ACL RULE LIST (more needed!!)

[bsasninja]

Here is my ACL list for Exim, I would like to share it and also I would like those who have more ACL rules not listed here to post them in this thread.
Even if someone knows or made an undocumented/working acl.
I would like to know if anyone figured out how to prevent relay in ACL from addresses not listed at localdomains. For example someone relaying using our smtp server with a hotmail address (forged), and give him a 550 administrative prohibition or something like that.

ACL rules are very handy, they saves us a lot of bandwidth before the mail enters the server.

Here are the rules Im using (UPDATED April 25 2007)


#!!# ACL that is used after the RCPT command
check_recipient:
# Exim 3 had no checking on -bs messages, so for compatibility
# we accept if the source is local SMTP (i.e. not over TCP/IP).
# We do this by testing for an empty sending host field.
accept hosts = :

deny local_parts = ^.*[@%!/|] : ^\\.
message = I`ve never seen @, %, !, / or | in an e-mail. Neither should you!

deny message = Only one recipient accepted for NULL sender
senders = :
condition = ${if>{$rcpt_count}{1}{1}}

deny message = HELO/EHLO with my ip address. You are not me.
log_message = HELO/EHLO my.ip
condition = ${if eq{$sender_helo_name}{$interface_address}{yes}{no}}

deny message = Polite hosts say HELO first. Please see RFC 2821 section 4.1.1.1
log_message = Bad HELO: Empty HELO
condition = ${if eq{$sender_helo_name}{}}

deny message = RFC 1918 IP address in HELO.
log_message = RFC 1918 IP address
!hosts = +relay_hosts
!authenticated = *
condition = ${if match {$sender_helo_name}{\N^(\[)?(10\.[0-9]{1,3}|172\.(1[6-9]|2[0-9]|31)|192\.168)\.[0-9]{1,3}\.[0-9]{1
,3}(\])?$\N}{yes}{no}}

deny message = Forged HELO: you are not $sender_helo_name our local domain and you are not allowed to use as per RFC standa
rds.
log_message = Forged HELO as local domain
!hosts = +relay_hosts
!authenticated = *
condition = ${if match_domain{$sender_helo_name}{+local_domains}{yes}{no}}

deny message = Hacked HELO: you are not $sender_helo_name
log_message = Hacked HELO
!hosts = +relay_hosts
!authenticated = *
condition = ${if match {$sender_helo_name}{\N^[A-Z0-9]+\.[a-z]+$\N}{yes}{no}}
condition = ${if match {$sender_helo_name}{\N^[0-9]+\.[a-z]+$\N}{no}{yes}}

deny message = $sender_helo_name is a silly HELO
log_message = Silly HELO
!hosts = +relay_hosts
!authenticated = *
condition = ${if match {$sender_helo_name}{\N^(127\.0\.0\.1|localhost(\.localdomain)?)$\N}{yes}{no}}

deny message = Underscores are not allowed in hostnames
log_message = Underscore in hostname
!hosts = +relay_hosts
!authenticated = *
condition = ${if match {$sender_helo_name}{\N.*_.*\N}{yes}{no}}

deny message = Hacked HELO: you are not $sender_helo_name
log_message = Hacked HELO: constructed by viruses (random)
!hosts = +relay_hosts
!authenticated = *
condition = ${if match {$sender_helo_name}{smtp}{no}{yes}}
condition = ${if match {$sender_helo_name}{\N^[a-z0-9]+\.[a-z]+$\N}}
condition = ${if match {$sender_helo_name}{\N.*[bcdfghjklmnpqrstvwxz]{7,}.*\.[a-z]+$\N}}

deny message = Faked Yahoo.com address, so you must be spam.
senders = *@yahoo.com:*@yahoo.es:*@yahoo.com.ar:*yahoo.com.br:*@yahoo.it:*@yahoo.co.uk:*@yahoo.ca:*@yahoo.fr
condition = ${if match {$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}

deny message = Faked Hotmail.com address, so you must be spam.
senders = *@hotmail.com
condition = ${if match {$sender_host_name}{\Nhotmail.com$\N}{no}{yes}}

deny message = Faked MSN.com address, so you must be spam.
senders = *@msn.com
condition = ${if match {$sender_host_name}{\N(hotmail|msn).com$\N}{no}{yes}}

deny message = Faked AOL.com address, so you must be spam.
senders = *@aol.com
condition = ${if match {$sender_host_name}{\Naol.com$\N}{no}{yes}}

deny message = Faked Gmail.com address, so you must be spam.
senders = *@gmail.com
condition = ${if match {$sender_host_name}{\N(google|gmail).com$\N}{no}{yes}}

deny message = Faked Mail.ru address, so you must be spam.
senders = *@mail.ru
condition = ${if match {$sender_host_name}{\Nmail.ru$\N}{no}{yes}}

deny message = Faked Fibertel.com.ar address, so you must be spam.
senders = *@fibertel.com.ar
condition = ${if match {$sender_host_name}{\Nfibertel.com.ar$\N}{no}{yes}}

deny message = Faked Ciudad.com.ar address, so you must be spam.
senders = *@ciudad.com.ar
condition = ${if match {$sender_host_name}{\N(ciudad|prima).com.ar$\N}{no}{yes}}

deny message = Faked Argentina.com address, so you must be spam.
senders = *@argentina.com
condition = ${if match {$sender_host_name}{\Nargentina.com$\N}{no}{yes}}

deny message = Faked Excite.com address, so you must be spam.
senders = *@excite.com
condition = ${if match {$sender_host_name}{\Nexcite.com$\N}{no}{yes}}

deny message = Faked Mixmail.com address, so you must be spam.
senders = *@mixmail.com
condition = ${if match {$sender_host_name}{\Nmixmail.com$\N}{no}{yes}}

deny message = Faked Latinmail.com address, so you must be spam.
senders = *@latinmail.com
condition = ${if match {$sender_host_name}{\Nlatinmail.com$\N}{no}{yes}}

deny message = Faked Arnet.com.ar address, so you must be spam.
senders = *@arnet.com.ar
condition = ${if match {$sender_host_name}{\Narnet.com.ar$\N}{no}{yes}}

deny message = Faked Microsoft.com address, so you must be spam.
senders = *@microsoft.com
condition = ${if match {$sender_host_name}{\Nmicrosoft.com$\N}{no}{yes}}

deny message = Faked Wanadoo.com address, so you must be spam.
senders = *@wanadoo.com
condition = ${if match {$sender_host_name}{\Nwanadoo.com$\N}{no}{yes}}

deny message = Faked Mail.com address, so you must be spam.
senders = *@mail.com
condition = ${if match {$sender_host_name}{\N(mail|outblaze).com$\N}{no}{yes}}

deny message = Faked Hotpop.com address, so you must be spam.
senders = *@hotpop.com
condition = ${if match {$sender_host_name}{\Nhotpop.com$\N}{no}{yes}}

deny message = Faked Mac.com address, so you must be spam.
senders = *@mac.com
condition = ${if match {$sender_host_name}{\Nmac.com$\N}{no}{yes}}

deny message = Faked Net.il address, so you must be spam.
senders = *@net.il
condition = ${if match {$sender_host_name}{\Nnet.il$\N}{no}{yes}}

deny message = Faked Walla.com address, so you must be spam.
senders = *@walla.com
condition = ${if match {$sender_host_name}{\Nwalla.com$\N}{no}{yes}}

deny message = Faked Topmail.com.ar address, so you must be spam.
senders = *@topmail.com.ar
condition = ${if match {$sender_host_name}{\Ntopmail.com.ar$\N}{no}{yes}}

deny message = Faked Tutopia.com address, so you must be spam.
senders = *@tutopia.com
condition = ${if match {$sender_host_name}{\Ntutopia.com$\N}{no}{yes}}

deny message = Faked Uyuyuy.com address, so you must be spam.
senders = *@uyuyuy.com
condition = ${if match {$sender_host_name}{\Nuyuyuy.com$\N}{no}{yes}}



Enjoy!

Ps: where appears {y es} in fact is {yes}. Until you apply any changes, check that there is not other space somewhere. The space between y and e is caused by the forum.

[bsasninja]

Im using this ACL to block faked emails comming from @yahoo.com, @yahoo.com.ar and @yahoo.com.br

Is there a way at senders = to put all the address there and not repeating a separate rule for each one?

deny message = Faked Yahoo, so you must be spam.
log_message = Faked Yahoo
senders = *@yahoo.com
condition = ${if match {$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}

deny message = Faked Yahoo.com.ar, so you must be spam.
log_message = Faked Yahoo
senders = *@yahoo.com
condition = ${if match {$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}

deny message = Faked Yahoo.com.br, so you must be spam.
log_message = Faked Yahoo
senders = *@yahoo.com
condition = ${if match {$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}

Thanks.

[serversphere]

Im using this ACL to block faked emails comming from @yahoo.com, @yahoo.com.ar and @yahoo.com.br

Is there a way at senders = to put all the address there and not repeating a separate rule for each one?

deny message = Faked Yahoo, so you must be spam.
log_message = Faked Yahoo
senders = *@yahoo.com
condition = ${if match {$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}

deny message = Faked Yahoo.com.ar, so you must be spam.
log_message = Faked Yahoo
senders = *@yahoo.com
condition = ${if match {$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}

deny message = Faked Yahoo.com.br, so you must be spam.
log_message = Faked Yahoo
senders = *@yahoo.com
condition = ${if match {$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}

Thanks.

All those look to do the same thing to me? See if this will work (not tested):

Code:

deny condition = ${if match {$sender_host_name}{\Nyahoo\.com(\.br|\.ar)?$\N}/
                  {no}{yes}}
  senders = *@yahoo.com:*@yahoo.com.br:*@yahoo.com.ar
  message = Faked Yahoo sender information, you're spam
  log_message = Faked Yahoo sender information, you're spam

[bsasninja]

Yes is working using senders = *@yahoo.com:*@yahoo.es:*@yahoo.com.br and so on.

Anyways all yahoo servers are xxxx.yahoo.com so there is no need of setting yahoo.com.br, yahoo.es or whatever at the condition rule.

Is rejecting trash like hell !!

Thanks!

[CoolMike]

Where do you add this rules in exim? Can I use the exim configuration editor in WHM?

Michael

[serversphere]

Anyways all yahoo servers are xxxx.yahoo.com so there is no need of setting yahoo.com.br, yahoo.es or whatever at the condition rule.

Is rejecting trash like hell !!

Thanks!

NICE!! Love to hear it when the spam gets trashed!

Where do you add this rules in exim? Can I use the exim configuration editor in WHM?

Yes, always add configuration changes through the WHM editor so that upgrades don't overwrite your changes.

[bsasninja]

Anyone is using other ACL not listed here? Would be great to do an updated acl ruleset.

Im wondering these ones:

1) Some ACL that rejects inexistent addresses or check quota at smtp-time. (with no addons or scripts as I saw somewhere, just ACL as the above)
Ej: xjiofuxjv@hotmail.com sends mails to user@domaim.com at your server. Mailbox is full and the bounce goes back to xjiofuxjv@hotmail.com. As it doesnt exists it get stuck in you queue.

2) How do I know if I have exiscan? My cpanel server at the service status says exim (exim-4.63-1_cpanel_maildir) as default by cpanel setup. And how do I activate it?

3) ClamAv kicks viruses at smtp time?

Thanks

[CoolMike]

Yes, always add configuration changes through the WHM editor so that upgrades don't overwrite your changes.

And in which box should I add it?

[bsasninja]

You have to put them in the second box right after begin acl.

By the way I´m wondering of a good rule to block _@domain.com addresses.
I´ve seen a lot of trash with emails begining with underscores.

I tried to make the rule but I cant hit the right condition if anyone could help.

deny message = Underscore in e-mail. Get out of here.
senders = _@*
condition = ?????

Thanks

[serversphere]

And in which box should I add it?

started to answer, got a phone call and bsasninja answered while I on the phone

[bsasninja]

I earn you some time in writting serversphere.

By the way do you know how we could block _@ addresses ?

Cant write the condition

I dont know if this one is right

deny message = Underscore in e-mail. Get out of here.
senders = _@*
condition = ${if match {$sender_host_address}{_}{no}{yes}}

[bsasninja]

I´ve some customers that dont want ACL control in their domains?
Is there a way to put the domains in a whitelist that jumps the acl control? For example in the following rule How can I apply it?

deny message = Faked Yahoo.com.br, so you must be spam.
log_message = Faked Yahoo
senders = *@yahoo.com
condition = ${if match {$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}

Thanks

[anand]

Anyone is using other ACL not listed here? Would be great to do an updated acl ruleset.

Im wondering these ones:

Ej: xjiofuxjv@hotmail.com sends mails to user@domaim.com at your server. Mailbox is full and the bounce goes back to xjiofuxjv@hotmail.com. As it doesnt exists it get stuck in you queue.

anyone has a solution for this ? I use the following in the last box in whm exim configurator.

* quota

However still the mails are stuck in the mailqueue which should have been bounced back.

Anyone has any ideas on resolving this ?

[anand]

#!!# ACL that is used after the RCPT command
check_recipient:
# Exim 3 had no checking on -bs messages, so for compatibility
# we accept if the source is local SMTP (i.e. not over TCP/IP).
# We do this by testing for an empty sending host field.
accept hosts = :

deny local_parts = ^.*[@%!/|] : ^\\.
message = I`ve never seen @, %, !, / or | in an e-mail. Neither should you!

deny message = Only one recipient accepted for NULL sender
senders = :
condition = ${if>{$rcpt_count}{1}{1}}

deny message = HELO/EHLO with my ip address. You are not me.
log_message = HELO/EHLO my.ip
condition = ${if eq{$sender_helo_name}{$interface_address}{yes}{no}}

deny message = Polite hosts say HELO first. Please see RFC 2821 section 4.1.1.1
log_message = Bad HELO: Empty HELO
condition = ${if eq{$sender_helo_name}{}}

deny message = RFC 1918 IP address in HELO.
log_message = RFC 1918 IP address
!hosts = +relay_hosts
!authenticated = *
condition = ${if match {$sender_helo_name}{\N^(\[)?(10\.[0-9]{1,3}|172\.(1[6-9]|2[0-9]|31)|192\.168)\.[0-9]{1,3}\.[0-9]{1
,3}(\])?$\N}{yes}{no}}

deny message = Forged HELO: you are not $sender_helo_name our local domain and you are not allowed to use as per RFC standa
rds.
log_message = Forged HELO as local domain
!hosts = +relay_hosts
!authenticated = *
condition = ${if match_domain{$sender_helo_name}{+local_domains}{yes}{no}}

deny message = Hacked HELO: you are not $sender_helo_name
log_message = Hacked HELO
!hosts = +relay_hosts
!authenticated = *
condition = ${if match {$sender_helo_name}{\N^[A-Z0-9]+\.[a-z]+$\N}{yes}{no}}
condition = ${if match {$sender_helo_name}{\N^[0-9]+\.[a-z]+$\N}{no}{yes}}

deny message = $sender_helo_name is a silly HELO
log_message = Silly HELO
!hosts = +relay_hosts
!authenticated = *
condition = ${if match {$sender_helo_name}{\N^(127\.0\.0\.1|localhost(\.localdomain)?)$\N}{yes}{no}}

deny message = Underscores are not allowed in hostnames
log_message = Underscore in hostname
!hosts = +relay_hosts
!authenticated = *
condition = ${if match {$sender_helo_name}{\N.*_.*\N}{yes}{no}}

deny message = Hacked HELO: you are not $sender_helo_name
log_message = Hacked HELO: constructed by viruses (random)
!hosts = +relay_hosts
!authenticated = *
condition = ${if match {$sender_helo_name}{smtp}{no}{yes}}
condition = ${if match {$sender_helo_name}{\N^[a-z0-9]+\.[a-z]+$\N}}
condition = ${if match {$sender_helo_name}{\N.*[bcdfghjklmnpqrstvwxz]{7,}.*\.[a-z]+$\N}}

deny message = Faked Yahoo.com address, so you must be spam.
senders = *@yahoo.com:*@yahoo.es:*@yahoo.com.ar:*yahoo.com.br:*@yahoo.it:*@yahoo.co.uk:*@yahoo.ca:*@yahoo.fr
condition = ${if match {$sender_host_name}{\Nyahoo.com$\N}{no}{yes}}

deny message = Faked Hotmail.com address, so you must be spam.
senders = *@hotmail.com
condition = ${if match {$sender_host_name}{\Nhotmail.com$\N}{no}{yes}}

deny message = Faked MSN.com address, so you must be spam.
senders = *@msn.com
condition = ${if match {$sender_host_name}{\N(hotmail|msn).com$\N}{no}{yes}}

deny message = Faked AOL.com address, so you must be spam.
senders = *@aol.com
condition = ${if match {$sender_host_name}{\Naol.com$\N}{no}{yes}}

deny message = Faked Gmail.com address, so you must be spam.
senders = *@gmail.com
condition = ${if match {$sender_host_name}{\N(google|gmail).com$\N}{no}{yes}}

deny message = Faked Mail.ru address, so you must be spam.
senders = *@mail.ru
condition = ${if match {$sender_host_name}{\Nmail.ru$\N}{no}{yes}}

deny message = Faked Fibertel.com.ar address, so you must be spam.
senders = *@fibertel.com.ar
condition = ${if match {$sender_host_name}{\Nfibertel.com.ar$\N}{no}{yes}}

deny message = Faked Ciudad.com.ar address, so you must be spam.
senders = *@ciudad.com.ar
condition = ${if match {$sender_host_name}{\N(ciudad|prima).com.ar$\N}{no}{yes}}

deny message = Faked Argentina.com address, so you must be spam.
senders = *@argentina.com
condition = ${if match {$sender_host_name}{\Nargentina.com$\N}{no}{yes}}

deny message = Faked Excite.com address, so you must be spam.
senders = *@excite.com
condition = ${if match {$sender_host_name}{\Nexcite.com$\N}{no}{yes}}

deny message = Faked Mixmail.com address, so you must be spam.
senders = *@mixmail.com
condition = ${if match {$sender_host_name}{\Nmixmail.com$\N}{no}{yes}}

deny message = Faked Latinmail.com address, so you must be spam.
senders = *@latinmail.com
condition = ${if match {$sender_host_name}{\Nlatinmail.com$\N}{no}{yes}}

deny message = Faked Arnet.com.ar address, so you must be spam.
senders = *@arnet.com.ar
condition = ${if match {$sender_host_name}{\Narnet.com.ar$\N}{no}{yes}}

deny message = Faked Microsoft.com address, so you must be spam.
senders = *@microsoft.com
condition = ${if match {$sender_host_name}{\Nmicrosoft.com$\N}{no}{yes}}

deny message = Faked Wanadoo.com address, so you must be spam.
senders = *@wanadoo.com
condition = ${if match {$sender_host_name}{\Nwanadoo.com$\N}{no}{yes}}

deny message = Faked Mail.com address, so you must be spam.
senders = *@mail.com
condition = ${if match {$sender_host_name}{\N(mail|outblaze).com$\N}{no}{yes}}

deny message = Faked Hotpop.com address, so you must be spam.
senders = *@hotpop.com
condition = ${if match {$sender_host_name}{\Nhotpop.com$\N}{no}{yes}}

deny message = Faked Mac.com address, so you must be spam.
senders = *@mac.com
condition = ${if match {$sender_host_name}{\Nmac.com$\N}{no}{yes}}

deny message = Faked Net.il address, so you must be spam.
senders = *@net.il
condition = ${if match {$sender_host_name}{\Nnet.il$\N}{no}{yes}}

deny message = Faked Walla.com address, so you must be spam.
senders = *@walla.com
condition = ${if match {$sender_host_name}{\Nwalla.com$\N}{no}{yes}}

deny message = Faked Topmail.com.ar address, so you must be spam.
senders = *@topmail.com.ar
condition = ${if match {$sender_host_name}{\Ntopmail.com.ar$\N}{no}{yes}}

deny message = Faked Tutopia.com address, so you must be spam.
senders = *@tutopia.com
condition = ${if match {$sender_host_name}{\Ntutopia.com$\N}{no}{yes}}

deny message = Faked Uyuyuy.com address, so you must be spam.
senders = *@uyuyuy.com
condition = ${if match {$sender_host_name}{\Nuyuyuy.com$\N}{no}{yes}}

won't this block mails from genuine mail servers of yahoo, gmail etc ?

[bsasninja]

nope, cause it checks the mx servers of them.

Give it a try!