Re: [exim] Help to install exim with SPF

Top Page
Delete this message
Reply to this message
Author: Dan_Mitton
Date:  
To: exim-users
Subject: Re: [exim] Help to install exim with SPF
I agree SPF != Ident, but when I test SPF / libspf2 using the -bh command
line option, I get nothing but '(permanent error) (7)' results.

I sent a real mail message from my gmail account. I see in my logs that
SPF gives a 'pass'...

2008-07-14 08:32:36 [25130] H=yx-out-1718.google.com [74.125.44.152]:32110
I=[198.147.246.55]:25 Warning: MAIL - Would not be blocked by SPF: (pass)
ip=74.125.44.152, sender=danmittonsr@???,
helo=yx-out-1718.google.com

I try to fake out SPF using -bh with the same IP address and MAIL FROM
address...

/usr/local/exim/bin/exim -bh 74.125.44.152

**** SMTP testing session as if from host 74.125.44.152
**** but without any ident (RFC 1413) callback.
**** This is not for real!

>>> host in hosts_connection_nolog? no (option unset)

LOG: [25854] SMTP connection from [74.125.44.152]
>>> host in host_lookup? yes (matched "*")
>>> looking up host name for 74.125.44.152
>>> IP address lookup yielded yx-out-1718.google.com
>>> gethostbyname looked up these IP addresses:
>>> name=yx-out-1718.google.com address=74.125.44.156
>>> name=yx-out-1718.google.com address=74.125.44.157
>>> name=yx-out-1718.google.com address=74.125.44.158
>>> name=yx-out-1718.google.com address=74.125.44.152
>>> name=yx-out-1718.google.com address=74.125.44.153
>>> name=yx-out-1718.google.com address=74.125.44.154
>>> name=yx-out-1718.google.com address=74.125.44.155
>>> checking addresses for yx-out-1718.google.com
>>> 74.125.44.156
>>> 74.125.44.157
>>> 74.125.44.158
>>> 74.125.44.152 OK
>>> host in host_reject_connection? no (end of list)
>>> gethostbyname looked up these IP addresses:
>>> name=ymp.gov address=198.147.246.53
>>> host in sender_unqualified_hosts? no (end of list)
>>> gethostbyname looked up these IP addresses:
>>> name=ymp.gov address=198.147.246.53
>>> host in recipient_unqualified_hosts? no (end of list)
>>> host in helo_verify_hosts? no (option unset)
>>> host in helo_try_verify_hosts? no (option unset)
>>> host in helo_accept_junk_hosts? no (option unset)

220 smtp3.ymp.gov ESMTP YMP MTA Mon, 14 Jul 2008 08:34:20 -0700
MAIL FROM: DanMittonSr@???
>>> using ACL "acl_check_mail"
>>> processing "drop"
>>> check !hosts = +relay_from_hosts
>>> host in "aaa.bbb.ccc.ddd (I had to edit out this list of IP addresses

for security reasons)"? no (end of list)
>>> host in "+relay_from_hosts"? no (end of list)
>>> check !hosts = /usr/local/homes/exim/spf_whitelisted-forwarders
>>> host in "/usr/local/homes/exim/spf_whitelisted-forwarders"? no (end of

list)
>>> check !acl = spf_mail_acl
>>> using ACL "spf_mail_acl"
>>> processing "warn"
>>> check !acl = spf_check
>>> using ACL "spf_check"
>>> processing "deny"
>>> check spf = fail
>>> SPF result is unknown (permanent error) (7)
>>> deny: condition test failed
>>> processing "accept"
>>> accept: condition test succeeded


Perhaps some implementations of SPF work with this testing mode, but IMHO,
it seems like libspf2 does not.

Dan



Please respond to exim-users@???
Sent by:        exim-users-bounces@???
To:     exim-users@???
cc:      (bcc: Dan Mitton/YD/RWDOE)
Subject:        Re: [exim] Help to install exim with SPF
LSN: Not Relevant
User Filed as: Not a Record


Dan_Mitton@??? wrote:
> Ian,
>
> And your explanation is...?


Ident != SPF

An ident request requires the server at the real IP address you have
provided on the -bh command line to be able to answer an active ident
request. Since this is a test mode, the ident server will have no idea
what you talking about since that computer did not start the connection
and as such has nothing to tell the testing computer.

SPF only requires a DNS lookup and the IP provided by the -bh command
line and as such, works in this testing mode.

Full details are here: -bh
http://docs.exim.org/current/spec_html/ch05.html#id479724

If you wish to test WITH ident, there is an option to provide the ident
string that the server at the IP address would provide.
Full details are here: -oMt
http://docs.exim.org/current/spec_html/ch05.html#id486736

Please note that I have given the anchors for the term above the one I'm
aiming at so that you end up with the whole paragraph on the screen.

You can google the exim docs on the main page at http://www.exim.org/ or
on the documentation page http://www.exim.org/docs.html

--
The Exim Manual
http://www.exim.org/docs.html
http://docs.exim.org/current/

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/