[exim] Experimental SPF

Top Page
Delete this message
Reply to this message
Author: Pierre-Philipp Braun
Date:  
To: exim-users
Subject: [exim] Experimental SPF
Hello,

I tried to take advantage of Experimental SPF support with no much
success in Exim 4.89 as well as development head. I do not know if this
is me not writing the ACLs correctly or if this is truly unfeatured.

(exim -bV)

Exim version 4.90devstart_210-ac0dcd3 #4 built 20-Sep-2017 10:25:33
Copyright (c) University of Cambridge, 1995 - 2017
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007
- 2017
Berkeley DB: Berkeley DB 5.3.28: (September 9, 2013)
Support for: crypteq iconv() OpenSSL DKIM DNSSEC Event OCSP PRDR
TCP_Fast_Open Experimental_SPF
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch dbm dbmjz
dbmnz dnsdb
Authenticators: cram_md5 dovecot gsasl plaintext spa tls
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile autoreply pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file is /usr/local/exim/configure

I compiled it with `libspf` v1.2.10-6build1 available on Ubuntu.

The settings I used in the `Makefile`,

     EXPERIMENTAL_SPF=yes
     CFLAGS  += -I/usr/local/include
     LDFLAGS += -lspf2


I tried to understand in what order the examples from the guide
(https://github.com/Exim/exim/wiki/SPF) should be used and tried several
ACLs including this one, which actually got me closed to some result,

acl_smtp_mail = acl_check_mail
[...]

acl_check_mail:
        warn            spf = !unknown
        add_header      = :at_start:$spf_received
        log_message     = SPF=$spf_result
        accept spf      = pass
        accept


Here is one production and one testing SPF record,

nethence.com descriptive text "v=spf1 mx -all"
stdpierre.os3.site descriptive text "v=spf1 mx -all"

only MX IP addresses should be authorized,

nethence.com mail is handled by 5 mx.nethence.com.
stdpierre.os3.site mail is handled by 5 mx.stdpierre.os3.site.

mx.nethence.com has address 62.210.110.7
mx.stdpierre.os3.site has address 18.221.91.30

I think even localhost should not be authorized to impersonate
@nethence.com (hence should be fail) nor mx.nethence.com should be able
to impersonate @stdpierre.os3.site (hence should be fail).

Tested locally on Exim's system at stdpierre.os3.site (FAIL: message is
passing through),

telnet localhost 25

helo crap
mail from:<root@???>
rcpt to:<user@???>
quit

Tested remotely at nethence.com (FAIL: message is passing through),

    telnet mx.stdpierre.os3.site 25


helo crap
mail from:<user@???>
rcpt to:<user@???>
quit


The ACL described earlier passes everything through but
at least returns information about the SPF result in the logs even if it
is false, I think.

2017-09-20 10:44:16 H=localhost (crap) [127.0.0.1] Warning: SPF=pass
2017-09-20 10:44:45 H=mx.nethence.com (crap) [62.210.110.7] Warning:
SPF=temperror

This is however the closest result to some working Exim Experimental_SPF
I have.

Although I have been using Exim a while in the past, I did not take much
profit of the enhanced ACLs features. Please help me define a simple
and good ACL setup that _should_ work so I can better test the
implementation.

Thanks
--
Pierre-Philipp