AclSmtpData

Warren Baker edited this page Jul 22, 2014 · 3 revisions

Sender Verification

This is a fairly safe sender verify ACL. It only rejects the message if the sender verify specifically rejects the message during the recipient part of the verification. It also uses a specific email address rather an empty message for verification. This avoids misconfigured hosts that reject empty from addresses at the recipient phase. It also supports the use of a no verify list for really stupid hosts where testing must be avoided. The no verify list will whitelist both the senders domain and the host address.

deny    message = REJECTED - Sender Verify Failed - The email server for the domain [$sender_address_domain] tells junkemailfilter.com that the sender's email address [$sender_address] is not a valid. $sender_verify_failure
        log_message = REJECTED - Sender Verify Failed - The email server for the domain [$sender_address_domain] tells junkemailfilter.com that the sender's email address [$sender_address] is not a valid. $sender_verify_failure
        !verify = header_sender/callout=2m,defer_ok,mailfrom=sender-verify@junkemailfilter.com
        condition = ${if eq{recipient}{$sender_verify_failure}}
        condition = ${lookup{$sender_address_domain}wildlsearch{/etc/exim/acllists/noverify.txt}{no}{yes}}
        condition = ${lookup{$sender_host_address}wildlsearch{/etc/exim/acllists/noverify.txt}{no}{yes}}

This sender verification combines a wider verify fail with failed reverse DNS. It's a combination of two sins that causes the bounce.

deny    message     = REJECTED - Sender Verify Failed and no RDNS - error code = $sender_verify_failure
        log_message = REJECTED - Sender Verify Failed and no RDNS - error code = $sender_verify_failure
        !verify = reverse_host_lookup
        !verify = header_sender/callout=2m,defer_ok,mailfrom=sender-verify@junkemailfilter.com
        !condition =  ${if eq{$sender_verify_failure}{}}
        condition = ${lookup{$sender_address_domain}wildlsearch{/etc/exim/acllists/noverify.txt}{no}{yes}}

Check Syntax

drop  condition       = ${if match{$h_to:}{(?i)Undisclosed-recipient}{no}{yes}}
      message         = Header Syntax error: $acl_verify_message
      !verify         = header_syntax
      logwrite        = :reject,main: Header Syntax Error: $acl_verify_message

Null Address Check Headers

drop  message         = Header From exist, but not have a valid address
      condition       = ${if def:h_from: {yes}{no}}
      condition       = ${if or { \
                          { eq{${address:$h_from:}}{} } \
                          { eq{${domain:$h_from:}}{} } \
                          { eq{${local_part:$h_from:}}{} } \
                        } {yes}{no}}
      delay           = 45s
drop  message         = Header Reply-to exist, but not have a valid address
      condition       = ${if def:h_reply-to: {yes}{no}}
      condition       = ${if or { \
                          { eq{${address:$h_reply-to:}}{} } \
                          { eq{${domain:$h_reply-to:}}{} } \
                          { eq{${local_part:$h_reply-to:}}{} } \
                        } {yes}{no}}
      delay           = 45s
drop  message         = Header Sender exists, but not have a valid address
      condition       = ${if def:h_sender: {yes}{no}}
      condition       = ${if or { \
                          { eq{${address:$h_sender:}}{} } \
                          { eq{${domain:$h_sender:}}{} } \
                          { eq{${local_part:$h_sender:}}{} } \
                        } {yes}{no}}
      delay           = 45s

Fast Check Mx Headers Address

drop  message         = Header From have a invalid ${sender_verify_failure}: <${address:$h_from:}>
      condition       = ${if def:h_from: {yes}{no}}
      !verify         = sender=${address:$h_from:}/no_details
      delay           = 45s
drop  message         = Header Reply have a invalid ${sender_verify_failure}: <${address:$h_reply-to:}>
      condition       = ${if def:h_reply-to: {yes}{no}}
      !verify         = sender=${address:$h_reply-to:}/no_details
      delay           = 45s
drop  message         = Header Sender have a invalid ${sender_verify_failure}: <${address:$h_sender:}>
      condition       = ${if def:h_sender: {yes}{no}}
      !verify         = sender=${address:$h_sender:}/no_details
      delay           = 45s

Slow, but efficient callout

drop  message         = Header From have a invalid callout ${sender_verify_failure}: <${address:$h_from:}>
      condition       = ${if def:h_from: {yes}{no}}
      condition       = ${if eqi {$sender_address} {${address:$h_from:}}{no}{yes}}
      condition       = ${lookup{${address:$h_from:}}wildlsearch{/etc/exim4/lst/machine_senders}{no}{yes}}
      condition       = ${lookup{${address:$h_from:}}wildlsearch{/etc/exim4/lst/bounce_senders}{no}{yes}}
      condition       = ${lookup{${address:$h_from:}}wildlsearch{/etc/exim4/lst/skp_callout}{no}{yes}}
      .ifdef SKP_Spf_LIB
          !spf         = SKP_Spf_LIB
      .endif
      .ifdef SKP_Spf_PERL
          set acl_m_spfaddr = ${address:$h_from:}
          !acl         = spf_acpt
      .endif
      condition       = ${if match_ip{$sender_host_address}{${lookup dnsdb{>: defer_lax,a=${lookup dnsdb{>: defer_lax,mxh=${domain:$h_from:}}}}}}{no}{yes}}
      !verify         = sender=${address:$h_from:}/no_details/callout=20s,connect=10s,maxwait=45s,defer_ok,random
       delay          = 30s
drop  message         = Header Reply have a invalid callout ${sender_verify_failure}: <${address:$h_reply-to:}>
      condition       = ${if def:h_reply-to: {yes}{no}}
      condition       = ${if eqi {$sender_address} {${address:$h_reply-to:}}{no}{yes}}
      condition       = ${lookup{${address:$h_reply-to:}}wildlsearch{/etc/exim4/lst/skp_callout}{no}{yes}}
      .ifdef SKP_Spf_PERL
          set acl_m_spfaddr = ${address:$h_from:}
          !acl         = spf_acpt
      .endif
      condition       = ${if match_ip{$sender_host_address}{${lookup dnsdb{>: defer_lax,a=${lookup dnsdb{>: defer_lax,mxh=${domain:$h_reply-to:}}}}}}{no}{yes}}
      !verify         = sender=${address:$h_reply-to:}/no_details/callout=20s,connect=10s,maxwait=45s,defer_ok,random
       delay          = 30s
drop  message         = Header Sender have a invalid callout ${sender_verify_failure}: <${address:$h_sender:}>
      condition       = ${if def:h_sender: {yes}{no}}
      condition       = ${if eqi {$sender_address} {${address:$h_sender:}}{no}{yes}}
      condition       = ${lookup{${address:$h_sender:}}wildlsearch{/etc/exim4/lst/machine_senders}{no}{yes}}
      condition       = ${lookup{${address:$h_sender:}}wildlsearch{/etc/exim4/lst/bounce_senders}{no}{yes}}
      condition       = ${lookup{${address:$h_sender:}}wildlsearch{/etc/exim4/lst/skp_callout}{no}{yes}}
      .ifdef SKP_Spf_PERL
          set acl_m_spfaddr = ${address:$h_from:}
          !acl         = spf_acpt
      .endif
      condition       = ${if eqi {${domain:$h_sender:}} {$sender_address_domain} {no}{yes}}
      condition       = ${if eqi {${domain:$h_sender:}} {${domain:$reply_address}} {no}{yes}}
      condition       = ${if match_ip{$sender_host_address}{${lookup dnsdb{>: defer_lax,a=${lookup dnsdb{>: defer_lax,mxh=${domain:$h_sender:}}}}}}{no}{yes}}
      !verify         = sender=${address:$h_sender:}/no_details/callout=20s,connect=10s,maxwait=45s,defer_ok,random
       delay          = 30s

Black List headers

blk_sender contains address patterns, line separated (*@domainspam.com, *.domainspam.com)

drop   condition      = ${if def:h_from: {yes}{no}}
       condition      = ${lookup{${address:$h_from:}}wildlsearch{/etc/exim4/lst/blk_sender}{yes}{no}}
       message        = Header From <${address:$h_from:}> black listed: ${lookup{${address:$h_from:}}wildlsearch{/etc/exim4/lst/blk_sender}}
       delay          = 45s
drop   condition      = ${if def:h_reply-to: {yes}{no}}
       condition      = ${lookup{${address:$h_reply-to:}}wildlsearch{/etc/exim4/lst/blk_sender}{yes}{no}}
       message        = Header Reply <${address:$h_reply-to:}> black listed: ${lookup{${address:$h_reply-to:}}wildlsearch{/etc/exim4/lst/blk_sender}}
       delay          = 45s
drop   condition      = ${if def:h_sender: {yes}{no}}
       condition      = ${lookup{${address:$h_sender:}}wildlsearch{/etc/exim4/lst/blk_sender}{yes}{no}}
       message        = Header From <${address:$h_sender:}> black listed: ${lookup{${address:$h_sender:}}wildlsearch{/etc/exim4/lst/blk_sender}}
       delay          = 45s
drop   condition      = ${if def:h_Message-Id: {yes}{no}}
       condition      = ${lookup{${address:$h_Message-Id:}}wildlsearch{/etc/exim4/lst/blk_sender}{yes}{no}}
       message        = Header Message-ID <${address:$h_Message-Id:}> black listed: ${lookup{${address:$h_Message-Id:}}wildlsearch{/etc/exim4/lst/blk_sender}}
       delay          = 45s

Blind copy in bounce?

drop  message         = Bounce errors never contains bind copy headers!
      senders         = :
      !verify         = not_blind
      delay           = 45s

Fake my message ID domain or subdomain

drop   message        = No you are not ME or OURS (Message-ID was ${domain:$h_Message-ID:} and equal my local domains or my domains relay)
       !hosts         = +relay_from_hosts : +relay_mx_hosts
       condition      = ${if or{{!def:h_message-id:}{eqi{${domain:$h_Message-ID:}}{}}}{no}{yes}}
       condition      = ${if match_domain{${domain:$h_Message-ID:}}{+local_domains:+alias_domains:+relay_to_domains}{yes}{no}}
       delay          = 45s
drop   message        = No you are not Me or OURS (Message-ID was ${domain:$h_Message-ID:} and the subdomain is my domain ${extract{-3}{.}{${domain:$h_Message-ID:}}}.${extract{-2}{.}{${domain:$h_Message-ID:}}}.${extract{-1}{.}{${domain:$h_Message-ID:}}})
       !hosts         = +relay_from_hosts : +relay_mx_hosts
       condition      = ${if or{{!def:h_message-id:}{eqi{${domain:$h_Message-ID:}}{}}}{no}{yes}}
       condition      = ${if match_domain{${extract{-3}{.}{${domain:$h_Message-ID:}}}.${extract{-2}{.}{${domain:$h_Message-ID:}}}.${extract{-1}{.}{${domain:$h_Message-ID:}}}}{+local_domains:+alias_domains:+relay_to_domains}{yes}{no}}
       delay          = 45s
drop   message        = No you are not ME or OURS (Message-ID was ${domain:$h_Message-ID:} and equal my interface hostname)
       !hosts         = +relay_from_hosts : +relay_mx_hosts
       condition      = ${if !def:interface_address {no}{yes}}
       condition      = ${if !def:h_message-id: {no}{yes}}
       condition      = ${if match_ip{$interface_address}{${lookup dnsdb{>: defer_never,a=${domain:$h_Message-ID:}}}}{yes}{no}}
       delay          = 45s

Duplicate Message-ID or Subject ?

If use it, set numer of messages by period. Warning, the lists have equal subjects to diferents receipients in diferents mail to sessions: BLK_DUP_MESSAGEID = 2 / 7d BLK_DUP_MESSAGESUB = 5 / 7d

.ifdef BLK_DUP_MESSAGEID
#-BLK: Ratelimit para mensagens duplicadas pelo id (#exim_dumpdb /var/spool/exim4/ ratelimit)
drop   !hosts         = +relay_from_hosts : +relay_mx_hosts
       !authenticated = *
       condition      = ${if !def:h_Message-Id: {no}{yes}}
       ratelimit      = BLK_DUP_MESSAGEID / strict / Message-ID=${md5:${escape:${lc:$h_Message-Id:}}}${sha1:${escape:${lc:$h_Message-Id:}}}
       logwrite       = :reject,main: $message_exim_id RateLimit: $sender_rate/$sender_rate_limit/$sender_rate_period - F=$sender_address_domain H=$sender_rcvhost: Message-ID=${length_150:${escape:$h_Message-Id:}}
       message        = This message is duplicated id and has been previously sent. Possible SPAM!
       delay          = ${eval: ${sg{$sender_rate}{[.].*}{}} - $sender_rate_limit }s
.endif
.ifdef BLK_DUP_MESSAGESUB
#-BLK: Ratelimit para mensagens duplicadas pelo subject (#exim_dumpdb /var/spool/exim4/ ratelimit)
#Trocar leaky / strict ???
drop   !hosts         = +relay_from_hosts : +relay_mx_hosts
       !authenticated = *
       condition      = ${if !def:h_Subject: {no}{yes}}
       condition      = ${if def:h_In-Reply-To: {no}{yes}}
       condition      = ${if def:h_References: {no}{yes}}
       ratelimit      = BLK_DUP_MESSAGESUB / leaky / Subject=${md5:${escape:${lc:$h_Subject:$h_Date:}}}${sha1:${escape:${lc:$h_Subject:$h_Date:}}}
       logwrite       = :reject,main: $message_exim_id RateLimit: $sender_rate/$sender_rate_limit/$sender_rate_period - F=$sender_address_domain H=$sender_rcvhost: Subject=${length_150:${escape:$h_Subject:}}
       message        = This message is duplicated subject and has been previously sent. Possible SPAM!
       delay          = ${eval: ${sg{$sender_rate}{[.].*}{}} - $sender_rate_limit }s
 .endif

Other Tricks

Block if Subject and Body are both Empty.

deny    message = REJECTED - No Subject or Body
        !condition = ${if def:h_Subject:}
        condition = ${if <{$body_linecount}{1}{true}{false}}
Clone this wiki locally
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.