On 25 September 2017 18:26:27 CEST, Hardy <b...@mailfass.de> wrote:
>On 25.09.2017 14:45, Heiko Schlittermann via Exim-users wrote:
>> Hi,
>>
>> Hardy <b...@mailfass.de> (Mo 25 Sep 2017 09:17:34 CEST):
>>> Hi,
>>>> and clearly does not include localhost. So passing messages from
>>>> localhost might be a feature of SPF in general or of the implementation
>>>> in Exim.
>>>
>>> I wouldn't think localhost is handled specially by SPF, but usually (in
>>> standard- and example configs) you have a very early rule ACCEPTing existing
>>> local users, before it does any "expensive" (netwise: DNS lookup etc.)
>>> actions. In this case your SPF is not even tested, which is the aim of this
>>> rule. You wouldn't want to greylist internal addresses either, would you?
>>
>> The debug output of my test session from localhost to localhost shows
>> that SPF was in use and gave 'pass' to localhost (with some note about
>> "localhost is always allowed")
>>
>> The string "localhost is always allowed." can be found in libspf2.a
>
>So this is wanted by exim! I did not check what SPF specs say about it,
>but this would mean, my local users CAN forge sender addresses?! Does
>this make sense?!

There are other acl conditions you can use to enforce the authenticated user being authorized to use the envelope sender or optionally the from/sender header. These would be with the generic condition modifier and expansions based on your local policy. They could be put in an smtp acl after mail or the non-smtp acl. If your policy is very simple then control = submission may be sufficient. SPF is not a very good way of controlling policy between an MUA and submission service.

>
>RFC
>Hardy
>
>--
>## List details at https://lists.exim.org/mailman/listinfo/exim-users
>## Exim details at http://www.exim.org/
>## Please use the Wiki with this list - http://wiki.exim.org/
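
The kind of ACL check the reply above describes, as an added example that is not part of the original thread or of any poster's configuration. It assumes the authenticator's server_set_id stores the user's full e-mail address in $authenticated_id; the ACL names acl_check_mail and acl_check_data are illustrative.

```exim
# Main configuration section: hook the two ACLs (names are illustrative).
acl_smtp_mail = acl_check_mail
acl_smtp_data = acl_check_data

begin acl

acl_check_mail:
  # Authenticated submission: the envelope sender must be the address
  # the client logged in as. Assumes $authenticated_id holds a full
  # address (set by server_set_id in the authenticator).
  deny
    message       = envelope sender not permitted for this login
    authenticated = *
    condition     = ${if !eqi{$sender_address}{$authenticated_id}}

  # Unauthenticated connections fall through to the usual checks
  # (SPF, relay control and so on) in the later ACLs.
  accept

acl_check_data:
  # Optional header check: the address in From: must also match.
  # ${address:...} yields an empty string for an unparsable header,
  # which never equals the login, so a malformed From: is refused.
  deny
    message       = From: header not permitted for this login
    authenticated = *
    condition     = ${if !eqi{${address:$h_from:}}{$authenticated_id}}

  accept
```

A policy that lets one login use several addresses would replace the eqi comparison with a lookup keyed on $authenticated_id, according to local policy.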