Diffstat (limited to 'debian/debconf/conf.d/acl')
-rw-r--r--debian/debconf/conf.d/acl/00_exim4-config_header8
-rw-r--r--debian/debconf/conf.d/acl/20_exim4-config_local_deny_exceptions49
-rw-r--r--debian/debconf/conf.d/acl/30_exim4-config_check_mail11
-rw-r--r--debian/debconf/conf.d/acl/30_exim4-config_check_rcpt386
-rw-r--r--debian/debconf/conf.d/acl/40_exim4-config_check_data96
5 files changed, 550 insertions, 0 deletions
diff --git a/debian/debconf/conf.d/acl/00_exim4-config_header b/debian/debconf/conf.d/acl/00_exim4-config_header
new file mode 100644
index 0000000..76b017e
--- /dev/null
+++ b/debian/debconf/conf.d/acl/00_exim4-config_header
@@ -0,0 +1,8 @@
+
+######################################################################
+# ACL CONFIGURATION #
+# Specifies access control lists for incoming SMTP mail #
+######################################################################
+begin acl
+
+
diff --git a/debian/debconf/conf.d/acl/20_exim4-config_local_deny_exceptions b/debian/debconf/conf.d/acl/20_exim4-config_local_deny_exceptions
new file mode 100644
index 0000000..2372795
--- /dev/null
+++ b/debian/debconf/conf.d/acl/20_exim4-config_local_deny_exceptions
@@ -0,0 +1,49 @@
+
+### acl/20_exim4-config_local_deny_exceptions
+#################################
+
+# This is used to determine whitelisted senders and hosts.
+# It checks for CONFDIR/host_local_deny_exceptions and
+# CONFDIR/sender_local_deny_exceptions.
+#
+# It is meant to be used from some other acl entry.
+#
+# See exim4-config_files(5) for details.
+#
+# If the files do not exist, the white list never matches, which is
+# the desired behaviour.
+#
+# The old file names CONFDIR/local_host_whitelist and
+# CONFDIR/local_sender_whitelist will continue to be honored for a
+# transition period. Their use is deprecated.
+
+acl_local_deny_exceptions:
+ accept
+ hosts = ${if exists{CONFDIR/host_local_deny_exceptions}\
+ {CONFDIR/host_local_deny_exceptions}\
+ {}}
+ accept
+ senders = ${if exists{CONFDIR/sender_local_deny_exceptions}\
+ {CONFDIR/sender_local_deny_exceptions}\
+ {}}
+ accept
+ hosts = ${if exists{CONFDIR/local_host_whitelist}\
+ {CONFDIR/local_host_whitelist}\
+ {}}
+ accept
+ senders = ${if exists{CONFDIR/local_sender_whitelist}\
+ {CONFDIR/local_sender_whitelist}\
+ {}}
+
+ # This hook allows you to hook in your own ACLs without having to
+ # modify this file. If you do it like we suggest, you'll end up with
+ # a small performance penalty since there is an additional file being
+ # accessed. This doesn't happen if you leave the macro unset.
+ .ifdef LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE
+ .include LOCAL_DENY_EXCEPTIONS_LOCAL_ACL_FILE
+ .endif
+
+ # this is still supported for a transition period and is deprecated.
+ .ifdef WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE
+ .include WHITELIST_LOCAL_DENY_LOCAL_ACL_FILE
+ .endif
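Review bot: acl_local_deny_exceptions has no final verb, so a host or sender that matches none of the four `accept` statements runs off the end and Exim returns "deny" for the nested ACL; that implicit result is exactly what the callers using `!acl = acl_local_deny_exceptions` depend on, but nothing in the file says so. I would add, after the last `accept` block, `# No final verb on purpose: reaching the end returns "deny", i.e. "not an exception"; callers test this with !acl = acl_local_deny_exceptions.` Note also that anything pulled in by the two `.include` hooks on the last lines is appended inside this ACL, so an `accept` in a local file widens the exception list — worth a sentence in the hook comment.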
diff --git a/debian/debconf/conf.d/acl/30_exim4-config_check_mail b/debian/debconf/conf.d/acl/30_exim4-config_check_mail
new file mode 100644
index 0000000..f8c53d6
--- /dev/null
+++ b/debian/debconf/conf.d/acl/30_exim4-config_check_mail
@@ -0,0 +1,11 @@
+
+### acl/30_exim4-config_check_mail
+#################################
+
+# This access control list is used for every MAIL command in an incoming
+# SMTP message. The tests are run in order until the address is either
+# accepted or denied.
+#
+acl_check_mail:
+
+ accept
diff --git a/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt b/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt
new file mode 100644
index 0000000..c70d515
--- /dev/null
+++ b/debian/debconf/conf.d/acl/30_exim4-config_check_rcpt
@@ -0,0 +1,386 @@
+
+### acl/30_exim4-config_check_rcpt
+#################################
+
+# define macros to be used below in this file to check recipient
+# local parts for strange characters. Documentation below.
+# This blocks local parts that begin with a dot or contain a quite
+# broad range of non-alphanumeric characters.
+
+.ifndef CHECK_RCPT_LOCAL_LOCALPARTS
+CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]
+.endif
+
+.ifndef CHECK_RCPT_REMOTE_LOCALPARTS
+CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
+.endif
+
+# This access control list is used for every RCPT command in an incoming
+# SMTP message. The tests are run in order until the address is either
+# accepted or denied.
+#
+acl_check_rcpt:
+
+ # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
+ # testing for an empty sending host field.
+ accept
+ hosts = :
+ control = dkim_disable_verify
+
+ # Do not try to verify DKIM signatures of incoming mail if DC_minimaldns
+ # or DISABLE_DKIM_VERIFY are set.
+.ifdef DC_minimaldns
+ warn
+ control = dkim_disable_verify
+.else
+.ifdef DISABLE_DKIM_VERIFY
+ warn
+ control = dkim_disable_verify
+.endif
+.endif
+
+ # The following section of the ACL is concerned with local parts that contain
+ # certain non-alphanumeric characters. Dots in unusual places are
+ # handled by this ACL as well.
+ #
+ # Non-alphanumeric characters other than dots are rarely found in genuine
+ # local parts, but are often tried by people looking to circumvent
+ # relaying restrictions. Therefore, although they are valid in local
+ # parts, these rules disallow certain non-alphanumeric characters, as
+ # a precaution.
+ #
+ # Empty components (two dots in a row) are not valid in RFC 2822, but Exim
+ # allows them because they have been encountered. (Consider local parts
+ # constructed as "firstinitial.secondinitial.familyname" when applied to
+ # a name without a second initial.) However, a local part starting
+ # with a dot or containing /../ can cause trouble if it is used as part of a
+ # file name (e.g. for a mailing list). This is also true for local parts that
+ # contain slashes. A pipe symbol can also be troublesome if the local part is
+ # incorporated unthinkingly into a shell command line.
+ #
+ # These ACL components will block recipient addresses that are valid
+ # from an RFC5322 point of view. We chose to have them blocked by
+ # default for security reasons.
+ #
+ # If you feel that your site should have less strict recipient
+ # checking, please feel free to change the default values of the macros
+ # defined in main/01_exim4-config_listmacrosdefs or override them from a
+ # local configuration file.
+ #
+ # Two different rules are used. The first one has a quite strict
+ # default, and is applied to messages that are addressed to one of the
+ # local domains handled by this host.
+
+ # The default value of CHECK_RCPT_LOCAL_LOCALPARTS is defined
+ # at the top of this file.
+ .ifdef CHECK_RCPT_LOCAL_LOCALPARTS
+ deny
+ domains = +local_domains
+ local_parts = CHECK_RCPT_LOCAL_LOCALPARTS
+ message = restricted characters in address
+ .endif
+
+
+ # The second rule applies to all other domains, and its default is
+ # considerably less strict.
+
+ # The default value of CHECK_RCPT_REMOTE_LOCALPARTS is defined in
+ # main/01_exim4-config_listmacrosdefs:
+ # CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
+
+ # It allows local users to send outgoing messages to sites
+ # that use slashes and vertical bars in their local parts. It blocks
+ # local parts that begin with a dot, slash, or vertical bar, but allows
+ # these characters within the local part. However, the sequence /../ is
+ # barred. The use of some other non-alphanumeric characters is blocked.
+ # Single quotes might probably be dangerous as well, but they're
+ # allowed by the default regexps to avoid rejecting mails to Ireland.
+ # The motivation here is to prevent local users (or local users' malware)
+ # from mounting certain kinds of attack on remote sites.
+ .ifdef CHECK_RCPT_REMOTE_LOCALPARTS
+ deny
+ domains = !+local_domains
+ local_parts = CHECK_RCPT_REMOTE_LOCALPARTS
+ message = restricted characters in address
+ .endif
+
+
+ # Accept mail to postmaster in any local domain, regardless of the source,
+ # and without verifying the sender.
+ #
+ accept
+ .ifndef CHECK_RCPT_POSTMASTER
+ local_parts = postmaster
+ .else
+ local_parts = CHECK_RCPT_POSTMASTER
+ .endif
+ domains = +local_domains : +relay_to_domains
+
+
+ # Deny unless the sender address can be verified.
+ #
+ # This is disabled by default so that DNSless systems don't break. If
+ # your system can do DNS lookups without delay or cost, you might want
+ # to enable this feature.
+ #
+ # This feature does not work in smarthost and satellite setups as
+ # with these setups all domains pass verification. See spec.txt section
+ # "Access control lists" subsection "Address verification" with the added
+ # information that a smarthost/satellite setup routes all non-local e-mail
+ # to the smarthost.
+ .ifdef CHECK_RCPT_VERIFY_SENDER
+ deny
+ !acl = acl_local_deny_exceptions
+ !verify = sender
+ message = Sender verification failed
+ .endif
+
+ # Verify senders listed in local_sender_callout with a callout.
+ #
+ # In smarthost and satellite setups, this causes the callout to be
+ # done to the smarthost. Verification will thus only be reliable if the
+ # smarthost does reject illegal addresses in the SMTP dialog.
+ deny
+ !acl = acl_local_deny_exceptions
+ senders = ${if exists{CONFDIR/local_sender_callout}\
+ {CONFDIR/local_sender_callout}\
+ {}}
+ !verify = sender/callout
+
+ .ifndef CHECK_RCPT_NO_FAIL_TOO_MANY_BAD_RCPT
+ # Reject all RCPT commands after too many bad recipients
+ # This is partly a defense against spam abuse and partly attacker abuse.
+ # Real senders should manage, by the time they get to 10 RCPT directives,
+ # to have had at least half of them be real addresses.
+ #
+ # This is a lightweight check and can protect you against repeated
+ # invocations of more heavy-weight checks which would come after it.
+
+ deny condition = ${if and {\
+ {>{$rcpt_count}{10}}\
+ {<{$recipients_count}{${eval:$rcpt_count/2}}} }}
+ message = Rejected for too many bad recipients
+ logwrite = REJECT [$sender_host_address]: bad recipient count high [${eval:$rcpt_count-$recipients_count}]
+ .endif
+
+ # Accept if the message comes from one of the hosts for which we are an
+ # outgoing relay. It is assumed that such hosts are most likely to be MUAs,
+ # so we set control=submission to make Exim treat the message as a
+ # submission. It will fix up various errors in the message, for example, the
+ # lack of a Date: header line. If you are actually relaying out out from
+ # MTAs, you may want to disable this. If you are handling both relaying from
+ # MTAs and submissions from MUAs you should probably split them into two
+ # lists, and handle them differently.
+
+ # Recipient verification is omitted here, because in many cases the clients
+ # are dumb MUAs that don't cope well with SMTP error responses. If you are
+ # actually relaying out from MTAs, you should probably add recipient
+ # verification here.
+
+ # Note that, by putting this test before any DNS black list checks, you will
+ # always accept from these hosts, even if they end up on a black list. The
+ # assumption is that they are your friends, and if they get onto black
+ # list, it is a mistake.
+ accept
+ hosts = +relay_from_hosts
+ control = submission/sender_retain
+ control = dkim_disable_verify
+
+
+ # Accept if the message arrived over an authenticated connection, from
+ # any host. Again, these messages are usually from MUAs, so recipient
+ # verification is omitted, and submission mode is set. And again, we do this
+ # check before any black list tests.
+ accept
+ authenticated = *
+ control = submission/sender_retain
+ control = dkim_disable_verify
+
+ # Insist that a HELO/EHLO was accepted.
+
+ require
+ condition = ${if def:sender_helo_name}
+ message = nice hosts say HELO first
+
+ # Insist that any other recipient address that we accept is either in one of
+ # our local domains, or is in a domain for which we explicitly allow
+ # relaying. Any other domain is rejected as being unacceptable for relaying.
+ require
+ message = relay not permitted
+ domains = +local_domains : +relay_to_domains
+
+
+ # We also require all accepted addresses to be verifiable. This check will
+ # do local part verification for local domains, but only check the domain
+ # for remote domains.
+ require
+ verify = recipient
+
+
+ # Verify recipients listed in local_rcpt_callout with a callout.
+ # This is especially handy for forwarding MX hosts (secondary MX or
+ # mail hubs) of domains that receive a lot of spam to non-existent
+ # addresses. The only way to check local parts for remote relay
+ # domains is to use a callout (add /callout), but please read the
+ # documentation about callouts before doing this.
+ deny
+ !acl = acl_local_deny_exceptions
+ recipients = ${if exists{CONFDIR/local_rcpt_callout}\
+ {CONFDIR/local_rcpt_callout}\
+ {}}
+ !verify = recipient/callout
+
+
+ # CONFDIR/local_sender_blacklist holds a list of envelope senders that
+ # should have their access denied to the local host. Incoming messages
+ # with one of these senders are rejected at RCPT time.
+ #
+ # The explicit white lists are honored as well as negative items in
+ # the black list. See exim4-config_files(5) for details.
+ deny
+ !acl = acl_local_deny_exceptions
+ senders = ${if exists{CONFDIR/local_sender_blacklist}\
+ {CONFDIR/local_sender_blacklist}\
+ {}}
+ message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
+ log_message = sender envelope address is locally blacklisted.
+
+
+ # deny bad sites (IP address)
+ # CONFDIR/local_host_blacklist holds a list of host names, IP addresses
+ # and networks (CIDR notation) that should have their access denied to
+ # The local host. Messages coming in from a listed host will have all
+ # RCPT statements rejected.
+ #
+ # The explicit white lists are honored as well as negative items in
+ # the black list. See exim4-config_files(5) for details.
+ deny
+ !acl = acl_local_deny_exceptions
+ hosts = ${if exists{CONFDIR/local_host_blacklist}\
+ {CONFDIR/local_host_blacklist}\
+ {}}
+ message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
+ log_message = sender IP address is locally blacklisted.
+
+
+ # Warn if the sender host does not have valid reverse DNS.
+ #
+ # If your system can do DNS lookups without delay or cost, you might want
+ # to enable this.
+ # If sender_host_address is defined, it's a remote call. If
+ # sender_host_name is not defined, then reverse lookup failed. Use
+ # this instead of !verify = reverse_host_lookup to catch deferrals
+ # as well as outright failures.
+ .ifdef CHECK_RCPT_REVERSE_DNS
+ warn
+ condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\
+ {yes}{no}}
+ add_header = X-Host-Lookup-Failed: Reverse DNS lookup failed for $sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}})
+ .endif
+
+
+ # Use spfquery to perform a pair of SPF checks.
+ #
+ # This is quite costly in terms of DNS lookups (~6 lookups per mail). Do not
+ # enable if that's an issue. Also note that if you enable this, you must
+ # install "spf-tools-perl" which provides the spfquery command.
+ # Missing spf-tools-perl will trigger the "Unexpected error in
+ # SPF check" warning.
+ .ifdef CHECK_RCPT_SPF
+ deny
+ !acl = acl_local_deny_exceptions
+ condition = ${run{/usr/bin/spfquery.mail-spf-perl --ip \
+ ${quote:$sender_host_address} --identity \
+ ${if def:sender_address_domain \
+ {--scope mfrom --identity ${quote:$sender_address}}\
+ {--scope helo --identity ${quote:$sender_helo_name}}}}\
+ {no}{${if eq {$runrc}{1}{yes}{no}}}}
+ message = [SPF] $sender_host_address is not allowed to send mail from \
+ ${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}.
+ log_message = SPF check failed.
+
+ defer
+ !acl = acl_local_deny_exceptions
+ condition = ${if eq {$runrc}{5}{yes}{no}}
+ message = Temporary DNS error while checking SPF record. Try again later.
+
+ warn
+ condition = ${if <={$runrc}{6}{yes}{no}}
+ add_header = Received-SPF: ${if eq {$runrc}{0}{pass}\
+ {${if eq {$runrc}{2}{softfail}\
+ {${if eq {$runrc}{3}{neutral}\
+ {${if eq {$runrc}{4}{permerror}\
+ {${if eq {$runrc}{6}{none}{error}}}}}}}}}\
+ } client-ip=$sender_host_address; \
+ ${if def:sender_address_domain \
+ {envelope-from=${sender_address}; }{}}\
+ helo=$sender_helo_name
+
+ warn
+ condition = ${if >{$runrc}{6}{yes}{no}}
+ log_message = Unexpected error in SPF check.
+ .endif
+
+
+ # Check against classic DNS "black" lists (DNSBLs) which list
+ # sender IP addresses
+ .ifdef CHECK_RCPT_IP_DNSBLS
+ warn
+ dnslists = CHECK_RCPT_IP_DNSBLS
+ add_header = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
+ log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
+ .endif
+
+
+ # Check against DNSBLs which list sender domains, with an option to locally
+ # whitelist certain domains that might be blacklisted.
+ #
+ # Note: If you define CHECK_RCPT_DOMAIN_DNSBLS, you must append
+ # "/$sender_address_domain" after each domain. For example:
+ # CHECK_RCPT_DOMAIN_DNSBLS = rhsbl.foo.org/$sender_address_domain \
+ # : rhsbl.bar.org/$sender_address_domain
+ .ifdef CHECK_RCPT_DOMAIN_DNSBLS
+ warn
+ !senders = ${if exists{CONFDIR/local_domain_dnsbl_whitelist}\
+ {CONFDIR/local_domain_dnsbl_whitelist}\
+ {}}
+ dnslists = CHECK_RCPT_DOMAIN_DNSBLS
+ add_header = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
+ log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
+ .endif
+
+
+ # This hook allows you to hook in your own ACLs without having to
+ # modify this file. If you do it like we suggest, you'll end up with
+ # a small performance penalty since there is an additional file being
+ # accessed. This doesn't happen if you leave the macro unset.
+ .ifdef CHECK_RCPT_LOCAL_ACL_FILE
+ .include CHECK_RCPT_LOCAL_ACL_FILE
+ .endif
+
+
+ #############################################################################
+ # This check is commented out because it is recognized that not every
+ # sysadmin will want to do it. If you enable it, the check performs
+ # Client SMTP Authorization (csa) checks on the sending host. These checks
+ # do DNS lookups for SRV records. The CSA proposal is currently (May 2005)
+ # an Internet draft. You can, of course, add additional conditions to this
+ # ACL statement to restrict the CSA checks to certain hosts only.
+ #
+ # require verify = csa
+ #############################################################################
+
+
+ # Accept if the address is in a domain for which we are an incoming relay,
+ # but again, only if the recipient can be verified.
+
+ accept
+ domains = +relay_to_domains
+ endpass
+ verify = recipient
+
+
+ # At this point, the address has passed all the checks that have been
+ # configured, so we accept it unconditionally.
+
+ accept
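Review bot: In the SPF `${run}` command, the standalone `--identity` after `${quote:$sender_host_address}` has no value of its own, because both branches of the following `${if def:sender_address_domain ...}` begin with `--scope … --identity …`, so spfquery is invoked as `--identity --scope mfrom --identity <addr>` (or the helo equivalent). If the option parser takes the next word as the mandatory string value, as Getopt::Long does, `--scope` is swallowed as the identity and the scope selection is silently lost, which matters most for the helo branch where the default scope would be wrong. Dropping the stray flag so the line reads `${quote:$sender_host_address} \` fixes this; please confirm against the spfquery invocation that was actually tested. Separately, the comment above the `CHECK_RCPT_REMOTE_LOCALPARTS` rule says its default is defined in main/01_exim4-config_listmacrosdefs, while the `.ifndef` at the top of this file now supplies it — the first rule's comment already says "at the top of this file"; the second should match.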
diff --git a/debian/debconf/conf.d/acl/40_exim4-config_check_data b/debian/debconf/conf.d/acl/40_exim4-config_check_data
new file mode 100644
index 0000000..ac198f9
--- /dev/null
+++ b/debian/debconf/conf.d/acl/40_exim4-config_check_data
@@ -0,0 +1,96 @@
+
+### acl/40_exim4-config_check_data
+#################################
+
+# This ACL is used after the contents of a message have been received. This
+# is the ACL in which you can test a message's headers or body, and in
+# particular, this is where you can invoke external virus or spam scanners.
+
+acl_check_data:
+
+ # Deny if the message contains an overlong line. Per the standards
+ # we should never receive one such via SMTP.
+ #
+ .ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT
+ deny
+ condition = ${if > {$max_received_linelength}{998}}
+ message = maximum allowed line length is 998 octets, \
+ got $max_received_linelength
+ .endif
+
+ # Deny if the headers contain badly-formed addresses.
+ #
+ .ifndef NO_CHECK_DATA_VERIFY_HEADER_SYNTAX
+ deny
+ !acl = acl_local_deny_exceptions
+ !verify = header_syntax
+ message = header syntax
+ log_message = header syntax ($acl_verify_message)
+ .endif
+
+
+ # require that there is a verifiable sender address in at least
+ # one of the "Sender:", "Reply-To:", or "From:" header lines.
+ .ifdef CHECK_DATA_VERIFY_HEADER_SENDER
+ deny
+ !acl = acl_local_deny_exceptions
+ !verify = header_sender
+ message = No verifiable sender address in message headers
+ .endif
+
+
+ # Deny if the message contains malware. Before enabling this check, you
+ # must install a virus scanner and set the av_scanner option in the
+ # main configuration.
+ #
+ # exim4-daemon-heavy must be used for this section to work.
+ #
+ # deny
+ # malware = *
+ # message = This message was detected as possible malware ($malware_name).
+
+
+ # Add headers to a message if it is judged to be spam. Before enabling this,
+ # you must install SpamAssassin. You may also need to set the spamd_address
+ # option in the main configuration.
+ #
+ # exim4-daemon-heavy must be used for this section to work.
+ #
+ # Please note that this is only suiteable as an example. See
+ # /usr/share/doc/exim4-base/README.Debian.gz
+ #
+ # See the exim docs and the exim wiki for more suitable examples.
+ #
+ # # Remove internal headers
+ # warn
+ # remove_header = X-Spam_score: X-Spam_score_int : X-Spam_bar : \
+ # X-Spam_report
+ #
+ # warn
+ # condition = ${if <{$message_size}{120k}{1}{0}}
+ # # ":true" to add headers/acl variables even if not spam
+ # spam = nobody:true
+ # add_header = X-Spam_score: $spam_score
+ # add_header = X-Spam_bar: $spam_bar
+ # # Do not enable this unless you have shorted SpamAssassin's report
+ # #add_header = X-Spam_report: $spam_report
+ #
+ # Reject spam messages (score >15.0).
+ # This breaks mailing list and forward messages.
+ # deny
+ # condition = ${if <{$message_size}{120k}{1}{0}}
+ # condition = ${if >{$spam_score_int}{150}{true}{false}}
+ # message = Classified as spam (score $spam_score)
+
+
+ # This hook allows you to hook in your own ACLs without having to
+ # modify this file. If you do it like we suggest, you'll end up with
+ # a small performance penalty since there is an additional file being
+ # accessed. This doesn't happen if you leave the macro unset.
+ .ifdef CHECK_DATA_LOCAL_ACL_FILE
+ .include CHECK_DATA_LOCAL_ACL_FILE
+ .endif
+
+
+ # accept otherwise
+ accept
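Review bot: The line-length `deny` under `.ifndef IGNORE_SMTP_LINE_LENGTH_LIMIT` hard-codes 998 twice (condition and message) with only "per the standards" as justification; I would name the source so the next maintainer does not retune it: `# RFC 5322 section 2.1.1: a line MUST be no more than 998 octets, excluding the CRLF.` Note also that this deny, unlike the header_syntax and header_sender checks that follow it, is not bypassed by `!acl = acl_local_deny_exceptions`; if the asymmetry is deliberate (protocol violation versus local policy), a one-line comment saying so would save the question being asked again.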