smtpctl spf walk ignores some records


smtpctl spf walk ignores some records

Giovanni Bechis
"smtpctl spf walk" doesn't work as it should because it breaks when it finds
macros as defined in RFC 7208.

$ echo ryanair.com | smtpctl spf walk
gives no output while dig reply is:
$ dig txt ryanair.com | grep spf
ryanair.com.            17      IN      TXT     "v=spf1 include:ryanair.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all"

Is it worth mentioning in smtpctl in CAVEATS section or somewhere else ?

 Cheers
  Giovanni

OpenBSD 6.8-beta (GENERIC) #54: Mon Aug 31 18:03:55 MDT 2020


Re: smtpctl spf walk ignores some records

Stuart Henderson
On 2020/09/13 22:48, Giovanni Bechis wrote:
> "smtpctl spf walk" doesn't work as it should because it breaks when it finds
> macros as defined in RFC 7208.
>
> $ echo ryanair.com | smtpctl spf walk
> gives no output while dig reply is:
> $ dig txt ryanair.com | grep spf
> ryanair.com.            17      IN      TXT     "v=spf1 include:ryanair.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all"

"spf walk" should return a warning or an error in these cases.

> Is it worth mentioning in smtpctl in CAVEATS section or somewhere else ?

Maybe in caveats, but if it's there it should be referenced in the
description of "spf walk" too, to make it easier to find.

Text something like this?

"SPF records may contain macros which cannot be included in a static list
and must be resolved dynamically at connection time.
spf walk cannot provide full results in these cases."


Re: smtpctl spf walk ignores some records

Martijn van Duren
On Mon, 2020-09-14 at 08:12 +0100, Stuart Henderson wrote:

> On 2020/09/13 22:48, Giovanni Bechis wrote:
> > "smtpctl spf walk" doesn't work as it should because it breaks when it finds
> > macros as defined in RFC 7208.
> >
> > $ echo ryanair.com | smtpctl spf walk
> > gives no output while dig reply is:
> > $ dig txt ryanair.com | grep spf
> > ryanair.com.            17      IN      TXT     "v=spf1 include:ryanair.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all"
>
> "spf walk" should return a warning or an error in these cases.

Was already working on that. How about the diff below?

$ echo ryanair.com | ./smtpctl/obj/smtpctl spf walk
smtpctl: lookup_record: %{i}._ip.%{h}._ehlo.%{d}._spf.vali.email contains macros and can't be resolved

>
> > Is it worth mentioning in smtpctl in CAVEATS section or somewhere else ?
>
> Maybe in caveats, but if it's there it should be referenced in the
> description of "spf walk" too, to make it easier to find.
>
> Text something like this?
>
> "SPF records may contain macros which cannot be included in a static list
> and must be resolved dynamically at connection time.
> spf walk cannot provide full results in these cases."

Text reads fine to me. Added to diff below.
While here I also changed the # to $ so as not to give people the
impression it should be run as root.

OK?

martijn@

Index: spfwalk.c
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/spfwalk.c,v
retrieving revision 1.17
diff -u -p -r1.17 spfwalk.c
--- spfwalk.c 15 Mar 2020 16:34:57 -0000 1.17
+++ spfwalk.c 14 Sep 2020 07:31:03 -0000
@@ -118,6 +118,11 @@ lookup_record(int type, const char *reco
  struct asr_query *as;
  struct target *ntgt;
 
+ if (strchr(record, '%') != NULL) {
+ warnx("%s: %s contains macros and can't be resolved", __func__,
+    record);
+ return;
+ }
  as = res_query_async(record, C_IN, type, NULL);
  if (as == NULL)
  err(1, "res_query_async");
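Review bot: `record` is text taken from a remote DNS TXT answer and `warnx` prints it unchanged, so a record carrying control bytes writes them straight to the operator's terminal; replace non-printable bytes (for example with a per-byte `isprint()` check on a copy) before the `warnx`. Smaller point: the bare `return;` leaves the caller unaware that a target was skipped, so consider recording the skip somewhere the command can use to signal a partial result rather than only warning.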
Index: smtpctl.8
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/smtpctl.8,v
retrieving revision 1.64
diff -u -p -r1.64 smtpctl.8
--- smtpctl.8 18 Sep 2018 06:21:45 -0000 1.64
+++ smtpctl.8 14 Sep 2020 07:31:03 -0000
@@ -247,8 +247,12 @@ Shows if MTA, MDA and SMTP systems are c
 Recursively look up SPF records for the domains read from stdin.
 For example:
 .Bd -literal -offset indent
-# smtpctl spf walk < domains.txt
+$ smtpctl spf walk < domains.txt
 .Ed
+.Pp
+SPF records may contain macros which cannot be included in a static list and
+must be resolved dynamically at connection time.
+spf walk cannot provide full results in these cases.
 .It Cm trace Ar subsystem
 Enables real-time tracing of
 .Ar subsystem .
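Review bot: the last added line names the command as plain text `spf walk`, while this file marks command keywords with `.Cm` (see `.It Cm trace Ar subsystem` two lines below); put it on its own line as `.Cm spf walk` so it renders consistently with the rest of the page.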


Re: smtpctl spf walk ignores some records

Giovanni Bechis
On 9/14/20 9:32 AM, Martijn van Duren wrote:

> On Mon, 2020-09-14 at 08:12 +0100, Stuart Henderson wrote:
>> On 2020/09/13 22:48, Giovanni Bechis wrote:
>>> "smtpctl spf walk" doesn't work as it should because it breaks when it finds
>>> macros as defined in RFC 7208.
>>>
>>> $ echo ryanair.com | smtpctl spf walk
>>> gives no output while dig reply is:
>>> $ dig txt ryanair.com | grep spf
>>> ryanair.com.            17      IN      TXT     "v=spf1 include:ryanair.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all"
>>
>> "spf walk" should return a warning or an error in these cases.
>
> Was already working on that. How about the diff below?
>
> $ echo ryanair.com | ./smtpctl/obj/smtpctl spf walk
> smtpctl: lookup_record: %{i}._ip.%{h}._ehlo.%{d}._spf.vali.email contains macros and can't be resolved
>>
>>> Is it worth mentioning in smtpctl in CAVEATS section or somewhere else ?
>>
>> Maybe in caveats, but if it's there it should be referenced in the
>> description of "spf walk" too, to make it easier to find.
>>
>> Text something like this?
>>
>> "SPF records may contain macros which cannot be included in a static list
>> and must be resolved dynamically at connection time.
>> spf walk cannot provide full results in these cases."
>
> Text reads fine to me. Added to diff below.
> While here I also changed the # to $ so as not to give people the
> impression it should be run as root.
>
> OK?
>
ok giovanni@, thanks.
 Giovanni

> martijn@
>
> Index: spfwalk.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/smtpd/spfwalk.c,v
> retrieving revision 1.17
> diff -u -p -r1.17 spfwalk.c
> --- spfwalk.c 15 Mar 2020 16:34:57 -0000 1.17
> +++ spfwalk.c 14 Sep 2020 07:31:03 -0000
> @@ -118,6 +118,11 @@ lookup_record(int type, const char *reco
>   struct asr_query *as;
>   struct target *ntgt;
>  
> + if (strchr(record, '%') != NULL) {
> + warnx("%s: %s contains macros and can't be resolved", __func__,
> +    record);
> + return;
> + }
>   as = res_query_async(record, C_IN, type, NULL);
>   if (as == NULL)
>   err(1, "res_query_async");
> Index: smtpctl.8
> ===================================================================
> RCS file: /cvs/src/usr.sbin/smtpd/smtpctl.8,v
> retrieving revision 1.64
> diff -u -p -r1.64 smtpctl.8
> --- smtpctl.8 18 Sep 2018 06:21:45 -0000 1.64
> +++ smtpctl.8 14 Sep 2020 07:31:03 -0000
> @@ -247,8 +247,12 @@ Shows if MTA, MDA and SMTP systems are c
>  Recursively look up SPF records for the domains read from stdin.
>  For example:
>  .Bd -literal -offset indent
> -# smtpctl spf walk < domains.txt
> +$ smtpctl spf walk < domains.txt
>  .Ed
> +.Pp
> +SPF records may contain macros which cannot be included in a static list and
> +must be resolved dynamically at connection time.
> +spf walk cannot provide full results in these cases.
>  .It Cm trace Ar subsystem
>  Enables real-time tracing of
>  .Ar subsystem .
>


Re: smtpctl spf walk ignores some records

Jason McIntyre
On Mon, Sep 14, 2020 at 09:49:30AM +0200, Giovanni Bechis wrote:

> On 9/14/20 9:32 AM, Martijn van Duren wrote:
> > On Mon, 2020-09-14 at 08:12 +0100, Stuart Henderson wrote:
> >> On 2020/09/13 22:48, Giovanni Bechis wrote:
> >>> "smtpctl spf walk" doesn't work as it should because it breaks when it finds
> >>> macros as defined in RFC 7208.
> >>>
> >>> $ echo ryanair.com | smtpctl spf walk
> >>> gives no output while dig reply is:
> >>> $ dig txt ryanair.com | grep spf
> >>> ryanair.com.            17      IN      TXT     "v=spf1 include:ryanair.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all"
> >>
> >> "spf walk" should return a warning or an error in these cases.
> >
> > Was already working on that. How about the diff below?
> >
> > $ echo ryanair.com | ./smtpctl/obj/smtpctl spf walk
> > smtpctl: lookup_record: %{i}._ip.%{h}._ehlo.%{d}._spf.vali.email contains macros and can't be resolved
> >>
> >>> Is it worth mentioning in smtpctl in CAVEATS section or somewhere else ?
> >>
> >> Maybe in caveats, but if it's there it should be referenced in the
> >> description of "spf walk" too, to make it easier to find.
> >>
> >> Text something like this?
> >>
> >> "SPF records may contain macros which cannot be included in a static list
> >> and must be resolved dynamically at connection time.
> >> spf walk cannot provide full results in these cases."
> >
> > Text reads fine to me. Added to diff below.
> > While here I also changed the # to $ so as not to give people the
> > impression it should be run as root.
> >
> > OK?
> >
> ok giovanni@, thanks.
>  Giovanni
>
> > martijn@
> >
> > Index: spfwalk.c
> > ===================================================================
> > RCS file: /cvs/src/usr.sbin/smtpd/spfwalk.c,v
> > retrieving revision 1.17
> > diff -u -p -r1.17 spfwalk.c
> > --- spfwalk.c 15 Mar 2020 16:34:57 -0000 1.17
> > +++ spfwalk.c 14 Sep 2020 07:31:03 -0000
> > @@ -118,6 +118,11 @@ lookup_record(int type, const char *reco
> >   struct asr_query *as;
> >   struct target *ntgt;
> >  
> > + if (strchr(record, '%') != NULL) {
> > + warnx("%s: %s contains macros and can't be resolved", __func__,
> > +    record);
> > + return;
> > + }
> >   as = res_query_async(record, C_IN, type, NULL);
> >   if (as == NULL)
> >   err(1, "res_query_async");
> > Index: smtpctl.8
> > ===================================================================
> > RCS file: /cvs/src/usr.sbin/smtpd/smtpctl.8,v
> > retrieving revision 1.64
> > diff -u -p -r1.64 smtpctl.8
> > --- smtpctl.8 18 Sep 2018 06:21:45 -0000 1.64
> > +++ smtpctl.8 14 Sep 2020 07:31:03 -0000
> > @@ -247,8 +247,12 @@ Shows if MTA, MDA and SMTP systems are c
> >  Recursively look up SPF records for the domains read from stdin.
> >  For example:
> >  .Bd -literal -offset indent
> > -# smtpctl spf walk < domains.txt
> > +$ smtpctl spf walk < domains.txt
> >  .Ed
> > +.Pp
> > +SPF records may contain macros which cannot be included in a static list and
> > +must be resolved dynamically at connection time.
> > +spf walk cannot provide full results in these cases.
> >  .It Cm trace Ar subsystem
> >  Enables real-time tracing of
> >  .Ar subsystem .
> >
>

ok from me too. but i think you should probably mark up "spf walk" in
the last line of added text.

jmc


Re: smtpctl spf walk ignores some records

Sebastien Marie
On Mon, Sep 14, 2020 at 09:32:46AM +0200, Martijn van Duren wrote:

> On Mon, 2020-09-14 at 08:12 +0100, Stuart Henderson wrote:
> > On 2020/09/13 22:48, Giovanni Bechis wrote:
> > > "smtpctl spf walk" doesn't work as it should because it breaks when it finds
> > > macros as defined in RFC 7208.
> > >
> > > $ echo ryanair.com | smtpctl spf walk
> > > gives no output while dig reply is:
> > > $ dig txt ryanair.com | grep spf
> > > ryanair.com.            17      IN      TXT     "v=spf1 include:ryanair.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all"
> >
> > "spf walk" should return a warning or an error in these cases.
>
> Was already working on that. How about the diff below?
>
> $ echo ryanair.com | ./smtpctl/obj/smtpctl spf walk
> smtpctl: lookup_record: %{i}._ip.%{h}._ehlo.%{d}._spf.vali.email contains macros and can't be resolved
> >
> > > Is it worth mentioning in smtpctl in CAVEATS section or somewhere else ?
> >
> > Maybe in caveats, but if it's there it should be referenced in the
> > description of "spf walk" too, to make it easier to find.
> >
> > Text something like this?
> >
> > "SPF records may contain macros which cannot be included in a static list
> > and must be resolved dynamically at connection time.
> > spf walk cannot provide full results in these cases."
>
> Text reads fine to me. Added to diff below.
> While here I also changed the # to $ so as not to give people the
> impression it should be run as root.
>
> OK?
>
> martijn@
>
> Index: spfwalk.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/smtpd/spfwalk.c,v
> retrieving revision 1.17
> diff -u -p -r1.17 spfwalk.c
> --- spfwalk.c 15 Mar 2020 16:34:57 -0000 1.17
> +++ spfwalk.c 14 Sep 2020 07:31:03 -0000
> @@ -118,6 +118,11 @@ lookup_record(int type, const char *reco
>   struct asr_query *as;
>   struct target *ntgt;
>  
> + if (strchr(record, '%') != NULL) {
> + warnx("%s: %s contains macros and can't be resolved", __func__,
> +    record);
> + return;
> + }

maybe escape the output before it reaches the terminal? the string
comes from an untrusted source...

>   as = res_query_async(record, C_IN, type, NULL);
>   if (as == NULL)
>   err(1, "res_query_async");
> Index: smtpctl.8
> ===================================================================
> RCS file: /cvs/src/usr.sbin/smtpd/smtpctl.8,v
> retrieving revision 1.64
> diff -u -p -r1.64 smtpctl.8
> --- smtpctl.8 18 Sep 2018 06:21:45 -0000 1.64
> +++ smtpctl.8 14 Sep 2020 07:31:03 -0000
> @@ -247,8 +247,12 @@ Shows if MTA, MDA and SMTP systems are c
>  Recursively look up SPF records for the domains read from stdin.
>  For example:
>  .Bd -literal -offset indent
> -# smtpctl spf walk < domains.txt
> +$ smtpctl spf walk < domains.txt
>  .Ed
> +.Pp
> +SPF records may contain macros which cannot be included in a static list and
> +must be resolved dynamically at connection time.
> +spf walk cannot provide full results in these cases.
>  .It Cm trace Ar subsystem
>  Enables real-time tracing of
>  .Ar subsystem .
>

--
Sebastien Marie


Re: smtpctl spf walk ignores some records

Martijn van Duren
On Mon, 2020-09-14 at 10:28 +0200, Sebastien Marie wrote:

> On Mon, Sep 14, 2020 at 09:32:46AM +0200, Martijn van Duren wrote:
> > On Mon, 2020-09-14 at 08:12 +0100, Stuart Henderson wrote:
> > > On 2020/09/13 22:48, Giovanni Bechis wrote:
> > > > "smtpctl spf walk" doesn't work as it should because it breaks when it finds
> > > > macros as defined in RFC 7208.
> > > >
> > > > $ echo ryanair.com | smtpctl spf walk
> > > > gives no output while dig reply is:
> > > > $ dig txt ryanair.com | grep spf
> > > > ryanair.com.            17      IN      TXT     "v=spf1 include:ryanair.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all"
> > >
> > > "spf walk" should return a warning or an error in these cases.
> >
> > Was already working on that. How about the diff below?
> >
> > $ echo ryanair.com | ./smtpctl/obj/smtpctl spf walk
> > smtpctl: lookup_record: %{i}._ip.%{h}._ehlo.%{d}._spf.vali.email contains macros and can't be resolved
> > > > Is it worth mentioning in smtpctl in CAVEATS section or somewhere else ?
> > >
> > > Maybe in caveats, but if it's there it should be referenced in the
> > > description of "spf walk" too, to make it easier to find.
> > >
> > > Text something like this?
> > >
> > > "SPF records may contain macros which cannot be included in a static list
> > > and must be resolved dynamically at connection time.
> > > spf walk cannot provide full results in these cases."
> >
> > Text reads fine to me. Added to diff below.
> > While here I also changed the # to $ so as not to give people the
> > impression it should be run as root.
> >
> > OK?
> >
> > martijn@
> >
> > Index: spfwalk.c
> > ===================================================================
> > RCS file: /cvs/src/usr.sbin/smtpd/spfwalk.c,v
> > retrieving revision 1.17
> > diff -u -p -r1.17 spfwalk.c
> > --- spfwalk.c 15 Mar 2020 16:34:57 -0000 1.17
> > +++ spfwalk.c 14 Sep 2020 07:31:03 -0000
> > @@ -118,6 +118,11 @@ lookup_record(int type, const char *reco
> >   struct asr_query *as;
> >   struct target *ntgt;
> >  
> > + if (strchr(record, '%') != NULL) {
> > + warnx("%s: %s contains macros and can't be resolved", __func__,
> > +    record);
> > + return;
> > + }
>
> maybe escape the output before it reaches the terminal? the string
> comes from an untrusted source...

I think the code below is the easiest solution, since '?' is not part
of a domain name or the macro syntax.

Also marked the final "spf walk" in the manpage based on feedback from
jmc.

> >   as = res_query_async(record, C_IN, type, NULL);
> >   if (as == NULL)
> >   err(1, "res_query_async");
> > Index: smtpctl.8
> > ===================================================================
> > RCS file: /cvs/src/usr.sbin/smtpd/smtpctl.8,v
> > retrieving revision 1.64
> > diff -u -p -r1.64 smtpctl.8
> > --- smtpctl.8 18 Sep 2018 06:21:45 -0000 1.64
> > +++ smtpctl.8 14 Sep 2020 07:31:03 -0000
> > @@ -247,8 +247,12 @@ Shows if MTA, MDA and SMTP systems are c
> >  Recursively look up SPF records for the domains read from stdin.
> >  For example:
> >  .Bd -literal -offset indent
> > -# smtpctl spf walk < domains.txt
> > +$ smtpctl spf walk < domains.txt
> >  .Ed
> > +.Pp
> > +SPF records may contain macros which cannot be included in a static list and
> > +must be resolved dynamically at connection time.
> > +spf walk cannot provide full results in these cases.
> >  .It Cm trace Ar subsystem
> >  Enables real-time tracing of
> >  .Ar subsystem .
> >

Index: spfwalk.c
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/spfwalk.c,v
retrieving revision 1.17
diff -u -p -r1.17 spfwalk.c
--- spfwalk.c 15 Mar 2020 16:34:57 -0000 1.17
+++ spfwalk.c 14 Sep 2020 08:52:23 -0000
@@ -117,7 +117,17 @@ lookup_record(int type, const char *reco
 {
  struct asr_query *as;
  struct target *ntgt;
+ size_t i;
 
+ if (strchr(record, '%') != NULL) {
+ for (i = 0; record[i] != '\0'; i++) {
+ if (!isprint(record[i]))
+ record[i] = '?';
+ }
+ warnx("%s: %s contains macros and can't be resolved", __func__,
+    record);
+ return;
+ }
  as = res_query_async(record, C_IN, type, NULL);
  if (as == NULL)
  err(1, "res_query_async");
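Review bot: `record[i] = '?'` writes through `record`, which the hunk header shows is declared `const char *`, so this will not compile unless the parameter (and its callers) drop the `const`, or the sanitized text goes into a local buffer that is what `warnx` prints. Also pass `(unsigned char)record[i]` to `isprint()`: with a signed `char`, bytes above 0x7f become negative and `isprint()` is undefined for them, and those are exactly the bytes an untrusted record would carry; make sure `<ctype.h>` is included for it.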
Index: smtpctl.8
===================================================================
RCS file: /cvs/src/usr.sbin/smtpd/smtpctl.8,v
retrieving revision 1.64
diff -u -p -r1.64 smtpctl.8
--- smtpctl.8 18 Sep 2018 06:21:45 -0000 1.64
+++ smtpctl.8 14 Sep 2020 08:52:23 -0000
@@ -247,8 +247,13 @@ Shows if MTA, MDA and SMTP systems are c
 Recursively look up SPF records for the domains read from stdin.
 For example:
 .Bd -literal -offset indent
-# smtpctl spf walk < domains.txt
+$ smtpctl spf walk < domains.txt
 .Ed
+.Pp
+SPF records may contain macros which cannot be included in a static list and
+must be resolved dynamically at connection time.
+.Cm spf walk
+cannot provide full results in these cases.
 .It Cm trace Ar subsystem
 Enables real-time tracing of
 .Ar subsystem .
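An added example, not OpenBSD's spfwalk.c, that carries both points of this thread a step further: it tells the RFC 7208 macro expansions apart from the literal `%%`, `%_` and `%-` escapes (the shipped check refuses any `%`, which is stricter), and it sanitizes the untrusted record text into a separate buffer before printing, as Sebastien asked. The function names spf_has_macro, spf_sanitize and spf_walk_record are this example's own.

```c
/* Added example, not OpenBSD's spfwalk.c: flag SPF "include:" targets that
 * need RFC 7208 macro expansion and sanitize untrusted DNS text before it is
 * printed. Function names are this example's own. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* 1 if target holds a macro expansion ("%{...}") or a stray '%', else 0.
 * "%%", "%_" and "%-" are literal escapes; smtpctl's strchr(record, '%')
 * refuses those too, which is stricter but safe. */
int
spf_has_macro(const char *target)
{
	const char *p;

	for (p = target; (p = strchr(p, '%')) != NULL; p += 2)
		if (p[1] != '%' && p[1] != '_' && p[1] != '-')
			return 1;	/* "%{" or a trailing '%' */
	return 0;
}

/* Copy src to dst, turning non-printable bytes into '?' so a hostile TXT
 * record cannot emit terminal control sequences. Returns bytes replaced.
 * The unsigned char cast keeps isprint() defined for bytes above 0x7f. */
size_t
spf_sanitize(const char *src, char *dst, size_t dstsz)
{
	size_t i, replaced = 0;

	if (dstsz == 0)
		return 0;
	for (i = 0; i + 1 < dstsz && src[i] != '\0'; i++) {
		if (isprint((unsigned char)src[i]))
			dst[i] = src[i];
		else {
			dst[i] = '?';
			replaced++;
		}
	}
	dst[i] = '\0';
	return replaced;
}

/* Print the plain include: targets of one record (what a walker resolves
 * next), warn with sanitized text on macro targets, and return how many
 * targets could not be walked. */
int
spf_walk_record(const char *record)
{
	const char *tok = record, *end;
	char raw[256], safe[256];
	size_t n;
	int skipped = 0;

	while (*tok != '\0') {
		tok += strspn(tok, " ");		/* skip separators */
		end = tok + strcspn(tok, " ");		/* end of this term */
		n = (size_t)(end - tok);
		if (n > 8 && strncmp(tok, "include:", 8) == 0) {
			n = n - 8 < sizeof(raw) ? n - 8 : sizeof(raw) - 1;
			memcpy(raw, tok + 8, n);
			raw[n] = '\0';
			if (spf_has_macro(raw)) {
				spf_sanitize(raw, safe, sizeof(safe));
				fprintf(stderr, "%s contains macros and can't be resolved\n", safe);
				skipped++;
			} else
				printf("%s\n", raw);
		}
		tok = end;
	}
	return skipped;
}
```

Run against the ryanair.com record from the thread, spf_walk_record prints the first include target and warns on the second, returning 1 skipped target.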