Integrated SPF Best Guess. Fixes: bug #521

[users/jgh/exim.git] / doc / doc-txt / experimental-spec.txt

diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt
index 3ad0825d5ac65c70eca7b7f059225b7fceda1b6e..4175173c320d5cf1113133a8dd7117807a152e54 100644 (file)
--- a/doc/doc-txt/experimental-spec.txt
+++ b/doc/doc-txt/experimental-spec.txt
@@ -1,4 +1,4 @@
-$Cambridge: exim/doc/doc-txt/experimental-spec.txt,v 1.8 2007/09/28 12:58:41 tom Exp $
+$Cambridge: exim/doc/doc-txt/experimental-spec.txt,v 1.11 2008/02/12 12:52:51 nm4 Exp $

 
 From time to time, experimental features may be added to Exim.
 While a feature  is experimental, there  will be a  build-time
 
 From time to time, experimental features may be added to Exim.
 While a feature  is experimental, there  will be a  build-time


@@ -140,6 +140,22 @@ arguments.
     can  use the $dkim_domain and $dkim_selector expansion
     variables here.
 
     can  use the $dkim_domain and $dkim_selector expansion
     variables here.
 

+  dkim_sign_headers = <expanded string> [OPTIONAL]
+
+    When set, this option must expand to (or be specified as)
+    a colon-separated list of header names. These headers will
+    be included in the message signature. When unspecified,
+    the recommended headers will be used. Currently, these
+    are:
+
+    from:sender:reply-to:subject:date:
+    message-id:to:cc:mime-version:content-type:
+    content-transfer-encoding:content-id:
+    content-description:resent-date:resent-from:
+    resent-sender:resent-to:resent-cc:resent-message-id:
+    in-reply-to:references:
+    list-id:list-help:list-unsubscribe:
+    list-subscribe:list-post:list-owner:list-archive

 
 
 
 
 
 


@@ -681,7 +697,7 @@ These four steps are explained in more details below.
 3. Sender Policy Framework (SPF) support
 --------------------------------------------------------------
 
 3. Sender Policy Framework (SPF) support
 --------------------------------------------------------------
 

-To learn  more  about  SPF, visit   http://spf.pobox.com. This
+To learn  more  about  SPF, visit   http://www.openspf.org. This

 document does   not explain  the SPF  fundamentals, you should
 read and understand the implications of deploying SPF on  your
 system before doing so.
 document does   not explain  the SPF  fundamentals, you should
 read and understand the implications of deploying SPF on  your
 system before doing so.


@@ -745,11 +761,12 @@ the SPF check, the condition  succeeds. If none of the  listed
 strings matches the  outcome of the  SPF check, the  condition
 fails.
 
 strings matches the  outcome of the  SPF check, the  condition
 fails.
 

-Here is a simple example to fail forgery attempts from domains
-that publish SPF records:
+Here is an example to fail forgery attempts from domains that
+publish SPF records:

 
 /* -----------------
 
 /* -----------------

-deny message = $sender_host_address is not allowed to send mail from $sender_address_domain
+deny message = $sender_host_address is not allowed to send mail from ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}.  \
+              Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain {mfrom}{helo}};identity=${if def:sender_address_domain {$sender_address}{$sender_helo_name}};ip=$sender_host_address

      spf = fail
 --------------------- */
 
      spf = fail
 --------------------- */
 


@@ -782,6 +799,9 @@ variables.
   draft, this header must be added at the top of the header
   list. Please see section 10 on how you can do this.
 
   draft, this header must be added at the top of the header
   list. Please see section 10 on how you can do this.
 

+  Note: in case of "Best-guess" (see below), the convention is
+  to put this string in a header called X-SPF-Guess: instead.
+

   $spf_result
   This contains the outcome of the SPF check in string form,
   one of pass, fail, softfail, none, neutral, err_perm or
   $spf_result
   This contains the outcome of the SPF check in string form,
   one of pass, fail, softfail, none, neutral, err_perm or


@@ -791,6 +811,37 @@ variables.
   This contains a string that can be used in a SMTP response
   to the calling party. Useful for "fail".
 
   This contains a string that can be used in a SMTP response
   to the calling party. Useful for "fail".
 

+In addition to SPF, you can also perform checks for so-called
+"Best-guess".  Strictly speaking, "Best-guess" is not standard
+SPF, but it is supported by the same framework that enables SPF
+capability.  Refer to http://www.openspf.org/FAQ/Best_guess_record
+for a description of what it means.
+
+To access this feature, simply use the spf_guess condition in place
+of the spf one.  For example:
+
+/* -----------------
+deny message = $sender_host_address doesn't look trustworthy to me
+     spf_guess = fail
+--------------------- */
+
+In case you decide to reject messages based on this check, you
+should note that although it uses the same framework, "Best-guess"
+is NOT SPF, and therefore you should not mention SPF at all in your
+reject message.
+
+When the spf_guess condition has run, it sets up the same expansion
+variables as when spf condition is run, described above.
+
+Additionally, since Best-guess is not standarized, you may redefine
+what "Best-guess" means to you by redefining spf_guess variable in
+global config.  For example, the following:
+
+/* -----------------
+spf_guess = v=spf1 a/16 mx/16 ptr ?all
+--------------------- */
+
+would relax host matching rules to a broader network range.

 
 
 4. SRS (Sender Rewriting Scheme) Support
 
 
 4. SRS (Sender Rewriting Scheme) Support