Plugin details: qmail-spp-spf 

qmail-spp-spf details

   This is an implementation of SPF as a qmail-spp module.  It requires
   libspf2.  For more information, consult:

     http://www.openspf.org/
     http://qmail-spp.sourceforge.net/
     http://www.libspf2.org/

   If an SPF record is not found or cannot be processed, a fallback SPF
   record of "v=spf1 mx -all" can be used to test whether the client is
   listed in the MX records of the envelope domain.
   
   Compile the plugin using something like:

     gcc -Wall -o qmail-spp-spf qmail-spp-spf.c -lspf2 -I/usr/include/spf2

   Put the binary in the qmail plugins directory (e.g. "/var/qmail/plugins")
   and add it to the smtpplugins file (e.g. "/var/qmail/control/smtpplugins")
   after the [mail] section header:

     [mail]
     plugins/qmail-spp-spf

   If the "RELAYCLIENT" environment variable (envar) is set, this module
   exits without doing anything, since the client has permission to relay.

   IPv6 is supported if TCPREMOTEIP contains an IPv6 address or if
   TCP6REMOTEIP envar is set.

   Set these envars as desired to instruct the module how to handle each SPF
   result.  Only envars defined will be used.

     SPP_SPF_NO_RESULT          - Used if both SPF and MX checks can't be done.

     SPP_SPF_RESULT_NEUTRAL    \
     SPP_SPF_RESULT_PASS       |
     SPP_SPF_RESULT_FAIL       |- Refer to http://www.openspf.org/ for
     SPP_SPF_RESULT_SOFTFAIL   |  definitions.
     SPP_SPF_RESULT_NONE       |
     SPP_SPF_RESULT_TEMPERROR  |
     SPP_SPF_RESULT_PERMERROR  /

     SPP_SPF_MX_RESULT_PASS    \  If any set, MX check of sender is done when
     SPP_SPF_MX_RESULT_FAIL    |- SPF record doesn't exist or SPF check result
     SPP_SPF_MX_RESULT_UNKNOWN /  is None, PermError, TempError or invalid.

   Possible settings of the above envars are taken from
   http://qmail-spp.sourceforge.net/doc/ :

     Command       Description
     -----------------------------------------------------------------------
     A             accept mail - turn off qmail-spp in this session
     N             next - accept current SMTP command (do not execute
                   remaining plugins for this command)
     O             ok - like N, but omits qmail checks in MAIL and RCPT
     Emsg          error - do not accept this SMTP command and immediately
                   send msg to the client
     LMmsg         later, mail - like E, but shows error after MAIL command
     LRmsg         later, rcpt - like E, but shows error after RCPT command
     LDmsg         later, data - like E, but shows error after DATA command
     Rmsg          reject mail - send msg to the client and drop connection
     D             drop connection immediately, without printing anything
     Svar=value    set environmental variable var to value
     Uvar          unset var variable
     Hcontent      header - add header content (eg. X-Spam-Flag: YES)
     Cfoo@bar.com  change last address provided by the client to foo@bar.com
                   (MAIL FROM or RCPT TO address)
     Pmsg          print - send msg to the client

   Multiple commands are separated by a comma or a carriage return.  Be
   careful not to include a comma for any other reason.

   Except for the SPP_SPF_NO_RESULT and SPP_SPF_MX_RESULT_xx envars, if any
   envars include the special string "spf_smtp_msg" then "spf_smtp_msg" will
   be replaced by the output of libspf2's SPF_response_get_smtp_comment()
   function.  For example:

     SPP_SPF_RESULT_FAIL="E550 spf_smtp_msg"
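
   The command-list handling described above, sketched in C as an added
   example (not the plugin's own code): expand_spp_commands is a hypothetical
   helper, the message text is constructed, and substituting after the split
   is this sketch's assumption.

```c
#include <stdio.h>
#include <string.h>

#define SPF_TOKEN "spf_smtp_msg"

/* Hypothetical helper: expand one SPP_SPF_* value into qmail-spp command
 * lines in `out`. Splits on ',' or '\r'; when smtp_msg is non-NULL the first
 * spf_smtp_msg in each command is replaced by it (pass NULL for NO_RESULT /
 * MX_RESULT envars). Returns the command count, or -1 on a short buffer. */
int expand_spp_commands(const char *value, const char *smtp_msg,
                        char *out, size_t outlen)
{
    size_t used = 0;
    int count = 0;
    if (outlen > 0) out[0] = '\0';
    for (const char *p = value; *p; ) {
        size_t len = strcspn(p, ",\r");          /* length of one command */
        if (len > 0) {
            char cmd[512];
            int n;
            if (len >= sizeof cmd) return -1;
            memcpy(cmd, p, len);
            cmd[len] = '\0';
            char *tok = smtp_msg ? strstr(cmd, SPF_TOKEN) : NULL;
            if (tok)   /* splice: text before token + message + text after */
                n = snprintf(out + used, outlen - used, "%.*s%s%s\n",
                             (int)(tok - cmd), cmd, smtp_msg,
                             tok + strlen(SPF_TOKEN));
            else
                n = snprintf(out + used, outlen - used, "%s\n", cmd);
            if (n < 0 || (size_t)n >= outlen - used) return -1;
            used += (size_t)n;
            count++;
        }
        p += len;
        if (*p) p++;                             /* skip the separator */
    }
    return count;
}

int main(void)
{
    char buf[256];
    /* Constructed value: the stray comma yields a malformed 2nd command. */
    if (expand_spp_commands("E550 denied, spf_smtp_msg", "constructed reason",
                            buf, sizeof buf) > 0)
        fputs(buf, stdout);
    return 0;
}
```

   The second output line starts with a space rather than a command letter,
   which is why a comma must not appear inside a message.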

   If the actual SPF query can be done, this module also sets the
   environment variable SPP_SPF_RESULT to one of the following (via the
   qmail-spp 'S' command):

     pass
     fail
     softfail
     neutral
     none
     permerror
     temperror

   In addition, a "Received-SPF:" header is added to the message via the
   qmail-spp 'H' command when the SPF query is able to be done.

   It is okay to leave a particular SPP_SPF_xxx envar unset.  If that
   particular case is hit, the module will only return the
   "SSPP_SPF_RESULT=" and "HReceived-SPF:" commands if the SPF query is done.

   If the SPP_SPF_DONT_ALLOW_RANDOM_IP_PASS envar is set, then when an SPF pass
   result is obtained, two random IP addresses will also be tried to see if the
   SPF definition is passing everything as if "+all" is declared.  If the two
   random IP addresses also receive a pass from the SPF library, then the
   original pass is ignored.

   Example:

      In /etc/tcprules.d/tcp.qmail-smtp change ":allow" line to be as follows:

         :allow,SPP_SPF_RESULT_PASS="HX-Spam-Flag: No,A",SPP_SPF_RESULT_FAIL= \
"E550 spf_smtp_msg",SPP_SPF_NO_RESULT="SSPF_MODULE_FAILED=1"

      or

         :allow,SPP_SPF_RESULT_PASS="A",SPP_SPF_MX_RESULT_PASS="A"

      (Be sure to rebuild tcp.qmail-smtp.cdb after modification, such as with
      "make" or "tcprules" commands.)


Author: Chris Caputo
Added on: 2008-11-12
URL: https://www.caputo.com/foss/qmail-spp-spf/



Copyright © 2004-2008 Paweł Foremski

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license can be found here.