Ted,

You are quite correct!! When I include the HELO response, I get the correct SPF result. It's always good to learn something new.

/usr/local/exim/bin/exim -bh 74.125.44.152.1234

**** SMTP testing session as if from host 74.125.44.152
**** but without any ident (RFC 1413) callback.
**** This is not for real!

>>> host in hosts_connection_nolog? no (option unset)
LOG: [12579] SMTP connection from [74.125.44.152]:1234
>>> host in host_lookup? yes (matched "*")
>>> looking up host name for 74.125.44.152
>>> IP address lookup yielded yx-out-1718.google.com
>>> gethostbyname looked up these IP addresses:
>>>   name=yx-out-1718.google.com address=74.125.44.152
>>>   name=yx-out-1718.google.com address=74.125.44.153
>>>   name=yx-out-1718.google.com address=74.125.44.154
>>>   name=yx-out-1718.google.com address=74.125.44.155
>>>   name=yx-out-1718.google.com address=74.125.44.156
>>>   name=yx-out-1718.google.com address=74.125.44.157
>>>   name=yx-out-1718.google.com address=74.125.44.158
>>> checking addresses for yx-out-1718.google.com
>>>   74.125.44.152 OK
>>> host in host_reject_connection? no (end of list)
>>> gethostbyname looked up these IP addresses:
>>>   name=ymp.gov address=198.147.246.53
>>> host in sender_unqualified_hosts? no (end of list)
>>> gethostbyname looked up these IP addresses:
>>>   name=ymp.gov address=198.147.246.53
>>> host in recipient_unqualified_hosts? no (end of list)
>>> host in helo_verify_hosts? no (option unset)
>>> host in helo_try_verify_hosts? no (option unset)
>>> host in helo_accept_junk_hosts? no (option unset)
220 smtp3.ymp.gov ESMTP YMP MTA Tue, 15 Jul 2008 07:42:05 -0700
HELO smtp3.ymp.gov
>>> using ACL "acl_check_helo"
>>> processing "accept"
>>> accept: condition test succeeded
250 smtp3.ymp.gov Hello yx-out-1718.google.com [74.125.44.152]
MAIL FROM: [EMAIL PROTECTED]
>>> using ACL "acl_check_mail"
>>> processing "drop"
>>> check !hosts = +relay_from_hosts
>>> host in "(removed for security reasons) : 127.0.0.1"? no (end of list)
>>> host in "+relay_from_hosts"? no (end of list)
>>> check !hosts = /usr/local/homes/exim/spf_whitelisted-forwarders
>>> host in "/usr/local/homes/exim/spf_whitelisted-forwarders"? no (end of list)
>>> check !acl = spf_mail_acl
>>> using ACL "spf_mail_acl"
>>> processing "warn"
>>> check !acl = spf_check
>>> using ACL "spf_check"
>>> processing "deny"
>>> check spf = fail
>>> SPF result is pass (2)
>>> deny: condition test failed
>>> processing "accept"
>>> accept: condition test succeeded

Please respond to [email protected]
Sent by: [EMAIL PROTECTED]
To: [email protected]
cc: (bcc: Dan Mitton/YD/RWDOE)
Subject: Re: [exim] Help to install exim with SPF
LSN: Not Relevant
User Filed as: Not a Record

[EMAIL PROTECTED] wrote:
> I agree SPF != Ident, but when I test SPF / libspf2 using the -bh command
> line option, I get nothing but '(permanent error) (7)' results.
>
> I sent a real mail message from my gmail account. I see in my logs that
> SPF gives a 'pass'...
>
> 2008-07-14 08:32:36 [25130] H=yx-out-1718.google.com [74.125.44.152]:32110
> I=[198.147.246.55]:25 Warning: MAIL - Would not be blocked by SPF: (pass)
> ip=74.125.44.152, [EMAIL PROTECTED],
> helo=yx-out-1718.google.com

Doing the same thing as you with libspf2-1.2.5 with the following ACL snippet in my RCPT ACL ..

  # Deny outright a plain as day failure. This should be whitelisted
  deny message        = ERRMSG_SPFFAIL
       hosts          = !+relay_from_hosts
       !authenticated = *
       spf            = fail
       continue       = ${readsocket{GLSOCK}{spffail \
                        $sender_host_address}{20s}{ }{SOCKETERROR}}

exim -bh 74.125.44.152
...
HELO yx-out-1718.google.com
...
MAIL FROM:<[EMAIL PROTECTED]>
...
RCPT TO:<[EMAIL PROTECTED]>
...
>>> processing "deny"
>>> check hosts = !+relay_from_hosts
>>> host in "!+relay_from_hosts"? yes (end of list)
>>> check !authenticated = *
>>> check spf = fail
>>> SPF result is pass (2)
>>> deny: condition test failed

Perhaps it is causing an error without the HELO/EHLO string. I can't test that easily right now.
It shouldn't need to be in the RCPT ACL either, the MAIL FROM one I think should be fine, but that's another thing to check.

--
The Exim Manual
http://www.exim.org/docs.html
http://docs.exim.org/current/

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
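
The thread's finding (SPF under "exim -bh" only gives the real result once HELO/EHLO has been sent) as an added example that is not part of either poster's message: a helper that builds a test dialogue with the greeting in place, and a check that flags a transcript in which SPF was evaluated before any greeting. The function names, the example.org addresses and both sample transcripts are constructed for illustration; the "(permanent error) (7)" line is written in the format of the "SPF result is pass (2)" line above.

```shell
# Added example; spf_dialogue and spf_audit are hypothetical helper names.
# Emit SMTP commands for "exim -bh", always greeting before MAIL FROM.
# $1 = HELO name, $2 = envelope sender, $3 = recipient
spf_dialogue() {
    printf 'HELO %s\nMAIL FROM:<%s>\nRCPT TO:<%s>\nQUIT\n' "$1" "$2" "$3"
}

# Read an "exim -bh" transcript on stdin and print "<spf result> helo=<yes|no>".
# helo=no: SPF was evaluated before any HELO/EHLO, the case in which the
# thread saw "(permanent error) (7)" instead of the real result.
spf_audit() {
    awk '
        # A typed HELO/EHLO command, or the 250 ... Hello reply from Exim
        /^(HELO|EHLO) / || /^250[- ].* Hello / { if (result == "") helo = 1 }
        /SPF result is / && result == "" {
            sub(/.*SPF result is /, ""); sub(/ \([0-9]+\).*/, "")
            result = $0
        }
        END {
            printf "%s helo=%s\n", (result == "" ? "none" : result), (helo ? "yes" : "no")
        }'
}

# Constructed sample: the pass case, trimmed from the session quoted above.
sample_with_helo() {
    cat <<'EOF'
HELO yx-out-1718.google.com
250 smtp3.ymp.gov Hello yx-out-1718.google.com [74.125.44.152]
MAIL FROM:<sender@example.org>
>>> check spf = fail
>>> SPF result is pass (2)
EOF
}

# Constructed sample: the same session with the greeting skipped.
sample_without_helo() {
    cat <<'EOF'
MAIL FROM:<sender@example.org>
>>> check spf = fail
>>> SPF result is (permanent error) (7)
EOF
}

sample_with_helo | spf_audit
sample_without_helo | spf_audit
# Live use (needs Exim; 2>&1 keeps debug lines in the pipe if they go to stderr):
#   spf_dialogue yx-out-1718.google.com sender@example.org rcpt@example.org \
#       | exim -bh 74.125.44.152 2>&1 | spf_audit
```

A "helo=no" line next to an error result points at the test dialogue, not at the SPF record or the ACL.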
