Thanks Dean. Below is my ACL section (I use a cPanel server, so I don't
fully understand it.) Can you help me figure out where your helpful
code will go? -- I'm assuming right before the other lines that contain
"authenticated".
Also, do you see any conflicting code with other parts of the ACL?
Thanks,
Terry
begin acl

#!!# ACL that is used after the RCPT command

check_recipient:

  # Exim 3 had no checking on -bs messages, so for compatibility
  # we accept if the source is local SMTP (i.e. not over TCP/IP).
  # We do this by testing for an empty sending host field.
  accept  hosts = :

  # Accept bounces to lists even if callbacks or other checks would fail
  warn    message = X-WhitelistedRCPT-nohdrfromcallback: Yes
          condition = \
            ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                      {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
              {yes}{no}}

  accept  condition = \
            ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                      {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
              {yes}{no}}

  # Accept bounces to lists even if callbacks or other checks would fail
  warn    message = X-WhitelistedRCPT-nohdrfromcallback: Yes
          condition = \
            ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                      {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
              {yes}{no}}

  accept  condition = \
            ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                      {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
              {yes}{no}}

  # if it gets here it isn't mailman
  accept  hosts = *
          authenticated = *

  # if they popped before smtp we just accept
  accept  condition = ${if match_ip{$sender_host_address}{iplsearch;/etc/relayhosts}{1}{${if eq{$sender_host_address}{127.0.0.1}{1}{0}}}}
          add_header = ${perl{popbeforesmtpwarn}{$sender_host_address}}

  accept  hosts = +relay_hosts
          add_header = ${perl{popbeforesmtpwarn}{$sender_host_address}}

  # recipient verifications are now done after smtp auth and pop before smtp
  # so the users get back bounces instead of a clogged outbox in outlook
  # recipient verifications are required for all messages that are not
  # sent to the local machine
  # this was done at multiple users' requests
  require verify = recipient
  require verify = sender/callout=60s

  # The only problem with this setup is that if the message is for
  # multiple users on the same server and they are on different unix
  # accounts, the settings for the first recipient which has spamassassin
  # enabled will be used.
  # This shouldn't be a problem 99.9% of the time, however it's a very
  # small price to pay for a massive speed increase.
  warn    domains = ! ${primary_hostname} : +local_domains
          condition = ${if eq {${acl_m0}}{1}{0}{${perl{acl_checksa_deliver}{$domain}{${extract{5}{:}{${lookup{${lookup{$domain}lsearch*{/etc/userdomains}{$value}}}lsearch{/etc/passwd}{$value}}}}}}}}
          set acl_m0 = 1
          set acl_m1 = ${lookup{$domain}lsearch*{/etc/userdomains}{$value}}

  warn    domains = ${primary_hostname}
          condition = ${if eq {${acl_m0}}{1}{0}{${perl{acl_checkusersa}{$local_part}{${extract{5}{:}{${lookup{$local_part}lsearch{/etc/passwd}{$value}}}}}}}}
          set acl_m0 = 1
          set acl_m1 = $local_part

  accept  domains = +relay_domains

  deny    message = $sender_fullhost is currently not permitted to \
                    relay through this server. Perhaps you \
                    have not logged into the pop/imap server in the \
                    last 30 minutes or do not have SMTP \
                    Authentication turned on in your email client.

#!!# ACL that is used after the DATA command

check_message:

  # Enabling this will make the server non-rfc compliant
  # require verify = header_sender

  accept  hosts = 127.0.0.1 : +relay_hosts

  accept  hosts = *
          authenticated = *

  warn    condition = ${if eq {${acl_m0}}{1}{1}{0}}
          spam = ${acl_m1}/defer_ok
          log_message = "SpamAssassin as ${acl_m1} detected message as spam"
          add_header = X-Spam-Subject: ***SPAM*** $h_subject
          add_header = X-Spam-Status: Yes, score=$spam_score
          add_header = X-Spam-Score: $spam_score_int
          add_header = X-Spam-Bar: $spam_bar
          add_header = X-Spam-Report: $spam_report
          add_header = X-Spam-Flag: YES
          set acl_m2 = 1

  warn    condition = ${if eq {${acl_m0}}{1}{${if eq {${acl_m2}}{1}{0}{1}}}{0}}
          add_header = X-Spam-Status: No, score=$spam_score
          add_header = X-Spam-Score: $spam_score_int
          add_header = X-Spam-Bar: $spam_bar
          add_header = X-Spam-Flag: NO
          log_message = "SpamAssassin as ${acl_m1} detected message as NOT spam"

  deny    condition = ${if eq {${acl_m0}}{1}{${if >{$spam_score_int}{200}{1}{0}}}{0}}
          log_message = "The mail server detected your message as spam and \
                        has prevented delivery (200)."
          message = "The mail server detected your message as spam and has \
                    prevented delivery."

  accept
Dean Brooks wrote:
> On Sun, Oct 14, 2007 at 01:58:21PM -0500, eximlearning@??? wrote:
>
>> So I guess what I'm saying is how could I go about writing the following
>> rule as an ACL (possibly with a call from acl_smtp_data):
>>
>> "If the connection is SMTP and isn't authenticated, check the "From"
>> header address to see if it contains a local domain, and if it does,
>> reject the message with error:
>
> Well, if you have your local domains in a domainlist, such as:
>
> domainlist localdomains = mydomain1.com : mydomain2.com
>
> then you could use something like:
>
> deny
> ! authenticated = *
> condition = ${if match_domain{${domain:${address:$h_from:}}}{+localdomains}}
> message = sorry, external MTA's and unauthenticated MTU's don't have\
> permission to send email to this server with a header that\
> states the email is from ${lc:${domain:${address:$h_from:}}}.
>
> Keep in mind that placement of this in your DATA ACL is important. The
> ACL would need to have already accepted email that is within your IP
> space. Otherwise, this will block email from your domain from *everyone*
> who hasn't used SMTP auth. Unless that is what you want, of course.
>
> --
> Dean Brooks
> dean@???
>
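An added illustration of the placement point in Dean's quoted reply (this is not code from either poster and not Exim itself): a small Python model of Exim's first-match ACL evaluation, run over a few constructed messages. The domain list, the relay-host list, the host addresses and the From: headers are all made-up sample values; the two ACL orderings are the one Dean describes (deny after the accepts for your own IP space and authenticated clients) and the misplacement he warns about (deny first), so you can see which senders each ordering blocks.

```python
"""Added illustration: a model of Exim's first-match ACL evaluation, used to
show why a 'deny unless authenticated' statement for local From: domains
belongs after the accepts for relay hosts and authenticated clients in the
DATA ACL. Simulation written for this thread, not Exim's own code."""
from dataclasses import dataclass, field
from email.utils import parseaddr
from typing import Callable, Dict, List

# Constructed sample lists (stand-ins for +localdomains / +relay_hosts)
LOCAL_DOMAINS = {"example.com", "example.org"}
RELAY_HOSTS = {"127.0.0.1", "192.0.2.10"}   # e.g. a web server in your IP space


@dataclass
class Message:
    sender_host_address: str   # $sender_host_address
    authenticated: bool        # whether 'authenticated = *' would match
    from_header: str           # raw value of $h_from:


def from_domain(msg: Message) -> str:
    """Model of ${lc:${domain:${address:$h_from:}}}: take the address part of
    the From: header, then its domain, lower-cased."""
    _, addr = parseaddr(msg.from_header)
    return addr.rpartition("@")[2].lower()


Condition = Callable[[Message], bool]


@dataclass
class Statement:
    verb: str                                   # accept / deny / warn
    conditions: List[Condition] = field(default_factory=list)
    note: str = ""


def run_acl(acl: List[Statement], msg: Message) -> str:
    """Exim semantics, simplified: statements are tried in order and one
    applies only when all of its conditions are true; accept and deny end
    the ACL, warn only has side effects; running off the end is a deny."""
    for st in acl:
        if all(cond(msg) for cond in st.conditions):
            if st.verb in ("accept", "deny"):
                return st.verb
    return "deny"


# Conditions corresponding to the ACL lines discussed in the thread
def is_relay_host(m: Message) -> bool:        # hosts = 127.0.0.1 : +relay_hosts
    return m.sender_host_address in RELAY_HOSTS

def is_authenticated(m: Message) -> bool:     # authenticated = *
    return m.authenticated

def claims_local_from(m: Message) -> bool:    # match_domain{...}{+localdomains}
    return from_domain(m) in LOCAL_DOMAINS

# Dean's statement: deny when the session is not authenticated and the
# From: header claims one of our domains.
DENY_UNAUTH_LOCAL_FROM = Statement(
    "deny", [lambda m: not is_authenticated(m), claims_local_from],
    "unauthenticated sender using a local From: domain")

# Placement Dean describes: after the accepts for your own IP space and for
# authenticated clients, ahead of the rest of check_message.
ACL_DENY_AFTER_ACCEPTS = [
    Statement("accept", [is_relay_host]),
    Statement("accept", [is_authenticated]),
    DENY_UNAUTH_LOCAL_FROM,
    Statement("accept"),            # the final bare accept of check_message
]

# The misplacement Dean warns about: the deny before those accepts.
ACL_DENY_FIRST = [
    DENY_UNAUTH_LOCAL_FROM,
    Statement("accept", [is_relay_host]),
    Statement("accept", [is_authenticated]),
    Statement("accept"),
]

# Constructed test messages (documentation addresses and domains only)
SAMPLES: Dict[str, Message] = {
    "external_spoofing_local": Message("203.0.113.5", False, "Boss <boss@example.com>"),
    "external_foreign_from":   Message("203.0.113.5", False, "partner@partner.net"),
    "authenticated_roaming":   Message("203.0.113.5", True,  "Boss <boss@Example.COM>"),
    "own_webserver_unauth":    Message("192.0.2.10",  False, "noreply@example.org"),
}


def verdicts(acl: List[Statement]) -> Dict[str, str]:
    """Evaluate every sample message against one ACL ordering."""
    return {name: run_acl(acl, msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for label, acl in (("deny after accepts", ACL_DENY_AFTER_ACCEPTS),
                       ("deny first", ACL_DENY_FIRST)):
        print(label)
        for name, verdict in verdicts(acl).items():
            print(f"  {name:26} {verdict}")
```

With the deny after the accepts, only the external unauthenticated sender claiming a local From: domain is refused; with the deny first, the unauthenticated web server in your own IP space is refused as well, which is the "block email from your domain from everyone who hasn't used SMTP auth" outcome Dean cautions about. In the real config the check runs after the `accept hosts = 127.0.0.1 : +relay_hosts` and `accept hosts = * / authenticated = *` statements of check_message.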