Package: libspf2-2
Version: 1.2.10-7+b5
Severity: normal

The domain `madduck.net` has a simple SPF policy:

"v=spf1 ip4:188.174.253.166/32 ip6:2001:a60:902f::bcae:fda6/128 -all"

However, both `policyd-spf` as well as `spfquery` fail to report a negative result when email is being delivered from another IP. The following shows a debug run of `spfquery`, and it yields exactly the same result as if `policyd-spf` saw a message with those cornerstone data.

```
% spfquery.libspf2 -ip 130.60.75.242 -sender madd...@madduck.net -rcpt-to martin@tahi.ventures -helo diamond.madduck.net -debug
spf_compile.c:523 Debug: Parsing macro starting at Please%_see%_http://www.openspf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}
spf_compile.c:1210 Debug: Compiling record v=spf1
spf_dns.c:54 Debug: DNS[cache] lookup: madduck.net TXT (16)
spf_dns.c:54 Debug: DNS[resolv] lookup: madduck.net TXT (16)
spf_dns.c:66 Debug: DNS[resolv] found record
spf_dns.c:69 Debug: DOMAIN: madduck.net TYPE: TXT (16)
spf_dns.c:76 Debug: TTL: 0 RR found: 1 herrno: 0 source: resolv
spf_dns.c:94 Debug: - TXT: v=spf1 ip4:188.174.253.166/32 -all
spf_dns.c:66 Debug: DNS[cache] found record
spf_dns.c:69 Debug: DOMAIN: madduck.net TYPE: TXT (16)
spf_dns.c:76 Debug: TTL: 0 RR found: 1 herrno: 0 source: resolv
spf_dns.c:94 Debug: - TXT: v=spf1 ip4:188.174.253.166/32 -all
spf_server.c:402 Debug: get_record(madduck.net): NETDB_SUCCESS
spf_server.c:443 Debug: found SPF record: v=spf1 ip4:188.174.253.166/32 -all
spf_compile.c:1210 Debug: Compiling record v=spf1 ip4:188.174.253.166/32 -all
spf_compile.c:1314 Debug: Name starts at ip4:188.174.253.166/32 -all
spf_compile.c:1408 Debug: Adding mechanism type 5
spf_compile.c:847 Debug: SPF_c_mech_add: type=5, value=:188.174.253.166/32 -all
spf_compile.c:1314 Debug: Name starts at all
spf_compile.c:1408 Debug: Adding mechanism type 8
spf_compile.c:847 Debug: SPF_c_mech_add: type=8, value=
spf_interpret.c:491 Debug: ip_match: 130.60.75.242 == 188.174.253.166 (/32 255.255.255.255): 0
--vv--
Context: Main query
Response result: fail
Response reason: mechanism
Response err: No errors
StartError
EndError
--^^--
spf_compile.c:1210 Debug: Compiling record v=spf1 mx:@tahi.ventures
spf_compile.c:1314 Debug: Name starts at mx:@tahi.ventures
spf_compile.c:1408 Debug: Adding mechanism type 2
spf_compile.c:847 Debug: SPF_c_mech_add: type=2, value=:@tahi.ventures
spf_compile.c:689 Debug: Parsing domainspec starting at @tahi.ventures, cidr is optional
spf_compile.c:523 Debug: Parsing macro starting at @tahi.ventures
spf_dns.c:54 Debug: DNS[cache] lookup: @tahi.ventures MX (15)
spf_dns.c:54 Debug: DNS[resolv] lookup: @tahi.ventures MX (15)
spf_dns_resolv.c:311 Debug: query failed: err = -1 Unknown host (1): @tahi.ventures
spf_dns.c:66 Debug: DNS[resolv] found record
spf_dns.c:69 Debug: DOMAIN: @tahi.ventures TYPE: MX (15)
spf_dns.c:76 Debug: TTL: 0 RR found: 0 herrno: 1 source: resolv
spf_dns.c:66 Debug: DNS[cache] found record
spf_dns.c:69 Debug: DOMAIN: @tahi.ventures TYPE: MX (15)
spf_dns.c:76 Debug: TTL: 0 RR found: 0 herrno: 1 source: resolv
spf_interpret.c:824 Debug: found 0 MX records for @tahi.ventures (herrno: 1)
--vv--
Context: 2mx query
Response result: neutral
Response reason: default
Response err: No errors
StartError
EndError
--^^--
failneutral
Please see http://www.openspf.org/Why?id=madduck%40madduck.net&ip=130.60.75.242&receiver=spfquery : Reason: default
spfquery: 130.60.75.242 is neither permitted nor denied by domain of madduck.net
Received-SPF: neutral (spfquery: 130.60.75.242 is neither permitted nor denied by domain of madduck.net) client-ip=130.60.75.242; envelope-from=madd...@madduck.net; helo=diamond.madduck.net;
```

-- System Information:
Debian Release: 11.0
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-6-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_NZ, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8), LANGUAGE=en_NZ:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libspf2-2 depends on:
ii libc6 2.31-12

libspf2-2 recommends no packages.

libspf2-2 suggests no packages.

--
 .''`.   martin f. krafft <madduck@d.o> @martinkrafft
: :'  :  proud Debian developer
`. `'`   http://people.debian.org/~madduck
  `-  Debian - when you have better things to do than fixing systems
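An independent cross-check of what the quoted policy should yield for the client IP used in the debug run. This is an added example, not part of the original report and not libspf2 code: a minimal evaluator covering only the `ip4`, `ip6` and `all` mechanisms of RFC 7208, with `evaluate_spf` and `QUALIFIERS` being names chosen for this sketch.

```python
import ipaddress

# Result for each mechanism qualifier as defined by RFC 7208.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, client_ip):
    """Evaluate an SPF record restricted to ip4, ip6 and all mechanisms.

    Returns the result of the first matching mechanism, "neutral" when no
    mechanism matches, "none" when the text is not an SPF record, and
    "permerror" for syntax this sketch does not handle (anything needing DNS).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all" and not arg:
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if net.version != int(name[2]):
                return "permerror"  # e.g. an IPv6 literal under ip4:
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"
    return "neutral"


# Policy and addresses as quoted in the report above.
POLICY = "v=spf1 ip4:188.174.253.166/32 ip6:2001:a60:902f::bcae:fda6/128 -all"

if __name__ == "__main__":
    for addr in ("130.60.75.242", "188.174.253.166", "2001:a60:902f::bcae:fda6"):
        print(addr, evaluate_spf(POLICY, addr))
```

For `130.60.75.242` this returns `fail`, matching the "Main query" result in the debug output rather than the final `neutral` that `spfquery` reports.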