| Previous | Contents | Index |
SPF and SRS are not available for PMDF on Windows. |
For OpenVMS sites running MultiNet, the ECO UCX_LIBRARY_EMULATION-090_A052 or later is required for SPF/SRS to function. For sites running TCPware, the ECO DRIVERS_V582P020 or later is required. For sites running TCP/IP Services, you need version 5.3 or later. |
Sender Policy Framework (SPF) can be used to combat the problem of sender address forgery. It is a method of using special DNS records to say which systems are allowed to send mail for a given domain. PMDF's SPF implemention can be used to check the IP address of the system that PMDF is receiving a message from, against the domain name in the SMTP MAIL FROM:
address to make sure the message is coming from an authorized sending
system. The message can be accepted, rejected, or marked based on the
results of the SPF checks.
Sender Rewriting Scheme (SRS) is an adjunct to SPF that is used by mail forwarders. SPF breaks mail forwarding because it rejects the forwarder as an unauthorized sender of the mail. If the forwarder uses SRS to rewrite the MAIL FROM:
address, this problem is avoided.
For more information about SPF and SRS, see http://www.openspf.org/
.
Using SPF/SRS is similar to DNS_VERIFY in that both are used to combat the problem of forged sender e-mail addresses. The same drawbacks and warnings apply (see Section 16.1.8).
As with DNS_VERIFY, SPF and SRS are supplied as a sharable images on OpenVMS (PMDF_EXE:LIBSPFSHR.EXE
and PMDF_EXE:LIBSRS2SHR.EXE
), and as sharable object libraries on Unix (/pmdf/lib/libspf.so
and /pmdf/lib/libsrs2.so
).
SPF can be called from the FROM_ACCESS
, ORIG_MAIL_ACCESS
, or MAIL_ACCESS
mapping table. However, we recommend using the FROM_ACCESS mapping table for greatest efficiency since it is called only once, after the MAIL FROM:
SMTP command instead of after every RCPT TO:
SMTP command.
SRS is called from the REVERSE
mapping table to encode the MAIL FROM:
address when mail is forwarded. A different SRS routine is called from the FORWARD
mapping table to decode RCPT TO:
addresses when needed, as for example when an error response is sent back to an MAIL FROM:
address that has been SRS-encoded. SPF and SRS are invoked using the
routine callout described in Section 2.2.6.7, Customer-supplied Routine Substitutions, $[...].
Note that internal or trusted systems (such as mail gateways) should be excluded from SPF checks and SRS encoding by adding mapping table entries before the SPF or SRS entries in the mapping tables.
On Unix platforms, the symbols PMDF_SPF_LIBRARY and PMDF_SRS_LIBRARY are defined in /etc/pmdf_tailor
to point to the SPF and SRS sharable object libraries, respectively. Similarly, on OpenVMS, the logical names PMDF_SPF_LIBRARY and PMDF_SRS_LIBRARY are defined in PMDF_STARTUP.COM
to point to the sharable images. We also recommend that you install the SPF and SRS sharable images for efficiency. The following commands to do this may be put in your PMDF_COM:PMDF_SITE_STARTUP.COM
file:
$ INSTALL ADD PMDF_SPF_LIBRARY/OPEN/HEAD/SHARE $ INSTALL ADD PMDF_SRS_LIBRARY/OPEN/HEAD/SHARE |
LIBSPFSHR has three routines that can be called:
spf_lookup
spf_lookup_reject_fail
spf_lookup_reject_softfail
These are each described in the sections below.
Note that your mapping tables with SPF callouts can be tested by using the pmdf test -mapping
utility (pmdf test/mapping
on OpenVMS).
16.1.9.1.1 spf_lookup Routine
This routine does the SPF lookup and adds a Received-SPF:
header upon successful completion, or a header of your choice upon
error (such as if there are no SPF records).
The spf_lookup
routine has four arguments, separated by commas. The callout would look
like this:
$[PMDF_SPF_LIBRARY,spf_lookup,sending-ip,from-address,domain-name,header]$ |
The parameters are as follows:
sending-ip
is the sending IP address
from-address
is the MAIL FROM:
address
domain-name
is the domain name to display in the Received-SPF:
headers; this is expected to be the name of the local system that is
doing the SPF lookup
header
is the type of header to add upon error
The following example adds a Received-SPF:
header, or in the case where there is no SPF record, a X-PMDF-SPF:
header:
FROM_ACCESS TCP|*|25|*|*|SMTP*|*|tcp_*|*|* $C$[PMDF_SPF_LIBRARY,\ spf_lookup,$1,$6,example.com,X-PMDF-SPF]$E |
Example Received-SPF:
and X-PMDF-SPF:
headers would be:
Received-SPF: pass (example.com: domain of remotesys.com designates 10.0.0.1 as permitted sender) client-ip=192.168.0.1; envelope-from=joe@remotesys.com; X-PMDF-SPF: (recv=mail.example.com, send-ip=10.0.0.2) Could not find a valid SPF record |
Both of these routines do the SPF lookup and then reject the message if it gets a fail result. The spf_lookup_reject_softfail
also rejects the message if it gets a softfail result. They both add a Received-SPF:
header upon successful completion.
These routines have four arguments, separated by commas. The callouts would look like this (for example on Unix):
$[/pmdf/lib/libspf.so,spf_lookup_reject_fail,sending-ip,from-address,domain-name,header]$ $[/pmdf/lib/libspf.so,spf_lookup_reject_softfail,sending-ip,from-address,domain-name,text]$ |
The parameters are as follows:
sending-ip
is the sending IP address
from-address
is the MAIL FROM:
address
domain-name
is the domain name to display in the Received-SPF:
headers; this is expected to be the name of the local system that is
doing the SPF lookup
text
is the rejection text to use
The following example rejects mail that fails the SPF lookup:
FROM_ACCESS TCP|*|25|*|*|SMTP*|*|tcp_*|*|* $C$[/pmdf/lib/libspf.so,\ spf_lookup_reject_softfail,$1,$6,example.com,Rejected$ by$ SPF$ lookup]$E |
To configure PMDF to use SRS, changes are required to the PMDF option file pmdf_table:option.dat
, configuration file pmdf_table:pmdf.cnf
, and mapping file pmdf_table:mappings
.
16.1.9.2.1 Option File Changes
Two options need to be added to the PMDF option file: REVERSE_ENVELOPE
, and USE_REVERSE_DATABASE
.
The REVERSE_ENVELOPE
option needs to be set to 1 to tell PMDF to apply the REVERSE mapping table to envelope from
addresses (by default the REVERSE mapping table is only applied to header addresses). The USE_REVERSE_DATABASE
option should be set to a value of 266. This value turns on address
reversal processing (the REVERSE mapping table in this case), as well
as specifying that the destination channel be prepended to the address
when probing the REVERSE mapping table.
REVERSE_ENVELOPE=1 USE_REVERSE_DATABASE=266 |
By default, the REVERSE mapping table is checked for every destination channel. For SRS, normally you'd only want to encode the envelope from
address for messages that are being forwarded to the internet, for example, being sent out the tcp_local
channel.
To avoid unnecessary processing, the checking of the REVERSE mapping table can be restricted to when tcp_local
is the destination channel. This is done by using the noreverse
and reverse
channel keywords in the pmdf.cnf
file.
Place the noreverse
channel keyword on the defaults
line in pmdf.cnf
to turn off checking of the REVERSE mapping table by default. To turn the checking on for the tcp_local
channel, add the reverse
channel keyword to the tcp_local
channel definition. If there are any other channels you use that you wish to use SRS on, put the reverse
channel keyword on those channel definitions as well.
16.1.9.2.3 Mapping File Changes
The SRS library has two routines that can be called:
pmdf_srs_forward
pmdf_srs_reverse
The pmdf_srs_forward
routine is called from the REVERSE mapping table to encode the envelope from
address. The pmdf_srs_reverse
routine is called from the FORWARD mapping table to decode any SRS-encoded envelope to
addresses. These routines are further described in the sections below.
Notice that the name of the routine is opposite from the name of the mapping table that it is used in. |
Note that your mapping tables with SRS callouts can be tested by using the pmdf test -mapping
utility (pmdf test/mapping
on OpenVMS).
16.1.9.2.3.1 pmdf_srs_forward Routine And The REVERSE Mapping Table
The pmdf_srs_forward
routine takes an address and encodes it as defined by the SRS rules. It
returns the SRS-encoded address.
This routine has three arguments, separated by commas. The callout would look like this:
$[PMDF_SRS_LIBRARY,pmdf_srs_forward,from-address,secret,domain-name]$ |
The parameters are as follows:
from-address
is the MAIL FROM:
address to encode.
secret
is a secret word you must specify for use by the encoding process.
domain-name
is the local domain to use.
When adding the pmdf_srs_foward
callout to the REVERSE mapping table, you must specify the $:E flag on the entry. The option.dat option REVERSE_ENVELOPE (as described above) causes PMDF to apply the REVERSE mapping table to the envelope from
address as well as to header addresses. However, SRS should be applied
only to the envelope address and not to header
addresses. Specifying the $:E flag on your REVERSE mapping table entry
achieves this.
For best efficiency, SRS should only be applied to messages going out via the tcp_local channel (or other external channel). The option.dat option USE_REVERSE_DATABASE (as described above) specified with a value of 266 causes PMDF to prepend the destination channel to the address when the REVERSE mapping table is probed. To apply the mapping table entry to only tcp_local, specify "tcp_local|" at the front of your reverse mapping table entries.
Note that if you are already using the REVERSE mapping table for something else, this setting of USE_REVERSE_DATABASE causes the destination channel to be prepended for all REVERSE mapping table entries. |
Also, SRS should only be applied to messages that are being forwarded, and not to locally-generated messages. To do this, add additional entries to the REVERSE mapping table that exempts messages that have a local envelope from
address.
The following example encodes mail being forwarded by example.com:
REVERSE tcp_local|*@*example.com $N tcp_local|*@* $:E$[PMDF_SRS_LIBRARY,\ pmdf_srs_forward,$0@$1,mysecret,example.com]$E |
The pmdf_srs_reverse
routine takes an SRS-encoded address and decodes it back into the
original address.
This routine has three arguments, separated by commas. The callout would look like this:
$[PMDF_SRS_LIBRARY,pmdf_srs_reverse,to-address,secret,domain-name]$ |
The parameters are as follows:
to-address
the SRS-encoded RCPT TO:
address to decode.
secret
is the secret word that was used during the encoding process.
domain-name
is the local domain that was used during the encoding process.
Adding a callout to the pmdf_srs_reverse
routine from the FORWARD mapping table is required to decode any SRS-encoded envelope to
addresses. For example, to handle responses to mail that you sent with an SRS-encoded envelope from
address. Note that when you add the callout, you must also specify the
$D flag on the entry, to tell PMDF to send the resulting address back
through the rewrite process. This is so the mail can be forwarded on
successfully to the real original sender.
Since SRS decoding should only be applied to SRS-encoded addresses, you can select for this by checking for addresses that have two equal signs in the username part.
The following example decodes SRS-encoded addresses received by example.com:
FORWARD *=*=*@example.com $[PMDF_SRS_LIBRARY,\ pmdf_srs_reverse,$0=$1=$2@example.com,mysecret,example.com]$D |
The secret word specified in the mapping table callouts is used by the SRS encoding and decoding to make sure that the SRS-encoded address is not forged. You do not have to change your secret word at all, but if you wish to do so, the decoding routine needs to know all of the secret words ever used so that it can properly decode messages that were encoded using a previous secret word.
The SRS decoding routine will check for the file pmdf_table:srs_secret.dat
for a list of previous secret words. Whenever you change your secret
word, add the old secret word to this file (one word per line).
| Previous | Next | Contents | Index |