commit 2aa4f41f732b1b34759d34543ea89f688d9c47d6e45fe1cc9aa7682fa907eb15 Author: Dirk Mueller Date: Thu Oct 10 15:49:32 2024 +0000 - update to 5.5.0: * Support `redirect` in SPF OBS-URL: https://build.opensuse.org/package/show/devel:languages:python/python-checkdmarc?expand=0&rev=7 diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/checkdmarc-5.3.1.tar.gz b/checkdmarc-5.3.1.tar.gz new file mode 100644 index 0000000..7eb54d8 --- /dev/null +++ b/checkdmarc-5.3.1.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:1d71e7fa611fa8faa36fad09416b5e2c3265d026d3b5209c051f4e292565e332 +size 36307 diff --git a/checkdmarc-5.5.0.tar.gz b/checkdmarc-5.5.0.tar.gz new file mode 100644 index 0000000..35a4182 --- /dev/null +++ b/checkdmarc-5.5.0.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:d775f566f8fdd584adb9a26e792cfe1565cdf6bd50c54fe7b6d8443ce6db68cf +size 36103 diff --git a/python-checkdmarc.changes b/python-checkdmarc.changes new file mode 100644 index 0000000..67dfe2b --- /dev/null +++ b/python-checkdmarc.changes @@ -0,0 +1,84 @@ +------------------------------------------------------------------- +Thu Oct 10 15:49:23 UTC 2024 - Dirk Müller + +- update to 5.5.0: + * Support `redirect` in SPF + +------------------------------------------------------------------- +Thu Feb 29 01:43:19 UTC 2024 - Steve Kowalik + +- Update to 5.3.1: + * Ignore UnicodeDecodeError exceptions when querying for TXT records + * Check DNSSEC on MX hostnames + * USE DNSSEC when requesting DNSKEY records + * Do not require an RRSIG answer when querying for DNSKEY records + * Pass in nameservers and timeout when running get_dnskey recursively + * Properly cache DNSKEY answers + * Fix exception handling for query_mta_sts_record + * Check for TLSA records + * Add support for parsing SMTP TLS Reporting (RFC8460) DNS records + * Add missing import dns.dnssec + * Always use the actual subdomain or domain provided + * Include MTA-STS and BIMI results in CSV output + * Added the include_tag_descriptions parameter to + checkdmarc.bimi.check_bimi() + * Added the exception class MTASTSPolicyDownloadError + * Major refactoring: Change from a single module to a package of modules, + with each checked standard as its own package + * Add support for MTA-STS RFC 8461 + * Add support for BIMI + * Specify a BIMI selector using the --bimi-selector/-b option + * Fix SPF query error and warning messages + * Add support for null MX records - RFC 7505 + * Make DMARC retorting URI error messages more clear + * Fix compatibility with Python 3.8 + * SPFRecordNotFound exception now includes a domain argument + * The DMARC missing authorization error message now includes the full + expected DNS record + * Properly parse DMARC and BIMI records for domains that do not have an + identified base domain + * Add ignore_unrelated_records argument to query_dmarc_record() + * Replace publicsuffix2 with publicsuffixlist + * Maintain the original character case of the DMARC record + * Always treat tag names as lowercase + * Always treat the DMARC v tag value as if it was uppercase + * Always treat the DMARC p, and fo tag values as if they were lowercase + * Always treat URI schemes as lowercase, but maintain the case of the address + * Ignore case and whitespace when parsing DMARC and BIMI key=value pairs + * Handle missing PTR records more gracefully + * Redundant DMARC fo tag values now result in a warning + * Detect non-trivial loops + * Raise a SPFSyntaxError exception when an IP address and IP version do + not match + * Fix raising the DMARCRecordNotFound exception when a DMARC record does + not exist + * Add void lookup limit + * Add Support for User Defined DNS Resolver Object + * Fix DNS caching + * Fix CSV output + * Always parse RUA and RUF fields, even if other parts of the record are + invalid + * Migrate build from setuptools to hatch +- Stop shipping LICENSE, now included directly. +- Refresh tests.py from upstream. +- Switch to pyproject and patch macros. +- No more greedy globs in %files. +- Drop skip-broken-tests.patch, not required. +- Add patch skip-network-tests.patch, skip tests that require network access. + +------------------------------------------------------------------- +Wed Jul 21 10:20:44 UTC 2021 - Matej Cepl + +- Use %pyunittest macro instead of directly calling %python_exec + +------------------------------------------------------------------- +Tue Jul 20 17:00:06 UTC 2021 - Martin Hauke + +- Use tests.py from github +- Add patch: + * skip-broken-tests.patch + +------------------------------------------------------------------- +Sat Jul 17 10:14:54 UTC 2021 - Martin Hauke + +- Initial package, version 4.4.1 diff --git a/python-checkdmarc.spec b/python-checkdmarc.spec new file mode 100644 index 0000000..92d3f11 --- /dev/null +++ b/python-checkdmarc.spec @@ -0,0 +1,86 @@ +# +# spec file for package python-checkdmarc +# +# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2021, Martin Hauke +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +Name: python-checkdmarc +Version: 5.5.0 +Release: 0 +Summary: A Python module and command line parser for SPF and DMARC records +License: Apache-2.0 +URL: https://domainaware.github.io/checkdmarc +Source: https://files.pythonhosted.org/packages/source/c/checkdmarc/checkdmarc-%{version}.tar.gz +Source1: https://raw.githubusercontent.com/domainaware/checkdmarc/master/tests.py +Patch0: skip-network-tests.patch +BuildRequires: %{python_module hatchling} +BuildRequires: %{python_module pip} +BuildRequires: %{python_module wheel} +BuildRequires: fdupes +BuildRequires: python-rpm-macros +Requires: python-cryptography +Requires: python-dnspython >= 2.0.0 +Requires: python-expiringdict >= 1.1.4 +Requires: python-publicsuffixlist +Requires: python-pyleri >= 1.3.2 +Requires: python-requests >= 2.25.0 +Requires: python-timeout-decorator >= 0.4.1 +Requires(post): update-alternatives +Requires(postun): update-alternatives +BuildArch: noarch +# SECTION test requirements +BuildRequires: %{python_module dnspython >= 2.0.0} +BuildRequires: %{python_module expiringdict >= 1.1.4} +BuildRequires: %{python_module publicsuffixlist} +BuildRequires: %{python_module pyleri >= 1.3.2} +BuildRequires: %{python_module requests >= 2.25.0} +BuildRequires: %{python_module timeout-decorator >= 0.4.1} +# /SECTION +%python_subpackages + +%description +A Python module and command line parser for SPF and DMARC records. + +%prep +%setup -q -n checkdmarc-%{version} +cp %{SOURCE1} . +%patch -P 0 -p0 + +%build +%pyproject_wheel + +%install +%pyproject_install +%python_clone -a %{buildroot}%{_bindir}/checkdmarc +%python_expand %fdupes %{buildroot}%{$python_sitelib} + +%post +%python_install_alternative checkdmarc + +%postun +%python_uninstall_alternative checkdmarc + +%check +%pyunittest -v tests.py + +%files %{python_files} +%license LICENSE +%doc README.md +%python_alternative %{_bindir}/checkdmarc +%{python_sitelib}/checkdmarc +%{python_sitelib}/checkdmarc-%{version}.dist-info + +%changelog diff --git a/skip-network-tests.patch b/skip-network-tests.patch new file mode 100644 index 0000000..245176a --- /dev/null +++ b/skip-network-tests.patch @@ -0,0 +1,58 @@ +--- tests.py~ 2024-02-29 12:22:56.007309853 +1100 ++++ tests.py 2024-02-29 12:25:49.618057933 +1100 +@@ -3,6 +3,7 @@ + + """Automated tests""" + ++import os.path + import unittest + from collections import OrderedDict + +@@ -94,6 +95,7 @@ + + self.assertEqual(len(results["warnings"]), 0) + ++ @unittest.skipUnless(os.path.exists("/etc/resolv.conf"), "no network") + def testSplitSPFRecord(self): + """Split SPF records are parsed properly""" + +@@ -129,6 +131,7 @@ + self.assertRaises(checkdmarc.spf.SPFRecordNotFound, + checkdmarc.spf.parse_spf_record, spf_record, domain) + ++ @unittest.skipUnless(os.path.exists("/etc/resolv.conf"), "no network") + def testTooManySPFDNSLookups(self): + """SPF records with > 10 SPF mechanisms that cause DNS lookups raise + SPFTooManyDNSLookups""" +@@ -144,6 +147,7 @@ + self.assertRaises(checkdmarc.spf.SPFTooManyDNSLookups, + checkdmarc.spf.parse_spf_record, spf_record, domain) + ++ @unittest.skipUnless(os.path.exists("/etc/resolv.conf"), "no network") + def testTooManySPFVoidDNSLookups(self): + """SPF records with > 2 void DNS lookups""" + +@@ -216,6 +220,7 @@ + self.assertRaises(checkdmarc.spf.SPFIncludeLoop, + checkdmarc.spf.parse_spf_record, spf_record, domain) + ++ @unittest.skipUnless(os.path.exists("/etc/resolv.conf"), "no network") + def testSPFMissingMXRecord(self): + """A warning is issued if an SPF record contains a mx mechanism + pointing to a domain that has no MX records""" +@@ -226,6 +231,7 @@ + self.assertIn("{0} does not have any MX records".format(domain), + results["warnings"]) + ++ @unittest.skipUnless(os.path.exists("/etc/resolv.conf"), "no network") + def testSPFMissingARecord(self): + """A warning is issued if an SPF record contains a mx mechanism + pointing to a domain that has no A records""" +@@ -236,6 +242,7 @@ + self.assertIn("cardinalhealth.net does not have any A/AAAA records", + results["warnings"]) + ++ @unittest.skipUnless(os.path.exists("/etc/resolv.conf"), "no network") + def testDMARCPctLessThan100Warning(self): + """A warning is issued if the DMARC pvt value is less than 100""" + diff --git a/tests.py b/tests.py new file mode 100644 index 0000000..e175d6a --- /dev/null +++ b/tests.py @@ -0,0 +1,279 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- + +"""Automated tests""" + +import unittest +from collections import OrderedDict + +import checkdmarc +import checkdmarc.utils +import checkdmarc.spf +import checkdmarc.dmarc +import checkdmarc.dnssec + +known_good_domains = [ + "fbi.gov", + "pm.me" +] + + +class Test(unittest.TestCase): + @unittest.skip + def testKnownGood(self): + """Domains with known good STARTTLS support, SPF and DMARC records""" + + results = checkdmarc.check_domains(known_good_domains) + for result in results: + spf_error = None + dmarc_error = None + for mx in result["mx"]["hosts"]: + self.assertEqual( + mx["starttls"], True, + "Host of known good domain {0} failed STARTTLS check: {1}" + "\n\n{0}".format(result["domain"], mx["hostname"]) + ) + if "error" in result["spf"]: + spf_error = result["spf"]["error"] + if "error" in result["dmarc"]: + dmarc_error = result["dmarc"]["error"] + self.assertEqual(result["spf"]["valid"], True, + "Known good domain {0} failed SPF check:" + "\n\n{1}".format(result["domain"], spf_error)) + self.assertEqual(result["dmarc"]["valid"], True, + "Known good domain {0} failed DMARC check:" + "\n\n{1}".format(result["domain"], dmarc_error)) + + def testDMARCMixedFormatting(self): + """DMARC records with extra spaces and mixed case are still valid""" + examples = [ + "v=DMARC1;p=ReJect", + "v = DMARC1;p=reject;", + "v = DMARC1\t;\tp=reject\t;", + "v = DMARC1\t;\tp\t\t\t=\t\t\treject\t;", + "V=DMARC1;p=reject;" + ] + + for example in examples: + parsed_record = checkdmarc.dmarc.parse_dmarc_record(example, "") + self.assertIsInstance(parsed_record, OrderedDict) + + def testGetBaseDomain(self): + subdomain = "foo.example.com" + result = checkdmarc.utils.get_base_domain(subdomain) + assert result == "example.com" + + # Test reserved domains + subdomain = "_dmarc.nonauth-rua.invalid.example" + result = checkdmarc.utils.get_base_domain(subdomain) + assert result == "invalid.example" + + subdomain = "_dmarc.nonauth-rua.invalid.test" + result = checkdmarc.utils.get_base_domain(subdomain) + assert result == "invalid.test" + + subdomain = "_dmarc.nonauth-rua.invalid.invalid" + result = checkdmarc.utils.get_base_domain(subdomain) + assert result == "invalid.invalid" + + subdomain = "_dmarc.nonauth-rua.invalid.localhost" + result = checkdmarc.utils.get_base_domain(subdomain) + assert result == "invalid.localhost" + + # Test newer PSL entries + subdomain = "e3191.c.akamaiedge.net" + result = checkdmarc.utils.get_base_domain(subdomain) + assert result == "c.akamaiedge.net" + + def testUppercaseSPFMechanism(self): + """Treat uppercase SPF"SPF mechanisms as valid""" + spf_record = "v=spf1 IP4:147.75.8.208 -ALL" + domain = "example.no" + + results = checkdmarc.spf.parse_spf_record(spf_record, domain) + + self.assertEqual(len(results["warnings"]), 0) + + def testSplitSPFRecord(self): + """Split SPF records are parsed properly""" + + rec = '"v=spf1 ip4:147.75.8.208 " "include:_spf.salesforce.com -all"' + + parsed_record = checkdmarc.spf.parse_spf_record(rec, "example.com") + + self.assertEqual(parsed_record["parsed"]["all"], "fail") + + def testJunkAfterAll(self): + """Ignore any mechanisms after the all mechanism, but warn about it""" + rec = "v=spf1 ip4:213.5.39.110 -all MS=83859DAEBD1978F9A7A67D3" + domain = "avd.dk" + + parsed_record = checkdmarc.spf.parse_spf_record(rec, domain) + self.assertEqual(len(parsed_record["warnings"]), 1) + + @unittest.skip + def testDNSSEC(self): + """Test known good DNSSEC""" + self.assertEqual(checkdmarc.dnssec.test_dnssec("fbi.gov"), True) + + def testIncludeMissingSPF(self): + """SPF records that include domains that are missing SPF records + raise SPFRecordNotFound""" + + spf_record = '"v=spf1 include:spf.comendosystems.com ' \ + 'include:bounce.peytz.dk include:etrack.indicia.dk ' \ + 'include:etrack1.com include:mail1.dialogportal.com ' \ + 'include:mail2.dialogportal.com a:mailrelay.jppol.dk ' \ + 'a:sendmail.jppol.dk ?all"' + domain = "ekstrabladet.dk" + self.assertRaises(checkdmarc.spf.SPFRecordNotFound, + checkdmarc.spf.parse_spf_record, spf_record, domain) + + def testTooManySPFDNSLookups(self): + """SPF records with > 10 SPF mechanisms that cause DNS lookups raise + SPFTooManyDNSLookups""" + + spf_record = "v=spf1 a include:_spf.salesforce.com " \ + "include:spf.protection.outlook.com " \ + "include:spf.constantcontact.com " \ + "include:_spf.elasticemail.com " \ + "include:servers.mcsv.net " \ + "include:_spf.google.com " \ + "~all" + domain = "example.com" + self.assertRaises(checkdmarc.spf.SPFTooManyDNSLookups, + checkdmarc.spf.parse_spf_record, spf_record, domain) + + def testTooManySPFVoidDNSLookups(self): + """SPF records with > 2 void DNS lookups""" + + spf_record = "v=spf1 a:13Mk4olS9VWhQqXRl90fKJrD.example.com " \ + "mx:SfGiqBnQfRbOMapQJhozxo2B.example.com " \ + "a:VAFeyU9N2KJX518aGsN3w6VS.example.com " \ + "~all" + domain = "example.com" + self.assertRaises(checkdmarc.spf.SPFTooManyVoidDNSLookups, + checkdmarc.spf.parse_spf_record, spf_record, domain) + + def testSPFSyntaxErrors(self): + """SPF record syntax errors raise SPFSyntaxError""" + + spf_record = '"v=spf1 mx a:mail.cohaesio.net ' \ + 'include: trustpilotservice.com ~all"' + domain = "2021.ai" + self.assertRaises(checkdmarc.spf.SPFSyntaxError, + checkdmarc.spf.parse_spf_record, spf_record, domain) + + def testSPFInvalidIPv4(self): + """Invalid ipv4 SPF mechanism values raise SPFSyntaxError""" + spf_record = "v=spf1 ip4:78.46.96.236 +a +mx +ip4:138.201.239.158 " \ + "+ip4:78.46.224.83 " \ + "+ip4:relay.mailchannels.net +ip4:138.201.60.20 ~all" + domain = "surftown.dk" + self.assertRaises(checkdmarc.spf.SPFSyntaxError, + checkdmarc.spf.parse_spf_record, spf_record, domain) + + def testSPFInvalidIPv6inIPv4(self): + """Invalid ipv4 SPF mechanism values raise SPFSyntaxError""" + spf_record = "v=spf1 ip4:1200:0000:AB00:1234:0000:2552:7777:1313 ~all" + domain = "surftown.dk" + self.assertRaises(checkdmarc.spf.SPFSyntaxError, + checkdmarc.spf.parse_spf_record, spf_record, domain) + + def testSPFInvalidIPv4Range(self): + """Invalid ipv4 SPF mechanism values raise SPFSyntaxError""" + spf_record = "v=spf1 ip4:78.46.96.236/99 ~all" + domain = "surftown.dk" + self.assertRaises(checkdmarc.spf.SPFSyntaxError, + checkdmarc.spf.parse_spf_record, spf_record, domain) + + def testSPFInvalidIPv6(self): + """Invalid ipv6 SPF mechanism values raise SPFSyntaxError""" + spf_record = "v=spf1 ip6:1200:0000:AB00:1234:O000:2552:7777:1313 ~all" + domain = "surftown.dk" + self.assertRaises(checkdmarc.spf.SPFSyntaxError, + checkdmarc.spf.parse_spf_record, spf_record, domain) + + def testSPFInvalidIPv4inIPv6(self): + """Invalid ipv6 SPF mechanism values raise SPFSyntaxError""" + spf_record = "v=spf1 ip6:78.46.96.236 ~all" + domain = "surftown.dk" + self.assertRaises(checkdmarc.spf.SPFSyntaxError, + checkdmarc.spf.parse_spf_record, spf_record, domain) + + def testSPFInvalidIPv6Range(self): + """Invalid ipv6 SPF mechanism values raise SPFSyntaxError""" + record = "v=spf1 ip6:1200:0000:AB00:1234:0000:2552:7777:1313/130 ~all" + domain = "surftown.dk" + self.assertRaises(checkdmarc.spf.SPFSyntaxError, + checkdmarc.spf.parse_spf_record, record, domain) + + def testSPFIncludeLoop(self): + """SPF record with include loop raises SPFIncludeLoop""" + + spf_record = '"v=spf1 include:example.com"' + domain = "example.com" + self.assertRaises(checkdmarc.spf.SPFIncludeLoop, + checkdmarc.spf.parse_spf_record, spf_record, domain) + + def testSPFMissingMXRecord(self): + """A warning is issued if an SPF record contains a mx mechanism + pointing to a domain that has no MX records""" + + spf_record = '"v=spf1 mx ~all"' + domain = "seanthegeek.net" + results = checkdmarc.spf.parse_spf_record(spf_record, domain) + self.assertIn("{0} does not have any MX records".format(domain), + results["warnings"]) + + def testSPFMissingARecord(self): + """A warning is issued if an SPF record contains a mx mechanism + pointing to a domain that has no A records""" + + spf_record = '"v=spf1 a ~all"' + domain = "cardinalhealth.net" + results = checkdmarc.spf.parse_spf_record(spf_record, domain) + self.assertIn("cardinalhealth.net does not have any A/AAAA records", + results["warnings"]) + + def testDMARCPctLessThan100Warning(self): + """A warning is issued if the DMARC pvt value is less than 100""" + + dmarc_record = "v=DMARC1; p=none; sp=none; fo=1; pct=50; adkim=r; " \ + "aspf=r; rf=afrf; ri=86400; " \ + "rua=mailto:eits.dmarcrua@energy.gov; " \ + "ruf=mailto:eits.dmarcruf@energy.gov" + domain = "energy.gov" + results = checkdmarc.dmarc.parse_dmarc_record(dmarc_record, domain) + self.assertIn("pct value is less than 100", + results["warnings"][0]) + + def testInvalidDMARCURI(self): + """An invalid DMARC report URI raises InvalidDMARCReportURI""" + + dmarc_record = "v=DMARC1; p=none; rua=reports@dmarc.cyber.dhs.gov," \ + "mailto:dmarcreports@usdoj.gov" + domain = "dea.gov" + self.assertRaises(checkdmarc.dmarc.InvalidDMARCReportURI, + checkdmarc.dmarc.parse_dmarc_record, dmarc_record, + domain) + + dmarc_record = "v=DMARC1; p=none; rua=__" \ + "mailto:reports@dmarc.cyber.dhs.gov," \ + "mailto:dmarcreports@usdoj.gov" + self.assertRaises(checkdmarc.dmarc.InvalidDMARCReportURI, + checkdmarc.dmarc.parse_dmarc_record, dmarc_record, + domain) + + def testInvalidDMARCPolicyValue(self): + """An invalid DMARC policy value raises InvalidDMARCTagValue """ + dmarc_record = "v=DMARC1; p=foo; rua=mailto:dmarc@example.com" + domain = "example.com" + self.assertRaises(checkdmarc.dmarc.InvalidDMARCTagValue, + checkdmarc.dmarc.parse_dmarc_record, + dmarc_record, + domain) + + +if __name__ == "__main__": + unittest.main(verbosity=2)