X-Git-Url: https://git.stderr.nl/gitweb?a=blobdiff_plain;f=etc%2Fexim4%2Fconf.d%2Facl%2F30_exim4-config_check_rcpt;h=21be517ee2aebcfcae896f0ae514374b9f3942c2;hb=00913fc5c4f0bd4a78df5fb067cfb10392aebe7c;hp=41682eb867430feeac8f80a5b0c94dd7ca41a11a;hpb=0625c01974df320cade3f9cd56674bcdfee0d9f3;p=matthijs%2Fservers%2Fdrsnuggles.git
diff --git a/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt b/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt
index 41682eb..21be517 100644
--- a/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt
+++ b/etc/exim4/conf.d/acl/30_exim4-config_check_rcpt
@@ -36,35 +36,21 @@ acl_check_rcpt:
 # These ACL components will block recipient addresses that are valid
 # from an RFC2822 point of view. We chose to have them blocked by
 # default for security reasons.
- #
- # If you feel that your site should have less strict recipient
- # checking, please feel free to change the default values of the macros
- # defined in main/01_exim4-config_listmacrosdefs or override them from a
- # local configuration file.
 #
 # Two different rules are used. The first one has a quite strict
 # default, and is applied to messages that are addressed to one of the
 # local domains handled by this host.
- # The default value of CHECK_RCPT_LOCAL_LOCALPARTS is defined in
- # main/01_exim4-config_listmacrosdefs:
- # CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]
- # This blocks local parts that begin with a dot or contain a quite
- # broad range of non-alphanumeric characters.
- .ifdef CHECK_RCPT_LOCAL_LOCALPARTS
 deny
 domains = +local_domains
- local_parts = CHECK_RCPT_LOCAL_LOCALPARTS
+ # This blocks local parts that begin with a dot or contain a quite
+ # broad range of non-alphanumeric characters.
+ local_parts = ^[.] : ^.*[@%!/|`#&?]
 message = restricted characters in address
- .endif
 # The second rule applies to all other domains, and its default is
 # considerably less strict.
-
- # The default value of CHECK_RCPT_REMOTE_LOCALPARTS is defined in
- # main/01_exim4-config_listmacrosdefs:
- # CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
 # It allows local users to send outgoing messages to sites
 # that use slashes and vertical bars in their local parts. It blocks
@@ -75,87 +61,46 @@ acl_check_rcpt:
 # allowed by the default regexps to avoid rejecting mails to Ireland.
 # The motivation here is to prevent local users (or local users' malware)
 # from mounting certain kinds of attack on remote sites.
- .ifdef CHECK_RCPT_REMOTE_LOCALPARTS
 deny
 domains = !+local_domains
- local_parts = CHECK_RCPT_REMOTE_LOCALPARTS
+ local_parts = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
 message = restricted characters in address
- .endif
 # Accept mail to postmaster in any local domain, regardless of the source,
 # and without verifying the sender.
 #
 accept
- .ifndef CHECK_RCPT_POSTMASTER
 local_parts = postmaster
- .else
- local_parts = CHECK_RCPT_POSTMASTER
- .endif
 domains = +local_domains : +relay_to_domains
 # Deny unless the sender address can be verified.
 #
- # This is disabled by default so that DNSless systems don't break. If
- # your system can do DNS lookups without delay or cost, you might want
- # to enable this feature.
- #
- # This feature does not work in smarthost and satellite setups as
- # with these setups all domains pass verification. See spec.txt chapter
- # 39.31 with the added information that a smarthost/satellite setup
- # routes all non-local e-mail to the smarthost.
- .ifdef CHECK_RCPT_VERIFY_SENDER
+ # This also performs "callout" verification, i.e., connect to the sender's
+ # mailserver and see if it accepts the mail address. This is quite
+ # expensive, but might save a bunch of spamchecks...
 deny
 message = Sender verification failed
- !acl = acl_local_deny_exceptions
- !verify = sender
- .endif
-
- # Verify senders listed in local_sender_callout with a callout.
- #
- # In smarthost and satellite setups, this causes the callout to be
- # done to the smarthost. Verification will thus only be reliable if the
- # smarthost does reject illegal addresses in the SMTP dialog.
- deny - !acl = acl_local_deny_exceptions - senders = ${if exists{CONFDIR/local_sender_callout}\ - {CONFDIR/local_sender_callout}\ - {}} !verify = sender/callout - # Accept if the message comes from one of the hosts for which we are an - # outgoing relay. It is assumed that such hosts are most likely to be MUAs, - # so we set control=submission to make Exim treat the message as a - # submission. It will fix up various errors in the message, for example, the - # lack of a Date: header line. If you are actually relaying out out from - # MTAs, you may want to disable this. If you are handling both relaying from - # MTAs and submissions from MUAs you should probably split them into two - # lists, and handle them differently. - - # Recipient verification is omitted here, because in many cases the clients - # are dumb MUAs that don't cope well with SMTP error responses. If you are - # actually relaying out from MTAs, you should probably add recipient - # verification here. - - # Note that, by putting this test before any DNS black list checks, you will - # always accept from these hosts, even if they end up on a black list. The - # assumption is that they are your friends, and if they get onto black - # list, it is a mistake. - accept - hosts = +relay_from_hosts - control = submission/sender_retain - - # Accept if the message arrived over an authenticated connection, from - # any host. Again, these messages are usually from MUAs, so recipient - # verification is omitted, and submission mode is set. And again, we do this + # any host. These messages are usually from MUAs, so recipient + # verification is omitted, and submission mode is set. We do this # check before any black list tests. accept authenticated = * control = submission/sender_retain + # Accept if the message comes from one of the hosts for which we are an + # outgoing relay. 
These hosts are only dumb forwarders (nullmailers), not
+ # real MTAs, so we set control=submission to make Exim treat the message as a
+ # submission. It will fix up various errors in the message, for example, the
+ # lack of a Date: header line.
+ accept
+ hosts = +relay_from_hosts
+ #control = submission/sender_retain
 # Insist that any other recipient address that we accept is either in one of
 # our local domains, or is in a domain for which we explicitly allow
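Review bot: The new `deny` with `!verify = sender/callout` now sits before both `accept authenticated = *` and `accept hosts = +relay_from_hosts`, so every RCPT, including authenticated MUA submissions and the nullmailers described in the comment at the end of this hunk, is subject to a callout to the sender domain's MX, and any nullmailer whose envelope-sender domain this host cannot route (or whose MX rejects the probe) has its mail refused with "Sender verification failed". The `!acl = acl_local_deny_exceptions` guard was dropped at the same time, so the local whitelists no longer exempt anything from this check. Because an unauthenticated client chooses MAIL FROM, this host will also open an outbound SMTP connection to an arbitrary third-party MX on behalf of every such client, which is the usual callout abuse concern; callout result caching, where enabled, limits this but does not remove it, and a deferred callout turns the `deny` into a temporary rejection. Consider restricting the statement to unauthenticated non-relay hosts and tolerating transient failures, e.g. adding `!authenticated = *` and `hosts = !+relay_from_hosts` and changing the last line to `!verify = sender/callout=30s,defer_ok`. The warning in the removed comment still applies: in a smarthost setup the callout goes to the smarthost and is only meaningful if that host rejects bad addresses in the SMTP dialog.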
@@ -172,50 +117,6 @@ acl_check_rcpt: verify = recipient - # Verify recipients listed in local_rcpt_callout with a callout. - # This is especially handy for forwarding MX hosts (secondary MX or - # mail hubs) of domains that receive a lot of spam to non-existent - # addresses. The only way to check local parts for remote relay - # domains is to use a callout (add /callout), but please read the - # documentation about callouts before doing this. - deny - !acl = acl_local_deny_exceptions - recipients = ${if exists{CONFDIR/local_rcpt_callout}\ - {CONFDIR/local_rcpt_callout}\ - {}} - !verify = recipient/callout - - - # CONFDIR/local_sender_blacklist holds a list of envelope senders that - # should have their access denied to the local host. Incoming messages - # with one of these senders are rejected at RCPT time. - # - # The explicit white lists are honored as well as negative items in - # the black list. See exim4-config_files(5) for details. - deny - message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster - !acl = acl_local_deny_exceptions - senders = ${if exists{CONFDIR/local_sender_blacklist}\ - {CONFDIR/local_sender_blacklist}\ - {}} - - - # deny bad sites (IP address) - # CONFDIR/local_host_blacklist holds a list of host names, IP addresses - # and networks (CIDR notation) that should have their access denied to - # The local host. Messages coming in from a listed host will have all - # RCPT statements rejected. - # - # The explicit white lists are honored as well as negative items in - # the black list. See exim4-config_files(5) for details. - deny - message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster - !acl = acl_local_deny_exceptions - hosts = ${if exists{CONFDIR/local_host_blacklist}\ - {CONFDIR/local_host_blacklist}\ - {}} - - # Warn if the sender host does not have valid reverse DNS. 
 #
 # If your system can do DNS lookups without delay or cost, you might want
@@ -224,116 +125,13 @@ acl_check_rcpt: # sender_host_name is not defined, then reverse lookup failed. Use # this instead of !verify = reverse_host_lookup to catch deferrals # as well as outright failures. - .ifdef CHECK_RCPT_REVERSE_DNS warn message = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}}) - condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\ - {yes}{no}} - .endif - - - # Use spfquery to perform a pair of SPF checks (for details, see - # http://www.openspf.org/) - # - # This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not - # enable if that's an issue. Also note that if you enable this, you must - # install "libmail-spf-query-perl" which provides the spfquery command. - # Missing libmail-spf-query-perl will trigger the "Unexpected error in - # SPF check" warning. - .ifdef CHECK_RCPT_SPF - deny - message = [SPF] $sender_host_address is not allowed to send mail from ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \ - Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain {mfrom}{helo}};identity=${if def:sender_address_domain {$sender_address}{$sender_helo_name}};ip=$sender_host_address - log_message = SPF check failed. - !acl = acl_local_deny_exceptions - condition = ${run{/usr/bin/spfquery --ip \"$sender_host_address\" --mail-from \"$sender_address\" --helo \"$sender_helo_name\"}\ - {no}{${if eq {$runrc}{1}{yes}{no}}}} - - defer - message = Temporary DNS error while checking SPF record. Try again later. - condition = ${if eq {$runrc}{5}{yes}{no}} - - warn - message = Received-SPF: ${if eq {$runrc}{0}{pass}{${if eq {$runrc}{2}{softfail}\ - {${if eq {$runrc}{3}{neutral}{${if eq {$runrc}{4}{unknown}{${if eq {$runrc}{6}{none}{error}}}}}}}}}} - condition = ${if <={$runrc}{6}{yes}{no}} - - warn - log_message = Unexpected error in SPF check. 
- condition = ${if >{$runrc}{6}{yes}{no}} - - # Support for best-guess (see http://www.openspf.org/developers-guide.html) - warn - message = X-SPF-Guess: ${run{/usr/bin/spfquery --ip \"$sender_host_address\" --mail-from \"$sender_address\" \ --helo \"$sender_helo_name\" --guess true}\ - {pass}{${if eq {$runrc}{2}{softfail}{${if eq {$runrc}{3}{neutral}{${if eq {$runrc}{4}{unknown}\ - {${if eq {$runrc}{6}{none}{error}}}}}}}}}} - condition = ${if <={$runrc}{6}{yes}{no}} - - defer - message = Temporary DNS error while checking SPF record. Try again later. - condition = ${if eq {$runrc}{5}{yes}{no}} - .endif - - - # Check against classic DNS "black" lists (DNSBLs) which list - # sender IP addresses - .ifdef CHECK_RCPT_IP_DNSBLS - warn - message = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text) - log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text) - dnslists = CHECK_RCPT_IP_DNSBLS - .endif - - - # Check against DNSBLs which list sender domains, with an option to locally - # whitelist certain domains that might be blacklisted. - # - # Note: If you define CHECK_RCPT_DOMAIN_DNSBLS, you must append - # "/$sender_address_domain" after each domain. For example: - # CHECK_RCPT_DOMAIN_DNSBLS = rhsbl.foo.org/$sender_address_domain \ - # : rhsbl.bar.org/$sender_address_domain - .ifdef CHECK_RCPT_DOMAIN_DNSBLS - warn - message = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text) - log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text) - !senders = ${if exists{CONFDIR/local_domain_dnsbl_whitelist}\ - {CONFDIR/local_domain_dnsbl_whitelist}\ - {}} - dnslists = CHECK_RCPT_DOMAIN_DNSBLS - .endif - - - # This hook allows you to hook in your own ACLs without having to - # modify this file. 
If you do it like we suggest, you'll end up with
- # a small performance penalty since there is an additional file being
- # accessed. This doesn't happen if you leave the macro unset.
- .ifdef CHECK_RCPT_LOCAL_ACL_FILE
- .include CHECK_RCPT_LOCAL_ACL_FILE
- .endif
-
-
- #############################################################################
- # This check is commented out because it is recognized that not every
- # sysadmin will want to do it. If you enable it, the check performs
- # Client SMTP Authorization (csa) checks on the sending host. These checks
- # do DNS lookups for SRV records. The CSA proposal is currently (May 2005)
- # an Internet draft. You can, of course, add additional conditions to this
- # ACL statement to restrict the CSA checks to certain hosts only.
- #
- # require verify = csa
- #############################################################################
-
-
- # Accept if the address is in a domain for which we are an incoming relay,
- # but again, only if the recipient can be verified.
-
- accept
- domains = +relay_to_domains
- endpass
- verify = recipient
-
+ verify = reverse_host_lookup
 # At this point, the address has passed all the checks that have been
 # configured, so we accept it unconditionally.
 accept
+
+# vim: set sts=2 expandtab sw=2 ai:
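Review bot: The `warn` statement that adds the `X-Host-Lookup-Failed:` header now has `verify = reverse_host_lookup` as its only condition, without a `!`, so the header is added exactly when the reverse lookup succeeds and omitted when it fails; since `$host_lookup_failed` is only 1 on failure, the header text will also read "deferred" on every successful lookup. The comment kept above the statement ("Use this instead of !verify = reverse_host_lookup to catch deferrals as well as outright failures") describes the removed `condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}{yes}{no}}` and no longer matches the code. Either restore that condition or negate the new one with `!verify = reverse_host_lookup`, and in the latter case amend the comment, because the negated form flags only outright failures, not deferrals. The `warn` verb and its `message =` line are in the earlier part of this hunk, and the final `accept` is the end of `acl_check_rcpt`.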