Here is an excerpt from my configuration that you can look through, and possibly use parts of.
Remember to replace all instances of my domain with yours.

hostlist relay_from_hosts = 192.168.0.0/16 : 127.0.0.1 : ::::1
auth_advertise_hosts = 192.168.0.0/16 : 127.0.0.1 : ::::1
## Colons inside an IPv6 address must be doubled in a colon-separated list, hence ::::1 for ::1.

## The list separator is changed to ";" here, otherwise the colons inside the IPv6 address
## literals would be read as item separators and those entries could never match.
domainlist local_domains = <; sebbe.eu ; [185.86.106.232] ; [193.187.91.106] ; [2001:470:dff1:1:10::1] ; [2001:470:dff1:1:10::2] ; dns1.sebbe.eu ; dns2.sebbe.eu ; mx.sebbe.eu ; 185.86.106.232 ; 193.187.91.106

acl_check_mail:

  accept authenticated = *
         senders       = ^(sebastian|postmaster|abuse)@sebbe\\.eu\$
         hosts         = +relay_from_hosts
         set acl_m0    = authorizedrelay
  ## This one ensures you need a valid password AND a valid IP to relay. Thus hacked passwords are a no go here.
  ## Combined with auth_advertise_hosts, it will also not even offer authentication to invalid hosts.
  ## This also requires the sender address to be within the local domain to be considered an authenticated relay,
  ## else this rule is never triggered, authorizedrelay isn't set and any valid authenticated email with a sender
  ## like RolexWatches@GetRich.whatever will also get rejected.

  deny   message        = 5.7.14 You can't spoof the domains this server is authoritative for
         sender_domains = ^(?i).*(sebbe\\.eu)\$ : +local_domains
  ## Prevents anyone from sending an email with a sender that is local to the server in question,
  ## if they aren't authorized to do so (ergo logged in and have the right IP).

  deny   message = 5.7.1 Local users must authenticate
         hosts   = +relay_from_hosts
  ## Prevents anyone that is already on the local network from sending without authenticating.

  deny   message        = 5.4.6 That would create a mail loop
         sender_domains = localhost : ^\\[127.* : ^.*\\.local : ^.*\\.localdomain : ^.*\\.localhost : ^127\\..*
  ## Prevents a crude form of mail loops.
  deny   message        = 5.7.0 Banned TLD
         sender_domains = ^(?i).*\\.(app|accountant|accountants|auto|berlin|bid|camera|car|cars|christmas|click|club|college|computer|country|cricket|date|design|download|email|faith|fun|gdn|global|guru|help|host|jetzt|kim|life|link|loan|media|men|mom|news|ninja|online|party|photography|pro|protection|pub|racing|realtor|reise|ren|rent|review|rocks|science|security|shop|site|solutions|space|storage|store|stream|study|tech|technology|theatre|today|top|trade|university|uno|vip|vividal|wang|webcam|website|win|work|works|world|xin|xyz|zip)\$
  ## TLD ban. Bans a lot of TLDs in the sender address. Those TLDs are the ICANN new garbage shit that are 100% spam sources.

  deny   message = 5.1.8 Sender verification failed
        !verify  = sender
  ## Basic sender verification (does an MX exist, etc).

  accept condition = ${if eq {$sender_address}{}{yes}{no}}
  ## Auto-accept the blank sender address.

  deny   message     = 5.7.23 SPF fail (phishing) - (${sg{${sg{$spf_smtp_comment}{http\:\/\/www\.open-spf\.org\/Why}{https:\/\/www.sebbe.eu\/spf.cgi}}}{&receiver=sebbe\.eu}{}})
         log_message = SPF check failed: ($spf_header_comment)
         spf         = fail : softfail
  ## Reject all SPF=softfail and all SPF=hardfail messages.

  accept

acl_check_rcpt:

  deny   local_parts = ^[./|] : ^.*[\\\\@\$%`#&?/|] : ^.*/\\.\\./ : ^.*x24 : ^.*0.44
         message     = 5.1.7 Restricted characters in address
  ## Prevent certain security holes.

  deny   message = 5.4.6 That would create a mail loop
         domains = localhost : ^\\[127.* : ^.*\\.local : ^.*\\.localdomain : ^.*\\.localhost : ^127\\..*
  ## Prevent some crude mail loops.

  accept condition = ${if eq {$acl_m0}{authorizedrelay}{yes}{no}}
         control   = submission/sender_retain
         control   = dkim_disable_verify
  ## If the message is an authorized relay (ergo authenticated and right IP), accept it at the RCPT stage too.

  require message = 5.7.1 Relay not permitted
          domains = +local_domains
  ## The message must be to a local mailbox if it is not authenticated.
  require verify = recipient
  ## Basic recipient reachability check.

  accept

acl_check_data:

  warn   remove_header = date
         remove_header = subject
         add_header    = Date: $tod_full
         add_header    = Subject: ${rfc2047:${length_100:${sg{${sg{${sg{${sg{${sg{${sg{${sg{${sg{${sg{${sg{${sg{${sg{${sg{$h_subject:}{\\xE5}{\\xA5}}}{\\xC4}{\\x84}}}{\\xD6}{\\x96}}}{\\xC5}{\\x85}}}{\\xF6}{\\xB6}}}{\\xE4}{\\xA4}}}{\N[^a-zA-Z0-9\xA5\xA4\xB6\x85\x84\x96 !"\@#\$%&\/\{(\[)\]=\}?+\\\-_:.;,*><|^~]\N}{}}}{\N([\xA5\xA4\xB6\x85\x84\x96])\N}{\\xC3\$1}}}{ }{ }}}{ }{ }}}{ }{ }}}{^ }{}}}{ \$}{}}}}
  ## Scrub the email. This replaces the Date header with a valid one, so if a mail has its date set to 1970-01-01
  ## the email doesn't get pushed to the very bottom of the inbox.
  ## Also shortens subjects to 100 characters and removes invalid characters, preventing certain bugs and quirks
  ## in Microsoft Outlook with subjects.
  ## How the subject expansion works: the first six sg's map the Latin-1 bytes for å ä ö Å Ä Ö to their UTF-8
  ## trail bytes, the character class then strips everything that is not a plain ASCII/printable character or one
  ## of those six bytes, the next sg puts the \xC3 lead byte back in front of them, and the remaining sg's collapse
  ## whitespace and trim the ends before length_100 and rfc2047 encode the result.

  deny   message = 5.6.0 Message headers fail syntax check
        !verify  = header_syntax
  ## Basic header check.

  deny   message = 5.6.0 No verifiable sender address in message headers
        !verify  = header_sender
  ## Basic header check.

  deny   message   = 5.6.0 Missing MIME From header
         condition = ${if def:h_from:{no}{yes}}
  ## Basic header check.

  deny   message   = 5.7.14 You can't spoof the MIME From this server is authoritative for
         condition = ${if match {$h_from:}{(?i)@([a-zA-Z0-9_.\\-]*\\.)?(sebbe\\.eu)}{yes}{no}}
         condition = ${if eq {$acl_m0}{authorizedrelay}{no}{yes}}
  ## If the email is not an authorized relay, the MIME From: header can't be within the local server's domain.

  deny   message   = 5.7.1 Authorized relayed messages MUST have a local MIME From
         condition = ${if match {$h_from:}{^"?(Sebastian Nielsen|Microsoft Outlook)"? <(sebastian|abuse|postmaster)@sebbe\\.eu>\$}{no}{yes}}
         condition = ${if eq {$acl_m0}{authorizedrelay}{yes}{no}}
  ## If the email IS an authenticated relay, the MIME From MUST be within the local domain, so if any bots on a
  ## local computer attempt to send, they must also use the local domain and cannot spoof.
  deny   message   = 5.7.0 Banned TLD in MIME From
         condition = ${if match {$h_from:}{^(?i).*\\.(app|accountant|accountants|auto|berlin|bid|camera|car|cars|christmas|click|club|college|computer|country|cricket|date|design|download|email|faith|fun|gdn|global|guru|help|host|jetzt|kim|life|link|loan|media|men|mom|news|ninja|online|party|photography|pro|protection|pub|racing|realtor|reise|ren|rent|review|rocks|science|security|shop|site|solutions|space|storage|store|stream|study|tech|technology|theatre|today|top|trade|university|uno|vip|vividal|wang|webcam|website|win|work|works|world|xin|xyz|zip)>\$}{yes}{no}}
  ## Same TLD ban as above, but this one is for the MIME From. Bans a lot of TLDs in the sender address.
  ## Those TLDs are the ICANN new garbage shit that are 100% spam sources.

  accept

Hope you like it.

Best regards,
Sebastian Nielsen

-----Original message-----
From: Jacques B. Siboni via Exim-users <exim-users@exim.org>
Sent: 1 June 2020 18:54
To: Jeremy Harris via Exim-users <exim-users@exim.org>
Subject: [exim] A decent acl example please!

Dear colleagues,

It seems there are many ways to configure the acl part of exim4. I have tried many options but, so far, I can't get rid of spammers using our smtp to send spam mails. (I receive a lot of spam mails as well, but this nuisance I can deal with.)

Can some of you send a decent example of acl config solving most of the problems encountered?

I signal I have already added the spf record, a dkim signature and dmarc data. But nonetheless I believe some bots manage to pass through the net.

exim4 version is 4.93-16 on debian

Thanks in advance

Jacques

--
Jacques B. Siboni mailto:jac...@lutecium.org
8 pass. Charles Albert, F75018 Paris, France
Tel: +33 142 287 678 Port: +33 612 536 959
Home Page: http://jacsib.lutecium.org/
Lutecium pages: http://www.lutecium.org

--
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
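As an added example (not part of either message above), here is a small Python model of the MAIL FROM and RCPT TO decisions in Sebastian's posted ACLs, using his lists and patterns (the TLD list is shortened to a few entries) so the relay-authorisation chain around acl_m0 can be exercised offline. DNS-based sender verification, SPF and recipient verification are left out, and the `session()` helper and the scenario addresses are constructed for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Lists and patterns are taken from the posted ACLs (TLD list shortened to a few entries);
# the decision functions are a constructed model of those ACLs, not Exim code.
RELAY_FROM_HOSTS = [ip_network(n) for n in ("192.168.0.0/16", "127.0.0.1/32", "::1/128")]
LOCAL_DOMAINS = {"sebbe.eu", "dns1.sebbe.eu", "dns2.sebbe.eu", "mx.sebbe.eu"}
LOCAL_SENDER = re.compile(r"^(sebastian|postmaster|abuse)@sebbe\.eu$")
SPOOFED_LOCAL = re.compile(r"^.*(sebbe\.eu)$", re.I)   # Exim writes this as ^(?i).*(sebbe\.eu)$
MAIL_LOOP = re.compile(r"^(localhost$|\[127.*|.*\.local|.*\.localdomain|.*\.localhost|127\..*)")
BANNED_TLD = re.compile(r"^.*\.(app|bid|click|date|download|loan|top|win|xyz|zip)$", re.I)
RESTRICTED_LOCAL_PART = re.compile(r"^[./|]|[\\@$%`#&?/|]|/\.\./|x24|0.44")

def is_relay_host(ip):
    addr = ip_address(ip)
    return any(addr in net for net in RELAY_FROM_HOSTS)

def acl_check_mail(ip, authenticated, sender):
    """MAIL FROM stage: returns (verdict, acl_m0); sender verify and SPF need DNS, not modelled."""
    domain = sender.rpartition("@")[2]
    if authenticated and is_relay_host(ip) and LOCAL_SENDER.match(sender):
        return "accept", "authorizedrelay"          # password AND source IP AND local sender
    if SPOOFED_LOCAL.match(domain) or domain in LOCAL_DOMAINS:
        return "deny 5.7.14 spoofed local domain", None
    if is_relay_host(ip):                            # also hits a valid login with a foreign sender
        return "deny 5.7.1 local users must authenticate", None
    if MAIL_LOOP.match(domain):
        return "deny 5.4.6 mail loop", None
    if BANNED_TLD.match(domain):
        return "deny 5.7.0 banned TLD", None
    return "accept", None

def acl_check_rcpt(acl_m0, recipient):
    """RCPT TO stage: relaying is only allowed when acl_m0 was set at MAIL time."""
    local_part, _, domain = recipient.rpartition("@")
    if RESTRICTED_LOCAL_PART.search(local_part):
        return "deny 5.1.7 restricted characters"
    if MAIL_LOOP.match(domain):
        return "deny 5.4.6 mail loop"
    if acl_m0 == "authorizedrelay":
        return "accept"                              # Exim also switches to submission mode here
    if domain not in LOCAL_DOMAINS:
        return "deny 5.7.1 relay not permitted"
    return "accept"                                  # recipient verification not modelled

def session(ip, authenticated, sender, recipient):
    """Run one envelope (MAIL FROM, then RCPT TO) through both stages."""
    verdict, acl_m0 = acl_check_mail(ip, authenticated, sender)
    return verdict if verdict != "accept" else acl_check_rcpt(acl_m0, recipient)
```

Note that the posted spoof pattern is not anchored at a dot, so a sender domain that merely ends in sebbe.eu (for instance notsebbe.eu) is refused as well, which is overblocking rather than a hole.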