author | System administrator | 2019-09-28 15:27:48 +0200 |
committer | System administrator | 2019-09-28 15:27:48 +0200 |
commit | 4cf50abea325ced6cdc1896f95feac78020f44d2 (patch) | |
tree | 1d564883d83323805166d0f671dc3c664e5f40ab /conf.d | |
parent | b9565c95598563917e3c0d365ac0448515fc98c3 (diff) | |
download | exim-4cf50abea325ced6cdc1896f95feac78020f44d2.tar.gz |
acl: use built-in SPF support
Diffstat (limited to 'conf.d')
-rw-r--r-- | conf.d/020_acl.conf | 29 |
1 files changed, 15 insertions, 14 deletions
diff --git a/conf.d/020_acl.conf b/conf.d/020_acl.conf index 59417b3..af56f6b 100644 --- a/conf.d/020_acl.conf +++ b/conf.d/020_acl.conf | |||
@@ -92,26 +92,27 @@ acl_mta_mail: | |||
92 | 92 | ||
93 | accept hosts = +trusted_relay_hosts | 93 | accept hosts = +trusted_relay_hosts |
94 | 94 | ||
95 | # Accept if the host is an authorized sender according to the SPF policy for the domain (SPF pass). | 95 | defer spf = temperror |
96 | # TODO: switch to builtin exim SPF support | 96 | message = [SPF] Could not proceed through validation. Please try again later. |
97 | accept set acl_m_spf = ${run{SPF_QUERY_COMMAND \ | 97 | |
98 | --ip ${quote:$sender_host_address} \ | 98 | drop spf = permerror |
99 | --identity ${if def:sender_address_domain \ | 99 | message = [SPF] Syntax error in the SPF record of \ |
100 | {--scope mfrom --identity ${quote:$sender_address}} \ | 100 | ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \ |
101 | {--scope helo --identity ${quote:$sender_helo_name}}}}} | 101 | Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain \ |
102 | condition = ${if eq {$acl_m_spf}{0}{yes}{no}} | 102 | {mfrom}{helo}};identity=${if def:sender_address_domain \ |
103 | 103 | {$sender_address}{$sender_helo_name}};ip=$sender_host_address | |
104 | # Deny if the host is explicitely not an authorized sender according to the SPF policy for the domain (SPF fail). | 104 | |
105 | # TODO: switch to builtin exim SPF support | 105 | drop spf = fail |
106 | drop condition = ${if eq {$acl_m_spf}{1}{yes}{no}} | ||
107 | message = [SPF] $sender_host_address is not allowed to send mail from \ | 106 | message = [SPF] $sender_host_address is not allowed to send mail from \ |
108 | ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \ | 107 | ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \ |
109 | Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain \ | 108 | Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain \ |
110 | {mfrom}{helo}};identity=${if def:sender_address_domain \ | 109 | {mfrom}{helo}};identity=${if def:sender_address_domain \ |
111 | {$sender_address}{$sender_helo_name}};ip=$sender_host_address | 110 | {$sender_address}{$sender_helo_name}};ip=$sender_host_address |
112 | 111 | ||
113 | # Deny messages from hosts listed as non-MTA in the PBL, for which SPF couldn't determine a policy. | 112 | # Deny messages from end-user IP address ranges listed in the PBL, for which SPF didn't explicitly pass. |
114 | drop dnslists = pbl.spamhaus.org | 113 | # It is safe to assume that legitimate home-hosted MTAs have an associated SPF record, that zombie machines would lack. |
114 | drop !spf = pass | ||
115 | dnslists = pbl.spamhaus.org | ||
115 | message = [RBL] $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text | 116 | message = [RBL] $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text |
116 | 117 | ||
117 | accept | 118 | accept |
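Review bot: The new `drop spf = permerror` rule (new line 98) rejects at connection level every sender whose domain publishes a malformed or over-long SPF record, a case RFC 7208 leaves to local policy and that many receivers treat as a non-pass result rather than a hard failure, so legitimate domains with a broken record are cut off with no fallback. If the hard reject is intended it should be stated next to the rule, e.g. `# Reject on permerror: a syntactically broken SPF record is treated as a hard failure (stricter than the RFC 7208 local-policy default).`. The removed text carried a header comment on each SPF rule, but the new temperror/permerror/fail rules have none, so a reader no longer sees that pass, neutral, softfail and none deliberately fall through to the `drop !spf = pass` / PBL rule below; a one-line comment before `defer spf = temperror` would restore that. Whether the repeated `spf =` conditions re-run the DNS lookups or reuse a cached result depends on the Exim version in use and is worth confirming. The acl_mta_mail block begins before the hunk.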