The Exim configuration file contains global definitions at the top (we will call this the main section), followed by several other sections[15]. Each of these other sections starts with a line of the form:

    begin section

where section is the section name (for example begin acl). We will spend most of our time in the acl section (i.e. after begin acl); but we will also add and/or modify a few items in the transports and routers sections, as well as in the main section at the top of the file.
As of version 4.xx, Exim incorporates perhaps the most sophisticated and flexible mechanism for SMTP-time filtering available anywhere, by way of so-called Access Control Lists (ACLs). An ACL is used to decide whether to accept or reject one stage of an incoming message transaction, such as the initial connection from a remote host, or the HELO/EHLO, MAIL FROM: or RCPT TO: SMTP commands. So, for instance, you may have an ACL named acl_rcpt_to to validate each RCPT TO: command received from the peer.
An ACL consists of a series of statements (or rules). Each statement starts with an action verb, such as accept, warn, require, defer (a temporary 4xx failure, asking the peer to retry later), or deny, followed by a list of conditions, options, and other settings pertaining to that statement. The statements are evaluated in order until one of them yields a definitive action; warn is the exception, since it only records or logs something and then lets processing continue with the next statement. There is an implicit deny at the end of the ACL.
A sample statement in the acl_rcpt_to ACL above may look like this:

    deny    message  = relay not permitted
            !hosts   = +relay_from_hosts
            !domains = +local_domains : +relay_to_domains
            delay    = 1m

This statement rejects the RCPT TO: command if it was sent by a host that is not in the +relay_from_hosts host list and the recipient domain is in neither the +local_domains nor the +relay_to_domains domain list, i.e. if the peer is trying to relay through this server. The conditions and modifiers are processed in order, so the delay modifier at the end is only reached when both negated conditions are true: before issuing the 550 SMTP response, the server waits for one minute (during which the receiving Exim process stays tied up with this connection).
To evaluate a particular ACL at a given stage of the message transaction, you need to point one of Exim's policy controls to that ACL. For instance, to use the acl_rcpt_to ACL mentioned above to evaluate the RCPT TO: command, the main section of your Exim configuration file (before any begin keyword) should include:

    acl_smtp_rcpt = acl_rcpt_to

For a full list of such policy controls, refer to section 14.11 in the Exim specifications.
A large number of expansion items are available, including run-time variables, lookup functions, string/regex manipulations, host/domain lists, and so on. An exhaustive reference for the last x.x0 release (i.e. 4.20, 4.30, ...) can be found in the file “spec.txt”; ACLs are described in section 38.
In particular, Exim provides twenty general-purpose expansion variables to which we can assign values in an ACL statement (using the set modifier):

$acl_c0 - $acl_c9 hold values that persist through the lifetime of an SMTP connection.

$acl_m0 - $acl_m9 hold values while a message is being received, but are then reset. They are also reset by the HELO, EHLO, MAIL, and RSET commands.
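As an added example (this is not configuration from the page or from the Exim project), here is a complete fragment that ties the pieces above together: the policy controls in the main section, the relay check from the sample statement, a $acl_c variable set once at connect time and reused for every RCPT TO:, and a $acl_m recipient counter that is initialised at MAIL time (because MAIL resets the $acl_m variables) and is still available at DATA time. The host and domain lists, the ACL names and the limit of 50 recipients are assumed values chosen for illustration.

```exim
# Added example; not the page's or Exim's own configuration.
# Main section: lists and policy controls (must precede any "begin" line).
# The lists below are assumed values for illustration.
domainlist local_domains    = example.com : example.org
domainlist relay_to_domains = partner.example.net
hostlist   relay_from_hosts = 127.0.0.1 : 192.0.2.0/24

acl_smtp_connect = acl_check_connect
acl_smtp_mail    = acl_check_mail
acl_smtp_rcpt    = acl_rcpt_to
acl_smtp_data    = acl_check_data

begin acl

acl_check_connect:
  # $acl_c0 persists for the whole SMTP connection, so the host list is
  # consulted once here and the result reused for every RCPT TO:.
  # "warn" never ends the ACL; its "set" only runs if "hosts" matched.
  warn    hosts      = +relay_from_hosts
          set acl_c0 = trusted
  accept

acl_check_mail:
  # $acl_m* are reset by MAIL, so (re)initialise the per-message
  # recipient counter here; it then survives until the end of DATA.
  warn    set acl_m0 = 0
  accept

acl_rcpt_to:
  # Count this recipient (no condition, so the set always runs).
  warn    set acl_m0 = ${eval:$acl_m0+1}

  # Hosts flagged at connect time may relay to any domain.
  accept  condition  = ${if eq{$acl_c0}{trusted}{yes}{no}}

  # Same logic as the sample statement in the text: refuse relaying, and
  # only reach the delay modifier when both negated conditions are true.
  deny    message    = relay not permitted
          !hosts     = +relay_from_hosts
          !domains   = +local_domains : +relay_to_domains
          delay      = 1m

  # For our own domains the mailbox must be routable; "verify = recipient"
  # runs the routers against the address, so it depends on that section.
  deny    message    = unknown user
          domains    = +local_domains
          !verify    = recipient

  accept

acl_check_data:
  # The counter built up during RCPT is still valid at DATA time
  # (assumed limit of 50 recipients per message).
  deny    message    = too many recipients
          condition  = ${if >{$acl_m0}{50}{yes}{no}}
  accept
```

Exim already provides $rcpt_count for a plain recipient count; the counter is used here only to show the lifetime of the $acl_m variables across the MAIL, RCPT and DATA stages. Before activating a configuration like this, check its syntax with exim -C /path/to/config -bV, and exercise the ACLs with exim -C /path/to/config -bh 192.0.2.77, which runs a fake SMTP session as if it came from that IP address, applying the ACLs without delivering anything. On a Debian system using the split configuration described in footnote [15], the begin acl part belongs in a new file under /etc/exim4/conf.d/acl/ and the list and acl_smtp_* lines in a new file under /etc/exim4/conf.d/main/, with the combined run-time file regenerated on the next restart.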
[15] Debian users: The exim4-config package gives you a choice between splitting the Exim configuration into several small chunks distributed within subdirectories below /etc/exim4/conf.d, or keeping the entire configuration in a single file. If you chose the former option (I recommend this!), you can keep your customization well separated from the stock configuration provided with the exim4-config package by creating new files within these subdirectories, rather than modifying the existing ones. For instance, you may create a file named /etc/exim4/conf.d/acl/80_local-config_rcpt_to to declare your own ACL for the RCPT TO: command (see below). The Exim “init” script (/etc/init.d/exim4) will automatically consolidate all these files (by running update-exim4.conf) into a single large run-time configuration file the next time you (re)start Exim.