28 août 2019 12:26 "Gilles Chehade" <gil...@poolp.org> a écrit:
> On Wed, Aug 28, 2019 at 10:33:29AM +0200, Martijn van Duren wrote: > >> On 8/28/19 9:23 AM, gil...@poolp.org wrote: >> 28 ao??t 2019 09:04 "Martijn van Duren" <openbsd+t...@list.imperialat.at> a >> ??crit: >> >> Currently looking into writing an spf filter based on libopensmtpd. >> While working through the spec I found in RFC7208 section 7.3 that: >> The "r" macro expands to the name of the receiving MTA. >> In other words the hostname presented in the banner. Unfortunately we >> also support the hostnames directive, which supports ip-hostname >> mappings via dynamic tables, which makes it impossible to transfer via >> "config|". >> >> This is a major change that can break (and in the case of libopensmtpd >> will break) parsers. We're currently at 0.1, so I don't know if we want >> push it to 1 just yet, or if we want to call 1 release-stable and just >> bump it to 0.2 for now since we don't have a release yet with filters. >> >> thoughts? >> >> I'm sorry but I'm unsure I understand what you're trying to do with the >> banner, >> can you explain ? >> >> If there's need for the hostname presented in the banner to be passed to >> filters, >> which makes sense, it needs its own reporting event which is basically the >> server >> side of the link-identify event. >> >> One thing for sure, you can't put that info in the link-connect event >> because the >> banner is displayed _after_ link-connect and while in smtp-in we already >> know the >> hostname we'll use in the banner, this isn't the case for smtp-out which >> will not >> be able to infer that information before actually seeing the banner. >> >> So the diff below implements report|link-greeting >> >> I haven't implemented the smtp-out case, since none of the smtp-out >> cases appear to be currently implemented. >> >> Does this read better? > > No sorry, I'm very confused :-) > > Let me explain my understanding just to make sure we're talking about > the same thing. > > You said: > >> spf has an "exp" modifier, which allows the reject message to be >> specified by the spf administrator. To do so it can utilize several >> macros. One option being "%{r}", which expands to: >> domain name of host performing the check. > > So my understanding is that you'd like a filter to be able to use the > result from an SPF lookup to reject a message in your filter and have > the hostname that was used in the banner part of the message. > > If that's so, I think the diff below is both not enough and a bit too > specific, preventing filters with different use-cases than yours from > using the information as easily: > > 1- first, i think your report event is too specific, keep in mind the > report events are used to build the internal state of the session, > so that you can basically duplicate struct smtp_session from smtpd > in a filter. the textstring part here is not really related to the > state of the session more than it is related to your use-case. > > 2- then, your use case is to allow rejecting with a custom message so > this can't be done with report events, which are informative, this > requires a filter event which allow taking decisions (like reject, > in this case). So I think that what's missing here is a phase that > allows filters to take a decision before printing the banner and I > think THIS is where your textstring goes, the filter receives that > report event with the hostname, it receives the filter request for > the banner and it can decide to write a custom banner. > > I may want to write filters that keep track of the hostname for which > the MX is operating and that do not necessarily do anything at banner > so to me tying banner stuff outside of a banner phase is not correct. > > Does it make sense ? > By the way, as a side note, I already had a use-case which required a banner filtering phase to allow rejecting at banner and which doesn't need the server hostname so this tends to go in favour of what I said above: my filter would not register to receive the server hostname because I don't care about that, but I'd still need to get the banner so I will be able to take a decision to disconnect with a different message.