Exim4 - Stop Exim being an open relay
Stop Exim being an open relay by adjusting the acl_smtp_rcpt ACL.
Examples
Accept anything locally generated:
accept hosts = :
Accept anything from authenticated users:
accept authenticated = *
Accept anything from the local network:
accept hosts = +local_network
Here you have to decide what “local_network” means; for example, you might define it as 192.168.0.0/16.
Reject non-local domains:
deny domains = !+local_domains
     message = Relaying denied
This is what stops your Exim from being an open relay. Again, you have to decide what local_domains means.
Reject invalid recipients:
require verify = recipient
This causes Exim to check that the recipient is routeable. For example, bob@your.example.com might exist, but lktjnho@your.example.com might not. Using verify = recipient, in conjunction with the right router configuration, causes Exim to reject the bad addresses at RCPT time. If you want to add extra checks (such as consulting DNS blacklists, or rejecting “bounce” messages with large numbers of recipients), this would be a good place to add them.
Accept the rest:
accept
Using acl_rcpt_to
A sample statement in an ACL named acl_rcpt_to may look like this:
deny message = relay not permitted
     !hosts = +relay_from_hosts
     !domains = +local_domains : +relay_to_domains
     delay = 1m
This statement will reject the RCPT TO: command if it was not sent by a host in the “+relay_from_hosts” host list and the recipient domain is not in the “+local_domains” or “+relay_to_domains” domain lists. However, before issuing the “550” SMTP response to this command, the server will wait for one minute.
To evaluate a particular ACL at a given stage of the message transaction, you need to point one of Exim's policy controls to that ACL. For instance, to use the acl_rcpt_to ACL mentioned above to evaluate the RCPT TO:, the main section of your Exim configuration file (before any begin keywords) should include:
acl_smtp_rcpt = acl_rcpt_to
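The fragments above only make sense once they are assembled into one ACL and wired up from the main section. The following is an added example (not from the original page or the Exim project) that puts the pieces together: the list definitions, the acl_smtp_rcpt setting, and a complete acl_rcpt_to ACL that accepts local and authenticated mail, lets trusted hosts relay, denies relaying to everyone else, and verifies recipients. The domain names and the 192.168.0.0/16 network are placeholders chosen for illustration; substitute your own.

```exim
# Added example, not from the original page. Names and addresses are
# placeholders: replace example.com, partner.example.net and
# 192.168.0.0/16 with your own domains and networks.

# ---- main section (must come before any "begin" keyword) ----

# Domains this server accepts mail for; "@" is the local host name.
domainlist local_domains    = @ : example.com
# Domains we agree to forward mail to (e.g. a secondary MX arrangement).
domainlist relay_to_domains = partner.example.net
# The local network, referenced from relay_from_hosts below.
hostlist   local_network    = 192.168.0.0/16
# Hosts allowed to relay anywhere: loopback plus the local network.
hostlist   relay_from_hosts = 127.0.0.1 : ::1 : +local_network

# Point the RCPT-stage policy control at our ACL.
acl_smtp_rcpt = acl_rcpt_to

begin acl

acl_rcpt_to:
  # Mail submitted locally (no remote host at all) is always accepted.
  accept hosts = :

  # Clients that completed SMTP AUTH may relay to any domain.
  accept authenticated = *

  # Trusted hosts and networks may relay to any domain.
  accept hosts = +relay_from_hosts

  # Everyone else may only address our own or relay domains.
  # This is the statement that prevents open relay.
  deny   message  = Relaying denied
         !domains = +local_domains : +relay_to_domains

  # Reject recipients that no router will route (unknown local users).
  require verify = recipient

  # Anything that reached this point is acceptable.
  accept
```

To check the result without sending real mail, `exim -bh 203.0.113.5` (any address outside your lists) starts a simulated SMTP session from that host; a RCPT TO: for a non-local domain should get the "Relaying denied" response, while one for a domain in local_domains should be accepted.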