[exim] Help with ACL

Author: Ruth Ivimey-Cook
Date:  
To: exim-users
CC: qq
Subject: [exim] Help with ACL
Hi folks,

I think I need some help with my ACLs. The system is Exim 4.42 running on
Linux FC1. Recently I upgraded the ACLs to be stronger, and I have encountered
some badly behaved hosts (I think) which I have to work around for the moment.

The reject logs include:

2005-01-18 22:51:21 H=(gatekeeper36.totaljobsmail.co.uk) [193.128.115.36]
F=<cwjobs@???> rejected RCPT <ruth@???>: host lookup
failed (193.128.115.36 does not match any IP address for gatekeeper36.totaljobsmail.co.uk)

My RCPT ACL includes a possibility for noverify hosts - i.e. those hosts I
want and would otherwise fail by text lookup in a file noverify-hosts, and I
thought this would do it.

The rcpt ACL looks like this: [ If in passing folks have comments on the ACL
in general I am happy to listen :-) ]

---------------------------------------------------------

acl_check_rcpt:

# Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
# testing for an empty sending host field.

  accept  hosts        = : +relay_from_hosts


# Deny if the sender is <> and there are more than 1 recipients

  deny    senders       = :
          message       = Invalid use of null sender
          condition     = ${if > {$rcpt_count} {1} {1} }


# Deny if the local part contains @ or % or / or | or !. These are rarely
# found in genuine local parts, but are often tried by people looking to
# circumvent relaying restrictions.

  deny    message       = Invalid local part in address
          local_parts   = ^.*[@%!/|]
          delay         = 30s


# Accept mail to postmaster in any local domain, regardless of the source,
# and without verifying the sender.

  accept  local_parts   = postmaster
          domains       = +local_domains


# Accept if the message arrived over an authenticated connection, from
# any host. Again, these messages are usually from MUAs, so recipient
# verification is omitted.

  accept  authenticated = *

  accept  hosts         = /etc/exim/noverify_hosts


# If reverse DNS lookup of the sender's host fails (i.e. there is
# no rDNS entry, or a forward lookup of the resulting name does not
# match the original IP address), then reject the message.
#
#  deny    message       = reverse DNS lookup failed for host $sender_host_address.
#         !verify        = reverse_host_lookup


# Deny unless the sender address can be verified.

  deny    message       = <$sender_address> does not appear to be a valid sender.
         !verify        = sender/callout=20s,defer_ok


# Accept if the address is in a local domain, but only if the recipient can
# be verified. Otherwise deny. The "endpass" line is the border between
# passing on to the next ACL statement (if tests above it fail) or denying
# access (if tests below it fail).

  accept  domains       = +local_domains
          endpass
          message       = unknown user
          verify        = recipient/callout=20s,defer_ok


# Accept if the address is in a domain for which we are relaying, but again,
# only if the recipient can be verified.

  accept  domains       = +relay_to_domains
          endpass
          message       = unable to route address
          verify        = recipient/callout=20s,defer_ok


# If control reaches this point, the domain is neither in +local_domains
# nor in +relay_to_domains.

  deny    message       = mail not permitted
          hosts         = /etc/exim/exim-spam-hosts
          delay         = 20s


# Reaching the end of the ACL causes a "deny", but we might as well give
# an explicit message.

  deny    message       = Relay not permitted
          delay         = 20s


-----------------------------------------------------------------


and the file noverify-hosts includes the lines:

#Totaljobs
*.totaljobs.co.uk
*.totaljobsmail.co.uk

-----------------------------------------------------------------

Hoping you can help...

Thanks


--
Ruth Ivimey-Cook
Software engineer and technical writer.
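The log line in the post shows the check that a name pattern such as `*.totaljobsmail.co.uk` depends on: Exim reverse-resolves the sending IP, then forward-resolves the resulting name and only uses that name if the forward answer contains the original IP. The following is an added, simplified model of that host-list evaluation, written for this thread and not taken from Exim's sources or from the poster's configuration. The DNS data is constructed inline (the forward record for the gatekeeper host is invented so that it reproduces the mismatch in the log); IP and CIDR items are matched without DNS, name patterns require a forward-confirmed name, and a failed lookup stops the match with the same wording the log uses. It also loads the poster's `noverify_hosts` file format (comments and blank lines skipped).

```python
import fnmatch
import ipaddress

# Constructed sample DNS data; it is NOT real. It models the log line in the post:
# the IP reverse-resolves to a name whose forward records do not include that IP.
PTR = {
    "193.128.115.36": "gatekeeper36.totaljobsmail.co.uk",
    "192.0.2.10": "mx.example.net",
}
A = {
    "gatekeeper36.totaljobsmail.co.uk": ["193.128.115.40"],  # constructed: the real IP is missing
    "mx.example.net": ["192.0.2.10"],
}

# The host file from the post, embedded so the example runs offline.
NOVERIFY_HOSTS = """\
#Totaljobs
*.totaljobs.co.uk
*.totaljobsmail.co.uk
"""


class LookupFailed(Exception):
    """A name pattern needed the sender's host name, but it could not be confirmed."""


def load_host_list(text):
    """Parse a host-list file: one item per line, '#' comments and blank lines ignored."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def confirmed_name(ip):
    """Reverse-resolve ip, then forward-resolve the name; accept the name only if
    the forward answer contains ip (the forward-confirmed reverse DNS check)."""
    name = PTR.get(ip)
    if name is None:
        raise LookupFailed(f"no reverse DNS entry for {ip}")
    if ip not in A.get(name, []):
        raise LookupFailed(f"{ip} does not match any IP address for {name}")
    return name


def item_matches(ip, item):
    """Match one host-list item. Address/CIDR items need no DNS at all;
    anything else is treated as a wildcard host-name pattern."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(item, strict=False)
    except ValueError:
        pass  # not an address or CIDR block, so it is a name pattern
    return fnmatch.fnmatchcase(confirmed_name(ip).lower(), item.lower())


def host_list_matches(ip, items):
    """Evaluate a host list left to right.
    Returns (matched, reason); a failed lookup ends evaluation, as in the log."""
    for item in items:
        try:
            if item_matches(ip, item):
                return True, f"matched {item}"
        except LookupFailed as exc:
            return False, f"host lookup failed ({exc})"
    return False, "no item matched"


if __name__ == "__main__":
    items = load_host_list(NOVERIFY_HOSTS)
    print(host_list_matches("193.128.115.36", items))
    # Adding the sender's address block lets the list match without any DNS:
    print(host_list_matches("193.128.115.36", ["193.128.115.0/24"] + items))
```

Run stand-alone, the first call reproduces the log's failure reason and the second shows that an address or CIDR item placed before the name patterns matches without consulting DNS at all. This model takes the strict path visible in the log; real Exim host lists can change what an unresolvable host does with the `+include_unknown` and `+ignore_unknown` list items, which the poster's file does not use.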