Rewrite ACLs

author: root 2017-03-28 11:00:05 +0200
committer: root 2017-03-28 11:03:30 +0200
commit: 0d01bcc2f9bf16e3f384549f395c1a173b8a4c18 (patch)
tree: c21e959293ab13af3f3d21d39af8fcfadcdcdc19
parent: 1009459ba2cdca8e16eacfa9c995ae2f31599850 (diff)
download: exim-0d01bcc2f9bf16e3f384549f395c1a173b8a4c18.tar.gz
5 files changed, 164 insertions, 180 deletions
diff --git a/conf.d/010_main.conf b/conf.d/010_main.conf
index 08694c8..e693144 100644
--- a/conf.d/010_main.conf
+++ b/conf.d/010_main.conf
@@ -68,8 +68,10 @@ hostlist   relay_from_hosts = localhost
 # manual for details. The lists above are used in the access control lists for
 # checking incoming messages. The names of these ACLs are defined here:
-acl_smtp_rcpt = acl_check_rcpt
+acl_smtp_rcpt = ${if ={587}{$interface_port} {acl_mua_rcpt} {acl_mta_rcpt}
-acl_smtp_data = acl_check_data
+acl_smtp_mail = ${if ={587}{$interface_port} {acl_mua_mail} {accept}
+acl_smtp_data = ${if ={587}{$interface_port} {acl_mua_data} {acl_mta_data}
+acl_smtp_dkim = acl_check_dkim
 # You should not change those settings until you understand how ACLs work.
diff --git a/conf.d/020_acl.conf b/conf.d/020_acl.conf
index 61dc33f..a909910 100644
--- a/conf.d/020_acl.conf
+++ b/conf.d/020_acl.conf
@@ -5,190 +5,169 @@
 begin acl
-# This access control list is used for every RCPT command in an incoming
-# SMTP message. The tests are run in order until the address is either
+######################
-# accepted or denied.
+# GENERAL CHECK ACLs #
+######################
-acl_check_rcpt:
+# Ensures that the remote host has introduced itself.
-  # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
+acl_check_rcpt_introduction:
-  # testing for an empty sending host field.
-  accept  hosts = :
-          control = dkim_disable_verify
-  #############################################################################
-  # The following section of the ACL is concerned with local parts that contain
-  # @ or % or ! or / or | or dots in unusual places.
-  #
-  # The characters other than dots are rarely found in genuine local parts, but
-  # are often tried by people looking to circumvent relaying restrictions.
-  # Therefore, although they are valid in local parts, these rules lock them
-  # out, as a precaution.
-  #
-  # Empty components (two dots in a row) are not valid in RFC 2822, but Exim
-  # allows them because they have been encountered. (Consider local parts
-  # constructed as "firstinitial.secondinitial.familyname" when applied to
-  # someone like me, who has no second initial.) However, a local part starting
-  # with a dot or containing /../ can cause trouble if it is used as part of a
-  # file name (e.g. for a mailing list). This is also true for local parts that
-  # contain slashes. A pipe symbol can also be troublesome if the local part is
-  # incorporated unthinkingly into a shell command line.
-  #
-  # Two different rules are used. The first one is stricter, and is applied to
-  # messages that are addressed to one of the local domains handled by this
-  # host. The line "domains = +local_domains" restricts it to domains that are
-  # defined by the "domainlist local_domains" setting above. The rule  blocks
-  # local parts that begin with a dot or contain @ % ! / or |. If you have
-  # local accounts that include these characters, you will have to modify this
-  # rule.
-  deny    message       = Restricted characters in address
-          domains       = +local_domains
-          local_parts   = ^[.] : ^.*[@%!/|]
-  # The second rule applies to all other domains, and is less strict. The line
-  # "domains = !+local_domains" restricts it to domains that are NOT defined by
-  # the "domainlist local_domains" setting above. The exclamation mark is a
-  # negating operator. This rule allows your own users to send outgoing
-  # messages to sites that use slashes and vertical bars in their local parts.
-  # It blocks local parts that begin with a dot, slash, or vertical bar, but
-  # allows these characters within the local part. However, the sequence /../
-  # is barred. The use of @ % and ! is blocked, as before. The motivation here
-  # is to prevent your users (or your users' viruses) from mounting certain
-  # kinds of attack on remote sites.
-  deny    message       = Restricted characters in address
-          domains       = !+local_domains
-          local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
-  #############################################################################
-  # Accept mail to postmaster in any local domain, regardless of the source,
-  # and without verifying the sender.
-  accept  local_parts   = postmaster
-          domains       = +local_domains
-  # Deny unless the sender address can be verified.
-  require verify        = sender
-  # Accept if the message comes from one of the hosts for which we are an
-  # outgoing relay. It is assumed that such hosts are most likely to be MUAs,
-  # so we set control=submission to make Exim treat the message as a
-  # submission. It will fix up various errors in the message, for example, the
-  # lack of a Date: header line. If you are actually relaying out out from
-  # MTAs, you may want to disable this. If you are handling both relaying from
-  # MTAs and submissions from MUAs you should probably split them into two
-  # lists, and handle them differently.
-  # Recipient verification is omitted here, because in many cases the clients
-  # are dumb MUAs that don't cope well with SMTP error responses. If you are
-  # actually relaying out from MTAs, you should probably add recipient
-  # verification here.
-  # Note that, by putting this test before any DNS black list checks, you will
-  # always accept from these hosts, even if they end up on a black list. The
-  # assumption is that they are your friends, and if they get onto a black
-  # list, it is a mistake.
-  accept  hosts         = +relay_from_hosts
-          control       = submission
-          control       = dkim_disable_verify
-  # Accept if the message arrived over an authenticated connection, from
-  # any host. Again, these messages are usually from MUAs, so recipient
-  # verification is omitted, and submission mode is set. And again, we do this
-  # check before any black list tests.
-  accept  authenticated = *
-          control       = submission
-          control       = dkim_disable_verify
  # Insist that a HELO/EHLO was accepted.
+  require  condition     = ${if def:sender_helo_name}
+           set acl_m_msg = HELO/EHLO command required.
+  accept
+# Syntactic validation of fields.
+acl_check_rcpt_syntax:
+  # Deny if the local parts is malformed.
+  deny     local_parts   = ^[.] : ^.*[@%!/|]
+           set acl_m_msg = Invalid local part.
+  accept
+# Checks the link between a given mail alias and a given user.
+# $acl_arg1: alias to check
+# $acl_arg2: user
+acl_check_alias:
+  # Accept if the alias belongs to the user.
+  accept   condition     = ${lookup{$acl_arg1}lsearch{ALIASMAP} \
+                             {${if eq{$value}{$acl_arg2} {yes}{no}}} {no}}
+  # Deny otherwise
+  deny
+# Checks if the host is allowed to send messages according to the local whitelist, DNS blocklists and SPF policy.
+acl_check_rcpt_host_policy:
+  # Accept all messages from trusted hosts and relays.
+  accept   hosts         = +redirected_from_hosts
+  # Deny messages from hosts known to be bad.
+  deny     dnslists      = sbl-xbl.spamhaus.org : bl.spamcop.net
+           set acl_m_msg = Rejected: $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
+  # Accept if the host is an authorized sender according to the SPF policy for the domain (SPF pass).
+  accept   set acl_m_spf = ${run{/usr/bin/spfquery.mail-spf-perl \
+                             --ip ${quote:$sender_host_address} \
+                             --identity ${if def:sender_address_domain \
+                               {--scope mfrom --identity ${quote:$sender_address}} \
+                               {--scope helo --identity ${quote:$sender_helo_name}}}}}
+           condition     = ${if eq {$acl_m_spf}{0}{yes}{no}}
+  # Deny if the host is explicitely not an authorized sender according to the SPF policy for the domain (SPF fail).
+  deny     condition     = ${if eq {$acl_m_spf}{1}{yes}{no}}
+           set acl_m_msg = [SPF] $sender_host_address is not allowed to send mail from \
+                           ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
+                           Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain \
+                             {mfrom}{helo}};identity=${if def:sender_address_domain \
+                             {$sender_address}{$sender_helo_name}};ip=$sender_host_address
+  # Deny messages from hosts listed as non-MTA in the PBL, for which SPF couldn't determine a policy.
+  deny     dnslists      = pbl.spamhaus.org
+           set acl_m_msg = Rejected: $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
+  # Accept otherwise
+  accept
+#########################
+# MUA ACLs (submission) #
+#########################
+acl_mua_rcpt:
+  require  encrypted     = *
+           message       = Encryption required.
+  require  acl           = acl_check_rcpt_introduction
+           message       = Courtesy protocol violation: $acl_m_msg
+  require  authenticated = *
+           control       = submission
+           control       = dkim_disable_verify
+           message       = Authentication required.
+  require  acl           = acl_check_rcpt_syntax
+           message       = Syntactic validation failed: $acl_m_msg
-  require message       = nice hosts say HELO first
+  require  verify        = sender
-          condition     = ${if def:sender_helo_name}
+           message       = Sender verification failed.
-  # Insist that any other recipient address that we accept is either in one of
-  # our local domains, or is in a domain for which we explicitly allow
-  # relaying. Any other domain is rejected as being unacceptable for relaying.
-  require message = relay not permitted
-          domains = +local_domains : +relay_to_domains
-  # We also require all accepted addresses to be verifiable. This check will
-  # do local part verification for local domains, but only check the domain
-  # for remote domains. The only way to check local parts for the remote
-  # relay domains is to use a callout (add /callout), but please read the
-  # documentation about callouts before doing this.
-  require verify = recipient
-  #############################################################################
-  # There are no default checks on DNS black lists because the domains that
-  # contain these lists are changing all the time. However, here are two
-  # examples of how you can get Exim to perform a DNS black list lookup at this
-  # point. The first one denies, whereas the second just warns.
author	root	2017-03-28 11:00:05 +0200
committer	root	2017-03-28 11:03:30 +0200
commit	0d01bcc2f9bf16e3f384549f395c1a173b8a4c18 (patch)
tree	c21e959293ab13af3f3d21d39af8fcfadcdcdc19
parent	1009459ba2cdca8e16eacfa9c995ae2f31599850 (diff)
download	exim-0d01bcc2f9bf16e3f384549f395c1a173b8a4c18.tar.gz

diff --git a/conf.d/010_main.conf b/conf.d/010_main.conf index 08694c8..e693144 100644 --- a/conf.d/010_main.conf +++ b/conf.d/010_main.conf
@@ -68,8 +68,10 @@ hostlist relay_from_hosts = localhost
68	# manual for details. The lists above are used in the access control lists for	68	# manual for details. The lists above are used in the access control lists for
69	# checking incoming messages. The names of these ACLs are defined here:	69	# checking incoming messages. The names of these ACLs are defined here:
70		70
71	acl_smtp_rcpt = acl_check_rcpt	71	acl_smtp_rcpt = ${if ={587}{$interface_port} {acl_mua_rcpt} {acl_mta_rcpt}
72	acl_smtp_data = acl_check_data	72	acl_smtp_mail = ${if ={587}{$interface_port} {acl_mua_mail} {accept}
		73	acl_smtp_data = ${if ={587}{$interface_port} {acl_mua_data} {acl_mta_data}
		74	acl_smtp_dkim = acl_check_dkim
73		75
74	# You should not change those settings until you understand how ACLs work.	76	# You should not change those settings until you understand how ACLs work.
75		77


diff --git a/conf.d/020_acl.conf b/conf.d/020_acl.conf index 61dc33f..a909910 100644 --- a/conf.d/020_acl.conf +++ b/conf.d/020_acl.conf
@@ -5,190 +5,169 @@
5		5
6	begin acl	6	begin acl
7		7
8	# This access control list is used for every RCPT command in an incoming	8
9	# SMTP message. The tests are run in order until the address is either	9	######################
10	# accepted or denied.	10	# GENERAL CHECK ACLs #
11		11	######################
12	acl_check_rcpt:	12
13		13	# Ensures that the remote host has introduced itself.
14	# Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by	14	acl_check_rcpt_introduction:
15	# testing for an empty sending host field.
16
17	accept hosts = :
18	control = dkim_disable_verify
19
20	#############################################################################
21	# The following section of the ACL is concerned with local parts that contain
22	# @ or % or ! or / or \| or dots in unusual places.
23	#
24	# The characters other than dots are rarely found in genuine local parts, but
25	# are often tried by people looking to circumvent relaying restrictions.
26	# Therefore, although they are valid in local parts, these rules lock them
27	# out, as a precaution.
28	#
29	# Empty components (two dots in a row) are not valid in RFC 2822, but Exim
30	# allows them because they have been encountered. (Consider local parts
31	# constructed as "firstinitial.secondinitial.familyname" when applied to
32	# someone like me, who has no second initial.) However, a local part starting
33	# with a dot or containing /../ can cause trouble if it is used as part of a
34	# file name (e.g. for a mailing list). This is also true for local parts that
35	# contain slashes. A pipe symbol can also be troublesome if the local part is
36	# incorporated unthinkingly into a shell command line.
37	#
38	# Two different rules are used. The first one is stricter, and is applied to
39	# messages that are addressed to one of the local domains handled by this
40	# host. The line "domains = +local_domains" restricts it to domains that are
41	# defined by the "domainlist local_domains" setting above. The rule blocks
42	# local parts that begin with a dot or contain @ % ! / or \|. If you have
43	# local accounts that include these characters, you will have to modify this
44	# rule.
45
46	deny message = Restricted characters in address
47	domains = +local_domains
48	local_parts = ^[.] : ^.*[@%!/\|]
49
50	# The second rule applies to all other domains, and is less strict. The line
51	# "domains = !+local_domains" restricts it to domains that are NOT defined by
52	# the "domainlist local_domains" setting above. The exclamation mark is a
53	# negating operator. This rule allows your own users to send outgoing
54	# messages to sites that use slashes and vertical bars in their local parts.
55	# It blocks local parts that begin with a dot, slash, or vertical bar, but
56	# allows these characters within the local part. However, the sequence /../
57	# is barred. The use of @ % and ! is blocked, as before. The motivation here
58	# is to prevent your users (or your users' viruses) from mounting certain
59	# kinds of attack on remote sites.
60
61	deny message = Restricted characters in address
62	domains = !+local_domains
63	local_parts = ^[./\|] : ^.[@%!] : ^./\\.\\./
64	#############################################################################
65
66	# Accept mail to postmaster in any local domain, regardless of the source,
67	# and without verifying the sender.
68
69	accept local_parts = postmaster
70	domains = +local_domains
71
72	# Deny unless the sender address can be verified.
73
74	require verify = sender
75
76	# Accept if the message comes from one of the hosts for which we are an
77	# outgoing relay. It is assumed that such hosts are most likely to be MUAs,
78	# so we set control=submission to make Exim treat the message as a
79	# submission. It will fix up various errors in the message, for example, the
80	# lack of a Date: header line. If you are actually relaying out out from
81	# MTAs, you may want to disable this. If you are handling both relaying from
82	# MTAs and submissions from MUAs you should probably split them into two
83	# lists, and handle them differently.
84
85	# Recipient verification is omitted here, because in many cases the clients
86	# are dumb MUAs that don't cope well with SMTP error responses. If you are
87	# actually relaying out from MTAs, you should probably add recipient
88	# verification here.
89
90	# Note that, by putting this test before any DNS black list checks, you will
91	# always accept from these hosts, even if they end up on a black list. The
92	# assumption is that they are your friends, and if they get onto a black
93	# list, it is a mistake.
94
95	accept hosts = +relay_from_hosts
96	control = submission
97	control = dkim_disable_verify
98
99	# Accept if the message arrived over an authenticated connection, from
100	# any host. Again, these messages are usually from MUAs, so recipient
101	# verification is omitted, and submission mode is set. And again, we do this
102	# check before any black list tests.
103
104	accept authenticated = *
105	control = submission
106	control = dkim_disable_verify
107		15
108	# Insist that a HELO/EHLO was accepted.	16	# Insist that a HELO/EHLO was accepted.
		17	require condition = ${if def:sender_helo_name}
		18	set acl_m_msg = HELO/EHLO command required.
		19
		20	accept
		21
		22
		23	# Syntactic validation of fields.
		24	acl_check_rcpt_syntax:
		25
		26	# Deny if the local parts is malformed.
		27	deny local_parts = ^[.] : ^.*[@%!/\|]
		28	set acl_m_msg = Invalid local part.
		29
		30	accept
		31
		32
		33	# Checks the link between a given mail alias and a given user.
		34	# $acl_arg1: alias to check
		35	# $acl_arg2: user
		36	acl_check_alias:
		37
		38	# Accept if the alias belongs to the user.
		39	accept condition = ${lookup{$acl_arg1}lsearch{ALIASMAP} \
		40	{${if eq{$value}{$acl_arg2} {yes}{no}}} {no}}
		41
		42	# Deny otherwise
		43	deny
		44
		45
		46	# Checks if the host is allowed to send messages according to the local whitelist, DNS blocklists and SPF policy.
		47	acl_check_rcpt_host_policy:
		48
		49	# Accept all messages from trusted hosts and relays.
		50	accept hosts = +redirected_from_hosts
		51
		52	# Deny messages from hosts known to be bad.
		53	deny dnslists = sbl-xbl.spamhaus.org : bl.spamcop.net
		54	set acl_m_msg = Rejected: $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
		55
		56	# Accept if the host is an authorized sender according to the SPF policy for the domain (SPF pass).
		57	accept set acl_m_spf = ${run{/usr/bin/spfquery.mail-spf-perl \
		58	--ip ${quote:$sender_host_address} \
		59	--identity ${if def:sender_address_domain \
		60	{--scope mfrom --identity ${quote:$sender_address}} \
		61	{--scope helo --identity ${quote:$sender_helo_name}}}}}
		62	condition = ${if eq {$acl_m_spf}{0}{yes}{no}}
		63
		64	# Deny if the host is explicitely not an authorized sender according to the SPF policy for the domain (SPF fail).
		65	deny condition = ${if eq {$acl_m_spf}{1}{yes}{no}}
		66	set acl_m_msg = [SPF] $sender_host_address is not allowed to send mail from \
		67	${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
		68	Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain \
		69	{mfrom}{helo}};identity=${if def:sender_address_domain \
		70	{$sender_address}{$sender_helo_name}};ip=$sender_host_address
		71
		72	# Deny messages from hosts listed as non-MTA in the PBL, for which SPF couldn't determine a policy.
		73	deny dnslists = pbl.spamhaus.org
		74	set acl_m_msg = Rejected: $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
		75
		76	# Accept otherwise
		77	accept
		78
		79
		80	#########################
		81	# MUA ACLs (submission) #
		82	#########################
		83
		84	acl_mua_rcpt:
		85
		86	require encrypted = *
		87	message = Encryption required.
		88
		89	require acl = acl_check_rcpt_introduction
		90	message = Courtesy protocol violation: $acl_m_msg
		91
		92	require authenticated = *
		93	control = submission
		94	control = dkim_disable_verify
		95	message = Authentication required.
		96
		97	require acl = acl_check_rcpt_syntax
		98	message = Syntactic validation failed: $acl_m_msg
109		99
110	require message = nice hosts say HELO first	100	require verify = sender
111	condition = ${if def:sender_helo_name}	101	message = Sender verification failed.
112
113	# Insist that any other recipient address that we accept is either in one of
114	# our local domains, or is in a domain for which we explicitly allow
115	# relaying. Any other domain is rejected as being unacceptable for relaying.
116
117	require message = relay not permitted
118	domains = +local_domains : +relay_to_domains
119
120	# We also require all accepted addresses to be verifiable. This check will
121	# do local part verification for local domains, but only check the domain
122	# for remote domains. The only way to check local parts for the remote
123	# relay domains is to use a callout (add /callout), but please read the
124	# documentation about callouts before doing this.
125
126	require verify = recipient
127
128	#############################################################################
129	# There are no default checks on DNS black lists because the domains that
130	# contain these lists are changing all the time. However, here are two
131	# examples of how you can get Exim to perform a DNS black list lookup at this
132	# point. The first one denies, whereas the second just warns.