- condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\
- {yes}{no}}
- .endif
-
-
- # Use spfquery to perform a pair of SPF checks (for details, see
- # http://www.openspf.org/)
- #
- # This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not
- # enable if that's an issue. Also note that if you enable this, you must
- # install "libmail-spf-query-perl" which provides the spfquery command.
- # Missing libmail-spf-query-perl will trigger the "Unexpected error in
- # SPF check" warning.
- .ifdef CHECK_RCPT_SPF
- deny
- message = [SPF] $sender_host_address is not allowed to send mail from ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
- Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain {mfrom}{helo}};identity=${if def:sender_address_domain {$sender_address}{$sender_helo_name}};ip=$sender_host_address
- log_message = SPF check failed.
- !acl = acl_local_deny_exceptions
- condition = ${run{/usr/bin/spfquery --ip \"$sender_host_address\" --mail-from \"$sender_address\" --helo \"$sender_helo_name\"}\
- {no}{${if eq {$runrc}{1}{yes}{no}}}}
-
- defer
- message = Temporary DNS error while checking SPF record. Try again later.
- condition = ${if eq {$runrc}{5}{yes}{no}}
-
- warn
- message = Received-SPF: ${if eq {$runrc}{0}{pass}{${if eq {$runrc}{2}{softfail}\
- {${if eq {$runrc}{3}{neutral}{${if eq {$runrc}{4}{unknown}{${if eq {$runrc}{6}{none}{error}}}}}}}}}}
- condition = ${if <={$runrc}{6}{yes}{no}}
-
- warn
- log_message = Unexpected error in SPF check.
- condition = ${if >{$runrc}{6}{yes}{no}}
-
- # Support for best-guess (see http://www.openspf.org/developers-guide.html)
- warn
- message = X-SPF-Guess: ${run{/usr/bin/spfquery --ip \"$sender_host_address\" --mail-from \"$sender_address\" \ --helo \"$sender_helo_name\" --guess true}\
- {pass}{${if eq {$runrc}{2}{softfail}{${if eq {$runrc}{3}{neutral}{${if eq {$runrc}{4}{unknown}\
- {${if eq {$runrc}{6}{none}{error}}}}}}}}}}
- condition = ${if <={$runrc}{6}{yes}{no}}
-
- defer
- message = Temporary DNS error while checking SPF record. Try again later.
- condition = ${if eq {$runrc}{5}{yes}{no}}
- .endif
-
-
- # Check against classic DNS "black" lists (DNSBLs) which list
- # sender IP addresses
- .ifdef CHECK_RCPT_IP_DNSBLS
- warn
- message = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
- log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
- dnslists = CHECK_RCPT_IP_DNSBLS
- .endif
-
-
- # Check against DNSBLs which list sender domains, with an option to locally
- # whitelist certain domains that might be blacklisted.
- #
- # Note: If you define CHECK_RCPT_DOMAIN_DNSBLS, you must append
- # "/$sender_address_domain" after each domain. For example:
- # CHECK_RCPT_DOMAIN_DNSBLS = rhsbl.foo.org/$sender_address_domain \
- # : rhsbl.bar.org/$sender_address_domain
- .ifdef CHECK_RCPT_DOMAIN_DNSBLS
- warn
- message = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
- log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
- !senders = ${if exists{CONFDIR/local_domain_dnsbl_whitelist}\
- {CONFDIR/local_domain_dnsbl_whitelist}\
- {}}
- dnslists = CHECK_RCPT_DOMAIN_DNSBLS
- .endif
-
-
- # This hook allows you to hook in your own ACLs without having to
- # modify this file. If you do it like we suggest, you'll end up with
- # a small performance penalty since there is an additional file being
- # accessed. This doesn't happen if you leave the macro unset.
- .ifdef CHECK_RCPT_LOCAL_ACL_FILE
- .include CHECK_RCPT_LOCAL_ACL_FILE
- .endif
-
-
- #############################################################################
- # This check is commented out because it is recognized that not every
- # sysadmin will want to do it. If you enable it, the check performs
- # Client SMTP Authorization (csa) checks on the sending host. These checks
- # do DNS lookups for SRV records. The CSA proposal is currently (May 2005)
- # an Internet draft. You can, of course, add additional conditions to this
- # ACL statement to restrict the CSA checks to certain hosts only.
- #
- # require verify = csa
- #############################################################################
-
-
- # Accept if the address is in a domain for which we are an incoming relay,
- # but again, only if the recipient can be verified.
-
- accept
- domains = +relay_to_domains
- endpass
- verify = recipient
-