[exim] Please sanity-check my ACLs outline

Author: Dave Pooser
To: Exim Mailing List
Subject: [exim] Please sanity-check my ACLs outline
After a successful trial of Exim as a secondary MX, I'm ready to roll it out
as an antispam/antivirus frontend to my CommuniGate Pro server. The general
mail flow I have in mind is below; please glance over it and contribute
suggestions/comments/mockery as needed. I have a fair amount of CPU/RAM to
throw at this but very limited tolerance for FPs and almost no tolerance for
time delays of more than a few minutes.

-     acl_smtp_connect = acl_connect
      acl_smtp_helo    = acl_helo
      acl_smtp_mail    = acl_mail_from
      acl_smtp_rcpt    = acl_rcpt_to
      acl_smtp_data    = acl_data
- [ ] acl_connect
    - [ ] accept from trusted hosts
        - [ ] my corporate overlords
        - [ ] some clients?
    - [ ] Check blacklists/whitelists and save blacklist results
          in variables for later rejection
        - [ ] whitelist file -- if listed, skip blacklists
        - [ ] whitelist by RDNS -- if listed, skip blacklists
        - [ ] create DNSWL? -- might be easier than keeping files
              synchronized across multiple MXes
        - [ ] blacklist file
        - [ ] DNSBLs
        - [ ] blacklist by RDNS
- [ ] acl_helo
    - [ ] accept from trusted hosts
    - [ ] Check HELO for IP address and if IP address flag in variables
    - [ ] Check HELO for our name/address and if ours flag in variables
    - [ ] Verify HELO or log verification failure
        - [ ] Flag fake yahoo/aol/hotmail/gmail helo for rejection?
- [ ] acl_mail_from
    - [ ] accept from trusted hosts
    - [ ] If no helo flag in variables
- [ ] acl_rcpt_to
    - [ ] accept from trusted hosts
    - [ ] accept if local part is postmaster and/or blacklist admin
          and/or abuse (this is why I wait until now to start rejecting
          messages)
    - [ ] deny if blacklisted/IP HELO/forged HELO/no HELO/callout failed
    - [ ] deny if recipient not in +relay_to_domains
    - [ ] deny if recipient callout fails
    - [ ] deny if sender callout fails (I know the arguments against
          sender callout, but on balance it seems to me that it's worth
          doing; I try to minimize the effect on innocent mail servers by
          leaving it to this late in the game)
    - [ ] if verizon/.mac delay 20s then accept
    - [ ] elif in redlist delay 55s then accept (Redlist is my DNSBL of
          hosts we will rarely see legitimate email from; it's a mix of
          geographical locations and spam-tolerant ISPs.)
    - [ ] else delay 30s then accept
- [ ] acl_data
    - [ ] accept if local part is postmaster and/or blacklist admin
          and/or abuse
    - [ ] scan with ClamAV
    - [ ] accept from trusted hosts
    - [ ] scan with SpamAssassin
        - [ ] reject on 10+
        - [ ] add header for sorting on 5+
- [ ] accept


Thanks for any help you can provide!
-- 
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
"The greatest dangers to liberty lurk in insidious encroachment
by men of zeal, well-meaning but without understanding."
                            -- Justice Louis Brandeis
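A partial rendering of the outline above in Exim ACL syntax, added here as an illustration and not the poster's own configuration: it covers the connect through RCPT stages (the DATA-stage ClamAV/SpamAssassin scanning is left out), assumes the default configuration's +relay_from_hosts and +relay_to_domains lists exist, assumes a whitelist file at /etc/exim/whitelist_hosts, uses zen.spamhaus.org as a stand-in for "DNSBLs", and uses redlist.example.invalid as a placeholder for the poster's redlist zone.

```exim
begin acl

acl_connect:
  # Trusted hosts and a local whitelist file bypass every later check.
  accept hosts = +relay_from_hosts : /etc/exim/whitelist_hosts
  # Only record the DNSBL hit here; rejection waits until RCPT TO.
  warn   dnslists = zen.spamhaus.org
         set acl_c_blacklisted = $dnslist_domain: $dnslist_text
  accept

acl_helo:
  accept hosts = +relay_from_hosts
  # Flag a bare or bracketed IPv4 address used as the HELO name.
  warn   condition = ${if match{$sender_helo_name}{\N^\[?\d+\.\d+\.\d+\.\d+\]?$\N}}
         set acl_c_helo_ip = 1
  # Flag a HELO that claims one of our own names.
  warn   condition = ${if match_domain{$sender_helo_name}{$primary_hostname : +relay_to_domains}}
         set acl_c_helo_ours = 1
  # Log a failed HELO verification and remember it; do not reject yet.
  warn   !verify      = helo
         log_message  = HELO verification failed for $sender_helo_name
         set acl_c_helo_bad = 1
  accept

acl_mail_from:
  accept hosts = +relay_from_hosts
  # MAIL FROM with no preceding HELO/EHLO leaves $sender_helo_name empty.
  warn   condition = ${if eq{$sender_helo_name}{}}
         set acl_c_no_helo = 1
  accept

acl_rcpt_to:
  accept hosts = +relay_from_hosts
  # Always take postmaster/abuse mail so blacklist disputes can reach us.
  accept local_parts = postmaster : abuse
         domains     = +relay_to_domains
  deny   condition = ${if def:acl_c_blacklisted}
         message   = Rejected: listed in $acl_c_blacklisted
  deny   condition = ${if or{{def:acl_c_helo_ip}{def:acl_c_helo_ours} \
                             {def:acl_c_helo_bad}{def:acl_c_no_helo}}}
         message   = Rejected: invalid HELO
  deny   !domains  = +relay_to_domains
         message   = Relay not permitted
  deny   !verify   = recipient/callout=10s,defer_ok
  deny   !verify   = sender/callout=10s,defer_ok
  # Placeholder zone name standing in for the poster's "redlist" DNSBL.
  accept dnslists  = redlist.example.invalid
         delay     = 55s
  accept delay     = 30s
```

The callouts use defer_ok so a temporarily unreachable peer does not turn into a hard rejection of innocent mail; the per-stage flags live in acl_c_* variables because those persist for the whole SMTP connection.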