From 4cf50abea325ced6cdc1896f95feac78020f44d2 Mon Sep 17 00:00:00 2001
From: System administrator
Date: Sat, 28 Sep 2019 15:27:48 +0200
Subject: acl: use built-in SPF support

---
 conf.d/020_acl.conf | 29 +++++++++++++++--------------
 1 file changed, 15 insertions(+), 14 deletions(-)

(limited to 'conf.d/020_acl.conf')

diff --git a/conf.d/020_acl.conf b/conf.d/020_acl.conf
index 59417b3..af56f6b 100644
--- a/conf.d/020_acl.conf
+++ b/conf.d/020_acl.conf
@@ -92,26 +92,27 @@ acl_mta_mail:
 
   accept   hosts         = +trusted_relay_hosts
 
-  # Accept if the host is an authorized sender according to the SPF policy for the domain (SPF pass).
-  # TODO: switch to builtin exim SPF support
-  accept   set acl_m_spf = ${run{SPF_QUERY_COMMAND \
-                             --ip ${quote:$sender_host_address} \
-                             --identity ${if def:sender_address_domain \
-                               {--scope mfrom --identity ${quote:$sender_address}} \
-                               {--scope helo --identity ${quote:$sender_helo_name}}}}}
-           condition     = ${if eq {$acl_m_spf}{0}{yes}{no}}
-
-  # Deny if the host is explicitely not an authorized sender according to the SPF policy for the domain (SPF fail).
-  # TODO: switch to builtin exim SPF support
-  drop     condition     = ${if eq {$acl_m_spf}{1}{yes}{no}}
+  defer    spf           = temperror
+           message       = [SPF] Could not proceed through validation. Please try again later.
+
+  drop     spf           = permerror
+           message       = [SPF] Syntax error in the SPF record of \
+                           ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
+                           Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain \
+                             {mfrom}{helo}};identity=${if def:sender_address_domain \
+                             {$sender_address}{$sender_helo_name}};ip=$sender_host_address
+
+  drop     spf           = fail
            message       = [SPF] $sender_host_address is not allowed to send mail from \
                            ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
                            Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain \
                              {mfrom}{helo}};identity=${if def:sender_address_domain \
                              {$sender_address}{$sender_helo_name}};ip=$sender_host_address
 
-  # Deny messages from hosts listed as non-MTA in the PBL, for which SPF couldn't determine a policy.
-  drop     dnslists      = pbl.spamhaus.org
+  # Deny messages from end-user IP address ranges listed in the PBL, for which SPF didn't explicitly pass.
+  # It is safe to assume that legitimate home-hosted MTAs have an associated SPF record, that zombie machines would lack.
+  drop     !spf          = pass
+           dnslists      = pbl.spamhaus.org
            message       = [RBL] $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
 
   accept
-- 
cgit v1.2.3