Configuration man pages have incorrect defaults
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| pypolicyd-spf |
Fix Released
|
Medium
|
Scott Kitterman | ||
Bug Description
When configuring policy, man policyd-spf(5) shows the following:
HELO/EHLO CHECKING
HELO check rejection policy options are:
SPF_Not_Pass (default) - Reject if result not Pass, None, or Temperror
tral, PermError). ...
There appear to be several issues here:
a) Further down the section, "Fail" is shown as default, not SPF_Not_Pass (which is correct?)
b) RFC 7208 section 8.2. Neutral states:
A "neutral" result MUST be treated exactly like the "none" result;
the distinction exists only for informational purposes.
c) RFC 7208 section 8.5. Softfail states:
Receiving software SHOULD NOT reject the message based solely on this result,...
Suggested changes:
* The default should be consistent, either SPF_Not_Pass or Fail (prob Fail?)
* SPF_Not_Pass should reject if not Pass, None, <<Neutral, or Softfail>> (code should reflect this too to be RFC compliant, not sure if it does or not...). Reject if Fail, Temperror, or Permerror (hopefully with respective temp 4xx or permanent 5xx errors?)
* Softfail should probably not exist here (breaks RFC specs), but probably could be considered an alias for SPF_Not_Pass if present (but should not reject on Softfail unless there's some sort of greylisting support added...)
Discussion welcome...
| Scott Kitterman (kitterman) wrote | #1 |
| Changed in pypolicyd-spf: | |
| importance: | Undecided → Medium |
| status: | New → Confirmed |
| Scott Kitterman (kitterman) wrote | #2 |
| Changed in pypolicyd-spf: | |
| assignee: | nobody → Scott Kitterman (kitterman) |
| status: | Confirmed → Fix Committed |
| Scott Kitterman (kitterman) wrote | #3 |
| Changed in pypolicyd-spf: | |
| status: | Fix Committed → Fix Released |
The inconsistency is obviously a bug. Currently the default is fail.
SPF_Not_Pass is intentionally not consistent with RFC 7208. This should be documented.