On 25.09.2017 14:45, Heiko Schlittermann via Exim-users wrote: > Hi,
>
> Hardy <bulk@???> (Mo 25 Sep 2017 09:17:34 CEST):
>> Hi,
>>> and clearly does not include localhost. So passing messags from
>>> localhost might be a feature of SPF in general or of the implementation
>>> in Exim.
>>
>> I wouldn't think localhost is handled special by SPF, but usually (in
>> standard- and example configs) you have a very early rule ACCEPTing existing
>> local users, before it does any "expensive" (netwise: DNS lookup etc.)
>> actions. In this case your SPF is not even tested, which is the aim of this
>> rule. You wouldn't want to greylist internal addresses either, would you?
>
> The debug output of my test session from localhost to localhost shows
> that SPF was in use and gave 'pass' to localhost (with some note about
> "localhost is always allowed")
>
> The string "localhost is always allowed." can be found in libspf2.a
So this is wanted by exim! I did not check what SPF specs say about it,
but this would mean, my local users CAN forge sender addresses?! Does
this make sense?!