Diffstat (limited to 'conf.d/020_acl.conf')
-rw-r--r--conf.d/020_acl.conf194
1 files changed, 194 insertions, 0 deletions
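--- /dev/null
+++ b/conf.d/020_acl.conf
@@ -0,0 +1,194 @@
+######################################################################
+# ACL CONFIGURATION #
+# Specifies access control lists for incoming SMTP mail #
+######################################################################
+
+begin acl
+
+# This access control list is used for every RCPT command in an incoming
+# SMTP message. The tests are run in order until the address is either
+# accepted or denied.
+
+acl_check_rcpt:
+
+ # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
+ # testing for an empty sending host field.
+
+ accept hosts = :
+ control = dkim_disable_verify
+
+ #############################################################################
+ # The following section of the ACL is concerned with local parts that contain
+ # @ or % or ! or / or | or dots in unusual places.
+ #
+ # The characters other than dots are rarely found in genuine local parts, but
+ # are often tried by people looking to circumvent relaying restrictions.
+ # Therefore, although they are valid in local parts, these rules lock them
+ # out, as a precaution.
+ #
+ # Empty components (two dots in a row) are not valid in RFC 2822, but Exim
+ # allows them because they have been encountered. (Consider local parts
+ # constructed as "firstinitial.secondinitial.familyname" when applied to
+ # someone like me, who has no second initial.) However, a local part starting
+ # with a dot or containing /../ can cause trouble if it is used as part of a
+ # file name (e.g. for a mailing list). This is also true for local parts that
+ # contain slashes. A pipe symbol can also be troublesome if the local part is
+ # incorporated unthinkingly into a shell command line.
+ #
+ # Two different rules are used. The first one is stricter, and is applied to
+ # messages that are addressed to one of the local domains handled by this
+ # host. The line "domains = +local_domains" restricts it to domains that are
+ # defined by the "domainlist local_domains" setting above. The rule blocks
+ # local parts that begin with a dot or contain @ % ! / or |. If you have
+ # local accounts that include these characters, you will have to modify this
+ # rule.
+
+ deny message = Restricted characters in address
+ domains = +local_domains
+ local_parts = ^[.] : ^.*[@%!/|]
+
+ # The second rule applies to all other domains, and is less strict. The line
+ # "domains = !+local_domains" restricts it to domains that are NOT defined by
+ # the "domainlist local_domains" setting above. The exclamation mark is a
+ # negating operator. This rule allows your own users to send outgoing
+ # messages to sites that use slashes and vertical bars in their local parts.
+ # It blocks local parts that begin with a dot, slash, or vertical bar, but
+ # allows these characters within the local part. However, the sequence /../
+ # is barred. The use of @ % and ! is blocked, as before. The motivation here
+ # is to prevent your users (or your users' viruses) from mounting certain
+ # kinds of attack on remote sites.
+
+ deny message = Restricted characters in address
+ domains = !+local_domains
+ local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
+ #############################################################################
+
+ # Accept mail to postmaster in any local domain, regardless of the source,
+ # and without verifying the sender.
+
+ accept local_parts = postmaster
+ domains = +local_domains
+
+ # Deny unless the sender address can be verified.
+
+ require verify = sender
+
+ # Accept if the message comes from one of the hosts for which we are an
+ # outgoing relay. It is assumed that such hosts are most likely to be MUAs,
+ # so we set control=submission to make Exim treat the message as a
+ # submission. It will fix up various errors in the message, for example, the
+ # lack of a Date: header line. If you are actually relaying out out from
+ # MTAs, you may want to disable this. If you are handling both relaying from
+ # MTAs and submissions from MUAs you should probably split them into two
+ # lists, and handle them differently.
+
+ # Recipient verification is omitted here, because in many cases the clients
+ # are dumb MUAs that don't cope well with SMTP error responses. If you are
+ # actually relaying out from MTAs, you should probably add recipient
+ # verification here.
+
+ # Note that, by putting this test before any DNS black list checks, you will
+ # always accept from these hosts, even if they end up on a black list. The
+ # assumption is that they are your friends, and if they get onto a black
+ # list, it is a mistake.
+
+ accept hosts = +relay_from_hosts
+ control = submission
+ control = dkim_disable_verify
+
+ # Accept if the message arrived over an authenticated connection, from
+ # any host. Again, these messages are usually from MUAs, so recipient
+ # verification is omitted, and submission mode is set. And again, we do this
+ # check before any black list tests.
+
+ accept authenticated = *
+ control = submission
+ control = dkim_disable_verify
+
+ # Insist that a HELO/EHLO was accepted.
+
+ require message = nice hosts say HELO first
+ condition = ${if def:sender_helo_name}
+
+ # Insist that any other recipient address that we accept is either in one of
+ # our local domains, or is in a domain for which we explicitly allow
+ # relaying. Any other domain is rejected as being unacceptable for relaying.
+
+ require message = relay not permitted
+ domains = +local_domains : +relay_to_domains
+
+ # We also require all accepted addresses to be verifiable. This check will
+ # do local part verification for local domains, but only check the domain
+ # for remote domains. The only way to check local parts for the remote
+ # relay domains is to use a callout (add /callout), but please read the
+ # documentation about callouts before doing this.
+
+ require verify = recipient
+
+ #############################################################################
+ # There are no default checks on DNS black lists because the domains that
+ # contain these lists are changing all the time. However, here are two
+ # examples of how you can get Exim to perform a DNS black list lookup at this
+ # point. The first one denies, whereas the second just warns.
+ #
+ # deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
+ # dnslists = black.list.example
+ #
+ # warn dnslists = black.list.example
+ # add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain
+ # log_message = found in $dnslist_domain
+ #############################################################################
+
+ #############################################################################
+ # This check is commented out because it is recognized that not every
+ # sysadmin will want to do it. If you enable it, the check performs
+ # Client SMTP Authorization (csa) checks on the sending host. These checks
+ # do DNS lookups for SRV records. The CSA proposal is currently (May 2005)
+ # an Internet draft. You can, of course, add additional conditions to this
+ # ACL statement to restrict the CSA checks to certain hosts only.
+ #
+ # require verify = csa
+ #############################################################################
+
+ # At this point, the address has passed all the checks that have been
+ # configured, so we accept it unconditionally.
+
+ accept
+
+
+# This ACL is used after the contents of a message have been received. This
+# is the ACL in which you can test a message's headers or body, and in
+# particular, this is where you can invoke external virus or spam scanners.
+# Some suggested ways of configuring these tests are shown below, commented
+# out. Without any tests, this ACL accepts all messages. If you want to use
+# such tests, you must ensure that Exim is compiled with the content-scanning
+# extension (WITH_CONTENT_SCAN=yes in Local/Makefile).
+
+acl_check_data:
+
+ # Deny if the message contains an overlong line. Per the standards
+ # we should never receive one such via SMTP.
+ #
+ deny message = maximum allowed line length is 998 octets, \
+ got $max_received_linelength
+ condition = ${if > {$max_received_linelength}{998}}
+
+ # Deny if the message contains a virus. Before enabling this check, you
+ # must install a virus scanner and set the av_scanner option above.
+ #
+ # deny malware = *
+ # message = This message contains a virus ($malware_name).
+
+ # Add headers to a message if it is judged to be spam. Before enabling this,
+ # you must install SpamAssassin. You may also need to set the spamd_address
+ # option above.
+ #
+ # warn spam = nobody
+ # add_header = X-Spam_score: $spam_score\n\
+ # X-Spam_score_int: $spam_score_int\n\
+ # X-Spam_bar: $spam_bar\n\
+ # X-Spam_report: $spam_report
+
+ # Accept the message.
+
+ accept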
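Review bot: Every list this file's access decisions hinge on (`+local_domains`, `+relay_to_domains`, `+relay_from_hosts`) and the `acl_smtp_rcpt` / `acl_smtp_data` options that bind `acl_check_rcpt` and `acl_check_data` to the SMTP transaction are defined outside this hunk, yet the comments carried over from the stock Exim configuration still say the lists and the `av_scanner`/`spamd_address` options are set "above", which no longer points anywhere in a split conf.d layout. Because a wrong or missing `relay_from_hosts` entry turns the `accept hosts = +relay_from_hosts` / `control = submission` stanza into an open relay for that host, and an undefined `acl_smtp_rcpt` makes Exim reject every RCPT, a file header should name the dependency explicitly, e.g. `# Requires domainlist local_domains, domainlist relay_to_domains and hostlist relay_from_hosts, plus acl_smtp_rcpt/acl_smtp_data pointing at the ACLs below, from conf.d/<MAIN-CONFIG-FILE-PLACEHOLDER>.` The same header is the place to state that the DNSBL, CSA, malware and spam checks are all shipped commented out, so after this commit inbound mail is screened only by sender/recipient verification, the HELO requirement and the relay restriction. Presumably the ordering of the conf.d files guarantees the lists are defined before this file is read; worth confirming, since the ACL section is parsed after the main section regardless.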