Bug#290464: [Pkg-exim4-devel] SPF

Robert Millan rmh at aybabtu.com
Thu Jul 20 13:22:50 UTC 2006


I just noticed you added me to the committer list in the SVN.  Given that I
resolved your style concerns with the previous patch, I'll assume this gives me
implicit permission to check it in (let me know if anything else needs tweaking
in that part).

As promised, I'll monitor pkg-exim4-maintainers, responding to queries about
SPF support, and provide a solution in case one of the changes introduced by me
was buggy or inadequate.

Thanks!

On Thu, Jul 20, 2006 at 08:40:45AM +0200, Robert Millan wrote:
> diff -ur exim4-4.62.old/debian/control exim4-4.62/debian/control
> --- exim4-4.62.old/debian/control	2006-07-14 21:19:12.000000000 +0200
> +++ exim4-4.62/debian/control	2006-07-19 16:10:42.000000000 +0200
> @@ -13,7 +13,7 @@
>  Replaces: exim, exim-tls, exim4-daemon-light, exim4-daemon-heavy, exim4-daemon-custom
>  Depends: ${shlibs:Depends}, cron (>=3.0pl1-42), ${misc:Depends}, exim4-config (>=4.30) | exim4-config-2, adduser, netbase
>  Recommends: psmisc
> -Suggests: mail-reader, eximon4, exim4-doc-html|exim4-doc-info, gnutls-bin
> +Suggests: mail-reader, eximon4, exim4-doc-html|exim4-doc-info, gnutls-bin, libmail-spf-query-perl
>  Description: support files for all exim MTA (v4) packages
>   Exim (v4) is a mail transport agent. exim4-base provides the support
>   files needed by all exim4 daemon packages. You need an additional package
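
Review bot: libmail-spf-query-perl is only added to the Suggests line here, so it is not installed by default, while the ACL change in this same patch calls /usr/bin/spfquery by absolute path as soon as CHECK_RCPT_SPF is defined. Please name the package in the comment above `.ifdef CHECK_RCPT_SPF` so an admin who sets the macro knows what to install, and check the behaviour when the binary is absent: as written, any return code other than 1 is accepted and the added header would read "error".
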
> diff -ur exim4-4.62.old/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt exim4-4.62/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt
> --- exim4-4.62.old/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt	2006-07-14 21:19:12.000000000 +0200
> +++ exim4-4.62/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt	2006-07-19 19:17:09.000000000 +0200
> @@ -208,6 +208,25 @@
>    .endif
>  
>  
> +  # Use spfquery to perform a pair of SPF checks (for details, see http://www.openspf.org/)
> +  #
> +  # This is quite costly in terms of DNS lookups (~6 lookups per mail).  Do not
> +  # enable if this is an issue.
> +  .ifdef CHECK_RCPT_SPF
> +  deny
> +    message = [SPF] $sender_host_address is not allowed to send mail from $sender_address_domain.  \
> +              Please see http://www.openspf.org/why.html?sender=$sender_address&ip=$sender_host_address
> +    log_message = SPF check failed.
> +    condition = ${run{/usr/bin/spfquery -ip=$sender_host_address -sender=<$sender_address> -helo=$sender_helo_name}{no}{${if eq {$runrc}{1}{yes}{no}}}}
> +
> +  warn
> +    message = Received-SPF: ${if eq {$runrc}{0}{pass}{${if eq {$runrc}{1}{fail}{${if eq {$runrc}{2}{softfail}{${if eq {$runrc}{3}{neutral}{${if eq {$runrc}{4}{unknown}{${if eq {$runrc}{6}{none}{error}}}}}}}}}}}}
> +
> +  # Support for best-guess (see http://www.openspf.org/developers-guide.html)
> +  warn
> +    message = X-SPF-Guess: ${run{/usr/bin/spfquery -ip=$sender_host_address -sender=<$sender_address> -helo=$sender_helo_name -guess=true}{pass}{${if eq {$runrc}{1}{fail}{${if eq {$runrc}{2}{softfail}{${if eq {$runrc}{3}{neutral}{${if eq {$runrc}{4}{unknown}{${if eq {$runrc}{6}{none}{error}}}}}}}}}}}}
> +  .endif
> +
>    # Check against classic DNS "black" lists (DNSBLs) which list
>    # sender IP addresses
>    .ifdef CHECK_RCPT_IP_DNSBLS
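
Review bot: in the `condition = ${run{/usr/bin/spfquery ...}}` line and again in the `-guess=true` line, $sender_address and $sender_helo_name are values chosen by the connecting client and are placed directly into the command string. Please confirm how ${run} splits that string into arguments and make sure a HELO name or local part containing whitespace or a leading dash cannot add or change spfquery options; validating both values before the call would settle it. It is also worth skipping the check when $sender_address is empty, since bounces would otherwise be queried as `-sender=<>`, and the comment's "~6 lookups per mail" should say per recipient, given that this file is the check_rcpt ACL and runs spfquery twice each time.
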
> diff -ur exim4-4.62.old/debian/README.Debian.xml exim4-4.62/debian/README.Debian.xml
> --- exim4-4.62.old/debian/README.Debian.xml	2006-07-14 21:19:12.000000000 +0200
> +++ exim4-4.62/debian/README.Debian.xml	2006-07-19 16:45:15.000000000 +0200
> @@ -1828,58 +1828,6 @@
>  	  </para>
>  	</answer>
>        </qandaentry>
> -      <qandaentry>
> -	<question>
> -	  <para>Why are you not supporting SPF?</para>
> -	</question>
> -	<answer>
> -	  <para>
> -	    exiscan 4.34-22 introduced support for the <ulink
> -	      url="http://spf.pobox.com">Sender Policy Framework</ulink>? 
> -	    by means of a <command>spf</command> ACL condition. This
> -	    functionality is currently not included in the official
> -	    Debian packages.
> -	  </para>
> -	  <para>
> -	    Rationale:
> -	    <itemizedlist>
> -	      <listitem>
> -		<simpara>
> -		  IMHO, SPF has not reached the necessary amount of
> -		  standardization and acceptance for inclusion in a
> -		  Debian/stable release, it is still in flux.
> -		</simpara>
> -	      </listitem>
> -	      <listitem>
> -		<simpara>
> -		  I do not want to drag in another library dependency.
> -		</simpara>
> -	      </listitem>
> -	      <listitem>
> -		<simpara>
> -		  Checking with <ulink
> -		    url="http://packages.debian.org/libmail-spf-query-perl">spfd</ulink>
> -		  instead of exiscan's spf-condition offers the same
> -		  functionality, AFAICT.
> -		</simpara>
> -	      </listitem>
> -	      <listitem>
> -		<simpara>
> -		  SpamAssassin 3.0+ includes SPF support.
> -		</simpara>
> -	      </listitem>
> -	      <listitem>
> -		<simpara>
> -		  I do not want to encourage SPF because I am not
> -		  convinced of its benefits. (Discussion and links on
> -		  benefits and downsides of SPF are not listed here
> -		  intentionally.)
> -		</simpara>
> -	      </listitem>
> -	    </itemizedlist>
> -	  </para>
> -	</answer>
> -      </qandaentry>
>      </qandaset>
>    </section>
>  
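
Review bot: this hunk deletes the whole "Why are you not supporting SPF?" entry from README.Debian.xml and puts nothing in its place, so the new CHECK_RCPT_SPF macro ends up documented only by the comment in the ACL file. Please replace the entry with a short one that says how to enable the check, that it needs libmail-spf-query-perl, that only a "fail" result is rejected while the other results are recorded in Received-SPF, and that it costs extra DNS lookups.
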

-- 
Robert Millan

My spam trap is honeypot at aybabtu.com.  Note: this address is only intended for
spam harvesters.  Writing to it will get you added to my black list.



