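From: David Saez
Date: Wed, 30 Jul 2003 16:15:33 +0200

This is a first attempt to have a working SPF ( http://spf.pobox.com/ ) check for Exim 4.xx that does not need patching Exim.

# SPF Auth test for Exim 4.xx
# Version 1.02 by david@ols.es
#
# Features:
#
# - SPF lookup with spfinclude recursion support
# - Received-SPF: header support
# - Null sender support
# - No multi spfinclude support
# - No IPv6 support
#
# Warning:
#
# Will use acl_m9 and acl_m8
#
# Review notes:
#
# - Every value this file evaluates is supplied by the remote side:
#   the envelope sender domain, the HELO name, the reverse-DNS host
#   name and the TXT record contents. They are used to build DNS
#   query names and the Received-SPF: header text, so the
#   dns_check_names_pattern setting in step 2 is the only character
#   filter applied to the constructed query name.
# - Nothing in this file removes a Received-SPF: header that is
#   already present in the incoming message; consumers of the header
#   should trust only the one added by their own host.
# - spfinclude recursion has no depth counter in this file. A domain
#   that publishes a self-referencing spfinclude is stopped only by
#   Exim's own limit on nested ACL calls (NOTE(review): confirm the
#   limit and the resulting SMTP response for your Exim version).
# - The reversed-address name below is built by splitting on ".", so
#   it is meaningful only for IPv4 clients. Presumably IPv6 clients
#   end up with a failed lookup; confirm how that case is treated
#   before relying on the deny rule on dual-stack hosts.
#
# Usage instructions:
#
# 1. copy this file to your exim installation directory
#
# 2. add this line to your exim configuration file to allow
#    spf like dns names:
#
#    dns_check_names_pattern = \
#      (?i)^(?>(?(1)\.|())[^\W](?>[a-z0-9-_]*[^\W_])?)+$
#
# 3. add this line to your exim configuration file after your
#    begin acl:
#
#    .include spf.acl
#
# 4. Now you can use the test on your RCPT ACL this way:
#
#    deny !acl = spf_acl
#         message = $sender_host_address is not allowed to send \
#                   mail for $sender_address_domain
#         log_message = Not authorized by SPF
#

# Entry point. Chooses the domain to check, runs the lookup ACL and,
# if that ACL accepts, adds a Received-SPF: header carrying the result
# text left in acl_m9.
spf_acl:

  # Non-empty envelope sender: check the sender's domain.
  warn !senders = :
       set acl_m9 = $sender_address_domain

  # Null sender (bounce): fall back to the HELO name, which is
  # whatever the client chose to announce.
  warn senders = :
       set acl_m9 = $sender_helo_name

  # Any outcome of spf_real_acl other than accept ends here as deny.
  deny !acl = spf_real_acl

  warn message = Received-SPF: $acl_m9

  accept

# Lookup and evaluation. On entry acl_m9 holds the domain to check;
# on accept it holds the Received-SPF: result text. acl_m8 is scratch.
# Calls itself once per spfinclude hop.
spf_real_acl:

  # Build <reversed IPv4 address>.in-addr._smtp_client.<domain>
  warn set acl_m9 = ${extract{4}{.}{$sender_host_address}}.\
                    ${extract{3}{.}{$sender_host_address}}.\
                    ${extract{2}{.}{$sender_host_address}}.\
                    ${extract{1}{.}{$sender_host_address}}.\
                    in-addr._smtp_client.$acl_m9

  # SPF TXT lookup
  # No failure string is given, so a name with no TXT record expands
  # to the empty string and falls through to the "no SPF" rule below.
  # NOTE(review): confirm how a DNS temporary failure is handled here.
  warn set acl_m8 = ${lookup dnsdb{txt=$acl_m9}{$value}}

  # Split response
  # Only the first line of the answer is used; it is split at "=" into
  # a keyword (acl_m8) and a value (acl_m9).
  warn set acl_m8 = ${extract{1}{\n}{$acl_m8}}
       set acl_m9 = ${extract{2}{=}{$acl_m8}}
       set acl_m8 = ${extract{1}{=}{$acl_m8}}

  # spf=deny
  deny condition = ${if eq{$acl_m8}{spf}{yes}{no}}
       condition = ${if eq{$acl_m9}{deny}{yes}{no}}

  # spf=allow
  accept condition = ${if eq{$acl_m8}{spf}{yes}{no}}
         condition = ${if eq{$acl_m9}{allow}{yes}{no}}
         set acl_m9 = pass ($sender_host_name [$sender_host_address] \
                      is designated mailer for domain of sender \
                      $sender_address)

  # spf=softdeny
  accept condition = ${if eq{$acl_m8}{spf}{yes}{no}}
         condition = ${if eq{$acl_m9}{softdeny}{yes}{no}}
         set acl_m9 = softfail ($sender_host_name [$sender_host_address] \
                      not a designated mailer for transitioning \
                      domain of sender $sender_address)

  # no SPF
  # Reached for an empty answer, for any keyword other than
  # spfinclude, and for spf= values other than the three above.
  accept condition = ${if eq{$acl_m8}{spfinclude}{no}{yes}}
         set acl_m9 = unknown (domain of sender $sender_address \
                      does not designate mailers)

  # spfinclude
  # A multi-domain spfinclude is not evaluated. The message is still
  # accepted, but the result is recorded as "unknown" rather than
  # "pass", so the header never claims an authorization that was not
  # actually checked.
  accept condition = ${if match{$acl_m9}{:}{yes}{no}}
         set acl_m9 = unknown (unsupported multiple spfinclude detected)

  # Single spfinclude: repeat the check against the included domain,
  # which is taken as-is from the TXT record.
  accept acl = spf_real_acl

  # The nested check did not accept; pass the refusal up.
  deny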