On Wed, Jul 19, 2006 at 07:24:34PM +0200, Robert Millan wrote:
> 
> Here's a new patch.

Actually, please use this one instead.  The former didn't authenticate mail from
"<>", where $sender_address is an empty string.

-- 
Robert Millan

My spam trap is [EMAIL PROTECTED]  Note: this address is only intended for
spam harvesters.  Writing to it will get you added to my black list.
diff -ur exim4-4.62.old/debian/control exim4-4.62/debian/control
--- exim4-4.62.old/debian/control       2006-07-14 21:19:12.000000000 +0200
+++ exim4-4.62/debian/control   2006-07-19 16:10:42.000000000 +0200
@@ -13,7 +13,7 @@
 Replaces: exim, exim-tls, exim4-daemon-light, exim4-daemon-heavy, 
exim4-daemon-custom
 Depends: ${shlibs:Depends}, cron (>=3.0pl1-42), ${misc:Depends}, exim4-config 
(>=4.30) | exim4-config-2, adduser, netbase
 Recommends: psmisc
-Suggests: mail-reader, eximon4, exim4-doc-html|exim4-doc-info, gnutls-bin
+Suggests: mail-reader, eximon4, exim4-doc-html|exim4-doc-info, gnutls-bin, 
libmail-spf-query-perl
 Description: support files for all exim MTA (v4) packages
  Exim (v4) is a mail transport agent. exim4-base provides the support
  files needed by all exim4 daemon packages. You need an additional package
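
Review bot: On the Suggests line, libmail-spf-query-perl is the only place the new requirement is recorded, and a Suggests entry is not installed by default, so an admin who defines CHECK_RCPT_SPF can end up with an ACL that calls /usr/bin/spfquery (presumably shipped by this package) on a system where it does not exist. Please state the package requirement in the comment above `.ifdef CHECK_RCPT_SPF` in the ACL file as well, and describe what the ACL does when the binary is missing.
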
diff -ur exim4-4.62.old/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt 
exim4-4.62/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt
--- exim4-4.62.old/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt 
2006-07-14 21:19:12.000000000 +0200
+++ exim4-4.62/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt     
2006-07-19 19:17:09.000000000 +0200
@@ -208,6 +208,25 @@
   .endif
 
 
+  # Use spfquery to perform a pair of SPF checks (for details, see 
http://www.openspf.org/)
+  #
+  # This is quite costly in terms of DNS lookups (~6 lookups per mail).  Do not
+  # enable if this is an issue.
+  .ifdef CHECK_RCPT_SPF
+  deny
+    message = [SPF] $sender_host_address is not allowed to send mail from 
$sender_address_domain.  \
+              Please see 
http://www.openspf.org/why.html?sender=$sender_address&ip=$sender_host_address
+    log_message = SPF check failed.
+    condition = ${run{/usr/bin/spfquery -ip=$sender_host_address 
-sender=<$sender_address> -helo=$sender_helo_name}{no}{${if eq 
{$runrc}{1}{yes}{no}}}}
+
+  warn
+    message = Received-SPF: ${if eq {$runrc}{0}{pass}{${if eq 
{$runrc}{1}{fail}{${if eq {$runrc}{2}{softfail}{${if eq 
{$runrc}{3}{neutral}{${if eq {$runrc}{4}{unknown}{${if eq 
{$runrc}{6}{none}{error}}}}}}}}}}}}
+
+  # Support for best-guess (see http://www.openspf.org/developers-guide.html)
+  warn
+    message = X-SPF-Guess: ${run{/usr/bin/spfquery -ip=$sender_host_address 
-sender=<$sender_address> -helo=$sender_helo_name -guess=true}{pass}{${if eq 
{$runrc}{1}{fail}{${if eq {$runrc}{2}{softfail}{${if eq 
{$runrc}{3}{neutral}{${if eq {$runrc}{4}{unknown}{${if eq 
{$runrc}{6}{none}{error}}}}}}}}}}}}
+  .endif
+
   # Check against classic DNS "black" lists (DNSBLs) which list
   # sender IP addresses
   .ifdef CHECK_RCPT_IP_DNSBLS
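
Review bot: In the `condition =` of the deny statement and in the X-SPF-Guess warn, $sender_address and $sender_helo_name come straight from the SMTP client and are expanded unquoted into the `${run{/usr/bin/spfquery ...}}` command line. Please confirm how ${run} splits arguments after expansion, and quote or sanity-check both values so that whitespace or quote characters in a HELO name or local part cannot add or alter spfquery options. Two smaller points: the Received-SPF warn relies on $runrc still holding the result of the ${run} in the preceding deny, which deserves a comment since reordering the statements would silently break it; and the best-guess warn runs spfquery a second time for each RCPT, adding to the DNS cost the comment already warns about, so it may be better behind its own macro.
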
diff -ur exim4-4.62.old/debian/README.Debian.xml 
exim4-4.62/debian/README.Debian.xml
--- exim4-4.62.old/debian/README.Debian.xml     2006-07-14 21:19:12.000000000 
+0200
+++ exim4-4.62/debian/README.Debian.xml 2006-07-19 16:45:15.000000000 +0200
@@ -1828,58 +1828,6 @@
          </para>
        </answer>
       </qandaentry>
-      <qandaentry>
-       <question>
-         <para>Why are you not supporting SPF?</para>
-       </question>
-       <answer>
-         <para>
-           exiscan 4.34-22 introduced support for the <ulink
-             url="http://spf.pobox.com";>Sender Policy Framework</ulink>? 
-           by means of a <command>spf</command> ACL condition. This
-           functionality is currently not included in the official
-           Debian packages.
-         </para>
-         <para>
-           Rationale:
-           <itemizedlist>
-             <listitem>
-               <simpara>
-                 IMHO, SPF has not reached the necessary amount of
-                 standardization and acceptance for inclusion in a
-                 Debian/stable release, it is still in flux.
-               </simpara>
-             </listitem>
-             <listitem>
-               <simpara>
-                 I do not want to drag in another library dependency.
-               </simpara>
-             </listitem>
-             <listitem>
-               <simpara>
-                 Checking with <ulink
-                   
url="http://packages.debian.org/libmail-spf-query-perl";>spfd</ulink>
-                 instead of exiscan's spf-condition offers the same
-                 functionality, AFAICT.
-               </simpara>
-             </listitem>
-             <listitem>
-               <simpara>
-                 SpamAssassin 3.0+ includes SPF support.
-               </simpara>
-             </listitem>
-             <listitem>
-               <simpara>
-                 I do not want to encourage SPF because I am not
-                 convinced of its benefits. (Discussion and links on
-                 benefits and downsides of SPF are not listed here
-                 intentionally.)
-               </simpara>
-             </listitem>
-           </itemizedlist>
-         </para>
-       </answer>
-      </qandaentry>
     </qandaset>
   </section>
 
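
Review bot: This hunk deletes the "Why are you not supporting SPF?" qandaentry but puts nothing in its place, so README.Debian.xml no longer mentions SPF at all even though the patch introduces CHECK_RCPT_SPF. Please replace the entry with a short one that documents the new macro, the need to install libmail-spf-query-perl, the DNS lookup cost noted in the ACL comment, and the meaning of the Received-SPF and X-SPF-Guess headers it adds.
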
