Exim4 - Access Control Lists (ACLs)
Exim4 implements policy controls on incoming mail by means of Access Control Lists (ACLs). Each list is a series of statements that may either grant or deny access. ACLs can be used at several places in the SMTP dialogue while receiving a message from a remote host. However, the most common places are after each RCPT command, and at the very end of the message.
Access Control Lists (ACLs) are defined in a separate section of the run time configuration file, headed by “begin acl”. Each ACL definition starts with a name, terminated by a colon. Here is a complete ACL section that contains just one very small ACL:
    begin acl

    small_acl:
      accept hosts = one.host.only
You can have as many lists as you like in the ACL section, and the order in which they appear does not matter. The lists are self-terminating.
ACLs
Here is a list of the ACL options; each one names the ACL that Exim runs at that point of the SMTP dialogue (or of non-SMTP message reception).
ACL | Description |
---|---|
acl_not_smtp | ACL for non-SMTP messages |
acl_not_smtp_mime | ACL for non-SMTP MIME parts |
acl_not_smtp_start | ACL at start of non-SMTP message |
acl_smtp_auth | ACL for AUTH |
acl_smtp_connect | ACL for start of SMTP connection |
acl_smtp_data | ACL after DATA is complete |
acl_smtp_data_prdr | ACL for each recipient, after DATA is complete |
acl_smtp_dkim | ACL for each DKIM signer |
acl_smtp_etrn | ACL for ETRN |
acl_smtp_expn | ACL for EXPN |
acl_smtp_helo | ACL for HELO or EHLO |
acl_smtp_mail | ACL for MAIL |
acl_smtp_mailauth | ACL for the AUTH parameter of MAIL |
acl_smtp_mime | ACL for content-scanning MIME parts |
acl_smtp_notquit | ACL for non-QUIT terminations |
acl_smtp_predata | ACL at start of DATA command |
acl_smtp_quit | ACL for QUIT |
acl_smtp_rcpt | ACL for RCPT |
acl_smtp_starttls | ACL for STARTTLS |
acl_smtp_vrfy | ACL for VRFY |
Example usage
If you set

    acl_smtp_rcpt = small_acl

the little ACL defined above is used whenever Exim receives a RCPT command in an SMTP dialogue. The majority of policy tests on incoming messages can be done when RCPT commands arrive. A rejection of RCPT should cause the sending MTA to give up on the recipient address contained in that RCPT command, whereas a rejection at other times may cause the client MTA to keep on trying to deliver the message. It is therefore recommended that you do as much testing as possible at RCPT time.
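As an added example (not part of the original page) of doing the bulk of the policy work at RCPT time, here is a complete RCPT ACL that accepts local submissions, refuses unsafe local-parts, permits relaying only for authenticated or trusted hosts, verifies recipients in our own domains, and denies everything else. It assumes a domainlist named `local_domains` and a hostlist named `relay_from_hosts` are defined earlier in the configuration; both names are assumptions.

```exim
# Added example. Assumes these two lists exist earlier in the config
# (names are assumptions, not from the page):
#   domainlist local_domains    = @ : example.org
#   hostlist   relay_from_hosts = 127.0.0.1 : ::1

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Mail that did not arrive over TCP/IP (e.g. the local sendmail
  # interface) has no remote host; accept it straight away.
  accept  hosts = :

  # For our own domains, refuse local-parts that start with a dot or
  # contain characters that could be misinterpreted by later routing
  # (pipes, shell metacharacters, source-route style @ % !).
  deny    domains       = +local_domains
          local_parts   = ^[.] : ^.*[@%!/|]
          message       = restricted characters in address

  # Authenticated clients and trusted hosts may send to any domain;
  # these two statements are the only paths to relaying.
  accept  authenticated = *
  accept  hosts         = +relay_from_hosts

  # Mail for our own domains must be for an existing recipient.
  # "endpass" turns a failed "verify" into an outright deny with the
  # given message, so unknown users are rejected now instead of
  # being accepted and bounced later (avoiding backscatter).
  accept  domains = +local_domains
          endpass
          message = unknown user
          verify  = recipient

  # Anything left is a non-local recipient from an untrusted,
  # unauthenticated client: an attempt to relay through this host.
  deny    message = relay not permitted
```

Statements are evaluated in order and the first whose conditions all match decides the verdict, so the final unconditional deny is what makes the relay policy closed by default.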