--- postfix-policyd-spf-perl-2.010.orig/debian/changelog
+++ postfix-policyd-spf-perl-2.010/debian/changelog
@@ -0,0 +1,124 @@
+postfix-policyd-spf-perl (2.010-1) unstable; urgency=low
+
+ * New upstream release
+ - Updated debian/patches/use-debian-mailname to work with new upstream use
+ of libsys-hostname-long-perl
+ - Added depends on libsys-hostname-long-perl
+ - Updated debian/copyright
+
+ -- Scott Kitterman Sun, 17 Jun 2012 23:55:06 -0400
+
+postfix-policyd-spf-perl (2.009-2) unstable; urgency=low
+
+ * Fix debian watch to work with Launchpad again
+ * Update standards version to 3.9.3 without further change
+
+ -- Scott Kitterman Mon, 19 Mar 2012 17:24:49 -0400
+
+postfix-policyd-spf-perl (2.009-1) unstable; urgency=low
+
+ * New upstream release
+ - Refreshed patches
+
+ -- Scott Kitterman Fri, 03 Feb 2012 23:31:43 -0500
+
+postfix-policyd-spf-perl (2.008-2) unstable; urgency=low
+
+ * Correct time limit parameter name in debian/postfix-policyd-spf-perl.1
+ (Closes: #618282)
+
+ -- Scott Kitterman Fri, 20 Jan 2012 00:17:14 -0500
+
+postfix-policyd-spf-perl (2.008-1) unstable; urgency=low
+
+ * New upstream release
+ - Update debian/copyright
+ - Add version requirement >= 2.006 for libmail-spf-perl
+ - Update debian/postfix-policyd-spf-perl.1 man page
+ * Fix long description to point to the non-dead location for the SPF web
+ site
+ * Overhaul debian/rules based on dh 7 tiny
+ * Add debian/postfix-policyd-spf-perl.manpages and .install
+ * Bump mimimum debhelper version to 7 and compat to 7
+ * Add quilt to build-depends, build --with quilt, and add README.source
+ * Add debian/patches/use-debian-mailname to read hostname from /etc/mailname
+ - Thanks to Thomas Bullinger for the patch
+ * Bump standards version to 3.9.2 without further change
+ * Remove XS-DM-Upload-Allowed flag
+
+ -- Scott Kitterman Thu, 19 Jan 2012 14:07:01 -0500
+
+postfix-policyd-spf-perl (2.007-2) unstable; urgency=low
+
+ * Update debian/control and debian/watch for new project location
+ * Improve package description
+ * Add ${misc:Depends} for postfix-policyd-spf-perl
+ * Use the © symbol in debian/copyright
+ * Bump standards version to 3.8.3 without further change
+
+ -- Scott Kitterman Thu, 07 Jan 2010 14:34:19 -0500
+
+postfix-policyd-spf-perl (2.007-1) unstable; urgency=low
+
+ * New upstream release
+ - Improved recommendations in documentation
+ * Updated man postfix-policyd-spf-perl.1 based on upstream updates
+ (Closes: #492421)
+ * Create and use dedicated user instead of nobody (Closes: #492420)
+ - Add postfix-policyd-spf-perl.postinst to create user if needed
+ - Add depends on adduser
+ - Update examples in man postfix-policyd-spf-perl.1 to use the dedicated
+ user
+
+ -- Scott Kitterman Fri, 25 Jul 2008 22:46:16 -0400
+
+postfix-policyd-spf-perl (2.006-1) unstable; urgency=low
+
+ * New upstream release
+ - Enhanced logging by default
+ * Update standards version to 3.8.0.1 without further change
+ * Update debian/copyright
+ * Change priority to extra due to depends
+ * Minor updates to man page for correctness
+
+ -- Scott Kitterman Fri, 18 Jul 2008 01:02:55 -0400
+
+postfix-policyd-spf-perl (2.005-2) unstable; urgency=low
+
+ * Update postfix-policyd-spf-perl(1) to better describe the packages
+ capability to whitelist forwarders and secondary MXs from SPF checks
+ (Closes: #468388)- patch thanks to Tim Small - and
+ minor edits to quieten lintian
+ * Change priority to optional to match over-ride
+ * Minor updates to package short and long description to improve correctness
+
+ -- Scott Kitterman Sun, 09 Mar 2008 21:20:41 -0400
+
+postfix-policyd-spf-perl (2.005-1) unstable; urgency=low
+
+ [ Scott Kitterman ]
+ * New upstream release
+ - Reduce DNS timeout period from 20 seconds to 10 seconds for faster
+ performance with broken DNS servers
+ * Move postfix from recommends to depends
+ * Add watch file
+ * Correct debian/copyright to only refer to GPL V2 and trim excess license
+ quoting
+ * Added Homepage field
+ * Update standards version to 3.7.3 without further change
+ * Clarify package description
+ * Minor updates to postfix-policyd-spf-perl and move from section 8 to
+ section 1
+ * Minor white space cleanup in debian/control
+
+ [ Philipp Kern ]
+ * Added `XS-DM-Upload-Allowed: yes' to `debian/control' to allow uploads
+ from Debian Maintainers.
+
+ -- Scott Kitterman Sat, 15 Dec 2007 20:32:55 +0100
+
+postfix-policyd-spf-perl (2.004-1) unstable; urgency=low
+
+ * Initial Debian package (Closes: #236701)
+
+ -- Scott Kitterman Tue, 18 April 2007 15:45:00 -0400
--- postfix-policyd-spf-perl-2.010.orig/debian/postfix-policyd-spf-perl.install
+++ postfix-policyd-spf-perl-2.010/debian/postfix-policyd-spf-perl.install
@@ -0,0 +1 @@
+postfix-policyd-spf-perl usr/sbin
--- postfix-policyd-spf-perl-2.010.orig/debian/rules
+++ postfix-policyd-spf-perl-2.010/debian/rules
@@ -0,0 +1,4 @@
+#!/usr/bin/make -f
+
+%:
+ dh $@ --with quilt
--- postfix-policyd-spf-perl-2.010.orig/debian/watch
+++ postfix-policyd-spf-perl-2.010/debian/watch
@@ -0,0 +1,3 @@
+version=3
+http://launchpad.net/postfix-policyd-spf-perl/+download https://launchpad.net/postfix-policyd-spf-perl/.*/.*/postfix-policyd-spf-perl-(.*)\.tar\.gz debian uupdate
+
--- postfix-policyd-spf-perl-2.010.orig/debian/copyright
+++ postfix-policyd-spf-perl-2.010/debian/copyright
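Review bot: In debian/watch the download page is requested over plain `http://launchpad.net/postfix-policyd-spf-perl/+download` while the tarball pattern is `https://`, so the listing uscan scrapes for new versions can be altered in transit; the first field should read `https://launchpad.net/postfix-policyd-spf-perl/+download`. Nothing in the file asks uscan to verify the tarball before `uupdate` acts on it. If upstream publishes detached signatures (not visible on this page) and the devscripts version in use supports it, `opts=pgpsigurlmangle=s/$/.asc/` with a packaged upstream signing key would make the import depend on a verified source archive.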
@@ -0,0 +1,29 @@
+This package was debianized by Scott Kitterman on
+Thu, 11 Jan 2007 04:29:13 -0500.
+
+It was downloaded from .
+
+Upstream authors Meng Weng Wong , Scott Kitterman
+, and Julian Mehnle
+
+Copyright:
+
+ © 2007-2008,2012 Scott Kitterman
+ © 2012 Allison Randal
+ © 2007 Julian Mehnle
+ © 2003-2004 Meng Weng Wong
+
+This is free software; you can redistribute it and/or modify it under the terms
+of the GNU General Public License (version 2).
+
+ GNU GENERAL PUBLIC LICENSE
+ Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+On Debian systems, the complete text of the GPL v2 can be found here:
+ /usr/share/common-licenses/GPL-2
+
--- postfix-policyd-spf-perl-2.010.orig/debian/postfix-policyd-spf-perl.postinst
+++ postfix-policyd-spf-perl-2.010/debian/postfix-policyd-spf-perl.postinst
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+set -e
+
+if [ "$1" = "configure" ]; then
+ if ! id -u policyd-spf >/dev/null 2>&1; then
+ adduser --quiet --system --group --no-create-home policyd-spf
+ elif [ -n "$2" ]; then
+ addgroup --quiet --system policyd-spf
+ usermod -g policyd-spf policyd-spf
+ fi
+fi
+
+#DEBHELPER#
+
+exit 0
+
--- postfix-policyd-spf-perl-2.010.orig/debian/postfix-policyd-spf-perl.1
+++ postfix-policyd-spf-perl-2.010/debian/postfix-policyd-spf-perl.1
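Review bot: In debian/postfix-policyd-spf-perl.postinst the `id -u policyd-spf` test accepts any existing account of that name, so on a host where `policyd-spf` is already an ordinary login account the policy daemon would run under a user that has a shell, a home directory and possibly unrelated files, and the upgrade branch would additionally change that account's primary group with `usermod -g`. The script should confirm the existing account is a system account before reusing it, or let `adduser --system` report the conflict rather than skipping it. The created account also takes its home directory from adduser's defaults, which differ between versions; stating it, as in `adduser --quiet --system --group --no-create-home --home /nonexistent policyd-spf`, keeps the service account free of a usable home.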
@@ -0,0 +1,274 @@ +\" +.\" Standard preamble: +.\" ======================================================================== +.de Sh \" Subsection heading +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp \" Vertical space (when we can't use .PP) +.if t .sp .5v +.if n .sp +.. +.de Vb \" Begin verbatim text +.ft CW +.nf +.ne \\$1 +.. +.de Ve \" End verbatim text +.ft R +.fi +.. +.\" Set up some character translations and predefined strings. \*(-- will +.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left +.\" double quote, and \*(R" will give a right double quote. \*(C+ will +.\" give a nicer C++. Capital omega is used to do unbreakable dashes and +.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, +.\" nothing in troff, for use with C<>. +.tr \(*W- +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.ie n \{\ +. ds -- \(*W- +. ds PI pi +. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +. ds L" "" +. ds R" "" +. ds C` "" +. ds C' "" +'br\} +.el\{\ +. ds -- \|\(em\| +. ds PI \(*p +. ds L" `` +. ds R" '' +'br\} +.\" +.\" If the F register is turned on, we'll generate index entries on stderr for +.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index +.\" entries marked with X<> in POD. Of course, you'll have to process the +.\" output yourself in some meaningful fashion. +.if \nF \{\ +. de IX +. tm Index:\\$1\t\\n%\t"\\$2" +.. +. nr % 0 +. rr F +.\} +.\" +.\" For nroff, turn off justification. Always turn off hyphenation; it makes +.\" way too many mistakes in technical documents. +.hy 0 +.if n .na +.\" +.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). +.\" Fear. Run. Save yourself. No user-serviceable parts. +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. 
ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds / +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. 
ds Ae AE +.\} +.rm #[ #] #H #V #F C +.\" ======================================================================== +.\" +.IX Title "postfix-policyd-spf-perl 1p" +.TH postfix-policyd-spf-perl 1 "2012-01-19" +.SH "NAME" +postfix-policyd-spf-perl \- pure-Perl Postfix policy server for SPF checking +.SH "VERSION" +.IX Header "VERSION" +2\.008 + +.SH "USAGE" +.IX Header "USAGE" +Usage: + policyd\-spf\-perl [\-v] + +.SH "OTHER DOCUMENTATION" +.IX Header "OTHER DOCUMENTATION" +This documentation assumes you have read Postfix's README_FILES/ +SMTPD_POLICY_README. + +.SH "SYNOPSIS" +.IX Header "SYNOPSIS" + +postfix-policyd-spf-perl is a Postfix SMTP policy server for SPF checking. +It is implemented in pure Perl and uses the Mail::SPF CPAN module. Note that +Mail::SPF is a complete re-implementation of SPF based on the final SPF RFC, +RFC 4408. It shares no code with the older Mail::SPF::Query that was the +original SPF development implementation. + +This version of the policy server always checks HELO before Mail From (older +versions just checked HELO if Mail From was null). It will reject mail that +fails either Mail From or HELO SPF checks. It will defer mail if there is a +temporary SPF error and the message would othersise be permitted +(DEFER_IF_PERMIT). If the HELO check produces a REJECT/DEFER result, Mail From +will not be checked. + +If the message is not rejected or deferred, the policy server will PREPEND the +appropriate SPF Received header. If Mail From is anything other than completely +empty (i.e. <>) then the Mail From result will be used for SPF Received (e.g. +Mail From None even if HELO is Pass). + +The policy server skips SPF checks for connections from the localhost (127.) and +instead prepends and logs 'SPF skipped - localhost is always allowed.' If you +have relays that you want to skip SPF checks for, you can add them to +relay_addresses on line 78 using standard CIDR notation in a space separated +list. 
For these addresses, 'X-Comment: SPF skipped for whitelisted relay' is +prepended and logged. + +Error conditions within the policy server (that don't result in a crash) or from +Mail::SPF will return DUNNO. + +.SH "DESCRIPTION" +.IX Header "DESCRIPTION" + +Logging is sent to syslogd. + +Each time a Postfix SMTP server process is started it connects to the policy +service socket and Postfix runs one instance of this Perls script. By +default, a Postfix SMTP server process terminates after 100 seconds of idle +time, or after serving 100 clients. Thus, the cost of starting this Perl +script is smoothed over time. + +The default policy_time_limit is 1000 seconds. This may be too short for some +SMTP transactions to complete. As recommended in SMTPD_POLICY_README, this +should be extended to 3600 seconds. To do so, set "policy_time_limit = 3600" +in /etc/postfix/main.cf. + +.SH "TESTING THE POLICY DAEMON" +.IX Header "TESTING THE POLICY DAEMON" +Testing the policy daemon + +To test the policy daemon by hand, execute: + + % /usr/sbin/postfix-policyd-spf-perl + +Each query is a bunch of attributes. Order does not matter, and the server +uses only a few of all the attributes shown below: + + request=smtpd_access_policy + protocol_state=RCPT + protocol_name=SMTP + helo_name=some.domain.tld + queue_id= + instance=71b0.45e2f5f1.d4da1.0 + sender=foo@bar.tld + recipient=bar@foo.tld + client_address=1.2.3.4 + client_name=another.domain.tld + [empty line] + +The policy daemon will answer in the same style, with an attribute list +followed by a empty line: + + action=550 Please see http://www.openspf.org/Why?id=foo@bar.tld&ip=1.2.3.4& + receiver=bar@foo.tld + [empty line] + +To test HELO checking sender should be empty: + + sender= + ... More attributes... + [empty line] + +If you want more detail in the system logs change $VERBOSE to 1. + +.SH "POSTFIX INTEGRATION" +.IX Header "POSTFIX INTEGRATION" + + 1. 
Add the following to /etc/postfix/master.cf: + + spfcheck unix - n n - 0 spawn + user=policyd-spf argv=/usr/sbin/postfix-policyd-spf-perl + + 2. Configure the Postfix SPF policy service in /etc/postfix/main.cf: + + smtpd_recipient_restrictions = + ... + reject_unauth_destination + check_policy_service unix:private/spfcheck + ... + spfcheck_time_limit = 3600 + + NOTE: Specify check_policy_service AFTER reject_unauth_destination or + else your system can become an open relay. + + 3. Set up machines which you expect to legitimately forward mail to this + server (see description in synopsis). This should typically include + the IP addresses which backup Mail eXchangers, and known non-SRS + forwarders will use to submit mail to this server (i.e. the source IPs + of the other servers). + + 4. Restart Postfix. + + 5. Verify correct backup MX operation (if applicable). + +.SH "SEE ALSO" +.IX Header "SEE ALSO" +libmail-spf-perl, + +.SH "AUTHORS" +.IX Header "AUTHORS" +This version of \fBpolicyd-spf-perl\fR was written by Meng Weng Wong + and updated for libmail-spf-perl by Scott Kitterman + and Julian Mehnle . +.PP +This man-page was written by Scott Kitterman . + --- postfix-policyd-spf-perl-2.010.orig/debian/README.source +++ postfix-policyd-spf-perl-2.010/debian/README.source @@ -0,0 +1,5 @@ +This package uses quilt for patches. dpkg-source -x does produce source +ready for building with dpkg-buildpackage. It does not procude source ready +for editing. See /usr/share/doc/quilt/README.source for information on using +quilt. + --- postfix-policyd-spf-perl-2.010.orig/debian/control +++ postfix-policyd-spf-perl-2.010/debian/control 
@@ -0,0 +1,15 @@
+Source: postfix-policyd-spf-perl
+Section: mail
+Priority: extra
+Maintainer: Scott Kitterman
+Build-Depends: debhelper (>= 7), quilt (>= 0.46-7)
+Standards-Version: 3.9.3
+Homepage: https://launchpad.net/postfix-policyd-spf-perl/
+
+Package: postfix-policyd-spf-perl
+Architecture: all
+Depends: ${misc:Depends}, ${perl:Depends}, postfix, libversion-perl, libnetaddr-ip-perl (>= 4), libmail-spf-perl (>= 2.006), adduser, libsys-hostname-long-perl
+Description: Simple Postfix policy server for RFC 4408 SPF checking
+ postfix-policyd-spf-perl is a basic Postfix SMTP policy server for SPF
+ checking. It is implemented in pure Perl and uses the Mail::SPF module. The
+ SPF project web site is http://www.openspf.net/.
--- postfix-policyd-spf-perl-2.010.orig/debian/postfix-policyd-spf-perl.manpages
+++ postfix-policyd-spf-perl-2.010/debian/postfix-policyd-spf-perl.manpages
@@ -0,0 +1 @@
+debian/postfix-policyd-spf-perl.1
--- postfix-policyd-spf-perl-2.010.orig/debian/compat
+++ postfix-policyd-spf-perl-2.010/debian/compat
@@ -0,0 +1,2 @@
+7
+
--- postfix-policyd-spf-perl-2.010.orig/debian/patches/series
+++ postfix-policyd-spf-perl-2.010/debian/patches/series
@@ -0,0 +1 @@
+use-debian-mailname
--- postfix-policyd-spf-perl-2.010.orig/debian/patches/use-debian-mailname
+++ postfix-policyd-spf-perl-2.010/debian/patches/use-debian-mailname
@@ -0,0 +1,41 @@
+Patch by Thomas Bullinger
+Added to the Debian package by Scott Kitterman
+Since /etc/mailname is Debian (and derivatives) specific, this is best
+handled as a distro patch and not upstream. 2012-01-19
+
+Index: postfix-policyd-spf-perl-2.010/postfix-policyd-spf-perl
+===================================================================
+--- postfix-policyd-spf-perl-2.010.orig/postfix-policyd-spf-perl 2012-06-17 23:50:55.621463000 -0400
++++ postfix-policyd-spf-perl-2.010/postfix-policyd-spf-perl 2012-06-18 00:07:44.201358289 -0400
+@@ -43,10 +43,22 @@
+ # Makes for a total timeout for UDP queries of 5s * 2 = 10s.
+ );
+
++my $MailName = '';
++if (open (MN, '< /etc/mailname'))
++{
++ $MailName = ;
++ close (MN);
++}
++else {
++ $MailName = hostname_long ;
++}
++chomp ($MailName);
++
+ # query_rr_type_all will query both type TXT and type SPF. This upstream
+ # default is changed due to there being essentiall no type SPF deployment.
+ my $spf_server = Mail::SPF::Server->new(
+ dns_resolver => $resolver,
++ hostname => $MailName,
+ query_rr_types => Mail::SPF::Server->query_rr_type_txt,
+ default_authority_explanation =>
+ 'Please see http://www.openspf.net/Why?s=%{_scope};id=%{S};ip=%{C};r=%{R}'
+@@ -95,7 +107,7 @@
+
+ # Fully qualified hostname, if available, for use in authentication results
+ # headers now provided by the localhost and whitelist checks.
+-my $host = hostname_long;
++my $host = $MailName;
+
+ my %results_cache; # by message instance
+
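Review bot: In the added `$MailName` block of debian/patches/use-debian-mailname, an `/etc/mailname` that exists but is empty or holds only whitespace leaves `$MailName` undefined or blank, because the `hostname_long` fallback runs only when `open` fails. That value is then passed as `hostname` to `Mail::SPF::Server->new` and, through `my $host = $MailName;`, is used for the authentication results headers that the surrounding comment describes. The read also uses a bareword handle with two-argument `open`, which is harmless with this constant path but is the form Perl guidance advises against. The sketch below reads the first line through a lexical handle, strips trailing whitespace and falls back to `hostname_long` whenever the result is empty. The handle read appears on this page as `$MailName = ;`, so the read operator was probably lost in rendering.

```perl
my $MailName = '';
if (open(my $mailname_fh, '<', '/etc/mailname')) {
    my $first_line = <$mailname_fh>;
    close($mailname_fh);
    $MailName = $first_line if defined $first_line;
}
$MailName =~ s/\s+\z//;    # drops the newline and any trailing blanks or CR
# Missing, unreadable, empty or blank file: use the resolved host name.
if ($MailName eq '') {
    $MailName = hostname_long;
    chomp($MailName);
}
# ... unchanged: Mail::SPF::Server->new(...) with hostname => $MailName ...
```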