471 lines
8.9 KiB
HTML
471 lines
8.9 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
|
|
<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>Adding SPF Checks</TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
|
|
REL="HOME"
|
|
TITLE="Spam Filtering for Mail Exchangers"
|
|
HREF="index.html"><LINK
|
|
REL="UP"
|
|
TITLE="Exim Implementation"
|
|
HREF="exim.html"><LINK
|
|
REL="PREVIOUS"
|
|
TITLE="Adding Greylisting Support"
|
|
HREF="exim-greylisting.html"><LINK
|
|
REL="NEXT"
|
|
TITLE="Adding MIME and Filetype Checks"
|
|
HREF="exim-mime.html"></HEAD
|
|
><BODY
|
|
CLASS="section"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
><DIV
|
|
CLASS="NAVHEADER"
|
|
><TABLE
|
|
SUMMARY="Header navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TH
|
|
COLSPAN="3"
|
|
ALIGN="center"
|
|
>Spam Filtering for Mail Exchangers: </TH
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="left"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="exim-greylisting.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="80%"
|
|
ALIGN="center"
|
|
VALIGN="bottom"
|
|
>Appendix A. Exim Implementation</TD
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="right"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="exim-mime.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"></DIV
|
|
><DIV
|
|
CLASS="section"
|
|
><H1
|
|
CLASS="section"
|
|
><A
|
|
NAME="exim-spf"
|
|
></A
|
|
>A.7. Adding SPF Checks</H1
|
|
><P
|
|
> Here we cover two different ways to check <A
|
|
HREF="senderauth.html#spf"
|
|
>Sender Policy Framework</A
|
|
>
|
|
records using Exim. In addition to these explicit mechanisms,
|
|
the SpamAssassin suite will in the near future (around version
|
|
2.70) incorporate more sophisticated SPF checks, by assigning
|
|
weighted scores to the various SPF results.
|
|
</P
|
|
><P
|
|
> Although we <EM
|
|
>could</EM
|
|
> perform this check as
|
|
early as in the <A
|
|
HREF="exim-final.html#acl_mail_from_final"
|
|
>acl_mail_from</A
|
|
> ACL, there
|
|
is an issue that will affect this decision: SPF is incompatible
|
|
with traditional e-mail forwarding. Unless the forwarding host
|
|
implements <A
|
|
HREF="http://spf.pobox.com/srs.html"
|
|
TARGET="_top"
|
|
>SRS</A
|
|
>, you may end up
|
|
rejecting forwarded mail because you receive it from a host that
|
|
is not authorized to do so per the SPF policy of the domain in
|
|
the <A
|
|
HREF="gloss.html#envfrom"
|
|
><I
|
|
CLASS="glossterm"
|
|
>Envelope Sender</I
|
|
></A
|
|
> address.
|
|
</P
|
|
><P
|
|
> To avoid doing this, we need to consult a user-specific list of
|
|
hosts from which forwarded mails should be accepted (as
|
|
described in <A
|
|
HREF="exim-forward.html"
|
|
>Exempting Forwarded Mail</A
|
|
>, to follow).
|
|
This is only possible after the <B
|
|
CLASS="command"
|
|
>RCPT TO:</B
|
|
>,
|
|
when we know the username of the recipient.
|
|
</P
|
|
><P
|
|
> As such, we will add this check prior to any greylisting
|
|
checks and/or the final <TT
|
|
CLASS="option"
|
|
>accept</TT
|
|
> statement in
|
|
<A
|
|
HREF="exim-final.html#acl_rcpt_to_final"
|
|
>acl_rcpt_to</A
|
|
>.
|
|
</P
|
|
><DIV
|
|
CLASS="section"
|
|
><H2
|
|
CLASS="section"
|
|
><A
|
|
NAME="exim-spf-exiscan"
|
|
></A
|
|
>A.7.1. SPF checks via Exiscan-ACL</H2
|
|
><P
|
|
> Recent versions of Tom Kistner's <TT
|
|
CLASS="option"
|
|
>Exiscan-ACL</TT
|
|
>
|
|
patch (see <A
|
|
HREF="exim-prereq.html"
|
|
>Prerequisites</A
|
|
>) have native support
|
|
for SPF.
|
|
<A
|
|
NAME="AEN1692"
|
|
HREF="#FTN.AEN1692"
|
|
><SPAN
|
|
CLASS="footnote"
|
|
>[1]</SPAN
|
|
></A
|
|
>
|
|
Usage is very simple. An <TT
|
|
CLASS="option"
|
|
>spf</TT
|
|
> ACL condition
|
|
is added, and can be compared against any of the keywords
|
|
<TT
|
|
CLASS="option"
|
|
>pass</TT
|
|
>, <TT
|
|
CLASS="option"
|
|
>fail</TT
|
|
>,
|
|
<TT
|
|
CLASS="option"
|
|
>softfail</TT
|
|
>, <TT
|
|
CLASS="option"
|
|
>none</TT
|
|
>,
|
|
<TT
|
|
CLASS="option"
|
|
>neutral</TT
|
|
>, <TT
|
|
CLASS="option"
|
|
>err_perm</TT
|
|
> or
|
|
<TT
|
|
CLASS="option"
|
|
>err_temp</TT
|
|
>.
|
|
</P
|
|
><P
|
|
> Prior to any greylisting checks and/or the final
|
|
<TT
|
|
CLASS="option"
|
|
>accept</TT
|
|
> statement in <A
|
|
HREF="exim-final.html#acl_rcpt_to_final"
|
|
>acl_rcpt_to</A
|
|
>, insert the following snippet:
|
|
|
|
<TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
> # Query the SPF information for the sender address domain, if any,
|
|
# to see if the sending host is authorized to deliver its mail.
|
|
# If not, reject the mail.
|
|
#
|
|
deny
|
|
message = [SPF] $sender_host_address is not allowed to send mail \
|
|
from $sender_address_domain
|
|
log_message = SPF check failed.
|
|
spf = fail
|
|
|
|
|
|
# Add a SPF-Received: header to the message
|
|
warn
|
|
message = $spf_received
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
>
|
|
</P
|
|
><P
|
|
> This statement will reject the mail if the owner of the domain
|
|
in the sender address has disallowed deliveries from the
|
|
calling host. Some people find that this gives the domain
|
|
owner a little bit too much control, even to the point of
|
|
shooting themselves in the foot. A suggested alternative is
|
|
to combine the SPF check with other checks, such as Sender
|
|
Callout Verification (but note that as before, there is no
|
|
point in doing this if you are sending your outgoing mail
|
|
through a smarthost):
|
|
|
|
<TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
> # Reject the mail if we cannot verify the sender address via callouts,
|
|
# and if SPF information for the sending domain does not grant explicit
|
|
# authority to the sending host.
|
|
#
|
|
deny
|
|
message = The sender address does not seem to be valid, and SPF \
|
|
information does not grant $sender_host_address explicit \
|
|
authority to send mail from $sender_address_domain
|
|
log_message = SPF check failed.
|
|
!verify = sender/callout,random,postmaster
|
|
!spf = pass
|
|
|
|
|
|
# Add a SPF-Received: header to the message
|
|
warn
|
|
message = $spf_received
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
>
|
|
</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="section"
|
|
><H2
|
|
CLASS="section"
|
|
><A
|
|
NAME="exim-spf-query-perl"
|
|
></A
|
|
>A.7.2. SPF checks via Mail::SPF::Query</H2
|
|
><P
|
|
> <TT
|
|
CLASS="option"
|
|
>Mail::SPF::Query</TT
|
|
> is a the official SPF test
|
|
suite, available from <A
|
|
HREF="http://spf.pobox.com/downloads.html"
|
|
TARGET="_top"
|
|
>http://spf.pobox.com/downloads.html</A
|
|
>. Debian users,
|
|
install <TT
|
|
CLASS="option"
|
|
>libmail-spf-query-perl</TT
|
|
>.
|
|
</P
|
|
><P
|
|
> The <TT
|
|
CLASS="option"
|
|
>Mail::SPF::Query</TT
|
|
> package comes with a
|
|
daemon (<B
|
|
CLASS="command"
|
|
>spfd</B
|
|
>) that listens for requests on
|
|
a UNIX domain socket. Unfortunately, it does not come with an
|
|
<SPAN
|
|
CLASS="QUOTE"
|
|
>"init"</SPAN
|
|
> script to start this daemon automatically.
|
|
Therefore, in the following example, we will use the
|
|
standalone <B
|
|
CLASS="command"
|
|
>spfquery</B
|
|
> utility to make our SPF
|
|
requests.
|
|
</P
|
|
><P
|
|
> As above, insert the following prior to any greylisting checks
|
|
and/or the final <TT
|
|
CLASS="option"
|
|
>accept</TT
|
|
> statement in <A
|
|
HREF="exim-firstpass.html#acl_rcpt_to_1"
|
|
>acl_rcpt_to</A
|
|
>:
|
|
|
|
<TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="screen"
|
|
> # Use "spfquery" to obtain SPF status for this particular sender/host.
|
|
# If the return code of that command is 1, this is an unauthorized sender.
|
|
#
|
|
deny
|
|
message = [SPF] $sender_host_address is not allowed to send mail \
|
|
from $sender_address_domain.
|
|
log_message = SPF check failed.
|
|
set acl_m9 = -ipv4=$sender_host_address \
|
|
-sender=$sender_address \
|
|
-helo=$sender_helo_name
|
|
set acl_m9 = ${run{/usr/bin/spfquery $acl_m9}}
|
|
condition = ${if eq {$runrc}{1}{true}{false}}
|
|
</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
>
|
|
</P
|
|
></DIV
|
|
></DIV
|
|
><H3
|
|
CLASS="FOOTNOTES"
|
|
>Notes</H3
|
|
><TABLE
|
|
BORDER="0"
|
|
CLASS="FOOTNOTES"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
ALIGN="LEFT"
|
|
VALIGN="TOP"
|
|
WIDTH="5%"
|
|
><A
|
|
NAME="FTN.AEN1692"
|
|
HREF="exim-spf.html#AEN1692"
|
|
><SPAN
|
|
CLASS="footnote"
|
|
>[1]</SPAN
|
|
></A
|
|
></TD
|
|
><TD
|
|
ALIGN="LEFT"
|
|
VALIGN="TOP"
|
|
WIDTH="95%"
|
|
><P
|
|
> Debian users: As of July 14th, 2004, the version of
|
|
Exiscan-ACL that is included in the
|
|
<TT
|
|
CLASS="option"
|
|
>exim4-daemon-heavy</TT
|
|
> package does not yet
|
|
have support for SPF. In the mean time, you may choose
|
|
the other SPF implementation; install
|
|
<TT
|
|
CLASS="option"
|
|
>libmail-spf-query-perl</TT
|
|
>.
|
|
</P
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><DIV
|
|
CLASS="NAVFOOTER"
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"><TABLE
|
|
SUMMARY="Footer navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="exim-greylisting.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="index.html"
|
|
ACCESSKEY="H"
|
|
>Home</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="exim-mime.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
>Adding Greylisting Support</TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="exim.html"
|
|
ACCESSKEY="U"
|
|
>Up</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
>Adding MIME and Filetype Checks</TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></BODY
|
|
></HTML
|
|
> |