[exim] Re : SPF checking and type 99 filtering

Author: Christian Gregoire
Date:
To: Murray S. Kucherawy, exim-users@exim.org
Old topics: Re: [exim] SPF checking and type 99 filtering
Subject: [exim] Re : SPF checking and type 99 filtering
>> -----Original Message-----
>> From: exim-users-bounces@??? [mailto:exim-users-bounces@exim.org] On Behalf Of Phil Pennock
>> Sent: Friday, August 12, 2011 2:54 PM
>> To: Christian Gregoire
>> Cc: exim-users@???
>> Subject: Re: [exim] SPF checking and type 99 filtering
>>
>> Not really. Unfortunately, libspf2 doesn't provide a timeout mechanism,
>> so we would need to wrap the library calls in timeouts manually.
>> However, the abstraction would make this a "SPF result or SPF timeout"
>> expiry and the Exim code is in no position to timeout just the SPF
>> RR-type lookups, while letting the TXT RR-type lookups succeed.
>> [...]


> A cursory look through the libspf2 source code suggests it (by default) uses the
> stock system resolver, and influencing timeouts there is a chore.
> (Specifically, it calls res_query() or res_nquery().) You could try to add a
> patch to it so that it calls res_init()/res_ninit() and requests shorter
> timeouts, or better yet add a hook so that exim can make that request using the
> timeouts it wants.

> Even better would be to modify libspf2 to allow control over timeouts by using
> res_mkquery() to build the query, then do your own sendto() and wait for an
> answer with your own timeout, but then you have to worry about retransmission
> and possible TCP upgrades.

> But that's a lot of work. Someone doing this might want to look into using
> libunbound instead since it hides a lot of that (but not all of it) from you.
> But that creates a new library dependency.

> But the real reason I'm replying to this is to say this is useful data for some
> work that's starting up at IETF with regard to SPF. Specifically, if RRTYPE 99
> queries are an operational problem, the people looking at updating the standards
> need to know that. I'll make sure it's forwarded along.


OK, indeed this topic is being discussed on the SPF mailing list. Thanks for
passing that along.

But ... in the end, shouldn't it be Exim's responsibility to check for a
timeout? There's already this possibility with callouts (verify =
sender/callout=5s) or the ${readsocket ...} expansion item, for example. So why not
with SPF checking? I understand that it may be a bug in the libspf2
implementation but again, can't Exim deal with that?
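
The approach from the quoted reply (build the query yourself, send it, and wait with your own timeout), as an added example that is not libspf2 or Exim code and not part of the original message. It hand-encodes the type 99 query instead of calling res_mkquery() so that it links without libresolv; the function names are hypothetical, and the loopback socket that never replies is a constructed stand-in for a resolver that ignores type 99 queries.

```c
#include <netinet/in.h>
#include <poll.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
/* Build a one-question DNS query (RD set, class IN). Returns its length, or -1. */
int build_query(const char *name, unsigned qtype, unsigned id, unsigned char *buf, size_t cap) {
    size_t n = 12;                                   /* fixed DNS header size */
    if (cap < n) return -1;
    memset(buf, 0, n);
    buf[0] = (id >> 8) & 0xff; buf[1] = id & 0xff; buf[2] = 0x01; buf[5] = 1; /* ID, RD, QDCOUNT=1 */
    while (*name) {                                  /* one length-prefixed label per pass */
        size_t len = strcspn(name, ".");
        if (len == 0 || len > 63 || n + len + 6 > cap) return -1;
        buf[n++] = (unsigned char)len;
        memcpy(buf + n, name, len); n += len;
        name += len + (name[len] == '.');
    }
    buf[n++] = 0; buf[n++] = (qtype >> 8) & 0xff; buf[n++] = qtype & 0xff;   /* root label, QTYPE */
    buf[n++] = 0; buf[n++] = 1;                      /* class IN */
    return (int)n;
}

/* Send pkt, wait at most timeout_ms: reply length, 0 on timeout, -1 on error. No retransmit, no TCP. */
int query_with_timeout(const struct sockaddr_in *srv, const unsigned char *pkt, int len,
                       unsigned char *reply, size_t cap, int timeout_ms) {
    int fd, r = -1;
    if (len <= 0 || (fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) return -1;
    struct pollfd p = { .fd = fd, .events = POLLIN };
    if (connect(fd, (const struct sockaddr *)srv, sizeof *srv) == 0 && send(fd, pkt, len, 0) == len) {
        if ((r = poll(&p, 1, timeout_ms)) > 0) r = (int)recv(fd, reply, cap, 0);
    }
    close(fd);
    return r;
}

/* Constructed setup: a loopback socket that never replies plays the silent resolver; -2 = setup failed. */
int demo_silent_server(int timeout_ms) {
    unsigned char q[512], a[512];
    struct sockaddr_in srv = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t sl = sizeof srv;
    int s = socket(AF_INET, SOCK_DGRAM, 0), r = -2;  /* port 0: the kernel picks a free port */
    int len = build_query("example.com", 99 /* SPF RRTYPE */, 0x1234, q, sizeof q);
    if (bind(s, (struct sockaddr *)&srv, sl) == 0 && getsockname(s, (struct sockaddr *)&srv, &sl) == 0)
        r = query_with_timeout(&srv, q, len, a, sizeof a, timeout_ms);
    close(s);
    return r;
}
int main(void) { return demo_silent_server(200) == 0 ? 0 : 1; }  /* exit 0 when the lookup timed out */
```

The connect() call makes the kernel discard datagrams from any other source address; a real caller would still have to check the reply ID and handle the retransmission and TCP cases the quoted reply mentions.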