summaryrefslogtreecommitdiff
path: root/conf.d
diff options
context:
space:
mode:
authorSystem administrator2019-09-28 15:27:48 +0200
committerSystem administrator2019-09-28 15:27:48 +0200
commit4cf50abea325ced6cdc1896f95feac78020f44d2 (patch)
tree1d564883d83323805166d0f671dc3c664e5f40ab /conf.d
parentb9565c95598563917e3c0d365ac0448515fc98c3 (diff)
downloadexim-4cf50abea325ced6cdc1896f95feac78020f44d2.tar.gz
acl: use built-in SPF support
Diffstat (limited to 'conf.d')
-rw-r--r--conf.d/020_acl.conf29
1 files changed, 15 insertions, 14 deletions
diff --git a/conf.d/020_acl.conf b/conf.d/020_acl.conf
index 59417b3..af56f6b 100644
--- a/conf.d/020_acl.conf
+++ b/conf.d/020_acl.conf
@@ -92,26 +92,27 @@ acl_mta_mail:
92 92
93 accept hosts = +trusted_relay_hosts 93 accept hosts = +trusted_relay_hosts
94 94
95 # Accept if the host is an authorized sender according to the SPF policy for the domain (SPF pass). 95 defer spf = temperror
96 # TODO: switch to builtin exim SPF support 96 message = [SPF] Could not proceed through validation. Please try again later.
97 accept set acl_m_spf = ${run{SPF_QUERY_COMMAND \ 97
98 --ip ${quote:$sender_host_address} \ 98 drop spf = permerror
99 --identity ${if def:sender_address_domain \ 99 message = [SPF] Syntax error in the SPF record of \
100 {--scope mfrom --identity ${quote:$sender_address}} \ 100 ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
101 {--scope helo --identity ${quote:$sender_helo_name}}}}} 101 Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain \
102 condition = ${if eq {$acl_m_spf}{0}{yes}{no}} 102 {mfrom}{helo}};identity=${if def:sender_address_domain \
103 103 {$sender_address}{$sender_helo_name}};ip=$sender_host_address
104 # Deny if the host is explicitely not an authorized sender according to the SPF policy for the domain (SPF fail). 104
105 # TODO: switch to builtin exim SPF support 105 drop spf = fail
106 drop condition = ${if eq {$acl_m_spf}{1}{yes}{no}}
107 message = [SPF] $sender_host_address is not allowed to send mail from \ 106 message = [SPF] $sender_host_address is not allowed to send mail from \
108 ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \ 107 ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
109 Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain \ 108 Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain \
110 {mfrom}{helo}};identity=${if def:sender_address_domain \ 109 {mfrom}{helo}};identity=${if def:sender_address_domain \
111 {$sender_address}{$sender_helo_name}};ip=$sender_host_address 110 {$sender_address}{$sender_helo_name}};ip=$sender_host_address
112 111
113 # Deny messages from hosts listed as non-MTA in the PBL, for which SPF couldn't determine a policy. 112 # Deny messages from end-user IP address ranges listed in the PBL, for which SPF didn't explicitly pass.
114 drop dnslists = pbl.spamhaus.org 113 # It is safe to assume that legitimate home-hosted MTAs have an associated SPF record, that zombie machines would lack.
114 drop !spf = pass
115 dnslists = pbl.spamhaus.org
115 message = [RBL] $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text 116 message = [RBL] $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
116 117
117 accept 118 accept