### acl/30_exim4-config_check_rcpt
#################################

# This access control list is run for every RCPT TO command of an incoming
# SMTP session, i.e. once per recipient address. The statements below are
# evaluated in order until one of them accepts or denies the address. The
# first matching "accept" ends the list, so every "accept" placed before
# the blacklist, reverse-DNS, SPF and DNSBL checks further down bypasses
# those checks for the addresses it matches.
#
# The CHECK_RCPT_* macros and CONFDIR are expected to be defined in
# main/01_exim4-config_listmacrosdefs (or overridden from a local
# configuration file); statements wrapped in .ifdef are only present in the
# running configuration when the corresponding macro is set.
#
acl_check_rcpt:

# Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
# testing for an empty sending host field: the empty item in the host list
# matches when no remote host address is set.
#
# Note that this accept ends the ACL, so locally injected mail is never
# subject to any of the checks below. Anything that can talk to the local
# exim without a TCP connection (scripts, cron jobs, compromised local
# software) can therefore send to any recipient without sender, relay or
# blacklist checks.
  accept
    hosts = :


# The following section of the ACL is concerned with local parts that contain
# certain non-alphanumeric characters. Dots in unusual places are
# handled by this ACL as well.
#
# Non-alphanumeric characters other than dots are rarely found in genuine
# local parts, but are often tried by people looking to circumvent
# relaying restrictions. Therefore, although they are valid in local
# parts, these rules disallow certain non-alphanumeric characters, as
# a precaution.
#
# Empty components (two dots in a row) are not valid in RFC 2822, but Exim
# allows them because they have been encountered. (Consider local parts
# constructed as "firstinitial.secondinitial.familyname" when applied to
# a name without a second initial.) However, a local part starting
# with a dot or containing /../ can cause trouble if it is used as part of a
# file name (e.g. for a mailing list). This is also true for local parts that
# contain slashes. A pipe symbol can also be troublesome if the local part is
# incorporated unthinkingly into a shell command line.
#
# These ACL components will block recipient addresses that are valid
# from an RFC 2822 point of view. We chose to have them blocked by
# default for security reasons.
#
# If you feel that your site should have less strict recipient
# checking, please feel free to change the default values of the macros
# defined in main/01_exim4-config_listmacrosdefs or override them from a
# local configuration file. Be aware that loosening them widens what an
# unverified remote client can get passed into file names and commands
# further down the delivery path.
#
# Two different rules are used. The first one has a quite strict
# default, and is applied to messages that are addressed to one of the
# local domains handled by this host.

# The default value of CHECK_RCPT_LOCAL_LOCALPARTS is defined in
# main/01_exim4-config_listmacrosdefs:
#   CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]
# This blocks local parts that begin with a dot or contain a quite
# broad range of non-alphanumeric characters.
.ifdef CHECK_RCPT_LOCAL_LOCALPARTS
  deny
    domains = +local_domains
    local_parts = CHECK_RCPT_LOCAL_LOCALPARTS
    message = restricted characters in address
.endif


# The second rule applies to all other domains, and its default is
# considerably less strict.

# The default value of CHECK_RCPT_REMOTE_LOCALPARTS is defined in
# main/01_exim4-config_listmacrosdefs:
#   CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./

# It allows local users to send outgoing messages to sites
# that use slashes and vertical bars in their local parts. It blocks
# local parts that begin with a dot, slash, or vertical bar, but allows
# these characters within the local part. However, the sequence /../ is
# barred. The use of some other non-alphanumeric characters is blocked.
# Single quotes could well be dangerous too, but they are allowed by the
# default regexps to avoid rejecting mail to Ireland (local parts such as
# o'brien).
# The motivation here is to prevent local users (or local users' malware)
# from mounting certain kinds of attack on remote sites.
.ifdef CHECK_RCPT_REMOTE_LOCALPARTS
  deny
    domains = !+local_domains
    local_parts = CHECK_RCPT_REMOTE_LOCALPARTS
    message = restricted characters in address
.endif


# Accept mail to postmaster in any local domain, and in any domain we relay
# to, regardless of the source and without verifying the sender.
#
# Because this accept ends the ACL, mail for postmaster also skips the
# sender/host blacklists, the reverse-DNS, SPF and DNSBL checks and
# recipient verification that follow. Set CHECK_RCPT_POSTMASTER to a
# different local part list if other role addresses should get the same
# treatment (and only then).
#
  accept
.ifndef CHECK_RCPT_POSTMASTER
    local_parts = postmaster
.else
    local_parts = CHECK_RCPT_POSTMASTER
.endif
    domains = +local_domains : +relay_to_domains


# Deny unless the sender address can be verified.
#
# This is disabled by default so that DNSless systems don't break. If
# your system can do DNS lookups without delay or cost, you might want
# to enable this feature.
#
# This feature does not work in smarthost and satellite setups as
# with these setups all domains pass verification. See spec.txt chapter
# 39.31 with the added information that a smarthost/satellite setup
# routes all non-local e-mail to the smarthost.
#
# Senders or hosts matched by acl_whitelist_local_deny (defined elsewhere
# in this configuration) are exempt from this check; the whitelist ACL is
# tested first so that no verification is attempted for them.
.ifdef CHECK_RCPT_VERIFY_SENDER
  deny
    message = Sender verification failed
    !acl = acl_whitelist_local_deny
    !verify = sender
.endif

# Verify senders listed in local_sender_callout with a callout.
#
# In smarthost and satellite setups, this causes the callout to be
# done to the smarthost. Verification will thus only be reliable if the
# smarthost does reject illegal addresses in the SMTP dialog.
#
# A callout opens an outbound SMTP connection to verify the address, so
# populate this list deliberately and read the callout documentation
# before adding broad patterns. If the file does not exist the sender
# list is empty and this statement never matches.
  deny
    !acl = acl_whitelist_local_deny
    senders = ${if exists{CONFDIR/local_sender_callout}\
                  {CONFDIR/local_sender_callout}\
                  {}}
    !verify = sender/callout


# Accept if the message comes from one of the hosts for which we are an
# outgoing relay. It is assumed that such hosts are most likely to be MUAs,
# so we set control=submission to make Exim treat the message as a
# submission. It will fix up various errors in the message, for example, the
# lack of a Date: header line. If you are actually relaying out from
# MTAs, you may want to disable this. If you are handling both relaying from
# MTAs and submissions from MUAs you should probably split them into two
# lists, and handle them differently.

# Recipient verification is omitted here, because in many cases the clients
# are dumb MUAs that don't cope well with SMTP error responses. If you are
# actually relaying out from MTAs, you should probably add recipient
# verification here.

# Note that, by putting this test before any DNS black list checks, you will
# always accept from these hosts, even if they end up on a black list. The
# assumption is that they are your friends, and if they get onto a black
# list, it is a mistake. The same applies to the local sender and host
# blacklists below: a host in relay_from_hosts can relay to any recipient
# with any sender address, so keep that list to hosts you actually trust.
  accept
    hosts = +relay_from_hosts
    control = submission/sender_retain


# Accept if the message arrived over an authenticated connection, from
# any host. Again, these messages are usually from MUAs, so recipient
# verification is omitted, and submission mode is set. And again, we do this
# check before any black list tests.
#
# Any successfully authenticated client may relay anywhere, so this rule is
# only as strong as the credentials and the transport protection configured
# in the authenticators (not in this file). A leaked password turns this
# host into an open relay for that account.
  accept
    authenticated = *
    control = submission/sender_retain


# Insist that any other recipient address that we accept is either in one of
# our local domains, or is in a domain for which we explicitly allow
# relaying. Any other domain is rejected as being unacceptable for relaying.
# This is the statement that stops the host from being an open relay for
# unauthenticated, non-listed clients.
  require
    message = relay not permitted
    domains = +local_domains : +relay_to_domains


# We also require all accepted addresses to be verifiable. This check will
# do local part verification for local domains, but only check the domain
# for remote domains. Rejecting unknown local recipients here, at RCPT
# time, avoids accepting the message and bouncing it later (backscatter).
  require
    verify = recipient


# Verify recipients listed in local_rcpt_callout with a callout.
# This is especially handy for forwarding MX hosts (secondary MX or
# mail hubs) of domains that receive a lot of spam to non-existent
# addresses. The general "verify = recipient" above only checks the
# domain for remote relay domains; the only way to check their local parts
# is a callout to the domain's mail host, which this statement does for
# the listed recipients. Please read the documentation about callouts
# before listing many addresses here.
  deny
    !acl = acl_whitelist_local_deny
    recipients = ${if exists{CONFDIR/local_rcpt_callout}\
                  {CONFDIR/local_rcpt_callout}\
                  {}}
    !verify = recipient/callout


# CONFDIR/local_sender_blacklist holds a list of envelope senders that
# should have their access denied to the local host. Incoming messages
# with one of these senders are rejected at RCPT time.
#
# The explicit white lists are honored as well as negative items in
# the black list. See exim4-config_files(5) for details.
#
# Note that mail from relay_from_hosts, authenticated clients and mail to
# postmaster has already been accepted above and never reaches this test.
  deny
    message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
    !acl = acl_whitelist_local_deny
    senders = ${if exists{CONFDIR/local_sender_blacklist}\
                  {CONFDIR/local_sender_blacklist}\
                  {}}


# deny bad sites (IP address)
# CONFDIR/local_host_blacklist holds a list of host names, IP addresses
# and networks (CIDR notation) that should have their access denied to
# the local host. Messages coming in from a listed host will have all
# RCPT statements rejected.
#
# The explicit white lists are honored as well as negative items in
# the black list. See /usr/share/doc/exim4-config/default_acl for details.
  deny
    message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
    !acl = acl_whitelist_local_deny
    hosts = ${if exists{CONFDIR/local_host_blacklist}\
                  {CONFDIR/local_host_blacklist}\
                  {}}


# Warn if the sender host does not have valid reverse DNS.
#
# If your system can do DNS lookups without delay or cost, you might want
# to enable this.
# If sender_host_address is defined, it's a remote call. If
# sender_host_name is not defined, then reverse lookup failed. Use
# this instead of !verify = reverse_host_lookup to catch deferrals
# as well as outright failures.
#
# This is a "warn": the address is still accepted and an
# X-Host-Lookup-Failed: header is added to the message. A remote sender can
# include such a header itself, so downstream filters should not treat its
# presence as proof that the lookup failed here.
.ifdef CHECK_RCPT_REVERSE_DNS
  warn
    message = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}})
    condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\
                    {yes}{no}}
.endif


# Use spfquery to perform a pair of SPF checks (for details, see
# http://www.openspf.org/)
#
# This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not
# enable if that's an issue. Also note that if you enable this, you must
# install "libmail-spf-query-perl" which provides the spfquery command.
# Missing libmail-spf-query-perl will trigger the "Unexpected error in
# SPF check" warning.
#
# How the statements fit together: the first "deny" runs spfquery and only
# rejects when it exits with status 1 (SPF "fail"). The "defer" and the two
# "warn" statements that follow do not run spfquery again; they inspect the
# $runrc left behind by that first run, so they must stay directly after
# it. The best-guess "warn" near the end runs spfquery a second time and
# the final "defer" reads that second exit status.
#
# Security notes:
#  - $sender_address and $sender_helo_name come from the remote client and
#    are interpolated into the ${run} command line. ${run} executes the
#    command directly rather than through a shell (per the Exim spec), but
#    how the expanded string is split into arguments -- and therefore
#    whether quotes or whitespace inside a quoted-string local part can
#    alter the arguments spfquery receives -- depends on the Exim version.
#    NOTE(review): confirm this for the version in use before enabling.
#  - Received-SPF: and X-SPF-Guess: are added by "warn" and may already be
#    present in a message when it arrives; do not trust them downstream
#    unless you know they were added here.
.ifdef CHECK_RCPT_SPF
  deny
    message = [SPF] $sender_host_address is not allowed to send mail from ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
              Please see http://www.openspf.org/why.html?sender=$sender_address&ip=$sender_host_address
    log_message = SPF check failed.
    condition = ${run{/usr/bin/spfquery --ip \"$sender_host_address\" --mail-from \"$sender_address\" --helo \"$sender_helo_name\"}\
                     {no}{${if eq {$runrc}{1}{yes}{no}}}}

  defer
    message = Temporary DNS error while checking SPF record. Try again later.
    condition = ${if eq {$runrc}{5}{yes}{no}}

  warn
    message = Received-SPF: ${if eq {$runrc}{0}{pass}{${if eq {$runrc}{2}{softfail}\
                     {${if eq {$runrc}{3}{neutral}{${if eq {$runrc}{4}{unknown}{${if eq {$runrc}{6}{none}{error}}}}}}}}}}
    condition = ${if <={$runrc}{6}{yes}{no}}

  warn
    log_message = Unexpected error in SPF check.
    condition = ${if >{$runrc}{6}{yes}{no}}

  # Support for best-guess (see http://www.openspf.org/developers-guide.html)
  # This runs spfquery again and overwrites $runrc; the defer below refers
  # to this second run.
  warn
    message = X-SPF-Guess: ${run{/usr/bin/spfquery --ip \"$sender_host_address\" --mail-from \"$sender_address\" \
                     --helo \"$sender_helo_name\" --guess true}\
                     {pass}{${if eq {$runrc}{2}{softfail}{${if eq {$runrc}{3}{neutral}{${if eq {$runrc}{4}{unknown}\
                     {${if eq {$runrc}{6}{none}{error}}}}}}}}}}
    condition = ${if <={$runrc}{6}{yes}{no}}

  defer
    message = Temporary DNS error while checking SPF record. Try again later.
    condition = ${if eq {$runrc}{5}{yes}{no}}
.endif


# Check against classic DNS "black" lists (DNSBLs) which list
# sender IP addresses.
#
# This is a "warn", so a listing only adds an X-Warning: header and a log
# line; the address is still accepted. To reject listed hosts at RCPT time
# change the verb to "deny" (message = then becomes the SMTP rejection
# text, as in the deny statements above). As with every header added by
# warn, X-Warning: may already be present in an incoming message.
.ifdef CHECK_RCPT_IP_DNSBLS
  warn
    message = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
    log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
    dnslists = CHECK_RCPT_IP_DNSBLS
.endif


# Check against DNSBLs which list sender domains, with an option to locally
# whitelist certain domains that might be blacklisted (senders matching
# CONFDIR/local_domain_dnsbl_whitelist are skipped; a missing file means an
# empty whitelist).
#
# Note: If you define CHECK_RCPT_DOMAIN_DNSBLS, you must append
# "/$sender_address_domain" after each domain. For example:
#   CHECK_RCPT_DOMAIN_DNSBLS = rhsbl.foo.org/$sender_address_domain \
#                            : rhsbl.bar.org/$sender_address_domain
# Like the IP DNSBL check, this only warns (adds a header); it does not
# reject.
.ifdef CHECK_RCPT_DOMAIN_DNSBLS
  warn
    message = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
    log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
    !senders = ${if exists{CONFDIR/local_domain_dnsbl_whitelist}\
                  {CONFDIR/local_domain_dnsbl_whitelist}\
                  {}}
    dnslists = CHECK_RCPT_DOMAIN_DNSBLS
.endif


# This hook allows you to hook in your own ACLs without having to
# modify this file. If you do it like we suggest, you'll end up with
# a small performance penalty since there is an additional file being
# accessed. This doesn't happen if you leave the macro unset.
#
# The included statements run at exactly this point: after the relay,
# verification, blacklist and DNSBL checks above, and before the final
# accepts below. Addresses already accepted above never reach them.
.ifdef CHECK_RCPT_LOCAL_ACL_FILE
.include CHECK_RCPT_LOCAL_ACL_FILE
.endif


#############################################################################
# This check is commented out because it is recognized that not every
# sysadmin will want to do it. If you enable it, the check performs
# Client SMTP Authorization (csa) checks on the sending host. These checks
# do DNS lookups for SRV records. The CSA proposal is currently (May 2005)
# an Internet draft. You can, of course, add additional conditions to this
# ACL statement to restrict the CSA checks to certain hosts only.
#
# require verify = csa
#############################################################################


# Accept if the address is in a domain for which we are an incoming relay,
# but again, only if the recipient can be verified. "endpass" turns a
# failing verify into a denial rather than a fall-through to the final
# accept below. (The "require verify = recipient" further up has already
# verified these addresses, so this is belt-and-braces and documents the
# intent.)

  accept
    domains = +relay_to_domains
    endpass
    verify = recipient


# At this point, the address has passed all the checks that have been
# configured: it is in one of our local domains (addresses in
# +relay_to_domains were handled by the previous statement) and the
# recipient has been verified, so we accept it unconditionally.

  accept