SPF: promote from Experimental to mainline status

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index f247e9ab86a68f92cad47d06579da54745680029..844178fcacf07889f1bff5f1cc75d92cbda7a16e 100644 (file)
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -11661,7 +11661,7 @@ The name of the main configuration file Exim is using.
 
 .vitem &$dkim_verify_status$& &&&
 Results of DKIM verification.
 
 .vitem &$dkim_verify_status$& &&&
 Results of DKIM verification.

-For details see chapter &<<CHAPdkim>>&.
+For details see section &<<SECDKIMVFY>>&.

 
 .vitem &$dkim_cur_signer$& &&&
        &$dkim_verify_reason$& &&&
 
 .vitem &$dkim_cur_signer$& &&&
        &$dkim_verify_reason$& &&&


@@ -11683,13 +11683,13 @@ For details see chapter &<<CHAPdkim>>&.
        &$dkim_key_notes$& &&&
        &$dkim_key_length$&
 These variables are only available within the DKIM ACL.
        &$dkim_key_notes$& &&&
        &$dkim_key_length$&
 These variables are only available within the DKIM ACL.

-For details see chapter &<<CHAPdkim>>&.
+For details see section &<<SECDKIMVFY>>&.

 
 .vitem &$dkim_signers$&
 .vindex &$dkim_signers$&
 When a message has been received this variable contains
 a colon-separated list of signer domains and identities for the message.
 
 .vitem &$dkim_signers$&
 .vindex &$dkim_signers$&
 When a message has been received this variable contains
 a colon-separated list of signer domains and identities for the message.

-For details see chapter &<<CHAPdkim>>&.
+For details see section &<<SECDKIMVFY>>&.

 
 .vitem &$dnslist_domain$& &&&
        &$dnslist_matched$& &&&
 
 .vitem &$dnslist_domain$& &&&
        &$dnslist_matched$& &&&


@@ -12833,6 +12833,14 @@ A number of variables whose names start with &$spam$& are available when Exim
 is compiled with the content-scanning extension. For details, see section
 &<<SECTscanspamass>>&.
 
 is compiled with the content-scanning extension. For details, see section
 &<<SECTscanspamass>>&.
 

+.new
+.vitem &$spf_header_comment$& &&&
+       &$spf_received$& &&&
+       &$spf_result$& &&&
+       &$spf_smtp_comment$&
+These variables are only available if Exim is built with SPF support.
+For details see section &<<SECSPF>>&.
+.wen

 
 .vitem &$spool_directory$&
 .vindex "&$spool_directory$&"
 
 .vitem &$spool_directory$&
 .vindex "&$spool_directory$&"


@@ -14086,7 +14094,7 @@ acknowledgment is sent. See chapter &<<CHAPACL>>& for further details.
 This option defines the ACL that is run for each DKIM signature
 (by default, or as specified in the dkim_verify_signers option)
 of a received message.
 This option defines the ACL that is run for each DKIM signature
 (by default, or as specified in the dkim_verify_signers option)
 of a received message.

-See chapter &<<CHAPdkim>>& for further details.
+See section &<<SECDKIMVFY>>& for further details.

 
 .option acl_smtp_etrn main string&!! unset
 .cindex "ETRN" "ACL for"
 
 .option acl_smtp_etrn main string&!! unset
 .cindex "ETRN" "ACL for"


@@ -14619,7 +14627,7 @@ to handle IPv6 literal addresses.
 This option gives a list of DKIM domains for which the DKIM ACL is run.
 It is expanded after the message is received; by default it runs
 the ACL once for each signature in the message.
 This option gives a list of DKIM domains for which the DKIM ACL is run.
 It is expanded after the message is received; by default it runs
 the ACL once for each signature in the message.

-See chapter &<<CHAPdkim>>&.
+See section &<<SECDKIMVFY>>&.

 
 
 .option dns_again_means_nonexist main "domain list&!!" unset
 
 
 .option dns_again_means_nonexist main "domain list&!!" unset


@@ -16804,17 +16812,21 @@ response to EHLO only to those client hosts that match this option. See
 chapter &<<CHAPi18n>>& for details of Exim's support for internationalisation.
 
 
 chapter &<<CHAPi18n>>& for details of Exim's support for internationalisation.
 
 

-.option spamd_address main string "see below"
+.option spamd_address main string "127.0.0.1 783"

 This option is available when Exim is compiled with the content-scanning
 extension. It specifies how Exim connects to SpamAssassin's &%spamd%& daemon.
 This option is available when Exim is compiled with the content-scanning
 extension. It specifies how Exim connects to SpamAssassin's &%spamd%& daemon.

-The default value is
-.code
-127.0.0.1 783
-.endd

 See section &<<SECTscanspamass>>& for more details.
 
 
 
 See section &<<SECTscanspamass>>& for more details.
 
 
 

+.new
+.option spf_guess main string "v=spf1 a/24 mx/24 ptr ?all"
+This option is available when Exim is compiled with SPF support.
+See section &<<SECSPF>>& for more details.
+.wen
+
+
+

 .option split_spool_directory main boolean false
 .cindex "multiple spool directories"
 .cindex "spool directory" "split"
 .option split_spool_directory main boolean false
 .cindex "multiple spool directories"
 .cindex "spool directory" "split"


@@ -28115,7 +28127,7 @@ otherwise specified, the default action is to accept.
 
 This ACL is evaluated before &%acl_smtp_mime%& and &%acl_smtp_data%&.
 
 
 This ACL is evaluated before &%acl_smtp_mime%& and &%acl_smtp_data%&.
 

-For details on the operation of DKIM, see chapter &<<CHAPdkim>>&.
+For details on the operation of DKIM, see section &<<SECDKIM>>&.

 
 
 .section "The SMTP MIME ACL" "SECID194"
 
 
 .section "The SMTP MIME ACL" "SECID194"


@@ -29181,7 +29193,7 @@ contexts):
 .cindex "disable DKIM verify"
 .cindex "DKIM" "disable verify"
 This control turns off DKIM verification processing entirely.  For details on
 .cindex "disable DKIM verify"
 .cindex "DKIM" "disable verify"
 This control turns off DKIM verification processing entirely.  For details on

-the operation and configuration of DKIM, see chapter &<<CHAPdkim>>&.
+the operation and configuration of DKIM, see section &<<SECDKIM>>&.

 
 
 .vitem &*control&~=&~dscp/*&<&'value'&>
 
 
 .vitem &*control&~=&~dscp/*&<&'value'&>


@@ -38483,15 +38495,23 @@ There is no dot-stuffing (and no dot-termination).
 . ////////////////////////////////////////////////////////////////////////////
 . ////////////////////////////////////////////////////////////////////////////
 
 . ////////////////////////////////////////////////////////////////////////////
 . ////////////////////////////////////////////////////////////////////////////
 

-.chapter "Support for DKIM (DomainKeys Identified Mail)" "CHAPdkim" &&&
-         "DKIM Support"
+.chapter "DKIM and SPF" "CHAPdkim" &&&
+         "DKIM and SPF Support"

 .cindex "DKIM"
 
 .cindex "DKIM"
 

+.section "DKIM (DomainKeys Identified Mail)" SECDKIM
+

 DKIM is a mechanism by which messages sent by some entity can be provably
 linked to a domain which that entity controls.  It permits reputation to
 be tracked on a per-domain basis, rather than merely upon source IP address.
 DKIM is documented in RFC 4871.
 
 DKIM is a mechanism by which messages sent by some entity can be provably
 linked to a domain which that entity controls.  It permits reputation to
 be tracked on a per-domain basis, rather than merely upon source IP address.
 DKIM is documented in RFC 4871.
 

+.new
+As DKIM relies on the message being unchanged in transit, messages handled
+by a mailing-list (which traditionally adds to the message) will not match
+any original DKIM signature.
+.wen
+

 DKIM support is compiled into Exim by default if TLS support is present.
 It can be disabled by setting DISABLE_DKIM=yes in &_Local/Makefile_&.
 
 DKIM support is compiled into Exim by default if TLS support is present.
 It can be disabled by setting DISABLE_DKIM=yes in &_Local/Makefile_&.
 


@@ -38612,7 +38632,7 @@ will be signed, and one signtature added for a missing header with the
 name will be appended.
 
 
 name will be appended.
 
 

-.section "Verifying DKIM signatures in incoming mail" "SECID514"
+.section "Verifying DKIM signatures in incoming mail" "SECDKIMVFY"

 .cindex "DKIM" "verification"
 
 Verification of DKIM signatures in SMTP incoming email is implemented via the
 .cindex "DKIM" "verification"
 
 Verification of DKIM signatures in SMTP incoming email is implemented via the


@@ -38829,6 +38849,178 @@ see the documentation of the &%$dkim_verify_status%& expansion variable above
 for more information of what they mean.
 .endlist
 
 for more information of what they mean.
 .endlist
 

+
+
+
+.new
+.section "SPF (Sender Policy Framework)" SECSPF
+.cindex SPF verification
+
+SPF is a mechanism whereby a domain may assert which IP addresses may transmit
+messages with its domain in the envelope from, documented by RFC 7208.
+For more information on SPF see &url(http://www.openspf.org).
+
+Messages sent by a system not authorised will fail checking of such assertions.
+This includes retransmissions done by traditional forwarders.
+
+SPF verification support is built into Exim if SUPPORT_SPF=yes is set in
+&_Local/Makefile_&.  The support uses the &_libspf2_& library
+&url(http://www.libspf2.org/).
+There is no Exim involvement on the trasmission of messages; publishing certain
+DNS records is all that is required.
+
+For verification, an ACL condition and an expansion lookup are provided.
+
+.cindex SPF "ACL condition"
+.cindex ACL "spf condition"
+The ACL condition "spf" can be used at or after the MAIL ACL.
+It takes as an argument a list of strings giving the outcome of the SPF check,
+and will succeed for any matching outcome.
+Valid strings are:
+.vlist
+.vitem &%pass%&
+The SPF check passed, the sending host is positively verified by SPF.
+
+.vitem &%fail%&
+The SPF check failed, the sending host is NOT allowed to send mail for the
+domain in the envelope-from address.
+
+.vitem &%softfail%&
+The SPF check failed, but the queried domain can't absolutely confirm that this
+is a forgery.
+
+.vitem &%none%&
+The queried domain does not publish SPF records.
+
+.vitem &%neutral%&
+The SPF check returned a "neutral" state.  This means the queried domain has
+published a SPF record, but wants to allow outside servers to send mail under
+its domain as well.  This should be treated like "none".
+
+.vitem &%permerror%&
+This indicates a syntax error in the SPF record of the queried domain.
+You may deny messages when this occurs. (Changed in 4.83)
+
+.vitem &%temperror%&
+This indicates a temporary error during all processing, including Exim's
+SPF processing.  You may defer messages when this occurs.
+(Changed in 4.83)
+
+.vitem &%err_temp%&
+Same as permerror, deprecated in 4.83, will be removed in a future release.
+
+.vitem &%err_perm%&
+Same as temperror, deprecated in 4.83, will be removed in a future release.
+.endlist
+
+You can prefix each string with an exclamation mark to  invert
+its meaning,  for example  "!fail" will  match all  results but
+"fail".  The  string  list is  evaluated  left-to-right,  in a
+short-circuit fashion.
+
+Example:
+.code
+deny spf = fail
+     message = $sender_host_address is not allowed to send mail from \
+               ${if def:sender_address_domain \
+                    {$sender_address_domain}{$sender_helo_name}}.  \
+               Please see http://www.openspf.org/Why?scope=\
+               ${if def:sender_address_domain {mfrom}{helo}};\
+               identity=${if def:sender_address_domain \
+                             {$sender_address}{$sender_helo_name}};\
+               ip=$sender_host_address
+.endd
+
+When the spf condition has run, it sets up several expansion
+variables:
+
+.cindex SPF "verification variables"
+.vlist
+.vitem &$spf_header_comment$&
+.vindex &$spf_header_comment$&
+  This contains a human-readable string describing the outcome
+  of the SPF check. You can add it to a custom header or use
+  it for logging purposes.
+
+.vitem &$spf_received$&
+.vindex &$spf_received$&
+  This contains a complete Received-SPF: header that can be
+  added to the message. Please note that according to the SPF
+  draft, this header must be added at the top of the header
+  list. Please see section 10 on how you can do this.
+
+  Note: in case of "Best-guess" (see below), the convention is
+  to put this string in a header called X-SPF-Guess: instead.
+
+.vitem &$spf_result$&
+.vindex &$spf_result$&
+  This contains the outcome of the SPF check in string form,
+  one of pass, fail, softfail, none, neutral, permerror or
+  temperror.
+
+.vitem &$spf_smtp_comment$&
+.vindex &$spf_smtp_comment$&
+  This contains a string that can be used in a SMTP response
+  to the calling party. Useful for "fail".
+.endlist
+
+
+.cindex SPF "ACL condition"
+.cindex ACL "spf_guess condition"
+.cindex SPF "best guess"
+In addition to SPF, you can also perform checks for so-called
+"Best-guess".  Strictly speaking, "Best-guess" is not standard
+SPF, but it is supported by the same framework that enables SPF
+capability.
+Refer to &url(http://www.openspf.org/FAQ/Best_guess_record)
+for a description of what it means.
+
+To access this feature, simply use the spf_guess condition in place
+of the spf one.  For example:
+
+.code
+deny spf_guess = fail
+     message = $sender_host_address doesn't look trustworthy to me
+.endd
+
+In case you decide to reject messages based on this check, you
+should note that although it uses the same framework, "Best-guess"
+is not SPF, and therefore you should not mention SPF at all in your
+reject message.
+
+When the spf_guess condition has run, it sets up the same expansion
+variables as when spf condition is run, described above.
+
+Additionally, since Best-guess is not standardized, you may redefine
+what "Best-guess" means to you by redefining the main configuration
+&%spf_guess%& option.
+For example, the following:
+
+.code
+spf_guess = v=spf1 a/16 mx/16 ptr ?all
+.endd
+
+would relax host matching rules to a broader network range.
+
+
+.cindex SPF "lookup expansion"
+.cindex lookup spf
+A lookup expansion is also available. It takes an email
+address as the key and an IP address as the database:
+
+.code
+  ${lookup {username@domain} spf {ip.ip.ip.ip}}
+.endd
+
+The lookup will return the same result strings as they can appear in
+&$spf_result$& (pass,fail,softfail,neutral,none,err_perm,err_temp).
+Currently, only IPv4 addresses are supported.
+
+
+. wen-for SPF section
+.wen
+
+

 . ////////////////////////////////////////////////////////////////////////////
 . ////////////////////////////////////////////////////////////////////////////
 
 . ////////////////////////////////////////////////////////////////////////////
 . ////////////////////////////////////////////////////////////////////////////
 

diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 590343f82c47f3e54736cb1bc0096efb63d762c7..cfa44b713e78a7d9530c6f053f39e6248b9501bc 100644 (file)
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -17,6 +17,9 @@ Version 4.91
 
  3. Feature macros for the compiled-in set of malware scanner interfaces.
 
 
  3. Feature macros for the compiled-in set of malware scanner interfaces.
 

+ 4. SPF support is promoted from Experimental to mainline status.  The template
+    src/EDITME makefile does not enable its inclusion.
+

 
 Version 4.90
 ------------
 
 Version 4.90
 ------------

diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt
index db7a9a51da80fbdd63a17895f143ad0afcda07ae..b77fb733f78bde0da7b4d9d6e79f2a2c3459967e 100644 (file)
--- a/doc/doc-txt/experimental-spec.txt
+++ b/doc/doc-txt/experimental-spec.txt
@@ -292,173 +292,6 @@ These four steps are explained in more details below.
 
 
 
 
 
 

-Sender Policy Framework (SPF) support
---------------------------------------------------------------
-
-To learn  more  about  SPF, visit   http://www.openspf.org. This
-document does   not explain  the SPF  fundamentals, you should
-read and understand the implications of deploying SPF on  your
-system before doing so.
-
-SPF support is added via the libspf2 library. Visit
-
-  http://www.libspf2.org/
-
-to obtain  a copy,  then compile  and install  it. By default,
-this will  put headers  in /usr/local/include  and the  static
-library in /usr/local/lib.
-
-To compile Exim with SPF support, set these additional flags in
-Local/Makefile:
-
-EXPERIMENTAL_SPF=yes
-CFLAGS=-DSPF -I/usr/local/include
-EXTRALIBS_EXIM=-L/usr/local/lib -lspf2
-
-This assumes   that the   libspf2 files   are installed  in
-their default locations.
-
-You can now run SPF checks in incoming SMTP by using the "spf"
-ACL condition  in either  the MAIL,  RCPT or  DATA ACLs.  When
-using it in the RCPT ACL, you can make the checks dependent on
-the RCPT  address (or  domain), so  you can  check SPF records
-only  for   certain  target   domains.  This   gives  you  the
-possibility  to opt-out  certain customers  that do  not want
-their mail to be subject to SPF checking.
-
-The spf condition  takes a list  of strings on  its right-hand
-side. These strings describe the outcome of the SPF check  for
-which the spf condition should succeed. Valid strings are:
-
-  o pass      The SPF check passed, the sending host
-              is positively verified by SPF.
-  o fail      The SPF check failed, the sending host
-              is NOT allowed to send mail for the domain
-              in the envelope-from address.
-  o softfail  The SPF check failed, but the queried
-              domain can't absolutely confirm that this
-              is a forgery.
-  o none      The queried domain does not publish SPF
-              records.
-  o neutral   The SPF check returned a "neutral" state.
-              This means the queried domain has published
-              a SPF record, but wants to allow outside
-              servers to send mail under its domain as well.
-              This should be treated like "none".
-  o permerror This indicates a syntax error in the SPF
-              record of the queried domain. You may deny
-              messages when this occurs. (Changed in 4.83)
-  o temperror This indicates a temporary error during all
-              processing, including Exim's SPF processing.
-              You may defer messages when this occurs.
-              (Changed in 4.83)
-  o err_temp  Same as permerror, deprecated in 4.83, will be
-              removed in a future release.
-  o err_perm  Same as temperror, deprecated in 4.83, will be
-              removed in a future release.
-
-You can prefix each string with an exclamation mark to  invert
-its meaning,  for example  "!fail" will  match all  results but
-"fail".  The  string  list is  evaluated  left-to-right,  in a
-short-circuit fashion.  When a  string matches  the outcome of
-the SPF check, the condition  succeeds. If none of the  listed
-strings matches the  outcome of the  SPF check, the  condition
-fails.
-
-Here is an example to fail forgery attempts from domains that
-publish SPF records:
-
-/* -----------------
-deny message = $sender_host_address is not allowed to send mail from ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}.  \
-              Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain {mfrom}{helo}};identity=${if def:sender_address_domain {$sender_address}{$sender_helo_name}};ip=$sender_host_address
-     spf = fail
---------------------- */
-
-You can also give special treatment to specific domains:
-
-/* -----------------
-deny message = AOL sender, but not from AOL-approved relay.
-     sender_domains = aol.com
-     spf = fail:neutral
---------------------- */
-
-Explanation: AOL  publishes SPF  records, but  is liberal  and
-still allows  non-approved relays  to send  mail from aol.com.
-This will result in a "neutral" state, while mail from genuine
-AOL servers  will result  in "pass".  The example  above takes
-this into account and  treats "neutral" like "fail",  but only
-for aol.com. Please note that this violates the SPF draft.
-
-When the spf condition has run, it sets up several expansion
-variables.
-
-  $spf_header_comment
-  This contains a human-readable string describing the outcome
-  of the SPF check. You can add it to a custom header or use
-  it for logging purposes.
-
-  $spf_received
-  This contains a complete Received-SPF: header that can be
-  added to the message. Please note that according to the SPF
-  draft, this header must be added at the top of the header
-  list. Please see section 10 on how you can do this.
-
-  Note: in case of "Best-guess" (see below), the convention is
-  to put this string in a header called X-SPF-Guess: instead.
-
-  $spf_result
-  This contains the outcome of the SPF check in string form,
-  one of pass, fail, softfail, none, neutral, permerror or
-  temperror.
-
-  $spf_smtp_comment
-  This contains a string that can be used in a SMTP response
-  to the calling party. Useful for "fail".
-
-In addition to SPF, you can also perform checks for so-called
-"Best-guess".  Strictly speaking, "Best-guess" is not standard
-SPF, but it is supported by the same framework that enables SPF
-capability.  Refer to http://www.openspf.org/FAQ/Best_guess_record
-for a description of what it means.
-
-To access this feature, simply use the spf_guess condition in place
-of the spf one.  For example:
-
-/* -----------------
-deny message = $sender_host_address doesn't look trustworthy to me
-     spf_guess = fail
---------------------- */
-
-In case you decide to reject messages based on this check, you
-should note that although it uses the same framework, "Best-guess"
-is NOT SPF, and therefore you should not mention SPF at all in your
-reject message.
-
-When the spf_guess condition has run, it sets up the same expansion
-variables as when spf condition is run, described above.
-
-Additionally, since Best-guess is not standardized, you may redefine
-what "Best-guess" means to you by redefining spf_guess variable in
-global config.  For example, the following:
-
-/* -----------------
-spf_guess = v=spf1 a/16 mx/16 ptr ?all
---------------------- */
-
-would relax host matching rules to a broader network range.
-
-
-A lookup expansion is also available. It takes an email
-address as the key and an IP address as the database:
-
-  ${lookup {username@domain} spf {ip.ip.ip.ip}}
-
-The lookup will return the same result strings as they can appear in
-$spf_result (pass,fail,softfail,neutral,none,err_perm,err_temp).
-Currently, only IPv4 addresses are supported.
-
-
-

 SRS (Sender Rewriting Scheme) Support
 --------------------------------------------------------------
 
 SRS (Sender Rewriting Scheme) Support
 --------------------------------------------------------------
 

diff --git a/src/src/EDITME b/src/src/EDITME
index 3a57fab11951cb351a46f6f4592267d18e13dc65..9dcd174ca1b1b04d9bc550c42543e9257a4924e5 100644 (file)
--- a/src/src/EDITME
+++ b/src/src/EDITME
@@ -463,14 +463,6 @@ DISABLE_MAL_MKS=yes
 
 # EXPERIMENTAL_DCC=yes
 
 
 # EXPERIMENTAL_DCC=yes
 

-# Uncomment the following lines to add SPF support. You need to have libspf2
-# installed on your system (www.libspf2.org). Depending on where it is installed
-# you may have to edit the CFLAGS and LDFLAGS lines.
-
-# EXPERIMENTAL_SPF=yes
-# CFLAGS  += -I/usr/local/include
-# LDFLAGS += -lspf2
-

 # Uncomment the following lines to add SRS (Sender rewriting scheme) support.
 # You need to have libsrs_alt installed on your system (srs.mirtol.com).
 # Depending on where it is installed you may have to edit the CFLAGS and
 # Uncomment the following lines to add SRS (Sender rewriting scheme) support.
 # You need to have libsrs_alt installed on your system (srs.mirtol.com).
 # Depending on where it is installed you may have to edit the CFLAGS and


@@ -978,6 +970,16 @@ ZCAT_COMMAND=/usr/bin/zcat
 # LDFLAGS += -lidn -lidn2
 
 
 # LDFLAGS += -lidn -lidn2
 
 

+#------------------------------------------------------------------------------
+# Uncomment the following lines to add SPF support. You need to have libspf2
+# installed on your system (www.libspf2.org). Depending on where it is installed
+# you may have to edit the CFLAGS and LDFLAGS lines.
+
+# SUPPORT_SPF=yes
+# CFLAGS  += -I/usr/local/include
+# LDFLAGS += -lspf2
+
+

 #------------------------------------------------------------------------------
 # Support for authentication via Radius is also available. The Exim support,
 # which is intended for use in conjunction with the SMTP AUTH facilities,
 #------------------------------------------------------------------------------
 # Support for authentication via Radius is also available. The Exim support,
 # which is intended for use in conjunction with the SMTP AUTH facilities,

diff --git a/src/src/acl.c b/src/src/acl.c
index 045535526569b9cb2df0006636d7615b6086e68a..7d54cdd5296e2e65379a8cce33805fb9d0502594 100644 (file)
--- a/src/src/acl.c
+++ b/src/src/acl.c
@@ -102,7 +102,7 @@ enum { ACLC_ACL,
 #ifdef WITH_CONTENT_SCAN
        ACLC_SPAM,
 #endif
 #ifdef WITH_CONTENT_SCAN
        ACLC_SPAM,
 #endif

-#ifdef EXPERIMENTAL_SPF
+#ifdef SUPPORT_SPF

        ACLC_SPF,
        ACLC_SPF_GUESS,
 #endif
        ACLC_SPF,
        ACLC_SPF_GUESS,
 #endif


@@ -312,7 +312,7 @@ static condition_def conditions[] = {
                                  (1<<ACL_WHERE_NOTSMTP)),
   },
 #endif
                                  (1<<ACL_WHERE_NOTSMTP)),
   },
 #endif

-#ifdef EXPERIMENTAL_SPF
+#ifdef SUPPORT_SPF

   [ACLC_SPF] =                 { US"spf",              TRUE, FALSE,
                                  (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)|
                                    (1<<ACL_WHERE_HELO)|
   [ACLC_SPF] =                 { US"spf",              TRUE, FALSE,
                                  (1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)|
                                    (1<<ACL_WHERE_HELO)|


@@ -3682,7 +3682,7 @@ for (; cb != NULL; cb = cb->next)
     break;
 #endif
 
     break;
 #endif
 

-#ifdef EXPERIMENTAL_SPF
+#ifdef SUPPORT_SPF

     case ACLC_SPF:
       rc = spf_process(&arg, sender_address, SPF_PROCESS_NORMAL);
     break;
     case ACLC_SPF:
       rc = spf_process(&arg, sender_address, SPF_PROCESS_NORMAL);
     break;

diff --git a/src/src/config.h.defaults b/src/src/config.h.defaults
index a9d071765fa5656febe025d7293c45037f63b340..810d8969b013d4b51da3b0b8c121313769f27ab9 100644 (file)
--- a/src/src/config.h.defaults
+++ b/src/src/config.h.defaults
@@ -147,6 +147,7 @@ Do not put spaces between # and the 'define'.
 #define SUPPORT_PAM
 #define SUPPORT_PROXY
 #define SUPPORT_SOCKS
 #define SUPPORT_PAM
 #define SUPPORT_PROXY
 #define SUPPORT_SOCKS

+#define SUPPORT_SPF

 #define SUPPORT_TLS
 #define SUPPORT_TRANSLATE_IP_ADDRESS
 
 #define SUPPORT_TLS
 #define SUPPORT_TRANSLATE_IP_ADDRESS
 


@@ -196,7 +197,6 @@ Do not put spaces between # and the 'define'.
     #define DMARC_TLD_FILE "/etc/exim/opendmarc.tlds"
 #define EXPERIMENTAL_LMDB
 #define EXPERIMENTAL_QUEUEFILE
     #define DMARC_TLD_FILE "/etc/exim/opendmarc.tlds"
 #define EXPERIMENTAL_LMDB
 #define EXPERIMENTAL_QUEUEFILE

-#define EXPERIMENTAL_SPF

 #define EXPERIMENTAL_SRS
 
 
 #define EXPERIMENTAL_SRS
 
 

diff --git a/src/src/dmarc.c b/src/src/dmarc.c
index 6cb5b19fe38617c8491f21024b4ec2cdd19433dd..37ac9c555b69b8e584dd75921e347567833aa6a0 100644 (file)
--- a/src/src/dmarc.c
+++ b/src/src/dmarc.c
@@ -12,7 +12,7 @@
 
 #include "exim.h"
 #ifdef EXPERIMENTAL_DMARC
 
 #include "exim.h"
 #ifdef EXPERIMENTAL_DMARC

-# if !defined EXPERIMENTAL_SPF
+# if !defined SUPPORT_SPF

 #  error SPF must also be enabled for DMARC
 # elif defined DISABLE_DKIM
 #  error DKIM must also be enabled for DMARC
 #  error SPF must also be enabled for DMARC
 # elif defined DISABLE_DKIM
 #  error DKIM must also be enabled for DMARC


@@ -632,7 +632,7 @@ if (header_from_sender)
 return hdr_tmp;
 }
 
 return hdr_tmp;
 }
 

-# endif /* EXPERIMENTAL_SPF */
+# endif /* SUPPORT_SPF */

 #endif /* EXPERIMENTAL_DMARC */
 /* vi: aw ai sw=2
  */
 #endif /* EXPERIMENTAL_DMARC */
 /* vi: aw ai sw=2
  */

diff --git a/src/src/dmarc.h b/src/src/dmarc.h
index 78e2a5b7b7e0d5e31605811353335087a5c2f1b4..764ff88ffb70a4288e6ef3f59cf671c798917843 100644 (file)
--- a/src/src/dmarc.h
+++ b/src/src/dmarc.h
@@ -12,9 +12,9 @@
 #ifdef EXPERIMENTAL_DMARC
 
 # include "opendmarc/dmarc.h"
 #ifdef EXPERIMENTAL_DMARC
 
 # include "opendmarc/dmarc.h"

-# ifdef EXPERIMENTAL_SPF
+# ifdef SUPPORT_SPF

 #  include "spf2/spf.h"
 #  include "spf2/spf.h"

-# endif /* EXPERIMENTAL_SPF */
+# endif /* SUPPORT_SPF */

 
 /* prototypes */
 int dmarc_init();
 
 /* prototypes */
 int dmarc_init();

diff --git a/src/src/drtables.c b/src/src/drtables.c
index d8904ac4fb1a7a4c81df618062efd299d84c8258..36bf64261521164fccabcd0ac95d62fe920d820a 100644 (file)
--- a/src/src/drtables.c
+++ b/src/src/drtables.c
@@ -578,7 +578,7 @@ extern lookup_module_info redis_lookup_module_info;
 #if defined(EXPERIMENTAL_LMDB)
 extern lookup_module_info lmdb_lookup_module_info;
 #endif
 #if defined(EXPERIMENTAL_LMDB)
 extern lookup_module_info lmdb_lookup_module_info;
 #endif

-#if defined(EXPERIMENTAL_SPF)
+#if defined(SUPPORT_SPF)

 extern lookup_module_info spf_lookup_module_info;
 #endif
 #if defined(LOOKUP_SQLITE) && LOOKUP_SQLITE!=2
 extern lookup_module_info spf_lookup_module_info;
 #endif
 #if defined(LOOKUP_SQLITE) && LOOKUP_SQLITE!=2


@@ -669,7 +669,7 @@ init_lookup_list(void)
   addlookupmodule(NULL, &lmdb_lookup_module_info);
 #endif
 
   addlookupmodule(NULL, &lmdb_lookup_module_info);
 #endif
 

-#ifdef EXPERIMENTAL_SPF
+#ifdef SUPPORT_SPF

   addlookupmodule(NULL, &spf_lookup_module_info);
 #endif
 
   addlookupmodule(NULL, &spf_lookup_module_info);
 #endif
 

diff --git a/src/src/exim.c b/src/src/exim.c
index 2189bc0511c4f1ee104a69f17a3e504617d0ddec..01c0e306a91fcb64877ffbb88965e0667dffee6b 100644 (file)
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -840,6 +840,9 @@ fprintf(f, "Support for:");
 #ifdef SUPPORT_SOCKS
   fprintf(f, " SOCKS");
 #endif
 #ifdef SUPPORT_SOCKS
   fprintf(f, " SOCKS");
 #endif

+#ifdef SUPPORT_SPF
+  fprintf(f, " SPF");
+#endif

 #ifdef TCP_FASTOPEN
   deliver_init();
   if (tcp_fastopen_ok) fprintf(f, " TCP_Fast_Open");
 #ifdef TCP_FASTOPEN
   deliver_init();
   if (tcp_fastopen_ok) fprintf(f, " TCP_Fast_Open");


@@ -850,9 +853,6 @@ fprintf(f, "Support for:");
 #ifdef EXPERIMENTAL_QUEUEFILE
   fprintf(f, " Experimental_QUEUEFILE");
 #endif
 #ifdef EXPERIMENTAL_QUEUEFILE
   fprintf(f, " Experimental_QUEUEFILE");
 #endif

-#ifdef EXPERIMENTAL_SPF
-  fprintf(f, " Experimental_SPF");
-#endif

 #ifdef EXPERIMENTAL_SRS
   fprintf(f, " Experimental_SRS");
 #endif
 #ifdef EXPERIMENTAL_SRS
   fprintf(f, " Experimental_SRS");
 #endif

diff --git a/src/src/exim.h b/src/src/exim.h
index 770fd6333de186c728abca5e33751169b7714ccc..faeb6455b87ba8c6a5099ee5a8fb47918eb09ce9 100644 (file)
--- a/src/src/exim.h
+++ b/src/src/exim.h
@@ -502,7 +502,7 @@ config.h, mytypes.h, and store.h, so we don't need to mention them explicitly.
 #ifdef EXPERIMENTAL_BRIGHTMAIL
 # include "bmi_spam.h"
 #endif
 #ifdef EXPERIMENTAL_BRIGHTMAIL
 # include "bmi_spam.h"
 #endif

-#ifdef EXPERIMENTAL_SPF
+#ifdef SUPPORT_SPF

 # include "spf.h"
 #endif
 #ifdef EXPERIMENTAL_SRS
 # include "spf.h"
 #endif
 #ifdef EXPERIMENTAL_SRS

diff --git a/src/src/expand.c b/src/src/expand.c
index 3a63a7c7827cfcc2e09186e35533d01b31705189..2b40823c92b0905a9d650c1981a98ea8b0f9ef58 100644 (file)
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -700,7 +700,7 @@ static var_entry var_table[] = {
   { "spam_score",          vtype_stringptr,   &spam_score },
   { "spam_score_int",      vtype_stringptr,   &spam_score_int },
 #endif
   { "spam_score",          vtype_stringptr,   &spam_score },
   { "spam_score_int",      vtype_stringptr,   &spam_score_int },
 #endif

-#ifdef EXPERIMENTAL_SPF
+#ifdef SUPPORT_SPF

   { "spf_guess",           vtype_stringptr,   &spf_guess },
   { "spf_header_comment",  vtype_stringptr,   &spf_header_comment },
   { "spf_received",        vtype_stringptr,   &spf_received },
   { "spf_guess",           vtype_stringptr,   &spf_guess },
   { "spf_header_comment",  vtype_stringptr,   &spf_header_comment },
   { "spf_received",        vtype_stringptr,   &spf_received },

diff --git a/src/src/globals.c b/src/src/globals.c
index 5df84bd10299fc7e70328117ec03c21a4591b650..346bb07440c2f6a08e8c6af35b39cde57bc5b9cc 100644 (file)
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -1360,7 +1360,7 @@ uschar *spam_action            = NULL;
 uschar *spam_score             = NULL;
 uschar *spam_score_int         = NULL;
 #endif
 uschar *spam_score             = NULL;
 uschar *spam_score_int         = NULL;
 #endif

-#ifdef EXPERIMENTAL_SPF
+#ifdef SUPPORT_SPF

 uschar *spf_guess              = US"v=spf1 a/24 mx/24 ptr ?all";
 uschar *spf_header_comment     = NULL;
 uschar *spf_received           = NULL;
 uschar *spf_guess              = US"v=spf1 a/24 mx/24 ptr ?all";
 uschar *spf_header_comment     = NULL;
 uschar *spf_received           = NULL;

diff --git a/src/src/globals.h b/src/src/globals.h
index 37d4cada38c98057641670ae90ae1b01ff84f7f9..0c1b6ccbc428f8aaffedf1769488deb1b166c5e6 100644 (file)
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -867,7 +867,7 @@ extern uschar *spam_action;            /* the spamd recommended-action */
 extern uschar *spam_score;             /* the spam score (float) */
 extern uschar *spam_score_int;         /* spam_score * 10 (int) */
 #endif
 extern uschar *spam_score;             /* the spam score (float) */
 extern uschar *spam_score_int;         /* spam_score * 10 (int) */
 #endif

-#ifdef EXPERIMENTAL_SPF
+#ifdef SUPPORT_SPF

 extern uschar *spf_guess;              /* spf best-guess record */
 extern uschar *spf_header_comment;     /* spf header comment */
 extern uschar *spf_received;           /* Received-SPF: header */
 extern uschar *spf_guess;              /* spf best-guess record */
 extern uschar *spf_header_comment;     /* spf header comment */
 extern uschar *spf_received;           /* Received-SPF: header */

diff --git a/src/src/lookups/spf.c b/src/src/lookups/spf.c
index ad56a2a8dd0864c11fa9a7ec230aa2060823fd72..b32a73e6a9f549b6ce3a56cf9e48eda0a28d7b57 100644 (file)
--- a/src/src/lookups/spf.c
+++ b/src/src/lookups/spf.c
@@ -18,7 +18,7 @@
 
 #include "../exim.h"
 
 
 #include "../exim.h"
 

-#ifndef EXPERIMENTAL_SPF
+#ifndef SUPPORT_SPF

 static void dummy(int x);
 static void dummy2(int x) { dummy(x-1); }
 static void dummy(int x) { dummy2(x-1); }
 static void dummy(int x);
 static void dummy2(int x) { dummy(x-1); }
 static void dummy(int x) { dummy2(x-1); }


@@ -118,4 +118,4 @@ static lookup_info _lookup_info = {
 static lookup_info *_lookup_list[] = { &_lookup_info };
 lookup_module_info spf_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };
 
 static lookup_info *_lookup_list[] = { &_lookup_info };
 lookup_module_info spf_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };
 

-#endif /* EXPERIMENTAL_SPF */
+#endif /* SUPPORT_SPF */

diff --git a/src/src/macro_predef.c b/src/src/macro_predef.c
index 08028bf5b9873efaac5c9c1e135530395c5f0f95..47ba3fdd1c859cda43f2af1e8ab8d8688a5db3da 100644 (file)
--- a/src/src/macro_predef.c
+++ b/src/src/macro_predef.c
@@ -174,7 +174,7 @@ due to conflicts with other common macros. */
 #ifdef EXPERIMENTAL_LMDB
   builtin_macro_create(US"_HAVE_LMDB");
 #endif
 #ifdef EXPERIMENTAL_LMDB
   builtin_macro_create(US"_HAVE_LMDB");
 #endif

-#ifdef EXPERIMENTAL_SPF
+#ifdef SUPPORT_SPF

   builtin_macro_create(US"_HAVE_SPF");
 #endif
 #ifdef EXPERIMENTAL_SRS
   builtin_macro_create(US"_HAVE_SPF");
 #endif
 #ifdef EXPERIMENTAL_SRS

diff --git a/src/src/readconf.c b/src/src/readconf.c
index 8d5f38c58c24105e93ad2c14164ab0a8b0554ec4..007e8444ef6315b2a51782c373c5e7cddf2c28b0 100644 (file)
--- a/src/src/readconf.c
+++ b/src/src/readconf.c
@@ -304,7 +304,7 @@ static optionlist optionlist_config[] = {
 #ifdef WITH_CONTENT_SCAN
   { "spamd_address",            opt_stringptr,   &spamd_address },
 #endif
 #ifdef WITH_CONTENT_SCAN
   { "spamd_address",            opt_stringptr,   &spamd_address },
 #endif

-#ifdef EXPERIMENTAL_SPF
+#ifdef SUPPORT_SPF

   { "spf_guess",                opt_stringptr,   &spf_guess },
 #endif
   { "split_spool_directory",    opt_bool,        &split_spool_directory },
   { "spf_guess",                opt_stringptr,   &spf_guess },
 #endif
   { "split_spool_directory",    opt_bool,        &split_spool_directory },

diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index 92e4a29089a9aa1512ed241ae699972c5f3a38b8..498cfab5e2d6513d6915d372c24140fec53178f3 100644 (file)
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -2007,7 +2007,7 @@ deliver_host = deliver_host_address = NULL;       /* Can be set by ACL */
 #ifndef DISABLE_PRDR
 prdr_requested = FALSE;
 #endif
 #ifndef DISABLE_PRDR
 prdr_requested = FALSE;
 #endif

-#ifdef EXPERIMENTAL_SPF
+#ifdef SUPPORT_SPF

 spf_header_comment = NULL;
 spf_received = NULL;
 spf_result = NULL;
 spf_header_comment = NULL;
 spf_received = NULL;
 spf_result = NULL;


@@ -4082,7 +4082,7 @@ while (done <= 0)
         }
       }
 
         }
       }
 

-#ifdef EXPERIMENTAL_SPF
+#ifdef SUPPORT_SPF

     /* set up SPF context */
     spf_init(sender_helo_name, sender_host_address);
 #endif
     /* set up SPF context */
     spf_init(sender_helo_name, sender_host_address);
 #endif

diff --git a/src/src/spf.c b/src/src/spf.c
index ffd278af8609f5b3e817929a75ec7d6bb9e3116f..1d4e032e94ca6139f4e7a3d34e81ec138fdae232 100644 (file)
--- a/src/src/spf.c
+++ b/src/src/spf.c
@@ -11,7 +11,7 @@
 /* Code for calling spf checks via libspf-alt. Called from acl.c. */
 
 #include "exim.h"
 /* Code for calling spf checks via libspf-alt. Called from acl.c. */
 
 #include "exim.h"

-#ifdef EXPERIMENTAL_SPF
+#ifdef SUPPORT_SPF

 
 /* must be kept in numeric order */
 static spf_result_id spf_result_id_list[] = {
 
 /* must be kept in numeric order */
 static spf_result_id spf_result_id_list[] = {

diff --git a/src/src/spf.h b/src/src/spf.h
index 0d982f336bcf732aff1f8e864d602821ad70eb54..23ad325f17b854bc1a452545754cad72355ea132 100644 (file)
--- a/src/src/spf.h
+++ b/src/src/spf.h
@@ -8,7 +8,7 @@
    Copyright (c) The Exim Maintainers 2016
 */
 
    Copyright (c) The Exim Maintainers 2016
 */
 

-#ifdef EXPERIMENTAL_SPF
+#ifdef SUPPORT_SPF

 
 /* Yes, we do have ns_type. spf.h redefines it if we don't set this. Doh */
 #ifndef HAVE_NS_TYPE
 
 /* Yes, we do have ns_type. spf.h redefines it if we don't set this. Doh */
 #ifndef HAVE_NS_TYPE

diff --git a/test/scripts/4600-SPF/REQUIRES b/test/scripts/4600-SPF/REQUIRES
index c4c4339245fa14c64bff4367c2bce0c5e43d98bb..0fde5fb3f55c50336c586d1faf34781d1660ffb1 100644 (file)
--- a/test/scripts/4600-SPF/REQUIRES
+++ b/test/scripts/4600-SPF/REQUIRES
@@ -1 +1 @@
-support Experimental_SPF
+support SPF