authorlassulus <lassulus@lassul.us>2022-12-08 13:11:27 +0100
committerlassulus <lassulus@lassul.us>2022-12-08 13:11:27 +0100
commitd7341bbff6b0b866aa5d8bc9b248e8468fba5952 (patch)
tree5833484e2ebf219ed06e66b40cdc3c626e4db73c /krebs/3modules/exim-smarthost.nix
parentac32440c0b41a3c7dc67ab7dc8d3306ab7fae091 (diff)
parentf8fdd76e7195d4a4f0117f7e64032075bb01a98e (diff)
Merge remote-tracking branch 'ni/master'
Diffstat (limited to 'krebs/3modules/exim-smarthost.nix')
-rw-r--r--krebs/3modules/exim-smarthost.nix40
1 files changed, 39 insertions, 1 deletions
diff --git a/krebs/3modules/exim-smarthost.nix b/krebs/3modules/exim-smarthost.nix
index 38cc828bb..7c176d224 100644
--- a/krebs/3modules/exim-smarthost.nix
+++ b/krebs/3modules/exim-smarthost.nix
@@ -12,6 +12,8 @@ let
api = {
enable = mkEnableOption "krebs.exim-smarthost";
+ enableSPFVerification = mkEnableOption "SPF verification";
+
authenticators = mkOption {
type = types.attrsOf types.str;
default = {};
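Review bot: The new `enableSPFVerification` option carries only the generated "Whether to enable SPF verification" text, which does not tell an operator what turning it on does to inbound mail. I would add a comment above it such as `# Rejects MAIL FROM on SPF fail, softfail and permerror; defers on temperror. Needs an Exim build with SPF support.` The build requirement is an inference: nothing visible in this diff ensures the exim package is compiled with SPF, and without it the `spf =` conditions would presumably be rejected when the config is parsed. The `api` attribute set continues outside the hunk.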
@@ -126,8 +128,9 @@ let
domainlist sender_domains = ${concatStringsSep ":" cfg.sender_domains}
hostlist relay_from_hosts = <;${concatStringsSep ";" cfg.relay_from_hosts}
- acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
+ acl_smtp_mail = acl_check_mail
+ acl_smtp_rcpt = acl_check_rcpt
never_users = root
@@ -179,6 +182,41 @@ let
accept
+ acl_check_mail:
+ ${if cfg.enableSPFVerification then indent /* exim */ ''
+ accept
+ authenticated = *
+ accept
+ hosts = +relay_from_hosts
+ deny
+ spf = fail : softfail
+ log_message = spf=$spf_result
+ message = SPF validation failed: \
+ $sender_host_address is not allowed to send mail from \
+ ''${if def:sender_address_domain\
+ {$sender_address_domain}\
+ {$sender_helo_name}}
+ deny
+ spf = permerror
+ log_message = spf=$spf_result
+ message = SPF validation failed: \
+ syntax error in SPF record(s) for \
+ ''${if def:sender_address_domain\
+ {$sender_address_domain}\
+ {$sender_helo_name}}
+ defer
+ spf = temperror
+ log_message = spf=$spf_result; deferred
+ message = temporary error during SPF validation; \
+ please try again later
+ warn
+ spf = none : neutral
+ log_message = spf=$spf_result
+ accept
+ add_header = $spf_received
+ '' else indent /* exim */ ''
+ accept
+ ''}
begin routers
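Review bot: The first `deny` in `acl_check_mail` rejects on `spf = fail : softfail`, so a domain publishing `~all` (a soft policy its owner has not asked receivers to enforce) is treated the same as a hard fail, and forwarded mail from such domains is lost. RFC 7208 advises against rejecting on softfail alone; I would narrow the deny to `spf = fail` and move softfail into the warn stanza as `spf = softfail : none : neutral`, so it is still logged and recorded in the header. Separately, `add_header = $spf_received` appends the header after any `Received-SPF:` the sender supplied; `add_header = :at_start:$spf_received` puts the locally generated result first, so downstream filters that read the first such header see this host's verdict. The surrounding Nix string that holds the ACL section starts and ends outside the hunk.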