Bug#606000: libmail-spf-query-perl: Incorrect query results with IPv6 addresses; should warn about missing IPv6 support and/or fail graciously

gregor herrmann gregoa at debian.org
Sun Dec 5 17:14:03 UTC 2010


On Sun, 05 Dec 2010 13:37:19 +0100, Torsten Jerzembeck wrote:

> Using Mail::SPF::Query with an IPv6 enabled mailserver (increasingly
> common today, and bound to get even more common due to the shortage of
> IPv4 addresses) leads to mail being blocked incorrectly.

Could you please give an example of a domain/mailserver which uses
IPv6 and SPF? I'd like to do some tests and it would be easier with
an example :)
 
> The "spfquery" helper script used in the example configuration for exim4

Hm, the file shipped in the package
(/usr/share/doc/libmail-spf-query-perl/examples/exim-acl) doesn't use
spfquery but spfd. #376545 suggests an alternative which uses
spfquery.

> interprets any supplied IPv6 address as an IPv4 address and tries to
> match it against the "ip4" part of SPF information. This obviously fails
> and leads to incorrectly blocked/rejected mail if the SPF policy uses "fail"
> instead of "softfail".

Right, this is definitely a bug (line 436):

  my $query = new Mail::SPF::Query (ipv4       => $opt{ip},

> The missing IPv6 support is documented in the "BUGS" section of the
> Mail::SPF::Query manpage, but not in any documentation for "spfquery"
> itself. In addition, "spfquery" or Mail::SPF::Query do not report any
> error when being supplied with an IPv6 address. 

spfquery doesn't but Mail::SPF::Query itself should, at least that's
my assumption after looking quickly through the code.

Quick test: if I change "ipv4" to "ip" in the above line in spfquery,
I end up with an error:

$ PERL5LIB=lib bin/spfquery -i 82.150.197.85 -m comodo.priv.at -h colleen.colgarra.priv.at
pass
Please see http://www.openspf.org/why.html?sender=comodo.priv.at&ip=82.150.197.85&receiver=spfquery: comodo.priv.at MX colleen.colgarra.priv.at A 82.150.197.85
spfquery: domain of comodo.priv.at designates 82.150.197.85 as permitted sender
Received-SPF: pass (spfquery: domain of comodo.priv.at designates 82.150.197.85 as permitted sender) client-ip=82.150.197.85; envelope-from=comodo.priv.at; helo=colleen.colgarra.priv.at;

$ PERL5LIB=lib bin/spfquery -i 2a02:5d8:192::201 -m comodo.priv.at -h colleen.colgarra.priv.at
no IP address given at lib/Mail/SPF/Query.pm line 255.

$ echo $?
255

From lib/Mail/SPF/Query.pm:

51      my $looks_like_ipv4  = qr/\d+\.\d+\.\d+\.\d+/;

232       $query->{ipv4} = delete $query->{ip}
233         if defined($query->{ip}) and $query->{ip} =~ $looks_like_ipv4;

254       if (not ($query->{ipv4} and length $query->{ipv4})) {
255         die "no IP address given";
256       }

> As IPv6 deployments are
> getting increasingly common, the script and/or the module should display
> an error message in this case or should at least fail graciously. In
> addition, a prominent warning should be displayed about the inability
> to deal with IPv6 addresses.

Right, the current situation is not satisfactory.

Cheers,
gregor

-- 
 .''`.   http://info.comodo.priv.at/ -- GPG key IDs: 0x8649AA06, 0x00F3CFE4
 : :' :  Debian GNU/Linux user, admin, & developer - http://www.debian.org/
 `. `'   Member of VIBE!AT & SPI, fellow of Free Software Foundation Europe
   `-    NP: James Taylor: How Sweet It Is (To Be Loved By You)
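
An added example, not code from this message or from Mail::SPF::Query: one way a caller could classify the client address before handing it to an IPv4-only SPF check, so that an IPv6 client produces an explicit "unsupported" outcome instead of a false "fail". The names classify_client_ip and spf_gate and the "unsupported" policy are assumptions, and it assumes a Socket module that exports inet_pton and inet_ntop.

```perl
use strict;
use warnings;
use Socket qw(inet_pton inet_ntop AF_INET AF_INET6);

my $V4MAPPED_PREFIX = ("\0" x 10) . "\xff\xff";   # ::ffff:0:0/96

# Classify a client address for an SPF library that only evaluates IPv4.
# Returns (family, address): ('ipv4', dotted quad), ('ipv6', text) or ().
# inet_pton parses the whole string, unlike the unanchored regex below.
sub classify_client_ip {
    my ($text) = @_;
    return unless defined $text and length $text;
    return ('ipv4', $text) if defined inet_pton(AF_INET, $text);
    my $packed = inet_pton(AF_INET6, $text);
    return unless defined $packed;
    # IPv4-mapped IPv6 is the IPv4 address it wraps (RFC 4408, section 5).
    return ('ipv4', inet_ntop(AF_INET, substr($packed, 12)))
        if substr($packed, 0, 12) eq $V4MAPPED_PREFIX;
    return ('ipv6', $text);
}

# Gate in front of the IPv4-only check (hypothetical helper):
#   'query'       hand the returned address to the library
#   'unsupported' produce no SPF verdict (assumed policy: never reject on it)
#   'invalid'     the caller passed something that is not an IP address
sub spf_gate {
    my ($family, $addr) = classify_client_ip($_[0]);
    return ('invalid', undef) unless defined $family;
    return ('query', $addr)   if $family eq 'ipv4';
    return ('unsupported', $addr);
}

my $looks_like_ipv4 = qr/\d+\.\d+\.\d+\.\d+/;   # as quoted from Query.pm line 51

# Constructed inputs; the first two addresses are the ones used in the message.
for my $ip ('82.150.197.85', '2a02:5d8:192::201',
            '::ffff:82.150.197.85', '82.150.197') {
    my ($action, $addr) = spf_gate($ip);
    printf "%-22s regex:%-3s gate:%-11s %s\n", $ip,
        ($ip =~ $looks_like_ipv4 ? 'yes' : 'no'), $action, $addr // '-';
}
```

The third input shows where the quoted regex and the gate differ: the unanchored regex matches the whole IPv4-mapped string, while the gate extracts the embedded IPv4 address before anything is queried.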