### acl/30_exim4-config_check_rcpt ################################# # This access control list is used for every RCPT command in an incoming # SMTP message. The tests are run in order until the address is either # accepted or denied. # acl_check_rcpt: # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by # testing for an empty sending host field. accept hosts = : # The following section of the ACL is concerned with local parts that contain # certain non-alphanumeric characters. Dots in unusual places are # handled by this ACL as well. # # Non-alphanumeric characters other than dots are rarely found in genuine # local parts, but are often tried by people looking to circumvent # relaying restrictions. Therefore, although they are valid in local # parts, these rules disallow certain non-alphanumeric characters, as # a precaution. # # Empty components (two dots in a row) are not valid in RFC 2822, but Exim # allows them because they have been encountered. (Consider local parts # constructed as "firstinitial.secondinitial.familyname" when applied to # a name without a second initial.) However, a local part starting # with a dot or containing /../ can cause trouble if it is used as part of a # file name (e.g. for a mailing list). This is also true for local parts that # contain slashes. A pipe symbol can also be troublesome if the local part is # incorporated unthinkingly into a shell command line. # # These ACL components will block recipient addresses that are valid # from an RFC2822 point of view. We chose to have them blocked by # default for security reasons. # # Two different rules are used. The first one has a quite strict # default, and is applied to messages that are addressed to one of the # local domains handled by this host. deny domains = +local_domains # This blocks local parts that begin with a dot or contain a quite # broad range of non-alphanumeric characters. local_parts = ^[.] : ^.*[@%!/|`#&?] message = restricted characters in address # The second rule applies to all other domains, and its default is # considerably less strict. # It allows local users to send outgoing messages to sites # that use slashes and vertical bars in their local parts. It blocks # local parts that begin with a dot, slash, or vertical bar, but allows # these characters within the local part. However, the sequence /../ is # barred. The use of some other non-alphanumeric characters is blocked. # Single quotes might probably be dangerous as well, but they're # allowed by the default regexps to avoid rejecting mails to Ireland. # The motivation here is to prevent local users (or local users' malware) # from mounting certain kinds of attack on remote sites. deny domains = !+local_domains local_parts = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./ message = restricted characters in address # Accept mail to postmaster in any local domain, regardless of the source, # and without verifying the sender. # accept local_parts = postmaster domains = +local_domains : +relay_to_domains # Deny unless the sender address can be verified. # # This also performs "callout" verification, i.e., connect to the sender's # mailserver and see if it accepts the mail address. This is quite # expensive, but might save a bunch of spamchecks... deny message = Sender verification failed !verify = sender/callout # Accept if the message arrived over an authenticated connection, from # any host. These messages are usually from MUAs, so recipient # verification is omitted, and submission mode is set. We do this # check before any black list tests. accept authenticated = * control = submission/sender_retain # Accept if the message comes from one of the hosts for which we are an # outgoing relay. These hosts are only dumb forwarders (nullmailers), not # real MTAs, so we set control=submission to make Exim treat the message as a # submission. It will fix up various errors in the message, for example, the # lack of a Date: header line. accept hosts = +relay_from_hosts #control = submission/sender_retain # Insist that any other recipient address that we accept is either in one of # our local domains, or is in a domain for which we explicitly allow # relaying. Any other domain is rejected as being unacceptable for relaying. require message = relay not permitted domains = +local_domains : +relay_to_domains # We also require all accepted addresses to be verifiable. This check will # do local part verification for local domains, but only check the domain # for remote domains. require verify = recipient # Warn if the sender host does not have valid reverse DNS. # # If your system can do DNS lookups without delay or cost, you might want # to enable this. # If sender_host_address is defined, it's a remote call. If # sender_host_name is not defined, then reverse lookup failed. Use # this instead of !verify = reverse_host_lookup to catch deferrals # as well as outright failures. warn message = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}}) verify = reverse_host_lookup # At this point, the address has passed all the checks that have been # configured, so we accept it unconditionally. accept # vim: set sts=2 expandtab sw=2 ai: