Exim4 - Access Control Lists (ACLs)

Exim4 implements policy controls on incoming mail by means of Access Control Lists (ACLs). Each list is a series of statements that may either grant or deny access. ACLs can be used at several places in the SMTP dialogue while receiving a message from a remote host. However, the most common places are after each RCPT command, and at the very end of the message.

Access Control Lists (ACLs) are defined in a separate section of the run time configuration file, headed by “begin acl”. Each ACL definition starts with a name, terminated by a colon. Here is a complete ACL section that contains just one very small ACL:

begin acl
small_acl:
  accept   hosts = one.host.only

You can have as many lists as you like in the ACL section, and the order in which they appear does not matter. The lists are self-terminating.

ACLs

Here is a list of the options that select which ACL is run at each point.

ACL                     Description
acl_not_smtp            ACL for non-SMTP messages
acl_not_smtp_mime       ACL for non-SMTP MIME parts
acl_not_smtp_start      ACL at start of non-SMTP message
acl_smtp_auth           ACL for AUTH
acl_smtp_connect        ACL for start of SMTP connection
acl_smtp_data           ACL after DATA is complete
acl_smtp_data_prdr      ACL for each recipient, after DATA is complete
acl_smtp_dkim           ACL for each DKIM signer
acl_smtp_etrn           ACL for ETRN
acl_smtp_expn           ACL for EXPN
acl_smtp_helo           ACL for HELO or EHLO
acl_smtp_mail           ACL for MAIL
acl_smtp_mailauth       ACL for the AUTH parameter of MAIL
acl_smtp_mime           ACL for content-scanning MIME parts
acl_smtp_notquit        ACL for non-QUIT terminations
acl_smtp_predata        ACL at start of DATA command
acl_smtp_quit           ACL for QUIT
acl_smtp_rcpt           ACL for RCPT
acl_smtp_starttls       ACL for STARTTLS
acl_smtp_vrfy           ACL for VRFY

Example usage

If you set

acl_smtp_rcpt = small_acl

the little ACL defined above is used whenever Exim receives a RCPT command in an SMTP dialogue. The majority of policy tests on incoming messages can be done when RCPT commands arrive. A rejection of RCPT should cause the sending MTA to give up on the recipient address contained in the RCPT command, whereas rejection at other times may cause the client MTA to keep on trying to deliver the message. It is therefore recommended that you do as much testing as possible at RCPT time.
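An option of this kind only does something useful when the name it carries matches an ACL defined after “begin acl”. The following check is an added example, not part of the original page or of Exim: it reads a configuration, reports options that name an undefined ACL, and lists defined ACLs that nothing selects. The sample configuration, the function name audit_acl_references and the file path are constructed for illustration, and the parser assumes a single file without macros or .include lines.

```python
import re

# Constructed sample configuration for this example (not from a real host).
SAMPLE_CONFIG = """\
# main section
acl_smtp_rcpt = acl_check_rcpt
acl_smtp_data = acl_check_data
acl_smtp_mime = /etc/exim4/mime.acl

begin acl
small_acl:
  accept   hosts = one.host.only

acl_check_data:
  accept

begin routers
"""

OPTION_RE = re.compile(r"^(acl_(?:smtp|not_smtp)\w*)\s*=\s*(.*)$")
ACL_NAME_RE = re.compile(r"^(\w+)\s*:$")       # "name:" alone on a line
NESTED_RE = re.compile(r"\bacl\s*=\s*(\w+)")   # "acl = name" condition

def audit_acl_references(config_text):
    """Return (undefined, unreferenced) for one configuration file.

    undefined: {option: name} where the named ACL is never defined.
    unreferenced: sorted names of defined ACLs that nothing selects.
    """
    text = re.sub(r"\\\n\s*", "", config_text)  # join continuation lines
    section, options, defined, nested = "main", {}, set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        begin = re.match(r"^begin\s+(\w+)$", line)
        if begin:
            section = begin.group(1)
        elif section == "main" and (m := OPTION_RE.match(line)):
            options[m.group(1)] = m.group(2).strip()
        elif section == "acl" and (m := ACL_NAME_RE.match(line)):
            defined.add(m.group(1))
        elif section == "acl":
            nested.update(NESTED_RE.findall(line))
    # Only bare names are checked; file paths and expansions are skipped.
    undefined = {o: v for o, v in options.items()
                 if re.fullmatch(r"\w+", v) and v not in defined}
    return undefined, sorted(defined - set(options.values()) - nested)
```

On the sample, the RCPT option points at a name that is never defined, while small_acl is defined but never selected, which is the mismatch to look for before deploying a changed configuration.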

References

http://www.exim.org/exim-html-current/doc/html/spec_html/ch-access_control_lists.html