# SPF Auth test for Exim 4.xx
# Version 2.09 by david @ ols . es
#
# Features:
#
#    Full SPF support via spfd socket
#
# Warning:
#
#    Will use acl_m9, acl_m8, acl_m7
#
# Requires
#
#    Mail::SPF::Query ver 1.9.1
#
# Usage instructions:
#
# 1. copy this file to your /usr/local/exim
#
# 2. add this line to your exim configuration file after your
#    begin acl:
#
#    .include /usr/local/exim/spf.acl
#
# 3. Grab a copy of Mail::SPF::Query from
#    http://www.openspf.org/downloads.html and install it
#
# 4. Run spfd -path=/tmp/spfd as the same user as Exim runs
#
# 5. Now you can use the test on your RCPT/MAIL ACL this way:
#
#    deny    !acl        = spf_rcpt_acl
#
#    And on your DATA ACL:
#
#    deny    senders     = :
#            !acl        = spf_from_acl
#
#    now acl_m8 will hold 'pass','fail', 'unknown', ...
#    so you can take other decisions based on the result
#    like being more strict on some circumstances:
#
#    deny     senders     = :
#             condition   = ${if eq {$acl_m8}{softfail}{yes}{no}}
#             message     = Not authorized by SPF

spf_rcpt_acl:

    # Check envelope sender

    warn     set acl_m8  = $sender_address
    deny     !acl        = spf_check
    warn     message     = Received-SPF: $acl_m8 ($acl_m7)
    accept

spf_from_acl:

    # Check header From:

    warn     set acl_m8  = ${address:$h_from:}
    deny     !acl        = spf_check
    warn     message     = Received-SPF: $acl_m8 ($acl_m7)
    accept

spf_check:

    warn     set acl_m9  = ${readsocket{/tmp/spfd}\
                           {ip=$sender_host_address\n\
                           helo=${if def:sender_helo_name\
                           {$sender_helo_name}{NOHELO}}\
                           \nsender=$acl_m8\n\n}{20s}{\n}{socket failure}} 

    # Defer on socket error

    defer    condition   = ${if eq{$acl_m9}{socket failure}{yes}{no}}
             message     = Cannot connect to spfd

    # Prepare answer and get results

    warn     set acl_m9  = ${sg{$acl_m9}{\N=(.*)\n\N}{=\"\$1\" }}
             set acl_m8  = ${extract{result}{$acl_m9}{$value}{unknown}}
             set acl_m7  = ${extract{header_comment}{$acl_m9}{$value}{}}

    # Check for fail

    deny     condition   = ${if eq{$acl_m8}{fail}{yes}{no}}
             message     = ${extract{smtp_comment}{$acl_m9}{$value}{}}
             log_message = Not authorized by SPF

    accept