sorry for miss understanding.
i didn't talk about acl_connect because you dont have to modify it for this rule
here an example of the exim.conf i use
of course you cant use it integrally but it may help you to understand
i didn't talk about acl_connect because you dont have to modify it for this rule
here an example of the exim.conf i use
of course you cant use it integrally but it may help you to understand
Code:
# DirectAdmin SpamBlocker Version 3.2.4 RC exim.conf
# 09-Nov-2009 19:37 (-0800)
# Exim configuration file for DirectAdmin
# Requires exim.pl as distributed by DirectAdmin here:
# http://files.directadmin.com/services/exim.pl Dated 28-Mar-2008 or later
# # SpamBlocker with Optional VirusBlocker
# Dovecot Only
# # WARNING! Be sure to back up your previous exim.conf file before
# attempting to use this exim.conf file.
#
# Do NOT use this exim.conf Exim configuration file unless you
# make the required modifications to your Exim configuration
# following the instructions in the README file included in this
# distribution.
#
# WARNING: The following files must exist and have the same ownership
# and permisssions as your /etc/virtual/domains file.
#
# /etc/virtual/bad_sender_hosts
# /etc/virtual/bad_sender_hosts_ip
# /etc/virtual/blacklist_domains
# /etc/virtual/blacklist_senders
# /etc/virtual/whitelist_domains
# /etc/virtual/whitelist_hosts
# /etc/virtual/whitelist_hosts_ip
# /etc/virtual/whitelist_senders
# /etc/virtual/use_rbl_domains
#
# Some of the above files may already exist and be populated.
#
# If you have a prepopulated bad_sender_hosts file and if
# it's populated with listings which consist of IPs, then those
# listings must be moved out of the bad_sender_hosts file and
# into the bad_sender_hosts_ip file.
#
# If you have a prepopulated whitelist_hosts file and if it's
# populated with listings which consist of IP#s, then those
# listings must be moved out of the whitelist_hosts file and
# into the whitelist_hosts_ip file.
#
# We recommend that your /etc/virtual/use_rbl_domains file not
# exist as a separate file, but rather be a link to your
# /etc/virtual/domains file in which case all domains on your
# server will use blocklisting, which will keep your email server
# load manageable. If you do so, we also recommend you also
# notify all your clients that you use spam-management protocols
# on your server and that to keep your server load to a reasonable
# level you do not allow opt-out from spam-management.
#
# This is version "3.2-RC of the SpamBlocker exim.conf file as
# distributed by NoBaloney Internet Services for DirectAdmin based
# servers.
#
# More information about NoBaloney Internet Services may be found at:
# http://www.nobaloney.net/
#
# More information about DirectAdmin may be found at:
# http://www.directadmin.com/
#
# More information about the SpamBlocker exim.conf file may be found on the
# DirectAdmin forums:
# http://www.directadmin.com/forum/forumdisplay.php?f=56
# and at the NoBaloney Internet Services site:
# http://www.nobaloney.net/downloads/spamblocker/DirectAdminSpamBlocker3/
#
# This Exim configuration file has been modified from the original exim.conf
# file distributed with Exim 4. The modifications have been made by:
#
# NoBaloney Internet Services
# Post Office Box 52200
# Riverside, CA 92517-3200
# spamblocker - at - nobaloney.net
# (915) 643-5345
#
# The original exim.conf file distributed with Exim 4, includes the
# following copyright notice:
#
# Copyright (C) 2002 University of Cambridge, Cambridge, UK
# # Portions of the file are taken from the exim.conf file as
# distributed with DirectAdmin (http://www.directadmin.com/)
# # Copyright (C) 2003-2009 JBMC Software, St Albert, AB, Canada
# # Portions of this file are written by NoBaloney Internet Services
# and are copyright as follows:
#
# Copyright (C) 2004-2000 NoBaloney Internet Services, Riverside, Calif., USA
# # The entire Exim 4 distribution, including the exim.conf file, is
# distributed under the GNU GENERAL PUBLIC LICENSE, Version 2,
# June 1991. If you do not have a copy of the GNU GENERAL PUBLIC LICENSE
# you may download it, in it's entirety, from the website at:
#
# http://www.nobaloney.net/exim/gnu-gpl-v2.txt
#
# With thanks to Martino Dell'Ambrogio <tillo -at- tillo.ch> for his
# much needed and appreciated help.
#
# The most recent version of this file may always downloaded from the website
# at: http://www.nobaloney.net/downloads/spamblocker
#
# IMPORTANT NOTICE:
#
# Whenever you change Exim's configuration file, you *must* remember
# to HUP the Exim daemon, because it will not pick up the new
# configuration until you do. However, any other Exim processes that
# are started, for example, a process started by an MUA in order to
# send a message, will see the new configuration as soon as it is in
# place.
#
# You do not need to HUP the daemon for changes in auxiliary files
# that are referenced from this file. They are read every time they
# are used.
#
# It is usually a good idea to test a new configuration for
# syntactic correctness before installing it (for example, by
# running the command "exim -C /config/file.new -bV").
#
# MODIFICATION INSTRUCTIONS
#
# YOU MUST MAKE THE CHANGES TO THIS SpamBlocked exim.conf file as
# documented in the README file.
#
# The README file for this version is named:
# ReadMe-SpamBlocker.3.2-RC.txt
# CONFIGURATION STARTS HERE
# Specify your host's canonical name here. This should normally be the
# fully qualified "official" name of your host. If this option is not
# set, the uname() function is called to obtain the name. In many cases
# this does the right thing and you need not set anything explicitly.
# primary_hostname =
# EDIT FOR CLAMAV
# If you use ClamAv, then uncomment no more than one of the lines below
# depending on how you call ClamAv (check to see how you call ClamAv
# and uncomment the line which corresponds to how you call ClamAv).
# if you call ClamAV by some other method leave all three lines
# commented out and insert a line required by the method you use to
# call ClamAV
# av_scanner = clamd:/var/run/clamav/clamd
# av_scanner = clamd:/tmp/clamd
# av_scanner = clamd:127.0.0.1 3310
# Specify the domain you want to be added to all unqualified addresses
# here. An unqualified address is one that does not contain an "@" character
# followed by a domain. For example, "[email protected]" is a fully qualified
# address, but the string "caesar" (i.e. just a login name) is an unqualified
# email address. Unqualified addresses are accepted only from local senders by
# default. See the receiver_unqualified_{hosts,nets} options if you want
# to permit unqualified addresses from remote sources. If this option is
# not set, the primary_hostname value is used for qualification.
# qualify_domain =
# the next line is required to start the smtp auth script included
# in DirectAdmin
perl_startup = do '/etc/exim.pl'
# the next line is required to start the system_filter included in
# DirectAdmin
system_filter = /etc/system_filter.exim
# the next line enabless the incoming email submission port 587
# as well as the standard email receipt port 25
# but see also check_recipient ACL port 587 ruleset
daemon_smtp_ports = 25 : 587
# SET SOME MEANINGFUL LIMITS
# These defaults work for us; you may wish to modify them
# for your environment
# EDIT AS REQUIRED TO FIT YOUR ENVIRONMENT message_size_limit = 100M smtp_receive_timeout = 5m smtp_accept_max = 100 message_body_visible = 3000 print_topbitchars = true smtp_accept_max_nonmail = 19 smtp_accept_max_per_host = 10 recipients_max = 150
# ALLOW UNDERSCORE IN EMAIL DOMAIN NAME
# domains shouldn't use the underscore character "_" but some
# may. Because John Postel, one of the architects of the Internet,
# said "Be liberal in what you accept and conservative in what you
# transmit, we choose to allow underscore in email domain names so we
# can receive email form domains which use the underscore character
# in their domain name.
# EDIT AS REQUIRED TO FIT YOUR ENVIRONMENT helo_allow_chars = _
# CHANGE LOGGING BEHAVIOR
# We weren't happy with the default Exim logging behavior through
# syslog; it didn't give us enough information. So we turned off
# syslog behavior and changed the logging behavior to give us what we
# felt was more helpful information. You may choose to delete or modify
# this section.
# EDIT AS REQUIRED TO FIT YOUR ENVIRONMENT log_selector = \
+delivery_size \
+sender_on_delivery \
+received_recipients \
+received_sender \
+smtp_confirmation \
+subject \
+smtp_incomplete_transaction \
-dnslist_defer \
-host_lookup_failed \
-queue_run \
-rejected_header \
-retry_defer \
-skip_delivery \
+arguments
syslog_duplication = false
# These options specify the Access Control Lists (ACLs) that
# are used for incoming SMTP messages - after the CONNECT, RCPT and DATA
# commands, respectively.
acl_smtp_connect = acl_connect
acl_smtp_helo = acl_check_helo
acl_smtp_rcpt = acl_check_recipient
acl_smtp_data = acl_check_message
# define local lists
# EDIT: NO EDIT TO THIS FILE NEEDED HERE BUT:
# MAKE SURE THE FOLLOWING FILES EXIST; IF THEY DON'T, CREATE THEM
# WITH THE SAME OWNERSHIP AND PERMISSIONS AS THE /etc/virtual/domains
# FILE.
#
# EVERY FILE DEFINED BY AN addresslist, domainlist or hostlist MUST
# EXIST AT /etc/virtual OR ELSE EXIM WILL NOT RUN.
#
# NOTE THAT SOME FILES ARE LISTED IN MULTIPLE LISTS BELOW; IF SO THE
# FILE SHOULD STILL ONLY EXIST ONCE.
#
# IF YOU WANT TO RUN SPAMBLOCKER FOR ALL DOMAINS ON YOUR SERVER
# (RECOMMENDED ON TODAY'S INTERNET BUT YOU SHOULD NOTIFY YOUR CLIENTS)
# THEN YOU SHOULD CREATE /etc/virtual/use_rbl_domains AS A LINK TO
# THE FILE /etc/virtual/domains INSTEAD OF CREATING IT AS A NEW
# FILE.
#
# NOTE: No management tools are included in DirectAdmin to manage
# the whitelists, blacklists or list of domains using the RBLs,
# but commercial tools may be available; search the DirectAdmin
# Forums.
addresslist whitelist_senders = lsearch;/etc/virtual/whitelist_senders
addresslist blacklist_senders = lsearch;/etc/virtual/blacklist_senders
domainlist blacklist_domains = lsearch;/etc/virtual/blacklist_domains
domainlist whitelist_domains = lsearch;/etc/virtual/whitelist_domains
domainlist local_domains = lsearch;/etc/virtual/domains
domainlist relay_domains = lsearch;/etc/virtual/domains : localhost
domainlist use_rbl_domains = lsearch;/etc/virtual/use_rbl_domains
domainlist whitelist_senders_domains = lsearch;/etc/virtual/whitelist_senders_domains : lsearch;/etc/virtual/domains
# EDIT AS REQUIRED TO FIT YOUR ENVIRONMENT
# If you run ClamAv then create an empty file /etc/virtual/skip_av_domains
# and uncomment the next line. Later you can copy domain names from
# the /etc/virtual/domains file for any domains that should NOT use
# ClamAv.
# NOTE: there's more to uncomment below for ClamAV to work.
# domainlist skip_av_domains = lsearch;/etc/virtual/skip_av_domains
hostlist auth_relay_hosts = *
hostlist bad_sender_hosts = lsearch;/etc/virtual/bad_sender_hosts
hostlist bad_sender_hosts_ip = /etc/virtual/bad_sender_hosts_ip hostlist whitelist_hosts = lsearch;/etc/virtual/whitelist_hosts
hostlist whitelist_hosts_ip = /etc/virtual/whitelist_hosts_ip
# EDIT AS REQUIRED TO FIT YOUR ENVIRONMENT
# EITHER ALLOW OR DISALLOW 127.0.0.1 AS RELAY HOST;
# UNCOMMENT ONE OR THE OTHER.
hostlist relay_hosts = net-lsearch;/etc/virtual/pophosts : 127.0.0.1
# EDIT AS REQUIRED TO FIT YOUR ENVIRONMENT
# ALLOW HOST LITERALS
# note that allowing host literals is NOT recommended for today's Internet.
# The default is to NOT allow email addressed to your server's literal IP
# address. If you want to allow email addressed to your server's literal
# IP address, for example: user@[111.111.111.111], then uncomment the
# next two lines and see also the "domain_literal" router below.
# local_domains_include_host_literals
# allow_domain_literals
# EDIT AS REQUIRED TO FIT YOUR ENVIRONMENT
# DISALLOW LOCAL DELIVERIES UNDER UIDs OF CERTAIN USERS
# No local deliveries will ever be run under the uids of these users
# (a colon-separated list). An attempt to do so gets changed so that
# it runs under the uid of "nobody" instead. This is a paranoic safety
# catch. Note the default setting means you cannot deliver mail
# addressed to root as if it were a normal user. This isn't usually a
# problem, as most sites have an alias for root that redirects such mail
# to a human administrator. You may comment out the line below to
# allow user root to receive email, or you make add more usernames
# in a colon-separated list. Generally you should add the names of any
# other users who share the UID/GID 0:0, but you shouldn't need to add
# any other usernames to this list. The default is generally perfect
#never_users = root
# EDIT AS REQUIRED TO FIT YOUR ENVIRONMENT
# ALLOW HOST LOOKUPS ON INCOMING EMAIL
# The setting below causes Exim to do a reverse DNS lookup on all
# incoming IP email, in order to get the true host name. If you feel
# this is too time-consuming, you can comment out the next line.
host_lookup = *
# EDIT AS REQUIRED TO FIT YOUR ENVIRONMENT
# ENABLE IDENT CALLBACKS
# Exim may be set to make RFC 1413 (ident) callbacks for all incoming
# SMTP calls. You can limit the hosts to which these calls are made,
# and/or change the timeout that is used. If you set the timeout to zero,
# all RFC 1413 calls are disabled. RFC 1413 calls are cheap and can
# provide useful information for tracing problem messages, but some
# hosts and firewalls have problems with them. This can result in a
# timeout instead of an immediate refused connection, leading to delays
# on starting up an SMTP session. By default we disable callbacks for
# incoming SMTP calls. You may change rfc1413_query_timeout to 30s or
# some other positive number of seconds to enable callbacks for incoming
# SMTP calls.
rfc1413_hosts = *
rfc1413_query_timeout = 0s
# QUEUE RUNS
# The following settings modify when and how exim queue-runners run on your
# server.
# EDIT AS REQUIRED TO FIT YOUR ENVIRONMENT
# deliver_queue_load_max:
# If deliver_queue_load_max is set, then the value is used to determine
# whether to abandon a queue run, based on the system load average
deliver_queue_load_max = 4.0
# EDIT AS REQUIRED TO FIT YOUR ENVIRONMENT
# queue_only_load:
# If the queue_only_load_max is set, then all incoming messages are queued
# and no automatic deliveries are started, as long as the system load
# average is higher than this value. If this happens during local or remote
# smtp input, then all subsequent messages on the same connection are queued.
# Deliveries are subsequently performed by queue running processes, unless
# the load is higher than the setting for deliver_queue_load_max, above.
queue_only_load = 6.0
# EDIT AS REQUIRED TO FIT YOUR ENVIRONMENT
# queue_run_max
# queue_run_max determines the maximum number of queue-running processes
# exim will run simultaneously. This does not mean that it starts them all
# at once, but rather that if the maximum number are still running when the
# time comes to start another one, exim will not start it. This can happen
# with very large queues and/or very sluggish deliveries. This option does
# not interlock with other processes: additional queue-running processes
# can be started by other means; i.e., from the command line, or by killing
# and restarting the exim daemon.
queue_run_max = 5
# MESSAGE BOUNCES
# When Exim can neither deliver a message nor return it to sender, it
# "freezes" the delivery error message (aka "bounce message"). There are
# also other circumstances in which messages get frozen. They will stay
# on the queue forever unless one or both of the following options is
# set.
# EDIT AS REQUIRED TO FIT YOUR ENVIRONMENT
# This option unfreezes bounce messages after two days, tries
# once more to deliver them, and ignores any delivery failures.
ignore_bounce_errors_after = 2d
# EDIT AS REQUIRED TO FIT YOUR ENVIRONMENT
# FROZEN MESSAGES
# This option cancels (removes) frozen messages that are older than three
# days.
timeout_frozen_after = 3d
# EDIT AS REQUIRED TO FIT YOUR ENVIRONMENT
# TRUSTED USERS
# if you must add additional trusted users, do so here; continue the
# colon-delimited list
trusted_users = mail:majordomo:apache:diradmin
# EDIT AS REQUIRED TO FIT YOUR ENVIRONMENT
# SSL/TLS cert and key tls_certificate = /etc/exim.cert tls_privatekey = /etc/exim.key tls_advertise_hosts = *
#auth_over_tls_hosts = * tls_require_ciphers = ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
# ACLs
######
# EDIT BOUNCE MESSAGES
# to allow for false positives on email checking against blocklists, you
# may want to set up a page somewhere on the Internet where you explain
# your whitelisting policy or precedure. This SpamBlocker exim.conf file
# does NOT define either that page, or your procedure; setting it up is
# your responsibility.
# In the following ACL sections you'll find many bounce messages; you
# should edit them as necessary.
begin acl
acl_connect:
accept hosts = *
delay = 0s
# above accepts hosts who are polite enough to wait rather than just send, as spammers do
# EDIT AS REQUIRED TO FIT YOUR ENVIRONMENT
deny message = Too quick on the draw - to unblock wait for helo/ehlo
acl_check_helo:
#accept email originating on this server unconditionally
accept hosts = @[] : @
# deny if the HELO pretends to be this host
# EDIT AS REQUIRED TO FIT YOUR ENVIRONMENT
# EDIT : REPLACE HOSTNAME WITH YOUR HOSTNAME AND IP with your main IP#
deny message = You cannot be me
condition = ${if or { \
{eq {${lc:$sender_helo_name}}{FQDN.goes.here}} \
{eq {${lc:$sender_helo_name}}{xxx.xxx.xxx.xxx}} \
} {true}{false} }
accept
# ACL that is used after the RCPT command
acl_check_recipient:
# to block certain wellknown exploits, Deny for local domains if
# local parts begin with a dot or contain @ % ! / |
deny domains = +local_domains
local_parts = ^[.] : ^.*[@%!/|]
# to restrict port 587 to authenticated users only
# see also daemon_smtp_ports above
accept hosts = +auth_relay_hosts
condition = ${if eq {$interface_port}{587} {yes}{no}}
endpass
message = relay not permitted, authentication required
authenticated = *
# RC 3.2.4 09-nov-2009
# Mailer-Daemon messages must be for us
deny senders = :
message = We don't host the recipient domain
hosts = !+relay_hosts
domains = !+local_domains
!authenticated = *
# RC 3.2.3 05-sep-2009 deny all unauthenticated if Helo not FQDN
# deny hosts = !+relay_hosts
# message = HELO should be Fully Qualified Domain Name Host.Domain.Tld See RFC821
# !authenticated = *
# condition = ${if !match\
# {$sender_helo_name}\
# {\N.*[A-Za-z].*\..*[A-Za-z].*\N}\
# {yes}{no}}
# EDIT AS REQUIRED TO FIT YOUR ENVIRONMENT
# EDIT TO IMPLEMENT CLAMAV
# if you use ClamAV uncomment the two lines below to set acl_m0 to
# use later in the data acl to implement ClamAV for all domains not listed
# in skip_av_domains
# warn domains = +skip_av_domains
# set acl_m0 = $tod_epoch
# allow local users to send outgoing messages using slashes
# and vertical bars in their local parts.
# Block outgoing local parts that begin with a dot, slash, or vertical
# bar but allows them within the local part.
# The sequence \..\ is barred. The usage of @ % and ! is barred as
# before. The motivation is to prevent your users (or their virii)
# from mounting certain kinds of attacks on remote sites.
deny domains = !+local_domains
local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
# local source whitelist
# accept if the source is local SMTP (i.e. not over TCP/IP).
# Test for this by testing for an empty sending host field.
accept hosts = :
logwrite = Whitelisted as having local origination
# sender domains whitelist
# accept if sender domain is in whitelist
accept sender_domains = +whitelist_domains
logwrite = $sender_host_address whitelisted in local whitelist
# sender hosts whitelist
# accept if sender host is in whitelist
accept hosts = +whitelist_hosts
accept hosts = +whitelist_hosts_ip
logwrite = $sender_host_address whitelisted in local whitelist
# envelope senders whitelist
# accept if envelope sender is in whitelist
accept senders = +whitelist_senders
logwrite = $sender_host_address whitelisted in local whitelist
# deny email addresses in blacklist_senders
# EDIT AS REQUIRED TO FIT YOUR ENVIRONMENT
# EDIT edit message to fit your needs.
deny message = Email blocked by server's local sender host blocklist
domains = +use_rbl_domains
senders = +blacklist_senders
# dnswl.org whitelist (whitelist official ISP servers)
# accept if IP# is listed at dnswl.org as whitelisted
accept domains = +local_domains
dnslists = list.dnswl.org
logwrite = $sender_host_address whitelisted in list.dnswl.org
# hostkarma.junkemailfilter.com used as whitelist
# accept if IP# is listed at hostkarma.junkemailfilter.com as whitelisted
# 127.0.0.1 means whitelisted
accept domains = +local_domains
dnslists = hostkarma.junkemailfilter.com=127.0.0.1
logwrite = $sender_host_address whitelisted in hostkarma.junkemailfilter.com
# Deny IPs in your local bad_sender_hosts blacklist
# even if sent to postmaster, hostmaster, or abuse
# Note this breaks RFCs but we think you should be able to do this.
# EDIT AS REQUIRED TO FIT YOUR ENVIRONMENT
# EDIT Your deny message should be sent back to the original sender
# you may want to change it to point to your policy or page on whitelisting
deny message = Email blocked by server's local sender host blacklist
hosts = +bad_sender_hosts_ip
# NOW ACCEPT EMAIL TO postmaster, hostmaster, or abuse
# EDIT AS REQUIRED TO FIT YOUR ENVIRONMENT
# accept mail to postmaster in any local domain, regardless of source
accept local_parts = postmaster
domains = +local_domains
# accept mail to abuse in any local domain, regardless of source
accept local_parts = abuse
domains = +local_domains
# accept mail to hostmaster in any local domain, regardless of source
accept local_parts = hostmaster
domains =+local_domains
# OPTIONAL MODIFICATIONS:
# If the page you're using to notify senders of blocked email of how
# to get their address unblocked will use a web form to send you email so
# you'll know to unblock those senders, then you may leave these lines
# commented out. However, for example, if you'll be telling your
# senders of blocked email to send an email to [email protected],
# then you should replace "errors" with the left side of the email
# address you'll be using, and "example.com" with the right side of the
# email address and then uncomment the two lines beginning with the line
# which begins with the word accept
#
# Doing this will mean anyone can send email to this specific address,
# even if they're at a blocked domain, and even if your domain is using
# blocklists.
# accept mail to [email protected], regardless of source
# EDIT AS REQUIRED TO FIT YOUR ENVIRONMENT
# EDIT be sure to change to use your own email address
accept local_parts = errors
domains = somedomain.com
# OPTIONAL MODIFICATIONS:
# By default we do NOT require sender verification.
# Sender verification denies email unless sender address can be
# verified:
# If you want to require sender verification, i.e., that the
# sending address is routable and mail can be delivered to it, then
# uncomment the next line.
# EDIT AS REQUIRED TO FIT YOUR ENVIRONMENT
# EDIT uncomment the next line if you want sender verification
# require verify = sender
# deny domains in local blacklist
# EDIT AS REQUIRED TO FIT YOUR ENVIRONMENT
# EDIT edit message to fit your needs.
deny message = Email blocked by server's local blacklist
# only for domains that do want to be tested against RBLs
domains = +use_rbl_domains
sender_domains = +blacklist_domains
# deny hostnames in bad_sender_hosts blacklist
# EDIT AS REQUIRED TO FIT YOUR ENVIRONMENT
# EDIT edit message to fit your needs.
deny message = Email blocked by server's local sender host blacklist
# only for domains that do want to be tested against RBLs
domains = +use_rbl_domains
hosts = +bad_sender_hosts
# deny email forging paypal sender
deny message = Forged Paypal Mail, not sent from PayPal.
senders = *@paypal.com
condition = ${if match {$sender_host_name}{\Npaypal.com$\N}{no}{yes}}
# Next deny stuff from blacklists for hosts in use_rbl_domains
# Deny using various RBLs
# EDIT AS REQUIRED TO FIT YOUR ENVIRONMENT
# EDIT edit message to fit your needs.
deny message = Email blocked by $dnslist_domain
hosts = !+relay_hosts
domains = +use_rbl_domains
!authenticated = *
dnslists = \
zen.spamhaus.org : \
psbl.surriel.com : \
access.redhawk.org : \
dnsbl.njabl.org : \
bl.spamcop.net : \
dnsbl.ahbl.org : \
cbl.abuseat.org : \
b.barracudacentral.org : \
combined.rbl.msrbl.net
## LISTS NOT INCLUDED AT THIS TIME; PERHAPS WE'LL INCLUDE THEM LATER:
# bogusmx.rfc-ignorant.org/$sender_address_domain
## WOULD BE NICE TO INCLUDE BUT REQUIRES DA-SANCTIONED ADDITION TO exim.pl
# http://www.directadmin.com/forum/showthread.php?p=107371#post107371
## NAME BASED BLOCKLIST EMAIL CHECKS
# EDIT AS REQUIRED TO FIT YOUR ENVIRONMENT
# EDIT edit message to fit your needs.
deny message = Email blocked by $dnslist_domain
hosts = !+relay_hosts
domains = +use_rbl_domains
!authenticated = *
dnslists = \
rhsbl.ahbl.org/$sender_address_domain
#block.rhs.mailpolice.com/$sender_address_domain
# ACCEPT EMAIL BEGINNING HERE
# accept if address is in a local domain as long as recipient can be verified
accept domains = +local_domains
endpass
message = "Unknown User"
verify = recipient
# accept if address is in a domain for which we relay as long as recipient
# can be verified
accept domains = +relay_domains
endpass
verify = recipient
# accept if message comes for a host for which we are an outgoing relay
# recipient verification is omitted because many MUA clients don't cope
# well with SMTP error responses.
# EDIT AS REQUIRED TO FIT YOUR ENVIRONMENT
# EDIT If you are actually relaying from MTAs then you should probably
# add recipient verify here
accept hosts = +relay_hosts
accept hosts = +auth_relay_hosts
endpass
message = authentication required
authenticated = *
# FINAL DENY EMAIL BEFORE DATA BEGINS HERE
# default at end of acl causes a "deny", but line below will give
# an explicit error message:
deny message = relay not permitted
# ACL that is used after the DATA command
acl_check_message:
# Deny outgoing email with a FROM domain that this server does not own
deny
message = Illegal FROM adresse domain
hosts = @[]
condition = ${if or {\
{!match_domain{${domain:$rh_From:}}{+whitelist_senders_domains}}\
{!match_domain{$sender_address_domain}{+whitelist_senders_domains}}\
}{yes}{no}}
# EDIT AS REQUIRED TO FIT YOUR ENVIRONMENT
# EDIT TO IMPLEMENT CLAMAV
# Uncomment this entire section (except the comment lines beginning with "# #"
# when implementing ClamAV
# # accept without checking if in skip_av_domains
# accept condition =${if and {{def:acl_m0}{def:acl_m0}} {true}{false}}
#
# deny message = This message contains malformed MIME ($demime_reason)
# demime = *
# condition = ${if >{$demime_errorlevel}{2}{1}{0}}
#
# deny message = This message contains a virus or other harmful content ($malware_name)
# demime = *
# malware = *
#
# deny message = This message contains an attachment of a type which we do not accept (.$found_extension)
# demime = bat:com:pif:prf:scr:vbs
#
# # Accept but put warning into headers if message over 1000k
# warn message = X-Antivirus-Scanner: Skipped scanning; size over 1000K. You should use an Antivirus Scanner
# condition = ${if >={$message_size}{1000k} {1}{0}}
#
# warn message = X-Antivirus-Scanner: Seems clean. You should still use an Antivirus Scanner
# default to accept (otherwise all would be denied)
accept
# AUTHENTICATION CONFIGURATION
##############################
begin authenticators
plain:
driver = plaintext
public_name = PLAIN
server_prompts = :
server_condition = "${perl{smtpauth}}"
server_set_id = $2
login:
driver = plaintext
public_name = LOGIN
server_prompts = "Username:: : Password::"
server_condition = "${perl{smtpauth}}"
server_set_id = $1
# REWRITE CONFIGURATION
# There is no rewriting specification in this exim.conf file
# ROUTERS CONFIGURATION
# Specifies how remote addresses are handled.
#
# Remote addresses are those with a domain that does not match any item
# in the "local_domains" setting above.
#
# We specify two routers, but only one or the other may be used.
#
# If this server routes its own remote email, then the lookuphost
# router should be uncommented and the smarthost driver should be commented.
#
# If this router sends all remote email to a smarthost, then the lookuphost
# router should be commented and the smarthost driver should be uncommented.
#
# By default this exim.conf file presumes this server will rout its own
# remote email.
begin routers
# EDIT AS REQUIRED TO FIT YOUR ENVIRONMENT
# EDIT Only one of these routers may be uncommented; see notes above.
lookuphost:
driver = dnslookup
domains = ! +local_domains
ignore_target_hosts = 127.0.0.0/8
condition = "${perl{check_limits}}"
transport = remote_smtp
no_more
#smarthost:
# driver = manualroute
# route_list = !+local_domains da6.namelessnet.com
# transport = remote_smtp
# DIRECTORS CONFIGURATION
# Specifies how local addresses are handled.
#
# Order does matter; a local address is passed to each in turn until
# it is accepted.
# Local addresses are those with a domain that matches some item in
# the local_domains setting above.
# Spam Assassin
# EDIT AS REQUIRED TO FIT YOUR ENVIRONMENT
# EDIT Uncomment the section below (including the "spamcheck_director"
# line) if you've Installed Spam Assassin on your server. Note that
# this section should NOT be uncommented unless Spam Assassin is
# installed on your server.
#spamcheck_director:
# driver = accept
# condition = "${if and { \
# {!def:h_X-Spam-Flag:} \
# {!eq {$received_protocol}{spam-scanned}} \
# {!eq {$received_protocol}{local}} \
# {exists{/home/${lookup{$domain}lsearch{/etc/virtual/domainowners}{$value}}/.spamassassin/user_prefs}} \
# {<{$message_size}{100k}} \
# } {1}{0}}"
# retry_use_local_part
# transport = spamcheck
# no_verify
majordomo_aliases:
driver = redirect
allow_defer
allow_fail
data = ${if exists{/etc/virtual/${domain}/majordomo/list.aliases}{${lookup{$local_part}lsearch{/etc/virtual/${domain}/majordomo/list.aliases}}}}
domains = lsearch;/etc/virtual/domainowners
file_transport = address_file
group = daemon
pipe_transport = majordomo_pipe
retry_use_local_part
no_rewrite
user = majordomo
majordomo_private:
driver = redirect
allow_defer
allow_fail
#condition = "${if eq {$received_protocol} {local} {true} {false} }"
condition = "${if or { {eq {$received_protocol} {local}} \
{eq {$received_protocol} {spam-scanned}} } {true} {false} }"
data = ${if exists{/etc/virtual/${domain}/majordomo/private.aliases}{${lookup{$local_part}lsearch{/etc/virtual/${domain}/majordomo/private.aliases}}}}
domains = lsearch;/etc/virtual/domainowners
file_transport = address_file
group = daemon
pipe_transport = majordomo_pipe
retry_use_local_part
user = majordomo
domain_filter:
driver = redirect
allow_filter
no_check_local_user
condition = "${if exists{/etc/virtual/${domain}/filter}{yes}{no}}"
user = "${lookup{$domain}lsearch{/etc/virtual/domainowners}{$value}}"
group = "mail"
file = /etc/virtual/${domain}/filter
directory_transport = address_file
pipe_transport = virtual_address_pipe
retry_use_local_part
no_verify
uservacation:
# RC 3.2.3 05-sep-2009 do not reply to errors,bounces,lists
driver = accept
condition = ${lookup{$local_part} lsearch {/etc/virtual/${domain}/vacation.conf}{yes}{no}}
require_files = /etc/virtual/${domain}/reply/${local_part}.msg
# do not reply to errors and bounces or lists
senders = " ! ^.*-request@.*:\
! ^owner-.*@.*:\
! ^postmaster@.*:\
! ^listmaster@.*:\
! ^mailer-daemon@.*\
! ^root@.*"
transport = uservacation
unseen
userautoreply:
driver = accept
condition = ${lookup{$local_part} lsearch {/etc/virtual/${domain}/autoresponder.conf}{yes}{no}}
require_files = /etc/virtual/${domain}/reply/${local_part}.msg
# do not reply to errors and bounces or lists
senders = " ! ^.*-request@.*:\
! ^owner-.*@.*:\
! ^postmaster@.*:\
! ^listmaster@.*:\
! ^mailer-daemon@.*\
! ^root@.*"
transport = userautoreply
unseen
virtual_aliases_nostar:
driver = redirect
allow_defer
allow_fail
data = ${if exists{/etc/virtual/${domain}/aliases}{${lookup{$local_part}lsearch{/etc/virtual/${domain}/aliases}}}}
file_transport = address_file
group = mail
pipe_transport = virtual_address_pipe
retry_use_local_part
unseen
#include_domain = true
virtual_user:
driver = accept
condition = ${perl{save_virtual_user}}
domains = lsearch;/etc/virtual/domainowners
group = mail
retry_use_local_part
transport = virtual_localdelivery
# accept only if local_part is not in the aliases file
# (this implements catch-all)
virtual_aliases:
driver = redirect
allow_defer
allow_fail
condition = ${if eq {}{${if exists{/etc/virtual/${domain}/aliases}{${lookup{$local_part}lsearch{/etc/virtual/${domain}/aliases}}}}}{yes}{no}}
data = ${if exists{/etc/virtual/$domain/aliases}{${lookup{$local_part}lsearch*{/etc/virtual/$domain/aliases}}}}
file_transport = address_file
group = mail
pipe_transport = virtual_address_pipe
retry_use_local_part
#include_domain = true
# if we have an alias, but no passwd entry we have to drop the email because the
# first alias is unseen (so that you can forward as well as save it)
# The save part is "seen" (virtual_user), but the forward before it isn't. This
# will be the spot where we "see" the email so that it doesn't send a bounce if
# we have an alias but no pop.
drop_solo_alias:
driver = redirect
allow_defer
allow_fail
data = ${if exists{/etc/virtual/$domain/aliases}{${lookup{$local_part}lsearch{/etc/virtual/$domain/aliases}}}}
file_transport = devnull
group = mail
pipe_transport = devnull
retry_use_local_part
#include_domain = true
# This director handles forwarding using traditional .forward files.
# If you want it also to allow mail filtering when a forward file
# starts with the string "# Exim filter", uncomment the "filter" option.
# The check_ancestor option means that if the forward file generates an
# address that is an ancestor of the current one, the current one gets
# passed on instead. This covers the case where A is aliased to B and B
# has a .forward file pointing to A. The three transports specified at the
# end are those that are used when forwarding generates a direct delivery
# to a file, or to a pipe, or sets up an auto-reply, respectively.
userforward:
driver = redirect
allow_filter
check_ancestor
check_local_user
no_expn
file = $home/.forward
file_transport = address_file
pipe_transport = address_pipe
reply_transport = address_reply
no_verify
system_aliases:
driver = redirect
allow_defer
allow_fail
data = ${lookup{$local_part}lsearch{/etc/aliases}}
file_transport = address_file
pipe_transport = address_pipe
retry_use_local_part
# user = exim
# The director below matches local user mailboxes
localuser:
driver = accept
check_local_user
condition = "${if eq {$domain} {$primary_hostname} {yes} {no}}"
transport = local_delivery
# TRANSPORTS CONFIGURATION
# ORDER DOES NOT MATTER; ONLY ONE APPROPRIATE TRANSPORT
# IS CALLED FOR EACH DELIVERY
# A transport is used only when referenced from a director or a router that
# successfully handles an address.
begin transports
# The spamcheck router is used by SpamAssassin
# NOTE this transport need not be commented out if you don't use spamassassin
# on your server; if that's the case it won't ever be called
spamcheck:
driver = pipe
batch_max = 100
command = /usr/sbin/exim -oMr spam-scanned -bS
current_directory = "/tmp"
group = mail
home_directory = "/tmp"
log_output
message_prefix =
message_suffix =
return_fail_output
no_return_path_add
transport_filter = /usr/bin/spamc -u ${lookup{$domain}lsearch*{/etc/virtual/domainowners}{$value}}
use_bsmtp
user = mail
# must use a privileged user to set $received_protocol on the way back in!
#majordomo
majordomo_pipe:
driver = pipe
group = daemon
return_fail_output
user = majordomo
# The transport below is used for local delivery to user mailboxes
# in Maildir format, in the user's local Maildir Directory as defined
# by DirectAdmin
local_delivery:
driver = appendfile
delivery_date_add
envelope_to_add
directory = /home/$local_part/Maildir/
directory_mode = 770
create_directory = true
maildir_format
group = mail
mode = 0660
return_path_add
user = ${local_part}
# The transport below is for delivering virtual domain users' email
# to their own mail spool
virtual_localdelivery:
driver = appendfile
create_directory
delivery_date_add
directory_mode = 770
envelope_to_add
directory = /home/${lookup{$domain}lsearch*{/etc/virtual/domainowners}{$value}}/imap/${domain}/${local_part}/Maildir
maildir_format
group = mail
mode = 660
return_path_add
user = "${lookup{$domain}lsearch*{/etc/virtual/domainowners}{$value}}"
quota = ${if exists{/etc/virtual/${domain}/quota}{${lookup{$local_part}lsearch*{/etc/virtual/${domain}/quota}{$value}{0}}}{0}}
# The vacation transport is below
uservacation:
driver = autoreply
file = /etc/virtual/${domain}/reply/${local_part}.msg
from = "${local_part}@${domain}"
log = /etc/virtual/${domain}/reply/${local_part}.log
no_return_message
subject = "${if def:h_Subject: {Autoreply: ${quote:${escape:$h_Subject:}}} {I am on vacation}}"
text = "\
------ ------\n\n\
This message was automatically generated by email software\n\
The delivery of your message has not been affected.\n\n\
------ ------\n\n"
to = "${sender_address}"
user = mail
#once = /etc/virtual/${domain}/reply/${local_part}.once
# The autoreply transport is below
userautoreply:
driver = autoreply
bcc = ${lookup{${local_part}} lsearch {/etc/virtual/${domain}/autoresponder.conf}{$value}}
file = /etc/virtual/${domain}/reply/${local_part}.msg
from = "${local_part}@${domain}"
log = /etc/virtual/${domain}/reply/${local_part}.log
no_return_message
subject = "${if def:h_Subject: {Autoreply: ${quote:${escape:$h_Subject:}}} {Autoreply Message}}"
to = "${sender_address}"
user = mail
#once = /etc/virtual/${domain}/reply/${local_part}.once
# The follow transport delivers email destined to /dev/null
devnull:
driver = appendfile
file = /dev/null
# This transport is used for delivering messages over SMTP connections.
remote_smtp:
driver = smtp
# The transports below are used for handling pipe deliveries generated by alias
# or .forward files. If the pipe generates any standard output, it is returned
# to the sender of the message as a delivery error. Set return_fail_output
# instead of return_output if you want this to happen only when the pipe fails
# to complete normally. You can set different transports for aliases and
# forwards if you want to - see the references to address_pipe in the directors
# section below.
address_pipe:
driver = pipe
return_output
virtual_address_pipe:
driver = pipe
group = nobody
return_output
user = "${lookup{$domain}lsearch* {/etc/virtual/domainowners}{$value}}"
# The transport below is used for handling deliveries directly to files that are
# generated by aliasing or forwarding.
address_file:
driver = appendfile
delivery_date_add
envelope_to_add
return_path_add
# The transport below is used for handling autoreplies generated by the filtering
# option of the forwardfile director.
address_reply:
driver = autoreply
# RETRY CONFIGURATION
# This single retry rule applies to all domains and all errors. It specifies
# retries every 15 minutes for 2 hours, then increasing retry intervals,
# starting at 1 hour and increasing each time by a factor of 1.5, up to 16
# hours, then retries every 8 hours until 4 days have passed since the first
# failed delivery.
# Domain Error Retries
# ------ ----- -------
begin retry
* * F,2h,15m; G,16h,1h,1.5; F,4d,8h
# End of Exim 4 configuration
Last edited: