I agree SPF != Ident, but when I test SPF / libspf2 using the -bh command line option, I get nothing but '(permanent error) (7)' results.
I sent a real mail message from my gmail account. I see in my logs that SPF gives a 'pass'...

    2008-07-14 08:32:36 [25130] H=yx-out-1718.google.com [74.125.44.152]:32110 I=[198.147.246.55]:25 Warning: MAIL - Would not be blocked by SPF: (pass) ip=74.125.44.152, [EMAIL PROTECTED], helo=yx-out-1718.google.com

I try to fake out SPF using -bh with the same IP address and MAIL FROM address...

    /usr/local/exim/bin/exim -bh 74.125.44.152

    **** SMTP testing session as if from host 74.125.44.152
    **** but without any ident (RFC 1413) callback.
    **** This is not for real!

    >>> host in hosts_connection_nolog? no (option unset)
    LOG: [25854] SMTP connection from [74.125.44.152]
    >>> host in host_lookup? yes (matched "*")
    >>> looking up host name for 74.125.44.152
    >>> IP address lookup yielded yx-out-1718.google.com
    >>> gethostbyname looked up these IP addresses:
    >>>   name=yx-out-1718.google.com address=74.125.44.156
    >>>   name=yx-out-1718.google.com address=74.125.44.157
    >>>   name=yx-out-1718.google.com address=74.125.44.158
    >>>   name=yx-out-1718.google.com address=74.125.44.152
    >>>   name=yx-out-1718.google.com address=74.125.44.153
    >>>   name=yx-out-1718.google.com address=74.125.44.154
    >>>   name=yx-out-1718.google.com address=74.125.44.155
    >>> checking addresses for yx-out-1718.google.com
    >>>   74.125.44.156
    >>>   74.125.44.157
    >>>   74.125.44.158
    >>>   74.125.44.152 OK
    >>> host in host_reject_connection? no (end of list)
    >>> gethostbyname looked up these IP addresses:
    >>>   name=ymp.gov address=198.147.246.53
    >>> host in sender_unqualified_hosts? no (end of list)
    >>> gethostbyname looked up these IP addresses:
    >>>   name=ymp.gov address=198.147.246.53
    >>> host in recipient_unqualified_hosts? no (end of list)
    >>> host in helo_verify_hosts? no (option unset)
    >>> host in helo_try_verify_hosts? no (option unset)
    >>> host in helo_accept_junk_hosts? no (option unset)
    220 smtp3.ymp.gov ESMTP YMP MTA Mon, 14 Jul 2008 08:34:20 -0700
    MAIL FROM: [EMAIL PROTECTED]
    >>> using ACL "acl_check_mail"
    >>> processing "drop"
    >>> check !hosts = +relay_from_hosts
    >>> host in "aaa.bbb.ccc.ddd (I had to edit out this list of IP addresses for security reasons)"? no (end of list)
    >>> host in "+relay_from_hosts"? no (end of list)
    >>> check !hosts = /usr/local/homes/exim/spf_whitelisted-forwarders
    >>> host in "/usr/local/homes/exim/spf_whitelisted-forwarders"? no (end of list)
    >>> check !acl = spf_mail_acl
    >>> using ACL "spf_mail_acl"
    >>> processing "warn"
    >>> check !acl = spf_check
    >>> using ACL "spf_check"
    >>> processing "deny"
    >>> check spf = fail
    >>> SPF result is unknown (permanent error) (7)
    >>> deny: condition test failed
    >>> processing "accept"
    >>> accept: condition test succeeded

Perhaps some implementations of SPF work with this testing mode, but IMHO, it seems like libspf2 does not.

Dan

Please respond to [email protected]
Sent by: [EMAIL PROTECTED]
To: [email protected]
cc: (bcc: Dan Mitton/YD/RWDOE)
Subject: Re: [exim] Help to install exim with SPF
LSN: Not Relevant
User Filed as: Not a Record

[EMAIL PROTECTED] wrote:
> Ian,
>
> And your explanation is...?

Ident != SPF

An ident request requires the server at the real IP address you have provided on the -bh command line to be able to answer an active ident request. Since this is a test mode, the ident server will have no idea what you are talking about since that computer did not start the connection and as such has nothing to tell the testing computer.

SPF only requires a DNS lookup and the IP provided by the -bh command line and as such, works in this testing mode.

Full details are here:
-bh
http://docs.exim.org/current/spec_html/ch05.html#id479724

If you wish to test WITH ident, there is an option to provide the ident string that the server at the IP address would provide.

Full details are here:
-oMt
http://docs.exim.org/current/spec_html/ch05.html#id486736

Please note that I have given the anchors for the term above the one I'm aiming at so that you end up with the whole paragraph on the screen.

You can google the exim docs on the main page at http://www.exim.org/ or on the documentation page http://www.exim.org/docs.html

--
The Exim Manual
http://www.exim.org/docs.html
http://docs.exim.org/current/

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
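
Added example, not part of the original thread and not Exim or libspf2 code: a simplified RFC 7208 check_host() in Python showing that an SPF verdict, including a permerror, is computed from only the client IP, the MAIL FROM domain and TXT lookups, with no ident involved. The domains, records and the helper spf_for_session() are constructed for illustration, the DNS is an in-memory table, and the sketch does not diagnose the "(permanent error) (7)" seen in the session above.

```python
import ipaddress

# Constructed TXT records standing in for DNS (documentation address ranges).
DNS_TXT = {
    "example.org": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
    "_spf.example.net": ["v=spf1 ip4:198.51.100.0/25 ~all"],
    "broken.example": ["v=spf1 ipv4:203.0.113.7 -all"],  # misspelled mechanism
    "twice.example": ["v=spf1 -all", "v=spf1 +all"],     # two SPF records
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, depth=0):
    """Simplified RFC 7208 check_host(): ip4/ip6, include and all only."""
    if depth > 10:                       # guard against include loops
        return "permerror"
    records = [t for t in DNS_TXT.get(domain, [])
               if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "none"
    if len(records) > 1:                 # more than one SPF record
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if "=" in name:                  # modifiers (redirect=, exp=) not handled here
            continue
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_host(ip, arg, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
        elif name in ("a", "mx", "ptr", "exists"):
            raise NotImplementedError(name)  # valid, but outside this sketch
        else:
            return "permerror"           # unknown mechanism is a syntax error
    return "neutral"                     # no mechanism matched

def spf_for_session(client_ip, mail_from):
    """Inputs are only the client IP and the MAIL FROM domain; no ident."""
    return check_host(client_ip, mail_from.rpartition("@")[2])
```
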
