diff --git a/src/configure.default b/src/configure.default index f1260cf..05e9371 100644 --- a/src/configure.default +++ b/src/configure.default @@ -107,6 +107,7 @@ hostlist relay_from_hosts = localhost # manual for details. The lists above are used in the access control lists for # checking incoming messages. The names of these ACLs are defined here: +acl_smtp_mail = acl_check_mail acl_smtp_rcpt = acl_check_rcpt acl_smtp_data = acl_check_data acl_smtp_mime = acl_check_mime @@ -371,6 +372,29 @@ timeout_frozen_after = 7d begin acl + +# This access control list is used for the MAIL command in an incoming +# SMTP message. + +acl_check_mail: + + # Hosts are required to say HELO (or EHLO) before sending mail. + # So don't allow them to use the MAIL command if they haven't + # done so. + + deny condition = ${if eq{$sender_helo_name}{} {1}} + message = Nice boys say HELO first + + # Use the lack of reverse DNS to trigger greylisting. Some people + # even reject for it but that would be a little excessive. + + warn condition = ${if eq{$sender_host_name}{} {1}} + set acl_m_greylistreasons = Host $sender_host_address lacks reverse DNS\n$acl_m_greylistreasons + + accept + + + # This access control list is used for every RCPT command in an incoming # SMTP message. The tests are run in order until the address is either # accepted or denied. @@ -496,7 +520,8 @@ acl_check_rcpt: # There are no default checks on DNS black lists because the domains that # contain these lists are changing all the time. However, here are two # examples of how you can get Exim to perform a DNS black list lookup at this - # point. The first one denies, whereas the second just warns. + # point. The first one denies, whereas the second just warns. The third + # triggers greylisting for any host in the blacklist. # # deny message = rejected because $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text # dnslists = black.list.example @@ -504,6 +529,10 @@ acl_check_rcpt: # warn dnslists = black.list.example # add_header = X-Warning: $sender_host_address is in a black list at $dnslist_domain # log_message = found in $dnslist_domain + # + # warn dnslists = black.list.example + # set acl_m_greylistreasons = Host found in $dnslist_domain\n$acl_m_greylistreasons + # ############################################################################# ############################################################################# @@ -517,6 +546,10 @@ acl_check_rcpt: # require verify = csa ############################################################################# + # Alternatively, greylist for it: + # warn !verify = csa + # set acl_m_greylistreasons = Host failed CSA check\n$acl_m_greylistreasons + # At this point, the address has passed all the checks that have been # configured, so we accept it unconditionally. @@ -555,6 +588,12 @@ acl_check_data: # deny condition = ${if !def:h_Message-ID: {1}} # message = RFC2822 says that all mail SHOULD have a Message-ID header.\n\ # Most messages without it are spam, so your mail has been rejected. + # + # Alternatively if we're feeling more lenient we could just use it to + # trigger greylisting instead: + + warn condition = ${if !def:h_Message-ID: {1}} + set acl_m_greylistreasons = Message lacks Message-Id: header. Consult RFC2822.\n$acl_m_greylistreasons # Deny if the message contains a virus. Before enabling this check, you # must install a virus scanner and set the av_scanner option above. @@ -589,8 +628,30 @@ acl_check_data: # message = Your message scored $spam_score SpamAssassin point. Report follows:\n\ # $spam_report + # Trigger greylisting (if enabled) if the SpamAssassin score is greater than 0.5 + # + # warn condition = ${if >{$spam_score_int}{5} {1}} + # set acl_m_greylistreasons = Message has $spam_score SpamAssassin points\n$acl_m_greylistreasons + + + # If you want to greylist _all_ mail rather than only mail which looks like there + # might be something wrong with it, then you can do this... + # + # warn set acl_m_greylistreasons = We greylist all mail\n$acl_m_greylistreasons + + # Now, invoke the greylisting. For this you need to have installed the exim-greylist + # package which contains this subroutine, and you need to uncomment the bit below + # which includes it too. Whenever the $acl_m_greylistreasons variable is non-empty, + # greylisting will kick in and will defer the mail to check if the sender is a + # proper mail which which retries, or whether it's a zombie. For more details, see + # the exim-greylist.conf.inc file itself. + # + # require acl = greylist_mail + accept +# To enable the greylisting, also uncomment this line: +# .include /etc/exim/exim-greylist.conf.inc acl_check_mime: