exim: Completely review the exim configuration.

[matthijs/servers/drsnuggles.git] / etc / exim4 / conf.d / acl / 30_exim4-config_check_rcpt

### acl/30_exim4-config_check_rcpt
#################################

# This access control list is used for every RCPT command in an incoming
# SMTP message. The tests are run in order until the address is either
# accepted or denied.
#
acl_check_rcpt:

  # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
  # testing for an empty sending host field.
  accept
    hosts = :


  # The following section of the ACL is concerned with local parts that contain
  # certain non-alphanumeric characters. Dots in unusual places are
  # handled by this ACL as well.
  #
  # Non-alphanumeric characters other than dots are rarely found in genuine
  # local parts, but are often tried by people looking to circumvent
  # relaying restrictions. Therefore, although they are valid in local
  # parts, these rules disallow certain non-alphanumeric characters, as
  # a precaution.
  #
  # Empty components (two dots in a row) are not valid in RFC 2822, but Exim
  # allows them because they have been encountered. (Consider local parts
  # constructed as "firstinitial.secondinitial.familyname" when applied to
  # a name without a second initial.) However, a local part starting
  # with a dot or containing /../ can cause trouble if it is used as part of a
  # file name (e.g. for a mailing list). This is also true for local parts that
  # contain slashes. A pipe symbol can also be troublesome if the local part is
  # incorporated unthinkingly into a shell command line.
  #
  # These ACL components will block recipient addresses that are valid
  # from an RFC2822 point of view. We chose to have them blocked by
  # default for security reasons.
  # 
  # Two different rules are used. The first one has a quite strict
  # default, and is applied to messages that are addressed to one of the
  # local domains handled by this host.

  deny
    domains = +local_domains
    # This blocks local parts that begin with a dot or contain a quite
    # broad range of non-alphanumeric characters.
    local_parts = ^[.] : ^.*[@%!/|`#&?]
    message = restricted characters in address


  # The second rule applies to all other domains, and its default is
  # considerably less strict.

  # It allows local users to send outgoing messages to sites
  # that use slashes and vertical bars in their local parts. It blocks
  # local parts that begin with a dot, slash, or vertical bar, but allows
  # these characters within the local part. However, the sequence /../ is
  # barred. The use of some other non-alphanumeric characters is blocked.
  # Single quotes might probably be dangerous as well, but they're
  # allowed by the default regexps to avoid rejecting mails to Ireland.
  # The motivation here is to prevent local users (or local users' malware)
  # from mounting certain kinds of attack on remote sites.
  deny
    domains = !+local_domains
    local_parts = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
    message = restricted characters in address


  # Accept mail to postmaster in any local domain, regardless of the source,
  # and without verifying the sender.
  #
  accept
    local_parts = postmaster
    domains = +local_domains : +relay_to_domains


  # Deny unless the sender address can be verified.
  #
  # This also performs "callout" verification, i.e., connect to the sender's
  # mailserver and see if it accepts the mail address. This is quite
  # expensive, but might save a bunch of spamchecks...
  deny
    message = Sender verification failed
    !verify = sender/callout


  # Accept if the message arrived over an authenticated connection, from
  # any host. These messages are usually from MUAs, so recipient
  # verification is omitted, and submission mode is set. We do this
  # check before any black list tests.
  accept
    authenticated = *
    control = submission/sender_retain

  # Accept if the message comes from one of the hosts for which we are an
  # outgoing relay. These hosts are only dumb forwarders (nullmailers), not
  # real MTAs, so we set control=submission to make Exim treat the message as a
  # submission. It will fix up various errors in the message, for example, the
  # lack of a Date: header line.
  accept
    hosts = +relay_from_hosts
    #control = submission/sender_retain

  # Insist that any other recipient address that we accept is either in one of
  # our local domains, or is in a domain for which we explicitly allow
  # relaying. Any other domain is rejected as being unacceptable for relaying.
  require
    message = relay not permitted
    domains = +local_domains : +relay_to_domains


  # We also require all accepted addresses to be verifiable. This check will
  # do local part verification for local domains, but only check the domain
  # for remote domains.
  require
    verify = recipient


  # Warn if the sender host does not have valid reverse DNS.
  # 
  # If your system can do DNS lookups without delay or cost, you might want
  # to enable this.
  # If sender_host_address is defined, it's a remote call.  If
  # sender_host_name is not defined, then reverse lookup failed.  Use
  # this instead of !verify = reverse_host_lookup to catch deferrals
  # as well as outright failures.
  warn
    message = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}})
    verify = reverse_host_lookup

  # At this point, the address has passed all the checks that have been
  # configured, so we accept it unconditionally.

  accept

# vim: set sts=2 expandtab sw=2 ai: