Re: [exim] advanced SPF Checking

Author: Mike Brudenell
Date:  
To: Exim Users
Subject: Re: [exim] advanced SPF Checking
Hmm…

Remember that the domain might have multiple TXT records: as do we for
york.ac.uk. In which case the values of all of the records are returned as
the value of the *dnsdb* lookup, separated with newlines by default.

At most one of which will be the SPF record, so you want to make sure the
"+all" is within the same record value as the initial "v=spf1" that
identifies it as being SPF data. You also want to guard against other
strings such as "someone+allmail@???" and so on.

So you probably want a more clever *match* pattern to make sure that you're
only looking for "+all" within an SPF value. Something like this *might* be
along the right lines:

^ *v=spf1 (.* )?\+all( .*)?$


But there's probably a better pattern (and I'm not sure whether "$" matches
an embedded newline as well as the end of string, or only the end of the
string itself; you want the former) or way of checking.

Also, for safety shouldn't the value of *$sender_address_domain* be quoted
before being used within *dnsdb*? As in

${lookup dnsdb{txt=${quote_dnsdb:$sender_address_domain}}{$value}}


Cheers,
Mike B-)

On 1 July 2016 at 15:03, James Gibbard <thisbodydrop@???> wrote:

> Untested, but you should be able to do something like this perhaps?
>
>
> # set acl variable to result of SPF lookup.
> spf_test:
> warn    set acl_m_spfrec = ${lookup dnsdb{txt=$sender_address_domain}{$value}}
>
> # deny  if result is +all
> deny  condition = ${if match {$acl_m_spfrec}{\\+all}}
>           message = Invalid SPF record detected.
>           log_message = SPF denied due to +all presence.
>
> I don't use spfquery myself, but I'd assume there is not a way to do
> this with that.
>
> Jamie
>
> On Fri, Jul 1, 2016 at 1:30 PM, Cyborg <cyborg2@???> wrote:
> > Hi,
> >
> > as I'm implementing SPF checks atm, I came across this log entry from
> > Google:
> >
> > 2016-06-29 14:21:07 1bIEUB-0002yU-TK SMTP error from remote mail server
> > after end of data: 421-4.7.0 [XXXXXXX] The SPF record of the sending
> > domain has one or\n421-4.7.0 more suspicious entries. To protect our
> > users from spam, mail sent\n421-4.7.0 from your IP address has been
> > temporarily rate limited. Please visit\n421-4.7.0
> > https://support.google.com/mail/answer/81126#authentication for
> > more\n421 4.7.0 information. 78si4520019iol.86 - gsmtp
> >
> > The SPF record looks like this: "v=spf1 +all"
> >
> > Which means roughly: "I don't care about my email servers, I like to be
> > spammed with my own domain."
> >
> >
> > Problem is, with my current spfquery check, this SPF would be considered
> > valid, which it is, it's just not very useful at all.
> >
> > I'd like to react like Google in this special case, because that entry is
> > nonsense; you could also remove it from your DNS and nobody would notice.
> >
> > Does anyone have an exim rule / idea to check for it, before running the
> > spfquery at all?
> >
> > best regards,
> > Marius
> >
> > --
> > ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> > ## Exim details at http://www.exim.org/
> > ## Please use the Wiki with this list - http://wiki.exim.org/
--
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811

Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm
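As an added example (not code from the thread), here is the check Mike describes written in Python: his pattern run over a constructed multi-record TXT answer with and without a multiline flag, plus a small SPF term parser that also treats a bare "all" as "+all" (the default qualifier), which the regex alone misses. The TXT values and domain names are constructed.

```python
import re

# Mike's suggested pattern. A dnsdb txt= lookup returns every TXT record of the
# domain, newline-separated, so "^" and "$" must also match at embedded newlines.
PLUS_ALL_PATTERN = r"^ *v=spf1 (.* )?\+all( .*)?$"

# Constructed sample of a multi-record TXT answer: only the last line is SPF,
# the second contains "+all" purely by accident.
SAMPLE_TXT = "\n".join([
    "google-site-verification=constructed-token",
    "contact: someone+allmail@example.com",
    "v=spf1 +all",
])


def regex_flags_plus_all(txt_value, multiline=True):
    """Apply the pattern; without MULTILINE '^'/'$' only see the whole answer's ends."""
    flags = re.MULTILINE if multiline else 0
    return re.search(PLUS_ALL_PATTERN, txt_value, flags) is not None


def spf_records(txt_value):
    """Keep only the TXT records carrying SPF data (the version tag is case-insensitive)."""
    records = [line.strip() for line in txt_value.splitlines()]
    return [r for r in records if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]


def has_plus_all(record):
    """True if the record's 'all' mechanism carries the '+' qualifier.

    Goes one step beyond the regex: a bare 'all' also means '+all', since '+'
    is SPF's default qualifier. Terms after the first 'all' are ignored, as an
    SPF evaluator would ignore them.
    """
    for term in record.split()[1:]:          # skip the v=spf1 tag
        if term[:1] in "+-~?":
            qualifier, mechanism = term[0], term[1:]
        else:
            qualifier, mechanism = "+", term
        if mechanism.lower() == "all":
            return qualifier == "+"
    return False


def open_spf_records(txt_value):
    """Return the SPF records in a dnsdb answer that would authorise any sender."""
    return [r for r in spf_records(txt_value) if has_plus_all(r)]
```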