libspf2-2 1.2.9-4 returns incorrect response with IPv6 SPF Record

Bug #1188429 reported by Mitsuru Ogino
Affects                          Status        Importance  Assigned to  Milestone
Ubuntu Japanese Kaizen Project   New           Undecided   Unassigned
libspf2 (Ubuntu)                 Fix Released  High        Unassigned
  Lucid                          Won't Fix     High        Unassigned
  Precise                        Won't Fix     High        Unassigned

Bug Description

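I am running a mail server on lucid built from postfix, milter-greylist and libspf2-2, and I ran into a bug where, in the SPF evaluation of an IPv6 address, a message that should be judged pass is judged fail.

Checking with spfquery, a tool that uses libspf2-2, the problem reproduces with libspf2-2 1.2.9-4 on lucid and precise, but appears to be resolved in 1.2.9-7 on raring. Would it be possible to fix the lucid and precise packages as well?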

1. SMTP sender and SPF record

Sender: Ministry of Health, Labour and Welfare, Japan
SMTP MAIL FROM domain: @mhlw.go.jp
SMTP client IPv6 address: 2400:4040:3003:64::61

m-ogino@mx1:~$ host -t txt mhlw.go.jp
mhlw.go.jp descriptive text "v=spf1 include:spf-ikou.mhlw.go.jp +ip4:203.138.241.24 +ip4:208.90.57.0/26 +ip4:204.15.81.0/26 -all"

m-ogino@mx1:~$ host -t txt spf-ikou.mhlw.go.jp
spf-ikou.mhlw.go.jp descriptive text "v=spf1 +ip4:210.161.136.128/27 +ip4:210.227.79.192/26 +ip6:2400:4040:3003:64::/112 +ip6:2001:380:515:1::/112 -all"

The +ip6:2400:4040:3003:64::/112 in spf-ikou.mhlw.go.jp includes 2400:4040:3003:64::61, so pass is the correct result.

2. spfquery result on lucid (incorrect)

m-ogino@mx1:~$ lsb_release -d
Description: Ubuntu 10.04.4 LTS

m-ogino@mx1:~$ dpkg -l postfix milter-greylist libspf2-2 spfquery
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Cfg-files/Unpacked/Failed-cfg/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Description
+++-==================-==================-====================================================
ii libspf2-2 1.2.9-4 library for validating mail senders with SPF
ii milter-greylist 4.3.4-2 Greylist milter for sendmail
ii postfix 2.7.0-1ubuntu0.2 High-performance mail transport agent
ii spfquery 1.2.9-4 query SPF (Sender Policy Framework) to validate mail

m-ogino@mx1:~$ spfquery -ip 2400:4040:3003:64::61 -sender <email address hidden>
fail
Please see http://www.openspf.org/Why?id=foo%40mhlw.go.jp&ip=2400%3a4040%3a3003%3a64%3a%3a61&receiver=spfquery : Reason: mechanism
spfquery: domain of mhlw.go.jp does not designate 2400:4040:3003:64::61 as permitted sender
Received-SPF: fail (spfquery: domain of mhlw.go.jp does not designate 2400:4040:3003:64::61 as permitted sender) client-ip=2400:4040:3003:64::61; <email address hidden>;

3. spfquery result on raring (good)

m-ogino@ubuntu-raring:~$ lsb_release -d
Description: Ubuntu 13.04

m-ogino@ubuntu-raring:~$ dpkg -l libspf2-2 spfquery
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==================-==============-==============-==========================================
ii libspf2-2 1.2.9-7 amd64 library for validating mail senders with S
ii spfquery 1.2.9-7 amd64 query SPF (Sender Policy Framework) to val

m-ogino@ubuntu-raring:~$ spfquery -ip 2400:4040:3003:64::61 -sender <email address hidden>
pass

spfquery: domain of mhlw.go.jp designates 2400:4040:3003:64::61 as permitted sender
Received-SPF: pass (spfquery: domain of mhlw.go.jp designates 2400:4040:3003:64::61 as permitted sender) client-ip=2400:4040:3003:64::61; <email address hidden>;
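
The expected verdict can be cross-checked without libspf2. The following is an added example, not part of the original report and not libspf2 code. It evaluates only the ip4, ip6, include and all mechanisms, and reads the two TXT records quoted above from an inline table instead of DNS; check_host, RECORDS and QUALIFIERS are names chosen for this sketch.

```python
import ipaddress

# TXT records copied from the `host -t txt` output in the report (no live DNS).
RECORDS = {
    "mhlw.go.jp": "v=spf1 include:spf-ikou.mhlw.go.jp +ip4:203.138.241.24 "
                  "+ip4:208.90.57.0/26 +ip4:204.15.81.0/26 -all",
    "spf-ikou.mhlw.go.jp": "v=spf1 +ip4:210.161.136.128/27 +ip4:210.227.79.192/26 "
                           "+ip6:2400:4040:3003:64::/112 +ip6:2001:380:515:1::/112 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, records=RECORDS, depth=0):
    """Evaluate ip4/ip6/include/all only (a subset of RFC 7208 check_host)."""
    if depth > 10:
        return "permerror"
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")  # splits at the first colon only
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            # A mechanism of the other address family never matches.
            want = 4 if name == "ip4" else 6
            matched = net.version == want == addr.version and addr in net
        elif name == "include":
            # include matches only when the nested evaluation is "pass".
            inner = check_host(ip, arg, records, depth + 1)
            if inner == "none":
                return "permerror"
            matched = inner == "pass"
        else:
            return "permerror"  # mechanism outside this subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"
```

For the client address in the report this returns pass, matching the raring result; an address just outside the /112, such as 2400:4040:3003:64::1:61, returns fail.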

Rolf Leggewie (r0lf) wrote :

Ogino-san, thank you for the bug report. This is Rolf from Germany. I appreciate your help.

The libspf2-2 package in lucid and precise returns incorrect information for IPv6 queries. Going by the changelog this was fixed in 1.2.9-6 in Debian and thus Quantal and later should not be affected. The relevant changes will need to be backported.

Changed in libspf2 (Ubuntu):
status: New → Fix Released
Rolf Leggewie (r0lf) wrote :

Revision 62 in svn of Debian packaging is probably pretty close to a minimal patch:

http://svn.kibibyte.se/libspf2?op=comp&compare[]=/trunk/@61&compare[]=/trunk/@62

Scott Kitterman (kitterman) wrote :

I think this should be SRU'ed, certainly to precise. I'll be glad to process the SRU once it's uploaded. Please either mention it in the bug or ping me on IRC.

Changed in libspf2 (Ubuntu Lucid):
status: New → Confirmed
Changed in libspf2 (Ubuntu Precise):
status: New → Confirmed
Changed in libspf2 (Ubuntu):
importance: Undecided → High
Changed in libspf2 (Ubuntu Lucid):
importance: Undecided → High
Changed in libspf2 (Ubuntu Precise):
importance: Undecided → High
Rolf Leggewie (r0lf)
tags: added: patch patch-accepted-debian
Rolf Leggewie (r0lf) wrote :

lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".

Changed in libspf2 (Ubuntu Lucid):
status: Confirmed → Won't Fix
Steve Langasek (vorlon) wrote :

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release.

Changed in libspf2 (Ubuntu Precise):
status: Confirmed → Won't Fix