Will's blog

purpose: Will Kahn-Greene's blog of Miro, PyBlosxom, Python, GNU/Linux, random content, PyBlosxom, Miro, and other projects mixed in there ad hoc, half-baked, and with a twist of lemon


Thu, 13 Jul 2006

SPF and Exim in Debian

Turns out the Debian packager doesn't enable SPF in the exim4-daemon-heavy package, but it took me a couple of hours to figure that out. I ended up implementing SPF using the libmail-spf-query-perl package by adding the following rule to my RCPT ACL, just before the greylist stuff:

  # Accept (and so skip greylisting) when the sending host passes SPF for
  # the envelope sender: build the spfquery arguments in acl_m9, run
  # spfquery, then test its exit code in $runrc; 0 means "pass".
  accept
    # message and log_message are carried over from the TLDP deny rule;
    # log_message is only written for deny/defer or a true warn, so it
    # has no effect on an accept.
    message     = [SPF] $sender_host_address is not allowed to send mail \
                  from $sender_address_domain.
    log_message = SPF check failed.
    set acl_m9  = -ipv4=$sender_host_address \
                  -sender=$sender_address \
                  -helo=$sender_helo_name
    set acl_m9  = ${run{/usr/bin/spfquery $acl_m9}}
    condition   = ${if eq {$runrc}{0}{true}{false}}

The exit codes for spfquery are listed in the spfquery file (it's a Perl script), and the code for "pass" is 0. So, in theory, this rule accepts any email that passes the SPF check, and any email that fails the SPF check goes on through greylistd. I think that does what I want it to do.

Incidentally, I found the above code (though I inverted the check) at The Linux Documentation Project.

Comments:

Posted by David Eads on Mon Nov 13 17:00:10 2006
Thanks Will -- you saved me an hour or two of implementing this myself.  Why oh why doesn't the package maintainer compile with SPF support?


Posted by Dario on Wed May 30 20:29:02 2007
Hi,

I think your implementation can make you lose mail. Thing is:
spfquery returns 0 when the sender is permitted. It returns 1 if the sender is not permitted.
Everything besides 0 and 1 means: no SPF available, SPF malformed, etc. etc.

In those cases you want to accept the mail.

The original implementation on http://www.tldp.org/HOWTO/Spam-Filtering-for-MX/exim-spf.html checks whether runrc is 1, which is better IMHO. Deny if 1, accept else.


Posted by will on Thu Jun 7 10:50:51 2007
I was trying to accept email that spfquery accepts and I wanted to pass any other emails through greylistd.

So if spfquery returns a 0 (i.e. the sender is permitted), then we want to accept the email without further processing.

If spfquery returns anything else (fail, malformed, ...), then we want to pass it through greylistd.

I think what we had was correctly set up.  I and my users didn't see any evidence of email disappearing into the ether.  On a side note, I suspect there are multiple versions of spfquery out there that return different numbers.

Having said that, I no longer run bluesock with this configuration.  We upgraded servers in December and I haven't reimplemented the spfquery bits.
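Taking the post and the exchange in the comments together, here is an added example (not from the post or the TLDP HOWTO) of an RCPT ACL fragment that handles the three spfquery outcomes explicitly while keeping the post's behaviour of sending everything other than a pass on to greylistd. It assumes the same /usr/bin/spfquery and exit codes described above, that acl_m8 is otherwise unused, and the log texts are mine.

```exim
  # Run spfquery once and keep its exit code in acl_m8, so that the three
  # outcomes (pass / fail / no usable result) are tested and logged
  # separately instead of being lumped into "not 0".
  warn
    set acl_m9  = -ipv4=$sender_host_address \
                  -sender=$sender_address \
                  -helo=$sender_helo_name
    set acl_m9  = ${run{/usr/bin/spfquery $acl_m9}}
    set acl_m8  = $runrc

  # Exit code 0: the sending host is permitted by the domain's SPF record.
  # Accept here so the message skips greylisting. logwrite is used rather
  # than log_message because log_message is not written for accept verbs.
  accept
    condition   = ${if eq {$acl_m8}{0}{true}{false}}
    logwrite    = SPF pass for $sender_address from $sender_host_address

  # Exit code 1: the sending host is explicitly not permitted. This only
  # logs and lets greylistd see the message, as the post intends; change
  # the verb to "deny" to reject outright as the TLDP HOWTO does.
  warn
    condition   = ${if eq {$acl_m8}{1}{true}{false}}
    log_message = SPF fail for $sender_address from $sender_host_address \
                  (continuing to greylisting)

  # Any other exit code: no SPF record, malformed record, lookup error, or
  # spfquery itself did not run. Treat it as "no result", never as a fail,
  # so a DNS problem cannot be the reason mail is lost.
  warn
    condition   = ${if and{{!eq {$acl_m8}{0}}{!eq {$acl_m8}{1}}}{true}{false}}
    log_message = SPF no result (spfquery exit code $acl_m8) \
                  for $sender_address from $sender_host_address
```

With this in place, a grep of the main log for "SPF no result" shows how often the check is inconclusive, which is the case Dario's comment worries about.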



Copyright 1996 to 2012, Will Guaraldi Kahn-Greene, under the Creative Commons BY-SA 3.0 license

Will's Blog by William Kahn-Greene is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.