2 ### acl/30_exim4-config_check_rcpt
3 #################################
5 # define macros to be used below in this file to check recipient
6 # local parts for strange characters. Documentation below.
7 # This blocks local parts that begin with a dot or contain a quite
8 # broad range of non-alphanumeric characters.
10 .ifndef CHECK_RCPT_LOCAL_LOCALPARTS
11 CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]
14 .ifndef CHECK_RCPT_REMOTE_LOCALPARTS
15 CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
18 # This access control list is used for every RCPT command in an incoming
19 # SMTP message. The tests are run in order until the address is either
24 # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
25 # testing for an empty sending host field.
28 control = dkim_disable_verify
30 # Do not try to verify DKIM signatures of incoming mail if DC_minimaldns
31 # or DISABLE_DKIM_VERIFY are set.
34 control = dkim_disable_verify
36 .ifdef DISABLE_DKIM_VERIFY
38 control = dkim_disable_verify
42 # The following section of the ACL is concerned with local parts that contain
43 # certain non-alphanumeric characters. Dots in unusual places are
44 # handled by this ACL as well.
46 # Non-alphanumeric characters other than dots are rarely found in genuine
47 # local parts, but are often tried by people looking to circumvent
48 # relaying restrictions. Therefore, although they are valid in local
49 # parts, these rules disallow certain non-alphanumeric characters, as
52 # Empty components (two dots in a row) are not valid in RFC 2822, but Exim
53 # allows them because they have been encountered. (Consider local parts
54 # constructed as "firstinitial.secondinitial.familyname" when applied to
55 # a name without a second initial.) However, a local part starting
56 # with a dot or containing /../ can cause trouble if it is used as part of a
57 # file name (e.g. for a mailing list). This is also true for local parts that
58 # contain slashes. A pipe symbol can also be troublesome if the local part is
59 # incorporated unthinkingly into a shell command line.
61 # These ACL components will block recipient addresses that are valid
62 # from an RFC5322 point of view. We chose to have them blocked by
63 # default for security reasons.
65 # If you feel that your site should have less strict recipient
66 # checking, please feel free to change the default values of the macros
67 # defined in main/01_exim4-config_listmacrosdefs or override them from a
68 # local configuration file.
70 # Two different rules are used. The first one has a quite strict
71 # default, and is applied to messages that are addressed to one of the
72 # local domains handled by this host.
74 # The default value of CHECK_RCPT_LOCAL_LOCALPARTS is defined
75 # at the top of this file.
76 .ifdef CHECK_RCPT_LOCAL_LOCALPARTS
78 domains = +local_domains
79 local_parts = CHECK_RCPT_LOCAL_LOCALPARTS
80 message = restricted characters in address
84 # The second rule applies to all other domains, and its default is
85 # considerably less strict.
87 # The default value of CHECK_RCPT_REMOTE_LOCALPARTS is defined in
88 # main/01_exim4-config_listmacrosdefs:
89 # CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
91 # It allows local users to send outgoing messages to sites
92 # that use slashes and vertical bars in their local parts. It blocks
93 # local parts that begin with a dot, slash, or vertical bar, but allows
94 # these characters within the local part. However, the sequence /../ is
95 # barred. The use of some other non-alphanumeric characters is blocked.
96 # Single quotes might probably be dangerous as well, but they're
97 # allowed by the default regexps to avoid rejecting mails to Ireland.
98 # The motivation here is to prevent local users (or local users' malware)
99 # from mounting certain kinds of attack on remote sites.
100 .ifdef CHECK_RCPT_REMOTE_LOCALPARTS
102 domains = !+local_domains
103 local_parts = CHECK_RCPT_REMOTE_LOCALPARTS
104 message = restricted characters in address
108 # Accept mail to postmaster in any local domain, regardless of the source,
109 # and without verifying the sender.
112 .ifndef CHECK_RCPT_POSTMASTER
113 local_parts = postmaster
115 local_parts = CHECK_RCPT_POSTMASTER
117 domains = +local_domains : +relay_to_domains
120 # Deny unless the sender address can be verified.
122 # This is disabled by default so that DNSless systems don't break. If
123 # your system can do DNS lookups without delay or cost, you might want
124 # to enable this feature.
126 # This feature does not work in smarthost and satellite setups as
127 # with these setups all domains pass verification. See spec.txt section
128 # "Access control lists" subsection "Address verification" with the added
129 # information that a smarthost/satellite setup routes all non-local e-mail
131 .ifdef CHECK_RCPT_VERIFY_SENDER
133 message = Sender verification failed
134 !acl = acl_local_deny_exceptions
138 # Verify senders listed in local_sender_callout with a callout.
140 # In smarthost and satellite setups, this causes the callout to be
141 # done to the smarthost. Verification will thus only be reliable if the
142 # smarthost does reject illegal addresses in the SMTP dialog.
144 !acl = acl_local_deny_exceptions
145 senders = ${if exists{CONFDIR/local_sender_callout}\
146 {CONFDIR/local_sender_callout}\
148 !verify = sender/callout
151 # Accept if the message comes from one of the hosts for which we are an
152 # outgoing relay. It is assumed that such hosts are most likely to be MUAs,
153 # so we set control=submission to make Exim treat the message as a
154 # submission. It will fix up various errors in the message, for example, the
155 # lack of a Date: header line. If you are actually relaying out out from
156 # MTAs, you may want to disable this. If you are handling both relaying from
157 # MTAs and submissions from MUAs you should probably split them into two
158 # lists, and handle them differently.
160 # Recipient verification is omitted here, because in many cases the clients
161 # are dumb MUAs that don't cope well with SMTP error responses. If you are
162 # actually relaying out from MTAs, you should probably add recipient
165 # Note that, by putting this test before any DNS black list checks, you will
166 # always accept from these hosts, even if they end up on a black list. The
167 # assumption is that they are your friends, and if they get onto black
168 # list, it is a mistake.
170 hosts = +relay_from_hosts
171 control = submission/sender_retain
172 control = dkim_disable_verify
175 # Accept if the message arrived over an authenticated connection, from
176 # any host. Again, these messages are usually from MUAs, so recipient
177 # verification is omitted, and submission mode is set. And again, we do this
178 # check before any black list tests.
181 control = submission/sender_retain
182 control = dkim_disable_verify
184 # Insist that a HELO/EHLO was accepted.
186 require message = nice hosts say HELO first
187 condition = ${if def:sender_helo_name}
189 # Insist that any other recipient address that we accept is either in one of
190 # our local domains, or is in a domain for which we explicitly allow
191 # relaying. Any other domain is rejected as being unacceptable for relaying.
193 message = relay not permitted
194 domains = +local_domains : +relay_to_domains
197 # We also require all accepted addresses to be verifiable. This check will
198 # do local part verification for local domains, but only check the domain
199 # for remote domains.
204 # Verify recipients listed in local_rcpt_callout with a callout.
205 # This is especially handy for forwarding MX hosts (secondary MX or
206 # mail hubs) of domains that receive a lot of spam to non-existent
207 # addresses. The only way to check local parts for remote relay
208 # domains is to use a callout (add /callout), but please read the
209 # documentation about callouts before doing this.
211 !acl = acl_local_deny_exceptions
212 recipients = ${if exists{CONFDIR/local_rcpt_callout}\
213 {CONFDIR/local_rcpt_callout}\
215 !verify = recipient/callout
218 # CONFDIR/local_sender_blacklist holds a list of envelope senders that
219 # should have their access denied to the local host. Incoming messages
220 # with one of these senders are rejected at RCPT time.
222 # The explicit white lists are honored as well as negative items in
223 # the black list. See exim4-config_files(5) for details.
225 message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
226 log_message = sender envelope address is locally blacklisted.
227 !acl = acl_local_deny_exceptions
228 senders = ${if exists{CONFDIR/local_sender_blacklist}\
229 {CONFDIR/local_sender_blacklist}\
233 # deny bad sites (IP address)
234 # CONFDIR/local_host_blacklist holds a list of host names, IP addresses
235 # and networks (CIDR notation) that should have their access denied to
236 # The local host. Messages coming in from a listed host will have all
237 # RCPT statements rejected.
239 # The explicit white lists are honored as well as negative items in
240 # the black list. See exim4-config_files(5) for details.
242 message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
243 log_message = sender IP address is locally blacklisted.
244 !acl = acl_local_deny_exceptions
245 hosts = ${if exists{CONFDIR/local_host_blacklist}\
246 {CONFDIR/local_host_blacklist}\
250 # Warn if the sender host does not have valid reverse DNS.
252 # If your system can do DNS lookups without delay or cost, you might want
254 # If sender_host_address is defined, it's a remote call. If
255 # sender_host_name is not defined, then reverse lookup failed. Use
256 # this instead of !verify = reverse_host_lookup to catch deferrals
257 # as well as outright failures.
258 .ifdef CHECK_RCPT_REVERSE_DNS
260 condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\
262 add_header = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}})
266 # Use spfquery to perform a pair of SPF checks (for details, see
267 # http://www.openspf.org/)
269 # This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not
270 # enable if that's an issue. Also note that if you enable this, you must
271 # install "spf-tools-perl" which provides the spfquery command.
272 # Missing spf-tools-perl will trigger the "Unexpected error in
273 # SPF check" warning.
274 .ifdef CHECK_RCPT_SPF
276 message = [SPF] $sender_host_address is not allowed to send mail from \
277 ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
279 http://www.openspf.org/Why?scope=${if def:sender_address_domain \
280 {mfrom}{helo}};identity=${if def:sender_address_domain \
281 {$sender_address}{$sender_helo_name}};ip=$sender_host_address
282 log_message = SPF check failed.
283 !acl = acl_local_deny_exceptions
284 condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
285 ${quote:$sender_host_address} --identity \
286 ${if def:sender_address_domain \
287 {--scope mfrom --identity ${quote:$sender_address}}\
288 {--scope helo --identity ${quote:$sender_helo_name}}}}\
289 {no}{${if eq {$runrc}{1}{yes}{no}}}}
292 message = Temporary DNS error while checking SPF record. Try again later.
293 !acl = acl_local_deny_exceptions
294 condition = ${if eq {$runrc}{5}{yes}{no}}
297 condition = ${if <={$runrc}{6}{yes}{no}}
298 add_header = Received-SPF: ${if eq {$runrc}{0}{pass}\
299 {${if eq {$runrc}{2}{softfail}\
300 {${if eq {$runrc}{3}{neutral}\
301 {${if eq {$runrc}{4}{permerror}\
302 {${if eq {$runrc}{6}{none}{error}}}}}}}}}\
303 } client-ip=$sender_host_address; \
304 ${if def:sender_address_domain \
305 {envelope-from=${sender_address}; }{}}\
306 helo=$sender_helo_name
309 log_message = Unexpected error in SPF check.
310 condition = ${if >{$runrc}{6}{yes}{no}}
314 # Check against classic DNS "black" lists (DNSBLs) which list
315 # sender IP addresses
316 .ifdef CHECK_RCPT_IP_DNSBLS
318 dnslists = CHECK_RCPT_IP_DNSBLS
319 add_header = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
320 log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
324 # Check against DNSBLs which list sender domains, with an option to locally
325 # whitelist certain domains that might be blacklisted.
327 # Note: If you define CHECK_RCPT_DOMAIN_DNSBLS, you must append
328 # "/$sender_address_domain" after each domain. For example:
329 # CHECK_RCPT_DOMAIN_DNSBLS = rhsbl.foo.org/$sender_address_domain \
330 # : rhsbl.bar.org/$sender_address_domain
331 .ifdef CHECK_RCPT_DOMAIN_DNSBLS
333 !senders = ${if exists{CONFDIR/local_domain_dnsbl_whitelist}\
334 {CONFDIR/local_domain_dnsbl_whitelist}\
336 dnslists = CHECK_RCPT_DOMAIN_DNSBLS
337 add_header = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
338 log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
342 # This hook allows you to hook in your own ACLs without having to
343 # modify this file. If you do it like we suggest, you'll end up with
344 # a small performance penalty since there is an additional file being
345 # accessed. This doesn't happen if you leave the macro unset.
346 .ifdef CHECK_RCPT_LOCAL_ACL_FILE
347 .include CHECK_RCPT_LOCAL_ACL_FILE
351 #############################################################################
352 # This check is commented out because it is recognized that not every
353 # sysadmin will want to do it. If you enable it, the check performs
354 # Client SMTP Authorization (csa) checks on the sending host. These checks
355 # do DNS lookups for SRV records. The CSA proposal is currently (May 2005)
356 # an Internet draft. You can, of course, add additional conditions to this
357 # ACL statement to restrict the CSA checks to certain hosts only.
359 # require verify = csa
360 #############################################################################
363 # Accept if the address is in a domain for which we are an incoming relay,
364 # but again, only if the recipient can be verified.
367 domains = +relay_to_domains
372 # At this point, the address has passed all the checks that have been
373 # configured, so we accept it unconditionally.