dnl
dnl Check the SPF records of the sender's domain
dnl
dnl The actions to take when the sending relay does not match the SPF record
dnl of the sender's domain are described in the file CONFDIR/access-spf in the form:
dnl
dnl sender.domain.tld|action : result1 : result2 : ... | message
dnl
dnl where sender.domain.tld - the sender's domain, wildcards are allowed
dnl       action            - the action (deny, defer or warn)
dnl       result1, result2  - result of checking the sending relay against the SPF record
dnl                           of the sender's domain (pass, fail, softfail, none, neutral,
dnl                           err_perm, err_temp; see exiscan-acl-spec.txt,
dnl                           8. Sender Policy Framework (SPF) support)
dnl       message           - the message returned to the client (optional)
dnl
dnl example:
dnl *.aol.com|deny : fail | AOL sender, but not from AOL-approved relay
dnl *.aol.com|warn : neutral | AOL sender, but not from AOL-approved relay
dnl aol.com|deny : fail : neutral | AOL sender, but not from AOL-approved relay
dnl *|deny : fail
dnl *|defer : softfail : err_temp
dnl *|warn : neutral
dnl
dnl Exceptions from the SPF check are listed in the file CONFDIR/access-spf in the form:
dnl relay_IP_address : skip
dnl relay_network : skip
dnl
dnl example:
dnl 194.183.162.130 : skip
dnl 194.183.162.195 : skip
dnl 194.183.174.248/29 : skip
dnl
dnl The addresses of backup MXes must be added as exceptions
dnl
dnl acl_m1 becomes "skip" when the relay address is listed as an exception, "no" otherwise
warn    set acl_m1      = ${lc:\
                          ${lookup{$sender_host_address}\
                          iplsearch{CONFDIR/access-spf}\
                          {$value}\
                          {no}}\
                          }

dnl a matching "pass" entry for the sender's domain also switches off the checks below
warn    condition       = ${if eq{$acl_m1}{skip}{no}{yes}}
        set acl_m0      = ${lookup{$sender_address_domain|pass}wildlsearch{CONFDIR/access-spf}{$value}{}}
        condition       = ${if eq{$acl_m0}{}{no}{yes}}
        spf             = ${extract{1}{|}{$acl_m0}}
        set acl_m1      = skip

dnl reject when the SPF result is in the result list of the domain's "deny" entry
deny    condition       = ${if eq{$acl_m1}{skip}{no}{yes}}
        set acl_m0      = ${lookup{$sender_address_domain|deny}wildlsearch{CONFDIR/access-spf}}
        condition       = ${if eq{$acl_m0}{}{no}{yes}}
        spf             = ${extract{1}{|}{$acl_m0}}
        message         = ${if eq{${extract{2}{|}{$acl_m0}}}{}{\
                          $sender_host_address is not allowed to send mail from $sender_address_domain\
                          }{${extract{2}{|}{$acl_m0}}}}

dnl temporarily reject when the SPF result is in the result list of the "defer" entry
defer   condition       = ${if eq{$acl_m1}{skip}{no}{yes}}
        set acl_m0      = ${lookup{$sender_address_domain|defer}wildlsearch{CONFDIR/access-spf}}
        condition       = ${if eq{$acl_m0}{}{no}{yes}}
        spf             = ${extract{1}{|}{$acl_m0}}
        message         = ${if eq{${extract{2}{|}{$acl_m0}}}{}{\
                          $sender_host_address is not allowed to send mail from $sender_address_domain\
                          }{${extract{2}{|}{$acl_m0}}}}

dnl accept, but add an X-Warn-SPF header and a log line, for the "warn" entry
warn    condition       = ${if eq{$acl_m1}{skip}{no}{yes}}
        set acl_m0      = ${lookup{$sender_address_domain|warn}wildlsearch{CONFDIR/access-spf}}
        condition       = ${if eq{$acl_m0}{}{no}{yes}}
        spf             = ${extract{1}{|}{$acl_m0}}
        message         = X-Warn-SPF: ${if eq{${extract{2}{|}{$acl_m0}}}{}{\
                          $sender_host_address is not allowed to send mail from $sender_address_domain\
                          }{${extract{2}{|}{$acl_m0}}}}
        log_message     = $sender_host_address is not allowed to send mail from $sender_address_domain
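
dnl Added example, not part of the original configuration: a Python model of how the ACL statements above resolve CONFDIR/access-spf, for checking a rule file before it is deployed.
dnl The sample file contents, the function names and the example.net entry are constructed; only IPv4 skip keys and leading-asterisk patterns are modelled (no regular-expression keys).

```python
import ipaddress

# Constructed sample of CONFDIR/access-spf, in the format described in the comments above.
SAMPLE = """\
194.183.162.130 : skip
194.183.174.248/29 : skip
aol.com|deny : fail : neutral | AOL sender, but not from AOL-approved relay
*.aol.com|deny : fail | AOL sender, but not from AOL-approved relay
example.net|deny : softfail
*|deny : fail
*|defer : softfail : err_temp
*|warn : neutral
"""
ACTIONS = ("pass", "deny", "defer", "warn")  # order in which the ACL consults them

def parse(text):
    """Split the file into skip networks and ordered (pattern, data) rules."""
    skips, rules = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, data = line.partition(":")  # the key ends at the first colon
        key, data = key.strip().lower(), data.strip()
        if "|" in key:
            rules.append((key, data))
        elif data.lower() == "skip":
            skips.append(ipaddress.ip_network(key, strict=False))
    return skips, rules

def lookup(rules, key):
    """First matching key wins; a leading '*' means 'ends with'. '' if no match."""
    for pattern, data in rules:
        if pattern == key or (pattern.startswith("*") and key.endswith(pattern[1:])):
            return data
    return ""

def decide(text, relay_ip, sender_domain, spf_result):
    """Return (action, message) as the ACL would choose it, else ('accept', None)."""
    skips, rules = parse(text)
    if any(ipaddress.ip_address(relay_ip) in net for net in skips):
        return ("skip", None)
    for action in ACTIONS:
        data = lookup(rules, f"{sender_domain.lower()}|{action}")
        results, _, message = data.partition("|")
        if spf_result in [r.strip() for r in results.split(":")]:
            return ("skip" if action == "pass" else action, message.strip() or None)
    return ("accept", None)
```

dnl Because each lookup returns only the first matching key, the constructed example.net entry replaces the *|deny default for that domain, so decide(SAMPLE, "203.0.113.5", "example.net", "fail") yields ("accept", None).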