[Exim] exiscan-acl-4.24-22 - SPF support

Author: Tom Kistner
Date:  
To: exim-users, exiscanusers
CC: wayne
Subject: [Exim] exiscan-acl-4.24-22 - SPF support
exiscan-acl rev -22 is now available at

http://duncanthrax.net/exiscan-acl/

Nothing critical in this release. I have added SPF support via
libspf_alt. Having basic SPF checks is now as simple as:

deny  message = [SPF] $sender_host_address is not allowed\
                 to send mail from $sender_address_domain
       spf = fail


I have pasted the relevant documentation below so you can take a quick
peek. I'd like to add that I do not really like SPF because of the
forwarding issues. But then I'm not much of a dogmatic person, and there
were multiple requests to add SPF in a manner that does not involve
using ${readsocket or calling embedded perl, so I just did it.

Thanks to libspf_alt, it was not too much work. The relevant code is
#ifdeffed since I did not want to include the complete libspf_alt in the
patch. Read the docs below to see how you must compile to include SPF
support.


---------------------------------------------------------------------

8. Sender Policy Framework (SPF) support
--------------------------------------------------------------

To learn more about SPF, visit http://spf.pobox.com. This
document does not explain the SPF fundamentals; you should
read about and understand the implications of deploying SPF
on your system before doing so.

IMPORTANT: The SPF implementation in exiscan-acl does NOT
implement SRS (the sender rewriting scheme). This means that
your exim system will not be an SPF/SRS "compatible"
forwarder. If your system does not forward email, you don't
need to care. If you don't know what that means, visit the
above-mentioned website.

SPF support is added via the libspf_alt library. Visit

http://www.midwestcs.com/spf/libspf-alt/

to obtain a copy, then compile and install it. By default,
this will put headers in /usr/local/include and the static
library in /usr/local/lib.

To compile exim with SPF support, set these additional flags in
Local/Makefile:

CFLAGS=-DSPF -I/usr/local/include
EXTRALIBS_EXIM=-L/usr/local/lib -lspf_alt

This assumes that the libspf_alt files are installed in
their default locations.

You can now run SPF checks in incoming SMTP by using the "spf"
ACL condition in either the MAIL, RCPT or DATA ACLs. When
using it in the RCPT ACL, you can make the checks dependent on
the RCPT address (or domain), so you can check SPF records
only for certain target domains. This gives you the
possibility to opt out certain customers that do not want
their mail to be subject to SPF checking.

The spf condition takes a list of strings on its right-hand
side. These strings describe the outcome of the SPF check for
which the spf condition should succeed. Valid strings are:

   o pass      The SPF check passed, the sending host
               is positively verified by SPF.
   o fail      The SPF check failed, the sending host
               is NOT allowed to send mail for the domain
               in the envelope-from address.
   o softfail  The SPF check failed, but the queried
               domain can't absolutely confirm that this
               is a forgery.
   o none      The queried domain does not publish SPF
               records.
   o neutral   The SPF check returned a "neutral" state.
               This means the queried domain has published
               an SPF record, but wants to allow outside
               servers to send mail under its domain as well.
   o err_perm  This indicates a syntax error in the SPF
               record of the queried domain. This should be
               treated like "none".
   o err_temp  This indicates a temporary error during any
               part of the processing, including exim's own
               SPF processing. You may defer messages when
               this occurs.


You can prefix each string with an exclamation mark to invert
its meaning; for example "!fail" will match all results but
"fail". The string list is evaluated left-to-right, in a
short-circuit fashion. When a string matches the outcome of
the SPF check, the condition succeeds. If none of the listed
strings matches the outcome of the SPF check, the condition
fails.

Here is a simple example to fail forgery attempts from domains
that publish SPF records:

/* -----------------
deny message = $sender_host_address is not allowed to send mail from \
               $sender_address_domain
      spf = fail
--------------------- */


You can also give special treatment to specific domains:

/* -----------------
deny message = AOL sender, but not from AOL-approved relay.
      sender_domains = aol.com
      spf = fail:neutral
--------------------- */


Explanation: AOL publishes SPF records, but is liberal and
still allows non-approved relays to send mail from aol.com.
This will result in a "neutral" state, while mail from genuine
AOL servers will result in "pass". The example above takes
this into account and treats "neutral" like "fail", but only
for aol.com. Please note that this violates the SPF draft.

When the spf condition has run, it sets up several expansion
variables.

$spf_header_comment
This contains a human-readable string describing the outcome
of the SPF check. You can add it to a custom header or use
it for logging purposes.

$spf_received
This contains a complete SPF-Received: header that can be
added to the message.

$spf_result
This contains the outcome of the SPF check in string form,
one of pass, fail, softfail, none, neutral, err_perm or
err_temp.

$spf_smtp_comment
This contains a string that can be used in an SMTP response
to the calling party. Useful for "fail".
---------------------------------------------------------------------


regards,

/tom
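As an added example (not from the mail above or the exiscan-acl documentation), here is how the spf condition, the per-recipient opt-out and the expansion variables described in the pasted docs could be combined in a RCPT ACL fragment. The domainlist name and its members are hypothetical, and the site's own recipient verification and relay controls are left out.

```exim
# Constructed example; not from the exiscan-acl docs or the original mail.
# The domain list name and its members are hypothetical.
domainlist spf_optout_domains = customer-a.example : customer-b.example

acl_check_rcpt:

  # Temporary DNS or lookup trouble: ask the client to retry later
  # rather than guessing about the sender domain's policy.
  defer   domains     = !+spf_optout_domains
          message     = SPF check could not be completed: $spf_smtp_comment
          spf         = err_temp

  # Hard failure: the sender domain's record says this host may not
  # send mail for it. Skipped for recipients in the opt-out list.
  deny    domains     = !+spf_optout_domains
          message     = [SPF] $sender_host_address is not allowed to send \
                        mail from $sender_address_domain ($spf_smtp_comment)
          log_message = SPF fail for $sender_address from $sender_host_address
          spf         = fail

  # Every other outcome: log it and add the SPF-Received: header
  # (in exim of this era, "message" on a warn verb adds a header line).
  warn    domains     = !+spf_optout_domains
          spf         = pass:softfail:none:neutral:err_perm
          log_message = SPF $spf_result: $spf_header_comment
          message     = $spf_received

  # The site's normal recipient verification and relay controls
  # follow here; they are omitted from this example.
```

Because the statements are in the RCPT ACL, a recipient in the opt-out list is never subjected to the checks, while other recipients of the same message still are.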