Integrate changes from 4.92
725c9874 1
2### acl/30_exim4-config_check_rcpt
3#################################
4
5# define macros to be used below in this file to check recipient
6# local parts for strange characters. Documentation below.
7# This blocks local parts that begin with a dot or contain a quite
8# broad range of non-alphanumeric characters.
9
10.ifndef CHECK_RCPT_LOCAL_LOCALPARTS
11CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]
12.endif
13
14.ifndef CHECK_RCPT_REMOTE_LOCALPARTS
15CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
16.endif
17
725c9874 18# This access control list is used for every RCPT command in an incoming
19# SMTP message. The tests are run in order until the address is either
20# accepted or denied.
21#
22acl_check_rcpt:
d2b0a567 23
725c9874 24 # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
25 # testing for an empty sending host field.
26 accept
27 hosts = :
d21ec910 28 control = dkim_disable_verify
725c9874 29
30 # Do not try to verify DKIM signatures of incoming mail if DC_minimaldns
31 # or DISABLE_DKIM_VERIFY are set.
32.ifdef DC_minimaldns
33 warn
34 control = dkim_disable_verify
35.else
36.ifdef DISABLE_DKIM_VERIFY
37 warn
38 control = dkim_disable_verify
39.endif
40.endif
725c9874 41
725c9874 42 # The following section of the ACL is concerned with local parts that contain
43 # certain non-alphanumeric characters. Dots in unusual places are
44 # handled by this ACL as well.
45 #
46 # Non-alphanumeric characters other than dots are rarely found in genuine
47 # local parts, but are often tried by people looking to circumvent
48 # relaying restrictions. Therefore, although they are valid in local
49 # parts, these rules disallow certain non-alphanumeric characters, as
50 # a precaution.
51 #
52 # Empty components (two dots in a row) are not valid in RFC 2822, but Exim
53 # allows them because they have been encountered. (Consider local parts
54 # constructed as "firstinitial.secondinitial.familyname" when applied to
55 # a name without a second initial.) However, a local part starting
56 # with a dot or containing /../ can cause trouble if it is used as part of a
57 # file name (e.g. for a mailing list). This is also true for local parts that
58 # contain slashes. A pipe symbol can also be troublesome if the local part is
59 # incorporated unthinkingly into a shell command line.
60 #
d2b0a567 61 # These ACL components will block recipient addresses that are valid
7b83f2a3 62 # from an RFC5322 point of view. We chose to have them blocked by
d2b0a567 63 # default for security reasons.
64 #
65 # If you feel that your site should have less strict recipient
66 # checking, please feel free to change the default values of the macros
67 # defined in main/01_exim4-config_listmacrosdefs or override them from a
68 # local configuration file.
69 #
725c9874 70 # Two different rules are used. The first one has a quite strict
71 # default, and is applied to messages that are addressed to one of the
72 # local domains handled by this host.
d2b0a567 73
74 # The default value of CHECK_RCPT_LOCAL_LOCALPARTS is defined
75 # at the top of this file.
725c9874 76 .ifdef CHECK_RCPT_LOCAL_LOCALPARTS
77 deny
bbc29c5a 78 domains = +local_domains : +unix_domains
725c9874 79 local_parts = CHECK_RCPT_LOCAL_LOCALPARTS
80 message = restricted characters in address
81 .endif
82
83
84 # The second rule applies to all other domains, and its default is
85 # considerably less strict.
d2b0a567 86
87 # The default value of CHECK_RCPT_REMOTE_LOCALPARTS is defined at the
88 # top of this file unless already set, e.g. in main/01_exim4-config_listmacrosdefs:
89 # CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
90
91 # It allows local users to send outgoing messages to sites
92 # that use slashes and vertical bars in their local parts. It blocks
93 # local parts that begin with a dot, slash, or vertical bar, but allows
94 # these characters within the local part. However, the sequence /../ is
95 # barred. The use of some other non-alphanumeric characters is blocked.
96 # Single quotes may well be dangerous too, but the default regexps
97 # allow them to avoid rejecting mail to Ireland (names such as O'Brien).
98 # The motivation here is to prevent local users (or local users' malware)
99 # from mounting certain kinds of attack on remote sites.
725c9874 100 .ifdef CHECK_RCPT_REMOTE_LOCALPARTS
101 deny
bbc29c5a 102 domains = !+local_domains : !+unix_domains
725c9874 103 local_parts = CHECK_RCPT_REMOTE_LOCALPARTS
104 message = restricted characters in address
105 .endif
106
107
108 # Accept mail to postmaster in any local domain, regardless of the source,
109 # and without verifying the sender.
110 #
111 accept
112 .ifndef CHECK_RCPT_POSTMASTER
113 local_parts = postmaster
114 .else
115 local_parts = CHECK_RCPT_POSTMASTER
116 .endif
bbc29c5a 117 domains = +local_domains : +unix_domains : +relay_to_domains
d2b0a567 118
d2b0a567 119 # Deny unless the sender address can be verified.
120 #
121 # This is disabled by default so that DNSless systems don't break. If
122 # your system can do DNS lookups without delay or cost, you might want
123 # to enable this feature.
124 #
125 # This feature does not work in smarthost and satellite setups as
126 # with these setups all domains pass verification. See spec.txt section
127 # "Access control lists" subsection "Address verification" with the added
128 # information that a smarthost/satellite setup routes all non-local e-mail
129 # to the smarthost.
d2b0a567 130 .ifdef CHECK_RCPT_VERIFY_SENDER
049ff5b8
CE
131 # hcoop-change: warn so that we can track down webapps sending
132 # without a valid return user, but not break the many web apps that
133 # do so. Fix.
 # NOTE(review): because the verb is "warn", a failed sender verification
 # is only logged ("Sender verification failed"); the RCPT is not rejected
 # and processing continues with the next statement. The conditions are
 # tested in order, so when acl_local_deny_exceptions accepts, the
 # verification is not attempted at all.
134 warn
135 log_message = Sender verification failed
136 !acl = acl_local_deny_exceptions
d2b0a567 137 !verify = sender
138 .endif
139
06b25c81 140 # hcoop-change: Add recommended lines from
141 # /usr/share/doc/mailman/README.EXIM.gz so that bounce messages
142 # get through, even if they are from a malformed address
143
144 # Accept bounces to lists even if callbacks or other checks would fail
 # NOTE(review): the accept below ends this ACL for a matching recipient,
 # so none of the later statements (callouts, local blacklists, the relay
 # and recipient checks, SPF, DNSBLs) run for it. The only gate is the
 # lsearch of $local_part@$domain in MAILMAN_DB returning "true", so the
 # contents of that file decide which addresses get this bypass.
 # The match{} pattern carries no ^/$ anchors. Confirm that MAILMAN_DB keys
 # can match a local part that still includes the "-bounces+..." suffix;
 # if they cannot, both statements are dead.
 # The warn's "message" is presumably the legacy way of adding the
 # X-WhitelistedRCPT header -- confirm for the Exim version in use.
145 warn
146 message = X-WhitelistedRCPT-nohdrfromcallback: Yes
147 condition = ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
ae57a972 148 {def:domain} \
b09d0d57 149 {eq {${lookup{$local_part@$domain}lsearch{MAILMAN_DB}}} \
150 {true}}} \
06b25c81 151 {yes}{no}}
152
153 accept
154 condition = ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
ae57a972 155 {def:domain} \
b09d0d57 156 {eq {${lookup{$local_part@$domain}lsearch{MAILMAN_DB}}} \
157 {true}}} \
06b25c81 158 {yes}{no}}
159
d2b0a567 160 # Verify senders listed in local_sender_callout with a callout.
161 #
162 # In smarthost and satellite setups, this causes the callout to be
163 # done to the smarthost. Verification will thus only be reliable if the
164 # smarthost does reject illegal addresses in the SMTP dialog.
165 deny
d21ec910 166 !acl = acl_local_deny_exceptions
d2b0a567 167 senders = ${if exists{CONFDIR/local_sender_callout}\
168 {CONFDIR/local_sender_callout}\
169 {}}
170 !verify = sender/callout
171
172
173 # Accept if the message comes from one of the hosts for which we are an
174 # outgoing relay. It is assumed that such hosts are most likely to be MUAs,
175 # so we set control=submission to make Exim treat the message as a
176 # submission. It will fix up various errors in the message, for example, the
177 # lack of a Date: header line. If you are actually relaying out from
178 # MTAs, you may want to disable this. If you are handling both relaying from
179 # MTAs and submissions from MUAs you should probably split them into two
180 # lists, and handle them differently.
181
182 # Recipient verification is omitted here, because in many cases the clients
183 # are dumb MUAs that don't cope well with SMTP error responses. If you are
184 # actually relaying out from MTAs, you should probably add recipient
185 # verification here.
186
187 # Note that, by putting this test before any DNS black list checks, you will
188 # always accept from these hosts, even if they end up on a black list. The
189 # assumption is that they are your friends, and if they get onto a black
190 # list, it is a mistake.
191 accept
192 hosts = +relay_from_hosts
193 control = submission/sender_retain
d21ec910 194 control = dkim_disable_verify
d2b0a567 195
196
197 # Accept if the message arrived over an authenticated connection, from
198 # any host. Again, these messages are usually from MUAs, so recipient
199 # verification is omitted, and submission mode is set. And again, we do this
200 # check before any black list tests.
201 accept
202 authenticated = *
203 control = submission/sender_retain
d21ec910 204 control = dkim_disable_verify
d2b0a567 205
206 # Insist that a HELO/EHLO was accepted.
207
208 require message = nice hosts say HELO first
209 condition = ${if def:sender_helo_name}
d2b0a567 210
211 # Insist that any other recipient address that we accept is either in one of
212 # our local domains, or is in a domain for which we explicitly allow
213 # relaying. Any other domain is rejected as being unacceptable for relaying.
214 require
215 message = relay not permitted
bbc29c5a 216 domains = +local_domains : +unix_domains : +relay_to_domains
d2b0a567 217
218
219 # We also require all accepted addresses to be verifiable. This check will
220 # do local part verification for local domains, but only check the domain
221 # for remote domains.
222 require
223 verify = recipient
224
225
226 # Verify recipients listed in local_rcpt_callout with a callout.
227 # This is especially handy for forwarding MX hosts (secondary MX or
228 # mail hubs) of domains that receive a lot of spam to non-existent
229 # addresses. The only way to check local parts for remote relay
230 # domains is to use a callout (add /callout), but please read the
231 # documentation about callouts before doing this.
232 deny
d21ec910 233 !acl = acl_local_deny_exceptions
d2b0a567 234 recipients = ${if exists{CONFDIR/local_rcpt_callout}\
235 {CONFDIR/local_rcpt_callout}\
236 {}}
237 !verify = recipient/callout
725c9874 238
239
725c9874 240 # CONFDIR/local_sender_blacklist holds a list of envelope senders that
241 # should have their access denied to the local host. Incoming messages
242 # with one of these senders are rejected at RCPT time.
243 #
244 # The explicit white lists are honored as well as negative items in
d2b0a567 245 # the black list. See exim4-config_files(5) for details.
725c9874 246 deny
247 message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
7b83f2a3 248 log_message = sender envelope address is locally blacklisted.
d21ec910 249 !acl = acl_local_deny_exceptions
725c9874 250 senders = ${if exists{CONFDIR/local_sender_blacklist}\
251 {CONFDIR/local_sender_blacklist}\
252 {}}
253
254
255 # deny bad sites (IP address)
256 # CONFDIR/local_host_blacklist holds a list of host names, IP addresses
257 # and networks (CIDR notation) that should have their access denied to
258 # the local host. Messages coming in from a listed host will have all
259 # RCPT statements rejected.
260 #
261 # The explicit white lists are honored as well as negative items in
d21ec910 262 # the black list. See exim4-config_files(5) for details.
725c9874 263 deny
264 message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
7b83f2a3 265 log_message = sender IP address is locally blacklisted.
d21ec910 266 !acl = acl_local_deny_exceptions
725c9874 267 hosts = ${if exists{CONFDIR/local_host_blacklist}\
268 {CONFDIR/local_host_blacklist}\
269 {}}
270
271
725c9874 272 # Warn if the sender host does not have valid reverse DNS.
273 #
274 # If your system can do DNS lookups without delay or cost, you might want
275 # to enable this.
276 # If sender_host_address is defined, it's a remote call. If
277 # sender_host_name is not defined, then reverse lookup failed. Use
278 # this instead of !verify = reverse_host_lookup to catch deferrals
279 # as well as outright failures.
280 .ifdef CHECK_RCPT_REVERSE_DNS
281 warn
d21ec910 282 condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\
725c9874 283 {yes}{no}}
284 log_message = Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}})
285 add_header = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}})
725c9874 286 .endif
287
288
d2b0a567 289 # Use spfquery to perform a pair of SPF checks (for details, see
290 # http://www.openspf.org/)
291 #
292 # This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not
293 # enable if that's an issue. Also note that if you enable this, you must
294 # install "spf-tools-perl" which provides the spfquery command.
295 # Missing spf-tools-perl will trigger the "Unexpected error in
d2b0a567 296 # SPF check" warning.
297 .ifdef CHECK_RCPT_SPF
 # NOTE(review): ${run} below executes /usr/bin/spfquery.mail-spf-perl with
 # values supplied by the remote client ($sender_address, $sender_helo_name).
 # Each one is wrapped in ${quote:...}; keep that wrapping when editing,
 # since it is what keeps a value containing spaces a single argument
 # (presumably no shell is involved; confirm for the Exim version in use).
 # NOTE(review): "--identity" appears both before the ${if ...} and inside
 # each of its branches; confirm how spfquery parses the resulting command
 # line.
 # The deny fires only when the command fails with exit status 1
 # ($runrc = 1); a zero exit status yields "no".
1beeb313 298 deny
d21ec910
CE
299 message = [SPF] $sender_host_address is not allowed to send mail from \
300 ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
301 Please see \
302 http://www.openspf.org/Why?scope=${if def:sender_address_domain \
303 {mfrom}{helo}};identity=${if def:sender_address_domain \
304 {$sender_address}{$sender_helo_name}};ip=$sender_host_address
d2b0a567 305 log_message = SPF check failed.
d21ec910
CE
306 !acl = acl_local_deny_exceptions
307 condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
308 ${quote:$sender_host_address} --identity \
309 ${if def:sender_address_domain \
310 {--scope mfrom --identity ${quote:$sender_address}}\
311 {--scope helo --identity ${quote:$sender_helo_name}}}}\
312 {no}{${if eq {$runrc}{1}{yes}{no}}}}
d2b0a567 313
 # NOTE(review): the statements below reuse $runrc from the ${run} in the
 # deny above. In that deny, !acl = acl_local_deny_exceptions comes before
 # the condition, so when the exception ACL accepts, ${run} is presumably
 # never executed and $runrc does not describe this message -- confirm what
 # the defer/warn tests (and the Received-SPF header) see in that case.
314 defer
315 message = Temporary DNS error while checking SPF record. Try again later.
d21ec910 316 !acl = acl_local_deny_exceptions
d2b0a567 317 condition = ${if eq {$runrc}{5}{yes}{no}}
318
319 warn
d2b0a567 320 condition = ${if <={$runrc}{6}{yes}{no}}
d21ec910
CE
321 add_header = Received-SPF: ${if eq {$runrc}{0}{pass}\
322 {${if eq {$runrc}{2}{softfail}\
323 {${if eq {$runrc}{3}{neutral}\
324 {${if eq {$runrc}{4}{permerror}\
325 {${if eq {$runrc}{6}{none}{error}}}}}}}}}\
326 } client-ip=$sender_host_address; \
327 ${if def:sender_address_domain \
328 {envelope-from=${sender_address}; }{}}\
329 helo=$sender_helo_name
d2b0a567 330
331 warn
332 log_message = Unexpected error in SPF check.
333 condition = ${if >{$runrc}{6}{yes}{no}}
d2b0a567 334 .endif
335
336
725c9874 337 # Check against classic DNS "black" lists (DNSBLs) which list
338 # sender IP addresses
339 .ifdef CHECK_RCPT_IP_DNSBLS
049ff5b8
CE
340 # hcoop-change: drop connection instead of warning
 # NOTE(review): with the "drop" verb, "message" is the text returned to
 # the rejected client, so the "X-Warning:" prefix looks like a leftover
 # from the header-adding warn form of this statement.
 # The add_header and the second log_message after dnslists repeat the
 # lines above them; they look like residue from merging the upstream warn
 # statement. add_header presumably has no effect on a dropped connection
 # -- confirm and keep only one set.
 # Unlike the deny statements in this ACL, this drop carries no
 # "!acl = acl_local_deny_exceptions", so whatever that ACL exempts is not
 # exempted from a DNSBL listing here.
341 drop
725c9874 342 message = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
343 log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
344 dnslists = CHECK_RCPT_IP_DNSBLS
c6ffa96a
CE
345 add_header = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
346 log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
725c9874 347 .endif
348
349
350 # Check against DNSBLs which list sender domains, with an option to locally
d2b0a567 351 # whitelist certain domains that might be blacklisted.
352 #
353 # Note: If you define CHECK_RCPT_DOMAIN_DNSBLS, you must append
354 # "/$sender_address_domain" after each domain. For example:
355 # CHECK_RCPT_DOMAIN_DNSBLS = rhsbl.foo.org/$sender_address_domain \
356 # : rhsbl.bar.org/$sender_address_domain
725c9874 357 .ifdef CHECK_RCPT_DOMAIN_DNSBLS
358 warn
725c9874 359 !senders = ${if exists{CONFDIR/local_domain_dnsbl_whitelist}\
360 {CONFDIR/local_domain_dnsbl_whitelist}\
361 {}}
d2b0a567 362 dnslists = CHECK_RCPT_DOMAIN_DNSBLS
363 add_header = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
364 log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
725c9874 365 .endif
366
367
368 # This hook allows you to hook in your own ACLs without having to
369 # modify this file. If you do it like we suggest, you'll end up with
370 # a small performance penalty since there is an additional file being
371 # accessed. This doesn't happen if you leave the macro unset.
372 .ifdef CHECK_RCPT_LOCAL_ACL_FILE
373 .include CHECK_RCPT_LOCAL_ACL_FILE
374 .endif
375
376 # hcoop-change: 2015-03-19 clinton_admin
377 # testing if this will reject the fucktons of spam hitting logs@,
378 # most of it fscking signed with valid DKIM keys and evading
379 # spamassassin.
 # NOTE(review): Exim lists are colon-separated by default; the comma in
 # "recipients" is not a separator unless the list starts with "<,", so
 # this is presumably read as one pattern rather than two addresses --
 # confirm with a test session (exim -bh) and use " : " if two items are
 # meant.
 # Also check the patterns against the intent stated above: "*.hcoop.net"
 # presumably matches subdomains but not hcoop.net itself, and the second
 # item is "log@", not "logs@".
 # This statement is only reached by clients that were not already
 # accepted as +relay_from_hosts or as authenticated earlier in this ACL.
380 deny
381 log_message = rejecting non-hcoop host sending to logs
8929fb46 382 recipients = logs@*.hcoop.net,log@hcoop.net
8873822d
CE
383 !hosts = +relay_from_hosts
384
d2b0a567 385 #############################################################################
386 # This check is commented out because it is recognized that not every
387 # sysadmin will want to do it. If you enable it, the check performs
388 # Client SMTP Authorization (csa) checks on the sending host. These checks
389 # do DNS lookups for SRV records. The CSA proposal is currently (May 2005)
390 # an Internet draft. You can, of course, add additional conditions to this
391 # ACL statement to restrict the CSA checks to certain hosts only.
725c9874 392 #
d2b0a567 393 # require verify = csa
394 #############################################################################
725c9874 395
396
d2b0a567 397 # Accept if the address is in a domain for which we are an incoming relay,
398 # but again, only if the recipient can be verified.
399
725c9874 400 accept
401 domains = +relay_to_domains
402 endpass
725c9874 403 verify = recipient
404
405
d2b0a567 406 # At this point, the address has passed all the checks that have been
407 # configured, so we accept it unconditionally.
725c9874 408
725c9874 409 accept