Re: [exim] Help to install exim with SPF

Ted,

You are quite correct !! When I include the HELO response, I get the
correct SPF result. It's always good to learn something new.

/usr/local/exim/bin/exim -bh 74.125.44.152.1234

**** SMTP testing session as if from host 74.125.44.152
**** but without any ident (RFC 1413) callback.
**** This is not for real!

>>> host in hosts_connection_nolog? no (option unset)
LOG: [12579] SMTP connection from [74.125.44.152]:1234
>>> host in host_lookup? yes (matched "*")
>>> looking up host name for 74.125.44.152
>>> IP address lookup yielded yx-out-1718.google.com
>>> gethostbyname looked up these IP addresses:
>>> name=yx-out-1718.google.com address=74.125.44.152
>>> name=yx-out-1718.google.com address=74.125.44.153
>>> name=yx-out-1718.google.com address=74.125.44.154
>>> name=yx-out-1718.google.com address=74.125.44.155
>>> name=yx-out-1718.google.com address=74.125.44.156
>>> name=yx-out-1718.google.com address=74.125.44.157
>>> name=yx-out-1718.google.com address=74.125.44.158
>>> checking addresses for yx-out-1718.google.com
>>> 74.125.44.152 OK
>>> host in host_reject_connection? no (end of list)
>>> gethostbyname looked up these IP addresses:
>>> name=ymp.gov address=198.147.246.53
>>> host in sender_unqualified_hosts? no (end of list)
>>> gethostbyname looked up these IP addresses:
>>> name=ymp.gov address=198.147.246.53
>>> host in recipient_unqualified_hosts? no (end of list)
>>> host in helo_verify_hosts? no (option unset)
>>> host in helo_try_verify_hosts? no (option unset)
>>> host in helo_accept_junk_hosts? no (option unset)
220 smtp3.ymp.gov ESMTP YMP MTA Tue, 15 Jul 2008 07:42:05 -0700
HELO smtp3.ymp.gov
>>> using ACL "acl_check_helo"
>>> processing "accept"
>>> accept: condition test succeeded
250 smtp3.ymp.gov Hello yx-out-1718.google.com [74.125.44.152]
MAIL FROM: DanMittonSr@???
>>> using ACL "acl_check_mail"
>>> processing "drop"
>>> check !hosts = +relay_from_hosts
>>> host in "(removed for security reasons) : 127.0.0.1"? no (end of list)
>>> host in "+relay_from_hosts"? no (end of list)
>>> check !hosts = /usr/local/homes/exim/spf_whitelisted-forwarders
>>> host in "/usr/local/homes/exim/spf_whitelisted-forwarders"? no (end of
list)
>>> check !acl = spf_mail_acl
>>> using ACL "spf_mail_acl"
>>> processing "warn"
>>> check !acl = spf_check
>>> using ACL "spf_check"
>>> processing "deny"
>>> check spf = fail
>>> SPF result is pass (2)
>>> deny: condition test failed
>>> processing "accept"
>>> accept: condition test succeeded

Please respond to exim-users@???
Sent by:        exim-users-bounces@???
To:     exim-users@???
cc:      (bcc: Dan Mitton/YD/RWDOE)
Subject:        Re: [exim] Help to install exim with SPF
LSN: Not Relevant
User Filed as: Not a Record

Dan_Mitton@??? wrote:
> I agree SPF != Ident, but when I test SPF / libspf2 using the -bh
command
> line option, I get nothing but '(permanent error) (7)' results.
>
> I sent a real mail message from my gmail account. I see in my logs that

> SPF gives a 'pass'...
>
> 2008-07-14 08:32:36 [25130] H=yx-out-1718.google.com
[74.125.44.152]:32110
> I=[198.147.246.55]:25 Warning: MAIL - Would not be blocked by SPF:
(pass)
> ip=74.125.44.152, sender=danmittonsr@???,
> helo=yx-out-1718.google.com

Doing the same thing as you with libspf2-1.2.5 with the following ACL 
snippet in my RCPT ACL ..
# Deny outright a plain as day failure. This should be whitelisted
deny    message       = ERRMSG_SPFFAIL
         hosts         = !+relay_from_hosts
         !authenticated = *
         spf           = fail
         continue     = ${readsocket{GLSOCK}{spffail \
           $sender_host_address}{20s}{ }{SOCKETERROR}}

exim -bh 74.125.44.152
...
HELO yx-out-1718.google.com
...
MAIL FROM:<example@???>
...
RCPT TO:<valid@???>
...
>>> processing "deny"
>>> check hosts = !+relay_from_hosts
>>> host in "!+relay_from_hosts"? yes (end of list)
>>> check !authenticated = *
>>> check spf = fail
>>> SPF result is pass (2)
>>> deny: condition test failed

Perhaps it is causing an error without the HELO/EHLO string. I can't
test that easily right now. It shouldn't need to be in the RCPT ACL
either, the MAIL FROM one I think should be fine, but that's another
thing to check.

--
The Exim Manual
http://www.exim.org/docs.html
http://docs.exim.org/current/

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/