From 4cf50abea325ced6cdc1896f95feac78020f44d2 Mon Sep 17 00:00:00 2001 From: System administrator Date: Sat, 28 Sep 2019 15:27:48 +0200 Subject: acl: use built-in SPF support --- conf.d/020_acl.conf | 29 +++++++++++++++-------------- 1 file changed, 15 insertions(+), 14 deletions(-) (limited to 'conf.d') diff --git a/conf.d/020_acl.conf b/conf.d/020_acl.conf index 59417b3..af56f6b 100644 --- a/conf.d/020_acl.conf +++ b/conf.d/020_acl.conf @@ -92,26 +92,27 @@ acl_mta_mail: accept hosts = +trusted_relay_hosts - # Accept if the host is an authorized sender according to the SPF policy for the domain (SPF pass). - # TODO: switch to builtin exim SPF support - accept set acl_m_spf = ${run{SPF_QUERY_COMMAND \ - --ip ${quote:$sender_host_address} \ - --identity ${if def:sender_address_domain \ - {--scope mfrom --identity ${quote:$sender_address}} \ - {--scope helo --identity ${quote:$sender_helo_name}}}}} - condition = ${if eq {$acl_m_spf}{0}{yes}{no}} - - # Deny if the host is explicitely not an authorized sender according to the SPF policy for the domain (SPF fail). - # TODO: switch to builtin exim SPF support - drop condition = ${if eq {$acl_m_spf}{1}{yes}{no}} + defer spf = temperror + message = [SPF] Could not proceed through validation. Please try again later. + + drop spf = permerror + message = [SPF] Syntax error in the SPF record of \ + ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \ + Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain \ + {mfrom}{helo}};identity=${if def:sender_address_domain \ + {$sender_address}{$sender_helo_name}};ip=$sender_host_address + + drop spf = fail message = [SPF] $sender_host_address is not allowed to send mail from \ ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \ Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain \ {mfrom}{helo}};identity=${if def:sender_address_domain \ {$sender_address}{$sender_helo_name}};ip=$sender_host_address - # Deny messages from hosts listed as non-MTA in the PBL, for which SPF couldn't determine a policy. - drop dnslists = pbl.spamhaus.org + # Deny messages from end-user IP address ranges listed in the PBL, for which SPF didn't explicitly pass. + # It is safe to assume that legitimate home-hosted MTAs have an associated SPF record, that zombie machines would lack. + drop !spf = pass + dnslists = pbl.spamhaus.org message = [RBL] $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text accept -- cgit v1.2.3