Access Control Lists (ACLs) are how you weed out the jokers from the real mail. In the beginning the mail system was fairly straightforward and all was well in the world. Then came the spammer class of folks that just wanted to be annoying.
The ACL names correspond to the SMTP commands that are given. So the helo ACL fires when the HELO/EHLO command is given, and the mail ACL is called when the MAIL FROM command is given.
The purpose of the ACL is to check out the parameters of the command in an attempt to 1: prevent the server from being abused and 2: enhance the experience of the legitimate users.
Not all variables are available in the various ACLs. For example, local_part is not available in the connect ACL because the RCPT TO command has not been given yet. But the client's IP address is, so you can test that.
I suggest getting familiar with the typical SMTP session and understanding which commands are given in what order. If you do, most of this will be self explanatory.
You name your ACLs however you want; you just have to tell Exim which one goes with what command.
The parameter that does that is named acl, followed by the type (there are only two, smtp and not_smtp), and then the command.
For example, to define the ACL to process when the HELO command is given:
    acl_smtp_helo = my-helo-acl
The actual name of the ACL can be anything you want, but don't forget to tell Exim what it is.
CREATED 2016-11-28 16:23:48.0
00-26-E2
UPDATED 2016-11-28 16:23:54.0

The Types of ACLs
- acl_not_smtp - run for non-SMTP messages
- acl_smtp_connect - run when the connection starts
- acl_smtp_starttls - run when STARTTLS commands are received
- acl_smtp_auth - run when an AUTH command is received
- acl_smtp_mail - run when MAIL commands are received
- acl_smtp_rcpt - run when RCPT commands are received
- acl_smtp_data - run after the DATA command is received
- acl_smtp_etrn - run when ETRN commands are received
- acl_smtp_expn - run when EXPN commands are received
- acl_smtp_vrfy - run when VRFY commands are received
Types must be associated with the appropriate ACLs globally, in the beginning of the config file.
For example, to run an ACL named my_rcpt_acl when a RCPT command is received:
    acl_smtp_rcpt = my_rcpt_acl
connect
The connect ACL is called when the client first establishes a connection. At this point we know the client's IP address but not much else. It is normal to do a DNS lookup at this time.
First we check that IP address against a white list. If found, the address status is set to whiteListed and the address is accepted.
If not found on a white list, we check that IP address against black lists. First is our internal black list. If it is not found there we check against several blacklists on the web. If the IP is found on a black list the status is set to blackListed and the IP address is accepted.
If the IP is not found on either a white list or a black list, its status is set to notListed and the IP address is accepted.

helo
The helo ACL runs when the HELO command is given. Its job is to check some key elements of the calling client:
- 1 - did the client give us their host name or IP address
- 2 - is the client using a host name that matches DNS records
- 3 - is the host name or IP address the same as ours (a trick used by spammers)
If the client gave us our own host name or IP address, the connection is rejected.
Otherwise, a marker is placed on the connection indicating whether the client gave us a valid host name, an IP address in lieu of a host name, or no host name at all. In any of these events the command is accepted.
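The connect and helo procedures above, written out as Exim ACL configuration. This is an added example, not the author's own config: the ACL names, the hostlist relay_from_hosts (with 192.0.2.0/24, a documentation range, as a placeholder), the file /etc/exim4/blacklisted_hosts and the acl_c_ variable names are all assumptions; zen.spamhaus.org and bl.spamcop.net are real public lists.

```exim
# --- main section (before "begin acl") ---
acl_smtp_connect = acl_check_connect
acl_smtp_helo    = acl_check_helo

# Assumed: hosts we trust; 192.0.2.0/24 is a documentation range used as a placeholder
hostlist relay_from_hosts = 127.0.0.1 : ::1 : 192.0.2.0/24

begin acl

acl_check_connect:
  # White list first: a trusted host is tagged and accepted, nothing else is checked
  accept  hosts = +relay_from_hosts
          set acl_c_ip_status = whiteListed

  # Internal black list (assumed file, one host or CIDR per line); tag but still accept,
  # so the later ACLs can decide what to do with a listed client
  accept  hosts = /etc/exim4/blacklisted_hosts
          set acl_c_ip_status = blackListed
          log_message = $sender_host_address is on the local black list

  # Public DNS black lists; $dnslist_domain and $dnslist_text name the list that matched
  accept  dnslists = zen.spamhaus.org : bl.spamcop.net
          set acl_c_ip_status = blackListed
          log_message = $sender_host_address listed in $dnslist_domain ($dnslist_text)

  # Nothing matched: tag as notListed and accept (an ACL that runs out of statements denies)
  accept  set acl_c_ip_status = notListed

acl_check_helo:
  # Check 3: a client greeting with our own host name or IP address is rejected and dropped
  drop    condition = ${if or{ \
                          {eq{$sender_helo_name}{$primary_hostname}} \
                          {eq{$sender_helo_name}{$interface_address}} \
                          {eq{$sender_helo_name}{[$interface_address]}} }}
          message = HELO/EHLO $sender_helo_name is this server's own name
          log_message = HELO forged as our own name by $sender_host_address

  # Check 1: an address literal such as [192.0.2.10] instead of a host name; marked, accepted
  accept  condition = ${if match{$sender_helo_name}{\N^\[.*\]$\N}}
          set acl_c_helo_status = ipLiteral

  # Check 2: verify = helo confirms the host name against DNS (forward and reverse lookup)
  accept  verify = helo
          set acl_c_helo_status = validName

  # Anything else (a name DNS does not confirm): marked but still accepted
  accept  set acl_c_helo_status = unverified
```

The tags are connection variables (acl_c_), so the later mail, rcpt and data ACLs can test $acl_c_ip_status and $acl_c_helo_status instead of repeating the lookups. A black-listed client is accepted at this stage, exactly as the description says; slowing it down or rejecting it is left to the later ACLs.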
mail
The mail ACL fires when a MAIL command is received, i.e. MAIL FROM. This is who is sending the mail, i.e. the sender's address.
Since we are not an open relay we handle mail for two entities: mail from our clients OR mail to our clients.
Therefore, we have to verify that either the sender's address OR the recipient's address resides within one of our domains.
Although we have the sender's address we can not verify it in this ACL because the ACL does not support it.

rcpt
The rcpt ACL fires when the RCPT command is given. At this time we know both the sender (since that command has to come before this one) and the receiver. Both addresses are verified. At least one has to be within our domain structure.
The RCPT command can be given many times since an email can be sent to many recipients. In each case, the sending OR receiving address has to be within our domain.
If either of the addresses is within our domain, the RCPT address is accepted, otherwise it is rejected.

data
The data ACL fires when the actual email message is received. At this point we have accepted the addresses in whole or in part and we are processing the message.
First we need to ensure that the message has no viruses because that would be bad. If the message contains any viruses it will be automatically rejected and the connection will be aborted.
The second task is to get a spam score on the message. If the spam score is too high the message will be labeled as spam and will probably be put in a spam folder. However, regardless of the spam score the message will be accepted.
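The mail, rcpt and data steps above as one added Exim configuration (not the author's): the ACL names, domainlist local_domains, hostlist relay_from_hosts, the clamd socket path and the spamd address are assumptions. It also makes explicit something the description leaves open: MAIL FROM is only a claim, so relaying for a sender in one of our domains is granted only when the client has authenticated or is on the trusted host list; otherwise anyone could relay through the server simply by naming one of our domains as the sender.

```exim
# --- main section ---
acl_smtp_mail = acl_check_mail
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
# Assumed lists: our domains, and hosts allowed to relay (192.0.2.0/24 is a documentation range)
domainlist local_domains    = example.com : example.org
hostlist   relay_from_hosts = 127.0.0.1 : ::1 : 192.0.2.0/24
# Assumed scanner endpoints: a local clamd socket and SpamAssassin's spamd on its default port
av_scanner    = clamd:/var/run/clamav/clamd.ctl
spamd_address = 127.0.0.1 783

begin acl

acl_check_mail:
  # Only note whether the claimed sender is in one of our domains; the rcpt ACL decides
  warn    sender_domains = +local_domains
          set acl_m_sender_is_ours = yes
  accept

acl_check_rcpt:
  # Sender verification: the envelope sender must be routable, or bounces go nowhere
  require message = sender address could not be verified
          verify  = sender

  # Mail TO one of our domains: accept, but only for recipients that actually exist.
  # endpass turns a failing recipient verification into a deny instead of a fall-through
  accept  domains = +local_domains
          endpass
          message = unknown user
          verify  = recipient

  # Mail FROM one of our domains going elsewhere: relay only for a client that proved
  # it is ours (SMTP AUTH or a trusted host); the MAIL FROM claim alone is not enough
  accept  condition = ${if eq{$acl_m_sender_is_ours}{yes}}
          authenticated = *
  accept  condition = ${if eq{$acl_m_sender_is_ours}{yes}}
          hosts = +relay_from_hosts

  # Neither address is ours: accepting here would make us an open relay
  deny    message = relay not permitted

acl_check_data:
  # Task 1: malware scan; a hit rejects the message and closes the connection
  drop    malware = *
          message = Message rejected: malware detected ($malware_name)
          log_message = malware $malware_name from $sender_address

  # Task 2: spam score; "nobody:true" forces the condition true so the headers are always added
  warn    spam = nobody:true
          add_header = X-Spam-Score: $spam_score ($spam_bar)
          add_header = X-Spam-Report: $spam_report

  # Over the SpamAssassin threshold: flag it so the mailbox side can file it, but still accept
  warn    spam = nobody
          add_header = X-Spam-Flag: YES
          log_message = spam score $spam_score from $sender_address

  accept
```

The acl_m_ variable set in the mail ACL lives for the current message only, which is what we want: each MAIL FROM starts the relay decision afresh. Exim caches the spam result per user, so the second spam = nobody condition does not rescan the message.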
Each ACL is made up of statements. Each statement performs task(s) to check out the parameters of the command. Statements begin with a verb and can only have one verb. The statement ends when a new verb is encountered or the end of file is reached.
Statements are made up of conditions and modifiers. Each condition/modifier is processed in order. If any condition fails, control is passed to the next ACL statement.
The statement follows a simple format:
    verb condition/modifier = action
Each statement can have as many lines as needed, i.e. as many conditions and/or modifiers. But for each statement there is only one verb. So a typical statement could look like this:
    accept log_message = Message received for John
           condition   = ${if eq{$local_part}{john}{yes}{no}}
           add_header  = X-Example.com: This message is for John
This statement will accept any message that is addressed to john, will write a log entry stating that and will add a header to the email. If the message is not addressed to John, i.e. the local_part is not john, the statement is aborted and control passes to the next ACL statement.
Note: blank lines are ignored and any line with # in it will be ignored from that point to the end of the line.
The first part of the statement is the verb. The verb indicates what will happen if the attached conditions are all true.
accept
Returns accept if all conditions of the ACL statement are met, unless endpass was used. In the event endpass is used on a line by itself between two conditions/modifiers, if a condition preceding endpass fails, control is passed to the next ACL statement. If a condition after endpass fails, the ACL returns deny.

defer
If all conditions are met the ACL returns defer (a 4xx code); otherwise, if any of the conditions are not met, control goes to the next ACL statement.

deny
Returns deny if all conditions are met; otherwise, control passes to the next ACL statement.

drop
Same as deny except the connection is dropped after a permanent error code is sent.

require
Control is passed to the next ACL statement if all conditions are met. Returns deny otherwise.

warn
If all conditions are met the actions of any modifiers are carried out and control passes to the next ACL statement.
add_header
Adds a header to the message. This should be at the end of the ACL statement after all conditions because it adds the header even if a later condition fails.

continue

control
Can be freeze or queue_only.

delay
Causes the message to be delayed in processing. Great for spammers but it does tie up resources.

endpass
Only allowed in accept and discard statements. In normal processing of an ACL statement, when a condition in an ACL statement fails, processing continues with the next ACL statement.
When endpass is used, if the next ACL condition (the one immediately following it) fails, the ACL returns deny.
Example:
    accept condition = ${lookup{$sender_local_part}lsearch{/local_parts_file}{yes}{no}}
           endpass
           condition = ${lookup{$sender_domain}lsearch{/domains_file}{yes}{no}}
Normally, without endpass, if the second condition was unsuccessful control would be passed to the next ACL statement. However, with endpass, if the second condition is false, the ACL statement returns deny.
log_reject_target
Specifies an additional log to write reject log entries to.

log_message
Logs a message to the log if the conditions of the ACL statement are all true.

logwrite
Like log_message, but it logs even if the ACL statement fails.

message
Returns a message to the client.

queue
Specifies a queue to use. Must be named before the message is received. Not available in a data ACL.

remove_header
Removes an existing header (or headers). The parameter can be a colon-separated list.

set
Sets the value of a user defined variable. The variable name must begin with acl_m_ or acl_c_. acl_c_ variables are available throughout the session and can be used in routers and transports, while acl_m_ variables are disposed of after the message is received.

udpsend
Sends a UDP packet.
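The verbs listed earlier and the modifiers above, exercised together in one added rcpt ACL (not the author's config). The ACL names, the domain list, the 10 and 50 thresholds and the header names are assumptions; the small connect ACL is only there to set the acl_c_ip_status tag that the rcpt ACL reads. Each statement is commented with the verb it demonstrates and what happens when its condition fails.

```exim
# --- main section ---
acl_smtp_connect = acl_tag_client
acl_smtp_rcpt    = acl_verbs_demo
# Assumed domain list
domainlist local_domains = example.com

begin acl

acl_tag_client:
  # Minimal tagging so the rcpt ACL below has something to test (assumed, one list only)
  warn    dnslists = zen.spamhaus.org
          set acl_c_ip_status = blackListed
  accept

acl_verbs_demo:
  # warn: the modifiers run when the conditions hold, then control ALWAYS moves on.
  # logwrite is written the moment it is reached, even though the condition after it
  # may fail; log_message is written only when every condition of the statement holds.
  warn    logwrite = RCPT from $sender_host_address for $local_part@$domain
          condition = ${if eq{$acl_c_ip_status}{blackListed}}
          set acl_m_listed = yes
          log_message = client was black listed at connect time

  # drop: a 5xx is sent and the connection is closed; here after too many RCPTs
  # failed in one message, the pattern of a client probing for valid addresses
  drop    condition = ${if >{$rcpt_fail_count}{10}}
          message = too many invalid recipients
          log_message = dropping $sender_host_address after $rcpt_fail_count bad RCPTs

  # defer: a 4xx, so a real sender retries later; spammers usually do not
  defer   condition = ${if >{$rcpt_count}{50}}
          message = too many recipients, try again later

  # require: fall through only if the sender verifies; otherwise the ACL returns deny
  require message = sender could not be verified
          verify  = sender

  # deny: local parts with shell metacharacters are rejected; log_reject_target sends
  # the rejection line to the reject log only instead of the default main and reject logs
  deny    local_parts = ^[.] : ^.*[@%!/|]
          log_reject_target = reject
          message = restricted characters in address

  # accept with modifiers: a black listed client mailing one of our users is held
  # 10 seconds (delay), the message is frozen on the queue for review (control),
  # and any spam headers the client added itself are removed (remove_header)
  accept  domains = +local_domains
          condition = ${if eq{$acl_m_listed}{yes}}
          delay = 10s
          control = freeze
          remove_header = X-Spam-Flag : X-Spam-Score
          log_message = frozen for review: listed client $sender_host_address

  # Plain accept for our domains; everything else would be relaying and is denied
  accept  domains = +local_domains
  deny    message = relay not permitted
```

Order matters inside each statement: message and log_reject_target must come before the condition they describe, while add_header and remove_header take effect as soon as they are reached, which is why the text above says to keep add_header after all conditions.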
A condition, on the other hand, can change the behavior of the ACL, for example turning an accept ACL into a deny.
acl
Allows another ACL to be called from within an ACL.

authenticated
Tests if the session was authenticated.

condition
General-purpose condition to use when none of the other conditions apply.

dnslists
A list of DNS black lists to check.

encrypted
Tests if the session is encrypted.

hosts
Checks the sending host against a list.

local_parts
Checks the local_part against a list or string.

recipients
Checks the recipient address against a list or a string.

sender_domains
Checks the sender's domain against a string or a list.

senders
Tests the sender address against a string.

verify
Verifies the sender or recipient address by running it through the routers.
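The conditions above, combined in an added rcpt ACL (not the author's config) that uses a nested ACL as a condition. The ACL names, the domain and host lists, the example.com addresses and the file /etc/exim4/internal_only_local_parts are assumptions.

```exim
# --- main section ---
acl_smtp_rcpt = acl_check_rcpt
# Assumed lists
domainlist local_domains    = example.com
hostlist   relay_from_hosts = 127.0.0.1 : ::1

begin acl

# A sub-ACL used as a condition: it returns accept for a client that is ours
acl_client_is_ours:
  accept  hosts = +relay_from_hosts
  # Authenticated submission only counts when the session is encrypted, so the
  # password was not sent in clear
  accept  authenticated = *
          encrypted = *
  # An ACL that ends without a match returns deny, which makes the acl condition false
  deny

acl_check_rcpt:
  # recipients: postmaster and abuse must always be reachable, from anyone
  accept  recipients = postmaster@example.com : abuse@example.com

  # senders: an empty sender is a bounce; it may reach our users but is never relayed,
  # and endpass makes an unknown local user a deny instead of a fall-through
  accept  senders = :
          domains = +local_domains
          endpass
          message = unknown user
          verify  = recipient

  # acl: the nested ACL decides whether this client is ours and may relay
  accept  acl = acl_client_is_ours

  # local_parts: from here on the client is an outsider, so role addresses listed in
  # an assumed lsearch file (one local part per line) are not reachable for it
  deny    domains = +local_domains
          local_parts = lsearch;/etc/exim4/internal_only_local_parts
          message = $local_part is an internal-only address

  # verify: the recipient is run through the routers; an unroutable one is denied
  accept  domains = +local_domains
          endpass
          message = unknown user
          verify  = recipient

  deny    message = relay not permitted
```

Putting the trust decision in acl_client_is_ours keeps it in one place: if a new way of proving a client is ours is added later (a second host list, a client certificate check), only the sub-ACL changes and every statement that calls it picks up the new rule.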
ACL Return codes:
- accept -- O.K. to accept.
- deny -- not O.K. to accept.
- defer -- something happened... can not accept at this time.
- error -- problem in the configuration.