Configuration man pages have incorrect defaults

Bug #1724107 reported by Scott Shambarger
This bug affects 1 person
Affects: pypolicyd-spf
Status: Fix Released
Importance: Medium
Assigned to: Scott Kitterman

Bug Description

When configuring policy, man policyd-spf(5) shows the following:

HELO/EHLO CHECKING
       HELO check rejection policy options are:

       SPF_Not_Pass (default) - Reject if result not Pass, None, or Temperror
       (alternatively put, reject if the SPF result is Fail, Softfail, Neu‐
       tral, PermError). ...

There appear to be several issues here:

a) Further down the section, "Fail" is shown as default, not SPF_Not_Pass (which is correct?)

b) RFC 7208 section 8.2. Neutral states:
   A "neutral" result MUST be treated exactly like the "none" result;
     the distinction exists only for informational purposes.

c) RFC 7208 section 8.5. Softfail states:
   Receiving software SHOULD NOT reject the message based solely on this result,...

Suggested changes:

* The default should be consistent, either SPF_Not_Pass or Fail (prob Fail?)

* SPF_Not_Pass should reject if not Pass, None, <<Neutral, or Softfail>> (code should reflect this too to be RFC compliant, not sure if it does or not...). Reject if Fail, Temperror, or Permerror (hopefully with respective temp 4xx or permanent 5xx errors?)

* Softfail should probably not exist here (breaks RFC specs), but probably could be considered an alias for SPF_Not_Pass if present (but should not reject on Softfail unless there's some sort of greylisting support added...)

Discussion welcome...

Scott Kitterman (kitterman) wrote :

The inconsistency is obviously a bug. Currently the default is fail.

SPF_Not_Pass is intentionally not consistent with RFC 7208. This should be documented.

Changed in pypolicyd-spf:
importance: Undecided → Medium
status: New → Confirmed
Scott Kitterman (kitterman) wrote :

Fixed for next release:

  * Update HELO checking default option in policyd-spf.conf(5) (LP: #1724107)
  * Note that SPF_Not_Pass is not consistent with RFC 7208 in the HELO
    checking section of policyd-spf.conf(5) - already documented for Mail From

Changed in pypolicyd-spf:
assignee: nobody → Scott Kitterman (kitterman)
status: Confirmed → Fix Committed
Scott Kitterman (kitterman) wrote :

Fixed in 2.0.2

Changed in pypolicyd-spf:
status: Fix Committed → Fix Released