From: David Saez <david@ols.es>
Date: Wed, 30 Jul 2003 16:15:33 +0200

This is a first attempt to have a working SPF ( http://spf.pobox.com/ ) check
for Exim 4.xx that does not need patching Exim.


# SPF Auth test for Exim 4.xx
# Version 1.02 by david@ols.es
#
# Features:
#
# - SPF lookup with spfinclude recursion support
# - Received-SPF: header support
# - Null sender support
# - No multi spfinclude support
# - No IPv6 support
#
# Warning:
#
# Will use acl_m9 and acl_m8
#
# Usage instructions:
#
# 1. copy this file to your exim installation directory
#
# 2. add this line to your exim configuration file to allow
#    spf like dns names:
#
#    dns_check_names_pattern = \
#	(?i)^(?>(?(1)\.|())[^\W](?>[a-z0-9-_]*[^\W_])?)+$
#
# 3. add this line to your exim configuration file after your
#    begin acl:
#
#    .include spf.acl
#
# 4. Now you can use the test on your RCPT ACL this way:
#
#    deny    !acl        = spf_acl
#            message     = $sender_host_address is no allowed to send \
#                             mail for $sender_address_domain
#	     log_message = Not authorized by SPF
#

spf_acl:

  warn    !senders       = :
          set acl_m9     = $sender_address_domain

  warn    senders        = :
          set acl_m9     = $sender_helo_name

  deny    !acl           = spf_real_acl
  warn    message        = Received-SPF: $acl_m9
  accept

spf_real_acl:

  warn    set acl_m9     = ${extract{4}{.}{$sender_host_address}}.\
                           ${extract{3}{.}{$sender_host_address}}.\
                           ${extract{2}{.}{$sender_host_address}}.\
                           ${extract{1}{.}{$sender_host_address}}.\
                           in-addr._smtp_client.$acl_m9

  # SPF TXT lookup

  warn    set acl_m8     = ${lookup dnsdb{txt=$acl_m9}{$value}}

  # Split response

  warn    set acl_m8     = ${extract{1}{\n}{$acl_m8}}
          set acl_m9     = ${extract{2}{=}{$acl_m8}}
          set acl_m8     = ${extract{1}{=}{$acl_m8}}

  # spf=deny

  deny    condition      = ${if eq{$acl_m8}{spf}{yes}{no}}
          condition      = ${if eq{$acl_m9}{deny}{yes}{no}}

  # spf=allow

  accept  condition      = ${if eq{$acl_m8}{spf}{yes}{no}}
          condition      = ${if eq{$acl_m9}{allow}{yes}{no}}
          set acl_m9     = pass ($sender_host_name [$sender_host_address] \
			   is designated mailer for domain of sender \
			   $sender_address)

  # spf=softdeny

  accept  condition      = ${if eq{$acl_m8}{spf}{yes}{no}}
          condition      = ${if eq{$acl_m9}{softdeny}{yes}{no}}
          set acl_m9     = softfail ($sender_host_name [$sender_host_address] \
                           not a designated mailer for transitioning \
                           domain of sender $sender_address)

  # no SPF

  accept condition       = ${if eq{$acl_m8}{spfinclude}{no}{yes}}
         set acl_m9      = unknown (domain of sender $sender_address \
                           does not designate mailers)

  # spfinclude

  accept condition       = ${if match{$acl_m9}{:}{yes}{no}}
         set acl_m9      = pass (unsupported multiple spfinclude detected)

  accept acl             = spf_real_acl
  deny