Re: [exim] SPF feature would be more useful if

Author: Bernd Jendrissek
Date:
To: Graeme Fowler
CC: exim users
Old Topics: Re: [exim] SPF feature would be more useful if
Subject: Re: [exim] SPF feature would be more useful if
Graeme Fowler wrote...
> On Sat, 2010-07-17 at 00:40 -0700, Marc Perkel wrote:
> > As it is now SPF checks the sender domain against the connecting IP
> > address. It would be more useful if it were expanded to allow me to pass
> > a different domain and to pass a different IP address.
>

+1
> Anyway: with judicious use of the "dnsdb" lookup, the tools you need
> exist already.
>

Unfortunately I don't see an easy way (that doesn't involve an exim.conf
Turing machine) of processing the full expressiveness of SPF records.
Specifically, I'm thinking of include: and redirect=, as in Google's and
Hotmail's records:

$ host -t txt gmail.com.
gmail.com descriptive text "v=spf1 redirect=_spf.google.com"
$ host -t txt hotmail.com.
hotmail.com descriptive text "v=spf1 include:spf-a.hotmail.com
include:spf-b.hotmail.com include:spf-c.hotmail.com
include:spf-d.hotmail.com ~all"

I would rather not hardcode something that addresses Google's SPF
specifically, even though that is our current need: we have customers who get
Google to send their email (from their own domain, not @gmail.com) via
our quasi-MTA. The customer's own domain doesn't have SPF records [*],
but we know that they're using Google's servers. So we want to be able
to ask, "Does the SPF data on _spf.google.com cover
$sender_host_address?". If only I could say...

condition = ${if and {{lookup {$sender_address_domain} lsearch
{/foo/googlers}} {lookup {$sender_host_address} spf {_spf.google.com}}}

Any recommendations that don't include Turing machines or hardcoded
assumptions about the SPF data? Anything less frightening to our
sysadmins than a dlfunc?

[*] And to get them to do so seems... difficult. It's not my call, and I
guess since they're paying us they get to make the rules.
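
An added example, not part of the original message and not exim code: a Python sketch of the check the post asks for, evaluating a chosen domain's SPF policy (following include: and redirect=) against an arbitrary IP address. The TXT table, the `.example` names and `check_host` are constructed for illustration; only ip4, ip6, include, redirect and all are handled.

```python
import ipaddress

# Constructed TXT data standing in for DNS (documentation address ranges only).
TXT = {
    "mail.example": "v=spf1 redirect=_spf.provider.example",
    "_spf.provider.example": "v=spf1 include:_nb1.provider.example "
                             "include:_nb2.provider.example ~all",
    "_nb1.provider.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_nb2.provider.example": "v=spf1 ip4:198.51.100.0/25 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, lookup=TXT.get, budget=None):
    """Evaluate domain's SPF policy for ip (ip4, ip6, include, redirect, all only)."""
    budget = [10] if budget is None else budget  # RFC 7208 limit on DNS-querying terms
    addr = ipaddress.ip_address(ip)
    record = lookup(domain.lower().rstrip("."))
    if not record or record.split()[:1] != ["v=spf1"]:
        return "none"
    redirect = None
    for term in record.split()[1:]:
        if "=" in term:  # modifier: remember redirect=, ignore the rest
            if term.startswith("redirect="):
                redirect = term.split("=", 1)[1]
            continue
        qual = term[0] if term[0] in RESULT else "+"
        mech, _, arg = term.lstrip("+-~?").partition(":")
        if mech == "all":
            return RESULT[qual]
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif mech == "include":
            budget[0] -= 1
            sub = "permerror" if budget[0] < 0 else check_host(ip, arg, lookup, budget)
            if sub in ("permerror", "none"):
                return "permerror"  # broken or missing include target
            matched = sub == "pass"
        else:
            return "permerror"  # a, mx, exists, ptr, macros: not handled in this sketch
        if matched:
            return RESULT[qual]
    if redirect:  # redirect= applies only when no mechanism matched
        budget[0] -= 1
        sub = "permerror" if budget[0] < 0 else check_host(ip, redirect, lookup, budget)
        return "permerror" if sub == "none" else sub
    return "neutral"
```

Passing a resolver-backed function as `lookup` replaces the constructed table; the shared `budget` list is what stops a self-including record such as `loop.example` from recursing without bound.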