Package: libspf2-2
Version: 1.2.10-7+b5
Severity: normal

The domain `madduck.net` has a simple SPF policy:

    "v=spf1 ip4:188.174.253.166/32 ip6:2001:a60:902f::bcae:fda6/128 -all"

However, both `policyd-spf` and `spfquery` fail to report a
negative result when email is being delivered from another IP. The
following shows a debug run of `spfquery`, and it yields exactly the
same result as if `policyd-spf` saw a message with those cornerstone
data.


```
% spfquery.libspf2 -ip 130.60.75.242 -sender madd...@madduck.net -rcpt-to martin@tahi.ventures -helo diamond.madduck.net -debug
spf_compile.c:523    Debug: Parsing macro starting at Please%_see%_http://www.openspf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}
spf_compile.c:1210   Debug: Compiling record v=spf1 
spf_dns.c:54         Debug: DNS[cache] lookup: madduck.net TXT (16)
spf_dns.c:54         Debug: DNS[resolv] lookup: madduck.net TXT (16)
spf_dns.c:66         Debug: DNS[resolv] found record
spf_dns.c:69         Debug:     DOMAIN: madduck.net  TYPE: TXT (16)
spf_dns.c:76         Debug:     TTL: 0  RR found: 1  herrno: 0  source: resolv
spf_dns.c:94         Debug:     - TXT: v=spf1 ip4:188.174.253.166/32 -all
spf_dns.c:66         Debug: DNS[cache] found record
spf_dns.c:69         Debug:     DOMAIN: madduck.net  TYPE: TXT (16)
spf_dns.c:76         Debug:     TTL: 0  RR found: 1  herrno: 0  source: resolv
spf_dns.c:94         Debug:     - TXT: v=spf1 ip4:188.174.253.166/32 -all
spf_server.c:402     Debug: get_record(madduck.net): NETDB_SUCCESS
spf_server.c:443     Debug: found SPF record: v=spf1 ip4:188.174.253.166/32 -all
spf_compile.c:1210   Debug: Compiling record v=spf1 ip4:188.174.253.166/32 -all
spf_compile.c:1314   Debug: Name starts at  ip4:188.174.253.166/32 -all
spf_compile.c:1408   Debug: Adding mechanism type 5
spf_compile.c:847    Debug: SPF_c_mech_add: type=5, value=:188.174.253.166/32 -all
spf_compile.c:1314   Debug: Name starts at  all
spf_compile.c:1408   Debug: Adding mechanism type 8
spf_compile.c:847    Debug: SPF_c_mech_add: type=8, value=
spf_interpret.c:491  Debug: ip_match:  130.60.75.242 == 188.174.253.166  (/32 255.255.255.255):  0
--vv--
Context: Main query
Response result: fail
Response reason: mechanism
Response err: No errors
StartError
EndError
--^^--
spf_compile.c:1210   Debug: Compiling record v=spf1 mx:@tahi.ventures
spf_compile.c:1314   Debug: Name starts at  mx:@tahi.ventures
spf_compile.c:1408   Debug: Adding mechanism type 2
spf_compile.c:847    Debug: SPF_c_mech_add: type=2, value=:@tahi.ventures
spf_compile.c:689    Debug: Parsing domainspec starting at @tahi.ventures, cidr is optional
spf_compile.c:523    Debug: Parsing macro starting at @tahi.ventures
spf_dns.c:54         Debug: DNS[cache] lookup: @tahi.ventures MX (15)
spf_dns.c:54         Debug: DNS[resolv] lookup: @tahi.ventures MX (15)
spf_dns_resolv.c:311 Debug: query failed: err = -1  Unknown host (1): @tahi.ventures
spf_dns.c:66         Debug: DNS[resolv] found record
spf_dns.c:69         Debug:     DOMAIN: @tahi.ventures  TYPE: MX (15)
spf_dns.c:76         Debug:     TTL: 0  RR found: 0  herrno: 1  source: resolv
spf_dns.c:66         Debug: DNS[cache] found record
spf_dns.c:69         Debug:     DOMAIN: @tahi.ventures  TYPE: MX (15)
spf_dns.c:76         Debug:     TTL: 0  RR found: 0  herrno: 1  source: resolv
spf_interpret.c:824  Debug: found 0 MX records for @tahi.ventures  (herrno: 1)
--vv--
Context: 2mx query
Response result: neutral
Response reason: default
Response err: No errors
StartError
EndError
--^^--
failneutral
Please see http://www.openspf.org/Why?id=madduck%40madduck.net&ip=130.60.75.242&receiver=spfquery : Reason: default
spfquery: 130.60.75.242 is neither permitted nor denied by domain of madduck.net
Received-SPF: neutral (spfquery: 130.60.75.242 is neither permitted nor denied by domain of madduck.net) client-ip=130.60.75.242; envelope-from=madd...@madduck.net; helo=diamond.madduck.net;
```

-- System Information:
Debian Release: 11.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-6-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_NZ, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8), LANGUAGE=en_NZ:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libspf2-2 depends on:
ii  libc6  2.31-12

libspf2-2 recommends no packages.

libspf2-2 suggests no packages.


-- 
 .''`.   martin f. krafft <madduck@d.o> @martinkrafft
: :'  :  proud Debian developer
`. `'`   http://people.debian.org/~madduck
  `-  Debian - when you have better things to do than fixing systems

Attachment: digital_signature_gpg.asc
Description: Digital GPG signature (see http://martin-krafft.net/gpg/sig-policy/999bbcc4/current)
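
Added example, not part of the original report and not libspf2 code: a Python sketch that evaluates the `ip4`/`ip6`/`all` terms of the policy quoted above for the client IP used in the report, and pulls the per-context results and the final `Received-SPF` result out of `spfquery -debug` output so they can be compared. The function names and the trimmed `SAMPLE` excerpt are assumptions made for illustration; mechanisms that need DNS are not handled.

```python
import ipaddress
import re

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record, client_ip):
    """Evaluate ip4/ip6/all terms left to right (RFC 7208 subset, no DNS)."""
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"                       # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        if name.lower() not in ("ip4", "ip6"):
            raise ValueError(f"mechanism not handled in this sketch: {name}")
        net = ipaddress.ip_network(arg, strict=False)
        if ip.version == net.version and ip in net:
            return QUALIFIERS[qualifier]
    return "neutral"                          # nothing matched: default result

def spfquery_results(debug_output):
    """Return ({context: result}, Received-SPF result) from spfquery -debug text."""
    contexts = {}
    for block in re.findall(r"--vv--\n(.*?)--\^\^--", debug_output, re.S):
        fields = dict(l.split(": ", 1) for l in block.splitlines() if ": " in l)
        contexts[fields["Context"]] = fields["Response result"]
    header = re.search(r"^Received-SPF: (\w+)", debug_output, re.M)
    return contexts, header.group(1) if header else None

# Excerpt of the debug run in this report, trimmed to the lines the parser reads.
SAMPLE = """\
--vv--
Context: Main query
Response result: fail
--^^--
--vv--
Context: 2mx query
Response result: neutral
--^^--
Received-SPF: neutral (spfquery: 130.60.75.242 is neither permitted nor denied
"""
POLICY = "v=spf1 ip4:188.174.253.166/32 ip6:2001:a60:902f::bcae:fda6/128 -all"

if __name__ == "__main__":
    contexts, header = spfquery_results(SAMPLE)
    print("expected:", evaluate_spf(POLICY, "130.60.75.242"))
    print("per context:", contexts, "| reported:", header)
```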
