Bug#290464: [Pkg-exim4-devel] SPF
Robert Millan
rmh at aybabtu.com
Wed Jul 19 17:24:34 UTC 2006
On Wed, Jul 19, 2006 at 05:28:45PM +0200, Marc Haber wrote:
> On Wed, Jul 19, 2006 at 05:12:43PM +0200, Robert Millan wrote:
> > On Wed, Jul 19, 2006 at 10:30:12AM +0200, Marc Haber wrote:
> > > I might consider including SPF if there is a volunteer co-maintainer
> > > who is willing to do _ALL_ spf-related support including bug triage,
> > > upstream coordination, end-user support so that my increase in work
> > > load is zero or negative. At the moment, everything that has the
> > > potential to increase my work load is a non-option without being
> > > forced by the tech ctte or strong consensus on debian-devel that SPF
> > > should be enabled.
> >
> > Deal! I'm attaching a patch to add a (disabled by default) SPF template in
> > the debian config. I volunteer to do all the work that is derived from applying
> > this patch.
>
> The patch is completely missing documentation.
I'm adding some comments to the config file itself. Is some note in
README.Debian necessary as well?
> Is it possible to avoid
> using the ACL variable, which I'd like to save for the local admin's
> use?
Yep. It was a bit tricky, but it seems to work (I'm running the same config in
my mail server).
Here's a new patch.
--
Robert Millan
My spam trap is honeypot at aybabtu.com. Note: this address is only intended for
spam harvesters. Writing to it will get you added to my black list.
-------------- next part --------------
diff -ur exim4-4.62.old/debian/control exim4-4.62/debian/control
--- exim4-4.62.old/debian/control 2006-07-14 21:19:12.000000000 +0200
+++ exim4-4.62/debian/control 2006-07-19 16:10:42.000000000 +0200
@@ -13,7 +13,7 @@
Replaces: exim, exim-tls, exim4-daemon-light, exim4-daemon-heavy, exim4-daemon-custom
Depends: ${shlibs:Depends}, cron (>=3.0pl1-42), ${misc:Depends}, exim4-config (>=4.30) | exim4-config-2, adduser, netbase
Recommends: psmisc
-Suggests: mail-reader, eximon4, exim4-doc-html|exim4-doc-info, gnutls-bin
+Suggests: mail-reader, eximon4, exim4-doc-html|exim4-doc-info, gnutls-bin, libmail-spf-query-perl
Description: support files for all exim MTA (v4) packages
Exim (v4) is a mail transport agent. exim4-base provides the support
files needed by all exim4 daemon packages. You need an additional package
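Review bot: libmail-spf-query-perl is only added to Suggests here, while the ACL block in 30_exim4-config_check_rcpt calls /usr/bin/spfquery by absolute path, so an admin who defines CHECK_RCPT_SPF without that package installed gets a check that cannot run. State the requirement in the comment above ".ifdef CHECK_RCPT_SPF" (and in README.Debian) so that enabling the macro and installing the package are documented together.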
diff -ur exim4-4.62.old/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt exim4-4.62/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt
--- exim4-4.62.old/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt 2006-07-14 21:19:12.000000000 +0200
+++ exim4-4.62/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt 2006-07-19 19:17:09.000000000 +0200
@@ -208,6 +208,25 @@
.endif
+ # Use spfquery to perform a pair of SPF checks (for details, see http://www.openspf.org/)
+ #
+ # This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not
+ # enable if this is an issue.
+ .ifdef CHECK_RCPT_SPF
+ deny
+ message = [SPF] $sender_host_address is not allowed to send mail from $sender_address_domain. \
+ Please see http://www.openspf.org/why.html?sender=$sender_address&ip=$sender_host_address
+ log_message = SPF check failed.
+ condition = ${run{/usr/bin/spfquery -ip=$sender_host_address -sender=$sender_address -helo=$sender_helo_name}{no}{${if eq {$runrc}{1}{yes}{no}}}}
+
+ warn
+ message = Received-SPF: ${if eq {$runrc}{0}{pass}{${if eq {$runrc}{1}{fail}{${if eq {$runrc}{2}{softfail}{${if eq {$runrc}{3}{neutral}{${if eq {$runrc}{4}{unknown}{${if eq {$runrc}{6}{none}{error}}}}}}}}}}}}
+
+ # Support for best-guess (see http://www.openspf.org/developers-guide.html)
+ warn
+ message = X-SPF-Guess: ${run{/usr/bin/spfquery -ip=$sender_host_address -sender=$sender_address -helo=$sender_helo_name -guess=true}{pass}{${if eq {$runrc}{1}{fail}{${if eq {$runrc}{2}{softfail}{${if eq {$runrc}{3}{neutral}{${if eq {$runrc}{4}{unknown}{${if eq {$runrc}{6}{none}{error}}}}}}}}}}}}
+ .endif
+
# Check against classic DNS "black" lists (DNSBLs) which list
# sender IP addresses
.ifdef CHECK_RCPT_IP_DNSBLS
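Review bot: In both ${run{/usr/bin/spfquery ...}} calls, $sender_address and $sender_helo_name are values supplied by the remote client and are placed on the command line without validation or quoting; check that they contain only the characters expected in an address and a host name before they reach spfquery, and decide explicitly what happens for the empty sender of a bounce, where "-sender=" gets no value. The first warn also relies on $runrc still holding the result of the deny's ${run}, which deserves a comment, and the "~6 lookups per mail" note should say per recipient, since this block sits in the RCPT ACL and runs spfquery twice each time.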
diff -ur exim4-4.62.old/debian/README.Debian.xml exim4-4.62/debian/README.Debian.xml
--- exim4-4.62.old/debian/README.Debian.xml 2006-07-14 21:19:12.000000000 +0200
+++ exim4-4.62/debian/README.Debian.xml 2006-07-19 16:45:15.000000000 +0200
@@ -1828,58 +1828,6 @@
</para>
</answer>
</qandaentry>
- <qandaentry>
- <question>
- <para>Why are you not supporting SPF?</para>
- </question>
- <answer>
- <para>
- exiscan 4.34-22 introduced support for the <ulink
- url="http://spf.pobox.com">Sender Policy Framework</ulink>?
- by means of a <command>spf</command> ACL condition. This
- functionality is currently not included in the official
- Debian packages.
- </para>
- <para>
- Rationale:
- <itemizedlist>
- <listitem>
- <simpara>
- IMHO, SPF has not reached the necessary amount of
- standardization and acceptance for inclusion in a
- Debian/stable release, it is still in flux.
- </simpara>
- </listitem>
- <listitem>
- <simpara>
- I do not want to drag in another library dependency.
- </simpara>
- </listitem>
- <listitem>
- <simpara>
- Checking with <ulink
- url="http://packages.debian.org/libmail-spf-query-perl">spfd</ulink>
- instead of exiscan's spf-condition offers the same
- functionality, AFAICT.
- </simpara>
- </listitem>
- <listitem>
- <simpara>
- SpamAssassin 3.0+ includes SPF support.
- </simpara>
- </listitem>
- <listitem>
- <simpara>
- I do not want to encourage SPF because I am not
- convinced of its benefits. (Discussion and links on
- benefits and downsides of SPF are not listed here
- intentionally.)
- </simpara>
- </listitem>
- </itemizedlist>
- </para>
- </answer>
- </qandaentry>
</qandaset>
</section>
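Review bot: Missing documentation: this hunk deletes the "Why are you not supporting SPF?" entry from README.Debian.xml and puts nothing in its place, so the new CHECK_RCPT_SPF template is described only by the comments in the ACL file. Replace the removed qandaentry with one that says SPF checking is available but disabled by default, how to define CHECK_RCPT_SPF, that libmail-spf-query-perl must be installed, and what the DNS lookup cost is.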