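######################################################################
# ACL CONFIGURATION
#
# Specifies access control lists for incoming SMTP mail.
#
# Ordering rule used throughout this file: Exim processes the conditions
# and modifiers of one ACL statement in the order written and stops at the
# first condition that fails.  A "message" or "set" modifier that appears
# AFTER a failing condition is therefore never processed, so for "require"
# statements the message (and any "set" that a caller's message relies on)
# must come BEFORE the condition.  Controls that should only apply when the
# condition holds (e.g. control = submission) stay after it.
######################################################################

begin acl

######################
# GENERAL CHECK ACLs #
######################

# Denies unless the client has issued HELO/EHLO.
# Leaves the reason in $acl_m_msg for the caller's message.
acl_check_mail_introduction:
  # "set" first: it is skipped if placed after the failing condition.
  require set acl_m_msg = HELO/EHLO command required.
          condition     = ${if def:sender_helo_name}
  accept

# Denies a recipient whose local part starts with a dot or contains
# characters that could be mis-parsed by downstream tools (@ % ! / |).
# The deny verb only applies when its condition matches, so "set" may follow it.
acl_check_rcpt_syntax:
  deny    local_parts   = ^[.] : ^.*[@%!/|]
          set acl_m_msg = Invalid local part.
  accept

# Checks the link between a given mail alias and a given user.
# $acl_arg1: alias to check
# $acl_arg2: user
# The alias must be a key in ALIASMAP whose value equals the user exactly;
# an unknown alias or an empty $acl_arg2 that does not match fails closed.
# NOTE(review): nested-ACL arguments are whitespace-split, so a quoted local
# part containing spaces would shift the arguments (the lookup then fails,
# i.e. still fails closed).
acl_check_alias:
  require condition = ${lookup{$acl_arg1}lsearch{ALIASMAP} \
                        {${if eq{$value}{$acl_arg2} {yes}{no}}} \
                        {no}}
  accept

#########################
# MUA ACLs (submission) #
#########################

acl_mua_mail:
  require message = Courtesy protocol violation: $acl_m_msg
          acl     = acl_check_mail_introduction

  # Fail closed: establish who the client is before consulting the alias map,
  # instead of looking the envelope sender up against an empty $authenticated_id.
  require message       = Authentication required for message submission.
          authenticated = *

  # The authenticated user may only use envelope senders mapped to it.
  # NOTE(review): a null sender (MAIL FROM:<>) yields an empty lookup key and is
  # rejected here — presumably intended for a submission port; confirm.
  require message = Envelope address mismatch: $authenticated_id is not authorized to use $sender_address.
          acl     = acl_check_alias $sender_address $authenticated_id
  accept

acl_mua_rcpt:
  require message   = Encrypted session required for message submission.
          encrypted = *

  # Submission mode and the DKIM-verification bypass only apply once the
  # client has authenticated, hence the controls follow the condition.
  require message       = Authentication required for message submission.
          authenticated = *
          control       = submission
          control       = dkim_disable_verify

  require message = Syntactic validation failed: $acl_m_msg
          acl     = acl_check_rcpt_syntax

  require message = Sender verification failed.
          verify  = sender
  accept

acl_mua_data:
  # The From: header must also map to the authenticated user.
  # NOTE(review): ${address:} extracts a single address; confirm how a From:
  # header carrying several addresses behaves here (expected: empty result,
  # hence a failed lookup and a rejection).
  require message = Header address mismatch: $authenticated_id is not authorized to use ${address:$h_from:}.
          acl     = acl_check_alias ${address:$h_from:} $authenticated_id
  accept

############
# MTA ACLs #
############

acl_mta_connect:
  # Accept all connections from trusted hosts and relays.
  # Also disable DKIM signature check as mailing list servers may alter messages.
  accept  hosts   = +trusted_relay_hosts
          control = dkim_disable_verify

  # Drop connections from hosts known to be bad.
  # NOTE(review): sbl-xbl.spamhaus.org is a legacy zone (Spamhaus publishes
  # zen.spamhaus.org as its combined list); verify it still answers, because a
  # retired or expired DNSBL domain can start returning a positive answer for
  # every query, which with "drop" would reject all inbound mail.  Restricting
  # the accepted return codes (dnslists = <zone>=127.0.0.2,...) limits that risk.
  drop    message  = [RBL] $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
          dnslists = sbl-xbl.spamhaus.org : bl.spamcop.net
  accept

acl_mta_mail:
  require message = Courtesy protocol violation: $acl_m_msg
          acl     = acl_check_mail_introduction

  # Accept all messages from trusted hosts and relays.
  # Also disable DKIM signature check as mailing list servers may alter messages.
  accept  hosts   = +trusted_relay_hosts
          control = dkim_disable_verify

  # Accept if the host is an authorized sender according to the SPF policy for
  # the domain (SPF pass).  SPF_QUERY_COMMAND is expected to print 0 for pass
  # and 1 for fail; any other output (none, temperror, tool failure) matches
  # neither branch and processing falls through to the PBL check below.
  # ${run} does not invoke a shell; ${quote:} keeps each client-supplied value
  # a single argument.
  # NOTE(review): "--identity" is emitted twice (once before the scope branch
  # and once inside it); confirm against SPF_QUERY_COMMAND's argument contract
  # — it reads like a leftover from an earlier form of the command.
  # TODO: switch to builtin exim SPF support
  accept  set acl_m_spf = ${run{SPF_QUERY_COMMAND \
                             --ip ${quote:$sender_host_address} \
                             --identity ${if def:sender_address_domain \
                               {--scope mfrom --identity ${quote:$sender_address}} \
                               {--scope helo --identity ${quote:$sender_helo_name}}}}}
          condition     = ${if eq {$acl_m_spf}{0}{yes}{no}}

  # Drop if the host is explicitly not an authorized sender according to the SPF
  # policy for the domain (SPF fail).
  # NOTE(review): openspf.org no longer hosts the SPF project; confirm the URL
  # below still resolves somewhere appropriate before echoing it to senders.
  # TODO: switch to builtin exim SPF support
  drop    condition = ${if eq {$acl_m_spf}{1}{yes}{no}}
          message   = [SPF] $sender_host_address is not allowed to send mail from \
                      ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
                      Please see http://www.openspf.org/Why?scope=${if def:sender_address_domain \
                      {mfrom}{helo}};identity=${if def:sender_address_domain \
                      {$sender_address}{$sender_helo_name}};ip=$sender_host_address

  # Drop messages from hosts listed as non-MTA in the PBL, for which SPF
  # couldn't determine a policy.
  drop    message  = [RBL] $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
          dnslists = pbl.spamhaus.org
  accept

acl_mta_rcpt:
  require message = Syntactic validation failed: $acl_m_msg
          acl     = acl_check_rcpt_syntax

  require message = Sender verification failed.
          verify  = sender

  # Hosts allowed to relay anywhere (after sender verification).
  accept  hosts   = +relay_from_hosts

  # Everyone else may only address local or explicitly relayed domains.
  require message = Unhandled destination.
          domains = +local_domains : +relay_to_domains

  require message = Recipient verification failed.
          verify  = recipient
  accept

# NOTE(review): this macro is defined inside the ACL section; older Exim
# releases only accept macro definitions in the main section before the first
# "begin" line — confirm against the deployed version.
.ifdef SPAMD_ADDRESS
SCAN_SPAM = yes
.else
SCAN_SPAM = no
.endif

acl_mta_data:
  # RFC 5322 line-length limit.  The message was previously only stored in
  # $acl_m_msg, which no caller reads for a top-level ACL, so the client got a
  # generic rejection; emit the reason directly.
  deny    message   = Maximum allowed line length is 998 octets, got $max_received_linelength.
          condition = ${if > {$max_received_linelength}{998}}

  # Tag (never reject) with the SpamAssassin verdict when a spamd is configured.
  # "true" forces the variables to be populated regardless of score; "defer_ok"
  # accepts the message untagged if spamd is unreachable (fails open).
  # Incoming X-Spam-* headers are stripped first so a sender cannot pre-set them.
  warn    condition     = SCAN_SPAM
          spam          = nobody:true/defer_ok
          remove_header = x-spam-bar : x-spam-score : x-spam-report : x-spam-status
          add_header    = X-Spam-Score: $spam_score ($spam_bar)
          add_header    = X-Spam-Report: $spam_report
          add_header    = X-Spam-Status: ${if eq{$spam_action}{reject} {Yes}{No}}
  accept

# Checks the validity of each signature in the message,
# and the presence of a required signature for the sender domain.
# Global var to enable mandatory signature check:
# dkim_verify_signers = $sender_address_domain:$dkim_signers
# This ACL runs once per signer in that list; $dkim_cur_signer is the domain
# being evaluated in the current run.
acl_mta_dkim:
  # A signature that is present but does not verify.
  # NOTE(review): because this runs per signer, a broken third-party signature
  # (e.g. one damaged by a mailing list) rejects the message even when the
  # author domain's own signature is fine; RFC 6376 treats a failed signature
  # as equivalent to no signature — consider downgrading this to "warn".
  deny    message     = [DKIM] invalid signature ($dkim_verify_reason).
          dkim_status = fail

  # No signature from the current signer: consult the signer's DomainKeys-style
  # policy record (_domainkey.<domain>) and reject if it declares that all of
  # the domain's mail is signed (tag "o=-").  The record belongs to the signing
  # domain, hence $dkim_cur_signer, not the client IP.  Exim's "match" takes a
  # bare regular expression, so the pattern carries no slash delimiters.
  # NOTE(review): a native ${lookup dnsdb{txt=_domainkey.$dkim_cur_signer}}
  # would avoid forking dig for every unsigned message, if dnsdb is compiled in.
  deny    dkim_status   = none
          set acl_m_ddk = ${run{DIG_QUERY_COMMAND +short TXT ${quote:_domainkey.$dkim_cur_signer}}}
          condition     = ${if match{$acl_m_ddk}{\N\bo=-\N}}
          message       = [DKIM] required signature for $dkim_cur_signer is missing.
  accept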