I apologize for the line wraps, but I think in most cases the intent is
clear. My goals:
Postmaster/abuse/hostmaster should receive all email. If the role account is
one of multiple recipients, messages that would otherwise be rejected are
accepted and quarantined.
Mail from greenlisted hosts gets delivered unless it includes a virus.
Whitelisted hosts are immune to blacklists, either local or DNSBL, but are
subject to other tests.
TIA for any help; Dallas-area responders or those who visit DFW in future
are eligible for gratitude expressed as $BEVERAGE.
=====
acl_smtp_connect = acl_connect
acl_smtp_helo = acl_helo
acl_smtp_mail = acl_mail_from
acl_smtp_rcpt = acl_rcpt_to
acl_smtp_data = acl_data
av_scanner = clamd:/tmp/clamd
spamd_address = /tmp/spamd
never_users = root
host_lookup = *
# These lists will be used in various ACLs. The named domain lists
# +local_domains and +relay_to_domains referenced below are not shown in
# this excerpt; they are assumed to be defined as in the default configure.
hostlist greenlisted = /usr/exim/files/greenlist_hosts
hostlist whitelisted = /usr/exim/files/whitelist_hosts
hostlist block_by_ip = /usr/exim/files/blacklist_ip
hostlist block_by_name = /usr/exim/files/blacklist_name
######################################################################
# ACL CONFIGURATION #
######################################################################
begin acl
acl_connect:
accept
# This access control list is used for the HELO or EHLO command in
# an incoming SMTP transaction. The tests are run in order until the
# greeting is either accepted or denied.
acl_helo:
accept
acl_mail_from:
accept
# This access control list is used for every RCPT command in an incoming
# SMTP message. The tests are run in order until the address is either
# accepted or denied.
acl_rcpt_to:
# Accept if the source is local SMTP (i.e. not over TCP/IP, detected by an
# empty sending host field) or a greenlisted host.
accept hosts = : +greenlisted
# Accept mail to the role accounts in any local domain, regardless of the
# source and without verifying the sender. ACL modifiers take effect as soon
# as they are reached, so "set" must come AFTER the conditions; placed first,
# acl_m0 is set on every RCPT that reaches this statement and the virus/spam
# rejections in acl_data below are switched off for everyone.
accept local_parts = postmaster : blacklist-admin : abuse
       domains = +local_domains
       set acl_m0 = Delivered to role account
deny message = Restricted characters in address
domains = +local_domains
local_parts = ^[.] : ^.*[@%!/|]
# Deny unless the sender address can be verified.
require verify = sender
# Make sure not to relay
require message = Relay not permitted
domains = +local_domains : +relay_to_domains
# Do HELO tests. The ACL condition is "hosts" (plural); "host" is not a
# valid condition name and Exim refuses to start on it.
# Note that isip does not match an RFC-legal address literal such as
# [192.0.2.1], only a bare IP address.
deny message = Remote host used IP address in HELO/EHLO greeting
     !hosts = +whitelisted
     condition = ${if isip {$sender_helo_name}{true}{false}}
# Reject hosts that claim to be us. The "or" condition takes one
# brace-enclosed list of sub-conditions, each in its own braces.
deny message = Remote host used our name in HELO/EHLO greeting.
     !hosts = +whitelisted
     condition = ${if or {\
                   {match_domain{$sender_helo_name}{$primary_hostname:+local_domains:+relay_to_domains}}\
                   {eq {$sender_helo_name}{12.106.209.189}}\
                   }{true}{false}}
# Check local blacklists before doing DNS queries. Conditions are tested in
# order, so putting !hosts first means a whitelisted host never reaches the
# list lookups at all.
deny message = Message rejected because $sender_host_address \
               is in a local block list; please email <blacklist-admin@???> \
               with questions.
     !hosts = +whitelisted
     hosts = +block_by_ip
deny message = Message rejected because $sender_host_address \
               resolves to a domain in a local block list; please email \
               <blacklist-admin@???> with questions.
     !hosts = +whitelisted
     hosts = +block_by_name
# Now do DNSBL queries. (sbl-xbl.spamhaus.org has since been retired in
# favour of zen.spamhaus.org; the list names are kept as posted.)
deny message = Message rejected because $sender_host_address is \
               in a block list at $dnslist_domain\n$dnslist_text\n Please email \
               <blacklist-admin@???> with questions.
     !hosts = +whitelisted
     dnslists = sbl-xbl.spamhaus.org : blacklist.alfordmedia.com : \
                dul.dnsbl.sorbs.net
# "Greylist" here is the poster's own suspicious-host list, not SMTP
# greylisting: listed hosts are not rejected, but get a warning header and
# a 30s stall (the delay only runs if the dnslists condition matched).
warn message = X-Warning: $sender_host_address is on a suspicious \
               list at $dnslist_domain
     log_message = found in $dnslist_domain
     dnslists = greylist.alfordmedia.com : bl.spamcop.net
     delay = 30s
# We also require all accepted addresses to be verifiable.
require message = Unknown address; see \
                  <http://www.alfordmedia.com/bttb/index.cfm?fuseaction=staff> or email \
                  <postmaster@???>.
        verify = recipient/callout=30s,defer_ok,use_sender
# Sender callout verification. The earlier "verify = sender" only checked
# that the address routes; this one actually talks to the sender's MX.
deny message = Message blocked because <$sender_address> does not appear to \
               be a valid sender address; email <postmaster@???> with \
               questions.
     !verify = sender/callout
# Everything else is accepted, after a 20s stall.
accept delay = 20s
acl_data:
# Scan every message once. The warn adds a header so that a virus accepted
# because one recipient is a role account can still be quarantined. A warn
# message that is not a "Name: value" header line gets an "X-ACL-Warn:"
# prefix from Exim anyway, so spell the header out.
warn malware = *
     message = X-ACL-Warn: This message contains a virus ($malware_name).
# Deny if the message contains a virus, unless acl_rcpt_to flagged a role
# account recipient. "def:" is an ${if} condition and is not braced.
deny malware = *
     message = This message contains a virus ($malware_name).
     !condition = ${if def:acl_m0 {true}{false}}
# We trust the greenlist not to send spam
accept hosts = : +greenlisted
# Add spam headers to every message. The ":true" suffix makes the spam
# condition succeed regardless of the score; the message is only sent to
# spamd once and the result reused for the later spam conditions.
warn message = X-AMS3-Spam-Score: $spam_score ($spam_bar)
     spam = nobody:true
warn message = X-Spam-Report: $spam_report
     spam = nobody:true
# Messages over the SpamAssassin threshold get flagged as spam for the
# primary MX. Without ":true" the condition is only true above the threshold.
warn message = X-Spam-Level: $spam_bar
     spam = nobody
# Reject spam scoring 10+ ($spam_score_int is the score multiplied by ten),
# again unless a role account is among the recipients.
deny message = Message blocked by our spam filter; email \
               <postmaster@???> with questions.
     spam = nobody:true
     condition = ${if >{$spam_score_int}{100}{1}{0}}
     !condition = ${if def:acl_m0 {true}{false}}
# Accept the message.
accept
--
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
"...Life is not a journey to the grave with the intention of arriving
safely in one pretty and well-preserved piece, but to slide across the
finish line broadside, thoroughly used up, worn out, leaking oil, and
shouting GERONIMO!!!" -- Bill McKenna
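An ACL set like the one in the post is best exercised before it goes live. Exim's `-bh <ip>` option runs a fake SMTP session as if from that address, runs the connect/HELO/MAIL/RCPT/DATA ACLs, prints the SMTP replies on stdout and the ACL commentary on stderr, and never stores or delivers anything. The following POSIX shell harness for that is an added example, not code from the original post or from Exim itself. It assumes `exim` is on PATH, that the config under test lives at the hypothetical path in `EXIM_CONF`, and it uses RFC 5737 documentation addresses rather than the poster's real hosts or lists.

```shell
#!/bin/sh
# Added example (not from the original post): drive SMTP sessions through
# Exim's fake-SMTP test mode and reduce each transcript to one verdict.
# Assumptions: exim on PATH, config at $EXIM_CONF (hypothetical default),
# RFC 5737 addresses below are documentation values, not real hosts.

EXIM_CONF="${EXIM_CONF:-/usr/exim/configure}"

# Emit one SMTP client transcript: HELO name, envelope sender, recipients...
smtp_session() {
    helo="$1"
    from="$2"
    shift 2
    printf 'EHLO %s\r\n' "$helo"
    printf 'MAIL FROM:<%s>\r\n' "$from"
    for rcpt in "$@"; do
        printf 'RCPT TO:<%s>\r\n' "$rcpt"
    done
    # A tiny message body; the data ACL still runs its virus/spam checks on it.
    printf 'DATA\r\n'
    printf 'Subject: acl test\r\n\r\nacl test body\r\n.\r\n'
    printf 'QUIT\r\n'
}

# Reduce a server-side SMTP transcript (stdin) to one word. Any 5xx reply
# means an ACL rejected something, any 4xx means a temporary refusal
# (e.g. a deferred callout), otherwise everything was accepted.
verdict() {
    awk '
        /^5[0-9][0-9][ -]/ { rej++ }
        /^4[0-9][0-9][ -]/ { tmp++ }
        END {
            if (rej) print "rejected"
            else if (tmp) print "deferred"
            else print "accepted"
        }'
}

# Feed a transcript to exim -bh as if it came from $1. In -bh mode callouts
# are assumed to succeed; use -bhc instead to perform them for real.
# ACL commentary goes to stderr, the SMTP replies to stdout.
run_session() {
    ip="$1"
    shift
    smtp_session "$@" | exim -C "$EXIM_CONF" -bh "$ip" 2>/dev/null
}

# Only run live sessions when exim is actually installed.
if command -v exim >/dev/null 2>&1; then
    # Bare-IP HELO from a non-whitelisted host: the HELO test should fire...
    echo "bare-IP HELO: $(run_session 198.51.100.10 203.0.113.7 sender@example.net user@example.org | verdict)"
    # ...but a role-account recipient is accepted before the HELO tests run.
    echo "role account: $(run_session 198.51.100.10 203.0.113.7 sender@example.net postmaster@example.org | verdict)"
    # Mixed recipients: the only path that reaches the acl_m0 branch in acl_data.
    echo "mixed rcpts:  $(run_session 198.51.100.10 mail.example.net sender@example.net postmaster@example.org user@example.org | verdict)"
fi
```

Run it as a user that can read both the config and the files under the hostlist paths; when `-C` names a non-default config, Exim drops root unless the caller is a trusted user. The three sessions are chosen to hit the ordering points that matter in the posted ACLs: a role-account RCPT is accepted before the HELO tests, a normal RCPT behind a bare-IP HELO is refused, and only a mixed recipient list exercises the quarantine branch in acl_data. Because `-bh` treats callouts as successful, the `sender/callout` deny can only be observed with `-bhc`.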