From e25d1b75d2579bec75c1ec96fdab7a8b9f057f7b Mon Sep 17 00:00:00 2001 From: Giovanni Date: Wed, 12 Jun 2024 09:02:41 +0200 Subject: [PATCH] When mfrom is empty, create a synthetic mfrom (postmaster@helo) and check that identity using the mfrom scope as specified in RFC 7208 --- bin/spfd | 6 +++--- bin/spfquery | 6 ++++-- lib/Mail/SPF/Request.pm | 18 ++++++++++++------ 3 files changed, 19 insertions(+), 11 deletions(-) diff --git a/bin/spfd b/bin/spfd index 620398a..3e149d9 100755 --- a/bin/spfd +++ b/bin/spfd @@ -261,9 +261,9 @@ and C, respectively, in order to comply with RFC 4408 terminology. =item * -SPF checks with an empty identity are no longer supported. In the case of an -empty C SMTP transaction parameter, perform a check with the C -scope directly. +In the case of an empty C SMTP transaction parameter (C<< +MAIL FROM:<> >>), the identity checked will be postmaster@helo name as specified +in RFC 7208. =back diff --git a/bin/spfquery b/bin/spfquery index 0188ab9..45422c4 100755 --- a/bin/spfquery +++ b/bin/spfquery @@ -626,8 +626,10 @@ if ( exit(255); } -if (defined($identity) and $identity eq '') { - STDERR->print("Error: Empty identities are not supported. See spfquery(1).\n"); +if (defined($identity) and $identity eq '' and defined $helo_identity) { + $identity = 'postmaster@' . $helo_identity; +} elsif (defined($identity) and $identity eq '') { + STDERR->print("Error: Empty identities are not supported without specifying HELO.\n"); exit(255); } diff --git a/lib/Mail/SPF/Request.pm b/lib/Mail/SPF/Request.pm index 1ff95c9..46e58d8 100644 --- a/lib/Mail/SPF/Request.pm +++ b/lib/Mail/SPF/Request.pm 
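Review bot: In the bin/spfquery hunk the new first branch tests only `defined $helo_identity`, so a defined-but-empty HELO value turns an empty identity into `postmaster@`, an address with no domain, instead of reaching the error exit. The condition should also require a non-empty value, e.g. `if (defined($identity) and $identity eq '' and defined($helo_identity) and length($helo_identity)) {`. The same `defined`-only test appears in the `new` hunk of lib/Mail/SPF/Request.pm (`defined $self->{helo_identity}`) and needs the same `length` check. HELO is normally supplied by the connecting SMTP client, so a short comment at both places should say that the synthesized identity is built from an unvalidated value.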
@@ -152,7 +152,8 @@ The given identity is the C parameter of an SMTP transaction (RFC the formal definition of the C scope. I: In the case of an empty C SMTP transaction parameter (C<< -MAIL FROM:<> >>), you should perform a check with the C scope instead. +MAIL FROM:<> >>), the identity checked will be postmaster@helo name as specified +in RFC 7208. =item B<'pra'> @@ -175,9 +176,10 @@ I. A string denoting the sender identity whose authorization should be checked. This is a domain name for the C scope, and an e-mail address for the C and C scopes. -I: An empty identity must not be passed. In the case of an empty C SMTP transaction parameter, you should perform a check with the C -scope instead. +I: An empty identity should not be passed, in the case of an empty +C SMTP transaction parameter (C< >>), +the identity checked will be postmaster@helo name as specified +in RFC 7208. =item B @@ -256,8 +258,12 @@ sub new { # Identity: defined($self->{identity}) or throw Mail::SPF::EOptionRequired("Missing required 'identity' option"); - length($self->{identity}) - or throw Mail::SPF::EInvalidOptionValue("'identity' option must not be empty"); + if(not length($self->{identity}) and (defined $self->{helo_identity})) { + # if identity is <>, try with postmaster@helo as specified in RFC 7208 section 2.4 + $self->{identity} = 'postmaster@' . $self->{helo_identity}; + } elsif(not length($self->{identity})) { + throw Mail::SPF::EInvalidOptionValue("'identity' option must not be empty without specifying HELO"); + } # Extract domain and localpart from identity: if (
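Review bot: The added branch in `new` rewrites an empty identity for every scope, because the visible condition never looks at the scope, although the commit message and the POD describe this as a rule for the `mfrom` scope. With the `helo` scope (where the identity is documented as a domain name) or `pra`, an empty identity plus a HELO value would now be checked as `postmaster@<helo>` rather than rejected. Unless a scope test exists outside this hunk (`new` starts and ends beyond it), the first condition should be limited, e.g. `if (not length($self->{identity}) and $self->{scope} eq 'mfrom' and defined $self->{helo_identity}) {`, assuming the scope is held in `$self->{scope}` like the other options. The spfquery hunk performs the same substitution without a scope test.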