Commit | Line | Data |
---|---|---|
725c9874 | 1 | |
2 | ### acl/30_exim4-config_check_rcpt | |
3 | ################################# | |
4 | ||
7b83f2a3 CE |
5 | # define macros to be used below in this file to check recipient |
6 | # local parts for strange characters. Documentation below. | |
7 | # This blocks local parts that begin with a dot or contain a quite | |
8 | # broad range of non-alphanumeric characters. | |
9 | ||
10 | .ifndef CHECK_RCPT_LOCAL_LOCALPARTS | |
11 | CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?] | |
12 | .endif | |
13 | ||
14 | .ifndef CHECK_RCPT_REMOTE_LOCALPARTS | |
15 | CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./ | |
16 | .endif | |
17 | ||
725c9874 | 18 | # This access control list is used for every RCPT command in an incoming |
19 | # SMTP message. The tests are run in order until the address is either | |
20 | # accepted or denied. | |
21 | # | |
22 | acl_check_rcpt: | |
d2b0a567 | 23 | |
725c9874 | 24 | # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by |
25 | # testing for an empty sending host field. | |
26 | accept | |
27 | hosts = : | |
d21ec910 | 28 | control = dkim_disable_verify |
725c9874 | 29 | |
d21ec910 CE |
30 | # Do not try to verify DKIM signatures of incoming mail if DC_minimaldns |
31 | # or DISABLE_DKIM_VERIFY are set. | |
32 | .ifdef DC_minimaldns | |
33 | warn | |
34 | control = dkim_disable_verify | |
35 | .else | |
36 | .ifdef DISABLE_DKIM_VERIFY | |
37 | warn | |
38 | control = dkim_disable_verify | |
39 | .endif | |
40 | .endif | |
725c9874 | 41 | |
725c9874 | 42 | # The following section of the ACL is concerned with local parts that contain |
43 | # certain non-alphanumeric characters. Dots in unusual places are | |
44 | # handled by this ACL as well. | |
45 | # | |
46 | # Non-alphanumeric characters other than dots are rarely found in genuine | |
47 | # local parts, but are often tried by people looking to circumvent | |
48 | # relaying restrictions. Therefore, although they are valid in local | |
49 | # parts, these rules disallow certain non-alphanumeric characters, as | |
50 | # a precaution. | |
51 | # | |
52 | # Empty components (two dots in a row) are not valid in RFC 2822, but Exim | |
53 | # allows them because they have been encountered. (Consider local parts | |
54 | # constructed as "firstinitial.secondinitial.familyname" when applied to | |
55 | # a name without a second initial.) However, a local part starting | |
56 | # with a dot or containing /../ can cause trouble if it is used as part of a | |
57 | # file name (e.g. for a mailing list). This is also true for local parts that | |
58 | # contain slashes. A pipe symbol can also be troublesome if the local part is | |
59 | # incorporated unthinkingly into a shell command line. | |
60 | # | |
d2b0a567 | 61 | # These ACL components will block recipient addresses that are valid |
7b83f2a3 | 62 | # from an RFC5322 point of view. We chose to have them blocked by |
d2b0a567 | 63 | # default for security reasons. |
64 | # | |
65 | # If you feel that your site should have less strict recipient | |
66 | # checking, please feel free to change the default values of the macros | |
67 | # defined in main/01_exim4-config_listmacrosdefs or override them from a | |
68 | # local configuration file. | |
69 | # | |
725c9874 | 70 | # Two different rules are used. The first one has a quite strict |
71 | # default, and is applied to messages that are addressed to one of the | |
72 | # local domains handled by this host. | |
d2b0a567 | 73 | |
7b83f2a3 CE |
74 | # The default value of CHECK_RCPT_LOCAL_LOCALPARTS is defined |
75 | # at the top of this file. | |
725c9874 | 76 | .ifdef CHECK_RCPT_LOCAL_LOCALPARTS |
77 | deny | |
bbc29c5a | 78 | domains = +local_domains : +unix_domains |
725c9874 | 79 | local_parts = CHECK_RCPT_LOCAL_LOCALPARTS |
80 | message = restricted characters in address | |
81 | .endif | |
82 | ||
83 | ||
84 | # The second rule applies to all other domains, and its default is | |
85 | # considerably less strict. | |
d2b0a567 | 86 | |
87 | # The default value of CHECK_RCPT_REMOTE_LOCALPARTS is defined at the | |
88 | # top of this file (unless the macro has already been set elsewhere): | |
89 | # CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./ | |
90 | ||
91 | # It allows local users to send outgoing messages to sites | |
92 | # that use slashes and vertical bars in their local parts. It blocks | |
93 | # local parts that begin with a dot, slash, or vertical bar, but allows | |
94 | # these characters within the local part. However, the sequence /../ is | |
95 | # barred. The use of some other non-alphanumeric characters is blocked. | |
96 | # Single quotes might probably be dangerous as well, but they're | |
97 | # allowed by the default regexps to avoid rejecting mails to Ireland. | |
98 | # The motivation here is to prevent local users (or local users' malware) | |
99 | # from mounting certain kinds of attack on remote sites. | |
725c9874 | 100 | .ifdef CHECK_RCPT_REMOTE_LOCALPARTS |
101 | deny | |
bbc29c5a | 102 | domains = !+local_domains : !+unix_domains |
725c9874 | 103 | local_parts = CHECK_RCPT_REMOTE_LOCALPARTS |
104 | message = restricted characters in address | |
105 | .endif | |
106 | ||
107 | ||
108 | # Accept mail to postmaster in any local domain, regardless of the source, | |
109 | # and without verifying the sender. | |
110 | # | |
111 | accept | |
112 | .ifndef CHECK_RCPT_POSTMASTER | |
113 | local_parts = postmaster | |
114 | .else | |
115 | local_parts = CHECK_RCPT_POSTMASTER | |
116 | .endif | |
bbc29c5a | 117 | domains = +local_domains : +unix_domains : +relay_to_domains |
d2b0a567 | 118 | |
d2b0a567 | 119 | # Deny unless the sender address can be verified. |
120 | # | |
121 | # This is disabled by default so that DNSless systems don't break. If | |
122 | # your system can do DNS lookups without delay or cost, you might want | |
123 | # to enable this feature. | |
124 | # | |
125 | # This feature does not work in smarthost and satellite setups as | |
7b83f2a3 CE |
126 | # with these setups all domains pass verification. See spec.txt section |
127 | # "Access control lists" subsection "Address verification" with the added | |
128 | # information that a smarthost/satellite setup routes all non-local e-mail | |
129 | # to the smarthost. | |
d2b0a567 | 130 | .ifdef CHECK_RCPT_VERIFY_SENDER |
049ff5b8 CE |
131 | # hcoop-change: warn so that we can track down webapps sending |
132 | # without a valid return user, but not break the many web apps that | |
133 | # do so. Fix. | |
134 | warn | |
135 | log_message = Sender verification failed | |
136 | !acl = acl_local_deny_exceptions | |
d2b0a567 | 137 | !verify = sender |
138 | .endif | |
139 | ||
06b25c81 | 140 | # hcoop-change: Add recommended lines from |
141 | # /usr/share/doc/mailman/README.EXIM.gz so that bounce messages | |
142 | # get through, even if they are from a malformed address | |
143 | ||
144 | # Accept bounces to lists even if callbacks or other checks would fail | |
145 | warn | |
146 | message = X-WhitelistedRCPT-nohdrfromcallback: Yes | |
147 | condition = ${if and {{match{$local_part}{(.*)-bounces\+.*}} \ | |
ae57a972 | 148 | {def:domain} \ |
b09d0d57 | 149 | {eq {${lookup{$local_part@$domain}lsearch{MAILMAN_DB}}} \ |
150 | {true}}} \ | |
06b25c81 | 151 | {yes}{no}} |
152 | ||
153 | accept | |
154 | condition = ${if and {{match{$local_part}{(.*)-bounces\+.*}} \ | |
ae57a972 | 155 | {def:domain} \ |
b09d0d57 | 156 | {eq {${lookup{$local_part@$domain}lsearch{MAILMAN_DB}}} \ |
157 | {true}}} \ | |
06b25c81 | 158 | {yes}{no}} |
159 | ||
d2b0a567 | 160 | # Verify senders listed in local_sender_callout with a callout. |
161 | # | |
162 | # In smarthost and satellite setups, this causes the callout to be | |
163 | # done to the smarthost. Verification will thus only be reliable if the | |
164 | # smarthost does reject illegal addresses in the SMTP dialog. | |
165 | deny | |
d21ec910 | 166 | !acl = acl_local_deny_exceptions |
d2b0a567 | 167 | senders = ${if exists{CONFDIR/local_sender_callout}\ |
168 | {CONFDIR/local_sender_callout}\ | |
169 | {}} | |
170 | !verify = sender/callout | |
171 | ||
172 | ||
173 | # Accept if the message comes from one of the hosts for which we are an | |
174 | # outgoing relay. It is assumed that such hosts are most likely to be MUAs, | |
175 | # so we set control=submission to make Exim treat the message as a | |
176 | # submission. It will fix up various errors in the message, for example, the | |
177 | # lack of a Date: header line. If you are actually relaying out from | |
178 | # MTAs, you may want to disable this. If you are handling both relaying from | |
179 | # MTAs and submissions from MUAs you should probably split them into two | |
180 | # lists, and handle them differently. | |
181 | ||
182 | # Recipient verification is omitted here, because in many cases the clients | |
183 | # are dumb MUAs that don't cope well with SMTP error responses. If you are | |
184 | # actually relaying out from MTAs, you should probably add recipient | |
185 | # verification here. | |
186 | ||
187 | # Note that, by putting this test before any DNS black list checks, you will | |
188 | # always accept from these hosts, even if they end up on a black list. The | |
189 | # assumption is that they are your friends, and if they get onto black | |
190 | # list, it is a mistake. | |
191 | accept | |
192 | hosts = +relay_from_hosts | |
193 | control = submission/sender_retain | |
d21ec910 | 194 | control = dkim_disable_verify |
d2b0a567 | 195 | |
196 | ||
197 | # Accept if the message arrived over an authenticated connection, from | |
198 | # any host. Again, these messages are usually from MUAs, so recipient | |
199 | # verification is omitted, and submission mode is set. And again, we do this | |
200 | # check before any black list tests. | |
201 | accept | |
202 | authenticated = * | |
203 | control = submission/sender_retain | |
d21ec910 | 204 | control = dkim_disable_verify |
d2b0a567 | 205 | |
c6ffa96a CE |
206 | # Insist that a HELO/EHLO was accepted. |
207 | ||
208 | require message = nice hosts say HELO first | |
209 | condition = ${if def:sender_helo_name} | |
d2b0a567 | 210 | |
211 | # Insist that any other recipient address that we accept is either in one of | |
212 | # our local domains, or is in a domain for which we explicitly allow | |
213 | # relaying. Any other domain is rejected as being unacceptable for relaying. | |
214 | require | |
215 | message = relay not permitted | |
bbc29c5a | 216 | domains = +local_domains : +unix_domains : +relay_to_domains |
d2b0a567 | 217 | |
218 | ||
219 | # We also require all accepted addresses to be verifiable. This check will | |
220 | # do local part verification for local domains, but only check the domain | |
221 | # for remote domains. | |
222 | require | |
223 | verify = recipient | |
224 | ||
225 | ||
226 | # Verify recipients listed in local_rcpt_callout with a callout. | |
227 | # This is especially handy for forwarding MX hosts (secondary MX or | |
228 | # mail hubs) of domains that receive a lot of spam to non-existent | |
229 | # addresses. The only way to check local parts for remote relay | |
230 | # domains is to use a callout (add /callout), but please read the | |
231 | # documentation about callouts before doing this. | |
232 | deny | |
d21ec910 | 233 | !acl = acl_local_deny_exceptions |
d2b0a567 | 234 | recipients = ${if exists{CONFDIR/local_rcpt_callout}\ |
235 | {CONFDIR/local_rcpt_callout}\ | |
236 | {}} | |
237 | !verify = recipient/callout | |
725c9874 | 238 | |
239 | ||
725c9874 | 240 | # CONFDIR/local_sender_blacklist holds a list of envelope senders that |
241 | # should have their access denied to the local host. Incoming messages | |
242 | # with one of these senders are rejected at RCPT time. | |
243 | # | |
244 | # The explicit white lists are honored as well as negative items in | |
d2b0a567 | 245 | # the black list. See exim4-config_files(5) for details. |
725c9874 | 246 | deny |
247 | message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster | |
7b83f2a3 | 248 | log_message = sender envelope address is locally blacklisted. |
d21ec910 | 249 | !acl = acl_local_deny_exceptions |
725c9874 | 250 | senders = ${if exists{CONFDIR/local_sender_blacklist}\ |
251 | {CONFDIR/local_sender_blacklist}\ | |
252 | {}} | |
253 | ||
254 | ||
255 | # deny bad sites (IP address) | |
256 | # CONFDIR/local_host_blacklist holds a list of host names, IP addresses | |
257 | # and networks (CIDR notation) that should have their access denied to | |
258 | # the local host. Messages coming in from a listed host will have all | |
259 | # RCPT statements rejected. | |
260 | # | |
261 | # The explicit white lists are honored as well as negative items in | |
d21ec910 | 262 | # the black list. See exim4-config_files(5) for details. |
725c9874 | 263 | deny |
264 | message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster | |
7b83f2a3 | 265 | log_message = sender IP address is locally blacklisted. |
d21ec910 | 266 | !acl = acl_local_deny_exceptions |
725c9874 | 267 | hosts = ${if exists{CONFDIR/local_host_blacklist}\ |
268 | {CONFDIR/local_host_blacklist}\ | |
269 | {}} | |
270 | ||
271 | ||
725c9874 | 272 | # Warn if the sender host does not have valid reverse DNS. |
273 | # | |
274 | # If your system can do DNS lookups without delay or cost, you might want | |
275 | # to enable this. | |
276 | # If sender_host_address is defined, it's a remote call. If | |
277 | # sender_host_name is not defined, then reverse lookup failed. Use | |
278 | # this instead of !verify = reverse_host_lookup to catch deferrals | |
279 | # as well as outright failures. | |
280 | .ifdef CHECK_RCPT_REVERSE_DNS | |
281 | warn | |
d21ec910 | 282 | condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\ |
725c9874 | 283 | {yes}{no}} |
d21ec910 CE |
284 | log_message = Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}}) |
285 | add_header = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}}) | |
725c9874 | 286 | .endif |
287 | ||
288 | ||
d2b0a567 | 289 | # Use spfquery to perform a pair of SPF checks (for details, see |
290 | # http://www.openspf.org/) | |
291 | # | |
292 | # This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not | |
293 | # enable if that's an issue. Also note that if you enable this, you must | |
d21ec910 CE |
294 | # install "spf-tools-perl" which provides the spfquery command. |
295 | # Missing spf-tools-perl will trigger the "Unexpected error in | |
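d2b0a567 | 296 | # SPF check" warning. The sender address and HELO name handed to spfquery come from the remote client, so keep the ${quote:...} wrappers in the run command below. |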
297 | .ifdef CHECK_RCPT_SPF | |
1beeb313 | 298 | deny |
d21ec910 CE |
299 | message = [SPF] $sender_host_address is not allowed to send mail from \ |
300 | ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \ | |
301 | Please see \ | |
302 | http://www.openspf.org/Why?scope=${if def:sender_address_domain \ | |
303 | {mfrom}{helo}};identity=${if def:sender_address_domain \ | |
304 | {$sender_address}{$sender_helo_name}};ip=$sender_host_address | |
d2b0a567 | 305 | log_message = SPF check failed. |
d21ec910 CE |
306 | !acl = acl_local_deny_exceptions |
307 | condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \ | |
308 | ${quote:$sender_host_address} --identity \ | |
309 | ${if def:sender_address_domain \ | |
310 | {--scope mfrom --identity ${quote:$sender_address}}\ | |
311 | {--scope helo --identity ${quote:$sender_helo_name}}}}\ | |
312 | {no}{${if eq {$runrc}{1}{yes}{no}}}} | |
d2b0a567 | 313 | |
314 | defer | |
315 | message = Temporary DNS error while checking SPF record. Try again later. | |
d21ec910 | 316 | !acl = acl_local_deny_exceptions |
d2b0a567 | 317 | condition = ${if eq {$runrc}{5}{yes}{no}} |
318 | ||
319 | warn | |
d2b0a567 | 320 | condition = ${if <={$runrc}{6}{yes}{no}} |
d21ec910 CE |
321 | add_header = Received-SPF: ${if eq {$runrc}{0}{pass}\ |
322 | {${if eq {$runrc}{2}{softfail}\ | |
323 | {${if eq {$runrc}{3}{neutral}\ | |
324 | {${if eq {$runrc}{4}{permerror}\ | |
325 | {${if eq {$runrc}{6}{none}{error}}}}}}}}}\ | |
326 | } client-ip=$sender_host_address; \ | |
327 | ${if def:sender_address_domain \ | |
328 | {envelope-from=${sender_address}; }{}}\ | |
329 | helo=$sender_helo_name | |
d2b0a567 | 330 | |
331 | warn | |
332 | log_message = Unexpected error in SPF check. | |
333 | condition = ${if >{$runrc}{6}{yes}{no}} | |
d2b0a567 | 334 | .endif |
335 | ||
336 | ||
725c9874 | 337 | # Check against classic DNS "black" lists (DNSBLs) which list |
338 | # sender IP addresses | |
339 | .ifdef CHECK_RCPT_IP_DNSBLS | |
049ff5b8 CE |
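340 | # hcoop-change: drop connection instead of warning. NOTE(review): unlike the deny statements in this file, this drop has no "!acl = acl_local_deny_exceptions", so the local white lists presumably do not exempt a DNSBL-listed host; the add_header and second log_message below look like leftovers from the original warn statement - confirm. |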
341 | drop | |
725c9874 | 342 | message = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text) |
343 | log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text) | |
344 | dnslists = CHECK_RCPT_IP_DNSBLS | |
c6ffa96a CE |
345 | add_header = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text) |
346 | log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text) | |
725c9874 | 347 | .endif |
348 | ||
349 | ||
350 | # Check against DNSBLs which list sender domains, with an option to locally | |
d2b0a567 | 351 | # whitelist certain domains that might be blacklisted. |
352 | # | |
353 | # Note: If you define CHECK_RCPT_DOMAIN_DNSBLS, you must append | |
354 | # "/$sender_address_domain" after each domain. For example: | |
355 | # CHECK_RCPT_DOMAIN_DNSBLS = rhsbl.foo.org/$sender_address_domain \ | |
356 | # : rhsbl.bar.org/$sender_address_domain | |
725c9874 | 357 | .ifdef CHECK_RCPT_DOMAIN_DNSBLS |
358 | warn | |
725c9874 | 359 | !senders = ${if exists{CONFDIR/local_domain_dnsbl_whitelist}\ |
360 | {CONFDIR/local_domain_dnsbl_whitelist}\ | |
361 | {}} | |
d2b0a567 | 362 | dnslists = CHECK_RCPT_DOMAIN_DNSBLS |
d21ec910 CE |
363 | add_header = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text) |
364 | log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text) | |
725c9874 | 365 | .endif |
366 | ||
367 | ||
368 | # This hook allows you to hook in your own ACLs without having to | |
369 | # modify this file. If you do it like we suggest, you'll end up with | |
370 | # a small performance penalty since there is an additional file being | |
371 | # accessed. This doesn't happen if you leave the macro unset. | |
372 | .ifdef CHECK_RCPT_LOCAL_ACL_FILE | |
373 | .include CHECK_RCPT_LOCAL_ACL_FILE | |
374 | .endif | |
375 | ||
8873822d CE |
376 | # hcoop-change: 2015-03-19 clinton_admin |
377 | # testing if this will reject the fucktons of spam hitting logs@, | |
378 | # most of it fscking signed with valid DKIM keys and evading | |
379 | # spamassassin. | |
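# Reject mail for the log addresses unless it comes from one of our own
# relay hosts.
# Exim lists are colon-separated by default; the previous comma-joined value
# was read as one pattern instead of two addresses.
# NOTE(review): "*.hcoop.net" covers subdomains only, and the bare-domain
# entry is "log@", not "logs@" - confirm both are intended.
deny
  log_message = rejecting non-hcoop host sending to logs
  recipients = logs@*.hcoop.net : log@hcoop.net
  !hosts = +relay_from_hosts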
384 | ||
d2b0a567 | 385 | ############################################################################# |
386 | # This check is commented out because it is recognized that not every | |
387 | # sysadmin will want to do it. If you enable it, the check performs | |
388 | # Client SMTP Authorization (csa) checks on the sending host. These checks | |
389 | # do DNS lookups for SRV records. The CSA proposal is currently (May 2005) | |
390 | # an Internet draft. You can, of course, add additional conditions to this | |
391 | # ACL statement to restrict the CSA checks to certain hosts only. | |
725c9874 | 392 | # |
d2b0a567 | 393 | # require verify = csa |
394 | ############################################################################# | |
725c9874 | 395 | |
396 | ||
d2b0a567 | 397 | # Accept if the address is in a domain for which we are an incoming relay, |
398 | # but again, only if the recipient can be verified. | |
399 | ||
725c9874 | 400 | accept |
401 | domains = +relay_to_domains | |
402 | endpass | |
725c9874 | 403 | verify = recipient |
404 | ||
405 | ||
d2b0a567 | 406 | # At this point, the address has passed all the checks that have been |
407 | # configured, so we accept it unconditionally. | |
725c9874 | 408 | |
725c9874 | 409 | accept |