-
Notifications
You must be signed in to change notification settings - Fork 178
AclSmtpData
Warren Baker edited this page Jul 22, 2014
·
3 revisions
This is a fairly safe sender verify ACL. It only rejects the message if the sender verify specifically rejects the message during the recipient part of the verification. It also uses a specific email address rather an empty message for verification. This avoids misconfigured hosts that reject empty from addresses at the recipient phase. It also supports the use of a no verify list for really stupid hosts where testing must be avoided. The no verify list will whitelist both the senders domain and the host address.
deny message = REJECTED - Sender Verify Failed - The email server for the domain [$sender_address_domain] tells junkemailfilter.com that the sender's email address [$sender_address] is not a valid. $sender_verify_failure
log_message = REJECTED - Sender Verify Failed - The email server for the domain [$sender_address_domain] tells junkemailfilter.com that the sender's email address [$sender_address] is not a valid. $sender_verify_failure
!verify = header_sender/callout=2m,defer_ok,[email protected]
condition = ${if eq{recipient}{$sender_verify_failure}}
condition = ${lookup{$sender_address_domain}wildlsearch{/etc/exim/acllists/noverify.txt}{no}{yes}}
condition = ${lookup{$sender_host_address}wildlsearch{/etc/exim/acllists/noverify.txt}{no}{yes}}
This sender verification combines a wider verify fail with failed reverse DNS. It's a combination of two sins that causes the bounce.
deny message = REJECTED - Sender Verify Failed and no RDNS - error code = $sender_verify_failure
log_message = REJECTED - Sender Verify Failed and no RDNS - error code = $sender_verify_failure
!verify = reverse_host_lookup
!verify = header_sender/callout=2m,defer_ok,[email protected]
!condition = ${if eq{$sender_verify_failure}{}}
condition = ${lookup{$sender_address_domain}wildlsearch{/etc/exim/acllists/noverify.txt}{no}{yes}}
drop condition = ${if match{$h_to:}{(?i)Undisclosed-recipient}{no}{yes}}
message = Header Syntax error: $acl_verify_message
!verify = header_syntax
logwrite = :reject,main: Header Syntax Error: $acl_verify_message
drop message = Header From exist, but not have a valid address
condition = ${if def:h_from: {yes}{no}}
condition = ${if or { \
{ eq{${address:$h_from:}}{} } \
{ eq{${domain:$h_from:}}{} } \
{ eq{${local_part:$h_from:}}{} } \
} {yes}{no}}
delay = 45s
drop message = Header Reply-to exist, but not have a valid address
condition = ${if def:h_reply-to: {yes}{no}}
condition = ${if or { \
{ eq{${address:$h_reply-to:}}{} } \
{ eq{${domain:$h_reply-to:}}{} } \
{ eq{${local_part:$h_reply-to:}}{} } \
} {yes}{no}}
delay = 45s
drop message = Header Sender exists, but not have a valid address
condition = ${if def:h_sender: {yes}{no}}
condition = ${if or { \
{ eq{${address:$h_sender:}}{} } \
{ eq{${domain:$h_sender:}}{} } \
{ eq{${local_part:$h_sender:}}{} } \
} {yes}{no}}
delay = 45s
drop message = Header From have a invalid ${sender_verify_failure}: <${address:$h_from:}>
condition = ${if def:h_from: {yes}{no}}
!verify = sender=${address:$h_from:}/no_details
delay = 45s
drop message = Header Reply have a invalid ${sender_verify_failure}: <${address:$h_reply-to:}>
condition = ${if def:h_reply-to: {yes}{no}}
!verify = sender=${address:$h_reply-to:}/no_details
delay = 45s
drop message = Header Sender have a invalid ${sender_verify_failure}: <${address:$h_sender:}>
condition = ${if def:h_sender: {yes}{no}}
!verify = sender=${address:$h_sender:}/no_details
delay = 45s
drop message = Header From have a invalid callout ${sender_verify_failure}: <${address:$h_from:}>
condition = ${if def:h_from: {yes}{no}}
condition = ${if eqi {$sender_address} {${address:$h_from:}}{no}{yes}}
condition = ${lookup{${address:$h_from:}}wildlsearch{/etc/exim4/lst/machine_senders}{no}{yes}}
condition = ${lookup{${address:$h_from:}}wildlsearch{/etc/exim4/lst/bounce_senders}{no}{yes}}
condition = ${lookup{${address:$h_from:}}wildlsearch{/etc/exim4/lst/skp_callout}{no}{yes}}
.ifdef SKP_Spf_LIB
!spf = SKP_Spf_LIB
.endif
.ifdef SKP_Spf_PERL
set acl_m_spfaddr = ${address:$h_from:}
!acl = spf_acpt
.endif
condition = ${if match_ip{$sender_host_address}{${lookup dnsdb{>: defer_lax,a=${lookup dnsdb{>: defer_lax,mxh=${domain:$h_from:}}}}}}{no}{yes}}
!verify = sender=${address:$h_from:}/no_details/callout=20s,connect=10s,maxwait=45s,defer_ok,random
delay = 30s
drop message = Header Reply have a invalid callout ${sender_verify_failure}: <${address:$h_reply-to:}>
condition = ${if def:h_reply-to: {yes}{no}}
condition = ${if eqi {$sender_address} {${address:$h_reply-to:}}{no}{yes}}
condition = ${lookup{${address:$h_reply-to:}}wildlsearch{/etc/exim4/lst/skp_callout}{no}{yes}}
.ifdef SKP_Spf_PERL
set acl_m_spfaddr = ${address:$h_from:}
!acl = spf_acpt
.endif
condition = ${if match_ip{$sender_host_address}{${lookup dnsdb{>: defer_lax,a=${lookup dnsdb{>: defer_lax,mxh=${domain:$h_reply-to:}}}}}}{no}{yes}}
!verify = sender=${address:$h_reply-to:}/no_details/callout=20s,connect=10s,maxwait=45s,defer_ok,random
delay = 30s
drop message = Header Sender have a invalid callout ${sender_verify_failure}: <${address:$h_sender:}>
condition = ${if def:h_sender: {yes}{no}}
condition = ${if eqi {$sender_address} {${address:$h_sender:}}{no}{yes}}
condition = ${lookup{${address:$h_sender:}}wildlsearch{/etc/exim4/lst/machine_senders}{no}{yes}}
condition = ${lookup{${address:$h_sender:}}wildlsearch{/etc/exim4/lst/bounce_senders}{no}{yes}}
condition = ${lookup{${address:$h_sender:}}wildlsearch{/etc/exim4/lst/skp_callout}{no}{yes}}
.ifdef SKP_Spf_PERL
set acl_m_spfaddr = ${address:$h_from:}
!acl = spf_acpt
.endif
condition = ${if eqi {${domain:$h_sender:}} {$sender_address_domain} {no}{yes}}
condition = ${if eqi {${domain:$h_sender:}} {${domain:$reply_address}} {no}{yes}}
condition = ${if match_ip{$sender_host_address}{${lookup dnsdb{>: defer_lax,a=${lookup dnsdb{>: defer_lax,mxh=${domain:$h_sender:}}}}}}{no}{yes}}
!verify = sender=${address:$h_sender:}/no_details/callout=20s,connect=10s,maxwait=45s,defer_ok,random
delay = 30s
blk_sender contains address patterns, line separated
(*@domainspam.com, *.domainspam.com)
drop condition = ${if def:h_from: {yes}{no}}
condition = ${lookup{${address:$h_from:}}wildlsearch{/etc/exim4/lst/blk_sender}{yes}{no}}
message = Header From <${address:$h_from:}> black listed: ${lookup{${address:$h_from:}}wildlsearch{/etc/exim4/lst/blk_sender}}
delay = 45s
drop condition = ${if def:h_reply-to: {yes}{no}}
condition = ${lookup{${address:$h_reply-to:}}wildlsearch{/etc/exim4/lst/blk_sender}{yes}{no}}
message = Header Reply <${address:$h_reply-to:}> black listed: ${lookup{${address:$h_reply-to:}}wildlsearch{/etc/exim4/lst/blk_sender}}
delay = 45s
drop condition = ${if def:h_sender: {yes}{no}}
condition = ${lookup{${address:$h_sender:}}wildlsearch{/etc/exim4/lst/blk_sender}{yes}{no}}
message = Header From <${address:$h_sender:}> black listed: ${lookup{${address:$h_sender:}}wildlsearch{/etc/exim4/lst/blk_sender}}
delay = 45s
drop condition = ${if def:h_Message-Id: {yes}{no}}
condition = ${lookup{${address:$h_Message-Id:}}wildlsearch{/etc/exim4/lst/blk_sender}{yes}{no}}
message = Header Message-ID <${address:$h_Message-Id:}> black listed: ${lookup{${address:$h_Message-Id:}}wildlsearch{/etc/exim4/lst/blk_sender}}
delay = 45s
drop message = Bounce errors never contains bind copy headers!
senders = :
!verify = not_blind
delay = 45s
drop message = No you are not ME or OURS (Message-ID was ${domain:$h_Message-ID:} and equal my local domains or my domains relay)
!hosts = +relay_from_hosts : +relay_mx_hosts
condition = ${if or{{!def:h_message-id:}{eqi{${domain:$h_Message-ID:}}{}}}{no}{yes}}
condition = ${if match_domain{${domain:$h_Message-ID:}}{+local_domains:+alias_domains:+relay_to_domains}{yes}{no}}
delay = 45s
drop message = No you are not Me or OURS (Message-ID was ${domain:$h_Message-ID:} and the subdomain is my domain ${extract{-3}{.}{${domain:$h_Message-ID:}}}.${extract{-2}{.}{${domain:$h_Message-ID:}}}.${extract{-1}{.}{${domain:$h_Message-ID:}}})
!hosts = +relay_from_hosts : +relay_mx_hosts
condition = ${if or{{!def:h_message-id:}{eqi{${domain:$h_Message-ID:}}{}}}{no}{yes}}
condition = ${if match_domain{${extract{-3}{.}{${domain:$h_Message-ID:}}}.${extract{-2}{.}{${domain:$h_Message-ID:}}}.${extract{-1}{.}{${domain:$h_Message-ID:}}}}{+local_domains:+alias_domains:+relay_to_domains}{yes}{no}}
delay = 45s
drop message = No you are not ME or OURS (Message-ID was ${domain:$h_Message-ID:} and equal my interface hostname)
!hosts = +relay_from_hosts : +relay_mx_hosts
condition = ${if !def:interface_address {no}{yes}}
condition = ${if !def:h_message-id: {no}{yes}}
condition = ${if match_ip{$interface_address}{${lookup dnsdb{>: defer_never,a=${domain:$h_Message-ID:}}}}{yes}{no}}
delay = 45s
If use it, set numer of messages by period. Warning, the lists have
equal subjects to diferents receipients in diferents mail to sessions:
BLK_DUP_MESSAGEID = 2 / 7d BLK_DUP_MESSAGESUB = 5 / 7d
.ifdef BLK_DUP_MESSAGEID
#-BLK: Ratelimit para mensagens duplicadas pelo id (#exim_dumpdb /var/spool/exim4/ ratelimit)
drop !hosts = +relay_from_hosts : +relay_mx_hosts
!authenticated = *
condition = ${if !def:h_Message-Id: {no}{yes}}
ratelimit = BLK_DUP_MESSAGEID / strict / Message-ID=${md5:${escape:${lc:$h_Message-Id:}}}${sha1:${escape:${lc:$h_Message-Id:}}}
logwrite = :reject,main: $message_exim_id RateLimit: $sender_rate/$sender_rate_limit/$sender_rate_period - F=$sender_address_domain H=$sender_rcvhost: Message-ID=${length_150:${escape:$h_Message-Id:}}
message = This message is duplicated id and has been previously sent. Possible SPAM!
delay = ${eval: ${sg{$sender_rate}{[.].*}{}} - $sender_rate_limit }s
.endif
.ifdef BLK_DUP_MESSAGESUB
#-BLK: Ratelimit para mensagens duplicadas pelo subject (#exim_dumpdb /var/spool/exim4/ ratelimit)
#Trocar leaky / strict ???
drop !hosts = +relay_from_hosts : +relay_mx_hosts
!authenticated = *
condition = ${if !def:h_Subject: {no}{yes}}
condition = ${if def:h_In-Reply-To: {no}{yes}}
condition = ${if def:h_References: {no}{yes}}
ratelimit = BLK_DUP_MESSAGESUB / leaky / Subject=${md5:${escape:${lc:$h_Subject:$h_Date:}}}${sha1:${escape:${lc:$h_Subject:$h_Date:}}}
logwrite = :reject,main: $message_exim_id RateLimit: $sender_rate/$sender_rate_limit/$sender_rate_period - F=$sender_address_domain H=$sender_rcvhost: Subject=${length_150:${escape:$h_Subject:}}
message = This message is duplicated subject and has been previously sent. Possible SPAM!
delay = ${eval: ${sg{$sender_rate}{[.].*}{}} - $sender_rate_limit }s
.endif
Block if Subject and Body are both Empty.
deny message = REJECTED - No Subject or Body
!condition = ${if def:h_Subject:}
condition = ${if <{$body_linecount}{1}{true}{false}}