Subversion Repositories

.\"     Title: SPFQUERY

.\"     Title: SPFQUERY

.\"    Author: Magnus Holmgren <magnus@kibibyte.se>

.\"    Author: Magnus Holmgren <magnus@kibibyte.se>

.\"      Date: 2007-09-06

.\"      Date: 2007-09-06

.\"    Manual: libspf2 manuals for Debian

.\"    Manual: libspf2 manuals for Debian

.\"    Source: libspf2 1.2.5

.\"    Source: libspf2 1.2.5

.\"

.\"

.TH "SPFQUERY" "1" "2007-09-06" "libspf2 1.2.5" "libspf2 manuals for Debian"

.TH "SPFQUERY" "1" "2007-09-06" "libspf2 1.2.5" "libspf2 manuals for Debian"

.\" disable hyphenation

.\" disable hyphenation

.nh

.nh

.SH NAME

.SH NAME

spfquery, spfquery.libspf2 \- checks if an IP address is an SPF-authorized SMTP sender for a domain.

spfquery, spfquery.libspf2 \- checks if an IP address is an SPF-authorized SMTP sender for a domain.

.SH SYNOPSIS

.SH SYNOPSIS

.ad l

.ad l

.HP 9

.HP 9

.B spfquery

.B spfquery

.RB { \-i | \-\-ip }

.RB { \-i | \-\-ip }

.I ip\-address

.I ip\-address

.RB { -s | \-\-sender }

.RB { -s | \-\-sender }

.RI [ local-part \fB@\fP] domain

.RI [ local-part \fB@\fP] domain

.RB [{ \-h | \-\-helo } 

.RB [{ \-h | \-\-helo } 

.IR domain-name ]

.IR domain-name ]

.RB [ \-\-rcpt\-to

.RB [ \-\-rcpt\-to

.IR email-address(es) ]

.IR email-address(es) ]

.RI [ CONTROL-OPTIONS ]

.RI [ CONTROL-OPTIONS ]

.HP 9

.HP 9

.B spfquery

.B spfquery

.RB { \-f | \-\-file }

.RB { \-f | \-\-file }

.IR datafile " [" CONTROL-OPTIONS ] 

.IR datafile " [" CONTROL-OPTIONS ] 

.HP 9

.HP 9

.B spfquery

.B spfquery

.RB { \-\-help | \-v | \-\-version }

.RB { \-\-help | \-v | \-\-version }

.ad b

.ad b

.SH DESCRIPTION

.SH DESCRIPTION

This manual page documents briefly the

This manual page documents briefly the

\fBspfquery\fR

\fBspfquery\fR

command. It was written for the

command. It was written for the

Debian\*[R] distribution because the original program does not have a manual page.

Debian\*[R] distribution because the original program does not have a manual page.

.PP

.PP

\fBspfquery\fR performs Sender Policy Framework (SPF) authorization

\fBspfquery\fR performs Sender Policy Framework (SPF) authorization

checks based on the command-line arguments or data given in a file or

checks based on the command-line arguments or data given in a file or

on standard input. For information on SPF see http://www.openspf.org.

on standard input. For information on SPF see http://www.openspf.org.

.

.

.SH OPTIONS

.SH OPTIONS

Options are divided into two groups: Data options, which must be

Options are divided into two groups: Data options, which must be

given, though just enough of them to specify a query; and control

given, though just enough of them to specify a query; and control

options, which are optional and control the local policy, behaviour

options, which are optional and control the local policy, behaviour

and output format of spfquery.

and output format of spfquery.

.PP

.PP

This programs follows the GNU \fBgetopt_long_only\fR(3) command line

This programs follows the GNU \fBgetopt_long_only\fR(3) command line

syntax: Long options can be given with one or two dashes and can be

syntax: Long options can be given with one or two dashes and can be

abbreviated to a prefix long enough to be non-ambiguous. If an option

abbreviated to a prefix long enough to be non-ambiguous. If an option

starting with a single dash doesn't match a long option, it is taken

starting with a single dash doesn't match a long option, it is taken

as a short option with a following parameter, if applicable. An equals

as a short option with a following parameter, if applicable. An equals

sign between the option name and the parameter is optional for both

sign between the option name and the parameter is optional for both

short and long options.

short and long options.

.SS Data options

.SS Data options

The

The

\fB\-\-file\fR option conflicts with all the other data options. The

\fB\-\-file\fR option conflicts with all the other data options. The

\fB\-\-helo\fR and \fB\-\-rcpt\-to\fR are optional.

\fB\-\-helo\fR and \fB\-\-rcpt\-to\fR are optional.

.TP

.TP

\fB\-f\fR, \fB\-\-file\fR \fIfilename\fR

\fB\-f\fR, \fB\-\-file\fR \fIfilename\fR

Read SPF data from \fIfilename\fR. Specify \(lq-\(rq to read from standard input.

Read SPF data from \fIfilename\fR. Specify \(lq-\(rq to read from standard input.

.sp

.sp

The file should consist of one line per query, each query line consisting of the IP address, sender adress, and optional HELO string, separated by spaces.

The file should consist of one line per query, each query line consisting of the IP address, sender adress, and optional HELO string, separated by spaces.

.sp

.sp

\fBNote\fP

\fBNote\fP

Local parts containing spaces are currently not supported.

Local parts containing spaces are currently not supported.

.TP

.TP

\fB\-i\fP, \fB\-\-ip\fP \fIip-address\fP

\fB\-i\fP, \fB\-\-ip\fP \fIip-address\fP

Specify the IP address of the remote host that is delivering the mail.

Specify the IP address of the remote host that is delivering the mail.

.TP

.TP

\fB\-s\fP, \fB\-\-sender\fP [\fIlocal-part\fP\fB@\fP]\fIdomain\fP

\fB\-s\fP, \fB\-\-sender\fP [\fIlocal-part\fP\fB@\fP]\fIdomain\fP

Specify the email address that was used as the envelope sender. If no

Specify the email address that was used as the envelope sender. If no

username (local part) is given, \(lqpostmaster\(rq will be assumed.

username (local part) is given, \(lqpostmaster\(rq will be assumed.

.TP

.TP

\fB\-h\fP, \fB\-\-helo\fP \fIdomain-name\fP

\fB\-h\fP, \fB\-\-helo\fP \fIdomain-name\fP

Specify that \fIdomain-name\fP was provided in the SMTP HELO (or EHLO) command.

Specify that \fIdomain-name\fP was provided in the SMTP HELO (or EHLO) command.

.TP

.TP

\fB\-r\fP, \fB\-\-rcpt-to\fP \fIrcpt-address\fP[,\fIrcpt-address\fP,...]

\fB\-r\fP, \fB\-\-rcpt-to\fP \fIrcpt-address\fP[,\fIrcpt-address\fP,...]

Specify the recipients as comma-separated list. Any secondary mail exchangers of all

Specify the recipients as comma-separated list. Any secondary mail exchangers of all

recipient domains are automatically authorized.

recipient domains are automatically authorized.

.

.

.SS Control options

.SS Control options

.TP

.TP

\fB\-d\fP, \fB\-\-debug\fP[\fB=\fP\fIlevel\fP]

\fB\-d\fP, \fB\-\-debug\fP[\fB=\fP\fIlevel\fP]

Turn on debugging output.

Turn on debugging output.

.TP

.TP

\fB\-l\fP, \fB\-\-local\fP \fIspf\-terms\fP

\fB\-l\fP, \fB\-\-local\fP \fIspf\-terms\fP

Test against \fIspf\-terms\fR before the final (implicit or explicit)

Test against \fIspf\-terms\fR before the final (implicit or explicit)

\(lqall\(rq in an SPF record. This can be used to implement a local policy for whitelisting.

\(lqall\(rq in an SPF record. This can be used to implement a local policy for whitelisting.

.TP

.TP

\fB\-t, \fB\-\-trusted\fR [\fB1\fR]

\fB\-t, \fB\-\-trusted\fR [\fB1\fR]

Check the sender domain with trusted\-forwarder.org.

Check the sender domain with trusted\-forwarder.org.

\fBThis is a non\-standard feature.\fR

\fBThis is a non\-standard feature.\fR

.TP

.TP

\fB\-t\fP \fB0\fP, \fB\-\-trusted\fR \fB0\fP

\fB\-t\fP \fB0\fP, \fB\-\-trusted\fR \fB0\fP

Do not check the sender domain with trusted\-forwarder.org. This is the default.

Do not check the sender domain with trusted\-forwarder.org. This is the default.

.TP

.TP

\fB\-g\fP, \fB\-\-guess\fP \fIspf-mechanisms\fP

\fB\-g\fP, \fB\-\-guess\fP \fIspf-mechanisms\fP

Test the sender domain against \fIspf\-mechanisms\fP if the domain has no SPF record.

Test the sender domain against \fIspf\-mechanisms\fP if the domain has no SPF record.

.TP

.TP

\fB\-e\fP, \fB\-\-default\-explanation\fP \fIstring\fP

\fB\-e\fP, \fB\-\-default\-explanation\fP \fIstring\fP

Default explanation string to use if the SPF record does not specify an expla\%nation string itself.

Default explanation string to use if the SPF record does not specify an expla\%nation string itself.

.TP

.TP

\fB\-m\fP, \fB\-\-max\-lookup\fP \fInumber\fP

\fB\-m\fP, \fB\-\-max\-lookup\fP \fInumber\fP

Maximum number of DNS lookups to allow.

Maximum number of DNS lookups to allow.

.TP

.TP

\fB\-c\fP, \fB\-\-sanitize\fP [\fB0\fP|\fB1\fP]

\fB\-c\fP, \fB\-\-sanitize\fP [\fB0\fP|\fB1\fP]

Do [not] sanitize the output by condensing conse\%cutive white\%space

Do [not] sanitize the output by condensing conse\%cutive white\%space

into a single space and replacing non-printable characters with

into a single space and replacing non-printable characters with

question marks. Enabled by default.

question marks. Enabled by default.

.TP

.TP

\fB\-n\fP, \fB\-\-name\fP \fIhostname\fP

\fB\-n\fP, \fB\-\-name\fP \fIhostname\fP

Use

Use

\fIhostname\fP

\fIhostname\fP

as the name of the local system instead of

as the name of the local system instead of

\(lqspfquery\(rq

\(lqspfquery\(rq

(the name is used in the output).

(the name is used in the output).

.TP

.TP

\fB\-k\fP, \fB\-\-keep\-comments\fP

\fB\-k\fP, \fB\-\-keep\-comments\fP

Print comments found when reading from a file.

Print comments found when reading from a file.

.TP

.TP

\fB\-a\fP, \fB\-\-override\fP \fI...\fP

\fB\-a\fP, \fB\-\-override\fP \fI...\fP

.TP

.TP

\fB\-z\fP, \fB\-\-fallback\fP \fI...\fP

\fB\-z\fP, \fB\-\-fallback\fP \fI...\fP

Provide override and fallback SPF records for certain domains.

Provide override and fallback SPF records for certain domains.

\fBNot implemented yet.\fP

\fBNot implemented yet.\fP

\fBspfquery\fP

\fBspfquery\fP

would act as if the speci\%fied records were present before and after any existing record, respectively, of those domains.

would act as if the speci\%fied records were present before and after any existing record, respectively, of those domains.

.TP

.TP

\fB\-\-help\fP

\fB\-\-help\fP

Show summary of options.

Show summary of options.

.TP

.TP

\fB\-v\fP, \fB\-\-version\fP

\fB\-v\fP, \fB\-\-version\fP

Show version of program.

Show version of program.

.SH DIAGNOSTICS

.SH DIAGNOSTICS

The output ordinarily consists of four lines:

The output ordinarily consists of four lines:

.IP 1. 4

.IP 1. 4

the \fIresult code\fP;

the \fIresult code\fP;

.IP 2. 4

.IP 2. 4

the \fIexplanation\fP, suitable for use in an SMTP response message, empty

the \fIexplanation\fP, suitable for use in an SMTP response message, empty

except when a rejection (permanent or temporary) makes sense;

except when a rejection (permanent or temporary) makes sense;

.IP 3. 4

.IP 3. 4

the header comment on its own;

the header comment on its own;

.IP 4. 4

.IP 4. 4

the Received\-SPF header field as defined in RFC 4408 section 7,

the Received\-SPF header field as defined in RFC 4408 section 7,

incorporating the header comment.

incorporating the header comment.

.PP

.PP

If errors (including no SPF record found!) occur during processing, 

If errors (including no SPF record found!) occur during processing, 

one or more error blocks will be prepended.

one or more error blocks will be prepended.

These start with \(lqStartError\(lq and end with \(lqEndError\(lq.

These start with \(lqStartError\(lq and end with \(lqEndError\(lq.

.PP

.PP

The result codes and their corresponding exit codes are as follows:

The result codes and their corresponding exit codes are as follows:

.TP

.TP

.B 1 \(en neutral

.B 1 \(en neutral

The sender domain explicitly makes no assertion about the \fIip-address\fP.

The sender domain explicitly makes no assertion about the \fIip-address\fP.

This result must be interpreted exactly as if no SPF record at all existed.

This result must be interpreted exactly as if no SPF record at all existed.

.TP

.TP

.B 2 \(en pass

.B 2 \(en pass

The \fIip-address\fP is authorized to send mail for the sender domain.

The \fIip-address\fP is authorized to send mail for the sender domain.

.TP

.TP

.B 3 \(en fail

.B 3 \(en fail

The \fIip-address\fP is \fBunauthorized\fP to send mail for the sender domain.

The \fIip-address\fP is \fBunauthorized\fP to send mail for the sender domain.

.TP

.TP

.B 4 \(en softfail

.B 4 \(en softfail

The \fIip-address\fP is not authorized to send mail for the sender domain, but

The \fIip-address\fP is not authorized to send mail for the sender domain, but

the sender domain cannot or does not wish to make a strong assertion that no such mail can

the sender domain cannot or does not wish to make a strong assertion that no such mail can

ever come from it.

ever come from it.

.TP

.TP

.B 5 \(en none

.B 5 \(en none

No SPF record was found.

No SPF record was found.

.TP

.TP

.BR "6 \(en error" " (temporary)"

.BR "6 \(en error" " (temporary)"

A transient error occurred (e.g. failure to reach a DNS server), preventing a

A transient error occurred (e.g. failure to reach a DNS server), preventing a

result from being reached.

result from being reached.

.TP

.TP

.BR "7 \(en unknown" " (permanent error)"

.BR "7 \(en unknown" " (permanent error)"

One or more SPF records could not be interpreted.

One or more SPF records could not be interpreted.

.SH EXAMPLES

.SH EXAMPLES

.nf

.nf

spfquery \-ip=11.22.33.44 \-sender=user@aol.com \-helo=spammer.tld

spfquery \-ip=11.22.33.44 \-sender=user@aol.com \-helo=spammer.tld

spfquery \-f test_data

spfquery \-f test_data

echo "127.0.0.1 myname@mydomain.com helohost.com" | spfquery \-f \-

echo "127.0.0.1 myname@mydomain.com helohost.com" | spfquery \-f \-

.fi

.fi

.SH SEE ALSO

.SH SEE ALSO

\fBspftest\fR(1), \fBspfd\fR(8)

\fBspftest\fR(1), \fBspfd\fR(8)

.SH AUTHOR

.SH AUTHOR

\fBspfquery\fP was written by Wayne Schlitt.

\fBspfquery\fP was written by Wayne Schlitt.

.PP

.PP

This manual page was written by Magnus Holmgren for the Debian\*[R]

This manual page was written by Magnus Holmgren for the Debian\*[R]

system (but may be used by others). Heavily inspired by the spfquery manpage of 

system (but may be used by others). Heavily inspired by the spfquery manpage of 

libmail\-spf\-query\-perl (\fBspfquery.mail\-spf\-query\-perl\fR(1)) by Julian Mehnle.

libmail\-spf\-query\-perl (\fBspfquery.mail\-spf\-query\-perl\fR(1)) by Julian Mehnle.

Also based on the command\-line help of spfquery.

Also based on the command\-line help of spfquery.

.SH COPYRIGHT

.SH COPYRIGHT

Copyright \(co 2007 Magnus Holmgren. Permission is granted to copy,

Copyright \(co 2007 Magnus Holmgren. Permission is granted to copy,

distribute and/or modify this document under the terms of the BSD

distribute and/or modify this document under the terms of the BSD

License.

License.

.PP

.PP

On Debian systems, the complete text of the BSD License can be found in /usr/share/common\-licenses/BSD.

On Debian systems, the complete text of the BSD License can be found in /usr/share/common\-licenses/BSD.