Hello,
I tried to take advantage of Experimental SPF support without much
success in Exim 4.89 as well as the development head. I do not know if this
is me not writing the ACLs correctly or if this is truly unfeatured.
(exim -bV)
Exim version 4.90devstart_210-ac0dcd3 #4 built 20-Sep-2017 10:25:33
Copyright (c) University of Cambridge, 1995 - 2017
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2017
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() OpenSSL DKIM DNSSEC Event OCSP PRDR TCP_Fast_Open Experimental_SPF
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch dbm dbmjz dbmnz dnsdb
Authenticators: cram_md5 dovecot gsasl plaintext spa tls
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile autoreply pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file is /usr/local/exim/configure
I compiled it with `libspf` v1.2.10-6build1 available on Ubuntu.
The settings I used in the `Makefile`,
EXPERIMENTAL_SPF=yes
CFLAGS += -I/usr/local/include
LDFLAGS += -lspf2
I tried to understand in what order the examples from the guide
(https://github.com/Exim/exim/wiki/SPF) should be used and tried several
ACLs including this one, which actually got me close to some result,
acl_smtp_mail = acl_check_mail
[...]
acl_check_mail:
  warn    spf         = !unknown
          add_header  = :at_start:$spf_received
          log_message = SPF=$spf_result
  accept  spf         = pass
  accept
Here is one production and one testing SPF record,
nethence.com descriptive text "v=spf1 mx -all"
stdpierre.os3.site descriptive text "v=spf1 mx -all"
only MX IP addresses should be authorized,
nethence.com mail is handled by 5 mx.nethence.com.
stdpierre.os3.site mail is handled by 5 mx.stdpierre.os3.site.
mx.nethence.com has address 62.210.110.7
mx.stdpierre.os3.site has address 18.221.91.30
I think even localhost should not be authorized to impersonate
@nethence.com (hence should be fail), nor should mx.nethence.com be able
to impersonate @stdpierre.os3.site (hence should be fail).
Tested locally on Exim's system at stdpierre.os3.site (FAIL: message is
passing through),
telnet localhost 25
helo crap
mail from:<root@???>
rcpt to:<user@???>
quit
Tested remotely at nethence.com (FAIL: message is passing through),
telnet mx.stdpierre.os3.site 25
helo crap
mail from:<user@???>
rcpt to:<user@???>
quit
The ACL described earlier passes everything through but
at least returns information about the SPF result in the logs even if it
is false, I think.
2017-09-20 10:44:16 H=localhost (crap) [127.0.0.1] Warning: SPF=pass
2017-09-20 10:44:45 H=mx.nethence.com (crap) [62.210.110.7] Warning: SPF=temperror
This is however the closest result to some working Exim Experimental_SPF
I have.
Although I have been using Exim for a while in the past, I did not
profit much from the enhanced ACL features. Please help me define a simple
and good ACL setup that _should_ work so I can better test the
implementation.
Thanks
--
Pierre-Philipp
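Added example (editor's addition, not the poster's configuration and not taken from the Exim wiki page linked above): an acl_check_mail that turns the Experimental_SPF condition into an actual policy. The posted ACL only warns and then ends in an unconditional accept, so a "fail" or "temperror" verdict is logged but the message still goes through; the version below rejects "fail", defers "temperror" and records every other verdict in a Received-SPF: header. It assumes Exim built with EXPERIMENTAL_SPF (as in the -bV output above), acl_smtp_mail = acl_check_mail in the main section, and a hostlist named +relay_from_hosts that you define yourself for hosts allowed to relay; the variable names ($spf_result, $spf_smtp_comment, $spf_header_comment, $spf_received) are the ones documented for the experimental SPF support.

```exim
# Added example, not the poster's config. Requires acl_smtp_mail = acl_check_mail
# and a hostlist "relay_from_hosts" (assumed) in the main configuration section.

acl_check_mail:

  # Own submission hosts are never SPF-checked; they relay for our domains
  # from addresses that the published SPF record does not list.
  accept  hosts       = +relay_from_hosts

  # Hard fail: the sender domain's record explicitly excludes this client IP.
  # $spf_smtp_comment is the library's explanation, suitable for the SMTP reply.
  deny    spf         = fail
          message     = SPF check failed for $sender_address_domain \
                        from $sender_host_address: $spf_smtp_comment
          log_message = SPF=$spf_result ($spf_header_comment)

  # DNS trouble while fetching the record: make the client retry instead of
  # accepting or rejecting on incomplete information.
  defer   spf         = temperror
          message     = Temporary error during SPF lookup, please try later
          log_message = SPF=$spf_result

  # Remaining verdicts (pass, none, neutral, softfail, permerror): log them and
  # prepend the ready-made Received-SPF: header so later filters can use it.
  warn    add_header  = :at_start:$spf_received
          log_message = SPF=$spf_result

  accept
```

Two points worth checking while testing this: a connection from 127.0.0.1 with a sender in a domain whose record is "v=spf1 mx -all" should now be refused at MAIL FROM with the deny message above, and a "temperror" seen from a remote host (as in the second log line the poster shows) will be deferred, so confirm the MX's resolver can reach the sender domain's authoritative servers before treating repeated defers as a policy problem.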