# testing for an empty sending host field.
accept
hosts = :
+ control = dkim_disable_verify
+ # Do not try to verify DKIM signatures of incoming mail if DC_minimaldns
+ # or DISABLE_DKIM_VERIFY are set.
+.ifdef DC_minimaldns
+ warn
+ control = dkim_disable_verify
+.else
+.ifdef DISABLE_DKIM_VERIFY
+ warn
+ control = dkim_disable_verify
+.endif
+.endif
# The following section of the ACL is concerned with local parts that contain
# certain non-alphanumeric characters. Dots in unusual places are
# broad range of non-alphanumeric characters.
.ifdef CHECK_RCPT_LOCAL_LOCALPARTS
deny
- domains = +local_domains
+ domains = +local_domains : +unix_domains
local_parts = CHECK_RCPT_LOCAL_LOCALPARTS
message = restricted characters in address
.endif
# from mounting certain kinds of attack on remote sites.
.ifdef CHECK_RCPT_REMOTE_LOCALPARTS
deny
- domains = !+local_domains
+ domains = !+local_domains : !+unix_domains
local_parts = CHECK_RCPT_REMOTE_LOCALPARTS
message = restricted characters in address
.endif
.else
local_parts = CHECK_RCPT_POSTMASTER
.endif
- domains = +local_domains : +relay_to_domains
+ domains = +local_domains : +unix_domains : +relay_to_domains
# Deny unless the sender address can be verified.
# 39.31 with the added information that a smarthost/satellite setup
# routes all non-local e-mail to the smarthost.
.ifdef CHECK_RCPT_VERIFY_SENDER
- deny
- message = Sender verification failed
- !acl = acl_whitelist_local_deny
+ # hcoop-change: warn so that we can track down webapps sending
+ # without a valid return user, but not break the many web apps that
+ # do so. Fix.
+ warn
+ log_message = Sender verification failed
+ !acl = acl_local_deny_exceptions
!verify = sender
.endif
warn
message = X-WhitelistedRCPT-nohdrfromcallback: Yes
condition = ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
- {exists {MAILMAN_LISTCHK}}} \
+ {def:domain} \
+ {eq {${lookup{$local_part@$domain}lsearch{MAILMAN_DB}}} \
+ {true}}} \
{yes}{no}}
accept
condition = ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
- {exists {MAILMAN_LISTCHK}}} \
+ {def:domain} \
+ {eq {${lookup{$local_part@$domain}lsearch{MAILMAN_DB}}} \
+ {true}}} \
{yes}{no}}
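Review bot: The new lookup key at L59 and L66 is `$local_part@$domain`, but the preceding `match` only fires for local parts of the form `<list>-bounces+…`, so unless MAILMAN_DB is keyed by those full bounce addresses the lsearch will presumably never hit and neither the header warn nor the accept will trigger; if the DB is keyed by list address, the capture from the regex is what should be looked up — confirm against the file that generates MAILMAN_DB. The same expansion is duplicated verbatim between the warn rule and the accept rule, so any fix has to be applied to both; a one-line comment above the warn such as `# MAILMAN_DB is an lsearch file keyed by <list>@<domain>; the match above guarantees $local_part is a -bounces+ address` would make the contract explicit. The accept at L62 is unconditional once the condition holds, so a stale or over-broad MAILMAN_DB entry bypasses every later relay and recipient check in this ACL.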
# Verify senders listed in local_sender_callout with a callout.
# done to the smarthost. Verification will thus only be reliable if the
# smarthost does reject illegal addresses in the SMTP dialog.
deny
- !acl = acl_whitelist_local_deny
+ !acl = acl_local_deny_exceptions
senders = ${if exists{CONFDIR/local_sender_callout}\
{CONFDIR/local_sender_callout}\
{}}
accept
hosts = +relay_from_hosts
control = submission/sender_retain
+ control = dkim_disable_verify
# Accept if the message arrived over an authenticated connection, from
accept
authenticated = *
control = submission/sender_retain
+ control = dkim_disable_verify
# Insist that any other recipient address that we accept is either in one of
# relaying. Any other domain is rejected as being unacceptable for relaying.
require
message = relay not permitted
- domains = +local_domains : +relay_to_domains
+ domains = +local_domains : +unix_domains : +relay_to_domains
# We also require all accepted addresses to be verifiable. This check will
# domains is to use a callout (add /callout), but please read the
# documentation about callouts before doing this.
deny
- !acl = acl_whitelist_local_deny
+ !acl = acl_local_deny_exceptions
recipients = ${if exists{CONFDIR/local_rcpt_callout}\
{CONFDIR/local_rcpt_callout}\
{}}
# the black list. See exim4-config_files(5) for details.
deny
message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
- !acl = acl_whitelist_local_deny
+ !acl = acl_local_deny_exceptions
senders = ${if exists{CONFDIR/local_sender_blacklist}\
{CONFDIR/local_sender_blacklist}\
{}}
# RCPT statements rejected.
#
# The explicit white lists are honored as well as negative items in
- # the black list. See /usr/share/doc/exim4-config/default_acl for details.
+ # the black list. See exim4-config_files(5) for details.
deny
message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
- !acl = acl_whitelist_local_deny
+ !acl = acl_local_deny_exceptions
hosts = ${if exists{CONFDIR/local_host_blacklist}\
{CONFDIR/local_host_blacklist}\
{}}
# as well as outright failures.
.ifdef CHECK_RCPT_REVERSE_DNS
warn
- message = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}})
- condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\
+ condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\
{yes}{no}}
+ log_message = Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}})
+ add_header = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}})
.endif
#
# This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not
# enable if that's an issue. Also note that if you enable this, you must
- # install "libmail-spf-query-perl" which provides the spfquery command.
- # Missing libmail-spf-query-perl will trigger the "Unexpected error in
+ # install "spf-tools-perl" which provides the spfquery command.
+ # Missing spf-tools-perl will trigger the "Unexpected error in
# SPF check" warning.
.ifdef CHECK_RCPT_SPF
- deny
- message = [SPF] $sender_host_address is not allowed to send mail from ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
- Please see http://www.openspf.org/why.html?sender=$sender_address&ip=$sender_host_address
+ warn
+ message = [SPF] $sender_host_address is not allowed to send mail from \
+ ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
+ Please see \
+ http://www.openspf.org/Why?scope=${if def:sender_address_domain \
+ {mfrom}{helo}};identity=${if def:sender_address_domain \
+ {$sender_address}{$sender_helo_name}};ip=$sender_host_address
log_message = SPF check failed.
- condition = ${run{/usr/bin/spfquery --ip \"$sender_host_address\" --mail-from \"$sender_address\" --helo \"$sender_helo_name\"}\
- {no}{${if eq {$runrc}{1}{yes}{no}}}}
+ !acl = acl_local_deny_exceptions
+ condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
+ ${quote:$sender_host_address} --identity \
+ ${if def:sender_address_domain \
+ {--scope mfrom --identity ${quote:$sender_address}}\
+ {--scope helo --identity ${quote:$sender_helo_name}}}}\
+ {no}{${if eq {$runrc}{1}{yes}{no}}}}
defer
message = Temporary DNS error while checking SPF record. Try again later.
+ !acl = acl_local_deny_exceptions
condition = ${if eq {$runrc}{5}{yes}{no}}
warn
- message = Received-SPF: ${if eq {$runrc}{0}{pass}{${if eq {$runrc}{2}{softfail}\
- {${if eq {$runrc}{3}{neutral}{${if eq {$runrc}{4}{unknown}{${if eq {$runrc}{6}{none}{error}}}}}}}}}}
condition = ${if <={$runrc}{6}{yes}{no}}
+ add_header = Received-SPF: ${if eq {$runrc}{0}{pass}\
+ {${if eq {$runrc}{2}{softfail}\
+ {${if eq {$runrc}{3}{neutral}\
+ {${if eq {$runrc}{4}{permerror}\
+ {${if eq {$runrc}{6}{none}{error}}}}}}}}}\
+ } client-ip=$sender_host_address; \
+ ${if def:sender_address_domain \
+ {envelope-from=${sender_address}; }{}}\
+ helo=$sender_helo_name
warn
log_message = Unexpected error in SPF check.
condition = ${if >{$runrc}{6}{yes}{no}}
-
- # Support for best-guess (see http://www.openspf.org/developers-guide.html)
- warn
- message = X-SPF-Guess: ${run{/usr/bin/spfquery --ip \"$sender_host_address\" --mail-from \"$sender_address\" \ --helo \"$sender_helo_name\" --guess true}\
- {pass}{${if eq {$runrc}{2}{softfail}{${if eq {$runrc}{3}{neutral}{${if eq {$runrc}{4}{unknown}\
- {${if eq {$runrc}{6}{none}{error}}}}}}}}}}
- condition = ${if <={$runrc}{6}{yes}{no}}
-
- defer
- message = Temporary DNS error while checking SPF record. Try again later.
- condition = ${if eq {$runrc}{5}{yes}{no}}
.endif
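Review bot: The rewritten `${run}` command passes `--identity` twice: once on L156 before the `${if def:sender_address_domain …}` and again inside each branch on L158/L159, so the expanded argv is `--ip <ip> --identity --scope mfrom --identity <addr>`; with the usual Perl option parsing the first `--identity` most likely consumes `--scope` as its value and leaves `mfrom`/`helo` as a stray positional argument, so the intended scope probably never reaches spfquery. Dropping the stray flag fixes it: `condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \` / `${quote:$sender_host_address} \` followed by the existing `${if def:sender_address_domain …}` lines. Moving the sender-controlled values under `${quote:…}` is the right change, since `${run}` splits on whitespace without a shell and the old `\"…\"` form gave no protection against embedded spaces. Separately, this rule keeps `message =` on a `warn` verb (L144-L150) while the other warn rules in this commit were moved to `add_header` (L130, L169, L211); Exim adds a warn's message as a header line and, because this text does not start with a header name, it will appear as an `X-ACL-Warn:` header, so either switch it to `add_header` with a proper header name or note that this is intended.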
# Check against classic DNS "black" lists (DNSBLs) which list
# sender IP addresses
.ifdef CHECK_RCPT_IP_DNSBLS
- warn
+ # hcoop-change: drop connection instead of warning
+ drop
message = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
dnslists = CHECK_RCPT_IP_DNSBLS
# : rhsbl.bar.org/$sender_address_domain
.ifdef CHECK_RCPT_DOMAIN_DNSBLS
warn
- message = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
- log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
!senders = ${if exists{CONFDIR/local_domain_dnsbl_whitelist}\
{CONFDIR/local_domain_dnsbl_whitelist}\
{}}
dnslists = CHECK_RCPT_DOMAIN_DNSBLS
+ add_header = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
+ log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
.endif
.include CHECK_RCPT_LOCAL_ACL_FILE
.endif
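Review bot: Changing the verb from `warn` to `drop` at L198 changes the meaning of the unchanged `message =` line at L199: on `warn` it was added as an X-Warning header, but on `deny`/`drop` it is the SMTP response text, so remote clients will now receive a rejection string that starts with `X-Warning:` and echoes `$dnslist_text` from the DNSBL's TXT record. This rule is also the only rejecting rule in this commit without `!acl = acl_local_deny_exceptions` (compare L154, L163, L74, L98), so hosts and senders placed on the local exception lists are still dropped on a DNSBL hit; if that is not intended, add `!acl = acl_local_deny_exceptions` and change the response to `message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)`. Note that `drop` closes the connection after the rejection, whereas `deny` would let the client continue with other recipients — worth stating in the hcoop-change comment on L197 since the DNSBL lookup happens per RCPT.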
+ # hcoop-change: 2015-03-19 clinton_admin
+ # testing if this will reject the fucktons of spam hitting logs@,
+ # most of it fscking signed with valid DKIM keys and evading
+ # spamassassin.
+ deny
+ log_message = rejecting non-hcoop host sending to logs
+ recipients = logs@*.hcoop.net
+ !hosts = +relay_from_hosts
+
#############################################################################
# This check is commented out because it is recognized that not every