2 ### acl/30_exim4-config_check_rcpt
3 #################################
5 # This access control list is used for every RCPT command in an incoming
6 # SMTP message. The tests are run in order until the address is either
11 # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
12 # testing for an empty sending host field.
17 # The following section of the ACL is concerned with local parts that contain
18 # certain non-alphanumeric characters. Dots in unusual places are
19 # handled by this ACL as well.
21 # Non-alphanumeric characters other than dots are rarely found in genuine
22 # local parts, but are often tried by people looking to circumvent
23 # relaying restrictions. Therefore, although they are valid in local
24 # parts, these rules disallow certain non-alphanumeric characters, as
27 # Empty components (two dots in a row) are not valid in RFC 2822, but Exim
28 # allows them because they have been encountered. (Consider local parts
29 # constructed as "firstinitial.secondinitial.familyname" when applied to
30 # a name without a second initial.) However, a local part starting
31 # with a dot or containing /../ can cause trouble if it is used as part of a
32 # file name (e.g. for a mailing list). This is also true for local parts that
33 # contain slashes. A pipe symbol can also be troublesome if the local part is
34 # incorporated unthinkingly into a shell command line.
36 # These ACL components will block recipient addresses that are valid
37 # from an RFC2822 point of view. We chose to have them blocked by
38 # default for security reasons.
40 # If you feel that your site should have less strict recipient
41 # checking, please feel free to change the default values of the macros
42 # defined in main/01_exim4-config_listmacrosdefs or override them from a
43 # local configuration file.
45 # Two different rules are used. The first one has a quite strict
46 # default, and is applied to messages that are addressed to one of the
47 # local domains handled by this host.
49 # The default value of CHECK_RCPT_LOCAL_LOCALPARTS is defined in
50 # main/01_exim4-config_listmacrosdefs:
51 # CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]
52 # This blocks local parts that begin with a dot or contain a quite
53 # broad range of non-alphanumeric characters.
54 .ifdef CHECK_RCPT_LOCAL_LOCALPARTS
56 domains = +local_domains : +unix_domains
57 local_parts = CHECK_RCPT_LOCAL_LOCALPARTS
58 message = restricted characters in address
62 # The second rule applies to all other domains, and its default is
63 # considerably less strict.
65 # The default value of CHECK_RCPT_REMOTE_LOCALPARTS is defined in
66 # main/01_exim4-config_listmacrosdefs:
67 # CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
69 # It allows local users to send outgoing messages to sites
70 # that use slashes and vertical bars in their local parts. It blocks
71 # local parts that begin with a dot, slash, or vertical bar, but allows
72 # these characters within the local part. However, the sequence /../ is
73 # barred. The use of some other non-alphanumeric characters is blocked.
74 # Single quotes might probably be dangerous as well, but they're
75 # allowed by the default regexps to avoid rejecting mails to Ireland.
76 # The motivation here is to prevent local users (or local users' malware)
77 # from mounting certain kinds of attack on remote sites.
78 .ifdef CHECK_RCPT_REMOTE_LOCALPARTS
80 domains = !+local_domains : !+unix_domains
81 local_parts = CHECK_RCPT_REMOTE_LOCALPARTS
82 message = restricted characters in address
86 # Accept mail to postmaster in any local domain, regardless of the source,
87 # and without verifying the sender.
90 .ifndef CHECK_RCPT_POSTMASTER
91 local_parts = postmaster
93 local_parts = CHECK_RCPT_POSTMASTER
95 domains = +local_domains : +unix_domains : +relay_to_domains
98 # Deny unless the sender address can be verified.
100 # This is disabled by default so that DNSless systems don't break. If
101 # your system can do DNS lookups without delay or cost, you might want
102 # to enable this feature.
104 # This feature does not work in smarthost and satellite setups as
105 # with these setups all domains pass verification. See spec.txt chapter
106 # 39.31 with the added information that a smarthost/satellite setup
107 # routes all non-local e-mail to the smarthost.
108 .ifdef CHECK_RCPT_VERIFY_SENDER
110 message = Sender verification failed
111 !acl = acl_whitelist_local_deny
115 # hcoop-change: Add recommended lines from
116 # /usr/share/doc/mailman/README.EXIM.gz so that bounce messages
117 # get through, even if they are from a malformed address
119 # Accept bounces to lists even if callbacks or other checks would fail
121 message = X-WhitelistedRCPT-nohdrfromcallback: Yes
122 condition = ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
124 ${lookup{$local_part@$domain}lsearch{MAILMAN_DB}}} \
128 condition = ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
130 ${lookup{$local_part@$domain}lsearch{MAILMAN_DB}}} \
133 # Verify senders listed in local_sender_callout with a callout.
135 # In smarthost and satellite setups, this causes the callout to be
136 # done to the smarthost. Verification will thus only be reliable if the
137 # smarthost does reject illegal addresses in the SMTP dialog.
139 !acl = acl_whitelist_local_deny
140 senders = ${if exists{CONFDIR/local_sender_callout}\
141 {CONFDIR/local_sender_callout}\
143 !verify = sender/callout
146 # Accept if the message comes from one of the hosts for which we are an
147 # outgoing relay. It is assumed that such hosts are most likely to be MUAs,
148 # so we set control=submission to make Exim treat the message as a
149 # submission. It will fix up various errors in the message, for example, the
150 # lack of a Date: header line. If you are actually relaying out out from
151 # MTAs, you may want to disable this. If you are handling both relaying from
152 # MTAs and submissions from MUAs you should probably split them into two
153 # lists, and handle them differently.
155 # Recipient verification is omitted here, because in many cases the clients
156 # are dumb MUAs that don't cope well with SMTP error responses. If you are
157 # actually relaying out from MTAs, you should probably add recipient
160 # Note that, by putting this test before any DNS black list checks, you will
161 # always accept from these hosts, even if they end up on a black list. The
162 # assumption is that they are your friends, and if they get onto black
163 # list, it is a mistake.
165 hosts = +relay_from_hosts
166 control = submission/sender_retain
169 # Accept if the message arrived over an authenticated connection, from
170 # any host. Again, these messages are usually from MUAs, so recipient
171 # verification is omitted, and submission mode is set. And again, we do this
172 # check before any black list tests.
175 control = submission/sender_retain
178 # Insist that any other recipient address that we accept is either in one of
179 # our local domains, or is in a domain for which we explicitly allow
180 # relaying. Any other domain is rejected as being unacceptable for relaying.
182 message = relay not permitted
183 domains = +local_domains : +unix_domains : +relay_to_domains
186 # We also require all accepted addresses to be verifiable. This check will
187 # do local part verification for local domains, but only check the domain
188 # for remote domains.
193 # Verify recipients listed in local_rcpt_callout with a callout.
194 # This is especially handy for forwarding MX hosts (secondary MX or
195 # mail hubs) of domains that receive a lot of spam to non-existent
196 # addresses. The only way to check local parts for remote relay
197 # domains is to use a callout (add /callout), but please read the
198 # documentation about callouts before doing this.
200 !acl = acl_whitelist_local_deny
201 recipients = ${if exists{CONFDIR/local_rcpt_callout}\
202 {CONFDIR/local_rcpt_callout}\
204 !verify = recipient/callout
207 # CONFDIR/local_sender_blacklist holds a list of envelope senders that
208 # should have their access denied to the local host. Incoming messages
209 # with one of these senders are rejected at RCPT time.
211 # The explicit white lists are honored as well as negative items in
212 # the black list. See exim4-config_files(5) for details.
214 message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
215 !acl = acl_whitelist_local_deny
216 senders = ${if exists{CONFDIR/local_sender_blacklist}\
217 {CONFDIR/local_sender_blacklist}\
221 # deny bad sites (IP address)
222 # CONFDIR/local_host_blacklist holds a list of host names, IP addresses
223 # and networks (CIDR notation) that should have their access denied to
224 # The local host. Messages coming in from a listed host will have all
225 # RCPT statements rejected.
227 # The explicit white lists are honored as well as negative items in
228 # the black list. See /usr/share/doc/exim4-config/default_acl for details.
230 message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
231 !acl = acl_whitelist_local_deny
232 hosts = ${if exists{CONFDIR/local_host_blacklist}\
233 {CONFDIR/local_host_blacklist}\
237 # Warn if the sender host does not have valid reverse DNS.
239 # If your system can do DNS lookups without delay or cost, you might want
241 # If sender_host_address is defined, it's a remote call. If
242 # sender_host_name is not defined, then reverse lookup failed. Use
243 # this instead of !verify = reverse_host_lookup to catch deferrals
244 # as well as outright failures.
245 .ifdef CHECK_RCPT_REVERSE_DNS
247 message = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}})
248 condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\
253 # Use spfquery to perform a pair of SPF checks (for details, see
254 # http://www.openspf.org/)
256 # This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not
257 # enable if that's an issue. Also note that if you enable this, you must
258 # install "libmail-spf-query-perl" which provides the spfquery command.
259 # Missing libmail-spf-query-perl will trigger the "Unexpected error in
260 # SPF check" warning.
261 .ifdef CHECK_RCPT_SPF
263 message = [SPF] $sender_host_address is not allowed to send mail from ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
264 Please see http://www.openspf.org/why.html?sender=$sender_address&ip=$sender_host_address
265 log_message = SPF check failed.
266 condition = ${run{/usr/bin/spfquery --ip \"$sender_host_address\" --mail-from \"$sender_address\" --helo \"$sender_helo_name\"}\
267 {no}{${if eq {$runrc}{1}{yes}{no}}}}
270 message = Temporary DNS error while checking SPF record. Try again later.
271 condition = ${if eq {$runrc}{5}{yes}{no}}
274 message = Received-SPF: ${if eq {$runrc}{0}{pass}{${if eq {$runrc}{2}{softfail}\
275 {${if eq {$runrc}{3}{neutral}{${if eq {$runrc}{4}{unknown}{${if eq {$runrc}{6}{none}{error}}}}}}}}}}
276 condition = ${if <={$runrc}{6}{yes}{no}}
279 log_message = Unexpected error in SPF check.
280 condition = ${if >{$runrc}{6}{yes}{no}}
282 # Support for best-guess (see http://www.openspf.org/developers-guide.html)
284 message = X-SPF-Guess: ${run{/usr/bin/spfquery --ip \"$sender_host_address\" --mail-from \"$sender_address\" \ --helo \"$sender_helo_name\" --guess true}\
285 {pass}{${if eq {$runrc}{2}{softfail}{${if eq {$runrc}{3}{neutral}{${if eq {$runrc}{4}{unknown}\
286 {${if eq {$runrc}{6}{none}{error}}}}}}}}}}
287 condition = ${if <={$runrc}{6}{yes}{no}}
290 message = Temporary DNS error while checking SPF record. Try again later.
291 condition = ${if eq {$runrc}{5}{yes}{no}}
295 # Check against classic DNS "black" lists (DNSBLs) which list
296 # sender IP addresses
297 .ifdef CHECK_RCPT_IP_DNSBLS
299 message = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
300 log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
301 dnslists = CHECK_RCPT_IP_DNSBLS
305 # Check against DNSBLs which list sender domains, with an option to locally
306 # whitelist certain domains that might be blacklisted.
308 # Note: If you define CHECK_RCPT_DOMAIN_DNSBLS, you must append
309 # "/$sender_address_domain" after each domain. For example:
310 # CHECK_RCPT_DOMAIN_DNSBLS = rhsbl.foo.org/$sender_address_domain \
311 # : rhsbl.bar.org/$sender_address_domain
312 .ifdef CHECK_RCPT_DOMAIN_DNSBLS
314 message = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
315 log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
316 !senders = ${if exists{CONFDIR/local_domain_dnsbl_whitelist}\
317 {CONFDIR/local_domain_dnsbl_whitelist}\
319 dnslists = CHECK_RCPT_DOMAIN_DNSBLS
323 # This hook allows you to hook in your own ACLs without having to
324 # modify this file. If you do it like we suggest, you'll end up with
325 # a small performance penalty since there is an additional file being
326 # accessed. This doesn't happen if you leave the macro unset.
327 .ifdef CHECK_RCPT_LOCAL_ACL_FILE
328 .include CHECK_RCPT_LOCAL_ACL_FILE
332 #############################################################################
333 # This check is commented out because it is recognized that not every
334 # sysadmin will want to do it. If you enable it, the check performs
335 # Client SMTP Authorization (csa) checks on the sending host. These checks
336 # do DNS lookups for SRV records. The CSA proposal is currently (May 2005)
337 # an Internet draft. You can, of course, add additional conditions to this
338 # ACL statement to restrict the CSA checks to certain hosts only.
340 # require verify = csa
341 #############################################################################
344 # Accept if the address is in a domain for which we are an incoming relay,
345 # but again, only if the recipient can be verified.
348 domains = +relay_to_domains
353 # At this point, the address has passed all the checks that have been
354 # configured, so we accept it unconditionally.