# This access control list is used for every RCPT command in an incoming
# SMTP message. The tests are run in order until the address is either
# NOTE(review): the end of the sentence above (listing lines 3-4) is missing
# from this copy; presumably "accepted or denied".
# Because the statements are tried in order, their sequence is part of the
# policy: moving one changes which checks a recipient is subject to.
# NOTE(review): this ACL only takes effect if the main configuration selects
# it for RCPT (Exim's acl_smtp_rcpt option); that setting is not shown here.
acl_example_check_rcpt:
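# Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
# testing for an empty sending host field.
# NOTE(review): the accept statement this comment describes (listing line 8)
# is not present in this copy of the listing.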
# Deny if the local part contains @ or % or / or | or !. These are rarely
# found in genuine local parts, but are often tried by people looking to
# circumvent relaying restrictions.

# Also deny if the local part starts with a dot. Empty components aren't
# strictly legal in RFC 2822, but Exim allows them because this is common.
# However, actually starting with a dot may cause trouble if the local part
# is used as a file name (e.g. for a mailing list).

# The list holds two regular expressions separated by a colon: the first
# matches any of the five characters anywhere in the local part, the second
# matches a leading dot.
# No "domains" condition is visible on this statement (listing line 20 is not
# shown), so as written the check applies to every recipient.
# NOTE(review): the doubled backslash presumably survives string expansion as
# a single one, giving the regex ^\. - confirm against the running Exim.
  deny local_parts = ^.*[@%!/|] : ^\\.
# Accept mail to postmaster in any local domain, regardless of the source,
# and without verifying the sender.

# Both conditions must hold: the local part is "postmaster" and the domain is
# in the +local_domains list (defined outside this excerpt).
# Because this accept comes before the sender, blacklist and DNS list
# statements below, mail to postmaster is not subject to any of them.
  accept local_parts = postmaster
         domains = +local_domains
# Deny unless the sender address can be verified.
# NOTE(review): the listing jumps from line 28 to line 31 and no sender
# verification condition is visible. Taken literally, the line below denies
# every RCPT for which the acl_whitelist_local_deny ACL (defined elsewhere)
# does not accept. Restore the missing line(s) from the original file before
# using this statement.
  deny !acl = acl_whitelist_local_deny
# Warn if the sender host does not have valid reverse DNS.
# "warn" never rejects: when the reverse lookup check fails, the "message"
# text is added to the mail as a header and processing continues with the
# next statement.
# NOTE(review): nothing here removes a header of the same name supplied by
# the sender, so a copy already present in incoming mail cannot be told apart
# from one added by this server. Treat the header as advisory.
  warn message = X-Broken-Reverse-DNS: no host name found for IP address $sender_host_address
       !verify = reverse_host_lookup
# deny bad senders (envelope sender)
# CONFDIR/local_sender_blacklist holds a list of envelope senders that
# should have their access denied to the local host. Incoming messages
# with one of these senders are rejected at RCPT time.

# The explicit white lists are honored as well as negative items in
# the black list. See /usr/share/doc/exim4-config/default_acl for details.

# The rejection text is returned to the SMTP client and includes the envelope
# sender it supplied. Whoever can write the blacklist file decides who is
# rejected, so keep it writable by the mail administrator only.
# NOTE(review): the listing jumps from line 45 to line 48 and the ${if ...}
# expansion below is never closed. As shown, the trailing backslash continues
# the value onto whatever line follows. Restore the missing line(s) from the
# original file before using this statement.
  deny message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
       !acl = acl_whitelist_local_deny
       senders = ${if exists{CONFDIR/local_sender_blacklist}\
                 {CONFDIR/local_sender_blacklist}\
# deny bad sites (IP address)
# CONFDIR/local_host_blacklist holds a list of host names, IP addresses
# and networks (CIDR notation) that should have their access denied to
# the local host. Messages coming in from a listed host will have all
# RCPT statements rejected.

# The explicit white lists are honored as well as negative items in
# the black list. See /usr/share/doc/exim4-config/default_acl for details.

# The rejection text is returned to the SMTP client and names the IP address
# that was matched. Whoever can write the blacklist file decides which hosts
# are rejected, so keep it writable by the mail administrator only.
# NOTE(review): the listing jumps from line 59 to line 63 and the ${if ...}
# expansion below is never closed. As shown, the trailing backslash continues
# the value onto whatever line follows. Restore the missing line(s) from the
# original file before using this statement.
  deny message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
       !acl = acl_whitelist_local_deny
       hosts = ${if exists{CONFDIR/local_host_blacklist}\
               {CONFDIR/local_host_blacklist}\
#############################################################################
# The DNS "black" lists here might have gone out of existence at the
# time you might want to start using this example. Use at your own risk,
# and verify the used lists' policies.
#############################################################################

# The two lists are separated by a colon and are looked up for the connecting
# host's IP address. This is a "warn" statement: on a hit the header is added
# and the log line written, and the recipient is still accepted or denied by
# the later statements.
# $dnslist_text comes from the list operator's DNS records, so the header and
# the log line carry third-party text.
# A list that no longer exists costs a DNS lookup (or a timeout) on every
# RCPT and, if its domain now answers every query, tags every host as listed.
  warn message = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
       log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
       dnslists = sbl-xbl.spamhaus.org:relays.bl.kundenserver.de
# Tag mail whose sender domain is listed at postmaster.rfc-ignorant.org.
# The "/$sender_address_domain" suffix makes the lookup key the envelope
# sender's domain instead of the connecting host's IP address. Senders found
# in the optional whitelist file are meant to be exempt.
# NOTE(review): the listing jumps from line 76 to line 78 and the ${if ...}
# expansion is never closed; as shown, the trailing backslash runs the
# !senders value into the dnslists line. Restore the missing line first.
# NOTE(review): rfc-ignorant.org is reported to have ceased operation, and
# the banner in this file warns that the lists may be gone. Confirm the zone
# still answers before enabling this statement.
  warn message = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
       log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
       !senders = ${if exists{CONFDIR/local_postmaster.rfc-ignorant.org_whitelist}\
                  {CONFDIR/local_postmaster.rfc-ignorant.org_whitelist}\
       dnslists = postmaster.rfc-ignorant.org/$sender_address_domain
# Tag mail whose sender domain is listed at abuse.rfc-ignorant.org. The
# lookup key is the envelope sender's domain; senders found in the optional
# whitelist file are meant to be exempt. Nothing is rejected here.
# NOTE(review): the listing jumps from line 83 to line 85 and the ${if ...}
# expansion is never closed; as shown, the trailing backslash runs the
# !senders value into the dnslists line. Restore the missing line first.
# NOTE(review): confirm this zone is still operated before enabling the
# statement; the banner in this file warns that the lists may be gone.
  warn message = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
       log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
       !senders = ${if exists{CONFDIR/local_abuse.rfc-ignorant.org_whitelist}\
                  {CONFDIR/local_abuse.rfc-ignorant.org_whitelist}\
       dnslists = abuse.rfc-ignorant.org/$sender_address_domain
# Tag mail whose sender domain is listed at whois.rfc-ignorant.org. The
# lookup key is the envelope sender's domain; senders found in the optional
# whitelist file are meant to be exempt. Nothing is rejected here.
# NOTE(review): the listing jumps from line 90 to line 92 and the ${if ...}
# expansion is never closed; as shown, the trailing backslash runs the
# !senders value into the dnslists line. Restore the missing line first.
# NOTE(review): confirm this zone is still operated before enabling the
# statement; the banner in this file warns that the lists may be gone.
  warn message = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
       log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
       !senders = ${if exists{CONFDIR/local_whois.rfc-ignorant.org_whitelist}\
                  {CONFDIR/local_whois.rfc-ignorant.org_whitelist}\
       dnslists = whois.rfc-ignorant.org/$sender_address_domain
# Tag mail whose sender domain is listed at dsn.rfc-ignorant.org. The
# lookup key is the envelope sender's domain; senders found in the optional
# whitelist file are meant to be exempt. Nothing is rejected here.
# NOTE(review): the listing jumps from line 97 to line 99 and the ${if ...}
# expansion is never closed; as shown, the trailing backslash runs the
# !senders value into the dnslists line. Restore the missing line first.
# NOTE(review): confirm this zone is still operated before enabling the
# statement; the banner in this file warns that the lists may be gone.
  warn message = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
       log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
       !senders = ${if exists{CONFDIR/local_dsn.rfc-ignorant.org_whitelist}\
                  {CONFDIR/local_dsn.rfc-ignorant.org_whitelist}\
       dnslists = dsn.rfc-ignorant.org/$sender_address_domain
# Accept if the address is in a local domain, but only if the recipient can
# be verified. Otherwise deny. The "endpass" line is the border between
# passing on to the next ACL statement (if tests above it fail) or denying
# access (if tests below it fail).

# NOTE(review): the listing skips lines 107 and 109-110, and neither the
# "endpass" line nor a recipient verification condition is visible. As shown,
# nothing below checks that the recipient exists. Restore the missing lines
# from the original file: accepting unverified local recipients means the
# failure is only discovered after the message has been accepted, and the
# resulting bounce goes to a sender address that may be forged.
  accept domains = +local_domains
         message = unknown user
# Accept if the address is in a domain for which we are relaying, but again,
# only if the recipient can be verified.

# NOTE(review): the listing skips lines 115 and 117-118, and no recipient
# verification condition is visible. As shown, nothing below checks that the
# address is routeable. Restore the missing lines from the original file
# before using this statement.
  accept domains = +relay_to_domains
         message = unrouteable address
# If control reaches this point, the domain is neither in +local_domains
# nor in +relay_to_domains.

# Accept if the message comes from one of the hosts for which we are an
# outgoing relay. Recipient verification is omitted here, because in many
# cases the clients are dumb MUAs that don't cope well with SMTP error
# responses. If you are actually relaying out from MTAs, you should probably
# add recipient verification here.

# Every host matched by +relay_from_hosts (defined outside this excerpt) can
# send to any destination through this server, so keep that list limited to
# the networks you actually serve.
  accept hosts = +relay_from_hosts
# Accept if the message arrived over an authenticated connection, from
# any host. Again, these messages are usually from MUAs, so recipient
# verification is omitted.

# "*" matches any authenticator, so any successful SMTP AUTH grants relaying
# to any destination.
# NOTE(review): how AUTH is offered is configured outside this excerpt; check
# that credentials are only accepted over encrypted sessions and that failed
# logins are logged.
  accept authenticated = *
# Reaching the end of the ACL causes a "deny", but we might as well give
# an explicit message.

# This statement has no conditions, so it rejects every RCPT that no earlier
# statement accepted. It is what stops hosts outside the accept rules above
# from relaying through this server.
  deny message = relay not permitted