Reject incoming mail which fails SPF checks

diff --git a/cookbooks/exim/templates/default/exim4.conf.erb b/cookbooks/exim/templates/default/exim4.conf.erb
index 6809a6a58996ff9c747483ff5175bad261613b09..d1c3ccfb353f35ec6f704b4229a0b39e3b43de24 100644 (file)
--- a/cookbooks/exim/templates/default/exim4.conf.erb
+++ b/cookbooks/exim/templates/default/exim4.conf.erb
@@ -107,6 +107,7 @@ hostlist   relay_from_hosts = <; <%= @relay_from_hosts.join(" ; ") %>
 # manual for details. The lists above are used in the access control lists for
 # checking incoming messages. The names of these ACLs are defined here:
 
+acl_smtp_mail = acl_check_mail
 acl_smtp_rcpt = acl_check_rcpt
 acl_smtp_data = acl_check_data
 
@@ -377,6 +378,23 @@ smtp_accept_max = <%= node[:exim][:smtp_accept_max] %>
 
 begin acl
 
+# This access control list is used for the MAIL command in an incoming
+# SMTP message.
+
+acl_check_mail:
+<% if node[:exim][:smarthost_name] -%>
+
+  # Reject mail that fails SPF checks
+
+  deny    spf           = fail
+          message       = $sender_host_address is not allowed to send mail from \
+                          ${if def:sender_address_domain \
+                               {$sender_address_domain}{$sender_helo_name}}.
+          !hosts        = +relay_from_hosts
+<% end -%>
+
+  accept
+
 # This access control list is used for every RCPT command in an incoming
 # SMTP message. The tests are run in order until the address is either
 # accepted or denied.