Steinar Bang
2010-Aug-11 20:51 UTC
[Pkg-exim4-users] Does sa-exim block the use of the SPF ACL?
Platform: debian stable "lenny"
 exim4 4.69-9
 exim4-base 4.69-9
 exim4-config 4.69-9
 exim4-daemon-heavy 4.69-9
 exim4-doc-info 4.69-1
 sa-exim 4.2.1-11
 spamassassin 3.2.5-2+lenny2
 libmail-spf-query-perl 1:1.999.1-3

I'm receiving spam sent to myself with myself as the forged sender. I tried stopping that by setting up SPF records saying that my MX is the only legal sender of mydomain.

But email still gets through. spamassassin/sa-exim lists SPF_SOFTFAIL as one of the reasons in the headers below. But I would like it to fail hard and immediately reject something that doesn't comply with the SPF records. Is that possible?

I also tried activating the SPF ACL in the debian exim4 config by putting
 CHECK_RCPT_SPF = yes
into /etc/exim4/conf.d/main/00_localmacros and then running
 dpkg-reconfigure exim4-config

But that hasn't had any effect that I can detect.

Does using sa-exim somehow block the rest of the exim4 ACL stuff?

Thanx!

- Steinar

What follows are the headers of a spam mail that got through. Mailbox name and domain name have been changed to protect the innocent:

Return-path: <myself at mydomain.no>
Envelope-to: myself at mydomain.no
Delivery-date: Wed, 11 Aug 2010 17:42:16 +0100
Received: from [189.12.193.134] (helo=advancedmicrosensors.com)
 by stoner.mydomain.no with smtp (Exim 4.69)
 (envelope-from <myself at mydomain.no>)
 id 1OjENa-0006Fp-3B
 for myself at mydomain.no; Wed, 11 Aug 2010 17:42:16 +0100
To: <myself at mydomain.no>
From: <myself at mydomain.no>
MIME-Version: 1.0
Importance: High
Content-Type: text/html
X-Host-Lookup-Failed: Reverse DNS lookup failed for 189.12.193.134 (failed)
X-SA-Exim-Connect-IP: 189.12.193.134
X-SA-Exim-Rcpt-To: too long (recipient list exceeded maximum allowed size of 8 bytes)
X-SA-Exim-Mail-From: myself at mydomain.no
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on stoner.mydomain.no
X-Spam-Level: **
X-Spam-Status: No, score=2.9 required=5.0 tests=HTML_MESSAGE,MIME_HTML_ONLY,
 MISSING_DATE,MISSING_MID,RCVD_IN_PBL,RDNS_NONE,SPF_SOFTFAIL autolearn=no
 version=3.2.5
Subject: vacancy #736
X-SA-Exim-Version: 4.2.1 (built Wed, 25 Jun 2008 17:20:07 +0000)
X-SA-Exim-Scanned: Yes (on stoner.mydomain.no)
Steinar Bang
2010-Aug-11 22:15 UTC
[Pkg-exim4-users] Does sa-exim block the use of the SPF ACL?
>>>>> Steinar Bang <sb at dod.no>:

> I also tried activating the SPF ACL in the debian exim4 config by
> putting
>  CHECK_RCPT_SPF = yes
> into /etc/exim4/conf.d/main/00_localmacros and then running
>  dpkg-reconfigure exim4-config

> But that hasn't had any effect that I can detect.

I do see lines like these (domain and IP fiddled with to protect the innocent) in /var/log/exim4/mainlog :
 2010-08-11 19:32:12 H=stoner.mydomain.no [256.45.67.108] Warning: Unexpected error in SPF check.

Hm... a google search gave me this one:
 http://www.tty1.net/blog/2007-06-09-fighting-spam-with-exim4_en.html

The exim config fragment says that this is caused by a missing libmail-spf-query-perl but I've installed it today.

Hm... from 22:26 I've started seeing messages like these
 490:2010-08-11 22:25:56 H=(mail2world.com) [187.57.239.42] F=<xduesue at mail2world.com> rejected RCPT <87irfdr8su.fsf at mydomain.no>: SPF check failed.

So I guess that SPF is now working. Only not for my own domain.

Which means that there is something wrong with my DNS SPF records...?
Andreas Metzler
2010-Aug-17 09:22 UTC
[Pkg-exim4-users] Does sa-exim block the use of the SPF ACL?
Steinar Bang <sb at dod.no> wrote:
[...]
> I'm receiving spam sent to myself with myself as the forged sender. I
> tried stopping that by setting up SPF records saying that my MX is the
> only legal sender of mydomain.
[...]
> What follows are the headers of a spam mail that got through. Mailbox
> name and domain name have been changed to protect the innocent:

> Return-path: <myself at mydomain.no>
> Envelope-to: myself at mydomain.no
[...]

This does not protect the innocent but makes reproducing the issue impossible.

cu and- neither dod.no nor mydomain.no publish SPF records. -reas
Steinar Bang
2010-Aug-17 10:16 UTC
[Pkg-exim4-users] Does sa-exim block the use of the SPF ACL?
>>>>> Steinar Bang <sb at dod.no>:

> So I guess that SPF is now working. Only not for my own domain.

> Which means that there is something wrong with my DNS SPF records...?

The answer is that I had set up the SPF for "softfail".

It was
 mydomain.no. 86400 IN TXT "v=spf1 mx ~all"
but is now
 mydomain.no. 86400 IN TXT "v=spf1 mx -all"

When creating the original record I just followed the wizard at "Deploying SPF" on http://www.openspf.org/ and pasted the results into the bind zone file. And a soft fail was what it created.

Later reading seems to indicate that there should be an SPF record type, rather than misusing the TXT record type. But I don't know if the BIND that publishes my zone file supports that.

So.. right now there are two handlers of SPF: exim itself and sa-exim/spamassassin. I guess sa-exim never sees it, since exim now rejects SPF failures...?

Are there downsides to letting exim4 handle SPF failures directly? Would I be better off letting sa-exim/spamassassin handle SPF failures?

Thanx!

- Steinar
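
The change from `~all` to `-all` described above, as an added example that is not part of the thread: a minimal SPF evaluator covering only the `mx`, `ip4`, `ip6` and `all` mechanisms. The MX address 192.0.2.25 is constructed, and `rejects_at_smtp` is an assumed policy (reject only on a hard fail), not the Debian exim4 ACL itself.

```python
import ipaddress

# RFC 7208 qualifier prefix -> SPF result when the mechanism matches
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Constructed sample: the MX address is from the documentation range;
MX_ADDRS = ["192.0.2.25"]
SPAM_IP = "189.12.193.134"  # client IP from the Received header in the thread

def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        if "=" in term:  # modifiers (redirect=, exp=) are not evaluated here
            continue
        qualifier = "+"  # a mechanism without a prefix means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed

def check_host(record, client_ip, mx_addresses):
    """Evaluate left to right; the first matching mechanism decides the result."""
    ip = ipaddress.ip_address(client_ip)
    for qualifier, name, arg in parse_spf(record):
        if name == "all":
            matched = True
        elif name == "mx":  # MX lookup replaced by a supplied address list
            matched = ip in {ipaddress.ip_address(a) for a in mx_addresses}
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        else:
            raise NotImplementedError(name)  # a, include, exists, ptr not covered
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched

def rejects_at_smtp(result):
    """Assumed receiver policy: reject only on a hard fail."""
    return result == "fail"

if __name__ == "__main__":
    for rec in ("v=spf1 mx ~all", "v=spf1 mx -all"):
        res = check_host(rec, SPAM_IP, MX_ADDRS)
        print(rec, "->", res, "| reject at SMTP:", rejects_at_smtp(res))
```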