===== Exim4 - Stop Exim being an open relay =====

Stop Exim being an open relay by adjusting the **acl_smtp_rcpt** ACL.

===== Examples =====

Accept anything locally generated:

<code>
accept hosts = :
</code>

Accept anything from authenticated users:

<code>
accept authenticated = *
</code>

Accept anything from the local network:

<code>
accept hosts = +local_network
</code>

Here you have to decide what "local_network" means - for example, you might want to define it as **192.168.0.0/16**.

Reject non-local domains:

<code>
deny domains = !+local_domains
     message = Relaying denied
</code>

This is what stops your Exim from being an open relay. Again, you have to decide what **local_domains** means.

Reject invalid recipients:

<code>
require verify = recipient
</code>

This causes Exim to check that the recipient is routable. For example, bob@your.example.com might exist, but lktjnho@your.example.com might not. Using **verify = recipient**, in conjunction with the right router configuration, causes Exim to reject the bad addresses at RCPT time.

If you want to add extra checks (such as consulting DNS blacklists, or rejecting "bounce" messages with large numbers of recipients), this would be a good place to add them.

Accept the rest:

<code>
accept
</code>

===== Using acl_rcpt_to =====

A sample statement in the **acl_rcpt_to** ACL above may look like this:

<code>
deny
  message  = relay not permitted
  !hosts   = +relay_from_hosts
  !domains = +local_domains : +relay_to_domains
  delay    = 1m
</code>

This statement will reject the **RCPT TO:** command if it was not delivered by a host in the "**+relay_from_hosts**" host list, and the recipient domain is not in the "**+local_domains**" or "**+relay_to_domains**" domain lists. However, before issuing the "550" SMTP response to this command, the server will wait for one minute.

To evaluate a particular ACL at a given stage of the message transaction, you need to point one of Exim's policy controls to that ACL. For instance, to use the **acl_rcpt_to** ACL mentioned above to evaluate the **RCPT TO:** command, the main section of your Exim configuration file (before any begin keywords) should include:

<code>
acl_smtp_rcpt = acl_rcpt_to
</code>
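
The statements from the Examples section, assembled in evaluation order into one ACL and wired up through **acl_smtp_rcpt**. This is an added example, not part of the original page; the list contents (example.com, 192.168.0.0/16) are assumptions that you must replace with your own values.

```exim
# --- Main section (before any "begin" line) ---
# List contents are constructed sample values.
domainlist local_domains = @ : example.com
hostlist   local_network = 192.168.0.0/16

# Run the ACL below for every RCPT TO: command.
acl_smtp_rcpt = acl_rcpt_to

begin acl

acl_rcpt_to:
  # Statements are tried top to bottom; the first accept or deny
  # whose conditions all match decides the outcome for this RCPT.

  # 1. Locally generated mail (not received over TCP/IP).
  accept  hosts = :

  # 2. Authenticated users may send to any domain.
  accept  authenticated = *

  # 3. Hosts on the local network may send to any domain.
  accept  hosts = +local_network

  # 4. Everyone who reaches this point is an unauthenticated outside
  #    host. Refuse any recipient domain that is not ours. This is the
  #    statement that closes the relay, so it must come before the
  #    final unconditional accept and after the trusted senders above.
  deny    domains = !+local_domains
          message = Relaying denied

  # 5. Only local domains are left: reject recipients that cannot be
  #    routed, at RCPT time. Extra checks would go around here.
  require verify = recipient

  # 6. Accept the rest.
  accept
```

To check the result without delivering anything, run ''exim -bh 203.0.113.5'' (any address outside **local_network**), which starts a fake SMTP session as if from that host; a **RCPT TO:** for a domain outside **local_domains** should be refused with "Relaying denied".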