summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--doc/doc-docbook/spec.xfpt222
-rw-r--r--doc/doc-txt/NewStuff3
-rw-r--r--doc/doc-txt/experimental-spec.txt167
-rw-r--r--src/src/EDITME18
-rw-r--r--src/src/acl.c6
-rw-r--r--src/src/config.h.defaults2
-rw-r--r--src/src/dmarc.c4
-rw-r--r--src/src/dmarc.h4
-rw-r--r--src/src/drtables.c4
-rw-r--r--src/src/exim.c6
-rw-r--r--src/src/exim.h2
-rw-r--r--src/src/expand.c2
-rw-r--r--src/src/globals.c2
-rw-r--r--src/src/globals.h2
-rw-r--r--src/src/lookups/spf.c4
-rw-r--r--src/src/macro_predef.c2
-rw-r--r--src/src/readconf.c2
-rw-r--r--src/src/smtp_in.c4
-rw-r--r--src/src/spf.c2
-rw-r--r--src/src/spf.h2
-rw-r--r--test/scripts/4600-SPF/REQUIRES2
21 files changed, 246 insertions, 216 deletions
diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index f247e9ab8..844178fca 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -11661,7 +11661,7 @@ The name of the main configuration file Exim is using.
.vitem &$dkim_verify_status$& &&&
Results of DKIM verification.
-For details see chapter &<<CHAPdkim>>&.
+For details see section &<<SECDKIMVFY>>&.
.vitem &$dkim_cur_signer$& &&&
&$dkim_verify_reason$& &&&
@@ -11683,13 +11683,13 @@ For details see chapter &<<CHAPdkim>>&.
&$dkim_key_notes$& &&&
&$dkim_key_length$&
These variables are only available within the DKIM ACL.
-For details see chapter &<<CHAPdkim>>&.
+For details see section &<<SECDKIMVFY>>&.
.vitem &$dkim_signers$&
.vindex &$dkim_signers$&
When a message has been received this variable contains
a colon-separated list of signer domains and identities for the message.
-For details see chapter &<<CHAPdkim>>&.
+For details see section &<<SECDKIMVFY>>&.
.vitem &$dnslist_domain$& &&&
&$dnslist_matched$& &&&
@@ -12833,6 +12833,14 @@ A number of variables whose names start with &$spam$& are available when Exim
is compiled with the content-scanning extension. For details, see section
&<<SECTscanspamass>>&.
+.new
+.vitem &$spf_header_comment$& &&&
+ &$spf_received$& &&&
+ &$spf_result$& &&&
+ &$spf_smtp_comment$&
+These variables are only available if Exim is built with SPF support.
+For details see section &<<SECSPF>>&.
+.wen
.vitem &$spool_directory$&
.vindex "&$spool_directory$&"
@@ -14086,7 +14094,7 @@ acknowledgment is sent. See chapter &<<CHAPACL>>& for further details.
This option defines the ACL that is run for each DKIM signature
(by default, or as specified in the dkim_verify_signers option)
of a received message.
-See chapter &<<CHAPdkim>>& for further details.
+See section &<<SECDKIMVFY>>& for further details.
.option acl_smtp_etrn main string&!! unset
.cindex "ETRN" "ACL for"
@@ -14619,7 +14627,7 @@ to handle IPv6 literal addresses.
This option gives a list of DKIM domains for which the DKIM ACL is run.
It is expanded after the message is received; by default it runs
the ACL once for each signature in the message.
-See chapter &<<CHAPdkim>>&.
+See section &<<SECDKIMVFY>>&.
.option dns_again_means_nonexist main "domain list&!!" unset
@@ -16804,17 +16812,21 @@ response to EHLO only to those client hosts that match this option. See
chapter &<<CHAPi18n>>& for details of Exim's support for internationalisation.
-.option spamd_address main string "see below"
+.option spamd_address main string "127.0.0.1 783"
This option is available when Exim is compiled with the content-scanning
extension. It specifies how Exim connects to SpamAssassin's &%spamd%& daemon.
-The default value is
-.code
-127.0.0.1 783
-.endd
See section &<<SECTscanspamass>>& for more details.
+.new
+.option spf_guess main string "v=spf1 a/24 mx/24 ptr ?all"
+This option is available when Exim is compiled with SPF support.
+See section &<<SECSPF>>& for more details.
+.wen
+
+
+
.option split_spool_directory main boolean false
.cindex "multiple spool directories"
.cindex "spool directory" "split"
@@ -28115,7 +28127,7 @@ otherwise specified, the default action is to accept.
This ACL is evaluated before &%acl_smtp_mime%& and &%acl_smtp_data%&.
-For details on the operation of DKIM, see chapter &<<CHAPdkim>>&.
+For details on the operation of DKIM, see section &<<SECDKIM>>&.
.section "The SMTP MIME ACL" "SECID194"
@@ -29181,7 +29193,7 @@ contexts):
.cindex "disable DKIM verify"
.cindex "DKIM" "disable verify"
This control turns off DKIM verification processing entirely. For details on
-the operation and configuration of DKIM, see chapter &<<CHAPdkim>>&.
+the operation and configuration of DKIM, see section &<<SECDKIM>>&.
.vitem &*control&~=&~dscp/*&<&'value'&>
@@ -38483,15 +38495,23 @@ There is no dot-stuffing (and no dot-termination).
. ////////////////////////////////////////////////////////////////////////////
. ////////////////////////////////////////////////////////////////////////////
-.chapter "Support for DKIM (DomainKeys Identified Mail)" "CHAPdkim" &&&
- "DKIM Support"
+.chapter "DKIM and SPF" "CHAPdkim" &&&
+ "DKIM and SPF Support"
.cindex "DKIM"
+.section "DKIM (DomainKeys Identified Mail)" SECDKIM
+
DKIM is a mechanism by which messages sent by some entity can be provably
linked to a domain which that entity controls. It permits reputation to
be tracked on a per-domain basis, rather than merely upon source IP address.
DKIM is documented in RFC 4871.
+.new
+As DKIM relies on the message being unchanged in transit, messages handled
+by a mailing-list (which traditionally adds to the message) will not match
+any original DKIM signature.
+.wen
+
DKIM support is compiled into Exim by default if TLS support is present.
It can be disabled by setting DISABLE_DKIM=yes in &_Local/Makefile_&.
@@ -38612,7 +38632,7 @@ will be signed, and one signtature added for a missing header with the
name will be appended.
-.section "Verifying DKIM signatures in incoming mail" "SECID514"
+.section "Verifying DKIM signatures in incoming mail" "SECDKIMVFY"
.cindex "DKIM" "verification"
Verification of DKIM signatures in SMTP incoming email is implemented via the
@@ -38829,6 +38849,178 @@ see the documentation of the &%$dkim_verify_status%& expansion variable above
for more information of what they mean.
.endlist
+
+
+
+.new
+.section "SPF (Sender Policy Framework)" SECSPF
+.cindex SPF verification
+
+SPF is a mechanism whereby a domain may assert which IP addresses may transmit
+messages with its domain in the envelope from, documented by RFC 7208.
+For more information on SPF see &url(http://www.openspf.org).
+
+Messages sent by a system not authorised will fail checking of such assertions.
+This includes retransmissions done by traditional forwarders.
+
+SPF verification support is built into Exim if SUPPORT_SPF=yes is set in
+&_Local/Makefile_&. The support uses the &_libspf2_& library
+&url(http://www.libspf2.org/).
+There is no Exim involvement on the trasmission of messages; publishing certain
+DNS records is all that is required.
+
+For verification, an ACL condition and an expansion lookup are provided.
+
+.cindex SPF "ACL condition"
+.cindex ACL "spf condition"
+The ACL condition "spf" can be used at or after the MAIL ACL.
+It takes as an argument a list of strings giving the outcome of the SPF check,
+and will succeed for any matching outcome.
+Valid strings are:
+.vlist
+.vitem &%pass%&
+The SPF check passed, the sending host is positively verified by SPF.
+
+.vitem &%fail%&
+The SPF check failed, the sending host is NOT allowed to send mail for the
+domain in the envelope-from address.
+
+.vitem &%softfail%&
+The SPF check failed, but the queried domain can't absolutely confirm that this
+is a forgery.
+
+.vitem &%none%&
+The queried domain does not publish SPF records.
+
+.vitem &%neutral%&
+The SPF check returned a "neutral" state. This means the queried domain has
+published a SPF record, but wants to allow outside servers to send mail under
+its domain as well. This should be treated like "none".
+
+.vitem &%permerror%&
+This indicates a syntax error in the SPF record of the queried domain.
+You may deny messages when this occurs. (Changed in 4.83)
+
+.vitem &%temperror%&
+This indicates a temporary error during all processing, including Exim's
+SPF processing. You may defer messages when this occurs.
+(Changed in 4.83)
+
+.vitem &%err_temp%&
+Same as permerror, deprecated in 4.83, will be removed in a future release.
+
+.vitem &%err_perm%&
+Same as temperror, deprecated in 4.83, will be removed in a future release.
+.endlist
+
+You can prefix each string with an exclamation mark to invert
+its meaning, for example "!fail" will match all results but
+"fail". The string list is evaluated left-to-right, in a
+short-circuit fashion.
+
+Example:
+.code
+deny spf = fail
+ message = $sender_host_address is not allowed to send mail from \
+ ${if def:sender_address_domain \
+ {$sender_address_domain}{$sender_helo_name}}. \
+ Please see http://www.openspf.org/Why?scope=\
+ ${if def:sender_address_domain {mfrom}{helo}};\
+ identity=${if def:sender_address_domain \
+ {$sender_address}{$sender_helo_name}};\
+ ip=$sender_host_address
+.endd
+
+When the spf condition has run, it sets up several expansion
+variables:
+
+.cindex SPF "verification variables"
+.vlist
+.vitem &$spf_header_comment$&
+.vindex &$spf_header_comment$&
+ This contains a human-readable string describing the outcome
+ of the SPF check. You can add it to a custom header or use
+ it for logging purposes.
+
+.vitem &$spf_received$&
+.vindex &$spf_received$&
+ This contains a complete Received-SPF: header that can be
+ added to the message. Please note that according to the SPF
+ draft, this header must be added at the top of the header
+ list. Please see section 10 on how you can do this.
+
+ Note: in case of "Best-guess" (see below), the convention is
+ to put this string in a header called X-SPF-Guess: instead.
+
+.vitem &$spf_result$&
+.vindex &$spf_result$&
+ This contains the outcome of the SPF check in string form,
+ one of pass, fail, softfail, none, neutral, permerror or
+ temperror.
+
+.vitem &$spf_smtp_comment$&
+.vindex &$spf_smtp_comment$&
+ This contains a string that can be used in a SMTP response
+ to the calling party. Useful for "fail".
+.endlist
+
+
+.cindex SPF "ACL condition"
+.cindex ACL "spf_guess condition"
+.cindex SPF "best guess"
+In addition to SPF, you can also perform checks for so-called
+"Best-guess". Strictly speaking, "Best-guess" is not standard
+SPF, but it is supported by the same framework that enables SPF
+capability.
+Refer to &url(http://www.openspf.org/FAQ/Best_guess_record)
+for a description of what it means.
+
+To access this feature, simply use the spf_guess condition in place
+of the spf one. For example:
+
+.code
+deny spf_guess = fail
+ message = $sender_host_address doesn't look trustworthy to me
+.endd
+
+In case you decide to reject messages based on this check, you
+should note that although it uses the same framework, "Best-guess"
+is not SPF, and therefore you should not mention SPF at all in your
+reject message.
+
+When the spf_guess condition has run, it sets up the same expansion
+variables as when spf condition is run, described above.
+
+Additionally, since Best-guess is not standardized, you may redefine
+what "Best-guess" means to you by redefining the main configuration
+&%spf_guess%& option.
+For example, the following:
+
+.code
+spf_guess = v=spf1 a/16 mx/16 ptr ?all
+.endd
+
+would relax host matching rules to a broader network range.
+
+
+.cindex SPF "lookup expansion"
+.cindex lookup spf
+A lookup expansion is also available. It takes an email
+address as the key and an IP address as the database:
+
+.code
+ ${lookup {username@domain} spf {ip.ip.ip.ip}}
+.endd
+
+The lookup will return the same result strings as they can appear in
+&$spf_result$& (pass,fail,softfail,neutral,none,err_perm,err_temp).
+Currently, only IPv4 addresses are supported.
+
+
+. wen-for SPF section
+.wen
+
+
. ////////////////////////////////////////////////////////////////////////////
. ////////////////////////////////////////////////////////////////////////////
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 590343f82..cfa44b713 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -17,6 +17,9 @@ Version 4.91
3. Feature macros for the compiled-in set of malware scanner interfaces.
+ 4. SPF support is promoted from Experimental to mainline status. The template
+ src/EDITME makefile does not enable its inclusion.
+
Version 4.90
------------
diff --git a/doc/doc-txt/experimental-spec.txt b/doc/doc-txt/experimental-spec.txt
index db7a9a51d..b77fb733f 100644
--- a/doc/doc-txt/experimental-spec.txt
+++ b/doc/doc-txt/experimental-spec.txt
@@ -292,173 +292,6 @@ These four steps are explained in more details below.
-Sender Policy Framework (SPF) support
---------------------------------------------------------------
-
-To learn more about SPF, visit http://www.openspf.org. This
-document does not explain the SPF fundamentals, you should
-read and understand the implications of deploying SPF on your
-system before doing so.
-
-SPF support is added via the libspf2 library. Visit
-
- http://www.libspf2.org/
-
-to obtain a copy, then compile and install it. By default,
-this will put headers in /usr/local/include and the static
-library in /usr/local/lib.
-
-To compile Exim with SPF support, set these additional flags in
-Local/Makefile:
-
-EXPERIMENTAL_SPF=yes
-CFLAGS=-DSPF -I/usr/local/include
-EXTRALIBS_EXIM=-L/usr/local/lib -lspf2
-
-This assumes that the libspf2 files are installed in
-their default locations.
-
-You can now run SPF checks in incoming SMTP by using the "spf"
-ACL condition in either the MAIL, RCPT or DATA ACLs. When
-using it in the RCPT ACL, you can make the checks dependent on
-the RCPT address (or domain), so you can check SPF records
-only for certain target domains. This gives you the
-possibility to opt-out certain customers that do not want
-their mail to be subject to SPF checking.
-
-The spf condition takes a list of strings on its right-hand
-side. These strings describe the outcome of the SPF check for
-which the spf condition should succeed. Valid strings are:
-
- o pass The SPF check passed, the sending host
- is positively verified by SPF.
- o fail The SPF check failed, the sending host
- is NOT allowed to send mail for the domain
- in the envelope-from address.
- o softfail The SPF check failed, but the queried
- domain can't absolutely confirm that this
- is a forgery.
- o none The queried domain does not publish SPF
- records.
- o neutral The SPF check returned a "neutral" state.
- This means the queried domain has published
- a SPF record, but wants to allow outside
- servers to send mail under its domain as well.
- This should be treated like "none".
- o permerror This indicates a syntax error in the SPF
- record of the queried domain. You may deny
- messages when this occurs. (Changed in 4.83)
- o temperror This indicates a temporary error during all
- processing, including Exim's SPF processing.
- You may defer messages when this occurs.
- (Changed in 4.83)
- o err_temp Same as permerror, deprecated in 4.83, will be
- removed in a future release.
- o err_perm Same as temperror, deprecated in 4.83, will be
- removed in a future release.
-
-You can prefix each string with an exclamation mark to invert
-its meaning, for example "!fail" will match all results but
-"fail". The string list is evaluated left-to-right, in a
-short-circuit fashion. When a string matches the outcome of
-the SPF check, the condition succeeds. If none of the listed
-strings matches the outcome of the SPF check, the condition
-fails.
-
-Here is an example to fail forgery attempts from domains that
-publish SPF records:
-
-/* -----------------
-deny message = $sender_host_address is not allowed to send mail from ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
- Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain {mfrom}{helo}};identity=${if def:sender_address_domain {$sender_address}{$sender_helo_name}};ip=$sender_host_address
- spf = fail
---------------------- */
-
-You can also give special treatment to specific domains:
-
-/* -----------------
-deny message = AOL sender, but not from AOL-approved relay.
- sender_domains = aol.com
- spf = fail:neutral
---------------------- */
-
-Explanation: AOL publishes SPF records, but is liberal and
-still allows non-approved relays to send mail from aol.com.
-This will result in a "neutral" state, while mail from genuine
-AOL servers will result in "pass". The example above takes
-this into account and treats "neutral" like "fail", but only
-for aol.com. Please note that this violates the SPF draft.
-
-When the spf condition has run, it sets up several expansion
-variables.
-
- $spf_header_comment
- This contains a human-readable string describing the outcome
- of the SPF check. You can add it to a custom header or use
- it for logging purposes.
-
- $spf_received
- This contains a complete Received-SPF: header that can be
- added to the message. Please note that according to the SPF
- draft, this header must be added at the top of the header
- list. Please see section 10 on how you can do this.
-
- Note: in case of "Best-guess" (see below), the convention is
- to put this string in a header called X-SPF-Guess: instead.
-
- $spf_result
- This contains the outcome of the SPF check in string form,
- one of pass, fail, softfail, none, neutral, permerror or
- temperror.
-
- $spf_smtp_comment
- This contains a string that can be used in a SMTP response
- to the calling party. Useful for "fail".
-
-In addition to SPF, you can also perform checks for so-called
-"Best-guess". Strictly speaking, "Best-guess" is not standard
-SPF, but it is supported by the same framework that enables SPF
-capability. Refer to http://www.openspf.org/FAQ/Best_guess_record
-for a description of what it means.
-
-To access this feature, simply use the spf_guess condition in place
-of the spf one. For example:
-
-/* -----------------
-deny message = $sender_host_address doesn't look trustworthy to me
- spf_guess = fail
---------------------- */
-
-In case you decide to reject messages based on this check, you
-should note that although it uses the same framework, "Best-guess"
-is NOT SPF, and therefore you should not mention SPF at all in your
-reject message.
-
-When the spf_guess condition has run, it sets up the same expansion
-variables as when spf condition is run, described above.
-
-Additionally, since Best-guess is not standardized, you may redefine
-what "Best-guess" means to you by redefining spf_guess variable in
-global config. For example, the following:
-
-/* -----------------
-spf_guess = v=spf1 a/16 mx/16 ptr ?all
---------------------- */
-
-would relax host matching rules to a broader network range.
-
-
-A lookup expansion is also available. It takes an email
-address as the key and an IP address as the database:
-
- ${lookup {username@domain} spf {ip.ip.ip.ip}}
-
-The lookup will return the same result strings as they can appear in
-$spf_result (pass,fail,softfail,neutral,none,err_perm,err_temp).
-Currently, only IPv4 addresses are supported.
-
-
-
SRS (Sender Rewriting Scheme) Support
--------------------------------------------------------------
diff --git a/src/src/EDITME b/src/src/EDITME
index 3a57fab11..9dcd174ca 100644
--- a/src/src/EDITME
+++ b/src/src/EDITME
@@ -463,14 +463,6 @@ DISABLE_MAL_MKS=yes
# EXPERIMENTAL_DCC=yes
-# Uncomment the following lines to add SPF support. You need to have libspf2
-# installed on your system (www.libspf2.org). Depending on where it is installed
-# you may have to edit the CFLAGS and LDFLAGS lines.
-
-# EXPERIMENTAL_SPF=yes
-# CFLAGS += -I/usr/local/include
-# LDFLAGS += -lspf2
-
# Uncomment the following lines to add SRS (Sender rewriting scheme) support.
# You need to have libsrs_alt installed on your system (srs.mirtol.com).
# Depending on where it is installed you may have to edit the CFLAGS and
@@ -979,6 +971,16 @@ ZCAT_COMMAND=/usr/bin/zcat
#------------------------------------------------------------------------------
+# Uncomment the following lines to add SPF support. You need to have libspf2
+# installed on your system (www.libspf2.org). Depending on where it is installed
+# you may have to edit the CFLAGS and LDFLAGS lines.
+
+# SUPPORT_SPF=yes
+# CFLAGS += -I/usr/local/include
+# LDFLAGS += -lspf2
+
+
+#------------------------------------------------------------------------------
# Support for authentication via Radius is also available. The Exim support,
# which is intended for use in conjunction with the SMTP AUTH facilities,
# is included only when requested by setting the following parameter to the
diff --git a/src/src/acl.c b/src/src/acl.c
index 045535526..7d54cdd52 100644
--- a/src/src/acl.c
+++ b/src/src/acl.c
@@ -102,7 +102,7 @@ enum { ACLC_ACL,
#ifdef WITH_CONTENT_SCAN
ACLC_SPAM,
#endif
-#ifdef EXPERIMENTAL_SPF
+#ifdef SUPPORT_SPF
ACLC_SPF,
ACLC_SPF_GUESS,
#endif
@@ -312,7 +312,7 @@ static condition_def conditions[] = {
(1<<ACL_WHERE_NOTSMTP)),
},
#endif
-#ifdef EXPERIMENTAL_SPF
+#ifdef SUPPORT_SPF
[ACLC_SPF] = { US"spf", TRUE, FALSE,
(1<<ACL_WHERE_AUTH)|(1<<ACL_WHERE_CONNECT)|
(1<<ACL_WHERE_HELO)|
@@ -3682,7 +3682,7 @@ for (; cb != NULL; cb = cb->next)
break;
#endif
-#ifdef EXPERIMENTAL_SPF
+#ifdef SUPPORT_SPF
case ACLC_SPF:
rc = spf_process(&arg, sender_address, SPF_PROCESS_NORMAL);
break;
diff --git a/src/src/config.h.defaults b/src/src/config.h.defaults
index a9d071765..810d8969b 100644
--- a/src/src/config.h.defaults
+++ b/src/src/config.h.defaults
@@ -147,6 +147,7 @@ Do not put spaces between # and the 'define'.
#define SUPPORT_PAM
#define SUPPORT_PROXY
#define SUPPORT_SOCKS
+#define SUPPORT_SPF
#define SUPPORT_TLS
#define SUPPORT_TRANSLATE_IP_ADDRESS
@@ -196,7 +197,6 @@ Do not put spaces between # and the 'define'.
#define DMARC_TLD_FILE "/etc/exim/opendmarc.tlds"
#define EXPERIMENTAL_LMDB
#define EXPERIMENTAL_QUEUEFILE
-#define EXPERIMENTAL_SPF
#define EXPERIMENTAL_SRS
diff --git a/src/src/dmarc.c b/src/src/dmarc.c
index 6cb5b19fe..37ac9c555 100644
--- a/src/src/dmarc.c
+++ b/src/src/dmarc.c
@@ -12,7 +12,7 @@
#include "exim.h"
#ifdef EXPERIMENTAL_DMARC
-# if !defined EXPERIMENTAL_SPF
+# if !defined SUPPORT_SPF
# error SPF must also be enabled for DMARC
# elif defined DISABLE_DKIM
# error DKIM must also be enabled for DMARC
@@ -632,7 +632,7 @@ if (header_from_sender)
return hdr_tmp;
}
-# endif /* EXPERIMENTAL_SPF */
+# endif /* SUPPORT_SPF */
#endif /* EXPERIMENTAL_DMARC */
/* vi: aw ai sw=2
*/
diff --git a/src/src/dmarc.h b/src/src/dmarc.h
index 78e2a5b7b..764ff88ff 100644
--- a/src/src/dmarc.h
+++ b/src/src/dmarc.h
@@ -12,9 +12,9 @@
#ifdef EXPERIMENTAL_DMARC
# include "opendmarc/dmarc.h"
-# ifdef EXPERIMENTAL_SPF
+# ifdef SUPPORT_SPF
# include "spf2/spf.h"
-# endif /* EXPERIMENTAL_SPF */
+# endif /* SUPPORT_SPF */
/* prototypes */
int dmarc_init();
diff --git a/src/src/drtables.c b/src/src/drtables.c
index d8904ac4f..36bf64261 100644
--- a/src/src/drtables.c
+++ b/src/src/drtables.c
@@ -578,7 +578,7 @@ extern lookup_module_info redis_lookup_module_info;
#if defined(EXPERIMENTAL_LMDB)
extern lookup_module_info lmdb_lookup_module_info;
#endif
-#if defined(EXPERIMENTAL_SPF)
+#if defined(SUPPORT_SPF)
extern lookup_module_info spf_lookup_module_info;
#endif
#if defined(LOOKUP_SQLITE) && LOOKUP_SQLITE!=2
@@ -669,7 +669,7 @@ init_lookup_list(void)
addlookupmodule(NULL, &lmdb_lookup_module_info);
#endif
-#ifdef EXPERIMENTAL_SPF
+#ifdef SUPPORT_SPF
addlookupmodule(NULL, &spf_lookup_module_info);
#endif
diff --git a/src/src/exim.c b/src/src/exim.c
index 2189bc051..01c0e306a 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -840,6 +840,9 @@ fprintf(f, "Support for:");
#ifdef SUPPORT_SOCKS
fprintf(f, " SOCKS");
#endif
+#ifdef SUPPORT_SPF
+ fprintf(f, " SPF");
+#endif
#ifdef TCP_FASTOPEN
deliver_init();
if (tcp_fastopen_ok) fprintf(f, " TCP_Fast_Open");
@@ -850,9 +853,6 @@ fprintf(f, "Support for:");
#ifdef EXPERIMENTAL_QUEUEFILE
fprintf(f, " Experimental_QUEUEFILE");
#endif
-#ifdef EXPERIMENTAL_SPF
- fprintf(f, " Experimental_SPF");
-#endif
#ifdef EXPERIMENTAL_SRS
fprintf(f, " Experimental_SRS");
#endif
diff --git a/src/src/exim.h b/src/src/exim.h
index 770fd6333..faeb6455b 100644
--- a/src/src/exim.h
+++ b/src/src/exim.h
@@ -502,7 +502,7 @@ config.h, mytypes.h, and store.h, so we don't need to mention them explicitly.
#ifdef EXPERIMENTAL_BRIGHTMAIL
# include "bmi_spam.h"
#endif
-#ifdef EXPERIMENTAL_SPF
+#ifdef SUPPORT_SPF
# include "spf.h"
#endif
#ifdef EXPERIMENTAL_SRS
diff --git a/src/src/expand.c b/src/src/expand.c
index 3a63a7c78..2b40823c9 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -700,7 +700,7 @@ static var_entry var_table[] = {
{ "spam_score", vtype_stringptr, &spam_score },
{ "spam_score_int", vtype_stringptr, &spam_score_int },
#endif
-#ifdef EXPERIMENTAL_SPF
+#ifdef SUPPORT_SPF
{ "spf_guess", vtype_stringptr, &spf_guess },
{ "spf_header_comment", vtype_stringptr, &spf_header_comment },
{ "spf_received", vtype_stringptr, &spf_received },
diff --git a/src/src/globals.c b/src/src/globals.c
index 5df84bd10..346bb0744 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -1360,7 +1360,7 @@ uschar *spam_action = NULL;
uschar *spam_score = NULL;
uschar *spam_score_int = NULL;
#endif
-#ifdef EXPERIMENTAL_SPF
+#ifdef SUPPORT_SPF
uschar *spf_guess = US"v=spf1 a/24 mx/24 ptr ?all";
uschar *spf_header_comment = NULL;
uschar *spf_received = NULL;
diff --git a/src/src/globals.h b/src/src/globals.h
index 37d4cada3..0c1b6ccbc 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -867,7 +867,7 @@ extern uschar *spam_action; /* the spamd recommended-action */
extern uschar *spam_score; /* the spam score (float) */
extern uschar *spam_score_int; /* spam_score * 10 (int) */
#endif
-#ifdef EXPERIMENTAL_SPF
+#ifdef SUPPORT_SPF
extern uschar *spf_guess; /* spf best-guess record */
extern uschar *spf_header_comment; /* spf header comment */
extern uschar *spf_received; /* Received-SPF: header */
diff --git a/src/src/lookups/spf.c b/src/src/lookups/spf.c
index ad56a2a8d..b32a73e6a 100644
--- a/src/src/lookups/spf.c
+++ b/src/src/lookups/spf.c
@@ -18,7 +18,7 @@
#include "../exim.h"
-#ifndef EXPERIMENTAL_SPF
+#ifndef SUPPORT_SPF
static void dummy(int x);
static void dummy2(int x) { dummy(x-1); }
static void dummy(int x) { dummy2(x-1); }
@@ -118,4 +118,4 @@ static lookup_info _lookup_info = {
static lookup_info *_lookup_list[] = { &_lookup_info };
lookup_module_info spf_lookup_module_info = { LOOKUP_MODULE_INFO_MAGIC, _lookup_list, 1 };
-#endif /* EXPERIMENTAL_SPF */
+#endif /* SUPPORT_SPF */
diff --git a/src/src/macro_predef.c b/src/src/macro_predef.c
index 08028bf5b..47ba3fdd1 100644
--- a/src/src/macro_predef.c
+++ b/src/src/macro_predef.c
@@ -174,7 +174,7 @@ due to conflicts with other common macros. */
#ifdef EXPERIMENTAL_LMDB
builtin_macro_create(US"_HAVE_LMDB");
#endif
-#ifdef EXPERIMENTAL_SPF
+#ifdef SUPPORT_SPF
builtin_macro_create(US"_HAVE_SPF");
#endif
#ifdef EXPERIMENTAL_SRS
diff --git a/src/src/readconf.c b/src/src/readconf.c
index 8d5f38c58..007e8444e 100644
--- a/src/src/readconf.c
+++ b/src/src/readconf.c
@@ -304,7 +304,7 @@ static optionlist optionlist_config[] = {
#ifdef WITH_CONTENT_SCAN
{ "spamd_address", opt_stringptr, &spamd_address },
#endif
-#ifdef EXPERIMENTAL_SPF
+#ifdef SUPPORT_SPF
{ "spf_guess", opt_stringptr, &spf_guess },
#endif
{ "split_spool_directory", opt_bool, &split_spool_directory },
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index 92e4a2908..498cfab5e 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -2007,7 +2007,7 @@ deliver_host = deliver_host_address = NULL; /* Can be set by ACL */
#ifndef DISABLE_PRDR
prdr_requested = FALSE;
#endif
-#ifdef EXPERIMENTAL_SPF
+#ifdef SUPPORT_SPF
spf_header_comment = NULL;
spf_received = NULL;
spf_result = NULL;
@@ -4082,7 +4082,7 @@ while (done <= 0)
}
}
-#ifdef EXPERIMENTAL_SPF
+#ifdef SUPPORT_SPF
/* set up SPF context */
spf_init(sender_helo_name, sender_host_address);
#endif
diff --git a/src/src/spf.c b/src/src/spf.c
index ffd278af8..1d4e032e9 100644
--- a/src/src/spf.c
+++ b/src/src/spf.c
@@ -11,7 +11,7 @@
/* Code for calling spf checks via libspf-alt. Called from acl.c. */
#include "exim.h"
-#ifdef EXPERIMENTAL_SPF
+#ifdef SUPPORT_SPF
/* must be kept in numeric order */
static spf_result_id spf_result_id_list[] = {
diff --git a/src/src/spf.h b/src/src/spf.h
index 0d982f336..23ad325f1 100644
--- a/src/src/spf.h
+++ b/src/src/spf.h
@@ -8,7 +8,7 @@
Copyright (c) The Exim Maintainers 2016
*/
-#ifdef EXPERIMENTAL_SPF
+#ifdef SUPPORT_SPF
/* Yes, we do have ns_type. spf.h redefines it if we don't set this. Doh */
#ifndef HAVE_NS_TYPE
diff --git a/test/scripts/4600-SPF/REQUIRES b/test/scripts/4600-SPF/REQUIRES
index c4c433924..0fde5fb3f 100644
--- a/test/scripts/4600-SPF/REQUIRES
+++ b/test/scripts/4600-SPF/REQUIRES
@@ -1 +1 @@
-support Experimental_SPF
+support SPF