Re: [exim] Completely lost

Hi

Thanks for the reply

So my config says this when it comes to acl_smtp_rcpt …


# Defines the access control list that is run when an
# SMTP RCPT command is received.
#
.ifndef MAIN_ACL_CHECK_RCPT
MAIN_ACL_CHECK_RCPT = acl_check_rcpt
.endif
acl_smtp_rcpt = MAIN_ACL_CHECK_RCPT


What I don't get is what is ifndef ? Does it mean if it is not defined
then define it ?

It seems to say that the caps string is equal to the lower case string
(This is a macro I think)

Then it says that acl_smtp_rcpt    (the one you said I should do my checking
in)   
Is equal to the macro

Why is this necessary ? Why not just have the acl be what it is why
should it be changed to something else, this is just confusing ?

Anyway  
If      acl_smtp_rcpt      is the same thing as    acl_check_rcpt

Then a bit later says … should I place the filters I want in the
configuration below, if so does it matter where and can anyone give me an
example text to try ?


acl_check_rcpt:



# Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by

# testing for an empty sending host field.

accept

    hosts = :

    control = dkim_disable_verify

# Add missing Date and Message-ID header for relayed messages

# warn

#    hosts = +relay_from_hosts

#    control = submission/sender_retain

#warn    message       = X-SA-Do-Not-Rej: Yes

#        local_parts   = postmaster:abuse

# The following section of the ACL is concerned with local parts that
contain

# certain non-alphanumeric characters. Dots in unusual places are

# handled by this ACL as well.

#

# Non-alphanumeric characters other than dots are rarely found in genuine

# local parts, but are often tried by people looking to circumvent

# relaying restrictions. Therefore, although they are valid in local

# parts, these rules disallow certain non-alphanumeric characters, as

# a precaution.

#

# Empty components (two dots in a row) are not valid in RFC 2822, but Exim

# allows them because they have been encountered. (Consider local parts

# constructed as "firstinitial.secondinitial.familyname" when applied to

# a name without a second initial.) However, a local part starting

# with a dot or containing /../ can cause trouble if it is used as part of
a

# file name (e.g. for a mailing list). This is also true for local parts
that

# contain slashes. A pipe symbol can also be troublesome if the local part
is

# incorporated unthinkingly into a shell command line.

#

# These ACL components will block recipient addresses that are valid

# from an RFC2822 point of view. We chose to have them blocked by

# default for security reasons.

#

# If you feel that your site should have less strict recipient

# checking, please feel free to change the default values of the macros

# defined in main/01_exim4-config_listmacrosdefs or override them from a

# local configuration file.

#

# Two different rules are used. The first one has a quite strict

# default, and is applied to messages that are addressed to one of the

# local domains handled by this host.



# The default value of CHECK_RCPT_LOCAL_LOCALPARTS is defined in

# main/01_exim4-config_listmacrosdefs:

# CHECK_RCPT_LOCAL_LOCALPARTS = ^[.] : ^.*[@%!/|`#&?]

# This blocks local parts that begin with a dot or contain a quite

# broad range of non-alphanumeric characters.

.ifdef CHECK_RCPT_LOCAL_LOCALPARTS

deny

    domains = +local_domains

    local_parts = CHECK_RCPT_LOCAL_LOCALPARTS

    message = restricted characters in address

.endif





# The second rule applies to all other domains, and its default is

# considerably less strict.



# The default value of CHECK_RCPT_REMOTE_LOCALPARTS is defined in

# main/01_exim4-config_listmacrosdefs:

# CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./



# It allows local users to send outgoing messages to sites

# that use slashes and vertical bars in their local parts. It blocks

# local parts that begin with a dot, slash, or vertical bar, but allows

# these characters within the local part. However, the sequence /../ is

# barred. The use of some other non-alphanumeric characters is blocked.

# Single quotes might probably be dangerous as well, but they're

# allowed by the default regexps to avoid rejecting mails to Ireland.

# The motivation here is to prevent local users (or local users' malware)

# from mounting certain kinds of attack on remote sites.

.ifdef CHECK_RCPT_REMOTE_LOCALPARTS

deny

    domains = !+local_domains

    local_parts = CHECK_RCPT_REMOTE_LOCALPARTS

    message = restricted characters in address

.endif





# Accept mail to postmaster in any local domain, regardless of the source,

# and without verifying the sender.

#

accept

    .ifndef CHECK_RCPT_POSTMASTER

    local_parts = postmaster

    .else

    local_parts = CHECK_RCPT_POSTMASTER

    .endif

    domains = +local_domains : +relay_to_domains

# Deny unless the sender address can be verified.

#

# This is disabled by default so that DNSless systems don't break. If

# your system can do DNS lookups without delay or cost, you might want

# to enable this feature.

#

# This feature does not work in smarthost and satellite setups as

# with these setups all domains pass verification. See spec.txt chapter

# 39.31 with the added information that a smarthost/satellite setup

# routes all non-local e-mail to the smarthost.

.ifdef CHECK_RCPT_VERIFY_SENDER

deny

    message = Sender verification failed

    !acl = acl_local_deny_exceptions

    !verify = sender

.endif



# Verify senders listed in local_sender_callout with a callout.

#

# In smarthost and satellite setups, this causes the callout to be

# done to the smarthost. Verification will thus only be reliable if the

# smarthost does reject illegal addresses in the SMTP dialog.

deny

    !acl = acl_local_deny_exceptions

    senders = ${if exists{CONFDIR/local_sender_callout}\

                         {CONFDIR/local_sender_callout}\

                   {}}

    !verify = sender/callout

# Accept if the message comes from one of the hosts for which we are an

# outgoing relay. It is assumed that such hosts are most likely to be
MUAs,

# so we set control=submission to make Exim treat the message as a

# submission. It will fix up various errors in the message, for example,
the

# lack of a Date: header line. If you are actually relaying out out from

# MTAs, you may want to disable this. If you are handling both relaying
from

# MTAs and submissions from MUAs you should probably split them into two

# lists, and handle them differently.



# Recipient verification is omitted here, because in many cases the
clients

# are dumb MUAs that don't cope well with SMTP error responses. If you are

# actually relaying out from MTAs, you should probably add recipient

# verification here.



# Note that, by putting this test before any DNS black list checks, you
will

# always accept from these hosts, even if they end up on a black list. The

# assumption is that they are your friends, and if they get onto black

# list, it is a mistake.

accept

    hosts = +relay_from_hosts

    control = submission/sender_retain

    control = dkim_disable_verify

# Accept if the message arrived over an authenticated connection, from

# any host. Again, these messages are usually from MUAs, so recipient

# verification is omitted, and submission mode is set. And again, we do
this

# check before any black list tests.

accept

    authenticated = *

    control = submission/sender_retain

    control = dkim_disable_verify

# Insist that any other recipient address that we accept is either in one
of

# our local domains, or is in a domain for which we explicitly allow

# relaying. Any other domain is rejected as being unacceptable for
relaying.

require

    message = relay not permitted

    domains = +local_domains : +relay_to_domains

# We also require all accepted addresses to be verifiable. This check will

# do local part verification for local domains, but only check the domain

# for remote domains.

require

    verify = recipient

# Verify recipients listed in local_rcpt_callout with a callout.

# This is especially handy for forwarding MX hosts (secondary MX or

# mail hubs) of domains that receive a lot of spam to non-existent

# addresses. The only way to check local parts for remote relay

# domains is to use a callout (add /callout), but please read the

# documentation about callouts before doing this.

deny

    !acl = acl_local_deny_exceptions

    recipients = ${if exists{CONFDIR/local_rcpt_callout}\

                            {CONFDIR/local_rcpt_callout}\

                      {}}

    !verify = recipient/callout

# CONFDIR/local_sender_blacklist holds a list of envelope senders that

# should have their access denied to the local host. Incoming messages

# with one of these senders are rejected at RCPT time.

#

# The explicit white lists are honored as well as negative items in

# the black list. See exim4-config_files(5) for details.

deny

    message = sender envelope address $sender_address is locally blacklisted
here. If you think this is wrong, get in touch with postmaster

    !acl = acl_local_deny_exceptions

    senders = ${if exists{CONFDIR/local_sender_blacklist}\

                   {CONFDIR/local_sender_blacklist}\

                   {}}

# deny bad sites (IP address)

# CONFDIR/local_host_blacklist holds a list of host names, IP addresses

# and networks (CIDR notation) that should have their access denied to

# The local host. Messages coming in from a listed host will have all

# RCPT statements rejected.

#

# The explicit white lists are honored as well as negative items in

# the black list. See exim4-config_files(5) for details.

deny

    message = sender IP address $sender_host_address is locally blacklisted
here. If you think this is wrong, get in touch with postmaster

    !acl = acl_local_deny_exceptions

    hosts = ${if exists{CONFDIR/local_host_blacklist}\

                 {CONFDIR/local_host_blacklist}\

                 {}}

# Warn if the sender host does not have valid reverse DNS.

#

# If your system can do DNS lookups without delay or cost, you might want

# to enable this.

# If sender_host_address is defined, it's a remote call. If

# sender_host_name is not defined, then reverse lookup failed. Use

# this instead of !verify = reverse_host_lookup to catch deferrals

# as well as outright failures.

.ifdef CHECK_RCPT_REVERSE_DNS

warn

    message = X-Host-Lookup-Failed: Reverse DNS lookup failed for
$sender_host_address (${if eq{$host_lookup_failed}{1}{failed}{deferred}})

     condition = ${if and{{def:sender_host_address}{!def:sender_host_name}}\

                      {yes}{no}}

.endif





# Use spfquery to perform a pair of SPF checks (for details, see

# http://www.openspf.org/)

#

# This is quite costly in terms of DNS lookups (~6 lookups per mail). Do
not

# enable if that's an issue. Also note that if you enable this, you must

# install "libmail-spf-query-perl" which provides the spfquery command.

# Missing libmail-spf-query-perl will trigger the "Unexpected error in

# SPF check" warning.

.ifdef CHECK_RCPT_SPF

deny

    message = [SPF] $sender_host_address is not allowed to send mail from
${if def:sender_address_domain {$sender_address_domain}{$sender_helo_name}}.
\

              Please see http://www.openspf.org/Why?scope=${if
def:sender_address_domain {mfrom}{helo}};identity=${if
def:sender_address_domain
{$sender_address}{$sender_helo_name}};ip=$sender_host_address

    log_message = SPF check failed.

    !acl = acl_local_deny_exceptions

    condition = ${run{/usr/bin/spfquery --ip \"$sender_host_address\"
--mail-from \"$sender_address\" --helo \"$sender_helo_name\"}\

                     {no}{${if eq {$runrc}{1}{yes}{no}}}}

defer

    message = Temporary DNS error while checking SPF record.  Try again
later.

    condition = ${if eq {$runrc}{5}{yes}{no}}

warn

    message = Received-SPF: ${if eq {$runrc}{0}{pass}{${if eq
{$runrc}{2}{softfail}\

                                 {${if eq {$runrc}{3}{neutral}{${if eq
{$runrc}{4}{unknown}{${if eq {$runrc}{6}{none}{error}}}}}}}}}}

    condition = ${if <={$runrc}{6}{yes}{no}}

warn

    log_message = Unexpected error in SPF check.

    condition = ${if >{$runrc}{6}{yes}{no}}

# Support for best-guess (see
http://www.openspf.org/developers-guide.html)

warn

    message = X-SPF-Guess: ${run{/usr/bin/spfquery --ip
\"$sender_host_address\" --mail-from \"$sender_address\" \ --helo
\"$sender_helo_name\" --guess true}\

                                {pass}{${if eq {$runrc}{2}{softfail}{${if eq
{$runrc}{3}{neutral}{${if eq {$runrc}{4}{unknown}\

                                {${if eq {$runrc}{6}{none}{error}}}}}}}}}}

    condition = ${if <={$runrc}{6}{yes}{no}}

defer

    message = Temporary DNS error while checking SPF record.  Try again
later.

    condition = ${if eq {$runrc}{5}{yes}{no}}

.endif





# Check against classic DNS "black" lists (DNSBLs) which list

# sender IP addresses

.ifdef CHECK_RCPT_IP_DNSBLS

warn

    message = X-Warning: $sender_host_address is listed at $dnslist_domain
($dnslist_value: $dnslist_text)

    log_message = $sender_host_address is listed at $dnslist_domain
($dnslist_value: $dnslist_text)

    dnslists = CHECK_RCPT_IP_DNSBLS

.endif





# Check against DNSBLs which list sender domains, with an option to
locally

# whitelist certain domains that might be blacklisted.

#

# Note: If you define CHECK_RCPT_DOMAIN_DNSBLS, you must append

# "/$sender_address_domain" after each domain. For example:

# CHECK_RCPT_DOMAIN_DNSBLS = rhsbl.foo.org/$sender_address_domain \

  #                            : rhsbl.bar.org/$sender_address_domain

.ifdef CHECK_RCPT_DOMAIN_DNSBLS

warn

    message = X-Warning: $sender_address_domain is listed at $dnslist_domain
($dnslist_value: $dnslist_text)

    log_message = $sender_address_domain is listed at $dnslist_domain
($dnslist_value: $dnslist_text)

    !senders = ${if exists{CONFDIR/local_domain_dnsbl_whitelist}\

                    {CONFDIR/local_domain_dnsbl_whitelist}\

                    {}}

    dnslists = CHECK_RCPT_DOMAIN_DNSBLS

.endif





# This hook allows you to hook in your own ACLs without having to

# modify this file. If you do it like we suggest, you'll end up with

# a small performance penalty since there is an additional file being

# accessed. This doesn't happen if you leave the macro unset.

.ifdef CHECK_RCPT_LOCAL_ACL_FILE

.include CHECK_RCPT_LOCAL_ACL_FILE

.endif






############################################################################
#

# This check is commented out because it is recognized that not every

# sysadmin will want to do it. If you enable it, the check performs

# Client SMTP Authorization (csa) checks on the sending host. These checks

# do DNS lookups for SRV records. The CSA proposal is currently (May 2005)

# an Internet draft. You can, of course, add additional conditions to this

# ACL statement to restrict the CSA checks to certain hosts only.

#

# require verify = csa


############################################################################
#





# Accept if the address is in a domain for which we are an incoming relay,

# but again, only if the recipient can be verified.



accept

    domains = +relay_to_domains

    endpass

    verify = recipient

# At this point, the address has passed all the checks that have been

# configured, so we accept it unconditionally.



accept

#####################################################

### end acl/30_exim4-config_check_rcpt

#####################################################



From: Odhiambo Washington <odhiambo@???>
Date: Monday, 13 August 2012 16:43
To: Hill Ruyter <hill@???>
Subject: Re: [exim] Completely lost

Hi Hill,

Your particular type of filtering must be done at SMTP time (acl_smtp_rcpt).

In the meantime, head to www.exim4u.org <http://www.exim4u.org> and
download the tarball. Extract it and read the exim.conf to remind yourself
about how things are done. It is documented with comments and so saves you
from RTFM, which you say you don't understand:-)


On Mon, Aug 13, 2012 at 6:26 PM, Hill Ruyter <hill@???> wrote:
> Hi guys
>
> I have been using exim4 for many years and there are some things that I have
> never managed to get my head around
> I am coming for help and I know many will say I should read the docs but
> that is part of the problem. I don't understand!
>
> I am running Exim on an Ubuntu server which I know differs in a number of
> ways to the standard configuration and I think may not be supported by this
> mailing list but any help will be appreciated
>
> My main issue is with trying to get ACLs working properly
>
> The things I want to do is
>
> When a connection comes from an authenticated client then just let it
> proceed
> If a connection comes from elsewhere I want it to do fns checking and also
> prevent mail being sent as if from me
>
> One of my biggest spam problems is with mail appearing as if it is from me,
> I am sure this must be easy to filter but I just can't seem to get the
> server to even act on filters I try to configure.
>
> I am not sure where to start anymore as I have just ignored the problem for
> so long now I have forgotten where I was and every time I try to tackle it I
> feel like I have to try learn again from the beginning. The documentation
> although very clear does not seem to have any examples that look anything
> like my config file so I quickly get lost
>
> I don¹t get what the .ifndef statements do for example
>
> Should I just attach my entire config file to an email or do you want me to
> send sections
>
> Are there some commands I can run that help me debug the incoming email to
> see how it is being processed
>
> Is there a good place I can go with clear explanation of how to configure
> exim on an ubuntu server
>
>
> Lots of questions that I am sure will frustrate many of you, please be
> gentle
>
> Regards
> Hill
>
>
>
>
>
> --
> ## List details at https://lists.exim.org/mailman/listinfo/exim-users
> ## Exim details at http://www.exim.org/
> ## Please use the Wiki with this list - http://wiki.exim.org/



--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
I can't hear you -- I'm using the scrambler.