The spf_fetch project is a collection of utilities to make managing
greylisting easier.
Greylisting is a technique for defeating spam by temporarily rejecting email unknown senders. Well-behaved mail servers will try again after a short interval, per the RFC. Spammers will usually move on and not try again. Once the rejected server tries again, it's ip address is added to a list of known-good mail servers for a period time, often a month or longer.
One of the problem with greylisting, however, is that large senders like Google, Microsoft, Yahoo and others have multiple outbound mail servers and do not often retry from the same host, ip address or block of ip addresses. This results in the greylisting software rejecting the mailer numerous times until the email is redelivered by one of the already greylisted ip addresses.
One naive technique for pre-greylisting large mailers like Google is to add their MX records to the approved senders list. Unfortunately, large companies rarely use the same servers and ip addresses for both sending and receiving.
The spf_fetch project uses a simple technique for pre-determining
which ip addresses and blocks of addresses to add to the approved
list:
SPF records.
Sender Policy Framework record are DNS entries that list ip addresses
and blocks of ip addresses that the company will send email from. Not
all companies have SPF records, but many do. Nearly all the large
companies like Google and Yahoo do, in part because they helped define
the SPF standard.
Looking up SPF records is not a simple matter of typing dig gmail.com SPF. SPF records are not a record type. They're stored
as TXT fields and have to be parsed. They can include the
records from another domain or redirect to another domain. To get
the full list of ip addresses authorized to send on behalf of a domain
requires multiple recursive lookups.
This is where spf_fetch comes in.
spf_fetch is a utility to recursively look-up SPF records from a
list of domains. The output is a list of IPv4 and IPv6 addresses and
blocks. This list can be used to create a whitelist of outbound
MTA addresses for email greylisting utilities like OpenBSD
spamd(8).
- Fully-recursive look ups
- Specify just IPv4 or IPv6 records (defaults to both)
- Specify DNS server (defaults to system defined)
- Lookup from file, command-line or
stdin - Filters to process, transform or filter addresses after recursive lookup
See the man page for further details.
spf_fetch can now run user-supplied filters to process, transform or
remove addresses after lookup but before returning them to stdout
Ships with filters/filter_sipcalc to validate IPv4 and IPv6
addresses.
Note: The filter
requires sipcalc so is not run
without explicitly adding with command-line parameter -t filters/filter_sipcalc.
Given a list of domains like in the examples/example_domains:
gmail.com
gmx.com
googlemail.com
google.com
spf_fetch will return:
#IPs for gmail.com...
#IPs for gmx.com...
213.165.64.0/23
74.208.5.64/26
74.208.122.0/26
212.227.126.128/25
212.227.15.0/24
212.227.17.0/27
74.208.4.192/26
82.165.159.0/24
217.72.207.0/27
#IPs for googlemail.com...
#IPs for google.com...
#IPs for _spf.google.com...
#IPs for _netblocks.google.com...
64.18.0.0/20
64.233.160.0/19
66.102.0.0/20
66.249.80.0/20
72.14.192.0/18
74.125.0.0/16
108.177.8.0/21
173.194.0.0/16
207.126.144.0/20
209.85.128.0/17
216.58.192.0/19
216.239.32.0/19
#IPs for _netblocks2.google.com...
#IPs for _netblocks3.google.com...
172.217.0.0/19
Each domain from the list and all domains discovered as include or
redirect domains in the SPF records will be recursively looked up to
get their relevant IPs addresses.
To get a good list of domains, see the github mailcheck (https://github.com/mailcheck/mailcheck/wiki/List-of-Popular-Domains)
See file common_domains for a properly formatted version of the
file.
spf_update_pf is a utility that will call spf_fetch with a file of
domains that should be whitelisted and add them to a table in OpenBSD
pf(4).
spf_update_pf defaults to look for a file called common_domains in
/etc/mail. It will call spf_fetch with the file as the input and
redirect the output to a file called common_domains_ips in
/etc/mail.
spf_update_pf defaults to add the ip addresses to a table called
common_white defined in pf.conf(5).
- Specify file and
pf(5)table - Pass additional arguments to
spf_fetch
See the man page for further details.
The output from spf_update_pf is now directed to
common_domains_ips rather than the previous common_domains_white.
If you're using a pf(5) table you'll want to rewrite line in
pf.conf(5) to something like:
table <common_white> persist file "/etc/mail/common_domains_ips"
spf_mta_capture is an experimental utility to watch a log file
to capture the domains of all outbound mail. It will then retrieve the
SPF records for the domain by calling spf_fetch and then add them to
a table in pf(5).
At the moment, spf_mta_capture only parses log files created by
OpenSMTPD.
spf_mta_capture is meant to run as a pipe program by syslogd(8).
- Writes send-to domains to file with timestamp in comment on same line
- Specify output file and
pf(5)table - Pass additional arguments to
spf_fetch - Truncate entries older than
now() - n seconds - Specify truncation seconds
See the man page for further details.
Copyright (c) 2016-2017 Aaron Poffenberger [email protected]
Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Let me know by Issue or email if you find bugs or other problems.