Here is an excerpt from my configuration that you can look through, and
possibly use parts of.
Remember to replace all instances of my domain with yours.
hostlist relay_from_hosts = 192.168.0.0/16 : 127.0.0.1 : ::::1
auth_advertise_hosts = 192.168.0.0/16 : 127.0.0.1 : ::::1
domainlist local_domains = sebbe.eu:[185.86.106.232]:[193.187.91.106]:[2001:470:dff1:1:10::1]:[2001:470:dff1:1:10::2]:dns1.sebbe.eu:dns2.sebbe.eu:mx.sebbe.eu:185.86.106.232:193.187.91.106
## Note: the list separator is a colon, so an IPv6 address in a colon-separated
## list needs its colons doubled (as in ::::1 above) or the separator changed,
## otherwise the address is split into separate list items.

begin acl

acl_check_mail:
  accept
    authenticated = *
    senders = ^(sebastian|postmaster|abuse)@sebbe\\.eu\$
    hosts = +relay_from_hosts
    set acl_m0 = authorizedrelay
  ## This one ensures you need a valid password AND a valid IP to relay. Thus
  ## hacked passwords are a no go here.
  ## Combined with auth_advertise_hosts, it will also not even offer
  ## authentication to invalid hosts.
  ## This also requires the sender address to be within the local domain to be
  ## considered authenticated relay, else this rule is never triggered,
  ## authorizedrelay isn't set and any valid authenticated email but with a
  ## sender like RolexWatches@??? will also get rejected.

  deny
    message = 5.7.14 You can't spoof the domains this server is authoritative for
    sender_domains = ^(?i).*(sebbe\\.eu)\$ : +local_domains
  ## Prevents anyone from sending an email with a sender that is local to the
  ## server in question, if they aren't authorized to do so (ergo logged in and
  ## have the right IP).

  deny
    message = 5.7.1 Local users must authenticate
    hosts = +relay_from_hosts
  ## Prevents anyone that is already on the local network from sending without
  ## authenticating.

  deny
    message = 5.4.6 That would create a mail loop
    sender_domains = localhost : ^\\[127.* : ^.*\\.local : ^.*\\.localdomain : ^.*\\.localhost : ^127\\..*
  ## Prevent crude form of mail loops.

  deny
    message = 5.7.0 Banned TLD
    sender_domains = ^(?i).*\\.(app|accountant|accountants|auto|berlin|bid|camera|car|cars|christmas|click|club|college|computer|country|cricket|date|design|download|email|faith|fun|gdn|global|guru|help|host|jetzt|kim|life|link|loan|media|men|mom|news|ninja|online|party|photography|pro|protection|pub|racing|realtor|reise|ren|rent|review|rocks|science|security|shop|site|solutions|space|storage|store|stream|study|tech|technology|theatre|today|top|trade|university|uno|vip|vividal|wang|webcam|website|win|work|works|world|xin|xyz|zip)\$
  ## TLD ban. Bans a lot of TLDs in the sender address. Those TLDs are the ICANN
  ## new garbage shit that are 100% spam sources.

  deny
    message = 5.1.8 Sender verification failed
    !verify = sender
  ## Basic sender verification. (Does MX exist etc)

  accept
    condition = ${if eq {$sender_address}{}{yes}{no}}
  ## Auto-accept the blank sender address.

  deny
    message = 5.7.23 SPF fail (phishing) - (${sg{${sg{$spf_smtp_comment}{http\:\/\/www\.open-spf\.org\/Why}{https:\/\/www.sebbe.eu\/spf.cgi}}}{&receiver=sebbe\.eu}{}})
    log_message = SPF check failed: ($spf_header_comment)
    spf = fail : softfail
  ## Reject all SPF=softfail and all SPF=hardfail messages.

  accept

acl_check_rcpt:
  deny
    local_parts = ^[./|] : ^.*[\\\\@\$%`#&?/|] : ^.*/\\.\\./ : ^.*x24 : ^.*0.44
    message = 5.1.7 Restricted characters in address
  ## Prevent certain security holes.

  deny
    message = 5.4.6 That would create a mail loop
    domains = localhost : ^\\[127.* : ^.*\\.local : ^.*\\.localdomain : ^.*\\.localhost : ^127\\..*
  ## Prevent some crude mail loops.

  accept
    condition = ${if eq {$acl_m0}{authorizedrelay}{yes}{no}}
    control = submission/sender_retain
    control = dkim_disable_verify
  ## If the message is authorized relay - ergo authenticated and right IP - accept
  ## it through at RCPT stage too.

  require
    message = 5.7.1 Relay not permitted
    domains = +local_domains
  ## Message must be to a local mailbox if it's not authenticated.

  require
    verify = recipient
  ## Basic recipient reachability check.

  accept

acl_check_data:
  warn
    remove_header = date
    remove_header = subject
    add_header = Date: $tod_full
    add_header = Subject: ${rfc2047:${length_100:${sg{${sg{${sg{${sg{${sg{${sg{${sg{${sg{${sg{${sg{${sg{${sg{${sg{$h_subject:}{\\xE5}{\\xA5}}}{\\xC4}{\\x84}}}{\\xD6}{\\x96}}}{\\xC5}{\\x85}}}{\\xF6}{\\xB6}}}{\\xE4}{\\xA4}}}{\N[^a-zA-Z0-9\xA5\xA4\xB6\x85\x84\x96 !"\@#\$%&\/\{(\[)\]=\}?+\\\-_:.;,*><|^~]\N}{}}}{\N([\xA5\xA4\xB6\x85\x84\x96])\N}{\\xC3\$1}}}{ }{ }}}{ }{ }}}{ }{ }}}{^ }{}}}{ \$}{}}}}
  ## Scrub email. This replaces the Date header with a valid one, so if a mail
  ## has its date set to 1970-01-01 the email doesn't get pushed to the very
  ## bottom of the inbox.
  ## Also shortens subjects to 100 characters and removes invalid characters,
  ## preventing certain bugs and quirks in Microsoft Outlook with subjects.

  deny
    message = 5.6.0 Message headers fail syntax check
    !verify = header_syntax
  ## Basic header check.

  deny
    message = 5.6.0 No verifiable sender address in message headers
    !verify = header_sender
  ## Basic header check.

  deny
    message = 5.6.0 Missing MIME From header
    condition = ${if def:h_from:{no}{yes}}
  ## Basic header check.

  deny
    message = 5.7.14 You can't spoof the MIME From this server is authoritative for
    condition = ${if match {$h_from:}{(?i)@([a-zA-Z0-9_.\\-]*\\.)?(sebbe\\.eu)}{yes}{no}}
    condition = ${if eq {$acl_m0}{authorizedrelay}{no}{yes}}
  ## If the email is not an authorized relay, the MIME From: header can't be
  ## within the local server's domain.

  deny
    message = 5.7.1 Authorized relayed messages MUST have a local MIME From
    condition = ${if match {$h_from:}{^"?(Sebastian Nielsen|Microsoft Outlook)"? <(sebastian|abuse|postmaster)@sebbe\\.eu>\$}{no}{yes}}
    condition = ${if eq {$acl_m0}{authorizedrelay}{yes}{no}}
  ## If the email IS authenticated relay, the MIME From MUST be within the local
  ## domain, so if any bots from a local computer attempt to send, they must also
  ## use the local domain and cannot spoof.

  deny
    message = 5.7.0 Banned TLD in MIME From
    condition = ${if match {$h_from:}{^(?i).*\\.(app|accountant|accountants|auto|berlin|bid|camera|car|cars|christmas|click|club|college|computer|country|cricket|date|design|download|email|faith|fun|gdn|global|guru|help|host|jetzt|kim|life|link|loan|media|men|mom|news|ninja|online|party|photography|pro|protection|pub|racing|realtor|reise|ren|rent|review|rocks|science|security|shop|site|solutions|space|storage|store|stream|study|tech|technology|theatre|today|top|trade|university|uno|vip|vividal|wang|webcam|website|win|work|works|world|xin|xyz|zip)>\$}{yes}{no}}
  ## Same TLD ban as above, but this time for MIME From. Bans a lot of TLDs in
  ## the sender address. Those TLDs are the ICANN new garbage shit that are 100%
  ## spam sources.

  accept
Hope you like it.
Best regards, Sebastian Nielsen
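As an added illustration (not part of Sebastian's configuration or of Exim itself), here is a small Python model of the decision order in acl_check_mail above, run over constructed SMTP sessions; the client IPs, addresses and the shortened TLD list are made up, and the DNS-dependent steps (sender verification, SPF) are not modelled. It shows why a stolen password alone does not buy relay access and why the spoof check has to sit before the "local users must authenticate" check.

```python
import ipaddress
import re

# Constructed model of Sebastian's acl_check_mail ordering; it is not Exim.
# DNS-dependent steps (sender verification, SPF) are deliberately left out.
RELAY_FROM_HOSTS = [ipaddress.ip_network(n)
                    for n in ("192.168.0.0/16", "127.0.0.1/32", "::1/128")]
AUTH_SENDERS = re.compile(r"^(sebastian|postmaster|abuse)@sebbe\.eu$")
LOCAL_DOMAIN = re.compile(r".*sebbe\.eu$", re.I)
LOOP_DOMAINS = re.compile(r"^(localhost|\[127.*|.*\.local|.*\.localdomain|.*\.localhost|127\..*)$")
BANNED_TLDS = re.compile(r".*\.(click|loan|top|win|xyz|zip)$", re.I)  # shortened list


def in_relay_hosts(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RELAY_FROM_HOSTS)


def check_mail(ip, authenticated, sender):
    """MAIL FROM decision: returns (verdict, reason, acl_m0)."""
    # 1. password AND trusted network AND local sender -> authorized relay
    if authenticated and in_relay_hosts(ip) and AUTH_SENDERS.match(sender):
        return "accept", "authorized relay", "authorizedrelay"
    domain = sender.rsplit("@", 1)[1] if "@" in sender else ""
    # 2. anyone else claiming a local sender domain is a spoof, which also
    #    catches a stolen password used from outside relay_from_hosts
    if LOCAL_DOMAIN.match(domain):
        return "deny", "5.7.14 You can't spoof the domains this server is authoritative for", ""
    # 3. trusted network but no authentication (e.g. an infected PC)
    if in_relay_hosts(ip):
        return "deny", "5.7.1 Local users must authenticate", ""
    if LOOP_DOMAINS.match(domain):
        return "deny", "5.4.6 That would create a mail loop", ""
    if BANNED_TLDS.match(domain):
        return "deny", "5.7.0 Banned TLD", ""
    # (!verify = sender would run here)
    if sender == "":
        return "accept", "blank sender accepted (bounce)", ""
    # (spf = fail : softfail would run here)
    return "accept", "passed MAIL FROM checks", ""


if __name__ == "__main__":
    for session in [  # constructed sessions
        ("192.168.1.20", True, "sebastian@sebbe.eu"),  # legitimate LAN client
        ("203.0.113.7", True, "sebastian@sebbe.eu"),   # stolen password, outside
        ("192.168.1.20", False, "bob@example.org"),    # LAN host, no auth
        ("198.51.100.9", False, "ceo@sebbe.eu"),       # external spoof
        ("198.51.100.9", False, "promo@deals.xyz"),    # banned TLD
        ("198.51.100.9", False, "alice@example.org"),  # ordinary inbound mail
    ]:
        print(session, "->", check_mail(*session))
```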
-----Original message-----
From: Jacques B. Siboni via Exim-users <exim-users@???>
Sent: 1 June 2020 18:54
To: Jeremy Harris via Exim-users <exim-users@???>
Subject: [exim] A decent acl example please!
Dear colleagues,
It seems there are many ways to configure the acl part of exim4. I have tried
many options but, so far, I can't get rid of spammers using our smtp to send
spam mails. (I receive a lot of spam mails as well but this nuisance I can deal
with.)
Can some of you send a decent example of acl config solving most of the
problems encountered? I signal I have already added the spf record, a dkim
signature and dmarc data.
But nonetheless I believe some bots manage to pass through the net.
exim4 version is 4.93-16 on Debian
Thanks in advance
Jacques
--
Jacques B. Siboni
mailto:jacsib@Lutecium.org
8 pass. Charles Albert, F75018 Paris, France
Tel: +33 142 287 678 Port: +33 612 536 959
Home Page:
http://jacsib.lutecium.org/
Lutecium pages:
http://www.lutecium.org
--
## List details at
https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at
http://www.exim.org/
## Please use the Wiki with this list -
http://wiki.exim.org/