Diffstat (limited to 'debian/debconf/30_exim4-config_example_check_rcpt')
-rw-r--r-- | debian/debconf/30_exim4-config_example_check_rcpt | 138 |
1 files changed, 138 insertions, 0 deletions
diff --git a/debian/debconf/30_exim4-config_example_check_rcpt b/debian/debconf/30_exim4-config_example_check_rcpt
new file mode 100644
index 0000000..a3ee381
--- /dev/null
+++ b/debian/debconf/30_exim4-config_example_check_rcpt
@@ -0,0 +1,138 @@
+# This access control list is used for every RCPT command in an incoming
+# SMTP message. The tests are run in order until the address is either
+# accepted or denied.
+#
+acl_example_check_rcpt:
+ # Accept if the source is local SMTP (i.e. not over TCP/IP). We do this by
+ # testing for an empty sending host field.
+ accept hosts = :
+
+ # Deny if the local part contains @ or % or / or | or !. These are rarely
+ # found in genuine local parts, but are often tried by people looking to
+ # circumvent relaying restrictions.
+ #
+ # Also deny if the local part starts with a dot. Empty components aren't
+ # strictly legal in RFC 2822, but Exim allows them because this is common.
+ # However, actually starting with a dot may cause trouble if the local part
+ # is used as a file name (e.g. for a mailing list).
+ #
+ deny local_parts = ^.*[@%!/|] : ^\\.
+
+ # Accept mail to postmaster in any local domain, regardless of the source,
+ # and without verifying the sender.
+ #
+ accept local_parts = postmaster
+ domains = +local_domains
+
+ # Deny unless the sender address can be verified.
+ require verify = sender
+
+ # Warn if the sender host does not have valid reverse DNS.
+ warn message = X-Broken-Reverse-DNS: no host name found for IP address $sender_host_address
+ !verify = reverse_host_lookup
+
+ # deny bad senders (envelope sender)
+ # CONFDIR/local_sender_blacklist holds a list of envelope senders that
+ # should have their access denied to the local host. Incoming messages
+ # with one of these senders are rejected at RCPT time.
+ #
+ # The explicit white lists are honored as well as negative items in
+ # the black list. See /usr/share/doc/exim4-config/default_acl for details.
+ deny message = sender envelope address $sender_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
+ !acl = acl_whitelist_local_deny
+ senders = ${if exists{CONFDIR/local_sender_blacklist}\
+ {CONFDIR/local_sender_blacklist}\
+ {}}
+
+ # deny bad sites (IP address)
+ # CONFDIR/local_host_blacklist holds a list of host names, IP addresses
+ # and networks (CIDR notation) that should have their access denied to
+ # The local host. Messages coming in from a listed host will have all
+ # RCPT statements rejected.
+ #
+ # The explicit white lists are honored as well as negative items in
+ # the black list. See /usr/share/doc/exim4-config/default_acl for details.
+ deny message = sender IP address $sender_host_address is locally blacklisted here. If you think this is wrong, get in touch with postmaster
+ !acl = acl_whitelist_local_deny
+ hosts = ${if exists{CONFDIR/local_host_blacklist}\
+ {CONFDIR/local_host_blacklist}\
+ {}}
+
+
+ #############################################################################
+ # The DNS "black" lists here might have gone out of existence at the
+ # time you might want to start using this example. Use at your own risk,
+ # and verify the used lists' policies.
+ #############################################################################
+
+ warn message = X-Warning: $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
+ log_message = $sender_host_address is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
+ dnslists = inputs.relays.osirusoft.com:dialups.relays.osirusoft.com:spamhaus.relays.osirusoft.com:spamsites.relays.osirusoft.com:spews.relays.osirusoft.com:relays.ordb.org:relays.bl.kundenserver.de:relays.visi.com:sbl.spamhaus.org
+
+ warn message = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
+ log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
+ !senders = ${if exists{CONFDIR/local_postmaster.rfc-ignorant.org_whitelist}\
+ {CONFDIR/local_postmaster.rfc-ignorant.org_whitelist}\
+ {}}
+ dnslists = postmaster.rfc-ignorant.org/$sender_address_domain
+
+ warn message = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
+ log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
+ !senders = ${if exists{CONFDIR/local_abuse.rfc-ignorant.org_whitelist}\
+ {CONFDIR/local_abuse.rfc-ignorant.org_whitelist}\
+ {}}
+ dnslists = abuse.rfc-ignorant.org/$sender_address_domain
+
+ warn message = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
+ log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
+ !senders = ${if exists{CONFDIR/local_whois.rfc-ignorant.org_whitelist}\
+ {CONFDIR/local_whois.rfc-ignorant.org_whitelist}\
+ {}}
+ dnslists = whois.rfc-ignorant.org/$sender_address_domain
+
+ warn message = X-Warning: $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
+ log_message = $sender_address_domain is listed at $dnslist_domain ($dnslist_value: $dnslist_text)
+ !senders = ${if exists{CONFDIR/local_dsn.rfc-ignorant.org_whitelist}\
+ {CONFDIR/local_dsn.rfc-ignorant.org_whitelist}\
+ {}}
+ dnslists = dsn.rfc-ignorant.org/$sender_address_domain
+
+ # Accept if the address is in a local domain, but only if the recipient can
+ # be verified. Otherwise deny. The "endpass" line is the border between
+ # passing on to the next ACL statement (if tests above it fail) or denying
+ # access (if tests below it fail).
+ #
+ accept domains = +local_domains
+ endpass
+ message = unknown user
+ verify = recipient
+
+ # Accept if the address is in a domain for which we are relaying, but again,
+ # only if the recipient can be verified.
+ #
+ accept domains = +relay_to_domains
+ endpass
+ message = unrouteable address
+ verify = recipient
+
+ # If control reaches this point, the domain is neither in +local_domains
+ # nor in +relay_to_domains.
+
+ # Accept if the message comes from one of the hosts for which we are an
+ # outgoing relay. Recipient verification is omitted here, because in many
+ # cases the clients are dumb MUAs that don't cope well with SMTP error
+ # responses. If you are actually relaying out from MTAs, you should probably
+ # add recipient verification here.
+ #
+ accept hosts = +relay_from_hosts
+
+ # Accept if the message arrived over an authenticated connection, from
+ # any host. Again, these messages are usually from MUAs, so recipient
+ # verification is omitted.
+ #
+ accept authenticated = *
+
+ # Reaching the end of the ACL causes a "deny", but we might as well give
+ # an explicit message.
+ #
+ deny message = relay not permitted
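Review bot: The `dnslists =` line of the first `warn` verb after the "The DNS "black" lists here might have gone out of existence" banner hardcodes nine zones into an example that ships with the package, so the caveat in the banner is the only thing standing between an administrator and a list of lookups nobody maintains; a retired DNSBL zone can stop answering, or answer positively for every query, and because each listed zone is queried on every RCPT the effect is one DNS round-trip per zone per recipient plus an X-Warning header on every message. Beyond the existing banner I would add, directly above that `dnslists =` line, `# NOTE: a retired DNSBL may answer every query positively; confirm each zone is` and `# still operated (and what it lists) before anything downstream acts on X-Warning.`. The same applies to the four rfc-ignorant.org `warn` verbs that follow it. It is also worth stating once above the first `warn message = X-Warning:` that these headers, like `X-Broken-Reverse-DNS`, are added to the message as-is and are indistinguishable from copies the remote sender may have supplied, so filters that key on them should treat them as advisory rather than authoritative. The whole `acl_example_check_rcpt:` definition is contained in this hunk.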