From: Heiko Schlittermann (HS12-RIPE) Date: Mon, 28 Oct 2019 21:39:24 +0000 (+0100) Subject: SPF: fix the explanation URL X-Git-Url: https://git.exim.org/users/heiko/exim.git/commitdiff_plain/05e4f4dea8e993a6ad0f4e6cba092226155bc6e1 SPF: fix the explanation URL But - I'm not sure if the /Why? API still works as expected. Needs further testing --- diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index 7d9281e40..bca6689b6 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -40342,8 +40342,12 @@ for more information of what they mean. SPF is a mechanism whereby a domain may assert which IP addresses may transmit messages with its domain in the envelope from, documented by RFC 7208. -For more information on SPF see &url(http://www.openspf.org). -. --- 2018-09-07: still not https +For more information on SPF see &url(http://www.open-spf.org), a static copy of +the &url(http://openspf.org). +. --- 2019-10-28: still not https, open-spf.org is told to be a +. --- web-archive copy of the now dead openspf.org site +. --- See https://www.mail-archive.com/mailop@mailop.org/msg08019.html for a +. --- discussion. Messages sent by a system not authorised will fail checking of such assertions. This includes retransmissions done by traditional forwarders. @@ -40406,7 +40410,7 @@ deny spf = fail message = $sender_host_address is not allowed to send mail from \ ${if def:sender_address_domain \ {$sender_address_domain}{$sender_helo_name}}. \ - Please see http://www.openspf.org/Why?scope=\ + Please see http://www.open-spf.org/Why?scope=\ ${if def:sender_address_domain {mfrom}{helo}};\ identity=${if def:sender_address_domain \ {$sender_address}{$sender_helo_name}};\ @@ -40459,9 +40463,9 @@ In addition to SPF, you can also perform checks for so-called "Best-guess". Strictly speaking, "Best-guess" is not standard SPF, but it is supported by the same framework that enables SPF capability. -Refer to &url(http://www.openspf.org/FAQ/Best_guess_record) +Refer to &url(http://www.open-spf.org/FAQ/Best_guess_record) for a description of what it means. -. --- 2018-09-07: still not https: +. --- 2019-10-28: still not https: To access this feature, simply use the spf_guess condition in place of the spf one. For example: diff --git a/src/src/spf.c b/src/src/spf.c index 1aa68f181..1955b5d96 100644 --- a/src/src/spf.c +++ b/src/src/spf.c @@ -165,6 +165,12 @@ if (!(spf_server = SPF_server_new_dns(dc, debug))) DEBUG(D_receive) debug_printf("spf: SPF_server_new() failed.\n"); return FALSE; } + /* Quick hack to override the outdated explanation URL. + See https://www.mail-archive.com/mailop@mailop.org/msg08019.html */ + SPF_server_set_explanation(spf_server, "Please%_see%_http://www.open-spf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}", &spf_response); + if (SPF_response_errcode(spf_response) != SPF_E_SUCCESS) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s", SPF_strerror(SPF_response_errcode(spf_response))); + return TRUE; } diff --git a/test/log/4600 b/test/log/4600 index 195cb4b7b..1e8af6531 100644 --- a/test/log/4600 +++ b/test/log/4600 @@ -18,7 +18,7 @@ 1999-03-02 09:44:33 Authentication-Results: myhost.test.ex;\n spf=pass smtp.mailfrom=example.com 1999-03-02 09:44:33 spf_result neutral (guess ) 1999-03-02 09:44:33 spf_header_comment myhost.test.ex: ip4.ip4.ip4.ip4 is neither permitted nor denied by domain of test.example.com -1999-03-02 09:44:33 spf_smtp_comment Please see http://www.openspf.org/Why?id=b%40test.example.com&ip=ip4.ip4.ip4.ip4&receiver=myhost.test.ex : Reason: mechanism +1999-03-02 09:44:33 spf_smtp_comment Please see http://www.open-spf.org/Why?id=b%40test.example.com&ip=ip4.ip4.ip4.ip4&receiver=myhost.test.ex : Reason: mechanism 1999-03-02 09:44:33 spf_received Received-SPF: neutral (myhost.test.ex: ip4.ip4.ip4.ip4 is neither permitted nor denied by domain of test.example.com) client-ip=ip4.ip4.ip4.ip4; envelope-from=b@test.example.com; helo=testclient; 1999-03-02 09:44:33 Authentication-Results: myhost.test.ex;\n spf=neutral (best guess record for domain) smtp.mailfrom=test.example.com 1999-03-02 09:44:33 H=(testclient) [ip4.ip4.ip4.ip4] F= rejected RCPT