A.7. Adding SPF Checks

Here we cover two different ways to check Sender Policy Framework records using Exim. In addition to these explicit mechanisms, the SpamAssassin suite will in the near future (around version 2.70) incorporate more sophisticated SPF checks, by assigning weighted scores to the various SPF results.

Although we could perform this check as early as in the acl_mail_from ACL, there is an issue that will affect this decision: SPF is incompatible with traditional e-mail forwarding. Unless the forwarding host implements SRS, you may end up rejecting forwarded mail because you receive it from a host that is not authorized to do so per the SPF policy of the domain in the Envelope Sender address.

To avoid doing this, we need to consult a user-specific list of hosts from which forwarded mails should be accepted (as described in Exempting Forwarded Mail, to follow). This is only possible after the RCPT TO:, when we know the username of the recipient.

As such, we will add this check prior to any greylisting checks and/or the final accept statement in acl_rcpt_to.

A.7.1. SPF checks via Exiscan-ACL

Recent versions of Tom Kistner's Exiscan-ACL patch (see Prerequisites) have native support for SPF. [1] Usage is very simple. An spf ACL condition is added, and can be compared against any of the keywords pass, fail, softfail, none, neutral, err_perm or err_temp.

Prior to any greylisting checks and/or the final accept statement in acl_rcpt_to, insert the following snippet:

  # Query the SPF information for the sender address domain, if any,
  # to see if the sending host is authorized to deliver its mail.
  # If not, reject the mail.
  #
  deny
    message     = [SPF] $sender_host_address is not allowed to send mail \
                  from $sender_address_domain
    log_message = SPF check failed.
    spf         = fail


  # Add a SPF-Received: header to the message
  warn
    message     = $spf_received

This statement will reject the mail if the owner of the domain in the sender address has disallowed deliveries from the calling host. Some people find that this gives the domain owner a little bit too much control, even to the point of shooting themselves in the foot. A suggested alternative is to combine the SPF check with other checks, such as Sender Callout Verification (but note that as before, there is no point in doing this if you are sending your outgoing mail through a smarthost):

  # Reject the mail if we cannot verify the sender address via callouts,
  # and if SPF information for the sending domain does not grant explicit
  # authority to the sending host.
  #
  deny
    message     = The sender address does not seem to be valid, and SPF \
                  information does not grant $sender_host_address explicit \
                  authority to send mail from $sender_address_domain
    log_message = SPF check failed.
    !verify     = sender/callout,random,postmaster
    !spf        = pass


  # Add a SPF-Received: header to the message
  warn
    message     = $spf_received

A.7.2. SPF checks via Mail::SPF::Query

Mail::SPF::Query is a the official SPF test suite, available from http://spf.pobox.com/downloads.html. Debian users, install libmail-spf-query-perl.

The Mail::SPF::Query package comes with a daemon (spfd) that listens for requests on a UNIX domain socket. Unfortunately, it does not come with an "init" script to start this daemon automatically. Therefore, in the following example, we will use the standalone spfquery utility to make our SPF requests.

As above, insert the following prior to any greylisting checks and/or the final accept statement in acl_rcpt_to:

  # Use "spfquery" to obtain SPF status for this particular sender/host.
  # If the return code of that command is 1, this is an unauthorized sender.
  #
  deny
    message     = [SPF] $sender_host_address is not allowed to send mail \
                  from $sender_address_domain.
    log_message = SPF check failed.
    set acl_m9  = -ipv4=$sender_host_address \
                  -sender=$sender_address \
                  -helo=$sender_helo_name
    set acl_m9  = ${run{/usr/bin/spfquery $acl_m9}}
    condition   = ${if eq {$runrc}{1}{true}{false}}

Notes

[1]

Debian users: As of July 14th, 2004, the version of Exiscan-ACL that is included in the exim4-daemon-heavy package does not yet have support for SPF. In the mean time, you may choose the other SPF implementation; install libmail-spf-query-perl.