A.7. Adding SPF Checks
Here we cover two different ways to check Sender Policy Framework
records using Exim. In addition to these explicit mechanisms,
the SpamAssassin suite will in the near future (around version
2.70) incorporate more sophisticated SPF checks, by assigning
weighted scores to the various SPF results.
Although we could perform this check as
early as in the acl_mail_from ACL, there
is an issue that will affect this decision: SPF is incompatible
with traditional e-mail forwarding. Unless the forwarding host
implements SRS, you may end up
rejecting forwarded mail because you receive it from a host that
is not authorized to do so per the SPF policy of the domain in
the Envelope Sender address.
To avoid doing this, we need to consult a user-specific list of
hosts from which forwarded mails should be accepted (as
described in Exempting Forwarded Mail, to follow).
This is only possible after the RCPT TO:,
when we know the username of the recipient.
As such, we will add this check prior to any greylisting
checks and/or the final accept statement in
acl_rcpt_to.
A.7.1. SPF checks via Exiscan-ACL
Recent versions of Tom Kistner's Exiscan-ACL
patch (see Prerequisites) have native support
for SPF.
Usage is very simple. An spf ACL condition
is added, and can be compared against any of the keywords
pass, fail,
softfail, none,
neutral, err_perm or
err_temp.
Prior to any greylisting checks and/or the final
accept statement in acl_rcpt_to, insert the following snippet:
# Query the SPF information for the sender address domain, if any,
# to see if the sending host is authorized to deliver its mail.
# If not, reject the mail.
#
deny
message = [SPF] $sender_host_address is not allowed to send mail \
from $sender_address_domain
log_message = SPF check failed.
spf = fail
# Add a SPF-Received: header to the message
warn
message = $spf_received
|
This statement will reject the mail if the owner of the domain
in the sender address has disallowed deliveries from the
calling host. Some people find that this gives the domain
owner a little bit too much control, even to the point of
shooting themselves in the foot. A suggested alternative is
to combine the SPF check with other checks, such as Sender
Callout Verification (but note that as before, there is no
point in doing this if you are sending your outgoing mail
through a smarthost):
# Reject the mail if we cannot verify the sender address via callouts,
# and if SPF information for the sending domain does not grant explicit
# authority to the sending host.
#
deny
message = The sender address does not seem to be valid, and SPF \
information does not grant $sender_host_address explicit \
authority to send mail from $sender_address_domain
log_message = SPF check failed.
!verify = sender/callout,random,postmaster
!spf = pass
# Add a SPF-Received: header to the message
warn
message = $spf_received
|
A.7.2. SPF checks via Mail::SPF::Query
Mail::SPF::Query is a the official SPF test
suite, available from http://spf.pobox.com/downloads.html. Debian users,
install libmail-spf-query-perl.
The Mail::SPF::Query package comes with a
daemon (spfd) that listens for requests on
a UNIX domain socket. Unfortunately, it does not come with an
"init" script to start this daemon automatically.
Therefore, in the following example, we will use the
standalone spfquery utility to make our SPF
requests.
As above, insert the following prior to any greylisting checks
and/or the final accept statement in acl_rcpt_to:
# Use "spfquery" to obtain SPF status for this particular sender/host.
# If the return code of that command is 1, this is an unauthorized sender.
#
deny
message = [SPF] $sender_host_address is not allowed to send mail \
from $sender_address_domain.
log_message = SPF check failed.
set acl_m9 = -ipv4=$sender_host_address \
-sender=$sender_address \
-helo=$sender_helo_name
set acl_m9 = ${run{/usr/bin/spfquery $acl_m9}}
condition = ${if eq {$runrc}{1}{true}{false}}
|