I've used SPF checking for a few years since its introduction in
exiscan. I never paid it a great deal of attention until recently I was
trying to diagnose a problem where it was allowing me to spoof when I
thought it shouldn't.
I have the spf check in my acl_smtp_mail acl. The problem is that
the spf check only occurs if the sender uses HELO to set the domain. If
they don't, the check will not happen. If I were trying to spoof and knew
some sites wouldn't check helo, I wouldn't bother sending it!
It seems to me that in the acl_smtp_mail acl, you know the domain
name (if specified) and IP address of the sender so you should be able to
perform SPF checks in the absense of HELO. Here's my diff to spf_process in
spf.c:
--- exim/src/spf.c Tue Apr 4 08:00:04 2006
+++ exm/src/spf.c Wed May 10 08:14:22 2006
@@ -74,6 +74,9 @@
uschar spf_result_id_buffer[128];
int rc = SPF_RESULT_PERMERROR;
+ if( !(spf_server) ){
+ spf_init(expand_string("$sender_address_domain"),
sender_host_address);
+ }
if (!(spf_server && spf_request)) {
/* no global context, assume temp error and skip to evaluation */
rc = SPF_RESULT_PERMERROR;
Chris Blaise
