Patches no longer maintained.
The central Exim code now supports libspf-alt as such I don't really maintain this code base, and HIGHLY recommend that you use the main Exim builds. To use the central SPF support, you only need to enable EXPERIMENTAL_SPF (and probably EXPERIMENTAL_SRS) at build time.
For examples of this the ATRPMS Exim build comes with SPF enabled. http://atrpms.net/dist/fc5/exim/
SPF and SRS, a quick overview
Mail Authentication Through Records In DNS (MARID) was an IETF working group looking into methods for reducing forgery of email headers. SPF was one of the options being looked into.
SPF has two meanings, Sender Policy Framework, and Sender Permitted From. The first describes the structure of the record. The second, what it is used for. SPF records are published in the DNS for the domain they refer to. Currently they are published as DNS TXT records, in future they may have a record type of their own. The SPF record states to the outside world which mail servers are authorized to send email on behalf of that domain. More information on the format of SPF records can be found at http://spf.pobox.com/. SPF support within Exim means that, through ACLs, you are able to check to see if an email has come from a server authorized to send email on behalf of that domain. If not you can reject the email, or tag it and deal with the failure in your spam filters.
The biggest problem with SPF is the some people use forwarding accounts so email from an SPF protected domain is forwarded through a server which is not authorized to send email from our original domain, so if the ISP implements SPF on account to which the email was forwarded, then this legitimate email is seen as invalid and may be incorrectly rejected. Sender Rewriting Scheme (SRS) is a method for rewriting the from address so that it comes from a domain which the mail server IS authorised to send mail on behalf of. This is done using a cryptographic hash to prevent forging of rewritten addresses. More information on the complexities of SRS can be found at http://www.libsrs2.org.
Exim SPF and SRS support
If you've made it to this page then chances are that you know what SRS and SPF are, in which case the thing you're going to be most interested in is what you need to get them working through Exim with my patches, you need Exim version 4.43, libsrs2 version 1.0.17 and libspf2 version 1.0.4. The patches *may* work with other versions, however, the development versions of the SPF2 library include a revised API, as such I can't be certain that the code will work for future versions. If you have versions later than these and are experiencing problems, there are two places you can go for help, there is an RT based tracking system, you caN open a new ticket by emailing a report to email@example.com. Alternatively, you can email me at firstname.lastname@example.org and I will endevour to be of assistance.
Exim combined SPF and SRS support
As of patch set "nslm-4" I no longer maintain seperate SPF and SRS patches, however, all code specific to SPF or SRS in the patches can be disabled by not including the SUPPORT_SPF or SUPPORT_SRS macros in Local/Makefile .
If you specifically want me to maintain patches seperately I will do so if it is requested. Email me at email@example.com and I will begin maintaning them again, however, my logs show that people are only downloading the combined patches anyway.
the current patch file ( patches/exim-4.43-nslm-5.patch )
Exim SPF support
To enable the SPF support you need to uncomment SUPPORT_SPF in Local/Makefile at build time, as well as adding -lspf2 to EXTRALIBS.
This patch adds support for an spf acl. The values for the result being, pass, neutral, softfail, fail, none (For when there is no SPF record), error (For when there is an error parsing the SPF record), and unknown (Which should not occur, but means that an unknown, and uncaught error occured while processing the SPF record). It is possible to pass the ACL multiple values at once by delimiting them using a colon, ':'.
There is also support for a "default explaination", spf_default_explaination, setting the libspf2 debug level, spf_debug_level, and a local SPF record which is inserted into all SPF records parsed, spf_local_record.
Older versions of the patch purely reject SPF Fails.
Exim SRS support
To enable the SRS support you need to uncomment SUPPORT_SRS in Local/Makefile at build time, as well as adding -lsrs2 to EXTRALIBS.
Once enabled an srs keyword becomes available in the routers. If set to forward, forward SRS will be applied to the MAIL FROM address. If set to reverse, then reverse SRS will be applied to the MAIL FROM address.
- Bug fixes, with many thanks to Wolfgang Breyha
- Now compiles under gcc 2.96
- No longer segfaults if sender_host_address is null
- Verify now works properly again
- Handles non-rewritting of reverse path messages properly
- SPF keywords can now be entered as a ':' seperated list in ACLs
- Minor updates to the patch for Exim version 4.43
- SRS rewriting now done properly
- SPF control keywords added to the ACLS
- Forced SRS rewriting when going through the redirect router
- Forced SPF bounces on Fail
- Basic support for Exim version 4.34
Help and information
- LibSPF2.org - the home of the library these patches use to implement SPF checking.
- LibSRS2.org - the home of the library these patches use to implement SRS mail from rewriting.
- SPF.POBox.com - the home of SPF.
Mailing lists :
- http://spf.pobox.com/mailinglist.html - SPF-Discuss, SPF-Help, SPF-announce, SPF-devel, SPF-deployment, SRS-Discuss.
- http://duncanthrax.net/exiscan-acl/ - The home of Exiscan which, among other things, now has support for SPF.