### acl/30_exim4-config_check_rcpt
#################################

# This access control list is used for every RCPT command in an incoming
# SMTP message. The tests are run in order until the address is either
# accepted or denied.
#
# Ordering is the security model here: the first verb whose conditions all
# match decides the fate of that recipient, so an "accept" placed early
# bypasses every check that follows it, and a "deny" placed early also hits
# clients that a later "accept" would have trusted. Keep that in mind when
# inserting statements (see the CHECK_RCPT_LOCAL_ACL_FILE hook below).
#
acl_check_rcpt:
  # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
  # testing for an empty sending host field.
  #
  # Mail injected locally (no TCP/IP peer) is accepted unconditionally at
  # this point: none of the local-part character checks, blacklists,
  # verification, DNSBL or relay decisions below apply to it, and the
  # recipient is not verified. Local users and processes can therefore
  # relay anywhere through this host.
  accept
    hosts = :


  # Add missing Date and Message-ID header for relayed messages
  #
  # "submission" mode makes Exim fix up the message as an MUA-facing
  # server would; the "sender_retain" variant keeps the Sender: header the
  # client supplied rather than rewriting it (see the Exim "submission
  # mode" documentation for the exact rules). In effect the hosts in
  # +relay_from_hosts are trusted to present whatever sender identity they
  # like, so that list should only contain hosts you control.
  warn
    hosts = +relay_from_hosts
    control = submission/sender_retain


  # The following section of the ACL is concerned with local parts that contain
  # certain non-alphanumeric characters. Dots in unusual places are
  # handled by this ACL as well.
  #
  # Non-alphanumeric characters other than dots are rarely found in genuine
  # local parts, but are often tried by people looking to circumvent
  # relaying restrictions. Therefore, although they are valid in local
  # parts, these rules disallow certain non-alphanumeric characters, as
  # a precaution.
  #
  # Empty components (two dots in a row) are not valid in RFC 2822, but Exim
  # allows them because they have been encountered. (Consider local parts
  # constructed as "firstinitial.secondinitial.familyname" when applied to
  # a name without a second initial.) However, a local part starting
  # with a dot or containing /../ can cause trouble if it is used as part of a
  # file name (e.g. for a mailing list). This is also true for local parts that
  # contain slashes. A pipe symbol can also be troublesome if the local part is
  # incorporated unthinkingly into a shell command line.
  #
  # Two different rules are used. The first one has a quite strict
  # default, and is applied to messages that are addressed to one of the
  # local domains handled by this host.
  # If you have local accounts that include strange characters, you can
  # use the macro provided to change the ACL range or to disable the
  # check completely.
  #
  # Both rules exist only while their macro is defined. With the macro
  # unset a local part is not inspected here at all before it reaches the
  # routers and transports, which is only safe if nothing downstream builds
  # a file name or a shell command out of $local_part.
.ifdef CHECK_RCPT_LOCAL_LOCALPARTS
  deny
    domains = +local_domains
    local_parts = CHECK_RCPT_LOCAL_LOCALPARTS
    message = restricted characters in address
.endif


  # The second rule applies to all other domains, and its default is
  # considerably less strict.
.ifdef CHECK_RCPT_REMOTE_LOCALPARTS
  deny
    domains = !+local_domains
    local_parts = CHECK_RCPT_REMOTE_LOCALPARTS
    message = restricted characters in address
.endif


  # Accept mail to postmaster in any local domain, regardless of the source,
  # and without verifying the sender.
  #
  # Because this "accept" sits above every deny that follows, postmaster
  # mail is still taken from blacklisted hosts and senders and from
  # DNSBL-listed clients, and it never reaches the CHECK_RCPT_LOCAL_ACL_FILE
  # hook. That is deliberate (postmaster must be reachable) but it means
  # the postmaster mailbox must be prepared to receive abuse. The recipient
  # is not verified here either, so whatever CHECK_RCPT_POSTMASTER names
  # should actually route somewhere.
  accept
.ifndef CHECK_RCPT_POSTMASTER
    local_parts = postmaster
.else
    local_parts = CHECK_RCPT_POSTMASTER
.endif
    domains = +local_domains


  # deny bad senders (envelope sender)
  # CONFDIR/local_sender_blacklist holds a list of envelope senders that
  # should have their access denied to the local host. Incoming messages
  # with one of these senders are rejected at RCPT time.
  #
  # The explicit white lists are honored as well as negative items in
  # the black list. See /usr/share/doc/exim4-config/default_acl for details.
  #
  # Envelope senders are chosen freely by the connecting client, so this is
  # a nuisance filter, not an authentication mechanism. If the blacklist
  # file does not exist the expansion yields an empty list, the "senders"
  # condition never matches and the statement is a no-op.
  # acl_whitelist_local_deny is defined in another file (not shown here).
  deny
    message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
    !acl = acl_whitelist_local_deny
    senders = ${if exists{CONFDIR/local_sender_blacklist}\
               {CONFDIR/local_sender_blacklist}\
               {}}


  # deny bad sites (IP address)
  # CONFDIR/local_host_blacklist holds a list of host names, IP addresses
  # and networks (CIDR notation) that should have their access denied to
  # The local host. Messages coming in from a listed host will have all
  # RCPT statements rejected.
  #
  # The explicit white lists are honored as well as negative items in
  # the black list. See /usr/share/doc/exim4-config/default_acl for details.
  #
  # As above, a missing file disables the statement. Prefer IP/CIDR entries
  # where the network is known: a host *name* in the list requires a
  # reverse lookup of the client for every RCPT, and if that lookup cannot
  # complete the Exim host-list rules for unknown hosts
  # (+ignore_unknown / +include_unknown) decide the outcome.
  deny
    message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
    !acl = acl_whitelist_local_deny
    hosts = ${if exists{CONFDIR/local_host_blacklist}\
             {CONFDIR/local_host_blacklist}\
             {}}


  # Deny unless the sender address can be verified.
  #
  # This is disabled by default so that DNSless systems don't break. If
  # your system can do DNS lookups without delay or cost, you might want
  # to enable this feature.
  #
  # "verify = sender" checks that this host's routers can route the sender
  # address (for a remote domain that is essentially "the domain
  # resolves"); it does not prove the sender is genuine. A verification
  # that cannot complete (e.g. a DNS timeout) is expected to produce a
  # temporary 4xx rather than a deny -- that is the "break" mentioned
  # above; confirm against the Exim ACL documentation on deferred
  # conditions before enabling. Note that this also applies to
  # authenticated clients and to +relay_from_hosts, which are only
  # accepted further down.
.ifdef CHECK_RCPT_VERIFY_SENDER
  deny
    message = Sender verification failed
    !acl = acl_whitelist_local_deny
    !verify = sender
.endif

  # For some sender domains, we do callout to verify if a sender
  # exists.
  #
  # A callout opens an outbound SMTP session to the sender domain's MX and
  # probes the address (MAIL FROM / RCPT TO, no message data). It runs for
  # every RCPT whose envelope sender matches CONFDIR/local_sender_callout,
  # against a host chosen by whoever set the (unauthenticated) sender
  # address, so keep that list narrow to avoid being turned into a probe
  # or amplification source. Exim's callout cache (on by default) limits
  # repeat probes. A missing file yields an empty list and disables the
  # statement.
  deny
    !acl = acl_whitelist_local_deny
    senders = ${if exists{CONFDIR/local_sender_callout}\
               {CONFDIR/local_sender_callout}\
               {}}
    !verify = sender/callout


  # For some recipient domains, we do callout to verify if a recipient
  # exists. This is especially handy for customers that receive a lot of
  # spam to non-existent addresses.
  #
  # The probe goes to whatever host the routers select for the recipient
  # (for +relay_to_domains typically the customer's own server). Rejecting
  # unknown users at RCPT time, instead of accepting and bouncing later,
  # is what avoids backscatter. Only recipients matching
  # CONFDIR/local_rcpt_callout are probed; a missing file disables this.
  deny
    !acl = acl_whitelist_local_deny
    recipients = ${if exists{CONFDIR/local_rcpt_callout}\
                  {CONFDIR/local_rcpt_callout}\
                  {}}
    !verify = recipient/callout


  # Warn if the sender host does not have valid reverse DNS.
  #
  # If your system can do DNS lookups without delay or cost, you might want
  # to enable this.
  # If sender_host_address is defined, it's a remote call. If
  # sender_host_name is not defined, then reverse lookup failed. Use
  # this instead of !verify = reverse_host_lookup to catch deferrals
  # as well as outright failures.
  #
  # This is a "warn": it only adds the X-Host-Lookup-Failed: header and
  # never rejects. It is evaluated for every TCP client, authenticated or
  # not.
.ifdef CHECK_RCPT_REVERSE_DNS
  warn
    message = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}})
    condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\
                {yes}{no}}
.endif


  # Check against classic DNS "black" lists (DNSBLs) which list
  # sender IP addresses
  #
  # Again a "warn": a listing adds an X-Warning: header and a log line but
  # does not reject. Nothing here excludes +relay_from_hosts or
  # authenticated clients, so a roaming MUA submitting from a listed (e.g.
  # dynamic) range gets the header too; add "!authenticated = *" and
  # "!hosts = +relay_from_hosts" conditions to this statement if that is
  # unwanted. $dnslist_text is text published by the DNSBL operator and is
  # copied into the header verbatim, so only query lists you trust.
.ifdef CHECK_RCPT_IP_DNSBLS
  warn
    message = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
    log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
    dnslists = CHECK_RCPT_IP_DNSBLS
.endif


  # Check against DNSBLs which list sender domains, with an option to locally
  # whitelist certain domains that might be blacklisted. If you want one
  # blacklist per domain, you need to replicate the stanza for each DNSBL.
  #
  # The lookup key is $sender_address_domain, i.e. a value chosen by the
  # remote client; for bounces (empty envelope sender) it is empty. Check
  # how your Exim version treats an empty dnslists key before relying on
  # this. Senders matching CONFDIR/local_domain_dnsbl_whitelist skip the
  # lookup entirely; a missing whitelist file means nobody is exempt.
.ifdef CHECK_RCPT_DOMAIN_DNSBLS
  warn
    message = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
    log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
    !senders = ${if exists{CONFDIR/local_domain_dnsbl_whitelist}\
                {CONFDIR/local_domain_dnsbl_whitelist}\
                {}}
    dnslists = CHECK_RCPT_DOMAIN_DNSBLS/$sender_address_domain
.endif


  # This hook allows you to hook in your own ACLs without having to
  # modify this file. If you do it like we suggest, you'll end up with
  # a small performance penalty since there is an additional file being
  # accessed. This doesn't happen if you leave the macro unset.
  #
  # Statements included here run after the postmaster accept, the
  # blacklists and the DNSBL warnings, but before recipient verification
  # and the relay decisions below. An "accept" in the included file
  # therefore bypasses recipient verification and the relay checks, and a
  # "deny" there also applies to +relay_from_hosts and authenticated
  # clients.
.ifdef CHECK_RCPT_LOCAL_ACL_FILE
.include CHECK_RCPT_LOCAL_ACL_FILE
.endif


  # Accept if the address is in a local domain, but only if the recipient can
  # be verified. Otherwise deny. The "endpass" line is the border between
  # passing on to the next ACL statement (if tests above it fail) or denying
  # access (if tests below it fail).
  #
  # Rejecting unknown local users at RCPT time is what keeps this host from
  # accepting mail it would later have to bounce (backscatter). The price
  # is that the "unknown user" response confirms which local parts exist;
  # for relayed domains the statement below makes that a configurable
  # choice.
  accept
    domains = +local_domains
    endpass
    message = unknown user
    verify = recipient


  # Accept if the address is in a domain for which we are relaying, but again,
  # only if the recipient can be verified.
  #
  # If you want to use the more conservative "unknown user" error
  # message in case of a non-existing local part, you might want to
  # set CHECK_RCPT_GIVE_UNKNOWN_USER. However, this might reveal
  # local information, which is the cause for it not being enabled by
  # default.
  accept
    domains = +relay_to_domains
    endpass
.ifdef CHECK_RCPT_GIVE_UNKNOWN_USER
    message = ${if eq{$acl_verify_message}{Unrouteable address}{unknown user}{$acl_verify_message}}
.else
    message = unrouteable address
.endif
    verify = recipient


  ############
  # If control reaches this point, the domain is neither in +local_domains
  # nor in +relay_to_domains.
  ############
  #
  # Everything from here on is the outbound-relay decision: an "accept"
  # in this part lets the client send to arbitrary third-party domains.

  # Accept if the message comes from one of the hosts for which we are an
  # outgoing relay. Recipient verification is omitted here, because in many
  # cases the clients are dumb MUAs that don't cope well with SMTP error
  # responses. If you are actually relaying out from MTAs, you should probably
  # add recipient verification here.
  #
  # Hosts in +relay_from_hosts need no authentication, and no sender check
  # beyond the blacklists above, so that list must contain only addresses
  # you control. A broad range here turns this host into an open relay.
  accept
    hosts = +relay_from_hosts


  # Accept if the message arrived over an authenticated connection, from
  # any host. Again, these messages are usually from MUAs, so recipient
  # verification is omitted.
  #
  # Any successful SMTP AUTH grants relay rights regardless of client
  # address. The authenticators (configured elsewhere, not in this ACL)
  # are the whole gate here -- in particular whether AUTH is only offered
  # after STARTTLS is decided there.
  accept
    authenticated = *


  # Reaching the end of the ACL causes a "deny", but we might as well give
  # an explicit message.
  #
  # This is the default for every client that is neither local, nor in
  # +relay_from_hosts, nor authenticated, when the recipient domain is not
  # one this host handles.
  deny
    message = relay not permitted