> On Mar 31, 2021, at 1:09 PM, David Bürgin <dbuer...@gluet.ch> wrote:
> 
> Dominic Raferd:
>> On 31/03/2021 17:29, Benny Pedersen wrote:
>>> On 2021-03-31 18:21, Dan Mahoney wrote:
>>> 
>>>>> problem is your setup used Sender-ID which is long time deprecated
>>>> Why would you advise not using libspf2?
>>> at least not in opendmarc, sid-milter is imho fine
>>> 
>>> but it builds in both cases of deprecated Sender-ID
>> opendmarc's internal spf checking with libspf2 works fine with versions 
>> 1.3.2 or higher, so you don't need to use an external spf checker (unless 
>> you want such for another purpose).
> 
> Yeah, I found libspf2 as used in OpenDMARC to be reliable enough. But
> it’s true that it was written for now obsolete RFC 4408. For example,
> the ‘void lookup limit’ is not implemented in libspf2.

To be clear, that’s a SHOULD, RECOMMENDED implementation detail, not a MUST.

That said, yeah it would be nice if LibSPF2 were updated to reflect the most 
recent RFC.

In OpenDMARC, we’re generally recommending that everyone use LibSPF2 (or 
something else) and not rely on the inbuilt SPF libs (and may even rip them out 
at some point), but we don’t want to do that between a 1.4.0 and a 1.4.1 
release.  There’s also been a CVE raised because pypolicyd trusts the HELO 
string, which causes opendmarc to return a false pass.

I’m the FreeBSD port maintainer for opendmarc — if someone hasn’t packaged your 
milter for FreeBSD, we should talk.

-Dan
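
The "void lookup limit" discussed in this thread (RFC 7208, section 4.6.4), as an added example that is not code from libspf2, OpenDMARC or anyone in the thread. The zone data, the names and the simplified `a:`/`ip4:` handling are constructed assumptions; it compares a checker that enforces the limit with one that does not.

```python
# ZONE is constructed sample data standing in for DNS; nothing is queried.
VOID_LIMIT = 2     # default that RFC 7208 recommends
LOOKUP_LIMIT = 10  # RFC 7208 cap on DNS-querying terms

ZONE = {  # (name, type) -> answers; a missing key models NXDOMAIN
    ("ok.example", "TXT"): ["v=spf1 a:mail.ok.example -all"],
    ("mail.ok.example", "A"): ["192.0.2.10"],
    ("void.example", "TXT"): ["v=spf1 a:n1.void.example a:n2.void.example a:n3.void.example ip4:192.0.2.10 -all"],
    ("n2.void.example", "A"): [],  # NOERROR with an empty answer section
}

class PermError(Exception): pass

class Evaluator:
    def __init__(self, void_limit=VOID_LIMIT):
        self.void_limit = void_limit  # None models a checker without the limit
        self.lookups = self.voids = 0

    def query(self, name, rrtype):
        answers = ZONE.get((name, rrtype), [])
        if not answers:  # NXDOMAIN and empty answers both count as void
            self.voids += 1
            if self.void_limit is not None and self.voids > self.void_limit:
                raise PermError("void lookup limit exceeded")
        return answers

    def check(self, ip, domain):
        record = next((t for t in ZONE.get((domain, "TXT"), [])
                       if t.startswith("v=spf1")), None)
        if record is None:
            return "none"
        for term in record.split()[1:]:
            if term.startswith("ip4:") and term[4:] == ip:  # exact match only
                return "pass"
            elif term.startswith("a:"):
                self.lookups += 1
                if self.lookups > LOOKUP_LIMIT:
                    raise PermError("DNS lookup limit exceeded")
                if ip in self.query(term[2:], "A"):
                    return "pass"
            elif term == "-all":
                return "fail"
        return "neutral"

def spf_result(ip, domain, void_limit=VOID_LIMIT):
    try:
        return Evaluator(void_limit).check(ip, domain)
    except PermError:
        return "permerror"
```

With the limit enforced, the record at `void.example` ends in `permerror` on its third void lookup; with `void_limit=None` the same record is evaluated to the end and the sender passes.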
