temporarily set spf failure to warn while resolving member problems
[hcoop/config/exim.git] / conf.d / acl / 30_exim4-config_check_rcpt
725c9874 1
2### acl/30_exim4-config_check_rcpt
3#################################
4
5# This access control list is used for every RCPT command in an incoming
6# SMTP message. The tests are run in order until the address is either
7# accepted or denied.
8#
9acl_check_rcpt:
d2b0a567 10
725c9874 11 # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
12 # testing for an empty sending host field.
13 accept
14 hosts = :
d21ec910 15 control = dkim_disable_verify
725c9874 16
d21ec910
CE
17 # Do not try to verify DKIM signatures of incoming mail if DC_minimaldns
18 # or DISABLE_DKIM_VERIFY are set.
19.ifdef DC_minimaldns
20 warn
21 control = dkim_disable_verify
22.else
23.ifdef DISABLE_DKIM_VERIFY
24 warn
25 control = dkim_disable_verify
26.endif
27.endif
725c9874 28
725c9874 29 # The following section of the ACL is concerned with local parts that contain
30 # certain non-alphanumeric characters. Dots in unusual places are
31 # handled by this ACL as well.
32 #
33 # Non-alphanumeric characters other than dots are rarely found in genuine
34 # local parts, but are often tried by people looking to circumvent
35 # relaying restrictions. Therefore, although they are valid in local
36 # parts, these rules disallow certain non-alphanumeric characters, as
37 # a precaution.
38 #
39 # Empty components (two dots in a row) are not valid in RFC 2822, but Exim
40 # allows them because they have been encountered. (Consider local parts
41 # constructed as "firstinitial.secondinitial.familyname" when applied to
42 # a name without a second initial.) However, a local part starting
43 # with a dot or containing /../ can cause trouble if it is used as part of a
44 # file name (e.g. for a mailing list). This is also true for local parts that
45 # contain slashes. A pipe symbol can also be troublesome if the local part is
46 # incorporated unthinkingly into a shell command line.
47 #
d2b0a567 48 # These ACL components will block recipient addresses that are valid
49 # from an RFC2822 point of view. We chose to have them blocked by
50 # default for security reasons.
51 #
52 # If you feel that your site should have less strict recipient
53 # checking, please feel free to change the default values of the macros
54 # defined in main/01_exim4-config_listmacrosdefs or override them from a
55 # local configuration file.
56 #
725c9874 57 # Two different rules are used. The first one has a quite strict
58 # default, and is applied to messages that are addressed to one of the
59 # local domains handled by this host.
d2b0a567 60
61 # The default value of CHECK_RCPT_LOCAL_LOCALPARTS is defined in
62 # main/01_exim4-config_listmacrosdefs:
63 # CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]
64 # This blocks local parts that begin with a dot or contain a quite
65 # broad range of non-alphanumeric characters.
725c9874 66 .ifdef CHECK_RCPT_LOCAL_LOCALPARTS
67 deny
bbc29c5a 68 domains = +local_domains : +unix_domains
725c9874 69 local_parts = CHECK_RCPT_LOCAL_LOCALPARTS
70 message = restricted characters in address
71 .endif
72
73
74 # The second rule applies to all other domains, and its default is
75 # considerably less strict.
d2b0a567 76
77 # The default value of CHECK_RCPT_REMOTE_LOCALPARTS is defined in
78 # main/01_exim4-config_listmacrosdefs:
79 # CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
80
81 # It allows local users to send outgoing messages to sites
82 # that use slashes and vertical bars in their local parts. It blocks
83 # local parts that begin with a dot, slash, or vertical bar, but allows
84 # these characters within the local part. However, the sequence /../ is
85 # barred. The use of some other non-alphanumeric characters is blocked.
86 # Single quotes might probably be dangerous as well, but they're
87 # allowed by the default regexps to avoid rejecting mails to Ireland.
88 # The motivation here is to prevent local users (or local users' malware)
89 # from mounting certain kinds of attack on remote sites.
725c9874 90 .ifdef CHECK_RCPT_REMOTE_LOCALPARTS
91 deny
bbc29c5a 92 domains = !+local_domains : !+unix_domains
725c9874 93 local_parts = CHECK_RCPT_REMOTE_LOCALPARTS
94 message = restricted characters in address
95 .endif
96
97
98 # Accept mail to postmaster in any local domain, regardless of the source,
99 # and without verifying the sender.
100 #
101 accept
102 .ifndef CHECK_RCPT_POSTMASTER
103 local_parts = postmaster
104 .else
105 local_parts = CHECK_RCPT_POSTMASTER
106 .endif
bbc29c5a 107 domains = +local_domains : +unix_domains : +relay_to_domains
d2b0a567 108
109
110 # Deny unless the sender address can be verified.
111 #
112 # This is disabled by default so that DNSless systems don't break. If
113 # your system can do DNS lookups without delay or cost, you might want
114 # to enable this feature.
115 #
116 # This feature does not work in smarthost and satellite setups as
117 # with these setups all domains pass verification. See spec.txt chapter
118 # 39.31 with the added information that a smarthost/satellite setup
119 # routes all non-local e-mail to the smarthost.
120 .ifdef CHECK_RCPT_VERIFY_SENDER
049ff5b8
CE
121 # hcoop-change: warn so that we can track down webapps sending
122 # without a valid return user, but not break the many web apps that
123 # do so. Fix.
# Effect as written: when the exceptions ACL does not match and the envelope
# sender fails verification, the only result is the log line
# "Sender verification failed". The recipient is not rejected and nothing is
# recorded on the message itself, so unverifiable senders continue down the
# ACL like any other mail.
124 warn
125 log_message = Sender verification failed
126 !acl = acl_local_deny_exceptions
d2b0a567 127 !verify = sender
128 .endif
129
06b25c81 130 # hcoop-change: Add recommended lines from
131 # /usr/share/doc/mailman/README.EXIM.gz so that bounce messages
132 # get through, even if they are from a malformed address
133
134 # Accept bounces to lists even if callbacks or other checks would fail
# Both statements below use the same test: the local part must match
# (.*)-bounces\+.*, $domain must be defined, and looking up
# $local_part@$domain in MAILMAN_DB must return "true".
# NOTE(review): on a warn statement Exim's legacy handling of `message` is to
# add the text as a header line; confirm for the Exim version in use.
135 warn
136 message = X-WhitelistedRCPT-nohdrfromcallback: Yes
137 condition = ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
ae57a972 138 {def:domain} \
b09d0d57 139 {eq {${lookup{$local_part@$domain}lsearch{MAILMAN_DB}}} \
140 {true}}} \
06b25c81 141 {yes}{no}}
142
# NOTE(review): this accept sits above the callout, blacklist, SPF, DNSBL and
# recipient-verification statements later in this file, so a matching address
# skips all of them and the MAILMAN_DB lookup is the only gate. Keep this
# condition identical to the one on the warn statement above.
143 accept
144 condition = ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
ae57a972 145 {def:domain} \
b09d0d57 146 {eq {${lookup{$local_part@$domain}lsearch{MAILMAN_DB}}} \
147 {true}}} \
06b25c81 148 {yes}{no}}
149
d2b0a567 150 # Verify senders listed in local_sender_callout with a callout.
151 #
152 # In smarthost and satellite setups, this causes the callout to be
153 # done to the smarthost. Verification will thus only be reliable if the
154 # smarthost does reject illegal addresses in the SMTP dialog.
155 deny
d21ec910 156 !acl = acl_local_deny_exceptions
d2b0a567 157 senders = ${if exists{CONFDIR/local_sender_callout}\
158 {CONFDIR/local_sender_callout}\
159 {}}
160 !verify = sender/callout
161
162
163 # Accept if the message comes from one of the hosts for which we are an
164 # outgoing relay. It is assumed that such hosts are most likely to be MUAs,
165 # so we set control=submission to make Exim treat the message as a
166 # submission. It will fix up various errors in the message, for example, the
167 # lack of a Date: header line. If you are actually relaying out from
168 # MTAs, you may want to disable this. If you are handling both relaying from
169 # MTAs and submissions from MUAs you should probably split them into two
170 # lists, and handle them differently.
171
172 # Recipient verification is omitted here, because in many cases the clients
173 # are dumb MUAs that don't cope well with SMTP error responses. If you are
174 # actually relaying out from MTAs, you should probably add recipient
175 # verification here.
176
177 # Note that, by putting this test before any DNS black list checks, you will
178 # always accept from these hosts, even if they end up on a black list. The
179 # assumption is that they are your friends, and if they get onto black
180 # list, it is a mistake.
181 accept
182 hosts = +relay_from_hosts
183 control = submission/sender_retain
d21ec910 184 control = dkim_disable_verify
d2b0a567 185
186
187 # Accept if the message arrived over an authenticated connection, from
188 # any host. Again, these messages are usually from MUAs, so recipient
189 # verification is omitted, and submission mode is set. And again, we do this
190 # check before any black list tests.
191 accept
192 authenticated = *
193 control = submission/sender_retain
d21ec910 194 control = dkim_disable_verify
d2b0a567 195
196
197 # Insist that any other recipient address that we accept is either in one of
198 # our local domains, or is in a domain for which we explicitly allow
199 # relaying. Any other domain is rejected as being unacceptable for relaying.
200 require
201 message = relay not permitted
bbc29c5a 202 domains = +local_domains : +unix_domains : +relay_to_domains
d2b0a567 203
204
205 # We also require all accepted addresses to be verifiable. This check will
206 # do local part verification for local domains, but only check the domain
207 # for remote domains.
208 require
209 verify = recipient
210
211
212 # Verify recipients listed in local_rcpt_callout with a callout.
213 # This is especially handy for forwarding MX hosts (secondary MX or
214 # mail hubs) of domains that receive a lot of spam to non-existent
215 # addresses. The only way to check local parts for remote relay
216 # domains is to use a callout (add /callout), but please read the
217 # documentation about callouts before doing this.
218 deny
d21ec910 219 !acl = acl_local_deny_exceptions
d2b0a567 220 recipients = ${if exists{CONFDIR/local_rcpt_callout}\
221 {CONFDIR/local_rcpt_callout}\
222 {}}
223 !verify = recipient/callout
725c9874 224
225
725c9874 226 # CONFDIR/local_sender_blacklist holds a list of envelope senders that
227 # should have their access denied to the local host. Incoming messages
228 # with one of these senders are rejected at RCPT time.
229 #
230 # The explicit white lists are honored as well as negative items in
d2b0a567 231 # the black list. See exim4-config_files(5) for details.
725c9874 232 deny
233 message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
d21ec910 234 !acl = acl_local_deny_exceptions
725c9874 235 senders = ${if exists{CONFDIR/local_sender_blacklist}\
236 {CONFDIR/local_sender_blacklist}\
237 {}}
238
239
240 # deny bad sites (IP address)
241 # CONFDIR/local_host_blacklist holds a list of host names, IP addresses
242 # and networks (CIDR notation) that should have their access denied to
243 # the local host. Messages coming in from a listed host will have all
244 # RCPT statements rejected.
245 #
246 # The explicit white lists are honored as well as negative items in
d21ec910 247 # the black list. See exim4-config_files(5) for details.
725c9874 248 deny
249 message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
d21ec910 250 !acl = acl_local_deny_exceptions
725c9874 251 hosts = ${if exists{CONFDIR/local_host_blacklist}\
252 {CONFDIR/local_host_blacklist}\
253 {}}
254
255
725c9874 256 # Warn if the sender host does not have valid reverse DNS.
257 #
258 # If your system can do DNS lookups without delay or cost, you might want
259 # to enable this.
260 # If sender_host_address is defined, it's a remote call. If
261 # sender_host_name is not defined, then reverse lookup failed. Use
262 # this instead of !verify = reverse_host_lookup to catch deferrals
263 # as well as outright failures.
264 .ifdef CHECK_RCPT_REVERSE_DNS
265 warn
d21ec910 266 condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\
725c9874 267 {yes}{no}}
d21ec910
CE
268 log_message = Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}})
269 add_header = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}})
725c9874 270 .endif
271
272
d2b0a567 273 # Use spfquery to perform a pair of SPF checks (for details, see
274 # http://www.openspf.org/)
275 #
276 # This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not
277 # enable if that's an issue. Also note that if you enable this, you must
d21ec910
CE
278 # install "spf-tools-perl" which provides the spfquery command.
279 # Missing spf-tools-perl will trigger the "Unexpected error in
d2b0a567 280 # SPF check" warning.
281 .ifdef CHECK_RCPT_SPF
# Runs spfquery for each RCPT that reaches this point; the three statements
# after this one reuse the exit status left in $runrc by the ${run} below.
# The condition is true only when $runrc is 1, which this section treats as
# an SPF fail. The verb is `warn`, so such a recipient is not rejected here:
# the failure is logged and processing continues with the next statement.
# NOTE(review): on a warn statement Exim's legacy handling of `message` is to
# add the text as a header line rather than send it as an SMTP response;
# confirm that is the intended effect while the check is in warn mode.
# $sender_address and $sender_helo_name are supplied by the remote client.
# The ${quote:...} wrappers are what keep each value a single spfquery
# argument; keep them if this command line is edited.
# NOTE(review): `--identity` appears once before the ${if ...} and again
# inside each branch; confirm how spfquery resolves the repeated option.
# NOTE(review): `!acl = acl_local_deny_exceptions` is tested before the
# ${run}, so when the exceptions ACL matches, spfquery is not executed and
# the later $runrc tests see whatever value $runrc already had; verify.
f6b45aab 282 warn
d21ec910
CE
283 message = [SPF] $sender_host_address is not allowed to send mail from \
284 ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
285 Please see \
286 http://www.openspf.org/Why?scope=${if def:sender_address_domain \
287 {mfrom}{helo}};identity=${if def:sender_address_domain \
288 {$sender_address}{$sender_helo_name}};ip=$sender_host_address
d2b0a567 289 log_message = SPF check failed.
d21ec910
CE
290 !acl = acl_local_deny_exceptions
291 condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
292 ${quote:$sender_host_address} --identity \
293 ${if def:sender_address_domain \
294 {--scope mfrom --identity ${quote:$sender_address}}\
295 {--scope helo --identity ${quote:$sender_helo_name}}}}\
296 {no}{${if eq {$runrc}{1}{yes}{no}}}}
d2b0a567 297
# Temporary rejection when spfquery exited with status 5 and the exceptions
# ACL does not match.
298 defer
299 message = Temporary DNS error while checking SPF record. Try again later.
d21ec910 300 !acl = acl_local_deny_exceptions
d2b0a567 301 condition = ${if eq {$runrc}{5}{yes}{no}}
302
# Adds a Received-SPF header for exit statuses 0-6. The nested ${if} maps
# 0=pass, 2=softfail, 3=neutral, 4=permerror, 6=none, and anything else to
# "error".
# NOTE(review): status 1 has no branch of its own. While the first statement
# only warns, a message that failed SPF is accepted carrying
# "Received-SPF: error" rather than a fail result, so downstream filters that
# key on this header will not see the failure. Consider adding a branch for
# status 1 for as long as the check stays in warn mode.
303 warn
d2b0a567 304 condition = ${if <={$runrc}{6}{yes}{no}}
d21ec910
CE
305 add_header = Received-SPF: ${if eq {$runrc}{0}{pass}\
306 {${if eq {$runrc}{2}{softfail}\
307 {${if eq {$runrc}{3}{neutral}\
308 {${if eq {$runrc}{4}{permerror}\
309 {${if eq {$runrc}{6}{none}{error}}}}}}}}}\
310 } client-ip=$sender_host_address; \
311 ${if def:sender_address_domain \
312 {envelope-from=${sender_address}; }{}}\
313 helo=$sender_helo_name
d2b0a567 314
# Any exit status above 6 is only logged; the recipient is neither rejected
# nor tagged.
315 warn
316 log_message = Unexpected error in SPF check.
317 condition = ${if >{$runrc}{6}{yes}{no}}
d2b0a567 318 .endif
319
320
725c9874 321 # Check against classic DNS "black" lists (DNSBLs) which list
322 # sender IP addresses
323 .ifdef CHECK_RCPT_IP_DNSBLS
049ff5b8
CE
324 # hcoop-change: drop connection instead of warning
# `drop` rejects the recipient and closes the SMTP connection when the
# sending host is listed in any of CHECK_RCPT_IP_DNSBLS.
# The `message` text, still in its header-style "X-Warning:" form, is what
# the remote client receives as the rejection text, including the list name.
# NOTE(review): unlike the deny statements earlier in this file, this one
# carries no `!acl = acl_local_deny_exceptions`, so the local whitelists give
# no exemption from a DNSBL listing; confirm that is intended. Hosts matched
# by the earlier relay_from_hosts and authenticated accepts never reach it.
325 drop
725c9874 326 message = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
327 log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
328 dnslists = CHECK_RCPT_IP_DNSBLS
329 .endif
330
331
332 # Check against DNSBLs which list sender domains, with an option to locally
d2b0a567 333 # whitelist certain domains that might be blacklisted.
334 #
335 # Note: If you define CHECK_RCPT_DOMAIN_DNSBLS, you must append
336 # "/$sender_address_domain" after each domain. For example:
337 # CHECK_RCPT_DOMAIN_DNSBLS = rhsbl.foo.org/$sender_address_domain \
338 # : rhsbl.bar.org/$sender_address_domain
725c9874 339 .ifdef CHECK_RCPT_DOMAIN_DNSBLS
340 warn
725c9874 341 !senders = ${if exists{CONFDIR/local_domain_dnsbl_whitelist}\
342 {CONFDIR/local_domain_dnsbl_whitelist}\
343 {}}
d2b0a567 344 dnslists = CHECK_RCPT_DOMAIN_DNSBLS
d21ec910
CE
345 add_header = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
346 log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
725c9874 347 .endif
348
349
350 # This hook allows you to hook in your own ACLs without having to
351 # modify this file. If you do it like we suggest, you'll end up with
352 # a small performance penalty since there is an additional file being
353 # accessed. This doesn't happen if you leave the macro unset.
354 .ifdef CHECK_RCPT_LOCAL_ACL_FILE
355 .include CHECK_RCPT_LOCAL_ACL_FILE
356 .endif
357
8873822d
CE
358 # hcoop-change: 2015-03-19 clinton_admin
359 # testing if this will reject the fucktons of spam hitting logs@,
360 # most of it fscking signed with valid DKIM keys and evading
361 # spamassassin.
# Rejects RCPT addresses matching logs@*.hcoop.net unless the client is in
# relay_from_hosts. Only log_message is set, so the reason is written to the
# log and the client gets Exim's default rejection text.
# Clients accepted by the earlier relay_from_hosts and authenticated
# statements never reach this point.
# NOTE(review): confirm whether the `*.hcoop.net` pattern is meant to cover
# logs@hcoop.net itself as well as subdomains.
362 deny
363 log_message = rejecting non-hcoop host sending to logs
364 recipients = logs@*.hcoop.net
365 !hosts = +relay_from_hosts
366
725c9874 367
d2b0a567 368 #############################################################################
369 # This check is commented out because it is recognized that not every
370 # sysadmin will want to do it. If you enable it, the check performs
371 # Client SMTP Authorization (csa) checks on the sending host. These checks
372 # do DNS lookups for SRV records. The CSA proposal is currently (May 2005)
373 # an Internet draft. You can, of course, add additional conditions to this
374 # ACL statement to restrict the CSA checks to certain hosts only.
725c9874 375 #
d2b0a567 376 # require verify = csa
377 #############################################################################
725c9874 378
379
d2b0a567 380 # Accept if the address is in a domain for which we are an incoming relay,
381 # but again, only if the recipient can be verified.
382
725c9874 383 accept
384 domains = +relay_to_domains
385 endpass
725c9874 386 verify = recipient
387
388
d2b0a567 389 # At this point, the address has passed all the checks that have been
390 # configured, so we accept it unconditionally.
725c9874 391
725c9874 392 accept