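######################################################################
#                        ACL CONFIGURATION                           #
#        Specifies access control lists for incoming SMTP mail       #
######################################################################
#
# Layout: the Debian split-config ACL fragments (acl/00 .. acl/40) followed
# by a site-local greylisting ACL (acl_check_spamsenders).  Site-local
# changes to the stock Debian rules are marked "Local change:".
#
# Reviewer's fixes relative to the previous revision of this file:
#   * the reverse-DNS and IP-DNSBL rules had been switched from "warn" to
#     "deny" but kept header-style texts ("X-Host-Lookup-Failed:",
#     "X-Warning:") as the SMTP reject text and did not honour the local
#     deny exceptions; a *deferred* reverse lookup was also rejected with
#     a permanent 5xx instead of a 4xx.
#   * in acl_check_data the "noscan" test came after the spam condition,
#     so every message was still sent to spamd; the headers are now added
#     with add_header (as in the SPF block) and the spam reject honours the
#     local deny exceptions.
#   * the greylisting defers now carry an explanatory message.

begin acl

#####################################################
### end acl/00_exim4-config_header
#####################################################
#####################################################
### acl/20_exim4-config_local_deny_exceptions
#####################################################
### acl/20_exim4-config_local_deny_exceptions
#################################

# This is used to determine whitelisted senders and hosts.
# It checks for CONFDIR/host_local_deny_exceptions and
# CONFDIR/sender_local_deny_exceptions.
#
# It is meant to be used from some other acl entry (as "!acl = ...").
#
# See exim4-config_files(5) for details.
#
# If the files do not exist, the white list never matches, which is
# the desired behaviour.
#
# The old file names CONFDIR/local_host_whitelist and
# CONFDIR/local_sender_whitelist will continue to be honored for a
# transition period. Their use is deprecated.

acl_local_deny_exceptions:
  accept
    hosts = ${if exists{CONFDIR/host_local_deny_exceptions}\
                 {CONFDIR/host_local_deny_exceptions}\
                 {}}
  accept
    senders = ${if exists{CONFDIR/sender_local_deny_exceptions}\
                   {CONFDIR/sender_local_deny_exceptions}\
                   {}}
  accept
    hosts = ${if exists{CONFDIR/local_host_whitelist}\
                 {CONFDIR/local_host_whitelist}\
                 {}}
  accept
    senders = ${if exists{CONFDIR/local_sender_whitelist}\
                   {CONFDIR/local_sender_whitelist}\
                   {}}

  # This hook allows you to hook in your own ACLs without having to
  # modify this file. If you do it like we suggest, you'll end up with
  # a small performance penalty since there is an additional file being
  # accessed. This doesn't happen if you leave the macro unset.
  .ifdef LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE
  .include LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE
  .endif
  # this is still supported for a transition period and is deprecated.
  .ifdef WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE
  .include WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE
  .endif

#####################################################
### end acl/20_exim4-config_local_deny_exceptions
#####################################################
#####################################################
### acl/30_exim4-config_check_mail
#####################################################
### acl/30_exim4-config_check_mail
#################################

# This access control list is used for every MAIL command in an incoming
# SMTP message. The tests are run in order until the address is either
# accepted or denied.
#
acl_check_mail:

  # Reject MAIL when no HELO/EHLO has been issued first.
  .ifdef CHECK_MAIL_HELO_ISSUED
  deny
    message = no HELO/EHLO given before MAIL command
    condition = ${if def:sender_helo_name {no}{yes}}
  .endif

  # Local rule: an authenticated client may only use its own login id as
  # the envelope sender.  The comparison is exact and case-sensitive
  # ("eq"), so the login id must be spelled exactly like the address the
  # MUA puts in MAIL FROM; note that this also rejects an empty envelope
  # sender (MAIL FROM:<>) from authenticated clients.
  deny
    message = $authenticated_id is not allowed to send mail from $sender_address
    authenticated = *
    condition = ${if eq{$sender_address}{$authenticated_id}{no}{yes}}

  accept

#####################################################
### end acl/30_exim4-config_check_mail
#####################################################
#####################################################
### acl/30_exim4-config_check_rcpt
#####################################################
### acl/30_exim4-config_check_rcpt
#################################

# This access control list is used for every RCPT command in an incoming
# SMTP message. The tests are run in order until the address is either
# accepted or denied.
#
acl_check_rcpt:

  # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
  # testing for an empty sending host field.  acl_m0 = noscan is read by
  # acl_check_data to skip the spam scan.
  accept
    hosts = :
    set acl_m0 = noscan

  # Local rule: clients on the submission port (587) must authenticate.
  # Unauthenticated sessions on that port are rejected here, at RCPT time
  # (the old reject text claimed "before MAIL command", which was wrong
  # for a rule that lives in the RCPT ACL).
  deny
    message = Authentication required on the submission port
    !authenticated = *
    condition = ${if eq {$interface_port}{587}{true}{false}}

  # The following section of the ACL is concerned with local parts that contain
  # certain non-alphanumeric characters. Dots in unusual places are
  # handled by this ACL as well.
  #
  # Non-alphanumeric characters other than dots are rarely found in genuine
  # local parts, but are often tried by people looking to circumvent
  # relaying restrictions. Therefore, although they are valid in local
  # parts, these rules disallow certain non-alphanumeric characters, as
  # a precaution.
  #
  # Empty components (two dots in a row) are not valid in RFC 2822, but Exim
  # allows them because they have been encountered. (Consider local parts
  # constructed as "firstinitial.secondinitial.familyname" when applied to
  # a name without a second initial.) However, a local part starting
  # with a dot or containing /../ can cause trouble if it is used as part of a
  # file name (e.g. for a mailing list). This is also true for local parts that
  # contain slashes. A pipe symbol can also be troublesome if the local part is
  # incorporated unthinkingly into a shell command line.
  #
  # These ACL components will block recipient addresses that are valid
  # from an RFC2822 point of view. We chose to have them blocked by
  # default for security reasons.
  #
  # If you feel that your site should have less strict recipient
  # checking, please feel free to change the default values of the macros
  # defined in main/01_exim4-config_listmacrosdefs or override them from a
  # local configuration file.
  #
  # Two different rules are used. The first one has a quite strict
  # default, and is applied to messages that are addressed to one of the
  # local domains handled by this host.
  # The default value of CHECK_RCPT_LOCAL_LOCALPARTS is defined in
  # main/01_exim4-config_listmacrosdefs:
  # CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]
  # This blocks local parts that begin with a dot or contain a quite
  # broad range of non-alphanumeric characters.
  .ifdef CHECK_RCPT_LOCAL_LOCALPARTS
  deny
    domains = +local_domains
    local_parts = CHECK_RCPT_LOCAL_LOCALPARTS
    message = restricted characters in address
  .endif

  # The second rule applies to all other domains, and its default is
  # considerably less strict.
  # The default value of CHECK_RCPT_REMOTE_LOCALPARTS is defined in
  # main/01_exim4-config_listmacrosdefs:
  # CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
  # It allows local users to send outgoing messages to sites
  # that use slashes and vertical bars in their local parts. It blocks
  # local parts that begin with a dot, slash, or vertical bar, but allows
  # these characters within the local part. However, the sequence /../ is
  # barred. The use of some other non-alphanumeric characters is blocked.
  # Single quotes might probably be dangerous as well, but they're
  # allowed by the default regexps to avoid rejecting mails to Ireland.
  # The motivation here is to prevent local users (or local users' malware)
  # from mounting certain kinds of attack on remote sites.
  .ifdef CHECK_RCPT_REMOTE_LOCALPARTS
  deny
    domains = !+local_domains
    local_parts = CHECK_RCPT_REMOTE_LOCALPARTS
    message = restricted characters in address
  .endif

  # Accept mail to postmaster in any local domain, regardless of the source,
  # and without verifying the sender.
  #
  accept
  .ifndef CHECK_RCPT_POSTMASTER
    local_parts = postmaster
  .else
    local_parts = CHECK_RCPT_POSTMASTER
  .endif
    domains = +local_domains : +relay_to_domains

  # Deny unless the sender address can be verified.
  #
  # This is disabled by default so that DNSless systems don't break. If
  # your system can do DNS lookups without delay or cost, you might want
  # to enable this feature.
  #
  # This feature does not work in smarthost and satellite setups as
  # with these setups all domains pass verification. See spec.txt chapter
  # 39.31 with the added information that a smarthost/satellite setup
  # routes all non-local e-mail to the smarthost.
  .ifdef CHECK_RCPT_VERIFY_SENDER
  deny
    message = Sender verification failed
    !acl = acl_local_deny_exceptions
    !verify = sender
  .endif

  # Verify senders listed in local_sender_callout with a callout.
  #
  # In smarthost and satellite setups, this causes the callout to be
  # done to the smarthost. Verification will thus only be reliable if the
  # smarthost does reject illegal addresses in the SMTP dialog.
  deny
    !acl = acl_local_deny_exceptions
    senders = ${if exists{CONFDIR/local_sender_callout}\
                   {CONFDIR/local_sender_callout}\
                   {}}
    !verify = sender/callout

  # Accept if the message comes from one of the hosts for which we are an
  # outgoing relay. It is assumed that such hosts are most likely to be MUAs,
  # so we set control=submission to make Exim treat the message as a
  # submission. It will fix up various errors in the message, for example, the
  # lack of a Date: header line. If you are actually relaying out from
  # MTAs, you may want to disable this. If you are handling both relaying from
  # MTAs and submissions from MUAs you should probably split them into two
  # lists, and handle them differently.
  # Recipient verification is omitted here, because in many cases the clients
  # are dumb MUAs that don't cope well with SMTP error responses. If you are
  # actually relaying out from MTAs, you should probably add recipient
  # verification here.
  # Note that, by putting this test before any DNS black list checks, you will
  # always accept from these hosts, even if they end up on a black list. The
  # assumption is that they are your friends, and if they get onto black
  # list, it is a mistake.
  accept
    hosts = +relay_from_hosts
    control = submission/sender_retain
    set acl_m0 = noscan

  # Accept if the message arrived over an authenticated connection, from
  # any host. Again, these messages are usually from MUAs, so recipient
  # verification is omitted, and submission mode is set. And again, we do this
  # check before any black list tests.  DKIM verification is switched off for
  # these messages and they are flagged noscan for acl_check_data.
  accept
    authenticated = *
    control = submission/sender_retain
    control = dkim_disable_verify
    set acl_m0 = noscan

  # Insist that any other recipient address that we accept is either in one of
  # our local domains, or is in a domain for which we explicitly allow
  # relaying. Any other domain is rejected as being unacceptable for relaying.
  require
    message = relay not permitted
    domains = +local_domains : +relay_to_domains

  # We also require all accepted addresses to be verifiable. This check will
  # do local part verification for local domains, but only check the domain
  # for remote domains.
  require
    verify = recipient

  # Verify recipients listed in local_rcpt_callout with a callout.
  # This is especially handy for forwarding MX hosts (secondary MX or
  # mail hubs) of domains that receive a lot of spam to non-existent
  # addresses. The only way to check local parts for remote relay
  # domains is to use a callout (add /callout), but please read the
  # documentation about callouts before doing this.
  deny
    !acl = acl_local_deny_exceptions
    recipients = ${if exists{CONFDIR/local_rcpt_callout}\
                      {CONFDIR/local_rcpt_callout}\
                      {}}
    !verify = recipient/callout

  # CONFDIR/local_sender_blacklist holds a list of envelope senders that
  # should have their access denied to the local host. Incoming messages
  # with one of these senders are rejected at RCPT time.
  #
  # The explicit white lists are honored as well as negative items in
  # the black list. See exim4-config_files(5) for details.
  deny
    message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
    !acl = acl_local_deny_exceptions
    senders = ${if exists{CONFDIR/local_sender_blacklist}\
                   {CONFDIR/local_sender_blacklist}\
                   {}}

  # deny bad sites (IP address)
  # CONFDIR/local_host_blacklist holds a list of host names, IP addresses
  # and networks (CIDR notation) that should have their access denied to
  # The local host. Messages coming in from a listed host will have all
  # RCPT statements rejected.
  #
  # The explicit white lists are honored as well as negative items in
  # the black list. See exim4-config_files(5) for details.
  deny
    message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
    !acl = acl_local_deny_exceptions
    hosts = ${if exists{CONFDIR/local_host_blacklist}\
                 {CONFDIR/local_host_blacklist}\
                 {}}

  # Local change: reject (the stock Debian rule only warns) if the sender
  # host does not have valid reverse DNS.
  #
  # $host_lookup_failed is 1 when the reverse lookup was attempted and
  # definitely failed; $host_lookup_deferred is 1 when it could not be
  # completed (temporary DNS trouble).  Only the first case is a permanent
  # 5xx reject; a deferred lookup gets a 4xx so a legitimate sender retries
  # instead of bouncing.  Both honour the local deny exceptions, and the
  # reject text is plain prose rather than the "X-Host-Lookup-Failed:"
  # header line that the old warn rule used.
  # NOTE(review): both variables are only populated when host_lookup is
  # enabled in the main configuration -- confirm it is set for these hosts.
  .ifdef CHECK_RCPT_REVERSE_DNS
  deny
    condition = ${if eq{$host_lookup_failed}{1}{yes}{no}}
    !acl = acl_local_deny_exceptions
    message = Reverse DNS lookup failed for $sender_host_address
    log_message = reverse DNS lookup failed for $sender_host_address
  defer
    condition = ${if eq{$host_lookup_deferred}{1}{yes}{no}}
    !acl = acl_local_deny_exceptions
    message = Reverse DNS lookup for $sender_host_address deferred, try again later
    log_message = reverse DNS lookup deferred for $sender_host_address
  .endif

  # Use spfquery to perform a pair of SPF checks (for details, see
  # http://www.openspf.org/)
  #
  # This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not
  # enable if that's an issue. Also note that if you enable this, you must
  # install "spf-tools-perl" which provides the spfquery command.
  # Missing spf-tools-perl will trigger the "Unexpected error in
  # SPF check" warning.
  #
  # $runrc is the exit status of spfquery: 0 pass, 1 fail, 2 softfail,
  # 3 neutral, 4 permerror, 5 temperror, 6 none (mapping taken from the
  # Received-SPF header construction below).
  .ifdef CHECK_RCPT_SPF
  deny
    message = [SPF] $sender_host_address is not allowed to send mail from \
              ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}. \
              Please see \
              http://www.openspf.org/Why?scope=${if def:sender_address_domain \
              {mfrom}{helo}};identity=${if def:sender_address_domain \
              {$sender_address}{$sender_helo_name}};ip=$sender_host_address
    log_message = SPF check failed. [SPF] $sender_host_address is not allowed to send mail from \
              ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}.
    !acl = acl_local_deny_exceptions
    !authenticated = *
    condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
                   ${quote:$sender_host_address} --identity \
                   ${if def:sender_address_domain \
                       {--scope mfrom --identity ${quote:$sender_address}}\
                       {--scope helo --identity ${quote:$sender_helo_name}}}}\
                   {no}{${if eq {$runrc}{1}{yes}{no}}}}

  defer
    message = Temporary DNS error while checking SPF record. Try again later.
    !acl = acl_local_deny_exceptions
    condition = ${if eq {$runrc}{5}{yes}{no}}

  warn
    condition = ${if <={$runrc}{6}{yes}{no}}
    add_header = Received-SPF: ${if eq {$runrc}{0}{pass}\
                   {${if eq {$runrc}{2}{softfail}\
                   {${if eq {$runrc}{3}{neutral}\
                   {${if eq {$runrc}{4}{permerror}\
                   {${if eq {$runrc}{6}{none}{error}}}}}}}}}\
                   } client-ip=$sender_host_address; \
                   ${if def:sender_address_domain \
                   {envelope-from=${sender_address}; }{}}\
                   helo=$sender_helo_name

  warn
    log_message = Unexpected error in SPF check.
    condition = ${if >{$runrc}{6}{yes}{no}}
  .endif

  # Local change: reject (the stock Debian rule only warns) hosts listed in
  # the classic DNS "black" lists (DNSBLs) which list sender IP addresses.
  # Local deny exceptions are honoured, and the reject text no longer
  # carries the "X-Warning:" header prefix of the old warn rule.
  .ifdef CHECK_RCPT_IP_DNSBLS
  deny
    !acl = acl_local_deny_exceptions
    dnslists = CHECK_RCPT_IP_DNSBLS
    message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
    log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
  .endif

  # Check against DNSBLs which list sender domains, with an option to locally
  # whitelist certain domains that might be blacklisted.
  #
  # Note: If you define CHECK_RCPT_DOMAIN_DNSBLS, you must append
  # "/$sender_address_domain" after each domain. For example:
  # CHECK_RCPT_DOMAIN_DNSBLS = rhsbl.foo.org/$sender_address_domain \
  #                            : rhsbl.bar.org/$sender_address_domain
  .ifdef CHECK_RCPT_DOMAIN_DNSBLS
  warn
    message = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
    log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
    !senders = ${if exists{CONFDIR/local_domain_dnsbl_whitelist}\
                    {CONFDIR/local_domain_dnsbl_whitelist}\
                    {}}
    dnslists = CHECK_RCPT_DOMAIN_DNSBLS
  .endif

  # This hook allows you to hook in your own ACLs without having to
  # modify this file. If you do it like we suggest, you'll end up with
  # a small performance penalty since there is an additional file being
  # accessed. This doesn't happen if you leave the macro unset.
  .ifdef CHECK_RCPT_LOCAL_ACL_FILE
  .include CHECK_RCPT_LOCAL_ACL_FILE
  .endif

  #############################################################################
  # This check is commented out because it is recognized that not every
  # sysadmin will want to do it. If you enable it, the check performs
  # Client SMTP Authorization (csa) checks on the sending host. These checks
  # do DNS lookups for SRV records. The CSA proposal is currently (May 2005)
  # an Internet draft. You can, of course, add additional conditions to this
  # ACL statement to restrict the CSA checks to certain hosts only.
  #
  # require verify = csa
  #############################################################################

  # Accept if the address is in a domain for which we are an incoming relay,
  # but again, only if the recipient can be verified.
  accept
    domains = +relay_to_domains
    endpass
    verify = recipient

  # At this point, the address has passed all the checks that have been
  # configured, so we accept it unconditionally.
  accept

#####################################################
### end acl/30_exim4-config_check_rcpt
#####################################################

# Site-local greylisting ACL backed by MySQL.  GREYLIST_TEST, GREYLIST_ADD,
# GREYLIST_UPD1 and GREYLIST_UPD2 are query macros defined elsewhere (not
# in this file).
#
# NOTE(review): the macros are not visible here; confirm that every
# expansion variable they interpolate is wrapped in ${quote_mysql:...}.
# NOTE(review): the greylisting rules exempt +relay_from_hosts but not
# authenticated clients; confirm this ACL is only reached for sessions
# that acl_check_rcpt did not already accept as submissions.
acl_check_spamsenders:

  # Pass if DKIM is good.
  # NOTE(review): a DKIM "pass" from *any* signing domain skips the
  # greylisting below; a sender who signs their own mail is not vouched
  # for by anyone.  If the intent is to exempt only known senders, add a
  # "dkim_signers = <trusted signing domains>" condition -- confirm.
  accept
    dkim_status = pass
    log_message = Pass throw by DKIM

  #
  # Greylist check
  #
  # Look the triplet up.  The lookup is expected to return "id=<n> ts=<n>";
  # on a failed lookup the fallback "id=-1 ts=0" is used, so id < 0 means
  # "never seen".  Anything else makes the ${extract}s fall back to
  # "unknown", which the numeric comparisons below cannot parse and the
  # ACL then defers with an expansion error.
  warn
    set acl_m1 = ${lookup mysql{GREYLIST_TEST}{$value}{id=-1 ts=0}}
    set acl_m2 = ${extract{id}{$acl_m1}{$value}{unknown}}
    set acl_m3 = ${extract{ts}{$acl_m1}{$value}{unknown}}

  # defer if first attempt: record the triplet and ask for a retry.  The
  # "set" runs only when the preceding conditions have passed, so the
  # GREYLIST_ADD query is issued only for unseen triplets.
  defer
    hosts = ! +relay_from_hosts
    condition = ${if < {$acl_m2}{0}{yes}{no}}
    set acl_m4 = ${lookup mysql{GREYLIST_ADD}{$value}{0}}
    message = Greylisted, please try again later

  # defer if time < block_time: known triplet still inside the window.
  defer
    hosts = ! +relay_from_hosts
    condition = ${if > {$acl_m2}{0}{yes}{no}}
    condition = ${if < {$acl_m3}{0}{yes}{no}}
    set acl_m4 = ${lookup mysql{GREYLIST_UPD2}{$value}{0}}
    message = Greylisted, please try again later

  # pass defers if time > block_time and update count
  warn
    hosts = ! +relay_from_hosts
    set acl_m4 = ${lookup mysql{GREYLIST_UPD1}{$value}{0}}

  accept

#####################################################
### acl/40_exim4-config_check_data
#####################################################
### acl/40_exim4-config_check_data
#################################

# This ACL is used after the contents of a message have been received. This
# is the ACL in which you can test a message's headers or body, and in
# particular, this is where you can invoke external virus or spam scanners.
acl_check_data:

  # Reject mail with blacklisted attachment extensions.
  # NOTE(review): "demime" is deprecated and has been dropped from newer
  # Exim releases; the commented-out acl_check_mime at the end of this
  # file is the MIME-ACL replacement.  Confirm the installed daemon still
  # supports it.
  deny
    message = contains $found_extension file (blacklisted).
    demime = exe : com : lnk : pif : prf

  # Deny unless the address list headers are syntactically correct.
  #
  # If you enable this, you might reject legitimate mail.
  .ifdef CHECK_DATA_VERIFY_HEADER_SYNTAX
  deny
    message = Message headers fail syntax check
    !acl = acl_local_deny_exceptions
    !verify = header_syntax
  .endif

  # require that there is a verifiable sender address in at least
  # one of the "Sender:", "Reply-To:", or "From:" header lines.
  .ifdef CHECK_DATA_VERIFY_HEADER_SENDER
  deny
    message = No verifiable sender address in message headers
    !acl = acl_local_deny_exceptions
    !verify = header_sender
  .endif

  # Deny if the message contains malware. Before enabling this check, you
  # must install a virus scanner and set the av_scanner option in the
  # main configuration.
  #
  # exim4-daemon-heavy must be used for this section to work.
  #
  #deny
  #  malware = *
  #  message = This message was detected as possible malware ($malware_name).

  # Add headers to a message if it is judged to be spam. Before enabling this,
  # you must install SpamAssassin. You also need to set the spamd_address
  # option in the main configuration.
  #
  # exim4-daemon-heavy must be used for this section to work.
  #
  # Please note that this is only suiteable as an example. There are
  # multiple issues with this configuration method. For example, if you go
  # this way, you'll give your spamassassin daemon write access to the
  # entire exim spool which might be a security issue in case of a
  # spamassassin exploit.
  #
  # See the exim docs and the exim wiki for more suitable examples.
  #
  # Conditions are evaluated in order and the "spam" condition is what
  # calls spamd, so the noscan test (set for local, relay-host and
  # authenticated submissions in acl_check_rcpt) must precede it; with the
  # old order every message was scanned.  "Debian-exim:true" makes the
  # condition always true so the headers are added whatever the score.
  # Headers are added with add_header, as in the SPF block above.
  # NOTE(review): without "/defer_ok" an unreachable spamd defers the
  # message; decide whether that is the desired failure mode.
  warn
    condition = ${if eq {$acl_m0}{noscan}{no}{yes}}
    spam = Debian-exim:true
    add_header = X-Spam_score: $spam_score\n\
                 X-Spam_score_int: $spam_score_int\n\
                 X-Spam_bar: $spam_bar\n\
                 X-Spam_report: $spam_report

  #warn
  #  message = X-Spam_Flag: Yes
  #  condition = ${if >{$spam_score_int}{50}{yes}{no}}

  # Reject outright above a score of 15.0 ($spam_score_int is the score
  # multiplied by ten).  Unscanned (noscan) messages have no score and are
  # skipped; local deny exceptions are honoured so a whitelisted sender's
  # false positive is not bounced.
  deny
    condition = ${if eq {$acl_m0}{noscan}{no}{yes}}
    !acl = acl_local_deny_exceptions
    condition = ${if >{$spam_score_int}{150}{yes}{no}}
    message = Spam detected!
    log_message = Spam detected (ip: $sender_host_address, email:$sender_address)

  # This hook allows you to hook in your own ACLs without having to
  # modify this file. If you do it like we suggest, you'll end up with
  # a small performance penalty since there is an additional file being
  # accessed. This doesn't happen if you leave the macro unset.
  .ifdef CHECK_DATA_LOCAL_ACL_FILE
  .include CHECK_DATA_LOCAL_ACL_FILE
  .endif

  # accept otherwise
  accept

#####################################################
### end acl/40_exim4-config_check_data
#####################################################

# MIME ACL (disabled): the modern replacement for the demime check in
# acl_check_data.  Enable it by uncommenting and setting
# acl_smtp_mime = acl_check_mime in the main configuration.
#
# acl_check_mime:
#
#   warn
#     decode = default
#
#   deny
#     message = Blacklisted file extension detected ($mime_filename)
#     condition = ${if match {${lc:$mime_filename}}{\N(\.exe|\.pif|\.cmd|\.hta|\.lnk|\.url|\.vb|\.bat|\.scr|\.lnk|\.com|\.vbs|\.cpl)$\N}{1}{0}}
#
#   accept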