in acl_mail (before SPF check):
accept
authenticated = *
sender_domains = +local_domains
set acl_m0 = authorizedrelay
deny
message = You can't spoof the domains this server is authorative for
sender_domains = +local_domains
then in acl_data:
deny
message = You can't spoof the MIME From this server is authorative for
condition = ${if match {$h_from:}{^(?i).*<.*@(.*YOUR_DOMAIN_HERE>\$}{yes}{no}}
condition = ${if eq {$acl_m0}{authorizedrelay}{no}{yes}}
Den tis 5 feb. 2019 kl 15:37 skrev Al T. via Exim-users <exim-users@???>:
>
> I have an interesting problem I haven't been able to solve. I keep searching
> for a solution but I can't seem to find an answer.
>
> Users of my domain are required to authenticate in order to submit email.
> Additionally, SPF is enabled and rejects all mail not originating from my MX
> server (v=spf1 a mx -all).
>
> I have manually tested both of these policies and they are working as they
> should, except in one case: if the MAIL FROM and RCPT TO address are the same,
> the mail is accepted without requiring authentication, and without validating
> the SPF record. This means some spam gets through by simply claiming to be
> from me to me.
>
> Any ideas why Exim does that and how to block it?
>
> --
> Al T.
> alf@???
>
>
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
