From 71df4ba66dfa78d3d4856fc650af20001aeb09e9 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Thu, 14 Mar 2024 09:42:26 +0000
Subject: [PATCH] Reject incoming mail which fails SPF checks
---
 .../exim/templates/default/exim4.conf.erb | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/cookbooks/exim/templates/default/exim4.conf.erb b/cookbooks/exim/templates/default/exim4.conf.erb
index 6809a6a58..d1c3ccfb3 100644
--- a/cookbooks/exim/templates/default/exim4.conf.erb
+++ b/cookbooks/exim/templates/default/exim4.conf.erb
@@ -107,6 +107,7 @@ hostlist relay_from_hosts = <; <%= @relay_from_hosts.join(" ; ") %>
 # manual for details. The lists above are used in the access control lists for
 # checking incoming messages. The names of these ACLs are defined here:
+acl_smtp_mail = acl_check_mail
 acl_smtp_rcpt = acl_check_rcpt
 acl_smtp_data = acl_check_data
@@ -377,6 +378,23 @@ smtp_accept_max = <%= node[:exim][:smtp_accept_max] %>
 begin acl
+# This access control list is used for the MAIL command in an incoming
+# SMTP message.
+
+acl_check_mail:
+<% if node[:exim][:smarthost_name] -%>
+
+ # Reject mail that fails SPF checks
+
+ deny spf = fail
+ message = $sender_host_address is not allowed to send mail from \
+ ${if def:sender_address_domain \
+ {$sender_address_domain}{$sender_helo_name}}.
+ !hosts = +relay_from_hosts
+<% end -%>
+
+ accept
+
 # This access control list is used for every RCPT command in an incoming
 # SMTP message. The tests are run in order until the address is either
 # accepted or denied.
-- 
2.45.1
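Review bot: In the new `acl_check_mail` block the exemption `!hosts = +relay_from_hosts` is written after `spf = fail`, and Exim tests the conditions of an ACL statement in the order they appear, so the SPF lookup runs for trusted relay hosts before they are excused. Making `!hosts = +relay_from_hosts` the first condition of the `deny` avoids that DNS work for internal senders. The statement exempts only that host list; if this server also accepts authenticated submission (not visible in the hunk), a `!authenticated = *` condition would be needed to keep those clients from being rejected. The `spf` condition is available only in Exim builds with SPF support, so it is worth confirming that the cookbook installs such a build, since an unrecognised ACL condition is normally a configuration error that stops the daemon from starting.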