As I understand it, our SPF record will now allow other people to do that for our domain if they are configured to do so, but is further configuration required for our own SME install to do the same check?
Yes, there are ways to block this, even if it's not enabled by default. Here's how I do this:
Create /etc/e-smith/templates-custom/var/service/qpsmtpd/config/peers/0/30check_spf
{
    my $spf = $qpsmtpd{'CheckSPF'} || 'disabled';
    # Emit the plugin line only when CheckSPF is set to 0, 1 or 2
    return '' unless ($spf =~ m/^[012]$/);
    return "sender_permitted_from spf_deny $spf";
}
Now, you can enable SPF verification for email coming from outside with:
db configuration setprop qpsmtpd CheckSPF 1
signal-event email-update
(valid values are 0, 1, 2, see /usr/share/qpsmtpd/plugins/sender_permitted_from for details).
Ok, now you can check emails are indeed sent by the permitted host, but this won't work for your own domains, simply because for your own domains, your SME Server is usually the DNS server, which has no SPF entries. Let's fix this:
Create /etc/e-smith/templates-custom/var/service/tinydns/root/data/85Spf
{
    # Only publish SPF data when RejectSpoofedLocalDomains is enabled
    if (($qpsmtpd{RejectSpoofedLocalDomains} || 'disabled') eq 'enabled'){
        $OUT .= "# SPF entries for local domains\n";
        my $allowed = '';
        foreach my $ip ( split /[;,]/, ($qpsmtpd{AllowedRemoteIP} || '')){
            # \072 is the octal escape for ':', which tinydns would
            # otherwise read as a field separator
            $allowed .= 'ip4\072'.$ip.' ';
        }
        # One TXT record (') and one type 99 (SPF) record per local domain
        foreach my $domain (get_domains()){
            $OUT .= "'$domain:v=spf1 mx $allowed-all:3600\n";
            $OUT .= ":$domain:99:\041v=spf1 mx $allowed-all:3600\n";
        }
    }
    else{
        $OUT .= "\n";
    }
}
Now, you can configure SME to reject emails if the sender is using one of your locally managed domains:
db configuration setprop qpsmtpd RejectSpoofedLocalDomains enabled
signal-event domain-modify
But, if you happen to have an external server which should be allowed to use one of your domains, you can allow it:
db configuration setprop qpsmtpd AllowedRemoteIP 12.13.14.15,25.26.27.28
signal-event domain-modify
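
An added example, not part of the post above: a small Python 3 check that reads the TXT lines the 85Spf template writes into the tinydns data file, decodes the \072 escapes and reports the SPF policy each local domain will publish. The domain example.com and the sample line are constructed for illustration; the two IPs are the ones used in the AllowedRemoteIP command above.

```python
import ipaddress
import re

# Constructed sample: the TXT line the 85Spf template would emit for one
# domain with AllowedRemoteIP set to 12.13.14.15,25.26.27.28.
SAMPLE_DATA = r"""
# SPF entries for local domains
'example.com:v=spf1 mx ip4\07212.13.14.15 ip4\07225.26.27.28 -all:3600
"""

def decode_octal(text):
    # tinydns escapes are a backslash plus three octal digits (072 is ':').
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), text)

def spf_records(data):
    """Map each domain to the SPF policy found in tinydns TXT (') lines."""
    records = {}
    for line in data.splitlines():
        if not line.startswith("'"):
            continue  # comments, blank lines and other record types
        # Fields are colon separated; colons inside the text are escaped.
        domain, text = line[1:].split(":")[:2]
        text = decode_octal(text)
        if text.startswith("v=spf1 "):
            records[domain] = text
    return records

def audit(policy):
    """Summarise what a policy permits: mx, explicit ip4 ranges, hard fail."""
    terms = policy.split()[1:]
    ip4 = [ipaddress.ip_network(t[4:]) for t in terms if t.startswith("ip4:")]
    return {"hard_fail": terms[-1] == "-all", "uses_mx": "mx" in terms, "ip4": ip4}

def ip_listed(policy, ip):
    """True if ip matches an ip4 mechanism (the mx mechanism is not resolved)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in audit(policy)["ip4"])

if __name__ == "__main__":
    for domain, policy in spf_records(SAMPLE_DATA).items():
        print(domain, policy, audit(policy))
```

A policy that does not end in -all, or an ip4 entry you do not recognise, is worth reviewing before relying on RejectSpoofedLocalDomains.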