Stuart Gathman 2.0.8-2 - Test case and fix for PermError on non-ascii chars in non-SPF TXT records - Use ipaddr/ipaddress module in place of custom IP processing code - Numerous python3 compatibility fixes - Improved unicode error detection in SPF records - Fixed a bug caused by a null CNAME in cache * Fri Feb 03 2012 Stuart Gathman 2.0.7-1 - fix CNAME chain duplicating TXT records - local test cases for CNAME chains - python3 compatibility changes e.g. print a -> print(a) - check for 7-bit ascii on TXT and SPF records - Use openspf.net for SPF web site instead of openspf.org - Support Authentication-Results header field - Support overall DNS timeout * Thu Oct 27 2011 Stuart Gathman 2.0.6-2 - Python3 port (still requires 2to3 on spf.py) - Ensure Temperror for all DNS rcodes other than 0 and 3 per RFC 4408 - Parse Received-SPF header - Report CIDR error only for valid mechanism - Handle invalid SPF record on command line - Add timeout to check2 - Check for non-ascii policy * Wed Mar 03 2011 Stuart Gathman 2.0.6-1 - Python-2.6 - parse_header method * Wed Apr 02 2008 Stuart Gathman 2.0.5-1 - Add timeout parameter to query ctor and DNSLookup - Patch from Scott Kitterman to retry truncated results with TCP unless harsh - Validate DNS labels - Reflect decision on empty-exp errata * Wed Jul 25 2007 Stuart Gathman 2.0.4-1 - Correct unofficial 'best guess' processing. - PTR validation processing cleanup - Improved detection of exp= errors - Keyword args for get_header, minor fixes * Mon Jan 15 2007 Stuart Gathman 2.0.3-1 - pyspf requires pydns, python-pyspf requires python-pydns - Record matching mechanism and add to Received-SPF header. - Test for RFC4408 6.2/4, and fix spf.py to comply. - Test for type SPF (type 99) by default in harsh mode only. - Permerror for more than one exp or redirect modifier. - Parse op= modifier * Sat Dec 30 2006 Stuart Gathman 2.0.2-1 - Update openspf URLs - Update Readme to better describe available pyspf interfaces - Add basic description of type99.py and spfquery.py scripts - Add usage instructions for type99.py DNS RR type conversion script - Add spfquery.py usage instructions - Incorporate downstream feedback from Debian packager - Fix key-value quoting in get_header * Fri Dec 08 2006 Stuart Gathman 2.0.1-1 - Prevent cache poisoning attack - Prevent malformed RR attack - Update license on a few files we missed last time * Mon Nov 20 2006 Stuart Gathman 2.0-1 - Completed RFC 4408 compliance - Added spf.check2 for RFC 4408 compatible result codes - Full IP6 support - Fedora Core compatible RPM spec file - Update README, licenses * Tue Sep 26 2006 Stuart Gathman 1.8-1 - YAML test suite syntax - trailing dot support (RFC4408 8.1) * Tue Aug 29 2006 Sean Reifschneider 1.7-1 - Initial RPM spec file. pyspf-2.0.8/type99.py0000755000160600001450000001126311655304611013271 0ustar stuartbms#!/usr/bin/python """Type 99 (SPF) DNS conversion script. Copyright (c) 2005,2006 Stuart Gathman Portions Copyright (c) 2007 Scott Kitterman This module is free software, and you may redistribute it and/or modify it under the same terms as Python itself, so long as this copyright message and disclaimer are retained in their original form. IN NO EVENT SHALL THE AUTHOR BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS CODE, EVEN IF THE AUTHOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. THE AUTHOR SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE CODE PROVIDED HEREUNDER IS ON AN "AS IS" BASIS, AND THERE IS NO OBLIGATION WHATSOEVER TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. For more information about SPF, a tool against email forgery, see http://www.openspf.net/""" # Copy Bind zonefiles to stdout, removing TYPE99 RRs and # adding a TYPE99 RR for each TXT RR encountered. # This can be used to maintain SPF records as TXT RRs # in a zonefile until Bind is patched/upgraded to recognize # the SPF RR. After adding/changing/deleting TXT RRs, # filtering through this script will refresh the TYPE99 RRs. # # $Log: type99.py,v $ # Revision 1.4.4.5 2011/11/05 19:07:53 customdesigned # New website openspf.org -> openspf.net # # Revision 1.4.4.4 2011/10/27 04:44:58 kitterma # Update type99.py to work with 2.6, 2.7, and 3.2: # - raise ... as ... # - Add filter to stdin processing # - Modernize output print to use format to get consistent python/python3 output # # Revision 1.4.4.3 2008/03/26 19:01:07 kitterma # Capture Type99.py improvements from trunk. SF #1257140 # # Revision 1.9 2008/03/26 18:56:42 kitterma # Update Type99 script to correctly parse multi-string single line TXT records. # Multi-string/multi-line still fails. # # Revision 1.8 2007/01/26 05:06:41 customdesigned # Tweaks for epydoc. # Design for test in type99.py, test cases. # Null byte test case for quote_value. # # Revision 1.7 2007/01/25 21:59:29 kitterma # Update comments to match bug fix. Include copyright statements. Update sheband. # # Revision 1.6 2007/01/25 21:51:45 kitterma # Fix type99 script for multi-line support (Fixes sourceforge #1257140) # # Revision 1.5 2006/12/16 20:45:23 customdesigned # Move dns drivers to package directory. # # Revision 1.4 2005/08/26 20:53:38 kitterma # Fixed typo in type99 script # # Revision 1.3 2005/08/19 19:06:49 customdesigned # use note_error method for consistent extended processing. # Return extended result, strict result in self.perm_error # # Revision 1.2 2005/07/17 02:46:03 customdesigned # Use of expand not needed. # # Revision 1.1 2005/07/17 02:39:42 customdesigned # Utility to maintain TYPE99 copies of SPF TXT RRs. # import sys import fileinput import re def dnstxt(txt): "Convert data into DNS TXT format (sequence of pascal strings)." r = [] while txt: s,txt = txt[:255],txt[255:] r.append(chr(len(s))+s) return ''.join(r) RE_TXT = re.compile(r'^(?P.*\s)TXT\s"(?Pv=spf1.*)"(?P.*)', re.DOTALL) RE_TYPE99 = re.compile(r'\sTYPE99\s') def filter(fin): for line in fin: if not RE_TYPE99.search(line): yield line m = RE_TXT.match(line) if not m: left = line.split('(') try: right = left[1].split(')') except IndexError as errmsg: right = left[0].split(')') if len(left) == 2: right = left[1] else: left = line.split('(') right = left[0] middlelist = right[0].split('"') middle = '' for fragment in middlelist: if fragment != ' ': middle = middle + fragment line = left[0] + '"' + middle + '"' m = RE_TXT.match(line) if m: phrase = dnstxt(m.group('str')) dns_string = '' list = m.group('str') for st in list: dns_string += st phrase = dnstxt(dns_string) s = m.group('rr') + 'TYPE99 \# %i '%len(phrase) yield s+''.join(["%02x"%ord(c) for c in phrase])+m.group('eol') USAGE="""Usage:\t%s phrase %s -