My suggested rules covers them both.
The first "deny" blocks mails with spoofed MAIL FROM adress, but the
second deny (that you put in acl_data) blocks mails with spoofed MIME
From. (ergo "From:" header).
Having both is good because some spammers use a "correct" MAIL FROM
but a spoofed "MIME From" that claims the mail was from yourself.
Den tis 5 feb. 2019 kl 17:28 skrev Evgeniy Berdnikov via Exim-users
<exim-users@???>:
>
> On Tue, Feb 05, 2019 at 04:48:46PM +0100, Sebastian Nielsen via Exim-users wrote:
> > in acl_mail (before SPF check):
> >
> > accept
> > authenticated = *
> > sender_domains = +local_domains
> > set acl_m0 = authorizedrelay
> > deny
> > message = You can't spoof the domains this server is authorative for
> > sender_domains = +local_domains
> >
> >
> > then in acl_data:
> > deny
> > message = You can't spoof the MIME From this server is authorative for
> > condition = ${if match {$h_from:}{^(?i).*<.*@(.*YOUR_DOMAIN_HERE>\$}{yes}{no}}
> > condition = ${if eq {$acl_m0}{authorizedrelay}{no}{yes}}
>
> The $h_from: refers to mail header "From:", but you previously wrote
> about MAIL FROM address, which is generally a different thing.
>
> You have better to run Exim with debugging (-d+acl) and study the output.
>
> > Den tis 5 feb. 2019 kl 15:37 skrev Al T. via Exim-users <exim-users@???>...
> > > I have manually tested both of these policies and they are working as they
> > > should, except in one case: if the MAIL FROM and RCPT TO address are the same,
> > > the mail is accepted without requiring authentication, and without validating
> > > the SPF record. This means some spam gets through by simply claiming to be
> > > from me to me.
>
> --
> Eugene Berdnikov
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/
