Here we cover two different ways to check Sender Policy Framework records using Exim. In addition to these explicit mechanisms, the SpamAssassin suite will in the near future (around version 2.70) incorporate more sophisticated SPF checks, by assigning weighted scores to the various SPF results.
Although we could perform this check as early as in the acl_mail_from ACL, there is an issue that will affect this decision: SPF is incompatible with traditional e-mail forwarding. Unless the forwarding host implements SRS, you may end up rejecting forwarded mail because you receive it from a host that is not authorized to do so per the SPF policy of the domain in the Envelope Sender address.
To avoid doing this, we need to consult a user-specific list of hosts from which forwarded mails should be accepted (as described in Exempting Forwarded Mail, to follow). This is only possible after the RCPT TO:, when we know the username of the recipient.
As such, we will add this check prior to any greylisting
checks and/or the final accept
statement in
acl_rcpt_to.
Recent versions of Tom Kistner's Exiscan-ACL
patch (see Prerequisites) have native support
for SPF.
[16]
Usage is very simple. An spf
ACL condition
is added, and can be compared against any of the keywords
pass
, fail
,
softfail
, none
,
neutral
, err_perm
or
err_temp
.
Prior to any greylisting checks and/or the final
accept
statement in acl_rcpt_to, insert the following snippet:
# Query the SPF information for the sender address domain, if any, # to see if the sending host is authorized to deliver its mail. # If not, reject the mail. # deny message = [SPF] $sender_host_address is not allowed to send mail \ from $sender_address_domain log_message = SPF check failed. spf = fail # Add a SPF-Received: header to the message warn message = $spf_received
This statement will reject the mail if the owner of the domain in the sender address has disallowed deliveries from the calling host. Some people find that this gives the domain owner a little bit too much control, even to the point of shooting themselves in the foot. A suggested alternative is to combine the SPF check with other checks, such as Sender Callout Verification (but note that as before, there is no point in doing this if you are sending your outgoing mail through a smarthost):
# Reject the mail if we cannot verify the sender address via callouts, # and if SPF information for the sending domain does not grant explicit # authority to the sending host. # deny message = The sender address does not seem to be valid, and SPF \ information does not grant $sender_host_address explicit \ authority to send mail from $sender_address_domain log_message = SPF check failed. !verify = sender/callout,random,postmaster !spf = pass # Add a SPF-Received: header to the message warn message = $spf_received
Mail::SPF::Query
is a the official SPF test
suite, available from http://spf.pobox.com/downloads.html. Debian users,
install libmail-spf-query-perl
.
The Mail::SPF::Query
package comes with a
daemon (spfd) that listens for requests on
a UNIX domain socket. Unfortunately, it does not come with an
“init” script to start this daemon automatically.
Therefore, in the following example, we will use the
standalone spfquery utility to make our SPF
requests.
As above, insert the following prior to any greylisting checks
and/or the final accept
statement in acl_rcpt_to:
# Use "spfquery" to obtain SPF status for this particular sender/host. # If the return code of that command is 1, this is an unauthorized sender. # deny message = [SPF] $sender_host_address is not allowed to send mail \ from $sender_address_domain. log_message = SPF check failed. set acl_m9 = -ipv4=$sender_host_address \ -sender=$sender_address \ -helo=$sender_helo_name set acl_m9 = ${run{/usr/bin/spfquery $acl_m9}} condition = ${if eq {$runrc}{1}{true}{false}}
[16]
Debian users: As of July 14th, 2004, the version of
Exiscan-ACL that is included in the
exim4-daemon-heavy
package does not yet
have support for SPF. In the mean time, you may choose
the other SPF implementation; install
libmail-spf-query-perl
.