Re: [exim] Implementation of SPF - flaw?

Top Page
Delete this message
Reply to this message
Author: Heiko Schlittermann
Date:  
To: exim-users
Subject: Re: [exim] Implementation of SPF - flaw?
Hi,

> > The string "localhost is always allowed." can be found in libspf2.a
> So this is wanted by exim! I did not check what SPF specs say about it, but


libspf2 is the library, Exim links against. So this is probably a
default, Exim relies on.

> this would mean, my local users CAN forge sender addresses?! Does this make
> sense?!


Local users on your MX (Mail In, SPF checking host), yes (if I do not miss anything). Do
you have any local users there?

The RFC does not seem to mention localhost specifically, but libspf2 seems
do do something like:

        /* Give localhost a free ride */
        if (SPF_request_is_loopback(spf_request))
                return SPF_i_done(*spf_responsep, SPF_RESULT_PASS,
                                                SPF_REASON_LOCALHOST, SPF_E_SUCCESS);




    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
-- 
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -