Community Forums
  1. #1
    rvskin (cPanel Partner NOC)
    Join Date
    Feb 2003
    Posts
    397

    How to: Spam+Virus Protection for cPanel server using Exiscan+Clamav+RBL+Spamassassin

    Since cPanel dropped support for MailScanner, we are forced to use the existing cPanel mail system to avoid further conflicts. In the beginning I was quite upset that cPanel dropped it, but since we have tested Exim+Exiscan and configured server-wide Spam+Virus Protection, its performance has increased a lot. I suggest avoiding MailScanner if possible.

    The instructions are split into 6 sections; use them at your own risk:
    1. Install required software and scripts
    2. Virus Protection
    2.1. Configure Exim to reject virus at SMTP time
    2.2. Configure Exim to reject virus + sender whitelist + receiver whitelist
    3. RBL and blacklists
    3.1. Sender blacklist and remote mail server blacklist
    3.2. RBL setting + sender whitelist + receiver whitelist + remote mail server whitelist
    4. Spam Protection
    5. Integrate into user's cPanel allowing user enable/disable server-wide Virus and Spam Protection
    6. Testing
    ...
    ...
    The full document is here:
    http://www.rvskin.com/index.php?page=public/antispam

    For more questions please go to http://forums.rvskin.com/index.php?showforum=7
    Last edited by rvskin; 11-02-2004 at 12:32 PM.
    RVSkin, a great experience for you, resellers and clients!
    http://www.RVSkin.com - The Most Intelligent Cpanel Skin, 23 Languages included.
    http://www.RVSiteBuilder.com - Website Builder for Hosting Provider.
    http://www.cPanelLicense.com - External cPanel License.

  2. #2
    Member
    Join Date
    Mar 2003
    Posts
    64


    root@nss-4 [~/EXIM/razor-agents-2.61]# make install
    make[1]: Entering directory `/root/EXIM/razor-agents-2.61/Razor2-Preproc-deHTMLxs'
    make[1]: Leaving directory `/root/EXIM/razor-agents-2.61/Razor2-Preproc-deHTMLxs'
    /usr/bin/perl -we '%m=@ARGV;for (keys %m){' -e 'next if -e $m{$_} && -M $m{$_} < -M $_ && -M $m{$_} < -M "Makefile";' -e 'print "Manifying $m{$_}\n";' -e 'system(q[/usr/bin/perl /usr/bin/pod2man ].qq[$_>$m{$_}])==0 or warn "Couldn\047t install $m{$_}\n";' -e 'chmod(oct(644), $m{$_}) or warn "chmod 644 $m{$_}: $!\n";}' \
    docs/razor-agent.conf.pod \
    blib/man5/razor-agent.conf.5 \
    docs/razor-agents.pod \
    blib/man5/razor-agents.5 \
    docs/razor-whitelist.pod \
    blib/man5/razor-whitelist.5
    Files found in blib/arch: installing files in blib/lib into architecture dependent library tree
    Writing /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi/auto/razor-agents/.packlist
    Appending installation info to /usr/lib/perl5/5.8.0/i386-linux-thread-multi/perllocal.pod
    blib/script/razor-client
    Digest::SHA1 object version 2.01 does not match bootstrap parameter 2.10 at /usr/lib/perl5/5.8.0/i386-linux-thread-multi/DynaLoader.pm line 249.
    Compilation failed in require at lib/Razor2/String.pm line 4.
    BEGIN failed--compilation aborted at lib/Razor2/String.pm line 4.
    Compilation failed in require at (eval 7) line 3.
    ...propagated at /usr/lib/perl5/5.8.0/base.pm line 64.
    BEGIN failed--compilation aborted at lib/Razor2/Client/Core.pm line 22.
    Compilation failed in require at (eval 4) line 3.
    ...propagated at /usr/lib/perl5/5.8.0/base.pm line 64.
    BEGIN failed--compilation aborted at lib/Razor2/Client/Agent.pm line 18.
    Compilation failed in require at blib/script/razor-client line 21.
    BEGIN failed--compilation aborted at blib/script/razor-client line 21.
    make: *** [install_razor_agents] Error 2

    root@nss-4 [~/EXIM/razor-agents-2.61]#

  3. #3
    rvskin (cPanel Partner NOC)
    Join Date
    Feb 2003
    Posts
    397

  4. #4
    Member
    Join Date
    Mar 2004
    Location
    This Planet
    Posts
    984


    Nice documentation.
    However, I have the following to add w.r.t. SA 3.x:

    Score bumping already takes place for RBL-listed IPs/hosts (multiple network digests; network tests are enabled by default on SA 3.x), so at least the checks for everything except rfc-ignorant.org can be safely removed. SA already does the same. This score BUMPING gets more SPAM blocked (in case the admin chooses to block above a given score).

    In your already nice documentation, if you could include an ACL check for forged HELO/EHLO it would also reduce the usage of spamd and clamd and hence average load levels, perhaps. Practically, I have found that half of SPAM comes with a forged HELO/EHLO presenting local IPs/domains in HELO/EHLO. This meant less load on the server as the spam/AV check was never reached for those messages. In addition, the number of virus-infected mails dropped by about 70% (signifying the obvious).

    Something like the following:

    ###HELO CHECK START

    # No HELO/EHLO

    deny
    condition = ${if eq{$sender_helo_name}{}{yes}{no}}
    message = Polite hosts say HELO first\n\
    Please see RFC 2821 section 4.1.1.1
    log_message = Bad HELO: Empty HELO

    #Modified Forged HELO (our ip/hostname)

    deny
    condition = ${if eq{$sender_helo_name}{$interface_address}{yes}{no}}
    message = Forged HELO: you are not $sender_helo_name as that is our IP Address and you are not allowed to use it in HELO/EHLO as per RFC Standards. Please Contact Your Sys Admin
    log_message = Forged HELO: is our interface address

    deny
    condition = ${if match_domain{$sender_helo_name}{+local_domains}{yes}{no}}
    message = Forged HELO AS PER RFC STANDARDS: you are not $sender_helo_name our local domain and you are not allowed to use as per RFC Standards. Please Contact Your Sys Admin
    log_message = Forged HELO: $sender_helo_name is one of our local domains

    #Modified End

    # Forged HELO (IP address does not match)

    deny
    condition = ${if isip{$sender_helo_name}{yes}{no}}
    condition = ${if eq{$sender_helo_name}{$sender_host_address}{no}{yes}}
    message = Forged HELO: you are not $sender_helo_name
    log_message = Forged HELO: ip does not match

    # Hacked HELO (DOMAIN.com) (constructed by viruses)

    deny
    condition = ${if match \
    {$sender_helo_name}{\N^[A-Z0-9]+\.[a-z]+$\N}{yes}{no}}
    condition = ${if match \
    {$sender_helo_name}{\N^[0-9]+\.[a-z]+$\N}{no}{yes}}
    message = Hacked HELO: you are not $sender_helo_name
    log_message = Hacked HELO: constructed by viruses

    # Typical nonexistent domains

    deny
    condition = ${if match {$sender_helo_name}\
    {(backup.lst|localhost.localdomain)}\
    {yes}{no}}
    message = Bad HELO: $sender_helo_name does not exist\n\
    Please see RFC 2821 section 4.1.1.1

    ##HELO CHK END ##

    Also check for a MISSING Date: header:

    #Date Check
    deny condition = ${if !def:h_Date: {1}}
    message = Message SHOULD have Date: but does not
    log_message = No Date In Mail So Cannot Accept



    ###CLSID ATTACHMENT

    deny message = Hiding of file extensions is not allowed!
    log_message = Dangerous extension (CLSID hidden)
    regex = ^(?i)Content-Disposition:.*?filename=\\s*"+((\{[a-hA-H0-9-]{25,}\})|((.*?)\\s{10,}(.*?)))"+\$



    I think the above should be OK?


    Anup

  5. #5
    rvskin (cPanel Partner NOC)
    Join Date
    Feb 2003
    Posts
    397


    Quote Originally Posted by anup123
    In your already nice documentation, if you could include an ACL check for forged HELO/EHLO it would also reduce the usage of spamd and clamd and hence average load levels, perhaps. Practically, I have found that half of SPAM comes with a forged HELO/EHLO presenting local IPs/domains in HELO/EHLO. This meant less load on the server as the spam/AV check was never reached for those messages. In addition, the number of virus-infected mails dropped by about 70% (signifying the obvious).
    Thanks for the suggestion. The HELO ACL was added to the document with a bit of modification.
    Last edited by rvskin; 11-09-2004 at 12:29 PM.

  6. #6
    Member
    Join Date
    Mar 2003
    Posts
    36


    Could you explain to us what the difference is between those two reject/filter methods:

    2.1. Configure Exim to reject virus at SMTP time
    2.2. Configure Exim to reject virus + sender whitelist + receiver whitelist


    Also, what is done in step 3.1/3.2, how does the blacklisting work? Does it have anything to do with SARE, Razor and DCC?

    3.1. Sender blacklist and remote mail server blacklist
    3.2. RBL setting + sender whitelist + receiver whitelist + remote mail server whitelist

    Thank you for the excellent How to and the excellent service (@RVSkin)

  7. #7
    rvskin (cPanel Partner NOC)
    Join Date
    Feb 2003
    Posts
    397


    Quote:
    Could you explain to us what the difference is between those two reject/filter methods:

    2.1. Configure Exim to reject virus at SMTP time
    2.2. Configure Exim to reject virus + sender whitelist + receiver whitelist

    2.1 will block the virus immediately if a virus or harmful content is detected; this way you cannot do a receiver whitelist.
    2.2 will block the virus but you can do a whitelist.

    Quote:
    Also, what is done in step 3.1/3.2, how does the blacklisting work?

    If the sender sends from a known address or mail server, you can blacklist them. This will remedy your server in case there are invalid bounce emails from a compromised server. You can blacklist here. Or in some cases, spam gets through your server but SpamAssassin cannot catch it. You can blacklist here. It is useful for some that are not in the US and Europe.

    Quote:
    Does it have anything to do with SARE, Razor and DCC?

    No. SARE, Razor and DCC are used only by SpamAssassin. As the default SpamAssassin score does not identify spam easily, those add-ons raise the spam score very effectively, so there is less chance you block legitimate email. From my past experience, none of the mail clients have reported that they lost email.

  8. #8
    Member
    Join Date
    Nov 2003
    Posts
    521


    Anyone else using this with no problems?

    I would like to implement it on my server, but don't want anything to break lol. Is there any chance a cPanel update might conflict with this config and break something?

    RHE server

    Thank you in advance.

  9. #9
    Member
    Join Date
    Sep 2004
    Location
    U.K.
    Posts
    265


    Nothing broke on my server; I installed the full set of spam tools.

  10. #10
    Member
    Join Date
    Sep 2004
    Location
    U.K.
    Posts
    265


    Also, it's CentOS 3.3.

  11. #11
    Member
    Join Date
    Apr 2005
    Posts
    246


    Quote Originally Posted by rvskin
    The instructions are split into 6 sections; use them at your own risk
    Hello rvskin, sounds like a neat tool (suggested by Anup in another thread). My question is, many entries for the exim conf make references to rv_<this>, rv_<that>. Does this mean I *need* to install rvskin for these instructions to work?

    Thanks, .ep

  12. #12
    Member
    Join Date
    Mar 2004
    Location
    This Planet
    Posts
    984


    Quote Originally Posted by erick_paper
    Hello rvskin, sounds like a neat tool (suggested by Anup in another thread). My question is, many entries for the exim conf make references to rv_<this>, rv_<that>. Does this mean I *need* to install rvskin for these instructions to work?

    Thanks, .ep
    I don't use rvskin.

    Anup

  13. #13
    Member
    Join Date
    Apr 2005
    Posts
    246


    Quote Originally Posted by anup123
    I don't use rvskin.
    Thanks Anup. I have edited my exim.conf.

    However, it doesn't seem to be working as desired. I want all email that slips through my RBLs to go through the HELO check. But that doesn't seem to be happening.

    Can you or Chirpy please confirm if my exim.conf code is correct, thanks so much! --

    Code:
    #!!# ACL that is used after the RCPT command
    check_recipient:
      # Exim 3 had no checking on -bs messages, so for compatibility
      # we accept if the source is local SMTP (i.e. not over TCP/IP).
      # We do this by testing for an empty sending host field.
      accept  hosts = :
    
    ### LWBlacklist v0.02
    deny  !sender_domains = lsearch;/etc/localdomains
          !hosts = +relay_hosts
          !authenticated = *
          message = rejected because the sending host $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
          dnslists      = whitelist.MYDOMAIN.com!=127.0.0.13 : \
                          rhsbl.ahbl.org/$sender_address_domain : \
                          list.dsbl.org : \
                          dnsbl.ahbl.org : \
                          sbl-xbl.spamhaus.org : \
                          bl.spamcop.net : \
                          relays.ordb.org : \
                          rbl.MYDOMAIN.com
    
      ##--------------------------------------------------------------------
      ##-- Added Chirpy's dictionary attack protection
      ##-- From http://www.configserver.com/free/eximdeny.html
      ##-- [ERICK_P May 29 2005]
      ##--------------------------------------------------------------------
      drop hosts = /etc/exim_deny
            message = Connection denied after dictionary attack
            log_message = Connection denied from $sender_host_address after dictionary attack
    
        drop message = Appears to be a dictionary attack
            log_message = Dictionary attack (after $rcpt_fail_count failures)
            condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
            condition = ${run{/etc/exim_deny.pl $sender_host_address }{yes}{no}}
            !verify = recipient
      ##--------------------------------------------------------------------
    
      # Accept bounces to lists even if callbacks or other checks would fail
      warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
               condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                    {yes}{no}}
    
      accept   condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                    {yes}{no}}
    
    
      # Accept bounces to lists even if callbacks or other checks would fail
      warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
               condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                    {yes}{no}}
    
      accept   condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                    {yes}{no}}
    
      #if it gets here it isn't mailman
                                                                                                                                               
      #sender verifications are required for all messages that are not sent to lists
                                                                                                                                               
    
      #--------- [ERICK_P MAY 29 2005] HELO VERIFICATION ---------------------
  # BE POLITE AND SAY HELO. REJECT ANYTHING FROM HOSTS THAT HAVEN'T GIVEN
      # A VALID HELO/EHLO TO US.
      #---------------------------------------------------------------------
      deny message = Bad HELO: Empty HELO, please see RFC 2821 section 4.1.1.1
       condition = ${if eq{$sender_helo_name}{}{yes}{no}}
      delay = 3s
      
      #---------------------------------------------------------------------
      # FORGED HOSTNAME -HELOS AS ONE OF MY OWN IPS
      # FORGED HELO (OUR IP/HOSTNAME)
      #---------------------------------------------------------------------
      deny message = Forged HELO: you are not $sender_helo_name as that is our IP Address and you are not allowed to use it in HELO/EHLO as per RFC Standards.
      !hosts = @[]
      !hosts = +rv_relay_hosts
      !authenticated = *
      condition = ${if eq{$sender_helo_name}{$interface_address}{yes}{no}}
      delay = 3s
      
      #---------------------------------------------------------------------
      # FORGED HOSTNAME - HELOS AS MY OWN HOSTNAME OR DOMAIN
      #---------------------------------------------------------------------
      deny message = Forged HELO: you are not $sender_helo_name our local domain and you are not allowed to use as per RFC Standards.
      #---------------------------------------------------------------------
      # ACCEPT HELO WHICH IS IN LOCAL_DOMAIN IF WE RELAY OR HAD SMTP AUTH
      #---------------------------------------------------------------------
      !hosts = @[]
      !hosts = +rv_relay_hosts
      !authenticated = *
      condition = ${if match_domain{$sender_helo_name}{+local_domains}{yes}{no}}
      delay = 3s
      
      #---------------------------------------------------------------------
      # HACKED HELO (DOMAIN.COM) (CONSTRUCTED BY VIRUSES)
      #---------------------------------------------------------------------
      deny message = Hacked HELO: you are not $sender_helo_name
      condition = ${if match {$sender_helo_name}{\N^[A-Z0-9]+\.[a-z]+$\N}{yes}{no}}
      condition = ${if match {$sender_helo_name}{\N^[0-9]+\.[a-z]+$\N}{no}{yes}}
      !hosts = @[]
      !hosts = +rv_relay_hosts
      !authenticated = *
      delay = 3s
    
    #-------------------- END OF HELO CHECK --------------------------------
    
    
      require verify = sender
        accept  domains = +local_domains
      endpass
                                                                                                                                               
      #recipient verifications are required for all messages that are not sent to the local machine
      #this was done at multiple users requests
                                                                                                                                               
      message = "The recipient cannot be verified. $acl_verify_message"
      verify = recipient
                                                                                                                                               
      accept  domains = +relay_domains
    
    
      warn  message = ${perl{popbeforesmtpwarn}{$sender_host_name}}
            hosts = +relay_hosts
      accept  hosts = +relay_hosts
                                                                                    
      warn  message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
            condition = ${perl{checkrelayhost}{$sender_host_address}}
      accept  condition = ${perl{checkrelayhost}{$sender_host_address}}
    
      accept  hosts = +auth_relay_hosts
              endpass
              message = $sender_fullhost is currently not permitted to \
                            relay through this server. Perhaps you \
                            have not logged into the pop/imap server in the \
                            last 30 minutes or do not have SMTP Authentication turned on in your email client.
              authenticated = *
    
      deny    message = $sender_fullhost is currently not permitted to \
                            relay through this server. Perhaps you \
                            have not logged into the pop/imap server in the \
                            last 30 minutes or do not have SMTP Authentication turned on in your email client.
    
    
    #!!# ACL that is used after the DATA command
    check_message:
      require verify = header_sender
    ## clamav ACL, reject virus infected mails with proper error
    
    deny message = This message contains malformed MIME ($demime_reason).
    demime = *
    condition = ${if >{$demime_errorlevel}{2}{1}{0}}
    
    deny message = This message contains a virus or other harmful content \
    ($malware_name)
    demime = *
    malware = *
    
    deny message = Potentially executable content. If you meant to send this file \
    then please package it up as a zip file and resend it.
    demime = ###ade:adp:bas:bat:chm:cmd:com:cpl:crt:eml:exe:hlp:hta:inf:ins:isp:jse:lnk:mdb:mde:msc:msi:msp:pcd:reg:scr:sct:shs:url:vbs:vbe:wsf:wsh:wsc
    
    # Add X-Scanned Header
    
    warn message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
    
    ## end clamav ACL
    accept

    Should I put the HELO checking code before the DNSLISTs, for instance?

  14. #14
    Member
    Join Date
    Mar 2004
    Location
    This Planet
    Posts
    984


    Here's my relevant portion of exim.conf, edited through WHM:

    check_recipient:
    # Exim 3 had no checking on -bs messages, so for compatibility
    # we accept if the source is local SMTP (i.e. not over TCP/IP).
    # We do this by testing for an empty sending host field.
    accept hosts = :

    deny
    local_parts = ^.*[@%!/|] : ^\\.
    log_message = invalid local part

    # deny condition = ${if eq {$sender_address}{$local_part@$domain}{yes}{no}}
    # hosts = !+relay_from_hosts
    # message = This Seems To Be SPAM Attempt. Contact postmaster in case you feel this is in error.
    # log_message = Spam from sender $sender_address at $sender_fullhost

    deny
    message = Legitimate bounces are never sent to more than one recipient.
    senders = : postmaster@*
    condition = $recipients_count

    ##Section Added For Dictionary Attack
    ##Valid For Accounts With Default Set to :fail:
    drop hosts = /etc/exim_deny
    message = Connection denied after dictionary attack
    log_message = Connection denied from $sender_host_address after dictionary attack

    drop message = Appears to be a dictionary attack
    log_message = Dictionary attack (after $rcpt_fail_count failures)
    condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
    condition = ${run{/etc/exim_deny.pl $sender_host_address }{yes}{no}}
    !verify = recipient
    ##Dictionary Attack Customization End

    ###HELO CHECK START


    # No HELO/EHLO

    deny
    condition = ${if eq{$sender_helo_name}{}{yes}{no}}
    message = Polite hosts say HELO first\n\
    Please see RFC 2821 section 4.1.1.1
    log_message = Bad HELO: Empty HELO

    # Forged HELO (IP address does not match)

    deny
    condition = ${if isip{$sender_helo_name}{yes}{no}}
    condition = ${if eq{$sender_helo_name}{$sender_host_address}{no}{yes}}
    message = Forged HELO: you are not $sender_helo_name
    log_message = Forged HELO: ip does not match

    # Hacked HELO (DOMAIN.com) (constructed by viruses)

    deny
    condition = ${if match \
    {$sender_helo_name}{\N^[A-Z0-9]+\.[a-z]+$\N}{yes}{no}}
    condition = ${if match \
    {$sender_helo_name}{\N^[0-9]+\.[a-z]+$\N}{no}{yes}}
    message = Hacked HELO: you are not $sender_helo_name
    log_message = Hacked HELO: constructed by viruses

    # Typical nonexistent domains

    deny
    condition = ${if match {$sender_helo_name}\
    {(backup.lst|localhost.localdomain)}\
    {yes}{no}}
    message = Bad HELO: $sender_helo_name does not exist\n\
    Please see RFC 2821 section 4.1.1.1

    #Modified Forged HELO (our ip/hostname)

    # deny
    # condition = ${if eq{$sender_helo_name}{$interface_address}{yes}{no}}
    # message = Forged HELO: you are not $sender_helo_name as that is our IP Address and you #are not allowed to use it in HELO/EHLO as per RFC Standards. Please Contact Your Sys Admin
    # log_message = Forged HELO: is our interface address

    deny
    condition = ${if match_domain{$sender_helo_name}{+local_domains}{yes}{no}}
    message = Forged HELO AS PER RFC STANDARDS: you are not $sender_helo_name our local domain and you are not allowed to use as per RFC Standards. Please Contact Your Sys Admin
    log_message = Forged HELO: $sender_helo_name is one of our local domains


    ##Modified End

    ##HELO CHK END ##

    #**#Section Added For RBL Integration
    #**# RBL List Begin
    #**#
    #
    # Always accept mail to postmaster & abuse for any local domain
    #
    accept
    domains = +local_domains
    local_parts = postmaster:abuse

    ##Test Addn
    endpass
    message = unknown user
    verify = recipient

    ###Test End
    #
    # Check sending hosts against DNS black lists.
    # Reject message if address listed in blacklist.

    deny message = Message rejected because $sender_fullhost \
    is blacklisted at $dnslist_domain see $dnslist_text

    dnslists = dsn.rfc-ignorant.org
    # RBL Bypass Local Domain List
    !domains = +rbl_bypass
    # RBL Whitelist incoming hosts
    !hosts = +rbl_whitelist
    #**#
    #**# RBL List End
    #**#

    As I mentioned, I do not do RBL stuff in exim.conf except for rfc-ignorant.org, as SA 3 is already doing it.

    Play with it carefully, one thing at a time.

    Anup

    [edit]
    Chirpy@Jonnathan repeatedly educated me not to use delay = x m, so ultimately I got rid of all delay = xm in my exim.conf
    [/edit]
    Last edited by anup123; 05-29-2005 at 04:29 AM.
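As an added example (not code from the thread or from cPanel), here is a small Python simulation of Exim's first-match ACL evaluation, with the HELO checks posted above as conditions (the exemptions for local interfaces, relay hosts and authenticated clients are the ones from erick's version) and the "should the HELO checks go before or after the other statements" question from post #13 as the case it answers. Domains, addresses and the RBL result are constructed sample values, and the exim.conf list names are assumed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample values standing in for the exim.conf lists used in the thread.
LOCAL_DOMAINS = {"example.com", "mail.example.com"}      # +local_domains
INTERFACE_ADDRESS = "192.0.2.10"                         # $interface_address / @[]
RELAY_HOSTS = {"192.0.2.11"}                             # +rv_relay_hosts
RBL_LISTED = {"203.0.113.5"}                             # stands in for a dnslists lookup
BOGUS_HELOS = {"backup.lst", "localhost.localdomain"}    # "typical nonexistent domains"
HACKED_HELO = re.compile(r"^[A-Z0-9]+\.[a-z]+$")         # \N^[A-Z0-9]+\.[a-z]+$\N
NUMERIC_HELO = re.compile(r"^[0-9]+\.[a-z]+$")           # \N^[0-9]+\.[a-z]+$\N


@dataclass
class Session:
    """The parts of an SMTP session the RCPT ACL looks at."""
    helo: str            # $sender_helo_name
    host: str            # $sender_host_address
    rcpt_domain: str     # $domain of the RCPT TO address
    authenticated: bool  # authenticated = *


def is_ip(s: str) -> bool:
    """Equivalent of Exim's ${if isip{...}}."""
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def exempt(s: Session) -> bool:
    """The '!hosts = @[]', '!hosts = +rv_relay_hosts', '!authenticated = *' lines:
    a deny that carries them only applies when none of the three is true."""
    return s.host == INTERFACE_ADDRESS or s.host in RELAY_HOSTS or s.authenticated


# One ACL statement = (verb, reason, list of condition callables).  A statement
# fires only when every condition is true, exactly as Exim ANDs its conditions.
HELO_CHECKS = [
    ("deny", "Bad HELO: Empty HELO", [lambda s: s.helo == ""]),
    ("deny", "Forged HELO: is our interface address",
     [lambda s: not exempt(s), lambda s: s.helo == INTERFACE_ADDRESS]),
    ("deny", "Forged HELO: is one of our local domains",
     [lambda s: not exempt(s), lambda s: s.helo.lower() in LOCAL_DOMAINS]),
    ("deny", "Forged HELO: ip does not match",
     [lambda s: is_ip(s.helo), lambda s: s.helo != s.host]),
    ("deny", "Hacked HELO: constructed by viruses",
     [lambda s: not exempt(s), lambda s: bool(HACKED_HELO.match(s.helo)),
      lambda s: not NUMERIC_HELO.match(s.helo)]),
    ("deny", "Bad HELO: does not exist", [lambda s: s.helo in BOGUS_HELOS]),
]
RBL_CHECK = ("deny", "blacklisted at $dnslist_domain", [lambda s: s.host in RBL_LISTED])
ACCEPT_LOCAL = ("accept", "domains = +local_domains",
                [lambda s: s.rcpt_domain in LOCAL_DOMAINS])
DENY_RELAY = ("deny", "not permitted to relay", [])


def run_acl(acl, s: Session):
    """Evaluate statements top to bottom with Exim's first-match semantics.

    accept/deny/drop end the ACL as soon as their conditions all hold; warn
    never ends it; require ends it with a deny when a condition fails.
    Returns (result, reason, trace) where trace lists every statement that
    was actually evaluated, so the reader can see where the ACL stopped.
    """
    trace = []
    for verb, reason, conds in acl:
        matched = all(c(s) for c in conds)
        trace.append((verb, reason, matched))
        if verb in ("accept", "deny", "drop") and matched:
            return verb, reason, trace
        if verb == "require" and not matched:
            return "deny", reason, trace
    return "deny", "fell off the end of the ACL", trace


# HELO checks placed before the accept statements, as in the configs above.
CHECKS_BEFORE_ACCEPT = [RBL_CHECK, *HELO_CHECKS, ACCEPT_LOCAL, DENY_RELAY]
# HELO checks placed after 'accept domains = +local_domains': never reached for local mail.
CHECKS_AFTER_ACCEPT = [RBL_CHECK, ACCEPT_LOCAL, *HELO_CHECKS, DENY_RELAY]

# Constructed session: a host that is not on the RBL but greets with our own domain.
FORGED = Session(helo="example.com", host="198.51.100.7",
                 rcpt_domain="example.com", authenticated=False)


if __name__ == "__main__":
    for name, acl in (("checks before accept", CHECKS_BEFORE_ACCEPT),
                      ("checks after accept", CHECKS_AFTER_ACCEPT)):
        result, reason, trace = run_acl(acl, FORGED)
        print(f"{name}: {result} ({reason}); {len(trace)} of {len(acl)} statements ran")
```

The trace makes the ordering effect visible: with the HELO denies after the local-domain accept, only two statements run and the forged HELO is accepted.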

  15. #15
    Member
    Join Date
    Apr 2005
    Posts
    246


    Thanks for that anup. But I have many things in mine that you don't. My intention is not to replicate your settings (although I'm very grateful to you for sharing!)

    So my simple question is: does the order of these commands matter? If I put my DNSLIST call at the very end, would it make a difference? I would like ALL these tests to be undertaken before a message is delivered.

    With my current setup, even though a message passes the RBL check, it should be getting caught by the faulty HELO check, but it is not. Hence the question. It seems all these tests are not being undertaken. How can I make sure they are, and in the order I specify?

    My full new code is below. Before I enter it in, I just wanted to see if this is correct. Thanks for your thoughts!

    Code:
    #!!# ACL that is used after the RCPT command
    check_recipient:
      # Exim 3 had no checking on -bs messages, so for compatibility
      # we accept if the source is local SMTP (i.e. not over TCP/IP).
      # We do this by testing for an empty sending host field.
      accept  hosts = :
    
      #---------------------------------------------------------------------
      # First, deny all that have malformed addresses 
      #---------------------------------------------------------------------
      deny    domains       = !+local_domains
              local_parts   = ^[./|] : ^.*[@%!] : ^.*/\\.\\./
              log_message   = Invalid local part
    
      ##--------------------------------------------------------------------
      ##-- Added Chirpy's dictionary attack protection
      ##-- From http://www.configserver.com/free/eximdeny.html
      ##-- [ERICK_P May 29 2005]
      ##--------------------------------------------------------------------
      drop hosts = /etc/exim_deny
            message = Connection denied after dictionary attack
            log_message = Connection denied from $sender_host_address after dictionary attack
    
      drop message = Appears to be a dictionary attack
            log_message = Dictionary attack (after $rcpt_fail_count failures)
            condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
            condition = ${run{/etc/exim_deny.pl $sender_host_address }{yes}{no}}
            !verify = recipient
      ##--------------------------------------------------------------------
    
      #--------- [ERICK_P MAY 29 2005] HELO VERIFICATION ---------------------
  # BE POLITE AND SAY HELO. REJECT ANYTHING FROM HOSTS THAT HAVEN'T GIVEN
      # A VALID HELO/EHLO TO US.
      #---------------------------------------------------------------------
      deny 
        message = Bad HELO: Empty HELO, Polite hosts say HELO first. Please see RFC 2821 section 4.1.1.1.
        condition = ${if eq{$sender_helo_name}{}{yes}{no}}
      
      #---------------------------------------------------------------------
      # FORGED HOSTNAME -HELOS AS ONE OF MY OWN IPS
      # FORGED HELO (OUR IP/HOSTNAME)
      #---------------------------------------------------------------------
      deny message = Forged HELO: You are not $sender_helo_name as you claim. You are not allowed to use it in HELO/EHLO as per RFC Standards.
       !hosts = @[]
       !hosts = +rv_relay_hosts
       !authenticated = *
       condition = ${if eq{$sender_helo_name}{$interface_address}{yes}{no}}
      
      #---------------------------------------------------------------------
      # FORGED HOSTNAME - HELOS AS MY OWN HOSTNAME OR DOMAIN
      #---------------------------------------------------------------------
      deny message = Forged HELO: you are not $sender_helo_name our local domain and you are not allowed to use as per RFC Standards.
      #---------------------------------------------------------------------
      # ACCEPT HELO WHICH IS IN LOCAL_DOMAIN IF WE RELAY OR HAD SMTP AUTH
      #---------------------------------------------------------------------
      !hosts = @[]
      !hosts = +rv_relay_hosts
      !authenticated = *
      condition = ${if match_domain{$sender_helo_name}{+local_domains}{yes}{no}}
    
      #---------------------------------------------------------------------
      # HACKED HELO (DOMAIN.COM) (CONSTRUCTED BY VIRUSES)
      #---------------------------------------------------------------------
      deny message = Hacked HELO: you are not $sender_helo_name
      condition = ${if match {$sender_helo_name}{\N^[A-Z0-9]+\.[a-z]+$\N}{yes}{no}}
      condition = ${if match {$sender_helo_name}{\N^[0-9]+\.[a-z]+$\N}{no}{yes}}
      !hosts = @[]
      !hosts = +rv_relay_hosts
      !authenticated = *
    
      #---------------------------------------------------------------------
      # MAILMAN STUFF: 
      # Accept bounces to lists even if callbacks or other checks would fail
      #---------------------------------------------------------------------
      warn     message   = X-WhitelistedRCPT-nohdrfromcallback: Yes
               condition = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                    {yes}{no}}
    
      accept   condition = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}/config.pck}}} \
                    {yes}{no}}
    
    
      # Accept bounces to lists even if callbacks or other checks would fail
      warn     message      = X-WhitelistedRCPT-nohdrfromcallback: Yes
               condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                    {yes}{no}}
    
      accept   condition    = \
               ${if and {{match{$local_part}{(.*)-bounces\+.*}} \
                         {exists {/usr/local/cpanel/3rdparty/mailman/lists/${lc:$1}_${lc:$domain}/config.pck}}} \
                    {yes}{no}}
    
      #---------------------------------------------------------------------
      # If it gets until here it isn't mailman
      # Sender verifications are required for all messages 
      # that are not sent to lists.
      #---------------------------------------------------------------------
     
      require verify = sender
      accept  local_parts   = postmaster
              domains       = +local_domains
      endpass
     
      message = "The recipient cannot be verified. $acl_verify_message"
      verify = recipient
     
      accept  domains = +relay_domains
    
      warn  message = ${perl{popbeforesmtpwarn}{$sender_host_name}}
            hosts = +relay_hosts
      accept  hosts = +relay_hosts
                                                                                    
      warn  message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
            condition = ${perl{checkrelayhost}{$sender_host_address}}
      accept  condition = ${perl{checkrelayhost}{$sender_host_address}}
    
      accept  hosts = +auth_relay_hosts
              endpass
              message = $sender_fullhost is currently not permitted to \
                            relay through this server. Perhaps you \
                            have not logged into the pop/imap server in the \
                            last 30 minutes or do not have SMTP Authentication turned on in your email client.
              authenticated = *
    
      deny    message = $sender_fullhost is currently not permitted to \
                            relay through this server. Perhaps you \
                            have not logged into the pop/imap server in the \
                            last 30 minutes or do not have SMTP Authentication turned on in your email client.
    
    #-----------------------------------------------------------------------
    # Only deny the RFC-Ignorant ones, as remaining are checked by 
    # SpamAssassin anyway
    #  -- Modified LWBlacklist v0.02 on May 29, 2005 [ERICK_P]
    #-----------------------------------------------------------------------
    deny  !sender_domains = lsearch;/etc/localdomains
          !hosts = +relay_hosts
          !authenticated = *
          message = Rejected because the sending host $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
          dnslists      = dsn.rfc-ignorant.org/$sender_address_domain : \
                          postmaster.rfc-ignorant.org/$sender_address_domain 
    
    warn  message = X-Warning: Should be rejected because the sending host $sender_host_address is in a black list at $dnslist_domain\n$dnslist_text
          dnslists      = whitelist.MYDOMAIN.com!=127.0.0.13 : \
                          rhsbl.ahbl.org/$sender_address_domain : \
                          list.dsbl.org : \
                          dnsbl.ahbl.org : \
                          sbl-xbl.spamhaus.org : \
                          bl.spamcop.net : \
                          relays.ordb.org : \
                          rbl.MYDOMAIN.com
    
    #!!# ACL that is used after the DATA command
    check_message:
      require verify = header_sender
      ## clamav ACL, reject virus infected mails with proper error
    
      deny message = This message contains malformed MIME ($demime_reason).
      demime = *
      condition = ${if >{$demime_errorlevel}{2}{1}{0}}
    
      deny message = This message contains a virus or other harmful content \
      ($malware_name)
      demime = *
      malware = *
    
      deny message = Potentially executable content. If you meant to send this file \
      then please package it up as a zip file and resend it.
      demime = ###ade:adp:bas:bat:chm:cmd:com:cpl:crt:eml:exe:hlp:hta:inf:ins:isp:jse:lnk:mdb:mde:msc:msi:msp:pcd:reg:scr:sct:shs:url:vbs:vbe:wsf:wsh:wsc
    
      # Add X-Scanned Header
      warn message = X-Antivirus-Scanner: Clean mail though you should still use an Antivirus
    
      ## end clamav ACL
    accept
    Last edited by erick_paper; 05-29-2005 at 06:39 AM. Reason: Added my new code.
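A Python model of the two HELO deny statements and the mailman bounce whitelist in the ACL above, added here as an example and not the poster's own code. The local-domain, relay-host and interface sets are constructed sample data standing in for +local_domains, +rv_relay_hosts and @[], and the model treats the ${if match ...} regexes as case-sensitive, which is how Exim applies a PCRE pattern that carries no (?i) flag.

```python
"""Model of the HELO checks and mailman bounce whitelist from the ACL above.
Added example, not the forum poster's code. Host/domain sets are constructed."""
import re

LOCAL_DOMAINS = {"example.com", "mail.example.com"}   # stands in for +local_domains (constructed)
RELAY_HOSTS = {"192.0.2.10"}                           # stands in for +rv_relay_hosts (constructed)
OWN_INTERFACES = {"127.0.0.1", "192.0.2.1"}            # stands in for @[] (constructed)

# Regexes copied from the "Hacked HELO" statement; applied case-sensitively
# (no (?i)), so only upper-case/digit first labels are caught.
HACKED_HELO = re.compile(r"^[A-Z0-9]+\.[a-z]+$")
NUMERIC_HELO = re.compile(r"^[0-9]+\.[a-z]+$")

# Regex from the mailman statements; Exim's match is unanchored, hence search()
BOUNCE_RE = re.compile(r"(.*)-bounces\+.*")
LIST_DIR = "/usr/local/cpanel/3rdparty/mailman/lists"


def is_exempt(host, authenticated):
    """The three negated conditions shared by both deny statements:
    our own interfaces, listed relay hosts, and authenticated clients."""
    return host in OWN_INTERFACES or host in RELAY_HOSTS or authenticated


def helo_verdict(helo, host, authenticated=False):
    """Return the verdict the HELO checks reach for one SMTP session."""
    if is_exempt(host, authenticated):
        return "accept"
    # match_domain compares domain names case-insensitively
    if helo.lower() in LOCAL_DOMAINS:
        return "deny: forged HELO"
    # first condition must match, second must NOT (its branches are {no}{yes})
    if HACKED_HELO.match(helo) and not NUMERIC_HELO.match(helo):
        return "deny: hacked HELO"
    return "accept"


def mailman_config_paths(local_part, domain):
    """config.pck paths the two mailman accept statements test for a
    recipient; the recipient is whitelisted if either file exists."""
    m = BOUNCE_RE.search(local_part)
    if not m:
        return []
    name = m.group(1).lower()                   # ${lc:$1}
    return [f"{LIST_DIR}/{name}/config.pck",
            f"{LIST_DIR}/{name}_{domain.lower()}/config.pck"]
```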
