mail/libspf2-10 Vulnerable, use mail/libspf2 instead

mail/postfix-policyd-spf Relies on vulnerable mail/libspf2-10
Doug Barton 2011-09-09 08:20:59 +00:00
parent 7626bb39cb
commit de3193618a
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=281487
12 changed files with 2 additions and 284 deletions

2
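--- a/MOVED
+++ b/MOVED
@@ -2639,3 +2639,5 @@ games/xshisen||2011-09-07|Has expired: No more public distfiles
 games/slige||2011-09-07|Has expired: No more public distfiles
 games/wmtimebomb||2011-09-07|Has expired: No more public distfiles
 net-mgmt/cfgstoragemk||2011-09-07|Has expired: No more public distfiles
+mail/libspf2-10||2011-09-09|Vulnerable, use mail/libspf2 instead
+mail/postfix-policyd-spf||2011-09-09|Relies on vulnerable mail/libspf2-10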
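Review bot: The new `mail/libspf2-10` entry leaves the destination field (the second `|`-separated column) empty, although its reason text names `mail/libspf2` as the replacement. Port-management tools that consult MOVED act on the destination field rather than the free-text reason, so a host that still has the vulnerable 1.0.4 library installed is told only that the port was removed. If the newer library is an acceptable upgrade path for its consumers (the deleted Makefile's `CONFLICTS= ${PORTNAME}-1.2.*` suggests a different release line, so this needs confirming), the entry could read `mail/libspf2-10|mail/libspf2|2011-09-09|Vulnerable, use mail/libspf2 instead`. Otherwise the empty field is the safer choice, and the reason text is the only pointer an administrator gets.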


@ -233,7 +233,6 @@
SUBDIR += libspamtest
SUBDIR += libspf
SUBDIR += libspf2
SUBDIR += libspf2-10
SUBDIR += libsrs2
SUBDIR += libsrs_alt
SUBDIR += libvmime
@ -518,7 +517,6 @@
SUBDIR += postfix-gps
SUBDIR += postfix-logwatch
SUBDIR += postfix-policyd-sf
SUBDIR += postfix-policyd-spf
SUBDIR += postfix-policyd-spf-perl
SUBDIR += postfix-policyd-spf-python
SUBDIR += postfix-policyd-weight


@ -1,29 +0,0 @@
# New ports collection makefile for: libspf2
# Date created: 07 July 2004
# Whom: snowchyld
#
# $FreeBSD$
#
PORTNAME= libspf2
PORTVERSION= 1.0.4
PORTREVISION= 1
CATEGORIES= mail
MASTER_SITES= http://www.libspf2.org/%SUBDIR%/
MASTER_SITE_SUBDIR= spf
MAINTAINER= mnag@FreeBSD.org
COMMENT= Sender Rewriting Scheme 2 C Implementation
DEPRECATED= Vulnerable as of 2008-10-27 http://portaudit.freebsd.org/2ddbfd29-a455-11dd-a55e-00163e000016.html
EXPIRATION_DATE= 2011-09-09
CONFLICTS= ${PORTNAME}-1.2.*
LATEST_LINK= ${PORTNAME}-${PORTVERSION:S/.//:R}
USE_AUTOTOOLS= libtool
USE_LDCONFIG= yes
GNU_CONFIGURE= yes
.include <bsd.port.mk>


@ -1,2 +0,0 @@
SHA256 (libspf2-1.0.4.tar.gz) = 222803a98d1e86ac7eee9491beb5fbf30e259a3c74cd4166bda1796374c26cd1
SIZE (libspf2-1.0.4.tar.gz) = 427613


@ -1,10 +0,0 @@
libspf2 implements the Sender Policy Framework, a part of the SPF/SRS
protocol pair. libspf2 is a library which allows email systems such as
Sendmail, Postfix, Exim, Zmailer and MS Exchange to check SPF records
and make sure that the email is authorized by the domain name that it
is coming from. This prevents email forgery, commonly used by spammers,
scammers and email viruses/worms.
WWW: http://www.libspf2.org/
snowchyld <mail-libsrs2-freebsd-ports@snowchyld.org>


@ -1,23 +0,0 @@
bin/spf_example
bin/spf_example_2mx
bin/spf_example_2mx_static
bin/spf_example_static
bin/spfd
bin/spfd_static
bin/spfquery
bin/spfquery_static
bin/spftest
bin/spftest_static
include/spf2/spf.h
include/spf2/spf_dns.h
include/spf2/spf_dns_cache.h
include/spf2/spf_dns_null.h
include/spf2/spf_dns_resolv.h
include/spf2/spf_dns_test.h
include/spf2/spf_dns_zone.h
include/spf2/spf_lib_version.h
@dirrm include/spf2
lib/libspf2.a
lib/libspf2.la
lib/libspf2.so
lib/libspf2.so.1


@ -1,49 +0,0 @@
# New ports collection makefile for: policyd
# Date created: 19 Dec 2004
# Whom: Marcus Alves Grando <mnag@FreeBSD.org>
#
# $FreeBSD$
#
PORTNAME= policyd
PORTVERSION= 1.0.1
PORTREVISION= 3
CATEGORIES= mail
MASTER_SITES= http://www.libspf2.org/patch/
PKGNAMEPREFIX= postfix-
PKGNAMESUFFIX= -spf
MAINTAINER= mnag@FreeBSD.org
COMMENT= Implements SPF for postfix, as a policy daemon
DEPRECATED= Relies on libspf2-10 which is vulnerable as of 2008-10-27
EXPIRATION_DATE= 2011-09-09
LIB_DEPENDS= spf2.1:${PORTSDIR}/mail/libspf2-10
CONFLICTS= policyd-1.*
CONFIGURE_ENV= CPPFLAGS="-I${LOCALBASE}/include"
CONFIGURE_ENV+= CFLAGS="-I${LOCALBASE}/include"
CONFIGURE_ENV+= LDFLAGS="-L${LOCALBASE}/lib"
GNU_CONFIGURE= yes
PKGMESSAGE= ${WRKDIR}/pkg-message
SUB_FILES= pkg-message
PLIST_FILES= sbin/postfix-policyd-spf
DOCSDIR= ${PREFIX}/share/doc/${PKGNAMEPREFIX}${PORTNAME}${PKGNAMESUFFIX}
.if !defined(NOPORTDOCS)
PORTDOCS= *
.endif
post-install:
.if !defined(NOPORTDOCS)
${MKDIR} ${DOCSDIR}
${INSTALL_DATA} ${WRKSRC}/README ${DOCSDIR}
.endif
@${CAT} ${PKGMESSAGE}
.include <bsd.port.mk>


@ -1,2 +0,0 @@
SHA256 (policyd-1.0.1.tar.gz) = 4fc9c174144260b696c3804de01b5c1f7189f824cbcbb5bd9e80c9663d45c764
SIZE (policyd-1.0.1.tar.gz) = 201134


@ -1,13 +0,0 @@
--- Makefile.in.orig Mon Jun 28 13:59:26 2004
+++ Makefile.in Mon Apr 18 11:24:56 2005
@@ -192,8 +192,8 @@
|| test -f $$p1 \
; then \
f=`echo $$p1|sed '$(transform);s/$$/$(EXEEXT)/'`; \
- echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(sbindir)/$$f"; \
- $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(sbindir)/$$f; \
+ echo " $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(sbindir)/postfix-policyd-spf"; \
+ $(INSTALL_PROGRAM_ENV) $(LIBTOOL) --mode=install $(INSTALL_PROGRAM) $$p $(DESTDIR)$(sbindir)/postfix-policyd-spf; \
else :; fi; \
done


@ -1,128 +0,0 @@
--- policyd.c.orig 2004-07-09 06:42:25.000000000 +0900
+++ policyd.c 2008-06-23 12:55:02.000000000 +0900
@@ -70,12 +70,14 @@
#define POSTFIX_DUNNO "DUNNO"
#define POSTFIX_REJECT "REJECT"
+#define POSTFIX_PREPEND "PREPEND"
typedef
struct _config_t {
char *localpolicy;
char *explanation;
int trustedforwarder;
+ int softfailreject;
int debug;
} config_t;
@@ -106,6 +108,7 @@
static const struct option longopts[] = {
{ "localpolicy", required_argument, NULL, 'l', },
{ "trustedforwarder", no_argument, NULL, 't', },
+ { "softfailreject", no_argument, NULL, 's', },
{ "explanation", required_argument, NULL, 'x', },
{ "debug", optional_argument, NULL, 'd', },
{ "help", no_argument, NULL, 'h', },
@@ -119,7 +122,7 @@
#else
#define DOC_LONGOPT(l, v, t, p1) do { } while(0)
#endif
-static const char *shortopts = "a:h";
+static const char *shortopts = "l:x:d:tsh";
#define DOC_OPT(s, l, v, t, p0, p1) do { \
fprintf(stderr, " -%c%c%s%*s" t "\n", \
@@ -137,10 +140,12 @@
"Set the SPF local policy.", 21, 10);
DOC_OPT('t', "trustedforwarder", NULL,
"Use the trusted-forwarder.com whitelist.", 29, 13);
+ DOC_OPT('s', "softfailreject", NULL,
+ "Reject SOFTFAIL.", 29, 15);
DOC_OPT('x', "explanation", "<explanation>",
"Set the SPF explanation.", 16, 5);
- DOC_OPT('d', "debug", "[<level>]",
- "Set the debug level.", 20, 15);
+ DOC_OPT('d', "debug", "<level>",
+ "Set the debug level.", 22, 17);
DOC_OPT('h', "help", NULL,
"Display this help.", 29, 25);
}
@@ -249,7 +254,7 @@
}
static void
-process_request(request_t *req)
+process_request(request_t *req, config_t *conf)
{
SPF_output_t output;
@@ -268,7 +273,7 @@
switch (output.result) {
case SPF_RESULT_PASS:
- strcpy(req->result, POSTFIX_DUNNO);
+ snprintf(req->result, RESULTSIZE, POSTFIX_PREPEND " %s", output.received_spf);
break;
case SPF_RESULT_FAIL:
snprintf(req->result, RESULTSIZE,
@@ -287,11 +292,21 @@
: ""));
break;
case SPF_RESULT_SOFTFAIL:
+ if (conf->softfailreject == 1) {
+ snprintf(req->result, RESULTSIZE,
+ POSTFIX_REJECT " %s",
+ (output.smtp_comment
+ ? output.smtp_comment
+ : (output.header_comment
+ ? output.header_comment
+ : "")));
+ break;
+ }
case SPF_RESULT_NEUTRAL:
case SPF_RESULT_UNKNOWN:
case SPF_RESULT_NONE:
default:
- strcpy(req->result, POSTFIX_DUNNO);
+ snprintf(req->result, RESULTSIZE, POSTFIX_PREPEND " %s", output.received_spf);
break;
}
@@ -315,6 +330,11 @@
argv0 = argv[0];
+ config.localpolicy = NULL;
+ config.explanation = NULL;
+ config.trustedforwarder = 0;
+ config.softfailreject = 0;
+ config.debug = 0;
while ((c =
#ifdef HAVE_GETOPT_LONG
getopt_long(argc, argv, shortopts, longopts, &idx)
@@ -329,12 +349,15 @@
case 't':
config.trustedforwarder = 1;
break;
+ case 's':
+ config.softfailreject = 1;
+ break;
case 'x':
config.explanation = optarg;
break;
case 'd':
if (optarg)
- config.debug = atol(optarg);
+ config.debug = atoi(optarg);
else
config.debug = 1;
break;
@@ -366,7 +389,7 @@
CHECK(req.client_ip, "client_address")
else CHECK(req.sender_address, "sender")
else CHECK(req.helo_address, "helo_name")
- else process_request(&req);
+ else process_request(&req, &config);
req.result[RESULTSIZE - 1] = '\0';
printf("action=%s\n\n", req.result);


@ -1,19 +0,0 @@
***
*** NOTE: Now %%PREFIX%%/sbin/policyd has renamed to %%PREFIX%%/sbin/postfix-policyd-spf
***
To run this from %%PREFIX%%/etc/postfix/master.cf:
policy unix - n n - - spawn
user=nobody argv=%%PREFIX%%/sbin/postfix-policyd-spf
To use this from Postfix SMTPD, use in %%PREFIX%%/etc/postfix/main.cf:
smtpd_recipient_restrictions = ...
reject_unknown_sender_domain
reject_unauth_destination
check_policy_service unix:private/policy
...
NOTE: specify check_policy_service AFTER reject_unauth_destination
or else your system can become an open relay.


@ -1,7 +0,0 @@
This is a C port of Meng Wong's policyd for Postfix. The original
code is available from http://spf.pobox.com/postfix-policyd.txt.
It implements SPF for postfix, as a policy daemon.
WWW: http://www.libspf2.org/
Marcus Alves Grando <mnag@FreeBSD.org>