Hmm… Remember that the domain might have multiple TXT records: as do we for york.ac.uk. In which case the values of all of the records are returned as the value of the *dnsdb* lookup, separated with newlines by default.
At most one of which will be the SPF record, so you want to make sure the "+all" is within the same record value as the initial "v=spf1" that identifies it as being SPF data. You also want to guard against other strings such as "[email protected]" and so on.

So you probably want a more clever *match* pattern to make sure that you're only looking for "+all" within an SPF value. Something like this *might* be along the right lines:

    ^ *v=spf1 (.* )?\+all( .*)?$

But there's probably a better pattern (and I'm not sure whether "$" matches an embedded newline as well as the end of string, or only the end of the string itself; you want the former) or way of checking.

Also, for safety shouldn't the value of *$sender_address_domain* be quoted before being used within *dnsdb*? As in

    ${lookup dnsdb{txt=${quote_dnsdb:$sender_address_domain}}{$value}}

Cheers,
Mike B-)

On 1 July 2016 at 15:03, James Gibbard <[email protected]> wrote:
> Untested, but you should be able to do something like this perhaps?
>
>
> # set acl variable to result of SPF lookup.
> spf_test:
>   warn set acl_m_spfrec = ${lookup dnsdb{txt=$sender_address_domain}{$value}}
>
>   # deny if result is +all
>   deny condition = ${if match {$acl_m_spfrec}{\\+all}}
>        message = Invalid SPF record detected.
>        log_message = SPF denied due to +all presence.
>
> I don't use spfquery myself, but I'd assume there is not a way to do
> this with that.
>
> Jamie
>
> On Fri, Jul 1, 2016 at 1:30 PM, Cyborg <[email protected]> wrote:
> > Hi,
> >
> > as I'm implementing SPF Checks atm, I came across this log entry from
> > google:
> >
> > 2016-06-29 14:21:07 1bIEUB-0002yU-TK SMTP error from remote mail server
> > after end of data: 421-4.7.0 [XXXXXXX] The SPF record of the sending
> > domain has one or\n421-4.7.0 more suspicious entries. To protect our
> > users from spam, mail sent\n421-4.7.0 from your IP address has been
> > temporarily rate limited. Please visit\n421-4.7.0
> > https://support.google.com/mail/answer/81126#authentication for
> > more\n421 4.7.0 information. 78si4520019iol.86 - gsmtp
> >
> > The SPF Record looks like this: "v=spf1 +all"
> >
> > Which means roughly: "I don't care about my EMailservers, I like to be
> > spammed with my own domain."
> >
> >
> > Problem is, with my current spfquery check, this SPF would be considered
> > valid, which is it, it's just not very useful at all.
> >
> > I like to react like google in this special case, because that entry is
> > nonsense, you also could remove it from your DNS and nobody would notice.
> >
> > Does anyone have an exim rule / idea to check for it, before running the
> > spfquery at all?
> >
> > best regards,
> > Marius
> >
> > --
> > ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> > ## Exim details at http://www.exim.org/
> > ## Please use the Wiki with this list - http://wiki.exim.org/
>

--
Systems Administrator & Change Manager
IT Services, University of York, Heslington, York YO10 5DD, UK
Tel: +44-(0)1904-323811
Web: www.york.ac.uk/it-services
Disclaimer: www.york.ac.uk/docs/disclaimer/email.htm
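
The check discussed in this thread, as an added Python example that is not code from any of the posters or from Exim: it compares the plain `\+all` match with a per-record check over the newline-separated TXT value. The function names and the sample TXT data are assumptions constructed for illustration; it also treats a bare `all` as a pass, since RFC 7208 makes `+` the default qualifier.

```python
import re

# An "all" mechanism with an optional qualifier; SPF terms are case-insensitive.
ALL_TERM = re.compile(r"^([+\-~?]?)all$", re.IGNORECASE)

# Constructed sample: several TXT records joined with newlines, as the
# thread says a dnsdb TXT lookup returns them by default.
SAMPLE_TXT = "\n".join([
    "site-verification=constructed-token",
    "contact=postmaster+all@example.org",      # has "+all" but is not SPF
    "v=spf1 include:_spf.example.org +all",
])


def naive_match(txt_value):
    """The plain substring-style test: fires on '+all' anywhere in the value."""
    return re.search(r"\+all", txt_value) is not None


def spf_term_lists(txt_value):
    """Yield the terms of each TXT record that starts with v=spf1."""
    for record in txt_value.split("\n"):
        terms = record.strip().strip('"').split()
        if terms and terms[0].lower() == "v=spf1":
            yield terms[1:]


def all_qualifier(terms):
    """Qualifier of the first 'all' term ('+' when omitted), or None.

    Terms after the first 'all' are never reached during evaluation,
    so only the first one matters.
    """
    for term in terms:
        m = ALL_TERM.match(term)
        if m:
            return m.group(1) or "+"
    return None


def has_pass_all(txt_value):
    """True only if an SPF record's 'all' mechanism has the pass qualifier."""
    return any(all_qualifier(t) == "+" for t in spf_term_lists(txt_value))


if __name__ == "__main__":
    print("naive:", naive_match(SAMPLE_TXT), "per-record:", has_pass_all(SAMPLE_TXT))
```
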
