Access Control in the default configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Debian exim 4 package comes with a default configuration that
allows flexible access control and blacklisting of sites and hosts.
The ACLs involved can be found in /etc/exim4/conf.d/acl with the file
names 20_exim4-config_whitelist_local_deny and 30_exim4-config_check_rcpt,
thus all rejections of messages due to this mechanism happen at RCPT
time. Local configuration of the mechanisms happens through data files
in /etc/exim4, so there is normally no need to change the files in the
acl subdirectory.

/etc/exim4/local_sender_blacklist contains a list of envelope senders
whose messages will be denied with the error message "locally
blacklisted". This is a full exim 4 address list, and all available
features can be used. This includes negative items, and so it is
possible to exclude addresses from being blacklisted. For convenience,
as an additional method to whitelist addresses from being blocked, an
explicit whitelist is read in from /etc/exim4/local_sender_whitelist.
Entries in the whitelist override corresponding blacklist entries.

In the blacklist, the trick is to read a line break as "or" if it
follows a positive item, and as "and" if it follows a negative item.
For example, a /etc/exim4/local_sender_blacklist

    domain1.example
    !local@domain2.example
    domain2.example
    domain3.example

Exim just evaluates left to right (or up-down in the file listing
context), so you don't get the same kind of operator binding as in a
programming language.
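
The left-to-right rule described above, as an added example: a
simplified Python model, not code from Exim or the Debian package. It
assumes only bare domains, full addresses and a leading "!", and matches
caselessly; WRONG_ORDER is a constructed list, not from this document,
that shows why the position of a negative item matters.

```python
# Simplified model of how Exim evaluates an address list such as
# /etc/exim4/local_sender_blacklist. Not Exim's code; it handles only
# "domain", "local@domain" and a leading "!" (negation).

def parse_list(text):
    """One item per line; blank lines and '#' comment lines are skipped."""
    items = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            negated = line.startswith("!")
            items.append((negated, line.lstrip("!").strip().lower()))
    return items

def list_matches(items, address):
    """The first item whose pattern hits decides; '!' turns a hit into 'no match'."""
    address = address.lower()
    domain = address.rpartition("@")[2]
    for negated, pattern in items:
        hit = (address == pattern) if "@" in pattern else (domain == pattern)
        if hit:
            return not negated
    # End of list reached without a hit: match only if the last item was negated.
    return bool(items) and items[-1][0]

def rcpt_verdict(sender, blacklist, whitelist=""):
    """Whitelist entries override blacklist entries."""
    if list_matches(parse_list(whitelist), sender):
        return "accept"
    if list_matches(parse_list(blacklist), sender):
        return "deny: locally blacklisted"
    return "accept"

# The example list from the text above.
BLACKLIST = """\
domain1.example
!local@domain2.example
domain2.example
domain3.example
"""

# Constructed variant: the exception placed after the item it should limit.
WRONG_ORDER = """\
domain2.example
!local@domain2.example
"""
```

With WRONG_ORDER, local@domain2.example is still denied because the
positive item is reached first, and since the list ends in a negative
item, every sender that matched nothing is denied as well.
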

/etc/exim4/local_host_blacklist contains a list of IP addresses,
networks and host names whose messages will be denied with the error
message "locally blacklisted". This is a full exim 4 host list. Again,
negative items can be used here, and there is also an explicit
whitelist read in from /etc/exim4/local_host_whitelist, and whitelist
entries override blacklistings.

The example access list shipped in
/usr/share/doc/exim4-config/examples/acl/30_exim4-config_example_check_rcpt
includes a bunch of dnslists configured to warn and/or deny incoming
messages. Some of these lists have a corresponding whitelist, read
in from /etc/exim4/local_$DNSLISTNAME_whitelist which allows the local
administrator to override dnslist entries for domains or IP addresses
that should be able to send mail despite the dnslist entry.