exim4:configuration_file
This is an old revision of the document!
Table of Contents
Exim4 - Configuration File
The context is a host server with a public IP (5.42.134.35, www.sharewiz.net), which is also used as local mail server:
###################################################################### # MAIN CONFIGURATION SETTINGS # ###################################################################### # If exim is used localy in batch mode (exim4 -bs) then "$host" is empty, the ": :" adds the empty string. hostlist own_hosts = 127.0.0.1 : : 192.168.0.2 : 192.168.0.3 : 5.42.134.35 domainlist public_domains = sharewiz.net
ACLs
Here is the ACL section of my Exim configuration file
# ACL that is used after the RCPT command
check_recipient:
# to block certain wellknown exploits, Deny for local domains if
# local parts begin with a dot or contain @ % ! / |
deny domains = +local_domains
local_parts = ^[.] : ^.*[@%!/|]
# to restrict port 587 to authenticated users only
# see also daemon_smtp_ports above
accept hosts = +auth_relay_hosts
condition = ${if eq {$interface_port}{587} {yes}{no}}
endpass
message = relay not permitted, authentication required
authenticated = *
# allow local users to send outgoing messages using slashes
# and vertical bars in their local parts.
# Block outgoing local parts that begin with a dot, slash, or vertical
# bar but allows them within the local part.
# The sequence \..\ is barred. The usage of @ % and ! is barred as
# before. The motivation is to prevent your users (or their virii)
# from mounting certain kinds of attacks on remote sites.
deny domains = !+local_domains
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
# local source whitelist
# accept if the source is local SMTP (i.e. not over TCP/IP).
# Test for this by testing for an empty sending host field.
accept hosts = :
# sender domains whitelist
# accept if sender domain is in whitelist
accept sender_domains = +whitelist_domains
# sender hosts whitelist
# accept if sender host is in whitelist
accept hosts = +whitelist_hosts
accept hosts = +whitelist_hosts_ip
# envelope senders whitelist
# accept if envelope sender is in whitelist
accept senders = +whitelist_senders
# accept mail to postmaster in any local domain, regardless of source
accept local_parts = postmaster
domains = +local_domains
# accept mail to abuse in any local domain, regardless of source
accept local_parts = abuse
domains = +local_domains
# accept mail to hostmaster in any local domain, regardless of source
accept local_parts = hostmaster
domains =+local_domains
# OPTIONAL MODIFICATIONS:
# If the page you're using to notify senders of blocked email of how
# to get their address unblocked will use a web form to send you email so
# you'll know to unblock those senders, then you may leave these lines
# commented out. However, if you'll be telling your senders of blocked
# email to send an email to errors@yourdomain.com, then you should
# replace "errors" with the left side of the email address you'll be
# using, and "example.com" with the right side of the email address and
# then uncomment the second two lines, leaving the first one commented.
# Doing this will mean anyone can send email to this specific address,
# even if they're at a blocked domain, and even if your domain is using
# blocklists.
# accept mail to errors@example.com, regardless of source
# accept local_parts = errors
# domains = example.com
# deny so-called "legal" spammers"
deny message = Email blocked by RBL - to unblock see http://www.example.com/
# only for domains that do want to be tested against RBLs
domains = +use_rbl_domains
sender_domains = +blacklist_domains
# deny using hostname in bad_sender_hosts blacklist
deny message = Email blocked by BSHL - to unblock see http://www.example.com/
# only for domains that do want to be tested against RBLs
domains = +use_rbl_domains
hosts = +bad_sender_hosts
# deny using IP in bad_sender_hosts blacklist
deny message = Email blocked by BSHL - to unblock see http://www.example.com/
# only for domains that do want to be tested against RBLs
domains = +use_rbl_domains
hosts = +bad_sender_hosts_ip
# deny using email address in blacklist_senders
deny message = Email blocked by BSAL - to unblock see http://www.example.com/
domains = +use_rbl_domains
senders = +blacklist_senders
# By default we do NOT require sender verification.
# Sender verification denies unless sender address can be verified:
# If you want to require sender verification, i.e., that the sending
# address is routable and mail can be delivered to it, then
# uncomment the next line. If you do not want to require sender
# verification, leave the line commented out
#require verify = sender
# deny using .spamhaus
deny message = Email blocked by SPAMHAUS - to unblock see http://www.example.com/
# only for domains that do want to be tested against RBLs
domains = +use_rbl_domains
dnslists = sbl.spamhaus.org
# deny using ordb
# deny message = Email blocked by ORDB - to unblock see http://www.example.com/
# # only for domains that do want to be tested against RBLs
# domains = +use_rbl_domains
# dnslists = relays.ordb.org
# deny using sorbs smtp list
deny message = Email blocked by SORBS - to unblock see http://www.example.com/
# only for domains that do want to be tested against RBLs
domains = +use_rbl_domains
dnslists = dnsbl.sorbs.net=127.0.0.5
# Next deny stuff from more "fuzzy" blacklists
# but do bypass all checking for whitelisted host names
# and for authenticated users
# deny using spamcop
deny message = Email blocked by SPAMCOP - to unblock see http://www.example.com/
hosts = !+relay_hosts
domains = +use_rbl_domains
!authenticated = *
dnslists = bl.spamcop.net
# deny using njabl
deny message = Email blocked by NJABL - to unblock see http://www.example.com/
hosts = !+relay_hosts
domains = +use_rbl_domains
!authenticated = *
dnslists = dnsbl.njabl.org
# deny using cbl
deny message = Email blocked by CBL - to unblock see http://www.example.com/
hosts = !+relay_hosts
domains = +use_rbl_domains
!authenticated = *
dnslists = cbl.abuseat.org
# deny using all other sorbs ip-based blocklist besides smtp list
deny message = Email blocked by SORBS - to unblock see http://www.example.com/
hosts = !+relay_hosts
domains = +use_rbl_domains
!authenticated = *
dnslists = dnsbl.sorbs.net!=127.0.0.6
# deny using sorbs name based list
deny message = Email blocked by SORBS - to unblock see http://www.example.com/
domains =+use_rbl_domains
# rhsbl list is name based
dnslists = rhsbl.sorbs.net/$sender_address_domain
# accept if address is in a local domain as long as recipient can be verified
accept domains = +local_domains
endpass
message = "Unknown User"
verify = recipient
# accept if address is in a domain for which we relay as long as recipient
# can be verified
accept domains = +relay_domains
endpass
verify=recipient
# accept if message comes for a host for which we are an outgoing relay
# recipient verification is omitted because many MUA clients don't cope
# well with SMTP error responses. If you are actually relaying from MTAs
# then you should probably add recipient verify here
accept hosts = +relay_hosts
accept hosts = +auth_relay_hosts
endpass
message = authentication required
authenticated = *
deny message = relay not permitted
# default at end of acl causes a "deny", but line below will give
# an explicit error message:
deny message = relay not permitted
# ACL that is used after the DATA command
check_message:
accept
Another config
######################################################################
# MAIN CONFIGURATION SETTINGS #
######################################################################
hostlist own_hosts = 127.0.0.1 : 192.168.1.2 : 192.168.1.3 : 5.42.134.35
domainlist public_domains = sharewiz.net
. . .
# Mandatory to use "verify = helo"
helo_try_verify_hosts = !+own_hosts
av_scanner = clamd:/var/run/clamd.ctl
spamd_address = 127.0.0.1 783
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_mail = acl_check_sender
acl_smtp_connect = acl_check_host
acl_smtp_data = acl_check_data
acl_smtp_helo = acl_check_helo
. . .
######################################################################
# ACL CONFIGURATION #
######################################################################
acl_check_host:
accept
hosts = +own_hosts : /etc/exim4/filters/host_white.list
deny
log_message = match host_reject.list
hosts = /etc/exim4/filters/host_reject.list
accept
acl_check_helo:
accept hosts = +own_hosts
# If the HELO pretend to be this host
deny condition = ${if or { \
{eq {${lc:$sender_helo_name}}{sharewiz.net}} \
{eq {${lc:$sender_helo_name}}{5.42.134.35}} \
} {true}{false} }
# by default we accept
accept
acl_check_sender:
deny senders = /etc/exim4/filters/sender_reject.list
accept
# ACL "subroutine" used by acl_check_rcpt below.
# Return ok if the HELO argument correspond to the connected HOST and
# if the HELO argument does not contain an IP in decimal or hexa.
# I have created this ACL subroutine because we can't do a list of "or"
# in ACL (it's a list of "and"), so I use a negation of "and":
# no (no A and no B) = A or B.
acl_clean_helo:
accept
verify = helo
condition = ${if match{$sender_helo_name}{\N(\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3})|([0-9a-f]{8})|([0-9A-F]{8})\N}{false}{true}}
acl_check_rcpt:
# refuse if the recipient string is a hack,
# see exim file example C043.txt.gz
deny
local_parts = ^.*[@%!/|] : ^\\.
# Relaying with no more check for my own hosts.
accept
hosts = +own_hosts
# For the rest, the domain of the recipient address
# must be my public domain. (no relay)
require
log_message = no relay.
domains = +public_domains
# Reffuse all the message if the recipient is only used by spammers.
drop
log_message = match recipients_drop.list.
recipients = /etc/exim4/filters/recipients_drop.list
drop
log_message = match sbl-xbl.spamhaus.org
dnslists = sbl-xbl.spamhaus.org
# Greylisting, if the HELO argument seems bad or
# a dialin name (with IP included in the name). Some hosts from big
# providers are in a white list to avoid testing. When there is no
# sender then it is a bounce message, so no greylist.
defer
message = Please try later.
!hosts = /etc/exim4/filters/host_white.list
!senders = :
!acl = acl_clean_helo
log_message = greylisted.
set acl_m9 = ${mask:$sender_host_address/24} $sender_address $local_part@$domain
set acl_m9 = ${readsocket{/var/run/greylistd/socket}{$acl_m9}{5s}{}{}}
condition = ${if eq {$acl_m9}{grey}{true}{false}}
# Default rule: accept except if recipient address is unrouteable.
accept
message = unrouteable address
verify = recipient
acl_check_data:
accept hosts = +own_hosts
# if there is a windows executable as attachment then we reject
deny message = This message contains an attachment of a type which we do not accept (.$found_extension)
demime = bat:btm:cmd:com:cpl:dll:exe:lnk:msi:pif:prf:reg:scr:vbs:url
# clamav
deny message = This message contains a virus or other harmful content ($malware_name)
demime = *
malware = *
## spamassassin, spams are never big and spamassassin can die on big emails, so we
## limit its use under 500k.
accept condition = ${if >={$message_size}{500k}{yes}{no}}
warn message = X-SA-Score: $spam_score
spam = nobody:true
warn message = X-SA-Report: $spam_report
spam = nobody:true
condition = ${if >{$spam_score_int}{0}{true}{false}}
warn message = X-SA-Status: Yes
spam = nobody:true
condition = ${if >{$spam_score_int}{50}{true}{false}}
deny message = This message scored $spam_score spam points.
spam = nobody:true
condition = ${if >{$spam_score_int}{70}{true}{false}}
# accept by default
accept
exim4/configuration_file.1478276717.txt.gz · Last modified: 2020/07/15 09:30 (external edit)