From exim configuration file:
# The second rule applies to all other domains, and its default is
# considerably less strict.
# CHECK_RCPT_REMOTE_LOCALPARTS = ^[./|] : ^.*[@%!`#&?] : ^.*/\\.\\./
# It allows local users to send outgoing messages to sites
# that use slashes and vertical bars in their local parts. It blocks
# local parts that begin with a dot, slash, or vertical bar, but allows
# these characters within the local part. However, the sequence /../ is
# barred. The use of some other non-alphanumeric characters is blocked.
# Single quotes might probably be dangerous as well, but they're
# allowed by the default regexps to avoid rejecting mails to Ireland.
# The motivation here is to prevent local users (or local users' malware)
# from mounting certain kinds of attack on remote sites.
It's confusing, because it says "local users", but local users sending
mails from command line can use any character, because
CHECK_RCPT_REMOTE_LOCALPARTS only used in acl_smtp_rcpt.
(I don't get why there isn't acl_not_smtp_rcpt which of course wouldn't
be able to deny individual addresses, but would be able to drop the
whole mail)
