Will's blog

purpose: Will Kahn-Greene's blog of Python, Linux, random content, PyBlosxom, Miro, and other projects mixed in there ad hoc, half-baked, and with a twist of lemon

Wed, 12 Jul 2006

SPF and Exim in Debian

Turns out the Debian packager doesn't enable SPF in the exim4-daemon-heavy package. But it took me a couple of hours to figure that out. I ended up implementing SPF using the libmail-spf-query-perl package by adding the following rule to my rcpt acl just before greylist stuff: 

  accept
    message     = [SPF] $sender_host_address is not allowed to send mail \
                  from $sender_address_domain.
    log_message = SPF check failed.
    set acl_m9  = -ipv4=$sender_host_address \
                  -sender=$sender_address \
                  -helo=$sender_helo_name
    set acl_m9  = ${run{/usr/bin/spfquery $acl_m9}}
    condition   = ${if eq {$runrc}{0}{true}{false}}

The exit codes for spfquery are in the spfquery file (it's a Perl script) and the code for "pass" is 0. So (in theory) this will accept any email that passes the SPF check. Any email that fails the SPF check will go through greylistd. I think that does what I want it to do.

Incidentally, I found the above code (though I inverted the check) here at The Linux Documentation Project.

[ category: /debian | Permalink | 3 comments ]
Posted by David Eads on Mon Nov 13 16:00:10 2006
Thanks Will -- you saved me an hour or two of implementing this myself.  Why oh why doesn't the package maintainer compile with SPF support?


Posted by Dario on Wed May 30 19:29:02 2007
Hi,

i think your implementation can make you loose mail. thing is:
spfquery returns 0 when the sender is permitted. it returns 1 if the sender is not permitted
everything besides 0 and 1 means: no spf available, spf malformatted, etc. etc.

in those cases you want to accept the mail.

the original implementation on http://www.tldp.org/HOWTO/Spam-Filtering-for-MX/exim-spf.html checks whether runrc is 1 - which is better imho. deny if 1, accept else.


Posted by will on Thu Jun 7 09:50:51 2007
I was trying to accept email that spfquery accepts and I wanted to pass any other emails through greylistd.

So if spfquery returns a 0 (i.e. the sender is permitted), then we want to accept the email without further processing.

If spfquery returns anything else (fail, malformatted, ...), then we want to pass it through greylistd.

I think what we had was correctly set up.  I and my users didn't see any evidence of email disappearing into the ether.  On a side note, I suspect there are multiple versions of spfquery out there that return different numbers.

Having said that, I no longer run bluesock with this configuration.  We upgraded servers in December and I haven't reimplemented the spfquery bits.


Please keep comments appropriate. I reserve the right to remove anonymous comments, flames, spammy, inappropriate, and other comments that I deem to be worth removing.

Note: New comments get placed in a "draft" status and will NOT show up on the site until I explicitly approve it. Usually that happens within 24 hours, but sometimes I go away and it takes a day or two.

Note 2: There is now a preview button for those of you who want to see a preview! However, it doesn't quite work the way you'd think it should work. I'll look into adjusting it some day.

Note 3: If you can't for some reason post a comment, send me an email: willg at bluesock dot org.

Your name:


Your e-mail address (this doesn't get displayed to anyone--I use it to contact you if there are issues):


URL of your website (optional):


Comment:


Yes, I am a human!

pyblosxom::2.0 dev

All contents Copyright 1996 to 2008 Will Guaraldi.
Creative Commons License
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.